fbpx

Microsoft Issues Emergency Out-Of-Band Update to Fix “Crazy Bad” Vulnerability

By 

Patched Microsoft Malware Protection Engine

In an emergency out-of-band update released late last night, Microsoft fixed a vulnerability in the Microsoft Malware Protection Engine discovered by two Google security experts over the weekend, and which the two described as “crazy bad” and “the worst Windows remote code exec in recent memory.”

While initially the two Google experts didn’t reveal what Windows feature the bug was found in, the veil of mystery lifted yesterday when both Microsoft and the two experts shared more details about the issue.

Vulnerability affects Microsoft Malware Protection Engine

As per the two sources, the bug affects the Microsoft Malware Protection Engine (MsMpEng), a core service that ships with Windows 7, Windows 8.1, Windows 10, and Windows Server 2016, and which is the core of many of Microsoft security tools, such as:

  • Windows Defender
  • Microsoft Security Essentials
  • Microsoft Endpoint Protection
  • Microsoft System Center Endpoint Protection
  • Windows Intune Endpoint Protection
  • Microsoft Forefront Security for SharePoint Service Pack 3
  • Microsoft Forefront Endpoint Protection 2010

According to the Google experts, the bug is a “type confusion” vulnerability in NScript, the MsMpEng component that handles “any filesystem or network activity that looks like JavaScript.”

The two experts say that NScript mishandles how it interprets some JavaScript object types, which allows them to deliver an exploit that can use the Microsoft Malware Protection Engine to execute malicious code.

Vulnerability is trivially exploitable

The researchers say the issue can be exploited with no user interaction needed.

This includes scenarios such as sending an email with the exploit included in the message’s body, hosting malicious JavaScript code inside a web page, or by delivering a JS exploit to thousands or millions on users, via ads on reputable sites.

“Vulnerabilities in MsMpEng are among the most severe possible in Windows, due to the privilege, accessibility, and ubiquity of the service,” Tavis Ormandy, one of the Google researchers says.

This is because the service runs without sandboxing — a basic and very efficient security feature —, but also because the service runs as
NT AUTHORITY\SYSTEM, a system-level user with no limitations.

Furthermore, the service is included by default on all recent Windows operating system, exposing hundreds of millions of PCs to remote hacking.

Microsoft patches issue within days

Unlike past incidents, where Microsoft has allowed exploited zero-day vulnerabilities to fester in the wild without being bothered to deliver a patch for months, this time around, the company moved lightning fast to address the issue.

In just a few days, the company had prepared and already shipped a patch to fix the vulnerable MsMpEng service.

According to a Microsoft advisory, the first version of the Microsoft Malware Protection Engine affected by this flaw is v1.1.13701.0. The issue has been patched in v1.1.13704.0, released a few hours ago, and which has already reached some users (screenshot above).

Microsoft also said that on latest Windows platforms, the risk of exploitation should be lower if the user has turned on Windows CFG (Control Flow Guard), a security feature that can make exploitation of memory-based vulnerabilities much harder.

The vulnerability is tracked as CVE-2017-0290. The two Google researchers also released proof-of-concept exploit code. The entire exploit fits in a tweet. To help spread the word about this issue, US-CERT has also released an accompanying alert.

The Top 5 Reasons Why You Need To Deploy New-school Security Awareness Training In 2018

Excerpted from CyberheistNews Vol 7 #50

2017 was a dumpster fire of privacy and security screw-ups.

To start 2018 with a simple, effective, IT security strategy is an excellent New Year’s resolution and helps your CEO to keep their job. Better yet, thousands of your peers will tell you this was the best and most fun IT security budget they ever spent… hands-down.

This list is the high-power ammo you need to get budget and roll out new-school security awareness training, ideally right now.

Here are the Top 5 reasons…

  1. Social Engineering is the No. 1 go-to strategy for the bad guys. Unfortunately, their time is money too. Why spend 2 months of research uncovering a 0-day when you (literally) can create an effective spear-phishing attack in 2 hours? They are going after the human—the weakest link in IT security—and your last line of defense.
  2. Ransomware is only going to get worse in 2018. Email is still their favorite attack vector, and their sophistication is increasing by the month. The downtime caused by ransomware can be massive.
  3. Compliance requirements for awareness training are being sharpened up. Thinking that today you can get away with a yearly one-time, old-school awareness training session is whistling past the graveyard. A good example is May 25, 2018 when enforcement actions for GDPR begin. We have compliance training for GDPR ready in 24 languages.
  4. Legally you are required to act “reasonably” and take “necessary” measures to cope with a threat. If you don’t, you violate either compliance laws, regulations, or recent case law. Your organization must take into account today’s social engineering risks and “scale security measures to reflect the threat”. Don’t trust me, confirm with your lawyer, and next insist on getting budget. Today, data breaches cause practically instant class action lawsuits. And don’t even talk about all employees filing a class action against your own company because your W-2 forms were exfiltrated with CEO fraud.
  5. Board members’ No. 1 focus today is cyber security. Some very pointed questions will be asked if they read in the Wall Street Journal that your customer database was hacked and the breach data is being sold on the dark web. Once it becomes clear that your organization did not deploy a simple, effective strategy that could have prevented this, a few (highly placed) heads will roll. Target’s CEO and CISO are just an example. Help your CEO to keep their job.

Former US CISO on Why Awareness Training Is Priority Number 1:

In an information technology environment where personnel are on the cyber front line at work and also at the house, the key to ensuring security is still awareness training, says former U.S. CISO Gregory Touhill, who was the Air Force General responsible for Cyber Training before he became the first US CISO.

“A congressman asked me when I took my post as the first federal CISO: ‘If I gave you an extra dollar, how would you spend it on cybersecurity?’ And I told him I would spend it on better training my people. I find a very well-trained, well-informed workforce is better prepared to help an organization buy down their cyber risk,” Touhill says in an interview with Information Security Media Group.

Training at All Levels

Touhill calls for daily security drills and exercises at all levels of an organization to help reinforce defensive strategies.

“Board and C-suite officers are increasingly large targets for whale phishing,” Touhill says. “Everybody has a stake in cybersecurity and I would contend everyone is on cyber front lines. That training needs to be tailored and continuous for the entire workforce.”

Touhill discusses:

  • The effectiveness of techniques such as gamification;
  • Why he believes one-and-done annual training fails;
  • Continuous phishing training;
  • His recommendations for improving training in 2018.

Touhill is now president of the Cyxtera Federal Group and teaches cybersecurity and risk management for the CISO certification program at Carnegie Mellon University’s Heinz College.

Scam of the Week: New Massive Data Breach Poses Major Threat

Here’s a fun question to pose to the family dinner table: Have you ever heard of Alteryx?

100 to 1 you never heard of them, but chances are good that they have heard of you. Alteryx is a data analytics company that makes its money by repackaging data that it’s collected from different sources. And it became the latest reminder of how much data little-known companies have collected on us – and how little oversight there is over the security of that data.

Companies You’ve Never Heard of Are Exposing Your Personal Data

Earlier this week, an analyst from the security firm Upguard shared that Alteryx had not properly protected detailed information it had collected on 123 million U.S. households (All told, there are about 126 million American households, according to the Census Bureau.)

This data leak was discovered by a researcher, and not (we hope) by a criminal. But the leak affects about as many people as the massive hack Equifax reported in September, which affected 145.5 million Americans, or nearly every adult.

Another Leaky AWS Bucket

The data had been left unprotected in an Amazon Web Services storage bucket available to anyone with a free AWS account. After being informed of the data breach, Alteryx secured the information, however, it had been available to identity thieves and scammers for a considerable period of time.

Alteryx and credit reporting agency Experian—which was the source of the data—both downplayed the risk of identity theft because no names were included in the data included in the data breach. This response is just PR and disingenuous as 248 data fields for every household were included in the data breach which are easy to map to the names.

This is just another example of the lack of important laws in the United States protecting people from data aggregators’ negligence and requiring these companies to employ security measures to protect our personal data. Many other countries require such measures by law, the new European GDPR is an excellent example.

What to Do About It

I suggest you send the following to your employees, friends, and family. You’re welcome to copy, paste, and/or edit:

“There is another major data breach, that pretty much covers every living adult in the United States. At this point you have to assume that cyber criminals have highly personal information that they can use to trick you. You need to watch out for the following things:

  • Phishing emails that claim to be from your financial institution where you can “check if your data was compromised”
  • Phishing emails that claim there is a problem with a credit card, your credit record, or other personal financial information
  • Calls from scammers that claim they are from your bank or credit union
  • Fraudulent charges on any credit card because your identity was stolen

Here are 5 things you can do to prevent identity theft:

  1. First sign up for credit monitoring – dozens of companies do that.
  2. Next freeze your credit files at the three major credit bureaus Equifax, Experian and TransUnion. Remember that generally it is not possible to sign up for credit monitoring services after a freeze is in place. Advice for how to file a freeze is available here on a state-by-state basis:
    http://consumersunion.org/research/security-freeze/
  3. Check your credit reports via the free annualcreditreport.com
  4. Check your bank and credit card statements for any unauthorized activity
  5. If you believe you may have been the victim of identity theft, here is a site where you can learn more about how to protect yourself:
    www.idtheftcenter.org.

Quotes of the Week

“By three methods we may learn wisdom: First, by reflection, which is noblest; Second, by imitation, which is easiest; and third by experience, which is the bitterest.” – Confucius

“Wisdom comes from experience. Experience is often a result of lack of wisdom.” – Terry Pratchett

“Here is an example of a young man gaining wisdom by experience. LOL:”
http://mashable.com/2017/12/22/man-fails-slide-london-tube-escalator/#leLSSc2WJqqR

 

It’s time to update WordPress

update-wordpress

WordPress 4.9.1 Security and Maintenance Release

WordPress 4.9.1 is now available. This is a security and maintenance release for all versions since WordPress 3.7. We strongly encourage you to update your sites immediately.

WordPress versions 4.9 and earlier are affected by four security issues which could potentially be exploited as part of a multi-vector attack. As part of the core team’s ongoing commitment to security hardening, the following fixes have been implemented in 4.9.1:

  1. Use a properly generated hash for the newbloguser key instead of a determinate substring.
  2. Add escaping to the language attributes used on html elements.
  3. Ensure the attributes of enclosures are correctly escaped in RSS and Atom feeds.
  4. Remove the ability to upload JavaScript files for users who do not have the unfiltered_html capability.

Thank you to the reporters of these issues for practicing responsible security disclosureRahul Pratap Singh and John Blackbourn.

Eleven other bugs were fixed in WordPress 4.9.1. Particularly of note were:

  • Issues relating to the caching of theme template files.
  • A MediaElement JavaScript error preventing users of certain languages from being able to upload media files.
  • The inability to edit theme and plugin files on Windows based servers.

This post has more information about all of the issues fixed in 4.9.1 if you’d like to learn more.

Spearhead Multimedia clients, as well as all Wordpress users, may contact us to perform the update for you.

EU to Declare Cyber-Attacks “Act of War” – USA Likely to Follow 

European Union member states have drafted a diplomatic document which states serious cyber-attacks by a foreign nation could be construed as an act of war.

The document developed as a deterrent to provocations by nation states like Russia and North Korea, will declare that member states may respond to online attacks with conventional weapons “in the gravest circumstances.”

This framework on a joint EU diplomatic response to malicious cyber activities would seem to raise the stakes significantly on state-sponsored attacks, especially those focused on critical infrastructure.

UK security minister Ben Wallace claimed last week that the UK government is “as sure as possible” that North Korea was behind the WannaCry ransomware attacks in May that crippled over a third of NHS England, forcing the cancellation of thousands of operations and appointments.

The problem is that definitive attribution in cyberspace is very difficult, making the framework appear largely symbolic.

It brings the EU in line with NATO policy in the past, establishing cyber as a legitimate military domain, meaning an online attack could theoretically trigger Article 5, the part of its treaty related to collective defense, which states that an attack on one member is an attack on all 29 allies.

McAfee chief scientist, Raj Samani, claimed the move was unsurprising considering WannaCry and the likely state-backed attacks on French and German elections.

“While it is important to define cyber-attacks that are used for espionage or disruption as they would be when committed by physical actors, the greatest challenge that countries have will be in identifying and proving that the malicious actors that caused the cyber-attack have direct links to governmental organizations – something that these groups will be even more keen to conceal going forward,” he added.”

I’m expecting the USA to follow with a similar statement, to function as an additional deterrent against the recent spate of Russian and North Korean incursions.

The vast majority of Russia’s attacks start with social engineering and spear phishing attacks. However, current investigations show that they also have been running paid propaganda campaigns through Facebook.

Full blog post with links to sources:
https://blog.knowbe4.com/eu-to-declare-cyber-attacks-act-of-war.-usa-likely-to-follow

2018 Is Likely to Be a Worse Year for Ransomware Than 2017

Sophos released their 2018 malware forecast this week. Their predictions would make any IT Pro concerned, link to a PDF of their report below. Read on for your executive summary.

Ransomware Mutations Running Amok

You have seen a lot in this blog this year about the WannaCry and NotPetya ransomware strains. Both attacks exploited the EternalBlue Windows SMB vulnerability, and both did not have workable decryption mechanisms for the few organizations desperate enough to try to pay the ransom.

Both incidents make one thing clear: WannaCry and NotPetya appear to be the work of military cyber warfare divisions. Their authors aren’t script kiddies, but professional Dev teams using sophisticated techniques. Nation states are fighting a cold cyber war, and both commercial and non-profit organizations are the collateral damage worldwide.

RaaS Is for Newbie Cyber Crims

There is an area where amateur cyber “crims” do come in, and that’s Ransomware as a Service, aka RaaS. Newbies without l33t skills simply buy the code on the dark web including easy how-to videos.

Sophos says that RaaS is growing in popularity on the Dark Web, and this year’s Cerber ransomware is their example of a worrisome trend. Here’s some of what it says in the report that specifically pertains to RaaS:

“Ransomware is big business on the Dark Web. Its creators realized they could make more money not just by extorting currency from their victims, but by selling kits buyers could use to make and distribute their own. We’ve seen a number of different services and pricing models in the past year, and expect to see many more in 2018.

One of the biggest examples, as mentioned above, is Cerber. Other examples include Satan, malicious software that once opened in a Windows system, encrypts all the files and demands a ransom for the decryption tools, and Philadelphia. The latter was notable for its marketing technique, which included a slick YouTube video advertisement on the open web.”

New “Marketing” Techniques

Sophos reports on an additional ransomware trend they found in a malware strain called Spora. Instead of demanding one ransom to decrypt an entire encrypted drive or partition, some ransomware offers victims multiple options. The options seen in Spora are:

  • Decrypt two files for nothing
  • Decrypt a selection of files for 30.00 dollars
  • Have the ransomware itself removed for 20.00 dollars
  • Buy what they call immunity for 50.00 dollars
  • Get everything on the computer restored for 120.00 dollars

Ransomware Is Now Targeting Non-Win OSen

September 2013 was when CryptoLocker reared its ugly head as the first weapons-grade ransomware that exclusively targeted Windows, which remains Target No. 1.

But Sophos notices a trend of ransomware targeting non-Windows operating systems. I would not be surprised if in 2018 a worldwide MacOS or Linux distro ransomware pandemic broke out.

Ransomware is also growing rapidly on Android. Sophos reported that the prevalence of Android ransomware has grown almost every month in 2017; 30.4% of the Android malware researched in September 2017 by Sophos was ransomware, and they expect that 45% of all Android malware in October was ransomware.

One of the biggest Android ransomware stories broke this October: DoubleLocker. Looks like Android ransomware is going to be a bigger problem in 2018.

Healthcare Continues to Be a Target.

Many cyber criminals are specifically targeting the healthcare industry. Sophos states this trend started in 2016. Healthcare is the single most targeted industry because they are the victims who are most likely to pay ransoms. The Sophos report shows that critical infrastructure, education and small businesses also are often targeted for ransomware attacks, as they’re more likely to pay up as well.

Between April 1st and October 3rd, Sophos notes that the top four countries for ransomware victims are the United States (17.2%), Great Britain (11.1%), Belgium (8.6%), and Singapore (6.5%.) And of course neither Ukraine or Russia even show up in the Top 16, because that’s where these organized cyber crime gangs are, and they know that FSB (KGB) swat teams will knock down their doors if they target these countries.

ZDNet also has predictions about the nasty future of ransomware with four ways the nightmare is about to get even worse:
http://www.zdnet.com/article/the-nasty-future-of-ransomware-four-ways-the-nightmare-is-about-to-get-even-worse/

From the Cyberheist News blog.