Thursday, April 30, 2020

Apple Mail Security Issue

Apple always took a firm stance on user security and reliability when it comes to their iPhone series. The iOS operating system is known as one of the most secure operating systems in the market. However, 2 major vulnerabilities have been recently discovered that have existed for years and are actively being exploited in the wild.

Researchers at security firm ZecOps were conducting a routine Digital Forensics and Incident Response (DFIR) investigation when they ran into some abnormalities with some iPhones. This led to the discovery of 2 vulnerabilities in the default Apple Mail app – an out-of-bounds write and a heap-overflow. These vulnerabilities can lead to remote code execution and total takeover of the device. The alarming part is how long these vulnerabilities have been around – researchers say they have existed at least since iOS 6, which was released in September of 2012.

The first attacks in the wild that they could find were from January 2018; that’s over 2 years of exploitation. Some suspected targets include Managed Security Service Providers from the Middle East, journalists in Europe, corporate executives from Japan and Sweden, as well as individuals at a Fortune 500 organization in North America.

The 2 vulnerabilities stem from a common issue: how the application handles return values from system calls. The vulnerability can be exploited by sending a large e-mail, or at least one large enough to consume enough RAM to cause the overflow and bounds issues. In iOS 13, the exploit can work even without user interaction, while in iOS 12 the user has to click on the e-mail, but the attack can take place before the content is rendered. Users may notice a slight delay in the mail app on iOS 13 for a short time, but other than that there is no other noticeable abnormal behavior. In iOS 12, the exploit has been known to cause the mail app to occasionally crash. Part of the attacker’s routine is to remove the e-mail from the victim’s phone, showing operational security awareness in cleaning their tracks.

    Apple has released a publicly-available beta of version 13.4.5 with a fix for both vulnerabilities, but the patch has not made it to stable release yet. Until that happens, it is recommended to disable the Apple Mail app and switch to Outlook or Gmail if updating to the beta isn’t possible. Also, make sure to log out of the Apple Mail app as well.





Microsoft Corporation Buys

    The Domain Name System (DNS) is something most of us use every day, whether we think about it or not. It is hugely convenient for converting human readable addresses into the addresses that computers actually use to communicate with each other. Sometimes this convenience can have unintended side effects though, such as hundreds of thousands of computers constantly attempting to send potentially sensitive information to an unintended location. In an attempt to help secure computers worldwide Microsoft recently purchased the domain name ‘’ for an undisclosed sum (likely north of a million dollars) from a private party. Why would they or you care about this nondescript domain name? The reason stems back to the Windows 2000 days and poorly configured Active Directory servers.

    Active Directory is a service commonly utilized in corporate networks which among other things handles authentication and shared computing resources. This is the service that allows you to map network drives and printers easily on a primarily Windows network. In order to map those services DNS is utilized so that users don’t have to remember a bunch of IP addresses. The issue is that old versions of Active Directory defaulted to ‘corp’ as the root name, causing collisions anywhere outside of the specific corporate network it was setup on. If the computer tried to look up the fileserver address for example, it would ask the Active Directory service for the address using the name ‘fileserver\corp’. On the original network the Active Directory server would know about the ‘corp configuration’ and return the correct address. But if the user was on a different network, such as at a hotel or home, they would likely get back a generic DNS response for the ‘’ domain name. The computer would then try to access this resource as normal, potentially sending authentication tokens or other details to the computer that ‘’ was pointing to.

     Microsoft started working on this problem in 2009 when it issued updates designed to mitigate the problem. They also issued updates in 2015 designed to further mitigate the issue. It turns out that a lot of computers simply never updated, as information never stopped flowing to ‘’. Microsoft has also recommended not using the default ‘corp’ setting in Active Directory for as long as they have known about the issue. Now at least with the domain in the hands of Microsoft they can monitor the incoming traffic and perhaps find out a way to stop it all together.



Thursday, April 9, 2020

You should be restricting NTLM

There is a security issues that most people do not know about .. That when you share a file in zoom  and other products, your computer can passes your NTLM security credentials,

There is a GPO that should be set to only pass NTLM inside your domain

Called Network security: Restrict NTLM: NTLM authentication in this domaim

Security considerations

This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
NTLM and NTLMv2 authentication is vulnerable to a variety of malicious attacks, including SMB replay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards.


Malicious attacks on NTLM authentication traffic resulting in a compromised server or domain controller can occur only if the server or domain controller handles NTLM requests. If those requests are denied, this attack vector is eliminated.


When it has been determined that the NTLM authentication protocol should not be used within a network because you are required to use a more secure protocol such as the Kerberos protocol, then you can select one of several options that this security policy setting offers to restrict NTLM usage within the domain.

Potential impact

If you configure this policy setting, numerous NTLM authentication requests could fail within the domain, which could degrade productivity. Before implementing this change through this policy setting, set Network security: Restrict NTLM: Audit NTLM authentication in this domain to the same option so that you can review the log for the potential impact, perform an analysis of servers, and create an exception list of servers to exclude from this policy setting by using Network security: Restrict NTLM: Add server exceptions in this domain.


Secret Service Issues COVID-19 (Coronavirus) Phishing Alert

March 9, 2020
CMR 04-20
Secret Service Issues COVID-19 (Coronavirus) Phishing Alert

    WASHINGTON - Criminals are opportunists, and as seen in the past, any major news event can become an opportunity for groups or individuals with malicious intentions. The Coronavirus is no different. In fact, the Coronavirus is a prime opportunity for enterprising criminals because it plays on one of the basic human conditions…fear. Fear can cause normally scrupulous individuals to let their guard down and fall victim to social engineering scams, phishing scams, non-delivery scams, and auction fraud scams.

    The United States Secret Service is proactively taking steps to alert the public about the types of email scams associated with the Coronavirus. The Secret Service’s Global Investigative Operations Center (GIOC) reports the subsequent email scams:

    “Phishing” is the fraudulent practice of sending emails purporting to be from reputable companies in order to entice individuals to reveal personal information, such as passwords and credit card numbers. Phishing scams have become ubiquitous through email communication and ecommerce. Cyber criminals are exploiting the Coronavirus through the wide distribution of mass emails posing as legitimate medical and or health organizations. In one particular instance, victims have received an email purporting to be from a medical/health organization that included attachments supposedly containing pertinent information regarding the Coronavirus.
    This lead to either unsuspecting victims opening the attachment causing malware to infect their system, or prompting the victim to enter their email login credentials to access the information resulting in harvested login credentials. This type of incident enables further occurrences of cyber enabled financial crimes such as Business Email Compromise (BEC), PII theft, ransomware and account takeovers. Another side effect of the Coronavirus is increased teleworking, which furthers the reliance on email for communication adding yet another multiplier to these email fraud schemes. More of these incidents are expected, and increased vigilance regarding email communication is highly encouraged.

Another emerging fraud scheme exploiting the Coronavirus is using social engineering tactics through legitimate social media websites seeking donations for charitable causes related to the virus. Criminals are exploiting the charitable spirit of individuals, seeking donations to fraudulent causes surrounding the Coronavirus. Increased caution should be exercised when donating to charitable organizations.

A third fraud scheme surrounds non-delivery scams. Essentially, criminal actors advertise as an in-demand medical supply company that sells medical supplies that can be used to prevent/protect against the Coronavirus. The criminal enterprise will demand upfront payment or initial deposits then abscond with the funds and never complete delivery of the ordered products.

Quick Tips:

 Phishing Emails / Social Engineering – Avoid opening attachments and clicking on links within emails from senders you do not recognize. These attachments can contain malicious content, such as ransomware, that can infect your device and steal your information. Be leery of emails or phone calls requesting account information or requesting you to verify your account. Legitimate businesses will never call you or email you directly for this information.

Always independently verify any requested information originates from a legitimate source.

Visit websites by inputting the domain name yourself. Business use encryption, Secure Socket Layer (SSL). Certificate “errors” can be a warning sign that something is not right with the website.
The United States Secret Service will continue leading the charge to combat cyber-enabled financial crimes.

To learn more about the Secret Service’s Investigative Mission please visit us at:

This post is a direct copy off of the Secret Service’s web site Here

Gift USB are they a Problem ?

    The FBI is warning of attacks from the FIN7 APT in which victims are sent USB drives via USPS and prompted to examine its contents. This attack is a variation of the “lost USB” or “BadUSB” tactic in which a malicious USB is dropped on site with the intention of a curious employee finding it and inspecting the contents. This version, however, is much more targeted. In one instance, the attackers sent a package containing a USB drive, a letter, and a gift card for a major electronics retailer to a hospitality company. The letter thanked the recipient for being a regular customer and prompted them to use the gift card for any items specified on the USB drive. The FBI warns that many of these packages have been sent to businesses that targeted employees in human resources, IT, or management.

    Researchers at Trustwave analyzed the USB device and found that once plugged in, the USB emulates a keyboard and downloads a JavaScript backdoor, which the attackers can use to access the machine. The backdoor, known as GRIFFON, is a tool commonly associated with the FIN7 group. Researchers found that the backdoor will contact IP addresses of Russian origin, another indicator of the FIN7 group. In their analysis, researchers were able to match identifiers on the printed circuit board to a malicious USB for sale on an international marketplace. The researchers state that the “USB device used an Arduino microcontroller and was programmed to emulate a USB keyboard. Since PCs trust keyboard USB devices by default, once it is plugged in, the keyboard emulator can automatically inject malicious commands.” This device was able to be purchased for as low as 5 dollars, much cheaper than premium BadUSB devices, which can retail for up to 100 dollars.

    While rare, USB style attacks can happen. The best way to prevent this attack is to avoid using any unknown USBs. In an organization, informing employees about BadUSB attacks and providing a means to report suspicious devices is an important prevention step. Additionally, limiting physical access to machines will help prevent a bad actor on-site from exploiting devices via USB. Some anti- virus programs now provide keyboard authorization, which means that when the antivirus detects that a keyboard has been plugged in, the user must verify that it is indeed a keyboard and not a USB flash drive. BadUSB attacks can take many forms but educating users in combination with proper security controls is the best way to prevent the exploitation of this attack.