National Cyber Awareness System:
03/29/2018 01:00 PM EDT
Original
release date: March 29, 2018 The Internet Crime Complaint Center (IC3) has released an alert on tech
|
Month: March 2018
Windows Server 2019 – now available in preview
This blog post was authored by Erin
Chapple, Director of Program Management, Windows Server.
Chapple, Director of Program Management, Windows Server.
Today is a big day for Windows
Server! On behalf of the entire Windows Server team, I am delighted to announce
Windows Server 2019 will be generally available in the second half of calendar
year 2018. Starting now, you can access the preview build through our Insiders program.
Server! On behalf of the entire Windows Server team, I am delighted to announce
Windows Server 2019 will be generally available in the second half of calendar
year 2018. Starting now, you can access the preview build through our Insiders program.
What’s
new in Windows Server 2019
new in Windows Server 2019
Windows Server 2019 is built on the
strong foundation of Windows Server 2016 – which continues to see great
momentum in customer adoption. Windows Server 2016 is the fastest adopted
version of Windows Server, ever! We’ve been busy since its launch at Ignite
2016 drawing insights from your feedback and product telemetry to make this
release even better.
strong foundation of Windows Server 2016 – which continues to see great
momentum in customer adoption. Windows Server 2016 is the fastest adopted
version of Windows Server, ever! We’ve been busy since its launch at Ignite
2016 drawing insights from your feedback and product telemetry to make this
release even better.
We also spent a lot of time with
customers to understand the future challenges and where the industry is going.
Four themes were consistent – Hybrid, Security, Application Platform, and
Hyper-converged infrastructure. We bring numerous innovations on these four
themes in Windows Server 2019.
customers to understand the future challenges and where the industry is going.
Four themes were consistent – Hybrid, Security, Application Platform, and
Hyper-converged infrastructure. We bring numerous innovations on these four
themes in Windows Server 2019.
Hybrid cloud scenarios:
We know that the move to the cloud
is a journey and often, a hybrid approach, one that combines on-premises and
cloud environments working together, is what makes sense to our customers.
Extending Active Directory, synchronizing file servers, and backup in the cloud
are just a few examples of what customers are already doing today to extend
their datacenters to the public cloud. In addition, a hybrid approach also
allows for apps running on-premises to take advantage of innovation in the
cloud such as Artificial Intelligence and IoT. Hybrid cloud enables a
future-proof, long-term approach – which is exactly why we see it playing a
central role in cloud strategies for the foreseeable future.
is a journey and often, a hybrid approach, one that combines on-premises and
cloud environments working together, is what makes sense to our customers.
Extending Active Directory, synchronizing file servers, and backup in the cloud
are just a few examples of what customers are already doing today to extend
their datacenters to the public cloud. In addition, a hybrid approach also
allows for apps running on-premises to take advantage of innovation in the
cloud such as Artificial Intelligence and IoT. Hybrid cloud enables a
future-proof, long-term approach – which is exactly why we see it playing a
central role in cloud strategies for the foreseeable future.
At
Ignite in September 2017, we announced the Technical Preview of Project Honolulu
– our reimagined experience for management of Windows and Windows Server.
Project Honolulu is a flexible, lightweight browser-based locally-deployed
platform and a solution for management scenarios. One of our goals with Project
Honolulu is to make it simpler and easier to connect existing deployments of
Windows Server to Azure services. With Windows Server 2019 and Project
Honolulu, customers will be able to easily integrate Azure services such as
Azure Backup, Azure File Sync, disaster recovery, and much more so they will be
able to leverage these Azure services without disrupting their applications and
infrastructure.
Security:
Security continues to be a top
priority for our customers. The number of cyber-security incidents continue to
grow, and the impact of these incidents is escalating quickly. A Microsoft
study shows that attackers take, on average, just 24-48 hours to penetrate an environment after
infecting the first machine. In addition, attackers can stay in the penetrated
environment – without being noticed – for up to 99 days on average, according to a report
by FireEye/Mandiant. We continue on our journey to help our customers improve
their security posture by working on features that bring together learnings
from running global-scale datacenters for Microsoft Azure, Office 365, and
several other online services.
priority for our customers. The number of cyber-security incidents continue to
grow, and the impact of these incidents is escalating quickly. A Microsoft
study shows that attackers take, on average, just 24-48 hours to penetrate an environment after
infecting the first machine. In addition, attackers can stay in the penetrated
environment – without being noticed – for up to 99 days on average, according to a report
by FireEye/Mandiant. We continue on our journey to help our customers improve
their security posture by working on features that bring together learnings
from running global-scale datacenters for Microsoft Azure, Office 365, and
several other online services.
Our approach to security is
three-fold – Protect, Detect and Respond. We bring security features in all
three areas in Windows Server 2019.
On the Protect front, we introduced Shielded VMs in Windows Server 2016, which
was enthusiastically received by our customers. Shielded VMs protect virtual
machines (VM) from compromised or malicious administrators in the fabric so
only VM admins can access it on known, healthy, and attested guarded fabric. In
Windows Server 2019, Shielded VMs will now support Linux VMs. We are also
extending VMConnect to improve troubleshooting of Shielded VMs for Windows
Server and Linux. We are adding Encrypted Networks that will let admins encrypt
network segments, with a flip of a switch to protect the network layer between
servers.
three-fold – Protect, Detect and Respond. We bring security features in all
three areas in Windows Server 2019.
On the Protect front, we introduced Shielded VMs in Windows Server 2016, which
was enthusiastically received by our customers. Shielded VMs protect virtual
machines (VM) from compromised or malicious administrators in the fabric so
only VM admins can access it on known, healthy, and attested guarded fabric. In
Windows Server 2019, Shielded VMs will now support Linux VMs. We are also
extending VMConnect to improve troubleshooting of Shielded VMs for Windows
Server and Linux. We are adding Encrypted Networks that will let admins encrypt
network segments, with a flip of a switch to protect the network layer between
servers.
On the Detect and Respond front, in Windows
Server 2019, we are embedding Windows Defender Advanced Threat Protection (ATP)
that provides preventative protection, detects attacks and zero-day exploits
among other capabilities, into the operating system. This gives customers
access to deep kernel and memory sensors, improving performance and
anti-tampering, and enabling response actions on server machines.
Server 2019, we are embedding Windows Defender Advanced Threat Protection (ATP)
that provides preventative protection, detects attacks and zero-day exploits
among other capabilities, into the operating system. This gives customers
access to deep kernel and memory sensors, improving performance and
anti-tampering, and enabling response actions on server machines.
Application Platform:
A key guiding principle for us on
the Windows Server team is a relentless focus on the developer experience. Two
key aspects to call out for the developer community are improvements to Windows
Server containers and Windows Subsystem on Linux (WSL).
the Windows Server team is a relentless focus on the developer experience. Two
key aspects to call out for the developer community are improvements to Windows
Server containers and Windows Subsystem on Linux (WSL).
Since the introduction of containers
in Windows Server 2016, we have seen great momentum in its adoption. Tens of
millions of container images have been downloaded from the Docker Hub. The team
learned from feedback that a smaller container image size will significantly
improve experience of developers and IT Pros who are modernizing their existing
applications using containers. In Windows Server 2019, our goal is to reduce
the Server Core base container image to a third of its current size of 5 GB.
This will reduce download time of the image by 72%, further optimizing the
development time and performance.
in Windows Server 2016, we have seen great momentum in its adoption. Tens of
millions of container images have been downloaded from the Docker Hub. The team
learned from feedback that a smaller container image size will significantly
improve experience of developers and IT Pros who are modernizing their existing
applications using containers. In Windows Server 2019, our goal is to reduce
the Server Core base container image to a third of its current size of 5 GB.
This will reduce download time of the image by 72%, further optimizing the
development time and performance.
We are also continuing to improve
the choices available when it comes to orchestrating Windows Server container
deployments. Kubernetes support is currently in beta, and in
Windows Server 2019, we are introducing significant improvements to compute,
storage, and networking components of a Kubernetes cluster.
the choices available when it comes to orchestrating Windows Server container
deployments. Kubernetes support is currently in beta, and in
Windows Server 2019, we are introducing significant improvements to compute,
storage, and networking components of a Kubernetes cluster.
A feedback we constantly hear from
developers is the complexity in navigating environments with Linux and Windows
deployments. To address that, we previously extended Windows Subsystem on Linux (WSL) into insider builds for
Windows Server, so that customers can run Linux containers
side-by-side with Windows containers on a Windows Server. In Windows Server
2019, we are continuing on this journey to improve WSL, helping Linux users
bring their scripts to Windows while using industry standards like OpenSSH,
Curl & Tar.
developers is the complexity in navigating environments with Linux and Windows
deployments. To address that, we previously extended Windows Subsystem on Linux (WSL) into insider builds for
Windows Server, so that customers can run Linux containers
side-by-side with Windows containers on a Windows Server. In Windows Server
2019, we are continuing on this journey to improve WSL, helping Linux users
bring their scripts to Windows while using industry standards like OpenSSH,
Curl & Tar.
Finally, Window Server customers
using System Center will be excited to know that System Center 2019 is coming
and will support Windows Server 2019.
using System Center will be excited to know that System Center 2019 is coming
and will support Windows Server 2019.
We have much more to share between
now and the launch later this year. We will bring more details on the goodness
of Windows Server 2019 in a blog series that will cover the areas above.
now and the launch later this year. We will bring more details on the goodness
of Windows Server 2019 in a blog series that will cover the areas above.
Sign
up for the Insiders program to access Windows Server 2019
We know you probably cannot wait to
get your hands on the next release, and the good news is that the preview build
is available today to Windows Insiders. Join the program to ensure you
have access to the bits. For more details on this preview build, check out the Release
Notes.
We love hearing from you, so don’t
forget to provide feedback using the Windows Feedback Hub app, or the Windows Server space in the Tech community.
forget to provide feedback using the Windows Feedback Hub app, or the Windows Server space in the Tech community.
Breaking Botnets and Wrestling Ransomware Webcast
Microsoft has an event
Webcast: Microsoft Security Intelligence Report
Volume 23—Breaking Botnets and Wrestling Ransomware
Volume 23—Breaking Botnets and Wrestling Ransomware
| The security threat landscape is constantly evolving, and Microsoft has spent over a decade tracking and analyzing software vulnerabilities, exploits, malware, unwanted software, and attacker group methods and tactics via the Security Intelligence Report. As organizations move to the cloud and invest into modern technologies, Microsoft continues its commitment to analyzing and informing the security community with deep insights on the latest threats.
During this webinar, we will discuss learnings from the
Security Intelligence Report Volume 23 that include analysis of the top security threat trends we saw in 2017, dive deep into insights on attack vectors, and actionable recommendations from a security industry veteran and a former CISO for your organization to protect and defend itself against these threats. Key takeaways from this webinar include:
Webcast: Microsoft Security Intelligence Report Volume 23—Breaking Botnets and Wrestling Ransomware April 10, 2018 1:00 PM ET / 10:00 AM PT
|
4G LTE Under Attack
Over the past few years, Fourth Generation Long Term
Evolution or 4G LTE has become the standard for cellular communications.
Security vulnerabilities affecting 4G LTE need to be taken seriously as any
disruption to the network can have serious consequences to life in 2018 and
beyond. Billions of people around the world depend on the integrity of 4G LTE
for daily activities in both their personal and professional lives.
Evolution or 4G LTE has become the standard for cellular communications.
Security vulnerabilities affecting 4G LTE need to be taken seriously as any
disruption to the network can have serious consequences to life in 2018 and
beyond. Billions of people around the world depend on the integrity of 4G LTE
for daily activities in both their personal and professional lives.
A recent study conducted by a group of researchers from
Purdue and Iowa University has uncovered a bundle of vulnerabilities affecting
4G LTE cellular networks. These protocol level vulnerabilities can be exploited
for malicious purposes in numerous ways. The researchers have proven that these
flaws can allow an attacker to intercept calls and text messages, kick a device
off of the network, and even track a user’s location. These may sound like
far-fetched scenarios; however eight of the ten attacks discovered have been
proven in a testing environment using devices with SIM cards from real US
carriers.
Purdue and Iowa University has uncovered a bundle of vulnerabilities affecting
4G LTE cellular networks. These protocol level vulnerabilities can be exploited
for malicious purposes in numerous ways. The researchers have proven that these
flaws can allow an attacker to intercept calls and text messages, kick a device
off of the network, and even track a user’s location. These may sound like
far-fetched scenarios; however eight of the ten attacks discovered have been
proven in a testing environment using devices with SIM cards from real US
carriers.
The discovery of this set of vulnerabilities may sound like
just another security story; however, the potential
for abuse here is enormous. In addition to tracking an individual’s
location, their location can also be spoofed or altered.
This presents unique challenges for criminal
investigations as criminals can use this to provide false alibis or even frame
another person. The research also proves it possible for an attacker to
generate and distribute fake emergency alerts. As seen in the recent case of
the false alarm for a threat against Hawaii, this could be abused to create
massive disruption.
All of these potential attack scenarios are made possible by
authentication relay attacks. A successful authentication relay attack will
allow an attacker to bypass network authentication defenses without any
legitimate credentials and disguise their identity. Once authenticated an
attacker has access to the network core where they can essentially block a
target device from receiving notifications altogether.
authentication relay attacks. A successful authentication relay attack will
allow an attacker to bypass network authentication defenses without any
legitimate credentials and disguise their identity. Once authenticated an
attacker has access to the network core where they can essentially block a
target device from receiving notifications altogether.
The major cellular carriers have been notified of these
flaws and are in the process of releasing fixes. The research team has agreed
to not release their proof of concept code until the fixes have been applied.
Perhaps the most troubling part of this story is that these types of attacks
can be conducted for as little as $1,300, which is negligible to a
well-organized criminal effort
flaws and are in the process of releasing fixes. The research team has agreed
to not release their proof of concept code until the fixes have been applied.
Perhaps the most troubling part of this story is that these types of attacks
can be conducted for as little as $1,300, which is negligible to a
well-organized criminal effort
Sources:
https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/new- campaign-exploits-cve-2018-4878-anew-via-malicious-microsoft-word-documents
Re-purposing Lucrative Exploits
Last month Adobe released a
Flash security update to remediate the zero-day Remote Code Execution (RCE)
CVE-2018-4878 vulnerability that was most visibly being utilized by the North
Koreans to spy upon the south. The South Korean CERT team noted that the exploit
was being actively used by the North to target valuable information assets in
the south as early as 31, January 2017. The vulnerability, scoring a 9.8 out of
10 base score from the National Vulnerability Database (NVD) was quickly
acknowledged by Adobe who posted a bulletin (APSA18-01) with security advisory
details for the critical vulnerability including mitigations. The 9.8 base
score from the NVD was due to the flaw being exploitable over the internet,
requiring low skill to execute the attack, without any privileges on the target
machine, and no user interaction with the target. The exploit is realized by a
malicious malformed flash object being embedded in Office documents. Once
opened the embedded SWF flash file would execute, downloading an additional
payload from the web, the Remote Access Trojan ROKRAT.
Flash security update to remediate the zero-day Remote Code Execution (RCE)
CVE-2018-4878 vulnerability that was most visibly being utilized by the North
Koreans to spy upon the south. The South Korean CERT team noted that the exploit
was being actively used by the North to target valuable information assets in
the south as early as 31, January 2017. The vulnerability, scoring a 9.8 out of
10 base score from the National Vulnerability Database (NVD) was quickly
acknowledged by Adobe who posted a bulletin (APSA18-01) with security advisory
details for the critical vulnerability including mitigations. The 9.8 base
score from the NVD was due to the flaw being exploitable over the internet,
requiring low skill to execute the attack, without any privileges on the target
machine, and no user interaction with the target. The exploit is realized by a
malicious malformed flash object being embedded in Office documents. Once
opened the embedded SWF flash file would execute, downloading an additional
payload from the web, the Remote Access Trojan ROKRAT.
|
Figure 1. Exploit workflow. Source – http://blog.talosintelligence.com/2018/02/group-123-goes- wild.html
|
|
Adobe released a patch for the
troubling zero-day on 6 of February to address CVE-2018- 4878 aiming to protect
victims from the RCE vulnerability, but attackers found a new way to exploit
CVE-2018-4878 as noted by TREND MICRO in their February 27, 2018 report stating
“The campaign involves the use of malicious spam – specifically with a
spam email that with an embedded link that directs the recipient to a Microsoft
Word lure document (Detected by Trend Micro as TROJ_CVE20184878.A and
SWF_CVE20184878.A) stored on the malicious website safe-storage[.]biz. After
the file is downloaded and executed, it will prompt the user to enable editing
mode to view what’s inside the document. This document is what triggers the
exploitation of CVE-2018-4878 – in particular, a cmd.exe window is opened that
is remotely injected with a malicious shellcode.”
troubling zero-day on 6 of February to address CVE-2018- 4878 aiming to protect
victims from the RCE vulnerability, but attackers found a new way to exploit
CVE-2018-4878 as noted by TREND MICRO in their February 27, 2018 report stating
“The campaign involves the use of malicious spam – specifically with a
spam email that with an embedded link that directs the recipient to a Microsoft
Word lure document (Detected by Trend Micro as TROJ_CVE20184878.A and
SWF_CVE20184878.A) stored on the malicious website safe-storage[.]biz. After
the file is downloaded and executed, it will prompt the user to enable editing
mode to view what’s inside the document. This document is what triggers the
exploitation of CVE-2018-4878 – in particular, a cmd.exe window is opened that
is remotely injected with a malicious shellcode.”
This reviving of CVE-2018-4878
illustrates not only the classic “cat and mouse” dance between
attacker and defender but also the ability and keenness of attackers to adapt
methods to keep exploiting lucrative vulnerabilities such as those with high
NVD scores.
Sources:
https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and- exploits/new-campaign-exploits-cve-2018-4878-anew-via-malicious-microsoft- word-documents
http://blog.talosintelligence.com/2018/02/group-123-goes-wild.html
Thanks to Peraton CIP report for this information
Malware: The New DRM Solution
Software piracy has been an issue for about as long as there has been software to pirate. Companies are constantly developing new Digital Rights Management (DRM) solutions to protect their products, while software pirates, known as crackers, are constantly finding new ways to bypass these technologies. However, FlightSimLabs (FSLabs) recently thought of a new DRM strategy: place malware within their installer.
FlightSimLabs develops add-ons for Microsoft’s Flight Simulator game. These add-ons allow customers to buy additional planes to fly, expanding the game experience. Some Reddit users noticed a strange file, test.exe, which was extracted into a temporary folder when the A320X add-on was installed. Upon further investigation, the executable turned out to be malware purposefully placed by FSLabs to steal usernames and passwords stored in Google Chrome when a pirated copy is installed.
The malware is designed to run only when a flagged serial number is detected. The application is actually the command-line tool Chrome Password Dump
created by SecurityXploded which retrieves and displays usernames and passwords from Chrome in an easy-to-read format. The .bin file provided with the FSLabs application calls the test.exe file and sends the output to a Log.txt file. As if this wasn’t bad enough, the text file is then encoded with Base64.exe and sent back to an FSLabs site, installLog.flightsimlabs.com over an HTTP connection (not even
HTTPS). Security researchers at Fidus Information Security determined that the malware was not called when the application is run with a legitimate serial number.
The founder and owner of FSLabs, Lefteris Kalamaras, states “First of all – there are no tools used to reveal any sensitive information of any customer who has legitimately purchased our products.” The malware was intended to collect information on people using pirated copies only. However, stealing credentials may still violate multiple sections of the Computer Fraud and Abuse Act. Also, even though the malware is not activated by the add-on for legitimate users, it was still extracted and puts their systems at risk of someone else activating it. FSLabs has offered another version of the installer without the test.exe file.
Sources:
https://threatpost.com/flight-sim-labs-heavy-handed-anti-piracy-tactics-raise-hackles/130005/
https://www.fidusinfosec.com/fslabs-flight-simulation-labs-dropping-malware-to-combat-piracy/ https://www.extremetech.com/gaming/264411-flight-sim-labs-caught-deliberately-distributing-malware-gaming-mods
Thanks to Peraton CIP report for this information
National Consumer Protection Week
Original
release date: March 02, 2018
March 4–10 is National
Consumer Protection Week (NCPW), an event to encourage people and
businesses to learn more about avoiding scams and understanding consumer
rights. During NCPW, the Federal Trade Commission (FTC) and its partners
highlight free resources to help protect consumers.
NCCIC/US-CERT recommends consumers participate in the FTC/Facebook
live chats and review the following NCCIC/US-CERT security tips: