blogmirnet – Page 33 – My information Resource (blog.mir.net)

Microsoft Security Public Webinars

Critical Patches Issued for Microsoft Products, August 13, 2024 – PATCH: NOW

OVERVIEW:
Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

Windows Secure Kernel Mode
Windows Kerberos
Microsoft Windows DNS
Windows TCP/IP
Microsoft Office
Azure Connected Machine Agent
Windows Kernel
Windows Power Dependency Coordinator
Azure Stack
Azure Health Bot
Windows IP Routing Management Snapin
Windows NTFS
Microsoft Local Security Authority Server (lsasrv)
Windows Routing and Remote Access Service (RRAS)
Microsoft Bluetooth Driver
Microsoft Streaming Service
Windows Network Address Translation (NAT)
Windows Clipboard Virtual Channel Extension
Windows NT OS Kernel
Windows Resource Manager
Windows Deployment Services
Reliable Multicast Transport Driver (RMCAST)
Windows Ancillary Function Driver for WinSock
Windows WLAN Auto Config Service
Windows Layer-2 Bridge Network Driver
Windows DWM Core Library
Windows Transport Security Layer (TLS)
Microsoft WDAC OLE DB provider for SQL
Windows Security Center
Azure IoT SDK
Windows Network Virtualization
Windows Mobile Broadband
Windows Update Stack
Windows Compressed Folder
Microsoft Dynamics
.NET and Visual Studio
Microsoft Office Visio
Microsoft Office Excel
Microsoft Office PowerPoint
Microsoft Office Outlook
Windows App Installer
Windows Scripting
Windows SmartScreen
Windows Kernel-Mode Drivers
Microsoft Office Project
Azure CycleCloud
Windows Common Log File System Driver
Microsoft Teams
Windows Print Spooler Components
Line Printer Daemon Service (LPD)
Microsoft Copilot Studio
Windows Mark of the Web (MOTW)
Windows Cloud Files Mini Filter Driver
Microsoft Edge (Chromium-based)
Windows Initial Machine Configuration

RISK:
Government:

Large and medium government entities: High
Small government entities: Medium

Businesses:

Large and medium business entities: High
Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution.

A full list of all vulnerabilities can be found in the Microsoft link in the References section.

Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:
We recommend the following actions be taken:

Apply appropriate patches or appropriate mitigations provided by Microsoft to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
- Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
Apply the Principle of Least Privilege to all systems and services, and run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
- Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
- Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
Remind all users not to visit untrusted websites or follow links/open files provided by unknown or untrusted sources. (M1017: User Training)
- Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040 : Behavior Prevention on Endpoint)
- Safeguard 13.2 : Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
- Safeguard 13.7 : Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.

REFERENCES:

Microsoft:
https://msrc.microsoft.com/update-guide/
https://msrc.microsoft.com/update-guide/releaseNote/2024-Aug

Blue Screen of Death

A Denial of Service in CLFS.sys in Microsoft Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, and Windows Server 2022 allows a malicious authenticated low-privilege user to cause a Blue Screen of Death via a forced call to the KeBugCheckEx function.

CWE-ID	CWE Name	Source
CWE-1284	Improper Validation of Specified Quantity in Input

NIST Releases First 3 Finalized Post-Quantum Encryption Standards

The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) has finalized its principal set of encryption algorithms designed to withstand cyberattacks from a quantum computer.

Researchers around the world are racing to build quantum computers that would operate in radically different ways from ordinary computers and could break the current encryption that provides security and privacy for just about everything we do online. The algorithms announced today are specified in the first completed standards from NIST’s post-quantum cryptography (PQC) standardization project, and are ready for immediate use.

Observed TA2725 Phishing Campaigns

Observed TA2725 Phishing Campaigns

Example of phishing email delivering Mispadu. Image Source: Proofpoint.

TA2725 is a financially motivated cyber threat actor that typically targets Latin America (LATAM) and some European countries. The group has its tactics and is now delivering Mispadu and Astaroth malware in phishing campaigns targeting the Garden State Network (GSN). TA2725 primarily targets finance, services, manufacturing, law firms, and commercial facilities and uses a multi-stage infection process. TA2725 historically exploited Windows SmartScreen vulnerabilities; however, their most recent campaign tactics include sending phishing emails with URLs that lead to malware download pages, distributing malware through zipped files (MSI, HTA, exe, etc.), and employing geofencing tactics. They typically target banking credentials, as well as credentials and payment data for popular consumer accounts such as Netflix and Amazon. Other banking malware distributed in past campaigns includes Ousaban Stealer and Grandoreiro trojans.

Example of phishing email delivering Astaroth. Image Source: Proofpoint.

Phishing emails observed in this campaign use banking transaction lures in Spanish that include links to a zip file containing an HTA file. The final malware payload is Mispadu, a LATAM malware loader that typically drops banking malware and remote access trojans. HTA stands for HTML Applications and executes media files; however, it can also be used for malicious purposes without a GUI. In phishing campaigns delivering Astaroth, TA2725 uses emails with Portuguese language lures related to CENPROT shared documents and tax lures containing a zipped LNK file that leads to the Astaroth malware.

Recommendations

Facilitate user awareness training to include these types of phishing-based techniques. Avoid clicking links and opening attachments in unsolicited emails. Confirm requests from senders via contact information obtained from verified and official sources. Review the Don’t Take the Bait! Phishing and Other Social Engineering Attacks NJCCIC product for more information on common phishing and social engineering attacks. Maintain robust and up-to-date endpoint detection tools on every endpoint. Consider leveraging behavior-based detection tools rather than signature-based tools. Phishing and other malicious cyber activity can be reported to the FBI’s IC3 and the NJCCIC.

Phishing for (Stolen) Information

The NJCCIC observed an uptick in campaigns aiming to spread Formbook infostealing malware. Formbook is classified as malware-as-a-service (MaaS), though it was originally advertised as browser-logger software. Formbook can extract data from HTML forms and gain access to keystrokes, browsers auto-fill information, and clipboard data.

The email campaign spotted by Proofpoint included messages claiming to be Requests for Quotations (RFQ), purchasing orders, or invoices. The emails contained compressed executables that utilized Packager Shell Objects (OLE) to exploit vulnerabilities found in Equation Editor. After successful exploitation, LCG Kit downloads and installs Formbook, XLoader, Agent Tesla, and LokiBot. This is a new variation of a recurring campaign by the cyber threat group TA2536.

In May, security researchers discovered phishing attacks targeting small and medium-sized businesses (SMB) in Poland, Italy, and Romania. This campaign spread several malware types, including Formbook, Agent Tesla, and Remcos RAT . Threat actors imitated existing businesses and their employees to add legitimacy to their emails.

Recommendations

Avoid clicking links and opening attachments in unsolicited emails. Confirm requests from senders via contact information obtained from verified and official sources. Type official website URLs into browsers manually. Facilitate user awareness training to include these types of phishing-based techniques. Maintain robust and up-to-date endpoint detection tools on every endpoint. Consider leveraging behavior-based detection tools rather than signature-based tools.

Recent State-Sponsored Activity Impacting the Cyber Threat Landscape

The current state of heightened geopolitical unrest has led to nation-state threat actors launching cyberattacks to advance their political and economic agendas, thereby influencing and endangering critical information, as well as public safety and services. Recently exposed actions by advanced persistent threat (APT) groups and state-aligned hacking groups indicate an evolution in the cyber threat landscape and a fundamental shift in the goals and techniques of state-sponsored cyber operations. The main objectives of state-sponsored APT activities often involve strategic and industrial espionage, with their primary efforts focused on infiltrating systems to steal valuable data. However, recent changes in tactics, intensity, and expected outcomes were observed.

China

Increased tensions in the Asian Pacific region involving US allies like the Philippines and Taiwan have subsequently escalated cyber threat activity. The People’s Republic of China (PRC) modus operandi typically aims to position itself in systems to disrupt capabilities and could involve sabotaging critical infrastructure and industrial capacities, causing disruption and potential panic. A recent analysis report revealed that threat actors in the PRC-aligned cyberespionage ecosystem are engaging in an alarming trend of using ransomware as a final stage in their operations for financial gain, disruption, distraction, misattribution, or removal of evidence. Two clusters of activity involve ransomware or data encryption tooling – one linked to a suspected Chinese cyberespionage threat group, ChamelGang, and the second cluster resembling previous intrusions involving artifacts linked to suspected PRC and North Korean (DPRK) APT groups. Most affected organizations were primarily in the US, with manufacturing the most significantly impacted sector. Education, finance, healthcare, and legal sectors were also affected to a lesser degree. The use of ransomware by threat actors associated with the PRC and DPRK against government and critical infrastructure sectors denotes a shift in the intensity of cyber threats. Their dual objectives of financial gain and espionage underscore the need for heightened international cooperation and the implementation of robust defense strategies.

Another PRC State-sponsored cyber threat includes the hacking group Volt Typhoon, which has engaged in cyberespionage campaigns and aims to maintain a covert presence in networks while avoiding detection. There are concerns that the group is developing capabilities to disrupt critical infrastructure during future crises, posing a risk to various sectors, including communications, transportation, water and wastewater, energy, military, defense, and maritime in the US and its territories, such as Guam.

A joint international cybersecurity advisory from agencies and law enforcement across eight countries, including the US, warns of the recently observed tactics used by the PRC State-sponsored threat group APT40, also known as Kryptonite Panda and GINGHAM TYPHOON. This group conducts malicious cyber operations for the PRC Ministry of State Security (MSS) and is based in Haikou, Hainan Province, PRC.

Russia

Recorded Future analysts identified a likely Russian government-aligned influence network known as CopyCop has shifted its focus to the 2024 US elections. CopyCop creates and spreads political content using AI and inauthentic websites to disseminate targeted content through YouTube videos. In June, analysts discovered the network expanded its influential content sources to include mainstream news outlets in the US and UK, conservative-leaning US media, and Russian State-affiliated media. Within twenty-four hours of registering and posting the original articles, CopyCop scrapes, modifies, and disseminates content to US election-themed websites using over 1,000 fake journalist personas. Despite the content being generated rapidly, AI-generated content for this campaign was not observed being widely shared on social media platforms.

Earlier this year, Microsoft identified an ongoing cyberattack, cautioning that the Russian APT Midnight Blizzard (APT 29, Cozy Bear) continues to attempt to exploit various shared secrets for further attacks via email. Recent Microsoft notifications on social media reveal that the hack had a broader impact on the company’s customer base. Additionally, Midnight Blizzard was attributed to the recent cyberattack that breached the remote access software company TeamViewer. The company noted that the incident occurred on June 26 after their security team detected an irregularity in TeamViewer’s internal corporate IT environment.

The US intends to prohibit Kaspersky Labs antivirus software, a company headquartered in Moscow that serves 400 million users and 250,000 corporate customers globally, over national security concerns. The US Department of Commerce’s Bureau of Industry and Security (BIS) indicated that the ban will take effect on September 29. BIS reached this decision due to the potential influence of the Russian military and intelligence authorities on the company, which is subject to Russian Government jurisdiction. Individuals and businesses that continue to use existing Kaspersky products and services will not face legal penalties; however, any individual or business that continues to use Kaspersky products and services assumes all cybersecurity and associated risks, which could spell disaster with cyber insurance claims.

DPRK

Recently, American cybersecurity company KnowBe4 hired a Principal Software Engineer who was later discovered to be a DPRK State cyber threat actor who attempted to install information-stealing malware on the network. Despite passing background checks and interviews, the threat actor used a stolen identity and AI tools to deceive the hiring process. This type of impersonation and insider threat highlights the advanced tactics of DPRK nation-state threat actors’ attempts to infiltrate US companies.

A DPRK-linked cyberespionage group, now known as APT45, has expanded its operations to include financially motivated attacks involving ransomware. The group has used ransomware families known as SHATTEREDGLASS and Maui to target organizations in South Korea, Japan, and the US. This shift in focus emphasizes the importance of staying updated on threat intelligence to address current threats.

Kimsuky is a DPRK APT cyber threat group that conducts worldwide attacks to gather intelligence aligned with the DPRK government’s interest. Kimsuky’s primary focus is gathering intelligence on foreign policy, national security considerations regarding the Korean peninsula, and nuclear policy. A 2023 United Nations report revealed the involvement of DPRK State hackers in unprecedented levels of cryptocurrency theft in the previous year. The theft was estimated to be between $630 million and over $1 billion in 2022 alone, doubling Pyongyang’s illicit gains from cyber theft.

Iran

MuddyWater, an Iranian cyber threat group linked to the Ministry of Intelligence and Security (MOIS), has intensified cyberattacks on Israel and its allies during the Israeli-Hamas War. The group typically uses phishing campaigns and has recently introduced a new custom backdoor called BugSleep. They increasingly use English to target various sectors and regions using themes like webinars and online courses in phishing emails. Their malware can execute multiple commands and target a wide range of global entities, primarily focusing on Israeli and Saudi Arabian targets. MuddyWater targets various sectors, including telecommunications, government (IT services), and the oil industry. They have expanded their cyberespionage operations, focusing on governmental and defense institutions in Central and Southwest Asia and businesses in North America and Europe.

Recommendations:

Implement cybersecurity best practices to reduce risk and increase resiliency to cyber threats as detailed on the NJCCIC Guidance and Best Practices webpage, in addition to the following:

Avoid clicking links, responding to, or otherwise acting on unsolicited text messages or emails.
Use strong, unique passwords and enable MFA for all accounts where available, choosing authentication apps or hardware tokens over SMS text-based codes.
Keep systems up to date and apply patches after appropriate testing.
Utilize monitoring and detection solutions to identify suspicious login attempts and user behavior.
Enforce the principle of least privilege, disable unused ports and services, and use web application firewalls (WAFs).
Employ a comprehensive data backup plan and ensure operational technology (OT) environments are segmented from the information technology (IT) environments.
Cyber incidents can be reported to the FBI’s IC3 and the NJCCIC.

Building cyberthreat resilience

Cyberthreats are more sophisticated and frequent than ever, and the devastating impact of a breach is a reality that every organization must face. Join us at Microsoft Discovery Day: Building Cyberthreat Resilience to learn how Microsoft empowers security operations teams to protect, detect, and respond against these cyberthreats. During this free event, you’ll discover how to expedite your response by pairing extended detection and response (XDR) with security information and event management (SIEM). Gain a deeper perspective on the current state of cybersecurity and global threat intelligence and explore a roadmap for machine learning and AI at Microsoft. You’ll have the opportunity to:  Uncover the latest challenges and trends facing the cybersecurity world and what it means for your organization. Discover how to protect, detect, and respond to cyberthreats effectively by using XDR and SIEM together with Generative AI. Improve your security posture by learning how other business leaders have implemented comprehensive cyberthreat protection in their security strategies. Space is limited. Register for free today. Delivery language: English
Closed captioning provided in: English Microsoft Teams delivers a rich, interactive experience that works best with the Teams app. We recommend downloading the app if you don’t have it, as not all browsers are supported. When you join this event, your name, email, or phone number may be viewable by other session participants in the attendee list. By joining this event, you’re agreeing to this experience. When: Thursday, August 22, 2024, 3:00 – 4:00 PM (GMT-04:00)
Where: Online

Microsoft Discovery Hour: Building Cyberthreat Resilience

Register now >

Defend Against Threats with Extended Detection and Response training day

Build the skills you need to create new opportunities and accelerate your understanding of Microsoft Cloud technologies at a free Microsoft Security Virtual Training Day from Microsoft Learn. Join us at Defend Against Threats with Extended Detection and Response to learn how to better protect apps and data in Microsoft 365 Defender, Microsoft Defender for Endpoint, and Microsoft Sentinel. You’ll get an in-depth view into attack disruption, incidents and alerts, and best practices for investigation and incident management. You will have the opportunity to: Learn how to investigate, respond to, and hunt for threats using Microsoft Defender and Microsoft Sentinel. Understand how integrating Microsoft 365 Defender and Microsoft Sentinel enhances security and response time. Discover how to help mitigate threats across your entire infrastructure with Microsoft Security tools and solutions. Join us at an upcoming Defend Against Threats with Extended Detection and Response event: Delivery Language: English Closed Captioning Language(s): English

August 06, 2024 \| 12:00 PM – 3:15 PM \| (GMT-05:00) Eastern Time (US & Canada) August 20, 2024 \| 12:00 PM – 3:15 PM \| (GMT-05:00) Eastern Time (US & Canada)


Visit the Microsoft Virtual Training Days website to learn more about other event opportunities.

NIST Cloud Computing Forensic Reference Architecture: SP 800-201

The final version of NIST Special Publication (SP) 800-201, NIST Cloud Computing Forensic Reference Architecture, is now available. This document addresses the need to support a cloud system’s forensic readiness, which is the ability to collect digital forensic evidence quickly and effectively with minimal investigation costs by proactively addressing known challenges that could impact such data collection. Forensic readiness supports incident response processes and procedures, secure internal enterprise operations, and criminal justice and civil litigation system functions.

The document presents a reference architecture to help users understand the forensic challenges that might exist for an organization’s cloud system based on its architectural capabilities. The architecture identifies challenges that require mitigation strategies and how a forensic investigator would apply those strategies to a particular forensic investigation. The reference architecture is both a methodology and an initial implementation that can be used by cloud system architects, cloud engineers, forensic practitioners, and cloud consumers to analyze and review their cloud computing architectures for forensic readiness.