My information Resource (blog.mir.net)

Download the content from
the Microsoft Security Compliance Toolkit
(click Download and select Windows 10 Version 1903 and Windows Server Version
1903 Security Baseline.zip).

• Enabling the new “Enable svchost.exe mitigation
  options” policy, which enforces stricter security on Windows services
  hosted in svchost.exe, including that all binaries loaded by svchost.exe
  must be signed by Microsoft, and that dynamically-generated code is
  disallowed. Please pay special attention to this one as it might
  cause compatibility problems with third-party code that tries to use the
  svchost.exe hosting process, including third-party smart-card plugins.
• Configuring the new App Privacy setting, “Let
  Windows apps activate with voice while the system is locked,” so that
  users cannot interact with applications using speech while the system is locked.
• Disabling multicast name resolution (LLMNR) to
  mitigate server spoofing threats.
• Restricting the NetBT NodeType to P-node,
  disallowing the use of broadcast to register or resolve names, also to
  mitigate server spoofing threats. We have added a setting to the custom
  “MS Security Guide” ADMX to enable managing this configuration setting
  through Group Policy.
• Correcting an oversight in the Domain
  Controller baseline by adding recommended auditing settings for Kerberos
  authentication service.
• Dropping the password-expiration policies that
  require periodic password changes. This change is discussed in further
  detail below.
• Dropping the specific BitLocker drive
  encryption method and cipher strength settings. The baseline has been
  requiring the strongest available BitLocker encryption. We are removing
  that item for a few reasons. The default is 128-bit encryption, and our
  crypto experts tell us that there is no known danger of its being broken
  in the foreseeable future. On some hardware there can be noticeable
  performance degradation going from 128- to 256-bit. And finally, many
  devices such as those in the Microsoft Surface line turn on BitLocker by
  default and use the default algorithms. Converting those to use 256-bit
  requires first decrypting the volumes and then re-encrypting, which
  creates temporary security exposure as well as user impact.
• Dropping the File Explorer “Turn off Data
  Execution Prevention for Explorer” and “Turn off heap termination on
  corruption” settings, as it turns out they merely enforce default
  behavior, as Raymond Chen describes here.

• Dropping the enforcement of the default
  behavior of disabling the built-in Administrator and Guest accounts. We
  had floated this proposal at the time of the draft baseline, and have
  since decided to accept it. The change is discussed in more detail below.
• Dropped a Windows Defender Antivirus setting
  that applies only to legacy email file formats.
• Changed the Windows Defender Exploit Protection
  XML configuration to allow Groove.exe (OneDrive for Business) to launch
  child processes, particularly MsoSync.exe which is necessary for file
  synchronization.

GO Here for the full article

    Docker is a well known application that uses operating-system-level virtualization to develop and deliver software in packages called containers. Senior software engineer Aleksa Sarai discovered a flaw that affects all versions of Docker, that could allow an attacker to gain read and write access to any file on the host system. Recently, a proof-of-concept code has been released demonstrating how an attacker could use this vulnerability.

     The vulnerability stems from FollowSymlinkInScope function, allowing a basic time-of-check to time-of-use (TOCTOU) attack that gives read and write access to any file on the host system. The purpose of the FollowSymlinkInScope is to “resolve a specified path in a secure manner by treating the processes as if they were inside the Docker container.” The resolved path is not operated on immediately, meaning that an attack could potentially speculate on the gap and then add a symbolic link path that could resolve on the host with root privileges. The docker cp utility is what allows copying content from Docker containers to the host file system.

    There are a few different approaches being proposed when it comes to addressing this vulnerability. Sarai proposed making changes to “chrootarchive.” This would allow archive operations to take place in a secure environment where the root is the container “rootfs.” However, this would involve changing a core piece of Docker, which is not feasible. According to Sarai, “Unfortunately, changes to this core piece of Docker are almost impossible (the TarUntar interface has many copies and re-implementations that would all need to be modified to be able to handle a new ‘root’ argument). Therefore, another approach that has been proposed is to pause the container when using the file system. This would not actually prevent all of the possible attacks. However, it would protect against some of the more basic attacks. A patch to do just this has been submitted upstream and is currently under review.

    Sarai provided two different scripts to show off the exploit, one for read and one for write. Sarai explained the scripts are “…a fairly dumb reproducer which basically does a RENAME_EXCHANGE of a symlink to “/” and an empty directory in a loop, hoping to hit the race condition. Then our “user” attempts to copy a file from the path repeatedly,” explained the expert. “You can call it like this (note that since this requires exploiting a race condition, only a small percentage of the attempts succeed — however if I had made my reproducer a bit more clever about how quickly it does the RENAME_EXCHANGE it could be more likely to hit the race).” Sarai explained that the success rate with this exploit is about .06%, which seems low, but realistically, it would only take about 12 seconds for this exploit to reach success. 
Sources: • https://securityaffairs.co/wordpress/86272/hacking/docker-race-condition-flaw.html 
• https://nvd.nist.gov/vuln/detail/CVE-2018–
• https://github.com/moby/moby/pull/39252

    The end of last month at Black Hat Asia 2019, Mark Ermolov and Maxim Goryachy from Positive Technologies gave a presentation titled “Intel VISA: Through the Rabbit Hole”. Slashdot characterized the presentation as researchers had discovered and abused new and undocumented features in intel chipsets.

    The capability is named Intel Visualization of Internal Signals Architecture (Intel VISA) and it is a utility included in modern Intel chipsets to help with testing/debugging during manufacturing. It is included with Platform Controller Hub (PCH) chipsets, is a part of modern Intel CPUs, and functions much like a logic signal analyzer. It is able to collect signals sent from internal buses and peripherals to the PCH and CPU. Effectively this means unauthorized access to the VISA would expose ANY data to examination by an unscrupulous person to intercept and collect data from the computer memory and function at the lowest possible level.

    The real question is: Is there a real threat? The researchers said they have several methods of enabling Intel VISA and capturing data, including the secretive Intel Management Engine (ME) which has been housed in the PCH since the release of the Nehalem processors and 5-Series chipsets.  But there are caveats. On the positive side, Intel has not publicly disclosed the feature and is only shared with others under a non-disclosure agreement. Additionally, the feature is disabled by default, so attackers must first figure out how to enable it before exploiting it. On the negative side, the researchers found a way to disable Intel VISA using an older Intel ME vulnerability. Intel released a firmware patch that fixes that particular vulnerability in 2017 (INTEL-SA-00086), but unless there was an explicit update to the firmware (it’s not correctable via OS update) the CPU remains affected.

      It’s worth noting that if the attacker has exploited the Intel ME vulnerability, they are well into your system and there is little additional capability offered via VISA that they don’t already have. But back on the negative side, if an attacker finds an alternate to enable VISA, that could indeed become a new attack vector.

     The researchers indicated that they know three alternate ways to enable VISA, which they revealed in the presentation slides (link below). The bigger question remains: what other secret or undocumented modes/ features lie in Intel’s CPUs? Intel may try to keep them secret from the public, but security through obscurity is no paradigm to follow.
   As the researchers proved, people will uncover those secret features, and some will abuse them.

Sources:

• https://i.blackhat.com/asia-19/Thu-March-28/bh-asia-Goryachy-Ermolov-Intel-Visa-Through-the-Rabbit-Hole.pdf

• https://www.zdnet.com/article/researchers-discover-and-abuse-new-undocumented-feature-in-intel-chipsets/

    Researchers at Blackberry’s Cylance Labs have discovered novel techniques utilizing steganography, the practice of concealing a file, message, image, or video within another file, message, image, or video, to load malware payloads onto victims’ machines. 

    The Advanced Persistent Threat (APT) group “OceanLotus”, primarily believed to be Vietnam-based, is using steganography techniques to deliver malware backdoors on compromised systems. The malware loader utilizes steganography techniques to read an encrypted payload contained within an image file to decrypt and execute the malicious payload which loads one of two backdoors onto the machine. The backdoors are associated with OceanLotus’ parent cyber espionage group, APT32, and were first discovered back in 2017, namely the Denes backdoor and the Remy backdoor. 

    Researchers at Cylance labs pointed out that it would not be difficult to swap out the backdoors for some other malicious payload and that what is essential is the tactic of using steganography to hide the payload and that it would still be just as effective. The threat actor would encode the image with their payload of choice before distributing it with a simple decoder to the target.   The obfuscation of the malware payload loading portion of the technique is what’s impressive from a security detection point of analysis.

    The group has seemingly avoided discovery using common steganography detection techniques. To accomplish this, they utilize the “bespoke” tool to encode data into the images using a least significant bit approach to both minimize visual differences between the encoded image with it’s original and to avoid detection/ analysis by discovery tools.

    “The user does not interact with the image (nor is the image sent via email), rather the image is used to hide the payload from analysts/tools/monitoring software. In a way, the payload is hiding in plain sight, as an image carrying a payload will be virtually indistinguishable from an original image”, said Tom Bonner, BlackBerry Cylance director of threat research.  

    The payload, once executed and loaded onto the machine, then downloads Dynamic Link Libraries (DLL) and Command and Control communications libraries that are heavily obfuscated with large quantities of useless junk code, said researchers from Cylance. The junk code significantly inflates the library’s size which makes both static analysis and debugging more difficult.

Source:
• https://cyware.com/news/oceanlotus-threat-actor-group-leveragessteganography-to-deliver-backdoors-781be11c 

The National
Cybersecurity Center of Excellence (NCCoE) at NIST is seeking comments on
a revised draft
of the practice guide NIST
SP 1800-13, Mobile Application Single Sign-On. The
guide aims to help public safety first responder personnel efficiently and
securely gain access to their mission-critical data via mobile devices and
applications. 

The goal of this project is to
illustrate a method for public safety organizations to deploy efficient and
interoperable multifactor authentication and single sign-on tools to protect
access to sensitive information while meeting the demands of an operational
environment that relies on rapid response. This revision of the original NIST SP
1800-13 was updated at the request of the public safety community to
incorporate iOS version 12. Organizations are encouraged to review the draft
and provide feedback for possible incorporation into the practice guide.

This project will result in a
publicly available NIST Cybersecurity Practice Guide (NIST SP 1800 series) –a
detailed implementation guide of the practical steps needed to implement a
cybersecurity reference design that addresses a particular challenge. 

The public comment period ends on June 28, 2019. See the publication details for links to
the document files and instructions for submitting comments.

Publication details:
https://csrc.nist.gov/publications/detail/sp/1800-13/draft

Project homepage:
https://www.nccoe.nist.gov/projects/use-cases/mobile-sso

Microsoft released fixes for a critical Remote Code Execution vulnerability, CVE-2019-0708, in Remote
Desktop Services – formerly known as Terminal Services – that
affects some older versions of Windows. The Remote Desktop Protocol
(RDP) itself is not vulnerable. This vulnerability is pre-authentication
and requires no user interaction. In other words, the vulnerability is
‘wormable’, meaning that any future malware that exploits this
vulnerability could propagate from vulnerable computer to vulnerable
computer in a similar way as the WannaCry malware spread across
the globe in 2017. While we have observed no exploitation of this
vulnerability, it is highly likely that malicious actors will write an
exploit for this vulnerability and incorporate it into their malware. 

Now that I have your attention, it
is important that affected systems are patched as quickly as possible to
prevent such a scenario from happening. In response, we are taking the
unusual step of providing a security update for all customers to protect
Windows platforms, including some out-of-support versions of Windows. 

Vulnerable in-support systems include
Windows 7, Windows Server 2008 R2, and Windows Server 2008. Downloads
for in-support versions of Windows can be found in the Microsoft Security Update Guide. Customers who use an in-support version of Windows and have automatic updates enabled are automatically protected.  

Out-of-support systems include Windows
2003 and Windows XP. If you are on an out-of-support version, the best
way to address this vulnerability is to upgrade to the latest version of
Windows. Even so, we are making fixes available for
these out-of-support versions of Windows in KB4500705. 

Customers running Windows 8 and Windows
10 are not affected by this vulnerability, and it is no coincidence that
later versions of Windows are unaffected. Microsoft invests heavily in
strengthening the security of its products, often through major
architectural improvements that are not possible to backport to earlier
versions of Windows.  

There is partial mitigation on affected systems that have Network Level Authentication (NLA) enabled.
The affected systems are mitigated against ‘wormable’ malware or
advanced malware threats that could exploit the vulnerability, as NLA
requires authentication before the vulnerability can be triggered.
However, affected systems are still vulnerable to Remote Code
Execution (RCE) exploitation if the attacker has valid credentials that
can be used to successfully authenticate. 

It is for these reasons that we strongly
advise that all affected systems – irrespective of whether NLA is
enabled or not – should be updated as soon as possible.  

Resources
Links to downloads for Windows 7, Windows 2008 R2, and Windows 2008
Links to downloads for Windows 2003 and Windows XP  

Source Microsoft TechNet

Microsoft is excited to announce enhancements to BitLocker management capabilities in both Microsoft Intune and System Center Configuration Manager (SCCM), coming in the second half of 2019. Whether your management infrastructure is on-premises or in the cloud, robust BitLocker management is required for today’s enterprises to secure modern endpoints.
 
Microsoft provides a range flexible BitLocker management alternatives to meet your organization’s needs, as follows:

•     Cloud-based BitLocker management using Microsoft Intune
•     On-premises BitLocker management using System Center Configuration Manager
•     Microsoft BitLocker Administration and Monitoring (MBAM)

To learn more about the new enhancements to BitLocker Go Here
Detailed Information found on Microsoft web site..

Normally I would not post a Phishing attack but this one seems to be working