You should be restricting NTLM

There is a security issues that most people do not know
about .. That when you share a file in zoom  and other products, your computer can passes your NTLM security credentials,

There is a GPO that should be set to only pass NTLM inside your
domain

Called Network security:
Restrict NTLM: NTLM authentication in this domaim

Security considerations

This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
NTLM and NTLMv2 authentication is vulnerable to a variety of malicious attacks, including SMB replay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards.

Vulnerability

Malicious attacks on NTLM authentication traffic resulting in a compromised server or domain controller can occur only if the server or domain controller handles NTLM requests. If those requests are denied, this attack vector is eliminated.

Countermeasure

When it has been determined that the NTLM authentication protocol should not be used within a network because you are required to use a more secure protocol such as the Kerberos protocol, then you can select one of several options that this security policy setting offers to restrict NTLM usage within the domain.

Potential impact

If you configure this policy setting, numerous NTLM authentication requests could fail within the domain, which could degrade productivity. Before implementing this change through this policy setting, set Network security: Restrict NTLM: Audit NTLM authentication in this domain to the same option so that you can review the log for the potential impact, perform an analysis of servers, and create an exception list of servers to exclude from this policy setting by using Network security: Restrict NTLM: Add server exceptions in this domain.

 

Secret Service Issues COVID-19 (Coronavirus) Phishing Alert

March 9, 2020
CMR 04-20
Secret Service Issues COVID-19 (Coronavirus) Phishing Alert

    WASHINGTON – Criminals are opportunists, and as seen in the past, any major news event can become an opportunity for groups or individuals with malicious intentions. The Coronavirus is no different. In fact, the Coronavirus is a prime opportunity for enterprising criminals because it plays on one of the basic human conditions…fear. Fear can cause normally scrupulous individuals to let their guard down and fall victim to social engineering scams, phishing scams, non-delivery scams, and auction fraud scams.

    The United States Secret Service is proactively taking steps to alert the public about the types of email scams associated with the Coronavirus. The Secret Service’s Global Investigative Operations Center (GIOC) reports the subsequent email scams:

    “Phishing” is the fraudulent practice of sending emails purporting to be from reputable companies in order to entice individuals to reveal personal information, such as passwords and credit card numbers. Phishing scams have become ubiquitous through email communication and ecommerce. Cyber criminals are exploiting the Coronavirus through the wide distribution of mass emails posing as legitimate medical and or health organizations. In one particular instance, victims have received an email purporting to be from a medical/health organization that included attachments supposedly containing pertinent information regarding the Coronavirus.
   
    This lead to either unsuspecting victims opening the attachment causing malware to infect their system, or prompting the victim to enter their email login credentials to access the information resulting in harvested login credentials. This type of incident enables further occurrences of cyber enabled financial crimes such as Business Email Compromise (BEC), PII theft, ransomware and account takeovers. Another side effect of the Coronavirus is increased teleworking, which furthers the reliance on email for communication adding yet another multiplier to these email fraud schemes. More of these incidents are expected, and increased vigilance regarding email communication is highly encouraged.

Another emerging fraud scheme exploiting the Coronavirus is using social engineering tactics through legitimate social media websites seeking donations for charitable causes related to the virus. Criminals are exploiting the charitable spirit of individuals, seeking donations to fraudulent causes surrounding the Coronavirus. Increased caution should be exercised when donating to charitable organizations.

A third fraud scheme surrounds non-delivery scams. Essentially, criminal actors advertise as an in-demand medical supply company that sells medical supplies that can be used to prevent/protect against the Coronavirus. The criminal enterprise will demand upfront payment or initial deposits then abscond with the funds and never complete delivery of the ordered products.

Quick Tips:

 Phishing Emails / Social Engineering – Avoid opening attachments and clicking on links within emails from senders you do not recognize. These attachments can contain malicious content, such as ransomware, that can infect your device and steal your information. Be leery of emails or phone calls requesting account information or requesting you to verify your account. Legitimate businesses will never call you or email you directly for this information.

Always independently verify any requested information originates from a legitimate source.

Visit websites by inputting the domain name yourself. Business use encryption, Secure Socket Layer (SSL). Certificate “errors” can be a warning sign that something is not right with the website.
The United States Secret Service will continue leading the charge to combat cyber-enabled financial crimes.

To learn more about the Secret Service’s Investigative Mission please visit us at: www.SecretService.gov

This post is a direct copy off of the Secret Service’s web site Here

Gift USB are they a Problem ?

    The FBI is
warning of attacks from the FIN7 APT in which victims are sent USB drives via
USPS and prompted to examine its contents. This attack is a variation of the
“lost USB” or “BadUSB” tactic in which a malicious USB is dropped on site with
the intention of a curious employee finding it and inspecting the contents.
This version, however, is much more targeted. In one instance, the attackers
sent a package containing a USB drive, a letter, and a gift card for a major
electronics retailer to a hospitality company. The letter thanked the
recipient for being a regular customer and prompted them to use the gift card
for any items specified on the USB drive. The FBI warns that many of these
packages have been sent to businesses that targeted employees in human
resources, IT, or management.
    Researchers at
Trustwave analyzed the USB device and found that once plugged in, the USB
emulates a keyboard and downloads a JavaScript backdoor, which the attackers
can use to access the machine. The backdoor, known as GRIFFON, is a tool
commonly associated with the FIN7 group. Researchers found that the backdoor
will contact IP addresses of Russian origin, another indicator of the FIN7
group. In their analysis, researchers were able to match identifiers on the
printed circuit board to a malicious USB for sale on an international marketplace. The
researchers state that the “USB device used an Arduino microcontroller and was
programmed to emulate a USB keyboard. Since PCs trust keyboard USB devices by
default, once it is plugged in, the keyboard emulator can automatically inject
malicious commands.” This device was able to be purchased for as low as 5
dollars, much cheaper than premium BadUSB devices, which can retail for up to
100 dollars.

    While rare, USB style
attacks can happen.
The best way to prevent
this attack is to avoid using any unknown USBs. In an
organization, informing employees about BadUSB attacks and providing a means to
report suspicious devices is an important prevention step. Additionally,
limiting physical access to machines
will help prevent a bad actor on-site from exploiting devices via USB. Some anti- virus programs now provide
keyboard authorization, which means that when
the antivirus detects that a keyboard has been plugged in, the user must verify
that it is indeed a keyboard and not a USB flash drive. BadUSB attacks can take
many forms but educating users in combination with proper security controls is
the best way to prevent the exploitation of this attack.

Sources: 

A new type of attack

    Speculative
execution attacks seem to come out every month at this point. We’ve previously written about ones like Spectre and Meltdown, which allow an attacker to read portions of memory they
should not have access to. A new speculative execution attack has recently been
unveiled which focuses on Intel processors and operates with slight differences
from previous attack methods. The attack was first discovered on April 4th,
2019 by Jo Van Bulck and has been under a press embargo with Intel until very
recently. The attack was also independently discovered by researchers from
Bitdefender in February of 2020.
    The new attack goes by the name Load Value Injection, which is a
descriptor for a new class of attacks on modern Intel processors. The
attack focuses on exfil- trating data from the Intel SGX, which is a vault
built into Intel processors designed to store secrets, even if the host
operating system is compromised. This new attack class can bypass the
mitigations released for all previously known
speculative execution attacks. In addition to bypassing
previous mitigations, the researchers say creating mitigations for this attack
is much more difficult. They also claim a potential performance impact making
SGX computations 19 times slower after mitigations are applied on a system.

     This new attack works in an opposite fashion compared to
previous attacks like Spectre and Meltdown. “We smuggle — ‘inject’ — the
attacker’s data through hidden processor buffers into a victim program and
hijack transient execution to acquire sensitive information, such as the victim’s
fingerprints or passwords”, according to the researchers. This is in contrast to previous attacks
where the victim’s
information was leaked directly to the attacker via arbitrary memory reads.
While the researchers haven’t found a way to leverage this new attack across
virtual machine domains, they believe it is theoretically possible.

 

    To mitigate this new attack class, Intel is performing
hardware fixes in the sili- con of future CPUs. This should reduce the
performance penalty resulting from the software fixes currently being rolled out. For
current CPUs that require miti- gation, Intel is releasing an update to its SGX
SDK for developers. This update includes
multiple fixes such as blacklisting certain processor instructions and explicit
speculative execution barriers. According to Intel, depending on your specific
workload and threat model, it may be advantageous to forego the patches until
the issues are fixes in silicon due to the performance penalties.

Sources:

·            https://lviattack.eu/#faq


COVID-19 and SPYMax on Android APPs

    Cyber criminals are taking full
advantage of the COVID-19 pandemic and increased
communications surrounding it by installing spyware via apps to end-users’
mobile devices. The spyware being utilized is a commercial version called SpyMax, which can be acquired by anyone
with an internet connection and a credit
card.

    Kristin Del Rosso, a researcher with mobile cybersecurity firm Lookout,
has associated the malware with over 30 rogue Android applications to date.
The re- searchers have not yet
associated the various corrupt apps with any
nationstate backed
actors but do note that the “use of these commercial surveillance- ware
families has been observed in the past as part of the tooling used by nationstates in the Middle East.”

    One of the
latest apps taking advantage of the COVID-19 crisis is titled “corona live 1.1”
which is a trojanized version of the legitimate “corona live” application that provides
an interface to the data at the Johns Hopkins
Corona Virus tracker such as infection rates and deaths
caused by the virus. Under the hood, the malicious app is utilizing the
commercial SpyMax application which
has typical spyware capabilities. The SpyMax
tool is capable of accessing files, call logs, SMS messages, contact lists,
location tracking, opening up a shell for the execution of further commands,
listening through the microphone, and watching through the camera.

    Researchers at
Lookout tracked down the command and control server for the app and pivoted
from there to find 30 other unique apps that all share the same infrastructure,
suggesting a much larger surveillance campaign has been in progress for some
time. The command and control domain appears to be hosted through the dynamic
DNS provider No-IP and resolves several different addresses within the same
range. The address space is operated by the Libyan Telecom and Technology
internet service provider. The researchers at Lookout also noted that these
apps were never available from the Google Playstore and that most instances are
being downloaded from third-party sites.

    Kristin Del Rosso also noted,
“This surveillance campaign highlights how in times of crisis, our innate need
to seek out information can be used against us for malicious ends. Furthermore,
the commercialization of ‘off-the-shelf’ spyware kits makes it fairly easy for
these malicious actors to spin up these bespoke campaigns almost as quickly
as a crisis like COVID-19 takes hold.”

Sources:

       
https://blog.lookout.com/commercial-surveillanceware-operators-latest-to-take-advantage-of-covid-19
 

Warning About Coronavirus themed health advisories

    Threat actors are currently spreading malicious
Coronavirus themed health advisories via email which, when opened, deploy a
Remote Administration Tool (RAT) onto the systems of targets. This phishing
campaign has been traced back to APT36, a Pakistan-based group notable for
targeting Indian defense and government entities. Researchers at Malwarebytes
Labs’ Threat Intelligence Team note that the emails attempt to impersonate
Indian government officials and target residents of India. Once the payload is on the
target’s system, the threat actors have full control of that machine. However,
this is not the only group attempting to exploit COVID-19 to infect potential
targets.

    Researchers
have observed nation-state actors from China, North Korea, and Russia attempting to exploit the coronavirus to spread their malware. In February, Russian hackers carried out a phishing campaign in which they hid a backdoor trojan in a document containing news on COVID-19. They then sent these
malicious documents to Ukrainian officials, claiming to be from the Ukraine
Center for Public Health. Toward the end of February, researchers have ob-
served North Korea using similar tactics to other nation states. Researchers
found that a group of North Korean hackers was sending South Korean officials
malware-infested documents disguised as COVID-19 response information. Re-
searchers also found that Chinese hackers were targeting both the Vietnamese and
Mongolian governments using malicious attachments. However, not all COVID-19
themed attacks are happening outside of the United States. Researchers at
Cofense discovered a phishing campaign targeting U.S. citizens, which claimed
to be an email from the Center for Disease Control. 
    The email differs from the attacks previously mentioned in that it
does not contain a document attached to it. Instead, the email tells the
recipient that a high-risk person is being monitored in their city. The email
then provides a fake link to the CDC’s website with more information. The user
is redirected to a fake Microsoft login page where, if entered, the user’s
credentials are harvested.
    Staying safe during this time not only includes
practicing proper hygiene and social distancing measures but employing proper
cybersecurity awareness. Epidemics and natural disasters are, unfortunately,
frequently capitalized on by bad actors. When people are desperate for news, an
email claiming to be from your government’s health department can be quite
convincing. As always, be wary of unsolicited emails containing documents and
links. When in doubt of an email’s authenticity, it is best to exercise caution
and not to click links or download documents contained within the email.

Sources:

·  https://www.bleepingcomputer.com/news/security/nation-backed-hackers-spread-crimson-rat-via-coronavirus-phishing/

 
https://cofense.com/threat-actors-capitalize-global-concern-coronavirus-new-phishing-campaigns/

 

Cryptographic Key Generation: NIST Releases Draft SP 800-133 Rev. 2 for Comment

NIST requests your comments on Draft Special Publication (SP) 800-133 Revision 2, Recommendation for
Cryptographic Key Generation, which discusses the
generation of the keys to be managed and used by
the approved cryptographic algorithms. This revision provides a
method for determining a symmetric key by combining multiple keys and other
data.

The public comment period closes on April 17, 2020. See the publication details for a copy of the
draft and instructions for submitting comments.
NOTE: A call for patent claims is included
on page iii of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent
Policy–Inclusion of Patents in ITL Publications.

Defending Against COVID-19 Cyber Scams

The Cybersecurity and Infrastructure Security Agency (CISA) warns
individuals to remain vigilant for scams related to Coronavirus Disease 2019
(COVID-19). Cyber actors may send emails with malicious attachments or links to
fraudulent websites to trick victims into revealing sensitive information or
donating to fraudulent charities or causes. Exercise caution in handling any
email with a COVID-19-related subject line, attachment, or hyperlink, and be
wary of social media pleas, texts, or calls related to COVID-19.

CISA encourages individuals to remain vigilant and take the following
precautions.

Discovery of Cloud Snooper this week

    Cloud security is as important as ever as more and more services are moved to the cloud. Unfortunately misconfigured servers still exist, regardless of where they are located. A simple Google search (no Shodan required) is all it takes to find unsecured S3 buckets, which can be treasure troves of information. Let’s be real though, that type of find is low-hanging fruit that any script kiddie or automated tool can find. There’s something far more sophisticated lurking in the cloud and there’s a good chance a nation state is behind it.

    Researchers over at SophosLabs announced the discovery of Cloud Snooper this week. They were looking into infected cloud servers hosted by Amazon Web Services (AWS) when they noticed unusual traffic on a Linux server. The security groups (SGs), which are firewall rules designed to limit traffic to the server, were properly configured. But a rootkit and a backdoor were found on the system that allowed the adversary to bypass the firewall altogether.

    It all works by piggybacking malicious packets on legitimate traffic allowed by the SGs. The attacker sends these “disguised” requests to the rootkit, where they are intercepted. The malware sends the command to the backdoor. The outbound traffic is then obfuscated in the same way, giving the adversary the ability to siphon data and execute commands. The researchers noted that because
of this technique “the C2 traffic stays largely indistinguishable from the legitimate web traffic.”

    Linux servers aren’t the only ones vulnerable to Cloud Snooper – there’s also a Windows version based on the notorious Gh0st RAT. What’s worse is that it isn’t limited to cloud services either. The researchers pointed out that the technique could potentially bypass nearly any firewall. Security best practices will help to mitigate the threat, which includes keeping all security services and patches up to date, proper configuration management, and two-factor authentication.

Sources:

Wifi attack called Kr00k, which affects millions of devices

    Wireless network security has come a long way since the days of easily breakable Wired Equivalent Privacy (WEP). WiFi Protected Access (WPA) 2 has been the most commonly used standard since it was released in 2004 and has had very few vulnerabilities since the original release.

    This week however researchers from ESET released the details of a new attack called Kr00k, which affects millions of devices all over the world. This vulnerability can allow an attacker to read data between the device and access point as if there was no encryption at all.

    As detailed in a previous blog, device manufacturers rarely implement common standards like Bluetooth of WiFi into their products from scratch. They instead purchase and integrate one of
the many off the shelf solutions provided by Broadcom or others, tweaking for their specific use case.

    The two most popular chipsets for WiFi come from Broadcom and Cypress, both of which are vulnerable to the Kr00k attack. These chipsets are used in millions of devices including smartphones, laptops, IoT devices, etc. This means that the attacks spans nearly every manufacturer of electronics
that uses WiFi in their products.

    The attack itself is based on a bug in the access point disassociation logic. Disassociations happen via special control frames in a WiFi connection and happen all the time legitimately, whether from low signal or an intentional disconnect from an access point. When a disassociation request happens the vulnerable chipsets reset the transmit buffer with an encryption key of all zeros. This buffer is then finalized by being transmitted out using the all zero encryption key which makes it vulnerable to sniffing by a 3rd party. The transmit buffer is relatively small at only 32 kilobytes but using the attack sequentially via a script makes it possible to leak larger pieces of data given enough time. The same attack can also be used on the access point itself and is not limited to attacking a single client only.

    By using the attack on a vulnerable access point it would be possible to eavesdrop on any client connected to the wireless net-work, whether it has already been patched or not.

    After ESET researchers found the bug they responsibly disclosed it to the chipset makers and began a 120-day countdown for public disclosure. This gave manufacturers plenty of time to create a patch and start rolling it out to vulnerable devices. To make sure that your network is not vulnerable each device utilizing WiFi should be checked to make sure it is patched and up to date. It would also be wise to utilize VPN software when on untrusted networks as it may not be possible to verify that the access point is not vulnerable.

Sources:

https://threatpost.com/billions-of-devices-wifi-encryption-hack/153267/

https://www.zdnet.com/article/new-kr00k-vulnerability-lets-attackers-decrypt-wifi-packets/