Microsoft Releases a critical Remote Code Execution vulnerability for Windows 7, Windows Server 2008 R2, and Windows Server 2008

Microsoft released fixes for a critical Remote Code Execution vulnerability, CVE-2019-0708, in Remote
Desktop Services – formerly known as Terminal Services – that
affects some older versions of Windows. The Remote Desktop Protocol
(RDP) itself is not vulnerable. This vulnerability is pre-authentication
and requires no user interaction. In other words, the vulnerability is
‘wormable’, meaning that any future malware that exploits this
vulnerability could propagate from vulnerable computer to vulnerable
computer in a similar way as the WannaCry malware spread across
the globe in 2017. While we have observed no exploitation of this
vulnerability, it is highly likely that malicious actors will write an
exploit for this vulnerability and incorporate it into their malware. 

Now that I have your attention, it
is important that affected systems are patched as quickly as possible to
prevent such a scenario from happening. In response, we are taking the
unusual step of providing a security update for all customers to protect
Windows platforms, including some out-of-support versions of Windows. 

Vulnerable in-support systems include
Windows 7, Windows Server 2008 R2, and Windows Server 2008. Downloads
for in-support versions of Windows can be found in the Microsoft Security Update Guide. Customers who use an in-support version of Windows and have automatic updates enabled are automatically protected.  

Out-of-support systems include Windows
2003 and Windows XP. If you are on an out-of-support version, the best
way to address this vulnerability is to upgrade to the latest version of
Windows. Even so, we are making fixes available for
these out-of-support versions of Windows in KB4500705

Customers running Windows 8 and Windows
10 are not affected by this vulnerability, and it is no coincidence that
later versions of Windows are unaffected. Microsoft invests heavily in
strengthening the security of its products, often through major
architectural improvements that are not possible to backport to earlier
versions of Windows.  

There is partial mitigation on affected systems that have Network Level Authentication (NLA) enabled.
The affected systems are mitigated against ‘wormable’ malware or
advanced malware threats that could exploit the vulnerability, as NLA
requires authentication before the vulnerability can be triggered.
However, affected systems are still vulnerable to Remote Code
Execution (RCE) exploitation if the attacker has valid credentials that
can be used to successfully authenticate. 

It is for these reasons that we strongly
advise that all affected systems – irrespective of whether NLA is
enabled or not – should be updated as soon as possible.  

Resources
Links to downloads for Windows 7, Windows 2008 R2, and Windows 2008
Links to downloads for Windows 2003 and Windows XP  


Source Microsoft TechNet

New About Bitlocker enhancements


Microsoft is excited to announce enhancements to BitLocker management capabilities in both Microsoft Intune and System Center Configuration Manager (SCCM), coming in the second half of 2019. Whether your management infrastructure is on-premises or in the cloud, robust BitLocker management is required for today’s enterprises to secure modern endpoints.

 
Microsoft provides a range flexible BitLocker management alternatives to meet your organization’s needs, as follows:

  •     Cloud-based BitLocker management using Microsoft Intune
  •     On-premises BitLocker management using System Center Configuration Manager
  •     Microsoft BitLocker Administration and Monitoring (MBAM)


To learn more about the new enhancements to BitLocker Go Here
Detailed Information found on Microsoft web site..

Alert: Phishing Scam Email From “[email protected]

Normally I would not post a Phishing attack but this one seems to be working

02 May 2019
LOS ANGELES – 2 May 2019 – The Internet
Corporation for Assigned Names and Numbers (“ICANN”) has received
reports that a phishing
email
from “[email protected]
has been sent to ICANN contracted parties.
The [email protected]
email address, for example, is not a valid ICANN organization email address.
Contracted parties may have recently received emails from “[email protected]“,
which is a valid ICANN org email address. If you receive an email from the
[email protected]” address, or
any other suspicious email address, do not respond. Please forward the email
in its entirety to [email protected].
For additional information about phishing
scams, visit https://www.icann.org/resources/pages/phishing-2013-05-03-en.

About ICANN

ICANN’s mission is to help ensure a stable,
secure, and unified global Internet. To reach another person on the Internet,
you need to type an address – a name or a number – into your computer or
other device. That address must be unique so computers know where to find
each other. ICANN helps coordinate and support these unique identifiers
across the world. ICANN was formed in 1998 as a not-for-profit public-benefit
corporation with a community of participants from all over the world.
 

New NIST draft practice guide, SP 1800-15, “Securing Small-Business and Home Internet of Things (IoT) Devices

The National Cybersecurity Center of Excellence (NCCoE)
has published a preliminary draft practice guide, SP 1800-15, “Securing
Small-Business and Home Internet of Things (IoT) Devices: Mitigating
Network-Based Attacks Using Manufacturer Usage Description (MUD),” and is
seeking public comments. The popularity of IoT devices is growing rapidly, as
are concerns over their security. IoT devices are often vulnerable to malicious
actors who can exploit them directly and use them to conduct network-based
attacks. SP 1800-15 describes for IoT product developers and implementers an
approach that uses MUD to automatically limit IoT devices to sending and
receiving only the traffic that they require to perform their intended
functions.

We will use this feedback to help shape the next version
of this document.

Please
submit your comments by June 24, 2019. See the publication details link below
for a copy of the document and instructions for submitting comments.

New NIST Drafts 8213 Reference for Randomness Beacons: Format and Protocol Version 2

NIST has
released Draft NIST Internal Report (NISTIR) 8213,
A Reference for Randomness Beacons: Format and Protocol
Version 2
, for public comment. A randomness beacon is a timed
source of public randomness. It pulsates fresh randomness at expected times and
makes it available to the public. The pulses contain random values that are
timely generated, stored, timestamped, signed and hash-chained in a publicly-readable
database. Thereafter, any external user can retrieve—via database queries—any
past pulse and its associated data. Beacons offer the potential to improve
fairness, auditability and efficiency in numerous societal applications that
require randomness. A notable benefit of using public randomness is in enabling
after-the-fact verifiability, for the purpose of public transparency.

Draft NISTIR 8213 provides a
reference for implementing interoperable randomness beacons. The document
defines terminology and notation, a format for pulses, a protocol for beacon
operations, hash-chaining and skiplists of pulses, and the beacon interface
calls. It also provides directions for how to use beacon randomness, and
includes security considerations. With the release of this draft publication,
NIST intends to seek constructive feedback from interested parties.

The public comment period for this draft closes
on August 5, 2019
. See the publication details link below for
the document and instructions for submitting comments.

NOTE:  A call for patent claims is included on page iv of
this draft. For additional information, see the Information
Technology Laboratory (ITL) Patent Policy–Inclusion of Patents in ITL
Publications
.

Publication detaills:
https://csrc.nist.gov/publications/detail/nistir/8213/draft

NIST Randomness Beacon project:
https://www.nist.gov/programs-projects/nist-randomness-beacon

E-mail Signature Verification Methods Secuity Issue

    E-mail changed the communication world forever, allowing for instant communication as opposed to what is now commonly referred to as “snail mail”. When it was designed, security was not really a concern that was built in. Over time cryptographic methods were developed to help communicators verify the authenticity of senders through electronic signatures, such as the OpenPGP and Signed Multipurpose Internet Mail Extensions (S/MIME) standards. However, new research has discovered some serious flaws in many popular implementations of these methods.

    Researchers from Ruhr University Bochum and Münster University of Applied Sciences tested 25 popular e-mail clients from various operating systems including Windows, Linux™, macOS, iOS, and Android as well as web-based clients to see how they fared against signature spoofing attacks. The team used five attack classes with the goal of the attacker being able to “create and send an email with arbitrary content to Bob whose email client falsely indicates that the email has been digitally signed by Alice” where Bob and Alice are legitimate communicators who have securely exchanged cryptographic keys/certificates.

These classes are:
    • Exploiting flaws due to mishandling of Cryptographic Message Syntax (CMS).
    • Performing GnuPG API injection attacks.
    • MIME attacks against handling of partially signed messages.
    • Displaying a valid ID on the e-mail header with a false signature.
• Using HTML and CSS to mimic valid signatures in the user interface.
    The testing revealed that 14 of 20 OpenPGP clients and 15 of 22 S/MIME clients were at least partially vulnerable to these attacks. Many were able to be tricked with spoofed signatures on all UI levels, with all of the subset being able to spoof a signature even with limitations that could still go unnoticed by users. The only client to show no vulnerabilities on the OpenPGP or S/MIME tests was the web client Horde/IMP. This testing shows that just because certain standards and methods may be in wide use doesn’t necessarily mean they are secure by default. For a full list of tested clients and detailed testing methods and results, please refer to the “johnny-fired” PDF from the researchers linked below.
Sources:
https://thehackernews.com/2019/04/email-signature-spoofing.html 
https://github.com/RUB-NDS/Johnny-You-Are-Fired/raw/master/paper/johnny-fired.pdf
https://www.technadu.com/popular-email-clients-vulnerable-signaturespoofing-attacks/66443/05

Dells SupportAssist Vulnerability

    The Dells SupportAssist software is currently associated with a vulnerability allowing Remote Code Execution (RCE) attacks. It comes pre-installed on virtually all new Dell devices running Windows®, the SupportAssist application “proactively checks the health of your system’s hardware and software. When an issue is detected, the necessary system state information is sent to Dell for troubleshooting to begin.”

    Dell released an advisory, DSA-2019-051: Dell SupportAssist Client Multiple Vulnerabilities, where it announced “An unauthenticated attacker, sharing the network access layer with the vulnerable system, can compromise the vulnerable system by tricking a victim user into downloading and executing arbitrary executables via SupportAssist client from attacker hosted sites.” The vulnerability is being tracked as CVE-2019-3719 and comes with a Base Severity score 8.0 HIGH in NIST’s CVE database. MITRE has performed an analysis on the vulnerability and has also added that description to the CVE stating, “Dell SupportAssist Client versions prior to 3.2.0.90 contain a remote code execution vulnerability. An unauthenticated attacker, sharing the network access layer with the vulnerable system, can compromise the vulnerable system by tricking a victim user into downloading and executing arbitrary executables.”
    Primarily Dell uses the SupportAssist application to be able to install drivers and other software remotely, but to accomplish this, it must be able to detect what is already present on your system.   Installing the SupportAssist package installs two packages, the SupportAssistAgent, and the Dell Hardware Support service. The services essentially expose a REST API of sorts which supports the communication between the service and Dell’s websites.

    Security researcher Bill Demirkapi who discovered the vulnerability states in his blog “On start, Dell SupportAssist starts a web server (System.Net.HttpListener) on either port 8884, 8883, 8886, or port 8885. The port depends on whichever one is available, starting with 8884. On a request, the ListenerCallback located in HttpListenerServiceFacade calls ClientServiceHandler.ProcessRequest.
ClientServiceHandler.ProcessRequest, the base web server function, starts by doing integrity checks for example making sure the request came from the local machine and various other checks. Later in this article, we’ll get into some of the issues in the integrity checks, but for now most are not important to achieve RCE.”

    It should also be noted that Demirkapi discovered the vulnerability in September of 2018 and promptly sent a write up to Dell explaining the RCE vulnerability. Dell confirmed the vulnerability on 11/22/2018 and finally released a patch and advisory on 4/18/2019. 
Sources: 
https://nvd.nist.gov/vuln/detail/CVE20193719#vulnCurrentDescriptionTitle
https://d4stiny.github.io/RemoteCode-Execution-on-most-Dellcomputers

Windows Server Summit 2019 on May 22nd, 2019

Wednesday, May 22, 2019
9:00 AM–11:00 AM Pacific Time

Join
this virtual event to learn about strategies, insights, and
technologies to modernize and manage your Windows Server ecosystem. Be
among the first to learn about exciting new product capabilities. 

You’ll also:

  • Discover what’s new in Windows Server 2019, Windows Admin Center, and Azure Stack HCI.
  • Learn how to take advantage of Azure services to integrate your on-premises environment with the cloud. 
  • Get tips and tricks to modernize your evolving applications and infrastructure before support for Windows Server 2008 and 2008 R2 ends. 

Agenda:

  • Innovations in Microsoft’s hybrid strategy: Deep dive into Microsoft’s hyperconverged technologies and how to add hybrid services from Azure.
  • Modernize Windows Server apps and workloads: Learn about security, Remote Desktop Services, containers, and features on demand.
  • New in management and security: See what’s new in Windows Admin Center, System Center 2019, and Windows Server 2019.
  • Insights and best practices: Chat with Windows Server community experts.
  • Looking ahead: Learn more about Windows Server Semi-Annual Channel and Windows Server on Azure.
Register here

Hawkeye malware kit

    Researchers have found a new version of the Hawkeye malware kit and have noticed that alongside technical advances, they’ve included some business improvements.

    While Hawkeye has been a product since 2013, the recent change in ownership at the end of 2018 has decided that change beyond just its capabilities is in order. Providing a business via a licensing model extends the longevity and security of a revenue source and maintains the sales relationship with minimal effort. Including a terms of service that forbids illicit use sheds a small degree of liability, but including a restriction against their product being scanned by antivirus software seems to negate any possible plausible deniability. These steps seem to be an effort to distance the provider from the “troubled youth” of the malware and legitimize it to some degree but utterly fails to actually reform it.

    The malware itself is found in ongoing malware campaigns since mid 2018, before the regime change. The formula adheres to many of the usual suspects: vague emails about fiscal functions and duties that sound urgent, confirmations and audits of things that require oversight, general notices of company gatherings with details not contained in the body of the email, and other pedestrian and mundane pieces of bait for the weaponized Excel hook. Sometimes an RTF or Doc file is used for older campaigns and occasionally the malicious document is stored a few more steps away in a drobox or other file sharing location.

    The current attacks use the CVE-2017-11882 vulnerability, a buffer overflow vulnerability in Excel’s equation editor. It triggers the memory handling error when the  data sent for the font name is too long which then allows the attacker to execute arbitrary code on the victims machine with the victims level of privilege. 
    At this point the attacker downloads a payload from an attacker controlled server, which decompiles itself and retrieves a final payload which cements Hawkeye in the user’s system. The researchers found tools not used in the current campaign such as Anti-Virtual machine detection, USB drive infection, and others.
   Hawkeye itself offers keylogging, systems monitoring, and other espionage tools as well as a way to exfiltrate data collected and technical support for as long as your license is valid. The latest campaign hinges on a vulnerability that has since been patched. As always, update your programs and be vigilant of any suspicious documents.
Sources: 
https://securityaffairs.co/wordpress/84008/malware/hawkeyestealer.html
https://blog.talosintelligence.com/2019/04/hawkeye-reborn.html
https://threatpost.com/hawkeye-keylogger-malspam-campaigns/143807/

Security Issues with Macro enabled Systems

   Macro enabled Office documents are a useful tool for automating advanced calculations in document files but they have a long history of abuse as well. They are easy to spot as documents containing embedded Visual Basic for Applications (VBA) code have a ‘m’ at the end of the filename, e.g .xlsm or .docm. When opening these files Microsoft Office asks if you would like to enable the embedded macros, and for good reason. They can be used to run malicious code on a target system or infect the computer with malware.

    Researchers at Checkpoint recently uncovered a new malicious document campaign targeting government finance entities and several embassies in Europe. If these documents are opened with macros enabled they drop multiple malicious AutoHotKey scripts onto the target system and begin communicating with command and control servers to exfiltrate data. Specifically the document drops 4 files, the AutoHotKey program itself and 3 scripts used to gather information or take control of the computer. ‘htv.ahk’ is the most dangerous of the 3 scripts dropped, it grabs a malicious version of Teamviewer, executes it, and then sends login credentials to the attackers server.

    The malicious version of Teamviewer has a few interesting modifications. First it completely hides the running instance so that the attacker can take control without the user receiving any notifications the way that the standard version would provide. It also allows for the transfer and execution of additional .exe and .dll files onto the target machine. The standard version of Teamviewer only supports transferring files; execution would be done through the Windows GUI. Later versions of the malicious Teamviewer application also provide a more traditional command and control mechanism via text based commands. This interface allows the attacker to do much more including searching for files or download and execution of files from an external webserver.

    Checkpoint acknowledges that in most cases it is difficult to provide attribution for attacks such as these. In this case however they were able to find posts on a clearnet hacking forum with code samples identical to the ones used in the campaign. Beyond the identical code samples the user ‘EvaPicks’ was also talking about techniques used in the campaign. 

    Most high end firewalls will inspect macro enabled document files with extra scrutiny because of attacks like this. AutoHotKey is also frequently detected as malicious software by anti virus programs despite its legitimate use in task automation. Regardless end users must remain vigilant when opening files from unknown sources in order to protect sensitive information and equipment.
Sources:
https://research.checkpoint.com/finteam-trojanized-teamviewer-againstgovernment-targets/
https://threatpost.com/teamviewer-attacks-state-department/144014/