Tag Archives: hits

3 zero-day fixes in heavy April Patch Tuesday release

Just when things couldn’t get worse, the hits keep on coming for Windows administrators.

At a time when the coronavirus pandemic is straining resources and stretching administrators’ nerves, the next avalanche of security updates landed on April Patch Tuesday. Microsoft delivered fixes for 113 vulnerabilities, including three zero-days with varying levels of severity on both supported and unsupported Windows systems. The total number of vulnerabilities repaired this month was just two shy of March’s epic release.

Out of the 113 bugs repaired on April Patch Tuesday, 19 are rated critical. Microsoft products that received fixes include Windows, both Edge browsers (HTML- and Chromium-based), Internet Explorer, ChakraCore, Microsoft Office and Microsoft Office Services and Web Apps, Windows Defender, Visual Studio, Microsoft Dynamics, and Microsoft Apps for Android and Mac systems.

The heightened urgency to patch quickly due to multiple zero-days will test the mettle of administrators, many of whom have been working tirelessly to help users work remotely with little time to prepare.

“That’s a nice recipe for disaster,” said Chris Goettl, director of product management and security at Ivanti, a security and IT management vendor based in South Jordan, Utah.

He noted that all the zero-days affect the Windows 7 and Server 2008/2008 R2 OSes, which all reached end-of-life in January but have patches available for customers that can afford to subscribe to the Extended Security Updates program. Goettl said he noticed a pattern with this crop of Microsoft updates.


“It looks like the [zero-day] exploits are happening, in most of these cases, on the older platforms. So it’s very likely these are targeting Windows 7 and Server 2008 platforms, especially trying to take advantage of people’s inability to patch,” he said.

Three zero-days affect Windows systems

Two bugs (CVE-2020-0938 and CVE-2020-1020) in the Adobe Font Manager Library affect all supported Windows OSes on both the client and server side, leaving unpatched systems vulnerable to remote code execution attacks. A user could trigger the exploit several ways, including opening a malicious file or examining a document via the File Explorer preview pane. 

Windows 10 systems have built-in protections that would limit the attacker to the AppContainer sandbox where they would not be able to do much damage, Goettl noted. 

The other zero-day (CVE-2020-1027) is an elevation-of-privilege vulnerability in the Windows kernel rated important that affects all supported Windows versions. To take advantage of the flaw, the attacker would need local credentials to run a malicious file. The patch changes how the Windows kernel handles objects in memory.

Other noteworthy April Patch Tuesday fixes

Initially reported by Microsoft as another zero-day but revised shortly thereafter, CVE-2020-0968 describes a remote code execution flaw in the Internet Explorer scripting engine. The bug is rated critical for Windows client systems and moderate for Windows Server OSes due to built-in protections. 

The attacker can target a user a few different ways — through a website with user-contributed ads or content or via a document specially crafted with the IE scripting engine and using ActiveX to run malicious code — but the damage is limited to the privilege level of the user of the unpatched system.

“This one is able to be mitigated if the user has less than full admin rights,” Goettl said. “In those cases, [the attacker] would get full control of the box, but then they would have to exploit something else to gain full administrative access.”

Hyper-V shops will want to address a remote-code flaw (CVE-2020-0910) rated critical for Windows 10 and Windows Server 2019 systems. This bug lets an attacker with credentials on a guest OS run code on the Hyper-V host. 

CVE-2020-0935 is a publicly disclosed vulnerability in the OneDrive for Windows application rated important that could let an attacker run a malicious application to take control of the targeted system. OneDrive has its own updating system so customers with machines connected to the Internet should have the fix, but IT workers will need to perform manual updates on systems that have been air-gapped.

Report: Hundreds of thousands of Exchange systems remain vulnerable

Exchange Server is a notoriously complex messaging platform to manage. It’s one of the most important communication tools for just about every company, which means downtime is not an option. When you combine these factors, it’s no surprise that many Exchange Server systems do not get the patching attention they deserve.

Cybersecurity services company Rapid7 highlighted this issue with a recent report that shows more than 350,000 Exchange Server systems were still susceptible to a flaw that Microsoft corrected in February.

CVE-2020-0688 is a remote code execution vulnerability that only requires an attacker to have the credentials of an Exchange user account — not even an administrator — to overtake the Exchange Server system and possibly Active Directory.

Rapid7 claimed its researchers uncovered even more troubling news.

“There are over 31,000 Exchange 2010 servers that have not been updated since 2012. There are nearly 800 Exchange 2010 servers that have never been updated,” Rapid7’s Tom Sellers wrote in the blog.

Many IT workers use a staggered deployment to roll out Microsoft updates in stages as one way to limit issues with a faulty update. Many organizations can spare several Windows client and server systems for testing, but it’s rare to see a similar non-production environment for an Exchange Server system.

“Exchange updates are complex and take a long time,” Goettl said. “And because of the way some companies have customized their email services, Exchange can be very sensitive [to updates] as well. You can’t duplicate your Exchange environment very easily.”

Microsoft offers VPN help in wake of pandemic

With more remote users connected to VPN due to the coronavirus pandemic, rolling out this month’s Patch Tuesday updates could slow access across the network to other resources for end users. 

Most organizations were caught unprepared by the sudden surge of remote users. With enough time and money, IT could alleviate potential congestion through traffic shaping or upgraded infrastructure to increase network speeds. Other organizations can avoid problems with limited bandwidth over VPN by using a third-party patching offering or Microsoft Intune to route security updates directly from Microsoft to the end user’s machine. But some organizations that use Microsoft Endpoint Configuration Manager — formerly System Center Configuration Manager — do not have that functionality, which limits their options. 

Microsoft engineer Stefan Röll wrote a blog to help these customers with a tutorial to set up a VPN split tunnel configuration. This type of arrangement helps avoid network overload.

“Managing your [d]evices (especially security updates and software installations) is necessary and will become challenging as the majority of your work force will be connected to the corporate network via VPN. Depending on the number of clients even a couple of 100MB security updates will quickly add up to several [gigabytes] or [terabytes] that [need] to be pushed out over your VPN network. Without further consideration you can quickly overload your VPN connection causing other applications to degrade in performance or to completely fail,” Röll wrote. 


Wanted – Gtx 1050 or similar graphics card

Morning buddy,

Here is the official blurb…
“The EVGA GeForce GTX 1050 hits the perfect spot for that upgrade you know you need, but at the value you want! With the advanced NVIDIA Pascal architecture, the GTX 1050 displays stunning visuals and great performance at 1080p resolution. Installing an EVGA GeForce GTX 1050 gives you the power to take on today’s titles in Full 1080p HD – with room to spare.

Manufacturer: EVGA
Chipset: GIGABYTE
Type: Graphics Card
Video memory: 2 GB
Video memory type: GDDR5
Output: HDMI, DVI, DisplayPort”

And attached is the official image but I’ll post some images later if okay.

ChrisHoppyBot


Wanted – Gtx 570 , gtx 660 or similar power – price range

PyRoMineIoT cryptojacker uses NSA exploit to spread

A new malware variant reads like the greatest hits of cyberthreats: a cryptojacker using an NSA exploit to scan for IoT devices with hardcoded passwords to spread and distribute the miner. And according to experts, there’s blame to be had on all sides.

Researchers at Fortinet’s FortiGuard Labs have been tracking Python-based malware that uses the EternalRomance National Security Agency (NSA) exploit to spread and install a cryptominer — hence, PyRoMine. And, now, the researchers found a variant that directly targets IoT devices, which they call PyRoMineIoT.

Jasper Manuel, a malware researcher at Fortinet, based in Sunnyvale, Calif., wrote in a blog post that PyRoMine and PyRoMineIoT malware don’t need Python to be installed on the target systems, and PyRoMineIoT uses the EternalRomance NSA exploit to scan for IoT devices that are vulnerable due to using hardcoded passwords. Once PyRoMineIoT infects a device, the malware downloads components, including a Monero cryptominer.

“This development confirms yet again that malware authors are very interested in cryptocurrency mining, as well as in capturing a chunk of the IoT threat ecosystem,” Manuel wrote. “We predict that this trend will not fade away soon, but will continue as long as there are opportunities for the bad guys to easily earn money by targeting vulnerable machines and devices.”

Sean Newman, director of product management for Corero Network Security, based in Marlborough, Mass., said enterprises may not need to worry about cryptojackers specifically, because “they have their own specific mission, which has nothing to do with any data or information within an organization which ends up hosting them.”

“But there is the obvious performance impact for any device which does get compromised for this purpose, which could negatively impact the function of IoT devices, for example,” Newman wrote via email. “However, enterprises should really be asking themselves the [following] question: If a hacker can plant malware within my organization to mine cryptocurrency, what other malware can they, or another cybercriminal, plant just as easily?”

Justin Jett, director of audit and compliance for Plixer, based in Kennebunk, Maine, said regardless of the size of the enterprise, “organizations should be concerned with cryptominers.”

“These malicious applications steal valuable resources that are critical to business applications. When allowed to go unabated, vital business applications are unable to perform as required. This means that organizations are losing not only resources, but time and money,” Jett wrote via email. “Every company should use network traffic analytics to see where these cryptominers are spreading. Specifically, in the case of PyRoMineIoT, the malware is actively scanning for IoT devices on the network. Network traffic analytics makes quick work of such security vulnerabilities and can help IT professionals quickly see where the malware has compromised them.”
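The kind of network traffic analytics Jett describes can be as simple as spotting one internal host talking to many distinct peers on the SMB port in a short window, since EternalRomance is an SMB exploit and a PyRoMineIoT-infected machine has to sweep the network to find its next victims. The example below is added here and is not code from the article, from Fortinet, or from Plixer; the flow records, the hosts, the 5-minute window and the threshold of 8 distinct targets are all constructed assumptions chosen to make the idea concrete.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records, one per line: "timestamp src dst dport".
# 10.0.5.17 sweeps ten hosts on 445 in seconds (scanner-like behaviour);
# 10.0.5.20 repeatedly talks to one file server (normal SMB use);
# 10.0.5.21 is ordinary HTTPS traffic and is ignored by the port filter.
SAMPLE_FLOWS = """\
2018-06-12T09:00:01 10.0.5.17 10.0.8.1 445
2018-06-12T09:00:02 10.0.5.17 10.0.8.2 445
2018-06-12T09:00:03 10.0.5.17 10.0.8.3 445
2018-06-12T09:00:04 10.0.5.17 10.0.8.4 445
2018-06-12T09:00:05 10.0.5.17 10.0.8.5 445
2018-06-12T09:00:06 10.0.5.17 10.0.8.6 445
2018-06-12T09:00:07 10.0.5.17 10.0.8.7 445
2018-06-12T09:00:08 10.0.5.17 10.0.8.8 445
2018-06-12T09:00:09 10.0.5.17 10.0.8.9 445
2018-06-12T09:00:10 10.0.5.17 10.0.8.10 445
2018-06-12T09:00:03 10.0.5.20 10.0.8.1 445
2018-06-12T09:01:03 10.0.5.20 10.0.8.1 445
2018-06-12T09:02:03 10.0.5.20 10.0.8.1 445
2018-06-12T09:02:04 10.0.5.21 93.184.216.34 443
"""


def parse_flows(text):
    """Parse the constructed flow format into (timestamp, src, dst, dport) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return records


def find_smb_scanners(records, threshold=8, window=timedelta(minutes=5), port=445):
    """Return {src: peak_distinct_destinations} for every source that reached
    at least `threshold` distinct hosts on `port` inside any `window`-long span.

    A sliding window over time-ordered events keeps per-destination counts so
    that a host which repeatedly talks to the same server is never flagged.
    """
    by_src = defaultdict(list)
    for ts, src, dst, dport in sorted(records):
        if dport == port:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        left = 0
        in_window = defaultdict(int)  # destination -> events currently inside the window
        for ts, dst in events:
            in_window[dst] += 1
            # Drop events that fell out of the window.
            while ts - events[left][0] > window:
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            if len(in_window) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(in_window))
    return alerts


if __name__ == "__main__":
    for src, fanout in find_smb_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"possible SMB scanner: {src} reached {fanout} distinct hosts on 445")
```

On the constructed sample only 10.0.5.17 is reported, with a fan-out of 10; the file-server client never exceeds one distinct destination, and the HTTPS flow is filtered out by port. In practice the same logic runs over NetFlow/IPFIX or firewall logs, and the threshold and window are tuned per segment so that legitimate management hosts are allow-listed rather than repeatedly flagged.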

The NSA connection

While the PyRoMineIoT malware uses an NSA exploit — leaked by the Shadow Brokers — to help it spread and infect more vulnerable devices, experts said the blame for any damage shouldn’t necessarily go to the NSA, because even if the EternalRomance NSA exploit hadn’t been developed by the U.S. government, someone else would have created the attack.

Pat Ciavolella, malware team lead at The Media Trust, based in McLean, Va., said, “Developers are innovative” and would have eventually created something similar to the EternalRomance NSA exploit.


“Part of that innovation comes from being on the lookout for vulnerabilities, which is also how security measures are improved,” Ciavolella wrote via email. “The NSA and any organization that does this type of work needs to exercise tighter control over who has access to their innovations so that they do not fall into the wrong hands. Today’s digital economy isn’t just the Wild West, it’s the Wild ‘Westworld’ — virtually any innovation in the wrong hands can hurt others.”

Gabriel Gumbs, vice president of product strategy at STEALTHbits Technologies, based in Hawthorne, N.J., said, “Blaming the NSA is easy and far too convenient.”

“IoT vendors must be held to higher standards,” Gumbs wrote via email. “It is not OK to sell interconnected devices to consumers that fail to implement even basic security measures.”

Larry Trowell, principal consultant with Synopsys Software Integrity Group, said the government shares some of the blame for the NSA exploit.

“It’s in every country’s interest to develop systems enabling offensive and defensive strategies to protect individuals and national services,” Trowell wrote via email. “There is no fault in that. If the NSA does have some blame to share in this situation, it is for allowing secrets to be exfiltrated — not in developing them.”

Jett said although the NSA exploit was stolen, “they didn’t create the vulnerabilities that allow for the malware to exploit devices.”

“As such, you can’t hold them responsible for the malware that has emerged from the EternalRomance exploit. Vendors whose products are vulnerable to EternalRomance are responsible for resolving the exploit problem,” Jett wrote. “Additionally, it has been more than a year since the NSA exploits were released, and vendors have created patches. It becomes incumbent on the users to make sure they are properly patching their software and reducing the threat surface for these exploits.”