
Microsoft patches Windows ALPC flaw exploited in the wild

A Windows ALPC vulnerability that has been exploited in the wild for two weeks was finally patched by Microsoft as part of the September 2018 Patch Tuesday release.

The Windows Advanced Local Procedure Call (ALPC) flaw was disclosed with proof-of-concept exploit code on Aug. 27, 2018, by Twitter user SandboxEscaper. The vulnerability affects the Windows Task Scheduler and can allow an attacker to obtain elevated system privileges.

Microsoft noted the issue would require an attacker to log on to the target system. The vendor labeled the Windows ALPC flaw (CVE-2018-8440) as “important,” but not “critical,” in its Patch Tuesday advisory, despite the vulnerability being actively exploited in the wild.

On Sept. 5, Matthieu Faou, malware researcher for ESET, based in Bratislava, Slovakia, first reported seeing a group called PowerPool exploiting the Windows ALPC vulnerability in the wild over the previous week. Faou noted the group did not reuse the proof of concept released by SandboxEscaper and instead modified it slightly.

Allan Liska, threat intelligence analyst at Recorded Future in Somerville, Mass., said this meant PowerPool added the exploit to their arsenal of tools within 48 hours of the exploit being published on Twitter. But it is still unclear how widespread the attacks have been.

“The challenge is that PowerPool is a relatively new group, and they don’t have a large footprint in terms of exploitation — at least as far as we can tell. So, there isn’t a good way to gauge the extent of the damage,” Liska said via email. “As far as Microsoft’s decision, even though the vulnerability was being exploited in the wild, because it is not a remote access vulnerability, nor a critical one, Microsoft probably made the correct decision not releasing an out-of-band patch.”

Although Microsoft chose not to release an out-of-band patch for the Windows ALPC flaw, a third-party patch from micropatching vendor 0patch was released on Aug. 30. Mitja Kolsek, co-founder of 0patch, noted in a blog post that the patch they released was “functionally identical” to the patch released by Microsoft.

Chris Goettl, director of security product management at Ivanti, based in South Jordan, Utah, said consistency is key with update cycles to help plan maintenance. But “on the flip side, security researchers and threat actors do not have set schedules.”

“An exploit can be developed and be released at any time and cannot be planned for. If a researcher finds a threat and the threat is considerable, there should be some urgency put around getting a resolution in place,” Goettl said via email. “In this case, it seems it should have been reasonable to keep this update in the normal update cycle. If it would have been remotely exploitable without authentication and in a protocol like SMB — think Eternal family of exploits — or something of a similar more dire nature, it would have warranted an out-of-band release.”

Another patched Apache Struts vulnerability exploited

At least one malicious actor began exploiting a critical vulnerability in Apache Struts in the wild, despite a patch being issued last week.

According to researchers at Volexity, a cybersecurity company based in Washington, D.C., the exploits of the Apache Struts vulnerability surfaced in the wild not long after a proof-of-concept (PoC) exploit was published publicly on GitHub.

The Apache Software Foundation posted a security bulletin about the vulnerability — tracked as CVE-2018-11776 — on Aug. 22, 2018, and said that a remote code execution attack is possible “when namespace value isn’t set for a result defined in underlying configurations and in same time, its upper action(s) configurations have no or wildcard namespace. Same possibility when using url tag which doesn’t have value and action set and in same time, its upper action(s) configurations have no or wildcard namespace.”

The flaw, which was discovered and reported in April by security researcher Man Yue Mo of Semmle Inc., a software analytics company based in San Francisco, affects Struts 2.3 through 2.3.34 and Struts 2.5 through 2.5.16. Apache patched the vulnerability and noted that upgrading to version 2.3.35 or 2.5.17 would solve the problem. However, only a day after Apache posted its security bulletin, a researcher posted a PoC exploit on GitHub.
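The bulletin's wording translates directly into a triage check a practitioner can run against a deployment: is the struts2-core version inside the affected ranges, and does struts.xml contain a redirectAction or chain result without a namespace param inside a package whose namespace is absent or a wildcard? The script below is an added example, not code from Apache, Semmle or Volexity. The struts.xml it scans is constructed for illustration, and its treatment of the `struts.mapper.alwaysSelectFullNamespace` constant as the precondition for reaching the vulnerable code path is an assumption drawn from the Struts source rather than from the bulletin text quoted above. It covers only the struts.xml half of the bulletin's condition; the url-tag case lives in JSP templates, not in this file.

```python
"""Added example (not from Apache, Semmle or Volexity): flag Struts 2 deployments
that match the CVE-2018-11776 preconditions quoted in the Apache bulletin.
The version ranges are the ones the bulletin lists; the struts.xml sample is
constructed for this example."""
import xml.etree.ElementTree as ET

# Affected ranges from the bulletin, inclusive: 2.3 - 2.3.34 and 2.5 - 2.5.16.
AFFECTED_RANGES = [((2, 3, 0), (2, 3, 34)), ((2, 5, 0), (2, 5, 16))]
# Result types that forward to another action and therefore carry a namespace.
NAMESPACE_RESULT_TYPES = {"redirectAction", "chain"}


def parse_version(text):
    """'2.3.34' -> (2, 3, 34); a bare '2.5' is padded to (2, 5, 0)."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected_version(text):
    """True when the version falls inside either range the bulletin lists."""
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def weak_namespace(ns):
    """The bulletin's precondition on the enclosing package: no namespace at
    all, an empty one, or a wildcard namespace."""
    return ns is None or ns.strip() == "" or "*" in ns


def full_namespace_enabled(root):
    """Assumption (not stated in the bulletin text above): the attacker-supplied
    namespace is only used when struts.mapper.alwaysSelectFullNamespace is true."""
    for const in root.iter("constant"):
        if const.get("name") == "struts.mapper.alwaysSelectFullNamespace":
            return const.get("value", "").strip().lower() == "true"
    return False


def find_risky_actions(struts_xml):
    """Return (package namespace, action name, result type) for every
    redirectAction/chain result that omits its namespace param inside a
    package whose namespace is absent or a wildcard."""
    root = ET.fromstring(struts_xml)
    findings = []
    for pkg in root.iter("package"):
        if not weak_namespace(pkg.get("namespace")):
            continue
        for action in pkg.iter("action"):
            for result in action.iter("result"):
                rtype = result.get("type", "dispatcher")
                if rtype not in NAMESPACE_RESULT_TYPES:
                    continue
                params = {p.get("name"): (p.text or "").strip()
                          for p in result.iter("param")}
                if not params.get("namespace"):
                    findings.append((pkg.get("namespace"), action.get("name"), rtype))
    return findings


def assess(struts_xml, version):
    """Combine the three checks into one triage report."""
    root = ET.fromstring(struts_xml)
    return {
        "affected_version": is_affected_version(version),
        "always_select_full_namespace": full_namespace_enabled(root),
        "risky_actions": find_risky_actions(struts_xml),
    }


# Constructed sample: one package with an explicit namespace and a namespace
# param on its redirect (safe), two that match the bulletin's wording.
SAMPLE_STRUTS_XML = """
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default" namespace="/">
    <action name="safe">
      <result type="redirectAction">
        <param name="actionName">index</param>
        <param name="namespace">/</param>
      </result>
    </action>
  </package>
  <package name="wild" extends="struts-default" namespace="/*">
    <action name="risky">
      <result type="redirectAction">
        <param name="actionName">index</param>
      </result>
    </action>
  </package>
  <package name="nons" extends="struts-default">
    <action name="alsoRisky">
      <result type="chain">
        <param name="actionName">index</param>
      </result>
    </action>
    <action name="plain">
      <result>/plain.jsp</result>
    </action>
  </package>
</struts>
"""

if __name__ == "__main__":
    for key, value in assess(SAMPLE_STRUTS_XML, "2.5.16").items():
        print(f"{key}: {value}")
```

The version check alone is the decisive one: upgrading to 2.3.35 or 2.5.17 closes the hole regardless of configuration. The configuration scan is useful for prioritising which of many deployments to patch first, and for spotting the wildcard-namespace pattern that should be given explicit namespaces anyway.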

“Shortly after the PoC code was released, Volexity began observing active scanning and attempted exploitation of the vulnerability across its sensor network,” Volexity researchers said in a blog post. “The in-the-wild attacks observed thus far appear to have been taken directly from the publicly posted PoC code.”

The researchers also noted that the vulnerability is “trivial to exploit” and has already seen at least one malicious actor attempt to exploit it “en masse in order to install the CNRig cryptocurrency miner.”

“Although the main payload for Apache Struts exploits appears to be cryptocurrency miners, failure to patch also leaves an organization open to significant risk that goes beyond cryptomining,” the researchers added.

In 2017, another Apache Struts vulnerability (CVE-2017-5638), also enabling remote code execution, was disclosed; shortly after that disclosure, the vulnerability was exploited in the massive Equifax data breach that exposed the personal data of 148 million U.S. consumers.

Enterprises and users are encouraged to update to the patched versions of Apache Struts immediately so as not to become the next victim of an Equifax-like data breach.

In other news:

  • Facebook removed its own security app, Onavo Protect, from Apple’s App Store this week because of its privacy issues. Onavo is a free VPN app that Facebook acquired in 2013 and used to collect data on how much its users use other mobile apps. Apple updated its App Store rules in June to ban the collection of information about other apps installed and in use on mobile devices. Apple reportedly urged Facebook to voluntarily remove the app from the App Store after Apple ruled that Onavo violated its new data collection policies. Onavo was downloaded more than 33 million times across iOS and Android devices, and while it is no longer available in the App Store, it is still available on Google Play.
  • NIST published guidance this week on securing wireless infusion pumps after research over the past few years has shown vulnerabilities in the internet-connected medical devices. The guidance, NIST SP 1800-8 “Securing Wireless Infusion Pumps in Healthcare Delivery Organizations,” suggests a defense-in-depth strategy for protecting wireless infusion pumps. “This strategy may include a variety of tactics: using network segmentation to isolate business units and user access; applying firewalls to manage and control network traffic; hardening and enabling device security features to reduce zero-day exploits; and implementing strong network authentication protocols and proper network encryption, monitoring, auditing, and intrusion detection systems (IDS) and intrusion prevention systems (IPS),” the guidance states. This special publication is part of NIST’s ongoing effort to secure IoT devices.
  • A researcher at Check Point uncovered new malware that hijacks browsers. A rootkit called CEIDPageLock is being distributed by the RIG exploit kit, according to Check Point’s Israel Gubi. “It acts to manipulate the victim’s browser and turn their home-page into a site pretending to be 2345.com — a Chinese web directory,” Gubi explained, adding that it “monitors user browsing and dynamically replaces the content of several popular Chinese websites with the fake home page, whenever the user tries to visit them.” He said that CEIDPageLock targets Chinese victims specifically.

Wild Me joins AI for Earth

A new investment from Microsoft’s AI for Earth program will accelerate Wild Me, an organization that identifies and tracks individual animals using machine learning and computer vision

REDMOND, Wash. — June 14, 2018 — On Thursday, Microsoft Corp. announced that Wild Me, a Portland-based nonprofit organization that focuses on combatting extinction with citizen science and artificial intelligence, will become a new featured project in its AI for Earth program. This deeper level of investment and engagement will enable Wild Me, and its wide range of users and supporters, to more effectively and efficiently use software and AI to combat extinction.

“The world is facing a major biodiversity crisis, and Wild Me’s work in harnessing computer vision and machine learning to monitor and track individual animals is truly groundbreaking,” said Bonnie Lei, AI for Earth project manager at Microsoft. “Microsoft hopes to accelerate Wild Me’s conservation impact by enabling wider usage of its open source algorithms through making them available on Microsoft Azure as APIs, and boosting the speed and accuracy of its entire Wildbook platform by migrating it over to Azure.”

Wildbook is an open source, cloud-based software platform — created by Wild Me in collaboration with faculty and students at Princeton University, Rensselaer Polytechnic Institute and the University of Illinois-Chicago — that brings together AI, computer vision, scientific research and citizen science to help protect endangered species. Using images uploaded from conservationists, researchers and citizen scientists, the software helps identify and track animal populations, monitor their migrations and interactions, and evaluate threats to inform and improve conservation efforts.

“Wildbook democratizes science and conservation,” said Tanya Berger-Wolf, director at Wild Me and professor at University of Illinois-Chicago. “The partnership with Microsoft will allow us to enable science and conservation at planetary scale and high resolution over time, space and individual animals.”

Wild Me will be the fifth AI for Earth featured project, joining land cover mapping, Project Premonition, FarmBeats and iNaturalist. With 111 grantees in 27 countries, AI for Earth puts Microsoft’s cloud and AI tools in the hands of those working to solve global environmental challenges. Through grants that provide access to cloud and AI tools, opportunities for education and training on AI, and investments in innovative, scalable solutions, AI for Earth works to advance sustainability across the globe.

Microsoft (Nasdaq “MSFT” @microsoft) enables digital transformation for the era of an intelligent cloud and an intelligent edge. Its mission is to empower every person and every organization on the planet to achieve more.

For more information, press only:

Microsoft Media Relations, WE Communications for Microsoft, (425) 638-7777,

rrt@we-worldwide.com

Note to editors: For more information, news and perspectives from Microsoft, please visit the Microsoft News Center at http://news.microsoft.com. Web links, telephone numbers and titles were correct at time of publication, but may have changed. For additional assistance, journalists and analysts may contact Microsoft’s Rapid Response Team or other appropriate contacts listed at http://news.microsoft.com/microsoft-public-relations-contacts.