By Sergiu Gatlan September 23, 2022 07:28 AM

Microsoft has acknowledged a known issue where copying files/shortcuts using Group Policy Preferences on Windows client devices might not work as expected after installing recent Windows cumulative updates released during this month’s Patch Tuesday.

On affected systems, files or shortcuts will not copy to the target drives or end up as zero-byte files when using Group Policy file operations.

“File copies using Group Policy Preferences might fail or might create empty shortcuts or files using 0 (zero) bytes,” Microsoft explained.

“Known affected Group Policy Objects are related to files and shortcuts in User Configuration -> Preferences -> Windows Settings in Group Policy Editor.”

The list of affected platforms includes client (from Windows 8.1 up to Windows 11 22H2) and server releases (from Windows Server 2008 SP2 and up to Windows Server 2022).

Microsoft acknowledged the issue following a stream of Windows admin reports across multiple social networks and on Microsoft’s online community regarding issues with Group Policy settings after deploying September 2022 Patch Tuesday updates.

At the time, some of the affected admins suggested a radical fix requiring manually uninstalling and hiding the offending cumulative updates. Unfortunately, this would also remove all fixes for recently patched security vulnerabilities.

However, multiple admins have also reported that un-checking the “Run in user security context” option on the affected GPOs will help address the file copying and shortcut creation problems.
Official workarounds are also available

Microsoft confirmed the last workaround shared by impacted customers before the issue was acknowledged, together with a couple of additional ways to mitigate the issue (any one of them is enough for mitigation) :

Uncheck the “Run in logged-on user’s security context (user policy option).” Note: This might not mitigate the issue for items using a wildcard (*).
Within the affected Group Policy, change “Action” from “Replace” to “Update.”
If a wildcard (*) is used in the location or destination, deleting the trailing “\” (backslash, without quotes) from the destination might allow the copy to be successful.

Redmond also added that its developers are working on a resolution for this known issue and will provide a fix with an upcoming update.

Article (https://www.bleepingcomputer.com/news/microsoft/microsoft-shares-workarounds-for-windows-group-policy-issues/)

Microsoft: Windows KB5017383 preview update added to WSUS by mistake
(https://www.bleepingcomputer.com/news/microsoft/microsoft-windows-kb5017383-preview-update-added-to-wsus-by-mistake/)
Microsoft rolls out emergency fix for blocked Windows logins (https://www.bleepingcomputer.com/news/microsoft/microsoft-rolls-out-emergency-fix-for-blocked-windows-logins/)

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, RackSpace, Axcient
“Where Service and Technical Skills Count”

By Sergiu Gatlan September 22, 2022 01:13 PM
Microsoft says a threat actor gained access to cloud tenants hosting Microsoft Exchange servers in credential stuffing attacks, with the end goal of deploying malicious OAuth applications and sending phishing emails.

“The investigation revealed that the threat actor launched credential stuffing attacks against high-risk accounts that didn’t have multi-factor authentication (MFA) enabled and leveraged the unsecured administrator accounts to gain initial access,” the Microsoft 365 Defender Research Team said.

“The unauthorized access to the cloud tenant enabled the actor to create a malicious OAuth application that added a malicious inbound connector in the email server.”

The attacker then used this inbound connector and transport rules designed to help evade detection to deliver phishing emails through the compromised Exchange servers.

The threat actors deleted the malicious inbound connector and all the transport rules between spam campaigns as an additional defense evasion measure.

In contrast, the OAuth application remained dormant for months between attacks until it was used again to add new connectors and rules before the next wave of attacks.

These email campaigns were triggered from Amazon SES and Mail Chimp email infrastructure commonly used to send marketing emails in bulk.
The attacker used a network of single-tenant applications as an identity platform throughout the attack.

After detecting the attack, Redmond took down all apps linked to this network, sent alerts, and recommended remediation measures to all affected customers.

Microsoft says this threat actor was linked to campaigns pushing phishing emails for many years.

The attacker was also seen sending high volumes of spam emails within short timeframes through other means “such as connecting to mail servers from rogue IP addresses or sending directly from legitimate cloud-based bulk email sending infrastructure.”

“The actor’s motive was to propagate deceptive sweepstakes spam emails designed to trick recipients into providing credit card details and signing up for recurring subscriptions under the guise of winning a valuable prize,” Microsoft further revealed.

“While the scheme possibly led to unwanted charges for targets, there was no evidence of overt security threats such as credential phishing or malware distribution.”

Article (https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-via-oauth-apps-for-phishing/)
Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, RackSpace, Axcient
“Where Service and Technical Skills Count”

This week, SecurityBoulevard has featured an interesting article on why APIs have no clothes — APIs being the digital equivalent of the protagonist in the Hans Christian Andersen’s folktale The Emperor’s New Clothes. In the story, the emperor was exposed, but no one told him or was willing to do anything about it. Not so different from where you might find yourself with APIs.

The first challenge to API security the author highlights is presented by the disappearing perimeter. Organizations can no longer rely on perimeter protections, such as firewalls, to protect their assets. The adoption of cloud technology and PaaS has meant that the external perimeter is largely eroded. Instead, the focus needs to move to protect the API endpoints themselves by using advanced authentication like multi-factor authentication (MFA), and monitoring multiple levels of the network to identify attacks.

As ever, the lack of cybersecurity talent and skills only exacerbates the problem, and nowhere is this more acutely felt than with APIs. Many of the lessons learned with protecting web applications no longer apply to APIs, and teams need to learn new skills or adapt their methods to protect APIs.

To remedy this and get your APIs covered, the author suggests going back to the basics in protecting APIs, namely:

Authentication
Auditing and logging
Encryption

Roy Miehe | MspPortal Partners Inc. | Ceo/President

Security Software Distributor: Bitdefender , Barracuda, RackSpace, Axcient

“Where Service and Technical Skills Count”

By Sergiu Gatlan September 8, 2022 12:20 PM
Microsoft says a Windows 11 update released in late August is blocking customers from signing in with newly added Microsoft Account users after restarting or logging off systems running Windows 11, version 21H2.

“After installing KB5016691 and adding a new Microsoft account user in Windows, you might be unable to sign in for a brief time after the first restart or sign out. The issue only affects the newly added Microsoft account user and only for the first sign in,” Microsoft explained.

“This issue only affects devices after adding a Microsoft account. It does not affect Active Directory domain users accounts or Azure Active Directory accounts.”

Microsoft says it addressed this issue via Known Issue Rollback (KIR), a Windows capability designed to revert buggy Windows non-security fixes pushed through Windows Update.

Once rolled out, KIR-issued fixes usually reach all consumer and non-managed business devices within a day. Affected users can also get the fix after restarting any impacted Windows devices.

As a workaround, those experiencing this issue can wait for the lock screen to appear again, as it will resolve itself after some time, allowing users to log in as expected.
Group policies available for enterprise

As an IT admin, you must install and configure a KIR Group Policy to resolve this known issue on affected enterprise-managed devices.

“The special Group Policy can be found in Computer Configuration -> Administrative Templates -> KB5016691 220722_051525 Known Issue Rollback -> Windows 11 (original release),” Microsoft added.

You can download this Rollback Group Policy for Windows 11, version 21H2, from here.

To deploy the Known Issue Rollback via Group Policy, you have to go to the Local Computer Policy or the Domain policy on your domain controller using the Group Policy Editor to choose the Windows version you need to target.

Detailed information on how to deploy and configure KIR Group Policies can be found on Microsoft’s support website.

In July, Microsoft issued another emergency fix via Known Issue Rollback (KIR) to address an issue causing the Windows 11 start menu to malfunction after installing recent updates.

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, RackSpace, Axcient
“Where Service and Technical Skills Count”

By Sergiu Gatlan August 31, 2022 03:16 PM

Apple has released new security updates to backport patches released earlier this month to older iPhones and iPads addressing a remotely exploitable WebKit zero-day that allows attackers to execute arbitrary code on unpatched devices.

This zero-day vulnerability is the same one Apple patched for macOS Monterey and iPhone/iPad devices on August 17, and for Safari on August 18.

The flaw is tracked as CVE-2022-3289 and is an out-of-bounds write vulnerability in WebKit, the web browser engine used by Safari and other apps to access the web.

If successfully exploited, it allows attackers to perform arbitrary code execution remotely by tricking their targets into visiting a maliciously crafted website under their control.

In a security advisory published today, Apple once again said that they’re aware of reports that this security issue “may have been actively exploited.”

The list of devices today’s security updates apply to includes iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation), all of them running iOS 12.5.6.
Patch your older phones to block attacks

Even though Apple has disclosed that it received reports of active exploitation in the wild, the company is yet to release info regarding these attacks.

By withholding this information, Apple is likely aiming to allow as many users as possible to apply the security updates before other attackers pick up on the zero-day’s details and start deploying exploits in their own attacks targeting vulnerable iPhones and iPads.

Although this zero-day vulnerability was most likely only used in targeted attacks, it’s still strongly advised to install today’s iOS security updates as soon as possible to block potential attack attempts.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also added this security bug to its catalog of exploited vulnerabilities on August 19, requiring Federal Civilian Executive Branch (FCEB) agencies to patch it to protect “against active threats.”

This is the seventh zero-day bug fixed by Apple since the start of the year:

In March, Apple patched two zero-day bugs in the Intel Graphics Driver (CVE-2022-22674) and AppleAVD (CVE-2022-22675).
In February, Apple released security updates to fix another WebKit zero-day bug exploited in attacks against iPhones, iPads, and Macs.
In January, Apple patched two other exploited zero-days that enabled code execution with kernel privileges (CVE-2022-22587) and web browsing activity tracking (CVE-2022-22594).

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, RackSpace, Axcient
“Where Service and Technical Skills Count”

By Ionut Ilascu August 28, 2022 01:15 PM
he threat actor behind the Twilio hack used their access to steal one-time passwords (OTPs) delivered over SMS from customers of Okta identity and access management company.

Okta provides its customers with multiple forms of authentication for services, including temporary codes delivered over SMS through Twilio.

With access to the Twilio console, the threat actor could see mobile phone numbers and OTPs belonging to Okta customers.
Using Twilio to search for OTPs

On August 4, cloud communications company Twilio discovered that an unauthorized party gained access to its systems and information belonging to its customers.

At the time, one of the services Okta used for customers opting for SMS as an authentication factor was provided by Twilio.

On August 8, Okta learned that the Twilio hack exposed “unspecified data relevant to Okta” and started to route SMS-based communication through a different provider.

Using internal system logs from Twilio’s security team, Okta was able to determine that the threat actor had access to phone numbers and OTP codes belonging to its customers.

“Using these logs, Okta’s Defensive Cyber Operations’ analysis established that two categories of Okta-relevant mobile phone numbers and one-time passwords were viewable during the time in which the attacker had access to the Twilio console” – Okta

The company notes that an OTP code remains valid for no more than five minutes.

When it comes to the threat actor’s activity in the Twilio console regarding its customers, Okta distinguishes between “targeted” and “incidental exposure” of phone numbers.

The company says that the intruder searched for 38 phone numbers, almost all of them associated with one organization, indicating interest in gaining access to that client’s network.

Article ( https://www.bleepingcomputer.com/news/security/okta-one-time-mfa-passcodes-exposed-in-twilio-cyberattack/)

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, RackSpace, Axcient
“Where Service and Technical Skills Count”