Security

Microsoft Windows Zero-Day Under Attack

Dark Reading Staff 9-8-2021

Microsoft has issued an advisory containing mitigations and workarounds for a remote code execution flaw in Windows it says is being exploited in targeted attacks.

CVE-2021-40444 exists in MSHTML, the proprietary browser engine built into Windows that allows the operating system to read and display HTML files. MSHTML, also known as Trident, was mainly used by Internet Explorer but is also used by Microsoft Office, Broadcom notes in its advisory on the vulnerability. It allows developers to add Web browsing into their applications.

Microsoft reports the targeted attacks it has observed use specially crafted Office documents. In explaining how an attack would work, it says an adversary could create a malicious ActiveX control to be used by an Office document that hosts the MSHTML browser-rendering engine. An attacker would have to convince a victim to open the file. Officials note victims with fewer user privileges on the system could be less affected than those with administrative user rights.

The company credits four external researchers with finding the vulnerability: Dhanesh Kizhakkinan, Genwei Jiang, and Bryce Abdo of Mandiant, and Haifei Li of EXPMON, in addition to Rick Cole with the Microsoft Security Threat Intelligence Center (MSTIC).

Read the full advisory for more details.

FBI Requests to Pass a Bill Over Ransomware Attacks

FBI Requests to Pass a Bill Over Ransomware Attacks – Reporting Ransomware Immediately To Be A Law?

By Consider The Consumer on August 9, 2021
FBI’s Plead for Mandatory Reporting of Ransomware Attacks but in reality nothing has happened

The FBI and Department of Justice are pleading with Americans to assist them in avoiding cyberattacks, stating that companies may withhold information out of fear of being sued.
Appeal for a Bill

Tuesday, during a congressional hearing, top federal cybersecurity officials urged Congress to pass a bill requiring businesses and consumers inside the United States to disclose ransomware attacks when they occur.

Richard Downing, Deputy Assistant Attorney General, told a U.S. Hearing before the Senate Judiciary Committee that investigation opportunities are lost without quick reporting. The capacity to assist other victims experiencing similar attacks is diminished, and the government and Congress lack a complete picture of the threat confronting American companies.

The request follows a series of high-profile assaults on U.S. private and public sites, including hospitals, schools, and a fuel pipeline.

The ransomware attack on Colonial Pipeline Co., which carries over half of the East Coast’s diesel, gasoline, and jet fuel, prompted the pipeline’s temporary shutdown, resulting in significant ripple effects currently being studied.

Based on Tuesday’s testimony, roughly three-quarters of all cyberattacks in the country go unreported, making it more difficult for authorities to counteract.

According to reports, Executive Assistant Director of the Cybersecurity and Infrastructure Security Agency Eric Goldstein stated that without such visibility, they are unable to communicate information efficiently, issue timely alerts, assist victims, or comprehend the consequences of these attacks on the critical national functions on which they all rely.

President Joe Biden decided to sign an executive order, following several high-profile cyberattacks on national utilities and services in May. The order requires government contractors in the information technology industry to disclose cyberattacks.
Persuading the Victims of Ransomware Attacks

On Tuesday, Assistant Director of the FBI’s Cyber Division Bryan Vorndran stated that victims of cybercrime should be compelled to inform authorities about cybercriminals’ ransom requests and whether they paid the extortion.

Additionally, the idea of shielding companies from accountability if they do report law enforcement to the cyberattacks was considered. Certain companies may be hesitant to disclose their cyberattacks for fear of litigation, such as class action lawsuits. Unfortunately they all hide behind EULA agreements on their websites, non-responsibility if you get infected.

Downing stated that victims should not be penalized for cooperating with the government. Victims should retain any legal privilege they may have had over the information before releasing it.

Numerous companies and businesses are facing class action lawsuits over their lack of ransomware protection.
Editor’s Note on FBI Requests to Pass a Bill Over Ransomware Attacks:

This article is written to inform you of the latest FBI’s request to pass a bill that would force companies and citizens to report ransomware attacks immediately.

Bitdefender-Smartphone Safe

Personally I have asked Bitdefender to add to the Enterprise Gravity Zone for 4 years no success
But-7 tips to keep your smartphone safe until Bitdefender adds to Gravity Zone!

Hello Folks,
Your smartphone stores a great deal of personal information. Let’s face it, your whole life is on that thing. You send emails and text messages, make calls, take and share videos and photos, use social media, shop online and so much more.
To make sure you don’t become part of a rising proportion of people targeted by hackers, we’ve compiled a list of seven tips to help you keep your smartphone and your data safe.
1) Keep your smartphone and apps up to date
Software updates protect you from vulnerabilities or loopholes that can be exploited. Install them as soon as they come up.
2) Delete unused apps from your device
If you don’t need/ use it, delete it. Old apps may have severe security flaws that can compromise your device.
3) Back up data
This action is essential in case of theft or malicious compromise such as a ransomware attack.
4) Stay away from SMS scams
Delete any unexpected SMS or email containing links to download something or ask you for personal or financial information, even if they seem to come from legit sources (your bank, delivery companies).
5) Hang up or don’t respond to suspicious phone calls
Scammers may also call you on the phone to convince you to reveal personally identifiable information, bank account numbers, PINs, credit card numbers.
6) Think twice before connecting to public WiFi networks
Public WiFi can face many threats, including theft of personal information such as login and financial data, especially if you don’t use a VPN to encrypt your data.
Use Bitdefender Mobile Security to protect your smartphone
No matter how cautious you are, you can never replace a security software tailor-made to keep you safe from the latest threats.
Find out more about the full protection of your iPhone or Android devices.
Stay Safe,
Roy Miehe
CEO MspPortal Partners Inc

Breach: Microsoft Power Apps records leaked via OData API

The big news this week is the data breach at the Microsoft Power Apps platform, leading to the disclosure of up to 38 million records with Personally Identifiable Information (PII). The details range from names and email addresses to COVID-19 vaccination status, and even Social Security numbers. The breach was discovered by researchers at UpGuard, who detail the underlying issue, the entities impacted, and the response from Microsoft in their recent blog.

Researchers discovered that an OData API that Power Apps used for accessing data publicly exposed sensitive user data which should have been private. The access to data is controlled with the setting called table permissions, which can be set to restrict access to sensitive records. Unfortunately, Microsoft had opted to switch off table permissions by default, meaning that they were publicly accessible unless users realized to switch it on. Microsoft did warn users on the impact of leaving this setting off, but as the breach shows, this might not have been the best call:

Article1_OData

Upon their discovery, UpGuard notified Microsoft about the issue. The initial response was that this public accessibility was by design, not a vulnerability. Not the first time we see this excuse with reported API vulnerabilities, often dressed up in the guise of “improved user experience”.

UpGuard then proceeded to notify the impacted entities, many of whom took swift action to remove the leaked PII data. To add insult to injury, many core Microsoft portals were also affected, and subsequently Microsoft appears to have notified impacted government cloud customers of the issue.

Since the disclosure of the breach, Microsoft has changed their stance here:

They have changed the default setting so that new lists enforce table permissions to protect underlying data.
They have provided a dedicated tool, Portal Checker, for finding OData lists that allow anonymous access.

The lessons learned here include:

This is a classic example of Broken Authentication on an API — the impact of having unauthenticated APIs can lead to unintended data disclosure. You could also argue that this falls under API7:2019 — Security misconfiguration, too.
As a developer, always ensure you understand the full impact of your chosen default settings and permissions.
As a platform designer providing API service, always ensure strict access restriction (deny-by-default, least privilege…). Allowing full anonymous access to data or other resources is not a sensible default, regardless of any warnings that you glue on top.
Subscribe to API Articles

Windows Privilege Escalation Vuln Puts Admin Passwords At Risk

July 21 2021

Microsoft has issued a temporary workaround for systems vulnerable to CVE-2021-36934, also known as “HiveNightmare” and “SeriousSAM.”

Microsoft has issued a temporary workaround for a privilege escalation vulnerability that could expose administrator passwords to non-admin users.

CVE-2021-36934, also called “HiveNightmare” and “SeriousSAM,” appears to have been first detected by security researcher Jonas Lykkegaard, Forbes reports. Lykkegaard noticed the Security Account Manager (SAM) file had become read-enabled for all users, meaning an attacker with non-admin privileges could access hashed passwords and elevate privileges.

Lykkegaard and other security researchers found the issue affected the Windows 11 preview as well as Windows 10. Microsoft has confirmed the problem affects Windows 10 version 1809 and newer operating systems and has provided workarounds for systems affected by the flaw.

“An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database,” the company wrote in its CVE.

An attacker who successfully exploited the flaw could run arbitrary code with system privileges and then install programs; view, change, or delete data; or create new accounts with full user rights. They also have the ability to execute code on a target system to exploit the bug. So far Microsoft has not detected exploits in the wild, though it notes exploitation is “more likely.”

Microsoft has stated it will update the CVE as its investigation continues.
Article: Dark Reading

Little about MspPortal Partners and Bitdefender relationship

1) We do 1,2,3 line tech support for Bitdefender Gravity Zone we average 60 tech cases a week just on 1 and 2nd level support we typically solve our case load within 15-30 minutes
2) We do the hands on Training (1 hour) no power point live. When we are done you can start selling that day. We write a default policy that will keep you out of trouble and avoid Crypto. We also do a lot of Bitdefender’s beta work. Helps us to be better service to you
3) We do the licenses (reality we just keep your bucket full so it’s nothing more than adding more licenses when needed (just send an email to us) You only pay for what you use/install
4) Last we do the invoicing 2nd of the month we make sure you receive a report of the breakdown for your billing on the first. for the prior month (arrears)
5) The reality is even though we are a distributor we are really a VAD value add we work for a living 😉
6) Techs since 1994 when Roy Miehe started this firm

We will be glad to answer any questions you may have and also share some best practices with you.

Bitdefender has a great program with solutions specifically tailored for MSPs..

Phishing Trends with PDF Files in 2020 continue in 2021

PDF files are an enticing phishing vector as they are cross-platform and allow attackers to engage with users, making their schemes more believable as opposed to a text-based email with just a plain link. To lure users into clicking on embedded links and buttons in phishing PDF files

Experienced Support for Advanced Ransomware Threats

When it comes to your personal or business cybersecurity, you need solutions that you can trust. You need partners and suppliers that exude confidence. This trust comes from experience; a proven history of working with and protecting organizations like yours against all types of cybersecurity threats, from malware to phishing attacks, simple spam to ransomware.

In today’s environment of advanced threats, you need a firm such as MspPortal Partners to assist you in protecting your business, and or your personal computer. MspPortal has more than 400 tech firms and 2,000 techs on the ground, and we work with the leading endpoint security solution providers in the industry.

On February 5^th, the National Cyber Investigative Joint Task Force (NCIJTF) released a joint-sealed ransomware factsheet to address current ransomware threats and provide information on prevention and mitigation techniques. The factsheet was developed by an interagency group of subject matter experts from more than 15 government agencies to increase awareness of the ransomware threats to police and fire departments; state, local, tribal, and territorial governments; and critical infrastructure entities.

To reduce the risk of public and private sector organizations falling victim to common infection vectors like those outlined in the NCIJTF factsheet, CISA launched the Reduce the Risk of Ransomware Campaign in January 2021 to provide informational resources to support organizations’ cybersecurity and data protection posture against ransomware. Please download and read the PDF. Direct PDF Ransomware_Fact_Sheet

The NCIJTF fact sheet outlines five best practices to minimize ransomware risks.

Backup your data, system images, and configurations, test your backups, and keep the backups offline
Utilize multi-factor authentication
Update and patch systems
Make sure your security solutions are up to date
Review and exercise your incident response plan

At MspPortal Partners, we supply one, two and even three (when needed) in typically 1-2 hours either by email or a direct call we are here to be of service.

Our technology solutions include Bitdefender, which leads the market in malware protection. There are a lot of firms that use extreme marketing dollars to profess to be the best, but in industry antivirus comparisons and reviews, Bitdefender is always is on top. All resellers and distributors that work with Mspportal Partners are trained by Roy Miehe, a top trainer and antivirus professional that has worked in the anti-virus industry since 1996, and as a tech since 1994, working on many beta Microsoft products. He has propelled MspPortal Partners to a leading MSPs working only with the best-of-breed solutions.

Please take the time to send a note (Contact page link) over and we will find the best tech firm for your needs. MspPortal offers a number of technology services, in addition to security solutions.

SonicWall Breached Via Zero-Day Flaw In Remote Access Tool

Sophisticated hackers compromised SonicWall’s NetExtender VPN client and SMB-oriented Secure Mobile Access 100 series product, which are used to provide employees and users with remote access to internal resources.

SonicWall disclosed Friday night that highly sophisticated threat actors attacked its internal systems by exploiting a probable zero-day flaw on the company’s secure remote access products.

The Milpitas, Calif.-based platform security vendor said the compromised NetExtender VPN client and SMB-oriented Secure Mobile Access (SMA) 100 series products are used to provide employees and users with remote access to internal resources. The SMA 1000 series is not susceptible to this attack and utilizes clients different from NetExtender, according to SonicWall.

“We believe it is extremely important to be transparent with our customers, our partners and the broader cybersecurity community about the ongoing attacks on global business and government,” SonicWall wrote in an “Urgent Security Notice” posted to its product notifications webpage at 11:15 p.m. ET Friday. The company said the coordinated attack on its systems was identified “recently.”

SolarWinds Hackers Access Malwarebytes’ Office 365 Emails

SonicWall declined to answer questions about whether the attack on its internal systems was carried out by the same threat actor who for months injected malicious code into the SolarWinds Orion network monitoring tool. The company, however, noted that it’s seen a “dramatic surge” in cyberattacks against firms that provide critical infrastructure and security controls to governments and businesses.

The company said it is providing mitigation recommendations to its channel partners and customers. Multi-factor authentication must be enabled on all SonicWall SMA, firewall and MySonicWall accounts, according to SonicWall.

Products compromised in the the SonicWall breach include: the NetExtender VPN client version 10.x (released in 2020) used to connect to SMA 100 series appliances and SonicWall firewalls; as well as SonicWall’s SMA version 10.x running on SMA 200, SMA 210, SMA 400, SMA 410 physical appliances and the SMA 500v virtual appliance.

SonicWall partners and customers using the SMA 100 series should either use a firewall to only allow SSL-VPN connections to the SMA appliance from known/whitelisted IPs or configure whitelist access on the SMA directly itself, according to the company.

For firewalls with SSN-VPN access using the compromised version of the NetExtender VPN client, partners and customers should either disable NetExtender access to the firewall(s) or restrict access to users and admins via an allow-list/whitelist for their public IPs, according to SonicWall.

SonicWall is the fifth pure-play cybersecurity vendor to publicly disclose an attack over the past seven weeks. FireEye blew the lid off what would become the SolarWinds hacking campaign Dec. 8 when company said that it was breached in an attack designed to gain information on some of its government customers. The attacker was able to access some of FireEye’s internal systems, the company said.

Then CrowdStrike disclosed Dec. 23 that it had been contacted eight days earlier by Microsoft’s Threat Intelligence Center, which had identified a reseller’s Microsoft Azure account making abnormal calls to Microsoft cloud APIs during a 17-hour period several months ago, according to CTO Michael Sentonas.

The reseller’s Azure account was used for managing CrowdStrike’s Microsoft Office licenses, and the hackers failed in their attempt to read the company’s email since CrowdStrike doesn’t use Office 365 email, according to Sentonas.

Then Mimecast announced Jan. 12 that a sophisticated threat actor had compromised a Mimecast-issued certificate used to authenticate several of the company’s products to Microsoft 365 Exchange Web Services. The compromised certificate was used to authenticate Mimecast’s Sync and Recover, Continuity Monitor and Internal Email Protect (IEP) products to Microsoft 365, the company disclosed.

Mimecast declined to answer CRN questions about whether its breach was carried out by the same group who attacked SolarWinds. But three cybersecurity officials told Reuters Jan. 12 they suspected the hackers who compromised Mimecast were the same group that broke into SolarWinds. The Washington Post reported that the SolarWinds attack was carried out by the Russian foreign intelligence service.

Most recently, Malwarebytes disclosed Tuesday that the SolarWinds hackers leveraged a dormant email production product within its Office 365 tenant that allowed access to a limited subset of internal company emails. Malwarebytes doesn’t itself use SolarWinds Orion, and learned about the attack from Microsoft following suspicious activity from a third-party application in the company’s Office 365 tenant

By Michael Novinson January 23, 2021, 11:20 AM EST (Article)

13 email threat types to know about right now

Brought to by Barracuda and MspPortal Partners/MSP Aggregator – Distributor
How inbox defense protects against increasingly sophisticated attacks or compliment your current mail filtering solution considering O365 and Mimecast are now compromised very inexpensive to protect yourself from bad actors.
Have your tech team contact MspPortal Partners for pricing

MspPortal provides aggressive/displacement pricing but assisting in the integration and 1 & 2 line tech support

PDF Table of Contents
1) Introduction: Radically reduce susceptibility to targeted email attacks page 1
2) Fighting increasingly complex email attacks page 3
3) Spam page 5
4) Malware 8
5) Data Exfiltration page 12
6) URL Phishing page 15
7) Scamming page 18
8) Spear Phishing page 22
9) Domain Impersonation page 26
10)Brand Impersonation page 30
11)Blackmail page 34
12)Business Email Compromise page 38
13)Conversation Hijacking page 42
14)Lateral Phishing page 46
15)Account Takeover page 49
16)Strengthening your email security posture with API-based inbox defense page 53
17)Conclusion: Effectively protecting against evolving email threats page 56

PDF download Barracuda 13 email threats