Stay Alert

Microsoft Windows Zero-Day Under Attack

Dark Reading Staff 9-8-2021

Microsoft has issued an advisory containing mitigations and workarounds for a remote code execution flaw in Windows it says is being exploited in targeted attacks.

CVE-2021-40444 exists in MSHTML, the proprietary browser engine built into Windows that allows the operating system to read and display HTML files. MSHTML, also known as Trident, was mainly used by Internet Explorer but is also used by Microsoft Office, Broadcom notes in its advisory on the vulnerability. It allows developers to add Web browsing into their applications.

Microsoft reports the targeted attacks it has observed use specially crafted Office documents. In explaining how an attack would work, it says an adversary could create a malicious ActiveX control to be used by an Office document that hosts the MSHTML browser-rendering engine. An attacker would have to convince a victim to open the file. Officials note victims with fewer user privileges on the system could be less affected than those with administrative user rights.

The company credits four external researchers with finding the vulnerability: Dhanesh Kizhakkinan, Genwei Jiang, and Bryce Abdo of Mandiant, and Haifei Li of EXPMON, in addition to Rick Cole with the Microsoft Security Threat Intelligence Center (MSTIC).

Read the full advisory for more details.

Windows Privilege Escalation Vuln Puts Admin Passwords At Risk

July 21 2021

Microsoft has issued a temporary workaround for systems vulnerable to CVE-2021-36934, also known as “HiveNightmare” and “SeriousSAM.”

Microsoft has issued a temporary workaround for a privilege escalation vulnerability that could expose administrator passwords to non-admin users.

CVE-2021-36934, also called “HiveNightmare” and “SeriousSAM,” appears to have been first detected by security researcher Jonas Lykkegaard, Forbes reports. Lykkegaard noticed the Security Account Manager (SAM) file had become read-enabled for all users, meaning an attacker with non-admin privileges could access hashed passwords and elevate privileges.

Lykkegaard and other security researchers found the issue affected the Windows 11 preview as well as Windows 10. Microsoft has confirmed the problem affects Windows 10 version 1809 and newer operating systems and has provided workarounds for systems affected by the flaw.

“An elevation of privilege vulnerability exists because of overly permissive Access Control Lists (ACLs) on multiple system files, including the Security Accounts Manager (SAM) database,” the company wrote in its CVE.

An attacker who successfully exploited the flaw could run arbitrary code with system privileges and then install programs; view, change, or delete data; or create new accounts with full user rights. They also have the ability to execute code on a target system to exploit the bug. So far Microsoft has not detected exploits in the wild, though it notes exploitation is “more likely.”

Microsoft has stated it will update the CVE as its investigation continues.
Article: Dark Reading

Experienced Support for Advanced Ransomware Threats

When it comes to your personal or business cybersecurity, you need solutions that you can trust. You need partners and suppliers that exude confidence. This trust comes from experience; a proven history of working with and protecting organizations like yours against all types of cybersecurity threats, from malware to phishing attacks, simple spam to ransomware.

In today’s environment of advanced threats, you need a firm such as MspPortal Partners to assist you in protecting your business, and or your personal computer. MspPortal has more than 400 tech firms and 2,000 techs on the ground, and we work with the leading endpoint security solution providers in the industry.

On February 5th, the National Cyber Investigative Joint Task Force (NCIJTF) released a joint-sealed ransomware factsheet to address current ransomware threats and provide information on prevention and mitigation techniques. The factsheet was developed by an interagency group of subject matter experts from more than 15 government agencies to increase awareness of the ransomware threats to police and fire departments; state, local, tribal, and territorial governments; and critical infrastructure entities.

To reduce the risk of public and private sector organizations falling victim to common infection vectors like those outlined in the NCIJTF factsheet, CISA launched the Reduce the Risk of Ransomware Campaign in January 2021 to provide informational resources to support organizations’ cybersecurity and data protection posture against ransomware. Please download and read the PDF. Direct PDF Ransomware_Fact_Sheet

 

The NCIJTF fact sheet outlines five best practices to minimize ransomware risks.

  1. Backup your data, system images, and configurations, test your backups, and keep the backups offline
  2. Utilize multi-factor authentication
  3. Update and patch systems
  4. Make sure your security solutions are up to date
  5. Review and exercise your incident response plan

At MspPortal Partners, we supply one, two and even three (when needed) in typically 1-2 hours either by email or a direct call we are here to be of service.

Our technology solutions include Bitdefender, which leads the market in malware protection. There are a lot of firms that use extreme marketing dollars to profess to be the best, but in industry antivirus comparisons and reviews, Bitdefender is always is on top. All resellers and distributors that work with Mspportal Partners are trained by Roy Miehe, a top trainer and antivirus professional that has worked in the anti-virus industry since 1996, and as a tech since 1994, working on many beta Microsoft products. He has propelled MspPortal Partners to a leading MSPs working only with the best-of-breed solutions.

Please take the time to send a note (Contact page link) over and we will find the best tech firm for your needs. MspPortal offers a number of technology services, in addition to security solutions.

 

SonicWall Breached Via Zero-Day Flaw In Remote Access Tool

Sophisticated hackers compromised SonicWall’s NetExtender VPN client and SMB-oriented Secure Mobile Access 100 series product, which are used to provide employees and users with remote access to internal resources.

SonicWall disclosed Friday night that highly sophisticated threat actors attacked its internal systems by exploiting a probable zero-day flaw on the company’s secure remote access products.

The Milpitas, Calif.-based platform security vendor said the compromised NetExtender VPN client and SMB-oriented Secure Mobile Access (SMA) 100 series products are used to provide employees and users with remote access to internal resources. The SMA 1000 series is not susceptible to this attack and utilizes clients different from NetExtender, according to SonicWall.

“We believe it is extremely important to be transparent with our customers, our partners and the broader cybersecurity community about the ongoing attacks on global business and government,” SonicWall wrote in an “Urgent Security Notice” posted to its product notifications webpage at 11:15 p.m. ET Friday. The company said the coordinated attack on its systems was identified “recently.”

SolarWinds Hackers Access Malwarebytes’ Office 365 Emails

SonicWall declined to answer questions about whether the attack on its internal systems was carried out by the same threat actor who for months injected malicious code into the SolarWinds Orion network monitoring tool. The company, however, noted that it’s seen a “dramatic surge” in cyberattacks against firms that provide critical infrastructure and security controls to governments and businesses.

The company said it is providing mitigation recommendations to its channel partners and customers. Multi-factor authentication must be enabled on all SonicWall SMA, firewall and MySonicWall accounts, according to SonicWall.

Products compromised in the the SonicWall breach include: the NetExtender VPN client version 10.x (released in 2020) used to connect to SMA 100 series appliances and SonicWall firewalls; as well as SonicWall’s SMA version 10.x running on SMA 200, SMA 210, SMA 400, SMA 410 physical appliances and the SMA 500v virtual appliance.

SonicWall partners and customers using the SMA 100 series should either use a firewall to only allow SSL-VPN connections to the SMA appliance from known/whitelisted IPs or configure whitelist access on the SMA directly itself, according to the company.

For firewalls with SSN-VPN access using the compromised version of the NetExtender VPN client, partners and customers should either disable NetExtender access to the firewall(s) or restrict access to users and admins via an allow-list/whitelist for their public IPs, according to SonicWall.

SonicWall is the fifth pure-play cybersecurity vendor to publicly disclose an attack over the past seven weeks. FireEye blew the lid off what would become the SolarWinds hacking campaign Dec. 8 when company said that it was breached in an attack designed to gain information on some of its government customers. The attacker was able to access some of FireEye’s internal systems, the company said.

Then CrowdStrike disclosed Dec. 23 that it had been contacted eight days earlier by Microsoft’s Threat Intelligence Center, which had identified a reseller’s Microsoft Azure account making abnormal calls to Microsoft cloud APIs during a 17-hour period several months ago, according to CTO Michael Sentonas.

The reseller’s Azure account was used for managing CrowdStrike’s Microsoft Office licenses, and the hackers failed in their attempt to read the company’s email since CrowdStrike doesn’t use Office 365 email, according to Sentonas.

Then Mimecast announced Jan. 12 that a sophisticated threat actor had compromised a Mimecast-issued certificate used to authenticate several of the company’s products to Microsoft 365 Exchange Web Services. The compromised certificate was used to authenticate Mimecast’s Sync and Recover, Continuity Monitor and Internal Email Protect (IEP) products to Microsoft 365, the company disclosed.

Mimecast declined to answer CRN questions about whether its breach was carried out by the same group who attacked SolarWinds. But three cybersecurity officials told Reuters Jan. 12 they suspected the hackers who compromised Mimecast were the same group that broke into SolarWinds. The Washington Post reported that the SolarWinds attack was carried out by the Russian foreign intelligence service.

Most recently, Malwarebytes disclosed Tuesday that the SolarWinds hackers leveraged a dormant email production product within its Office 365 tenant that allowed access to a limited subset of internal company emails. Malwarebytes doesn’t itself use SolarWinds Orion, and learned about the attack from Microsoft following suspicious activity from a third-party application in the company’s Office 365 tenant

 

By Michael Novinson January 23, 2021, 11:20 AM EST (Article)

Stay Alert this Holiday Season

It should go without saying that when it comes to cybersecurity, if you use a computer or mobile device, you shouldn’t let your guard down this holiday season. Unfortunately, when it comes fighting to be the first who gets the new Sony PS5 or Apple Air Pods Max, sometimes commonsense goes out the window. Add a global pandemic, which has consumed everyone’s attention, and it’s no surprise why personal privacy and cybersecurity are not a focus or priority.

With more people working remotely and companies extending their networks to home offices around the world, nefarious practitioners have also shifted their focus. Again, no surprise that the response of businesses to send people home because of COVID-19, created a gap in cybersecurity, forcing organizations to invest even more time and resources in protective measures. In addition, phishing emails related to COVID-19 have surged, along with scams and attacks related to stimulus payments.

One editor wrote, “Ask almost anyone what the top global story was for 2020, and they will likely start with the COVID-19 pandemic. But there is much more to this story.

“2020 will also be remembered as the year that security events exploded and cyber incidents transformed society in numerous ways.”

So, as we head into and slowly out of the most vulnerable time of the year, pay a little more attention to what website you are sharing your personal information with, and what email you are responding to. As you focus on taking care of your personal health and doing your part to prevent the spread of the COVID-19 virus, consider your approach to cybersecurity and do your best to avoid falling victim to or spreading digital viruses as well.