Stay Alert

CISA Issues Emergency Directive 24-02: Mitigating the Significant Risk from Nation-State Compromise of Microsoft Corporate Email System


04/11/2024 02:15 PM EDT

Today, CISA publicly issued Emergency Directive (ED) 24-02 to address the recent campaign by Russian state-sponsored cyber actor Midnight Blizzard to exfiltrate email correspondence of Federal Civilian Executive Branch (FCEB) agencies through a successful compromise of Microsoft corporate email accounts. This Directive (https://www.cisa.gov/news-events/directives/ed-24-02-mitigating-significant-risk-nation-state-compromise-microsoft-corporate-email-system) requires agencies to analyze the content of exfiltrated emails, reset compromised credentials, and take additional steps to secure privileged Microsoft Azure accounts.

While ED 24-02 requirements only apply to FCEB agencies, other organizations may also have been impacted by the exfiltration of Microsoft corporate email and are encouraged to contact their respective Microsoft account team for any additional questions or follow up. FCEB agencies and state and local government should utilize the distro MBFedResponse@Microsoft.com for any escalations and assistance with Microsoft. Regardless of direct impact, all organizations are strongly encouraged to apply stringent security measures, including strong passwords, multifactor authentication (MFA) and prohibited sharing of unprotected sensitive information via unsecure channels.

Article (https://www.cisa.gov/news-events/alerts/2024/04/11/cisa-issues-emergency-directive-24-02-mitigating-significant-risk-nation-state-compromise-microsoft)

Folks, be smart: get off O365. They have been compromised ever since they were infected by SolarWinds, a leaking timebomb.

2020 was a roller coaster of major, world-shaking events. We all couldn’t wait for the year to end. But just as 2020 was about to close, it pulled another fast one on us: the SolarWinds hack, one of the biggest cybersecurity breaches of the 21st century.

The SolarWinds hack was a major event not because a single company was breached, but because it triggered a much larger supply chain incident that affected thousands of organizations, including the U.S. government.

Suggestion: at least use our malware protection products (like Mail Protection, to start off with).

Roy Miehe | MspPortal Partners Inc. | CEO/President
Security Software Distributor: Bitdefender, Barracuda, Phishline Training
“Where Service and Technical Skills Count”

New Windows driver blocks software from changing default web browser

Must read article (https://www.bleepingcomputer.com/news/microsoft/new-windows-driver-blocks-software-from-changing-default-web-browser/)


By Lawrence Abrams April 7, 2024 10:17 AM
Microsoft is now using a Windows driver to prevent users from changing the configured Windows 10 and Windows 11 default browser through software or by manually modifying the Registry.

Windows users can still change their default browser through the Windows settings. However, those who utilized software to make the changes are now blocked by a driver quietly introduced to users worldwide as part of the February updates for Windows 10 (KB5034763) and Windows 11 (KB5034765).

IT consultant Christoph Kolbicz was the first to notice the change when his programs, SetUserFTA and SetDefaultBrowser, suddenly stopped working.

SetUserFTA is a command line program that lets Windows admins change file associations through login scripts and other methods. SetDefaultBrowser works similarly but is only for changing the default browser in Windows.

Starting with Windows 8, Microsoft introduced a new system for associating file extensions and URL protocols with default programs to prevent them from being tampered with by malware and malicious scripts.

This new system associates a file extension or URL protocol to a specially crafted hash stored under the UserChoice Registry keys.

If the correct hash is not used, Windows will ignore the Registry values and use the default program for this URL protocol, which is Microsoft Edge.

Kolbicz reverse engineered this hashing algorithm to create the SetUserFTA and SetDefaultBrowser programs to change default programs.

However, with the Windows 10 and Windows 11 February updates installed, Kolbicz noted that these Registry keys have now been locked down, giving errors when modified outside the Windows Settings.

For example, using the Windows Registry Editor to modify these settings gives an error stating, “Cannot edit Hash: Error writing the value’s new contents.”
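The UserChoice keys the article refers to can be audited without touching them. The PowerShell below is an added example, not code from the article or from Kolbicz's SetUserFTA/SetDefaultBrowser tools: it reads the ProgId and checks for the presence of the Hash value under the http/https UrlAssociations keys and a few FileExts keys, and flags any handler whose ProgId differs from what an administrator expects. The policy table in $Expected is a constructed placeholder (MSEdgeHTM is shown only as an illustrative value); the script never writes to the registry, so the lockdown described above does not affect it.

```powershell
# Added example, not from the article or from SetUserFTA/SetDefaultBrowser:
# read-only audit of the UserChoice values Windows uses to record the default
# handler for URL protocols and file extensions. Nothing here writes to the
# registry, so the post-February-2024 lockdown does not affect it.

function Get-UserChoiceAssociation {
    [CmdletBinding()]
    param(
        [string[]]$Protocol  = @('http', 'https'),
        [string[]]$Extension = @('.htm', '.html', '.pdf')
    )
    # Key locations: URL protocols under Shell\Associations\UrlAssociations,
    # file extensions under CurrentVersion\Explorer\FileExts.
    $urlBase = 'HKCU:\Software\Microsoft\Windows\Shell\Associations\UrlAssociations'
    $extBase = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts'

    $targets = @()
    foreach ($p in $Protocol)  { $targets += [pscustomobject]@{ Kind = 'Protocol';  Name = $p; Key = "$urlBase\$p\UserChoice" } }
    foreach ($e in $Extension) { $targets += [pscustomobject]@{ Kind = 'Extension'; Name = $e; Key = "$extBase\$e\UserChoice" } }

    foreach ($t in $targets) {
        $props = Get-ItemProperty -Path $t.Key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Kind    = $t.Kind
            Name    = $t.Name
            ProgId  = if ($props) { $props.ProgId } else { '<no UserChoice key>' }
            # A UserChoice whose Hash is missing or wrong is ignored by Windows,
            # which then falls back to the built-in default (Edge for http/https).
            HasHash = [bool]($props -and $props.PSObject.Properties['Hash'])
        }
    }
}

function Test-DefaultHandlerDrift {
    param(
        # Constructed placeholder policy: protocol -> ProgId the administrator expects.
        # MSEdgeHTM is Edge's ProgId; replace it with the browser you actually deploy.
        [hashtable]$Expected = @{ 'http' = 'MSEdgeHTM'; 'https' = 'MSEdgeHTM' }
    )
    Get-UserChoiceAssociation -Protocol @($Expected.Keys) -Extension @() |
        ForEach-Object {
            $want = $Expected[$_.Name]
            [pscustomobject]@{
                Name     = $_.Name
                ProgId   = $_.ProgId
                Expected = $want
                Drift    = ($_.ProgId -ne $want)
            }
        }
}

Get-UserChoiceAssociation | Format-Table -AutoSize
Test-DefaultHandlerDrift   | Where-Object Drift | Format-Table -AutoSize
```

Run it in the context of the user whose defaults you want to inspect (the keys are per-user, under HKCU). A row with Drift set to true means the default differs from policy; because Windows Settings remains the only supported way to change it, the remediation is the Settings UI or an endpoint management tool, not a registry write.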

BleepingComputer contacted Microsoft about the lockdown of these Registry keys in March, but they said they had nothing to share at this time.

Roy Miehe | MspPortal Partners Inc. | CEO/President
Security Software Distributor: Bitdefender, Barracuda, Phishline Training
“Where Service and Technical Skills Count”

FTC: Americans lost $1.1 billion to impersonation scams in 2023

By Bill Toulas April 1, 2024 12:03 PM

At MspPortal Partners Inc., we and our partners can train your employees for work and home, with our #1 Mail Protection and Phishing Education, rated and used by the top 500 firms.

“Many scammers impersonate more than one organization in a single scam – for example, a fake Amazon employee might transfer you to a fake bank or even a fake FBI or FTC employee for fake help.”

The top five scam types the FTC highlights are:

1) Copycat Account Security Alerts: Scammers send fake alerts about unauthorized account activity, tricking victims into transferring funds for protection.

2) Fake Giveaways, Discounts, or Money to Claim: Scams offer bogus discounts or giveaways from known brands, leading victims to buy gift cards or send money to claim the non-existent offers.

3) Bogus Problems with the Law: Impersonators claim you’re implicated in a crime, pushing you to move money or buy gift cards under the guise of resolving the issue.

4) Phony Subscription Renewals: Emails claim a subscription you never had is renewing, coaxing you into a refund scam that involves returning over-refunded amounts via gift cards.

5) Made-up Package Delivery Problems: Fraudulent messages from carriers about delivery issues, aiming to steal credit card information or account details under the pretense of resolving a delivery problem.

The agency provides tips for consumers to protect against this type of fraud, which include avoiding clicking on URLs arriving via unsolicited communications, distrusting requests for money transfers, and taking the time to verify suspicious communications.

By contact method:
148,000 phone calls
120,000 phishing emails
65,000 text messages
45,000 other methods

Article (https://www.bleepingcomputer.com/news/security/ftc-americans-lost-11-billion-to-impersonation-scams-in-2023/)

Roy Miehe | MspPortal Partners Inc. | CEO/President
Security Software Distributor: Bitdefender, Barracuda, Phishline Training
“Where Service and Technical Skills Count”

New MFA-bypassing phishing kit targets Microsoft 365, Gmail accounts

FYI, we do have phishing training available. Spend the money; don’t get malware. It targets O365 and G Suite, which in reality are easy targets.

By Bill Toulas March 25, 2024 12:56 PM

Cybercriminals have been increasingly using a new phishing-as-a-service (PhaaS) platform named ‘Tycoon 2FA’ to target Microsoft 365 and Gmail accounts and bypass two-factor authentication (2FA) protection.

Tycoon 2FA was discovered by Sekoia analysts in October 2023 during routine threat hunting, but it has been active since at least August 2023, when the Saad Tycoon group offered it through private Telegram channels.

The PhaaS kit shares similarities with other adversary-in-the-middle (AitM) platforms, such as Dadsec OTT, suggesting possible code reuse or a collaboration between developers.

In 2024, Tycoon 2FA released a new version that is stealthier, indicating a continuous effort to improve the kit. Currently, the service leverages 1,100 domains and has been observed in thousands of phishing attacks.

Tycoon 2FA attacks

Tycoon 2FA attacks involve a multi-step process where the threat actor steals session cookies by using a reverse proxy server hosting the phishing web page, which intercepts the victim’s input and relays them to the legitimate service.

“Once the user completes the MFA challenge, and the authentication is successful, the server in the middle captures session cookies,” Sekoia explains. This way, the attacker can replay a user’s session and bypass multi-factor authentication (MFA) mechanisms.

Sekoia’s report describes the attacks in seven distinct stages, as listed below:

Stage 0 – Attackers distribute malicious links via emails with embedded URLs or QR codes, tricking victims into accessing phishing pages.
Stage 1 – A security challenge (Cloudflare Turnstile) filters out bots, allowing only human interactions to proceed to the deceptive phishing site.
Stage 2 – Background scripts extract the victim’s email from the URL to customize the phishing attack.
Stage 3 – Users are quietly redirected to another part of the phishing site, moving them closer to the fake login page.
Stage 4 – This stage presents a fake Microsoft login page to steal credentials, using WebSockets for data exfiltration.
Stage 5 – The kit mimics a 2FA challenge, intercepting the 2FA token or response to bypass security measures.
Stage 6 – Finally, victims are directed to a legitimate-looking page, obscuring the phishing attack’s success.
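A defender never sees the proxy itself, but sign-in telemetry shows its footprint: the MFA challenge is completed from one client address and the resulting session is then used from another, often with a different user agent, within minutes. The PowerShell below is an added example, not part of the article or of Sekoia's report; the event records are constructed sample data and the field names (Time, User, Event, Session, Ip, UserAgent) are assumptions to map onto whatever your identity provider's logs actually export.

```powershell
# Added example (not from the article or Sekoia): flag sessions whose MFA step
# completed from one IP and whose session was then used from a different IP
# within a short window, the pattern left behind by an AitM cookie replay.
# All records below are constructed sample data; field names are assumptions.

$SampleEvents = @(
    [pscustomobject]@{ Time = '2024-03-20T09:00:10Z'; User = 'alice@example.com'; Event = 'MfaSuccess';      Session = 'S-1'; Ip = '203.0.113.10'; UserAgent = 'Chrome/122' },
    [pscustomobject]@{ Time = '2024-03-20T09:00:40Z'; User = 'alice@example.com'; Event = 'SessionActivity'; Session = 'S-1'; Ip = '203.0.113.10'; UserAgent = 'Chrome/122' },
    # S-2: MFA completed through the relay's address, session replayed from elsewhere minutes later
    [pscustomobject]@{ Time = '2024-03-20T10:15:00Z'; User = 'bob@example.com';   Event = 'MfaSuccess';      Session = 'S-2'; Ip = '198.51.100.7'; UserAgent = 'Chrome/122' },
    [pscustomobject]@{ Time = '2024-03-20T10:17:30Z'; User = 'bob@example.com';   Event = 'SessionActivity'; Session = 'S-2'; Ip = '192.0.2.55';   UserAgent = 'Python-requests/2.31' },
    [pscustomobject]@{ Time = '2024-03-20T11:00:00Z'; User = 'carol@example.com'; Event = 'MfaSuccess';      Session = 'S-3'; Ip = '203.0.113.20'; UserAgent = 'Firefox/123' }
)

function Find-SessionReplay {
    param(
        [Parameter(Mandatory)] [object[]]$Events,
        # How soon after MFA a foreign-IP use counts as suspicious (constructed default)
        [int]$WindowMinutes = 60
    )
    $Events | Group-Object Session | ForEach-Object {
        $ordered = $_.Group | Sort-Object { [datetime]$_.Time }
        $auth = $ordered | Where-Object Event -eq 'MfaSuccess' | Select-Object -First 1
        if (-not $auth) { return }          # no MFA event for this session; nothing to compare against
        $authTime = [datetime]$auth.Time

        $ordered | Where-Object {
            $_.Event -eq 'SessionActivity' -and
            $_.Ip -ne $auth.Ip -and
            ([datetime]$_.Time - $authTime).TotalMinutes -le $WindowMinutes
        } | ForEach-Object {
            [pscustomobject]@{
                User            = $_.User
                Session         = $_.Session
                AuthIp          = $auth.Ip
                ReplayIp        = $_.Ip
                AuthAgent       = $auth.UserAgent
                ReplayAgent     = $_.UserAgent
                MinutesAfterMfa = [math]::Round(([datetime]$_.Time - $authTime).TotalMinutes, 1)
            }
        }
    }
}

Find-SessionReplay -Events $SampleEvents | Format-Table -AutoSize
```

On the sample data only session S-2 is reported: MFA was completed from 198.51.100.7 and the session was used 2.5 minutes later from 192.0.2.55 with a non-browser user agent. A hit like this is the trigger to revoke the user's sessions and reset credentials; the structural fix is phishing-resistant MFA (FIDO2/WebAuthn), which binds the credential to the legitimate origin so a relay on another domain cannot complete the challenge in the first place.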

An overview of the attack, including all the steps of the process, is shown in a diagram in the original article.

Evolution and scale

Sekoia reports that the latest version of the Tycoon 2FA phishing kit, released this year, has introduced significant modifications that improve the phishing and evasion capabilities.

Key changes include updates to the JavaScript and HTML code, alterations in the order of resource retrieval, and more extensive filtering to block traffic from bots and analytical tools.

For example, the kit now delays loading malicious resources until after the Cloudflare Turnstile challenge is resolved, using pseudorandom names for URLs to obscure its activities.

Also, Tor network traffic or IP addresses linked to data centers are now better identified, while traffic is rejected based on specific user-agent strings.

Regarding the scale of operations, Sekoia reports that it’s substantial, as there’s evidence of a broad user base of cybercriminals currently utilizing Tycoon 2FA for phishing operations.

The Bitcoin wallet linked to the operators has recorded over 1,800 transactions since October 2019, with a notable increment starting August 2023, when the kit was launched.

Over 530 transactions were over $120, which is the entry price for a 10-day phishing link. By mid-March 2024, the threat actors’ wallet had received a total of $394,015 worth of cryptocurrency.

Tycoon 2FA is just a recent addition to a PhaaS space that already offers cybercriminals plenty of options. Other notable platforms that can bypass 2FA protections include LabHost, Greatness, and Robin Banks.

For a list of the indicators of compromise (IoCs) linked to the Tycoon 2FA operation, Sekoia makes available a repository with over 50 entries.

Article (https://www.bleepingcomputer.com/news/security/new-mfa-bypassing-phishing-kit-targets-microsoft-365-gmail-accounts/)

Roy Miehe | MspPortal Partners Inc. | CEO/President
Security Software Distributor: Bitdefender, Barracuda, Phishline Training
“Where Service and Technical Skills Count”


Google’s new AI search results promotes sites pushing malware, scams

Google’s new AI search results promotes sites pushing malware, scams (Get off Google Chrome)

By Mayank Parmar March 25, 2024 07:32 AM

Google’s new AI-powered ‘Search Generative Experience’ algorithms recommend scam sites that redirect visitors to unwanted Chrome extensions, fake iPhone giveaways, browser spam subscriptions, and tech support scams.

Earlier this month, Google began rolling out a new feature called Google Search Generative Experience (SGE) in its search results, which provides AI-generated quick summaries for search queries, including recommendations for other sites to visit related to the query.

However, as SEO consultant Lily Ray first spotted, Google’s SGE is recommending spammy and malicious sites within its conversational responses, making it easier for users to fall for scams.

BleepingComputer found that the listed sites promoted by SGE tend to use the .online TLD, the same HTML templates, and the same sites to perform redirects.

This similarity indicates that they are all part of the same SEO poisoning campaign that allowed them to be part of the Google index.

When clicking on the site in the Google search results, visitors will go through a series of redirects until they reach a scam site.

In BleepingComputer’s tests, the redirects most commonly lead you to fake captchas or YouTube sites that try to trick the visitor into subscribing to browser notifications.

Browser notifications are a common tactic scammers use to send visitors a barrage of unwanted ads directly to the operating system desktop, even when you’re not on the website.

Once we subscribed to some of the notifications, we began to receive spam with advertisements for tech support affiliate scams, fake giveaways, and other unwanted sites.

In one instance, we received an alert for McAfee antivirus that led to a site claiming our system was infected with ten viruses, urging the visitor to “Scan now to remove viruses” or renew their license.

However, these misleading ads are simply designed to sell McAfee licenses so the fraudsters can earn affiliate commissions.

Finally, and while not as common, BleepingComputer saw some of the redirects pushing unwanted browser extensions that perform search hijacking, and potentially other malicious behavior.

Other scams promoted by the SGE results lead to fake Amazon giveaways that pretend to be loyalty programs giving away an Apple iPhone 15 Pro.

These giveaway scams are used to collect your personal information, which will be sold to other scammers and direct marketers.

Article (https://www.bleepingcomputer.com/news/google/googles-new-ai-search-results-promotes-sites-pushing-malware-scams/)

Roy Miehe | MspPortal Partners Inc. | CEO/President
Security Software Distributor: Bitdefender, Barracuda, Phishline Training
“Where Service and Technical Skills Count”


New Windows Server updates cause domain controller crashes, reboots

By Sergiu Gatlan March 20, 2024 04:40 PM

The March 2024 Windows Server updates are causing some domain controllers to crash and restart, according to widespread reports from Windows administrators.

Affected servers are freezing and rebooting because of a Local Security Authority Subsystem Service (LSASS) process memory leak introduced with the March 2024 cumulative updates for Windows Server 2016 and Windows Server 2022.

LSASS is a Windows service that enforces security policies and handles user logins, access token creation, and password changes.

As many admins have warned, after installing the KB5035855 and KB5035857 Windows Server updates released this Patch Tuesday, domain controllers with the latest updates would crash and reboot due to increasing LSASS memory usage.

“Since installation of the March updates (Exchange as well as regular Windows Server updates) most of our DCs show constantly increasing lsass memory usage (until they die),” one admin said.

“We’ve had issues with lsass.exe on domain controllers (2016 core, 2022 with DE and 2022 core domain controllers) leaking memory as well. To the point all domain controllers crashed over the weekend and caused an outage,” another one added.

“Our symptoms were ballooning memory usage on the lsass.exe process after installing KB5035855 (Server 2016) and KB5035857 (Server 2022) to the point that all physical and virtual memory was consumed and the machine hung,” one admin told BleepingComputer.

“The Support rep says they expect official comms to be announced from Microsoft soon.”

Temporary workaround available

Until Microsoft officially acknowledges this memory leak issue, admins are advised to uninstall the buggy Windows Server updates from their domain controllers.

“Microsoft Support has recommended that we uninstall the update for the time being,” the same admin told BleepingComputer.

To remove the troublesome updates, open an elevated command prompt by clicking the Start menu, typing ‘cmd,’ right-clicking the Command Prompt application, and then choosing ‘Run as Administrator.’

Next, run one of the following commands, depending on what update you have installed on your Windows domain controller:

wusa /uninstall /kb:5035855
wusa /uninstall /kb:5035857

Once uninstalled, you should also use the ‘Show or Hide Updates’ troubleshooter to hide the buggy update so it will no longer appear in the available updates list.
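The two checks an admin would want before and after applying that workaround, as an added PowerShell example that is not from the article: whether KB5035855 or KB5035857 is present according to Get-HotFix, and whether the lsass.exe working set is still climbing over a short sampling window. The growth threshold and sampling interval are constructed defaults; the wusa command strings reproduce the article's commands with /quiet /norestart appended so they can be scheduled in a maintenance window rather than run interactively.

```powershell
# Added example (not from the article): on a domain controller, report whether
# the two March 2024 updates named in the article are installed and whether
# lsass.exe memory is growing, the symptom admins reported. Run elevated.

$SuspectKbs = @('KB5035855', 'KB5035857')   # Server 2016 and Server 2022 updates from the article

function Get-SuspectUpdateStatus {
    param([string[]]$Kb = $SuspectKbs)
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($k in $Kb) {
        [pscustomobject]@{
            KB               = $k
            Installed        = ($installed -contains $k)
            # Same command the article gives, made non-interactive for scheduling
            UninstallCommand = "wusa /uninstall /kb:$($k.Substring(2)) /quiet /norestart"
        }
    }
}

function Watch-LsassMemory {
    param(
        [int]$Samples = 6,
        [int]$IntervalSeconds = 60,
        # Constructed threshold: growth above this between first and last sample is reported as a leak
        [int]$GrowthThresholdMB = 256
    )
    $readings = @(for ($i = 0; $i -lt $Samples; $i++) {
        $p = Get-Process -Name lsass -ErrorAction Stop
        [pscustomobject]@{ Time = Get-Date; WorkingSetMB = [math]::Round($p.WorkingSet64 / 1MB, 1) }
        if ($i -lt $Samples - 1) { Start-Sleep -Seconds $IntervalSeconds }
    })
    $growth = $readings[-1].WorkingSetMB - $readings[0].WorkingSetMB
    [pscustomobject]@{
        FirstMB  = $readings[0].WorkingSetMB
        LastMB   = $readings[-1].WorkingSetMB
        GrowthMB = [math]::Round($growth, 1)
        Leaking  = ($growth -gt $GrowthThresholdMB)
        Readings = $readings
    }
}

Get-SuspectUpdateStatus | Format-Table -AutoSize
$result = Watch-LsassMemory -Samples 3 -IntervalSeconds 10
$result | Select-Object FirstMB, LastMB, GrowthMB, Leaking | Format-List
```

A short sampling run is enough to confirm the trend on an affected DC; a healthy LSASS working set is roughly flat, while the leaking one climbs monotonically until the server exhausts memory. The Installed column tells you which of the two wusa commands from the article applies to that host.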

Microsoft addressed another LSASS memory leak affecting domain controllers in December 2022, when affected servers would freeze and restart after installing Windows Server updates released during the November 2022 Patch Tuesday.

In March 2022, Microsoft fixed one more LSASS crash, causing unexpected Windows Server domain controller reboots.

A Microsoft spokesperson could not immediately provide more details when contacted by BleepingComputer earlier today.

Article (https://www.bleepingcomputer.com/news/microsoft/new-windows-server-updates-cause-domain-controller-crashes-reboots/)

Update Article 3-21-2024 (https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-windows-server-issue-behind-domain-controller-crashes/)

Roy Miehe | MspPortal Partners Inc. | CEO/President
Security Software Distributor: Bitdefender, Barracuda, Phishline Training
“Where Service and Technical Skills Count”

Two different articles; must read.

Brought to you by Bleeping Computer

ScreenConnect flaws exploited to drop new ToddleShark malware

The North Korean APT hacking group Kimsuky is exploiting ScreenConnect flaws, particularly CVE-2024-1708 and CVE-2024-1709, to infect targets with a new malware variant dubbed ToddleShark.

Article (https://www.bleepingcomputer.com/news/security/screenconnect-flaws-exploited-to-drop-new-toddleshark-malware/)

Hackers steal Windows NTLM authentication hashes in phishing attacks
Folks, you need phishing training!! We have it, inexpensively, for your clients.

The hacking group known as TA577 has recently shifted tactics by using phishing emails to steal NT LAN Manager (NTLM) authentication hashes to perform account hijacks.

Article (https://www.bleepingcomputer.com/news/security/hackers-steal-windows-ntlm-authentication-hashes-in-phishing-attacks/)

Roy Miehe | MspPortal Partners Inc. | CEO/President
Security Software Distributor: Bitdefender, Barracuda, Phishline Training
“Where Service and Technical Skills Count”

ConnectWise ScreenConnect Mass Exploitation Delivers Ransomware

Hundreds of initial access brokers and cybercrime gangs are jumping on the max-critical CVE-2024-1709 authentication bypass, threatening orgs and downstream customers.
By Tara Seals, Managing Editor, News, Dark Reading, February 23, 2024

Just days after initial exploitation reports started rolling in for a critical security vulnerability in the ConnectWise ScreenConnect remote desktop management service, researchers are warning that a supply chain attack of outsized proportions could be poised to erupt.

Once the bugs are exploited, hackers will gain remote access into “upwards of ten thousand servers that control hundreds of thousands of endpoints,” Huntress CEO Kyle Hanslovan said in emailed commentary, opining that it’s time to prepare for “the biggest cybersecurity incident of 2024.”

ScreenConnect can be used by tech support and others to authenticate to a machine as though they were the user. As such, it could allow threat actors to infiltrate high-value endpoints and exploit their privileges.

Even worse, the application is widely used by managed service providers (MSP) to connect to customer environments, so it can also open the door to threat actors looking to use those MSPs for downstream access, similar to the tsunami of Kaseya attacks that businesses faced in 2021.

ConnectWise Bugs Get CVEs

ConnectWise disclosed the bugs on Monday with no CVEs, after which proof-of-concept (PoC) exploits quickly appeared. On Tuesday, ConnectWise warned that the bugs were under active cyberattack. By Wednesday, multiple researchers were reporting snowballing cyber activity.

The vulnerabilities now have tracking CVEs. One of them is a max-severity authentication bypass (CVE-2024-1709, CVSS 10), which allows an attacker with network access to the management interface to create a new, administrator-level account on affected devices. It can be paired with a second bug, a path-traversal issue (CVE-2024-1708, CVSS 8.4) that allows unauthorized file access.

Initial Access Brokers Ramp Up Activity

According to the Shadowserver Foundation, there are at least 8,200 vulnerable instances of the platform exposed to the Internet within its telemetry, with the majority of them located in the US.

“CVE-2024-1709 is widely exploited in the wild: 643 IPs seen attacking to date by our sensors,” it said in a LinkedIn post.

Huntress researchers said a source within the US intelligence community told them that initial access brokers (IABs) have started pouncing on the bugs to set up shop inside various endpoints, with the intent of selling that access to ransomware groups.

And indeed, on one instance, Huntress observed cyberattackers using the security vulnerabilities to deploy ransomware to a local government, including endpoints likely linked to 911 systems.

“The sheer prevalence of this software and the access afforded by this vulnerability signals we are on the cusp of a ransomware free-for-all,” Hanslovan said. “Hospitals, critical infrastructure, and state institutions are proven at risk.”

He added: “And once they start pushing their data encryptors, I’d be willing to bet 90% of preventative security software won’t catch it because it’s coming from a trusted source.”

Bitdefender researchers, meanwhile, corroborated the activity, noting that threat actors are using malicious extensions to deploy a downloader capable of installing additional malware on compromised machines.

“We’ve noticed several instances of potential attacks leveraging the extensions folder of ScreenConnect, [while security tooling] suggests the presence of a downloader based on the certutil.exe built-in tool,” according to a Bitdefender blog post on the ConnectWise cyber activity. “Threat actors commonly employ this tool … to initiate the download of additional malicious payloads onto the victim’s system.”

The US Cybersecurity and Infrastructure Security Agency (CISA) has added the bugs to its Known Exploited Vulnerabilities catalog.

Mitigation for CVE-2024-1709, CVE-2024-1708

On-premises versions up to and including 23.9.7 are vulnerable — so the best protection is identifying all systems where ConnectWise ScreenConnect is deployed and applying the patches, issued with ScreenConnect version 23.9.8.

Organizations should also keep a lookout for indicators of compromise (IoCs) listed by ConnectWise in its advisory. Bitdefender researchers advocate monitoring the “C:\Program Files (x86)\ScreenConnect\App_Extensions\” folder; Bitdefender flagged that any suspicious .ashx and .aspx files stored directly in the root of that folder may indicate unauthorized code execution.
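The folder check Bitdefender recommends, together with the version check from the previous paragraph, as an added PowerShell example that is not from the article, ConnectWise or Bitdefender. It lists .ashx and .aspx files sitting directly in the root of App_Extensions (legitimate extensions live in their own subfolders) and compares the installed version against 23.9.8, the first patched release the article names. The location of the service binary used to read the version (Bin\ScreenConnect.Service.exe under the install root) is an assumption; adjust it if your install differs.

```powershell
# Added example (not from the article, ConnectWise or Bitdefender): check an
# on-premises ScreenConnect server for the two conditions the article describes,
# a version at or below 23.9.7 and web handler files dropped into the root of
# App_Extensions. Read-only; run it on the server with local admin rights.

function Test-ScreenConnectExposure {
    param(
        # Folder quoted in the article
        [string]$InstallRoot = 'C:\Program Files (x86)\ScreenConnect',
        # First patched release per the article
        [version]$FirstPatchedVersion = [version]'23.9.8'
    )
    $extDir  = Join-Path $InstallRoot 'App_Extensions'
    # Assumed location of the service binary whose file version reflects the product version
    $binPath = Join-Path $InstallRoot 'Bin\ScreenConnect.Service.exe'

    $version = $null
    if (Test-Path $binPath) {
        try { $version = [version](Get-Item $binPath).VersionInfo.ProductVersion } catch { $version = $null }
    }

    # Only files directly in the root of App_Extensions, not in extension subfolders
    $suspect = @()
    if (Test-Path $extDir) {
        $suspect = @(Get-ChildItem -Path $extDir -File |
            Where-Object { $_.Extension -in '.ashx', '.aspx' } |
            Select-Object FullName, Length, CreationTime, LastWriteTime)
    }

    [pscustomobject]@{
        InstallRoot      = $InstallRoot
        Version          = $version
        VersionKnown     = ($null -ne $version)
        NeedsPatch       = ($null -ne $version -and $version -lt $FirstPatchedVersion)
        SuspectFileCount = $suspect.Count
        SuspectFiles     = $suspect
    }
}

$r = Test-ScreenConnectExposure
$r | Select-Object InstallRoot, Version, VersionKnown, NeedsPatch, SuspectFileCount | Format-List
$r.SuspectFiles | Format-Table -AutoSize
```

A non-zero SuspectFileCount is worth treating as a possible web shell until proven otherwise: preserve the files and their timestamps before removing anything, and check the creation times against when the host was exposed. NeedsPatch true on an internet-facing instance means it is one of the exposed servers Shadowserver counts, whether or not anything has been dropped yet.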

Also, there could be good news on the horizon: “ConnectWise stated they revoked licenses for unpatched servers, and while it’s unclear on our end how this works, it appears this vulnerability is still a major concern for anyone running a vulnerable version or who did not patch swiftly,” Bitdefender researchers added. “This is not to say ConnectWise’s actions aren’t working, we’re unsure of how this played out at this time.”

Article (https://www.darkreading.com/remote-workforce/connectwise-screenconnect-mass-exploitation-delivers-ransomware)

Roy Miehe | MspPortal Partners Inc. | CEO/President
Security Software Distributor: Bitdefender, Barracuda, Phishline Training
“Where Service and Technical Skills Count”

Microsoft 365 suite is now WARN

I feel so sorry for folks that use O365; most of you are gluttons for punishment. They provide no really true US support, considering they take your money either monthly or yearly. Unfortunately most major firms use O365. Think about looking around; be careful with O365 for malware and phishing attacks.

Anyway

Some users may be unable to sign into the Microsoft To Do service
Title: Some users may be unable to sign into the Microsoft To Do service
User impact: Users may be unable to sign into the Microsoft To Do service.
Current status: We’re reviewing network traces to isolate the source of this issue and identify our troubleshooting actions.
Scope of impact: Impact may occur for all users when attempting to sign into the Microsoft

Roy Miehe | MspPortal Partners Inc. | CEO/President
Security Software Distributor: Bitdefender, Barracuda, Phishline Training
“Where Service and Technical Skills Count”

Microsoft: Outlook clients not syncing over Exchange ActiveSync

By Sergiu Gatlan February 9, 2024 12:57 PM

Microsoft warned Outlook for Microsoft 365 users that clients might have issues connecting to email servers via Exchange ActiveSync after a January update.

Exchange ActiveSync (EAS) is an Exchange synchronization protocol using HTTP and XML to let users access their email, calendar, contacts, and tasks.

EAS is enabled by default on new user mailboxes, and disabling it prevents users from synchronizing their mailboxes with mobile devices.

“After updating to Version 2401 Build 17231.20182 Outlook stops connecting when using the Exchange ActiveSync (EAS) protocol,” Microsoft said.

“We have to use Activesync in order to connect to our cloud-hosted email server. Other syncing may not be impacted,” one impacted user said.

While the Outlook Team has yet to provide an explanation for this syncing issue, it’s currently investigating and will provide a fix as soon as a solution is found.

Article (https://www.bleepingcomputer.com/news/microsoft/microsoft-outlook-clients-not-syncing-over-exchange-activesync/)

If you are stressed and concerned: at MspPortal, with Barracuda, we can back up your O365 environment and archive your mail, very inexpensively considering the alternative.

Also, if you are not running our Phishline test product, you are not training your clients to help themselves protect themselves from themselves.

Roy Miehe | MspPortal Partners Inc. | CEO/President
Security Software Distributor: Bitdefender, Barracuda, Phishline Training
“Where Service and Technical Skills Count”