Windows update

NSA publishes advisory on 25 vulnerabilities used by Chinese state sponsored hackers

/in , , /by

The National security Agency in the United States recently released an advisory warning of the threat of Chinese state sponsored attacks and detailed 25 vulnerabilities used. The advisory gives detailed information about the vulnerabilities, what it affects and how to remediate them. Most of them are remotely exploited and can be used to gain initial access to a system before using other vulnerabilities to go further in to the network. Most of these vulnerabilities already have patches ready to be installed so as always we really want to emphasize keeping systems up to date with the latest patches and software.

Top 5 Security News

Remote beach accessPhoto by Caleb George on Unsplash

CVE-2020-16891 | Windows Hyper-V Remote Code Execution Vulnerability

/in /by

Published: 2020-10-13
MITRE CVE-2020-16891

“A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system.”

This is especially bad for “hotel” environment with multiple different tenants that should not be able to influence each other, but it is also bad for environments with different levels of security sensitivity within the same tenant.

There is no workarounds or possible mitigations in the configuration.

CVSS Base Score is 8.8

Basefarm and Microsoft recommends that you install the updates for this vulnerability as soon as possible.

Basefarm is currently evaluating this vulnerability, how to best handle it and ensure operational stability for all our customers. We are tracking this internally as BF-VLN-2140691with the highest priority.

Road giving access to remote areaPhoto by Ricardo Esquivel from Pexels

CVE-2020-16898 | Windows TCP/IP Remote Code Execution Vulnerability

/in /by

Published: 2020-10-13
MITRE CVE-2020-16898

“A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets.”

This vulnerability affects Windows 10, Server 2019 and Server Core versions (see full Security Advisory for proper details). It can be mitigated by disabling a network feature or blocking ICMPv6 Router Advertisement packets.

Basefarm and Microsoft recommends that you install the updates for this vulnerability as soon as possible even if you plan to leave a workaround in place.

CVSS Base score is 9.8

Basefarm is currently evaluating this vulnerability, how to best handle it and ensure operational stability for all our customers. We are tracking this internally as BF-VLN-2139859 with the highest priority.

Image by Karl Egger from Pixabay

CVE-2020-3992 | ESXi OpenSLP remote code execution vulnerability

/in /by

Published: 2020-10-20
MITRE CVE-2020-3992

“A malicious actor residing in the management network who has access to port 427 on an ESXi machine may be able to trigger a use-after-free in the OpenSLP service resulting in remote code execution.”

The workaround is to stop and disable the SLP service.

CVSS Base Score is 9.8

Basefarm and VMware recommends that you install the updates for this vulnerability as soon as possible. Basefarm also recommends that the management services of ESXi servers are not available for regular users, but are places on a protected network.

Basefarm is currently evaluating this vulnerability, how to best handle it and ensure operational stability for all our customers. We are tracking this internally as BF-VLN-2146240 with the highest priority.

“Known assailant” back with a vengeance

/in , /by

In this post there is specific focus on an infamous threat that resurfaced during the summer.

Following several news articles in Nordic media of phishing attacks towards public services in late august and, in addition, sources that indicate that the Emotet trojan resurfaced in mid-july, several sources online are now indicating a massive campaigning not only in the Nordics but worldwide.

Emotet is an e-mail trojan that is often used as the entry point to target organizations. It´s success has largely been brought on by the craftiness of mimicking valid e-mails and attachments, utilizing macros in Word and Excel files. In addition, its evolution of attack techniques adds to that success.
For example, there are indications that the latest strain is using stolen attachments to add credibility to the forged e-mails.

Emotet is often paving way for at least two know other assailants in TrickBot and QakBot, to further spread laterally and steal credentials.

How to protect against Emotet (as well as Trojans and  Malware in general):

  • Be extra suspicious and cautious towards e-mails and attachments, even from known sources
  • Report suspicious e-mails to your Security organization for investigation
  • Make sure you have an up to date security program, preferably with anti-exploit capabilities
  • Make sure your systems are patched and up to date with the latest security patches
  • Enforce proper network segmentation
  • Enable MFA (Multi factor authentication on your e-mail service)
  • Block networks that generally do not need access (TOR, VPN etc.)

If you get infected:

  • Report it to your security organization or SIRT immediately
  • It is strongly advised that you perform and audit of your network and e-mail accounts to make sure other devices are not compromised.

Further reading:

Brown envelope with red sealPhoto by John-Mark Smith from Pexels

Check your Exchange for ongoing leaks

/in , , /by

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT)

Currently the biggest exposure to threats in the cyber domain is presented via mail. Phishing attacks tricks out the credentials for legitimate users and then gain access to the mail account, and some actors will sit with this access to months looking for ways to benefit from this access. As a way of establishing persistence an attacker will often create rules in the mail-system to have mail forwarded to an external account the attacker controls. This way, even if you change passwords, the attacker still receives copies of the mail.

These forwarding rules can serve as valuable indicators. And even if absence of evidence is not evidence of absence, it is worth to look for these rules with regular intervals. This is nothing new, but a reminder seemed in place given the current threat landscape. Here is an older blogpost from Compass-Security explaining the issue.

There is also a project on Github to help faciliate testing and low-volume activity data acquisition from the Office 365 Management Activity API that might be interesting in this regard.

Top 5 Security News

Water Droplets on Spider WebWater Droplets on Spider Web - CC0 by Pixabay

CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability

/in , /by

Published: 2020-07-29
MITRE CVE-2020-1472

An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka ‘Netlogon Elevation of Privilege Vulnerability’.

There are many non-Windows device implementations of the Netlogon Remote Protocol (also called MS-NRPC). To ensure that vendors of non-compliant implementations can provide customers with updates, a second release that is planned for Q1 2021 will enforce protection for all domain-joined devices.

If the guidelines from the KB article “How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472” are not followed, your organization risks devices in your environment being denied access when the enforcement phase starts in Q1 2021. If there are currently no non-compliant devices in your environment, you can move to enforcement mode for further protection in advance of required enforcement.

The Base CVSS score for this vulnerability is 10 (out of 10 possible).
The Temporal CVSS score (at 2020-08-19) is 9.

There is no known exploitation of this in the wild, and the details about the vulnerability is not publicly disclosed. Meaning there should be some time still before this is a major issue. And if it becomes exploited in the wild, Basefarm always recommends that domain controllers are not reachable on the public internet.

Basefarm is currently evaluating this vulnerability, how to best handle it and ensure operational stability for all our customers. Our goal is to have this mitigated on all servers within 1 week. We are tracking this internally as BF-VLN-2102348 with the highest priority.

RedCurl cybercrime group discovered

/in , , /by

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT)

A new CyberCrime group nicknamed RedCurl has been discovered after over two years of operation, attacking at least 14 organizations in over 26 attacks. They are known to attack companies in at least six countries, including Norway with banks, insurance and financial companies as some of the industries that they went after. The group was discovered by Group-IB, a global threat hunting and intelligence company headquartered in Singapore, and released a 57 page report on it.

The groups modus operandi did not use advanced tools but rather relied on handcrafted phishing emails, powershell and time to successfully carry out their attacks.

According to the Group-BI report “The attackers posed as members of the HR team at the targeted organization and sent out emails to multiple employees at once, which made the employees less vigilant, especially considering that many of them worked in the same department“, and used the companies logos, signature lines, and spoofing the companies own domain making it very difficult to spot that the mails were not legitimate.

Top 5 Security News

Old shoesImage by Martin Pecar from Pixabay

CVE-2020-10713 – GRUB 2 boot loader buffer overflow – aka BootHole

/in /by

Published: 2020-07-29
MITRE CVE-2020-10713

GRUB 2 is a “boot loader”, it precedes the actual operating system and allows for multiple options in what operating system to load and with what parameters given. An attacker with administrative privileges on a system, or physical access, can use this vulnerability to bypass the check of cryptographic signatures and run arbitrary code. GRUB 2 is the default boot loader for most popular GNU/Linux distributions, but it is independent of any OS so this vulnerability can also be exploited against Windows systems.

Some might say that game is over anyway if an attacker has administrative privileges or physical access, but this attack method provides a way for an attacker to establish persistence on a system perhaps invisible for an OS and its endpoint security platform.

RedHat reports “In CVE-2020-10713, an attacker may use the GRUB 2 flaw to hijack and tamper the GRUB verification process. This flaw also allows the bypass of Secure Boot protections. In order to load an untrusted or modified kernel, an attacker would first need to establish access to the system such as gaining physical access, obtain the ability to alter a pxe-boot network, or have remote access to a networked system with root access. With this access, an attacker could then craft a string to cause a buffer overflow by injecting a malicious payload that leads to arbitrary code execution within GRUB.”

And for remediation “Red Hat recommends all customers to update their grub2 packages. Red Hat customers using Secure Boot need to update kernel, fwupdate, fwupd, shim and dbxtool packages containing newly validated keys and certificates. Users running Secure Boot with Red Hat Enterprise Linux 8 need to take additional steps to boot into previously released RHEL 8 kernels after applying the grub2 package updates.”

This vulnerability has a CVSS Base score of 8.2 with the CVSS vectors CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Basefarm is currently evaluating this vulnerability and its consequences for the continued secure operations of our customers and our own systems. Internally this is tracked in BF-VLN-2089662. At this early point we refer to the individual vendors for more information:

Microsoft ADV200011 | Microsoft Guidance for Addressing Security Feature Bypass in GRUB

Red Hat Boot Hole Vulnerability – GRUB 2 boot loader – CVE-2020-10713

This vulnerability was discovered and responsibly disclosed by Eclypsium, see their in depth technical writeup “There’s a Hole in the Boot”

Update 2020-07-31: There are some reports about the RHEL grub2 security update rendering systems unbootable. Patching for vulnerabilities IS important, but doing so in a responsible manner is also a priority.

Photography of person peeking through blindsPhoto by Noelle Otto from Pexels

Unique insights and large ransomware attacks

/in , , , /by

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT)

This week we get a unique insight into a threat actors inner working as IBM’s X-Force IRIS security team uncover a 40GB cache of data belonging to a threat actor called “ITG18” (overlaps with another outfit alternatively known as Charming Kitten and Phosphorus) believed to be sponsored by Iran. Included in the extracted data is several hours of video “showing operators searching through and exfiltrating data from multiple compromised accounts”.
Read more …

Top 5 Security News