Posts

Cybersecurity Updates For Week 15 of 2022

Microsoft Issues Patches for 2 Windows Zero-Days and 126 Other Vulnerabilities

Microsoft’s Patch Tuesday updates for the month of April have addressed a total of 128 security vulnerabilities spanning across its software product portfolio, including Windows, Defender, Office, Exchange Server, Visual Studio, and Print Spooler, among others.

Read more:
https://thehackernews.com/2022/04/microsoft-issues-patches-for-2-windows.html

Menswear Brand Zegna Reveals Ransomware Attack

Accounting materials from the Italy-based luxury fashion house were leaked online by RansomExx because the company refused to pay.

Read more:
https://threatpost.com/menswear-zegna-ransomware/179266/

Critical flaw in Elementor WordPress plugin may affect 500k sites

The authors of the Elementor Website Builder plugin for WordPress have just released version 3.6.3 to address a critical remote code execution flaw that may impact as many as 500,000 websites.

Read More:
https://www.bleepingcomputer.com/news/security/critical-flaw-in-elementor-wordpress-plugin-may-affect-500k-sites/

Other news worth mentioning:

CISA Warns Against Russian Hackers Exploiting a Critical Bug
Black-hat hackers: bad to the bone or just victims of society?
No plain sailing: modern pirates hack superyachts’ cybersecurity
Microsoft Takes Down Domains Used in Cyberattack Against Ukraine
VMware Confirms Workspace One Exploits in the Wild

Cybersecurity Updates For Week 6 of 2022

Argo CD High Severity Vulnerabilit – CVE-2022-24348

Argo CD before 2.1.9 and 2.2.x before 2.2.4 allows directory traversal related to Helm charts because of an error in helmTemplate in repository.go. For example, an attacker may be able to discover credentials stored in a YAML file.

Read more:
https://www.armosec.io/blog/cve-2022-24348-argo-kubernetes/

Windows DNS Server Remote Code Execution Vulnerability – CVE-2022-21984

A remote code execution vulnerability exists in Windows Domain Name System (DNS) servers. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account over the network.

Read more:
https://dirteam.com/sander/2022/02/08/windows-server-2022-suffers-a-windows-dns-server-remote-code-execution-vulnerability-cve-2022-21984/

SAP Critical Vulnerabilities in business applications

SAP released three patches for all impacted systems of a possible security attack while Onapsis helped provide a free open-source vulnerability scanner tool to assist all SAP customers affected to immediately address these issues.

Read More:
https://blogs.sap.com/2022/02/08/sap-partners-with-onapsis-to-identify-and-patch-cybersecurity-vulnerabilities/

Other news worth mentioning:

PrivateLoader: The first step in many malware schemes
Two Arrested for Alleged Conspiracy to Launder $4.5 Billion in Stolen Cryptocurrency
Decryptor Keys Published for Maze, Egregor, Sekhmet Ransomwares
France Rules That Using Google Analytics Violates GDPR Data Protection Law

Microsoft Windows Multiple Security Updates Affecting TCP/IP | CVE-2021-24074, CVE-2021-24094, and CVE-2021-24086

Published: 2021-02-09
MITRE CVE-2021-24074
MITRE CVE-2021-24094
MITRE CVE-2021-24086

“Microsoft released a set of fixes affecting Windows TCP/IP implementation that include two Critical Remote Code Execution (RCE) vulnerabilities (CVE-2021-24074, CVE-2021-24094) and an Important Denial of Service (DoS) vulnerability (CVE-2021-24086). The two RCE vulnerabilities are complex which make it difficult to create functional exploits, so they are not likely in the short term. We believe attackers will be able to create DoS exploits much more quickly and expect all three issues might be exploited with a DoS attack shortly after release. Thus, we recommend customers move quickly to apply Windows security updates this month.”

CVSS Base Score is 9.8, 9.8 and 7.5.

All have potential workarounds that should have a minimal operational impact.

Currently there is no exploit in the wild. If an exploit is published this vulnerability will become critical to mitigate as fast as possible.

We are tracking this internally as BF-VLN-2216447 with the highest priority and is currently evaluating this vulnerability and how to best handle it and ensure operational stability for all our customers.

For further general details we point to the Microsoft Security Response Center blog post about the topic.

Don’t get caught in the cold with ransomware

Before prevention is enabled.

Ransoms is sadly the trend these days. We want to share a cheap and effective way to enable prevention that most probably fail to consider.

Using the ransomware simulator from KnowBe4, RanSim, we could see that our endpoints did no prevention previously.

An easy way to minimize the attack surface for ransomware is to use the built-in feature in Windows 10 and Server 2019 called “Controlled Folder Access”. This can be managed with the following:

  • Windows Security app
  • Microsoft Intune
  • Mobile Device Management (MDM)
  • Microsoft Endpoint Configuration Manager
  • Group Policy
  • PowerShell

More information can be found here:

Our results after we enabled this prevention (and enabled it for RanSims test-folder) look a lot better.

It notes some things that got denied that should not be denied, but testing did not show any impact to the users experience. This only affected this particular untrusted application.

After prevention is enabled

CVE-2020-16898 | Windows TCP/IP Remote Code Execution Vulnerability

Published: 2020-10-13
MITRE CVE-2020-16898

“A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets.”

This vulnerability affects Windows 10, Server 2019 and Server Core versions (see full Security Advisory for proper details). It can be mitigated by disabling a network feature or blocking ICMPv6 Router Advertisement packets.

Basefarm and Microsoft recommends that you install the updates for this vulnerability as soon as possible even if you plan to leave a workaround in place.

CVSS Base score is 9.8

Basefarm is currently evaluating this vulnerability, how to best handle it and ensure operational stability for all our customers. We are tracking this internally as BF-VLN-2139859 with the highest priority.

Windows update

New year, new vulnerabilities

This blog post is a summary of this week’s Information Security News put together by our Security Incident Response Team (SIRT).

The year 2020 started of by throwing out a bunch of new vulnerabilities that needed fixing.
First it was the Citrix vulnerability in Application Delivery Controller and Gateway products, formerly known as netscaler. The vulnerability was technically was released in 2019 as CVE-2019-19781; and allowed an attacker to get arbitrary remote code execution trough a directory traversal. The exploit was really easy to pull of and only needed two web-requests to the gateway, and multiple POC was released early January leading to active exploitation in the wild. Citrix has not yet released a patch for the vulnerability, but instead released a way to mitigate the vulnerability by means of configuration. A patch is expected next week.

Then on Tuesday, 14th of January Microsoft released its monthly patches fixing a bunch of bugs and security issues. In this patch there were two critical vulnerabilities that warranted extra atention. One was dubbed “curveball” and is tracked as CVE-2020-0601. Curveball is a bug in the Windows crypto API(Crypt32.dll) and how Windows Elliptic Curve Cryptography (ECC). The vulnerability allows anyone to present a certificate, and windows will happily acknowledge it as a valid certificate even when it is no. This could let an attacker launch Man-in-the-middle attacks against HTTPS connections, present fake certificates for phishing pages and allow fake signed executables to be launched. The vulnerability affects Windows 10, and Windows server 20016 and later.

Another big one from this patch was the Microsoft RD gateway vulnerability tracked as CVE-2020-0609 allowing arbitrary remote code execution by sending a specially crafted request to the server over the RDP connection. By using this exploit an attacker could get full access to the server by means of installing software, create users with full access rights etc.

There were also multiple other other vulnerabilities fixed, such as CVE-2020-0603 is a critical remote code execution bug in ASP.NET Core allowing an attacker to execute code by getting a user to open a file, and CVE-2020-0636 (Windows Subsystem for Linux (WSL)) allowing a user to run commands with elevated privileges.

In other news, SHA-1 is a Shambles after the first chosen prefix collision for sha1 was done. This means that sha1 is considered unsafe to use for integrity checking as you can create two documents that are completely different, add extra data to make them the same length and then add some specific data to generate the same sha1-sum for both documents. SHA1 should now be avoided for integrity checking of data.

A total of 334 vulnerabilities was patched by Oracle this week, covering many widely used applications like MySQL, VirtualBox, Java and Oracle Database.

On a different note, Windows 7 and windows server 2008(r2) is now end of life as of January 14, and will not get any more security updates. Microsoft wil also up the fees for running these operation systems, so both from a economical and security standpoint it makes sense to upgrade now sooner than later.

To sum up this weeks security news, stay up to date with patching at all times. There is no excuse not to.

Security Software & Tools Tips – October 2019

In this monthly post, we try to make you aware of five different security-related products.
This is a repost from my personal website Ulyaoth

This month we have chosen for the following:
* block-doh
* DisableWinTracking
* P0f
* GitGuardian
* Sandboxie

block-doh

Information from the block-doh website:

DoH provides “privacy” at the expense of security. The prominent providers do NOT filter malicious websites, domains, and IP addresses. This has the effect of creating a mechanism by which hackers bypass security policy and this has been observed in the wild. Organizations that use DNS to protect their constituents are directly harmed by DoH.

Website:

https://github.com/bambenek/block-doh

DisableWinTracking

Information from the DisableWinTracking website:

A tool that uses some of the known methods of disabling tracking in Windows 10.

Website:

https://github.com/10se1ucgo/DisableWinTracking

P0f

Information from the P0f website:

P0f is a tool that utilizes an array of sophisticated, purely passive traffic fingerprinting mechanisms to identify the players behind any incidental TCP/IP communications (often as little as a single normal SYN) without interfering in any way.

Website:

http://lcamtuf.coredump.cx/p0f3/

GitGuardian

Information from the GitGuardian website:

GitGuardian is a cybersecurity bot. It prevents public exposure of your secrets from your Github repo. It is also the first platform scanning all GitHub public activity in real time for API secret tokens, database credentials or vault keys.

Website:

https://www.gitguardian.com/

Sandboxie

Information from the Sandboxie website:

Sandboxie uses isolation technology to separate programs from your underlying operating system preventing unwanted changes from happening to your personal data, programs and applications that rest safely on your hard drive.

Website:

https://www.sandboxie.com/

Image by 200 Degrees from Pixabay

Patch Tuesday February 2016

Yet another patch Tuesday has come upon us.
Microsoft released 13 updates, some of which fix critical issues, to address vulnerabilities in their product line. Adobe on the other hand has released patches which address 22 vulnerabilities for their Adobe Flash and Adobe Acrobat/Reader products.
Oracle also pushed out a new update – Java SE 8, Update 73.

Microsoft
Adobe

SandWorm

On Tuesday, October 14, 2014, iSIGHT Partners – in close collaboration with Microsoft – announced the discovery of a zero-day vulnerability impacting all supported versions of Microsoft Windows and Windows Server 2008 and 2012.

Microsoft is making a patch for this vulnerability available as part of patch updates on the 14th – CVE-2014-4114.

Exploitation of this vulnerability was discovered in the wild in connection with a cyber-espionage campaign that iSIGHT Partners attributes to Russia.

This is making the rounds in the news, which isn’t surprising given the potential source as well as targets, but should you as an end user be worried over this? Probably not – in most cases. The vulnerability isn’t released in the wild, which means that you’d need to be the target for a very specific group of people to be hit by this. You should however of course still tread with caution until tomorrow’s Windows Update which will fix this vulnerability.

More information:
http://www.isightpartners.com/2014/10/cve-2014-4114/

How to install Logstash on Windows Server 2012 with Kibana in IIS.

This post is currently outdated, please have a look here to see a up to date version: https://ulyaoth.com/tutorials/how-to-install-elastic-stack-5-4-on-windows-server-2016/

This post is a repost from Sjir Bagmeijer’s personal website, you can find a more up to date post on his website:
https://ulyaoth.com/tutorials/how-to-install-elastic-stack-5-4-on-windows-server-2016/

In this guide I will show that it is also possible to run Logstash on a Windows Server 2012 machine and use IIS as web server. This guide probably requires some improvements and optimizations but it should give you a good example of how to set everything up.

Please, be aware that you will probably have to configure Kibana in a different way then I did to make everything look shiny, and you will probably have to use a different kind of logstash configuration to make things show as you would like. I am also aware that Logstash provides all-in-one pages that have ElasticSearch and Kibana built in, however I still feel setting things up separately is more appropriate.

The config below is just meant to be an example to show that everything works just as fine on Windows as it does on Linux.

If you are interested in Linux then please have a look at my other guide at:
http://bfblogg.wpengine.com/blog/how-to-install-logstash-with-kibana-interface-on-rhel/

Now lets start with the guide!

Step 1: Download Logstash, Kibana and ElasticSearch.
Simpely go to “http://www.elasticsearch.org/overview/elkdownloads/

Logstash: https://download.elasticsearch.org/logstash/logstash/logstash-1.4.2.zip
Kibana: https://download.elasticsearch.org/kibana/kibana/kibana-3.1.0.zip
Elasticsearch: https://download.elasticsearch.org/elasticsearch/elasticsearch/elasticsearch-1.2.1.zip

Step 2: Extract all packages
I created myself a folder called “basefarm” in “c:\basefarm\” and extracted all folders there to make it easier.

So, for me it looks like this now:
c:\basefarm\elasticsearch
c:\basefarm\kibana
c:\basefarm\logstash

Step 3: Download the JDK version of Java and install it.
Go to the Java website: http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html
Accept the license and then download: “Windows x64 (jdk-8u5-windows-x64.exe)” package.
Now install it!

Step 4: Add the JAVA_HOME variable to the server
Now right click on “This PC” and choose “Properties” on the right bottom site next to your computer and full computer name click on Change settings.
On the window that opens go to the Advanced tab and click on “Environment Variables”.
at the bottom box called “System Variables” click on “new” and add the following:
Variable Name: JAVA_HOME
Variable value: C:\Program Files\Java\jdk1.8.0_05

It should look like this:

Step 5: Download the required configuration files
Logstash.conf: https://github.com/sbagmeijer/ulyaoth/blob/master/guides/logstash/windows/logstash.conf

Place this file in:
C:\basefarm\logstash\bin

ulyaoth.json:
https://raw.githubusercontent.com/sbagmeijer/ulyaoth/master/guides/logstash/kibana/dashboard/ulyaoth.json

Place this file in:
C:\basefarm\kibana\app\dashboards

rename “ulyaoth.json” to “basefarm.json” so you end up with “C:\basefarm\kibana\app\dashboards\basefarm.json”.

Step 6: Configure Kibana & Logstash
Open the file: C:\basefarm\kibana\config.js

and change the following line:
default_route : ‘/dashboard/file/default.json’,

to:
default_route : ‘/dashboard/file/basefarm.json’,

Now open the file: C:\basefarm\kibana\app\dashboards\basefarm.json

and change the following line:
“title”: “Ulyaoth: Logstash Search”,

to:
“title”: “Basefarm: Logstash Search”,

Step 7: Install IIS
Go to “Server Manager” and choose “Add Roles and Features Wizard” from the list here choose “Web Server (IIS)” now go further and let it install.

Step 8: Open IIS Manager and stop the “Default Web Site”
Just press the stop button like you see below in the picture:

Step 9: Create a new website for Kibana as shown below
Right click on “sites” in the left part of IIS Manager and click “Add Website”.

Fill it in something like this:

It should automatically start.

Step 10: Start Elasticsearch and put it on auto-start
Open a console and go to “c:\basefarm\elasticsearch\bin\”
now type the following command:
service install

You should see something like:

Now type the following:
service manager

You should see the elasticsearch service manager:

You have to change on the tab the “Startup type” from Manual to Automatic and then press “Apply”. This should make Elasticsearch start automatically on server boot.

This window contains some more options such as how much memory Elasticsearch will use. You can find this under the “Java” tab. I would suggest to make this fitfor your server if you have a server that will handle a huge amount of logs. I would increase the “Maximum Memory Pool: 1024” at least to a higher amount.

Before you close the window make sure to press “Start” so it actually will run right now 🙂

This is everything to start ElasticSearch automatically on boot. To test that it is working, open a browser and go to this url: http://127.0.0.1:9200/

If you see a json string something like what you see below in the picture then it means it is running:

Step 11: Start Logstash & Autostart it
For this step we need another small program to create a proper Windows service, so please go ahead and download “NSSM” (the Non-Sucking Service Manager) from: http://nssm.cc/
http://nssm.cc/release/nssm-2.23.zip

Once you have the zip file simply unzip it and copy the file from the unzipped folder you now have: “nssm-2.23\win64” (nssm.exe) to “C:\basefarm\logstash\bin” so it should result in you having “C:\basefarm\logstash\bin\nssm.exe”.

I know you technically do not have to copy this file but just to keep things clean and to have this available for any future use you never know. 🙂

Now open a Command Prompt and type:
cd C:\basefarm\logstash\bin

And then type the following:
nssm install logstash

You will now see a GUI to create a server fill in the following:
Path: C:\basefarm\logstash\bin\logstash.bat
Startup directory: C:\basefarm\logstash\bin
Arguments: agent -f C:/basefarm/logstash/bin/logstash.conf

It should look like this:

If all looks okay double check on the “Details” tab that “Startup Type” is set to “Automatic” and then press “Install service”. This should be all for Logstash to automatically start on server boot.

If you wish to adjust the memory Logstash does use then simpely open the file “C:\basefarm\logstash\bin\logstash.bat” and the change the following two lines accordingly to the amount of memory you wish it to use:
[code]
set LS_MIN_MEM=256m
set LS_MAX_MEM=1g
[/code]

Step 12: Edit your host file (optional)
This step I only do because I run everything on a test server with no internet connection.

open: C:\Windows\System32\drivers\etc\hosts

Now add:
127.0.0.1 loghost.basefarm.com

And save the file.

Now reboot your server so you can test that everything is automatically coming online.

This is all you should have to do once the server is back online you have logstash up and running so just go to:
http://loghost.basefarm.com/

And you should see:

As you can see, your Kibana IIS logs are shipped now to the Logstash instance.

Just remember, if you run this website over the internet you probably need to make sure port 9200 is accessible but I would restrict it to internal use only so Kibana can reach it but not the outside world.

If you want to ship logs from another server to your loghost server I would suggest to have a look into a program called “nxlog” (http://nxlog-ce.sourceforge.net/) this is a fairly simple way of shipping logs to Lgstash and works perfect on Wndows.

If you have any suggestions to improve this guide then please feel free to or update the configs on GitHub or to provide me the information so I can update the guide and help others!

I also would like to thank “Milo Bofacher” for pointing to “nssm” and “nxlog”!