Search This Blog

Showing posts with label Microsoft. Show all posts

Russian banks to face risk due to a cancellation of support for Windows 7


Termination of technical support for Windows 7 and Windows Server 2008 operating systems (OS) can become a serious problem for Russian banks. According to the architect of the Microsoft technology center in Russia, Ivan Budylin, now, banks are required to quickly switch to Windows 10, since working without technical support is contrary to information security requirements. He added that the lack of updates can lead to significant risks of data loss.

At the same time, according to the survey, credit institutions are not yet ready to completely abandon the old OS.

Some banks reported that they had signed an agreement with Microsoft for paid additional support for Windows 7 (EAS). However, the expert noted that paid support is not an alternative to updating the operating system, but a temporary measure.

A similar situation was already with the Windows XP operating system, which was not supported in 2017 but continued to be used. During WannaCry ransomware virus epidemic, some XP users faced a situation where the malware appeared on the computer, was blocked and deleted by the antivirus.
However, then the virus repeatedly tried to get into the computer again and was blocked again. This caused a huge load on the network, processor, and disk. The devices started working so slowly that it was almost impossible to do anything on them.

Therefore, experts recommended updating Windows 7 as soon as possible, even though antiviruses can protect an already unsupported system.

Yuri Brisov, a member of the Commission on legal support of the digital economy, said that by denying the ability to regularly and timely update systems, banks put their customers at risk, which is unacceptable.

According to Boris Yedidin, a lawyer and co-founder of Moscow Digital School, for using outdated programs and operating systems, banks can bring to administrative responsibility under the article “Violation of information protection rules”.

Recall that Microsoft has refused to support the Windows 7 operating system since January 14. The computer will work with the old OS, but the company does not provide technical support for any software updates, as well as security updates and fixes.

An Ex-Operating System Hit by an Exploit Found In Audio Files



A crypto-mining exploit attack, has as of late been discovered in Windows 7 , the ex-operating system which ceased to exist only a couple of days back as per the official announcement by Microsoft, hidden away in sound WAV records.

Ophir Harpaz and Daniel Goldberg, two security analysts at Guardicore Labs, have uncovered how a medium-sized medical tech sector business was attacked by cryptominers utilizing WAV audio files to muddle the malware.

While trying to exploit the EternalBlue vulnerability the attackers focused on the organization's system, running Windows 7 machines in December 2019. The EternalBlue exploit has been around for quite a few years now and was even behind the scandalous WannaCry attacks that hit the U.K. National Health Service (NHS) in 2017.

The Guardicore research journey started in October 2019, when a number of blue screens of death began coming up on Windows machines in the target network. Further investigations unveiled that over half of the system, some 800 endpoints, were getting to suspicious data in a registry key.

And soon enough the Guardicore researchers found a Monero crypto-mining module, utilizing steganography to hide within the audio WAV files.

Daniel Goldberg, a senior cybersecurity researcher at Guardicore Labs and one of the report authors, when asked to comment on the risk-level for those still running Windows 7 replied that, "The risks are crazy high to organizations facing this WAV-based attack if they are running a Windows 7 system after EoL. Before the quarter is over, there will be other vulnerabilities discovered in Windows 7 too that will not be fixed by Microsoft and will also be easy to exploit."

Further going on to describe the WAV-based attack threat to Windows 7 as being "like a hot knife through butter." 

Apart from updating to Windows 7 , whether there exists any other way for those who will not or cannot make a move away from Windows 7, Goldberg points out, "Segment machines you can't support away from the internet and the rest of your network, your old windows 7 machine running this critical but obsolete application should not be accessible from the internet, or most of the machines in your networks."

Additionally arguing that the best offense is a good defense, Terry Ray, senior vice-president and fellow at Imperva, a cyber-security software and services company, says, "Businesses must be responsible, and act in favor of their customers, who trust them with their information, by updating their systems, if not, they will face severe consequences which will come at a huge cost to the customer, and the future of the business. Simply put, don’t fall victim and instead, upgrade to up to date systems which generate regular security updates and have the right systems in place to deter attacks."

Malware Against Crypto-Currency Businesses; Microsoft and Apple are Targets Alike


“AppleJeus” operation was the first time “macOS” users were made victims by Lazarus. Herein, a manipulated application was used to target potential victims. Apparently, Lazarus used customized malware, especially for macOS users.

Per leading sources, the malware had been so fabricated that it released the current and the next-stage payload automatically without any manual actions required. For attacking Windows users a multi-stage infection procedure was fabricated.

Reportedly, compromising “crypto-currency” related business was the major objective of “AppleJeus” and Lazarus at large. The macOS malware employed the source course only to structure “macOS” installers. Allegedly, “QtBitcoinTrader” was used.

However, the hackers at Lazarus altered the macOS malware. For starters, it no more has an encryption/decryption network communication routine as per reports.

In another case, the .NET malware was disguised as Wallet updaters like “wfcwallet.com” and “www.chainfun365.com”. Herein, the multi-stage infection took place but in a different way.

Later on files of the likes of “rasext,dll” and “msctfp.dat” are uploaded onto the target’s system. Allegedly, the Remote Access Connection Manager was also into play.

Per sources, there was another case where a highly altered form of the macOS malware was at work. Similar to other cases, the fake website and application were being called by the attacker. The apparent differences as per reports in the attack are as follows:
o The malicious application was hosted via “GitHub”.
o The post-installation script of the macOS malware was different as well.
o This version used “ADVobfuscator” to hide its code.
o The author of this modified macOS malware utilized “Object-C” and not QT framework.


In a different attack, the post-install script was the same as the previous attack; the author here had used “SWIFT” for the development of the malware. The method of data collection was changed and then the conduct authentication began. According to sources, the “auth_signature and auth_timestamp” parameters were used to deliver the second payload. The current system time of the device is acquired by the malware and then it’s combined with the “12GWAPCT1F011S14” hard-coded string and an “MD5 hash” is created. The hash is used as the “auth_signature” parameter and the time is used as the value of the “auth_timestamp” parameter. These values can be reproduced as well and finally, the second payload is uploaded.

Apart from all the macOS cases, there was a Windows incident as well. Per sources, a version of the “UnionCryptoTrader” was found. Allegedly, the “Telegram messenger” was at play. The infection procedure was pretty much the same as one of the previous cases with an add-on. A final backdoor payload was done. This version showed numerous exchange rates for crypto-currency.

Reportedly, the Windows malware uploads the encrypted “msctfp.dat file” and loads all the configuration values. Later an extra command is executed as per the contents of the file. Finally, the malware communicates with the C2 server, a post request is sent.

Several parameters are sent and according to the response code from the C2 server, the “POST” request is sent through along with the encrypted data and a random value that could be used to identify individual victims.

Innumerable fake websites were found still in action. The fake websites were crypto-currency oriented but could easily be identified as fake if looked at with a keen eye.

Part 2 of the “AppleJeus” had its victims spread across, Poland, China, Russia, and the US with most of them related to businesses involving crypto-currency.

Lazarus group has been quite a matter of talk for a very long time. It especially continues to be a matter of concern for the cyber-world.

The AppleJeus and other malware that exist and would exist in the future are evolving by the hour. Crypto-currency associated businesses are the key and foremost objects of Lazarus and other threat actors and hence need to be more vigilant than ever.


Cyber Attack Alert! Microsoft Gives Inside Revelations About RDP Brute Force Attacks


Microsoft conducted a long-term study, which majorly focused on RDP brute-force attacks, their success and the duration they last for.

Per sources, according to the reports of the study, over 0.8% of the RDP brute force attacks on an average last for about “2-3 days”. The study also revolved around the effect of such attacks on various business organizations.

Data from over 45,000 devices and workstations that ran “Microsoft Defender Advanced Threat Protection” (commercial version of the free Defender anti-virus app) was acquired in terms of RDP login related acts.

According to reports, both failed and successful attempts at RDP login was part of the data collected for the detailed study that spread across numerous months of dedication.

Reportedly, the aforementioned successful and failed events include Windows events with ID 4264 and 4265, correspondingly. The usernames that the attackers or users may have used were also collected.


Per sources, RDP, Remote Desktop Protocol happens to be a feature of the Windows operating system that enables the users to log into a “remote computer” or device by way of an interface that looks much like a desktop, by means of the computer’s public IP address and port 3389.

Businesses and organizations usually make use of RDP and its provisions to manage servers, workstations and other connected devices in remote areas. It’s easier for the administrators and employees alike to work that way.

Brute force attacks have been pretty common on Windows devices especially via open RDP ports. Automated tools that the hackers use help them to create various combinations of passwords and usernames to figure out the target computer’s RDP login details.

Simple and basic combinations stand at the top of the hit list. The password and usernames combinations that have previously been leaked on the dark web are also used the most.

Where on an average these brute force attacks last for 2 to 3 days, in 90% of the cases, as the reports have found out, the attacks last for around a week.

According to the study reports the attacks spread across days because the hackers were trying out selected combos per hour rather than blindly shooting combos.

This clearly helped the attackers dodge the chances of their attack Internet Protocols getting banned by the firewalls.

Microsoft, according to sources, also mentioned that “0.8% of the devices that were attacked by the brute-force attacks were compromised. Also, that on an average a machine was expected to have a high probability of being compromised leading to an RDP brute force attack every 3-4 days”.

Per sources it’s imperative to look for the following things in a sign-in attempt:
 Event ID 4625 login type
 number of other devices with RDP inbound connections from one or more of the same IP
 number of failed sign-ins
 Event ID 4625 failure reason
 The number count of a username and the times it failed to log in
 number of RDP inbound external IP
 an hour and the day of the failed sign-in
 RDP connections
 Timing of successful sign-in attempts

To secure your device from such attacks, it’s supremely essential to monitor unknown connections and failed sign-in attempts.


Microsoft Enters 2020 with Two New Products


Microsoft plans to come up with two products with the advent of the New Year, Windows 10X-powered Surface Neo and Android-powered Surface Duo and this could be an indication of 2020 being the year of foldable and dual-screen devices from smartphone and PC creators.

Microsoft's new operating system, Windows 10 X, is set to power the main rush a.k.a the first wave of foldable and dual-screen equipment scheduled for holiday 2020 and Surface Neo is said to have been the primary equipment to be dispatched with Windows 10 X, however, the Redmond giant is additionally preparing the OS for dual-screen PCs from accomplices.

Windows 10 X is additionally expected to power the dual-screen PCs created by Microsoft OEM accomplices like HP, Dell, and Lenovo. A leak as of late affirmed that Windows 10 X will be coming to workstations and other customary PC form factors in the future, however apparently the operating system is as yet 'immature'.


Anyway because of the moderate-paced advancement of the operating system and inadequate adaptable panel supply as per another report, Intel probably won't promote foldable notebooks in the future.

Despite the fact that Intel's dual-screen model highlights a 17-inch display and it would run Windows 10 X, the company will postpone the unveiling which was initially planned for CES 2020 because of issues with “immature OS support”.

The report refers to 'upstream supply chain' as the source of the talk likewise including that Intel won't promote foldable notebooks until mid-2020.

Windows 10 X was announced at the October 2019 occasion and Microsoft has ever since protected it under much 'secrecy' and still hasn't uncovered when it intends to launch Windows 10 X, yet the operating system is reputed to finalize at some point in 2020, a couple of months or weeks before the launch of Surface Neo and other much-awaited foldable devices.

A cyber- security provider discovers Microsoft, LinkedIn and many others becoming the most preferred targets for phishing


Akamai Technologies, Inc. an American content delivery network as of late discovered various issues, like the DDoS attacks, credential stuffing, and phishing and in its State of the internet/security (SOTI) report, it featured the research done by the organization over the last 12 months.

According to Akamai's discoveries over 50% of every unique organization that was 'impersonated' by tracked phishing domains was from the financial services and among the favored targets for phishing, companies like Microsoft, PayPal, DHL, DocuSign, and LinkedIn were among the top targets.

As per Akamai the attack aimed at gathering the personal information of users and duping them by later claiming to be a 'trustworthy' source, just like an organization or a bank, it assumes a vital job in 32% all breaches and 78% of all cyber-attacks.

In its report it has featured that among the phishing kits observed by it for almost 262 days, 60% of kits were active for 20 days or less, more than 2 billion unique domains that seemed malignant and 89% of the domains utilized for phishing had a 'life expectancy' of under 24 hours while 94% had a life expectancy of under three days.

While the measures embraced against such phishing attacks have been developing throughout the years, the shifty and cautious strategies utilized by phishing kits have been transforming too.

Akamai’s report basically highlights some of the content-based evasion techniques used by phishing kits. The crucial evasion techniques incorporate the CSS font evasion, arbitrarily generated URLs, sub-domain and HTTP user-agent filtering.

Here are some of the steps to be taken by users to better protect themselves from such attacks:

  1. Check the email or message for spelling mistakes, unusual phrases, and discrepancies in the domain name.                                                                                                                                        
  2. If the email contains unnecessary attachments or links, avoid clicking on them.                                 
  3. Do not click on shortened links, especially on social media.                                                                    
  4. At all costs avoid emails from suspicious senders that contain urgent deadlines and ask you to click on a link or visit a website urgently.                                                                                                   
  5. Do not enter personal information in pop-up screens as companies generally do not use pop-up screens to ask for user information.


Alert! A Method that Allows Hackers to make Ransomware in your Windows Unseen.


Cyber-Security company Nyotron has caught a new way that lets hackers modify Microsoft files in a unique style that subsisting anti-ransomware are unable to identify.

Ransomware is one of the most common cyber-security menaces. "It is said to be the top 2 widely used technique used by hackers, as in the case of hijacking 28 computers appeared," confirms Verizon's data breach inquiry report. Unfortunately, for the present time, it is proving quite hard to be identified. The ransomware can permit attackers to avoid the present computer securities by depending on a data system, which is the ‘rename’ selection in the Windows operating system. This detour can be performed in just two rows of the cipher. That is how simple it is for hackers.



What is Ransomware? 

Ransomware is a sort of harmful virus, intended to reject entrance to a network system or information. For access to the data, the malware demands a ransom to be paid. It normally grows through fraud e-mails or by hitting an affected website that is unfamiliar. Ransomware is disastrous to a person or an institution.

"The firm has obeyed declaration disciplines and urged all safety businesspeople to discuss the issue. Moreover, to examine if the system is infected or not, the company has provided users a fresh new tool," says Nir Gaist, Founder and Chief Technology Officer at Nyotron. Gaist further adds, "The unusual style of file alteration 'RIPlace' suggests that while technology might not ‘cover’ the virus, let's say, it helps adjust data on a computer stealthily. Therefore, from the warning player outlook, it is our only hope for identifying 'Ransomware.' The firm has also explained how the RIPlace technique allows ransomware to dodge the detection and infect computers despite Symantec Endpoint Protection and Windows Defender Antivirus software being installed.

"Recently, there was a vulnerability discovered in Canon cameras which allowed the hackers to perform ransomware attacks," say the experts from Check Point, a cyber-security company. The company examined if the DSLR's image transference custom could be misused to let an attacker hack the DSLR and affect it with the virus. However, the attacker, in this case, was obliged to be close to the camera to affect it. The issue sparked caution, as it could be used to exploit different kinds of devices.

Microsoft launches on-demand service for emergency security threats



Microsoft has launched a new service, providing customers a direct line to the top security experts from the company when the threat is bad enough that it can't be dealt with by the customer alone.

Threat hunting service, Threat Experts on Demand is now a part of Microsoft Defender Advanced Threat Protection (ATP) and will be available to the customers with Windows 10 Enterprise E5 and the Microsoft 365 bundle subscription. The venture is basically for large organizations that although have good and strong security but may encounter a sticky problem such as NotPetya outbreak, insider threats, and cyber-espionage threats.

This is a development and adds on to Microsoft security services for customers, complimenting targeted attack notifications and Azure Sentinel cloud-SIEM service, which became available in September.

Microsoft says, that once clicking the button, the security team will send the problem to Microsoft's incident response services and it also promises technical consultation to customers on adversaries and relevant issues by their threat experts.

"Customers do what they can to deal with these threats but sometimes they need additional help," said Brian Hooper, senior research lead at the Microsoft Defender research group. "Sometimes they just want a trusted partner. Microsoft has visibility of over a billion machines worldwide and we're able to use that to bring out and deeply understand the threats that enterprises face. We help them become aware of those threats in their environment, reduce dwell time, and give them visibility into those critical threats so they can prioritize and respond with confidence."

He also said Threat Experts on Demand does allow enterprise customers to "tap into the 3,500-plus security professionals Microsoft has globally". After receiving a threat, which the customer can't deal with, he/she can contact Threat Experts with a click of a button and there will be a full-time Microsoft employee to handle each and every request for help.

"This is our managed threat hunting capability. It combines expert human hunters with our own artificial intelligence and automation to help our enterprise customers deal with those critical threats", said Hooper.

ZDNet explains that the Experts on Demand human element includes: 

1.Additional clarification on alerts, including the root cause or scope of the incident.
2. Clarity into suspicious machine behavior and recommended next steps if faced with an advanced attacker.
3. Determines risk and protection regarding threat actors, campaigns, or emerging attacker techniques.
4. Seamlessly transitions to Microsoft Incident Response (IR) services when necessary.

Apple Apologises To Siri Users for “Not Fully Living Up To Their High Ideals”




Apple apologizes to Siri users for not 'fully living up to their ideals' as well as enabling temporary workers to tune in to voice recordings of Siri users so as to review them.

The announcement was made after a review of the grading programme was finished, which had been triggered to reveal its existence with the help of a Guardian report.

 “As a result of our review, we realise we have not been fully living up to our high ideals, and for that we apologise, as we previously announced, we halted the Siri grading program. We plan to resume later this fall when software updates are released to our users.” Apple said in an unsigned statement posted to its website.

The company committed to three changes to the way Siri is run after it resumes the grading programme:
  • It will no longer keep audio recordings of Siri users by default, though it will retain automatically generated transcripts of the requests.                                                                                
  • Users will be able to opt in to sharing their recordings with Apple. “We hope that many people will choose to help Siri get better,” the company said.                                                                        
  • Only Apple employees will be allowed to listen to those audio samples. The company had previously outsourced the work to contracting firms. Over the past two weeks, it has ended those contracts, resulting in hundreds of job losses around the world.


In the past six months, almost every significant producer of voice-assistance technology has been 'revealed' to have been operating human-oversight programs, having run them in discreetly for a considerable length of time. Many out of them have sworn in to change their frameworks.

Amazon was the first to have been identified, then came along Google and Microsoft, with the former pledging to review its safeguards and the latter updating its privacy policy.

New Vulnerability in Bluetooth Connections Allows Hackers to Spy on Private Conversations


Bluetooth is used worldwide as one of the most convenient methods of connecting and controlling the devices in range. However, according to a recent report, a vulnerability labeled as the KNOB (Key Negotiation of Bluetooth) attack has been found in Bluetooth connections.

All the Bluetooth compliant devices can be affected by the vulnerability, which allows attackers to spy on a victim's personal conversations. Hackers can also exploit the vulnerability to manipulate the data present on the compromised device.

How the attack unfolds? 

While establishing a functional Bluetooth connection, both the devices rely upon an encryption key. Therefore,
in order to execute the attack, hackers exploit the vulnerability in the Bluetooth standard and weaken this encryption of Bluetooth devices instead of breaking it straightaway.

The attacker gets in the way while the devices are setting up the encryption key and resorts to brute force attack for breaking the new key with less number of digits and manipulates both the devices to employ the new encryption key.

The vulnerability affects devices by some of the renowned manufacturers namely, Apple, Qualcomm, and Intel. Companies like Apple, Microsoft, Cisco, Google, Blackberry, Broadcom and Chicony has already issued a patch to fix the flaw, as per the reports by Mashable.

The group of researchers from the Singapore University of Technology and Design, University of Oxford, and CISPA Helmholtz Center for Information Security, who found this critical vulnerability, explained, "We found and exploited a severe vulnerability in the Bluetooth specification that allows an attacker to break the security mechanisms of Bluetooth for any standard-compliant device. As a result, an attacker is able to listen, or change the content of, nearby Bluetooth communication, even between devices that have previously been successfully paired."

Israeli spyware firm NSO can mine data from social media accounts









An Israeli spyware firm has claimed that they can scoop  user data from the world’s top social media, the Financial Times report. 

The powerful malware Pegasus from NSO Group is the same spyware that breached WhatsApp data earlier this year. 

The firm said that this time their malware can scrap data from the servers of Apple, Google, Amazon, Facebook, and Microsoft. 

According to the reports of the Times, the NSO group had “told buyers its technology can surreptitiously scrape all of an individual’s data from the servers of Apple, Google, Facebook, Amazon and Microsoft, according to people familiar with its sales pitch”.

However, the companies spokesperson denied the allegation in a in written statement to AFP’s request for comment. 
“There is a fundamental misunderstanding of NSO, its services and technology,” it said.

“NSO’s products do not provide the type of collection capabilities and access to cloud applications, services, or infrastructure as listed and suggested in today’s FT article.”

In the mean time, Amazon and Google told AFP that they have started an investigation on the basis of report, but so far found no evidence that the software had breached their systems or customer accounts.




Microsoft Warns Users against BlueKeep RDP Flaw; Immediate Update Advised, Again!






Microsoft has beseeched its users all over again to get their systems updated because as it turns out hackers already have exploits of the BlueKeep RDP flaw, already.


The patch has been fabricated for the “wormable” BlueKeep Remote Desktop Protocol (RDP) vulnerability; therwise the hackers could easily perform a “WannaCry” level attack.

The first warning was sent by Microsoft on May 14 when they’d released a patch for another serious Remote Code Execution vulnerability, CVE-2019-0708.

Successful exploitation of this vulnerability leads to the hacker executing an arbitrary code on the windows machine and installing programs.

 The term “Wormable” refers to the fact that any future malware exploits could contagiously spread from one system to another.

According to sources, this vulnerability is of pre-authentication type and needs no user interaction.

Any attacker who could easily exploit this vulnerability could install programs, edit, and view or delete data and even create new accounts with complete user rights.

Microsoft has a strong hunch that the cyber-cons already have fully developed plans for exploiting the aforementioned vulnerability.

More than a million PCs are susceptible to these wormable, BlueKeep RDP flaws.

A security researcher conducted RDP scan hunting for port 3389 used by Remote Desktop to find potentially and current vulnerable devices.

Major Anti-Virus brands such as Kaspersky, McAfee, Check Point and Malware Tech developed a Proof-of-Concept (PoC) that would use the CVE-2019-0708 to remotely execute the code on victim’s system.


So it happens, numerous corporate networks are under the threat and are still vulnerable more than individuals are as more systems are connected in a single network.

A single compromised system of a corporate network could put the entire organization and its systems in danger.

The compromised device could be used as a gateway and as it’s a “wormable” attack it could easily propagate across networks.

The most the users could do is keep their systems updated and their security as tight as possible as future malware could also try hacking back in.

Solutions
·      Update systems as soon as possible
·      Block Remote Desktop Services if they are not in use
·      Block TCP port 3389 at the Enterprise Perimeter Firewall
·      Apply the patch to the vulnerable systems and devices that have RDP enabled

A Micropatch Fix Issued For the Remote Desktop Services RCE Vulnerability Bluekeep in the Form of a 22 Instructions



BlueKeep, the Remote Desktop Service RCE vulnerability was recently issued a fix by the 0patch platform, as a 22 instructions micropatch which can be additionally used to ensure protection for always-on servers against many exploitation attempts.

After the vulnerability was unveiled, the critical software flaw known and tracked as as CVE-2019-0708 was at that point fixed by Microsoft on May 14. Be that as it may, 0patch's micropatch does not require rebooting and it focuses on a quite specific gathering of people, not at all like the Microsoft's security fix, enabling administrators to fix frameworks that either can't be restarted or don't consider for Microsoft security fixes to be installed for different reasons.

Mitja Kolsek, the co-founder of 0patch says that, “This is often due to always-on requirements, but another common reason is that restarting a fleet of remote machines (e.g., ATMs) brings a risk of having to physically visit all these machines in case something goes wrong (e.g., they don't wake up for some reason, or lose/corrupt in-memory data when they restart),"



The fix is known to fix the vulnerability influencing the 32-bit Windows XP SP3 only, yet the company is likewise said to port it to Server 2003 and different versions dependent on "user requests" to help legacy systems.

While the 0patch fixes are generally intended to be a substitute arrangement until Microsoft issues its very own official patches, for this situation, they will most likely be a lasting solution for servers that can't be restarted — except if their administrators figure out how to sidestep the issues keeping them from rebooting the machines.


Another conceivable arrangement would be to pursue Microsoft's recommendations and switch on Network Level Authentication (NLA) for Remote Desktop Services Connections on frameworks affected by the BlueKeep vulnerability.

Google restricts Huawei’s access to Android apps





Google restricts the access of its Android operating system and apps for Chinese tech giant Huawei after US’s President Donald Trump administration blacklisted the firm.

The order not only impacted Google but the US chip-makers as well.  Intel Corp, Qualcomm Inc., Xilinx Inc., and Broadcom Inc. have all stopped doing business with the Chinese tech giant

"We are complying with the order and reviewing the implications," a Google spokesperson said on Monday. Huawei, the world's No. 2 smartphone seller, relies on a suite of Google services for its devices, including the Android system and the Google Play app store.

Huawei will now only be able to use the public version of Android and the new phones will not have Google play store, Gmail, and other services provided by Google.

The users who are now using the Huawei smartphones will not be affected by this order, but they won’t be able to update their phones. 

However, the Chinese tech company claim that for the last three years that have been working on their own operating system.

"Huawei has been building an alternative operating system just in case it is needed," said Huawei spokesperson Glenn Schloss. "We would like to be able to continue operating in the Microsoft and Google ecosystems," he added.

The company has bought Microsoft’s operating system license for its laptops and tablets. Meanwhile, Microsoft (MSFT) did not immediately respond to a request for comment.


Bug in Microsoft RDP allows hackers perform WannaCry level attack


A critical remote execution vulnerability in Microsoft remote desktop services enables let attackers compromise the vulnerable system with WannaCry level malware.

Microsoft recently fixed this RCE vulnerability in Remote Desktop Services – formerly known as Terminal Services, and it’s affected some of the old version of Windows.

A WannaCry attack was one of the notorious cyber attacks in this decade, and it shut down million of computer around the world by exploiting the vulnerability in the RDP protocol.

In this case, Remote Desktop Protocol (RDP) itself is not vulnerable, but attackers need to perform pre-authentication, and it doesn’t require user interaction.

This vulnerability didn’t have any exploit at this time, but in the future, an attacker will create a malware that exploits this vulnerability in a similar way of WannaCry attack.

Vulnerable in-support systems include Windows 7, Windows Server 2008 R2, and Windows Server 2008 and also out of support versions Windows 2003 and Windows XP.

3 Million Endpoints are Vulnerable to This RCE Bug

Initially, an unauthenticated attacker will send the specially crafted malicious request to the vulnerable systems after they establish a connection through RDP.

According to Microsoft, This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

An Independent researcher Kevin Beaumont said, based on the Shodan search engine, around 3 million RDP endpoints are directly exposed to the internet.

“There is partial mitigation on affected systems that have Network Level Authentication (NLA) enabled. The affected systems are mitigated against ‘wormable’ malware or advanced malware threats that could exploit the vulnerability, as NLA requires authentication before the vulnerability can be triggered.” Microsoft said.

According to Simon Pope, Director of Incident Response, Microsoft Security Response Center (MSRC) “Customers running Windows 8 and Windows 10 are not affected by this vulnerability”.

Legitimate Apps That Could Be Exploited To Bypass The Windows Defender: Microsoft’s List



Microsoft recently, published a conspicuous list of application that are legitimate and yet could be exploited by hackers to bypass the Windows defender.


These hackers try to slide into the organizations’ networks and infect them via bypassing the security imparted by the defender.

The hackers usually make use of off-the-land attack tactics where they use the victim’s operating system features or authentic network administration tools to compromise the networks.

The major motive of this project was to comprehend the binaries that were being misused by the attacker.

·       LOLBins- Living Off The Land Binaries
·       LOLScripts- Living Off The Land Scripts
·       LOLLibs- Living Off The Land Libraries
·       GTFOBins- Unix Platform Binaries

The only point of fusing the legitimate app is to stay undetected in order to bypass the security measures of the network.

The LOTL tools are just a way to be as stealthy as possible as be as malignant as possible without even being easily caught.

The following applications are in the list that Microsoft published and recommend to do away with if not in use:
·       addinprocess.exe
·       addinprocess32.exe
·       addinutil.exe
·       bash.exe
·       bginfo.exe[1]
·       cdb.exe
·       csi.exe
·       dbghost.exe
·       dbgsvc.exe
·       dnx.exe
·       fsi.exe
·       fsiAnyCpu.exe
·       kd.exe
·       ntkd.exe
·       lxssmanager.dll
·       msbuild.exe[2]
·       mshta.exe
·       ntsd.exe
·       rcsi.exe
·       system.management.automation.dll
·       windbg.exe
·       wmic.exe

Along with the published list Microsoft has also highly recommended the users to download latest security updates.

In addition it has also provided the “deny file rules” for all apps.

Lateral movement and defense evasion happen to be the mostly used ways to exploit the authentic applications.

Unprotected database exposes data of 80 million US households




Security researchers have uncovered a security breach that exposes the data of more than half of United States households. 

Experts working with a firm named vpnMentor, that expertises in analyzing virtual private network services, discovered a database containing details of about 80 million American households. 

The database was hosted on a Microsoft cloud server, that includes some sensitive information like names, addresses, locations, gender, age, income, home type and marital status, among other data. 

However, social security numbers and credit card details were not enlisted there. 

Researchers Ran Locar and Noam Rotem said it's unclear who owns the 24-gigabyte database.  

'Unlike previous leaks we've discovered, this time, we have no idea who this database belongs to,' the researchers said. 

'It's hosted on a cloud server, which means the IP address associated with it is not necessarily connected to its owner.'  

Meanwhile, the database is still available online, and is not protected by password. 

'This isn’t the first time a huge database has been breached,' the researchers explained. 

'However, we believe that it is the first time a breach of this size has included peoples' names, addresses, and income. 

'This open database is a goldmine for identity thieves and other attackers,' they added.  






Microsoft’s email services hacked




Microsoft has confirmed a data breach by unknown hackers who might have been successful in accessing a ‘’limited’’ number of Microsoft customer’s Email.

According to the company, hackers breached the Microsoft network between January 1 and March 28 and compromised the Microsoft support agent’s credentials.

Microsoft sent an email notification to all their customer via stating, “This unauthorized access could have allowed unauthorized parties to access and/or view information related to your email account (such as your e-mail address, folder names, the subject lines of e-mails, and the names of other e-mail addresses you communicate with), but not the content of any e-mails or attachments”

The company has confirmed the incident to TechCrunch that account of users of services like @msn.com and @hotmail.com had been compromised in the recent breach, but the exact number of victims is not known. 

“We addressed this scheme, which affected a limited subset of consumer accounts, by disabling the compromised credentials and blocking the perpetrators’ access,” said a Microsoft spokesperson in an email.

Microsoft is urging all its affected users to change their passwords immediately. 




99 Iranian websites used for hacking were seized by Microsoft

                    




According to a report by Associated Press, Microsoft has seized 99 Iranian websites that were supposedly stealing information and launching cyber attacks. The report also said that it had been tracking the group of hackers since 2013.

The hackers were targeting people in the middle east to steal sensitive information by using the malicious websites that were disguised as Microsoft, Linkedin, Outlook and Windows products. Microsoft confirmed in a court filing that this group was stealing information about reporters, activists, political people including “ protesting oppressive regimes”.

The hackers are from Iran but the Tehran government has denied any hacking activity from their end. In the past also Iran government has denied any hacking attempts from their end.

Allison Wikoff, a security researcher at Atlanta-based SecureWorks told Associated Press that according to her observation it is one of the “more active Iranian threat groups”. She further added that Microsoft analyze fake domains through analyzing traffics to protect against fake domains and the practice is popularly called as “sinkholing”.In the past also, Microsoft has used “sinkholing” to seize fake domains made by Russian hackers back in 2016.







US Court Authorizes Microsoft to be in Charge of 99 Hacking Sites


Microsoft has been legally given the control of 99 websites which were being operated in association with an Iranian hacking group, Phosphorus. 

In order to prevent the sites from being employed for the execution of cyber attacks, a US court authorized Microsoft's Digital Crimes Unit to be in charge of these websites related to the aforementioned hacking group which is also known as Charming Kitten, Ajax Security Team and APT 35.

The malicious group, Phosphorus is configured to employ spear-phishing to sneak into private accounts of individuals. Cybercriminals at Phosphorus resort to social engineering in order to lure individuals to click on the links, at times sent via fake accounts that appear to be of familiar contacts. The link carries infectious software which allows Phosphorus to sneak into the computer systems.

Basically, it performs malicious activity to acquire access to sensitive data stored onto the computer systems of government agencies and businesses.

Putting the same into context in a blog post, Tom Burt, Corporate Vice President, Customer Security and Trust at Microsoft, said, "Its targets also include activists and journalists - especially those involved in advocacy and reporting on issues related to the Middle East,"

"Microsoft's Digital Crimes Unit (DCU) and the Microsoft Threat Intelligence Center (MSTIC) have been tracking Phosphorus since 2013,"

"Phosphorus also uses a technique, whereby it sends people an email that makes it seem as if there's a security risk to their accounts, prompting them to enter their credentials into a web form that enables the group to capture their passwords and gain access to their systems," Burt told in his blog post.


Commenting on the matter, Microsoft said, "The action we executed last week enabled us to take control of 99 websites and redirect traffic from infected devices to our Digital Crime Unit's sinkhole."