Search This Blog
Load More
Trendy Right Now

Popular Posts

Showing posts with label Microsoft. Show all posts
NCC Group
chimer Cyber Attacks Fox-IT Google Microsoft NCC Group

Technology and Software Giants, Microsoft and Google face Threat by Chimer Gang Attack

 


The world's biggest technology and software giants, namely Microsoft, and Google are being threatened by a new group of cybercriminals who are targeting their cloud services. Working in coordination with their Chinese interests, the threat actors are attacking a wide range of organizations with the intent of exfiltrating data. 

The security researcher, NCC Group and Fox-IT, taking account of this incident said that these attackers have a “wide set of interest” and their target data ranges from the intellectual property belonging to the victims in the semiconductor Industry to the commuter data from the airways industry. 

The actors that are targeting these giants are referred to as Chimer by CyCraft. This group named Chimera is not new for the cyber industry, instead, they have been engaged in such incidents from the year 2019 till the year 2020. However, on every such occasion, they have managed to escape the situation without garnering much attention. “Our threat intelligence analysts noticed a clear overlap between the various cases in infrastructure and capabilities, and as a result we assess with moderate confidence that one group was carrying out the intrusions across multiple victims operating in Chinese interests”, added the team of researchers.

The team of researchers briefly explained the scheme of attackers while targeting such organizations. These actors commence their threat process by accessing the username and passwords from the victim’s previous data breaches. They then use the credentials of the victims in credential stuffing or password spray attacks against assorted remote services. Moving ahead, as they obtain the valid accounts of the victims, they use it to access the victim’s VPN, Citrix, or any other remote service with this network access. After entering their network, the actors try to accept all the permissions and get the list of other accounts with the admin privileges. Now they target other accounts from the list and then try their password spraying attack on these accounts. They do this until any other account is compromised by their attack. Lastly, they use this account to load a Cobalt Strike beacon into the memory which later can be used for remote access and command and control (C2). 

Following the incident, the security researchers affirmed that they have contained and eradicated the threat from their clients’ network. They further added that “NCC Group and Fox-IT aim to provide the wider community with information and intelligence that can be used to hunt for this threat in historic data and improve detections for intrusions by this intrusion set”.
Read more »
Mozilla Firefox
Backspace Key Cyber Security Google Chrome Microsoft Mozilla Firefox

Mozilla Firefox Disabling Backspace Key to Prevent Data Loss

Mozilla Firefox is about to disable the browser's backspace key to help users avoid data loss. 

In 2014, Google Chrome and Microsoft Edge have already removed the ability to go back to a previous page by using the backspace key as there were possibilities of losing data entered into forms on the current page. Those who are using Google Chrome have to download an extension to use this again, whereas Microsoft Edge had offered a flag for its users to re-active it. In the same way, Mozilla Firefox is also offering its users the option to re-activate the backspace key if they wish to do so. 

"Would be useful to determine how commonly backspace is used as a "back" action shortcut, so we can figure out if we need to tweak the UX somehow to avoid accidental loss of form data due to mistyping the backspace key," Google Chrome developers stated in a 2014 bug post. 

According to the sources, seven years ago, Mozilla Firefox had set up the committee and reviewed the bug post: whether the backspace key should be disabled or not. Finally, the committee had decided not to change anything at that time. Around six years later, Mozilla finally came to the point where it has decided to remove the backspace key after realizing that except for Mozilla and Internet Explorer 11, no browsers support this keyboard shortcut. 

"To prevent user data loss when filling out forms, the Backspace key as a navigation shortcut for "Go back one page" is now disabled. To re-enable the Backspace keyboard shortcut, you can change the about: config preference browser.backspace_action to 0. You can also use the recommended Alt + Left arrow (Command + Left arrow on Mac) shortcut instead," Firefox Release Manager Pascal Chevrel added to the Firefox Nightly 86.0a1 release notes. 

According to TechDows, the first who reported about this change which is now available live on the Firefox browser for users to test and know. 
Further information is for those users who want to continue using the backspace key, you will be able to re-enable this key just follow these steps: 

1. Enter about: config in the Firefox address bar. 
2. Search for browser.backspace_action and change its value to '0'. 

Once the setting is configured, you will be able to use the backspace key to go back to the previous page in Mozilla Firefox.
Read more »
SolarWind
Data Breach Microsoft Russia SolarWind

SolarWinds Attack Update: Russian Hackers Breached 250 US Agencies and Top Companies

More than 250 US Federal Agencies and big companies have been attacked by alleged state-sponsored Russian hackers. The attackers gained access by hacking into 'SolarWinds Orion' management and monitoring software. The hack was much worse than what I expected, says US Senator Mark Warner according to New York Times report. The scale of the attack keeps increasing, it's evident that the US government failed to detect the attack. As per the report, companies like Amazon and Microsoft who offer cloud-based services, now investigate further to find evidence. 

The report suggests that Russian hackers compromised multiple supply chain layers to breach more than 250 networks and gain access. According to Microsoft, hackers exploited the SolarWinds software which allowed them to copy user accounts of the company, some of which were top-level individual accounts. Microsoft found unusual activity in a few company accounts and upon investigation, it found that hackers used one account to access source code in multiple source codes repositories. Besides this, Microsoft confirms that the account didn't allow hackers to change code or modify engineering systems. 

The further investigation cleared that no other unusual activities were found. During the investigation, these accounts were tested and then restored. Earlier assumptions suggested Russian actors breached more than 18000 public and private networks (including government agencies).  According to the reports, it suggests that few breached SolarWinds softwares were modified in Eastern Europe. Cybersecurity experts and federal officers currently investigate if the large scale attack operated from areas where Russian intelligence is deeply embedded. 

CISA (Cybersecurity and Infrastructure Security Agency) has alarmed US federal agencies to either shut down all the exploits SolarWinds applications or update the hacked SolarWinds Orion software. E-Hacking News earlier reported "currently, Microsoft hints to “a very sophisticated nation-state actor” as the attacker, cybersecurity experts, and the U.S government has alleged Russia for orchestrating the SolarWinds attack. The cyberattack also revealed a listing of susceptible companies. However, Microsoft didn't disclose how much the hackers were able to view the source code and what the hackers did with it. "
Read more »
Russian Hackers
Cyber Attacks Microsoft Russia Russian Hackers

Russian hackers gained access to the source codes of Microsoft programs and systems

Microsoft believes that hackers who previously attacked US government departments and businesses have gained access to internal information about its software code.

Microsoft is among the clients of the US firm SolarWinds, whose systems were hacked earlier this year. On December 17, Microsoft representatives admitted that "malicious SolarWinds code was detected in its ecosystem, it was isolated and removed."

The company's specialists reported that "one account was used to view program code in a number of repositories."

As it became known earlier, the Orion software of SolarWinds was hacked in March of this year. Hackers managed to inject the virus into the Orion update, which was then downloaded and used by thousands of SolarWinds customers, including leading government agencies, as well as more than 400 major American companies.

In a joint statement released last week, the Office of the US Director of National Intelligence, the FBI and the Infrastructure and Cybersecurity Agency said they had documented a major attack on the federal government's computer networks.

US Secretary of State Michael Pompeo outlined the version according to which Russia was involved in the attack. Meanwhile, US President Donald Trump stressed that the media exaggerated the scale of the incident.

Press Secretary of the Russian President Dmitry Peskov said that Moscow was not involved in hacker attacks on US government agencies and companies.

Experts agree that by raising the topic of cyber attacks, the new US administration is preparing the ground for another package of anti-Russian sanctions. This can be both the introduction of sanctions and a cyber attack, for example, on the main state institutions, says Konstantin Blokhin, a researcher at the Center for Security Research of the Russian Academy of Sciences. And the fact that Trump did not blame Russia does not mean a change in Washington's foreign policy.

A similar point of view is expressed by the political scientist-Americanist Mikhail Sinelnikov-Orishak. "This is a great reason to accuse Moscow of interfering in internal affairs, to justify any measures, since it is impossible to determine exactly who is behind these attacks. In addition, this is a good justification for allocating additional funds from the budget for the cyberspace," said the political scientist.

Read more »
US Cyberattack
Cyber Security Microsoft SolarWind US Cyberattack

SolarWind Cyberattack: Microsoft Admits Hackers Could View Its Source Code

While Microsoft is investigating the major SolarWinds cyberattack, according to the company, it found that Microsoft's systems were hacked "beyond just the presence of malicious SolarWinds code." Microsoft believes that the Solorigate incident can be a chance to be together and work towards essential safety steps like sharing information, strengthening security, and countering cyberattacks. As per Microsoft, the attackers could see source codes in multiple source code repositories; however, the hacked account didn't give any permission to change any systems or code. 

Currently, Microsoft hints to “a very sophisticated nation-state actor” as the attacker, cybersecurity experts, and the U.S government has alleged Russia for orchestrating the SolarWinds attack. The cyberattack also revealed a listing of susceptible companies. Besides this, today's announcement of Microsoft shows that experts may find the further impact of the cyberattack in the coming weeks and months. As of now, Microsoft said that meanwhile the hackers managed to intercept deeper than before, the company didn't find any evidence which may suggest "access to production services or customer data,” or "no indications that our systems were used to attack others." 

Besides this, the company said that it holds a common assumption that hackers may be able to intercept its source code and that Microsoft doesn't depend merely on the privacy of source codes to safeguard its products. However, Microsoft didn't disclose how much the hackers were able to view the source code and what the hackers did with it.  In December, Dan Smith, Microsoft President warned that the cyber attack is a "moment of reckoning" and alarmed about its threat. He termed it as unusual espionage, not attacking any particular targets, but disrupting critical infrastructure trust and reliability to progress a country's intelligence organization.  

"The list of vulnerable companies is much smaller than SolarWinds’ overall client list, so simply appearing on the list doesn’t mean a company has been affected. SolarWinds claims that only 33,000 companies use the Orion product, compared to its total client base of 330,000," reports Verge. "As with many companies, we plan our security with an “assume breach” philosophy and layer in defense-in-depth protections and controls to stop attackers sooner when they do gain access," says Microsoft blog.

Read more »
Ransomware Attacks.
Cyber Security McAfee Microsoft Ransomware Ransomware Attacks.

'Ransomware Task Force': Microsoft, McAfee and Rapid7 Coalition

 

19 tech companies, cybersecurity firms, and non-profits have collaborated with the Institute for Security and Technology (IST) to form a new group called "The Ransomware Task Force" (RTF) to tackle the increasingly destructive and prevalent threat of ransomware. The joint venture includes big names such as Microsoft, McAfee, Rapid7, Cybereason along with other cyber advocacy groups, threat intelligence, think tanks, and research groups – The Global Cyber Alliance, The Cyber Threat Alliance, and The CyberPeace Institution, to name a few. 
 
The primary focus of The Ransomware Task Force will be to provide security against Ransomware attacks by engaging various stakeholders in assessing technical solutions and identifying loopholes in already existing solutions. The idea is to work collectively on building a roadmap to address the scope of the threat based on an 'industry consensus' instead of relying upon individual suggestions.  
 
The founding members came together to combat a form of cybercrime that they believe is expansive in its scope and has led to violent consequences that go beyond economic ruination. Actively addressing the threat of ransomware while providing clear guidance will effectively diminish the varying levels of the ransomware kill chain. Other founding partners include Aspen Digital, Citrix, Resilience, SecurityScorecard, The Cybersecurity Coalition, Stratigos Security, Team Cymru, Third Way, UT Austin Stauss Center, Shadowserver Foundation. The website for The Ransomware Task Force inclusive of full membership and leadership roles will be rolled out in January 2021.  
 
While giving insights, the Institute for Security and Technology, one of the founding members, said, “The RTF’s founding members understand that ransomware is too large of a threat for any one entity to address, and have come together to provide clear recommendations for both public and private action that will significantly reduce the threat posed by this criminal enterprise,”
 
As per Sam Curry, one of the founding members of RTF and Chief Security Officer at Cybereason, "Time and time again, we see ransomware capabilities deployed early in hacking operations but not immediately detonated,"  
 
"In these cases, the ransomware is detonated only after preliminary stages of the attack are finished across all compromised endpoints to achieve maximum impact on the victim. Reducing hackers' attempts to amplify the impact of ransomware attacks will drive down ransomware costs for the victim and decrease the victim's inclination to pay ransom demands."
Read more »
Vulnerability and Exploits.
Microsoft patch fixes Vulnerability and Exploits.

Microsoft releases patches for 58 vulnerabilities


On Tuesday, Microsoft released fixes for 58 vulnerabilities for more than ten products for Windows and other software in their last Patch Tuesday for this year.

These include vulnerabilities ranging from critical (nine of them), important (forty-six of the flaws were rated important), and moderate (rest three). None of these vulnerabilities or bugs were publicly known or exploited by hackers yet. Both users and administrators should update their systems with these patches as soon as possible. 

Some of these patches include:

22 remote code execution holes have been sealed, according to SANS Technology. These fixed execution holes covered two critical vulnerabilities CVE-2020-17118 and CVE-2020-17121 in Microsoft SharePoint, an acute point for exploitation. 

The second vulnerability, Microsoft said could be used for a network-based attack by infiltrating the network by making a site and installing executive codes.

“In a network-based attack, an attacker can gain access to create a site and could execute code remotely within the kernel. The user would need to have privileges", said Microsoft. 

Microsoft released the patch for yet another critical remote code execution (RCE) vulnerability CVE-2020-17095 , scoring an 8.5 out of 10 on CVSS scale (Common Vulnerability Scoring System). This vulnerability present in Microsoft's Hyper V system (which is used to create Virtual Machine environments ) could be used to hack the Virtual machines by RCE.

 “An attacker could run a specially crafted application on a Hyper-V guest that could cause the Hyper-V host operating system to execute arbitrary code when it fails to properly validate vSMB packet data,” commented Microsoft on the Hyper V vulnerability. 

Other fixes and updates were released for products including Windows, multiple versions of the Edge browser, Microsoft Office, Visual Studio, as well as other products and services in Microsoft’s portfolio. This month's updates were still on the lower end as compares to last month's where the tech giant rolled out a bundle of 112 fixes.
Read more »
Microsoft
APT Bismouth Crypto Currency mining Cyber Security Microsoft

Microsoft discovers Vietnamese Govt sponsored threat actor deploying cryptocurrancy malware

Microsoft on Monday claimed that Vietnamese government-backed hackers have been behind the cryptocurrency-mining malware campaign.

These state-run cyberspies have started additional activities of gaining financial aid along with running government-backed projects. Similar groups have been already reported from Russia, China, and Korea making it difficult to determine whether the campaign is for intelligence gathering or capital gain.  
Discovered by Microsoft Security Intelligence, Bismuth based in Vietnam also known as APT32 and OceanLotus has been active since 2012 doing backhand work for the government like hacking and data/info gathering for political, economic, and foreign policy matters. But, recently Microsoft observed a transformation in their activities earlier in the year.

 "In campaigns from July to August 2020, the group deployed Monero coin miners in attacks that targeted both the private sector and government institutions in France and Vietnam," Microsoft said in their blog.

Microsoft suspects two theories behind this change: 

One of the reason could be to avoid suspicion and throw light over random crimes like crypto-mining malware and hide their cyber-espionage pursuits. This tactic will help them disguise and decrease security responses. 

Another and the more likely reason Microsoft believes is - it is what it looks like. These groups as they have total immunity from the government are expanding into gaining revenue from the systems they already went through during their spying operations. 

 Crypto-miners usually are suspected to be cybercriminals and not government-sponsored threat actors and are also not taken into account by security in normal routine checkups. But, these APT from the Chinese, Russian, Iranian, and North Korean state have started upside businesses of gaining capital via tactics like crypto-mining. 

 The reason being, since these groups are state-sponsored, they have total immunity. In-home state, they help the government and these countries doesn't have extradition treaties with the US, they can do anything with little or no consequence.
Read more »
U.S.
COVID-19 cyber attack Microsoft North Korean Hackers U.S.

British Drug maker AstraZeneca Working to Deploy the Covid-19 Vaccine Targeted by Suspected North Korean Hackers

 


There is no denying the fact that cyberattacks against health bodies, vaccine scientists and drug makers have risen to an extreme length during the Coronavirus pandemic as state-backed and criminal hacking groups scramble to acquire the most recent research conducted as well as the data about the outbreak.

Yet another example has come across in the recent times, as a British drug maker company races to deploy its vaccine for the Corona virus and a couple of suspected North Korean hackers attempted to break into its systems. 

According to sources, the hacking endeavored to focus on a "broad set of people" including staff working on the COVID research.

The Reuters report that, by posing like recruiters on the networking site LinkedIn and WhatsApp the hackers approached the staff of AstraZeneca with fake job offers and later sent documents which appeared to be job descriptions that were bound with malevolent code intended to access a victim's computer. 

The source, who basically spoke on the condition of anonymity to examine non-public data, said the tools and the methods utilized in the attacks demonstrated that they were important for a continuous hacking campaign that US authorities and cybersecurity researchers have 'attributed' to North Korea. 

The campaign was previously been centered around defence companies and media organizations however pivoted to Coronavirus related targets as of late, as per three people who have investigated the attacks. 

Microsoft said for the current month alone it had observed two North Korean hacking groups target vaccine developers in multiple countries, including by "sending messages with fabricated job descriptions" Microsoft however didn't name any of the targeted organizations.

The North Korean mission to the United Nations in Geneva though didn't react to a request put forth for their comment. Pyongyang has likewise denied carrying out the previously mentioned cyberattacks.

It has no direct line of contact for foreign media. AstraZeneca, which has arisen as one of the top three Coronavirus antibody developers, also declined to comment. 

As North Korea has been accused consistently by the US prosecutors for a portion of the world's 'most audacious and damaging cyberattacks’, including the hack and leak of emails from Sony Pictures in 2014, the 2016 theft of $81 million from the Central Bank of Bangladesh, and releasing the Wannacry ransomware virus in 2017. 

Pyongyang has consequently portrayed the allegations against it as attempts by Washington to malign its image. 

Reuters however has recently reported that hackers from Iran, China and Russia likewise have attempted to break into leading drug makers and even the World Health Organization this year, yet Tehran, Beijing and Moscow have all denied the allegations.



Read more »
Technology
Microsoft Microsoft 365 Microsoft Azure Outage Shutdown Servers. Technology

Microsoft 365 Services Restored After Hours Long Outage


Recently Microsoft was hit with a massive global outage that interrupted users’ access to multiple services including Outlook.com, Office 365, Teams, Exchange, Azure, OneDrive Dynamics 365, SharePoint, amid other cloud-based services.

As per the Azure status history page, the users who were trying to access any of Microsoft’s services encountered issues with logging in and server connection as the downtime started around 21:25 UTC on Monday.


The service interruptions had a rather short lifetime, lasting for several hours before Microsoft technicians fixed the issue and successfully rolled back their systems on Tuesday.

In current times of global pandemic wherein physical access for people is restricted all over the world, the outage of online services has proven to be even more disruptive as the number of people relying on it for work and studies has sprung up by a remarkable margin. As classrooms moved online, students and educational institutions are heavily dependent on services offered by Microsoft and Google, primarily.

Giving insights on the matter, Microsoft said “Users who were not already authenticated to the cloud services using Azure AD would have seen multiple authentication request failures. The impact was primarily in the Americas based on the issue being exacerbated by load, but users in other regions may also have experienced some impact. Users that had previously authenticated prior to the issue may not have experienced any noticeable effect.”

Acknowledging the issue, Microsoft 365 Status said in a tweet, “we’ve received reports of users experiencing issues accessing their Exchange Online accounts via Outlook on the Web. Our initial investigation indicates that India-based users are primarily impacted audience. Further details can be found in your admin center under EX223208.”

“We took corrective actions to mitigate the impact to Exchange ActiveSync and have confirmed that service has been restored after users force a sync on their impacted devices. More information can be found under EX223053 in the admin portal.” Microsoft 365 Status said in another tweet.

The issues affecting Microsoft’s online authentication systems have been resolved by the company and the services are restored. Most users reported their system being fully recovered and services functioning normally again.
Read more »
VPN
Bing Hacks Cyber Security Microsoft VPN

Microsoft Suffered A Rare Cyber-Security Lapse When One of Bing's Backend Servers Were Exposed Online

 

Microsoft endured a rather rare cyber-security lapse just this month when the company's IT staff incidentally left one of Bing's backend servers exposed on the web. 

Discovered by Ata Hakcil, a security researcher at WizCase, only imparted his discoveries to ZDNet the previous week. As per Hakcil's investigation, the server is said to have exposed more than 6.5 TB of log documents containing 13 billion records coming from the Bing search engine.

Hakcil said the server was exposed from September 10 to September 16, when he initially had informed the Microsoft Security Response Center (MSRC), and the server was made secure one more time with a password. 

The Wizcase researcher had the option to check and re-check his discoveries by finding search queries he performed in the Bing Android app in the server's logs.

 
Microsoft admitted to committing this mistake and commented last week, 

"We've fixed a misconfiguration that caused a small amount of search query data to be exposed," a Microsoft spokesperson told ZDNet in an email last week. After analysis, we've determined that the exposed data was limited and de-identified." ZDNet, which was provided access to the server while it was exposed without a password, can affirm that no personal user info was made public. 

Rather, the server exposed specialized details, like search inquiries, details regarding the client's system (device, OS, browser, etc.), geo-location details (wherever accessible), and various tokens, hashes, and coupon codes.
The leaky server was distinguished as an Elasticsearch system. Elasticsearch servers are high-grade systems where organizations collect huge amounts of information to handily search and channel through billions of records easily. 

Throughout the previous four years, Elasticsearch servers have frequently been the source of numerous coincidental information leaks. 

The reasons are known to fluctuate and can go from administrators neglecting to set a password; firewalls or VPN frameworks unexpectedly going down and uncovering an organization's normally-internal servers; or organizations duplicating production data to test systems that aren't always secured as rigorously as their essential infrastructure.

Read more »
Vulnerabilities and Exploits
CVE vulnerability Microsoft Security Vulnerabilities Vulnerabilities and Exploits

New Windows Vulnerability Allows Domain Takeover, Microsoft Released Patch



 A new vulnerability named Zerologon has been identified by cybersecurity organization, Secura who tracked the high rated vulnerability as CVE-2020-1472; it allows attackers to gain admin control of a Windows domain, inducing the ability to steal credentials from individual Windows account.

In order to exploit Zerologon, the attacker is required to be on the network, access to which can be acquired by various methods such as phishing, drive-by exploits or etc.

The attacker disables security features that protect the Netlogen process and change a system's password linked with its Active Directory account. Zerologon exploits a weak cryptographic algorithm used in the Netlogon authentication process, as per the expert findings at Secura.

 While exploiting the vulnerability and attempting to authenticate against the domain controller, the bug impersonates the identity of any computer on a network and disables security features. In order to obtain domain administrator access to carry out malicious activities, the attacker needs to connect to a domain controller through a Netlogon secure channel connection. The attack is carried out swiftly, lasting not more than three seconds.

In August 2020, Microsoft effectively disrupted the operations of numerous companies in the patching process that took place in two phases and finally released patches for a severe 10/10 rated security flaw that was described as an elevation of privilege in Netlogon. The task has been an arduous one for Microsoft.

 In their blog post on Zerologon, Secura explained, "It would not be necessary to wait for some other user to attempt to log in. Instead, the attacker can login themselves, pretending to only support NTLM and providing some invalid password. The service they are logging in to will forward the NTLM handshake to the domain controller and the domain controller would reply with a negative response. This message could then be replaced by a spoofed reply (also containing a recalculated session key) indicating that the password was correct and, by the way, the user trying to log in happened to be a member of the domain admin group (meaning they also have administrative privileges on the target machine),"
"This vulnerability can be particularly dangerous when an attacker has a foothold in an internal network because it allows for both elevation of privileges (to local admin) and lateral movement (gaining RCE on other machines on the network)," the blog post further read.
Read more »
TikTok
Cyber Security Microsoft Oracle TikTok

TikTok owner Chinese company clarifies to Microsoft that it would not be its new owner

 

Following President Donald Trump's executive order that labeled the video-sharing application TikTok as a "national emergency", its owner has a September 15 deadline decided to either sell the app to a US company or see the service banned completely banned from the US market.

Be that as it may, Microsoft had already stepped in the race before the official announcement came from the president, saying it was interested in taking up TikTok and incorporate "world-class security, privacy, and digital safety protections" to the app if it did. 

By uniting with Walmart to co-bid for the Chinese company's US, Canadian, Australian, and New Zealand operations. 

Microsoft authorities dubbed the conversations as "preliminary", highlighting that it was not planning to give any further updates on the discussions until there was a definitive result. ByteDance, the Chinese multinational internet technology, said it would exclude TikTok's algorithm as a feature of the sale, as per a South China Morning Post report, and further clarified to Microsoft that it would not be its new owner.

Sunday's blog post emphasized what Microsoft has expressed right from the beginning - that the potential procurement would have required "significant changes" to the application's present status. 

The company moreover explained in a blog post, "ByteDance let us know today they would not be selling TikTok's US operations to Microsoft, we are confident our proposal would have been good for TikTok's users while protecting national security interests." 

"To do this, we would have made significant changes to ensure the service met the highest standards for security, privacy, online safety, and combatting disinformation, and we made these principles clear in our August statement.." 

Nonetheless, following Microsoft's bid, Oracle has also started holding discussions with ByteDance, indicating its interest in the video-sharing application. 


The Wall Street Journal on Monday morning revealed that Oracle would soon be announced as TikTok's "trusted tech partner" and that the video-sharing platform's sale would not actually be organized as an acquisition. 

Meanwhile, Tik Tok affirms that it would launch a lawsuit against the US government concerning its ban. Any possible lawsuit, however, would not keep the company from being constrained to auction the application in the US market.
Read more »
Trump
Chinese Hackers Cyber Security Iranian hackers Microsoft Russian Hackers Trump

Microsoft Confirms Cyber-Attacks on Biden and Trump Campaigns

Microsoft reports breaching of email accounts belonging to individuals associated with the Biden and Trump election campaigns by Chinese, Iranian, and Russian state-sponsored hackers. 

Tom Burt, Corporate VP for Customer Security and Trust at Microsoft, revealed the occurrences in a detailed blog post after Reuters announced about a portion of the Russian attacks against the Biden camp. 

"Most of these assaults" were recognized and blocked, which is what he added later and revealed in the blog post with respect to the additional attacks and furthermore affirmed a DNI report from August that asserted that Chinese and Iranian hackers were likewise focusing on the US election process.

 As indicated by Microsoft, the attacks conducted by Russian hackers were connected back to a group that the organization has been tracking under the name of Strontium and the cybersecurity industry as APT28 or Fancy Bear. 

 While Strontium generally carried out the spear-phishing email attacks, as of late, the group has been utilizing 'brute-force' and password spraying techniques as an integral technique to breaching accounts. 

Then again, the attacks by Iranian hackers originated from a group tracked as Phosphorous (APT35, Charming Kitten, and the Ajax Security Group). 

These attacks are a continuation of a campaign that began a year ago, and which Microsoft recognized and cautioned about in October 2019. At that point, Microsoft cautioned that the hackers focused on "a 2020 US presidential campaign" yet didn't name which one. 

Through some open-source detective work, a few individuals from the security community later linked the attacks to the Trump campaign. 

What's more, only a couple of days back Microsoft affirmed that the attacks are indeed focused on the Trump campaign, yet in addition unveiled a new activity identified with the said group. The attacks were likewise identified by Chinese groups. 

While presently there are several hacking groups that are assumed to work under orders and the security of the Chinese government, Microsoft said that the attacks focusing on US campaigns originated from a group known as Zirconium (APT31), which is a similar group that Google spotted not long ago, in June. 

Microsoft says it detected thousands of attacks coordinated by this group between March 2020 and September 2020, with the hackers accessing almost some 150 accounts during that time period.


Read more »
Microsoft
Anubis malware Microsoft

Anubis Malware that Attacks Windows Users


In a recent cybersecurity incident, Microsoft reports of a new malware called 'Anubis.' Anubis is not related to any banking malware and is famous for attacking windows systems and devices. Recently, the MSI Microsoft Security Intelligence discovered a new window malware. Anubis is capable of stealing windows users' data and has a high threat level. Detailed analysis revealed that the malware triggers the coding of 'Loki' malware responsible for stealing data. The Loki malware came out a few years ago and wreaked hell as infamous ransomware.


According to Microsoft, "the new malware shares a name with an unrelated family of Android banking malware. Anubis is deployed in what appears to be limited, initial campaigns that have so far only used a handful of known download URLs and C2 servers." On its Twitter account, according to Microsoft's tweet, it found a new malware named Anubis, that was roaming in the wild until now. Currently, Anubi has only a limited target, and its range of attacks is also little. "Anubis is deployed in what appears to be limited, initial campaigns that have so far only used a handful of known download URLs and C2 servers," says MSI. Besides, the malware only targets windows systems. Hence, non-windows users are safe. Also, Microsoft defender can identify this malware. Therefore users are safe from Anubis. Another good news.

About Anubis 
Microsoft team first identified the malware in June, as of now, Anubis has become highly active. Having the same name Anubis, users shouldn't confuse it with another android trojan that bears the same name. The windows malware steals user information, including financial data, system data, cryptocurrency wallets, login credentials, and personal information, whereas the android trojan is only a banking malware.

The MSI team is yet to confirm how Anubis is attacking its targets. Therefore, every windows user, for now, should be alert while downloading any 3rd party application/softwares, suspicious emails, etc. The users should also use premium software that guarantees safety against malware. If you're not a Windows user, you needn't worry. The company will update its users if it finds more details about the malware.
Read more »
Microsoft
COVID-19 Cyber Security Microsoft

Microsoft's new report suggest a rapid transformation in cyber security due to the pandemic

 In just two months of the pandemic, the digital world went through "two years worth of digital transformation" according to Microsoft and to compute these changes the company did a survey of 800 leaders from companies with more than 500 employees from the United States, United Kingdom, India, and Germany. The report circumcises the pandemic threat landscape, the long term cybersecurity, budget, staffing, and the adjustments companies did to update their security.


The crux of the matter remains that the pandemic bought on a  multitude of attacks and scams but the very thing strengthened the need for better cybersecurity and many businesses realized this and overall we saw a grave change where digital security is concerned.

According to Microsoft's report following are the changes bought on in cybersecurity by the global pandemic in the long term-
Security as a prime factor in Digital Empathy
With scales of business going WFH (work from home), business leaders quickly realized better security is more productive and drives a better end-to-end experience. For most business leaders the main aim was to improve user experience and productivity thus investing in cybersecurity with VPNs and Multi-factor authentications. The reports show a considerable increase in cybersecurity investments in the surveyed countries since the beginning of the pandemic.

Zero Trust Journey
According to csooonline.com, "Zero Trust is a security concept centered on the belief that organizations should not automatically trust anything inside or outside its perimeters and instead must verify anything and everything trying to connect to its systems before granting access." Earlier, this Zero Trust capability was an option, now this has become the priority and everyone's on it for a much secure and private environment inside the database of the company.

More Database, Better Threat Intelligence
The pandemic highlighted the advantages of cloud backups and threat tracking. Microsoft tracked around 8 Million threats daily from around the world due to the diverse and large data input. With the help of automated tools, human insights, and large data, many threats could be tracked and stopped before they reached the user. 

Cyber reliance key to business operations
Cyber Security is fundamental for efficient business operations and cyber resilience. For that remote workplace, businesses need to constantly update their security plans and threat assessment as well as employ end to end security solutions.

Microsoft reports, "More than half of cloud forward and hybrid companies report having cyber-resilience strategy for most risk scenarios compared to 40% of the primarily on-premises organization. 19% of companies relying primarily upon on-premises technology do not expect to maintain a documented cyber-resilience plan."

 Cloud Security Solutions as Inevitable 
Nearly, 40% of organizations invested in cloud security solutions, followed by Data and Information Security (28%), Network Security(27%), and Anti-phishing tools (26%). Cloud not only protects data but also helps track security issues and provides overall integrated security.


  
Read more »
User Security
Data Breach Microsoft Microsoft 365 Phishing Attack User Data User Security

A Provider of Cyber Security Training Loses 28,000 Items of Personally Identifiable Information (PII) In a Data Breach


A provider of cybersecurity training and certification services, 'The Sans Institute', lost roughly 28,000 items of personally identifiable information (PII) in a data breach that happened after a solitary staff part succumbed to a phishing attack. 

The organization discovered the leak on 6 August 2020, when it was leading a systematic review of its email configuration and rules. 

During this process, its IT group identified a dubious forwarding rule and a malignant Microsoft Office 365 add-in that together had the option to forward 513 emails from a particular individual's account to an unknown external email address before being detected. 

While the majority of these messages were innocuous, however, a number included files that contained information including email addresses, first and last names, work titles, company names and details, addresses, and countries of residence. 

Sans is currently directing a digital forensics investigation headed up by its own cybersecurity instructors and is working both to ensure that no other data was undermined and to recognize areas in which it can harden its systems. 

When the investigation is complete, the organization intends to impart all its findings and learnings to the extensive cybersecurity community. 

Lastly, Point3 Security strategy vice-president, Chloé Messdaghi, says that "Phishers definitely understand the human element, and they work to understand peoples’ pain points and passions to make their emails more compelling. They also know when to send a phishing email to drive immediate responses." 

And hence she concluded by adding that "The final takeaway is that we all need to stay aware and humble – if a phishing attack can snag someone at the Sans Institute, it can happen to any of us who let our guard down."

Read more »
Windows
Botnets Microsoft SBM Vulnerabilities and Exploits Windows

Prometei: A Cryptomining Botnet that Attacks Microsoft's Vulnerabilities


An unknown Botnet called "Prometei" is attacking windows and Microsoft devices (vulnerable) using brute force SMb exploits. According to Cisco Talos, these SMB vulnerabilities help in mining cryptocurrency. The botnet has affected around a thousand devices. It came in March; however, according to experts at Cisco Talos, the campaign could only generate a small amount of $5000 in four months of its activities. The botnet was working since the beginning of March and took a blow on 8th June. However, the botnet kept working on its mining operations to steal credentials. According to experts, the botnet is working for somebody based in Europe, a single developer.


"Despite their activities being visible in logs, some botnets successfully fly under detection teams' radar, possibly due to their small size or constant development on the adversary's part. Prometei is just one of these types of networks that focuses on Monero mining. It has been successful in keeping its computing power constant over the three months we've been tracking it," says Cisco Talo's report.
Vanja Svajcer, a cybersecurity expert, says that earning $1250 monthly is more than average for a European. Therefore, the developer would 've made a fair profit from the botnet. Besides crypto mining, it can also steal private credentials and escape without getting traced.

About SMB attack 

 The hacker exploits the Windows Server Message Block protocol using a vulnerability. After this, the hackers retrieve passwords from Mimikatz, which is an open-source app for credential authentication. To spread itself in SMB protocol, the hackers use the RdpcIip.exe spreader module. This spreader tries to authenticate SMB operation using retrieved credentials or a temporary guest profile, which doesn't require any password. If the spreader can infiltrate, it uses a Windows app to launch the botnet remotely. But if the attack fails, the hackers can use other versions of vulnerabilities to start botnet.

To protect yourself, Cisco Talos says, "defenders need to be constantly vigilant and monitor systems' behavior within their network. Attackers are like water — they will attempt to find the smallest crack to seep in. While organizations need to be focused on protecting their most valuable assets, they should not ignore threats that are not particularly targeted toward their infrastructure."
Read more »
Spear Phishing
Cybersecurity DNS Hijacking Microsoft Spear Phishing

Users Might be Under Risk of DNS Vulnerability


What is DNS?

 It is an essential element in the network (online infrastructure) that allows users to watch or access content on the internet by building a link between an IP address and the respective website with the help of a database. Hackers can use it as an opportunity to disturb the service, which causes altering in the domain registrars. Also known as DNS hijacking, altering domain registrars can cause DDoS attacks, DNS Tunneling, cache position, etc.


About the DNS Risk 

  • In a recent incident, a cryptocurrency exchange Japanese company named Coincheck was a victim of DNS Hijacking. The attack costed the company exposure of around 200 clients' private information and e-mails. The hackers first altered the basic DNS entry by using the company's account and Oname.com- the company's domain registrar provider. After this, the hackers used a spear-phishing technique to steal information and e-mails from the 200 clients. 


  • In another DNS hijacking incident last month, a group of experts from Israel found an "NXNS Vulnerability." The vulnerability in the DNS servers can cause massive scale DDoS attacks if exploited by hackers. To lessen the impact of the attack, Microsoft recently issued a security advisory about the vulnerability. 
It is not all; the DNS vulnerability issue is just one thing. According to cyber experts, there is another DNS threat out in the wild, and the pressing issue is that very few people know about it.

Concerns regarding DNS 

 In present times, the most pressing problem, according to cybersecurity experts, is the exploitation of unattended domains. In other words, domains that are no longer in use but still exist on the internet. It happens under the circumstances of dissolved firms, mergers, and partnerships, as the companies leave out their old domains because of the rebranding. If a domain is left out to expire, the following things can happen:

  • If the hackers re-register the expired domains and make a new e-mail server, they can have access to confidential organizational information.
  • Left out domains of stores can be re-built, and the hackers can use it to receive orders and steal the money.
Read more »
Windows
Microsoft Technology Vulnerability Windows

All Windows Versions Hit By A Vulnerability; Attackers Take Full Control Over Computer




A vulnerability that existed in every single current Window versions allowing an attacker to misuse the Windows Group Policy feature to assume full control over a computer was recently dealt with by Microsoft. The administrators of the multinational technology can remotely deal with the entirety of the Windows devices on a system through the Group Policy feature.

This element permits the administrators to make a centralized global configuration policy for their organization that is pushed out to the entirety of the Windows devices on their network. The vulnerability was quite a serious one as it was capable enough to influence all Windows variants since Windows Server 2008.

These Group Policies allow an administrator to control how a computer can be utilized, like 'disabling settings in apps, prohibiting apps from running, enabling and disabling Windows features, and even deploying the same wallpaper on every Windows computer.'


To appropriately apply these new policies, the gpsvc service or 'Group Policy Client' service, is configured to run with 'system' privileges, which gives the same rights and permissions from the Administrator account.

However, Microsoft has already fixed the 'CVE-2020-1317 | Group Policy Elevation Privilege Vulnerability' discovered by cybersecurity firm CyberArk, who found a symlink attack against a file utilized for Group Policy updates to have access to elevated privileges.

"This vulnerability permits an unprivileged user in a domain environment to perform a file system attack which in turn would allow malicious users to evade anti-malware solutions, bypass security hardening, and could lead to severe damage in an organization network. This vulnerability could impact any Windows machine (2008 or higher), to escalate its privileges in a domain environment," CyberArk state in their report.

When playing out a group policy update that applies to the entirety of the devices in an organization, Windows will compose the new policies to a computer in a subfolder of the %LocalAppData% folder that any user, including a standard user, has permission.

Having full access to a file that is known to be utilized by a procedure with SYSTEM privileges, CyberArk found that they could come up with a symbolic link between the file to an RPC command that executes a DLL.

As the Group Policy Client service runs with SYSTEM privileges, when they endeavor to apply the policies in that file, it will rather execute any DLL the attackers need with SYSTEM privileges.

To trigger this vulnerability, a local attacker could execute the gpupdate.exe program, which plays out a manual group policy synchronization, and this command would then trigger the policy update and run an attacker's malevolent DLL.

As indicated by CyberArk, the full steps to ‘exploit’ this vulnerability would be as per the following:

  1. List the group policy GUIDs you have in C:\Users\user\AppData\Local\Microsoft\Group Policy\History\ 
  2. If you have multiple GUIDs check which directory was updated recently 
  3. Go inside this directory and into the sub-directory, which is the user SID. 
  4. Look at the latest modified directory; this will vary in your environment. In some cases, it can be the Printers directory. 
  5. Delete the file, Printers.xml, inside the Printers directory. 
  6. Create an NTFS mount point to \RPC Control + an Object Manager symlink with Printers.xml that points on C:\Windows\System32\whatever.dll 
  7. Open your favorite terminal and run gpupdate. 

"There you have it; an arbitrary create on arbitrary locations, you can also delete and modify system protected files by using this exploit. There is a small change in behavior that goes on based on your GPO objects (printers, devices, drives). Alas, all of them end up in EoP," CyberArk explains.

As this vulnerability affects millions, if not conceivably a billion devices, it's a very serious security flaw that ought to be addressed to by all Windows administrators as soon as possible.


Read more »
Subscribe to: Posts (Atom)