We have been actively working with customers through our customer support teams, third-party hosters, and partner network to help them secure their environments and respond to associated threats from the recent Exchange Server on-premises attacks. Based on these engagements we realized that there was a need for a simple, easy to use, automated solution that would meet the needs of customers using both current and out-of-support versions of on-premises Exchange Server.
Microsoft has released a new, one-click mitigation tool, Microsoft Exchange On-Premises Mitigation Tool to help customers who do not have dedicated security or IT teams to apply these security updates. We have tested this tool across Exchange Server 2013, 2016, and 2019 deployments. This new tool is designed as an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update.
By downloading and running this tool, which includes the latest Microsoft Safety Scanner, customers will automatically mitigate CVE-2021-26855 on any Exchange server on which it is deployed. This tool is not a replacement for the Exchange security update but is the fastest and easiest way to mitigate the highest risks to internet-connected, on-premises Exchange Servers prior to patching. We recommend that all customers who have not yet applied the on-premises Exchange security update:
Then, follow the more detailed guidance here to ensure that your on-premises Exchange is protected.
If you are already using Microsoft Safety Scanner, it is still live and we recommend keeping this running as it can be used to help with additional mitigations.
Once run, the Run EOMT.ps1 tool will perform three operations:
Mitigate against current known attacks using CVE-2021-26855 using a URL Rewrite configuration. Scan the Exchange Server using the Microsoft Safety Scanner. Attempt to reverse any changes made by identified threats.
Before running the tool, you should understand:
The Exchange On-premises Mitigation Tool is effective against the attacks we have seen so far, but is not guaranteed to mitigate all possible future attack techniques. This tool should only be used as a temporary mitigation until your Exchange servers can be fully updated as outlined in our previous guidance.
We recommend this script over the previous ExchangeMitigations.ps1 script as it tuned based on the latest threat intelligence. If you have already started with the other script, it is fine to switch to this one.
This is a recommended approach for Exchange deployments with Internet access and for those who want to attempt automated remediation.
Thus far, we have not observed any impact to Exchange Server functionality when these mitigation methods are deployed.
For more technical information, examples, and guidance please review the GitHub documentation.
Microsoft is committed to helping customers and will continue to offer guidance and updates that can be found at https://aka.ms/exchangevulns.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS GUIDANCE. The Exchange On-premises Mitigation Tool is available through the MIT License, as indicated in the GitHub Repository where it is offered.
If you have already managed multiple Wi-Fi access points, you should know that this can be a nightmare … But with good choices for hardware and a controller, this becomes easier. It’s the main goal of the Unifi controller: manage most of the tasks on a wireless network to avoid issues. It’s available on Raspberry Pi and I will show you how to install it.
How to install and configure Unifi controller on Raspberry Pi? Start by adding the Ubiquiti server to the list of repositories for Raspberry Pi OS. Then, the Unifi controller can be installed with apt and managed as a system service.
The installation is straightforward, you can install it like any Debian package. But the access points configuration is not so easy and I saw no article explaining this. As I’m using it at work, I can show you all the configuration steps with real access points and clients.
Before switching to Ubiquiti products, I remember having tested many brands to solve my issues, but none of them could not support over 10-20 users simultaneously (I even tested a fireproof model from D-Link, something like this one on Amazon ^^). So I definitely recommend trying Ubiquiti, this is cheap compared to other famous brands but works very well. Let’s see how to do this!
Ubiquiti Networks is an American company, selling hardware for wireless technologies like access points, routers and cameras. They started with wireless devices, and they are now diversifying upon a broader range of products. The latest innovative product concerns the solar technology, they help you to manage solar farms.
Anyway, the product that interests us today is a software: Unifi controller. The goal of this product is to manage access points and wireless devices from a unique web interface. From the interface, you can see all the access points and broadcast a unique SSID. The controller will handle the roaming between access points and load distribution.
Raspberry Pi Course Sale: 10% off today. Take it to the next level. I’m here to help you get started on Raspberry Pi, and learn all the skills you need in the correct order.YES, I WANT TO IMPROVE
Why do I need these products?
These products target mainly companies and large areas but you can have the same needs at home if you get some issues with your Wi-Fi connection (rooms with no network, roaming, stability, etc.). If you need over one access point to cover all the house, it could be interesting to install these products at home.
For example, let’s say you install three access points and the controller somewhere. You’ll have only one Wi-Fi SSID in all the area (outdoor included). And you can move from one side to another without disconnection.
Ubiquiti products
Ubiquiti products are distributed by resellers, but are also available on several e-commerce websites:
To test these products, you don’t need many things. Just buy one or more access points and build your professional wireless network. Here is the link: Ubiquiti Unifi AP on Amazon.
You have several packages available: Only one, 2 AP (access point), 4 AP, etc. Choose the one you prefer, but there is not a big saving by taking big packs, so you can try with one or two, and order the others after.
Whatever your choice, a PoE switch will make the installation easier If you want to start without it, there is a last option. Ubiquiti provides an adapter with the AP (power cord + network = PoE Network), but you need a power outlet and two RJ45 cables instead of only one cable for everything. Here is the link to the PoE injector on Amazon, make sure to check the AP power requirements are they are not all the same (a Pro AP needs PoE-48 for example).
Unifi controller installation
Now that you understand what are the Unifi products, we can move to the controller installation.
Installation on Raspberry Pi OS
As for any tutorial on this site, you firstly need to install Raspberry Pi OS on your Raspberry Pi. Any version will do the job (I’m doing it with Raspberry Pi OS Lite). If you don’t know how to do this, read my article on How to install Raspberry Pi OS on your Raspberry Pi.
Once installed, update it and reboot: sudo apt update sudo apt upgrade sudo reboot
And enable SSH access with: sudo service ssh start This way you can follow this tutorial from your computer (if needed, check this post to learn more about this).
Set a static IP address
As our Raspberry Pi will be like a server on our network, we need to use:
A wired connection If you want a fast Wi-Fi network, you need to have your controller and your access point on a good connection. So, I don’t recommend setting up the controller with a Wi-Fi connection (at home it’s probably ok).
A static IP address The Raspberry Pi will become an important node on your network, so we need to fix its IP. By default, the Raspberry Pi use the DHCP to get a random IP among those available.
For the static IP, you can either fix the IP in the DHCP server (your Internet router probably), or set a static IP in the Raspberry Pi configuration.
Master your Raspberry Pi in 30 days Sale: 25% off today. Download the eBook. Uncover the secrets of the Raspberry Pi in a 30 days challenge.GET IT NOW!
Unifi controller installation
Now we are ready to start the installation. For these steps you have two choices:
Download and install directly the official Debian package from the website.
Add a new repository to manage the Unifi package with apt.
On the Ubiquiti downloads page you can find the Debian package to install the controller. You can download it and install it on your Raspberry Pi. But I don’t recommend it.
Because the Controller has many updates, about every month you have to download and install a new versionmanually. There is a repository available and it’s easier to manage all updates with apt rather than doing everything manually.
Connect with SSH to your Raspberry Pi.
Add the repository in the apt configuration file: echo 'deb https://www.ui.com/downloads/unifi/debian stable ubiquiti' | sudo tee /etc/apt/sources.list.d/100-ubnt-unifi.list
Add the key to the trusted keys: sudo wget -O /etc/apt/trusted.gpg.d/unifi-repo.gpg https://dl.ui.com/unifi/unifi-repo.gpg This allows us to use software from the previous repository
Run apt update to update the available packages list : sudo apt update
And finally, install the Unifi package: sudo apt install unifi Answer yes and wait a few seconds for the installation process to finish.
This is the end of the installation procedure, but your controller may not work yet. You can check the service status with: sudo service unifi status If you get an error like this one on a fresh Raspberry Pi OS installation:
Starting Ubiquiti UniFi Controller: unifi
Cannot locate Java Home
Then you need to install Java to start the Unifi service. Currently, the Unifier controller requires Java 8. You may already have it from another application, but if you have this error, here is how to fix it: sudo apt install openjdk-8-jre And finally start the Unifi service: sudo service unifi start You can find more details about Java in this tutorial.
Check the status again if you want: If everything is ok, you can move on to the next part to know how to use the software.You may also like:
To access the web interface, go to https://<IP>:8443 For example, in my case it’s https://192.168.1.25:8443/ You’ll get a browser warning because we don’t have a secured certificate for the moment. Accept the exception and move to the next page to configure everything you need to get started:
Step1: Start by giving a name to his controller and click on “Next”
Step 2: Choose if you want to enable the cloud interface (default) or not (advanced). It depends on what you are trying to do. If you are always on the same network (home or in a company), you don’t really need the cloud panel. But it can be useful for remote sites.
If you keep the default option, fill the form to create an Unifi account.
On the advanced option, you have a form like this: If you enable one option, you need to create a cloud account AND a local account. I don’t need it for my test, so I disable everything.
Step 3: Sign in or configure options. This step is also different depending on your choice in the previous step You may need to sign in your account, or just to configure two additional options (auto backup and auto-optimize). Keep them enabled if asked.
Step 4: Configure your devices. You can just skip this, it’s not required for now. You can add devices at anytime in the interface
Step5: You can finally configure your Wi-Fi settings now. You can also change this in the interface, so just pick something to get started.
Step6: Finally, you also need to review your settings and you are ready to go.
Good job! You will now be redirected to the web panel. We can finally see it and configure more things if needed.
Web interface overview
Once logged in the web interface, you’ll get many submenus to manage everything. For the moment, it should be pretty empty, but in the left bar you can see:
Dashboard: Here you can have a preview of your network performance (number of APs and clients). Most of this dashboard needs the Unifi Security Gateway, so it’s not an important page.
Statistics: In this page you can monitor clients and traffic in the whole network. For the moment, nothing here 🙂
Map: In this one you can upload a map of your building, and place all APs on it. This way you can know where they are and see the global Wi-Fi coverage (approximately).
Devices: This page shows you all the Unifi devices you have on your network. It’s the most important page, you will manage APs from here.
Clients: Same thing for the clients. You’ll see here all the connected clients with information about them (IP, AP, network usage, …):
Insights: Here you can see miscellaneous information. I’m using this mainly to see known clients (not connected now, but you can check the history, block or unblock them).
Events: This window shows you all the recent logs on your network This can be clients connections, AP upgrades, roaming, …
Alerts: Same thing with errors and warnings.
Settings: And this is the page where you’ll configure everything. We’ll use it to create the wireless network.
Chat support: If you need help from Unifi, you can ask for help here.
Now that you have visited the whole interface, we can move forward to configure the access point.
Add the first access point
Physical preparation
There are two possibilities for the access point cabling.
With a PoE switch:
Plug the access point to the POE Switch with an RJ45 cable.
Basically, that’s it. The status light should turn on and you can move to the next step.
Without PoE switch:
You must have a POE adapter like this: (it’s available on Amazon if you don’t have one with your access point: check it here).
Connect the LAN port to your switch or wall network socket.
Connect the POE port to the access point.
If the access point LED starts to blink, it’s ok.
Software configuration
Now that we powered on the access point, we can go back to the Unifi web interface for the next steps:
Access the web interface: https://IP:8443.
Click on “Devices” in the left menu.
You should now see your access point in the list: The controller is seeing it, but we need to tell that it’s an access point for this controller.
Click on “Adopt” at the end of the line. The adoption process starts, after a few seconds, you should get the “Connected” status.
If needed (probably), you can upgrade the AP firmware to the latest version by clicking “Upgrade”. Your access point will take a few minutes to download and update the firmware.
Anyway, the first access point is ready, and we can now create the wireless network (SSID).
You can click on the line to see and change other settings for the access point (on the right).
For example, you can set an alias for each access point to know which one is which. In the properties window, click on the config tab and set an alias.
Change everything you want on the access point and move to the SSID creation.
Create your wireless network
Creating a wireless network is basically setting an SSID, a password and a security type. You can do this in the “Settings” menu from the left bar:
In settings, click on “Wireless Networks”.
Then click on the “Create a new wireless network” button:
In the new window, choose an SSID, a security type and a password: Choose WPA-Personal for security, WEP is not secure. And prefer a long password (ideally a phrase from 15 to 30 characters).
Click “Save”.
The access points will restart with the new settings. After a few seconds, the new wireless network is available for all your devices.
Connect to it and check that everything works fine. By default, the Unifi controller will give you an IP address within your main network. You have nothing else to do, but you can change it in Settings > LAN.
Then go back to the different menus to see information and statistics about your device. Enjoy 🙂
Related questions
Do I need to keep the Raspberry Pi on? Not really. As soon as the Raspberry Pi stops, the controller is no longer available but the access point continue to work. You can still access the Wi-Fi network, but you lose controller’s features like roaming between APs.
Do the Unifi controller have advanced features you don’t talk about? Yes, a lot. I made a quick tutorial, but you can do a lot more: schedule downtimes, create guest access with VLAN or not, Radius with Active Directory, filter MAC address, block and unblock clients, etc …
How to reset an Unifi access point? If you lose access to an access point or have strange scenarios in the adoption process, you can reset it to factory defaults. To do this, use the reset button near the RJ45 socket. While the access point is on, let the button pressed for 10 seconds and then wait for the reset.
Conclusion
That’s it, you know how to install and configure an Unifi controller on your Raspberry Pi. This controller is running perfectly on my Raspberry Pi (3B+ and 4). I don’t know how many clients it would handle, but at home it’s more than enough.
If you have questions on this topic, leave a comment below and I’ll help you. I’m using this software at work for five years now, so I may have the answer 😉
One of the first malware samples tailored to run natively on Apple’s M1 chips has been discovered, suggesting a new development that indicates that bad actors have begun adapting malicious software to target the company’s latest generation of Macs powered by its own processors.
While the transition to Apple silicon has necessitated developers to build new versions of their apps to ensure better performance and compatibility, malware authors are now undertaking similar steps to build malware that are capable of executing natively on Apple’s new M1 systems, according to macOS Security researcher Patrick Wardle.
Wardle detailed a Safari adware extension called GoSearch22 that was originally written to run on Intel x86 chips but has since been ported to run on ARM-based M1 chips. The rogue extension, which is a variant of the Pirrit advertising malware, was first seen in the wild on November 23, 2020, according to a sample uploaded to VirusTotal on December 27.
“Today we confirmed that malicious adversaries are indeed crafting multi-architecture applications, so that their code will natively run on M1 systems,” said Wardle in a write-up published yesterday. “The malicious GoSearch22 application may be the first example of such natively M1 compatible code.”
While M1 Macs can run x86 software with the help of a dynamic binary translator called Rosetta, the benefits of native support mean not only efficiency improvements but also the increased likelihood of staying under the radar without attracting any unwanted attention.
First documented in 2016, Pirrit is a persistent Mac adware family notorious for pushing intrusive and deceptive advertisements to users that, when clicked, downloads and installs unwanted apps that come with information gathering features.
For its part, the heavily obfuscated GoSearch22 adware disguises itself as a legitimate Safari browser extension when in fact, it collects browsing data and serves a large number of ads such as banners and popups, including some that link to dubious websites to distribute additional malware.
Wardle said the extension was signed with an Apple Developer ID “hongsheng_yan” in November to further conceal its malicious content, but it has since been revoked, meaning the application will no longer run on macOS unless attackers re-sign it with another certificate.
Although the development highlights how malware continues to evolve in direct response to both hardware changes, Wardle warned that “(static) analysis tools or antivirus engines may struggle with arm64 binaries,” with detections from industry-leading security software dropping by 15% when compared to the Intel x86_64 version.
GoSearch22’s malware capabilities may not be entirely new or dangerous, but that’s beside the point. If anything, the emergence of new M1-compatible malware signals this is just a start, and more variants are likely to crop up in the future.
A full-time mass work from home (WFH) workforce was once considered an extreme risk scenario that few risk or security professionals even bothered to think about.
Unfortunately, within a single day, businesses worldwide had to face such a reality. Their 3-year long digital transformation strategy was forced to become a 3-week sprint during which offices were abandoned, and people started working from home.
Like in an eerie doomsday movie, servers were left on in the office, but nobody was sitting in the chairs.
While everyone hopes that the world returns to its previous state, it’s evident that work dynamics have changed forever. From now on, we can assume a hybrid work environment.
Even companies that will require their employees to arrive daily at their offices recognize that they have undergone a digital transformation, and work from home habits will remain.
The eBook “5 Security Lessons for Small Security Teams for a Post-COVID19 Era” (download here) helps companies prepare for these new work dynamics. The practical insights and provided recommendations make this a very helpful guide for small security teams that feel the brunt of security on a daily basis and now need to add one more item to their security strategy planning and execution.
This eBook details the following five security lessons derived from current business, IT, and threat landscape trends:
You can’t do it all. In particular, they suggest asking your security vendor for their customer success and offered services. Some vendors provide a range of free offerings, but many customers don’t realize this and forego the opportunity to extend their security team virtually.
Response speed is the name of the game. Everyone will tell you that automation is key. The guide takes it a step further and also suggests how to remove overheads from security stacks as well as how to reduce analyst work inefficiencies.
More corporate devices to be issued to employees. This point provides best practices for securely procuring and managing all of those new devices, also when the security team works remotely.
Supply chain attacks are on the rise. Your supplier’s security, unfortunately, becomes your security. The guide provides tips on how to receive more visibility into the threats that now reside in your environment, including how to address this challenge in a budget-constrained way.
Economies have changed. When ransomware is growing to insurmountable amounts, what are the ways – from training to technologies – to best protect your business.
At the end of the day, small security teams deal with many challenges. As all security teams go, they have the burden of tedious tasks and operational demands while needing to keep the business going.
But on top of that, they have a stricter budget and human resource limitations. In each practical step, this guide takes these constraints into consideration.
It’s no secret that sysadmins have plenty on their plates. Managing, troubleshooting, and updating software or hardware is a tedious task. Additionally, admins must grapple with complex webs of permissions and security. This can quickly become overwhelming without the right tools.
If you’re a sysadmin seeking to simplify your workflows, you’re in luck. We’ve gathered some excellent software picks to help tackle different duties more efficiently.
Thankfully, these free tools are also respectful of tight budgets—without sacrificing core functionality.
Best for Permissions Management: SolarWinds Permissions Analyzer for Active Directory
Whether you are part of an organization with many members or numerous resources, keeping track of permissions can be challenging. Changes in responsibilities, titles, or even employment statuses can influence one’s access to proprietary data. Each user has unique privileges.
SolarWinds Permissions Analyzer streamlines this process. Once the software has system access, you may inspect user permissions using the search bars. This lets you cross-reference specific users with key file groups—showing read access, write or modify access, delete or create capabilities, and even full control.
How does Permissions Analyzer (PA) check this?
The tool performs a user search
PA reads NTFS rights and calculates NTFS permissions
PA then reads membership information for any pertinent groups
PA searches for local group membership information
The program reads share rights, calculating share permissions
Finally, results are merged and finalized
This process is incredibly quick. Referring to the figure above, the way SolarWinds displays this information is its bread and butter. Permissions Analyzer organizes the output into a hierarchical table—including expandable categories based on inheritance. For instance, you can see if group membership impacts specific permissions statuses.
This information is shown in concert with NTFS, Shares, and Total permissions. The GUI allows for quick consumption using iconography and color (partially adopting the traffic light scheme). Therefore, PA excels where alternatives fall short: simplicity and usability.
Note that SolarWinds Permissions Analyzer is an investigative tool. It doesn’t allow you to edit permissions within the app; however, it provides rapid visibility into your permissions structure.
Best for Boosting Password Security: Specops Password Auditor
Active Directory password security is vitally important, yet many organizations routinely fail short. Teams can institute password policies—both broad and fine-grained. But, are these efforts adequate? Specops Password Auditor can answer that question and more for you.
Password Auditor does what its namesake implies by scanning all user accounts within your environment to detect leaked passwords. Specops maintains a dictionary of compromised passwords; should any user passwords match, Password Auditor highlights them within the tool.
The central dashboard displays the following in a unified view:
Breached passwords (and their corresponding users)
Identical passwords (and matching users)
Admin account names and stale variants
Accounts with expired passwords
Various password policies according to users, roles, and security
Password policy usage and compliance (pass, caution, fail)
This breakdown is easier to read at a glance than most others out there—including some paid options. It’s also a great supplement to Azure AD Password Protection. While that functionally applies password policies to domain controllers, Password Auditor determines if these policies are ultimately working properly.
Are dormant accounts causing issues? Perhaps password length and complexity aren’t up to snuff. Password Auditor can shed light on these issues.
Like SolarWinds Permissions Analyzer, Specops’ tool conducts a scan of your users and policies. This process is quick and easy to monitor. Password Auditor automatically compiles a report of its findings, which is available as a downloadable PDF. You may also export to CSV.
Worried about potential tampering? Specops Password Auditor is a read-only program.
Best for Network Visibility and Protocol Analysis: Wireshark
For lovers of the now-deprecated Microsoft Message Analyzer, Wireshark has emerged as a popular replacement. The multi-platform tool supports an expansive list of operating systems:
Windows 8+ and Windows Server 2012(R)+
macOS 10.12+
Over a dozen versions of UNIX, Linux, and BSD
Wireshark can inspect hundreds of network protocols, and even when that list is continually evolving. Accordingly, Wireshark can capture data whether you’re online or offline, allowing for uninterrupted inspection. Wireshark also supports over 20 capture file formats.
You may retrospectively parse logs using your preferred interface—whether that be the GUI or the TShark terminal utility. Files compressed using gzip can be uncompressed on the fly, which saves time.
Want to inspect the packets traveling throughout your network? Simply take advantage of the three-pane browser view, which keeps data well organized. Layouts also feature collapsible sections—letting you reveal additional details on demand or keep the interface uncluttered.
What else does Wireshark offer?
Numerous display filters
VoIP analysis
Real-time data reads over ethernet, IEEE, Bluetooth, USB, token ring, and more
Decryption for IPsec, Kerberos, SNMP, ISAKMP, SSL/TLS, WEP, WPA, and WPA2
Customizable coloring rules
Easy data export via XML, PostScript, CSV, or plain text
Wireshark remains open source to this day, and the developers maintain high-quality documentation on Wireshark’s website and GitHub pages.
Best for Proactive User-Password Management: Specops Password Notification Email
Even when your password policy is sound, it’s important to keep passwords from becoming stale. This can prevent hackers from gaining repeat access to a compromised account over the long term.
Unanticipated expiry can also separate users from vital resources. Accordingly, companies enforcing periodic password expiry should look no further than Specops Password Notification.
Password Notification’s premise is pretty simple: prevent a lockout, thwart unwanted access, and keep users connected from afar. Additionally, the goal is to lessen the burden on help desk technicians and universally prevent frustration. How exactly does the tool work?
The pwdLastSet attribute is compared to the maximum password age. This age is outlined in a given domain policy or fine-grained password policy
Users impacted by relevant GPOs are sent notification emails when their password nears expiry. This warning period, message, and subject are customizable
IT admins can communicate with all users—even those on remote networks or VPNs
Regular Windows users don’t receive these alerts when they’re off the network.
How else can you tailor emails in Password Notification? Email frequency is adjustable, as are recipients (including multiple contacts). You can also set priority levels that change dynamically as deadlines approach. Seamless time zone integrations are also available.
Manual methods might otherwise rely on scripting via PowerShell. Specops’ tool gives users rich functionality out of the box, without the need for heavy configuration.
Intel and Cybereason have partnered to build anti-ransomware defenses into the chipmaker’s newly announced 11th generation Core vPro business-class processors.
The hardware-based security enhancements are baked into Intel’s vPro platform via its Hardware Shield and Threat Detection Technology (TDT), enabling profiling and detection of ransomware and other threats that have an impact on the CPU performance.
“The joint solution represents the first instance where PC hardware plays a direct role in ransomware defenses to better protect enterprise endpoints from costly attacks,” Cybereason said.
Exclusive to vPro, Intel Hardware Shield provides protections against firmware-level attacks targeting the BIOS, thereby ensuring that the operating system (OS) runs on legitimate hardware as well as minimizing the risk of malicious code injection by locking down memory in the BIOS when the software is running to help prevent planted malware from compromising the OS.
Intel TDT, on the other hand, leverages a combination of CPU telemetry data and machine learning-based heuristics to identify anomalous attack behavior — including polymorphic malware, file-less scripts, crypto mining, and ransomware infections — in real-time.
“The Intel [CPU performance monitoring unit] sits beneath applications, the OS, and virtualization layers on the system and delivers a more accurate representation of active threats, system-wide,” Intel said. “As threats are detected in real-time, Intel TDT sends a high-fidelity signal that can trigger remediation workflows in the security vendor’s code.”
The development comes as ransomware attacks exploded in number last year, fueled in part by the COVID-19 pandemic, with average payout increasing from about $84,000 in 2019 to about $233,000 last year.
The ransomware infections have also led to a spike in “double extortion,” where cybercriminals steal sensitive data before deploying the ransomware and hold it hostage in hopes that the victims will pay up rather than risk having their information made public — thus completely undermining the practice of recovering from data backups and avoid paying ransoms.
What’s more, malware operators are increasingly extending their focus beyond the operating system of the device to lower layers to potentially deploy bootkits and take complete control of an infected system.
Last month, researchers detailed a new “TrickBoot” feature in TrickBot that can allow attackers to inject malicious code in the UEFI/BIOS firmware of a device to achieve persistence, avoid detection and carry out destructive or espionage-focused campaigns.
Viewed in that light, the collaboration between Intel and Cybereason is a step in the right direction, making it easier to detect and eradicate malware from the chip-level all the way to the endpoint.
“Cybereason’s multi-layered protection, in collaboration with Intel Threat Detection Technology, will enable full-stack visibility to swiftly detect and block ransomware attacks before the data can be encrypted or exfiltrated,” the companies said.
Hardware security keys—such as those from Google and Yubico—are considered the most secure means to protect accounts from phishing and takeover attacks.
But a new research published on Thursday demonstrates how an adversary in possession of such a two-factor authentication (2FA) device can clone it by exploiting an electromagnetic side-channel in the chip embedded in it.
The vulnerability (tracked as CVE-2021-3011) allows the bad actor to extract the encryption key or the ECDSA private key linked to a victim’s account from a FIDO Universal 2nd Factor (U2F) device like Google Titan Key or YubiKey, thus completely undermining the 2FA protections.
“The adversary can sign in to the victim’s application account without the U2F device, and without the victim noticing,” NinjaLab researchers Victor Lomne and Thomas Roche said in a 60-page analysis.
“In other words, the adversary created a clone of the U2F device for the victim’s application account. This clone will give access to the application account as long as the legitimate user does not revoke its second factor authentication credentials.”
The whole list of products impacted by the flaw includes all versions of Google Titan Security Key (all versions), Yubico Yubikey Neo, Feitian FIDO NFC USB-A / K9, Feitian MultiPass FIDO / K13, Feitian ePass FIDO USB-C / K21, and Feitian FIDO NFC USB-C / K40.
Besides the security keys, the attack can also be carried out on NXP JavaCard chips, including NXP J3D081_M59_DF, NXP J3A081, NXP J2E081_M64, NXP J3D145_M59, NXP J3D081_M59, NXP J3E145_M64, and NXP J3E081_M64_DF, and their respective variants.
The key-recovery attack, while doubtless severe, needs to meet a number of prerequisites in order to be successful.
An actor will have first to steal the target’s login and password of an account secured by the physical key, then stealthily gain access to Titan Security Key in question, not to mention acquire expensive equipment costing north of $12,000, and have enough expertise to build custom software to extract the key linked to the account.
“It is still safer to use your Google Titan Security Key or other impacted products as a FIDO U2F two-factor authentication token to sign in to applications rather than not using one,” the researchers said.
To clone the U2F key, the researchers set about the task by tearing the device down using a hot air gun to remove the plastic casing and expose the two microcontrollers soldered in it — a secure enclave (NXP A700X chip) that’s used to perform the cryptographic operations and a general-purpose chip that acts as a router between the USB/NFC interfaces and the authentication microcontroller.
Once this is achieved, the researchers say it’s possible to glean the ECDSA encryption key via a side-channel attack by observing the electromagnetic radiations coming off the NXP chip during ECDSA signatures, the core cryptographic operation of the FIDO U2F protocol that’s performed when a U2F key is registered for the first time to work with a new account.
A side-channel attack typically works based on information gained from the implementation of a computer system, rather than exploiting a weakness in the software. Often, such attacks leverage timing information, power consumption, electromagnetic leaks, and acoustic signals as a source of data leakage.
By acquiring 6,000 such side-channel traces of the U2F authentication request commands over a six-hour period, the researchers said they were able to recover the ECDSA private key linked to a FIDO U2F account created for the experiment using an unsupervised machine learning model.
Although the security of a hardware security key isn’t diminished by the above attack due to the limitations involved, a potential exploitation in the wild is not inconceivable.
“Nevertheless, this work shows that the Google Titan Security Key (or other impacted products) would not avoid [an] unnoticed security breach by attackers willing to put enough effort into it,” the researchers concluded. “Users that face such a threat should probably switch to other FIDO U2F hardware security keys, where no vulnerability has yet been discovered.”
(it’s available on Amazon if you don’t have one with your access point: 
The controller is seeing it, but we need to tell that it’s an access point for this controller.
Choose WPA-Personal for security, WEP is not secure.
