Blog

Top Mac Malware and Security Vulnerabilities

It is commonly believed that Macs are immune to viruses. However, although they are less vulnerable than Windows computers, the reality is that MacBooks, iMacs, and Mac minis are still susceptible to malware and other security vulnerabilities — and there are some worrying ones out there, too.

Below are the top 5 macOS malware programs, security flaws, and vulnerabilities that you need to be aware of!

Silver Sparrow

Disclosed by Red Canary researchers, Silver Sparrow is a unique macOS malware program that was created to target Apple’s new M1 processors.

Silver Sparrow is a PUA (potentially unwanted application) that can serve as a delivery mechanism for malware. Once your device is infected it will contact a server every hour. It is still currently unknown how much of a threat Silver Sparrow truly poses, but in theory, it could act as a catalyst for significant attacks.

Apple quickly released a macOS update that prevents Silver Sparrow from being installed. Therefore, if you are running a fully updated version of macOS, you are safe from Silver Sparrow.

XLoader

It was all but guaranteed that one of the most common pieces of Windows malware would make its way to macOS. Initially reported by Check Point security researchers in July 2021, it was confirmed that a Mac version of the XLoader malware had actually been around for some time.

XLoader is a new variant of the infamous Formbook, a program used to steal login credentials, record keystrokes, and download and execute files.

Once a device is infected with XLoader, it transfers a hidden application bundle containing a copy of itself to the user’s home folder, and what is particularly dangerous about it is the fact that it can run completely undetected by macOS.

XCSSET

Initially reported by Trend Micro in August 2020, XCSSET primarily targets macOS users in Asia. Many experts believe that XCSSET mainly targets Chinese gambling sites and their users.

XCSSET replaces users’ web browser icons with fake versions that launch malware whenever opened. XCSSET can bypass macOS’s privacy protections by hijacking the privileges of legitimate apps, allowing it to take screen captures.

XCSSET seeks to access information via the Safari browser, including login details for various Apple, Google, PayPal, and Yandex services. Other types of information it can collect include notes and messages sent via Skype, Telegram, QQ, and WeChat.

macOS Big Sur IOMobileFrameBuffer

This vulnerability can allow attackers to take over an affected system. It is a critical memory corruption issue found in internal component extensions in macOS. This security flaw allows the installation of malicious applications and enables them to execute commands with system administrator privileges — bypassing macOS’s built-in security measures.

The issue was addressed immediately by Apple, with a fix released in the macOS Big Sur 11.5.1 July 26, 2021 update.

Log4Shell

Log4Shell is a vulnerability in the widely used Java library Apache Log4j, software used by countless large companies including Google, Apple, Netflix, Twitter, and many more. It enables attackers to perform remote code execution and gain control over affected servers.

Log4j is an open-source logging tool used by a huge number of websites and apps. Because it is so widely used, the number of services at risk of exploitation is incredibly concerning.

Although macOS is not directly affected by Log4Shell, according to security researchers, the vulnerability has been found to affect Apple’s iCloud platform. Luckily, Apple was quick to patch the vulnerability — releasing a fix shortly after it was discovered.

It was estimated that around 850,000 attacks were attempted within just 72 hours of the initial outbreak. It is not clear if Apple’s iCloud was among the services targeted.

Apache has already released an update fixing the vulnerability, although because of Log4j’s widespread worldwide use, the prospect of all the apps that use it receiving the fix is simply not realistic.

However, even if you use one of the compromised apps, your Mac will not be at risk. When exploited, the bug affects the server running Log4j, not the computer itself. In theory, though, the exploit could be used to plant a malicious app on a server that then affects connected machines.

Stay protected at all times

Malware creators will always seek out undiscovered vulnerabilities that they can exploit, and Macs are certainly not immune. Fortunately, security researchers are often exceptionally quick at discovering these vulnerabilities, and fixes are almost always released promptly.

However, it is best practice to always use a trusted antivirus app to ensure you are as protected as possible against all types of threats.

Trend Micro’s Antivirus One — the best option for complete peace of mind

Antivirus One can protect your Mac from viruses, malware, and adware, block potential web threats and safeguard against vulnerabilities.

Some key features include:

  • Fast Thorough Scans — Scan your Mac for hidden threats in less than a minute.
  • Web Threat Protection — Avoid online fraud, malicious software embedded in websites, and other threats lurking on the web.
  • Data Privacy Sweeps — Clear personal information out of Safari, Google Chrome, and Mozilla Firefox before it leaks online.

    Source :
    https://news.trendmicro.com/2022/02/21/top-mac-malware-and-security-vulnerabilities/

Microsoft Teams is the new frontier for phishing attacks

Even with email-based phishing attacks proving to be more successful than ever, cyberattackers are ramping up their efforts to target employees on additional platforms, such as Microsoft Teams and Slack.

One advantage is that in those applications, most employees still assume that they’re actually talking to their boss or coworker when they receive a message.

“The scary part is that we trust these programs implicitly — unlike our email inboxes, where we’ve learned to be suspicious of messages where we don’t recognize the sender’s address,” said Armen Najarian, chief identity officer at anti-fraud technology firm Outseer.

Notably, traditional phishing has seen no slowdown: Proofpoint reported that 83% of organizations experienced a successful email-based phishing attack in 2021 — a massive jump from 57% in 2020. And outside of email, SMS attacks (smishing) and voice-based attacks (vishing) both grew in 2021, as well, according to the email security vendor.

However, it appears that attackers now view widely used collaboration platforms, such as Microsoft Teams and Slack, as another growing opportunity for targeting workers, security researchers and executives say. For some threat actors, it’s also a chance to leverage the additional capabilities of collaboration apps as part of the trickery.

Sophisticated Teams attacks

Patrick Harr, CEO of phishing protection vendor SlashNext, told VentureBeat that a highly sophisticated phishing attack recently struck a customer on Microsoft Teams.

It happened, Harr said, while the CEO of the customer company was traveling to China. Posing as the CEO, an attacker sent a WhatsApp message to several of the company’s employees, asking them to join a Teams meeting.

Once in the meeting, the employees saw a video feed of the CEO, which they didn’t realize had been scraped from a past TV interview. As part of the trick, the attackers had added a fake background to the video to make it appear the CEO was in China, Harr said.

But since there was no audio, the “CEO” said that there “must be a bad connection” — and then dropped a SharePoint link into the chat.

Posing as the CEO, the attacker told the employees that “‘since I can’t make this work, send me the information on this SharePoint link,’” Harr said.

An employee did end up clicking on the malicious SharePoint link — but they were blocked from accessing the page.

Ultimately, the incident demonstrates that “these bad actors are nesting themselves in legitimate services,” Harr said. “They’re getting very creative. They’re staying ahead of the curve.”

A big target

Microsoft Teams is massively widespread in the enterprise, with 270 million monthly active users, and that’s led attackers to take notice.

Threat actors have spotted a few other things about Teams, too: If you can acquire an account’s Microsoft Office 365 password, that can potentially get you into Teams as well. And while more workers may be savvy about email phishing techniques at this point, they’re less likely to be suspicious about a Teams message, according to researchers.

Attackers are seizing the opportunity: In January, email security platform Avanan saw thousands of attacks involving malware dropped into Teams conversations, researchers at the Check Point-owned organization reported.

By attaching a malicious executable file in a Microsoft Teams conversation, “hackers have found a new way to easily target millions of users,” the Avanan researchers wrote in a blog post. When clicked, the .exe file installs a Trojan on a user’s Windows PC, and the Trojan then installs malware.

The attacks are having success because with Microsoft Teams, unlike with email, “end-users have an inherent trust of the platform,” the researchers wrote.

Ultimately, the incidents reported by Avanan show that “hackers are beginning to understand and better utilize Teams as a potential attack vector,” the researchers said.

In other words, as they are known to do, cyberattackers are evolving once again.

‘The new BEC’

Referring to the Microsoft Teams attacks cited by Avanan, “this is the new business email compromise / legitimate service abuse,” said Sean Gallagher, a senior threat researcher at Sophos Labs, in a tweet. “It follows the trend we’ve seen with Slack and Discord.”

Business email compromise (BEC) describes a type of phishing attack in which an attacker targets a certain individual in a company, and attempts to persuade the individual to perform a wire transfer of funds to their account.

BEC attacks “are not losing their effectiveness,” Gallagher said in an email to VentureBeat. Indeed, 77% of organizations faced business email compromise attacks last year, up from 65% in 2020, according to Proofpoint data.

But with the arrival of BEC-like attacks on collaboration platforms such as Microsoft Teams, “malicious actors are expanding their attack surface and finding new ways to get a foothold into organizations,” Gallagher said.

“As more businesses move toward the cloud and software-as-a-service [SaaS] models, legitimate hosted services – like Microsoft Teams and Slack – will be an attractive avenue for attackers,” Gallagher said.

Najarian agreed that BEC attacks “are still very effective for criminal hacker groups.”

“But expanding their tactics into Microsoft Teams, Slack, Discord and other chat apps presents another revenue driver for them,” Najarian said in an email.

Combining tactics

Notably, the types of Microsoft Teams attacks reported by SlashNext and Avanan involve a combination of social engineering and credential harvesting.

“If malicious actors secure credentials and can access a Microsoft 365 environment in the cloud, they can act as a trusted team member,” Gallagher said. “As such, victims assume the files and links shared in the legitimate service are trusted, since they do not display the tell-tale signs of a malicious URL once uploaded or shared in the trusted environment.”

Adversaries can “get into all sorts of places in the enterprise that they otherwise wouldn’t be able to access without compromising the network,” he said.

All in all, legitimate service abuse is an emerging vector for malicious actors to target the enterprise, he said — and it will only continue to grow “as the enterprise becomes more detached from traditional infrastructure.”

Source :
https://venturebeat.com/2022/02/23/microsoft-teams-is-the-new-frontier-for-phishing-attacks/

Microsoft rolling out new endpoint security solution for SMBs

Microsoft says its new endpoint security solution for small and medium-sized businesses (SMBs) known as Microsoft Defender for Business has hit general availability.

It has started rolling out to new and existing Microsoft 365 Business Premium customers worldwide starting today, March 1st.

Microsoft Defender for Business helps companies with up to 300 employees defend against cybersecurity threats, including malware, phishing, and ransomware in environments with Windows, macOS, iOS, and Android devices.

It comes with simplified client configuration via a wizard-driven setup, and it enables all recommended security policies out-of-the-box, making it easy to use even by organizations without dedicated security teams.

In November, Microsoft announced this new security solution at Microsoft Ignite 2021 in response to a 300% increase in ransomware attacks in the previous year, with more than 50% of them directly affecting SMBs, according to US Secretary of Homeland Security Alejandro Mayorkas.

Defender for Business began rolling out in preview worldwide in December when Microsoft also announced that it would be available as a standalone license directly from Microsoft and Microsoft Partner Cloud Solution Provider (CSP) channels at $3 per user per month.

Key features bundled with the Microsoft Defender for Business security suite include:

  • Simplified deployment and management for IT administrators who may not have the expertise to address today’s evolving threat landscape.
  • Next-generation antivirus protection and endpoint detection and response to detect and respond to sophisticated attacks with behavioral monitoring.
  • Automated investigation and remediation to help customers react quickly to threats.
  • Threat and vulnerability management proactively alerts users to weaknesses and misconfigurations in software.
  • Microsoft 365 Lighthouse integration with Microsoft Defender for Business for IT service providers to view security events across customers, with additional capabilities coming.

You can get Defender for Business as part of Microsoft 365 Business Premium, and it will not require onboarding or offboarding devices from Microsoft Defender for Endpoint P1 or P2.

“Defender for Business will be rolled out to existing Microsoft 365 Business Premium customers in the next few weeks. There is no action or additional transactions required and it will show up in the Microsoft 365 Defender portal under the section, Endpoints,” Microsoft said.

“Defender for Business will also be offered as a standalone solution and will be coming later this year. You can continue to preview the standalone solution by signing up at https://aka.ms/MDB-Preview.”

Source :
https://www.bleepingcomputer.com/news/microsoft/microsoft-rolling-out-new-endpoint-security-solution-for-smbs/

Ubiquiti UniFi Network 7.0 Introduces Revamped Settings to Simplify System Configuration

Comprehensive network customization has always been a touchstone of the UniFi Network application, and a guiding principle for our developers who work tirelessly to refine it. However, providing such an immense degree of user control can sometimes complicate our larger pursuit to simplify IT for every type of user. We want our settings to provide a wealth of options while also being easy to navigate and understand. Otherwise, network optimization is only possible for the most technically adept.


UniFi Network 7.0 resolves this tension by delivering a more intuitively organized dashboard and an enhanced search engine that makes it simpler than ever to locate the exact settings you need to support your unique deployment. We’ve also expanded automation options for many settings to deliver a more plug-and-play experience for new UniFi users setting up their systems for the first time.


Making network configuration more accessible is our top priority with the 7.0 release, but long-time users can rest assured that our advanced settings remain as robust as ever. In fact, we’ve made many key innovations, including network-specific multicast DNS settings, expanded data retention options, and more sophisticated configuration copying that even accounts for the specific outlet a device is plugged into. You’ll also be able to surf through these options with unprecedented speed as we’ve drastically lowered latency within the Settings menu.


In short, UniFi Network 7.0 is about making your network settings as unique as your deployment, in terms of functionality, navigability, and even aesthetic with the introduction of Light Mode and other dashboard enhancements. There’s so much more we could cover, but no rundown could compare to seeing these improvements yourself.


However, if you’d like to start by reviewing the release’s bug fixes, known issues, OS-specific installation details, or download links, you can find them all on the Ubiquiti Community forum. Once you’ve updated to 7.0 and had some time to explore, we’d love to hear about your experience on the forum as well!

This release marks a huge advancement of UniFi by making network management deeper and more accessible—but our work continues. To follow us on our journey, make sure to check this feed periodically for new content related to product announcements, innovations, tutorials, and more.

Source :
https://blog.ui.com/2022/03/01/unifi-network-version-7-0-introduces-revamped-settings-to-simplify-system-configuration/

Cisco Umbrella Enhances Support of DNS Encryption With DNS Over HTTPS

In December 2011, Cisco Umbrella – then going by the name OpenDNS – became the first public DNS resolver to announce support for DNS encryption. Now, a decade later, we’re proud to announce that we’ve added support for DNS over HTTPS (DoH) directly to our core Umbrella resolvers. In addition, we’ve also added support for Discovery of Designated Resolvers (DDR). These moves allow us to provide our customers with the low-latency and high availability DNS service they expect while also enhancing their security and privacy.

In this blog, we unpack what this latest DNS over HTTPS update means for Cisco Umbrella customers and discuss how they can configure DoH in their network. For more information on the DNS security offered by Cisco Umbrella, register for our on-demand demo of Cisco Umbrella today!

Our History With DNS Encryption

More than a decade ago, we became the first public resolver to announce support for DNSCrypt: a made-for-DNS solution to securing one of the most fundamental parts of internet communication. To this day, Cisco Umbrella continues to be at the forefront of DNS encryption, using DNSCrypt in the default configurations of our endpoint clients and DNS forwarders.

While we still believe that DNSCrypt has a critical place in our infrastructure, the lack of an Internet Engineering Task Force (IETF) standard for DNSCrypt has prevented widespread adoption. Recently, developments in encrypted DNS have focused on two different encryption protocols: DNS over HTTPS (DoH) and DNS over TLS (DoT).

Using DNS over HTTPS (DoH) With Cisco Umbrella

Unlike DNSCrypt, DoH is an IETF standard for performing DNS queries over a secure, encrypted channel. While it serves a similar purpose to our long-time friend DNSCrypt, its status as an IETF standard makes DNS over HTTPS more common amongst major browsers and operating systems.

Cisco Umbrella first announced support for DoH in May 2020. At that time, we wanted to support our users looking to take advantage of browser-based DNS initiatives. To keep our ability to adapt quickly, we launched DNS over HTTPS support using a set of dedicated resolvers (‘doh.umbrella.com’ and ‘doh.opendns.com’) with their own anycast IPs (146.112.41.5 and 146.112.41.2).

Since that release, the popularity of DoH has picked up steam. Apple added support in September 2020, and Microsoft recently announced that upcoming versions of Windows will support this form of DNS encryption. We’ve seen the result of this popularity on the Cisco Umbrella network, which has prompted our team to add support for DNS over HTTPS directly to Umbrella core resolvers.

Enabling DoH on Cisco Umbrella

Because we support DNS over HTTPS with our core resolvers, Cisco Umbrella customers will continue to experience the low-latency and high availability DNS service for which Umbrella is known. In addition, users can now configure DoH for Cisco Umbrella and OpenDNS on our well-known anycast addresses:

Resolver: Umbrella/OpenDNS
  IPv4: 208.67.222.222, 208.67.220.220
  IPv6: 2620:119:35::35, 2620:119:53::53
  DoH: https://dns.opendns.com/dns-query, https://dns.umbrella.com/dns-query

Resolver: FamilyShield
  IPv4: 208.67.222.123, 208.67.220.123
  IPv6: 2620:119:35::123, 2620:119:53::123
  DoH: https://familyshield.opendns.com/dns-query

Resolver: Sandbox
  IPv4: 208.67.222.2, 208.67.220.2
  IPv6: 2620:0:ccc::2, 2620:0:ccd::2
  DoH: https://sandbox.opendns.com/dns-query

Additionally, we’ve moved the dedicated DNS over HTTPS hostnames and IPs onto the same core resolvers. This means they will provide the same service as our well-known IPs. And since we’ll continue to support those hostnames and IPs into the future, our existing users need not make any changes.

Using DNS over TLS (DoT) With Cisco Umbrella

While adding support for DNS over HTTPS directly to our core resolvers enabled our users to take advantage of DNS encryption better, it also provides an additional benefit.  We can now handle TLS connections and support DNS over TLS natively in the core resolvers. We’re thrilled to announce that, as of January 28, 2022, support for DoT is live on all Umbrella resolvers globally.

Like DoH, DoT is an IETF standard for performing DNS queries over a secure, encrypted channel. Unlike DoH, however, DoT uses a dedicated port (TCP/853) for its connections. Clients that support DoT will check if their DNS server supports DoT. If it doesn’t, clients will fall back to regular unencrypted DNS (sometimes called Do53). Thus, configuration for DoT is typically just a matter of enabling it in a supported client.

Discovery of Designated Resolvers (DDR)

With all of these new methods for DNS encryption, clients need an automated means to discover what encryption methods their chosen DNS resolver supports. Tasked with this goal, the Adaptive DNS Discovery (ADD) working group at the IETF has proposed a standard called Discovery of Designated Resolvers (DDR).

The basics of DDR are simple. When a DNS client first finds out its DNS server, it will send a DNS query for a special use domain name, ‘_dns.resolver.arpa’, using a special DNS query type (type 64, or ‘SVCB’). The DNS server will respond with the different types of encryption it supports, and any configuration information the client needs. The client can pick the kind of encryption it prefers, verify that all the information is secure, and then start encrypting DNS.

Cisco Umbrella is very proud to be the first public resolver to announce support for DDR. We developed it in close collaboration with Microsoft to ensure that encrypted resolver selection works smoothly end to end. We look forward to DDR support being added to more clients and operating systems in the future.

Our DNS over HTTPS and DNS over TLS services are now discoverable via DDR, and any supported client can start using it now.
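The DDR exchange described above, as an added example that is not Cisco's code: it builds the `_dns.resolver.arpa` SVCB (type 64) query and parses a response into the encryption options a client would choose from. The response bytes are constructed for illustration (priorities, ALPN IDs, ports and the `dohpath` value are assumptions, not a capture from Umbrella), and all function names are hypothetical.

```python
import struct

DDR_NAME = "_dns.resolver.arpa"      # special-use name queried by DDR clients
TYPE_SVCB, CLASS_IN = 64, 1
KEY_ALPN, KEY_PORT, KEY_DOHPATH = 1, 3, 7   # SvcParamKeys a DDR client reads

def encode_name(name):
    """Encode a domain name as uncompressed DNS labels."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_ddr_query(txid):
    """Query for _dns.resolver.arpa, type SVCB (64), recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(DDR_NAME) + struct.pack("!HH", TYPE_SVCB, CLASS_IN)

def read_name(msg, off):
    """Decode the name at msg[off]; return (name, offset just past it)."""
    labels, after, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            after = off + 2 if after is None else after
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels) or ".", (off if after is None else after)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_svcb_rdata(rdata):
    """Parse SvcPriority, TargetName and the SvcParams a DDR client needs."""
    rec = {"priority": struct.unpack("!H", rdata[:2])[0]}
    rec["target"], off = read_name(rdata, 2)
    while off + 4 <= len(rdata):
        key, length = struct.unpack("!HH", rdata[off:off + 4])
        value = rdata[off + 4:off + 4 + length]
        off += 4 + length
        if key == KEY_ALPN:                       # list of length-prefixed IDs
            rec["alpn"], i = [], 0
            while i < len(value):
                rec["alpn"].append(value[i + 1:i + 1 + value[i]].decode("ascii"))
                i += 1 + value[i]
        elif key == KEY_PORT:
            rec["port"] = struct.unpack("!H", value)[0]
        elif key == KEY_DOHPATH:                  # URI template for DoH
            rec["dohpath"] = value.decode("utf-8")
    return rec

def parse_ddr_response(msg):
    """Return the SVCB answers of a DDR response, best priority first."""
    _txid, _flags, qdcount, ancount = struct.unpack("!HHHH", msg[:8])
    off = 12
    for _ in range(qdcount):                      # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    records = []
    for _ in range(ancount):
        _, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_SVCB:
            records.append(parse_svcb_rdata(msg[off:off + rdlen]))
        off += rdlen
    return sorted(records, key=lambda r: r["priority"])

def pick_designation(records, client_alpns):
    """First record (lowest priority value) offering a protocol the client speaks."""
    for rec in records:
        if set(rec.get("alpn", [])) & set(client_alpns):
            return rec
    return None

def _rr(priority, target, *params):
    """Build one SVCB answer whose owner name points back at the question."""
    rdata = struct.pack("!H", priority) + encode_name(target)
    rdata += b"".join(struct.pack("!HH", k, len(v)) + v for k, v in params)
    return b"\xc0\x0c" + struct.pack("!HHIH", TYPE_SVCB, CLASS_IN, 300, len(rdata)) + rdata

def sample_response(txid):
    """Constructed response: the SVCB contents are illustrative, not captured."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 2, 0, 0)
    question = encode_name(DDR_NAME) + struct.pack("!HH", TYPE_SVCB, CLASS_IN)
    doh = _rr(1, "dns.opendns.com", (KEY_ALPN, b"\x02h2"),
              (KEY_PORT, struct.pack("!H", 443)), (KEY_DOHPATH, b"/dns-query{?dns}"))
    dot = _rr(2, "dns.opendns.com", (KEY_ALPN, b"\x03dot"),
              (KEY_PORT, struct.pack("!H", 853)))
    return header + question + dot + doh          # deliberately out of order

if __name__ == "__main__":
    for rec in parse_ddr_response(sample_response(0x1234)):
        print(rec)
```

The verification step mentioned above is not modelled here: in the DDR specification, a client that found its resolver by IP address checks that the designated resolver's TLS certificate covers that original IP address before it upgrades.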

Enhance Your DNS Security Today

Just as with our decade of support for DNSCrypt, Cisco Umbrella views encryption of DNS queries in transit as a core component of DNS security, along with the use of DNSSEC for securing the query data itself. We’ve been pleased to see the industry and clients begin to add direct support for DNS encryption, and we can’t wait to see standards like DoH, DoT, and DDR take off and become more widely adopted.

If you want to learn more about the DNS security that Cisco Umbrella provides, view our on-demand demo today!

Source :
https://umbrella.cisco.com/blog/enhancing-support-dns-encryption-with-dns-over-https

100 Million Samsung Galaxy Phones Affected with Flawed Hardware Encryption Feature

A group of academics from Tel Aviv University have disclosed details of now-patched “severe” design flaws affecting about 100 million Android-based Samsung smartphones that could have resulted in the extraction of secret cryptographic keys.

The shortcomings are the result of an analysis of the cryptographic design and implementation of Android’s hardware-backed Keystore in Samsung’s Galaxy S8, S9, S10, S20, and S21 flagship devices, researchers Alon Shakevsky, Eyal Ronen, and Avishai Wool said.

Trusted Execution Environments (TEEs) are secure zones that provide an isolated environment for the execution of Trusted Applications (TAs), which carry out security-critical tasks to ensure confidentiality and integrity.

On Android, the hardware-backed Keystore is a system that facilitates the creation and storage of cryptographic keys within the TEE, making them more difficult to extract from the device and preventing the underlying operating system from having direct access.

Instead, the Android Keystore exposes APIs in the form of Keymaster TA (trusted application) to perform cryptographic operations within this environment, including secure key generation, storage, and its usage for digital signing and encryption. On Samsung mobile devices, the Keymaster TA runs in an ARM TrustZone-based TEE.

However, security flaws uncovered in Samsung’s implementation could provide an adversary with root privileges a workable path to recover the hardware-protected private keys from the secure element. The issues identified are listed below:

  • Initialization Vector (IV) reuse in Keymaster TA (CVE-2021-25444) – An IV reuse vulnerability in Keymaster prior to SMR AUG-2021 Release 1 allows decryption of custom keyblob with privileged process. (Impacts Galaxy S9, J3 Top, J7 Top, J7 Duo, TabS4, Tab-A-S-Lite, A6 Plus, and A9S)
  • Downgrade attack in Keymaster TA (CVE-2021-25490) – A keyblob downgrade attack in Keymaster prior to SMR Oct-2021 Release 1 allows [an] attacker to trigger IV reuse vulnerability with privileged process. (Impacts Galaxy S10, S20, and S21)

In a nutshell, successful exploitation of the flaws against the Keymaster TA could achieve unauthorized access to hardware-protected keys and data secured by the TEE. Implications of such an attack could range from an authentication bypass to advanced attacks that can break fundamental security guarantees offered by cryptographic systems.
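Why a repeated IV is fatal for counter-mode encryption such as AES-GCM, as an added example that is not the researchers' or Samsung's code. It uses a SHA-256-based keystream as a stand-in cipher so it runs with the standard library only. The blob layout (12-byte IV followed by ciphertext), the key, and all names are assumptions made for illustration.

```python
import hashlib
from collections import Counter

IV_LEN = 12  # assumed blob layout: IV || ciphertext

def keystream(key, iv, n):
    """Stand-in counter-mode keystream (NOT AES): SHA-256(key || iv || counter)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wrap(key, iv, secret):
    """Encrypt a secret into a blob; the caller chooses the IV."""
    return iv + xor(secret, keystream(key, iv, len(secret)))

def unwrap_with_reused_iv(known_blob, known_plaintext, target_blob):
    """Without the key: if both blobs share an IV they share a keystream, so
    ciphertext XOR known plaintext yields the keystream for the target."""
    if known_blob[:IV_LEN] != target_blob[:IV_LEN]:
        return None
    recovered_stream = xor(known_blob[IV_LEN:], known_plaintext)
    return xor(target_blob[IV_LEN:], recovered_stream)

def reused_ivs(blobs):
    """Defender-side check: IVs that appear on more than one blob of one key."""
    counts = Counter(blob[:IV_LEN] for blob in blobs)
    return {iv for iv, n in counts.items() if n > 1}

# Constructed values, for the demonstration only.
KEY = bytes(range(32))
SECRET = b"constructed 32-byte secret key!!"
KNOWN = b"A" * 32
IV_A, IV_B = b"\x01" * IV_LEN, b"\x02" * IV_LEN

def demo():
    target = wrap(KEY, IV_A, SECRET)
    same_iv = wrap(KEY, IV_A, KNOWN)     # IV reused: confidentiality is lost
    fresh_iv = wrap(KEY, IV_B, KNOWN)    # unique IV: nothing to cancel out
    return (unwrap_with_reused_iv(same_iv, KNOWN, target),
            unwrap_with_reused_iv(fresh_iv, KNOWN, target),
            reused_ivs([target, same_iv, fresh_iv]))

if __name__ == "__main__":
    print(demo())
```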

Following responsible disclosure in May and July 2021, the issues were addressed via security updates shipped in August and October 2021 for the affected devices. The findings are expected to be presented at the USENIX Security Symposium later this August.

“Vendors including Samsung and Qualcomm maintain secrecy around their implementation and design of [TrustZone operating systems] and TAs,” the researchers said. “The design and implementation details should be well audited and reviewed by independent researchers and should not rely on the difficulty of reverse engineering proprietary systems.”

Source :
https://thehackernews.com/2022/02/100-million-samsung-galaxy-phones.html

Deploying WPA2 WiFi profile (including Pre-Shared key) using Group Policy

Problem

Whilst there is a setting in Group Policy Preferences to deploy WiFi settings, this does not include the WiFi Pre-Shared Key (PSK).

The following method will allow you to also push out the Pre-Shared Key:

Solution

From a PC that already has the WiFi profile installed:

Open command prompt (as admin) and run the following command. Make a note of the name of the profile you want to export:

netsh wlan show profiles

Run the following command, replacing the profile name with the one you wish to export, and the path with an existing folder where the XML file will be created:

netsh wlan export profile name="MyWiFiSSID" folder=C:\WLAN key=clear

Note that the key=clear is vital for this to work.

Copy that XML file to a network share that is accessible from the computer accounts. Do bear in mind the WiFi key is visible in plain text within this file, so consideration must be taken as where/how to store it.

The following command is used to install the profile:

netsh wlan add profile filename="\\servername\share\Wi-Fi-MyWiFiSSID.xml" user=all

… however, this will reinstall and reconnect the WiFi each time.

From my experience, the best method is to create a Computer Startup script GPO that will only run once. This one does the trick:

REM Run once: skip the install if the marker file from an earlier run exists
IF EXIST C:\WiFi.txt GOTO END

netsh wlan add profile filename="\\servername\share\Wi-Fi-MyWiFiSSID.xml" user=all >> C:\WiFi.txt

:END
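Because the exported file holds the key in plain text, it helps to know which XML files on a share actually do. The following is an added example (not part of the original post) that parses WLAN profile XML and reports profiles whose `sharedKey` is stored unprotected, without printing the key itself. The sample profiles are constructed, and an export made without key=clear is assumed to carry `<protected>true</protected>` with an encrypted blob instead.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Namespace used by Windows WLAN profile XML files.
NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}
KEY = "w:MSM/w:security/w:sharedKey/"

def sample_profile(protected, key_material):
    """Constructed profile in the layout netsh writes (values are made up)."""
    return f"""<?xml version="1.0"?>
<WLANProfile xmlns="{NS['w']}">
  <name>MyWiFiSSID</name>
  <SSIDConfig><SSID><name>MyWiFiSSID</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2PSK</authentication>
        <encryption>AES</encryption>
        <useOneX>false</useOneX>
      </authEncryption>
      <sharedKey>
        <keyType>passPhrase</keyType>
        <protected>{protected}</protected>
        <keyMaterial>{key_material}</keyMaterial>
      </sharedKey>
    </security>
  </MSM>
</WLANProfile>
"""

def audit_profile(root):
    """Summarise one parsed profile; the key material is never returned."""
    def text(path):
        node = root.find(path, NS)
        return node.text.strip() if node is not None and node.text else None

    protected = (text(KEY + "w:protected") or "").lower()
    key = text(KEY + "w:keyMaterial")
    return {
        "profile": text("w:name"),
        "authentication": text("w:MSM/w:security/w:authEncryption/w:authentication"),
        "key_type": text(KEY + "w:keyType"),
        "cleartext_key": key is not None and protected == "false",
    }

def audit_folder(folder):
    """List (file, profile, authentication) for every cleartext-key profile."""
    findings = []
    for path in sorted(Path(folder).glob("*.xml")):
        try:
            result = audit_profile(ET.parse(str(path)).getroot())
        except ET.ParseError:
            continue                      # not well-formed XML, skip it
        if result["cleartext_key"]:
            findings.append((path.name, result["profile"], result["authentication"]))
    return findings

def demo():
    """Audit a temporary folder standing in for the network share."""
    with tempfile.TemporaryDirectory() as share:
        Path(share, "Wi-Fi-MyWiFiSSID.xml").write_text(
            sample_profile("false", "constructed-passphrase"))
        Path(share, "Wi-Fi-Protected.xml").write_text(
            sample_profile("true", "CONSTRUCTED-ENCRYPTED-BLOB"))
        Path(share, "notes.xml").write_text("<notes>unrelated file</notes>")
        return audit_folder(share)

if __name__ == "__main__":
    for finding in demo():
        print("cleartext PSK in", finding)
```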

Source :
https://goddamnpc.com/deploying-wpa2-wifi-profile-including-pre-shared-key-using-group-policy/

Hackers Backdoor Unpatched Microsoft SQL Database Servers with Cobalt Strike

Vulnerable internet-facing Microsoft SQL (MS SQL) Servers are being targeted by threat actors as part of a new campaign to deploy the Cobalt Strike adversary simulation tool on compromised hosts.

“Attacks that target MS SQL servers include attacks to the environment where its vulnerability has not been patched, brute forcing, and dictionary attack against poorly managed servers,” South Korean cybersecurity company AhnLab Security Emergency Response Center (ASEC) said in a report published Monday.

Cobalt Strike is a commercial, full-featured penetration testing framework that allows an attacker to deploy an agent named “Beacon” on the victim machine, granting the operator remote access to the system. Although billed as a red team threat simulation platform, cracked versions of the software have been actively used by a wide range of threat actors.

Intrusions observed by ASEC involve the unidentified actor scanning port 1433 to check for exposed MS SQL servers to perform brute force or dictionary attacks against the system administrator account, i.e., “sa” account, to attempt a log in.

Servers that are not exposed to the internet are not safe either: the threat actor behind the LemonDuck malware scans the same port to move laterally across the network.

“Managing admin account credentials so that they’re vulnerable to brute forcing and dictionary attacks as above or failing to change the credentials periodically may make the MS-SQL server the main target of attackers,” the researchers said.

Upon successfully gaining a foothold, the next phase of the attack works by spawning a Windows command shell via the MS SQL “sqlservr.exe” process to download the next-stage payload that houses the encoded Cobalt Strike binary onto the system.

The attacks ultimately culminate with the malware decoding the Cobalt Strike executable, followed by injecting it into the legitimate Microsoft Build Engine (MSBuild) process, which has been previously abused by malicious actors to filelessly deliver remote access trojans and password-stealing malware on targeted Windows systems.

Furthermore, the Cobalt Strike that’s executed in MSBuild.exe comes with additional configurations to evade detection of security software. It achieves this by loading “wwanmm.dll,” a Windows library for WWan Media Manager, then writing and running the Beacon in the memory area of the DLL.

“As the beacon that receives the attacker’s command and performs the malicious behavior does not exist in a suspicious memory area and instead operates in the normal module wwanmm.dll, it can bypass memory-based detection,” the researchers noted.
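The three behaviours reported above map to simple host-telemetry checks. This added example is not from ASEC or the article: it runs them over constructed events covering repeated failed "sa" logins from one source, sqlservr.exe spawning a command shell, and MSBuild.exe loading wwanmm.dll. The event field names, the threshold of five failures and the inclusion of powershell.exe are assumptions.

```python
import ntpath
from collections import Counter

SHELLS = {"cmd.exe", "powershell.exe"}   # powershell.exe is an added assumption
SA_FAILURES = 5                          # assumed alert threshold per source

def _fail(src, user="sa"):
    return {"type": "login_failed", "host": "sql01", "user": user, "src": src}

# Constructed events in a simplified, hypothetical schema.
EVENTS = (
    [_fail("203.0.113.7") for _ in range(5)]
    + [_fail("198.51.100.20"), _fail("198.51.100.20", user="report_ro")]
    + [
        {"type": "process_create", "host": "sql01",
         "parent_image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
         "image": r"C:\Windows\System32\cmd.exe",
         "command_line": "cmd.exe /c <elided>"},
        {"type": "process_create", "host": "ws14",
         "parent_image": r"C:\Windows\explorer.exe",
         "image": r"C:\Windows\System32\cmd.exe",
         "command_line": "cmd.exe"},
        {"type": "image_load", "host": "sql01",
         "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
         "loaded": r"C:\Windows\System32\wwanmm.dll"},
        {"type": "image_load", "host": "build02",
         "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
         "loaded": r"C:\Windows\System32\kernel32.dll"},
    ]
)

def base(path):
    """Lower-cased file name of a Windows path, on any OS."""
    return ntpath.basename(path or "").lower()

def detect(events, threshold=SA_FAILURES):
    """Return (rule, host, detail) tuples in the order the events trigger them."""
    alerts, failures = [], Counter()
    for ev in events:
        kind = ev["type"]
        if kind == "login_failed" and ev["user"].lower() == "sa":
            failures[ev["src"]] += 1
            if failures[ev["src"]] == threshold:      # alert once per source
                alerts.append(("sa-bruteforce", ev["host"], ev["src"]))
        elif kind == "process_create":
            # The database engine has no routine reason to start a shell.
            if base(ev["parent_image"]) == "sqlservr.exe" and base(ev["image"]) in SHELLS:
                alerts.append(("sqlservr-spawned-shell", ev["host"], ev["command_line"]))
        elif kind == "image_load":
            # The WWAN media manager library inside a build tool is treated as suspicious.
            if base(ev["image"]) == "msbuild.exe" and base(ev["loaded"]) == "wwanmm.dll":
                alerts.append(("msbuild-loaded-wwanmm", ev["host"], ev["loaded"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```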

Source :
https://thehackernews.com/2022/02/hackers-backdoor-unpatched-microsoft.html

New Wiper Malware Targeting Ukraine Amid Russia’s Military Operation

Cybersecurity firms ESET and Broadcom’s Symantec said they discovered a new data wiper malware used in fresh attacks against hundreds of machines in Ukraine, as Russian forces formally launched a full-scale military operation against the country.

The Slovak company dubbed the wiper “HermeticWiper” (aka KillDisk.NCV), with one of the malware samples compiled on December 28, 2021, implying that preparations for the attacks may have been underway for nearly two months.

“The wiper binary is signed using a code signing certificate issued to Hermetica Digital Ltd,” ESET said in a series of tweets. “The wiper abuses legitimate drivers from the EaseUS Partition Master software in order to corrupt data. As a final step the wiper reboots [the] computer.”

Specifically, HermeticWiper is delivered via the benign but signed EaseUS partition management driver that then proceeds to impair the first 512 bytes, the Master Boot Record (MBR) for every physical drive, before initiating a system shutdown and effectively rendering the machine inoperable.
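A triage check for the damage described above, as an added example (not code from ESET, SentinelOne or the article): given the first 512 bytes of a drive taken from a forensic image, it validates the classic MBR layout, that is, the 0x55AA boot signature at offset 510 and the four 16-byte partition entries at offset 446. Both sample sectors are constructed.

```python
import struct

SECTOR = 512  # the MBR is the first 512 bytes of the drive


def check_mbr(sector):
    """Return findings for one MBR sector; an empty list means it parses cleanly."""
    if len(sector) != SECTOR:
        return ["sector is not 512 bytes"]
    if sector == bytes(SECTOR):
        return ["sector is all zeros"]
    findings, used = [], []
    if sector[510:512] != b"\x55\xaa":
        findings.append("boot signature 0x55AA missing")
    for i in range(4):  # four 16-byte partition entries start at offset 446
        entry = sector[446 + 16 * i:462 + 16 * i]
        if entry == bytes(16):
            continue  # unused slot
        status, ptype = entry[0], entry[4]
        lba, count = struct.unpack_from("<II", entry, 8)
        if status not in (0x00, 0x80):
            findings.append(f"entry {i}: invalid status byte 0x{status:02x}")
        if ptype == 0 or lba == 0 or count == 0:
            findings.append(f"entry {i}: zero type, start or length")
        else:
            used.append((lba, lba + count, i))
    used.sort()
    for (_, end, a), (start, _, b) in zip(used, used[1:]):
        if start < end:
            findings.append(f"entries {a} and {b} overlap")
    return findings


def sample_mbr():
    """Constructed healthy sector: one active NTFS-type partition at LBA 2048."""
    mbr = bytearray(SECTOR)
    mbr[446:462] = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                               b"\xfe\xff\xff", 2048, 204800)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def sample_overwritten():
    """Constructed stand-in for an overwritten sector (deterministic junk)."""
    return bytes((i * 73 + 41) % 256 for i in range(SECTOR))


if __name__ == "__main__":
    for name, data in (("healthy", sample_mbr()), ("overwritten", sample_overwritten())):
        print(name, check_mbr(data) or "ok")
```

On GPT disks the same sector holds a protective MBR, which also carries the 0x55AA signature, so the signature check still applies there.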

“After a week of defacements and increasing DDoS attacks, the proliferation of sabotage operations through wiper malware is an expected and regrettable escalation,” SentinelOne’s principal threat researcher Juan Andres Guerrero-Saade said in a report analyzing the new malware.

At least one of the intrusions involved deploying the malware directly from the Windows domain controller, indicating that the attackers had taken control of the target network.

The scale and the impact of the data-wiping attacks remain unknown as yet, as is the identity of the threat actor behind the infections. But the development marks the second time this year that a destructive malware has been deployed on Ukrainian computer systems after the WhisperGate operation in mid-January.

The wiper attacks also follow a third “massive” wave of distributed denial-of-service (DDoS) attacks that hit several Ukrainian government and banking institutions on Wednesday, knocking out online portals for the Ministry of Foreign Affairs, Cabinet of Ministers, and Rada, the country’s parliament.

Last week, two of the largest Ukrainian banks, PrivatBank and Oschadbank, as well as the websites of the Ukrainian Ministry of Defense and the Armed Forces suffered outages as a result of a DDoS attack from unknown actors, prompting the U.K. and U.S. governments to point the fingers at the Russian Main Intelligence Directorate (GRU), an allegation the Kremlin has denied.

Campaigns that use DDoS attacks deliver torrents of junk traffic that are intended to overwhelm targets with the goal of rendering them inaccessible. A subsequent analysis of the February 15 incidents by the CERT-UA found that they were carried out using botnets such as Mirai and Mēris by leveraging compromised MikroTik routers and other IoT devices.

What’s more, information systems belonging to Ukraine’s state institutions are said to have been unsuccessfully targeted in as many as 121 cyber attacks in January 2022 alone.

That’s not all. Cybercriminals on the dark web are looking to capitalize on the ongoing political tensions by advertising databases and network accesses containing information on Ukrainian citizens and critical infrastructure entities on RaidForums and Free Civilian marketplaces in “hopes of gaining high profits,” according to a report published by Accenture earlier this week.

The continuous onslaught of disruptive malicious cyber acts since the start of the year has also led the Ukrainian law enforcement authority to paint the attacks as an effort to spread anxiety, undermine confidence in the state’s ability to defend its citizens, and destabilize its unity.

“Ukraine is facing attempts to systematically sow panic, spread fake information and distort the real state of affairs,” the Security Service of Ukraine (SSU) said on February 14. “All this combined is nothing more than another massive wave of hybrid warfare.”

Source :
https://thehackernews.com/2022/02/new-wiper-malware-targeting-ukraine.html

Back up your Documents, Pictures, and Desktop folders with Microsoft OneDrive

You can back up your important folders (your Desktop, Documents, and Pictures folders) on your Windows PC with OneDrive PC folder backup, so they’re protected and available on other devices. If you haven’t already set up OneDrive on your computer, see Sync files with OneDrive in Windows. There’s no extra cost for PC folder backup (up to 5 GB of files without a subscription). See OneDrive plans.

Note: If you’re surprised that your files are saving to OneDrive, see Files save to OneDrive by default in Windows 10.

Set up PC folder backup

  1. If you’re prompted to back up your important folders (Desktop, Documents, and Pictures), select the prompt to start the folder backup wizard. If you didn’t see the prompt or you already closed the wizard, select the white or blue cloud icon in the Windows notification area, and then select Help & Settings > Settings, then Backup > Manage backup.
  2. In the Back up your folders dialog, make sure the folders that you want to back up are selected.
  3. Select Start backup.
  4. You can close the dialog box while your files sync to OneDrive. Or, to watch your files sync, select View upload progress. If you already closed the dialog, to open the OneDrive activity center, select the white or blue cloud in the notification area.

Access your backed up folders on any device

When your files finish syncing to OneDrive, they’re backed up and you can access them from anywhere in Documents, Desktop, or Pictures. When you back up your Desktop folder, the items on your desktop roam with you to your other PC desktops where you’re running OneDrive.

You can back up a maximum of 5 GB of files in OneDrive for free, or up to 1 TB with a Microsoft 365 subscription.

If you’re signed in to the OneDrive sync app on your computer, you can use File Explorer to access your OneDrive. You can also use the OneDrive mobile app to access your folders on any device.

Manage or stop PC folder backup

To stop or start backing up your folders in OneDrive, update your folder selections in OneDrive Settings. 

  1. Open OneDrive settings (select the white or blue cloud icon in your notification area, and then select Help & Settings > Settings).
  2. In Settings, select Backup > Manage backup.
  3. To start backing up a folder, select any folder that doesn’t say Files backed up, and then select Start backup.
  4. To stop backing up a folder, select Stop backup, and confirm your request. See important notes below.
  • When you stop backing up a folder, the files that were already backed up by OneDrive stay in the OneDrive folder, and will no longer appear in your device folder. 
  • In the folder that you stopped backing up, you’ll see an icon titled Where are my files that’s a shortcut to your folders in OneDrive. To access your files, select the icon to open the folder in OneDrive. 
  • If you want those files back in your device folder and not in OneDrive, move them manually from the OneDrive folder back to your device folder. Note that any new files you add to that folder on your device won’t be backed up by OneDrive after you stop the backup.
  • To move the files, select Where are my files to open the folder in OneDrive, then select the files that you want to move to your device folder, and drag them to that location.

Fix problems with PC folder backup

Here is a list of errors you might see when you set up PC folder backup and how to resolve them:

  • The following file type can’t be protected: Outlook database files (.pst).
  • Folder protection is unavailable: A common reason for this error is that important folders on PCs that are connected to a domain can’t be protected in a personal OneDrive account (when you’re signed in with a Microsoft account). For info about data protection solutions, contact your IT administrator. You shouldn’t have this issue with a work or school account.
  • File exceeds the maximum path length: Make sure the entire file path, including the file name, contains fewer than 260 characters. An example of a file path is:
    C:\Users\<UserName>\Pictures\Saved\2017\December\Holiday\NewYears\Family…
    To resolve this, shorten the name of your file or the name of subfolders in OneDrive, or select a sub-folder that’s closer to the top-level folder.
  • File exceeds the maximum file size: OneDrive can’t sync files over 250GB. Remove these files from the folder you want to protect and then try again.
  • The file name isn’t allowed in OneDrive: File names can’t start with a space or include any of these characters: \ : / * ? < > " |. Please move or rename the file to continue.
  • The folder isn’t selected for syncing: The folder with the error is not syncing to your PC. To resolve this error, open OneDrive Settings (right-click the white or blue cloud icon in your notification area, and select Settings), select Choose Folders, and then make sure the folder you want to protect is selected. If Pictures is showing this error, make sure that Pictures, Screenshots, and Camera Roll are all selected (or don’t exist). It’s also possible that the OneDrive folder has a different name from the Windows important folder.
  • Important folders aren’t in the default locations: The folder with the error contains another important folder and can’t be protected until the contained folder is moved. Important folders that may be contained within the folder include: Documents, Desktop, Pictures, Screenshots, Camera Roll, or the OneDrive folder.
  • An unknown error occurred, with error code 0x80070005: If you receive error code 0x80070005, the “Prohibit User from manually redirecting Profile Folders” group policy is enabled. You may find that the files from the folders you selected were moved to identically named folders in your OneDrive folder, and the original locations are empty. Move the folder contents back to the original locations and ask your administrator whether the policy can be changed.
  • Folder contains a reparse point (junction point or symlink): The folder you want to protect contains a special file type that links parts of the file system together. These items can’t be protected. To protect the folder, remove the file causing the issue. 
  • Post PC folder backup: OneDrive tries to automatically re-open notebooks that were previously open. In rare cases, some notebooks may not be automatically loaded in the OneNote desktop app after PC folder backup. The workaround for this issue is to reopen the notebooks in the OneNote app using File > Open.
    Caution: Some applications may depend on these links to function properly. Remove only the links that you know are safe to modify.

    Source :
    https://support.microsoft.com/en-us/office/back-up-your-documents-pictures-and-desktop-folders-with-onedrive-d61a7930-a6fb-4b95-b28a-6552e77c3057