7 Cyber Security Tips for SMBs

When the headlines focus on breaches of large enterprises like the Optus breach, it’s easy for smaller businesses to think they’re not a target for hackers. Surely, they’re not worth the time or effort?

Unfortunately, when it comes to cyber security, size doesn’t matter.

Assuming you’re not a target leads to lax security practices in many SMBs who lack the knowledge or expertise to put simple security steps in place. Few small businesses prioritise cybersecurity, and hackers know it. According to Verizon, the number of smaller businesses being hit has climbed steadily in the last few years – 46% of cyber breaches in 2021 impacted businesses with fewer than 1,000 employees.

Cyber security doesn’t need to be difficult#

Securing any business doesn’t need to be complex or come with a hefty price tag. Here are seven simple tips to help the smaller business secure their systems, people and data.

1 — Install anti-virus software everywhere#

Every organisation has anti-virus on their systems and devices, right? Unfortunately, business systems such as web servers get overlooked all too often. It’s important for SMBs to consider all entry points into their network and have anti-virus deployed on every server, as well as on employees’ personal devices.

Hackers will find weak entry points to install malware, and anti-virus software can serve as a good last-resort backstop, but it’s not a silver bullet. Through continuous monitoring and penetration testing you can identify weaknesses and vulnerabilities before hackers do, because it’s easier to stop a burglar at the front door than once they’re in your home.

2 — Continuously monitor your perimeter#

Your perimeter is exposed to remote attacks because it’s available 24/7. Hackers constantly scan the internet looking for weaknesses, so you should scan your own perimeter too. The longer a vulnerability goes unfixed, the more likely an attack is to occur. With tools like Autosploit and Shodan readily available, it’s easier than ever for attackers to discover internet facing weaknesses and exploit them.

Even organisations that cannot afford a full-time, in-house security specialist can use online services like Intruder to run vulnerability scans to uncover weaknesses.

Intruder is a powerful vulnerability scanner that provides a continuous security review of your systems. With over 11,000 security checks, Intruder makes enterprise-grade scanning easy and accessible to SMBs.

Intruder will promptly identify high-impact flaws, changes in the attack surface, and rapidly scan your infrastructure for emerging threats.

3 — Minimise your attack surface#

Your attack surface is made up of all the systems and services exposed to the internet. The larger the attack surface, the bigger the risk. This means exposed services like Microsoft Exchange for email, or content management systems like WordPress can be vulnerable to brute-forcing or credential-stuffing, and new vulnerabilities are discovered almost daily in such software systems. By removing public access to sensitive systems and interfaces which don’t need to be accessible to the public, and ensuring 2FA is enabled where they do, you can limit your exposure and greatly reduce risk.

A simple first step in reducing your attack surface is by using a secure virtual private network (VPN). By using a VPN, you can avoid exposing sensitive systems directly to the internet whilst maintaining their availability to employees working remotely. When it comes to risk, prevention is better than cure – don’t expose anything to the internet unless it’s absolutely necessary!

4 — Keep software up to date#

New vulnerabilities are discovered daily in all kinds of software, from web browsers to business applications. Just one unpatched weakness could lead to full compromise of a system and a breach of customer data; as TalkTalk discovered when 150,000 of its private data records were stolen.

According to a Cyber Security Breaches Survey, businesses that hold electronic personal data of their customers are more likely than average to have had breaches. Patch management is an essential component of good cyber hygiene, and there are tools and services to help you check your software for any missing security patches.

5 — Back up your data #

Ransomware is on the increase. In 2021, 37% of businesses and organisations were hit by ransomware according to research by Sophos. Ransomware encrypts any data it can access, rendering it unusable, and can’t be reversed without a key to decrypt the data.

Data loss is a key risk to any business either through malicious intent or a technical mishap such as hard disk failure, so backing up data is always recommended. If you back up your data, you can counter attackers by recovering your data without needing to pay the ransom, as systems affected by ransomware can be wiped and restored from an unaffected backup without the attacker’s key.

6 — Keep your staff security aware#

Cyber attackers often rely on human error, so it’s vital that staff are trained in cyber hygiene so they recognise risks and respond appropriately. The Cyber Security Breaches Survey 2022 revealed that the most common types of breaches were staff receiving fraudulent emails or phishing attacks (73%), followed by people impersonating the organisation in emails or online (27%), viruses, spyware and malware (12%), and ransomware (4%).

Increasing awareness of the benefits of using complex passwords and training staff to spot common attacks such as phishing emails and malicious links, will ensure your people are a strength rather than a vulnerability.

— Protect yourself relative to your risk#

Cyber security measures should always be appropriate to the organisation. For example, a small business which handles banking transactions or has access to sensitive information such as healthcare data should employ far more stringent security processes and practices than a pet shop.

That’s not to say a pet shop doesn’t have a duty to protect customer data, but it’s less likely to be a target. Hackers are motivated by money, so the bigger the prize the more time and effort will be invested to achieve their gains. By identifying your threats and vulnerabilities with a tool like Intruder, you can take appropriate steps to mitigate and prioritize which risks need to be addressed and in which order.

It’s time to raise your cyber security game#

Attacks on large companies dominate the news, which feeds the perception that SMBs are safe, when the opposite is true. Attacks are increasingly automated, so SMBs are just as vulnerable targets as larger enterprises, more so if they don’t have adequate security processes in place. And hackers will always follow the path of least resistance. Fortunately, that’s the part Intruder made easy…

About Intruder#

Intruder is a cyber security company that helps organisations reduce their attack surface by providing continuous vulnerability scanning and penetration testing services. Intruder’s powerful scanner is designed to promptly identify high-impact flaws, changes in the attack surface, and rapidly scan the infrastructure for emerging threats. Running thousands of checks, which include identifying misconfigurations, missing patches, and web layer issues, Intruder makes enterprise-grade vulnerability scanning easy and accessible to everyone. Intruder’s high-quality reports are perfect to pass on to prospective customers or comply with security regulations, such as ISO 27001 and SOC 2.

Intruder offers a 14-day free trial of its vulnerability assessment platform. Visit their website today to take it for a spin!

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.

Source :
https://thehackernews.com/2022/11/7-cyber-security-tips-for-smbs.html

How to disable TLS 1.0 and TLS 1.1 on Windows servers

Transport Layer Security (TLS)  – TLS protocol is used to provide privacy and data integrity between two communicating applications. SSL and TLS are both cryptographic protocols but because SSL protocols does not providers sufficient level of security compared to TLS, SSL 2.0 and SSL 3.0 have been deprecated. TLS 1.0 was released in 1999, TLS 1.1 was released in 2006, TLS 1.2 was released in 2008 and TLS 1.3 was released in 2018.

Most of the companies and Internet Browsers are now moving to TLS 1.2 which is having better security algorithms than TLS 1.0 and TLS 1.1. TLS is more secure than SSL. Mozilla Firefox, Google Chrome, Apple and Microsoft are all ending support for TLS 1.0/1.1 in 2020, so its better to plan ahead of time and test all the applications and create Policies to disable TLS 1.0 and TLS 1.1 on Windows devices.

If you are interested in learning more about these protocols, differences between these protocols and security improvements – you can check Protocols RFC’s (Request for Comments) at these links TLS1.0 RFCTLS 1.1 RFCTLS 1.2 RFC and TLS 1.3 RFC. 

Similar other Blog posts:

Create a GPO in Active Directory to disable TLS 1.0 and TLS 1.1

We will be creating a Group policy object in Active directory to disable TLS 1.0 and TLS 1.1. You will need to create given registry keys and registry entries to control TLS protocols. Please find below steps to disable TLS 1.0 and TLS 1.1 on windows servers.

How to create a GPO in Active Directory to disable TLS 1.0 and TLS 1.1

  1. Login on a domain controller as a domain administrator.
  2. Open Group policy management console (Go to Start -> Run and type gpmc.msc and press Enter)
  3. Expand Group Policy Objects Folder. Right-click on it and Select New.
  1. Provide a Name of the GPO. For Example: Disable TLS 1.0 and TLS 1.1 Windows servers
  2. Right click on the Group policy “Disable TLS 1.0 and TLS 1.1 Windows Servers” and click on Edit.
  3. Go to Computer Configuration -> Preferences -> Windows settings -> Registry.
  4. Right click on Registry -> click on New -> click on Registry Item.
  1. In the next step, we will create registry keys and registry entries to Disable TLS 1.0 and TLS 1.1. Its recommended to disable SSL 2.0 and SSL 3.0 as well. Most of the newer Windows operating systems have TLS 1.2 enabled by default. However, If you want to control TLS 1.2 and TLS 1.3 then you can use the given registry keys for TLS 1.2 and TLS 1.3.

Registry Keys to disable TLS 1.0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server] "DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client] "DisabledByDefault"=dword:00000001

Copy

Registry Keys to disable TLS 1.1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server] "Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server] "DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client] "Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client] "DisabledByDefault"=dword:00000000

Copy

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server] "DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client] "DisabledByDefault"=dword:00000001

Copy

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server] "DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client] "DisabledByDefault"=dword:00000001

Copy

Registry Keys to Enable TLS 1.2 [Recommended]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server] "Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server] "DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client] "Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client] "DisabledByDefault"=dword:00000000

Copy

Registry Keys to Enable TLS 1.3 [Optional]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server] "Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server] "DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client] "Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client] "DisabledByDefault"=dword:00000000

Copy

After you click on Registry Item, A window will show where you can enter Information about the registry Item which you want to create. You need to provide below information about the registry Item:

  • Action: Select Update from the drop-down. Selecting Update will create the registry keys and registry entries if its not found on end users devices.
  • Hive: Select HKEY_LOCAL_MACHINE
  • Key Path: You can either browse to the registry path or provide a registry key to create / update.
  • Value Name: We will be creating two registry entries for each protocol. DisabledbyDefault and Enabled.
  • Value type: Select REG_DWORD.
  • Value type: Select 1 to Enable an 0 to disable.

Go through the process of creating an entry for each registry Item. Below screenshot shows that we have Disabled TLS 1.0, TLS 1.1 protocols and Enabled TLS 1.2 and TLS 1.3.

  1. Once you create all the registry Items in the Group policy management console for Disable TLS 1.0 and TLS 1.1 Windows Servers GPO. You can link the GPO to the Organization Unit (OU) containing windows servers.
  2. Please note that as this group policy object contains settings in Computer configuration which will target the Devices. A restart of the computer will be required so that registry entries can be created.

Disable TLS 1.0 and TLS 1.1 using IIS Crypto Tool

If your windows servers are not domain joined or you do not want to create group policy object in Active directory to disable deprecated SSL and TLS protocols. You can download and Install IIS Crypto tool on Windows server and manually select the checkboxes to Disable / Enable SSL / TLS protocols.

Please follow below steps to disable TLS 1.0 and TLS 1.1 using IIS Crypto Tool:

  1. Login on Windows Server using administrator credentials.
  2. Download IIS Crypto GUI tool.
  3. Launch IIS Crypto tool as an administrator.
  4. Uncheck SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 from Server Protocols.
  5. Uncheck SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 from Client Protocols.
  6. Reboot the server.
  7. Repeat Steps 1 to 6 on each server where you want to disable deprecated SSL and TLS protocols.
Disable deprecated SSL and TLS protocols using IIS Crypto Tool

Conclusion

In this blog post, we have seen how to disable TLS 1.0 and TLS 1.1 on windows servers. Its highly recommended to disable SSL 2.0 and SSL 3.0 as well. Newer Windows server operting systems have TLS 1.2 and TLS 1.3 enabled but you can still control these protocols using the given registry keys.

If you have only couple of servers and you do not want to create the Active directory group policy or your windows servers are standalone servers and not domain joined. You can use IIS Crypto tool to disable deprecated SSL and TLS protocols.

Source :
https://techpress.net/how-to-disable-tls-1-0-and-tls-1-1-on-windows-servers/

How to disable TLS 1.0 and TLS 1.1 using Powershell on Windows 11

Transport Layer Security (TLS)  – TLS protocol is used to provide privacy and data integrity between two communicating applications. SSL and TLS are both cryptographic protocols but because SSL protocols does not providers sufficient level of security compared to TLS, SSL 2.0 and SSL 3.0 have been deprecated. TLS 1.0 was released in 1999, TLS 1.1 was released in 2006, TLS 1.2 was released in 2008 and TLS 1.3 was released in 2018.

Most of the companies and Internet Browsers are now moving to TLS 1.2 which is having better security algorithms than TLS 1.0 and TLS 1.1. TLS is more secure than SSL. Mozilla Firefox, Google Chrome, Apple and Microsoft are all ending support for TLS 1.0/1.1 in 2020, so its better to plan ahead of time and test all the applications and create Policies to disable TLS 1.0 and TLS 1.1 on Windows machines.

If you are interested in learning more about these protocols, differences between these protocols and security improvements – you can check Protocols RFC’s (Request for Comments) at these links TLS1.0 RFCTLS 1.1 RFCTLS 1.2 RFC and TLS 1.3 RFC. 

Similar other Blog posts:

Disable SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 using Powershell

We can easily disable TLS 1.0 and TLS 1.1 using Powershell. However its recommended to also disable SSL 2.0, SSL 3.0 as well. We will be using below powershell code to create registry keys and registry entries. Once the registry keys are created, a reboot of that device will be required to complete the change.

Please note below Powershell Code needs to be run as an administrator as it needs to perform changes in Windows registry.

To run Powershell code on Windows 11 computer. Please use below steps:

  • Login on a Windows 11 PC as administrator.
  • Open Powershell Console as an administrator.
  • Run below piece of powershell code to enable / disable SSL / TLS Protocols.

Powershell code to disable SSL 2.0

 New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -Force
 New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Force    
 Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -Name 'Enabled'           -Value '0' -Type 'DWORD'
 Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -Name 'DisabledByDefault' -value '1' -Type 'DWORD'
 Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -name 'Enabled'           -value '0' –Type 'DWORD'
 Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -name 'DisabledByDefault' -value '1' –Type 'DWORD'

Copy

Powershell code to disable SSL 3.0

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Force  
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -name 'Enabled'           -value '0' –Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -name 'DisabledByDefault' -value '1' –Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -name 'Enabled'           -value '0' –Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -name 'DisabledByDefault' -value '1' –Type 'DWORD'  

Copy

Powershell code to disable TLS 1.0

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Force                                                                                                                                                            
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'Enabled'           -value '0' –Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'DisabledByDefault' -value '1' –Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'Enabled'           -value '0' –Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'DisabledByDefault' -value '1' –Type 'DWORD'

Copy

Powershell code to disable TLS 1.1

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force                                                                                                                                                                                 
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'Enabled'           -value '0' –Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'DisabledByDefault' -value '1' –Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'Enabled'           -value '0' –Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'DisabledByDefault' -value '1' –Type 'DWORD'

Copy

Powershell code to Enable TLS 1.2

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force  
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force                                       
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'Enabled'           -value '1' –Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'DisabledByDefault' -value '0' –Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'Enabled'           -value '1' –Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'DisabledByDefault' -value '0' –Type 'DWORD'    

Copy

Powershell code to Enable TLS 1.3

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server' -Force
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client' -name 'Enabled'           -value '1' –Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client' -name 'DisabledByDefault' -value '0' –Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server'-name 'Enabled'            -value '1' –Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server' -name 'DisabledByDefault' -value '0' –Type 'DWORD'

Copy

How to verify if TLS 1.0 and TLS 1.1 has been disabled on Windows 11

Please follow below steps to verify if SSL / TLS protocols are disabled or enabled.

  1. Login on Windows 11 PC as an administrator.
  2. Click on Windows Icon / Start Menu -> Search for Registry Editor.
  3. Launch Registry Editor.
  4. Browse to HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols

You should find below registry keys / registry entries:

Disable TLS 1.0 and TLS 1.1 registry key
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols

Registry Keys to check if SSL 2.0 is disabled

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server] "DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client] "DisabledByDefault"=dword:00000001

Copy

Registry Keys to check if SSL 3.0 is disabled

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server] "DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client] "DisabledByDefault"=dword:00000001

Copy

Registry Keys to check if TLS 1.0 is disabled

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server] "DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client] "DisabledByDefault"=dword:00000001

Copy

Registry Keys to check if TLS 1.1 is disabled

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server] "Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server] "DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client] "Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client] "DisabledByDefault"=dword:00000000

Copy

Registry Keys to check if TLS 1.2 is Enabled

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server] "Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server] "DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client] "Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client] "DisabledByDefault"=dword:00000000

Copy

Registry Keys to check if TLS 1.3 is Enabled

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server] "Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server] "DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client] "Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client] "DisabledByDefault"=dword:00000000

Copy

Conclusion

In this blog post, we have checked the powershell codes to disable SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1. We have checked the Powershell code to enable TLS 1.2 and TLS 1.3. Its highly recommended to disable old unsupported protocols to reduce the security risk on your computer.

Source :
https://techpress.net/how-to-disable-tls-1-0-and-tls-1-1-using-powershell-on-windows-11/

How to disable TLS 1.0 and TLS 1.1 using Powershell on Windows 10

Transport Layer Security (TLS)  – TLS protocol is used to provide privacy and data integrity between two communicating applications. SSL and TLS are both cryptographic protocols but because SSL protocols does not providers sufficient level of security compared to TLS, SSL 2.0 and SSL 3.0 have been deprecated. TLS 1.0 was released in 1999, TLS 1.1 was released in 2006, TLS 1.2 was released in 2008 and TLS 1.3 was released in 2018.

Most of the companies and Internet Browsers are now moving to TLS 1.2 which is having better security algorithms than TLS 1.0 and TLS 1.1. TLS is more secure than SSL. Mozilla Firefox, Google Chrome, Apple and Microsoft are all ending support for TLS 1.0/1.1 in 2020, so its better to plan ahead of time and test all the applications and create Policies to disable TLS 1.0 and TLS 1.1 on Windows machines.

If you are interested in learning more about these protocols, differences between these protocols and security improvements – you can check Protocols RFC’s (Request for Comments) at these links TLS1.0 RFCTLS 1.1 RFCTLS 1.2 RFC and TLS 1.3 RFC. 

Similar other Blog posts:

Disable SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1 using Powershell

We can easily disable TLS 1.0 and TLS 1.1 using Powershell. However its recommended to also disable SSL 2.0, SSL 3.0 as well. We will be using below powershell code to create registry keys and registry entries. Once the registry keys are created, a reboot of that device will be required to complete the change.

Please note below Powershell Code needs to be run as an administrator as it needs to perform changes in Windows registry.

To run Powershell code on Windows 10 computer. Please use below steps:

  • Login on a Windows 10 PC as administrator.
  • Open Powershell Console as an administrator.
  • Run below piece of powershell code to enable / disable SSL / TLS Protocols.

Powershell code to disable SSL 2.0

 New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -Force
 New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -Force    
 Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -Name 'Enabled'           -Value '0' -Type 'DWORD'
 Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client' -Name 'DisabledByDefault' -value '1' -Type 'DWORD'
 Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -name 'Enabled'           -value '0' –Type 'DWORD'
 Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server' -name 'DisabledByDefault' -value '1' –Type 'DWORD'

Copy

Powershell code to disable SSL 3.0

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -Force  
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -name 'Enabled'           -value '0' –Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -name 'DisabledByDefault' -value '1' –Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -name 'Enabled'           -value '0' –Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server' -name 'DisabledByDefault' -value '1' –Type 'DWORD'  

Copy

Powershell code to disable TLS 1.0

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Force                                                                                                                                                            
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'Enabled'           -value '0' –Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'DisabledByDefault' -value '1' –Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'Enabled'           -value '0' –Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'DisabledByDefault' -value '1' –Type 'DWORD'

Copy

Powershell code to disable TLS 1.1

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force                                                                                                                                                                                 
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'Enabled'           -value '0' –Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -name 'DisabledByDefault' -value '1' –Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'Enabled'           -value '0' –Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -name 'DisabledByDefault' -value '1' –Type 'DWORD'

Copy

Powershell code to Enable TLS 1.2

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force  
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force                                       
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'Enabled'           -value '1' –Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'DisabledByDefault' -value '0' –Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'Enabled'           -value '1' –Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -name 'DisabledByDefault' -value '0' –Type 'DWORD'    

Copy

Powershell code to Enable TLS 1.3

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client' -Force
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server' -Force
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client' -name 'Enabled'           -value '1' –Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client' -name 'DisabledByDefault' -value '0' –Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server'-name 'Enabled'            -value '1' –Type 'DWORD'
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server' -name 'DisabledByDefault' -value '0' –Type 'DWORD'

Copy

How to verify if TLS 1.0 and TLS 1.1 has been disabled on Windows 10

Please follow below steps to verify if SSL / TLS protocols are disabled or enabled.

  1. Login on Windows 10 PC as an administrator.
  2. Click on Windows Icon / Start Menu -> Search for Registry Editor.
  3. Launch Registry Editor.
  4. Browse to HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols

You should find below registry keys / registry entries:

Disable TLS 1.0 and TLS 1.1 registry key
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols

Registry Keys to check if SSL 2.0 is disabled

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server] "DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client] "DisabledByDefault"=dword:00000001

Copy

Registry Keys to check if SSL 3.0 is disabled

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server] "DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client] "DisabledByDefault"=dword:00000001

Copy

Registry Keys to check if TLS 1.0 is disabled

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server] "DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client] "Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client] "DisabledByDefault"=dword:00000001

Copy

Registry Keys to check if TLS 1.1 is disabled

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server] "Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server] "DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client] "Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client] "DisabledByDefault"=dword:00000000

Copy

Registry Keys to check if TLS 1.2 is Enabled

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server] "Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server] "DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client] "Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client] "DisabledByDefault"=dword:00000000

Copy

Registry Keys to check if TLS 1.3 is Enabled

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server] "Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server] "DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client] "Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Client] "DisabledByDefault"=dword:00000000

Copy

Conclusion

In this blog post, we have checked the powershell codes to disable SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1. We have checked the Powershell code to enable TLS 1.2 and TLS 1.3. It’s highly recommended to disable old unsupported protocols to reduce the security risk on your computer.

Source :
https://techpress.net/how-to-disable-tls-1-0-and-tls-1-1-using-powershell-on-windows-10/

Microsoft April 2022 Patch Tuesday fixes 119 flaws, 2 zero-days

Today is Microsoft’s April 2022 Patch Tuesday, and with it comes fixes for two zero-day vulnerabilities and a total of 119 flaws.

Microsoft has fixed 119 vulnerabilities (not including 26 Microsoft Edge vulnerabilities) with today’s update, with ten classified as Critical as they allow remote code execution.

The number of bugs in each vulnerability category is listed below:

  • 47 Elevation of Privilege Vulnerabilities
  • 0 Security Feature Bypass Vulnerabilities
  • 47 Remote Code Execution Vulnerabilities
  • 13 Information Disclosure Vulnerabilities
  • 9 Denial of Service Vulnerabilities
  • 3 Spoofing Vulnerabilities
  • 26 Edge – Chromium Vulnerabilities

For information about the non-security Windows updates, you can read about today’s Windows 10 KB5012599 and KB5012591 updates and the Windows 11 KB5012592 update.

Two zero-days fixed, one actively exploited

This month’s Patch Tuesday includes fixes for two zero-day vulnerabilities, one publicly disclosed and the other actively exploited in attacks.

Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available.

The actively exploited zero-day vulnerability fixed today is a bug that security researcher Abdelhamid Naceri discovered that Microsoft previously tried to fix twice after new patch bypasses were discovered.

  • CVE-2022-26904 – Windows User Profile Service Elevation of Privilege Vulnerability

The publicly exposed zero-day is a privilege elevation bug discovered by CrowdStrike and the US National Security Agency (NSA).

  • CVE-2022-24521 – Windows Common Log File System Driver Elevation of Privilege Vulnerability

Now that Microsoft has issued patches for these vulnerabilities, it should be expected for threat actors to analyze the vulnerabilities to learn how to exploit them.

Therefore, it is strongly advised to install today’s security updates as soon as possible.

Recent updates from other companies

Other vendors who released updates in April 2022 include:

The April 2022 Patch Tuesday Security Updates

Below is the complete list of resolved vulnerabilities and released advisories in the April 2022 Patch Tuesday updates. To access the full description of each vulnerability and the systems that it affects, you can view the full report here.

TagCVE IDCVE TitleSeverity
.NET FrameworkCVE-2022-26832.NET Framework Denial of Service VulnerabilityImportant
Active Directory Domain ServicesCVE-2022-26814Windows DNS Server Remote Code Execution VulnerabilityImportant
Active Directory Domain ServicesCVE-2022-26817Windows DNS Server Remote Code Execution VulnerabilityImportant
Azure SDKCVE-2022-26907Azure SDK for .NET Information Disclosure VulnerabilityImportant
Azure Site RecoveryCVE-2022-26898Azure Site Recovery Remote Code Execution VulnerabilityImportant
Azure Site RecoveryCVE-2022-26897Azure Site Recovery Information Disclosure VulnerabilityImportant
Azure Site RecoveryCVE-2022-26896Azure Site Recovery Information Disclosure VulnerabilityImportant
LDAP – Lightweight Directory Access ProtocolCVE-2022-26831Windows LDAP Denial of Service VulnerabilityImportant
LDAP – Lightweight Directory Access ProtocolCVE-2022-26919Windows LDAP Remote Code Execution VulnerabilityCritical
Microsoft Bluetooth DriverCVE-2022-26828Windows Bluetooth Driver Elevation of Privilege VulnerabilityImportant
Microsoft DynamicsCVE-2022-23259Microsoft Dynamics 365 (on-premises) Remote Code Execution VulnerabilityCritical
Microsoft Edge (Chromium-based)CVE-2022-26909Microsoft Edge (Chromium-based) Elevation of Privilege VulnerabilityModerate
Microsoft Edge (Chromium-based)CVE-2022-1139Chromium: CVE-2022-1139 Inappropriate implementation in Background Fetch APIUnknown
Microsoft Edge (Chromium-based)CVE-2022-26912Microsoft Edge (Chromium-based) Elevation of Privilege VulnerabilityModerate
Microsoft Edge (Chromium-based)CVE-2022-26908Microsoft Edge (Chromium-based) Elevation of Privilege VulnerabilityImportant
Microsoft Edge (Chromium-based)CVE-2022-1146Chromium: CVE-2022-1146 Inappropriate implementation in Resource TimingUnknown
Microsoft Edge (Chromium-based)CVE-2022-26895Microsoft Edge (Chromium-based) Elevation of Privilege VulnerabilityImportant
Microsoft Edge (Chromium-based)CVE-2022-26900Microsoft Edge (Chromium-based) Elevation of Privilege VulnerabilityImportant
Microsoft Edge (Chromium-based)CVE-2022-26894Microsoft Edge (Chromium-based) Elevation of Privilege VulnerabilityImportant
Microsoft Edge (Chromium-based)CVE-2022-1232Chromium: CVE-2022-1232 Type Confusion in V8Unknown
Microsoft Edge (Chromium-based)CVE-2022-26891Microsoft Edge (Chromium-based) Elevation of Privilege VulnerabilityImportant
Microsoft Edge (Chromium-based)CVE-2022-1125Chromium: CVE-2022-1125 Use after free in PortalsUnknown
Microsoft Edge (Chromium-based)CVE-2022-1136Chromium: CVE-2022-1136 Use after free in Tab StripUnknown
Microsoft Edge (Chromium-based)CVE-2022-24475Microsoft Edge (Chromium-based) Elevation of Privilege VulnerabilityImportant
Microsoft Edge (Chromium-based)CVE-2022-1145Chromium: CVE-2022-1145 Use after free in ExtensionsUnknown
Microsoft Edge (Chromium-based)CVE-2022-1135Chromium: CVE-2022-1135 Use after free in Shopping CartUnknown
Microsoft Edge (Chromium-based)CVE-2022-1138Chromium: CVE-2022-1138 Inappropriate implementation in Web CursorUnknown
Microsoft Edge (Chromium-based)CVE-2022-1143Chromium: CVE-2022-1143 Heap buffer overflow in WebUIUnknown
Microsoft Edge (Chromium-based)CVE-2022-24523Microsoft Edge (Chromium-based) Spoofing VulnerabilityModerate
Microsoft Edge (Chromium-based)CVE-2022-1137Chromium: CVE-2022-1137 Inappropriate implementation in ExtensionsUnknown
Microsoft Edge (Chromium-based)CVE-2022-1134Chromium: CVE-2022-1134 Type Confusion in V8Unknown
Microsoft Edge (Chromium-based)CVE-2022-1127Chromium: CVE-2022-1127 Use after free in QR Code GeneratorUnknown
Microsoft Edge (Chromium-based)CVE-2022-1128Chromium: CVE-2022-1128 Inappropriate implementation in Web Share APIUnknown
Microsoft Edge (Chromium-based)CVE-2022-1133Chromium: CVE-2022-1133 Use after free in WebRTCUnknown
Microsoft Edge (Chromium-based)CVE-2022-1130Chromium: CVE-2022-1130 Insufficient validation of untrusted input in WebOTPUnknown
Microsoft Edge (Chromium-based)CVE-2022-1129Chromium: CVE-2022-1129 Inappropriate implementation in Full Screen ModeUnknown
Microsoft Edge (Chromium-based)CVE-2022-1131Chromium: CVE-2022-1131 Use after free in Cast UIUnknown
Microsoft Graphics ComponentCVE-2022-26920Windows Graphics Component Information Disclosure VulnerabilityImportant
Microsoft Graphics ComponentCVE-2022-26903Windows Graphics Component Remote Code Execution VulnerabilityImportant
Microsoft Local Security Authority Server (lsasrv)CVE-2022-24493Microsoft Local Security Authority (LSA) Server Information Disclosure VulnerabilityImportant
Microsoft Office ExcelCVE-2022-24473Microsoft Excel Remote Code Execution VulnerabilityImportant
Microsoft Office ExcelCVE-2022-26901Microsoft Excel Remote Code Execution VulnerabilityImportant
Microsoft Office SharePointCVE-2022-24472Microsoft SharePoint Server Spoofing VulnerabilityImportant
Microsoft Windows ALPCCVE-2022-24482Windows ALPC Elevation of Privilege VulnerabilityImportant
Microsoft Windows ALPCCVE-2022-24540Windows ALPC Elevation of Privilege VulnerabilityImportant
Microsoft Windows Codecs LibraryCVE-2022-24532HEVC Video Extensions Remote Code Execution VulnerabilityImportant
Microsoft Windows Media FoundationCVE-2022-24495Windows Direct Show – Remote Code Execution VulnerabilityImportant
Power BICVE-2022-23292Microsoft Power BI Spoofing VulnerabilityImportant
Role: DNS ServerCVE-2022-26815Windows DNS Server Remote Code Execution VulnerabilityImportant
Role: DNS ServerCVE-2022-26816Windows DNS Server Information Disclosure VulnerabilityImportant
Role: DNS ServerCVE-2022-24536Windows DNS Server Remote Code Execution VulnerabilityImportant
Role: DNS ServerCVE-2022-26824Windows DNS Server Remote Code Execution VulnerabilityImportant
Role: DNS ServerCVE-2022-26823Windows DNS Server Remote Code Execution VulnerabilityImportant
Role: DNS ServerCVE-2022-26822Windows DNS Server Remote Code Execution VulnerabilityImportant
Role: DNS ServerCVE-2022-26829Windows DNS Server Remote Code Execution VulnerabilityImportant
Role: DNS ServerCVE-2022-26826Windows DNS Server Remote Code Execution VulnerabilityImportant
Role: DNS ServerCVE-2022-26825Windows DNS Server Remote Code Execution VulnerabilityImportant
Role: DNS ServerCVE-2022-26821Windows DNS Server Remote Code Execution VulnerabilityImportant
Role: DNS ServerCVE-2022-26820Windows DNS Server Remote Code Execution VulnerabilityImportant
Role: DNS ServerCVE-2022-26813Windows DNS Server Remote Code Execution VulnerabilityImportant
Role: DNS ServerCVE-2022-26818Windows DNS Server Remote Code Execution VulnerabilityImportant
Role: DNS ServerCVE-2022-26819Windows DNS Server Remote Code Execution VulnerabilityImportant
Role: DNS ServerCVE-2022-26811Windows DNS Server Remote Code Execution VulnerabilityImportant
Role: DNS ServerCVE-2022-26812Windows DNS Server Remote Code Execution VulnerabilityImportant
Role: Windows Hyper-VCVE-2022-22008Windows Hyper-V Remote Code Execution VulnerabilityCritical
Role: Windows Hyper-VCVE-2022-24490Windows Hyper-V Shared Virtual Hard Disks Information Disclosure VulnerabilityImportant
Role: Windows Hyper-VCVE-2022-24539Windows Hyper-V Shared Virtual Hard Disks Information Disclosure VulnerabilityImportant
Role: Windows Hyper-VCVE-2022-26785Windows Hyper-V Shared Virtual Hard Disks Information Disclosure VulnerabilityImportant
Role: Windows Hyper-VCVE-2022-26783Windows Hyper-V Shared Virtual Hard Disks Information Disclosure VulnerabilityImportant
Role: Windows Hyper-VCVE-2022-24537Windows Hyper-V Remote Code Execution VulnerabilityCritical
Role: Windows Hyper-VCVE-2022-23268Windows Hyper-V Denial of Service VulnerabilityImportant
Role: Windows Hyper-VCVE-2022-23257Windows Hyper-V Remote Code Execution VulnerabilityCritical
Role: Windows Hyper-VCVE-2022-22009Windows Hyper-V Remote Code Execution VulnerabilityImportant
Skype for BusinessCVE-2022-26911Skype for Business Information Disclosure VulnerabilityImportant
Skype for BusinessCVE-2022-26910Skype for Business and Lync Spoofing VulnerabilityImportant
Visual StudioCVE-2022-24767GitHub: Git for Windows’ uninstaller vulnerable to DLL hijacking when run under the SYSTEM user accountImportant
Visual StudioCVE-2022-24765GitHub: Uncontrolled search for the Git directory in Git for WindowsImportant
Visual StudioCVE-2022-24513Visual Studio Elevation of Privilege VulnerabilityImportant
Visual Studio CodeCVE-2022-26921Visual Studio Code Elevation of Privilege VulnerabilityImportant
Windows Ancillary Function Driver for WinSockCVE-2022-24494Windows Ancillary Function Driver for WinSock Elevation of Privilege VulnerabilityImportant
Windows App StoreCVE-2022-24488Windows Desktop Bridge Elevation of Privilege VulnerabilityImportant
Windows AppX Package ManagerCVE-2022-24549Windows AppX Package Manager Elevation of Privilege VulnerabilityImportant
Windows Cluster Client FailoverCVE-2022-24489Cluster Client Failover (CCF) Elevation of Privilege VulnerabilityImportant
Windows Cluster Shared Volume (CSV)CVE-2022-24538Windows Cluster Shared Volume (CSV) Denial of Service VulnerabilityImportant
Windows Cluster Shared Volume (CSV)CVE-2022-26784Windows Cluster Shared Volume (CSV) Denial of Service VulnerabilityImportant
Windows Cluster Shared Volume (CSV)CVE-2022-24484Windows Cluster Shared Volume (CSV) Denial of Service VulnerabilityImportant
Windows Common Log File System DriverCVE-2022-24521Windows Common Log File System Driver Elevation of Privilege VulnerabilityImportant
Windows Common Log File System DriverCVE-2022-24481Windows Common Log File System Driver Elevation of Privilege VulnerabilityImportant
Windows DefenderCVE-2022-24548Microsoft Defender Denial of Service VulnerabilityImportant
Windows DWM Core LibraryCVE-2022-24546Windows DWM Core Library Elevation of Privilege VulnerabilityImportant
Windows Endpoint Configuration ManagerCVE-2022-24527Windows Endpoint Configuration Manager Elevation of Privilege VulnerabilityImportant
Windows Fax Compose FormCVE-2022-26917Windows Fax Compose Form Remote Code Execution VulnerabilityImportant
Windows Fax Compose FormCVE-2022-26916Windows Fax Compose Form Remote Code Execution VulnerabilityImportant
Windows Fax Compose FormCVE-2022-26918Windows Fax Compose Form Remote Code Execution VulnerabilityImportant
Windows Feedback HubCVE-2022-24479Connected User Experiences and Telemetry Elevation of Privilege VulnerabilityImportant
Windows File ExplorerCVE-2022-26808Windows File Explorer Elevation of Privilege VulnerabilityImportant
Windows File ServerCVE-2022-26827Windows File Server Resource Management Service Elevation of Privilege VulnerabilityImportant
Windows File ServerCVE-2022-26810Windows File Server Resource Management Service Elevation of Privilege VulnerabilityImportant
Windows InstallerCVE-2022-24499Windows Installer Elevation of Privilege VulnerabilityImportant
Windows InstallerCVE-2022-24530Windows Installer Elevation of Privilege VulnerabilityImportant
Windows iSCSI Target ServiceCVE-2022-24498Windows iSCSI Target Service Information Disclosure VulnerabilityImportant
Windows KerberosCVE-2022-24545Windows Kerberos Remote Code Execution VulnerabilityImportant
Windows KerberosCVE-2022-24486Windows Kerberos Elevation of Privilege VulnerabilityImportant
Windows KerberosCVE-2022-24544Windows Kerberos Elevation of Privilege VulnerabilityImportant
Windows KernelCVE-2022-24483Windows Kernel Information Disclosure VulnerabilityImportant
Windows Local Security Authority Subsystem ServiceCVE-2022-24487Windows Local Security Authority (LSA) Remote Code Execution VulnerabilityImportant
Windows Local Security Authority Subsystem ServiceCVE-2022-24496Local Security Authority (LSA) Elevation of Privilege VulnerabilityImportant
Windows MediaCVE-2022-24547Windows Digital Media Receiver Elevation of Privilege VulnerabilityImportant
Windows Network File SystemCVE-2022-24491Windows Network File System Remote Code Execution VulnerabilityCritical
Windows Network File SystemCVE-2022-24497Windows Network File System Remote Code Execution VulnerabilityCritical
Windows PowerShellCVE-2022-26788PowerShell Elevation of Privilege VulnerabilityImportant
Windows Print Spooler ComponentsCVE-2022-26789Windows Print Spooler Elevation of Privilege VulnerabilityImportant
Windows Print Spooler ComponentsCVE-2022-26787Windows Print Spooler Elevation of Privilege VulnerabilityImportant
Windows Print Spooler ComponentsCVE-2022-26786Windows Print Spooler Elevation of Privilege VulnerabilityImportant
Windows Print Spooler ComponentsCVE-2022-26796Windows Print Spooler Elevation of Privilege VulnerabilityImportant
Windows Print Spooler ComponentsCVE-2022-26790Windows Print Spooler Elevation of Privilege VulnerabilityImportant
Windows Print Spooler ComponentsCVE-2022-26803Windows Print Spooler Elevation of Privilege VulnerabilityImportant
Windows Print Spooler ComponentsCVE-2022-26802Windows Print Spooler Elevation of Privilege VulnerabilityImportant
Windows Print Spooler ComponentsCVE-2022-26794Windows Print Spooler Elevation of Privilege VulnerabilityImportant
Windows Print Spooler ComponentsCVE-2022-26795Windows Print Spooler Elevation of Privilege VulnerabilityImportant
Windows Print Spooler ComponentsCVE-2022-26797Windows Print Spooler Elevation of Privilege VulnerabilityImportant
Windows Print Spooler ComponentsCVE-2022-26798Windows Print Spooler Elevation of Privilege VulnerabilityImportant
Windows Print Spooler ComponentsCVE-2022-26791Windows Print Spooler Elevation of Privilege VulnerabilityImportant
Windows Print Spooler ComponentsCVE-2022-26801Windows Print Spooler Elevation of Privilege VulnerabilityImportant
Windows Print Spooler ComponentsCVE-2022-26793Windows Print Spooler Elevation of Privilege VulnerabilityImportant
Windows Print Spooler ComponentsCVE-2022-26792Windows Print Spooler Elevation of Privilege VulnerabilityImportant
Windows RDPCVE-2022-24533Remote Desktop Protocol Remote Code Execution VulnerabilityImportant
Windows Remote Procedure Call RuntimeCVE-2022-26809Remote Procedure Call Runtime Remote Code Execution VulnerabilityCritical
Windows Remote Procedure Call RuntimeCVE-2022-24528Remote Procedure Call Runtime Remote Code Execution VulnerabilityImportant
Windows Remote Procedure Call RuntimeCVE-2022-24492Remote Procedure Call Runtime Remote Code Execution VulnerabilityImportant
Windows schannelCVE-2022-26915Windows Secure Channel Denial of Service VulnerabilityImportant
Windows SMBCVE-2022-24485Win32 File Enumeration Remote Code Execution VulnerabilityImportant
Windows SMBCVE-2022-26830DiskUsage.exe Remote Code Execution VulnerabilityImportant
Windows SMBCVE-2022-21983Win32 Stream Enumeration Remote Code Execution VulnerabilityImportant
Windows SMBCVE-2022-24541Windows Server Service Remote Code Execution VulnerabilityCritical
Windows SMBCVE-2022-24500Windows SMB Remote Code Execution VulnerabilityCritical
Windows SMBCVE-2022-24534Win32 Stream Enumeration Remote Code Execution VulnerabilityImportant
Windows Telephony ServerCVE-2022-24550Windows Telephony Server Elevation of Privilege VulnerabilityImportant
Windows Upgrade AssistantCVE-2022-24543Windows Upgrade Assistant Remote Code Execution VulnerabilityImportant
Windows User Profile ServiceCVE-2022-26904Windows User Profile Service Elevation of Privilege VulnerabilityImportant
Windows Win32KCVE-2022-24474Windows Win32k Elevation of Privilege VulnerabilityImportant
Windows Win32KCVE-2022-26914Win32k Elevation of Privilege VulnerabilityImportant
Windows Win32KCVE-2022-24542Windows Win32k Elevation of Privilege VulnerabilityImportant
Windows Work Folder ServiceCVE-2022-26807Windows Work Folder Service Elevation of Privilege VulnerabilityImportant
YARP reverse proxyCVE-2022-26924YARP Denial of Service VulnerabilityImportant

Source :
https://www.bleepingcomputer.com/news/microsoft/microsoft-april-2022-patch-tuesday-fixes-119-flaws-2-zero-days/

Microsoft: New malware uses Windows bug to hide scheduled tasks

Microsoft has discovered a new malware used by the Chinese-backed Hafnium hacking group to maintain persistence on compromised Windows systems by creating and hiding scheduled tasks.

The Hafnium threat group has previously targeted US defense companies, think tanks, and researchers in cyberespionage attacks.

It is also one of the state-sponsored groups linked by Microsoft to last year’s global scale exploitation of the ProxyLogon zero-day flaws impacting all supported Microsoft Exchange versions.

Persistence via Windows registry value removal

“As Microsoft continues to track the high-priority state-sponsored threat actor HAFNIUM, new activity has been uncovered that leverages unpatched zero-day vulnerabilities as initial vectors,” the Microsoft Detection and Response Team (DART) said.

“Further investigation reveals forensic artifacts of the usage of Impacket tooling for lateral movement and execution and the discovery of a defense evasion malware called Tarrask that creates ‘hidden’ scheduled tasks, and subsequent actions to remove the task attributes, to conceal the scheduled tasks from traditional means of identification.”

This hacking tool, dubbed Tarrask, uses a previously unknown Windows bug to hide them from “schtasks /query” and Task Scheduler by deleting the associated Security Descriptor registry value.

The threat group used these “hidden” scheduled tasks to maintain access to the hacked devices even after reboots by re-establishing dropped connections to command-and-control (C2) infrastructure.

While the Hafnium operators could have removed all on-disk artifacts, including all registry keys and the XML file added to the system folder to delete all traces of their malicious activity, it would have removed persistence across restarts.

Deleting Security Descriptor to hide a scheduled task
Deleting Security Descriptor to hide a scheduled task (Microsoft)

How to defend against Tarrask attacks

The “hidden” tasks can only be found upon closer manual inspection of the Windows Registry if you look for scheduled tasks without an SD (security descriptor) Value within their Task Key.

Admins can also enable the Security.evtx and the Microsoft-Windows-TaskScheduler/Operational.evtx logs to check for key events linked to tasks “hidden” using Tarrask malware.

Microsoft also recommends enabling logging for ‘TaskOperational’ within the Microsoft-Windows-TaskScheduler/Operational Task Scheduler log and monitoring for outbound connections from critical Tier 0 and Tier 1 assets.

“The threat actors in this campaign used hidden scheduled tasks to maintain access to critical assets exposed to the internet by regularly re-establishing outbound communications with C&C infrastructure,” DART added.

“We recognize that scheduled tasks are an effective tool for adversaries to automate certain tasks while achieving persistence, which brings us to raising awareness about this oft-overlooked technique.”

Source :
https://www.bleepingcomputer.com/news/security/microsoft-new-malware-uses-windows-bug-to-hide-scheduled-tasks/

Cybersecurity Terms and Threats You Need to Know in 2020

Let’s do a show of hands — who loves jargon? Anyone?

I didn’t think so.

Face it, aside from trivia champions, jargon doesn’t make life any easier for us. If you’re attending your first security conference this year, you might feel like you need an interpreter to make sense of the technical terminology and acronyms you’ll find around every corner.

At Cisco Umbrella, we’re fluent in cybersecurity – and we want to help you make sense of the often-confusing security landscape! In this post, we define key cybersecurity terms that everyone should know in 2020 — and beyond.

Part 1: Threats

Backdoor: A backdoor is an access point designed to allow quick and undetected entrance to a program or system, usually for malicious purposes. A backdoor can be installed by an attacker using a known security vulnerability, and then used later to gain unfettered access to a system.

Botnet: A botnet is a portmanteau for “robot network.” It’s a collection of infected machines that can be used for any number of questionable activities, from cryptomining to DDoS attacks to automated spam comments on blogs.

Command-and-control (C2) attacks: Command-and-control attacks are especially dangerous because they are launched from inside your network. Security technologies like firewalls are designed to recognize and stop malicious activity or files from entering your network. However, a command-and-control attack is trickier than a standard threat. A file doesn’t start out showing any malicious behavior, so it is deemed harmless by your firewall and permitted to enter your network. Once inside, the file stays dormant for a set period of time or after being triggered remotely. Then, the file reaches out to a malicious domain and downloads harmful data, infecting your network.

Denial of Service (DoS) Attack: This type of attack consumes all of the resources of a target so that it can no longer be used or reached, effectively taking it down. DoS attacks are designed to take a website or server offline, whether for monetary, political, or other reasons. A DDoS, or Distributed Denial of Service attack, is a subcategory of DoS attack that is carried out using two or more hosts, often via a botnet.

Drive-by download: A drive-by download installs malware invisibly in the background when the user visits a malicious webpage, without the user’s knowledge or consent. Often, drive-by downloads take advantage of browser or browser plug-in vulnerabilities that accept a download under the assumption that it’s a benign activity. Using an up-to-date secure browser can help protect you against this type of attack.

Exploit: An exploit is any attack that takes advantage of a weakness in your system. It can make use of software, bits of data, and even social engineering (like pretending to be someone from your IT team who needs your password to perform a security update). To minimize exploits, it’s important to keep your software up-to-date and to be aware of social engineering techniques (see below).

Malware: Malware is a generic term for any program installed on a system with the intent to corrupt, damage, or disable that system. Razy, TeslaCry, NotPetya, and Emotet are a few recent examples.

  • Cryptomining malware: Cryptomining by itself is not necessarily malicious — many people mine crypto currency on their own systems. Malicious cryptomining, however, is a browser- or software-based threat that enables bad actors to hijack system resources to generate crypto currencies. Cryptomining malware is an easy way for bad actors to generate cash while remaining anonymous and without having to use their own resources. Learn more about the cryptomining malware threat.
  • Ransomware: Ransomware is malware used to encrypt a victim’s data with an encryption key that is known only to the attacker. The data becomes unusable until the victim pays a ransom to decrypt the data (usually in cryptocurrency). Ransomware is a fast-growing and serious threat — learn more in our newly updated guide to ransomware defense.
  • Rootkits: A rootkit is a malicious piece of code that hides itself in your system, prevents detection, and enables bad actors to gain continued access to your system. If attackers gain full access to your system once, they can use rootkits to continue that access over a long period of time.
  • Spyware: Malicious code that gathers information about you and your browsing habits, and then sends that information to a third party.
  • Trojans: A trojan is a seemingly innocuous program that acts as a front for malicious code hiding inside. Trojans can do any number of things, from stealing data to allowing remote system control.  These programs take their name from the famous Grecian “Trojan Horse” that took advantage of a similar vulnerability.
  • Viruses: Often used as a blanket term, a virus is a piece of code that attaches itself to files, such as email attachments or files you download online. Once it infects your system, it can cause all kinds of problems, whether that means deleting system files or corrupting your data. Computer viruses also replicate and spread across networks – just like viruses in the physical world.
  • Worms: A worm is a type of malware that clones itself in order to spread to other computers, performing various damaging actions on whatever system it infects. Unlike a virus, a worm exists as a standalone entity — it isn’t hidden inside something else like an attachment.

MitM or Man-in-the-Middle Attack: A MitM attack is pretty much what it sounds like. An attacker will intercept, relay, and potentially change messages between two parties without their knowledge. MitM can be used to break encryption, compromise account details, or gain access to systems by impersonating a user.

Phishing: Phishing is a technique that mimics a legitimate communication (like an email from your online bank) to steal sensitive information. Like fishermen with a lure, attackers will attempt to take your personal information by using fake emails, forms, and web pages to coax you to provide it to them.

  • Spear phishing is a form of phishing that targets one specific individual by using publicly accessible data about them, like from a business card or social media profile.
  • Whale phishing goes one step further than spear phishing and describes a targeted attack on a high-ranking individual, like a CEO or government official.

Social engineering: A general term for any activity in which an attacker is trying to manipulate you into revealing information, whether over email, phone, web forms, or social media platforms. Passwords, account credentials, social security numbers — we often don’t think twice about giving this information away to someone we can trust, but who’s really on the other end of the line? Protect yourself, and think twice before sharing. It’s always OK to verify the request for information in another way, like calling an official customer support number.

Zero-day (0day): A zero day attack is when a bad actor exploits a new, previously unknown software vulnerability for which there is no patch. It’s a constant struggle to stay ahead of attackers, but you don’t have to do it alone — you can get help from the security experts at Cisco Talos.

Part 2: Solutions

Anti-malware: Anti-malware software is a broad category of software designed to block, root out, and destroy viruses, worms, and other nasty things that are described in this list. These products need to be updated regularly to ensure that they remain effective against new threats. They can be deployed at various points in the network chain (email, endpoint, data center, cloud) and either on-premises or delivered from the cloud.

Cloud access security broker (CASB): This is software that provides the ability to detect and report on the cloud applications that are in use across your environment. It provides visibility into cloud apps in use as well as their risk profiles, and the ability to block/allow specific apps. Read more about securing cloud apps here.

Cloud security: this is a subcategory of information security and network security. It is a broad term that can include security policies, technologies, applications, and controls that are used to protect sensitive company and user data wherever it is exposed in a public, private, or hybrid cloud environment.

DNS-layer security: This is the first line of defense against threats because DNS resolution is the first step in establishing a connection to the internet. It blocks requests to malicious and unwanted destinations before a connection is even established — stopping threats over any port or protocol before they reach your network or endpoints. Learn more about DNS-layer security here.

Email security: This refers to the technologies, policies, and practices used to secure the access and content of email messages within an organization. Many attacks are launched via email messages, whether through targeted attacks (see note on phishing above) or malicious attachments or links. A robust email security solution protects you from attacks whether email is in transit across your network or when it is on a user’s device.

Encryption: This is the process of scrambling messages so that they cannot be read until they are decrypted by the intended recipient. There are several types of encryption, and it’s an important component of a robust security strategy.

Endpoint security: if DNS-layer security is the first line of defense against threats, then you might think of endpoint security as the last line of defense! Endpoints can include desktop computers, laptop computers, tablets, mobile phones, desk phones, and even wearable devices — anything with a network address is a potential attack path. Endpoint security software can be deployed on an endpoint to protect against file-based, fileless, and other types of malware with threat detection, prevention, and remediation capabilities.

Firewall: Imagine all the nasty, malicious stuff on the Internet without anything to stop it. A firewall stands between your trusted entities and whatever lies beyond, controlling access based on security rules. A firewall can be hardware or software, a standalone security appliance or a cloud-delivered solution.

Next-generation firewall (NGFW): This is the industry’s new solution for an evolved firewall.  It is typically fully integrated with the rest of the security stack, threat-focused, and delivers comprehensive, unified policy management of firewall functions, application control, threat prevention, and advanced malware protection from the network to the endpoint.

Security information and event management (SIEM): This is a broad term for products that deal with security information management (SIM) and security event management (SEM). These systems allow for aggregation of information and events into a single “pane of glass” for security teams to use.

Secure web gateway (SWG): This is a proxy that can log and inspect all of your web traffic for greater transparency, control, and protection. It allows for real-time inspection of inbound files for malware, sandboxing, full or selective SSL decryption, content filtering, and the ability to block specific user activities in select apps.

Secure internet gateway (SIG): This is a cloud-delivered solution that unifies a variety of connectivity, content control, and access technologies to provide users with safe access to the internet, both on and off the network. By operating from the cloud, a SIG protects user access anywhere and everywhere, with traffic routing to the gateway for inspection and policy enforcement regardless of what users are connecting to, or where they’re connecting from. Because a SIG extends security beyond the edge of the traditional network — and without the need for additional hardware or software — thousands of enterprises have adopted it as a modern catch-all for ensuring that users, devices, endpoints, and data have robust protection from threats.

Secure access service edge (SASE): Gartner introduced an entirely new enterprise networking and security category called “secure access service edge.” SASE brings together networking and security services into one unified solution designed to deliver strong security from edge to edge — in the data center, at remote offices, with roaming users, and beyond. By consolidating a variety of powerful point solutions into one solution that can be deployed anywhere from the cloud, SASE can provide better protection and faster network performance, while reducing the cost and work it takes to secure the network.

Cybersecurity is always evolving, and it can be hard to keep up with the rapid pace of changes. Be sure to bookmark this blog post – we’ll keep it up to date as new threats and technologies emerge. To learn more, check out our recent blog posts about cybersecurity research, or come chat with our security experts in person in Barcelona at Cisco Live EMEA this month. Don’t be shy!

 

Source :
https://umbrella.cisco.com/blog/2020/01/14/cybersecurity-terms-and-threats-you-need-to-know-in-2020/

What is DNSSEC and Why Is It Important?

If you’re like most companies, you probably leave your DNS resolution up to your ISP. But as employees bypass the VPN, and even more organizations adopt direct internet access, it’s more than likely that you have a DNS blind spot. So what steps can you take to ensure your visibility remains free and clear?

One simple and easy thing you can start doing right away is to mine your DNS data. Each time a browser contacts a domain name, it has to contact the DNS server first. Since DNS requests precede the IP connection, DNS resolvers log requested domains regardless of the connection’s protocol or port. That’s an information gold mine! Just by monitoring DNS requests and subsequent IP connections you will eliminate the blind spot and easily gain better accuracy and detection of compromised systems and improve your security visibility and network protection.

But what about those pesky cache poisoning attacks, also known as DNS spoofing?

DNS cache poisoning attacks locate and then exploit vulnerabilities that exist in the DNS, in order to draw organic traffic away from a legitimate server toward a fake one.This type of attack is dangerous because the client an be redirected, and since the attack is on the DNS server, it will impact a very large number of users.

Back in the early nineties, the era of the world-wide-web, Sony Discmans and beepers (we’ve come a long way kids!), the Internet Engineering Task Force, or  IETF started thinking about ways to make DNS more secure. The task force proposed ways to harden DNS and in 2005, Domain Name System Security Extensions, aka DNSSEC, was formally introduced.

DNS Security Extensions, better known as DNSSEC, is a technology that was developed to, among other things, protect against [cache poisoning] attacks by digitally ‘signing’ data so you can be assured [the DNS answer] is valid. DNSSEC uses cryptographic signatures similar to using GPG to sign an email; it proves both the validity of the answer and the identity of the signer. Special records are published in the DNS allowing recursive resolvers or clients to validate signatures. There is no central certificate authority, instead parent zones provide certificate hash information in the delegation allowing for proof of validity.

Cisco Umbrella now supports DNSSEC by performing validation on queries sent from Umbrella resolvers to upstream authorities. Customers can have the confidence that Cisco Umbrella is protecting their organization from cache poisoning attacks, without having to perform validation locally.

Cisco Umbrella supports DNSSEC

Cisco Umbrella delivers the best, most reliable, and fastest internet experience to every single one of our more than 100 million users. We are the leading provider of network security and DNS services, enabling the world to connect to the internet with confidence on any device.

Get the details on how Cisco Umbrella supports DNSSEC.

 

Source :
https://umbrella.cisco.com/blog/2020/01/28/what-is-dnssec-and-why-is-it-important/

Emotet Malware Now Hacks Nearby Wi-Fi Networks to Infect New Victims

Emotet, the notorious trojan behind a number of botnet-driven spam campaigns and ransomware attacks, has found a new attack vector: using already infected devices to identify new victims that are connected to nearby Wi-Fi networks.

According to researchers at Binary Defense, the newly discovered Emotet sample leverages a "Wi-Fi spreader" module to scan Wi-Fi networks, and then attempts to infect devices that are connected to them.

The cybersecurity firm said the Wi-Fi spreader has a timestamp of April 16, 2018, indicating the spreading behavior has been running "unnoticed" for close to two years until it was detected for the first time last month.

The development marks an escalation of Emotet's capabilities, as networks in close physical proximity to the original victim are now susceptible to infection.

How Does Emotet's Wi-Fi Spreader Module Work?

The updated version of the malware works by leveraging an already compromised host to list all the nearby Wi-Fi networks. To do so, it makes use of the wlanAPI interface to extract the SSID, signal strength, the authentication method (WPA, WPA2, or WEP), and mode of encryption used to secure passwords.

On obtaining the information for each network this way, the worm attempts to connect to the networks by performing a brute-force attack using passwords obtained from one of two internal password lists. Provided the connection fails, it moves to the next password in the list. It's not immediately clear how this list of passwords was put together.

Emotet malware cybersecurity

But if the operation succeeds, the malware connects the compromised system on the newly-accessed network and begins enumerating all non-hidden shares. It then carries out a second round of brute-force attack to guess the usernames and passwords of all users connected to the network resource.

After having successfully brute-forced users and their passwords, the worm moves to the next phase by installing malicious payloads — called "service.exe" — on the newly infected remote systems. To cloak its behavior, the payload is installed as a Windows Defender System Service (WinDefService).

In addition to communicating with a command-and-control (C2) server, the service acts as a dropper and executes the Emotet binary on the infected host.

The fact that Emotet can jump from one Wi-Fi network to the other puts onus on companies to secure their networks with strong passwords to prevent unauthorized access. The malware can also be detected by actively monitoring processes running from temporary folders and user profile application data folders.

Emotet: From Banking Trojan to Malware Loader

Emotet, which was first identified in 2014, has morphed from its original roots as a banking Trojan to a "Swiss Army knife" that can serve as a downloader, information stealer, and spambot depending on how it's deployed.

Over the years, it has also been an effective delivery mechanism for ransomware. Lake City's IT network was crippled last June after an employee inadvertently opened a suspicious email that downloaded the Emotet Trojan, which in turn downloaded TrickBot trojan and Ryuk ransomware.

Although Emotet-driven campaigns largely disappeared throughout the summer of 2019, it made a comeback in September via "geographically-targeted emails with local-language lures and brands, often financial in theme, and using malicious document attachments or links to similar documents, which, when users enabled macros, installed Emotet."

"With this newly discovered loader-type used by Emotet, a new threat vector is introduced to Emotet's capabilities," Binary Defense researchers concluded. "Emotet can use this loader-type to spread through nearby wireless networks if the networks use insecure passwords."

Coronavirus Affecting Business as Remote Workforces Expand Beyond Expected Capacity

The novel coronavirus epidemic is a major global health concern. To help prevent the spread of the new virus, organizations, businesses and enterprises are protecting their workforce and allowing employees to work remotely. This practice helps limit individual contact with large groups or crowds (e.g., restaurants, offices, transit) where viruses can easily spread.

As such, ‘stay at home’ is a common phrase in many health-conscious regions this week. According to the BBC, the city of Suzhou said businesses would remain closed until Feb 8, if not longer. As of 2018, Suzhou had a population of more than 10.7 million people.

On Jan. 30, the World Health Organization labeled the outbreak as a global health emergency. In response, the U.S. Department of issued a Level 4 travel advisory to China (do not travel).

Precautions like these are causing unexpected increases in mobile workers; many organizations don’t have enough virtual private network (VPN) licenses to accommodate the increase of users. This is a serious risk as employees will either not have access to business resources or, worse, they will do so via non-secure connections.

Organizations and enterprises in affected areas should review their business continuity plans. The National Law Review published a useful primer for employers and organizations managing workforces susceptible to coronavirus outbreaks. In addition, leverage SonicWall’s ‘5 Core Practices to Ensure Business Continuity.”

What is the coronavirus?

Coronavirus (2019-nCoV) is a respiratory illness first identified in Wuhan, China, but cases have since been reported in the U.S., Canada, Australia, Germany, France, Thailand, Japan, Hong Kong, and nine other countries. In an effort to contain the virus, the Chinese authorities have suspended air and rail travel in the area around Wuhan.

According to Centers for Disease Control and Prevention (CDC), early patients in the outbreak in China “reportedly had some link to a large seafood and animal market, suggesting animal-to-person spread. However, a growing number of patients reportedly have not had exposure to animal markets, indicating person-to-person spread is occurring. At this time, it’s unclear how easily or sustainably this virus is spreading between people.”

The latest situation summary updates are available via the CDC: 2019 Novel Coronavirus, Wuhan, China.