Permissions Flaw Found in Azure AD Connect

A permissions flaw in Microsoft’s Azure AD Connect software could allow a rogue admin to escalate account privileges and gain unauthorized universal access within a company’s internal network.

Microsoft issued an advisory for the vulnerability on Tuesday. Affected are Office 365 customers running Microsoft’s Active Directory Domain Services in conjunction with Azure AD Connect software installed with the Express Settings, according to Preempt Security, which first identified the vulnerability.

Microsoft didn’t release a patch to fix the bug; instead, it made available a PowerShell script that adjusts the permissions of the Active Directory domain accounts to protect customers from the vulnerability. Microsoft also said future versions of the affected software (after version 1.1.654.0) would not be impacted by this vulnerability.

“Before this release, the account was created with settings that allowed a user with password administrator rights the ability to change the password to a value known to them. This allowed you to sign in using this account, and this would constitute an elevation of privilege security breach. This release tightens the setting on the account that is created and removes this vulnerability,” Microsoft states.

The flaw allows trusted users with limited or temporary privileges within a domain, such as the ability to change passwords or add users to administrative groups, to escalate those privileges, said Roman Blachman, CTO and co-founder of Preempt.

He said there are several scenarios in which “stealthy admins” can elevate their access within a domain. In one, a rogue technical support operator (or “stealth admin”) uses their limited privilege of managing passwords to change the password of a domain administrator. They could then log in as the domain administrator and configure their own profile with greater access to the company’s network.

“The flaw allows a support operator to replicate all of the domain passwords of every user and compromise any account in the domain and give themselves full administrator rights,” Blachman said. “So, this support operator could go from having limited access to making themselves a domain admin.”

In another attack scenario, a rogue admin with limited privileges of adding and removing users from administrative groups could simply add themselves to a group with more privileges.

To evade detection, Preempt said, a stealthy admin would instead target the MSOnline (MSOL) PowerShell module’s service account, part of Windows Azure Active Directory. “Such (service) accounts are often less monitored than full domain admins even though they have relatively high privileges,” the researchers said.

“Imagine a help desk technician with permissions to reset non-admin passwords but no other domain admin privileges. Because the MSOL account is generated under the Built-in Users container, and the Built-in Account Operators group (e.g. helpdesk team) has permissions to reset passwords for the Built-in Users container, this gives the account operator full de facto access to domain passwords, as well as other elevated privileges (e.g. Domain Admin),” the researchers wrote in a technical write-up of the vulnerability posted Tuesday.

Using the aforementioned technique, Blachman said, it is possible for an admin to escalate their privileges via the MSOL service account.
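As an added example (not Preempt’s tooling or Microsoft’s remediation script), the following Python audits the security descriptor of an MSOL_ account for exactly the condition described above: an allow ACE granting the Reset Password extended right to Account Operators, typically inherited from the CN=Users container. The SDDL strings are constructed samples; on a real domain the descriptor can be exported with the ActiveDirectory module via `(Get-Acl "AD:\<DN of the MSOL_ account>").Sddl`.

```python
import re

# Well-known AD GUID of the "Reset Password" extended right
# (User-Force-Change-Password). A schema constant, not a value from the article.
RESET_PASSWORD_GUID = "00299570-246d-11d0-a768-00aa006e0529"

# SDDL SID aliases for the broad, helpdesk-style groups the article discusses.
# AO = BUILTIN\Account Operators. Extend with your own delegated groups.
WATCHED_TRUSTEES = {"AO": "Account Operators"}


def dacl_aces(sddl):
    """Split the D: (DACL) section of an SDDL string into ACE dicts."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        fields = body.split(";")
        if len(fields) != 6:
            continue  # conditional/resource ACEs have more fields; skip them
        ace_type, flags, rights, obj_guid, _inherit_guid, trustee = fields
        aces.append({"type": ace_type, "flags": flags, "rights": rights,
                     "object": obj_guid.lower(), "trustee": trustee})
    return aces


def grants_password_reset(ace):
    """True if an allow ACE lets the trustee reset this object's password."""
    if ace["type"] not in ("A", "OA"):
        return False                       # deny/audit ACEs are not grants
    rights = ace["rights"]
    if "GA" in rights:
        return True                        # GENERIC_ALL covers everything
    if "CR" not in rights:
        return False                       # no control-access (extended) right
    # CR with an empty object GUID means *all* extended rights, reset included.
    return ace["object"] in ("", RESET_PASSWORD_GUID)


def is_inherited(flags):
    """ACE flags are two-letter tokens; ID marks an inherited ACE."""
    return any(flags[i:i + 2] == "ID" for i in range(0, len(flags), 2))


def audit_msol_sddl(sddl):
    """Report which watched groups can reset the account password and
    whether that right was inherited (e.g. from the CN=Users container)."""
    return [{"group": WATCHED_TRUSTEES[a["trustee"]],
             "inherited": is_inherited(a["flags"])}
            for a in dacl_aces(sddl)
            if a["trustee"] in WATCHED_TRUSTEES and grants_password_reset(a)]


# Constructed sample of an MSOL_ account created under CN=Users by Express
# Settings: Account Operators inherit Reset Password over user objects
# (bf967aba-... is the AD "user" class GUID).
VULNERABLE_SDDL = (
    "O:DAG:DAD:AI"
    "(A;;RPWPCRLCLOCCRCWDWOSDDTSW;;;DA)"
    "(OA;CIID;CR;00299570-246d-11d0-a768-00aa006e0529;"
    "bf967aba-0de6-11d0-a285-00aa003049e2;AO)"
    "(A;;RPRC;;;AU)"
)
# The same account after inheritance was blocked and the AO ACE removed.
REMEDIATED_SDDL = "O:DAG:DAD:PAI(A;;RPWPCRLCLOCCRCWDWOSDDTSW;;;DA)(A;;RPRC;;;AU)"

if __name__ == "__main__":
    for label, sddl in (("before", VULNERABLE_SDDL), ("after", REMEDIATED_SDDL)):
        print(label, audit_msol_sddl(sddl))
```

The same audit applies to any other sensitive account placed under CN=Users; the inherited flag tells you whether the fix belongs on the account or on the container.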

“Now the stealthy admin can log into Azure AD Connect and reconfigure the account so everything would work properly and no one would ever notice the changes to the account,” Blachman said.   

“Microsoft acknowledged the issue and has released a Microsoft Security Advisory 4056318 and a PowerShell script that addresses the flaw by adjusting the permissions of the Active Directory domain accounts to modify properties of the AD DS synchronization account (MSOL),” Preempt said.

Source: ThreatPost

With over 20 years of experience, Serviceteam IT design and deliver sophisticated connectivity, communication, continuity, and cloud services, for organisations that need to stay connected 24/7. We take the time to fully understand your current challenges, and provide a solution that gives you a clear understanding of what you are purchasing and the benefits it will bring you.

To find out how we can help you, call us on 0121 468 0101, use the Contact Us form, or why not drop in and visit us at 49 Frederick Road, Edgbaston, Birmingham, B15 1HN.

We’d love to hear from you!

19-Year-Old TLS Vulnerability Weakens Modern Website Crypto

A vulnerability called ROBOT, first identified in 1998, has resurfaced. Impacted are leading websites ranging from Facebook to Paypal, which are vulnerable to attackers who could decrypt encrypted data and sign communications using the sites’ own private encryption keys.

The vulnerability is found in the Transport Layer Security protocol used for web encryption. A successful attack could allow an attacker to passively record traffic and later decrypt it, or open the door to a man-in-the-middle attack, according to researchers.

ROBOT, which stands for Return Of Bleichenbacher’s Oracle Threat, is named after Daniel Bleichenbacher, the researcher who originally discovered the underlying flaw almost two decades ago. Its recent rediscovery came through Facebook’s bug bounty program, which paid an undisclosed reward to researchers Hanno Böck, Juraj Somorovsky and Craig Young, who published their findings Tuesday.

The vulnerability is tied to the TLS protocol and a flaw in the handling of RSA encryption keys. The attack involves sending specially crafted queries designed to generate errors on TLS servers that use RSA encryption to protect communications between a user’s browser and a website.

The attack involves sending crafted queries that elicit “yes” or “no” answers, in a type of brute-force guessing attack. Over time, this technique, called an adaptive chosen-ciphertext attack, can force the TLS server to reveal the session key. That allows an attacker to decrypt HTTPS traffic sent between the TLS server and the user’s browser.

This is the same technique Bleichenbacher used to exploit the vulnerability in 1998.

“In 1998, Daniel Bleichenbacher discovered that the error messages given by SSL servers for errors in the PKCS #1 1.5 padding allowed an adaptive-chosen ciphertext attack; this attack fully breaks the confidentiality of TLS when used with RSA encryption,” researchers wrote. “We discovered that by using some slight variations this vulnerability can still be used against many HTTPS hosts in today’s Internet.”

The original ROBOT patch did not involve replacing the insecure RSA algorithm; instead, the TLS standard was modified to make brute-force guessing exponentially harder.

“After Bleichenbacher’s original attack the designers of TLS decided that the best course of action was to keep the vulnerable encryption modes and add countermeasures. Later research showed that these countermeasures were incomplete leading the TLS designers to add more complicated countermeasures,” researchers wrote. “The section on Bleichenbacher countermeasures in the latest TLS 1.2 standard (7.4.7.1) is incredibly complex. It is not surprising that these workarounds aren’t implemented correctly.”
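The countermeasure the researchers describe, shown as an added example (not code from the ROBOT paper or from any TLS library): a textbook PKCS #1 v1.5 unpadding routine whose distinct error paths form the “yes/no” oracle, beside the RFC 5246 section 7.4.7.1 approach of always producing a 48-byte premaster secret and silently substituting random bytes on failure. It assumes the client offered TLS 1.2 and operates on the block that RSA decryption has already produced.

```python
import hmac
import os

PMS_LEN = 48                  # TLS premaster secret is always 48 bytes
CLIENT_VERSION = b"\x03\x03"  # version the client offered (TLS 1.2), assumed


class DecryptionError(Exception):
    pass


def pad_pkcs1_v15(pms, k):
    """Build a PKCS #1 v1.5 type-2 block of modulus length k (test helper)."""
    pad = bytearray(os.urandom(k - len(pms) - 3))
    for i, b in enumerate(pad):
        if b == 0:
            pad[i] = 0x01      # the padding string must contain no zero bytes
    return b"\x00\x02" + bytes(pad) + b"\x00" + pms


def unpad_oracle(em):
    """Textbook unpadding. Each failure is reported differently to the peer,
    which is exactly the oracle Bleichenbacher's attack needs."""
    if em[:2] != b"\x00\x02":
        raise DecryptionError("bad block type")
    sep = em.find(b"\x00", 2)
    if sep < 10:
        raise DecryptionError("no separator after 8+ padding bytes")
    pms = em[sep + 1:]
    if len(pms) != PMS_LEN:
        raise DecryptionError("wrong premaster length")
    if pms[:2] != CLIENT_VERSION:
        raise DecryptionError("version mismatch")
    return pms


def unpad_tls(em):
    """RFC 5246 7.4.7.1 style: never signal a padding failure. Always return
    48 bytes; on any problem hand back random bytes so the handshake fails
    later at Finished, indistinguishably from a wrong-version case."""
    rnd = os.urandom(PMS_LEN)
    k = len(em)                       # modulus length: public, not a secret
    if k < PMS_LEN + 11:              # no room for 00 02, 8 pad bytes, 00
        return rnd
    good = int(em[0] == 0x00) & int(em[1] == 0x02)
    for b in em[2:k - PMS_LEN - 1]:   # padding string must be all non-zero
        good &= int(b != 0)
    good &= int(em[k - PMS_LEN - 1] == 0x00)   # separator at its one valid spot
    pms = em[-PMS_LEN:]
    good &= int(hmac.compare_digest(pms[:2], CLIENT_VERSION))
    mask = -good & 0xFF               # 0xFF if good else 0x00, no branch
    return bytes((p & mask) | (r & (mask ^ 0xFF)) for p, r in zip(pms, rnd))


def observable(unpad, em):
    """What a network peer can learn from the server's reaction."""
    try:
        unpad(em)
        return "continue"
    except DecryptionError as e:
        return str(e)
```

With `unpad_oracle` a peer sees four different reactions; with `unpad_tls` every input yields "continue" and the only remaining signal is timing, which is why the real implementations the researchers tested still had to be measured rather than code-reviewed.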

Since the original ROBOT patch, variations of the vulnerability have surfaced. In March 2016, a related TLS vulnerability called DROWN exposed 33 percent of HTTPS connections to attack.

What the researchers revealed on Tuesday is that a number of vendors failed to properly implement the countermeasures meant to protect against attacks exploiting the ROBOT vulnerability.

“We have identified vulnerable implementations from at least seven vendors including F5, Citrix, and Cisco,” researchers wrote. “Some of the most popular webpages on the Internet were affected, including Facebook and Paypal. In total, we found vulnerable subdomains on 27 of the top 100 domains as ranked by Alexa.”

The United States Computer Emergency Readiness Team issued a security bulletin on the vulnerability Tuesday, listing eight affected vendors.

On Tuesday, Cisco issued an advisory for the vulnerability, which it rated as medium severity. It said multiple Cisco products are affected, such as the Cisco ACE 4710 Application Control Engine Appliance and the Cisco ACE30 Application Control Engine Module.

Facebook and Paypal each issued patches in October.

The researchers offer a number of stopgap mitigations in their paper, along with an online testing tool for public HTTPS servers and a Python tool to test for the vulnerability.

Source: ThreatPost


Microsoft December Patch Tuesday Update Fixes 34 Bugs

Microsoft patched 34 vulnerabilities that are part of its December Patch Tuesday release. A total of 20 vulnerabilities were rated critical and another 12 were rated important. Impacted are Internet Explorer, Microsoft Edge, Microsoft Windows, Microsoft Office, SharePoint and Exchange.

Notable patches include two fixes (CVE-2017-11937 and CVE-2017-11940) for Microsoft’s Malware Protection Engine (MPE). Both remote code execution vulnerabilities became known last week through research by the UK National Cyber Security Centre, and both were patched last week.

“These MPE vulnerabilities also affect Exchange Server, so back-end administrators do have some work to do this month,” said Greg Wiseman, senior security researcher at Rapid7.

“The biggest thing going on this month are bugs relating to Internet Explorer. Over half the CVEs this month are affecting IE and Edge,” said Chris Goettl, product manager, Ivanti. Over twenty of the 34 vulnerabilities are classified as a “scripting engine memory corruption vulnerability” impacting Microsoft browsers.

One scripting engine memory corruption vulnerability (CVE-2017-11907) is a remote code execution bug that exists when IE improperly accesses objects in memory. “An attacker could host a specially crafted website designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website,” wrote Microsoft. A successful exploit gives the attacker the same user rights as the current user.

“It doesn’t take sophisticated social engineering tactics to convince most users to visit a malicious web page, or a legitimate, but compromised, website (as in a watering hole attack). If the user is browsing with an unpatched version of Internet Explorer or Edge, an attacker could execute arbitrary code. If the user has administrative rights, it’s game over and the attacker could take full control of the system,” Wiseman said.

Security experts are also recommending that admins prioritize a patch for a Microsoft Excel remote code execution vulnerability (CVE-2017-11935) affecting Microsoft Office 2016. The flaw arises “due to an error in the way Microsoft Office improperly handles objects in memory while parsing specially crafted files,” according to the CVE description. A remote attacker can exploit this issue by enticing a victim to open a specially crafted file, according to the CVE record.

“This vulnerability gives the attacker full control of the system. All I need to do is convince somebody to either open an attachment or come to my specially crafted website and download some content,” Goettl said. “Click-rates today are high. Users are still the weakest security link. This is probably the one vulnerability that I would say is most likely to be exploited this month.”

Microsoft said none of the security issues addressed in the Patch Tuesday release have been publicly disclosed or exploited.

Meanwhile, researchers at the Zero Day Initiative are recommending special attention to a Windows information disclosure vulnerability (CVE-2017-11927). “This bug takes us all the way back to the early days of Internet Explorer and CHM (compressed help) files. This patch resolves an information disclosure vulnerability in the Windows its:// protocol handler,” notes ZDI in a blog post.

Microsoft describes the information disclosure vulnerability as a bug that exists when the Windows its:// protocol handler “unnecessarily sends traffic to a remote site in order to determine the zone of a provided URL.” Doing so could inadvertently expose sensitive user information to a malicious site.

“An attacker who successfully tricked a user into disclosing the user’s NTLM hash could attempt a brute-force attack to disclose the corresponding hash password,” Microsoft wrote.

Source: ThreatPost


BankBot Targets Polish Banks via Google Play

Two new applications that managed to slip into Google Play despite being infected with the BankBot Trojan have been observed targeting the legitimate apps of Polish banks, ESET warns.

The malware hid inside the seemingly legitimate Crypto Monitor, an app for tracking cryptocurrency prices, and StorySaver, a utility that helps users download stories from Instagram. Both applications provide their users with the promised functionality, but also serve a nefarious purpose.

On the victim’s device, the apps can display fake notifications and login forms that have been designed to look as if they come from legitimate banking applications, which allows them to harvest the credentials victims enter into the fake forms.

They can also intercept text messages, which allows them to bypass SMS-based two-factor authentication.

The BankBot banking Trojan was first observed about a year ago, when its source code leaked online alongside instructions on how to use it. It took over a month for the first malware based on that code to emerge, but numerous BankBot variations have been observed since, some in Google Play.

In a report published in early November, RiskIQ revealed that the malware had managed to slip into the official Android application store disguised as Cryptocurrencies Market Prices, an application offering timely information to people who trade in cryptocurrency marketplaces.

Only a couple of weeks after that report, the Crypto Monitor malicious app was uploaded to Google Play, under the developer name walltestudio. Four days later, on November 29, StorySaver was published to the marketplace, under the developer name kirillsamsonov45, ESET says.

The applications had between 1,000 and 5,000 downloads when ESET reported their malicious behavior to Google on December 4. Both have since been removed from the application store.

After being launched on the infected device, the malicious apps retrieve information on the installed programs and compare these against a list of targeted banking software.

According to ESET, the malware targets the official apps of fourteen Polish banks, namely Alior Mobile, BZWBK24 mobile, Getin Mobile, IKO, Moje ING mobile, Bank Millennium, mBank PL, BusinessPro, Nest Bank, Bank Pekao, PekaoBiznes24, plusbank24, Mobile Bank, and Citi Handlowy.

The malware can display fake login forms imitating those of the targeted apps and can do so either without any action from the user, or after the user clicks on a fake notification.

ESET claims that most of the infections (96%) were detected in Poland, but that a small set of users in Austria were infected as well (the remaining 4% of detections). The local social engineering campaigns propagating the malicious apps contributed to this.

“The good news is that this particular banking malware doesn’t use any advanced tricks to ensure its persistence on affected devices. Therefore, if you’ve installed any of the above described malicious apps, you can remove them by going to Settings > (General) > Application manager/Apps, searching for either “StorySaver” or “Crypto Monitor” and uninstalling them,” ESET says.

Mobile banking users who installed one of the malicious applications are advised to check their bank account for any suspicious activity. They should also consider changing PIN codes, the researchers say.


Source: infosec island


New Spider Ransomware Comes With 96-Hour Deadline

A new ransomware strain called Spider is targeting victims located in the Balkans in what is called a “mid-scale” campaign.

The Spider ransomware is unique in that victims are given a 96-hour deadline to pay. The attackers also attempt to calm victims, assuring them the ransom payment and file recovery process will be “really easy.” They go one step further and provide a link to a video tutorial on how the Spider ransomware payment and file recovery process works.

The campaign was first spotted on Dec. 10 by Netskope Threat Research Labs, which shared its findings in a blog post Tuesday.

Victims are targeted with malicious Office documents sent as attachments in an email phishing campaign whose Bosnian-language subject line, “Potrazivanje dugovanja”, translates (via Google Translate) as “Debt Collection”.

“These attachments are auto-synced to the enterprise cloud storage and collaborations apps. Netskope Threat Protection detects the decoy document as ‘VB:Trojan.VBA.Agent.QP’ and the downloaded payload as ‘Trojan.GenericKD.12668779’ and ‘Trojan.GenericKD.6290916,’” wrote Netskope researchers.

The malicious Office documents are written in the Bosnian language and contain obfuscated code, according to researchers. If the malicious code is executed, it launches Windows PowerShell with instructions to download a Base64-encoded payload hosted on YourJavaScript.com, a free hosting site.

“After downloading the payloads, the PowerShell script decodes the Base64 string and performs XOR operation with the key ‘AlberTI’ to decode the final payloads, which is later saved into executable (.exe) files,” researchers wrote. “The decoded payloads named ‘dec.exe’ and ‘enc.exe’ compiled in .NET are copied to the ‘%APPDATA% /Spider’ directory.”

According to Netskope, the binary “enc.exe” is the ransomware encryptor and “dec.exe” is the decryptor. The encryptor (enc.exe) encrypts the user’s files using AES and appends the “.spider” extension to encrypted files.
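An analyst’s decoder for the staging described above, added here as an example (not Netskope’s code): it reverses the Base64-then-XOR transform with the quoted key ‘AlberTI’ and sanity-checks that the result carries a PE (MZ/PE) header before anything is written to disk. The hosted payload used here is a constructed fake header, not the real enc.exe or dec.exe.

```python
import base64

XOR_KEY = b"AlberTI"  # the key quoted in Netskope's analysis


def xor_repeating(data, key):
    """XOR data with a repeating key; the operation is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_spider_stage(b64_text, key=XOR_KEY):
    """Reverse the dropper's transform: Base64-decode, then XOR with the key."""
    raw = base64.b64decode("".join(b64_text.split()))   # tolerate line wraps
    return xor_repeating(raw, key)


def looks_like_pe(blob):
    """A recovered .exe must start with the 'MZ' DOS header and carry the
    PE signature at the offset stored little-endian at 0x3C."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    pe_off = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[pe_off:pe_off + 4] == b"PE\x00\x00"


def recover_and_check(b64_text, key=XOR_KEY):
    """Decode a hosted stage and report whether it decoded to a PE image;
    anything else means a wrong key or a different staging scheme."""
    blob = decode_spider_stage(b64_text, key)
    return blob, looks_like_pe(blob)


def _fake_pe():
    """Constructed stand-in for the hosted payload: just enough header bytes
    to satisfy looks_like_pe, with no executable code at all."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")
    hdr[0x40:0x44] = b"PE\x00\x00"
    note = b"constructed sample, not executable code"
    hdr[0x44:0x44 + len(note)] = note
    return bytes(hdr)


SAMPLE_PAYLOAD = _fake_pe()
# What the dropper would fetch: the payload XORed with the key, then Base64.
SAMPLE_HOSTED_TEXT = base64.b64encode(xor_repeating(SAMPLE_PAYLOAD, XOR_KEY)).decode()

if __name__ == "__main__":
    blob, ok = recover_and_check(SAMPLE_HOSTED_TEXT)
    print("PE header present:", ok, "decoded size:", len(blob))
```

Run the same two functions over a real captured stage to confirm the key and extract the executables for hashing and sandboxing without executing the PowerShell dropper.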

Once files are encrypted, a ransom note is displayed warning that the victim has only 96 hours to pay the ransom in bitcoin to obtain a key to decrypt their files. “You have to be fast, after 96 hours the key will be blocked and all your files will remain permanently encrypted… do not try anything stupid, the program has several security measures to delete all your files and cause the damage to your PC,” according to the note.

The attackers also walk victims through the payment process, from how to use the Tor Browser to how to obtain bitcoin for payment. If victims are still confused, the ransom note provides a link to a video hosted on a video-sharing service that offers a tutorial.

“The video provides instructions to decrypt victims’ files. We suspect that the video was most likely uploaded by the threat actor group of Spider,” researchers wrote.

Netskope’s Amit Malik, author of the post, said that to avoid Spider and other ransomware attacks, users should disable macros by default and not execute unsigned macros from untrusted sources. “We continue to see an increase of decoy Office documents as an attack vector in spreading ransomware like GlobeImposter tied to several active and ongoing campaigns,” he said.

Source: ThreatPost
