Archive for Microsoft

Microsoft Prepares To Put The Bullet In Windows 8.1… Sorry To The Six Of You Who Still Use It

Posted in Commentary on June 24, 2022 by itnerd

Microsoft is getting ready to send reminders to Windows 8.1 users that support will end on January 10th 2023. This is the same strategy that they used with Windows 7. What does that mean for you? Microsoft has a webpage here with a FAQ that spells out what the end of support will mean.

My advice is that if you’re still on Windows 8.1, or Windows 7 for that matter, you should be looking towards upgrading to a Windows 11 (or Windows 10) PC, as that will provide you with a safer and more secure platform to do whatever it is that you need your computer to do. Holding on to any computer that runs an earlier Microsoft OS really isn’t a good idea.

Microsoft Office365 Appears To Be Having Issues

Posted in Commentary on June 21, 2022 by itnerd

Are you having trouble with Microsoft Office365 this morning? If so, you’re not alone as it appears to be having issues. Users have been reporting the following:

  • Being asked to relogin to their accounts
  • Emails stuck in queues and not getting delivered
  • Not being able to access their Exchange Online mailboxes via any connection method they tried.

Microsoft seems to have admitted that there’s a problem.

I’ve done some testing with a couple of Office365 accounts and I only have issues with one of them. So this is a thing quite clearly. I’ll be keeping an eye on this as this is possibly going to impact a large number of people.

Everyone Needs To Pay Attention To This Microsoft Zero Day Exploit That Is Making The Rounds

Posted in Commentary on June 4, 2022 by itnerd

I’ve been delaying writing about this until I could get some more information about this zero day exploit, and mitigation strategies for it. Let’s start with the exploit.

Researchers warned last weekend that a flaw in Microsoft’s Support Diagnostic Tool could be exploited using malicious Word documents to remotely take control of target devices. Here are some details:

On May 27, a researcher who uses the online moniker “nao_sec” reported on Twitter that they had found an interesting malicious document on the VirusTotal malware scanning service. The malicious Word file, uploaded from Belarus, is designed to execute arbitrary PowerShell code when opened.

The malware was later analyzed by several others, including researcher Kevin Beaumont, who published a blog post detailing his findings on Sunday.

“The document uses the Word remote template feature to retrieve a HTML file from a remote webserver, which in turn uses the ms-msdt MSProtocol URI scheme to load some code and execute some PowerShell,” Beaumont explained, adding, “That should not be possible.”

The researcher noted that the code is executed even if macros are disabled — malicious Word documents are typically used for code execution via macros. Microsoft Defender currently does not appear to be capable of preventing execution.

“Protected View does kick in, although if you change the document to RTF form, it runs without even opening the document (via the preview tab in Explorer) let alone Protected View,” Beaumont said.

The researcher decided to name the zero day vulnerability “Follina” because the malicious file references 0438, which is the area code of Follina, a village in Italy.

This is now being tracked as CVE-2022-30190. Microsoft has not issued a fix for it yet, but they do offer guidance for mitigation. That all sounds good, but here’s the bad news. This appears to be actively exploited by threat actors, and Microsoft may have been asleep at the switch:

The Microsoft Support Diagnostic Tool vulnerability was reported to Microsoft on April 12 as a zero-day that was already being exploited in the wild, researchers from Shadow Chaser Group said on Twitter. A response dated April 21, however, informed the researchers that the Microsoft Security Response Center team didn’t consider the reported behavior a security vulnerability because, supposedly, the MSDT diagnostic tool required a password before it would execute payloads.

On Monday, Microsoft reversed course, identifying the behavior with the vulnerability tracker CVE-2022-30190 and warning for the first time that the reported behavior constituted a critical vulnerability after all.

That’s bad on Microsoft’s part. Really bad.

My advice is that you should follow Microsoft’s guidance for this to mitigate the issue until a fix appears. Because if there is no fix, and it’s actively being exploited by threat actors, it’s only a matter of time before there is widespread pwnage.
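The two indicators in the description above (a Word document that pulls a remote template, and fetched HTML that reaches for the ms-msdt: URI scheme) are both things a defender can check for mechanically. The following is an added example and not code from Microsoft or the researchers: it inspects the relationship parts of a .docx for an external attached template, checks any retrieved HTML for the ms-msdt: scheme, and combines the two into a verdict. The sample document and HTML are constructed here; the only page-specific value used is the ms-msdt: scheme itself, and the RTF variant Beaumont mentions is out of scope since it is not OOXML.

```python
"""Added example: flag the Follina indicators in a .docx and in fetched HTML.
The OOXML relationship structure is standard; the sample document and HTML
below are constructed test fixtures, not real samples."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Relationship type Word uses for an attached (possibly remote) template.
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
# The URI scheme the retrieved HTML uses to reach the Support Diagnostic Tool.
MSDT_SCHEME = re.compile(r"ms-msdt:", re.IGNORECASE)


def remote_template_targets(docx_bytes):
    """Return the external targets of every attachedTemplate relationship.

    Legitimate corporate templates can also be remote, so a hit means
    'needs review', not proof of compromise.
    """
    targets = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(docx_bytes))
    except zipfile.BadZipFile:
        return targets  # not OOXML (e.g. the RTF variant): out of scope here
    with archive:
        for name in archive.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(archive.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode") == "External"):
                    targets.append(rel.get("Target"))
    return targets


def html_invokes_msdt(html):
    """True if the fetched template HTML contains an ms-msdt: URI."""
    return MSDT_SCHEME.search(html) is not None


def assess(docx_bytes, fetched_html=None):
    """Combine both checks: clean / remote-template-review / follina-pattern."""
    if not remote_template_targets(docx_bytes):
        return "clean"
    if fetched_html is not None and html_invokes_msdt(fetched_html):
        return "follina-pattern"
    return "remote-template-review"


def build_sample_docx(template_target=None):
    """Constructed minimal .docx: just enough parts for the rels check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/settings.xml", "<settings/>")
        rels = [f'<Relationships xmlns="{REL_NS}">']
        if template_target:
            rels.append(f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                        f'Target="{template_target}" TargetMode="External"/>')
        rels.append("</Relationships>")
        z.writestr("word/_rels/settings.xml.rels", "".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    suspect = build_sample_docx("http://template.example.invalid/template.html")
    # Constructed stand-in for the retrieved HTML; only the scheme matters here.
    sample_html = '<script>window.location.href = "ms-msdt:PLACEHOLDER";</script>'
    print(remote_template_targets(suspect))
    print(assess(suspect, sample_html))   # follina-pattern
    print(assess(build_sample_docx()))    # clean
```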

Microsoft Warns Of Fast Spreading Linux Malware

Posted in Commentary on May 21, 2022 by itnerd

The Microsoft 365 Defender Research Team has come across a new type of Linux trojan combining denial-of-service functionality with XOR-based encryption for communication. And there’s a massive increase in how often it’s being seen:

In the last six months, we observed a 254% increase in activity from a Linux trojan called XorDdos. First discovered in 2014 by the research group MalwareMustDie, XorDdos was named after its denial-of-service-related activities on Linux endpoints and servers as well as its usage of XOR-based encryption for its communications.

Here’s how it works:

XorDdos’ modular nature provides attackers with a versatile trojan capable of infecting a variety of Linux system architectures. Its SSH brute force attacks are a relatively simple yet effective technique for gaining root access over a number of potential targets.

Adept at stealing sensitive data, installing a rootkit device, using various evasion and persistence mechanisms, and performing DDoS attacks, XorDdos enables adversaries to create potentially significant disruptions on target systems. Moreover, XorDdos may be used to bring in other dangerous threats or to provide a vector for follow-on activities.

Microsoft sums up how to defend yourself this way:

Defenders can apply the following mitigations to reduce the impact of this threat:

  • Encourage the use of Microsoft Edge—available on Linux and various platforms—or other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware.
  • Use device discovery to find unmanaged Linux devices on your network and onboard them to Microsoft Defender for Endpoint.
  • Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to use cloud-based machine learning protections that can block a huge majority of new and unknown variants.
  • Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode.
  • Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
  • Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.

Clearly cross-platform threats are real, which means that you need cross-platform security. The days of Linux being secure because nobody targets that platform are over.
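The SSH brute-force entry point Microsoft describes leaves a very visible trail in sshd logs, and that trail is worth alerting on even without an EDR product. The following is an added example and not Microsoft’s code: it replays constructed auth.log lines, flags a source that reaches a failure threshold inside a short window, and flags the event that actually matters for XorDdos, a successful login from that same source afterwards. The window, threshold and log year are assumptions chosen for the demo.

```python
"""Added example: spot the SSH brute-force pattern XorDdos uses for initial
access in sshd log lines. Log lines below are constructed; the year is an
assumption because syslog timestamps omit it."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_YEAR = 2022                 # assumed: syslog lines carry no year
WINDOW = timedelta(minutes=5)   # assumed detection window
THRESHOLD = 5                   # assumed failures per source inside WINDOW

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse(line):
    """Return (timestamp, result, user, ip) for a password-auth line, else None."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect(lines):
    """Return findings as (kind, ip, user, timestamp) tuples.

    'bruteforce' fires once per source when failures in WINDOW reach THRESHOLD;
    'success-after-bruteforce' fires when that same source then authenticates,
    which is the point at which a bot like XorDdos would drop its payload.
    """
    failures = defaultdict(list)   # ip -> failure timestamps still inside WINDOW
    flagged = set()
    findings = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        recent = [t for t in failures[ip] if ts - t <= WINDOW]
        if result == "Failed":
            recent.append(ts)
            if len(recent) >= THRESHOLD and ip not in flagged:
                flagged.add(ip)
                findings.append(("bruteforce", ip, user, ts))
        elif ip in flagged or len(recent) >= THRESHOLD:
            findings.append(("success-after-bruteforce", ip, user, ts))
        failures[ip] = recent
    return findings


SAMPLE_LOG = [  # constructed lines in the usual auth.log format
    "May 20 03:14:01 web1 sshd[2201]: Failed password for root from 203.0.113.5 port 40102 ssh2",
    "May 20 03:14:03 web1 sshd[2203]: Failed password for root from 203.0.113.5 port 40104 ssh2",
    "May 20 03:14:06 web1 sshd[2205]: Failed password for invalid user admin from 203.0.113.5 port 40108 ssh2",
    "May 20 03:14:07 web1 sshd[2206]: Failed password for root from 198.51.100.7 port 51000 ssh2",
    "May 20 03:14:09 web1 sshd[2208]: Failed password for root from 203.0.113.5 port 40111 ssh2",
    "May 20 03:14:12 web1 sshd[2210]: Failed password for root from 203.0.113.5 port 40115 ssh2",
    "May 20 03:14:20 web1 sshd[2214]: Accepted password for root from 203.0.113.5 port 40120 ssh2",
    "May 20 03:30:00 web1 sshd[2300]: Accepted password for alice from 198.51.100.7 port 51020 ssh2",
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)   # two findings, both for 203.0.113.5
```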

“Five Eyes” Puts Out Cybersecurity Advisory That Highlights Microsoft Products In A Bad Way

Posted in Commentary on April 28, 2022 by itnerd

There’s a Cybersecurity Advisory that was released yesterday jointly by the cybersecurity authorities of the United States, Australia, Canada, New Zealand and the United Kingdom, collectively known as the “Five Eyes”, which includes major agencies like the NSA, FBI, CISA and CIA. The advisory details the 15 most common vulnerabilities and exposures (CVEs) exploited by hackers in 2021:

Globally, in 2021, malicious cyber actors targeted internet-facing systems, such as email servers and virtual private network (VPN) servers, with exploits of newly disclosed vulnerabilities. For most of the top exploited vulnerabilities, researchers or other actors released proof of concept (POC) code within two weeks of the vulnerability’s disclosure, likely facilitating exploitation by a broader range of malicious actors.

To a lesser extent, malicious cyber actors continued to exploit publicly known, dated software vulnerabilities—some of which were also routinely exploited in 2020 or earlier. The exploitation of older vulnerabilities demonstrates the continued risk to organizations that fail to patch software in a timely manner or are using software that is no longer supported by a vendor.

Of those top 15 CVEs, an alarming 9 are due to deficiencies in Microsoft designed, operated, and owned systems, including 7 CVEs within Microsoft’s Exchange Server. The advisory also notes a broader list of frequently exploited CVEs, another four of which are from Microsoft. This is a concerning and frightening number of easily exploitable vulnerabilities in an operating system that bills itself as the world’s premiere defense against cyberattacks.

If you run Exchange Server, you should be taking a look at this advisory. The bad guys are clearly exploiting these vulnerabilities, which means that you need to be actively defending against them. And even if you aren’t running Microsoft Exchange, this advisory is still worth reading as it will give you some places to look to ensure that you have the best protections from getting pwned.

Microsoft Confirms That They Got Pwned By LAPSUS$

Posted in Commentary on March 23, 2022 by itnerd

Microsoft last night confirmed that they were indeed pwned by the LAPSUS$ group, or DEV-0537 as Microsoft calls them, after the extortion group released 37GB of source code from Microsoft’s Azure DevOps server. The source code is for various internal Microsoft projects, including Bing, Cortana and Bing Maps, as I described in this story from yesterday.

This week, the actor made public claims that they had gained access to Microsoft and exfiltrated portions of source code. No customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity. Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk. The tactics DEV-0537 used in this intrusion reflect the tactics and techniques discussed in this blog. Our team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion. This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact.

If a company as big as Microsoft can get pwned, then nobody is safe.

Saryu Nayyar, CEO and Founder, Gurucul had this to say:

“Gurucul Labs has done extensive research over many years where we see an Insider Threat quickly becomes apparent as an External Threat and are often not mutually exclusive. This has been more common when insiders are recruited by external groups based on nation-state attack objectives seeking to gain access to networks, steal intellectual property or gain further intelligence on individuals. This is a dangerous and emerging situation where rather than through some combination of blackmail, patriotism, and financial incentives, The Lapsus$ ransomware group has determined that the financial incentive is significant enough to “turn” an insider. Recruiting insiders for stealing sensitive data and executing ransomware, with this combined impact being referred to as a “double extortion” campaign, can be extraordinarily difficult to detect for most XDR and SIEM solutions because they lack the analytics and machine learning models to identify both internal and external malicious activity as being part of the same attack. Customers need the unique approach of combining traditional security analytics, Network Traffic Analytics (NTA), User Entity Behavior Analytics (UEBA) and Identity Access Analytics (IAA) with a risk prioritization engine to determine if users are violating their access privileges in terms of resources and applications, transpiring in any unusual activity based on their role and entitlements, or suspiciously communicating with external parties. The right solution can enable security teams to escalate in real-time with the necessary context and risk priority in order for the organization to take precise and swift action. Even if the attack has progressed rapidly, it is still important to understand communications and transactional data flow that is indicative of data exfiltration and allow for rapid response to shut it down immediately.”

Peter Stelzhammer, Co-Founder, AV-Comparatives had this to add:

“Even as single sign-on solutions are on the rise, there are some downsides with them, as well with other systems like password managers. It sounds promising to memorize only one password like your master password, but it comes with a downside. In the past years we have seen LastPass, Dashlane, 1Password, Keeper, Onelogin and KeePass with vulnerabilities. Not all of them lead to breaches, but it shows the dangerousness. Cyber criminals are now on the way to attack the superordinate units instead of the low-level single password of the user. This shows how dependent we all are, from proper coding and vulnerabilities research, full single sign on solutions and password managers. Of course, the best would be using different 20-character passwords with special characters and numbers as well as different login names, but that’s not convenient nor practical. Even with biometric access you fall into a trap. What we have to do is watch the tools we use for vulnerabilities.”

This should serve as a big wake up call that cybersecurity is no longer optional. Because in this case, Microsoft got pwned. Which means that you could be next if you don’t take action now.

UPDATE: Darren Williams, CEO and Founder of BlackFog offers this additional perspective:

“The attack on Microsoft follows the typical pattern we are seeing from the Lapsus$ extortion gang including the recent attack on computer hardware manufacturer Nvidia. The Lapsus$ gang in particular has ramped up attacks in March, and which further highlights that the traditional defensive approaches that have been historically relied on are failing organizations today. Perimeter defense tactics are insufficient when it comes to preventing these attacks and the inevitable data exfiltration. The growing importance of anti-data exfiltration techniques must be considered when it comes to preventing these catastrophic losses in the future.”

Microsoft Is Halting New Sales To Russia

Posted in Commentary on March 4, 2022 by itnerd

Microsoft gets part marks from me on this. The good part of this is that Microsoft is halting “many aspects” of its business in the country to honor US, UK and EU sanctions. Here’s why they don’t get a perfect grade from me:

We are announcing today that we will suspend all new sales of Microsoft products and services in Russia.

In addition, we are coordinating closely and working in lockstep with the governments of the United States, the European Union and the United Kingdom, and we are stopping many aspects of our business in Russia in compliance with governmental sanctions decisions.

We believe we are most effective in aiding Ukraine when we take concrete steps in coordination with the decisions being made by these governments and we will take additional steps as this situation continues to evolve.

Now the cynic in me says that this doesn’t go as far as Blackberry’s exit from Russia, where they’ve totally cut Russia off. As in no sales, no support, nothing. To be fair, that’s not 100% clear from the blog post. But Microsoft needs to make that clear. Like now. And by the way, what does “stopping many aspects of our business in Russia” mean? They need to clarify that too. Like now.

Also in that blog post was this:

Our single most impactful area of work almost certainly is the protection of Ukraine’s cybersecurity. We continue to work proactively to help cybersecurity officials in Ukraine defend against Russian attacks, including most recently a cyberattack against a major Ukrainian broadcaster.

Since the war began, we have acted against Russian positioning, destructive or disruptive measures against more than 20 Ukrainian government, IT and financial sector organizations. We have also acted against cyberattacks targeting several additional civilian sites. We have publicly raised our concerns that these attacks against civilians violate the Geneva Convention.

Okay. I can be down with that. It would take away a major offensive weapon that the Russians love to use.

Who’s going to be the next company to pull out of Russia? I’m taking bets.

Other Companies Are Fighting Russian Disinformation…. But Where’s Apple?

Posted in Commentary on March 1, 2022 by itnerd

Earlier today, I wrote that Twitter was taking action to stop disinformation from spreading from Russian media. After some looking around, I found that other social media platforms are doing the same thing in whole or in part.

Let’s start with Facebook:

Facebook’s parent company Meta said Monday it will limit access to Russian state-controlled media outlets RT and Sputnik across the European Union, a move that will likely heighten tensions between the world’s largest social network and the Russian government.

“We have received requests from a number of governments and the EU to take further steps in relation to Russian state-controlled media. Given the exceptional nature of the current situation, we will be restricting access to RT and Sputnik across the EU at this time,” Nick Clegg, who oversees global affairs at Meta and is the former UK deputy prime minister, said in a tweet.

Now let’s go to TikTok:

TikTok has joined Facebook in blocking access to two Russian state media outlets in the European Union. Sputnik and RT are no longer able to post to audiences within the EU, and their pages and content will no longer be accessible to users in the bloc, a TikTok spokesperson confirmed.

Next up is YouTube:

Google’s YouTube said Tuesday that it would block Kremlin-backed media outlets RT and Sputnik from Europe following similar bans by Facebook and TikTok.

“It’ll take time for our systems to fully ramp up. Our teams continue to monitor the situation around the clock to take swift action,” Google’s video streaming service said in a statement.

YouTube’s ban — following an announcement from the European Commission that it wanted to remove these Russian media outlets from the EU — would apply within the European Union and the U.K.

While this is not meant to fight disinformation, Google is disabling live traffic in Ukraine:

The company said it had taken the action of globally disabling the Google Maps traffic layer and live information on how busy places like stores and restaurants are in Ukraine for the safety of local communities in the country, after consulting with sources including regional authorities.

Now over to Netflix:

Netflix was due to fall under a series of new obligations in Russia on March 1 after it was added to a register of “audiovisual services” overseen by the country’s communications regulator, Roskomnadzor, last year.

The obligations mean that Netflix would have had to stream 20 Russian federal television stations, including the likes of Channel One, NTV and a channel run by the Russian Orthodox Church, Spas. Channel One in particular has close links to the Kremlin.

“Given the current situation, we have no plans to add these channels to our service,” a Netflix spokesperson said on Monday evening.

Finally, Microsoft has announced that they are going to de-rank Russian media outlets on Bing so that they don’t show up nearly as often as well as pulling apps from the Windows Store that are associated with Russian media:

We are moving swiftly to take new steps to reduce the exposure of Russian state propaganda, as well to ensure our own platforms do not inadvertently fund these operations. In accordance with the EU’s recent decision, the Microsoft Start platform (including will not display any state-sponsored RT and Sputnik content. We are removing RT news apps from our Windows app store and further de-ranking these sites’ search results on Bing so that it will only return RT and Sputnik links when a user clearly intends to navigate to those pages. Finally, we are banning all advertisements from RT and Sputnik across our ad network and will not place any ads from our ad network on these sites.

Who’s missing from this list? Apple. One has to wonder why a company that preaches that it has such high ideals isn’t rushing to join this. As I type this, apps from RT and Sputnik, which are two of the biggest mouthpieces for the Russians, are still available on the App Store. Why isn’t Apple taking action? That’s a very interesting question that Apple will need to answer ASAP, as they really stand out for not having taken action unlike all the companies above. And I should also say, it looks really bad on them.

Want To Install Windows 11 Pro? Soon You’ll Need An Internet Connection & A Microsoft Account

Posted in Commentary on February 20, 2022 by itnerd

Microsoft has announced that later this year, users will be required to connect to the internet and sign in with a Microsoft Account during the out of box setup experience on Windows 11 Pro. The news comes via a change log in the latest Windows 11 preview build:

Similar to Windows 11 Home edition, Windows 11 Pro edition now requires internet connectivity during the initial device setup (OOBE) only. If you choose to setup device for personal use, MSA will be required for setup as well. You can expect Microsoft Account to be required in subsequent WIP flights.

Now if you’ve got Windows 11, you needed to do this. Which is one reason why I haven’t moved my production computer to Windows 11 yet. But this is going to tick off users for the following reasons:

  • If you don’t want to use a Microsoft account to use Windows 11, and there are many who don’t, this will tick you off.
  • If you want to use Windows 11 in a completely “air-gapped” environment, meaning that you want to set it up and use it completely off the Internet for security reasons, that’s a non-starter.

Now why don’t I want to use a Microsoft account? With my personal computers running Windows 10, I skip setting up a Microsoft Account and set up a local account instead using this workaround, as this isn’t the first time Microsoft has tried something like this, and I prefer local accounts over ones that talk to Microsoft. Call me paranoid. Then I leave it like that. On the shipping build of Windows 11, it was relatively easy to bypass the internet requirement on Windows 11 Home. But in this build of Windows 11, this workaround no longer works. And seeing as this is in a development build, it means that this will make it into shipping versions of Windows sometime this year, infuriating users in the process.

Microsoft should get ready for the blowback. Because it’s coming.

Microsoft Office 365 Is A Target For MFA “Fatigue” Attack Says GoSecure Report

Posted in Commentary on February 17, 2022 by itnerd

It is considered good practice to use multi-factor authentication, or MFA, for any accounts that you have, as that should make you less likely to be pwned. But GoSecure has a report out that says not so fast on that front. They’ve come across an MFA attack that leverages the one weakness of MFA. Fatigue:

The term “MFA Fatigue” refers to the overload of notifications or prompts via MFA applications, in multiple accounts, that the user receives during the day to perform logins or approve different actions. It should not be confused with “Password Fatigue” in which the user is overwhelmed with the number of passwords or PINs they must remember for multiple accounts or events. MFA Fatigue and Password Fatigue do share a similar theme, that the user is “fatigued” (or overwhelmed by volume) and will start setting security best practices aside and become careless, putting their organization and their accounts in danger of compromise. 

As a result there are now attacks that leverage this fatigue to pwn you. Which of course is bad. Lucas Budman, CEO of TruU had this to say:

“MFA fatigue will continue to proliferate unless we leverage new ways of authenticating users that cannot be easily stolen or manipulated. Multifactor is common parlance, but in fact for most people “multi” really means a single factor that serves as the second or MFA factor.  The reality is that it’s very easy to compromise a password, making us completely dependent on the second or “band-aid” factor. New solutions like TruU address these issues by completely eliminating the password and by continuously monitoring a host of behavioral and environmental signals—in other words, true multifactor.”

The solution mentioned in the above paragraph is also known as passwordless authentication, and many companies are bringing this, or have brought this, to market in a variety of forms. Thus if you’re security conscious, you should have a look at this tech to keep your enterprise safe.