The IT Nerd

Bad news if you use Microsoft’s discontinued Boa web server. It’s being targeted by hackers. Microsoft put out a warning about this along with potential remediations, but Security Week has a story about this web server being used in attacks. Which effectively makes this a today problem for anyone who uses Boa.

Sharon Nachshony, Security Researcher, Silverfort had this to say:

     “The Microsoft research highlights a long-standing supply-chain risk to IoT and OT environments from legacy technology. While hard to manage, given the abundance of such technology in critical industries, a rigorous patching regime is essential.

Age-old vulnerabilities such as this provide a jumping-off point for attackers looking to move laterally to more sensitive areas by abusing the identity attack surface. With access to critical areas inside OT environments – their activities can quickly become significantly more impactful.

To stop lateral movement, MFA should be applied to resources such as Command Line interfaces, WMI, Shared Folders and Service Accounts to close down commonly used attack paths.”

If you’re a user of the Boa web server, consider this your invitation to follow Microsoft’s advice so that you don’t get pwned seeing as this is clearly being exploited by threat actors as I type this.

Microsoft yesterday admitted to accidentally exposing sensitive customer data after failing to configure a server security. The involved files were exposed from 2017 to August 2022, including data such as:

• Names
• Email addresses
• Email content
• Company name
• Phone numbers

In addition, Microsoft warned that the exposed data may include “attached files relating to business between a customer and Microsoft or an authorized Microsoft partner.”

SOCRadar claims that the sensitive data of over 65,000 entities in 111 countries on a misconfigured Microsoft server that had been left accessible over the internet.

What could possibly go wrong with that sort of info floating around for anyone to get access to?

John Stevenson, Product Director at Cyren had:

     “Given that Cloud server ‘misconfigurations’ are one of the most common root causes for the loss of personally identifiable information (PII), it is extremely important that organizations stay vigilant for any attempt to target them or their employees, especially through phishing attempts. While there is currently no evidence that the PII accessible from the server has been exploited in the wild, search tools such as the one referenced here are undoubtedly double-edged. At this time, the ‘BlueBleed’ site allows any authenticated user to search the data repository. With the news of this leak, it is essential that organizations look to additional security controls that operate in the inbox to identify targeted, socially engineered email attacks that are routinely missed by Microsoft’s native security controls.”

SOCRadar, which has dubbed the data breach “BlueBleed”, has created a website where concerned companies can search to see if their data has been exposed. You might want to pay a visit to see if your company has been affected.

If you are responsible for an Microsoft Exchange server and it is not Microsoft’s Exchange Online offering, then you should read this story and take action immediately. Microsoft is reporting via a blog post that there’s a zero-day Exchange vulnerability in the wild:

Microsoft is aware of limited targeted attacks using two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. The first one, identified as CVE-2022-41040, is a server-side request forgery (SSRF) vulnerability, while the second one, identified as CVE-2022-41082, allows remote code execution (RCE) when Exchange PowerShell is accessible to the attacker. Refer to the Microsoft Security Response Center blog for the mitigation guidance regarding these vulnerabilities.  

CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. However, authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability, and they can be used separately.

Microsoft Defender Antivirus and Microsoft Defender for Endpoint detect post-exploitation malware and activity associated with these attacks. Microsoft also released a script, available at https://aka.ms/eomtv2, to apply the mitigations for the SSRF vector CVE-2022-41040 to on-premises Exchange servers.

Microsoft will continue to monitor threats that take advantage of these vulnerabilities and take necessary response actions to protect customers.

What makes these exploits so dangerous is this:

While these vulnerabilities require authentication, the authentication needed for exploitation can be that of a standard user. Standard user credentials can be acquired via many different attacks, such as password spray or purchase via the cybercriminal economy.

So, if any user who gets e-mail from an Exchange server has their credentials leak out to threat actors, then the threat actors can use these exploits to pwn the Exchange server. Lovely.

The fact that the attacks at present are targeted implies that a nation state is behind this. There are no signs yet that the exploits have been publicly published. But that’s likely to to change soon. Which is why Exchange admins need to take action now by following this guidance from Microsoft. To reiterate, if you’re responsible for administering an Exchange server that is part of Microsoft’s Exchange Online offering, then you need not worry. If however your Exchange server is on premise, then you have some work to do. And that work is a today problem.

If you’re not familiar with Microsoft BitLocker, it’s the native full disk encryption product for Microsoft Windows. But only the business and enterprise versions. The consumer versions of Windows 10 and 11 don’t have this feature. Enterprises around the world use this as a way to encrypt the data on their hard drive for security reasons. But it appears that threat actors are also using this to launch ransomware attacks according to Microsoft:

Microsoft threat intelligence teams have been tracking multiple ransomware campaigns and have tied these attacks to DEV-0270, also known as Nemesis Kitten, a sub-group of Iranian actor PHOSPHORUS. Microsoft assesses with moderate confidence that DEV-0270 conducts malicious network operations, including widespread vulnerability scanning, on behalf of the government of Iran. However, judging from their geographic and sectoral targeting, which often lacked a strategic value for the regime, we assess with low confidence that some of DEV-0270’s ransomware attacks are a form of moonlighting for personal or company-specific revenue generation. This blog profiles the tactics and techniques behind the DEV-0270/PHOSPHORUS ransomware campaigns. We hope this analysis, which Microsoft is using to protect customers from related attacks, further exposes and disrupts the expansion of DEV-0270’s operations.

DEV-0270 leverages exploits for high-severity vulnerabilities to gain access to devices and is known for the early adoption of newly disclosed vulnerabilities. DEV-0270 also extensively uses living-off-the-land binaries (LOLBINs) throughout the attack chain for discovery and credential access. This extends to its abuse of the built-in BitLocker tool to encrypt files on compromised devices.

In some instances where encryption was successful, the time to ransom (TTR) between initial access and the ransom note was around two days. The group has been observed demanding USD 8,000 for decryption keys. In addition, the actor has been observed pursuing other avenues to generate income through their operations. In one attack, a victim organization refused to pay the ransom, so the actor opted to post the stolen data from the organization for sale packaged in an SQL database dump.

I have to admit that this is novel as the threat actors are using built in tools to pwn their targets. The Microsoft report has mitigation strategies that you should read and implement. Because it seems that we’re going to hear more from this in the weeks and months to come.

Microsoft on Thursday released their findings regarding H0lyGh0st, which is a group with ties to North Korea which utilizes a ransomware payload with the same name for its campaign and has successfully compromised small businesses in multiple countries, starting as early as September 2021.

Along with their H0lyGh0st payload, DEV-0530 maintains an .onion site that the group uses to interact with their victims. The group’s standard methodology is to encrypt all files on the target device and use the file extension .h0lyenc, send the victim a sample of the files as proof, and then demand payment in Bitcoin in exchange for restoring access to the files. As part of their extortion tactics, they also threaten to publish victim data on social media or send the data to the victims’ customers if they refuse to pay. This blog is intended to capture part of MSTIC’s analysis of DEV-0530 tactics, present the protections Microsoft has implemented in our security products, and share insights on DEV-0530 and H0lyGh0st ransomware with the broader security community to protect mutual customers.

Saryu Nayyar, CEO and Founder, Gurucul had this comment:

     “While ransomware is seemingly focused on getting paid to unlock your sensitive data, threat actors often return multiple times once they are successful at an attack, knowing the victim has paid once. We also know they often replicate the data for themselves for sale even as they lock organizations out of their own data. However, this additional extortion through threats of posting the already stolen data is another example of how threat actors find ways to extract more out of their victims. It feels like a never-ending cycle for targeted organizations. This reinforces the need to evaluate newer and more advanced technologies beyond current XDR and SIEM platforms as part of ongoing threat detection and response initiatives within security operations to prevent a successful detonation of ransomware. Prioritizing solutions that automate detection, prioritize seemingly random indicators of compromise for further investigation and even automating responses with a high-level of confidence and low impact are critical in deciding where to invest.”

I would take a good look at the Microsoft report on these threat actors as this is clearly a dangerous bunch of individuals.

Microsoft is getting ready to send reminders to Windows 8.1 users that support will end on January 10th 2023. Which is the same strategy that they used with Windows 7. What does that mean for you? Microsoft has a webpage here that has a FAQ which spells out what the end of support will means.

My advice is that if you’re still on Windows 8.1, or Windows 7 for that matter, you should be looking towards upgrading to a Windows 11 (or Windows 10) PC as that will provide you with a safer and more secure platform to do whatever it is that you need your computer to do. Because holding on to any computer that runs an earlier Microsoft OS really isn’t a good idea.

Are you having trouble with Microsoft Office365 this morning? If so, you’re not alone as it appears to be having issues. Users have been reporting the following:

• Being asked to relogin to their accounts
• Emails stuck in queues and not getting delivered
• Not being able to access their Exchange Online mailboxes via any connection method they tried. 

Microsoft has seemed to admit that there’s a problem.

I’ve done some testing with a couple of Office365 accounts and I only have issues with one of them. So this is a thing quite clearly. I’ll be keeping an eye on this as this is possibly going to impact a large number of people.

I’ve been delaying writing about this until I could get some more information about this zero day exploit, and mitigation strategies for it. Let’s start with the exploit.

Researchers warned last weekend that a flaw in Microsoft’s Support Diagnostic Tool could be exploited using malicious Word documents to remotely take control of target devices. Here’s some details:

On May 27, a researcher who uses the online moniker “nao_sec” reported on Twitter that they had found an interesting malicious document on the VirusTotal malware scanning service. The malicious Word file, uploaded from Belarus, is designed to execute arbitrary PowerShell code when opened.

The malware was later analyzed by several others, including researcher Kevin Beaumont, who published a blog post detailing his findings on Sunday.

“The document uses the Word remote template feature to retrieve a HTML file from a remote webserver, which in turn uses the ms-msdt MSProtocol URI scheme to load some code and execute some PowerShell,” Beaumont explained, adding, “That should not be possible.”

The researcher noted that the code is executed even if macros are disabled — malicious Word documents are typically used for code execution via macros. Microsoft Defender currently does not appear to be capable of preventing execution.

“Protected View does kick in, although if you change the document to RTF form, it runs without even opening the document (via the preview tab in Explorer) let alone Protected View,” Beaumont said.

The researcher decided to name the zero day vulnerability “Follina” because the malicious file references 0438, which is the area code of Follina, a village in Italy.

This is now being tracked as CVE-2022-30190. Currently there is no fix for it that Microsoft has issued. But they offer guidance for mitigation. That all sounds good, but here’s the bad news. This appears to be actively being exploited by threat actors and Microsoft may have been asleep at the switch:

The Microsoft Support Diagnostic Tool vulnerability was reported to Microsoft on April 12 as a zero-day that was already being exploited in the wild, researchers from Shadow Chaser Group said on Twitter. A response dated April 21, however, informed the researchers that the Microsoft Security Response Center team didn’t consider the reported behavior a security vulnerability because, supposedly, the MSDT diagnostic tool required a password before it would execute payloads.

On Monday, Microsoft reversed course, identifying the behavior with the vulnerability tracker CVE-2022-30190 and warning for the first time that the reported behavior constituted a critical vulnerability after all.

That’s bad on Microsoft’s part. Really bad.

My advice is that you should follow Microsoft’s guidance for this to mitigate the issue until a fix appears. Because if there is no fix, and it’s actively being exploited by threat actors, it’s only a matter of time before there is widespread pwnage.

The Microsoft 365 Defender Research Team has come across a new type of Linux trojan combining denial-of-service functionality with XOR-based encryption for communication. And there’s a massive increase on how often it’s been seen:

In the last six months, we observed a 254% increase in activity from a Linux trojan called XorDdos. First discovered in 2014 by the research group MalwareMustDie, XorDdos was named after its denial-of-service-related activities on Linux endpoints and servers as well as its usage of XOR-based encryption for its communications.

Here’s how it works:

XorDdos’ modular nature provides attackers with a versatile trojan capable of infecting a variety of Linux system architectures. Its SSH brute force attacks are a relatively simple yet effective technique for gaining root access over a number of potential targets.

Adept at stealing sensitive data, installing a rootkit device, using various evasion and persistence mechanisms, and performing DDoS attacks, XorDdos enables adversaries to create potentially significant disruptions on target systems. Moreover, XorDdos may be used to bring in other dangerous threats or to provide a vector for follow-on activities.

Microsoft sums it up how to defend yourself this way:

Defenders can apply the following mitigations to reduce the impact of this threat:

• Encourage the use of Microsoft Edge—available on Linux and various platforms—or other web browsers that support Microsoft Defender SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that contain exploits and host malware.
• Use device discovery to find unmanaged Linux devices on your network and onboard them to Microsoft Defender for Endpoint. 
• Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to use cloud-based machine learning protections that can block a huge majority of new and unknown variants. 
• Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode.
• Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet. 
• Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume. 

Clearly cross platform threats are real. Which means that you have to have a cross platform security. And the days of Linux being secure because nobody targets that platform are over.