Archive for January 24th, 2017

Windows 10 – New Defender Security Center will centralize controls

The forthcoming “Windows 10 Creators Update” will centralize security controls within the new Defender Security Center. This will make it easier for users to tune privacy and security settings on their computers and devices.

The Windows Defender Security Center includes five pillars that give you control and visibility of your device security, health and online safety experiences.

1. Virus & threat protection — provides a new view of your antivirus protection, whether it’s Windows Defender Antivirus that comes free with Windows 10 or AV software from one of our ecosystem partners. If you’ve chosen Windows Defender Antivirus, your scan results and threat history will be displayed here; otherwise you will be able to launch your third-party AV protection app directly from this screen.

2. Device performance & health — provides a single view of your latest Windows updates, drivers, battery life and storage capacity. Additionally, you have the option to start fresh with a clean install of Windows using the Refresh Windows feature. This option will keep your personal files and some Windows settings, and remove most of your apps for a fresh start that can help with performance improvements should your device need them.

3. Firewall & network protection — provides information on the network connections and active Windows Firewall settings, as well as links to network troubleshooting information.

4. App & browser control — allows you to adjust settings for SmartScreen for apps and browsers helping you be more informed and stay safer online by warning you of potential malicious sites, downloads and unrecognized apps and files from the Internet.

5. Family options — gives you an easy way to connect to the family options available online. This page can link you to information about parental controls, options for setting up good screen time habits, setting up activity reports of your kids’ online activity and managing controls for purchasing apps and games. You can also view the health and safety of your family’s devices from this centralized location.

Oracle – Huge January 2017 quarterly security update

In the latest quarterly security update, Oracle has patched 270 vulnerabilities across its product base.

Oracle is out with its first Critical Patch Update (CPU) for 2017 and it’s a big one. In total, Oracle is patching a staggering 270 different vulnerabilities across its software portfolio, with 121 patches in Oracle’s E-Business Suite alone. In its security advisory for the January 2017 CPU, Oracle strongly recommends that organizations patch quickly.

The largest set of patches in the new CPU are for Oracle’s E-Business Suite, which accounted for 42 percent of the entire CPU. Of the 121 security issues in the E-Business Suite, 118 are remotely exploitable without the need for a user to enter credentials. Oracle’s open-source MySQL database is being patched for 27 different security issues, though only 5 of them are remotely exploitable without authentication. The Fusion Middleware suite is being updated for 18 different vulnerabilities, with 16 of the issues being remotely exploitable without user authentication. Java, which in the past has typically been among the Oracle software components with the most vulnerabilities, is being patched for 17 issues in the January CPU.

Ransomware – New Sage 2.0 variant circulating in-the-wild

The Internet Storm Center documents a new ransomware variant circulating in-the-wild:

On Friday 2017-01-20, I checked a malicious spam (malspam) campaign that normally distributes Cerber ransomware. That Friday it delivered ransomware I’d never seen before called “Sage.” More specifically, it was “Sage 2.0.” Sage is yet another family of ransomware in an already crowded field. It was noted on BleepingComputer forums back in December 2016, and Sage is a variant of CryLocker.

Emails from this particular campaign generally have no subject lines, and they always have no message text. The only content is a zip attachment containing a Word document with a malicious macro that downloads and installs ransomware. Sometimes, I’ll see a .js file instead of a Word document, but it does the same thing. The Word document macros or .js files are designed to download and install ransomware.

The infected Windows host has an image of the decryption instructions as the desktop background. There’s also an HTML file with the same instructions dropped to the desktop. The same HTML file is also dropped to any directory with encrypted files. “.sage” is the suffix for all encrypted files.
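Two defender-side checks built from the indicators in the diary above, as an added example that is not code from the ISC diary or this blog: a mail-gateway rule that flags zip attachments holding a Word document or .js file (the lure pattern), and a filesystem sweep that counts “.sage” files per directory to scope an infection. The macro-capable extension list, the sample zip and the sample directory tree are constructed for the example; the diary itself names only “.js” and “Word document”.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path

# Indicators from the Sage 2.0 write-up: the lure zip holds a Word document with a
# macro or a .js file, and encrypted files carry a ".sage" suffix. The exact
# extension list is this example's assumption; the write-up names only ".js".
LURE_EXTENSIONS = {".doc", ".docm", ".dotm", ".js"}
ENCRYPTED_SUFFIX = ".sage"


def suspicious_zip_members(zip_bytes: bytes) -> list[str]:
    """Member names in a zip attachment matching the lure pattern (gateway check)."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []  # not a zip at all: nothing for this rule to say
    return [n for n in names if Path(n).suffix.lower() in LURE_EXTENSIONS]


def sage_impact(root: str) -> dict[str, int]:
    """Count ".sage" files per directory under root, to scope an infection."""
    hits: dict[str, int] = {}
    for dirpath, _dirs, files in os.walk(root):
        n = sum(1 for f in files if f.lower().endswith(ENCRYPTED_SUFFIX))
        if n:
            hits[os.path.relpath(dirpath, root)] = n
    return hits


def build_sample_zip(member: str = "invoice_4821.docm") -> bytes:
    """Constructed lure attachment: a zip holding one empty document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"")
    return buf.getvalue()


def build_sample_tree() -> str:
    """Constructed post-infection tree: two .sage files at top level, one in docs/."""
    root = tempfile.mkdtemp(prefix="sage_demo_")
    os.mkdir(os.path.join(root, "docs"))
    for name in ("a.txt.sage", "b.xlsx.sage", "readme.txt", "docs/c.pdf.sage"):
        Path(root, name).write_bytes(b"")
    return root
```

Running `sage_impact(build_sample_tree())` on the constructed tree returns `{'.': 2, 'docs': 1}`, which is the per-folder view an incident responder uses to decide which shares to isolate first.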

Ransomware – Petya variant targets Human Resources users via Job applications

Ransomware dangers continue to circulate in-the-wild. SHRM, a major Human Resources professional networking site, describes the risks of a new Petya variant that targets companies via infected job applications.

HR departments are being targeted by a new ransomware attack that comes disguised as a job application. The cybercriminals behind the attacks demand about $1,000 in digital currency called bitcoin to restore data on infected computers, according to a recent blog post by Check Point Software. One bitcoin is worth roughly $894, according to Coindesk, a site that tracks news and information about digital currencies.

Once an applicant applies for a job by filling out the online application, they may be asked to e-mail additional files. The malware arrives in an e-mail with two attachments—a benign PDF that appears to be an applicant’s cover letter and an Excel file containing infected macros—reported Check Point, a San Carlos, Calif.-based malware-protection firm. This ransomware is a variant of one called Petya, which was developed by a cybercriminal who goes by the name Janus, according to Check Point.

Victims receive a ransom message on their screen telling them that their hard disk has been “infected with a military grade encryption algorithm. There is no way to restore your data without a special key” that only the cybercriminals can provide.

Petya and other malware are sold as ransomware-as-a-service products, so it’s “very likely” that more than one cybercriminal is using this type of malware, Check Point said. To avoid a malware infection, ZDNet advises, don’t enable macros on Microsoft Office documents and watch for unanticipated or notably generic e-mails. “The most effective solution revolves around security awareness training, specifically utilizing phishing simulation training.”