Uncategorized

The MAY 2019 IIL blog features several techniques for filtering Microsoft Excel spreadsheets to zero in on targeted results

Basic Filtering in Excel

In this blog I’ll discuss filtering. In another continued blog, I’ll talk about advanced filtering. First, what is filtering? Notice all the filtering is done using the selected cell’s property, whereas in the previous filter by color (a misnomer, actually, because you can also filter here by icon), you can see all the choices available. Next month, we’ll show what can be done with advanced filtering.

https://isc.sans.edu/forums/diary/CVE20190604+Attack/24952/

https://www.thezdi.com/blog/2019/3/13/cve-2019-0604-details-of-a-microsoft-sharepoint-rce-vulnerability

Over the past week, I started seeing attacks on Sharepoint servers using vulnerability CVE-2019-0604. The Zero Day Initiative has a great write up(1) on the exploit of the vulnerability. Initial detection of the exploit came from endpoint exploit detection. When reviewing the IIS logs, we saw a post to the Picker.aspx. This appears to be the most common entry point for this attack exploiting CVE-2019-0604.

Initial Log — 2019-05-02 07:04:13 192.168.1.1 POST /_layouts/15/Picker.aspx – 443 – 121.147.96.8 python-requests/2.18.4 200 0 0 670

In the case of this attacker, they dropper a China Chopper payload on the server. China Chopper has been around for a long time. Crowdstrike did a great writeup(2) in 2015. The payload for this is just a one-liner that was echoed into the files via command line. The anomaly that endpoint detected was a cmd shell spawning by w3wp.exe process.

US CERT resources are shared below as there are concerns, this new vulnerability could turn into an internet WORM — which could impact any exposed & vulnerable system randomly.

https://www.us-cert.gov/ncas/current-activity/2019/05/16/Microsoft-Releases-Security-Updates-Address-Remote-Code-Execution

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708

Microsoft has released security updates to address a remote code execution vulnerability in the following in-support and out-of-support operating systems:

In-support systems: Windows 7, Windows Server 2008 R2, and Windows Server 2008

Out-of-support systems: Windows 2003 and Windows XP

A remote attacker could exploit this vulnerability to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Microsoft Security Advisory and Microsoft Customer Guidance for CVE-2019-0708 and apply the necessary updates

When IT Pros invest in their continuing education, it is of value to both them & their employers. Some key advantages of professional designations are noted below

https://www.eweek.com/it-management/top-five-reasons-to-earn-certificate

It’s no secret that tech automation is poised to upend many traditional careers. The good news is that if you have the right technical background, your skills are in greater demand than ever. In fact, according to a recent survey by the Consumer Technology Association, 92% of employers reported that they’ll “need more employees with technical skills.” Many of these jobs will require adeptness in relatively new fields such as artificial intelligence, machine learning and data science.

If you don’t already have experience in one of these burgeoning areas, how do you get it? Should you take off a couple of years from work and go to graduate school? Or, does it make more sense to seek out an employer that’s willing to teach you?

1. Rapid change requires constant updating of your skills.
2. A certificate program helps you earn targeted skills in less time and for less money than a degree.
3. Professional certificate programs are designed to meet employer expectations
4. Programs can offer a boost to your professional network
5. Career counselors can help you navigate your career.

KB4494441 for Windows 10 version 1809 may install twice to provide new speculative side-channel protection for the most recent Patch Tuesday update as shared below.  So far, this appears not to cause any Windows integrity issues, other than additional processing time:

https://www.ghacks.net/2019/05/16/kb4494441-for-windows-10-version-1809-may-install-twice/

https://support.microsoft.com/en-us/help/4494441/windows-10-update-kb4494441

Reports are coming in that this week’s security update for Windows 10 version 1809, KB4494441, may install twice on devices running that particular version of Windows 10. Microsoft released KB4494441 for Windows 10 version 1809 on Tuesday as part of the company’s monthly patch day. The May 2019 update for Windows 10 version 1809 patched a critical security vulnerability in Windows 10, enabled protections against a new class of speculative side-channel vulnerabilities, and enabled Retpoline to optimize protections against the Spectra 2 Variant.

The “Patch Tuesday” April 2019 Windows Security release contains an RDP vulnerability that has a potential to become a dangerous WORM that could attack randomly & infect non-patched machines with these services running.  Even better is to disable RDP to prevent malware attacks as techniques from XP to WIN10 are shared in links below

https://www.lifewire.com/disable-remote-access-in-windows-xp-2487711

https://www.lifewire.com/disable-windows-remote-desktop-153337

Why would you want to disable remote assistance or desktop? Simple, because either could be used or exploited by an attacker to gain remote access to your system, allowing them to run programs on your computer or use your computer to distribute spam or attack other computers.

Remote Assistance and Remote Desktop can be very useful when you need them. But, most of the time you don’t. In the meantime, if an attacker somehow finds a way in, or if an attack is created to exploit a vulnerability in the Remote Assistance or Remote Desktop services, your computer is just sitting and waiting to be attacked.

Having designed SOX controls in past, a long-term resource has been re-launched in MAY 2019 to include stronger passwords & spam controls.

http://www.sarbanes-oxley-forum.com

Some key topic areas include:

General Sarbanes Oxley Discussion
Sarbanes-Oxley: IT Issues
Other Legislation & Issues
Overseas Impact of Sarbanes-Oxley
Sarbanes-Oxley: Audit Issues

While Windows XP and 2003 Server are officially unsupported products, the dangers of an RDP based worm exploit being developed are probable. Microsoft has developed a special standalone patch that users can pre-install now (or disabling RDP services mitigates threat also)

https://www.pcmag.com/news/368371/microsoft-patch-old-windows-systems-or-risk-computer-worm

Microsoft is trying to prevent the outbreak of a computer worm by urging those running older Windows systems to patch their machines. Redmond has discovered a serious flaw in Windows 7, Windows XP, and Windows Server 2003 and 2008 systems, which can be exploited to create malware capable of automatically spreading from one vulnerable machine to another. “While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware,” Microsoft said. The vulnerability deals with the Remote Desktop Services function in Windows, which can allow a user to take control of the machine over a network. Enterprises often choose to activate the feature on PCs and servers as a way to control them remotely.

Normally, the access requires a correct username and password. However, Microsoft discovered that an “unauthenticated attacker” can install malware on a Windows machine through the Remote Desktop Services function by sending specially crafted data packets. The bug also requires no interaction from the owner of the affected Windows machine. So theoretically, an attacker could scan the internet to find additional machines to target. An estimated 3 million Remote Desktop Protocol endpoints are currently exposed to the internet, according to security researcher Kevin Beaumont, who cites data from device search engine Shodan.  Fortunately, Windows 10 and Windows 8 are immune from the threat

WhatsApp users should immediately update to latest version of this popular software connectivity tool

https://www.pcmag.com/news/368338/this-whatsapp-flaw-helped-send-spyware-with-a-voice-call

https://www.us-cert.gov/ncas/current-activity/2019/05/14/Facebook-Releases-Security-Advisory-WhatsApp

https://www.facebook.com/security/advisories/cve-2019-3568

WhatsApp had a scary flaw that secretly sent spyware to smartphones simply by calling the victim. On Monday, the Facebook-owned messaging service disclosed the vulnerability, which affects iOS and Android, after it was used to attack a number of victims, a WhatsApp spokesperson told PCMag. “WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date,” the spokesperson said in an email.

According to WhatsApp, the attacks have all the hallmarks of a private company that works with governments to deliver spyware to mobile phones. Although it refrained from naming the company, WhatsApp is probably referring to NSO Group, an Israeli technology firm notorious for developing a spyware program known as Pegasus, which has targeted human rights activists, politicians, and journalists. The WhatsApp vulnerability allegedly allowed NSO Group to send spyware to the victims even when didn’t answer a voice call on the app, according to The Financial Times, which was first to report the news.

US-CERT: Facebook has released a security advisory to address a vulnerability in WhatsApp. A remote attacker could exploit this vulnerability to take control of an affected device.  The Cybersecurity and Infrastructure Security Agency (CISA) encourages users to review the Facebook Security Advisory for CVE-2019-3568 and upgrade to the appropriate version.

Below are key resources documenting this recent monthly Microsoft Patch Tuesday release

https://isc.sans.edu/forums/diary/Microsoft+May+2019+Patch+Tuesday/24934/

https://blog.talosintelligence.com/2019/05/MS-Patch-Tuesday-May-2019.html

https://patchtuesdaydashboard.com/

https://portal.msrc.microsoft.com/en-us/security-guidance/summary

Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 79 vulnerabilities, 22 of which are rated “critical,” 55 that are considered “important” and one “moderate.” This release also includes two critical advisories: one covering Microsoft Live accounts and another addressing updates to Adobe Flash Player.

This month’s security update covers security issues in a variety of Microsoft’s products, including the Scripting Engine, the Microsoft Edge web browser and GDI+. For more on our coverage of these bugs, check out the Snort blog post here, covering all of the new rules we have for this release.

UPDATE: Today’s Patch Tuesday also addresses the new CPU side-channel attack published today known as Zombieload (ADV190013). As Meltdown, Spectre, and Foreshadow the new flaw may allow an attacker to steal sensitive data and keys being processed by the CPU. To fix the issue you must apply OS updates provided by Microsoft today (not available for all versions yet) and firmware microcode from device OEMs. The details for this advisory are available at

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190013