Computer Safety & News

Canada’s Centre for Cyber Security (CCCS) has become aware of a memory resident keylogger malware campaign, affecting Microsoft Windows .  It is currently gaining traction as there are no physical files  present on the hard drive.   AV products are usually more effective in finding malware on disk rather than in memory.   “Fileless” malware has been around for many years and this is excellent security awareness bulletin for an attack in the wild occurring now. 

https://cyber.gc.ca/en/alerts/fileless-malware-advisory

The Astaroth malware, a notorious info-stealing malware known for stealing sensitive information like credentials, keystrokes, and other data, resides solely in memory and is much more difficult to detect than traditional malware.   The purpose of this advisory is to bring heightened awareness to the increase in the detection and identification of fileless malware, including Astaroth. The advisory provides an overview of fileless malware, the commonly used infection vectors and potential mitigations.

https://www.us-cert.gov/ncas/current-activity/2019/07/22/apple-releases-multiple-security-updates

Apple has released security updates to address vulnerabilities in multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.   The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Apple security pages for the following products and apply the necessary updates:

iOS 12.4

tvOS 12.4

Safari 12.1.2

macOS Mojave 10.14.6, Security Update 2019-004 High Sierra, Security Update 2019-004 Sierra

watchOS 5.3

Cisco’s Enterprise Strategy Group (ESG) documents the increased complexity of keeping end users safe. Technology & even the attackers are becoming more sophisticated as new computing capabilities emerge.

https://isc.sans.edu/forums/diary/Reevaluating+Network+Security+It+is+Increasingly+More+Complex/25152/

GROWING TECHNOLOGY RISKS — The report identified three main factors related to the increase in network security complexity. The attack surface and the workload are both growing and the threats and vulnerabilities are more complex to identify and deal with. The security team has to keep up with more devices that add complexity to a network (IoT, tablets, phones, laptops, cloud computing, etc) that are now widely integrated to the enterprise. Complex security events can lead to short or extended network outages, application or network availability, loss of proprietary data and/or productivity.

KEY TECHNOLOGY DEFENSE CATEGORIES — The report highlight the following priorities: the biggest factors driving network security include preventing/detecting malware threats (47%), regulatory compliance (42%), support for cloud computing initiatives (38%), and the need for network security to be more scalable to support dynamic business processes and new business initiatives (34%)

FULL REPORT by Cisco ESG – Navigating Network Security Complexity (14 page PDF)
https://www.cisco.com/c/dam/en/us/products/collateral/security/defense-orchestrator/esg-research-insights-report.pdf

The new preview release for WIN10 v20H1 v18941 has just been released for beta testing. It contains some of the following new features

https://www.windowscentral.com/hands-windows-10-20h1-build-19841-showcasing-new-changes

New in build 18941 is a change to the calendar flyout on the taskbar that now allows you to add events to your calendar straight from the taskbar. Also new in this build is the ability to make your device “passwordless” if you have Windows Hello enabled. There are also a few hidden features that haven’t been announced in this build, including improvements to the yet-to-be-announced new Cortana experience, and Virtual Desktops

COMPLETE CHANGE LOG for WIN10 v20H1
https://www.windowscentral.com/windows-10-20h1-changelog

Windows 10 defaults in creating new accounts by requiring use of the “Microsoft account”.  However, users may wish to create new WIN10 user accounts that are more similar to WIN7 local accounts.  Features release v1903 accommodates this better than past feature releases.  Earlier releases tended to discourage creation of LOCAL accounts — that are not linked with the Microsoft account (by hiding the capability).  This PC World article shares tips & techniques for this process:

https://www.pcworld.com/article/3409788/how-microsoft-made-it-harder-to-create-windows-10-local-accounts.html

If you’re thinking about resetting your Windows PC with a local account, save yourself some frustration and consider upgrading to the Windows 10 May 2019 Update first.  We discovered two workarounds, though, to allow you to log in as you wish.

Corporate ADMINs should actively patch & monitor all RDP security vulnerabilities

https://redmondmag.com/articles/2019/07/19/remote-desktop-protocol-is-a-big-target.aspx

Remote Desktop Protocol (RDP) is an easy-to-find and popular target for remote attackers, according to a recent study conducted by Sophos. Researchers set up 10 “honeypots” running RDP over a 30-day period, from April 18 to May 19. RDP is a protocol used for remote connections with servers, and is used in Microsoft’s Remote Desktop Services solution. All told, there were 4.3 million login attempts across the 10 servers, which were running the Windows Server 2019 operating system in its default configuration. All 10 of the honeypots were attacked on Day 1 after lighting up the servers, and it took just one minute and 24 seconds for the first server to get probed. The attackers conducted brute-force attacks — that is, they were trying common user names and passwords to gain access to the servers. The top user name selected was “administrator” …

CISA which is part of Homeland Security has just published an excellent Ransomware protection guide for corporate & home users:

https://www.us-cert.gov/Ransomware

QUOTE:  CISA recommends the following precautions to protect users against the threat of ransomware:

• Update software and operating systems with the latest patches. Outdated applications and operating systems are the target of most attacks.
• Never click on links or open attachments in unsolicited emails.
• Backup data on a regular basis. Keep it on a separate device and store it offline.
• Follow safe practices when browsing the Internet.
• Read Good Security Habits for additional details.

In addition, CISA also recommends that organizations employ the following best practices:

• Restrict users’ permissions to install and run software applications
• Apply the principle of “least privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through a network.
• Use application whitelisting to allow only approved programs to run on a network.
• Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate inbound email to prevent email spoofing.
• Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.
• Configure firewalls to block access to known malicious IP addresses.

See the Ransomware Security Publication, technical guidance on How to Protect Your Networks from Ransomware, and CISA’s Awareness Briefings on Combating Ransomware more information.

For recent CISA Alerts on specific ransomware threats, see:

• TA17-181A: Petya Ransomware (NotPetya) 
• TA17-132A: Indicators Associated With WannaCry Ransomware
• TA16-091A: Ransomware and Recent Variants

The SANS ISC shares excellent & in-depth article on 802.1x Wired Access Control best practices to inventory especially for unknown devices & vulnerabilities

https://isc.sans.edu/forums/diary/The+Other+Side+of+Critical+Control+1+8021x+Wired+Network+Access+Controls/25146/

So why do people want this, and why is it part of the Critical Controls? Because it really is about controlling both your known and unknown inventory. Known devices authenticate properly, and are given access to the network. Unknown devices (visitors, or unsanctioned gear of any kind) are either denied access or shuffled off to a jail or guest VLAN. Either way, the access requests for the “unknown” devices are all logged and can then be investigated if that’s the next step in your organization. Only known inventory is allowed access to the network.

The new Microsoft Intune suite is used to manage mobile devices.  A new improved release with improved security templates are now available.

https://redmondmag.com/articles/2019/07/12/intune-admin-templates-and-security-baselines-now-available.aspx

https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Microsoft-Intune-announces-general-availability-of/ba-p/737412

WHAT IS INTUNE? — Intune is Microsoft’s mobile management service for PCs and mobile devices (Android and iOS), as well as mobile applications. It’s provided as a service from Microsoft’s datacenters (“the cloud”). IT pros familiar with device management using Group Policy settings get a different kind of device management experience with Intune.  Learn how to get started with Microsoft Intune with our detailed technical documentation.

NEW RELEASE — Administrative templates for Microsoft Intune are now at the “general availability” commercial release stage for managing Windows 10 devices, Microsoft disclosed in a Thursday announcement. In addition, new security baselines for Intune are going live, per a Tuesday announcement.

US CERT has highlighted important security release for Chrome v75, which should auto-update for most users.  This is detailed below

https://www.us-cert.gov/ncas/current-activity/2019/07/15/google-releases-security-updates-chrome

https://chromereleases.googleblog.com/2019/07/stable-channel-update-for-desktop.html

Google has released Chrome 75.0.3770.142 for Windows, Mac, and Linux. This version addresses a vulnerability that an attacker can exploit to take control of an affected system.  CISA encourages users and administrators to review the Chrome Release