US Commerce Dept Shares Tips On Securing Virtual Meetings
21.3.2020  Bleepingcomputer  BigBrothers

The US National Institute of Standards and Technology (NIST) today shared a number of measures that should be taken by remote workers to prevent eavesdropping and protect their privacy during virtual meetings while working from home during the current COVID-19 pandemic.

Jeff Greene, the director of the National Cybersecurity Center of Excellence (NCCoE) at the NIST said that "if virtual meetings are not set up correctly, former coworkers, disgruntled employees, or hackers might be able to eavesdrop."

"Using some basic precautions can help ensure that your meetings are an opportunity to collaborate and work effectively – and not the genesis of a data breach or other embarrassing and costly security or privacy incident."

Boost your online meetings' security
Greene suggests taking advantage of your conferencing software's built-in security features, as well as of suggestions provided by their developers to boost virtual meetings' security.

NCCoE's director recommends considering multi-factor authentication (MFA) whenever available and to make use of a dashboard to keep a close eye on your meeting's attendees.

Limiting the reuse of meeting access codes and enabling notifications on attendees joining in to be able to quickly identify those who shouldn't be attending.

The list of measures to be taken to prevent eavesdropping by unauthorized parties according to the NIST:

• Follow your organization’s policies for virtual meeting security.
• Limit reuse of access codes; if you’ve used the same code for a while, you’ve probably shared it with more people than you can imagine or recall.
• If the topic is sensitive, use one-time PINs or meeting identifier codes, and consider multi-factor authentication.
• Use a “green room” or “waiting room” and don’t allow the meeting to begin until the host joins.
• Enable notification when attendees join by playing a tone or announcing names. If this is not an option, make sure the meeting host asks new attendees to identify themselves.
• If available, use a dashboard to monitor attendees – and identify all generic attendees.
• Don’t record the meeting unless it’s necessary.
• If it’s a web meeting (with video):
- Disable features you don’t need (like chat or file sharing).
- Before anyone shares their screen, remind them not to share other sensitive information during the meeting inadvertently.
When you know that sensitive information will be shared between the attendees of a specific virtual meeting, you can also take the following additional measures to further increase security:

• Using only approved virtual meeting services.
• Issuing unique PINs or passwords for each attendee and instructing them not to share them.
• Using a dashboard feature so you can see who all the attendees are at any time.
• Locking the call once you have identified all the attendees and lines in use.
• Encrypting recordings, requiring a passphrase to decrypt them, and deleting recordings stored by the provider.
• Only conducting web meetings on organization-issued devices.
NIST provides a separate collection of telework security resources designed to assist remote workers including a guide to enterprise telework and BYOD security, an infographic on securing conference calls, guidance on mobile security, and security configurations and checklists.

CISA tips on securing enterprise VPNs
The DHS Cybersecurity and Infrastructure Security Agency (CISA) also shared tips on how to secure enterprise virtual private networks (VPNs) in response to the increasing number of employees working from home in response to the current COVID-19 pandemic.

CISA advised organizations to keep their VPN software, network devices, and user devices up to date, to alert their employees of any phishing attacks, as well as to make sure that their security teams are up to speed when it comes to security incident detection and response.

Also, CISA recommended implementing MFA on VPN connections or require users to use strong passwords as a defense measure against attacks.

Enterprises were also encouraged to test their VPN infrastructure in advance to assess its capability to support an increased number of users.

As part of its teleworking guidance, the DHS cybersecurity agency also suggested reviewing CISA documentation on how to secure network infrastructure devices, avoid social engineering and phishing attacks, as well as to choose, protect and supplement passwords.

To assist the wave of new remote workers, Software developers and service providers including Google, Microsoft, Adobe, Zoom, and LogMeIn, are also offering free licenses or enhanced versions of their software and services during Coronavirus-disease outbreak.

Windows 10 Secured-Core PCs Can Block Driver-Abusing Malware
21.3.2020  Bleepingcomputer  Virus

Microsoft says that Windows 10 Secured-core PCs can successfully defend their users against malware designed to take advantage of driver security flaws to disable security solutions.

"Multiple malware attacks, including RobbinHood, Uroburos, Derusbi, GrayFish, and Sauron, and campaigns by the threat actor STRONTIUM, have leveraged driver vulnerabilities (for example, CVE-2008-3431, CVE-2013-3956, CVE-2009-0824, CVE-2010-1592, etc.) to gain kernel privileges and, in some cases, effectively disable security agents on compromised machines," Microsoft says.

However, according to Microsoft, endpoint devices can be defended against such attacks if you are using a Secured-core PC that comes with built-in protection against firmware attacks that have been increasingly used by both state-sponsored hacking attacks and commodity malware.

Secured-core PCs were released as a solution to the number of increasing firmware security issues that attackers can exploit to bypass a Windows machine's Secure Boot, as well as to the lack of visibility at the firmware level commonly present in today's endpoint security solutions.

Malware abusing vulnerable firmware and drivers
"In addition to vulnerable drivers, there are also drivers that are vulnerable by design (also referred to as 'wormhole drivers'), which can break the security promise of the platform by opening up direct access to kernel-level arbitrary memory read/write, MSRs," Microsoft adds.

"In our research, we identified over 50 vendors that have published many such wormhole drivers. We actively work with these vendors and determine an action plan to remediate these drivers."

One instance of a threat actor abusing firmware vulnerabilities is the Russian-backed APT28 cyber-espionage group (also tracked as Tsar Team, Sednit, Fancy Bear, Strontium, and Sofacy) who used a Unified Extensible Firmware Interface (UEFI) rootkit dubbed LoJax during some of its 2018 operations.

More recently, the operators behind the RobbinHood Ransomware exploited a vulnerable GIGABYTE driver to elevate privileges and install malicious unsigned Windows drivers that allowed them to terminate antivirus and security software processes on compromised systems.

RobbinHood Ransomware attack chain (Microsoft)
"In this attack scenario, the criminals have used the Gigabyte driver as a wedge so they could load a second, unsigned driver into Windows," Sophos researchers explained at the time.

"This second driver then goes to great lengths to kill processes and files belonging to endpoint security products, bypassing tamper protection, to enable the ransomware to attack without interference."

This tactic enabled the attackers to circumvent anti-ransomware defenses by killing the antivirus software before deploying the ransomware executable used to encrypt the victim's documents.

Sophos was unable to fully analyze this ransomware sample so far therefore the processes and services that are being targeted are currently unknown.

Secured-core PCs feature built-in protection
As Microsoft says, however, Windows 10 comes with hardware and firmware protection features that can successfully fight against attacks such as the one that infected victims with Lojax and RobbinHood Ransomware.

Moreover, Secured-core PCs introduced by Microsoft in October 2019 in partnership with OEM partners Lenovo, HP, Dell, Panasonic, Dynabook, and Getac can block firmware-level attacks as they come with these hardware-backed security features enabled by default removing the need for users to make the required BIOS and OS settings changes manually.

"Because both BIOS settings and OS settings are enabled out of the box with these devices, the burden to enable these features onsite is removed for customers," Microsoft adds, with the following features being turned on all Secured-core PCs:

Security promise Technical features
Protect with hardware root of trust TPM 2.0 or higher
TPM support enabled by default
Virtualization-based security (VBS) enabled
Defend against firmware attack Windows Defender System guard enabled
Defend against vulnerable and malicious drivers Hypervisor-protected code integrity (HVCI) enabled
Defend against unverified code execution Arbitrary code generation and control flow hijacking protection [CFG, xFG, CET, ACG, CIG, KDP] enabled
Defend against limited physical access, data attacks Kernel DMA protection enabled
Protect identities and secrets from external threats Credential Guard enabled
However, users of other devices can also take advantage of similar protection if they configure their hardware and Windows security features correctly.

"Specifically, the following features need to be enabled: Secure boot, HVCI (enables VBS), KDP (automatically turned on when VBS is on), KDMA (Thunderbolt only) and Windows Defender System Guard," Microsoft explains.

"With Secured-core PCs, however, customers get a seamless chip to cloud security pattern that starts from a strong hardware root of trust and works with cloud services and Microsoft Defender ATP to aggregate and normalize the alerts from hardware elements to provide end-to-end endpoint security."

Windows Terminal v0.10 Released with Mouse Input Support
21.3.2020  Bleepingcomputer  OS

​Microsoft has released Windows Terminal v0.10 for Windows 10 that includes some very useful features including full mouse input support and the ability to split a screen by using a keyboard combination.

With this release, Microsoft has added full mouse input support so that you can use terminal programs that support the mouse such as Midnight Command (shown below), Tmux, and other programs.

With this support, you can simply click on a button, file, or screen with your mouse to switch between them as shown by the image below.

Mouse Support in Midnight Commander
To use the mouse to select text for copying, you need to hold down the Shift key while selecting the text.

Microsoft has also added support for a split-screen keybinding that allows you to easily split the currently selected terminal session.

To do this you would add the "duplicate" option to a keybinding that issues the "splitPane" command. An example keybinding that sets the Ctrl+Shift+D keyboard combination to perform this command is seen below.

"keybindings": [
{"keys": ["ctrl+shift+d"], "command": {"action": "splitPane", "split": "auto", "splitMode": "duplicate"}}
]

Illustrating the duplicate option of splitPane
This release also fixes the following bugs:

The text behavior when it reflows on resizing of the window is significantly improved!
The borders when using dark themes aren’t white anymore!
If you have the taskbar auto-hidden and your Terminal is maximized, the taskbar now appears when you mouse over the bottom of the screen.
Azure Cloud Shell can now run PowerShell, accept mouse input, and follow the desired shell of your choice.
Touchpad and touchscreen scrolling now moves at a normal pace.
Users who want to try the new features of Windows Terminal v0.10 can update it now from the Microsoft Store.

Windows 10 Cumulative Update KB4541331 Released
21.3.2020  Bleepingcomputer  OS

If you're still using the dated Windows 10 October 2018 Update, which was released in November 2018, a new cumulative update is now available for your device.

Microsoft has released KB4541331 optional update for Windows 10 version 1809 to fix a bug that causes printing issues, prevents the touch keyboard from appearing during sign in, and several other problems.

KB4541331 will advance your computer to Windows 10 Build 17763.1131 and it will install only after you check for updates manually.

Like every Windows Update, you can open the Settings app and click on the Windows Update option to install the patches. If you own multiple PCs or if you would like to patch the PCs manually, you can learn more about it here.

Here's what new and improved in KB4541331:

Addresses an issue that causes an error when printing to a document repository.
Addresses a drawing issue with the Microsoft Foundation Class (MFC) toolbar that occurs when dragging in a multi-monitor environment.
Addresses an issue that prevents the touch keyboard from appearing during sign in when the user is prompted for the password.
Addresses an issue that causes new child windows to flicker and appear as white squares on server devices that are configured for stark visual contrast.
Addresses an issue that displays incorrect folder properties in File Explorer when the path is longer than MAX_PATH.
Addresses an issue that causes calendar dates to appear on the wrong day of the week in the clock and date region of the notification area when you select the Samoa time zone.
Addresses an issue with reading logs using the OpenEventLogA() function.
Addresses an issue that prevents machines that have enabled Credential Guard from joining a domain. The error message is "The server's clock is not synchronized with the primary domain controller's clock."
Addresses an issue that might cause a delay of up to two minutes when signing in or unlocking a session on Hybrid Azure Active Directory-joined machines.
Addresses an issue that causes authentication to fail when using Azure Active Directory and the user’s security identifier (SID) has changed.
Addresses an issue that might cause domain controllers (DC) to register a lowercase and a mixed or all uppercase Domain Name System (DNS) service (SRV) record in the _MSDCS. DNS zone. This occurs when DC computer names contain one or more uppercase characters.
Addresses an issue that causes authentication in an Azure Active Directory environment to fail and no error appears.
Addresses an issue that causes high CPU utilization when retrieving a session object.
Addresses high latency in Active Directory Federation Services (AD FS) response times for globally distributed datacenters in which SQL might be on a remote datacenter.
Improves the performance for all token requests coming to AD FS, including OAuth, Security Assertion Markup Language (SAML), WS-Federation, and WS-Trust.
Addresses a high latency issue in acquiring OAuth tokens when AD FS front-end servers and back-end SQL servers are in different datacenters.
Restores the constructed attribute in Active Directory and Active Directory Lightweight Directory Services (AD LDS) for msDS-parentdistname.
Addresses an issue to prevent SAML errors and the loss of access to third-party apps for users who do not have multi-factor authentication (MFA) enabled.
Addresses an issue with evaluating the compatibility status of the Windows ecosystem to help ensure application and device compatibility for all updates to Windows.
Addresses an issue that prevents Microsoft User Experience Virtualization (UE-V) settings from roaming to enable the signature files that are used for new messages, forwarded messages, and replies.
Addresses an issue with high CPU usage on AD FS servers that occurs when the backgroundCacheRefreshEnabled feature is enabled.
Addresses an issue that creates the Storage Replica administrator group with the incorrect SAM-Account-Type and Group-Type. This makes the Storage Replica administrator group unusable when moving the primary domain controller (PDC) emulator.
Addresses an issue that prevents some machines from automatically going into Sleep mode under certain circumstances because of Microsoft Defender Advanced Threat Protection (ATP) Auto Incident Response (IR).
Addresses an issue that prevents some machines from running Microsoft Defender ATP Threat & Vulnerability Management successfully.
Improves support for non-ASCII file paths for Microsoft Defender ATP Auto IR.
Addresses an issue that, in some scenarios, causes stop error 0xEF while upgrading to Windows 10, version 1809.

Microsoft is aware of at least one known issue in this update where some Asian language packs installed may receive the error, "0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_FOUND."

Microsoft says it's working on a resolution and it will provide an update in a future release.

One billion devices
Earlier this week, Microsoft revealed that Windows 10 is now being actively used on 1 billion devices every month. The operating system was released in the second half of 2015 and it took nearly five years for Windows 10 to become active on 1 billion devices.

"New Windows 10 features and security updates are now delivered faster than ever before. We’ve evolved from releasing a version every three years, to releasing multiple versions per year. And with the recent decoupling of the new Chromium-based Edge browser from Windows 10 we can now deliver new builds to customers outside of the normal Windows 10 release cadence—and to more versions of Windows," said Yusuf Mehdi, Corporate Vice President, Modern Life, Search & Devices at Microsoft.

Nation-Backed Hackers Spread Crimson RAT via Coronavirus Phishing
21.3.2020  Bleepingcomputer  APT  Phishing  Virus 

A state-sponsored threat actor is attempting to deploy the Crimson Remote Administration Tool (RAT) onto the systems of targets via a spear-phishing campaign using Coronavirus-themed document baits disguised as health advisories.

This nation-backed cyber-espionage is suspected to be Pakistan-based and it is currently tracked under multiple names including APT36, Transparent Tribe, ProjectM, Mythic Leopard, and TEMP.Lapis.

The group, active since at least 2016, is known for targeting Indian defense and government entities and for stealing sensitive info designed to bolster Pakistan's diplomatic and military efforts.

Coronavirus-themed spear-phishing campaign
APT36's ongoing spear-phishing attacks were first spotted by researchers with QiAnXin's RedDrip Team who discovered malicious documents camouflaged as health advisories and impersonating Indian government officials.

The spear-phishing emails, attributed by the Chinese researchers to the Transparent Tribe hacking group and also analyzed by Malwarebytes Labs' Threat Intelligence Team, are trying to trick the targets into enabling macros so that the Crimson RAT payload can be deployed.

APT36 uses two lure formats in this campaign: Excel documents with embedded malicious macros and RTF documents files designed to exploit the CVE-2017-0199 Microsoft Office/WordPad remote code execution vulnerability.

Fake Coronavirus health advisory (Malwarebytes Labs)
Once the malicious documents used as baits are opened and the malicious macros are executed, a 32-bit or a 64-bit version of the Crimson RAT payload will be dropped based on the victim's OS type.

After the device is compromised, the attackers can perform a wide range of data theft tasks including but not limited to:

• Stealing credentials from the victim’s browser
• Listing running processes, drives, and directories on the victim’s machine
• Retrieving files from its C&C server
• Using custom TCP protocol for its C&C communications
• Collecting information about antivirus software
• Capturing screenshots

After being executed, the Crimson RAT will automatically connect to the hardcoded command-and-control addresses and send all the collected info on the victim, including the list of running processes, the machine's hostname, and the currently logged in username.

"APT36 has used many different malware families in the past, but has mostly deployed RATs, such as BreachRAT, DarkComet, Luminosity RAT, and njRAT," Malwarebytes says.

"In past campaigns, they were able to compromise Indian military and government databases to steal sensitive data, including army strategy and training documents, tactical documents, and other official letters.

"They also were able to steal personal data, such as passport scans and personal identification documents, text messages, and contact details."

State-backed groups behind other Coronavirus-themed attacks
APT36 is not the only nation-sponsored threat actor known for using COVID-19-themed malware and phishing emails to attack and infect potential targets.

Chinese APTs (Mustang Panda and Vicious Panda), North Korean APTs (Kimsuky), Russian APTs (Hades and TA542), as well as some without known affiliations such as SWEED have also been recently adopting Coronavirus baits as part of their attacks as recently reported by ZDNet.

Cybercriminals with no nation-state ties have also been playing the Coronavirus card heavily trying to monetize on their targets' COVID-19 fears.

Phishing campaigns using Coronavirus baits have targeted US and UK targets since the start of February, impersonating U.S. Centers for Disease Control and Prevention (CDC) officials and virologists.

New malware strains have also been spotted since the Coronavirus started, such as new ransomware called CoronaVirus used as a cover for the Kpot Infostealer, a Remote Access Trojan (RAT), a Trojan, a stealer/keylogger, and even a wiper.

The World Health Organization (WHO) also warned of active Coronavirus-themed phishing attacks impersonating WHO officials with the end goal of delivering malware and stealing the targets' sensitive information.

Last but not least, Ancient Tortoise BEC fraudsters have also been seen sending scam emails attempting to use the Coronavirus outbreak as cover for them updating payment information on invoices to bank accounts under their control.

Microsoft Edge to Let You Set Custom Backgrounds for New Tabs
21.3.2020  Bleepingcomputer  OS

Microsoft is testing the ability to add set a custom background image for the new tab page in Microsoft Edge Canary build 82.0.457.0.

For those who are using the latest Microsoft Edge Canary build, Microsoft is conducting a limited test that allows you to change the background image to one of your choosing.

To change to a custom desktop background, you would open a new tab page, click on the Settings cog, and then select Custom. If you are part of the test, you will be able to see an option to set the background to "Your own image" as shown below.

Setting a custom background in Microsoft Edge
You will then be prompted to select an image that you want to be used as the background for the new tab page.

Below you can see a custom background that BleepingComputer applied to the new tab page.

Microsoft Edge using a custom background for the NTP
As already stated, this feature is currently only available to those whose Edge clientID has been added to this test.

New Nefilim Ransomware Threatens to Release Victims' Data
21.3.2020  Bleepingcomputer  Ransomware

A new ransomware called Nefilim that shares much of the same code as Nemty has started to become active in the wild and threatens to release stolen data.

Nefilim became active at the end of February 2020 and while it not known for sure how the ransomware is being distributed, it is most likely through exposed Remote Desktop Services.

Head of SentinelLabs Vitali Krimez and ID Ransomware's Michael Gillespie both told BleepingComputer that Nefilim and Nemty 2.5 share much of the same code.

The main difference is that Nefilim has removed the Ransomware-as-a-Service (RaaS) component and now relies on email communications for payments rather than a Tor payment site.

It is not known if this is a fork of their ransomware from the original operators or if new threat actors obtained the source code to release a new version.

Nefilim threatens to release data
In the Nefilim ransom note, the attackers state that if a user does not pay the ransom in seven days they will release data that was stolen from the network.

A large amount of your private files have been extracted and is kept in a secure location.
If you do not contact us in seven working days of the breach we will start leaking the data.
After you contact us we will provide you proof that your files have been extracted.

In the past, this would have been seen as an empty threat, but with ransomware infections such as Maze, Sodinokibi, DoppelPaymer, and Nemty all following through with their threats, it should no longer be ignored.

The Nefilim encryption process
When encrypting files, Nefilim will encrypt a file using AES-128 encryption. This AES encryption key will then be encrypted by an RSA-2048 public key that is embedded in the ransomware executable.

This encrypted AES key will then be added to the contents of each encrypted file and can only be decrypted by the RSA private key known to the ransomware developers.

For each encrypted file, Nefilim will append the .NEFILIM extension to the file name. For example, a file called 1.doc would be encrypted and named 1.doc.NEFILIM.

Files encrypted by the Nefilim Ransomware
In addition to the encrypted AES key, the ransomware will also add the "NEFILIM" string as a file marker to all encrypted files as shown below.

NEFILIM file marker
When done, a ransom note named NEFILIM-DECRYPT.txt will be created throughout the system that contains instructions on how to contact the ransomware developers.

This ransom note contains different contact emails and the threat that they will leak data if a ransom is not paid within seven days of the "breach".

Caption
Unfortunately, a brief analysis by Gillespie indicates that this ransomware appears to be secure, which means that there is no current way to recover files for free.

The ransomware, though, is still being researched and if new weaknesses we will publish updated information.

US Democratic Party Symbol Changed to a Rat in Google Search
21.3.2020  Bleepingcomputer  BigBrothers

The election symbol of the US Democratic Party has been changed to a rat within the Google search knowledge panel that shows when searching for the party's name, instead of the usual donkey-themed one.

While no one knows how this happened, the new rat-themed symbol displayed when searching for "democratic party" on Google is now automatically loaded from a post made by a now-banned user on a history forum in January.

US Democratic Party Symbol Changed to a Rat in Google Search
The rat election symbol is currently being shown for all search results that show the Democratic Party symbol.

The Republican Party symbol remains unchanged for now. but does display the changed Democratic Party symbol in the bottom of their knowledge panel.

Republican Party Knowledge Panel
Researchers from cybersecurity intelligence company Under the Breach, who first discovered this change, say it is unclear how this was done.

BleepingComputer has reached out to Google for comment but had not heard back at the time of this publication. This article will be updated when a response is received.

This is a developing story ...

H/T Under the Breach

Update March 16, 18:41 EDT: "Most images in Knowledge Panels are automatically generated from pages on the web," a Google spokesperson told BleepingComputer.

"When errors are reported, we fix them quickly. We encourage people and organizations to claim their Knowledge Panels, which allows them to select a representative image."

The Democratic Party rat election symbol was automatically displayed in the Knowledge Panel based on a web source and Google will remove it since the image is not representative to the entity.

Google Chrome 82 to Enhance Privacy via New Cookie Settings
21.3.2020  Bleepingcomputer  Privacy

Google is making progress on expanding the control users have over cookies in the Chrome browser with a new flag in Canary that enables an improved interface with more buttons and information.

The experimental feature is available in the Android version 82 of the browser and adds two more options for cookie management.

No 3rd-party cookies in incognito mode
In the current configuration of Chrome 80 stable for all supported platforms, you can allow/block cookies on all sites or just block third-party ones. The latter comes with the warning that some sites may not work properly when the restriction is active.

The new Cookies user interface in Canary for Android shows four controls instead of just two currently available in the stable version of the browser and there is a brief description for cookie data:

"Cookies are files created by websites you visit. Sites use them to remember your preferences. Third-party cookies are created by other sites. These sites own some of the content, like ads or images, that you see on the webpage you visit."

One option that becomes available when enabling the experimental feature can prevent websites from reading and saving cookie data when browsing in incognito mode.

A browsing session in incognito mode starts with a blank internal profile void of cookies or session data but get added when you visit websites. They do not affect the normal browsing session and are purged when closing the last incognito window.

The other option allows you to block all cookies. This is not a recommended option, though, since it will likely impact your experience on many websites.

The option to add sites that are exempt from the active setting is still available below the buttons.

The flag that enables the four buttons is called "Enable improved cookie controls in UI in incognito mode." You can look for it in the 'chrome://flags' experimental area.

You can also find the experimental flag in the current stable version of Chrome but it appears that the new Cookie menu does not activate with it.

Windows 10 2004 to Upgrade WSL2 Linux Kernels via Windows Update
21.3.2020  Bleepingcomputer  OS

Microsoft has announced that the upcoming Windows 10 2004 release will also include Windows Subsystem for Linux 2 (WSL 2) whose Linux kernel will be kept updated via Windows Update.

When Microsoft announced WSL2, they explained that all WSL2 distributions would use a real Microsoft-compiled Linux kernel based on the stable 4.19 version release of Linux at Kernel.org.

Starting with Windows 10 2004, which is expected to be released shortly, and in the latest Windows 10 Insider build 19041.153, when using WSL2 the Linux kernel will first need to be upgraded.

After upgrading, when you attempt to convert a WSL distribution to WSL2 or to launch an existing WSL2 distro, Windows 10 will prompt you to first update to the latest Linux kernel by displaying the following message.

"WSL 2 requires an update to its kernel component. For information please visit https://aka.ms/wsl2kernel"

Prompt to update Windows Linux kernel
For now, Windows 10 users will need to manually download and install the latest WSL 2 kernel using these instructions.

At this time, after installing the available Linux kernel update, WSL 2 distributions will be using the following kernel:

Linux version 4.19.84-microsoft-standard (oe-user@oe-host) (gcc version 8.2.0 (GCC)) #1 SMP Wed Nov 13 11:44:37 UTC 2019
In a future update to Windows 10 2004, though, Microsoft plans on distributing new WSL 2 kernels via Windows Update.

Similar to Windows Defender updates and Security Intelligence definition updates, if a new Linux kernel is available it will be downloaded when a user checks for new updates via Windows Update.

"If you’ve ever gone to your Windows settings, and clicked ‘Check for Updates’ you might have seen some other items being updated like Windows Defender malware definitions, or a new touchpad driver, etc. The Linux kernel in WSL2 will now be serviced in this same method, which means you’ll get the latest kernel version independently of consuming an update to your Windows image," Microsoft explained in a new blog post.

WSL2 being generally available soon is exciting news for users who use this feature as it brings numerous performance improvements to Windows

As WSL2 uses a true Linux kernel, Linux apps will now have full access to their normal system calls, which will bring increased compatibility with existing Linux apps and greater performance.

FBI Warns of Human Traffickers Luring Victims on Social Networks
21.3.2020  Bleepingcomputer  BigBrothers

FBI's Internet Crime Complaint Center (IC3) today issued a public service announcement on human traffickers' continued usage of online platforms like dating sites and social networks to lure victims.

"The FBI warns the public to remain vigilant of the threat posed by criminals who seek to traffic individuals through force, fraud, or coercion through popular social media and dating platforms," the PSA says.

"Offenders often exploit dating apps and websites to recruit—and later advertise—sex trafficking victims. In addition, offenders are increasingly recruiting labor trafficking victims through what appears to be legitimate job offers."

Online platforms tools used against vulnerable targets
According to the FBI's investigations, victims from various different backgrounds from rural areas to large cities are being lured by human traffickers into forced labor or sex work using online platforms.

In many cases, the criminals will pose as legitimate job recruiters or agents of employment agencies and will bait potential victims with the promise of fake employment and a better life.

Individuals who share personal information on online platforms are the ones most likely to be targeted by such criminals, especially after posting about "financial hardships, their struggles with low self-esteem, or their family problems."

The traffickers will use their targets' stories as the base for well-planned attacks via the Internet, convincing them that they want to be helpful or that they are interested in a relationship.

However, their victims will subsequently be coerced into sex work or forced labor after the traffickers manage to establish a false sense of trust and they persuade them to meet in person.

Human traffickers using online platforms
During the last few years, the FBI discovered multiple cases of human traffickers using popular social networks and dating sites to recruit victims.

Among the multiple such cases identified over the years, the FBI shares the following three examples:

In July 2019, a Baltimore, Maryland, man was convicted on two counts of sex trafficking of a minor and one count of using the Internet to promote a business enterprise involving prostitution. The perpetrator targeted two girls after they posted information online about their difficult living and financial situation. After meeting them in person, the man forced the two girls into sex work.
In March 2019, a married couple was found guilty of conspiracy to obtain forced labor and two counts of obtaining forced labor. The couple employed foreign workers to perform domestic labor in their home in Stockton, California. The defendants used the Internet and an India-based newspaper to post false advertisements about the wages and nature of the employment at their home. Upon arrival, the workers were forced to work 18-hour days with little to no wages.
In October 2017, a sex trafficker was convicted on 17 counts of trafficking adults and minors. Additional charges included child pornography and obstruction of justice. The perpetrator received a 33-year sentence. A victim from the Seattle area met the sex trafficker's accomplice on a dating website. The trafficker and his accomplice later promised to help the victim with her acting career. After a few months, the victim was abused and forced into prostitution.
Report (potential) trafficking situations
"Human trafficking occurs in every area of the country and occurs in many forms, from forced labor to sexual exploitation, including the sexual exploitation of children," FBI Criminal Investigative Division Section Chief Michael Driscoll said last year.

"The FBI operates Human Trafficking and Child Exploitation Task Forces throughout the country to aggressively investigate the perpetrators and also provides resources to assist the victims of these crimes.”

Victims and those who think that they witnessed a potential human trafficking situation are encouraged by the FBI to contact their local law enforcement agencies, the local FBI field office, or to reach out to:

the National Human Trafficking Hotline—Call 1-888-373-7888 (TTY: 711) or text 233733;
file a complaint online with the FBI's Internet Crime Complaint Center at www.IC3.gov; or
contact the FBI's National Threat Operations Center at 1-800-CALL-FBI or tips.fbi.gov.
To report possible trafficking involving minors, contact the National Center for Missing and Exploited Children (NCMEC) at 1-800-THE-LOST (1-800-843-5678) or at Cybertipline.org.
Victims and witnesses are also urged by the FBI to keep as much evidence as possible including emails, text messages, or any other logs of communication with the traffickers to make it easier to identify, retain, and prosecute them.

"The FBI produced this public service announcement to alert Internet users of the continuing threat posed by human traffickers online and what you should do if you or someone you know suspects human trafficking," the PSA concludes.

U.S. Health Department Site Hit With DDoS Cyber Attack
21.3.2020  Bleepingcomputer  Attack

The United States Health and Human Services Department's web site was hit with a DDoS cyber attack Sunday night to take it offline in the middle of the Coronavirus outbreak.

Since the COVID-19 outbreak, there has been a tremendous spike in people searching for HHS information about the Coronvirus as shown by the graph below.

Increased searches for HHS.gov site
First reported by Bloomberg, attackers on Sunday night attempted to disrupt the dissemination of Coronavirus information by performing a DDoS attack against the HHS.gov web site.

A DDoS attack is when attackers send a huge amount of connections to a web site or IP address at the same time to overwhelm the server so that it is no longer accessible.

"The attack appears to have been intended to slow the agency’s systems down, but didn’t do so in any meaningful way, said the people, who asked for anonymity to discuss an incident that was not public," Bloomberg reported.

Later that night, the National Security Council tweeted an alert to ignore text messages spreading "rumors of a national quarantine" and that there is no national lockdown.

According to one of Bloomberg's sources, this tweet was in response to a disinformation campaign being conducted by the attackers in conjunction with the attempt to take down the HHS.gov site.

Government officials are aware of the attack and assume it was a foreign cyber attack, but have not been able to confirm that at this time.

"Secretary of State Michael Pompeo and other Trump administration officials are aware of the incident, one of the people said," Bloomberg continued.

Coronavirus related cyber attacks becoming common
Whenever a world event brings panic and anxiety, criminals attempt to take advantage of the situation.

Such is the case with the Coronavirus where we are seeing related phishing campaigns, malware and ransomware, and cyber attacks against hospitals and testing centers.

This past Friday, the University Hospital Brno in the Czech Republic was shut down due to a cyber attack that started in the early morning hours.

This hospital hosts one of the 18 labs used to test for the Coronavirus and was performing 20 tests a day until the attack.

Windows 10 KB4551762 Security Update Fails to Install, Causes Issues
21.3.2020  Bleepingcomputer  OS

The Windows 10 KB4551762 security update is reportedly failing to install and throwing 0x800f081f, 0x80004005, 0x80073701, 0x800f0988, 0x80071160, and 0x80240016 errors during the installation process according to user reports.

KB4551762 is an out of band security update released by Microsoft last week to patch the critical remote code execution vulnerability (CVE-2020-0796) affecting devices running Windows 10, versions 1903 and 1909, and Windows Server Server Core installations, versions 1903 and 1909.

To install KB4551762, you can check for updates via Windows Update or manually downloading it for your Windows version from the Microsoft Update Catalog. Admins can distribute the update to enterprise environments via Windows Server Update Services (WSUS).

If you have automatic updates enabled on your device, the update will install automatically and you do not need to take any further action.

Usual workarounds not working
While usually there is a workaround to install the update manually or by going through a specific procedure when encountering errors, this time users who have encountered these issues (1, 2, 3, 4, 5, 6, 7) report via Microsoft's official Feedback Hub, on the Microsoft Community website, and on Reddit that none of the usual workarounds for the errors helped.

0x800f0988 and 0x800f0900 installation errors were also spotted and reported by Günter Born, one day after KB4551762 was released by Microsoft.

"Manual Windows Update on the local client works ONCE. It finds the patch, then does nothing! One can attempt to download and install from that page, but it doesn't work! Next, go to the Catalog," one user reported through Microsoft's Feedback Hub. "Attempt to select the correct configuration. Download the patch. Attempt to install it. Doesn't install!"

"When downloading this update my PC started becoming slow and sluggish, the update got stuck at 100%," another one reported. "I restarted the PC then windows updates broke and started looping for a while when checking updates, its now back to normal but now I have a failed cumulative update."

"So I've had this issue since KB4497165, but the latest KB4551762 is also giving me the same problem," another one said on Reddit. "Basically after it installs, it gets to 7% on the "working on updates" part, then tells me that it failed, and it's undoing changes."

Feedback Hub KB4551762 user reports

Feedback Hub KB4551762 reports
Also plagued by CPU spikes, random restarts, boot failures
Other reports, although not as numerous as the ones saying that KB4551762 comes packed with installation issues, mention CPU spikes, high disk usage, system slowdowns, and system freezes.

"These issues began yesterday 3/13/20. The update, '2020-03 Cumulative Update for Windows 10 Version 1909 for x64-based Systems (KB4551762)' has failed every time I try to install it with the error code, '0x80071160', one user says. "When this issue began my disk drive also went up to 100% with little change. I restarted my pc multiple times but both issues persisted."

"After installing KB4551762 and KB4540673, my system has gone to thrash. Extremely slow and takes ages to get past the Welcome screen," another one explains. "After spending hours trying to login, I somehow managed to uninstall both the updates, rebooted, disabled and re-enabled HyperV but my system won't go back to being normal."

"Simply downloading the update caused my computer to overheat and freeze multiple times," a bug report on the Feedback Hub says. "Finally, with no programs open in the background, the download was able to go through. When I attempted to restart so the update could take effect, it would get stuck at 93% installing the update. Always stuck at 93%."

To top it all off, there are also reports of random restarts or failures to boot, as well as users who are having gaming issues after installing KB4551762 with the monitor starting to flicker after a game starts and the issue going away after closing the game.

Windows 10 in-place upgrade: a potential solution
While the KB4551762 installation issues are quite widespread according to users, there are some who have successfully managed to deploy the security update using a Windows 10 in-place upgrade.

Using this method you will be able to clean-up your system to resolve some issues, and it should not affect your programs and files.

The procedure is detailed in the video embedded below and it requires you to download and install the Windows 10 installation media, sign in to your account, and accept privacy settings. Additionally, you will need admin rights to upgrade.

Verily Coronavirus Screening Site Launches, Quickly Runs Out of Slots
21.3.2020  Bleepingcomputer  Security

Verily has launched its Project Baseline Coronavirus screening site for people living in the San Francisco Bay Area that lets people check if they need a test and where to get one.

This new site is being launched by Verily, an Alphabet company and sister company to Google, and allows only those people living in the Bay Area to enter their symptoms, recent travel, and other information to determine if a Coronavirus test is necessary.

COVID-19 Screening site
This site is only available for residents living in Santa Clara County and San Mateo County with the hopes of eventually expanding to other locations in the future.

Using this site, though, does have some requirements such as being 18 or older, a U.S. Resident, living in one of the two counties, able to speak and read English, and willing to sign a COVID-19 Public Health authorization form.

Screening requirements
Initially announced as a Google nationwide testing site by President Trump during a Friday press conference, it was quickly clarified as being only available to Bay Area residents.

Since then, Google has announced that they will be working with the U.S. government to release a nationwide site for Coronavirus information.

There is no timeline yet as to when this nationwide site will become available.

Testing appointments quickly run out
Since launching late last night, the screening site's available appointment slots quickly ran out.

When users start the screening process and specify they live in the required regions, the site will immediately state "Unfortunately, we are unable to schedule more appointments at this time. Appointments will continue to expand through this program as we scale capacity in the near future."

BleepingComputer has contacted Verily for more information about how many people scheduled appointments and when more slots would be available but have not heard back as of yet.

Xbox Live and Support.xbox.com Experiencing an Outage
21.3.2020  Bleepingcomputer  IT

Microsoft is currently experiencing an outage where some users are unable to login to Xbox Live, have issues with matchmaking, and are unable to access support.xbox.com.

At approximately 5:00 PM EST, users started reporting that they were unable to login to Xbox Live, access their saved games, or have issues with matchmaking. Since then, users have also been having issues opening support.xbox.com.

Microsoft has confirmed these issues in the Xbox Support Twitter account as can be seen below.

Tweet about Xbox Live being down

Tweet about support.xbox.com being down
When users try to access support.xbox.com, they will simply be greeted with the animated Xbox loading circle as seen below.

Support.xbox.com outage
At approximately 7:30 PM EST, service was restored for both Xbox Live and support.xbox.com

Folding@Home Now Has 23 Coronavirus Projects, Donate CPU Power!
21.3.2020  Bleepingcomputer  IT

The Folding@home distributed computing project has added twenty new Coronavirus (COVID-19) projects since earlier this week that uses donated CPU or GPU power to research new treatment methods.

Folding@home allows researchers to use donated CPU and GPU cycles to simulate protein folding to research new drug opportunities against diseases and a greater understanding of various diseases.

Last week, we reported that the Folding@home added three new projects (11741, 11742, and 11743) that were being used to research the COVID-19 virus and how to create potential drug therapies

Since we last looked on March 9th, 2020, researchers from Memorial Sloan Kettering Cancer Center, Washington University in St. Louis, and Temple University have added 20 new projects, for a total of 23, that are all being used to analyze the proteins of Coronavirus virus.

"To help tackle coronavirus, we want to understand how these viral proteins work and how we can design therapeutics to stop them," Folding@home's announcement stated.

The Current Folding@home project IDs that correspond with Coronavirus (COVID-19) research are 11741, 11742, 11743, 11744, 11745, 11746, 11747, 11748, 11749, 11750, 11751, 11752, 11759, 11760, 11761, 11762, 11763, 11764, 14328, 14329, 14530, 14531, and 14532.

Getting started with Folding@home
To get started with Folding@home, download the Folding@home client and install it.

Once installed, Folding@home will automatically be configured to lightly use your computer's CPU and GPU processing power to perform protein-folding when you log into Windows. A GPU will only be used if it's hardware and software is supported.

If you wish to increase the amount of CPU and GPU utilization, you can right-click on the Folding@home icon in your Windows system and select either from 'Light', 'Medium', or 'Full'.

It should be noted that the higher the intensity you select, the slower your computer will become, the more heat it will generate, and the more electricity it will use.

Folding@home options
If you want to check what project you are currently working on or change some of the program's settings via a web GUI, you can select the 'Web Control' option as shown in the image above.

This will open a web page showing your current work-in-progress, your settings, and the project ID you are currently working on. To support Coronavirus projects, make sure to support research fighting 'Any Disease'.

Folding@Home
After determining the project ID number, you can look up the project ID you are working on here. For example, in the image above you can see that the project ID is 14329, which is for Coronavirus/COVID-19 research.

The Folding@home project has said that due to the increasing interest in the project and CPU and GPU cycles being donated, it may take some time before you receive a job to work on.

"Each simulation you run is like buying a lottery ticket. The more tickets we buy, the better our chances of hitting the jackpot. Usually, your computer will never be idle, but we’ve had such an enthusiastic response to our COVID-19 work that you will see some intermittent downtime as we sprint to setup more simulations. Please be patient with us! There is a lot of valuable science to be done, and we’re getting it running as quickly as we can," Folding@home stated.

If you have an idle computer sitting around doing nothing, please contribute it to the project. Who knows, the data you are assigned and solve could be what helps to create a cure!

List of Free Software and Services During Coronavirus Outbreak
15.3.2020  Bleepingcomputer  IT

In response to the Coronavirus (COVID-19) outbreak, many organizations are asking their employees to work remotely. This, though, brings new challenges to the workplace as users adapt to video meetings, screen sharing, and the use of remote collaboration tools.

To assist a new wave of remote works and get some publicity at the same time, many software developers and service providers have started to offer free licenses or enhanced versions of their software and services.

Below is a roundup of all the free upgrades to services and software licenses being offered during the Coronavirus outbreak.

If you are a software developer or technology service provider and would like to add any free offers to this list, please contact us and let us know.

AT&T
According to a report by Vice, AT&T is suspending broadband data caps during the Coronavirus outbreak.

AT&T is the first major ISP to confirm that it will be suspending all broadband usage caps as millions of Americans bunker down in a bid to slow the rate of COVID-19 expansion. Consumer groups and a coalition of Senators are now pressuring other ISPs to follow suit.

Cisco
Cisco is changing its free Webex meeting software so that it supports unlimited usage, supports up to 100 people per meeting, and has toll dial-in availability.

For businesses that are not currently a customer, Cisco is also offering free 90-day trials.

"Additionally, through our partners and the Cisco sales team, we are providing free 90-day licenses to businesses who are not Webex customers in this time of need. We’re also helping existing customers meet their rapidly changing needs as they enable a much larger number of remote workers by expanding their usage at no additional cost."

Cloudflare
Cloudflare has made its Cloudflare for Teams service free for small businesses for at least six months.

"Beginning today, we are making our Cloudflare for Teams products free to small businesses around the world. Teams enables remote workers to operate securely and easily. We will continue this policy for at least the next 6 months."

Using Cloudflare for Teams, remote workers can gain access to a company's internal resources using a secure VPN.

Discord
Discord has enhanced its free Go Live streaming service so that it can now support 50 simultaneous users rather than 10.

"We wanted to find a way to help, so we’re temporarily upping the limit on Go Live to 50 people at a time, up from 10. Go Live is free to use and lets people privately stream or screen share apps from a computer while others watch on any device — so teachers can conduct a class, co-workers can collaborate, and groups can still meet. You can learn more about how to get started with Go Live here," Discord stated in a blog post.

Google
Google is giving G Suite and G Suite for Education customers free access to their Hangouts Meet video-conferencing features.

This includes these features:

Larger meetings, for up to 250 participants per call
Live streaming for up to 100,000 viewers within a domain
The ability to record meetings and save them to Google Drive
Instant Housecall
Subscribers to Instant Housecall can now create subaccounts that allow remote workers to take over their office PC. This offer will be available until the World Health Organization (WHO) designates the end of the pandemic.

"All plans now include subaccounts that let your customers work remotely. Using a subaccount that you create, your customers can login and control their own unattended PC," the announcement states.

Logmein
LogMeIn is providing a free Emergency Remote Work Kit that gives free 3-month site-wide licenses to GoToMeeting to make it easier for remote workers to conduct meetings.

"Starting immediately, we will be offering our critical front-line service providers with free, organization-wide use of many LogMeIn products for 3 months through the availability of Emergency Remote Work Kits. These kits will include solutions for meetings and video conferencing, webinars and virtual events, IT support and management of remote employee devices and apps, as well as remote access to devices in multiple locations. For example, the “Meet” Emergency Remote Work Kit will provide eligible organizations with a free site-wide license of GoToMeeting for 3 months," LogMeIn CEO Bill Wagnar said in a blog post.

Loom
The Loom video messaging platform has announced that through July 1st, 2020 they will provide these additional features:

Remove the recording limit on our free plan — what was 25 is now unlimited
Cut the price of Loom Pro in half — what was $10/month is now $5/month
Extend all trials of Loom Pro from 14 to 30 days
Microsoft
Microsoft is making Microsoft Teams for free for the next six months to aid businesses who move towards a remote workplace during the outbreak.

"At Microsoft, the health and safety of employees, customers, partners and communities is our top priority. By making Teams available to all for free for six months, we hope that we can support public health and safety by making remote work even easier," Microsoft EVP and President JP Courtois stated on Twitter.

Splashtop
Splashtop is offering free 60-day licenses to its Business Access remote access software.

"In response to the recent coronavirus outbreak, many organizations, businesses, educational institutions, and governments are recommending that people work from home to help reduce the spread of the virus. To support these remote work initiatives, Splashtop is offering its Splashtop Business Access remote computer access software free for 60 days in some of the most affected countries.

Residents of China, Hong Kong, Macau, and Taiwan are eligible for the free license,"

TechSmith
TechSmith is giving free licenses to their TechSmith Snagit screen capture software and the TechSmith Video Review software through June 30th, 2020.

"Our screen recording tool, TechSmith Snagit, and our asynchronous collaboration platform, TechSmith Video Review, will be provided for free through the end of June 2020 to any organization that needs it," TechSmith announced.

For existing customers of the TechSmith Relay or Video Review products, TechSmith is providing free increased usage with no charge.

Zoho
Zoho is now offering free access to its Remotely remote work software suite through July 1st, 2020.

"Zoho Remotely will enable you to take your work remote by offering a complete suite of web and mobile apps that will help you communicate, collaborate and be productive."

Zoom
For people in China, Zoom has enhanced the Basic (free) license by removing the 40-minute meeting limit.

With this tenet in mind, Zoom is doing everything we can to provide resources and support to those navigating the coronavirus outbreak, including:

For our Basic (free) users in China, we’ve lifted the 40-minute limit on meetings with more than two participants, providing unlimited time to collaborate.
We’re proactively monitoring servers to ensure maximum reliability amid any capacity increases, as uptime is paramount.
We’re scheduling informational sessions and on-demand resources so anyone can learn how to use the Zoom platform with ease — and at their convenience.

BlackWater Malware Abuses Cloudflare Workers for C2 Communication
15.3.2020  Bleepingcomputer  Virus

A new backdoor malware called BlackWater pretending to be COVID-19 information while abusing Cloudflare Workers as an interface to the malware's command and control (C2) server.

Cloudflare Workers are JavaScript programs that run directly on Cloudflare's edge so that they can interact with connections from remote web clients. These Workers can be used to modify the output of a web site behind Cloudflare, disable Cloudflare features, or even act as independent JavaScript programs running on the edge that displays output.

For example, a Cloudflare Worker can be created to search for text in a web server's output and replace words in it or to simply output data back to a web client.

BlackWater uses Cloudflare Workers as a C2 interface
Recently MalwareHunterTeam discovered a RAR file being distributed pretending to be information about the Coronavirus (COVID-19) called "Important - COVID-19.rar".

It is not known at this time how the file is being distributed, but it is most likely being done through phishing emails.

Inside this RAR file is a file called "Important - COVID-19.docx.exe" that uses a Word icon. Unfortunately, as Microsoft hides file extensions by default, many will simply see this file as a Word document rather than an executable and be more likely to open it.

Extracted file with extensions off and on
When opened, the malware will extract a Word document to the %UserProfile%\downloads folder called "Important - COVID-19.docx.docx" and opens it in Word.

The opened document is a document containing information on the COVID-19 virus and is being used by the malware as a decoy as it installs the rest of the malware and executes it on the computer.

Decoy COVID-19 Information Document
While victims are reading the COVID-19 document, the malware is also extracting the %UserProfile%\AppData\Local\Library SQL\bin\version 5.0\sqltuner.exe file.

This is where things get a bit interesting as the malware is then launched using a command line that causes the BlackWater malware to connect to a Cloudflare Worker that acts as a command and control server or at least a passthrough to one.

sqltuner.exe lively-dream-c871.m7.workers.dev
If visiting this site directly, users will be shown the following 'HellCat' image.

Cloudflare worker
Head of SentinelLabs Vitali Kremez told BleepingComputer that this worker is a front end to a ReactJS Strapi App that acts as a command and control server.

Kremez stated that this C2 will respond with a JSON encoded string that may contain commands to execute when the malware connects to it with the right authentication parameters.

The BlackWater malware is, by and large, a newer generation malware taking advantage of the ReactJS Strapi App for the backend checking, leveraging Cloudflare workers resolvers and employing JSON-based parser inside its DLL passing the server argument directly. The check-ins bear the "blackwater" marker as well passing either email @ black.water or @ black64.water depending on the architecture.

The malware appears to be novel and its JSON-based parser with the newer generation ReactJS backend server architecture is indicative of the active development amid the CoronaVirus outbreak.

When we asked why they were using a Cloudflare Worker rather than connecting directly to the C2, Kremez felt it was to make it harder to for security software to block IP traffic without blocking all of Cloudflare's Worker infrastructure.

"I think this is why they employ as it returns back the legit Cloudflare proxy IP which acts as a reverse proxy passing the traffic to the C2. It makes blocking the IP traffic impossible given it is Cloudflare (unless the whole Cloudflare worker space is banned) infrastructure while hiding the actual C2."

While there is still plenty to learn about this new malware and how it operates, it does provide an interesting glimpse of how malware developers are utilizing legitimate cloud infrastructure in novel ways.

Using Cloud Workers, traffic to malware command & control servers become harder to block and the malware operation can be easily scaled as needed.

Research Finds Microsoft Edge Has Privacy-Invading Telemetry
15.3.2020  Bleepingcomputer  OS  Privacy

While Microsoft Edge shares the same source code as the popular Chrome browser, it offers better privacy control for users. New research, though, indicates that it may have more privacy-invading telemetry than other browsers.

According to Microsoft, telemetry refers to the system data that is uploaded by the Telemetry components or browser's built-in services. Telemetry features aren't new to Microsoft and the company has been using Telemetry data from Windows 10 to identify issues, analyze and fix problems.

Professor Douglas J Leith, Chair of Computer Systems at Trinity College in Ireland, tested six web browsers to determine what data they were sharing. In his research, he pitted Chromium-based Microsoft Edge, Google Chrome, Brave, Russia's Yandex, Firefox and Apple Safari.

Unfortunately, Microsoft Edge didn't perform well in various privacy tests.

Too much telemetry in Microsoft Edge
When testing the Edge Browser, Leith saw that every URL that was typed into Edge would be sent back to Microsoft sites.

For example, every URL typed into the address bar is shared with Bing and other Microsoft services such as SmartScreen. This was confirmed by BleepingComputer who used Fiddler to see the JSON data being sent to Microsoft.

Unhashed URL being sent to SmartScreen
This could be fixed by using a technique similar to Google's Safe Browsing implementation that downloads a a list of known malicious sites and saves it locally. This list is the checked by the browser and if any data needs to be sent to Google's servers, will only send a hashed partial URL fingerprint that can be used to track browsing behavior.

The browser also sends unique hardware identifiers to Microsoft, which is a "strong and enduring identifier" that cannot be easily changed or deleted.

User tracking information being sent
Russian web browser Yandex is also engaged in similar anti-privacy activities:

From a privacy perspective Microsoft Edge and Yandex are qualitatively different from the other browsers studied. Both send persistent identifiers than can be used to link requests (and associated IP address/location) to back end servers. Edge also sends the hardware UUID of the device to Microsoft and Yandex similarly transmits a hashed hardware identifier to back end servers. As far as we can tell this behaviour cannot be disabled by users. In addition to the search autocomplete functionality that shares details of web pages visited, both transmit web page information to servers that appear unrelated to search autocomplete.

It's important to note that Microsoft Edge for Enterprise gives administrators a lot of control in deployments to disable all these trackers, but the trackers are enabled by default in all Edge installations.

While Microsoft Edge didn't fare well in the tests, the researcher has also questioned Chrome's and other browser's behaviour.

Users have previously noticed that Chrome scans the entire computer and reports hashes of executable programs back to Google to build Chrome's Safe Browsing platform.

Chrome, Firefox and Safari share details of every webpage you visit with their services. All these browsers use autocomplete feature to send web addresses to their services in realtime.

Firefox's telemetry transmissions, which is silently enabled by default, can potentially be used to link these over time. In Firefox, there is also an open WebSocket for push notifications and it is linked to a unique identifier, which could be used for tracking, according to the researcher.

COVID-19 Testing Center Hit By Cyberattack
15.3.2020  Bleepingcomputer  Attack

Hospitals around the world struggle with ever-growing waves of COVID-19 infections but the efforts in one testing center in Europe are being hampered by cybercriminal activity.

Computer systems at the University Hospital Brno in the Czech Republic have been shut down on Friday due to a cyberattack that struck in the wee hours of the day.

This comes at a time when there are more than 140 confirmed infections in the country and around 4,800 people in quarantine. The government has declared a state of emergency and imposed stern restrictions on crossing the border.

The University Hospital Brno hosts one of the 18 laboratories the Czech Republic uses for testing for the new coronavirus. Since the outbreak, the institution did up to 20 tests a day.

Not all systems are down
Little information has been released about the attack, which occurred on Friday morning, around 2 a.m. local time. Its nature remains unknown but it would not be a surprise if it were a ransomware incident. At the time of writing, the hospital's website was down.

Due to the attack, the results for COVID-19 tests in the past couple of days, estimated to dozens, have been delayed. It typically takes a day to get the results.

According to the Czech News Agency (ČTK), the director of the hospital, Jaroslav Štěrba, told reporters that computer systems started "falling gradually" and "had to be shut down." Members of the staff received instructions not to turn on the computers.

Systems serving laboratories like hematology, microbiology, biochemistry, tumor diagnostics, or radiology appear to be on a different network than the affected systems as they continue to work.

Basic operations are still possible at the hospital and patients are still being investigated, despite the attack. However, medical data collected by lab systems is stuck there and cannot be recorded in databases.

Recipes are written by hand or typed, leading to longer examination times. This happens at a point when every minute counts and doctors need all the help in dealing with COVID-19 infections.

The National Cyber and Information Security Agency (NÚKIB) has been called in and is working to identify the root of the problem and remedy the situation. The National Organized Crime Center is also involved in the case.

Because the state of emergency had already been declared in the country when the attack occurred, the investigators will treat it with priority and aggravated circumstances will be considered for prosecution.

Malware in the time of COVID-19
Some ransomware operators, like Maze, intentionally avoid targeting critical services. They told BleepingComputer that they "don’t attack hospitals, cancer centers, maternity hospitals and other socially vital objects."

Other ransomware actors, though, have no problem attacking healthcare units. At the beginning of 2018, SamSam hit at least two hospitals in the U.S.

Ryuk also has no remorse attacking hospitals. Last year, DCH hospitals in Alabama paid what the cybercriminals demanded for the decryption key that unlocked the medical data.

Other threat actors are also trying to capitalize from this global health crisis and created malware or launched attacks with a COVID-19 theme. A new ransomware strain discovered this week, BEC scammers are using the outbreak in an attempt to persuade victims to send money to a different account.

DomainTools also found a new malware for Android phones that locks them up and demands a ransom of $100 in bitcoin. CovidLock, as the researchers named it, locks the phone screen and threatens to delete contacts, pictures, and videos. The ransom note also claims to leak social media accounts to the public.

This is a screen-locker and starting Android 7.0 (Nougat) there is protection against it if a password is already set. CovidLock can still affect devices where unlocking the screen is not password protected.

DomainTools have obtained the decryption key for the unlock password set by CovidLocker and will soon make it public, along with the technical details of their research.

Slack Bug Allowed Automating Account Takeover Attacks
15.3.2020  Bleepingcomputer  Vulnerebility

Slack has fixed a security flaw that allowed hackers to automate the takeover of arbitrary accounts after stealing session cookies using an HTTP Request Smuggling CL.TE hijack attack on https://slackb.com/.

Web security researcher and bug bounty hunter Evan Custodio reported the bug to the team collaboration platform's security team via Slack's HackerOne bug bounty program on November 14th.

The researcher discovered the vulnerability after targeting several HTTP Request Smuggling (1, 2) exploits on Slack in-scope assets using tooling he developed.

Slack fixed the bug within 24 hours according to the bug report's timeline and rewarded Custodio with a $6,500 bounty, with the report being publicly disclosed just two days ago.

Bug could have lead to a massive data breach
Custodio says that the bug was "extremely critical" for both Slack and all the platform's customers and organizations that share private data, channels, and conversations on Slack as it "could lead to a massive data breach of a majority of customer data."

Using an attack targeting this bug would have allowed malicious actors to create automated bots that could attack the vulnerable in-scope Slack asset continuously, jump onto a victim's session, and steal all reachable data.

As Custodio further explained in his detailed write-up, the bug chain that allowed him to steal sessions cookies included multiple steps.

Gaining access to the session cookies
The researcher "exploited an HTTP Request Smuggling bug on a Slack asset to perform a CL.TE-based hijack onto neighboring customer requests," the bug report reads.

"This hijack forced the victim into an open-redirect that forwarded the victim onto the researcher's collaborator client with slack domain cookies.

"The posted cookies in the customer request on the collaborator client contained the customer's secret session cookie. With this attack, the researcher was able to prove session takeover against arbitrary slack customers."

Once the cookies got stolen, attackers would only have to plug the cookies into a browser and gain full control of the account, being able to collect and exfiltrate all the data.

So I did promise blog posts on RS CLTE-style attacks, I guess this will have to do for now. Often times with RS hijacking you can throw a victim into an open redirect to steal their tokens/cookies. Many thanks to @SlackHQ for fixing this within 24-hours of discovery #bugbounty https://t.co/EUm6pNgjlF

— Evan Custodio (@defparam) March 12, 2020
Slack fixed another bug — within five hours from disclosure — that would have allowed attackers to steal a user's authentication token that could then provide full control over their messages and account.

That security flaw was reported by Detectify security researcher Frans Rosén three years ago, in March 2017, and it allowed attackers to set up malicious sites for stealing XOXS tokens.

The bug's disclosure earned Rosén $3,000, Slack confirmed that they "resolved the postMessage and call-popup redirect issues, and performed a thorough investigation to confirm that this had never been exploited."

Google Is Not Creating a Nationwide Coronavirus Info Site
15.3.2020  Bleepingcomputer  IT

In a press conference in the White House Rose Garden, President Trump announced that Google and 1,700 of its engineers are working on a new web site devoted to information about Coronavirus.

President Trump and Vice President Pence stated that this site would allow people to enter their symptoms and determine if a test was needed. If a test is recommended, the site would then direct them to the nearest location that is offering Coronavirus tests.

To help facilitate the testing for Coronavirus, Walmart, CVS, Target, and Walgreens have announced that they will be volunteering a portion of their parking lots to be set up as drive-through Coronavirus testing sites.

These locations would allow people to drive up and receive a test without having to leave their car.

Vice President Pence said that more information about the availability of Google's site will be ready this weekend.

"By this Sunday evening, we will be able to give specific guidance on when the web site will be available. You can go to the web site, as the President said, you type in your symptoms and be given direction whether or not a test is indicated. And then at the same web site, you will be directed to one of these incredible companies that are gonna give a little bit of their parking lot so that people can come by and be given a drive-by test," Vice President Pence stated.

Soon after this press conference, the Google Communications Twitter account stated that another Alphabet company named Verily is in the early stages of creating a tool for testing in the San Francisco Bay area, with possible expansion at a later date.

This tool, though, is not being designed for nationwide access and it not ready as of yet.

This press conference can be seen below.

Update 3/14/20: This story has been updated to reflect Google's statement that they are not creating a nationwide web site.

Ancient Tortoise BEC Scammers Launch Coronavirus-Themed Attack
15.3.2020  Bleepingcomputer  Spam

A Business Email Compromise (BEC) cybercrime group has started using coronavirus-themed scam emails that advantage of the COVID-19 global outbreak to convince potential victims to send payments to attacker-controlled accounts.

In a report shared with BleepingComputer, Agari Cyber Intelligence Division (ACID) researchers say that they "believe this attack is the first reported example of BEC (business email compromise) actors exploiting the global COVID-19 event."

This scammer group tracked by Agari researchers as Ancient Tortoise is known for actively using financial aging reports in BEC attacks.

Aging reports (also known as a schedule of accounts receivable) are sets of outstanding invoices that help a company's financial department to track customers who haven't paid goods or services bought on credit.

Ancient Tortoise gains the trust of employees by asking for aging reports while impersonating a company's executives and then asking the customers to pay the outstanding invoices listed in the aging report.

Coronavirus-powered BEC scam
Yesterday, as part of an ongoing BEC scam investigation and multiple email exchanges with Ancient Tortoise actors, Agari researchers received a coronavirus-themed scam email that instructed the personas (aka unpaying customers listed on a face aging report) used as part of the research to pay an overdue invoice using a different bank account.

"Due to the news of the Corona-virus disease (COVID-19) we are changing banks and sending payments directly to our factory for payments, so please let me know total payment ready to be made so i can forward you our updated payment information," the scam email reads.

Agari's researchers received a Hong Kong mule account where the money should be sent once the scammers were told that the payment will be wired as soon as possible.

It took about three weeks for the attackers to send the coronavirus-themed scam email after their initial contact with the researchers, between February 17th when the request for an aging report landed in Agari's inboxes and March 9th when they launched the final attack on the fake vendor.

Until now, although threat actors have been sending coronavirus-themed spam emails to targets since January, most were sent as part of spam campaigns used to deliver malware payloads and to phish for credentials.

Coronavirus-themed scam email (Agari)
Several BEC groups are using aging report in attacks
Ancient Tortoise is just one of the BEC scammer groups tracked by Agari, with Silent Starling, Curious Orca, and Scattered Canary being other actors known for running elaborate BEC schemes leading to the compromise of hundreds of employees from companies from all over the world.

"In one case, Silent Starling received a consolidated aging report that included details for more than 3,500 customers with past due payments totaling more than $6.5 million," Agari said.

To defend against BEC attacks, Agari recommends vendors and suppliers who are initially targeted via executive impersonation attacks to implement strong email authentication and anti-phishing email protections focused on defending against advanced identity deception attacks and brand spoofing.

Companies working with external suppliers are advised to also set up a formal process for handling outgoing payments when suppliers are changing the normal payment account to efficiently prevent such attacks.

BEC scams behind $1.8 billion in losses in 2019
FBI's Internet Crime Complaint Center (IC3) 2019 Internet Crime Report published in February says that BEC was the cybercrime type with the highest reported total victim losses last year as it reached almost $1.8 billion in losses following attacks that targeted wire transfer payments of individuals and businesses.

IC3 also observed an increased number of diversion of payroll funds BEC complaints where fraudsters change employees' direct deposit information by tricking their company's human resources or payroll departments.

The FBI also warned private industry partners in early March that threat actors are abusing Microsoft Office 365 and Google G Suite as part of BEC attacks.

"Between January 2014 and October 2019, the Internet Crime Complaint Center (IC3) received complaints totaling over $2.1 billion in actual losses from BEC scams targeting Microsoft Office 365 and Google G Suite," the FBI said in a Private Industry Notification (PIN) from March 3.

US Govt Shares Tips on Securing VPNs Used by Remote Workers
15.3.2020  Bleepingcomputer  BigBrothers

The Department of Homeland Security's cybersecurity agency today shared tips on how to properly secure enterprise virtual private networks (VPNs) seeing that a lot of organizations have made working from home the default for their employees in response to the Coronavirus disease (COVID-19) pandemic.

"As organizations elect to implement telework, the Cybersecurity and Infrastructure Security Agency (CISA) encourages organizations to adopt a heightened state of cybersecurity," an alert published today says.

Malicious actors expected to focus attacks on teleworkers
Since more and more employees have switched to using their org's VPNs for teleworking, threat actors will increasingly focus their attacks on VPN security flaws that will be less likely to get patched in time if work schedules will be spread around the clock.

CISA also highlights the fact that malicious actors might also increase their phishing attacks to steal the user credentials of employees working from home, with orgs that haven't yet implemented multi-factor authentication (MFA) for remote access being the most exposed.

Is your organization teleworking because of #COVID19? Here are some https://t.co/tcA8Kr6DTq key recommendations on enterprise VPN security. #CyberVigilance #Cyber Cybersecurity #Infosec

— US-CERT (@USCERT_gov) March 13, 2020
"Organizations may have a limited number of VPN connections, after which point no other employee can telework," CISA adds.

"With decreased availability, critical business operations may suffer, including IT security personnel’s ability to perform cybersecurity tasks."

Mitigations for boosting enterprise VPN security
Among the mitigation measures recommended for organizations considering telework options for their employees because of the Coronavirus disease (COVID-19) pandemic, CISA lists:

• Keeping VPNs, network infrastructure devices, and devices used for remote work up to date (apply the latest patches and security configs).
• Notifying employees of an expected increase in phishing attempts.
• Ensuring that IT security staff are ready for remote log review, attack detection, and incident response and recovery.
• Implementing MFA on all VPN connections or required employees to use strong passwords to defend against future attacks.
• Testing VPN infrastructure limitations in preparation for mass usage and take measures such as rate-limiting to prioritize users that will require higher bandwidths.

As part of its teleworking guidance, CISA also advises organizations to review DHS documentation on how to secure network infrastructure devices, avoid social engineering and phishing attacks, choose and protect passwords and supplement passwords, as well as the National Institute of Standards and Technology (NIST) guide to enterprise telework and BYOD security

The DHS cybersecurity agency previously warned orgs to patch Pulse Secure VPN servers against ongoing attacks trying to exploit a known remote code execution (RCE) vulnerability tracked as CVE-2019-11510.

One week later, the FBI said in a flash security alert that state-backed hackers have breached the networks of a US financial entity and a US municipal government after exploiting servers left vulnerable to CVE-2019-11510 exploits.

Unpatched Pulse Secure VPN servers remain an attractive target for malicious actors. @CISAgov released an Alert on continued exploitation of CVE-2019-11510 in Pulse Secure. Update ASAP! https://t.co/n7mx9juifv #Cyber #Cybersecurity #InfoSec

— US-CERT (@USCERT_gov) January 10, 2020
CISA also published information on how to defend against scammers who use the Coronavirus Disease 2019 (COVID-19) health crisis as bait to push their scams over the Internet.

The World Health Organization (WHO) and the U.S. Federal Trade Commission (FTC) issued warnings about ongoing Coronavirus-themed phishing attacks and scam campaigns in February.

Microsoft, Google, LogMeIn, and Cisco have also announced last week that they are offering free licenses for their meeting, collaboration, and remote work tools so that teleworkers can join virtual meetings and chat with colleagues while working remotely.

Microsoft Unveils New Windows 10 Automatic Driver Update Plan
15.3.2020  Bleepingcomputer  OS

Microsoft has unveiled a new plan for the delivery of automatic driver updates that they hope will reduce the number of reliability issues users experience in Windows 10.

When a hardware driver is marked as automatic, Microsoft will automatically download and install the driver in Windows 10.

Marking drivers as automatic
Pushing out a new driver to a large Windows 10 population, though, can cause reliability issues, hardware conflicts, or bugs to appear as they begin to be used within a much larger user base.

To resolve these types of issues, this month Microsoft will use a new automatic driver update plan that performs gradual rollouts of new drivers to a small group of programmatically chosen users before slowly releasing the driver to the rest of the Windows 10 population.

This initial population will be made up of Windows 10 devices that are highly active so that there is a higher chance that Microsoft will receive diagnostic data about the quality of the driver and if it is causing any issues.

"The initial set is programmatically selected and is typically both highly active and representative of targeted clusters of hardware ID (HWID) and computer hardware ID (CHID) combinations for the particular driver. The initial rollout targets highly active devices as there is a higher chance of getting diagnostic data from these devices, which enables early failure detection," Microsoft explains.

Microsoft says this initial rollout stage will take approximately 8 days and the rest of the rollout can continue up to 30 days as they gradually increase its availability and the collection of diagnostic data.

This timeframe, though, can vary between drivers depending on whether the drivers has been assessed as a low or high-risk driver as seen by the graph below.

Gradual Rollout Graph
Once satisfactory data has been analyzed and determined to meet the required thresholds for what is considered a successful rollout, the driver will be made available to 100% of the users for install via Windows Update.

Europol Dismantles SIM Swap Criminal Groups That Stole Millions
15.3.2020  Bleepingcomputer  CyberCrime  Mobil 

Europol arrested suspects part of two SIM swapping criminal groups in collaboration with local law enforcement agencies from Spain, Austria, and Romania following two recent investigations.

SIM swap fraud (also known as SIM hijacking) happens when a scammer takes control over a target's phone number via social engineering or by bribing mobile phone operator employees to port the number to a SIM controlled by the fraudster.

Subsequently, the attacker will receive all messages and calls delivered to the victim onto his own phone, thus being able to bypass SMS-based multi-factor authentication (MFA) by gaining access to one-time password (OTP) codes, to steal credentials, and to take control of online service accounts.

Successful SIM hijacking attacks allow criminals to log in to their victims' bank accounts and steal money, take over their email or social media accounts, as well as change account passwords and locking victims out of their accounts.

"Fraudsters are always coming up with new ways to steal money from the accounts of unsuspecting victims," acting Head of Europol’s European Cybercrime Centre Fernando Ruiz said.

"Although seemingly innocuous, SIM swapping robs victims of more than just their phones: SIM hijackers can empty your bank account in a matter of hours," he added. "Law enforcement is gearing up against this threat, with coordinated actions happening across Europe."

Millions of euros stolen from victims
12 individuals suspected to be part of a hacking ring which was able to steal more than €3 million in several SIM swapping attacks were arrested in Spain by the Spanish National Police (Policía Nacional) in collaboration with Europol and the Civil Guard (Guardia Civil), during 'Operation Quinientos Dusim.'

"Composed of nationals between the ages of 22-52 years old from Italy, Romania, Colombia and Spain, this criminal gang struck over 100 times, stealing between €6,000 and €137,000 from bank accounts of unsuspecting victims per attack," Europol said.

"The criminals managed the obtain the online banking credentials from the victims of the different banks by means of hacking techniques such as the use of banking Trojans or other types of malware. Once they had these credentials, the suspects would apply for a duplicate of the SIM cards of the victims, providing fake documents to the mobile service providers.

"With these duplicates in their possession, they would receive directly to their phones the second-factor authentication codes the banks would send to confirm transfers."

As Europol explains, once they gained access to their victims' bank accounts, the suspects made transfers to mule accounts within a time frame of two hours so that their victims weren't able to realize that something was wrong with their phones.

Image: Europol
Another 14 members of a SIM hijacking gang were also arrested as part of 'Operation Smart Cash' following an investigation led by the Romanian National Police (Poliția Română) and the Austrian Criminal Intelligence Service (Bundeskriminalamt), in collaboration with the Europol.

"The thefts, which netted dozens of victims in Austria, were perpetrated by the gang in the spring of 2019 in a series of SIM swapping attacks," Europol said.

"Once having gained control over a victim’s phone number, this particular gang would then use stolen banking credentials to log onto a mobile banking application to generate a withdraw transaction which they then validated with a one-time password sent by the bank via SMS allowing them to withdraw money at cardless ATMs."

This crime group was able to steal more than €500,000 from dozens of Austrian during the spring of 2019 and until they were arrested at their homes in Romania during early February.

Defending against SIM swapping attacks
Europol also shared measures you can take if you want to prevent SIM hijackers from stealing your credentials and locking out of your accounts.

To make sure that SIM swapping doesn't affect you, Europol recommends the following:

• Keep your devices’ software up to date
• Do not click on links or download attachments that come with unexpected emails
• Do not reply to suspicious emails or engage over the phone with callers that request your personal information
• Limit the amount of personal data you share online
• Try to use two-factor authentication for your online services, rather than having an authentication code sent over SMS
• When possible, do not associate your phone number with sensitive online accounts
• Set up your own PIN to restrict access to the SIM card. Do not share this PIN with anyone.

If you lose mobile connectivity where you normally have no issues, you should immediately contact your provider and the bank if you spot any suspicious activity on your bank account.

Depending on what your mobile provider says, you might have to quickly change passwords for your online accounts to avoid further compromise in case scammers got your SIM ported to an attacker-controlled device.

The Federal Bureau of Investigation (FBI) also issued a SIM swapping alert last year with guidance on defending against such attacks after observing an increase in the number of SIM jacking attacks.

The FTC provides detailed info on how to secure personal information on your phone and on how to keep personal information secure online.

VMWare Releases Fix for Critical Guest-to-Host Vulnerability
15.3.2020  Bleepingcomputer  Vulnerebility

A security update has been released that fixes a Critical vulnerability in VMware Workstation Pro that could allow an application running in a guest environment to execute a command on the host.

This vulnerability is in the Windows vmnetdhcp service, which is used to assign IP addresses to the guest host via DHCP.

According to a VMware advisory, this vulnerability could allow attackers to perform a denial-of-service attack or execute commands on the Windows host.

"Successful exploitation of this issue may lead to code execution on the host from the guest or may allow attackers to create a denial-of-service condition of the vmnetdhcp service running on the host machine."

This could allow a malicious program, such as malware, to utilize the vulnerability to escape from the guest and take full control over the host PC.

While no known vulnerability exists at this point, as shown by Microsoft's recent SMBv3 vulnerability, researchers and attackers are known to quickly analyze and create proof-of-concept exploits once a vulnerability is announced.

Due to the critical nature of this vulnerability, it is strongly advised that users upgrade VMware Workstation as soon as possible.

The list of affected products are:

VMware Workstation Pro / Player (Workstation)
VMware Fusion Pro / Fusion (Fusion)
VMware Horizon Client for Windows
VMware Remote Console for Windows (VMRC for Windows)
To resolve this vulnerability, VMware Workstation users should upgrade to version 15.5.2.

PornHub Helps Italians Stay Indoors with Free Premium Access
15.3.2020  Bleepingcomputer  IT

To help ease the boredom and isolation caused by a country-wide coronavirus lockdown in Italy, PorbHub is offering a helping hand by providing Italians free access to their premium service.

On March 10th, 2020, Italy began a nationwide Coronavirus lockdown to help prevent the community spread of the virus. As part of this lockdown, Italians are requested to stay indoors, a 6 PM curfew is being enforced, and people should only travel if necessary.

To offer some entertainment for those stuck indoors, PornHub has announced that they are donating their March proceeds from ModelHub to Italy and that Italians can get free Premium access through March.

"Pornhub is donating its March proceeds from Modelhub to support Italy during this unfortunate time (model earnings will remain untouched). Italy will also have free access to Pornhub Premium throughout the month. Forza Italia, we love you! heart"

Users in Italy can sign up for free premium access through by going to pornhub.com/free-italy.

Free PornHub Premium offer to Italy
Unfortunately, this outbreak will most likely last far longer than March and with Italy getting hit so hard with this virus, it is hoped that PornHub and other streaming services will continue to offer free services to the country.

WordPress Plugin Bug Allows Malicious Code Injection on 100K Sites
15.3.2020  Bleepingcomputer  Virus

Vulnerabilities in the Popup Builder WordPress plugin could allow unauthenticated attackers to inject malicious JavaScript code into popups displayed on tens of thousands of websites, to steal information, and to potentially fully take over targeted sites.

Popup Builder enables site owners to create, deploy, and manage customizable popups containing a wide range of content from HTML and JavaScript code to images and videos.

Sygnoos, the plugin's developer, markets it as a tool that can help increase sales and revenue via smart pop-ups used to display ads, subscription requests, discounts, and various other types of promotional content.

Unauthenticated XSS and information disclosure flaws
The security flaws discovered by Defiant QA Engineer Ram Gall affect all versions up to and including Popup Builder 3.63.

"One vulnerability allowed an unauthenticated attacker to inject malicious JavaScript into any published popup, which would then be executed whenever the popup loaded," Gall said.

"Typically, attackers use a vulnerability like this to redirect site visitors to malvertising sites or steal sensitive information from their browsers, though it could also be used for site takeover if an administrator visited or previewed a page containing the infected popup while logged in."

The other bug made it possible for any logged-in user (with permissions as low as a subscriber) to gain access to plugin features, to export newsletter subscribers lists, as well as to export system configuration info with a simple POST request to admin-post.php.

No nonce and permission checks in vulnerable code (Defiant)
Vulnerabilities patched, tens of thousands still exposed
The flaws tracked as CVE-2020-10196 and CVE-2020-10195 allow for unauthenticated stored XSS, configuration disclosure, user data export, and website settings modification.

Sygnoos fixed the security issues with the release of Popup Builder version 3.64.1, one week after Defiant reported the bugs.

Since the fixed Popup Builder release was published, just over 33,000 users have updated the plugin, which still leaves over 66,000 sites with active installation exposed to attacks.

"While we have not detected any malicious activity targeting Popup Builder, the stored XSS vulnerability can have a serious impact on site visitors and potentially even allow site takeover," Gall added.

Since late February, hackers are actively trying to take over WordPress sites by exploiting plugin vulnerabilities allowing them to plant backdoors and to create rogue administrator​​​ accounts, with hundreds of thousands of website sites being exposed to attacks.

Open Exchange Rates Data Breach Affects Users of Well-Known Orgs
15.3.2020  Bleepingcomputer  Incindent

Open Exchange Rates has announced a data breach that exposed the personal information and salted and hashed passwords for customers of its API service.

Open Exchange Rates provides an API that allows organizations to query real-time and historical exchange rates for over 200 world currencies. The service's web site states that their API is used by companies such as Etsy, Shopify, Coinbase, Kickstarter, and more.

In data breach notification emails sent today, Open Exchange Rates explains that while investigating a network misconfiguration that was causing delays in their service, they discovered that an unauthorized user had gained access to their network and a database that included user information.

Open Exchange Rates Data Breach Notification
Source: Twitter
After further investigations, it was discovered that the hacker had access to their system for almost a month between February 9th, 2020, and March 2nd, 2020 and that the data was most likely extracted from their systems.

"Upon further examination, we determined that the unauthorised user appeared to have initially gained access on 9 February 2020, and could have gained access to a database in which we store user data. Whilst our investigations are ongoing, we have also found evidence indicating that information contained in this database is likely to have been extracted from our network." the email stated.

The following user information was exposed by this data breach:

The name and email address you registered with;
An encrypted/hashed password used by you to access your account connected with the platform;
IP addresses from which you have registered and/or logged into your account with us;
App IDs (32-character strings used to make requests to our service) associated with your account;
Personal and/or business name and address (if you have provided these);
Country of residence (if provided);
Website address (if provided).
Due to this breach, Open Exchange Rates has disabled the password for all accounts created before March 2nd, 2020 and users should use this link to set a new password.

If the same password is used at other sites, BleepingComputer strongly recommends that the password be changed at those sites as well.

As the customer API keys for the service may have also been exposed, Open Exchange Rates is recommending that all users generate new API IDs to access the service.

"As the App IDs (API keys) connected to your account are also potentially affected, you may also wish to generate new ones to access the service via your account dashboard. We do not have any evidence of these being used to gain access to the API, however they could be used to query exchange rate information from our service using your account."

As this API is used by well-known organizations, Open Exchange Rates is warning that the stolen data could be used in targeted spear-phishing campaigns and users should be suspicious of any email, phone calls, or texts asking to confirm their account information.

It is also recommended that users enable two-factor authentication at all sites that they have an account.

Discord Offers Enhanced Go Live Streaming Due to Coronavirus
15.3.2020  Bleepingcomputer  IT

Discord has increased the number of people who can join a Go Live streaming session at the same time to aid those affected by the Coronavirus (COVID-19) outbreak.

Discord offers a free private streaming and screen sharing service called Go Live that normally only allows 10 users to connect to a streaming session at once.
Discord Go Live Service
To help those who are quarantined or just feel isolated during the virus outbreak, Discord has raised the limit of their Go Live streaming service from 10 simultaneous users to 50 users at once.

"We wanted to find a way to help, so we’re temporarily upping the limit on Go Live to 50 people at a time, up from 10. Go Live is free to use and lets people privately stream or screen share apps from a computer while others watch on any device — so teachers can conduct a class, co-workers can collaborate, and groups can still meet. You can learn more about how to get started with Go Live here," Discord stated in a blog post.

TechSmith also offering free licenses
TechSmith also announced that they are offering free licenses of their TechSmith Snagit and TechSmith Video Review software through June 30th, 2020.

"Our screen recording tool, TechSmith Snagit, and our asynchronous collaboration platform, TechSmith Video Review, will be provided for free through the end of June 2020 to any organization that needs it," TechSmith announced today.

For existing customers of the TechSmith Relay or Video Review products, TechSmith is providing free increased usage with no charge.

Office 365 ATP To Block Email Domains That Fail Authentication
15.3.2020  Bleepingcomputer  Safety

Microsoft is working on including a new Office 365 Advanced Threat Protection (ATP) feature that would block email sender domains automatically if they fail DMARC authentication as part of an effort to make Office 365 ATP secure by default.

This change was prompted by the fact that, for some custom Office 365 ATP configurations, the default email threat-protection filters might be bypassed and malicious content could inadvertently reach customers' inboxes.

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an email authentication, policy, and reporting protocol that uses the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) email authentication methods to validate mail senders.

As Microsoft explains, "DMARC helps receiving mail systems determine what to do with messages sent from your domain that fail SPF or DKIM checks."

Reject emails if sender domain validation fails
"We see lots of cases where configuration of our protection stack has enabled malicious content to be inadvertently delivered to end users," Microsoft explains on the new feature's Microsoft 365 Roadmap entry. "We’re working on a few features that will help address this problem."

As mentioned in the beginning, the newest Office 365 feature planned is the addition of an automated block for email domains that fail authentication.

"The Antispam policy allows administrators to 'Allow' domains regardless of the reputation of the domain," Microsoft adds. "We’re changing our policies to not honor Allow rules when the domain fails authentication."

Admins who will want to get around it can address the auth issue with the domains they want to whitelist or to add new Exchange mail flow rules (also known as transport rules) to allow messages from sender on specific domains despite the newly imposed block designed to boost email security.

At the moment, until this new Office 365 ATP feature will be rolled out sometime around April 2020, inbound email that fails DMARC are marked by Office 365 as spam instead of automatically being rejected.

Office 365 fighting attacks (Microsoft)
Part of a larger effort to secure Office 365
This feature is planned to roll out to all environments together with another one designed to also boost the default security of email inboxes protected by Office 365 ATP.

Microsoft is also planning to block malicious content in Office 365 regardless of the custom configurations unless manually overridden by admins or users. Once the new features will be enabled, Office 365 will honor EOP/ATP malware analysis (detonation) verdicts to block known malicious files and URLs automatically.

In October 2019, Microsoft enabled Authenticated Received Chain (ARC) for all for hosted mailboxes to improve anti-spoofing detection and to check authentication results within Office 365. The ARC protocol supplements the DMARC and DKIM email authentication protocols as part of Internet Mail Handlers' effort to combat email spoofing especially when dealing with forwarded messages.

Microsoft also warned Office 365 admins and users against bypassing the built-in spam filters in June 2019, in a support document that also shares guidelines for cases when this can't be avoided.

"If you have to set bypassing, you should do this carefully because Microsoft will honor your configuration request and potentially let harmful messages pass through," the support document says. "Additionally, bypassing should be done only on a temporary basis. This is because spam filters can evolve, and verdicts could improve over time."

New CoronaVirus Ransomware Acts as Cover for Kpot Infostealer
15.3.2020  Bleepingcomputer  Ransomware

A new ransomware called CoronaVirus has been distributed through a fake web site pretending to promote the system optimization software and utilities from WiseCleaner.

With the increasing fears and anxiety of the Coronavirus (COVID-19) outbreak, an attacker has started to build a campaign to distribute a malware cocktail consisting of the CoronaVirus Ransomware and the Kpot information-stealing Trojan.

This new ransomware was discovered by MalwareHunterTeam and after further digging into the source of the file, we have been able to determine how the threat actor plans on distributing the ransomware and possible clues suggesting that it may actually be a wiper.

CoronaVirus Ransomware spread through fake WiseCleaner site
To distribute the malware, the attackers have created a web site that impersonates the legitimate Windows system utility site WiseCleaner.com.

Fake WiseCleaner Site
The downloads on this site are not active but have distributed a file called WSHSetup.exe that currently acts as a downloader for both the CoronaVirus Ransomware and a password-stealing Trojan called Kpot.

When the program is executed, it will attempt to download a variety of files from a remote web site. Currently, only the file1.exe and file2.exe are available for download, but you can see that it attempts to download a total of seven files.

Installer downloading malware
The first file downloaded by the installer is 'file1.exe' and is the Kpot password-stealing Trojan.

When executed, it will attempt to steal cookies and login credentials from web browsers, messaging programs, VPNs, FTP, email accounts, gaming accounts such as Steam and Battle.net, and other services. The malware will also take a screenshot of the active desktop and attempt to steal cryptocurrency wallets stored on the infected computer.

This information is then uploaded to a remote site operated by the attackers.

The second file, file2.exe, is the CoronaVirus Ransomware, which will be used to encrypt the files on the computer.

When encrypting files, it will only target files that contain the following extensions:

.bak, .bat, .doc, .jpg, .jpe, .txt, .tex, .dbf, .xls, .cry, .xml, .vsd, .pdf, .csv, .bmp, .tif, .tax, .gif, .gbr, .png, .mdb, .mdf, .sdf, .dwg, .dxf, .dgn, .stl, .gho, .ppt, .acc, .vpd, .odt, .ods, .rar, .zip, .cpp, .pas, .asm, .rtf, .lic, .avi, .mov, .vbs, .erf, .epf, .mxl, .cfu, .mht, .bak, .old
Files that are encrypted will be renamed so that it continues to use the same extension, but the file name will be changed to the attacker's email address. For example, test.jpg would be encrypted and renamed to 'coronaVi2022@protonmail.ch___1.jpg'.

In some cases, like below, it may prepend the email address multiple times to the file name.

CoronaVirus Encrypted Files
In each folder that is encrypted and on the desktop, a ransom note named CoronaVirus.txt will be created that demands 0.008 (~$50) bitcoins to a hardcoded bitcoin address of bc1qkk6nwhsxvtp2akunhkke3tjcy2wv2zkk00xa3j, which has not received any payments as of yet.

CoronaVirus Ransom Note
The ransomware will also rename the C: drive to CoronaVirus as shown below, which adds nothing other than the attacker trolling the victims.

Renamed C: Drive to Troll victim
On reboot, the ransomware will display a lock screen displaying the same text from the ransom note before Windows is loaded as seen below.

CoronaVirus Ransomware MBRLocker component
Head of SentinelLabs Vitali Kremez told BleepingComputer that this is being displayed through a modification of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager "BootExecute" Registry value that launches an executable from the %Temp% folder before loading any Windows services on boot.

Modified BootExecute Key
After 45 minutes, the lock screen will switch to a slightly different message. You are still unable to enter any code, though, to get back into the system.

Changed MBRLocker screen
After 15 minutes, it boots back into Windows and upon login will display the CoronaVirus.txt ransom note.

This is a strange ransomware and is still being analyzed for weaknesses.

Based on the low ransom amount, static bitcoin address, and political message, it is strongly suspected that this ransomware is being used more as a cover for the Kpot infection rather than to generate actual ransom payments.

"Donations to the US presidential elections are accepted around the clock."

BleepingComputer's theory is that the ransomware component is being used to distract the user from realizing that the Kpot information-stealing Trojan was also installed to steal passwords, cookies, and cryptocurrency wallets.

Anyone who has been infected with this attack should immediately use another computer to change all of their online passwords as they have now been compromised by the Kpot info-stealer.

Microsoft Releases KB4551762 Security Update for SMBv3 Vulnerability
15.3.2020  Bleepingcomputer  OS

Microsoft released the KB4551762 security update to patch the pre-auth RCE Windows 10 vulnerability found in Microsoft Server Message Block 3.1.1 (SMBv3), two days after details regarding the flaw were leaked as part of the March 2020 Patch Tuesday.

The KB4551762 security update tracked as CVE-2020-0796 addresses "a network communication protocol issue that provides shared access to files, printers, and serial ports," according to Microsoft.

KB4551762 can be installed by checking for updates via Windows Update or by manually downloading it for your Windows version from the Microsoft Update Catalog.

"While we have not observed an attack exploiting this vulnerability, we recommend that you apply this update to your affected devices with priority," Microsoft says.

The vulnerability, dubbed SMBGhost or EternalDarkness, only impacts devices running Windows 10, version 1903 and 1909, and Windows Server Server Core installations, versions 1903 and 1909.

Microsoft explained that the vulnerability only exists in a new feature added to Windows 10 version 1903 and that older versions of Windows do not offer support for SMBv3.1.1 compression, the feature behind this bug.

Confirmed Microsoft pushing KB4551762 OOB security update to affected systems via Windows Update
SMBv3 RCE vulnerability
Microsoft shared details on CVE-2020-0796 only after security vendors part of the Microsoft Active Protections Program who got early access to the flaw's details released information during the March 2020 Patch Tuesday.

At the time, Microsoft published an advisory with more info on the leaked bug and mitigation designed to block potential attacks after news of a wormable pre-auth RCE vulnerability affecting SMBv3 spread.

"Microsoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests," the advisory reads. "An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client."

"To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it."

DoS and LPE proof-of-concepts demoed by researchers
Researchers at cybersecurity firm Kryptos Logic discovered 48,000 Windows 10 hosts vulnerable to attacks targeting the CVE-2020-0796 vulnerability and also shared a demo video of a denial-of-service proof-of-concept exploit created by security researcher Marcus Hutchins.

SophosLabs' Offensive Research team also developed and shared a video demo of a local privilege escalation proof-of-concept exploit that allows attackers with low-level privileges to gain SYSTEM-level privileges.

"The SMB bug appears trivial to identify, even without the presence of a patch to analyze," Kryptos Logic said, with malicious actors probably being also close to developing their own exploits for CVE-2020-0796.

For admins who cannot apply the security update at the moment, Microsoft provides mitigation measures for SMB servers and recommends disabling SMBv3 compression using this PowerShell command (no restart required, doesn't prevent SMB clients' exploitation ):

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
Enterprise customers are also advised to block the TCP port 445 at the enterprise perimeter firewall to prevent attacks on SMB servers attempting to exploit the flaw.

While malicious scans for vulnerable Windows 10 systems haven't been detected so far, attacks targeting unpatched devices are close seeing that PoC exploits have already been developed and that the bug is easy to analyze.

Hackers Get $1.6 Million for Card Data from Breached Online Shops
15.3.2020  Bleepingcomputer  Incindent

Hackers have collected $1.6 million from selling more than 239,000 payment card records on the dark web. The batch was assembled from thousands of online shops running last year a tainted version of Volusion e-commerce software.

The compromise was discovered in October 2019 by Check Point security researcher Marcel Afrahim and affected stores hosted on the Volusion cloud platform.

Wide-scope operation
This was a web-skimming incident, where attackers use malicious JavaScript that steals payment data when customers provide it at checkout.

In this case, the hackers modified a resource used on Volusion-based stores for navigating the UI menu. This resource loaded the skimmer from an external path.

Evidence found by Trend Micro indicates that the attack started on September 7 and is the work of FIN6.

RiskIQ refers to them as MageCart Group 6 and assesses that it goes only after high-profile targets that ensure a large volume of transactions.

Significant damage
A report from Gemini Advisory today informs that whoever compromised the Volusion infrastructure waited until November 2019 to start selling the data on the dark web.

Until now, they offered more than 239,000 payment card records on a single dark web marketplace and made $1.6 million. This data was from hundreds of different merchants.

Gemini determined that the number of compromised stores is as high as 6,589, which is in line with results from a search for sites with the modified Volusion JavaScript.

The researchers estimate that the attackers have up to 20 million records, though, which may trickle on the dark web for a long time. If true, they could have a potential maximum value of more than $100 million, if prices don’t fall.

“The average CNP [card-not-present] breach affecting small to mid-sized merchants compromises 3,000 records; scaling this figure to the 6,589 merchants using Volusion affected by this breach, the potential number of compromised records is up to nearly 20 million. Given this figure, the maximum profit potential would be as high as $133.89 million USD” - Gemini Advisory

This profit is just an estimation, though. However, even if hackers make just a 10th of it, the figure is still impressive. Buyers also stand to make significant profits from using the stolen card data, Gemini told BleepingComputer.

As for the domains affected by the attack, almost 5,900 were registered in the U.S., with less than 200 registered in Canada.

From the 239,000 records already sold on the dark web, 98.97% are for cards issued in the U.S., the researchers found. The next-largest issuer countries, each of them accounted for just several hundred records.

48K Windows Hosts Vulnerable to SMBGhost CVE-2020-0796 RCE Attacks
15.3.2020  Bleepingcomputer  Attack

After an Internet-wide scan, researchers at cybersecurity firm Kryptos Logic discovered roughly 48,000 Windows 10 hosts vulnerable to attacks targeting the pre-auth remote code execution CVE-2020-0796 vulnerability found in Microsoft Server Message Block 3.1.1 (SMBv3).

Several vulnerability scanners designed to detect Windows devices exposed to attacks are already available on GitHub, including one created by Danish security researcher ollypwn and designed to check if SMBv3 is enabled on the device and if the compression capability that triggers the bug is enabled.

The vulnerability, dubbed SMBGhost, is known to only impact desktop and server systems running Windows 10, version 1903 and 1909, as well as Server Core installations of Windows Server, versions 1903 and 1909.

Microsoft explains that "the vulnerability exists in a new feature that was added to Windows 10 version 1903" and that "older versions of Windows do not support SMBv3.1.1 compression."

ollypwn's CVE-2020-0796 scanner in action (server without and with mitigation)
DoS proof-of-concept already demoed
They also shared a demo video of a denial-of-service proof-of-concept exploit developed by researcher Marcus Hutchins (aka MalwareTech).

"The SMB bug appears trivial to identify, even without the presence of a patch to analyze," according to Kryptos Logic which means that malicious actors might soon be able to develop their own CVE-2020-0796 exploits.

While no malicious scans for Windows 10 hosts without mitigations put in place haven't yet been detected, the fact that PoC exploits have already been developed and the bug is so easy to analyze that it could lead to malicious attacks soon.

The CVE-2020-0796 pre-auth RCE vulnerability
Microsoft publicly disclosed details about the SMBGhost vulnerability only after some security vendors part of the Microsoft Active Protections Program who get early access to vulnerability information released information during this month's Patch Tuesday.

After the news of a wormable pre-auth RCE vulnerability affecting SMBv3 spread, Microsoft published a security advisory with info on the leaked bug and mitigation measures designed to block potential attacks.

"Microsoft is aware of a remote code execution vulnerability in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests," the advisory reads. "An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target SMB Server or SMB Client."

"To exploit the vulnerability against an SMB Server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 Server. To exploit the vulnerability against an SMB Client, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it."

Microsoft shares mitigation measures for SMB servers
As a workaround until a security update is released, Microsoft's advisory recommends disabling SMBv3 compression using this PowerShell (Admin) command (no reboot required, does not prevent the exploitation of SMB clients):

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
Additionally, enterprise customers are advised to block the TCP port 445 at the enterprise perimeter firewall to prevent attacks attempting to exploit the flaw.

"This can help protect networks from attacks that originate outside the enterprise perimeter," Redmond explains. "Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks."

"However, systems could still be vulnerable to attacks from within their enterprise perimeter," Microsoft adds.

We've just finished our first internet wide scan for CVE-2020-0796 and have identified 48000 vulnerable hosts. We'll be loading this data into Telltale for CERTs and organisations to action. We're also working on a blog post with more details (after patch).

— Kryptos Logic (@kryptoslogic) March 12, 2020

Advanced Russian Hackers Use New Malware in Watering Hole Operation
15.3.2020  Bleepingcomputer  APT

Two previously undocumented pieces of malware, a downloader and a backdoor, were used in a watering hole operation attributed to the Russian-based threat group Turla.

To reach targets of interest, the hackers compromised at least four websites, two of them belonging to the Armenian government. This indicates that the threat actor was after government officials and politicians.

Simple, yet effective trick
The new tools are a .NET malware dropper called NetFlash and a Python-based backdoor named PyFlash. They would be delivered following a fake Adobe Flash update notification received by victims.

At least four Armenian websites were infected by yet unknown means in this campaign, which started since at least the beginning of 2019.

armconsul[.]ru: The consular Section of the Embassy of Armenia in Russia
mnp.nkr[.]am: Ministry of Nature Protection and Natural Resources of the Republic of Artsakh
aiisa[.]am: The Armenian Institute of International and Security Affairs
adgf[.]am: The Armenian Deposit Guarantee Fund
After gaining access to the website, the hackers added a piece of malicious JavaScript code that loaded from the external source ‘skategirlchina[.]com’ a script designed to fingerprint the visitor’s web browsers.

Visitors landing on the compromised website for the first time would get a persistent cookie whose code is publicly available. This is used for tracking future visits to sites compromised for this operation.

Security researchers from ESET believe that Turla (a.k.a. Waterbug, WhiteBear, Venomous Bear, Snake) hackers were very selective about their targets, moving to the next stage of the attack only for a small number of visitors.

In the first stage of the attack, victims would see a fake warning for updating Adobe Flash Player, shown in an iFrame. If the visitor acted on it, they would get a malicious executable that installed both a legitimate copy of Flash and a Turla malware variant, ESET says in a report today.

Starting September 2019, the first stage payload from a backdoor named Skipper to the new NetFlash malware downloader, which appears to have been compiled at the end of August and early September of last year.

It is NetFlash’s job to retrieve the second-stage PyFlash backdoor from a hard-coded URL and to make it persistent on the system via a Windows scheduled task.

ESET created the image below to show how Turla used this watering hole operation to target and compromise systems deemed of interest:

The attackers used the ‘py2exe’ extension to convert their PyFlash script into an executable that runs on Windows without the need of Python.

PyFlash was mainly used to send to the command and control (C2) server information about the victim host. Supported commands are relate to the OS and the network (systeminfo, tasklist, ipconfig, getmac, arp).

The C2 can send additional commands such as for downloading files from a given link, running a Windows command, change the delay time for launching the malware, or removing infection traces by uninstalling the backdoor.

For the last one, confirms the instruction via POST‌ request to the C2 with the following string:

I'm dying :(
Tell my wife that i love her...
Watering hole attacks are a known tactic for Turla but researchers are somewhat surprised that the group used a common trick to deliver their malware. This shows that even sophisticated threat actors can choose a simple solution to achieve their goal.

However, ESET points out that the actor did make an effort to evade detection by using a different payload than Skipper, which was essentially burned from long-time use.

Google Chrome Gets 'Default to Guest' Mode for Stateless Browsing
15.3.2020  Bleepingcomputer  Security

Google announced today that a new 'Default to Guest mode' feature is now available for Windows, Linux, and macOS power users of the Chrome web browser.

The new Google Chrome feature can be enabled using a command-line switch or an enterprise policy, and it allows users to configure the web browser to always launch into Guest Mode.

In this browsing mode, Chrome will delete all browsing activity from the computer after exiting the browser, providing its users with "a stateless browsing experience from session to session."

Google Chrome Guest mode
'Default to Guest' mode for Chrome
The Guest mode can be used to allow others to use your computer for browsing or for surfing the web on someone else's device without access to any Chrome profiles.

The difference between Guest mode and Incognito mode is that you will still be able to access all the info in your profile while using the latter.

"Pages you view in this window won’t appear in the browser history and they won’t leave other traces, like cookies, on the computer after you close all open Guest windows," Google explains. "Any files you download will be preserved, however."

While browsing the web in Guest mode, Chrome will not save any info on:

Websites you visit, including the ads and resources used on those sites
Websites you sign in to
Your employer, school, or whoever runs the network you’re using
Your internet service provider
Search engines (search engines may show search suggestions based on your location or activity in your current Incognito browsing session.)
Toggling on Chrome's Default to Guest mode
Windows users can enable the new feature by following these steps:

Exit all running instances of Chrome.
Right-click on your "Chrome" shortcut.
Choose properties.
At the end of your "Target:" line add the following: chrome.exe --guest
Once complete, use the shortcut to launch Chrome.
Windows users can also open the Command Prompt or PowerShell app (or any other Terminal program), browse to Google Chrome's folder, and launch the browser with the --guest parameter.

Launching Chrome in Guest Mode from Windows PowerShell
For macOS and Linux users, Google provides this procedure:

Quit all running instances of Chrome.
Run your favorite Terminal application.
In the terminal, find your Chrome application and append --guest as a command-line parameter and hit ENTER to launch Chrome.
To get back to your Chrome profile, users will have to exit all Chrome instances and relaunch the web browser without the --guest command-line switch — Windows users who edited the shortcut will have to change the "Target:" line to its previous contents.

Windows Registry Helps Find Malicious Docs Behind Infections
15.3.2020  Bleepingcomputer  Spam  Virus

If a Windows computer becomes infected and you are trying to find its source, a good place to check is for malicious Microsoft Office documents that have been allowed to run on the computer.

Ransomware, downloaders, RATs, and info-stealing Trojans are commonly distributed through phishing emails containing Word and Excel documents with malicious macros.

When a user opens one of these documents in Microsoft Office, depending on the protection of the document or if the document contains macros, Office will restrict the functionality of the document unless the user clicks on 'Enable Editing' or 'Enable Content' buttons.

When a user enables a particular feature such as editing or macros, the document will be added as a Trusted Document to the TrustRecords subkey under the following Registry keys depending if it's a Word or Excel document:

HKEY_CURRENT_USER\Software\Microsoft\Office\[office_version]\Word\Security\Trusted Documents\TrustRecords
HKEY_CURRENT_USER\Software\Microsoft\Office\[office_version]\Excel\Security\Trusted Documents\TrustRecords
This allows Microsoft Office to remember the decision a user made and not prompt them again in the future.

This also means that if a user allowed editing or macros in a document by pressing the appropriate button, Office will remember this decision the next time you open the document and not ask again.

The good news is we can use this information to our advantage to find Word and Excel documents with macros that have been enabled on the computer.

Trusting Microsoft Office Documents
To illustrate how a document becomes a Trusted Document, let's walk through the steps of opening an actual Word document with malicious macros that were being distributed in a phishing campaign.

As the ultimate goal for a bad actor is for you to enable macros in the document, they commonly display a message walking the user through clicking on the 'Enable Content' button so that macros will be executed and malware will be installed on the computer.

In this particular example, the malicious document is protected, which means it cannot be edited until a user clicks on the 'Enable Editing' button. Furthermore, if a document is protected a user must Enable Editing before they can get to the prompt to enable macros.

Protected Malicious Word document
When a user clicks on 'Enable Editing', the full path to the document will be added as a value under the HKEY_CURRENT_USER\Software\Microsoft\Office\[office_version]\Word\Security\Trusted Documents\TrustRecords key.

This contains individual values for each document that has been trusted in some manner; either the Enable Editing or Enable Content button has been clicked.

TrustRecords Key
A created value's data will consist of a timestamp, some other information, and finish with four bytes that determine what action has been trusted. In this case, we clicked on 'Enable Editing, so the four bytes will be set to 01 00 00 00.

Last four bytes set to 01 00 00 00
Now that the document has been enabled for editing, Word will prompt the user if they want to enable macros by clicking on the 'Enable Content' button.

Malicious document prompting to enable macros
If a user clicks on the 'Enable Content' button, Office will update the TrustRecord for the document to indicate that macros have been allowed with this document and will always be allowed going forward.

This is done by changing the last four bytes of the document's TrustRecord to FF FF FF 7F as seen below.

Macros are allowed to run in this document
The use of Trusted Documents does not only apply to Word but also other Office applications. For example, if the user clicks on Enable Editing or Enable Content in an Excel spreadsheet, a TrustRecord will be created under the HKEY_CURRENT_USER\Software\Microsoft\Office\[office_version]\Excel\Security\Trusted Documents\TrustRecords Registry key as shown below.

Excel Trust Records
Putting it all together
Now we know that every time a user clicks on 'Enable Editing; or 'Enable Content', Microsoft Office will add the path to the document as a Registry value under the program's TrustRecords key.

We also know that if the last four bytes of the trusted document's value data is set to FF FF FF 7F it means that the user enabled macros in the document, which is a very common vector for a computer to become infected.

Using this information, we can check for potential malicious documents whose macros have been enabled by checking the values under the following keys and then collecting the documents for further forensics.

HKEY_CURRENT_USER\Software\Microsoft\Office\[office_version]\Word\Security\Trusted Documents\TrustRecords
HKEY_CURRENT_USER\Software\Microsoft\Office\[office_version]\Excel\Security\Trusted Documents\TrustRecords
This method is especially useful for tracking down Emotet, TrickBot, Ransomware, or RAT infections.

Clearing Trusted Documents
As TrustRecords remember a user's action's forever and would allow macros to run automatically on a previously enabled document, it is best if the Trusted Documents are removed from the Registry at regular intervals.

This can be done through login scripts, scheduled tasks, or other methods.

Users can also clear their Trusted Documents through the Microsoft Office Trust Center, which can be accessed by performing the following steps:

From within Word or Excel, click on File and then Options.
Under Trust Center, click on the Trust Center Settings button.

Opening the Trust Center
When the Trust Center opens, click on the Trusted Documents section in the left column.
In the Trusted Documents section, click the Clear button and all of the Trusted Documents will be cleared. This also means that if you open a previously trusted document, Word or Excel will prompt you to 'Enable Editing' or 'Enable Content' again.

Clear Trusted Documents
Repeat this same process in your other Office applications.
Close the Trust Center.

DDR4 Memory Still At Rowhammer Risk, New Method Bypasses Fixes
15.3.2020  Bleepingcomputer  Attack

Academic researchers testing modern memory modules from Samsung, Micron, and Hynix discovered that current protections against Rowhammer attacks are insufficient.

Current mitigation solutions are efficient against known Rowhammer variants but attack possibilities are not exhausted and exploitation is still possible.

The new findings show that memory bit flipping works on many devices, including popular smartphones from Google, Samsung, and OnePlus.

Rowhammer risk lingers on
The attack works by taking advantage of the close proximity of memory cells available in a dynamic random access memory (DRAM).

By hammering one row with sufficient read-write operations, the value of the nearby data bits can change from one to zero and vice-versa (bit flipping). Current variants of the attack access two memory rows (called aggressors), at most.

This modification can lead to a denial-of-service condition, increased privileges on the machine, or it can even allow hijacking the system.

Rowhammer attacks have been demonstrated over time by compromising the Linux kernel, breaking cloud isolation, rooting mobile devices, taking control of web browsers, targeting server applications over the network, or extracting sensitive info stored in RAM.

The best defense to date is commonly referred to as Target Row Refresh (TRR) and it is supposed to eradicate the risk of Rowhammer attacks.

But there is little information about TRR, how it works, and how it is deployed by each vendor/manufacturer - because they need to protect proprietary technology.

Contrary to common belief, TRR is not a single mitigation mechanism, say researchers from VUSec (Systems and Network Security Group at VU Amsterdam).

It is an umbrella term that defines multiple solutions at various levels of the hardware stack and manufacturers took different routes to obtain the same result.

VUSec tested against all known Rowhammer variants a batch of 42 DDR4 modules that had TRR enabled and found that no bit flipping occurred, showing that the defenses were effective for the known attacks.

VUSec found that there are multiple implementations for TRR in DRAM chips from various vendors and that vulnerable cells are not distributed in the same way for every chip.

TRRespass - the Rowfuzzer
With help from researchers at ETH Zurich, who provided SoftMC (an FPGA-based infrastructure), VUSec was able to experiment with DRAM chips and understand the internal operations.

This showed them that it is easy to flip the bits after understanding how the mitigation works. Also, they noticed that the vulnerability is worse on DDR4 chips than on DDR3 because of the difference in tolerated row activation counts, which is higher for the latter.

They found that current TRR implementations track a limited number of aggressor rows hammered by the attacker, two being the most used in currently demonstrated attacks.

"The mitigation clearly cannot keep the information about all accessed rows at the same time, since it would require an unaffordable amount of additional memory nor can it refresh all the victims" - VUSec

So they tried using more aggressor rows. With the newly-gained insight from experimenting with SoftMC, VUSec created a fuzzing tool they named TRResspass, "to identify TRR-aware RowHammer access patterns on modern systems."

"While fuzzing is a common technique in software testing, we implemented the first fuzzer aimed at triggering Rowhammer corruptions in DRAM" - VUSec

TRResspass is open source and works by repeatedly selecting random rows at various locations in DRAM. Starting from the initial hammering patterns produced by TRResspass, the researchers developed a broader class, which they call "Many-sided Rowhammer."

In a paper describing their research and results, VUSec says that their fuzzer recovered effective access patterns for 13 of the 42 memory modules they tested with the TRR protection enabled.

They emphasized that all the modules where TRResspass induced bit flips are vulnerable to at least two hammering patterns. Also, the patterns vary from one module to another.

Getting the fuzzer to work on low-power DDR4 modules in 13 smartphones, allowed it to successfully find Rowhammer patterns that induced bit flips in 5 models: Google Pixel, Google Pixel 3, LG G7 ThinQ, OnePlus 7, and Samsung Galaxy S10e (G970F/DS).

Exploiting the vulnerability with the more sophisticated patterns yielded impressive results, despite not tweaking the attacks for increased efficiency.

The worst time needed to obtain kernel privileges was three hours and 15 minutes, while the best was 2.3 seconds.

They were able to forge a signature from a trusted RSA-2048 key in up to 39 minutes (on other chips this was possible in a little over a minute).

Bypassing sudo permission checks was possible with just one memory module and took around 54 minutes of hammering.

VUSec published the research paper "TRRespass: Exploiting the Many Sides of Target Row Refresh" that provides extensive details about their findings and results achieved with TRResspass.

They disclosed the new type of Rowhammer attacks to all affected parties in November 2019 but new mitigations are not easy to implement and will take some time to deploy. The new method is now tracked as CVE2020-10255.

A statement from Intel says that VUSec's does not show a vulnerability in Intel CPUs and recommends contacting the memory chip supplier for appropriate mitigations.

"Enabling Error Correcting Code (ECC) and/or utilizing memory refresh rates greater than 1X can reduce susceptibility to this and other potential Rowhammer-style attacks" - Intel

Citing previous research (1, 2, 3), VUSec says that there are no reliable solutions older hardware against Rowhammer, and that "stopgap solutions such as using ECC and doubling (or even quadrupling) the refresh rate have proven ineffective." They showed in research published last year that ECC has its limitatations against this type of attack.

AMD also issued a statement, saying that their "microprocessor products include memory controllers designed to meet industry-standard DDR specifications."

Intel Patches High Severity Flaws in Windows Graphics Drivers
15.3.2020  Bleepingcomputer  Vulnerebility

Intel released security updates to address 27 vulnerabilities as part of March 2020 Patch Tuesday, with ten of them being high severity security flaws impacting Intel's Graphics Drivers for Windows and the Smart Sound Technology integrated audio DSP in Intel Core and Intel Atom CPUs.

The security issues patched today are detailed in the nine security advisories published by Intel on its Security Center, with the company providing download links for security updates available through the drivers and software download center.

The vulnerabilities disclosed today may allow authenticated or privileged users to potentially access sensitive information, to trigger denial-of-service states, and escalate privileges via local access.

Some of the advisories feature a detailed list of all affected products, recommendations for vulnerable products, as well as contact details for users and researchers who want to report other security flaws found in Intel branded software or hardware products.

Full list of March 2020 Patch Tuesday advisories
A list of all security advisories issued by Intel during this month's Patch Tuesday is available below, ordered by highest CVSS score rating to help prioritize patch deployment.

Advisory ID Title CVSS Score Range Severity rating
INTEL-SA-00354 Intel® Smart Sound Technology Advisory 8.6 HIGH
INTEL-SA-00315 Intel® Graphics Driver Advisory 3.2 – 8.4 HIGH
INTEL-SA-00352 BlueZ Advisory 7.1 HIGH
INTEL-SA-00343 Intel® NUC™ Firmware Advisory 7.7 - 7.8 HIGH
INTEL-SA-00349 Intel® MAX® 10 FPGA Advisory 6.1 MEDIUM
INTEL-SA-00319 Intel® FPGA Programmable Acceleration Card N3000 Advisory 4.4 – 6 MEDIUM
INTEL-SA-00330 Snoop Assisted L1D Sampling Advisory 5.6 MEDIUM
INTEL-SA-00334 Intel® Processors Load Value Injection Advisory 5.6 MEDIUM
INTEL-SA-00326 Intel® Optane™ DC Persistent Memory Module Management Software Advisory 4.4 MEDIUM
New Spectre-type data injection vulnerability
As part of this month's Patch Tuesday, Intel also addressed a vulnerability (CVE-2020-0551) disclosed by researchers yesterday and allowing for a novel class of attack techniques against modern Intel processors that can help attackers inject malicious data into apps via transient-execution attacks and steal sensitive data.

According to the researchers who discovered and reported the new vulnerability dubbed LVI (short for Load Value Injection), it bypasses all transient-execution attack mitigations developed for Intel's processors so far, like Meltdown, Spectre, Foreshadow, ZombieLoad, RIDL, and Fallout.

"Load value injection in some Intel processors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side-channel with local access," Intel's security advisory explains.

LVI impacts Intel Skylake Core-family processors and newer, with a list with all affected CPUs being provided by Intel here.

Icelake Core-family processors aren't affected by LVI the researchers say, while Meltdown-resistant processors are "only potentially vulnerable to LVI-zero-data (aka loads exhibiting zero injection behavior only)."

A video showcasing two LVI (Load Value Injection) proof of concept demo attacks against vulnerable Intel platforms is embedded below.

"Due to the numerous complex requirements that must be satisfied to successfully carry out the LVI method, Intel does not believe LVI is a practical exploit in real-world environments where the OS and VMM are trusted," Intel Director of Communications Jerry Bryant said.

"New mitigation guidance and tools for LVI are available now. These work in conjunction with previously released mitigations to substantively reduce the overall attack surface associated with speculative execution side channels."

Intel released updates to the SGX Platform Software (PSW) and SDK to mitigate potential exploits of Load Value Injection (LVI) on platforms and apps using Intel SGX, with impacted system users having to install the latest Intel SGX PSW 2.7.100.2 or above for Windows and 2.9.100.2 or above for Linux.

An academic research paper with more technical information on LVI attacks is available here in PDF format and Intel's white paper can be found here.

Nasty Phishing Scam Pretends to Be Your HIV Test Results
14.3.2020  Bleepingcomputer 

A new phishing scam is pretending to be your HIV test results to make you more likely to open up a malicious Excel document and become infected.

Over the past year, phishing campaigns have been getting nastier and nastier with scammers coming up with wild stories to get you to open a malicious document or click a link.

In what could be a new low, Proofpoint researchers have found scammers sending phishing emails with malicious Excel spreadsheets that pretend to be your HIV test results from Vanderbilt University.

Fake HIV Test Results
While the scammers mess up and misspell 'Vanderbit University', unless you pay close attention you can easily miss the spelling mistake.

Attached to these emails is an attachment named TestResults.xlsb that when opened will state that your data is protected and that you need to 'Enable Content' to view the document.

Malicious Excel Spreadsheet
Once you enable content, though, malicious macros will be executed that downloads and installs the Koadic penetration test and post-exploitation toolkit.

Using Koadic, the attackers gain complete control over the infected computer and can execute any command they wish, such as downloading further malware or stealing files.

"In recent years it has been used by a variety of nation state actors, including both Chinese and Russian state-sponsored groups, as well as attackers associated with Iran," Proofpoint explained in their report.

It is important to remember that medical institutions will never send medical results via ordinary email and will instead have you log in to a secure portal to view results.

"This latest campaign serves as a reminder that health-related lures didn’t start and won’t stop with the recent Coronavirus-themed lures we observed. They are a constant tactic as attackers recognize the utility of the health-related “scare factor.” We encourage users to treat health-related emails with caution, especially those that claim to have sensitive health-related information. Sensitive health-related information is typically safely transmitted using secured messaging portals, over the phone, or in-person," Proofpoint reiterated.

It is also important to never open attachments from strangers or organizations when they were unexpected. Even if the user is familiar, it is better to confirm they sent the email with a phone call or in-person than to open a potentially malicious document.

Microsoft March 2020 Patch Tuesday Fixes 115 Vulnerabilities
14.3.2020  Bleepingcomputer  OS

Today is Microsoft's March 2020 Patch Tuesday and is always stressful for your Windows administrators, so be especially nice to them today.

With the release of the March 2020 security updates, Microsoft has released fixes for 115 vulnerabilities in Microsoft products. Of these vulnerabilities, 24 are classified as Critical, 88 as Important, and 3 as Moderate.

Users should install these security updates as soon as possible to protect Windows from known security risks.

For information about the non-security Windows updates, you can read about today's Windows 10 KB4540673 & KB4538461 cumulative updates.

The curious case of the missing CVE-2020-0796 vulnerability
Earlier today, BleepingComputer was told that Microsoft was releasing a fix for a wormable SMBv3 RCE vulnerability (CVE-2020-0796), but Microsoft never released it.

Not much information was available, but the vulnerability was very severe and felt like another EternalBlue type of vulnerability.

While Microsoft never shared any info, sites for security companies such as Fortinet and Cisco Talos did originally publish information about the vulnerability. Cisco Talos has since removed it.

"The exploitation of this vulnerability opens systems up to a "wormable" attack, which means it would be easy to move from victim to victim," Cisco Talos stated.

Unfortunately, not much other information is available other than allegedly disabling SMBv3 compression will mitigate the vulnerability and that everyone should block public access to port 445.

For more detailed information on this vulnerability and how to disable SMBv3 compression, please see our dedicated "Microsoft Leaks Info on Wormable Windows SMBv3 CVE-2020-0796 Flaw" article.

BleepingComputer has sent multiple emails to Microsoft but has not heard back yet with an official statement.

This month's interesting vulnerabilities
Stealing source code with CVE-2020-0872
The CVE-2020-0872 vulnerability titled "Remote Code Execution Vulnerability in Application Inspector" can be used by a malicious actor to try and steal the source code of files opened in Application Inspector.

"A remote code execution vulnerability exists in Application Inspector version v1.0.23 or earlier when the tool reflects example code snippets from third-party source files into its HTML output. An attacker who exploited it could send sections of the report containing code snippets to an external server.

To exploit the vulnerability, an attacker needs to convince a user to run Application Inspector on source code that includes a malicious third-party component."

More info can be found here.

Weaponized LNK files and Word documents
Two new vulnerabilities were fixed today that could allow attackers to create specially crafted .LNK files or Word documents that can perform code execution when opened.

The first vulnerability is CVE-2020-0684 and is titled "LNK Remote Code Execution Vulnerability" and allows an attacker to create malicious LNK files that can perform code execution. If we see a large spam campaign using .LNK files in the near future, we know someone came up with a PoC.

The second vulnerability is CVE-2020-0852 and is titled "Microsoft Word Remote Code Execution Vulnerability". This vulnerability would allow an attacker to create malicious Word documents that perform code execution simply by opening them.

Even worse, this vulnerability works in Outlook's preview pane.

The March 2020 Patch Tuesday Security Updates
Below is the full list of resolved vulnerabilities and released advisories in the March 2020 Patch Tuesday updates. To access the full description of each vulnerability and the systems that it affects, you can view the full report here.

Tag CVE ID CVE Title Severity
Azure CVE-2020-0902 Service Fabric Elevation of Privilege Important
Azure DevOps CVE-2020-0758 Azure DevOps Server and Team Foundation Services Elevation of Privilege Vulnerability Important
Azure DevOps CVE-2020-0815 Azure DevOps Server and Team Foundation Services Elevation of Privilege Vulnerability Important
Azure DevOps CVE-2020-0700 Azure DevOps Server Cross-site Scripting Vulnerability Important
Internet Explorer CVE-2020-0824 Internet Explorer Memory Corruption Vulnerability Critical
Microsoft Browsers CVE-2020-0768 Scripting Engine Memory Corruption Vulnerability Critical
Microsoft Dynamics CVE-2020-0905 Dynamics Business Central Remote Code Execution Vulnerability Critical
Microsoft Edge CVE-2020-0816 Microsoft Edge Memory Corruption Vulnerability Critical
Microsoft Exchange Server CVE-2020-0903 Microsoft Exchange Server Spoofing Vulnerability Important
Microsoft Graphics Component CVE-2020-0774 Windows GDI Information Disclosure Vulnerability Important
Microsoft Graphics Component CVE-2020-0788 Win32k Elevation of Privilege Vulnerability Important
Microsoft Graphics Component CVE-2020-0791 Windows Graphics Component Elevation of Privilege Vulnerability Important
Microsoft Graphics Component CVE-2020-0690 DirectX Elevation of Privilege Vulnerability Important
Microsoft Graphics Component CVE-2020-0853 Windows Imaging Component Information Disclosure Vulnerability Important
Microsoft Graphics Component CVE-2020-0877 Win32k Elevation of Privilege Vulnerability Important
Microsoft Graphics Component CVE-2020-0882 Windows GDI Information Disclosure Vulnerability Important
Microsoft Graphics Component CVE-2020-0883 GDI+ Remote Code Execution Vulnerability Critical
Microsoft Graphics Component CVE-2020-0881 GDI+ Remote Code Execution Vulnerability Critical
Microsoft Graphics Component CVE-2020-0880 Windows GDI Information Disclosure Vulnerability Important
Microsoft Graphics Component CVE-2020-0887 Win32k Elevation of Privilege Vulnerability Important
Microsoft Graphics Component CVE-2020-0898 Windows Graphics Component Elevation of Privilege Vulnerability Important
Microsoft Graphics Component CVE-2020-0885 Windows Graphics Component Information Disclosure Vulnerability Important
Microsoft Office CVE-2020-0850 Microsoft Word Remote Code Execution Vulnerability Important
Microsoft Office CVE-2020-0852 Microsoft Word Remote Code Execution Vulnerability Critical
Microsoft Office CVE-2020-0892 Microsoft Word Remote Code Execution Vulnerability Important
Microsoft Office CVE-2020-0851 Microsoft Word Remote Code Execution Vulnerability Important
Microsoft Office CVE-2020-0855 Microsoft Word Remote Code Execution Vulnerability Important
Microsoft Office SharePoint CVE-2020-0795 Microsoft SharePoint Reflective XSS Vulnerability Important
Microsoft Office SharePoint CVE-2020-0891 Microsoft SharePoint Reflective XSS Vulnerability Important
Microsoft Office SharePoint CVE-2020-0893 Microsoft Office SharePoint XSS Vulnerability Important
Microsoft Office SharePoint CVE-2020-0894 Microsoft Office SharePoint XSS Vulnerability Important
Microsoft Scripting Engine CVE-2020-0830 Scripting Engine Memory Corruption Vulnerability Critical
Microsoft Scripting Engine CVE-2020-0829 Scripting Engine Memory Corruption Vulnerability Critical
Microsoft Scripting Engine CVE-2020-0813 Scripting Engine Information Disclosure Vulnerability Important
Microsoft Scripting Engine CVE-2020-0826 Scripting Engine Memory Corruption Vulnerability Critical
Microsoft Scripting Engine CVE-2020-0827 Scripting Engine Memory Corruption Vulnerability Critical
Microsoft Scripting Engine CVE-2020-0825 Scripting Engine Memory Corruption Vulnerability Critical
Microsoft Scripting Engine CVE-2020-0831 Scripting Engine Memory Corruption Vulnerability Critical
Microsoft Scripting Engine CVE-2020-0847 VBScript Remote Code Execution Vulnerability Moderate
Microsoft Scripting Engine CVE-2020-0811 Chakra Scripting Engine Memory Corruption Vulnerability Critical
Microsoft Scripting Engine CVE-2020-0828 Scripting Engine Memory Corruption Vulnerability Critical
Microsoft Scripting Engine CVE-2020-0848 Scripting Engine Memory Corruption Vulnerability Critical
Microsoft Scripting Engine CVE-2020-0823 Scripting Engine Memory Corruption Vulnerability Critical
Microsoft Scripting Engine CVE-2020-0832 Scripting Engine Memory Corruption Vulnerability Moderate
Microsoft Scripting Engine CVE-2020-0812 Chakra Scripting Engine Memory Corruption Vulnerability Critical
Microsoft Scripting Engine CVE-2020-0833 Scripting Engine Memory Corruption Vulnerability Critical
Microsoft Windows CVE-2020-0897 Windows Work Folder Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0896 Windows Hard Link Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0871 Windows Network Connections Service Information Disclosure Vulnerability Important
Microsoft Windows CVE-2020-0874 Windows GDI Information Disclosure Vulnerability Important
Microsoft Windows CVE-2020-0876 Win32k Information Disclosure Vulnerability Important
Microsoft Windows CVE-2020-0775 Windows Error Reporting Information Disclosure Vulnerability Important
Microsoft Windows CVE-2020-0879 Windows GDI Information Disclosure Vulnerability Important
Microsoft Windows CVE-2020-0793 Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0776 Windows Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0869 Media Foundation Memory Corruption Vulnerability Critical
Microsoft Windows CVE-2020-0861 Windows Network Driver Interface Specification (NDIS) Information Disclosure Vulnerability Important
Microsoft Windows CVE-2020-0863 Connected User Experiences and Telemetry Service Information Disclosure Vulnerability Important
Microsoft Windows CVE-2020-0860 Windows ActiveX Installer Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0857 Windows Search Indexer Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0858 Windows Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0865 Windows Work Folder Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0866 Windows Work Folder Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0864 Windows Work Folder Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0820 Media Foundation Information Disclosure Vulnerability Important
Microsoft Windows CVE-2020-0819 Windows Device Setup Manager Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0804 Windows Network Connections Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0779 Windows Installer Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0802 Windows Network Connections Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0803 Windows Network Connections Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0778 Windows Network Connections Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0809 Media Foundation Memory Corruption Vulnerability Critical
Microsoft Windows CVE-2020-0810 Diagnostic Hub Standard Collector Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0807 Media Foundation Memory Corruption Vulnerability Critical
Microsoft Windows CVE-2020-0808 Provisioning Runtime Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0797 Windows Work Folder Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0785 Windows User Profile Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0786 Windows Tile Object Service Denial of Service Vulnerability Important
Microsoft Windows CVE-2020-0787 Windows Background Intelligent Transfer Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0783 Windows UPnP Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0800 Windows Work Folder Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0801 Media Foundation Memory Corruption Vulnerability Critical
Microsoft Windows CVE-2020-0781 Windows UPnP Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0780 Windows Network List Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0777 Windows Work Folder Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0772 Windows Error Reporting Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0849 Windows Hard Link Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0845 Windows Network Connections Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0684 LNK Remote Code Execution Vulnerability Critical
Microsoft Windows CVE-2020-0769 Windows CSC Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0771 Windows CSC Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0841 Windows Hard Link Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0840 Windows Hard Link Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0806 Windows Error Reporting Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0843 Windows Installer Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0844 Connected User Experiences and Telemetry Service Elevation of Privilege Vulnerability Important
Microsoft Windows CVE-2020-0842 Windows Installer Elevation of Privilege Vulnerability Important
Open Source Software CVE-2020-0872 Remote Code Execution Vulnerability in Application Inspector Important
Other CVE-2020-0765 Remote Desktop Connection Manager Information Disclosure Vulnerability Moderate
Visual Studio CVE-2020-0789 Visual Studio Extension Installer Service Denial of Service Vulnerability Important
Visual Studio CVE-2020-0884 Microsoft Visual Studio Spoofing Vulnerability Important
Windows Defender CVE-2020-0763 Windows Defender Security Center Elevation of Privilege Vulnerability Important
Windows Defender CVE-2020-0762 Windows Defender Security Center Elevation of Privilege Vulnerability Important
Windows Diagnostic Hub CVE-2020-0854 Windows Mobile Device Management Diagnostics Elevation of Privilege Vulnerability Important
Windows IIS CVE-2020-0645 Microsoft IIS Server Tampering Vulnerability Important
Windows Installer CVE-2020-0814 Windows Installer Elevation of Privilege Vulnerability Important
Windows Installer CVE-2020-0773 Windows ActiveX Installer Service Elevation of Privilege Vulnerability Important
Windows Installer CVE-2020-0770 Windows ActiveX Installer Service Elevation of Privilege Vulnerability Important
Windows Installer CVE-2020-0822 Windows Language Pack Installer Elevation of Privilege Vulnerability Important
Windows Installer CVE-2020-0859 Windows Modules Installer Service Information Disclosure Vulnerability Important
Windows Installer CVE-2020-0868 Windows Update Orchestrator Service Elevation of Privilege Vulnerability Important
Windows Installer CVE-2020-0798 Windows Installer Elevation of Privilege Vulnerability Important
Windows Installer CVE-2020-0867 Windows Update Orchestrator Service Elevation of Privilege Vulnerability Important
Windows Kernel CVE-2020-0834 Windows ALPC Elevation of Privilege Vulnerability Important
Windows Kernel CVE-2020-0799 Windows Kernel Elevation of Privilege Vulnerability Important
Update 3/10/20: Fixed incorrect title

Microsoft Leaks Info on Wormable Windows SMBv3 CVE-2020-0796 Flaw
14.3.2020  Bleepingcomputer  OS

Microsoft leaked info on a security update for a 'wormable' pre-auth remote code execution vulnerability found in the Server Message Block 3.0 (SMBv3) network communication protocol that reportedly should have been disclosed as part of this month's Patch Tuesday.

The vulnerability is due to an error when the SMBv3 handles maliciously crafted compressed data packets and it allows remote, unauthenticated attackers that exploit it to execute arbitrary code within the context of the application.

Even though the vulnerability advisory was not published by Microsoft (no explanation for this was released by Redmond so far), a number of security vendors part of Microsoft Active Protections Program who get early access to vulnerability information did release details on the security flaw tracked as CVE-2020-0796.

MalwareHunterTeam
@malwrhunterteam
CVE-2020-0796 - a "wormable" SMBv3 vulnerability.
Great...
😂

1,486
7:01 PM - Mar 10, 2020
Twitter Ads info and privacy
990 people are talking about this
Desktop and server Windows 10 versions impacted
Devices running Windows 10 Version 1903, Windows Server Version 1903 (Server Core installation), Windows 10 Version 1909, and Windows Server Version 1909 (Server Core installation) are impacted by this vulnerability according to a Fortinet advisory, although more versions should be affected given that SMBv3 was introduced in Windows 8 and Windows Server 2012.

"An attacker could exploit this bug by sending a specially crafted packet to the target SMBv3 server, which the victim needs to be connected to," Cisco Talos explained in their Microsoft Patch Tuesday report — this was later removed by the Talos security experts.

"The exploitation of this vulnerability opens systems up to a 'wormable' attack, which means it would be easy to move from victim to victim," they also added.

Fortinet says that upon successful exploitation, CVE-2020-0796 could allow remote attackers to take full control of vulnerable systems.

Due to Microsoft's secrecy, people are coming up with their own theories regarding the malware and its severity, some comparing it to EternalBlue, NotPetya, WannaCry, or MS17-010 (1, 2).

Others have already started coming up with names for the vulnerability such as SMBGhost, DeepBlue 3: Redmond Drift, Bluesday, CoronaBlue, and NexternalBlue.

Available CVE-2020-0796 mitigations
Until Microsoft will release a security update designed to patch the CVE-2020-0796 RCE vulnerability, Cisco Talos shared that disabling SMBv3 compression and blocking the 445 TCP port on client computers and firewalls should block attacks attempting to exploit the flaw.

While no proof-of-concept exploits have been released yet for this wormable SMBv3 RCE, we recommend implementing the mitigation measures shared by Cisco Talos until Microsoft will release an out-of-cycle security update to fix it seeing that almost all the info is out anyway.

BleepingComputer has reached out to Microsoft for more details but had not heard back at the time of this publication.

Brian in Pittsburgh
@arekfurt
If you're Microsoft you basically have little choice now but to release the patch for 2020-0796 out-of-cycle as soon as it meets quality standards, right? There's too much info out there to just hope somebody won't find it before April.

Fun times for sysadmins everywhere.

7
8:49 PM - Mar 10, 2020
Twitter Ads info and privacy
See Brian in Pittsburgh's other Tweets
Update: Microsoft published a security advisory with details on how to disable SMBv3 compression to protect servers against exploitation attempts.

You can disable compression on SMBv3 servers with this PowerShell command (no reboot required, does not prevent the exploitation of SMB clients):

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

What steps can I take to protect my network?

1. Block TCP port 445 at the enterprise perimeter firewall

TCP port 445 is used to initiate a connection with the affected component. Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. This can help protect networks from attacks that originate outside the enterprise perimeter. Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks. However, systems could still be vulnerable to attacks from within their enterprise perimeter.

2. Follow Microsoft guidelines to prevent SMB traffic leaving the corporate environment

Guidelines for blocking specific firewall ports to prevent SMB traffic from leaving the corporate environment

Entercom Radio Giant Says Data Breach Exposed User Credentials
14.3.2020  Bleepingcomputer  Incindent

US radio giant Entercom reported a data breach that took place in August 2019 after an unauthorized party was able to access database backup files stored third-party cloud hosting services and containing Radio.com user credentials.

Entercom's national network is comprised of more than 235 radio stations broadcasting news, sports, and music across the country and live the Radio.com online live streaming service to over 170 million people each month.

"As one of the country’s two largest radio broadcasters, Entercom offers integrated marketing solutions and delivers the power of local connection on a national scale with coverage of close to 90% of persons 12+ in the top 50 markets," the company says.

Data breach exposes Radio.com users' credentials
Entercom says in a notice of data breach sent to affected customers and filed with California's Office of the Attorney General that the data breach was detected while investigating a cyberattack that took place in September 2019.

"As part of our investigation into that attack, we became aware of unauthorized activity relating to third-party cloud hosting services, which we use to store information relating to Radio.com users," Entercom explains.

"Specifically, our investigation determined that for approximately three (3) hours on August 4, 2019, an unauthorized actor accessed information relating to Radio.com users contained in database backup files."

The company discovered that an unauthorized actor was able to access the protected personal information of an undisclosed number of Radio.com users.

During the investigation conducted with the help of third-party data privacy and computer forensics specialists, Entercom discovered that the attacker was able to gain access to the names, usernames, and passwords of the impacted Radio.com users.

We sincerely regret any inconvenience this incident may cause you. We remain committed to safeguarding the information in our care and will continue to take steps to ensure the security of our systems. - Radio.com Customer Support Team

Following the data breach, the radio giant implemented several measures designed to prevent similar incidents in the future, including but not limited to passwords rotations, cloud services multifactor authentication and stronger password policies, and staff data security training.

Entercom also urges users who received the data breach notification letters to change their passwords for Radio.com accounts and for any other accounts where the same password was used.

This suggests that the credentials accessed during the data breach were stored in plain text, something BleepingComputer tried to confirm by reaching out to an Entercom spokesperson but did not hear back at the time of publication.

Previous attacks targeting Entercom
This is the third time in the last year that Entercom was targeted in a security incident. Last September, a cyberattack that had all the signs of a ransomware attack affected all Entercom offices across the country.

At the time, online reports said that the attackers asked for a $500,000 ransom and the attack led to the disruption of telephone and email communication, music scheduling, production, billing, and various other internal digital systems.

In response to a media inquiry, Entercom said that they are "experiencing a disruption of some IT systems, including email." However, an internal memo explaining what was happening to employees also prohibited them from sharing any of the information outside the company.

Just before Christmas eve, in December 2019, Entercom suffered a second cyberattack that led to Internet connectivity problems disabling email communication, access to files, and content to the radio network digital platforms.