Search This Blog

Showing posts with label SMB. Show all posts

SLP Vulnerability Exposes Devices to Powerful DDoS Attacks

Security researchers have recently discovered a new vulnerability that has the potential to launch devastating Distributed Denial of Service (DDoS) attacks. The Server Message Block (SMB) protocol, which is widely used in various devices and systems, including Windows machines and some network-attached storage devices, contains the SLP vulnerability. Attackers can exploit this vulnerability to send specially crafted SMB packets that force the target device to allocate excessive memory or processing power to the request, ultimately causing a crash or downtime.

The SLP vulnerability is particularly dangerous because it enables attackers to amplify the impact of their DDoS attacks by up to 2200 times more than previous methods. This increased power can overwhelm the target’s defenses and cause lasting damage. Unfortunately, there is no straightforward solution for this vulnerability as it is deeply embedded in the SMB protocol and affects various devices and systems. However, organizations can take some steps to mitigate the risk of attack, such as implementing access controls, and firewalls, and monitoring their networks for any suspicious SMB activity.

The discovery of the SLP vulnerability highlights the need for robust cybersecurity measures and constant vigilance against evolving threats. As attackers develop new tactics and exploit new vulnerabilities, organizations must stay ahead of the curve and protect their networks and systems from harm.

The SLP vulnerability is a significant concern for organizations that use SMB protocol, as it exposes them to potential DDoS attacks. The impact of these attacks can be devastating and long-lasting, highlighting the need for constant vigilance and strong cybersecurity measures. Organizations must take proactive steps to monitor their networks, implement access controls, and limit the exposure of SMB services to the internet to mitigate the attack risk. The discovery of the SLP vulnerability underscores the critical importance of staying ahead of the curve in cybersecurity and constantly adapting to new threats.

Ransomware Attacks on the Small and Medium Businesses are on the Rise


The risk of being victimised by ransomware has grown over time. The frequency and sophistication of these attacks, which affects every industry, have both steadily increased. Additionally, when these attacks become more well-known among businesses, they search for fresh defenses against them. 

61 percent of all cyberattacks targeted small firms, according to a survey by Checkpoint. The report also notes that few small and medium-sized enterprises (SMBs) are aware that they are vulnerable to these internet risks just like the larger corporations. SMEs may strengthen their internet security by using the three steps Checkpoint has provided. 

Maintain IT equipment, and make routine repairs

Keeping your systems updated with the most recent software and security updates can prove to be extremely beneficial when it comes to safeguarding your organisation against any cyber-attacks. 

According to a recent report, 80% of all BYODs (bring your own devices) at a firm are not monitored, which presents a chance for hackers to exploit these unattended systems. Updates for tablets, smartphones, laptops, and PCs used for office work should be installed as soon as they are made available. This is one of the most crucial steps you can take to increase security. By ensuring that their operating systems, software, phones, and apps are set to update automatically, users can also prevent gaps in their security posture. 

Monitor the usage of hard drives and USB sticks

For at least part of the week, 40% of SMB employees must work remotely. The security of these gadgets must be controlled properly at all times, and that is the top responsibility of the company. Using an external USB drive or memory stick, workers frequently transfer files between teams or to different businesses.

The fact that one unsecured device is all it takes to compromise an entire network should not be overlooked. It is exceedingly challenging to trace the files that are stored on storage devices because they are shared publicly. The likelihood of a breach can be decreased by using endpoint protection measures, restricting access to physical ports, and only permitting the use of authorised sticks or memory cards. 

Avoid backing up data on the main server 

If you keep all of your company's data on the same server, there is a potential that a hacker may access it all in the event of an assault. Organizations should determine the critical information that is necessary for their operations and establish an entirely separate, off-site network backup. Employees will be able to access crucial files, allowing them to carry on with daily operations, and this will assist the company in recovering from a ransomware assault. 

Emails are Vulnerable to Cyber Threat

Small businesses and organizations of various sizes worldwide rushed to upload patches and assess what had been compromised. Hacks expose the vulnerability of the 32 million small businesses, which are largely unable to afford to work with cybersecurity firms and also who primarily rely on built-in security measures of software and hardware providers.

As per Iram, a former Israeli intelligence officer, large tech firms can improve their systems prior to being released in order to block hackers before they impact small and medium-sized firms. He adds that cybercrime reduced each time major software companies modified default settings or other general updates with cybersecurity in mind.

According to market research company Gartner, Microsoft has more than 86% of the enterprise e - mails processing market whereas Google has just under 13%.

Challenges with email 

The notion that several components of today's technological stack were created before cybercriminals became a concern is the root of many of its problems. Big firms that predominate the industry typically have still not added security as a default feature to basic software, leaving it to the cybersecurity market to do so. This has led to explosive growth in a new category of companies.

Microsoft Defender for Office 365 finds and stops thousands of user compromise actions each month in addition to nearly 40 million emails with Business Email Compromise, or BEC, and 100 million emails with harmful credential phishing links.

Some cybersecurity enterprises with a focus on the small business sector have launched in the last three to five years, such as Huntress and SolCyber. Even the slightest flaws in one organization, in a highly networked society, can spread to another. An NPR investigation into the significant Microsoft Exchange data breach came to the conclusion that Chinese hackers were targeting American businesses in an effort to collect consumer data on Americans for an unidentified reason.

The American government has so far adopted a conservative stance; a representative for the U.S. Cybersecurity Infrastructure Agency claimed that the agency does not regulate software for small businesses.

Performance Hit Experienced By File Copying Due to Windows 11 22H2


According to reports, Microsoft began rolling out Windows 11 version 22H2 last month, just a few months after announcing it. The experience has not been completely smooth as one might think. 

"22H2 has a performance problem when copying large files from a remote computer to a Windows 11 computer or when copying files on a local drive," explains Ned Pyle, Principal Program Manager at Windows Server engineering.

There have been several reports of users reporting that the update failed with an error code of "0x800f0806". Interestingly enough, one of our Neowin members was able to figure out a workaround for this problem. There are also the usual suspects, like printer problems as a result of a revised printer policy that leads to printers not being detected after the 2022 Update, which can result in a lot of frustration. 

There was another related issue that caused Microsoft to block the whole update on affected devices due to this problem. Afterward, Microsoft issued a warning to IT admins on the issue, stating that provisioning for Windows 11 22H2 is currently broken, as it discovered the existence of this issue.

Additionally, the Redmond-based firm revisited another problem that was resulting in the massive slow-down in the speed at which large files could be copied remotely on 22H2 systems as a result of a power failure. 

There have been reports that speeds are around 40% lower than expected, according to the company. Although users are experiencing more performance issues than before, the situation seems to be getting increasingly problematic.

Earlier this week, Microsoft released KB5017389 preview cumulative update for Windows operating systems. This update included the fixes for this issue as well as a free trial of the update for those who have not yet downloaded it. The support document provides more information regarding this issue and also offers a free trial of the release.

It might take longer than expected for Windows 11 version 22H2 to copy large files with multiple gigabytes (GB) to complete the task as previously thought.

Despite the newly acknowledged issue, Microsoft added that Windows devices that are used in small or personal networks are less likely to be affected by it than those used for business networks.

A workaround is available for this issue, it has also been reported that Microsoft has shared a workaround for customers who are affected by the known issue after updating their devices to Windows 11 22H2.

There are several ways in which impacted users can mitigate the performance hit of file copying over SMB by using file copy tools that do not use a cache manager (buffered I/O) such as any of the freeware applications available on the Internet.

To resolve this issue, Microsoft is currently investigating and working on a solution to address it. As part of a future release, the issue will be addressed in a more detailed way, and this will be included in a more detailed update. 

It has been more than two years since Microsoft released Windows 11 22H2, and they have now added compatibility holds to make sure the upgrade is no longer available on some systems, due to printer problems or blue screens.

As part of this week's announcement, Microsoft confirmed that the Windows 11 2022 Update is also causing provisioning issues, which is causing Windows 11 endpoints to be partially configured and not complete the installation process. 

After entering a new deployment phase on Tuesday, October 4, Windows 11 22H2 is now available to all seekers on qualifying devices, and it has been installed on some of the devices already.

Users of Intuit QuickBooks Targeted in Phishing Scams


Intuit, a financial software business based in the US, has issued a warning to its clients about a new QuickBooks phishing effort. The current phishing campaign, which is the company's fifth big security threat this year, involves deceiving consumers into believing one‘s account has been suspended. 

"We're writing to advise you that we were unable to confirm certain information on your account after performing an assessment of your company. As a result, we've placed a temporary hold on your account." The phishing message goes as follows: "If you believe we've made a mistake, please let us know as soon as possible so we can correct it. Please fill out the verification form below to assist us with effectively revisiting your account. We will re-evaluate your account within 24-48 hours after verification is finished." 

Malicious material within the bogus Intuit support team message would send the target to a phishing website where criminals may steal personal data or install malware on infected devices if they clicked the "Complete Verification" button. The sender "is not linked with Intuit, is not an authorized agent of Intuit, nor is their use of Intuit's logos permitted by Intuit," according to the accounting software Intuit. Customers are advised not to open these phishing messages.

Small and medium-sized businesses (SMBs) all over the world utilize Intuit's QuickBooks software. According to the company's website, there are 4.5 million users globally. This year, cyber attackers have targeted the company's vast user base, particularly around tax season in the United States, when the corporation was compelled to release two separate security advisories in as many days in February. 

The email in both phishing scams pretended to be an account inactivity warning, suggesting that the user's account had been disabled due to inactivity. Victims were sent links to a bogus Intuit website, which could have been used to steal account information. 

It also advises consumers to delete the communications from email inboxes to avoid personal data being stolen and a possible malware infection. Customers who opened the email clicked a link, or downloaded a possibly harmful attachment should take the following precautions: 
  • Delete the downloaded attachment right away. 
  • Passwords should be changed regularly. 
  • Run a complete scan on the machine that may have been hacked. 
  • Intuit also offers a comprehensive list of security advice that can assist customers in avoiding common cyberattacks such as phishing emails, customer service scams, and identity theft.

Indexsinas SMB Worm Attacks Vulnerable Environments


The  Indexsinas SMB worm is aiming for susceptible situations in which scientists cautioned – focusing on healthcare, hospitality, education, and the telecommunications industries. Its ultimate objective is to reduce crypto miners on hacked PCs. 

Since 2019, Indexsinas, aka NSABuffMiner, has been lurked. It uses the old weapon arsenal Equation Group, along with EternalBlue and EternalRomance, to invade Windows SMB shares and DoublePulsar backdoor. Indexsinas is using lateral mobility to assimilate specific environments aggressively. 

“Propagation is achieved through the combination of an open-source port scanner and three Equation Group exploits – EternalBlue, DoublePulsar, and EternalRomance,” as per a Guardicore Labs analysis 

Since 2019, Indexsinas has deployed a broad infrastructure consisting of over 1,300 devices operating as sources of attack, and every device is accountable for only certain cases of attack (most likely hacked systems, Guardicore observed, particularly in India, the USA, and Vietnam). To date, almost 2,000 different attacks have been reported in Guardicore's telemetry. 

The shroud of attacks to find out more about cyber attackers behind Indexsinas is quite difficult to breach. 

“The Indexsinas attackers are careful and calculated,” according to the firm. “The campaign has been running for years with the same command-and-control domain, hosted in South Korea. The [command-and-control] C2 server is highly protected, patched, and exposes no redundant ports to the internet. The attackers use a private mining pool for their crypto mining operations, which prevents anyone from accessing their wallets’ statistics.” 

According to Guardicore Labs, the attack commences when a machine is infringed using the NSA's tools. These attacks run code in the kernel of the victim and can inject payloads to user mode utilizing asynchronous procedure calls (APCs). 

Researchers noted, “Indexsinas uses the exploits to inject code to either explorer.exe or lsass.exe. The injected payloads – EternalBlue.dll for 32-bit and DoublePulsar.dll for 64-bit – download three executable files from the main C2 server.”

It has been reported that there is a whole reversed DLL file in the file downloads which is a Portable Executable file, a version of a Gh0stCringe remote access tool (RAT). 

The first one installs the RAT, while the second provides a key feature for C2 commands and reporting machine information, including computer name, malware group ID, date of installation, and technical specs of CPUs. 

The files iexplore.exe and services.exe meanwhile install two services utilizing the tool which impersonates the Windows svchost.exe function. The first service has to drop the crypto miner, whereas the second just runs the crypto miner module. 

c64.exe, which in turn dumps two files is yet another payload downloaded as part of the initial stage. One is the executable ctfmon.exe — the propagation tool. 

“Ctfmon.exe is responsible for finding potential victims and exploiting them using Equation Group’s tools – and it does that extremely thoroughly,” researchers said. “It uses exploits for both 32-bit and 64-bit machines and scans both RPC (TCP 139) and SMB (TCP 445) ports. Moreover, it tries to move laterally within the organizational network as well as spread across the internet.” 

A timetabled task performs a batch script that installs a service. The service launches a second batch script that scans and uses the port. 

The batch scripts in these flows also uninstall the services of competitors, end their operations and erase their files. 

“It is crucial that network administrators, IT teams, and security personnel be able to easily identify assets and the services they run,” they explained. “Specifically, it should be easy to spot internet-facing servers, SMB included. With visibility in place, network admins would want to limit the access from and to different assets and the network services they expose.” 

Corporate functions and production activities, for example, should be separated. Policy rules can also be applied that secure SMB servers of an organization, such as the interdiction of internet access via SMB or only permit specified IP addresses to access the firm's internet fileserver. This can help in prevention against Indexsinas Worm Infections.

New Worm Capabilities Targets Windows Machines


A malware that has verifiably targeted exposed Windows machines through phishing and exploit kits have been retooled to add new "worm" capabilities. Purple Fox, which originally showed up in 2018, is an active malware campaign that as of, not long ago required user interaction or some kind of third-party tool to infect Windows machines. However, the assailants behind the campaign have now upped their game and added new functionality that can force its way into victims' systems on its own, as indicated by new Tuesday research from Guardicore Labs.

“Guardicore Labs have identified a new infection vector of this malware where internet-facing Windows machines are being breached through SMB password brute force,” Guardicore Labs Amit Serper said. In addition to these new worm abilities, Purple Fox malware now additionally incorporates a rootkit that permits the threat actors to conceal the malware on the machine and make it hard to distinguish and eliminate, he said. 

Researchers examined Purple Fox's most recent activity and discovered two huge changes to how assailants are spreading malware on Windows machines. The first is that the new worm payload executes after a victim machine is undermined through a weak exposed service. Purple Fox additionally is utilizing a past strategy to contaminate machines with malware through a phishing effort, sending the payload by means of email to exploit a browser vulnerability, researchers observed. When the worm infects a victim's machine, it creates a new service to establish persistence and execute a simple command that can iterate through a number of URLs that include the MSI for installing Purple Fox on a compromised machine, said Serper. 

“msiexec will be executed with the /i flag, in order to download and install the malicious MSI package from one of the hosts in the statement,” he explained. “It will also be executed with the /Q flag for ‘quiet’ execution, meaning, no user interaction will be required.”

Gadgets caught in this botnet incorporate Windows Server machines running IIS form 7.5 and Microsoft FTP, and servers running Microsoft RPC, Microsoft Server SQL Server 2008 R2, and Microsoft HTTPAPI httpd 2.0, and Microsoft Terminal Service.

The Blue Mockingbird Malware Group Exploits Vulnerabilities in Organizations' Networks

Another notorious crypto-currency mining malware has surfaced which allegedly has been infecting the systems of countless organizations. The group with the control of operations goes by the code name of “Blue Mockingbird”.

The researchers who discovered it have reasons to believe that the Blue Mockingbird has been active since 2019’s last month. Per them, it also targets “public-facing servers” that run “ASP.NET” apps that use the “Telerik framework” for their User Interface (UI) aspect.

Reportedly, the vulnerability that the hackers exploit in the process is the “CVE-2019-18395” vulnerability which is then employed to embed a web shell on the target’s server. Per the same report, later on they employ a version of “the Juicy Potato technique” to obtain the admin-access and alter the server settings to get access to the “(re)boot persistence”.

After having obtained complete access to a system, sources mention, the malware group installs a version of XMRRig which is a famous crypto-currency mining application particularly for the “Monero (XMR)” crypto-currency.

As per reports, if the public-facing IIS servers are linked with a company’s internal network, the malware group has a probability of trying to expand internally through an improperly-secured Server Message Block (SMB) connections or Remote Desktop Protocol ((RDP).

The exact number of infections that the botnet has caused isn’t all too clear but if an estimate was to be made the operations include 1,000 infections at the least. There also doesn’t seem to be a way to find the intensity of the threat.

Not many organizations out of the ones that were being observed by the researchers have been hit with this particular threat. And over a really little amount of time that they were tracked the above-mentioned number of infections surfaced.

Nevertheless, all companies alike are susceptible to this attack, even the ones that think they are safe and the number of infections could be more than estimated.

As per sources, the Telerik UI component which is allegedly vulnerable is a part of ASP.NET applications that run on their latest versions, even then the Telerik component may have versions that are out-dated but harmful to organizations, nonetheless. This component could exist in the applications used by a company and they might not even know about it leaving them endangered.

The Telerik UI CVE-2019-18935 vulnerability, per reports, has been widely let known as the one that is employed to embed web shells on servers. Another mentioned that this vulnerability is the most exploited and organizations need to better their firewalls to fight it. If for some reason the organizations don’t happen to have a web firewall they could always look for warning precursors in the server and workstation, reports cite.