STE WILLIAMS

Feds shut down bogus COVID-19 vaccine site

A free coronavirus vaccine from the World Health Organization (WHO), for only $4.95 to cover shipping costs?!?

Nah, we didn’t think so, either. On Sunday, the US Department of Justice (DOJ) announced that it shut down what it called a wire fraud scheme being carried out by the operators of a site in order to squeeze profit from the confusion and widespread fear surrounding COVID-19 – by promising to ship coronavirus vaccine kits that don’t actually exist.

Let us state the obvious, or, rather, quote the DOJ’s statement as it states the obvious:

There are currently no legitimate COVID-19 vaccines and the WHO is not distributing any such vaccine.

The site – now offline but available as an exhibit attached to the DOJ’s civil complaint – was offering consumers access to WHO vaccine kits in exchange for a shipping charge of $4.95, which consumers would pay by entering their credit card information on the website.

Per DOJ request, US District Judge Robert Pitman issued a temporary restraining order requiring that the registrar of the scam site – listed as NameCheap in its Whois Record – immediately take action to block public access to it.

The DOJ says that this is its first enforcement action taken against COVID-19 fraud. Dollars to donuts says it won’t be the last, given that we’ve seen plenty of cyberscum trying to make money off of people’s misery and uncertainty.

Coronavirus-themed cybercrime

We’ve seen:

  • Android malware that uses COVID-19 for a combination of sextortion and ransomware.
  • A phishing scam hiding behind the mask of the WHO to offer coronavirus “safety measures” and to steal your credentials.
  • A disinformation campaign carried out via SMS, email and social media that lied about a national quarantine of the US being imminent. The campaign coincided with a distributed denial of service (DDoS) attack on the place where people in the US go to get their health news: the US Department of Health and Human Services (HHS).

The DOJ says it’s still investigating the site, coronavirusmedicalkit.com. As of Sunday, investigators didn’t know who its operators are. The tech contact for the site is listed on the WhoIs registry as WhoIsGuard Protected, with an address in Panama and an IP address coming out of Lansing, Michigan, though who knows where its server is really hosted. It’s easy to obscure an IP address location through techniques such as using a virtual private network or Tor, for example.

What to do

The DOJ has the following slew of precautionary measures to take in order to keep from getting snared in any of the emerging COVID-19 scams. If they sound exactly like the general tips for staying safe online that we pass out all the time, that’s for a good reason: the crooks are always out there trying to scam us, and the pandemic is the most recent attention grabber that they’re hoping to use to exploit us, catching us when we’re feeling panicky and unsure of what to do.

Do what you normally do to stay safe online, in other words. Just beware that there’s a new angle the crooks are trying to leverage to get your attention, your financial details, your personally identifiable information (PII) and whatever else they can swipe. To stay safe, make sure to take these steps:

  • Independently verify the identity of any company, charity, or individual that contacts you regarding COVID-19.
  • Check the websites and email addresses offering information, products, or services related to COVID-19. Be aware that scammers often employ addresses that differ only slightly from those belonging to the entities they are impersonating. For example, they might use “cdc.com” or “cdc.org” instead of “cdc.gov.”
  • Be wary of unsolicited emails offering information, supplies, or treatment for COVID-19 or requesting your personal information for medical purposes. Legitimate health authorities will not contact the general public this way.
  • Do not click on links or open email attachments from unknown or unverified sources. Doing so could download a virus onto your computer or device.
  • Make sure the anti-malware and anti-virus software on your computer is operating and up to date.
  • Ignore offers for a COVID-19 vaccine, cure or treatment. Remember, if a vaccine becomes available, you won’t hear about it for the first time through an email, online ad, or unsolicited sales pitch.
  • Check online reviews of any company offering COVID-19 products or supplies. Avoid companies whose customers have complained about not receiving items.
  • Research any charities or crowdfunding sites soliciting donations in connection with COVID-19 before giving any donation. Remember, an organization may not be legitimate even if it uses words like “CDC” or “government” in its name or has reputable looking seals or logos on its materials. For online resources on donating wisely, visit the Federal Trade Commission (FTC) website.
  • Be wary of any business, charity, or individual requesting payments or donations in cash, by wire transfer, gift card, or through the mail. Don’t send money through any of these channels.
  • Be cautious of “investment opportunities” tied to COVID-19, especially those based on claims that a small company’s products or services can help stop the virus. If you decide to invest, carefully research the investment beforehand. For information on how to avoid investment fraud, visit the U.S. Securities and Exchange Commission (SEC) website.

For the most up-to-date information on COVID-19, visit the Centers for Disease Control and Prevention (CDC) and WHO websites.

The DOJ is urging people in the US to report suspected fraud schemes related to COVID-19 by calling the National Center for Disaster Fraud (NCDF) hotline (1-866-720-5721) or by emailing the NCDF at [email protected].

In the UK, contact Action Fraud. Also, bear in mind that the UK has seen a motley collection of pandemic-related scams, including sales of hand sanitizer containing an ingredient banned for human use years ago. They were being sold for £5 a bottle, according to trading standards officers in Birmingham.

Stay safe, wash your hands for 20 seconds a pop, and good luck avoiding the crooks!



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/12Trojp_C-E/

Russia’s FSB wanted its own IoT botnet

If you thought the Mirai botnet was bad, what about a version under the control of Russia’s military that it could point like an electronic cannon at people it didn’t like? That’s the prospect we could face after the reported emergence of secret Russian project documents online last week.

The documents, which come from hacking group Digital Revolution but haven’t been verified, suggest that Russia’s Federal Security Service (in Russian, the FSB), has been working on an internet of things (IoT) botnet of its own called Fronton.

Mirai was a botnet that infected IoT devices by the million, taking advantage of default login credentials to co-opt them for attackers. They then pointed it at DNS service provider Dyn, mounting a DDoS attack that took down large internet services for hours.

That happened in late 2016. Shortly after, the documents suggest, the FSB decided to get in on the act by commissioning its own botnet that would infect and control connected small footprint devices. The evidence apparently shows a procurement order from unit 64829, an internal FSB department, for a project put together in 2017 and 2018. They reference Mirai, suggesting that the FSB could develop something similar.

BBC Russia, which saw the 12 documents in the dumped cache first hand, said they refer to three variations of the project: Fronton, Fronton-3D, and Fronton-18. Each describes a botnet of infected IoT devices under the FSB’s control.

The documents include a schematic of victims’ computers communicating with back-end servers via a range of VPNs to anonymise the chain of command. The diagram shows the back-end servers connecting via the Tor anonymous onion routing system to a search server that apparently indexes the infected boxes.

The FSB seems to be at pains to hide the botnet’s origin. BBC Russia found this specification among the documents (translated):

The use of the Russian language and a connected Cyrillic alphabet is excluded, authorization is required to access the server.

The design instructions are said to detail the targeting of security cameras and digital video recorders almost exclusively, adding that because they are able to send video they would be useful source points for DDoS attacks.

Digital Revolution is a group dedicated to exposing FSB projects online. It has dropped file collections allegedly from the Russian agency before, including 170Mb of files related to projects that would scrape social networks for user data and intercept traffic using fake Tor relays.

As with last year’s 170Mb file drop, this hack details third-party contractors that the FSB appears to have enlisted to carry out the work. The primary contractor was reportedly InformInvestGroup, a Russian company that has worked extensively with the Russian Ministry of Internal Affairs. The documents suggest that this company subcontracted at least some of the work to another, called 0day (LLC 0DT), in Moscow.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/EpF4YGlIJDk/

Facebook Messenger may ban mass-forwarding of messages

Facebook Messenger may ban mass-forwarding of messages in an effort to lasso the runaway forwarding of COVID-19 fake news and rumors, it confirmed on Sunday.

Facebook has done this before when its other messaging services have gone berserk with forwarding hysterical misinformation – misinformation that led to people getting lynched in the fake-news crisis that seized India, Myanmar and Sri Lanka in 2018.

India was torn apart as rumors that spread virally on social media sparked dozens of mob lynchings. Over a period of 18 months, 33 people were killed and at least 99 injured in 69 reported lynchings. At least 18 of those incidents were specifically linked to WhatsApp.

In July 2018, the Facebook-owned company said that it would limit forwarding for everyone using WhatsApp, with the limit being most restrictive in India, where people forward more messages, photos and videos than in any other country in the world. In India, WhatsApp tested a lower limit of 5 chats at once and removed the quick-forward button next to media messages. WhatsApp also imposed a larger limit globally of 20 recipients.

In January 2019, WhatsApp applied the lower limit of five forwarded chats on a global scale.

On Saturday, Jane Manchun Wong, a hacker who reverse-engineers apps, spotted Facebook’s test of a new feature in Messenger: a 5-chat forwarding limit. She tweeted an example of how it might work that she’d found hidden inside the app.

A Facebook spokesperson confirmed that the company’s working on limiting the spread of misinformation on Messenger. This was Alexandru Voica’s response to Wong’s tweet:

We’re working hard to limit the spread of misinfo on our platforms, especially with #COVID19, and we’re exploring more options like testing stricter limits for how many chats you can fwd a message to at one time. This feature is still in development and not testing externally yet

The confirmation of the new feature came as Facebook announced it would try to use Messenger to help health organizations push out accurate coronavirus information.

On Monday, Facebook Messenger said it’s launching a new program to help government health organizations and UN health agencies team up with developers so they can use the social network’s messaging service to share accurate information and respond to people’s questions. Developers will help these groups for free in the wake of the pandemic, showing these critical organizations how to use Messenger to share timely information with local communities and speed up their replies to commonly asked questions with tools like automated responses.

Facebook Messenger is also starting an online hackathon, inviting developers to come up with messaging solutions that help with things such as physical distancing and getting access to accurate information. Participants will get special access to Messenger tools and content as well as educational materials from Facebook to support their innovation. Facebook engineers will be mentoring the winners to “help make their idea a reality,” the company says.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/MXNlSpEeisI/

Memcached has a crash-me bug, but hey, only about 83,000 public-facing servers appear to be running it

An annoying security flaw has been disclosed and promptly fixed in the fairly popular memcached distributed data-caching software.

On Monday morning a netizen with the handle IceJi publicly revealed the presence of a bug that could be exploited to crash the software: specifically, the flaw is a buffer overflow in the binary protocol header handling in memcached versions 1.6.0 and 1.6.1. Developers were not warned of the bug prior to the public disclosure.

A project maintainer, Dormando, told The Register that the bug was addressed just hours after being reported, and admins can get the fix by updating to the new version 1.6.2.

The flaw itself appears to be down to a simple missing sanity check on the parameter extlen in a memcpy() function call:

  char extbuf[sizeof(c->binary_header) + BIN_MAX_EXTLEN];   /* fixed-size stack buffer: header plus at most BIN_MAX_EXTLEN extras bytes */
  memcpy(extbuf + sizeof(c->binary_header), c->rcurr + sizeof(c->binary_header), extlen);   /* extlen is taken from the request and never checked against BIN_MAX_EXTLEN */

If an attacker can make extlen large, a buffer overflow occurs, crashing the software. There is no word on whether this can be used to achieve remote-code execution.
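As an added illustration (not memcached’s own code), here is a minimal version of that copy with the bounds check the article says was missing; the five-byte header layout, the MAX_EXTLEN value of 20 and the 0xAB filler bytes are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed header layout for this example (memcached's real header
 * has more fields): magic, opcode, keylen (2 bytes), extlen. */
#define HDR_LEN     5
#define EXTLEN_OFF  4
/* Assumed cap on extras bytes; stands in for BIN_MAX_EXTLEN in the snippet above. */
#define MAX_EXTLEN  20

/* Fixed-size stack buffer with the same shape as extbuf in the snippet:
 * the header followed by room for at most MAX_EXTLEN extras bytes. */
struct extbuf {
    uint8_t header[HDR_LEN];
    uint8_t extras[MAX_EXTLEN];
};

/*
 * Copy the header and its extras from a raw request into a fixed buffer.
 * Returns the number of extras bytes copied, or -1 for a malformed request.
 * The comparison of extlen against MAX_EXTLEN is the sanity check the
 * article describes as missing: extlen is a single attacker-chosen byte
 * (0..255) while the destination only holds MAX_EXTLEN bytes, so without
 * the check memcpy() writes past the end of out->extras.
 */
int copy_extras(const uint8_t *req, size_t req_len, struct extbuf *out)
{
    /* Never read a header from a buffer shorter than the header. */
    if (req_len < HDR_LEN)
        return -1;

    uint8_t extlen = req[EXTLEN_OFF];

    /* The missing bounds check: reject extras that cannot fit. */
    if (extlen > MAX_EXTLEN)
        return -1;

    /* Also make sure the extras actually arrived before copying them. */
    if (req_len < HDR_LEN + (size_t)extlen)
        return -1;

    memcpy(out->header, req, HDR_LEN);
    memcpy(out->extras, req + HDR_LEN, extlen);
    return (int)extlen;
}

/* Build a constructed request of HDR_LEN + extlen bytes (extras filled
 * with 0xAB) into buf. Returns the request length, or 0 if it won't fit. */
size_t build_request(uint8_t *buf, size_t buf_len, uint8_t extlen)
{
    if (buf_len < HDR_LEN + (size_t)extlen)
        return 0;
    buf[0] = 0x80;          /* magic: request */
    buf[1] = 0x01;          /* opcode: arbitrary */
    buf[2] = 0;             /* keylen high byte */
    buf[3] = 0;             /* keylen low byte */
    buf[EXTLEN_OFF] = extlen;
    memset(buf + HDR_LEN, 0xAB, extlen);
    return HDR_LEN + extlen;
}

int main(void)
{
    uint8_t req[HDR_LEN + 255];
    struct extbuf out;

    /* A well-formed request with 8 extras bytes is accepted. */
    size_t n = build_request(req, sizeof req, 8);
    printf("extlen=8   -> copied %d\n", copy_extras(req, n, &out));

    /* The maximum one-byte extlen (255) exceeds MAX_EXTLEN and is rejected
     * instead of overrunning the stack buffer. */
    n = build_request(req, sizeof req, 255);
    printf("extlen=255 -> copied %d\n", copy_extras(req, n, &out));
    return 0;
}
```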

The decision to drop the bug as a zero-day drew criticism from many on the project, who pointed out that conventionally developers are given advance, private notice of several weeks to patch bugs before their details become public.

Debates about the merits of coordinated disclosure aside, server admins will want to patch this bug promptly. You shouldn’t really leave memcached facing the internet, just in case, but to be safe rather than sorry: update when you can. Having said that, there are tens of thousands of servers facing the internet that appear to be running memcached on its default port of 11211.

According to a quick Shodan.io probe by El Reg on Monday, some 83,000 machines worldwide have something running on that port exposed to the open internet – though some of those could be other services, so it may not all be memcached.

It is not known how many of those would have the vulnerable component accessible, or how many are even running one of the two vulnerable versions: the flaw was introduced in 1.6.0. Still, it would be wise to get updated ASAP. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/24/memcached_denial_of_service/

Got your number? Maybe. 118 118 Money shutters website after spotting an intruder

Updated: The parent firm of directory enquiry service 118 118 has yanked offline its finance division’s website after detecting unauthorised access by a person or persons unknown, The Register can reveal.

118 118 Money wrote to personal loans and credit card customers on 23 March to confirm the intrusion, saying in the letter – seen by us – that it is trying to ascertain what happened.

The letter states:

We have taken our network offline temporarily while we investigate an unauthorised access to our systems. Our team is working urgently to restore our normal functions and will provide updates as soon as we are able.

The mandatory apology for the inconvenience was issued, though there was no detail on whether any data has been snatched in the digital burglary.

“Credit card customers can continue to use their cards as normal. However, for the time being, we will not be processing new applications,” the letter added.

Any punter who wants to contact 118 118 Money about their loans or credit card can use the chat function at the bottom of the mail it sent to customers, or they can call 08000 118 222.

“Given the high volume of calls at this time, customers may experience longer than normal wait times,” the letter ended. Current working hours, it should be noted, are 11am to 5pm.

We have asked 118 118 Money if it had additional comment on the type of attack and whether ransomware was involved; when it spotted the intrusion and how entry was gained; and the sorts of data exposed.

Professor Alan Woodward of the University of Surrey told us: “We cannot assume the criminals will cut anyone any slack in the current situation, so those phishing emails, watering hole attacks, and so on will continue.”

Although not commenting specifically on the 118 118 Money incident, he said that in recent ransomware attacks, hackers “grabbed data as well as locking up systems,” and this gave them two “levers” to “extort money”.

The personal loans business was launched by US parent group kgb (a privately held, New York-based company) in 2013. In its latest full accounts on Companies House – for the year ended 31 December 2018 – Madison CF UK Ltd, which trades under the name of 118 118 Money, earned £62.929m in interest income, and accrued a £1.559m tax benefit due to an £8.14m loss before taxation, leaving it with a total comprehensive loss of £6.57m. It received a similar amount in tax benefit in the year ended 2017, when it declared a total loss of £6.72m.

Its fellow subsidiaries in the UK include 118 Ltd, which provides outsourced services support for other firms, mostly from the healthcare sector, and The Number UK Ltd, which provides directory assistance.

118 118 Money started off providing loans to Brits of £1,000 to £5,000 that carried annual interest rates of between 36 and 80 per cent. Among its target market were people with a low credit score.

The credit card side was launched in 2018 with customers charged a monthly subscription fee based on a credit limit. No interest is charged. However, folks at This is Money have pointed out that the monthly fees are the equivalent of high interest annual percentage rates compared to the average credit card. The minimum income requirement to get the 118 credit card is £8,400.

The 118 118 Money website remains down for a second day.

Updated at 14.44GMT on 24 March to add:

118 118 Money made contact following publication of the article but sent us the same statement that it distributed to customers. It refused to make any further comment at this stage. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/24/got_yuor_number_maybe_118/

Vulnerability Management Isn’t Just a Numbers Game

Attackers work 24/7, so you have to be vigilant around the clock. Time for some game theory.

Organizations will be quickly overwhelmed if they try to treat all vulnerabilities equally. Given the sheer volume of vulnerabilities, limited resources, and varying objectives across the teams involved, effective cybersecurity requires the ability to view vulnerabilities in the proper context and prioritize them accordingly for treatment — whether to remediate or mitigate or accept the risk.

Redefining “Vulnerability”
For starters, organizations must establish what it means to say they have a vulnerability. Vulnerabilities are often defined and interpreted in a silo or vacuum that fails to consider other relevant factors such as availability of exploits, threat actors, motivation, etc. Thus, the reality is that a vulnerability is only as bad as the threat exploiting it and the potential impact that a successful exploit could have on an organization or business.

Organizations often focus on CVSS (Common Vulnerability Scoring System) and CVE (Common Vulnerabilities and Exposure) numbers to rank or prioritize vulnerabilities, but neither can be used by itself to effectively manage vulnerabilities. 

CVSS measures the severity of a vulnerability but does not consider risk. It represents a worst-case scenario of the extent of the impact or damage if the vulnerability is successfully exploited but not how plausible it is that the exploit will occur. The CVE is even less useful from a risk management perspective because it is just a naming convention or library for identifying unique vulnerabilities. 

Context Is Key for Prioritizing Vulnerabilities
A vulnerability can be severe but be a low risk, or a vulnerability can be high risk but not severe. The two terms are not interchangeable, and it’s important to understand the difference. 

IT security teams tend to focus on the most recent vulnerabilities — especially high-severity vulnerabilities. Attackers, on the other hand, don’t necessarily prioritize based on severity. They have nothing to prove. Attackers are generally focused on ease of exploitation and high return on investment. Many attacks target old vulnerabilities for which patches have existed for months or years, because attackers can simply buy an exploit, or make use of an existing exploit tool, and automate the process of discovery and exploitation. Attackers tend to take an industrialized approach toward launching attacks.

Game Theory and Vulnerability Management
One of the biggest fallacies when it comes to vulnerability management is that it’s a numbers game. Many organizations have a skewed, metric-driven approach to vulnerability management that creates the illusion of progress and success while leaving the company exposed to significant risk.

If there are 1,000 vulnerabilities detected and the IT security team manages to patch (or remediate) or mitigate 990 of them, they’ve closed 99% of the vulnerabilities. At face value, that sounds impressive, but attackers only need one exploitable vulnerability to get into the enterprise network. The real questions are: What are the 10 vulnerabilities that are left, and what is the potential impact the organization faces if one of them is successfully exploited? 

Instead of viewing vulnerability management as a numbers game and measuring success based on an arbitrary percentage of the total vulnerabilities detected, organizations should view vulnerability management as a function of game theory. 

What do I mean by that? Game theory uses rational choice theory along with assumptions of adversary knowledge in order to predict utility-maximizing decisions. It allows someone to predict their opponents’ strategies. Applying game theory to vulnerability management is a more effective and practical strategy than just counting vulnerabilities. 

There are a variety of factors to consider in order to prioritize vulnerabilities effectively and maintain effective vulnerability management. IT security teams must weigh and balance multiple factors (vulnerability severity, asset criticality, asset accessibility, mitigating controls, potential impact, and so on) and think tactically about the opponent to develop a successful strategy.

Continuous Vigilance Is Crucial
The final piece of an effective vulnerability management strategy is that it has to be continuous. Running a monthly — or even a weekly — vulnerability scan to identify vulnerabilities to address only provides a snapshot of that moment in time. 

Attackers don’t work on a weekly or monthly schedule. The Internet is global, and it’s 10 a.m. somewhere all the time. Attackers work around the clock, so your vulnerability management efforts have to be vigilant 24/7.

Having an understanding of how to consider context when prioritizing vulnerability remediation efforts, a strategy based on game theory rather than treating vulnerability management as a pure numbers game, and a system of continuous vulnerability monitoring will help you reduce your attack surface and improve your security posture.


Prateek Bhajanka (CISA, CEH) is a VP of Product Management, where he is responsible for product definition, road map, marketing and strategy for the VMDR product offering. He has comprehensive experience in the security domain, where he has played roles across the board, …

Article source: https://www.darkreading.com/vulnerabilities---threats/vulnerability-management-isnt-just-a-numbers-game/a/d-id/1337313?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Automated Tools Make Cyberattacks Easier to Pull Off

Gone are the days when threat actors had to actually spend time and effort planning and developing an attack on their own, Recorded Future says.

Just as security automation is helping organizations more effectively detect, respond to, and remediate cyberthreats, it is making life easier for cybercriminals as well.

Recorded Future recently analyzed data from its threat intelligence platform, open source intelligence sources, and public reporting to see whether it could identify the automated tools and services that threat actors are most commonly using to facilitate attacks.

The threat intelligence vendor discovered a thriving ecosystem of merchants selling a variety of products for automating almost every aspect of the attack chain — from initial reconnaissance and network break-in to payload delivery, defense evasion, data exfiltration, and monetization of stolen data.

Recorded Future found malware that once might have taken attackers months to develop, test, and deploy now readily available off-the shelf, giving both sophisticated and unsophisticated actors the ability to execute malicious campaigns with little effort.

In a report this week, the vendor released a list of 10 automated tools and services it found threat actors are most commonly using to automate attacks currently. Among them are products that allow attackers to quickly validate or access passwords for thousands of accounts, and products that allow attackers to bypass antimalware products to deliver payloads and tools for stealing credentials and other sensitive data from compromised systems. The list also includes sniffers for stealing payment card data from e-commerce sites and underground marketplaces, where threat actors can sell stolen credentials and other data in a fully automated fashion.

Many of the tools and services that attackers are using these days are automated and commoditized and therefore easier to use by threat actors, says Roman Sannikov, director of analyst services at Recorded Future. “We found tools that allow cybercriminals to brute-force access without even opening a command line, with bots at their disposal,” he says.

The trend highlights the need for organizations to keep up to date on the tactics, techniques, and procedures of threat actors and the tools and service they use, he says.

“Really, the biggest difference is the speed and ease with which a threat actor can stand up a campaign,” Sannikov says. “When so many things that in the past had to be done manually now come off the shelf, so to speak, a threat actor can just grab a tool that suits their needs.”

One example of how simple it has become for threat actors to launch a malicious campaign is the easy availability of access to breached entities, he says. No longer do attackers have to spend time and effort trying to hack into a target network on their own. Numerous sources are available underground where a would-be attacker can purchase — or even get for free — entire databases of credentials that other attackers might have previously extracted from compromised websites. Often the contents of these databases are not sold entirely but in chunks, such as email accounts and passwords or other personally identifiable information.

Access to Compromised Networks
Other sources are available where cybercriminals can buy access to compromised networks belonging to business, government, and educational entities for prices ranging from a few hundred to a few thousand dollars, Recorded Future said.

“In these instances, cybercriminals have obtained access to an organization’s network using different methods such as compromised third-party software (such as Citrix, TaxSlayer, or LexisNexis), RDP access, compromised Internet routers, or phishing,” the vendor noted.

Similarly, so-called “checkers” and “brute-forcers” are readily available that allow attackers to direct large-scale, automated login requests against target websites to identify and break into valid accounts. Popular tools in this category, such as STORM, Black Bullet Account Cracker, and Sentry MBA, allow attackers to target and attempt account takeovers at almost any company with an online presence.

“Checkers and brute-forcers have become significantly more sophisticated and one step [better] than they were in the past,” Sannikov says. “Threat actors can run exposed user name and password combinations against multiple potential entities” at the same time.

Recorded Future researchers also found multiple “loaders,” with names such as “Amadey,” “Diamond Fox,” and “Smoke Bot,” that allow attackers to drop malicious payloads on victim systems, as well as “crypters” for obfuscating and encrypting malware to evade detection. “Stealers,” for extracting credentials and other sensitive data from systems, and banking injects, which are often used in conjunction with banking Trojans to steal a user’s bank account login credentials, are other commonly available tools.

Recorded Future discovered that cybercriminals these days do not even have to worry about finding a buyer for their stolen data. Several markets are available underground where they can sell their content for a fixed amount or for a share of the profit from sales of the data.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/automated-tools-make-cyberattacks-easier-to-pull-off/d/d-id/1337391?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Microsoft Publishes Advisory for Windows Zero-Day

There is no available patch for the vulnerabilities, which Microsoft says exist in all supported versions of Windows.

Microsoft today posted an advisory to inform users of active attacks targeting unpatched flaws in Adobe Type Manager Library. The vulnerabilities affect all supported versions of Windows.

Two remote code execution vulnerabilities exist in Microsoft Windows when the Adobe Type Manager Library improperly handles a specially crafted multimaster font called Adobe Type 1 PostScript format, Microsoft explains in the advisory. The company is aware of “limited targeted attacks” that could leverage the unpatched vulnerabilities, which the company ranked as Critical.

There are several ways an attacker could successfully take advantage of these flaws. For example, they could convince a user to open a specially crafted document or view it in the Windows Preview pane. Opening or viewing the file would let the attacker remotely run malicious code on the target machine. While the Windows Preview pane could be an attack vector, Microsoft says Outlook Preview Pane is not an attack vector for these vulnerabilities.

“For systems running supported versions of Windows 10, a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities,” officials explain of the potential effects on supported Windows 10 machines.

Microsoft is working on a fix for the vulnerabilities. The company usually releases patches on the second Tuesday of each month, a schedule it says allows for both quality assurance and IT planning. It has been known to issue out-of-band patches for urgent vulnerabilities as needed. Microsoft did not provide details on when a patch for these vulnerabilities will be released. 

In the meantime, its advisory offers workarounds for companies vulnerable to these attacks. For example, admins can disable the Preview and Details panes in Windows Explorer to prevent the automatic display of OTF fonts. This prevents malicious files from being viewed in Windows Explorer, Microsoft says, but it does not stop a local authenticated user from running a specially crafted program to exploit the flaw.

Another workaround involves disabling the WebClient service, which helps protect against potential exploits by blocking the most likely remote attack vector via the Web Distributed Authoring and Versioning (WebDAV) client service. With this workaround, it would still be possible for attackers to cause the system to run programs on the target machine or local area network; however, users will be asked for confirmation before opening malicious programs.

Microsoft provides guidance for completing these workarounds and others, as well as how to undo them, for different affected versions of Windows in its advisory on the vulnerabilities.

To protect against the attacks that exploit these flaws, Synopsys senior security strategist Jonathan Knudsen emphasizes the importance of not clicking links or attachments in unexpected emails:

“You should never, ever, ever click on links in emails or open documents whose origin is uncertain,” he says. “The attack that exploits this vulnerability depends on tricking users into opening specially crafted malicious documents. Every time you are tempted to click a link or open an attachment, take a moment and think about what you’re doing.”


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/vulnerabilities---threats/microsoft-publishes-advisory-for-windows-zero-day/d/d-id/1337387?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

WhatsApp “Martinelli” hoax is back, warning about “Dance of the Pope”

If you follow @NakedSecurity on Twitter, you’ll have noticed that we warned last week about an old WhatsApp hoax that suddenly reappeared.

The bogus news is generally known as the “Martinelli hoax”, because it starts like this:

If you know anyone using WhatsApp you might pass on this. An IT colleague has advised that a video comes out tomorrow from WhatsApp called martinelli do not open it , it hacks your phone and nothing will fix it. Spread the word.

When we last wrote about “Martinelli”, back in 2018, we noted that the hoax was given a breath of believability because the text above was immediately followed by this:

If you receive a message to update the WhatsApp to WhatsApp Gold, do not click!!!!!

This part of the hoax has a ring of truth to it.

Back in 2016, hoax-checking site Snopes reported that malware dubbing itself WhatsApp Gold, was doing the rounds.

The fake WhatsApp was promoted by bogus messages that claimed, “Hey Finally Secret WhatsApp golden version has been leaked, This version is used only by big celebrities. Now we can use it too.”

So WhatsApp Gold was real malware and the advice to avoid it was valid; the initiator of the Martinelli hoax simply borrowed that warning to lend an air of legitimacy to an otherwise fake claim about the video.

The latest reincarnation of the hoax has kept the text of the original precisely, including the five-fold exclamation points and the weird extra spaces before punctuation marks.

The new hoax even claims that the video first mentioned several years ago still “comes out tomorrow.”

But there’s a new twist this time, with yet another hoax tacked on the end referring to yet another video “that formats your mobile.”

This time, the video is called Dance of the Pope:

Please inform all contacts from your list not to open a video called "Dance of the Pope". It is a virus that formats your mobile. Beware it is very dangerous. They announced it today on BBC radio. Fwd this message to as many as you can!

Ironically, Snopes suggests that this piece of the hoax – which is basically the same as the Martinelli hoax but with a different video name – is even older than the Martinelli part, dating back to 2015.

Quite why the hoax has reappeared now is not clear, though it may have been triggered by March 2020 news headlines about wunderkind Brazilian footballer Martinelli.

Martinelli currently plays for Arsenal in England, but has been tipped to appear in the Brazilian national squad at just 18 years of age; he’s also been the subject of media speculation that he might get poached from Arsenal by Spanish heavyweights Real Madrid.

Is it even possible?

In theory, playing a deliberately booby-trapped video file on your mobile phone could end up in a malware infection, if your phone has an unpatched bug in its media player software that a crook could exploit.

In practice, however, that sort of bug is very rare these days – and typically gets patched very rapidly and reported very widely.

In other words, if the creator of this warning knew enough about the “bug” to predict that it could infect any mobile phone, and could warn you about an “attack” delivered in a video that isn’t even out yet, it is highly unlikely that you would not already have heard about the real bug from your phone’s vendor or from the world’s cybersecurity news media.

Additionally, even if there were a dangerous bug of this sort on your phone and your phone were at risk, it’s unlikely that “nothing would fix it”.

As for the imminent and unconquerable danger of an alleged double-whammy video attack of “threats” that first surfaced in 2015 and 2016…

…well, if the videos were supposed to “come out tomorrow” more than four years ago, we think you can ignore them today.

What to do?

  • Don’t spread unsubstantiated or already-debunked stories online via any messaging app or social network. There’s enough fake news at the moment without adding to it!
  • Don’t be tricked by claims to authority. Anyone can write “they announced it today on BBC radio,” but that doesn’t tell you anything. For all you know, the BBC didn’t mention it at all, or announced it as part of a hoax warning. Do your own research independently, without relying on links or claims in the message itself.
  • Don’t use the “better safe than sorry” excuse. Lots of people forward hoaxes with the best intentions, but you can’t make someone safer by “protecting” them from something that doesn’t exist. All you are doing is wasting everyone’s time.
  • Don’t forward a cybersecurity hoax because you think it’s an obvious joke. What’s obvious to you might not be to other people, and your comments may get repeated as an earnest truth by millions of people.
  • Don’t follow the advice in a hoax “just in case”. Cybersecurity hoaxes often offer bogus advice that promises a quick fix but simply won’t help, and will certainly distract you from taking proper precautions.
  • Patch early, patch often. Security updates for mobile phones typically close off lots of holes that crooks could exploit, or shut down software tricks that adware and other not-quite-malicious apps abuse to make money off you. Take prompt advantage of updates!
  • Use a third-party anti-virus in addition to the standard built-in protection. Sophos Intercept X for Mobile is free, and it gives you additional protection not only against unsafe system settings and malware, but also helps to keep you away from risky websites in the first place.
  • Don’t grant permissions to an app unless it genuinely needs them. Mobile malware doesn’t need to use fancy, low-level programming booby-traps if you invite it in yourself and then give it more power than it needs or deserves.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/xEmEiF4gQ5I/

It’s 2020 and hackers are still hijacking Windows PCs by exploiting font parser security holes. No patch, either

Hackers are commandeering victims’ Windows PCs by exploiting at least one remote-code-execution flaw in the Adobe Type Manager Library included with the Microsoft operating system. No patches are available right now.

Redmond today warned of two flaws, not yet assigned CVE numbers, present in the font parser – and at least one has been exploited in a “limited number of attacks” to hijack vulnerable computers. The only way to prevent trivial automatic exploitation is to disable the preview and details panes in Windows Explorer, though that will not kill off the bugs entirely unless you disable the library.

That “limited number” of victims may well change in the near future as it’s likely exploit developers will hunt for the flaws to leverage now that the word is out.


Adobe, for what it’s worth, said this is Microsoft’s problem. “This library is exclusively supported by Microsoft, and customers using Adobe products are not at risk,” Adobe helpfully told The Register.

To exploit the bugs, a miscreant can include a malformed multi-master font in a document, and send it to a victim. When the victim’s PC tries to view the file, either in an application or in a preview pane, the operating system passes the embedded font, in Adobe Type 1 PostScript format, to the Adobe Type Manager Library, which mishandles the corrupt data and causes arbitrary code smuggled within the font to execute.

We’re told Windows 10 with AppContainer setup will at least contain any intrusion to a single application sandbox, rather than allow the malicious code to gain full access to a box.

One mitigation is to disable the Windows Explorer Preview Pane and Details Pane. This can be done through the Advanced Settings option in the Organize > Layout menu. Note that this will only prevent exploitation during preview. Opening a poisoned file in an application will still trigger exploitation.

To really close off the flaw, you will also need to disable the WebClient service and/or rename the library, ATMFD.DLL, so that it cannot be loaded. Those with Windows 8.1 or earlier can also edit the registry to disable the vulnerable components. Check the Microsoft advisory for the pitfalls associated with these workarounds.
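The two service-level workarounds described here and in the Dark Reading piece above (disabling the WebClient service and renaming ATMFD.DLL) are straightforward to audit and apply from an elevated PowerShell session. The script below is an added example, not Microsoft's or The Register's own code; the System32 location of the DLL and the “x-” rename prefix are assumptions, and the Windows 8.1 registry edit is left out because the page does not give the key.

```powershell
# Added example: audit, and with -Apply carry out, two ATMFD workarounds.
# Without -Apply the script only reports the current state of each item.
# Run elevated. Check Microsoft's advisory for the exact steps and for how
# to undo them before using this on production hosts.
[CmdletBinding()]
param(
    [switch]$Apply
)

# Assumed location of the vulnerable font-parsing library.
$atmfd = Join-Path $env:windir 'System32\atmfd.dll'

# --- 1. WebClient (WebDAV) service: the most likely remote vector named in the advisory
$svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Output 'WebClient service not present on this host.'
} else {
    Write-Output ("WebClient: Status={0} StartType={1}" -f $svc.Status, $svc.StartType)
    if ($Apply) {
        Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
        Set-Service  -Name WebClient -StartupType Disabled
        Write-Output 'WebClient stopped and set to Disabled.'
    }
}

# --- 2. ATMFD.DLL: rename the library so the vulnerable parser cannot be loaded
if (-not (Test-Path $atmfd)) {
    Write-Output "atmfd.dll not found at $atmfd (already renamed, or not shipped on this build)."
} else {
    Write-Output "atmfd.dll present at $atmfd - vulnerable library is still loadable."
    if ($Apply) {
        # System files are owned by TrustedInstaller: take ownership and grant
        # Administrators full control first, saving the ACL so it can be restored later.
        Push-Location (Split-Path $atmfd)
        takeown.exe /f atmfd.dll | Out-Null
        icacls.exe atmfd.dll /save atmfd.dll.acl | Out-Null
        icacls.exe atmfd.dll /grant 'Administrators:(F)' | Out-Null
        Rename-Item -Path atmfd.dll -NewName 'x-atmfd.dll'   # assumed prefix
        Pop-Location
        Write-Output 'atmfd.dll renamed to x-atmfd.dll; restart so no loaded copy remains in use.'
    }
}
```

Run it once without -Apply across a fleet to see which hosts still have the library loadable and the WebDAV client running, then again with -Apply on the hosts you choose to harden ahead of the patch.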

Otherwise, it is going to be a bit of a wait to get a fix for this. From the sound of things, Redmond is waiting until the next Patch Tuesday, scheduled for April 14, more than three weeks from now, to address the flaws. If a patch were issued now, exploit developers would be able to reverse engineer the code changes to work out how to attack those unable to apply a fix immediately. And given that businesses, tied up with the coronavirus pandemic, may not be able to install patches across their fleets right now outside of the Patch Tuesday cycle, Microsoft has decided to keep its cards close to its chest.

Should the number of attacks expand significantly beyond a “limited number,” we could see an emergency out-of-band update released sooner, or at least you’d hope so. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/23/microsoft_issues_red_alert/