STE WILLIAMS

Microsoft Remote Access Protocol Flaw Affects All Windows Machines

Attackers can exploit newly discovered critical crypto bug in CredSSP via a man-in-the-middle attack and then move laterally within a victim network.

A serious vulnerability found in Microsoft’s Credential Security Support Provider protocol (CredSSP) could allow a hacker to gain control of a domain server and other systems in the network.

Researchers from Preempt unearthed the previously unknown remote code execution vulnerability, which affects all versions of Windows, and reported it to Microsoft in August of last year. Microsoft today issued a fix (CVE-2018-0886) for the protocol as part of its Patch Tuesday release.

The logical cryptographic vulnerability in CredSSP can be exploited via a man-in-the-middle attack when a client machine and server authenticate to one another over the Remote Desktop Protocol (RDP) and Windows Remote Management (WinRM) connection protocols. CredSSP forwards credentials, encrypted, from the Windows client to the server for authentication.

“We were able to find a classic mistake in the protocol and use that mistake to launch a man-in-the-middle attack,” says Yaron Zinar, lead security researcher for Preempt. Zinar and his team will demonstrate the attack next week in Singapore at Black Hat Asia, where they also will release an open source tool that exploits the vulnerability.

Zinar says with CredSSP, the server’s certificate doesn’t get validated by the client; it’s just signed and not hashed. “That allows us to create a malicious [and forged server] certificate that contains” a malicious executable, he says. The client then can be duped with a forged server cert.

Exploiting the flaw requires the attacker to wage a man-in-the-middle attack between the client and server in an RDP or WinRM session. He or she would need WiFi or physical access to the targeted network. A WiFi exploit could be set up using a key reinstallation attack such as KRACK, for example, according to the researchers. Other vectors are Address Resolution Protocol (ARP) poisoning and exploiting vulnerable network devices such as routers, to reach servers inside.

During the man-in-the-middle attack, the attacker basically waits for a CredSSP session, compromises the authentication between the client and server, and then employs a remote procedure call attack on that server. “An attacker which have stolen a session from a user with sufficient privileges could run different commands with local admin privileges,” according to a blog post by Preempt on the attack. “This is especially critical in case of domain controllers, where most Remote Procedure Calls (DCE/RPC) are enabled by default.”

All the client machine user sees is a failed RDP message, so there’s little evidence that something went wrong with the remote session. An attacker then could end up with full control of the network if he or she then targets the victim’s domain controller.

“Exploiting the vulnerability was very difficult,” notes Zinar. “There were a lot of constraints about which packets we could use, and which certs we could use.”

Microsoft in its update today said the patch “addresses the vulnerability by correcting how CredSSP validates requests during the authentication process.” It recommends also using Group Policy settings or registry-based settings: “We recommend that administrators apply the policy and set it to ‘Force updated clients’ or ‘Mitigated’ on client and server computers as soon as possible. These changes will require a reboot of the affected systems,” Microsoft said in its update.

To defend against the CredSSP exploit, Preempt recommends patching workstations and servers, but warns that patching alone is not sufficient to stop this attack. Special configuration changes also need to be made, and blocking RDP and DCE/RPC can help. “If you don’t use RDP, turn it off on the machine. And if you are not using remote procedure calls, turn them off,” Zinar advises. “Also, decrease the use of privileged credentials. An admin should not use privileged credentials from WiFi, and sometimes not even from his personal workstation. From a dedicated workstation, maybe.

“And don’t use domain admins at all,” he adds.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/endpoint/microsoft-remote-access-protocol-flaw-affects-all-windows-machines/d/d-id/1331257?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Google ‘Distrust Dates’ Are Coming Fast

All the tools are in place for the migration of SSL digital certificates on a scale that is unprecedented for the certificate authority industry. Are you ready?

The deadline is fast approaching for organizations to replace Symantec-issued SSL digital certificates, spurred by a Google decision last year to gradually deprecate all Symantec digital certificates because of failures on Symantec’s part to properly validate its SSL certificates before issuance.

Symantec, at the time, characterized Google’s claims as misleading and grossly exaggerated. The company claimed that only 127 certificates were identified as mis-issued and not 30,000. Symantec said that Google was singling it out for blame though the mis-issuance involved multiple certificate authorities (CAs).

Fast forward to today: Google has created a path for Symantec certificate holders to replace these certificates simply through DigiCert, in a fashion similar to a renewal process. The first of two dates related to this change will occur Thursday, March 15, and security teams need to be aware of how to deal with the process. But first, a bit of history and context.

When an SSL certificate is installed on a Web server, the connection between the server and browser is encrypted. Users know this security is in place because they see a padlock and the word “secure” at the start of the URL line as well as “https.” To enable this, businesses need to purchase and install a certificate from a valid CA. These certificates need to be renewed and reinstalled periodically — typically, every two to three years — to stay in compliance.

In early 2017, an issue was raised concerning a number of certificates issued by Symantec’s SSL business, which operated several CAs under Symantec ownership with the brand names of VeriSign, Equifax, GeoTrust, Thawte, and RapidSSL. For a number of reasons, these did not comply with industry requirements for browsers. There was an investigation, and it was deemed that Symantec had entrusted a number of organizations to issue certificates without the necessary oversight.

Google Steps In
The net result was that Google put a plan in place to distrust certificates issued by Symantec and all its subsidiaries over a period of time. At the time, Symantec was the largest CA and instead of making the necessary changes, it decided to sell the business to the second-largest CA, DigiCert, in November 2017, making DigiCert the overwhelming market share leader.

Google’s plans included three critical dates:

December 1, 2017: One month after the DigiCert/Symantec deal closed, validation and issuance of Symantec certificates were handled by DigiCert. No changes were required by the customers of either of the two companies.

March 15, 2018: Chrome 66 beta will distrust all Symantec certificates issued prior to June 1, 2016. Around April 15, 2018, the general, or stable, version of Chrome will feature untrusted warnings for these certificates.

September 13, 2018: Chrome 70 beta will distrust all certificates issued by Symantec. In October 2018, the general, or stable, version of Chrome will feature untrusted warnings for these certificates.

Companies that don’t comply with this will experience a situation in which users connecting to their site are directed to a page warning them that the communication isn’t secure. That may or may not be a problem, depending on the site, but it’s often enough to scare people away to click somewhere else, so keeping those certificates up to date is crucial.
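The schedule above, applied to an X.509 chain, as an added Go example that is not part of the article and not a tool from Google or DigiCert: Classify picks the milestone from the leaf’s notBefore date and the issuers in the chain, and CheckHost fetches a live server’s chain for inventory purposes. Matching Symantec by the issuer organisation names the article lists is an approximation of Chrome’s real rule (which keyed on Symantec root public keys), and MakeSampleCert produces constructed self-signed test certificates, not real CA-issued ones.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"strings"
	"time"
)

// CA brands the article lists as operated under Symantec ownership. Matching on issuer
// organisation is an approximation: Chrome's own rule keyed on the Symantec root public keys.
var symantecBrands = []string{"symantec", "verisign", "equifax", "geotrust", "thawte", "rapidssl"}

// Leaf certificates issued before this date fall in the first wave (Chrome 66).
var chrome66Cutoff = time.Date(2016, time.June, 1, 0, 0, 0, 0, time.UTC)

type Verdict struct {
	Affected  bool
	Milestone string // "Chrome 66" or "Chrome 70"
	Beta      string // beta-channel date given in the article
	Stable    string // stable-channel date given in the article
	Reason    string
}

func isSymantecOrg(orgs []string) bool {
	for _, o := range orgs {
		for _, brand := range symantecBrands {
			if strings.Contains(strings.ToLower(o), brand) {
				return true
			}
		}
	}
	return false
}

// Classify applies the article's schedule to a chain (leaf first, then intermediates): a
// Symantec-brand issuer anywhere in the chain marks the site as affected; the leaf's notBefore selects the milestone.
func Classify(chain []*x509.Certificate) Verdict {
	if len(chain) == 0 {
		return Verdict{Reason: "empty chain"}
	}
	affected := false
	for _, c := range chain {
		affected = affected || isSymantecOrg(c.Issuer.Organization)
	}
	if !affected {
		return Verdict{Reason: "no Symantec-brand issuer in chain; no action needed"}
	}
	issued := chain[0].NotBefore.UTC().Format("2006-01-02")
	if chain[0].NotBefore.Before(chrome66Cutoff) {
		return Verdict{Affected: true, Milestone: "Chrome 66", Beta: "2018-03-15",
			Stable: "around 2018-04-15", Reason: "Symantec-issued leaf dated " + issued + ", before 2016-06-01"}
	}
	return Verdict{Affected: true, Milestone: "Chrome 70", Beta: "2018-09-13",
		Stable: "October 2018", Reason: "Symantec-issued leaf dated " + issued}
}

// CheckHost fetches the chain a live server presents (addr like "example.com:443") and classifies it.
// Verification is skipped deliberately: an already-distrusted chain must still be inventoried, and nothing is sent.
func CheckHost(addr string) (Verdict, error) {
	host, _, err := net.SplitHostPort(addr)
	if err != nil {
		return Verdict{}, err
	}
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: host, InsecureSkipVerify: true})
	if err != nil {
		return Verdict{}, err
	}
	defer conn.Close()
	return Classify(conn.ConnectionState().PeerCertificates), nil
}

// MakeSampleCert builds a self-signed certificate with a chosen issuer organisation and notBefore:
// constructed test data standing in for a real CA-issued certificate, so the logic can be exercised offline.
func MakeSampleCert(org string, notBefore time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{org}, CommonName: "www.example.test"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(3, 0, 0),
	}
	// Self-signed (parent == template), so CreateCertificate copies Subject into Issuer.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```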

A Headache for Big Business
Upgrading the certificates isn’t a big deal if you’re a small business with one or two Web servers. However, for large companies with thousands of servers, this can be a huge headache. Certificates are also now being deployed on Internet of Things devices, so if they aren’t upgraded, the communications won’t be encrypted or may stop transmitting information. 

To help its customers make this shift, DigiCert has made available a website checker to see whether a company needs to take action. For example, if “Symantec.com” is put into the URL line, the site issues a warning to replace the certificate before September 13, 2018. This simple tool lets customers quickly check which sites need upgrading and when.

DigiCert also has greatly simplified the process of procuring the certificates. What used to be a rather cumbersome set of tasks has been simplified to literally a couple of mouse clicks, and the certificate is renewed and upgraded. For companies investing in automation technologies, including the robust set of APIs that DigiCert offers, those few mouse clicks can be removed from the equation entirely.

In conversations with a number of customers, I’ve learned that these automation tools have been a huge time saver, with companies now able to upgrade all their servers in a fraction of the time it previously took. It’s important to note that SSL certificates are now being used on IoT devices as a way of encrypting the traffic to and from them, so many organizations should expect to see the number of certificates they need to manage grow exponentially.

One other important consideration: While most Web users won’t notice warnings until the April stable release of Chrome, I recommend that organizations upgrade their affected certificates now. Domains and organizations need to be validated before DigiCert can issue the certificate, and delays by customers can sometimes cost them a couple of days in getting their certificates. There’s actually no reason not to upgrade the ones affected by the September date either. Not getting it done in time will mean that when customers access the business website, they will be greeted with a Chrome security warning and that could drive them to a competitor.  

In truth, a migration of this magnitude, which is unprecedented in the CA industry, could have been a disaster. Given that the acquisition of the Symantec CA business was only completed in November, DigiCert has done a remarkable job in consolidating the platforms and support organizations. All the tools are now there for customers to ensure that their Web servers won’t have a problem, so the ball is now in the court of security teams. The Google distrust dates are coming fast — are you ready?


Zeus Kerravala provides a mix of tactical advice and long term strategic advice to help his clients in the current business climate. Kerravala provides research and advice to the following constituents: end user IT and network managers, vendors of IT hardware, software and …

Article source: https://www.darkreading.com/endpoint/google-distrust-dates-are-coming-fast-/a/d-id/1331253?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

What CISOs Should Know About Quantum Computing

As quantum computing approaches real-world viability, it also poses a huge threat to today’s encryption measures.

Image Source: Adobe Stock (zapp2photo)

Quantum computing is quickly moving from the theoretical world to reality. Last week Google researchers revealed a new quantum computing processor that the company says may beat the best benchmark in computing power set by today’s most advanced supercomputers.

That’s bad news for CISOs because most experts agree that once quantum computing advances far enough and spreads wide enough, today’s encryption measures are toast. General consensus is that within about a decade, quantum computers will be able to brute-force public key encryption as it is designed today.

Here are some key things to know and consider about this next generation of computing and its ultimate impact on security.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: https://www.darkreading.com/cloud/what-cisos-should-know-about-quantum-computing/d/d-id/1331239?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

AMD Investigating Report of Vulnerabilities in its Microprocessors

Israel-based firm says it found critical bugs in AMD’s newest chip families.

AMD found itself in the bullseye this week as an Israel-based security firm today published a report of multiple critical vulnerabilities in the microprocessor vendor’s latest EPYC, Ryzen, Ryzen Pro, and Ryzen Mobile product families.

CTS Labs said it found exploitable manufacturer hardware backdoors in the microprocessors that could allow an attacker to wrest away control of a victim’s machine. The vulns, which it dubbed Chimera, Ryzenfall, Fallout, and Masterkey, can bypass security protections, including Microsoft’s Windows 10 Virtualization-Based Security (VBS).

Details on how to exploit the flaws were redacted from the whitepaper, which CTS provided to AMD, some security firms, and US government regulators, CTS said. No other details were available as of this posting.

AMD apparently had little time to respond to the disclosure. “We have just received a report from a company called CTS Labs claiming there are potential security vulnerabilities related to certain of our processors. We are actively investigating and analyzing its findings. This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings. At AMD, security is a top priority and we are continually working to ensure the safety of our users as potential new risks arise. We will update this blog as news develops,” the company wrote in an online post.

See the CTS report here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/endpoint/privacy/amd-investigating-report-of-vulnerabilities-in-its-microprocessors/d/d-id/1331267?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Microsoft Patch Tuesday: Prioritize Browser Updates

All of the critical vulnerabilities Microsoft patched on March 13 were within, and related to, browsers.

Microsoft today addressed 75 unique vulnerabilities as part of its monthly Patch Tuesday update: of these, 14 flaws were categorized as critical and 61 as important. None were listed as under active attack.

Two of the flaws patched this month had been publicly disclosed. One of these was CVE-2018-0886, a CredSSP remote code execution bug that could enable an attacker to control a domain server and other systems throughout the network. Another is CVE-2018-0940, a privilege escalation vulnerability in Exchange Outlook Web Access (OWA) that would let an attacker replace a legitimate OWA interface with a fake login page.

Many key patches released for this month address flaws in the browser, points out Jimmy Graham, director of product management at Qualys. Microsoft issued 21 browser-related fixes, which included the 14 total bugs rated as Critical on Patch Tuesday.

“All of the critical vulnerabilities from Microsoft are in browsers and browser-related technologies,” he notes. “It is recommended that these be prioritized for workstation-type devices. Any system that accesses the Internet via a browser should be patched.”

Read more details here.


Article source: https://www.darkreading.com/threat-intelligence/microsoft-patch-tuesday-prioritize-browser-updates/d/d-id/1331269?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Microsoft Report Details Different Forms of Cryptominers

A new report explores different ways legitimate and malicious coin miners are appearing in the enterprise.

The future of digital currencies may be ambiguous, but their effect on cybercrime is crystal-clear. Cryptocurrencies have changed criminals’ motivation and the nature of cyberattacks.

As consumers explored the new frontier of digital wealth, so too have cybercriminals and malware developers. Both the anonymity and sharp value increase of cryptocurrency appeal to threat actors, who have most notably used Bitcoin to extort funds from ransomware victims.

Criminal activity related to cryptocurrency has driven a surge in different forms of cryptocurrency miners, otherwise known as cryptominers or coin miners. Microsoft’s Alden Pornasdoro, Michael Johnson, and Eric Avena, all with the Windows Defender Research team, have published a new report on the rise of various coin miners and their enterprise presence.

“Mining is the process of running complex mathematical calculations necessary to maintain the blockchain ledger,” the researchers explain. It’s not malicious, but it does require hefty computing resources to generate coins. Many people and businesses invest in the equipment to legitimately do it. Some people don’t want to make this infrastructure investment, and instead explore ways to use coin mining code to tap into the computing resources of somebody else’s devices.

For cybercriminals, this is a chance to build coin miners and use them nefariously. The researchers’ report digs into the details of coin mining malware, web-based mining scripts, and legitimate but unauthorized cryptomining applications, and how they are deployed and used.

Trojanized coin miners

Oftentimes, cybercriminals change existing cryptominers and drop them on target computers using malware, social engineering, and exploits. Between Sept. 2017 and Jan. 2018, an average of 644,000 machines encountered coin mining malware each month, Microsoft states. Some are more sophisticated than others, using exploits or self-distributing malware to spread.

“The vast majority of attacks are financially motivated and based on the return-on-investment for attackers,” says Kevin Epstein, vice president of Threat Operations at Proofpoint. As ransomware campaigns have proven less lucrative amid growing consumer awareness, many criminals are turning to cryptominers and integrating coin mining into Trojans to make money.

Exploit kits, once used to mainly deploy banking Trojans and, most recently, ransomware, are now used to spread coin miners. Researchers point to the example of DDE exploits: One sample of the malware is delivered as a malicious Word document that launches a PowerShell script and downloads a Trojanized version of Monero cryptominer XMRig. Some criminals use social engineering: one malicious file called “flashupdate,” disguised as Flash Player, also uses an altered version of XMRig. 

Once a coin miner makes its way onto a target machine, it aims to stay there.

“For cryptocurrency miners, persistence is a key element,” Microsoft researchers explain. “The longer they stay memory-resident and undetected, the longer they can mine using stolen computer resources.” Criminals use scheduled tasks, autostart registry entries, code injection, and other fileless techniques to maintain their presence by evading detection.

Browser-based miners

Some coin-mining scripts are hosted on websites, a trend also known as “cryptojacking” that has increased amid the interest in cryptocurrency. These websites mine coins using the computing power of people who visit. Some sites prompt visitors to run the script; others do not.

To keep people from leaving, some of these malicious sites host video streams. Researchers have also found tech support scam sites that double as coin miners. Visitors are distracted with pop-ups and stay on the site as criminals mine coins in the background.

Legitimate miners, illegitimate use

A growing enterprise problem is the presence of legitimate but unauthorized coin miners that people use in business environments because they don’t want to use their resources at home. These drive energy consumption and costs, and are tougher for security teams to detect because they don’t arrive through traditional infection vectors.

Microsoft reports that in 2018, Windows enterprise users running potentially unwanted application (PUA) protection saw coin miners on more than 1,800 enterprise machines. The number is expected to increase as organizations keep a closer eye out for these programs.

PUAs are different from Trojanized miners, which are considered malware, and “unwanted software,” which are considered harmful because they change Windows without users’ control. PUA protection, enabled by default in the System Center Configuration Manager, can be configured by security admins with PowerShell cmdlets or Microsoft Intune.

Windows Defender antivirus blocks PUAs when users attempt to install programs meeting certain conditions, researchers explain. These mostly include software bundling programs, browser modifiers, and programs with poor reputations. They increasingly include coin miners, which made up 2% of PUAs in Sept. 2017 and 6% of PUAs in Jan. 2018.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/endpoint/microsoft-report-details-different-forms-of-cryptominers/d/d-id/1331266?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Cryptomining isn’t going to make you rich

Is cryptomining-with-consent the simple alternative to web advertising that some publishers think it is?

For sure, it’s not universally popular, as news site Salon discovered a month ago when it started offering visitors the choice of either turning off their adblocker or allowing the site to run what was identified in pop-ups as Coinhive’s AuthedMine Monero (XMR) miner.

The main reason for the negativity isn’t hard to pin down: to have any chance of being viable on the average PC, Monero cryptomining must grab CPU cycles, which can mean imposing a performance overhead of 25% or more.

Most users will notice this and want to turn it off. But even if they don’t, there is the ethical issue of whether the users who consented understood the implications of handing a chunk of their PC performance to a website to use for its own purposes.

Now a new calculation based on a real-world case study has suggested a more surprising problem – cryptomining might not be profitable enough in the first place.

According to data seen by a group of researchers, a company that embedded Coinhive on 11,000 ‘parked’ domains (i.e. lacking content), for three months generated 0.02417 XMR with a value of $7.69 (£5.50).

Although the average visit time was only 24 seconds, and the number of sessions a modest 105,000, the sum appears a lot less optimistic than Coinhive’s own estimate of 0.3 XMR (currently $78) with “10-20 active miners.”

What counts is how this compares with serving the same pages through a conventional advertising model. This is a matter of conjecture, but the authors reckon:

Freely available web calculator tools suggest we might expect an order or two of magnitude greater for comparable traffic.

Another way to measure the viability of cryptomining is to ask whether it has any chance of covering publishing costs.

The editor of Virus Bulletin, Martijn Grooten, who backed the study’s calculation, tweeted:

So on that on-browser cryptocurrency mining as an alternative to ads, I don’t think you have to calculate hash rates to see that it doesn’t make the site anywhere near enough money.

I think we forget how expensive the average article is and thus how much money has to be (and often is) generated through ads….

Or perhaps – and we’re speculating here – Salon’s decision to give cryptomining a go is simply part of a clever strategy designed to make readers view turning adblockers off in a more positive light.

Some people think it would be better if readers just paid to read articles, for example through schemes such as Google’s Contributor which allows micro-payments. Launched last June, take-up for this so far has been modest, which in turn puts people off because they can’t use their credit on enough sites.

The small paradox of all this is that while publishers struggle, cryptomining in the form of non-consenting cryptojacking continues to be an issue. Surely someone, somewhere is making money out of Monero.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Fi3UemrBS00/

Tweet thieves suspended by Twitter

As BuzzFeed News so nicely put it, the Tweetdeckoning has come.

On Friday, the platform cleared house of a particular kind of leech, suspending several popular accounts known for ripping off other people’s tweets or jokes without crediting the original creator and for making money by retweeting the plagiarized content.

BuzzFeed reported in January that the so-called “tweetdeckers” are youngsters – typically in their teens and 20s – who have huge followings and who are making thousands every month by selling the retweets.

The practice, which is against Twitter’s policy against spam, gets its name from groups called “decks.” To score an invitation to join a deck, accounts usually need a follower count in the tens of thousands.

From Twitter’s spam policy, which defines spam to be, among other things…

…duplicative or substantially similar content, replies, or mentions over multiple accounts or multiple duplicate updates on one account.

Customers – both individuals and brands – pay tweetdeckers for a specified number of retweets to go out across deck member accounts with the aim of ‘going viral’. A single retweet fetches payment in the range of $5-$10. Subscriptions that last a week or month can cost several hundreds of dollars, depending on a given deck’s popularity. Some decks even hand over temporary access to the whole deck, BuzzFeed reports, something like a subscription to unlimited deck retweets.

Back in January, BuzzFeed quoted one tweetdecker who it identified as an 18-year-old from Chicago named Kendrick, or @Simpmild. He said he was making between $3,000 and $5,000 a month, and he pays members of his decks “based on who has the most page activity for the month”.

It’s the simplest thing ever, all you do is have your friends join and you have fun and tweet and make money. It’s the easiest thing ever. No hard work at all.

Kendrick had been running two of his own decks. Following Twitter’s purge, his account was suspended.

Also suspended were popular accounts including @Dory, @GirlPosts, @SoDamnTrue, Girl Code/@reiatabie, Common White Girl/@commonwhitegiri, @teenagernotes, @finah, and @memeprovider. Some had hundreds of thousands or even millions of followers.

After BuzzFeed first reported on tweetdecking in January, Twitter announced new spam-fighting changes to Tweetdeck, including removing the ability to select multiple accounts to automatically tweet, retweet, like or follow.

That’s it, game’s over, a 23-year-old tweetdecker told BuzzFeed when the changes were announced in February:

Tweetdecking is over. Our follower gains are gonna diminish.

And this is an example of how happy many Twitter users were at the idea, as choruses of “Let’s get this #TweetDeckIsOverParty started” sounded throughout the land:


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/7QtYwt_BAWw/

‘Hacked’ Facebook taunt leads to 1-star restaurant reviews

Here’s what typically happens after a particularly heated football match: fist-pumping, “Ya-ya, in yr FACE messages” posted on social media.

But in a classic social media way, the raspberry-blowing got a lot nastier following Sunday’s game between Celtic and Rangers: bitter rivals, both based in Glasgow, UK.

Namely, a post appeared on the Facebook page of a local restaurant owner, making fun of Rangers for losing. Somebody working the Facebook account of Shindy Singh, the boss at the Indian Sizzler, called Rangers “zombie scum” and told the players to “get back into ur graves”, inserting a handful of “laughing until I weep” emojis:

…a post that was picked up by a number of Rangers fan groups, including Rangers on Tour. Fast flew the angry and offensive comments, along with threats to leave bad reviews and to book tables and takeaway in an effort to put some financial hurt on the restaurant.

They weren’t joking. The furious football fans carried through on the threats, leaving a stream of 1-star reviews on the Indian Sizzler’s Google review page. Of course, we can’t tell what’s a valid review, from somebody who actually ate there and wound up with gastroenteritis, vs. the “how DARE you call us zombies” fans, but an awful lot of 1-star reviews sprang up following the game, along with an awful lot of people praising the food in spite of football fury.

Singh posted that he wasn’t responsible for the “zombies” taunt; rather, he was hacked, he said on social media, and he’s alerted police:

This isn’t the first time that people have chosen to punish a business by writing bad reviews of places they’ve never stepped foot in. It happened to a New York restaurant called Feast in 2014. After management had the audacity to ask patrons to take off their Google Glass headwrap while they were dining, a tsunami of bad reviews came in that had nothing to do with food or service but instead focused on the fact that the restaurant was run by “luddites.”

Just as happened to Feast, so too have incensed reviewers reacted to the presumably vengeful 1-star reviews by upvoting the Indian Sizzler. It was up to 4.7 stars as of Tuesday morning.

Both of these and plenty of other tit-for-tat review wars raise issues of ethics, morals, legality, common sense, and privacy. Those are good conversations to have, but at the end of the day, business owners suffer when fan boys and girls use social media as cudgels.

Your team can’t un-lose a football game with all the 1-star reviews in the world. People who can’t take a bit of post-game jeering – be it from Facebook hackers or business owners who just don’t want to see their business tank – should revisit the notion of sportsmanship.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/nIvBog17hAA/

Firefox turns out the lights on two privacy-sucking features

Did you know that the websites you browse can ask your phone how far away your face is from the screen, and that they can determine the ambient light levels of the room you’re in?

No, me neither, and I do this stuff for a living.

The fact is that the web browser you’re using now is stuffed full of exotic, esoteric, somebody-somewhere-will-use-them features of questionable utility.

These features, often APIs (Application Programming Interfaces) that allow websites to act more like native apps, give sites access to some of your device’s most sophisticated capabilities, exposing everything from your GPS, gyroscopes and accelerometers, to proximity and ambient light sensors.

Until recently that list also included access to your battery charge level. It doesn’t now, on Firefox at least, thanks to the work of Lukasz Olejnik and the boldness of the Firefox development team.

The Battery Status API was killed off in late 2016 because, while it had almost no legitimate uptake at all, it became quite popular as a browser fingerprinting technique for cookie-less tracking.

Mozilla’s decision to flense the Battery Status API from Firefox, a move described by Olejnik as “unprecedented”, was a welcome check on the trend to fold ever more complexity (and attack surface) into web browsers.

And now that trend is about to hit another bump.

We’ll soon be losing proximity and ambient data from the list too, on Firefox at least, thanks to… the work of Lukasz Olejnik and the boldness of the Firefox development team!

From Firefox 62 onwards, the legacy APIs for proximity and ambient light, exposed via the devicelight, deviceproximity and userproximity events, will be disabled by default. Websites won’t be able to access them unless you turn them on, and if you want to do that you’ll have to dig them out of Firefox’s UX-challenged configuration graveyard, the about:config screen.

So what’s wrong with these features?

The proximity API, which tells websites how far away the thing nearest a device’s proximity sensor is (typically a hand or face), is being switched off because it could be abused as an identifier for fingerprinting, used to discriminate between users or even used in behavioural profiling.

The ambient light sensor gets the chop because of some eye-catching work by Olejnik demonstrating how it can be abused by a malicious website to leak your browsing history, or to copy images from other sites you’re looking at (a violation of the same-origin policy).

Like many browser history attacks, the ambient light sensor leak leverages the fact that the colour of visited and unvisited links can be controlled.

By displaying visited links as white on black and unvisited links as black on white, a malicious website could cycle through a series of likely URLs, displaying each one in turn and using the changes in ambient light to determine the colour of the screen.

To their credit, developers at Mozilla seem keen to get ahead of these potential privacy issues and have nipped these leaky sensor APIs in the bud, before they’ve become widely used or abused.

The march of progress is relentless though, and both proximity and ambient light data could soon be accessible again via a new Generic Sensor API. The new API is currently being put through its paces and it remains to be seen if Firefox’s latest prohibition will extend to the ambient light and proximity parts of that API, or indeed if it will need to.

No doubt Olejnik will be there to tell us if it should.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/sTMqpXYNmOQ/