Deep Dive on Exchange Vulnerability, Chrome to Block Port 554 & More
...software, where you use Group Policy or MDM to remove admin rights, manage lockdown applications, Java and browsers, and mitigate ransomware, plus more; and also by Goliath Technologies, who help IT pros be proactive and anticipate, troubleshoot and prevent end user experience issues, regardless of where IT workloads or users are located. If you enjoy the show each week, you have them to thank. And now for some news.

So, much like the SolarWinds hack story was like a snowball that just kept gathering pace and gathering more and more snow as it rolled down that hill, this story regarding the Microsoft Exchange Server vulnerability is really gathering pace and escalating quickly. So the first few stories, or the first long story even, are related to that. If you didn't catch last week's episode, last week I reported on a critical vulnerability in Microsoft Exchange that was under active attack by a cyber gang named Hafnium. This week things have snowballed, with a lot more information now available. KrebsOnSecurity.com has reported that more than 30 thousand organizations have been hacked by the vulnerability. They report this is a unique and particularly aggressive Chinese espionage unit, who has hacked businesses across various different verticals and even towns, cities and local governments. If you are on the ball and patched quickly, you may not necessarily be completely protected either: reports suggest there were several mass scan events and that some attackers left web shells behind on servers. These web shells are an easy to use, password protected hacking tool that can be accessed over the internet from any browser.
The web shells give the attackers admin access to any victim's computer servers. MalwareTech on Twitter suggests he confirmed his suspicions that someone is scanning for Exchange web shells left behind by Hafnium and trying to piggyback off them. Once you patch, you need to make sure to find and remove any web shells left behind. Now, luckily, Microsoft have released a free scanner tool that you can use and run against your Exchange servers to ensure that, not only after you've patched are you secure from that standpoint, but also that there are no nasty web shells left behind that are continuing to leave you vulnerable. BleepingComputer.com have reported that other hacking groups have also joined the attack frenzy, making it kind of sound like sharks in a frenzied feed, and the article by BleepingComputer.com also highlights countries with active attacks. Most have not been spared, with the US, UK and Germany looking pretty heavily attacked in the map. BleepingComputer have also shared a pretty cool and useful timeline of events too. This is so bad that Christopher Krebs has suggested, if you have an OWA server exposed on the internet, you should consider a compromise between February 26 and March 3rd. He recommends checking for an 8-character .aspx file within a system_web directory in the inetpub directory. If you find it, you are in incident response mode: you are compromised. One such very large victim is the European Banking Authority, who have now taken down all email systems after their Exchange servers were hacked as part of the ongoing attacks targeting organizations worldwide.
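As an added example that is not part of the podcast and is not Microsoft's scanner tool, here is a PowerShell triage script for the check the episode attributes to Chris Krebs: it lists .aspx files whose base name is exactly eight characters inside any system_web directory below the IIS root, and records creation time and a SHA-256 hash so the files can be preserved for incident response rather than deleted on sight. The C:\inetpub root path and the parameter names are my assumptions; the episode only names the system_web and inetpub directories and the February 26 to March 3 window.

```powershell
# Added example (not from the podcast or from Microsoft's scanner tool):
# list .aspx files with an 8-character base name under any system_web
# directory below the IIS root, the indicator the episode attributes to
# Chris Krebs. The root path is an assumption; adjust it for your install.
# Run on the Exchange server itself, from an elevated prompt.
param(
    [string]$InetpubRoot   = 'C:\inetpub',            # assumed default IIS root
    [datetime]$WindowStart = [datetime]'2021-02-26',  # compromise window from the show
    [datetime]$WindowEnd   = [datetime]'2021-03-03'
)

# Every system_web directory under the root (there may be more than one).
$dirs = Get-ChildItem -Path $InetpubRoot -Directory -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq 'system_web' }

$findings = foreach ($d in $dirs) {
    Get-ChildItem -Path $d.FullName -Filter '*.aspx' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName.Length -eq 8 } |
        ForEach-Object {
            [pscustomobject]@{
                Path     = $_.FullName
                Created  = $_.CreationTimeUtc
                Modified = $_.LastWriteTimeUtc
                # Created inside the window the episode quotes (inclusive of March 3).
                InWindow = ($_.CreationTimeUtc -ge $WindowStart -and
                            $_.CreationTimeUtc -lt $WindowEnd.AddDays(1))
                # Hash so the file can be matched against published indicators later.
                SHA256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

if ($findings) {
    Write-Warning 'Suspicious 8-character .aspx files found; treat the host as compromised and start incident response.'
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No 8-character .aspx files found under system_web directories below $InetpubRoot."
}
```

The script only reports; it does not remove anything, because the files are evidence. Timestamps can be altered by an attacker, so a file outside the window is not cleared by this check, and a clean result from this one indicator is no substitute for running Microsoft's scanner tool the episode links to.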
The EBA is part of the European System of Financial Supervision and it oversees the functioning of the EU banking sector. Forensic experts were engaged and have found no signs of data exfiltration in that case. Many security vendors and Microsoft are confirming reports that a new strain of ransomware is being deployed via the Exchange Server vulnerability, with confirmed cases in the United States, Luxembourg, Indonesia, Ireland, India and Germany, and while there's a somewhat small footprint to this so far, it is growing. When encrypting the files, the attackers append .CRYPT (so dot C-R-Y-P-T) as the extension of the file name, and the ransomware will also prepend the DEARCRY (D-E-A-R-C-R-Y) string to the beginning of each encrypted file. For at least one of the victims, BleepingComputer.com reports, the ransomware group demanded a sixteen thousand dollar ransom. Unfortunately, the ransomware does not appear to have any weaknesses that would allow victims to recover their files for free. So if you were reasonably early and maybe patched at the beginning of this month, at the beginning of March, unfortunately you still may be compromised with those web shells left behind, so it's worth going back and running the scanner tool, which I'll include a link to with this episode, which is episode 167, on fivebytespodcast.com under reference links. It's good to download that and run that against your Exchange servers just to give extra peace of mind. And sorry to Martin, my buddy in the UK, because there are several more stories of vulnerabilities and security related topics; it is a little bit anxiety inducing. But next up, CVE-2021, which is an Internet Explorer memory
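As an added example, not from the podcast or from any vendor write-up, here is a PowerShell hunt for files that carry the two DearCry traits the episode describes: a .CRYPT extension and the DEARCRY string at the very start of the file. The scan root, the assumption that the marker is plain ASCII at offset 0, and the function name Test-DearCryHeader are mine; the episode only gives the extension and the prepended string.

```powershell
# Added example (not from the podcast): find files with a .CRYPT extension
# and check whether they begin with the DEARCRY marker the episode describes.
# The scan root and the ASCII-at-offset-0 assumption are mine, not the show's.
param(
    [string]$Root     = 'C:\',   # assumed scan root; narrow it on large volumes
    [int]$MaxToList   = 50
)

# Marker bytes as the episode spells it out: D-E-A-R-C-R-Y (ASCII assumed).
$marker = [System.Text.Encoding]::ASCII.GetBytes('DEARCRY')

function Test-DearCryHeader {
    param([string]$Path)
    # Read only as many bytes as the marker is long; encrypted files can be huge.
    # FileShare.ReadWrite lets the read succeed even if another process holds the file.
    $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try {
        $buf = New-Object byte[] $marker.Length
        $n = $fs.Read($buf, 0, $buf.Length)
        if ($n -lt $marker.Length) { return $false }
        for ($i = 0; $i -lt $marker.Length; $i++) {
            if ($buf[$i] -ne $marker[$i]) { return $false }
        }
        return $true
    } finally { $fs.Dispose() }
}

$hits = Get-ChildItem -Path $Root -Recurse -File -Filter '*.CRYPT' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $hasHeader = $false
        try { $hasHeader = Test-DearCryHeader -Path $_.FullName } catch { }
        [pscustomobject]@{
            Path      = $_.FullName
            SizeBytes = $_.Length
            Modified  = $_.LastWriteTimeUtc
            HasMarker = $hasHeader
        }
    }

$confirmed = @($hits | Where-Object HasMarker)
Write-Host ('{0} .CRYPT files found, {1} with the DEARCRY header.' -f @($hits).Count, $confirmed.Count)
$confirmed | Sort-Object Modified | Select-Object -First $MaxToList | Format-Table -AutoSize
```

Sorting the confirmed files by modification time gives a rough start of the encryption run, which is useful when correlating with web shell timestamps from the Exchange host. The script reads but never deletes or renames; since the episode notes there is no known weakness that allows free recovery, the files should be preserved for restore-from-backup decisions.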
corruption vulnerability, has also been highlighted this week. It's a pretty severe vulnerability, as an attacker could host a specially crafted website designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website. The attacker could also take advantage of compromised websites, or websites that accept or host user provided content or advertisements, by adding specially crafted content that could exploit the vulnerability. However, in all cases an attacker would have no way to force a user to view the attacker controlled content. Instead, an attacker would have to rely on and convince a user to take action, so kind of like phishing, but the Microsoft security advisory states it is important to patch against this vulnerability. On March 10th, F5 Networks announced four critical CVEs, along with three other related CVEs, two of which were high in severity and one which is medium. These four critical vulnerabilities all rate over 9 out of 10 on the severity scale, and because of the severity of the vulnerabilities F5 recommends that all customers install fixed software as soon as possible. All seven vulnerabilities are fixed in BIG-IP versions 16.011, 220.127.116.11, 14.1.4, 13.1.3.6, 18.104.22.168 and 22.214.171.124, and if you stayed tuned while I was reading out these random version numbers, kudos to you. The CVE-2021-22 vulnerability in particular also affects BIG-IQ, and this is fixed in versions 8, 7.1.03 and 126.96.36.199. So patch your BIG-IP appliances now, and don't forget, if you're using BIG-IQ you need to patch that too. Ryan Naraine, who curates a list of known vulnerabilities and exploits, made a pretty big statement this week. He said, quote, "In my 20 plus years writing about hackers and tracking advanced threats, I've never seen this volume of in the wild zero day exploitation."
End quote. And I could say, just as the host of a very humble small podcast which covers enterprise IT news, so far I'd have to concur: in the three years or so that I have been hosting this podcast, I don't think I've ever covered as many actively exploited vulnerabilities, so it is pretty worrying, and the trends have been there. Things are ramping up big time for phishing attacks, ransomware and all those nasty attack vectors and threats that cyber gangs use, so stay vigilant. BleepingComputer.com has reported that Google plans to block Chrome's access to TCP port 554 to protect against attacks using NAT Slipstreaming version 2 vulnerabilities. Security researchers disclosed a new NAT vulnerability that allows malicious scripts to bypass a website visitor's NAT firewall and access any TCP/UDP port on the visitor's internal network, so that's a pretty big threat. In the past, Google also blocked this port but removed the block after complaints from enterprise users. With the clear and present threat that's currently there, it makes sense for them to take this action. So if you happen to be using port 554 for something in your organization and you're relying on Google Chrome, now is the time to consider changing that port. And if you host a website, then you should switch to a different port to allow visitors to continue accessing your application. I've been having a lot of stories from BleepingComputer.com this week, which is usually a bad sign, but they published that they have received several reports
from people reporting blue screen of death issues when printing on Windows 10 machines with the KB5000802 cumulative update installed. So if you get a blue screen of death and you see the error code APC_INDEX_MISMATCH, then you're being affected by this. While Microsoft have not provided a workaround or suggestion at the time of this recording, BleepingComputer.com reports you can uninstall the patch to prevent further reoccurrences of the blue screen of death. 9to5Google.com has reported that soon Google Voice will no longer forward messages to phones. Some on Twitter had fun suggesting this is yet another case of Google killing a product, but it appears this particular feature may reach its end due to more and more mobile carriers blocking these messages. It's a bummer to lose this feature; I found this very handy, particularly when on call. I don't want to give my personal number for work purposes, so I would set up a virtual number and then have the number forwarded to my personal phone, but I guess that option is going to be going away, at least for Google Voice, in future. Office 365 customers are said to be getting the ability to tag all emails from external recipients to show a warning banner along the top of all emails from outside your organization. I guess it's cool, but I have to say I think such a blanket rule for all external to internal email can be ineffective.
If people see that banner often throughout the day, they may just be inclined to ignore it, but still, having the option is better than not having the option, I guess. So, just as I scripted this week's episode of the podcast, there was a lot of chatter online about Microsoft taking down a GitHub repository belonging to security researchers at ProxyLogon, who shared a sample exploit for the Exchange vulnerabilities. There is outrage from some, as though this is like a big moment and they've basically breached the trust of these security researchers, who just simply want to share their work. But I have to say I agree with MalwareTech on Twitter, who suggests the benefits of posting were greatly outweighed by the risk, and that there were still over 50,000 vulnerable Exchange servers online at the time that he responded. I feel like people can be purists about community and sharing and all this stuff, but reducing risk is worth it, in my opinion. OVH, who is the largest hosting provider in Europe and the third largest in the entire world, suffered from a major fire at one of their data centers in Strasbourg, France this week. OVH customers were being advised at the time to enact their disaster recovery plans after the fire had rendered multiple data centers unserviceable, impacting websites around the world. BleepingComputer.com reports that the main suspect right now is a faulty UPS power supply. It reads like they had some really snazzy thermal cameras, over 300 cameras in total at the site, and can trace back to the cause using those.
Luckily, no one was hurt or killed in the incident, and the company has already procured over 2,000 servers to replace the ones lost, with an expectation to eventually return to the 10,000 server capacity they had within the next several weeks. And to wrap up the news, just a couple of quick hit stories: Microsoft's legacy Edge browser reached end of support this week, so if you haven't moved over to the new Chromium browser yet, now is a good time. And finally, again, please fill in the VDI Like a Pro State of the Union survey if you're using or administering or just working with VDI, or even server based computing for published applications, or what have you. Please take the 10 minutes or 15 minutes or so, whatever, however long it takes (I think it was about 10 minutes to fill in), because that information is really useful for tracking trends within the community.

And now this episode's scripts, tricks and tips. SwiftOnSecurity on Twitter, who's a very good follow if you use Twitter by the way, had a pretty timely, useful short tip reminder: domain admin permissions under your primary account is not something you want. It means it's going to be your name in the logs wiping every computer in your organization. So if you think, oh, it's handy and convenient to just use a domain admin for all my work, nothing's going to block me that way, well, it could come back to bite you in the butt, so best not to do it.
Helge Klein shared a short blog post explaining the WerFault.exe process and how it works. So if you're using Windows, this is a process that gets invoked quite a bit, so it's worth knowing about, and also how you can leverage it for your own troubleshooting purposes. Adam the Automator at adamtheautomator.com shared a pretty cool blog post; it's pretty lengthy too, and gives a great explanation on how to wrap your .ps1, your PowerShell scripts, into an executable. And finally, a very applicable tip, but maybe different to all the other ones I usually share: YourKoreanDad on Twitter, who is another excellent follow by the way (he just posts very wholesome, uplifting content all the time), said that when using hashtags on social media or websites it's a good idea to capitalize each word in the hashtag, as screen readers for those with accessibility challenges, who are maybe hard of seeing or have vision impairment issues and rely on these screen readers, have difficulty because the screen readers aren't able to interpret the text if you use a hashtag that's all lowercase. So he gives the example: he uses the hashtag YourKoreanDad; in that case capitalize the Y, K and D of Your Korean Dad, and then the screen reader is able to read it. Well, that's it for another week.