Microsoft warns of easy Windows domain takeover via Active Directory bugs

Microsoft warned customers today to patch two Active Directory Domain Services privilege escalation security flaws that, when combined, allow attackers to easily take over Windows domains.

The company released security updates to address the two security vulnerabilities (tracked as CVE-2021-42287 and CVE-2021-42278 and reported by Andrew Bartlett of Catalyst IT) during the November 2021 Patch Tuesday.

Redmond’s warning to immediately patch the two bugs — both allowing attackers to impersonate domain controllers — comes after a proof-of-concept (PoC) tool that can leverage these vulnerabilities was shared on Twitter and GitHub on December 11.

“When combining these two vulnerabilities, an attacker can create a straightforward path to a Domain Admin user in an Active Directory environment that hasn’t applied these new updates,” Microsoft explains in an advisory published today.

“This escalation attack allows attackers to easily elevate their privilege to that of a Domain Admin once they compromise a regular user in the domain.

“As always, we strongly advise deploying the latest patches on the domain controllers as soon as possible.”

Windows admins are urged to update devices exposed to attacks using the steps and information detailed in the following knowledgebase articles: KB5008102, KB5008380, KB5008602.

Researchers who tested the PoC stated that they were able to easily use the tool to escalate privileges from a standard Active Directory user to a Domain Admin in default configurations.

CVE-2021-42278 and CVE-2021-42287 exploit tool in action (H*s*m)

How to detect exploitation, signs of compromise

Microsoft has also shared detailed guidance on detecting signs of exploitation in your environment and identifying potentially compromised servers, using a Defender for Identity advanced hunting query that looks for abnormal device name changes.

The step-by-step guide requires defenders to:

  1. The sAMAccountName change detection is based on event 4662. Please make sure to enable it on the domain controllers to catch such activities. Learn more about how to do it here.
  2. Open Microsoft 365 Defender and navigate to Advanced Hunting.
  3. Copy the following query (also available in the Microsoft 365 Defender Advanced Hunting GitHub repository):
     IdentityDirectoryEvents
     | where Timestamp > ago(1d)
     | where ActionType == "SAM Account Name changed"
     | extend FROMSAM = parse_json(AdditionalFields)['FROM SAM Account Name']
     | extend TOSAM = parse_json(AdditionalFields)['TO SAM Account Name']
     | where (FROMSAM has "$" and TOSAM !has "$")
             or TOSAM in ("DC1", "DC2", "DC3", "DC4") // DC Names in the org
     | project Timestamp, Application, ActionType, TargetDeviceName, FROMSAM, TOSAM, ReportId, AdditionalFields
  4. Replace the marked area with the naming convention of your domain controllers.
  5. Run the query and analyze the results, which contain the affected devices. You can use Windows Event 4741 to find the creator of these machines if they were newly created.
  6. We recommend investigating these compromised computers and determining that they haven't been weaponized.
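
To show what the hunting query above actually flags, here is an offline emulation of its logic in Python, run over constructed IdentityDirectoryEvents-style rows and constructed Event 4741 records for the creator lookup in step 5. This is an added example, not Microsoft's code; the DC names are placeholders, and KQL's term-based has/!has on "$" is approximated with substring tests.

```python
"""Offline emulation of the Defender for Identity hunting query above.
Added example, not Microsoft's code; all event rows are constructed samples."""
import json
from datetime import datetime, timedelta, timezone

# Placeholder DC names: replace with your domain controllers' naming convention.
DC_NAMES = {"DC1", "DC2", "DC3", "DC4"}
NOW = datetime(2021, 12, 20, 12, 0, tzinfo=timezone.utc)


def _row(hours_ago, action, from_sam, to_sam, report_id):
    """Build a constructed row shaped like an IdentityDirectoryEvents record."""
    return {"Timestamp": NOW - timedelta(hours=hours_ago), "ActionType": action,
            "TargetDeviceName": "dc1.corp.example", "ReportId": report_id,
            "AdditionalFields": json.dumps({"FROM SAM Account Name": from_sam,
                                            "TO SAM Account Name": to_sam})}


SAMPLE_EVENTS = [
    _row(2, "SAM Account Name changed", "WKS-TEMP$", "DC1", 101),         # renamed to a DC name
    _row(3, "SAM Account Name changed", "WKS-TEMP2$", "WKS-TEMP2", 102),  # machine account lost '$'
    _row(4, "SAM Account Name changed", "LAPTOP-01$", "LAPTOP-02$", 103), # ordinary rename, benign
    _row(5, "Account Password changed", "", "", 104),                     # other ActionType, ignored
    _row(72, "SAM Account Name changed", "OLD$", "DC2", 105),             # outside the 1-day window
]
# Constructed Event 4741 (computer account created) records used for step 5.
SAMPLE_4741 = [{"EventID": 4741, "NewComputerName": "WKS-TEMP$", "Creator": "CORP\\jdoe"}]


def suspicious_sam_changes(events, created=(), dc_names=DC_NAMES,
                           now=NOW, window=timedelta(days=1)):
    """Return the rows the KQL query would project, plus the 4741 creator when known."""
    creators = {c["NewComputerName"]: c["Creator"] for c in created if c["EventID"] == 4741}
    hits = []
    for ev in events:
        if ev["Timestamp"] <= now - window:                  # | where Timestamp > ago(1d)
            continue
        if ev["ActionType"] != "SAM Account Name changed":   # | where ActionType == ...
            continue
        fields = json.loads(ev["AdditionalFields"])          # parse_json(AdditionalFields)
        from_sam = fields.get("FROM SAM Account Name", "")
        to_sam = fields.get("TO SAM Account Name", "")
        reasons = []
        if "$" in from_sam and "$" not in to_sam:            # FROMSAM has "$" and TOSAM !has "$"
            reasons.append("machine account dropped '$'")
        if to_sam in dc_names:                               # TOSAM in (DC names)
            reasons.append("renamed to a DC name")
        if reasons:
            hits.append({"Timestamp": ev["Timestamp"], "TargetDeviceName": ev["TargetDeviceName"],
                         "FROMSAM": from_sam, "TOSAM": to_sam, "ReportId": ev["ReportId"],
                         "Reason": "; ".join(reasons), "Creator": creators.get(from_sam)})
    return hits


if __name__ == "__main__":
    for hit in suspicious_sam_changes(SAMPLE_EVENTS, SAMPLE_4741):
        print(hit)
```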

“Our research team continues its effort in creating more ways to detect these vulnerabilities, either with queries or out-of-the-box detections,” Microsoft added.

Police arrests ransomware affiliate behind high-profile attacks

Romanian law enforcement authorities arrested a ransomware affiliate suspected of hacking and stealing sensitive info from the networks of multiple high-profile companies worldwide, including a large Romanian IT company with clients from the retail, energy, and utilities sectors.

The 41-year-old Romanian national was arrested Monday morning at his home in Craiova, Romania, by the DIICOT (the Romanian Directorate for Investigating Organized Crime and Terrorism) and judicial police officers, on suspicions of unauthorized access to a computer system, unauthorized transfer of computer data, illegal interception of a computer transmission, and blackmail.

“The suspect, through various methods, managed to gain access to the computer networks of some companies (medium and large) in Romania, but also in other states, from where he extracted large volumes of data,” DIICOT said.

“The suspect would then ask for a sizeable ransom payment in cryptocurrency, threatening to leak the stolen data on cybercrime forums should his demands not be met,” Europol added.

According to the Romanian National Police, the apprehended ransomware affiliate stole a wide range of sensitive info from his targets’ systems, including companies’ financial information, employees’ personal information, and customers’ details.

DIICOT carried out the investigation in the European Multidisciplinary Platform Against Criminal Threats (EMPACT) framework with the help of the FBI and Europol’s EC3.

Europol announcement

Follows arrests of REvil and GandCrab affiliates

It’s not currently known which ransomware gang the suspect was working with, the only detail being that the hacker was targeting high-profile companies.

This lines up with previous arrests made by Romanian law enforcement last month, on November 8, when they apprehended two suspects believed to be Sodinokibi/REvil ransomware affiliates.

The same day, Kuwaiti authorities also arrested a GandCrab ransomware affiliate; the three suspects are believed to be behind roughly 7,000 attacks and to have demanded over €200 million in ransoms.

“All these arrests follow the joint international law enforcement efforts of identification, wiretapping and seizure of some of the infrastructure used by Sodinokibi/REvil ransomware family, which is seen as the successor of GandCrab,” Europol said.

US Deputy Attorney General Lisa Monaco also said in a November interview with the Associated Press that the US will crack down on ransomware activity.

While the core ransomware gang operators are still safe in Russia, these recent arrests show that law enforcement worldwide is now disrupting their Ransomware-as-a-Service (RaaS) operations by arresting affiliates located all over the world.

SonicWall ‘strongly urges’ customers to patch critical SMA 100 bugs

SonicWall ‘strongly urges’ organizations using SMA 100 series appliances to immediately patch them against multiple security flaws rated with CVSS scores ranging from medium to critical.

The bugs (reported by Rapid7’s Jake Baines and NCC Group’s Richard Warren) impact SMA 200, 210, 400, 410, and 500v appliances even when the web application firewall (WAF) is enabled.

The highest severity flaws patched by SonicWall this week are CVE-2021-20038 and CVE-2021-20045, two critical stack-based buffer overflow vulnerabilities that can let remote unauthenticated attackers execute code as the ‘nobody’ user on compromised appliances.

Other bugs patched by the company on Tuesday enable authenticated threat actors to gain remote code execution, inject arbitrary commands, or upload crafted web pages and files to any directory in the appliance following successful exploitation.

However, the most dangerous one if left unpatched is CVE-2021-20039. This high severity security issue can let authenticated attackers inject arbitrary commands as the root user leading to a remote takeover of unpatched devices.

Luckily, SonicWall says that it hasn’t yet found any evidence that any of these security vulnerabilities are being exploited in the wild.

CVE             Summary                                                                               CVSS Score
CVE-2021-20038  Unauthenticated Stack-based Buffer Overflow                                           9.8 High
CVE-2021-20039  Authenticated Command Injection Vulnerability as Root                                 7.2 High
CVE-2021-20040  Unauthenticated File Upload Path Traversal Vulnerability                              6.5 Medium
CVE-2021-20041  Unauthenticated CPU Exhaustion Vulnerability                                          7.5 High
CVE-2021-20042  Unauthenticated “Confused Deputy” Vulnerability                                       6.3 Medium
CVE-2021-20043  getBookmarks Heap-based Buffer Overflow                                               8.8 High
CVE-2021-20044  Post-Authentication Remote Code Execution (RCE)                                       7.2 High
CVE-2021-20045  Multiple Unauthenticated File Explorer Heap-based and Stack-based Buffer Overflows    9.4 High

“SonicWall urges impacted customers to implement applicable patches as soon as possible,” the company says in a security advisory published Tuesday.

Customers using SMA 100 series appliances are advised to immediately log in to their MySonicWall.com accounts to upgrade the firmware to versions outlined in this SonicWall PSIRT Advisory.

Upgrade assistance on how to upgrade the firmware on SMA 100 appliances is available in this knowledgebase article or by contacting SonicWall’s support.

To put the importance of patching these security flaws into perspective, SonicWall SMA 100 appliances have been targeted by ransomware gangs multiple times since the start of 2021.

For instance, Mandiant said in April that the CVE-2021-20016 SMA 100 zero-day was exploited to deploy a new ransomware strain known as FiveHands, starting in January, when it was also used to target SonicWall’s internal systems. Before patches were released in late February 2021, the same bug was abused indiscriminately in the wild.

In July, SonicWall also warned of the increased risk of ransomware attacks targeting unpatched end-of-life SMA 100 series and Secure Remote Access products. However, CrowdStrike, Coveware security researchers, and CISA warned that SonicWall appliances were already targeted by HelloKitty ransomware.

SonicWall’s products are used by over 500,000 business customers from 215 countries and territories worldwide, many deployed on the networks of the world’s largest companies and government agencies.

Microsoft previews new endpoint security solution for SMBs

Microsoft Defender for Business, a new endpoint security solution specially built for small and medium-sized businesses (SMBs), is now rolling out in preview worldwide.

It helps businesses with up to 300 employees defend against cybersecurity threats, including ransomware, malware, and phishing, across Windows, macOS, iOS, and Android devices.

It has a simplified client configuration via wizard-driven setup, and it comes with all recommended security policies enabled out-of-the-box, which makes it simple to use even by organizations without a dedicated security team.

Microsoft first announced Defender for Business last month and released it in response to the 300% increase in ransomware attacks in the previous year, with over 50% of them directly impacting SMBs, according to US Secretary of Homeland Security Alejandro Mayorkas.

Microsoft says the new enterprise-grade endpoint security solution for SMBs is rolling out worldwide to customers and IT partners who request access by signing up here.

After it reaches general availability, Defender for Business will be available directly from Microsoft and Microsoft Partner Cloud Solution Provider (CSP) channels at $3 per user per month, through a standalone license or included within Microsoft 365 Business Premium.

Defender comparison of capabilities (Microsoft)

“Once you’ve completed the sign-up process our team will evaluate your request and respond using the details you provided in the request form. Roll out of preview is gradual to customers and partners requesting the preview,” said Jon Maunder, a Senior Product Marketing Manager at Microsoft.

“We will onboard an initial set of customers and partners in the coming weeks and will expand the preview leading up to general availability.

“When you have a preview trial license, please visit Microsoft Defender for Business documentation for information about how to onboard devices, configure settings, and ongoing security management based on the preview scenarios.”

Key features bundled with Microsoft Defender for Business include:

  • Simplified deployment and management for IT administrators who may not have the expertise to address today’s evolving threat landscape.
  • Next-generation antivirus protection and endpoint detection and response to detect and respond to sophisticated attacks with behavioral monitoring.
  • Automated investigation and remediation to help customers react quickly to threats.
  • Threat and vulnerability management proactively alerts users to weaknesses and misconfigurations in software.
  • Microsoft 365 Lighthouse integration with Microsoft Defender for Business for IT service providers to view security events across customers, with additional capabilities coming.

Finland warns of Flubot malware heavily targeting Android users

Finland’s National Cyber Security Centre (NCSC-FI) has issued a “severe alert” to warn of a massive campaign targeting the country’s Android users with Flubot banking malware pushed via text messages sent from compromised devices.

This is the second large-scale Flubot campaign to hit Finland this year; a previous series of attacks spammed thousands of Finns with SMS messages each day between early June and mid-August 2021.

Just as over the summer, the new spam campaign uses a voicemail theme, asking the targets to open a link that would supposedly let them access a voicemail or a message from their mobile operator.

Instead of a voicemail, however, the SMS recipients are redirected to malicious sites pushing APK installers that deploy the Flubot banking malware on their Android devices.

Targets using iPhones or other devices are simply redirected to other fraudulent and likely malicious pages, such as phishing landing pages that attempt to harvest their credit card details.

“According to our current estimate, approximately 70,000 messages have been sent in the last 24 hours. If the current campaign is as aggressive as the one in the summer, we expect the number of messages to increase to hundreds of thousands in the coming days. There are already dozens of confirmed cases where devices have been infected,” the Finnish National Cyber Security Centre said in the alert issued on Friday.

“We managed to almost completely eliminate FluBot from Finland at the end of summer thanks to cooperation among the authorities and telecommunications operators. The currently active malware campaign is a new one, because the previously implemented control measures are not effective,” said NCSC-FI information security adviser Aino-Maria Väyrynen.

Android users who receive Flubot spam messages are advised not to open the embedded links or download the files shared via the link to their smartphones.

Android banking malware goes global

This banking malware (also known as Fedex Banker and Cabassous) has been active since late 2020 and is used to steal banking credentials, payment information, text messages, and contacts from infected devices.

Initially, the botnet mainly targeted Android users from Spain. However, it has now expanded to target additional European countries (Germany, Poland, Hungary, UK, Switzerland) and Australia and Japan in recent months, even though the Catalan police reportedly arrested the gang’s leaders back in March.

After infecting an Android device, Flubot spreads to others by spamming text messages to stolen contacts and instructing the targets to install malware-ridden apps in the form of APKs. Last month, Flubot also began tricking its victims into infecting themselves using fake security update warnings about Flubot infections.

Once deployed on a new device, it attempts to trick victims into granting it additional permissions and access to the Android Accessibility service, which allows it to hide and execute malicious tasks in the background.

It then takes over the infected device and gains access to the victims’ payment and banking info via webview phishing pages overlaid on top of legitimate mobile banking and cryptocurrency apps’ interfaces.

Flubot also exfiltrates the address book to the command-and-control server (with the contacts later sent to other Flubot bots for pushing spam), reads SMS messages, makes phone calls, and monitors system notifications for app activity.

Those who have infected their devices with Flubot malware are recommended to take the following measures:

  • Perform a factory reset on the device. If you restore your settings from a backup, make sure you restore from a backup created before the malware was installed.
  • If you used a banking application or handled credit card information on the infected device, contact your bank.
  • Report any financial losses to the police.
  • Reset your passwords on any services you have used with the device. The malware may have stolen your password if you have logged in after you installed the malware.
  • Contact your operator, because your subscription may have been used to send text messages subject to a charge. The currently active malware for Android devices spreads by sending text messages from infected devices.