Internet Browsers Blocking Some Ports Due To Security Vulnerabilities

If you rely on TCP port 554, you’ll probably want to do a bit of reconfiguration.

In late 2020, security researchers disclosed an attack they called NAT Slipstreaming, and in January 2021 a second version followed. A malicious web page uses the visitor's own browser to emit traffic that the NAT device's application-level gateway (the helper that rewrites protocols such as SIP or H.323) mistakes for a legitimate session, which opens a path through the visitor's NAT or firewall to any TCP or UDP port on devices on the internal network. That is why the ports browsers have blocked in response are ones that NAT devices commonly run such helpers for.

If this issue sounds vaguely familiar, it's because this isn't the first time it has come up. When the first version was reported, Google shipped Chrome 87, which began blocking HTTP and HTTPS access to TCP ports 5060 and 5061. Then in January of this year (2021), after the second version, Google expanded the list, blocking HTTP, HTTPS and FTP access to ports 69, 137, 161, 1719, 1720, 1723 and 6566 as well.

Google had also blocked port 554 earlier, but when it first did so it received pushback from enterprise users who relied on the port and asked that it be unblocked. Google obliged at the time, but has now reversed course, and port 554 is back on the blocked list.

It should also be noted that Google isn't alone. Besides Chrome 89, Firefox 84 and later and Apple's Safari already block port 554. So if you host a website or web application on any of the ports mentioned above, you need to move it: either serve it on a port that is not on the list, or put it behind a reverse proxy on a standard port such as 443. Note that the block applies only to URLs a browser itself fetches over HTTP, HTTPS or FTP; a dedicated client such as an RTSP player connecting to port 554 is unaffected. If you don't currently use any of those ports there's nothing to do. If you're not sure, you will be soon enough, because you're apt to get complaints from users who can no longer reach your site or whatever web-based application relies on it.
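As an added example (not the article's own code), here is a small Python audit script that applies the per-scheme rule described above to a list of URLs: it fills in default ports, skips schemes the block does not cover, and reports what has to move. The table holds only the ports the article names, and the hostnames in the demo inventory are made up.

```python
"""Audit a URL inventory for ports that browsers now refuse to fetch.

Added example, not code from the original article. The table below is only the
ports the article names: 5060 and 5061 (blocked for http/https since Chrome 87)
and 69, 137, 161, 554, 1719, 1720, 1723 and 6566 (blocked for http/https/ftp in
Chrome 89, Firefox 84+ and Safari). Browsers keep longer lists and extend them,
so treat this as a snapshot, not the authoritative list.
"""
from urllib.parse import urlsplit

# Blocked only for http:// and https:// (the Chrome 87 change).
BLOCKED_HTTP_ONLY = {5060, 5061}
# Blocked for http://, https:// and ftp:// (the later change that also re-added
# port 554 after its temporary unblocking for enterprise users).
BLOCKED_HTTP_AND_FTP = {69, 137, 161, 554, 1719, 1720, 1723, 6566}
# Schemes the block applies to, with their default ports. Anything else (rtsp://
# on 554, for example) is fetched by a dedicated client, not the browser.
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


def effective_port(url):
    """Return (scheme, host, port) with the scheme's default port filled in.

    Browsers check the port they will actually connect to, so "http://h/" and
    "http://h:80/" are the same case. Raises ValueError for schemes outside the
    block or for malformed ports.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"scheme {scheme!r} is not subject to the browser port block")
    port = parts.port  # None when absent; ValueError if outside 0-65535
    if port is None:
        port = DEFAULT_PORTS[scheme]
    return scheme, parts.hostname, port


def is_blocked(url):
    """True if the major browsers will refuse to fetch this URL."""
    scheme, _host, port = effective_port(url)
    if port in BLOCKED_HTTP_ONLY:
        return scheme in ("http", "https")
    return port in BLOCKED_HTTP_AND_FTP


def audit(urls):
    """Map each affected URL in the inventory to a short reason.

    URLs a browser would not fetch anyway (other schemes) are skipped rather
    than reported, because moving them gains nothing. Malformed URLs are
    reported so they are not silently lost.
    """
    findings = {}
    for url in urls:
        if urlsplit(url).scheme.lower() not in DEFAULT_PORTS:
            continue
        try:
            scheme, host, port = effective_port(url)
        except ValueError as exc:
            findings[url] = f"malformed: {exc}"
            continue
        if is_blocked(url):
            findings[url] = (f"{scheme} on port {port} is on the browser block list; "
                             f"serve it on another port or put {host} behind a reverse "
                             f"proxy on {DEFAULT_PORTS['https']}")
    return findings


if __name__ == "__main__":
    # Constructed inventory for demonstration; hostnames are made up.
    inventory = [
        "http://cams.example.internal:554/live/",      # RTSP port served over HTTP
        "https://pbx.example.internal:5061/admin",     # SIP-TLS port
        "ftp://files.example.internal:5060/",          # 5060 is http/https-only
        "rtsp://cams.example.internal:554/stream",     # dedicated client, unaffected
        "https://www.example.com/",                    # default 443, fine
    ]
    for url, reason in audit(inventory).items():
        print(f"{url}\n    {reason}")
```

Run it against the list of URLs your users are given (link inventory, bookmarks, monitoring dashboards) rather than against server configuration, because it is the URL in the browser, not the listening socket, that gets refused.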

Despite some back and forth on the matter, this appears to be the path forward. So kudos to Mozilla, Google and Apple for getting on the same page and putting a halt to the threat, even if it took a bit longer than usual for the major forces in the browser ecosystem to align.

Now Hackers Are Attacking Exchange Server Vulnerabilities

On March 2 of this year (2021), Microsoft disclosed four zero-day vulnerabilities in on-premises Exchange Server that were already being actively exploited. Microsoft attributed the attacks to a threat group it tracks as HAFNIUM, which it assesses to be state-sponsored and operating out of China.

Security journalist Brian Krebs, citing sources briefed on the investigation, reported that at least 30,000 organizations in the United States had already been compromised, and other estimates put the global figure closer to 60,000.

HAFNIUM was the first group seen exploiting these flaws. However, there is a growing body of evidence that the more recent attacks come from other groups as well, which means that word has gotten out.

If there's a silver lining to be found in this news, it lies in the fact that Microsoft moved quickly and issued out-of-band security updates that address all four issues. Unfortunately, the speed at which organizations apply security patches varies wildly, and at present large numbers of Exchange servers around the world are still exposed to these attacks.

If you use Exchange Server, you owe it to yourself to make sure you've got the latest security update installed. Keep in mind that patching closes the hole but does not evict an attacker who already came through it: anyone who was exposed before patching should also check for web shells and other signs of compromise.

For your reference, the four flaws addressed by the patch are as follows:

  • CVE-2021-26855: CVSS 9.1: A server-side request forgery (SSRF) vulnerability that lets an unauthenticated attacker send crafted HTTP requests and authenticate as the Exchange server. The server needs to accept untrusted connections on port 443 for the bug to be triggered.
  • CVE-2021-26857: CVSS 7.8: An insecure deserialization vulnerability in the Exchange Unified Messaging service that allows running code as SYSTEM. Exploiting it requires administrator permission, or it must be chained with another vulnerability (such as CVE-2021-26855) or used with stolen credentials.
  • CVE-2021-26858: CVSS 7.8 and CVE-2021-27065: CVSS 7.8: Post-authentication arbitrary file write vulnerabilities. An attacker who has authenticated to the Exchange server, whether by exploiting CVE-2021-26855 or with stolen administrator credentials, can use them to write a file to any path on the server.

This is a serious issue that could have catastrophic ripple effects. Again, if you use Exchange Server, check your patch status right away.
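As an added example, not Microsoft's own tooling: a Python helper that decides whether an Exchange build carries the March 2021 security update. The subtle point it encodes is that the fix ships as a security update (SU) for specific cumulative updates (CUs), so a simple "is the build number higher?" test is wrong: a server on 2019 CU7 with the SU is patched, while a server on the newer CU8 without it is not. The build numbers are the ones I recall from Microsoft's March 2021 release notes; confirm them against the current Microsoft advisory before relying on them. Feed it the file version of ExSetup.exe (for example from "Get-Command ExSetup.exe | ForEach-Object { $_.FileVersionInfo }" in the Exchange Management Shell), because the AdminDisplayVersion that Get-ExchangeServer reports reflects only the CU and does not change when an SU is installed. Server names and builds in the demo inventory are constructed.

```python
"""Classify Exchange servers as patched or not for the March 2021 security update.

Added example; not Microsoft's tooling. Build numbers are as recalled from
Microsoft's March 2021 release notes and are an assumption to verify against
the current advisory before use.
"""
import re

# CU branch (major, minor, cu_build) -> first revision in that branch that
# includes the fix. A branch missing here either needs a CU upgrade first or
# post-dates this table; either way it is not assumed safe.
PATCHED_BUILDS = {
    (15, 2, 792): 10,    # Exchange Server 2019 CU8  -> 15.2.792.10
    (15, 2, 721): 13,    # Exchange Server 2019 CU7  -> 15.2.721.13
    (15, 1, 2176): 9,    # Exchange Server 2016 CU19 -> 15.1.2176.9
    (15, 1, 2106): 13,   # Exchange Server 2016 CU18 -> 15.1.2106.13
    (15, 0, 1497): 12,   # Exchange Server 2013 CU23 -> 15.0.1497.12
}


def parse_build(text):
    """Turn '15.2.792.10' (ExSetup.exe file version) or
    'Version 15.2 (Build 792.10)' (AdminDisplayVersion) into a 4-tuple."""
    nums = re.findall(r"\d+", text)
    if len(nums) != 4:
        raise ValueError(f"not an Exchange build string: {text!r}")
    return tuple(int(n) for n in nums)


def patch_status(build_text):
    """Return 'patched', 'unpatched' or 'unsupported-cu' for one server."""
    major, minor, cu, revision = parse_build(build_text)
    branch = (major, minor, cu)
    if branch not in PATCHED_BUILDS:
        return "unsupported-cu"
    # Same CU branch: the revision alone says whether the SU is present. A naive
    # comparison against a single "minimum build" would wrongly pass a newer CU
    # that has not had the SU applied.
    return "patched" if revision >= PATCHED_BUILDS[branch] else "unpatched"


def triage(inventory):
    """inventory: {server_name: build_text}. Return {status: [server, ...]}."""
    groups = {"patched": [], "unpatched": [], "unsupported-cu": []}
    for name, build in sorted(inventory.items()):
        groups[patch_status(build)].append(name)
    return groups


if __name__ == "__main__":
    # Constructed inventory; server names and builds are illustrative.
    fleet = {
        "EXCH01": "15.2.721.13",   # 2019 CU7 with the March SU
        "EXCH02": "15.2.792.3",    # 2019 CU8 without it: newer build, still exposed
        "EXCH03": "15.1.2176.9",   # 2016 CU19 with the SU
        "EXCH04": "15.1.2044.4",   # 2016 CU17: no SU for this branch, upgrade first
    }
    for status, servers in triage(fleet).items():
        print(f"{status:15} {', '.join(servers) or '-'}")
```

Anything that lands in "unsupported-cu" needs a CU upgrade before the SU can even be applied, which is the slowest case and the one worth starting first.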

New Windows Server 2022 Includes Security Improvements

Recently, Microsoft announced the particulars of Windows Server 2022, and there's a lot to like in terms of built-in protections, which is welcome news even if you're not especially concerned about security.

Here's a quick overview of what you can expect: First and foremost, Server 2022 will incorporate the "Secured-core" technology already in use on the PC market, adding a layer of protection against the growing number of firmware-level threats.

Combined with Secured-core, the new platform will offer:

  • Greater Connection Security – Server 2022 will have TLS (Transport Layer Security) 1.3 enabled by default. TLS 1.3 removes obsolete cryptographic algorithms, closes weaknesses found in older versions and encrypts as much of the handshake between devices as possible. As the latest version of the internet's most widely deployed security protocol, this is a great thing indeed. One caveat: TLS 1.2 stays enabled alongside it, and older clients and middleboxes that don't speak 1.3 will keep negotiating 1.2, so check what your fleet actually negotiates before assuming you're covered.
  • Better Account Support For Containers – Containers are the building blocks of a wide range of applications and services. Today, anyone who wants to use Group Managed Service Accounts (gMSA) from a container must domain join the container host, and that leaves many organizations running into scalability and management problems. Server 2022 extends gMSA support to containers without requiring the host to be domain joined, which should streamline and simplify things on that front.
  • Enhanced Exploit Protection – Hardware is playing an increasing role in exploit mitigation, and Server 2022 takes advantage of it. That includes support for the latest chipset security extensions, Control-flow Enforcement Technology (CET) and hardware-enforced stack protection (shadow stacks), which make return-oriented programming and similar control-flow hijacking attacks far harder and leave your server better able to resist all but the most determined attackers.

Naturally, there's no such thing as a perfectly secure system, and even if one were invented, you can bet it wouldn't take the hackers of the world long to find a hole in it.

Nonetheless, these are tremendously good improvements that will make you safer and more secure. In a dangerous and imperfect world, that’s saying a lot. Kudos to Microsoft.

New Ryuk Ransomware Function Spreads Across Networks Quickly

In terms of ransoms collected, Ryuk is one of the most successful strains of ransomware in use today, having netted an estimated $150 million for the group behind it.

According to a recent report published by France's national cybersecurity agency (ANSSI), it just got even more dangerous.

Ryuk has historically been used preferentially against hospitals and companies closely tied to the healthcare industry, which is especially malicious during the ongoing pandemic. With its newly discovered capabilities, hospitals around the world are in even more danger.

ANSSI's analysts discovered a new Ryuk variant with a worm-like capability: it can self-replicate to other Windows hosts it can reach on the same network as an infected machine, without the operators driving each hop by hand. This lets the latest version spread rapidly across any network it gains a foothold in, and it makes containment much harder once it is inside.

If there's a silver lining, it lies in the fact that hospitals have gotten significantly better at ensuring their backups are robust and taken at regular intervals. Even so, if a hospital network is shut down because most of the computers on it have had their files encrypted, it can put lives at risk in a way that a manufacturing plant or a financial firm simply doesn't. That makes the risks, and the stakes, even higher.

Ryuk operators typically gain their initial foothold in one of a few ways: phishing emails carrying a loader such as TrickBot or BazarLoader, exposed remote-access services such as RDP, or unpatched vulnerabilities in internet-facing systems. This is perhaps another silver lining, because each of those is something IT managers can control. The lesson is simple: If you stay current on patches and security updates, lock down remote access and train staff to recognize phishing, you're less likely to fall victim to a Ryuk attack. It's not perfect protection, obviously, but anything that's easy and inexpensive to do that reduces your risk is well worth doing. The question then is simply this: Is your network running all the latest security patches? If you're not sure, make finding out a priority.

New Ransomware Strains Have Researchers On Their Toes

Recently, researchers discovered two new ransomware strains, dubbed "AlumniLocker" and "Humble", which take very different approaches to extortion.

This highlights the ongoing development and diversification of the larger ransomware threat and underscores the fact that it will be a major cause for concern in the years ahead.

Both new strains were discovered by researchers at Trend Micro. AlumniLocker appears to be a new variant of the Thanos ransomware. Although new to the game, it is notable for its exorbitant ransom demands: in one recent attack, as much as $450,000, payable in Bitcoin.

AlumniLocker

This one is delivered by fairly conventional means: a malicious PDF that purports to be an invoice, attached to phishing emails in the hope of luring unsuspecting victims into opening it. As is increasingly the case in ransomware attacks, AlumniLocker's controllers threaten to publish stolen data if their demands are not met within 48 hours.

There are two competing theories about the high ransom demands. One is that the group behind the new strain isn't in it for the money so much as for the damage that publication of the data may cause. If they get a payout, great. If the price proves too high and a company balks, they still get to inflict pain by publishing sensitive and proprietary data.

The other is that the group is just starting out and still finding its footing, and hasn't yet found the "sweet spot": a demand low enough that a desperate company will readily pay it but high enough to earn consistent, easy profits.

Humble

This one is quite different. Although it is distributed in much the same way, its ransom demands are quite low, stunningly low in fact: in some cases as little as $10, again payable in Bitcoin. This has led researchers to conclude that Humble is meant to target end users rather than large organizations, or, if the hackers shift gears and begin targeting organizations, we should expect the ransom amount to increase considerably.

Another feature that makes Humble stand out is that it pressures victims into paying by threatening to overwrite the machine's Master Boot Record, which would render it unbootable. Also of interest, it uses Discord (a voice, text and video chat service) to send reports back to its controllers, so its command traffic blends in with a legitimate and widely used service.
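As an added example (not Trend Micro's detection logic), here is a Python hunt over proxy logs for the Discord reporting behaviour. Discord webhooks are plain HTTPS POSTs to https://discord.com/api/webhooks/<id>/<token> (discordapp.com is the older hostname), so a workstation POSTing to that path from something that is not a browser or the Discord desktop app deserves a look. The log layout, the user-agent heuristic and every log line below are constructed for the example.

```python
"""Hunt a proxy log for Discord webhook reporting from non-interactive clients.

Added example, not Trend Micro's logic. Log format (CSV: time, client_ip,
method, url, user_agent, status) and the user-agent heuristic are assumptions;
the sample lines are constructed, not real traffic.
"""
import csv
import io
from urllib.parse import urlsplit

WEBHOOK_HOSTS = {"discord.com", "discordapp.com"}
WEBHOOK_PATH = "/api/webhooks/"
# Assumption: markers a browser or the Discord desktop client would carry in its
# user agent. Anything else (python-requests, curl, an empty UA) is scripted.
INTERACTIVE_UA_MARKERS = ("Mozilla/", "discord/")

# Constructed sample log; IPs, webhook IDs and tokens are made up.
SAMPLE_LOG = """\
2021-03-10T09:14:02Z,10.0.5.21,GET,https://discord.com/api/v9/gateway,Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/89.0,200
2021-03-10T09:14:05Z,10.0.5.21,POST,https://discord.com/api/webhooks/812345678901234567/AbCdEf,Mozilla/5.0 (Windows NT 10.0; Win64; x64) discord/0.0.309,204
2021-03-10T09:15:11Z,10.0.5.37,POST,https://discord.com/api/webhooks/812345678901234567/AbCdEf,python-requests/2.25.1,204
2021-03-10T09:15:40Z,10.0.5.44,POST,https://discordapp.com/api/webhooks/798765432109876543/XyZ,-,204
2021-03-10T09:16:00Z,10.0.5.50,GET,https://www.example.com/,Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/86.0,200
"""


def is_webhook_post(method, url):
    """True for an HTTP POST to a Discord webhook endpoint."""
    parts = urlsplit(url)
    return (method.upper() == "POST"
            and parts.hostname in WEBHOOK_HOSTS
            and parts.path.startswith(WEBHOOK_PATH))


def webhook_id(url):
    """Extract the numeric webhook ID; it ties separate hosts to one operator."""
    return urlsplit(url).path[len(WEBHOOK_PATH):].split("/", 1)[0]


def severity(user_agent):
    """'high' for scripted or absent user agents, 'medium' for interactive ones."""
    ua = user_agent.strip()
    if not ua or ua == "-":
        return "high"
    return "medium" if any(m in ua for m in INTERACTIVE_UA_MARKERS) else "high"


def hunt(log_text):
    """Return one finding per webhook POST, in log order."""
    findings = []
    for time, client, method, url, ua, _status in csv.reader(io.StringIO(log_text)):
        if is_webhook_post(method, url):
            findings.append({"time": time, "client": client,
                             "webhook_id": webhook_id(url),
                             "severity": severity(ua), "user_agent": ua})
    return findings


def by_webhook(findings):
    """Group client IPs by webhook ID: several hosts on one ID is a campaign."""
    groups = {}
    for f in findings:
        groups.setdefault(f["webhook_id"], set()).add(f["client"])
    return groups


if __name__ == "__main__":
    results = hunt(SAMPLE_LOG)
    for f in results:
        print(f"{f['severity']:6} {f['time']} {f['client']} webhook={f['webhook_id']} ua={f['user_agent']!r}")
    for wid, clients in by_webhook(results).items():
        print(f"webhook {wid}: {len(clients)} client(s) -> {sorted(clients)}")
```

Legitimate automation (CI bots, monitoring) also posts to webhooks, so baseline the servers that are supposed to do it and focus on workstations; the grouping by webhook ID is what separates one misconfigured integration from several endpoints reporting to the same operator.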

If you have yet to encounter either of these new threats, stay tuned. It’s probably just a matter of time, so stay on your guard.