Intel Users Should Update Firmware To Avoid This Ransomware

Not long ago, researchers at Eclypsium got a lucky break.  An unknown and unidentified individual began leaking communications from inside the Conti ransomware organization.

These leaked communications seemed to confirm what has long been suspected:  That there are strong ties between the Conti gang and Russia’s FSB (military intelligence).

This sounds like something right out of a spy movie, but it’s not.  The leaked messages indicate that several members of the Conti gang have been actively working on developing a new attack vector that specifically targets Intel firmware, allowing Conti to launch its ransomware attack.  Some of the black hat developers even went so far as to develop a working proof of concept for others to review.

Firmware attacks are fairly rare, but they do happen.  To pull one off, the attacker would first need to access the system via a conventional inroad, for example a phishing email through which the victim unwittingly gives the hackers access, or by exploiting some other known vulnerability.

In one particularly exotic scenario, they could even make this attack work without prior access. They can do this by leveraging Intel’s Management Engine to force the target machine to reboot, then supply virtual media to draw from on the reboot.

It’s unlikely and would take a tremendous amount of skill, but Conti has shown in recent months that they have the expertise to pull something like that off.

Fortunately, word of the new attack vector has gotten out, the details have made their way to Intel, and Intel has updated their firmware.

If you’re using an Intel machine, you should grab the latest update as soon as possible.  Conti is a well-known, notorious gang with ties to Russia.  You don’t want your company in their crosshairs, so do everything you can to minimize that risk.

The Windows Follina Vulnerability Has A Temporary Fix

File this away under “good news, bad news.”

The bad news is that there’s a new, critical zero-day threat to be concerned about.  The threat has been dubbed ‘Follina.’

It is being tracked as CVE-2022-30190 and is being described by Microsoft as an MSDT (Microsoft Windows Support Diagnostic Tool) remote code execution flaw that impacts all versions of Windows still getting security updates, including Windows 7+ and Server 2008+.

It’s a serious bug that puts your system at risk. Even worse, Microsoft doesn’t currently have a patch to fix it, although it has issued a bulletin outlining some mitigation steps you can take to help minimize your risk until an official patch is released.

The good news:

There’s an unofficial patch offered by 0patch for Windows 11 version 21H2, Windows 10 (versions 1803 through 21H2), Windows 7 and Windows Server 2008 R2.

Microsoft’s mitigation strategy advises disabling the MSDT URL protocol handler to minimize your risk. However, this micro patch instead sanitizes the user-provided path, so the Windows diagnostic tools are not rendered inoperable.
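Microsoft’s registry workaround for disabling the ms-msdt: handler, written up here as an added PowerShell example (not code from the page, from Microsoft or from 0patch), with a backup step so the change can be reverted once an official fix ships. The backup file location is an assumption.

```powershell
# Added example: apply, verify and undo Microsoft's Follina (CVE-2022-30190) workaround,
# which unregisters the ms-msdt: URL protocol handler. Run from an elevated PowerShell.
# The backup path below is assumed; any writable location will do.
$KeyPath    = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'
$BackupFile = 'C:\Backup\ms-msdt.reg'   # assumed location

function Get-MsdtHandlerState {
    # Returns 'registered' when the ms-msdt: handler key exists, otherwise 'absent'.
    if (Test-Path -Path $KeyPath) { 'registered' } else { 'absent' }
}

function Disable-MsdtHandler {
    # Back up the key first so the workaround can be rolled back after patching.
    if ((Get-MsdtHandlerState) -eq 'absent') {
        Write-Output 'ms-msdt: handler is not registered; nothing to do.'
        return
    }
    New-Item -ItemType Directory -Path (Split-Path $BackupFile) -Force | Out-Null
    reg.exe export HKEY_CLASSES_ROOT\ms-msdt $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Backup failed; leaving the key in place.' }
    reg.exe delete HKEY_CLASSES_ROOT\ms-msdt /f | Out-Null
    Write-Output "Handler state after change: $(Get-MsdtHandlerState)"
}

function Restore-MsdtHandler {
    # Re-import the saved key once the official Microsoft patch is installed.
    if (-not (Test-Path -Path $BackupFile)) { throw "No backup found at $BackupFile" }
    reg.exe import $BackupFile | Out-Null
    Write-Output "Handler state after restore: $(Get-MsdtHandlerState)"
}

Disable-MsdtHandler
```

While the key is removed, any troubleshooter launched through an ms-msdt: link will fail to open, which is the trade-off the 0patch approach avoids.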

0patch co-founder Mitja Kolsek had this to say about their patch:

“Note that it doesn’t matter which version of Office you have installed, or if you have Office installed at all: the vulnerability could also be exploited through other attack vectors.

That is why we also patched Windows 7, where the ms-msdt: URL handler is not registered at all.”

Best of all, the only thing you have to do to get this unofficial patch is register for a 0patch account and install the 0patch agent.  Once you run the agent, it will automatically download the patch and apply it for you unless your network has a security policy in place that prevents that.

It’s a good solution offered by a great company and is highly recommended.

Microsoft Will Not Release Exchange Server Updates Until 2025

Are you planning on setting up an Exchange server soon or are you running one now?  If so, be aware that Microsoft is changing their guidance when it comes to the technology and specifically running a server on-premises.

Two years ago, the Redmond giant announced that the next versions of their Skype for Business Server, Project Server, SharePoint Server, and Exchange Server would be available during the second half of 2021. However, there was a catch:  All of those would require a subscription in order to get support, security updates, and product updates.

There were problems.  The launches for SharePoint and Project Server (subscription based) went according to plan, but the others did not.  Worse is that Microsoft has on repeated occasions refused to provide updates on the situation until now.

Here’s the official word from Microsoft:

“Microsoft will support Exchange 2016 and 2019 until October 14, 2025. And after October 14, 2025, only the next version of Exchange Server will be supported.”

As to the reasons for the delay, the company finally posted something official about that too, writing:

“Unfortunately, 2021 had other plans for Exchange Server. In March 2021, we confronted a serious reality: state-sponsored threat actors were targeting on-premises Exchange servers.”

The company responded to this threat by releasing several out of band security updates along with their usual cumulative updates.

The company added: “We are moving the next version of Exchange Server to our Modern Lifecycle Policy, which has no end of support dates. We plan on continuing to support Exchange Server as long as there is substantive market demand.”

Long story short, there were delays.  There were good reasons for those delays, and the company is committed to providing support for Exchange Server if there’s demand for it.  That’s very good news.

Enemybot Malware May Go Beyond DDOS Attacks

Unless you’re an IT Security Professional, you may never have heard of EnemyBot.  It is a bit like the Frankenstein of malware threats, a botnet that has borrowed code from multiple different sources.

While that’s not terribly original, it does make it dangerous. The hackers behind the code are actively adding new exploits as newly disclosed critical vulnerabilities come to light in content management systems, IoT devices, Android devices, and web servers.

The botnet was first seen in action in March and is currently being tracked by researchers at Securonix.  By April, newer code samples were acquired, and the researchers found that EnemyBot had already integrated capabilities to attack flaws in more than a dozen processor architectures.

The botnet doesn’t do anything fancy and it mainly relies on DDoS (distributed denial of service) attacks. The latest version spotted has the capability to scan for new target devices and infect them.

According to AT&T’s Alien Labs, the most recent code samples contain several new exploits, including those for:

  • CVE-2022-22954: Critical (CVSS: 9.8) A remote code execution flaw impacting VMware Workspace ONE Access and VMware Identity Manager. PoC (proof of concept) exploit was made available in April 2022.
  • CVE-2022-22947: Another remote code execution flaw in Spring, fixed as a zero-day in March 2022 and massively targeted throughout April 2022.
  • CVE-2022-1388: Critical (CVSS: 9.8) Yet another remote code execution flaw impacting F5 BIG-IP, threatening vulnerable endpoints with device takeover. The first PoCs appeared in the wild in May 2022, and active exploitation began almost immediately.

Enemybot is a genuine threat and proof positive that you don’t have to be original or engage in out-of-the-box thinking to engineer a serious piece of malware.  Watch out for this one because the developers behind it are clearly just getting warmed up.

Your employee’s social media account was hacked. How does it affect you?

Did you know that social media accounts are one of the favorite targets for cybercriminals? You may think cybercriminals would prefer to hack online banking or shopping accounts, but that doesn’t seem to be the case. Here’s why. Social media accounts hold A LOT of personal information, including name, email ID, date of birth, place of birth, place of work (your business!), high school attended, names of family, friends and pets, anniversaries, and more, which means they are basically gold mines of Personally Identifiable Information (PII). Plus, if you play games and have your credit card details saved, there’s even more information, and the better the chances for the cybercriminal to commit fraud. All of this data can then be used to hack into the user’s other accounts, including financial ones. So, hacking into someone’s social media account can help cybercriminals gain entry into other, more ‘useful’ and better-secured accounts.

But, how does it matter to you, as a business? If your employee’s personal social media account is hacked, it shouldn’t affect you, as a company, right? Wrong…here’s how it can affect you.

  • If the employee whose social media account is hacked is the administrator of your company’s official social media handles, you are in big trouble, as hackers will gain access to your company account and consequently to customer information, because you may have clients who follow your business account on social media. The whole situation can result in a lot of damage to your business and brand reputation, and can also result in penalties and possible lawsuits.
  • Even if your employee doesn’t handle your company’s social handles, the hackers may have enough of their PII to try and pry open a small entryway into your IT network.

You can avoid such mishaps by:

  • Training your staff on social media and cybersecurity best practices including advanced privacy and permission settings for social media accounts
  • Ensuring your employees are able to identify and steer clear of phishing and social media frauds
  • Helping your employees understand the importance of practicing good password hygiene across all their online accounts–social, work or personal.
  • Ensuring they realize that their Facebook or LinkedIn account is not ‘just another online socializing platform’, but an actual gold mine of information and only those who they really trust should be able to access them.
  • Sharing regular Day Zero Alerts and relevant news articles with your staff that keeps them updated on the latest modus operandi and happenings related to cybercrime

Your managed IT services provider will be able to help you in organizing and conducting these kinds of training and awareness sessions at regular intervals for your staff.