Tag Archives: Malware and Virus Protection

Posted on Author Atlantic Computer Services Categories Blog

Microsoft Releases PoC Code For MacOS App Sandbox Vulnerability

MacOS features a powerful sandbox restriction that helps keep modern Apple computers safe by limiting how code can run on the system.

Unfortunately, no system is bullet proof. There’s a way that a determined attacker could bypass sandbox restrictions and execute malicious code arbitrarily.  Engineers at Microsoft discovered the vulnerability, and independent security researcher Arsenii Kostromin discovered it independently.

Both groups responsibly disclosed their findings to Apple and the Microsoft team released the technical details along with a proof of concept that demonstrates how it works.

The vulnerability is being tracked as CVE-2022-26706, and the issue specifically relates to macros in Word documents opened on a machine running MacOS.  If that’s something you do on a regular basis, then it pays to be well versed in exactly how this vulnerability could be used against you.

Johnathan Bar Or is one of the researchers on the Microsoft 365 Defender Research Team.

Johnathan had this to say about the issue:

“Despite the security restrictions imposed by the App Sandbox’s rules on applications, it’s possible for attackers to bypass the said rules and let malicious codes ‘escape’ the sandbox and execute arbitrary commands on an affected device.”

The good news is that the issue was discovered in October 2021, and Apple released a fix for it in May of 2022 in the Big Sur 11.6.6 update.

Even if you’ve disabled auto updates and are leery about applying OS patches to your system, this one deserves a place on your list.  It’s not an incredibly technical exploit, which means that most any hacker could pull it off. The longer you leave your system unpatched, the more danger you’re in.

Kudos to the Microsoft team and to Arsenii Kostromin for discovering and then promptly responsibly reporting the issue, and to Apple for moving with some haste to release a patch.

0
Posted on Author Atlantic Computer Services Categories Blog

IoT Security With Microsoft Defender

The Internet of Things (IoT) has seen explosive growth in recent years.

If you like, you can now build your own smart home with intelligent toasters, washing machines, dishwashers, and refrigerators. They are all connected to your home network, and they all make vast amounts of data available to you at your fingertips.

Unfortunately, security is slim to non-existent on most of these “smart” devices.  We’ve seen botnets enslave those smart devices and put them to use in a wide range of malicious ways. Although many industry experts have been sounding the alarm, few of the smart device manufacturers have taken much of an interest in bolstering security on the products they sell.

The good news is that Microsoft may have an answer.  The Redmond giant recently released Microsoft Defender for IoT in a bid to secure smart TVs, printers, washing machines, and any other “smart” device you may have connected to your network.

The company previewed Defender for IoT in the waning days of 2021.  Back then it was called Azure Defender for IoT and before that it was Azure Security Center.  By any of those names however, it’s the same code and it’s clear that plugging this gigantic gap in device security has been on Microsoft’s radar for quite some time.

Now at last, the product is ready for a proper unveiling and it’s a solid solution. That is especially given the fact that it integrates seamlessly with Microsoft 365 Defender, which millions of users the world over already rely on.

Michal Braverman-Blumenstyk is Microsoft’s Corporate VP and Chief Technology Officer of Cloud and AI Security.

Michal had this to say about the new product:

“…Defender for IoT now delivers comprehensive security for all endpoint types, applications, identities, and operating systems.

The new capabilities allow organizations to get the visibility and insights they need to address complex multi-stage attacks that specifically take advantage of IoT and OT devices to achieve their goals.

Customers will now be able to get the same types of vulnerability management, threat detection, response, and other capabilities for enterprise IoT devices that were previously only available for managed endpoints and OT devices.”

If you have one or more smart devices connected to your network (and you probably do), you need Defender for IoT.  Kudos to Microsoft.

0
Posted on Author Atlantic Computer Services Categories Blog

Hackers Use VoIP Systems To Install PHP Web Shells

Security researchers at Unit 42, a division of Palo Alto Networks, have been tracking the efforts of a massive campaign aimed at Elastix VoIP telephony servers.

They are used by companies of all shapes and sizes to unify their communications, and it is especially attractive because it can be used with the Digium phones module for FreePBX.

So far, the team has collected more than half a million malicious code samples over a three-month period.  An analysis of those code samples reveals that the attackers are exploiting a remote code execution vulnerability. It is being tracked as CVE-2021-4561 and carries a severity rating of 9.8 out of ten.

Security researchers report that hackers have been actively exploiting this flaw since at least December 2021.

Based on the code samples collected, the Unit 42 team believes that the attackers’ goal was to plant PHP web shells on successfully penetrated systems. That would allow them to execute arbitrary commands on the compromised servers.

Another security firm, Check Point, confirms Unit 42’s findings and both teams stress that the campaign is still ongoing.  Worse, it appears that there are two different groups involved in the attack. Although it is not currently known whether they are coordinating their efforts or if that fact is coincidental. Perhaps it is a case of one following the other so as not to miss out on an opportunity.

The attackers behind the campaign are both clever and technically savvy.  They’ve built in some good anti-detection strategies into the attack, such as masking the name of the back door so that the file name resembles that of a known file already on the system.  It would take a sharp pair of eyes indeed to spot it.

In any event, if you use Elastix VoIP, be sure your IT people are aware of this threat.

0
Posted on Author Atlantic Computer Services Categories Blog

Raspberry Robin Worm In Hundreds Of Windows Networks

Analysts at Red Canary Intelligence have recently spotted a Windows worm on hundreds of networks belonging to a wide range of organizations around the world.

Dubbed “Raspberry Robin” by the research team that discovered it, this worm spreads via infected USB devices and was initially spotted in September of last year (2021).  Another firm, Sekoia, observed the worm even earlier, citing appearances of similar code strains on QNAP NAS devices as early as November of 2019.

So far, nothing is known about the threat group that created the worm.  There’s nothing in the code that ties it definitively to any of the large, organized, active groups of hackers around the world. Although a code analysis reveals that it is quite advanced.

Although it has spread far and wide, and it is clearly capable of unleashing untold amounts of harm, the threat actors behind the worm have simply opted not to. At least not yet.

It is not known whether it’s because they wish to give the worm more time to spread before inflicting harm to maximize the impact of that harm, or because the group is still in early stages and is essentially testing its capabilities to see how far and how easily it will spread.

Given how little is known about the particulars and the theoretical capabilities of the worm, Microsoft tagged this as a high-risk threat. They stress that although the hackers have, not opted to use it to deploy additional malicious payloads so far, that could change at literally any time.

This is one to be on the lookout for.  Make sure your IT staff are aware of it and on high alert.  As additional details emerge about the worm and who might be behind it emerges, we’ll almost certainly have more to say about this latest threat.

0
Posted on Author Atlantic Computer Services Categories Blog

Malware Is Targeting Small Office And Home Office Routers

Researchers at Lumen’s Black Lotus Labs recently spotted evidence of a highly sophisticated and tightly targeted campaign aimed at SOHO (small office/home office) routers across both Europe and North America.

Based on the evidence the team has collected thus far, their conclusion is that the unidentified actor must be state sponsored. This is because garden variety hackers do not typically have the tools, techniques, and procedures in place to pull off the kinds of attacks that the researchers are seeing.

It is telling that this campaign’s ramp up coincided with the pandemic-fueled shift to large numbers of employees working from home.

A recently published summary report about the campaign reads in part, as follows:

“This (the massive surge in people working from home) gave threat actors a fresh opportunity to leverage at-home devices such as SOHO routers – which are widely used but rarely monitored or patched – to collect data in transit, hijack connections, and compromise devices in adjacent networks.

The sudden shift to remote work spurred by the pandemic allowed a sophisticated adversary to seize this opportunity to subvert the traditional defense-in-depth posture of many well-established organizations.”

The report goes on to say that:

“The capabilities demonstrated in this campaign – gaining access to SOHO devices of different makes and models, collecting host and LAN information to inform targeting, sampling and hijacking network communications to gain potentially persistent access to in-land devices and intentionally stealth C2 infrastructure leveraging multi-stage siloed router to router communications – points to a highly sophisticated actor that we hypothesize has been living undetected on the edge of targeted networks for years.”

This is a genuine threat. Although your IT department is likely stretched as thin as it is, one of the best ways you can minimize your risk is to assist your employees who are working from home with patch planning to make sure their gear is up to date and as well protected as possible.

0
1 2 3 4 5 43