Tag Archives: Security

Posted on Author Atlantic Computer Services Categories Blog

Hackers Are Using Personal Messages On WhatsApp To Attack

Are you a WhatsApp user?  If so, be aware that hackers have worked out a means of hijacking a user’s WhatsApp account and gaining access to a user’s contact list and personal messages.

The attack relies on mobile carriers’ automated service to forward calls to different phone numbers, which is a service every major mobile carrier offers.

Unfortunately, it can be exploited by hackers by tricking users into forwarding their calls to a number that the hackers control. So when WhatsApp sends a one-time password (OTP) verification via voice call, the hackers wind up with the code.

Rahul Sasi is the CEO and founder of CloudSEK which is a digital risk protection company.

Sasi had this to say about the attack:

“First, you receive a call from the attacker who will convince you to make a call to the following number **67* or *405*. Within a few minutes, your WhatsApp would be logged out, and the attackers would get complete control of your account.”

Once the hackers have tricked a user into forwarding their calls, they initiate the WhatsApp registration process on their device, naturally choosing the option to receive the OTP via voice call.

There are a few caveats here, and this methodology is by no means fool proof.  For example, the victim does get a text message stating that his/her WhatsApp account is being registered on another device.  When there’s a lot going on that’s easy to miss, but an observant user won’t.

Also, if call forwarding has already been activated on the victim’s device, then the attacker must use a different phone number than the one used for the redirection.  This usually won’t stop a determined attacker, but it will take a bit more social engineering and moxie to pull off.

The bottom line is, if you’re a WhatsApp user, someone may try this on you. So be on the alert for it.

0
Posted on Author Atlantic Computer Services Categories Blog

Intel Users Should Update Firmware To Avoid This Ransomware

Not long ago, researchers at Eclypsium got a lucky break.  An unknown and unidentified individual began leaking communications from inside the Conti ransomware organization.

These leaked communications seemed to confirm what has long been suspected:  That there are strong ties between the Conti gang and Russia’s FSB (military intelligence).

This sounds like something right out of a spy movie, but it’s not.  The leaked messages indicate that several members of the Conti gang have been actively working on developing a new attack vector that specifically targets Intel firmware, allowing Conti to launch its ransomware attack.  Some of the black hat developers even got as far as to develop a working proof of concept for others to review.

Firmware attacks are fairly rare, but they do happen.  To pull it off, the attacker would first need to access the system via a conventional in-road.  For example, a phishing email where the victim would unwittingly give the hackers access, or perhaps by exploiting some other known vulnerability.

In one particularly exotic scenario, they could even make this attack work without prior access. They can do this by leveraging Intel’s Management Engine to force the target machine to reboot, then supply virtual media to draw from on the reboot.

It’s unlikely and would take a tremendous amount of skill, but Conti has shown in recent months that they have the expertise to pull something like that off.

Fortunately, word of the new attack vector has gotten out, the details have made their way to Intel, and Intel has updated their firmware.

If you’re using an Intel machine, you should grab the latest update as soon as possible.  Conti is a well-known, notorious gang with ties to Russia.  You don’t want your company in their crosshairs, so do everything you can do minimize that risk.

0
Posted on Author Atlantic Computer Services Categories Blog

The Windows Follina Vulnerability Has A Temporary Fix

File this away under “good news, bad news.”

The bad news is that there’s a new, critical zero-day threat to be concerned about.  The threat has been dubbed ‘Follina.’

It is being tracked as CVE-2022-30190 and is being described by Microsoft as an MSDT (Microsoft Windows Support Diagnostic Tool) remote code execution flaw that impacts all version of windows still getting security updates, including Windows 7+ and Server 2008+.

It’s a serious bug that puts your system at risk. Even worse is that Microsoft doesn’t currently have a patch to fix it. Although they have issued a bulletin outlining some mitigation steps you can take to help minimize your risk until an official patch is released.

The good news:

There’s an unofficial patch offered by opatch for Windows 11, v 21H2, Windows 10 (versions 1803 through 21H2), Windows 7 and Windows Server 2008R2.

Microsoft’s mitigation strategies advise disabling the MSDT URL protocol handler to minimize your risk. However, this mini patch provides a means of sanitizing the user-provided path to avoid rendering the Windows Diagnostic stuff inoperable.

Opatch co-founder Mitja Kolsek had this to say about their patch:

“Note that it doesn’t matter which version of Office you have installed, or if you have Office installed at all: the vulnerability could also be exploited through other attack vectors.

That is why we also patched Windows 7, where the ms-msdt: URL handler is not registered at all.”

Best of all is that the only thing you have to do to get this unofficial patch is register for an opatch account and install the opatch agent.  Once you run the agent, it will automatically download the patch and apply it for you unless your network has a security policy in place that prevents that.

It’s a good solution offered by a great company and is highly recommended.

0
Posted on Author Atlantic Computer Services Categories Blog

Microsoft Will Not Release Exchange Server Updates Until 2025

Are you planning on setting up an Exchange server soon or are you running one now?  If so, be aware that Microsoft is changing their guidance when it comes to the technology and specifically running a server on-premises.

Two years ago, the Redmond giant announced that the next versions of their Skype for Business Server, Project Server, SharePoint Server, and Exchange Server would be available during the second half of 2021. However, there was a catch:  All of those would require a subscription in order to get support, security updates, and product updates.

There were problems.  The launches for SharePoint and Project Server (subscription based) went according to plan, but the others did not.  Worse is that Microsoft has on repeated occasions refused to provide updates on the situation until now.

Here’s the official word from Microsoft:

“Microsoft will support Exchange 2016 and 2019 until October 14, 2025. And after October 14, 2025, only the next version of Exchange Server will be supported.”

As to the reasons for the delay, the company finally posted something official about that too, writing:

“Unfortunately, 2021 had other plans for Exchange Server. In March 2021, we confronted a serious reality: state-sponsored threat actors were targeting on-premises Exchange servers.”

The company responded to this threat by releasing several out of band security updates along with their usual cumulative updates.

The company added: “We are moving the next version of Exchange Server to our Modern Lifecycle Policy, which has no end of support dates. We plan on continuing to support Exchange Server as long as there is substantive market demand.”

Long story short, there were delays.  There were good reasons for those delays, and the company is committed to providing support for Exchange Server if there’s demand for it.  That’s very good news.

0
Posted on Author Atlantic Computer Services Categories Blog

Enemybot Malware May Go Beyond DDOS Attacks

Unless you’re an IT Security Professional, you may never have heard of EnemyBot.  It is a bit like the Frankenstein of malware threats, a botnet that has borrowed code from multiple different sources.

While that’s not terribly original, it does make it dangerous. The hackers behind the code are actively adding new exploits as newly disclosed critical vulnerabilities come to light in content management systems, IoT devices, Android devices, and web servers.

The botnet was first seen in action in March and is currently being tracked by researchers at Securonix.  By April, newer code samples were acquired, and the researchers found that EnemyBot had already integrated capabilities to attack flaws in more than a dozen processor architectures.

The botnet doesn’t do anything fancy and it mainly relies on DDoS (distributed denial of service) attacks. The latest version spotted has the capability to scan for new target devices and infect them.

According to AT&T’s Alien Labs, the most recent code samples contain several new exploits, including those for:

  • CVE-2022-22954: Critical (CVSS: 9.8) A remote code execution flaw impacting VMware Workspace ONE Access and VMware Identity Manager. PoC (proof of concept) exploit was made available in April 2022.
  • CVE-2022-22947: Another remote code execution flaw in Spring, fixed as zero-day in March 2022, and massively targeted throughout April 2022.
  • And CVE-2022-1388: Critical (CVSS: 9.8) Yet another remote code execution flaw impacting F5 BIG-IP, threatening vulnerable endpoints with device takeover. The first PoCs appeared in the wild in May 2022, and active exploitation began almost immediately.

Enemybot is a genuine threat and proof positive that you don’t have to be original or engage in out of the box thinking to engineer a serious piece of malware.  Watch out for this one because the developers behind it are clearly just getting warmed up.

0
1 13 14 15 16 17 155