New Method Hides Malware In Windows Event Logs

At least one group of hackers has learned a new trick you need to be aware of.  Security researchers at Kaspersky Lab have discovered a malicious campaign in progress that uses Windows event logs as a place to store malware. That technique had not been seen or documented before.

The approach is built for stealth. The payload itself is never written to the target’s disk as a file; it is stashed inside an event log instead, which is what makes this stage of the malware “fileless.”

The dropper used in this case makes a copy of the legitimate Windows Error Reporting executable, “WerFault.exe,” and places it in C:\Windows\Tasks. It then drops an encrypted binary resource into the same directory under the name “wer.dll,” the name of a DLL that Windows Error Reporting loads, so that the copied WerFault.exe picks up the planted DLL instead of the real one.

DLL hijacking itself is nothing new.  A legitimate, signed program loads a DLL by name, and Windows searches the program’s own directory before the system directories, so a DLL with the right name placed beside the executable gets loaded and its code runs inside a trusted process, with few checks along the way.

Denis Legezo, lead security researcher at Kaspersky, notes that the loader on its own is harmless. The shellcode it needs is hidden in the Windows event logs; the loader reads it back out of the logs and executes it, and that is what makes the whole chain function.
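The two artifacts described above give a defender something concrete to hunt for: a copy of WerFault.exe sitting somewhere other than its normal location (with a wer.dll beside it), and event log records that carry unusually large binary payloads. The PowerShell below is an added example of such a hunt, not code from Kaspersky’s report or from the malware. The directories it scans, the log it reads and the size threshold are assumptions chosen for the example; the report’s own log name, event source and chunk size are not reproduced here.

```powershell
# Added example: hunt for the on-disk and in-log artifacts of event-log-stashed shellcode.
# Paths, log name and thresholds are assumptions for the example, not from Kaspersky's report.

# 1. WerFault.exe normally lives only under System32, SysWOW64 or WinSxS. Report any other copy,
#    whether a wer.dll sits next to it, and the Authenticode status of both files. A sideloaded
#    loader DLL will typically show as NotSigned while the copied WerFault.exe stays Valid.
function Find-StrayWerFault {
    param(
        # Assumption: directories worth checking. C:\Windows\Tasks is the one named in the report.
        [string[]]$Roots = @("$env:SystemRoot\Tasks", "$env:ProgramData", "$env:TEMP")
    )
    $expected = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64", "$env:SystemRoot\WinSxS")
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -Filter 'WerFault.exe' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = $_.DirectoryName
            $isExpected = $false
            foreach ($e in $expected) { if ($dir -like "$e*") { $isExpected = $true } }
            if ($isExpected) { return }
            $dll = Join-Path $dir 'wer.dll'
            [pscustomobject]@{
                Path         = $_.FullName
                ExeSignature = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
                SideloadDll  = (Test-Path $dll)
                DllSignature = if (Test-Path $dll) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'n/a' }
            }
        }
    }
}

# 2. Shellcode written into an event log shows up as an event whose data is far larger than any
#    normal log message. Walk recent events and flag any property (string or raw binary data)
#    at or above the size threshold. Assumption: the Application log and a 4 KB threshold.
function Find-BinaryEventPayloads {
    param(
        [string]$LogName = 'Application',
        [int]$MinBytes = 4096,
        [int]$MaxEvents = 5000
    )
    Get-WinEvent -LogName $LogName -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt = $_
        foreach ($p in $evt.Properties) {
            $v = $p.Value
            $size = 0
            if ($v -is [byte[]]) { $size = $v.Length }
            elseif ($v -is [string]) { $size = [Text.Encoding]::UTF8.GetByteCount($v) }
            if ($size -ge $MinBytes) {
                [pscustomobject]@{
                    TimeCreated = $evt.TimeCreated
                    Provider    = $evt.ProviderName
                    EventId     = $evt.Id
                    Kind        = if ($v -is [byte[]]) { 'binary' } else { 'string' }
                    Bytes       = $size
                }
            }
        }
    }
}

# Run both hunts. Reading some logs and signatures requires an elevated session.
Find-StrayWerFault | Format-Table -AutoSize
Find-BinaryEventPayloads | Format-Table -AutoSize
```

The size threshold is the tunable part: legitimate providers rarely put kilobytes of binary data in a single event, so a low false-positive rate is usual, but tune it against a known-good host before alerting on it. Any hit from the first function is worth treating as an incident on its own, since WerFault.exe has no business being under C:\Windows\Tasks.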

Legezo’s team traced the attack back to its origins in September 2021, when the victim was tricked into downloading a RAR archive from the file sharing service File.io.

It’s a scary piece of work. Based on analysis of the code, the threat actor behind this technique is clearly highly capable.

The fear is that the details of this method will be widely shared on the Dark Web, allowing other, less technically proficient threat actors to copy it. Given how hard the method is to detect, it is likely to become popular very quickly.

All that to say, if you’re an IT security professional, your life is probably about to get a whole lot harder. The one consolation is that only the payload is fileless: the dropper, the copied WerFault.exe and the planted wer.dll all still touch disk, and the log itself can be searched for oversized entries, so that is where detection effort belongs.

Microsoft May Have A Fix For Windows 10 Freezing Issue

Has your Windows 10 machine been mysteriously freezing up on you lately?  If it has, you’re not alone.  Fortunately, Microsoft’s engineers have identified the root cause of that issue and have released a patch that fixes it.

The patch you’re looking for is KB5012636. Be aware that this is a cumulative update preview for both Windows 10 (version 1809) and Windows Server 2019.  It is part of the company’s scheduled April 2022 “C” release, which does not contain security fixes. The security fixes will arrive on May 10th with the regular Patch Tuesday release.

Since the Schedule C patches don’t contain security updates, they are entirely optional. Although in this case, if you’ve been suffering through system freezes, you’ll probably want to make it a priority to grab and install this one.

If you’re not accustomed to installing “C” release patches, the process is straightforward.  Go to “Settings,” then “Update & Security,” then “Windows Update.”  Once there, you’ll need to manually select “Check for updates,” since the patch is optional, and note that Windows won’t actually start installing it until you click the “Download and install” link shown next to it.

In addition to addressing the mysterious freezing issue, this update does the following:

  • Adds improvements for servicing the Secure Boot component of Windows
  • Addresses an issue that causes Virtual Computer Object (VCO) password setting failures on a distributed network name resource
  • Addresses an issue that causes the Key Distribution Center (KDC) code to incorrectly return the error message “KDC_ERR_TGT_REVOKED” during domain controller shutdown

Unless you’re a system admin, those changes may mean nothing to you. In fairness, they’re not earthshaking changes in any event.  The biggest reason you might want this patch is to address the freezing problem. So again, if you’ve been experiencing that and want to be rid of the headache and hassle, get the update today.

Some Of Microsoft’s Source Code Was Stolen By Hacker Group

Microsoft recently confirmed that an account belonging to one of their employees was compromised by the Lapsus$ hacking group, which allowed them to abscond with portions of the company’s source code.

Yes, you read that correctly.  Microsoft got hacked.  They join a seemingly unending parade of large tech companies that have been hit by well-organized hackers.

In this case, the attackers made off with a head-spinning 37 GB of data. Most of it was in the form of source code for a wide range of internal Microsoft projects including those for Bing, Cortana, and Bing Maps.

The company had this to say about the incident:

“No customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity.

Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk. The tactics DEV-0537 used in this intrusion reflect the tactics and techniques discussed in this blog.

Our team was already investigating the compromised account based on threat intelligence when the actor publicly disclosed their intrusion. This public disclosure escalated our action allowing our team to intervene and interrupt the actor mid-operation, limiting broader impact.”

An investigation into the matter is ongoing, but the company has already assessed its own processes and is making changes to further bolster its security.

They recommend doing the following:

  • Strengthen MFA implementation
  • Require Healthy and Trusted Endpoints
  • Leverage modern authentication options for VPNs
  • Strengthen and monitor your cloud security posture
  • Improve awareness of social engineering attacks
  • Establish operational security processes in response to DEV-0537 (Lapsus$) intrusions

No one is safe, but kudos to Microsoft for their transparency here and for publishing specific steps that others can take to help minimize their risks.

Microsoft’s App For Connecting Mobile Devices To Windows Is Now Known As Phone Link

Microsoft recently announced that it was doing a bit of re-branding.

The company’s apps that connect Android phones and iPhones to your Windows PC were formerly called “Your Phone.” Under the new naming scheme, those apps will now be called “Phone Link.”

Hand in hand with that change, Microsoft is also re-naming the mobile companion app, which you now know as “Your Phone Companion.”  That’s going away and it will be restyled as simply “Link to Windows.”

The “Your Phone” app was launched just three years ago which doesn’t seem like enough time to warrant a rebrand. However, the company hasn’t shed any light on the thinking that lies behind the decision.

In any case, when it was originally launched, Microsoft envisioned it as a means for users to access the texts, photos, and apps on their phones from the comfort of their PCs. With that original vision in mind, the newly re-styled apps will get an updated interface that looks a bit more like Windows 11.

Support for previous iterations was somewhat limited, but the original “Your Phone” app worked seamlessly with most Samsung devices and was compatible with Microsoft’s own Surface Duo dual-screen.

With the recent changes, Microsoft is also adding support for several Honor phones to Phone Link. All that’s fine as far as it goes but in some ways this feels a bit like a solution looking for a problem. That is, at least for Google Pixel users.

Pixel users are likely already accessing their text messages from their PCs (which is probably the single biggest draw in terms of functionality) via Google Messages. Given the less than seamless experience with the former “Your Phone” app, there’s little incentive to change even with the improvements to the user experience. Although the company may have more luck drawing in non-Pixel users.

In any case, if you’re not a Pixel user and you’re looking for a way to access the messages and apps from your phone on your desktop, you may want to check out Microsoft’s latest on that front.

A Disguised Windows License Activator May Actually Be Malware

People who are in the habit of pirating movies and software have something new to worry about.  Hackers have begun targeting at least some of them with a widely available, commodity form of malware.

On the Dark Web, anyone who is willing to shell out twenty bucks or so can get their hands on a copy of BitRAT, which is a surprisingly capable bit of malicious code for the price.

Recently, an individual or a group of hackers got their hands on BitRAT and devised a new way to spread it around the internet.

They disguised their malicious payload as a Windows 10 Pro license activator.  So a pirate downloads what he or she believes to be a “crack” for Windows 10 Pro, installs it, and not only fails to get the free copy of Windows 10 Pro that was expected, but also winds up with an infected system.  Ouch.

You may shrug your shoulders at this and conclude that the pirates got what they deserved. Looking at it from an ethical/moral perspective, there’s an argument to be found there.

On the other hand, the person with the hacked PC may wind up interacting with and sharing files with you or someone at your company, which could allow the hacker who infected the initial machine to get his hooks into your network. Ultimately, that’s why this deserves your attention.

Software pirates are not only bad because of what they do, they’re bad business in general. If you associate with anyone who pirates wares (knowingly or not), you may be setting yourself up for trouble down the road.

This is hardly a new phenomenon.  Pirates are frequently seen as good targets for malware campaigns, and this is but the latest in a long line of campaigns that specifically set their sights on that group.  At the end of the day it’s a numbers game: the more often you rely on pirated wares, the greater your risk of infection, and it’s probably not worth it.