{Urgent} Security Advisory for May 2017
In line with industry best practices and our standard of providing the best services to you, we publish security advisories that are designed to give timely information to all our esteemed customers.
Advisories are a way for ZNetLive to communicate security information to customers about issues that may not be classified as vulnerabilities and may not require a security bulletin.
Below is the threat information shared regarding recently reported critical vulnerabilities and threats.
WannaCry Ransomware That’s Hitting the World Right Now Uses NSA Windows Exploit
A massive ransomware campaign has hit the computer systems of hundreds of private companies and public organizations across the globe, and is believed to be the largest ransomware delivery campaign to date. The ransomware has been identified as a variant known as WannaCry, also known as ‘Wana Decrypt0r’, ‘WannaCryptor’ or ‘WCRY’.
Ransomware Using NSA’s Exploit to Spread Rapidly
Most interesting about this ransomware is that the WannaCry attackers are leveraging a Windows exploit harvested from the NSA, called EternalBlue, which was dumped by the Shadow Brokers hacking group over a month ago. Microsoft released a patch for the vulnerability in March (MS17-010), but many users and organizations that did not patch their systems remain open to attack. The exploit is capable of penetrating machines running unpatched versions of Windows XP through Server 2008 R2 by exploiting flaws in the Microsoft Windows SMB Server. Once a single computer in an organization is hit by the WannaCry ransomware, the worm looks for other vulnerable computers and infects them as well.
Who are affected?
Like other nasty ransomware variants, WannaCry blocks access to a computer or its files and demands money to unlock it. Once infected with the WannaCry ransomware, victims are asked to pay up to $300 to remove the infection from their PCs; otherwise, their PCs are rendered unusable and their files remain locked.
The ransomware targeted over 45,000 computers in 74 countries, including the United States, Russia, Germany, Turkey, Italy, the Philippines and Vietnam, and the number was still growing.
How to Protect Yourself from WannaCry:
1) First of all, patch your Windows machines and servers against the EternalBlue exploit (MS17-010).
2) Always be suspicious of uninvited documents sent by email, and never click on links inside those documents without verifying the source.
3) Keep a good backup routine in place that copies your files to an external storage device that is not permanently connected to your PC.
4) Make sure that you run an active anti-virus security suite on your system and, most importantly, always browse the Internet safely.
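A quick way to verify step 1 on a Windows host, as an added example that is not part of the original advisory: it reports whether any MS17-010 update is installed and whether the SMBv1 server (the component EternalBlue targets) is still enabled. The KB numbers are listed from memory of the MS17-010 bulletin and are an assumption to verify against that bulletin before relying on the script for compliance reporting.

```powershell
# Added example (not ZNetLive's code). Run in an elevated PowerShell session.
function Test-MS17010Exposure {
    # Assumed MS17-010 KB list per OS family; verify against the bulletin.
    # Later cumulative updates supersede these on Windows 10 / Server 2016,
    # so a missing KB there is a prompt to check the build, not proof of exposure.
    $ms17010Kbs = @(
        'KB4012598',                          # XP / Vista / 2003 / 2008 (out-of-band)
        'KB4012212', 'KB4012215',             # Windows 7 / Server 2008 R2
        'KB4012214', 'KB4012217',             # Server 2012
        'KB4012213', 'KB4012216',             # Windows 8.1 / Server 2012 R2
        'KB4012606', 'KB4013198', 'KB4013429' # Windows 10 1507 / 1511 / 1607, Server 2016
    )

    # Which of the listed updates are present on this host?
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $ms17010Kbs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID)

    # SMBv1 server state: prefer the SMB cmdlet (Windows 8 / 2012 and later),
    # fall back to the LanmanServer registry value on older systems.
    # An absent SMB1 registry value means SMBv1 is enabled (the default).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $value = (Get-ItemProperty -Path $params -ErrorAction SilentlyContinue).SMB1
        $smb1Enabled = ($null -eq $value) -or ($value -ne 0)
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        OSVersion          = [System.Environment]::OSVersion.Version.ToString()
        MS17010KBsFound    = ($installed -join ', ')
        MS17010Patched     = ($installed.Count -gt 0)
        SMB1ServerEnabled  = [bool]$smb1Enabled
        # Highest risk: SMBv1 reachable and no MS17-010 update recorded.
        NeedsAttention     = ([bool]$smb1Enabled -and $installed.Count -eq 0)
    }
}

Test-MS17010Exposure | Format-List
```

Hosts reporting NeedsAttention = True should be patched (and have SMBv1 disabled if nothing depends on it) before they are exposed to any network that may carry WannaCry traffic.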
Threat Summary: Massive vulnerability in Windows Defender leaves most Windows PCs vulnerable
Microsoft patched a severe code-execution vulnerability in the malware protection engine that is used in almost every recent version of Windows (7, 8, 8.1, 10 and Server 2016), just three days after it came to its attention. Notably, Windows Defender is installed by default on all consumer-oriented Windows PCs. The exploit allows a remote attacker to take over a system without any interaction from the system owner: it is enough for the attacker to send an e-mail or instant message that is scanned by Windows Defender. Likewise, anything else that is automatically scanned by Microsoft’s malware protection engine, such as websites or file shares, could be used as an attack vector.
The Google Project Zero researchers who discovered the flaw warned that exploits were “wormable,” meaning they could lead to a self-replicating chain of attacks moving from vulnerable machine to vulnerable machine.
The Google researchers found that MsMpEngine contains a component called NScript that analyses any file system or network activity that looks like JavaScript. NScript is not sandboxed, runs at a very high privilege level, and is used by default to evaluate untrusted code on almost every modern Windows system. NScript can be exploited with a few lines of JavaScript, which can be delivered via a specially crafted web page, e-mail, or just about any other attack vector.
Who are affected?
Microsoft says the risk of remote code execution is lower on Windows 10 and Windows 8.1 because of Control Flow Guard (CFG), a security feature that protects against memory corruption. CFG is an optional compilation flag in Visual Studio 2015.
Threat Summary: Microsoft Issues Patches for Another Four Zero-Day Vulnerabilities
As part of this month’s Patch Tuesday, Microsoft has released security patches for a total of 55 vulnerabilities across its products, including fixes for four zero-day vulnerabilities being exploited in the wild. Separately, Microsoft released an emergency out-of-band update to patch a remote code execution bug in Microsoft’s antivirus engine, which is enabled by default on Windows 7, 8.1, RT, 10 and Server 2016.
Affected Software:
Of the 55 vulnerabilities, 17 are rated critical and affect the company’s main operating systems, along with other products such as Office, Edge, Internet Explorer, and the malware protection engine used in most of Microsoft’s anti-malware products.
First Zero-Day Vulnerability (CVE-2017-0261)
This vulnerability could be exploited by tricking victims into opening an emailed file containing a malformed graphics image.
Who are affected?
The flaw affects the 32- and 64-bit versions of Microsoft Office 2010, 2013 and 2016, and resides in how Office handles Encapsulated PostScript (EPS) image files, leading to remote code execution (RCE) on the system.
Second Zero-Day Vulnerability (CVE-2017-0262)
FireEye and ESET researchers believe that the APT28 hacking group, also known as Fancy Bear or Pawn Storm, was actively using this EPS-related Microsoft Office zero-day vulnerability, which leads to remote code execution when a malformed file is opened.
Third Zero-Day Vulnerability (CVE-2017-0263)
The third zero-day bug is an elevation of privilege (EoP) vulnerability in all supported versions of Microsoft’s Windows operating system.
Fourth Zero-Day Vulnerability (CVE-2017-0222)
Another zero-day vulnerability affects Internet Explorer 10 and 11 and resides in how Internet Explorer handles objects in memory.
Reference: http://thehackernews.com/2017/05/patch-windows-zero-days.html
Microsoft Malware Protection Engine Remote Code Execution Vulnerability – CVE-2017-0290
Overview
The update addresses a vulnerability that could allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file. An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the Local System account and take control of the system.
Who are affected?
The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected.
- Microsoft Forefront Endpoint Protection 2010
- Microsoft Endpoint Protection
- Microsoft Forefront Security for SharePoint Service Pack 3
- Microsoft System Center Endpoint Protection
- Microsoft Security Essentials
- Windows Defender for Windows 7
- Windows Defender for Windows 8.1
- Windows Defender for Windows RT 8.1
- Windows Defender for Windows 10, Windows 10 1511, Windows 10 1607, Windows 10 1703
- Windows Defender for Windows Server 2016
- Windows Intune Endpoint Protection
Microsoft Malware Protection Engine Remote Code Execution Vulnerability – CVE-2017-0290
An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, a specially crafted file must be scanned by an affected version of the Microsoft Malware Protection Engine.
There are many ways that an attacker could place a specially crafted file in a location that is scanned by the Microsoft Malware Protection Engine. For example, an attacker could use an email message or an instant message, or use websites that accept or host user-provided content to upload a specially crafted file to a shared location that is scanned by the Malware Protection Engine running on the hosting server.
Who are affected?
All systems running an affected version of antimalware software are primarily at risk.
Reference: https://technet.microsoft.com/en-us/library/security/4022344.aspx
To know more, use ZNetLive’s 24×7 Member Panel for immediate resolution.
Windows critical patch updates for the month of April 2017
This is to inform you that as part of its monthly update releases, Microsoft has released Windows critical patches for the month of April 2017.
This mail is with regard to the newly released critical patches by Microsoft for flaws affecting all Windows 2008/2008 R2/2012/2012 R2 server versions. Although we have tested all the patches at our end, we humbly request that you also review them at your end.
We understand that security updates are often viewed as an inconvenience, but in reality they are the best defense against the common viruses, malware and other security threats prevalent in the online environment.
So, to minimize the risk of exposure or low performance, please perform these updates.
Please test each patch’s compatibility with your business-critical applications and software and provide us with a suitable window to apply the patches.
– Expected Downtime: 30-45 mins
– Effect of Maintenance: We shall be restarting the servers after the patch update, so there can be approximately 30-45 mins of downtime on the servers during the maintenance window provided by you.
To know more, use ZNetLive’s 24×7 Member Panel for immediate resolution.
Note: Click here to download the details of Patches released in April, 2017.
Urgent Maintenance Activity of https://www.znetlive.com and https://manage.znetlive.com Sites : Thursday, 27th April, 2017.
This is to inform you that we are performing urgent maintenance processes on the system, due to which ZNetLive’s member panel: https://manage.znetlive.com and ZNetLive website: https://www.znetlive.com will not be accessible to you.
However, it will not impact any of your services.
The schedule of the activity is as per the given time frame:
Maintenance Window Details :
Activity Date : Thursday, 27 April, 2017.
Activity Time : 00:00 A.M. to 00:30 AM
We regret any inconvenience caused due to this maintenance.
Phone support unavailable : Monday, April, 2017
This is to inform you that due to some technical reasons, our phone support will not be available on April 17, 2017.
Our experts are working on the issues and it will take few hours to resume phone services.
During this period you can reach us via Live Chat and Support tickets.
If there is any further change, we will keep you updated through our portal Znetlivestatus.com
Please be patient and any inconvenience is sincerely regretted.
Emergency notification regarding nameserver updates for .Club domains
This is to bring to your notice that we are facing an issue while connecting to the .Club registry for nameserver updates. Our team is in touch with the registry and is also coordinating directly with their backend team.
We hope the issue will be resolved soon. We will keep you updated on the same.
We sincerely regret any inconvenience this may cause you.
Regards,
Team ZNetLive.
Member panel and ZNetLive site to remain inaccessible on Friday, 31st March, 2017 for financial year end activities.
This is to inform you that we are performing financial year end processes on the system, due to which ZNetLive’s member panel: https://manage.znetlive.com and ZNetLive website: https://www.znetlive.com will not be accessible to you.
However, it will not impact any of your services.
The schedule of the activity is as per the given time frame:
Maintenance Window Details :
Schedule Date : Friday, 31st March, 2017.
Schedule Time : 11:00 P.M. to 3:00 AM (1st April’17)
We regret any inconvenience caused due to this maintenance.
Emergency Maintenance: Shared/Reseller Infra
Updated: 27/03/2017- 12:19 PM
Dear Customer,
We are facing critical issues on multiple shared/reseller servers which are impacting the availability of Shared/Reseller services. In order to resolve the issue, we will carry out an emergency maintenance on the Shared/Reseller infrastructure.
Details of this maintenance are:
Time: 11:45 PM
Date: 27/03/2017
Duration: 4-5 Hours expected
Availability of Services: You may face fluctuations in the availability of services.
Technical Support: Tech support would be available over phone, chat and tickets.
Thank you for your cooperation.
Regards,
ZNET Team
Update: 27/03/2017: 11:45 PM: Activity Started
Update: 28/03/2017: 12:53 AM: Activity stopped.
Results: Network changes are done. Will need to do it again.
Urgent Network Maintenance at DC-Noida: Friday, 24th March, 2017
We are conducting an urgent network maintenance activity for the Noida facility.
Activity Date: Friday, 24th March, 2017.
Activity Time: 10:00 P.M. to 12:00 A.M.
There is no complete downtime but you may face network fluctuation during the activity.
Communication Plan: Our helpdesk would be fully staffed & functional during the activity period. Please feel free to get in touch with our support team at support@znetlive.com, in case of any queries/doubts.
Please be patient & support us in our endeavor of serving you with better network facility.
Thank you for your co-operation and support.
File System Issue: Plesk-14: Emergency Maintenance
Dear Customer,
We would like to update you that we are currently facing a file system issue on our reseller server Plesk-14. Our maintenance team is actively working to resolve the issue as soon as possible.
During this maintenance, you may face downtime or fluctuations in the availability of the services.
The impact level is critical, and it has affected website, mail, MySQL DB and Plesk Panel services. However, clients’ website, mail and database data is secure and safe, as it is stored on a separate drive.
We currently expect this to be resolved in the next 3-4 hours.
We request you to please keep checking this post for further updates.
Our helpdesk is fully staffed on phone, chat and tickets.
Thanks for your cooperation.
Regards,
ZNET TEAM
===========
Update-1: 3:08 PM: We are expecting it to take more time around next 2-3 hours. Kindly bear with us.
===========
Update-2: 5:30 PM: All services have now resumed and we are monitoring them further. You can also check your services and let us know if you face any issue. You may still notice some slow performance, which we are actively working on.
===========
Update-3: 25/03/2017 at 3:17 PM: We are still seeing performance issues and are working on them. This is expected to take another 24-36 hours.
Update-4: Issue resolved.
Urgent Network Maintenance at DC-Noida: Friday, 17th March, 2017
We are conducting an urgent network maintenance activity for the Noida facility.
Activity Date: Friday, 17 March, 2017
Activity Time: 11:00 P.M. to 11:30 P.M.
There is no complete downtime but you may face network fluctuation during the activity.
Communication Plan: Our helpdesk would be fully staffed & functional during the activity period. Please feel free to get in touch with our support team at support@znetlive.com, in case of any queries/doubts.
Please be patient & support us in our endeavor of serving you with better network facility.
Thank you for your co-operation and support.
Scheduled Maintenance Activity of https://www.znetlive.com and https://manage.znetlive.com Sites : Thursday, 16th March, 2017
This is to inform you that we are going to have a scheduled maintenance activity for https://www.znetlive.com/ and https://manage.znetlive.com in order to provide you with better ZNET services and better performance.
During this activity, ZNetLive’s member panel: https://manage.znetlive.com and ZNetLive website: https://www.znetlive.com will not be accessible to you.
However, it will not impact any of your services.
The schedule of the activity is as per the given time frame:
Maintenance Window Details :
Schedule Date : Thursday, 16th March, 2017.
Schedule Time : 10:30 P.M. to 12:30 AM (17March’17)
We regret any inconvenience caused due to this maintenance.
Keep visiting announcement section or http://znetlivestatus.com for further updates!
Thank you in anticipation of your co-operation and support.
Phone lines inaccessible due to disruption in the services from Internet Service Provider’s end – Saturday, March 11th, 2017.
Our phone lines are not working, due to some disruption in the services from Internet Service Provider’s end.
It might take 4-5 hours to resume phone services.
During this period, you can reach us via Live Chat and tickets.
Please be patient and accept our apologies for any inconvenience this may cause you.
Phone lines inaccessible due to disruption in the services from Internet Service Provider’s end – Friday, February 10th, 2017.
Our phone lines are not working, due to some disruption in the services from Internet Service Provider’s end.
It might take 2-3 hours to resume phone services.
During this period, you can reach us via Live Chat and tickets.
Please be patient and accept our apologies for any inconvenience this may cause you.
Emergency Maintenance In Progress on linuxindia2.securehostdns.com – Wednesday, 8th February, 2017
We are performing an emergency maintenance on the linuxindia2.securehostdns.com server due to file system corruption.
Our senior system administrators are working to resolve the issue as quickly as possible.
The schedule of the maintenance is as given below:
Maintenance Date: Wednesday, 8th February, 2017.
Maintenance Time: The maintenance is in progress.
We will update you once the issue has been rectified.
Please be patient and support us in our endeavor of serving you with better hardware.