Real Time Updates About Different Issues at ZNetLive

Real Time Updates About Different Issues at ZNetLive

Live update on service issues and scheduled maintenances at ZNetLive
Resolved Issues
May 13 2017

{Urgent} Security Advisory for May 2017

Aligning to industry best practices and standards of providing the best services to you, we publish security advisories that are designed to provide timely information to all our esteemed customers.

Advisories are a way for ZNetLive to communicate security information to customers about the issues that may not be classified as vulnerabilities and may not require a security bulletin.

Below are the threat information shared regarding recent critical vulnerabilities/threat reported.

WannaCry Ransomware That’s Hitting World Right Now Uses NSA Windows Exploit

A massive ransomware campaign hit computer systems of hundreds of private companies and public organizations across the globe – which is believed to be the most massive ransomware delivery campaign to date. The Ransomware has been identified as a variant of ransomware known as WannaCry also known as ‘Wana Decrypt0r,’ ‘WannaCryptor’ or ‘WCRY’.

Ransomware Using NSA’s Exploit to Spread Rapidly

Most interesting about this ransomware is that WannaCry attackers are leveraging a Windows exploit harvested from the NSA called EternalBlue, which was dumped by the Shadow Brokers hacking group over a month ago. Microsoft released a patch for the vulnerability in March (MS17-010), but many users and organizations who did not patch their systems are open to attacks. The exploit has the capability to penetrate into machines running unpatched version of Windows XP through 2008 R2 by exploiting flaws in Microsoft Windows SMB Server. Once a single computer in organization is hit by the WannaCry ransomware, the worm looks for other vulnerable computers and infects them as well.

Who are affected?

Like other nasty ransomware variants, WannaCry also blocks access to a computer or its files and demands money to unlock it. Once infected with the WannaCry ransomware, victims are asked to pay up to $300 in order to remove the infection from their PCs; otherwise, their PCs render unusable, and their files remain locked.
The ransomware targeted over 45,000 computers in 74 countries, including United States, Russia, Germany, Turkey, Italy, Philippines and Vietnam, and that the number was still growing

How to Protect Yourself from WannaCry:

1) First of all, patch your Windows machines and servers against EternalBlue exploit (MS17-010)
2) You should always be suspicious of uninvited documents sent an email and should never click on links inside those documents unless verifying the source.
3) Keep a good backup routine in place that makes their copies to an external storage device that is not always connected to your PC.
4) Make sure that you run an active anti-virus security suite of tools on your system, and most importantly, always browse the Internet safely.

Reference: https://www.tripwire.com/state-of-security/latest-security-news/wannacryptor-ransomware-strikes-nhs-hospitals-telefonica-and-others/

Threat Summary: Massive vulnerability in Windows Defender leaves most Windows PCs vulnerable

Microsoft patched a severe code-execution vulnerability in the malware protection engine that is used in almost every recent version of Windows (7, 8, 8.1, 10, and Server 2016), just three days after it came to its attention. Notably, Windows Defender is installed by default on all consumer-oriented Windows PCs. The exploit allows a remote attacker to take over a system without any interaction from the system owner: it’s simply enough for the attacker to send an e-mail or instant message that is scanned by Windows Defender. Likewise, anything else that is automatically scanned by Microsoft’s malware protection engine – websites, file shares—could be used as an attack vector.

Google Project Zero researchers who discovered the flaw, warned that exploits were “wormable,” meaning they could lead to a self-replicating chain of attacks that moved from vulnerable machine to vulnerable machine.

The Google researchers found that MsMpEngine contains a component called NScript that analyses any file system or network activity that looks like JavaScript. NScript isn’t sandboxed and runs at a very high privilege level, and it’s used to evaluate untrusted code by default on almost every modern Windows system. NScript can be exploited with a few lines of JavaScript, which can be injected via a specially crafted Web page, e-mail, or just about any other attack vector.

Who are affected?

Microsoft says the risk of remote code execution is lower on Windows 10 and Windows 8.1 because of CFG, a security feature that protects against memory corruption. CFG is an optional compilation flag in Visual Studio 2015.

Reference: https://arstechnica.com/information-technology/2017/05/windows-defender-nscript-remote-vulnerability/

Threat Summary: Microsoft Issues Patches for Another Four Zero-Day Vulnerabilities

As part of this month’s Patch, Microsoft has released security patches for a total of 55 vulnerabilities across its products, including fixes for four zero-day vulnerabilities being exploited in the wild.. Just, Microsoft released an emergency out-of-band update separately to patch a remote execution bug in Microsoft’s Antivirus Engine that comes enabled by default on Windows 7, 8.1, RT, 10 and Server 2016 operating systems.

Affected Software:

Out of 55 vulnerabilities, 17 have been rated as critical and affect the company’s main operating systems, along with other products like Office, Edge, Internet Explorer, and the malware protection engine used in most of the Microsoft’s anti-malware products.

First Zero-Day Vulnerability (CVE-2017-0261)

This vulnerability could be exploited by tricking victims into opening a file containing a malformed graphics image in an email. The=is vulnerability is due to insufficient rate limiting protection. An attacker could exploit this vulnerability by sending the affected device a high rate of SIP messages. An exploit could allow the attacker to cause the device to reload unexpectedly. The device and services will restart automatically.

Who are affected?

Affects the 32- and 64-bit versions of Microsoft Office 2010, 2013 and 2016, and resides in how Office handles Encapsulated PostScript (EPS) image files, leading to remote code execution (RCE) on the system.

Second Zero-Day Vulnerability (CVE-2017-0262)

FireEye and ESET researchers believe that the APT28 hacking group, also known as Fancy Bear, or Pawn Storm, was actively using this EPS-related Microsoft Office zero-day vulnerability which leads to remote code execution on opening a malformed file.

Third Zero-Day Vulnerability (CVE-2017-0263)

The third zero-day bug is an elevation of privilege (EoP) vulnerability in all supported versions of Microsoft’s Windows operating system.

Fourth Zero-Day Vulnerability (CVE-2017-0222)

Another zero-day vulnerability affects Internet Explorer 10 and 11 and resides in how Internet Explorer handles objects in memory.

Reference: http://thehackernews.com/2017/05/patch-windows-zero-days.html

Microsoft Malware Protection Engine Remote Code Execution Vulnerability- CVE-2017-0290

Overview

The update addresses a vulnerability that could allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file. An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the Local System account and take control of the system.

Who are affected?

The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected.

  • Microsoft Forefront Endpoint Protection 2010
  • Microsoft Endpoint Protection
  • Microsoft Forefront Security for SharePoint Service Pack 3
  • Microsoft System Center Endpoint Protection
  • Microsoft Security Essentials
  • Windows Defender for Windows 7
  • Windows Defender for Windows 8.1
  • Windows Defender for Windows RT 8.1
  • Windows Defender for Windows 10, Windows 10 1511,
  • Windows 10 1607, Windows Server 2016, Windows 10 1703
  • Windows Intune Endpoint Protection

Microsoft Malware Protection Engine Remote Code Execution Vulnerability – CVE-2017-0290

An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. To exploit this vulnerability, a specially crafted file must be scanned by an affected version of the Microsoft Malware Protection Engine.

There are many ways that an attacker could place a specially crafted file in a location that is scanned by the Microsoft Malware Protection Engine. For example, an attacker could use an email message or in an Instant Messenger message, websites that accept or host user-provided content, to upload a specially crafted file to a shared location that is scanned by the Malware Protection Engine running on the hosting server.

Who are affected?

All systems running an affected version of antimalware software are primarily at risk.

Reference: https://technet.microsoft.com/en-us/library/security/4022344.aspx

To know more, use ZNetLive’s 24×7 Member Panel for immediate resolution.