Cyber security aggregate rss news

Cyber security aggregator - feeds history


 Business

Most security solutions for small and medium-size businesses exist simply to prevent malware from running on a workstation or server — and for years, that was enough. As long as an organization could detect cyberthreats on end devices, it could arrest the spread of infection over its network and thus protect the corporate infrastructure. Times change. A typical modern cyberattack is not an isolated incident on one employee’s computer but a complex operation affecting a sizable portion of the infrastructure. Therefore, minimizing the damage of a modern cyberattack requires not just blocking malware, but also quickly understanding what happened, how it happened, and where it could happen again.

What’s changed

Modern cybercrime has evolved such that even a small company might reasonably fall prey to a full-featured, targeted attack. To some extent, that’s a result of the increasing availability of the tools needed for a complex, multistage attack. Also, however, criminals always try to maximize their profit-to-effort ratio, and ransomware operators really stand out in that regard. Lately, we’ve seen true research and lengthy preparation for ransomware operations. Sometimes, operators lurk in a target network for weeks, exploring the infrastructure and stealing vital data before striking with encryption and ransom demands. A small business may instead serve as an intermediate target in a supply-chain attack — attackers sometimes use the infrastructure of a contractor, an online service provider, or a small partner to assault a larger organization. In such cases, they may even exploit zero-day vulnerabilities, which is normally a costly option.

Understanding what happened

Ending a complex, multilevel attack requires a clear picture of how an attacker penetrated the infrastructure, how much time they spent inside, which data they may have accessed, and so forth. Simply deleting malware would be akin to treating a disease’s symptoms without addressing its causes. In enterprise-level companies, the SOC, IS department, or an outside party performs such investigations. Big companies use EDR-class solutions for that. Limited budgets and staff tend to place those options out of reach of a small business. Small businesses still need specialized tools, though, to help them respond promptly to complex threats.

Kaspersky Endpoint Security Cloud with EDR

Setting up our SMB solution with EDR functionality doesn’t take a security expert — the updated Kaspersky Endpoint Security Cloud Plus offers improved visibility of the infrastructure. The administrator can quickly identify the paths a threat uses to spread, view detailed info on affected machines, quickly view the details of malicious files, and see where else the files are currently used. That helps admins promptly detect all threat hot spots, block the execution of dangerous files, and isolate affected machines, thus minimizing potential damage. While we monitor the tool’s usage to determine its relevance in the field, we’ve made EDR functionality available through 2021 to users of Kaspersky Endpoint Security Cloud Plus in test mode. You can learn more and order a trial version here.


 Business

Kaspersky researchers have found a zero-day vulnerability (CVE-2021-28310) in a Microsoft Windows component called Desktop Window Manager (DWM). We believe several threat actors have already exploited the vulnerability. Microsoft just released the patch, and we suggest applying it immediately. Here’s why.

What is Desktop Window Manager?

Pretty much everyone is familiar with the windowed interface of modern operating systems: each program opening in a separate window that doesn’t necessarily take up the whole screen. Windows may overlap, for example, one casting a shadow over others as if it were physically blocking the light. In Microsoft Windows, the component responsible for rendering features such as shadows and transparency is Desktop Window Manager. To understand why Desktop Window Manager is important in a cybersecurity context, consider that programs don’t just draw their windows on the screen; they put the necessary information in a buffer. Desktop Window Manager grabs that information from each program’s buffer and creates the overall composite view that the user sees. When a user moves one window over another, the open programs don’t know anything about whether their windows should be casting a shadow or having a shadow cast on them, for example. Desktop Window Manager does that job, and as such it is a key service in Windows that has existed in every version of Windows since Vista — and cannot be deactivated in Windows 8 or later versions.

Desktop Window Manager’s vulnerability

The vulnerability our advanced exploit prevention technology discovered is an elevation of privilege vulnerability. That means a program can trick Desktop Window Manager into giving it access that it shouldn’t have. In this case, the vulnerability allowed the attackers to execute arbitrary code on victims’ machines — it essentially gave them full control over the computers.

How to avoid CVE-2021-28310 exploitation

It’s critical to act quickly. Here’s what you can do:
Install the patches Microsoft released on April 13, immediately and on all vulnerable computers;
Protect all of your devices with a robust security solution such as Kaspersky Endpoint Security for Business, whose advanced exploit prevention component blocks attempts to exploit CVE-2021-28310.


 Time to Patch

Microsoft today released updates to plug at least 110 security holes in its Windows operating systems and other products. The patches include four security fixes for Microsoft Exchange Server — the same systems that have been besieged by attacks on four separate (and zero-day) bugs in the email software over the past month. Redmond also patched a Windows flaw that is actively being exploited in the wild.

Nineteen of the vulnerabilities fixed this month earned Microsoft’s most-dire “Critical” label, meaning they could be used by malware or malcontents to seize remote control over vulnerable Windows systems without any help from users.

Microsoft released updates to fix four more flaws in Exchange Server versions 2013-2019 (CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, CVE-2021-28483). Interestingly, all four were reported by the U.S. National Security Agency, although Microsoft says it also found two of the bugs internally. A Microsoft blog post published along with today’s patches urges Exchange Server users to make patching their systems a top priority.

Satnam Narang, staff research engineer at Tenable, said these vulnerabilities have been rated ‘Exploitation More Likely’ using Microsoft’s Exploitability Index. “Two of the four vulnerabilities (CVE-2021-28480, CVE-2021-28481) are pre-authentication, meaning an attacker does not need to authenticate to the vulnerable Exchange server to exploit the flaw,” Narang said. “With the intense interest in Exchange Server since last month, it is crucial that organizations apply these Exchange Server patches immediately.”

Also patched today was a vulnerability in Windows (CVE-2021-28310) that’s being exploited in active attacks already. The flaw allows an attacker to elevate their privileges on a target system. “This does mean that they will either need to log on to a system or trick a legitimate user into running the code on their behalf,” said Dustin Childs of Trend Micro. “Considering who is listed as discovering this bug, it is probably being used in malware. Bugs of this nature are typically combined with other bugs, such as a browser bug or PDF exploit, to take over a system.”

In a technical writeup on what they’ve observed since finding and reporting attacks on CVE-2021-28310, researchers at Kaspersky Lab noted the exploit they saw was likely used together with other browser exploits to escape “sandbox” protections of the browser. “Unfortunately, we weren’t able to capture a full chain, so we don’t know if the exploit is used with another browser zero-day, or coupled with known, patched vulnerabilities,” Kaspersky’s researchers wrote.

Allan Laska, senior security architect at Recorded Future, notes that there are several remote code execution vulnerabilities in Microsoft Office products released this month as well. CVE-2021-28454 and CVE-2021-28451 involve Excel, while CVE-2021-28453 is in Microsoft Word and CVE-2021-28449 is in Microsoft Office. All four vulnerabilities are labeled by Microsoft as “Important” (not quite as bad as “Critical”). These vulnerabilities impact all versions of their respective products, including Office 365.

Other Microsoft products that got security updates this month include Edge (Chromium-based), Azure and Azure DevOps Server, SharePoint Server, Hyper-V, Team Foundation Server, and Visual Studio. Separately, Adobe has released security updates for Photoshop, Digital Editions, RoboHelp, and Bridge.

It’s a good idea for Windows users to get in the habit of updating at least once a month, but for regular users (read: not enterprises) it’s usually safe to wait a few days until after the patches are released, so that Microsoft has time to iron out any kinks in the new armor. But before you update, please make sure you have backed up your system and/or important files. It’s not uncommon for a Windows update package to hose one’s system or prevent it from booting properly, and some updates have been known to erase or corrupt files. So do yourself a favor and back up before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once. And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.

 Breaches and Incidents

An email sent by LogicGate to customers earlier this month said on February 23 an unauthorized third party obtained credentials to its AWS-hosted cloud storage servers storing customer backup files for its flagship platform Risk Cloud.

 Breaches and Incidents

Threat actors struck the Australian island state's sole casino operator Federal Group with ransomware. The attack affected hotel booking systems in the company's Wrest Point and Country Club venues, sited in Sandy Bay and Launceston, respectively.

 Govt., Critical Infrastructure

The pandemic has forced state and local governments to shift so much of their operations and provision of services online, but their technology has often struggled to keep up, and even worse it has exposed their cybersecurity vulnerabilities.

 Malware and Vulnerabilities

A new malicious package has been spotted on the npm registry, which targets NodeJS developers using Linux and Apple macOS operating systems. The malicious package is called "web-browserify," and imitates the popular Browserify npm component.

 Malware and Vulnerabilities

The underlying loophole abuses a lapse in security of two independent WhatsApp processes, according to Forbes, which quoted research by Luis Márquez Carpintero and Ernesto Canales Pereña.

 Feed

Red Hat Security Advisory 2021-1195-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector, the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library. Issues addressed include bypass and null pointer vulnerabilities.

 Feed

Red Hat Security Advisory 2021-1197-01 - The libldb packages provide an extensible library that implements an LDAP-like API to access remote LDAP servers, or use local TDB databases. Issues addressed include an out of bounds read vulnerability.

 Feed

URLCrazy is a tool that can generate and test domain typos and variations to detect and perform typo squatting, URL hijacking, phishing, and corporate espionage. It generates 15 types of domain variants, knows over 8000 common misspellings, supports multiple keyboard layouts, can check if a typo is a valid domain, tests if domain typos are in use, and estimates the popularity of a typo.

 Feed

Red Hat Security Advisory 2021-1196-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector, the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library. Issues addressed include bypass and null pointer vulnerabilities.

 Feed

Red Hat Security Advisory 2021-1169-01 - The ovirt-engine package provides the manager for virtualization environments. This manager enables admins to define hosts and networks, as well as to add storage, create VMs and manage user permissions. Issues addressed include code execution, cross site scripting, and denial of service vulnerabilities.

 Feed

Red Hat Security Advisory 2021-1016-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.5.37. Issues addressed include a denial of service vulnerability.

 Feed

Red Hat Security Advisory 2021-1184-01 - The ovirt-hosted-engine-setup package provides a self-hosted engine tool for the Red Hat Virtualization Manager. A self-hosted engine is a virtualized environment in which the Manager runs on a virtual machine on the hosts managed by the Manager. Bug Fix: In this release, it is now possible to enter a path to the OVA archive for local appliance installation using the cockpit-ovirt UI. Previously, following a successful migration on the Self-hosted Engine, the HA agent on the source host immediately moved to the state EngineDown and, shortly thereafter, tried to start the engine locally if the destination host didn't update the shared storage quickly enough to mark the Manager virtual machine as being up. As a result, starting the virtual machine failed due to a shared lock held by the destination host. This also resulted in generating false alarms and notifications. In this release, the HA agent first moves to the state EngineMaybeAway, providing the destination host more time to update the shared storage with the updated state. As a result, no notifications or false alarms are generated. Note: in scenarios where the virtual machine needs to be started on the source host, this fix slightly increases the time it takes the Manager virtual machine on the source host to start.

 Feed

Red Hat Security Advisory 2021-1189-01 - The redhat-virtualization-host packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks. The ovirt-node-ng packages provide the Red Hat Virtualization Host. These packages include redhat-release-virtualization-host, ovirt-node, and rhev-hypervisor. Red Hat Virtualization Hosts are installed using a special build of Red Hat Enterprise Linux with only the packages required to host virtual machines. RHVH features a Cockpit user interface for monitoring the host's resources and performing administrative tasks. Issues addressed include bypass and null pointer vulnerabilities.

 Feed

Red Hat Security Advisory 2021-1186-01 - The ovirt-engine package provides the manager for virtualization environments. This manager enables admins to define hosts and networks, as well as to add storage, create VMs and manage user permissions. Bug Fix: Previously, saving user preferences in the Red Hat Virtualization Manager required the MANIPULATE_USERS permission level. As a result, user preferences were not saved on the server. In this release, the required permission level for saving user preferences was changed to EDIT_PROFILE, which is the permission level assigned by default to all users. As a result, saving user preferences works as expected. Issues addressed include a cross site scripting vulnerability.

 Feed

Ubuntu Security Notice 4905-1 - Jan-Niklas Sohn discovered that the X.Org X Server incorrectly handled certain lengths of XInput extension ChangeFeedbackControl requests. An attacker could use this issue to cause the server to crash, resulting in a denial of service, or possibly execute arbitrary code.

 Feed

Google on Tuesday released a new version of Chrome web-browsing software for Windows, Mac, and Linux with patches for two newly discovered security vulnerabilities for both of which it says exploits exist in the wild, allowing attackers to engage in active exploitation. One of the two flaws concerns an insufficient validation of untrusted input in its V8 JavaScript rendering engine (

 Feed

In its April slate of patches, Microsoft rolled out fixes for a total of 114 security flaws, including an actively exploited zero-day and four remote code execution bugs in Exchange Server. Of the 114 flaws, 19 are rated as Critical, 88 are rated Important, and one is rated Moderate in severity. Chief among them is CVE-2021-28310, a privilege escalation vulnerability in Win32k that's said to be

 Feed

One of the biggest consequences of the rapidly evolving cybersecurity threat landscape is that defenses must constantly build bigger systems to defend themselves.  This leads to both more complex systems and often less communication between them. More importantly, it can lead companies to invest in disparate “best in class” components instead of finding the best fit for their needs. The constant

 Feed

Facebook-owned WhatsApp recently addressed two security vulnerabilities in its messaging app for Android that could have been exploited to execute malicious code remotely on the device and even compromise encrypted communications. The flaws take aim at devices running Android versions up to and including Android 9 by carrying out what's known as a "man-in-the-disk" attack that makes it possible

 Feed

Academics from Vrije University in Amsterdam and ETH Zurich have published a new research paper describing yet another variation of the Rowhammer attack. Dubbed SMASH (Synchronized MAny-Sided Hammering), the technique can be used to successfully trigger the attack from JavaScript on modern DDR4 RAM cards, notwithstanding extensive mitigations that have been put in place by manufacturers over the

 Business + Partners

In the United States, there are approximately 350,000 companies contracting for the Department of Defense. Each of these companies has to meet varying degrees of compliance and is now subject to the Cybersecurity Maturity Model Certification (CMMC). Effectively, CMMC means that before a DoD contractor can execute on their contract, they have to receive an independent, third-party verification certifying whether they meet the correct security and compliance criteria. The process is expensive and it’s pass/fail.

F1 Solutions, an MSP based in Huntsville, Alabama, has been working to align their security stack to the CMMC guidelines to help ensure that all of their customers, whether DoD contractors or otherwise, benefit from the comprehensive level of security the regulation requires. DNS protection, in particular, is a must-have under these rules. With over 5,000 endpoints under management, F1 has set itself quite a task. But with cyber resilience solutions from Webroot in their security stack, they’re up to the challenge.

“Of all our clients on our full stack (about 140), we’ve never had a client fall victim to cryptojacking or any significant virus, for that matter, unless the system was not using part or all of our stack or being managed by us. That’s pushing 5,000 endpoints, including all servers, terminal servers, Macs and PCs.” – James VanderWier, CEO, F1 Solutions

Hear how F1’s overall security and compliance offering changed for the better since they made the switch to Webroot endpoint security solutions in F1 CEO James VanderWier’s video testimonial. Watch the video: https://vimeo.com/487018201

The post What Real Security and Compliance Look like when Managing 5000+ Endpoints appeared first on Webroot Blog.

2021-04
Aggregator history
Wednesday, April 14