Microsoft Hijacks Necurs Botnet that Infected 9 Million PCs Worldwide


Microsoft today announced that it has successfully disrupted the botnet network of the Necurs malware, which has infected more than 9 million computers globally, and also hijacked the majority of its infrastructure.

The latest botnet takedown was the result of a coordinated operation involving international police and private tech companies across 35 countries.

The operation succeeded after researchers broke the domain generation algorithm (DGA) implemented by the Necurs malware, which had helped it remain resilient for a long time.

DGA is basically a technique to unpredictably generate new domain names at regular intervals, helping malware authors to continuously switch the location of C&C servers and maintain undisrupted digital communication with the infected machines.

“We were then able to accurately predict over six million unique domains that would be created in the next 25 months. Microsoft reported these domains to their respective registries in countries around the world so the websites can be blocked and thus prevented from becoming part of the Necurs infrastructure,” Microsoft said.
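The defensive value of breaking a DGA is that, once the seed and the mixing function are known, a defender can walk the generator forward and register or block the domains before the malware ever uses them. The following Python is an added illustration of that principle and is not Necurs's algorithm or Microsoft's code: the seed, the SHA-256 mixing, the day-granularity schedule, the TLD set and the start date are all constructed for the example.

```python
import hashlib
from datetime import date, timedelta
from typing import List, Set

# Constructed, illustrative seed and schedule. A real sample's seed and mixing
# function must be recovered by reverse engineering; nothing here is Necurs's DGA.
SAMPLE_SEED = b"illustrative-seed"
DEMO_START = date(2020, 3, 10)          # constructed start date for the walk-forward
TLDS = ("com", "net", "org", "info")


def toy_dga(seed: bytes, day: date, count: int = 4) -> List[str]:
    """Derive `count` deterministic domains for one calendar day.

    Malware and defender compute the same names from (seed, day); that shared
    determinism is exactly what makes the domains predictable in advance.
    """
    domains = []
    for index in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([index])).digest()
        length = 8 + digest[0] % 8                           # label length 8..15
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def precompute_domains(seed: bytes, start: date, days: int) -> Set[str]:
    """Walk the generator forward `days` days and collect every domain it will use.

    This is the set a defender hands to registries or loads into a DNS blocklist.
    """
    predicted: Set[str] = set()
    for offset in range(days):
        predicted.update(toy_dga(seed, start + timedelta(days=offset)))
    return predicted


def classify_queries(queries: List[str], predicted: Set[str]) -> List[str]:
    """Return the queried names that fall in the precomputed set.

    Matching is case-insensitive and tolerates a trailing dot, as DNS logs often
    record fully qualified names.
    """
    return [q for q in queries if q.lower().rstrip(".") in predicted]


if __name__ == "__main__":
    blocklist = precompute_domains(SAMPLE_SEED, DEMO_START, 30)
    print(f"{len(blocklist)} domains predicted for the 30 days from {DEMO_START}")
    # Constructed DNS queries: one predicted name, one benign name
    sample_queries = [toy_dga(SAMPLE_SEED, DEMO_START + timedelta(days=5))[0], "example.com"]
    print("matches:", classify_queries(sample_queries, blocklist))
```

The walk-forward is cheap (a few hashes per day), which is why the quoted figure of six million domains over 25 months is feasible once the algorithm is known; the expensive part is the reverse engineering, not the prediction.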

Additionally, with the help of court orders, Microsoft has also obtained control over the U.S.-based infrastructure Necurs uses to distribute malware and infect victim computers.


“By taking control of existing websites and inhibiting the ability to register new ones, we have significantly disrupted the botnet.”

First detected in 2012, Necurs is one of the world’s most prolific spam botnets. It infects systems with banking malware, cryptojacking malware and ransomware, and then further abuses them to send out massive amounts of spam emails to new victims.

To avoid detection and maintain persistence on targeted computers, Necurs utilizes its kernel-mode rootkit that disables a large number of security applications, including Windows Firewall.

Necurs drew the most attention in 2017, when it started spreading the Dridex banking trojan and Locky ransomware at a rate of 5 million emails per hour to computers across the globe.

“From 2016 to 2019, it was the most prominent method to deliver spam and malware by criminals and was responsible for 90% of the malware spread by email worldwide,” researchers at BitSight said in a separate report published today.

“During 58 days of investigation, for example, we observed that one Necurs-infected computer sent a total of 3.8 million spam emails to over 40.6 million potential victims,” Microsoft said.

In some cases, the attackers even started blackmailing victims for a ransom claiming that they have knowledge of their extramarital affairs and threatened to send proof to the victim’s spouse, family, friends, and co-workers.

According to the latest stats published by researchers, India, Indonesia, Turkey, Vietnam, Mexico, Thailand, Iran, the Philippines, and Brazil are the top countries that have been hit by the Necurs malware.

“I’ve bounced back!”


If ransomware were a person, it would be Alan Partridge: it just keeps bouncing back!

I have been speaking about this very annoying yet simple-to-fix problem since 2015. Just a reminder: it’s 2019 and ransomware still dominates news headlines and vendor talk tracks. Fair warning, this article is loaded with Partridge quotes, sorry…

I recall speaking in Boston at ZertoCON 2015, 2016 and 2017, deep diving into how ransomware works and throwing out scary statistics like “50% of organizations believe they are not prepared to combat a ransomware attack”, and guess what, those predictions are still here today. I do think the scare tactics were a bit Alan Partridge:

“The temperature inside this apple turnover is over 1,000 degrees. If I squeeze it, a jet of molten bramley apple will squirt out. Could go your way; could go mine. Either way, one of us is going down.”

  • A new organization will fall victim to ransomware every 14 seconds in 2019, and every 11 seconds by 2021. (Source: Cyber Security Ventures)
  • 1.5 million new phishing sites are created every month. (Source: webroot.com)
  • Ransomware attacks have increased over 97 percent in the past two years. (Source: Phishme)
  • A total of 850.97 million ransomware infections were detected by the institute in 2018.
  • 34% of businesses hit with malware took a week or more to regain access to their data. (Source: Kaspersky)
  • In 2019 ransomware from phishing emails increased 109 percent over 2017. (Source: PhishMe)

And it goes on…….

  • An IBM study suggested that over a quarter of all companies would pay more than $20,000 to hackers to retrieve data that had been stolen.
  • Ransomware generates over $25 million in revenue for hackers each year. (Source: Business Insider)
  • The NotPetya ransomware attack cost FedEx $300 million in Q1 2017. (Source: Reuters)
  • More than half of ransoms were paid bitcoin.
  • The average ransom demand increased in 2018 to $1,077.
  • Ten percent of all ransom demands are over $5,000. (Source: Datto)
  • Fewer than a third of organizations who pay the ransom receive all of their money back. (Source: Courant)
  • 97% of United States companies refused to pay a ransom. 75% of Canadian companies paid, followed by 22% of German businesses and 58% in the UK.

And on…….

  • 81 % of cybersecurity experts believe there will be a record number of ransomware attacks in 2019. (Source: CIO Dive)
  • McAfee analysts suggest that individuals with a large number of connected devices and a high net worth are some of the most attractive targets.
  • Attacks against Linux and Macs are expected to rise, according to IT Security Guru.
  • The average costs of data breaches will reach into the hundreds of millions of dollars by 2020. (Source: Juniper Research)
  • Recent studies have shown that ransomware attacks are increasing more than 300% year over year. (dimensiondata.com)
  • Cybercriminals will target SaaS (Software as a Service) and cloud computing businesses, which store and secure private data. (Source: Massachusetts Institute of Technology)
  • The cyber security research body suggests that ransomware damage costs will rise to $11.5 billion in 2019.
  • Mobile malware, banking malware, and ransomware are the primary threats to expect in 2019 according to Fortinet.
  • The Internet of Things (IoT) is primed to revolutionize life for businesses and consumers alike. However, the inherent vulnerability of this nascent technology can leave it wide open to ransomware attacks. A report by Kaspersky Lab indicated that new malware targeting IoT enabled devices grew threefold in 2018. Since 2017, the number of IoT focused malware attacks rose 10x from 2016.

“Needless to say, I had the last laugh”

And even crazier, some organizations have now been paying attackers their ransom to release / un-encrypt their systems. That is beyond comprehension in my book. It is annoying that, after all that has happened with ransomware, it still actually exists.

Attackers used to deliver / distribute malware with a spray and pray approach; certainly since “WannaCry” they have got smarter and target organizations with legacy IT systems and security practices, essentially anyone they think is vulnerable and holds critical data. Unfortunately, companies that fit that profile are often in the public eye, such as government or public organizations, and the end result is that Alan keeps bouncing back! Just look at the recent infrastructure targets within cities and towns; see the post here explaining the Bruce Willis one if you are interested.

There have also been cases where Ransomware is used to mask a wider breach or data theft.

What is even more annoying is that everyone jumps to recovery solutions and front-end protection solutions, with little thought about what they could do today within their environment to minimize risk across people and technology; see my very outdated post here.

“Because I’m a soft target. They’re not going to go for the Prime Minister, he’s surrounded by bouncers. Yet everyone knows I will be in Swaffham at 3pm”

This has been more of a rant than a factual post, so I do apologize; I just do not see progress in our ability to deal with ransomware, and watching companies be struck by it is annoying. Ransomware will continue targeting soft targets. What we should be asking is why these attacks happened in those organizations and/or whether it was a smokescreen for something else, not whether to pay the ransom!

Like Alan’s book “Bouncing back” I sincerely hope ransomware gets pulped soon, although if you are interested it is still available in second hand shops in the Norfolk area.

See you on the horizon no doubt ransomware!


Vidar & Grandcrab will steal your wallet and lock you out!

A data theft and ransomware double whammy has been discovered. In short, it searches for files containing personal information, sends them to C&C servers and then, just for good measure, encrypts your machine, so you get robbed and then locked out! I am not surprised these two methods have been combined; it had me wondering why it took so long for someone to combine the two. Full blurb below:


The software nasty, bestowed the moniker Vidar, combines the GandCrab ransomware with parts of the Arkei data-harvesting trojan to create a two-pronged attack that, on infected Windows PCs, first copies documents to outside servers, then locks away that personal information with a ransom demand.

According to Malwarebytes researcher Jerome Segura, the infection has been spreading in the wild via malicious advertising being piped into torrent and video streaming sites. The poisoned ads redirect users to a server hosting two exploit kits, Fallout EK and GrandSoft EK, which try to worm their way onto the target’s computer.

Should the exploit kit succeed in breaking in, it launches the data-stealing component of the infection. Segura said that the data-slurper, which looks to lift things like payment card numbers, site passwords, and cryptocoin wallets, is easy to mistake for the Arkei malware.

“Upon closer look, while the sample did share a lot of similarities with Arkei (including network events), it was actually a newer and, at the time, not yet publicly described piece of malware now identified as Vidar,” Segura explained.

After looking to scrape whatever valuable data it can find from the victim’s machine, the Vidar infection then dials up a control server and launches its second phase: the Gandcrab ransomware.

If the Vidar infection has been set up to give out the ransomware, the victim’s machine will then be locked off and the wallpaper changed to a notification on how to pay in order to get the files unencrypted.

Segura says the entire process, from loading up the malicious ad to stealing the data and encrypting all of the victim’s files, takes roughly one minute to complete. The researcher suspects that, in this case, Vidar is using the ransomware as cover for its data-harvesting components.

The idea is that the victim will be so concerned with cleaning up the Gandcrab malware infection that they won’t notice the malware was also lifting their passwords, payment card numbers, and unique system configuration information.

“Threat actors can use ransomware for a variety of reasons within their playbook. It could be, for instance, a simple decoy where the real goal is to irreversibly corrupt systems without any way to recover lost data,” Segura said.

“But as we see here, it can be coupled with other threats and used as a last payload when other resources have already been exhausted.”

Nasty stuff!


The world’s dumbest ransomware!


A new ransomware called CommonRansom has been discovered that makes a very bizarre request. In order to decrypt a computer after a payment is made, the attackers require the victim to open up Remote Desktop Services on the affected computer and send them admin credentials so they can decrypt the victim’s files. Yup, you read that right: let’s give access to an infected machine over RDP! Just brilliant……………………………

CommonRansom was discovered by Michael Gillespie after a victim uploaded a ransom note and an encrypted file to his ID Ransomware service.

When encrypting a victim’s computer, it will append the .[old@nuke.africa].CommonRansom extension to encrypted files. It will also create a ransom note named DECRYPTING.txt, which is displayed below.


In this ransomware’s bizarre request, the attacker is telling victims to pay 0.1 btc and then send an email to old@nuke.africa with the following information:

1. This ID-[VICTIM_ID]
2. [IP_ADDRESS]:PORT(rdp) of infected machine
3. Username:Password with admin rights
4. Time when you have paid 0.1 btc to this bitcoin wallet:
35M1ZJhTaTi4iduUfZeNA75iByjoQ9ibgF

This is where it gets crazy: sure, Mr Cyber Criminal whom I trust 100%, go ahead and have admin rights in my environment!

While we have not been able to find a sample of the actual ransomware as of yet, the one ransom note we have seen is utilizing the 35M1ZJhTaTi4iduUfZeNA75iByjoQ9ibgF bitcoin address, which has seen some activity in the past.


Of particular interest is a transaction of 65 bitcoins being sent from this address to the 1CnCfvUTFQf11QNeBEpk29rRXfNFg75R9n bitcoin address, which has received over 11,000 bitcoin addresses. The 1CnCfvUTFQf11QNeBEpk29rRXfNFg75R9n address could be being used as a mixer to make it harder for law enforcement to track these bitcoins.

When we locate a sample of this ransomware, we will update this article with more information.


IOCs

Associated Files:

DECRYPTING.txt

Ransom Note Text:

+-----------------------+
¦----+CommonRansom+-----¦
+-----------------------+
Hello dear friend,
Your files were encrypted!
You have only 12 hours to decrypt it
In case of no answer our team will delete your decryption password
Write back to our e-mail: old@nuke.africa


In your message you have to write:
1. This ID-[VICTIM_ID]
2. [IP_ADDRESS]:PORT(rdp) of infected machine
3. Username:Password with admin rights
4. Time when you have paid 0.1 btc to this bitcoin wallet:
35M1ZJhTaTi4iduUfZeNA75iByjoQ9ibgF


After payment our team will decrypt your files immediatly


Free decryption as guarantee:
1. File must be less than 10MB
2. Only .txt or .lnk files, no databases
3. Only 5 files


How to obtain bitcoin:
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
https://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
http://www.coindesk.com/information/how-can-i-buy-bitcoins/

Overthinking, Thinking about Thinking…

I previously wrote this article, and while I was writing it I was wondering: do I think too much? Am I thinking about thinking? Welcome to over-thinking…

Does your brain go at 1 million miles per hour, bouncing between one thought and the next? Over-thinking is a common issue these days and most of us do not even know we have it. Fortunately I have the cure: “Every once in a while, look out the f*****g window.”

A cat looking out the window, as why not! 

I have actually been thinking probably over thinking on posting this blog since my girlfriend was in the hospital about to give birth to our first born which was 3 months ago now and in classic tradition my mind was wandering. At first glance that may seem a bad trait, yet reading Adrian Newey’s book “how to build a car” over Xmas I could relate a lot to the great F1 designer, he had a passion and he could not switch it off, and it was often in times of relative surprise he found answers to his most challenging design problems.

Now far be it from me on this blog to write above my station, yet I do genuinely suffer from overthinking, a small tiny detail can keep me awake at night and it will not go away until my brain has cycled every possibility of what that detail was. Sometimes to my amazement I actually get the answer. Back to my point look out the f*****g window!

I can only relate to my role and industry but I digest so much information on a daily basis, deal with so many different scenarios that I am mostly a passenger, and then in the evening a little thought comes to the front of my mind asking “Were you correct there?”

Some claim over-thinkers are insecure or not good at their role. I highly question that: without reflection and over-thinking, how do you improve? On the suggestions of others, constantly? A vital part of pre-sales is to question yourself, and if you do not then frankly you’re doing it wrong.

Constant rumination could be a sign of intelligence.

It’s actually a good thing, see, I told you… if you think a lot it means you do not switch off, and you think about what is going on.

While this is frustrating at times, lying staring at the ceiling or staring at my phone blankly, I can tell you this is also a gift! If you do not question / analyze what you have acted on, then you will never know if that was correct until someone corrects you.

Some science: Meta-cognition is the ability to think about thinking, and while that may sound crazy let me give you a real world example. “A lack of meta-cognition sets up a vicious loop in which people who do not know much about a subject, do not know when they are in over their head” This is a dangerous trait and one you should avoid.

I read this in Michael Hayden’s latest book “The Assault on Intelligence”. The book is mostly about Mr Trump, and in it Hayden argues that Mr Trump is dangerous as he does not appear to have meta-cognition; just watch some videos of him! So thinking about thinking is actually a thing!

This now may explain the image at the top of this post

I should note I am not a political person, I just found it interesting in Hayden’s book on Trump and it kind of related, and well its Trump!

In the world of a pre-sales engineer you are hit with a barrage of tasks on a daily basis. It’s easy to become swamped, become frustrated, voice concern, shout, hit your desk, scream that someone’s software, solution, proposal, or all of the above is rubbish. Yet I have found the answer for the over-thinkers out there, you guessed it: look out the f*****g window.

Over-thinkers, by the way, are some of the smartest and most successful people; it just needs to be harnessed. For a healthy brain: live, exercise, take a break, see friends, have a work-life balance, switch off before bed, throw your phone away…………. WhatsApp can wait, believe me, it doesn’t care, and if you respond you will be in a tangle of messages which will last until midnight.

Serious note: if you have read this and relate to it, over-thinking leads to stress, digestive problems and high blood pressure, so get it under control. De-tune, let Donald Trump run Twitter for a while and, you know what, Trump will still be news in the morning. It is about discipline: go back to basics and remove all distractions, Instagram, Facebook, email, WhatsApp, Twitter etc. They will not help.

While over-thinking is great, balance is better. Just now I am on a train to London and I have spent almost an hour reading a book (The Assault on Intelligence) and staring out the window when I thought I should write this, as it seemed an apt point. Finally, to that point, if I was asked what a good trait of a pre-sales engineer is, I would state “Must be an over-thinker but enjoy looking out the f*****g window”.

Anyway back to over-thinking….

Install a wireless adapter on Kali Linux

I have been doing a course recently which requires both Kali Linux and a wireless adapter which supports both “monitor” mode and “packet” mode….no prizes for guessing what kind of course this is.

Anyway, I thought I would post this short write-up on how to install a USB wireless adapter in Kali, as it has its issues. I recently posted this in another forum and it seems to work for most, so I thought I would share.

The wireless adapter chipset is a “Realtek RTL8812AU 2.4 & 5 GHz USB Wireless Adapter”, and my setup is 1 x server running Windows 2016 with VirtualBox 5.2.18 and extension pack 5.2.18 installed, plus Kali Linux 2018.2 x64 (note that these instructions work for all versions).

First time Install

Install the driver package:

sudo apt-get install realtek-rtl88xxau-dkms

Verify it installed correctly by running the command again; it should report that the package is already installed.

  • Power down your Kali Machine
  • Remove the USB adapter
  • Boot until host OS is up and ensure USB is recognized (devices > USB)
  • Start your virtualization platform (mine is Virtual box) in “settings” under “USB” leave the wireless adapter un-checked so it is not available when Kali boots.
    • Note: repeat this whenever you start Kali; for an unknown reason Kali does not like the adapter being present at boot (see below).
sudo apt-get update
sudo apt-get upgrade

If the “upgrade” fails as mine did then try with the below key:

sudo apt-key adv --keyserver hkp://keys.gnupg.net --recv-keys 7D8D0BF6

Add in USB adapter – In “Virtual Box” this is top menu bar “devices” > “USB” > and select your adapter


Note the failed upgrade is what seemed to stall my installation heavily so the above is key.

Note that even once the adapter is added, the commands below do not show it, so the network manager needs to be restarted:

ifconfig
iwconfig

To restart network manager follow the below:

sudo systemctl restart network-manager

Now if you try to list USB devices attached to the machine you should get a list as pictured below:

lsusb

If you now run the below commands you can see the adapter registered:

iwconfig
ifconfig

You can then go ahead and change your MAC address and switch your network adapter in to monitor mode, for example:

ifconfig wlan0 down
macchanger --random wlan0
ifconfig wlan0 up

and

ifconfig wlan0 down 
iwconfig wlan0 mode monitor 
ifconfig wlan0 up 
iwconfig

Restarting Kali Machine

So that covers the first-time install, but you will find that even when you restart Kali the adapter is not recognized and your iwconfig commands return nothing. To get around this it’s simple, just follow the steps below:

  • Start Kali without the USB attached (under devices > USB)
  • Wait for Kali to boot and log in
  • Add the USB device, then restart the network manager:
sudo systemctl restart network-manager
  • Then run the following to verify the adapter is up and running:
iwconfig
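The last step of both procedures is the same manual check: confirm that a wireless interface now exists and that iwconfig reports the mode you expect. The Python below is an added helper for that verification, not part of the original post or of any Kali tooling. It reads the sysfs layout (`/sys/class/net/<iface>/wireless`, present on Linux for wireless interfaces), parses iwconfig-style text, and reports whether the adapter is in the wanted mode; the iwconfig output embedded in it is constructed for the example, and the `adapter_ready` / `parse_iwconfig` names are this example's own.

```python
import os
import re
import subprocess
from typing import Dict, List

# Constructed iwconfig output (not captured from the original post), used to run offline.
SAMPLE_IWCONFIG = """\
lo        no wireless extensions.

eth0      no wireless extensions.

wlan0     IEEE 802.11  Mode:Monitor  Frequency:2.437 GHz  Tx-Power=20 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:off
"""

IFACE_LINE = re.compile(r"^(\S+)\s+(.*)$")   # interface blocks start in column 0
MODE_FIELD = re.compile(r"Mode:(\S+)")


def wireless_interfaces(sysfs_dir: str = "/sys/class/net") -> List[str]:
    """Names of interfaces that expose a 'wireless' directory in sysfs (Linux only)."""
    if not os.path.isdir(sysfs_dir):
        return []
    return sorted(
        name for name in os.listdir(sysfs_dir)
        if os.path.isdir(os.path.join(sysfs_dir, name, "wireless"))
    )


def parse_iwconfig(text: str) -> Dict[str, str]:
    """Map interface name -> Mode from iwconfig output.

    Interfaces reported as 'no wireless extensions' carry no Mode field and are omitted;
    indented continuation lines belong to the interface above them and are skipped.
    """
    modes: Dict[str, str] = {}
    for line in text.splitlines():
        if not line or line[0].isspace():
            continue
        match = IFACE_LINE.match(line)
        if not match:
            continue
        name, rest = match.groups()
        mode = MODE_FIELD.search(rest)
        if mode:
            modes[name] = mode.group(1)
    return modes


def adapter_ready(present: List[str], iwconfig_text: str, want_mode: str = "Monitor") -> bool:
    """True when at least one present wireless interface reports the wanted mode."""
    modes = parse_iwconfig(iwconfig_text)
    return any(modes.get(name) == want_mode for name in present)


if __name__ == "__main__":
    present = wireless_interfaces()
    try:
        # iwconfig prints wireless interfaces on stdout; missing binary falls back to the sample
        text = subprocess.run(["iwconfig"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        text = SAMPLE_IWCONFIG
    print("wireless interfaces:", present)
    print("modes:", parse_iwconfig(text))
    print("adapter in monitor mode:", adapter_ready(present, text))
```

Run it after the network-manager restart; if `wireless interfaces` is empty the USB pass-through has not taken, and if the mode is `Managed` the `iwconfig wlan0 mode monitor` step still needs doing.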

I hope this helps as it took me a while to get this running and installed, so thought I would share. 


Atlanta reveal their Ransomware Impact

I have recently been presenting at events and used the image above to make a light humorous gesture at the ransomware attack in Atlanta in reference to Die Hard 4 and “hacking a city”. So lets take a look at the Atlanta attack in detail:

How bad was the Atlanta attack?

Well in short “It was not as advertised!”

  • More than 140 applications hit by the attack
  • Around 30% of those applications were mission critical used by either Police or Courts
  • Municipal courts in Atlanta were closed for several weeks during the height of the attack
  • Documents stretching back decades were lost due to this attack
  • Video footage in particular dashboard camera footage used to prosecute has been lost and is unrecoverable.
  • Atlanta has assigned $9.5M to finance its recovery efforts

So in summary, pretty bad! The applications mentioned were down for weeks not days, the actual ransom from Sam Sam was just $51,000. An expenditure of $9.5M in recovery efforts alone is a huge amount.

I hope that Atlanta city are also budgeting for more robust security and have a root cause analysis of why this attack happened.

I have often spoken this year about the fact that ransomware is dead, yet there have been 32 reported attacks this year, some very large and public. I have said this time and time again: ransomware is a silly problem to have, in that it can be stopped easily enough or recovered from easily enough providing some thought has gone into it. When I see a city paying $9.5M in recovery costs it makes me wonder which other governments are actually secure. Quick fact: in a ranking of secure infrastructure, government ranked 16th out of a total of 18 on how secure they are!

So with some ransomware impact in the front of our minds here are my predictions for the remainder of 2018 in regard to ransomware:


I spoke too soon…Zenis Ransomware Strikes

Yesterday I posted about ransomware cutting a rather low-key figure so far in 2018, and then today Zenis strikes! Perfect timing as always! The attack surface is not known yet; researchers came across this and it’s not clear how it is being distributed to targets.

This is a new strain of ransomware discovered this week, and at present there is no way to decrypt Zenis. It does stand out from other ransomware in that it also deletes backups, which is not uncommon for sophisticated ransomware such as Cryptowall4 and Cerber 6, for example. It deletes shadow copies, of course, but also actively hunts for a range of backup files locally and on the network (see below). It is at present thought to be distributed via remote desktop services, but research and investigation is still ongoing.

This is what we know so far:

When executed, the current Zenis Ransomware variant will perform two checks to see if it should begin encrypting the computer. The first check is to see if the file that executed is named iis_agent32.exe, with this check being case insensitive. The other check is to see if a registry value exists called HKEY_CURRENT_USER\SOFTWARE\ZenisService “Active”.

If the registry value exists or the file is not named iis_agent32.exe, it will terminate the process and not encrypt the computer.


If it passes the checks, it will then begin to get the ransom note ready by filling in some information, such as emails and encrypted data.


After that is completed it will execute the following commands to delete the shadow volume copies, disable startup repair, and clear event logs.

cmd.exe /C vssadmin.exe delete shadows /all /Quiet
cmd.exe /C WMIC.exe shadowcopy delete 
cmd.exe /C Bcdedit.exe /set {default} recoveryenabled no 
cmd.exe /C Bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures 
cmd.exe /C wevtutil.exe cl Application 
cmd.exe /C wevtutil.exe cl Security 
cmd.exe /C wevtutil.exe cl System
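The seven commands above are the most detectable moment of the whole infection: shadow-copy deletion, disabling startup repair and clearing event logs are rarely legitimate in quick succession from one parent process. The Python below is an added detection example, not code from the original post or from any vendor product. It runs a small rule set over constructed process-creation events in a simplified `pid|parent_image|command_line` form (the event format and the parent paths are assumptions for the example; the command lines of the first four events mirror the list above) and groups hits by parent so that one process spanning several categories stands out.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed process-creation events (not taken from the original post).
# Format: "pid|parent_image|command_line". The last two are benign controls.
SAMPLE_EVENTS = [
    "4212|C:\\Users\\victim\\iis_agent32.exe|cmd.exe /C vssadmin.exe delete shadows /all /Quiet",
    "4213|C:\\Users\\victim\\iis_agent32.exe|cmd.exe /C WMIC.exe shadowcopy delete",
    "4214|C:\\Users\\victim\\iis_agent32.exe|cmd.exe /C Bcdedit.exe /set {default} recoveryenabled no",
    "4215|C:\\Users\\victim\\iis_agent32.exe|cmd.exe /C wevtutil.exe cl Security",
    "4300|C:\\Windows\\System32\\cmd.exe|cmd.exe /C vssadmin.exe list shadows",
    "4301|C:\\Windows\\explorer.exe|notepad.exe C:\\notes.txt",
]

# (category, pattern). Listing or querying shadow copies is deliberately not matched.
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("event_log_cleared", re.compile(r"\bwevtutil(\.exe)?\s+cl\s+\w+", re.I)),
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed event line into its three fields."""
    pid, parent, cmd = line.split("|", 2)
    return {"pid": pid, "parent": parent, "cmd": cmd}


def tag_command(cmd: str) -> List[str]:
    """Distinct categories whose pattern matches the command line (sorted for stable output)."""
    return sorted({name for name, rx in RULES if rx.search(cmd)})


def scan_events(lines: List[str]) -> List[Tuple[str, str, str]]:
    """All (pid, parent_image, category) hits across the events."""
    hits = []
    for line in lines:
        event = parse_event(line)
        for tag in tag_command(event["cmd"]):
            hits.append((event["pid"], event["parent"], tag))
    return hits


def triage_by_parent(lines: List[str]) -> Dict[str, Set[str]]:
    """Distinct categories seen per parent image."""
    grouped: Dict[str, Set[str]] = {}
    for _pid, parent, tag in scan_events(lines):
        grouped.setdefault(parent, set()).add(tag)
    return grouped


def suspicious_parents(lines: List[str], min_categories: int = 2) -> List[str]:
    """Parents that spanned several categories: the pre-encryption preparation pattern."""
    return sorted(p for p, tags in triage_by_parent(lines).items() if len(tags) >= min_categories)


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(hit)
    print("suspicious parents:", suspicious_parents(SAMPLE_EVENTS))
```

Feeding real process-creation telemetry (for example Sysmon event ID 1 or Windows security event 4688 with command-line auditing enabled) through the same rules is the usual way to turn this into an alert; the grouping step is what keeps a lone administrator running `vssadmin delete shadows` from paging anyone.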

Zenis will then search for various processes and terminate them. The processes terminated are:

sql
taskmgr
regedit
backup

Now that it has prepared the system to its liking, it will begin encrypting the files on the computer. It does this by scanning the drives on the computer for files with certain extensions. If it finds a file that matches one of the following extensions, it will encrypt it using a different AES key for each file.

.txt, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpeg, .png, .csv, .sql, .mdb, .sln, .php, .asp, .aspx, .html, .xml, .psd, .sql, .mp4, .7z, .rar, .m4a, .wma, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .gdb, .tax, .pkpass, .bc6, .bc7, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .p7c, .pk7, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps, .docm, .docx, .doc, .odb, .odc, .odm, .odp, .ods, .odt

When encrypting a file it will change the file name to the format Zenis-[2 random chars].[12 random chars]. For example, test.jpg would be encrypted and renamed to something like Zenis-4Q.4QDV9txVRGh4. The original file name and the AES key used to encrypt the file are encrypted and saved to the end of the file.


When looking for files to encrypt, if it finds files associated with backup files, it will overwrite them three times and then delete them. This is to make it more difficult for the victim to restore files from a backup.


The list of extensions targeted for deletion are:

.win, .wbb, .w01, .v2i, .trn, .tibkp, .sqb, .rbk, .qic, .old, .obk, .ful, .bup, .bkup, .bkp, .bkf, .bff, .bak, .bak2, .bak3, .edb, .stm
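Two facts above are directly usable for scoping an incident: the renamed-file format and the list of backup extensions the malware overwrites. The Python below is an added triage example, not code from the original post. Given a list of paths, it separates encrypted files, ransom notes and backup files that the malware would target, and uses the ransom-note locations (one is dropped in every traversed directory) to approximate the encryption scope. It assumes the two and twelve random characters are alphanumeric, as in the page's own example name; the paths are constructed for the example, and `ntpath` is used so Windows-style paths parse correctly on any OS.

```python
import ntpath
import re
from collections import Counter
from typing import Dict, List

# The post states the renamed form Zenis-[2 random chars].[12 random chars]; the
# example 'Zenis-4Q.4QDV9txVRGh4' is alphanumeric, so that character set is assumed.
ENCRYPTED_NAME = re.compile(r"^Zenis-[A-Za-z0-9]{2}\.[A-Za-z0-9]{12}$")
RANSOM_NOTE = "Zenis-Instructions.html"
# Backup extensions the post lists as overwritten three times and then deleted
WIPED_BACKUP_EXTS = {
    ".win", ".wbb", ".w01", ".v2i", ".trn", ".tibkp", ".sqb", ".rbk", ".qic", ".old", ".obk",
    ".ful", ".bup", ".bkup", ".bkp", ".bkf", ".bff", ".bak", ".bak2", ".bak3", ".edb", ".stm",
}

# Constructed directory listing (not from the original post)
SAMPLE_PATHS = [
    r"C:\Users\victim\Documents\Zenis-4Q.4QDV9txVRGh4",
    r"C:\Users\victim\Documents\Zenis-Instructions.html",
    r"C:\Users\victim\Documents\Zenis-aB.0123456789ab",
    r"C:\Users\victim\Documents\Zenis-4Q.short",      # wrong length: not the Zenis pattern
    r"C:\Users\victim\Pictures\holiday.jpg",
    r"C:\Backups\finance.bak",
    r"C:\Backups\mail.edb",
    r"C:\Backups\Zenis-Instructions.html",
]


def classify_path(path: str) -> str:
    """One of: ransom_note, encrypted, backup_at_risk, other."""
    name = ntpath.basename(path)
    if name == RANSOM_NOTE:
        return "ransom_note"
    if ENCRYPTED_NAME.match(name):
        return "encrypted"
    if ntpath.splitext(name)[1].lower() in WIPED_BACKUP_EXTS:
        return "backup_at_risk"
    return "other"


def triage(paths: List[str]) -> Dict[str, List[str]]:
    """Bucket every path by classification, preserving input order."""
    buckets: Dict[str, List[str]] = {"ransom_note": [], "encrypted": [], "backup_at_risk": [], "other": []}
    for path in paths:
        buckets[classify_path(path)].append(path)
    return buckets


def encrypted_by_directory(paths: List[str]) -> Counter:
    """How many renamed (encrypted) files each directory holds."""
    return Counter(ntpath.dirname(p) for p in paths if classify_path(p) == "encrypted")


def affected_directories(paths: List[str]) -> List[str]:
    """Directories containing a ransom note.

    The note is written into every directory traversed, so this approximates the
    malware's reach even in directories where nothing matched its extension list.
    """
    return sorted({ntpath.dirname(p) for p in paths if classify_path(p) == "ransom_note"})


if __name__ == "__main__":
    result = triage(SAMPLE_PATHS)
    for bucket, items in result.items():
        print(f"{bucket}: {len(items)}")
    print("encrypted per directory:", dict(encrypted_by_directory(SAMPLE_PATHS)))
    print("directories reached:", affected_directories(SAMPLE_PATHS))
```

The `backup_at_risk` bucket is the list to check against offsite or immutable copies first: if those files are still present on the host, the backup-wiping stage had not reached them; if they are gone, the page's advice not to rely on local backups is exactly what decides whether recovery is possible.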

While encrypting, it will also create ransom notes named Zenis-Instructions.html in every file that it traverses. This ransom note contains instructions on how to contact the ransomware developer in order to get their files back. The current email addresses included in the ransom notes are TheZenis@Tutanota.com, TheZenis@MailFence.com, TheZenis@Protonmail.com, and TheZenis@Mail2Tor.com.


The reason they ask for the ransom note is because it contains a hidden base64 encoded string that can be decrypted using the private RSA key that only the ransomware developer has possession of. When this data is decrypted, the ransomware developer can decrypt the sample file sent to them or create a decryptor.



So far that is what is known. Backup, backup, backup! Do not rely on local backups!

Ransomware is Dead……..

It seems we have beaten ransomware and it will never surface again! Okay, maybe not, but let’s be honest, it has been fairly quiet in the news about ransomware, especially after last year’s huge news around #wannacry, #nonpetya etc. But does this mean that ransomware has had its time and is no longer around? Well, let’s look…………….

List of recorded / reported Ransomware attacks of 2018 in North & South America:

January

February

March

That is a fair few, with some big names in there like “All Scripts”, which was a big attack and outage yet had very little air time. But there is little hype around ransomware at present; maybe this is in part due to cryptocurrency mining. Are criminal organizations now making enough money from mining crypto that ransomware is not needed? It will be interesting to watch.

Quick Ransomware Fact

The first ever recorded ransomware virus was written in 1989 and distributed by floppy disk. It targeted AIDS researchers by posing as a questionnaire designed to determine patients’ risk of AIDS; Joseph Popp, the author, distributed 20,000 copies of it to 90 countries. It pretty much behaved like ransomware does today, locking you out of your files for a fee, but with no bitcoin this time: you had to send your money by post, it was the 80’s after all!


So what does 2018 hold for ransomware?

Well, given the above results it is not off to a bad start, is it? This is purely and simply because the ransomware business is so lucrative to cyber criminals and, put simply, there is no shortage of targets. Here are some predictions and talking points for 2018 and ransomware:

  1. RaaS – Ransomware as a service will continue to grow; commercially available off-the-shelf ransomware means less development time, and it’s a service just like the cloud.
  2. As a result of #1, the number of ransomware families will decrease as mainstream RaaS takes over.
  3. Weaponization of AI – well, more machine learning, as we know AI is mostly marketing at the moment. Security firms and researchers have been using machine learning models, neural networks and other AI technologies to better anticipate, classify and take action on attacks. We would be foolish to think that cyber criminal organizations are not doing the same. Welcome to the battle of the machines!
  4. Ransomware as a smoke screen – Ransomware can cause enough disruption in an organization for another attack to be happening at the same time. Think about it: ransomware is an easy way to disrupt an organization for long enough that a group of cyber criminals can obtain from your networks what they want, or deploy what they want. It was widely thought last year that #wannacry was an attack of this kind, but in truth I always thought that attack was a mistake.
  5. New targets – I think large-scale big data systems have gone largely unnoticed in the ransomware world, which is odd when you think that there are over 4,487 HDFS systems connected to the internet with only basic authentication. Last year (Jan 2017) saw 10,500 MongoDB servers hacked. These systems usually carry anywhere between 25TB and 5PB of data, and that data is important!

In conclusion I do not think ransomware is going to go away anytime soon, so keep on following best practices and use the software that is out there to mitigate the risks. I hope no one has to post money off to pay a ransom! – Brilliant!

Please like, share, comment

What have I learnt? A letter to a young pre-sales engineer…

This blog stemmed from me being asked by a recent graduate what he should take into pre-sales. I thought about it and wondered what I would tell a 22-year-old (ten years ago) me turning up for his first job as a pre-sales engineer. Below are my rules to survive pre-sales (Zombieland style):

  1. “Yes, you are part of a sales team” – Little did I know as I turned up at my first job that the “sales” element in the title “pre-sales technical consultant” was actually real! You are part of a sales team whether you like it or not. I say embrace this: the competition, the pressure, the sheer amount of work. I often hear “sales” tarnished with a bad brush; do not underestimate your sales team, and you will find in any good organization that “pre-sales” are the lifeblood of the organization. A company leader once instilled in the organization that “pre-sales are worth their weight in gold”, and it will be your undoing if you do not use / trust them; pre-sales have an enormous impact on an organization's success.
  2. “Say YES not NO” – Throughout my career I have always had managers telling me to say NO. While their reasons may have been founded, I have always had a no-fear approach and, in honesty, found myself in some difficult situations, BUT I have also done some amazing things simply by sticking my hand up and saying YES. If you say NO all the time, don't expect to get anywhere or learn anything new. It is an approach I used to get a job once, where I went (company shall remain nameless) for an interview and I had to present on a subject I had never even heard about, let alone the company, which I later found out was huge. It was that no-fear, I-will-give-anything-a-go approach that got me, in honesty, my first break in pre-sales, and it is an approach I will always abide by.
  3. “Be a Sponge” – Learning is key; if you are not learning, chances are you are not doing something right. I am not talking about traditional learning, with death by PowerPoint while someone reads a slide to you. Think wider: find like-minded engineers, ask them questions, learn how they approach challenges, how they pitch a solution. The term “Sponge” in pre-sales means you need to absorb (pun intended) as much as possible, and one track will not suffice; you need to absorb as much as you can from a wide range of sources. Never stop this! Never think you are the best at something; someone always has a different approach – STEAL IT if it is good.
  4. “Understand how you Learn” – See point 3. Throughout my education and some of my professional career I was always that person who appeared never to listen; I was always dismantling whatever was in front of me while someone talked to me. It was not until one employer put the entire team and himself into a “train the trainer” course that this changed: the trainer, being a savvy man, had laid the desks out with a wide range of toys and attention diverters. This was heaven to me; for 3 days I had a range of stuff I could fiddle with, much to the annoyance of my boss at the time. In a demonstration of the fact that I do listen, the trainer at the end of the 3 days asked “What was the memorable date I mentioned on day one?” My boss nearly fell off his chair when, without a pause, I recalled the date. My point here is: find how you learn. I would love to be a person who can digest a 700 page manual and not drift off, or watch a video and know all the facts. Truth is I cannot; I learn by doing, which makes me a kinaesthetic learner: get me the product and let me try to break it and I will understand it. Find how you learn and try different approaches; believe me, it works.
  5. “You’re not an expert if you read TripAdvisor” – I will relate this to point 4. If you have read a review on TripAdvisor, have you experienced that hotel? Or are you at best reading someone else’s opinion, which is likely skewed? Apply the same mantra when absorbing competitive information: companies, and rightly so, will skew their competitive information to make you think and believe your product is the best. While I condone this attitude, I would hazard caution with drinking the Kool-Aid: get your competitor's documentation, product / service and form your own opinion. Back to point 1, “competition”: in a competitive situation do not underestimate your competitor, they could be a Rockstar. Leverage point 11, and if you cannot obtain a view for yourself, rely on your network and get some stories. I have been guilty of being blinkered in the past and it will catch you out.
  6. “Freestyling is fun but flawed” – I am guilty of this: freestyling a meeting, whatever it may be, with no set outcome or agenda will more than likely land you in trouble. As talented and experienced as you may be, just put aside 5 minutes for a basic plan or framework with your sales team; you will be surprised at its effectiveness.
  7. “The 24-hour rule” – On the engineering side, it does not matter if you have found / made a solution or fixed a problem: never rush to show that idea off without sitting on it for 24 hours, coming back, and leveraging point 11 to get feedback and ensure your thoughts are correct. We engineers are a proud bunch of people and love to hit the mark first with an idea. I speak from experience: if you run and throw that idea at a problem, it may take 1 day, it may take 1 year, but eventually the lack of full thought behind that idea will come back and bite you. Enforce the 24-hour rule, which brings me on to point 8.
  8. “Dumbledore’s Thought Pensieve” – If you want 9-5 then this just isn’t the job for you; my reason: in this role your brain never really switches off, which is why I enforce point 7 and the 24-hour rule. Your brain works in weird and wonderful ways; mine personally likes to wake me at stupid o’clock and provide me with an answer….. This is not bad, but you need to learn how to work throughout the day; constantly staring at a problem won’t work. Also have the mantra that if an idea does pop into your head, at the very least record it (any way you like), and please do not just write one line; empty that thought and all its context to a point where you can come back the next day and challenge it.
  9. “Be Creative” – I am personally a fan of coming up with new ideas; I am not a fan of improving process. Creativity in whatever form in your role will give you an edge. In 2 companies I came up with ideas which were implemented globally; remember your employer is not always doing everything correctly, and ideas should be welcomed or at the very least explored. Also look outside of your role; related to point 3, if something interests you go and learn it. Don’t stay in a bubble; you will be surprised how often technology crosses use cases. Look for user groups, communities, or grab a source of learning on that subject.
  10. “Don’t be a yes person” – If you have read this blog post, I do thank you for reading so far; you may be thinking “hang on a minute, you said always say yes in point 2?”. There is an exception, and this is with your customers: if you say “yes” to questions you are not 100% on, it will bite you; back to point 1 and sales. Saying “No” or “I don’t know” is not a crime; in pre-sales we are tasked with understanding such a broad spectrum of technologies, and customers are often focussed on a smaller subset, which makes them the experts. Have humility when dealing with customers, think how you are perceived, put yourself in the customer's shoes and honestly ask yourself “is this the right answer for this use case / scenario?”
  11. “Tanks and Planes” – One eye on the current, one eye on the future. This upside-down world of pre-sales is quite small, we are fantastic gossips, and your reputation is your key to your next role. Networking, I know, sounds like an old 90s business video delivered on a business park in Slough, but find people you share interests with, get along with, and stay in touch. Back to point 2: you will be surprised how your career can accelerate in that way!

I appreciate this is a long blog post, I still have more weird and wonderful points, I suppose the resounding question would be “Would you do it all again?” and I would say categorically “Yes sign me up Morpheus I will take the blue pill!” If you have thoughts, experiences, comments on this topic please comment below and let me know! Back to point 2! Ha….


Microsoft Patch Tuesday

It's that time again! Today Microsoft has released its monthly set of security advisories for vulnerabilities that have been identified and addressed in various products. This month's advisory release addresses 56 new vulnerabilities, with 16 of them rated critical, 39 rated important and 1 rated moderate. These vulnerabilities impact ASP.NET, Edge, Internet Explorer, Office, Windows, and more.

In addition to the 56 vulnerabilities addressed, Microsoft has also released an update that addresses Meltdown and Spectre. Mitigations for these two vulnerabilities were published for Windows in ADV180002. Note that due to incompatibilities with anti-virus products, users and organizations may not have received this update yet. For more information, users should refer to Microsoft's knowledge base article which covers this issue.

This Patch Tuesday has a lot of elevation-of-privilege vulnerabilities, remote code execution vulnerabilities in Office, and SMB vulnerabilities; the ones below caught my eye, thinking in terms of ransomware or cyber breaches.

  • CVE-2018-0792 to 0796
  • CVE-2018-0751-0752
  • CVE-2018-0749
  • CVE-2018-0803, 0805 & 0806

Happy patching! Blog courtesy of the Talos Blog; if you do not subscribe to them then sign up, they are an amazing source of information on patching, exploits, threats etc.
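As an added example (not from this post and not Talos code), here is a small Python helper that expands the shorthand CVE references used in the watchlist above (“CVE-2018-0792 to 0796”, “CVE-2018-0751-0752”, “CVE-2018-0803, 0805 & 0806”) into full identifiers, cross-references them against the advisory title lines listed later in the post, and tags each with an impact class so a patch-triage list can be sorted with remote code execution and elevation of privilege first. The advisory lines embedded in the block are copied from the Important list below; the watchlist strings, the keyword table and the ordering are my own choices.

```python
import re

# Constructed sample input: the shorthand CVE references from the post's watchlist.
WATCHLIST = [
    "CVE-2018-0792 to 0796",
    "CVE-2018-0751-0752",
    "CVE-2018-0749",
    "CVE-2018-0803, 0805 & 0806",
]

# A subset of the advisory title lines from the Important list further down
# the page, in the same "CVE – Title" form the page uses.
ADVISORIES = """\
CVE-2018-0749 – SMB Server Elevation of Privilege Vulnerability
CVE-2018-0751 – Windows Elevation of Privilege Vulnerability
CVE-2018-0752 – Windows Elevation of Privilege Vulnerability
CVE-2018-0792 – Microsoft Word Remote Code Execution
CVE-2018-0793 – Microsoft Outlook Remote Code Execution
CVE-2018-0794 – Microsoft Word Remote Code Execution
CVE-2018-0795 – Microsoft Office Remote Code Execution
CVE-2018-0796 – Microsoft Excel Remote Code Execution
CVE-2018-0803 – Microsoft Edge Elevation of Privilege Vulnerability
CVE-2018-0805 – Microsoft Word Remote Code Execution Vulnerability
CVE-2018-0806 – Microsoft Word Remote Code Execution Vulnerability
"""

CVE_RE = re.compile(r"CVE-(\d{4})-(\d{4,})")
RANGE_RE = re.compile(r"\s*(?:to|-|–)\s*(\d{4,})")   # " to 0796" or "-0752"
NUMBER_RE = re.compile(r"\b(\d{4,})\b")              # ", 0805 & 0806"

# Impact classes in triage order; lower index means patch sooner (my ordering).
IMPACT_ORDER = ["RCE", "EoP", "SFB", "Info", "DoS", "Spoof", "Other"]
IMPACT_KEYWORDS = [
    ("remote code execution", "RCE"),
    ("memory corruption", "RCE"),   # Microsoft titles browser/Office RCEs this way
    ("elevation of privilege", "EoP"),
    ("security feature bypass", "SFB"),
    ("information disclosure", "Info"),
    ("denial of service", "DoS"),
    ("spoofing", "Spoof"),
]


def expand_cve_shorthand(text: str) -> list:
    """Expand 'CVE-2018-0792 to 0796', 'CVE-2018-0751-0752' or
    'CVE-2018-0803, 0805 & 0806' into full, sorted, unique CVE ids."""
    m = CVE_RE.search(text)
    if not m:
        return []
    year, first = m.group(1), m.group(2)
    width = len(first)              # keep the zero-padding of the original id
    rest = text[m.end():]
    numbers = {int(first)}
    rng = RANGE_RE.match(rest)      # a range must follow the first id directly
    if rng:
        numbers.update(range(int(first), int(rng.group(1)) + 1))
        rest = rest[rng.end():]
    numbers.update(int(n) for n in NUMBER_RE.findall(rest))
    return [f"CVE-{year}-{n:0{width}d}" for n in sorted(numbers)]


def parse_advisories(text: str) -> dict:
    """Turn 'CVE-YYYY-NNNN – Title' lines into a {cve: title} map."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"\s*(CVE-\d{4}-\d{4,})\s*[–-]\s*(.+)", line)
        if m:
            found[m.group(1)] = m.group(2).strip()
    return found


def classify(title: str) -> str:
    """Map an advisory title to an impact class by keyword."""
    low = title.lower()
    for needle, label in IMPACT_KEYWORDS:
        if needle in low:
            return label
    return "Other"


def triage(watchlist: list, advisories: dict) -> list:
    """Expand every watchlist entry, attach its title and impact class, and
    order the rows so RCE and EoP issues come first."""
    rows = []
    for entry in watchlist:
        for cve in expand_cve_shorthand(entry):
            title = advisories.get(cve, "(not found in advisory list)")
            rows.append((cve, classify(title), title))
    rows.sort(key=lambda r: (IMPACT_ORDER.index(r[1]), r[0]))
    return rows


if __name__ == "__main__":
    for cve, impact, title in triage(WATCHLIST, parse_advisories(ADVISORIES)):
        print(f"{cve}  {impact:<5} {title}")
```

The range handling deliberately only accepts a range immediately after the first full id, so a trailing enumeration like “, 0805 & 0806” is never misread as a span.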

Vulnerabilities Rated Critical

Microsoft has assigned the following vulnerabilities a Critical severity rating:

  • CVE-2018-0758 – Scripting Engine Memory Corruption Vulnerability
  • CVE-2018-0762 – Scripting Engine Memory Corruption Vulnerability
  • CVE-2018-0767 – Scripting Engine Information Disclosure Vulnerability
  • CVE-2018-0769 – Scripting Engine Memory Corruption Vulnerability
  • CVE-2018-0770 – Scripting Engine Memory Corruption Vulnerability
  • CVE-2018-0772 – Scripting Engine Memory Corruption Vulnerability
  • CVE-2018-0773 – Scripting Engine Memory Corruption Vulnerability
  • CVE-2018-0774 – Scripting Engine Memory Corruption Vulnerability
  • CVE-2018-0775 – Scripting Engine Memory Corruption Vulnerability
  • CVE-2018-0776 – Scripting Engine Memory Corruption Vulnerability
  • CVE-2018-0777 – Scripting Engine Memory Corruption Vulnerability
  • CVE-2018-0778 – Scripting Engine Memory Corruption Vulnerability
  • CVE-2018-0780 – Scripting Engine Information Disclosure Vulnerability
  • CVE-2018-0781 – Scripting Engine Memory Corruption Vulnerability
  • CVE-2018-0797 – Microsoft Word Memory Corruption Vulnerability
  • CVE-2018-0800 – Scripting Engine Information Disclosure Vulnerability

The following is a brief description of each vulnerability.

Multiple CVEs – Scripting Engine Memory Corruption Vulnerability

Multiple remote code execution vulnerabilities have been discovered that affect Microsoft Edge and Internet Explorer. These vulnerabilities manifest due to Internet Explorer and Edge not properly handling objects in memory. Successful exploitation of these vulnerabilities could result in an attacker obtaining the ability to execute code within the context of the current user. Scenarios where these vulnerabilities would likely be exploited include web-based attacks where the user navigates to a malicious web page designed to exploit this vulnerability or, in some cases, opens a Microsoft Office document that utilizes the browser rendering engine.

The following is a list of CVEs related to these vulnerabilities.

  • CVE-2018-0758
  • CVE-2018-0762
  • CVE-2018-0769
  • CVE-2018-0770
  • CVE-2018-0772
  • CVE-2018-0773
  • CVE-2018-0774
  • CVE-2018-0775
  • CVE-2018-0776
  • CVE-2018-0777
  • CVE-2018-0778
  • CVE-2018-0781

Multiple CVEs – Scripting Engine Information Disclosure Vulnerability

Two information disclosure vulnerabilities have been discovered that affect Microsoft Edge. These vulnerabilities manifest due to Microsoft Edge not properly handling objects in memory. These vulnerabilities could be leveraged by an attacker to obtain sensitive information from an affected system. This information could then be utilized to launch additional attacks against the system. Scenarios where these vulnerabilities would likely be exploited include web-based attacks where the user navigates to a malicious web page designed to exploit this vulnerability.

The following is a list of CVEs related to these vulnerabilities.

  • CVE-2018-0767
  • CVE-2018-0780
  • CVE-2018-0800

CVE-2018-0797 – Microsoft Word Memory Corruption Vulnerability

A remote code execution vulnerability has been discovered that affects Microsoft Office. This vulnerability manifests due to Microsoft Office failing to properly handle RTF files. Successful exploitation of this vulnerability could result in an attacker gaining the ability to execute code within the context of the current user. Scenarios where this vulnerability would likely be exploited include web-based attacks where the user navigates to a malicious web page containing a specially crafted RTF file or in email-based attacks where the user opens a specially crafted file that has been received as an email attachment.

Vulnerabilities Rated Important

Microsoft has assigned the following vulnerabilities an Important severity rating:

  • CVE-2018-0741 – Microsoft Color Management Information Disclosure Vulnerability
  • CVE-2018-0743 – Windows Subsystem for Linux Elevation of Privilege Vulnerability
  • CVE-2018-0744 – Windows Elevation of Privilege Vulnerability
  • CVE-2018-0745 – Windows Information Disclosure Vulnerability
  • CVE-2018-0746 – Windows Information Disclosure Vulnerability
  • CVE-2018-0747 – Windows Information Disclosure Vulnerability
  • CVE-2018-0748 – Windows Elevation of Privilege Vulnerability
  • CVE-2018-0749 – SMB Server Elevation of Privilege Vulnerability
  • CVE-2018-0750 – Windows GDI Information Disclosure Vulnerability
  • CVE-2018-0751 – Windows Elevation of Privilege Vulnerability
  • CVE-2018-0752 – Windows Elevation of Privilege Vulnerability
  • CVE-2018-0753 – Windows IPSec Denial of Service Vulnerability
  • CVE-2018-0754 – ATMFD.dll Information Disclosure Vulnerability
  • CVE-2018-0764 – .NET and .NET Core Denial Of Service Vulnerability
  • CVE-2018-0766 – Microsoft Edge Information Disclosure Vulnerability
  • CVE-2018-0768 – Scripting Engine Memory Corruption Vulnerability
  • CVE-2018-0784 – ASP.NET Core Elevation Of Privilege Vulnerability
  • CVE-2018-0786 – .NET Security Feature Bypass Vulnerability
  • CVE-2018-0788 – ATMFD.dll Information Disclosure Vulnerability
  • CVE-2018-0789 – Microsoft Office Spoofing Vulnerability
  • CVE-2018-0790 – Microsoft Office Information Disclosure Vulnerability
  • CVE-2018-0791 – Microsoft Outlook Remote Code Execution Vulnerability
  • CVE-2018-0792 – Microsoft Word Remote Code Execution
  • CVE-2018-0793 – Microsoft Outlook Remote Code Execution
  • CVE-2018-0794 – Microsoft Word Remote Code Execution
  • CVE-2018-0795 – Microsoft Office Remote Code Execution
  • CVE-2018-0796 – Microsoft Excel Remote Code Execution
  • CVE-2018-0798 – Microsoft Word Memory Corruption Vulnerability
  • CVE-2018-0799 – Microsoft Access Tampering Vulnerability
  • CVE-2018-0801 – Microsoft Office Remote Code Execution Vulnerability
  • CVE-2018-0802 – Microsoft Office Memory Corruption Vulnerability
  • CVE-2018-0803 – Microsoft Edge Elevation of Privilege Vulnerability
  • CVE-2018-0805 – Microsoft Word Remote Code Execution Vulnerability
  • CVE-2018-0806 – Microsoft Word Remote Code Execution Vulnerability
  • CVE-2018-0807 – Microsoft Word Remote Code Execution Vulnerability
  • CVE-2018-0812 – Microsoft Word Memory Corruption Vulnerability
  • CVE-2018-0818 – Scripting Engine Security Feature Bypass
  • CVE-2018-0819 – Spoofing Vulnerability in Microsoft Office for Mac

The following is a brief description of each vulnerability:

CVE-2018-0741 – Microsoft Color Management Information Disclosure Vulnerability

An information disclosure vulnerability has been discovered affecting Microsoft Graphics Component. This vulnerability manifests due to the Color Management Module (ICM32.dll) not properly handling objects in memory. Successful exploitation of this vulnerability could provide an attacker with the information required to bypass Address Space Layout Randomization (ASLR). While this vulnerability does not provide code execution, it could make it easier to successfully exploit remote code execution vulnerabilities due to the ability of the attacker to bypass ASLR.

CVE-2018-0743 – Windows Subsystem for Linux Elevation of Privilege Vulnerability

A privilege escalation vulnerability has been discovered affecting Windows Subsystem for Linux. This vulnerability manifests due to an integer overflow present in Windows Subsystem for Linux. Successful exploitation of this vulnerability requires an authenticated local attacker to run a specially crafted program and could allow them to execute code with elevated privileges on affected systems.

CVE-2018-0744 – Windows Elevation of Privilege Vulnerability

A privilege escalation vulnerability has been discovered affecting the Windows Kernel. This vulnerability manifests due to the Windows kernel failing to properly handle objects in memory. Successful exploitation of this vulnerability requires an authenticated local attacker to run a specially crafted program and could allow them to execute code with elevated privileges on affected systems.

Multiple CVEs – Windows Information Disclosure Vulnerability

Multiple information disclosure vulnerabilities have been discovered affecting the Windows kernel. Successful exploitation of these vulnerabilities could provide an attacker with the information required to bypass ASLR, as they allow the retrieval of the memory addresses of kernel objects. Exploitation of these vulnerabilities would require an authenticated local attacker to run a specially crafted program.

The following is a list of CVEs related to these vulnerabilities.

  • CVE-2018-0745
  • CVE-2018-0746
  • CVE-2018-0747

Multiple CVEs – Windows Elevation of Privilege Vulnerability

Multiple privilege escalation vulnerabilities have been discovered affecting the Windows kernel. These vulnerabilities manifest due to the Windows Kernel API failing to properly enforce permissions. Successful exploitation of these vulnerabilities would require an authenticated local attacker to execute a specially crafted program and could result in the attacker having the ability to impersonate processes, inject cross-process communications, or interrupt system functionality.

The following is a list of CVEs related to these vulnerabilities.

  • CVE-2018-0748
  • CVE-2018-0751
  • CVE-2018-0752

CVE-2018-0749 – SMB Server Elevation of Privilege Vulnerability

A privilege escalation vulnerability has been discovered affecting Windows SMB Server. This vulnerability manifests when an attacker with valid credentials to authenticate to an affected system opens a specially crafted file locally using the SMB protocol. Successful exploitation of this vulnerability could allow an attacker to bypass certain security checks. An attacker must have valid credentials and be authenticated to the affected system.

CVE-2018-0750 – Windows GDI Information Disclosure Vulnerability

An information disclosure vulnerability has been discovered affecting the Microsoft Graphics Component. This vulnerability manifests due to the Windows GDI component improperly disclosing kernel memory addresses. Successful exploitation of this vulnerability could result in an attacker obtaining sensitive information that could be used to further attack the system. In order to exploit this vulnerability an attacker needs to log on to the affected system and execute a specially crafted program.

CVE-2018-0753 – Windows IPSec Denial of Service Vulnerability

A denial of service vulnerability has been discovered that affects IPSec. This vulnerability manifests due to Windows improperly handling objects in memory. Successful exploitation of this vulnerability could allow an attacker to cause a system to stop responding, preventing the system from being used by authorized users.

CVE-2018-0754 – ATMFD.dll Information Disclosure Vulnerability

An information disclosure vulnerability exists affecting Graphics Fonts. This vulnerability manifests due to the Adobe Type Manager Font Driver (ATMFD.dll) improperly handling objects in memory. Successful exploitation of this vulnerability could allow an attacker to obtain sensitive information that could be used to further attack affected systems. Scenarios where this vulnerability would likely be exploited include an attacker opening a document containing specially crafted fonts on an affected system.

CVE-2018-0764 – .NET and .NET Core Denial Of Service Vulnerability

A denial of service vulnerability has been discovered affecting the .NET Framework. This vulnerability manifests due to .NET and .NET core improperly processing XML documents. Successful exploitation of this vulnerability could cause a denial of service in an affected .NET application. This vulnerability could be exploited by an attacker by sending specially crafted requests to a vulnerable .NET or .NET core application.
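For the .NET XML denial of service above, the usual defence is to refuse DTD processing before any entity expansion can happen (in .NET that is the `XmlReaderSettings.DtdProcessing` setting, whose `DtdProcessing.Prohibit` value is the default) and to cap input size before parsing. The following Python block is an added illustration, not part of the advisory and not Microsoft code, of the same policy using the standard-library expat parser: a DOCTYPE or entity declaration aborts the parse, oversized input is rejected up front, and the two sample documents and the 1 MiB limit are constructed for the example.

```python
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when a document uses features this parser refuses to process."""


# Constructed sample documents (not from the advisory).
BENIGN = b"<?xml version='1.0'?><order><id>42</id><qty>3</qty></order>"
# A document with an internal DTD. Entity declarations are the building block
# of expansion attacks (one reference can expand into many more), so the
# parser refuses the DOCTYPE itself rather than trying to bound its expansion.
WITH_DTD = (
    b"<?xml version='1.0'?>"
    b"<!DOCTYPE order [<!ENTITY e \"x\">]>"
    b"<order><id>&e;</id></order>"
)

MAX_BYTES = 1 << 20  # assumed policy: 1 MiB of raw XML is the most we accept


def safe_parse(data: bytes, max_bytes: int = MAX_BYTES) -> dict:
    """Parse XML into {leaf_tag: text}, refusing DTDs, entity declarations and
    oversized input. Raises UnsafeXML or expat.ExpatError on bad input."""
    if len(data) > max_bytes:
        raise UnsafeXML(f"document is {len(data)} bytes, limit is {max_bytes}")

    parser = expat.ParserCreate()
    # Never read or expand parameter entities (external DTD subsets and the like).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML("DOCTYPE declarations are not accepted")

    def reject_entity(*_):
        raise UnsafeXML("entity declarations are not accepted")

    def reject_external(*_):
        return 0  # expat treats a zero return as a failed external entity reference

    leaves = {}
    chunks = []

    def start(name, attrs):
        chunks.clear()          # text seen so far belongs to the parent; drop it

    def end(name):
        text = "".join(chunks).strip()
        if text:
            leaves[name] = text
        chunks.clear()

    def chars(text):
        chunks.append(text)     # character data may arrive in several pieces

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity
    parser.ExternalEntityRefHandler = reject_external
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars

    parser.Parse(data, True)    # exceptions raised inside handlers propagate here
    return leaves


def is_safe(data: bytes) -> bool:
    """True when the document parses under the policy above."""
    try:
        safe_parse(data)
        return True
    except (UnsafeXML, expat.ExpatError):
        return False


if __name__ == "__main__":
    print(safe_parse(BENIGN))
    print("DTD document accepted:", is_safe(WITH_DTD))
```

Rejecting at the DOCTYPE rather than counting expansions is the simpler rule to reason about: almost no application-level XML needs a DTD, and the size cap catches the non-DTD variant of simply sending a huge document.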

CVE-2018-0766 – Microsoft Edge Information Disclosure Vulnerability

An information disclosure vulnerability has been identified that affects Microsoft Edge. This vulnerability manifests due to the Microsoft Edge PDF reader improperly handling objects in memory. This vulnerability could be leveraged by an attacker to obtain information that could be used for subsequent attacks against an affected system. Scenarios where this vulnerability would likely be exploited include web-based attacks where the user navigates to a malicious PDF hosted on an attacker-controlled website.

CVE-2018-0768 – Scripting Engine Memory Corruption Vulnerability

A remote code execution vulnerability has been discovered that affects Microsoft Edge and Internet Explorer. This vulnerability manifests due to Internet Explorer and Edge not properly handling objects in memory. Successful exploitation of this vulnerability could result in an attacker obtaining the ability to execute code within the context of the current user. Scenarios where this vulnerability would likely be exploited include web-based attacks where the user navigates to a malicious web page designed to exploit this vulnerability.

CVE-2018-0784 – ASP.NET Core Elevation Of Privilege Vulnerability

A vulnerability has been discovered in ASP.NET Core that could allow a privilege escalation attack to occur. This vulnerability manifests when an ASP.NET Core web application, based on a vulnerable project template, incorrectly utilizes input without first sanitizing it. An attacker who exploits this vulnerability could perform content injection attacks and run scripts in the context of the current user. Exploitation of this vulnerability could be achieved in email-based attack scenarios or via other social engineering means where the user clicks on a specially crafted link.

CVE-2018-0786 – .NET Security Feature Bypass Vulnerability

A security feature bypass vulnerability in the Microsoft .NET Framework and .NET Core has been identified that could allow attackers to bypass certificate validation. This vulnerability manifests in the way certificates are handled, where certificates marked invalid for a specific use may still be used for that purpose.

CVE-2018-0788 – OpenType Font Driver Elevation of Privilege Vulnerability

A privilege escalation vulnerability has been discovered in the Windows Adobe OpenType Font Driver. This vulnerability manifests as a result of the library incorrectly handling objects in memory. Exploitation of this vulnerability could be achieved by running a specially crafted application that exploits this flaw.

Multiple CVEs – Microsoft SharePoint Cross Site Scripting Elevation of Privilege Vulnerability

Two cross-site scripting vulnerabilities have been identified in Microsoft SharePoint that could allow an attacker to perform a privilege escalation attack. These vulnerabilities manifest as a result of improper input sanitization for specially crafted web requests. An attacker who exploits these vulnerabilities would be able to run scripts in the context of the affected user, allowing the attacker to read content or perform actions based on that user's permissions.

The following is a list of CVEs related to these vulnerabilities.

  • CVE-2018-0789
  • CVE-2018-0790

Multiple CVEs – Microsoft Outlook Remote Code Execution Vulnerability

Two remote code execution vulnerabilities have been identified in Microsoft Outlook that could allow an attacker to execute arbitrary code of their choice on targeted hosts. These vulnerabilities manifest as a result of Microsoft Outlook incorrectly parsing specially crafted emails. An attacker who sends a user a specially crafted email and socially engineers them to open a specially crafted attachment in Outlook could exploit this vulnerability.

The following is a list of CVEs related to these vulnerabilities.

  • CVE-2018-0791
  • CVE-2018-0793

Multiple CVEs – Microsoft Word Remote Code Execution Vulnerability

Multiple arbitrary code execution vulnerabilities have been identified in Microsoft Word. These vulnerabilities manifest as a result of Microsoft Word incorrectly handling objects in memory. An attacker who exploits one of these vulnerabilities could execute arbitrary code of their choosing on targeted hosts. Scenarios where this could occur include email-based attacks or other scenarios involving social engineering where the attackers convince the user to open a specially crafted Word document.

The following is a list of CVEs related to these vulnerabilities.

  • CVE-2018-0792
  • CVE-2018-0794
  • CVE-2018-0805
  • CVE-2018-0806
  • CVE-2018-0807
  • CVE-2018-0812

CVE-2018-0796 – Microsoft Excel Remote Code Execution Vulnerability

An arbitrary code execution vulnerability has been identified in Microsoft Excel. This vulnerability manifests as a result of Microsoft Excel incorrectly handling objects in memory. An attacker who exploits this vulnerability could execute arbitrary code of their choosing on targeted hosts. Scenarios where this could occur include email-based attacks or other scenarios involving social engineering where the attackers convince the user to open a specially crafted Excel spreadsheet.

Multiple CVEs – Microsoft Office Memory Corruption Vulnerability

Multiple arbitrary code execution vulnerabilities have been identified in Microsoft Office. These vulnerabilities manifest as a result of Microsoft Office incorrectly handling objects in memory. An attacker who exploits one of these vulnerabilities could execute arbitrary code of their choosing on targeted hosts. Scenarios where this could occur include email-based attacks or other scenarios involving social engineering where the attackers convince the user to open a specially crafted Office file.

The following is a list of CVEs related to these vulnerabilities.

  • CVE-2018-0795
  • CVE-2018-0798
  • CVE-2018-0801
  • CVE-2018-0802

CVE-2018-0799 – Microsoft Access Tampering Vulnerability

A cross-site scripting vulnerability has been identified in Microsoft Access. This vulnerability manifests as a result of Microsoft Access incorrectly handling and sanitizing inputs to image field editing within Design view. An attacker who exploits this vulnerability could execute arbitrary JavaScript in the context of the current user. An attacker could then read content or perform actions on behalf of the user on a remote site. Exploitation of this vulnerability could be achieved by opening a specially crafted Access file.

CVE-2018-0803 – Microsoft Edge Elevation of Privilege Vulnerability

A vulnerability in Microsoft Edge has been identified that could result in privilege escalation if exploited. This vulnerability manifests as a result of Edge incorrectly enforcing cross-domain policies. Successful exploitation could result in a user obtaining elevated privileges.

CVE-2018-0818 – Scripting Engine Security Feature Bypass

A security feature bypass vulnerability has been identified in Microsoft Chakra that could allow an attacker to bypass Control Flow Guard. An attacker could exploit this vulnerability by creating a specially crafted web page designed to exploit this vulnerability and convincing a user to visit the web page.

CVE-2018-0819 – Spoofing Vulnerability in Microsoft Office for Mac

A spoofing vulnerability in Microsoft Outlook for Mac has been discovered and manifests as a result of Outlook for Mac incorrectly handling the encoding and display of email addresses. As a result, antivirus and anti-spam scanning may not work as intended.

Vulnerabilities Rated Moderate

Microsoft has assigned the following vulnerability a Moderate severity rating:

  • CVE-2018-0785 – ASP.NET Core Cross Site Request Forgery Vulnerability

The following is a brief description of this vulnerability:

CVE-2018-0785 – ASP.NET Core Cross Site Request Forgery Vulnerability

A Cross Site Request Forgery (CSRF) vulnerability has been discovered affecting ASP.NET Core web applications that were created using vulnerable project templates. Successful exploitation of this vulnerability could allow an attacker to modify recovery codes associated with accounts to which the attacker should not have access, resulting in the user being locked out of their account when they attempt to access it after losing their 2FA device.
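The standard fix for this class of CSRF bug is the synchronizer-token pattern: the form that changes recovery codes carries a token that an attacker's page cannot read or forge, and the server verifies it against the caller's session before acting. The following Python block is an added illustration (not ASP.NET Core code and not from the advisory) of a vulnerable handler beside a hardened one; the form field name `__RequestVerificationToken` is the one ASP.NET Core's antiforgery feature uses by default, while the session ids, the server key and the recovery-code store are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Per-deployment secret; generated fresh here for the example.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_FIELD = "__RequestVerificationToken"   # ASP.NET Core's default form field name


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token: a random nonce bound to the session with an HMAC.
    It is rendered into the form; a cross-site page cannot read it."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token) -> bool:
    """True only if the token was minted for this session; constant-time compare."""
    if not isinstance(token, str) or token.count(".") != 1:
        return False
    nonce, mac = token.split(".")
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def _new_recovery_codes(n: int = 10) -> list:
    return [secrets.token_hex(4) for _ in range(n)]


class RecoveryCodeStore:
    """Minimal stand-in for an account's 2FA recovery codes (constructed)."""

    def __init__(self):
        self.codes = {}   # session_id -> list of codes; the session stands in for the user

    def reset_codes_unprotected(self, session_id: str, form: dict):
        """VULNERABLE: trusts the session cookie alone. A cross-site POST made by
        the victim's browser still carries that cookie, so an attacker's page
        can trigger a reset and silently invalidate the victim's codes."""
        self.codes[session_id] = _new_recovery_codes()
        return 200, self.codes[session_id]

    def reset_codes(self, session_id: str, form: dict):
        """HARDENED: require an anti-forgery token bound to this session."""
        if not verify_csrf_token(session_id, form.get(TOKEN_FIELD)):
            return 403, "anti-forgery token missing or invalid"
        self.codes[session_id] = _new_recovery_codes()
        return 200, self.codes[session_id]


def simulate_cross_site_post(store: RecoveryCodeStore, victim_session: str):
    """A forged POST from a third-party page: the browser attaches the victim's
    session cookie, but the attacker cannot supply the victim's token."""
    before = list(store.codes.get(victim_session, []))
    status, _ = store.reset_codes(victim_session, {})      # no token in the form
    after = list(store.codes.get(victim_session, []))
    return status, before == after                          # (403, True) when defended


if __name__ == "__main__":
    store = RecoveryCodeStore()
    token = issue_csrf_token("sess-victim")
    print("legitimate form post:", store.reset_codes("sess-victim", {TOKEN_FIELD: token})[0])
    print("cross-site post (status, codes unchanged):", simulate_cross_site_post(store, "sess-victim"))
```

Binding the HMAC to the session id is what stops an attacker from minting a token in their own session and replaying it into the victim's request; the constant-time comparison avoids leaking the expected MAC through timing.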