Category Archives: Security

Onboarding Linux Client (DEEPIN) to Microsoft Azure Threat protection ATP using ubuntu repository

Installing Microsoft Azure Threat Protection (ATP) on Linux Devices

While playing with ATP on some Windows devices, I was in the mood to try the new Deepin 20 desktop, a well-known Chinese Linux-based distribution.

Microsoft doesn’t indicate anywhere that installing ATP on a Linux client is possible, but Linux servers are mentioned in the official ATP installation documents.

How to Install?

After I installed Deepin OS, I was really impressed by the beautiful new Linux desktop design, so I plan to use it and secure it with ATP.

Prerequisites:

  1. Configure the Linux software repository for Ubuntu and Debian
  2. Application Installation
  3. Download the onboarding Package
  4. Client Config

1-Configure the Linux software repository for Ubuntu and Debian

You will need to install the required libraries, install gpg and apt-transport-https, and update the repository metadata using the following commands one by one.

  • sudo apt-get install curl
  • sudo apt-get install libplist-utils
  • sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-ubuntu.list
  • sudo apt-get install gpg

After successfully installing all the libraries, I will go ahead and install the application.

2- Application Installation

From the Linux client terminal, run the following command as a sudo user:

sudo apt-get install mdatp

Once finished, you can go back to the ATP portal and download the Linux onboarding package for the Linux server/client you want to onboard.

3- Download the onboarding Package

Since I am doing a single deployment, not a bulk one, I will go to the Microsoft Defender Security Center’s settings page and download the Linux package from the device management section.

The onboarding steps are already listed on that page, so after you download the script you’ll know exactly what to do next.

The file is a 9 KB Python script.

Copy the file to your Linux Desktop

4- Client Config

From the terminal, type chmod a+x MicrosoftDefenderATPOnBoardingLinuxServer.py and hit Enter.

Note: Python must be installed on this Linux device.

Then type python ./MicrosoftDefenderATPOnBoardingLinuxServer.py (the script sits in the directory you copied it to, so run it from there).

This runs quickly and assigns your Linux server/client to your organization ID.

To see the Organization ID type:

mdatp --health orgId

A few minutes later you’ll be able to confirm that the installation completed, and check its status, with the following commands.

Check if WDATP is functioning as expected

mdatp --health healthy

Check if WDATP agent is enabled

mdatp --health realTimeProtectionEnabled

Let’s check the ATP portal and see whether the machine shows up there.

Note: It might take 5-15 minutes for the WDATP definitions to update when onboarding.

Running a detection Test:

curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt

Within a few seconds the file has disappeared.

Checking for threats

mdatp --threat --list --pretty

Let’s see this on the ATP Portal

This is just the EICAR test file, not real malware, so it won’t harm your machine at all.
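The manual checks above (orgId, healthy, realTimeProtectionEnabled, threat list) wrapped into one verification script, as an added example that is not part of the original post. It assumes the old-style mdatp syntax used in the post (mdatp --health FIELD, mdatp --threat --list --pretty printing JSON); the run function is injectable so the logic can be exercised without the agent installed.

```python
"""Post-onboarding verification for Microsoft Defender ATP on Linux.

Added example, not from the original post. Assumes the CLI syntax the post
uses: `mdatp --health <field>` and `mdatp --threat --list --pretty`, the
latter assumed to print a JSON array of detections.
"""
import json
import subprocess
from typing import Callable, Dict, List

HEALTH_FIELDS = ("orgId", "healthy", "realTimeProtectionEnabled")


def run_mdatp(args: List[str]) -> str:
    """Run the real mdatp CLI and return its stdout (empty string if it is missing or hangs)."""
    try:
        proc = subprocess.run(["mdatp", *args], capture_output=True, text=True, timeout=30)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return ""
    return proc.stdout


def parse_health_value(raw: str) -> str:
    """Normalise one --health answer: strip whitespace and surrounding quotes."""
    return raw.strip().strip('"')


def check_health(run: Callable[[List[str]], str] = run_mdatp) -> Dict[str, object]:
    """Query each health field and return {field: value, 'ok': verdict}.

    Onboarding counts as complete when orgId is non-empty and both boolean
    fields report "true" (mdatp prints booleans as lowercase text).
    """
    values = {field: parse_health_value(run(["--health", field])) for field in HEALTH_FIELDS}
    ok = (bool(values["orgId"])
          and values["healthy"] == "true"
          and values["realTimeProtectionEnabled"] == "true")
    return {**values, "ok": ok}


def list_threats(run: Callable[[List[str]], str] = run_mdatp) -> List[Dict[str, object]]:
    """Return the detections mdatp reports; unparsable output is treated as none."""
    raw = run(["--threat", "--list", "--pretty"])
    try:
        data = json.loads(raw) if raw.strip() else []
    except json.JSONDecodeError:
        return []
    return data if isinstance(data, list) else []


def eicar_detected(threats: List[Dict[str, object]]) -> bool:
    """True if any reported detection mentions the EICAR test file downloaded in the post."""
    return any("eicar" in json.dumps(threat).lower() for threat in threats)


if __name__ == "__main__":
    status = check_health()
    for field, value in status.items():
        print(f"{field:28} {value}")
    threats = list_threats()
    print(f"detections reported: {len(threats)}  EICAR seen: {eicar_detected(threats)}")
```

Run it a few minutes after the onboarding script; a False "ok" with an empty orgId means the onboarding script has not run on this host yet.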

Hope this helps you with your deployments.

Ref:

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually

Deepin 20 Beta version

https://www.deepin.org/en/2020/04/15/deepin-20-beta/

Microsoft Exchange 2010 SP3 Link HACKED

WATCH Microsoft Exchange URL Hacked

If you have Exchange 2010 SP3 and are planning to download the latest Rollup, Google will take you to the following link:

https://www.microsoft.com/en-us/download/details.aspx?id=100910

Once you click that link to download the Rollup update, you might want to check the system requirements links, which list two main links.

The Exchange 2010 Prerequisites link first redirects you to this URL, which has an expired certificate:

http://www.microsoftpinpoint.com/

And that then redirects you to this link (it seems to be a Chinese website):

http://123.wo80.com/

Luckily the antivirus managed to catch and block this page; however, on any server that’s not running antivirus this would certainly infect the server.

Phishing Alert!

Video here

Microsoft Exchange Vulnerability affects all Exchange versions

CVE-2020-0688 | Microsoft Exchange Validation Key Remote Code Execution Vulnerability

Security Vulnerability

Date of Publishing: February/11/2020

Microsoft has announced that a vulnerability has been found in all Exchange Server versions from 2010 through 2019. The vulnerability allows an attacker to send a specially crafted request to the affected server in order to exploit it.

When could this happen?

A remote code execution vulnerability exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time.

Knowledge of the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM.

The security update addresses the vulnerability by correcting how Microsoft Exchange creates the keys during install.
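Because the flaw is that every installation receives the same key rather than a unique one, a defender can look for the symptom without knowing the weak key itself: if two or more Exchange servers carry an identical machineKey, the install-time key generation described above has not produced unique keys. The following is an added example, not part of the advisory or of any Microsoft tooling; it assumes you copy each server's ClientAccess\ecp\web.config to an analysis host (that path is an assumption), and the sample configs are constructed.

```python
"""Compare ASP.NET <machineKey> elements across Exchange web.config files.

Added example, not from the advisory. Identical validation/decryption keys on
different servers are the CVE-2020-0688 symptom; one server alone cannot be
judged this way. Sample inputs below are constructed.
"""
import hashlib
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional


def extract_machine_key(xml_text: str) -> Optional[Dict[str, str]]:
    """Return the attributes of the first <machineKey> element, or None if absent."""
    root = ET.fromstring(xml_text)
    node = root.find(".//machineKey")   # lives under <system.web> in ASP.NET configs
    if node is None:
        return None
    return {k: node.get(k, "") for k in ("validationKey", "decryptionKey", "validation")}


def fingerprint(key: Dict[str, str]) -> str:
    """Short SHA-256 digest so keys can be compared and reported without printing them."""
    material = key["validationKey"] + "|" + key["decryptionKey"]
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def assess(configs: Dict[str, str]) -> Dict[str, object]:
    """Group servers by key fingerprint.

    Returns {'shared': {fingerprint: [servers]}, 'missing': [...], 'autogenerate': [...]}.
    A fingerprint listed under 'shared' is carried by two or more servers.
    'AutoGenerate' keys are per-machine by construction and are not compared.
    """
    by_fp: Dict[str, List[str]] = {}
    missing: List[str] = []
    autogen: List[str] = []
    for server, text in configs.items():
        key = extract_machine_key(text)
        if key is None:
            missing.append(server)          # framework default applies: machine-generated key
            continue
        if "AutoGenerate" in key["validationKey"] or "AutoGenerate" in key["decryptionKey"]:
            autogen.append(server)
            continue
        by_fp.setdefault(fingerprint(key), []).append(server)
    shared = {fp: servers for fp, servers in by_fp.items() if len(servers) > 1}
    return {"shared": shared, "missing": missing, "autogenerate": autogen}


def _cfg(vkey: str, dkey: str) -> str:
    """Build a minimal constructed web.config with a static machineKey."""
    return (f'<configuration><system.web><machineKey validationKey="{vkey}" '
            f'decryptionKey="{dkey}" validation="SHA1" decryption="3DES"/>'
            '</system.web></configuration>')


# Constructed sample: EX01 and EX02 share a static key, EX03 has been re-keyed.
SAMPLE_CONFIGS = {
    "EX01": _cfg("AAAA1111", "BBBB2222"),
    "EX02": _cfg("AAAA1111", "BBBB2222"),
    "EX03": _cfg("CCCC3333", "DDDD4444"),
}

if __name__ == "__main__":
    result = assess(SAMPLE_CONFIGS)
    for fp, servers in result["shared"].items():
        print(f"WARNING machineKey {fp} is shared by {', '.join(servers)}")
    print("no machineKey:", result["missing"], " auto-generated:", result["autogenerate"])
```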

Affected Versions:

  • Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30
  • Microsoft Exchange Server 2013 Cumulative Update 23
  • Microsoft Exchange Server 2016 Cumulative Update 14
  • Microsoft Exchange Server 2016 Cumulative Update 15
  • Microsoft Exchange Server 2019 Cumulative Update 3
  • Microsoft Exchange Server 2019 Cumulative Update 4

Solution:

So far Microsoft has not provided any solution or workaround for this vulnerability.

Mitigations

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

NOTE:

Keep an eye on the link below for any changes:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688

Microsoft Windows 10 security updates KB4532695 and KB4528760 cause the TPM driver to fail and result in a Windows 10 BSOD

Windows 10 Update :

Yesterday and today Microsoft released KB4532695 and KB4528760, which cause the TPM 2.0 driver to stop functioning and cause a BSOD with a “Memory Management” error.

Windows Hello Face Authentication

In the first KB, Microsoft says they have improved the accuracy of Windows Hello Face authentication; however, this causes your PIN to be reset, the TPM driver to stop functioning and BitLocker to go into a paused state.

Check KB Article here

The BSOD generates an event ID 1001 stating the bugcheck code and saves a dump (I haven’t analyzed that yet).

I suggest not running it until Microsoft releases a bug fix.

Warning for millions of Windows 10 users

The “Windows List” website, which follows news about the well-known operating system “Windows 10”, issued a warning to users of the operating system after it observed a new security update, “KB4528760”, causing serious problems, noting that the problem “appears to be widespread now.”

In its account of the sequence of events, the site says that this update initially fails to install on the device, issuing “a number of general error messages” that give no indication of the cause of the problem; the problem then escalates, as the next time you restart the computer it fails to boot.

“The recent update KB4528760 for Windows 1909 (the Windows build version number) appears to cause problems with some computers and prevents them from starting up, causing the 0xc000000e error code. The number of devices affected by this problem has increased after installing this update,” says a user on the official Microsoft Community Forum.

Some users attribute the problem to Microsoft’s Connect app, which the company has discontinued. Although it is not the only possible cause of the problem, users who installed the app, or had it installed and then uninstalled it, have been particularly severely affected. It is only Windows Vista that completely re-installs the Windows 10 operating system.

What increases the importance of the warning issued by “Windows Light” is precisely that Microsoft is not yet aware of this problem. Indeed, at the time of writing the company states on the support page of the latest update that it is “currently not aware of any problems with this update.”

This is a recurring pattern of slow responses in recent years, as Windows 10 users have experienced problems caused by system updates, and it is disappointing because it encourages users to keep downloading updates that might harm their computers.

The good thing here is that Microsoft is working on substantive changes to improve “Windows 10” updates, but the bad thing is that the process for testing those changes as a whole is fundamentally flawed, according to the site mentioned.

MICROSOFT EXPOSES A SECURITY ISSUE THAT AFFECTS MILLIONS OF WINDOWS 10 COMPUTERS, RDP AND DHCP ON WIN2008R2

Windows 10 Crypto API Spoofing

Microsoft has released a new security patch for a vulnerability that could affect millions of Windows 10 users worldwide. The decades-old CryptoAPI validates signatures on packages and software; the flaw could be used by attackers or developers to sign and execute illegitimate software, which would allow anything to run without the user’s or the antivirus/Internet security software’s notice.

Microsoft mentioned that the vulnerability could also allow hackers to change or modify encrypted communications.

It’s important to note that CryptoAPI is a legacy API that is being replaced by the new CNG (Cryptography Next Generation) API, which also supports CryptoAPI.

CryptoAPI Key Storage Architecture

Download Patch

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601

Windows 2008 R2, Windows 7 RDP

A day ago, on May 14, 2019, Microsoft released two very important security patches. One of them addresses a vulnerability in the RDP service (CVE-2019-0708) which affects Windows 7 and Windows 2008 R2. According to Microsoft’s article, a remote code execution vulnerability exists in Remote Desktop Services (formerly known as Terminal Services) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Download Patch

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

Windows 2008R2, 2012R2, 2016 and 2019 DHCP

The other one is in the DHCP service (CVE-2019-0725), and both vulnerabilities are very critical. Looking at CVE-2019-0708, which concerns the RDP service, attackers are able to run code on systems by sending specially crafted packets without any user interaction or authentication, and can then install malware such as ransomware or other executables.

Download Patch

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0725

Sources:

Microsoft, NSA, Other Security Researchers

Powershell script to audit users who authenticated against DC servers

The story:

I got a request from a client asking to find out which server(s) use which domain admin or other highly privileged account as a service account.

To find this I had already written a PowerShell script that searches for the non-standard (domain-only) users and shows the services and the names of the servers where those accounts are configured, using remote PowerShell and a Domain Admin user to do so.

You can refer to this link to see this article by clicking here

Creating the script process:

The same client also wanted to know which of those accounts had authenticated, from which server/computer the request originated and to which DC it went.

I started thinking about how to do this by again utilizing remote PowerShell to check certain security events on the domain controllers, to see which members of Domain Admins had authenticated.

After some time, and with the help of some forums, I got a script ready that looks in all domain controllers for users that are members of the Domain Admins group who triggered event ID 4624, and reports which computer the request came from.

The Script :

# Requires the ActiveDirectory module (RSAT); run on a DC or a host with RSAT installed
Import-Module ActiveDirectory
# Get domain admin user list (-Recursive also expands nested groups)
$DomainAdminList = Get-ADGroupMember -Identity 'Domain Admins' -Recursive
# Get all Domain Controller names
$DomainControllers = Get-ADDomainController -Filter * | Sort-Object HostName
# EventID 4624 = an account was successfully logged on
$EventID = 4624
#
# Only look back 3 days (change the number of days to widen the window)
$Date = (Get-Date).AddDays(-3)
# Limit log event search for testing as this will take a LONG time on most domains
# Raise this for a full run
$MaxEvent = 100

# Loop through DCs
$DALogEvents = $DomainControllers | ForEach-Object {
    $CurDC = $_.HostName
    Write-Host "`nSearching $CurDC logs..."
    # In a 4624 event, Properties[5] is TargetUserName and Properties[18] is IpAddress (source)
    Get-WinEvent -ComputerName $CurDC -FilterHashtable @{LogName='Security';ID=$EventID;StartTime=$Date} -MaxEvents $MaxEvent |
    Where-Object { $_.Properties[5].Value -in $DomainAdminList.SamAccountName } |
    ForEach-Object {
        [pscustomobject]@{SourceIP = $_.Properties[18].Value; SamAccountName = $_.Properties[5].Value; Time = $_.TimeCreated; LogonEventLocation = $CurDC}
    }
}
$DALogEvents

How to run:

The script must be run on a DC with a privileged account in order to get the right results. The default time interval is set to 3 days, but you can choose to increase that.

You can also change the default group whose members you search for by changing 'Domain Admins' to something else.

Screenshot of the result

Russian cyberspies are using one hell of a clever Microsoft Exchange backdoor

Turla APT found exploiting LightNeuron backdoor, a first of its kind targeting Microsoft Exchange email servers.

A Russian cyber-espionage group has developed and has been using one of the most complex backdoors ever spotted on an email server, according to new research published today by cyber-security firm ESET.

The backdoor, named LightNeuron, was specifically designed for Microsoft Exchange email servers and works as a mail transfer agent (MTA), an approach that no other backdoor has ever taken.

“To our knowledge, this is the first malware specifically targeting Microsoft Exchange,” ESET Malware Researcher Matthieu Faou told ZDNet via email.

“Turla targeted email servers in the past using a malware called Neuron (a.k.a DarkNeuron) but it was not specifically designed to interact with Microsoft Exchange.

“Some other APTs use traditional backdoors to monitor mail servers’ activity. However, LightNeuron is the first one to be directly integrated into the working flow of Microsoft Exchange,” Faou told us.

Because of the deep level at which the backdoor works, LightNeuron allows hackers to have full control over everything that passes through an infected email server, with the ability to intercept, redirect, or edit the content of incoming or outgoing emails.

LIGHTNEURON DEVELOPED BY TURLA GROUP

This makes LightNeuron one of the most powerful tools of its kind, and a tool fit to be in the arsenal of Turla, one of the world’s most advanced nation-state hacking units.

The Turla APT (advanced persistent threat) is infamous for past operations that seem to be pulled out of Hollywood movies. The group has been known to hijack and use telecommunications satellites to deliver malware to remote areas of the globe, has developed malware that hid its control mechanism inside comments posted on Britney Spears’ Instagram photos, and has hijacked the infrastructure of entire ISPs to redirect users to malware.

In a report released today, ESET says that Turla has been using LightNeuron for almost five years, since 2014, which again shows the tool’s advanced capabilities, being able to avoid detection for so many years.

To be fair, the first mention of LightNeuron was in a Kaspersky Lab report on the APT Trends of Q2 2018. However, Kaspersky only described the tool in brief. The ESET report released today shines more light on the tool’s unique capabilities that make it stand out from all other backdoors deployed on email servers up until now.

Researchers warn that LightNeuron is currently being used in live attacks and that Turla also appears to have created a UNIX port, which ESET has not yet been able to find.

The Slovak cyber-security firm said it detected three victim organizations infected with Turla’s LightNeuron backdoor. The company did not name the victims, but provided general descriptions:

– Unknown organization in Brazil
– Ministry of Foreign Affairs in Eastern Europe
– Regional diplomatic organization in the Middle East

A CLEVER WAY OF CONTROLLING LIGHTNEURON

According to researchers, the thing that made LightNeuron stand out, besides being the first backdoor for Microsoft Exchange servers, was its command-and-control mechanism.

Once a Microsoft Exchange server is infected and modified with the LightNeuron backdoor, hackers never connect to it directly. Instead, they send emails with PDF or JPG attachments.

Using the technique of steganography, Turla hackers hide commands inside PDF and JPG images, which the backdoor reads and then executes.

Per ESET, LightNeuron is capable of reading and modifying any email going through the Exchange server, composing and sending new emails, and blocking a user from receiving certain emails.

Furthermore, victim organizations will have a hard time detecting any interactions between Turla operators and their backdoor, mainly because the commands are hidden inside PDF/JPG code and the incoming emails could be disguised as banal spam.

In addition, if anyone had any doubts LightNeuron was the work of Russian hackers, ESET researchers said that in the cases they investigated they found that Turla operators only sent commands to backdoored servers during a typical 9-to-5 workday in the UTC+3 (Moscow) timezone, and took a break from all operations between December 28, 2018, and January 14, the typical Christmas and New Year holidays for Eastern Orthodox Christians, Russia’s main religion.

LightNeuron working hours

Image: ESET

Because LightNeuron works at the deepest levels of a Microsoft Exchange server, removing this backdoor is quite problematic.

ESET released a white paper today with detailed removal instructions.

DOT/H Google Launches Secure DNS but not supported by Chrome yet

You might have heard that Google very recently launched DNS over TLS for their Google Public DNS service, the most commonly used DNS recursive resolver worldwide.

In a statement, Google published the following article:

https://security.googleblog.com/2019/01/google-public-dns-now-supports-dns-over.html


Google Public DNS is the world’s largest public Domain Name Service (DNS) recursive resolver, allowing anyone to convert Internet domain names like www.example.com into Internet addresses needed by an email application or web browser. Just as your search queries can expose sensitive information, the domains you lookup via DNS can also be sensitive. Starting today, users can secure queries between their devices and Google Public DNS with DNS-over-TLS, preserving their privacy and integrity.


(DOH) Support for Google Chrome

Although the service is now available, you still can’t use it on Windows 10 since Microsoft hasn’t added support yet. Linux distributions such as Ubuntu support DoT.


Alternative Browsers with DOH support

Firefox’s Nightly browser, which is aimed at power users and developers, already supports DNS over HTTPS (DoH), and upon testing it I could clearly see no plaintext DNS in my Wireshark traffic for the websites I visited.

I used Godaddy.com as an example to see whether Wireshark would show the requested website in the DNS-filtered traffic. Using Firefox Nightly, no DNS result showed up in Wireshark.

Checking result with Chrome

Visiting Godaddy.com in Chrome gave a different result. Here everything is clear text. Although I am using the Simple DNSCrypt app, the DNS traffic is still exposed.

Even when I changed the DNS settings on my NIC to 1.1.1.1 (Cloudflare’s DoT resolver), the result would still show up in Wireshark.

On November 3rd 2018, Chromium published the following change stating:

Add DoH UI setting. This CL adds a UI setting allowing users to enable DNS over HTTPS (DoH). Users may select a DoH server from a dropdown menu of preapproved options or enter a DoH server of their choosing. Bug: 878582 Test: out/Default/chrome --enable-features="SecureDnsSetting" Cq-Include-Trybots: luci.chromium.try:linux_mojo Change-Id: I1138c3b8e77aea10a0d4e8a542b889a285a1a492

How to secure your Windows 10?

There are lots of tools out there that support DNS over TLS; one of them is Simple DNSCrypt, which uses the DNSCrypt protocol. The application can be used temporarily or as a service.

Windows 10

I installed the tool on my Windows 10 as a service and ran a test to see whether resolving Google or any other domain would show up as clear text; the result was negative.

The app uses a range of DNS recursive resolver services like Google, Cloudflare, Freesta… etc.

To Encrypt your DNS traffic, use Simple DNSCrypt

No More Privacy, Says Microsoft and MasterCard

MONITORING SOCIETY. Mobile Bank ID and Swish were just the beginning. Now, Mastercard and Microsoft are to produce digital identities for everyone. Your identity should be known no matter what you do. The system will also simplify for increased invasion of racial strangers to the West.

Last Month, Mastercard and Microsoft announced in a joint communication that they intend to produce new digital identity documents for all people, who will work in all contexts.

All choices and social actions performed in agreements with authorities and companies must be linked through this new digital identity document that will always prove your identity and your actions.

The new identity document should “simplify” our interactions, no matter what we do. It should also be used to verify Facebook users and the like.

“To vote, drive, search for jobs, rent a home, get married and board an aircraft: All such acts mean you have to prove your identity. Together with Microsoft, we work to create a universally valid digital identity document,” writes Mastercard in its communication.

Mastercard explains the companies’ new projects as follows:

Verifying their identity on the Internet is still dependent on physical or digital evidence handled by a central player, whether it be a passport number, accounting address, driver’s license, user identities or other things.

This dependency puts a heavy burden on individuals who must be able to remember hundreds of passwords for different identities, and they must perform increasingly complex actions to prove their identity and manage their data.

Mastercard and Microsoft aim to provide people with a safe and fast way to verify their identity to anyone, whenever they want.

The answer to these challenges is a service that lets users enter, control and share their identity data in their own ways – on devices they use every day. This is Mastercard’s intention, in close collaboration with players such as Microsoft.

– Today’s digital identity landscape is a jungle, inconsistent; and what works in one country often does not work in another. We have the opportunity to establish a system that puts people first and gives them control over their identity data and where they are used,” says Ajay Bhalla, head of cyber and information solutions at Mastercard.

“By working with Microsoft, we are one step closer to the realization of a globally interoperable digital identity service,” continues Bhalla.

The new digital identities will create opportunities for new and improved user experiences for people who interact with businesses, service entities and virtual networks, such as:

  • Financial Services : Enhance and speed up identification processes to open new bank accounts, create loans, or make payments.
  • Commerce : Enable a more individualized and effective shopping experience both on the Internet and in stores, regardless of the form of payment, portable device or service provider.
  • Contact with authorities : Simplification of communication with authorities and services, such as declaring income, ordering pass documents, voting or ensuring that your contributions are paid.
  • Digital Services : Streamlined and simpler ways to use email, social media, music and movie streaming services and car pools.

A new way of managing one of the cornerstones of life
– The digital identity is a cornerstone of how people live, work and entertain themselves every day, says Joy Chik , Microsoft’s vice president of identities.

– We believe that individuals should have control over their digital identity and data, and we are enthusiastic about working with Mastercard to give life to new decentralized innovations, says Chik.

This digital solution will also solve many common challenges:

  • Identity inclusion : Over one billion people, the majority of them women, children and refugees, do not have official identity. A digital identity can improve their access to health, money and social services.
  • Identity Verification : A single, reusable digital identity can help people interact with a vendor, bank, authority, and impersonal other digital service broker with greater integrity, lower cost, and less friction.
  • Fraud Prevention : A single digital identity can reduce the number of payment fraud and various forms of identity theft.

Displeased individuals can be immediately blocked all over the world
With integrated systems, it is easy to lock identities for all or selected forms of transactions. An identity that is used for a purpose that displeases some of the more influential operators, can with some keystrokes be prevented from, for example, taking bank loans, opening a bank account, starting a car or flying aircraft. This may apply, for example, to “suspected Muslim terrorists”.

A nationalist who is opposed to the globalized world can with the coming system be prevented from voting in elections so that “undemocratic parties” cannot flare up, and so on.

This is nothing that is written in the communiqué, but it is technically easy to manage the identity in this way. The purpose of the new digital identities is that all people’s identity should be transparent and undoubtedly identifiable. All their doings and songs should always be obvious and easy to trace and “manage”.

Logical development
Mastercard has previously had global payment solution projects that will facilitate migration across the world. Financial man George Soros , together with Mastercard and the UN, have various migration projects where “refugees” get access to bank accounts and payment solutions in order to more easily infiltrate the West.

At the same time, the UN’s new global migration agreement – which among other things Norway and the Swedish transitional government that governs overtime intends to write on December 10 – aims, among other things, to reduce transaction costs for “refugees” who want to move financial resources from their new contributing industrialized host countries, to the countries from which they have fled.

With Mastercards, Microsoft’s and the UN’s new global ventures, the “friction” will thus decrease between what the racially invasive invaders and the asylum seekers want from the West, and the fulfillment of these desires.