Monthly Archives: August 2018

0patch releases micropatch for Windows Task Scheduler zero-day

Earlier this week a security researcher that goes by “SandboxEscaper” published details and a PoC exploit for a zero-day local privilege escalation vulnerability affecting Windows.

Microsoft has, so far, been cagey about when they will push a fix for it. In the meantime, those who don’t want to wait have one other option: implement a temporary micropatch (a tiny security patch that’s implemented in memory, while the software is running).


Get a micropatch

Acros Security, the company behind 0patch, has released a micropatch for the flaw that can be applied to fully updated 64-bit Windows 10 version 1803 and 64-bit Windows Server 2016.

“As far as we know at this point, the vulnerability was confirmed to also be present and exploitable on 32-bit Windows 10 and 32-bit Windows 7, so it’s safe to assume that at least all Windows versions from Windows 7 and Windows Server 2008 are likely affected. We can quickly port the micropatch to other affected versions but we’ll only do that on request,” noted Mitja Kolsek, the company’s CEO.

The micropatch will be effective even if the exploit is modified, he explained, as it changes the code to close the hole.

Still, he noted, this should be considered only a temporary fix. Microsoft’s update will not only fix this issue in a more informed way, but will also bring fixes for other vulnerabilities.

“When Microsoft makes their official fix available, you simply apply it as you would if you had never heard of 0patch. Applying it will automatically obsolete this micropatch on your computer as the update will replace a vulnerable executable with a fixed one, thereby changing its cryptographic hash. Since our micropatches are associated with specific hashes, this will make the micropatch inapplicable without intervention on either your end or ours,” he explained.

To implement the micropatch, users must download and launch the 0patch Agent installer, create a free 0patch account and register the agent to that account. “You will immediately receive all micropatches including this one, and it will automatically get applied to Task Scheduler,” he added.

What’s the deal with micropatching?

Creating patches is a long and complex process.

They have to be comprehensive and they have to be ported to all supported software versions. They also have to be extensively tested before being deployed. Finally, they can still result in problems after deployment and the changes may be difficult to revoke.

Creating micropatches is a much quicker and more focused process, and disruption to regular operations is minimized.

With 0patch, Acros Security aims to fix 0-days and other unpatched vulnerabilities, including those in end-of-life and unsupported products, legacy operating systems, vulnerable third-party components and customized software.

from Help Net Security – News

How lucrative is web-based cryptojacking?

One in 500 of the one million most-visited websites (per Alexa’s ranking) contains a web-based cryptominer that starts mining as soon as the site is opened in the browser, researchers from the Braunschweig University of Technology have found.


Still, despite not being rare, web-based cryptojacking is not hugely lucrative.

“Based on the configuration of typical desktop computers and statistics about website visits, we estimate the revenue generated by individual miners in the Alexa ranking at a range of a few cents up to 340 USD per day under the current price of the respective cryptocurrencies,” they say.

The rise of cryptojacking

Memory-bound cryptocurrencies like Monero, Bytecoin and Electroneum don’t require dedicated mining rigs – they can be easily and profitably mined on regular computer systems.

But cryptojackers don’t want to use their own computers and pay for the tech and electricity and, since the advent of CoinHive and similar web-based cryptominers, they don’t have to.

These cryptominers work on all major browsers and the mining script can even be injected into web pages on the fly through compromised routers.

Is it worth it?

The revenue of a cryptojacking campaign depends on how aggressively the miner occupies the visitor’s CPU cores. But if the mining is too aggressive, users are bound to notice and put a stop to it (e.g., by leaving the website).

Taking as an example the 10 most profitable sites that host mining code, the researchers estimated that these are able to generate between 0.53 and 1.51 Monero per day, i.e., between 119 and 340 USD (at the time).

While that is not much, the revenue comes at no cost to the miner, so it is still a notable profit.

“However, we conclude that current cryptojacking is not as profitable as one might expect and the overall revenue is moderate,” the researchers noted.

How to stop it?

The researchers found that the existing blacklist-based approaches used by web browsers are trivial to evade, and that the lists themselves go out of date quickly.

Instead of static blacklists, they used a set of heuristic indicators to select candidate sites, followed by a dedicated performance measurement step to identify miners precisely. However suitable this approach is, they pointed out that it likely works well only because today’s mining operators don’t anticipate it.

As the only reliable indicator of active mining is prolonged and excessive CPU usage, their advice for browser makers is to implement CPU allotments for tabs.

“As soon as a tab runs out of its quota, the browser could take actions, such as throttling the tab’s scripts or warning the user,” they explained.
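The per-tab CPU allotment the researchers suggest, as an added Python sketch that is not code from the paper or from any browser: a tab’s CPU samples are averaged over a rolling window, and only sustained use above its allotment leads first to a warning and then to throttling. The window length, sampling interval, quota and strike counts are assumed values, and the usage traces are constructed.

```python
from collections import deque

WINDOW_SECONDS = 60       # rolling window over which tab CPU usage is measured (assumed)
SAMPLE_SECONDS = 5        # how often the browser samples a tab's CPU usage (assumed)
QUOTA_FRACTION = 0.5      # allotment: at most half a core on average over the window (assumed)
THROTTLE_STRIKES = 3      # consecutive over-quota windows before throttling (assumed)


class TabCpuQuota:
    """Tracks one tab's CPU samples and decides whether it has run out of quota."""

    def __init__(self, tab_id):
        self.tab_id = tab_id
        self.samples = deque()   # (timestamp_seconds, cpu_fraction_of_one_core)
        self.strikes = 0         # consecutive windows in which the quota was exceeded

    def record(self, ts, cpu_fraction):
        """Add a sample and return the action for this tab: 'ok', 'warn' or 'throttle'."""
        self.samples.append((ts, cpu_fraction))
        # drop samples that have fallen out of the rolling window
        while self.samples and self.samples[0][0] <= ts - WINDOW_SECONDS:
            self.samples.popleft()
        # a short burst (page load, video decode) must not count: judge only a full window
        if len(self.samples) < WINDOW_SECONDS // SAMPLE_SECONDS:
            return "ok"
        mean_usage = sum(c for _, c in self.samples) / len(self.samples)
        if mean_usage <= QUOTA_FRACTION:
            self.strikes = 0     # usage dropped back under the allotment: forgive earlier strikes
            return "ok"
        self.strikes += 1
        return "throttle" if self.strikes >= THROTTLE_STRIKES else "warn"


def run_trace(tab_id, usage_trace):
    """Feed a constructed trace of per-sample CPU fractions; return the sequence of actions."""
    quota = TabCpuQuota(tab_id)
    return [quota.record(i * SAMPLE_SECONDS, u) for i, u in enumerate(usage_trace)]


# constructed traces: a normal page with a short load spike, and a page running a miner
BENIGN_TRACE = [0.8, 0.6] + [0.05] * 14        # load spike, then idle
MINER_TRACE = [0.95] * 16                       # sustained, excessive CPU use

if __name__ == "__main__":
    print("benign:", run_trace("news-site", BENIGN_TRACE))
    print("miner :", run_trace("mining-site", MINER_TRACE))
```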

from Help Net Security – News

Proposed US law would require President to act against overseas hackers

US senators from both sides of the house have announced a bill that would force the President to act against overseas hackers found targeting the US, or explain why he has not.

Senators Cory Gardner (R-CO) and Chris Coons (D-DE) announced the Cyber Deterrence and Response Act (S.3378) this week.

The text of the bill cites several cybersecurity incidents, including the charging of Chinese military hackers for allegedly attacking a range of US industries, and the indictment of seven Iranians for alleged cyberattacks in the US, including DDoSes against 46 different financial institutions.

The bill also points to a May 2018 State Department recommendation to the President, which cited a rising number of cyberattacks that were serious, but not serious enough to warrant a counterattack, and proposed:

…developing a broader menu of consequences that the United States can swiftly impose following a significant cyber incident, and taking steps to help resolve attribution and policy challenges that limit U.S. flexibility to act.

This bill seems to provide a framework for those consequences. It requires the President to label any foreign individual or agency that knowingly participates in an attack as a ‘critical cyber threat actor’, and publish their identity in the Federal Register.

The President can withhold those details if national security or law enforcement requires it, but he must tell Congress about it, the bill says. Specifically:

The President shall transmit to the appropriate congressional committees in classified form a report containing any such identification, together with the reasons for exercising such authority.

The President must then impose sanctions on these threat actors, says the bill. These could take the form of removing security assistance, blocking US loans, investments and business purchases, and stopping technology exports. He could also revoke visas.

If he waives those sanctions, he can do so for up to a year but must explain to Congress why he is doing so on economic, national security, law enforcement or humanitarian grounds, the legislation said.

The bill explicitly calls out election tampering, which has become an increasingly critical problem for the US, citing as an infraction:

Interfering with or undermining election processes or institutions by tampering with, altering, or causing misappropriation of data.

Publicly naming and shaming overseas hackers tampering in US elections would complement a new DoJ policy to publicly disclose election tampering schemes.

S.3378 is a companion bill to H.R.5576, introduced in the House of Representatives in April 2018. To reach the President’s desk, a bill must eventually pass both the House of Representatives and the Senate, but introducing a companion to an existing bill lends support to it.

Senator Gardner said:

This bipartisan legislation is another step that Congress and the Administration can take to deter foreign actors from carrying out cyberattacks against the United States. Our legislation will help provide additional tools for the Administration to impose significant costs against malicious cyber actors, including state-sponsored actors, around the world that aim to endanger U.S. national security and our economy.

This proposed legislation punctuates a chaotic period for the White House’s cybersecurity policy. The National Infrastructure Advisory Council (NIAC), which advised the President on cybersecurity issues, quit a year ago, citing “insufficient attention to the growing threats to the cybersecurity of the critical systems upon which all Americans depend, including those impacting the systems supporting our democratic election process”.

More recently, national security advisor John Bolton removed the position of cybersecurity advisor from the National Security Council, and the President issued an Executive Order rolling back Obama-era guidelines for launching cyberwarfare attacks on other nations.

from Naked Security – Sophos

New infosec products of the week: August 31, 2018

Moogsoft announces Observe expanding its AIOps platform capabilities

Moogsoft Observe ingests time-series and metrics data in real-time and applies AI to detect incidents at the source of the problem. Observe stores anomalous and contextual data, giving IT teams knowledge to improve their online services and applications while lowering data transport, ingestion, and storage costs.


Inseego launches new IoT cloud solution for Industrial IoT applications

Inseego announced the availability of its all-new, enterprise-grade Inseego IoT Connect solution. The intelligent device-to-cloud management platform optimizes Industrial Internet of Things (IIoT) use cases. Its user-friendly, service provider agnostic design allows IT managers and systems integrators to simplify management of assets across an enterprise.


TP-Link introduces AC2600 Wi-Fi router with enhanced security

TP-Link announced the upcoming launch of the Archer C2700, a next level AC2600 Dual-Band WiFi Router that utilizes Intel technology to provide WiFi at speeds up to 1733Mbps on the 5GHz band and 800Mbps on the 2.4GHz band. TP-Link HomeCare comes with antivirus, parental controls and QoS, helping to protect data and IoT devices from intruders. A security database updates automatically to keep the home safe from the latest cyber threats.


SevOne expands SD-WAN Monitoring Solution by adding support for VMware NSX SD-WAN

Based on the SevOne Data Platform, the SD-WAN Monitoring Solution, released earlier this year, increases the operational agility of MSPs offering network services over their networks. The SevOne solution, scheduled for release in calendar Q4, will deliver visibility into enterprise and service provider networks with dashboards for network operations/engineering, product owners and business executives.


from Help Net Security – News