Cyber Security Alerts


Microsoft released an out-of-band security update for CVE-2020-1472, currently being exploited

(SWTFC) CVE-2020-1472: Zerologon Attack Allows Hackers to Hijack Enterprise Networks. Microsoft recently released a significant security patch to its customers worldwide that addresses one of the most severe bugs ever reported to the company. According to Microsoft, the patch fixes an issue since dubbed “Zerologon”, in which malicious actors were able to elevate privileges in Netlogon (the protocol that authenticates users against domain controllers), which would then allow them to disable security features and change computer account passwords in Active Directory on domain controllers. The name of the exploit comes from the attack’s requirement of supplying zero characters in specific Netlogon authentication parameters, allowing an attacker to compromise the entire network in as little as three seconds. The details of CVE-2020-1472 were originally withheld because of the severity of the exploit. Since then, security researchers have been working to spread awareness of Zerologon because of its large impact on many industries. Source: ZDNET, MITRE, ThreatPost

MS-ISAC ADVISORY NUMBER:
2020-126 - UPDATED

DATE(S) ISSUED:
09/08/2020
09/16/2020 - UPDATED

SUBJECT:
Critical Patches Issued for Microsoft Products, September 08, 2020

OVERVIEW:
Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution. Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

THREAT INTELLIGENCE:
There are no reports of these vulnerabilities being exploited in the wild.

September 16 - UPDATED THREAT INTELLIGENCE:
Microsoft announced that patches for vulnerabilities relating to Microsoft Office (including remote code execution) are now available for macOS.

SYSTEMS AFFECTED:
• Microsoft Windows
• Microsoft Edge (EdgeHTML-based)
• Microsoft Edge (Chromium-based)
• Microsoft ChakraCore
• Internet Explorer
• SQL Server
• Microsoft JET Database Engine
• Microsoft Office and Microsoft Office Services and Web Apps
• Microsoft Dynamics
• Visual Studio
• Microsoft Exchange Server
• ASP.NET
• Microsoft OneDrive
• Azure DevOps

RISK:
Government:
• Large and medium government entities: High
• Small government entities: Medium
Businesses:
• Large and medium business entities: High
• Small business entities: Medium
Home users: Low

TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution.

A full list of all vulnerabilities can be found at the link below:
https://portal.msrc.microsoft.com/en-us/security-guidance

Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

RECOMMENDATIONS:
We recommend the following actions be taken:
• Apply the appropriate patches or mitigations provided by Microsoft to vulnerable systems immediately after appropriate testing.
• Run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack.
• Remind all users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
• Inform and educate users regarding threats posed by hypertext links contained in emails or attachments especially from untrusted sources.
• Apply the Principle of Least Privilege to all systems and services.

REFERENCES:
Microsoft:
https://portal.msrc.microsoft.com/en-us/security-guidance
https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Sep

SUBJECT: Malicious Cyber Actor Spoofing COVID-19 Loan Relief Webpage via Phishing Emails

DATE: August 13, 2020

The Cybersecurity and Infrastructure Security Agency (CISA) is currently tracking an unknown malicious cyber actor who is spoofing the Small Business Administration (SBA) COVID-19 loan relief webpage via phishing emails. These emails include a malicious link to the spoofed SBA website, which the cyber actor is using for malicious redirects and credential theft.

Further information including screenshots, downloadable IOCs, and recommendations can be found at the link below.

https://us-cert.cisa.gov/ncas/alerts/aa20-225a

Exercise the same level of awareness and vigilance when working with email whether you are working from home or from the office. 


Adhere to the following recommended guidelines when reacting to high-profile events, including news associated with the Coronavirus, and securing ESC-20 assets and information in general.  Working remotely may require that you take immediate action if you believe your account has been compromised or your system is infected because Tech Support will not be at your location to provide immediate assistance.


  • Do not enter network credentials to view news associated with COVID-19.
  • Users should exercise extreme caution when responding to individual pleas for financial assistance such as those posted on social media, crowdfunding websites, or in an email, even if it appears to originate from a trusted source.
  • Be cautious of emails or websites that claim to provide information, pictures, and videos.
  • Do not open unsolicited (spam) emails or click on the links or attachments in those emails.
  • Never reveal personal or financial information in an email or to an untrusted website.
  • Do not go to an untrusted or unfamiliar website to view the event or information regarding it.
  • Verify the legitimacy of an email by contacting the sender through another channel of communication; do not reply to the email you are suspicious of.  See the attached Phish Button Guidance document for tips on evaluating email.
  • Ensure your systems are getting software updates and anti-virus updates from Sophos (the AV software on your ESC-20 laptop).  If you determine that your system is not getting updates, create a Samanage ticket indicating your concerns.
  • Backing up project documents is essential and safeguards against numerous forms of data loss.  If you cannot reach your network drives using the Forticlient VPN application, back up your files to your O365 OneDrive or your Google Drive.  BE CAREFUL THAT YOU ARE NOT STORING SENSITIVE OR CONFIDENTIAL INFORMATION IN THESE LOCATIONS.
    • Examples of sensitive or confidential information include, but are not limited to, Personally Identifiable Information (PII – a combination of name, DoB, Social Security Number, address, phone number, email address), FERPA or HIPAA data, student information that can be traced to an individual, or proprietary information.
  • If you do suspect that your ESC-20 network credentials have been compromised, change your password immediately.  See the attached Change Password Using Self-Service document for guidance.
    • You do not have to create a ticket to request a password change.
    • You do not have to contact tech support or call Network Services to change your password.
    • Upon suspicion of compromised credentials, use AD Self Serve to change your password immediately.  Go to ESC20.net, STAFF LOGIN.  Log in and select Account Unlock.  Once there you will have the option to RESET your password.  IF YOU BELIEVE YOUR ACCOUNT HAS BEEN COMPROMISED, DO NOT SELECT UNLOCK ACCOUNT.  YOU MUST SELECT RESET PASSWORD.  Ensure that your new password does not resemble the one believed to be compromised.
    • After you have changed your password, please notify the ESC-20 Security Administrator, Mike Garcia, to provide details regarding the incident and assess the need for follow-up actions.