Wednesday, April 24, 2019

Watch Out Crime, Cybercrime is Giving You a Run For Your Money!

Holy Cow!!  According to the FBI's Internet Crime Complaint Center (IC3), cybercrime cost victims $2.7 billion (that's billion with a *B*) in 2018.  And that's just from the complaints they received!  So can you imagine how much money was really lost to cybercrime last year?

According to IC3 there were 351,936 complaints of cybercrime last year, adding up to that $2.7 billion in losses.  That just boggles my mind.  And you HAVE to know that a lot of people simply didn't report it when they got attacked. 

How about an example?  :-)   Sextortion has been huge lately.  Do you think I'm going to call the FBI if some Threat Actor threatens to expose my pornographic tendencies to all my friends?  Yeah, that would be awesome.  Here's my take on how the call would go....

"Ugh yeah, is this the FBI?"

"Yes Sir it is, how can we help you?"

"Ummm, yeah, some dude sent me an email and said he broke into my computer and was going to lock up my computer, but decided that since I was such a pervert and had hoarded tons of pornographic material he was going to extort me for a bunch of money or he would contact my wife and all of my friends and tell them I'm a pervert and would release a video of me entertaining myself!"

Yeah, I can see that going REALLY well...  What the heck do you say to something like that if you're the FBI???

But I digress... 

IC3 has been tracking this since May of 2000, so they've got about 19 years of data on this.  From May of 2000 through 2018, 4,415,870 complaints have been reported to the FBI, and over the last five years that has averaged more than 300,000 complaints a year, or about 900 per day.  That's a lot of crime.

Now this is very interesting.  The crimes with the largest losses were business email compromise (BEC), confidence/romance fraud, non-payment/non-delivery and extortion.  So what's BEC you ask?  It's a scam where the Threat Actor impersonates someone you trust (your CEO, a vendor, a business partner) by email and talks an employee into wiring money or handing over sensitive data.  It's a very targeted attack aimed at YOU.  Yep, as creepy as it sounds, Threat Actors do a lot of research on their mark. 

Where does all this information come from?  Think about it, how much information do you have about yourself on LinkedIn, Facebook, Instagram, Twitter, shall I go on?  And I'm not saying unplug, live in a cave and wear furry animal skins.  Just be a little mindful of what you're putting up on the Internet because it's public.  Let that sink in just a little bit before you read on.

BEC is very popular with Threat Actors because targeted attacks make more money.  According to the BleepingComputer article I'm getting this information from (https://www.bleepingcomputer.com/news/security/cybercrimes-total-earnings-skyrocketed-to-27-billion-says-the-fbi/), BEC accounted for $1.2 billion of last year's losses.  So almost half of all the money came from these targeted attacks.

Here's an example.  I'm a Threat Actor and I find out you're the controller of a company.  Suddenly you get an email from your CEO addressed to you.  It states that he/she is working on an important deal and it's extremely time sensitive.  The email looks legitimate, the names are correct, and there are wire instructions telling you exactly where to send the money. 

Do you transfer the money or do you do more research?  If it's real, the CEO might get really pissed if you cause him/her to miss out on this deal.  If it's fake you could end up sending the wrong person a chunk of money.  What to do?  Pick up the phone and call the CEO at a number you already have, not one from the email.  A real deal survives a five-minute phone call; a fake one doesn't.

But Neil, it has the correct names on it...  Yep, that's easy to fake.
But Neil, they knew my name...  Yep, that's easy to find.
But Neil, they knew what I did...  Yep, that's easy to find.

So see why it's so successful?  Traditional phishing is usually pretty spammy, with misspellings and grammatical mistakes, and is easier to spot.  BEC usually carries no malware and no malicious link, just a well-written email, so the filters that catch nasty attachments don't catch it.  BEC is personal and it should worry you.
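Here's what a first-pass screen for the CEO-fraud email described above can look like.  This is an added example, not code from the original post, and everything in it is constructed: the company domain, the executive roster and the two sample messages are assumptions for illustration, not data from any real incident.  It checks the things a controller can check in thirty seconds: does the display name borrow an executive's name while the address isn't ours, is the sender domain a lookalike of ours, do Reply-To or Return-Path point somewhere else, and is the body asking for money under time pressure.

```python
"""
Added example (not from the original post): a small BEC / CEO-fraud screen.
COMPANY_DOMAIN, EXECUTIVES and both sample messages are constructed assumptions.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumed: our real mail domain and the executives a BEC actor would impersonate.
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVES = {"pat doe", "alex roe"}
URGENCY_WORDS = ("urgent", "time sensitive", "time-sensitive", "confidential", "today")
MONEY_WORDS = ("wire", "transfer", "routing number", "account number", "invoice")


def edit_distance(a, b):
    """Levenshtein distance, used to catch lookalike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def screen_message(raw):
    """Return a list of reasons this message looks like BEC (empty list = nothing found)."""
    msg = message_from_string(raw)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. An executive's name in the display name, but the address is not ours.
    if any(name in from_name.lower() for name in EXECUTIVES) and from_domain != COMPANY_DOMAIN:
        findings.append(f"display name impersonates an executive, sent from {from_domain}")

    # 2. Sender domain is a near-miss of ours (one or two characters off).
    if from_domain != COMPANY_DOMAIN and 0 < edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        findings.append(f"lookalike sender domain {from_domain}")

    # 3. Reply-To points elsewhere: your reply goes to the attacker, not the CEO.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain")

    # 4. Envelope sender (Return-Path) does not match the visible From domain.
    _, ret_addr = parseaddr(msg.get("Return-Path", ""))
    if ret_addr and domain_of(ret_addr) != from_domain:
        findings.append(f"Return-Path domain {domain_of(ret_addr)} differs from From domain")

    # 5. Money request plus time pressure in subject or body.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    if any(w in text for w in MONEY_WORDS) and any(w in text for w in URGENCY_WORDS):
        findings.append("asks for a payment under time pressure")

    return findings


# Constructed sample: the kind of email the controller in the story receives.
BEC_SAMPLE = """\
Return-Path: <bounce@mail-example.net>
From: "Pat Doe, CEO" <pat.doe@examp1e-corp.com>
Reply-To: <pat.doe.ceo@mail-example.net>
To: controller@example-corp.com
Subject: Confidential - time sensitive acquisition
Content-Type: text/plain

Hi,

I am finalising a deal and need a wire transfer of $48,500 sent today.
Routing number and account number are below. Keep this confidential.

Pat
"""

# Constructed sample: an ordinary internal note from the real CEO.
LEGIT_SAMPLE = """\
Return-Path: <pat.doe@example-corp.com>
From: "Pat Doe" <pat.doe@example-corp.com>
To: controller@example-corp.com
Subject: Q2 board deck
Content-Type: text/plain

Can you send me the updated cash-flow slide before Friday?

Pat
"""

if __name__ == "__main__":
    for label, sample in (("BEC", BEC_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, screen_message(sample) or ["no findings"])
```

Treat the output as a reason to slow down, not as a verdict.  A message with zero findings can still be fraud (a compromised real mailbox produces clean headers), which is why the out-of-band phone call is the control that actually matters.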

Well on that sunny note, I think I'll stop scaring everyone.  :-)  If it seems fishy, it's probably because it is.  If it seems too good to be true, it's probably because it is.  Threat Actors do a lot of stuff to hit us in the gut and make us ask "how high" when they say jump.

Be careful out there!
Neil

Tuesday, April 16, 2019

Zero Day Exploits Patched by Microsoft (CVE-2019-0859 & CVE-2019-0803)

Hi Friends,

You know how much I LOVE patches; actually, they scare the heck out of me...  Here comes the "When I was a <fill in the blank>" moment.  Ready?  Let me get my rocking chair.

When I was a system administrator patches were the bane of my existence.  Why?  If it isn't broken, DON'T fix it!!  When you work in a production environment, you don't want anything messing up your up-time.  Business people tend to get very fussy when their production applications aren't available and the last thing I wanted to do was add an unknown into a working system.  Yes I know that's what test environments are for, but remember, test isn't something you want to break either.  Where do you think these business folks do all their testing?

But alas, being in the security industry has given me a new perspective on patches that I've never had.  Now that I know about some of the creepy crawly code running around the Internet, it scares me even more than patches!

Zero day this, malware that, exploit this, it's enough to make me want to unplug my Ethernet cable and never plug it back in.  But that doesn't even work anymore because of wireless.  ;-)  So what does this paranoid technical guy do?  Patch.  I'm not saying run out and patch your production environment immediately without some sort of test, but we can no longer hide our heads in the sand and hope it goes away.

With that said, let's talk about the latest "Patch Tuesday" Microsoft went through.  Microsoft releases its patch bundle on the second Tuesday of each month, a practice they started back in October 2003.  Unfortunately Patch Tuesday is now followed by Exploit Wednesday.  Yep, just like the rest of us, Threat Actors get to see what Microsoft patched, and comparing the patched binary with the old one tells them exactly where the bug is, so it's an opportunity to go after systems that haven't been patched yet.

Hold onto your socks for this one.  This latest bundle contained patches for 74 vulnerabilities, with 15 classified as critical.  Let's break it down a bit more.  Within that bundle were the patches for CVE-2019-0859 and CVE-2019-0803.  Both of these CVEs are bugs in win32k.sys, the kernel-mode driver that implements the Windows GUI subsystem (window management and GDI).  Every interactive Windows session depends on it, and because it runs inside the kernel, a bug in it is a bug with kernel privileges.

These vulnerabilities are what's called a Use-After-Free: the program frees a chunk of dynamic memory but keeps using a pointer to it afterward.  If an attacker can get that memory reallocated with contents they control before the stale pointer is used, they control what the kernel does next.  In the attacks spotted in the wild, the exploit was used to launch a PowerShell-based HTTP reverse shell, which is a backdoor into the system.

Yep, it's as bad as it sounds.  These are elevation-of-privilege bugs, so the attacker first needs to be running code on the box as an ordinary user (a phishing payload is the usual way in), but from there they can run code in kernel mode and game over, man!  They can then install programs, view, change or delete data, or create new accounts with full rights.  And FYI, this isn't for some antiquated OS; this affects Windows 7 through Windows 10 and the Server releases built on them.

Believe me, I'm not trying to scare you, just tell you the facts.  But if it does scare you a little, you're starting to understand how I feel.  :-)

There's tons of information about this patch bundle and these two CVE's, but here's a great article from BleepingComputer:
https://www.bleepingcomputer.com/news/security/patched-windows-zero-day-provided-full-control-over-vulnerable-systems/

Be safe out there!
Neil

Tuesday, April 9, 2019

Java Catch-22

Hi Friends,

Today I found myself in a Java "Catch-22" and wanted to let you know how I got past it.  I loaded up a webpage that needed Java to run the utility.  The page told me that only Internet Explorer and Firefox were supported.  If you've read my last blog, I let you know that Windows 7 is going away so I decided to jump on the Windows 10 band wagon.  I know, about time Neil!

Anywho, I'll just load up Edge because that's the IE replacement, right?  Nope, the page didn't recognize Edge as IE.  Ah crap!  But that's okay, I still have Firefox!  Firefox will work, right?  I load the page and I'm told I need to update Java.  No problem, a couple of clicks and Voilà!!  Hmmm, still not working...  Maybe a restart of Firefox will work!  Nope...

Okay, okay, time for my buddy Google.

Firefox:
Apparently Firefox version 52 and above have removed NPAPI plug-in support, which is what the Java plug-in uses.  So I can't enable the plug-in.  Doh!!!
https://java.com/en/download/help/enable_browser.xml

Edge:
Apparently the Edge browser does not support plug-ins and won't run Java....  UGH!!
https://www.java.com/en/download/faq/win10_faq.xml

So see my predicament...  I tried Chrome for the heck of it, but nope, that didn't work either (Chrome dropped NPAPI back in version 45).  So I looked around a bit and realized that Edge can open a page in IE.  Whaaaaat?!?!?

So I went to the page that needed Java in Edge, selected "Open with Internet Explorer", and it worked!!

I'm not sure how long that will be in Edge or how secure it is, but bravo Microsoft for helping me out of the difficult predicament I was in!  One caveat worth knowing: the reason Firefox, Chrome and Edge all dropped NPAPI is that plug-ins like Java ran with the browser's full privileges and were a favorite exploit target.  So treat the IE fallback as a last resort for that one site you trust, and if you need Java at all, add only that site to the Exception Site List in the Java Control Panel rather than loosening the security level for everything.

All the best,
Neil