A Month In Breaches: November

This is an initiative by our Security Operations Centre team who have their eyes on the prize 24/7 and are proactively observing breaches and critical security trends.

Part of protecting our clients is also promoting good security practices and raising awareness of current security trends. We hope this will give some extra boost to your overall understanding of security breaches happening in the expansive and scary internet.


Privilege Escalation Using Windows UAC Flaw (CVE-2019-1388)

Exploiting the recent bug found in Microsoft Window’s User Account Control (UAC), attackers can gain elevated privileges allowing them to install malicious programs; read, modify and change data. UAC is a security feature provided by Microsoft to prevent unauthorised modifications on a windows machine by running the system with least user privileges. In order to perform the exploit, the attackers must first have the access to a desktop as a low-privilege user on the target system. Then the underprivileged attacker could download a Microsoft signed executable from the attacker-controlled website and run it as an administrator. This will make the UAC window pop-up asking for administrative password. At this point if the attacker chooses ‘show details’ and clicks the link that gives issuer certificate information, another browser window will open but this time with SYSTEM privileges (which are the maximum privileges).

Microsoft had wasted no time in releasing a patch that mitigates the UAC flaw as a part of its patch Tuesday program. This patch will ensure the Windows Certificate Dialog properly enforces the user privileges. CTRL Group suggests updating the latest security patch on your windows devices as soon as it is made available. Failing to do so can leave the devices in your environment open for privilege escalation attacks which can give an attacker unnecessary rights to perform malicious activities on that device and gain further access to your network.


Bogus Windows Update Email Installs Cyborg Ransomware

A spam email campaign which reads, ‘critical windows update’, contained a .exe file disguised as a jpg to spread Cyborg Ransomware. The subject of the email has 2 lines: Install Latest Microsoft Windows Updates now! Critical Microsoft Windows Update! This email contained a 28KB file which says .jpg but is actually an executable .NET downloader (changing the file extension of an executable is a common trick to evade email filter). This will download bitcoingenerator.exe from a GitHub account. The ransomware will encrypt the user’s files and appends .777 extension at the end of encrypted files. Then a ransom note is left asking to send $500 or more to a wallet. Looking at the trends, researchers are expecting a surge in ransomware incidents in 2020.

Sometimes it gets hard for the email guards to filter out emails based on content if defence evasion techniques are used, like in this particular scenario where the executable was hidden behind jpg extension. Hence, it is highly important to train the staff and make them aware to neglect such phishing emails. Also, keeping backups of sensitive information that can be leveraged for ransom is always a better idea than paying the ransom. Therefore, CTRL Group recommends its clients to keep an online and offline copies of backups which could be restored in case of a security incident.


Malware Attack On A School

The Waterloo Catholic District School Board (WCDSB) is putting the pieces together following what was described as a ‘significant’ malware incident. According to John Shewchuk, chief managing officer of the Catholic board, all services are back up and running and the IT team is in the process of conducting an investigation with the assistance of an outside cyber-security expert. In the last seven days, there have been 540 attempted malware downloads, most of which are from phishing emails. The WCDSB says that its email and Compass for Success systems were among those that do not appear to be compromised while its student management system was among those that were.

In case of a malware attack, the immediate remediation is to remove the affected device from the network and backup all important files. This limits the spread of the infection. A full system scan must be performed to detect and clean any malicious files from the device. It is also recommended to remove any system restore points post attack as malware can infect those restore points. End point protection and anti-virus packages should be updated to its latest version to detect and new malware signatures. CTRL Group recommends educating the staffs about phishing. Most of the malware are spread through phishing campaigns, which exploits the weakest link in any organisation- staffs. Hence good staff awareness is essential in safeguarding the organisation.

 

– CTRL GROUP SECURITY OPERATIONS CENTRE ANALYSTS, M-Singh & V-MSK