Microsoft Defender Adds Cross Platform Mobile Protections

Microsoft recently announced an important upgrade to Microsoft Defender: its threat and vulnerability management now covers both Android and iOS. The company’s announcement reads in part as follows: “With this new cross-platform coverage, threat and vulnerability management capabilities now support all major device platforms across the organization - spanning workstations, servers, and mobile devices. Threat and vulnerability management in Microsoft Defender for Endpoint continuously monitors and identifies impacted devices, assesses associated risks in the environment, and provides intelligent prioritization and integrated workflows to seamlessly remediate vulnerabilities.”

Although the new feature was introduced with very little fanfare, it is a significant change. It gives network admins the same vulnerability visibility for mobile endpoints that they already have for workstations and servers, which in turn lets them shrink the attack surface those devices present. This is part of Microsoft’s broader strategy of extending the security platform across every device type so that an organization gets one unified view of its endpoints.

Previous upgrades to Microsoft Defender’s capabilities included adding support for Linux back in 2020. One month later, the company added a “Microsoft Secure Score for Devices” feature, which lets network security professionals evaluate the security posture of every device connected to the enterprise network and includes a “recommended actions” section for improving it. Then in October 2020 the company added automatically generated reports to assist with the tracking of vulnerable Windows and macOS devices on the network. These included vulnerability severity levels, exploit availability, vulnerability age, and vulnerable devices sorted by OS. All these changes are valuable when evaluated individually, but taken together they demonstrate just how serious Microsoft...
Mac Malware Is Becoming A Bigger Threat For Users

In late 2020 a new strain of malware called UpdateAgent appeared and began infecting Mac users. Initially the strain wasn’t all that worrisome. It stole system information, but it was by no means the worst threat on a Mac user’s radar. Since then, the hackers behind the malicious code have been busy. UpdateAgent has gone through several revisions, each adding a new element of danger, and as things stand now it should be considered a serious threat to Mac users.

In its latest iteration UpdateAgent installs an annoyingly persistent adware strain called Adload, and it has gained capabilities that make it easy to install other, more damaging payloads in the future. Microsoft has been investigating and following the development of UpdateAgent and has discovered that the hackers who created the strain are hosting a wide range of other payloads on Amazon Web Services’ S3 and CloudFront services. While these have not yet been tied to UpdateAgent, it is a clear sign of the shape of things to come.

In addition, the code is now capable of fetching compressed zip files instead of .dmg files, and it has been modified to prevent Gatekeeper from displaying its pop-up warnings to users, so the absence of the usual download warning is no longer a sign that a file is safe. It can also inject persistent code into background processes that are invisible to the user. Microsoft had this to say about its study of the malware strain: “UpdateAgent is uniquely characterized by its gradual upgrading of persistence techniques, a key feature that indicates this trojan will likely continue to use more sophisticated techniques in future campaigns. Like many information-stealers found...
Additional Security Recently Added To Office 365

Back in September of 2020 Microsoft announced that it was experimenting with the addition of SMTP MTA Strict Transport Security (MTA-STS) support to Exchange Online, in a bid to better protect the email of its Office 365 customers while it is in transit. In a recent statement the Exchange Online Transport Team said: “We have been validating our implementation and are now pleased to announce support for MTA-STS for all outgoing messages from Exchange Online.”

While it may not sound like a terribly exciting change, it truly is a big step forward. Now that the feature is in place, any email sent via Exchange Online to a recipient domain that publishes an MTA-STS policy will be delivered only over a connection that is both encrypted (TLS) and authenticated (the receiving server’s certificate must validate for the MX host named in that policy). This protects messages from interception, including both man-in-the-middle and downgrade attacks. Note the condition: the protection applies only where the receiving domain has published a policy, so it is worth publishing one for your own domains as well. Again, per the Exchange Online Transport Team: “Downgrade attacks are possible where the STARTTLS response can be deleted, thus rendering the message in cleartext. Man-in-the-middle (MITM) attacks are also possible, whereby the message can be rerouted to an attacker’s server. MTA-STS (RFC8461) helps thwart such attacks by providing a mechanism for setting domain policies that specify whether the receiving domain supports TLS and what to do when TLS can’t be negotiated, for example stop the transmission.”

In addition to the feature itself, Microsoft has provided guidance on how to adopt MTA-STS, including where to host the policy file on your domain’s web infrastructure. The Exchange Team also announced that it is in the process of rolling out DANE for SMTP (with DNSSEC support). That provides better protection...
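To make the mechanism concrete, here is an added example of the sending side’s decision logic. It is not code from the original article or from Microsoft. Per RFC 8461 a domain advertises a policy with a TXT record at `_mta-sts.<domain>` and serves the policy body at `https://mta-sts.<domain>/.well-known/mta-sts.txt`; this example assumes that body has already been fetched and supplies a constructed one inline, with constructed domain names. It parses the policy, applies the wildcard MX matching rule, and shows why “enforce” mode blocks a stripped STARTTLS reply or a rerouted MX while “testing” mode only reports it.

```python
"""
Parse and apply an SMTP MTA-STS (RFC 8461) policy on the sending side.

Added example, not code from the original page or from Microsoft. The
domain names, the policy text and the candidate MX hosts are constructed
for illustration. Fetching the policy over HTTPS and querying the
_mta-sts TXT record are out of scope; the policy text is supplied inline.
"""
from dataclasses import dataclass, field

MAX_POLICY_AGE = 31_557_600  # RFC 8461 section 3.2: at most one year, in seconds

# Constructed sample of what https://mta-sts.example.com/.well-known/mta-sts.txt
# would serve for a domain that has moved from "testing" to "enforce".
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.net
max_age: 604800
"""


@dataclass
class StsPolicy:
    version: str
    mode: str
    mx: list[str] = field(default_factory=list)
    max_age: int = 0


def parse_policy(text: str) -> StsPolicy:
    """Parse the key/value policy body and reject anything malformed.

    A sender that cannot parse a policy must treat the domain as if no
    policy were in effect, so errors here should surface loudly.
    """
    fields: dict[str, str] = {}
    mx: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            mx.append(value.lower())  # "mx" may repeat; everything else may not
        elif key in fields:
            raise ValueError(f"duplicate field: {key}")
        else:
            fields[key] = value

    if fields.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    mode = fields.get("mode")
    if mode not in ("enforce", "testing", "none"):
        raise ValueError(f"invalid mode: {mode!r}")
    try:
        max_age = int(fields["max_age"])
    except (KeyError, ValueError):
        raise ValueError("max_age missing or not an integer") from None
    if not 0 <= max_age <= MAX_POLICY_AGE:
        raise ValueError("max_age out of range")
    if mode != "none" and not mx:
        raise ValueError("at least one mx entry is required")
    return StsPolicy(version="STSv1", mode=mode, mx=mx, max_age=max_age)


def mx_matches(pattern: str, host: str) -> bool:
    """RFC 8461 section 4.1: a leading '*.' matches exactly one label."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".backup.example.net"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return host == pattern


def may_deliver(policy: StsPolicy, mx_host: str, tls_ok: bool) -> tuple[bool, str]:
    """Decide whether a message may be handed to mx_host.

    tls_ok means STARTTLS succeeded AND the certificate validated for the
    MX host name. In "enforce" mode any failure blocks delivery, which is
    what defeats a stripped STARTTLS reply or a rerouted MX. In "testing"
    mode the message still goes out, but the failure should be reported
    (TLSRPT) so the domain owner can fix it before switching to enforce.
    """
    if policy.mode == "none":
        return True, "no policy in effect"
    matched = any(mx_matches(p, mx_host) for p in policy.mx)
    if matched and tls_ok:
        return True, "policy satisfied"
    reason = "MX host not in policy" if not matched else "TLS not established or certificate invalid"
    if policy.mode == "testing":
        return True, f"testing mode, delivered despite: {reason}"
    return False, f"enforce mode, delivery blocked: {reason}"


if __name__ == "__main__":
    pol = parse_policy(SAMPLE_POLICY)
    for host, tls in [("mail.example.com", True), ("mail.example.com", False),
                      ("mx1.backup.example.net", True), ("evil.attacker.test", True)]:
        print(host, tls, may_deliver(pol, host, tls))
```

The two failure cases in the usage loop are exactly the attacks the Exchange team describes: `tls_ok=False` on a legitimate MX is a stripped STARTTLS, and `evil.attacker.test` with a perfectly good certificate is a rerouted MX. A real MTA also has to cache the policy for `max_age` seconds and keep using the cached copy when a fresh fetch fails, otherwise an attacker who can block the HTTPS fetch can also strip the protection.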
New Android Malware Steals Data And Factory Resets Phones

BRATA malware was first spotted in the wild by Kaspersky back in 2019. Its earliest incarnation targeted e-banking users in Brazil and was designed to steal the banking and login credentials of anyone infected. That’s undeniably bad, but according to researchers the latest version of BRATA has gotten downright nasty. Security professionals have discovered a new variant that adds a raft of features, one of which lets BRATA steal a wide range of user data and then reset the infected device to factory defaults when it’s done. The reset wipes whatever data was on the phone, and it also erases any trace of the malware that an investigator could examine. Most users aren’t very good at backing up their data regularly and don’t always save their most cherished photos and videos to the cloud, so that could add a devastating personal loss on top of a hefty financial one.

The even worse news is that the hackers behind BRATA seem to be branching out. In December of last year (2021) researchers started seeing BRATA pop up in Europe. Based on recently analyzed code samples, the group behind BRATA is beginning to experiment with variants tailored to the country or region they are released in. So far, researchers have found distinct variants targeting e-banking users in the UK, Poland, Italy, Spain, China, and Latin America. The bottom line is that BRATA is a serious threat and the group behind the code is clearly setting its sights far beyond Brazil. This is one to watch in 2022. If it’s not already on your employees’ radar it certainly needs to be. So make...
Suspicious Files Get New Warnings In Google Drive

If you use Google Drive, there’s good news. The company has announced that it will soon roll out a new feature to alert users to the presence of suspicious documents. Google Drive users will start seeing banners warning them of possible danger. This serves as an additional layer of defense that will hopefully keep people from clicking links embedded in malicious files, which may lead victims to poisoned sites.

The company first announced the feature back in October during the Google Cloud Next 2021 user conference, and explained it as follows: “If a user opens a potentially suspicious or dangerous file in Google Drive, we will display a warning banner to help protect them and their organization from malware, phishing, and ransomware. Google will automatically evaluate any files that are shared with you from outside of your organization for phishing or malware. If detected, Google will block your access to the file in order to protect you.”

As to the message, Google kept it simple. If you open a suspect file, you’ll see a bold yellow banner across the top of your screen reading: “This file looks suspicious. It might be used to steal your personal information.” This is the latest in a series of moves the company is making to protect its user base and prevent Google Drive abuse. Last year the company added phishing and malware protections to its Enterprise environments that automatically tagged suspicious files and left them visible only to their owners and admins. It’s a small...
High Profile Instagram Accounts Being Held For Ransom By Hackers

Hackers have recently hit upon a new money-making scheme. Some groups have started breaking into Instagram accounts belonging to people with large numbers of followers and holding those accounts hostage until the owner agrees to pay a ransom. In some cases the hackers are charging as much as $40,000 USD to return an account to its owner.

They gain control of the accounts through some clever social engineering. The attack begins when the hackers contact the Instagram user claiming copyright infringement. The email contains a link that takes the victim to a website the hackers control, where the user is prompted to enter their Instagram username and password, which of course are harvested. The copyright pretext works because it creates urgency; the giveaway is that the link leads somewhere other than instagram.com. Once they have the credentials they log in and immediately change the victim’s password. They then modify the account profile so that it includes the phrase “this Instagram account is held to be sold back to its owner,” followed by a contact link. Clicking the contact link opens a WhatsApp chat session where the hackers make their ransom demand and wait. If the victim doesn’t initiate contact via the profile link, the hackers start sending text messages to the phone number associated with the account. Either way, the negotiation process begins.

Security researchers investigating the scam have concluded that at least one of the threat actors involved is based in Turkey. At this point there is no reliable information about how many Instagram accounts have been compromised in this manner, nor about how much money the hackers have made...