Attackers Continue to Exploit Outlook Home Page Flaw

FireEye issues guidance on locking down Outlook, claiming that security researchers, at least, are able to work around the patch issued by Microsoft.

A 2-year-old vulnerability in Microsoft Outlook continues to cause headaches for companies, as attackers are able to use a specific feature of the program to execute code and persist on previously infected systems, according to an advisory published by cybersecurity services firm FireEye.

The attack, which uses the Microsoft Outlook Security Feature Bypass Vulnerability (CVE-2017-11774) patched in October 2017, abuses the Outlook Home Page feature that allows a customized view to be shown for any e-mail folder. When exploited, the vulnerability allows code to run whenever an Outlook client homepage is opened. 

While the issue was patched, and the vast majority of companies have the update, attackers have been able to circumvent the fix to gain persistence on already-compromised systems, says Matthew McWhirt, senior manager at FireEye.

“We definitely continue to see the Home Page functionality being used by attackers, even though it was patched back in 2017, over two years ago,” he says. “We are also seeing attackers attempting to disable protections that the patch provides by circumventing some controls by modifying the registry on endpoints.”

The alert comes after the United States’ military warned in July that Iranian cyber espionage groups were using the issue as part of their attacks on targets in the United States, Europe, and the Middle East. Two Iranian groups — APT33 and APT34 — have used the attack since June 2018, according to FireEye. APT33, also known as Elfin, has attacked industries and government agencies in the United States, Saudi Arabia, and South Korea, focusing on the aerospace and oil-and-gas sectors. APT34, also known as Helix Kitten, has focused on financial, government, energy, chemical, and telecommunications targets in the Middle East and has operated since 2014.

Both groups seem to use the Outlook vulnerability as a way to gain persistence on systems that are already compromised. In addition, a recent submission to VirusTotal included an automated version of the attack for working around patched Outlook systems, FireEye stated in its alert.

“APT33 is a heavy user of this technique, and we have also seen APT34 using it as well,” McWhirt says. “I wouldn’t call it an ‘uptick’ — that is not why we are calling this out — but companies may think they are safe because they applied the Outlook patch, and they are not.”

In the automated version, submitted as an Excel file to VirusTotal, the persistence technique aims to modify the WebView registry key with an external URL in a type of cloud storage common to Azure, known as a storage blob, and has a method to “walk through the registry and reverse the … patch,” FireEye stated. Dark Reading could not confirm the existence of the file through a search on the hash provided by FireEye, but the company stated that the file appears to be attributable to an authorized red-team operation.

To foil such attacks, companies should enforce specific values for the registry keys used by the attack, for example through Group Policy Objects (GPOs) in Windows. In its alert, FireEye listed the complete hardening guidelines that companies can put in place to prevent attackers from bypassing the Outlook patch.

“Without continuous reinforcement of the recommended registry settings for … hardening [against the attack], an attacker can add or revert registry keys for settings that essentially disable the protections provided by the patches,” FireEye warned in the alert.
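As an added example (not from the article or from FireEye), here is a PowerShell check an administrator could schedule to detect the drift FireEye describes: hardening values that are missing or reverted, and folder Home Page URLs that point at a remote location. The registry paths and value names are assumed from FireEye's published guidance for Outlook 2016 (version 16.0) and are not quoted on this page; confirm them against the advisory before relying on the script.

```powershell
# Added example, not from the article or FireEye: audit the Outlook 2016 (16.0)
# registry values covered by the CVE-2017-11774 hardening guidance.
# Assumption: the policy value names below match that guidance; verify before use.
$OutlookVersion = '16.0'

# Hardening values normally enforced via GPO under the Policies hive; all should be 0.
$PolicyPath = "HKCU:\Software\Policies\Microsoft\Office\$OutlookVersion\Outlook\Security"
$ExpectedPolicies = @{
    EnableRoamingFolderHomepages = 0   # blocks roaming folder Home Pages
    NonDefaultStoreScript        = 0   # blocks script in non-default stores
    EnableUnsafeClientMailRules  = 0   # blocks run-a-program / run-a-script rules
}

# Per-folder Home Page URLs are what the persistence technique writes.
$WebViewPath = "HKCU:\Software\Microsoft\Office\$OutlookVersion\Outlook\WebView"
$TodayPath   = "HKCU:\Software\Microsoft\Office\$OutlookVersion\Outlook\Today"

$Findings = @()

# 1. Hardening values that are missing or have been reverted (the "patch override" the article describes).
foreach ($Name in $ExpectedPolicies.Keys) {
    $Actual = (Get-ItemProperty -Path $PolicyPath -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $Actual) {
        $Findings += "MISSING  $PolicyPath\$Name (expected $($ExpectedPolicies[$Name]))"
    } elseif ($Actual -ne $ExpectedPolicies[$Name]) {
        $Findings += "REVERTED $PolicyPath\$Name = $Actual (expected $($ExpectedPolicies[$Name]))"
    }
}

# 2. Any folder Home Page that points at a remote URL (for example an Azure storage blob).
if (Test-Path $WebViewPath) {
    Get-ChildItem -Path $WebViewPath -Recurse | ForEach-Object {
        $Url = (Get-ItemProperty -Path $_.PSPath -Name 'URL' -ErrorAction SilentlyContinue).URL
        if ($Url -match '^(https?|file)://') {
            $Findings += "HOMEPAGE $($_.PSPath -replace '^.*::','') URL = $Url"
        }
    }
}
$TodayUrl = (Get-ItemProperty -Path $TodayPath -Name 'UserDefinedUrl' -ErrorAction SilentlyContinue).UserDefinedUrl
if ($TodayUrl) { $Findings += "HOMEPAGE $TodayPath\UserDefinedUrl = $TodayUrl" }

if ($Findings.Count -eq 0) {
    Write-Output "OK: Outlook Home Page hardening in place; no remote folder Home Pages found."
} else {
    $Findings | ForEach-Object { Write-Output $_ }
    exit 1   # non-zero so a scheduled task or RMM check can alert on drift
}
```

Run it in the user's context, since the values live under HKCU, and adjust the version number for other Outlook releases.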

While the specific attack appears to be industry-generated — with one security company detecting another security company’s exploit — malicious attackers and groups often adopt techniques pioneered by security researchers.

FireEye cautioned organizations to check to ensure that the specified registry changes do not break third-party applications that use the Outlook Home Page functionality. 

Because rolling back the patch’s hardening measures requires “some form of initial access,” the issue is not considered a failure of the patch by Microsoft, according to FireEye’s alert.

“However, the technique is under-reported, no public mitigation guidance is available, and — as a fresh in-the-wild example demonstrates … — initial access and patch overriding can be completely automated,” the alert stated.

We’re Urban Network, we can help save your Business.

We specialise in managed IT & technology services to help businesses across London & the wider-South East, from our base in Wapping, East London.

Urban Network has a proven track record, with extensive experience and a full portfolio of industry accreditations & certifications.

Among our range of skills, we have a specialism in boosting productivity. Ensuring we aid our clients with employing the best & most appropriate practices, procedures and tools to increase efficiency in the workplace.

If you have any concerns or challenges with your technology generally, we would like to hear from you. Please contact the team today.

News Source: https://www.darkreading.com/vulnerabilities—threats/attackers-can-circumvent-outlook-homepage-flaw/d/d-id/1336513

4 Reasons why Security Awareness Training is very important

Back in 2018 data breaches cost UK organisations an average of £6.4 million.
Human error, meanwhile, accounted for anywhere between 60% and 90% of them.
Those facts alone are usually enough to convince people security awareness training is very important.
Usually….

As a Managed Service Provider, we can only advise our client base on the benefits of introducing Security Awareness Training, and on why they need it.

1. To prevent Data breaches and cyber attacks

Starting with the most obvious, security awareness training helps prevent data breaches.

The precise number of breaches security awareness training prevents is difficult to count. In an ideal world, we’d be able to run a controlled trial in which the exact same people working for the exact same company were divided into two groups: a control and a test group. The latter would be given training, the former would not. The two could then be compared to see the difference in knowledge.

Such a situation is almost impossible – but that doesn’t mean advanced security awareness training providers are unable to demonstrate the ROI of security awareness software. Although an imperfect measure, it’s possible to measure the incidence and prevalence of breaches pre- and post-awareness campaigns and use the resulting metrics to glean an indication of ROI.

A device passcode or PIN is your first line of defence. If someone wants to access your device, they will first need to break this code. This is not an easy task, and it can act as a deterrent against theft. Some device manufacturers offer an option to automatically wipe your device after a few unsuccessful attempts at your passcode or PIN, so even if your phone is stolen, your information cannot be accessed. For this reason, you should consider mobile device management for your users.

2. To influence company culture in security

A culture of security has long been seen as the holy grail for chief information security officers. Equally, such a culture is seen as notoriously difficult to achieve.

With the aid of security awareness training, some are heading in the right direction to gain this credible reputation.

By keeping an eye on indicators of culture, advanced security awareness training platforms can actually help security professionals monitor, nurture and develop a culture of security – making their people a proactive defence.

3. To make technological defences stronger

Technological defences are, clearly, a valuable weapon in preventing breaches. But technological defences require input from people. Firewalls need to be turned onto maximum security. Security warnings need to be acknowledged. Software needs to be constantly updated.

Few businesses today would dream of operating without technological defences. And yet, without security awareness training, technological defences are not used anywhere near their full potential.

To make matters worse, attackers today rarely bother attempting to penetrate businesses through purely technological means. Today’s attackers typically prefer to target people, who may be sceptical but still fall victim to accidental clicks and a lack of knowledge.

4. GDPR compliance

To be clear, compliance alone is no reason to introduce security awareness training. Those who introduce training solely to comply with regulations are heading for trouble.

But more and more regulators are demanding specific industries implement security awareness training throughout the entire Business.

Compliance can be a happy offshoot of security awareness training. Those who introduce it become more secure and, in many industries, meet a regulatory requirement to be secure & protected.


Your servers are full of Data, Cyber Criminals love them.

37% of cyber attacks are discovered directly on servers, making them the most likely place to identify an attack within an organisation. That’s one of the alarming stats taken from a recent survey of 2,700 IT managers around the world.

But why are servers such tempting targets for cyber hackers?

1. Servers are high value

Servers often contain an organisation’s most valuable data. For example, personally identifiable information (PII) such as employee and customer records could be stolen if they’re not adequately secured (for example, with encryption) on the server.

Regulations such as GDPR, which protects EU citizens’ data, levy significant fines for non-compliance. Attackers know this and will threaten to release sensitive data if their demands are not met.

2. Server downtime is very costly

Servers are the backbone of organisations and are critical to their day-to-day functioning. Unexpected downtime can seriously impact productivity by removing access to important files or communication tools such as Microsoft Teams. Ransomware attacks can cause organisations to grind to a halt unless a costly ransom is paid.

In instances where an organisation is reliant on servers for its commercial function, downtime can be even more severe.

3. Servers are the perfect staging ground to attack

Servers are usually strongly connected in an organisation’s network. They are also online & running 24/7 all year round, which makes them an ideal platform for launching further attacks and performing reconnaissance looking for weak spots to exploit across the entire network. If you can’t identify a compromised server, the gates to your IT stronghold could be wide open to the elements.

So what can be done in order to secure your organisation’s servers? The answer is in the right combination of advanced protection, visibility with powerful tools like Endpoint Detection and Response (EDR) and server specific features such as File Integrity Monitoring.

With Sophos Sandstorm, you’ll receive next-gen advanced threat defence. It provides a whole new level of targeted attack protection, visibility and analysis. It can quickly and accurately identify evasive threats before they enter your network.

To catch what other solutions miss, Sophos Sandstorm uses powerful, cloud-based, next-generation sandbox technology.


GDPR Fines are nasty, here’s a few ways to avoid them.

In recent months, as you’re well aware, both British Airways (BA) and Marriott Hotels have hit the headlines because of eye-watering GDPR fines – £183 million for BA and £99 million for Marriott.

The fines show that the GDPR (General Data Protection Regulation) has given enforcers like the UK’s ICO (Information Commissioner’s Office) some serious tools to play with. BA’s fine is almost 400 times larger than the ICO’s previous record fine – a comparatively modest $645,000 penalty handed to Facebook for the Cambridge Analytica scandal.

With these new fines in play, we highly recommend you make sure you’ve minimised your risk of being next in the firing line.

GDPR is focused on protecting European Union citizens and it applies to anyone who holds personal data on an EU citizen, wherever in the world you are located. Marriott, a U.S. organisation, is a case in point.

Here are five rules we recommend all organisations stick to, in order to minimise the risk of a GDPR data loss fine:

  1. Patch early, patch often. Minimise the risk of a cyber attack by fixing vulnerabilities that can be used to gain entry to your systems illegally. There is no perimeter, so everything matters: patch everything you can get hold of.
  2. Secure personal data that’s in the cloud. Treat the cloud like any other computer you own – close unwanted ports and services, encrypt data and ensure you have proper access controls in place. And do it on all your environments, including QA and development.
  3. Minimise access to personal data. Reduce your exposure by collecting and retaining only the information you need, and making sure the only people with access to it are the people who need it to do their jobs. Not everyone needs access to certain data.
  4. Educate your entire team. Ensure that everyone who might come into contact with personal data knows how they need to handle it – this is a GDPR requirement. Whether they’re involved with computers or not, everyone needs to know.
  5. Document and prove data protection activities. Be able to show that you have thought about data protection, and have taken sensible precautions to secure personally identifiable information.

We can help

Urban Network can perform tests on your systems to ensure they are protected and to confirm that your business is conforming to best practice, including penetration testing and intrusion testing. However, the very basic elements – patching endpoints with vendor security patches and ensuring antivirus is up to date – are the often overlooked starting point.

Our Sentinel monitoring software can cover these elements of your network, and coupled with one of our recommended Enterprise Firewalls, the basics are all covered.

To add extra layers of additional security, Urban Network can liaise with you to ensure that there are comprehensive policies in place for password control, access control and network housekeeping and importantly remote access and BYOD policies. We can look at the current implementations of any other facet of your network, and give advice on industry best practices to ensure your business is sufficiently covering your risk.


With the power of Firewall, you can prevent Ransomware.

Ransomware has vaulted to the top of the news, again. Devastating attacks continue to impact governments, education and business operations in multiple states, counties and countries, with the United States being the most recent under attack.

Capital One was a major firm recently hit by ransomware.

These attacks can start in a number of different ways – some start with a simple phishing email, others begin with hackers leveraging vulnerabilities in networking stacks to gain a foothold and then moving quickly to other systems on the network. One of the most devastating network vulnerabilities exploited in a ransomware attack was the one used against Capital One a couple of months ago.

Since then, new vulnerabilities have been discovered, but there are still many networks out there that are vulnerable.

Unfortunately, many of these unmanaged networks carry network-stack vulnerabilities that are ‘wormable’, which means that hackers and malware can exploit these holes in an automated way with no user interaction, enabling the infection to spread quickly and easily to a wide group of systems.

Of course, deploying an industry leading protection product like Sophos SG Series, and maintaining a strict patch management strategy are top best practices. But there are also other best practices you should consider to help keep ransomware, hackers, and attacks off your network in the first place.

Your firewall provides essential protection against exploits by closing or protecting vulnerable ports, as well as blocking attacks using an Intrusion Prevention System (IPS). IPS inspects network traffic for exploits of known vulnerabilities and blocks any attempt by attackers to get through your network perimeter, or even to cross boundaries or segments within your internal network.

Here are the essential firewall best practices to prevent ransomware attacks from getting into and moving laterally on your network:

  • Reduce the surface area of attack: Review and revisit all port-forwarding rules to eliminate any non-essential open ports. Where possible, use a VPN to access resources on the internal network from outside rather than port-forwarding. Specifically for RDP, ensure port 3389 is not open on your firewall.
  • Apply IPS protection: Apply suitable IPS protection to the rules governing traffic to/from any Windows hosts on your network.
  • Minimise the risk of lateral movement: Protect against threats moving laterally on your network and consider segmenting your LANs into smaller sub-nets, assigning those to separate zones that are secured by the firewall. Apply suitable IPS policies to rules governing the traffic traversing these zones to prevent worms and bots from spreading between LAN segments.
