Since the end of May, several critical flaws have been discovered in Progress Software’s MOVEit Transfer managed file transfer application. The first flaw involves a SQL injection (SQLi) vulnerability that could potentially lead to privilege escalation and unauthorized system access. Depending on the specific database engine in use, such as MySQL, Microsoft SQL Server, or Azure SQL, an attacker may be able to gather information about the database’s structure and contents. Furthermore, they could execute SQL statements that have the capability to modify or delete elements within the database.
Microsoft has attributed the ongoing exploitation of this vulnerability to a threat actor known as Lace Tempest. Lace Tempest (also known as Storm-0950) is associated with ransomware groups like FIN11, TA505, and Evil Corp. They are also linked to the operation of the Cl0p extortion site. The attacker’s objective is data theft and subsequent extortion.
This vulnerability is used to recover the cleartext master password from a memory dump. This can be achieved regardless of whether the KeePass workspace is locked or if the program is completely closed. It is important to note that the successful exploitation of the vulnerability requires an attacker to have already compromised a potential target’s computer. It also requires that the password is typed on a keyboard and not copied from the device’s clipboard.
This means that the usage of a keyfile or hardware key is not impacted.
here is more information about the big MDE incident of Friday 13.01.23. #ASRmageddon.
Management Summary: On Friday, January 13, 2023, some customers running Microsoft Defender for Endpoint (MDE) experienced “false-positive” detections by ASR (Attack Surface Reduction) rules in the context of Office macro blocks after a signature update. These detections led to the deletion of files (ink, exe, etc.). The incorrect detection logic/signature was fixed in Security Intelligence version 1.381.2164.0 (and newer). With this updated version, the problem no longer occurs. For devices that were affected before the fix, the links and exe files must be explicitly restored. For customers who do not configure the ASR rule “Block Win32 API calls from Office macros” to “Block” mode, there is no false positive / “data loss”.
There are now several good summaries on the general incident, the content sequence, the best detection methods for (still) affected endpoints, and scripts for link recovery.
I’m thrilled to be speaking again at Microsoft Ignite (spring edition). In fall 2020 I already had the chance to speak about Zero Trust in 2020 in front of a fully packed session. Table Talks in my oppinion are a very smooth and successful way to interact with experts on specific topics all around the globe. That’s why I’m really excited to be nominated to speak with Gokan Ozcifci, Dr. Mike Jankowski-Lorek, Paula Januszkiewicz and Tomas Vileikis about The Future of Cybersecurity.
2019 was already an incredible year. I was allowed to be on stages this year that I would never have dreamed of. Fantastic!
Definitely an absolute highlight has been RSA 2019, where I was invited to speak with my buddy Josh Harriman about “The Lost Boys: How Linux and Mac Intersect in a Windows-Centric Security World”. An awesome experience to be on stage with an expert like Josh!
Now two more top conferences are casting their shadow – Microsoft Ignite and ExpertsLive Europe.
in the previous post we’ve focused on the authentication technique of Kerberos, we went through the 3 way handshake and had a look at the encryption types. With that in mind we will have a look at goldenticket attacks.
within the last year, we have focused on Windows Defender ATP and ran through several PoCs. I’ve prepared several scenarios for you, where I will guide you trough WDATP from the tenant creation to high end scenarios. In this first post, we will go through the tenant creation process itself.
from time to time I consult customers in the configuration of Windows 10 AppLocker. I really love AppLocker because it’s super simple, reliable and enterprise ready in terms of administrative overhead. Furthermore it’s the recommended tool for the configuration of unwanted / not needed apps within Windows 10. But sometimes AppLocker kind of “breaks” my Windows 10 start menu and stops Apps from strarting up. Although the AppLocker enforcement is disabled.
The current Windows 10 Insider Build 16257 includes upcoming features of Redstone 3 and Windows 10 1709. Also included are all the features of the Windows Defender Application Guard (WDAG). The feature will work like a sandbox. The feature is intended to prevent malicious content and downloaded files from harming the system. After surfing, the isolated tab closes and clears all malicious code together with the temporary container. Admins can already create Whitelists from harmless pages that start in conventional Edge windows. Pages not listed then open in an application guard container within Edge.
With the Windows 10 Creators Update (1703) we have received a possibility to configure the “Windows Settings”. The Windows settings are the new, unified system control menu that was introduced with Windows 10. This menu is particularly critical because many of the Enterprise’s unsuitable features can be configured through this menu. This created the need to remove or hide specific settings.