Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Windows 7. Show all posts

UK Military Data Breach via Outdated Windows 7 System

A Windows 7 machine belonging to a high-security fencing company was the stunning weak link in a shocking cybersecurity incident that exposed vital military data. This hack not only underlines the need for organizations, including those that don't seem to be in the military industry, to maintain strong digital defenses, but it also raises questions about the health of cybersecurity policies.

The attack was started by the LockBit ransomware organization, which targeted Zaun, the high-security fencing manufacturer, according to reports from TechSpot and CPO Magazine. The attackers took advantage of a flaw in the Windows 7 operating system, which Microsoft no longer officially supports and as a result, is not up to date with security patches. This emphasizes the dangers of employing old software, especially in crucial industries.

The compromised fencing company was entrusted with safeguarding the perimeters of sensitive military installations in the UK. Consequently, the breach allowed the attackers to access vital data, potentially compromising national security. This incident underscores the importance of rigorous cybersecurity measures within the defense supply chain, where vulnerabilities can have far-reaching consequences.

The breach also serves as a reminder that cybercriminals often target the weakest links in an organization's cybersecurity chain. In this case, it was a legacy system running an outdated operating system. To mitigate such risks, organizations, especially those handling sensitive data, must regularly update their systems and invest in robust cybersecurity infrastructure.

As investigations continue, the fencing company and other organizations in similar positions need to assess their cybersecurity postures. Regular security audits, employee training, and the implementation of the latest security technologies are critical steps in preventing such breaches.

Moreover, the incident reinforces the need for collaboration and information sharing between the public and private sectors. The government and military should work closely with contractors and suppliers to ensure that their cybersecurity practices meet the highest standards, as the security of one entity can impact many others in the supply chain.

The breach of military data through a high-security fencing firm's Windows 7 computer serves as a stark reminder of the ever-present and evolving cybersecurity threats. It highlights the critical importance of keeping software up to date, securing supply chains, and fostering collaboration between various stakeholders. 

Microsoft Fixes LPE Vulnerability Impacting Windows 7 and Server 2008

 

Microsoft quietly patched a local privilege escalation (LPE) flaw that affects both Windows 7 and Server 2008 R2 computers. This LPE flaw (which has yet to be assigned a CVE ID) is caused by a misconfiguration of two service registry keys, and it enables local attackers to escalate privileges on fully patched devices. 

On Windows 7 and Windows Server 2008R2, security researcher Clément Labro discovered that insecure permissions on the registry keys of the RpcEptMapper and DnsCache services enable attackers to trick the RPC Endpoint Mapper service into loading malicious DLLs. Attackers can execute arbitrary code in the sense of the Windows Management Instrumentation (WMI) service, which runs with LOCAL SYSTEM permissions, by leveraging this flaw. 

“In short, a local non-admin user on the computer just creates a Performance subkey in one of the above keys, populates it with some values, and triggers performance monitoring, which leads to a Local System WmiPrvSE.exe process loading attacker's DLL and executing code from it,” 0patch co-founder Mitja Kolsek explained when the flaw was first announced as a zero-day in November. 

Labro said he discovered the zero-day after releasing an update to PrivescCheck, a method for checking basic Windows protection misconfigurations that can be used by malware for privilege escalation. Labro said he didn't realize the latest tests were highlighting an unpatched privilege escalation process until he started looking at a series of warnings that appeared days after the update on older systems like Windows 7. 

Both Windows 7 and Windows Server 2008 R2 had passed their end-of-life (EOL) deadlines, and Microsoft had stopped offering free software patches for them. While the company's ESU (Extended Support Updates) paid support service included some security updates for Windows 7 users, no patch for this problem was announced at the time. 

Although Microsoft quietly solved the RpcEptMapper registry key vulnerability (as discovered by 0patch) in the April 2021 Windows Updates (ESU) release by modifying permissions for groups Authenticated Users and Users to no longer require 'Create Subkey,' the organization has yet to resolve the DnsCache vulnerability. Since February, an open-source exploit tool for the Windows 7 / 2008R2 RpcEptMapper registry key vulnerability has been available. 

However, "at this point, if you are still using Windows 7 / Server 2008 R2 without isolating these machines properly in the network first, then preventing an attacker from getting SYSTEM privileges is probably the least of your worries," as Labro said.

FBI Warns About Using TeamViewer and Windows 7

 

The FBI issued this week a Private Industry Notification (PIN) caution to warn organizations about the dangers of utilizing obsolete Windows 7 systems, poor account passwords, and desktop sharing software TeamViewer. The alert comes after the recent assaults on the Oldsmar water treatment plant's network where assailants attempted to raise levels of sodium hydroxide, by a factor of more than 100. The investigation into the occurrence uncovered that operators at the plant were utilizing obsolete Windows 7 systems and poor account passwords, and the desktop sharing software TeamViewer which was utilized by the assailants to penetrate the network of the plant. 

“The attempt on Friday was thwarted. The hackers remotely gained access to a software program, named TeamViewer, on the computer of an employee at the facility for the town of Oldsmar to gain control of other systems, Sheriff Bob Gualtieri said in an interview,” reported Reuters. 

The FBI alert doesn't explicitly advise associations to uninstall TeamViewer or some other sort of desktop sharing software but cautions that TeamViewer and other similar software can be abused if assailants gain access to employee account credentials or if remote access accounts, (for example, those utilized for Windows RDP access) are secured with frail passwords. 

Moreover, the FBI alert likewise cautions about the continued use of Windows 7, an operating system that has reached end-of-life a year ago, on January 14, 2020, an issue the FBI cautioned US organizations about a year ago. This part of the warning was incorporated in light of the fact that the Oldsmar water treatment plant was all the while utilizing Windows 7 systems on its network, as indicated by a report from the Massachusetts government. 

While there is no proof to suggest that the attackers abused Windows 7-explicit bugs, the FBI says that continuing to utilize the old operating system is risky as the OS is unsupported and doesn't get security updates, which presently leaves numerous systems exposed to assaults via newly discovered vulnerabilities. While the FBI cautions against the utilization of Windows 7 for valid reasons, numerous organizations and US federal and state agencies might not be able to do anything about it, barring a serious financial investment into modernizing IT foundation from upper management, something that is not expected at any point soon in many locations.

Windows 7 Remain Vulnerable to Blind TCP/IP Hijacking Attacks

 

Adam Zabrocki, a security researcher warned window operating system users regarding the susceptibilities of Windows 7 to blind TCP/IP hijacking attacks. Adam Zabrocki reported the vulnerability to Microsoft reported eight years ago.

Windows 7 was launched in the year 2009 and reached its end of life a year ago – which can be seen in users no longer receiving security updates. In 2008, Adam Zabrocki created a proof of concept of this venerable attack methodology with Windows XP as the target point. In 2012, a security researcher notified Microsoft regarding the same TCP/IP vulnerabilities that made the attack feasible in Windows 7 and all the subsequent versions. 

Microsoft only patched the bug in Windows 8 and considered the bug “very difficult” to be exploited. Nearly one in four PCs is still running on the old operating system and are potentially susceptible to form of cyber-attack. In 1994, Kevin Mitnick orchestrated the most infamous blind TCP/IP hijacking strike against the computer systems of Tsutomu Shimomura at the San Diego Supercomputer Centre on Christmas day. 

The impact of TCP/IP hijacking attacks is not as fatal as it was some years ago. If the threat actor can hijack any TCP/IP session which is established but the upper-layer structure properly executes encryption then the options of a threat actor are limited in terms of what they can do with it; with the assumption that the cyber attacker does not have the capability of generating encrypted messages.

However, one thing that persists is “widely deployed protocols which do not encrypt the traffic, e.g, FTP, SMTP, HTTP, DNS, IMAP, and more” that would allow a threat actor to “send any commands on behalf of the original client”, Zabrocki explained.

Packets containing IP header were sent to the victim’s user by Zabrocki to discover how many packets were sent to link each probe. This laid the path to a ‘covert channel’ via which Zabrocki could uncover the user IP and port, and sequence numbers for both users and server. 

Russian banks to face risk due to a cancellation of support for Windows 7


Termination of technical support for Windows 7 and Windows Server 2008 operating systems (OS) can become a serious problem for Russian banks. According to the architect of the Microsoft technology center in Russia, Ivan Budylin, now, banks are required to quickly switch to Windows 10, since working without technical support is contrary to information security requirements. He added that the lack of updates can lead to significant risks of data loss.

At the same time, according to the survey, credit institutions are not yet ready to completely abandon the old OS.

Some banks reported that they had signed an agreement with Microsoft for paid additional support for Windows 7 (EAS). However, the expert noted that paid support is not an alternative to updating the operating system, but a temporary measure.

A similar situation was already with the Windows XP operating system, which was not supported in 2017 but continued to be used. During WannaCry ransomware virus epidemic, some XP users faced a situation where the malware appeared on the computer, was blocked and deleted by the antivirus.
However, then the virus repeatedly tried to get into the computer again and was blocked again. This caused a huge load on the network, processor, and disk. The devices started working so slowly that it was almost impossible to do anything on them.

Therefore, experts recommended updating Windows 7 as soon as possible, even though antiviruses can protect an already unsupported system.

Yuri Brisov, a member of the Commission on legal support of the digital economy, said that by denying the ability to regularly and timely update systems, banks put their customers at risk, which is unacceptable.

According to Boris Yedidin, a lawyer and co-founder of Moscow Digital School, for using outdated programs and operating systems, banks can bring to administrative responsibility under the article “Violation of information protection rules”.

Recall that Microsoft has refused to support the Windows 7 operating system since January 14. The computer will work with the old OS, but the company does not provide technical support for any software updates, as well as security updates and fixes.

An Ex-Operating System Hit by an Exploit Found In Audio Files



A crypto-mining exploit attack, has as of late been discovered in Windows 7 , the ex-operating system which ceased to exist only a couple of days back as per the official announcement by Microsoft, hidden away in sound WAV records.

Ophir Harpaz and Daniel Goldberg, two security analysts at Guardicore Labs, have uncovered how a medium-sized medical tech sector business was attacked by cryptominers utilizing WAV audio files to muddle the malware.

While trying to exploit the EternalBlue vulnerability the attackers focused on the organization's system, running Windows 7 machines in December 2019. The EternalBlue exploit has been around for quite a few years now and was even behind the scandalous WannaCry attacks that hit the U.K. National Health Service (NHS) in 2017.

The Guardicore research journey started in October 2019, when a number of blue screens of death began coming up on Windows machines in the target network. Further investigations unveiled that over half of the system, some 800 endpoints, were getting to suspicious data in a registry key.

And soon enough the Guardicore researchers found a Monero crypto-mining module, utilizing steganography to hide within the audio WAV files.

Daniel Goldberg, a senior cybersecurity researcher at Guardicore Labs and one of the report authors, when asked to comment on the risk-level for those still running Windows 7 replied that, "The risks are crazy high to organizations facing this WAV-based attack if they are running a Windows 7 system after EoL. Before the quarter is over, there will be other vulnerabilities discovered in Windows 7 too that will not be fixed by Microsoft and will also be easy to exploit."

Further going on to describe the WAV-based attack threat to Windows 7 as being "like a hot knife through butter." 

Apart from updating to Windows 7 , whether there exists any other way for those who will not or cannot make a move away from Windows 7, Goldberg points out, "Segment machines you can't support away from the internet and the rest of your network, your old windows 7 machine running this critical but obsolete application should not be accessible from the internet, or most of the machines in your networks."

Additionally arguing that the best offense is a good defense, Terry Ray, senior vice-president and fellow at Imperva, a cyber-security software and services company, says, "Businesses must be responsible, and act in favor of their customers, who trust them with their information, by updating their systems, if not, they will face severe consequences which will come at a huge cost to the customer, and the future of the business. Simply put, don’t fall victim and instead, upgrade to up to date systems which generate regular security updates and have the right systems in place to deter attacks."