Newsletter Archives

Kaseya VSA has been hit with a ransomware attack

Posted on July 2nd, 2021 at 14:25 Susan Bradley Comment on the AskWoody Lounge

https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/

https://twitter.com/markloman/status/1411035534554808331

“We are monitoring a REvil ‘supply chain’ attack outbreak, which seems to stem from a malicious Kaseya update. REvil binary C:\Windows\mpsvc.dll is side-loaded into a legit Microsoft Defender copy, copied into C:\Windows\MsMpEng.exe to run the encryption from a legit process.”

This not good for those who rely on consultants who then use common tools. Kaseya is the name of a company that provides various tools for consultants to remotely access and manage networks for their customers.

Consumer/Home user impact: You don’t use Kasaya VSA so you are safe.

Small business impact/Consultant impact: So far it looks like it’s only 4 MSPs that Huntresslabs are tracking, but you may want to check your networks to be safe.

Security, Small Business Computing Kaseya, Patch Lady Posts
Got a Western Digital NAS?

Posted on July 2nd, 2021 at 11:24 Susan Bradley Comment on the AskWoody Lounge

I just told a coworker to unplug his WD mycloud/mybook devices. We have another zero day for the Western Digital line up.

Brian Krebs has the details.

I’m going back to plain old external hard drives as the backup media of choice these days.

Security Patch Lady Posts, Western Digital My Cloud
Got a Western Digital My book?

Posted on June 24th, 2021 at 18:37 Susan Bradley Comment on the AskWoody Lounge

Dan Goodwin on Twitter says:

Western Digital is advising customers to disconnect their My Book storage devices while the company investigates the mass wiping of data from devices all over the world.

See more here

Security Patch Lady Posts, Western Digital
Norton 360 adds crypto mining

Posted on June 2nd, 2021 at 22:22 Susan Bradley Comment on the AskWoody Lounge

Once upon a time we all bought IBM 8088 computers. To that we all added the yellow box better known as Norton antivirus.

Over time we moved away from Norton to various other antivirus platforms to where it’s no longer the defacto antivirus we all use.

Now Norton 360 will be adding crypto mining to it’s antivirus suite.

Let me just say that I don’t think this is a good idea. One of the ways you know a system isn’t doing well is when you experience slow downs, and other issues. This would just mask one of the ways we can tell if something is wrong with our systems.

Sorry, yellow box, I’m going to pass.

So? What do you think?

Security Patch Lady Posts
Dell computers put at risk

Posted on May 6th, 2021 at 14:21 Susan Bradley Comment on the AskWoody Lounge

So today’s headline that I wrote above is one that I see too often. It gets you to be worried about something that I honestly don’t think attackers will use as a means to attack us.

Here’s the background (thanks to reader RougeSec58 for the links:)

Dell support article

Reddit thread with N-Able script to remove it.

So the other day I read this twitter post….

Due to the introduction of Driver Signature Enforcement & Kernel Patch Protection, it’s become increasingly rare for attackers to create and execute #Windows rootkits.

All of these firmware/rootkit headlines make me ponder… gee… why is it that attackers use phishing lures so much? Because that’s the low hanging fruit. It’s not easy to attack us to go after Spectre style attacks. I see this Dell issue in the same way. It’s way easier to get us with phishing lures and click baits than it is with these sort of attacks.

“there is no evidence at this time that its flaws have been exploited in the wild.”

Just because there is a possibility of attack doesn’t mean it is probable that it’s being attacked.

As always, feel free to disagree with me and educate me that I’m in the wrong. That’s what security is all about anyway ….weighing the risks and trying to determine if THAT is going to get me or if it’s just headlines to make me worry.

Security Patch Lady Posts
Inside tech support scams

Posted on April 10th, 2021 at 12:03 Susan Bradley Comment on the AskWoody Lounge

My Dad spotted this article in the latest AARP bulletin:

Inside an International Tech-Support Scam (aarp.org)

It’s an interesting read.

As he says… “What’s the ultimate solution to this growing fraud menace? Realistically, it will require a mix of tough law enforcement, tighter regulations and increased education to warn consumers of these evil practices.”

Just a reminder, if you have any stories or tips you can send them to Brian Livingston, Public Defender as scams and tricks are what he loves to investigate best.

Security Patch Lady Posts
March patching madness begins

Posted on March 9th, 2021 at 14:19 Susan Bradley Comment on the AskWoody Lounge

EDIT 3/10/2021: We are seeing issues with printing after the March updates. Ghacks reports BSODs are being triggered after printing. It’s unclear if it’s all of the March operating system updates or just the Windows 10 versions. The Windows 10 updates include this fix:

Addresses an elevation of privilege security vulnerability documented in CVE-2021-1640 related to print jobs submitted to “FILE:” ports. After installing Windows updates from March 9, 2021 and later, print jobs that are in a pending state before restarting the print spooler service or restarting the OS will remain in an error state. Manually delete the affected print jobs and resubmit them to the print queue when the print spooler service is online.

Note it appears that Microsoft has pulled the updates from Windows update but NOT from WSUS or the catalog site.

It’s that time of the month that I take a quick look at the patches that are released to see if there are any that I think we need to quickly act on. I used to joke that there were times that I would slam my Mountain Dew can on my desk and run screaming to the server to patch. These days I can just take remote control of systems and patch remotely.

Nothing in the March security updates (besides the Exchange ones released last week) is causing me to want to urge you to go running to your machines and patch at this time. That said if I change my mind I will let you know. A full “Askwoody-ized” analysis of the updates will be in the Plus newsletter. Until then if you are a small business running an on premises Microsoft Exchange email server, you can use this site to check to see if you are vulnerable.

For those of you that want a bit of early reading here are various sites that I turn to:

Zero Day blog

Ghacks blog

Zdnet

Security week

Bleepingcomputer

Remember for those of you that don’t want to read, just stay tuned and we’ll do the research and reading on your behalf and will let you know of any side effects we spot.

Security, Windows Patches/Security March 2021 Black Tuesday, Patch Lady Posts
Tasks for the weekend March 6 – check your logins

Posted on March 6th, 2021 at 23:32 Susan Bradley Comment on the AskWoody Lounge

Youtube video here

For those of you that do use Microsoft accounts, do you check your log in history?

I mean your ONLINE log in history?

Go here – sign in – and see if you see any suspicious activity. Do you recognize all of those log ins and where they came from?

If you do see unusual activity, investigate if anyone got into your accounts. Change your password and investigate two factor protection. Consider shutting down whatever access you don’t want.

Security, Tech Help Patch Lady Posts
Do you still patch on premises Exchange servers?

Posted on March 2nd, 2021 at 16:29 Susan Bradley Comment on the AskWoody Lounge

Do you still patch a Microsoft Exchange server in your network? If you do, heads up. There is ~~limited/targeted attacks~~ widespread attacks underway. Microsoft has released patches for it. While they say “Exchange online is not impacted”… my guess is that it’s already patched and/or mitigated for the issue.

What’s interesting to me is that the attackers are coming FROM the United States. It’s like the SolarWinds attacks, they aren’t coming from outside the USA, but inside. Thus geo blocking no longer works to keep the bad guys out.

https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901

https://krebsonsecurity.com/2021/03/microsoft-chinese-cyberspies-used-4-exchange-server-flaws-to-plunder-emails/

Note this is no longer “limited attacks”. Many small businesses have been impacted as well.

Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM. https://t.co/tdsYGFICML

— Microsoft Security Intelligence (@MsftSecIntel) March 2, 2021

Security Exchange 0day, Patch Lady Posts
Here’s looking at you, kid: the child-cam scam

Posted on March 1st, 2021 at 01:06 Brian Livingston Comment on the AskWoody Lounge

PUBLIC DEFENDER

Here’s looking at you, kid: the child-cam scam

By Brian Livingston

It’s terrible when no one is paying attention to you. But it’s much worse when someone is paying attention to you whom you don’t WANT to be paying attention to you.

Around the world, millions of nursery schools, daycare centers, and private homes have installed “child cams.” These are intended to allow parents to see what their kids and caregivers are doing at daycare, how their infants are sleeping in a crib room, and so on. Many of the systems allow the video to be viewed from a distance across the Internet.

Read the full story in AskWoody Plus Newsletter 18.8.0 (2021-03-01).

AskWoody Plus Newsletter, Public Defender, Security AskWoody Plus Newsletter, Internet of Things, privacy, Public Defender
Emotet malware disrupted

Posted on January 27th, 2021 at 10:31 Susan Bradley Comment on the AskWoody Lounge

https://www.europol.europa.eu/newsroom/news/world%E2%80%99s-most-dangerous-malware-emotet-disrupted-through-global-action

https://krebsonsecurity.com/2021/01/international-action-targets-emotet-crimeware/

Woo hoo!! What does that mean to you and me? A slight lowering of attacks until…. well until they figure out a new way to attack us.

Security Patch Lady Posts
What does the SolarWinds attack mean to us?

Posted on January 4th, 2021 at 11:12 Susan Bradley Comment on the AskWoody Lounge

Heard about the SolarWinds attack and how attackers had access to Microsoft’s source code? Here’s my views on the SolarWinds attack.

I don’t think it means that attackers can inject things into Windows. I don’t think it gives them any more information than they probably already had.

But I think that over time Microsoft will make the Attack Surface Reduction rules to be easier to use to add protection even down to us lowly home and small businesses.

I currently do not enable these rules on my home computers. But I’m keeping an eye on them for sure. And patching my machines, but just not immediately.

More at Computerworld.

Security Patch Lady Posts
« Older Entries

Welcome to our unique respite from the madness.

It's easy to post questions about Windows 10, Win8.1, Win7, Surface, Office, or browse through our Forums. Post anonymously or register for greater privileges. Keep it civil, please: Decorous Lounge rules strictly enforced. Questions? Contact Customer Support.

Plus Membership

Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.

AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments. Click here for details and to sign up.