Archive for January, 2015

The Importance of Effective Information Sharing

January 29th, 2015

This week, I testified before the U.S. Senate Committee on Homeland Security and Governmental Affairs at a hearing on “Protecting America from Cyber Attacks: the Importance of Information Sharing.” It was good to see that the committee’s first hearing of the 114th Congress focuses on cybersecurity issues generally, and information sharing in particular, and I’d like to summarize the key points of my testimony.

There is no doubt that cybersecurity is an important issue for America, other nations, the private sector, and individuals. In an effort to better understand and help address the challenges we face, I regularly engage with government leaders from around the world, security-focused colleagues in the IT and Communications Sectors, companies that manage critical infrastructures, and customers of all sizes. From those interactions, I have concluded that cyber-attacks have joined terrorism and weapons of mass destruction as one of the new, asymmetric threats that put countries, corporations, and their citizens at risk.

With global threats, global actors, and global networks, no one organization – public or private – can have full awareness of all the threats, vulnerabilities, and incidents that shed light on what must be managed. There is no doubt that sharing such information can protect and has protected computer users and increased the effectiveness of the security community’s response to attacks. For example, in 2009, the Conficker Working Group came together to share information and develop a coordinated response to the Conficker worm, which had infected millions of computers around the world. After the working group developed a mitigation strategy, Information Sharing and Analysis Centers (“ISACs”) were mobilized, company incident response teams were activated, government responders were engaged, and the media reported as milestones were reached and services were restored. The challenge was addressed, and quickly.

Why is it, then, that after 20 years of discussion and proof of effectiveness, information sharing efforts are viewed as insufficient? The short answer is that while there are success stories, it is often true that those with critical information are unable or unwilling to share it. They may be unable to share it due to law, regulation, or contract, all of which can create binding obligations of secrecy and expose a company to legal risk if information is shared. Even when those restrictions permit sharing pursuant to authorized exceptions, legal risks remain, as parties may disagree on the scope of the exception. There are also non-legal, non-contractual risks; for example, a company that discloses its vulnerabilities may suffer reputational risk, causing both customers and investors to become concerned. It may even suggest to hackers that security is inadequate, encouraging other attacks.

With all these challenges in mind, we believe there are six core tenets that must guide information sharing arrangements:

1. Information sharing is a tool, not an objective.

2. Information sharing has clear benefits, but poses risks that must be mitigated.

3. Privacy is a fundamental value, and must be protected when sharing information to maintain the trust of users – individual consumers, enterprises, and governments – globally.

4. Information sharing forums and processes need not follow a single structure or model, and governments should not be the interface for all sharing.

5. Government and industry policies on information sharing should take into account international implications.

6. Governments should adhere to legal processes for law enforcement and national security requests, and governments should not use computer security information sharing mechanisms to advance law enforcement and national security objectives.

Information sharing has worked and does work. But it works because the parties see that the benefits (better protection, detection and response) outweigh the risks. History also teaches, however, that information sharing tends to work best when those involved trust each other to respect informal and sometimes formal agreements (e.g., non-disclosure agreements) on information use and disclosure.

The two most important things Congress can do are (1) ensure that the information sharing arrangements that are working effectively are left undisturbed; and (2) encourage additional information sharing by providing protections for shared information and addressing risks posed by information sharing, including privacy risks.

You can read my full testimony here.

Data Privacy Day in a World of Cloud Computing

January 28th, 2015

Since 2006, some European countries have marked Data Privacy Day, initially to raise awareness. Today, privacy is a critical consideration for cloud computing. People will not use technology they do not trust, and data privacy is an important consideration in building that trust.

New technologies can make people question how their own information is controlled. As Brendon Lynch, Chief Privacy Officer, mentions in his Microsoft on the Issues blog, Microsoft is putting you in control in three ways:

  • Building privacy into products. We design and build products with security and privacy in mind, from our software development processes to using best-in-class encryption to protect your data. These steps are critical to keeping your information safe from attacks.
  • Building privacy into policies and practices. Putting you in control means offering transparency, starting with company policies that provide simple and easy to understand explanations of how your personal information is used and stored on Microsoft’s platforms.
  • Advocating laws and legal processes that keep people in control. We require governments around the world to use legal process to request customer data. We have challenged laws to make privacy protections stronger. And we advocate for better public policy to balance privacy and public safety.

Microsoft takes a principled approach to building trust in the cloud focusing on Cybersecurity, Data Privacy, Compliance and Transparency. Data Privacy Day is an excellent time to evaluate privacy within your own organization.


Putting Information Sharing into Context

January 27th, 2015

Putting Information Sharing into Context: New Whitepaper Offers Framework for Risk Reduction

The nearly incessant drumbeat of cybersecurity incidents over the past weeks and months has brought about renewed interest in information sharing across the technical and political spheres. For example, earlier this month the White House proposed legislation to encourage information sharing, which President Obama also referred to in his State of the Union address. When it comes to cybersecurity, the right information exchanged or shared at the right time can enable security professionals and decision makers to reduce risks, deflect attacks, mitigate exploits and enhance resiliency. In this case, forewarned really can mean forearmed.

Information sharing is not a novel idea. A number of initiatives around the world have been in place and working successfully for some time. For example, here at Microsoft we have a program in place that gives security software providers early access to vulnerability information so that they can provide updated protections to customers faster. From this and other programs of various sizes we have learned that despite the increased focus on collective action from both private practitioners and policy makers around the world, effective information sharing is not an easy undertaking. It requires clear definitions and objectives rather than solely words of encouragement, or mandatory requirements. Furthermore, it is all too often viewed simply as a goal in and of itself rather than as a mechanism for improving security, cybersecurity assessment, and risk management. Finally, and from the public-private partnership perspective most pressingly, information sharing can quickly expand into controversies involving originator control, trust, transparency, privacy and liability.

To help put this complex issue into context, today we are releasing a new white paper: A framework for cybersecurity information sharing and risk reduction. Leveraging Microsoft’s decades of experience in managing security for our products, infrastructure, and customers, the paper provides a taxonomy for information exchanges including types, actors, and methods. We believe that understanding how to incentivize information sharing and how to better harness the practice for risk reduction can help move policy and strategy debates forward and support better defence of cyber assets and infrastructure. The paper concludes with a discussion of best practices and seeks to lay the groundwork for a more formalized, collaborative approach to information sharing and implementing exchanges through a set of recommendations. I hope that it can serve as a relevant and timely guide for anyone with responsibility for developing new ideas and solutions for information exchanges.

Figure: Information Sharing Infographic

2755801 – Update for Vulnerabilities in Adobe Flash Player in Internet Explorer – Version: 36.0

Revision Note: V36.0 (January 27, 2015): Added the 3035034 update to the Current Update section.
Summary: Microsoft is announcing the availability of an update for Adobe Flash Player in Internet Explorer on all supported editions of Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1. The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10 and Internet Explorer 11.


System Center Endpoint Protection support for Windows Server 2003

January 23rd, 2015

From July 14, 2015, Windows Server 2003 will cease to be a supported operating system. From this date Windows Server 2003 customers will no longer receive:

  • Definition updates for System Center Endpoint Protection and Forefront Endpoint Protection
  • Free or paid assisted support options
  • Online technical content updates
  • Security updates

We recommend finalizing your Windows Server migration plans today. Our research in the Security Intelligence Report Volume 17 has shown some of the risks associated with unsupported operating systems.

The following links have more information about the end of support for Windows Server 2003:

MMPC


2755801 – Update for Vulnerabilities in Adobe Flash Player in Internet Explorer – Version: 35.0

Revision Note: V35.0 (January 22, 2015): Added the 3033408 update to the Current Update section.
Summary: Microsoft is announcing the availability of an update for Adobe Flash Player in Internet Explorer on all supported editions of Windows 8, Windows Server 2012, Windows RT, Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1. The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10 and Internet Explorer 11.


MS15-006 – Important: Vulnerability in Windows Error Reporting Could Allow Security Feature Bypass (3004365) – Version: 1.1

Severity Rating: Important
Revision Note: V1.1 (January 21, 2015): Bulletin revised to correct Server Core installation entries in the Affected Software and Severity Ratings tables. This is an informational change only. Customers who have already successfully installed the update do not have to take any action.
Summary: This security update resolves a privately reported vulnerability in Windows Error Reporting (WER). The vulnerability could allow security feature bypass if successfully exploited by an attacker. An attacker who successfully exploited this vulnerability could gain access to the memory of a running process. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.


MAPS in the cloud: How can it help your enterprise?

January 21st, 2015

Malware can easily send a huge enterprise infrastructure into a tailspin. However, you can get greater protection from malware by using services in the cloud.  

Yes, there’s an opportunity to get real-time results from suspicious malware triggers where your system can:

  1. Consult the cloud upon detecting suspicious malware behaviors.
  2. Respond by blocking malware based on derived logic from the account ecosystem data, and local signals from the client.

How? Through the Microsoft Active Protection Service (MAPS). 

What is MAPS?

The Microsoft Active Protection Service is the cloud service that enables:

  • Clients to report key telemetry events and suspicious malware queries to the cloud
  • Cloud to provide real-time blocking responses back to the client

The MAPS service is available for all of Microsoft's antivirus products and services, including:

  • Microsoft Forefront Endpoint Protection
  • Microsoft Security Essentials
  • System Center Endpoint Protection
  • Windows Defender on Windows 8 and later versions

What can MAPS do for your enterprise software security?

Enabling MAPS in your system gives you:

  • Greater malware protection through cloud-delivered malware-blocking decisions

    Enable MAPS to trigger cloud calls for suspicious events. Doing so helps ensure that the machine uses the latest malware information available from the Microsoft Malware Protection Center (MMPC) research team, back-end big data, and machine learning logic.

  • Aggregated protection telemetry

    Leverage the latest ecosystem-wide detection techniques offered through the cloud. Microsoft aggregates protection telemetry from over one billion clients and cross-references it with numerous signals.

MMPC threat intelligence uses algorithms to construct and manage a view of threats across the ecosystem. When the endpoint product encounters suspicious activity, it can consult the cloud for real-time analysis before acting on it.

The vast data and computing resources available in the cloud allow fast detection of polymorphic and emerging threats and the application of advanced protection techniques.

At a high level, here's what the MAPS protection looks like:

Figure 1: How the cloud protection and telemetry works from the endpoint and back.

Client machines selectively send telemetry in real time (for detection) or periodically (for health checks) to the Microsoft Malware Protection Center (MMPC) cloud service. The telemetry includes:

  • Threat telemetry – to identify the threats, threat-related resources, and remediation results
  • Suspicious behavior – to collect samples and determine what to monitor and remediate
  • Heartbeat – to check the system's pulse: whether the antivirus application is still running, and whether it has the updated version

The MMPC cloud service responds to client telemetry with:

  • Cloud actions – context and a set of instructions from the cloud on how to handle a potential threat (for example, block it)
  • Cloud false positive mitigation response – to suppress false positive malware detections
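The client/cloud exchange described above, modelled end to end as an added example (a simplified model written for this page, not Microsoft's MAPS protocol, message formats or decision logic): the endpoint reports suspicious behaviour, the cloud answers with a block action or a false-positive suppression, aggregates reports across machines to promote an emerging threat, and the client falls back to its local signals when MAPS is off or the cloud is unreachable. The hashes, scores and thresholds are constructed.

```python
"""Model of a MAPS-style cloud consult. Simplified model for illustration only;
not Microsoft's MAPS protocol, message format or decision logic."""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    BLOCK = "block"      # cloud action: handle the potential threat by blocking it
    ALLOW = "allow"      # cloud false-positive mitigation, or nothing suspicious
    MONITOR = "monitor"  # no verdict yet: keep watching and collecting samples


@dataclass
class Telemetry:
    kind: str                 # "threat", "suspicious_behavior" or "heartbeat"
    machine_id: str
    sha256: str = ""          # constructed sample hash of the file involved
    local_score: int = 0      # local heuristic confidence, 0-100 (assumed scale)
    av_running: bool = True   # heartbeat fields: is the AV still running, and
    definitions_current: bool = True  # does it have the updated version?


@dataclass
class CloudResponse:
    action: Action
    reason: str


class CloudService:
    """Stand-in for the cloud side: a known-bad list, a false-positive
    suppression list, and per-hash aggregation across reporting machines."""

    def __init__(self, known_bad, known_good, emerging_threshold=3):
        self.known_bad = set(known_bad)
        self.known_good = set(known_good)
        self.emerging_threshold = emerging_threshold
        self.seen_on = {}        # sha256 -> set of machine ids that reported it
        self.unhealthy = set()   # machines whose heartbeat showed a problem

    def consult(self, t):
        if t.kind == "heartbeat":
            if not (t.av_running and t.definitions_current):
                self.unhealthy.add(t.machine_id)
            return CloudResponse(Action.ALLOW, "heartbeat recorded")
        self.seen_on.setdefault(t.sha256, set()).add(t.machine_id)
        if t.sha256 in self.known_good:
            return CloudResponse(Action.ALLOW, "cloud false-positive mitigation")
        if t.sha256 in self.known_bad:
            return CloudResponse(Action.BLOCK, "cloud action: known threat")
        # Ecosystem view: the same unknown file reported as suspicious from several
        # machines is promoted to an emerging threat and blocked for everyone after.
        if (len(self.seen_on[t.sha256]) >= self.emerging_threshold
                and t.local_score >= 50):
            self.known_bad.add(t.sha256)
            return CloudResponse(Action.BLOCK, "cloud action: emerging threat")
        return CloudResponse(Action.MONITOR, "no verdict yet; keep monitoring")


class OfflineCloud:
    """Stands in for a cloud service that cannot be reached."""
    def consult(self, t):
        raise ConnectionError("cloud unreachable")


class Endpoint:
    LOCAL_BLOCK_SCORE = 90  # block on local evidence alone only when very confident

    def __init__(self, machine_id, cloud, maps_enabled=True):
        self.machine_id = machine_id
        self.cloud = cloud
        self.maps_enabled = maps_enabled

    def _local_only(self, local_score):
        return Action.BLOCK if local_score >= self.LOCAL_BLOCK_SCORE else Action.MONITOR

    def on_suspicious(self, sha256, local_score):
        """Decide what to do with a suspicious file; returns the Action taken."""
        if not self.maps_enabled:
            return self._local_only(local_score)
        try:
            resp = self.cloud.consult(Telemetry("suspicious_behavior", self.machine_id,
                                                sha256, local_score))
        except ConnectionError:
            # Cloud unreachable: fall back to local signals rather than fail open.
            return self._local_only(local_score)
        if resp.action is Action.MONITOR:
            return self._local_only(local_score)  # cloud undecided: local evidence decides
        return resp.action


def run_scenario():
    """Constructed scenario exercising each path; returns a dict of outcomes."""
    cloud = CloudService(known_bad={"bad0001"}, known_good={"fp0002"})
    r = {}
    r["known_bad"] = Endpoint("m1", cloud).on_suspicious("bad0001", 30)
    r["false_positive"] = Endpoint("m1", cloud).on_suspicious("fp0002", 95)
    # Unknown file with a moderate local score: the first two reporters only monitor...
    r["unknown_first"] = Endpoint("m1", cloud).on_suspicious("new0003", 60)
    r["unknown_second"] = Endpoint("m2", cloud).on_suspicious("new0003", 60)
    # ...the third report crosses the threshold and the cloud promotes it to a block,
    # and a fourth machine then gets the block straight from the known-bad list.
    r["unknown_third"] = Endpoint("m3", cloud).on_suspicious("new0003", 60)
    r["unknown_fourth"] = Endpoint("m4", cloud).on_suspicious("new0003", 10)
    # MAPS disabled or cloud down: only high local confidence blocks.
    r["maps_off_low"] = Endpoint("m5", cloud, maps_enabled=False).on_suspicious("bad0001", 30)
    r["cloud_down_high"] = Endpoint("m6", OfflineCloud()).on_suspicious("x0004", 95)
    cloud.consult(Telemetry("heartbeat", "m7", definitions_current=False))
    r["unhealthy"] = sorted(cloud.unhealthy)
    return r
```

Note that the `maps_off_low` case is the point of the post: with MAPS off, a file the cloud already knows to be bad is merely monitored because the local signal alone is weak.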

The data gathered is treated with confidentiality. See the Microsoft System Center 2012 Endpoint Protection Privacy Statement for details. To help protect your privacy, reports are sent to Microsoft over an encrypted connection. Relevant data is analyzed

What the data shows

Figure 2: Percentage of protection MAPS can contribute over a six-month period

If we take the System Center Endpoint Protection data as an example, you'll see how MAPS is contributing 10% of protection to enterprise users on SCEP systems.

Imagine living without it – there'll be 10% more machines infected, and 10% more chance of intruders.

Prerequisites

Both Basic membership and Advanced membership enable cloud protection. See the Microsoft Active Protection Service (MAPS) section of the Microsoft System Center 2012 Endpoint Protection Privacy Statement for details.

By default, MAPS Basic is enabled in all of Microsoft’s new antimalware products. For enterprise customers, you have to enable it to get cloud protection from new threats that are coming in.

With the Advanced membership, you can get more information about the malware and/or suspicious behaviour. Such information can give your enterprise infrastructure better protection.

To get your system ready for MAPS, see the Introduction to Endpoint Protection in Configuration Manager.

So, what can you do to protect your enterprise?

  • Keep MAPS enabled on your system.
  • Join the Microsoft Active Protection Service Community.
To check if MAPS is enabled in your Microsoft security product, select Settings and then select MAPS:

Figure 3: With the MAPS option enabled, Microsoft anti-malware security product can take full advantage of Microsoft's cloud protection service

MMPC


Six Proposed Norms to Reduce Conflict in Cyberspace

January 20th, 2015

Last month, my team launched a new white paper, “International Cybersecurity Norms, Reducing conflict in an Internet-dependent world” at the EastWest Institute’s 2014 Global Cyberspace Cooperation Summit in Berlin. In the paper we explained the unique cyber risks posed by nation states’ offensive activities, and how these risks could escalate – perhaps unintentionally – to catastrophic consequence. Our goal was to outline the risks faced by society, and propose six cybersecurity norms that nation states can consider for reducing risk in cyberspace.

The framework we propose for developing norms evaluates various actors in cyberspace, the objectives those actors are seeking to advance, the corresponding actions that could be taken, and, finally, the potential impacts that can result. Governments, often among the most advanced actors in cyberspace, can take a multitude of actions in cyberspace, both offensively and defensively, to support acceptable objectives. These actions and their resulting impacts, both intended and unintended, can precisely support defined objectives but can also advance one generally acceptable objective while simultaneously challenging another. In many cases, societal debate is not about objectives, such as degrading or delaying the spread of nuclear weapons or preventing terrorism, but whether the actions that can be taken—and the impact of those actions—are acceptable. With this framework in mind, when developing cybersecurity norms for governments, we can focus on discussing acceptable and unacceptable objectives, which actions may be taken by governments, in pursuit of those objectives, what the possible impacts are, and whether they are acceptable for a civilized, connected society.

Cybersecurity norms should be designed not only to increase the security of cyberspace but also to preserve the utility of a globally connected society. As such, norms should define acceptable and unacceptable state behaviors, with the aim of reducing risks, fostering greater predictability, and limiting the potential for the most problematic impacts, including (and in particular) impacts which could result from government activity below the threshold of war.

Cybersecurity norms that limit potential conflict in cyberspace can bring predictability, stability, and security to the international environment. With a wide acceptance of these norms, governments investing in offensive cyber capabilities would have a responsibility to act and work within the international system to guide their use, and this would ultimately lead to a reduction in the likelihood of conflict. In many cases the norms are either rooted in principles not dissimilar from those governing the Law of Armed Conflict, or derived from international best practices currently employed globally by the Information Communication and Technology sector.

The following norms, and the framework used to build them, enable states to make choices that appropriately balance their roles as users, protectors, and exploiters of cyberspace.

1. States should not target ICT companies to insert vulnerabilities (backdoors) or take actions that would otherwise undermine public trust in products and services.

2. States should have a clear principle-based policy for handling product and service vulnerabilities that reflects a strong mandate to report them to vendors rather than to stockpile, buy, sell, or exploit them.

3. States should exercise restraint in developing cyber weapons and should ensure that any which are developed are limited, precise, and not reusable.

4. States should commit to nonproliferation activities related to cyber weapons.

5. States should limit their engagement in cyber offensive operations to avoid creating a mass event.

6. States should assist private sector efforts to detect, contain, respond to, and recover from events in cyberspace.

Download the paper to learn more about these proposed norms for cybersecurity. http://aka.ms/cybernorms

Crowti update – CryptoWall 3.0

January 14th, 2015

After a hiatus of almost two months over the holidays, a new campaign of Crowti tagged as 'CryptoWall 3.0' has been observed. It uses a similar distribution channel as before, being downloaded by other malware and served as a payload through exploits.

The graph below shows the spike in activity, following two days with none, from 288 unique machines affected by this malware:

Figure 1. Sudden spike from CryptoWall 3.0 activity this month.

It still follows the same behavior as previous variants, with minimal modifications such as changes in ransom notification file names:

  • HELP_DECRYPT.HTML
  • HELP_DECRYPT.PNG
  • HELP_DECRYPT.TXT
  • HELP_DECRYPT.URL

The files are still customized for each infected user with a personal link to a decryption-instructions page, which is still served over the Tor network. Tor (the anonymity network) is free software that enables online anonymity for users who attempt to resist censorship.

Figure 2. HELP_DECRYPT.PNG is displayed after the files on the system have been encrypted, giving information about the malware attack.

Figure 3. HELP_DECRYPT.TXT details the instructions to go to the decryption page that is customized for each infected user.

Figure 4.  HELP_DECRYPT.HTML details the instructions to go to the decryption page that is customized for each infected user.

Figure 5. Decryption service or payment page that requests 500 USD/EURO for the first 167 hours of the ransom demand, which increases over time.

As far as coverage goes, Microsoft detects this threat and encourages everyone to always have Microsoft security software up to date, and enable Microsoft Active Protection Service Community (MAPS).

Customers using MAPS can take advantage of Microsoft's cloud protection and are protected against the latest threat variants. MAPS is enabled by default for Microsoft Security Essentials and Windows Defender for Windows 8.1.

You can check if the MAPS feature is enabled in your Microsoft security product by selecting the Settings tab and then MAPS. This is also referenced in our previous blog on Crowti, 'The dangers of opening suspicious emails: Crowti ransomware', which discusses other steps that users can take to protect their PC.

Figure: MAPS window

Marianne Mallen

MMPC


January 2015 Updates

January 13th, 2015

Today, as part of Update Tuesday, we released eight security updates – one rated Critical and seven rated Important in severity, to address eight unique Common Vulnerabilities and Exposures (CVEs) in Microsoft Windows.

We encourage you to apply all of these updates. For more information about this month’s security updates, including the detailed view of the Exploit Index (XI) broken down by each CVE, visit the Microsoft Bulletin Summary webpage. If you are not familiar with how we calculate XI, a full description can be found here.

We re-released one Security Bulletin:

One Security Advisory was revised:

For the latest information, you can follow the MSRC team on Twitter at @MSFTSecResponse.

MSRC Team


MSRT January 2015 – Dyzap

January 13th, 2015

This month we added the Win32/Emotet and Win32/Dyzap malware families to the Malicious Software Removal Tool.

Both Emotet and Dyzap are trojans that steal personal information, including banking credentials. In a previous blog we detailed how Emotet targets German-language banking websites. In this blog, we will focus on Dyzap – another prevalent banking trojan that predominantly targets English-speaking countries. Dyzap variants target credentials for online banking, crypto currency, payroll services, private keys, and enterprise software. Figure 1 shows how this family can get onto your machine.

Figure 1: Dyzap infection chain

It is interesting to note that Win32/Upatre was distributing Win32/Zbot (aka Gameover v1) and Win32/Crilock (aka CryptoLocker). Following a multi-national action against the GameOver Zeus botnet in June last year, Upatre slowly began distributing Dyzap instead. This change is reflected in the telemetry below.

Figure 2: Monthly machine telemetry for Dyzap

Figure 3: Monthly file telemetry for Dyzap

Dyzap also seems to primarily target English-speaking countries such as the USA, Canada, and the UK.

Figure 4: The ten countries most affected by Dyzap infections

Upatre distribution and the Dyzap payload

Upatre malware that distributes Dyzap typically uses spam email campaigns to spread and then downloads other malware onto the infected PC. Emails in the latest spam campaign (as shown below) claim to have sent the recipient a document, and the body of the email reads: “Please look your document attached”.

Figure 5: An example spam email sent by Upatre

The attachment contains a malicious ZIP file. We have seen it use the name document81723.zip, but this can change at any time. The file extracts as an SCR file that imitates a screen saver or Adobe PDF document as shown in the example below:

Figure 6: Malicious ZIP file

We’ve also seen examples that claim to be a paid invoice, a received wire transfer, or an internal-only document:

Figure 7: Another example of Upatre spam email

If this threat is successfully installed, the latest variant will try to connect to the following URLs to download other malware components:

  • nikahsekerievi.com/wp-includes/<removed>/<removed>.pne
  • morye.net/mandoc/<removed>.pne

The downloaded components are encrypted and contain PWS:Win32/Dyzap.F.
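The delivery chain described above (spam, ZIP attachment, an SCR file dressed up as a document, then a download of ".pne" components) can be checked at two points. The PowerShell below is an added example by the editor, not MMPC code: the first part inspects a ZIP attachment for an executable disguised as a document, the second flags proxy-log lines that fetch ".pne" components from the hosts named in the post. The sample ZIP, the inner file name document81723.pdf.scr, the log line format and the PLACEHOLDER path segments (standing in for the paths the post redacts) are all constructed for the demonstration; the script assumes .NET 4.5 or later for System.IO.Compression.

```powershell
# Added example (not from the MMPC post): triage for the Upatre delivery chain.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

# Extensions the Windows shell executes on double-click; .scr is the one Upatre used here.
$ExecutableExtensions = @('.scr', '.exe', '.pif', '.com', '.bat', '.cmd', '.vbs', '.js')

function New-SampleZip {
    # Constructed sample: a 4-byte "MZ" stub named like a PDF, beside a harmless text file.
    param([Parameter(Mandatory)][string]$Path)
    if (Test-Path $Path) { Remove-Item $Path -Force }
    $zip = [System.IO.Compression.ZipFile]::Open($Path, [System.IO.Compression.ZipArchiveMode]::Create)
    try {
        $s = $zip.CreateEntry('document81723.pdf.scr').Open()
        $s.Write([byte[]](0x4D, 0x5A, 0x90, 0x00), 0, 4); $s.Dispose()
        $s = $zip.CreateEntry('readme.txt').Open()
        $b = [System.Text.Encoding]::ASCII.GetBytes('just text'); $s.Write($b, 0, $b.Length); $s.Dispose()
    } finally { $zip.Dispose() }
}

function Test-ZipAttachment {
    # One verdict per archive entry: BLOCK if either the name or the PE magic says "executable".
    param([Parameter(Mandatory)][string]$Path)
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.FullName.EndsWith('/')) { continue }            # directory entry
            $ext       = [System.IO.Path]::GetExtension($entry.Name).ToLower()
            $inner     = [System.IO.Path]::GetFileNameWithoutExtension($entry.Name)
            $isExecExt = $ExecutableExtensions -contains $ext
            $doubleExt = [System.IO.Path]::HasExtension($inner)       # e.g. document.pdf.scr
            $magic  = New-Object byte[] 2                               # "MZ" = PE/EXE header
            $stream = $entry.Open()
            try { $n = $stream.Read($magic, 0, 2) } finally { $stream.Dispose() }
            $isPe    = ($n -eq 2 -and $magic[0] -eq 0x4D -and $magic[1] -eq 0x5A)
            $verdict = if ($isExecExt -or $isPe) { 'BLOCK' } else { 'allow' }
            [pscustomobject]@{ Entry = $entry.FullName; ExecutableExt = $isExecExt
                               DoubleExtension = $doubleExt; PeHeader = $isPe; Verdict = $verdict }
        }
    } finally { $zip.Dispose() }
}

# Hosts the post names as payload sources. The paths are redacted there, so match on the
# host and on the unusual ".pne" extension rather than on a full URL.
$UpatreHosts = @('nikahsekerievi.com', 'morye.net')

function Find-PneDownloads {
    # Expects lines of the form "<time> <client> <method> <url> <status>" (constructed format).
    param([Parameter(Mandatory)][string[]]$Lines)
    foreach ($line in $Lines) {
        $f = $line -split '\s+'
        if ($f.Count -lt 4) { continue }
        $uri = $null
        if (-not [System.Uri]::TryCreate($f[3], [System.UriKind]::Absolute, [ref]$uri)) { continue }
        $byExt  = $uri.AbsolutePath.ToLower().EndsWith('.pne')
        $byHost = $UpatreHosts -contains $uri.Host.ToLower()
        if ($byExt -or $byHost) {
            [pscustomobject]@{ Time = $f[0]; Client = $f[1]; Host = $uri.Host
                               Path = $uri.AbsolutePath; KnownHost = $byHost; PneExtension = $byExt }
        }
    }
}

# Constructed proxy-log lines (PLACEHOLDER stands in for the path segments the post redacts).
$SampleProxyLog = @(
    '2015-01-13T09:12:01 10.0.0.15 GET http://nikahsekerievi.com/wp-includes/PLACEHOLDER/PLACEHOLDER.pne 200',
    '2015-01-13T09:12:03 10.0.0.15 GET http://www.example.com/index.html 200',
    '2015-01-13T09:15:44 10.0.0.22 GET http://morye.net/mandoc/PLACEHOLDER.pne 200'
)

$sample = Join-Path $env:TEMP 'document81723.zip'
New-SampleZip -Path $sample
Test-ZipAttachment -Path $sample     | Format-Table -AutoSize   # document81723.pdf.scr -> BLOCK
Find-PneDownloads -Lines $SampleProxyLog | Format-Table -AutoSize   # two hits, one per host
```

Checking the PE magic as well as the extension matters because the attachment name "can change at any time", as the post says: a renamed executable still starts with "MZ". The log check deliberately keys on the ".pne" extension and the host names separately, so a change of path on the same host, or the same payload extension on a new host, is still surfaced for review.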

Dyzap – stealing your data

The Dyzap family is a banking and financial trojan that targets both enterprise and home users. For example, we have seen this family target the following services:

  • Bitcoin and crypto-currency websites
  • Online banking websites
  • Payroll systems
  • SalesForce enterprise software

The full list of targets that we have seen is included in the Appendix of this blog.

PWS:Win32/Dyzap.F downloads a memory-resident component called Grabber.dll that grabs the certificate stores as well as any referenced private keys from the system and browsers. Some enterprises using smart-cards for authentication or individuals using smart-cards for online banking two-factor authentication may see a prompt to insert a smart card as Dyzap searches for the private key contained on their smart card:

Figure 8:  Smart card prompt on Windows 7

Figure 9:  Smart card prompt on Windows 8.1

Figure 10: Dyzap’s 'Grabber.dll' memory-resident component code exporting certificates and the corresponding private keys, if available

Figures 8 and 9 show the user prompt from Microsoft Cryptographic Services provided through the crypt32.dll PFXExportCertStoreEx function. Smart cards are typically designed to make it difficult to extract their private keys, and even if the user were to insert a smart card containing their private key it would not be stolen by Dyzap in most cases. However, certificates and private key pairs not stored on smart cards are at a particularly high risk of being stolen. The implications of these stolen pairs can be severe, since they are often used for purposes such as code signing, file encryption, and authentication.
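To turn the previous paragraph into an inventory, the following PowerShell function is an added example by the editor (not MMPC code). It lists certificates in the user and machine personal stores that have a private key and reports whether that key is exportable and whether it lives on a smart card or token, which is exactly the split the paragraph draws between keys at high risk and keys Grabber.dll cannot normally take. It assumes Windows PowerShell 3 or later and keys held by the classic CAPI providers, which expose CspKeyContainerInfo through the certificate's PrivateKey property; CNG-only keys return null there and are reported as unknown.

```powershell
# Added example (not from the MMPC post): inventory private keys by exposure to export.
function Get-PrivateKeyExposure {
    param([string[]]$Store = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'))
    foreach ($path in $Store) {
        $certs = Get-ChildItem -Path $path -ErrorAction SilentlyContinue | Where-Object { $_.HasPrivateKey }
        foreach ($cert in $certs) {
            $exportable = 'unknown'; $provider = 'unknown'; $hardware = $false
            try {
                # Opening the key container is what raises the smart-card prompt shown in
                # Figures 8 and 9; a card- or token-backed key reports HardwareDevice = $true.
                $info = $cert.PrivateKey.CspKeyContainerInfo      # $null for CNG-only keys
                if ($info) {
                    $exportable = $info.Exportable
                    $provider   = $info.ProviderName
                    $hardware   = $info.HardwareDevice
                }
            } catch { }   # no access to the container: leave the fields as 'unknown'
            $risk = if ($hardware) { 'low: key on smart card or token' }
                    elseif ($exportable -eq $true)  { 'HIGH: software key, exportable' }
                    elseif ($exportable -eq $false) { 'medium: software key, marked non-exportable' }
                    else { 'unknown: CNG key, inspect with certutil -user -store My' }
            [pscustomobject]@{
                Store      = $path
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                EKU        = ($cert.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -join ', '
                Provider   = $provider
                Exportable = $exportable
                Risk       = $risk
            }
        }
    }
}

# Usage: the HIGH rows are the key pairs to revoke and replace first after a Dyzap infection.
Get-PrivateKeyExposure | Sort-Object Risk | Format-Table Subject, EKU, Provider, Exportable, Risk -AutoSize
```

The EKU column is there because the paragraph's point about impact depends on it: a stolen exportable key with a Code Signing or Client Authentication purpose needs revocation at the issuing CA, not just a new certificate on the cleaned machine.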

Dyzap also loads another memory-resident component that provides VNC access to the infected machine – giving a malicious hacker access to remotely monitor or control the infected machine. The attackers are able to use this feature to carry out a transaction, transfer, or payroll modification from the infected machine itself.

Detecting and removing Dyzap

Microsoft security products, such as Microsoft Security Essentials, include detection for Upatre and Dyzap. To help stay protected you should keep your security software up to date.

After removing an Upatre or Dyzap infection, enterprises should:

  1. Reset any passwords on infected machines and any credentials that the machine can access.
  2. Revoke and replace any key pairs whose private keys the infected machine had access to.
  3. Audit any enterprise systems, payroll systems, and bank accounts that the infected machines can access for fraudulent transactions or manipulations.

Home users should:

  1. Change their online banking credentials after cleaning up the threat.
  2. Review recent bank transfers to make sure there have not been any fraudulent transactions.
  3. Change account passwords if the PC has been used to access crypto-currency related websites.
  4. Review recent crypto-currency related activity.

Geoff McDonald, Patrick Estavillo and Rodel Finones
MMPC

Appendix

Table 1 – Dyzap targets as of December 2014

365online.com
access.jpmorgan.com
accounts.expresscoin.com
achieveaccess.charterone.com
aibinternetbanking.aib.ie
alolb1.arbuthnotlatham.co.uk
anxbtc.com
anz.com
anztransactive.anz.com
ap.ebs.bankofchina.com
apps.bhw.de
apps.virginmoney.com
arabi-online.net
asbolb.com
asl.com
auth.globalpay.westernunion.com
bank.barclays.co.uk
bank.ruralbank.com.au
bankdirect.co.nz
banking.axa.de
banking.bankhaus-mayer.de
banking.bankofscotland.co.uk
banking.bmwbank.de
banking.commerzfinanz.com
banking.degussa-bank.de
banking.donner-reuschel.de
banking.ing-diba.de
banking.ireland-bank.com
banking.martinbank.de
banking.nfbank.de
banking.oyakankerbank.de
banking.steylerbank.de
banking.triodos.co.uk
banking.valovisbank.de
bankline.natwest.com
bankline.rbs.com
bankline.ulsterbank.ie
bankofirelandlifeonline.ie
barclayswealth.com
bbonline.bankofmelbourne.com.au
bbonline.banksa.com.au
bbonline.stgeorge.com.au
bcv.ch
bitbargain.co.uk
bitpay.com
bitstamp.net
blcweb.banquelaurentienne.ca
blockchain.info
bnz.co.nz
boi-bol.com
bol.westpac.co.nz
bolpp.bankofireland.com
brdoffice.ro
btultra.btrl.ro
bureau.bottomline.co.uk
business.co-operativebank.co.uk
business.hsbc.co.uk
business.santander.co.uk
business2.danskebank.co.uk
business2.danskebank.ie
businessaccess.citibank.citigroup.com
businessbankingcpo.tdcommercialbanking.com
businesscenter.mysynchrony.com
business-eb.ibanking-services.com
businessonline.mutualofomahabank.com
businessonline.westpac.com.au
butterfieldonline.co.uk
bv-activebanking.de
cardonebanking.com
cashproonline.bankofamerica.com
caterallenonline.co.uk
cbfm.saas.cashfac.com
cbionline.cbi.ae
ceconline.ro
charisma.btdirect.ro
chsec.wellsfargo.com
cib.uab.ae
citibank.com.au
cityntl.webcashmgmt.com
clients.tilneybestinvest.co.uk
cmo.cibc.com
cmol.bbt.com
coinbase.com
commerceconnections.commercebank.com
commercial.bnc.ca
commercial.hsbc.com.hk
corporate.adcb.com
corporate.metrobankonline.co.uk
corporate.santander.co.uk
corporate-clients.commerzbank.com
dab-bank.de
dashboard.gocoin.com
db-direct.db.com
db-sg.db.com
deutschebank-dbdirect.com
e-access.compassbank.com
eadibcorp.adib.ae
ebaer.juliusbaer.com
ebank.turkishbank.co.uk
ebanking.schwaebische-bank.de
ebanking2.danskebank.co.uk
ebanking-ch2.ubs.com
esavings.shawbrook.co.uk
express.53.com
extra.unicreditbank.hu
fareastnationalbank.ebanking-services.com
fastbanking.bancpost.ro
fcsolb.com
fdonline.co-operativebank.co.uk
fidelitytopeka.btbanking.com
financepilot-pe.mlp.de
finanzportal.fiducia.de
firstmerit.com
firstmeritib.com
flexipurchase.com
fx.regions.com
globalpay.westernunion.com
goldman.com
halifax-online.co.uk
hbciweb.olb.de
home1.ybonline.co.uk
home2.cybusinessonline.co.uk
homebank.tsbbank.co.nz
ht.businessonlinepayroll.com
ib.banksyd.com.au
ib.boq.com.au
ib.btrl.ro
ib.kiwibank.co.nz
ib.tmbank.com.au
ibank.gtbankuk.com
ibank.reliancebankltd.com
ibank.sbs.net.nz
ibank.theaccessbankukltd.co.uk
ibank.zenith-bank.co.uk
ibb.firsttrustbank1.co.uk
ibs.bankwest.com.au
ibusinessbanking.aib.ie
inba.lukb.ch
inetbnkp.adelaidebank.com.au
infinity.icicibank.co.uk
ingonline.com
internationalpayments.co.uk
internet-banking.dbs.com.sg
internetbanking.suncorpbank.com.au
investbank.ae
iombankibanking.com
kbinternetbanking.com
ktt.key.com
kunden.commerzbank.de
kunden-mkb-bank.de
leumionline.bankleumi.co.uk
lloydslink.online.lloydsbank.com
localbitcoins.com
login.24banking.ro
login.isso.db.com
login.salesforce.com
login.smartbusiness.ae
meine.deutsche-bank.de
mercantilcbonline.com
mkbag.de
my.banklenz.de
my.commbank.com.au
my.hypovereinsbank.de
my.sjpbank.co.uk
my.statestreet.com
myinvestorsbank.btbanking.com
nabconnect2.nab.com.au
natwestibanking.com
nebasilicon.fdecs.com
net.crediteurope.ro
netbanking.mashreqbank.com
netbanking.ubluk.com
netteller2.tsw.com.au
netteller3.pnbank.com.au
noorinternetbanking.com
northrimbankonline.btbanking.com
nwolb.com
online.adambank.com
online.bankmecu.com.au
online.bankofcyprus.co.uk
online.bankofscotland.co.uk
online.citi.eu
online.corp.westpac.com.au
online.coutts.com
online.dib.ae
online.duncanlawrie.com
online.ebs.ie
online.hbs.net.au
online.hoaresbank.co.uk
online.kbc.ie
online.multiport.com.au
online.nbad.com
online.ybs.co.uk
onlinebanking.bankcoop.ch
onlinebanking.iombank.com
onlinebanking.natwestoffshore.com
online-business.bankofscotland.co.uk
onlinebusiness.lloydsbank.co.uk
open24.ie
personal.co-operativebank.co.uk
pfo.us.hsbc.com
private.bankofsingapore.com
raiffeisenonline.ro
rakbankonline.ae
rbsdigital.com
rbsidigital.com
rbsiibanking.com
retail.santander.co.uk
ro.unicreditbanking.net
s2b.standardchartered.com
safello.com
santander.hpdsc.com
secure.ampbanking.com
secure.anz.co.nz
secure.coinjar.com
secure.defencebank.com.au
secure.handelsbanken.com
secure.internetbanking.ro
secure.macquarie.com.au
secure.membersaccounts.com
secure.tddirectinvesting.co.uk
secure1.rabodirect.co.nz
secure2.alphabank.ro
securentrycorp.amegybank.com
securentrycorp.calbanktrust.com
securentrycorp.nsbank.com
securentrycorp.zionsbank.com
sg.bibplus.uobgroup.com
signatureny.web-access.com
standardlife.co.uk
svbconnect.com
tb.raiffeisendirect.ch
tdetreasury.tdbank.com
treasury.pncbank.com
ulsterbankanytimebanking.ie
uniservices2.uobgroup.com
us.hsbcprivatebank.com
usgateway.rbs.com
velocity.ocbc.com
wealth.goldman.com
webcmpr.bancopopular.com
wellsoffice.wellsfargo.com
www1.firstdirect.com
www1.my.commbiz.commbank.com.au
www1.rbcbankusa.com
www22.bmo.com
www6.rbc.com
www8.comerica.com
wwwsec.ebanking.zugerkb.ch
wwwsec.valiant.ch
youinvest.co.uk


MS15-008 – Important: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (3019215) – Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (January 13, 2015): Bulletin published.
Summary: This security update resolves one privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker runs a specially crafted application on an affected system. An attacker must have valid logon credentials and be able to log on locally to exploit the vulnerability.


MS15-005 – Important: Vulnerability in Network Location Awareness Service Could Allow Security Feature Bypass (3022777) – Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (January 13, 2015): Bulletin published.
Summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow security feature bypass by unintentionally relaxing the firewall policy and/or configuration of certain services when an attacker on the same network as the victim spoofs responses to DNS and LDAP traffic initiated by the victim.
