Archive

Archive for October, 2014

New trace package available for UAG versions through Service Pack 4 Rollup 1

October 31st, 2014 No comments

downloadgreen

 

An updated tracing package is now available from the Microsoft Download center page for Forefront Unified Access Gateway (UAG) Tracing Symbols.  This new trace package includes formatting for all UAG versions through Service Pack 4 Rollup 1.

Forefront UAG tracing can be run on the Forefront UAG server and on client endpoint devices connecting to Forefront UAG resources. You configure trace settings, start tracing, reproduce scenarios that require troubleshooting, stop tracing, and then convert the binary tracing output to text using the provided format files.

 

 

This download provides the following:
• A set of .tmf files in a zip file. These .tmf files can be used to convert binary trace files on the Forefront UAG server, and on client endpoint devices.
• A EULA license
• A document with instructions for configuring and running tracing

Note that the zip file provided by this download is cumulative. .tmf files included in the zip file can be used with the RTM version of Forefront UAG, and with subsequent Forefront UAG releases.

Versions of .tmf files provided by this download are as follows:

• UAG RTM (Version 4.0.1101.000)
• UAG Update 1 (Version 4.0.1152.100) KB Article 981323
• UAG Update 2 (Version 4.0.1269.200), KB Article 2288900
• UAG RTM MS10-089 bulletin (Version 4.0.1101.052), KB Article 2433585
• UAG Update 1 MS10-089 bulletin (Version 4.0.1152.150), KB Article 2433584
• UAG Update 2 MS10-089 bulletin (Version 4.0.1269.250), KB Article 2418933
• UAG SP1 (Version 4.0.1752.10000), KB Article 2285712
• UAG SP1 Rollup 1 (Version 4.0.1752.10020), KB Article 2475733
• UAG RTM MS11-079 bulletin (Version 4.0.1101.063), KB Article 2522482
• UAG Update 1 MS11-079 bulletin (Version 4.0.1152.163), KB Article 2522483
• UAG Update 2 MS11-079 bulletin (Version 4.0.1269.284), KB Article 2522484
• UAG SP1 MS11-079 bulletin (Version 4.0.1752.10073), KB Article 2522485
• UAG SP1 Update 1 (Version 4.0.1773.10100), KB Article 2585140
• UAG SP1 MS12-026 (Version 4.0.1753.10076), KB Article 2649261
• UAG SP1 Update 1 MS12-026 (Version 4.0.1773.10190), KB Article 2649262
• UAG SP2 (Version 4.0.2095.10000), KB Article 2710791
• UAG SP3 (Version 4.0.3123.10000), KB Article 2744025
• UAG SP3 Rollup 1 (Version 4.0.3206.10100), KB Article 2827350
• UAG SP4 (Version 4.0.4083.10000), KB Article 2861386
• UAG SP4 Rollup 1 (Version 4.0.4160.10100), KB Article 2922171

Thank you,

The Forefront UAG Product Team

 

Get the latest System Center news on Facebook and Twitter:

clip_image001 clip_image002

The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/ 
The Forefront TMG blog: http://blogs.technet.com/b/isablog/ 
The Application Proxy blog: http://blogs.technet.com/b/applicationproxyblog/

The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/ 

System Center All Up: http://blogs.technet.com/b/systemcenter/
System Center – Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
System Center – Data Protection Manager Team blog: http://blogs.technet.com/dpm/
System Center – Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
System Center – Operations Manager Team blog: http://blogs.technet.com/momteam/
System Center – Service Manager Team blog: http://blogs.technet.com/b/servicemanager
System Center – Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Windows Intune: http://blogs.technet.com/b/windowsintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
The AD RMS blog: http://blogs.technet.com/b/rmssupp/

App-V Team blog: http://blogs.technet.com/appv/
MED-V Team blog: http://blogs.technet.com/medv/
Server App-V Team blog: http://blogs.technet.com/b/serverappv

New trace package available for UAG versions through Service Pack 4 Rollup 1

October 31st, 2014 No comments

downloadgreen

 

An updated tracing package is now available from the Microsoft Download center page for Forefront Unified Access Gateway (UAG) Tracing Symbols.  This new trace package includes formatting for all UAG versions through Service Pack 4 Rollup 1.

Forefront UAG tracing can be run on the Forefront UAG server and on client endpoint devices connecting to Forefront UAG resources. You configure trace settings, start tracing, reproduce scenarios that require troubleshooting, stop tracing, and then convert the binary tracing output to text using the provided format files.

 

 

This download provides the following:
• A set of .tmf files in a zip file. These .tmf files can be used to convert binary trace files on the Forefront UAG server, and on client endpoint devices.
• A EULA license
• A document with instructions for configuring and running tracing

Note that the zip file provided by this download is cumulative. .tmf files included in the zip file can be used with the RTM version of Forefront UAG, and with subsequent Forefront UAG releases.

Versions of .tmf files provided by this download are as follows:

• UAG RTM (Version 4.0.1101.000)
• UAG Update 1 (Version 4.0.1152.100) KB Article 981323
• UAG Update 2 (Version 4.0.1269.200), KB Article 2288900
• UAG RTM MS10-089 bulletin (Version 4.0.1101.052), KB Article 2433585
• UAG Update 1 MS10-089 bulletin (Version 4.0.1152.150), KB Article 2433584
• UAG Update 2 MS10-089 bulletin (Version 4.0.1269.250), KB Article 2418933
• UAG SP1 (Version 4.0.1752.10000), KB Article 2285712
• UAG SP1 Rollup 1 (Version 4.0.1752.10020), KB Article 2475733
• UAG RTM MS11-079 bulletin (Version 4.0.1101.063), KB Article 2522482
• UAG Update 1 MS11-079 bulletin (Version 4.0.1152.163), KB Article 2522483
• UAG Update 2 MS11-079 bulletin (Version 4.0.1269.284), KB Article 2522484
• UAG SP1 MS11-079 bulletin (Version 4.0.1752.10073), KB Article 2522485
• UAG SP1 Update 1 (Version 4.0.1773.10100), KB Article 2585140
• UAG SP1 MS12-026 (Version 4.0.1753.10076), KB Article 2649261
• UAG SP1 Update 1 MS12-026 (Version 4.0.1773.10190), KB Article 2649262
• UAG SP2 (Version 4.0.2095.10000), KB Article 2710791
• UAG SP3 (Version 4.0.3123.10000), KB Article 2744025
• UAG SP3 Rollup 1 (Version 4.0.3206.10100), KB Article 2827350
• UAG SP4 (Version 4.0.4083.10000), KB Article 2861386
• UAG SP4 Rollup 1 (Version 4.0.4160.10100), KB Article 2922171

Thank you,

The Forefront UAG Product Team

 

Get the latest System Center news on Facebook and Twitter:

clip_image001 clip_image002

The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/ 
The Forefront TMG blog: http://blogs.technet.com/b/isablog/ 
The Application Proxy blog: http://blogs.technet.com/b/applicationproxyblog/

The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/ 

System Center All Up: http://blogs.technet.com/b/systemcenter/
System Center – Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
System Center – Data Protection Manager Team blog: http://blogs.technet.com/dpm/
System Center – Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
System Center – Operations Manager Team blog: http://blogs.technet.com/momteam/
System Center – Service Manager Team blog: http://blogs.technet.com/b/servicemanager
System Center – Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Windows Intune: http://blogs.technet.com/b/windowsintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
The AD RMS blog: http://blogs.technet.com/b/rmssupp/

App-V Team blog: http://blogs.technet.com/appv/
MED-V Team blog: http://blogs.technet.com/medv/
Server App-V Team blog: http://blogs.technet.com/b/serverappv

New trace package available for UAG versions through Service Pack 4 Rollup 1

October 31st, 2014 No comments

downloadgreen

 

An updated tracing package is now available from the Microsoft Download center page for Forefront Unified Access Gateway (UAG) Tracing Symbols.  This new trace package includes formatting for all UAG versions through Service Pack 4 Rollup 1.

Forefront UAG tracing can be run on the Forefront UAG server and on client endpoint devices connecting to Forefront UAG resources. You configure trace settings, start tracing, reproduce scenarios that require troubleshooting, stop tracing, and then convert the binary tracing output to text using the provided format files.

 

 

This download provides the following:
• A set of .tmf files in a zip file. These .tmf files can be used to convert binary trace files on the Forefront UAG server, and on client endpoint devices.
• A EULA license
• A document with instructions for configuring and running tracing

Note that the zip file provided by this download is cumulative. .tmf files included in the zip file can be used with the RTM version of Forefront UAG, and with subsequent Forefront UAG releases.

Versions of .tmf files provided by this download are as follows:

• UAG RTM (Version 4.0.1101.000)
• UAG Update 1 (Version 4.0.1152.100) KB Article 981323
• UAG Update 2 (Version 4.0.1269.200), KB Article 2288900
• UAG RTM MS10-089 bulletin (Version 4.0.1101.052), KB Article 2433585
• UAG Update 1 MS10-089 bulletin (Version 4.0.1152.150), KB Article 2433584
• UAG Update 2 MS10-089 bulletin (Version 4.0.1269.250), KB Article 2418933
• UAG SP1 (Version 4.0.1752.10000), KB Article 2285712
• UAG SP1 Rollup 1 (Version 4.0.1752.10020), KB Article 2475733
• UAG RTM MS11-079 bulletin (Version 4.0.1101.063), KB Article 2522482
• UAG Update 1 MS11-079 bulletin (Version 4.0.1152.163), KB Article 2522483
• UAG Update 2 MS11-079 bulletin (Version 4.0.1269.284), KB Article 2522484
• UAG SP1 MS11-079 bulletin (Version 4.0.1752.10073), KB Article 2522485
• UAG SP1 Update 1 (Version 4.0.1773.10100), KB Article 2585140
• UAG SP1 MS12-026 (Version 4.0.1753.10076), KB Article 2649261
• UAG SP1 Update 1 MS12-026 (Version 4.0.1773.10190), KB Article 2649262
• UAG SP2 (Version 4.0.2095.10000), KB Article 2710791
• UAG SP3 (Version 4.0.3123.10000), KB Article 2744025
• UAG SP3 Rollup 1 (Version 4.0.3206.10100), KB Article 2827350
• UAG SP4 (Version 4.0.4083.10000), KB Article 2861386
• UAG SP4 Rollup 1 (Version 4.0.4160.10100), KB Article 2922171

Thank you,

The Forefront UAG Product Team

 

Get the latest System Center news on Facebook and Twitter:

clip_image001

_64a4101d-1898-43ad-8493-b15123a8f037.gif” border=”0″ /> clip_image002

_e463ef66-6372-4614-ad1b-a2e20e16de5f.gif” border=”0″ />

The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/ 
The Forefront TMG blog: http://blogs.technet.com/b/isablog/ 
The Application Proxy blog: http://blogs.technet.com/b/applicationproxyblog/

The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/ 

System Center All Up: http://blogs.technet.com/b/systemcenter/
System Center – Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
System Center – Data Protection Manager Team blog: http://blogs.technet.com/dpm/
System Center – Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
System Center – Operations Manager Team blog: http://blogs.technet.com/momteam/
System Center – Service Manager Team blog: http://blogs.technet.com/b/servicemanager
System Center – Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Windows Intune: http://blogs.technet.com/b/windowsintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
The AD RMS blog: http://blogs.technet.com/b/rmssupp/

App-V Team blog: http://blogs.technet.com/appv/
MED-V Team blog: http://blogs.technet.com/medv/
Server App-V Team blog: http://blogs.technet.com/b/serverappv

Users from a trusted forest are unable to change their password using the UAG portal Credentials Management option

October 30th, 2014 No comments

 

Once again the UAG product group have worked diligently on releasing a much awaited update for UAG – SP4 Rollup 1

This update includes numerous fixes for the issues we have heard from customers over the last 12 months, plus also some improvements. However, one particular issue is not included in this release, so we thought to share the details on this…

 

  Problem Scenario

Users from a trusted forest are unable to change their password using the Credentials Management option on the UAG portal page.

Portal CredMgr - Copy

E.g., a user from a trusted forest logs into the UAG portal and selects the Credentials Management icon on the toolbar. The user then chooses the “Change Password” option, which displays the password change dialog. After completing the form with their current and new password, the user clicks “Save” to apply the change. However, the password is not changed and the user receives an error message stating, “The password change cannot be applied”.

On the other hand, this behavior does not affect users from a domain within the UAG forest and their password is successfully changed. In this scenario, you may also observe that the “User name:” field appears to display the logged in user’s name as “Repositoryusername”, rather than “TrustedForestusername”.

 

  The Solution

The suggested fix is to make a modification to UAG’s LoginChangePassword.inc,so that the domain_name variable includes the user’s respective domain.

It’s not possible to customize the LoginChangePassword.incfile using the standard UAG CustomUpdate mechanism, and therefore it’s required to modify the built-in file using a manual method.

Note:Unless advised by Microsoft support personnel, making changes to core UAG files is wholly unsupported. You should not make changes to these files except under strict guidance set out by the UAG support team, or other exceptions provided through an official channel such as this blog. Applying any future updates or running repairs may overwrite the modified file.

1. Navigate to ..<UAG_Installation_path>Microsoft Forefront Unified Access GatewayvonInternalSiteinc and make a copy of the LoginChangePassword.incfile within the same folder

2. Now edit the original file and locate the below block of code…

repository = ""
user_name = ""
for each user in user_Vec.UserVec
if i = index then
repository = user.Repository
user_name = user.User
exit for
end if
i = i + 1
next
set user_vec = Nothing

3. Change this to include the following 6 lines…

repository = ""
user_name = ""
for each user in user_Vec.UserVec
if i = index then
repository = user.Repository
user_name = user.User

######### Below lines added to correct issue post SP4 RU1 ##########

domain_name = user.Domain
if ( (domain_name <> "") and (InStr(user_name, "@")=0) ) then
user_name = domain_name & "" & user_name
end if
##################################################

exit for
end if
i = i + 1
next
set user_vec = Nothing

4. Save the file and repeat these same steps on any other remaining UAG servers

 

AUTHOR

Rainier Amara

Support Escalation Engineer – Microsoft Edge Security Team

 

REVIEWERS

Lars Bentzen

Sr. Escalation Engineer – Microsoft Edge Security Team

Users from a trusted forest are unable to change their password using the UAG portal Credentials Management option

October 30th, 2014 No comments

 

Once again the UAG product group have worked diligently on releasing a much awaited update for UAG – SP4 Rollup 1

This update includes numerous fixes for the issues we have heard from customers over the last 12 months, plus also some improvements. However, one particular issue is not included in this release, so we thought to share the details on this…

 

  Problem Scenario

Users from a trusted forest are unable to change their password using the Credentials Management option on the UAG portal page.

Portal CredMgr - Copy

E.g., a user from a trusted forest logs into the UAG portal and selects the Credentials Management icon on the toolbar. The user then chooses the “Change Password” option, which displays the password change dialog. After completing the form with their current and new password, the user clicks “Save” to apply the change. However, the password is not changed and the user receives an error message stating, “The password change cannot be applied”.

On the other hand, this behavior does not affect users from a domain within the UAG forest and their password is successfully changed. In this scenario, you may also observe that the “User name:” field appears to display the logged in user’s name as “Repository\username”, rather than “TrustedForest\username”.

 

  The Solution

The suggested fix is to make a modification to UAG’s LoginChangePassword.inc,so that the domain_name variable includes the user’s respective domain.

It’s not possible to customize the LoginChangePassword.incfile using the standard UAG CustomUpdate mechanism, and therefore it’s required to modify the built-in file using a manual method.

Note:Unless advised by Microsoft support personnel, making changes to core UAG files is wholly unsupported. You should not make changes to these files except under strict guidance set out by the UAG support team, or other exceptions provided through an official channel such as this blog. Applying any future updates or running repairs may overwrite the modified file.

1. Navigate to ..\<UAG_Installation_path>\Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\ and make a copy of the LoginChangePassword.incfile within the same folder

2. Now edit the original file and locate the below block of code…

repository = ""
user_name = ""
for each user in user_Vec.UserVec
if i = index then
repository = user.Repository
user_name = user.User
exit for
end if
i = i + 1
next
set user_vec = Nothing

3. Change this to include the following 6 lines…

repository = ""
user_name = ""
for each user in user_Vec.UserVec
if i = index then
repository = user.Repository
user_name = user.User

######### Below lines added to correct issue post SP4 RU1 ##########

domain_name = user.Domain
if ( (domain_name <> "") and (InStr(user_name, "@")=0) ) then
user_name = domain_name & "\" & user_name
end if
##################################################

exit for
end if
i = i + 1
next
set user_vec = Nothing

4. Save the file and repeat these same steps on any other remaining UAG servers

 

AUTHOR

Rainier Amara

Support Escalation Engineer – Microsoft Edge Security Team

 

REVIEWERS

Lars Bentzen

Sr. Escalation Engineer – Microsoft Edge Security Team

Users from a trusted forest are unable to change their password using the UAG portal Credentials Management option

October 30th, 2014 No comments

 

Once again the UAG product group have worked diligently on releasing a much awaited update for UAG – SP4 Rollup 1

This update includes numerous fixes for the issues we have heard from customers over the last 12 months, plus also some improvements. However, one particular issue is not included in this release, so we thought to share the details on this…

 

  Problem Scenario

Users from a trusted forest are unable to change their password using the Credentials Management option on the UAG portal page.

Portal CredMgr - Copy

E.g., a user from a trusted forest logs into the UAG portal and selects the Credentials Management icon on the toolbar. The user then chooses the “Change Password” option, which displays the password change dialog. After completing the form with their current and new password, the user clicks “Save” to apply the change. However, the password is not changed and the user receives an error message stating, “The password change cannot be applied”.

On the other hand, this behavior does not affect users from a domain within the UAG forest and their password is successfully changed. In this scenario, you may also observe that the “User name:” field appears to display the logged in user’s name as “Repositoryusername”, rather than “TrustedForestusername”.

 

  The Solution

The suggested fix is to make a modification to UAG’s LoginChangePassword.inc,so that the domain_name variable includes the user’s respective domain.

It’s not possible to customize the LoginChangePassword.incfile using the standard UAG CustomUpdate mechanism, and therefore it’s required to modify the built-in file using a manual method.

Note:Unless advised by Microsoft support personnel, making changes to core UAG files is wholly unsupported. You should not make changes to these files except under strict guidance set out by the UAG support team, or other exceptions provided through an official channel such as this blog. Applying any future updates or running repairs may overwrite the modified file.

1. Navigate to ..<UAG_Installation_path>Microsoft Forefront Unified Access GatewayvonInternalSiteinc and make a copy of the LoginChangePassword.incfile within the same folder

2. Now edit the original file and locate the below block of code…

repository = ""
user_name = ""
for each user in user_Vec.UserVec
if i = index then
repository = user.Repository
user_name = user.User
exit for
end if
i = i + 1
next
set user_vec = Nothing

3. Change this to include the following 6 lines…

repository = ""
user_name = ""
for each user in user_Vec.UserVec
if i = index then
repository = user.Repository
user_name = user.User

######### Below lines added to correct issue post SP4 RU1 ##########

domain_name = user.Domain
if ( (domain_name <> "") and (InStr(user_name, "@")=0) ) then
user_name = domain_name & "" & user_name
end if
##################################################

exit for
end if
i = i + 1
next
set user_vec = Nothing

4. Save the file and repeat these same steps on any other remaining UAG servers

 

AUTHOR

Rainier Amara

Support Escalation Engineer – Microsoft Edge Security Team

 

REVIEWERS

Lars Bentzen

Sr. Escalation Engineer – Microsoft Edge Security Team

Vulnerability in Microsoft OLE Could Allow Remote Code Execution – Version: 1.1

Revision Note: V1.1 (October 30, 2014): Advisory updated to include additional acknowledgments.
Summary: Microsoft is aware of a vulnerability affecting all supported releases of Microsoft Windows, excluding Windows Server 2003. The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file that contains an OLE object. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. The attack requires user interaction to succeed on Windows clients with a default configuration, as User Account Control (UAC) is enabled and a consent prompt is displayed.

Categories: Uncategorized Tags:

3010060 – Vulnerability in Microsoft OLE Could Allow Remote Code Execution – Version: 1.1

Revision Note: V1.1 (October 30, 2014): Advisory updated to include additional acknowledgments.
Summary: Microsoft is aware of a vulnerability affecting all supported releases of Microsoft Windows, excluding Windows Server 2003. The vulnerability could allow remote code execution if a user opens a specially crafted Microsoft Office file that contains an OLE object. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights. The attack requires user interaction to succeed on Windows clients with a default configuration, as User Account Control (UAC) is enabled and a consent prompt is displayed.

Categories: Uncategorized Tags:

Security Advisory 3009008 updated

October 29th, 2014 No comments

Today, we announced the availability of SSL 3.0 fallback warnings in Internet Explorer (IE) 11. For more information please visit the IE blog.

We have also published an update on the status of the changes we have made to our Azure offerings in response to the SSL 3.0 vulnerability. For more information please visit the Azure blog.

 

Tracey Pretorius
Director, Response Communications

 

UPDATE October 29, 2014: Today, we revised Security Advisory 3009008 to provide an easy, one-click Fix it for customers to disable SSL 3.0 in all supported versions of Internet Explorer (IE).

We are committed to helping protect our customers and providing the best possible encryption to protect their data. To do this, we’re working to disable fallback to SSL 3.0 in IE, and disable SSL 3.0 by default in IE, and across Microsoft online services, over the coming months.

Millions of people and thousands of organizations around the world rely on our products and services every day, and while the number of systems that rely on SSL 3.0 exclusively is very small, we recognize that, particularly for enterprises, disabling the protocol may cause some impact. That’s why we’re taking a planned approach to this issue and providing customers with advance notice.

We encourage everyone to use the workarounds and Fix it provided in Security Advisory 3009008 to investigate their websites, services and third-party applications now, and begin preparing for this change.

If you are currently using older versions of IE, such as IE 6, we recommend you upgrade to a newer browser as soon as possible, in addition to using the Fix it released today. IE 11 is our latest and most secure browser and customers who upgrade will continue to benefit from additional security features.

Please visit our Azure and Office 365 blogs for more detailed plans.

We’re taking ongoing steps to help ensure customers are protected on the Internet, and we’ll continue to provide updates on this journey over the coming months.

UPDATE October 19, 2014: Today, we published guidance on how to disable SSL 3.0 in Azure Websites, Roles, and Virtual Machines. For more information, please visit the Azure blog.

Original post October 14, 2014: Security Advisory 3009008 released
Today, we released Security Advisory 3009008 to address a vulnerability in Secure Sockets Layer (SSL) 3.0 which could allow information disclosure. This is an industry-wide vulnerability that affects the protocol itself, and is not specific to Microsoft’s implementation of SSL or the Windows operating system.

This advisory provides guidance for customers so that they can disable SSL 3.0 in the browser. Customers should be aware that once they disable SSL 3.0, if they visit a website that supports only SSL 3.0 and does not support newer encryption protocols, they will receive a connection error message and will not be able to connect to that website.

 

Categories: Uncategorized Tags:

Security Advisory 3009008 revised

October 29th, 2014 No comments

Today, we revised Security Advisory 3009008 to provide an easy, one-click Fix it for customers to disable SSL 3.0 in all supported versions of Internet Explorer (IE).

We are committed to helping protect our customers and providing the best possible encryption to protect their data. To do this, we’re working to disable fallback to SSL 3.0 in IE, and disable SSL 3.0 by default in IE, and across Microsoft online services, over the coming months.

Millions of people and thousands of organizations around the world rely on our products and services every day, and while the number of systems that rely on SSL 3.0 exclusively is very small, we recognize that, particularly for enterprises, disabling the protocol may cause some impact. That’s why we’re taking a planned approach to this issue and providing customers with advance notice.

We encourage everyone to use the workarounds and Fix it provided in Security Advisory 3009008 to investigate their websites, services and third-party applications now, and begin preparing for this change.

If you are currently using older versions of IE, such as IE 6, we recommend you upgrade to a newer browser as soon as possible, in addition to using the Fix it released today. IE 11 is our latest and most secure browser and customers who upgrade will continue to benefit from additional security features.

Please visit our Azure and Office 365 blogs for more detailed plans.

We’re taking ongoing steps to help ensure customers are protected on the Internet, and we’ll continue to provide updates on this journey over the coming months.

Tracey Pretorius
Director, Response Communications

UPDATE October 19, 2014: Today, we published guidance on how to disable SSL 3.0 in Azure Websites, Roles, and Virtual Machines. For more information, please visit the Azure blog.

Original post October 14, 2014: Security Advisory 3009008 released
Today, we released Security Advisory 3009008 to address a vulnerability in Secure Sockets Layer (SSL) 3.0 which could allow information disclosure. This is an industry-wide vulnerability that affects the protocol itself, and is not specific to Microsoft’s implementation of SSL or the Windows operating system.

This advisory provides guidance for customers so that they can disable SSL 3.0 in the browser. Customers should be aware that once they disable SSL 3.0, if they visit a website that supports only SSL 3.0 and does not support newer encryption protocols, they will receive a connection error message and will not be able to connect to that website.

 

Categories: Uncategorized Tags:

Vulnerability in SSL 3.0 Could Allow Information Disclosure – Version: 2.0

Revision Note: V2.0 (October 29, 2014): Revised advisory to announce the deprecation of SSL 3.0, to clarify the workaround instructions for disabling SSL 3.0 on Windows servers and on Windows clients, and to announce the availability of a Microsoft Fix it solution for Internet Explorer. For more information see Knowledge Base Article 3009008.
Summary: Microsoft is aware of detailed information that has been published describing a new method to exploit a vulnerability in SSL 3.0. This is an industry-wide vulnerability affecting the SSL 3.0 protocol itself and is not specific to the Windows operating system. All supported versions of Microsoft Windows implement this protocol and are affected by this vulnerability. Microsoft is not aware of attacks that try to use the reported vulnerability at this time. Considering the attack scenario, this vulnerability is not considered high risk to customers.

Categories: Uncategorized Tags:

3009008 – Vulnerability in SSL 3.0 Could Allow Information Disclosure – Version: 2.0

Revision Note: V2.0 (October 29, 2014): Revised advisory to announce the deprecation of SSL 3.0, to clarify the workaround instructions for disabling SSL 3.0 on Windows servers and on Windows clients, and to announce the availability of a Microsoft Fix it solution for Internet Explorer. For more information see Knowledge Base Article 3009008.
Summary: Microsoft is aware of detailed information that has been published describing a new method to exploit a vulnerability in SSL 3.0. This is an industry-wide vulnerability affecting the SSL 3.0 protocol itself and is not specific to the Windows operating system. All supported versions of Microsoft Windows implement this protocol and are affected by this vulnerability. Microsoft is not aware of attacks that try to use the reported vulnerability at this time. Considering the attack scenario, this vulnerability is not considered high risk to customers.

Categories: Uncategorized Tags:

The dangers of opening suspicious emails: Crowti ransomware

October 29th, 2014 No comments

The Microsoft Malware Protection Center (MMPC) has seen a spike in number of detections for threats in the Win32/Crowti ransomware this month as the result of new malware campaigns. Crowti is a family of ransomware that when encountered will attempt to encrypt the files on your PC, and then ask for payment to unlock them. These threats are being distributed through spam email campaigns and exploits. 

Crowti impacts both enterprise and home users, however, this type of threat can be particularly damaging in enterprise environments. In most cases, ransomware such as Crowti can encrypt files and leave them inaccessible. That’s why it’s important to back up files on a regular basis. Cloud storage technologies such as OneDrive for Business can help with features such as built-in version history that helps you revert back to an unencrypted version of your files.

We also recommend you increase awareness about the dangers of opening suspicious emails – this includes not opening email attachments or links from untrusted sources. Attackers will usually try to imitate regular business transaction emails such as fax, voice mails, or receipts. If you receive an email that you’re not expecting, it’s best to ignore it. Try to validate the source of the email first before clicking on a link or opening the attachment. There is more advice to help prevent an infection from ransomware and other threats at the end of this blog.  

The graph below shows how Crowti ransomware has impacted our customer during the past month.

Daily encounter data 

Figure 1: Daily encounter data for Win32/Crowti ransomware

Computers in the United States have been most affected with 71 percent of total infections, followed by Canada, France and Australia. 

Geographic Telemetry data 

Figure 2:  Telemetry data for Win32/Crowti by country, 21 September – 21 October 2014

Infection and installation

Crowti is being distributed via spam campaigns with email attachments designed to entice the receiver to open them. We have seen the following attachment names:

  • VOICE<random numbers>.scr
  • IncomingFax<random numbers>.exe
  • fax<random numbers>.scr/exe
  • fax-id<random numbers>.exe/scr
  • info_<random numbers>.pdf.exe
  • document-<random numbers>.scr/exe
  • Complaint_IRS_id-<random numbers>.scr/exe
  • Invoice<random numbers>.scr/exe

The attachment is usually contained within a zip archive. Opening and running this file will launch the malware. An example of spam email messages is shown below:

Crowti spam mail 

Figure 3: Email spam message with Win32/Crowti as an attachment

Our telemetry and research shows that Win32/Crowti is also distributed via exploits kits such as Nuclear, RIG, and RedKit V2. These kits can deliver different exploits, including those that exploit Java and Flash vulnerabilities. Some of the exploits used to distribute Crowti are:

In the past, we have also seen Win32/Crowti being installed by other malware, such as Upatre, Zbot, and Zemot.

Figure 4 shows a typical infection chain:

Crowti infection chain 

 
Figure 4: Crowti infection chain

File encryption

Crowti's primary payload is to encrypt the files on your PC. It usually brands itself with the name CryptoDefense or CryptoWall. Below is a sample message shown once your files are encrypted.

Crowti encryption message 

Figure 5: Crowti encryption message

The links in the above message direct you to a Tor webpage asking for payment using Bitcoin.

Crowti payment message 

Figure 6: Crowti payment request

On September 29, 2014 we saw a Crowti sample distributed with a valid digital certificate which was issued to Trend, as shown below. This is not associated with Trend Micro and the certificate has since been revoked. Crowti has used digital certificates to bypass detection systems before – we have previously seen it using a certificate issued to The Nielsen Company.

digital certificate 

Figure 7: Crowti digital certificate

Protecting your PC

There is no guarantee that paying a ransom will give you access to your files or restore your PC to its pre-infection state. We do not recommend paying the ransom.

There are a number of security precautions that can help prevent these attacks in both enterprise and consumer machines. As well as being aware of suspicious emails and backing up your files, you should also keep your security products and other applications up-to-date. Attackers are taking advantage of unpatched vulnerabilities in software to compromise your machine. Most of the exploits used by Crowti target vulnerabilities found in browser plugin applications such as Java and Flash. Making a habit of regularly updating your software can help reduce the risk of infection.

We also encourage you to join our Microsoft Active Protection Service Community (MAPS). We use the data we gather from MAPS to create better detections, and to respond as fast as we can. This feature is enabled by default for Microsoft Security Essentials and Windows Defender for Windows 8.1. You can check if MAPS feature is enabled in your Microsoft security product by selecting the Settings tab and then MAPS:

enable MAPS 

Figure 8: With the MAPS option enabled Microsoft anti-malware security product can take full advantage of Microsoft’s cloud protection service

As always, we also recommend running a real-time security product such as Microsoft Security Essentials or another trusted security software product. You can read more about Win32/Crowti and ransomware in general on the Microsoft Malware Protection Center website.   

MMPC

Categories: Uncategorized Tags:

The dangers of opening suspicious emails: Crowti ransomware

October 29th, 2014 No comments

The Microsoft Malware Protection Center (MMPC) has seen a spike in number of detections for threats in the Win32/Crowti ransomware this month as the result of new malware campaigns. Crowti is a family of ransomware that when encountered will attempt to encrypt the files on your PC, and then ask for payment to unlock them. These threats are being distributed through spam email campaigns and exploits. 

Crowti impacts both enterprise and home users, however, this type of threat can be particularly damaging in enterprise environments. In most cases, ransomware such as Crowti can encrypt files and leave them inaccessible. That’s why it’s important to back up files on a regular basis. Cloud storage technologies such as OneDrive for Business can help with features such as built-in version history that helps you revert back to an unencrypted version of your files.

We also recommend you increase awareness about the dangers of opening suspicious emails – this includes not opening email attachments or links from untrusted sources. Attackers will usually try to imitate regular business transaction emails such as fax, voice mails, or receipts. If you receive an email that you’re not expecting, it’s best to ignore it. Try to validate the source of the email first before clicking on a link or opening the attachment. There is more advice to help prevent an infection from ransomware and other threats at the end of this blog.  

The graph below shows how Crowti ransomware has impacted our customer during the past month.

Daily encounter data 

Figure 1: Daily encounter data for Win32/Crowti ransomware

Computers in the United States have been most affected with 71 percent of total infections, followed by Canada, France and Australia. 

Geographic Telemetry data 

Figure 2:  Telemetry data for Win32/Crowti by country, 21 September – 21 October 2014

Infection and installation

Crowti is being distributed via spam campaigns with email attachments designed to entice the receiver to open them. We have seen the following attachment names:

  • VOICE<random numbers>.scr
  • IncomingFax<random numbers>.exe
  • fax<random numbers>.scr/exe
  • fax-id<random numbers>.exe/scr
  • info_<random numbers>.pdf.exe
  • document-<random numbers>.scr/exe
  • Complaint_IRS_id-<random numbers>.scr/exe
  • Invoice<random numbers>.scr/exe

The attachment is usually contained within a zip archive. Opening and running this file will launch the malware. An example of spam email messages is shown below:

Crowti spam mail 

Figure 3: Email spam message with Win32/Crowti as an attachment

Our telemetry and research shows that Win32/Crowti is also distributed via exploits kits such as Nuclear, RIG, and RedKit V2. These kits can deliver different exploits, including those that exploit Java and Flash vulnerabilities. Some of the exploits used to distribute Crowti are:

In the past, we have also seen Win32/Crowti being installed by other malware, such as Upatre, Zbot, and Zemot.

Figure 4 shows a typical infection chain:

Crowti infection chain 

 
Figure 4: Crowti infection chain

File encryption

Crowti's primary payload is to encrypt the files on your PC. It usually brands itself with the name CryptoDefense or CryptoWall. Below is a sample message shown once your files are encrypted.

Crowti encryption message 

Figure 5: Crowti encryption message

The links in the above message direct you to a Tor webpage asking for payment using Bitcoin.

Crowti payment message 

Figure 6: Crowti payment request

On September 29, 2014 we saw a Crowti sample distributed with a valid digital certificate which was issued to Trend, as shown below. This is not associated with Trend Micro and the certificate has since been revoked. Crowti has used digital certificates to bypass detection systems before – we have previously seen it using a certificate issued to The Nielsen Company.

digital certificate 

Figure 7: Crowti digital certificate

Protecting your PC

There is no guarantee that paying a ransom will give you access to your files or restore your PC to its pre-infection state. We do not recommend paying the ransom.

There are a number of security precautions that can help prevent these attacks in both enterprise and consumer machines. As well as being aware of suspicious emails and backing up your files, you should also keep your security products and other applications up-to-date. Attackers are taking advantage of unpatched vulnerabilities in software to compromise your machine. Most of the exploits used by Crowti target vulnerabilities found in browser plugin applications such as Java and Flash. Making a habit of regularly updating your software can help reduce the risk of infection.

We also encourage you to join our Microsoft Active Protection Service Community (MAPS). We use the data we gather from MAPS to create better detections, and to respond as fast as we can. This feature is enabled by default for Microsoft Security Essentials and Windows Defender for Windows 8.1. You can check if MAPS feature is enabled in your Microsoft security product by selecting the Settings tab and then MAPS:

enable MAPS 

Figure 8: With the MAPS option enabled Microsoft anti-malware security product can take full advantage of Microsoft’s cloud protection service

As always, we also recommend running a real-time security product such as Microsoft Security Essentials or another trusted security software product. You can read more about Win32/Crowti and ransomware in general on the Microsoft Malware Protection Center website.   

MMPC

Categories: Uncategorized Tags:

Rollup 1 for Forefront Unified Access Gateway 2010 Service Pack 4 is available for download

October 28th, 2014 No comments

downloadWe are happy to announce that Rollup 1 for Forefront UAG 2010 Service Pack 4 has been released.

UAG 2010 Service Pack 4 Rollup 1 is available as a hotfix download from Microsoft Support as an update to UAG 2010 Service Pack 4.

This update contains over 23 fixes for reported issues plus updates for application publishing templates. For details, please visit KB 2922171: Description of Rollup 1 for Forefront Unified Access Gateway 2010 Service Pack 4

Please download the Forefront Unified Access Gateway (UAG) 2010 Service Pack 4 Rollup package and learn more about UAG 2010 SP4 by visiting our TechNet Library.

 

Thank you,

The Forefront UAG Product Team

 

Get the latest System Center news on Facebook and Twitter:

clip_image001 clip_image002

The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/ 
The Forefront TMG blog: http://blogs.technet.com/b/isablog/ 
The Application Proxy blog: http://blogs.technet.com/b/applicationproxyblog/
The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/ 

System Center All Up: http://blogs.technet.com/b/systemcenter/
System Center – Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
System Center – Data Protection Manager Team blog: http://blogs.technet.com/dpm/
System Center – Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
System Center – Operations Manager Team blog: http://blogs.technet.com/momteam/
System Center – Service Manager Team blog: http://blogs.technet.com/b/servicemanager
System Center – Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Windows Intune: http://blogs.technet.com/b/windowsintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
The AD RMS blog: http://blogs.technet.com/b/rmssupp/

App-V Team blog: http://blogs.technet.com/appv/
MED-V Team blog: http://blogs.technet.com/medv/
Server App-V Team blog: http://blogs.technet.com/b/serverappv

Rollup 1 for Forefront Unified Access Gateway 2010 Service Pack 4 is available for download

October 28th, 2014 No comments

downloadWe are happy to announce that Rollup 1 for Forefront UAG 2010 Service Pack 4 has been released.

UAG 2010 Service Pack 4 Rollup 1 is available as a hotfix download from Microsoft Support as an update to UAG 2010 Service Pack 4.

This update contains over 23 fixes for reported issues plus updates for application publishing templates. For details, please visit KB 2922171: Description of Rollup 1 for Forefront Unified Access Gateway 2010 Service Pack 4

Please download the Forefront Unified Access Gateway (UAG) 2010 Service Pack 4 Rollup package and learn more about UAG 2010 SP4 by visiting our TechNet Library.

 

Thank you,

The Forefront UAG Product Team

 

Get the latest System Center news on Facebook and Twitter:

clip_image001 clip_image002

The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/ 
The Forefront TMG blog: http://blogs.technet.com/b/isablog/ 
The Application Proxy blog: http://blogs.technet.com/b/applicationproxyblog/
The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/ 

System Center All Up: http://blogs.technet.com/b/systemcenter/
System Center – Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
System Center – Data Protection Manager Team blog: http://blogs.technet.com/dpm/
System Center – Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
System Center – Operations Manager Team blog: http://blogs.technet.com/momteam/
System Center – Service Manager Team blog: http://blogs.technet.com/b/servicemanager
System Center – Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Windows Intune: http://blogs.technet.com/b/windowsintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
The AD RMS blog: http://blogs.technet.com/b/rmssupp/

App-V Team blog: http://blogs.technet.com/appv/
MED-V Team blog: http://blogs.technet.com/medv/
Server App-V Team blog: http://blogs.technet.com/b/serverappv

Rollup 1 for Forefront Unified Access Gateway 2010 Service Pack 4 is available for download

October 28th, 2014 No comments

downloadWe are happy to announce that Rollup 1 for Forefront UAG 2010 Service Pack 4 has been released.

UAG 2010 Service Pack 4 Rollup 1 is available as a hotfix download from Microsoft Support as an update to UAG 2010 Service Pack 4.

This update contains over 23 fixes for reported issues plus updates for application publishing templates. For details, please visit KB 2922171: Description of Rollup 1 for Forefront Unified Access Gateway 2010 Service Pack 4

Please download the Forefront Unified Access Gateway (UAG) 2010 Service Pack 4 Rollup package and learn more about UAG 2010 SP4 by visiting our TechNet Library.

 

Thank you,

The Forefront UAG Product Team

 

Get the latest System Center news on Facebook and Twitter:

clip_image001 clip_image002

The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/ 
The Forefront TMG blog: http://blogs.technet.com/b/isablog/ 
The Application Proxy blog: http://blogs.technet.com/b/applicationproxyblog/
The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/
The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/ 

System Center All Up: http://blogs.technet.com/b/systemcenter/
System Center – Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/
System Center – Data Protection Manager Team blog: http://blogs.technet.com/dpm/
System Center – Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/
System Center – Operations Manager Team blog: http://blogs.technet.com/momteam/
System Center – Service Manager Team blog: http://blogs.technet.com/b/servicemanager
System Center – Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm

Windows Intune: http://blogs.technet.com/b/windowsintune/
WSUS Support Team blog: http://blogs.technet.com/sus/
The AD RMS blog: http://blogs.technet.com/b/rmssupp/

App-V Team blog: http://blogs.technet.com/appv/
MED-V Team blog: http://blogs.technet.com/medv/
Server App-V Team blog: http://blogs.technet.com/b/serverappv

Novetta leads first coordinated malware eradication campaign

October 28th, 2014 No comments

​Earlier this month, Novetta took their initial public action in the first Coordinated Malware Eradication (CME) campaign against Win32/Hikiti and its associated threats.

Today, Novetta released a comprehensive report that describes in detail the threats and threat actors,  known as Axiom, targeted in this campaign.

Axiom is a well-resourced, disciplined, and sophisticated threat actor that analysts believe has been conducting espionage operations online since at least 2008. Since then, Axiom has pursued a wide variety of targets such as government agencies, global Fortune 500 companies, shapers of economic and environmental policies, and developers of cutting-edge information technology and telecommunications equipment. They have also targeted political activists, Non-Governmental Organizations (NGOs), and journalists.

If you know or suspect that your organization was affected by this threat, we highly recommend you run a full scan of your PC with a Microsoft security product or software from another trusted security vendor to ensure Hikiti and other malware are detected.

The Novetta report can help you discover other indicators and behaviors of Hikiti malware and other related threats used by these actors. It also explains how Axiom can set up their architecture in an infected environment.

Many thanks to our security partners F-Secure, FireEye, ThreatConnect, ThreatTrack Security, Volexity, Symantec, Tenable, Cisco, and iSIGHT for working with us and Novetta on this campaign. As we mentioned in our initial post, collaboration across private industry is crucial to addressing advanced persistent threats. This campaign is the first of many that we are launching through our CME program.

The Novetta paper focuses on the technical and operational aspect of Hikiti and Axiom, and I am going to focus on how this CME campaign got started, how it went, and what we learned.

Early beginnings

This campaign kicked off at the FIRST Conference in Boston just after the presentation on the CME program. I was introduced to Andre Ludwig from Novetta, who said he had an idea for a CME campaign. Hikiti, although small in overall prevalence, was broad in the number of environments it impacted globally. In other words, it takes only one infection to have a large impact to an organization or an individual.

Putting together the plan

We pulled together a long and distinguished list of security experts from multiple organizations and the campaign started to take shape. In a campaign, we typically analyze several aspects of the target malware to assess methods for eradication:

  • Distribution and infection vector
  • Monetization
  • Actor/attribution

Because Axiom targeted specific individuals and organizations, a methodical process of shutting down parts of the infection vectors (spear phishing, watering hole attacks) didn’t make sense. Although the malware authors may be interested in the value of intellectual property, there was no evidence of commercial buying and selling of the information they were collecting. From what the team knew about Axiom, it was unlikely they could be arrested (there are more details about this in the Novetta paper) meaning traditional tactics wouldn’t apply to this campaign. What was missing, however, was widespread detection and knowledge about how these actors worked and the tools they used so that every organization, both big and small, large security team or not, could have all the pertinent details to discover if they had been impacted by this threat and discover any collateral damage.

We developed a plan focused on two primary objectives. 

First, we planned a simultaneous release of widespread detection for one of the more advanced, later stage components of these actors (Hikiti), along with related initial and secondary stage threats, such as Derusbi, Mdmbot, Moudoor, Plugx, and Sensode (see the comprehensive list in the Novetta report). Second, we planned to release detailed information about Axiom’s toolkit to help any affected organization effectively detect and mitigate its impact (our action today). Essentially, our plan was to fight the adversary with a plethora of public information to make it difficult for them, in their current incarnation, to hide.

Executing the plan and lessons learned

From an operational perspective, this campaign had fewer logistical components. There were no take-downs to execute and no arrests, so the timeline moved fast. Novetta created several documents to foster collaboration, created a common voice for the group, organized all of the team’s research, and ensured that everyone was in synch with timelines and messaging. We are now building templates based on what we learned and putting them back into the program for others to use.

We have more lessons learned, of course. The team will be meeting to discuss these lessons in depth, so that we can incorporate them back into the program.

What’s next

This campaign was a great first for the CME program. Thanks goes to the entire team that contributed samples, insight, analysis, reviews, and telemetry to the campaign, including our own Francis Tan Seng and Peter Cap. A special thank you to Andre Ludwig, who was our model campaign leader, and the entire Novetta team. We learned much from the operational expertise brought to this campaign from Andre and the rest of our partners. We’re building those learnings back into the program so that all future campaign leaders can leverage that experience. We have several campaigns already in progress, so look for more information about them in the upcoming months.

If you are one of our VIA members, or want to join us to lead the fight against malware like Novetta, have a look at the CME program page or reach out to us at cme-invite@microsoft.com.

Holly Stewart
MMPC

Categories: Uncategorized Tags:

Novetta leads first coordinated malware eradication campaign

October 28th, 2014 No comments

​Earlier this month, Novetta took their initial public action in the first Coordinated Malware Eradication (CME) campaign against Win32/Hikiti and its associated threats.

Today, Novetta released a comprehensive report that describes in detail the threats and threat actors,  known as Axiom, targeted in this campaign.

Axiom is a well-resourced, disciplined, and sophisticated threat actor that analysts believe has been conducting espionage operations online since at least 2008. Since then, Axiom has pursued a wide variety of targets such as government agencies, global Fortune 500 companies, shapers of economic and environmental policies, and developers of cutting-edge information technology and telecommunications equipment. They have also targeted political activists, Non-Governmental Organizations (NGOs), and journalists.

If you know or suspect that your organization was affected by this threat, we highly recommend you run a full scan of your PC with a Microsoft security product or software from another trusted security vendor to ensure Hikiti and other malware are detected.

The Novetta report can help you discover other indicators and behaviors of Hikiti malware and other related threats used by these actors. It also explains how Axiom can set up their architecture in an infected environment.

Many thanks to our security partners F-Secure, FireEye, ThreatConnect, ThreatTrack Security, Volexity, Symantec, Tenable, Cisco, and iSIGHT for working with us and Novetta on this campaign. As we mentioned in our initial post, collaboration across private industry is crucial to addressing advanced persistent threats. This campaign is the first of many that we are launching through our CME program.

The Novetta paper focuses on the technical and operational aspect of Hikiti and Axiom, and I am going to focus on how this CME campaign got started, how it went, and what we learned.

Early beginnings

This campaign kicked off at the FIRST Conference in Boston just after the presentation on the CME program. I was introduced to Andre Ludwig from Novetta, who said he had an idea for a CME campaign. Hikiti, although small in overall prevalence, was broad in the number of environments it impacted globally. In other words, it takes only one infection to have a large impact to an organization or an individual.

Putting together the plan

We pulled together a long and distinguished list of security experts from multiple organizations and the campaign started to take shape. In a campaign, we typically analyze several aspects of the target malware to assess methods for eradication:

  • Distribution and infection vector
  • Monetization
  • Actor/attribution

Because Axiom targeted specific individuals and organizations, a methodical process of shutting down parts of the infection vectors (spear phishing, watering hole attacks) didn’t make sense. Although the malware authors may be interested in the value of intellectual property, there was no evidence of commercial buying and selling of the information they were collecting. From what the team knew about Axiom, it was unlikely they could be arrested (there are more details about this in the Novetta paper) meaning traditional tactics wouldn’t apply to this campaign. What was missing, however, was widespread detection and knowledge about how these actors worked and the tools they used so that every organization, both big and small, large security team or not, could have all the pertinent details to discover if they had been impacted by this threat and discover any collateral damage.

We developed a plan focused on two primary objectives. 

First, we planned a simultaneous release of widespread detection for one of the more advanced, later stage components of these actors (Hikiti), along with related initial and secondary stage threats, such as Derusbi, Mdmbot, Moudoor, Plugx, and Sensode (see the comprehensive list in the Novetta report). Second, we planned to release detailed information about Axiom’s toolkit to help any affected organization effectively detect and mitigate its impact (our action today). Essentially, our plan was to fight the adversary with a plethora of public information to make it difficult for them, in their current incarnation, to hide.

Executing the plan and lessons learned

From an operational perspective, this campaign had fewer logistical components. There were no take-downs to execute and no arrests, so the timeline moved fast. Novetta created several documents to foster collaboration, created a common voice for the group, organized all of the team’s research, and ensured that everyone was in synch with timelines and messaging. We are now building templates based on what we learned and putting them back into the program for others to use.

We have more lessons learned, of course. The team will be meeting to discuss these lessons in depth, so that we can incorporate them back into the program.

What’s next

This campaign was a great first for the CME program. Thanks goes to the entire team that contributed samples, insight, analysis, reviews, and telemetry to the campaign, including our own Francis Tan Seng and Peter Cap. A special thank you to Andre Ludwig, who was our model campaign leader, and the entire Novetta team. We learned much from the operational expertise brought to this campaign from Andre and the rest of our partners. We’re building those learnings back into the program so that all future campaign leaders can leverage that experience. We have several campaigns already in progress, so look for more information about them in the upcoming months.

If you are one of our VIA members, or want to join us to lead the fight against malware like Novetta, have a look at the CME program page or reach out to us at cme-invite@microsoft.com.

Holly Stewart
MMPC

Categories: Uncategorized Tags:

Interview on “Taste of Premier” about Security Guidance for Windows 8.1, Windows Server 2012 R2 and IE 11

October 22nd, 2014 No comments

Aaron Margosis interviewed on Channel 9's Taste of Premier about Security Guidance for Windows 8.1, Windows Server 2012 R2 and IE 11:
http://channel9.msdn.com/Blogs/Taste-of-Premier/Taste-of-Premier-Security-Guidance-for-Windows-8-1-Windows-Server…(read more)