Operators of the nearly-year-old eCh0raix ransomware strain that’s been used to target QNAP and Synology network-attached storage (NAS) devices in past, separate campaigns have, gotten more efficient. According to researchers, both have put out a new variant that can target either vendors’ devices in a single campaign.

In a report published Tuesday, Palo Alto Network Unit 42 researchers said the new variant of eCh0raix exploits a critical bug, CVE-2021-28799 – an improper authorization vulnerability that gives attackers access to hard-coded credentials so as to plant a backdoor account – in the Hybrid Backup Sync (HBS 3) software on QNAP’s NAS devices.

HBS is used for backup, restoration and synchronization between local, remote and cloud storage spaces. On April 21, users of devices marketed by the Taiwanese vendor – Quality Network Appliance Provider (QNAP) – began to report attacks that, it turned out, abused this same flaw. Hundreds of users were extorted, as Bleeping Computer reported at the time.

Timeline

As far as unit 42 can determine, there’s been no analysis yet of malware samples that would show eCh0raix ransomware targeting Synology devices before this. “Instances of Synology devices infected by eCh0raix have been reported from as far back as 2019, but the only previous research connecting the Synology attacks to eCh0raix actors is based on decryptors that were found,” they elaborated.

The first time that Unit 42 researchers saw this dual-vendor variant was September 2020. Maybe the combined variant was authored at that time and the attackers had separate code bases to target the vendors’ devices in separate campaigns before that, they suggested: a hypothesis that’s confirmed by the new variant’s project name, as revealed in compilation paths in GoLang binaries: “rct_cryptor_universal” (/home/dev/GoglandProjects/src/rct_cryptor_universal).

“Prior samples of eCh0raix use the project name qnap_crypt_worker,” researchers pointed out. Between June and September 2020, they did see other eCh0raix samples using that rct_cryptor_universal project name, but September 2020 was when they first saw a full-blown sample with two separate code flows.

Cover Your NAS

Unit 42 passed along these best practices for protecting home offices from ransomware attacks:

• Update device firmware to keep attacks of this nature at bay. Details about updating QNAP NAS devices against CVE-2021-28799 can be found on the QNAP website
• Create complex login passwords to make brute-forcing more difficult for attackers.
• Limit connections to SOHO connected devices from only a hard-coded list of recognized IPs to prevent network attacks that are used to deliver ransomware to devices.

On July 30, the Government of Japan declared that the State of Emergency currently in effect in Tokyo and Okinawa will be expanded to also cover the prefectures of Chiba, Kanagawa, Saitama and Osaka from August 2 to August 31. The State of Emergency for Tokyo and Okinawa will also be extended until August 31.

Residents are requested to refrain from unnecessary and non-urgent outings as much as possible, including during the day and especially after 8PM. Restaurants and other entertainment establishments are required to stop serving alcohol entirely and to close by 8PM.

Quasi-emergency measures will also apply to the prefectures of Hokkaido, Ishikawa, Kyoto, Hyogo and Fukuoka from August 2 to August 31.

For more information on the state of emergency, please visit https://corona.go.jp/en/

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Microsoft on Wednesday announced plans to end the online Microsoft Store for Business and Microsoft Store for Education in the "first quarter of 2023," per a Microsoft document on the topic.

These stores are different from the commercial Microsoft Store online application repository, which is currently undergoing a revamp. Microsoft Store for Business and the Microsoft Store for Education are used by businesses and schools to distribute applications to end users. Those applications might include private line-of-business apps or public apps that were customized by an independent software vendor.

The Shift to Windows Package Manager
Instead of using the Microsoft Store for Business and Microsoft Store for Education application repositories, Microsoft wants organizations to shift to using the Windows Package Manager and Microsoft Intune, or another "unified endpoint management (UEM) solution," to get their apps.

Windows Package Manager is a command-line tool, released as version 1.0 in May. It's used to install apps by sending text commands, either via the PowerShell console or a Windows Package Manager Client terminal. Windows Package Manager fetches apps that are housed in the Microsoft community repository.

Back in May, Microsoft had explained that Windows Package Manager, which is Microsoft's first "native" application installer, wasn't replacing the "Windows Store" (the old name for the Microsoft Store). It's not a store replacement because Windows Package Manager just has a text interface and doesn't have the ability to show marketing information.

Microsoft's Wednesday announcement indicated that it'll be possible for organizations to use the Microsoft Store for Business and the Microsoft Store for Education to get "free apps" until the 2023 end date. Microsoft had already killed off the use of those stores to get apps that need to be purchased, which happened back in April.

"Starting April 14, 2021, all apps that charge a base price above free will no longer be available to buy in the Microsoft Store for Business and Education," Microsoft's document had explained. The document added that apps already purchased will continue to run, but additionally licensing can't be bought.

Microsoft's plans to scrap these stores aren't wholly a surprise as they were described about a year and a half ago by veteran Microsoft reporter Mary Jo Foley.

Windows Package Manager Integration Milestones
Microsoft wants users of the Microsoft Store for Business and the Microsoft Store for Education to shift to using the Windows Package Manager tool, which will be integrated with Microsoft Intune or another UEM.

Currently, the integration work is still a work in progress for Microsoft. The announcement described the following "milestones" to that end:

• Windows Package Manager v1.0: generally available
• Intune integration with Windows Package Manager service, your private app repository, and the new Microsoft Store: Public Preview (Expected H1 2022)
• Intune integration with Windows Package Manager service, your private app repository, and the new Microsoft Store: General availability (Expected H2 2022)
• Retirement of Microsoft Store for Business and Education for Windows 10: expected Q1 2023

Microsoft's announcement included an FAQ section to clarify this rather confusing announcement. Essentially, the shift toward Windows Package Manager is just happening for users of free applications.

If organizations have installed Windows Store for Business or Windows Store for Education apps (free or paid), then those apps will continue to run "as long as the app is not removed from the device."

New Microsoft Store
Microsoft had described building a new Microsoft Store in this June 24 post. It will be arriving at some point for Windows 10 and Windows 11 devices. The new store isn't available for buying apps right now, but it's already described at this landing page.

The new Microsoft Store will have improvements to help users find applications. It'll be friendly to developers that offer their apps through install links on their Web sites. In such cases for Microsoft Store apps, a pop-up installer will appear when people click on the Web site link.

The new Microsoft Store will be capable of housing all types of applications, including the older Win32 (Windows 7-era) apps. Here's what it can hold, per the June 24 post:

Starting today, Windows developers can publish any kind of app, regardless of app framework and packaging technology -- such as Win32, .NET, UWP, Xamarin, Electron, React Native, Java and even Progressive Web Apps.

Microsoft also is giving developers a break if they use their own commerce platform to monetize their apps. In such cases, apps can be housed in the new Microsoft Store without any fee.

The new Microsoft Store is apparently at the preview stage right now. Its commercial-release timing wasn't described.

Microsoft’s scramble to address the fallout from the zero-day attacks against on-prem Exchange Server installations continued this week with the release of a one-click mitigation tool help businesses contain the damage.

The new Exchange On-premises Mitigation Tool (EOMT) is aimed at companies without dedicated security or IT teams to manage patching and post-incident forensics.

Microsoft said the tool has been tested across Exchange Server 2013, 2016, and 2019 deployments and is meant to be “an interim mitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises Exchange security update.”

The EOMT has been combined with the Microsoft Safety Scanner to automatically mitigate the dangerous CVE-2021-26855 vulnerability on any Exchange server on which it is deployed. 

“This tool is not a replacement for the Exchange security update but is the fastest and easiest way to mitigate the highest risks to internet-connected, on-premises Exchange Servers prior to patching,” Microsoft warned.

Here’s the latest list of Redmond’s recommendations:

1. Download the EOMT tool.
2. Run it on Exchange servers immediately.
3. Follow the more detailed guidance here to ensure that your on-premises Exchange is protected.
4. If you are already using Microsoft Safety Scanner, it is still live and Microsoft recommends keeping this running as it can be used to help with additional mitigations.

SecurityWeek has compiled a list of resources to help incident response teams and IT administrators respond to this global incident:

1. ProxyLogon — the researchers who reported some of the actively exploited vulnerabilities to Microsoft have named the issues ProxyLogon and have set up a dedicated website. They plan on publishing a technical paper in the future.
2. CISA advisory with instructions on how organizations can conduct a forensic analysis if they see evidence of compromise. 
3. CISA Emergency Directive with instructions for federal agencies, including for identifying potential compromises, conducting a forensic investigation, and responding to an incident. 
4. Huntress has been tracking attacks and vulnerable servers. The company has shared some recommendations for MSPs and technical information on the attacks. 
5. Joint advisory from CISA and FBI containing information on targeted sectors, attack techniques, mitigations, as well as technical details for detecting exploitation and attacker activities. 
6. Praetorian has reproduced the Exchange exploit chain and it has shared detailed technical information on the vulnerabilities. 
7. Unit 221B provides an online tool named Check My OWA, which is designed to “aid victim notification based on lists of compromised Exchange servers with Outlook Web Access(OWA) enabled, which were obtained from perpetrators of this mass breach event.”

Indicators of compromise (IOC) and other threat hunting resources

1. Volexity has shared information on the Exchange exploits, post-exploitation activity observed in attacks, and IOCs.
2. Microsoft provides technical details on the attacks it observed, instructions for checking if a system has been compromised, host IOCs, endpoint and Azure detections, and advanced hunting queries.
3. FireEye has shared information on attacks targeting Exchange servers, investigation tips and technical IOCs.
4. Scripts from Microsoft for checking IOCs related to the China-linked threat actor HAFNIUM, and for detecting malicious files on Exchange servers.
5. Pwndefend has made available a list of bad IP addresses, as well as an IOC hunting script that should provide a more detailed view in some areas.
6. Latvia’s CERT-LV has released a script that detects web shells dropped on Exchange servers following successful exploitation of the vulnerabilities. 

Tools and other resources for defenders

1. Nmap script made by researcher Kevin Beaumont can be used to scan a network for potentially vulnerable Microsoft Exchange servers.
2. DomainTools has conducted an analysis of the attacks and has shared some recommendations for network detection. 

The lifecycle of a wireless network is the process of designing, validating, optimizing, and troubleshooting that network. Whether upgrading an existing wireless network or designing a greenfield network, you have to account for capacity requirements or potential interferences in the environment. Before you deploy your new or upgraded network infrastructure, you need to ensure you have real-world data to provide insight and insurance for your wireless project. We’ve discussed Wi-Fi site surveys in a couple of Webinar. However, not all site surveys are equal. There’s three common types of on-site surveys that can be performed.

Passive site surveys

Performed to get an understanding of the RF characteristics on-site. By RF characteristics I mean Wi-Fi signal strengths, noise levels, SNR (signal-to-noise ratio), and the like.  The reason the site surveys are called “passive” is that your Wi-Fi network adapter is pretty much just listening to packets when performing passive site surveys. OK, the NIC might send some probes out, but that’s about it.

Active Site Surveys

Provide more insight on the network connectivity and/or performance. Things like packet loss, packet delay, and access points you’ve associated with, can be measured during active site surveys. As the name suggests, with active surveys the Wi-Fi adapter is receiving AND sending packets to figure out what’s truly going on with the network.

What is an AP on a Stick survey?

An AP on a Stick (APoS) survey is a method of temporarily staging APs at deployment height utilizing a tripod or other mounting options in order to validate your predictive design before a full site deployment. APoS surveys identify the RF signal propagation characteristics of the environment while providing additional confidence your proposed design will work as planned, reducing the need for costly AP location changes, and validating you have the correct number of APs in your design.

Adrozek is a malicious browser modifier that, when installed on users’ machines, infects them with adware. This particular strain of malware has been making rounds since May 2020; according to Microsoft, it was at its peak in August, when as many as 30,000 computers were affected per day. Although classified as adware, Adrozek is also designed to collect information extracted from browsers by modifying browser settings and extensions. It affects Google Chrome, Microsoft Edge, Mozilla Firefox, and the Yandex browser. Considering the risks Adrozek poses to organizations, IT admins need to take some preemptive measures to ensure security.

Adrozek is being distributed through drive-by attacks, where users are tricked into installing the malicious software, often bundled with or disguised as legitimate software. Once installed, it makes a number of modifications to browser settings and extensions. Adrozek disables browser updates and turns off Safe Browsing, which is a feature designed to prevent users from landing on malicious websites. It then installs and activates new browser extensions that run in incognito mode; these extensions run without explicit user permissions, and are hard to notice since they aren’t displayed in the toolbar. These modifications help the malware inject users’ search engines with ads. In certain browsers, the malware further steals users’ credentials. When users access enterprise web applications on the infected browsers, the organization’s data security is at risk.

It’s always better to be safe than sorry. IT admins can implement a stringent yet foolproof, three-step preventive mechanism to help secure their organizations against Adrozek.

1. Restrict users’ access to trusted websites

Implement URL filtering software to prevent users from accessing websites that are unauthorized by the IT teams. This ensures that users don’t land on infected websites, preventing the installation of malware.

2. Limit downloads to trusted websites

While step one eliminates the chances of users installing the malware, limiting downloads to trusted websites creates an additional layer of security, preventing it from being downloaded in the first place.

3. Restrict execution of untrusted applications

Restricting the execution of untrusted applications will prevent Adrozek from running if it’s present in the enterprise network. This final step creates a fortified boundary, preventing the execution of the malware.

BROCENT Managed IT Security Service (MSS) to implement these three-fold preventive measures. In case users’ machines are already infected with Adrozek, IT admins can implement a few best practices to limit the damage.

1. Deploy browser configurations to users’ browsers

Browser configurations and behavior can be managed from a central location with the managed antivirus console. Configurations deployed  cannot be overwritten by users, nor by Adrozek. For example, deploying a configuration to enable browser updates will prevent the malware from modifying the setting. Similarly, BROCENT support center can enable the Safe Browsing configuration, ensuring that Adrozek cannot disable it. This will minimize the impact of the malware.

2. Restrict installation of new browser extension and add-ons

IT admins can restrict the installation of new extensions and add-ons. This will prevent the malware from installing new extensions capable of injecting ads and stealing credentials. To prevent loss of productivity that could arise from lack of extensions, mission-critical extensions and add-ons can be distributed to users’ browsers BROCENT managed network behavior management console.

Password management within an enterprise environment can be difficult, more so when you consider the management and controlling of local administrator accounts across all Windows devices. Ensuring that everyone is using their computers with normal low-level privileged accounts can be a challenging task, more so when you need to ensure that any local administrator passwords should be secure and yet managed easily.

A lot of people will simply use the same password for all local administrator accounts, which can allow the management of machines to be frighteningly easy, however what happens if one machine is breached and the local credentials are dumped and then broken? The attacker has access to the whole estate.  This is where Microsoft LAPS comes into play.

Microsoft Local Administrator Password Solution (LAPS) is a password manager that when configured is integrated into Active Directory. LAPS allow domain administrators and/or help desk staff to manage and rotate passwords for local administrative accounts across all Windows devices. Having this tool setup within your Active Director environment is a great way to ensure that if anyone gains access to an endpoint that any lateral movement is restricted due to having unique passwords across all endpoints.

Another benefit of using LAPS is that it is not reliant upon additional computers, applications or services to manage these passwords, once setup its tightly integrated into Active Directory, thereby allowing you to integrate and manage passwords in AD compatible tools.

Before we begin, there’s a small disclaimer up front, installing and configuring LAPS is not as simple and download and execute a setup application, there is some manual configuration which is required using PowerShell and Group Policy.  If you aren’t sure what these are or how to use them, Microsoft does have some good documentation on installing and setting up LAPS, check out the ‘LAPS_OperationsGuide.docx’ document for more information. Note: You will need to be an AD Schema administrator for some parts of the setup process.

Once you have downloaded the LAPS installation application, run the application on a domain controller, you will be asked if you want to install the following items.

In this example, we’re going to select all items (for endpoints you only need to push out the ‘Adm GPO Extension’). Go ahead and install the features.

Once installed, the next step is to extend your Active Director Schema to allow the support of LDAPS. Microsoft provides a PowerShell module that will take care of this process (make sure you are an Active Directory Schema Administrator when running this). There will be two computer attributes added to your schema these are: ‘ms-Mcs-AdmPwd’ which stores the local administrator password and ‘ms-Mcs-AdmPwdExpirationTime’ which stores the time until the password expires.

Launch a PowerShell terminal and then import the ‘AdmPwd.ps’ module. Extend the AD Schema. Once you have extended the schema you will see the two new attributes

Now, if you go into Group Policy management editor, you can configure LAPS.

The ‘Password Settings’ GPO setting allows you to configure the password complexity for the passwords which are going to be used for the local administrator accounts, including the length and age. The ‘Enable local admin password management’ setting controls if the endpoints are governed by the GPO which are being managed by LAPS.

Before you can manage all the endpoints with LAPS you will have to deploy the ‘AdmPwd GPO Extension’ to all endpoints, this can be done a number of ways, some of these are:

1. Run the LAPS.x64.exe application on all endpoints and only install the GPO extension
2. Copy and deploy the dll file across all machines
3. Silently install the application via group policy

Once all set up, you can manage the passwords a number of ways, the easiest way is using the LAPS UI application, but you can also use PowerShell to manipulate the passwords.