Microsoft have announced a raft of new security features for Windows 11 – aimed squarely at the new trend of hybrid working.

With millions of users working remotely post-Covid, the enhancements largely focus on hardware security and identity protection, as end-user devices access ever more cloud-resources from a broader range of working environments.

Microsoft Pluton

‘Microsoft Pluton’ is the name of a new security processor integrated into CPUs on devices shipping with the new operating system – an App Control feature designed to prevent untrusted apps from running, block the theft of user credentials, and counter dangers from outdated drivers.

As we’ve noted before, Pluton (like Windows 11 itself) also relies upon Trusted Platform Module (TPM) technology to fire up a PC securely – but some TPM chips remain vulnerable to encryption keys being intercepted between components. Pluton devices are expected to close off that weakness, preventing this kind of hardware attack.

Smart App Control

As many predicted, Application Management begins taking centre-stage in 2022, as bigger organisations seek to prevent users introducing rogue software into their IT infrastructure (or worse, introducing it back into the company network themselves.)

Smart App Control blocks unsigned or suspicious apps at the OS level, and will receive regular updates daily.

However – it’s worth noting this core feature only applies to newly shipped devices – so even those who adopted Windows 11 early would have to complete a full operating system reinstall to ensure Smart App is live.

Microsoft Defender SmartScreen

SmartScreen helps protect identity by alerting the user if they’ve begun interacting with a known malicious application, fake or hacked website – with the added advantage that the safeguard is pre-installed for all users.

Microsoft are keen to demonstrate SmartScreen’s record of success elsewhere – blocking nearly 26 billion brute force attacks on Microsoft Azure Active Directory, and nearly 36 billion phishing emails that were intercepted by Microsoft 365, last year alone.

Credential Guard

Another ‘by default’ upgrade – Credential Guard isolates really important system secrets in a way that is designed to stop ‘pass the hash’ style attacks where a hacker is able to use the encrypted version of a password to gain entry, and (Microsoft claim) can even prevent malicious applications that have somehow obtained Admin-user privileges on their device from accessing those secrets.

You can discover the full list of the security enhancements coming to Windows 11 here.

Endpoint security specialist SentinelOne have isolated and demonstrated an installed instance of HermeticWiper malware currently destroying PCs across Ukraine.

First spotted on February 23rd, the 114kb ‘Hermetic Wiper’ malware gets its name from the (likely fictitious) ‘Hermetic Digital Ltd’ – a Cypriot company allegedly named on its digital certificate. The malware appears to have been circulated among a number of Ukrainian organisations, and abuses a partition management driver to begin corrupting a device’s physical drives.

Watch below as SentinelOne test-detonate an instance of Hermetic Wiper, first on an undefended PC, then with powerful endpoint protections in place:

Video Credit: SentinelOne.

Once activated, the malware initiates a device shutdown, making the system irretrievable and booting only as far as Windows’ ‘Your PC/Device needs to be repaired’ screen.

The timing and nature of the attack (crippling PCs in the short term, until they can be replaced) suggests an effort that has been coordinated with Russian military operations.

For cybersecurity advice and expertise, please contact Lineal today.

fake invoices

This week’s IT security alert from Lineal – fake invoices which ask users to run a dangerous piece of code.

The example above comes from a fake Word document emailed with a typical text line, such as ‘Please check this invoice’ or ‘Double check my numbers for me’, to an unsuspecting user.

Upon opening, the document appears to load a popup from Office 2016 prompting the user to ‘Enable Content’ for compatibility purposes, before they can view the detail of the ‘invoice.’

In fact, the display is just an image within the word file, and the ‘Enable Content’ content button instead runs a piece of Visual Basic code downloading unknown malware from the internet.

The scam relies on users’ curiosity at the unusual $1999.00 charge, and upon reaching a user still running an outdated version of Microsoft Office.

Several measures can be taken to prevent this kind of attack:

• Don’t click any popup that doesn’t visibly pop ‘open’ in Microsoft and don’t ‘Enable Content’ you can’t see in a document.

• Consider an email filtering service like Barracuda – in the above example, Barracuda had recognised this email as malicious and stripped the code from the document before placing it in the correct email inbox for the intended recipient.

• Invest in a high-quality antivirus and IT security software like ESET – using sophisticated heuristics and live scanning ESET can block this kind of threat, and advanced versions operate a comprehensive watchlist of fake ‘phishing’ scams which might try to imitate legitimate companies online.

• Move to Microsoft Office 365 – Microsoft’s cloud subscription model now ensures that you’ll always have the most up-to-date version of Microsoft Office, and therefore that if a document gives you this kind of message, it may be a scam.

For IT Security advice and guidance – speak to Lineal today.

Zepto

Yesterday Lineal’s team successfully rescued a client from a new ‘zero-day’ Cryptolocker Virus which nearly destroyed many of their files.

The dangerous variation of the ‘Zepto’ cryptolocker, only identified online during the last 24 hours, is believed to be a brand new threat originally derived from ‘Locky’ ransomware.

An employee at one of Lineal’s IT support clients recently opened an email containing an infected file – a malicious piece of obfuscated code written in Visual Basic scripting language. The installed Zepto cryptolocker began encrypting the company’s files, readying to demand a heavy ransom.

In a coordinated attack, an outside user also forced access to our client’s server, instructing it to begin sending fake Barclays ‘phishing’ emails, attempting to criminally capture banking details.

Our team caught both threats early, forcefully locking out the intruder in mid-session, identifying the employee who introduced the threat, and quarantining the infection with ESET’s business endpoint security. 

Lineal then notified ESET about Zepto to help with future identification, having avoided the need to restore all the clients files from backup at great disruption.

The landscape of online security threats is rapidly changing, and Cryptolocker variants have spread quickly in recent months.

In this case Lineal’s rapidly responding team and professional security software helped our client dodge the huge potential losses from the security breach – and highlighted how vital it is that organisations of all sizes take proactive steps to protect their IT from hostile intrusion.

For IT security advice and support, contact Lineal today.

Hundreds of people have received new types of phishing emails which knows the individual’s home address.

Clicking the link in the dangerous email, which as a appears very authentic request to pay an overdue invoice, installs devastating cryptolocker ‘ransomware’ on the user’s computer.

The virus then begins encrypting files, demanding a ransom be paid to unlock the user’s data.

According to the BBC the unconnected company cited in the email, cotton fabric manufacturer British Millerain Co Ltd, have received more than 150 phone calls from individuals concerned that they owe money.

Phishing emails and websites, which typically mimic official bank or company communications to trick vulnerable users into making payments to criminals, are becoming increasingly sophisticated.

The use of an individual’s personal address, and higher quality written English, suggests the original creator of the email has gone to greater lengths to make the email look convincing and to avoid detection.

It is also likely that the matching address originates from stolen, legitimate customer data, accounting for users’ recognition of the way they write their own home contact details.

New threats are constantly developing, and Lineal recommend installing an antivirus software with a strong record of catching emerging online threats – such as ESET.

Always follow some simple rules:

• Never click a link or open an attachment from any suspicious email whose origins you do not recognise.

• Banks and similar will NEVER request your private passwords, pin numbers or other confidential information. Do not disclose these to anyone.

• If hit by cryptolocker style ransomware, every second counts – seek professional technical support immediately.

• Always keep a regular, separate backup of your files.

• Invest in reliable Antivirus software like ESET to protect your device(s).

Photo Credit: BBC News

Smartphone banking app malware hacks SMS codes

A dangerous new banking app malware has successfully bypassed smartphone security used by some of the world’s biggest banks.

Customers of Australia’s four biggest banks, and numerous New Zealand Banks, have all been declared at risk from the malware which activates when using a banking app, copying details from login screens.

Most worryingly, the malware can also divert two-factor authentication codes sent to a given smartphone by SMS – and pass the code to criminals, breaking a tried and trusted system used by many online financial apps around the world.

ESET security systems (commonly deployed by commercial clients for server and endpoint security) recently detected the extremely sophisticated malware, which downloads via fake Adobe Flash windows on video streaming websites.

On Android, personal users can uninstall the malware manually via Settings > Apps > Flayer > Uninstall, and are advised to only accept approved downloads from trusted public sources such as Google Play.

Commercial clients should take similar precautions against banking app malware and similar, protecting company devices behind specialist security systems.

For IT security advice and support, contact Lineal today by clicking here.