As part of its monthly Update Tuesday , Microsoft announced Vulnerability-related.PatchVulnerability this week that they ’ ve released Vulnerability-related.PatchVulnerability a preliminary fix for a vulnerability rated important , and present in Vulnerability-related.DiscoverVulnerability all supported versions of Windows in circulation ( basically any client or server version of Windows from 2008 onward ) . The flaw affects Vulnerability-related.DiscoverVulnerability the Credential Security Support Provider ( CredSSP ) protocol , which is used in all instances of Windows ’ Remote Desktop Protocol ( RDP ) and Remote Management ( WinRM ) . The vulnerability , CVE-2018-0886 , could allow remote code execution via a physical or wifi-based Man-in-the-Middle attack , where the attacker steals Attack.Databreach session data , including local user credentials , during the CredSSP authentication process . Although Microsoft says Vulnerability-related.DiscoverVulnerability the bug has not yet been exploited Vulnerability-related.DiscoverVulnerability , it could cause serious damage if left unpatched . RDP is widely used in enterprise environments and an attacker who successfully exploits Vulnerability-related.DiscoverVulnerability this bug could use it to gain a foothold from which to pivot and escalate . It ’ s also popular with small businesses who outsource their IT administration and , needless to say , an attacker with an admin account has all the aces . Security researchers at Preempt say Vulnerability-related.DiscoverVulnerability they discovered and disclosed Vulnerability-related.DiscoverVulnerability this vulnerability to Microsoft last August , and Microsoft has been working since then to create Vulnerability-related.PatchVulnerability the patch released Vulnerability-related.PatchVulnerability this week . Now it ’ s out there , it ’ s a race against time to make sure you aren ’ t an easy target for an attacker who wants to try and kick the tires on this vulnerability . Obviously , patch as soon as possible and please follow Microsoft ’ s guidance carefully : Mitigation consists of installing the update on all eligible client and server operating systems and then using included Group Policy settings or registry-based equivalents to manage the setting options on the client and server computers . We recommend that administrators apply the policy and set it to “ Force updated clients ” or “ Mitigated ” on client and server computers as soon as possible . These changes will require a reboot of the affected systems . Pay close attention to Group Policy or registry settings pairs that result in “ Blocked ” interactions between clients and servers in the compatibility table later in this article . Both the “ Force updated clients ” and “ Mitigated ” settings prevent RDP clients from falling back to insecure versions of CredSSP . The “ Force updated clients ” setting will not allow services that use CredSSP to accept unpatched clients but “ Mitigated ” will .

For their attacks , the groups are using a zero-day in Apache Struts , disclosed Vulnerability-related.DiscoverVulnerability and immediately fixed Vulnerability-related.PatchVulnerability last month by Apache . The vulnerability , CVE-2017-5638 , allows an attacker to execute commands on the server via content uploaded to the Jakarta Multipart parser component , deployed in some Struts installations . According to cyber-security firms F5 , attacks started as soon as Cisco Talos researchers revealed Vulnerability-related.DiscoverVulnerability the zero-day 's presence and several proof-of-concept exploits were published online Vulnerability-related.DiscoverVulnerability . F5 experts say Vulnerability-related.DiscoverVulnerability that in the beginning , attackers targeted Struts instances running on Linux servers , where they would end up installing the PowerBot malware , an IRC-controlled DDoS bot also known as PerlBot or Shellbot . In later attacks , some groups switched to installing a cryptocurrency miner called `` minerd '' that mined for the Monero cryptocurrency . In other attacks reported by the SANS Technology Institute , some attackers installed Perl backdoors . Both SANS and F5 experts report that after March 20 , one of these groups switched to targeting Struts instances installed on Windows systems . Using a slightly modified exploit code , attackers executed various shell commands to run the BITSAdmin utility and then downloaded ( via Windows ' built-in FTP support ) the Cerber ransomware . From this point on , Cerber took over , encrypted files , and displayed its standard ransom note , leaving victims no choice but pay the ransom demand Attack.Ransom or recover data from backups . `` The attackers running this [ Cerber ] campaign are using the same Bitcoin ID for a number of campaigns , '' the F5 team said . `` This particular account has processed 84 bitcoins [ ~ $ 100,000 ] . '' F5 experts also noted that , on average , roughly 2.2 Bitcoin ( ~ $ 2,600 ) go in and out of this particular wallet on a daily basis . It is worth mentioning that F5 published their findings last week , on March 29 . Today , SANS detailed similar findings , meaning the campaign spreading Cerber ransomware via Struts on Windows is still going strong . Some of the initial attacks on Struts-based applications have been tracked by cyber-security firm AlienVault

Microsoft is aware of the zero-day , but it 's highly unlikely it will be able to deliver Vulnerability-related.PatchVulnerability a patch until its next Patch Tuesday , which is scheduled in three days . McAfee researchers , who disclosed Vulnerability-related.DiscoverVulnerability the zero-day 's presence , say Vulnerability-related.DiscoverVulnerability they 've detected Vulnerability-related.DiscoverVulnerability attacks leveraging this unpatched vulnerability going back to January this year . Attacks with this zero-day follow a simple scenario , and start with an adversary emailing a victim a Microsoft Word document . The Word document contains a booby-trapped OLE2link object . If the victim uses Office Protected View when opening files , the exploit is disabled and wo n't execute . If the user has disabled Protected View , the exploit executes automatically , making an HTTP request to the attacker 's server , from where it downloads an HTA ( HTML application ) file , disguised as Attack.Phishing an RTF . The HTA file is executed automatically , launching exploit code to take over the user 's machine , closing the weaponized Word file , and displaying a decoy document instead . According to FireEye , `` the original winword.exe process is terminated in order to hide a user prompt generated by the OLE2link . '' While the attack uses Word documents , OLE2link objects can also be embedded in other Office suite applications , such as Excel and PowerPoint . McAfee experts say Vulnerability-related.DiscoverVulnerability the vulnerability affects Vulnerability-related.DiscoverVulnerability all current Office versions on all Windows operating systems . The attack routine does not rely on enabling macros , so if you do n't see a warning for macro-laced documents , that does n't mean the document is safe .

Microsoft is aware of the zero-day , but it 's highly unlikely it will be able to deliver Vulnerability-related.PatchVulnerability a patch until its next Patch Tuesday , which is scheduled in three days . McAfee researchers , who disclosed Vulnerability-related.DiscoverVulnerability the zero-day 's presence , say Vulnerability-related.DiscoverVulnerability they 've detected Vulnerability-related.DiscoverVulnerability attacks leveraging this unpatched vulnerability going back to January this year . Attacks with this zero-day follow a simple scenario , and start with an adversary emailing a victim a Microsoft Word document . The Word document contains a booby-trapped OLE2link object . If the victim uses Office Protected View when opening files , the exploit is disabled and wo n't execute . If the user has disabled Protected View , the exploit executes automatically , making an HTTP request to the attacker 's server , from where it downloads an HTA ( HTML application ) file , disguised as Attack.Phishing an RTF . The HTA file is executed automatically , launching exploit code to take over the user 's machine , closing the weaponized Word file , and displaying a decoy document instead . According to FireEye , `` the original winword.exe process is terminated in order to hide a user prompt generated by the OLE2link . '' While the attack uses Word documents , OLE2link objects can also be embedded in other Office suite applications , such as Excel and PowerPoint . McAfee experts say Vulnerability-related.DiscoverVulnerability the vulnerability affects Vulnerability-related.DiscoverVulnerability all current Office versions on all Windows operating systems . The attack routine does not rely on enabling macros , so if you do n't see a warning for macro-laced documents , that does n't mean the document is safe .

Security researchers from Pen Test Partners have discovered Vulnerability-related.DiscoverVulnerability pretty glaring security flaws in Aga 's line of smart ovens . According to researchers , these flaws can be exploited Vulnerability-related.DiscoverVulnerability via SMS messages . The reason appears to be that Aga management opted to use a GSM SIM module to control its devices , instead of the classic option of using a Wi-Fi module . This SMS-based management feature allows Aga users to turn ovens on or off from remote locations by sending an SMS to their device . In this scenario , an attacker would need a victim 's oven SMS number , but Pen Test Partners researchers say Vulnerability-related.DiscoverVulnerability the web-based administration panel contains Vulnerability-related.DiscoverVulnerability flaws that allow attackers to scrape for all active SIM card numbers assigned to Aga ovens . There 's no authentication involved with the SMS management commands , meaning anyone could send them , and mess around with people 's `` smart '' ovens . Professional cooking ovens , like the Aga iTotal Control , need hours of warming before reaching optimal cooking temperatures . While attackers could annoy oven owners by turning their ovens off , Pen Test Partners say that an ill-intent miscreant could also turn all known Aga ovens on , and cause a spike in electric energy consumption within an area , albeit this could be an exaggerated claim , as there would need to be thousands of these devices laying around . Besides the non-authenticated SMS-based remote management feature , the research team also discovered Vulnerability-related.DiscoverVulnerability other major problems with Aga 's smart ovens . For starters , the Aga web administration panel does n't use HTTPS and forces users to use a five-digit password , one that 's incredibly easy to brute-force . Second , the Aga mobile app also works via HTTP , but even if developers used HTTPS , the app disables certificate validation on purpose , meaning attackers could use any SSL certificate to intercept traffic coming in and to the app . After spending two weeks attempting to alert the UK-based IoT manufacturer , Pen Test Researchers decided to go public Vulnerability-related.DiscoverVulnerability with their findings yesterday . Furthermore , Pent Test Partners say that the GSM SIM remote management module used for Aga 's iTotal Control smart oven was created by a company called Tekelek , which also ships similar SMS management components for oil storage tanks , heating systems , process control and medical devices . `` These appear to be monitored using SMS , so I wonder where else this bizarre unauthenticated text messaging process might lead , '' said Ken Munro , Pen Test Partners expert . At the time of writing , and following the public disclosure Vulnerability-related.DiscoverVulnerability of the iTotal Control issues , Aga appears to have taken down its web-based administration portal , as Pen Test Partners initially suggested .

A group known as the Shadow Brokers published Vulnerability-related.DiscoverVulnerability on Good Friday a set of confidential hacking tools used by the NSA to exploit Vulnerability-related.DiscoverVulnerability software vulnerabilities in Microsoft Windows software . According to Fortune , Microsoft announced Vulnerability-related.PatchVulnerability on the same day that it had patched Vulnerability-related.PatchVulnerability the vulnerabilities related to the NSA leak Attack.Databreach . It was especially important that the company moved quickly since juvenile hackers — also known as script kiddies — were expected to be active over the holiday weekend while defenders were away . The threat was the latest and , according to security experts , the most damaging set of stolen documents published Attack.Databreach by the Shadow Brokers , which is believed to be tied to the Russian government . Experts say Vulnerability-related.DiscoverVulnerability the leak , which was mostly lines of computer code , was made up of a variety of “ zero-day exploits ” that can infiltrate Windows machines and then be used for espionage , vandalism or document theft . The group also published Attack.Databreach another set of documents that show that the NSA penetrated the SWIFT banking network in the Middle East . “ There appears to be at least several dozen exploits , including zero-day vulnerabilities , in this release . Some of the exploits even offer a potential ‘ God mode ’ on select Windows systems . A few of the products targeted include Lotus Notes , Lotus Domino , IIS , SMB , Windows XP , Windows 8 , Windows Server 2003 and Windows Server 2012 , ” said Cris Thomas , a strategist at Tenable Network Security . The Shadow Brokers have been threatening the U.S. government for some time but until last Friday had not released anything critical . There is speculation that this document dump Attack.Databreach could be retaliation by Russia ( if the hackers are indeed tied to the country ) in response to recent U.S. military actions .

Researchers say Vulnerability-related.DiscoverVulnerability several Motorola handset models are vulnerable Vulnerability-related.DiscoverVulnerability to a critical kernel command line injection flaw that could allow a local malicious application to execute arbitrary code on the devices . The two affected Motorola models are the Moto G4 and Moto G5 . The warnings Vulnerability-related.DiscoverVulnerability come from Aleph Research which said Vulnerability-related.DiscoverVulnerability it found Vulnerability-related.DiscoverVulnerability the vulnerability on up-to-date handsets running the latest Motorola Android bootloader . Motorola said patches to fix Vulnerability-related.PatchVulnerability the vulnerability in both devices are expected this month . “ Exploiting the vulnerability allows the adversary to gain an unrestricted root shell . ( And more ! ) , ” wrote Roee Hay , manager of Aleph Research . He said Vulnerability-related.DiscoverVulnerability vulnerable versions of the Motorola Android bootloader allow for a kernel command-line injection attack . The vulnerability ( CVE-2016-10277 ) is the same one found Vulnerability-related.DiscoverVulnerability by Aleph Research earlier this year and fixed Vulnerability-related.PatchVulnerability by Google in May , impacting Vulnerability-related.DiscoverVulnerability the Nexus 6 Motorola bootloader . “ By exploiting the vulnerability , a physical adversary or one with authorized USB fastboot access to the device could break the secure/verified boot mechanism , allowing him to gain unrestricted root privileges , and completely own the user space by loading a tampered or malicious image , ” wrote Hay . Despite the fact the vulnerability had been patched Vulnerability-related.PatchVulnerability for the Nexus 6 , Hay said the Moto G4 and G5 were still vulnerable Vulnerability-related.DiscoverVulnerability to the same kernel command line injection flaw . “ In the previous blog post , we suggested that CVE-2016-10277 could affect Vulnerability-related.DiscoverVulnerability other Motorola devices . After receiving a few reports on Twitter that this was indeed the case we acquired a couple of Motorola devices , updated to the latest available build we received over-the-air , ” the researcher wrote on Wednesday . Motorola told Threatpost via a statement that , “ A patch will begin rolling out Vulnerability-related.PatchVulnerability for Moto G5 within the next week and will continue until all variants are updated Vulnerability-related.PatchVulnerability . The patch for Moto G4 is planned to start deployment Vulnerability-related.PatchVulnerability at the end of the month and will continue until all variants are updated Vulnerability-related.PatchVulnerability . ” Researchers were able to trigger the vulnerability on the Moto devices by abusing the Motorola bootloader download functionality in order to swap in their own malicious initramfs ( initial RAM file system ) at a known physical address , named SCRATCH_ADDR . “ We can inject a parameter , named initrd , which allows us to force the Linux kernel to populate initramfs into rootfs from a specified physical address , ” the researcher wrote . Next , using malicious initramfs to load into a customized boot process they were able to gain root shell access to the device . Hay ’ s research into the Motorola bootloaders began in January when he identified Vulnerability-related.DiscoverVulnerability a high-severity vulnerability ( CVE-2016-8467 ) impacting Vulnerability-related.DiscoverVulnerability Nexus 6/6P handsets . That separate vulnerability allowed attackers to change the bootmode of the device , giving access to hidden USB interfaces . Google fixed Vulnerability-related.PatchVulnerability the issue by hardening the bootloader and restricting it from loading custom bootmodes . “ Just before Google released Vulnerability-related.PatchVulnerability the patch , we had discovered Vulnerability-related.DiscoverVulnerability a way to bypass it on Nexus 6 , ” Hay said in May of the second CVE-2016-10277 vulnerability . In an interview with Hay by Threatpost he said Vulnerability-related.DiscoverVulnerability , “ Yes , they are both bootloader vulnerabilities . The CVE-2016-10277 can be considered a generalization of CVE-2016-8467 , but with a much stronger impact , ” he said Vulnerability-related.DiscoverVulnerability .

IP cameras manufactured by Chinese vendor Fosscam are riddled Vulnerability-related.DiscoverVulnerability with security flaws that allow an attacker to take over the device and penetrate your network . The issues came to light yesterday when Finnish cyber-security firm F-Secure published Vulnerability-related.DiscoverVulnerability its findings after Fosscam failed to answer bug reports Vulnerability-related.DiscoverVulnerability and patch Vulnerability-related.PatchVulnerability its firmware . Below is a list of 18 vulnerabilities researchers discovered Vulnerability-related.DiscoverVulnerability in Fosscam IP cameras : The variety of issues F-Secure researchers discovered Vulnerability-related.DiscoverVulnerability means there are multiple ways an attacker can hack one of these devices and use it for various operations . `` For example , an attacker can view the video feed , control the camera operation , and upload and download files from the built-in FTP server , '' F-Secure says. `` They can stop or freeze the video feed , and use the compromised device for further actions such as DDoS or other malicious activity . '' `` If the device is in a corporate local area network , and the attacker gains access to the network , they can compromise the device and infect it with a persistent remote access malware . The malware would then allow the attacker unfettered access to the corporate network and the associated resources , '' researchers added . F-Secure researchers say Vulnerability-related.DiscoverVulnerability all these vulnerabilities have been confirmed Vulnerability-related.DiscoverVulnerability in Fosscam C2 models , but also in Opticam i5 , an IP camera sold by another vendor , but based on a white-label Fosscam device . In fact , researchers suspect that Fosscam has sold the vulnerable IP camera model as a white-label product , which other companies bought , plastered their logo on top , and resold as their own devices . F-Secure says it identified 14 other vendors that sell Fosscam made cameras , but they have not tested their products as of yet . F-Secure recommends that network administrators remove any Fosscam made IP camera from their network until the Chinese company patches Vulnerability-related.PatchVulnerability its firmware .