iDRAC vulnerability: PowerEdge servers exposed

Dell issued a patch for a path traversal vulnerability in the Integrated Dell Remote Access Controller (iDRAC) that could allow an attacker to take full control of server operations.

The vulnerability carries a CVSS score of 7.1. iDRAC is designed for secure local and remote server management, helping IT administrators deploy, update and monitor Dell EMC PowerEdge servers.

A path traversal flaw lets an attacker read files outside the directory the web interface is meant to serve, in this case a file that stores data on the appliance's Linux user accounts. Just last week, Cisco urged organizations to apply its patch for a high-severity directory traversal vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software, which is being actively exploited in the wild.

According to a Positive Technologies blog post, more than 500 iDRAC controllers are accessible over SNMP, a standard protocol for administering devices on IP networks.

In its patch announcement Dell credited Positive Technologies with discovering the flaw, which could let an attacker power Dell EMC PowerEdge servers on or off, or change their cooling settings.
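The bug class behind this advisory, shown as an added example rather than code from Dell or Positive Technologies: a web handler that joins a request path onto its document root without checking where the result lands, next to a hardened version that canonicalises the path and refuses anything that escapes the root. The web root, the file contents and the in-memory "file system" are constructed for the example and have nothing to do with iDRAC's real layout; the traversal payload is the generic URL-encoded `../` form.

```python
import posixpath
from urllib.parse import unquote

# Constructed in-memory file system standing in for a management controller's
# web root and the host it runs on. Paths and contents are made up for this
# example; they are not iDRAC's real layout.
WEB_ROOT = "/var/www/idrac"
FAKE_FS = {
    "/var/www/idrac/index.html": "<html>iDRAC login</html>",
    "/var/www/idrac/css/style.css": "body { }",
    "/etc/passwd": "root:x:0:0:root:/root:/bin/sh\n",
}


def read_file(path):
    """Stand-in for open(path).read() against the constructed file system."""
    try:
        return FAKE_FS[path]
    except KeyError:
        raise FileNotFoundError(path) from None


def resolve(requested):
    """Decode the request path once and join it onto WEB_ROOT.

    normpath collapses '..' segments, which is exactly what lets a crafted
    request climb out of the web root when nothing checks the result."""
    decoded = unquote(requested)
    return posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))


def serve_vulnerable(requested):
    """Naive handler: trusts whatever the join produced."""
    return read_file(resolve(requested))


def serve_hardened(requested):
    """Same resolution, but refuses any path that is not inside WEB_ROOT.

    commonpath (rather than str.startswith) also rejects the prefix trick,
    e.g. a sibling directory named /var/www/idrac-old."""
    full = resolve(requested)
    if posixpath.commonpath([WEB_ROOT, full]) != WEB_ROOT:
        raise PermissionError("path traversal blocked: %r" % requested)
    return read_file(full)


def traversal_blocked(requested):
    """True if the hardened handler rejects the request as traversal."""
    try:
        serve_hardened(requested)
    except PermissionError:
        return True
    except FileNotFoundError:
        return False
    return False


if __name__ == "__main__":
    payload = "%2e%2e/%2e%2e/%2e%2e/etc/passwd"
    print("vulnerable handler returned:", serve_vulnerable(payload).strip())
    print("hardened handler blocked it:", traversal_blocked(payload))
```

The check has to run on the canonicalised path, after decoding and after `..` segments have been collapsed; testing the raw request string for `..` is easily bypassed with encoding, and a plain `startswith(WEB_ROOT)` passes sibling directories that merely share the prefix.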

SkyArk: new AWStealth and AzureStealth scans hunt cloud Shadow Admins

A new open-source tool has been released to identify Shadow Admin accounts in Microsoft Azure and Amazon Web Services cloud environments.

Called CyberArk SkyArk, the tool helps organizations combat Shadow Admins by identifying and securing the most privileged entities in both Azure and AWS environments.

Shadow Admin accounts hold sensitive privileges on a network but are typically overlooked because they are not members of a privileged Active Directory group (or, in the cloud, a built-in administrator role). Instead, Shadow Admin accounts are typically granted their privileges through the direct assignment of permissions.

They’re highly desired by attackers because they provide administrative privileges necessary to advance an attack while having a lower profile than well-known admin group members.

“While organizations may be familiar with their list of straightforward admin accounts, Shadow Admins are much more difficult to discover due to the thousands of permissions that exist in standard cloud environments (i.e. AWS and Azure each have more than 5,000 different permissions),” CyberArk explained. “As a result, there are many cases where Shadow Admins might be created. Despite the appearance of limited permissions, a Shadow Admin with just a single permission has the ability to gain the equivalent power of a full admin.”

SkyArk offers two main scanning modules, AzureStealth and AWStealth, to scan Azure and AWS environments respectively. The tool requires only read-only permissions: it queries cloud entities and their assigned permissions, analyses them, and reports the results.

The results can be used by both internal red and blue teams. For red teams, which attempt to break into systems to test security, the results identify Shadow Admins to target through password matching, spear-phishing or a targeted attack on the endpoints of the employee found to hold admin or shadow rights. For blue teams, which defend against attacks, the results can be used to eliminate unintended admins and remove unnecessary permissions from Shadow Admins.
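To make the "single permission equals full admin" point concrete, here is an added example of the kind of analysis an AWS Shadow Admin scan performs, written for this page and not taken from SkyArk's own code. It walks a set of principals and their IAM policy documents, expands wildcard actions, and flags any non-admin principal holding an action that by itself allows escalation to administrator, plus the well-known `iam:PassRole` pairing. The list of escalation actions is a hand-picked illustrative subset, and the principals and policy documents are constructed; a real scan would pull them with read-only IAM calls and would also have to evaluate Deny statements, resource constraints and conditions, which this example skips.

```python
import fnmatch

# A hand-picked subset of IAM actions that, granted on their own, let a
# principal escalate to full administrator. Illustrative list for this
# example, not SkyArk's own (longer) list of sensitive permissions.
STANDALONE_ESCALATION = {
    "iam:CreatePolicyVersion": "rewrite an attached managed policy to Allow *",
    "iam:SetDefaultPolicyVersion": "roll a policy back to a more permissive version",
    "iam:AttachUserPolicy": "attach AdministratorAccess to a user",
    "iam:AttachRolePolicy": "attach AdministratorAccess to a role",
    "iam:PutUserPolicy": "add an inline admin policy to a user",
    "iam:CreateAccessKey": "mint access keys for an existing admin user",
    "iam:UpdateAssumeRolePolicy": "allow itself to assume an admin role",
    "iam:CreateLoginProfile": "set a console password for an admin user",
}

# iam:PassRole only becomes dangerous together with a permission that
# launches something under the passed role.
PASSROLE_PARTNERS = ("lambda:CreateFunction", "ec2:RunInstances", "glue:CreateDevEndpoint")


def allowed_actions(policy_doc):
    """Collect the Action strings of every Allow statement, lower-cased
    (IAM action names are case-insensitive) with wildcards kept as written.
    Deny statements are ignored for brevity; a real scanner must apply them."""
    stmts = policy_doc.get("Statement", [])
    if isinstance(stmts, dict):
        stmts = [stmts]
    acts = set()
    for s in stmts:
        if s.get("Effect") != "Allow":
            continue
        a = s.get("Action", [])
        acts.update(x.lower() for x in ([a] if isinstance(a, str) else a))
    return acts


def grants(allowed, action):
    """True if any allowed pattern ('iam:*', 'iam:Create*', '*') covers action."""
    return any(fnmatch.fnmatchcase(action.lower(), pat) for pat in allowed)


def find_shadow_admins(principals):
    """principals: {name: {"known_admin": bool, "policies": [policy_doc, ...]}}.
    Returns {name: [reason, ...]} for principals that are not on the declared
    admin list but hold an escalation path."""
    findings = {}
    for name, p in principals.items():
        if p.get("known_admin"):
            continue  # already on the org's admin list, so not a *shadow* admin
        allowed = set()
        for doc in p.get("policies", []):
            allowed |= allowed_actions(doc)
        reasons = [f"{a}: {why}" for a, why in STANDALONE_ESCALATION.items()
                   if grants(allowed, a)]
        if grants(allowed, "iam:PassRole"):
            reasons += [f"iam:PassRole + {r}: run code under a privileged role"
                        for r in PASSROLE_PARTNERS if grants(allowed, r)]
        if reasons:
            findings[name] = reasons
    return findings


def _policy(*actions):
    """Build a minimal constructed policy document allowing the given actions."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": "*"}]}


# Constructed sample principals with made-up policy documents.
SAMPLE_PRINCIPALS = {
    "alice":         {"known_admin": True,  "policies": [_policy("*")]},
    "bob-backup":    {"known_admin": False, "policies": [_policy("s3:GetObject", "s3:ListBucket")]},
    "ci-deployer":   {"known_admin": False, "policies": [_policy("lambda:CreateFunction",
                                                                  "lambda:InvokeFunction",
                                                                  "iam:PassRole")]},
    "helpdesk":      {"known_admin": False, "policies": [_policy("iam:ListUsers", "iam:CreateAccessKey")]},
    "policy-editor": {"known_admin": False, "policies": [_policy("iam:Get*", "iam:CreatePolicyVersion")]},
}

if __name__ == "__main__":
    for who, why in find_shadow_admins(SAMPLE_PRINCIPALS).items():
        print(who)
        for r in why:
            print("   ", r)
```

None of the three flagged principals looks like an administrator on paper; `helpdesk` has two IAM actions and `policy-editor` mostly read access, which is exactly why permission-by-permission review rather than group membership is needed to find them.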

Office 365 phishing now uses fake SharePoint alerts

Employees using Microsoft Office 365 are being targeted by a phishing campaign that imitates automated SharePoint notifications to steal their account credentials.

The phishing emails are addressed to all employees of the targeted organizations and have so far reached an estimated 50,000 mailboxes, according to figures from email security company Abnormal Security.

What makes these messages dangerous is their shotgun approach: the attackers need to fool only one employee, and can then use that person's credentials to compromise the employer's systems further.

Fake SharePoint alerts used as lures
The attackers behind this campaign kept the phishing messages as short and vague as possible, and made a point of including the targeted company's name several times in each email.

This is presumably intended to build a sense of trust and make targets believe the emails were sent from within their own organization.

“In the email body, the recipient’s company name was also used numerous times to impersonate an internal document shared by this service,” Abnormal Security said.

“Recipients may be convinced that the email is safe and coming from their company because of the repetitive inclusion of the company name.”

The messages aim to get targets to click an embedded hyperlink that leads, through a series of redirects, to a SharePoint-themed landing page.

There they are asked to click a button to download the “important documents” mentioned in the email. The button either downloads a PDF that points them to yet another website, or redirects them to a form that asks for their credentials.

If the targets fall for the lure, their Microsoft credentials give the attackers full control of their Office 365 accounts, and the information in those accounts can be stolen and used in identity theft and fraud schemes such as Business Email Compromise (BEC).

“This places employees and their networks at considerable risk as attackers can launch internal attacks to steal more credentials and information from the organization,” Abnormal Security said.

Windows 10 hit by bug in built-in security features

Microsoft says it is working on a fix for an error that prevents Windows Sandbox and Windows Defender Application Guard from opening.

The issue affects Windows 10 versions 1903, 1909 and 2004. When either feature fails to open, it shows the error ‘ERROR_VSMB_SAVED_STATE_FILE_NOT_FOUND (0xC0370400)’ or ‘E_PATHNOTFOUND (0x80070003)’.

Windows Sandbox, available in Windows 10 Pro and Enterprise since version 1903, lets users launch a lightweight virtual machine running a basic copy of Windows 10 in which potentially suspicious software can be run without affecting the main installation.

The feature has proved popular with IT pros because of its ability to safely run potentially risky executables in a container, and Microsoft included several improvements to Windows Sandbox in Windows 10 version 2004.

Windows Defender Application Guard (WDAG) is also a relative newcomer to Windows 10 Pro and Enterprise; administrators use it to define a list of trusted websites and local resources.

WDAG comes into play when users access a URL outside that list. It launches Microsoft Edge in a Hyper-V container to keep the browser isolated from the operating system. Microsoft released WDAG extensions for Chrome and Firefox last year.

“To mitigate this issue after receiving one of the above error messages, you will need to restart your device,” Microsoft said. Microsoft plans to address the bug in an upcoming release of Windows 10.

A similar issue affected Windows Sandbox on Windows 10 Insider previews last year after users installed the KB4497936 update.