The Ivanti Threat Thursday Update for June 8, 2017

Greetings. This week: a malware “fireball” from China, a password management service is hacked, and a buggy Windows 10 update gets a “time-traveling” fix. Feel free to let me know what you think.

Fireball: Chinese Marketing Firm Accused of Infecting 20 Percent of Corporate Networks with Freeware/Malware Bundles

A popular aphorism warns that there’s really no such thing as a “free” puppy or kitten. It seems to be increasingly true that there’s no such thing as free software, either. While much “freeware” is accompanied by advertisements that are merely annoying and distracting, free software allegedly distributed by a Chinese marketing firm came with a more troubling and insidious payload: malware.

According to a Check Point Threat Intelligence blog post, Rafotech, a Beijing-based digital marketing firm, has infected some 250 million computers and 20 percent of corporate networks worldwide. The malware, known as “Fireball,” accompanies a variety of free, legitimate programs offered by Rafotech, according to Check Point’s research.

“Rafotech uses Fireball to manipulate the victims’ browsers and turn their default search engines and home-pages into fake search engines. This redirects the queries to either yahoo.com or Google.com. The fake search engines include tracking pixels used to collect the users’ private information. Fireball has the ability to spy on victims, perform efficient malware dropping, and execute any malicious code in the infected machines,” creating “a massive security flaw in targeted machines and networks,” Check Point reports.

What We Say: The Check Point blog post offers specific, step-by-step instructions for removing the malware from infected systems. This is useful and welcome, but it’s not enough. Your defenses must be able to detect rogue software of this kind, bundled with otherwise legitimate downloads, and prevent it from running or propagating across your network. You must also close as many entry points as possible: educate users about what “free” downloads can carry, allow only approved applications to execute, and keep admin privileges to the minimum each user and task needs.
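The Check Point quote above describes the mechanism: the browser’s homepage and default search engine are silently pointed at a fake search engine. As an added example, not code from this post or from Check Point, here is a small Python audit of a Chromium/Chrome profile’s Preferences file that flags those settings when they point anywhere other than an allowlist you maintain. The key paths it reads (homepage, session.startup_urls, default_search_provider_data.template_url_data.url and suggestions_url) are the ones Chromium writes, but verify them against a profile from your own fleet; the allowlists and the sample profile, including its hijacked host, are constructed placeholders and not Fireball indicators.

```python
"""Added example (not from the Ivanti post or Check Point): audit a Chromium
Preferences file for a homepage / default-search hijack.

Assumptions, labelled because the post gives no technical detail:
  - the Preferences file is the per-profile JSON document Chromium keeps and
    the key paths below are the ones current builds write;
  - ALLOWED_* are organisation-specific allowlists you maintain;
  - SAMPLE_PREFS is a constructed profile, not a real infected one.
"""
import json
from urllib.parse import urlparse

ALLOWED_SEARCH_HOSTS = {"www.google.com", "duckduckgo.com", "www.bing.com"}
ALLOWED_HOMEPAGE_HOSTS = {"intranet.example.com"} | ALLOWED_SEARCH_HOSTS


def host_of(url):
    """Lowercase host of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def audit_prefs(prefs, allowed_search=ALLOWED_SEARCH_HOSTS,
                allowed_home=ALLOWED_HOMEPAGE_HOSTS):
    """Return findings for browser settings that point at unexpected hosts."""
    findings = []
    home = prefs.get("homepage")
    if home and host_of(home) not in allowed_home:
        findings.append(f"homepage points at {host_of(home)}")
    for url in prefs.get("session", {}).get("startup_urls", []):
        if host_of(url) not in allowed_home:
            findings.append(f"startup URL points at {host_of(url)}")
    tpl = prefs.get("default_search_provider_data", {}).get("template_url_data", {})
    search = tpl.get("url", "")
    if search and host_of(search) not in allowed_search:
        findings.append(f"default search provider '{tpl.get('short_name', '?')}' "
                        f"queries {host_of(search)}")
    # The suggestions endpoint receives every keystroke typed in the omnibox,
    # so a hijacker can siphon queries there even if the search URL looks sane.
    suggest = tpl.get("suggestions_url", "")
    if suggest and host_of(suggest) not in allowed_search:
        findings.append(f"suggestions URL points at {host_of(suggest)}")
    return findings


# Constructed sample profile; the hijacked host is a placeholder.
SAMPLE_PREFS = json.loads("""
{
  "homepage": "http://search.hijack-example.invalid/?src=home",
  "homepage_is_newtabpage": false,
  "session": {"startup_urls": ["http://search.hijack-example.invalid/"]},
  "default_search_provider_data": {
    "template_url_data": {
      "keyword": "hijack-example.invalid",
      "short_name": "Fake Search",
      "url": "http://search.hijack-example.invalid/q?term={searchTerms}",
      "suggestions_url": "http://search.hijack-example.invalid/s?q={searchTerms}"
    }
  }
}
""")

# Constructed clean profile for comparison.
CLEAN_PREFS = {
    "homepage": "https://intranet.example.com/",
    "session": {"startup_urls": []},
    "default_search_provider_data": {
        "template_url_data": {"short_name": "Google",
                              "url": "https://www.google.com/search?q={searchTerms}"}
    },
}

if __name__ == "__main__":
    for name, prefs in (("sample", SAMPLE_PREFS), ("clean", CLEAN_PREFS)):
        print(name, audit_prefs(prefs) or "no findings")
```

Run it against the Preferences file in every profile directory on a machine, not just the default one. A hijacker that pushes the same settings through Chrome’s enterprise policy keys instead (HomepageLocation, DefaultSearchProviderSearchURL, set in the registry on Windows) would not show up in the profile file, so audit those separately.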

OneLogin: Popular Password Management Service Attacked; Data, Decryption Keys at Risk

OneLogin is a password and identity management service, used by millions for centralized access to online services. According to multiple media reports, the company was recently and significantly breached for the second time in two years.

As reported by ZDNet, “An attacker obtained and used highly-sensitive keys for [OneLogin’s] Amazon-hosted cloud instance from an intermediate host – effectively breaking into its service using its front-door key. The company added that while it encrypts sensitive data, the attacker may have ‘obtained the ability to decrypt’ some information.” OneLogin’s cybersecurity chief told ZDNet that his company is now encrypting more data, investing more in monitoring tools and technical staff. He added that OneLogin is also “investigating our ability to encrypt and decrypt, and how we manage our keys in that process.”
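The ZDNet account above describes a credential lifted from an intermediate host and then used against the cloud account itself. As an added example, not code from this post and not a description of OneLogin’s own monitoring, here is a small Python triage over CloudTrail records that flags long-lived IAM access keys used from addresses outside the networks those keys are meant to run on, and lists every source address seen per key. It assumes the documented CloudTrail record fields (eventTime, eventSource, eventName, sourceIPAddress, userIdentity.accessKeyId), an allowlist of source networks per key that you maintain, and constructed sample events with placeholder key ids and documentation-range addresses.

```python
"""Added example (not from the Ivanti post, ZDNet, or OneLogin): flag CloudTrail
API calls made with long-lived access keys from unexpected source networks.

Assumptions, labelled because the post gives no technical detail:
  - records use the documented CloudTrail JSON field names;
  - KEY_ALLOWED_SOURCES is inventory you maintain (which networks each
    long-lived key legitimately runs from);
  - key ids and addresses in the sample are constructed placeholders.
"""
import ipaddress
from collections import defaultdict

KEY_ALLOWED_SOURCES = {
    "AKIAEXAMPLEKEY000001": ["10.20.0.0/16"],   # placeholder key, app subnet only
}

# Calls whose misuse directly exposes data or key material; ranked higher
# when they come from an unexpected address.
SENSITIVE_EVENTS = {"Decrypt", "GetSecretValue", "GetObject", "ListBuckets", "AssumeRole"}


def key_kind(key_id):
    """Classify an AWS access key id by its documented prefix."""
    if key_id.startswith("AKIA"):
        return "long-lived"      # IAM user key: never expires, the kind worth stealing
    if key_id.startswith("ASIA"):
        return "temporary"       # STS credential: time-limited
    return "unknown"


def source_allowed(key_id, ip_text):
    """True/False for an IP source; None when the source is not an IP
    (AWS service principals appear as DNS names and carry no client address)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    return any(ip in ipaddress.ip_network(cidr)
               for cidr in KEY_ALLOWED_SOURCES.get(key_id, []))


def triage(events):
    """Findings for long-lived keys used outside their allowed networks."""
    findings = []
    for ev in events:
        key_id = ev.get("userIdentity", {}).get("accessKeyId", "")
        if key_kind(key_id) != "long-lived":
            continue
        src = ev.get("sourceIPAddress", "")
        allowed = source_allowed(key_id, src)
        if allowed is None or allowed:
            continue
        findings.append({
            "severity": "high" if ev.get("eventName") in SENSITIVE_EVENTS else "medium",
            "key": key_id,
            "ip": src,
            "event": f"{ev.get('eventSource')}:{ev.get('eventName')}",
            "time": ev.get("eventTime"),
        })
    return findings


def distinct_sources(events):
    """Second signal: every source address seen per access key. A single
    long-lived key appearing from several addresses deserves a look even when
    each address is individually allowed."""
    seen = defaultdict(set)
    for ev in events:
        key_id = ev.get("userIdentity", {}).get("accessKeyId", "")
        seen[key_id].add(ev.get("sourceIPAddress", ""))
    return {k: sorted(v) for k, v in seen.items()}


def _event(time, source, name, key_id, ip):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "accessKeyId": key_id}}


# Constructed sample records: one legitimate call from the app subnet, then the
# same key used from a documentation-range address, then a temporary credential.
SAMPLE_EVENTS = [
    _event("2017-06-01T10:00:00Z", "s3.amazonaws.com", "GetObject",
           "AKIAEXAMPLEKEY000001", "10.20.3.7"),
    _event("2017-06-01T10:05:00Z", "kms.amazonaws.com", "Decrypt",
           "AKIAEXAMPLEKEY000001", "203.0.113.45"),
    _event("2017-06-01T10:06:00Z", "sts.amazonaws.com", "GetCallerIdentity",
           "AKIAEXAMPLEKEY000001", "203.0.113.45"),
    _event("2017-06-01T10:07:00Z", "ec2.amazonaws.com", "DescribeInstances",
           "ASIAEXAMPLETEMP00001", "198.51.100.9"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['time']} {f['key']} from {f['ip']}: {f['event']}")
    print(distinct_sources(SAMPLE_EVENTS))
```

The check is deliberately narrow: it only fires on long-lived keys, because those are the ones an attacker can carry off an intermediate host and keep using. Feed it the flattened records from a CloudTrail S3 delivery or a log pipeline; the allowlist is the part that takes real work, and keeping it accurate is easier when long-lived keys are rare and instance roles with temporary credentials are the default.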

OneLogin posted instructions on its support pages intended to help its users secure their data, but required online registration to access them. Fortunately, The Register made those same instructions available to anyone online, no registration required.

What We Say: Every enterprise should have comprehensive, secure, accessible backups of its most critical data as part of its multi-layered cybersecurity strategy. This is true, and sometimes especially so, of data stored on cloud services managed by others. However, no set of cybersecurity measures can thwart every attack, seal off every vulnerability, or guarantee that no backup will fail. Every enterprise therefore needs a post-event communications plan that includes prompt, clear, focused disclosure of what happened, what’s being done, and what affected users must do next.

Windows 10: A Buggy Update and a “Time-Traveling” Fix

Microsoft accidentally released a bug-plagued Windows 10 build. As betanews.com reported, Microsoft recalled Build 16212 quickly after the bugs were discovered. However, many users had already installed the update. “In response, Microsoft issued an apology and offered some tips to help users who had installed the build to recover. However, despite this action, some users are still seeing Build 16212 waiting to be installed and for those people, Microsoft has an interesting solution — time travel.”

Specifically, “Windows Insider chief Dona Sarkar says you should turn off your Wi-Fi, set your PC or phone time to 40 years in future, and let her know what happens. Sarkar says the hack is ‘working for many’ and also that ‘it’s worked for lots of people in the office and in the community,’” the betanews.com report added. Separately, betanews.com reported that Windows 10 adoption was slowing, according to figures from NetMarketShare.com.

What We Say: Windows 10 migration has been challenging since the software was introduced, even without buggy updates. Effective adoption strategies must provide streamlined provisioning, rapid rollbacks, and effective management of images, user profiles, data migration, and application configuration.

Ivanti: Solutions That Work

Ivanti solutions can help your enterprise fight ransomware and malware, migrate to Windows 10, and reduce network vulnerabilities with better patch management for endpoints and servers and admin rights control. Whatever your IT challenges, Ivanti can help. And if this post or series inspires you in any way, please let me know.
