Sep 17, 2018

Getting Fog PXE boot working on a Thinkpad T460P, T470P and a T480P

I've been using Fog Project for years. It's my favorite open source operating system imaging tool for large networks. We were using it at my company up until a few years ago, when we started buying Thinkpad T460P laptops and my desktop technician at the time couldn't get these laptops to boot. Instead of doing some actual Googling, he and my Systems Administrator at the time wanted to use WDS instead.

Well, both of those guys have since moved on to other places, and I decided that we were going to save a Windows server license and go back to Fog!

The first thing I had to do was figure out how to get the T460P's, T470P's and now T480P's to boot up to the Fog boot menu. When I first tried booting my T460P, this is the message I received:


Long story short, it got stuck saying "No configuration methods succeeded"... Boo!

Well, the fix was actually pretty easy. Instead of using the undionly.kpxe TFTP file like the documentation says, we used intel.kpxe, and it worked like a charm! Now we get the Fog boot menu on all models of our Lenovo laptops!

Have you had problems with Lenovo and Fog? What did you have to do to get it to work? Let us know in the comments!

Sep 10, 2018

Active Directory Users and Computers Will Not Open After Azure Site Recovery Test Failover

The other day we wanted to test some database stuff in our Production Azure environment. Obviously, we didn't want to mess with actual Production data, so since we're using Azure Site Recovery for our disaster recovery plan, we decided to initiate a test failover of the impacted systems in an isolated network.

Also, since we're using our own domain controller VMs, we had to fail those over for authentication. This is where I ran into problems. After initiating the test failover of my domain controllers I couldn't open Active Directory Users and Computers. When I tried, I got this message:
Naming information cannot be located because: The specified domain either does not exist or could not be contacted. Contact your system administrator to verify that your domain is properly configured and is currently online.


Well, after banging my head on the wall for a few hours, I finally found a solution. Open Registry Editor and browse to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Open the SysvolReady value under that key. If it is 0, change it to 1. If it is 1, change it to 0 and accept, then change it back to 1 and accept. Exit Registry Editor.

Boom! After that I could open Active Directory Users and Computers again without a reboot!

One thing that still didn't work, though, was Netlogon and Group Policy. To fix that on my two domain controllers in the test environment, I had to copy all contents from C:\Windows\SYSVOL\domain\NtFrs_PreExisting___See_EventLog to C:\Windows\SYSVOL\domain\ on both domain controllers. When that was done I ran the following on both test domain controllers:

  • net stop netlogon
  • net start netlogon

After that, Netlogon and Group Policy were working again. I also took the extra steps of seizing the FSMO roles and deleting the other domain controllers from Active Directory Users and Computers, as well as from Active Directory Sites and Services along with their sites. That way I wouldn't have to deal with replication issues in the isolated test environment.
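The whole fix above as one script, an added example that is not from the original post: it toggles SysvolReady, restores the SYSVOL content FRS stashed during the failover, bounces Netlogon and then checks that the shares are back. It assumes the NtFrs_PreExisting___See_EventLog folder exists, that it runs elevated on each test DC, and that the DC sits in the isolated test network rather than production.

```powershell
# Added example (not from the original post). Run elevated on each test-failover DC only.
$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$sysvolRoot  = 'C:\Windows\SYSVOL\domain'
$preExisting = Join-Path $sysvolRoot 'NtFrs_PreExisting___See_EventLog'

# 1. Toggle SysvolReady. Netlogon re-shares SYSVOL/NETLOGON when the value flips to 1,
#    so a DC that already shows 1 is set to 0 first and the script always finishes on 1.
$current = (Get-ItemProperty -Path $netlogonKey -Name SysvolReady -ErrorAction SilentlyContinue).SysvolReady
Write-Host "SysvolReady before: $current"
if ($current -eq 1) {
    Set-ItemProperty -Path $netlogonKey -Name SysvolReady -Value 0 -Type DWord
}
Set-ItemProperty -Path $netlogonKey -Name SysvolReady -Value 1 -Type DWord
Write-Host "SysvolReady after : $((Get-ItemProperty -Path $netlogonKey -Name SysvolReady).SysvolReady)"

# 2. Put the stashed Policies and scripts folders back under SYSVOL\domain.
#    -Recurse copies the subtrees, -Force overwrites whatever partial content is there.
if (Test-Path $preExisting) {
    Get-ChildItem -Path $preExisting -Force | ForEach-Object {
        Copy-Item -Path $_.FullName -Destination $sysvolRoot -Recurse -Force
    }
} else {
    Write-Warning "No $preExisting folder found; nothing to restore."
}

# 3. Bounce Netlogon, the same as the post's net stop / net start.
Restart-Service -Name Netlogon -Force

# Checks before trusting the test DC: both shares should be published again and
# the locator should find a DC for the domain without errors.
Get-SmbShare -Name SYSVOL, NETLOGON | Select-Object Name, Path
nltest /dsgetdc:$env:USERDNSDOMAIN
```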

Have you ever run into something like this? Did you fix it differently? Let us know in the comments!

Aug 31, 2018

Alternative Download For HP Proliant SPP

Is it just me or should hardware manufacturers make their drivers easy to download regardless of support contracts? I've been a loyal HP server user for years, but just recently something really chapped my ass! I went to download the latest Service Pack for Proliant (SPP) so I could install drivers on an older Proliant system and couldn't! Why? Because I didn't have a current support contract with HP!

I've also been a loyal Lenovo user for years. Guess what? I can download their System Update tool fine! No need to have some bullshit login for it! In the past I could always download HP's SmartStart CD's without a login. Why now all of a sudden is there a change?

Now you're probably just saying, why not buy a support contract? Well, I already have full hardware support from our aftermarket re-seller Curvature at a fraction of the cost of HP's support. I don't feel the need to pay extra for roughly the same level of support. The only drawback, at least for HP, is that I can't get tools like SPP!

Well, I found a good Samaritan who is making the SPP downloads available for free! At the time of this writing, the March and June 2018 versions of SPP are available here.

Hurry up and grab them before they are gone!

Aug 28, 2018

End of an Era: Coleman University is Out of Business



This is a real shame. I myself am a Coleman Alumnus. I just heard the news while interviewing someone for my company's open Systems Administrator position in San Diego.

Via Fox 5:
Coleman University -- a private college that's operated in San Diego since 1963 -- is closing at the end of the current term, school leadership announced Thursday. 
"To all our very fine students, staff, and faculty, I am personally sorry that we have to close Coleman University," President & CEO Norbert J. Kubilus said. 
In a letter to students, faculty and staff obtained by FOX 5, Kubilus said that Coleman learned in late June that they had lost a bid for accreditation from the Western Association of Colleges and Universities Senior College and University Commission, putting the school in a financial bind.
Continue Reading


Aug 27, 2018

Shadow Admins: What Are They and How Can You Defeat Them?

Managing something you don’t even know exists in your network is always a challenge. This is why the problem of stealthy or shadow admins needs to be acknowledged by security officers. After all, it only takes compromising a single account with elevated privileges to put the security of an entire company in jeopardy.

So, who are these shadow admins and what strategies may help you combat the threats they pose? Keep on reading to find answers to these questions.

Shadow admins: what are they?

When we talk about shadow or stealthy admins, we are referring to accounts that were delegated admin-level privileges in Active Directory, usually through a direct permission assignment. This is why shadow admins are also called delegated admins.

In general, there are four main groups of privileged accounts:

  • Domain admins
  • Local admins
  • Application/services admins
  • Business privileged accounts

Any of these categories may contain both legitimate and shadow administrative accounts. However, while legitimate privileged accounts are easy to identify, stealthy admins are not members of any of the default administrative groups in Active Directory and therefore can’t be found that easily. As a result, many organizations simply don’t take delegated admins into account when looking for privileged users in Active Directory.

Ignoring delegated admins is not an option, though. These accounts can have unrestricted control over legitimate Active Directory admins and be able to:

  • change passwords for privileged accounts
  • change permissions on the existing admin groups or accounts
  • add new accounts to the existing administrative groups
  • create new admin groups in Active Directory, and so on.

Therefore, a successful attack on just one delegated admin account can have consequences just as devastating as the compromise of a legitimate privileged account.

Let’s take a closer look at the main risks posed by shadow admins.

Top risks posed by unmanaged admin accounts


The presence of stealthy administrators in your network creates a variety of problems, including:

  • Cybersecurity risks
  • Financial risks

Unmanaged privileged accounts are like a Christmas gift for attackers. Since they are often not covered by an organization’s cybersecurity policy, they can be easier to compromise while still giving attackers unrestricted access to your company’s critical data.

With the increased risk of data leakage, the presence of shadow admins in the network creates additional financial risks for the company. Not to mention that news of the loss of valuable, sensitive data can severely damage the company’s reputation.

In April 2017, for instance, Oracle’s Solaris operating platform was targeted by attackers using shadow admins to get into the system. In particular, two malicious programs were discovered (EXTREMEPARR and EBBISLAND) that were able to elevate the rights of existing users to the administrative level, thus turning regular users into shadow admins with remote root access to platform networks.

The only way to mitigate the risks posed by such accounts is to identify all shadow admins in your network and manage them effectively. In the next section, we discuss the ways you can find and manage all administrative accounts in your company’s network.

Best practices for detecting and managing shadow admins

As of today, there are two ways to detect delegated admins in your network and mitigate the risks they pose:

  • By analyzing Access Control Lists (ACLs) on Active Directory
  • By building an effective privileged access management strategy

ACL analysis. When trying to identify all of the privileged accounts in your company’s network, look for tools that scan ACLs and analyze effective permissions rather than an account’s membership in a particular Active Directory group. That way you will find even the accounts that were delegated additional privileges without being added to any of the admin groups in Active Directory.

Once identified, make sure that only legitimate administrators (such as members of the Domain Admins group) hold such critical privileges as Replicating Directory Changes All, Reset Password, or Full Control.
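An ACL scan of the kind described above, as an added example that is not from the original article or from Ekran System: it lists every trustee on the domain naming context and on AdminSDHolder that holds one of the critical rights named here, and flags those that are not members of the built-in admin groups. It assumes the RSAT ActiveDirectory module is installed and that it runs as an account that can read the domain's ACL.

```powershell
# Added example (not from the original article). Read-only: it only reads ACLs and group membership.
Import-Module ActiveDirectory

# Well-known schema GUIDs for the extended rights the article calls out.
$criticalGuids = @{
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'
}
# Generic rights that amount to Full Control, or let the holder grant it to themselves.
$criticalRights = 'GenericAll', 'WriteDacl', 'WriteOwner'

# Principals whose rights are expected; anyone else holding them is a shadow admin.
$domain   = Get-ADDomain
$expected = foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Administrators') {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty SamAccountName
}
$expected += 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Domain Controllers',
             'ENTERPRISE DOMAIN CONTROLLERS', 'SYSTEM'

function Find-ShadowAdmin {
    param([string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $why   = $null
        $guid  = $ace.ObjectType.ToString()
        $isExt = ([int]$ace.ActiveDirectoryRights -band [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
        if ($isExt -and $criticalGuids.ContainsKey($guid)) {
            $why = $criticalGuids[$guid]
        } elseif ($criticalRights | Where-Object { $ace.ActiveDirectoryRights.ToString() -match $_ }) {
            $why = $ace.ActiveDirectoryRights.ToString()
        }
        if (-not $why) { continue }
        # IdentityReference looks like DOMAIN\name; compare on the name part only.
        $who = ($ace.IdentityReference.Value -split '\\')[-1]
        [pscustomobject]@{
            Object      = $DistinguishedName
            Trustee     = $ace.IdentityReference.Value
            Right       = $why
            Inherited   = $ace.IsInherited
            ShadowAdmin = ($expected -notcontains $who)
        }
    }
}

# The domain root is where the replication rights are granted; AdminSDHolder is the
# template whose ACL is stamped onto every protected admin account and group.
$targets = $domain.DistinguishedName,
           "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$targets | ForEach-Object { Find-ShadowAdmin -DistinguishedName $_ } |
    Where-Object ShadowAdmin | Sort-Object Object, Trustee | Format-Table -AutoSize
```

Drop the `Where-Object ShadowAdmin` filter to see the expected holders as well, and extend `$targets` to OUs that hold servers or sensitive accounts for a fuller picture.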

Privileged access management. Building a well thought out privileged access management strategy can also help you solve the problem of stealthy admins. Your cybersecurity strategy should include two measures:

  • Continuous monitoring and audit of the network
  • Effective management of privileged access to critical data and assets


Audit and monitoring are important for several reasons. First and foremost, they give you better visibility into the network: you know who can access what. Secondly, all information gathered at this stage is essential for investigating security incidents, should any take place in your organization.

When monitoring your network, pay special attention to the following factors:

  • What accounts have elevated privileges and can access your company’s critical assets (who can access particular servers or domains, who can work with your company’s sensitive information)
  • What privileged accounts and elevated permissions were added just recently (to identify a possible attack in progress)
  • If there are any suspicious activities (a sudden use of a “dead” privileged account, an admin logging in from an unusual IP address, and so on)
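One way to watch the second item in that list, recently added privileged accounts, as an added example that is not from the original article: it reads the last 24 hours of group-membership changes from a domain controller's Security log and flags additions to administrative groups. It assumes Audit Security Group Management is enabled on the DC, that the account running it can read the Security log remotely, and that `$DC` is a placeholder for your DC's name.

```powershell
# Added example (not from the original article). $DC is a placeholder DC name.
$DC = 'DC01'
$adminGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins', 'Account Operators'

# 4728 / 4732 / 4756 = member added to a security-enabled global / local / universal group.
$filter = @{ LogName = 'Security'; Id = 4728, 4732, 4756; StartTime = (Get-Date).AddDays(-1) }

function Get-RecentAdminGroupAddition {
    param([string]$ComputerName, [hashtable]$FilterHashtable, [string[]]$WatchedGroups)
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $FilterHashtable -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the named fields out of the event XML instead of parsing the message text.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time       = $_.TimeCreated
                EventId    = $_.Id
                Group      = $data['TargetUserName']   # the group that gained a member
                Member     = $data['MemberName']       # DN of the account that was added
                ChangedBy  = $data['SubjectUserName']  # who made the change
                AdminGroup = ($WatchedGroups -contains $data['TargetUserName'])
            }
        }
}

# Additions to the watched groups, oldest first; every row is something to explain or revert.
Get-RecentAdminGroupAddition -ComputerName $DC -FilterHashtable $filter -WatchedGroups $adminGroups |
    Where-Object AdminGroup | Sort-Object Time | Format-Table -AutoSize
```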


Ensuring an appropriate level of privileged access management is the second step in building an efficient cybersecurity strategy and combating shadow admins. Once you know who can access your company’s valuable data, you can take necessary measures to either secure or dismiss these accounts. Consider implementing the least-privilege approach for all privileged accounts and assigning any elevated permissions only on an “as needed” basis.

When looking for an efficient solution to these problems, turn your attention to Ekran System. It’s a universal platform for monitoring, auditing, and managing both regular and privileged users. This platform gives you full visibility into your network and lets you take proactive measures to prevent privilege misuse at any level.

Conclusion

Delegated or shadow administrative accounts can pose a serious threat to an organization’s cybersecurity when they remain undiscovered. However, identifying stealthy admins isn’t enough; you need to manage them effectively in order to mitigate any cybersecurity and financial risks they can pose. While ACL scanning works well for discovering accounts with elevated permissions, the only way you can effectively manage and secure these accounts is by implementing an appropriate level of Privileged Access Management.

Aug 24, 2018

Sandbox-Evading Malware Are Coming: 7 Most Recent Attacks

Nowadays, anti-malware applications widely use sandbox technology for detecting and preventing viruses. Unfortunately, criminals are developing new malware that can evade this technology. If such malware detects the signs of a VM environment, it remains inactive until it is outside of the sandbox. Experts predicted that in 2018 we would see an increasing number of cyber attacks performed with sandbox evasion. However, the epidemic actually started two years ago. Let's look at the most recent attacks that were successful because modern security solutions weren't able to detect sandbox-evading malware.

1. Grobios

Since early March 2018, there have been cases of attacks performed with the RIG Exploit Kit that infects victims with a backdoor trojan called Grobios. This malware is packed with PECompact 2.xx, which allows it to evade static detection. Though the unpacked file has no functions, it uses hashing to obfuscate the names of the API functions it invokes. It also divides the PE header of the DLL files to match the name of a function to its hash. In addition, the trojan performs a series of checks to become aware of its environment. In particular, it looks for virtual machine software like Hyper-V or VMware, for a username containing the words "malware", "sandbox", or "maltest", and compares the driver names with its blacklist of VM drivers.

2. GootKit

This banking trojan has attacked users mainly in Europe since 2017, through spam sent via MailChimp. It steals the credentials of bank customers and manipulates their online sessions. Before installation, the malware uses a dropper to become aware of its environment. The dropper looks for specific names in the Windows Registry and for virtual machine resources on disk. It also checks the device’s BIOS to discover whether there is a virtual machine client installation and examines the machine’s MAC address. If the dropper doesn't find any signs of a sandbox, the virus payload is executed and the GootKit trojan carries out additional checks, like looking for hard drives, CPU names that confirm a physical machine, and virtual machine values.

3. ZeuS Panda

This is another banking trojan that uses environment-aware techniques to skip the sandbox. Its main goal is stealing the user’s banking credentials and account numbers through a “man in the browser” attack. In order to infect a targeted computer, it changes the browser's security settings and alerts. After loading, the trojan checks for indicators of a sandbox environment, like the presence of Sandboxie, ProcMon, the SoftICE debugger, and other tools. In 2018, ZeuS Panda targeted banks in Japan, Latin America, and the United States, as well as popular websites like YouTube, Facebook, and Amazon.

4. Heodo

Heodo is a banking trojan that was first detected in 2016 and subsequently used in a 2017 attack against US bank clients. This malware infects victims through invoice emails from a known contact that contain an attached PDF file. After a user clicks on the attachment, the trojan is loaded. It uses a technology known as a crypter that allows the malware to hide from the sandbox environment. Heodo embeds itself within software that is already installed on the infected computer and makes mutated copies of itself on the infected system.

5. QakBot Trojan

A massive attack with the QakBot Trojan was detected in 2017, when the malware caused lockouts of Active Directory users from their company's domain by stealing user credentials. This malware infects victims with a dropper that uses delayed execution to evade the sandbox. It loads onto the targeted computer and waits for 10 to 15 minutes before executing. Because antivirus sandboxes analyze newly loaded files for only a short period of time, the dropper remains undetected.

6. Kovter

This trojan was initially developed as police ransomware, but in 2017 it was detected as fileless malware that can easily bypass sandbox detection. It infects victims via a malspam email with an attachment that contains macros for Microsoft Office files, or a .zip attachment that contains infected JavaScript files. By living in the Windows registry rather than in files on disk, Kovter leaves the sandbox undetected. Victims are asked to pay a $1,500 ransom in Bitcoin.

7. Locky

Locky is a classic example of environment-aware malware, released in 2016. It was spread in an email campaign that carried an infected Microsoft Word document. The document had a malicious macro that saved and ran a binary file, which downloaded the encryption trojan. This malware easily bypasses the sandbox, because execution begins with a user interaction, such as starting the macro, and the VM environment doesn't perform any interactions with the infected document.

How to withstand sandbox-evading malware

As you can see, attackers apply different sandbox evasion techniques to make their malware undetectable in the sandbox. After infecting the victim's computer, this malware tries to understand its environment by doing the following:

  • looking for signs of virtual machine (ZeuS Panda)
  • detecting system files (GootKit)
  • waiting for user interactions (Locky, Kovter, Heodo)
  • beginning its execution in a specified time (QakBot Trojan)
  • obfuscating the system data (Grobios)

Sandbox technology alone is unable to detect environment-aware malware and lets it harm your computer. Thus, developers of security software should turn their attention to more advanced approaches to malware detection, based on customized sandbox environments, behavior analysis, machine learning, and others.

Conclusion

Sandbox-evading viruses are a new type of modern malware that can't be detected by traditional antivirus solutions. Computer users are now at high risk of becoming victims of cyber criminals, as this malware is rapidly spreading across the Web. While users should follow cybersecurity best practices, software developers should hurry up with implementing the latest technologies to improve their anti-malware solutions.

Jul 27, 2018

The Microsoft License Verification Process Scam

Oh man, oh man do I hate Microsoft! Not the software so much, I mean they do actually put out really good products. What I hate is their licensing rules, and how they make it so damned convoluted and confusing! On top of that, right after you've worked with your Microsoft Licensing re-seller to button up your licenses, you may periodically get contacted to participate in the Microsoft License Verification Process! Weeeeee!

I'm not sure what happened, but about two years ago was my first experience with this. We complied, and Microsoft came back and said we were out of compliance based on random changes they had made to their licensing since our last true-up with our re-seller, and we had to fork over about $30,000 that we didn't budget for to become compliant again.

To be fair, our previous re-sellers did give us some bad information about licenses, so after that audit we switched re-sellers.

Well, I just got picked again this year. In the 13 years I've worked in Information Technology, these last two years were the first time I'd ever seen this... And now I think I know why. It's basically a shady marketing tool!

I reached out to our new re-seller about this so-called audit, and here is what they said:

We’ve run into this a lot recently and over the years. Their wording seems to hide the fact that you don’t have to do this.
The emails starting with “v-“ are not Microsoft and they are not audits. They are voluntary, but the results are shared with Microsoft at which point you would be required to reconcile anything they find.
If you want to do an engagement like this to assess your licensing, we can do it for you. We don’t share the results with Microsoft and just deliver them to you.
In their frequently asked questions, the people contacting me about this Microsoft License Verification Process say this:


I asked my rep about that too and they said:

Man I don’t like that wording. “us”
That v- in the email means that person doesn’t work for Microsoft, but is contracted. Microsoft allows this to happen, but it’s not really their employees. I see these all the time and we just ignore them unless you would like to do an engagement.
Microsoft does audit occasionally, but this email is pretty threatening. Microsoft audits don’t come in email form, I’m 99% sure.
So, long story short: if you are contacted about participating in a Microsoft License Verification and the people contacting you have a "v-" at the start of their email address, you should ignore them and reach out to your re-seller instead. It's really just a ploy so Microsoft can increase their bottom line before your annual true-up!

Have you experienced one of these? Did you comply? Is my rep wrong? Let us know your story in the comments!



