MS Office Zero Day – Another Exploit

There has been a new Zero-Day MS Office exploit in the wild.  All users are vulnerable, including fully patched Windows 10 computers.

The exploit does not even require macros to be enabled, making this much more serious than before. The vulnerability is in Object Linking and Embedding (OLE).

An RTF file contains an embedded OLE2link object that tells Word to contact a remote server and download an executable .HTA file, which in turn downloads additional payloads, restarts Word and shows a decoy document.

We are hoping a patch will be issued quickly to mitigate this attack vector.
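Until a patch is available, a mail gateway can at least flag the carrier described above. The shell function below is an added example (not FSL's or Microsoft's code): RTF files embed OLE objects under the \object control word, with the object body carried as hex digits in \objdata, so the OLE2Link class name appears either as ASCII or as its hex encoding 4f4c45324c696e6b. Flagging every RTF with an embedded object is a deliberately conservative choice and will also catch benign embedded objects; the sample files in the usage are constructed for this example.

```shell
#!/bin/sh
# Added example, not FSL's or Microsoft's code: coarse gateway-side
# heuristic for RTF attachments carrying an embedded OLE object.
# The OLE2Link class name may appear as ASCII or hex-encoded inside
# \objdata, so both forms are searched.

# rtf_classify FILE -> prints one of: not-rtf, clean, embedded-object, ole2link
rtf_classify() {
    file=$1
    # An RTF document starts with the literal bytes "{\rtf".
    head -c 5 "$file" 2>/dev/null | grep -q '^{\\rtf' || { echo not-rtf; return 0; }
    if grep -qi -e 'OLE2Link' -e '4f4c45324c696e6b' "$file"; then
        echo ole2link            # the object class named in the advisory
    elif grep -q '\\object' "$file"; then
        echo embedded-object     # some other OLE object; review before delivery
    else
        echo clean
    fi
}

# Usage on a quarantine directory: run every .rtf through the classifier
# and hold anything that is not "clean" for manual review.
# for f in /var/spool/MailScanner/quarantine/*/*.rtf; do
#     printf '%s %s\n' "$(rtf_classify "$f")" "$f"
# done
```

The classifier only reports; the decision to reject or quarantine stays with the existing MailScanner rules, and a hit on "embedded-object" should be read as "needs a look", not as malware.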

Here is some more information:

http://www.theregister.co.uk/2017/04/09/microsoft_word_ole_bug/

https://www.helpnetsecurity.com/2017/04/10/ms-office-zero-day/

Please remind your users to be extra careful when opening or running attachments.

Fort Systems Ltd.

ClamAV Updates Error

March 3rd, 2017 3PM EST

An update has been issued by ClamAV which can corrupt the AV Database.

We have a workaround that needs to be put in place as soon as possible to prevent mail delivery issues.

This affects all customers using BarricadeMX, BarricadeMX PLUS and DefenderMX Lite.

Cleanfeed Customers are NOT affected as those systems have already been patched.

If you are on Platinum support and we have access to your system, we have already applied the update for you. If you are unsure, just contact us at support@fsl.com.

BarricadeMX and BarricadeMX PLUS

Directions:

  • Log in as user root.
  • Enter the command “cd /var/clamav”
  • Then issue the command “vi local.ign”
  • Copy the following 3 lines EXACTLY into the editor and save the file, making sure no extra spaces or characters are added, as this will cause an error and clamd will not start properly.

Doc.Macro.GenericHeuristic-5901772-0
Doc.Macro.GenericHeuristic-5913589-1
Doc.Macro.GenericHeuristic-5931846-1

  • Enter the command “service clamd restart”. Clamd will restart without any errors.
  • Enter the command “service MailScanner reload”

DefenderMX Lite

Directions:

  • Log in as user root.
  • Issue the command “cd /var/lib/clamav”
  • Then issue the command “vi local.ign”
  • Copy the following 3 lines EXACTLY into the editor and save the file, making sure no extra spaces or characters are added, as this will cause an error and clamd will not start properly.

Doc.Macro.GenericHeuristic-5901772-0
Doc.Macro.GenericHeuristic-5913589-1
Doc.Macro.GenericHeuristic-5931846-1

  • Issue the command “service clamd@haraka restart”. Clamd will restart without any errors.
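The two procedures above differ only in the directory (/var/clamav on BarricadeMX and BarricadeMX PLUS, /var/lib/clamav on DefenderMX Lite) and in the service name. The shell functions below are an added example, not FSL's own tooling: they append the three signature names without duplicating them if run twice, and they check the file for exactly the defects the instructions warn about (trailing spaces, stray characters, CR line endings, empty lines) before clamd is restarted, so a typo is caught before it stops the service.

```shell
#!/bin/sh
# Added example, not FSL's tooling: install and verify the ClamAV
# local.ign workaround from the advisory above.

# Signature names taken verbatim from the advisory.
CLAM_IGNORE_SIGS='Doc.Macro.GenericHeuristic-5901772-0
Doc.Macro.GenericHeuristic-5913589-1
Doc.Macro.GenericHeuristic-5931846-1'

# install_clam_ignore_list DIR
#   Appends the signature names to DIR/local.ign, skipping any that are
#   already present, so running it twice does not duplicate entries.
install_clam_ignore_list() {
    dir=$1
    file="$dir/local.ign"
    [ -d "$dir" ] || return 1
    touch "$file" || return 1
    printf '%s\n' "$CLAM_IGNORE_SIGS" | while IFS= read -r sig; do
        grep -qxF "$sig" "$file" || printf '%s\n' "$sig" >> "$file"
    done
}

# check_clam_ignore_list FILE
#   Returns 0 when every line is a bare signature name: only the
#   characters ClamAV signature names use, no spaces, tabs or CR,
#   and no empty lines. Reports the first offending line otherwise.
check_clam_ignore_list() {
    file=$1
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    bad=$(grep -nv '^[A-Za-z0-9._-][A-Za-z0-9._-]*$' "$file" | head -n 1)
    if [ -n "$bad" ]; then
        echo "malformed line in $file: $bad" >&2
        return 1
    fi
    return 0
}

# restart_clamd_if_valid FILE SERVICE
#   Restarts the named clamd service (clamd on BarricadeMX, clamd@haraka
#   on DefenderMX Lite) only after the ignore file passed the check.
restart_clamd_if_valid() {
    check_clam_ignore_list "$1" && service "$2" restart
}

# Usage on a BarricadeMX host (as root):
#   install_clam_ignore_list /var/clamav
#   restart_clamd_if_valid /var/clamav/local.ign clamd && service MailScanner reload
# On DefenderMX Lite:
#   install_clam_ignore_list /var/lib/clamav
#   restart_clamd_if_valid /var/lib/clamav/local.ign clamd@haraka
```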

If you are still experiencing any issues, please contact us immediately through your support channel.

Best regards,
Fort Antispam
www.fortantispam.com

Updates to DNS Real-Time Lists

January 26, 2017

Re: Updates to our Real-time DNS lists

Hi Everyone,

We constantly review the effectiveness of the Real-time DNS lists that we use, and as part of that process we are very pleased to announce that we’re now offering the excellent Invaluement lists to everyone that already pays for DNS feeds from us, free until the end of 2017.

BarricadeMX PLUS Clients

You can add these lists by adding the following to your ‘DNS Blacklists or DNS BL’ settings in Setup -> BarricadeMX or in the BarricadeMX configuration:

invsip.ip.fslupdate.com
invsip24.ip.fslupdate.com

And add the following under ‘URI Blacklists or URI BL’:

invuri.uri.fslupdate.com

IMPORTANT: Remember to add a semicolon between entries.

The Invaluement lists work extremely well in our testing and complement the Spamhaus feeds we already offer.

Additionally, for those that also subscribe to the Spamhaus domain blacklists, you can now get the new Spamhaus ZRD list (Zero-reputation Domains) as a free addition. We helped Spamhaus test this new list and it’s very effective at stopping ‘fresh’ domains that are created and used immediately on the same day, and then discarded.

To use the Spamhaus ZRD, add the following under ‘Domain Blacklists or Domain BL’:

fci2ohsclqcp5w24r3jeg4wsma.zrd.dq.spamhaus.net

(Due to the nature of this list, you have to query Spamhaus directly using their data feed query service instead of via our mirrors.)
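The settings above are free-text fields that take several list zones separated by semicolons, and the "semicolon between entries" reminder exists because a space, comma or trailing semicolon silently breaks the whole field. The shell functions below are an added example, not part of FSL's notice or product: they build and validate such a field value, and they show the DNS name a lookup actually sends for an IP-based list (the reversed-octet convention of RFC 5782) and for a URI/domain list. That the FSL mirrors follow the standard DNSBL query convention is an assumption of this example; the zone names and the sample address 192.0.2.1 (a documentation address) are constructed inputs.

```shell
#!/bin/sh
# Added example, not FSL's code: build/check the semicolon-separated
# blacklist settings and show the DNS names a DNSBL lookup queries.

# join_bl_entries ZONE...
#   Join list zones with ';' and no surrounding spaces, as the field expects.
join_bl_entries() {
    out=
    for zone in "$@"; do
        out="${out:+$out;}$zone"
    done
    printf '%s\n' "$out"
}

# check_bl_setting VALUE
#   Returns 0 if VALUE is one or more DNS zone names separated by single
#   semicolons. Rejects the usual mistakes: a space or comma between
#   entries, a leading/trailing semicolon, or an empty entry.
check_bl_setting() {
    value=$1
    case $value in
        ''|*';;'*|';'*|*';'|*' '*|*','*) return 1 ;;
    esac
    IFS=';'
    for zone in $value; do
        case $zone in
            *[!A-Za-z0-9.-]*|.*|*.|*..*) unset IFS; return 1 ;;
        esac
    done
    unset IFS
    return 0
}

# dnsbl_query_name IP ZONE
#   An IP-based DNSBL is queried by reversing the four octets and
#   appending the zone (RFC 5782): 192.0.2.1 against
#   invsip.ip.fslupdate.com becomes 1.2.0.192.invsip.ip.fslupdate.com.
#   Assumes the FSL mirrors use this standard convention.
dnsbl_query_name() {
    ip=$1; zone=$2
    IFS='.'
    set -- $ip
    unset IFS
    [ $# -eq 4 ] || return 1
    printf '%s.%s.%s.%s.%s\n' "$4" "$3" "$2" "$1" "$zone"
}

# uribl_query_name DOMAIN ZONE
#   Domain and URI lists are queried with the domain itself, unreversed.
uribl_query_name() {
    printf '%s.%s\n' "$1" "$2"
}

# Usage: build the value for the 'DNS Blacklists or DNS BL' field, then
# confirm it passes the check before pasting it into the GUI.
#   v=$(join_bl_entries invsip.ip.fslupdate.com invsip24.ip.fslupdate.com)
#   check_bl_setting "$v" && echo "$v"
```

A listed address answers the reversed-octet query with an A record (typically in 127.0.0.0/8); an unlisted one returns NXDOMAIN, which is why a typo in the zone name produces no hits rather than an error.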

Here are screenshots of a sample BarricadeMX PLUS configuration:

Platinum Support clients can optionally have us update their settings. Email support@fsl.com to start the process.

DefenderMX Clients

All DefenderMX clients with an RBL subscription will have these settings updated automatically. No manual update is required.

Cleanfeed Hosted Clients

No update from your end is required. These new lists are now active.

As always, if you have any questions or concerns, please email us at support@fsl.com.

Fort Systems Ltd.
www.fortantispam.com

FSL Support Access IP Changing

Between October 25 and November 4th we will be moving our Washington, DC office. One of the consequences of this move will be that we will be losing the dedicated IP address for dc1.fsl.com [74.93.209.150], the server that we use to login and support DefenderMX and BarricadeMX servers at your site.

Several months ago we sent out the information on the server that will be replacing dc1.fsl.com and asked that you allow us to access your FSL server(s) from gw.fsl.com [69.63.143.54]. This server is located in a very secure data center in Baltimore, MD.

To provide your systems with timely support before we move, we now ask that you allow non-root access for our support username, fsl, from gw.fsl.com [69.63.143.54] and our new backup login server, repo2.fslupdate.com [69.63.142.92], through any firewalls, routers and firewall software.

After November 3 2016, you can remove our access from dc1.fsl.com [74.93.209.150].

We would prefer to log in as user fsl using secure ssh keys and gain root access, when needed, by using sudo. If you are not familiar with sudo, please refer to this link.
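The access model in the paragraph above (a non-root login, key-only, from two known addresses, with sudo for privilege when needed) can be expressed in two configuration lines. The shell functions below are an added example and not FSL's published steps: they build an OpenSSH authorized_keys entry that pins the key to the two support addresses given in this notice and strips forwarding a support login does not need, plus the matching sudoers rule, and an installer that puts them in place. The public key is a placeholder; the username and IP addresses come from the notice.

```shell
#!/bin/sh
# Added example, not FSL's published procedure: least-privilege support
# access for user "fsl" restricted to the support hosts named above.

SUPPORT_USER=fsl
SUPPORT_HOSTS='69.63.143.54,69.63.142.92'   # gw.fsl.com, repo2.fslupdate.com

# authorized_key_line PUBKEY [HOSTS]
#   authorized_keys entry that only accepts the key from HOSTS and disables
#   port, agent and X11 forwarding, none of which a support login needs.
authorized_key_line() {
    printf 'from="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
        "${2:-$SUPPORT_HOSTS}" "$1"
}

# sudoers_line [USER]
#   Full sudo for the support user. Install it under /etc/sudoers.d/ via
#   visudo -f so a syntax error cannot lock everyone out of sudo.
sudoers_line() {
    printf '%s ALL=(ALL) ALL\n' "${1:-$SUPPORT_USER}"
}

# install_support_access PUBKEY
#   Must run as root: creates the user if needed, installs the pinned key
#   with the permissions sshd insists on, and adds the sudo rule.
install_support_access() {
    pubkey=$1
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    id "$SUPPORT_USER" >/dev/null 2>&1 || useradd -m "$SUPPORT_USER"
    home=$(getent passwd "$SUPPORT_USER" | cut -d: -f6)
    mkdir -p -m 700 "$home/.ssh"
    authorized_key_line "$pubkey" >> "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    chown -R "$SUPPORT_USER" "$home/.ssh"
    sudoers_line > "/etc/sudoers.d/$SUPPORT_USER"
    chmod 440 "/etc/sudoers.d/$SUPPORT_USER"
    visudo -cf "/etc/sudoers.d/$SUPPORT_USER"
}

# Usage (PLACEHOLDER key; substitute the key the support team provides):
#   install_support_access 'ssh-ed25519 AAAA...PLACEHOLDER... fsl-support'
```

The `from=` restriction works alongside the firewall rule, not instead of it: if the key ever leaks, it is still only usable from the two listed addresses, and the firewall limits who can reach sshd at all.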

We will be happy to set up the user and sudo for you if we have access to your DefenderMX and BarricadeMX servers; just send a request to support@fsl.com and include the contact information for the person(s) who will be coordinating the changes that need to be made to your systems.

For those of you who want to configure the systems yourselves, the necessary steps to give us secure access are:

ClamAV Updates Required

September 9, 2016 9:00AM EDT

Dear Clients,

An update has been issued to prevent any ClamAV failures.  We urge you to update your systems as soon as possible to prevent any service disruptions.

All updates are in the repository and available now.

Only clients using BarricadeMX and BarricadeMX PLUS are affected. DefenderMX customers are not affected.

If you are on Platinum support and we have access to your system, we will apply the update for you.  If you are unsure, just contact us.

Directions:

Block of JAVA / JAR File Types

We have noticed a new type of malware that is currently being quarantined as High Scoring Spam. To be more proactive and block these file types outright, we STRONGLY recommend you take the following actions.

DefenderMX Lite Users

Add the following extensions on the Configuration >> Attachments page:

1. Add *.jar to the Filename Rules
2. Add *.jar to the Archive Filename Rules

For all Platinum Support customers, please email support@fsl.com and we can make arrangements to enable.

BarricadeMX PLUS Users

  1. Navigate to Setup >> MailScanner >> Attachments
  2. Add \.jar$ to Deny Filenames
  3. Add \.jar$ to Archives: Deny Filenames
  4. Add application\/java-archive to Deny File MIME Types
     (NOTE: the entry contains both a backslash and a forward slash)
  5. Add application\/java-archive to Archives: Deny File MIME Types
     (NOTE: the entry contains both a backslash and a forward slash)
  6. At the bottom of the screen click the “Update” button
  7. Click “Commit Changes”
  8. Click “Apply Changes”
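The deny entries in steps 2 to 5 are regular expressions, and the escaping matters: `\.jar$` matches only a literal ".jar" at the end of the name, whereas an unescaped `.jar` would also block any name that merely ends in "jar". The shell functions below are an added example, not BarricadeMX's own matching code, that exercise those patterns against constructed filenames and MIME types; that the product treats these fields as case-insensitive regular expressions is an assumption of this example.

```shell
#!/bin/sh
# Added example, not BarricadeMX's code: exercise the deny patterns from
# the steps above to see what they match and what they miss.

DENY_FILENAME_RE='\.jar$'                   # steps 2 and 3
DENY_MIME_RE='application\/java-archive'    # steps 4 and 5

# matches_deny PATTERN STRING -> 0 if the extended regex PATTERN matches
#   STRING. Case-insensitive, so INVOICE.JAR is treated like invoice.jar
#   (an assumption about how the product matches; adjust if it is not).
matches_deny() {
    printf '%s\n' "$2" | grep -Eiq -- "$1"
}

# denied_attachment FILENAME MIMETYPE -> 0 if either rule denies it.
#   Checking both means a .jar renamed to .pdf is still caught when the
#   gateway identifies its MIME type correctly.
denied_attachment() {
    matches_deny "$DENY_FILENAME_RE" "$1" || matches_deny "$DENY_MIME_RE" "$2"
}

# Usage: run a few constructed names through the rules.
#   for n in invoice.jar INVOICE.JAR notes.jar.txt sidejar; do
#       if matches_deny "$DENY_FILENAME_RE" "$n"; then echo "deny  $n"; else echo "allow $n"; fi
#   done
```

Note that `\.jar$` does not block "notes.jar.txt": the anchor is on the last extension only. That is the intended behaviour here, since a file whose name ends in .txt is not opened as a Java archive; the MIME rule covers the case where the content is a JAR regardless of the name.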

For all Platinum Support customers, please email support@fsl.com and we can make arrangements to enable.

BarricadeMX Users

Contact support@fsl.com to schedule the installation of your update to DefenderMX Lite.

Cleanfeed Users

We have already enabled these changes on our servers. No action on your part is required.

Best regards,
FortAntispam

Block Javascript (JS) Attachments

Blank emails with a subject line of DocumentXX, where XX is a random number, are making the rounds on the internet. They contain a zip file which downloads the Locky ransomware or the Dridex banking Trojan.

As in the past, the spammers will start to modify these emails as time goes by so the best solution is to block them outright.

These emails are designed to entice users to read and open the attachment. Small and medium-sized businesses are being targeted.

Here is a link to an article that contains more information.

https://myonlinesecurity.co.uk/document1-pretending-to-come-from-your-own-email-address-js-malware-leads-to-locky-ransomware/

We recommend that you block these attachments. If you have a requirement for a specific user to receive them, you can always set up a rule that allows a sender/receiver pair to bypass the block.

To block these attachments, please follow the instructions below:

Microsoft Office VBA Macro Warning

Over the last few months there has been an increasing trend of malware being hidden inside Microsoft Office documents via embedded macros, which are used to download the real malware payload onto the user’s desktop. Unfortunately, because these macros are easily mutated and obfuscated, all of the anti-virus vendors are very slow at creating signatures for them, leaving a large window of opportunity for these messages to be sent via e-mail without any detection.

The only way we have been able to reliably catch 100% of these messages is to enable the option in ClamAV which detects any macros within Office documents and either quarantine or reject them.

Critical glibc “Ghost” exploit

You are probably aware of the recently announced vulnerability by Qualys in the gethostbyname function in glibc.

All versions of CentOS 5, CentOS 6 and CentOS 7 are affected.

Our software is not specifically vulnerable, but you should still update your packages and systems immediately.

During a code audit, Qualys discovered a buffer overflow in the _nss_hostname_digits_dots() function of glibc. This can be triggered both locally and remotely via all the gethostbyname*() functions.

To update your systems please do the following:

  1. Log in as root. You must be root or su to complete the update.
  2. Enter the following command: yum clean all && yum update -y

This will pull all updates from the RHEL or CentOS repository and any updates from the FSL repositories and install them. To be on the safe side, we would recommend a server restart as soon as possible.

If you have any issues or would like assistance, please send an email to support@fsl.com.

Here are links to articles explaining the bug further:

https://www.centosblog.com/critical-glibc-remote-vulnerability-exploit-ghost-patch-glibc-now/

https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability

If you have any issues updating your system or need assistance, please send an email to support@fsl.com.

Best regards,

Fort Systems Ltd.

www.fortantispam.com

Bash Bug / Shell Shock Vulnerability

Hello Everyone,

You are probably aware of the recently announced Bash Bug / Shell Shock vulnerability.

Our software is not specifically vulnerable, but you should still update your packages and systems immediately.

The bug allows specially crafted environment variables containing commands that will be executed on vulnerable systems.

Here is a quote from the NIST explaining the bug:

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.
– NIST

I will add some links to articles explaining the vulnerability in more detail.

To update your systems please do the following:

1.  Log in as root. You must be root or su to complete the update.

2.  Enter the following command:

yum update -y

This will pull all updates from the RHEL or CentOS repository and any updates from the FSL repositories and install them.

3.  If there are kernel updates, please schedule a system restart to start using the new kernel.
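After step 2 it is worth confirming that the installed bash actually ignores the trailing command the NIST description refers to, rather than trusting the package list alone. The shell function below is an added example, not FSL's script: it wraps the environment-variable check Red Hat published for this bug (an exported function definition followed by a harmless `echo`) so that it can be run across servers and scripted. A patched bash prints only "test"; a vulnerable one also prints "vulnerable". The optional argument lets you point it at a specific bash binary, for instance one left behind in a chroot.

```shell
#!/bin/sh
# Added example, not FSL's script: post-update check for the Bash Bug.

# shellshock_check [BASH]
#   Exit status: 0 = patched, 1 = vulnerable, 2 = bash binary not found.
#   The environment variable holds a function definition with a trailing
#   command; a vulnerable bash executes that command while importing the
#   function, a patched one does not import it at all.
shellshock_check() {
    bash=${1:-bash}
    case $bash in
        */*) [ -x "$bash" ] || return 2 ;;
        *)   command -v "$bash" >/dev/null 2>&1 || return 2 ;;
    esac
    out=$(env x='() { :;}; echo vulnerable' "$bash" -c 'echo test' 2>/dev/null)
    case $out in
        *vulnerable*) return 1 ;;
        *)            return 0 ;;
    esac
}

# report_shellshock [BASH] -> one line suitable for a fleet-wide log
report_shellshock() {
    rc=0
    shellshock_check "$@" || rc=$?
    case $rc in
        0) echo "$(hostname): bash patched" ;;
        1) echo "$(hostname): bash VULNERABLE - run yum update -y" ;;
        *) echo "$(hostname): bash not found at ${1:-bash}" ;;
    esac
    return $rc
}

# Usage after "yum update -y":
#   report_shellshock           # system bash
#   report_shellshock /bin/bash # an explicit path
```

Run it again after any kernel-driven restart as well; the check exercises the bash binary on disk, so it also catches a host where the update was installed but a stale copy of bash is still being invoked from another path.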

If you have any issues or would like assistance, please send an email to support@fsl.com.

Here are some links to articles explaining the bug further:

http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html

https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/

If you have any issues updating your system or need assistance, please send an email to support@fsl.com.

Best regards,

Fort Systems Ltd.
www.fortantispam.com