 To track known issues in Windows 10 that Microsoft is aware of and actively resolving, you can use a Windows 10 Health Dashboard tool. Released on April 30th, 2019, Microsoft's Windows 10 Health Dashboard tracks the known issues in various versions of Windows 10, and even older versions such as Windows 7 and Windows 8.1. The Windows Health Dashboard is broken up into different sections based on the version of the operating system. This site allows Windows users to track the issues related to the feature update they currently have installed or are trying to install. For example, when the Windows 10 May 2020 Update was released, the operating system became Windows 10 version 2004. At the top of each section, Microsoft provides a brief message related to that version of Windows, including the status of the feature update's rollout and whether it is nearing the end of support. As you scroll further down the page, you will be shown the known issues being investigated, what cumulative update caused the problem, and when information about the issue was last updated. Finally, under each entry in the known issue list is a 'See details' link. When clicked on, this link will bring you to a more detailed description of the issue that may contain steps to resolving the issue. This detailed information will state if the issue has a 'compatibility hold' that would block a Windows user from upgrading to this new version of Windows. We will discuss compatibility holds in the next section. As Microsoft releases new feature updates, they also tweak the operating system or add new security features. The changes could cause conflicts with hardware drivers, antivirus software, or other programs that worked fine in the previous version of Windows 10. These conflicts can cause Windows 10 not to start, have degraded performance, cause games not to work, or even cause a blue screen of death (BSOD) crash. When a known conflict occurs, and a Windows user is affected, Microsoft blocks that user from upgrading to the new version of Windows 10. This upgrade block is called a compatibility hold. As it is not always clear if your device is on a compatibility hold, Microsoft has started to notify users if they are blocked from upgrading. If you are are not being offered a new Windows 10 feature update or Windows is having problems after upgrading, the Windows Health Dashboard can be a useful tool. It is useful because the dashboard will display all the known issues that are causing a hold or problems in Windows, and offer guidance on how to resolve them. For example, using the Health Dashboard, we learn that NVIDIA drivers older than version 358.00 is causing a compatibility hold. Using this information, a blocked user can upgrade their NVIDIA graphics drivers to a newer version and see if that removes the hold. Another example was when Microsoft used the Health Dashboard to warn about a bug preventing the 'Reset this PC' feature from working correctly. Until the issue was fixed, Microsoft offered a workaround to get it working again. We have more complete details along with images posted on OUR FORUM.
 A newly uncovered form of ransomware is going after Windows and Linux systems in what appears to be a targeted campaign. Named Tycoon after references in the code, this ransomware has been active since December 2019 and looks to be the work of cybercriminals who are highly selective in their targeting. The malware also uses an uncommon deployment technique that helps stay hidden on compromised networks. The main targets of Tycoon are organizations in the education and software industries. Tycoon has been uncovered and detailed by researchers at BlackBerry working with security analysts at KPMG. It's an unusual form of ransomware because it's written in Java, deployed as a trojanized Java Runtime Environment, and is compiled in a Java image file (Jimage) to hide the malicious intentions. "These are both unique methods. Java is very seldom used to write endpoint malware because it requires the Java Runtime Environment to be able to run the code. Image files are rarely used for malware attacks," Eric Milam, VP for research and intelligence at BlackBerry, told ZDNet. "Attackers are shifting towards uncommon programming languages and obscure data formats. Here, the attackers did not need to obscure their code but were nonetheless successful in accomplishing their goals," he added. However, the first stage of Tycoon ransomware attacks is less uncommon, with the initial intrusion coming via insecure internet-facing RDP servers. This is a common attack vector for malware campaigns and it often exploits servers with weak or previously compromised passwords. Once inside the network, the attackers maintain persistence by using Image File Execution Options (IFEO) injection settings that more often provide developers with the ability to debug software. The attackers also use privileges to disable anti-malware software using ProcessHacker in order to stop the removal of their attack. "Ransomware can be implemented in high-level languages such as Java with no obfuscation and executed in unexpected ways," said Milam. After execution, the ransomware encrypts the network with files encrypted by Tycoon given extensions including .redrum, .grinch, and .thanos – and the attackers demand a ransom in exchange for the decryption key. The attackers ask for payment in bitcoin and claim the price depends on how quickly the victim gets in touch via email. Get better informed by visiting OUR FORUM.
 A Chinese threat actor has developed new capabilities to target air-gapped systems in an attempt to exfiltrate sensitive data for espionage, according to a newly published research by Kaspersky yesterday. The APT, known as Cycldek, Goblin Panda, or Conimes, employs an extensive toolset for lateral movement and information stealing in victim networks, including previously unreported custom tools, tactics, and procedures in attacks against government agencies in Vietnam, Thailand, and Laos. "One of the newly revealed tools is named USBCulprit and has been found to rely on USB media in order to exfiltrate victim data," Kaspersky said. "This may suggest Cycldek is trying to reach air-gapped networks in victim environments or relies on physical presence for the same purpose." First observed by CrowdStrike in 2013, Cycldek has a long history of singling out defense, energy, and government sectors in Southeast Asia, particularly Vietnam, using decoy documents that exploit known vulnerabilities (e.g., CVE-2012-0158, CVE-2017-11882, CVE-2018-0802) in Microsoft Office to drop a malware called NewCore RAT. Kaspersky's analysis of NewCore revealed two different variants (named BlueCore and RedCore) centered around two clusters of activity, with similarities in both code and infrastructure, but also contain features that are exclusive to RedCore — namely a keylogger and an RDP logger that captures details about users connected to a system via RDP. "Each cluster of activity had a different geographical focus," the researchers said. "The operators behind the BlueCore cluster invested most of their efforts on Vietnamese targets with several outliers in Laos and Thailand, while the operators of the RedCore cluster started out with a focus on Vietnam and diverted to Laos by the end of 2018." Both BlueCore and RedCore implants, in turn, downloaded a variety of additional tools to facilitate lateral movement (HDoor) and extract information (JsonCookies and ChromePass) from compromised systems. What's more, the malware is programmed to copy itself selectively to certain removable drives so it can move laterally to other air-gapped systems each time an infected USB drive is inserted into another machine. A telemetry analysis by Kaspersky found that the first instance of the binary dates all the way back to 2014, with the latest samples recorded at the end of last year. The initial infection mechanism relies on leveraging malicious binaries that mimic legitimate antivirus components to load USBCulprit in what's called DLL search order hijacking before it proceeds to collect the relevant information, save it in the form of an encrypted RAR archive, and exfiltrate the data to a connected removable device. Visit OUR FORUM to learn more.
|
Latest Articles
|