Now Valak turned into an infostealer

Valak started out as a malware loader, but it has since grown into a full-featured infostealer that attacks companies in the US and Germany. Researchers report that Valak received more than 20 updates in about six months.
The malware spreads through phishing emails carrying Microsoft Word documents with malicious macros. Once the macro runs, a .DLL file named U.tmp is downloaded to the infected machine and saved in a temporary folder. The DLL is then launched through the WinExec API call and loads JavaScript code that establishes a connection to the command-and-control servers. After that, additional files are downloaded to the infected host, decoded with Base64 and an XOR cipher, and the main payload is deployed.

To make its foothold in the infected system permanent, the malware modifies the registry and creates a scheduled task. It then downloads and runs additional modules responsible for reconnaissance and data theft.

There are two main payloads, project.aspx and a.aspx, with different roles. The first manages registry keys, task scheduling and the malicious activity itself; the second (internal name PluginHost.exe) is an executable that controls the additional malware components.

The ManagedPlugin module has a range of functions: it collects system information (local and domain data); its Exchgrabber function targets Microsoft Exchange by stealing credentials and domain certificates; it has a geolocation check and a screenshot capture function; and its «Netrecon» component is a network reconnaissance tool.
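As an added triage example (not from the original article or the cited research), the PowerShell sweep below checks a host for the traits described above: a PE image stored under a .tmp name in a temp folder, and persistence through a scheduled task or Run key whose command points into a temp folder or uses a script or DLL host. The article gives no task names, registry values or hashes for Valak, so the folders and the command pattern are assumptions, and a hit is a lead for manual review rather than a confirmed infection.

```powershell
# Added triage example; not code from the article or the researchers.
# Assumptions: the user and system temp folders are where the dropped DLL
# lands, and persistence commands referencing temp paths or script/DLL
# hosts are worth a second look. Nothing here is a Valak-specific indicator.

function Test-IsPeImage {
    param([Parameter(Mandatory)][string]$Path)
    # Every Windows PE image (EXE or DLL) starts with the 'MZ' DOS header,
    # whatever extension the file was given.
    try {
        $stream = [System.IO.File]::OpenRead($Path)
        try {
            $header = New-Object byte[] 2
            $read = $stream.Read($header, 0, 2)
            return ($read -eq 2 -and $header[0] -eq 0x4D -and $header[1] -eq 0x5A)
        } finally { $stream.Dispose() }
    } catch { return $false }   # locked or unreadable file: skip it, don't abort the sweep
}

function Find-TmpPeImages {
    param([string[]]$Folders = @($env:TEMP, "$env:SystemRoot\Temp"))
    foreach ($folder in $Folders) {
        Get-ChildItem -Path $folder -Filter '*.tmp' -File -Recurse -ErrorAction SilentlyContinue |
            Where-Object { Test-IsPeImage -Path $_.FullName } |
            ForEach-Object {
                [pscustomobject]@{
                    Finding = 'PE image with .tmp extension'
                    Where   = $_.FullName
                    Written = $_.LastWriteTime
                    Sha256  = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

# Commands worth review: anything launched from a temp folder, or a script/DLL
# host (the article describes a DLL plus JavaScript in Valak's chain).
$SuspiciousCommand = '(?i)(\\Temp\\|wscript|cscript|mshta|regsvr32|rundll32)'

function Find-SuspiciousPersistence {
    # Scheduled tasks (the article names a scheduled task as Valak's persistence).
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match $SuspiciousCommand) {
                [pscustomobject]@{ Finding = 'Scheduled task'; Where = "$($task.TaskPath)$($task.TaskName)"; Command = $cmd }
            }
        }
    }
    # Run keys, the most common registry autostart locations.
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        $values = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $values) { continue }
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata, not a Run entry
            if ("$($prop.Value)" -match $SuspiciousCommand) {
                [pscustomobject]@{ Finding = 'Run key'; Where = "$key\$($prop.Name)"; Command = $prop.Value }
            }
        }
    }
}

@(Find-TmpPeImages) + @(Find-SuspiciousPersistence) | Format-Table -AutoSize
```

Run it in an elevated session so the HKLM Run key and the system temp folder are readable; expect benign hits from installers that legitimately run from temp, which is why the hash is included for follow-up.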

The researchers say:
«Extracting this sensitive data allows the attacker access to an inside domain user for the internal mail services of an enterprise along with access to the domain certificate of an enterprise. With systeminfo, the attacker can identify which user is a domain administrator. This creates a very dangerous combination of sensitive data leakage and potentially large scale cyber spying or infostealing. It also shows that the intended target of this malware is first and foremost enterprises.»

The broken Windows 7 desktop

The final Windows 7 update has broken the desktop. Here are three ways to solve the problem.

Microsoft has released the last patch for Windows 7, and it broke the desktop wallpaper setting. Since Microsoft is no longer going to release updates for Windows 7, users have to fix the problem themselves.

An update with a surprise

Support for Windows 7 ended on January 14, 2020, and the last update for the OS has broken the desktop functionality. Users who installed the update complain that there is no way to set a desktop wallpaper.

The KB4534310 patch, released January 14, 2020, causes the desktop wallpaper to change to a black screen after each reboot. MSPowerUser reports that the issue was raised on Reddit in threads started by users MrMii-Already-Reddit and Arilandon in mid-January 2020. A thread was also created on the Microsoft forum, where more than 30 people confirmed the problem.

What exactly broke

Reddit users found out that after the KB4534310 update is installed, Windows 7 removes the wallpaper from the desktop if the “Stretch” option is selected in the display settings. The other display options don’t cause the problem.

They suspect that after the update the system no longer recognizes this option, which leads to the desktop being filled with a black background after each reboot. Bleeping Computer journalists confirmed that the issue exists by reproducing it on their own Windows 7 PCs.

How to fix the problem

There are three ways to solve the wallpaper problem. The first is to refuse to install the update; the second is to remove the update from the system (roll back to a previous restore point, restore from a backup, and so on).

The third option is for people who have installed the update but don’t want to remove it. If you are one of them, set the desired picture, choose “Stretch”, take a screenshot (without desktop shortcuts) and set that screenshot as the wallpaper with any other option, such as “Tile” or “Center”.

Alternatively, you can use any modern graphics editor to resize your image to the monitor’s screen resolution.

Windows 7 and bad-quality updates

KB4534310 is not the only problematic Windows 7 patch released in recent years. For example, in January 2018 CNews reported that the emergency cumulative security updates meant to mitigate the Meltdown and Spectre vulnerabilities caused problems and unpredictable consequences. In particular, people complained about regular Blue Screen of Death (BSOD) crashes after installing the patch on PCs with AMD Opteron processors.

Some updates Windows 7 refused to install at all. In May 2019, users whose PCs ran antivirus software from almost any manufacturer found that the system couldn’t deploy the KB4499164 security patch. The update got stuck at 30%, and it was necessary to boot the PC into safe mode and manually uninstall the partially installed package.

Although Microsoft has stopped supporting Windows 7, corporate clients will continue to receive Windows 7 updates.

So if you have already run into the Windows 7 update problem, you can solve it with one of the methods above. Ultimately, which one to choose is up to you.

IT monitoring

IT monitoring is the process of collecting metrics from the hardware and software in an IT environment. Its purpose is to ensure that the equipment works correctly and at the level of performance required for normal business operations.

The most basic monitoring consists of sending a “ping” to a device and waiting for the response. If the response arrives, the server or router is turned on, has not been disconnected and has not failed. This lets a system administrator keep track of the state of the IT systems just by looking at the monitored resources.

Basic monitoring only checks whether a device is operating, while more advanced monitoring gives a detailed picture of operating conditions, including average response time, the number of errors and requests, CPU usage, application availability, and others.

So, how does it work?

Monitoring consists of three layers: foundation, software, and interpretation.

  • The basic, or foundation, level. Infrastructure is the lowest level of the stack; it covers the physical or virtual devices called “hosts”, such as a Windows server, Linux server, Cisco router, VMware virtual machine, etc.
  • The software level, also called the monitoring level. It analyzes what runs on the devices of the foundation level, including processor usage, load, memory, and the number of virtual machines that are running.
  • The interpretation level. The collected metrics are presented as graphs or data charts, often on a dashboard with a graphical interface.

A monitoring system may use agent software. Agents are standalone programs installed on the monitored device that collect data about the equipment’s performance and send it to the management server. Agentless monitoring uses existing protocols to emulate an agent with the same capabilities.

In order to monitor server usage, an admin installs the agent on the server. The management server receives the data from the agent and displays it to the user through the interface of the IT monitoring software, often as a graph of performance over time.

If the server stops working properly, the tool warns the administrator, who can restore, update or replace the component until it meets the required standard again.

Although the task of monitoring may seem relatively simple, the consequences of neglecting it can be huge for an organization that depends on IT systems. Monitoring is therefore the work of identifying problems in time, analyzing their consequences and eliminating them promptly.

Microsoft stops supporting Windows 7

During the life cycle of an operating system, the company provides free update support, and at some point this cycle comes to an end. That is what is happening to Windows 7. Microsoft’s strategy is to drop support for Windows 7 in order to promote Windows 10, which, it says, has more modern security features and is more stable.

The end of support for Windows 7 means that the computer will no longer receive updates, security patches or new features. This reduces the security of the PC, because the system will not receive the patches that close holes exploited by malicious software. For the next three years, security updates will be available only with a paid subscription.

The release of security updates will cease on January 14, 2020; in addition, Internet Explorer support on Windows 7 will also stop.

Of course, the end of Windows 7 support doesn’t mean that everything will stop working at once. Users can continue to use the operating system, but the computer will become more vulnerable to security risks, with a wide range of possible negative consequences for the PC.

Microsoft offers two solutions:

— to start using Windows 10;

— to buy a new PC with preinstalled Windows 7.

If you purchase a licensed copy of Windows 10, you can reinstall the operating system on your computer. Download the Media Creation Tool from the official Microsoft website; with it you can download the Windows 10 image and save it to a USB flash drive or DVD, or upgrade the system from within the application. Microsoft has also left a loophole for a free upgrade to Windows 10 that works for licensed versions of Windows 7: download and run the «Upgrade to Windows 10 Assistant.»

Before upgrading, check the computer’s hardware. Windows 10 has higher system requirements than Windows 7, so there is no point in installing it on a weak computer: the operating system and applications will run slowly and the computer will become uncomfortable to work on. This applies especially to laptops released many years ago.

Between Windows 7 and Windows 10 there was another operating system, Windows 8. It is an alternative for those who are ready to leave Windows 7 but don’t want to use Windows 10. Windows 8 will receive updates until January 10, 2023; after that you will face the same problem and have to move to Windows 10.

Windows 7 is Microsoft’s most popular operating system, and it seems likely to remain the leading desktop OS in the world for some time after January 14, despite the end of support.
Users who decide to stay with it after January 14, 2020 can use third-party security software, which will remain compatible with this OS for a long time.

Windows 10 Update

The point of an update policy is to make the update process predictable, with procedures for notifying users so that they can plan their work accordingly and avoid unexpected downtime. The policy needs to address several distinct types of updates.

The most familiar are the monthly cumulative security and reliability updates that are delivered on the second Tuesday of each month (aka Patch Tuesday). The Patch Tuesday release typically also includes the Windows Malicious Software Removal Tool and may include any of the following additional types of updates:

  • Security updates for .NET Framework
  • Security updates for Adobe Flash Player
  • Servicing stack updates (which must be installed before other updates)

The update policy should include the following elements for each managed PC:

  • When to install monthly updates: Using the default Windows settings, monthly updates are downloaded and installed within 24 hours of their release on Patch Tuesday.
  • When to install semi-annual feature updates: Using the default Windows settings, feature updates are downloaded and installed when Microsoft says they’re ready.
  • When to allow PCs to restart to complete installation of updates: Most updates require a restart to complete installation.
  • How to notify PC users of pending updates and restarts: To avoid unpleasant surprises, Windows 10 notifies users when updates are pending.
  • How to handle out-of-band updates: Occasionally, Microsoft releases critical security updates outside of its normal Patch Tuesday schedule. Typically, these are intended to address security vulnerabilities that are being exploited «in the wild.»

Managing updates manually

To configure Windows Update manually you need to start at Settings > Update & Security > Windows Update. There, you can adjust two groups of settings.

First, click Change Active Hours and adjust the settings to reflect your actual work habits.

Next, click Advanced Options and adjust the settings under the Choose When Updates Are Installed heading to reflect your policy.

  • Choose how many days to delay installation of feature updates. The maximum value is 365 days.
  • Choose how many days to delay installation of quality updates, including the cumulative security updates released on Patch Tuesday. The maximum value is 30 days.

Other settings on this page control the display of restart notifications (on by default) and whether to allow updates to download on metered connections (off by default).

Managing updates using Group Policy

A significant number of policies are exclusive to Windows 10. The most important are those associated with the Windows Update for Business feature, which are located in Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business.

  • Select when Preview Builds and Feature Updates are received: Choose a servicing channel and set delays for feature updates.
  • Select when Quality Updates are received: Set delays for monthly cumulative updates and other security-related updates.
  • Manage preview builds: Specify whether users can join a machine to the Windows Insider Program and, if enabled, specify the Insider ring.

An additional group of policies is in Computer Configuration > Administrative Templates > Windows Components > Windows Update.

  • Remove access to «Pause updates» feature: Prevent users from interfering with installation of updates by removing the option to pause updates for up to 35 days.
  • Remove access to all Windows Update features: Prevent users from changing any Windows Update settings.
  • Allow updates to be downloaded automatically over metered connections: Allow updates to be installed on devices using a metered connection such as an LTE connection.
  • Do not include drivers with Windows Updates:  Prevent Windows Update from installing device drivers.

The following settings, all specific to Windows 10, apply to restarts and notifications:

  • Turn off auto-restart for updates during active hours: Ensure that devices don’t restart to install updates during normal working hours.
  • Specify active hours range for auto-restarts: Change the default active hours settings.
  • Specify deadline before auto-restart for update installation: Choose a deadline (between 2 and 14 days) after which a restart to apply updates will be automatic.
  • Configure auto-restart reminder notifications for updates: Increase the time prior to a scheduled restart when the user is notified. Acceptable values are 15 minutes (default) to 240 minutes.
  • Turn off auto-restart notifications for update installations: Completely disable restart notifications.
  • Configure auto-restart required notification for updates: Prevent notifications from disappearing after 25 seconds and instead require the user to dismiss.
  • Do not allow update deferral policies to cause scans against Windows Update: Use this policy to prevent PCs from checking Windows Update when a deferral is assigned.
  • Specify Engaged restart transition and notification schedule for updates: Use this policy to allow users to schedule restarts and «snooze» restart reminders.
  • Configure auto-restart warning notifications schedule for updates: Configure reminders of automatic restarts (from 4 to 24 hours) and warnings of imminent restarts (from 15 to 60 minutes).
  • Update power policy for Cart Restarts: This policy is for educational systems that remain on carts overnight and allows updates to be installed even on battery power.
  • Display options for update notifications: Use these settings to completely disable update notifications with the option to include or exclude restart warnings.

The following policies apply to Windows 10 as well as some older Windows versions:

  • Configure Automatic Updates: This powerful group of settings allows you to specify a consistent weekly, bi-weekly, or monthly update schedule, with the option to specify the day and time during which all available updates are automatically downloaded and installed.
  • Specify intranet Microsoft update service location: Use this policy to configure a Windows Server Update Services (WSUS) server on a Windows domain network. (See the following section for more on this option.)
  • Enable client-side targeting: This setting allows administrators to use Active Directory security groups to define deployment rings when using WSUS.
  • Do not connect to any Windows Update Internet locations: On PCs that are connected to a local update server, prevent any connections to outside update servers, including Microsoft Update and the Microsoft Store.
  • Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates: Enables the system to wake up a machine and install updates; the system will wake up only if updates are available.
  • Always automatically restart at the scheduled time: Use this setting to configure a timer (15 minutes to 180 minutes) and automatically restart after installing updates, rather than notifying users.
  • No auto-restart with logged on users for scheduled automatic updates installations: This policy overrides the previous policy and prevents restarts when users are signed in.
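As an added example (not from the original article), this PowerShell audit reads the registry values that the Group Policy settings above write under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate and checks them against the limits the article quotes (quality deferral at most 30 days, feature deferral at most 365) and the WSUS-related combinations. The value names are the ones the Windows Update ADMX templates use; treat them as an assumption to verify on your own Windows build.

```powershell
# Added audit example; not code from the article. Assumes the ADMX-backed
# registry value names below (verify them against your build's ADMX files).
$WuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuPolicy = "$WuPolicy\AU"

function Get-PolicyValue {
    # Returns $null when the policy is "Not configured" (key or value absent).
    param([string]$Key, [string]$Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function New-Finding {
    param([string]$Policy, [string]$State, [string]$Detail)
    [pscustomobject]@{ Policy = $Policy; State = $State; Detail = $Detail }
}

function Test-UpdatePolicyBaseline {
    $findings = @()

    # Windows Update for Business deferrals: quality updates can be deferred
    # at most 30 days, feature updates at most 365 (the article's limits).
    $quality = Get-PolicyValue $WuPolicy 'DeferQualityUpdatesPeriodInDays'
    $feature = Get-PolicyValue $WuPolicy 'DeferFeatureUpdatesPeriodInDays'
    if ($null -eq $quality) {
        $findings += New-Finding 'Select when Quality Updates are received' 'Not configured' 'Cumulative updates install on the default schedule (within ~24 h of Patch Tuesday)'
    } elseif ($quality -lt 0 -or $quality -gt 30) {
        $findings += New-Finding 'Select when Quality Updates are received' 'Out of range' "DeferQualityUpdatesPeriodInDays = $quality (valid 0-30)"
    } else {
        $findings += New-Finding 'Select when Quality Updates are received' 'OK' "$quality day(s)"
    }
    if ($null -ne $feature -and ($feature -lt 0 -or $feature -gt 365)) {
        $findings += New-Finding 'Select when Feature Updates are received' 'Out of range' "DeferFeatureUpdatesPeriodInDays = $feature (valid 0-365)"
    }

    # Intranet update server (WSUS). WUServer only takes effect when the client
    # is told to use it (AU\UseWUServer = 1); once PCs are pointed at WSUS,
    # blocking outside update locations closes the route around it.
    $wsus       = Get-PolicyValue $WuPolicy 'WUServer'
    $useWsus    = Get-PolicyValue $AuPolicy 'UseWUServer'
    $noInternet = Get-PolicyValue $WuPolicy 'DoNotConnectToWindowsUpdateInternetLocations'
    if ($wsus) {
        if ($useWsus -ne 1) {
            $findings += New-Finding 'Specify intranet Microsoft update service location' 'Ineffective' "WUServer = $wsus but AU\UseWUServer is not 1"
        } else {
            $findings += New-Finding 'Specify intranet Microsoft update service location' 'OK' "WUServer = $wsus"
        }
        if ($noInternet -ne 1) {
            $findings += New-Finding 'Do not connect to any Windows Update Internet locations' 'Not configured' 'Clients may still reach Microsoft Update directly'
        }
    }

    # Restart behaviour with signed-in users (the last policy in the list above).
    $noReboot = Get-PolicyValue $AuPolicy 'NoAutoRebootWithLoggedOnUsers'
    $state = if ($noReboot -eq 1) { 'OK' } else { 'Not configured' }
    $findings += New-Finding 'No auto-restart with logged on users' $state "NoAutoRebootWithLoggedOnUsers = $noReboot"

    # Configure Automatic Updates: AUOptions 4 = auto download and schedule the install.
    $auOptions = Get-PolicyValue $AuPolicy 'AUOptions'
    if ($auOptions -eq 4) {
        $day  = Get-PolicyValue $AuPolicy 'ScheduledInstallDay'    # 0 = every day, 1..7 = Sunday..Saturday
        $hour = Get-PolicyValue $AuPolicy 'ScheduledInstallTime'   # 0..23, local time
        $findings += New-Finding 'Configure Automatic Updates' 'OK' "Scheduled install: day=$day hour=$hour"
    } elseif ($null -ne $auOptions) {
        $findings += New-Finding 'Configure Automatic Updates' 'Review' "AUOptions = $auOptions (not a scheduled install)"
    }

    return $findings
}

Test-UpdatePolicyBaseline | Format-Table -AutoSize
```

Run it on a managed PC after a `gpupdate /force` to see what the policy objects actually delivered; a "Not configured" row means the machine is on Windows defaults for that setting.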

Enterprise management tools

The two most popular options for bypassing Microsoft’s update servers and deploying updates from a locally managed server are the following.

Windows Server Update Services (WSUS) is the simpler of the two options. It runs as a Windows Server role and provides a central store for Windows updates within an organization. Using Group Policy, a network administrator points Windows 10 PCs to the WSUS server, which serves as the single source of downloads for the entire organization.

The second option, System Center Configuration Manager (SCCM), uses the powerful Configuration Manager for Windows, in combination with WSUS, to deploy quality and feature updates. A Windows 10 servicing dashboard lets network administrators monitor Windows 10 usage across the network and create group-based servicing plans that include information about PCs as they near their end of support life.

How to extend Security Updates of Windows 7

As we all know, every operating system needs support. But what will you do when that support ends? I would recommend looking at extended Windows 7 support, because the current support ends in January 2020.

If you need to keep running Windows 7 after January 2020 without it being patched every month, you risk becoming a victim of external threats. For exactly such situations, Microsoft is providing three options that range from “free” to explicitly paying for updates.

There are three ways to keep a Windows 7 install maintained:

— Use Microsoft’s new Windows Virtual Desktop service. This option moves your install to the newly announced Windows Virtual Desktop platform; Microsoft will supply three years of extended security updates for customers who choose a Windows 7 Enterprise VM.

— Be a Windows 10 Enterprise E5, Microsoft 365 E5, or Microsoft 365 E5 Security customer. Microsoft will provide a free year of Windows 7 support to customers who already pay for Windows 10 Enterprise E5, Microsoft 365 E5, or Microsoft 365 E5 Security. Customers who pay for Extended Security Updates (ESU) under this program also receive discounts for years two ($50 per device instead of $100) and three ($100 per device instead of $200).

— Pay for additional updates. This option assumes you haven’t paid for anything before, but you can pay a fee to keep Windows 7 supported after January 2020 at the following prices per device:

  • Year 1 (January 2020 through January 2021): Windows 7 Pro is $50 per device, Windows Enterprise (add-on) is $25 per device.
  • Year 2 (January 2021 through January 2022): Windows 7 Pro is $100 per device, Windows Enterprise (add-on) is $50 per device.
  • Year 3 (January 2022 through January 2023): Windows 7 Pro is $200 per device, Windows Enterprise (add-on) is $100 per device.

If you need additional support for your Windows 7 devices after January 2020, you can choose between these options. You can even combine several of them to lower the burden of running Windows 7, but sooner or later you will need to migrate to Windows 10 anyway.

How to protect your business with Windows 10 security

It would be great if securing a Windows 10 device could be reduced to a simple checklist, but the process is much more complicated than that. The initial setup only establishes a security baseline; once that configuration is complete, security needs continued vigilance and ongoing effort. A big part of the security work for a Windows 10 device happens away from the device itself.

A good security plan pays attention to network traffic, email accounts, authentication mechanisms, management servers, and other external connections. IT specialists should be able to handle these points; for a small business without IT staff, outsourcing could be the best way.

Installing updates regularly is one of the most important settings for Windows 10 devices. Quality updates are delivered monthly through Windows Update; they address security and reliability issues and do not include new features. All quality updates are cumulative, so you no longer have to download dozens of updates after a clean install of Windows 10: install the latest update and you are completely up to date. Feature updates are the equivalent of what used to be called version upgrades; they include new features and require a multi-gigabyte download and a full setup.

When updates are available on Microsoft’s update servers, Windows 10 devices download and install them right away.

In large companies, administrators can apply Windows Update for Business settings using Group Policy or mobile device management (MDM) software. Updates can also be administered centrally with a management tool such as System Center Configuration Manager or Windows Server Update Services.

User account management

Devices running a business edition of Windows 10 (Pro, Enterprise, or Education) can be joined to a Windows domain. This gives domain administrators access to Active Directory features, where they can authorize users, groups, and computers to access local and network resources. If you’re a domain administrator, you can manage Windows 10 PCs using the full set of server-based Active Directory tools.

Smaller businesses typically have Windows 10 PCs that are not joined to a domain, and they can choose from a few account types. A local account on a Windows 10 PC is a member of the Administrators group and has the right to install software and modify the system configuration. Microsoft and Azure Active Directory (Azure AD) accounts should be set up as Standard users to prevent untrained users from inadvertently damaging the system or installing unwanted software. The Windows Hello feature can be used to strengthen the sign-in process on the device. It requires a two-step verification process to enroll the device with a Microsoft account, an Active Directory account, an Azure AD account, or a third-party identity provider that supports FIDO version 2.0.

The user can then sign in using a PIN or biometric authentication, for example a fingerprint or facial recognition. The biometric data is stored only on the device, which defeats a variety of common password-stealing attacks. On devices connected to business accounts, administrators can use Windows Hello for Business to specify PIN complexity requirements.

It is necessary to set up multi-factor authentication (MFA) to protect the Microsoft or Azure AD accounts on business PCs from external attacks. For Microsoft accounts, the Two-step Verification setting is available at link. For Office 365 Business and Enterprise accounts, an administrator must first enable the feature from the Office portal, after which users can manage their MFA settings at link.

Data protection

No one can foresee a laptop being stolen or left behind somewhere, but such situations carry a significant risk of data loss, and it is even worse in regulated industries or where data breach laws require public disclosure. Business editions of Windows include an encryption tool for exactly this case, called BitLocker. With BitLocker enabled, every bit of data on the device is encrypted using the XTS-AES standard. Using Group Policy settings or device management tools, you can increase the encryption strength from its default 128-bit setting to 256-bit. For full management capabilities, you’ll also need to set up BitLocker using an Active Directory account on a Windows domain or an Azure Active Directory account. In either configuration, the recovery key is saved in a location that is available to the domain or AAD administrator.

On an unmanaged device running a business edition of Windows 10, you can use a local account, but you’ll need to use the BitLocker Management tools to enable encryption on the available drives. You should also encrypt portable storage devices: USB flash drives, microSD cards used as expansion storage, and portable hard drives are easily lost, but their data can be protected from prying eyes with BitLocker To Go, which uses a password to decrypt the drive’s contents.
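As an added example (not from the original article), the PowerShell below does what the two paragraphs above describe: raises the BitLocker cipher strength from the default 128-bit XTS-AES to 256-bit through the policy registry values, encrypts the OS drive with the recovery password escrowed to Active Directory or Azure AD, and protects a removable drive with BitLocker To Go. The method codes under HKLM\SOFTWARE\Policies\Microsoft\FVE are assumed from the BitLocker ADMX template (verify on your build); the cmdlets are the standard BitLocker module commands.

```powershell
# Added example; not code from the article. Requires an elevated session on a
# business edition of Windows 10 with the BitLocker module. Run the policy
# function *before* enabling encryption: the cipher is fixed when a volume is
# first encrypted and cannot be changed without decrypting it first.

function Set-BitLockerEncryptionPolicy {
    # Local equivalent of the Group Policy "Choose drive encryption method and
    # cipher strength (Windows 10 [Version 1511] and later)". Method codes
    # (assumed from the FVE ADMX): 3 = AES-CBC 128, 4 = AES-CBC 256,
    # 6 = XTS-AES 128 (the default), 7 = XTS-AES 256.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    New-ItemProperty -Path $fve -Name 'EncryptionMethodWithXtsOs'  -Value 7 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $fve -Name 'EncryptionMethodWithXtsFdv' -Value 7 -PropertyType DWord -Force | Out-Null
    # Removable drives stay on AES-CBC 256: XTS volumes cannot be opened on
    # Windows builds older than 10 version 1511, and BitLocker To Go drives travel.
    New-ItemProperty -Path $fve -Name 'EncryptionMethodWithXtsRdv' -Value 4 -PropertyType DWord -Force | Out-Null
}

function Enable-OsDriveEncryption {
    param(
        [string]$MountPoint = 'C:',
        [ValidateSet('AD', 'AAD', 'None')][string]$EscrowTo = 'AD'
    )
    # The TPM protector unlocks the drive at boot. -SkipHardwareTest starts
    # encrypting now instead of after a reboot-and-test cycle.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 `
        -TpmProtector -SkipHardwareTest | Out-Null
    # A TPM-only volume has no way back in if the TPM or boot chain changes,
    # so add a recovery password and escrow it where the admin can find it.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    switch ($EscrowTo) {
        'AD'  { Backup-BitLockerKeyProtector      -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null }
        'AAD' { BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null }
    }
    return Get-BitLockerVolume -MountPoint $MountPoint
}

function Enable-RemovableDriveEncryption {
    param(
        [Parameter(Mandatory)][string]$MountPoint,
        [Parameter(Mandatory)][securestring]$Password
    )
    # BitLocker To Go: a password protector so the drive opens on any Windows
    # PC, plus a recovery password in case the password is forgotten.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 `
        -PasswordProtector -Password $Password | Out-Null
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    return Get-BitLockerVolume -MountPoint $MountPoint
}

# Usage (uncomment to run; these calls start encrypting real drives). The
# password is read as a SecureString and never stored in the script.
# Set-BitLockerEncryptionPolicy
# Enable-OsDriveEncryption -MountPoint 'C:' -EscrowTo 'AD' |
#     Select-Object MountPoint, VolumeStatus, EncryptionMethod, ProtectionStatus
# Enable-RemovableDriveEncryption -MountPoint 'E:' -Password (Read-Host -AsSecureString 'BitLocker To Go password') |
#     Select-Object MountPoint, VolumeStatus, EncryptionMethod
```

On a domain-joined PC the AD escrow only succeeds if the schema and the computer object's permissions allow it; `Backup-BitLockerKeyProtector` fails loudly rather than silently skipping, so check its result before considering the device protected.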

Blocking malicious code

Nowadays antivirus software is just one more layer of protection, although not long ago it was the main tool for blocking the installation of malicious code.

Windows 10 ships with Windows Defender, a built-in antimalware program that updates itself whenever new definitions are available through Windows Update. If you decide to install another security package, Windows Defender steps aside and lets that software function. Large companies using the Windows Enterprise edition can deploy Windows Defender Advanced Threat Protection, a security platform that monitors endpoints such as Windows 10 PCs using behavioral sensors; using cloud-based analytics, Windows Defender ATP can identify suspicious behavior and alert administrators to potential threats. For smaller businesses, the most important challenge is to prevent malicious code from reaching the PC in the first place. Microsoft’s SmartScreen technology is another built-in feature that scans downloads and blocks execution of those known to be malicious. SmartScreen also blocks unrecognized programs, but allows the user to override that decision if necessary.

Another important step in protecting your PC is to be careful with your email, because infecting PCs through mail attachments and links to malicious websites is common. Although email client software can offer some protection, blocking these threats at the server level is the most effective way to prevent attacks. An effective way to stop users from running unwanted programs (including malicious code) is to configure a Windows 10 PC so that it runs no apps except those you specifically authorize. To adjust this setting on a single PC, go to Settings > Apps > Apps & Features; under the Installing Apps heading, choose Allow Apps From The Store Only. This setting allows previously installed apps to run but prevents installation of any programs downloaded from outside the Microsoft Store.

Administrators can configure this setting over a network using Group Policy: Computer Configuration > Administrative Templates > Windows Components > Windows Defender SmartScreen > Explorer > Configure App install Control.

Networking

The Windows 10 firewall supports three different network profiles: Domain, Private, and Public. Apps that need access to network resources can generally configure themselves during their initial setup.

To configure basic Windows firewall settings, use the Firewall & Network Protection tab in the Windows Security app. «Advanced Settings» leads to an expert-only set of configuration tools in the Windows Defender Firewall with Advanced Security console. These settings can be controlled through a combination of Group Policy and server-side settings.

The most complex Windows 10 security problems appear when you connect to wireless networks. To raise the level of security, large organizations should add support for the 802.1X standard, which uses access controls instead of a shared password; when there is an attempt to connect to such a network, Windows 10 rejects unauthorized connections. On Windows domain-based networks, you can use the native DirectAccess feature to allow secure remote access.

Sometimes it is necessary to connect to an untrusted wireless network, and the best way to do so is through a virtual private network (VPN). To set up this type of connection, go to Settings > Network & Internet > VPN. Small businesses and individuals can choose from a variety of Windows-compatible third-party VPN services.
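As an added example (not from the original article) covering both the "Allow Apps From The Store Only" setting in the "Blocking malicious code" section and the firewall and VPN steps in this one, the PowerShell below applies those settings from a script instead of the Settings app. The SmartScreen policy value names are assumed from the SmartScreen ADMX template (verify on your build); the firewall and VPN cmdlets are the standard NetSecurity and VpnClient module commands, and the VPN server name is a placeholder.

```powershell
# Added example; not code from the article. Run in an elevated session.

function Set-AppInstallControlPolicy {
    # Group Policy "Configure App Install Control" (Windows Defender SmartScreen
    # > Explorer). 'StoreOnly' is the same choice as Settings > Apps > Apps &
    # Features > Allow Apps From The Store Only, applied machine-wide so users
    # cannot flip it back. Value names assumed from the SmartScreen ADMX.
    param([ValidateSet('Anywhere', 'Recommendations', 'PreferStore', 'StoreOnly')][string]$Mode = 'StoreOnly')
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'ConfigureAppInstallControlEnabled' -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name 'ConfigureAppInstallControl' -Value $Mode -PropertyType String -Force | Out-Null
    Get-ItemProperty -Path $key | Select-Object ConfigureAppInstallControlEnabled, ConfigureAppInstallControl
}

function Set-FirewallBaseline {
    # All three profiles on, inbound blocked unless a rule allows it, and
    # blocked packets logged so the firewall feeds your monitoring.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow `
        -LogBlocked True -LogMaxSizeKilobytes 16384 `
        -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'
    # Public (untrusted) networks: ignore inbound allow rules entirely, so a
    # coffee-shop Wi-Fi cannot reach services an app opened for the office LAN.
    Set-NetFirewallProfile -Profile Public -AllowInboundRules False
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, AllowInboundRules, LogBlocked
}

function Add-BusinessVpn {
    # Equivalent of Settings > Network & Internet > VPN > Add a VPN connection.
    # IKEv2 with machine certificates means no shared secret to leak; swap the
    # tunnel type and authentication for whatever your provider requires.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ServerAddress
    )
    Add-VpnConnection -Name $Name -ServerAddress $ServerAddress -TunnelType Ikev2 `
        -AuthenticationMethod MachineCertificate -EncryptionLevel Required `
        -RememberCredential:$false -Force
    Get-VpnConnection -Name $Name | Select-Object Name, ServerAddress, TunnelType, EncryptionLevel
}

Set-AppInstallControlPolicy -Mode 'StoreOnly'
Set-FirewallBaseline
Add-BusinessVpn -Name 'Office VPN' -ServerAddress 'vpn.example.com'   # placeholder server name
```

Test the firewall change on a machine you can reach another way first: with inbound blocked by default on all profiles, any remote management that relies on an inbound rule will need that rule re-enabled explicitly.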