ARICOMA Group acquires the tech company Seavus<p> <strong>ARICOMA Group representatives have announced a major step in the international expansion of the company, which is part of Karel Komárek’s KKCG Group. According to the purchase agreement, ARICOMA Group has acquired the technology company Seavus. With this acquisition, ARICOMA Group expands into further markets in Europe and strengthens its position in the USA. At the same time, it becomes an international player in the IT industry, with consolidated revenues of EUR 300 million, earnings of over EUR 23 million before interest, taxes, depreciation, and amortization (EBITDA), and more than 2,800 employees.</strong></p><p> <em>“This acquisition fulfils the long-term strategy of the KKCG Group in the field of information technology. Ever since ARICOMA Group was founded, when we consolidated the big players on the Czech IT market, we always envisaged that the next step would be international expansion. Personally, I am delighted that we have been able to complete the transaction in these challenging times,”</em> says <strong>Michal Tománek, Technology Investment Director of KKCG</strong>. </p><p>ARICOMA Group (the IT services consolidation platform of the KKCG Group) continues to deliver on its ambition to become a major European IT services provider. According to Tománek, it will encompass a group of specialized companies, which together will offer customers an integrated range of digital transformation services.</p><p> <em>“With its range of services focused on IT consulting, software development, implementation of software solutions and products for maintenance and support, infrastructure management, cybersecurity and compliance, Seavus fits perfectly into the ARICOMA Group portfolio,”</em> says <strong>ARICOMA Group CEO, Milan Sameš</strong>. 
Sameš is also positive about the history of Seavus, which was founded in Malmö and Skopje in 1999 and has continued to develop ever since. Probably the best testament to the quality of its 800 employees is the fact that the company provides services in many countries in Europe, including its core Scandinavian region, the Benelux countries and Switzerland, as well as in the USA. Its main clients include companies in the telecommunications sector (e.g. Sunrise, Tele2, A1, Globalstar), the banking industry (Erste Bank, Banca Intesa, Marginalen Bank), and tech companies such as Bosch. <em>“The experience we have gained this year, which has been so fundamentally marked by the coronavirus pandemic, tells us that the digital transformation of companies is proceeding faster than we had expected. We see in this a massive opportunity for further growth. The acquisition of Seavus fits into this plan perfectly,”</em> says <strong>Sameš</strong>. </p><p>One of the main objectives of ARICOMA Group is to establish itself more strongly in foreign markets while supporting the more dynamic development of its own software solutions and services.</p><p> <em>“We strongly believe that the involvement of a strong strategic partner, such as ARICOMA Group of companies, will accelerate innovation and further strengthen our capabilities to offer high quality software development services and next generation solutions, to our customers worldwide. Now, we will remain not only dedicated to success, but even more motivated to accomplish our goals: expand our portfolio of customers, become a trustworthy partner in their process of digitalization, and to lead the way as one of Europe’s best IT providers. Seavus is going to be an immense part of the KKCG success story,” </em>says <strong>Igor Lestar, Chairman of the Board, Seavus Group</strong>. With this acquisition, all operations and lines of business will continue unchanged in the near future. 
ARICOMA Group is committed to maintaining the leadership and the core values that have made Seavus a trusted partner, service provider, and a reliable employer. </p><h2>Seavus</h2><p>Seavus is a software development and consulting company with a proven track record in providing successful enterprise-wide business solutions. The company has over 800 IT experts worldwide and offers a variety of products and service options, covering the European and US markets from several offices around the world. Its expanding portfolio covers: BSS/OSS, CRM, CEM, Business Intelligence solutions, ALM, embedded programming, business and consumer products, mobile and gaming solutions, managed services, as well as custom development, consultancy and resourcing. Seavus’ portfolio includes over 4000 customers, among which are leading worldwide telecom and handset manufacturers, organizations from the banking and finance industry, consumer electronics, technology, education, government, health, etc.<br>As of today, Seavus has fifteen operating offices located in several countries, including Sweden, the United States of America, North Macedonia, Belarus, Moldova, Switzerland, Serbia, Bosnia and Herzegovina, with a continuous growth strategy.</p><h2>ARICOMA Group</h2><p>The largest ICT holding in the Czech Republic. The group includes the companies AUTOCONT, Cleverlance, DataSpring, AEC, Cloud4com and Internet Projekt. The companies in the ARICOMA group provide a wide range of services, starting with the design of ICT architecture, through infrastructure and Cloud services and the implementation of corporate applications, up to the development of its own comprehensive software solutions and outsourcing. Last year, the group’s overall revenue exceeded 7 billion crowns.</p><h2>About KKCG</h2><p>KKCG Group, founded and led by the successful Czech entrepreneur Karel Komárek, is an international investment company which manages more than EUR 6 billion (book value) of assets. 
KKCG operates in 19 countries and its key strategic sectors include gaming, oil and gas, technology and real estate. KKCG Group includes SAZKA Group, ARICOMA Group, MND Group, US Methanol, the Springtide Ventures capital fund, and others. <br></p>
IMPORTANT WARNING: TrickBot-Ryuk Activity Increased<p> <strong>TrickBot malware and Ryuk ransomware activity has grown significantly over the past 48 hours. Our technology team has observed this activity across the AEC customer base, in several different segments. We therefore recommend treating this warning with the utmost seriousness.<br><br></strong></p><hr /><h2>Update 2020-11-02:</h2><p>Further indicators of compromise have been added, connected with, among others, the Emotet botnet. While investigating incidents at our customers, we identified additional IOCs, which are now included in the table below.</p><hr /><p> </p><p>You may know this malicious software from the attacks successfully executed this year and last; TrickBot malware and Ryuk ransomware also took part in the attack on the Benešov Hospital last December. We have already written several times about that attack and about other activities of attackers using the Emotet botnet or the malware in question [1, 2].</p><p style="text-align:center;"> <img class="maxWidthImage" alt="TrickBot Ryuk" src="/cz/PublishingImages/news/2020/aec-TrickBot-Ryuk.jpg" data-themekey="#" style="margin:5px;width:650px;" /> </p><p>On Wednesday, October 28, 2020, the Cybersecurity and Infrastructure Security Agency (CISA) reported on the increased activity of this malware and the likelihood of attacks on hospitals and other healthcare facilities [3]. The Czech National Cyber and Information Security Agency (NÚKIB) also warned about increased activity of the Emotet botnet in early October [4].</p><p>The current version of the TrickBot malware is no longer just a regular banking trojan. 
Once a computer has been infected, the attackers can steal credentials and e-mail messages, mine cryptocurrencies, steal data from payment systems, or download additional malware or ransomware to the infected system.</p><p>We recommend that all our customers verify that their endpoint protection solution is up to date and scan for vulnerabilities, since exploiting vulnerabilities is the most common way this malware spreads across a network. Companies with an IOC search tool can search their managed devices for the IOCs listed in the table below. Domains and IP addresses are printed defanged ([.] in place of .), so restore the dots before searching. <br><br></p><table width="100%" class="ms-rteTable-default" cellspacing="0" style="height:33px;"><tbody><tr><td class="ms-rteTableEvenCol-default" bgcolor="#6773b6" style="text-align:center;"><h3> <span style="color:#ffffff;">IOC type</span></h3></td><td class="ms-rteTableEvenCol-default" bgcolor="#6773b6" style="text-align:center;"><h3> <span style="color:#ffffff;">IOC</span></h3></td><td class="ms-rteTableEvenCol-default" bgcolor="#6773b6" style="text-align:center;"><h3> <span style="color:#ffffff;">Note</span></h3></td></tr><tr><td class="ms-rteTable-default" rowspan="2"> <strong>File name</strong></td><td class="ms-rteTable-default">12 characters (including ".exe", i.e. 8 random characters + ".exe")</td><td class="ms-rteTable-default" rowspan="2">e.g. mfjdieks.exe</td></tr><tr style="border-bottom-color:#6773b6;border-bottom-width:2px;border-bottom-style:solid;"><td class="ms-rteTable-default">anchorDiag.txt</td></tr><tr><td class="ms-rteTable-default" rowspan="3"> <strong>Directory of the suspicious file</strong></td><td class="ms-rteTable-default">C:\Windows\</td><td class="ms-rteTable-default" rowspan="3"></td></tr><tr><td class="ms-rteTable-default">C:\Windows\SysWOW64\</td></tr><tr style="border-bottom-color:#6773b6;border-bottom-width:2px;border-bottom-style:solid;"><td class="ms-rteTable-default">C:\Users\[username]\AppData\Roaming\</td></tr><tr><td class="ms-rteTable-default" rowspan="2"> <strong>String</strong></td><td class="ms-rteTable-default">Global\fde345tyhoVGYHUJKIOuy</td><td class="ms-rteTable-default">Typically present in process memory</td></tr><tr style="border-bottom-color:#6773b6;border-bottom-width:2px;border-bottom-style:solid;"><td class="ms-rteTable-default">/anchor_dns/[COMPUTERNAME]_<br>[WindowsVersionBuildNo].[32CharacterString]/</td><td class="ms-rteTable-default">Typically present in the communication with the C&C server</td></tr><tr style="border-bottom-color:#6773b6;border-bottom-width:2px;border-bottom-style:solid;"><td class="ms-rteTable-default"> <strong>Scheduled tasks</strong></td><td class="ms-rteTable-default">[random_folder_name_in_%APPDATA%_excluding_Microsoft]<br>autoupdate#[5_random_numbers]</td><td class="ms-rteTable-default"></td></tr><tr><td class="ms-rteTable-default" rowspan="2"> <strong>CMD command</strong></td><td class="ms-rteTable-default">cmd.exe /c timeout 3 && del C:\Users\[username]\[malware_sample]</td><td class="ms-rteTable-default">Self-deletion of the dropped sample</td></tr><tr style="border-bottom-color:#6773b6;border-bottom-width:2px;border-bottom-style:solid;"><td class="ms-rteTable-default">cmd.exe /C PowerShell "Start-Sleep 3; Remove-Item C:\Users\[username]\[malware_sample_location]"</td><td class="ms-rteTable-default">Self-deletion of the dropped sample</td></tr><tr><td class="ms-rteTable-default" 
rowspan="6"> <strong>DNS</strong></td><td class="ms-rteTable-default">kostunivo[.]com</td><td class="ms-rteTable-default" rowspan="6">DNS names connected with Anchor_DNS (included in the TrickBot malware)</td></tr><tr><td class="ms-rteTable-default">chishir[.]com</td></tr><tr><td class="ms-rteTable-default">mangoclone[.]com</td></tr><tr><td class="ms-rteTable-default">onixcellent[.]com</td></tr><tr><td class="ms-rteTable-default">innhanmacquanaogiare[.]com<span style="color:#6773b6;"> - update 2020-11-02</span></td></tr><tr style="border-bottom-color:#6773b6;border-bottom-width:2px;border-bottom-style:solid;"><td class="ms-rteTable-default">edgeclothingmcr[.]com <span style="color:#6773b6;">- update 2020-11-02</span></td></tr><tr><td class="ms-rteTable-default" rowspan="8"> <strong>DNS</strong></td><td class="ms-rteTable-default">ipecho[.]net</td><td class="ms-rteTable-default" rowspan="8">DNS names used for connectivity checks</td></tr><tr><td class="ms-rteTable-default">api[.]ipify[.]org</td></tr><tr><td class="ms-rteTable-default">checkip[.]amazonaws[.]com</td></tr><tr><td class="ms-rteTable-default">ip[.]anysrc[.]net</td></tr><tr><td class="ms-rteTable-default">wtfismyip[.]com</td></tr><tr><td class="ms-rteTable-default">ipinfo[.]io</td></tr><tr><td class="ms-rteTable-default">icanhazip[.]com</td></tr><tr style="border-bottom-color:#6773b6;border-bottom-width:2px;border-bottom-style:solid;"><td class="ms-rteTable-default">myexternalip[.]com</td></tr><tr><td class="ms-rteTable-default" rowspan="11"> <strong>IP address</strong></td><td class="ms-rteTable-default">23[.]95[.]97[.]59</td><td class="ms-rteTable-default" rowspan="11">C&C servers IP addresses</td></tr><tr><td class="ms-rteTable-default">51[.]254[.]25[.]115</td></tr><tr><td class="ms-rteTable-default">193[.]183[.]98[.]66</td></tr><tr><td class="ms-rteTable-default">91[.]217[.]137[.]37</td></tr><tr><td class="ms-rteTable-default">87[.]98[.]175[.]85</td></tr><tr><td 
class="ms-rteTable-default">81[.]214[.]253[.]80 <span style="color:#6773b6;">- update 2020-11-02</span></td></tr><tr><td class="ms-rteTable-default">94[.]23[.]62[.]116 <span style="color:#6773b6;">- update 2020-11-02</span></td></tr><tr><td class="ms-rteTable-default">104[.]28[.]27[.]212 <span style="color:#6773b6;">- update 2020-11-02</span></td></tr><tr><td class="ms-rteTable-default">172[.]67[.]169[.]203 <span style="color:#6773b6;">- update 2020-11-02</span></td></tr><tr><td class="ms-rteTable-default">104[.]28[.]26[.]212 <span style="color:#6773b6;">- update 2020-11-02</span></td></tr><tr style="border-bottom-color:#6773b6;border-bottom-width:2px;border-bottom-style:solid;"><td class="ms-rteTable-default">93[.]114[.]234[.]109 <span style="color:#6773b6;">- update 2020-11-02</span></td></tr></tbody></table><p> </p><p> <span style="color:red;"> <strong>If you observe any of the IOCs listed above or any other suspicious activity in your network, please do not hesitate to <a href="mailto:matej.kacic[@]">contact us directly</a> and ask for a consultation, incident analysis or the implementation of specific security measures. <br> <br></strong></span></p><hr /><h3>Sources:</h3><p>[1]: <a href="/cz/novinky/Stranky/zprava-o-bezpecnosti-v-prosinci-2019.aspx" target="_blank"></a><br>[2]: <a href="" target="_blank"></a><br>[3]: <a href="" target="_blank"></a><br>[4]: <a href="" target="_blank"></a><br></p>
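<p>As an added example (not part of the original advisory and not AEC's own tooling), the following Python script turns the IOC table above into a matcher that runs over endpoint telemetry records. The indicator values are copied from the table, kept defanged exactly as printed and refanged at load time; the record shape (type/value dictionaries), the rule names and the severities are assumptions of this example, and the sample records at the bottom are constructed so the script runs offline. With real data, feed it the same shape of records exported from Sysmon, an EDR or DNS logs.</p>

```python
"""IOC matcher for the TrickBot / Ryuk indicators from the table above.

Added example, not the advisory's or AEC's code. Record shape, rule names
and severities are assumptions; SAMPLE_EVENTS are constructed test data.
"""
import re

# Indicators transcribed from the table (defanged, as printed there).
ANCHOR_DNS_DOMAINS = [
    "kostunivo[.]com", "chishir[.]com", "mangoclone[.]com", "onixcellent[.]com",
    "innhanmacquanaogiare[.]com", "edgeclothingmcr[.]com",
]
CONNECTIVITY_CHECK_DOMAINS = [
    "ipecho[.]net", "api[.]ipify[.]org", "checkip[.]amazonaws[.]com", "ip[.]anysrc[.]net",
    "wtfismyip[.]com", "ipinfo[.]io", "icanhazip[.]com", "myexternalip[.]com",
]
C2_IPS = [
    "23[.]95[.]97[.]59", "51[.]254[.]25[.]115", "193[.]183[.]98[.]66", "91[.]217[.]137[.]37",
    "87[.]98[.]175[.]85", "81[.]214[.]253[.]80", "94[.]23[.]62[.]116", "104[.]28[.]27[.]212",
    "172[.]67[.]169[.]203", "104[.]28[.]26[.]212", "93[.]114[.]234[.]109",
]
TRICKBOT_MUTEX = r"Global\fde345tyhoVGYHUJKIOuy"   # raw string: "\f" must stay a backslash


def refang(ioc: str) -> str:
    """Turn the printed 'example[.]com' form back into a matchable, lower-cased string."""
    return ioc.replace("[.]", ".").lower()


ANCHOR_DNS = {refang(d) for d in ANCHOR_DNS_DOMAINS}
CHECK_DNS = {refang(d) for d in CONNECTIVITY_CHECK_DOMAINS}
C2 = {refang(ip) for ip in C2_IPS}

# 8 random characters + ".exe" (12 in total) directly in one of the three directories from the table.
RANDOM_EXE = re.compile(
    r"^(?:C:\\Windows\\(?:SysWOW64\\)?|C:\\Users\\[^\\]+\\AppData\\Roaming\\)"
    r"[a-z0-9]{8}\.exe$",
    re.IGNORECASE,
)
ANCHOR_DIAG = re.compile(r"\\anchorDiag\.txt$", re.IGNORECASE)
# /anchor_dns/[COMPUTERNAME]_[WindowsVersionBuildNo].[32CharacterString]/
ANCHOR_URI = re.compile(r"/anchor_dns/[^/]+_\d+\.[A-Za-z0-9]{32}/")
SCHEDULED_TASK = re.compile(r"^autoupdate#\d{5}$")
SELF_DELETE_CMD = re.compile(r"cmd\.exe\s+/c\s+timeout\s+3\s*&&\s*del\s+", re.IGNORECASE)
SELF_DELETE_PS = re.compile(r'powershell\s+\\?"?start-sleep\s+3;\s*remove-item', re.IGNORECASE)


def match_event(event: dict):
    """Return (severity, rule, value) for one telemetry record, or None when nothing matches."""
    kind, value = event["type"], event["value"]
    if kind == "file":
        if RANDOM_EXE.match(value):
            return ("high", "trickbot_random_exe", value)
        if ANCHOR_DIAG.search(value):
            return ("high", "anchor_diag_file", value)
    elif kind == "dns":
        name = value.lower().rstrip(".")          # normalise case and trailing dot
        if name in ANCHOR_DNS:
            return ("high", "anchor_dns_c2_domain", value)
        if name in CHECK_DNS:
            # Public "what is my IP" services: legitimate software queries them too.
            return ("low", "connectivity_check_domain", value)
    elif kind == "ip":
        if value in C2:
            return ("medium", "c2_ip_address", value)
    elif kind == "task":
        if SCHEDULED_TASK.match(value):
            return ("high", "trickbot_scheduled_task", value)
    elif kind == "cmd":
        if SELF_DELETE_CMD.search(value) or SELF_DELETE_PS.search(value):
            return ("high", "self_delete_command", value)
    elif kind == "mutex":
        if value == TRICKBOT_MUTEX:
            return ("high", "trickbot_mutex", value)
    elif kind == "http":
        if ANCHOR_URI.search(value):
            return ("high", "anchor_dns_c2_uri", value)
    return None


def match_iocs(events):
    """Run every record through match_event and keep only the hits, in input order."""
    return [hit for hit in (match_event(e) for e in events) if hit]


# Constructed sample telemetry; a benign record of several types is mixed in.
SAMPLE_EVENTS = [
    {"type": "file", "value": r"C:\Windows\SysWOW64\mfjdieks.exe"},
    {"type": "file", "value": r"C:\Windows\System32\notepad.exe"},
    {"type": "file", "value": r"C:\Users\alice\AppData\Roaming\anchorDiag.txt"},
    {"type": "dns", "value": "kostunivo.com"},
    {"type": "dns", "value": "api.ipify.org"},
    {"type": "dns", "value": "www.example.com"},
    {"type": "ip", "value": "23.95.97.59"},
    {"type": "task", "value": "autoupdate#48213"},
    {"type": "task", "value": "MicrosoftEdgeUpdateTaskMachineCore"},
    {"type": "cmd", "value": r"cmd.exe /c timeout 3 && del C:\Users\alice\mfjdieks.exe"},
    {"type": "cmd", "value": r'cmd.exe /C PowerShell "Start-Sleep 3; Remove-Item C:\Users\alice\AppData\Roaming\mfjdieks.exe"'},
    {"type": "mutex", "value": r"Global\fde345tyhoVGYHUJKIOuy"},
    {"type": "http", "value": "/anchor_dns/WS01_19041.abcdef0123456789abcdef0123456789/"},
]

if __name__ == "__main__":
    for severity, rule, value in match_iocs(SAMPLE_EVENTS):
        print(f"[{severity:6}] {rule:26} {value}")
```

<p>Two caveats when using something like this on real data: a 12-character executable name in C:\Windows\ is a weak indicator on its own and needs confirmation (hash, signature, sandbox), and the connectivity-check domains and shared-hosting IP addresses will also show up in legitimate traffic, which is why they are scored below the Anchor_DNS domains, the mutex and the self-deletion commands.</p>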
Zerologon: Critical Vulnerability of Windows AD<p style="text-align:center;"> <img class="maxWidthImage" alt="Zerologon" src="/cz/PublishingImages/news/2020/aec-zerologon.png" data-themekey="#" style="margin:5px;width:650px;" /> </p><p>The name of the vulnerability (CVE-2020-1472) refers to its main attack vector: a flaw in the choice of initialisation vector (IV) used when encrypting Netlogon Remote Protocol (MS-NRPC) messages, which lets an attacker on the internal network break the authentication entirely and impersonate any computer in the domain.</p><p>The impact of this vulnerability is enormous. So troubling in fact that its severity in the Common Vulnerability Scoring System (CVSS) reached a critical 10 out of 10. 
Successful exploitation lets an attacker who can open TCP connections to a domain controller escalate to domain administrator, fully compromising the entire domain and every system joined to it. In most cases (unless a domain controller is reachable from the Internet), the attack can only be carried out from the internal network, which limits the opportunity for abuse.</p><p>Several scripts exploiting the vulnerability (mostly proof-of-concept) are already circulating on the Internet, and data from honeypot systems (intentionally vulnerable systems exposed to the Internet, on which exploitation attempts are actively monitored) show that the vulnerability is already being exploited actively and automatically by several attacker groups worldwide.</p><p>Microsoft addressed the flaw in two phases. <a href=""><span lang="EN-GB">The first patch was issued on August 11, 2020</span></a> and was rated critical. It fixes the bug that makes the attack possible, i.e. that lets an attacker authenticate as any machine in AD, and should be sufficient to prevent exploitation. We therefore strongly recommend applying the patch and updating all domain controllers as soon as possible.</p><p>The second phase is planned for the beginning of next year and concerns the RPC Signing and Sealing mechanism. This feature, selected by a flag negotiated during the authentication handshake, determines whether communication between the client and the DC is encrypted. By simply clearing the flag, an attacker can switch the mechanism off and send arbitrary messages without knowing the actual encryption key. 
This second phase is not critical for preventing the vulnerability, because exploiting it requires first authenticating to the domain controller, which the first patch already prevents.</p><h2 dir="ltr" style="margin-right:0px;">Technical details</h2><p>The vulnerability was disclosed in a <a href=""><span lang="EN-GB">report published in September 2020 by Tom Tervoort, a security researcher</span></a> at Secura. The report describes flaws in the implementation of Netlogon Remote Protocol (MS-NRPC) encryption and how they allow authentication to a domain controller as any machine in the network, including the domain controller itself, with a simple brute-force attack.</p><p>The MS-NRPC protocol is used in an AD environment for tasks related to authenticating user and machine accounts. Most often this means logons to servers using the NTLM protocol, or, for example, changing an account's password in the domain.</p><p>One thing is peculiar about this protocol: it does not use the standard domain authentication mechanisms, such as Kerberos, but a procedure of its own. Simply put, for authentication to succeed, the client and the server exchange a pair of random numbers (challenges), which each side combines with the account's password hash to derive a common session key. The client then proves it derived the same key as the server, which is taken as proof that the client knows the account's password and may be authenticated.</p><p>The issue lies in the way the value proving that the client knows the session key (the client credential) is computed. 
AES is used to produce this value, but in a relatively obscure mode known as CFB-8, and it is used incorrectly: the initialisation vector is fixed to 16 zero bytes (the IV is one of the primary mechanisms that make this type of encryption secure, and it must always be a fresh, unpredictable value). Research has shown that, with a zero IV and a randomly chosen encryption key, an all-zero plaintext encrypts to an all-zero ciphertext for about one key in 256 (see the figure below). The reason is that CFB-8 encrypts one byte at a time: the first keystream byte is the first byte of AES applied to the all-zero IV, and if that byte happens to be zero, the first ciphertext byte is zero as well, the shift register stays all zeros, and every following byte repeats the same result.</p><p style="text-align:center;">   <img class="maxWidthImage" alt="Zerologon" src="/cz/PublishingImages/news/2020/zerologon-01.png" data-themekey="#" style="margin:5px;width:650px;" /> </p><p style="text-align:justify;">The Zerologon vulnerability relies on this property to bypass the computation of the client credential that the server requires as proof that the client knows the session key. The value expected by the server is obtained by encrypting the client challenge (the random number the client chose in the previous authentication step) with the session key derived from both random numbers (the client's and the server's). Because of the encryption flaw described above, this answer can be forged: if the client chooses an all-zero client challenge, the encrypted value is a string of zeros for 1 in 256 session keys on average. 
Thus it is enough for an attacker to repeat the logon attempt roughly 256 times until this happens; the authentication then succeeds and the attacker can perform actions on the machine account, such as changing its password.</p><p style="text-align:justify;">To complete the attack, the second part of the vulnerability, concerning RPC Signing and Sealing, has to be exploited as well. This feature determines whether the rest of the communication between server and client is encrypted (with the session key obtained in the previous step) or sent in the clear. The authentication handshake, however, includes a client-controlled flag that disables this feature, so the attacker (who does not know the session key, because the logon was completed without it by exploiting the first part of Zerologon) can keep sending further requests to the server without restriction, up to resetting the password of the domain controller's own machine account; from there the whole domain, including the domain administrator's credentials, is compromised.</p><p style="text-align:center;"> <img class="maxWidthImage" alt="Zerologon" src="/cz/PublishingImages/news/2020/zerologon-02.jpg" data-themekey="#" style="margin:5px;width:650px;" /> </p> <h2>Patching the vulnerability</h2><p>To prevent exploitation, the security patches have to be applied to all Windows Servers from version 2008 onwards, according to the information available at <a href=""><span lang="EN-GB"></span></a>. After patching, review the System event log on every domain controller for Netlogon events 5827 through 5831, which the August update added to report machine and trust accounts that still rely on vulnerable Netlogon secure channel connections, and fix those devices before the enforcement phase makes the secure channel mandatory.</p><table width="390" style="border-width:0px;border-collapse:collapse;"><tbody><tr><td width="100" align="center" valign="middle"><img alt="Mikuláš Hrdlička, AEC" src="" data-themekey="#" style="margin:5px;border:currentcolor;width:100px;max-width:690px;" /></td><td width="290" align="left" valign="top"><p style="margin:0px 0px 10px;line-height:1.6;"><strong>Mikuláš Hrdlička</strong><br>Cyber Security Specialist<br>AEC a.s.</p></td></tr></tbody></table>
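<p>The Technical details section above explains why an all-zero client challenge is accepted for about one session key in 256 and why roughly 256 repeated logons suffice. The following Python simulation is added here; it is not taken from the article, from Secura's proof of concept or from Microsoft. It shows the CFB-8 mechanics and the brute-force loop end to end, offline. It assumes a SHA-256 based stand-in for the AES block function and a stand-in session-key derivation (both labelled in the code); neither the real Netlogon key derivation nor any network traffic is involved, so it is a model of the cryptographic flaw, not an exploit.</p>

```python
"""Zerologon (CVE-2020-1472) cryptographic flaw, simulated offline.

Added example, not the article's, Secura's or Microsoft's code.
ASSUMPTIONS: block_encrypt stands in for AES-128 and derive_session_key for
the Netlogon session-key derivation; DomainController is a toy model of the
unpatched handshake with no network I/O.
"""
import hashlib
import random

BLOCK_SIZE = 16        # AES block size in bytes
CHALLENGE_SIZE = 8     # Netlogon challenges and credentials are 8 bytes
ZERO_IV = bytes(BLOCK_SIZE)


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # ASSUMPTION: SHA-256 as a keyed stand-in for one AES-128 block encryption.
    # Only the CFB-8 mode matters for the flaw, not the block cipher itself.
    return hashlib.sha256(key + block).digest()[:BLOCK_SIZE]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB-8: per plaintext byte, encrypt the 16-byte shift register, XOR the
    first keystream byte into the byte, then shift the ciphertext byte in."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream = block_encrypt(key, bytes(register))
        c = p ^ keystream[0]
        out.append(c)
        del register[0]
        register.append(c)
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    # The flaw described above: a fixed all-zero IV instead of a fresh one.
    return cfb8_encrypt(session_key, ZERO_IV, challenge)


def zero_credential_collapses(session_key: bytes) -> bool:
    """True when an all-zero challenge yields an all-zero credential under this key.

    With IV = 0 and plaintext = 0 the register stays all zeros as long as each
    keystream byte is 0, so the output is all zeros exactly when the first
    keystream byte is 0: probability 1/256 over random keys."""
    zeros = bytes(CHALLENGE_SIZE)
    return compute_netlogon_credential(session_key, zeros) == zeros


def derive_session_key(secret: bytes, client_challenge: bytes, server_challenge: bytes) -> bytes:
    # ASSUMPTION: stand-in for the Netlogon session-key derivation, which likewise
    # mixes the account's password hash with both challenges.
    return hashlib.sha256(secret + client_challenge + server_challenge).digest()[:BLOCK_SIZE]


class DomainController:
    """Toy server side of the Netlogon handshake with the unpatched behaviour."""

    def __init__(self, machine_secret: bytes, rng: random.Random):
        self.secret = machine_secret
        self.rng = rng

    def server_challenge(self) -> bytes:
        return bytes(self.rng.getrandbits(8) for _ in range(CHALLENGE_SIZE))

    def authenticate(self, client_challenge: bytes, server_challenge: bytes,
                     client_credential: bytes) -> bool:
        key = derive_session_key(self.secret, client_challenge, server_challenge)
        return compute_netlogon_credential(key, client_challenge) == client_credential


def zerologon_attempts(dc: DomainController, max_attempts: int = 10000):
    """Replay the handshake with an all-zero client challenge and an all-zero
    client credential until the DC accepts; returns the attempt count or None."""
    zeros = bytes(CHALLENGE_SIZE)
    for attempt in range(1, max_attempts + 1):
        server_challenge = dc.server_challenge()          # fresh key every time
        if dc.authenticate(zeros, server_challenge, zeros):
            return attempt
    return None


def demo_attempts(seed: int = 2020):
    """Deterministic run against a constructed machine secret."""
    dc = DomainController(b"machine-account-secret (constructed)", random.Random(seed))
    return zerologon_attempts(dc)


if __name__ == "__main__":
    print(f"all-zero credential accepted after {demo_attempts()} handshakes (expected about 256)")
```

<p>The attacker never learns the session key: it only needs the server to derive, by chance, one of the roughly 1-in-256 keys whose first keystream byte is zero, which is why every attempt uses a new server challenge and why the expected cost is a few hundred cheap RPC calls rather than a cryptographic break.</p>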