Category Archives: Advice for SMEs

Puzzling: Five years old critical vulnerabilities exploited in November 2017

26 November 2017

Section Exploited Vulnerabilities of the Recorded Future Cyber Daily is sometimes really frightening. On November 9th, 2017, 249 successful exploits of CVE-2012-1823, a vulnerability in PHP, were recorded. This is hard to believe because CVE-2012-1823 was published on May 11th, 2012. Although a patch was available at the date of publication, it seems that the operators of this systems were not able to implement them within the past five years.

However, it would have been of urgent need in this case. CVE-2012-1823 is a so-called RCE (Remote Code Execution) vulnerability, which allows remote attackers to execute arbitrary code on a victim’s computer, and, in the worst case, to hijack the victim’s network.

RCE vulnerabilities are included in the critical vulnerabilities. Critical vulnerabilities are

  • exploitable from the network
  • need only low or medium skills to exploit
  • need no authentication
  • cause great damage, have high severity
  • allow remote attackers to execute arbitrary code on the victims computer

If an application system is operated in the DMZ, critical vulnerabilities must be patched directly upon publication to prevent attackers from getting onto your network. Or at least, between the time of publication and an exploit or proof of concept shows up. Since examples of how to exploit this PHP vulnerability were available in early May 2012, immediate action was required.

The big question is: Why were this vulnerable PHP versions not directly patched?

Exploitation of older vulnerabilities is not an isolated case. The HPE 2016 Cyber Risk Report shows, that in 2016

  • 47% of successful exploits use five or more years old vulnerabilities.
  • 68% of successful exploits use three or more years old vulnerabilities, 47% of them were critical vulnerabilities.
  • Stuxnet, CVE-2010-2568, was used in 29% of successful exploits.

An analysis of the critical vulnerabilities by vendors shows, that more critical vulnerabilities were found in non-Microsoft products than in Microsoft products.

Critical vulnerabilities 2010 - 2016

Critical vulnerabilities 2010 – 2016 by vendors. Click to enlarge.

But automated patch management is only available for Microsoft and few of the other vendors’ (e.g. Adobe, Oracle, SAP) products. Thus, we can expect that many critical vulnerabilities remain unpatched, which results in an ever-growing pool of opportunities for cyber criminals.

An ever growing pool of opportunities

An ever-growing pool of opportunities. Click to enlarge.

1) For the chart above I assumed that 50% of critical vulnerabilities remain unpatched. This assumption is based on the analysis of the 2017 NIST NVD data as of August 31st, 2017.

Since no automated patch management exists for PHP we can expect, that CVE-2012-1823 was rarely patched. But the worst is yet to come: From the HPE 2016 Cyber Risk Report we learn, that even six years old Microsoft vulnerabilities (Stuxnet, CVE-2010-2568) are not patched.

How to tackle this issue? From my point of view, the cause is compliance driven security. We often do patching of everything to meet compliance with a certain standard, instead of focusing on the real important issues, e.g., the critical vulnerabilities. Or, in other words, we close a lot of mouse holes while the barn door remains wide open.

WIth this, we must move from patching to vulnerability management, and priority patching for the critical vulnerabilities. Through a differentiated inspection of vulnerabilities we get out of the patch treadmill and can start working on the important cyber security issues.

By the way, if you haven’t subscribed to the Recorded Future Cyber Daily yet, consider to do it this week.

Have a great week.

Advertisements

AutoIt Scripting Used By Overlay Malware to Bypass AV Detection

13 November 2017

Seven Phases Cyber Kill Chain

Cyber Kill Chain

Anti-Virus (AV) protection works fine if the attacker uses a well-known malware, e.g. Locky, or one of its variants. In this case, the AV scan engine computes the fingerprint of the malicious object and checks it against its fingerprint database. Since a fingerprint is available, the attack is stopped in the delivery phase of a cyber attack the latest.

In the case of the AutoIt Overlay Malware the attacker hides the pattern in an AutoIt script which results in a modified fingerprint. Since this fingerprint is not known in the database the AV scan engine cannot stop the attack. For details about the AutoIt Overlay Malware see this excellent report by Gadi Ostrovsky published on November 8, 2017 in the IBM Security Intelligence blog

Anti-Virus evasion techniques are well known for years. Thus companies are well advised to rely not only on an anti-malware system in their endpoint protection strategy.

My favorite add-on to Anti-Malware systems is still Blue Ridge Networks AppGuard because its available for consumers as well as for businesses. AppGuard would block the AutoIt Overlay Malware during the installation phase the latest because it just blocks the execution of whatever objects from inside a user’s home directory.

Have a great week.

Microsoft announces unbreakable Edge Browser with Windows 10 Fall Creators Update

4 November 2017

On 13 July 2015 Bromium announced a partnership with Microsoft to integrate the Bromium micro-virtualization technology in Windows 10. Two years later, on 23 October 2017, Microsoft announced the Windows 10 Fall Creators Update. With this update, Microsoft enhances Systems Center Endpoint Protection by many new security functions. The Bromium micro-virtualization technology is integrated in Windows Defender Application Guard (WDAG):

Windows Defender Application Guard makes Microsoft Edge the most secure browser for enterprise by hardware isolating the browser away from your apps, data, network and even Windows itself. WDAG protects your Microsoft Edge browsing sessions so if users encounter malware or hacking attempts while online they won’t impact the rest of your PC.

This sounds very promising! For details see this post published on 23 October 2017 in the Windows Security blog.

Unfortunately, currently only enterprise customers benefit from WDAG. I would appreciate it if Microsoft would integrate WDAG as soon as possible in all Windows versions to allow consumers and small businesses to benefit from WDAG as well.

Have a great weekend.

New vulnerability in SIMATIC WINCC systems – Don’t Panic!

20 October 2017

Yesterday morning I found a notification about a new vulnerability in Siemens SIMATIC WINCC systems from the manufacturer’s product CERT on LinkedIn. CVE-2017-6867 is network exploitable, thus every WINCC system that is accessible from the internet is potentially vulnerable. But that is no reason for panic.

A closer look at the CVE details revealed that the vulnerability “could allow an authenticated, remote attacker who is member of the “administrators” group to crash services by sending specially crafted messages to the DCOM interface”.

To be honest, it is not worth studying more details. To exploit this vulnerability, the attacker needs to be a member of the administrators group of the WINCC system.

But why should the attacker send specially crafted messages to the DCOM interface if he can easily compromise the entire SCADA network by leveraging windows built-in utilities? 

Moreover, it’s not worth patching this vulnerability immediately, if at all. If patching is required due to compliance reasons, it can wait until the next scheduled maintenance.

This endless stream of new vulnerabilities pulls us away from doing the right and important things, e.g. implementing good account and password practice in the SCADA active directory.

Have a great weekend.

Top secret information about Australia’s military hacked – SME’s overstretched with Cyber Security Frameworks

15 October 2017

Lisa Martins report Top secret information about Australias military hacked, published on October 12th, 2017 at news.com.au, about a one year old attack on an Australian defense contractor is another example that small businesses are technically and organizationally overstretched with the challenges of cyber security.

The best approach for SMEs would be to set up a cyber security framework like the NIST Cyber Security Framework or an ISO 27001 based framework. But the effort to do this is for small businesses just too high.

For SMEs to stay ahead of the cyber security curve a light version of such frameworks is required, with focus put on actively managing the risk.

The Strategies to Mitigate Cyber Security Incidents of the Australian Signals Directorate (ASD) puts focus on the basics. If carefully implemented and regularly assessed, the security level goes up and this kind of attacks are no longer possible. Even large businesses can raise their security level when implementing the ASDs recommendations.

But when it comes to critical infrastructures a full implementation of a cyber security frameworks is the only way to survive in the long-term. By the way, the first task in the NIST CSF core is asset management…

Have a great week.

Critical vulnerabilities require immediate action – How to prevent Equifax like attacks

23 September 2017

Critical Vulnerabilities are

  • exploitable from the network (Access Vector: Network),
  • require only low or medium skills to exploit (Access Complexity: Low or Medium),
  • require no authentication (Authentication: None),
  • cause great damage (Severity: High), and
  • allow remote attackers to execute arbitrary code on the victims’ computer

Among the vulnerabilities with CVSS vector (AV:N/AC:L/Au:N) or (AV:N/AC:M/Au:N) which cause great damage the last property makes the difference.

The infographic below shows that the number of critical vulnerabilities (320) is very small compared to the total number of vulnerabilities in 2016.

Critical Vulnerabilities 2016

Critical vulnerabilities 2016. Click to enlarge.

Nevertheless, immediate action is required because the reach of attacks is technically unlimited if critical vulnerabilities can be exploited.

Once an attacker has exploited a critical vulnerability in the DMZ he is able to execute arbitrary code on this computer. With this, he can probe the network for other computers with critical vulnerabilities or leverage Windows built-in weaknesses, configuration issues, and tools to explore the network until he finally gets to a computer which has a connection across a firewall to the company network.

Both, NotPetya and WannaCry exploited critical vulnerabilities. While WannaCry was just annoying, NotPetya caused multi-million dollar damage in companies across the world.

Mitigation

The TEAM approach for handling risks shows the direction for dealing with critical vulnerabilities.

Transfer: No insurer will take the risk because in the case of a critical vulnerability on a server in the DMZ both the probability of occurrence and the impact are high.

Eliminate: Is not possible, because this will result in loss of business.

Accept: No option because the probability of occurrence and the impact are high.

Mitigate: Patching is the only possible response in this case. Isolation of the system from the network will result in loss of business.

Urgency

Under normal conditions, patches are available at the time of disclosure.

Rule: Critical vulnerabilities should be patched faster than exploits show up on the market.

With this, immediate action is required because very often exploits are available yet at the time of disclosure. In addition, we cannot expect that only ethical hackers publish vulnerabilities.

Equifax

Critical Vulnerabilities Mitigation Process

Critical vulnerabilities mitigation process.

In the Equifax attack the critical vulnerability CVE-2017-5638 in the Apache Struts framework was used. A patch was available at the time of disclosure but apparently not applied.

Patching the Apache Struts framework is a challenging job.

Firstly, it is a challenge to identify the systems with the vulnerable framework installed.

Secondly, patches must be carefully tested prior implementation to avoid business loss.

Finally, the patches must be implemented manually because automated patch management is not available.

Thus, an up-to-date asset repository, a current QA system, and actual automated test routines are required to get the job done in the required short time frame.

To be honest, the Equifax attack remains a mystery for me. The IT shop of a billion dollar company should be able to deal with critical vulnerabilities in the required short time. Perhaps someone simply underestimated the risk.

For more details on the Equifax attack see Steven Bellovin’s post Preliminary Thoughts on the Equifax Hack published at CircleID.

Have a great weekend.

German firms lost millions of euros in ‘CEO Fraud’ scam: BSI

23 July 2017

The report ‘German firms lost millions of euros in ‘CEO Fraud’ scam: BSI’ published in the Reuters Technology News on 10 July 2017 makes me really worry. Whaling, a special form of spear phishing aimed on corporate executives, is not new at all. For some samples see this slide show on CIO.com.

It appears to me that in Germany the first line of defense, the employees, are not adequately prepared in the detection and the correct handling of phishing attacks, even though anti-phishing training is the most effective and cost efficient defensive measure in the fight against all kinds of phishing.

In addition, some rules are helpful and should be communicated to all employees:

  1. Users should never act on a business request from a company executive if the email is not signed with a company owned and valid email certificate.
  2. Users should never trust an email of a business partner if it is not signed with the partners valid email certificate.

Technical implementation is very easy, thus even SMB can use email signing in daily communication.

Have a great week.