As usual, there have been a number of announcements regarding Microsoft vulnerabilities and risks over the last few weeks. This episode, however, is different from the usual list of critical patched or patchable issues and brings some serious underlying problems to light.
In this blog we will endeavour to put the pieces together in order to illustrate the potential risk and identify prioritised mitigation strategies to Prevent, Detect and React.
In the third week of September (this year), it was announced that a very, very serious vulnerability had been lurking in the Microsoft Netlogon Remote Protocol, one which enables an attacker to provide a password of all zeros and gain Administrator privileges. It was very well documented by Microsoft and the industry press in spades (here at Tiberium we can detect Netlogon exploit attempts using Sentinel).
Fortunately for the highly efficient, the issue was patched in the August 2020 Patch Tuesday; however, we all know that in real life patching may not be, shall we say, optimised. This has left a truckload of Domain Controllers vulnerable, for the most part hiding in plain sight: unloved, uncared for and just waiting to be busted by the exploit code that is very widely circulating on the Interwebs.
What a lot of people do not realise is that the patch only fixed one of two issues with Netlogon, and the second issue will not be fixed (according to Microsoft) until February 2021.
You read that right.
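Once the August 2020 update is installed, a Domain Controller starts writing Netlogon secure-channel events to its Security log, and those events are what tell you which devices are still talking to it the vulnerable way before the second, enforcement stage lands. The script below is an added example, not part of the original post or of Tiberium's platform: it takes a flattened export of those events and produces a prioritised remediation list. The event IDs 5827 to 5831 are the ones Microsoft documents for this update; the export line format, the account names and the operating system strings are constructed for the example and are not real DC output.

```python
"""
Triage of Netlogon secure-channel events (CVE-2020-1472) from a Domain Controller
Security log export. Event IDs are the ones Microsoft documents for the August 2020
update; the log line format and sample data are constructed for this example.
"""
import re
from collections import defaultdict

# Meaning of each documented Netlogon event ID after the August 2020 update.
NETLOGON_EVENTS = {
    5827: ("denied", "vulnerable connection from a machine account was denied"),
    5828: ("denied", "vulnerable connection from a trust account was denied"),
    5829: ("allowed", "vulnerable connection allowed (enforcement not yet on)"),
    5830: ("exception", "vulnerable machine-account connection allowed by group policy"),
    5831: ("exception", "vulnerable trust-account connection allowed by group policy"),
}

# Constructed sample export (assumed format): "<EventID> account=<name> os=<text>".
SAMPLE_LOG = """\
4624 account=jsmith os=Windows 10
5829 account=OLDPRINT01$ os=Windows Server 2003
5829 account=OLDPRINT01$ os=Windows Server 2003
5829 account=NAS-LEGACY$ os=Linux Samba
5827 account=OLDAPP07$ os=Windows Server 2003
5830 account=MEDSCAN02$ os=Windows Embedded
4672 account=jsmith os=Windows 10
"""

LINE_RE = re.compile(r"^(?P<id>\d+)\s+account=(?P<account>\S+)\s+os=(?P<os>.*)$")


def parse_events(text):
    """Yield (event_id, account, os) for well-formed lines; silently skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group("id")), m.group("account"), m.group("os")


def triage(text):
    """Group accounts by Netlogon outcome, counting how often each was seen."""
    buckets = {
        "denied": defaultdict(int),
        "allowed": defaultdict(int),
        "exception": defaultdict(int),
    }
    os_seen = {}
    for event_id, account, os_name in parse_events(text):
        if event_id not in NETLOGON_EVENTS:
            continue  # unrelated Security event (logon, privilege use, ...)
        bucket, _ = NETLOGON_EVENTS[event_id]
        buckets[bucket][account] += 1
        os_seen[account] = os_name
    return buckets, os_seen


def remediation_list(text):
    """Accounts that are already being refused, or that still work only because
    enforcement is not yet on (5829) and will be refused once it is.
    Most frequently seen first, then by name."""
    buckets, os_seen = triage(text)
    items = []
    for account, count in buckets["allowed"].items():
        items.append((account, os_seen[account], count, "will be denied once enforcement is on"))
    for account, count in buckets["denied"].items():
        items.append((account, os_seen[account], count, "already being denied"))
    return sorted(items, key=lambda item: (-item[2], item[0]))


if __name__ == "__main__":
    for account, os_name, count, note in remediation_list(SAMPLE_LOG):
        print(f"{account:14} {os_name:22} x{count:<3} {note}")
```

Read the output as a to-do list rather than an alert feed: every account under "will be denied once enforcement is on" is a device that works today and will stop authenticating when the enforcement stage arrives, so it needs patching, replacing or a deliberate exception before then. Accounts that only appear in the exception bucket (5830 and 5831) are a risk someone has already accepted; those are worth reviewing, because each one is a machine the DC will keep accepting vulnerable connections from.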
Old code, new tricks??
We all know that a lot of old code is running everywhere: servers, workstations, routers, Internet of Things devices, Software and Platform as a Service offerings, everywhere. Much of this, predominantly outside of Microsoft, is open source code which can be examined and deconstructed by hackers and then used against itself – SSL library vulnerabilities, like Heartbleed (https://heartbleed.com/), being a classic example.
Eagle-eyed security types will have noticed the leak of the Windows XP (amongst Microsoft’s best work IOHU) source code on 4Chan on September the 24th. This was not all that was released, as many will know. The package included Windows 2000, Embedded (CE 3, CE 4, CE 5, CE 7), Windows NT (3.5 and 4), XP, and Server 2003.
The implications of this are obviously extremely serious. Embedded Windows (Cashpoints, POS machines, medical scanners, tanks, submarines, etc. etc.) are clearly in the crosshairs of hackers looking to profit or wreak havoc (for the fun of it).
The Walking Dead (AKA Windows 2003 Server)
As for Windows 2003... How many businesses have 2003 servers humming away doing something mysterious with a “DO NOT TURN THIS OFF” sticker, Internet facing and everything? (The answer is LOADS.) You will also fail Cyber Essentials if you still use 2003 servers, as they are unsupported; this means you would not be able to supply public sector customers or be in their supply chain.
We have seen primary schools hit with ransomware via external-facing RDP servers – state, inner-city primary schools with no money and loads of vulnerable kids at that. What terrible scumbags.
The attack surface is being magnified as you read this
In the face of these risks, knowing that you are exposed poses the question ‘what can I do to make an effective difference, manage my business risk, quantify and measure progress?’.
You may have a multitude of security products which can Prevent, Detect and React to any security issue. You may have them running like a Swiss watch, but times have changed, and the threat to your business has changed with them.
Here at Tiberium we have built a world-class, innovative and efficient platform to Prevent, Detect and React to attacks against your systems. We can automate remediation, prioritise patching, and provide reporting on your security posture, backed up by an exceptional team of very experienced engineers and consultants.
We would welcome the opportunity to show you our wares and talk security. Any time. Please contact us if you would like a demo of our services or have any questions.