RCE on DC? Defender for Identity saves the day
In this month’s ‘Patch Tuesday’ (so many bugs, so little time), Microsoft announced a patch for a critical remote code execution vulnerability (RCE) in the Windows Print Spooler, CVE-2021-1675. Exploitation requires local or remote access to the vulnerable host, and Admin privileges were said to be potentially easily available; with no public disclosure or exploit code in the wild, however, the risk was very much theoretical.
That was at least until the very smart/not so smart researchers at Chinese security outfit QiAnXin leaked details of just how to exploit the bug via its ‘RedDrip Team’ Twitter channel – it really is not very difficult.
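For readers who want a quick inventory before the patch lands, here is an added example (our own, not from the original post or from Microsoft) that lists every domain controller in the domain and reports whether the Print Spooler service is running on it. It assumes the ActiveDirectory RSAT module is installed, that the account running it can query the DCs remotely, and Windows PowerShell 5.1 (the -ComputerName parameter on Get-Service was removed in PowerShell 7).

```powershell
# Added example: report Print Spooler state on every domain controller.
# Assumptions: ActiveDirectory RSAT module present, remote service query
# permitted to each DC, Windows PowerShell 5.1.
Import-Module ActiveDirectory

# Enumerate all DCs in the current domain by DNS host name.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$report = foreach ($dc in $dcs) {
    try {
        $svc = Get-Service -Name Spooler -ComputerName $dc -ErrorAction Stop
        [PSCustomObject]@{
            DomainController = $dc
            SpoolerStatus    = $svc.Status      # Running / Stopped
            StartType        = $svc.StartType   # Automatic / Manual / Disabled
        }
    }
    catch {
        # Unreachable DCs are still worth knowing about; record the error rather than skipping.
        [PSCustomObject]@{
            DomainController = $dc
            SpoolerStatus    = "Unreachable: $($_.Exception.Message)"
            StartType        = $null
        }
    }
}

# Running spoolers on DCs are the ones to look at first while the patch is rolled out.
$report | Sort-Object SpoolerStatus | Format-Table -AutoSize
```

Any DC showing Spooler as Running with an Automatic start type is a host where the patch should go on first; a DC that does not serve printers has no reason to run the service at all, and that is a conversation worth having with whoever owns it.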
The rabbit holes that one goes down when writing a blog are many and varied. In this case a few of them went something like this:
What is the difference between the Windows Print Spooler and the Unix Line Printer Daemon? We are sure there is one because way back in the day a COBOL programmer (they still exist by the way, very highly paid on account of most of them being deceased) had some issues with network printing that required fixing.
The main difference (and how relieved we were to not be going mad) is that the Windows Print Spooler is tightly integrated with the Windows Graphical API (the Graphics Device Interface). Well, that makes sense, doesn’t it, what with the interface being graphical and all! Readers wishing to take themselves back to the tortuous days of COBOL programming lectures, or even worse, actual COBOL programming, can fill their bootstraps here zzzz.
And why are UNIX service programs called daemons (spelt like that) anyway? Turns out that daemon, an ancient spelling of the word demon, means attendant (and also genius, surprisingly, since they are often very much not). Those legacy geeks were nothing if not well read and bearded.
Anyhow we digress. The real issue here is that this sort of monster bug which has obviously been around for eons, possibly even part of some outfits’ Zero Day toolkit, is perfect for not just privilege escalation but also for lateral infection. We all know the MO by now, reconnoitre, infect, spread, damage/exfiltrate/go up or down the supply chain or just sit there watching and waiting.
Good news then that Tiberium’s MSSP Services FROST and MYTHIC quickly identify vulnerable hosts (until they are patched, which in this case is obviously a priority) and they can be automatically quarantined or removed from the network if they appear to be compromised.
Detecting persistent threats on your domain controllers and hybrid-joined on-prem/cloud environment is facilitated by Microsoft Defender for Identity (formerly known as Azure Advanced Threat Protection), which is integrated into our services (E5 licence dependent, Obvs).
Domain controller remote code execution aside, another ripe target for this vulnerability is your on-prem SCCM. It has highly privileged access to all your servers to deploy patches…maybe a rogue update might slip in? muhahaa.
Deploying Defender for Endpoint and Tiberium’s managed service effectively manages this risk. The direction of travel and roadmap for these products is very compelling. Bugs in old code notwithstanding!
Tiberium’s playbooks and workflow, which use Microsoft Teams (by default) to engage with your team (no pun intended), are unique and are, in our view, a game changer. Click here to get in touch and let us show you the magic!
This week, in a first for any Cloud security provider, “MITRE’s Centre for Threat-Informed Defence (CTID) and Microsoft have jointly rolled out Security Stack Mappings for Azure, aimed at bringing the former’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework into the latter’s cloud platform”.
In our opinion, this is A Very Good Thing, and although other vendors will no doubt follow suit, this illustrates Microsoft’s commitment to measurable, actionable security going forwards. The Great Architects of our platform saw this some time ago and this is why our platform is Azure Sentinel based. This will no doubt facilitate future innovation and integration. That is what Tiberium is about.
As regular readers know, we always try and look out for friends and family, especially aged relatives. There is a very mysterious nasty doing the rounds which is deleting all of the data from Western Digital MyBook Live backup devices – basically network-connected disk drives with a bit of software, sold at a massive premium. Many of these devices are connected to the Internet and of course will store valuable data: pictures of the grandchildren, incriminating evidence on the Husband, you get the picture (or hopefully not).
The advice is that if you have a MyBook Live, or if any of your friends or family do, unplug them from The Internet for now, as recommended by the esteemed, we are not worthy, Brian Krebs Esq.
We can make changes.
If we open up we’ll see… the history they sell us
Holds the structure firm, reinforce the mold.
We need to strip it all away…
Who knew? Make sure you make changes – get patching.
Have a great weekend. Fingers crossed for England.