
Supply chain attacks and Zero-days

The year 2021 has already seen several high-profile vulnerabilities being actively exploited in big
and popular software, including Microsoft Exchange and SolarWinds Orion.
Experience shows that in some cases it is already too late to patch after only a few days.
Many organizations work with a guideline of patching within 30 days when the vendor rates the
update as important; the delay is there to verify that the patch does not cause any
adverse effects. The need for a vigilant vulnerability management process that continuously triages
published vulnerabilities is becoming clear.

Some of the issues published lately are supply chain attacks, where an attacker manipulates
products or product delivery mechanisms before they reach the final consumer, and the exploitation of
previously unknown vulnerabilities (so-called zero-days). Defending against these attacks is in
some cases not possible, or at least demands such a high level of security that it is often difficult
to stay productive and profitable. In some cases it seems the best an organization
can do is to not be the weakest link and the easiest target.

It is important to prepare for an attack and to have a plan for incident response. Perform exercises.
Adopt a security framework in order to engage in continuous improvement of the security
posture.

0-days in Microsoft Exchange servers


Published: 2021-03-02
CVE-2021-26855
CVE-2021-26857
CVE-2021-26858 
CVE-2021-27065 

“Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, the threat actor used these vulnerabilities to access on-premises Exchange servers which enabled access to email accounts, and allowed installation of additional malware to facilitate long-term access to victim environments.”

As these vulnerabilities are currently being exploited in targeted attacks, patching should be done as soon as possible.
Along with attack details and information about these vulnerabilities, Microsoft also published how to scan Exchange log files for indicators of compromise, which is also recommended.

Update 2021-03-07: There are now many published exploits for these vulnerabilities. Patching is not enough; one must also investigate for potential breaches.
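As an added example (not part of the original post): a PowerShell script that runs the four log checks Microsoft published alongside the advisory, one per CVE, reconstructed here from that guidance as recalled. It assumes the default Exchange install path under $env:PROGRAMFILES and must be run on the Exchange server itself in an elevated session. Verify the field names and patterns against the MSRC post before relying on them, and prefer Microsoft's own Test-ProxyLogon.ps1 script where available. Any hit is an indicator to investigate, not proof of compromise; the absence of hits does not prove the server is clean, since logs may have been rotated or cleaned.

```powershell
# Added example: indicator-of-compromise checks for the March 2021 Exchange 0-days.
# Assumes the default Exchange (V15) install path; run elevated on the Exchange server.
$ExchangeLogs = Join-Path $env:PROGRAMFILES 'Microsoft\Exchange Server\V15\Logging'

# CVE-2021-26855 (SSRF): HttpProxy requests with no authenticated user whose
# AnchorMailbox looks like "ServerInfo~<host>/<path>" are characteristic of the attack.
# Import-Csv skips the '#'-prefixed header lines in these logs.
$HttpProxyLogs = Get-ChildItem -Recurse -Path (Join-Path $ExchangeLogs 'HttpProxy') -Filter '*.log' -ErrorAction SilentlyContinue
$Ssrf = foreach ($log in $HttpProxyLogs) {
    Import-Csv -Path $log.FullName |
        Where-Object { $_.AuthenticatedUser -eq '' -and $_.AnchorMailbox -like 'ServerInfo~*/*' } |
        Select-Object DateTime, AnchorMailbox
}

# CVE-2021-26857 (Unified Messaging deserialization): InvalidCastException errors
# logged by the UM service in the Application event log.
$Deser = Get-EventLog -LogName Application -Source 'MSExchange Unified Messaging' -EntryType Error -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*System.InvalidCastException*' }

# CVE-2021-26858 (arbitrary file write via OAB): failed downloads in the OABGenerator log.
$OabWrite = Select-String -Path (Join-Path $ExchangeLogs 'OABGeneratorLog\*.log') `
    -Pattern 'Download failed and temporary file' -ErrorAction SilentlyContinue

# CVE-2021-27065 (arbitrary file write via ECP): virtual-directory changes in the ECP
# server logs, which is how the observed attacks dropped web shells.
$EcpWrite = Select-String -Path (Join-Path $ExchangeLogs 'ECP\Server\*.log') `
    -Pattern 'Set-.+VirtualDirectory' -ErrorAction SilentlyContinue

# Summary first, then the raw matches for triage.
[PSCustomObject]@{
    'CVE-2021-26855 SSRF hits'       = @($Ssrf).Count
    'CVE-2021-26857 UM errors'       = @($Deser).Count
    'CVE-2021-26858 OAB hits'        = @($OabWrite).Count
    'CVE-2021-27065 ECP hits'        = @($EcpWrite).Count
} | Format-List

$Ssrf     | Sort-Object DateTime | Format-Table -AutoSize
$Deser    | Select-Object TimeGenerated, Message | Format-List
$OabWrite | Select-Object Filename, LineNumber, Line
$EcpWrite | Select-Object Filename, LineNumber, Line
```

Run this before and after patching: a positive result on a patched server still means the pre-patch window has to be investigated, and a web shell dropped via CVE-2021-27065 survives the update.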

Internally this is being tracked in BF-VLN-2229454.

Centreon IT monitoring software and Russian Sandworm hackers

Basefarm has become aware of published news reporting that Russian-attributed advanced persistent threat actors, known as Sandworm, have exploited Centreon IT monitoring software. Basefarm is aware that some news reports mention Orange on the customer list of Centreon, and while Basefarm is owned by Orange Business Services we would like to make it very clear that Basefarm does not use Centreon software.

From an article: “The French national cyber-security agency has linked a series of attacks that resulted in the breach of multiple French IT providers over a span of four years to the Russian-backed Sandworm hacking group.” and “… it is not yet clear if the attackers exploited a vulnerability in the exposed Centreon software or the victims were compromised through a supply chain attack.”.

If Basefarm is made aware of any Centreon installations hosted within its managed hosting, Basefarm will work together with that customer.

Microsoft Windows Multiple Security Updates Affecting TCP/IP | CVE-2021-24074, CVE-2021-24094, and CVE-2021-24086

Published: 2021-02-09
MITRE CVE-2021-24074
MITRE CVE-2021-24094
MITRE CVE-2021-24086

“Microsoft released a set of fixes affecting Windows TCP/IP implementation that include two Critical Remote Code Execution (RCE) vulnerabilities (CVE-2021-24074, CVE-2021-24094) and an Important Denial of Service (DoS) vulnerability (CVE-2021-24086). The two RCE vulnerabilities are complex which make it difficult to create functional exploits, so they are not likely in the short term. We believe attackers will be able to create DoS exploits much more quickly and expect all three issues might be exploited with a DoS attack shortly after release. Thus, we recommend customers move quickly to apply Windows security updates this month.”

The CVSS base scores are 9.8, 9.8 and 7.5 respectively.

All have potential workarounds that should have a minimal operational impact.

Currently there is no exploit in the wild. If an exploit is published, these vulnerabilities will become critical to mitigate as fast as possible.

We are tracking this internally as BF-VLN-2216447 with the highest priority and are currently evaluating these vulnerabilities and how best to handle them while ensuring operational stability for all our customers.

For further general details we point to the Microsoft Security Response Center blog post about the topic.
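As an added example, not from the original post or from the MSRC article itself: a PowerShell snippet that records the current state, applies the two netsh-based workarounds as recalled from Microsoft's guidance (drop IPv4 source-routed packets for CVE-2021-24074; disable IPv6 packet reassembly for CVE-2021-24094 and CVE-2021-24086), and shows the commands to revert once the February update is installed. The exact values are an assumption to be verified against the MSRC post before rollout; in particular, a reassembly limit of 0 drops all fragmented IPv6 traffic, so test it first where IPv6 is in production use.

```powershell
# Added example: inspect and apply the Microsoft workarounds for the February 2021
# Windows TCP/IP fixes. Run in an elevated session. Setting values are as recalled
# from the MSRC guidance; confirm them against the post before use.

function Show-TcpIpWorkaroundState {
    # Pulls the two relevant lines out of the netsh global settings.
    [PSCustomObject]@{
        IPv4SourceRouting   = (netsh int ipv4 show global | Select-String 'Source Routing Behavior').Line.Trim()
        IPv6ReassemblyLimit = (netsh int ipv6 show global | Select-String 'Reassembly Limit').Line.Trim()
    }
}

function Enable-TcpIpWorkarounds {
    # CVE-2021-24074: discard IPv4 source-routed packets instead of merely not
    # forwarding them. Source routing is practically never legitimate, so this is low risk.
    netsh int ipv4 set global sourceroutingbehavior=drop

    # CVE-2021-24094 / CVE-2021-24086: disable IPv6 fragment reassembly. Fragmented
    # IPv6 packets will be dropped, so expect an impact on IPv6 traffic that relies on them.
    netsh int ipv6 set global reassemblylimit=0
}

function Disable-TcpIpWorkarounds {
    # Restore the defaults after the security update has been installed and verified.
    netsh int ipv4 set global sourceroutingbehavior=dontforward
    netsh int ipv6 set global reassemblylimit=267748640
}

# Typical use: capture the state for the change record, apply, and confirm.
Show-TcpIpWorkaroundState
Enable-TcpIpWorkarounds
Show-TcpIpWorkaroundState
```

Keep the output of the first Show-TcpIpWorkaroundState call with the change ticket: if a system turns out not to have had the default values, Disable-TcpIpWorkarounds should restore what was actually there rather than the assumed defaults.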

Don’t get caught in the cold with ransomware

(Screenshot: RanSim results before prevention is enabled)

Ransomware is sadly the trend these days. We want to share a cheap and effective way to enable prevention that most organizations probably fail to consider.

Using the ransomware simulator RanSim from KnowBe4, we could see that our endpoints previously had no prevention in place.

An easy way to reduce the attack surface for ransomware is to use the built-in feature in Windows 10 and Windows Server 2019 called “Controlled Folder Access”. It can be managed with any of the following:

  • Windows Security app
  • Microsoft Intune
  • Mobile Device Management (MDM)
  • Microsoft Endpoint Configuration Manager
  • Group Policy
  • PowerShell
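
Using the PowerShell option from the list above, here is an added example (not code from the original post) of rolling out Controlled Folder Access in a way that surfaces false positives before enforcing: start in audit mode, add the folders to protect, read the audit events, allow the legitimate applications they reveal, and only then switch to block mode. It assumes an elevated session with Microsoft Defender Antivirus active; the folder and application paths are hypothetical placeholders.

```powershell
# Added example: staged rollout of Controlled Folder Access (CFA) with the Defender cmdlets.
# Requires an elevated session and Microsoft Defender Antivirus as the active AV.
$TestFolder = 'C:\RanSimTest'                             # hypothetical folder the simulator writes to
$TrustedApp = 'C:\Program Files\LineOfBusiness\app.exe'   # hypothetical legitimate app CFA flagged

# 1. Current state: 0 = Disabled, 1 = Enabled (block), 2 = Audit mode.
(Get-MpPreference).EnableControlledFolderAccess

# 2. Start in audit mode: nothing is blocked, but every write that would have been
#    blocked is logged, which is how you find legitimate apps before users notice.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 3. Protect additional folders beyond the defaults (Documents, Pictures, etc.).
Add-MpPreference -ControlledFolderAccessProtectedFolders $TestFolder

# 4. Review what audit mode recorded. Event ID 1124 = would have been blocked (audit),
#    1123 = blocked (enforce mode). The message names the process and the target file.
$cfaEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -ErrorAction SilentlyContinue
$cfaEvents | Select-Object TimeCreated, Id, Message | Format-List

# 5. Allow the legitimate applications that showed up in step 4. Allow-listing is per
#    executable path, so keep the list short and review it periodically.
Add-MpPreference -ControlledFolderAccessAllowedApplications $TrustedApp

# 6. Enforce, then confirm the effective configuration.
Set-MpPreference -EnableControlledFolderAccess Enabled
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders,
    ControlledFolderAccessAllowedApplications | Format-List
```

Re-run the simulator after step 6 and compare the 1123 events with the simulator's own report; a test scenario that is blocked while a legitimate application is not is the outcome you want.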

More information can be found in Microsoft's documentation on Controlled Folder Access.

Our results after enabling this prevention (and adding RanSim's test folder to the protected folders) look a lot better.

The report also notes a few actions that were denied but should not have been, but testing did not show any impact on the user experience; this only affected this particular untrusted application.

(Screenshot: RanSim results after prevention is enabled)

CVE-2021-3156 | Heap-Based Buffer Overflow in Sudo

Published: 2021-01-26
MITRE CVE-2021-3156

“The Qualys Research Team has discovered a heap overflow vulnerability in sudo, a near-ubiquitous utility available on major Unix-like operating systems. Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host.”

This is especially bad in multi-user environments where some users have login access but should not have root access.

Thanks to a responsible and coordinated vulnerability disclosure on Qualys' part, updated versions should be available for most affected systems. This vulnerability will probably affect most systems that make use of the sudo command.

The CVSS base score is 7, but during our evaluation we did not agree that no privileges are required. With the vector's “Privileges Required” set to “Low” instead of “None”, the CVSS score is 6.7. We consider this our environmental CVSS score for this vulnerability.

Currently there is no exploit in the wild. If an exploit is published, this vulnerability will become critical to mitigate as fast as possible.

We are tracking this internally as BF-VLN-2208165 with increased priority and have a goal of having all systems patched within 30 days.