Micro Soft Target

 In ITC's Threat of the Week

Over the previous weeks, months and even years you will have read about serious vulnerabilities in Microsoft’s RDP code which appear to be cropping up with increasing regularity.

Only last week we talked about the fact that RDP code is used in the management connectivity for Hyper-V and was vulnerable to fairly straightforward abuse enabling an attacker to traverse hosts on a V Server, a bug which until this was realised, Microsoft had refused to patch.

No doubt soon to be renamed Argh DP (something we have been suggesting for some time), the gift that keeps on giving has been exposed to have multiple wormable vulnerabilities this week and needs to be patched urgently.

ITC’s formidable SOC team have written a Threat Horizon about this which is very thorough and is recommended reading for everyone who has RDP installed, which by our reckoning is pretty much everyone.

You may be aware one of our bugbears is the re-use of code which leads to unforeseen consequences down the line, both in new cloud/container environments and also in legacy systems, the pair together (like the Hyper-V issue) being a perfect storm.

This week the ace security researcher, ubergeek and all round good guy Tavis Ormandy released some incredibly detailed research into how he discovered a bug in a piece of code central to Windows platforms since Windows XP.

Called the CTextFrameWork (CTF) it is at the core of windows instances communicating with each other and could be abused very simply for the last 20 years to escalate privileges, read data, the whole shebang. Nobody has reported this, but that doesn’t mean that parties third have not been doing it since the Jurassic period.

Tavis maintains that legacy bugs are becoming easier to identify due to improved tooling. This can only be a good thing, because if you read his analysis of this issue (and you should if you are geeky enough – here it is again) you will understand that there are not enough people whose brains work like this and have as much time on their hands (i.e. full time) to analyse all the junk code from the past. As Tavis himself references from an unnamed Twitter feed: Sometimes, hacking is just someone spending more time on something than anyone else might reasonably expect.

This bug has been patched (after 20 years) in this month’s Patch Tuesday. One less thing to worry about you poor overworked and underpaid sys-admins.

There has been much sniggering amongst the cyber fraternity about this report ,which talks about a ‘highly sophisticated ransomware virus’ which took the UK’s main forensic services provider (Eurofins Scientific) out of action for a couple of months.

Why the sniggering? Well, the suspicion is that this was probably just ‘a (bog standard) ransomware event’ for which Eurofins was not sufficiently prepared anywhere in the attack process (the kill chain as it is sometimes sickeningly called). Eurofins ended up paying the ransom (always a bad idea), so clearly didn’t have an effective backup and recovery strategy, let alone adequate tooling, processes or user training (probably the most important defence against ransomware) to prevent this attack early on. At least ‘highly sophisticated’ makes the management seem less culpable.

Finally, if you have implemented HTTP/2 services for public consumption, be aware that there are a number of network level bugs which can very simply take your servers off the air (the same servers that can be easily identified using Shodan for instance). The Hacker News has a decent write up here. If you are using HTTP/2 in a public facing capacity, it would be a good place to start if availability is critical for your business.

On which subject, does anyone know what happened to the London Stock Exchange this morning? Hacked, upgrade gone wrong, misconfiguration? The outcome is the same. Availability is everything.

If you would like to discuss any of these pretty serious issues, we are here to help. Please contact us at: [email protected] or call 020 7517 3900.

Author: Kevin Whelan

Recent Posts

Leave a Comment

Tel:
+44 (0) 20 7517 3900