Wasssssup?

In ITC's Threat of the Week

The Greeks knew it, the Carthaginians knew it and you knew it. This week’s missive would at least start with a discussion around the shrieking headlines regarding a vulnerability in the ever so popular, free to use (ahem) communications tool, WhatsApp.

Hopefully we can take this discussion in a sensible(ish) direction without serving up lashings of Fear, Uncertainty and Doubt. Often the three pillars of cyber security sales.

As any punter will tell you (and often do, leading to lip biting and staring at one’s shoes), WhatsApp is secure because it encrypts your sordid, innocent and everything in between messages ‘end to end’. However, WhatsApp has serious access to your device’s facilities and also (unlike Wire or Telegram for instance) accepts inbound calls from World+Dog.

Any security person worth their salt will tell you that this is a ‘Permit ANY’ rule, and they, as you will know dear readers, are responsible for Worlds of Pain. In the security person’s world, pain in this case can mean either the English (think Game Of Thrones) pain or the French, leading to paid work.

And so it transpires that a highly reputable, not at all shady, Israeli outfit called the NSO Group, who make no secret of being able to jack mobile devices but have a licence to sell their warez to Nation States only, have exploited the ability of WhatsApp to accept inbound traffic from anyone to buffer overflow the session handling and deploy a really nasty payload they call Pegasus (turn on your camera, record you, access your files, infect all your applications, pretend to be you, the full shebang and more besides).

Pegasus, apparently because it can fly in and be a trojan horse. See what they did there? They have been at this for ages. Check this out from 2016, or indeed our very own blog about the same.

Nobody should be surprised, and unless you are being targeted by a Nation State, this current revelation should not worry you.

What should worry you however, is that criminals nefarious and manifest (mwahahaha), will of course be looking to exploit weaknesses like this, and probably have been for some time. If it can be broken, it will be broken.

Which brings us nicely onto the peril that is Microsoft’s Remote Desktop Protocol (RDP).

This week, Microsoft issued emergency patches for older versions of its Operating Systems because an exploit against RDP is viable and ‘wormable’ (think WannaCry).

Our fantastic SOC team released this Threat Horizon report, which sums the issue up perfectly, saving us the bother here, thank you very much.

Compared with the WhatsApp issue, this is much more serious to your business (unless of course you are working in Human Rights in the Gulf). So many businesses have RDP servers facing the Internet, another example of ‘Permit ANY’, and don’t know that they have. These may have been set up in the distant past by a third party or sysadmin for support and just left gathering dust. They are on the verge of being weaponised, almost certainly in untargeted, collateral-damage scenarios, just like WannaCry. If only Marcus hadn’t pleaded guilty, he could save the day again. Is he feeling sorry for himself? Does he want to…?

It is absolutely crucial that you identify and patch these systems. On the inside of your network, a Vulnerability Intelligence (scanning in old money) tool is essential. On your Internet facing ranges, a VI tool will also work, but if you do not have access to one (money’s too tight to mention), you could do worse than having a look at the Shodan page to see if you might be amongst the afflicted. The Shodan tool is massively flexible, useful and a lifesaver.
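An added example of the ‘find the ones you forgot about’ step, not code from this post or from ITC: it reconciles Shodan-style exposure records with the list of RDP hosts the business thinks it exposes on purpose, so the dusty forgotten ones stand out. The record fields, the IP addresses and the inventory are all constructed assumptions for the demo.

```python
"""Reconcile external exposure records (Shodan-style JSON) against an internal
inventory of deliberately exposed hosts, to find Internet-facing RDP listeners
nobody knew about. Constructed sample data; no network access needed."""
import json
import socket

RDP_PORT = 3389

# Constructed sample: the shape mirrors a Shodan host search export (one record
# per open service), trimmed to the fields used here. IPs are documentation ranges.
SAMPLE_SHODAN_JSON = """
[
  {"ip_str": "203.0.113.10", "port": 3389, "product": "Remote Desktop Protocol", "os": "Windows Server 2008 R2"},
  {"ip_str": "203.0.113.10", "port": 443,  "product": "nginx",                   "os": null},
  {"ip_str": "203.0.113.25", "port": 3389, "product": "Remote Desktop Protocol", "os": "Windows 7"},
  {"ip_str": "203.0.113.40", "port": 22,   "product": "OpenSSH",                 "os": null}
]
"""

# Constructed sample: what the sysadmins believe is exposed on purpose.
KNOWN_RDP_HOSTS = {"203.0.113.10"}


def rdp_exposures(records):
    """All IPs in the exposure records that have an RDP (TCP/3389) listener."""
    return {r["ip_str"] for r in records if r.get("port") == RDP_PORT}


def unknown_rdp_exposures(records, known_hosts):
    """Exposed RDP hosts that are missing from the inventory: the forgotten ones."""
    return sorted(rdp_exposures(records) - set(known_hosts))


def rdp_listening(host, timeout=2.0):
    """Live confirmation on a host you own: True if TCP/3389 accepts a connection.
    Not used by the offline demo below."""
    try:
        with socket.create_connection((host, RDP_PORT), timeout=timeout):
            return True
    except OSError:
        return False


def report(shodan_json, known_hosts):
    """Parse the export and return the unrecorded RDP exposures, sorted by IP."""
    return unknown_rdp_exposures(json.loads(shodan_json), known_hosts)


if __name__ == "__main__":
    for ip in report(SAMPLE_SHODAN_JSON, KNOWN_RDP_HOSTS):
        print(f"Unrecorded Internet-facing RDP listener: {ip} (turn it off if you can find it)")
```

Anything the script reports is a candidate for the VI tool's patch list, or for simply being switched off.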

ITC managed services customers will be advised of their exposure together with recommended remedial activity (‘turn it off if you can find it’). If you are not currently a managed services customer and would like some help, please contact us at: [email protected] or call 020 7517 3900.

Author: Kevin Whelan
