The SOC Briefing for Jul 1 - It's Fine


Good morning and welcome to today's briefing.  Starting off with patches and updates to worry about for this week: there is an update on Ripple20 and a suggested read so you know what to expect in the coming months, and VMware is represented as well as NVIDIA and Palo Alto.  A more obscure one concerns Node.js, but it's good to know for anyone that uses it.  Then some active threats and risks to be aware of, such as printers, potential abuse of DLLs in Windows 10 and ransomware for Macs.  Then we'll finish off with what some companies found when moving into China and something I'm sure many feel right now.

   

>> Patches & Updates

Ripple20 Update: When this was brought up in the last briefing, I mentioned that this is one that will impact us all for quite some time.  A week later, and we've got a bit more info on how bad this can be.  I highly recommend reading this over to see what patches are available and which devices are impacted.  "The most common types of equipment identified by Forescout to run Treck code are infusion pumps, printers, UPS (uninterruptible power supply) systems, networking equipment, point-of-sale devices, IP cameras, video conferencing systems, building automation devices, and ICS devices."

[ ] For You: This is something I recommend everyone take seriously and keep a close eye on for developments.  Run a risk assessment on any devices you have that are part of this and make decisions to reduce or eliminate that risk.

https://www.bleepingcomputer.com/news/security/list-of-ripple20-vulnerability-advisories-patches-and...

  

VMware Products: Multiple vulnerabilities have recently been found in ESXi, Workstation, and Fusion, including a critical bug that impacts Workstation and Fusion.  "The critical security issue tracked as CVE-2020-3962 is a use-after-free flaw in the SVGA device that could allow local attackers to execute arbitrary code on the hypervisor from a virtual machine after successful exploitation."

[ ] For You: There are multiple versions, so they aren't listed here.  If you use ESXi, Workstation or Fusion, either push out updates or use the workaround available.

https://www.bleepingcomputer.com/news/security/vmware-fixes-critical-vulnerability-in-workstation-an...

https://www.vmware.com/security/advisories/VMSA-2020-0015.html

  

NVIDIA June 2020: If you're using an NVIDIA graphics card on either Windows or Linux, there are updates to apply: the flaws could lead to multiple issues, such as denial of service, info disclosure or escalation of privileges.  "By abusing these vulnerabilities, attackers can escalate privileges to gain permissions above the initial default ones granted by the OS, to render unpatched machines temporarily unusable by triggering denial-of-service states, or to locally execute malicious code on compromised Windows and Linux systems."

[ ] For You: The main thing to know is these aren't remotely exploitable; the attacker has to have access to the machine.  Use that to adjust your risk assessment, but since updates are available, these are easy to fix as well.  Links to each CVE are in the article for more info.

https://www.bleepingcomputer.com/news/security/nvidia-patches-high-severity-flaws-in-windows-linux-d...

  

Palo Alto Firewalls and VPNs: A PAN-OS vulnerability has been found that receives a score of 10 out of 10 on the CVSS scale and allows an attacker to bypass authentication.  "If successfully exploited the vulnerability creates a means for an unauthenticated, remote attacker to obtain access to “protected resources” within a network, network security utility firm Tenable notes. “The most ideal target, in this case, is Palo Alto Networks’ GlobalProtect VPN,” it warns in a blog post."

[ ] For You: While it comes across as a big issue, there are a few things that limit it quickly.  First, the attacker needs to have access to the network server.  Second, you need to have SAML-based authentication enabled, which is often used for SSO capabilities.  As with my other recommendations, perform a risk assessment to gauge your risk.  No proof-of-concept or known malicious attacks are known at this time.  There isn't a patch at this time.

https://portswigger.net/daily-swig/red-alert-palo-alto-firewall-authentication-bypass-flaw-ripe-for-...

  

Node.js url-regex Library: This will probably impact any development shops using Node.js.  If you have code using this package, know that it hasn't been patched: it was reported on April 26 and the developers haven't replied.  "The ReDoS (Regular Expression Denial of Service) vulnerability in url-regex kicks in when the attacker provides a very long and invalid string to the expression parser, according to a proof-of-concept Baugh provided to Snyk.io’s vulnerability database. An attacker can exploit this vulnerability to “cause the service to excessively consume CPU, resulting in a denial of service,” Baugh wrote."

[ ] For You: If you're using this, remove it.  Multiple projects and services have already replaced this library with a different one that offers the same functionality.  This is why, if you do development work and rely on outside code and libraries, you should check them regularly for updates and confirm the maintainers are still maintaining them.  Supply-chain attacks are only going to get more popular.

https://portswigger.net/daily-swig/unpatched-regex-bug-leaves-node-js-apps-open-to-redos-attacks
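As an added example, not code from url-regex, Snyk or the article: the catastrophic backtracking behind a ReDoS is the same in Python's `re` engine as in Node's, so the shape of the problem and the usual defences (a length cap applied before the regex ever runs, and a pattern rewritten without the nested quantifier) are shown here in Python. The `^(a+)+$` pattern and the 2048-character cap are constructed for the illustration; they are not url-regex's pattern or any value from the page.

```python
import re
import time

# Constructed pattern with a nested quantifier: the classic shape that makes a
# backtracking engine try exponentially many ways to split an input that
# ultimately fails to match. Not the url-regex pattern, only the same failure
# mode in miniature.
VULNERABLE = re.compile(r"^(a+)+$")
# Same language ("one or more a"), written without the ambiguity.
SAFE = re.compile(r"^a+$")

# Hypothetical limit; pick one that covers the longest legitimate value your
# service should accept (a URL field rarely needs more than a few KB).
MAX_INPUT_LEN = 2048


def guarded_match(pattern, text, max_len=MAX_INPUT_LEN):
    """Return True/False for a match, or None if the input exceeds max_len.

    The length check runs before the regex engine sees the string, so an
    attacker-chosen oversized input costs O(1) instead of exponential time.
    """
    if len(text) > max_len:
        return None
    return pattern.fullmatch(text) is not None


def timed_match(pattern, text):
    """Match and return (matched, seconds) so growth can be observed."""
    start = time.perf_counter()
    matched = pattern.fullmatch(text) is not None
    return matched, time.perf_counter() - start


def growth_ratio(pattern, short_n=10, long_n=16):
    """Time a failing input of long_n vs short_n characters.

    For the vulnerable pattern each extra character roughly doubles the work,
    so the ratio is large; for the safe pattern it stays close to 1.
    """
    _, t_short = timed_match(pattern, "a" * short_n + "!")
    _, t_long = timed_match(pattern, "a" * long_n + "!")
    return t_long / max(t_short, 1e-9)


if __name__ == "__main__":
    print("vulnerable pattern growth ratio:", round(growth_ratio(VULNERABLE), 1))
    print("safe pattern growth ratio:", round(growth_ratio(SAFE), 1))
    # Oversized input is refused without running the regex at all.
    print("oversized input:", guarded_match(VULNERABLE, "a" * 5000 + "!"))
```

The length cap is the cheap, engine-independent fix and is what you can apply today in front of any third-party regex you cannot rewrite; rewriting the pattern so that no two quantifiers can compete for the same characters is the proper fix. Python 3.11 and newer also accept possessive quantifiers and atomic groups, which stop the engine from backtracking into a group it has already matched.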

  

>> Current Risks & Attacks

Online Printers: Shadowserver Foundation, a non-profit group focused on improving cybersecurity, has released a report on scanning all available IPv4 addresses, and found A TON of printers with their Internet Printing Protocol (IPP) port exposed.  "For starters, Shadowserver experts say this port can be used for intelligence gathering. This was possible because a large percentage of IPP-capable printers returned additional information about themselves, such as printer names, locations, models, firmware versions, organization names, and even WiFi network names."

[ ] For You: Simply put, leaving any device on your network connected to the internet without protections in place, and without preventing it from sharing more than it should, opens you up to attack.  If you have to offer this, limit what info the device has, restrict what it shares and make sure it's fully segregated from your network.

https://www.zdnet.com/article/80000-printers-are-exposing-their-ipp-port-online/
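The report's point is that an exposed IPP port answers a Get-Printer-Attributes request with a description of the device. As an added example (my code, not Shadowserver's or the article's), here is a small Python encoder and decoder for the IPP attribute encoding of RFC 8010, used to check which identifying attributes a response hands out; when auditing your own printers you would feed the parser the reply your printer returns. The sample response, the printer values in it and the IDENTIFYING attribute set are constructed for the illustration.

```python
import struct

# Delimiter and value tags from the IPP encoding (RFC 8010).
OPERATION_ATTRS = 0x01
PRINTER_ATTRS = 0x04
END_OF_ATTRS = 0x03
TAG_TEXT = 0x41      # textWithoutLanguage
TAG_NAME = 0x42      # nameWithoutLanguage
TAG_KEYWORD = 0x44
TAG_CHARSET = 0x47
TAG_LANGUAGE = 0x48

# Attributes that describe the device and its surroundings. This set is an
# assumption for the example; extend it with whatever your fleet reports.
IDENTIFYING = {
    "printer-name", "printer-location", "printer-info",
    "printer-make-and-model", "printer-organization", "printer-wifi-ssid",
}


def encode_attr(tag, name, value):
    """Encode one value: tag, name-length, name, value-length, value."""
    n, v = name.encode("utf-8"), value.encode("utf-8")
    return struct.pack(">BH", tag, len(n)) + n + struct.pack(">H", len(v)) + v


def build_response(printer_attrs, request_id=1):
    """Build a successful-ok Get-Printer-Attributes response (constructed test data).

    printer_attrs is a list of (tag, name, value-or-list-of-values).
    """
    out = struct.pack(">BBHI", 2, 0, 0x0000, request_id)  # version 2.0, status, request-id
    out += bytes([OPERATION_ATTRS])
    out += encode_attr(TAG_CHARSET, "attributes-charset", "utf-8")
    out += encode_attr(TAG_LANGUAGE, "attributes-natural-language", "en")
    out += bytes([PRINTER_ATTRS])
    for tag, name, value in printer_attrs:
        values = value if isinstance(value, list) else [value]
        out += encode_attr(tag, name, values[0])
        for extra in values[1:]:           # additional values carry an empty name
            out += encode_attr(tag, "", extra)
    return out + bytes([END_OF_ATTRS])


def parse_response(data):
    """Return (status_code, {group_tag: {attr_name: [values]}}) for an IPP response."""
    if len(data) < 8:
        raise ValueError("truncated IPP header")
    _major, _minor, status, _request_id = struct.unpack_from(">BBHI", data, 0)
    pos, groups, current, last_name = 8, {}, None, None
    while pos < len(data):
        tag = data[pos]
        pos += 1
        if tag == END_OF_ATTRS:
            return status, groups
        if tag < 0x10:                     # delimiter tag: a new attribute group begins
            current = groups.setdefault(tag, {})
            continue
        if current is None:
            raise ValueError("value tag before any attribute group")
        (nlen,) = struct.unpack_from(">H", data, pos)
        pos += 2
        name = data[pos:pos + nlen].decode("utf-8")
        pos += nlen
        (vlen,) = struct.unpack_from(">H", data, pos)
        pos += 2
        raw = data[pos:pos + vlen]
        pos += vlen
        if len(raw) != vlen:
            raise ValueError("truncated attribute value")
        if nlen == 0:                      # additional value of the previous attribute
            name = last_name
        else:
            last_name = name
        current.setdefault(name, []).append(raw.decode("utf-8", "replace"))
    raise ValueError("missing end-of-attributes tag")


def is_well_formed(data):
    """True if the bytes parse as a complete IPP response."""
    try:
        parse_response(data)
        return True
    except (ValueError, struct.error):
        return False


def exposed_identifiers(data):
    """Which identifying printer attributes does this response hand out?"""
    _status, groups = parse_response(data)
    printer = groups.get(PRINTER_ATTRS, {})
    return {name: vals for name, vals in printer.items() if name in IDENTIFYING}


# Constructed response a hypothetical office printer might return.
SAMPLE = build_response([
    (TAG_NAME, "printer-name", "Finance-Floor2"),
    (TAG_TEXT, "printer-location", "Building A, room 204"),
    (TAG_TEXT, "printer-make-and-model", "ExampleCorp LaserPrinter 9000"),
    (TAG_NAME, "printer-wifi-ssid", "CORP-OFFICE-WIFI"),
    (TAG_KEYWORD, "printer-state-reasons", "none"),
    (TAG_KEYWORD, "document-format-supported", ["application/pdf", "image/jpeg"]),
])

if __name__ == "__main__":
    for name, values in exposed_identifiers(SAMPLE).items():
        print(f"{name}: {', '.join(values)}")
```

Everything the parser prints for the sample is what an unauthenticated client on the Internet would learn from a printer that exposes its IPP port; the fix is not to trim these attributes but to keep the port off the Internet, and then to trim the location and SSID strings for the clients that legitimately remain.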

  

Windows 10 DLL Hijacking: There is a list that currently has 287 EXEs and 263 DLLs that are at risk of abuse for privilege escalation and bypassing UAC.  "The vulnerability referred to here is relative path DLL hijacking, which is when an attacker can cause a legitimate Windows executable to load an arbitrary DLL of the attacker’s choice, most likely with malicious intent. DLL hijacking attacks can prove useful to a skilled attacker as they grant capabilities such as arbitrary code execution, privilege escalation, and persistence on the target system."

[ ] For You: It's important to know these techniques aren't 100% reliable and there are many conditions (listed in the article) that make this difficult to abuse, such as different Windows 10 builds or needing EXEs that don't require arguments.  There are also a few ways you can monitor for such attacks.  It's articles like these that show why knowing about theoretical attacks is important: you can risk-assess them against your network and consider options before they're used against you.

https://www.bleepingcomputer.com/news/security/almost-300-windows-10-executables-vulnerable-to-dll-h...

  

EvilQuest Mac Ransomware: For those with Macs, make sure your users, friends or family are careful where they get their software.  "EvilQuest, first discovered by security researcher Dinesh Devadoss, goes beyond the normal encryption capabilities for run-of-the-mill ransomware, including the ability to deploy a keylogger (for monitoring what’s typed into devices) and the capability to steal cryptocurrency wallets on the victims’ systems. EvilQuest samples have been found in various versions of pirated software, which are being shared on BitTorrent file-sharing sites."

[ ] For You: An easy way to avoid this is not to try to get things for free from shady sites.  I feel it's important to continue to highlight when there are threats against Macs or similar devices, since some tend to think they're "immune" to malware.  Nothing is 100% safe.

https://threatpost.com/evilquest-mac-ransomware-keylogger-crypto-wallet-stealing/157034/

  

>> In the World

Backdoor in Tax Software: For those who are looking to expand into China, or are supporting companies that have operations in China, make sure to check things out so you don't get caught with installing a backdoor in your network.  "The cautionary tale, detailed in a report published Thursday, said the software package, called Intelligent Tax and produced by Beijing-based Aisino Corporation, worked as advertised. Behind the scenes, it also installed a separate program that covertly allowed its creators to remotely execute commands or software of their choice on the infected computer. It was also digitally signed by a Windows trusted certificate."

[ ] For You: Things are dangerous in the wide world out there, so it's good to keep a healthy dose of skepticism and caution.  Relaying articles like this to upper management helps build the case that IT and/or Security need to be involved in big changes to ensure what's happening is safe for the business.

https://arstechnica.com/information-technology/2020/06/chinese-bank-requires-foreign-firm-to-install...

  

It's Fine

This is how I felt twice at the bank before I left, and I'm sure many here are feeling this too.

  

Stay safe. Stay cautious.

That's all that I have for today. If you want to keep up with more stories as I find them, you can find me in the Spiceworks Unofficial Discord. I'll see you at the next brief.

Which was the most impactful to you?



22 Replies

· · ·
MichaelMTallman
Datil

Ooooh, first vote and first comment ;)

I just got asked last Friday if I was interested in a 700 device Win7 -> Win10 upgrade project.  Considering I'm out of work, I might just do it to help do my part to practice safe computing.  

11
· · ·
Robert5205
Mace

MichaelMTallman wrote:

Ooooh, first vote and first comment ;)

I just got asked last Friday if I was interested in a 700 device Win7 -> Win10 upgrade project.  Considering I'm out of work, I might just do it to help do my part to practice safe computing.  

Better late than never. But better never late!

7
· · ·
MarkPayton
Thai Pepper

Tough call today on what's most important for me. Thanks for these briefings. They are invaluable!

5
· · ·
BiscuitKing
Mace

MarkPayton wrote:

Tough call today on what's most important for me. Thanks for these briefings. They are invaluable!

I am having a tough time trying to decide which item to vote for as well.

3
· · ·
Jimmy T.
Mace

MarkPayton wrote:

Tough call today on what's most important for me. Thanks for these briefings. They are invaluable!

BiscuitKing wrote:

MarkPayton wrote:

Tough call today on what's most important for me. Thanks for these briefings. They are invaluable!

I am having a tough time trying to decide which item to vote for as well.

That's good to hear!  It means I'm picking the right items to share!

1
· · ·
Astimov
Tabasco

At least they're not still using XP. It's all on fire

3
· · ·
Milerky2
Cayenne

PCs haven't been secure since Windows 3.1 debuted... stupid network stacks.

2
· · ·
Marvinthedepressedrobot
Thai Pepper

Ahhhh Ripple20..... I made jokes about my new favorite flavor of ice cream, but you are turning out to be the COVID of the digital world.

1
· · ·
DSumpter
Jalapeno

Thanks again for the info.

2
· · ·
Bweber93
Habanero

Thanks Jimmy!

1
· · ·
GeekyLibrarian
Datil

Thanks, Jimmy.

1
· · ·
Jimmy T.
Mace

DSumpter wrote:

Thanks again for the info.

Bweber93 wrote:

Thanks Jimmy!

GeekyLibrarian wrote:

Thanks, Jimmy.

You're all welcome!

1
· · ·
Tim_Myth
Tabasco

Job I just left was almost all Win 7 devices (including IT's). Every year for the last 3 years I pointed out the need to upgrade. Every year it was denied. I suspect most businesses won't move on this until there are stories in the evening news about companies being hacked through Windows 7 devices.

The China thing is kinda scary. The new job is eying that market. I wonder if I can insist on a separate division with separate accounting and separate networks?

Edited Jul 1, 2020 at 16:57 UTC
2
· · ·
Jimmy T.
Mace

Tim_Myth wrote:

The China thing is kinda scary. The new job is eying that market. I wonder if I can insist on a separate division with separate accounting and separate networks?

I suggest bringing that up to management, Tim_Myth; it's the reason I shared this one.  As IT, I felt it was my responsibility to inform management of the risks and help them understand those risks so they have the info they need to make the decisions.

2
· · ·
John5152
Datil

I can never pick the most useful story so I voted for the cartoon!

1
· · ·
Cerbere
Tabasco

Thanks for your work, Jimmy.

I just found this on Naked Security. One more thing to take care of.

Microsoft issues critical fixes for booby-trapped images – update now!

2
· · ·
ShanePlus
Serrano

The "It's Fine" meme is easily my favorite one. Well played. Ha.

2
· · ·
ajh2
Poblano

Astimov, I was with a company that was still using Windows XP on all their PCs until about three years ago.  We got four ransomware infections that took out every device on the network over the course of two months and required days of reimaging PCs each time before my boss finally allowed us to upgrade to Windows 10.

1
· · ·
Astimov
Tabasco

ajh2 wrote:

Astimov, I was with a company that was still using Windows XP on all their PCs until about three years ago.  We got four ransomware infections that took out every device on the network over the course of two months and required days of reimaging PCs each time before my boss finally allowed us to upgrade to Windows 10.

That's messed up

1
· · ·
Kelly for Trusted Tech Team
Chipotle

Brand Representative for Trusted Tech Team

Oh boy... *anxiety increases*

1
· · ·
Tiffany for Vonage
Jalapeno

Brand Representative for Vonage

Oof. Both the picture for this post and the comic were spot-on. You're doing great work though, thank you so much for these updates!

1
· · ·
Sage_AJ
Datil

Yes it is all fine.

1