Microsoft BugFixes April

Microsoft Fixes 66 Bugs in April Patch Tuesday Release

Target: Users using the affected software.

Attack Vector: Various methods of delivery.

Summary: Microsoft Patch Tuesday updates have been released for April, covering 66 CVE-listed vulnerabilities, 24 of which are rated critical. The number of patches is fewer than recently observed; however, the number of vulnerabilities rated critical has increased by almost 50 percent, the majority of these being in browsers and browser-related technologies. The security updates were rolled out across numerous pieces of software, with elevation of privilege, security feature bypass and remote code execution vulnerabilities making up a large portion of this month’s release.

One of the most notable flaws Microsoft addressed is an elevation of privilege bug, CVE-2018-1034, which could allow an authenticated attacker to install programs, access stored data or create new accounts with full user rights on Windows 7 and Server 2008 R2 machines. Five font-based flaws were also a major focus for Microsoft this month; they could allow attackers to take control of the victim’s system through specially crafted websites and fonts. Furthermore, a Microsoft Wireless Keyboard 850 Security Feature Bypass Vulnerability, CVE-2018-8117, has also been observed, which could allow an attacker to log keystrokes.

Risk assessment summary: The threat is assessed as 4c LOW. Although there are several vulnerabilities in this release which could potentially be exploited by actors, and an increase in critical vulnerabilities compared to last month, there is only one zero-day flaw. This flaw is identified as CVE-2018-1034, which is most likely used for cross-site scripting attacks. The elevation of privilege vulnerability leaves at risk those users who installed the security updates in January, and can only be fixed by the user installing the new service updates. The Microsoft Wireless Keyboard 850 Security Feature Bypass Vulnerability has been patched by Microsoft, who have enhanced the security by mandating unique AES encryption keys. The last vulnerability detailed is the remote code execution flaw in the Microsoft Malware Protection Engine; Microsoft released an emergency patch to mitigate this flaw earlier in the week.

FireEye M-Trends Report 2018

The M-Trends 2018 report covers incidents and investigations undertaken by Mandiant, a FireEye subsidiary, from 1st October 2016 to 30th September 2017. The wide-ranging report highlights dwell time, given as the number of days between the first evidence of an attack and its discovery; the rise of Iranian APT groups; the problems associated with legacy systems; and the re-attack rate, defined as the proportion of companies that were successfully attacked again within a year of a previous significant attack. The figures are given by region and industry, which gives some useful insights; however, the report does suffer from the limitation that it is solely reliant on Mandiant’s industry view, which is acknowledged in the report.

Strategic assessment:

Dwell time statistics give a concerning view of the threats seen by Mandiant, and are perhaps useful in their marketing. The dwell time statistics show that although a significant number of threats are detected within 30 days, there are spikes of activity at the three-month and one-year marks. Globally, the median dwell time for 2017 was 101 days, which is the first yearly increase since Mandiant began releasing figures in 2011. This suggests a global detection issue.

The report also details the strategic overview of new APT activity discovered by FireEye, with high-level TTPs covered. APT32 through to APT35 are mentioned, with a separate focus on Iranian actors and APT35.

According to Mandiant, the number of attacks originating from threat actors sponsored by Iran has significantly increased. The groups are thought to leverage strategic web compromises (SWC) to ensnare more victims, with persistence across multiple organisations for months and sometimes years. Home-grown custom malware is used in both destructive attacks and espionage campaigns. With reference to PUPYRAT, the report details an attack methodology used by the group to steal credentials, which even showed a level of adaptation to accommodate cloud migration trends as companies moved to off-premises email solutions.

In a segment titled “Once a target, always a target”, FireEye quantify the subsequent risk of a follow-up significant cyberattack, taken to mean activity that may include data theft, compromised accounts, credential harvesting, lateral movement and spear phishing. Nearly half of customers with at least one significant attack were successfully attacked again within one year. However, there is a big geographical divide in this statistic: over 91% of Mandiant’s APAC customers with at least one significant attack will see attacker activity within the next year, compared to 44% in the Americas and 47% in EMEA.

High tech, telecommunications, and education top the charts for the number of attack groups and the number of significant attacks by different threat actors, although the financial, high tech and healthcare sectors saw the highest number of significant attacks. Although the industry preference identified could to some extent reflect Mandiant’s customer base rather than pure attacker preferences, it supports similar findings by other vendors.

2.4 Customer Records

Target, the major retailer, was hacked on Black Friday in 2013. Over 40 million debit card accounts were scooped up. The data was not encrypted. Groups of Target customers filed suit, claiming that “Target failed to implement and maintain reasonable security procedures and practices.” Roll forward to 2015, when Target paid out $10 million to customers as a result of the lawsuits. This $10 million does not include the costs of notification, legal costs, loss of goodwill among existing customers, and the effect on Target’s reputation in the marketplace.

2.3 Human Resources (HR) Records

The largest HR or personnel records breach (a break-in with theft or manipulation of data) in history occurred in 2015 at the United States Office of Personnel Management, or OPM for short. The breach involved the theft of 21.5 million US government employee records along with 5.6 million fingerprint records. Keep in mind that these records contain the contents of the SF86, a questionnaire completed when applying for a security clearance, and include information not only about the applicant but also about their extended families and neighbours. It is rumoured that the Chinese are using the information from these records to put together a “Facebook” of US government and military personnel that can be used to put pressure on them or co-opt them.

This breach was a classic case of risk versus reward. Enough golden eggs (records) existed in one place with the potential for enough damage that they were highly sought after and justified the expenditure of almost any effort to obtain them.

Access was obtained through a breach of a US Government contractor who had access and, unfortunately, less security to get through. We, the defensive team (the good guys), failed to encrypt the records, disperse the records (so they were not all in one place), and keep non-current records offline. To make matters worse, the intrusion was not detected for a long period of time.

2.2 Medical Records

Medical records are worth about ten times what credit card numbers are on the black market. “Why?” you ask. Because medical records can be used to file fraudulent claims, and it takes much longer to realize your medical records have been compromised than to notice a problem with your credit card number. This time differential, combined with the relatively poor cyber security of hospitals, provides hackers with a very lucrative market.

Note that medical records fall under HIPAA. HIPAA is the Health Insurance Portability and Accountability Act—you probably signed a form at your doctor’s office. Health providers are legally obligated to take reasonable steps to protect your healthcare information. Penalties are based on the level of negligence and can range from $100 to $50,000 per violation. This is capped at $1.5 million per year for violations of each HIPAA provision.

Why Should I Care About Cyber Security?

Good cyber security is tedious and expensive. For businesses, though, the alternative is loss of customer goodwill and the potential closing of the business. On the personal side, the inconvenience of identity theft, data loss, and invasion of privacy exacts a heavy toll on your finances and your time. The result is an unfair burden on small businesses and individuals. It is important to recognize that this is the way it is, this is the world we live in, and to accept a personal, even if limited, role as a good data steward and protector. This article discusses a select few of the cyber security incidents of the last couple of years in various categories, to help you understand the magnitude and variety of what’s out there.

By being aware of the targets, potential attacks, and the defensive tools you have, you can diminish the hacker’s perceived relative gain for the time spent on you. For example, if a hacker determined that the profit was only a few cents per hour for the time spent, the hacker would find something more lucrative to do. In time, if we (the defensive team, the good guys) diligently protect ourselves, the sheer number of hackers and attacks will be reduced. The rest of the battle will become easier to defend against and we might even be able to track down those few remaining bad actors.

1.5 Post Attack

After a successful attack, there is work to be done in the areas of forensics, legal, insurance (hopefully purchased before the attack), damage assessment, and target cleanup/validation. In addition, policies and defences must be examined to figure out what went wrong and how to do a better job next time.

It might be hard to get motivated and started on your defensive measures if you don’t know why cyber security matters. Read on!

1.4 Defensive

You or your team (the home team, the good guys) need to stop the offensive; otherwise the bad actors will win. The defensive has tactics that can be used to prevent a cyber security breach:

  1. Training and education
  2. Policies and procedures
  3. Law enforcement agreements
  4. Information sharing
  5. Threat intelligence
  6. Counter intelligence
  7. Hardware and software
  8. Current patches and techniques to improve security
  9. Encrypted data and hard drives on anything mobile—those things that are easily lost or stolen, such as phones, tablets, and laptops

1.3 Offensive

Think football. This is the other team, the one wanting your data or wanting to do damage to you. The offensive has different plays that it can run, such as distributed denial of service (DDoS) attacks, phishing and spear phishing, malware, social engineering, software and hardware flaws, and insider threat. We’ll be calling the offensive “bad actors” or “hackers” throughout this article.

1.2 Targets

The target is what the attack is directed against. The primary target is whatever the main objective is: think data, data, data. The intermediate target is the hacker’s means of reaching the primary target. Intermediate targets include a network or network appliance, server, workstation, and mobile device (tablet, laptop, phone). Also included are infrastructure devices such as network-connected thermostats, circuit boards, and the software applications that run them. Many different types of devices are now connected to the Internet and controlled using webpage-based interfaces. These devices can be particularly susceptible targets unless proper investment is made in producing secure program code.

Data is the end goal of attacking a target. Data can take many forms. A few examples are records in a database containing customer data or health records, data files such as word processing documents or drawings of intellectual property, your GPS location, the words being said in a conference room, your personal credit card information or that of your customers, and even video information.