Category Archives: Patch management

Critical Industrial Flaws Pose Patching Headache For Manufacturers

When it comes to patching critical flaws, industrial firms face various challenges - with some needing to shut down entire factories in order to apply updates.

Admins urged to patch Windows Server immediately to close vulnerability

IT administrators are being urged to prioritize installing a security patch for Windows Server that Microsoft issued in August to close a vulnerability in Active Directory.

Dubbed Zerologon, the bug could, if exploited, let an attacker gain a foothold on an internal network to become domain admin with one click. According to security firm Secura, which discovered the bug, all that is required is for a connection to the Domain Controller to be possible from the attacker’s viewpoint.

While the patch has been available for over a month, it’s considered so serious that on Friday the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency order to all federal departments to update all Windows Servers with the domain controller role by midnight tonight Eastern time.

CISA’s Canadian counterpart, the Canadian Centre for Cyber Security (CCCS) warned both public and private sector organizations on Sept. 16 to install the patch immediately.

Tracked as CVE-2020-1472, the exploit occurs when establishing a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol. The Netlogon Remote Protocol (also called MS-NRPC) is an interface that is used exclusively by domain-joined devices. MS-NRPC includes an authentication method and a method of establishing a Netlogon secure channel.

By forging an authentication token for specific Netlogon functionality, an attacker can call a function to set the computer password of the domain controller to a known value. After that, the attacker can use this new password to take control over the domain controller and steal the credentials of a domain admin.

The updates enforce the specified Netlogon client behaviour to use secure RPC with Netlogon secure channel between member computers and Active Directory domain controllers. To provide Active Directory forest protection, all domain controllers must be updated since they will enforce secure RPC with Netlogon secure channel. This includes read-only domain controllers.

The August patch issued by Microsoft is actually the first phase of a fix. Starting with updates to be issued Feb. 9, 2021, enforcement mode will be enabled on all Windows domain controllers, regardless of the registry setting. Domain Controllers will deny vulnerable connections from all non-compliant devices unless they are added to the “Domain controller: Allow vulnerable Netlogon secure channel connections” group policy.
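
An added example, not from the article or from Microsoft: in the phase before enforcement, a patched domain controller logs each vulnerable Netlogon connection, and those events show which devices will be denied later. It assumes System-log event IDs 5827 to 5831 from Microsoft's CVE-2020-1472 guidance (they are not named on this page) and a constructed CSV export whose column names are hypothetical.

```python
import csv
import io
from collections import defaultdict

# System-log events written by the NETLOGON source on a patched DC. The IDs
# are taken from Microsoft's CVE-2020-1472 guidance, not from this article.
DENIED = {5827, 5828}          # vulnerable connection refused (machine / trust account)
ALLOWED = {5829}               # vulnerable connection still allowed before enforcement
POLICY_EXEMPT = {5830, 5831}   # allowed because the account is listed in the group policy

# Constructed sample export; the column names are an assumption of this example.
SAMPLE_EXPORT = """time,event_id,dc,account
2020-09-18T02:14:07,5829,DC01,LEGACY-NAS$
2020-09-18T02:19:44,5829,DC02,legacy-nas$
2020-09-18T03:01:10,5829,DC01,WIN7-LAB04$
2020-09-18T03:05:00,5830,DC01,SCANNER01$
2020-09-18T04:40:31,5827,DC02,OLD-PRINTSRV$
2020-09-18T05:00:00,4624,DC01,ALICE
2020-09-18T05:10:00,not-a-number,DC01,BROKEN$
"""


def classify(event_ids):
    """Map the set of event IDs seen for one account to a remediation status."""
    if event_ids & DENIED:
        return "denied-now"               # already refused by the DC
    if event_ids & ALLOWED:
        return "fix-before-enforcement"   # works today, refused once enforcement is on
    return "policy-exempt"                # stays allowed; residual exposure to track


def triage(csv_text):
    """Return one row per account that made a vulnerable Netlogon connection."""
    seen = defaultdict(lambda: {"ids": set(), "dcs": set(), "times": []})
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            event_id = int(row["event_id"])
        except (KeyError, TypeError, ValueError):
            continue                      # malformed line: skip it, do not abort
        if event_id not in DENIED | ALLOWED | POLICY_EXEMPT:
            continue                      # unrelated event
        entry = seen[row["account"].strip().upper()]
        entry["ids"].add(event_id)
        entry["dcs"].add(row["dc"])
        entry["times"].append(row["time"])
    report = []
    for account, entry in sorted(seen.items()):
        report.append({
            "account": account,
            "status": classify(entry["ids"]),
            "events": len(entry["times"]),
            "dcs": sorted(entry["dcs"]),
            "last_seen": max(entry["times"]),   # ISO 8601 strings sort chronologically
        })
    return report


if __name__ == "__main__":
    for line in triage(SAMPLE_EXPORT):
        print(line)
```

Accounts reported as `fix-before-enforcement` are the ones to update, replace, or deliberately add to the group policy exception before the February 2021 updates.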

The post Admins urged to patch Windows Server immediately to close vulnerability first appeared on IT World Canada.

The History of Common Vulnerabilities and Exposures (CVE)

During the late 1990s, security professionals were using information assurance tools in concert with vulnerability scanners to detect and remove vulnerabilities from the systems for which they are responsible. There’s just one problem – each security vendor has its own database with little to no crossover. Each vendor’s tool generates its own alert for detected […]

The post The History of Common Vulnerabilities and Exposures (CVE) appeared first on The State of Security.

5 Patch Management Best Practices to Safeguard Your Business in 2020

Although patch management is not a novel activity, many organizations are still having a hard time following the industry’s best practices. Since patching is one of the key steps that ensure your proprietary and customers’ data is kept safe, bad patch management habits may have devastating consequences on your business.

A number of the most notable cybersecurity incidents in recent history have had their origins in the lack of patch management best practices. For instance, the WannaCry ransomware outbreak or the Equifax data breach can be traced back to uninstalled patches. These assaults are relevant examples of what can happen when patching is delayed. But don’t take my word for it – you can also review the latest software patching statistics that highlight why software patching is so important.

In some of my previous posts, I also wrote about what patch management is and how you can set up your own patch management policy. In this article, I will take a closer look at patch management best practices that will add a substantial layer of protection to your business.

Why Patch Management is of paramount importance

Gartner predicted that

“99% of the vulnerabilities exploited by the end of 2020 will continue to be ones known by security and IT professionals at the time of the incident.”

As cyber threats are becoming more and more prevalent, it goes without saying that all organizations must be secured from multiple angles – and patch management is one of the main steps towards top-notch cybersecurity.

Following the latest patch management best practices will help you stay on top of your patching game and boost your company’s cybersecurity. But before I jump into the details, I will briefly explain what patching is and how it closes critical security holes in your organization.

What is patch management?

Here is how NIST defines patch management:

“Patch management is the process of identifying, acquiring, installing, and verifying patches for products and systems. Patches correct security and functionality problems in software and firmware. From a security perspective, patches are most often of interest because they are mitigating software flaw vulnerabilities; applying patches to eliminate these vulnerabilities significantly reduces the opportunities for exploitation. Patches serve other purposes than just fixing software flaws; they can also add new features to software and firmware, including security capabilities.”

In essence, due to the fact that vulnerabilities are often found in IT systems, companies routinely release security patches to fix them. Installing these patches (and patch management, in general) is a process widely referred to as patching, which typically addresses IT flaws before they end up being exploited by malicious hackers. Nonetheless, patching does not only involve fixing security issues, but also redressing software glitches, adding new functionalities, ensuring stability, and changing a software’s interface for enhanced user experience.

Referring back to the main point – patch management best practices, that is – below I will list some recommendations that you should follow to ensure your company’s data privacy and security.

Patch Management Best Practices

Managing patches is both a crucial and time-consuming job that many organizations are failing to do effectively at the speed and size expected today. As I’ve previously stated, the main purpose of patch management is to protect your organization and avoid unplanned downtime – or, in other words, to approach the patching process in a proactive manner.

Below you will find five prominent aspects that will help you improve the efficiency and effectiveness of your patching.

#1. Asset inventory

Asset inventory should be the first step in your patching procedure. Knowing your assets will allow you to keep track of all existing hardware and software in your organization so that you are aware of what needs to be patched (the exact in-house and third-party applications and operating systems).

Patch management highly depends on keeping a full inventory of all software installed on each endpoint. At the same time, it’s really important for this repository to not only include the name of the currently installed software but also the exact version and number of installs. The reason why is simple: without knowing all these important details, you will be unable to identify the appropriate patches that need to be deployed. For example, our X-Ploit Resilience lets you do just that, allowing you to view and manage your software inventory and proactively manage vulnerabilities.

#2. Patch management schedules

One of the key aspects when it comes to patching is setting up a clear schedule. Patches should not be applied randomly, whenever you remember or when you find out a vulnerability is being actively exploited in the wild.

Actually, patch management should be a continuous and thorough procedure. In this respect, an automated patch management tool like X-Ploit Resilience will help you save valuable time and resources by scheduling your patches.

#3. Timely patch deployment

The release-to-install time may depend on the severity of the vulnerability and the time spent on testing. Nevertheless, patching should be delayed as little as possible or not at all, as unaddressed vulnerabilities may have dire consequences.

#4. Testing

Installing patches without testing them first carries major risks: it could lead to serious disruptions and sometimes even cause more damage than the security consequences of not patching at all. Every so often, testing and timing may come into conflict, as the testing phase can consume time and resources in an organization – still, it must not be skipped.

Keep in mind that it takes time for your IT staff to test all newly developed patches before pushing them out into the environment. When a patch damages something already in development and needs to be rolled back, deadlines for patching may not be met, so you need to make sure you allow enough time before inserting patches into your live systems to be able to watch out for negative effects.

#5. Reporting

How will a company assess how successful its patch management routine has turned out to be if it’s unable to have a comprehensive analysis over a period of time? Well, this issue can be solved if the patching process is also followed by the appropriate metrics.

With a solution like X-Ploit Resilience you will have extensive vulnerability intelligence at your fingertips and see all software that has been patched, as well as intervene on certain endpoints if needed. Our patching system and reporting work anywhere in the world, within full compliance, and provide you with CVE/CVSS audit trails and extensive lifetime history reporting available through Excel spreadsheets or API.

#6. Automation

Patch management can be done either automatically or manually. Obviously, the latter practice wastes significant amounts of time and resources and makes the entire process burdensome for sysadmins. This is why an automated patch management solution will clear your staff’s schedule and allow them to focus on other tasks, instead of manually deploying patches to your endpoints. In addition, businesses that are able to reduce the amount of time spent on patching can use the money and human resources to deal with other pressing security issues.

According to our findings, thanks to its automation capabilities, X-Ploit Resilience closes system vulnerabilities in enterprise environments, eliminating around 85% of all possible attack vectors.

Conclusion

Traditional security solutions like firewalls and antivirus tools do not have sufficient capabilities to prevent security incidents on their own. This is why an ongoing patching process (alongside other layers of enterprise protection like DNS filtering, Privileged Access Management, and Advanced Email Security) becomes a vital requirement in today’s threat landscape.

Hopefully, I’ve managed to provide you with useful patch management best practices and shed some light on the importance of patching. And if this topic is of interest to you and you’d like to stay in the loop with the latest news around patching, you can also keep an eye on our Patch Tuesday blog section (a.k.a. Microsoft’s monthly security patches) that we’re covering every month.

Would you like to learn more about patch management best practices? Book a free consultation with one of our security experts here!

The post 5 Patch Management Best Practices to Safeguard Your Business in 2020 appeared first on Heimdal Security Blog.

Epiq Ransomware – A Team Effort

What do you get when you combine three virulent cyber attacks? An epiq ransomware case. 

As we have defined it in our Cybersecurity Glossary, ransomware is a type of malware (malicious software) which encrypts all the data on a PC or mobile device, blocking the data owner’s access to it until a ransom demand is fulfilled. As the notorious Epiq ransomware shows, the cybercriminals are getting more and more resourceful when it comes to finding methods for doing more and more harm. 

The name of the Epiq ransomware comes from its original victim – Epiq Global, a company that provides legal services to financial institutions and governments from 80 offices worldwide. The attack took place in March, forcing the company to go globally offline after the ransomware was deployed and began encrypting devices on its network. 

In a press release issued on the 2nd of March, representatives of Epiq declared:

On February 29, we detected unauthorized activity on our systems, which has been confirmed as a ransomware attack. As part of our comprehensive response plan, we immediately took our systems offline globally to contain the threat and began working with a third-party forensic firm to conduct an independent investigation.

Our technical team is working closely with world-class third-party experts to address this matter and bring our systems back online in a secure manner, as quickly as possible.

Federal law enforcement authorities have also been informed and are involved in the investigation.

As always, protecting client and employee information is a critical priority for the company. At this time there is no evidence of any unauthorized transfer or misuse or exfiltration of any data in our possession.

This came after 5 other law firms were hit by the notorious Maze group and, although Epiq claimed that no data were exfiltrated during the March attack, they are now facing “a federal lawsuit in California alleging it is at fault for malware and ransomware attacks that exposed data in violation of the state’s landmark privacy law.” 

Actors of the Epiq ransomware attack – TrickBot, Emotet and Ryuk

Apparently, the Epiq ransomware attack started with a TrickBot infection. Developed in 2016, TrickBot is a banking Trojan that targets Windows machines. A Trojan is a type of malware that acts according to the Greek legend: it camouflages itself as a legitimate file or program to trick unsuspecting users into installing it on their PCs. By doing this, users unknowingly give unauthorized, remote access to the cyber attackers who created and run the Trojan.

The Trojan TrickBot comes in modules and is accompanied by a configuration file. The modules have specific tasks: gaining persistence, propagation, stealing credentials, encryption etc. The malware will communicate with TrickBot’s command and control infrastructure in order to exfiltrate data and receive tasks, but the end-users won’t notice any sign of an infection. TrickBot usually gets in a network via malicious spam campaigns, laterally by using the EternalBlue exploit or through infected attachments and embedded URLs. Trojan.TrickBot can also be a secondary infection dropped by Trojan.Emotet, an old cybersecurity threat. 

As BleepingComputer writes, 

Once TrickBot is installed, it will harvest various data, including passwords, files, and cookies, from a compromised computer and will then try to spread laterally throughout a network to gather more data. When done harvesting data on a network, TrickBot will open a reverse shell to the Ryuk operators. The Ryuk Actors will then have access to the infected computer and begin to perform reconnaissance of the network. After gaining administrator credentials, they will deploy the ransomware on the network’s devices using PowerShell Empire or PSExec. In Epiq Global’s case, Ryuk was deployed on their network on Saturday morning, February 29th, 2020, when the ransomware began encrypting files on infected computers.

When the ransomware encrypts the files, it creates a ransom note called RyukReadMe.txt in any folder, and every file that is encrypted has the .RYK extension appended to it. 
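
The two file-system indicators named above can be swept for during incident scoping. This is an added example, not code from the article or any vendor; the directory tree, file names and timestamps it builds are constructed sample data.

```python
import os
import tempfile
from datetime import datetime, timezone

RANSOM_NOTE = "ryukreadme.txt"   # note name from the article, lower-cased for matching
ENCRYPTED_EXT = ".ryk"           # extension from the article, lower-cased for matching


def sweep(root):
    """Walk root and summarise Ryuk file indicators per directory."""
    hits = {}
    earliest = None
    for dirpath, _dirnames, filenames in os.walk(root):
        note = any(f.lower() == RANSOM_NOTE for f in filenames)
        encrypted = [f for f in filenames if f.lower().endswith(ENCRYPTED_EXT)]
        if not note and not encrypted:
            continue                      # no indicator in this directory
        # Files that are neither the note nor encrypted: encryption there was
        # incomplete, which helps when deciding what must come from backup.
        intact = [f for f in filenames
                  if f not in encrypted and f.lower() != RANSOM_NOTE]
        for name in encrypted:
            try:
                mtime = os.stat(os.path.join(dirpath, name)).st_mtime
            except OSError:
                continue                  # unreadable or vanished; keep sweeping
            if earliest is None or mtime < earliest:
                earliest = mtime
        hits[os.path.relpath(dirpath, root)] = {
            "note": note, "encrypted": len(encrypted), "intact": len(intact)}
    started = (datetime.fromtimestamp(earliest, tz=timezone.utc).isoformat()
               if earliest is not None else None)
    # The oldest .RYK modification time approximates when encryption began.
    return {"directories": hits, "earliest_encrypted_mtime": started}


def build_sample_tree(base):
    """Create a constructed tree imitating a partly encrypted file share."""
    layout = {  # relative path -> mtime in epoch seconds (UTC); all constructed
        "finance/q4.xlsx.RYK": 1582964100,
        "finance/payroll.db.RYK": 1582964400,
        "finance/RyukReadMe.txt": 1582965000,
        "hr/staff.docx.RYK": 1582964700,
        "hr/handbook.pdf": 1580000000,
        "hr/RyukReadMe.txt": 1582965000,
        "public/readme.txt": 1580000000,
    }
    for rel, mtime in layout.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample\n")
        os.utime(path, (mtime, mtime))


def demo():
    """Run the sweep over the constructed tree and return the summary."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return sweep(base)


if __name__ == "__main__":
    print(demo())
```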

The partnership of TrickBot and Ryuk was not particular to the Epiq ransomware attack – BleepingComputer also mentions that

the Ryuk actors may be renting other malware as an Access-as-a-Service to gain entrance to a network.[…] TrickBot is being used by other actors to get access to an infected network. Once these bots infect a computer, they would create reverse shells back to other actors, such as the ones behind Ryuk, so that they can manually infiltrate the rest of the network and install their payloads.

Knocking out the Epiq ransomware attack – Ryuk. M.O., History, Targets. 

Ryuk (probably named after the fictional character known as Shinigami – the God of Death – in the Death Note anime and manga series) is a ransomware family used in campaigns where, unlike in other ransomware cases, extortion happens days or weeks after the initial infection. As ComplexDiscovery.com says, “Ryuk has been observed as a second-stage payload delivered in campaigns that involved Emotet and Trickbot, two of the most widespread threats that are currently being used in malware campaigns”. It targets large companies and government agencies: the companies that have fallen victim to Ryuk’s “death note” include newspapers, restaurants and public institutions.

Ryuk ransomware was first mentioned in a Tweet in August 2018 and has been operated by the Russia-based criminal group Wizard Spider. Ryuk is based on the Hermes ransomware code, and the total value of Ryuk transactions has surpassed $3 million.

How does Ryuk work?

Ryuk is not the beginning of a ransomware attack – it is the lethal end of an infection cycle. The stages it follows are dropper, binary setup, file encryption, Ryuk ransomware injection and ransom note.

The dropper stage may include a phishing email, visiting a sketchy website or clicking on a random popup. After TrickBot and Emotet allow access to a victim’s network, they will start to spread laterally and deploy Ryuk ransomware. Before the deployment of Ryuk, Emotet and TrickBot will save some time to steal sensitive information. 

In the binary setup stage, Ryuk checks if the system is suited for it, and based on the results it drops the appropriate malware version and runs it using ShellExecuteW. 

During the file encryption stage, two files are uploaded into the system (PUBLIC: RSA Public Key and UNIQUE_ID_DO_NOT_REMOVE: Hardcoded Key). After each file of the system is encrypted, the encryption key is destroyed.

During the Ryuk ransomware injection stage, the malware creates a preconfigured list of programs and services that get wiped out – including antivirus tools, databases, backups. 

After this, the victim receives the Ryuk ransom note. The ransom varies according to the size and value of the targeted organisation, and the emails typically include the names of obscure actors or Instagram models.

Famous targets 

The Epiq Ransomware Attack was not the only epic victory of the Wizard Spider Group. The attack on the state of Florida was pretty impressive too. As SecureWorld says, “in June 2019 alone, the Ryuk ransomware crew collected more than $1.1 million dollars from Florida municipalities.” Riviera Beach, for example, was completely shut down – “Cops started writing paper tickets, 9-1-1 was impacted, the city’s email, check payment, direct deposit services, and even SCADA (industrial control) systems related to the city’s water pump systems were impacted.”

Another example of Ryuk ransomware victims is a provider of end-to-end solutions for emergency care facilities in the U.S., T-System. BleepingComputer mentions that “the ransomware infection spread to public segments such as DMZ, extranet, and helpdesk”. 

Spanish Cadena SER, Spain’s largest radio station, and TECNOL, a manufacturer of products for waterproofing, insulating, cleaning and biotechnology, have also fallen victim to Ryuk, as well as Prosegur. Prosegur, a private security company that’s been on the market for more than 40 years and offers manned guarding, logistics and alarm services, had to shut down their systems “to prevent Ryuk from spreading to internal and external hosts.” The customers were cut off from the service for at least four days, and have complained they could not connect the alarm, nor check whether the alarm was armed or not.

What can you do to avoid becoming the next target of a Ryuk / Epiq ransomware attack?

When it comes to Ryuk / Epiq ransomware attacks, there is some good news and some bad news. As SecureWorldExpo says, 

The bad news first: Ryuk ransomware can hide. The Ryuk ransomware is often not observed until a period of time after the initial infection—ranging from days to months—which allows the actor time to carry out reconnaissance inside an infected network, identifying and targeting critical network systems and therefore maximising the impact of the attack. The good news: you can short circuit it. It may also offer the potential to mitigate against a ransomware attack before it occurs, if the initial infection is detected and remedied.

The even better news? There are certain precautions you can take to avoid the initial infection in the first place.

Keep Informed about Phishing Techniques 

Cybercriminals develop more and more attack techniques, so if you don’t keep up to date on phishing techniques, you might inadvertently fall prey to one. You can learn more about this kind of attack by checking out one of our previous articles. Make sure all your employees know what to look out for!

Think Before you Click 

You must always pay attention to every link you click on and every attachment you open. Keep in mind to hover over the links you want to access to make sure they lead where they’re supposed to lead. It can also help to have an automated solution guarding your e-mail communication, like our MailSentry E-mail Security. MailSentry E-mail Security offers protection against a wide range of cyber threats: phishing, spam, ransomware and malware, malicious attachments and malicious links. 

Malware Scan

In terms of cybersecurity, we think it’s always a good idea to go from the hunted to the hunter and try to proactively search for malware and deal with it before it does any damage. We have the perfect solution for this too: our DarkLayer Guard module, present in Thor Foresight and Thor Vigilance, uses machine learning-driven intelligence for flawless threat hunting. 

Patch Management 

85% of malware is deployed through exploit kits, so an up-to-date system is crucial if you want to secure your business and avoid being the next victim of an epiq ransomware attack. We know that manually dealing with patches is a resource and time-consuming task, so we would highly recommend trying an automated solution for this aspect too. 

Risk Analysis and Penetration Testing 

A cybersecurity risk analysis can help you identify, manage and safeguard data, information and assets that could be vulnerable in case of a cyber attack. So-called penetration testing can also be of great help in creating a plan to secure your company. What better way to safely find out how secure your system is than hacking into it and testing its ability to defend against attacks?

Backup Your Data 

When talking about any type of ransomware attack, having backups for your data as a precaution should go without saying. Make sure that you have backups for all the critical information, that it is stored both online and offline and that you take time to test your ability to revert to backups during a potential incident. 

Wrapping Up 

When cyberattacks become a team effort like Epiq Ransomware, where TrickBot, Emotet and Ryuk combined their forces to damage a worldwide provider of legal services, you also need to turn to both online (automated solutions) and offline (staff education) methods of ensuring your company’s cybersecurity.

Please remember that Heimdal™ Security always has your back and that our team is here to help you protect your home and your company and to create a cybersecurity culture to the benefit of anyone who wants to learn more about it. 

Drop a line below if you have any comments, questions or suggestions – we are all ears and can’t wait to hear your opinion!

The post Epiq Ransomware – A Team Effort appeared first on Heimdal Security Blog.