Brace yourselves – this week’s Threat Thursday is a big one, covering some seriously critical patches across your integral software.
Elsewhere, hackers are joining forces and leveraging a long-running threat to businesses, using a severe Windows vulnerability.
There’s a LOT to get through this week, so we’ll keep it snappy and just dive straight in:
Fire up Those Firewalls – SMBGhost is Back
You may remember, back in March, how Microsoft fixed a critical flaw known as SMBGhost (also known as EternalDarkness, a nickname that nods to EternalBlue of WannaCry fame and, happily for this column, to the fantastic horror video game of the same name).
This remote code execution vulnerability, tracked as CVE-2020-0796, sits in the way SMBv3.1.1 handles compressed packets. An unauthenticated attacker can send a crafted packet to a vulnerable SMB server and execute their own code on it (a vulnerable client can be hit the same way by coaxing it into connecting to a malicious server), and because no credentials or user interaction are needed, the bug is wormable in the EternalBlue mould. Microsoft pushed the fix out of band in March, outside the normal Patch Tuesday cycle.
Sadly, working proof-of-concept (PoC) exploit code has since been released publicly, making it easier than ever for attackers to sniff out and exploit unpatched machines. The US Cybersecurity and Infrastructure Security Agency (or CISA, to their mates) today warned that this could see a dramatic increase in compromised systems.
SMBGhost affects Windows 10 versions 1903 and 1909 and the matching Windows Server versions 1903 and 1909; earlier releases, including Windows Server 2019, never got the SMB compression code and are not affected. If your company runs any of those builds with SMB file sharing enabled, it’s utterly crucial that you confirm the KB4551762 update (or any later cumulative update, which supersedes it) is installed, that TCP port 445 is blocked at the perimeter so SMB is never reachable from the internet, and, for any host you genuinely can’t patch yet, that Microsoft’s documented workaround of disabling SMBv3 compression is applied.
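To make that advice actionable, here is an added audit script (our own example, not code from Microsoft or from any advisory) that checks a Windows 10 / Server 1903 or 1909 host for the three things above: whether the fix is present, whether the SMBv3 compression workaround is in place, and whether the host firewall has an inbound allow rule for TCP 445. The build revision 720 used as the "fixed" threshold is the revision KB4551762 took 1903 and 1909 to; the `-ApplyWorkaround` switch and the output field names are ours. Run it in an elevated PowerShell 5.1 or later session.

```powershell
# Added example (not from the original post): audit a Windows 10 / Server
# 1903/1909 host for the SMBGhost (CVE-2020-0796) fix and Microsoft's
# documented workaround. Assumes PowerShell 5.1+ and local admin rights.
# Run as-is to report, or with -ApplyWorkaround to disable SMBv3 compression
# on a host that cannot be patched yet.
[CmdletBinding()]
param(
    [switch]$ApplyWorkaround
)

# Only the SMB 3.1.1 compression code introduced in 1903 is affected:
# build 18362 is 1903 and 18363 is 1909. Anything else is out of scope.
$vulnerableBuilds = @(18362, 18363)
$versionKey = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$versionKey.CurrentBuildNumber
$ubr   = [int]$versionKey.UBR   # Update Build Revision, e.g. 18363.720

if ($build -notin $vulnerableBuilds) {
    Write-Output "Build $build.$ubr is not in the affected range; nothing to do."
    return
}

# 1. Is the March 2020 out-of-band fix present? Later cumulative updates
#    supersede KB4551762 and may not list it, so also accept any revision
#    at or above 720 (assumption: the revision KB4551762 shipped as).
$hotfix  = Get-HotFix -Id KB4551762 -ErrorAction SilentlyContinue
$patched = ($null -ne $hotfix) -or ($ubr -ge 720)

# 2. Microsoft's workaround: DisableCompression=1 under the LanmanServer
#    parameters. No reboot needed, but it only protects the server side;
#    a client connecting to a malicious server is still exposed.
$smbParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$current = Get-ItemProperty -Path $smbParams -Name DisableCompression -ErrorAction SilentlyContinue
$compressionDisabled = ($null -ne $current) -and ($current.DisableCompression -eq 1)

if (-not $patched -and -not $compressionDisabled -and $ApplyWorkaround) {
    Set-ItemProperty -Path $smbParams -Name DisableCompression -Type DWORD -Value 1 -Force
    $compressionDisabled = $true
}

# 3. Does the host firewall explicitly allow inbound TCP 445? SMB should be
#    blocked at the perimeter regardless; this only surfaces local allow rules
#    so you know where the port is reachable from.
$inbound445 = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq 445 } |
    Get-NetFirewallRule |
    Where-Object {
        $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow'
    }

[pscustomobject]@{
    Build                = "$build.$ubr"
    FixInstalled         = $patched
    CompressionDisabled  = $compressionDisabled
    Inbound445AllowRules = @($inbound445).Count
    Status               = if ($patched) { 'Patched' }
                           elseif ($compressionDisabled) { 'Workaround only' }
                           else { 'VULNERABLE' }
}
```

A host reporting "Workaround only" is not done: the registry change mitigates the server-side code path, but the real fix is the update, so keep it on the patch list. Running this from a management host against a fleet (for instance via `Invoke-Command`) turns the advice above into a list of machines that still need attention.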
Oh, and if you haven’t played Eternal Darkness yet, do. Just try not to investigate that noise in that top floor bathroom...
Maze Ransomware Group Adds Ragnar Locker to Its Polyamorous Relationship
Having settled down with the Ryuk cyber crime group earlier in the year, the Maze ransomware gang have now added Ragnar Locker to their cosy fraternity. Alongside LockBit, that’s four cyber crime gangs now making up one nasty-looking supergroup.
Ragnar Locker made a name for themselves – and a glimmer in Maze’s eye – with a sly evasion trick: installing a VirtualBox virtual machine on the victim’s host and running the ransomware inside it, so that endpoint security on the host saw only a legitimate hypervisor process while the guest encrypted the host’s files through shared folders. It’s a trick we at Threat Thursday missed back in May. Thanks for the heads up, SC Magazine.
This is a troubling development, yet it’s becoming ever-more common in cyber crime circles, with each member of any new union set to benefit from their combined efforts. In this instance, each of the aforementioned cyber crime groups has its own skills and specialties, and combined they’re set to offer the full suite of tactics in their next ransomware campaign.
There’s a Snake in My (Car) Boot!
It’s likely that the culprit of Honda’s recent ransomware infection is Snake (also known as Ekans, which is Snake spelled backwards and, as it happens, a popular Pokémon character and our second unexpected video game reference of the week).
In an interview with the BBC (or ‘Beeb’, to their mates), Chief Security Advisor of SentinelOne, Morgan Wright, explained:
“It looks like a case of Ekans ransomware being used. Ekans, or Snake ransomware, is designed to attack industrial control systems networks. The fact that Honda has put production on hold and sent factory workers home points to disruption of their manufacturing systems.” Morgan speculates that the attack was likely started via that good ol’ chestnut, the phishing email. Whether or not the email was one of the vast number exploiting the panic around Covid-19 is yet to be confirmed, but it’d be nice to go a week without having to refer to the ruddy thing one more time.
Honda’s just one of many high-profile companies to have been hit by a crippling ransomware strain in the past year, but don’t think that multi-national conglomerates are the only ones targeted by criminals; to them, everyone’s fair game. Honda’s recent disaster is an example of how little it takes to compromise a business and even a leading cyber security expert such as Morgan Wright can attest to the damage that a single malicious email can do.
We say it every week, but it’s always with good reason: don’t open unexpected attachments, check the sender identity of any unrecognised emails, and don’t click on any links that you can’t trust as reputable.
It’s Time for the Ever-Exciting Patch Tuesday Rundown!
There’s a wealth of Patch Tuesday updates to go through this week, with Microsoft, Adobe and Cisco to cover. Get a tea and some biscuits, folks, this one’s an absolute belter.
Exactly three months after their biggest update yet, Microsoft’s back with an all-new record-breaking update, this time kicking no fewer than 129 vulnerabilities to the kerb.
If that sounds like a staggering number of updates, you’ll be pleased to learn that only 11 are rated critical, and none were reported as publicly known or under active exploitation at the time of release – at least, as far as the evidence suggests.
As is almost always the case, the most critical bugs were remote code execution vulnerabilities. One of these affected Windows 7, 8 and 10, as well as Windows Server 2008, 2012, 2016 and 2019. Another could reportedly have allowed remote code execution via SharePoint.
The exhaustive list is available here, and while lockdown may have bestowed enough time upon you to read all 129 patch notes, we’d suggest you just download the latest updates post haste and take up another activity instead. Like a jigsaw, or something.
Over at Adobe, their Patch Tuesday efforts continue to rub salt into the wound that is Flash’s slow demise. Besides that, it’s a comparatively low-key month for the company, with just a few further patches for FrameMaker and Experience Manager 6.5.
FrameMaker’s had multiple vulnerabilities patched, each rated critical, in the latest update. According to the Adobe security bulletin, their successful exploitation could allow for arbitrary code execution. More information is in their official bulletin, here.
Experience Manager 6.5 – as well as all its previous versions – has had vulnerabilities rated as ‘Important’ patched. The security bulletin notes that these could result in sensitive information disclosure.
Finally, there’s Flash Player. Oh, Flash. This outdated, flawed yet beautifully nostalgic software will be ruining New Year’s Eve for yours truly when it’s officially discontinued on December 31st, 2020. It’s had four critical code execution vulnerabilities patched this month, as this security bulletin outlines.
Flash may have been superseded by superior media formats, but it was instrumental in the creation of some of the internet’s most fondly-remembered created content; so much so that enthusiasts are racing to get many classic flash sites and animations preserved on other media formats, such as YouTube. Thankfully, the wonderfully silly Patrick Moore Plays the Xylophone has already been immortalised. Rejoice!
It’s hard to write a Cisco-related headline without relying on the rhyming of ‘Cisco’ and ‘Disco’ for a cheap laugh. So while they’re not typically a Patch Tuesday participant, I’m putting their latest patch notes under this headline to save all of us some dignity.
Of the 47 vulnerabilities fixed across Cisco’s IOS XE 16.3.1, NX-OS software and 809 and 829 series industrial routers, three were rated critical. These vulnerabilities included privilege escalation, command injection and, of course, the ever-present remote code execution. The full list of patches, and their related software and hardware, is available here.
Lorks-o-Lordy, it’s been a hefty serving this week, but with so many crucial updates to cover, we couldn’t leave any stones unturned.
If you’d rather we bring all the latest cyber security updates to you in future, why not sign up for our weekly updates?
We’ll drop every new edition of Threat Thursday off in your inbox as soon as it becomes available – simply leave your email in the box on the right of this page, and we’ll add you to the mailing list.