Windows administrators might get a feeling of déjà vu with two of the vulnerabilities addressed in the April Patch Tuesday updates.
This month, Microsoft released 15 updates to resolve 74 unique vulnerabilities, including two zero-day exploits in the Win32k component of all supported Windows operating systems. These exploits might sound painfully familiar to administrators, because Microsoft had shut down two similar zero-day bugs in its March security updates.
The two April Patch Tuesday vulnerabilities (CVE-2019-0803 and CVE-2019-0859), rated important, deal with an escalation-of-privilege bug. An attacker could exploit the way an unpatched system fails to handle objects in memory to run arbitrary code in kernel mode.
“In a case like this, the attacker would have to do something else to get access to that box. But once they do that, the escalation-of-privilege attack would allow them to take a user-level privilege that they’ve already exploited and elevated that to pretty much owning the box,” said Chris Goettl, director of product management at Ivanti, based in South Jordan, Utah.
The Win32k bugs require an attacker to first get into an organization’s network, which emphasizes the need to patch all vulnerabilities, both great and small. Otherwise, the intruder can use various means to gather credentials or find other ways to establish a stronger position before launching a serious attack.
“Statistically, 90% or better of all breaches still start with some kind of phishing attempt to get that first foothold,” Goettl said.
April Patch Tuesday also spotlights a critical vulnerability in Internet Explorer 11 (CVE-2019-0753) for Windows desktop systems and several important Microsoft Office vulnerabilities. Beyond Microsoft products, administrators should address several critical bugs in multiple Adobe products, including Flash Player, Adobe Reader and Shockwave. Shockwave reached end of life on April 9, and organizations that don’t have the extended support contract will not receive the latest Shockwave updates.
“Everyone should remove Shockwave from their environments now, because that dinner bell just rang,” Goettl said. “There are seven vulnerabilities that will be unpatched for a majority of the world to give attackers time to look for ways to exploit them.”
Windows Deployment Services fix backfires
Chris GoettlDirector of product management at Ivanti
Administrators who rely on Windows Deployment Services (WDS) found themselves unable to install Windows on machines across the network after a March Patch Tuesday update broke the deployment tool.
Microsoft acknowledged last month’s rollup disabled WDS functionality for multiple Windows OSes, including Windows Server 2012 R2, Windows Server 2016 and Windows Server 2019, following a system update to close a critical remote code execution vulnerability (CVE-2019-0603).
“After installing this update, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension. This may cause the connection to the WDS server to terminate prematurely while downloading the image. This issue does not affect clients or devices that are not using Variable Window Extension,” Microsoft wrote.
At time of publication, the company said it would release an update to correct the issue, but gave instructions to fix WDS by disabling the Variable Window Extension in a Knowledge Base article.
Failed recovery compounds problems from Windows ransomware attack
Despite the constant refrain from security professionals for organizations to prioritize timely patching, one company got caught flat-footed recently after sophisticated malware campaign overtook hundreds of Windows systems and disabled production, causing significant financial losses.
Arizona Beverages, known in U.S. markets for its iced tea product, got hit by an attack in March that locked up several hundred Windows machines, according to TechCrunch. The FBI had warned the company that it was the target of a cyberattack through Dridex malware, according to the article. The attackers apparently used a multistage campaign, using Dridex — possibly through a phishing email — to gain access and move laterally throughout the company’s network, and then deliver another type of ransomware that sabotaged the systems.
A blog from cloud security vendor Guardicore deduced the attackers relied on the IEncrypt ransomware to encrypt files across the Arizona Beverages network based on the ransom note displayed on computer screens and the extension used on the scrambled files.
The attack reportedly immobilized several hundred Windows-based systems, including multiple Windows Server machines that were no longer under support and “hadn’t received security patches in years,” according to TechCrunch. This highlights the risks and costs for organizations when they roll the dice with unsupported Windows systems in production.
“Obsolete software is vulnerable. If you do not enter into a paid support contract to continue getting updates, then you must take additional steps to secure the systems in question,” Goettl said.
To protect against this type of attack, a company should move critical workloads into a virtualized environment, tighten security around them, limit access and direct connectivity, and segregate portions of the network.
“The cost of doing nothing is a security incident,” Goettl said. “No matter what, a decision like this will cost you.”
To make matters worse, data recovery efforts failed when administrators found the backup system was not set up properly, and the company had to enlist Cisco for additional assistance, according to TechCrunch.
This case appears to be an example of a growing practice that security analysts call “big game hunting,” where attackers use advanced intrusion campaigns against large organizations that can afford large payoffs to regain access to files and systems.