Have you ever been around someone who is just better at something than you are? Like when you were in grade school and there was this person who was effortless at doing things correctly, like getting high grades? They had great study habits, they arrived on time, they were prepared and confident in the materials […]

The post The Four Stages to a Successful Vulnerability Management Program appeared first on The State of Security.

What's New in InsightVM and Nexpose: Q1 2022 in Review

The world of cybersecurity never has a dull moment. While we are still recovering from the aftermath of Log4Shell, the recent ContiLeaks exposed multiple vulnerabilities that have been exploited by the Conti ransomware group. It’s critical for your team to identify the risk posed by such vulnerabilities and implement necessary remediation measures. As you will see, the product updates our vulnerability management (VM) team has made to InsightVM and Nexpose in the last quarter will empower you to stay in charge — not the vulnerabilities.

But that’s not all we’ve improved on. We’ve expanded the scope of vulnerabilities tracked by incorporating CISA’s known exploited vulnerabilities (KEV) catalog in the Threat Feed, and we’ve added usability enhancements, targeted reporting and scanning, and Log4Shell mitigation checks. We’ve also released our annual Vulnerability Intelligence Report to help you make sense of the vulns that impacted us last year and understand the trends we will all be facing this year. Our team also offers practical guidance to help security teams better protect themselves.

Let’s dive into the key feature releases and updates on the vulnerability management front for Q1 2022.

CISA’s KEV list: Detect, prioritize, and meet regulatory compliance

[InsightVM] ContiLeaks Helpful Query to easily detect ContiLeaks vulns and ensure compliance

CISA’s KEV catalog is part of the agency’s binding operative directive, which has reporting requirements for federal agencies and civilian contractors. The recent ContiLeaks revealed over 30 vulns that are now a part of CISA’s KEV. While users could always build a query in IVM to identify these vulns, doing so is time-consuming and prone to error. The ContiLeaks Helpful Query takes out the manual effort and lets customers easily locate 30+ ContiLeaks vulnerabilities in their environments. When the query is loaded into our Specific Vulnerability Dashboard template, it gives an at-a-glance view of the company’s risk posture as it relates to the Conti threat. In addition to helping customers identify the exploited vulnerabilities in their environment, the update will also help them stay within the bounds of CISA’s operative directive.

[InsightVM] Threat feed dashboard now includes CISA’s KEV catalog

While we are on the topic of CISA, you will be excited to learn that we have expanded the scope of vulnerabilities tracked to incorporate CISA’s KEV catalog in the InsightVM Threat Feed Dashboard, including the Assets With Actively Targeted Vulnerabilities card and the Most Common Actively Targeted Vulnerabilities card. The CISA inclusion makes it easy to see how exposed your organization is to active threats and inform prioritization decisions around remediation efforts.

We have also added a new “CISA KEV (known exploited vulnerability)” vulnerability category to allow for more targeted scanning (i.e. scanning the environment for CISA KEV entries only). You can also use the CISA KEV category to filter scan reports.

Improvements to credentials

[Insight VM and Nexpose] A new credential type to support scanning Oracle Databases by Service Name

InsightVM and Nexpose customers have always been able to scan Oracle databases using SIDs (system identifiers) but were previously unable to provide a Service Name in the credential. This left a gap in visibility for Oracle databases that could only be accessed via their Service Name. We were not happy with this limitation. Now you can configure Oracle Database scans to specify a Service Name instead of an SID (you can still use the SID if you want!) when authenticating. You now have visibility into a wider range of Oracle Database deployment configurations and the ability to configure scans using either a Service Name or an SID.

[Insight VM and Nexpose] Automatic Scan Assistant credentials generation

Last year, we introduced Scan Assistant, which alleviates the credential management (for Scan Engine) burden on vulnerability management teams. For the Scan Assistant to communicate with the Scan Engine, it requires digital certificates to be manually created and deployed on both the target assets and the Nexpose / IVM Security Console. Manually creating the public / private key pair is a complex and error-prone process.

With this update, we are taking some more burden off the vulnerability management teams. You can now use the Shared Credentials management UI to automatically generate Scan Assistant credentials. This not only reduces the technical expertise and time required to manage Scan Assistant credentials but also makes for a user-friendly experience for you.

Learn more in our recent blog post on passwordless scanning.

[Insight VM and Nexpose] Log4Shell mitigation checks

The product improvements list would be incomplete without an update on Log4Shell.

If you are vulnerable to Log4Shell, you can edit the JAR files on a system to remove the vulnerable code and thus avoid exploitation. However, it is difficult to keep track of this manually. This update adds the capability not only to look at the version of Log4j present in your environment but also to check whether it has been mitigated — i.e., whether the vulnerable code has been removed.

Authenticated scans and Agent-based assessments can now determine whether the JNDILookup class removal mitigation for Log4Shell has been applied to Log4j JAR files on Windows systems. This will reduce the number of reports of the vulnerability on systems that are not exploitable. We also added an Obsolete Software vulnerability check for Log4j 1.x, which will let you find obsolete versions of Log4j in your environment.
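As an added example (not Rapid7's check or code), the following Python script implements the same idea on any platform: it opens each JAR, WAR or EAR (recursing into nested archives), reads the Log4j version from the bundled pom.properties when present, and reports whether org/apache/logging/log4j/core/lookup/JndiLookup.class is still inside; Log4j 1.x packages are reported as obsolete. The fixture archives it builds are constructed for the demo, not real Log4j builds, and a "mitigated" result says only that the class is gone, so pair it with the version to judge exposure.

```python
"""Report Log4j archives and whether the JndiLookup class-removal mitigation is applied.

Added example, not Rapid7 code. The mitigation checked is the one the post describes:
deleting JndiLookup.class from log4j-core. Nested archives (a JAR inside a WAR/EAR)
are inspected recursively, and Log4j 1.x is flagged as obsolete.
"""
from __future__ import annotations

import io
import os
import re
import zipfile
from dataclasses import dataclass
from typing import Optional

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_PKG = "org/apache/logging/log4j/core/"   # Log4j 2.x core classes
LEGACY_PKG = "org/apache/log4j/"              # Log4j 1.x classes (end of life)
POM_PROPS = re.compile(
    r"META-INF/maven/(?:org\.apache\.logging\.log4j/log4j-core|log4j/log4j)/pom\.properties$")
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


@dataclass
class Finding:
    path: str                   # file path; "!" separates nested archives
    generation: str             # "2.x" or "1.x"
    version: Optional[str]      # taken from pom.properties when present
    jndi_lookup_present: bool

    @property
    def status(self) -> str:
        if self.generation == "1.x":
            return "obsolete"
        return "vulnerable-class-present" if self.jndi_lookup_present else "mitigated"


def _version_from_pom(data: bytes) -> Optional[str]:
    for line in data.decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def inspect_archive(data: bytes, path: str) -> list[Finding]:
    """Inspect one archive, and every archive nested inside it, for Log4j."""
    findings: list[Finding] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings                      # not a zip container: nothing to report
    with zf:
        names = set(zf.namelist())
        version = None
        for name in names:
            if POM_PROPS.search(name):
                version = _version_from_pom(zf.read(name))
        if any(n.startswith(CORE_PKG) for n in names):
            findings.append(Finding(path, "2.x", version, JNDI_LOOKUP in names))
        elif any(n.startswith(LEGACY_PKG) for n in names):
            findings.append(Finding(path, "1.x", version, False))
        for name in sorted(names):           # recurse into bundled archives
            if name.lower().endswith(ARCHIVE_EXT):
                findings.extend(inspect_archive(zf.read(name), f"{path}!{name}"))
    return findings


def scan_tree(root: str) -> list[Finding]:
    """Walk a directory tree and inspect every archive found in it."""
    findings: list[Finding] = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_EXT):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    findings.extend(inspect_archive(fh.read(), full))
    return findings


def build_sample_jar(version: str, include_jndi: bool) -> bytes:
    """Constructed fixture: a minimal log4j-core-shaped JAR, not a real Log4j build."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                    f"artifactId=log4j-core\nversion={version}\n")
        zf.writestr(CORE_PKG + "Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def build_sample_war() -> bytes:
    """Constructed fixture: a WAR bundling one unmitigated and one mitigated log4j-core."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", build_sample_jar("2.14.1", True))
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1-patched.jar", build_sample_jar("2.14.1", False))
    return buf.getvalue()


def demo() -> list[Finding]:
    """Run the check against the constructed WAR."""
    return inspect_archive(build_sample_war(), "app.war")


if __name__ == "__main__":
    for f in demo():
        print(f"{f.status:26} log4j {f.generation} {f.version or '?':8} {f.path}")
```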

Stay in charge

As always, we hope these updates will make it easier for you to stay ahead of vulnerabilities.

It almost felt like the quarter might end on a calm note, but then the world of cybersecurity never has a dull moment. The end of the quarter saw Spring4Shell, another zero-day vulnerability in the Spring Core module of Spring Framework. Learn more about Rapid7 response to this vulnerability and how we are working around the clock to help our customers protect their own environments from Spring4Shell.



Patch Tuesday - April 2022

From Defender to Windows, Office to Azure, this month’s Patch Tuesday has a large swath of Microsoft’s portfolio getting vulnerabilities fixed. 119 CVEs were addressed today, not including the 26 Chromium vulnerabilities that were fixed in the Edge browser.

One of these has been observed being exploited in the wild: CVE-2022-24521, reported to Microsoft by the National Security Agency, affects the Common Log File System Driver in all supported versions of Windows and allows attackers to gain additional privileges on a system they already have local access to. Another local privilege escalation (LPE), CVE-2022-26904 affecting the Windows User Profile Service, had been publicly disclosed but not reported as already being exploited – it’s harder for attackers to leverage as it relies on winning a race condition, which can be tricky to reliably achieve.

LPEs don’t always get the same attention that remote code execution (RCE) vulnerabilities do, but they can be a great help to attackers after they gain an initial foothold. These two categories dominate this month’s vulnerabilities, with 55 LPEs and 47 RCEs getting patched. 10 of the RCEs are considered “Critical,” affecting Windows Hyper-V (CVE-2022-22008, CVE-2022-23257, CVE-2022-24537); Windows SMB Client (CVE-2022-24500, CVE-2022-24541); Windows Network File System (CVE-2022-24491 and CVE-2022-24497); LDAP (CVE-2022-26919); Microsoft Dynamics (CVE-2022-23259); and the Windows RPC Runtime (CVE-2022-26809).

On the Office side of the house, Skype for Business Server was patched for spoofing (CVE-2022-26910) and information disclosure (CVE-2022-26911) vulnerabilities. Two RCEs affecting Excel (CVE-2022-24473 and CVE-2022-26901) were fixed, as well as a spoofing vulnerability in SharePoint Server (CVE-2022-24472).

With so many vulnerabilities to manage, it can be difficult to prioritize. Thankfully, most of this month’s CVEs can be addressed by patching the core OS. Administrators should first focus on updating any public-facing servers before moving on to internal servers and then client systems. The SMB Client vulnerabilities can also be mitigated by blocking port 445/tcp at the network perimeter – victims need to be enticed to connect to a malicious SMB server, and this would help against Internet-based attackers. Of course, this won’t help much if the malicious system was set up within the perimeter.

For any readers who enjoy deeper dives into vulnerabilities and exploits, Rapid7’s Jake Baines has a technical writeup of CVE-2022-24527, an LPE he discovered in the Connected Cache component of Microsoft Endpoint Manager that got fixed today. Check it out!
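As an added example (not Rapid7 tooling), the following Python script turns rows in the format of the summary tables below into a remediation order following the guidance above: exploited-in-the-wild first, then publicly disclosed, then by CVSSv3 base score, with the 445/tcp perimeter control noted against the two SMB Client CVEs the post names. The sample rows are copied from this page's tables; one is written pipe-delimited to show both input shapes.

```python
"""Rank Patch Tuesday summary rows into a remediation order.

Added example, not Rapid7 tooling. Reads rows shaped like this post's summary tables
(space-separated "CVE Title Exploited? Publicly disclosed? CVSSv3 Has FAQ?", or the same
six columns pipe-delimited) and orders them: exploited first, then publicly disclosed,
then by CVSSv3 base score, with unscored rows last.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, Optional

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Interim network control the post names for the SMB Client bugs; patching is still required.
PERIMETER_MITIGATION = {
    "CVE-2022-24500": "block 445/tcp at the network perimeter",
    "CVE-2022-24541": "block 445/tcp at the network perimeter",
}


@dataclass
class Advisory:
    cve: str
    title: str
    exploited: bool
    disclosed: bool
    cvss: Optional[float]   # None where the table says N/A (Chromium CVEs carry no score here)
    has_faq: bool

    @property
    def interim_mitigation(self) -> Optional[str]:
        return PERIMETER_MITIGATION.get(self.cve)


def parse_row(line: str) -> Optional[Advisory]:
    """Parse one table row; returns None for header, separator, blank or non-CVE lines."""
    if "|" in line:
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
    else:
        parts = line.split()
        if len(parts) < 6:
            return None
        # The title is free text, so anchor the four fixed columns at the end of the row.
        cells = [parts[0], " ".join(parts[1:-4]), *parts[-4:]]
    if len(cells) != 6 or not CVE_RE.match(cells[0]):
        return None
    cve, title, exploited, disclosed, score, faq = cells
    try:
        cvss = None if score.upper() == "N/A" else float(score)
    except ValueError:
        return None
    return Advisory(cve, title, exploited == "Yes", disclosed == "Yes", cvss, faq == "Yes")


def prioritize(lines: Iterable[str]) -> list[Advisory]:
    """Exploited first, then publicly disclosed, then descending CVSS; ties broken by CVE id."""
    rows = [a for a in (parse_row(line) for line in lines) if a is not None]
    return sorted(rows, key=lambda a: (not a.exploited, not a.disclosed,
                                       -(a.cvss if a.cvss is not None else -1.0), a.cve))


# Constructed sample: rows copied from this page's summary tables, one of them pipe-delimited.
SAMPLE_ROWS = """\
CVE Title Exploited? Publicly disclosed? CVSSv3 base score Has FAQ?
CVE-2022-24548 Microsoft Defender Denial of Service Vulnerability No No 5.5 Yes
CVE-2022-26809 Remote Procedure Call Runtime Remote Code Execution Vulnerability No No 9.8 Yes
CVE-2022-24500 Windows SMB Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2022-26904 Windows User Profile Service Elevation of Privilege Vulnerability No Yes 7 Yes
CVE-2022-24521 Windows Common Log File System Driver Elevation of Privilege Vulnerability Yes No 7.8 No
CVE-2022-1232 Chromium: CVE-2022-1232 Type Confusion in V8 No No N/A Yes
| CVE-2022-24491 | Windows Network File System Remote Code Execution Vulnerability | No | No | 9.8 | Yes |
""".splitlines()


if __name__ == "__main__":
    for a in prioritize(SAMPLE_ROWS):
        score = "N/A" if a.cvss is None else f"{a.cvss:.1f}"
        flags = ("EXPLOITED " if a.exploited else "") + ("DISCLOSED " if a.disclosed else "")
        extra = f"  interim: {a.interim_mitigation}" if a.interim_mitigation else ""
        print(f"{a.cve:16} {score:>4} {flags:20}{a.title}{extra}")
```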

Summary charts (four chart images from the original post, not reproduced here)

Summary tables

Azure Vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? |
|---|---|---|---|---|---|
| CVE-2022-26898 | Azure Site Recovery Remote Code Execution Vulnerability | No | No | 7.2 | Yes |
| CVE-2022-26896 | Azure Site Recovery Information Disclosure Vulnerability | No | No | 4.9 | Yes |
| CVE-2022-26897 | Azure Site Recovery Information Disclosure Vulnerability | No | No | 4.9 | Yes |
| CVE-2022-26907 | Azure SDK for .NET Information Disclosure Vulnerability | No | No | 5.3 | Yes |

Browser Vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? |
|---|---|---|---|---|---|
| CVE-2022-24523 | Microsoft Edge (Chromium-based) Spoofing Vulnerability | No | No | 4.3 | Yes |
| CVE-2022-24475 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | No | No | 8.3 | Yes |
| CVE-2022-26891 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | No | No | 8.3 | Yes |
| CVE-2022-26894 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | No | No | 8.3 | Yes |
| CVE-2022-26895 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | No | No | 8.3 | Yes |
| CVE-2022-26900 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | No | No | 8.3 | Yes |
| CVE-2022-26908 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | No | No | 8.3 | Yes |
| CVE-2022-26909 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | No | No | 8.3 | Yes |
| CVE-2022-26912 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | No | No | 8.3 | Yes |
| CVE-2022-1232 | Chromium: CVE-2022-1232 Type Confusion in V8 | No | No | N/A | Yes |
| CVE-2022-1146 | Chromium: CVE-2022-1146 Inappropriate implementation in Resource Timing | No | No | N/A | Yes |
| CVE-2022-1145 | Chromium: CVE-2022-1145 Use after free in Extensions | No | No | N/A | Yes |
| CVE-2022-1143 | Chromium: CVE-2022-1143 Heap buffer overflow in WebUI | No | No | N/A | Yes |
| CVE-2022-1139 | Chromium: CVE-2022-1139 Inappropriate implementation in Background Fetch API | No | No | N/A | Yes |
| CVE-2022-1138 | Chromium: CVE-2022-1138 Inappropriate implementation in Web Cursor | No | No | N/A | Yes |
| CVE-2022-1137 | Chromium: CVE-2022-1137 Inappropriate implementation in Extensions | No | No | N/A | Yes |
| CVE-2022-1136 | Chromium: CVE-2022-1136 Use after free in Tab Strip | No | No | N/A | Yes |
| CVE-2022-1135 | Chromium: CVE-2022-1135 Use after free in Shopping Cart | No | No | N/A | Yes |
| CVE-2022-1134 | Chromium: CVE-2022-1134 Type Confusion in V8 | No | No | N/A | Yes |
| CVE-2022-1133 | Chromium: CVE-2022-1133 Use after free in WebRTC | No | No | N/A | Yes |
| CVE-2022-1131 | Chromium: CVE-2022-1131 Use after free in Cast UI | No | No | N/A | Yes |
| CVE-2022-1130 | Chromium: CVE-2022-1130 Insufficient validation of untrusted input in WebOTP | No | No | N/A | Yes |
| CVE-2022-1129 | Chromium: CVE-2022-1129 Inappropriate implementation in Full Screen Mode | No | No | N/A | Yes |
| CVE-2022-1128 | Chromium: CVE-2022-1128 Inappropriate implementation in Web Share API | No | No | N/A | Yes |
| CVE-2022-1127 | Chromium: CVE-2022-1127 Use after free in QR Code Generator | No | No | N/A | Yes |
| CVE-2022-1125 | Chromium: CVE-2022-1125 Use after free in Portals | No | No | N/A | Yes |

Developer Tools Vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? |
|---|---|---|---|---|---|
| CVE-2022-26924 | YARP Denial of Service Vulnerability | No | No | 7.5 | Yes |
| CVE-2022-24513 | Visual Studio Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2022-26921 | Visual Studio Code Elevation of Privilege Vulnerability | No | No | 7.3 | No |
| CVE-2022-24765 | GitHub: Uncontrolled search for the Git directory in Git for Windows | No | No | N/A | Yes |
| CVE-2022-24767 | GitHub: Git for Windows' uninstaller vulnerable to DLL hijacking when run under the SYSTEM user account | No | No | N/A | Yes |
| CVE-2022-26832 | .NET Framework Denial of Service Vulnerability | No | No | 7.5 | No |

Microsoft Dynamics Vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? |
|---|---|---|---|---|---|
| CVE-2022-23259 | Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability | No | No | 8.8 | Yes |

Microsoft Office Vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? |
|---|---|---|---|---|---|
| CVE-2022-26910 | Skype for Business and Lync Spoofing Vulnerability | No | No | 5.3 | Yes |
| CVE-2022-26911 | Skype for Business Information Disclosure Vulnerability | No | No | 6.5 | Yes |
| CVE-2022-24472 | Microsoft SharePoint Server Spoofing Vulnerability | No | No | 8 | Yes |
| CVE-2022-24473 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-26901 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes |

SQL Server Vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? |
|---|---|---|---|---|---|
| CVE-2022-23292 | Microsoft Power BI Spoofing Vulnerability | No | No | 5.9 | Yes |

System Center Vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? |
|---|---|---|---|---|---|
| CVE-2022-24548 | Microsoft Defender Denial of Service Vulnerability | No | No | 5.5 | Yes |

Windows Vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? |
|---|---|---|---|---|---|
| CVE-2022-24543 | Windows Upgrade Assistant Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-24550 | Windows Telephony Server Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2022-26786 | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2022-26789 | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2022-26791 | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2022-26793 | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2022-26795 | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2022-24491 | Windows Network File System Remote Code Execution Vulnerability | No | No | 9.8 | Yes |
| CVE-2022-24497 | Windows Network File System Remote Code Execution Vulnerability | No | No | 9.8 | Yes |
| CVE-2022-24487 | Windows Local Security Authority (LSA) Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
| CVE-2022-24483 | Windows Kernel Information Disclosure Vulnerability | No | No | 5.5 | Yes |
| CVE-2022-24545 | Windows Kerberos Remote Code Execution Vulnerability | No | No | 8.1 | Yes |
| CVE-2022-24486 | Windows Kerberos Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2022-24490 | Windows Hyper-V Shared Virtual Hard Disks Information Disclosure Vulnerability | No | No | 8.1 | Yes |
| CVE-2022-24539 | Windows Hyper-V Shared Virtual Hard Disks Information Disclosure Vulnerability | No | No | 8.1 | Yes |
| CVE-2022-26783 | Windows Hyper-V Shared Virtual Hard Disks Information Disclosure Vulnerability | No | No | 6.5 | Yes |
| CVE-2022-26785 | Windows Hyper-V Shared Virtual Hard Disks Information Disclosure Vulnerability | No | No | 6.5 | Yes |
| CVE-2022-23257 | Windows Hyper-V Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
| CVE-2022-22008 | Windows Hyper-V Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-24537 | Windows Hyper-V Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-22009 | Windows Hyper-V Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-23268 | Windows Hyper-V Denial of Service Vulnerability | No | No | 6.5 | Yes |
| CVE-2022-26920 | Windows Graphics Component Information Disclosure Vulnerability | No | No | 5.5 | Yes |
| CVE-2022-26808 | Windows File Explorer Elevation of Privilege Vulnerability | No | No | 7 | Yes |
| CVE-2022-24495 | Windows Direct Show - Remote Code Execution Vulnerability | No | No | 7 | Yes |
| CVE-2022-24547 | Windows Digital Media Receiver Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2022-24488 | Windows Desktop Bridge Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2022-24546 | Windows DWM Core Library Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2022-26811 | Windows DNS Server Remote Code Execution Vulnerability | No | No | 7.2 | Yes |
| CVE-2022-26823 | Windows DNS Server Remote Code Execution Vulnerability | No | No | 7.2 | Yes |
| CVE-2022-26824 | Windows DNS Server Remote Code Execution Vulnerability | No | No | 7.2 | Yes |
| CVE-2022-26825 | Windows DNS Server Remote Code Execution Vulnerability | No | No | 7.2 | Yes |
| CVE-2022-26826 | Windows DNS Server Remote Code Execution Vulnerability | No | No | 7.2 | Yes |
| CVE-2022-26814 | Windows DNS Server Remote Code Execution Vulnerability | No | No | 6.6 | Yes |
| CVE-2022-26817 | Windows DNS Server Remote Code Execution Vulnerability | No | No | 6.6 | Yes |
| CVE-2022-26818 | Windows DNS Server Remote Code Execution Vulnerability | No | No | 6.6 | Yes |
| CVE-2022-26816 | Windows DNS Server Information Disclosure Vulnerability | No | No | 6.5 | Yes |
| CVE-2022-24538 | Windows Cluster Shared Volume (CSV) Denial of Service Vulnerability | No | No | 6.5 | No |
| CVE-2022-26784 | Windows Cluster Shared Volume (CSV) Denial of Service Vulnerability | No | No | 6.5 | No |
| CVE-2022-24484 | Windows Cluster Shared Volume (CSV) Denial of Service Vulnerability | No | No | 5.5 | No |
| CVE-2022-26828 | Windows Bluetooth Driver Elevation of Privilege Vulnerability | No | No | 7 | Yes |
| CVE-2022-24549 | Windows AppX Package Manager Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2022-24482 | Windows ALPC Elevation of Privilege Vulnerability | No | No | 7 | Yes |
| CVE-2022-26914 | Win32k Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2022-26788 | PowerShell Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2022-24496 | Local Security Authority (LSA) Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2022-24532 | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-26830 | DiskUsage.exe Remote Code Execution Vulnerability | No | No | 7.5 | Yes |
| CVE-2022-24479 | Connected User Experiences and Telemetry Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2022-24489 | Cluster Client Failover (CCF) Elevation of Privilege Vulnerability | No | No | 7.8 | No |

Windows ESU Vulnerabilities

| CVE | Title | Exploited? | Publicly disclosed? | CVSSv3 base score | Has FAQ? |
|---|---|---|---|---|---|
| CVE-2022-24498 | Windows iSCSI Target Service Information Disclosure Vulnerability | No | No | 6.5 | Yes |
| CVE-2022-26807 | Windows Work Folder Service Elevation of Privilege Vulnerability | No | No | 7 | Yes |
| CVE-2022-24474 | Windows Win32k Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2022-24542 | Windows Win32k Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2022-26904 | Windows User Profile Service Elevation of Privilege Vulnerability | No | Yes | 7 | Yes |
| CVE-2022-24541 | Windows Server Service Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
| CVE-2022-26915 | Windows Secure Channel Denial of Service Vulnerability | No | No | 7.5 | No |
| CVE-2022-24500 | Windows SMB Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
| CVE-2022-26787 | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2022-26790 | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2022-26792 | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2022-26794 | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2022-26796 | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2022-26797 | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2022-26798 | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2022-26801 | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2022-26802 | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2022-26803 | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2022-26919 | Windows LDAP Remote Code Execution Vulnerability | No | No | 8.1 | Yes |
| CVE-2022-26831 | Windows LDAP Denial of Service Vulnerability | No | No | 7.5 | No |
| CVE-2022-24544 | Windows Kerberos Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2022-24530 | Windows Installer Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2022-24499 | Windows Installer Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2022-26903 | Windows Graphics Component Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-26810 | Windows File Server Resource Management Service Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2022-26827 | Windows File Server Resource Management Service Elevation of Privilege Vulnerability | No | No | 7 | Yes |
| CVE-2022-26916 | Windows Fax Compose Form Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-26917 | Windows Fax Compose Form Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-26918 | Windows Fax Compose Form Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-24527 | Windows Endpoint Configuration Manager Elevation of Privilege Vulnerability | No | No | 7.8 | Yes |
| CVE-2022-26812 | Windows DNS Server Remote Code Execution Vulnerability | No | No | 7.2 | Yes |
| CVE-2022-26813 | Windows DNS Server Remote Code Execution Vulnerability | No | No | 7.2 | Yes |
| CVE-2022-24536 | Windows DNS Server Remote Code Execution Vulnerability | No | No | 7.2 | Yes |
| CVE-2022-26815 | Windows DNS Server Remote Code Execution Vulnerability | No | No | 7.2 | Yes |
| CVE-2022-26819 | Windows DNS Server Remote Code Execution Vulnerability | No | No | 6.6 | Yes |
| CVE-2022-26820 | Windows DNS Server Remote Code Execution Vulnerability | No | No | 6.6 | Yes |
| CVE-2022-26821 | Windows DNS Server Remote Code Execution Vulnerability | No | No | 6.6 | Yes |
| CVE-2022-26822 | Windows DNS Server Remote Code Execution Vulnerability | No | No | 6.6 | Yes |
| CVE-2022-26829 | Windows DNS Server Remote Code Execution Vulnerability | No | No | 6.6 | Yes |
| CVE-2022-24521 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Yes | No | 7.8 | No |
| CVE-2022-24481 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2022-24494 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2022-24540 | Windows ALPC Elevation of Privilege Vulnerability | No | No | 7 | Yes |
| CVE-2022-21983 | Win32 Stream Enumeration Remote Code Execution Vulnerability | No | No | 7.5 | Yes |
| CVE-2022-24534 | Win32 Stream Enumeration Remote Code Execution Vulnerability | No | No | 7.5 | Yes |
| CVE-2022-24485 | Win32 File Enumeration Remote Code Execution Vulnerability | No | No | 7.5 | Yes |
| CVE-2022-26809 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 9.8 | Yes |
| CVE-2022-24528 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
| CVE-2022-24492 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
| CVE-2022-24533 | Remote Desktop Protocol Remote Code Execution Vulnerability | No | No | 8 | Yes |
| CVE-2022-24493 | Microsoft Local Security Authority (LSA) Server Information Disclosure Vulnerability | No | No | 5.5 | Yes |



What does the term “Legacy Systems” mean to you? What image does it conjure up? Well, the word “legacy” can mean “something transmitted by or received from an ancestor or predecessor or from the past.” For example, the “legacy of the ancient philosophers”, or perhaps “legacy of ancient IT professionals.” A legacy is something that is […]

The post Legacy systems still in use: making a cybersecurity case for modernisation appeared first on The State of Security.

4 Fallacies That Keep SMBs Vulnerable to Ransomware, Pt. 2

This post is co-authored by Chris Henderson, Senior Director of Information Security at Datto, Inc.

Welcome back for the second and final of our blogs on the fallacies and biases that perpetuate ransomware risk for SMBs. In part one, we examined how flawed thinking and a sense of helplessness are obstacles to taking action against ransomware. In this final part, we will examine fallacies number 3 and 4: the ways SMBs often fail to “trust but verify” the security safety of their critical business partners, and how prior investments affect their forward-looking mitigation decisions.

3. Failing to trust but verify

“You seem like someone I can trust to help support and grow my business.”

Stranger danger

When SMBs create business partnerships, they do so with a reasonable expectation that the other party will do the right things to keep both sides safe. SMBs are effectively placing trust in strangers. As humans, we (often unconsciously) decide whom to trust based on how they make us feel or whether they remind us of a past positive experience. Rarely have SMBs done a deep enough examination to determine whether that level of trust is truly warranted, especially when it comes to protecting against ransomware.

We reasonably — but perhaps incorrectly — expect a few key things from these business partners, namely that they will:

  • Be rational actors that can be relied on to make informed decisions that maximize benefits for us
  • Exercise rational choice in our best interests
  • Operate with the same level of due care that a reasonable, prudent person would use under the same or similar circumstances, in decisions that affect our business – akin to a fiduciary

Rational actor model

According to economic theory, a rational actor maximizes benefits for themselves first and exercises rational choice in deciding whether an option is right for themselves. That raises the question: To what extent do SMBs understand whether business objectives are aligned such that what is right for their business partners’ cyber protection is also right for them? In the SMB space, too often the answer is based on trust alone and not on any sort of verification, or what mature security programs call third-party due diligence.

If I harm you, I harm myself

Increasingly, ransomware attacks are relying on our business relationships (a.k.a. supply chains) to facilitate attacks on targets. End targets may be meticulously selected, but they could instead be targets of opportunity, and sometimes they are even impacted as collateral damage. In any case, in this ransomware environment, it is critical for SMBs to reassess the level of trust they place in their business partners, as their cyber posture is now part of yours. You share the risk.

Trust is a critical component of business relationships, but trust in a business partner's security must be verified upon establishment of the relationship and reaffirmed periodically thereafter. It is a reasonable expectation that, given this ransomware environment, your business partners will be able to prove that they take both their and your protection as being in your mutual best interests. They must be able to speak to and demonstrate how they work toward that objective.

Acknowledge and act

Trust is no longer enough — SMBs have to verify. Unfortunately, there is no one-size-fits-all process for diligence, but a good place to start is with a serious conversation about your business partners’ attitudes, beliefs, current readiness, and their investments in cyber resilience, ransomware prevention, and recovery. During that conversation, ask a few key questions:

  1. Do you have cyber insurance coverage for a ransomware incident that affects both you and your customers? Tip: Ask them to provide you proof of coverage.
  2. What cybersecurity program framework do you follow, and to what extent have you accomplished operating effectiveness against that framework? Tip: Ask to see materials from audits or assessments as evidence.
  3. Has your security posture been validated by an independent third party? Tip: Ask to see materials from audits or assessments as evidence.
  4. When was the last time you, or a customer of yours, suffered a cybersecurity incident, and how did you respond? Tip: Ask for a reference from a customer they’ve helped recover from a ransomware incident.

4. “We can’t turn back now; we’ve come too far”

“We have already spent so much time and made significant investments in IT solutions to achieve our business objectives. It wouldn’t make sense at this point to abandon our solutions, given what we’ve already invested.”

Sunk cost

Ransomware threat actors seek businesses whose IT solutions — when improperly developed, deployed, configured, or maintained — make compromise and infection easy. Such solutions are currently a primary access vector for ransomware, because security can be difficult to retrofit into them. When it cannot be retrofitted, we are faced with a decision to migrate platforms, which can be costly and disruptive.

This decision point is one of the most difficult for SMBs, as it’s very easy to fall into a sunk cost fallacy — the tendency to follow through on an endeavor if we’ve already invested time, effort, or money into it, whether or not the current costs outweigh the benefits.

It’s easy to look backward at all the work done to get an IT solution to this point and exceedingly difficult to accept a large part of that investment as a sunk cost. The reality is that it doesn’t matter how much time has been invested in IT solutions. If security is not a core feature of the solution, then the long-term risk to an SMB’s business is greater than any sunk cost.

Acknowledge and act

Sunk costs burn because they feel like a failure — knowing what we know now, we should have made a different decision. New information is always presenting itself, and the security landscape is changing constantly around us. It’s impossible to foresee every shift, so our best defense is to remain agile and pivot when and as necessary. Acknowledge that there will be sunk costs on this journey; allowing them to stand in the way of reasonable action is the real failure.

Moving forward

“There’s a brighter tomorrow that’s just down the road. Do not look back; you are not going that way” - Mary Engelbreit

Realizing your SMB has real cyber risk exposure to ransomware requires overcoming a series of logical fallacies and cognitive biases. Once you understand and accept that reality, it's imperative not to buy into learned helplessness, because you need not be a victim. An SMB’s size and agility can be an advantage.

From here, re-evaluate your business partnerships and the level of trust you place in them when it comes to cybersecurity. Be willing to make decisions that accept prior investments may simply be sunk costs, recognizing that the long-run benefits of changing to become more cyber resilient outweigh the risks of not changing.



Analyzing the Attack Landscape: Rapid7’s 2021 Vulnerability Intelligence Report

Every year, our research team at Rapid7 analyzes thousands of vulnerabilities to understand root causes, dispel misconceptions, and explain why some flaws are more likely to be exploited than others. By continuously reviewing the vulnerability landscape and sharing our research team’s insights, we hope to help organizations around the world better secure their environments and shore up vulnerabilities to keep bad actors at bay.

Today, we are proud to share Rapid7’s 2021 Vulnerability Intelligence Report, which provides a landscape view of critical vulnerabilities and threats and offers expert analysis of attack vectors and exploitation trends from a truly harrowing year for risk management teams. The report details 50 notable vulnerabilities from 2021, 43 of which were exploited in the wild. We also highlight a number of non-CVE-based attacks, including several significant supply chain security incidents.

In this post, we’ll take a big-picture look at the threat landscape in 2021 and reinforce key ways for organizations to protect themselves against high-priority vulnerabilities. For more insights and in-depth technical analysis, download the full report now.

As many security and IT teams experienced firsthand, 2021 saw notable increases in attack volume, urgency, and complexity. Many of 2021’s critical vulnerabilities were exploited quickly and at scale, dwarfing attacks from previous years and giving businesses little time to shore up defenses in the face of rapidly rising risk. Key findings across the 50 vulnerabilities in this year’s report include:

  • A 136% increase in widespread threats over 2020, due in part to attacker economies of scale, like ransomware and coin mining campaigns
  • A significant rise in zero-day attacks
  • Lower time to known exploitation (TTKE) — a decrease of 71% year over year

When a vulnerability is exploited by many attackers across many different organizations and industries, Rapid7 researchers classify that vulnerability as a widespread threat. In one of the year’s more jarring trends, 52% of 2021’s widespread threats began with a zero-day exploit. These vulnerabilities were discovered and weaponized by adversaries before vendors were able to patch them. A much higher proportion of zero-day attacks are now threatening many organizations from the outset, instead of being used in more targeted operations. 85% of the zero-day exploits in our 2021 data set, like the Microsoft Exchange ProxyLogon vulnerabilities and Log4Shell CVE-2021-44228, were widespread threats from the start.

Additional themes from 2021 included an increase in driver-based attacks and injection exploits, as well as ongoing threats to software supply chain integrity. In the full report, our team also enumerates high-level vulnerability root causes and attacker utilities to help readers understand which vulnerabilities may offer easy exploitability or deep access for attackers.

Examining today’s threat landscape

In summary, the threat landscape in 2021 was frenetic for many businesses. Not only was the world still grappling with the COVID-19 pandemic, which continued to put pressure on staffing and budgets, but security teams faced a rise in attack complexity and severity. Widespread attacks leveraging vulnerabilities in commonly deployed software were endemic, ransomware prevalence increased sharply, and zero-day exploitation reached an all-time high.

While this may sound grim, there is some good news. For one thing, the security industry is better able to detect and analyze zero-day attacks. This, in turn, has helped improve commercial security solutions and open-source rule sets. And while we would never call the rise of ransomware a positive thing for the world, the universality of the threat has spurred more public-private cooperation and driven new recommendations for preventing and recovering from ransomware attacks.

These are just a few examples of how the threat landscape has evolved — and how the challenges vulnerability risk management teams face are evolving along with it. We recommend prioritizing remediation for the CVEs in this year’s data set.

How to manage risk from critical vulnerabilities

At Rapid7, we believe that research-driven context on vulnerabilities and emergent threats is critical to building forward-looking security programs. In line with that, organizations of all sizes can implement the following battle-tested tactics to minimize easy opportunities for attackers.

  • Asset inventory is the foundation of any security program. Responding quickly and decisively to high-urgency threats requires knowing which technologies you use across your stack, how they are configured, and who has access to them.
  • Limit and monitor your internet-facing attack surface area. Pay particular attention to security gateway products, such as VPNs and firewalls.
  • Establish emergency zero-day patching procedures and incident response playbooks that go hand-in-hand with regular patching cycles.
  • Conduct incident response investigations that look for indicators of compromise (IOCs) and post-exploitation activity during widespread threat events in addition to activating emergency patching protocols.
  • Employ in-depth security measures to protect your development pipelines from supply chain attacks. These pipelines are often targets — as are developers.

These are only some of the fundamental ways you can layer security to better protect your organization in the face of widespread and emergent threats. Many of the CVEs in our report can be used in concert with other vulnerabilities to achieve greater impact, so we strongly recommend prioritizing remediation of the CVEs in this year’s data set and implementing control and detection mechanisms across the whole of your environment.

Read the 2021 Vulnerability Intelligence Report to see our full list of high-priority CVEs and learn more about attack trends from 2021.



Many UK business and technology executives aren’t hopeful about their digital security going into 2022. In a survey of 3,600 business and technology executives, of which 257 were from the UK, PwC learned that a majority (61%) of respondents expected to see an increase in reportable ransomware attacks next year. An even greater proportion (64%) […]

The post How Tripwire ExpertOps Can Help Solve the UK’s Cybersecurity Challenges appeared first on The State of Security.

4 Fallacies That Keep SMBs Vulnerable to Ransomware, Pt. 1

Ransomware has focused on big-game hunting of large enterprises in past years, and those events often make the headlines. The risk can be even more serious for small and medium-sized businesses (SMBs), who struggle both to understand the changing nature of the threats and to find the resources to become cyber resilient. Ransomware poses a greater threat to SMBs’ core ability to continue operating, as recovery can be impossible or expensive beyond their means.

SMBs commonly seek assistance from managed services providers (MSPs) for the foundational IT needs of running their business — MSPs have been the virtual CIOs for SMBs for years. Increasingly, SMBs are also turning to their MSP partners to help them fight the threat of ransomware, implicitly asking them to take on the role of a virtual CISO as well. These MSPs have working knowledge of ransomware and are uniquely situated to assist SMBs that are ready to go on a cyber resilience journey.

With this expert assistance available, one would think that we would be making more progress on ransomware. However, MSPs are still meeting resistance when working to implement a cyber resilience plan for many SMBs.

In our experience working with MSPs and hearing the challenges they face with SMBs, we have come to the conclusion that much of this resistance they meet is based on under-awareness, biases, or fallacies.

In this two-part blog series, we will present four common mistakes SMBs make when thinking about ransomware risk, allowing you to examine your own beliefs and draw new conclusions. We contend that until SMBs that resist resilience improvements do the work to unwind these critical flaws in thinking, ransomware will continue to be a growing and existential problem for them.

1. Relying on flawed thinking

“I’m concerned about the potential impacts of ransomware, but I do not have anything valuable that an attacker would want, so ransomware is not likely to happen to me.”

Formal fallacies

These arguments are the most common form of resistance toward implementing adequate cyber resilience for SMBs, and they create a rationalization for inaction as well as a false sense of safety. However, they are formal fallacies, relying on common beliefs that are partially informed by cognitive biases.

Formal fallacies can best be classified simply as deductively invalid arguments that typically commit an easily recognizable logical error when properly examined. Either the premises are untrue, or the argument is invalid due to a logical flaw.

Looking at this argument, the conclusion “ransomware will not happen to me” is drawn from the premise “I have nothing of value to an attacker.” The flaw in this argument is that the attacker does not need the data they steal or hold ransom to be intrinsically valuable to them — they only need it to be valuable to the attack target.

Data that is intrinsically valuable is nice to have for an attacker, as they can monetize it outside of the attack by exfiltrating it and selling it (potentially multiple times), but the primary objective is to hold it ransom, because you need it to run your business. Facing this fact, we can see that the conclusion “ransomware will not happen to me” is logically invalid based on the premise “I have nothing of value to an attacker.”

Confirmation bias

The belief “ransomware will not happen to me” can also be a standalone argument. The challenge here is that the premise of the argument is unknown. This means we need data to support probability. With insufficient reporting data to capture accurate rates of ransomware on SMBs, this is problematic and can lead to confirmation bias. If I can't find data on others like me as an SMB, then I may conclude that this confirms I'm not at risk.

Anchoring bias

I may be able to find aggregate data stating that my SMB’s industry is not as commonly targeted. This piece of data can lead to an anchoring bias, which is the tendency to rely heavily on the first piece of information we are given. While ransomware might not be as common in your industry, that does not mean it does not exist. We need to research further rather than latching onto this data to anchor our belief.

Acknowledge and act

The best way to combat these formal fallacies and biases is for the SMB and their MSP to acknowledge these beliefs and act to challenge them through proper education. Below are some of the most effective exercises we have seen SMBs and MSPs use to better educate themselves on real versus perceived ransomware risk likelihood:

  1. Threat profiling is an exercise that collects information from vendor partners and open-source intelligence sources to inform which threat actors are likely to target the business, and using which tactics.
  2. Data flow diagrams can help you to map out your unique operating environment and see how all your systems connect together to better inform how data moves and resides within your IT environment.
  3. A risk assessment uses the threat profile information and overlays on the data flow diagram to determine where the business is most susceptible to attacker tactics.
  4. Corrective action planning is the last exercise, where you prioritize the largest gaps in protection using a threat- and risk-informed approach.

2. Being resigned to victimhood

“Large companies and enterprises get hit with ransomware all the time. As an SMB, I don't stand a chance. I don't have the resources they do. This is hopeless; there’s nothing I can do about it.”

Victim mentality

This past year has seen a number of companies that were supposedly “too large and well-funded to be hacked” reporting ransomware breaches. It feels like there is a constant stream of information reinforcing the mentality that, even with a multi-million dollar security program, an SMB will not be able to effectively defend against the adverse outcomes of ransomware. This barrage of information can make them feel a loss of control and that the world is against them.

Learned helplessness

These frequent negative outcomes for “prepared” organizations are building a sense of learned helplessness, or powerlessness, within the SMB space. If a well-funded and organized company can't stop ransomware, why should we even try?

This mentality takes a binary view on a ransomware attack, viewing it as an all-or-nothing event. In reality, there are degrees of success of a ransomware attack. The goal of becoming immune to ransomware can spark feelings of learned helplessness, but if you reframe it as minimizing the damage a successful attack will have, this allows you to regain a sense of control in what otherwise may feel like an impossible effort.

Pessimism bias

This echo chamber of successful attacks (and thus presumed unsuccessful mitigations) is driving a pessimism bias. As empathetic beings, we feel the pain of these attacked organizations as though it were our own. We then tie this negative emotion to our expectation of an event (i.e., a ransomware attack), creating the expectation of a negative outcome for our own organization.

Acknowledge and act

Biases and beliefs shape our reality. If an SMB believes they are going to fall victim to ransomware and fails to protect against it, they actually make that exact adverse outcome more likely.

Despite the fear and uncertainty, the most important variable missing from this mental math is environment complexity. The more complex the environment, the more difficult it is to protect. SMBs have an advantage over their large-business counterparts, as the SMB IT environment is usually easier to control with the right in-house tech staff and/or MSP partners. That means SMBs are better situated than large companies to deter and recover from attacks — with the right strategic investments.

Check back with us next week, when we’ll tackle the third and fourth major fallacies that hold SMBs back from securing themselves against ransomware.
