<p>patches - X-Industry - Red Sky Alliance (feed: https://redskyalliance.org/xindustry/feed/tag/patches, retrieved 2024-03-28)</p>
<p>The Cat Came Back<br /> https://redskyalliance.org/xindustry/the-cat-came-back<br /> Published 2022-04-29 by Michael Brousseau (https://redskyalliance.org/members/MichaelBrousseau)</p>
<div>
<p>There are many things you can do to protect yourself against cyberattacks but if you still do not remember the basics, then your organization is an easy target for cyber criminals. Please review what Red Sky Alliance recommends at the end of this article.</p>
<p>A security vulnerability that was left unpatched for three years allowed a notorious cyber-criminal gang to breach a network and plant ransomware. The BlackCat ransomware attack against the undisclosed organization took place in March 2022 and has been detailed by cybersecurity researchers who investigated the incident. BlackCat ransomware, also known as ALPHV, is quickly becoming one of the most active ransomware groups. The group has compromised 60 organizations globally, warranting an <a href="https://www.ic3.gov/Media/News/2022/220420.pdf">FBI Flash report</a> highlighting Indicators of Compromise (IoCs) and Tactics, Techniques, and Procedures (TTPs) of the ransomware operation.</p>
<p><em>See link for past reporting:</em><br /> <a href="https://redskyalliance.org/xindustry/blackcat-is-no-nice-kitty">https://redskyalliance.org/xindustry/blackcat-is-no-nice-kitty</a></p>
<p>BlackCat has a reputation for running a sophisticated ransomware operation; however, initial access to the network was gained by a simple technique: exploiting an SQL injection vulnerability in an internet-exposed, unpatched, end-of-life SonicWall SRA appliance.</p>
<p>A security patch for the vulnerability has been available since 2019, but it had not been applied in this case, giving the cyber criminals an easy entry point into the network. From there, the attackers were able to obtain usernames and passwords and use them to access ESXi servers, where the ransomware payload was ultimately deployed.</p>
<p>BlackCat deploys several techniques not used by other ransomware groups that are designed to make attacks successful. For starters, the ransomware is written in the Rust programming language, which is unusual for malware and makes it more difficult to detect, examine, and reverse engineer. The ransomware also uses a unique binary for each victim, built around information found in the target environment. Because the code used in each campaign is slightly different, investigators report that this per-victim binary makes detection harder.</p>
<p>In the case of the March 2022 incident, the attack was only partially successful. BlackCat ransomware encrypted servers and files, but it could not spread to other parts of the network because the network had been segmented. While the attackers controlled one area of the network, they could not move into other sections. The segmentation was well done in this case, and that is why the incident was contained.</p>
<p>BlackCat operates as a Ransomware-as-a-Service (RaaS) platform, and it is suspected that this attack was carried out by a new cybercriminal who was learning how to properly conduct attacks. Despite the inexperience of the attacker, some servers were still infected with malware. While no ransom was paid, and the network segmentation reduced the impact of the attack, the whole incident could have been avoided if some basic cybersecurity hygiene advice had been followed. </p>
<p>Those steps would have included applying the relevant security updates to fix a vulnerability that was first disclosed in 2019. It is also recommended that organizations monitor their networks for external access from known malicious IP addresses or for unusual patterns of behavior.</p>
<p>It is up to all organizations to take steps and adopt procedures to protect themselves from ransomware attacks. No government can stop these attacks, except for the countries that are sponsoring or benefitting from the ransom payments.</p>
<p>The following is what Red Sky Alliance recommends:</p>
<ul>
<li>All data in transmission and at rest should be encrypted.</li>
<li>Proper data back-up and off-site storage policies should be adopted and followed.</li>
<li>Implement two-factor authentication company-wide.</li>
<li>For USA readers, join and become active in your local InfraGard chapter (infragard.org); there is no charge for membership.</li>
<li>Update disaster recovery plans and emergency procedures with cyber threat recovery procedures and test them.</li>
<li>Institute cyber threat and phishing training for all employees, with testing and updating.</li>
<li>Recommend/require cyber security software, services, and devices to be used by all work-from-home employees and consultants.</li>
<li>Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.</li>
<li>Ensure that all software updates and patches are installed immediately.</li>
<li>Your company/organization can enroll in our RedXray service for daily cyber threat notifications, which help to protect your valuable domain(s). RedXray service is only $500 a month and provides threat intelligence on ten (10) cyber threat categories including Keyloggers, without having to connect to your network.</li>
<li>Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.</li>
</ul>
<p>IoCs for the BlackCat operation are provided in the FBI Flash report linked above.</p>
<p>Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a>.</p>
<p>Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a></li>
</ul>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/3702558539639477516">https://attendee.gotowebinar.com/register/3702558539639477516</a></p></div>
<p>PrintNightmare Fixes are now Available<br /> https://redskyalliance.org/xindustry/printnightmare-fixes-are-now-available<br /> Published 2021-07-13 by Bill Schenkelberg (https://redskyalliance.org/members/BillSchenkelberg)</p>
<div><p>Patches to fix a severe flaw in the Windows Print Spooler are now available for Windows 10 Version 1607, Windows Server 2012 and Windows Server 2016. Microsoft (MS) has now released patches to protect all versions of Windows against the critical PrintNightmare flaw. MS had earlier deployed fixes covering most, but not all, editions of Windows; according to an update on its message center page, it has now patched the remaining versions.</p>
<p>Newly patched as of 7 July are Windows 10 version 1607, all editions of Windows Server 2012 (including Server Core) and all editions of Windows Server 2016 (including Server Core). This means that all 40 versions of Windows now have a patch for this flaw, including ones no longer supported by MS, such as Windows 7 and Windows Server 2008.<a href="#_ftn1">[1]</a></p>
<p>Pushing out patches for all versions of Windows, even unsupported ones, shows how serious MS considered this vulnerability. As another sign, the company deployed the patch as an out-of-band update, choosing not to wait to roll it out.</p>
<p>Just today (13 July), a new emergency directive issued by the US Cybersecurity and Infrastructure Security Agency (CISA) orders all US federal agencies to mitigate an actively exploited vulnerability in Pulse Connect Secure (PCS) VPN appliances on their networks by 16 July 2021. CISA issued Emergency Directive 21-04 after MS released security updates on Friday to address an actively exploited Print Spooler vulnerability (PrintNightmare) in all supported Windows versions.<a href="#_ftn2">[2]</a></p>
<p>To begin, open the Start Menu and click the Settings icon on the left side of the screen. This opens the Windows 10 Settings app, where you click Update & Security followed by 'Check for Updates.' Windows 10 will then begin checking for updates. This should be routine if you use MS products.</p>
<p>If you are using the latest version of Windows, which covers the May 2021 Update (21H1) to the May 2020 Update (20H1), you will need to make sure you see KB5004945 listed in Windows Update to fix PrintNightmare. This is the automatic patch for Windows 10 Home, Pro, and other versions of Windows 10 that addresses the issue.</p>
<p>Let Windows 10 download the update and install it in the background. After a few minutes, you will be prompted to restart your computer with the Restart Now button. Once you restart, the fix is complete.</p>
<p>All individual users should check Windows Update to download and install the patch for their version of Windows, while organizations should deploy the update through their patch management system. The updates are also available by searching the Microsoft Update Catalog for the specific Knowledge Base number for your version of Windows and by using the Windows Server Update Services (WSUS).</p>
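The check described above can also be done from PowerShell, which is handy when an organization wants to confirm the update across many hosts rather than clicking through Settings on each one. This is an added example, not a script from the Red Sky Alliance post or from Microsoft; it assumes a Windows 10 21H1/20H1 host, where KB5004945 is the update the article names, and takes the KB id as a parameter because other Windows versions receive the fix under different KB numbers.

```powershell
# Added example: confirm the PrintNightmare update is installed and report the
# Print Spooler service state. KB5004945 is the default because the article names
# it for Windows 10 21H1 / 20H1; pass -KbId for other Windows versions.
param(
    [string]$KbId = 'KB5004945'
)

$build = [System.Environment]::OSVersion.Version
Write-Host "Windows build: $build"

# Get-HotFix reads installed updates (Win32_QuickFixEngineering) by KB id.
# No entry means the patch has not been applied to this host.
$fix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
if ($fix) {
    Write-Host "$KbId installed on $($fix.InstalledOn)"
} else {
    Write-Warning "$KbId not found; run Windows Update or deploy it via WSUS / the Update Catalog"
}

# The vulnerable component is the Print Spooler service. Reporting its state helps
# decide whether an unpatched host that does not print needs the service running.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($spooler) {
    Write-Host "Print Spooler: $($spooler.Status) (startup type: $($spooler.StartType))"
} else {
    Write-Host "Print Spooler service not present on this host"
}
```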
<p>Fixing this particular problem with the Windows Print Spooler service was complicated because MS had to patch two different flaws. The first, CVE-2021-1675, was patched through Microsoft's June 2021 security updates. But that still left a second and more serious flaw. Tracked as CVE-2021-34527 and nicknamed PrintNightmare, the second vulnerability concerned an issue in RpcAddPrinterDriverEx(), a function that allows users to install or update a printer driver. If exploited, it would have allowed an attacker to take over the compromised computer to install software, modify data and create new user accounts.</p>
<p>The security updates released on 6 & 7 July 2021 include fixes for both flaws. Anyone unable to install the updates is advised to check the FAQ section in CVE-2021-34527 for steps on protecting their systems. Information on installing new printer drivers after applying the update is accessible in Microsoft's KB5005010 support document. MS has a robust cyber security unit and this proves they stand behind their products. </p>
<p>Red Sky Alliance is in New Boston, NH USA and we are proud to be helping in the over-all cyber defense posture. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a>.</p>
<p>Interested in a RedXray subscription to see what we can do for you? Sign up here: <a href="https://www.wapacklabs.com/RedXray">https://www.wapacklabs.com/RedXray</a> </p>
<ul>
<li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li>
<li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li>
<li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a> </li>
</ul>
<p><a href="#_ftnref1">[1]</a> <a href="https://www.techrepublic.com/article/microsoft-patches-remaining-versions-of-windows-against-printnightmare-flaw/">https://www.techrepublic.com/article/microsoft-patches-remaining-versions-of-windows-against-printnightmare-flaw/</a></p>
<p><a href="#_ftnref2">[2]</a> <a href="https://www.bleepingcomputer.com/news/security/cisa-orders-federal-agencies-to-patch-windows-printnightmare-bug/">https://www.bleepingcomputer.com/news/security/cisa-orders-federal-agencies-to-patch-windows-printnightmare-bug/</a></p></div>