Highlights From Security Analysis – Message From The Head Of Security Analysis
- Perform regular patch management and updates
- Keep track of IT assets
- Perform regular cyber hygiene training against phishing attacks
- Conduct quarterly penetration testing on both internal and external networks
- If an organization or entity operates in the financial sector, it should put Red Teaming at the top of its infrastructure penetration testing program
- Change default passwords to more complex passwords
- Enable Multi Factor Authentication (MFA) for your organization's users, even for personal login pages
- Don't use company laptops for personal purposes
Our final advice is to never underestimate an attack, vulnerability or exposure of information, as it can be a doorway for attackers to significantly harm your organization.
Most exploited vulnerabilities
CVE-2021-34527 – PrintNightmare Vulnerability
Q2 of 2021 saw another devastating attack against Microsoft services that are actively used by end users and servers. This vulnerability affected the Print Spooler service and allowed attackers to run commands and perform remote code execution with SYSTEM privileges. This one vulnerability alone could bring down IT operations or cause major changes on the network.
It is highly recommended to install the updates released by Microsoft and to apply the configuration changes below on critical servers and workstations.
Registry settings to be set to 0 or not defined:
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
- NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
- UpdatePromptSettings = 0 (DWORD) or not defined (default setting)
Option 1 – Disable the Print Spooler service
- Stop-Service -Name Spooler -Force
- Set-Service -Name Spooler -StartupType Disabled
Option 2 – Disable inbound remote printing through group policy
In the group policy:
- Computer Configuration / Administrative Templates / Printers
- Set the "Allow Print Spooler to accept client connections" policy to Disabled to block remote attacks.
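The following PowerShell audit function is an added example, not part of the original bulletin. It checks a host against the three PrintNightmare mitigations listed above (Point and Print registry values, the Spooler service state, and the client-connections policy). It assumes an elevated session on the host being checked; the registry value RegisterSpoolerRemoteRpcEndPoint = 2 is the setting written by the "Allow Print Spooler to accept client connections" policy when set to Disabled, which you should verify against your own build's ADMX template.

```powershell
# Added example: audit a Windows host for the CVE-2021-34527 mitigations.
# Assumes an elevated PowerShell session on the host being audited.
function Test-PrintNightmareMitigation {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Point and Print values must be 0 or absent (absent = secure default).
    $papKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        $value = $null
        if (Test-Path $papKey) {
            $value = (Get-ItemProperty -Path $papKey -Name $name -ErrorAction SilentlyContinue).$name
        }
        if ($null -ne $value -and $value -ne 0) {
            $findings.Add("$name = $value (expected 0 or not defined)")
        }
    }

    # 2. Option 1: Spooler service stopped and disabled.
    #    Win32_Service is used so the check also works on older PowerShell versions.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    $spoolerDisabled = ($null -ne $svc) -and ($svc.State -eq 'Stopped') -and ($svc.StartMode -eq 'Disabled')

    # 3. Option 2: "Allow Print Spooler to accept client connections" set to Disabled.
    #    Assumption: the policy writes RegisterSpoolerRemoteRpcEndPoint = 2 when Disabled.
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $rpc = (Get-ItemProperty -Path $polKey -Name RegisterSpoolerRemoteRpcEndPoint -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
    $remoteBlocked = ($rpc -eq 2)

    # Either option is sufficient; only flag the host when neither is in place.
    if (-not ($spoolerDisabled -or $remoteBlocked)) {
        $findings.Add('Spooler is enabled and remote client connections are not blocked by policy')
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        SpoolerDisabled  = $spoolerDisabled
        RemoteRpcBlocked = $remoteBlocked
        Mitigated        = ($findings.Count -eq 0)
        Findings         = $findings.ToArray()
    }
}

# Example run; pipe to Export-Csv to collect results from many hosts.
Test-PrintNightmareMitigation | Format-List
```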
CVE-2021-26855-8 and CVE-2021-27065 – MS Exchange Remote Code Execution
Another set of vulnerabilities affected one of the most critical services, MS Exchange Server, and allowed a remote attacker to achieve code execution by chaining multiple attacks against the servers. This also enables the attacker to create a backdoor or implant ransomware on the affected target systems.
It is important to install the patches released by Microsoft on the servers and to follow the guidelines set by Microsoft.
CVE-2021-21972 – vSphere Remote Code Execution
The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.
It is important to install the patch and updates from the vendor.
CVE-2021-1366 – AnyConnect Code Execution
This was a vulnerability in the Cisco AnyConnect product. It is triggered by sending crafted IPC messages to the AnyConnect process. To carry out this attack, an attacker must first obtain valid credentials.
Currently there is no workaround, but an advisory and a patch are available.
CVE-2021-33739 – MS DWM Core Library LPE
Here we are shifting away from Remote Code Execution to Local Privilege Escalation for a change. A new working attack against the MS DWM Core Library has been reported that allows an attacker to execute commands with higher privileges. To perform this attack, the attacker must already have low-privileged access to the system.