Summary

Welcome to your Cyber Risk Report for the period of May 2017.
This has been an unusually busy month. There has been a great deal of activity from criminal elements on the internet, and a significant number of cyber-attacks have occurred.
On 26th of May 2017, the Cyber Risk Level was determined to be Severe.
This Cyber Risk Report uses the POST intelligence model.
Political Risk
Operational Risk
Security (Cyber) Risk
Threats
This report covers the period of May 1st through to May 31st 2017. This report was compiled by Peter Bassill, CEO of Hedgehog Security.

Political Risk

Domestic Government and Oppositions

The UK is facing an ongoing, persistent threat of cyber-attack from other states, terrorists and criminals operating in cyberspace. Cyber-attacks affecting UK businesses doubled last year, with 46% of companies having suffered a breach of their systems or a cyber-attack. The most common attack mechanisms are fraudulent emails, incidents involving the downloading of viruses and malicious software onto computer systems, and employee identity theft. Common targets for these types of attacks are the communications, real estate, and scientific and technical service industries. Principal targets are those directly connected to the National Critical Infrastructure, although targets of opportunity, those connected within the government's supply chain, are also being sought. Most recent is the cyber-attack on the NHS, where hackers are demanding a bitcoin ransom after infiltrating the health service's antiquated computer systems.

Foreign Governments

The NHS attack has also affected multiple international companies and systems, including FedEx Corp in the US, Telefonica, a Spanish telecom, and a German rail operator. The countries most heavily hit by these attacks appear to be Russia, Ukraine and Taiwan. This most recent attack appears to have been conducted by a hacker group rather than a state.

Operational Risk

New Vulnerabilities

May has been an incredible month for new vulnerability disclosures. Measured against the monthly average over the last twelve months, this month shows a threefold increase over the average number of vulnerabilities published in the first quarter of 2017: a whopping 3717 published vulnerabilities.
Alongside that volume of vulnerabilities, a considerable number of exploits have been released:
Exploit Category                                   Count
Remote Exploits                                    19
    Exploits for remote services or applications, including client-side exploits.
Web Application Exploits                           35
    Exploits for web applications.
Local and Privilege Escalation Exploits            11
    Local exploits and privilege escalation exploits.
Denial of Service and Proof of Concept Exploits    37

Patches

Microsoft

Windows Security Updates

Here we are again, another Patch Tuesday without security bulletins. This month has a reported total of 243 listings. While this sounds like a lot of patches, it does include an entry for the same patch for each different version of Windows.
The release notes tell us that this month's releases include updates for Internet Explorer, Edge, Windows, Office/Office Services and Web Apps, the .NET Framework, and Adobe Flash Player.
But before we get to the Patch Tuesday updates, we need to highlight an emergency security fix that Microsoft released on Monday. This fix patches a security vulnerability in the Malware Protection Engine that is part of Windows Defender, Security Essentials, and Microsoft Forefront and Intune Endpoint Protection software (CVE-2017-0290). This was a critical issue: a crafted file triggered the flaw automatically when it was scanned by the MPE, which could lead to remote code execution or denial of service. You can read more about this one in Security Advisory 4022344.
Now on to the Tuesday releases. Most updates are now cumulative roll-ups for a particular operating system or software application. Thus, we have cumulative updates for the IE and Edge browsers, as well as for Windows 10, 8.1 and 7. For those of you still running Windows Vista, just a reminder that Microsoft ended support for it last month. And if by any chance you're still running the RTM version of Windows 10, be aware that support for this product ended on this Patch Tuesday (May 9).
  • Cumulative update 2017-05 for Windows 10, also known as KB4016871, applies to the "Creators Update" edition of Windows 10 and replaces v15063.250 with v15063.296. This cumulative update is also available for Windows 10 Mobile. Per Microsoft, the update includes security fixes for Edge, IE, the Microsoft Graphics Component, the Windows SMB server, the Windows COM component, the Microsoft scripting engine, the kernel, and the .NET Framework, along with some performance and reliability fixes.
  • Security update for Windows 7 and Server 2008 R2 (KB4019263) contains fixes for the Microsoft Graphics Component, Windows COM, ActiveX, Windows Server, Windows DNS and the Windows kernel, and deprecates the SHA-1 authentication method for SSL/TLS server authentication in the Windows Cryptography API.
  • Security update for Windows 8.1 and Server 2012 R2 (KB4019213) contains the same fixes as the Windows 7/2008 R2 update.
  • Cumulative update for Internet Explorer (KB4018271) applies to IE running on Windows 7 SP1, Windows 8.1, Windows 10, Server 2008 R2, 2012 R2 and 2016 and fixes multiple security vulnerabilities.
  • Security update for the .NET Framework versions 3.5.1, 4.5.2, 4.6, 4.6.1, and 4.6.2 running on Windows 7 SP1 and Windows Server 2008 SP2, 2008 R2 SP1, 2012 and 2012 R2 fixes a security feature bypass caused by incomplete validation of certificates.
  • Adobe Flash Player security update (KB4020821) applies to the Flash Player software running on Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows 10, Windows 10 Version 1511, Windows 10 Version 1607, Windows 8.1, or Windows RT 8.1. This security update was released by Adobe as APSB17-15, and addresses seven critical vulnerabilities that include memory corruption issues and a use-after-free vulnerability, both of which could be exploited to accomplish code execution.
  • Security update for Microsoft Office applications, services and web apps to address CVE-2017-0261 and CVE-2017-0254, both of which are memory corruption issues that can lead to remote code execution. The first is exploited when a user opens a specially crafted EPS file. The second could be exploited by an attacker to run remote code in the context of the current user, by persuading a user to open a specially crafted file or download it from a malicious or compromised web site. The update fixes it by changing the way Office handles objects in memory.
Some of the more critical and/or more exploitable vulnerabilities patched in this month's updates, in addition to those mentioned above, include:
  • Elevation of privilege vulnerability (CVE-2017-0077) in the Microsoft DirectX graphics kernel subsystem, affecting supported versions of the Windows client and server operating systems (Windows 7, 8.1, 10 and Server 2008/2008 R2, 2012/2012 R2 and 2016), which is caused by improper handling of objects in memory. The update fixes the way the DirectX graphics kernel subsystem handles certain calls and escapes, to preclude improper memory mapping and prevent unintended elevation from user mode.
  • Windows SMB remote code execution vulnerability (CVE-2017-0272) in supported versions of the Windows client and server operating systems (Windows 7, 8.1, 10 and Server 2008/2008 R2, 2012/2012 R2 and 2016), which can allow an unauthenticated attacker to remotely execute code because of the way the Microsoft Server Message Block server handles certain requests. The update corrects the handling of specially crafted requests by the SMB server.
  • Memory corruption vulnerability in Internet Explorer (CVE-2017-0222) in IE 10 and 11 running on Windows 7, 8.1, 10 and Server 2008 R2, 2012/2012 R2 and 2016 that is caused by improper handling of objects in memory, and can be exploited by an attacker to run arbitrary code in the context of the current user by luring the user to a malicious or compromised web site. The update fixes the problem by changing the way IE handles objects in memory.
This is only a sampling of some of the vulnerabilities that were patched in this month's releases.
Microsoft also issued a new build of Windows 10 version 1703 (Build 15063.250) today, which addresses a number of compatibility and non-security issues that include the following:
  • VMs losing network connectivity while provisioning IP addresses.
  • Remote ring not initiated on device when RemoteRing Configuration Service Provider (CSP) is used.
  • Memory leak in Internet Explorer when hosting pages containing nested framesets that load cross-domain content.
  • Internet Explorer 11 failure to save JavaScript files when exporting to an MHT file.
  • Unexpected intermittent logout from Web applications.
  • Monitor brightness issue when booting with the external monitor only and then switching to the built-in display only.
  • Unresponsive system (freeze) when running Win32 Direct3D applications or games in full-screen exclusive mode if you resume from Connected Standby.
  • Progress page displays incorrect characters when upgrading in Chinese language edition.
  • Can't disable lock screen via Group Policy on Professional SKUs.
  • Issue in Windows Forms configuration that causes antivirus applications to quit working when you start up.
  • Internet Explorer, and Microsoft Edge fixes.

Exchange 2016

Exchange 2016's latest update is Cumulative Update 5, which is something of a milestone to some, since it means both that it's been a year since Exchange 2016 came out and that, in the old way of reckoning things, you might have called this SP1. First up, this CU brings a requirement for .NET Framework 4.6.2. If you're not on CU4 already, apply CU4, then apply .NET Framework 4.6.2, then finally you can apply CU5, which you can download from https://www.microsoft.com/en-us/download/details.aspx?id=54930. This CU contains the latest changes to Daylight Saving Time and fixes a number of issues with Exchange 2016.

Exchange 2013

Exchange 2013 Cumulative Update 16 brings a number of fixes to 2013, as well as a significant change. Like Exchange 2016, the .Net Framework 4.6.2 is now required for Exchange 2013 and should be applied before applying this CU. If you are not current on your CUs already, apply CU15, upgrade .Net to 4.6.2, then apply this CU. This CU includes Daylight Saving Time updates, and one fix.

Exchange 2010

Exchange 2010 Service Pack 3 gets Update Rollup 17 this time around. Downloadable from https://www.microsoft.com/en-us/download/details.aspx?id=54934, this update includes the latest Daylight Saving Time changes, as well as fixes for four issues.

Exchange 2007

One more time... Exchange 2007 goes end of life next month, on May 11. If you're still on 2007, you might see some security patches next month, but then that is it. If you are not already well on your way to getting your users off 2007, I predict one of two things in your future. Either a cutover to a new platform, or a catastrophic failure. It's not that 2007 has a half-life or an expiration date and will start to smell funky in a few more weeks, but more that either a new vulnerability will be found, or a hardware failure will occur, or something else will go wrong and you won't have anywhere to turn.

Laws, Rules and Regulations

There are no updates to laws, rules and regulations for this period.

Regulatory Environment

There are no updates to the regulatory environment for this period.
 

Security (Cyber) Risk

WannaCry Ransomware Attack

The biggest cyber security news this month is of course the global cyber-attack that affected the NHS and has been described by Mikko Hypponen, chief research officer at F-Secure, as "the biggest ransomware outbreak in history". The attack affected over 150 countries and organisations including Spain's Telefonica, FedEx and Deutsche Bahn, along with the NHS and many other companies worldwide. Within four days of the initial outbreak, most organisations had applied updates and new infections had slowed down considerably.
Soon after the initial release of the ransomware on 12th May, a researcher known as MalwareTech discovered a "kill switch" domain hardcoded in the malware. Registering that domain name as a DNS sinkhole stopped the attack spreading as a worm. While this did not help already infected systems, it severely slowed the spread of the initial infection and bought time for defensive measures to be deployed worldwide.
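The sinkhole only stops new infections; a host that looked up the kill-switch domain has already executed the malware and still needs isolating and patching. The following triage script is an added example (not from the Hedgehog report): it scans DNS query logs for hosts that resolved a sinkholed name, using a constructed log format and a placeholder domain, since the report does not name the real one.

```python
"""Flag hosts that queried a sinkholed kill-switch domain in DNS logs.

Added example. Log format and domain are constructed placeholders:
substitute your resolver's log format and the real kill-switch domain.
A hit means the malware ran on that host (the kill-switch check happens
at execution time), so the host still needs isolation and patching.
"""
import re

# Constructed sample in a simple "<timestamp> <client-ip> <qname>" format.
SAMPLE_LOG = """\
2017-05-12T13:01:07Z 10.0.4.21 killswitch-domain.example
2017-05-12T13:01:09Z 10.0.4.21 KILLSWITCH-DOMAIN.example.
2017-05-12T13:02:15Z 10.0.7.9 www.microsoft.com
2017-05-12T13:03:44Z 10.0.9.3 sub.killswitch-domain.example
2017-05-12T13:04:00Z 10.0.7.9 notkillswitch-domain.example
malformed line without fields
"""

# Placeholder: the real kill-switch domain is not given in the report.
SINKHOLED = {"killswitch-domain.example"}
LINE_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)$")


def normalise(qname: str) -> str:
    """Lower-case and strip the trailing dot many DNS logs keep."""
    return qname.lower().rstrip(".")


def matches_sinkhole(qname: str, sinkholed: set) -> bool:
    """True if qname is a sinkholed name or a subdomain of one
    (a prefix match such as notkillswitch-... must not count)."""
    name = normalise(qname)
    return any(name == d or name.endswith("." + d) for d in sinkholed)


def find_killswitch_lookups(log_text: str, sinkholed=SINKHOLED):
    """Return {client_ip: (first_seen, count)} for hosts that queried
    a sinkholed name. Unparseable lines are skipped, not fatal."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, qname = m.groups()
        if matches_sinkhole(qname, sinkholed):
            first, count = hits.get(client, (ts, 0))
            hits[client] = (first, count + 1)
    return hits


if __name__ == "__main__":
    for host, (first, n) in sorted(find_killswitch_lookups(SAMPLE_LOG).items()):
        print(f"{host}: {n} lookup(s), first seen {first}")
```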
Linguistic experts have suggested the authors of the WannaCry ransom note could be Chinese. Evidence suggests that, of the various ransom notes, the Chinese note, which mostly uses proper grammar, punctuation and syntax, was actually written with a Chinese-language keyboard. While the English note is well written, it contains major grammar errors, suggesting that the author is either not a native speaker or not well educated.
"Given these facts, it is possible that Chinese is the author(s)' native tongue, though other languages cannot be ruled out," Flashpoint said. "It is also possible that the malware author(s) intentionally used a machine translation of their native tongue to mask their identity. It is worth noting that characteristics marking the Chinese note as authentic are subtle. It is thus possible, though unlikely, that they were intentionally included to mislead."

'Jihad' Wi-Fi halts flight

Flight TOM039 from Cancun to the UK was cancelled after a passenger noticed that a fellow traveller had named their personal Wi-Fi hotspot 'Jihadist Cell London 1'. The passenger notified a crew member, who took the phone to the cockpit. Mexican security services were brought on to investigate; however, by this time the name had been changed, and police were brought on board. The pilot informed passengers, "Someone has something on their phone which had an extremely subversive title to it - Jihadists Cell London 1 - and obviously we have to take this kind of thing very, very seriously.
"Someone has managed to do this on a hot point and it is a security issue and I'm sure you'll understand I'm not prepared to depart with something like this on the aircraft."
As no one owned up to creating the Wi-Fi name, the flight was cancelled and passengers spent the night in a hotel.

Nigerians Sentenced Over Massive Fraud Scheme

Three Nigerian nationals have been sentenced to a total of 235 years by a U.S. court for their role in a massive international online scheme that involved romance scams, identity theft, fraud and money laundering. They were found guilty in early 2017 of committing mail fraud, wire fraud, credit card fraud, identity theft, and theft of government property. Two of them were also found guilty of conspiracy to commit bank fraud and money laundering.
According to the Department of Justice, the defendants had been involved in these activities since 2001, with intended losses totalling tens of millions of dollars. The scheme often started by tricking U.S. citizens into believing they were in romantic relationships, which then led to the perpetrators asking the victims to send money or help carry out various activities, such as laundering money via Western Union and MoneyGram, cashing counterfeit cheques, and reshipping items purchased with stolen credit cards. The scammers also used stolen personal information to take control of bank accounts.

Threats

Threats are as follows:
Phishing: The threat of phishing is Severe, with a marked increase in the complexity of the phishing attacks being observed globally.
Known Malware: The direct threat of malware is reduced to Severe due to the current prolific spread of new strains of WannaCry.
Zero-day Malware: Zero-day malware remains a problem and, when combined with the current trends in phishing, poses a Severe risk.
Script Kiddie Attack: The threat posed by "script kiddies" is Low.
Hacker Attack: The threat from a skilled hacker is Moderate. Often it would not be technically feasible for an attacker to gain access from the outside without first completing a phishing attack and luring a user into running a form of zero-day malware.
Insider Attack: An insider attack would pose a Severe risk to organisations due to the permissive nature of access to information within the networks.