“Do you know the way to San Jose?”

Another cyberattack targets the San Fran Transport Agency.


Normally the 181 Express to San Jose will cost you about $10 and take about 1 hour and 42 mins. But this weekend you could travel for free, thanks to another demonstration of cybercrime—this one reconfirming the dangers of ransomware and its potentially devastating effects when used against public service networks.

In this case, screens that would normally show train departure and arrival times displayed a message informing users they had been hacked, and that MUNI, San Francisco’s Municipal Transportation Agency, had one more day to pay the bitcoin ransom equivalent to $73K.

While it’s not yet known who’s responsible for the attack, nor exactly how they did it, numerous reports suggest the hacker used the email address previously linked to the Mamba ransomware strain first seen in September 2016.


A screen at a Muni train station shows the malware message from HDDCryptor.

Assuming this attack is linked or similar to Mamba, it’s worth looking at in a little more detail.

Mamba, named after the deadly snake, takes a different approach to encrypting files than other ransomware strains by trying to encrypt the entire drive—not just your data files. This means it’s not just your files but the whole OS, including the master file table, that could get encrypted.

Mamba uses the freeware DiskCryptor software to encrypt your files. It’s highly likely that unaware users are clicking on targeted emails, which download both scripts and the tools to encrypt the drive.

This type of ransomware is perfect for an attack on an organization like MUNI. Why? Unlike other attacks we have seen (like in healthcare), where the encrypted data and personal files are worth big money on the black market, knocking operating systems out at a public transportation agency brings operations to a screaming halt, causing service disruption, revenue loss, and a ransomware fine well worth paying. And what commuters don’t think about while they are enjoying a free ride is that the lost revenue and ransom costs are more than likely going to be recouped through increased commuter costs.

So, in the long run, everyone but the hacker loses out in the aftermath of an attack. That’s why organizations must do more to prevent attacks rather than simply detecting them.

Wherever you are in the world, you probably have organizations, governments, and security authorities providing recommendations on how to protect your organization from threats like Mamba. The FBI, the Australian Signals Directorate, the UK’s National Technical Authority for Information Assurance (CESG), and the SANS institute are just some examples.

These experts all agree that to protect against attack you should:

  • Patch the OS
  • Patch apps (not just Microsoft ones)
  • Remove local administrative privileges from the desktop estate
  • Implement application control or whitelisting to allow only the known good

Shavlik offers a solution that addresses all four of these prevention approaches: Shavlik Patch patches the OS and third-party applications, and Application Manager for SCCM removes local administrative privileges and provides application control.

November Patch Tuesday 2016


It’s Election Day! I hope you all voted or will be hitting the polls soon, as this election round has been one for the history books. November 8 also happens to be Patch Tuesday. While this is notably of far less concern than hitting the polls today, Patch Tuesday will be delivering updates from Microsoft, Adobe and Google this month and will, unfortunately, still require your attention tomorrow and in the weeks to come.

Microsoft has released 14 bulletins, six of which are rated as critical, resolving 68 unique vulnerabilities.  Two of the vulnerabilities have been exploited in the wild (Zero Days), and three of the bulletins contain public disclosures.

First off, we get a little closure on the Adobe Flash/Microsoft Zero Day that was identified in October. Adobe released a Flash update on October 26 that resolved CVE-2016-7855, and Microsoft has now resolved CVE-2016-7255 as part of MS16-135.

Adobe has released another Flash Player update, which is rated as a priority one and resolves nine CVEs. If you haven’t already pushed the Flash update from October 26, this will be a high priority along with MS16-135.

Microsoft has a second Zero Day vulnerability this month (CVE-2016-7256). MS16-132 resolves an open type font vulnerability that can allow an attacker to remotely execute code. An attacker can target a user to exploit this vulnerability by crafting a document designed to exploit the vulnerability or by hosting a specially crafted website designed to exploit the vulnerability. The attacker would need to convince a user to click on or open the specially crafted content, but that’s really not a significant challenge. This bulletin should also be a high priority this month.

There are a number of public disclosures this month across several bulletins, which means enough information has been leaked to the public to give an attacker a head start on developing exploit code.  This increases the risk of exploit occurring for these vulnerabilities so we raise the risk level and priority of bulletins that contain public disclosures. See our Patch Tuesday infographics for more detail.

  • MS16-129 for the Edge browser resolves CVE-2016-7199 and CVE-2016-7209
  • MS16-135 for Windows resolves CVE-2016-7255 (which has already been exploited)
  • MS16-142 for Internet Explorer resolves CVE-2016-7199

Google Chrome went to beta last Wednesday. That along with another Flash Player update means we should expect a Chrome update in the foreseeable future. There is a chance it will come tonight, but it’s more likely to come in the next week. As always you will want to be sure that you have updated Chrome to support the latest Flash Player Plug-In.

If you have not already done so, you will want to make sure to include the Oracle updates from their Q4 CPU that released in October. This included a Critical Java JRE update as well as many other Oracle products.

November also marks the second month of the new servicing model. Here is what you should expect for actual packages to be deployed this month.

The Security Only Bundle (SB16-002) will include the following bulletins: MS16-130, MS16-131, MS16-132, MS16-134, MS16-135, MS16-137, MS16-138, MS16-139, MS16-140 and MS16-142.

The monthly rollup (CR16-002) will include the following bulletins in addition to quality fixes and previous months’ updates: MS16-130, MS16-131, MS16-132, MS16-134, MS16-135, MS16-137, MS16-138, MS16-139, MS16-140 and MS16-142.
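The prioritization rule described above (exploited first, then publicly disclosed) can be applied mechanically to the bulletin and bundle lists quoted in this post. The following is an added example, not Shavlik's tooling; the scoring weights and function names are assumptions, and per-bulletin severity is left out because the post does not list it.

```python
from collections import defaultdict

# Facts copied from this post. Weights and names below are illustrative assumptions.
EXPLOITED = {"CVE-2016-7255", "CVE-2016-7256"}            # the two zero days
DISCLOSED = {"CVE-2016-7199", "CVE-2016-7209", "CVE-2016-7255"}
BULLETIN_CVES = {                                         # only CVEs named in the post
    "MS16-129": ["CVE-2016-7199", "CVE-2016-7209"],
    "MS16-132": ["CVE-2016-7256"],
    "MS16-135": ["CVE-2016-7255"],
    "MS16-142": ["CVE-2016-7199"],
}
# SB16-002 and CR16-002 list the same bulletins this month.
BUNDLED = {"MS16-%d" % n for n in (130, 131, 132, 134, 135, 137, 138, 139, 140, 142)}


def score(bulletin):
    """Exploited in the wild outranks public disclosure; both together rank highest."""
    cves = BULLETIN_CVES.get(bulletin, [])
    exploited = any(c in EXPLOITED for c in cves)
    disclosed = any(c in DISCLOSED for c in cves)
    return 2 * exploited + disclosed


def triage():
    """Every bulletin named in the post, highest risk first."""
    rows = [{"bulletin": b, "score": score(b), "in_bundle": b in BUNDLED}
            for b in set(BULLETIN_CVES) | BUNDLED]
    return sorted(rows, key=lambda r: (-r["score"], r["bulletin"]))


def shared_cves():
    """CVEs fixed by more than one bulletin: one patch alone does not close them."""
    seen = defaultdict(list)
    for bulletin, cves in BULLETIN_CVES.items():
        for cve in cves:
            seen[cve].append(bulletin)
    return {c: sorted(bs) for c, bs in seen.items() if len(bs) > 1}


def priority_outside_bundles():
    """Raised-priority bulletins that neither bundle list above includes."""
    return [r["bulletin"] for r in triage() if r["score"] > 0 and not r["in_bundle"]]


if __name__ == "__main__":
    for row in triage():
        print(row)
    print("shared:", shared_cves())
    print("needs separate tracking:", priority_outside_bundles())
```

MS16-129 is flagged because it is absent from both bundle lists quoted above, so its deployment has to be tracked separately from SB16-002 and CR16-002.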

As always, we will be running our monthly Patch Tuesday webinar where we will go deeper into the bulletins released and recommendations to prioritize what updates need to be put in place sooner than others. Make sure to sign up for the November Patch Tuesday webinar to catch playbacks of previous months and get access to our infographics and presentations to give you the information you need going into your monthly maintenance. www.shavlik.com/Patch-Tuesday

 

November Patch Tuesday Forecast


Since October Patch Tuesday there has been a lot of activity: Oracle released their quarterly CPU including an update for Java JRE, and Adobe resolved a Zero Day in Flash Player. This post also covers our tip of the month and a quick look at what to expect next week as Patch Tuesday hits.

On the Horizon

This is actually more of a continuation from last month. On October 17th Oracle released their quarterly CPU including an update for Java JRE resolving seven vulnerabilities. All seven are remotely executable without the need for authentication and three of these have a CVSS score of 9.6. Java was actually on the lower end of total vulnerabilities addressed in an individual Oracle product for this CPU. Be sure to include this update in your November testing if you have not already deployed it.

Later in the month Adobe released a Critical Update for Flash Player resolving a Zero Day vulnerability (CVE-2016-7855). On October 26th Adobe released the update for Flash Player (APSB16-36) which started the clock for all the other vendors using the Adobe Flash Plug-In. When a Flash update occurs the plug-ins for Internet Explorer, Firefox, and Chrome also need to be updated.

Firefox uses the NPAPI version of Flash, which was also released on the 26th. The update for Flash for IE (MS16-128) was released on October 27th, plugging the Flash vulnerability. Google Chrome has two install options for Flash, one of which relies on Chrome updating. If you are using the Pepper Plug-In, it was released on October 26th. If you are using the traditional plug-in, this requires Google Chrome to be updated, which occurred on November 1st.

In October, Microsoft changed their servicing model for pre-Windows 10 systems. I covered this extensively in a previous blog post, but there is a little ambiguity with Server 2016’s servicing model options. In a blog post from Microsoft they talk about a Security Only and a Security Quality option each month. This statement specifically caused several people to ask me some questions about how exactly Microsoft is handling updates on Server 2016.

“You can then have the flexibility to choose the security only update, or the quality update to build your patch management strategy around.”

The reality right now is that Server 2016 updates are exactly like Windows 10: cumulative bundles that include all updates that came before. It will be interesting to see if a Security Only option does make itself available in November or sometime in the near future. I expect a number of Microsoft customers would appreciate Security Only as an option for Server 2016.

Patch Management Tip of the Month

Exceptions: You can never push all patches. There is always an update that will conflict with business-critical apps, which causes exceptions. Documenting these exceptions and the reason they occurred is very important, but documenting an exception is just the beginning.

With each exception you are increasing risk. Each exception is an exposure that will potentially allow malware or ransomware into your environment, or allow a threat actor to gain a foothold or move closer to proprietary information or user data. With an exception you should also identify mitigating steps to reduce the risk. This may come in many forms, but here are some examples:

  • Least Privilege Rules will often mitigate the impact if an attacker is able to exploit a vulnerability. If you take a look at our Patch Tuesday infographics on our Patch Tuesday page you will see a column labeled “Privilege Management Mitigates Impact”. These vulnerabilities will only give the attacker the same rights as the user who is exploited. If that user is a full Administrator, the attacker gains pretty much full access to the system. If the user is running with reduced privileges, then the attacker must use an escalation of privilege vulnerability to gain sufficient permissions to do more.
  • Application Control will allow you to control what applications can be installed or run on a system and can effectively block most malware, ransomware, and other forms of attack. Application control can take many forms, like Whitelisting or Blacklisting. These would be static application controls. More dynamic forms would include Trusted Ownership or Trusted Vendor rules. These are significantly easier to implement and maintain and also allow you to more easily roll out an effective Application Control Policy. The dynamic approaches are less commonly found, but we have a solution that can help there.
  • Containerization can effectively contain the more highly vulnerable user experiences, like browsing the web and accessing email. Anything that occurs during these user experiences happens in a virtual container. If you have an exception on the system that is exposed by a phishing attack or drive-by download, the malicious payload, whether a malvertising attack, ransomware, or some other form of malware, would execute in the container and be separated from the physical system. Close the container (browser, email, etc.) and the threat goes away.

There are many other strategies to keep exceptions from exposing too much risk, like moving the sensitive application into a virtual environment and locking down access to that system to only required users, but this gives you some ideas. With every exception we recommend documenting the reason why it was made and the additional steps taken to reduce risk to the system.

Your Patch Tuesday Forecast

We are less than a week away from Patch Tuesday and as you can see there is a significant buildup of issues to deal with already. I would forecast that the 3rd party front is going to be lighter than normal for Patch Tuesday and we can expect an average workload from Microsoft on the order of ten or so bulletins total being released.

As always, join us for our Monthly Patch Tuesday Webinar next Wednesday, November 9th, as we delve deeper into the bulletins and vulnerabilities resolved on Patch Tuesday.

Latest Updates for macOS Sierra and more…

Early last week Apple released update 10.12.1 for macOS Sierra, Security Update 2016-002 for El Capitan, and Security Update 2016-006 for Yosemite. Updates were also released for Safari (10.0.1) and iOS (10.1.1). These updates were released just in time for an Apple-hosted Mac-centric product event.

With update 10.12.1 for macOS Sierra being the first update available to Sierra since it was released, there are a number of fixes included for some of the most pressing issues identified in this latest operating system. Here are some of the fixes that are available with the 10.12.1 macOS Sierra:

  • An automatic smart album in Photos for Depth Effect images taken on iPhone 7 Plus
  • Improved compatibility between Microsoft Office and iCloud Desktop and Documents
  • Improved security and stability in Safari
  • Improved reliability of Auto Unlock with Apple Watch
  • Fixed issue where mail was prevented from updating when using a Microsoft Exchange account
  • Fixed issue where text was sometimes pasted incorrectly when using Universal Clipboard

macOS Sierra/El Capitan/Yosemite

macOS Sierra 10.12.1 includes fixes for 14 vulnerabilities, 2016-002 El Capitan includes fixes for 8 and 2016-006 Yosemite includes fixes for 5.

Many of the vulnerabilities relate to escalation of privilege, arbitrary code execution, and information disclosure. Some of the more interesting vulnerabilities include:

  • CVE-2016-4661: An application may be able to cause a denial of service.
  • CVE-2016-4675: a libxpc component vulnerability where a local application may be able to execute arbitrary code with root privileges.
  • CVE-2016-4669: A local user may be able to cause an unexpected system termination or arbitrary code execution in the kernel.

These examples are noteworthy because they are often used as the starting point to exploiting a system through social engineering. Once the hacker has access, the other vulnerabilities may be useful to gain additional access or information.

Safari 10.0.1

This update includes fixes for 4 vulnerabilities, all of which address the issue where processing malicious web content may lead to arbitrary code execution.  Since these vulnerabilities have to do with users visiting bad websites or web ads which may result in running malware, this update should be applied on all systems.

iOS 10.1.1

This update includes fixes for 17 vulnerabilities, one of which was just added today. These vulnerabilities span issues from arbitrary code execution to the leaking of sensitive user information.

Summary

It is highly likely that additional fixes will be added to the iOS update in the upcoming days. You can also expect to see a macOS Sierra 10.12.2 update released to the general user base real soon since the macOS Sierra 10.12.2 update is already in beta.