Operation Don’t Cry – Part 1

Got Some Critical News to Share…

The Situation

Yesterday (May 14) Microsoft issued a global warning about a Monster Computer Bug. This article aims to get into some of the details about why this could be very important to your business and includes some steps you should take to prepare and protect your environment ahead of the expected volumes of attempted exploits of this vulnerability.

Microsoft’s bug is among three very high-profile computer-security alerts issued just this week, alongside Cisco’s massive router bug (a global warning) and Intel’s ZombieLoad chip bug (which affects nearly every Intel chip manufactured since 2011). The flaw mainly affects older systems such as Windows 7 and Windows Server 2008. Microsoft is even issuing an update for affected, end-of-life operating systems including Windows XP and Server 2003.

Microsoft views this vulnerability so critically that it warned unpatched systems are “highly likely” to be exploited by malicious software similar to the WannaCry worm. Any “future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe,” Microsoft said Tuesday in a blog post.

You remember how WannaCry spread across the globe two years ago, right?

WannaCry spanned 150 countries, crippled over 100,000 businesses (infecting several hundreds of thousands of systems), and amassed an estimated $4 billion in damages.

Nobody wants a repeat of WannaCry, and we can prevent it by taking immediate action.

“Fortunately, Windows 10 and Windows 8 are not affected by the flaw,” Microsoft said.

The Important Stuff

This is a Remote Code Execution vulnerability, CVE-2019-0708, in Remote Desktop Services (formerly known as Terminal Services) that affects older versions of Windows. The Remote Desktop Protocol (RDP) itself is not vulnerable. The vulnerability, however, is reachable before authentication (pre-authentication) and requires no user interaction. In other words, it is ‘wormable’: any future malware that exploits it could propagate from vulnerable computer to vulnerable computer just like WannaCry.

A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests.

This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

  1. To exploit this vulnerability, an attacker would need to send a specially crafted request to the target system’s Remote Desktop Service via RDP.
  2. The update addresses the vulnerability by correcting how Remote Desktop Services handles connection requests.

What Spyglass Is Doing to Stay Ahead

Spyglass is the Security and Compliance Solutions team at Catapult. We work with our Managed Services teams, Solution Practice Leaders, Communities of Practice, and partners to collaborate on security solutions, provide remediation assistance, and, in this case, share knowledge so that warnings of emerging threats are heeded proactively, all in order to protect our clients. Below are a few practical tips you can follow to reduce your chances of being compromised through this particular vulnerability:

1 – Use Complex Passphrases and MFA

Use strong passphrases and multi-factor authentication on any account with access to Remote Desktop. This should be mandatory before Remote Desktop is enabled for admins and/or users. There are advanced capabilities for both passwords and MFA that can be leveraged, including password-less strong authentication and conditional multi-factor, but this article is designed to generalize an approach for all.

2 – Limit users who can log in using Remote Desktop

By default, all Administrators can log in to Remote Desktop. If you have multiple Administrator accounts on your computer, you should restrict remote access to only those that need it. If Remote Desktop is not used for system administration, remove all administrative access to RDP and only allow user accounts requiring RDP service.

To control access to the systems even more, using “Restricted Groups” via Group Policy is also helpful.

3 – Patch Your Systems

Apply all security patches and updates from Microsoft Updates.  Please check out the companion article “Operation Don’t Cry – Part 2” written by my colleague Cameron Fuller for some important advice and tips related to patching.

4 – Upgrade Your Operating Systems

Again, check out Cameron’s article for tips and details on migrating your environment to up-to-date operating systems. Sure, we get it; everything is time consuming and migrations can be complex. That’s where Catapult Launch can help you. However, it should be intuitively obvious by now that nobody should be running operating systems that are no longer supported (Windows XP, Vista, Windows Server 2003, etc.).

5 – Don’t Need RDP? Then Why Not Shut It Off.

Although Windows Remote Desktop is useful, bad actors can attempt to exploit it to gain control of your system, install malware, or exfiltrate sensitive information. It’s a good idea to keep the feature turned off unless you need it; it is easy to disable, and you should disable it unless you need the service. Our partners (such as 1E) create some powerful security solutions that Catapult and our clients leverage to enable services “just in time”. 1E’s Tachyon solution, for example, can disable a service across your enterprise and enable it only when it is needed.

6 – Set an Account Lockout Policy

Configure your systems to lock an account for a period of time after a number of incorrect logon attempts. This prevents bad actors from using automated password-guessing tools to gain access to your system.

7 – Change the Listening Port for Remote Desktop

Changing the listening port will help to “obfuscate” Remote Desktop from attackers who are scanning the network for computers listening on the default Remote Desktop port (TCP 3389). While obfuscation is not really considered a reliable security technique, changing the RDP port can offer some protection against automated, unsophisticated drive-by worm attacks.
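One way to check where a host stands on tips 2, 5, 6 and 7 before the worm traffic arrives, as an added PowerShell audit helper that is not code from the original post or from Catapult. It assumes an elevated session on the local Windows host, uses the standard Terminal Server registry values and the built-in net commands, and only changes anything when one of its two switches is given.

```powershell
# Added audit/hardening helper (not from the original post).
# Reports the RDP-related settings from tips 2, 5, 6 and 7 on the local host.
# Assumes an elevated PowerShell; read-only unless -SetLockout or -DisableRdp is given.
param(
    [switch]$SetLockout,   # apply the tip 6 lockout policy
    [switch]$DisableRdp    # apply tip 5; run from a console session, not over RDP
)

$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdp = "$ts\WinStations\RDP-Tcp"

# Get-WmiObject still works on PowerShell 2.0 (Windows 7 / Server 2008)
$os = Get-WmiObject Win32_OperatingSystem
# NT versions of the OS lines named above: XP 5.1, 2003 5.2, Vista/2008 6.0, 7/2008 R2 6.1
$legacy = $os.Version -match '^(5\.[12]|6\.[01])\.'
"OS: $($os.Caption) $($os.Version)  affected OS line: $legacy"

# Tip 5: fDenyTSConnections = 1 means Remote Desktop is switched off
$deny = (Get-ItemProperty -Path $ts).fDenyTSConnections
"Remote Desktop enabled: $($deny -ne 1)"

# Tip 7: listening port; the default TCP 3389 is what drive-by scanners look for
$port = (Get-ItemProperty -Path $rdp).PortNumber
"RDP listening port: $port$(if ($port -eq 3389) { ' (default)' })"

# Tip 2: local groups allowed to log in over RDP (Administrators always can)
function Get-GroupMembers([string]$Group) {
    # net localgroup prints six header lines, then one member per line
    net localgroup $Group | Select-Object -Skip 6 |
        Where-Object { $_ -and $_ -notmatch '^The command completed' }
}
"Remote Desktop Users: $((Get-GroupMembers 'Remote Desktop Users') -join ', ')"
"Administrators:       $((Get-GroupMembers 'Administrators') -join ', ')"

# Tip 6: current lockout settings (threshold 'Never' means no lockout at all)
net accounts | Select-String 'Lockout'

if ($SetLockout) {
    # lock the account for 30 minutes after 5 bad logons within a 30-minute window
    net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30
}
if ($DisableRdp) {
    Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 1
    "Remote Desktop disabled; set fDenyTSConnections back to 0 after patching if it is needed"
}
```

Run it read-only first across the hosts in scope; the "affected OS line" flag combined with "Remote Desktop enabled: True" and the default port is the combination to prioritise for patching.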

8 – Implement Windows Defender Advanced Threat Protection (WDATP)

While Windows 10 is not affected by this particular bug, Windows Defender ATP provides strong protection against unknown attack types (zero-days), malicious payloads, and even payload-less malware. What if a server in your environment were compromised via the vulnerability cited here, and the bad actor used a zero-day attack to exfiltrate your data or deploy a unique ransomware? Then Windows Defender ATP might be the last line of defense.

9 – Call Us to Assist

Never hesitate to contact Catapult if you need assistance. We are here to help.


Till next time,
