A cyber security researcher has released an exploit for the Windows Netlogon vulnerability (CVE-2020-1472) on GitHub. The exploit allows an attacker to take control of a Windows domain. It is highly recommended to install the patches as soon as possible, because Microsoft has rated this vulnerability critical with a 10/10 score. "An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network." More details and the Microsoft patches can be found here.
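As an added defender-side check (this is example code written for this page, not part of the original advisory or of Microsoft's own tooling), the script below inspects a domain controller for the two things Microsoft's August 2020 update for CVE-2020-1472 exposes: the NETLOGON events 5827 through 5831 that record vulnerable secure-channel connections being denied or allowed, and the FullSecureChannelProtection registry value that switches the DC into enforcement mode. The seven-day window is an arbitrary choice for the example; run it in an elevated PowerShell session on the DC.

```powershell
# Added example for the CVE-2020-1472 advisory above; not code from the original page.
# Requires an elevated session on a domain controller that has the August 2020 (or later) update.
#
# Event IDs written by NETLOGON to the System log after that update:
#   5827, 5828  vulnerable secure-channel connection DENIED (machine / trust account)
#   5829        vulnerable connection ALLOWED because enforcement mode is not yet on
#   5830, 5831  vulnerable connection ALLOWED by an explicit group policy exception
$lookbackDays = 7   # assumption for this example; tune to your review cadence
$since = (Get-Date).AddDays(-$lookbackDays)

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = 5827, 5828, 5829, 5830, 5831
    StartTime    = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No vulnerable Netlogon secure-channel events in the last $lookbackDays days."
} else {
    # 5829 is the one to act on first: those accounts still connect insecurely and will
    # break when enforcement mode is turned on unless they are patched or replaced.
    $events |
        Group-Object Id |
        Sort-Object Name |
        ForEach-Object {
            $meaning = switch ([int]$_.Name) {
                5827 { 'denied (machine account)' }
                5828 { 'denied (trust account)' }
                5829 { 'ALLOWED - enforcement mode not enabled' }
                5830 { 'allowed by policy (machine account)' }
                5831 { 'allowed by policy (trust account)' }
            }
            Write-Output ("Event {0}: {1,5} occurrences - {2}" -f $_.Name, $_.Count, $meaning)
        }

    # Show the most recent 5829 messages; they name the account that needs attention.
    $events |
        Where-Object Id -eq 5829 |
        Select-Object -First 10 TimeCreated, Message |
        Format-List
}

# Enforcement mode: FullSecureChannelProtection = 1 makes the DC deny all vulnerable
# connections regardless of the phased rollout schedule. Absent or 0 means not enforced.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$enforce = (Get-ItemProperty -Path $regPath -Name FullSecureChannelProtection -ErrorAction SilentlyContinue).FullSecureChannelProtection
if ($enforce -eq 1) {
    Write-Output 'FullSecureChannelProtection = 1: vulnerable Netlogon connections are denied.'
} else {
    Write-Output 'FullSecureChannelProtection not set to 1: DC is relying on the phased enforcement schedule.'
}
```

A DC that reports zero 5829 events over a full review period and FullSecureChannelProtection = 1 has closed the exposure this advisory describes; any 5829 entries identify the devices that still need the update before enforcement can be turned on without breaking them.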
Virtual patching should be considered an integral component of every organization's patch management strategy. Virtual patches not only protect against new threats but also provide effective coverage for scenarios such as the one discussed above, where an exploit is public before every system can be updated. With virtual patching, business-critical applications and data can be better secured, because a virtual patch quickly closes the window of exploit opportunity and thereby reduces the risk to the business by shutting down the avenue to exploitation. This lets organizations reduce their exposure to vulnerabilities across the board and scale their response and coverage with defenses that can be put in place within minutes or hours.
The transition to the teleworking / remote working model exposes users and companies to myriad security threats, including malware, all forms of phishing attacks, and many more. Ashco Systems' innovative and cost-effective cyber security solutions and services address remote worker scenarios with three primary levels of connectivity. If you have technical questions or need assistance, contact us at firstname.lastname@example.org.
CVE-2017-11151 is an Arbitrary File Upload vulnerability in Synology Photo Station, caused by insufficient sanitizing of user-supplied input in the application. A remote attacker may be able to exploit it to upload arbitrary files into specific directories, enabling further attacks and allowing remote attackers to bypass security features of vulnerable systems. The affected products are Photo Station before versions 6.7.3-3432 and 6.3-2967. Ashco Systems security experts recommend that customers update their vulnerable devices.
Winnti Group and the ShadowPad Backdoor – The Winnti Group is a sophisticated threat actor of Chinese origin that has been active for at least 10 years. It mainly focuses on the gaming industry but has expanded its range of targets over time. The group is motivated by both financial gain and espionage. Security researchers discovered that Winnti's infrastructure is growing rapidly: the group has compromised many environments and added new types of malware to its arsenal. The latest findings reveal a backdoor called xDll and new malware samples, including ShadowPad and Python backdoors. ShadowPad is also known as the backdoor used in the attacks on CCleaner and ASUS. The group is placing these backdoors on the computers of people who are working from home due to the COVID-19 pandemic.
Riskware/Lsadump Riskware/Mpacket Riskware/ReconTool
W32/APosT.JRH!tr W32/APosT.KCV!tr W32/APosT.KPI!tr W32/APosT.KXI!tr
W32/Agent.FBA!tr.dldr W32/Agent.MYTSMS!tr.bdr W32/Agent.UDE!tr
W32/Agentb.JQCO!tr W32/Androm.EGQQ!tr.bdr W32/Androm.RSPY!tr.bdr
W32/Backdoor!tr W32/Dllhijacker.BB!tr W32/Dloader.X!tr
W32/Generik.EFITIZG!tr W32/Inject.ALNQV!tr W32/Invader.D!tr
W32/PossibleThreat W32/Shadowpad.C!tr W64/Kryptik.BWC!tr
Our Research & Insights:
Whitepaper: Effective Cyber Security Strategies during the Covid-19 Pandemic
Whitepaper: The Essential Guide to Securing Remote Access
Secure DevOps: Learn how to make security integral to your DevOps process.
E-Book: Effective Security Strategies for DevOps & Application Services
E-Book: How to Build a Next Generation Security Operations Center