Vulnerability Management news and publications #2. Hello everyone! This is the second episode of Vulnerability Management news and publications. In fact, this is a collection of my posts from the avleonovcom and avleonovrus telegram channels. Therefore, if you want to read them earlier, subscribe to these channels.
The main idea of this episode. Microsoft is a biased company. In fact, they should now be perceived as another US agency. Does this mean that we need to forget about Microsoft and stop tracking what they do? No, it doesn’t. They do a lot of interesting things that can at least be researched and copied. Does this mean that we need to stop using Microsoft products? In some locations (you know which ones) for sure, in some we can continue to use such products if it is reasonable, but it’s necessary to have a plan B. And this does not only apply to Microsoft. So, it’s time for a flexible approaches. Here we do it this way, there we do it differently. It seems that rather severe fragmentation of the IT market is a long-term trend and it’s necessary to adapt to it.
Alternative video link (for Russia): https://vk.com/video-149273431_456239097
What’s in this episode:
- Microsoft released a propaganda report, what does this mean for us?
- Microsoft released the Autopatch feature, is it a good idea to use it?
- Ridiculous Vulnerability: Hardcoded Password in Confluence Questions
- The new Nessus Expert and why it’s probably Tenable’s worst release
- Rapid7 Nexpose/InsightVM features added in Q2 2022: what’s good and what’s weird
- Palo Alto: Malicious scan 15 minutes after CVE is released. Oh really?
- 6 groups of vulnerabilities that are most often used in attacks, according to Palo Alto, and the end of IT globalization
Microsoft released a propaganda report, what does this mean for us?
Let’s start with the most important topic. Microsoft released a propaganda report about the evil Russians and how they (Microsoft) defend one well-known country. I usually avoid such topics, but in this case, I just can’t.
- Most of the report is “water” and unproven “highly-likely” stuff. It’s boring to read. More than half of the report is not about cyber attacks at all, but about propaganda/disinformation “attacks” in media, social networks, etc. With strange historical digressions. For example, they give a photo of some article from an Indian newspaper of the 1980s and write that this publication was organized by the KGB. I’m not kidding, look at page 12.
- On the other hand, the most important thing in this report is not what is written, but who released it. It’s not mainstream media, it’s not a government agency like the NSA or CIA, it’s Microsoft – a global IT vendor that should, in theory, be more or less neutral. And now they are releasing such reports! If you still believe Microsoft is a non-government commercial company, look through this report. This position is the most official, the foreword was written by the current president of Microsoft.
- From a technical point of view, it is interesting that the state IT infrastructure was transferred to the cloud and Microsoft technologies (Defender for Endpoint?) were used to protect it. Almost all technical information is on the 9th page of the report.
- They write about 2 important security options. The first is that Microsoft made a free Vulnerability Management for them. “The first has been the use of technology acquired from RiskIQ that identifies and maps organizational attack surfaces, including devices that are unpatched against known vulnerabilities and therefore are the most susceptible to attack.” It’s not entirely clear how they did it. They could just connect hosts to Defender for Endpoint. But perhaps they massively activated the collection of data from hosts in some other way.
- The description of the second protection option hints at the existence of a such non-standard methods: “MSTIC recognized that XXX malware could be mitigated meaningfully by turning on a feature in Microsoft Defender called controlled folder access. This typically would require that IT administrators access devices across their organization, work made more difficult and potentially even dangerous in ZZZ conditions. The YYY government therefore authorized Microsoft through special legal measures to act proactively and remotely to turn on this feature across devices throughout the government and across the country.” And here it is not so important that Microsoft set up controlled folder access, it is important how they did it. It turns out that MS can massively remotely tweak security options if the government of a certain country has allowed them to do so. Wow! And what else can they do, on which hosts and under what conditions?
- The main concern, of course, is that Microsoft products, including cloud-based security services, are still widely used in Russian organizations. And not only in Russia, but also in other countries that have some disagreements with US policy. Such publications confirm that Microsoft is a highly biased and unstable IT vendor, and something needs to be done about it quickly.
And it would be fair to ask: “Weren’t you, Alexander, promoting Microsoft’s security services? And now you’ve turned against them?” 🤔
And it’s easy to point to some posts from my blog:
- Microsoft security solutions against ransomware and APT (the best business breakfast I’ve ever had – the catering was top notch 👍)
- Microsoft Defender for Endpoint: Why You May Need It and How to Export Hosts via API in Python
- Getting Hosts from Microsoft Intune MDM using Python
- How to get Antivirus-related Data from Microsoft Defender for Endpoint using Intune and Graph API
- Microsoft Defender for Endpoint: The Latest Versions of Antivirus Engine & Signatures
It’s paradoxical, but I don’t have a post about exporting vulnerabilities from Defender for Endpoint. 🙃 I was going to make a post about it, but there were always more important topics. 🙂
What can I say. I still think that Defender for Endpoint is a cool and user-friendly solution. Although sometimes it may be buggy. I also think it’s logical to use your OS vendor’s security services. Just because you already have complete trust in your OS vendor. Right? Аnd other OS vendors should provide security services, as Microsoft does. But the question is what to do if it has become very difficult to trust your OS vendor? To put it mildly.
Not to say that I did not write about such risks at all:
“It will be a difficult decision to store this critical data in Microsoft cloud. Even with Microsoft’s guarantees that all the data is stored securely and they touch it with AI only.”
But of course this was not enough. And 5 years ago, things looked very different.
¯_(ツ)_/¯
Microsoft released the Autopatch feature, is it a good idea to use it?
Continuing the topic of Microsoft security services. In mid-July, Microsoft released the Autopatch feature for Windows 10/11 with Enterprise E3 and E5 licenses (not regular, but more expensive licenses). Also Hybrid Azure Active Directory must be configured. But if everything is purchased and configured properly, then updates for MS products, drivers and other software (in perspective) can be automatically installed from the MS cloud. And it will be more often than once a month. And in the correct way. If you install all updates on all hosts at the same time, there will be a high risk of mass failures. Therefore, patches will be installed gradually. If a failure is detected, the system administrator will be able to react and roll back the problematic patch.
“The ‘test ring’ contains a minimum number of devices, the ‘first ring’ roughly 1% of all endpoints in the corporate environment, the ‘fast ring’ around 9%, and the ‘broad ring” the rest of 90% of devices.
The updates get deployed progressively, starting with the test ring and moving on to the larger sets of devices after a validation period that allows device performance monitoring and pre-update metrics comparison.
Windows Autopatch also has built-in Halt and Rollback features that will block updates from being applied to higher test rings or automatically rolled back to help resolve update issues.”
Is it convenient? Yes, of course it’s convenient. Is it dangerous? Well, it depends on trust in the vendor, faith in vendor’s stability and security. Speaking of Microsoft, this can be very controversial for many organizations in many locations. 😏
But in general, along with Defender for Endpoint (EDR, VM) and Intune this Autopatch feature looks like a step in the right direction for the OS vendor. At least if we’re talking about desktops. If you trust your OS vendor, it makes sense to trust that vendor’s services to make life easier for system administrators and security guys. I don’t know if vendors of commercial Linux distributions, including Russian ones, are thinking about this, but it seems it makes sense to take such concepts from MS.
On the other hand, such Autopatch is not a panacea of course. Everything is not so trivial with updating third-party software. But MS seems to have a lot of resources to gradually move in this direction. Vulnerability detection for third-party software in Defender for Endpoint works quite well, which is also not an easy task. Therefore, I think they will be able to update such software in future. If Qualys can, then MS will handle this as well.
Ridiculous Vulnerability: Hardcoded Password in Confluence Questions
There has been a lot of news about Confluence vulnerabilities this week. Atlassian has released three of them.
CVE-2022-26136 & CVE-2022-26137: Multiple Servlet Filter vulnerabilities (Authentication bypass, XSS, Cross-origin resource sharing bypass). Many Atlassian products are vulnerable. Not only Confluence and JIRA, but also Bitbucket for example. Everything is clear here, such installations need to be patched. And, ideally, it’s time to stop using Atlassian products if you live and work in certain locations, because this vendor is unstable.
CVE-2022-26138: Hardcoded password in Confluence Questions. This vulnerability is now the most hyped and ridiculous. If you install the optional Confluence Questions app, this will create a disabledsystemuser user with a hardcoded password. And this user is not disabled! 🤡 The password is already publicly available. If you are logged in as this user, you can read the pages accessible by the confluence-users group. Well, isn’t it funny? 🙂 This can be fixed by patching or blocking/deleting the user.
What can be said here:
- Plugins and extensions are evil and usually the most vulnerable. Try to avoid them.
- This is how backdoors in software can look like. The exploitation is very simple, and the vendor can always say that “oh, sorry, that was a bug”.
- Those who make Confluence and similar services available on the network perimeter are their own enemies.
The new Nessus Expert and why it’s probably Tenable’s worst release
Tenable introduced Nessus Expert. They have Nessus Professional, and now there will be Nessus Expert with new features:
- Infrastructure as Code Scanning. In fact, they added Terrascan (acquired this year) to Nessus. So far, it looks very sloppy. This is a separate independent tab in the menu and scan results cannot be viewed in the GUI and can only be downloaded as Json file.
- External attack surface scanning. They took these features from Bit Discovery (also acquired this year). You can run a scan that will look for subdomains for a domain. But only for 5 domains per quarter. If you want more, you need to pay extra. Not to say that this is some kind of exclusive feature. The results can be viewed in the GUI. But that’s all. There is no synergy with the usual functionality of Nessus.
The press release recalls how Renaud Deraison released first Nessus 24 years ago. But under him, and even more so under Ron Gula, there were no such terrible releases with freshly bought functionality, attached to the main product “with blue electrical tape”. And such a Frankenstein monster could never be presented as a new product. Sadness and marketing. Let’s see if it gets better with time.
Rapid7 Nexpose/InsightVM features added in Q2 2022: what’s good and what’s weird
I looked at the new features in Rapid7 Nexpose/InsightVM added in Q2 2022. Some changes are like “OMG, how did they live without it?!”
They just added support for CVSS v3 severity in dashboards. CVSS v3 was released in June 2015. CVSS v3 data has been available in NVD since 2017. And now, 5 years after that, Rapid7 decided to take into account these data as well? Well, ok.
Or that they used to have such weird patching dashboards that progress on the Remediation Project was only visible when the patches were applied to all assets. And now it’s better: “Yes, this means customers no longer have to wait for all the affected assets to be remediated to see progress”. Indeed, better late than never.
Rapid7 just added support for AlmaLinux and Rocky Linux. Although stable versions of these distributions appeared more than a year ago and are already actively used in enterprise businesses as a replacement for CentOS. It turns out that Rapid7 clients have just now got the opportunity to scan these distributions.
Rapid7 use the term “recurring coverage” for supported software products. And they have a public list of such products. “The following software list encompasses those products and services that we are specifically committed to providing ongoing, automated coverage”. The list is not very big, but it’s cool that it’s public.
On the other hand, there are cool features. At least one, Scan Assistant. This feature was introduced in December last year, but now it has been improved. This is an agent that does not collect or analyze data, but is only needed for authentication. It solves the problems of using system accounts for scanning, which can be very risky if the scanner host or one of the targets is compromised. This way you can install Scan Assistant on hosts and Vulnerability Scanner will authenticate to hosts using certificates rather than real system accounts.
“Scan Assistant, a lightweight service deployed on an asset that uses digital certificates for handshake instead of account-based credentials; This alleviates the credential management headaches VM teams often encounter.”
This is a cool and useful feature. As far as I know, other VM vendors do not have this. In Q2, Rapid7 added some automation for updating this Scan Assistant and rotating certificates. It’s cool that the functionality is evolving. But for now, it’s only for Windows.
And there are updates that did not cause any special emotions in me. These are, for example, Asset correlation for Citrix VDI instances and vulnerability detection for Oracle E-Business Suite and VMware Horizon. They added and it’s good.
Palo Alto: Malicious scan 15 minutes after CVE is released. Oh really?
The “Palo Alto 2022 Unit 42 Incident Response Report” makes the amusing claim that attackers typically start scanning organizations’ perimeters for vulnerabilities 15 minutes after a CVE is published.
Just like this:
“The 2021 Attack Surface Management Threat Report found that attackers typically start scanning for vulnerabilities within 15 minutes of a CVE being announced.”
They do not write how exactly they got these 15 minutes. Or I didn’t find it. But apparently they could detect attempts to exploit some specific vulnerabilities. They could use honeypots or IDS for this. And then they could get the difference between the timestamp for exploitaition and the timestamp for vulnerability publication.
There is an example that 5 days after some vulnerability was published, they released a detection signature. And in 10 hours, they collected two and a half thousand attempts to exploit this vulnerability.
“For example, Palo Alto Networks released a Threat Prevention signature for the F5 BIG-IP Authentication Bypass Vulnerability (CVE-2022-1388), and within just 10 hours, the signature triggered 2,552 times due to vulnerability scanning and active exploitation attempts”.
It’s cool of course. But still, the signature was not released immediately. Therefore, it is difficult to say exactly when the malicious scans began.
But that’s not the point. It is not so important whether the scans really start after 15 minutes or some time later. The fact is that attackers monitor the news flow about vulnerabilities. And the fact that they are motivated to scan your perimeter more often than you. And they are motivated to use non-standard checks for this. Not just the ones in your commercial vulnerability scanner.
Therefore, there are only two options. You can compete in speed with attackers. Or you may know and control your perimeter far better than any outside researcher can. This means that you must understand why a particular service is needed on the perimeter. And whenever possible, try to minimize the number of such services as much as possible. For such services, you should specifically monitor security bulletins and start responding even before detection checks appear in vulnerability scanners. And of course before the media starts screaming about this vulnerability.
Of course, it’s easier said than done.
6 groups of vulnerabilities that are most often used in attacks, according to Palo Alto, and the end of IT globalization
In the same “Palo Alto 2022 Unit 42 Incident Response Report” there is one more interesting point. Groups of vulnerabilities that were most often used in attacks. “For cases where responders positively identified the vulnerability exploited by the threat actor, more than 87% of them fell into one of six CVE categories.”.
CVE categories:
- 55% Microsoft Exchange ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207)
- 14% Log4j
- 7% SonicWall CVEs
- 5% Microsoft Exchange ProxyLogon (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)
- 4% Zoho ManageEngine ADSelfService Plus (CVE-2021-40539)
- 3% Fortinet CVEs
- 13% Other
On the one hand, this can be used to prioritize vulnerabilities. And also to identify software and software groups that need special monitoring. I would also like to look at the vulnerabilities in the Other category. But unfortunately they are not included in the report.
On the other hand, it shows how all these vulnerabilities and incidents depend on a particular region. Well of course Microsoft Exchange is used everywhere. Log4j has also affected almost every organization in one way or another. Perhaps in our region, I mean in Russia, some organizations use Fortinet. But SonicWall and Zoho look absolutely exotic. And in those locations where Unit 42 solves incident response cases, these are very important vendors and products.
Or we can remember last year’s story with Kaseya VSA. Thousands of companies have been affected by the ransomware. But again, it was not in our region and therefore it was not particularly interesting for us.
Taking into account the exodus of Western vendors from the Russian IT market, the landscapes “here” and “there” will differ more and more. More and more incidents in Russia, will occur due to vulnerabilities in our local software. In software that Western information security vendors may never have heard of. BTW, have you heard about 1C (Odin-Ass 😅)? And it works both ways. Does this mean that in Russia, we will need Vulnerability Management solutions focused on our Russian IT realities? Well apparently yes. And something tells me that this will not only happen in Russia.
It seems that the time of total globalization in IT is running out. And the ability of VM vendors to relatively easily take positions in new regions is also disappearing. The great fragmentation is coming. But it will be even more interesting that way. 😉
Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.
А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.
Pingback: Это второй выпуск Vulnerability Management news and publications | Александр В. Леонов