Threat Intelligence: Patching Exploits

Friday, Feb 14, 2020

BY: Team Nuspire

If you’re familiar with our blogs and webinars, you’ll notice that we consistently mention the importance of patching. During our recent webinar, we dove into our Q4 Threat Report and Year in Review and discussed some of the biggest threats of the year and our predictions for 2020. As we highlighted some of the most significant exploits of the year, we also discussed why patching is so critical. Take a look.

To watch the full webinar, click here.


Mike Devens: Anytime a vulnerability is announced, especially when it’s a real big severity one, it’s always a race to try to create that Metasploit module, trying to create a working proof of concept. And then if you’re a bad actor, infect as many devices as you can before the patches are rolled out. So that’s why we like to try to stick to defined patching windows, and test those patches before we release them into production. But when Windows is rolling out a patch for a major security vulnerability for operating systems they haven’t even supported for years, that’s when it’s really important to consider circumventing the normal approach for your patching and consider an emergency approach to get it in place fast. If you don’t patch quickly, someone out there is going to exploit it quickly.

Shawn Pope: I mean, even recently we started off 2020 in January with the Windows vulnerability for certificates being able to be spoofed. And again, Windows 7 end of life was January 14th, 2020, but again, they went out of the way to patch older systems for this because it was that bad. Basically, you could sign any type of executable as a Microsoft Windows executable if you wanted to. So, I haven’t seen anything related to it. I’ve seen some proof of concepts, but I haven’t seen anything really related to it being used in the wild, which is a good thing.

That brings it back to my next point. There was one more exploit I want to talk about, and that goes back to what you were saying: whenever a CVE is released, we usually see all kinds of spikes. I know in the Q4 threat report we highlighted vBulletin, which I think was a remote code execution vulnerability. We saw a ton of hits for that. And that’s just what you said. As soon as it’s released, here comes the proof of concept, here come people trying to figure it out. So, you see that, and we reflect that in our infections.

And the other one I want to talk about is something that’s always been really scary to me, and I’ve highlighted it a couple of times in our threat reports: BlueKeep. So, the vulnerability that exists in the Remote Desktop Protocol on Windows. That’s one where I know that we’ve seen a couple of things. I know there’s a working Metasploit module out there for it. They did hold that back for a while to give people time to patch for that. I was actually at the DerbyCon talk from Metasploit when they released that, which was pretty cool. But as I’m sitting around, I’m thinking this is going to be scary because everyone’s got access to it now. But we haven’t really seen it used that widespread yet. I know there was an attempt to rewrite the Metasploit module that was made, but it was actually causing the machines to bluescreen, so it was basically ineffective. They wouldn’t even be able to do any of the computers because their code was messed up to the point where it would bluescreen a machine. But it’s one that still scares me. It needs to be patched. There are obviously still vulnerable systems out there; RDP is widely used everywhere. I mean, you can go on Shodan.io and see thousands of RDP login screens. But the thing about that that scares me the most is that it could be wormable, and it’s been talked about multiple times in the past that if it were to be exploited successfully, even if it was on one system, its ability to worm throughout a network would be that of WannaCry. It could be widespread in a matter of days or minutes at that point. So that’s another one. Again, they’ve gone out of their way to release security patches for things they didn’t even support. Try and stay on top of these patches. I know it’s not easy, you can’t just roll out a patch without testing it in your environment to make sure it doesn’t break everything, but it’s something you want to keep in mind.

If you want to catch our full webinar, click here. Or, if you are interested in what our security team found in the fourth quarter of 2019, view our Q4 threat report and Year in Review here.