Five vulnerabilities dangerous for remote work


When moving employees to remote work, IT departments make various security mistakes that end up giving outsiders access to the internal infrastructure.

To begin with, we list the vulnerabilities that should be eliminated in your infrastructure quickly, so that in these difficult months you do not become easy prey for ransomware operators or financially motivated APT groups.

1. Since the end of February, the number of Internet-reachable nodes running the Remote Desktop Protocol (RDP) has been growing rapidly. Our monitoring shows that on average 10% of such nodes are vulnerable to BlueKeep (CVE-2019-0708).

BlueKeep allows an attacker to remotely gain full control of a computer running Windows 7, Windows Server 2008 or Windows Server 2008 R2 (has everyone long since moved to Windows 10 and can feel safe?). An attack requires only a specially crafted RDP request to a vulnerable Remote Desktop Services (RDS) instance; no authentication is needed.

As a rule, the faster the number of RDP nodes grows, the more vulnerable machines there are among them. For example, in the Urals Federal District the number of exposed nodes grew by 21%, and 17% of those systems are vulnerable to BlueKeep. Next come the Siberian (21% and 16% respectively), North-Western (19% and 13%), Southern (12% and 14%), Volga (8% and 18%), Far Eastern (5% and 14%) and Central (4% and 11%) federal districts.

Besides installing patches, eliminating BlueKeep and the similar CVE-2019-1181 / 1182 requires that remote access go through a gateway: Remote Desktop Gateway (RDG) for RDP connections, a VPN gateway for VPN. Connecting directly to the workstation from the Internet is contraindicated.

2. Newer versions of Windows also have vulnerabilities that let an attacker move through someone else's network by exploiting errors in Remote Desktop Services. These are CVE-2019-1181 / 1182, which a number of experts have named BlueKeep-2. We recommend that you check for, and if necessary install, the fresh patches, even if remote access on your network is already organized through RDG.

3. Bronze in our ranking of the most dangerous security problems goes to the vulnerability in Citrix software (CVE-2019-19781), identified by Positive Technologies expert Mikhail Klyuchnikov and unofficially nicknamed Shitrix because of the delayed updates and the public availability of an exploit. A month and a half after the first details were published, the vulnerability was still present in about 16 thousand companies. The flaw is extremely dangerous and allows an attacker to penetrate the local network from the Internet. It is used, in particular, by the operators of the Ragnarok and REvil / Sodinokibi ransomware.

4. Do not forget the older vulnerability in the remote desktop protocol, CVE-2012-0002 (MS11-065), which is still found on network perimeters. This flaw, discovered in 2012, is remembered for the leak of PoC code from one of Microsoft's MAPP partners and for accusations that a person alleged to be a GRU employee tried to buy an exploit for it.

5. Finally, it is worth paying attention to the error in the deserialization mechanism of PHP 7 (CVE-2019-11043). It also allows an unauthenticated user to execute arbitrary code. Nginx servers with PHP-FPM enabled (the FastCGI process manager for PHP scripts) are at risk. The flaw led to NextCloud cloud storage users being infected with NextCry.
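The exposure described in point 5 depends on how nginx hands requests to PHP-FPM. The following is an added example, not code from the original article or from the nginx or PHP projects: a small audit script that walks the location blocks of an nginx configuration and flags the shape that the CVE-2019-11043 write-ups describe as affected (PATH_INFO split off the URI and forwarded to FPM with no check that the script file exists). Both configuration snippets are constructed for the example; the guard it looks for (`try_files ... =404` or the equivalent `if (!-f ...)` test) is the mitigation nginx's own documentation recommends, while updating PHP (7.3.11, 7.2.24 or 7.1.33 and later) remains the actual fix.

```python
import re
from typing import List, Tuple

# Constructed sample (not a real server's config): PATH_INFO is split off
# the URI and passed to PHP-FPM without checking that the script exists.
VULNERABLE_LOCATION = r"""
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass 127.0.0.1:9000;
    include fastcgi_params;
}
"""

# Same block with the existence guard added before the request reaches FPM.
HARDENED_LOCATION = r"""
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    try_files $fastcgi_script_name =404;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass 127.0.0.1:9000;
    include fastcgi_params;
}
"""

# Accepted forms of the "script must exist" guard.
EXISTS_CHECKS = (
    re.compile(r"\btry_files\s+[^;]*=404\s*;"),
    re.compile(r"\bif\s*\(\s*!-f\s+\$document_root\$fastcgi_script_name\s*\)"),
)


def location_blocks(config: str) -> List[Tuple[str, str]]:
    """Split an nginx config into (header, body) pairs by matching braces."""
    blocks = []
    for m in re.finditer(r"location\b[^{]*\{", config):
        depth, i = 1, m.end()
        while i < len(config) and depth:
            if config[i] == "{":
                depth += 1
            elif config[i] == "}":
                depth -= 1
            i += 1
        header = config[m.start():m.end() - 1].strip()
        blocks.append((header, config[m.end():i - 1]))
    return blocks


def audit_php_fpm_config(config: str) -> List[str]:
    """Return headers of location blocks that forward PATH_INFO to FPM with no guard."""
    findings = []
    for header, body in location_blocks(config):
        body = re.sub(r"#[^\n]*", "", body)  # a commented-out guard does not count
        if "fastcgi_split_path_info" not in body:
            continue
        if not re.search(r"\bfastcgi_param\s+PATH_INFO\s+\$fastcgi_path_info", body):
            continue
        if any(guard.search(body) for guard in EXISTS_CHECKS):
            continue
        findings.append(header)
    return findings


if __name__ == "__main__":
    for name, cfg in [("vulnerable", VULNERABLE_LOCATION), ("hardened", HARDENED_LOCATION)]:
        print(name, "->", audit_php_fpm_config(cfg) or "no risky location blocks")
```

Run it against `nginx -T` output to cover included files as well; a non-empty result lists the location headers that should get the guard (and whose PHP version should be checked).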

A centralized update and patch management system will help automate the patching of corporate systems, and security assessment tools will help verify that no vulnerabilities remain.

Install updates on employees' PCs


It is impossible not to mention that many of the home PCs office employees have moved to only recently had the dust wiped off them, and they are a problem from an information security standpoint. In an ideal world it would be better not to grant access to personal computers at all, but to issue vetted, pre-configured corporate systems. Right now, though, there may not be enough laptops for everyone. Therefore it is necessary to organize a large-scale process of updating home PCs remotely so that they do not become an entry point for attackers.

First of all, it is important to update operating systems, office products and antivirus software. In addition, you need to warn employees about the dangers of using outdated browsers, such as unsupported versions of Internet Explorer. Before updating home computers, create a recovery point or make a backup of the system so that it can be rolled back in case of problems, such as yet another failed Windows 10 update.

As for password policy, we recommend using passwords of at least 12 characters for unprivileged accounts and at least 15 characters for administrative ones when connecting remotely. Combine several character types (lower-case and upper-case letters, special characters, digits) and exclude easily guessed passwords. According to our data, in 2019 48% of all passwords we cracked consisted of a word denoting a season or month followed by four digits for the year (September2019, or the Russian word typed on an English keyboard layout: Ctynz,hm2019). Such passwords formally comply with the password policy, but are guessed from dictionaries in a matter of minutes.
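The policy in the paragraph above (length per role, character classes, and a ban on "month or season + year" passwords, including the Russian word typed on an English keyboard layout) can be checked mechanically. The checker below is an added example, not code from the original article or from Positive Technologies: the role names `user` and `admin`, the rule that all four character classes must be present, the English and Russian month and season lists, and the Cyrillic-to-QWERTY key table are assumptions made for the example. It generalizes the article's two samples by deriving the layout-shifted spelling for every listed word rather than hard-coding `Ctynz,hm`.

```python
import re
import string
from typing import List

# Lengths from the article: 12+ characters for unprivileged accounts,
# 15+ for administrative ones. Role names are an assumption of this example.
MIN_LEN = {"user": 12, "admin": 15}

# Dictionary words the article warns about: month and season names
# (assumption: English and Russian; other languages can be appended).
MONTHS_EN = ["january", "february", "march", "april", "may", "june", "july",
             "august", "september", "october", "november", "december"]
SEASONS_EN = ["spring", "summer", "autumn", "fall", "winter"]
MONTHS_RU = ["январь", "февраль", "март", "апрель", "май", "июнь", "июль",
             "август", "сентябрь", "октябрь", "ноябрь", "декабрь"]
SEASONS_RU = ["весна", "лето", "осень", "зима"]

# Cyrillic letter -> key on a US QWERTY layout (standard ЙЦУКЕН positions),
# so that "сентябрь" typed with the layout left in English becomes "ctynz,hm".
RU_TO_QWERTY = dict(zip("йцукенгшщзхъфывапролджэячсмитьбю",
                        "qwertyuiop[]asdfghjkl;'zxcvbnm,."))


def layout_variants(word: str) -> set:
    """The word itself plus what it becomes when typed on a US layout."""
    word = word.lower()
    typed = "".join(RU_TO_QWERTY.get(ch, ch) for ch in word)
    return {word, typed}


DICTIONARY = set()
for w in MONTHS_EN + SEASONS_EN + MONTHS_RU + SEASONS_RU:
    DICTIONARY |= layout_variants(w)

# "<month-or-season><4-digit year>", e.g. September2019 or Ctynz,hm2019.
SEASON_YEAR_RE = re.compile(
    r"^(?:" + "|".join(re.escape(w) for w in sorted(DICTIONARY, key=len, reverse=True))
    + r")\d{4}$",
    re.IGNORECASE,
)


def check_password(password: str, role: str = "user") -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LEN[role]:
        problems.append(f"shorter than the {MIN_LEN[role]} characters required for {role} accounts")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in string.punctuation for c in password)
    if not (has_lower and has_upper and has_digit and has_special):
        problems.append("does not combine lower-case, upper-case, digits and special characters")
    if SEASON_YEAR_RE.match(password):
        problems.append("is a month/season name followed by a year: guessable from a dictionary")
    return problems


def is_acceptable(password: str, role: str = "user") -> bool:
    return not check_password(password, role)


if __name__ == "__main__":
    # Constructed samples, including the two quoted in the article.
    for pw, role in [("September2019", "user"), ("Ctynz,hm2019", "user"),
                     ("w9R#mZq2!tLp7", "user"), ("w9R#mZq2!tLp7", "admin")]:
        verdict = check_password(pw, role)
        print(f"{pw!r} ({role}): {'OK' if not verdict else '; '.join(verdict)}")
```

Note that `Ctynz,hm2019` passes the length and character-class rules (it even contains a special character) and is caught only by the dictionary pattern, which is exactly the article's point about passwords that formally comply with policy.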

In general, a hodgepodge of remote-control tools is harmful under current conditions: our advice is to choose one program and differentiate the rights of local users. It would also be correct to register allow-lists of permitted software on at least some remote computers, for example with Windows AppLocker.

Something should also be said about the problems that can accompany the organization of VPN access. IT specialists may not have time to reconfigure the equipment on short notice and give every VPN user the access they need without violating segmentation rules. As a result, to keep the business running, IT staff will be tempted to choose the fastest and simplest option: opening access to the required subnet not to one employee, but to all VPN users at once. This approach significantly lowers security and creates opportunities not only for an external attacker (if one manages to get in), but also significantly increases the risk of an attack by an insider. We recommend that you think through an action plan in advance to preserve network segmentation and allocate the required number of VPN pools.

Social engineering is already making full use of coronavirus stories, and we recommend that you familiarize employees with the new phishing themes. APT groups such as Gamaredon and Higaisa exploit stories about transfers, bans, cancellations and remote work, and attack employees' personal email addresses. Unknown attackers also sent a phishing mailing to our own company: the criminals tried to steal credentials. Employees must understand the severity of the threat and be able to distinguish legitimate mail from phishing. To this end, we recommend distributing brief visual training materials and memos on information security and social engineering. Dynamic analysis of attachments in corporate mail using sandboxes will help identify signs of phishing.

Attention should also be paid to electronic document management systems and ERP. Business applications that were previously reachable only from inside and were never assessed for vulnerabilities are now being actively exposed to the public, and the security level of those we have assessed was low. To protect mission-critical applications from web-based attacks, we recommend using application-layer firewalls (web application firewalls, WAF).

Availability and uptime play a key role these weeks, and many companies will not have time to eliminate perimeter vulnerabilities and fine-tune their security processes, so in some cases the focus will have to shift to detecting intruders who are already inside the infrastructure. For this, network traffic analysis (NTA) systems can be used: they are designed to detect targeted attacks, both in real time and in stored copies of traffic, and to shorten the time attackers remain hidden.