Introduction

Details of a critical vulnerability impacting Microsoft’s Exchange 2013 and 2016 servers were recently discovered and made public.  If successfully exploited, this vulnerability would allow an attacker to gain Domain Admin permissions within a company’s Active Directory infrastructure, which means nearly unrestricted access to every server, workstation and account in that domain, not just the compromised Exchange server.  At this time Microsoft has not released a patch for this vulnerability.  Tier1Net customers who have implemented Tier1Net’s Cisco Umbrella Secure DNS and/or Duo Authentication services have their exposure to this vulnerability greatly reduced, since both services make the initial mailbox compromise described below harder to achieve.

Technical Information

In order to successfully exploit this vulnerability an attacker would first need the credentials to any existing mailbox on a targeted Exchange server.  This can be accomplished via phishing attacks or credential stuffing, where an attacker uses breached credentials from one service to gain access to another.  Once an attacker has access to a mailbox they can chain three known weaknesses to elevate that account’s permissions to Domain Admin: the Exchange server’s own computer account holds far more privilege in Active Directory than it needs (including the right to change permissions on the domain object itself); Exchange can be asked, through the push-subscription feature of Exchange Web Services, to authenticate to a URL of the attacker’s choosing; and that NTLM authentication can be relayed to a domain controller’s LDAP service if LDAP signing is not enforced.  The attacker therefore also needs a listener on the network that the Exchange server can reach.  A Domain Admin has full control of the domain, not only of the Exchange server, and can reset any user’s password, create and delete mailboxes, and create further privileged accounts.

Steps Being Taken by Tier1Net

Due to Tier1Net’s expertise and emphasis on cybersecurity, many of its customers are already protected from this latest vulnerability.  Furthermore, Tier1Net deploys multiple security layers to both its own internal and hosted infrastructures as well as client supported networks to greatly reduce the exploit risk of any single vulnerability.  To further reduce customer exposure to this vulnerability Tier1Net will be deploying a Microsoft supported mitigation tool to all managed and hosted Exchange servers.
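
The following PowerShell is an added example and is not Tier1Net’s mitigation tool or code from the write-ups linked below.  It audits the Active Directory permission the relay abuses and the LDAP signing setting that would block the relay, then applies the throttling-policy workaround Microsoft published for CVE-2018-8581.  The function and policy names are arbitrary; the cmdlet parameters should be checked against Microsoft’s current guidance before running them in production.

```powershell
# Added example for the Exchange -> Domain Admin escalation described above.
# Not Tier1Net's tool and not code from the linked write-ups; function and
# policy names are arbitrary. Needs the ActiveDirectory module (RSAT) and,
# for the throttling policy, the Exchange Management Shell.
Import-Module ActiveDirectory

function Get-ExchangeWriteDaclGrants {
    # Lists ACEs on the domain root object that give an Exchange group
    # WriteDacl (directly, or through GenericAll, which includes it).
    # "Exchange Windows Permissions" normally holds this right; the relayed
    # Exchange computer account uses it to grant the attacker's user
    # replication (DCSync) rights on the domain.
    $domainDn  = (Get-ADDomain).DistinguishedName
    $acl       = Get-Acl -Path "AD:\$domainDn"
    $writeDacl = [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ActiveDirectoryRights.HasFlag($writeDacl) -and
            $_.IdentityReference.Value -match 'Exchange'
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
}

function Test-LdapSigningRequired {
    # Run on a domain controller. LDAPServerIntegrity = 2 makes the DC demand
    # signed LDAP binds, which defeats the NTLM-relay step of the attack.
    $ntds = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue
    ($null -ne $ntds) -and ($ntds.LDAPServerIntegrity -eq 2)
}

# 1. Audit: every row returned is a privilege the relay can abuse.
Get-ExchangeWriteDaclGrants | Format-Table -AutoSize
"LDAP signing required on this DC: $(Test-LdapSigningRequired)"

# 2. Workaround published by Microsoft for CVE-2018-8581: stop Exchange from
#    sending EWS push-notification callbacks, which is how the attacker makes
#    Exchange authenticate to a host they control. Exchange Management Shell.
New-ThrottlingPolicy -Name 'CVE-2018-8581-NoEwsPush' -EwsMaxSubscriptions 0 -ThrottlingPolicyScope Organization

# 3. Confirm the organisation-wide policy is in place.
Get-ThrottlingPolicy |
    Where-Object { $_.ThrottlingPolicyScope -eq 'Organization' } |
    Select-Object Name, EwsMaxSubscriptions
```

The audit in step 1 is the part worth keeping: the ACE it reports is the reason the relay ends in Domain Admin rather than in an ordinary user, and it will still be there after the EWS workaround is applied.  Disabling push subscriptions removes the trigger the public attack uses; it does not remove the underlying permission, so any Exchange-initiated authentication that can be relayed to LDAP would reach the same result.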

Additional Information

https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/
https://nakedsecurity.sophos.com/2019/01/30/privilege-escalation-vulnerability-uncovered-in-microsoft-exchange/
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8581


Tier1Net would like to share the latest available information on the Spectre and Meltdown vulnerabilities.  First and foremost, it is important to note that there are still no known exploits in the wild actively targeting the vulnerabilities.

Firewall Layer

Tier1Net’s preferred firewall vendor, SonicWall, has confirmed that it has deployed antivirus and intrusion prevention signatures for the known Spectre and Meltdown proof-of-concept code.  These antivirus and IPS updates have already been deployed to Tier1Net’s cloud and customer networks.  Note that such signatures catch known exploit code as it crosses the firewall; they do not change the underlying CPU behaviour, so the operating system, browser and hypervisor patches described below are still required.

Patch Status

Tier1Net is actively tracking the status of patches as they are released.  Once released, Tier1Net will evaluate each patch for stability before approving it for installation.  A Tier1Net representative will contact you if it is determined that the installation of a particular patch requires manual intervention or a maintenance window.  Tier1Net recommends that its customers take immediate action to update their iPhone and Android devices using the Knowledgebase articles documented below.

To review the status of patches being released please see the following vendor list.

Microsoft

Microsoft has already released patches for the latest version of Windows 10 as well as for its web browsers, Internet Explorer and Edge.  Patches for older versions of Windows will be released this week.  PCs and servers within Tier1Net managed networks will automatically receive the patches via Tier1Net’s Windows Update service.

PCs not managed by Tier1Net (for example, personal use and home PCs) will automatically receive patches as long as they have been enabled to receive updates via Microsoft’s Windows Update service.  Please see the following for further information on enabling Microsoft’s Windows Update service: https://support.microsoft.com/en-us/help/12373/windows-update-faq
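
As an added example (not part of the original notice), the PowerShell below checks on a given Windows host whether the Meltdown and Spectre variant 2 mitigations are present and switched on, using Microsoft’s SpeculationControl module from the PowerShell Gallery.  It also reads the two registry settings that in practice decided whether a machine received and activated the January 2018 patches: the antivirus compatibility key that Windows Update required before offering the update, and the override values that Windows Server needs before the installed mitigations are enabled.  The function names are arbitrary; the registry paths, value names and module property names are Microsoft’s.

```powershell
# Added example: check a Windows host's Meltdown/Spectre status.
# Run from an elevated PowerShell prompt; Install-Module needs internet access once.
Install-Module -Name SpeculationControl -Scope CurrentUser -Force
Import-Module SpeculationControl

function Get-MitigationStatus {
    # Microsoft's module queries the kernel's speculation-control state.
    $s = Get-SpeculationControlSettings -Quiet

    # Windows Update withheld the January 2018 patches until the installed
    # antivirus set this value, so an "unpatched" PC may simply be missing it.
    $compat = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat' -ErrorAction SilentlyContinue
    $avCompatSet = ($null -ne $compat) -and ($null -ne $compat.'cadca5fe-e4ad-4a3d-9f3b-3c0a6cb3c18c')

    # On Windows Server the mitigations ship disabled until these are set
    # (FeatureSettingsOverride = 0, FeatureSettingsOverrideMask = 3).
    $mm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management' -ErrorAction SilentlyContinue
    $serverOverrideSet = ($mm.FeatureSettingsOverride -eq 0) -and ($mm.FeatureSettingsOverrideMask -eq 3)

    [PSCustomObject]@{
        MeltdownOsSupport        = $s.KVAShadowWindowsSupportPresent   # CVE-2017-5754 patch installed
        MeltdownEnabled          = $s.KVAShadowWindowsSupportEnabled
        SpectreV2OsSupport       = $s.BTIWindowsSupportPresent         # CVE-2017-5715 patch installed
        SpectreV2FirmwareSupport = $s.BTIHardwarePresent               # needs CPU microcode / BIOS update
        SpectreV2Enabled         = $s.BTIWindowsSupportEnabled
        AvCompatKeyPresent       = $avCompatSet
        ServerOverrideConfigured = $serverOverrideSet
    }
}

function Enable-ServerMitigations {
    # Windows Server only: turn the already-installed mitigations on. Reboot afterwards.
    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    Set-ItemProperty -Path $path -Name FeatureSettingsOverride     -Value 0 -Type DWord
    Set-ItemProperty -Path $path -Name FeatureSettingsOverrideMask -Value 3 -Type DWord
}

Get-MitigationStatus | Format-List
```

Two of the fields deserve attention when reading the output.  A host can show SpectreV2OsSupport as true and SpectreV2Enabled as false simply because SpectreV2FirmwareSupport is false: the Windows patch alone does not mitigate variant 2 until the CPU microcode or BIOS update from the hardware vendor is applied.  And on Windows Server both Meltdown and Spectre fields stay false after patching until Enable-ServerMitigations (or the equivalent registry change) has been applied and the server rebooted.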

Apple

Apple has released iOS 11.2.2, which adds mitigations for Spectre to Safari and WebKit on top of the Meltdown mitigations already shipped in iOS 11.2.  Tier1Net recommends installing the update as soon as possible.  Please see the following KB detailing the steps required to update an iPhone’s iOS:  https://tier1net.itglue.com/DOC-1500653-1490177

Google

Google patched Android against Meltdown and Spectre in a January security update.  The specific availability of this update is based on the Android device manufacturer’s approval of the update.  Tier1Net recommends checking for and installing the most recent updates available as soon as possible.  Please see the following KB detailing the steps required to update an Android device:   https://tier1net.itglue.com/DOC-1500653-1490202

Google is also releasing an update for its Chrome web browser in the coming days which will obstruct attempts to exploit the Meltdown and Spectre flaws.  Chrome will automatically install the latest available version when the browser is launched.

Mozilla

Mozilla has released an update for Firefox to mitigate against Meltdown and Spectre.  The update will be installed automatically when the browser is launched.

VMware

VMware has released patches for its ESXi hypervisor to address the Spectre and Meltdown vulnerabilities.  ESXi runs directly on server hardware and hosts the virtual machines, including the virtual Windows servers, that run on top of it, so a hypervisor patch affects every guest on that host.  Tier1Net is in the process of evaluating these patches and will deploy them to its cloud and customer networks once patch stability has been fully confirmed.

Performance Concerns

There have also been reports of the patches reducing a device’s CPU performance once installed.  The initial reports may have been overstated, and measurements so far conflict.  Microsoft has warned users of older PCs of a possible performance impact once the patches are installed.  On servers, any impact is load dependent (workloads that make many system calls, such as databases and storage, are affected most) and may be further reduced by a new technique published by Google researchers, known as “retpoline”, which lets compilers protect code against Spectre variant 2 without relying on the slower CPU microcode controls.

Introduction

Details on two security vulnerabilities impacting nearly all modern operating systems and hardware were made public yesterday.  At this time new details are still emerging, with many questions still unanswered.  Tier1Net has been evaluating information as it has been released and would like to share its findings with you.

Technical Information

The vulnerabilities have been named Meltdown and Spectre, with Meltdown being the more serious of the two.  Based on current public information, Meltdown impacts all devices running Intel CPUs, while Spectre impacts nearly all CPUs made in the last 20 years, including Intel and AMD (and the ARM processors used in most phones).  A successful exploit of either would allow a bad actor or malicious program to read memory it has no right to see: with Meltdown, an ordinary program can read the operating system kernel’s memory; with Spectre, a program (including JavaScript running in a web page) can read memory belonging to other programs.  This can include passwords and other sensitive data.  Spectre is less serious in practice because it is much more difficult to exploit than Meltdown, although it is also harder to fix completely.  For further technical information please visit https://meltdownattack.com

Steps Being Taken by Tier1Net

As with all major security vulnerabilities there are a lot of news headlines sensationalizing the impact.  At this time there are no known exploits in the wild.  Furthermore, Tier1Net deploys multiple security layers to both its own internal and hosted infrastructures as well as client supported networks to greatly reduce the exploit risk of any single vulnerability.

With that in mind, Tier1Net is still taking all appropriate steps to address these vulnerabilities as quickly as possible.  Microsoft has released several patches via its update service to mitigate the risk within its Windows operating systems, while patches from other vendors are still in development.  In the coming days and weeks Tier1Net will be testing and deploying patches as they become available, with the goal of balancing security and stability.

Additional Information:

https://nakedsecurity.sophos.com/2018/01/03/fckwit-aka-kaiser-aka-kpti-intel-cpu-flaw-needs-low-level-os-patches/

https://www.pcworld.com/article/3245606/security/intel-x86-cpu-kernel-bug-faq-how-it-affects-pc-mac.html

https://www.theverge.com/2018/1/4/16848976/how-to-protect-windows-pc-meltdown-security-flaw

A vulnerability in the WPA2 WiFi security protocol, discovered several months ago, was made public earlier today.  The vulnerability, named KRACK (Key Reinstallation Attack), is in the WPA2 protocol itself, specifically in the handshake that establishes the encryption key when a device joins a network, so all devices that interact with a WiFi network are potentially vulnerable.  This includes mobile phones, laptops and IoT devices (e.g., Alexa, Nest, etc.).  To exploit the vulnerability a third party would need to be within radio range of the wireless network to which a device is connected.  If exploited, the vulnerability would allow a third party to decrypt and read traffic sent by a device and potentially inject malicious content into that traffic.  However, the third party would NOT be able to read or inject into traffic that is itself encrypted at a higher layer, such as a correctly configured HTTPS website or a VPN connection, although a site that does not enforce HTTPS (for example via HSTS) can be downgraded to plain HTTP by the same attacker.  Because the attack is carried out against the device joining the network, patching the client device protects it regardless of whether the access point has been patched.  Furthermore, though the vulnerability has been made public, exploit code has not, so there is little risk of widespread attacks at this time.

Vendors were alerted to this vulnerability when it was first discovered in August, and some have already released patches.  Apple and Microsoft devices are much less likely to be exploited due to the way in which they implement the WPA2 handshake (they do not accept the retransmitted handshake message the attack depends on).  Both have also issued statements that they have already patched the issue within their respective operating systems.  Google has acknowledged that it is aware of the issue but will not have a patch for its Android OS for several weeks; Android 6.0 and later, and Linux devices using the wpa_supplicant software, are the most exposed, since on those the attack can reset the encryption key to all zeros.  Tier1Net is currently working with its WiFi vendor partners to obtain and deploy patches to wireless access points as they become available.

In the meantime, Tier1Net recommends avoiding public WiFi hotspots unless your respective device is running the latest version of its Operating System with all appropriate security patches installed.  For a full list of vendors and their patch release dates please see: http://www.kb.cert.org/vuls/id/228519

For more information or assistance please contact Tier1Net Support at 781-935-8050 or at HELP@TIER1NET.NET.

On Tuesday, February 16th, Google posted a blog outlining a vulnerability in glibc (the GNU C library) which is used in many products and leaves those products vulnerable to remote exploitation. The vulnerability, identified as CVE-2015-7547, is similar to Heartbleed and Shellshock in terms of the scope of affected systems, but is not as serious as it is significantly more difficult to exploit.

Successful exploitation of the vulnerability relies on the potential victim communicating with a hostile/malicious DNS server or to be subject to a man-in-the-middle attack. Nevertheless, the vulnerability is considered to be critical by the industry since it can lead to remote exploitation of the client system.

This vulnerability is being seen across the industry and Dell SonicWALL is working quickly to provide a hot-fix and patch to ensure continued protection with Dell SonicWALL SRA/SMA Series.

For Tier1net customers using Dell SonicWALL SSLVPN SRA Appliances:

•  All SRA firmware versions prior to 8.1.0.1-11sv for SRA 4600/1600/Virtual Appliance and 8.0.0.4-25sv for SRA 4200/1200 are affected.
•  Action: Tier1net will open trouble tickets for all impacted customers and install the Dell SonicWALL patch to resolve this vulnerability

If you also have Dell SonicWALL firewalls deployed, please note: The Dell SonicWALL threat research team successfully published an Intrusion Prevention Service (IPS) signature on Tuesday, February 16th that automatically updated all customer systems running IPS worldwide, protecting networks behind our firewalls within 12 hours of identification. Dell SonicWALL firewalls are not susceptible to the glibc buffer overflow vulnerability.

Full details about the vulnerability and protection can be found in this SonicAlert article.

Read How Dell SonicWALL Guards Against the Glibc Vulnerability blog by Ken Dang from SonicWALL.

The POODLE vulnerability, or “Padding Oracle On Downgraded Legacy Encryption”, is a new security threat found within existing, though outdated, encryption technology.

This vulnerability is not as threatening as Heartbleed or Shellshock which could both be exploited via direct attack vectors. The POODLE vulnerability requires a man in the middle attack vector in order to be exploited.

Unfortunately this vulnerability does not have a specific solution or patch but rather multiple methods of reducing risk to exposure.  Experts at Google, Microsoft, Mozilla, and others, have all posted possible methods to mitigate against the POODLE vulnerability.

Tier1Net is actively following all POODLE developments and will release a more detailed notice with information regarding the vulnerability and steps that can be taken to reduce exposure.

POODLE exposes a vulnerability in an outdated, but still used, web encryption technology, SSL 3.0.  Modern web browsers prefer the newer TLS protocol when connecting to an HTTPS service.  But most browsers will still fall back to SSL 3.0 if a TLS connection attempt fails, and most servers will still accept it.  SSL 3.0’s handling of block-cipher padding then gives an attacker a way (the “padding oracle” in the name) to decrypt data sent between the client and server, one byte at a time.

It would not be easy to exploit this vulnerability, however.  “The conditions that are required for the attack to be applicable are hard to obtain.” said Itsik Mantin, director of security research at Imperva. “In particular, the attacker needs to become a man-in-the-middle between the attacked client and server, and to generate, block and modify client messages to the server and vice versa.”  An attacker in that position could force the client/server connection to “fall back” to SSL 3.0 and then potentially decrypt data such as session cookies.  An attack such as this would most likely occur on an unsecured public network, such as a Wi-Fi network at an airport.

In order to safeguard against POODLE, SSL 3.0 fallback must be blocked at every level: disable SSL 3.0 on servers, disable it in browsers and other clients, and, where SSL 3.0 must remain for now, deploy the TLS_FALLBACK_SCSV mechanism described in the OpenSSL advisory below, which lets a server detect and refuse a downgraded reconnection.  Due to the scope and complexity of possible SSL 3.0 usage, a single permanent solution is not yet agreed upon.  Blocking SSL 3.0 prematurely could break access for clients that support nothing newer, most notably Internet Explorer 6 on Windows XP, potentially blocking users from accessing a client’s own site and blocking employees from accessing business-critical sites.
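
The Windows side of that mitigation, as an added example that is not from the original notice: the PowerShell below disables SSL 3.0 in Schannel for both the server role (IIS, Exchange and other Windows services) and the client role (Internet Explorer, .NET and WinHTTP) and then audits the result.  The registry locations and values are Microsoft’s documented Schannel settings; the function names are arbitrary.  Run it elevated and reboot afterwards, and test any site or service that might still have SSL 3.0-only clients before rolling it out.

```powershell
# Added example: turn SSL 3.0 off in Windows Schannel and verify the setting.
# Requires an elevated prompt; Schannel reads these keys at boot.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0'

function Disable-Ssl3 {
    foreach ($role in 'Server', 'Client') {
        $key = Join-Path $base $role
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled = 0 refuses the protocol outright; DisabledByDefault = 1 keeps it
        # out of the default set even for applications that ask for "system defaults".
        New-ItemProperty -Path $key -Name Enabled           -PropertyType DWord -Value 0 -Force | Out-Null
        New-ItemProperty -Path $key -Name DisabledByDefault -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Test-Ssl3Disabled {
    # Returns $true only when both the server and client roles have SSL 3.0
    # explicitly turned off; a missing key means Windows falls back to its defaults.
    $results = foreach ($role in 'Server', 'Client') {
        $key = Join-Path $base $role
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        ($null -ne $p) -and ($p.Enabled -eq 0) -and ($p.DisabledByDefault -eq 1)
    }
    -not ($results -contains $false)
}

Disable-Ssl3
Test-Ssl3Disabled   # $true once the keys are written; reboot for Schannel to honour them
```

Disabling the client role is what removes the fallback on the Windows side: a client that cannot speak SSL 3.0 cannot be downgraded to it, whatever the server offers.  To confirm from another machine that a server no longer negotiates SSL 3.0, an `openssl s_client -ssl3 -connect host:443` attempt should end in a handshake failure rather than a completed connection.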

Tier1Net is actively following all recommendations and will keep its clients apprised of new developments.

https://www.openssl.org/news/secadv_20141015.txt

https://threatpost.com/new-poodle-ssl-3-0-attack-exploits-protocol-fallback-issue/108844

http://www.pcworld.com/article/2834015/security-experts-warn-of-poodle-attack-against-ssl-30.html

Dell SonicWALL has identified multiple vulnerabilities in its LDAP authentication handling that are exposed when SonicOS is configured to use Microsoft Active Directory / LDAP to authenticate accounts that are members of SonicWALL administrator groups.   Tier1Net’s infrastructure is not exposed to these vulnerabilities.  However, to mitigate against possible future exposure, Tier1Net will be performing firmware updates on all Dell SonicWALL firewalls within its network infrastructure.

If you have questions or concerns about this matter, please contact Tier1Net.

Two days ago, Hold Security revealed that Russian hackers have amassed over 1.2 billion usernames and passwords from various websites. The Milwaukee-based firm would not elaborate on which websites were targeted, or how users could know whether their credentials had been compromised.  Experts from within the firm, who played a role in identifying the previous security breaches at Adobe Systems and Target, say the latest Russian hacking scheme could be “the largest data breach known to date.”

Since the announcement, the scope and urgency of Hold Security’s claim has been questioned, with some arguing that the 1.2 billion usernames were amassed over multiple years via several hacking events: Stewart Baker, a partner at Steptoe & Johnson LLP and former general counsel of the National Security Agency, said, “1.2 billion is a very big number. If they got there by assembling two years’ worth of hacks, it is less impressive.”

Nevertheless, Tier1Net wants our clients to be aware that none of their Tier1Net hosted websites were affected by this alleged breach.

Meanwhile, we encourage all web users to review Tier1Net’s Best Practices for Safe Web Use below.

1. Regularly change your passwords for any sites that contain sensitive information, such as anything related to your finances, healthcare, credit cards, and banking information.

2. Do not use the same password across multiple sites.

3. Do not store your online logins/passwords in a file on your computer.

4. Regularly review your bank, credit card, financial, and healthcare statements for accuracy. Report unknown or suspicious activity immediately to the account provider.

5. When offered by an online provider, always opt for two-factor authentication, which requires a second credential for access beyond your password (for example, a code from an app or a text message).

6. Proceed with caution.   When large scale malicious activity is reported, always assume that your accounts may have been targeted, and take the appropriate actions – such as changing your passwords – to safeguard against information breaches.

If you have questions about this latest security breach, or how to keep your web activity secure, please contact us.

Thanks,

Tier1Net

As seen in the news Microsoft has disclosed that there is a significant security vulnerability in Internet Explorer.

Here is a link describing the vulnerability in depth: http://www.zdnet.com/microsoft-discloses-zero-day-in-all-versions-of-internet-explorer-7000028803/

The important takeaways are that Microsoft has not released a patch for the vulnerability at this time and that the vulnerability is already being exploited in limited, targeted attacks. It is a serious enough issue that the Department of Homeland Security (US-CERT) has released an advisory recommending that people not use Internet Explorer until it is patched. Also, since Windows XP is no longer supported by Microsoft, Microsoft will not be releasing a patch for XP.

Most networks should have several layers of protection to mitigate exposure to the vulnerability. First, a user’s PC is only attacked if Internet Explorer loads a web page that hosts the exploit; a user is not exposed simply by using Internet Explorer on legitimate websites, unless one of those sites has itself been compromised or serves malicious advertising. The most common attack vector will likely be phishing emails that try to trick users into clicking links that open such a page in IE. Tier1net’s McAfee Antispam/Antivirus service would quarantine those emails as spam and/or rewrite the URL to pass it through its ClickProtect proxy, so even if the user clicked the link and opened it with IE, McAfee should block the URL from loading within the browser.

All that being said, Tier1net recommends that Chrome or Firefox be used in place of Internet Explorer until a patch is released. Regarding Windows XP, since the patch will not be made available to XP PCs, Tier1net suggests installing Google Chrome on all XP PCs and setting it as the default browser. Tier1net’s Managed IT customers can have this process fully automated with no disruption to end users.

As always please contact Tier1net Support should you have any questions or concerns relating to this issue.