Start a free, 14-day trial of Syxsense, which helps organizations from 50 to 10,000 endpoints monitor and manage their environment, all from just a web browser. An email will be automatically sent to the address you provide.
WannaCry is the worst malware attack of 2017. As computer virus outbreaks go, this ransomware attack is being called one of the biggest cyberattacks in history and continues to spread worldwide. In this post, we’ll explore WannaCry, its latest developments, and how to protect your organization.
WannaCry is an extremely dangerous trojan virus that infects Windows computers and promptly encrypts nearly all data. To decrypt the files and regain access, WannaCry demands that $300 in bitcoins be paid to an anonymous account. After three days, the $300 ransom increases to $600. After seven days without payment, the computer’s contents are deleted.
Why is this virus spreading?
The virus typically enters your organization through email: when a user opens an infected attachment or link, the malware installs itself. It then attempts to replicate across your computer networks and the Internet, so your entire IT infrastructure may be at risk.
Can I recover the encrypted files or should I pay the ransom?
It is currently impossible to decrypt the encrypted files. If you have backup copies of affected files, you may be able to restore them. Even if you pay the ransom there is no guarantee your files will be decrypted. We recommend that you do not pay the ransom.
Who is at risk?
WannaCry ransomware targets all versions of Windows by leveraging an exploit discovered by the NSA. Microsoft patched this vulnerability in March 2017.
Your first line of defense is always common sense. This applies to WannaCry and any other malware floating around out there. If you receive an email with an attachment from someone you don’t know, never open or download that attachment.
If you receive an attachment from someone you do know, but it looks odd or suspicious, never open or download it.
It is vital that every Windows device attached to your computer network has Microsoft patch MS17-010 applied. Ensure that your IT department has strong patch management processes in place that regularly patch all devices. This patch was released over 60 days ago, so there is no reason your IT department should not have deployed it already.
Microsoft took the very unusual step this weekend to release MS17-010 for its old unsupported operating systems, including:
Windows 8
Windows XP
Windows Server 2003
These old operating systems must also be patched; many of the organizations you might have seen in the press still use them. Be cautious about visitors to your organization connecting to your computer networks, as their devices might infect your company.
Regardless of your operating system, you should install all available security updates. Implement a tool like Syxsense to automate the detection of all devices and patching processes.
On Friday, the security team at Syxsense was one of the first to break the news in the US about the WannaCrypt malware attack.
Over the weekend, a UK security blogger found a kill switch for the initial variant of WannaCrypt. The blogger found that each infected device checked for the existence of a long-unregistered URL before encrypting infected device files. The blogger registered the domain to allow him to track the progression of WannaCrypt.
Although the initial wave of attacks has been diminished by activating the kill switch, this is not over. New variants of WannaCrypt are still being released that ignore the kill switch.
WannaCrypt exploits weaknesses in Microsoft operating systems that were identified by the NSA. Microsoft patched these weaknesses in March 2017, so organizations using Syxsense, Windows Update or another patching solution should already be protected, provided they have deployed MS17-010.
However, many organizations still have older operating systems deployed that Microsoft no longer supports: Windows Server 2003, Windows XP, Windows XP Embedded and Windows 8. Microsoft took the unusual step over the weekend of releasing a patch for these unsupported operating systems.
We strongly recommend identifying all vulnerable operating systems and deploying this patch immediately.
We strongly recommend using a solution like Syxsense, which supports older operating systems and can scan your entire IT environment agentlessly to find every device and remediate it without agents having to be deployed.
This attack is not going away – expect new variants shortly.
Ashley Leonard
CEO | Syxsense
Verismic Software, Inc.
A large ransomware attack has thrown the British healthcare infrastructure into uncertainty. The National Health Service confirmed in a statement that as of the morning of May the 12th “16 NHS organizations had reported that they were affected by this issue.” Photos circulating on Twitter showed both computer screens locked with a ransom message and ambulances backed up at hospitals. There are reports that doctors have had to resort to paper and pencil.
The release by the NHS also states “At this stage we do not have any evidence that patient data has been accessed.” As of this posting, the investigation is ongoing. However, the NHS has said that they believe the malware responsible is ‘Wanna Decryptor’.
The best way to protect against malware is keeping your systems up to date. While firewalls and antivirus are important outer defenses, protecting the interior of your network is also vital. As vulnerabilities are discovered, updates are released to fortify software. However, if you put off patching, you leave your environment vulnerable to exploits.
Microsoft says that an update they released on March 14th addresses this vulnerability. Deploying this patch should keep your Windows systems secure, but if you are running unsupported versions of Windows, like XP, you won’t receive this update. Learn more about the Security Bulletin here.
Syxsense is the solution for efficient, predictive patching. We test patches and then release them to you for a stable and secure environment. Not only do we have Microsoft updates, but we have an extensive library of third-party software vendors. Protect yourself against a major vulnerability or ransomware attack with Syxsense to secure your systems.
This week we have learned of a serious bug in Windows Defender which could effectively hand control to an attacker simply by your receiving a carefully crafted email, without you even opening it. The Google Project Zero researchers who found the bug, Tavis Ormandy and Natalie Silvanovich, tweeted that this was “the worst Windows remote code exec in recent memory.” If you are using Windows Defender, we highly recommend updating the protection engine as soon as possible.
You may remember last year we published an article called, “Hard Shell – Soft Center.” This article typified the common strategy of protecting company networks at the physical perimeter level only and having a reduced security presence once inside the network.
Our concerns about this type of strategy have since been realized: network security is falling behind because it cannot change dynamically to meet the ever-increasing threats to company property.
Our clients must adopt a multi-factor protection strategy that combines protection at the perimeter with a routine patching process.
This is what we like to call a software perimeter, and requires you to follow some simple steps to protect your environment from the inside. Should you need some free advice to get started, click here.
The May security release consists of security updates for the following software:
We have chosen a few updates to prioritize this month. This recommendation has been made using evidence from industry experts (including our own) and anticipated business impact.
KB Info | Product | Platform | Severity | Impact |
--- | --- | --- | --- | --- |
4019473 | Microsoft Edge | Windows 10 Version 1511 for 32-bit Systems | Critical | Remote Code Execution |
4019473 | Microsoft Edge | Windows 10 Version 1511 for x64-based Systems | Critical | Remote Code Execution |
4019472 | Microsoft Edge | Windows 10 Version 1607 for x64-based Systems | Critical | Remote Code Execution |
4019472 | Microsoft Edge | Windows 10 Version 1607 for 32-bit Systems | Critical | Remote Code Execution |
4019474 | Microsoft Edge | Windows 10 for x64-based Systems | Critical | Remote Code Execution |
4019474 | Microsoft Edge | Windows 10 for 32-bit Systems | Critical | Remote Code Execution |
4016871 | Microsoft Edge | Windows 10 Version 1703 for x64-based Systems | Critical | Remote Code Execution |
4016871 | Microsoft Edge | Windows 10 Version 1703 for 32-bit Systems | Critical | Remote Code Execution |
4019473 | Internet Explorer 11 | Windows 10 Version 1511 for 32-bit Systems | Critical | Remote Code Execution |
4019215 | Internet Explorer 11 | Windows 8.1 for 32-bit systems | Critical | Remote Code Execution |
4019215 | Internet Explorer 11 | Windows 8.1 for x64-based systems | Critical | Remote Code Execution |
4019473 | Internet Explorer 11 | Windows 10 Version 1511 for x64-based Systems | Critical | Remote Code Execution |
4019472 | Internet Explorer 11 | Windows 10 Version 1607 for x64-based Systems | Critical | Remote Code Execution |
4019472 | Internet Explorer 11 | Windows 10 Version 1607 for 32-bit Systems | Critical | Remote Code Execution |
4019264 | Internet Explorer 11 | Windows 7 for x64-based Systems Service Pack 1 | Critical | Remote Code Execution |
4019474 | Internet Explorer 11 | Windows 10 for x64-based Systems | Critical | Remote Code Execution |
4019264 | Internet Explorer 11 | Windows 7 for 32-bit Systems Service Pack 1 | Critical | Remote Code Execution |
4020821 | Adobe Flash Player | Windows 10 Version 1511 for 32-bit Systems | Critical | Remote Code Execution |
4020821 | Adobe Flash Player | Windows 8.1 for 32-bit systems | Critical | Remote Code Execution |
4020821 | Adobe Flash Player | Windows 8.1 for x64-based systems | Critical | Remote Code Execution |
4020821 | Adobe Flash Player | Windows Server 2012 | Critical | Remote Code Execution |
4020821 | Adobe Flash Player | Windows 10 Version 1511 for x64-based Systems | Critical | Remote Code Execution |
4020821 | Adobe Flash Player | Windows 10 Version 1607 for x64-based Systems | Critical | Remote Code Execution |
4020821 | Adobe Flash Player | Windows 10 Version 1607 for 32-bit Systems | Critical | Remote Code Execution |
4020821 | Adobe Flash Player | Windows 10 for x64-based Systems | Critical | Remote Code Execution |
4020821 | Adobe Flash Player | Windows Server 2012 R2 | Critical | Remote Code Execution |
4020821 | Adobe Flash Player | Windows 10 for 32-bit Systems | Critical | Remote Code Execution |
4020821 | Adobe Flash Player | Windows RT 8.1 | Critical | Remote Code Execution |
4020821 | Adobe Flash Player | Windows Server 2016 | Critical | Remote Code Execution |
4020821 | Adobe Flash Player | Windows 10 Version 1703 for x64-based Systems | Critical | Remote Code Execution |
4020821 | Adobe Flash Player | Windows 10 Version 1703 for 32-bit Systems | Critical | Remote Code Execution |
4018466 | | Windows Server 2008 for 32-bit Systems Service Pack 2 | Critical | Remote Code Execution |
4019474 | Internet Explorer 11 | Windows 10 for 32-bit Systems | Critical | Remote Code Execution |
4019215 | Internet Explorer 11 | Windows RT 8.1 | Critical | Remote Code Execution |
4016871 | Internet Explorer 11 | Windows 10 Version 1703 for x64-based Systems | Critical | Remote Code Execution |
4016871 | Internet Explorer 11 | Windows 10 Version 1703 for 32-bit Systems | Critical | Remote Code Execution |
4019264 | | Windows Server 2008 R2 for x64-based Systems Service Pack 1 | Critical | Remote Code Execution |
4019215 | | Windows Server 2012 R2 (Server Core installation) | Critical | Remote Code Execution |
4019473 | | Windows 10 Version 1511 for 32-bit Systems | Critical | Remote Code Execution |
4018466 | | Windows Server 2008 for x64-based Systems Service Pack 2 | Critical | Remote Code Execution |
4018466 | | Windows Server 2008 for Itanium-Based Systems Service Pack 2 | Critical | Remote Code Execution |
4019215 | | Windows 8.1 for 32-bit systems | Critical | Remote Code Execution |
4019215 | | Windows 8.1 for x64-based systems | Critical | Remote Code Execution |
4019264 | | Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 | Critical | Remote Code Execution |
4019214 | | Windows Server 2012 | Critical | Remote Code Execution |
4018466 | | Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) | Critical | Remote Code Execution |
4019473 | | Windows 10 Version 1511 for x64-based Systems | Critical | Remote Code Execution |
4019472 | | Windows 10 Version 1607 for x64-based Systems | Critical | Remote Code Execution |
4019472 | | Windows 10 Version 1607 for 32-bit Systems | Critical | Remote Code Execution |
4019264 | | Windows 7 for x64-based Systems Service Pack 1 | Critical | Remote Code Execution |
4019474 | | Windows 10 for x64-based Systems | Critical | Remote Code Execution |
4019214 | | Windows Server 2012 (Server Core installation) | Critical | Remote Code Execution |
4019264 | | Windows 7 for 32-bit Systems Service Pack 1 | Critical | Remote Code Execution |
4019264 | | Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) | Critical | Remote Code Execution |
4019215 | | Windows Server 2012 R2 | Critical | Remote Code Execution |
4019474 | | Windows 10 for 32-bit Systems | Critical | Remote Code Execution |
4019215 | | Windows RT 8.1 | Critical | Remote Code Execution |
4019472 | | Windows Server 2016 | Critical | Remote Code Execution |
4019472 | | Windows Server 2016 (Server Core installation) | Critical | Remote Code Execution |
4016871 | | Windows 10 Version 1703 for x64-based Systems | Critical | Remote Code Execution |
4016871 | | Windows 10 Version 1703 for 32-bit Systems | Critical | Remote Code Execution |
| Microsoft Forefront Security for SharePoint Service Pack 3 | | Critical | Remote Code Execution |
| Windows Defender | Windows 10 Version 1511 for 32-bit Systems | Critical | Remote Code Execution |
| Windows Defender | Windows 8.1 for 32-bit systems | Critical | Remote Code Execution |
| Windows Defender | Windows 8.1 for x64-based systems | Critical | Remote Code Execution |
| Windows Defender | Windows 10 Version 1511 for x64-based Systems | Critical | Remote Code Execution |
| Windows Defender | Windows 10 Version 1607 for x64-based Systems | Critical | Remote Code Execution |
| Windows Defender | Windows 10 Version 1607 for 32-bit Systems | Critical | Remote Code Execution |
| Windows Defender | Windows 7 for x64-based Systems Service Pack 1 | Critical | Remote Code Execution |
| Windows Defender | Windows 10 for x64-based Systems | Critical | Remote Code Execution |
| Windows Defender | Windows 7 for 32-bit Systems Service Pack 1 | Critical | Remote Code Execution |
| Windows Defender | Windows 10 for 32-bit Systems | Critical | Remote Code Execution |
| Windows Defender | Windows RT 8.1 | Critical | Remote Code Execution |
| Windows Defender | Windows Server 2016 | Critical | Remote Code Execution |
| Windows Defender | Windows Server 2016 (Server Core installation) | Critical | Remote Code Execution |
| Windows Defender | Windows 10 Version 1703 for x64-based Systems | Critical | Remote Code Execution |
| Windows Defender | Windows 10 Version 1703 for 32-bit Systems | Critical | Remote Code Execution |
4018466 | | Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) | Critical | Remote Code Execution |
| Windows Intune Endpoint Protection | | Critical | Remote Code Execution |
| Microsoft Forefront Endpoint Protection 2010 | | Critical | Remote Code Execution |
| Microsoft Security Essentials | | | |
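Both the WannaCry advice above (confirm MS17-010 is on every Windows device) and this month's table come down to the same operational check: does each host carry the update that applies to it? The script below is an added example written for this page; it is not Syxsense code or a Microsoft tool. It takes the May 2017 KB numbers from the table above, treats a host as patched for May when any one of the OS-specific cumulative updates or rollups is present (only one applies per OS), checks the Flash Player update separately, and leaves the MS17-010 KB list as a labelled placeholder because those numbers are not on this page and must be copied from Microsoft's bulletin. Remote hosts are queried over WinRM (Get-CimInstance) and RPC/DCOM (Get-HotFix); the script name and parameter names are my own.

```powershell
# Added example (not Syxsense code): report whether each host has a May 2017
# security update KB from the table above, the Flash Player update, and an
# MS17-010 KB installed. Save as Test-MayPatches.ps1 (name assumed).
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

# May 2017 cumulative updates / monthly rollups, taken from the table above.
# A host needs only the one that matches its OS, so any single hit counts.
$MayKb = @('4019473', '4019472', '4019474', '4016871',
           '4019215', '4019264', '4019214', '4018466')

# Adobe Flash Player security update for Windows, from the table above.
$FlashKb = @('4020821')

# PLACEHOLDER: fill in the MS17-010 KB numbers for the operating systems in
# your estate, copied from Microsoft's MS17-010 bulletin. They are not listed
# on this page, so none are assumed here and the check reports 'list not set'.
$Ms17010Kb = @()

function Test-KbInstalled {
    param([Parameter(Mandatory)][string]$Computer)

    $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $Computer

    # Get-HotFix reads Win32_QuickFixEngineering; HotFixID looks like "KB4019472".
    # Strip the prefix so the comparison is on the bare number.
    $installed = @(Get-HotFix -ComputerName $Computer |
        ForEach-Object { $_.HotFixID -replace '^KB', '' })

    $mayHits  = @($MayKb     | Where-Object { $installed -contains $_ })
    $flashHit = @($FlashKb   | Where-Object { $installed -contains $_ })
    $ms17Hit  = @($Ms17010Kb | Where-Object { $installed -contains $_ })

    $ms17Status = if ($Ms17010Kb.Count -eq 0) { 'list not set' } else { $ms17Hit.Count -gt 0 }

    [pscustomobject]@{
        Computer       = $Computer
        OS             = $os.Caption
        Build          = $os.Version
        LastBoot       = $os.LastBootUpTime
        May2017Patched = ($mayHits.Count -gt 0)
        May2017Kb      = ($mayHits -join ',')
        FlashPatched   = ($flashHit.Count -gt 0)
        MS17010Patched = $ms17Status
    }
}

foreach ($c in $ComputerName) {
    try {
        Test-KbInstalled -Computer $c
    } catch {
        # An unreachable host is an unknown, not a pass: surface it rather
        # than silently dropping it from the report.
        Write-Warning "Could not query ${c}: $($_.Exception.Message)"
    }
}
```

Run it as `.\Test-MayPatches.ps1 -ComputerName srv01,srv02 | Format-Table` and look for rows where `May2017Patched` is `False`, or where `MS17010Patched` is `False` once the placeholder list is filled. Two caveats: `Get-HotFix` only sees updates recorded in Win32_QuickFixEngineering, so an update delivered by a channel that does not register there will show as missing and should be confirmed another way; and hosts on the unsupported operating systems named above may lack WinRM entirely, in which case they surface as warnings and need to be inventoried by other means, which is the point the post makes about agentless discovery.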
What is the best approach to patching for your environment? See our infographic to compare the difference between patch-centric and device-centric patching.
Although the strategies are similar, there is a key difference when it comes to selecting and deploying updates. Click on the infographic to save and reference for later.
In the past, one way to defend yourself from a phishing attempt was to double check the URL. If something looked fishy, pun intended, you knew to navigate away.
However, a recent demonstration by a Chinese security researcher shows it’s possible to display a URL that appears correct. Safari isn’t tricked, but Chrome, Firefox and Opera all can display this convincing, fake URL.
The best defense is to update these browsers as soon as possible; Chrome has already released an update that now prevents this. You should also always visit websites from your own bookmarks or by typing in the URL.
HTTPS Vulnerable to a MiTM Attack
An alert was put out by the United States Computer Emergency Readiness Team (US-CERT) mid-March outlining the possibility that HTTPS is vulnerable.
In their alert, they point to issues detected with HTTPS inspection products that are not performing correct Transport Layer Security certificate validation. Attackers could use a man-in-the-middle (MiTM) attack to intercept the connection and collect sensitive client data.
US-CERT recommends that any organizations using HTTPS should verify that their product properly validates certificate chains and passes any warnings/errors to the client.
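One practical way to act on that recommendation is to look at what a client inside the network actually sees when it connects to a server with a known-bad certificate. The function below is an added example for this page, not code from the post or from US-CERT: it opens a TLS connection with .NET's SslStream, records the validation errors the framework reports, and returns the presented certificate's subject and issuer. `$TestHost` is a placeholder for a server you control that deliberately presents an expired or self-signed certificate; the function and variable names are my own.

```powershell
# Added example (not from the original post or the US-CERT alert): show the
# certificate and validation errors the client actually sees for a TLS
# endpoint. Against a host with a deliberately bad certificate, PolicyErrors
# should be non-empty; if it comes back None and the Issuer is an internal
# CA, an inspection product is re-signing the chain and hiding the error.
function Get-TlsValidationResult {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )

    # Shared state the callback writes into; a hashtable is a reference type,
    # so the closure's write is visible here after the handshake.
    $state = @{ Errors = $null }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($src, $cert, $chain, $errors)
        $state.Errors = $errors
        # Accept regardless so the handshake completes and the presented
        # certificate can be read. This is a diagnostic probe, not a client
        # that should ever trust the result.
        return $true
    }.GetNewClosure())

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = $null
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Host         = $HostName
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            Protocol     = $ssl.SslProtocol
            PolicyErrors = $state.Errors
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }
}

# Placeholder: a server you run that presents a known-bad certificate.
$TestHost = 'bad-cert.test.example'
$result = Get-TlsValidationResult -HostName $TestHost
$result | Format-List

if ($result.PolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None) {
    Write-Warning "No validation error reported for $TestHost; check whether an inspection product is re-signing the chain (issuer: $($result.Issuer))."
}
```

Run the same probe from a client outside the inspection path and compare: the expected result for an expired certificate is `RemoteCertificateChainErrors` in both places. If the inside-the-network run reports `None` and an issuer you recognise as the inspection appliance's CA, the product is validating (or failing to validate) on the client's behalf without passing the warning on, which is exactly the condition US-CERT describes. The probe trusts nothing itself; it only reports what the framework would have rejected.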
Every month we see a bevy of new third-party updates, and we are always enhancing our library of supported vendors. Special requests and additions are welcome. This month's releases include:
Product | Category | Patch |
--- | --- | --- |
Chrome | Web Browser | Chrome_v58.0.3029.81 |
Skype | Online calls | Skype_v7.35 |
Adobe (Updates for Adobe Campaign, Flash Player, Acrobat, Reader, Photoshop CC, and the Creative Cloud Desktop Application) | | APSB17-09, APSB17-10, APSB17-12, APSB17-13 |
Firefox | Web Browser | Firefox_v53 |
Thunderbird | Email Client | Thunderbird_v52.0.1 |
WinSCP | File browser | WinSCP_v5.9.5 |
Wireshark | Network protocol analyzer | Wireshark_v2.2.6 |
Glary Utilities | PC cleanup | Glary_v5.74 |
AIMP | Audio Player | AIMP_v4.13.1893 |
Java | Programming language | Java_8u131 |
Patch | Details |
--- | --- |
Chrome_58.0.3029.81 | Fixes include: type confusion in PDFium; heap use after free in Print Preview; type confusion in Blink; URL spoofing in Omnibox; use after free in Chrome Apps; use after free in Blink; incorrect UI in Blink; incorrect signature handling in Networking; cross-origin bypass in Blink. |
Skype_7.35 | When searching for new contacts, you will now see the number of mutual friends you have. Quality improvements and general fixes. |
Adobe APSB17-09, APSB17-10, APSB17-11, APSB17-12, APSB17-13 | Adobe has released a security update for Adobe Campaign v6.11 for Windows and Linux. This update resolves an important input validation bypass that could be exploited to read, write or delete data from the Campaign database (CVE-2017-2989). Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe has released security updates for Adobe Acrobat and Reader for Windows and Macintosh. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe has released updates for Photoshop CC for Windows and Macintosh. These updates resolve a critical memory corruption vulnerability when parsing malicious PCX files that could lead to code execution (CVE-2017-3004). These updates also resolve an unquoted search path vulnerability in Photoshop on Windows (CVE-2017-3005). Adobe has released a security update for the Creative Cloud Desktop Application for Windows. This update resolves an important vulnerability related to the use of improper resource permissions during the installation of Creative Cloud desktop applications (CVE-2017-3006). This update also resolves a vulnerability related to the directory search path used to find resources (CVE-2017-3007). |
Firefox_v53 | Faster and more stable with a separate process for graphics compositing (the Quantum Compositor). Compact themes and tabs save screen real estate, and the redesigned permissions notification improves usability. Plus various security fixes. |
Thunderbird_52.0.1 | Fixed: clicking on a link in an email may not open this link in the external browser. Crash due to incompatibility with McAfee Anti-SPAM add-on; the add-on is blocked in 52.0.1. |
WinSCP_5.9.5 | SSH core and private key tools (PuTTYgen and Pageant) upgraded to PuTTY 0.68, which brings the following change: security fix for an integer overflow bug in the agent forwarding code (vuln-agent-fwd-overflow). Translation completed: Traditional Chinese. Translation updated: Icelandic. De-duplicating Duplicate Session and Disconnect accelerators in Session menu (1512). De-duplicating Quit and Queue accelerators in Commands menu (1516). Increased length limit of host name (1517). Bug fix: failure when reloading non-current directory expanded in remote directory tree (1514). Bug fix: failure when moving Download and Delete operation to background (1462). |
Wireshark_2.2.6 | Various security and bug fixes. |
Glary_v5.74 | Faster scan and analysis. New design. |