
The Ancient Microsoft Security Flaws Driving Cybercrime In 2020

Davey Winder, Senior Contributor

A brand-new IBM Security «X-Force Threat Intelligence Index» report was published today and reveals some very old Microsoft vulnerabilities are still causing very real problems.

There was some good news to be found within the pages of the latest threat intelligence report from the IBM Security X-Force. Namely that phishing was used as a successful initial infection vector in just 31% of incidents analyzed. That is compared to half in the previous year. While it would be nice to lay this firmly at the feet of cyber-awareness initiatives working as they should, I’m afraid that’s not the case. Indeed, the bitter pill you need to swallow when reading the report is that twice as many initial infections (60%) of victim networks used either stolen credential reuse or known software vulnerabilities. Although deception certainly isn’t dead, cybercriminals aren’t exactly known for their work ethic: the simplest way to nefarious profit will always be route one. Increasingly, IBM’s X-Force report suggests, previously disclosed vulnerabilities are a contributing factor. With more than 150,000 vulnerabilities disclosed to date, the researchers found that vulnerability scanning and exploitation resulted in 8% of incidents during 2018, rising to 30% in 2019. But that’s not the real shocker: older, already well-known, vulnerabilities in Microsoft Office and Windows Server Message Block accounted for «high rates of exploitation» in 2019.

90% of one threat vector driven by just two old Microsoft vulnerabilities

So, just how old is «old» in the context of these Microsoft vulnerabilities? Well, the IBM X-Force analysis of global spam activity, often used as part of the attack chain, found that just two patched vulnerabilities accounted for nearly 90% of those that threat actors attempted to exploit via these campaigns. CVE-2017-0199, a Microsoft Word exploit, dates back to November 2016 as far as exploits are concerned, with a Microsoft patch available from April 2017. That’s pretty old, huh? Not as old as the other vulnerability, CVE-2017-11882, a memory corruption issue in Microsoft Office that apparently has roots that can be traced back nearly twenty years.

«While sophisticated adversaries may develop zero-day exploits,» the report states, «relying on known exploits occurs more frequently as such exploits allow adversaries to gain an initial foothold without having to expend resources to craft new tactics, techniques and procedures (TTPs), saving their best weapons for the most heavily defended networks.» You only have to look at WannaCry, which spread through the Server Message Block flaw patched by MS17-010: instances of it are still being seen more than two years after the patch became available.
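As an added example (not from the article or the IBM report), this is the triage ordering the article's findings argue for: a known-exploited flaw whose patch has been available for years outranks a merely "critical" scanner score. The inventory is constructed; the fix dates for CVE-2017-11882 and MS17-010 are Microsoft's public release dates, which the article does not state, and CVE-PLACEHOLDER-0001 is a made-up id.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Vendor fix dates. CVE-2017-0199's April 2017 patch is stated in the article;
# the other two are Microsoft's public release dates, not given in the article.
KNOWN_EXPLOITED_FIX_DATES = {
    "CVE-2017-0199": date(2017, 4, 11),    # Office OLE flaw abused in spam campaigns
    "CVE-2017-11882": date(2017, 11, 14),  # Office Equation Editor memory corruption
    "MS17-010": date(2017, 3, 14),         # SMBv1 bulletin exploited by WannaCry
}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}
ARTICLE_DATE = date(2020, 2, 11)  # the article's publication date, used as "today"

@dataclass
class Finding:
    host: str
    vuln_id: str   # CVE id or Microsoft bulletin id as reported by the scanner
    severity: str  # scanner severity: critical / high / medium / low

@dataclass
class Triaged:
    host: str
    vuln_id: str
    known_exploited: bool
    days_since_fix: Optional[int]  # None when no vendor fix date is on file
    rank: int                      # 1 = patch this first

def triage(findings: List[Finding], today: date) -> List[Triaged]:
    """Known-exploited first, then the longest-available patch first,
    with scanner severity only as the tie-breaker."""
    rows = []
    for f in findings:
        fix = KNOWN_EXPLOITED_FIX_DATES.get(f.vuln_id)
        rows.append((f, fix is not None, (today - fix).days if fix else None))
    rows.sort(key=lambda r: (not r[1], -(r[2] or 0), SEVERITY_ORDER.get(r[0].severity, 9)))
    return [Triaged(f.host, f.vuln_id, ke, age, i + 1) for i, (f, ke, age) in enumerate(rows)]

def known_exploited_share(findings: List[Finding]) -> float:
    """Fraction of open findings that sit on a known-exploited flaw (0.0 when empty)."""
    return sum(f.vuln_id in KNOWN_EXPLOITED_FIX_DATES for f in findings) / max(len(findings), 1)

# Constructed inventory for illustration; hostnames and the placeholder id are made up.
SAMPLE = [
    Finding("db-03", "CVE-PLACEHOLDER-0001", "critical"),  # no known public exploit
    Finding("ws-12", "CVE-2017-11882", "high"),
    Finding("srv-01", "MS17-010", "critical"),
    Finding("ws-07", "CVE-2017-0199", "high"),
]
```

Running `triage(SAMPLE, ARTICLE_DATE)` puts the SMB bulletin first, 1,064 days after its fix shipped, and pushes the unexploited "critical" placeholder to the bottom of the list.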

To patch or not to patch? That is the question

This leads to the question of whether it’s a won’t patch or can’t patch situation that is the problem here. I put that precise question, as well as one asking what it will take to burst the unpatched old vulnerabilities bubble, to members of the Beer Farmers (https://twitter.com/TheBeerFarmers) information security collective.

Sean Wright, OWASP Scotland chapter leader, agrees with the X-Force report’s conclusion that attackers tend to focus on known vulnerabilities. «A saying comes to mind from the attacker’s perspective, namely if it ain’t broke don’t fix it,» Wright says, «if old exploits work, then attackers don’t need to invest additional time and resources to create something new.» Application security specialist Mike Thompson tells me that he «knows for a fact» that many hospitals are still running equipment using Windows XP, for example. «Why use a fresh exploit,» Thompson says, «when there’s still an unhealthy footprint like that kicking around?»

Within the SME space, there are plenty such cases of legacy applications integrating with old versions of Microsoft Office, says Ian Thornton-Trump, CISO at threat intelligence company Cyjax. «You think that an integrated app could support the latest versions of Office?» he says, «not a chance.» Many of the line of business client-server apps found in professional services firms date back to the early 2000s, meaning that «patching them may put at risk a critical billing, ERP, CRM or record system,» according to Thornton-Trump. «The business probably has looked at upgrading that legacy app and balked or rejected the upgrade cost outright,» he says, «that’s the primary reason I believe so much old on-premises SQL, SharePoint, and Exchange is still out there. If it works and makes money for the firm, why upgrade it?»

So how can this problem ever be resolved? «The biggest improvement to technical security an organization can make is to remove technological debt for hardware and software,» Thornton-Trump concludes. I won’t repeat just how easy it is to discover the system admin password for a SQL database using many apps from 15 years ago, with the method that Thornton-Trump showed me, but he’s certainly not the only one to know it works…

Publication date: February 11, 2020

BELT.ES is not responsible for the opinions expressed in the articles reproduced in its Revista de Prensa (press review), nor does it necessarily endorse the opinions and views expressed. The reproduced information is distributed for non-commercial purposes.
