HIMSS News

URGENT (PATCH & MITIGATE NOW): US-CERT Technical Alert (TA17-64A): HIDDEN COBRA DDoS Botnet Infrastructure and Microsoft June 2017 Critical Security Updates

Two major cybersecurity developments happened this week: (1) an alert by the United States Computer Emergency Readiness Team (US-CERT) on “HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure” (Alert No. TA17-64A) and (2) Microsoft’s June 2017 security update release (which address, in part, certain critical security vulnerabilities). 

Details on HIDDEN COBRA -- North Korea’s DDoS Botnet Infrastructure” (Alert No. TA17-64A)

On June 13, 2017, US-CERT released a Technical Alert (Alert No. TA17-64A) providing technical details, including indicators of compromise, on the tools and infrastructure used by nation state cyber threat actors to reportedly target the media, aerospace, financial, and critical infrastructure sectors in the United States and around the world.  Detection, response, and mitigation information are also provided.

Details on Microsoft June 2017 Security Updates (Addressing Vulnerabilities with Heightened Risk of Exploitation)

On June 13, 2017, Microsoft released security updates for vulnerabilities that “Microsoft presumes to be at risk of imminent attack” (according to Microsoft Security Advisory 4025685 (hereinafter, “Security Advisory”)).   Microsoft also stated, “we have taken action to provide additional critical security updates to address vulnerabilities that are at heightened risk of exploitation due to past nation-state activity and disclosures.”  Microsoft further stated in its Security Advisory: “Customers should prioritize deployment of these updates and plan to migrate to supported platforms if you have not already done so.”  Microsoft noted that it has released additional updates for older platforms to protect against potential nation-state activity.  The majority of these critical updates address remote code execution vulnerabilities. 

MS08-067 (from 2008) and the related Conficker Worm

The first item listed in the Security Advisory is Microsoft security bulletin no. MS08-067 (critical) of October 23, 2008, in which Microsoft released a patch for a remote code execution vulnerability in the Server Message Block (SMB) protocol.  An out-of-band netapi32.dll security update was released by Microsoft to address this vulnerability. As explained by Microsoft, an unauthenticated attacker may remotely trigger this vulnerability for code execution on Windows XP, Windows Server 2000, and Windows 2003.  On a related note, since at least as early as November 2008, the Conficker worm (which exploits the MS08-067 vulnerability) reportedly has been globally attacking computers and connected devices around the world.  (This vulnerability is also addressed in Volume 10 of the HIMSS Healthcare and Cross-Sector Cybersecurity Reports.)

MS09-050 (from 2009) and Server Message Block (SMB) v2 Vulnerabilities

The second item listed in the Security Advisory is Microsoft security bulletin no. MS09-050 (critical) of October 13, 2009.  When the server message block (SMB) v2 vulnerabilities disclosed in MS09-050 are exploited (i.e., on machines which have not been patched by this security update as disclosed in MS09-050), these exploits may result in either a denial-of-service of the target machine and/or the execution of arbitrary code by the attacker.  Additional open source information may be found here.

MS10-061 (from 2010) – Printer Spooler Service Vulnerabilities and the related Stuxnet malware

The third item listed in the Security Advisory is Microsoft security bulletin no. MS10-061 (critical) of September 14, 2010, which provides a security update to resolve a publicly disclosed remote code execution vulnerability for the printer spooler service.  As reported by Microsoft, this particular vulnerability is one of several used by the Stuxnet malware.  The Stuxnet malware, according to Microsoft, enumerates all printer shares on the network and tries to authenticate using the “guest” account.  If guest authentication is successful, the Stuxnet malware is said to call various application programming interfaces (APIs) to copy itself to remote systems and execute the malware.

MS14-068 (from 2014) – the Kerberos Checksum Vulnerability (exploited in the wild since at least as early as November 2014)

The fourth item listed in the Security Advisory is Microsoft security bulletin no. MS14-068 (critical) of November 18, 2014, (CVE-2014-6324 a.k.a. the "Kerberos Checksum Vulnerability”), which discloses (and patches) a Microsoft Windows Kerberos Key Distribution Center privilege escalation vulnerability.  A remote attacker may exploit this vulnerability using an unprivileged domain user account to a domain administrator account.  On unpatched machines (i.e., not applying the MS14-068 security update), an attacker could elevate unprivileged domain user account privileges to those privileges of a domain administrator account.  (In fact, this exploit has been exploited in the wild, as confirmed by Microsoft in its November 18, 2014, blog post.)  Accordingly, an attacker may be able to compromise the entire domain (with such elevated privileges).

MS17-010 (from March 2017) and Server Message Block (SMB) v1 Vulnerability and the related WannaCry Ransomworm

The fifth item listed in the Security Advisory is Microsoft security bulletin no. MS17-010 (critical) of March 14, 2017, to address (and fix) a vulnerability in the Microsoft Server Message Block (SMB) v1.0 server, which could allow remote code execution.  As discussed in the HIMSS WannaCry blog post, this SMB vulnerability is exploited by the WannaCry ransomworm. 

MS17-013 (from March 2017): Microsoft Graphics Device Interface (GDI) and Other Vulnerabilities

The sixth item listed in the Security Advisory is Microsoft security bulletin no. MS17-013 (critical) of March 14, 2017, (updated May 9, 2017), which discloses and patches vulnerabilities in the Windows graphics component.  Affected software includes certain versions of Microsoft Windows, Microsoft Office, Skype for Business, Microsoft Lync, and Microsoft Silverlight.  On unpatched machines, remote code execution is possible, if, according to Microsoft, a user either visits a specially crafted website or opens a specially crafted document.

The Security Advisory also disclosed additional vulnerabilities with mitigation and/or workaround information, as available.

Conclusion

Vulnerabilities do not go away—old vulnerabilities are still very much relevant.  Cyber threat actors count on people not patching their systems in a timely manner.  The same tactics, techniques, and procedures may be used by cyber threat actors time and time again, so long as they are effective and achieve the desired goals.  Essentially, cybersecurity defense can no longer be ignored.  Ignoring information about especially significant cybersecurity vulnerabilities may spell peril.

CALL TO ACTION: TAKE ACTION RIGHT NOW! (VERY IMPORTANT!)

Follow the suggested safeguards set forth in the HHS Healthcare Cybersecurity and Communications Integration Center (HCCIC) (TLP:WHITE) Microsoft Vulnerabilities & Hidden Cobra 101 Report, June 15, 2017:

  • Install the patches from Microsoft (please see Microsoft Security Advisory 4025685).
    • Author’s note: According to Microsoft Security Advisory 4025685: “Consumers who have automatic updates enabled through Windows Update are already protected and have no action to take. Windows 10 has automatic updates enabled. To check if automatic updates are enabled see Windows Update: FAQ.”
    • Please also take note of the vulnerabilities, workaround, and/or mitigation information and Advisory frequently asked questions (FAQ) as set forth in the Security Advisory, including but not limited to the entries for common vulnerabilities and exposures (CVEs).)
  • Review the vulnerabilities in the US-CERT “HIDDEN COBRA” report (Alert No. TA17-64A) and install associated patches.  (Author’s note: please also take note of the detection, response, and mitigation information in Alert No. TA17-64A.)
  • Review logs and consider implementing “blocks” for the potential indicators of compromise as set forth in the US-CERT “HIDDEN COBRA” report (Alert No. TA17-64A).

    Also, please be sure to stay tuned to the HIMSS blog and the HIMSS Healthcare and Cross-Sector Cybersecurity Report page (www.himss.org/cyberreport) (RSS feed available) for information on significant cybersecurity developments relevant to the healthcare sector and other critical infrastructure sectors.
Keywords: 
cybersecurity