Microsoft has asked users of the following Windows versions to urgently apply an update which is available today to protect against a potential widespread exploit:
- Windows XP — users of Windows XP will need to manually download the update from Microsoft’s update catalog
- Windows 7
- Windows Server 2003
- Windows Server 2008R2
- Windows Server 2008
Patches can be found on Microsoft’s Customer Guidance for CVE-2019-0708 web page.
Please note that Windows versions 10, 8.1 and 8, as well as Windows Server 2019, Windows Server 2016, Windows Server 2012R2 and Windows Server 2012 are not impacted by this vulnerability.
Although Microsoft has not yet observed exploitation of this vulnerability, it has described the flaw as “wormable”: malware exploiting it could propagate from one vulnerable system to another with no user interaction, much as the WannaCry ransomware did in 2017, which also targeted older Windows versions. Notably, Microsoft released the patch that blocks WannaCry before those attacks began, yet WannaCry continues to infect unpatched systems today, which is why applying this update promptly matters.
The vulnerability, identified as CVE-2019-0708, is a pre-authentication remote code execution vulnerability in Remote Desktop Services (“RDS”), formerly known as Terminal Services. It requires no user interaction: an unauthenticated attacker who can reach the Remote Desktop Protocol (“RDP”) service, typically on TCP port 3389, can send specially crafted requests and execute arbitrary code on the affected system. The update corrects how RDS handles connection requests. For systems that cannot be patched immediately, Microsoft’s guidance also lists two interim workarounds: enable Network Level Authentication (NLA), which forces authentication before the vulnerable code path is reached and so stops unauthenticated, worm-style exploitation (an attacker holding valid credentials could still exploit the flaw), and block inbound TCP port 3389 at the perimeter firewall. Neither workaround replaces the patch.
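The following PowerShell script is an added example for administrators triaging a Windows host against this advisory; it is not code from Microsoft or from this bulletin. It reports whether the host runs an affected product family, whether RDP is enabled and listening, whether NLA is enforced, and whether one of the fixing updates is installed. The KB numbers it checks are an assumption taken from Microsoft’s Customer Guidance for CVE-2019-0708 at the time of writing and should be confirmed against that page; the registry locations for the RDP and NLA settings are the standard Terminal Server values.

```powershell
# Added example (not from Microsoft or this bulletin): audit one Windows host
# for exposure to CVE-2019-0708. Run in an elevated Windows PowerShell session
# on the host being checked. Written to stay compatible with PowerShell 2.0,
# which is what Windows 7 / Server 2008 R2 ship with.
#
# ASSUMPTION: the KB IDs below are the fixing updates as listed in Microsoft's
# Customer Guidance for CVE-2019-0708 when this was written. Verify them against
# that page and extend the list if your update channel shipped the fix under a
# different KB (for example a later monthly rollup).
param(
    [string[]]$FixKBs = @(
        'KB4499175', 'KB4499164',   # Windows 7 SP1 / Server 2008 R2 SP1 (security-only / monthly rollup)
        'KB4499180', 'KB4499149',   # Windows Server 2008 SP2 (security-only / monthly rollup)
        'KB4500331'                 # Windows XP / Server 2003 (manual download from the Update Catalog)
    )
)

# Get-WmiObject exists on every affected version; Get-CimInstance does not.
$os    = Get-WmiObject -Class Win32_OperatingSystem
$build = [version]$os.Version

# Affected product families by NT version: 5.1 = XP, 5.2 = Server 2003,
# 6.0 = Server 2008, 6.1 = Windows 7 / Server 2008 R2.
# Windows 8 / Server 2012 (6.2) and later are not affected.
$affected = $build -lt [version]'6.2'

# RDP enabled?  fDenyTSConnections = 0 means connections are allowed.
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = (Get-ItemProperty -Path $ts -Name fDenyTSConnections `
                -ErrorAction SilentlyContinue).fDenyTSConnections -eq 0

# NLA enforced?  UserAuthentication = 1 on the RDP-Tcp listener.
$nla = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication `
         -ErrorAction SilentlyContinue).UserAuthentication -eq 1

# Any of the fixing updates present?
$installed = @(Get-HotFix -ErrorAction SilentlyContinue |
               Where-Object { $FixKBs -contains $_.HotFixID } |
               ForEach-Object { $_.HotFixID })

# Is anything listening on TCP 3389?  Get-NetTCPConnection is absent on older
# systems, so fall back to parsing netstat output.
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    $listening = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen `
                         -ErrorAction SilentlyContinue)
} else {
    $listening = [bool](netstat -an | Select-String -Pattern ':3389\s+.*LISTENING')
}

# Decide the recommended action from the facts gathered above.
if (-not $affected)         { $action = 'Not affected by CVE-2019-0708' }
elseif ($installed.Count)   { $action = 'Patched' }
elseif (-not $rdpEnabled)   { $action = 'Unpatched, but RDP disabled; install the update anyway' }
elseif ($nla)               { $action = 'Unpatched; NLA blocks unauthenticated exploitation only; patch now' }
else                        { $action = 'UNPATCHED AND EXPOSED; patch immediately or block TCP 3389' }

New-Object PSObject -Property @{
    Host         = $env:COMPUTERNAME
    OSVersion    = $os.Caption
    AffectedOS   = $affected
    RDPEnabled   = $rdpEnabled
    RDPListening = $listening
    NLAEnabled   = $nla
    FixInstalled = [bool]$installed.Count
    FixKBsFound  = ($installed -join ',')
    Action       = $action
} | Format-List
```

Run it on one host at a time, or wrap it in `Invoke-Command` across a fleet and collect the objects before `Format-List`. A host that reports `AffectedOS = True`, `RDPListening = True` and `FixInstalled = False` is the case the advisory is about, and `NLAEnabled = True` only narrows the attack to authenticated users rather than removing it.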
The critical Confluence vulnerabilities disclosed in Atlassian’s advisory, including CVE-2019-3396, affect the WebDAV plugin and the Widget Connector macro. Two attacks exploiting these vulnerabilities are currently being observed in the wild:
- the infection of servers with GandCrab ransomware. Please be advised that there are currently no tools available to decrypt files affected by GandCrab version 5.2, which is the version used in this attack.
- the distribution of Kerberods malware, which is a combination of a Monero crypto-miner and a rootkit to obfuscate activity.
Atlassian recommends upgrading to the latest version (6.15.1), and has also provided recommendations for installations that cannot be upgraded. For more information, see the Confluence Security Advisory – 2019-03-20.
Researchers from Dark Wolfe Consulting, a cybersecurity consulting firm, and the Digital Citizens Alliance (“DCA”), a consumer-focused group dedicated to making the internet safer, have analyzed six pirated streaming devices built on the Kodi platform and found that they are rigged with malware and open doors for further malware to enter.
Kodi devices are sometimes called “Kodi boxes” or “jailbroken Fire TV Sticks” and look like legitimate streaming devices, and are cheap in comparison to Apple TV or Roku. The price users pay upfront gives them access to illegally provided content. Researchers equate the use of one of these devices to letting a “Trojan horse in through the front door” for the following reasons:
- these devices allow hackers to bypass the security of home network router firewalls.
- normal security features and precautions are either not available or not in use to accommodate the illegal streaming of content.
- users often have to turn over full admin access, which includes access to the device’s memory, location history and other security features.
- malware can be used to snare devices into a botnet for use in cyber attacks or cryptocurrency mining.
- sensitive information stored on devices on the same network, such as credit card numbers, passwords and photos, is exposed to theft.
National Password Day is all about caring, but no sharing! Remember, do not use passwords that can be easily guessed . . . .
Image courtesy of nakedsecurity
Please also be reminded to activate Multi-Factor Authentication (“MFA”) on all accounts that offer it. MFA protects you if your password is compromised, because a login also requires a second factor from a device you own and have registered. For information on NYU MFA, see: http://www.nyu.edu/it/mfa.
For more information, please see:
- Connect, Under Lock and Passphrase