May and June were rather brutal months, with global ransomware outbreaks that hit systems in a way ransomware typically has not done before. WannaCry and Petya/NotPetya were a potential taste of the future of ransomware: weaponized, rapidly infectious, and built for mass disruption instead of financial gain. WannaCry might have been intended for monetary gain and simply got away from the attacker, but Petya was not built for financial gain. It was missing the infrastructure, the typical blinds for gathering the money, and the redundancies. The attack was well designed and thought out from its launch right up to the point where the attackers would typically try to gather the paycheck. There it was thwarted by the blocking of a single email address and limited to only one bitcoin wallet.
Behind both attacks, and some other variants in between, was a series of SMB exploits that were disclosed in January, with updates provided by Microsoft in March. Three patch cycles had passed and a global impact still occurred. A month after that, another round using the same exploits occurred.
My guidance this month is simple. When there is a vulnerability with known exploit code in the wild, especially one that allows for an exploit over the network without need for authentication, patch it and do so quickly. By the way, in June another pair of vulnerabilities was resolved. One was a vulnerability in Windows Search which could also be exploited remotely, using SMB, without need for authentication. It was flagged as a Zero Day, meaning Microsoft already knows of attacks that utilized the vulnerability. Did you get your June patching done?
So here we are in July. I would say by this time of the year we are all a bit patch fatigued. With a February miss, a HUGE March, and the May and June attacks, it has been an exhausting first half of the year, and I just evangelize about patching.
- Expect Adobe Flash Player. No advance notification on Acrobat or Reader, so possibly just Flash this month from Adobe.
- July is an Oracle CPU. They update quarterly and this is the month, so next week Tuesday the 18th Oracle will release updates for all of their software including Java.
- Google Chrome has an update in the beta channel. Usually they simmer there for a week or two and then release, and this one has been out for about two weeks. There is a good chance it will come yet this week.
- Microsoft… Not sure I want to venture a guess this month. I would like to say we will have a light one, but I thought that about June and we got a sizeable release, with the additions for XP and Server 2003 due to their advisory about exploits at high risk. Could go either way, but fingers crossed. There may be a few surprises coming our way, like the disabling of VBScript in IE.