Page 17 - Threat Intelligence - 8-21-2019

Vulnerabilities and Indicators of Compromise



                    ➢ Weekly Vulnerability Summary from US-CERT
                    ➢ Talos weekly alerts
                    ➢ Silence Advanced Hackers Attack Banks All Over the World
                    ➢ New Phishing Campaign Bypasses Microsoft ATP to Deliver Adwind to Utilities Industry
                    ➢ $11M Email Scam at Caterpillar Pinned to Nigerian Businessman
                    ➢ Routers from well-known manufacturers vulnerable to cross-router data leaks
                    ➢ Hy-Vee issues warning to customers after discovering point-of-sale breach





            Terminology Refresh: Server Message Block Protocol (SMB)


            There have been several vulnerabilities and exploitations of SMB in the past 12 months, but not everyone
            really understands the role of SMB in a Windows environment.   The Server Message Block Protocol (SMB
            protocol) is a client-server communication protocol used for sharing access to files, printers, serial ports
            and other resources on a network. It can also carry transaction protocols for interprocess communication.

            The SMB protocol enables an application -- or the user of an application -- to access files on a remote
            server, as well as other resources, including printers, mail slots and named pipes. Thus, a client application
            can open, read, move, create and update files on the remote server. It can also communicate with any
            server program that is set up to receive an SMB client request.

            SMB Signing is a feature through which communications using SMB can be digitally signed at the packet
            level. Digitally signing the packets enables the recipient of the packets to confirm their point of origination
            and their authenticity. This security mechanism in the SMB protocol helps avoid issues like tampering of
            packets and “man in the middle” attacks.

            SMB signing is available in all currently supported versions of Windows, but it’s only enabled by default on
            Domain Controllers. This is recommended for Domain Controllers because SMB is the protocol used by
            clients to download Group Policy information. SMB signing provides a way to ensure that the client is
            receiving genuine Group Policy. When assessing environments, it’s not uncommon to find that SMB signing
            is not enabled for workstations, either because the IT staff assumes that it is already enabled, or through a
            misunderstanding of its purpose in protecting network communications.


            If you don’t have SMB signing enabled across all of your Windows systems, perform the necessary research
            to see if it can enhance your internal security.
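
One way to start that research is to inventory the current signing settings. The PowerShell below is an added example, not part of the original newsletter; it uses the built-in Get-SmbServerConfiguration and Get-SmbClientConfiguration cmdlets, and the function name and host names are placeholders chosen for illustration. It assumes an elevated session and WinRM access to any remote hosts.

```powershell
# Added example: report whether SMB signing is required on each host.
# Run elevated; remote hosts need WinRM. Host names are constructed placeholders.
function Get-SmbSigningStatus {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    foreach ($computer in $ComputerName) {
        $session = $null
        try {
            # Query the local machine directly; use a CIM session for remote hosts.
            $cim = @{}
            if ($computer -ne $env:COMPUTERNAME) {
                $session = New-CimSession -ComputerName $computer -ErrorAction Stop
                $cim['CimSession'] = $session
            }
            $server = Get-SmbServerConfiguration @cim -ErrorAction Stop
            $client = Get-SmbClientConfiguration @cim -ErrorAction Stop

            # RequireSecuritySignature is the setting that makes signing mandatory
            # for sessions this host accepts (server) or initiates (client).
            $gaps = @()
            if (-not $server.RequireSecuritySignature) { $gaps += 'server' }
            if (-not $client.RequireSecuritySignature) { $gaps += 'client' }

            [pscustomobject]@{
                ComputerName   = $computer
                ServerRequired = $server.RequireSecuritySignature
                ClientRequired = $client.RequireSecuritySignature
                Finding        = if ($gaps) { "Signing not required: $($gaps -join ', ')" } else { 'Signing required' }
            }
        }
        catch {
            # Unreachable or access-denied hosts are reported, not skipped silently.
            [pscustomobject]@{
                ComputerName = $computer; ServerRequired = $null; ClientRequired = $null
                Finding      = "Query failed: $($_.Exception.Message)"
            }
        }
        finally {
            if ($session) { Remove-CimSession -CimSession $session }
        }
    }
}

Get-SmbSigningStatus -ComputerName 'WS-EXAMPLE-01', 'FS-EXAMPLE-01' | Format-Table -AutoSize
```

Hosts that report "Signing not required" are the ones to review before changing policy, since requiring signing on only one side of a connection can affect older clients or devices.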







            “What we should actually be doing is thinking about what are our key
            controls that will mitigate the risks. How do we have those funneled and
            controlled through the team that we have, how do we work through that in
            a well formatted, formulated process and pay attention to those controls we
            have chosen? Not a continual, add more, add more, add more.” — Dr. Chris
            Pierson, Chief Executive Officer at Binary Sun Cyber Risk Advisors