SKOUT Education Series: De-Worming Windows | A Cyber 101 Resource

Windows 7

Blog Post Received from our Partner SKOUT

A Reader Recently Asked:

“The news is talking about a new threat on Windows machines that can spread like the WannaCry attack did. Is it real, and what can I do about it?”

It’s very real. Microsoft released guidance via their TechNet website that detailed a newly discovered vulnerability in versions of Windows Server 2008 R2 and earlier as well as Windows 7 and earlier on the desktop side.

Here’s What You Need To Know:

The vulnerability concerns Remote Desktop services – basically a way to get to a Windows Server or desktop from somewhere other than a keyboard, mouse, and monitor plugged into the machine. This is very popular and used to remotely administer servers found in cloud environments, virtual environments, datacenters that are in different physical locations, etc. It’s also used for remote administration and technical support for desktops where the IT staff may be physically in a different location than the user (like support for telecommuters and multiple office locations). Because of the usefulness of the Remote Desktop Protocol (RDP) system, most Windows Servers and a large number of desktops will have it turned on.

To be clear, the vulnerability isn’t in RDP itself. That set of services is still considered secure. The vulnerability is found in the process of accessing RDP, where the remote machine and the local machine communicate with each other before anyone is asked for a username and password. Due to the nature of this vulnerability, a threat actor can perform tasks like installing software or causing damage to systems even if they do not have a valid set of credentials (username/password/second factor) for the machine in question. The cybersecurity industry uses the term “wormable” to describe this kind of vulnerability, since not requiring credentials means that malware that leverages this flaw in the code could spread itself. We’ve seen some examples of this, such as with the WannaCry outbreak not that long ago, where the malware spread itself from system to system without any user interaction to make it happen. Once one system is infected, any other system the infected machine can communicate with becomes a target and, if the second machine is vulnerable, it becomes infected. This process continues until someone figures out how to stop the malware, or the malware runs out of infectable machines.

There are some indications that we may be seeing threat actors beginning to use this particular vulnerability already, so addressing it has become a vital concern.

The good news is that there are steps you can take to protect your systems:

First, you should know that Microsoft has released a patch for no-longer-supported versions of Windows, specifically Windows XP and Windows Server 2003 and 2003 R2. This has only happened once before, and it indicates that Microsoft is extraordinarily concerned that this vulnerability can and will be exploited – to the point where they feel they must correct the problem even on operating systems they no longer support at all.

Of course, patches are also available for Windows 7 and Server 2008 and 2008 R2, which are still under support by Microsoft. You should immediately patch all systems that are vulnerable to this attack vector. Later versions of Windows desktop and Server (8 or higher on desktop, 2012 and higher on Server) are not impacted, but all earlier versions must be patched immediately.

If servers cannot be patched, for whatever reason, then the safest course of action is to disable RDP services on the servers that are vulnerable and to block networking port 3389 – the default digital connection point used to access RDP – at your network firewall. Reach out to your IT staff and/or your 3rd-party IT provider for help with this task.
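The steps above (find out whether a machine is in the affected Windows generation, whether RDP is turned on, whether the patch is present, and if not, disable RDP and block its port) can be scripted so IT staff can run the same check on every server. The following is an added example for this post, not SKOUT’s or Microsoft’s code. It assumes an elevated Windows PowerShell session on a Windows 7 / Server 2008 / 2008 R2 class machine (it uses `netsh advfirewall`, which does not exist on XP / 2003), and the KB number of the relevant update is a placeholder you replace with the one from Microsoft’s guidance. It only reports unless you pass `-Remediate`.

```powershell
<#
  Added audit/remediation example (not part of the original post).
  Assumptions: elevated Windows PowerShell on Windows 7 / Server 2008 (R2);
  $PatchKB is a placeholder to replace with the KB id from Microsoft's guidance.
#>
param(
    # Placeholder: replace with the real KB id from Microsoft's TechNet guidance.
    [string]$PatchKB = 'KB0000000',
    # Audit only unless -Remediate is given.
    [switch]$Remediate
)

function Get-RdpExposure {
    param([string]$PatchKB)

    $os  = Get-WmiObject -Class Win32_OperatingSystem
    $ver = [version]$os.Version      # e.g. 6.1.7601 for Windows 7 SP1 / 2008 R2 SP1
    # Windows 8 / Server 2012 report 6.2; everything below that is the generation
    # the post describes as affected (XP, 2003, 7, 2008, 2008 R2).
    $affectedGeneration = $ver -lt [version]'6.2'

    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpKey = "$tsKey\WinStations\RDP-Tcp"
    # fDenyTSConnections: 0 = Remote Desktop connections allowed, 1 = denied.
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $rdpEnabled = ($deny -eq 0)
    # The port RDP listens on: 3389 unless an administrator changed it.
    $port = (Get-ItemProperty -Path $rdpKey -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
    if (-not $port) { $port = 3389 }

    # Get-HotFix returns nothing (no error, because of SilentlyContinue) when the KB is absent.
    $patched = [bool](Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        OSVersion          = $os.Version
        AffectedGeneration = $affectedGeneration
        RdpEnabled         = $rdpEnabled
        RdpPort            = $port
        PatchInstalled     = $patched
        # Exposed = unpatched member of the affected generation with RDP turned on.
        Exposed            = ($affectedGeneration -and $rdpEnabled -and -not $patched)
    }
}

function Disable-RdpExposure {
    param([int]$Port)
    # 1. Deny Remote Desktop connections (same effect as unticking "Allow connections"
    #    in System Properties > Remote).
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name fDenyTSConnections -Value 1 -Type DWord
    # 2. Also block the RDP port on the host firewall. netsh advfirewall is used
    #    because New-NetFirewallRule is not available on Windows 7 / 2008.
    netsh advfirewall firewall add rule "name=Block inbound RDP TCP $Port" `
        dir=in action=block protocol=TCP "localport=$Port" | Out-Null
}

$report = Get-RdpExposure -PatchKB $PatchKB
$report | Format-List

if ($report.Exposed) {
    if ($Remediate) {
        Disable-RdpExposure -Port $report.RdpPort
        Write-Output "RDP disabled and inbound TCP/$($report.RdpPort) blocked on $($report.ComputerName). Patch before re-enabling."
    } else {
        Write-Warning "Exposed: unpatched, RDP enabled on TCP/$($report.RdpPort). Patch now, or re-run with -Remediate."
    }
}
```

The host-firewall rule is a second layer, not a replacement for the block at the network firewall the post recommends: the perimeter rule stops the traffic before it reaches any machine, while the host rule protects a server that is reachable from inside the network. Report the `RdpPort` value to whoever manages the network firewall, since a non-default port would otherwise be missed by a rule that only blocks 3389.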

This vulnerability is real, and very dangerous because it can allow an attack to propagate all by itself. It can be defended against, however, with patching wherever possible and blocking the attack vector by disabling RDP everywhere else. If you are a customer of SKOUT Cybersecurity, please reach out to your SKOUT Security Operations Center and Customer Success Team members; we’re more than happy to assist in keeping your systems safe from this threat.


WRITTEN BY:

Erick Bacallao joined Champion Solutions Group in 2015 after a career of Software Development in Cuba at the National Cancer Care Institute of Cuba, followed by moving to the States with allAware.

 

Champion acquired allAware and its properties and Erick has utilized his extensive background and expertise in IT and Software Development to rise to VP of Product Development in less than 5 years. During this time, Erick has been involved with key projects that led to the launch of numerous products including CSP Boss, Inscape platform and 365 Productivity Insights.

 

Erick has a Bachelor of Science in Computer Science from the University of Havana. He won Gold Medals for Programming from the Ministry of Education in Cuba, and he is certainly still a Gold Medalist for Champion!

 

As President and CEO, Chris is responsible for the development of key strategic alliances and solution portfolio. He leads Champion’s go-to market and execution strategies for integrated offerings in the cloud, in security, and in digital infrastructure, always focusing on improving the customer experience and driving transformative business outcomes.

 

He also aligns key partner initiatives with company strategy and oversees corporate marketing and messaging to gain mindshare with customers and partners. It’s his vision and innovativeness that have catapulted Champion up the ranks to become a $100M+ organization—and one of the most respected solution providers in the industry.

 

Over the past two decades, Chris has also focused on mergers and acquisitions, as well as innovative product development. He is the original founder and an active member on the Board of Managed Maintenance, Inc., a SAAS provider and consulting firm that utilizes their award-winning One-View Portal to help the IT Channel and its customers manage their IT Maintenance.

 

Chris is also the original founder and chief strategist behind one of the original storage cloud providers, Storage Access / BluePoint. During the course of a few short years, he had raised $20M and took that company public on the Toronto Stock Exchange. It has since been acquired by Pomeroy.

 

In 2012, Chris led the acquisition of MessageOps and continued the product development and worldwide launch of its premier SAAS, 365 Command. Built on Microsoft Azure, 365 Command is currently managing over 1 million seats of Microsoft’s Office 365. After achieving this phenomenal milestone, 365 Command and other MessageOps O365 utilities were sold to Kaseya.

 

Over the past 35 years, Chris has worked tirelessly to not only advance his own career, but those of his employees. In addition to leading a $100M organization, Chris can also be found sitting with sales teams, cold calling and coaching, and validating why Champion has been listed on Best Places to Work by both South Florida Business Journal and Computerworld.

Ultimately, the success garnered by Champion Solutions Group, its associated companies, and their employees is due in large part to the leadership of its President and CEO. Perhaps the most fitting award Chris has earned is South Florida Business Journal’s 2013 Ultimate CEO Award.