December M$ Patch Tuesday Summary

Microsoft released the last patch cycle for 2020, and at first look it appears to be a light month overall by sheer volume, not severity. M$ released 58 fixes in December, well below what we've been used to seeing come out of Redmond each month. Even with the low overall number, 22 of the 58 are RCE (Remote Code Execution) vulnerabilities.

As mentioned last month, MS has unfortunately removed much of the detail about what each vulnerability actually is, so we've hit the highlights of each below.

In my professional opinion I rate Exchange as the highest risk, with SharePoint a close second, because both typically need to be available outside the network walls. The patch breakdowns are as follows:

Exchange RCEs:

CVE-2020-17143 – "The type of information that could be disclosed if an attacker successfully exploited this vulnerability is sensitive information." Attack complexity: low, privileges required: low, plus no user interaction = patch immediately. A proof of concept is available for this CVE.

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17143

CVE-2020-17144 – "The vulnerability occurs due to improper validation of cmdlet arguments." Attack complexity: low; user interaction is required to exploit. While this is not being publicly exploited right now, there is a proof of concept for this CVE, so time is of the essence to patch. Don't wait.

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17144

CVE-2020-17141 – "the attacker must be authenticated." So prior successful harvesting of credentials or acquisition of an active session is a prerequisite to exploitation. A proof of concept is available.

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17141

CVE-2020-17117 – Not many details available for this one at all. A proof of concept is available and no user interaction is required; however, attack complexity is high.

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17117

CVE-2020-17132 – "The vulnerability occurs due to improper validation of cmdlet arguments." User authentication is required to exploit; however, once credentials are acquired, attack complexity is low and no user interaction is required.

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17132

CVE-2020-17142 – A different CVE, but a repeat of the details above for CVE-2020-17132.

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17142

Overall summary – Patch Exchange now.

SharePoint RCEs:

CVE-2020-17118 – MS rates this one as "exploitation more likely" even though it is not currently being seen in the wild. A proof of concept is available and attack complexity is rated low; however, some form of user interaction is required. It's SharePoint, it's an RCE, patch ASAP.

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17118

CVE-2020-17121 – "In a network-based attack an attacker can gain access to create a site and could execute code remotely within the kernel. The user would need to have privileges." Attack complexity rated low, privileges required low, and no user interaction make this CVE concerning.

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17121

Other Patches to Note:

NTFS RCE

CVE-2020-17096 – "A local attacker could run a specially crafted application that would elevate the attacker's privileges. A remote attacker with SMBv2 access to a vulnerable system could send specially crafted requests over a network to exploit this vulnerability and execute code on the target system." This CVE is not currently being exploited in the wild, and no proof of concept exists, but MS still rates exploitation as likely.
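The posts above triage each CVE on the same handful of attributes: attack complexity, user interaction, prior authentication, a public proof of concept, and whether exploitation is seen or rated likely. The following is an added example, not code from the post, that turns that triage into a repeatable scoring over the December CVEs exactly as the post describes them; the weights are my assumptions, and an attribute the post does not state is left as None and contributes nothing, which also surfaces the detail gaps the author complains about.

```python
# Added example: rank the December 2020 CVEs on the attributes the post calls out.
from dataclasses import dataclass, fields
from typing import List, Optional

@dataclass
class Advisory:
    cve: str
    product: str
    ac_low: Optional[bool] = None      # attack complexity rated low?
    needs_ui: Optional[bool] = None    # user interaction required?
    needs_auth: Optional[bool] = None  # prior credentials / active session needed?
    poc: Optional[bool] = None         # public proof of concept?
    likely: Optional[bool] = None      # vendor rates exploitation "likely"?
    in_wild: Optional[bool] = None     # active exploitation observed?

# Assumed weights (not Microsoft's or the author's); None contributes nothing.
WEIGHTS = {"ac_low": 2, "no_ui": 2, "no_auth": 2, "poc": 3, "likely": 2, "in_wild": 5}

def score(a: Advisory) -> int:
    s = 0
    s += WEIGHTS["ac_low"] if a.ac_low else 0
    s += WEIGHTS["no_ui"] if a.needs_ui is False else 0
    s += WEIGHTS["no_auth"] if a.needs_auth is False else 0
    s += WEIGHTS["poc"] if a.poc else 0
    s += WEIGHTS["likely"] if a.likely else 0
    s += WEIGHTS["in_wild"] if a.in_wild else 0
    return s

def unknowns(a: Advisory) -> List[str]:
    """Attributes the advisory text never stated; gaps to resolve before final triage."""
    return [f.name for f in fields(a) if getattr(a, f.name) is None]

def prioritize(advs: List[Advisory]) -> List[Advisory]:
    return sorted(advs, key=score, reverse=True)  # stable sort: ties keep input order

# Attribute values transcribed from the post; "privileges required: low" is recorded
# as needs_auth=True. Anything the post does not mention stays None.
DECEMBER = [
    Advisory("CVE-2020-17143", "Exchange", ac_low=True, needs_ui=False, needs_auth=True, poc=True),
    Advisory("CVE-2020-17144", "Exchange", ac_low=True, needs_ui=True, poc=True, in_wild=False),
    Advisory("CVE-2020-17141", "Exchange", needs_auth=True, poc=True),
    Advisory("CVE-2020-17117", "Exchange", ac_low=False, needs_ui=False, poc=True),
    Advisory("CVE-2020-17132", "Exchange", ac_low=True, needs_ui=False, needs_auth=True),
    Advisory("CVE-2020-17142", "Exchange", ac_low=True, needs_ui=False, needs_auth=True),
    Advisory("CVE-2020-17118", "SharePoint", ac_low=True, needs_ui=True, poc=True, likely=True, in_wild=False),
    Advisory("CVE-2020-17121", "SharePoint", ac_low=True, needs_ui=False, needs_auth=True),
    Advisory("CVE-2020-17096", "NTFS", poc=False, likely=True, in_wild=False),
]

if __name__ == "__main__":
    for a in prioritize(DECEMBER):
        print(f"{score(a):2d}  {a.cve}  {a.product:<10} unstated: {unknowns(a)}")
```

With these weights the two "patch immediately" items, CVE-2020-17143 and CVE-2020-17118, land at the top, and the unstated-attribute list shows which entries would move most if MS published the missing detail.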

Lastly, don't forget that Adobe Flash EOL is coming 12/31/2020. If it has not already been removed from all aspects of your network, there should be a plan in place and ready to execute.

https://docs.microsoft.com/en-us/lifecycle/announcements/adobe-flash-end-of-support

References:

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17096

https://www.zdnet.com/article/microsoft-december-2020-patch-tuesday-fixes-58-vulnerabilities/

https://krebsonsecurity.com/2020/12/patch-tuesday-good-riddance-2020-edition/

M$ Patch Tuesday Nov 2020

November 2020 seems to be a pretty standard month anymore for Microsoft patches, coming in at 112 fixed vulnerabilities, including a number of RCEs. Additionally, November contains one zero day that is currently being actively exploited in the wild.

Among the worst this month are:

NFS CVE-2020-17051: Critical vulnerability in Windows Network File System (NFS) which affects ALL supported versions of the Windows OS, does not require authentication or user interaction, and comes in with a CVSS (Common Vulnerability Scoring System) score of 9.8. In a blog post released by McAfee (https://www.mcafee.com/blogs/other-blogs/mcafee-labs/cve-2020-17051-remote-kernel-heap-overflow-in-nfsv3-windows-server/), researchers state that the vulnerability could potentially be wormable if NFS has been set up to allow anonymous write access. Do not wait to patch this vuln.

Windows Kernel CVE-2020-17087: Only listed as important rather than critical, because the attacker already needs low-level user access on the system; this vulnerability would then allow privilege escalation to SYSTEM-level access. Don't let the lower CVSS hold you back from patching this Windows Kernel vuln, though: it is a zero day being actively exploited, so that low-privilege user becomes a key phishing target as the entry point in this attack, and paired with another unpatched vulnerability this CVE becomes very dangerous.
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-17087

Exchange CVE-2020-17083 and CVE-2020-17084: Vulnerabilities in Exchange that could be exploited by an end user opening a specially crafted email. While MS categorizes these as less likely to be exploited, there is no reason to hold off on this patch; exploitation involves an end-user click, which is all too easy to obtain.

SharePoint CVE-2020-17061: To exploit this vulnerability the attacker would already need low-level privileges. MS has routinely released RCE patches for SharePoint over the last few months, so make sure to fine-tune your SP patching process and use it often.

Teams CVE-2020-17091: This "one click RCE" was originally discovered and reported to MS back in September 2018 by Matt Austin. Due to MS's lack of response in fixing this flaw, Matt released a proof of concept in November 2019. It is believed that CVE-2020-17091 is finally the patch for this exploit.

Excel CVE-2020-17019, CVE-2020-17064, CVE-2020-17065, CVE-2020-17066: As with many MS Office vulnerabilities, these CVEs do require end-user interaction to exploit. Potentially embedded in macros? Yeah, why not. What was old is new again, and phishing end users with malicious Office docs continues to be a preferred attack vector because it works.

Print Spooler CVE-2020-17042: Coming in with a lack of details from MS on what exactly is involved in this vulnerability, but with a CVSS of 8.8 this CVE should be prioritized high to patch. Print spooler vulns have drawn a fair amount of interest from researchers recently, so I expect to see exploit proofs of concept released soon.

Microsoft has also reworked how they display monthly patch information to more closely align with the CVSS. On initial look I'm not a fan of this new strategy, as it limits how much information is shared directly from MS about each patch.

Take Away: Patch Em if you Got Em – Don’t wait

Resources:
Krebs: https://krebsonsecurity.com/2020/11/patch-tuesday-november-2020-edition/
ZDNet: https://www.zdnet.com/article/microsoft-november-2020-patch-tuesday-arrives-with-fix-for-windows-zero-day/
Tenable: https://www.tenable.com/blog/microsoft-s-november-2020-patch-tuesday-addresses-112-cves-including-cve-2020-17087?mkt_tok=eyJpIjoiTkRWa1pUY3lNREV5T0RVeCIsInQiOiJ4cGhQb096UEh5QllBMVdvTEVQc1RhVXU1UVJWczhIVzAxU3g1VWduYWtkd1hGRXVGOHF2QXQwTFFraVYzQjJGaHhZQ3ZMelZsV3dkMFwveHZ3ZVR3cCtHSUdBUFR6SVBab0FCMFYyODg2V3hIYWJXdU82Q1lpT01pemFqU1Z2TFEifQ%3D%3D


Web Form Extortion

Any time you get notification of your organization being compromised, as a security professional you perk up and take notice. This extortion note came across our desk the other day, sent over from the website team; it had been submitted through the contact-us form on our main retail site. At that time there were 10 instances of basically the same message, with unique email addresses being the only difference between each submission.

First look at the extortion note immediately raised a couple questions:

  • Obviously, is this legit and does the threat hold any water?
    Followed immediately by
  • How much money has this attacker made so far?
  • $250? Is that all they are asking for?

That initial read-through put my mind at ease a little more: no hard evidence of an actual breach, no indication of how we were compromised, everything was just generic threats. Then back to the $250… had this attacker done zero recon on our organization? Was it just a shot in the dark? Why would you even waste your time on $250?

So time to pick it apart:

DonaldNub – Google search – records found, however no record of previous malicious campaigns.
WorkPhone: 84623514526 – didn't spend too much time digging into the phone, but no records found.

Bitcoin wallet – this is where the most information came from.
I used the website https://bitcoinwhoswho.com/ to track down the wallet info.

Campaign success grand total: $0.06
The only transaction history must have been from when they opened the wallet.

This particular campaign started Oct 12; there are currently 37 scam reports on Bitcoinwhoswho from either web form blasting or direct email extortion.

In an instance like this, in my opinion, it's not worth the time or effort to go any further than the quick analysis above. No need to reach out to this attacker via email to dig for more info. Use the info they gave and do some OSINT (open source intelligence gathering) to see what sort of details you can pull together to build a case. If the threats were to change so that they showed evidence of an actual breach, potentially sharing some of the "hacked account information", then it would trigger an all-hands-on-deck response. This was a quick, short write-up of a pretty poor extortion attempt overall, but I did find it entertaining.

My IR Sec Career Story

Of all places, my Cyber Security story started in a creamery. Through high school I worked part time doing back-breaking manual work "whooping vats" of cheese. Whooping consisted of taking a stainless steel bucket and moving 35 lbs of cheese per scoop out of a 2,000 lb vat into forms to create 40 lb blocks of cheese. Sounds about as awesome as it actually was. As grueling as the work was, it showed me what I didn't want to be doing for the rest of my life.

I continued working full time nights at the creamery while I went back to school for Auto Body Collision and Painting. I've always been mechanically minded and definitely consider myself a classic car guy, so it seemed like a natural choice. Shortly before graduation from technical college in 2004 I started part time at a Chevrolet dealership in the body shop doing collision repair. We were a combination body shop, so the same technician took the job from start to finish, doing all the mechanical work, frame work, body panel replacement or repair, paint prep and painting. No two repairs were the same and it was always a new challenge, which is why I loved it. In the long run, though, I got thinking about my health: paint and body filler dust, paint fumes, cleaning solvents. It wasn't what I wanted to put my body through for the rest of my professional career.

In May of 2009 I decided it was time for a change. I was 25 and had always wanted to join the military, so it was time to pull the trigger or forget about it for good. I signed my life over to Uncle Sam; Army Reserve boot camp was at Fort Sill, OK in July, followed by 88U AIT at Fort Eustis, VA in September. The 88U MOS is one that you probably have never heard of, and may be one of the best jobs the Army has to offer: Railway Operations. To the present day I've been in the Army Reserves for going on 12 years, and have done Army rail missions from coast to coast as well as overseas. It's offered me opportunities that I would never have had otherwise; 12 down and 8 to go to hit that magic number.

Back to late 2009: after finishing boot camp it was time to go back to school for… IT? Nope, initially I went back for Criminal Justice. After completing the first semester of Criminal Justice I ended up in a class talking with a guy who had finished an Information Technology degree and was now in the middle of a secondary Criminal Justice degree. The more I thought about it, the more sense it made, and from that point on I never looked back. I changed my degree over to Information Technology and graduated with an Associate's in 2011.

Later in 2011, after applying for multiple Network Admin positions with no luck, I finally got an interview for a Helpdesk position I had applied for. That was my foot in the door to officially start my IT career. After eight months on helpdesk I moved to an IT Client Support position. This was more along the lines of workstation building, remote site support, remote sales team support and print server management. Another eight months or so down the road I finally got my chance to step into a security role. An Account Administration position opened up on the security team ("team", which consisted of one guy at the time, and now me). The original job scope of the Account Admin role was basically an Active Directory Admin: everything AD related, user account creation and termination, group, service account and privileged admin account management. That scope quickly expanded to include application security and antivirus solution management, among others.

Security Administrator, Security Analyst II and Security Analyst III are all titles I've held; my current role is IR Security Manager for a billion dollar company, not the largest company out there, but far from a Ma and Pop shop. Within those titles is a pretty wide area of responsibilities, including:

  • Privileged Access Management
  • Identity Management
  • Anti Virus
  • Firewalls
  • Intrusion Prevention Systems
  • Integrity Monitoring Systems
  • SIRT (Security Incidents Response Team) Operations
  • Data Leak Prevention
  • PKI / Certificate Authority Administration
  • Azure AD / Active Directory / SAML authentication
  • Annual Security Audits
  • DNS
  • Powershell Automation
  • Web Application Proxies
  • Web Application Firewalls
  • Email Security Appliances
  • Device Identity – Network Access Control
  • MFA Administration
  • Load Balancers
  • Malware Analysis
  • Vulnerability Management
  • Patch Management
  • Security Training
  • Windows / Linux Server Administration
  • Web / URL Filter Management
  • SIEM Configuration and Tuning
  • Deception Technology
  • Network Monitoring Solutions
  • Budget Management
  • Project Management
  • Security Team Management
  • Risk Management
  • Policy Creation

Cyber Security is an area where, if you are not constantly learning and staying on top of current events, you will miss something important and it will bite you and your organization.

Do I know everything when it comes to Cyber Sec? Not even close, but what I lack in knowledge I make up for in passion to improve, learn and grow.

Let me know if I can help.

Let me know if you'd like to talk Security, Army, or Cars.

Let me know if you're looking for a mentor.

Let me know if you see something in my background or a blog on this site you'd like to discuss further.