New year, new ways for sophisticated cyber actors to exploit flaws in the software we rely on. Yesterday the National Security Agency (NSA) announced that it had found, and reported to Microsoft, a serious security flaw in Windows 10 and Windows Server 2016/2019, tracked as CVE-2020-0601.
The flaw sits in a part of Microsoft CryptoAPI (crypt32.dll), the Windows component responsible for validating certificates, and specifically in how it validates certificates that use Elliptic Curve Cryptography (ECC). ECC is what machines use to create digital signatures and to agree on encryption keys, two building blocks of nearly all modern encryption and of keeping files and programs trustworthy. The bug: when checking an ECC certificate, CryptoAPI matched it against a trusted root by public key alone and did not verify that the curve parameters carried inside the certificate were the genuine ones for that key. An attacker can therefore craft a certificate that presents a trusted root's public key together with hand-picked curve parameters for which the attacker knows a matching private key, and Windows treats anything signed with that key as if it came from the legitimate root. In practice that means a code-signing certificate can be spoofed to sign a malicious file or application (any executable) so that it appears to come from a legitimate publisher. Users, and Windows' own signature checks, would see a valid signature and have no reason to block it; because the spoofed signature verifies, the malicious file could run and persist on the machine while looking legitimate, and go on to do further damage.
Exploitation of the same flaw is not limited to file signing: an attacker can also forge the TLS certificate of a website or service and use it to conduct a man-in-the-middle attack against any Windows application that relies on CryptoAPI for certificate validation. Similar to eavesdropping, a man-in-the-middle attack is a technique in which the attacker sits between two parties who believe they are communicating directly with each other. Because the forged certificate is accepted as genuine, the attacker terminates the encrypted connection on both sides and can read, decrypt and even modify the traffic, including credentials and confidential data. Stolen personal information then feeds all sorts of further crime: blackmail, identity theft, and so on.
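The spoofing described above, as an added example that is not part of the original post and not Microsoft's code: a pure-Python toy of the parameter-substitution trick behind CVE-2020-0601. A trusted root's ECC public key is a point Q = d*G on a named curve such as P-256. The flawed validator matched a certificate to a cached trusted root by public key alone and then verified signatures with whatever curve parameters the certificate itself carried, so an attacker who knows Q picks any private key d' and ships explicit parameters whose generator is G' = d'^-1 * Q, for which d'*G' = Q. The root private key ROOT_D, the attacker key, the message and the trust store are constructed for the demo; the curve constants are the published P-256 values; validate_vulnerable and validate_fixed are names chosen here for the flawed and hardened logic, not CryptoAPI's functions.

```python
import hashlib

# NIST P-256 / secp256r1 domain parameters (standard published values).
P256 = {
    "p": 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff,
    "a": 0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc,
    "b": 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b,
    "G": (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
          0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5),
    "n": 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551,
}

def inv(x, m):
    return pow(x, -1, m)  # modular inverse (Python 3.8+)

def on_curve(pt, params):
    """True if pt is None (infinity) or satisfies y^2 = x^3 + ax + b mod p."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + params["a"] * x + params["b"])) % params["p"] == 0

def add(p1, p2, params):
    """Affine point addition; None represents the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    p, (x1, y1), (x2, y2) = params["p"], p1, p2
    if x1 == x2:
        if (y1 + y2) % p == 0:
            return None  # p1 == -p2
        lam = (3 * x1 * x1 + params["a"]) * inv(2 * y1, p) % p  # doubling
    else:
        lam = (y2 - y1) * inv((x2 - x1) % p, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, pt, params):
    """Scalar multiplication k*pt by double-and-add."""
    result = None
    while k:
        if k & 1:
            result = add(result, pt, params)
        pt = add(pt, pt, params)
        k >>= 1
    return result

def hash_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def ecdsa_sign(d, msg, params):
    """Textbook ECDSA over *params* (deterministic k, simplified from RFC 6979)."""
    n = params["n"]
    k = hash_int(d.to_bytes(32, "big") + msg) % n or 1
    r = mul(k, params["G"], params)[0] % n
    return (r, inv(k, n) * (hash_int(msg) + r * d) % n)

def ecdsa_verify(q, msg, sig, params):
    """Verifies using the generator carried in *params*, as a validator must."""
    n, (r, s) = params["n"], sig
    if not (0 < r < n and 0 < s < n):
        return False
    w = inv(s, n)
    x = add(mul(hash_int(msg) * w % n, params["G"], params), mul(r * w % n, q, params), params)
    return x is not None and x[0] % n == r

def forge_parameters(trusted_q, attacker_d, params):
    """Attacker-chosen explicit parameters: same curve and order, but generator
    G' = d'^-1 * Q, so the attacker's d' is a valid private key for the trusted Q."""
    return dict(params, G=mul(inv(attacker_d, params["n"]), trusted_q, params))

# Constructed trusted root for the demo (arbitrary private key, not a real CA).
ROOT_D = 0x1d2e3f4a5b6c7d8e9fa0b1c2d3e4f5061728394a5b6c7d8e9fa0b1c2d3e4f506
ROOT_Q = mul(ROOT_D, P256["G"], P256)
TRUST_STORE = {ROOT_Q: P256}  # trusted public key -> the named curve it was issued on

def validate_vulnerable(cert, msg, sig):
    """Flawed check: a public-key match with a cached root is enough, then the
    signature is verified with the certificate's own (explicit) parameters."""
    if cert["Q"] not in TRUST_STORE:
        return False
    return ecdsa_verify(cert["Q"], msg, sig, cert["params"])

def validate_fixed(cert, msg, sig):
    """Hardened check: the key match only counts if the certificate's parameters
    are exactly the named curve recorded for that trusted root."""
    expected = TRUST_STORE.get(cert["Q"])
    if expected is None or cert["params"] != expected:
        return False
    return ecdsa_verify(cert["Q"], msg, sig, expected)

def run_demo(attacker_d=0xABAD1DEA):
    """Outcomes for genuine vs forged certificate under the flawed and fixed validators."""
    msg = b"installer.exe contents"  # constructed stand-in for a signed binary
    genuine = {"Q": ROOT_Q, "params": P256}
    genuine_sig = ecdsa_sign(ROOT_D, msg, P256)
    evil = forge_parameters(ROOT_Q, attacker_d, P256)
    forged = {"Q": ROOT_Q, "params": evil}  # same public key as the real root
    forged_sig = ecdsa_sign(attacker_d, msg, evil)
    return {
        "genuine_vulnerable": validate_vulnerable(genuine, msg, genuine_sig),
        "genuine_fixed": validate_fixed(genuine, msg, genuine_sig),
        "forged_vulnerable": validate_vulnerable(forged, msg, forged_sig),
        "forged_fixed": validate_fixed(forged, msg, forged_sig),
    }

if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name:20s} {'ACCEPTED' if ok else 'rejected'}")
```

Run it and the genuine certificate passes both validators while the forged one, which carries the real root's public key but the attacker's generator, is accepted only by the flawed check. The hardened check captures the principle of the fix: a cached trusted key may only be matched when the certificate's parameters are the named curve that key was issued on, never explicit parameters supplied by whoever built the certificate.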
What are my next steps?
If your business is using Windows 10 and/or Windows Server 2016/2019, there's no need to panic, but do act quickly. The NSA reported the flaw to Microsoft rather than finding it in an attack, and at the time of disclosure neither Microsoft nor the NSA reported it being exploited in the wild. That is not a guarantee going forward: proof-of-concept exploits typically appear within days of a public disclosure like this one. What you need to do now is apply the January 2020 security update, either manually or by confirming that your managed IT service provider has done so. If SumnerOne is your managed IT provider, your patches were already pushed through yesterday, January 14. If you're not getting service through SumnerOne, run Windows Update. You can check your system for Windows patches and updates here. Two checks worth making afterward: the update history (or Get-HotFix in PowerShell) should show the January 14, 2020 cumulative update installed, and once patched, Windows records any attempt to pass it a spoofed certificate as Event ID 1 from source Microsoft-Windows-Audit-CVE in the Application event log, which your monitoring or SIEM should alert on. If manually patching, the NSA recommends prioritizing endpoints that have a high risk of exploitation or are broadly relied-upon services, such as:
- Windows-based web appliances, web servers, or proxies that perform TLS validation.
- Endpoints that host critical infrastructure.
- Endpoints directly exposed to the internet.
- Endpoints regularly used by privileged users.
Have more questions?
There's no way to be 100 percent protected from cyberattacks, but keeping your systems up to date with patches and the latest software is an excellent place to start. You can check Microsoft's website for a list of their available security updates here, as well.
If you have additional questions or are worried about your system's vulnerabilities, please contact SumnerOne. We'll be happy to assess your current setup, answer any question you may have, and help you get started in the new year with a new configuration.