Patch Tuesday & Hack Wednesday—Why Software Patching Is A Necessity

Applying software patches to fix security vulnerabilities is a key piece of system hygiene and protection against criminal computer attacks. Windows 10 is by default set up to handle this automatically. Unfortunately, for many users the prospect of having to stop the task at hand, wait for the updates to download and install, and hold off while the system restarts is too inconvenient. That leads many to delay the updates or tweak the settings so the updates can’t execute. This can be a big mistake—especially now.

The second Tuesday of every month is “Patch Tuesday”, when Microsoft rolls out the latest set of security patches to its operating systems and software. The set of patches first made available on April 14 closes many, many vulnerabilities. Every hour delayed in applying them leaves unpatched systems susceptible to attack.

A Whopper of a Patch Tuesday

This last Patch Tuesday was unusually large. It included:

  • 113 patches overall
  • 3 that close zero-day vulnerabilities/exploits for which no defense exists
  • 3 known to be actively used to infect systems “in the wild”
  • 17 deemed “critical”, which means a criminal can gain complete control over the system without any user interaction
  • 96 deemed “important”, which means that some user action is involved (with or without warning prompts)

The products impacted include the Microsoft Windows operating system itself, the Edge and Internet Explorer browsers, various Microsoft Office applications, Microsoft Office Services and Web Apps, Windows Defender, Microsoft Dynamics, Microsoft Apps for Android, and Microsoft Apps for Mac.

Why Prompt Patching is Vital

To help you quickly grasp the importance of patching, we’ll first define a few terms. The first two have specific meanings when applied to computer software security.

  • Vulnerability: A weakness or oversight in the way software is coded or structured. It allows the code to be overwritten or tampered with so that it performs some action other than what it was intended to do.
  • Exploit: Rogue software code that a criminal uses to take advantage of a vulnerability. Such an exploit could allow a criminal to gain unauthorized access to a system or gain administrator privileges. The aim is often to inject malicious software code into a running process, leading to the criminal gaining control of the system.
  • Zero-day:  A combination of a vulnerability and an exploit that either is unknown to the security community, or is so new that no defenses have been developed against it. A patch isn’t available to close the vulnerability. Security software hasn’t been updated or is unable to recognize the exploit and prevent it from being introduced into systems and executing.
  • In the wild: An exploit that’s out of the realm of being theoretical or a possibility. It’s being actively used to infect and take over systems.
  • Patch Tuesday: Microsoft’s monthly distribution of patches that close known vulnerabilities.
  • Hack Wednesday: What the security community calls the day after Patch Tuesday. When Microsoft releases the patches, criminal programmers are able to use the patches to understand the vulnerabilities. Within a day or two, the related exploits begin appearing for sale on the underground marketplaces of the “dark web”.

Put the above together, and you can see the importance of applying patches as soon as they’re available. The instant that the patches are released, criminals are racing to create the new exploits and infect as many machines as possible before the systems’ owners can get around to installing the patches.

How to Ensure Systems are Properly Patched

Assuming you’re running Windows 10, click on the Start button, then Settings, open Update & Security, then Windows Update. Here you can immediately check for updates, as well as review your settings to make sure you’re not effectively blocking the update process.

If you’re running a business with multiple machines, managing the update process to be sure that essential patches have been applied can be a time-consuming headache. As a managed service provider (MSP), here at FIT Solutions we use sophisticated tools to administer your systems and ensure your systems are up-to-date with the current patches—without inconveniencing your users. If you could use help with patch management, give us a call at 888-339-5694.

MSPs and Ransomware: Does Your Provider Practice What They Preach?

Managed service providers (MSPs) are coming under increased scrutiny because of a number of ransomware incidents reported on various security sites over the last 12 months. Criminals have learned that by infiltrating a single MSP, they can use the provider’s tools to infect and take hostage all of the MSP’s clients. Because the reporting of these incidents is haphazard, the number of compromised MSPs could be a handful, or it could be dozens. What is certain is that hundreds or thousands of their clients have experienced severe business disruption — or worse.

The enhanced scrutiny is justified, and as an MSP, we welcome it.  We use powerful tools to manage and monitor our clients’ networks and systems. With that comes a responsibility to ensure that our own security is equal to or greater than the level that we promote to our clients.

Healthcare MSPs in the Crosshairs

Given that many MSPs specialize in serving a certain type of business, here are a few examples drawn from healthcare organizations over last year:

  • During July, an MSP serving dental offices was infiltrated and used to spread ransomware across dozens of practices throughout Washington and Oregon. A week after the attack, the MSP realized it didn’t have the resources to restore all the impacted systems in a reasonable timeframe and advised customers to seek outside assistance with restoring their files. Two weeks after the attack, the MSP announced it was closing its doors.
  • An August attack on a Wisconsin-based MSP planted ransomware on 400 dental practices around the country. The attack encrypted not only patient files, but also emails and most worryingly, the company’s HIPAA-compliant backup system. A follow-up letter to their clients indicated that the MSP had a decryption key. Presumably, they paid the ransom.
  • In November, a Wisconsin-based MSP serving more than 100 clients, which operated nearly 2,500 nursing homes in 45 U.S. states, was hit, cutting off many of their facilities from patient records, email and telephone service. The MSP declined to pay the ransom. While it took days or weeks to restore the data, the MSP had a few factors working in their favor. One, a sharp-eyed employee spotted suspicious activity in the early morning hours during the attack and immediately alerted higher-ups within the company, who closed off the network. This limited the damage. Two, there were offsite backups.
  • In early December, a Colorado-based MSP was used to install ransomware on computers at more than 100 dental practices. The company refused to pay the ransom to unlock all of the client sites, and left the clients to restore their businesses on their own. Some negotiated separately to pay the ransom to restore their practices, while others restored from backups.

Closing the Vulnerabilities

Ultimately the criminals do their damage by gaining administrator access to the MSP’s remote monitoring and management (RMM) tool, which allows them to install and execute the ransomware infector on the clients’ systems. The following means of infiltrating and compromising administrator credentials are either explicitly known or have been implicated in one or more incidents. We also list the countermeasure; ask your MSP if these protections are in place.

Means of Gaining Administrator Access

Known vulnerability in an unpatched RMM tool or administrative console

Zero-day exploit in an RMM tool

Login credentials stored in cleartext on compromised machine

Exploiting open remote desktop protocol (RDP)

 

Phishing email

Protective Countermeasure

Program of regular, systematic and diligent patch management and application

Proactive monitoring of the MSP’s IT environment

Password vaulting solution or encryption and best-practices password policy

Disabling RDP if not needed, or application of access control lists to limit RDP sessions to known IP addresses

Email filtering solution backed with regular cybersecurity awareness training

Above All, Do This …

A single countermeasure would have stopped the vast majority of these attacks: Requiring two-factor (2FA) or multi-factor authentication (MFA) without fail, for each and every administrator connection and session, to each individual client’s IT environment. MSPs should enforce MFA to the enterprise login and ensure it encompasses VPN connections, RDP sessions, RMM sessions, internal management systems, and SaaS applications.

The other essential countermeasure is regular backups that are air-gapped or stored offsite. In far too many ransomware incidents, backups were stored online and the ransomware infector encrypted the backups as well, making them useless for restoring the client’s data. Also, in some instances the criminals first disabled the backup agents on each system, then waited for the old backups to age before executing the ransomware. So it’s important to not only have a backup system, but to monitor the backups and test for recoverability.

At FIT Solutions, we do all of the above and encourage you to ask your MSP if they do the same. We also have the advantage of our cybersecurity offering, SOCBOX, which provides us with the services of a Security Operations Center for 24-hour proactive monitoring—but we don’t stop there. We also contract with a separate third party to do regular penetration testing and evaluate our environment to ensure our defenses are solid.

If you’d like more information about MSP security, please give us a call at 888-339-5694.

Get in touch.

Fill out the form and our team will get
back to you as soon as we can!