Keeping Up With the Patches: A Tour Through Spring 2019 Threat Alerts

This spring brought a number of security updates from major tech players such as Oracle, Microsoft and Cisco. Which ones affect your enterprise? The Tenable Research team breaks it all down.

Spring 2019 brought with it a string of security updates plus a new directive from the U.S. Department of Homeland Security requiring federal agencies to speed up the time it takes to patch critical vulnerabilities from 30 days to 15 days.

As with all vulnerabilities, knowing which ones could actually affect your infrastructure can help save time and resources when it comes to patching. The question is: With all the vulnerabilities coming out each week, which ones are most likely to be exploited? 

These were among the topics discussed during a recent Tenable Research webinar hosted by Product Marketing Manager Claire Tills, and featuring Pablo Ramos, Research Engineering Manager, and Satnam Narang, Senior Security Response Manager.

Alerts, Alerts and More Alerts

Microsoft’s April Patch Tuesday alert addressed 74 vulnerabilities. The same month, Oracle’s quarterly Critical Patch Update contained nearly 300 different alerts and notifications affecting a wide range of the company’s products. And, for good measure, Cisco released a string of security alerts this spring as well.

With each alert and update, the Tenable Research team digs deep into the details to analyze how potential vulnerabilities might affect your business. For example, the team explored an Oracle update addressing a possible zero-day vulnerability, which could have affected unpatched versions of the company’s WebLogic servers — a type of middleware that sits between the front end and back end of large-scale web applications.

During the webinar, the team discussed the news of a zero-day vulnerability in Oracle WebLogic that was first reported through China’s National Vulnerability Database (CNVD) on April 17. Shortly after it was reported, researchers began to experiment with developing proof-of-concept (PoC) code based on the information in the CNVD report, most of which were not fully functional. 

“It wasn’t until Oracle almost released the patch that we started to see actual functioning proof-of-concept code,” said Narang. “That’s when we started working with the [Tenable] Vulnerability Detection Team to make sure we had something in place, and we did our own tests and we actually even tweaked one of the proof-of-concepts that we had seen out there to make sure it worked.” Around this time, Tenable’s Security Response Team observed chatter that attackers were utilizing working PoC code in attacks in the wild.

Malicious Sea Turtle

Another issue capturing the team’s attention originated with a report from Cisco Talos. It’s a DNS hijacking attack targeting organizations in the Middle East and North Africa, which originated with a previously unknown advanced persistent threat (APT) group called Sea Turtle.

During the webinar, the research team discussed how these types of attacks are designed to spoof websites to steal credentials and passwords. The goal? According to the Cisco Talos analysis, it’s about gaining access to the networks of organizations targeted by Sea Turtle as part of a fairly widespread espionage campaign.

In these types of DNS attacks, threat actors — especially those with connections to nation-states — take advantage of one of the older internet protocols. Many of these protocols were designed and built before modern cybersecurity concerns were a factor. 

The Tenable Research team discussed their interest in the background of this attack. Sea Turtle took advantage of a series of older vulnerabilities — some dating back to 2009 — including the Shellshock vulnerabilities found in the Unix Bash shell and bugs still found in Apache Tomcat.

The lesson here is obvious but worth repeating: patching, especially older flaws and bugs that linger, still matters.

DHS Directive: “Patch Faster”

Finally, the Research Team took note of a new directive issued from the U.S. Department of Homeland Security requiring federal agencies to speed up the time it takes to patch vulnerabilities in the software they use.

Under the new rules, security teams must patch software vulnerabilities deemed critical within 15 calendar days and fix high severity vulnerabilities within 30 days. Under previous rules, established in 2015, critical vulnerabilities needed remediation within 30 days and there were no specific guidelines for vulnerabilities deemed high.

Knowing which vulnerabilities are the most critical to patch is an ongoing challenge for cybersecurity professionals everywhere. Earlier this year, Tenable unveiled Predictive Prioritization to help teams improve their ability to prioritize vulnerabilities based on risk to the business. Predictive Prioritization combines Tenable-collected vulnerability data with third-party vulnerability and threat data and analyzes them together using an advanced data science algorithm developed by Tenable Research. The data analysis is used to develop a Vulnerability Priority Rating (VPR) for each vulnerability. VPR scores are now available in Tenable.sc and Tenable.io to help security teams improve their vulnerability management process.

The ability to zero in on those vulnerabilities that are actually being exploited enables security teams to focus their resources on patching the vulnerabilities posing the greatest threat to the network.

Learn more:

• Access the on-demand webinar: Tenable Research Update — May Day 2019
• Read the blog: Oracle Critical Patch Update for April Contains 297 Fixes