Tanium comments on patching and its necessities

January 2023 by Tim Morris, Chief Security Advisor at Tanium

Security consultancy S-RM is warning that patching the critical
vulnerabilities that give attackers access to the network is, on its
own, insufficient to defend against ransomware attacks.

During an incident response engagement following a Lorenz ransomware
attack, researchers at S-RM determined that the attackers had breached
the victim's network five months before they began to move laterally,
steal data, and encrypt systems. The client had applied the patch for
CVE-2022-29499 in July, but the Lorenz operators had moved faster: they
exploited the vulnerability and planted a backdoor a week before the
update that fixed the issue was installed. Although no vulnerable pages
remained on the system, forensic analysis showed that they had last been
accessed at the moment the threat actor's web shell was created on the
victim machine.

The attackers tried to hide the backdoor by naming it
"twitter_icon_ and placing it in a legitimate directory on the system.
For five months, the web shell lay dormant on the victim network. When
the attackers were ready to follow through, they used the backdoor and
deployed the Lorenz ransomware within 48 hours. Tim Morris, Chief
Security Advisor at Tanium, comments on the incident: "Patching is still
necessary, but has to be done in a timely manner. Organizations have to
know where their critical assets are and have plans to patch them
quickly. Any perimeter systems (servers, network devices, etc.) should be
considered critical. Critical patches for those systems should be
applied in hours or days, not weeks or months. Mature organizations will
patch critical servers and network devices within 72 hours, others
within 7 or 30 days depending upon the criticality of the asset and the
severity of the vulnerability.

This CVE was published in April and the article says it wasn't patched
until July, which gives the attacker plenty of time to get in. The
importance of robust and timely vulnerability management and patching
programs is paramount and cannot be overstated.

Also, a multi-layered defense in depth strategy is equally important
in order to monitor, detect, protect, and defend an organization. Active
threat hunting and monitoring go a long way to defending against
attackers that get in and attempt to "live off the land.""
