This is the RSS 2.0 feed from www.secnews.physaphae.fr. IT's a simple agragated flow of multiple articles soruces. Liste of sources, can be found on www.secnews.physaphae.fr. 2025-05-10T21:04:54+00:00 www.secnews.physaphae.fr Kovrr - cyber risk management platform 2025-01-28T16:53:39+00:00 https://www.kovrr.com/reports/impact-of-technogenic-risk-on-crq www.secnews.physaphae.fr/article.php?IdArticle=8643894 False Ransomware,Malware,Vulnerability,Threat,Patching,Prediction,Cloud,Technical Wannacry 3.0000000000000000 AlienVault Lab Blog - AlienVault est un acteur de defense majeur dans les IOC the adage "patch or perish" encapsulates a stark reality. The timely application of software patches is not just a best practice—it is a necessity. The vulnerabilities that lurk in unpatched software can serve as gateways for cybercriminals, leading to severe breaches, operational disruptions, and substantial financial losses. The imperative to keep software up-to-date has never been more pressing, yet patch management often takes a backseat in organizations. It\'s not merely a technical oversight; it\'s a question of diligence and prioritization. The virtue of diligence—the proactive, methodical maintenance of systems—has been lost amid the rapid pace of technological growth. This article takes a deeper look at why diligence in patching is a crucial, yet often overlooked, cornerstone of cybersecurity. The Imperative of Patching Software patches are more than mere updates; they are crucial security mechanisms designed to address vulnerabilities, fix bugs, and even add functionality to software. They serve as a frontline defense against a spectrum of threats that grow more sophisticated each day. Neglecting patches doesn\'t just put one system at risk; it can compromise the entire network, potentially creating a cascading effect of vulnerabilities. Cybercriminals often exploit known vulnerabilities for which patches already exist. These are known as “n-day vulnerabilities,” and their exploitation is rampant simply because organizations fail to apply fixes that are readily available. The importance of patching should be viewed not only as a matter of hygiene but also as a competitive edge. In the current threat landscape, attackers are quick, but defenders must be quicker. Consequences of Neglect The repercussions of inadequate patching are well-documented yet continue to be ignored. Unpatched systems become a fertile hunting ground for cybercriminals looking for easy prey. The result can be data breaches that compromise sensitive information, financial losses that are often uninsurable, and reputational damage that can take years to mend. Take, for example, the infamous WannaCry ransomware attack. WannaCry leveraged a known vulnerability in Microsoft Windows, a vulnerability for which a patch had been released months earlier. Due to lax patch management, over 200,000 systems in 150 countries were compromised, causing disruptions to healthcare, manufacturing, and finance industries. The cost? Billions of dollars in damages, not to mention the incalculable impact on people\'s lives due to healthcare system disruptions. These scenarios are not isolated—they illustrate the risks inherent in ignoring patching protocols. For organizations that fail to take patch management seriously, it’s not a question of "if" they will be compromised, but "when." Challenges in Patch Management Despite its importance, patch management remains fraught with challenges. It’s essential to recognize these hurdles to develop effective mitigation strategies: Resource limitations: Smaller organizations often lack the IT resources required for consistent patch management. Even larger enterprises might struggle to dedicate the necessary manpower, given the constant barrage of patches released by software vendors. System complexity: Modern IT ecosystems are incredibly complex, with a multitude of interdependent software applications and legacy systems. Applying a patch without testing could cause unforeseen issues, from compatibility problems to outright system failures. Downtime concerns: Many organization]]> 2024-12-09T13:49:00+00:00 https://levelblue.com/blogs/security-essentials/patch-or-perish-the-forgotten-virtue-of-diligence-in-digital-security www.secnews.physaphae.fr/article.php?IdArticle=8622293 False Ransomware,Tool,Vulnerability,Threat,Patching,Medical,Technical Wannacry 3.0000000000000000 AlienVault Lab Blog - AlienVault est un acteur de defense majeur dans les IOC 2024-11-26T14:37:00+00:00 https://levelblue.com/blogs/security-essentials/what-are-computer-worms www.secnews.physaphae.fr/article.php?IdArticle=8618712 False Ransomware,Data Breach,Spam,Malware,Tool,Vulnerability,Threat,Patching,Mobile,Industrial,Medical,Technical Wannacry 2.0000000000000000 Fortinet ThreatSignal - Harware Vendor 2022-07-07T08:14:35+00:00 https://fortiguard.fortinet.com/threat-signal-report/4663 www.secnews.physaphae.fr/article.php?IdArticle=5595940 False Ransomware,Threat,Patching,Medical Wannacry,Wannacry,APT 38 None TechRepublic - Security News US 2019-08-07T14:23:02+00:00 https://www.techrepublic.com/article/businesses-need-to-patch-for-bluekeep-to-avoid-another-wannacry/#ftag=RSS56d97e7 www.secnews.physaphae.fr/article.php?IdArticle=1248583 False Patching Wannacry None Errata Security - Errata Security masscan, my Internet-scale port scanner, looking for port 3389, the one used by Remote Desktop. This takes a couple hours, and lists all the devices running Remote Desktop -- in theory.This returned 7,629,102 results (over 7-million). However, there is a lot of junk out there that'll respond on this port. Only about half are actually Remote Desktop.Masscan only finds the open ports, but is not complex enough to check for the vulnerability. Remote Desktop is a complicated protocol. A project was posted that could connect to an address and test it, to see if it was patched or vulnerable. I took that project and optimized it a bit, rdpscan, then used it to scan the results from masscan. It's a thousand times slower, but it's only scanning the results from masscan instead of the entire Internet.The table of results is as follows:1447579  UNKNOWN - receive timeout1414793  SAFE - Target appears patched1294719  UNKNOWN - connection reset by peer1235448  SAFE - CredSSP/NLA required 923671  VULNERABLE -- got appid 651545  UNKNOWN - FIN received 438480  UNKNOWN - connect timeout 105721  UNKNOWN - connect failed 9  82836  SAFE - not RDP but HTTP  24833  UNKNOWN - connection reset on connect   3098  UNKNOWN - network error   2576  UNKNOWN - connection terminatedThe various UNKNOWN things fail for various reasons. A lot of them are because the protocol isn't actually Remote Desktop and respond weirdly when we try to talk Remote Desktop. A lot of others are Windows machines, sometimes vulnerable and sometimes not, but for some reason return errors sometimes.The important results are those marked VULNERABLE. There are 923,671 vulnerable machines in this result. That means we've confirmed the vulnerability really does exist, though it's possible a small number of these are "honeypots" deliberately pretending to be vulnerable in order to monitor hacker activity on the Internet.The next result are those marked SAFE due to probably being "pached". Actually, it doesn't necessarily mean they are patched Windows boxes. They could instead be non-Windows systems that appear the same as patched Windows boxes. But either way, they are safe from this vulnerability. There are 1,414,793 of them.The next result to look at are those marked SAFE due to CredSSP/NLA failures, of which there are 1,235,448. This doesn't mean they are patched, but only that we can't exploit them. They require "network level authentication" first before we can talk Remote Desktop to them. That means we can't test whether they are patched or vulnerable -- but neither can the hackers. They may still be exploitable via an insider threat who knows a valid username/password, but they aren't exploitable by anonymous hackers or worms.The next category is marked as SAFE because they aren't Remote Desktop at all, but HTTP servers. In other words, in response to o]]> 2019-05-28T06:20:06+00:00 https://blog.erratasec.com/2019/05/almost-one-million-vulnerable-to.html www.secnews.physaphae.fr/article.php?IdArticle=1128860 False Ransomware,Vulnerability,Threat,Patching,Guideline NotPetya,Wannacry None Errata Security - Errata Security blaming the NSA for a ransomware attack on Baltimore is typical bad journalism. It's an op-ed masquerading as a news article. It cites many to support the conclusion the NSA is to be blamed, but only a single quote, from the NSA director, from the opposing side. Yet many experts oppose this conclusion, such as @dave_maynor, @beauwoods, @daveaitel, @riskybusiness, @shpantzer, @todb, @hrbrmst, ... It's not as if these people are hard to find, it's that the story's authors didn't look.The main reason experts disagree is that the NSA's Eternalblue isn't actually responsible for most ransomware infections. It's almost never used to start the initial infection -- that's almost always phishing or website vulns. Once inside, it's almost never used to spread laterally -- that's almost always done with windows networking and stolen credentials. Yes, ransomware increasingly includes Eternalblue as part of their arsenal of attacks, but this doesn't mean Eternalblue is responsible for ransomware.The NYTimes story takes extraordinary effort to jump around this fact, deliberately misleading the reader to conflate one with the other. A good example is this paragraph:That link is a warning from last July about the "Emotet" ransomware and makes no mention of EternalBlue. Instead, the story is citing anonymous researchers claiming that EthernalBlue has been added to Emotet since after that DHS warning.Who are these anonymous researchers? The NYTimes article doesn't say. This is bad journalism. The principles of journalism are that you are supposed to attribute where you got such information, so that the reader can verify for themselves whether the information is true or false, or at least, credible.And in this case, it's probably false. The likely source for that claim is this article from Malwarebytes about Emotet. They have since retracted this claim, as the latest version of their article points out.In any event, the NYTimes article claims that Emotet is now "relying" on the NSA's EternalBlue to spread. That's not the same thing as "using", not even close. Yes, lots of ransomware has been updated to also use Eternalblue to spread. However, what ransomware is relying upon is still the Wind]]> 2019-05-27T19:59:38+00:00 https://blog.erratasec.com/2019/05/a-lesson-in-journalism-vs-cybersecurity.html www.secnews.physaphae.fr/article.php?IdArticle=1128277 False Ransomware,Malware,Patching,Guideline NotPetya,Wannacry None InformationSecurityBuzzNews - Site de News Securite Microsoft Warns Against Critical, WannaCry-like Flaw]]> 2019-05-16T23:13:01+00:00 https://www.informationsecuritybuzz.com/expert-comments/microsoft-warns-against-critical-wannacry-like-flaw/ www.secnews.physaphae.fr/article.php?IdArticle=1111466 False Vulnerability,Patching Wannacry None Network World - Magazine Info 2018-08-08T13:28:00+00:00 https://www.networkworld.com/article/3296041/security/chip-maker-tsmc-will-lose-millions-for-not-patching-its-computers.html#tk.rss_security www.secnews.physaphae.fr/article.php?IdArticle=771716 False Tool,Patching Wannacry None Errata Security - Errata Security An example is this quote in a recent article:"One year on from NotPetya, it seems lessons still haven't been learned. A lack of regular patching of outdated systems because of the issues of downtime and disruption to organisations was the path through which both NotPetya and WannaCry spread, and this fundamental problem remains." This is an attractive claim. It describes the problem in terms of people being "weak" and that the solution is to be "strong". If only organizations where strong enough, willing to deal with downtime and disruption, then problems like this wouldn't happen.But this is wrong, at least in the case of NotPetya.NotPetya's spread was initiated through the Ukraining company MeDoc, which provided tax accounting software. It had an auto-update process for keeping its software up-to-date. This was subverted in order to deliver the initial NotPetya infection. Patching had nothing to do with this. Other common security controls like firewalls were also bypassed.Auto-updates and cloud-management of software and IoT devices is becoming the norm. This creates a danger for such "supply chain" attacks, where the supplier of the product gets compromised, spreading an infection to all their customers. The lesson organizations need to learn about this is how such infections can be contained. One way is to firewall such products away from the core network. Another solution is port-isolation/microsegmentation, that limits the spread after an initial infection.Once NotPetya got into an organization, it spread laterally. The chief way it did this was through Mimikatz/PsExec, reusing Windows credentials. It stole whatever login information it could get from the infected machine and used it to try to log on to other Windows machines. If it got lucky getting domain administrator credentials, it then spread to the entire Windows domain. This was the primary method of spreading, not the unpatched ETERNALBLUE vulnerability. This is why it was so devastating to companies like Maersk: it wasn't a matter of a few unpatched systems getting infected, it was a matter of losing entire domains, including the backup systems.Such spreading through Windows credentials continues to plague organizations. A good example is the recent ransomware infection of the City of Atlanta that spread much the same way. The limits of the worm were the limits of domain trust relationships. For example, it didn't infect the city airport because that Windows domain is separate from the city's domains.This is the most pressing lesson organizations need to learn, the one they are ignoring. They need to do more to prevent desktops from infecting each other, such as through port-isolation/microsegmentation. They need to control the spread of administrative credentials within the organization. A lot of organizations put the same local admin account on every workstation which makes the spread of NotPetya style worms trivial. They need to reevaluate trust relationships between domains, so that the admin of one can't infect the others.These solutions are difficult, which is why news articles don't mention them. You don't have to know anything about security to proclaim "the problem is lack of patches". It's moral authority, chastising the weak, rather than a proscription of what to do. Solving supply chain hacks and Windows credential sharing, though, is hard. I don't know any universal solution to this -- I'd have to thoroughly analyze your network and business in order to ]]> 2018-06-27T15:49:15+00:00 https://blog.erratasec.com/2018/06/lessons-from-npetya-one-year-later.html www.secnews.physaphae.fr/article.php?IdArticle=725976 False Ransomware,Malware,Patching FedEx,NotPetya,Wannacry None