The Bedel Security Blog

A Bad Month for Anti-Virus

Written by Brian Petzold | May 24, 2019

Bad news sometimes comes in waves, and this month has included one of those waves. We had an announcement that three anti-virus companies had been breached and an announcement from Microsoft that there was a vulnerability that was so bad that they were distributing patches for end-of-life systems. This week, we will look at each of these to determine what actions your institution may need to take.

Microsoft Remote Desktop Vulnerabilities: On May 14th, Microsoft released a patch for a Remote Desktop Protocol vulnerability (CVE-2019-0708) that impacts systems running Windows 7 or earlier, as well as Windows Server 2008 or earlier. The vulnerability is so bad that an attacker can use it to install malware without any user interaction, meaning that it could be used to launch a “worm” that propagates itself quickly over a network (the last widespread worm was WannaCry). Because of the severity of the vulnerability, Microsoft went the extra mile and actually released patches for the end-of-life Windows XP and Windows Server 2003 operating systems.

This week, there are rumors that a proof of concept has already been developed using the vulnerability, meaning that an actual attack is likely not far behind. A breach of the RDS service could be catastrophic, so we recommend that any institution that is still using Windows XP, Windows 7, Windows Server 2003, or Windows Server 2008 apply the patches quickly. We also recommend that institutions block RDP port 3389 at their firewall for all systems.
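One way to verify the "block port 3389" recommendation is to check your own firewall logs for inbound RDP that was allowed from outside your address space. The script below is an added example, not part of the original Bedel Security post: it parses a few constructed log lines in an assumed format, treats the RFC 1918 ranges as the institution's internal space (an assumption), and reports allowed external connections to TCP 3389 alongside how many the firewall already blocked.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample firewall log lines (not from any real device); the format
# "<timestamp> <ACTION> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>" is assumed.
SAMPLE_LOG = """\
2019-05-20T10:15:02Z ALLOW TCP 203.0.113.45:51234 -> 10.0.0.12:3389
2019-05-20T10:15:03Z ALLOW TCP 10.0.0.7:49812 -> 10.0.0.12:3389
2019-05-20T10:15:09Z BLOCK TCP 198.51.100.9:40001 -> 10.0.0.12:3389
2019-05-20T10:16:30Z ALLOW TCP 203.0.113.45:51240 -> 10.0.0.20:3389
2019-05-20T10:17:00Z ALLOW TCP 203.0.113.45:51241 -> 10.0.0.20:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|BLOCK) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Assumption: RFC 1918 ranges stand in for the institution's internal address space.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RDP_PORT = 3389


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_external_rdp(log_text):
    """Return (allowed, blocked): allowed inbound TCP/3389 connections from
    non-internal sources as (ts, src, dst) tuples, and the count already blocked."""
    allowed, blocked = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proto"] != "TCP" or int(m["dport"]) != RDP_PORT:
            continue  # not an RDP connection, or an unparseable line
        if is_internal(m["src"]):
            continue  # internal-to-internal RDP is out of scope here
        if m["action"] == "BLOCK":
            blocked += 1
        else:
            allowed.append((m["ts"], m["src"], m["dst"]))
    return allowed, blocked


def summarize(log_text):
    allowed, blocked = find_external_rdp(log_text)
    return {"allowed": allowed, "blocked": blocked,
            "by_source": dict(Counter(src for _, src, _ in allowed))}


if __name__ == "__main__":
    for ts, src, dst in summarize(SAMPLE_LOG)["allowed"]:
        print(f"{ts} external RDP allowed: {src} -> {dst}:{RDP_PORT}")
```

Any line reported as allowed means the perimeter block is not in place for that destination and the host should be patched and isolated first.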

Anti-virus Maker Breach: Last week, a group called Fxmsp claimed that they had hacked into the internal networks of three major anti-virus makers (Symantec, Trend Micro, and McAfee) and were selling their source code on the black market. As the week went on, Symantec claimed that they had not been breached, with this claim being reinforced by AdvIntel, the company that first reported the breach. Trend Micro reported that the breach had been of only a test lab and that it represented only a low risk, but AdvIntel claimed they had evidence to the contrary. McAfee responded very vaguely, saying only that “We’ve taken necessary steps to monitor for and investigate” the matter. There has been no further news from any of the sources since.

The risk of this breach is that an attacker could design malware that sneaks past the anti-virus software using their knowledge of how the software is built. If your institution uses software by one of the three anti-virus makers, you should be monitoring this situation closely. You should also ensure that you have other controls (IPS, activity monitoring, etc.) in place on your network to detect suspicious activity should a hacker be successful in exploiting this knowledge.

If you're looking for more information on exactly what this might mean for your institution, you can reach out to us any time at support@bedelsecurity.com!