Keeping Up With the Patches: A Tour Through Spring 2019 Threat Alerts

Team Tenable

This spring brought a number of security updates from major tech players such as Oracle, Microsoft and Cisco. Which ones affect your enterprise? The Tenable Research team breaks it all down.

Spring 2019 brought with it a string of security updates plus a new directive from the U.S. Department of Homeland Security requiring federal agencies to speed up the time it takes to patch critical vulnerabilities from 30 days to 15 days.

As with all vulnerabilities, knowing which ones could actually affect your infrastructure can help save time and resources when it comes to patching. The question is: With all the vulnerabilities coming out each week, which ones are most likely to be exploited? 

These were among the topics discussed during a recent Tenable Research webinar hosted by Product Marketing Manager Claire Tills, and featuring Pablo Ramos, Research Engineering Manager, and Satnam Narang, Senior Security Response Manager.

Alerts, Alerts and More Alerts

Microsoft’s April Patch Tuesday alert addressed 74 vulnerabilities. The same month, Oracle’s quarterly Critical Patch Update contained nearly 300 different alerts and notifications affecting a wide range of the company’s products. And, for good measure, Cisco released a string of security alerts this spring as well.

With each alert and update, the Tenable Research team digs deep into the details to analyze how potential vulnerabilities might affect your business. For example, the team explored an Oracle update addressing a possible zero-day vulnerability, which could have affected unpatched versions of the company’s WebLogic servers — a type of middleware that sits between the front end and back end of large-scale web applications.

During the webinar, the team discussed the news of a zero-day vulnerability in Oracle WebLogic that was first reported through China’s National Vulnerability Database (CNVD) on April 17. Shortly after it was reported, researchers began to experiment with developing proof-of-concept (PoC) code based on the information in the CNVD report, most of which were not fully functional. 

“It wasn’t until Oracle almost released the patch that we started to see actual functioning proof-of-concept code,” said Narang. “That’s when we started working with the [Tenable] Vulnerability Detection Team to make sure we had something in place, and we did our own tests and we actually even tweaked one of the proof-of-concepts that we had seen out there to make sure it worked.” Around this time, Tenable’s Security Response Team observed chatter that attackers were utilizing working PoC code in attacks in the wild.

Malicious Sea Turtle

Another issue capturing the team’s attention originated with a report from Cisco Talos. It’s a DNS hijacking attack targeting organizations in the Middle East and North Africa, which originated with a previously unknown advanced persistent threat (APT) group called Sea Turtle.

During the webinar, the research team discussed how these types of attacks are designed to spoof websites to steal credentials and passwords. The goal? According to the Cisco Talos analysis, it’s about gaining access to the networks of organizations targeted by Sea Turtle as part of a fairly widespread espionage campaign.

In these types of DNS attacks, threat actors — especially those with connections to nation-states — take advantage of one of the older internet protocols. Many of these protocols were designed and built before modern cybersecurity concerns were a factor. 

The Tenable Research team discussed their interest in the background of this attack. Sea Turtle took advantage of a series of older vulnerabilities — some dating back to 2009 — including the Shellshock vulnerabilities found in the Unix Bash shell and bugs still found in Apache Tomcat.

The lesson here is obvious but worth repeating: patching, especially older flaws and bugs that linger, still matters.

DHS Directive: “Patch Faster”

Finally, the Research Team took note of a new directive issued from the U.S. Department of Homeland Security requiring federal agencies to speed up the time it takes to patch vulnerabilities in the software they use.

Under the new rules, security teams must patch software vulnerabilities deemed critical within 15 calendar days and fix high severity vulnerabilities within 30 days. Under previous rules, established in 2015, critical vulnerabilities needed remediation within 30 days and there were no specific guidelines for vulnerabilities deemed high.

Knowing which vulnerabilities are the most critical to patch is an ongoing challenge for cybersecurity professionals everywhere. Earlier this year, Tenable unveiled Predictive Prioritization to help teams improve their ability to prioritize vulnerabilities based on risk to the business. Predictive Prioritization combines Tenable-collected vulnerability data with third-party vulnerability and threat data and analyzes them together using an advanced data science algorithm developed by Tenable Research. The data analysis is used to develop a Vulnerability Priority Rating (VPR) for each vulnerability. VPR scores are now available in Tenable.sc and Tenable.io to help security teams improve their vulnerability management process.

The ability to zero in on those vulnerabilities that are actually being exploited enables security teams to focus their resources on patching the vulnerabilities posing the greatest threat to the network.

Learn more:

Read more >

Published on Jun 26, 2019

People also viewed

Business Cost Analyst - Cloud Infrastructure

San Jose California United States E Santa Clara St., San Jose, California, United States, 95113 Engineering Engineering
Your Role:Tenable is seeking a Business Cost Analyst of Cloud Infrastructure with strong MS Excel experience to assess, analyze and compile current costs and potentially determine initiatives to reduce and improve our cloud infrastructure cost for...

Professional Services Engagement Manager

Singapore Singapore Singapore North Bridge Road, Parkview Square, Singapore, 188788 Professional Services Professional Services
Your Role:The Professional Services Engagement Manager assists in the professional services business development and oversees the delivery of projects. The Professional Services Engagement Manager’s roles include tactical project management oversi...

UX Designer

Columbia Maryland United States Columbia Gateway Drive, Columbia, Maryland, United States, 21046 Engineering Engineering
Your Role:Tenable is looking for an extraordinary Senior UX Designer to join our team. Our group is chartered with creating the next generation of security products while at the same time pioneering unprecedented user experience in the digital sec...

Commercial Territory Manager - West

Columbia Maryland United States Columbia Gateway Drive, Columbia, Maryland, United States, 21046 Sales Sales
Your Role:The Commercial Territory Manager will meet and exceed quarterly sales quota by developing new opportunities within specific geographical territory.  Researching and identifying potential accounts; outbound cold calling to soliciting new ...

Senior Software Engineer (Java & Kotlin)

San Jose California United States E Santa Clara St., San Jose, California, United States, 95113 Engineering Engineering
Your Role:Tenable is looking for a Senior Software Engineer to join the Lumin product development team. As a Sr. Software Engineer you will drive projects end-to-end, collaborate on product requirements with Product Managers, architect and impleme...

Public Sector Channel Manager - Distribution

Reston Virginia United States Reston, Virginia, United States Channel Sales Sales
Your Role:The Public Sector Channel Manager-Distribution is responsible for establishing and managing relationships with the Distribution Partner(s).  The CM-Disty will act as a sales liaison between distributor and Tenable Channel Manager personn...

We have big plans for continued global growth, and we’re looking for people who are creative, flexible and dedicated to helping us build something great – something that matters.