Huntress CEO Urges Patching After Windows Vulnerability Warning
‘Hardening your external perimeter (blocking 445/135) is NOT enough as threat actors will still use this to spread laterally after gaining access via phishing,’ Kyle Hanslovan, CEO of threat research firm Huntress, posted on LinkedIn.
Huntress CEO Kyle Hanslovan urged solution providers to patch their servers after a Microsoft Windows remote procedure call (RPC) vulnerability was disclosed last week.
The call to action comes after Microsoft, in a blog post, advised partners to harden their network perimeter to keep attackers from reaching vulnerable servers from the Internet.
“The critical RPC vulnerability reported in Windows last week is trivial to exploit and credible security researchers expect cybercriminals to leverage it ASAP,” Hanslovan wrote in a LinkedIn post Monday. “Hardening your external perimeter (blocking 445/135) is NOT enough as threat actors will still use this to spread laterally after gaining access via phishing.”
Hanslovan’s post is a follow-up to Hacker House CEO Matthew Hickey’s April 14 post about the vulnerability. Hacker House is a London-based global cybersecurity training and defense firm.
“We are advising to patch this issue as a priority in light of the vast number of RPC services that exist and the likelihood of exploitation by attackers,” Hickey said in an emailed response. “Disabling ports at the network perimeter will not prevent attackers from performing lateral movement with the RPC RCE vulnerability and exploitation from teleworkers and internal network users will still be possible until a patch is applied. Due to the various configuration options and services that this vulnerability can be found within, it is strongly advised that a patch is applied as a priority before attackers begin exploiting this in their campaigns.”
He said that if the patch is not applied, attackers could use the vulnerability for lateral movement within internal networks, exploiting on-premises Microsoft enterprise desktops and servers as part of ransomware and other malicious software campaigns.
CRN reached out to Hanslovan for comment but had not heard back by press time.
Microsoft’s blog post also listed mitigations, the main one being to block TCP port 445 at the enterprise perimeter firewall.
“TCP port 445 is used to initiate a connection with the affected component,” the blog said. “Blocking this port at the network perimeter firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. This can help protect networks from attacks that originate outside the enterprise perimeter. Blocking the affected ports at the enterprise perimeter is the best defense to help avoid Internet-based attacks. However, systems could still be vulnerable to attacks from within their enterprise perimeter.”
CRN reached out to Microsoft for comment but had not heard back by press time.
Hanslovan and Hickey, though, argued that Microsoft’s perimeter mitigation is not sufficient on its own and said solution providers must patch as well.
“The only effective solution for this particular vulnerability will be to apply a patch and urgently,” Hickey wrote. “Attackers are already making progress on developing exploits to leverage this attack; we expect to see ransomware and other malicious code using this to deploy into Enterprise and Windows on-prem environments within the coming weeks.”
Hickey said that while Microsoft’s advisory suggested exploitation was limited to TCP port 445, he believes the issue can also be reached over any non-ephemeral port assigned to an RPC service, not just the SMB port.
“The vulnerability is present within CoalescedBuffer handling within any RPC-linked client or server. This means that the best course of defense for this vulnerability is to apply the patch, and urgently,” Hickey wrote on his April 14 LinkedIn post.
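Microsoft’s mitigation above addresses the Internet-facing side only, and Hickey’s point is that RPC services listening on ports other than 445 are also reachable from inside the network. The PowerShell script below is an added example written for this article; it is not code from Microsoft, Huntress or Hacker House. It does three things an administrator would want to do on a Windows host while the patch is being rolled out: list every listening TCP port below the ephemeral range (445, 135 and any fixed-port RPC service) with its owning process, scope inbound 445 and 135 on the host firewall to a set of administrative subnets so that a phished workstation elsewhere on the LAN cannot reach them, and report whether a given update is installed. The subnet `10.0.250.0/24`, the rule names and the `$KbId` parameter are placeholders; the article does not name the KB, so the operator supplies it from Microsoft’s advisory.

```powershell
<#
  Added example for this article (not Microsoft's, Huntress's or Hacker House's code).
  Assumptions: run in an elevated PowerShell on Windows 10/11 or Windows Server with the
  NetTCPIP and NetSecurity modules (present by default). Admin subnets, rule names and
  the KB identifier are placeholders to be replaced by the operator.
#>
[CmdletBinding()]
param(
    [string[]]$AdminSubnets = @('10.0.250.0/24'),   # assumption: where legitimate SMB/RPC clients live
    [string]$KbId                                   # e.g. 'KB…' from Microsoft's advisory; not named in the article
)

# 1. Inventory: which processes listen on 445, 135 and other non-ephemeral TCP ports?
#    Windows' default dynamic (ephemeral) range starts at 49152; anything below it is a
#    fixed port, which is where services configured with static RPC ports show up.
function Get-RpcExposure {
    param([int]$EphemeralStart = 49152)
    Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalPort -lt $EphemeralStart } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                Port         = $_.LocalPort
                Process      = if ($proc) { $proc.ProcessName } else { 'unknown' }
                Note         = switch ($_.LocalPort) {
                    445     { 'SMB (port named in Microsoft mitigation)' }
                    135     { 'RPC endpoint mapper' }
                    default { 'fixed port; may be an RPC service' }
                }
            }
        } | Sort-Object Port
}

# 2. Host firewall: allow a port only from the admin subnets.
#    Windows Firewall gives Block rules precedence over Allow rules, so a blanket Block
#    would also defeat a scoped Allow. The workable pattern is: default inbound action
#    Block, disable the broad built-in Allow rules for the port, add one scoped Allow.
function Restrict-InboundPort {
    param([int]$Port, [string[]]$AllowedRemote, [string]$Name)

    Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and ($_.LocalPort -contains "$Port") } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' -and $_.DisplayName -ne $Name } |
        Disable-NetFirewallRule

    if (-not (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $Name -Direction Inbound -Protocol TCP `
            -LocalPort $Port -RemoteAddress $AllowedRemote -Action Allow -Profile Any | Out-Null
    }
}

# 3. Patch state: the only real fix. Returns $null when no KB was supplied.
function Test-PatchInstalled {
    param([string]$KbId)
    if (-not $KbId) { return $null }
    return [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)
}

Get-RpcExposure | Format-Table -AutoSize

Set-NetFirewallProfile -All -DefaultInboundAction Block
Restrict-InboundPort -Port 445 -AllowedRemote $AdminSubnets -Name 'Example - SMB 445 from admin subnets only'
Restrict-InboundPort -Port 135 -AllowedRemote $AdminSubnets -Name 'Example - RPC EPM 135 from admin subnets only'

switch (Test-PatchInstalled -KbId $KbId) {
    $true   { "Update $KbId is installed." }
    $false  { Write-Warning "Update $KbId is NOT installed; the host firewall scoping above is a stopgap, not a fix." }
    default { Write-Warning 'No KB supplied; verify the patch state separately.' }
}
```

Run it first with `-WhatIf`-style caution on a test host: scoping 445 and 135 to admin subnets is appropriate for workstations, which rarely need inbound SMB or RPC from peers, but on file servers, domain controllers and anything managed by WMI or remote MMC the allow list must include every subnet that legitimately connects, or you will cause an outage. Ports that the inventory shows as fixed-port services are not touched by the rules above; they need the same per-service review, which is exactly why the article’s sources say the only durable answer is to apply the patch.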
Dustin Bolander, partner and founder of Austin, Texas-based MSP Clear Guidance Partners, said, “At its core it’s one of those things that it’s a concern, but it shouldn’t be a horrible concern.”
What will happen, he said, is a chained attack: attackers get a phishing email through, somebody runs it, and suddenly the attacker is on the network.
“People are going to get inside of your network, that’s just the nature of IT security these days,” Bolander told CRN. “That’s why [Hanslovan and Hickey] are saying, ‘You’ve got to patch this so once, not if, somebody gets inside your network then they can’t take advantage of this.’”
He said this vulnerability is not at a Log4j level, “but it’s a bad enough one.”
“But relatively speaking, this one is easy,” he said. “Just go and patch your stuff.”