Microsoft Patches Seven Critical Vulnerabilities, Leaving RPC Protocol Exploitable

Microsoft released patches on Patch Tuesday for 7 critical and 38 important bugs across its product portfolio. Among them is one that Microsoft Threat Intelligence reports as actively exploited in the wild: CVE-2021-36948, a privilege escalation bug in the Windows Update Medic Service, the component responsible for repairing and protecting the Windows Update machinery. Microsoft shared no specifics or statistics on how widely this vulnerability has been exploited, but organizations are advised to update as soon as feasible. In the same release, Microsoft published patches intended to address PetitPotam (CVE-2021-36942) and PrintNightmare (CVE-2021-36936).

Analyst Notes

While patching introduces risks of its own, seven of these updates are rated critical and organizations are advised to deploy them to production as soon as feasible. This is not a cosmetic update.
For PetitPotam, the patch blocks remote access to the specific RPC calls used by the published Proof of Concept (PoC) code. This reproduces the informal workaround of using RPC filters to block those MS-EFSRPC calls, but installs the behavior by default. The underlying structural issue, that the RPC interface does not require meaningful authentication before it can be made to authenticate on the caller's behalf, has not been addressed, and organizations should remain alert to threat actor attempts to exploit this class of coercion now that the details are public.
For PrintNightmare, the patch changes the Point and Print default so that installing a printer driver requires administrative rights. It does not address the underlying structural issues in the Print Spooler, and privilege escalation on patched systems has already been demonstrated. Organizations are advised not to rely on this patch alone but to continue, or initiate, ongoing detection and mitigation strategies appropriate to their risk management posture.
While Defender signatures for the public PoC have been added, threat actors routinely obfuscate code or otherwise bypass such detections, so signature coverage of a specific PoC should not be treated as coverage of the technique.
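The three controls discussed above, as an added PowerShell example that is not part of the original post and not Microsoft's own tooling: the RPC-filter workaround that the PetitPotam patch now applies by default, an audit of the Point and Print hardening values that the PrintNightmare patch now enforces, and a hunt for printer driver installs in the Print Service event log. It assumes an elevated session on a domain-joined Windows host; the two interface UUIDs are the MS-EFSRPC endpoints called by the public PoC, and the registry value names are the documented Point and Print policy values. The function names and the `$Expected` table are this example's own.

```powershell
# Added example, not from the original post. Assumes an elevated PowerShell session on a
# domain-joined Windows host. Test on a lab host first: blocking MS-EFSRPC also breaks
# legitimate remote EFS operations, and RPC filters are per-host, not domain-wide.

# --- 1. RPC filters: the manual workaround the PetitPotam patch now applies by default -----
$EfsrpcInterfaces = @(
    'c681d488-d850-11d0-8c52-00c04fd90f7e',  # MS-EFSRPC reached via \pipe\lsarpc
    'df1941c5-fe89-4e79-bf10-463657acf44d'   # MS-EFSRPC reached via \pipe\efsrpc
)

function Add-EfsrpcBlockFilter {
    param([Parameter(Mandatory)][string]$InterfaceUuid)
    # A filter is a rule (user-mode layer, block action) plus a condition on the interface
    # UUID; 'add filter' commits the pair, so a fresh 'add rule' is needed for the next one.
    netsh rpc filter add rule layer=um actiontype=block | Out-Null
    netsh rpc filter add condition field=if_uuid matchtype=equal data=$InterfaceUuid | Out-Null
    netsh rpc filter add filter | Out-Null
}

foreach ($uuid in $EfsrpcInterfaces) { Add-EfsrpcBlockFilter -InterfaceUuid $uuid }
# Expect one filter per UUID. Roll back with: netsh rpc filter delete filter filterkey=<key>
netsh rpc filter show filter

# --- 2. Point and Print hardening: the values the PrintNightmare patch now defaults ------
$PnPKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$Expected = @{
    RestrictDriverInstallationToAdministrators = 1   # non-admins may not install drivers
    NoWarningNoElevationOnInstall              = 0   # keep the elevation prompt
    UpdatePromptSettings                       = 0   # keep the prompt on driver updates
}
$Actual = Get-ItemProperty -Path $PnPKey -ErrorAction SilentlyContinue

function Test-PointAndPrintHardening {
    foreach ($name in $Expected.Keys) {
        $value = $null
        if ($Actual -and $null -ne $Actual.$name) { $value = $Actual.$name }
        # An absent value means the post-update default applies. An explicit 0 for
        # RestrictDriverInstallationToAdministrators re-opens the PrintNightmare path.
        $shown     = if ($null -eq $value) { '(not set)' } else { $value }
        $compliant = ($null -eq $value) -or ($value -eq $Expected[$name])
        [pscustomobject]@{
            Setting   = $name
            Expected  = $Expected[$name]
            Actual    = $shown
            Compliant = $compliant
        }
    }
}
Test-PointAndPrintHardening | Format-Table -AutoSize

# --- 3. Detection: printer driver added/updated events (Event ID 316). The PrintService
#        Operational log is disabled by default and must be enabled before it records. ---
wevtutil sl Microsoft-Windows-PrintService/Operational /e:true
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PrintService/Operational'; Id = 316 } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Each part stands on its own. Part 1 is the host-level control that should already be redundant on patched systems; applying it is still useful on hosts that cannot be patched promptly. Part 2 produces a compliance table; a `False` in the Compliant column for `RestrictDriverInstallationToAdministrators` means a policy has explicitly re-enabled non-admin driver installation and should be treated as a finding. Part 3 only returns events recorded after the log was enabled, so it belongs in a baseline rolled out ahead of time rather than in post-incident triage.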