Summary
Join Automox's cybersecurity experts as they discuss the latest Patch Tuesday updates, focusing on vulnerabilities in Active Directory, Hyper-V, and macOS 15.2. They highlight the importance of staying updated and the evolving threat landscape, particularly with the rise of phishing attacks and the need for robust security measures in enterprise environments.
Transcript
Ryan Braunstein:
Happy Patch Tuesday, everybody. Hope everyone survived the long, cold holiday season running your skeleton crews or just hoping to God nothing happened while you all were trying to enjoy your Christmas break. Today I have Tom Bowyer, who is pretty regular on this podcast, and Seth Hoyt, who is also a very big regular on this podcast.
Welcome everybody. Today we've got, it's kind of a light January, I would say. I don't know, what do y'all think? It's pretty kind of, yeah.
Tom Bowyer:
Yeah, I mean, it
Seth Hoyt:
Yep.
Tom Bowyer:
seems pretty light to me. You know, there are some vulnerabilities in here, this Patch Tuesday, that, you know, may or may not kind of give me a little pause, but in general, it feels like a pretty light slash typical, par for the course Patch Tuesday for Windows, right? Something surprising that I don't think I've seen in a long time, though, is all those telephony ones, which is
It's been years, you know, since I've seen anything related to telephony in any patch updates, but that still exists in Windows, apparently.
Ryan Braunstein:
Yeah.
Yeah, I don't think I've interacted with it in like a decade. You know, since the era of cloud, you know, like there's third-party cloud VoIP solutions, you know, they're just so much easier to work with.
Tom Bowyer:
No, yeah, absolutely, absolutely.
Ryan Braunstein:
Sorry, Microsoft, sorry.
Tom Bowyer:
Yeah, so beyond that, no, like, you know, scrolling through the release and everything, I didn't see anything that would particularly stand out that I'm too concerned about, right?
Ryan Braunstein:
Yeah, the only one that I see that's even being actively exploited is the Hyper-V kernel integration elevation of privilege vuln. It's got three CVEs for that. I mean, basically the attacker needs access to a guest system and the ability to execute code on it. And it's pretty easily worked around. I mean, if you have a good setup with your
Tom Bowyer:
Mm-hmm.
Ryan Braunstein:
with your VM hosts, you can just reduce the permissions within them as a workaround. Obviously patching; any good EDR will probably pick up on some suspicious behavior like this. And then, you know, there's the general rule of thumb, things like isolating high-value systems. But I mean, with none of those mitigations in place, this vulnerability can easily turn into a guest-to-host escape situation,
where basically someone gets complete control over every single one of your guest systems.
Tom Bowyer:
Yeah, and that's kind of what I was thinking through when I read this as well: is this another breakout that you need to be concerned about? And, you know, Microsoft didn't provide too many details around the CVE itself, or if this was kind of a breakout scenario. So, you know, I hope maybe that'll change in the coming days, or if they provide a better summary of what actually is going on here, because, you know, the notes
Ryan Braunstein:
Yeah.
Tom Bowyer:
are pretty light, right? An attacker who successfully exploited this vulnerability could gain system privileges. Well, which system, right? Is that the guest system? Is that the hypervisor? I do wish they would have provided a little bit more detail there, but you know.
Ryan Braunstein:
Yeah.
Yeah, and
I always go to the worst possible scenario when I read something vague like that. I mean, until I get more details, you want to prepare for the worst in that kind of situation. And also, hopefully, when you're dealing with Hyper-V, you're just using best practices in that sense.
Tom Bowyer:
Yeah.
Absolutely. Yeah. It's quite the, you know, scary one sometimes when you're thinking about it, you know, especially Hyper-V. A lot of untrusted VMs get run in Hyper-V. And if you're like a, you know, if you provide compute services to customers or other untrusted vendors, then there's always that possibility that someone's in the systems doing something they shouldn't be doing. And you don't necessarily have
control of those guests. It's always something to be paranoid about, you know.
Seth Hoyt:
Yep.
Ryan Braunstein:
Yeah, definitely. What other ones have we got here today? Seth, you have one. It was around Active Directory.
Tom Bowyer:
Yeah.
Seth Hoyt:
Yeah, I was looking at one. It's CVE 21293. It's an Active Directory Domain Services priv-esc vulnerability. This one could be concerning. It hasn't been exploited in the wild as of yet. But an attacker who successfully exploited this vulnerability could gain system privileges. So again, you have a full admin access situation. The way to exploit this one is basically
the attacker has to have a victim open a malicious file. So again, we're getting into phishing territory. So, you know, with AI these days, these phishing emails are getting pretty crafty. You know, AI has made it incredibly easy to craft these new waves of phishing emails. So they start being pretty convincing. So you get a user to click on one of these and gain access to a system, or
Ryan Braunstein:
Yeah.
Tom Bowyer:
Yeah.
Seth Hoyt:
if you get access to the actual AD server itself, you get full admin on an AD server, it's looking pretty bad. So hopefully in this situation, you do have your next-gen AV endpoint protection, getting your logs into the SIEM, things like that. Hopefully by the time that malicious executable is executed, it's either stopped at the door or at least picked up by an alert.
Ryan Braunstein:
Yeah.
Tom Bowyer:
Yeah. We all know that people, you know, they don't use domain controllers for the most random things, right? Like browsing the internet or downloading things that they're not supposed to be downloading. It's put away in the closet where it should be and, you know, protected very well, right? Like that's...
Ryan Braunstein:
Yep.
Sure. No one has ever gone onto a domain controller and just, you know, Googled some kind of driver update to download to it, you know?
Tom Bowyer:
It is a well-backed-up and well-protected system, as we all know, across the industry. There's, yeah, it's not living under some desk that you're kicking every day, you know? Not speaking from any personal experience in this regard, but, you know, often those critical business systems are placed in areas they're not supposed to be placed in.
Ryan Braunstein:
Always. I mean, probably one of the best backed up.
Yep, yep, I have... I have also never worked at an organization that has leveraged Active Directory that has not backed it up properly and taken great care of it. I have also never worked at a place that hasn't synced that Active Directory to two other Active Directories that possibly propagate those roles out that could be taken over.
Tom Bowyer:
Yeah, you know, or... Just sometimes you gotta check your email on the domain controller, you know, because you're busy, right? It's hard out here. So, you know, not a high bar here for an attacker. Yeah.
Ryan Braunstein:
Yeah. Yeah.
Well, and it's a Microsoft domain controller, so you want to load your Microsoft apps on it, you know, like your Outlooks and...
Tom Bowyer:
Sure.
Absolutely,
Ryan Braunstein:
My god.
We're terrible.
Tom Bowyer:
Yeah. Yeah.
Ryan Braunstein:
Yes.
Well, aside from the Windows side of things, we do have a couple of, you know, Mac vulnerabilities that are being taken care of in the most recent update as well. Is it 18.2?
Tom Bowyer:
Yeah, I think that's the one for iOS, but for Mac itself, the 15.2 update in early to mid December shipped a bunch of fixes, and the ones that stood out to me are the WebKit ones, which, you know, I think I've talked about many, many, many times on this podcast. I feel Mac has, you know, come under increased scrutiny as it kind of takes some market share in the enterprise.
Ryan Braunstein:
Yeah.
Tom Bowyer:
And, you know, a lot of this, I think, comes out of that, you know, people from, you know, Google Project Zero or other initiatives are looking through WebKit and a lot of these other fundamental Mac applications and, you know, diving into the security of them. And, you know, unfortunately, a lot of it is like, you know, maliciously crafted websites lead to RCE, which,
you know, happens from time to time. I think in Chrome and Firefox and a lot of these other browsers, but there's always this like, at least the sentiment that I've seen through the last five or so years is that, you know, most of the, you know, the attack vector is always like the user downloads something and then they execute it. I've downloaded a malicious file and we tricked the user into executing it, but
you know, these are a step up, right? All you've got to do is trick them into browsing to a webpage, or you host these. You know, you take over or you buy malicious ads and you can host like these links here, and it could lead to RCE just by navigating to a website. So it makes me a little bit more paranoid when I'm browsing around the internet and when I'm clicking around.
But absolutely, if you're running macOS, make sure you're on the latest version on both your iPhones and your laptops and stuff.
Ryan Braunstein:
Yeah, I mean, it's also such a different sentiment than like where things were even five to seven years ago around macOS. I feel like everyone just felt cozy on the Mac. Like they felt so safe, you know, like nothing, nothing bad's going to happen here, you know. And I think really it's just the threat was always there. People just weren't digging as hard, you know, because it just wasn't as involved in your everyday work
Tom Bowyer:
Yeah.
Yeah.
Mm-hmm.
Ryan Braunstein:
space, like, at least not in my experience back then, but...
Tom Bowyer:
Yeah.
Yeah, it was a very developer.
Seth Hoyt:
Yeah, you want to get the biggest bang for your buck when you're writing that malware. So who are you going to hit? You know, you're going to hit Windows. You know, everyone's like, does it get viruses? It's like, well, right now it's not worth their time. And now we're in a spot where, you know, a lot of corporations are picking up, you know, Macs for enterprise and everything. So yeah, that user base is growing, and so is the malware.
Tom Bowyer:
Yeah, exactly.
Ryan Braunstein:
Yeah.
Tom Bowyer:
Yeah.
Absolutely. And I think that trend will continue, right? Because it is a more, I don't know, I don't want to say from an end-user perspective, it's a lot easier to use a Mac, but from an administrator perspective, it's very difficult to maintain and manage Macs at like an enterprise level. So even a lot of modern EDRs are very tuned for Windows-specific threats and Windows-specific environments.
Oftentimes Mac is kind of a best effort, which, you know, leaves much to be desired, but as administrators and as security professionals that have Macs in the enterprise, right, like those threats are there, are real, and are increasing. So having that kind of threat landscape in your mind and understanding how they're approaching attacking Mac is really important to start thinking about.
Ryan Braunstein:
Yeah, definitely when it comes to tuning your SIEM, good detection engineering around your endpoints. I mean, it's kind of paramount at this stage of the game until some of that stuff catches up. I think that's just kind of been one of the things that I think about more recently about Macs. As we try to manage our own endpoints here, the detection engineering that we
Tom Bowyer:
Mm-hmm.
Ryan Braunstein:
write internally is sometimes a few steps ahead of what is being just kind of automatically pushed through like an EDR or some toolset like that.
Tom Bowyer:
Absolutely.
Ryan Braunstein:
Yeah. But yeah, I think that kind of brings us to the end of this week's podcast, but we really want to thank you all for tuning in. Stay safe out there and stay patched.
Tom Bowyer:
Happy New Year everyone.
Seth Hoyt:
Happy New Year.
Ryan Braunstein:
Happy New Year!