Transcript
came out from a Microsoft perspective and how that's impacting from a global news perspective. The zero-day vulnerability is an RCE vulnerability in a web dev. We're going to talk about that a little bit more in depth here in a moment, but this is a part of a threat actor campaign, so a nation state level APT called Stealth Falcon. They typically target Middle Eastern countries and have been very active, and this is one of the most recent vulnerabilities they've been using. So this talks about the web dev protocol that was being exploited, a little bit about how they're doing this, basically using a deceptive URL to basically convince a user to click on something, and then from there, a little bit about how they're executing their attack. So it's a good read just to understand the vulnerability itself and how it's being used in the wild. And for those of you who may be exposed from a targeting perspective, this gives you an idea of where this threat actor is operating. Most of you on here today may not be in an area where this is being targeted, but anybody who has entities over in Middle East and Africa, especially in the government and defense sectors in Egypt, Qatar, Turkey, and Yemen, that's where the attacks right now have been focused and where Stealth Falcon typically operates. So one interesting conversation I had a couple of weeks ago was, when do you make the decision to shift from regular maintenance mode into zero-day response mode? Learning to understand how a vulnerability like this is being used in the wild helps you to make those decisions. In this case, the vulnerability here is being used by a threat actor who has a fairly targeted kind of region that they operate in and targets that they typically go after. If you don't fall within that target, it doesn't mean you're 100% safe. It does though reduce the risk that you could be targeted sooner. So making the decision to go into zero-day mode versus sticking with your normal maintenance, this kind of starts to give you that context. You may have the need to take systems offline for a second maintenance window if you want to go into zero-day mode. If you decide to do that, you can have that kind of risk analysis of, okay, if we've got our business critical application, it's a server group of 10 servers that we would have to take down to patch that update if we needed to. For that, it costs us $5 million to take it offline for an extra maintenance window. That compared to the risk of this, if I'm not in the vertical they're targeting, if I'm not in the regional that this is being targeted in, the risk of this impacting my environment drops down steadily. So I may choose to not change my tactic there. So this kind of information, that's why we try to identify more about this as we talk about, especially the zero-days, that helps give people context to, and even links to the information to try to help make those decisions if necessary. So again, these links are here for you to be able to utilize to try to understand if you need to make any decisions there in your environment. And oftentimes it's good to just understand how threat actors are using these vulnerabilities so you can adjust your layers of defense within your organization. In this case, there's a social element. Is the type of attack they're doing something that you're using as an example within your phishing training within your organization? A lot of times our own security team here at Avanti will, if they've blocked a campaign that was trying to target us, they'll oftentimes look at that campaign and see how it differs from other training we've done and even replicate that campaign to do for internal phishing training. So things like that can help you adapt and adjust your approach to securing your environment beyond just the, do I need to make a decision about when and how soon I might patch? So some good information in this article that kind of talks about the particular tactics of this threat actor in there. Here's another one, the second article here.