Microsoft and Adobe have issued security patches, including for legacy/unsupported platforms such as Windows XP, Server 2003 and Vista, to address multiple vulnerabilities on systems believed to be at imminent risk. These security advisories were released concurrently with alerts regarding North Korean DDoS botnet infrastructure (HIDDEN COBRA).
Security Bulletins:
US-CERT Alert: TA17-164A
https://www.us-cert.gov/ncas/alerts/TA17-164A
Microsoft Security Advisory 4025685
https://technet.microsoft.com/en-us/library/security/4025685.aspx
Adobe Bulletins: APSB17-17 and APSB17-18
https://helpx.adobe.com/security/products/flash-player/apsb17-17.html
https://helpx.adobe.com/security/products/shockwave/apsb17-18.html
rmsource Recommendations:
System Patching
Given the severity of the vulnerabilities and the number of available exploits, rmsource recommends that the Microsoft and Adobe security patches be installed at the earliest available window, and that any company still running unsupported systems, such as Windows XP and Server 2003, continue to migrate to supported platforms.
Intrusion Prevention
Geo-Protection:
While US-CERT has provided indicators of compromise (IOCs), including watch-list source IP addresses, the list is too extensive for practical Access Control List implementation. rmsource recommends implementing Intrusion Prevention Geo-Protection to block attacks by source location (the IOC source addresses are listed in US-CERT Alert TA17-164A, linked above).
Please note: Geo-Protection is an Advanced Threat Mitigation feature and may not be available on all firewall platforms. If Geo-Protection is enabled, care and planning must be given to ensure legitimate traffic is not blocked.
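Where Geo-Protection is unavailable, the watch list can still be put to use by collapsing the individual addresses into CIDR prefixes (a much shorter ACL) and by matching firewall log source addresses against those prefixes for detection. The script below is an added example, not rmsource's tooling and not part of the US-CERT alert; it assumes a hypothetical syslog-style log format, uses RFC 5737 documentation addresses as a constructed stand-in for the real IOC list, and emits deny rules in an illustrative vendor-neutral syntax that must be adapted to the firewall in use.

```python
import ipaddress
import re

# Constructed stand-in for the watch-list source addresses in US-CERT Alert
# TA17-164A. These are RFC 5737 documentation addresses, not real indicators;
# the real list is far longer and should be loaded from the alert's IOC file.
SAMPLE_IOC_IPS = [
    "192.0.2.8", "192.0.2.9", "192.0.2.10", "192.0.2.11",
    "198.51.100.4", "198.51.100.5",
    "203.0.113.77",
]

# Constructed, syslog-style firewall lines (hypothetical format, no real device).
SAMPLE_LOG_LINES = [
    "Jun 13 10:01:02 fw1 allow src=192.0.2.11 dst=10.0.0.5 dport=445",
    "Jun 13 10:01:05 fw1 allow src=10.0.0.9 dst=10.0.0.5 dport=443",
    "Jun 13 10:02:17 fw1 deny src=203.0.113.77 dst=10.0.0.7 dport=3389",
]

SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")


def collapse_iocs(ips):
    """Merge single IOC addresses into the smallest covering set of CIDR networks.

    Adjacent /32s are folded into larger prefixes, which is what makes a long
    watch list manageable as an ACL. Invalid entries raise ValueError so that a
    malformed IOC file is noticed rather than silently skipped.
    """
    nets = [ipaddress.ip_network(ip.strip(), strict=True) for ip in ips]
    return sorted(ipaddress.collapse_addresses(nets))


def acl_lines(nets):
    """Render deny rules in an illustrative, vendor-neutral syntax (assumption:
    adapt the line format to the firewall actually in use)."""
    return [f"deny ip from {net} to any" for net in nets]


def match_log_lines(lines, nets):
    """Return (line, matching_network) for every log line whose source address
    falls inside one of the collapsed IOC networks. Lines without a parseable
    src= field are ignored."""
    hits = []
    for line in lines:
        m = SRC_RE.search(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # e.g. an out-of-range octet such as 300.1.2.3
        for net in nets:
            if src in net:
                hits.append((line, str(net)))
                break
    return hits


if __name__ == "__main__":
    nets = collapse_iocs(SAMPLE_IOC_IPS)
    print(f"{len(SAMPLE_IOC_IPS)} addresses collapsed to {len(nets)} networks")
    for rule in acl_lines(nets):
        print(rule)
    for line, net in match_log_lines(SAMPLE_LOG_LINES, nets):
        print(f"IOC hit ({net}): {line}")
```

With the sample data the seven addresses collapse to three prefixes, and two of the three log lines are flagged. Prefix aggregation only helps where indicators cluster in adjacent address space; for a list of scattered /32s the output is no shorter than the input, which is when a log-matching detection rule (or Geo-Protection, where the platform offers it) is the more practical control.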
Signature Set:
rmsource recommends updating all Intrusion Prevention platforms so that the signatures addressing the following CVEs are set to detect or prevent.
Please note: depending on the IPS platform, it is possible that not all CVEs have been addressed. rmsource recommends continued monitoring of signature releases for any CVE not currently addressed by an IPS signature.
CVE-2017-0267
CVE-2017-0280
CVE-2017-7269
CVE-2017-8461
CVE-2017-8464
CVE-2017-8487
CVE-2017-8543
CVE-2017-8552
CVE-2017-3075
CVE-2017-3081
CVE-2017-3083
CVE-2017-3084
CVE-2017-3076
CVE-2017-3077
CVE-2017-3078
CVE-2017-3079
CVE-2017-3082
CVE-2017-3086
CVE-2017-0176
CVE-2017-0222
CVE-2017-0143
CVE-2017-0144
CVE-2017-0145
CVE-2017-0146
CVE-2017-0148
CVE-2009-2526
CVE-2009-2532
CVE-2009-3103
CVE-2008-4250
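Checking which of the CVEs above actually have a signature, and whether that signature only alerts rather than drops, is easier from a signature export than from a console. The script below is an added example and not rmsource's tooling; the CSV signature export it parses is entirely constructed (the signature IDs, names, actions and CVE mappings are made up and describe no real vendor's signature set), and the column names are an assumption to be adjusted to the real export format. The CVE list itself is the one given in this advisory.

```python
import csv
import io
import re

# The CVEs named in the advisory's signature-set recommendation.
ADVISORY_CVES = [
    "CVE-2017-0267", "CVE-2017-0280", "CVE-2017-7269", "CVE-2017-8461",
    "CVE-2017-8464", "CVE-2017-8487", "CVE-2017-8543", "CVE-2017-8552",
    "CVE-2017-3075", "CVE-2017-3081", "CVE-2017-3083", "CVE-2017-3084",
    "CVE-2017-3076", "CVE-2017-3077", "CVE-2017-3078", "CVE-2017-3079",
    "CVE-2017-3082", "CVE-2017-3086", "CVE-2017-0176", "CVE-2017-0222",
    "CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145", "CVE-2017-0146",
    "CVE-2017-0148", "CVE-2009-2526", "CVE-2009-2532", "CVE-2009-3103",
    "CVE-2008-4250",
]

# Constructed sample of an IPS signature export. Signature IDs, names, actions
# and CVE references are invented for this example; the column layout is an
# assumption and must be matched to the real platform's export.
SAMPLE_SIGNATURE_EXPORT = """sig_id,name,references,action
1001,SMB remote code execution attempt,"CVE-2017-0143 CVE-2017-0144 CVE-2017-0145 CVE-2017-0146 CVE-2017-0148",drop
1002,IIS WebDAV buffer overflow,CVE-2017-7269,drop
1003,Flash Player memory corruption,"CVE-2017-3075, CVE-2017-3081, CVE-2017-3083, CVE-2017-3084",alert
1004,Windows Search remote code execution,cve-2017-8543,drop
1005,Server service RPC overflow,CVE-2008-4250,drop
"""

# Matches CVE identifiers in any case; sequence numbers may exceed four digits.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)


def parse_signature_export(export_text):
    """Map each CVE referenced in the export to the (sig_id, action) pairs that cite it."""
    coverage = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        action = row["action"].strip().lower()
        for cve in CVE_RE.findall(row["references"]):
            coverage.setdefault(cve.upper(), []).append((row["sig_id"], action))
    return coverage


def coverage_report(advisory_cves, export_text):
    """Split the advisory's CVEs into covered, uncovered, and covered-by-alert-only.

    'alert_only' lists CVEs whose every citing signature merely alerts, i.e. the
    platform can detect but is not configured to prevent.
    """
    coverage = parse_signature_export(export_text)
    wanted = {c.upper() for c in advisory_cves}
    covered = {c: coverage[c] for c in wanted if c in coverage}
    uncovered = sorted(wanted - set(covered))
    alert_only = sorted(
        c for c, sigs in covered.items() if all(a == "alert" for _, a in sigs)
    )
    return {"covered": covered, "uncovered": uncovered, "alert_only": alert_only}


if __name__ == "__main__":
    report = coverage_report(ADVISORY_CVES, SAMPLE_SIGNATURE_EXPORT)
    print(f"covered: {len(report['covered'])}, uncovered: {len(report['uncovered'])}")
    for cve in report["uncovered"]:
        print(f"NO SIGNATURE  {cve}")
    for cve in report["alert_only"]:
        print(f"ALERT ONLY    {cve}  {report['covered'][cve]}")
```

Re-running the report after each signature release turns the "continued monitoring" recommendation into a repeatable check: the uncovered list should shrink over time, and anything that stays on the alert-only list is a candidate for switching its action to prevent once it has been validated against legitimate traffic.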