October 8, 2019
This Is Why You Have To Protect All Users And Not Only Your Top Level Management
It was a summer to forget for Exim - it disclosed a second critical vulnerability in just three months.
News about Exim is a lot like news about Facebook. You can just recycle the same headlines over and over again, because some things never really change.
For the uninitiated, there’s a new case of Exim being susceptible to remote code execution. This time Exim before 4.92.2 “allows remote attackers to execute arbitrary code as root via a trailing backslash.”
Well, maybe that has something to do with “Lilocked” aka “Lilu” ransomware.
Maybe not, but these events can be tied together.
Just 2 Reasons Why You Have To Cover All Your Bases
I hear one thing too often for my own liking:
We only need robust security for our top management, regular users don’t need the same level of protection.
I have many thoughts regarding this school of thought, but I will keep it short and sweet, highlighting just two reasons why you need to upgrade your entire team instead of cherry-picking, which only gives the adversary more hints about where the gaps are.
Fact number one - everyone uses email.
If your email protection policy covers only the C-level and leaves the “general public” behind, you are still flirting with a data breach, since all the email correspondence those users generate remains open to outside interference.
The two latest Exim vulnerabilities can lead to total information disclosure, with all files on the system being revealed. Both CVEs can lead to a total compromise of system integrity: a complete loss of system protection, leaving the entire system compromised.
Finally, there is a potential for a total shutdown of the affected resource, as the attacker can render the resource completely unavailable.
Also, let’s not forget about lateral network movement. The adversary is more likely to break into a low-level web server or email account and then move laterally from this initial compromise to reach their intended target.
The initial compromise doesn’t cause much damage on its own, but it acts as a stepping stone for threat actors to undermine the security of the properly protected systems.
This Lilu Is Far More Dangerous Than Leeloo From 5th Element
There’s also a second point, if the first one wasn’t good enough.
To get into it, we have to look at the Lilu ransomware case once more, even though it may not have any connection to critical Exim vulnerabilities.
When Lilu reaches your machine, the usual taunting text will tell you that all your sensitive data is encrypted, and that you have to buy a decryption key for a victim-friendly sum of $325 (converted from Bitcoin) for each infected machine.
And how many computers do you have in your office? In moments like this, I hate math.
Now you hopefully understand why it makes perfect sense to protect all your users, and not only top management. I would recommend that anyone move away from the old model of thinking and embrace the fact that every device, piece of software or user is vulnerable. To find more information about the methods to mitigate this risk, I encourage you to check another Exim-inspired blog post at StealthMail.com.