Zyklon malware and the role of credentialed vulnerability scanning

19 January 2018

As many in the security world know, a piece of malware known as Zyklon made a resurgence this week using relatively new vulnerabilities in Microsoft Office. As is typically the case after new vulnerabilities or attacks are exposed, people are left wondering what they can do to prevent being targeted by cybercriminals.

Our security team here at IGI has some advice to avoid not only Zyklon, but other malware and threats to your network.

Perhaps the most important advice is to always keep your software and systems up to date. This case presents a perfect example of this, as the threat actors incorporated recently discovered vulnerabilities in an extremely popular software—Microsoft Office—to increase the potential for successful infections. In addition to the Microsoft Office flaws, another flaw exploited to deliver Zyklon is CVE-2017-11882, a 17-year-old vulnerability in the Equation Editor component that Microsoft patched in November. It’s important to note that CVE-2017-11882 has been leveraged by Iranian cyberspies, the Cobalt hacking group, and others, according to SecurityWeek.

Keeping your software and systems up to date and patched is crucial, as we mentioned, but the best way to do that is with vulnerability scanning and, more specifically, credentialed scanning. IGI’s own vulnerability management solution, Nodeware, can perform credentialed scanning, so we’re well-versed on this topic.

Nodeware is a continuous vulnerability management solution that enables you to keep your system and software up to date with real-time vulnerability management alerts and instructions to remediate known vulnerabilities. Credentialed scanning allows Nodeware to analyze installed software—like Microsoft Office, in this case—and provide users with version and patch levels, so we can alert users if they’re running an out-of-date or unpatched version of Microsoft Office. In the case of the Zyklon attack, all versions of Microsoft Office from 2007 to the present (2007, 2010, 2013, 2016) are vulnerable.

There are numerous benefits to Nodeware’s credentialed scanning, including providing a safer way to get valuable security information and producing more accurate scan results. By using secured credentials, Nodeware can be granted local access to scan the target system without requiring an agent, providing a bigger picture of customers’ vulnerabilities. This level of access often results in the discovery of more missing patches or vulnerabilities that can then be addressed easily by following instructions available within the Nodeware interface.
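To make concrete what a credentialed scan collects that an unauthenticated network scan cannot, here is an added example (not Nodeware's own code): a PowerShell function with a hypothetical name, Get-OfficePatchFacts, that authenticates to a host over WinRM with an explicit credential and reads the installed Office products, the Equation Editor file version, and the most recent hotfix from the registry and file system. It assumes WinRM is enabled on the target and that the supplied account is permitted to connect remotely; the registry and file paths are the standard Windows and Office locations.

```powershell
# Added example, not Nodeware code. Assumes WinRM is reachable on the target
# and that $Credential is a scanning account allowed to connect remotely.
function Get-OfficePatchFacts {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    Invoke-Command -ComputerName $ComputerName -Credential $Credential -ScriptBlock {
        # Installed Office products and versions, from both uninstall hives
        # (64-bit and 32-bit/WOW6432Node); this is local data a network-only
        # scan never sees, which is why credentialed results are more accurate.
        $uninstall = @(
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
        )
        $office = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like 'Microsoft Office*' } |
            ForEach-Object { '{0} {1}' -f $_.DisplayName, $_.DisplayVersion }

        # Equation Editor, the component behind CVE-2017-11882, ships as
        # EQNEDT32.EXE under Common Files; record its file version if present.
        $eqnPaths = @(
            "$env:CommonProgramFiles\Microsoft Shared\EQUATION\EQNEDT32.EXE",
            "${env:CommonProgramFiles(x86)}\Microsoft Shared\EQUATION\EQNEDT32.EXE"
        )
        $eqn = foreach ($p in $eqnPaths) {
            if (Test-Path -LiteralPath $p) {
                '{0} ({1})' -f (Get-Item -LiteralPath $p).VersionInfo.FileVersion, $p
            }
        }

        # Most recent hotfix as a coarse signal of whether the host is being patched.
        $lastFix = Get-HotFix -ErrorAction SilentlyContinue |
            Sort-Object InstalledOn -Descending | Select-Object -First 1

        [pscustomobject]@{
            Computer       = $env:COMPUTERNAME
            OfficeProducts = @($office)
            EquationEditor = @($eqn)
            LastHotFix     = $lastFix.HotFixID
            LastHotFixDate = $lastFix.InstalledOn
        }
    }
}

# Usage: prompt for the scanning account's password, then query one host.
# $cred = Get-Credential; Get-OfficePatchFacts -ComputerName 'WORKSTATION01' -Credential $cred | Format-List
```

Compare the reported Office and Equation Editor versions against the fixed versions in Microsoft's advisories; a host that still carries an unpatched EQNEDT32.EXE is the kind of finding the article describes credentialed scanning surfacing.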

Current Nodeware customers who have not activated credentialed scanning on their domain should do so immediately by supplying domain admin credentials.

You can also avoid becoming a victim of a cyber attack, like Zyklon, by always being wary of opening attachments from senders you don’t know, and by running a virus and malware scanner on email attachments.

Visit nodeware.com to learn more.
