Microsoft DCOM hardening tool discovers vulnerabilities

B2B Cyber Security ShortNews


An open-source detection tool uncovers unsecured DCOM ahead of Microsoft's March 2023 patch. Users can quickly determine whether their networks contain unsecured DCOM that the new Microsoft patch will render unusable.

OTORIO has released the open-source Microsoft Distributed Component Object Model (DCOM) Hardening Toolkit. The aim is to protect OT systems from possible problems connected with an upcoming Microsoft patch, because Microsoft itself writes: “March 14, 2023: Hardening changes are enabled by default with no option to disable them. At this point, you must resolve any compatibility issues with the hardening changes and applications in your environment.”

Check before Microsoft switches

The standalone, open-source toolkit can be used by any organization to detect applications that use weak DCOM authentication and to provide temporary workarounds. OTORIO RAM² users also have automatic access to a new alert in Safe Active Query, enabling detection across the network.

The OPC Data Access (OPC DA) protocol was introduced in 1995 to enable real-time data communication between the programmable logic controller (PLC) and software in OT networks. However, OPC DA is based on DCOM technology, which has security vulnerabilities. In 2008, Microsoft introduced the non-DCOM dependent OPC Unified Architecture (OPC UA) protocol, but many industrial companies still use OPC DA.

Microsoft patch comes in phases

In 2021, Microsoft acknowledged a critical vulnerability in its DCOM protocol and announced a hardening patch to strengthen authentication between DCOM clients and servers. To minimize service disruption, the patch was released in phases. The first phase introduced the ability to enable hardening against weak DCOM authentication levels, but left it disabled by default; the second enabled hardening by default with an option to disable it; the third automatically raised the authentication level of all non-anonymous activation requests from DCOM clients; and on March 14, 2023, Microsoft will issue a new patch that removes the option to allow unsecured DCOM altogether.

Does the code have a problem or not?

With OTORIO's DCOM Hardening Toolkit, users can quickly determine if their networks contain unsecured DCOM that the new patch will render unusable. It then provides remediation instructions to ensure organizations remain in full control of their OT devices.
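The "check before the patch lands" that the article describes can be done by hand on any Windows host. The following PowerShell is an added example written for this article; it is neither OTORIO's toolkit nor Microsoft code. The registry value and the event IDs it reads (10036, 10037, 10038 from the Microsoft-Windows-DistributedCOM provider) come from Microsoft's published DCOM hardening documentation (KB5004442), not from the article; the host names, addresses, file path and SID in the sample records are constructed.

```powershell
# Added example for this article; it is not OTORIO's toolkit and not Microsoft
# code. It reads the two signals Microsoft documents for the DCOM hardening
# change (KB5004442):
#   1. Registry value RequireIntegrityActivationAuthenticationLevel under
#      HKLM\SOFTWARE\Microsoft\Ole\AppCompat: 0 = hardening off, 1 = on.
#      The March 2023 update ignores this value and always enforces hardening.
#   2. System log events from provider Microsoft-Windows-DistributedCOM:
#      10036 = this server rejected a remote activation that used a level
#              below RPC_C_AUTHN_LEVEL_PKT_INTEGRITY (level 5)
#      10037 = a local application explicitly requested a level below 5
#      10038 = a local application relied on a default level below 5
# Every hit names a client/server pair that stops working once hardening can
# no longer be disabled.

function Get-DcomHardeningRegistryState {
    $key  = 'HKLM:\SOFTWARE\Microsoft\Ole\AppCompat'
    $name = 'RequireIntegrityActivationAuthenticationLevel'
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not set (default of the installed update applies)' }
    switch ($item.$name) {
        0       { return 'disabled (0); ignored after the March 2023 update' }
        1       { return 'enabled (1)' }
        default { return "unexpected value $($item.$name)" }
    }
}

function Get-WeakDcomAuthEvent {
    # Live query of the System log; returns nothing if no weak activations were logged.
    param([int]$Days = 30)
    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-DistributedCOM'
        Id           = 10036, 10037, 10038
        StartTime    = (Get-Date).AddDays(-$Days)
    }
}

function Get-WeakDcomAuthSummary {
    # Collapses the events to one line per affected peer/application pair.
    # Accepts any objects with Id, TimeCreated and Message, so it can be run
    # on constructed records as well as on Get-WinEvent output.
    param([object[]]$Events)
    if (-not $Events) { return }
    $rows = foreach ($e in $Events) {
        $peer = $null; $app = $null
        if ($e.Id -eq 10036 -and $e.Message -match 'from address (\S+)') {
            $peer = $Matches[1]
        }
        elseif (($e.Id -in @(10037, 10038)) -and
                $e.Message -match 'Application (\S+) with PID \d+ .*?on computer (\S+)') {
            $app  = $Matches[1]   # \S+ assumes an executable path without spaces
            $peer = $Matches[2]
        }
        [pscustomobject]@{
            Id   = $e.Id
            Role = if ($e.Id -eq 10036) { 'server rejected remote client' } else { 'local client too weak' }
            Peer = $peer
            App  = $app
            Last = $e.TimeCreated
        }
    }
    $rows | Group-Object Id, Peer, App | ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            Id    = $first.Id
            Role  = $first.Role
            Peer  = $first.Peer
            App   = $first.App
            Count = $_.Count
            Last  = ($_.Group | Sort-Object Last -Descending | Select-Object -First 1).Last
        }
    }
}

# Constructed sample records (not real logs), shortened to the parts of
# Microsoft's 10036/10037 message templates that the parser relies on.
# Host names, addresses, the path and the SID are made up.
$sample = @(
    [pscustomobject]@{ Id = 10036; TimeCreated = Get-Date '2023-03-01 08:00'
        Message = 'The server-side authentication level policy does not allow the user LAB\opcsvc SID (S-1-5-21-0-0-0-1001) from address 10.10.20.15 to activate DCOM server.' }
    [pscustomobject]@{ Id = 10036; TimeCreated = Get-Date '2023-03-02 09:30'
        Message = 'The server-side authentication level policy does not allow the user LAB\opcsvc SID (S-1-5-21-0-0-0-1001) from address 10.10.20.15 to activate DCOM server.' }
    [pscustomobject]@{ Id = 10037; TimeCreated = Get-Date '2023-03-02 10:15'
        Message = 'Application C:\OPC\Client.exe with PID 4120 is requesting to activate CLSID {00000000-0000-0000-0000-000000000000} on computer OPC-SRV01 with explicitly set authentication level at 2.' }
)

"Registry override: $(Get-DcomHardeningRegistryState)"
Get-WeakDcomAuthSummary -Events $sample | Format-Table -AutoSize
# On a live host, replace $sample with the last 30 days of real events:
# Get-WeakDcomAuthSummary -Events (Get-WeakDcomAuthEvent -Days 30) | Format-Table -AutoSize
```

The summary is deliberately per pair rather than per event: on the constructed records the two 10036 entries collapse into a single row for 10.10.20.15, which is the unit an OT team actually has to fix (raise that client's activation authentication level, or move it off OPC DA) before the March update makes the rejection permanent. Run it on every DCOM server and OPC client host, because 10036 is logged on the server side while 10037/10038 are logged on the client side.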

“Companies need to understand whether they have a problem or not, and that's where our toolkit comes in,” explains Yair Attar, CTO and co-founder of OTORIO. “If an organization applies the March patch and loses critical visibility and communication between nodes on its network, it could incur significant financial losses. Our goal is to prevent such a catastrophe.”

OTORIO's RAM² collects and analyzes multiple data sources present in the OT environment. These include, for example, SCADA (Supervisory Control and Data Acquisition), programmable logic controllers (PLCs), distributed control systems (DCS), historian databases, technical systems and more. The solution then enriches this analysis with operational context, vulnerabilities and exposures to assess the security posture and to identify and prioritize OT security threats.

Go to the OTORIO tool on GitHub
About OTORIO

OTORIO is an OT (Operational Technology) security company providing end-to-end solutions for proactive digital risk management. These help industrial companies around the world to maintain business continuity and protect ongoing operations. OTORIO provides comprehensive security risk assessment, monitoring and management solutions and services for critical infrastructure, intelligent transportation and logistics systems and industrial manufacturing companies.
