Categories
Cybersecurity Advisories Uncategorized

Vulnerability in XZ Utils Data Compression Library Impacting Multiple Linux Distributions (CVE-2024-3094)

Description of the vulnerability per NIST:

“Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting, and modifying the data interaction with this library.”

This vulnerability was intentionally induced by a supply chain attack. Starting in 2021, a suspected Threat Actor started to submit patches to open-source project on GITHUB, eventually focusing on the XZ Utils repository and becoming a co-developer. A fuller timeline of events can be found here. The backdoor/vulnerability was fully introduced in versions 5.6.0 and 5.6.1 of xz utils in February. Most production Linux distributions have not adopted these patches, but please check the following section to confirm that no affected versions are present in your environment.

Affected & Fixed Versions

Recommendations and Mitigations

SecurIT360 Managed SOC Clients:

  • For all active managed SOC EDR clients, we have checked our inventory across products and have already reached out if you have an affected Linux distribution.
  • For all active managed SOC MDR clients, we have also run an external Nessus vulnerability scan looking for affected versions and have again already reached out to any and all affected clients.

Otherwise, if you have any Linux endpoint that we do not monitor that you are concerned may be affected by this vulnerability, you can run a simple command of “xz –version” or “xz ultis –version” on these endpoints to confirm your versioning on the endpoint in question:

If any of your endpoints do presently use 5.6.0 and 5.6.1 of XZ Utils, we would recommend either updating or downgrading packages per the table above. For the case of Fedora 40-41 and Rawhide specifically the recommendation from Red Hat would be to power-down or stop using Rawhide for the time being, and to move to packages 5.4.X for Fedora 40-41. See Red Hat’s blog post on the subject for more information.

Resources & Related Articles

Categories
General Cyber and IT Security Uncategorized

Understanding DNSSEC and DNS Security

In our increasingly interconnected world, where the digital landscape expands every day, safeguarding our online presence has become vital. One fundamental yet often overlooked aspect of online security is Domain Name System (DNS) security. DNS is the backbone of the internet, responsible for translating domain names into IP addresses that computers can understand. To protect this system from threats, DNS security extensions (DNSSEC) plays a pivotal role.

How DNS Works

DNS Attacks

DNS spoofing and DNS cache poisoning are malicious techniques aimed at manipulating the Domain Name System (DNS) to redirect users to fraudulent websites or compromise network security. DNS spoofing involves forging DNS responses to trick a user’s device into believing it has received legitimate information when, in reality, it’s been directed to a malicious site. This can lead to various security breaches, including phishing attacks. On the other hand, DNS cache poisoning involves corrupting a DNS server’s cache with fraudulent data. Once the cache is poisoned, the server can distribute this tainted information to users, redirecting them to attacker-controlled websites. Both DNS spoofing and cache poisoning are serious threats to the integrity of the DNS infrastructure that highlight the importance of DNSSEC.

DNSSEC

DNSSEC is a suite of extensions to DNS that adds an extra layer of security by digitally signing DNS data. This verification process ensures that the data retrieved from DNS servers is authentic and hasn’t been tampered with by malicious actors. Here’s how it works:

  1. Signing Zone Data: DNSSEC involves signing zone data with cryptographic signatures. Each DNS record in a zone is signed using a private key.
  2. Public Key Distribution: The public key for each zone is published in a DNS record called the Delegation Signer (DS) record. This record is stored in the parent zone, creating a chain of trust. The public key is paired with a private key which is typically stored offline. This creates a digital signature which is published to DNS.
  3. Authentication: When a user’s device queries a DNS server for a domain, the server provides not only the requested data but also the corresponding digital signature. The user’s device uses the public key stored in the DS record to verify the signature’s authenticity.
  4. Validation: If the signature is valid, the DNSSEC client trusts the data it received, knowing it hasn’t been altered during transmission.

How DNSSEC Works:

Benefits of DNSSEC:

  1. Data Integrity: DNSSEC ensures that the DNS data remains unchanged, preventing attackers from redirecting users to malicious websites.
  2. Authentication: It guarantees that the data comes from a legitimate source, reducing the risk of DNS spoofing attacks.
  3. Trust Chain: By establishing a trust chain through DS records, DNSSEC enhances the security of the entire DNS hierarchy.

Challenges with DNSSEC:

While DNSSEC offers robust security, its adoption faces some challenges:

  1. Complex Implementation: DNSSEC implementation can be complex and may require significant effort. However, other DNS providers may offer to enable DNSSEC as part of your DNS package.
  2. Compatibility: Not all DNS servers and clients support DNSSEC, which can lead to compatibility issues.
  3. Key Management: Managing cryptographic keys can be challenging and requires careful consideration.
  4. Increased Packet Size: DNSSEC can result in larger DNS responses, which may impact network performance.

Other DNS Security Options:

DNSSEC is a cornerstone of DNS security, but several other extensions complement it:

  1. DNS-based Authentication of Named Entities (DANE): DANE allows domain owners to associate their TLS certificates with DNS records, improving the security of encrypted connections.
  2. Response Policy Zones (RPZ): RPZ enables DNS servers to block or redirect requests to known malicious domains.
  3. DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT): These protocols encrypt DNS traffic, preventing eavesdropping and manipulation.

In conclusion, DNSSEC is an essential component of our digital defense. DNSSEC provides a robust framework for ensuring the integrity and authenticity of DNS data. The benefits of a more secure and trustworthy internet make the adoption of DNS security extensions a worthy investment in our digital future.

 

Categories
Uncategorized

Coronavirus Cyber Security Challenges – The Remote Workforce

The Cyber Security Implications of the Coronavirus

As the fear of the Coronavirus – COVID-19 – spreads, governments and companies are looking for containment strategies that reduce human contact.  Exposed cities are on lockdown, forcing any work to be done remotely and there are more restrictions to come.  Some companies have already closed locations as a precaution, and as restrictions increase, others will be forced to send workers home to work remotely.  The criminals have already started the scams: phishing campaigns to take people to fake news updates to see if they can entice a click.  That is the easy starting place.  No doubt that the cyber criminals will find other ways to try to monetize the situation including new types of Ransomware attacks.

Need help?
Contact one of our representatives and we’ll help you find solutions.

Remote Security Posture vs. Capacity

Many have created remote security policies and procedures to address the potential risks which need to be taken into consideration.  Systems have been designed with capabilities to allow secure remote access and keep sensitive data safe, but they often don’t have the capacity for everyone or even most of the organization to work remote simultaneously.  

Will the workarounds and changes you make to accommodate the need for operations compromise your security?  They might.  It is situations like COVID-19 where the urgency of a solution often does not get full Cyber Security due diligence.  Or, there is not enough time and funds available to implement a prudent secure solution that considers the risks. 

What to Do

Evaluate Risk

The discipline of applying cybersecurity protections is centered around the risk to the organization, its people, its systems, and the information.  Now, you don’t have to stop what you are doing for a couple of weeks and perform a formal risk assessment, but could an extra day or week for a more secure solution reduce hundreds of thousands or millions of risk?  Here are some basics about remote access that you should consider:

  • Who will be accessing the resources?
  • What devices will be used to access resources?
  • What resources will be accessed?  Data, Networks, Applications, Physical systems, etc.
  • What will the individuals be doing with the resources?  Download, screenshot, email, copy, print, control other systems, etc.
  • Will remote access to the information comply with statutory and client requirements that we must abide by?
  • If all of the above are not created equal (and they are not), then which might need to be treated differently?
  • See other known risks below

Implement MultiFactor Authentication 

For everything that is remotely accessible.  There are many options depending upon what you are trying to protect.  It is not a silver bullet and can be circumvented in some cases, but it GREATLY reduces your risk.  You should also require an additional layer or stronger security for certain individuals like your IT administrators and others with access to sensitive information.

Ensure that your basic security protections also apply

You MUST have difficult passwords, require patching, screen saver time-outs, and all of the other basics that you require for your internal network.  

Monitor Remote Access

Is that really John?  Why is he still working at 2:30am?  Geez, he is copying a lot of files right now.  You need to be able to understand that the remote behavior is legitimate and if not, take action.

Train Your Staff About Working Remotely

Ensure they know what is allowed and not allowed and what the risks are.

Consider a Tiered Solution

If you can’t provide the same level of security for everyone, then ensure that those that need the most security are on your best solution.  Create workarounds for others.  Many may be able to operate without remote access to the environment at all.  Cloud services come in handy here.  You can also check with your vendors about emergency temporary licensing or solutions.  See below for some considerations of different types of remote access. 

Known Risks Associated with Remote Access

You CANNOT and MUST NOT trust a home network

The PC itself is an unknown device that has many risks.  I hate to be the voice of doom, but it may already be compromised by a bad actor and be part of a botnet network or otherwise

  1. Could have multiple users including kids playing games and others going to known risky sites
  2. May have risky applications installed
  3. It may not have current or working Antivirus and security software in place
  4. It may not be fully patched and have many vulnerabilities
  5. It may not require a password
  6. You get the picture…

    The Network is consumer-grade and does not have the ability to offer protections that you depend on at work.

  7. Firewall.  There may not even be one, just the device provided by the Internet provider
  8. Security Monitoring and Alerting.  Mature business environments have regular information available to surface anomalies and other risks that home networks do not have
  9. There are other devices that are not secure on the network.  Other computers, mobile phones, smart refrigerators, home automation systems, and who knows what other new security risks (baby monitors…) 

Data Sprawl

This is a big one.  When users know that they may be out of the office for a while, they will find ways to be productive in the easiest manner possible AND they are less concerned about the security or compliance requirements.  Be aware:

  • People will email themselves information.  Either to a home account or to themselves in their corporate account
  • Data will be copied to USB keys and might be transferred to other file-sharing technologies
  • Now that this data is being duplicated into other places, how can we keep up with it and secure it
  • If allowed, the above-copied data will end up on non-company computing devices.  

Increased Scams

We have already mentioned the increase in phishing scams.  Since January, there is documented activity of a number of questionable registered websites related to COVID-19 and reputable organizations like the WHO with the intent to take advantage of those that are looking for legitimate information about the pandemic.

Free WiFi

Hopefully, this is happening a little less in this situation, but you could have workers trapped overseas or on a cruise ship that is using insecure remote access.  Educate and provide alternatives.

Physical Theft

Now that we have more folks out of the office and working on company-owned or personal devices, these devices could be targeted by criminals.  If they get their hands on a home PC – without a password – that has company or customer information on it…

Security Postures of Possible Solutions

Today’s technology provides quite a few options for remote access; some of which are more secure than others.  Below is a discussion about the security considerations of some of the most common methods.  NOTE:  MFA (MULTIFACTOR AUTHENTICATION) is paramount for the security of any remote access solution.  MFA is not the silver bullet as you will see below, but we would not consider a remote access solution without it.

1 – Virtual Desktops

These offer the most protection, if on a company-owned computer and configured correctly.  

Also known as VDI (Virtual Desktop Infrastructure) and DaaS (Desktop-as-a-Service).  VDI is typically hosted internally or privately, while DaaS is typically provided by a hosting company.  This includes VDI and DaaS.  (More about Remote Access at the end of this post.)

Advantages:

  • All of the data and applications remain on the virtual machine located within the data center and its security controls.  
  • You can enforce the same level of security (or a chosen level) based on profiles or rules.  These include:
    • Copying (or not) data to the remote computer
    • Sharing folders with the remote computer
    • Printing
    • Access to certain applications
    • Location-based rules

Risks of VDI and DaaS:

  • If accessing from an insecure or compromised (home) computer, an attacker could see everything the user can see – even if you did use MFA to access…
  • If rules are not established to govern copying files, network sharing, and printing, then the remote computer and network are vulnerable.

2 – VPN (Virtual Private Network)

Good protection but can have hidden risks if not correctly configured.  A VPN is an encrypted tunnel into your private network that makes the connected Computer or network a remote part of the network it connects to.  

Advantages:

  • The secure tunnel allows connection to internal network resources including computers, applications, databases, and file shares.  
  • Some VPN software will enforce local security profiles on the connecting PC (including home PCs) to ensure that minimum requirements are met.  the same level of security (or a chosen level) based on profiles or rules.  

Risks of VPNs:

  • If accessing from an insecure or compromised (home) computer, an attacker could see everything the user can see – even if you did use MFA to access…
  • If not configured correctly, you can be attaching and insecure (home network and all of its insecure devices – your kid’s iPhones) to your corporate network.
  • Depending upon configuration, VPNs allow users to transfer files to remote devices and map network drives to file shares

3 – Remote Desktop Access Strength of security varies, but not as capable as VDI or DaaS.  When paired with a VPN, security is increased, but you still have risks.  Remote Desktop access is provided by software running on a computer inside your corporate network.  Examples include:  RDP, LogMeIn, GoToMyPC, VNC, Team Viewer, and there are others.

Advantages:

  • Access to the same computer and programs that you use while at work.
  • The company computer is subject to all of the company security policies and protections

Risks:

  • If allowed, the software can be installed and managed without IT’s knowledge, circumventing monitoring and other security controls creating an unmanaged gateway into the company.
  • Some solutions can be accessed from anywhere using a web browser and may not require MFA.
  • Solutions allow for data transfer and printing which can lead to risks of data breaches. 

More About Remote Access

Virtual Desktops – VDI & DaaS

After authentication (including MFA…) the user essentially receives a window that displays the computer and all of its applications on the remote computing device.  The computing infrastructure can be in a private data center or hosted.  There is a virtualization layer where computing and storage resources may be spread across multiple physical devices that sometimes are not in the same physical location.

Virtual Private Networks – VPNs

Instead of routing directly through a public network, VPNs put a layer between your information and public access. It can aid in masking your online activity from the public and provide you with a secure connection to another network online. They work by making your IP address and location anonymous; your data is sent through them before being released into an external server. Generally, outside forces can identify your IP address and track your activity online, but with the veil of VPNs, your online activity can only be traced back to your VPN service provider. 

Remote Desktops

Windows RDP

In Windows, this is a native software program that allows remote connection from another device running the appropriate connection software.  The user receives a screen just as they would sitting in front of the actual computer and is able to see the desktop and use their mouse and keyboard to interact.  One (insecure) way to use RDP is to open a port in the Firewall and allow direct connection from the internet.  This is how many machines have been compromised over the past couple of years.  RDP connections can also be brokered using a local server running Remote Desktop Services.  This is a safer, more secure configuration – don’t forget MFA. 

Local Remote Desktop Programs

Programs like Teamviewer or VNC can be installed locally on a PC or Mac that will allow direct connection over the network.  These function like Windows RDP above and can also be configured insecurely via a Firewall over the internet.

Hosted Remote Desktop

Other software is installed and managed by a cloud provider.  LogMeIn is an example.  The user installs the program on their computer and registers it with the service.  They can then remotely go to a web browser from any computer and authenticate (MFA?) to start a session with the company computer.

Contact Us

Contact us and one of our representatives would be happy to help you.

Categories
Uncategorized

Cyber Security Budgeting for 2020

It is time to update our annual Cyber Security Budgeting advice.  I just lead an exercise at a conference where folks had limited budgets and needed to determine the best places to spend their Cyber Cash.  As I reviewed what we have adapted over the years, much of it is still the same.  We continue to become more dependent on technology composed of applications, operating systems, processors, storage, and connectivity.  IoT, autonomous vehicles, 5G, Huawei, and other new things continue to proliferate, but we still apply the same principles to protect ourselves.  

So, what is new this year?

The proliferation of Ransomware and Business Email Compromise (BEC).  Crimeware as a service is nothing new, but the cases are skyrocketing.  If you don’t know someone who has had one of the events, then you don’t have very many friends.  The crime groups are becoming better at monetizing these events and they are growing at an amazing pace.  The primary attack vectors is still email and the humans that own these accounts.  This threat landscape and other considerations will move a few things around and I will make note of them. 

So, here is some of the same old stuff:  Organizations are now willing to spend $$ now more than ever to avoid becoming the next headline.  When planning, it is easy to focus on available products that vendors are spending millions of dollars to push at us every day.  Products are required, but it is the process around these that keep you secure.  Best practices in security follow a layered approach, and budgeting is no different.  Where should you focus your efforts?

The Basic Layers:  Reduce Known Risks

These are not sexy, but neither is changing your oil and rotating your tires (Diet and exercise?  Pick your poison).  Before you look at some of the newer, enticing security solutions, it is important to make sure the basics are covered.  What we know:  attacks and breaches are increasing every year.  We have seen an 8x increase in incidents in the past twelve months.  So, our basic list has grown from last year.  You may ask:  why don’t you just follow the CIS top 20?  We agree that all of those 20 items are very important, but after working with over450 organizations, we know that approval of budget items, gaps in expertise, and culture typically makes it hard for an organization to follow the CIS in order.  If you can, that is great, but we offer the following list of items to consider in order of importance and ease of execution:

  1. Email & Web security – Spam & Antivirus solutions
  2. Enable MultiFactor Authentication for all remote access – don’t forget O365 and other cloud services – or don’t allow it
  3. Tested Backup and Recovery Capability.  More than restoring that occasional deleted file or email.  This is typically IT Ops and we had not specifically called it out previously – it is the best defense against Ransomware.
  4. IDS/IPS; internet monitoring/filtering – hard to believe, but we still find some organizations with outdated firewalls and no IDS capability
  5. End User Security Awareness Training – must include email Phishing
  6. Basic Incident Response capabilities
  7. Security patching for all hardware/software
  8. Endpoint protections – Antivirus/Malware solutions
  9. Review all accounts, especially privileged accounts and do not allow privileged accounts for regular use
  10. Check for consistent password and access controls across all of your platforms
  11. Encrypt portable devices
  12. Approve Basic Policies to establish guidelines
  13. Constant inventory devices on your network
  14. Review firewall, remote access/VPN, and wireless solutions regularly
  15. Comprehensive network documentation
  16. Secure file transfer capability
  17. Basic Security Metrics and Reporting – Regular measurements are a must to eliminate a false sense of security
  18. Increase visibility with SIEM (Security Information & Event Management) – either in-house or as a service
  19. Evaluate your ability to perform these basic functions adequately – do we need managed services?

Add Advanced Layers to Cover Blind Spots

Once you have the basics in place, formal measurement and planning is prudent to prioritize capital expenses.  If you do not have the in-house expertise available, you may need to rely on outside assistance.  Some items to consider:

  1. Objective measurement: Risk Assessment, Security Audit, Vulnerability and penetration testing
  2. Compliment SIEM with MDR (Managed Detection & Response)
  3. Formal Program & Policy development following ISO 27001, NIST, HITRUST, or other appropriate framework
  4. Risk Management
  5. Vulnerability Management
  6. Mobile device management solution
  7. NAC – internal Network Access Controls
  8. Data Loss Prevention technologies
  9. Identity Access Management
  10. Forensic capabilities
  11. Application whitelisting
  12. Incident Response Tabletops, Red Team, Blue Team, Purple Team Exercises
  13. Information Governance

Studies have shown that a good security posture will reduce the operational costs and the cost of a security breach.

A Note for your CFO:  You may want to remind your finance committee that breaches can cause serious reputational damage and be very expensive.  Cyber Liability insurance is not enough.  In today’s world, the expectation is that there are measurable efforts (and funds) devoted to keeping information safe.

Note:  SecurIT360 is an independent, vendor-agnostic Cyber Security consulting firm.  We do not sell or broker hardware or software.

If you are interested in a complimentary budgeting and strategy session using some of our time-tested tools, you can schedule a meeting by clicking this link, Appointments.

Why not just follow the CIS top 20?

Since we mentioned it, we will go ahead and put this list out here too.

Basic CIS Controls

  1. Inventory and Control of Hardware Assets
  2. Inventory and Control of Software Assets
  3. Continuous Vulnerability Management
  4. Controlled Use of Administrative Privileges
  5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
  6. Maintenance, Monitoring and Analysis of Audit Logs

Foundational CIS Controls

  1. Email and Web Browser Protections
  2. Malware Defenses
  3. Limitation and Control of Network Ports, Protocols and Services
  4. Data Recovery Capabilities
  5. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
  6. Boundary Defense
  7. Data Protection
  8. Controlled Access Based on the Need to Know
  9. Wireless Access Control
  10. Account Monitoring and Control

Organizational CIS Controls

  1. Implement a Security Awareness and Training Program
  2. Application Software Security
  3. Incident Response and Management
  4. Penetration Tests and Red Team Exercises

The 7 Key Principles guiding the latest version of the CIS Controls:

When designing the latest version of the CIS Controls, our community relied on 7 key principles to guide the development process:

  1. Improve the consistency and simplify the wording of each sub-control
  2. Implement “one ask” per sub-control
  3. Bring more focus on authentication, encryption, and application whitelisting
  4. Account for improvements in security technology and emerging security problems
  5. Better align with other frameworks (such as the NIST CSF)
  6. Support the development of related products (e.g. measurements/metrics,implementation guides)
  7. Identify types of CIS controls (basic, foundational, and organizational)
Categories
Uncategorized

Phishing Attacks and Multifactor Authentication

Stop the Password Reset Insanity

How much time does your IT department spend changing a user’s network and or email account passwords because they clicked on a phishing link that they should not have? How many users do you have who do this repeatedly? Have you trained your users to identify, report, and ignore these phishing attempts?

Why make the only procedure to resolve this resetting the password when it just keeps happening again and again? Stop the insanity and look at a new way of solving this problem.

“The definition of insanity is doing the same thing over and over again and expecting different results.”

How Spearphishing Works

Your company webpage has just been redesigned to provide an enriched marketing experience. It looks great and everyone on your leadership team is excited about the new page. One of the pages, “About Our Team”, lists every member of the executive management team with a short bio. You have just provided the bad guys with a short list of high-value targets within your company.

With this list of users in hand and by utilizing the most standard email address format (everyone uses first initial of the first name + last name), a couple of smart public DNS queries, and a telnet to port 25 of your email server, I can determine your mail server and version, including Microsoft Office 365. Then I can set up a fake webmail account login page and send a well-crafted email asking them to log in to my fake email system so I can steal their password.

Once your user completes this action, I have not just compromised their account, I have compromised an influential person in the company. I now have access to the corporate account of someone who can make decisions and spend money, for example, authorize an invoice to be paid or request a wire transfer. Payday for me, headaches dealing with law enforcement, lawyers, cyber insurance companies, and forensics experts for you.

What Happens Next

Once you discover the intrusion, I’ve been reported to IT, the user’s account password has been changed, the lawyers are doing insurance reviews, and accounting is double checking the books, but I am still out there. While everyone is thinking, crisis averted, I am waiting for the next opportunity.

Now, I sit back and wait a week or two before another attempt. During this time, a business crisis arises, distracting the executives, and I send another email asking you to log in. Nine times out of ten, I get back in. Executives are busy between internal, partner and customer meetings, traveling, reviewing performance numbers, and so on. They are always busy and want things to go smoothly so they can accomplish tasks quickly. Because of this, your executives rarely look twice at the email asking for the password again – just so they can get that PDF report they think they are getting.

So, they are compromised. Again. You change their password. Again. Insanity.

While you are saying to yourself, “This would never happen at my company”, let me share this story with you. I recently worked a case where the President of the company was successfully spearfished three times in two weeks. Each time, the password was reset, and everyone moved on to other things. In another case, a breached IT administrator account was used to spearfish the CFO. As if that is not bad enough, the CFO had already been successfully spearfished two months prior.

How do I end this cycle?

The easy answer is to require multi-factor authentication (MFA). The harder question is, “How do I implement MFA without being chased with pitchforks and firebrands?” Or worse yet, isolated in an office in the basement with your career stalled out.

So, how do you implement MFA while minimizing the impact on your users?

Scenario 1:

IT develops a MFA implementation plan. They then meet with the executives to outline the program’s pros and cons, with the strategy of scaring them into agreeing to implement MFA. They use statistics from Gartner, include quotes from Verizon’s Annual Data Breach Investigation Report, and try to sell the implementation plan. Remember, these are the same executives who are busy moving from one fire drill to another while being spearfished daily. This strategy almost never goes well.

Scenario 2:

IT develops a MFA implementation plan. Instead of only using statistics from Gartner and quotes from Verizon’s Annual Data Breach Investigation report, they use actual internal data to affect change from within. Prior to presenting this data, they have already completed a MFA pilot with their Email administrators and then rolled it out to the entire IT department. Here’s the payoff: report the measured results of the rollout to the IT Steering Committee, CFO, or COO; the point is, get an executive to start thinking about MFA, hearing the results, and digesting the successes. Then, get that individual to try it.

Peer pressure can also be beneficial in this scenario. “One-Upmanship” within a highly political boardroom can be a good thing. Having someone inside the decision-making group proudly boasting how fourteen unauthorized attempts to log in to their account were thwarted by MFA can provide the incentive you need. No one wants to be the weak link or in last place.

The Benefits of MFA

Now that you have implemented MFA, you are able to stop the insanity of repeatedly resetting passwords, re-imaging computers, spending hours on telephone calls with lawyers, insurance companies, and forensics companies. You can expect fewer security headaches, more time to complete your projects, and your executive team to appreciate how secure your network has become with multi-factor authentication.

SecurIT360 is an independent, vendor-agnostic Cybersecurity consulting firm.
If you are interested in a complimentary budgeting and strategy session using some of our time-tested tools, you can schedule a meeting by clicking this link, Appointments.

Categories
Uncategorized

WannaCry – Worldwide Ransomware Attack – Updated

A widespread ransomware attack has spread across the globe infecting tens of thousands computers in as many countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan.  The software can run in many languages.  There have been several versions and updates, but the ways to protect remain the same.  Recently, a decryption tool has been discovered – see here.

Technical Details

Initial reports indicate the hacker or hacking group behind the WannaCry campaign is gaining access to enterprise servers either through a Remote Desktop Protocol (RDP) compromise or the exploitation of a critical Windows SMB vulnerability.  Microsoft released a security update for the MS17-010 vulnerability on March 14, 2017.  According to open sources, one possible infection vector is via phishing emails.

The WannaCry ransomware received and analyzed by US-CERT is a loader that contains an AES-encrypted DLL.  During runtime, the loader writes a file to disk named “t.wry.”  The malware then uses an embedded 128-bit key to decrypt this file.  This DLL, is then loaded into the parent process, is the actual Wanna Cry Ransomware responsible for encrypting the user’s files.  Using this cryptographic loading method, the WannaCry DLL is never directly exposed on disk and not vulnerable to antivirus software scans.  Subsequent versions are manifested differently.

What to do to protect against Wana Decrypt0r aka WannaCry

1.    Patch all Windows Operating Systems

  1. For supported Operating Systems see MS17-010
  2. Emergency Patch for Windows XP and Windows 2003 is here

2.    Run a port scan and or Vulnerability Assessment against your firewalls. 

Ensure that Remote Desktop Protocol (RDP) and SMB protocols are not open to the internet.  These are typically on ports 3389, 445, and 139 respectively, but can be mapped to different ports on your firewall.  These configurations are security best practice.

Verify Other Protections Are working as expected.

*************************************IMPORTANT******************************************

Do NOT assume you are safe just because you have purchased and installed a product.

**********************************************************************************************

3.    Backups

Review your backups to ensure that they are working as expected.  Test restores of critical data.

4.    SPAM Filter

Enable strong spam filters to prevent phishing e-mails from reaching the end users.  Most enterprise filters should detect WannaCry.

5.    Antivirus & Malware Protections

  1. Ensure that real-time scanning enabled to detect file downloads, email attachments, and web links
  2. Ensure that scan engines are up to date and that definitions are downloaded and regularly deployed – at least daily. We recommend more frequently
  3. Configure anti-virus and anti-malware solutions to conduct routine scans
  4. Inventory protected machines to ensure that all have products installed and that they are functional

WannaCry Remediation

  • Isolate compromised computer systems.
    1. Unplug from network to prevent spreading
    2. Power down other computers or unplug network access switches during eradication
    3. Wipe and reload infected machines
    4. Paying the ransom does not guarantee you recovery
  • Ensure that proper logging is enabled and preserved on key systems.
  • Contact law enforcement. Contact a local FBI field office upon discovery to report an intrusion and request assistance.  Maintain and provide relevant logs.
  • Implement your security incident response and business continuity plan.
  • Ideally, organizations should not store critical data on workstations. Critical data should reside on centralized storage systems.  Storage systems should have complete, verified, and tested backups.  Ofen the most efficient response is to restore data from a known clean backup.

Signatures

 

File name:  @WanaDecryptor@.exe

 

Confirmed indicators – SHA-256 Hashes:

24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c043e0d0d8b8cda56851f5b853f244f677bd1fd50f869075ef7ba1110771f70c25d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b976a3666ce9119295104bb69ee7af3f2845d23f40ba48ace7987f79b06312bbdfbe22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844f7c7b5e4b051ea5bd0017803f40af13bed224c4b0fd60b890b6784df5bd63494fc626fe1e0f4d77b34851a8c60cdd11172472da3b9325bfe288ac8342f6c710a09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafaaee20f9188a5c3954623583c6b0e6623ec90d5cd3fdec4e1001646e27664002cc365ddaa345cfcaff3d629505572a484cff5221933d68e4a52130b8bb7badaf9ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aab9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

Yara Signatures

rule Wanna_Cry_Ransomware_Generic {

meta:

description = “Detects WannaCry Ransomware on disk and in virtual page”

author = “US-CERT Code Analysis Team”

reference = “not set”

date = “2017/05/12”

hash0 = “4DA1F312A214C07143ABEEAFB695D904”

strings:

$s0 = {410044004D0049004E0024}

$s1 = “WannaDecryptor”

$s2 = “WANNACRY”

$s3 = “Microsoft Enhanced RSA and AES Cryptographic”

$s4 = “PKS”

$s5 = “StartTask”

$s6 = “wcry@123”

$s7 = {2F6600002F72}

$s8 = “unzip 0.15 Copyrigh”

condition:

$s0 and $s1 and $s2 and $s3 or $s4 or $s5 or $s6 or $s7 or $s8

}

 

/*The following Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.

rule MS17_010_WanaCry_worm {

meta:

description = “Worm exploiting MS17-010 and dropping WannaCry Ransomware”

author = “Felipe Molina (@felmoltor)”

reference = “https://www.exploit-db.com/exploits/41987/”

date = “2017/05/12″

strings:

$ms17010_str1=”PC NETWORK PROGRAM 1.0″

$ms17010_str2=”LANMAN1.0″

$ms17010_str3=”Windows for Workgroups 3.1a”

$ms17010_str4=”__TREEID__PLACEHOLDER__”

$ms17010_str5=”__USERID__PLACEHOLDER__”

$wannacry_payload_substr1 = “h6agLCqPqVyXi2VSQ8O6Yb9ijBX54j”

$wannacry_payload_substr2 = “h54WfF9cGigWFEx92bzmOd0UOaZlM”

$wannacry_payload_substr3 = “tpGFEoLOU6+5I78Toh/nHs/RAP”

condition:

all of them

}

Categories
Uncategorized

Internet Explorer Zero Day – Emergency Patch Released, includes XP

UPDATED 5/1/2014: Microsoft has released an emergency out-of-band update for Internet Explorer that resolves this issue.  They are including updates to IE in Windows XP as well.  We recommended deploying this update as soon as possible.

Microsoft released an advisory on April 26th:

Microsoft is aware of limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11.

The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

Mitigation Steps (Details on TechNet):

  • Install EMET . According to Fireeye, “EMET versions 4.1 and 5.0 break (and/or detect) the exploit in our tests.”
  • Also according to Fireeye, “Enhanced Protected Mode in IE breaks the exploit in our tests”. Keep in mind that Enhanced Protection Mode in IE can break some plugins.
  • Disable Flash . The vulnerability is not a Flash vulnerability, but flash is required to exploit.

WARNING: Windows XP

For organizations and users who have not upgraded from Windows XP, this vulnerability does affect IE6-IE8 which can run on Windows XP.  Windows XP will not be receiving updates as it is now out of support.  It is critical that organizations upgrade from Windows XP.

Categories
Uncategorized

Microsoft July Security Bulletin

For Patch Tuesday this month, we are receiving critical updates from both Microsoft and Adobe. Microsoft has five bulletins, bringing the six-month total up to 51 bulletins, about 20% more than we had in 2012.

Read more here.