RansomWeb Attacks Observed in HITME

Unfortunately, the destructive nature of Ransomware has taken a new turn for the worse.  A new technique called RansomWeb is affecting production web-based applications.  I recently analyzed data from the HITME project and observed several RansomWeb attacks against PHP applications.  I can only assume the frequency of these attacks will increase throughout the year.  As a former Systems Administrator, I can definitively say that it would be a nightmare to bring an application back online that was affected by this variant of Ransomware.  Due to RansomWeb’s destructive nature, it is important to ensure that your organization is actively working to prevent RansomWeb from destroying any critical systems.

The attackers begin the RansomWeb process by exploiting a vulnerability within a web server or web-based application.  Once the server or application have been exploited, the attackers slowly begin encrypting key databases and files.  Once the encryption is complete, the hackers shut down the website/application and begin to demand ransom in exchange for the decryption of the corporation’s files.  Unfortunately, the attackers have even perfected using this process to encrypt system-level backups.

To prevent RansomWeb from affecting your organization, please be sure to complete the following steps on a regular basis:

  • Perform regular vulnerability assessments and penetration testing against your critical applications and servers.
  • Audit your application and system logs for any irregular entries.
  • Verify that you are performing regular application and system backups.
  • Be sure to test the backup/ restore process for your applications and systems on a regular basis.  After all, your backup/ DR process is only as effective as your last successful restore.

If you would like to discuss how we can help you prevent RansomWeb from affecting your production applications, do not hesitate to contact us by emailing info <at> microsolved.com

Recently Observed Attacks By Compromised QNAP Devices

Despite the fact that the Shellshock bug was disclosed last fall, it appears that a wide variety of systems are still falling victim to the exploit.  For example, in the last 30 days, our HoneyPoint Internet Threat Monitoring Environment has observed attacks from almost 1,000 compromised QNAP devices.  If you have QNAP devices deployed, please be sure to check for the indicators of a compromised system.  If your device has not been affected, be sure to patch it immediately.

Once compromised via the Shellshock bug, the QNAP system downloads a payload that contains a shell script designed specifically for QNAP devices.  The script acts as a dropper and downloads additional malicious components prior to installing the worm and making a variety of changes to the system.  These changes include: adding a user account, changing the device’s DNS server to, creating an SSH server on port 26 and downloading/installing a patch from QNAP against the Shellshock bug.

The map below shows the locations of compromised QNAP systems that we observed to be scanning for other unpatched QNAP systems.  If you have any questions regarding this exploit, feel free to contact us by emailing info <at> microsolved.com.

Screen Shot 2015-01-27 at 1.41.31 PM

Spike in HITME NTP Probes Following Recent Exploits

For those of you that are unfamiliar with the HITME project, it is a set of deployed HoneyPoints that gather real-world, real-time attacker data from around the world. The sensors gather attack sources, frequency, targeting information, vulnerability patterns, exploits, malware and other crucial event data for the technical team at MSI to analyze. We frequently feed these attack signatures into our vulnerability management service to ensure that our customers are tested against the most current forms of attacks being used on the Internet.
On a monthly basis, we have been taking a step back and looking at our HITME data from a bird’s eye view to find common attack patterns.  Throughout December, we observed a significant increase in attacks against Port 123 (NTP).  This is due to the recent discovery of a vulnerability within NTP.
A majority of the attacks we observed against Port 123 appeared to originate out of the United States of America, Germany, Switzerland, Russia, and China. 
PastedGraphic 2
This vulnerability should be addressed as soon as possible as exploits are publicly available.  All NTP Version 4 releases prior to Version 4.2.8 are vulnerable and need to be updated to Version 4.2.8.  Do not hesitate to contact us at info@microsolved.com if you require any assistance in responding to this vulnerability.

This blog post by Adam Luck.

5 Ways My Medical Background Makes Me a Better Intelligence Analyst

When I first started for MicroSolved, Inc.(MSI), I wasn’t sure what to think, but now that I have been here for nearly three months I feel I am starting to get the hang of  what it is to be an intelligence analyst. At least a little bit anyhow. Now mind you I am not your typical intelligence analyst, nor am I a new college graduate, but rather I am coming to MSI from the health care industry with over twenty years of work experience in that industry. This was a completely different mindset, with a whole host of new things for me to experience and learn. For me this was totally refreshing and exactly what I wanted and more importantly, needed! There are a few things that I have noticed in my short time here that could be considered pearls of wisdom rather than actual characteristics of a good employee that I feel make me a good intelligence analyst for MSI. Perhaps they are one and the same. At least that is my hope 😉

First, while I am not a seasoned IT professional like so many others that I work with, I am not naive to the fact that there are deadlines and expectations thrust upon all of us. This in my opinion is no different than in being in the hospital setting where people expect you to act quickly and in the best interests of your patient at all times. Couldn’t we say the same is true working for a company like MSI?  In that it is the expectation to be professional, performing your best at all times, and the like? I would like to think that is what I strive for.

After thinking a bit longer perhaps it is that we share a tenacity for getting to the bottom of whatever mystery that we are looking at. Whether it is a series of questions that we may be asking our patients in an effort to try to figure out what ailment they be suffering from. This is not unlike when we are looking for a key bit of code for an algorithm to help us do our work more efficiently. Regardless, it is this mentality of never giving up! To keep fighting, keep looking, to keep trying. Just keep chipping away at it. 

I think the next characteristic would have to be patience. Something that we all have often heard from our grandparents growing up as children. Something that in my mind and in my experience has played a provocative role in both my dealings with patients, their families and with challenging projects in the IT world. Now while as I previously stated in the above paragraph that tenacity plays a role, I also think having a measure of patience does too. There are times in the medical world where even the most experienced physician stands there for a moment and scratches his or her head and says “I don’t know”. Now to a patient that is the last thing that they want to here, but sometimes we truly have to “wait and see”. Sometimes grandma was right! There have been times while working on projects with MSI, where sitting back even if it’s just a few moments, allowed me to gain a better “bird’s eye view” of a given project and really helped me figure out what it was that I was looking for and ultimately aided the project.

Another area that I think gives me an edge would be that I am willing to go the extra mile and I am not afraid to work hard to attain my goals. It isn’t enough to just punch a clock or be mediocre! I have told this to my children, my patients and my friends. Never give up, always work your butt off for what you want in life! It may take time for what you want to come to fruition, but if you’re willing to put the time, energy and effort into it, then it will come!  It takes sacrifice to get to your goals. Others will recognize your efforts and aid you in your path. That’s what I feel MSI has done and is continuing to do for me!

Lastly, laugh! I have not laughed so hard in any of my previous work experiences as compared to working for MSI these past few months. Don’t get me wrong there were plenty of wonderful times, but here at MSI it is a whole new animal! Yes, we work hard, but I think having a healthy sense of humor and a desire to see others laugh is what really sets MSI apart. If you are down, they help pick you up! So often we spend our work lives with people that aren’t our family for hours on end. Shouldn’t we have some fun while we work? If you are lucky enough you do. Then, by choice those people that aren’t your family start to become them and find a place in your heart. Then, your work doesn’t seem like work anymore. 

Yes it’s true that I am new to the world of information technology as a career choice, but that doesn’t mean that I don’t have some very real life experiences to draw upon. Remember, it is a combination of work ethic, tenacity, patience, a sense of humor and ultimately a willingness to never give up. These are the things that will make you successful, not only in your career path, but in life as well. These are my little pearls of wisdom, just a few tidbits of information to help you get to where you want to be in life. Who knows it might even be right here at MSI.

This post by Preston Kershner.

Heads Up, ICS & SCADA Folks, Especially!

Remotely exploitable vulnerabilities have been identified & published in NTP (network time protocol). This is often a CRITICAL protocol/instance for ICS environments and can be widely located in many control networks. 

The fix currently appears to be an upgrade to 4.2.8 or later.

This should be considered a HIGH PRIORITY for critical infrastructure networks. Exploits are expected as this is an unauthenticated remotely triggered buffer overflow, which should be easily implemented into existing exploit kits.

Please let us know if we can assist you in any way. Stay safe out there! 

Update: 12/19/14 2pm Eastern – According to this article, exploits are now publicly available.

Here’s Why You Don’t Want RDP on the Internet

For those of you that are unfamiliar with the HITME project, it is a set of deployed HoneyPoints that gather real-world, real-time attacker data from around the world. The sensors gather attack sources, frequency, targeting information, vulnerability patterns, exploits, malware and other crucial event data for the technical team at MSI to analyze. We frequently feed these attack signatures into our vulnerability management service to ensure that our customers are tested against the most current forms of attacks being used on the Internet.

It’s also important that we take a step back and look at our HITME data from a bird’s-eye view to find common attack patterns. This allows us to give our customers a preemptive warning in the event that we identify a significant increase in a specific threat activity. We recently analyzed  some of the data that we collected during the month of November. We found that over 47% of the observed attacks in the public data set were against the Remote Desktop Protocol (RDP)(often also known as Microsoft Terminal Services). This was more than attacks against web servers, telnet servers and FTP servers combined!

Be sure that all recommended security measures are applied to RDP systems. This should include requiring the use of RDP clients that leverage high levels of encryption. If you need any assistance verifying that you are protected against attacks against your terminal servers, feel free to contact us by sending an email to info(at)microsolved(dot)com.

This post by Adam Luck.

Hacktivism on the Rise

With all of the attention to the Ferguson case and the new issues around the public response to the New York Police Department Grand Jury verdict, your organization should expect to be extra vigilant if you have any connection to these events. This could include supply chain/vendor relationships, locations or even staff members speaking out publicly about the issues. 

Pay careful attention to remote access logs, egress traffic and malware detections during the ongoing social focus on these issues and press coverage.

As always, if MSI can be of assistance to you in any security incident, please don’t hesitate to let us know! 

Data Breaches are a Global Problem

For those of you who maybe just thought that data breaches were only happening against US companies, and only by a certain country as the culprit, we wanted to remind you that this certainly isn’t so.

In fact, just in the last several weeks, breaches against major companies in the UK, Australia, Japan, Kenya, Korea, China and others have come to light. Sources of attacks show evidence of criminal groups working from the US, Brazil, Northern Africa, the Middle East, Russia and Asia among others. Just follow the data for a few weeks, and it quickly becomes clear that this is a GLOBAL problem and is multi-directional.

Even loose alliances seem to come and go amongst these criminal groups. They often steal data, talent, techniques, tools and resources from each other. They work together on one deal, while treating each other as competitors in other deals simultaneously. The entire underground is dynamic, shifting in players, goals and techniques on almost moment by moment basis. What works now spreads, and then gets innovated.

This rapidly changing landscape makes it hard for defenders to fight against the bleeding edge. So much so, in fact, that doing the basics of information security and doing them well, seems to be far more effective than trying to keep up with the latest 0-day or social engineering techniques.

That said, next time you read a report that seems to cast the data breach problem as a US issue versus the big red ghost, take a breath. Today, everyone is hacking everyone. That’s the new normal…

Compliance-Based Infosec Vs Threat-Based Infosec

In the world of Information Security (infosec), there are two main philosophies: compliance-based infosec and threat-based infosec. Compliance-based infosec means meeting a set of written security standards designed to fulfill some goal such as the requirements of statute law or financial information privacy requirements. Threat-based infosec, on the other hand, means applying information security controls in reaction to (or anticipation of) threats that organizations currently (or soon will) face. 

Compliance-based infosec is generally applied smoothly across the organization. In other words, all the security controls mandated in the security standard must be put in place by the organization, and the relative effectiveness of each control is largely ignored. In contrast, security controls are applied in a hierarchical manner in threat-based infosec. The most effective or greatly needed security controls are applied first according to the threats that are most likely to occur or that will cause the most damage to the organization if they do occur. 

The difference is sort of like the defensive strategy of the Chinese versus that of the Normans in post-conquest England. The Chinese built very long walls that went from one end of their territory to the other. Their goal was to keep out all invaders everywhere. This is a grand idea, but takes a very large amount of resources to implement and maintain. In practice, it takes tons of men and infrastructure and the defensive capabilities at any one place are spread thin. The Normans in England, on the other hand, built strong castles with many layers of defense in strategic locations where the threats were greatest and where it was easiest to support neighboring castles. In practice, there are fewer defenses at any one point, but the places where defenses are implemented are very strong indeed. Both of these strategies have merit, and are really driven by the particular set of circumstances faced by the defender. But which is better for your organization? Let’s look at compliance-based infosec first.

Compliance-based infosec, when implemented correctly, is really the best kind of defense there is. The problem is, the only place I’ve ever seen it really done right is in the military. In military information security, failure to protect private information can lead to death and disaster. Because of this, no expense or inconvenience is spared when protecting this information. Everything is compartmentalized and access is strictly based on need to know. Every system and connection is monitored, and there are people watching your every move. There are rules and checklists for everything and failure to comply is severely punished. In addition, finding better ways to protect information are sought after, and those that come up with valuable ideas are generously rewarded.

This is not the way compliance-base infosec works in the private sector, or even in non-military government agencies. First, statute law is tremendously vague when discussing implementing information security. Laws make broad statements such as “personal health information will be protected from unauthorized access or modification”. Fine. So a group of people get together and write up a body of regulations to further spell out the requirements organizations need to meet to comply with the law. Unfortunately, you are still dealing with pretty broad brush strokes here. To try to get a handle on things, agencies and auditors rely on information security standards and guidelines such as are documented in NIST or ISO. From these, baseline standards and requirements are set down. The problems here are many. First, baseline standards are minimums. They are not saying “it’s best if you do this”, they are saying “you will at least do this”. However, typical organizations, (which generally have very limited infosec budgets), take these baseline standards as goals to be strived for, not starting points. They very rarely meet baseline standards, let alone exceed them. Also, NIST and ISO standards are not very timely. The standards are only updated occasionally, and they are not very useful for countering new and rapidly developing threats. So, unless your organization is really serious about information security and has the money and manpower to make it work, I would say compliance-based infosec is not for you. I know that many organizations (such as health care and financial institutions) are required to meet baseline standards, but remember what happened to Target last year. They were found to be compliant with the PCI DSS, but still had tens of millions of financial records compromised.

Now let’s look at threat-based infosec. To implement a threat-based information security program, the organization first looks at the information assets they need to protect, the threats and vulnerabilities that menace them and the consequences that will ensue if those information assets are actually compromised (basic asset inventory and risk assessment). They then prioritize the risks they face and decide how to implement security controls in the most effective and efficient way to counter those particular risks. That might mean implementing strong egress filtering and log monitoring as opposed to buying the fanciest firewall. Or it might mean doing something simple like ensuring that system admins use separate access credentials for simple network access and administrative access to the system. Whatever controls are applied, they are chosen to solve particular problems, not to meet some broad baseline that is designed to meet generally defined problems. Also, threat-based infosec programs are much better at anticipating and preparing for emerging threats, since reassessments of the security program are made whenever there are significant changes in the system or threat picture.

These are the reasons that I think most of us in non-military organizations should go with threat-based infosec programs. Even those organizations that must meet regulatory requirements can ensure that they are spending the bulk of their infosec money and effort on the effective controls, and are minimizing efforts spent on those controls that don’t directly counter real-world threats. After all, the laws and regulations themselves are pretty vague. What counts in the long run is real information security, not blind compliance with inadequate and antiquated baselines. 

Thanks to John Davis for this post.

Accepting Identity Theft

I can recall a time when I wasn’t concerned about data theft. Eventually, buzz words such as “breach” and “identity theft” became a regular part of my vocabulary.  I began to wonder if I would ever be affected by a data breach. In 2003, I received a letter in the mail informing me that my personal data had been stolen. I remember asking myself, “when will this happen next?” In 2004, I once again became a victim of a data breach. Despite my young age at the time, I had already started to think of identity theft in the cynical terms of “not if but when”. It then became apparent to me that I could no longer think in terms of “if” or “when” but I should focus on “how often”.

I find it helpful to compare identity theft to personal health care. Eating the right foods, taking all the trendy vitamins and getting the recommended amount of exercise isn’t enough to guarantee perfect health. You are still susceptible to diseases that you can’t detect on your own. This is why you typically see a doctor for checkups on a regular basis. You should use the same thought process when considering the possibility of identity theft. Regardless of how much effort you put into securing your identity, your personal data will be stolen. This is why I feel strongly that we should focus on monitoring and preparing for identity theft with the same time and energy that we devote to trying to prevent it.

Just like your health care, it’s also worthwhile to take a proactive approach to handling identity theft. It’s important to have multiple methods of discovering if you are a victim of fraud. This can be as simple as checking your debit/credit card statements and using an automated solution (such as LifeLock) to monitor for irregularities in your credit report. Don’t just wait to receive a notice in the mail or find out about the latest hack on the news. It can take the companies that handle your personal data and process your credit cards months before they realize that they have been hacked. This gives the attackers ample time to take advantage of your stolen data.

It’s also worthwhile to prepare yourself for how to handle an incident when it occurs. This can be as simple as keeping a list of the contact information for all of your financial institutions so that you can notify them as soon as you detect suspicious activity. Also, a majority of the aforementioned credit monitoring solutions include assistance services in the event that a criminal begins using your identity. Be sure to take advantage of these resources as these organizations have the necessary institutional knowledge to help assist you.

In short, continue doing what you can to prevent your identity from being stolen. Simple things like setting complex passwords and avoiding the reuse of your passwords between different services can go a long way to prevent you from becoming a victim of identity theft. However, the next time you’re configuring a lengthy password, be sure to ask yourself “Am I prepared for identity theft?”

This article courtesy of Adam Luck – @adamjluck.