Telnet!? Really!?

I was recently analyzing data from the HITME project that was collected during the month of January. I noticed a significant spike in the observed attacks against Telnet. I was surprised to see that Telnet was being targeted at such a high rate. After all, there can’t be that many devices left with Telnet exposed to the internet, right?

Wrong. Very wrong. I discovered that there are still MILLIONS of devices with Telnet ports exposed to the internet. Because Telnet provides no encryption (credentials and sessions cross the network in cleartext), use SSH instead of Telnet whenever possible. If you absolutely must control a device via Telnet, at least place it behind a firewall. If you need to access the device remotely, use a VPN. Finally, be sure to restrict access to the device to the smallest possible IP range.
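As an added example (not code from the original post or from MicroSolved), here is a small inventory check a defender can run against hosts they administer to find Telnet still listening. It connects to TCP/23, reads whatever the service volunteers, and treats an opening IAC byte (0xFF, the start of Telnet option negotiation) as a sign that a real Telnet daemon is answering rather than some other service on the port. The host list is a constructed placeholder, and the local fake daemon exists only so the script can be run without a real device.

```python
"""Inventory check for Telnet exposure (added example, not the post's code).

Probes each host in a constructed placeholder inventory on TCP/23, records
whether the port accepts a connection, and whether the first bytes sent back
look like Telnet option negotiation. Run it only against hosts you administer.
"""
import socket
import threading

TELNET_PORT = 23
IAC = b"\xff"  # Telnet "Interpret As Command": telnetd normally opens with option negotiation

# Constructed placeholder inventory; replace with your own asset list.
INVENTORY = ["127.0.0.1"]


def classify_banner(reachable: bool, banner: bytes) -> str:
    """Pure classification step, kept separate so it can be reasoned about without a network."""
    if not reachable:
        return "closed"
    if banner.startswith(IAC):
        return "telnet-exposed"   # something speaking the Telnet protocol is listening
    return "open-unknown"        # port open but not negotiating like telnetd; inspect manually


def probe_telnet(host: str, port: int = TELNET_PORT, timeout: float = 2.0):
    """Return (reachable, banner). Sends nothing; only reads what the server volunteers."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                banner = sock.recv(64)
            except OSError:          # timeout or reset after connect: still reachable
                banner = b""
    except OSError:
        return False, b""
    return True, banner


def audit(hosts, port: int = TELNET_PORT, timeout: float = 2.0) -> dict:
    """Map each host to a status; 'telnet-exposed' hosts need SSH plus firewall/VPN restrictions."""
    return {host: classify_banner(*probe_telnet(host, port, timeout)) for host in hosts}


def start_fake_telnetd() -> int:
    """Constructed loopback stand-in for a Telnet daemon, used only by the demo below.

    Listens on an ephemeral port, sends one IAC negotiation triplet to the first
    client, and closes. Returns the port it is listening on.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.sendall(IAC + b"\xfd\x18")  # IAC DO TERMINAL-TYPE
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    print("inventory on tcp/23:", audit(INVENTORY))
    demo_port = start_fake_telnetd()
    print(f"constructed daemon on tcp/{demo_port}:", audit(["127.0.0.1"], port=demo_port))
```

A host reported as telnet-exposed is exactly the case the post warns about: disable the service, enable SSH, and if Telnet cannot be turned off, allow TCP/23 only from the smallest management range through the firewall or VPN. An open-unknown result still deserves a look, since a non-negotiating listener on port 23 may be a proxy or a misconfigured service.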

The map below shows the geographical locations and number of attacks against Telnet that we observed last month. If you need any help isolating Telnet exposures, feel free to contact us by emailing info <at> microsolved.com.

[Map: geographical locations and number of Telnet attacks observed in January 2015 (screenshot dated 2015-02-10)]

RansomWeb Attacks Observed in HITME

Unfortunately, the destructive nature of Ransomware has taken a new turn for the worse.  A new technique called RansomWeb is affecting production web-based applications.  I recently analyzed data from the HITME project and observed several RansomWeb attacks against PHP applications.  I can only assume the frequency of these attacks will increase throughout the year.  As a former Systems Administrator, I can definitively say that it would be a nightmare to bring an application back online that was affected by this variant of Ransomware.  Due to RansomWeb’s destructive nature, it is important to ensure that your organization is actively working to prevent RansomWeb from destroying any critical systems.

The attackers begin the RansomWeb process by exploiting a vulnerability within a web server or web-based application.  Once the server or application has been exploited, the attackers slowly begin encrypting key databases and files.  Once the encryption is complete, the attackers shut down the website/application and demand a ransom in exchange for decrypting the corporation’s files.  Unfortunately, the attackers have even perfected using this process to encrypt system-level backups.

To prevent RansomWeb from affecting your organization, please be sure to complete the following steps on a regular basis:

  • Perform regular vulnerability assessments and penetration testing against your critical applications and servers.
  • Audit your application and system logs for any irregular entries.
  • Verify that you are performing regular application and system backups.
  • Be sure to test the backup/restore process for your applications and systems on a regular basis.  After all, your backup/DR process is only as effective as your last successful restore.
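The last two steps are easy to claim and hard to prove, and because RansomWeb also encrypts the backups, a dump that restores without error can still be useless. As an added example (not code from the post or from MicroSolved), this restore drill loads a SQL dump into a scratch SQLite database and checks that the data coming back is the plaintext you expect: required tables present, a known canary row reading correctly, and no text column dominated by opaque, ciphertext-looking values. The dumps, table names and canary row are constructed sample data.

```python
"""Backup restore drill for a database dump (added example, not the post's code).

Restores a SQL dump into a throwaway SQLite database and verifies the result is
readable plaintext, so a backup that was silently encrypted fails the drill
even though the file itself restores cleanly. All data below is constructed.
"""
import re
import sqlite3

# Constructed healthy backup.
GOOD_DUMP = """
CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT);
INSERT INTO customers VALUES (1, 'Alice Example', 'alice@example.com');
INSERT INTO customers VALUES (2, 'Bob Example', 'bob@example.com');
INSERT INTO customers VALUES (9999, 'RESTORE-CANARY', 'canary@example.com');
CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER, total REAL);
INSERT INTO orders VALUES (1, 1, 19.99);
"""

# Constructed backup taken after the email column was encrypted in place
# (the blobs are arbitrary base64-looking strings, not real ciphertext).
TAMPERED_DUMP = """
CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT);
INSERT INTO customers VALUES (1, 'Alice Example', 'k7Q2xT9pLm4vR8sN1aB6cD0e');
INSERT INTO customers VALUES (2, 'Bob Example', 'V3yH5jK8nP2qS6tW9zA1bC4d');
INSERT INTO customers VALUES (9999, 'RESTORE-CANARY', 'X1cF4gJ7kM0pR3sV6yB9dH2e');
CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER, total REAL);
INSERT INTO orders VALUES (1, 1, 19.99);
"""

EXPECTED_TABLES = {"customers", "orders"}
# (table, key column, key value, checked column, expected plaintext value)
CANARY = ("customers", "id", 9999, "email", "canary@example.com")

OPAQUE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def looks_opaque(value) -> bool:
    """Heuristic: a long run of base64 alphabet with mixed case and digits and no spaces or punctuation."""
    if not isinstance(value, str) or not OPAQUE.fullmatch(value):
        return False
    return bool(re.search(r"[a-z]", value) and re.search(r"[A-Z]", value) and re.search(r"\d", value))


def restore_dump(dump_sql: str) -> sqlite3.Connection:
    """Restore into an in-memory database; a real drill restores onto an isolated host."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(dump_sql)
    return conn


def verify_restore(conn, expected_tables, canary, opaque_ratio=0.5):
    """Return a list of findings; an empty list means the restore passed."""
    findings = []
    present = {row[0] for row in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")}
    for table in sorted(expected_tables - present):
        findings.append(f"missing table: {table}")

    # Canary row: a record whose plaintext you know in advance must read back unchanged.
    table, key_col, key_val, col, expected = canary
    if table in present:
        row = conn.execute(f'SELECT "{col}" FROM "{table}" WHERE "{key_col}" = ?', (key_val,)).fetchone()
        got = row[0] if row else None
        if got != expected:
            findings.append(f"canary mismatch in {table}.{col}: got {got!r}")

    # Column sweep: flag any TEXT column where most values look like ciphertext blobs.
    for table in sorted(present & expected_tables):
        for _, col, ctype, *_ in conn.execute(f'PRAGMA table_info("{table}")'):
            if ctype.upper() != "TEXT":
                continue
            values = [r[0] for r in conn.execute(f'SELECT "{col}" FROM "{table}"')]
            if values and sum(map(looks_opaque, values)) / len(values) >= opaque_ratio:
                findings.append(f"opaque values dominate {table}.{col}: possible encryption")
    return findings


if __name__ == "__main__":
    print("healthy backup:", verify_restore(restore_dump(GOOD_DUMP), EXPECTED_TABLES, CANARY))
    print("tampered backup:", verify_restore(restore_dump(TAMPERED_DUMP), EXPECTED_TABLES, CANARY))
```

The canary row is the strongest check, because its expected value lives outside the backup and outside the application: an attacker who encrypts the database column by column cannot make the canary read correctly. The opaque-value sweep is only a heuristic, so tune the ratio and exempt columns that legitimately hold tokens or hashes.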

If you would like to discuss how we can help you prevent RansomWeb from affecting your production applications, do not hesitate to contact us by emailing info <at> microsolved.com.

Recently Observed Attacks By Compromised QNAP Devices

Despite the fact that the Shellshock bug was disclosed last fall, it appears that a wide variety of systems are still falling victim to the exploit.  For example, in the last 30 days, our HoneyPoint Internet Threat Monitoring Environment has observed attacks from almost 1,000 compromised QNAP devices.  If you have QNAP devices deployed, please be sure to check for the indicators of a compromised system.  If your device has not been affected, be sure to patch it immediately.

Once compromised via the Shellshock bug, the QNAP system downloads a payload that contains a shell script designed specifically for QNAP devices.  The script acts as a dropper and downloads additional malicious components prior to installing the worm and making a variety of changes to the system.  These changes include: adding a user account, changing the device’s DNS server to 8.8.8.8, creating an SSH server on port 26 and downloading/installing a patch from QNAP against the Shellshock bug.
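The changes listed above double as indicators of compromise. As an added example (not code from the post, from MicroSolved or from QNAP), the script below checks captured text from a device for the three the post names: an account missing from a baseline list, 8.8.8.8 as a configured resolver, and a listener on TCP/26. The baseline account list, the sample account name svc_update and the netstat output are constructed placeholders; on a real device, feed it the contents of /etc/passwd, /etc/resolv.conf and the output of netstat -tln.

```python
"""Indicator check for the QNAP compromise described above (added example, not the post's code).

Works on captured text so it can run against files pulled from a device or
against the constructed samples below. Sample names and addresses are
placeholders, not indicators from the post.
"""

# Constructed samples -------------------------------------------------------
BASELINE_PASSWD = """root:x:0:0:root:/root:/bin/sh
admin:x:0:0:administrator:/share/homes/admin:/bin/sh
guest:x:65534:65534:guest:/tmp:/bin/sh
"""
# Same list plus one account the baseline never had (constructed name).
SUSPECT_PASSWD = BASELINE_PASSWD + "svc_update:x:1001:1001::/tmp:/bin/sh\n"

CLEAN_RESOLV = "nameserver 192.0.2.1\n"
SUSPECT_RESOLV = "nameserver 8.8.8.8\nnameserver 192.0.2.1\n"

# Shape of `netstat -tln` output; the post's indicator is an SSH server on port 26.
CLEAN_NETSTAT = """Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
"""
SUSPECT_NETSTAT = CLEAN_NETSTAT + "tcp        0      0 0.0.0.0:26              0.0.0.0:*               LISTEN\n"

ROGUE_DNS = "8.8.8.8"      # the resolver the dropper configures, per the post
ROGUE_SSH_PORT = 26        # the port the dropper's SSH server listens on, per the post


def accounts(passwd_text: str) -> set:
    """Usernames from passwd-style text (first field of each non-comment line)."""
    return {line.split(":")[0] for line in passwd_text.splitlines() if line and not line.startswith("#")}


def new_accounts(baseline_text: str, current_text: str) -> list:
    """Accounts present now that were not in the known-good baseline."""
    return sorted(accounts(current_text) - accounts(baseline_text))


def nameservers(resolv_text: str) -> list:
    """Resolver addresses in resolv.conf order."""
    found = []
    for line in resolv_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            found.append(parts[1])
    return found


def listening_ports(netstat_text: str) -> set:
    """TCP ports in LISTEN state from `netstat -tln` style output (IPv4 and IPv6 lines)."""
    ports = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[0].startswith("tcp") and parts[-1] == "LISTEN":
            ports.add(int(parts[3].rsplit(":", 1)[1]))
    return ports


def check_indicators(baseline_passwd: str, passwd: str, resolv: str, netstat: str) -> list:
    """Return human-readable findings; an empty list means none of the three indicators matched."""
    findings = [f"account not in baseline: {acct}" for acct in new_accounts(baseline_passwd, passwd)]
    if ROGUE_DNS in nameservers(resolv):
        # 8.8.8.8 is a legitimate public resolver; it is suspicious only if you never configured it.
        findings.append(f"resolver set to {ROGUE_DNS}; confirm against your intended DNS configuration")
    if ROGUE_SSH_PORT in listening_ports(netstat):
        findings.append(f"listener on tcp/{ROGUE_SSH_PORT} (matches the dropper's added SSH server)")
    return findings


if __name__ == "__main__":
    print("clean device:", check_indicators(BASELINE_PASSWD, BASELINE_PASSWD, CLEAN_RESOLV, CLEAN_NETSTAT))
    print("suspect device:", check_indicators(BASELINE_PASSWD, SUSPECT_PASSWD, SUSPECT_RESOLV, SUSPECT_NETSTAT))
```

A hit on any one indicator is reason to treat the device as compromised and rebuild it from a clean firmware image before patching, since the dropper also installs QNAP's own Shellshock patch and a device that is "patched" is not therefore clean.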

The map below shows the locations of compromised QNAP systems that we observed to be scanning for other unpatched QNAP systems.  If you have any questions regarding this exploit, feel free to contact us by emailing info <at> microsolved.com.

[Map: locations of compromised QNAP systems observed scanning for other unpatched QNAP systems (screenshot dated 2015-01-27)]

How I leveraged HoneyPoint during Corporate Acquisitions

Throughout my career, I have worked for organizations that have purchased and integrated 4 companies.  The acquired companies ranged from an organization with revenues of less than $3 million per year to a publicly traded company with annualized revenues of almost $1 billion.  While the acquisitions all carried their own set of challenges, they remain among the highlights of my career.

When I pictured corporate acquisitions, I always envisioned purchasing the next big startup or buying out your leading competitor.  I didn’t realize that a majority of corporate acquisitions are an attempt to leverage existing infrastructure and shared services to turn a failing company into a profitable organization.  When I was informed that my company was about to purchase another organization, I instantly realized I was going to be working with a lot of old hardware, disgruntled employees and vulnerable systems.  Fortunately, I was able to leverage HoneyPoint to address several of the aforementioned challenges.

Completing an acquisition can be overwhelming at times.  It’s important to take a step back and look at systems from a bird’s-eye view.  I always found it extremely helpful to deploy HoneyPoint Agent at the start of an acquisition.  I worked diligently to create an Agent deployment that mimicked the infrastructure of the acquired company.  This allowed me to have a centralized view of their network from one HoneyPoint console.  On more than one occasion, HoneyPoint Agent helped me to identify infected machines on the network of a recently acquired company.

Having worked for a company that has been acquired on two separate occasions, I always empathize with the employees of an acquired organization.  While it can be a scary time, it can also be looked at as an opportunity to demonstrate your talent to a new company.  I have met several talented IT Professionals throughout the 4 acquisitions that I have had the privilege of completing.  I was frequently amazed at their ability to keep a critical infrastructure running on a nonexistent budget.  Unfortunately, for every talented and cooperative professional, I have encountered a few disgruntled employees.

HoneyPoint has several great features that can help identify a disgruntled employee.  For example, I was able to place documents throughout our network that would log an alert to my HoneyPoint console each time they were opened.  This would have allowed me to easily identify any disgruntled employee that was searching a file server for confidential information.  Deploying these trojanized documents throughout our network taught me a valuable lesson about HoneyPoint: it should be considered a good thing when a deployment does not generate any alerts.  In this instance, it meant that I did not identify any employees that were digging through our file shares for confidential information.

Unfortunately, I have been a part of acquisitions where the IT staff of the acquired organization were not retained.  While it was purely a business decision, the layoffs posed a serious risk of creating disgruntled employees.  This could lead an employee of the acquired company to attempt to cause harm to systems owned and operated by the acquiring organization.  During each acquisition, I deployed HoneyPoint Agents that mimicked the infrastructure of my company.  This allowed me to identify any instance of an individual attempting to scan systems that were owned by the parent organization.  While I did not catch any individuals in the act, I was able to rest assured knowing that I had the capability to do so.

I highly recommend leveraging HoneyPoint during your next M&A.  It will help you address several of the challenges that are associated with the M&A process.  If you have any questions about HoneyPoint and how it can help your organization, please contact us at info <at> microsolved.com.