CBS News recently did an interesting piece on ransomware, and the various reasons that businesses may choose to pay the ransom.
These ransom payments can range from a few thousand dollars – Leeds, Alabama negotiated its attacker down from $50,000 to $8,000 – to half a million dollars or more.
On the flip side of the coin, Atlanta, GA decided not to pay a ransom demand of approximately $50,000, and instead spent upwards of $17 million to recover from the attack.
Prepping? Who wants to prep for incident response?
This particular bit of writing came from a question that I was asked during a speaking engagement recently – paraphrased a bit.
How can a client help the incident team when they’re investigating an incident, or even suspicious activity?
So, I circulated this to the team, and we tossed around some ideas.
On May 14, 2019, Microsoft announced a vulnerability in RDP (Remote Desktop Services, formerly known as Terminal Services). The vulnerability is significant enough that Microsoft chose to publish a patch on May 15th for Windows XP and Windows 2003, operating systems that have been out of support for a few years now.
Why is this important? The vulnerability is similar to the one that WannaCry leveraged, and allows an attacker to “worm” through the network. Reports say that a proof-of-concept exploit exists; as of this writing on May 19th, the MSI lab hasn’t laid hands on one to test, and our research is ongoing.
To quote Microsoft:
“This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017.”
So what? So…early this morning, a search on shodan.io for “rdp” showed 1058 indexed exposures. A few HOURS later, that number had increased to 1062. Externally facing RDP is a very bad idea; attackers already considered it low-hanging fruit before this vulnerability came to light, and now the stakes are higher.
“My patching is automated” – so we’re all good, right? Well…I contacted a friend in a small office yesterday and suggested that they check. When she inventoried the 4 computers that were set to update automatically, 3 of them had not received this update. Due diligence is your friend here; don’t assume.
Patch. Patch now. Share with your friends and colleagues, particularly those who are less than technically savvy. Friends don’t let friends have RDP as an externally facing service!
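One way to do the “check, don’t assume” step above on a single Windows host, as an added PowerShell example that is not part of the original post: it reports whether a given update is installed, whether Remote Desktop is enabled in the registry, and whether anything is actually listening on TCP 3389. The KB number is a placeholder, because the post does not name it; take it from Microsoft’s advisory. The cmdlets assume Windows 8 / Server 2012 or later with PowerShell 5, so this does not help with the XP and 2003 hosts the post mentions.

```powershell
# Added example, not from the MSI post. Checks the local Windows host for:
#   1. whether the update with the given KB number is installed
#   2. whether Remote Desktop is enabled in the registry
#   3. whether a listener is really present on TCP 3389
# Run from an elevated PowerShell 5 prompt on the host being checked.
param(
    # PLACEHOLDER: replace with the KB number from the Microsoft advisory.
    [string]$KbId = 'KB0000000'
)

function Test-RdpExposure {
    param([string]$KbId)

    # Get-HotFix errors when the KB is absent; treat that as "not installed".
    $hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
    $patched = ($null -ne $hotfix)

    # fDenyTSConnections = 1 means Remote Desktop is disabled.
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                           -Name 'fDenyTSConnections' -ErrorAction SilentlyContinue
    $rdpEnabled = ($null -ne $ts) -and ($ts.fDenyTSConnections -eq 0)

    # The registry only says what is configured; confirm a socket is bound.
    $listener = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
    $listening = ($null -ne $listener)

    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        Update      = $KbId
        Patched     = $patched
        RdpEnabled  = $rdpEnabled
        Listening   = $listening
        # Unpatched and listening is the combination to fix first.
        NeedsAction = (-not $patched) -and $listening
    }
}

Test-RdpExposure -KbId $KbId | Format-List
```

Two caveats: Get-HotFix reads Win32_QuickFixEngineering, which does not list every update package, so a “not patched” result is worth confirming in Windows Update history before acting on it; and a local listener on 3389 says nothing about whether the host is reachable from the Internet, so the firewall rules (or the Shodan query the post mentions) still need to be checked from the outside.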
(Let’s not leave Adobe out of the mix. Adobe’s Patch Tuesday covers 82 CVEs. EIGHTY TWO? People, we have to do better…)
And remember…is it really paranoia if they ARE out to get you?
Office 365 and G Suite MFA bypass
Multi-factor authentication (MFA) has been shown to be a critical control to prevent business email compromise (BEC) as well as compromise of other critical systems. Recently, some information came to light about attacks on Office 365 and G Suite applications that bypass the protection of MFA.
A good day phishing is better than a bad day doing anything else! (Or was that fishing…)
Business Email Compromise (BEC) attacks saw a 479% increase between Q4 2017 and Q4 2018, per Proofpoint. The dramatic increase in web-based implementations like Office 365 (O365) contributes to the corresponding increase in attacks. Yeah, yeah, we’re going to talk about phishing again, @TheTokenFemale? Really?
Yes. Because no matter how well trained your people are, no matter how diligent…everyone has a bad day. Your organization may not be the “phish in a barrel” type…but it just takes once. A family member in the hospital, a rush to clean things up before vacation, or any kind of significant distraction can make the most diligent person overlook…and click.
Recently, Brent – MSI’s CEO – put together a Business Email Compromise checklist to help our clients combat phishing attempts, and prepare to discover and remediate successful attempts. The checklist:
- Enumerates attack vectors
- Briefly reviews impacts
- Lists control suggestions mapped back to the NIST framework model
But what does that mean for you? Our team put together an educational series based on the checklist, to help security programs at all levels. The next thing we’d like to share is a few war stories – tales from the field in various industries. These are drawn from our security and incident response work in those industries, and call out specific attack vectors and points to consider for these entities.
A few weeks ago, we published the Business Email Compromise (BEC) Checklist. The question arose – what if you’re new to security, or your security program isn’t very mature?
Since the checklist is based on the NIST model, there’s a lot of information here to help your security program mature, as well as to help you mature as a security practitioner. MSI’s engineers have discussed a few ways to leverage the checklist as a growth mechanism.