Ready for Ransomware?

Ransomware is becoming common. We are getting a lot of calls for help with incident response. Here’s a couple of things to think about, in general, around ransomware attacks.

1. Backups are your first line of recovery – just think about making sure they aren’t infected as well, so that you don’t restore infected files

2. Paying the ransom can be hairy – in some cases, paying the ransom could be a crime (think money laundering, banking regulations and the Patriot Act…), plus having a process to pay in bitcoin, even if you wanted to – in the time provided – is often a challenge

3. Some ransomware is recoverable – so check for options

4. Measure business impact – is re-creation of the data viable at a cost less than the cost of paying the ransom, including the work of paying the ransom – sometimes yes… 

5. Can you identify the failed controls that let you get infected? – If so, fix them, if possible.

These are a good place to start. Think about ransomware, your incident response process and current capabilities. Check your backups and have multiple sources. Be prepared instead of panicked.

Hosting Providers Matter as Business Partners

Hosting providers seem to be an often overlooked exposure area for many small and mid-size organizations. In the last several weeks, as we have been growing the use of our passive assessment platform for supply chain assessments, we have identified several instances where the web site hosting company (or design/development company) is among the weakest links. Likely, this is due to the idea that these services are commodities and they are among the first areas where organizations look to lower costs.

The fall out of that issue, though, can be problematic. In some cases, organizations are finding themselves doing business with hosting providers who reduce their operational costs by failing to invest in information security.* Here are just a few of the most significant issues that we have seen in this space:
  • “PCI accredited” checkout pages hosted on the same server as other sites that are clearly under the control of an attacker
  • Exposed applications and services with default credentials on the same systems used to host web sites belonging to critical infrastructure organizations
  • Dangerous service exposures on hosted systems
  • Malware infested hosting provider ad pages, linked to hundreds or thousands of their client sites hosted with them
  • Poorly managed encryption that impacts hundreds or thousands of their hosted customer sites
  • An interesting correlation of blacklisted host density to geographic location and the targeted verticals that some hosting providers sell to
  • Pornography being distributed from the same physical and logical servers as traditional businesses and critical infrastructure organizations
  • A clear lack of DoS protection or monitoring
  • A clear lack of detection, investigation, incident response and recovery maturity on the part of many of the vendors 
It is very important that organizations realize that today, much of your risk extends well beyond the network and architectures under your direct control. Partners, and especially hosting companies and cloud providers, are part of your data footprint. They can represent significant portions of your risk, and yet, are areas where you may have very limited control. 
 
If you would like to learn more about using our passive assessment platform and our vendor supply chain security services to help you identify, manage and reduce your risk – please give us a call (614-351-1237) or drop us a line (info /at/ MicroSolved /dot/ com). We’d love to walk you through some of the findings we have identified and share some of the insights we have gleaned from our analysis.
 
Until next time, thanks for reading and stay safe out there!
 
*Caveat: This should not be taken that information security is correlated with cost. We have seen plenty of “high end”, high cost hosting companies with very poor security practices. The inverse is also true. Validation is the key…

NanoCore RAT

It’s been discovered that a Remote Access Trojan (RAT) named NanoCore has been cracked again. These cracked copies are being heavily distributed via the deep and dark web. Due to the fact that malicious actors are now able to obtain this RAT for free, there has been a spike of observed NanoCore infections. For example, it was recently reported that the cracked copies are being leveraged in phishing attacks against energy companies. Unfortunately, we anticipate that the attempted use of this RAT will increase over the next few weeks.
However, there is some good news regarding the spread of NanoCore. First, the observed methods for deploying this malware do not seem to be very complicated. The attacks appear to be leveraging basic e-mail phishing which can be prevented by tuning spam filters and performing security awareness training with staff. Second, the attacks appear to be attempting to exploit vulnerabilities that are 2-3 years old. Your organization’s workstations should already have patches installed that will prevent the malware from being deployed. Finally, several commercial IDS/IPS systems are already able to detect this RAT. To ensure that your organization is protected, be sure to verify that your IDS/IPS/AV signatures are up to date.
We are more than happy to answer any questions that you might have about this RAT. Feel free to contact us by emailing <info> at microsolved.com

Lots of PHP Web Shells Still Circulating

Many PHP-based web shells are still making the rounds, and while many of them are based on old code, mutations, customizations and updates abound. They are so common, that new variants and modified versions are often seen at the rate of about 10 a day in our TigerTrax Threat Intelligence systems and honeypots.

Variants exist for a wide variety of platforms and human languages, many with some very nasty features and even some cool ASCII art. There are many variants for attackers to choose from for just about any of the popular PHP-based content management platforms. From WordPress to Joomla and beyond to the far less common apps, there are easily used exploits and shell kits widely available.

If you run a PHP-based site or server, it’s a good idea to keep an eye on the file system changes and watch closely for new files being uploaded or added. Pay particular attention to those using the “base64_decode” function, since it is so common among these tools.

Thanks for reading, and until next time, stay safe out there! 

Malware Can Hide in a LOT of Places

This article about research showing how malware could be hidden in Blu-Ray disks should serve as a reminder to us all that a lot of those “smart” and “Internet-enabled” devices we are buying can also be a risk to our information. In the past, malware has used digital picture frames, vendor disks & CD’s, USB keys, smart “dongles” and a wide variety of other things that can plug into a computer or network as a transmission medium.

As the so called, Internet of Things (IoT), continues to grow in both substance and hype, more and more of these devices will be prevalent across homes and businesses everywhere. In a recent neighbor visit, I enumerated (with permission), more than 30 different computers, phones, tablets, smart TV’s and other miscellaneous devices on their home network. This family of 5 has smart radios, smart TVs and even a Wifi-connected set of toys that their kids play with. That’s a LOT of places for malware to hide…

I hope all of us can take a few minutes and just give that some thought. I am sure few of us really have a plan that includes such objects. Most families are lucky if they have a firewall and AV on all of their systems. Let alone a plan for “smart devices” and other network gook.

How will you handle this? What plans are you making? Ping us on Twitter (@lbhuston or @microsolved) and let us know your thoughts.

RansomWeb Attacks Observed in HITME

Unfortunately, the destructive nature of Ransomware has taken a new turn for the worse.  A new technique called RansomWeb is affecting production web-based applications.  I recently analyzed data from the HITME project and observed several RansomWeb attacks against PHP applications.  I can only assume the frequency of these attacks will increase throughout the year.  As a former Systems Administrator, I can definitively say that it would be a nightmare to bring an application back online that was affected by this variant of Ransomware.  Due to RansomWeb’s destructive nature, it is important to ensure that your organization is actively working to prevent RansomWeb from destroying any critical systems.

The attackers begin the RansomWeb process by exploiting a vulnerability within a web server or web-based application.  Once the server or application have been exploited, the attackers slowly begin encrypting key databases and files.  Once the encryption is complete, the hackers shut down the website/application and begin to demand ransom in exchange for the decryption of the corporation’s files.  Unfortunately, the attackers have even perfected using this process to encrypt system-level backups.

To prevent RansomWeb from affecting your organization, please be sure to complete the following steps on a regular basis:

  • Perform regular vulnerability assessments and penetration testing against your critical applications and servers.
  • Audit your application and system logs for any irregular entries.
  • Verify that you are performing regular application and system backups.
  • Be sure to test the backup/ restore process for your applications and systems on a regular basis.  After all, your backup/ DR process is only as effective as your last successful restore.

If you would like to discuss how we can help you prevent RansomWeb from affecting your production applications, do not hesitate to contact us by emailing info <at> microsolved.com

Do You Browse From a Virtual Machine?

Configure 256

This article brings to mind an interesting trend we see going on among our financial and highly regulated clients – using a virtual machine for all Internet browsing. Several of our clients have begun using this technique in testing and small production groups. Often they are using ChromeOS images with VirtualBox or some other dedicated browser appliance and a light VM manager. 

Have you or your organization considered, tried or implemented this yet? Give us a shout on Twitter (@lbhuston, @microsolved) and let us know your thoughts. Thanks for reading!

Crypto Locker Down, but NOT Out

So, the US govt and law enforcement claim to have managed the disruption of crypto locker. And officials are either touting it as a total victory or a more realistic slowdown of the criminals leveraging the malware and bot-nets.

Even as the govt was touting their takedown, threat intelligence companies around the world (including MSI), were already noticing that the attackers were mutating, adapting and re-building a new platform to continue their attacks. The attackers involved aren’t likely to stay down for long, especially given how lucrative the crypto locker malware has been. Many estimates exist for the number of infections, and the amount of payments received, but most of them are, in a word, staggering. With that much money on the line, you can expect a return of the nastiness and you can expect it rather quickly.

Takedowns are effective for short term management of specific threats, and they make great PR, but they do little, in most cases, to actually turn the tide. The criminals, who often escape prosecution or real penalties, usually just re-focus and rebuild. 

This is just another reminder that even older malware remains a profit center. Mutations, variants and enhancements can turn old problems like Zeus, back into new problems. Expect that with crypto locker and its ilk. This is not a problem that is likely to go away soon and not a problem that a simple takedown can solve.

Watching Malware Evolve with TigerTrax

Recently, I have been spending a lot of my time working with TigerTrax, our intelligence platform, and using it to further my research into emerging threats. One of the most interesting areas has been using to track and trace the fits and starts of malware evolution using social media data and the web.

TigerTrax is really good at finding and analyzing the data for trends. The visualizations make spotting emerging patterns and even outliers very easy. For example, we noticed a trend around side loading of malware payloads recently. Not an overwhelming trend across all of malware, but associated with a specific group of verticals being targeted. This emerged easily from the graph data and analytics engines. We were able to use that information to inform our customers in that space and increase their capabilities in detection and incident response.

We have only just begun to find the deeper use cases for TigerTrax, but it is already changing the way MSI does work, even the core work of assessments. For example, with a small window of lead time, we can generate specific pattern analysis and cases to support findings in risk assessments, vulnerability and pen-testing work. The engines can keep our scenarios refreshed, keep us up to date with the latest attack vectors and exploits being used in the wild.

All in all, TigerTrax has given us a larger view of infosec, and watching malware evolve through its lens has become an interesting part of what we do at MSI. We look forward to the day when we can discuss more publicly what we are doing with TigerTrax and some of the findings we are generating, but for now, just know that the platform is being used in a myriad of ways, and that new developments are occurring on a daily basis. If you’d like to discuss what TigerTrax can do for your organization, give us a call. We’d be happy to sit down for a briefing with your team.

HoneyPoint IP Protection Methodology

Here’s another use case scenario for HoneyPoint Security Server. This time, we show the methodology we use to scope a HoneyPoint implementation around protecting a specific set of Intellectual Property (IP). 

If you would like an in-depth discussion of our process or our capability, please feel free to reach out to us and schedule a call with our team. No commitment and no hard sale, guaranteed.

If the graphic below is blurry on your device, you can download a PDF version here.

HP_IPProtection