In these uncertain times, many companies are allowing employees to work from home more than ever before. Essential personnel onsite at the workplace are kept to a minimum and are offered remote support when issues occur. The scope of remote work is unprecedented and brings up a lot of questions for managers aiming to support their employees.
This series will discuss security testing and consulting options that Raxis offers to help companies work as securely as possible while employees work from home using home wireless services and systems or jump on the company VPN in unprecedented numbers.
Phishing
Raxis expects a rise in phishing attempts — emails, texts & phone calls — as attackers realize that employees are at home and not as easily able to verify that requests are legitimate.
Let’s start with your VPN itself. It’s likely at least a few of your team members are going to have problems logging on. Though they may be overwhelmed, your help desk workers are inclined to be helpful. Verification is a step that might easily be skipped in a rush to get an exec or senior manager online.
Finance is another point of vulnerability. Say that you receive an email from your boss saying to approve a new vendor payment. Normally your boss would never send that in an email . . . but these are not normal times, and you’re both working from home. You think of giving her a call, but she just told you she’s busy setting up her children’s new online school meeting. Do you approve the request? How are you sure that it’s legitimate?
What if it was a phone request from a customer who is working from home? He’s on his cell phone. Are you sure it’s really him? Should you verify before telling him customer financial information? Sure you should, but you’re out of your normal environment and he sounds really annoyed. What do you do?
And what about your teammates? Your employee texts you and asks for the password to an old system with a shared password. Do you text them back? Do you check the number first? Send it in email?
These are different questions than you ask when you’re in the office and can lean over the cube wall. It pays to make sure all your employees know the answers (or at least ask the questions) before they face them in the real world from home.
Where to start
Raxis has a number of phishing tests that fit these scenarios, and we are happy to work with you to customize a test that fits your needs. We provide a report and a debriefing call to help you educate your employees with real world examples. Whether they pass or fail, it’s an opportunity to safely assess their readiness and reinforce their training.
Take a look at our social engineering offerings. As always, Raxis is happy to advise you and work with you to customize a test that meets your needs. If you have concerns, we’d be happy to chat with you about options that work for you.
Brad Herring and Scott Sailors had the pleasure to present at the (ISC)² Atlanta Chapter Meeting last Thursday. The topic was Social Engineering and understanding how the high success rates of social engineering impact network security. Herring and Sailors shared the most common attack vectors, which include phishing, spear phishing, vishing, physical with a pre-text bias and physical with a technology bias.
The members were shocked at the 90% success rate Raxis sees with social engineering across all verticals and business size. Further sobering is the fact that, once Raxis gains access to an internal network, our team is successful in achieving an “impactful breach” 85% of the time.
Once the realization hit that determined and skilled hackers are commonly able to breach armed security, card-keyed systems, numeric keypads and other physical controls, the importance of achieving and maintaining a strong internal network security program became apparent.
This engaging meeting facilitated many conversations about physical security as well as the effectiveness of a mature phishing campaign. The group was able to heighten their awareness of the types of attacks to which businesses often fall prey, understand the behind the scenes actions that take place once credentials or access is achieved, and discuss meaningful remediation steps for combating these attacks.
Our Chief Operating Officer, Bonnie Smyre, was interviewed on Fox 5 News in Atlanta in a story regarding a Facebook scam involving Tyler Perry. Essentially, the scammers behind the Facebook sites and accounts are “data mining to get your information”. If you clicked the Facebook scam link, it’s probably too late to reverse it, but try to avoid it next time – if something seems too good to be true, it almost always is.
While events are still unfolding, we’re piecing together facts pertaining to the March 22nd ransomware attack on the City of Atlanta. As an Atlanta-based company, my colleagues at Raxis and I have been keeping a close eye on the happenings since the attack. The City of Atlanta has so far successfully kept people informed without revealing information that may be critical in responding to the attack.
It appears that the epicenter of the attack was Atlanta’s municipal court (including tickets, citations, and other information) and bill-payment systems. I examined the Municipal Court of Atlanta website as I researched this post late Monday and found that the site displayed an error message explaining that payments could temporarily be made at a different site. When I clicked through to that site, I was given two options: a link back to the original site where I had started and a link to an error message, both seen here. Whether these sites were directly affected by the attack or are disrupted as part of the aftermath, people using these sites are affected just the same. The ‘Online lookup tool’ on the same page leads to a webpage that times out. It is possible that this service was not affected by the ransomware attack directly, but access to this page may have been removed as a precautionary measure to prevent further attacks.
Based on these observations, we can infer that the attack has effectively diverted Atlanta’s resources to understanding, containing, and recovering from the attack. A trusted source tells Raxis that Atlanta is still working to fully confirm that critical infrastructure systems, such as fire, water and the airport, have not been impacted. All systems that may have been impacted have been taken offline until their state of compromise can be determined. Employees have been directed not to turn on or log in to their workstations, which is another proactive security measure implemented in immediate response to the attack.
A source has informed Raxis directly that vendors have physically been locked out of city buildings since the attack took place. A direct source has also confirmed to Raxis that construction companies have been unable to obtain permits that had already been submitted for approval due to the attack. Raxis also noted that Atlanta’s Outlook Web App (OWA) and GIS server were displaying application errors after the attack. The City of Atlanta appears to be working around the clock to fix these services; nonetheless, these issues speak to the severity of the attack and the breadth of Atlanta’s response to an active threat.
What can we speculate about the attack itself?
The city has not released details about the attack yet, but we can speculate. A Raxis source stated that the attackers were demanding three bitcoin per decrypt key. Internet sources show that the attackers are asking $6,800 per system or $51,000 to unlock the entire Atlanta system. While the math does not quite add up (currently Bitcoin rates are $8,056.44), we can see that the costs are high but also possible for Atlanta to pay.
Raxis has spoken to a trusted source who confirmed that it is believed that the attackers gained access to Atlanta systems using MS-RDP (Microsoft Remote Desktop Protocol) and then installed SamSam ransomware, which made the ransom demand. Our source stated that, as of close of business on Monday March 26th, Atlanta had not made a determination of whether to pay the ransom or to pursue other methods to recover business continuity.
RDP (Remote Desktop Protocol)
As noted above, a trusted Raxis source has informed us that the current belief is that attackers used MS-RDP as the entry point to Atlanta’s network. Raxis’ source, while not privy to the passwords that were harvested in the attack, believes that passwords likely were weak, which may have contributed to the success of the attack.
While the focus currently is on the ransom demands, the full access that the attackers may have achieved in this type of attack may well have allowed them to create back doors on the Atlanta systems they accessed, which would allow them to maintain a persistent presence for use in future attacks. Atlanta now finds itself in a position where it does not know whether a persistent threat is present on the internal network. It will need to maintain ongoing vigilance to determine the effectiveness of its response.
Both the externally accessible MS-RDP service and the possible use of weak passwords are security issues that many companies deal with. This attack makes clear the importance of basic security housekeeping in protecting any network.
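An internet-facing RDP service combined with weak passwords is usually visible in the Windows Security log long before the ransom note appears: a burst of failed RemoteInteractive logons (Event ID 4625, LogonType 10) from one source, sometimes followed by a successful logon (4624) from that same source. The script below is an added example written for this post, not Raxis code or any vendor's product; the log records are constructed in a simplified key=value form that mirrors the 4625/4624 fields, and the threshold, window and field names are assumptions you would adapt to your own SIEM export.

```python
"""Flag password guessing against an exposed RDP service from Windows Security log records.

Added example, not from the original post. Records are constructed below in a
'timestamp key=value ...' form that mirrors Event ID 4625 (failed logon) and
4624 (successful logon). LogonType 10 is RemoteInteractive, i.e. RDP.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source hammering two admin accounts and then getting in,
# one user mistyping a password twice, and one non-RDP (LogonType 3) failure.
SAMPLE_EVENTS = """\
2018-03-20T02:14:01 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2018-03-20T02:14:03 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2018-03-20T02:14:05 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2018-03-20T02:14:08 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2018-03-20T02:14:10 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2018-03-20T02:14:12 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2018-03-20T02:14:15 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2018-03-20T02:14:17 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2018-03-20T02:14:40 EventID=4624 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2018-03-20T08:02:11 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.23
2018-03-20T08:31:45 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.23
2018-03-20T09:00:00 EventID=4625 LogonType=3 TargetUser=svc_backup SourceIP=203.0.113.9
"""


def parse_event(line):
    """Parse one constructed record into a dict of typed fields."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "time": datetime.fromisoformat(ts),
        "event_id": int(fields["EventID"]),
        "logon_type": int(fields["LogonType"]),
        "user": fields["TargetUser"],
        "source": fields["SourceIP"],
    }


def find_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: summary} for each source with at least `threshold`
    failed RDP logons inside any `window`-long interval (sliding window).
    `succeeded` is True when the same source also produced a successful RDP
    logon, which is the case that needs immediate incident response."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["time"])
    rdp = [e for e in events if e["logon_type"] == 10]  # ignore SMB/network logons here
    failures = defaultdict(list)
    successes = set()
    for e in rdp:
        if e["event_id"] == 4625:
            failures[e["source"]].append(e)
        elif e["event_id"] == 4624:
            successes.add(e["source"])
    alerts = {}
    for src, evs in failures.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[src] = {
                    "failures": len(evs),
                    "users": sorted({e["user"] for e in evs}),
                    "succeeded": src in successes,
                }
                break
    return alerts


if __name__ == "__main__":
    for src, summary in find_rdp_bruteforce(SAMPLE_EVENTS.splitlines()).items():
        print(src, summary)
```

On the sample data only 203.0.113.7 is reported (eight failures in sixteen seconds against two administrator accounts, then a success); the two spaced-out failures from 198.51.100.23 look like a mistyped password and stay below the threshold. The same logic applied to a real export is a cheap way to learn whether an RDP service that should never have been reachable from the internet is already being worked on.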
Patching & EternalBlue Rumors
While our sources do not point to patching issues such as EternalBlue being involved in this attack, there are multiple rumors circulating on the internet stating that EternalBlue was the entry point the attackers used. Even if EternalBlue was not a part of this attack, it has been used in other recent attacks, such as the RedisWannaMine cryptominer attacks.
EternalBlue was one of several exploits released by ShadowBrokers in April 2017. Microsoft released a patch (MS17-010) the previous month, on March 14th. EternalBlue was also used in the WannaCry and Petya/NotPetya attacks that made headlines in 2017. It exploits SMB 1.0 and affects several versions of Windows and Windows Server, including newer versions such as Windows 10 and Windows Server 2016. Using Shodan, a search engine that focuses on the configuration aspects of publicly exposed systems, Raxis confirmed that a system reported to be a part of Atlanta’s infrastructure still allowed SMB 1.0 as of Monday afternoon. As a career penetration tester, I know how easy this attack is to perform. In many cases, a successful exploit of EternalBlue leads to administrative rights on the system itself. An experienced hacker can often use other vulnerabilities, such as weak passwords and inappropriate delegation of administrative privileges, to gain further access on the network.
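Shodan can tell you which of your hosts answer SMB 1.0 from the outside, but finding SMB1 still in use on the inside is just as important, and the first packet of every SMB session tells you. A client whose SMB1 support has been removed opens with an SMB2-framed negotiate (magic bytes 0xFE 'S' 'M' 'B'); a client that still has SMB1 enabled opens with an SMB1-framed negotiate (0xFF 'S' 'M' 'B', command 0x72) whose dialect list may or may not also offer "SMB 2.002" / "SMB 2.???". The following is an added example, not Raxis code: it constructs a few negotiate requests, parses the dialect list per the MS-CIFS layout, and classifies each client, which is the check a network sensor or a pcap review would apply to find hosts that have not had SMB1 disabled. The host labels and the decision to treat SMB1 framing without any SMB2 dialect as "smb1-only" are this example's assumptions.

```python
"""Classify SMB negotiate requests to find clients that still speak SMB 1.0.

Added example, not from the original post. The packets below are constructed
here; in practice you would feed in the first 445/tcp payload of each session
captured on a network sensor.
"""
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72


def build_smb1_negotiate(dialects):
    """Construct an SMB1 NEGOTIATE request offering the given dialect strings.
    Header layout (32 bytes) follows MS-CIFS: magic, command, status, flags,
    flags2, PIDHigh, SecurityFeatures, reserved, TID, PIDLow, UID, MID."""
    header = SMB1_MAGIC + struct.pack(
        "<BIBHH8sHHHHH", SMB_COM_NEGOTIATE, 0, 0x18, 0xC853, 0, b"\x00" * 8, 0, 0, 0xFEFF, 0, 0
    )
    body = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    return header + struct.pack("<BH", 0, len(body)) + body  # WordCount=0, ByteCount


def parse_negotiate(packet):
    """Return ("smb2", []) for an SMB2-framed negotiate or ("smb1", dialects)
    for an SMB1 NEGOTIATE; raise ValueError for anything else."""
    if packet[:4] == SMB2_MAGIC:
        return "smb2", []
    if packet[:4] != SMB1_MAGIC or len(packet) < 35:
        raise ValueError("not an SMB negotiate request")
    if packet[4] != SMB_COM_NEGOTIATE:
        raise ValueError("SMB1 packet is not a NEGOTIATE")
    word_count = packet[32]
    offset = 33 + 2 * word_count          # parameter words precede ByteCount
    byte_count = struct.unpack_from("<H", packet, offset)[0]
    data = packet[offset + 2: offset + 2 + byte_count]
    dialects = [entry[1:].decode("ascii", "replace")
                for entry in data.split(b"\x00") if entry.startswith(b"\x02")]
    return "smb1", dialects


def classify_client(packet):
    """'modern'       : SMB2/3 framing, SMB1 not offered at all
       'smb1-capable' : SMB1 framing but SMB2 dialects also offered
                        (a Windows host where SMB1 is installed but not required)
       'smb1-only'    : SMB1 framing with legacy dialects only (assumed label)"""
    framing, dialects = parse_negotiate(packet)
    if framing == "smb2":
        return "modern"
    if any(d.startswith("SMB 2") for d in dialects):
        return "smb1-capable"
    return "smb1-only"


# Constructed samples standing in for three observed hosts.
SAMPLES = {
    "legacy-host": build_smb1_negotiate(["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "NT LM 0.12"]),
    "smb1-still-enabled": build_smb1_negotiate(["NT LM 0.12", "SMB 2.002", "SMB 2.???"]),
    "smb1-disabled": SMB2_MAGIC + bytes(60) + struct.pack("<HH", 36, 1),  # only framing matters here
}


def audit(samples):
    """Map each host label to its SMB1 classification."""
    return {name: classify_client(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for host, verdict in audit(SAMPLES).items():
        print(f"{host:20s} {verdict}")
```

Anything classified "smb1-only" or "smb1-capable" still exposes the code path MS17-010 patches, so those hosts need both the patch and SMB1 removed; on supported Windows versions that is `Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol` on clients and `Set-SmbServerConfiguration -EnableSMB1Protocol $false` on servers. The server's reply (which dialect index it picked) is the other half of the picture and is not parsed here.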
SamSam Ransomware
A trusted Raxis source has confirmed that SamSam (also known as Samas or SamsamCrypt) ransomware, first seen in late 2015, was used in the attack. Once the attackers infiltrated Atlanta’s systems using RDP, they appear to have deployed the SamSam ransomware that alerted Atlanta. Attacks of this type have been widespread, victimizing governments, the healthcare industry, and educational institutions, as well as businesses of all sizes. The attacks have been profitable because the ransoms have often been affordable, often making it more appealing to pay to decrypt the affected files, rather than take on the expense and administrative burden of adjusting operations to compensate for lost data. Even with backups in place, it can take days or even weeks to restore systems fully. It seems best not to pay an attacker who is holding your information at ransom, but, in many cases, restoring business operations in a timely manner takes precedence.
What now?
While our source tells us that the initial internal response efforts were disorganized, Atlanta now appears to be engaged with the Microsoft and Cisco experts that they’ve brought in. The current lack of details is a positive; like any active investigation, managing communications is paramount until as many facts as possible have been discovered. A trusted source tells Raxis that Atlanta has made it clear that brand management is a priority as its bid to become the second Amazon headquarters and the 2019 Super Bowl loom large.
That said, Atlanta has demonstrated effective triage measures in response to the attack. As mentioned above, employees were told not to log in to their workstations, decreasing the attack surface. An airport spokesman told the Associated Press that the airport Wi-Fi network (as well as part of the webpage) had been taken down as a precaution. Atlanta has also been updating the public actively with news that is considered appropriate to release. Atlanta has leveraged their Twitter account, @cityofatlanta, to great effect, using it to post videos of press conferences with Atlanta Mayor Keisha Lance Bottoms as well as alerting constituents as city information services are restored to service.
Finally, what can your company do to not end up in this position?
Test, test, test. Working at Raxis I’ve seen penetration tests open customers’ eyes to issues they may not have known about or did not understand. While a penetration test may feel scary (you’re asking a hacker to enter your systems; the fear is understandable!), if you choose a good company, you should find that a penetration test is an indispensable tool to discover and prioritize your security tasks. The report you receive at the end of each test should do just that. To learn more about Raxis’ penetration testing services or just to find out more about the types of tests we recommend, see our site at https://raxis.com/pentest/. At Raxis, we’ve also worked with smaller companies that don’t need or can’t afford a full penetration test. We’ve recently launched a new service, the Baseline Security Assessment, that is meant to provide the benefit of security awareness for these companies that may not require the full depth of engagement that comes with our penetration testing services. Mature organizations that have mastered the art of managing a strategic security program that includes regular testing, vulnerability and patch management, as well as identity and access control, will benefit from the next step in security readiness. Investing in our Rapid Response Incident Response retainer is a strong measure of preparedness for when a security incident does occur. See Specialized Services to learn more about how Raxis can help you with this as well.
If you have questions about where to start and what services could be right for you, fill out the contact form at https://raxis.com/company/contact, and we’ll be happy to discuss how we can help fortify your defenses to keep you open for business and out of the headlines.
Petya, the next major security malware since Wannacry, is specifically targeting companies across the globe. Originating from Ukraine, the Petya ransomware uses the same Eternalblue/MS17-010 vulnerability that was used with Wannacry. The difference this time is that there is no kill switch that we know of. It’s getting some significant traction, infecting systems everywhere. In the US, it’s hit a major pharmaceuticals company and a food services company. Petya has also hit Danish, French, and Russian companies.
Similar to Wannacry, the malware is encrypting systems and demanding a ransom to get access to the data. Our research has not found a way to bypass this ransom at this time. Fortunately, it seems that working decryption keys are being provided once paid.
It’s not just ransomware
Unfortunately, there’s much more to this variant. Once the ransomware gains a foothold, it has worm capabilities and is breaching other systems using a variety of exploitation methods. It appears to be focused on critical infrastructure across the world, but is not limiting the devices it infects by any means. Various news sources have reported that power plants in the US and other countries have been breached. If this turns out to be a successful attack, it is quite scary to think about the damage that could occur.
For those who don’t remember, you can thank the NSA for this. The NSA had developed a tool that could breach Windows systems remotely using an exploit that was previously undisclosed. The Shadow Brokers hacker group obtained the source to the NSA tool and leaked it on April 14, 2017.
Stop PETYA with a penetration test
When it comes to ransomware, we haven’t found a good way to retroactively deal with the damage. Even once the ransom is paid, it is very likely that the attackers will return again in the future, particularly if they know that they’ve received payment in the past. The only real way to defend against Petya is to eliminate the vulnerability from the beginning, and a penetration test from a trusted third party might be the only real way to know you’re protected. Petya (and Wannacry) uses the Eternalblue vulnerability in SMB, fixed by MS17-010. Systems are still falling victim, even when the organization has a patch management program. Mistakes in configuring the vulnerability scanning tool, or systems unknown to the patch management tool, can leave a few systems vulnerable and outside the view of the security administrators. A penetration test can find these gaps in process before malware can exploit these systems. In addition, the penetration test will attempt to exploit any issues found as a proof of concept – providing you and your security organization proof that a potentially significant security event was avoided. Schedule a penetration test with Raxis before the next malware variant hits.
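The gap described above (a patch management program that is working, but only for the systems it knows about) is something you can measure yourself between tests by reconciling the tools that each hold a partial picture of the network: the directory, a network scan of port 445, the patch tool's enrollment list and the vulnerability scanner's MS17-010 findings. The following is an added example, not Raxis code; all four inventories are constructed, the 14-day stale check-in threshold is an assumption, and the output is the list of hosts that would have been missed had you trusted the patch tool alone.

```python
"""Reconcile asset inventories to find hosts outside patch-management coverage.

Added example, not from the original post. The four constructed inputs stand
in for exports from Active Directory, a port-445 network scan, the patch
management tool, and the vulnerability scanner.
"""
from datetime import date

AS_OF = date(2017, 6, 28)  # constructed: day of the audit

# Constructed inventories. Hostnames are placeholders.
AD_COMPUTERS = ["FS01", "WEB01", "HR-LAPTOP07", "PLC-GW02"]
NETWORK_SCAN = ["FS01", "WEB01", "HR-LAPTOP07", "PLC-GW02", "OLD-PRINTSRV"]  # answered on 445/tcp
PATCH_TOOL = {  # hostname -> last successful check-in with the patch tool
    "FS01": date(2017, 6, 27),
    "WEB01": date(2017, 5, 30),
    "HR-LAPTOP07": date(2017, 6, 26),
}
SCANNER = {  # hostname -> True when the scanner reports MS17-010 missing
    "FS01": False,
    "WEB01": True,
    "HR-LAPTOP07": False,
    "PLC-GW02": True,
}


def reconcile(as_of, ad_hosts, scanned_hosts, patch_tool, scanner, stale_days=14):
    """Cross-check the inventories and return the coverage gaps by category.
    'priority' lists hosts that expose 445/tcp and are either unpatched,
    never scanned, or unknown to the patch tool: the EternalBlue-shaped gap."""
    known = set(ad_hosts) | set(scanned_hosts)
    not_enrolled = known - set(patch_tool)
    stale_checkin = {h for h, last in patch_tool.items() if (as_of - last).days > stale_days}
    not_scanned = known - set(scanner)
    missing_patch = {h for h, missing in scanner.items() if missing}
    priority = set(scanned_hosts) & (missing_patch | not_scanned | not_enrolled)
    return {
        "not_enrolled": sorted(not_enrolled),
        "stale_checkin": sorted(stale_checkin),
        "not_scanned": sorted(not_scanned),
        "missing_ms17_010": sorted(missing_patch),
        "priority": sorted(priority),
    }


def run_reconciliation():
    """Run the audit over the constructed inventories."""
    return reconcile(AS_OF, AD_COMPUTERS, NETWORK_SCAN, PATCH_TOOL, SCANNER)


if __name__ == "__main__":
    for category, hosts in run_reconciliation().items():
        print(f"{category:18s} {', '.join(hosts) or '-'}")
```

Each of the three hosts on the sample priority list illustrates a different failure of process: WEB01 is enrolled in the patch tool but has not checked in for four weeks and the scanner confirms MS17-010 is still missing; PLC-GW02 is in the directory but was never enrolled; OLD-PRINTSRV is unknown to every tool except the network scan, which is exactly the kind of system a penetration tester finds first.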
Drones have been a hot news topic for a number of years. Individuals and businesses alike are scrambling to leverage these digital devices for everything from aerial photography to package delivery. Their inexpensive cost makes them readily accessible, and the uses are virtually unlimited – even for the malicious actor.
Perhaps you saw in the news where a drone was used to get within range of a home and hack into the automation features to control the lights. While that stunt was simply annoying, it shines a spotlight (pun fully intended) on the bigger issue security professionals face when seeking to implement this new technology securely.
Aerial Hacking
Recently Raxis conducted a security assessment where we employed a drone to intercept aerial signals in transit between two locations. The drone was positioned in the line of sight of the transmission and intercepted the signal as it flew by. The drone relayed the data to our security engineer on the ground and the captured data was reviewed for exploitable content.
Similarly, drones can be used for proximity attacks where they can get close enough to a target to intercept the radio signal. This information can be saved onboard or relayed to a remote location for analysis and use.
Drones can be readily equipped to receive and transmit data across a myriad of transports. This creates an interesting array of attack vectors for the creative hacker.
What Can You Do?
Drones offer an entirely new attack vector for hackers. As a security engineer, you need a comprehensive plan that incorporates drone-related threat profiles:
Establish a no-fly zone and prepare countermeasures for safely landing a rogue drone (where legally available).
Maintain vigilant surveillance of critical areas.
Ensure that all data is highly encrypted and that no plain text passwords or other information is being transmitted through the air.
If a drone is spotted, consider ceasing all data traffic until the drone is no longer a threat.
Beyond intercepting data, drones are employed for general surveillance with increasing frequency. An attacker preparing to infiltrate your physical property can gain a substantial amount of information by reviewing aerial footage obtained during overhead flights.
Drones can be small, quiet, and hard to detect. It’s possible a drone could surveil your property without attracting undue attention. Even if the device is noticed, it’s likely that employees would simply assume its presence is recreational without considering the security implications of such a device in proximity to a given facility.
Training and attentiveness are critical to maintaining a robust security posture against these aerial attacks. The old slogan from US Homeland Security, “If you see something, say something,” applies here. Encourage your employees to report drone sightings and develop a legal and safe plan for handling drone flights in your area.
Above all else, realize that drone-based attacks can pose a significant threat to your security posture and should be managed accordingly.
Ransomware is the hot topic today. Malicious actors infect your system with sinister code that hijacks your information. In its most pure form it encrypts your data and yanks it from within your very grasp, leaving behind only a message – a ransom note. If you ever wish to see your precious data again, you will pay. If you don’t pay, your data will be deleted and you will find yourself in the unemployment line.
It’s the kind of thing that keeps business owners and managers up at night.
The question is – what do you do to guard against it? Once the ransom appears on your screen, you’re done. There are several steps you should be taking to safeguard against ransomware.
1. Prevention
The number one thing you should do to guard against ransomware is to seal up the cracks. Find a good penetration testing company and have your internal and external networks evaluated. The right penetration testing company is going to come in with no credentials and attempt to exploit every weakness your network has. Don’t confuse this with a vulnerability scan – a true penetration test (pen test) approaches your system just like a real hacker. A real person is working your network and looking for exploits.
Add social engineering (email phishing, vishing and spear phishing specifically) to your assessment. Ransomware often infiltrates your system by malicious code unintentionally installed by an employee: using a found USB stick, visiting a malicious website, giving up credentials to an official-sounding phone call, clicking a link in an email, and so on. All of these are inadvertent ways an employee may infect their system.
The report and remediation recommendations you will get from a pen test are priceless for patching the holes in your security. Evaluate your pen test company carefully. Ask to see sample reports and determine the depth of analysis you will truly get. Do not be guided by price alone.
Along with assessing the network for vulnerabilities, you should also consider a robust endpoint protection solution with an awareness of ransomware and zero-day vulnerabilities. Patching, as a component of a comprehensive vulnerability management program, should also be considered a foundational element in any ransomware mitigation strategy.
2. Anticipation
Remember the saying – “failing to plan is planning to fail”. Ransomware is becoming more and more prevalent. You need to know what data you have, where you have it, and when it was last backed up. A completely audited data system will be much easier to restore. This will also help you get a grip on what has been compromised.
3. Backup, Cloud backup and Services
Once the thief has your data, the jig is up. Your data is encrypted, and there is a ransom to get it back. You’re not going to hack the encryption. If you pay – you’ll usually get your data back (not to mention a target on your back). If you don’t pay – they delete the data and you’re likely out of business.
Once the attack happens you have three choices – pay the ransom, go out of business or restore from a backup.
You DO backup, right? Surprisingly many companies don’t, and the ones that do often don’t have good practices in place for consistency. It’s critical this backup be separate from your network. You have a few options with backups:
1 – Consistent internal backups to off-site drives isolated from the network.
2 – Cloud based backups
While many experts agree that ransomware has not yet made the leap to the cloud, the issue is getting the data back in time for a reasonable restore. Normal data transfers aren’t reasonable with typical large companies. There are services available that will overnight a hard drive to your door once you’ve been attacked.
4. Restoration Plan
You need a plan in place to restore the data once you get it. Regardless of how you choose to backup and restore – you need this plan. You will have to wipe the entire system and systematically restore it. You also need to keep in mind that the data you are restoring has the same vulnerability that got you hacked in the first place. So a smart hacker is likely to get right back in – and the game of cat and mouse continues.
You can’t afford to keep playing the game. Restore the system and immediately get it assessed and patched. By now you should see why step 1 is so crucial to avoiding ransomware. You are also likely seeing why step 2 is important.
Ransomware is here to stay for a while. It’s the new age stagecoach heist. The hi-tech way of bank robbery. Your best defense is a strong offense, good preparation and a plan for business continuity if and when it happens to you.
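Steps 2 through 4 above come down to three questions you should be able to answer before an incident rather than during one: is every dataset backed up recently enough, is the backup somewhere the ransomware cannot reach from the network, and does a restore actually give you back what you recorded? The audit below is an added example, not Raxis code: the backup manifest and the results of a restore drill are constructed, the one-day maximum backup age is an assumption, and treating only off-site disks and cloud targets as isolated (and a network share as not) follows the point made in step 3.

```python
"""Audit a backup manifest against a restore drill: staleness, isolation, integrity.

Added example, not from the original post. The manifest and the restore
results are constructed; a real run would read the manifest your backup
tool writes and hash the files a test restore produced.
"""
import hashlib
from datetime import datetime, timedelta


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed manifest: where each dataset's backup lives, when it was last
# taken, and the content hash recorded at backup time.
BACKUP_MANIFEST = [
    {"dataset": "finance-db", "target": "offsite-disk", "last_backup": "2017-05-11T01:00",
     "sha256": sha256(b"finance rows v3")},
    {"dataset": "hr-files", "target": "network-share", "last_backup": "2017-05-11T01:00",
     "sha256": sha256(b"hr docs v1")},
    {"dataset": "web-content", "target": "cloud", "last_backup": "2017-04-30T01:00",
     "sha256": sha256(b"site build 118")},
    {"dataset": "legacy-app", "target": None, "last_backup": None, "sha256": None},
]

# Constructed restore drill: dataset -> bytes that actually came back.
RESTORE_DRILL = {
    "finance-db": b"finance rows v3",
    "hr-files": b"hr docs v1 (partial)",   # truncated restore
}

AUDIT_TIME = datetime(2017, 5, 11, 9, 0)   # constructed
ISOLATED_TARGETS = {"offsite-disk", "cloud"}  # assumption: reachable only out of band


def audit_backups(manifest, restored, now, max_age=timedelta(days=1)):
    """Return {dataset: sorted findings} for every dataset with a problem.
    A dataset with no findings is omitted, so an empty dict means 'all good'."""
    findings = {}
    for entry in manifest:
        name = entry["dataset"]
        if entry["last_backup"] is None:
            findings[name] = ["never backed up"]
            continue
        issues = []
        if now - datetime.fromisoformat(entry["last_backup"]) > max_age:
            issues.append("stale")
        if entry["target"] not in ISOLATED_TARGETS:
            issues.append("not isolated")     # same network the ransomware will traverse
        if name not in restored:
            issues.append("restore untested")
        elif sha256(restored[name]) != entry["sha256"]:
            issues.append("restore mismatch")  # backup exists but does not restore intact
        if issues:
            findings[name] = sorted(issues)
    return findings


def run_drill():
    """Audit the constructed manifest against the constructed restore drill."""
    return audit_backups(BACKUP_MANIFEST, RESTORE_DRILL, AUDIT_TIME)


if __name__ == "__main__":
    for dataset, issues in run_drill().items():
        print(f"{dataset:12s} {', '.join(issues)}")
```

On the constructed data only finance-db passes: hr-files sits on a network share and its test restore came back truncated, web-content has not been backed up for eleven days and was never restore-tested, and legacy-app has no backup at all. Those are the four findings a restoration plan has to have closed out before the ransom note arrives, because afterwards the only remaining options are the ones listed in step 3.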
Last week Raxis’ managing director, Bonnie Smyre, met with Dana Fowle at Fox 5 Atlanta to discuss the EMV credit card chip technology. The US is the last major market to convert to this technology as an eventual replacement for magnetic strip credit cards. Bonnie speaks with Dana about the increased security provided by these chips that send a one time code for each transaction. Watch the video for more details.
Please see below for a Transcript of the video interview with Fox5 News:
…”And if you haven’t, it’s time to get on board. The bottom line is that security experts agree, it’s safer to use than your magnetic strip.
The swipe at many retailers is on its way out. Now at the register you will “Dip the Chip.”
Pull your credit card out of your wallet. If you got a new one, which many of you have, you should see a silver square. It’s called EMV chip technology.
We listened in as a Home Depot employee walked a customer through it.
“This is a chip card now, place inside – the card – like that. Just leave like that until the light is gone.”
Bonnie Smyre of the local Internet security firm RAXIS said, “What that does that is special is that it creates a one-time code.”
It’s an extra security layer. A new code is created for each purchase. But, it does take longer to process the card.
It takes a good, solid 10 seconds, at major retailers. Longer at smaller shops. But, according to security expert Bonnie Smyre, it’s offering the closest thing we have to perfect credit card security protection.
“Even if that code is stolen by a thief nearby who is trying to get that information, the code can not be used again. And that’s your protection here.”
The US is the last big market to use this EMV chip technology. Great Britain has used it for 10 years and its credit card fraud for in-person purchases has plummeted a whopping 63 percent.
Home Depot customer Ben Darmer said there isn’t really much of a learning curve at all when using it the first time. The machine at the register walks you right through the process.
“I like the security and it’s very easy to use. We were recently in Europe and they use them all over the place,” he said.
Novelle Caibon was a first-timer.
“It seemed pretty good. I like it.”
But here’s the catch: This chip doesn’t offer any protection for online purchases.
“In the UK, like I said, 10 years ago that they did this conversion, since then they’ve seen 120 percent increase in online fraud,” said Bonnie Smyre.
Not all small retailers have the new chip machines yet. They’re expensive. Ms. Smyre says it can cost up to $1,000 per terminal to install. But big box retailers, like Home Depot and Target, do have them installed.
Home Depot supervisor Kevin Cannon says while customers look a little confused at first, it only takes one time to get it.
“It’s not here to hurt you; it’s here to help you and it’s a better way,” he said.”