Tag: Ransomware

  • Why Mutual Assured Destruction is an Incomplete Cyber Defense Strategy

    “Like it or not, all of us are on the front lines in a cyberwar that is heating up with every day that passes.”

    Bonnie Smyre, Raxis Chief Operating Officer

    In the wake of the Colonial Pipeline breach, security analysts have discussed the idea that direct retribution might be an effective deterrent to the large-scale cyberattacks of the sort the US is experiencing ever more frequently nowadays. As someone with a strong background in Russian and Eastern European studies, I understand the historical precedent that drives this mindset. However, as a cybersecurity professional, I know that half-century-old strategy will not be nearly as effective against the challenges we face today.

    Some ‘MAD’ Background

    In the most dangerous days of the Cold War, US and Soviet leaders agreed to a counterintuitive policy that helped ensure neither side would launch a catastrophic nuclear first strike. Recognizing that stockpiles of atomic weapons were sufficient to destroy Earth many times over, the two superpowers agreed that the world was most secure when both sides maintained the ability to respond to a first strike with an equally devastating counterstrike.

    Though it sounds barbaric, the strategy of mutual assured destruction (MAD) was one reason a period of détente lasted long enough for both nations to de-escalate tensions and negotiate dramatic reductions in the size of their nuclear arsenals.

    The New Battlespace

    Though the Soviet Union fell apart in the early 1990s, and the US ‘normalized’ relations with China, the threat they posed to America never disappeared completely. Instead, it has evolved with new technology and shifted into cyberspace. Hackers with ties to Russia and China are widely believed to have been responsible for high-profile breaches of government agencies and contractors, meddling in US political campaigns, and sabotaging critical infrastructure.

    I say ‘widely believed’ because in the shadowy world of hackers it’s nearly impossible to prove an attack was state-sponsored. Malicious actors are very much cybercriminals without borders, and it’s not hard for hostile nations to contract out some of their dirtiest work.

    As for the weaponry, ransomware, like the type used in the Colonial Pipeline hack, can be a few lines of code, readily available for sale on the dark web. Some of the more helpful black hats even offer support for an additional fee.

    Where Deterrence Fails

    The simplicity and anonymity of cyberwarfare do more than give cover to state-sponsored actors. In the context of mutual assured destruction, a more dangerous possibility is that non-state actors could launch an attack that triggers a misdirected, full-scale state response. In that scenario, it’s easy to envision a rapid escalation leading to military action.

    An even bigger problem with the MAD concept, however, is its central tenet that the civilian population is purposely left exposed. In the case of nuclear war, there is a macabre logic behind that. Taking away the fallout shelters, civil defense infrastructure, and air raid drills made clear to everyone that a nuclear war between the superpowers would likely be the end of civilization. Entering the launch codes meant worldwide annihilation, plain and simple.

    In the case of cyberwarfare, there simply isn’t a clear delineation between military and civilian or even public and private sector targets. Colonial is a private company, as are many utilities and other organizations that are of vital importance to our national security. Was the recent ransomware attack a simple economic crime or a strategic strike on the Eastern Seaboard?

    Nor is there a foolproof way to gauge the severity of the attack. A small business might be hacked in order to reach a larger upstream supplier. And disrupting several municipalities could have the same strategic impact as an attack on the federal government.

    We are the Front Line

    From a practical perspective, what all this means is that, at most, deterrence can only be one part of a much larger strategy. And, unlike the Cold War, this new state of perpetual, persistent cyberwarfare can’t be waged solely by our military or managed by diplomats alone.

    We’re all in this together. As long as one business is at risk, all of our businesses are. If our businesses are at risk, so is our government. And if our government is at risk, so are our people – from all walks of life.

    Like it or not, all of us are on the front lines in a cyberwar that is heating up with every day that passes. The good news is that there are things we can do to protect ourselves and to become harder targets. As we do so, we raise the technological barriers, drive up the costs, and increase the risk to those who would attack us.

    Mutual assured destruction helped end the Cold War without nuclear confrontation. But the key to ending global cyberwarfare may well be mutual cooperation – among our government, our military, and our businesses of all sizes.

  • Imminent Threat for US Hospitals and Clinics, RYUK Ransomware Alert (AA20-302A) – Updated 11/2/2020

    Earlier this week, rumblings of a RYUK attack against US-based hospitals and clinics were detected. As the week has progressed, we have started to see this attack unfold.

    On October 29, 2020, a confidential source on the attack described this as an “Increased and Imminent Cybercrime Threat”.

    What we know:

    This appears to be a RYUK ransomware attack being delivered through phishing attacks. Raxis recommends that heightened vigilance be applied across all attack vectors and instrumentation.

    Who:

    The attack appears to be targeted at U.S.-based hospitals, clinics, and other health care facilities. All health care operations should be on heightened alert for anomalous behavior or other Indicators of Compromise (IOCs).

    When:

    Imminent. As of the time of this writing several US hospitals are already under attack.

    What to do:

    • Immediately disseminate threat awareness notifications to all users and establish an update cadence to keep them aware of the threat as it continues to evolve.
    • Isolate critical systems where possible.
    • Review Incident Response (IR) plans and confirm accuracy of the plans to the extent possible.
    • Verify systems are patched and up to date.
    • Adjust instrumentation to detect known ransomware IOCs.
    • Use Multi-Factor Authentication (MFA) wherever possible. Consider temporarily enforcing MFA in instances where users have the option of bypassing it.
    • Enforce cybersecurity hygiene, including auditing user accounts with admin privileges and closing all unnecessary ports.
    • Back up all critical data and verify restoration capabilities.
    • Verify endpoint protection measures are up to date and functioning properly.

    Technical details of the attack:

    • The initial insertion point is through a phishing campaign.
    • Typically, RYUK has been deployed as a payload from Trojans such as TrickBot.
    • RYUK actors use common tools to steal credentials. These tools allow the actors to dump cleartext passwords as well as password hashes that can be brute forced offline.
    • Payloads may establish persistence based on DLL injection or other common techniques.
    • RYUK has been known to use scheduled tasks and service creation to maintain persistence.
    • RYUK actors will conduct network reconnaissance using native tools such as Windows Net commands, nslookup, and ping to locate mapped network shares, domain controllers, and Active Directory resources.
    • RYUK actors also use tools such as PowerShell, Windows Management Instrumentation (WMI), Windows Remote Management, and Remote Desktop Protocol (MS-RDP) for lateral movement through the network. IT personnel should be on alert for any suspicious traffic on the network.
    • RYUK uses AES-256 to encrypt files and an RSA public key to encrypt the AES key.
    • Actors will attempt to disable or remove security applications on victim systems that might prevent the ransomware from executing. Secondary monitoring on these processes may enhance detection fidelity.

    Updates

    November 2, 2020

    New information has been released specifically around Indicators of Compromise (IOCs). The latest information indicates threat actors are targeting the Healthcare and Public Health (HPH) Sector with TrickBot and BazarLoader malware. This malware often leads to ransomware, data theft, and disruption of services. It is often loaded through malicious links and/or attachments delivered via phishing.

    TrickBot IOCs:
    TrickBot often installs an anchor toolset identified as anchor_dns that creates a backdoor for sending and receiving data from compromised machines using Domain Name System (DNS) tunneling. Anchor_dns uses a single-byte XOR cipher to encrypt its communications, which have been observed using key 0xB9. Once decrypted, the string anchor_dns can be found in the DNS request traffic.
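    As an added illustration of the detection logic the paragraph above implies (this is example code, not part of the advisory or Raxis tooling), the script below takes DNS query log lines, XOR-decodes hex-looking leading labels with the advisory's key 0xB9, and reports only those that yield printable text. It assumes the XOR output is hex-encoded into the subdomain label (not stated on the page), uses a constructed log and a placeholder C2 domain, and goes one step beyond the page with a brute-force helper for keys other than 0xB9.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Single-byte XOR key the advisory reports for anchor_dns traffic.
ANCHOR_XOR_KEY = 0xB9
HEX_LABEL_RE = re.compile(r"^[0-9a-fA-F]+$")


def xor_bytes(data: bytes, key: int = ANCHOR_XOR_KEY) -> bytes:
    """Apply the single-byte XOR cipher; XOR is symmetric, so this encodes and decodes."""
    return bytes(b ^ key for b in data)


def is_printable_ascii(data: bytes) -> bool:
    return bool(data) and all(0x20 <= b <= 0x7E for b in data)


def decode_label(label: str, key: int = ANCHOR_XOR_KEY, min_bytes: int = 4) -> Optional[str]:
    """Try to recover tunnelled plaintext from one DNS label.

    Assumption: the XOR output is hex-encoded into the label. Returns None unless the
    label is even-length hex of at least min_bytes bytes AND XOR-decoding it gives
    printable ASCII; that keeps ordinary hex-looking labels (CDN hashes, etc.) quiet.
    """
    if len(label) % 2 or len(label) < 2 * min_bytes or not HEX_LABEL_RE.match(label):
        return None
    plain = xor_bytes(bytes.fromhex(label), key)
    return plain.decode("ascii") if is_printable_ascii(plain) else None


def scan_dns_log(lines: Iterable[str], key: int = ANCHOR_XOR_KEY) -> List[Tuple[str, str, str]]:
    """Return (client, qname, decoded_text) for queries whose leading labels decode cleanly.

    Log format assumed: "<timestamp> <client> <qname>". The rightmost two labels are
    treated as the registered domain and never decoded.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        client, qname = parts[1], parts[2].rstrip(".")
        labels = qname.split(".")
        decoded = [d for d in (decode_label(lbl, key) for lbl in labels[:-2]) if d]
        if decoded:
            hits.append((client, qname, "".join(decoded)))
    return hits


def candidate_keys(data: bytes) -> List[int]:
    """Brute-force all 256 single-byte keys, keeping those that yield printable ASCII.

    Beyond the page: handy when a sample does not use the observed 0xB9 key.
    """
    return [k for k in range(256) if is_printable_ascii(xor_bytes(data, k))]


# Constructed sample log (not captured traffic). The tunnel line is built by encoding a
# plausible check-in string with the advisory's key; the C2 domain is a placeholder.
TUNNEL_PLAINTEXT = "host=WS01;user=jdoe"
TUNNEL_LABEL = xor_bytes(TUNNEL_PLAINTEXT.encode()).hex()
SAMPLE_DNS_LOG = [
    "2020-11-02T09:14:03Z 10.0.5.21 www.example.com.",
    "2020-11-02T09:14:05Z 10.0.5.21 deadbeefcafe.cdn.example.net.",  # hex, but not XOR text
    f"2020-11-02T09:14:07Z 10.0.5.44 {TUNNEL_LABEL}.c2-domain.test.",  # placeholder C2
]

if __name__ == "__main__":
    for client, qname, text in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{client} -> {qname}: {text!r}")
```

    Run against real resolver logs, tune min_bytes upward and restrict to high-entropy or high-volume names first; the printable-ASCII filter alone will not silence every benign hex label.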

    TrickBot copies itself as an executable file with a 12-character randomly generated name and places this file in one of the following directories:

    • C:\Windows
    • C:\Windows\SysWOW64
    • C:\Users\[Username]\AppData\Roaming

    Once the executable is running, it downloads hardware-specific modules from the command and control (C2) server. These files are placed in the infected host’s %APPDATA% or %PROGRAMDATA% directory.

    The malware uses a scheduled task running every 15 minutes to maintain persistence with the host machine. Reports indicate the tasks typically use the following naming conventions:

    [random_folder_name_in_%APPDATA%_excluding_Microsoft]
    autoupdate#[5_random_numbers] 

    After successful execution, anchor_dns deploys malicious batch scripts using PowerShell commands: 

    cmd.exe /c timeout 3 && del C:\Users\[username]\[malware_sample]
    cmd.exe /C PowerShell \"Start-Sleep 3; Remove-Item C:\Users\[username]\[malware_sample_location]\"

    The following domains have been associated with anchor_dns:

    • Kostunivo.com
    • chishir.com    
    • mangoclone.com
    • onixcellent.com

    This malware has been known to use the following legitimate domains to test internet connectivity:

    • Api.ipify.org
    • Checkip.amazonaws.com
    • Icanhazip.com
    • Ident.me
    • Ip.anysrc.net
    • Ipecho.net
    • Ipinfo.io
    • Myexternalip.com
    • Wtfismyip.com

    There is also an open-source tracker for TrickBot C2 servers located at https://feodotracker.abuse.ch/browse/trickbot/

    Anchor_dns historically used the following C2 servers:

    • 23.95.97.59
    • 51.254.25.115
    • 87.98.175.85
    • 91.217.137.37
    • 193.183.98.66

    BazarLoader/BazarBackdoor IOCs:

    Typically deployed through phishing; the campaigns have the following characteristics:

    • Typically deployed in a PDF attachment through an actor controlled online hosting solution
    • Often references a failure to create a preview of the document and contains a link to a URL that is hosting a malware payload
    • Emails are often routine in appearance and often employ a business pretext
    • Typical social engineering tactics are in use with email content 

    The following filenames have been identified for installing BazarLoader:

    • Document_Print.exe
    • Report10-13.exe
    • Report-Review26-10.exe
    • Review_Report15-10.exe
    • Text_Report.exe 

    Bazar activity can be detected by searching system startup folders and Userinit values under the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon registry key:

    %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\adobe.lnk
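    The following is an added example (not from the advisory or from Raxis) that turns the TrickBot scheduled-task naming convention above and the Bazar startup-folder and Winlogon Userinit checks into a small host-triage routine. It operates on a collected snapshot (task names, the Userinit value, startup-folder filenames) so it runs anywhere; the expected Userinit path, the snapshot layout, and the sample host data are assumptions.

```python
import re
from typing import Dict, Iterable, List

# Stock Userinit value is the system userinit.exe followed by a trailing comma; every
# extra comma-separated entry runs at each interactive logon. (Assumed default path.)
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

# TrickBot scheduled-task convention from the advisory: autoupdate#<five digits>.
TRICKBOT_TASK_RE = re.compile(r"^autoupdate#\d{5}$", re.IGNORECASE)

# Startup-folder shortcut the advisory names for Bazar persistence.
BAZAR_STARTUP_LNK = "adobe.lnk"


def check_userinit(value: str) -> List[str]:
    """Return Userinit entries other than the expected userinit.exe path."""
    findings = []
    for raw in value.split(","):
        entry = raw.strip().strip('"')
        if not entry:
            continue  # the trailing comma of the stock value
        if entry.lower() != EXPECTED_USERINIT:
            findings.append(entry)
    return findings


def check_scheduled_tasks(names: Iterable[str]) -> List[str]:
    """Return task names matching the TrickBot autoupdate#NNNNN pattern."""
    return [n for n in names if TRICKBOT_TASK_RE.match(n.strip())]


def check_startup_folder(filenames: Iterable[str]) -> List[str]:
    """Return startup-folder entries matching the Bazar shortcut name."""
    return [f for f in filenames if f.lower() == BAZAR_STARTUP_LNK]


def triage(host: Dict[str, object]) -> Dict[str, List[str]]:
    """Run all checks over one host snapshot; only non-empty findings are returned."""
    results = {
        "userinit": check_userinit(str(host.get("userinit", ""))),
        "scheduled_tasks": check_scheduled_tasks(host.get("scheduled_tasks", [])),
        "startup_folder": check_startup_folder(host.get("startup_folder", [])),
    }
    return {k: v for k, v in results.items() if v}


# Constructed host snapshots (illustrative, not real collection output).
CLEAN_HOST = {
    "userinit": r"C:\Windows\system32\userinit.exe,",
    "scheduled_tasks": ["OneDrive Standalone Update Task", "MicrosoftEdgeUpdateTaskMachineUA"],
    "startup_folder": ["desktop.ini"],
}
INFECTED_HOST = {
    "userinit": r"C:\Windows\system32\userinit.exe,C:\Users\jdoe\AppData\Roaming\Qwerty12\loader.exe,",
    "scheduled_tasks": ["OneDrive Standalone Update Task", "autoupdate#48213"],
    "startup_folder": ["desktop.ini", "adobe.lnk"],
}

if __name__ == "__main__":
    for label, snapshot in (("clean", CLEAN_HOST), ("infected", INFECTED_HOST)):
        print(label, triage(snapshot) or "no findings")
```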

    The following C2 servers are known to be associated with this malicious activity:

  • City of Atlanta 2018 Ransomware Hack: What We Know and What You Can Learn From It

    What do we know?

    [Screenshots: Municipal Court of Atlanta site unable to take payments; error on the alternative citation payment webpage; citation and case number lookup tool]

    While events are still unfolding, we’re piecing together facts pertaining to the March 22nd ransomware attack on the City of Atlanta. As an Atlanta-based company, my colleagues at Raxis and I have been keeping a close eye on the happenings since the attack. The City of Atlanta has so far successfully kept people informed without revealing information that may be critical in responding to the attack.

    It appears that the epicenter of the attack was Atlanta’s municipal court (including tickets, citations, and other information) and bill-payment systems. I examined the Municipal Court of Atlanta website as I researched this post late Monday and found that the site displayed an error message explaining that payments could temporarily be made at a different site. When I clicked through to that site, I was given two options: a link back to the original site where I had started and a link to an error message, both seen here. Whether these sites were directly affected by the attack or are disrupted as part of the aftermath, people using these sites are affected just the same. The ‘Online lookup tool’ on the same page leads to a webpage that times out. It is possible that this service was not affected by the ransomware attack directly, but access to this page may have been removed as a precautionary measure to prevent further attacks.

    Based on these observations, we can infer that the attack has effectively diverted Atlanta’s resources to understanding, containing, and recovering from the attack. A trusted source tells Raxis that Atlanta is still working to fully confirm that critical infrastructure systems, such as fire, water and the airport, have not been impacted. All systems that may have been impacted have been taken offline until their state of compromise can be determined. Employees have been directed not to turn on or log in to their workstations, which is another proactive security measure implemented in immediate response to the attack.

    A source has informed Raxis directly that vendors have physically been locked out of city buildings since the attack took place. A direct source has also confirmed to Raxis that construction companies have been unable to obtain permits that had already been submitted for approval due to the attack. Raxis also noted that Atlanta’s Outlook Web App (OWA) and GIS server were displaying application errors after the attack. The City of Atlanta appears to be working around the clock to fix these services; nonetheless, these issues speak to the severity of the attack and the breadth of Atlanta’s response to an active threat.

    What can we speculate about the attack itself?

    The city has not released details about the attack yet, but we can speculate. A Raxis source stated that the attackers were demanding three bitcoin per decrypt key. Internet sources show that the attackers are asking $6,800 per system or $51,000 to unlock the entire Atlanta system. While the math does not quite add up (currently Bitcoin rates are $8,056.44), we can see that the costs are high but also possible for Atlanta to pay.

    Raxis has spoken to a trusted source who confirmed that it is believed that the attackers gained access to Atlanta systems using MS-RDP (Microsoft Remote Desktop Protocol) and then installed SamSam ransomware, which made the ransom demand. Our source stated that, as of close of business on Monday, March 26th, Atlanta had not made a determination of whether to pay the ransom or to pursue other methods to recover business continuity.

    RDP (Remote Desktop Protocol)

    As noted above, a trusted Raxis source has informed us that the current belief is that attackers used MS-RDP as the entry point to Atlanta’s network. Raxis’ source, while not privy to the passwords that were harvested in the attack, believes that passwords likely were weak, which may have contributed to the success of the attack.

    While the focus currently is on the ransom demands, the full access that the attackers may have achieved in this type of attack may well have allowed them to create back doors to the Atlanta systems they accessed, which would let them maintain a persistent presence for use in future attacks. Atlanta now finds itself in a position where it does not know whether a persistent threat is present on the internal network. It will need to maintain ongoing vigilance to determine the effectiveness of its response.

    Both the externally accessible MS-RDP service and the possible use of weak passwords are security issues that many companies deal with. This attack makes clear the importance of basic security housekeeping in protecting any network.

    Patching & EternalBlue Rumors

    [Screenshot: Shodan results showing SMB version 1.0 enabled]

    While our sources do not point to patching issues such as EternalBlue being involved in this attack, there are multiple rumors circulating on the internet stating that EternalBlue was the entry point the attackers used. Even if EternalBlue was not a part of this attack, it has been used in other recent attacks, such as the RedisWannaMine cryptominer attacks.

    EternalBlue was one of several exploits released by the Shadow Brokers in April 2017. Microsoft had released a patch (MS17-010) the previous month, on March 14th. EternalBlue was also used in the WannaCry and Petya/NotPetya attacks that made headlines in 2017. It exploits SMB 1.0 and affects several versions of Windows and Windows Server, including newer versions such as Windows 10 and Windows Server 2016. Using Shodan, a search engine that focuses on the configuration aspects of publicly exposed systems, Raxis confirmed that a system reported to be a part of Atlanta’s infrastructure still allowed SMB 1.0 as of Monday afternoon. As a career penetration tester, I know how easy this attack is to perform. In many cases, a successful exploit of EternalBlue leads to administrative rights on the system itself. An experienced hacker can often use other vulnerabilities, such as weak passwords and inappropriate delegation of administrative privileges, to gain further access on the network.

    SamSam Ransomware

    A trusted Raxis source has confirmed that SamSam (also known as Samas or SamsamCrypt) ransomware, first seen in late 2015, was used in the attack. Once the attackers infiltrated Atlanta’s systems using RDP, they appear to have deployed the SamSam ransomware that alerted Atlanta. Attacks of this type have been widespread, victimizing governments, the healthcare industry, and educational institutions, as well as businesses of all sizes. The attacks have been profitable because the ransoms have often been affordable, which frequently makes it more appealing to pay to decrypt the affected files than to take on the expense and administrative burden of adjusting operations to compensate for lost data. Even with backups in place, it can take days or even weeks to restore systems fully. It seems best not to pay an attacker who is holding your information for ransom, but, in many cases, restoring business operations in a timely manner takes precedence.

    What now?

    [Photo: Atlanta Mayor Keisha Lance Bottoms at a March 26th press conference]

    While our source tells us that the initial internal response efforts were disorganized, Atlanta now appears to be engaged with the Microsoft and Cisco experts that it has brought in. The current lack of details is a positive; like any active investigation, managing communications is paramount until as many facts as possible have been discovered.

    A trusted source tells Raxis that Atlanta has made it clear that brand management is a priority as its bid to become the second Amazon headquarters and the 2019 Super Bowl loom large.

    That said, Atlanta has demonstrated effective triage measures in response to the attack. As mentioned above, employees were told not to log in to their workstations, decreasing the surface area for the attack. An airport spokesman told the Associated Press that the airport Wi-Fi network (as well as part of the webpage) had been taken down as a precaution.

    Atlanta has also been updating the public actively with news that is considered appropriate to release. Atlanta has leveraged its Twitter account, @cityofatlanta, to great effect, using it to post videos of press conferences with Atlanta Mayor Keisha Lance Bottoms as well as alerting constituents as city information services are restored to service.

    Finally, what can your company do to not end up in this position?

    Test, test, test. Working at Raxis, I’ve seen penetration tests open customers’ eyes to issues they may not have known about or did not understand. While a penetration test may feel scary (you’re asking a hacker to enter your systems; the fear is understandable!), if you choose a good company, you should find that a penetration test is an indispensable tool to discover and prioritize your security tasks. The report you receive at the end of each test should do just that. To learn more about Raxis’ penetration testing services or just to find out more about the types of tests we recommend, see our site at https://raxis.com/pentest/. At Raxis, we’ve also worked with smaller companies that don’t need or can’t afford a full penetration test. We’ve recently launched a new service, the Baseline Security Assessment, that is meant to provide the benefit of security awareness for these companies that may not require the full depth of engagement that comes with our penetration testing services. Mature organizations that have mastered the art of managing a strategic security program that includes regular testing, vulnerability and patch management, as well as identity and access control, will benefit from the next step in security readiness. Investing in our Rapid Response Incident Response retainer is a strong measure of preparedness for when a security incident does occur. See Specialized Services to learn more about how Raxis can help you with this as well.

    If you have questions about where to start and what services could be right for you, fill out the contact form at https://raxis.com/company/contact, and we’ll be happy to discuss how we can help fortify your defenses to keep you open for business and out of the headlines.

  • Petya Ransomware Strikes Businesses Globally

    Petya, the next major piece of malware since WannaCry, is specifically targeting companies across the globe. Originating in Ukraine, the Petya ransomware uses the same EternalBlue/MS17-010 vulnerability that was used by WannaCry. The difference this time is that there is no kill switch that we know of. It’s getting significant traction, infecting systems everywhere. In the US, it has hit a major pharmaceuticals company and a food services company. Petya has also hit Danish, French, and Russian companies.

    Similar to WannaCry, the malware is encrypting systems and demanding a ransom to get access to the data. Our research has not found a way to bypass this ransom at this time. Fortunately, it seems that working decryption keys are being provided once the ransom is paid.

    It’s not just ransomware

    Unfortunately, there’s much more to this variant. Once the ransomware gains a foothold, it has worm capabilities and breaches other systems using a variety of exploitation methods. It appears to be focused on critical infrastructure across the world, but it is not limiting the devices it infects by any means. Various news sources have reported that power plants in the US and other countries have been breached. If this turns out to be a successful attack, it is quite scary to think about the damage that could occur.

    For those who don’t remember, you can thank the NSA for this. The NSA had developed a tool that could breach Windows systems remotely using an exploit that was previously undisclosed. The Shadow Brokers hacker group obtained the source to the NSA tool and leaked it on April 14, 2017.

    Stop PETYA with a penetration test

    When it comes to ransomware, we haven’t found a good way to retroactively deal with the damage. Even once the ransom is paid, it is very likely that the attackers will return in the future, particularly if they know that they’ve received payment in the past. The only real way to defend against Petya is to eliminate the vulnerability from the beginning, and a penetration test from a trusted third party might be the only real way to know you’re protected.

    Petya (and WannaCry) use the EternalBlue vulnerability in SMB, fixed by MS17-010. Systems are still falling victim, even when the organization has a patch management program. Mistakes in configuring the vulnerability scanning tool, or systems unknown to the patch management tool, will leave a few systems vulnerable and outside the view of the security administrators. A penetration test can find these gaps in process before malware can exploit these systems. In addition, the penetration test will attempt to exploit any issues found as a proof of concept, providing you and your security organization proof that a potentially significant security event was avoided. Schedule a penetration test with Raxis before the next malware variant hits.

  • Ransomware – What you can do to avoid being a victim

    Ransomware is the hot topic today. Malicious actors infect your system with sinister code that hijacks your information. In its purest form it encrypts your data and yanks it from within your very grasp, leaving behind only a message: a ransom note. If you ever wish to see your precious data again, you will pay. If you don’t pay, your data will be deleted and you will find yourself in the unemployment line.

    It’s the kind of thing that keeps business owners and managers up at night.

    The question is: what do you do to guard against it? Once the ransom appears on your screen, you’re done. There are several steps you should be taking to safeguard against ransomware.

    1. Prevention

    The number one thing you should do to guard against ransomware is to seal up the cracks. Find a good penetration testing company and have your internal and external networks evaluated. The right penetration testing company is going to come in with no credentials and attempt to exploit every weakness your network has. Don’t confuse this with a vulnerability scan; a true penetration test (pen test) approaches your system just like a real hacker. A real person is working your network and looking for exploits.

    Include social engineering (email phishing, vishing, and spear phishing specifically) in your assessment. Ransomware often infiltrates your system through malicious code unintentionally installed by an employee: using a found USB stick, visiting a malicious website, giving up credentials to an official-sounding phone call, clicking a link in an email, and so on. All of these are inadvertent ways an employee may infect their system.

    The report and remediation recommendations you will get from a pen test are priceless for patching the holes in your security. Evaluate your pen test company carefully. Ask to see sample reports and determine the depth of analysis you will truly get. Do not be guided by price alone.

    Along with assessing the network for vulnerabilities, you should also consider a robust endpoint protection solution with an awareness of ransomware and zero-day vulnerabilities. Patching, as a component of a comprehensive vulnerability management program, should also be considered a foundational element in any ransomware mitigation strategy.

    2. Anticipation

    Remember the saying – “failing to plan is planning to fail”. Ransomware is becoming more and more prevalent. You need to know what data you have, where you have it, and when it was last backed up. A completely audited data system will be much easier to restore. This will also help you get a grip on what has been compromised.

    3. Backup, Cloud backup and Services

    Once the thief has your data, the jig is up. Your data is encrypted, and there is a ransom to get it back. You’re not going to hack the encryption. If you pay, you’ll usually get your data back (not to mention a target on your back). If you don’t pay, they delete the data and you’re likely out of business.

    Once the attack happens you have three choices: pay the ransom, go out of business, or restore from a backup.

    You DO back up, right? Surprisingly, many companies don’t, and the ones that do often don’t have good practices in place for consistency. It’s critical that this backup be separate from your network. You have a few options with backups:

    1 – Consistent internal backups to off-site drives isolated from the network.
    2 – Cloud-based backups.

    While many experts agree that ransomware has not yet made the leap to the cloud, the issue is getting the data back in time for a reasonable restore. Normal data transfers aren’t reasonable for typical large companies. There are services available that will overnight a hard drive to your door once you’ve been attacked.

    4. Restoration Plan

    You need a plan in place to restore the data once you get it. Regardless of how you choose to back up and restore, you need this plan. You will have to wipe the entire system and systematically restore it. You also need to keep in mind that the data you are restoring has the same vulnerability that got you hacked in the first place. So a smart hacker is likely to get right back in, and the game of cat and mouse continues.

    You can’t afford to keep playing the game. Restore the system and immediately get it assessed and patched. By now you should see why step 1 is so crucial to avoiding ransomware. You are also likely seeing why step 2 is important.

    Ransomware is here to stay for a while. It’s the new-age stagecoach heist, the hi-tech way of bank robbery. Your best defense is a strong offense, good preparation, and a plan for business continuity if and when it happens to you.