Tuesday, 23 May 2017

So you have WannaCry 2.0, what next?


So your machine is infected, what can you do?

Immediate Action


  1. Find all the machines vulnerable to MS17-010.  This can be done using scanning tools, or by applying the patch wholesale to all machines.
  2. On the infected machines, don't pay the ransom - research suggests that payment will get your files back two thirds of the time.
  3. Try the WannaCry decryption tool; if it works, skip to step 5 and continue from there.
  4. If the decryption tool fails, re-install your operating system - remembering to patch it.
  5. Install a good malware protection solution, switch on real-time updates and update it.
  6. Scan your machine with your newly installed and updated malware protection software.
  7. Re-install essential applications, remembering to check for patches, and switch on auto updates.
  8. Copy back data from backups, remembering to scan it as you do.  One of your backup files could be infected.

Next Steps


  1. Create a standard user account for general use, and keep the administrator account for configuration changes only.  Although WannaCry did not need administrator credentials, other ransomware does.
  2. Consider Application Whitelisting to ensure only known applications are able to execute on your machine.
  3. If your existing firewall allows it, switch on web filtering to prevent traffic to known malicious sites.
  4. Consider using an IPS (Intrusion Prevention System) to protect your network.
  5. Use a Web Security Gateway to monitor and prevent traffic to malicious websites, and sandboxing to scan unknown packages.
  6. An Email Security Gateway can monitor and scan emails, working in combination with a sandbox to scan unknown attachments, and a Web Security Gateway to validate URLs within emails.  Although email was not the delivery mechanism for WannaCry, it is for pretty much 90+% of ransomware.
  7. Check existing backups and/or start doing backups.

Planning for the future


  1. User training is important, but it must be remembered that WannaCry 2.0 wasn't propagated by email and didn't require user interaction to install or spread.
  2. Ensure an open policy for users to report to IT Teams or Information Security Teams with any suspicious behaviour on their machines.
  3. Test the environment with simulated attacks to ensure the People, Process and Technology work hand in hand together.

WannaCry/WCRY 2.0 - What do we know?


On Friday 12th May, we were all made aware of a global ransomware attack, which hit nearly 200 countries, infecting over 300,000 Windows machines.  Named WannaCry/WCRY 2.0, it encrypted data and demanded a ransom of US$300, payable in Bitcoin (a cryptocurrency).

Timeline


Looking back to earlier in 2017 shows how WannaCry evolved.

14th March 2017 - Microsoft released a patch it classified as Critical as part of its monthly patch cycle.  The bulletin was MS17-010, which resolved a vulnerability in the SMBv1 server on Windows workstation and server operating systems.

14th April 2017 - The Shadow Brokers leaked the NSA hacking tools that exploited the MS17-010 vulnerability.

14th April 2017 - WannaCry/WCRY 1.0 was released

12th May 2017 - WannaCry/WCRY 2.0 was released

History


WannaCry/WCRY 1.0 was a spam campaign, which delivered its payload via compromised or malicious Dropbox accounts.  To all intents and purposes, it felt like a typical ransomware attack: an email arrived with a link, the user clicked the link to download the ransomware, the ransomware exploited a vulnerability (in this case MS17-010) and then encrypted the data.

Why is WannaCry/WCRY 2.0 different?


It is believed that WannaCry/WCRY 2.0 was not distributed via email, nor was it caused by clicking on a link.

WannaCry/WCRY 2.0 scans for Windows machines that are running SMBv1, and will try to infect them.  I say try to infect them, because if the machine had the MS17-010 patch installed, it could not be infected.  The ransomware exploits the vulnerability, installs itself and encrypts the data.  WannaCry/WCRY 2.0 also has a worm-like characteristic: it scans the local network and random external IP addresses to see if they are running SMBv1, and tries to infect them as well.

The clever part of this ransomware is that it requires no user interaction to initiate it or to spread it.

What was the criminal gain?


Some organisations have been monitoring the Bitcoin wallets, and they estimate that the financial gain from this attack is in the region of US$65,000-70,000, which doesn't sound like a great deal.

Who's vulnerable now?


Using Shodan it's possible to search for Windows machines on the internet using the SMBv1 protocol.  Of course, it doesn't show if these machines have been patched to prevent MS17-010 from being exploited.


Sunday, 14 May 2017

So you have Ransomware, what do you do?

I've put up a lengthy blog post about ransomware, but you just want a quick and simple answer?

Your machine is infected and you have this screen:


  1. Don't pay - Research suggests that payment will get your files back two thirds of the time
  2. Re-install your operating system - remembering to patch it!
  3. Create a standard user account for general use, and keep the administrator account for configuration changes only.
  4. Install a good malware protection solution, and update it
  5. Scan your machine with your newly installed and updated malware protection software.
  6. Re-install essential applications, remembering to check for patches, and switch on auto updates.
  7. Copy back data from backups, remembering to scan it as you do.  One of your backup files could be infected.
Going forward:
  • Be mindful of any email attachments or links within emails
  • Continue to update malware protection, operating system and applications
  • Ensure backups are happening to prevent data loss, and even consider multiple backup destinations
  • Only use the admin account for configuration changes
This advice is aimed more at home users, but you can see the relevance to organisations as well.  For a more detailed look at ransomware, and the approach an organisation can take, have a look here.

Saturday, 13 May 2017

The Anatomy of Ransomware - and How to Prevent it from Impacting You

After the global cyber attack with ransomware, there is much advice out there suggesting the problem would have been prevented with point products, training or procedures.  I'm going to outline a generic ransomware attack below, so that the defences can be understood, and at each stage what you can do as a home user, corporate user or corporate IT team.


Delivery of Ransomware


Depending on the research you read, 93-98% of ransomware is delivered by email.  The remaining delivery methods are via websites, whether a drive-by download, malvertising or a malicious website, or via removable media.

As a home user, a good quality endpoint protection solution is recommended.  Try not to click on email attachments or dubious weblinks, or use removable media you are unsure about.  Use a standard user profile rather than administrator rights for everyday use, and enter the admin credentials only when needed.

As a corporate user, the advice is similar to a home user: try not to click on email attachments or dubious weblinks, or use removable media you are unsure about.

As a corporate IT team, email and web gateway solutions should be protecting the email and web traffic.  The endpoint should have good quality multi-layered protection.  Ensure that users do not have local administrator rights.  Sandboxing solutions on the network would analyse the unknown traffic coming into the network and ensure the email, web and endpoint vectors are covered.  Consider device control solutions if removable media is a big entry point into the network.  User education can help, but it needs to be short and regular, not many hours once a year.

Exploit the Endpoint


The ransomware's next task is to find a vulnerability on the endpoint, in order to exploit it and install the ransomware.  This is where the advice is to patch your operating system, or check for and install the updates to your machine.  It's less well known that the other software on your machine also has vulnerabilities: third-party software such as Java and Adobe Reader, as well as the internet browsers and their add-ons.

As a home user, change the settings on the operating system and software to automatically check and install the updates. Consider removing applications that are rarely used, as some may not check for updates until they are used.

As a corporate user there is typically little you can do, as this should be controlled by the administrators.  If you are able to run the updates, check regularly.  If you are able to install applications, consider what you are installing and switch on auto updating.

As a corporate IT team, ensure there is a robust patching regime.  Ensure patches are deployed to Microsoft operating systems as close to "Patch Tuesday" as possible, to prevent there being a "Hack Wednesday".  Ensure the patching regime goes beyond operating systems, covering off the third-party applications, browsers and add-ons.  Consider Application Control solutions to limit the applications on the endpoints.  With the server environment, consider using IDS/IPS or "Virtual Patching" solutions in order to protect the servers until patch remediation can be carried out in a scheduled maintenance window, allowing for testing of patches prior to deployment.


Installation of Ransomware


The installation of the ransomware will typically be disguised as a system process, so can go undetected by traditional or single layers of defence.

As a home user, with administrator rights removed as mentioned before, the software may not be able to install.  Again, a good quality anti-malware solution may help prevent the ransomware from being installed.

As a corporate user there is typically little you can do, as this should be controlled by the administrators.

As a corporate IT team, look to Application Whitelisting, so unknown applications can't be installed.  Whitelisting known-good software also checks the fingerprints of applications, so even if the ransomware is masquerading as a system process, it will not be allowed to execute.  Again, good multi-layered anti-malware protection and limited local admin rights will help.  Sandboxing solutions should detect this traffic, and consider tools that can monitor file integrity, analyse memory or offer memory-injection protection.

Command and Control


Once installed, the ransomware will typically talk back to its "Command and Control" servers, which customise what the machine will do, such as detecting the language settings of the computer and then installing the interface in the matching language.  A Chinese demand for a ransom would not be very effective on a machine using the Russian language.  The unique encryption key may be communicated as well.

As a home user, besides relying on the endpoint protection having good malware detection and possibly a host-based firewall, there is very little that can be done at this point.

As a corporate user, the situation is much the same as for the home user, as there is little that can be done.

As a corporate IT team, the use of Next Generation Firewalls and/or web gateway solutions should be able to see this traffic travelling to and from the network, and prevent the communication.  Logging or SIEM solutions should be able to take the feeds from various points throughout the network to detect this activity.
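Two network signals are described on this page: the worm-like SMBv1 sweep in the WannaCry post above (one workstation reaching many peers on TCP/445 in a short time) and the Command and Control check-ins described in this section (regular, machine-timed connections to an outside address). The script below is an added example, not code from the original post; it runs both detections over a constructed connection log in the format "<ISO timestamp> <src> <dst> <dst_port>", and assumes 10.0.0.0/8 as the site's internal range. The thresholds (20 distinct SMB peers in 60 seconds, 6 connections with under 20% timing jitter) are illustrative starting points for tuning in a SIEM, not values from the post.

```python
import ipaddress
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed internal range for the constructed site; anything outside it is "external".
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
T0 = datetime(2017, 5, 12, 11, 0, 0)  # constructed base time for the sample log


def parse_line(line: str):
    """Constructed log format: '<ISO timestamp> <src> <dst> <dst_port>'."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def smb_fanout(events, window=timedelta(seconds=60), threshold=20):
    """Flag sources that reach at least `threshold` distinct hosts on TCP/445
    inside any `window`: one workstation talking to dozens of peers on SMB
    in a minute looks like worm-style scanning, not normal file-share use."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in events:
        if dport == 445:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, conns in by_src.items():
        conns.sort()
        seen = Counter()  # distinct destinations inside the sliding window
        left = 0
        peak = 0
        for ts, dst in conns:
            seen[dst] += 1
            while ts - conns[left][0] > window:  # slide the window forward
                old = conns[left][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                left += 1
            peak = max(peak, len(seen))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def beacon_candidates(events, min_connections=6, max_jitter=0.2):
    """Flag (src, dst) pairs to external addresses whose inter-arrival times
    are nearly constant: scripted check-ins run like a clock, browsing does not."""
    by_pair = defaultdict(list)
    for ts, src, dst, _dport in events:
        if ipaddress.ip_address(dst) not in INTERNAL:
            by_pair[(src, dst)].append(ts)
    alerts = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            alerts[pair] = round(mean)  # beacon interval in seconds
    return alerts


def sample_log():
    """Constructed sample: one host sweeping the /24 on 445, one host checking in
    to an external address every 5 minutes, plus a benign workstation."""
    lines = []
    for i in range(40):  # 10.0.0.5 -> 10.0.0.20 .. 10.0.0.59 within 40 seconds
        lines.append(f"{(T0 + timedelta(seconds=i)).isoformat()} 10.0.0.5 10.0.0.{20 + i} 445")
    for i in range(8):  # 10.0.0.9 -> 203.0.113.7:443 every 300 s
        lines.append(f"{(T0 + timedelta(seconds=300 * i)).isoformat()} 10.0.0.9 203.0.113.7 443")
    for offset in (0, 15, 900, 2000):  # ordinary use of the file server
        lines.append(f"{(T0 + timedelta(seconds=offset)).isoformat()} 10.0.0.3 10.0.0.10 445")
    for offset in (5, 70, 400, 410, 1300, 1330, 2500):  # irregular browsing
        lines.append(f"{(T0 + timedelta(seconds=offset)).isoformat()} 10.0.0.3 198.51.100.4 443")
    return lines


def analyse(lines):
    """Return (SMB fan-out alerts, beacon alerts) for a list of log lines."""
    events = [parse_line(line) for line in lines]
    return smb_fanout(events), beacon_candidates(events)


if __name__ == "__main__":
    fanout, beacons = analyse(sample_log())
    print("SMB fan-out:", fanout)          # {'10.0.0.5': 40}
    print("beacon candidates:", beacons)   # {('10.0.0.9', '203.0.113.7'): 300}
```

On real firewall or NetFlow exports the same two functions apply once `parse_line` is adapted to the export's columns; the fan-out check is the one to alert on with the highest priority, since it fires while a worm is still spreading rather than after the first ransom note.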


Data Encryption


The ransomware will now start to encrypt a portion of each of the files, allowing it to work quickly through all the files.  It will check for connected devices, so it will be able to encrypt network file shares and removable media connected to the machine.  It also knows to leave the operating system files, so the machine is still able to run and demand the ransom.

As a home user, besides relying on the endpoint protection having good malware detection and possibly a host-based firewall, there is very little that can be done at this point, aside from ensuring that there are system backups.

As a corporate user, the situation is much the same as for the home user, as there is little that can be done.

As a corporate IT Team, the anti-malware solution may be able to detect this and stop it from running, or the use of application control could have prevented the application from executing, as mentioned before.  Beyond that, the dependence will be on having system backups.
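The file-integrity monitoring mentioned in the installation section and the bulk encryption described in this section suggest one practical host-side check: baseline the hashes of a document tree, then alert when a large share of those files changes at once and the new contents look like ciphertext. The script below is an added example, not code from the original post. It uses two constructed thresholds (half the baselined files changed, and Shannon entropy of at least 7 bits per byte, where ordinary documents sit well below that and encrypted data sits close to 8) and builds its own sample tree in a temporary directory, overwriting most of the files with pseudo-random bytes to stand in for encrypted content.

```python
import hashlib
import math
import random
import tempfile
from collections import Counter
from pathlib import Path


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: plain text is typically 4-5, ciphertext close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative path) to its SHA-256 digest."""
    baseline = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        baseline[str(path.relative_to(root))] = hashlib.sha256(path.read_bytes()).hexdigest()
    return baseline


def check_against_baseline(root: Path, baseline: dict,
                           change_ratio: float = 0.5,
                           entropy_threshold: float = 7.0) -> dict:
    """Re-hash the tree and flag a ransomware-like event: a large share of the
    baselined files changed (or vanished, e.g. renamed with a new extension)
    and the replacement contents look like ciphertext."""
    changed = 0
    high_entropy = 0
    for rel, old_digest in baseline.items():
        path = root / rel
        if not path.exists():
            changed += 1
            continue
        data = path.read_bytes()
        if hashlib.sha256(data).hexdigest() != old_digest:
            changed += 1
            if shannon_entropy(data) >= entropy_threshold:
                high_entropy += 1
    total = len(baseline)
    alert = total > 0 and changed >= change_ratio * total and high_entropy >= change_ratio * total
    return {"total": total, "changed": changed, "high_entropy": high_entropy, "alert": alert}


def run_demo() -> dict:
    """Constructed scenario: ten text documents are baselined, then eight of them
    are overwritten with seeded pseudo-random bytes standing in for encrypted data."""
    rng = random.Random(2017)
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for i in range(10):
            (root / f"doc{i}.txt").write_text(f"Quarterly report {i}\n" * 50)
        baseline = build_baseline(root)
        for i in range(8):
            junk = bytes(rng.getrandbits(8) for _ in range(4096))
            (root / f"doc{i}.txt").write_bytes(junk)
        return check_against_baseline(root, baseline)


if __name__ == "__main__":
    print(run_demo())  # {'total': 10, 'changed': 8, 'high_entropy': 8, 'alert': True}
```

Run on a schedule against a file server's document shares, the same comparison gives an early, vendor-independent signal that encryption has started, and the baseline doubles as the list of hashes to verify when data is copied back from backups after a rebuild.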


Ransom Demand


At this point, whoever you are, all is lost without system/data backups.

The advice is not to pay, as research currently shows that payment of the ransom leads to the decryption of the data around two thirds of the time, and increases your chances of being targeted again.


The Advice

As a home user, don't click on links without validating that they are legitimate, get a good quality endpoint protection solution and patch your computer regularly.  Remember to back up your data, whether to the cloud, portable hard drives or USB devices, and try not to leave physical devices connected when not in use.  Make your account a standard user, so the administrator password is required for tasks that alter the configuration of your computer.

As a corporate user, don't click on links without validating that they are legitimate, but work with IT if you think you have.

As a corporate IT Team, ensure the endpoints have good quality malware protection that can be centrally managed and logs information centrally.  Ensure there are web and email gateways installed and configured.  If you don't have a NGFW, consider getting one and using the features available.  Patch the operating systems, applications and browsers on endpoints and servers.  Consider investing in Device and Application Control solutions, if you don't already have them.  Sandboxing solutions will help deal with unknown and new threats, so are well worth the investment.  Review the rights the users have on their devices, as they typically don't need to be local administrators.  SIEM solutions with security features will help detect this early on.  End user training is important, but keep it short and regular for it to be effective.


Conclusion


Ransomware attacks will continue to happen, but stopping the chain of events as soon and as quickly as possible will minimise the damage.

I hope this guide has been useful in helping understand how ransomware works, and the measures that can be taken to prevent it from impacting you.  If you have any questions, please feel free to email me: blog@andytang.com

Wednesday, 10 May 2017

Wargames on a Warship - Arbor Networks/Nuvias

Today I attended an event on the HMS Belfast hosted by Nuvias, with Arbor Networks running a technical session.  The location itself is cool and I've been a few times for other security vendor events, but this was something a little different.

Arbor Networks are a leader in DDoS mitigation solutions, and our distributor partner is Nuvias who carry a number of networking and security solutions.


Today, we got to see the DDoS solution up and running, but not just a product demonstration.  We got to attack websites with commonly available toolsets and defend using the Arbor APS solution.


It was an informal event, where the name badges only had your first name, and no organisations or job titles were displayed.  It allowed us all to chat and share without an agenda.  I met some great technical people today, and we got to play with some cool toys.  After a few hours, we got into the swing of being in a team, defending our website and attacking another team's website.

My conclusions from the day were the vendor and distributor know their stuff, the solution was easy to get your head around, technical people in the channel are friendly, and for some reason I was better at attacking websites than defending them.  Maybe I have the wrong coloured hat!!

Wednesday, 15 February 2017

Can AV stop Ransomware?


I've read a few articles recently questioning whether "traditional" anti-virus solutions can stop Ransomware. There have also been articles comparing "traditional" and "next generation" solutions, all with their own agenda, each questioning the other's ability to prevent Ransomware.

I feel that it's a simplistic approach to ask whether solution "X" or "Y" will prevent Ransomware, especially without understanding how Ransomware works.

If a majority (93-98%, depending on which survey you read) of Ransomware comes into an environment via email, then the first point of preventing Ransomware is using an email security solution. Other entry points can be via drive-by downloads or malvertising, so a web security solution can also help prevent the delivery of Ransomware.

Once on the computer, the malware will look for a vulnerability whether it's the operating system, browser or third party applications. Patching the computer will protect your computer from known vulnerabilities, whether it's carried out manually or using a patch remediation solution.

Once your computer is exploited, the Ransomware can be installed. This assumes that the user had local administrative rights on the computer. Application Control solutions could also prevent the installation of the Ransomware. This is the point where an anti-virus/anti-malware solution would be expected to stop the installation of the Ransomware.

Once the Ransomware is installed, it will typically communicate back to the Command and Control server. This traffic will need to cross a perimeter solution, so could be seen by a NGFW solution, web security solution or via SIEM or logging solutions.

After this, the Ransomware will encrypt the computer's hard drive and demand a ransom. At this point, it's recovering from backups or paying a ransom in the hope a decryption key will be provided.

Can (traditional or next generation) anti-virus or anti-malware solutions stop Ransomware? Potentially, but that's assuming there is no email security solution, no web filtering solution, no patch remediation, no application control, users have local admin rights, no NGFW, no SIEM solution, no next generation firewall, and no backups are in place.

Let's not get stuck in trying to find a silver bullet, but understand the attack and therefore apply appropriate measures to prevent this from happening to you.