Tuesday, 23 May 2017

WannaCry/WCRY 2.0 - What do we know?


On Friday 12th May, we were all made aware of a global ransomware attack, which hit nearly 200 countries, infecting over 300,000 Windows machines.  Named WannaCry/WCRY 2.0, it encrypts your data and demands a ransom of US$300 payable in Bitcoin (electronic currency).

Timeline


Looking back to earlier in 2017 shows how WannaCry evolved.

14th March 2017 - Microsoft released a patch it classified as Critical as part of its monthly patch cycle.  The bulletin was MS17-010, which resolved a vulnerability in the SMBv1 server on machines running Windows workstation and server operating systems.

14th April 2017 - Shadow Brokers leaked the NSA hacking tools which exploited the MS17-010 vulnerability.

14th April 2017 - WannaCry/WCRY 1.0 was released

12th May 2017 - WannaCry/WCRY 2.0 was released

History


WannaCry/WCRY 1.0 was a spam campaign, which delivered its payload via compromised or malicious Dropbox accounts.  To all intents and purposes, it felt like a typical ransomware attack: an email arrives with a link, the user clicks the link to download the ransomware, the ransomware exploits a vulnerability (in this case MS17-010) and then encrypts the data.

Why is WannaCry/WCRY 2.0 different?


It is believed that WannaCry/WCRY 2.0 was not distributed via email, nor was it caused by clicking on a link.

WannaCry/WCRY 2.0 scans for Windows machines that are running SMBv1, and will try to infect them.  I say try to infect them, because if the machine had the MS17-010 patch installed, it could not be infected.  The ransomware will exploit the vulnerability, install itself and encrypt the data.  WannaCry/WCRY 2.0 also has a worm-like characteristic, where it will scan the local network and random external IP addresses to see if they are running SMBv1 and try to infect them as well.

The clever part of this ransomware is that it requires no user interaction to initiate it or to spread it.
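One defender-side check that follows from the scanning behaviour described above, as an added example (not code from the original post): flag any host that opens TCP/445 connections to many distinct addresses within a short window, whether or not the connections succeeded. The flow-log format, the internal address ranges and the sample log are assumptions constructed for this example.

```python
"""Detect worm-like SMB scanning from connection logs.

Added example, not code from the original post. Assumes a flow/firewall
log with one connection per line: "<ISO timestamp> <src> <dst> <dport>".
Internal address ranges are an assumption for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed internal ranges; a real deployment would use the organisation's own.
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL_NETS)


def parse_line(line):
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def smb_fanout(log_text, window=timedelta(seconds=60), threshold=10):
    """Return {src: (distinct_dsts, external_dsts)} for every source that
    contacted at least `threshold` distinct hosts on TCP/445 within any
    `window` of time. The rule keys on scanning behaviour, so a scan that
    only reaches patched hosts is still surfaced."""
    conns = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = parse_line(line)
        if dport == 445:
            conns[src].append((ts, dst))

    alerts = {}
    for src, events in conns.items():
        events.sort()
        best, start = set(), 0
        for end in range(len(events)):
            # slide the window start forward until it fits inside `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            dsts = {dst for _, dst in events[start:end + 1]}
            if len(dsts) > len(best):
                best = dsts
        if len(best) >= threshold:
            external = sum(1 for dst in best if not is_internal(dst))
            alerts[src] = (len(best), external)
    return alerts


def build_sample_log():
    """Constructed sample: one workstation using two file servers normally,
    one host sweeping the local /24 plus random external addresses."""
    lines = [f"2017-05-12T10:00:{i:02d} 10.0.0.7 10.0.0.{200 + i % 2} 445"
             for i in range(6)]
    targets = [f"10.0.0.{n}" for n in range(20, 28)] + [
        "203.0.113.9", "198.51.100.77", "192.0.2.33", "203.0.113.140"]
    lines += [f"2017-05-12T10:01:{i:02d} 10.0.0.5 {dst} 445"
              for i, dst in enumerate(targets)]
    return "\n".join(lines)


if __name__ == "__main__":
    for src, (count, external) in smb_fanout(build_sample_log()).items():
        print(f"ALERT {src}: {count} distinct SMB targets, {external} external")
```

The normal workstation talking to its two file servers stays below the threshold; the sweeping host is reported with its external-address count, which is the tell for the random-internet scanning the post describes.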

What has the criminal gained?


Some organisations have been monitoring the Bitcoin wallets and they estimate that the financial gain from this attack is in the region of US$65-70,000, which doesn't sound like a great deal.

Who's vulnerable now?


Using Shodan it's possible to search for Windows machines on the internet using the SMBv1 protocol.  Of course, it doesn't show if these machines have been patched to prevent MS17-010 from being exploited.


Sunday, 14 May 2017

So you have Ransomware, what do you do?

I've written a lengthy blog post about ransomware, but perhaps you just want a quick and simple answer?

Your machine is infected and you have this screen:


  1. Don't pay - Research suggests that payment will get your files back two thirds of the time
  2. Re-install your operating system - remembering to patch it!
  3. Create a standard user account for general use, and keep the administrator account for configuration changes only.
  4. Install a good malware protection solution, and update it
  5. Scan your machine with your newly installed and updated malware protection software.
  6. Re-install essential applications, remembering to check for patches, and switch on auto updates.
  7. Copy back data from backups, remembering to scan it as you do.  One of your backup files could be infected.
Going forward:
  • Be mindful of any email attachments or links within emails
  • Continue to update malware protection, operating system and applications
  • Ensure backups are happening to prevent data loss, and even consider multiple backup destinations
  • Only use the admin account for configuration changes
This advice is aimed more at home users, but you can see the relevance to organisations as well.  For a more detailed look at ransomware, and what approach an organisation can take, have a look here.

Saturday, 13 May 2017

The Anatomy of Ransomware - and How to Prevent It from Impacting You

After the global cyber attack with ransomware, there is much advice out there suggesting the problem would have been prevented with point products, training or procedures.  I'm going to outline a generic ransomware attack below, so that the defences can be understood, along with what you can do as a home user, corporate user or corporate IT team.


Delivery of Ransomware


Depending on the research you read, you can see that 93-98% of ransomware is delivered by email.  The remaining delivery methods can be via websites, whether a drive-by download, malvertising or a malicious website; or via removable media.

As a home user, a good quality endpoint protection solution would be recommended.  Try not to open email attachments or dubious web links, or use removable media, that you are unsure about.  Look to only have standard user profiles and not administrator rights on your everyday profile, and enter the admin credentials when needed.

As a corporate user, the advice is similar to a home user: try not to open email attachments or dubious web links, or use removable media, that you are unsure about.

As a corporate IT team, email and web gateway solutions should be protecting the email and web traffic.  The endpoint should have good quality multi layered protection.  Ensure that users do not have local administrator rights.  Sandboxing solutions on the network would analyse the unknown traffic coming into the network and ensure the email, web and endpoint vectors are covered.  Consider device control solutions if removable media is a big entry point into the network.  User education can help, but it needs to be short and regular, and not many hours once a year.

Exploit the Endpoint


The ransomware's next task is to find a vulnerability on the endpoint, in order to exploit it and install the ransomware.  This is when the advice is to patch your operating system, or check and install the updates to your machine.  It's less well known that other software on your machine also has vulnerabilities: third party software like Java and Adobe Reader, as well as internet browsers and their add-ons.

As a home user, change the settings on the operating system and software to automatically check and install the updates. Consider removing applications that are rarely used, as some may not check for updates until they are used.

As a corporate user there is typically little you can do, as this should be controlled by the administrators.  If you are able to run the updates, check regularly.  If you are able to install applications, consider what you are installing and switch on auto updating.

As a corporate IT team, ensure there is a robust patching regime.  Ensure patches are deployed to Microsoft operating systems as close to "Patch Tuesday" as possible, to prevent there being a "Hack Wednesday".  Ensure the patching regime goes beyond operating systems, covering off the third party applications, browsers and add-ons.  Consider Application Control solutions to limit the applications on the endpoints.  With the server environment, consider using IDS/IPS or "Virtual Patching" solutions in order to protect the servers until patch remediation can be carried out in a scheduled maintenance window, allowing for testing of patches prior to deployment.


Installation of Ransomware


The installation of the ransomware will typically be disguised as a system process, so can go undetected by traditional or single layers of defence.

As a home user with the administrator rights removed as mentioned before, the software may not be able to install.  Again a good quality anti-malware solution may help prevent the ransomware from being installed.

As a corporate user there is typically little you can do, as this should be controlled by the administrators.

As a corporate IT team, look to Application Whitelisting, so unknown applications can't be installed.  Whitelisting the known good software also means the fingerprints of applications are checked, so even if the ransomware is masquerading as a system process, it will not be allowed to execute.  Again good multi layered anti-malware protection and limited local admin rights will help.  Sandboxing solutions should detect this traffic, and consider tools that can monitor file integrity, analyse memory or offer memory injection protection.

Command and Control


Once installed, the ransomware will typically talk back to the "Command and Control" servers, which communicate with the ransomware and customise what the machine will do, such as detecting the language settings of the computer and then installing the correct interface in the matching language.  A Chinese ransom demand would not be very effective on a machine using the Russian language.  The unique encryption key can be communicated as well.

As a home user, besides relying on the endpoint protection having good malware detection and possibly a host based firewall, there is very little that can be done at this point.

As a corporate user, the situation is much the same as the home user, as there is little that can be done.

As a corporate IT team, the use of Next Generation Firewalls and/or web gateway solutions should be able to see this traffic travelling to and from the network, and prevent the communication.  Logging or SIEM solutions should be able to take the feeds from various points throughout the network to detect this activity.


Data Encryption


The ransomware will now start to encrypt a portion of each of the files, allowing it to work quickly through all the files.  It will check for connected devices, so it will be able to encrypt network file shares and removable media connected to the machine.  It also knows to leave the operating system files, so the machine is still able to run and demand the ransom.

As a home user, besides relying on the endpoint protection having good malware detection and possibly a host based firewall, there is very little that can be done at this point, aside from ensuring that there are system backups.

As a corporate user, the situation is much the same as the home user, as there is little that can be done.

As a corporate IT Team, the anti-malware solution may be able to detect this and stop it from running, or the use of application control could have prevented the application from executing as mentioned before.  Beyond that the dependence will be on having system backups.


Ransom Demand


At this point, whoever you are, all is lost without system/data backups.

The advice is not to pay, as research currently shows that payment of the ransom will lead to the decryption of the data around two thirds of the time, and increases your chances of being targeted again.


The Advice

As a home user, don't click on links without validating that they are legitimate, get a good quality endpoint protection solution and patch your computer regularly.  Remember to back up your data, whether to the cloud, portable hard drives or USB devices, and try not to leave physical devices connected when not in use.  Make your account a standard user, so the administrator password is required for tasks that alter the configuration of your computer.

As a corporate user, don't click on links without validating that they are legitimate, but work with IT if you think you have.

As a corporate IT Team, ensure the endpoints have good quality malware protection that can be centrally managed and centrally log information.  Ensure there are web and email gateways installed and configured.  If you don't have a NGFW, consider getting one and using the features available.  Patch the operating systems, applications and browsers on endpoints and servers.  Consider investing in Device and Application Control solutions, if you don't already have them.  Sandboxing solutions will help deal with unknown and new threats, so are well worth the investment.  Review the rights the users have on their devices, as they typically don't need to be local administrators.  SIEM solutions with security features will help detect this early on.  End user training is important, but keep it short and regular for it to be effective.


Conclusion


Ransomware attacks will continue to happen, but stopping the chain of events as soon and as quickly as possible will minimise the damage.

I hope this guide has been useful in helping understand how ransomware works, and the measures that can be taken to prevent it from impacting you.  If you have any questions, please feel free to email me: blog@andytang.com

Wednesday, 10 May 2017

Wargames on a Warship - Arbor Networks/Nuvias

Today I attended an event on the HMS Belfast hosted by Nuvias, with Arbor Networks running a technical session.  The location itself is cool and I've been a few times for other security vendor events, but this was something a little different.

Arbor Networks are a leader in DDoS mitigation solutions, and our distributor partner is Nuvias who carry a number of networking and security solutions.


Today, we got to see the DDoS solution up and running, but not just a product demonstration.  We got to attack websites with commonly available toolsets and defend using the Arbor APS solution.


It was an informal event, where the name badges only had your first name, and no organisations or job titles were displayed.  It allowed us all to chat and share without an agenda.  I met some great technical people today, and we got to play with some cool toys.  After a few hours, we got into the swing of being in a team, defending our website and attacking another team's website.

My conclusions from the day were that the vendor and distributor know their stuff, the solution was easy to get your head around, technical people in the channel are friendly, and for some reason I was better at attacking websites than defending them.  Maybe I have the wrong coloured hat!!

Wednesday, 15 February 2017

Can AV stop Ransomware?


I've read a few articles recently questioning whether "traditional" anti-virus solutions can stop Ransomware. There have also been articles comparing "traditional" and "next generation" solutions, all with their own agenda, each questioning the other's ability to prevent Ransomware.

I feel that it's a simplistic approach to ask whether solution "X" or "Y" will prevent Ransomware, especially without understanding how Ransomware works.

If a majority (93-98%, depending on which survey you read) of Ransomware comes into an environment via email, then the first point of preventing Ransomware is using an email security solution. Other entry points can be via drive-by downloads or malvertising, so a web security solution can also help prevent the delivery of Ransomware.

Once on the computer, the malware will look for a vulnerability whether it's the operating system, browser or third party applications. Patching the computer will protect your computer from known vulnerabilities, whether it's carried out manually or using a patch remediation solution.

Once your computer is exploited, the Ransomware can be installed. This is assuming that the user had local administrative rights on the computer. Application Control solutions could also prevent the installation of the Ransomware. This is the point where an anti-virus/anti-malware solution would be expected to stop the installation of the Ransomware.

Once the Ransomware is installed, it will typically communicate back to the Command and Control server. This traffic will need to cross a perimeter solution, so could be seen by a NGFW solution, web security solution or via SIEM or logging solutions.

After this, the Ransomware will encrypt the computer's hard drive and demand a ransom. At this point, it's recovering from backups or paying a ransom in the hope a decryption key will be provided.

Can (traditional or next generation) anti-virus or anti-malware solutions stop Ransomware? Potentially, but that's assuming there is no email security solution, no web filtering solution, no patch remediation, no application control, users have local admin rights, no NGFW, no SIEM solution, no next generation firewall, and no back ups are in place.

Let's not get stuck in trying to find a silver bullet, but understand the attack and therefore apply appropriate measures to prevent this from happening to you.

Tuesday, 6 December 2016

Cyber security in 2016 – why is it still not happening? [Link - ITProPortal]

I was asked to write an article reviewing the cyber security challenges for 2016. Here is the article that was published on the ITProPortal website:

===================================

It's 2016, and businesses are generally still not taking security seriously.


Perhaps the surprising, and damning, thing about 2016 in terms of security is that businesses are generally still not taking security seriously. Nobody wants to admit to being slack when it comes to cyber security, but the indisputable fact is that during 2016, many organisations simply didn’t show up, whatever they claimed.  

The basics are still not being done. Updates aren’t being applied, patching strategies are not in place, admin credentials are easy to find. Let’s be blunt, people are still trying to do security on the cheap, using, for example, free antivirus software.  This was most evident in the amount of ransomware that infected companies. 

A Trend Micro report claimed that 45 per cent of UK businesses were hit by ransomware this year. We believe the figure is much higher, closer to 60 or 70 per cent. 


Ransomware scourge


In the US, hospitals have paid massive amounts of money when their databases have been encrypted by ransomware. The Hollywood Presbyterian Medical Center paid a $17,000 bitcoin ransom for the decryption key for patient data. It was infected by the delivery of an email attachment disguised as a Microsoft Word invoice. In the UK some hospitals had to cancel operations.  

Hundreds of planned operations, outpatient appointments, and diagnostic procedures were put on hold at multiple hospitals across Lincolnshire.  The damage done by ransomware in 2016 is largely attributable to the infamous Locky and its many variants. It was first identified in February and made it to the top of the ransomware charts only two weeks later. 

It initially used malicious macros in Office documents to infect its victim’s computer, and these documents were distributed attached to spam emails. Locky has been through several versions since then. A new version was released on October 24, and less than 24 hours later yet another version was launched. It’s carried through phishing campaigns and the email subjects are centred on pay cheques, receipts, invoices, orders, or wrong credit card charges all of which are themes designed to fool recipients into opening attached files.   

Heads in the sand


In a sense it’s staggering that people are still falling for these tricks, given the exposure about ransomware dangers. There still seems to be a general mindset that ‘it will never happen to me’, when it clearly is happening to lots of businesses and individuals.  It’s frustrating because basic security measures offer protection. Being on the front line we tend to get a good sense of what is happening on the ground and it can be best summed up with the phrase ‘blind panic’ when a company is hit.  

But this lack of awareness, or ‘head in the sand’ scenario, is also playing out across other areas. Security in 2016 can also be defined by the large number of replay attacks that have taken place. Ransomware is included in this but it’s not exclusive. Yahoo is perhaps one of the biggest culprits. 

In 2012, a security breach exposed 450,000 usernames and passwords from a site on the huge web portal with the company failing to take even basic precautions to protect the data. Two years later it happened again with 500 million account details stolen.

Enormous DDoS attacks


Yahoo cried ‘state-sponsored actor’ in its defence but clearly it’s still not adequately protecting its customer data. This defence is usually code for ‘don’t blame us, it was a really sophisticated attack’. And Yahoo only came clean in 2016. These serious errors are clearly an illustration of some fundamental flaws at the online giant. Is it any wonder that it’s gone from an operation worth close to $100 million at its peak to today’s valuation of $4.8 million?

Another large 2016 security event, which ironically few noticed at the time, was the largest DDoS attack recorded, a whopping 540Gbps directed at public facing websites belonging to organisations affiliated with the 2016 Rio Olympics. These attacks were sustained, sophisticated, and actually started months before the Olympics began.  

These attacks were clearly aimed at the global stage and foreshadowed the equally massive IoT botnet based DDoS attacks which, in contrast, caught the attention of the mainstream media because they were launched from compromised everyday household devices such as internet connected video recorders and cameras.  

Plundering millions


The industry, at large has been warning about the parlous state of IoT security for some time, but it seems no one really wants to listen until an attack hits home and hurts bank balances.  

The hack of Swift’s global payments network that resulted in $81 million being siphoned from Bangladesh central bank was also noteworthy due to the huge amounts of money involved.  Hackers also exploited the Swift system to steal a reported $10 million from an unnamed bank in Ukraine, while back in Bangladesh an eye watering $1 billion cyber theft was only stopped when an eagle-eyed employee spotted a typo.

In an ironic way it’s almost fitting that a hack to see out 2016 was the attack on Tesco Bank. The company was forced to repay £2.5 million of losses to 9,000 customers in a heist described as ‘unprecedented’ by regulators. It may seem small when compared to the Swift system hacks but there’s worrying significance that the company apparently ignored warnings that its vulnerable software was being targeted by cyber criminals for months before the attack. What is just as shocking is that the bank didn’t even encourage two-factor authentication for its customers. 

How many more financial organisations are going to be nailed by cyber thieves before the message gets through? If the EU General Data Protection Regulation had been in force, which is due to come into effect in 2018, Tesco would have been hit by a fine up to £1.9bn. And who could say that Tesco and other organisations with terrifyingly lax cyber security wouldn’t deserve it?

Monday, 5 December 2016

Cyber-security in 2017 – brace yourself [Link - ITProPortal]

I was asked to gaze into my crystal ball and write a piece around the Cyber Security challenges for 2017.  Here is the article as it appeared on the ITProPortal website: 

=================================

If there’s one thing you can say with certainty about cyber-security in 2017, it’s that many companies are going to fail because they are simply not doing the right thing. Fundamental flaws still exist.


It's about the business


Until the technical people lift their heads up and see that security and business are different sides of the same coin, we will inevitably see more damaging attacks. When security people learn to speak in the language of business they will begin to understand just where in the organisation they need to apply their expertise. 

This might be smart configuration options, cautious security policies, vigilance and a willingness to read server logs like some people read the newspaper in the morning to identify targeted attacks.  

Of course, this won’t stem the malware tsunami but it will help defend against it. Leading the malware charge in 2017 will be ransomware. Like 2016 it will be more of the same, with an important and fundamental exception; ransomware will be more sophisticated.

Advanced attack vectors


Encryption keys are becoming more complex while ransomware attack vectors are becoming alarmingly advanced. Ransomware can mount previously mapped drives, encrypt them, and then unmount them, reaching deeper into the network.  

However, the efficiency of ransomware as a tool for fraud will also be slowly undermined. One misconception about ransomware is that once the ransom is paid, the victim receives the keys to unlock their files. Increasingly we are seeing instances of this not happening. The fraudsters are simply taking the money and running.

Criminals dumbing down


As ransomware is now available as-a-service, it is reaching down into the lower levels of the criminal underworld and organised crime networks. The type of villain who uses the ‘service’ might have previously been involved with keeping crooked books for instance.

As such they can’t be bothered to send decryption keys which of course will erode the value of ransomware as victims increasingly refuse to pay the ransom.

IoT security


Another major area of concern is the security of IoT devices. It’s fair to say that the existing state of device security isn’t great. Some devices are managed by web consoles that don’t even have encryption. Some devices have passwords hard coded into them that you can’t change. It would be good to see manufacturers take some responsibility but this is unlikely as they operate with tight margins and are unlikely to take on tasks that eat into thin profits. 

If we’re lucky, we will see the emergence of pressure groups consisting of industry vendors and third parties who are no longer willing to sit back and watch major hacks unfold. 

Questioning machine learning


Another area to keep an eye on is machine learning. As with any new technology it’s usually proclaimed with a loud fanfare and over exaggerated claims that often fall just short of guaranteeing freedom for all and world peace. In terms of security, machine learning does promise a lot of potential but when you drill down some serious questions need to be asked.  

In 2017 we’re likely to see these questions put forward with some force, as it becomes apparent that machine learning in the security realm has flaws. For instance, how are the machines learning, are millions of good and bad results being fed into the machine to ensure accurate analytics and what kind of input is coming from security labs and research teams?  

These are important questions, and with the advent of next-generation endpoints, such as mobile devices and laptops designed to respond to machine learning, security in depth is vital to ensure success. If machine learning vendors can’t answer these questions with confidence, then you can expect to see machine learning and security take a dive.

Shock of GDPR


An area where you can expect to see panic break out is the European Union’s General Data Protection Regulations or GDPR as it’s more commonly known. At the moment UK organisations are displaying naivety towards GDPR which comes into effect in May 2018. Many are hiding behind Brexit and taking the view that the UK won’t be in the EU come May 2018 so GDPR won’t affect them. However, if a business operates in Europe, it will.  

To meet GDPR requirements, measures need to be put in place in 2017. Many companies have already finalised budgets for 2017 but haven’t made any provision for GDPR. With no budget provision, there’s going to be an awful lot of flapping when companies realise that they’re nowhere near compliance ready.

Big fines, big panic


GDPR also reaches up to the board and any data breaches can result in enormous fines of up to 4 per cent of revenue. This can and will translate in some cases, to fines that run into millions of pounds. Are executive directors aware that if they show negligence in protecting customer data they’re going to be hit really hard?  

In summary, it would be uplifting to say that we’re not going to see any more major breaches, that fundamental flaws will be addressed, that new technologies are going to change the security landscape for the better and everyone is set for GDPR. In reality, while we will see some positives we also need to prepare our businesses for more breaches and more hacks.