We used to call the Internet the “information super-highway” back in the day, when connections were slow, bulletin boards and gopher were about as techie as it got. Those days are long gone, but something of the ‘highway’ has remained, like a bad smell, one that has come back to haunt us in 2017… The highway robber in the form of ransomware exploits !
The person who went about their villainy on the trade routes and highways of the world, extorting money and valuables from unsuspecting travellers with a simple threat –– ”your money or your life” –– reinforced of course with the trademark flintlock pistol and sabre.
Today’s highway robber is a lot more sophisticated and savvy. They take far less risk and turn to the latest technology to extort you out of your money by threatening your valuables. In this case your data, your technology and most probably your computing ability.
Of course, I’m talking now about ransomware, the threat that’s been in the news almost every day for the past couple of months. The tool of choice for the modern highway robber has become headline news around the world with variants such as WannaCry and the more recent Popcorn Time. Organizations around the world have been affected by this ransomware, from the UK National Health Service, through to the Russian Postal Service in the last few weeks.
Interestingly, WannaCry leverages a previously known vulnerability in the Windows operating system, which is alleged to have been hoarded by a national security agency of the USA. In this case a vulnerability which allowed the ransomware to be especially successful in both current and older versions of Windows, such as XP and Windows 7, by using a weakness in their inbuilt SMB networking functionality. Even when out of support, there are still organisations using Windows XP and putting themselves at risk.
Luckily however an enterprising security researcher managed to find a kill switch written into some variants of WannaCry, in the form of a phone-home domain which hadn’t been registered by the malware’s author. Registering the domain seemed to give these variants of the malware the dead letter box it was looking for in order to shut down, thus halting the attack.
After intense examination of WannaCry’s tactics by the security community, we now know the infection spread within organizations by means of leveraging SMB connections. And, while patching the known vulnerability (as the patch had been out for over a month) helps sqelch WannaCry’s ability to spread, there are a broad range of ransomware sources through which you can get infected, such as:
Trojans – Perhaps the most common and the ransomware attack source we read the most about. Email attachments that contain malicious macro attachments are the chosen method here.
Removable media – Perhaps the most likely ransomware source of infection for the majority of malware in an enterprise, whether it’s ransomware or something more nefarious. Especially for those organisations that don’t lock down their USB ports. USB sticks and removable media are a very simple way to infect a PC as users generally trust those devices. A study by Google and two US universities showed that dropping USB sticks in public places was a simple and effective way to trigger human curiosity, with a full 49% of the ‘bait USBs’ being plugged into a computer by people who found them. Imagine if those had been malicious?
Malvertising – Malver-what-now? A portmanteau of malicious advertising. Where attackers compromise the weak infrastructure of an online ad network that serves adverts to legitimate websites. Therefore, when users view those adds, usually on well-known news websites, they can be used to trick browsers into downloading malware through the page display ads. Exploit kits such as Angler and Neutrino are often used as the initial dropper of the malware, which often then allows cyber criminals complete control of the infected endpoint. Ransomware is just one of the common outcomes of these watering-hole or drive-by attacks.
Ransomware-as-a-Service – RaaS? Yes, it does exist, as one of the many ‘Crime-as-a-Service’ networks. (Yes, those exist too). RaaS allows criminals of any variety to use ransomware exploits and become instant cyber criminals, to the extent we’re seeing a drop off in classic crime like burglary, as RaaS is far a less risky ransomware source for them. RaaS and CraaS have given rise to vast affiliate networks too, where ransomware is easy to deploy and manage for almost anyone and where the earning potential is significant. I use this example to demonstrate the sophistication and motivation of the cybercriminals behind ransomware. Ignore them at your peril.
Of course, we’re used to thinking of ransomware as an email-specific or Trojan-based attack and that’s certainly the most common route it takes, but we should note that once ransomware makes its way into your business, ransomware creators will attempt to take as many routes possible to ensure as widespread an infection as is possible.
What all of these attacks and the breadth of ransomware sources show us is that it’s a live and hostile environment on the information super-highway and that for all the good we do, there are still people intent on exploiting, stealing, violating and pillaging our assets. Don’t be under any illusion they’re not motivated either; ransomware is a great money earner for them so don’t expect the attacks to die down anytime soon. Technologically not doing your best is not an option either. Sitting back hoping Windows XP or 7 will “struggle on for a little longer” or that those patches you didn’t deploy don’t matter is not a sensible strategy. Remember there are books written about hope not being a strategy, so don’t fall into that trap.
Patch your stuff, back up your valuables and keep an eye out for the highway robbers and those ransomware exploits.
Stay safe out there.
http://www.netcal.com/wp-content/uploads/2017/07/images.jpg170297Conal Mullanhttp://www.netcal.com/wp-content/uploads/2015/11/netcal_logo2.gifConal Mullan2017-07-19 09:59:132017-07-19 10:00:255 Top ransomware exploits that you should know
One of the favourite pieces of software for malicious hackers to target on users’ computers is Adobe Flash Player.
Why? Well, there are a few reasons.
Firstly, Adobe Flash Player is on an awful lot of computers. Many users may have installed it long ago in order to access Flash-based media content online, such as videos. Malicious hackers can rely upon a large number of people having Flash installed, making it a target for attack.
Secondly, the version of Adobe Flash Player installed on your computer may be out-of-date. Users may have failed to configure updates properly, or chosen to ignore reminders to update the software promptly when a new security update is released. There’s only one thing more attractive to a malicious hacker than widely-used ubiquitous software, and that’s widely-used ubiquitous software that hasn’t been kept updated with the latest patches.
It doesn’t matter if a hacker doesn’t have a zero-day exploit to throw at your Adobe Flash Player if you haven’t been bothering to keep it protected against known vulnerabilities.
Thirdly, there has been a long history of malicious hackers finding critical security holes in Adobe Flash Player, and building their attacks into exploit kits for anyone to deploy. Flash is closed, proprietary software controlled by Adobe and it has been plagued with software vulnerabilities and serious flaws over many years. Quite why Flash has been targeted so often is open to some debate, but the mere fact that it has suggests that it will continue to be for some time to come.
The upshot of this is that when Adobe releases new security patches for Adobe Flash Player, it would be very sensible indeed for its users to sit up and take notice.
Earlier today Adobe issued a security advisory detailing updates it has released for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS.
The updates are said to address critical vulnerabilities that could allow an attacker to penetrate a vulnerable system, allowing a remote attacker to execute code on a victim’s computer and take control over the device.
Adobe recommends that users of the Adobe Flash Player Desktop Runtime for Windows, Macintosh and Linux update to Adobe Flash Player version 184.108.40.206 as soon as possible. You can do this either by visiting the official Adobe Flash Player download page, or ensuring that Flash’s global settings are set to “install updates automatically when available”.
Even with that option enabled you may be disappointed to find that security updates are not immediately available to you, and – rather than wait – prefer to manually force an update instead.
Things are a little simpler for those who rely upon the Adobe Flash Player code integrated with the Google Chrome and Microsoft Edge browsers, as they should be automatically updated to the latest version as the browser itself updates.
The best approach of all, of course, if you want to permanently secure your computers and devices against Flash flaws is the nuclear option: uninstall Flash from your computer. Or – if you just need Adobe Flash for very specific websites or bespoke applications – have Flash installed on an alternative browser rather than the one you regularly use to surf the web.
If you’re not quite ready to take the step of entirely uninstalling Flash, then you should at the very least consider enabling “Click to Play”, which stops Flash elements from being rendered in your browser unless you give specific permission.
http://www.netcal.com/wp-content/uploads/2017/07/flash-623x425.jpeg425623Conal Mullanhttp://www.netcal.com/wp-content/uploads/2015/11/netcal_logo2.gifConal Mullan2017-07-13 04:30:552017-07-13 04:33:47Update Adobe Flash Player NOW
The company is going to kill off SMB1 at long last, but you shouldn’t wait to disable it
Another day, another global malware attack made possible by a Microsoft security hole. Once again, attackers used hacking tools developed by the U.S. National Security Agency (NSA), which were stolen and subsequently released by a group called Shadow Brokers.
This time around, though, the late-June attack apparently wasn’t ransomware with which the attackers hoped to make a killing. Instead, as The New York Times noted, it was likely an attack by Russia on Ukraine on the eve of a holiday celebrating the Ukrainian constitution, which was written after Ukraine broke away from Russia. According to the Times, the attack froze “computers in Ukrainian hospitals, supermarkets, and even the systems for radiation monitoring at the old Chernobyl nuclear plant.” After that, it spread worldwide. The rest of the world was nothing more than collateral damage.
The NSA bears a lot of responsibility for this latest attack because it develops these kinds of hacking tools and frequently doesn’t tell software makers about the security holes they exploit. Microsoft is one of many companies that have beseeched the NSA not to hoard these kinds of exploits. Brad Smith, Microsoft’s president and chief legal officer, has called on the NSA “to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits” and stop stockpiling them.
Smith is right. But once again, a global malware attack exploited a serious insecurity in Windows, this time a nearly 30-year-old networking protocol called SMB1 that even Microsoft acknowledges should no longer be used by anyone, anywhere, at any time.
First, a history lesson. The original SMB (Server Message Block) networking protocol was designed at IBM for DOS-based computers nearly 30 years ago. Microsoft combined it with its LAN Manager networking product around 1990, added features to the protocol in its Windows for Workgroups product in 1992, and continued using it in later versions of Windows, up to and including Windows 10.
Clearly, a networking protocol designed originally for DOS-based computers, then combined with a nearly 30-year-old networking system, is not suitable for security in an internet-connected world. And to its credit, Microsoft recognizes that and is planning to kill it. But a lot of software and enterprises use the protocol, and so Microsoft hasn’t yet been able to do it in.
Microsoft engineers hate the protocol. Consider what Ned Pyle, principal program manager in the Microsoft Windows Server High Availability and Storage group, had to say about it in a prescient blog in September 2016:
“Stop using SMB1. Stop using SMB1. STOP USING SMB1!… The original SMB1 protocol is nearly 30 years old, and like much of the software made in the 80’s, it was designed for a world that no longer exists. A world without malicious actors, without vast sets of important data, without near-universal computer usage. Frankly, its naivete is staggering when viewed though modern eyes.”
Back in 2013, Microsoft announced it would eventually kill SMB1, saying the protocol was “planned for potential removal in subsequent releases.” That time is almost here. This fall, when the Windows 10 Fall Creators Update is released, the protocol will finally be removed from Windows.
But enterprises shouldn’t wait for then. They should remove the protocol right away, just as Pyle recommends. Before doing that, they would do well to read the SMB Security Best Practices document, put out by US-CERT, which is run by the U.S. Department of Homeland Security. It suggests disabling SMB1, and then “blocking all versions of SMB at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139, for all boundary devices.”
As for how to disable SMB1, turn to a useful Microsoft article, “How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server.” Note that Microsoft recommends keeping SMB2 and SMB3 active, and only deactivating them for temporary troubleshooting.
An even better source for killing SMB1 is the TechNet article “Disable SMB v1 in Managed Environments with Group Policy.” It is the most up-to-date article available and more comprehensive than others.
Turning off SMB1 will do more than protect your enterprise against next global malware infection. It will also help keep your company safer against hackers who specifically target it and not the entire world.
http://www.netcal.com/wp-content/uploads/2017/07/cyber_attack-100728320-large.jpg455700Conal Mullanhttp://www.netcal.com/wp-content/uploads/2015/11/netcal_logo2.gifConal Mullan2017-07-06 07:16:232017-07-06 07:16:23Microsoft networking protocol at the core of recent global malware attacks
In the wake of another ransomware attack, this one labeled Goldeneye, we’re reaching out to ensure our partners that we’re focused on security first. According to Forbes, there are similarities with WannaCryptor, but experts are labeling this a variant of Petya aimed at the file system—specifically targeting the master boot record—instead of encrypting individual files. It utilizes the same attack vector that WannaCry used last month – an SMBv1 exploit that was patched in March under MS17-010 known as EternalBlue.
The attack has effected systems beginning in Ukraine, and has been confirmed as spreading through a trojanized version of M.E.Doc accounting software. The massive ransomware campaign was launched in the early hours of June 27, and the outbreak is spreading globally. The National Bank of Ukraine has shared a warning on their website to help protect other banks, and the financial sector is taking steps to “strengthen security measures and counter hacker attacks.” The Independent is reporting affected systems in Spain and India, along with issues arising for Danish and British companies.
Reports are now coming in that Goldeneye has reached the US, with systems affected in major companies like Merck. Advanced security systems can block the currently known samples of new ransomware variants like Goldeneye, keeping most users safe from system infiltration.
Just like the WannaCry cyberattacks in May, this attack is highlighting the importance of maintaining up-to-date patching to keep your systems safe from these exploitative malware programs. Keeping your systems fully patched and using a vetted security solution with network segmentation can help prevent large-scale issues.
Patching, in conjunction with third-party products like anti-virus, anti-malware & backup, are critical to providing the best IT services, and an integrated ecosystem of solutions allows you to:
Close Windows vulnerabilities by keeping it up to date with latest patches from Microsoft
Detect new threats as the IT landscape continues to shift with anti-virus and anti-malware protection
Prevent an all-out disaster by procuring continuous backups of data
See how our partners and other AV solution providers are addressing the latest attack:
Looking to make the move into the cloud can be a bit of daunting process, with so many options available. One of the first decisions to make is choosing whether you want to opt for public cloud provider or choose a private cloud Private Hosting Services solution.
With decades of experience within the IT sector, dealing with a range of business clients, we have highlighted security, flexibility and control as the key values to our clients and wanted to ensure all of our cloud services were done so through a highly secure private cloud platform.
We have jotted down 5 top reasons for choosing a private cloud model for your business, to help guide you on your way.
1. Sense of security
Without a doubt, the number one reason to opt for Private Hosting Services is the knowledge that you know, not only, where your data is located but exactly who can access it. Whilst there are certainly a number security controls in place on a good public cloud platform, you will never have the sense control and security that you achieve through a private cloud solution.
Security is especially important for businesses who may hold sensitive documents on their servers such as highly personal customer information or private financial data. Businesses have a responsibility to ensure their data is kept safe and secure at all times, making a private cloud provider the go to platform for rest assured data security.
2. Knowing where your data is
Closely linked to security and privacy, specific data location is another important difference between private and public cloud providers. You cannot be 100% sure where your data is being stored on a public cloud, with many providers holding your data abroad, and often even unable to specify the exact location of your files at any given time.
With a private cloud infrastructure, you will always know the precise location of your data. At NetCal all your data is held on state of the art, enterprise level equipment in temperature controlled environments in a distinct number of data centres, known to you at any given time.
3. Top performance
Another clear advantage for Private Hosting Services is the ability to have dedicated applications and a dedicated server which runs its own operating system for your business. This ensures you do not have to share processing power with other company applications, resulting in a more stable predictable performance which is optimised for your business requirements.
4. Take control
If you want to ensure you have complete control over your hardware and your virtual servers, a private cloud is the clearly favourable option. In addition, private cloud also allows much more control over Service Level Agreement (SLA) management. Public cloud platforms can only give you control over certain features of your operating system, applications and server, and a public cloud provider controls the SLAs with all clients.
Another advantage of a private cloud solution is complete control over your own failover plan, which is put in place to ensure that there is no risk of your cloud service becoming unavailable to users.
5. Be flexible
An enterprise level private cloud service is built from the bottom up and tailored for your individual requirements. This means that, you as a client are able to specify what you need (both technical capabilities and SLAs) and only ever need to take up the processing power that you require.
In summary Private cloud is highly compliant and highly flexible, providing you with complete control over your hardware, virtual servers, SLAs and failover plans, whilst ensuring you are operating at your optimum performance.
If you are considering migrating to a cloud solution, or want to better understand the benefits of opting for a private cloud provider, get in touch with one of the friendly and experienced members of our team and we can get you up and started in no time.
http://www.netcal.com/wp-content/uploads/2017/06/download-2.jpg223226Conal Mullanhttp://www.netcal.com/wp-content/uploads/2015/11/netcal_logo2.gifConal Mullan2017-06-29 07:44:302017-06-29 07:44:30Benefits of choosing Private Hosting Services