Managed Security Services

Ransomware Spares No One: How to Avoid the Next Big Attack

With global ransomware attacks, such as WannaCry and not-Petya, making big headlines this year, it seems the unwelcomed scourge of ransomware isn’t going away any time soon. While large-scale attacks like these are most known for their ability to devastate companies and even whole countries, the often under-reported victim is the average home user.

We sat down with Tyler Moffit, senior threat research analyst at Webroot, to talk ransomware in plain terms to help you better understand how to stop modern cybercriminals from hijacking your most valuable data.

To put it simply, your files are stolen. Basically, any files that you would need on the computer, whether those are pictures, office documents, movies, even save files for video games, will be encrypted with a password that you need to get them back. If you pay the ransom, you get the password (at least, in theory. There’s no guarantee.)

How does the average home user get infected with ransomware?

“Malspam” campaigns are definitely the most popular. You get an email that looks like it’s from the local post office, saying you missed a package and need to open the attachment for tracking. This attachment contains malware that delivers the ransomware, infecting your computer. It is also possible to become infected with ransomware without clicking anything when you visit malicious websites. Advertisements on legitimate websites are the biggest target. Remote desktop protocol (RDP) is another huge attack vector that is gaining traction as well. While controlling desktops remotely is very convenient, it’s important to make sure your passwords are secure.

How is the data ? Is the ransomed data actually taken or transmitted?

When you mistakenly download and execute the ransomware, it encrypts your files with a password, then sends that password securely back to the attacker’s server. You will then receive a ransom demand telling you how to pay to get the password to unlock your files. This is a really efficient way to prevent you from accessing your files without having to send gigabytes of information back to their servers. In very simple terms, the files are scrambled using a complex algorithm so that they are unreadable by any human or computer unless the encryption key is provided.

What types of files do ransomware attacks usually target?

Most ransomware is specifically engineered to go after any type of file that is valuable or useful to people. Around 200 file extensions have been known to be targeted. Essentially, any file that you’ve saved or open regularly would be at risk.

How does the attacker release the encrypted files?

The attacker provides a decryption utility via the webpage where you make the payment. Once you receive the decryption key, all you have to do is input that key into the tool and it will decrypt and release the files allowing you to access them again. Keep in mind, however, that the criminal who encrypted your files is under no obligation to give them back to you. Even if you pay up, you may not get your files back.

Tips for protecting your devices:
  • Use reliable antivirus software.
  • Keep all your computers up-to-date. Having antivirus on your computer is a great step towards staying safe online; however, it doesn’t stop there. Keeping your Windows PCs and/or Mac operating systems up-to-date is equally important.
  • Backup your data. Being proactive with your backup can help save your favorite vacation photos, videos of your kid’s first piano recital, not to mention sensitive information that could cost you thousands by itself.

This article was provided by our service partner Webroot.

 

cyber security

Five Crucial Components of a Layered Security Strategy

Modern cyber threats are evolving at an alarming pace. Today’s thieves are constantly devising new tactics, angles, and technologies that can be used to victimize your customers—everything from malicious mobile apps to phishing emails and malware, and the consequences can be costly. Last year, the FBI estimated that criminals would net $1 billion in ransomware profits alone.

To truly ensure your customers are safe from these increasingly complex attacks, they need multiple defense layers to protect against every tactic at every attack stage. Here are a few essential layers that should be a part of any successful cyber security strategy.

Multi-Vector Protection

Cyber criminals are more organized and better educated than ever before. This means they’re increasingly savvy in implementing multistage, multi-vector attacks. Multi-vector protection ensures that your customers’ endpoint security covers threats that cross multiple vectors, through multiple stages, reducing the opportunity for cyber criminals to successfully breach their networks.

Web Filtering

In many cases, the weakest links in a security strategy are the very same end users it’s intended to protect. In order to ensure end user behaviors don’t jeopardize the security of business networks, effective domain-level protection is a must. Using a cloud-based, web accessible security layer protects a TSP’s customers by reducing the flow of malware into the network by up to 90 percent. Plus, it gives TSPs granular control of all users’ internet activities, blocking dangerous websites automatically, and placing others under real time policy control.

End User Education

According to the Verizon Data Breach Investigations Report, phishing—a practice in which cyber criminals impersonate a legitimate company to steal personal information or login credentials—was behind 90 percent of security breaches in 2016. Plus, thanks to an increasingly mobile workforce, an organization’s data often leaves its secured network perimeters, creating a major vulnerability. For these reasons, implementing a recurring and continuously updated security education program is more important than ever to help end users remain current on increasingly sophisticated and realistic phishing attempts.

Patch Management

Patching ensures that your customers’ systems are up-to-date, making it more difficult for the majority of hackers to penetrate. Regularly scanning for vulnerabilities in your customers’ environments can help you determine if patches are necessary. It’s a low-cost practice that can dramatically improve security.

Backup

Backups are essential for remediating malicious activity and eliminating the effectiveness of ransomware. Having a regular backup in place also addresses concerns about whether your customers have ready access to the latest versions of their applications and data. This is critical for organizations that must meet certain compliance mandates such as HIPAA or PCI-DSS.

Webroot SecureAnywhere® solutions specialize in providing all the layers of security you need to protect your customers from complex, zero-hour cyber threats.


This article was provided by our service partner Webroot.

ransomware attack

Is Your Organization Ready to Defend Against Ransomware Attacks?

Without question, cybercrime is escalating and ransomware attacks and threats abound. Learn how to defend against ransomware, how infection can occur and how you can fight back.

Cybercrime is reaching unprecedented heights. And with the recent “WannaCry” ransomware attack, cyberthreats are back at the top of every IT department’s list of priorities and concerns. Unfortunately, it’s a trend that is unlikely to be curbed anytime soon. Cybersecurity communities estimate that the total cost of cybercrime damage worldwide will reach $6 trillion annually by the end of 2021, forcing more and more businesses to invest in cybersecurity products and services to protect their business-critical data from potential ransomware attacks.

Here I’ll talk more about what ransomware is, how infections can occur and how your business can be more prepared to defend against potential attacks.

What is ransomware?

Ransomware is typically defined as a subset of malware where the data on a victim’s computer becomes inaccessible and payment is demanded (usually in the form of bitcoin or other cryptocurrencies), before the data is decrypted and the victim can re-access their files.

Ransomware attacks can present themselves in a variety of forms but Microsoft Malware Protection Center explains that the two most widespread ransomware families to be reported in 2016/17 were:

  • Lock-screen ransomware
  • Encryption ransomware

Typically, lock-screen ransomware will present victims with a full-screen message which then prohibits the user from accessing their PC or files, until a payment is made. Whereas encryption ransomware will modify the data files via encryption methods so that the victim cannot open them again. In both cases, the attackers are in total control and demand large sums of money to access or unlock the files.

How does a ransomware infection occur?

Most ransomware infections occur through email messages carrying Trojans that attempt to install ransomware when opened by victims, or alternatively, through websites that attempt to exploit vulnerabilities in the victim’s browser before infecting the system with ransomware.

Multiple high-profile incidents in 2016/17 alone have demonstrated the destruction ransomware attacks can have on enterprise networks just as easily as on individual PCs. For example, the mysterious hacking group Shadow Brokers, which breached spy tools at the National Security Agency (NSA) and offered the stolen data for auction, released EternalBlue (a Windows exploit) in April 2017, and the WannaCry strain hit thousands of targets including the National Health Service in the UK (in total netting ~52 bitcoins or around $130,000 worth of ransom).

Not to mention many other widespread strains of ransomware, including Petya, Nyetya, Goldeneye, Vault 7 and Macron, which have had devastating effects on countries, enterprises, election debates and individuals around the world. Attacking enterprise networks in this manner is becoming even more attractive, because the value of the files and data that large enterprises own means attackers can demand higher monetary values for ransom.

How to fight back

The increasing threat of ransomware attacks should come as no surprise: in reality, organizations have always been under threat from malicious cyberattacks, viruses and ransomware, just more so now than ever before, and IT managers should continually be looking for ways to better protect their valuable data. Therefore, it is essential that your organization has a plan in place to defend against such attacks, minimize financial impact, reduce IT impact and maintain brand reputation.

The industry-recognized recommendations suggest organizations follow the simple 3-2-1 rule and implement a strong security plan. The goal of the 3-2-1 rule is to provide customers with a data protection solution that maximizes application uptime and data availability in the event of a disaster striking.

With the proper execution of the 3-2-1 backup principles, IT managers can protect their data by:

  • Maintaining 3 copies of data (primary data and two copies)
  • Storing backup copies on 2 different media types (such as tape, disk, secondary storage or cloud)
  • Keeping 1 copy off-site (either on tape or in the cloud; disasters can strike without notice, and if all other forms of protection fail, you still have access to offline data!)

 

Links in phishing-like emails lead to tech support scam

Tech support scams continue to evolve, with scammers exploring more ways to reach potential victims. Recently, we have observed spam campaigns distributing links that lead to tech support scam websites.

Anti-spam filters in Microsoft Exchange Online Protection (EOP) for Office 365 and in Outlook.com blocked the said emails because they bore characteristics of phishing emails. The said spam emails use social engineering techniques—spoofing brands, pretending to be legitimate communications, disguising malicious URLs—employed by phishers to get recipients to click suspicious links.

However, instead of pointing to phishing sites designed to steal credentials, the links lead to tech support scam websites, which use various scare tactics to trick users into calling hotlines and paying for unnecessary “technical support services” that supposedly fix contrived device, platform, or software problems.

The use of email as an infection vector adds another facet to tech support scams, which are very widespread. Every month, at least three million users of various platforms and software encounter tech support scams. However, tech support scams are not typical email threats:

  • Many of these scams start with malicious ads found in dubious web pages—mostly download locations for fake installers and pirated media—that automatically redirect visitors to tech support scam sites where potential victims are tricked into calling hotlines.
  • Some tech support scams are carried out with the help of malware like Hicurdismos, which displays a fake BSOD screen, or Monitnev, which monitors event logs and displays fake error notifications every time an application crashes.
  • Still other tech support scams use cold calls. Scammers call potential victims and pretend to be from a software company. The scammers then ask victims to install applications that give them remote access to the victim’s devices. Using remote access, the experienced scam telemarketers can misrepresent normal system output as signs of problems. The scammers then offer fake solutions and ask for payment in the form of a one-time fee or subscription to a purported support service.

The recent spam campaigns that spread links to tech support scam websites show that scammers don’t stop looking for ways to perpetrate the scam. While it is unlikely that these cybercriminals will abandon the use of malicious ads, malware, or cold calls, email lets them cast a wider net.

An alternative infection path for tech support scams

The spam emails with links to tech support scam pages look like phishing emails. They pretend to be notifications from online retailers or professional social networking sites. The suspicious links are typically hidden in harmless-looking text.

Figure 1. Sample fake Alibaba order cancellation email. The order number is a suspicious link.

Figure 2. A sample of a fake Amazon order cancellation email. Similarly, the order number is a suspicious link.

Fig 3. Sample fake LinkedIn email of a message notification. The three hyperlinks in the email all lead to the same suspicious link.

The links in the emails point to websites that serve as redirectors. In the samples we analyzed, the links pointed to the following sites, which are most likely compromised:

  • hxxp://love.5[redacted]t.com/wordpress/wp-content/themes/acoustician.php
  • hxxp://s[redacted]t.com/wp-content/themes/paten.php
  • hxxp://k[redacted]g.org/wp-content/categorize.php

Interestingly, the redirector websites contain code that diverts some visitors to pharmaceutical or dating websites.

Fig 5. Redirects to support scam site

Landing on typical support scam websites

Tech support scams sites often mimic legitimate sites. They display pop-up messages with fake warnings and customer service hotline numbers. As part of the scam, calls to these phone numbers are answered by agents who trick users into paying for fake technical support.

Fig 6. Tech support scam site with fake warning and support number

The technical support scam websites employ various social engineering techniques to compel users to call the provided hotlines. They warn about malware infection, license expiration, and system problems. Some scams sites display countdown timers to create a false sense of urgency, while others play an audio message describing the supposed problem.

Tech support scam websites are also known to use pop-up or dialog loops. A dialog loop refers to malicious code embedded in sites that causes the browser to present an infinite series of browser alerts containing falsified threatening messages. When the user dismisses an alert, the malicious code invokes another one, ad infinitum, essentially locking the browser session.

More advanced tech support scam sites use web elements to fake pop-up messages. Some of these scam sites open full screen and mimic browser windows, showing spoofed address bars.


This article was first published at microsoft.com

 

The End of an Era – Next Steps for Adobe Flash

Earlier this week, Adobe announced that Flash will no longer be supported after 2020. Microsoft will phase out support for Adobe Flash in Microsoft Edge and Internet Explorer ahead of this date.

Flash led the way on the web for rich content, gaming, animations, and media of all kinds, and inspired many of the current web standards powering HTML5. Adobe has partnered with Microsoft, Google, Mozilla, Apple, and many others, to ensure that the open web could meet and exceed the experiences that Adobe Flash has traditionally provided. HTML5 standards, implemented across all modern browsers, provide these capabilities with improved performance, battery life, and increased security. We look forward to continuing to work with Adobe and our industry partners on enriching the open web without the need for plug-ins.

We will phase out Flash from Microsoft Edge and Internet Explorer, culminating in the removal of Flash from Windows entirely by the end of 2020. This process began already for Microsoft Edge with Click-to-Run for Flash in the Windows 10 Creators Update. The process will continue in the following phases:

  • Through the end of 2017 and into 2018, Microsoft Edge will continue to ask users for permission to run Flash on most sites the first time the site is visited, and will remember the user’s preference on subsequent visits. Internet Explorer will continue to allow Adobe Flash with no special permissions required during this time.
  • In mid to late 2018, we will update Microsoft Edge to require permission for Flash to be run each session. Internet Explorer will continue to allow Flash for all sites in 2018.
  • In mid to late 2019, we will disable Flash by default in both Microsoft Edge and Internet Explorer. Users will be able to re-enable Flash in both browsers. When re-enabled, Microsoft Edge will continue to require approval for Flash on a site-by-site basis.
  • By the end of 2020, we will remove the ability to run Adobe Flash in Microsoft Edge and Internet Explorer across all supported versions of Microsoft Windows. Users will no longer have any ability to enable or run Flash.

This timeline is consistent across browsers, including Google, Mozilla, and Apple. We look forward to continuing our close collaboration with Adobe, other browser vendors, and the publishing community, as we evolve the future of the web for everyone.

ransomware exploits

5 Top ransomware exploits that you should know

We used to call the Internet the “information super-highway” back in the day, when connections were slow, and bulletin boards and gopher were about as techie as it got. Those days are long gone, but something of the ‘highway’ has remained, like a bad smell, one that has come back to haunt us in 2017… The highway robber, in the form of ransomware exploits!

The highway robber was the person who went about their villainy on the trade routes and highways of the world, extorting money and valuables from unsuspecting travellers with a simple threat – “your money or your life” – reinforced of course with the trademark flintlock pistol and sabre.

Today’s highway robber is a lot more sophisticated and savvy. They take far less risk and turn to the latest technology to extort you out of your money by threatening your valuables. In this case your data, your technology and most probably your computing ability.

Of course, I’m talking now about ransomware, the threat that’s been in the news almost every day for the past couple of months. The tool of choice for the modern highway robber has become headline news around the world with variants such as WannaCry and the more recent Popcorn Time. Organizations around the world have been affected by this ransomware, from the UK National Health Service, through to the Russian Postal Service in the last few weeks.

Interestingly, WannaCry leverages a previously known vulnerability in the Windows operating system, which is alleged to have been hoarded by a national security agency of the USA. In this case a vulnerability which allowed the ransomware to be especially successful in both current and older versions of Windows, such as XP and Windows 7, by using a weakness in their inbuilt SMB networking functionality. Even when out of support, there are still organisations using Windows XP and putting themselves at risk.

Luckily however an enterprising security researcher managed to find a kill switch written into some variants of WannaCry, in the form of a phone-home domain which hadn’t been registered by the malware’s author. Registering the domain seemed to give these variants of the malware the dead letter box it was looking for in order to shut down, thus halting the attack.

After intense examination of WannaCry’s tactics by the security community, we now know the infection spread within organizations by leveraging SMB connections. And, while patching the known vulnerability (the patch had been out for over a month) helps squelch WannaCry’s ability to spread, there is a broad range of ransomware sources through which you can get infected, such as:

  • Trojans – Perhaps the most common and the ransomware attack source we read the most about. Email attachments that contain malicious macro attachments are the chosen method here.
  • Removable media – Perhaps the most likely ransomware source of infection for the majority of malware in an enterprise, whether it’s ransomware or something more nefarious. Especially for those organisations that don’t lock down their USB ports. USB sticks and removable media are a very simple way to infect a PC as users generally trust those devices. A study by Google and two US universities showed that dropping USB sticks in public places was a simple and effective way to trigger human curiosity, with a full 49% of the ‘bait USBs’ being plugged into a computer by people who found them. Imagine if those had been malicious?
  • Malvertising – Malver-what-now? A portmanteau of malicious advertising. Attackers compromise the weak infrastructure of an online ad network that serves adverts to legitimate websites. Therefore, when users view those ads, usually on well-known news websites, the ads can be used to trick browsers into downloading malware through the page’s display ads. Exploit kits such as Angler and Neutrino are often used as the initial dropper of the malware, which often then allows cyber criminals complete control of the infected endpoint. Ransomware is just one of the common outcomes of these watering-hole or drive-by attacks.
  • Social media and SMS – The prevalence of shortened links used on social media platforms and in SMS text messages gives attackers a superb mechanism to deliver ransomware and malware. Users rarely, if ever, check the destination of shortened links in social media, SMS or even email and attackers know this. Security solutions that ‘link-follow’ are increasing in popularity, but not fast enough. Ransomware delivered through shortened links is also often JavaScript based and requires little action on the users’ part, other than to click the link.
  • Ransomware-as-a-Service – RaaS? Yes, it does exist, as one of the many ‘Crime-as-a-Service’ networks. (Yes, those exist too.) RaaS allows criminals of any variety to use ransomware exploits and become instant cyber criminals, to the extent that we’re seeing a drop-off in classic crime like burglary, as RaaS is a far less risky ransomware source for them. RaaS and CraaS have given rise to vast affiliate networks too, where ransomware is easy to deploy and manage for almost anyone and where the earning potential is significant. I use this example to demonstrate the sophistication and motivation of the cybercriminals behind ransomware. Ignore them at your peril.

Of course, we’re used to thinking of ransomware as an email-specific or Trojan-based attack and that’s certainly the most common route it takes, but we should note that once ransomware makes its way into your business, ransomware creators will attempt to take as many routes possible to ensure as widespread an infection as is possible.

What all of these attacks and the breadth of ransomware sources show us is that it’s a live and hostile environment on the information super-highway and that for all the good we do, there are still people intent on exploiting, stealing, violating and pillaging our assets. Don’t be under any illusion they’re not motivated either; ransomware is a great money earner for them so don’t expect the attacks to die down anytime soon. Technologically not doing your best is not an option either. Sitting back hoping Windows XP or 7 will “struggle on for a little longer” or that those patches you didn’t deploy don’t matter is not a sensible strategy. Remember there are books written about hope not being a strategy, so don’t fall into that trap.

Patch your stuff, back up your valuables and keep an eye out for the highway robbers and those ransomware exploits.

Stay safe out there.

Update Adobe Flash Player NOW

One of the favourite pieces of software for malicious hackers to target on users’ computers is Adobe Flash Player.
Why? Well, there are a few reasons.

Firstly, Adobe Flash Player is on an awful lot of computers. Many users may have installed it long ago in order to access Flash-based media content online, such as videos. Malicious hackers can rely upon a large number of people having Flash installed, making it a target for attack.

Secondly, the version of Adobe Flash Player installed on your computer may be out-of-date. Users may have failed to configure updates properly, or chosen to ignore reminders to update the software promptly when a new security update is released. There’s only one thing more attractive to a malicious hacker than widely-used ubiquitous software, and that’s widely-used ubiquitous software that hasn’t been kept updated with the latest patches.

It doesn’t matter if a hacker doesn’t have a zero-day exploit to throw at your Adobe Flash Player if you haven’t been bothering to keep it protected against known vulnerabilities.

Thirdly, there has been a long history of malicious hackers finding critical security holes in Adobe Flash Player, and building their attacks into exploit kits for anyone to deploy. Flash is closed, proprietary software controlled by Adobe and it has been plagued with software vulnerabilities and serious flaws over many years. Quite why Flash has been targeted so often is open to some debate, but the mere fact that it has suggests that it will continue to be for some time to come.

The upshot of this is that when Adobe releases new security patches for Adobe Flash Player, it would be very sensible indeed for its users to sit up and take notice.

Earlier today Adobe issued a security advisory detailing updates it has released for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS.

The updates are said to address critical vulnerabilities that could allow an attacker to penetrate a vulnerable system, allowing a remote attacker to execute code on a victim’s computer and take control over the device.

Adobe recommends that users of the Adobe Flash Player Desktop Runtime for Windows, Macintosh and Linux update to Adobe Flash Player version 26.0.0.137 as soon as possible. You can do this either by visiting the official Adobe Flash Player download page, or ensuring that Flash’s global settings are set to “install updates automatically when available”.

Even with that option enabled you may be disappointed to find that security updates are not immediately available to you, and – rather than wait – prefer to manually force an update instead.

Things are a little simpler for those who rely upon the Adobe Flash Player code integrated with the Google Chrome and Microsoft Edge browsers, as they should be automatically updated to the latest version as the browser itself updates.

The best approach of all, of course, if you want to permanently secure your computers and devices against Flash flaws is the nuclear option: uninstall Flash from your computer. Or – if you just need Adobe Flash for very specific websites or bespoke applications – have Flash installed on an alternative browser rather than the one you regularly use to surf the web.

If you’re not quite ready to take the step of entirely uninstalling Flash, then you should at the very least consider enabling “Click to Play”, which stops Flash elements from being rendered in your browser unless you give specific permission.

malware attack

Microsoft networking protocol at the core of recent global malware attacks

The company is going to kill off SMB1 at long last, but you shouldn’t wait to disable it

Another day, another global malware attack made possible by a Microsoft security hole. Once again, attackers used hacking tools developed by the U.S. National Security Agency (NSA), which were stolen and subsequently released by a group called Shadow Brokers.

This time around, though, the late-June attack apparently wasn’t ransomware with which the attackers hoped to make a killing. Instead, as The New York Times noted, it was likely an attack by Russia on Ukraine on the eve of a holiday celebrating the Ukrainian constitution, which was written after Ukraine broke away from Russia. According to the Times, the attack froze “computers in Ukrainian hospitals, supermarkets, and even the systems for radiation monitoring at the old Chernobyl nuclear plant.” After that, it spread worldwide. The rest of the world was nothing more than collateral damage.

The NSA bears a lot of responsibility for this latest attack because it develops these kinds of hacking tools and frequently doesn’t tell software makers about the security holes they exploit. Microsoft is one of many companies that have beseeched the NSA not to hoard these kinds of exploits. Brad Smith, Microsoft’s president and chief legal officer, has called on the NSA “to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits” and stop stockpiling them.

Smith is right. But once again, a global malware attack exploited a serious insecurity in Windows, this time a nearly 30-year-old networking protocol called SMB1 that even Microsoft acknowledges should no longer be used by anyone, anywhere, at any time.

First, a history lesson. The original SMB (Server Message Block) networking protocol was designed at IBM for DOS-based computers nearly 30 years ago. Microsoft combined it with its LAN Manager networking product around 1990, added features to the protocol in its Windows for Workgroups product in 1992, and continued using it in later versions of Windows, up to and including Windows 10.

Clearly, a networking protocol designed originally for DOS-based computers, then combined with a nearly 30-year-old networking system, is not suitable for security in an internet-connected world. And to its credit, Microsoft recognizes that and is planning to kill it. But a lot of software and enterprises use the protocol, and so Microsoft hasn’t yet been able to do it in.

Microsoft engineers hate the protocol. Consider what Ned Pyle, principal program manager in the Microsoft Windows Server High Availability and Storage group, had to say about it in a prescient blog in September 2016:

“Stop using SMB1. Stop using SMB1. STOP USING SMB1!… The original SMB1 protocol is nearly 30 years old, and like much of the software made in the 80’s, it was designed for a world that no longer exists. A world without malicious actors, without vast sets of important data, without near-universal computer usage. Frankly, its naivete is staggering when viewed through modern eyes.”

Back in 2013, Microsoft announced it would eventually kill SMB1, saying the protocol was “planned for potential removal in subsequent releases.” That time is almost here. This fall, when the Windows 10 Fall Creators Update is released, the protocol will finally be removed from Windows.

But enterprises shouldn’t wait until then. They should remove the protocol right away, just as Pyle recommends. Before doing that, they would do well to read the SMB Security Best Practices document put out by US-CERT, which is run by the U.S. Department of Homeland Security. It suggests disabling SMB1 and then “blocking all versions of SMB at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139, for all boundary devices.”

As for how to disable SMB1, turn to a useful Microsoft article, “How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server.” Note that Microsoft recommends keeping SMB2 and SMB3 active, and only deactivating them for temporary troubleshooting.

An even better source for killing SMB1 is the TechNet article “Disable SMB v1 in Managed Environments with Group Policy.” It is the most up-to-date article available and more comprehensive than others.
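The disable-and-block steps above, as an added PowerShell example; this is not code from the Computerworld article or from the Microsoft and US-CERT documents it cites. It assumes Windows 8.1 / Server 2012 R2 or later for the `Smb*` and `NetFirewall*` cmdlets (with a registry fallback for Windows 7 / Server 2008 R2 that matches Microsoft's documented `SMB1` value under `LanmanServer\Parameters`), and that the optional feature is named `SMB1Protocol` as on Windows 10 client; on Windows Server the corresponding role feature is `FS-SMB1`. The `-IsFileServer` switch is a hypothetical parameter added here so that machines which legitimately serve files are not firewalled off from SMB2/3 clients, which still need TCP 445.

```powershell
# Added example, not code from the article: audit SMB1 on a Windows host,
# disable it, and block the SMB/NetBIOS ports US-CERT names at the host
# firewall. Run in an elevated PowerShell; pass -WhatIf to preview changes.
# Assumes Windows 8.1 / Server 2012 R2 or later for the Smb* cmdlets; the
# registry fallback covers Windows 7 / Server 2008 R2.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Hypothetical switch: set it on machines that legitimately serve files so
    # the inbound firewall rules are skipped (SMB2/3 still need TCP 445).
    [switch]$IsFileServer
)

$lanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# --- 1. Audit -----------------------------------------------------------
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $cfg = Get-SmbServerConfiguration
    $smb1On = [bool]$cfg.EnableSMB1Protocol
    Write-Host "SMB1 server protocol enabled : $smb1On"
    Write-Host "SMB2/3 server protocol enabled: $($cfg.EnableSMB2Protocol)"   # leave this on
} else {
    # Older OS: SMB1 is on unless the SMB1 registry value is explicitly 0.
    $val = (Get-ItemProperty -Path $lanmanKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $smb1On = ($null -eq $val) -or ($val -ne 0)
    Write-Host "SMB1 server protocol enabled : $smb1On (registry)"
}

$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature) { Write-Host "SMB1Protocol optional feature : $($feature.State)" }

# --- 2. Disable SMB1 only; SMB2/SMB3 stay enabled -----------------------
if ($smb1On -and $PSCmdlet.ShouldProcess('LanmanServer', 'Disable SMB1 server protocol')) {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $lanmanKey -Name SMB1 -Type DWord -Value 0 -Force
    }
}
if ($feature -and $feature.State -eq 'Enabled' -and
    $PSCmdlet.ShouldProcess('SMB1Protocol', 'Remove optional feature (client and server)')) {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# --- 3. Host firewall: the ports from the US-CERT guidance --------------
# Boundary devices still need their own rules; this covers the endpoint.
if (-not $IsFileServer) {
    $rules = @(
        @{ Name = 'Block inbound SMB TCP 445';         Protocol = 'TCP'; Port = '445' },
        @{ Name = 'Block inbound NetBIOS TCP 139';     Protocol = 'TCP'; Port = '139' },
        @{ Name = 'Block inbound NetBIOS UDP 137-138'; Protocol = 'UDP'; Port = '137-138' }
    )
    foreach ($r in $rules) {
        if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) { continue }
        if ($PSCmdlet.ShouldProcess('Windows Firewall', "Add rule '$($r.Name)'")) {
            New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Protocol $r.Protocol `
                -LocalPort $r.Port -Action Block -Profile Any | Out-Null
        }
    }
}
```

Save it as a script and run it once with `-WhatIf` to see what it would change before running it for real; a reboot is needed after the optional feature is removed. Note that `Disable-WindowsOptionalFeature` removes the SMB1 client as well as the server, so a workstation that still has to reach an SMB1-only NAS or printer will lose that access, which is exactly the dependency inventory the Group Policy article above tells you to do first.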

Turning off SMB1 will do more than protect your enterprise against the next global malware infection. It will also help keep your company safer against hackers who specifically target it rather than the entire world.


This article was reposted from www.computerworld.com

Ransomware Attack Goldeneye


In the wake of another ransomware attack, this one labeled Goldeneye, we’re reaching out to assure our partners that we’re focused on security first. According to Forbes, there are similarities with WannaCryptor, but experts are labeling this a variant of Petya aimed at the file system—specifically targeting the master boot record—instead of encrypting individual files. It utilizes the same attack vector that WannaCry used last month: an SMBv1 exploit known as EternalBlue, which Microsoft patched in March under MS17-010.

The attack has affected systems beginning in Ukraine, and has been confirmed as spreading through a trojanized version of M.E.Doc accounting software. The massive ransomware campaign was launched in the early hours of June 27, and the outbreak is spreading globally. The National Bank of Ukraine has shared a warning on its website to help protect other banks, and the financial sector is taking steps to “strengthen security measures and counter hacker attacks.” The Independent is reporting affected systems in Spain and India, along with issues arising for Danish and British companies.

Reports are now coming in that Goldeneye has reached the US, with systems affected in major companies like Merck. Advanced security systems can block the currently known samples of new ransomware variants like Goldeneye, keeping most users safe from system infiltration.

Just like the WannaCry cyberattacks in May, this attack is highlighting the importance of maintaining up-to-date patching to keep your systems safe from these exploitative malware programs. Keeping your systems fully patched and using a vetted security solution with network segmentation can help prevent large-scale issues.

Patching, in conjunction with third-party products like anti-virus, anti-malware and backup, is critical to providing the best IT services, and an integrated ecosystem of solutions allows you to:

  1. Close Windows vulnerabilities by keeping Windows up to date with the latest patches from Microsoft
  2. Detect new threats as the IT landscape continues to shift, with anti-virus and anti-malware protection
  3. Prevent an all-out disaster by maintaining continuous backups of data

See how our partners and other AV solution providers are addressing the latest attack:

Bitdefender
ESET
Webroot
Malwarebytes
VIPRE
Acronis
StorageCraft


This article was provided by our service partner ConnectWise

Web Security: Is Your Chat Client Leaving You Exposed?

Popular third-party chat platforms like Slack, Discord, and Telegram are just a few of the many new productivity applications that are being hijacked by cyber criminals to create command-and-control (C&C) communications infrastructures for their malware campaigns. As corporate web security teams become more aware of traditional malware threats and deploy new security solutions to defend against them, cyber criminals continue to innovate. Now they’ve turned to well-known chat and social media applications as platforms to communicate with their deployed malware.

Hiding in Plain Sight

The appeal of these chat programs for cyber criminals comes from the fact that many of them are free, easy to use, and incorporate application programming interface (API) components that simplify connections between the programs and custom-built applications. It’s this use of APIs that allows hackers to operate undetected on corporate networks: the malware’s traffic goes to the same popular, trusted services that employees use all day, so it blends into normal data flows and lets the attackers entrench their access. Plus, because this malware leverages software platforms and services that are readily available (and free), all hackers need to do in order to stay connected to their growing malware bot farm is set up an account on their chat platform of choice.

Granted, not all software using APIs is susceptible to this type of attack. However, these attacks are a clear demonstration that tools used by project management and software development teams can be compromised in ways that expose their organizations to significant risk. I predict that similar vulnerabilities in productivity services and applications used by corporate technology teams will continue to be exploited—at an even greater rate. In many ways, these attacks mirror what we’ve seen recently targeting core protocols that operate on the Internet.

Know Your Enemy

Luckily, knowing the enemy is half the battle. With this in mind, we can manage these types of threats, and some of the steps I recommend come down to basic cyber hygiene. I highly recommend security professionals deploy an antivirus solution that incorporates anti-malware and firewall services to all endpoints. A solid threat-intelligence service is also vital to educate security staff and business stakeholders on the current threats and threat actors targeting their business.

One final point: it’s a good idea to screen all outbound network traffic in order to verify that it’s going to legitimate destinations. Hopefully, you’ve already deployed these recommended security controls. If you are missing one or more of these elements, it’s time to shore up your web security efforts to protect yourself and your organization.
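The outbound-traffic screening recommended above, applied to the chat-API abuse described under “Hiding in Plain Sight”, as an added PowerShell example; this is not code from the Webroot article. It assumes a proxy log with the fields time, client IP, quoted user agent, method, host, path and bytes (adjust `$logRegex` to your proxy’s real format), and the log lines are constructed for the example. The hostnames and API path prefixes for Slack, Telegram and Discord are the public API endpoints of those services as of the article’s date; the “expected” user agents are an allowlist you would build from the clients your organization actually sanctions.

```powershell
# Added example, not code from the article: screen proxy logs for traffic to
# chat-platform API endpoints and flag clients that are not the interactive
# chat application. The log lines are constructed, and the field layout
# (time, client IP, quoted user agent, method, host, path, bytes) is an
# assumption about your proxy's format; adjust $logRegex to match yours.

$logLines = @'
2017-06-28T10:00:01 10.1.4.22 "Mozilla/5.0 (Windows NT 10.0) Slack/2.6.2" GET slack.com /api/rtm.start 1823
2017-06-28T10:00:03 10.1.4.57 "python-requests/2.18.1" GET api.telegram.org /bot[token]/getUpdates 412
2017-06-28T10:00:05 10.1.4.57 "python-requests/2.18.1" POST api.telegram.org /bot[token]/sendMessage 96
2017-06-28T10:00:06 10.1.4.90 "Discord/0.0.300" GET discordapp.com /api/v6/gateway 331
2017-06-28T10:00:09 10.1.4.57 "python-requests/2.18.1" GET api.telegram.org /bot[token]/getUpdates 412
2017-06-28T10:00:11 10.1.4.22 "Mozilla/5.0 (Windows NT 10.0) Chrome/59.0" GET www.example.com / 5120
'@

$logRegex = '^(?<time>\S+) (?<client>\S+) "(?<ua>[^"]*)" (?<method>\S+) (?<hostname>\S+) (?<path>\S+) (?<bytes>\d+)$'

# Hosts whose API paths are of interest, with the path prefix that marks an
# API request (as opposed to someone using the web UI).
$chatApiHosts = @{
    'slack.com'        = '^/api/'
    'api.telegram.org' = '^/bot'
    'discordapp.com'   = '^/api/'
}

# User agents that the sanctioned desktop clients or browsers present.
# Anything else talking to a chat API deserves a look.
$expectedAgents = '^(Mozilla/|Slack/|Discord/)'

# Parse every line and keep only requests to a chat API endpoint.
$apiRequests = foreach ($line in ($logLines -split "`r?`n")) {
    if ($line -match $logRegex) {
        $h = $Matches['hostname']
        if ($chatApiHosts.ContainsKey($h) -and $Matches['path'] -match $chatApiHosts[$h]) {
            [pscustomobject]@{
                Time   = [datetime]$Matches['time']
                Client = $Matches['client']
                Host   = $h
                UA     = $Matches['ua']
            }
        }
    }
}

# One row per (client, API host): who is talking, with what, how often.
$report = $apiRequests | Group-Object Client, Host | ForEach-Object {
    $first = $_.Group[0]
    $times = @($_.Group.Time | Sort-Object)
    # Average gap between requests: tight, regular polling from a script is
    # a classic beacon shape and worth surfacing next to the user agent.
    $avgGap = if ($times.Count -gt 1) {
        [math]::Round(($times[-1] - $times[0]).TotalSeconds / ($times.Count - 1), 1)
    } else { $null }
    [pscustomobject]@{
        Client    = $first.Client
        ApiHost   = $first.Host
        UserAgent = $first.UA
        Requests  = $_.Count
        AvgGapSec = $avgGap
        Verdict   = if ($first.UA -notmatch $expectedAgents) { 'REVIEW: non-client user agent' }
                    else { 'expected client' }
    }
}

$report | Sort-Object Verdict -Descending | Format-Table -AutoSize
```

On the constructed input, 10.1.4.22 (Slack desktop client) and 10.1.4.90 (Discord client) come out as expected clients, while 10.1.4.57 is flagged: a scripting library user agent polling the Telegram bot API every few seconds from a workstation that has no business running a bot. The user-agent check alone is easy for an attacker to defeat, which is why the report also carries request count and cadence; in production you would feed the same grouping into your SIEM and baseline it against which hosts and departments are actually licensed to use each service.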


This article was provided by our service partner Webroot