Posts

Internet Security

Report Uncovers Cloud Security Concerns and Lack of Security Expertise Slows Cloud Adoption

Crowd Research Partners yesterday (28th March 2017) released the results of its 2017 Cloud Security Report revealing that security concerns, lack of qualified security staff and outdated security tools remain the top issues keeping cyber security professionals up at night, while data breaches are at an all-time high.

Based on a comprehensive online survey of over 1,900 cyber security professionals in the 350,000-member Information Security Community on LinkedIn, the report has been produced in conjunction with leading cloud security vendors AlienVault, Bitglass, CloudPassage, Cloudvisory, Dome9 Security, Eastwind Networks, Evident.io, (ISC)2, Quest, Skyhigh, and Tenable.

“While workloads continue to move rapidly into the cloud, security concerns remain very high,” said Holger Schulze, founder of the 350,000-member Information Security Community on LinkedIn. “With a third of organizations predicting cloud security budgets to increase, today’s cloud environments require more than ever security-trained, certified professionals and innovative security tools to address the concerns of unauthorized access, data and privacy loss, and compliance in the cloud.”

Key takeaways from the report include:

  • Cloud security concerns top the list of barriers to faster cloud adoption. Concerns include protection against data loss (57 percent), threats to data privacy (49 percent), and breaches of confidentiality (47 percent).
  • Lack of qualified security staff is the second biggest barrier to cloud adoption, and more than half of organizations (53 percent) are looking to train and certify their current IT staff to address the shortage, followed by partnering with a managed service provider (MSP) (30 percent), leveraging software solutions (27 percent), and hiring dedicated staff (26 percent).
  • As more workloads move to the cloud, organizations are finding that traditional security tools were not designed for the challenges cloud adoption presents (78 percent of respondents). Instead, security management and control solutions designed specifically for the cloud are needed to protect this more agile model.
  • Visibility into cloud infrastructure is the single biggest security management headache for 37 percent of respondents, moving up to the top spot from being the second ranking operational concern in the previous year.

Download the complete 2017 Cloud Security Report here.

Linux Patch Management

The Importance of Linux Patch Management

In recent news there have been a number of serious vulnerabilities found in various Linux systems. Whilst OS vulnerabilities are a common occurrence, it is the nature of these particular bugs that has garnered so much interest. Linux patch management should be treated as a priority in ensuring the security of your systems.

The open-source Linux operating system is used by most of the servers on the internet as well as in smartphones, with an ever-growing desktop user base as well.

Open-source software is generally considered to improve the security of an operating system, since anyone can read, re-use and propose changes to the source code; part of the idea is that with many people looking, bugs are more likely to be found and, hopefully, fixed. As the two bugs below show, that only helps once someone actually looks, and it only protects systems that actually receive the fix.

With that in mind, let's turn to the bug known as Dirty COW (CVE-2016-5195), disclosed in October 2016. It is named after the kernel's copy-on-write (COW) mechanism: a race condition in how the kernel handles copy-on-write for private memory mappings lets a local, unprivileged user write to files that should be read-only for them. That is a privilege escalation, and it effectively lets an attacker take control of the system.

What makes this particular vulnerability so concerning is not that it is a privilege escalation bug, but that it was introduced into the kernel in 2007, around nine years before it was found. It was discovered by Phil Oester after he captured an exploit already being used against one of his servers, so a reliable exploit was in circulation at the time of disclosure, and because of the bug's age it applies to millions of systems running kernels from that whole period.

Whilst Red Hat, Debian and Ubuntu released patched kernels quickly, millions of other devices remain vulnerable. Worse still, embedded builds of the operating system and older Android devices are often difficult to update, or may never receive an update at all, leaving them exposed.

Next, let's look at a more recent vulnerability, CVE-2016-4484, in the initramfs boot scripts shipped with Cryptsetup, the tool used to set up encrypted partitions on Linux with LUKS (Linux Unified Key Setup). The LUKS encryption itself is not broken; the flaw is in the boot-time unlock script, and it allows an attacker with access to the console to obtain a root shell inside the initramfs. From there, depending on the system in question, the researchers who discovered the bug describe several exploitation strategies:

  • Privilege escalation, if the boot partition is not encrypted:
    — The attacker can store an executable with the SetUID bit set on it, which a local user can later run to escalate privileges.
    — If the boot process is not otherwise secured (for example, by Secure Boot), the kernel and the initrd image can be replaced.
  • Information disclosure: all of the disks are accessible. Although the system partition is encrypted, it can be copied to an external device and the passphrase attacked offline later; any unencrypted information on other devices is, of course, directly readable.
  • Denial of service: the attacker can delete the information on all of the disks, taking the system down.

Many consider the severity and likely impact of this vulnerability exaggerated, since you need physical access or access to a console (something many cloud platforms provide remotely these days). What makes it so interesting is how it is triggered.

All you need to do is keep pressing the Enter key at the LUKS password prompt, submitting empty passphrases, until a shell appears roughly 70 seconds later. The root cause is incorrect handling of the failure path once the maximum number of password retries (3 by default) is exceeded: instead of stopping the boot, the script falls through to a rescue shell running as root.
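The failure-path handling described above, as an added shell illustration written for this page (it is not the cryptsetup package's own initramfs script): a fail-open retry loop of the shape that produced the shell, next to a fail-closed one. The `try_unlock` function stands in for `cryptsetup luksOpen`, the accepted passphrase is a constructed value, and the reboot is stubbed as a printed word so the script runs outside an initramfs.

```shell
#!/bin/sh
# Added illustration, not the cryptsetup initramfs script: a boot-time
# unlock retry loop in two shapes. MAX_TRIES=3 matches the default in the
# text. try_unlock stands in for `cryptsetup luksOpen`; its accepted
# passphrase is a constructed value.
MAX_TRIES=3

try_unlock() {
    # $1 is the passphrase offered on this attempt; it is empty when the
    # user just presses Enter at the prompt.
    [ "$1" = "constructed-correct-passphrase" ]
}

# Fail-open shape: once the retries are used up, control falls through to
# the caller's generic error handling. In the vulnerable initramfs that
# error handling dropped the (unauthenticated) user into a root shell.
unlock_fail_open() {
    # $1: passphrase the user types on every attempt (empty = just Enter)
    tries=0
    while [ "$tries" -lt "$MAX_TRIES" ]; do
        tries=$((tries + 1))
        if try_unlock "$1"; then
            echo unlocked
            return 0
        fi
    done
    echo "cryptsetup: maximum number of tries exceeded" >&2
    echo rescue-shell   # stands in for the root shell the caller opened
    return 0
}

# Fail-closed shape: exhausting the retries is terminal. The machine is
# rebooted (stubbed here) and no code path leads to an interactive shell
# before the volume is unlocked.
unlock_fail_closed() {
    # $1: passphrase the user types on every attempt (empty = just Enter)
    tries=0
    while [ "$tries" -lt "$MAX_TRIES" ]; do
        tries=$((tries + 1))
        if try_unlock "$1"; then
            echo unlocked
            return 0
        fi
    done
    echo "cryptsetup: maximum number of tries exceeded, rebooting" >&2
    echo reboot         # real script: `reboot -f` (or halt), never a shell
    return 1
}

# Stand-alone demonstration: an attacker who only presses Enter three times.
printf 'fail-open  : %s\n' "$(unlock_fail_open '')"
printf 'fail-closed: %s\n' "$(unlock_fail_closed '')"
```

The point of the contrast is that the retry counter was never the problem; what matters is what the script does after the counter runs out. A pre-boot prompt should treat "too many failures" as a reason to stop, not as an error to recover from interactively.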

The researchers also made several points about physical access and why this and similar vulnerabilities remain a concern. It is generally accepted that once an attacker has physical access to a computer, it is game over. However, with the technology in use today there are many levels of what can be called physical access, namely:

  • Access to components within the computer, where an attacker can remove, replace or insert anything, including disks and RAM, as with your own computer.
  • Access to all interfaces, where an attacker can plug in any device (USB, Ethernet, FireWire and so on), as with computers in public facilities such as libraries and internet cafes.
  • Access to front interfaces only, usually USB and the keyboard, such as systems used to print photos.
  • Access to a limited keyboard or other interface, such as a smart doorbell, alarm, fridge or ATM.

Their point is that the risks are not limited to traditional computer systems, and that the growing trends around IoT devices will increase the potential reach of similar attacks – look no further than our last article on DDoS attacks since IoT devices like printers, IP cameras and routers have been used for some of the largest DDoS attacks ever recorded.

This brings us back around to the fact that now, more than ever, it’s of critical importance that you keep an eye on your systems and ensure any vulnerabilities are patched accordingly, and more importantly – in a timely manner. Linux patch management should be a core consideration for all IT systems, whether they are servers or workstations, and of course regardless of the operating systems used.

This article was provided by our service partner ESET

Network Security: OpenDNS

Why Firewalls and Antivirus Are Not Enough in the Fight for Better Network Security

Understanding Malicious Attacks to Stay One Step Ahead

Network (firewall) and endpoint (antivirus) defenses react to malicious communications and code after attacks have been launched. OpenDNS observes Internet infrastructure before attacks are launched and prevents the malicious connections from happening in the first place. Understanding the steps of an attack is key to seeing how OpenDNS can bolster your existing defenses.

Each step of the attacker's operation gives a network security provider an opportunity to spot the attack and block the intrusion.

Network security - Example malware attacks

High level summary of how attacks are laid out. 

—> RECON: Various reconnaissance activities are used to learn about the target
—> STAGE: Multiple kits or custom code are used to build payloads, and multiple networks and systems are staged to host initial payloads, malware drop hosts and botnet controllers
—> LAUNCH: Various web and email techniques are used to launch the attack
—> EXPLOIT: Zero-day or known vulnerabilities are exploited, or users are tricked into running the payload
—> INSTALL: The initial payload usually connects to another host to fetch and install the specific malware
—> CALLBACK: Nearly every time, the compromised system calls back to a botnet controller
—> PERSIST: Finally, a variety of techniques are used to stay on the system and repeat steps 4 to 7

We do not have to understand every tool and technique attackers develop. The takeaway is simply that attackers need multiple, often repeated, steps to achieve their objectives and to get past your existing network security tools, and each of those steps is a chance to stop them.

Compromises happen in seconds. Breaches start minutes later and can continue undetected for months. Operating in a state of continuous compromise may be normal for many, but no one should accept a state of persistent breach.

Existing defenses cannot block all attacks. 

Firewalls and AntiVirus stop many attacks during several steps of the ‘kill chain’, but the volume and velocity of new attack tools and techniques enable some to go undetected for minutes or even months.

Network security - Firewall AntiVirus view of malware attacks

Firewalls know whether the IP address of a connection matches a blacklist or reputation feed. Yet the feed provider must wait until an attack is launched before it can collect and analyze a copy of the traffic, and only then does it learn about the infrastructure used.

Antivirus solutions know whether the hash of a payload matches a signature database or a heuristic. Yet the vendor must wait until a system is exploited before it can collect and analyze a sample of the code, and only then does it learn about the payload used.

The OpenDNS Solution

Stop 50 to 98 percent more attacks than firewalls and antivirus alone (OpenDNS's own figure) by pointing your DNS traffic to OpenDNS.
OpenDNS does not wait until after attacks launch, malware installs or infected systems call back to learn how to defend against an attack. By analyzing a cross-section of the world's Internet activity, OpenDNS continuously observes new relationships forming between domain names, IP addresses and autonomous system numbers (ASNs). This visibility lets it discover, and often predict, where attacks are being staged and will emerge before they launch.

Network security - OpenDNS view of malware attacks
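To make the DNS-layer view concrete, here is an added shell example, written for this page rather than taken from OpenDNS, that runs two checks over a handful of constructed resolver log lines: a blocklist match of the kind a DNS-layer block applies (suffix-aware, so subdomains of a listed domain match but look-alike names do not), and a simple callback heuristic that flags one client resolving one domain repeatedly. The log format, the client addresses, the domain names and the blocklist are all made up for the example.

```shell
#!/bin/sh
# Added example, not OpenDNS code. Input is constructed resolver log lines
# in the form "<epoch> <client-ip> <queried-name>".
LOG_LINES='1478592000 10.0.0.5 www.example.org
1478592001 10.0.0.5 cdn.evil.example
1478592005 10.0.0.7 mail.example.org
1478592010 10.0.0.5 beacon.example.net
1478592070 10.0.0.5 beacon.example.net
1478592130 10.0.0.5 beacon.example.net
1478592190 10.0.0.5 beacon.example.net
1478592200 10.0.0.9 evil.example
1478592205 10.0.0.7 notevil.example'

# Constructed blocklist, one domain per line. A listed domain also covers
# its subdomains (cdn.evil.example), but not look-alikes (notevil.example).
BLOCKLIST='evil.example
bad.example'

# Print "<client> <name>" for every query whose name is on the blocklist or
# is a subdomain of a listed name. This is the check a DNS-layer resolver
# applies at lookup time, before any TCP/TLS connection to the host exists.
flag_blocklisted() {
    printf '%s\n' "$LOG_LINES" | awk -v bl="$BLOCKLIST" '
    BEGIN { n = split(bl, listed, "\n") }
    {
        q = tolower($3)
        for (i = 1; i <= n; i++) {
            d = tolower(listed[i])
            if (d == "") continue
            # exact match, or q ends in "." followed by the listed domain
            if (q == d || (length(q) > length(d) &&
                           substr(q, length(q) - length(d)) == "." d)) {
                print $2, q
                break
            }
        }
    }'
}

# Callback heuristic: print "<client> <name> <count>" for every
# (client, name) pair queried at least $1 times (default 4). Beaconing
# malware resolves its controller over and over; normal browsing rarely
# re-resolves the same name this often within a short log window.
flag_beacons() {
    min="${1:-4}"
    printf '%s\n' "$LOG_LINES" | awk -v min="$min" '
    { seen[$2 " " $3]++ }
    END { for (k in seen) if (seen[k] >= min) print k, seen[k] }'
}

echo "blocklisted queries:"; flag_blocklisted
echo "possible beacons:";    flag_beacons
```

The two checks fail in different ways: the blocklist is only as current as the feed behind it (which is the lag the page describes for firewall and antivirus feeds as well), while the repetition heuristic needs no prior knowledge of the domain but will also fire on chatty legitimate software unless the threshold and window are tuned for the environment.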

Why keep firewalls and antivirus at all?

Once we prove our effectiveness, we are often asked: "can we get rid of our firewall or antivirus solutions?" While these existing defenses cannot stop every attack, they are still useful, if not critical, in defending against multi-step attacks. A big reason is that threats never expire: every piece of malware ever created is still circulating online or offline. Signature-based solutions are still effective at preventing most known threats from infecting your systems, whichever vector they arrive by: email, website or thumb drive. And firewalls are effective both within and at the perimeter of your network: they can detect recon activity such as IP or port scans, deny lateral movement by segmenting the network, and enforce access control lists.

“One of AV’s biggest downfalls is the fact that it is reactive in nature; accuracy is heavily dependent on whether the vendor has already seen the threat in the past. Heuristics or behavioral analysis can sometimes identify new malware, but this is still not adequate because even the very best engines are still not able to catch all zero-day malware.”

Your Solution:
Re-balance investment of existing versus new defenses:
Here are a couple examples of how many customers free up budget for new defenses.

• Site-based Microsoft licenses entitle customers to signature-based protection at no extra cost. Microsoft may not be the #1 ranked product, but it offers good protection against known threats. OpenDNS defends against both known and emergent threats.

• NSS Labs reports that SSL decryption degrades network performance by 80%, on average. OpenDNS blocks malicious HTTPS connections at the DNS lookup, before the TLS session is ever established, so it defends against attacks over any port or protocol without inspecting the encrypted traffic. By avoiding decryption, appliance lifespans can be greatly extended.

“OpenDNS provides a cloud-delivered network security service that blocks advanced attacks, as well as malware, botnets and phishing threats regardless of port, protocol or application. Their predictive intelligence uses machine learning to automate protection against emergent threats before your organization is attacked. OpenDNS protects all your devices globally without hardware to install or software to maintain.”

Managed Security Services

Managed Security Services

“The Internet of Things is the biggest game changer for the future of security,” emphasizes David Bennett, vice president of Worldwide Consumer and SMB Sales at Webroot. “We have to figure out how to deal with smart TVs, printers, thermostats and household appliances, all with Internet connectivity, which all represent potential security exposures.”

Simply put, the days of waiting for an attack to happen, mitigating its impact and then cleaning up the mess afterward are gone. Nor is it practical to just lock the virtual door with a firewall and hope nothing gets in–the stakes are too high. The goal instead must be to predict potential exposure, and that requires comprehensive efforts to gather threat intelligence. According to Bennett, such efforts should be:

  • Real time: Because the velocity and volume of threats increases on a daily basis, the technologies used to protect systems must be updated by the minute. The ability to adjust to the nature and type of new threats as they appear is key. Data should be aggregated from sources globally and delivered as actionable information to the security professional.
  • Contextual: Data must be parsed through sophisticated computer analytics to ensure humans can make decisions based on actionable intelligence. An analyst has to be given data with pre-connected dots in order to act quickly. There’s little time for onsite security professionals to analyze reams of data when they suspect an attack is underway. By the time they figure out what’s going on, the damage is done.
  • Big data-driven: It’s not enough for a company to understand only what’s happening in its own environment; an attack on one of its competitors or peers could mean it’s next. To analyze complex threat patterns, threat intelligence technology must be cloud-based and should aggregate activities from across companies and across geographies.
    “Security professionals of the future must act like intelligence officers or analysts,” Bennett notes. “They have to consume information that’s already been parsed for them, and make decisions based on that intelligence. Success will depend on how they are fed the data. How is it presented? Is it relevant? Have the irrelevant data points already been removed? Only then will they be able to make decisions in time to prevent breaches.”

What This Means for MSPs

MSP services are particularly valuable to SMBs that lack the internal resources needed to effectively manage complex systems, or for any customers seeking to defer capital expenses in favor of leveraging their operational budgets. As such, cybersecurity is a perfect discipline to utilize the managed services model. “The biggest untapped opportunity for our partners today is providing security as a managed service,” observes Bennett. “Users are overwhelmed and just not capable of keeping on top of the rapid changes in the nature of threats.”

MSPs that offer managed security services address one of the major problems users face today: the lack of access to talented security professionals. Especially for SMB customers, finding and competing for talent with larger firms can be daunting. “Hiring and retaining the right personnel should not be a vulnerability in and of itself,” says Bennett. “Users who leverage managed security services remain protected through transitions in their IT staff and lower the risk of losing institutional knowledge critical to their security procedures. In addition, managed security services represent one of the largest and most profitable growth opportunities today for solution providers.”

MSPs that include Webroot SecureAnywhere Business Endpoint Protection solutions as part of their service offerings to clients are ideally positioned to take full advantage of these growth opportunities. In effect, Webroot technology gives MSPs their own dedicated security firm to monitor their customers’ environments. As Bennett explains, “We don’t just collect data—we scrub it, make correlations globally, and pass on exactly what our customers need to reduce exposures. It’s a big data approach to security, and it’s the only effective means to combat the ever-changing threats companies face.”

Microsoft to revamp its documentation for security patches

Microsoft has eliminated individual patches from every Windows version, and Security Bulletins will go away soon, replaced by a spreadsheet with tools

With the old method of patching now completely gone—October’s releases eliminated individual patches from every Windows version—Microsoft has announced that the documentation to accompany those patches is in for a significant change. Most notable, Security Bulletins will disappear, replaced by a lengthy list of patches and tools for slicing and dicing those lists.

Security Bulletins go back to June 1998, when Microsoft first released MS98-001. That and all subsequent bulletins referred to specific patches described in Knowledge Base articles. The KB articles, in turn, have detailed descriptions of the patches and lists of files changed by each patch. The Security Bulletins serve as an overview of all the KB patches associated with a specific security problem. Some Security Bulletins list dozens of KB patches, each for a specific version of Windows.

Starting in January, we’ll have two lists—or, more accurately, two ways of viewing a master table.

Keep in mind that we’re only talking about security patches and the security part of the Windows 10 cumulative updates. Nonsecurity patches and Win7/8.1 monthly rollups are outside of this discussion.

To see where this is going and to understand why it’s vastly superior to the Security Bulletin approach, look at the lists for November 8, this month’s Patch Tuesday. The main Windows Update list shows page after page of security bulletins, identified by MS16-xxx numbers, and those numbers have become ambiguous. See, for example, MS16-142 on that list, which covers both the Security-only update for Win7, KB 3197867, and the Monthly rollup for Win7, KB 3197868. The MS16-142 Security Bulletin itself runs on for many pages.

Now flip over to the Security Updates Guide. In the filter box type windows 7 and press Enter. You see four security patches: IE11 and Windows, both 32- and 64-bit. They’re all associated with KB 3197867.

In the Software Update Summary, searching for “windows 7” yields only one entry, for the applicable KB number.


Here’s why the tools are important. On this month’s Patch Tuesday, we received 14 Security Bulletins. Those Security Bulletins actually contain 55 different patches for different KB numbers; the Security Bulletin artifice groups those patches together in various ways. The 55 different security patches actually contain 175 separate fixes, when you break them out by the intended platform.

There’s a whole lotta patchin’ goin’ on.

Starting this month, you can look at the patches either individually (in the Security Updates Guide) or by platform (in the Software Update Summary), or you can plow through those Security Bulletins and try to find the patches that concern you. Starting in January, per the Microsoft Security Response Center, the Security Bulletins are going away.

Of course, the devil’s in the implementation details, but all in all this seems to me like a reasonable response to what has become an untenable situation.


This is a repost from http://www.infoworld.com/

Veeam

Cloud backup security concerns

Many CIOs are now adopting a cloud-first strategy, and backing up and recovering critical data in the cloud is on the rise. As more and more companies explore migrating applications and data to the cloud, questions like “How secure are cloud services?” arise. While there is no standout number one concern when it comes to cloud computing, one thing we can be sure of is that security is front and center in CIOs’ minds. Veeam’s 2016 customer survey identified the top two concerns as security and price. See the graph of responses below:


Inevitably, the cloud has brought new challenges, and we’ll be exploring them in this cloud challenges blog series. It has also brought some genuine security risks, but as we will see, cloud backup security depends mostly on how you implement it. With cloud, security has to be the top priority; the flexibility and scalability you gain should not cost you any security at all.

What are the most important cloud backup security risks?

Stolen authentication/credentials

Attacks on data happen more often than not because of weak passwords or poor key and certificate management. Problems tend to appear as accounts, keys and permission levels multiply, and this is where good credential management systems and practices really help.

One-time generated passwords, phone-based authentication and other multifactor authentication systems make it difficult for attackers wanting to gain access to protected data because they need more than just one credential in order to log in.

Data breaches

Data breaches can be disastrous for organizations. Not only have they violated the trust of their customers by allowing data to be leaked, but it also opens them up to facing fines, lawsuits and even criminal indictments. The brand tarnishing and loss of business from such an event can leave a business with a long road to recovery at best.

Despite the fact that cloud service providers typically do offer security controls to protect tenants’ environments, ultimately you, the IT professional, are responsible for protecting your organization’s data. To limit the damage a breach can do, you need to become a fan of encryption. If you use the cloud for storage, experts agree the data should be encrypted with AES using a 256-bit key before it leaves your network. That client-side encryption is then backed by two further, independent layers: transport encryption (TLS) while the data is in transit to the cloud, and the provider’s encryption at rest once it is stored. Note that these are separate layers, not the same data encrypted three times over, and that only the first layer protects you if the provider’s keys or storage are compromised, because for the other two the provider holds the keys. It is therefore important to do your research and ask what encryption the application uses and what the service provider uses at rest, to ensure safe and secure cloud backups.
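Client-side encryption before upload, as an added shell example written for this page (it is not Veeam’s code and does not show how Veeam implements encryption): the archive is encrypted with AES-256 using a key derived from a passphrase with PBKDF2, and an HMAC-SHA256 over the ciphertext is stored beside it so that a tampered or truncated object is rejected before decryption is attempted. It assumes `openssl(1)` is on the PATH; the passphrase, the sample archive and the file names are constructed for the example, and in real use the passphrase would come from a secret store rather than a default in the script.

```shell
#!/bin/sh
# Added example, not Veeam's code: encrypt a backup archive locally, before
# it leaves the network, and bind an integrity tag to the ciphertext.
# Assumes openssl(1) is installed. BACKUP_PASSPHRASE would come from a
# secret store in real use; the fallback below is a constructed demo value.
PASS="${BACKUP_PASSPHRASE:-constructed-demo-passphrase-change-me}"
PBKDF2_ITER=200000
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Derive a separate MAC key from the passphrase so the HMAC never reuses the
# encryption key (hex digest of a labelled input; a fixed-length secret).
mac_key() {
    printf 'mac:%s' "$PASS" | openssl dgst -sha256 | awk '{print $NF}'
}

# HMAC-SHA256 of a file, hex encoded.
mac_of() {
    openssl dgst -sha256 -hmac "$(mac_key)" "$1" | awk '{print $NF}'
}

# Encrypt $1 to $1.enc (AES-256-CBC, random salt, PBKDF2-derived key) and
# write the MAC of the ciphertext to $1.enc.mac. Encrypt-then-MAC: the tag
# is over what is stored, so the check needs no decryption.
encrypt_backup() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter "$PBKDF2_ITER" \
        -pass "pass:$PASS" -in "$1" -out "$1.enc" || return 1
    mac_of "$1.enc" > "$1.enc.mac"
}

# Succeeds only if the stored tag matches a freshly computed one.
verify_mac() {
    expected="$(cat "$1.mac" 2>/dev/null || true)"
    [ -n "$expected" ] && [ "$expected" = "$(mac_of "$1")" ]
}

# Verify, then decrypt $1 to $2. Refuses to touch the ciphertext if the
# tag does not match: a truncated or altered object never reaches the
# decryption step, where CBC padding errors would otherwise leak the fact.
decrypt_backup() {
    verify_mac "$1" || { echo "integrity check failed for $1" >&2; return 1; }
    openssl enc -d -aes-256-cbc -pbkdf2 -iter "$PBKDF2_ITER" \
        -pass "pass:$PASS" -in "$1" -out "$2"
}

# Round trip on a constructed "archive": encrypt, verify, decrypt, compare.
roundtrip_ok() {
    f="$WORK/backup.tar"
    printf 'constructed backup payload\n' > "$f"
    encrypt_backup "$f" || return 1
    decrypt_backup "$f.enc" "$WORK/restored.tar" || return 1
    cmp -s "$f" "$WORK/restored.tar"
}

# Tamper with the stored ciphertext (append a byte) and confirm the restore
# is refused rather than producing garbage.
tamper_detected() {
    f="$WORK/backup2.tar"
    printf 'constructed backup payload\n' > "$f"
    encrypt_backup "$f" || return 1
    printf 'X' >> "$f.enc"
    ! decrypt_backup "$f.enc" "$WORK/restored2.tar" 2>/dev/null
}

if roundtrip_ok && tamper_detected; then
    echo "round trip OK; tampered ciphertext rejected"
else
    echo "example failed" >&2
fi
```

Two points worth noticing: the random salt means the same archive encrypted twice produces different ciphertext, so an observer of the storage cannot tell whether a backup changed; and the MAC is what makes the encryption useful for backups at all, since AES-CBC on its own will happily decrypt a corrupted or maliciously altered object into garbage without complaint.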

Lack of due diligence

A key reason moving data to the cloud fails, becomes vulnerable or, worse, suffers an attack or loss is poor planning and implementation. Successfully implementing a cloud backup or disaster recovery strategy takes careful, deliberate planning. First, consider and understand all of the risks, vulnerabilities and potential threats that exist. Second, understand which countermeasures are needed to ensure backups and replicas can be restored securely, such as securing your network and restricting access to key infrastructure. Due diligence should also align your IT staff, the service provider, and the technologies and environment being used; the service provider must integrate cleanly with the cloud backup and recovery software you plan to use for optimal security and performance of your virtualized environment.

Multi-tenant environment

Service providers offer cost-effectiveness and operational efficiency by giving their customers the option of shared resources. In choosing a shared service, it is essential to understand the risks. Complete isolation of each tenant from every other tenant’s environment is the key property of a multi-tenant platform: such platforms should segregate tenant networks, restrict privileged access, and have multiple layers of security in the compute and networking stacks.

Service provider trust and reliability

The idea of moving data offsite into a multi-tenant environment where a third party manages the infrastructure can give even the boldest IT professional some anxiety, driven by the perceived loss of control over cloud backup security. To counter this, choose a service provider you trust who can put those doubts to rest. A provider can hold a variety of certifications and attestations, such as ISO 9001 or a SOC 2 report under SSAE 16; take note of these as you search, but check what they actually cover (ISO 9001 is a quality-management standard and says nothing about security controls, whereas a SOC 2 report describes the security controls audited and their scope). In addition to standards, look for a provider with a proven track record of reliability; there are plenty of online tools that report on provider network uptime. Physical control of the virtual environment is also paramount: seek a secure data center, ideally with on-site 24/7 security and mantraps with multi-layered access authentication.

So, is the cloud secure?

Yes, the cloud is secure but only as secure as you make it. From the planning and the processes in place, to the underlying technology and capabilities of your cloud backup and recovery service.  All these elements combined can determine your success.  It is up to you to work with your choice of service provider to ensure the security of your data when moving to cloud backups or DRaaS. Another critical aspect is partnering with a data management company experienced in securely shifting and storing protected data in the cloud.

Veeam and security

We provide flexibility in how, when and where you secure your data, for maximum security matched with performance. With AES 256-bit encryption you can secure your data at every stage: during a backup, before it leaves your network perimeter; in transit between components (e.g., proxy to repository traffic), even where the data is to be stored unencrypted at the target; and while your backup data is at rest in its final destination (e.g., disk, tape or cloud). It is also ideal for sending encrypted backups off site using Backup Copy jobs with WAN Acceleration.

You have a choice over when and where you encrypt backups. For example, you can leave local Veeam backups unencrypted for faster backup and restore performance, but encrypt backups that are copied to an offsite target, tape or the cloud. You can also protect different backups with different passwords, while actual encryption keys are generated randomly within each session for added backup encryption security.

This article was provided by our service partner Veeam

Security Awareness: A Tale of Two Challenges

SANS Institute has recently released the findings of its ‘Securing The Human 2016’ security awareness survey, which uncovered two key findings: first, security awareness teams are not getting the support they need, and second, the experts in the field lack the soft skills needed to get what they know across to the rest of the organization.

This is the second annual security awareness report, and its main goal is to let security awareness officers make informed decisions about how to improve their programs and compare their organization’s program with others in their industry.

SANS Institute provides information security training all over the world. With over 25 years of experience, it is widely regarded as the most trusted and the principal source of information security training. SANS Securing The Human is the institute’s division that gives organizations a complete security awareness solution to help them manage their human cyber security risk effectively.

Report Summary

This year’s report tells a story through the data, whereas last year the data and results were presented in the order the survey was taken. The story is a tale of two challenges, which emerged as they worked through the data.

They asked security awareness officers what their biggest challenges were and received a huge response, with over 100 different topics raised. The responses were grouped into 12 categories by Ingolf Becker of University College London. The seven problem categories are: resources, adoption, support from management, end-user support, finding time to take part, content, and not enough staff awareness. The report focuses on these seven, which fall into two general groups: lacking resources, time or support, and not having an impact. Respondents are either limited in their ability to execute (46%) or fail to deliver the needed impact (47%), or both. This is the tale of two challenges, and the report is focused on understanding them and identifying possible solutions.

Categorization of Biggest Challenge Awareness Programs Face

As in last year’s report, the data showed that many awareness staff have insufficient resources, time and support to get the work done.

Resources, as defined by Ingolf, are about the shortage of money or technical resources. Budget wise more than 50% of respondents stated that they either have a budget of $5,000 or less or they are not aware if they do have a budget and only 25% reported a budget of $25,000 or more.

Estimated Budget for 2016

Fewer than 15% of respondents work full-time on awareness; while that is an improvement on last year’s 10%, it is still low. 65% say they spend 25% or less of their time on awareness.

Even where people get support for security awareness, they have few or no metrics that demonstrate the human problem or the program’s impact. Most focus on phishing, which is a common top human risk and a good place to start, but it is only one of the many human risks an organization has to deal with.

Communication was identified as the number one blocker for programs. This is most evident in larger organizations of 1,000 employees or more. Highly technical people reporting to highly technical departments name communication as their biggest blocker, even though their main job is to communicate with the organization.

Recommendations

As a recommendation, they proposed that communication, one of the most critical soft skills, needs to be addressed by training; by placing someone from the communications department in the awareness team; or by hiring someone with the required soft skills. As for engagement, people need to know why they should care about security awareness, and should be targeted at an emotional level rather than being given statistics and numbers.

How Attackers Use a Flash Exploit to Distribute Malware

Adobe Flash is multimedia software that runs on more than 1 billion systems worldwide. Its long list of security vulnerabilities and huge market presence make it a ‘target-rich environment’ for attackers to exploit. According to Recorded Future, from January 1, 2015 to September 30, 2015, Adobe Flash Player comprised eight of the top 10 vulnerabilities leveraged by exploit kits.

Here is an illustration of just how quickly bad actors can deploy an exploit:

  • May 8, 2016: FireEye discovers a new exploit targeting an unknown vulnerability in Flash and reports it to Adobe.
  • May 10, 2016: Adobe announces a new critical vulnerability (CVE-2016-4117) that affects Windows, Macintosh, Linux, and Chrome OS.
  • May 12, 2016: Adobe issues a patch for the new vulnerability (APSB16-15).
  • May 25, 2016: Malwarebytes Labs documents a ‘malvertising’ gang using this exploit to distribute malware via well-known websites while avoiding detection.

The Malwarebytes blog is a good read, as it provides several examples of how sophisticated malware distribution schemes have become. For example, it breaks down the malicious elements of a rogue advertising banner that the Flash exploit allows attackers to use to push out malware. Among other things, it runs a series of checks to see if the targeted system is running packet analyzers and security technology, to ensure that it only directs legitimate vulnerable systems to the Angler Exploit Kit.

Impact on you

With over 1 billion systems running Adobe Flash, it is likely that one or more systems under your control are vulnerable to this exploit. Fortunately, there is a fix to patch the vulnerability. Unfortunately, according to Adobe, it takes 6 weeks for more than 400 million systems to update to a new version of Flash Player. Six weeks (or however long it takes you to patch Flash) is a long time to be at risk of being compromised by ransomware via the Angler EK.

The Rise in Crypto Ransomware

In recent years, we have seen significant growth in malware. With enablers such as Bitcoin, 2048-bit RSA encryption, and the Tor network, NetCal predicts there will continue to be a significant rise in crypto ransomware. The use of these malicious applications is morphing as we speak. Originally, they were used to gain access to computers and steal data (i.e. spying/snooping). Then it was for ad clicks from popups. Now, malware has taken on the purpose of extorting money directly from the users themselves. Although this shouldn’t be a surprise to anyone, the tools mentioned above make it a lot easier to achieve success.

Most crypto ransomware uses the following tactics:

  1. Use social engineering to induce a user to run an application or script
  2. Avoid detection
    1. Encrypting/encoding its payload (e.g. Base64)
    2. Using a Domain Generation Algorithm (DGA)
    3. Using the Tor network
    4. Using Bitcoin and a money laundering network
  3. Use the Registry to reinfect after reboot
    1. 0x06 and 0x08 byte subkey (hidden from regedit)
  4. Disable System Restore or VSS-type services
  5. Encrypt all user-created files by extension, shares, or folders
  6. Use an existing or 0-day exploit/vulnerability
    1. Hijack CLSIDs
      For example, {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} causes any file in the LocalServer32 subkey to be run any time a folder is opened. By hijacking this CLSID, Poweliks is able to ensure that its registry entry will be launched any time a folder is opened or new thumbnails are created, even if the Watchdog process has been terminated.
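The DGA tactic listed above has a footprint a defender can see on the resolver: an infected host queries many random-looking domains that mostly do not exist yet. The following is an added example, not code from the original post, showing a small detection heuristic over constructed DNS query log lines (the log format, thresholds and sample domains are assumptions for the example).

```python
"""Heuristic DGA detection over constructed DNS query log lines (added example)."""
import math
from collections import defaultdict

# Constructed sample lines: "<client-ip> <queried-domain> <rcode>"
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.9 qlbnhtaxwoupmdjr.net NXDOMAIN
10.0.0.9 kvsxcmtwhreynpaz.org NXDOMAIN
10.0.0.9 pvhrkqtmnxdjgcwl.com NXDOMAIN
10.0.0.9 xtwqzmkhcjlpvbfd.info NXDOMAIN
10.0.0.7 cdn.example.net NOERROR
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def consonant_ratio(s: str) -> float:
    """Share of letters that are not vowels; pronounceable words stay low."""
    letters = [c for c in s if c.isalpha()]
    if not letters:
        return 0.0
    return sum(c not in "aeiou" for c in letters) / len(letters)

def looks_generated(domain: str) -> bool:
    """Crude DGA heuristic on the registrable label (left of the TLD)."""
    parts = domain.lower().split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    return (len(label) >= 12 and shannon_entropy(label) > 3.3
            and consonant_ratio(label) > 0.7)

def suspect_clients(log: str, min_hits: int = 3) -> dict:
    """Return {client_ip: count} for clients with at least min_hits NXDOMAIN
    answers on machine-looking domains, the footprint of a DGA beacon."""
    hits = defaultdict(int)
    for line in log.splitlines():
        client, domain, rcode = line.split()
        if rcode == "NXDOMAIN" and looks_generated(domain):
            hits[client] += 1
    return {c: n for c, n in hits.items() if n >= min_hits}
```

Real DGA families vary their character mix, so treat the thresholds as a starting point to tune against your own resolver logs rather than a fixed rule.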

10 Prevention Tips:

  1. Back-up your data
  2. Patch and keep software up to date
  3. Run a reputable AV solution (Webroot, ESET, etc.)
  4. User Training
  5. Filter executable attachments at the email gateway
  6. Disable files running from AppData/LocalAppData folders (Group Policies)
  7. Do not give users Local Admin privileges
  8. Limit end user access to mapped drives
  9. Use a popup blocker
  10. Show hidden file-extensions


You, your network and the Locky virus

Last Monday, a new, particularly clever (and nasty) piece of ransomware called Locky appeared on the internet.

The malicious file went undetected by most anti-virus software for a number of days, and even now, a couple of weeks since it appeared, antivirus products are still struggling to keep up, often taking up to 24 hours to include detection in their definition packages for each new daily iteration of the virus.

This has clearly left users and company networks exposed.

How it works:

It is initially spread through a Word document embedded in an email. Here is an example of one of those emails:

Attached to this email is a Word document containing an alleged invoice.

If Office macros are enabled on this document, it unleashes an executable called ‘ladybi.exe’.

This loads itself into memory and then deletes itself. Whilst resident in memory, it encrypts your documents as hash.locky files, changes the desktop wallpaper, creates a .bmp file and opens it, creates a .txt file and opens it, and deletes VSS snapshots. It can also reach out and encrypt files on your company network!

Once the files are encrypted, a ransom demand appears on the PC directing the user to the ‘Deep Web’ to make a payment in Bitcoin to get the files decrypted.

Recovery

To recover your files you need to rely on your backups. It is thought unlikely that any kind of tool will become available to break the encryption algorithms. We do not recommend paying ransoms.

Identifying infected network users

If you see .locky extension files appearing on your network shares, look up the file owner of the _Locky_recover_instructions.txt file in each folder. This will tell you the infected user. Lock their AD user and computer account immediately and boot them off the network — you will likely have to rebuild their PC from scratch.
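The identification step above can be automated from the file server's own write activity, since the encrypted files and ransom notes are created under the infected user's account. This is an added example, not code from the original post; the audit-log format, user and host names, and the burst threshold are assumptions constructed for the example.

```python
"""Identify the infected account from file-server write activity (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample audit lines: "<ISO time> <domain\user> <host> <op> <path>"
SAMPLE_AUDIT = """\
2016-02-22T09:00:01 CORP\\alice WS-ALICE WRITE \\\\fs1\\finance\\q1.xlsx
2016-02-22T09:12:30 CORP\\bob WS-BOB CREATE \\\\fs1\\finance\\a1b2c3d4.locky
2016-02-22T09:12:31 CORP\\bob WS-BOB DELETE \\\\fs1\\finance\\budget.docx
2016-02-22T09:12:31 CORP\\bob WS-BOB CREATE \\\\fs1\\finance\\e5f6a7b8.locky
2016-02-22T09:12:32 CORP\\bob WS-BOB CREATE \\\\fs1\\finance\\_Locky_recover_instructions.txt
2016-02-22T09:12:33 CORP\\bob WS-BOB CREATE \\\\fs1\\hr\\c9d0e1f2.locky
"""

RANSOM_NOTE = "_locky_recover_instructions.txt"

def parse(line: str):
    ts, user, host, op, path = line.split(" ", 4)
    return datetime.fromisoformat(ts), user, host, op, path

def infected_accounts(audit: str, burst: int = 3, window_s: int = 60) -> dict:
    """Flag users that drop a ransom note or create `burst` .locky files
    within `window_s` seconds; report their host and the folders touched."""
    seen = defaultdict(lambda: {"host": None, "times": [], "note": False,
                                "folders": set()})
    for line in audit.splitlines():
        ts, user, host, op, path = parse(line)
        if op != "CREATE":
            continue                       # encryption shows up as new files
        folder, name = path.rsplit("\\", 1)
        rec = seen[user]
        if name.lower().endswith(".locky"):
            rec["times"].append(ts)
        elif name.lower() == RANSOM_NOTE:
            rec["note"] = True
        else:
            continue
        rec["host"] = host                 # the machine to isolate
        rec["folders"].add(folder)         # the shares to restore from backup
    result = {}
    for user, rec in seen.items():
        t = sorted(rec["times"])
        rapid = any((t[i + burst - 1] - t[i]).total_seconds() <= window_s
                    for i in range(len(t) - burst + 1))
        if rec["note"] or rapid:
            result[user] = {"host": rec["host"], "locky_files": len(t),
                            "ransom_note": rec["note"],
                            "folders": sorted(rec["folders"])}
    return result
```

The output names the account to lock in AD, the workstation to take off the network, and the folders whose contents must come back from backup.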

Prevention

User education: do not open emails from unknown sources!

Disable macros in Office documents: this can be done at the network level via Group Policy.

Global spread

The deployment of Locky was a masterpiece of criminality — the infrastructure is highly developed, it was tested in the wild initially on a small scale (ransomware beta testing, basically), and the ransomware is translated into many languages. In short, this was well planned and expertly executed.


One hour of infection stats

Measuring the impact

Locky contains code to spread across network drives, allowing the potential to impact large enterprises outside of individual desktops.

Discussion of this generated Twitter impressions of over half a million this week. It is thought many organisations are simply paying for the decrypter, which is basically paying your hostage takers for freedom. It’s also worth noting that many of the IP addresses getting hit by this are associated with addresses at large companies, many in the US; this clearly caught people out.

Sources:

https://medium.com
http://www.idigitaltimes.com