Last week, the city of Allentown was hit with Emotet, malware that started as a banking trojan. Reports indicate that the initial entry into their municipal business environment occurred via phishing. Once the malware was downloaded and installed, it began to replicate itself across the city government’s network infecting devices and stealing login credentials. This has resulted in the city’s financial system being offline, the city’s camera surveillance being taken offline, and the city’s police department being disconnected from the Pennsylvania law enforcement network.
It is estimated that the cost to remediate this attack will be close to $1 million. This same malware has infected other government and public-school facilities. In fact, this past January, the same malware cost the Rockingham, North Carolina school district $314,000 to recover from the infection.
What is Emotet? Emotet is malware that started out as a banking trojan roughly three years ago. It was originally designed to intercept network traffic and harvest user login credentials. Over the last three years, the malware has morphed into a modular platform that allows custom modules to be added. Last year, it was reported that the malware began using the EternalBlue exploit, which was developed by the NSA and later leaked to the public. That exploit lets the malware spread across Windows networks to devices that have not been patched. The malware is not easily blocked at the perimeter because it can be delivered in several file types, including .js scripts, .pdf files, and macro-enabled .doc/.docx documents attached to or linked from phishing emails.
What can be done? Ensure that you are auditing your patching to verify that patches are being applied as they should. This is not to say that the Allentown infection spread via the EternalBlue exploit; however, since that is one method by which Emotet can spread, ask yourself whether you are ready to prevent it from spreading in your environment.
Why perform a patch audit? Patches are often pushed in an automated fashion, but for any number of reasons (a host that was powered off, an installer that failed, a reboot that never completed) some patches never make it onto a system, and those systems require a more hands-on approach.
Brian Krebs, a known and respected journalist who covers cyber security, reported that Dell Inc. had lost control of the web address used by the Dell Backup & Recovery service that comes installed on a large number of Dell computers. There are indications that for several weeks this past summer, a malicious group took control of the address and may have used it to push malware through the service. The suspected time frame is between June and July 2017.
During the period in which Dell lost control of it, the web address was being directed to a leased server on Amazon that was, and reportedly continues to be, known for hosting malicious content.
The software that performs the service comes pre-installed on Dell Windows systems, according to the Dell support forums.
If you are using a Dell computer that has the Dell Backup & Recovery service running on it, ensure your anti-malware/anti-virus software is up to date, and be wary of any calls or pop-ups on your computer claiming to be Dell tech support, even if they provide you with the correct service tag. If you receive such a call or pop-up, hang up or close it and call Dell directly using a number from Dell's own website.
For Krebs’ full report see https://krebsonsecurity.com/2017/10/dell-lost-control-of-key-customer-support-domain-for-a-month-in-2017/
A piece of malware called “Bad Rabbit” is reportedly making its rounds in Eastern Europe and Russia. However, the United States Computer Emergency Readiness Team (US-CERT) has reported that it has “received multiple reports of Bad Rabbit ransomware infections in many countries around the world.”
The ransomware is being distributed via a pop-up in the user's browser claiming that the installed version of Adobe Flash Player is out of date. Once the user downloads and runs the fake update, the malware encrypts files on that computer, harvests credentials from memory, and uses them to move from computer to computer across the network, encrypting files as it goes.
This malware also preys on a weakness in Windows operating systems using a method discovered and used by the National Security Agency. This weakness (aka vulnerability) became public when the NSA's exploit code was stolen and then leaked to the world; the best-known exploit from that leak is “EternalBlue”. Researchers later determined that Bad Rabbit's SMB exploit was actually “EternalRomance”, a sibling from the same leaked toolset; both target the same vulnerability and are closed by the same Microsoft fix.
The vulnerability lies in a communication protocol used between Windows-based computers called Server Message Block version 1 (SMBv1). Because this is the oldest version of the protocol still in use, a significant number of computers were easily attacked in April/May of 2017. This is evidenced by WannaCry, which took control of over 230,000 computers in 150 different countries, and by the Petya/NotPetya malware that followed in June. If it were not for an alert cyber security researcher who found a method of stopping WannaCry (a “kill switch” domain), that number would have been much higher. Organizations that were affected include FedEx, the British National Health Service, and French auto manufacturer Renault, to name a few.
A fix for the vulnerability (Microsoft security bulletin MS17-010) was sent out in March 2017 by Microsoft. Computers that did not apply the fix were left vulnerable. As of this date, there are still computers that are vulnerable because they have not received the fix.
What can you do? Ensure your computers are up to date on patches. This can be done by using Windows Update on your computers or by using a patch management system.
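The patch audit recommended in the Emotet post above and the “ensure your computers are up to date” advice here are the same check in practice: confirm that each Windows host actually has the MS17-010 fix and that SMBv1 is turned off. The following PowerShell script is an added example for this post, not code from the original author, Microsoft, or US-CERT. It assumes PowerShell remoting is enabled and you have administrative rights on the targets; the host names are constructed for the example; and the KB identifiers are the packages Microsoft published for MS17-010 for each Windows version, which you should confirm against the bulletin for the builds in your environment, because later cumulative updates on Windows 10 and Server 2016 supersede the original KB and will not show up under that number.

```powershell
# Added example (not from the original post): audit hosts for the MS17-010 fix and for SMBv1.
# Assumptions: WinRM/PowerShell remoting is enabled and you are an admin on the targets.
# The host names below are constructed for illustration.
$Hosts = @('WKS-01', 'WKS-02', 'SRV-FILE01')

# KB packages Microsoft published for MS17-010 (March 2017, plus the May 2017 out-of-band
# releases for unsupported systems). Confirm against the bulletin for your OS builds.
$Ms17010Kbs = @(
    'KB4012598',  # Windows XP / Vista / Server 2003 / Server 2008 (out-of-band)
    'KB4012212',  # Windows 7 / Server 2008 R2 security-only
    'KB4012215',  # Windows 7 / Server 2008 R2 monthly rollup
    'KB4012213',  # Windows 8.1 / Server 2012 R2 security-only
    'KB4012216',  # Windows 8.1 / Server 2012 R2 monthly rollup
    'KB4012214',  # Server 2012 security-only
    'KB4012217',  # Server 2012 monthly rollup
    'KB4012606',  # Windows 10 1507 cumulative update
    'KB4013198',  # Windows 10 1511 cumulative update
    'KB4013429'   # Windows 10 1607 / Server 2016 cumulative update
)

$Results = foreach ($Computer in $Hosts) {
    try {
        Invoke-Command -ComputerName $Computer -ErrorAction Stop -ArgumentList (,$Ms17010Kbs) -ScriptBlock {
            param([string[]]$Kbs)

            # Any one of the MS17-010 packages present counts as patched.
            $Installed = Get-HotFix | Where-Object { $Kbs -contains $_.HotFixID } |
                         Select-Object -ExpandProperty HotFixID

            # SMBv1 server state: the cmdlet exists on Windows 8 / Server 2012 and later only.
            $Smb1 = $null
            if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
                $Smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
            }

            $Os = Get-CimInstance Win32_OperatingSystem
            [pscustomobject]@{
                Computer       = $env:COMPUTERNAME
                OSVersion      = $Os.Version
                MS17010Patches = ($Installed -join ',')
                SMB1Enabled    = $Smb1
                LastHotFix     = (Get-HotFix | Where-Object InstalledOn |
                                  Sort-Object InstalledOn -Descending |
                                  Select-Object -First 1).InstalledOn
            }
        }
    }
    catch {
        # A host you cannot reach is a finding too: it may be off the automated patch cycle entirely.
        [pscustomobject]@{ Computer = $Computer; OSVersion = 'unreachable'
                           MS17010Patches = ''; SMB1Enabled = $null; LastHotFix = $null }
    }
}

# Classify each host. On Windows 10 / Server 2016 a missing KB is not proof of a missing fix,
# because the cumulative update that contains it carries a newer KB number: verify the build instead.
foreach ($R in $Results) {
    $PatchStatus = if ($R.OSVersion -eq 'unreachable') { 'UNREACHABLE - audit manually' }
                   elseif ($R.MS17010Patches)           { "MS17-010 present ($($R.MS17010Patches))" }
                   elseif ($R.OSVersion -like '10.*')   { 'VERIFY - check cumulative update level' }
                   else                                 { 'MISSING MS17-010' }

    $SmbStatus = if ($R.SMB1Enabled -eq $true)     { 'SMBv1 ENABLED - disable it' }
                 elseif ($null -eq $R.SMB1Enabled) { 'SMBv1 state unknown (legacy OS or unreachable)' }
                 else                              { 'SMBv1 disabled' }

    '{0,-12} {1,-12} {2,-45} {3,-45} last hotfix: {4}' -f `
        $R.Computer, $R.OSVersion, $PatchStatus, $SmbStatus, $R.LastHotFix
}

# Remediation for a host that reports SMBv1 enabled (run on that host after testing its dependencies):
#   Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
```

Run it from an administrative workstation against the hosts your patch management system claims are compliant; the point of the audit is the hosts where the tool's report and the host's own hotfix list disagree. Unreachable hosts deserve as much attention as unpatched ones, since a machine that cannot be reached by the audit is usually one that the patch push could not reach either.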
If there are any questions, please do not hesitate to reach out to me.
As I mentioned in my last post, bringing your own device (BYOD) provides a benefit to businesses that need work done, but don’t have the money to purchase the equipment. But there was a caveat, that benefit must be weighed against the risk the business assumes by allowing BYOD.
Second only to a business's employees, the most valuable asset a company has is its information and the information it processes. That information is what is at risk if a vulnerability is exploited (intentionally or unintentionally) by an employee or by another person who gets their hands on the device.
Some of the threats that pose dangers to your data are:
1. Malware/Viruses/Spyware. The introduction of malware, viruses, and spyware into the company IT infrastructure could have a crippling effect on your business. The latest form of malware, ransomware, encrypts the data on the user's device and thereby prevents the user from accessing the files they need. If a BYOD user gets hit with ransomware while connected to the business's files, the business may be out of luck.
2. Lost/Stolen device. Perhaps the largest threat. The Department of Veterans Affairs is no stranger to lost portable electronic devices. In 2006 it lost a single laptop that contained personal information on roughly 26.5 million U.S. veterans. It has not only happened to the VA but also to car manufacturers, HR recruiting companies, and others. Once the device is lost, the data on it is potentially lost forever and possibly compromised, unless the device was encrypted.
3. Rooted devices. Device manufacturers go to great lengths to ensure some level of security on the devices they sell. But there are people who want more access to the inner workings of the device, and rooting or jailbreaking it removes the protections the manufacturer built in. These super power users inadvertently make their device an easier target for malware and misbehaving applications.
4. Outdated software. Numerous times each week, updates and patches to software applications are released to fix flaws that affect not only how the application works, but also the security of the device and its data.
5. Open WiFi. In this day and age, most people want the ability to connect anywhere at any time. Look at all the places that offer free or paid WiFi: airports, coffee shops, stores, restaurants, just about anywhere you go. These WiFi networks are typically unprotected. Another person at the same coffee shop could snoop on the mobile device's traffic, read anything that is not encrypted, and possibly even get into the computer itself.
6. Unlocked devices. Locking the device provides a minimal but important measure of security. It prevents people from picking up the device and scrolling through documents, emails, or other files related to your business. It is a simple mechanism, but it is often not implemented.
This is just a summary of some of the larger threats associated with BYOD. In my next blog entry, we will look at what can be done to protect a business while still implementing BYOD.
Until then… Think twice and perform a cyber 360.