Blog

FDA Recall for Nearly Half a million Pacemakers Vulnerable to Hacking

The Food and Drug Administration on Tuesday issued an alert about the first recall of a network-connected implantable device due to cyber security vulnerabilities.

 

The agency is instructing patients with certain implantable cardiac pacemakers from St. Jude Medical – now owned by Abbott Laboratories – to visit their physicians for firmware updates to address cyber vulnerabilities that can potentially be remotely exploited by hackers and that pose safety concerns.

Approximately 465,000 such devices are in use in the U.S., an Abbott spokeswoman tells Information Security Media Group. She did not immediately have information about how many of these devices are used outside the U.S.

While the FDA has characterized the corrective action to address the vulnerabilities as a “voluntary recall” by the manufacturer, the Abbott spokeswoman stresses that neither the company nor the FDA is not recommending the “prophylactic removal and replacement of affected devices.” Rather, patients are being advised to have the devices’ firmware updated “at their next regularly scheduled visit” to their healthcare provider, the Abbott spokeswoman says.

A related Department of Homeland Security alert also issued on Tuesday notes that vulnerabilities include the Abbott pacemaker’s authentication algorithm, “which involves an authentication key and time stamp, can be compromised or bypassed, which may allow a nearby attacker to issue unauthorized commands to the pacemaker via radio frequency communications.”

‘Key Moment’
The recall of the Abbot cardiac devices is “a key moment in the evolution of connected medical devices,” says cyber security expert Joshua Corman, founder of grassroots cyber safety organization I Am the Cavalry and a member of the Department of Health and Human Services’ cyber task force. That group issued a report earlier this year with recommendations about how the healthcare sector can improve cyber security.

Making arrangements to have nearly a half million patients in the U.S. visit their healthcare provider for the firmware update “will be a logistical nightmare,” he says, despite Abbott and the FDA recommending that patients wait until their next regular appointment with physicians to do the update. Many worried patients are likely to seek appointments for the updates sooner than their regularly slated visits, he says.

And although there have been no reports of actual harm to patients due to hackers exploiting the vulnerabilities in the devices, “that number can go from zero to a lot of patients quickly” if hackers decide to launch attacks, Corman warns.

This recall is the most serious development so far related to medical device cyber security, Corman contends.

Affected Devices
The FDA alert says the recall involves implantable cardiac pacemakers, including cardiac resynchronization therapy pacemakers under the names Accent, Anthem, Accent MRI, Accent ST, Assurity and Allure. The alert does not apply to any implantable cardiac defibrillators or to cardiac resynchronization ICDs, the FDA says.

The FDA notes that on Aug. 23, it approved the firmware update “that is now available and is intended as a recall, specifically a corrective action, to reduce the risk of patient harm due to potential exploitation of cyber security vulnerabilities for certain Abbott pacemakers.

 

Read More at InfoRisk.com

 

Is your Network REALLY Secure, why not know for sure, Get your FREE Vulnerability Assessment Today!!!


Get Your FREE Assessment Today!

Share

Posted in: Monthly Security Brief, Tech Tips for Business Owners

Leave a Comment (0) →

Scam Alert: Hurricane Harvey Charity Fraud

Hurricane Harvey hit hard and especially Houston, TX got badly flooded. The death toll is rising and you can also count on low-life cyber-scum exploiting this disaster. HurricaneHarvey.jpg

Disgusting.

Scammers are now using the Hurricane Harvey disaster to trick people in clicking on links, both on Facebook, Twitter and phishing emails trying to solicit charitable giving for the flood victims. Here are some examples:

  • Facebook pages dedicated to victim relief contain links to scam websites.
  • Tweets are going out with links to charitable websites soliciting donations, but in reality included spam links or links that lead to a malware infection.
  • Phishing emails dropping in a user’s inbox asking for donations to #HurricaneHarvey Relief Fund.

Previous disasters have been exploited like this, and the bad guys are going at it again will all guns blazing. Be wary of anything online covering the Hurricane Harvey disaster in the following weeks.

I suggest you send employees, friends and family an email about this Scam Of The Week, feel free to copy/paste/edit:

“Heads-up! Bad guys are exploiting the Hurricane Harvey disaster. There are fake Facebook pages, tweets are going out with fake charity websites, and phishing emails are sent out asking for donations to #HurricaneHarvey Relief Funds.

 

Don’t fall for any scams. If you want to make a donation, go to the website of the charity of your choice and make a donation. Type the address in your browser or use a bookmark. Do not click on any links in emails or text you might get. Whatever you see in the coming weeks about Hurricane Harvey disaster relief… THINK BEFORE YOU CLICK.

Share

Posted in: Monthly Security Brief, Newsletter Topics, Security Awareness Training, Tech News

Leave a Comment (0) →

IRS Issued Urgent Warning About An IRS & FBI- Ransomware

WASHINGTON, August 28, 2017 — The Internal Revenue Service warned people to avoid a new phishing scheme that impersonates the IRS and the FBI as part of a ransomware scam to take computer data hostage.

The IRS said: “The scam email uses the emblems of both the IRS and the Federal Bureau of Investigation. It tries to entice users to select a “here” link to download a fake FBI questionnaire. irs_questionnaire_safe.jpgInstead, the link downloads a certain type of malware called ransomware that prevents users from accessing data stored on their device unless they pay money to the scammers.”

“This is a new twist on an old scheme,” said IRS Commissioner John Koskinen. “People should stay vigilant against email scams that try to impersonate the IRS and other agencies that try to lure you into clicking a link or opening an attachment. People with a tax issue won’t get their first contact from the IRS with a threatening email or phone call.”

I suggest you send employees, friends and family an email about this ransomware attack, feel free to copy/paste/edit:

“Heads-up! The IRS is warning against a new phishing scam that tries to make you download an FBI questionnaire. But if you click the link, your computer will be infected with ransomware instead. The scam email uses the emblems of both the IRS and the Federal Bureau of Investigation.

 

Remember that the IRS does not use email, text messages or social media to discuss personal tax issues, such as those involving bills or refunds. THINK BEFORE YOU CLICK!

The IRS stated: “Victims should not pay a ransom. Paying it further encourages the criminals, and frequently the scammers won’t provide the decryption key even after a ransom is paid. Victims should immediately report any ransomware attempt or attack to the FBI at the Internet Crime Complaint Center, www.IC3.gov. Forward any IRS-themed scams to phishing@irs.gov.”

Here is the official IRS Newsroom post : https://www.irs.gov/uac/newsroom/irs-issues-urgent-warning-to-beware-irs-fbi-themed-ransomware-scam

Share

Posted in: Monthly Security Brief, Newsletter Topics, Security Awareness Training, Tech News

Leave a Comment (0) →

Bank Scam Alert: Text Message Scam

Bank Scam Alert!!

We’re going to go out on a limb here and assume that everyone reading this uses a bank, right? Well, if you use a bank than this scam is targeted at you. Last week, an innocent banking customer received a legitimate looking text (about an hour after she left the bank!) stating that her card had been temporarily blocked and it gave her a number to call to resolve the issue. Wanna take a wild guess about who was waiting for her to dial that number and spill all of her banking information?  You guessed it, the scammer!!!

Do You Need to Worry: You sure do. Since it appears like it’s coming from a company that you do business with you are more likely to fall for this scam. By calling the phone number provided you’ll be automatically connected with the scammer who says they need your bank account information. They may even ask for your PIN or Social Security number leaving you with a serious problem on your hands.

What Can You Do About It: Keep in mind that financial institutions won’t contact you by text or email to request personal information or account details. While you may receive alerts, the information should only flow one way, from the bank to you, not the other way around. If you get a request to contact your bank, always verify the source by calling the bank, using the number on your ATM card or on their official site.

Share

Posted in: Monthly Security Brief, Newsletter Topics

Leave a Comment (0) →

Facebook and Google Were Victims of 100 Million-Dollar Phishing Scam

We have been reporting on this massive Cyberheist for a while now, but Fortune Magazine decided to unleash their investigative reporters and find out exactly who those two mysterious high-tech companies were that got snookered for a whopping 100 million dollars. 

It is excellent ammo to send to C-level executives to illustrate the urgent need to train employees so they can recognize red flags related to spear phishing.scam-troll-796x531.jpg

Here is how the Fortune story starts:

“When the Justice Department announced the arrest last month of a man who allegedly swindled more than $100 million from two U.S. tech giants, the news came wrapped in a mystery. The agency didn’t say who was robbed, and nor did it identify the Asian supplier the crook impersonated to pull off the scheme.

The mystery is now unraveled. A Fortune investigation, which involved interviews with sources close to law enforcement and other figures, has unearthed the identities of the three unnamed companies plus other details of the case.

The criminal case shows how scams involving email phishing and fake suppliers can victimize even the most sophisticated, tech-savvy corporations. But the crime also raises questions about why the companies have so far kept 
silent and whether—as a former head of the Securities and Exchange Commission observes—it triggers an obligation to tell investors about what happened.

The Masssive Phishing Heist

In 2013, a 40-something Lithuanian named Evaldas Rimasauskas allegedly hatched an elaborate scheme to defraud U.S. tech companies. According to the Justice Department, he forged email addresses, invoices, and corporate stamps in 
order to impersonate a large Asian-based manufacturer with whom the tech firms regularly did business. The point was to trick companies into paying for computer supplies.

The scheme worked. Over a two-year span, the corporate imposter convinced accounting departments at the two tech companies to make transfers worth tens of millions of dollars. By the time the firms figured out what was going on, Rimasauskas had coaxed out over $100 million in payments, which he promptly stashed in bank accounts across Eastern Europe.”  

 

Learn how to FIGHT Ransomware and stop being a victim!!!

 

 

Share

Posted in: Monthly Security Brief, Newsletter Topics, Security Awareness Training, Tech News

Leave a Comment (0) →

The Data Security Game Has Changed

Why Today’s Security Strategy May Not Be Enough

For auto racing fans and teams, safety is a subject that is always on everyone’s mind. Compared to racing 25 years ago, the game today has changed dramatically. Cars are faster, lighter, and danger to the drivers has increased. Safety features to accommodate these changes certainly cost the race team more money – but they’re necessary to stay secure. Investments in safety continue, as long as the threat escalates. The same is true in business, technology and cybercrime The game has indeed changed and a business’s security investment must adapt.

5 Reasons The Game Has Changed

Cyber-security, much like car racing, has changed significantly over the past several years. There are five ways the cyber-security game has changed and why the current strategy, particularly for the small businesses, may not be enough.
1. The Growth of Cyber-Crime – The growth in attack volume on small businesses has grown exponentially because it’s easy. Small businesses (and some public sector entities as well) tend to be well behind the security curve, making the organization an easy target of cybercrime.
2. The Target of Cyber-Crime – The real target of cyber-crime are small businesses! In 2014, 60% of all known successful attacks where against small and medium businesses. And of those that were breached, 60% went out of business within 6 months.
3. The Number of Security Solutions – While firewalls, IDS/IPS, AV, etc., are critical, improper configuration and management of these tools often create more risk. Many companies might not have the resources or expertise to know what to do if those tools alert them of a problem.
4. The Lack of Expertise – The most effective way to listen to these devices is to observe their every action and their communication patterns. Because these actions and “event logs” occur several times per second, many companies turn to a Security Information and Event Management tool (SIEM) to help make sense of the vast amount of machine data being generated.
5. The Lack of Resources – Security products, to be effective, must be monitored and maintained 24/7 so that threats are detected and responded to immediately. Not an easy task for the typical small business that cannot afford around-the-clock security experts. Cisco agreed that “the worldwide shortage of information security professionals is at 1 million openings, even as cyber attacks and data breaches increase each year”.

“it only take once for a hacker to gain access to your network, but it takes 100% of your time defending it”!

Cyber-threat monitoring and detection are the cornerstones of an effective IT security strategy. But collecting the right data, parsing and analyzing it into manageable and useful pieces of information is an extremely complex task.
Our 24/7 security service employs the right technologies, paired with a staff of security experts, to reduce the risk and complexity of protecting your critical data.
Our SentreeGuard solution provides the intelligence and awareness needed to take action on the latest threats in your organization’s environment.  If you are serious about your company and want to take your security to the next level, we have the next level security solution, SentreeGuard.

 

 

Get Your Security Audit Today, Tomorrow Could be Too Late!!!

Did you know that the average breach goes undetected for more than 200 days?


Get Your Data Security Audit

Share

Posted in: Company News, Monthly Security Brief, Tech News, Tech Tips for Business Owners

Leave a Comment (0) →

[ALERT] A New Worldwide Ransomware Outbreak Petya

Motherboard reported: “A quickly-spreading, world-wide ransomware outbreak has reportedly hit targets in Spain, France, Ukraine, Russia, and other countries.

 

Motherboard continued: “The attacks are similar to the recent WannaCry outbreak, and motherboard has seen several reports of infections shared by victims on Twitter. We were not able to immediately confirm the veracity of the reports, but several security researchers and firms also reported the attacks.New Ransomware Attack

“We are seeing several thousands of infection attempts at the moment, comparable in size to Wannacry’s first hours,” Costin Raiu, a security researcher at Kaspersky Lab, told Motherboard in an online chat.

Judging by photos posted to Twitter and images provided by sources, many of the alleged attacks involved a piece of ransomware that displays red text on a black background, and demands $300 worth of bitcoin.

“If you see this text, then your files are no longer accessible, because they are encrypted,” the text reads, according to one of the photos. “Perhaps you are busy looking for a way to recover your files, but don’t waste your time. Nobody can recover your files without our decryption service.”

Raiu believes the ransomware strain is known as Petya or Petrwrap, a highly sophisticated Russian strain, without all the errors that WannaCry contained, and no kill-switch. According to a tweet from anti-virus company Avira, the Petya attacks were taking advantage of the EternalBlue exploit previously leaked by the group known as The Shadow Brokers

EternalBlue is the same exploit used in the WannaCry attacks; it takes advantage of a vulnerability in the SMB data-transfer protocol, and Microsoft has since patched the issue. However, whether customers apply that patch is another matter.

Security researchers from Kaspersky Lab reported that the ransomware hit Russia, Ukraine, Spain, France, among others. Several people on Twitter reported witnessing or hearing reports of the outbreak in their respective countries, and across a wide range of industries. Companies around the world also reported computer outages.

If You Have Not Done So Yet, Apply This Patch Immediately.

From what we have been able to learn, this new worm spreads through SMB jkust like WannaCry so when we’re talking about machines behind firewalls being impacted, it implies port 445 being open and at-risk hosts listening to inbound connections. It’d only take one machine behind the firewall to become infected to then put all other workstations and servers at risk due to it being a true worm.

In the meantime, harden yourselves against this Windows Network Share vulnerability and ensure that all systems are fully patched with the “MS17-010” security update (link below) and remind all staff to Think Before They Click when they receive any out of the ordinary emails. https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Note, the patch is included in the Monthly Quality rollups. Also, block inbound connections on TCP Port 445

[UPDATE 6/27/2017] 1:40pm

“It is definitely using EternalBlue to spread,” says Fabian Wosar, a security researcher at the defense firm Emsisoft, which specializes in malware and ransomware. “I confirm, this is a WannaCry situation,” Matthieu Suiche, the founder of security firm Comae Technologies, wrote on Twitter.

Group-IB believes the attacks on Ukraine and Rosneft were simultaneous and coordinated. Kaspersky and Flashpoint think they’re observing signs of the Petya (a.k.a. Petrwrap) strain of ransomware in the attacks.

Other major infestations are reported by the Danish shipping concern A.P. Moller-Maersk, pharmaceutical company Merck (this in the US), Deutsche Post (its operations in Ukraine), and British ad agency WPP. More are sure to come.

The ransom note’s text has appeared in English, but Ukrainian authorities blame Russian hackers, especially since the attack coincides with tomorrow’s observance in Ukraine of Constitution Day. On this interpretation the attack’s spread is due either to the inherently difficult-to-control nature of malware, deliberate misdirection, or willingness to take such targets of opportunity as present themselves.

UPDATE 6/27/2017 2:13pm

Delivery/Exploitation

We have not yet confirmed the initial infection vector for this new Petya variant. Previous variants were spread through e-mail, but we have not identified this latest sample carried in any e-mail related attacks.

Installation

This variant of Petya is spread as a DLL file, which must be executed by another process before it takes action on the system. Once executed, it overwrites the Master Boot Record and creates a scheduled task to reboot the system. Once the system reboots, the malware displays a ransom note which demands a payment of $300 in bitcoin.

Command and Control

Petya contains no Command and Control mechanisms that we know of. After a host is infected, there is no communication from the malware back to the attacker.

Lateral Movement

Petya may spread to other hosts directly using SMB or through the ETERNALBLUE exploitation tool.

 

Learn how to FIGHT Ransomware and stop being a victim!!!

 

 

Share

Posted in: Monthly Security Brief, Newsletter Topics, Security Awareness Training, Tech News

Leave a Comment (0) →

Scam of the Week: Department of Motor Vehicles Warns Drivers About Traffic Ticket Phishing

Online reporter Doug Olenick at SC Media was the first to point to a press release from the NY State Department of Motor Vehicles warning about a phishing scam where New York drivers are being targeted, stating they have 48 hours to pay a fine or have their driver’s license revoked.  This may happen in your state as well, so this is your heads-up.

The NY DMV alerted motorists that the scam is just bait to entice them to click on a “payment” link that will in turn infect their workstation with malware. The DMV does not know how many people have been affected, but Owen McShane, director of investigations at New York State DMV, said calls came in from New York City, Albany and Syracuse.

Olenick was able to get a bit more detail: “The malware being dropped came in two categories. The first simply placed a tracking tool on the victim’s computer to see what websites were visited; and the second, more nefarious, attempted to acquire a variety of personally identifiable information, such as names, Social Security numbers, date of birth and credit card information.”

There are several social engineering red flags that show the email is a scam. The supplied links lead to sites without an ny.gov URL, tied to the fact that the state would never make such a request. Here is how the phishing email reads:

License_Phish-Example.png

The Department of Motor Vehicles does not send emails urging motorists to pay traffic tickets within 48 hours or lose your license,” said Terri Egan, DMV deputy executive commissioner, in a statement.

McShane noted that this scam is similar to one that hit the state about 18 months ago. The DMV, he said, is often used as bait in phishing attacks. Most previous attacks only lasted for 24 to 48 hours and this attack seems to have wrapped up too at this point, he added. This means that the bad guys may have moved on to other states with this attack, so…

I suggest you send employees, friends and family an email about this Scam Of The Week.  Obviously, an end-user who was trained to spot social engineering red flags like this would have thought before they clicked.

 

Lean More about Security Awareness training for your entire company.

Share

Posted in: Monthly Security Brief, Newsletter Topics, Security Awareness Training

Leave a Comment (0) →

Scam of the Week: Massive DocuSign Phishing Attacks

DocuSign has admitted they were the victim of a data breach that has led to massive phishing attacks which used exfiltrated DocuSign information. Ouch. So here is your Scam Of The Week.

They discovered the data breach when on May 9, 15, and 17 DocuSign customers were being targeted with phishing campaigns. They now are advising customers to filter or delete any emails with subject lines like:

  • Completed: [domain name] – “Wire transfer for recipient-name Document Ready for Signature”
  • Completed [domain name/email address] – “Accounting Invoice [Number] Document Ready for Signature”
  • Subject: “Legal acknowledgement for [recipient username] Document is Ready for Signature”

The campaigns all have Word docs as attachments, and use social engineering to trick users into activating Word’s macro feature which will download and install malware on the user’s workstation.  DocuSign warned that highly likely there will be more campaigns in the future.  Here is an example, these emails look very real:

DocuSign_Example_Phishing_Email.png

I suggest you send the following to your employees, friends, and family. You’re welcome to copy, paste, and/or edit:

“Hackers have stolen the customer email database of DocuSign, the company that allows companies to electronically sign documents. These criminals are now sending phishing emails that look exactly like the real DocuSign ones, but they try to trick you into opening an attached Word file and click to enable editing.

But if you do that, malware may be installed on your workstation. So if you get emails that look like they come from DocuSign and have an attachment, be very careful. If there is any doubt, pick up the phone and verify before you electronically sign any DocuSign email. Remember: Think Before You Click.”

 

See How Sentree Systems, Corp. can Help!!


Learn More!

 

Share

Posted in: Monthly Security Brief, Newsletter Topics, Security Awareness Training, Tech News

Leave a Comment (0) →

[Alert] WannaCry Ransomware Attack Uses NSA 0-Day Exploits To Go On Worldwide Rampage

NHS Ransomware Attack

This screenshot is just one example: The IT systems of around 40 National Health System hospitals across the UK were affected by this ransomware attack. Non-emergency operations have been suspended and ambulances are being diverted as a result of the infection. Cybersecurity experts have long used the phrase “where bits and bytes meet flesh and blood,” which signifies a cyberattack in which someone is physically harmed.

Mikko Hypponen, chief research officer at the Helsinki-based cybersecurity company F-Secure, called the attack “the biggest ransomware outbreak in history.” This is a cyber pandemic caused by a ransomware weapon of mass destruction. In the Jan 3 issue of CyberheistNews, we predicted that 2017 would be the year where we’d see a ransomworm like this. Unfortunately, it’s here.

Banks, Trains and Automobiles

Hundreds of thousands of machines are infected worldwide, including FedEx Corp, Renault, Nissan, the German Railways, Russian banks, gas stations in China, and Spanish telecommunications firm Telefonica (which reported 85% of their systems being down as a result of the cyberattack), and in a case of poetic justice, Russia seems to have been hit the hardest up to now. The source is Kaspersky’s Securelist, note that this is just the early days, and their visibility is likely limited.

wannacry_03.png

The strain is called “Wana Decrypt0r” which asks $300 from victims to decrypt their computers. This monster has infected hundreds of thousands of systems in more than 150 countries. Monday morning when people get back to work, these numbers will only go up. Check out an early animated map created by the NYTimes.

Here is an infection map based on data from MalwareTech.com:

Wana_Infection_Map.png

…and the Wall Street Journal also created an InfoGraphic explaining the spread of Wana which is nice to show to management when you ask for more IT security budget to train your users – which would prevent this whole mess.

WSJ_Wana_Info.png

Bleepingcomputer said: “Whoever is behind this ransomware has invested heavy resources into Wana Decrypt0r’s operations. In the few hours this ransomware has been active, it has made many high-profile victims all over the world. “Affected machines have six hours to pay up and every few hours the ransom goes up,” said Kurt Baumgartner, the principal security researcher at security firm Kaspersky Lab. “Most folks that have paid up appear to have paid the initial $300 in the first few hours.”

Despite the fact that this strain is hyper-agressive, the criminals behind the code do not seem to be all that sophisticated, they are using only a limited amount of static bitcoin wallets. Could even be that they are relative newbies at ransomware, and that the NSA worm-code has run amock scaring the daylight out them, afraid to be caught.

The Ransom Deadline Is Short

The ransom starts at $300 for the first 6 hours, and you’ve got up to 3 days to pay before it doubles to $600. If you don’t pay within a week then the ransomware threatens to delete the files altogether. Note the social engineering aspect here too: a sense of urgency is created to prompt people into action. A sense of hope is granted by virtue of the ability to decrypt a sample selection of the files

The ransomware’s name is WCry, but is also referenced online under various names, such as WannaCry, WannaCrypt0r, WannaCrypt, or Wana Decrypt0r. As everybody keeps calling it “Wana Decrypt0r,” this is the name we’ll use in this article, but all are the same thing, which is version 2.0 of the lowly and unimpressive WCry ransomware that first appeared in March.”

Kaspersky Lab also reports that the Wana strain has numerous languages available and was designed to affect multiple countries.

wana-decrypt0r-2_0.png

Sky News Technology Correspondent Tom Cheshire described the attack as “unprecedented”. The ransomware is using originally NSA 0-day ETERNALBLUE and DOUBLEPULSAR exploits which were made public earlier this year by a group calling itself the ShadowBrokers. There are recent patches available but many have not applied them yet.

 

Former U.S. intelligence contractor turned whistleblower Edward Snowden pointed the finger at the NSA, implying the agency was responsible for exploiting a weakness in Windows. It is not clear yet how the ShadowBrokers first got their hands on the NSA tools – conspiracy theories range from a contractor leak to a Russian counter-espionage trying to hint American intelligence should back off.
The group ShadowBrokers first appeared in August, claiming it had stolen tools from the Equation Group, a legendary espionage operation rumored to be affiliated with the NSA. The Brokers announced they had the tools and offered to auction them off which did not go very far. In January, the group gave up, only to resurface in April dumping EternalBlue and other Windows hacking tools in the public domain, where criminal hackers were grateful recipients.

 

The Initial Infection Vector Is A Well-crafted Phishing Email.

 

According to CrowdStrike’s vice president of intelligence Adam Meyers, the initial spread of WannaCry is coming through phishing, in which fake invoices, job offers and other lures are being sent out to random email addresses. Within the emails is a password protected .zip file, so the email uses social engineering to persuade the victim to unlock the attachment with a password, and once clicked that initiates the WannaCry infection. Microsoft confirms this in a blog post.

But the most concerning aspect of WannaCry is its use of the worm-like EternalBlue exploit. “This is a weapon of mass destruction, a WMD of ransomware. Once it gets into an unpatched PC it spreads like wildfire,” CrowdStrike’s Meyers told Forbes. “It’s going through financials, energy companies, healthcare. It’s widespread.”

“We encourage all Americans to update your operating systems and implement vigorous cybersecurity practices at home, work, and school,” the U.S. Department of Homeland Security said in a statement released late Friday. “We are actively sharing information related to this event and stand ready to lend technical support and assistance as needed to our partners, both in the United States and internationally.” Here is a technical nosedive of the Wana malware.

If You Can, Apply This Patch Immediately.

After the initial infection, the malware spreads like a worm via SMB, that is the Server Message Block protocol used by Windows machines to communicate with file systems over a network. According to Cisco’s TALOS team:

The file tasksche.exe checks for disk drives, including network shares and removable storage devices mapped to a letter, such as ‘C:/’, ‘D:/’ etc. The malware then checks for files with a file extension as listed in the appendix and encrypts these using 2048-bit RSA encryption.

From what we have been able to learn, Wana spreads through SMB so when we’re talking about machines behind firewalls being impacted, it implies ports 139 and 445 being open and at-risk hosts listening to inbound connections. It’d only take one machine behind the firewall to become infected to then put all other workstations and servers at risk due to it being a true worm.

In the mean time, harden yourselves against this Windows Network Share vulnerability and ensure that all systems are fully patched with the “MS17-010” security update (link below) and remind all staff to Think Before They Click when they receive any out of the ordinary emails. https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Redmond Issues Emergency Patch For WinXP

Microsoft has also released out-of-band patches for older versions of Windows to protect against Wana, because the original patch did not include XP/Win8. “This decision was made based on an assessment of this situation, with the principle of protecting our customer ecosystem overall, firmly in mind,” the company told customers in a blog post.

Besides installing these out-of-band updates — available for download from here — Microsoft also advises companies and users to outright disable the SMBv1 protocol, as it’s an old and outdated protocol, already superseded by newer versions, such as SMBv2 and SMBv3. You can use Grooup Policy for Clients and Servers. Here is a script to check the complete Active Directory for systems that miss the WanaCry related hotfixes.

Here is how to remove SMBv1 on Windows 10:

Turn_Off_SMB.png

And here is how to turn if off on Windows Servers. Start with those…

SMBV1_win_server.png

Another option: Use DSC to enforce the SMBv1 removal. If you don’t have DSC in place, you can use DSC local on your servers as well. You can now download security updates for Windows Server 2003 SP2 x64, Windows Server 2003 SP2 x86,Windows XP SP2 x64, Windows XP SP3 x86, Windows XP Embedded SP3 x86, Windows 8 x86, and Windows 8 x64.

A Honeypot Server Got Infected With WanaCry 6 Times In 90 Minutes

As the original one, the second variant is automatically executed by “Microsoft Security Center (2.0) Service” and is trying to spread by creating SMB connections to random IP addresses, both internal and external.

According to an experiment carried out by a French security researcher that goes online by the name of Benkow. WanaCry infected the honeypot in a mere three minutes after it was reset, showing the aggressive nature of the ransomware’s scanning module, which helps it spread to new victims. Noteworthy: three minutes is about the same amount of time IoT malware will infect a vulnerable home router left connected to the Internet without patches.

How To Detect The Presence Of Wana And SMBv1 Servers On Your Network

One of the easiest ways to monitor what is happening on your network is to setup a SPANMirror port or use a network TAP. This will give you access to flows and packet payloads so you can see who is connecting to what and if there is anything suspicious moving around. Check out this blog post if you use Cisco switches, it explains how you can monitor multiple network segments without the need to remember what is connected to what switch port. If you don’t use Cisco switches there is an excellent resource on the Wireshark wiki site which looks at how to setup monitoring on other switches.

There is one caveat though, this infection moves out like lightning from patient zero, and all vulnerable machines are literally locked in less than two minutes so monitoring alone would not be enough to be stop this monster. Here is a video showing a machine on the left infected with MS17-010 worm, spreading WCry ransomware to machine on the right in real time.

There Are Four Things To Watch Out For When It Comes To Detecting Wana

  1. Check for SMBv1 use
  2. Check for an increase in the rate of file renames on your network
  3. Check for any instances of the file @Please_Read_Me@.txt on your file shares
  4. Check for any instances of files with these extensions
    • .wnry
    • .wcry
    • .wncry
    • .wncryt

If Your Network Has Been Infected, What To Do?

This ransomware strain cannot be decrypted with free tools. Research shows the encryption is done with RSA-2048 encryption. That means that decryption will be next to impossible, unless the coders have made a mistake has not been found yet.

Your best bet is to recover from backups, and if your backup failed or does not exist, try a program like Shadow Explorer to see if the ransomware did not properly delete your Shadow Volume Copies. If a user did not click Yes at the UAC prompt, then there is a chance those are still available to start the recovery. Here is How to recover files and folders using Shadow Volume Copies. As a last resort and all backups have failed, you could decide to pay and get the files decrypted. It appears to work.

uac-prompt.png

What Can Be Done To Stop These Bad Guys?

It’s possible but difficult. The money has reportedly been flooding into hackers’ accounts and investigators can track the money and see where the bitcoin ends up. “Despite what people tend to think, it’s highly traceable,” Clifford Neuman, who directs the University of Southern California’s Center for Computer Systems Security. told the Washington Post.

However, hackers are still able to hide and launder the bitcoins in many different ways. Investigators will also examine the code itself as hackers often leave identifiable traces of their work. You can watch as some of these wallets are receiving money in real time.

Here Are 8 Things To Do About It (apart from having weapons-grade backups)

  1. Check your firewall configuration and make sure no criminal network traffic is allowed out, and disable SMBv1 on all machines immediately
  2. From here on out with any ransomware infection, wipe the machine and re-image from bare metal
  3. If you have no Secure Email Gateway (SEG), get one that does URL filtering and make sure it’s tuned correctly
  4. Make sure your endpoints are patched religiously, OS and 3rd Party Apps
  5. Make sure your endpoints and web-gateway have next-gen, frequently updated (a few hours or shorter) security layers
  6. Identify users that handle sensitive information and enforce some form of higher-trust authentication (like 2FA)
  7. Review your internal security Policies and Procedures, specifically related to financial transactions to prevent CEO Fraud
  8. Deploy new-school security awareness training, which includes simulated social engineering tests via multiple channels, not just email.

See How Sentree Systems, Corp. can Help!!


Learn More!

 

Share

Posted in: Monthly Security Brief, Newsletter Topics, Security Awareness Training, Tech News, Tech Tips for Business Owners

Leave a Comment (0) →
Page 2 of 26 12345...»
Real Time Web Analytics