
Petya Ransomware Strikes Computer Networks Worldwide

Just this morning, a deadly new strain of ransomware called Petya was spotted in the wild, and it is spreading rapidly. According to ABC News, there have been reports of Petya striking government systems and telecommunications providers throughout Europe. There are also unconfirmed reports that systems in North America may be affected as well.

Containment and Response:

  1. Immediately disconnect as many computers, servers, backups, USB thumb drives, external hard drives, laptops, WiFi and any other means of data communication as you can.
  2. Implement firewall rules that block inbound and outbound TCP and UDP traffic on ports 137, 138, 139, 445, and 3389 at all levels.
  3. Begin patching systems as soon as possible. The recommended patches are as follows:
  • Windows Server 2008 (all editions) – KB4012598
  • Windows Server 2008 R2 – KB4012212 (security only) or KB4012215 (monthly rollup)
  • Windows 7 – KB4012212 (security only) or KB4012215 (monthly rollup)
  • Windows 10 (all editions) – KB4012606 or KB4013198 or KB4013429
  • Windows Server 2012 – KB4012214 (security only) or KB4012217 (monthly rollup)
  • Windows Server 2012 R2 – KB4012213 (security only) or KB4012216 (monthly rollup)

Net Force will be available to respond to all requests for cybersecurity consulting and advisory during any cybersecurity or ransomware attack.

WCry Ransomware Attacks Hit Global Computer Networks

A huge ransomware campaign is attacking organizations in multiple countries as we write this blog. The number of victims keeps growing, and this latest string of ransomware attacks has grown tremendously over the last few hours. According to NPR, there are reports of Spain’s largest telecom being hit. At least 16 hospitals in England’s National Health Service are impacted. There are also unconfirmed reports that Frankfurt International Airport is a victim as well.

Ransomware was estimated to be a billion-dollar business in 2016, and it will keep growing.

All of the attacks are being blamed on the same malware, called WCry, WannaCry, or Wana Decryptor. Wana Decryptor exploits a Windows flaw that was patched in Microsoft’s Security Bulletin MS17-010, which was disclosed back in March 2017.

Containment and Response:

  1. Immediately disconnect as many computers, servers, backups, USB thumb drives, external hard drives, laptops, WiFi and any other means of data communication as you can.
  2. If that isn’t possible, implement firewall rules that block all inbound and outbound TCP and UDP traffic on ports 137, 138, 139, 445 and 3389 at all levels.
  3. Begin patching systems as soon as humanly possible. The patches are as follows:
  • Windows Server 2008 (all editions) – KB4012598
  • Windows Server 2008 R2 – KB4012212 (security only) or KB4012215 (monthly rollup)
  • Windows 7 – KB4012212 (security only) or KB4012215 (monthly rollup)
  • Windows 10 (all editions) – KB4012606 or KB4013198 or KB4013429
  • Windows Server 2012 – KB4012214 (security only) or KB4012217 (monthly rollup)
  • Windows Server 2012 R2 – KB4012213 (security only) or KB4012216 (monthly rollup)
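The containment steps in this post and in the Petya post above are the same procedure. The PowerShell below is an added example, not Net Force's code: it checks the local host for the KBs listed above and creates the port-block firewall rules from step 2. It assumes an elevated PowerShell 5.1 session and matches the OS by substring of its caption.

```powershell
# Added example, not part of the original post: audit the local host for the
# MS17-010 KBs listed above and apply the port blocks. Run elevated (PS 5.1).
$PatchMap = @{
    'Windows Server 2008 R2' = @('KB4012212', 'KB4012215')
    'Windows Server 2008'    = @('KB4012598')
    'Windows Server 2012 R2' = @('KB4012213', 'KB4012216')
    'Windows Server 2012'    = @('KB4012214', 'KB4012217')
    'Windows 7'              = @('KB4012212', 'KB4012215')
    'Windows 10'             = @('KB4012606', 'KB4013198', 'KB4013429')
}

function Test-Ms17010Patch {
    $caption = (Get-CimInstance Win32_OperatingSystem).Caption
    # Longest key first so "Server 2012 R2" is not matched as "Server 2012".
    $osKey = $PatchMap.Keys | Sort-Object Length -Descending |
             Where-Object { $caption -like "*$_*" } | Select-Object -First 1
    if (-not $osKey) {
        Write-Warning "'$caption' is not in the post's list; verify MS17-010 manually."
        return
    }
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $hits = @($PatchMap[$osKey] | Where-Object { $installed -contains $_ })
    if ($hits.Count -gt 0) {
        Write-Output "$osKey is patched: $($hits -join ', ')"
    } else {
        # A later cumulative update supersedes these KBs without listing them,
        # so treat this as a prompt to verify, not as proof of exposure.
        Write-Warning "$osKey is missing $($PatchMap[$osKey] -join ' / ')"
    }
}

function Block-ContainmentPorts {
    # Blocks NetBIOS (137-139), SMB (445) and RDP (3389) both ways. This breaks
    # file shares, GPO processing and remote desktop; that is the point of containment.
    # Needs the NetSecurity module (Windows 8 / Server 2012+); on 2008 / 7 use netsh advfirewall.
    $ports = 137, 138, 139, 445, 3389
    foreach ($proto in 'TCP', 'UDP') {
        foreach ($dir in 'Inbound', 'Outbound') {
            $name = "Containment-$proto-$dir"
            if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
            $rule = @{ DisplayName = $name; Direction = $dir; Protocol = $proto
                       Action = 'Block'; Profile = 'Any' }
            # Inbound rules match the local port; outbound rules match the remote port.
            if ($dir -eq 'Inbound') { $rule.LocalPort = $ports } else { $rule.RemotePort = $ports }
            New-NetFirewallRule @rule | Out-Null
        }
    }
}

Test-Ms17010Patch
Block-ContainmentPorts
```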

Net Force will be available to respond to all requests for cybersecurity consulting and advisory during any cybersecurity or ransomware attack.

Worst Passwords of 2014

Passwords are often the first and last defense for organizations, banking accounts, medical accounts, etc. People love to build their passwords from the following:

  • Information from social media about what you “like”, i.e. sports teams, book titles, movie titles, etc.
  • Your favorite sports team or sport
  • An important date (birthday, anniversary, other significant dates)
  • Swear words and profanity, including, but not limited to, profanity in other languages
  • Simple dictionary words that lack additional complexity (upper case, lower case, numbers, and special characters)

At Net Force, we recommend the use of passphrases instead of passwords. A phrase could be something as simple as “ILuvMyDaughter&Son:DianaandTim!”

It not only has length, it also has complex elements that make brute forcing or cracking the password challenging, though not impossible.

Attributes of a great passphrase include:

  • Length – I mean longer than 14-16 characters. My example “ILuvMyDaughter&Son:DianaandTim!” comes out to 31 characters (without the quotation marks).
  • Mixed case – It has upper case and lower case letters scattered throughout the passphrase.
  • Special characters – The ampersand and colon are scattered through the middle of the passphrase. Using multiple special characters always increases the difficulty of cracking the password.

For those of you who have a password on the following list, I think it is time to change your password.

  1. 123456
  2. password
  3. 12345
  4. 12345678
  5. qwerty
  6. 1234567890
  7. 1234
  8. baseball
  9. dragon
  10. football
  11. 1234567
  12. monkey
  13. letmein
  14. abc123
  15. 111111
  16. mustang
  17. access
  18. shadow
  19. master
  20. michael
  21. superman
  22. 696969
  23. 123123
  24. batman
  25. trustno1
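To turn the passphrase attributes above and the worst-passwords list into a repeatable check, here is an added PowerShell example (not part of the original post). The 14-character minimum is taken from the post; the function also catches passwords built on a list entry by stripping digits and symbols before comparing.

```powershell
# Added example, not part of the original post: check a candidate against the
# passphrase attributes above and against the post's 25 worst passwords.
$WorstPasswords = @('123456','password','12345','12345678','qwerty','1234567890',
    '1234','baseball','dragon','football','1234567','monkey','letmein','abc123',
    '111111','mustang','access','shadow','master','michael','superman','696969',
    '123123','batman','trustno1')

function Test-Passphrase {
    param([Parameter(Mandatory)][string]$Candidate, [int]$MinLength = 14)
    $findings = New-Object System.Collections.Generic.List[string]
    $lower = $Candidate.ToLowerInvariant()
    # Also compare the bare letters, so "Baseball1!" is still caught as "baseball".
    $letters = $lower -replace '[^a-z]', ''
    if ($WorstPasswords -contains $lower -or
        ($letters.Length -gt 0 -and $WorstPasswords -contains $letters)) {
        $findings.Add('built on a worst-passwords list entry')
    }
    if ($Candidate.Length -lt $MinLength) { $findings.Add("shorter than $MinLength characters") }
    # -cnotmatch is case-sensitive; plain -match would treat [A-Z] and [a-z] alike.
    if ($Candidate -cnotmatch '[A-Z]' -or $Candidate -cnotmatch '[a-z]') { $findings.Add('not mixed case') }
    $specials = [regex]::Matches($Candidate, '[^A-Za-z0-9]').Count
    if ($specials -eq 0) {
        $findings.Add('no special characters')
    } elseif ($Candidate.Length -gt 2 -and
              $Candidate.Substring(1, $Candidate.Length - 2) -notmatch '[^A-Za-z0-9]') {
        # The post wants symbols scattered through the middle, not tacked on the ends.
        $findings.Add('special characters only at the ends')
    }
    [pscustomobject]@{
        Candidate  = $Candidate
        Length     = $Candidate.Length
        Specials   = $specials
        Acceptable = ($findings.Count -eq 0)
        Findings   = ($findings -join '; ')
    }
}

# The post's own example passes; the other two show typical failures.
'ILuvMyDaughter&Son:DianaandTim!', 'trustno1', 'Baseball1!' |
    ForEach-Object { Test-Passphrase $_ } | Format-Table -AutoSize
```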

 

Don’t shoot the #Infosec Messenger

When making a security disclosure to any organization or company, one must be delicate and careful about how the message to the recipient is crafted. It is not an easy process to disclose that there are issues, especially when the disclosure is unsolicited. No one likes to hear that there are issues in their cybersecurity.

However, to the companies and organizations who receive these disclosures: please take a moment and don’t shoot the infosec messenger. For someone who identifies security issues day in and day out, it is a thankless job. Countless hours are poured into information data sets, and at the end of the day they rarely see a bug bounty like the ones you hear about from Facebook or Twitter.

It is extremely sad to hear that the recipient of a disclosure jumps to the conclusion that the messenger is a rogue, malicious actor. Think about it for a moment. The fact that an individual or entity took the time to say something to your organization or company should generally be an indicator that their intentions are not malicious, that they potentially found something of interest, and that it might be worthwhile to investigate. If their intent were malicious, they would never have taken the time to reach out and say “there’s a potential problem and it doesn’t hurt to take a few moments to look at it with some scrutiny.”

It is also not an opportunity to be disrespectful or unprofessional to the individual or party who reached out to contact you, nor an opportunity to insult their analysis. They most certainly do not understand your business processes, but they may very well have information or intelligence feeds that you do not know exist. The really good researchers know how to leverage those intelligence feeds and do not need to launch any tools or scans against your infrastructure to determine that there are security issues.

Being disrespectful or unprofessional to this very individual or company may lead to awkward moments in the future, when they may be the people you call to help you out during a security incident or data breach.

If there are questions about the analysis, it never hurts to ASK politely and professionally. If the conclusion is incorrect or the data doesn’t match, ask them how they drew their conclusions and performed their analysis (you most certainly do not have to volunteer any information to them, for social engineering reasons). Most entities whose intent is to help you will offer information on how they drew their conclusions and share what they found.

It is never wise to burn a bridge.

2014 WRCCDC Overview and Debrief

The idea behind CCDC (Collegiate Cyber Defense Competitions) and competitions like it is to allow students to showcase their skills and abilities in a pseudo-real-world situation. These competitions are a wonderful addition to the Information Technology world and generally provide a positive addition to any student’s learning experience.

I am a Red Team member; it is my job to make your lives hell during the competition. I use tools, skills, and Google to make your lives even worse than the Black Team does. I am writing this post so that you Blue Team members understand what Red Team does and how you might prevent Red Team from living on your Domain Controllers.

Blue teams are naturally at a disadvantage in this style of competition; that is the nature of the beast. The attackers can gain footholds faster than patches can be applied or passwords changed. At WRCCDC, the one-hour head start that teams get should be used to prioritize your risk, apply as many patches as possible, remove basic vulnerable services, audit user accounts, and check for basic password strength. Yes, the machines provided are often broken, running Red Star Linux or Server Core, but a simple reimage can solve many problems. The point cost of a reimage is less than the cost of having me sit on a Server Core machine that your domain administrator does not know how to manage properly. From my position on a DC, I control access to every Windows machine on the network and can pivot from any machine to another. This type of access allowed me to maintain persistence until the end of CCDC. By adding new domain administrator accounts and pivoting from DCs to client machines, with the traffic appearing to originate from the DC, I was able to stay stealthier than if I had connected to every machine from my Cobalt Strike server or client.

Here is some low-hanging fruit that every blue team should know about and think about:

  • Lack of user account auditing. Honestly, does “whiteteam” need to be a domain admin?
  • Creation of domain admin accounts. C1utch was all over your boxes, blue teams.
  • Know what services are actually needed, and disable or patch everything you possibly can. Removing attack surface shrinks the threat map.
  • Look for default passwords and schemas. PostgreSQL this year was running as postgres with no password and the default template1 database. This allowed me to dump SSH keys and maintain access to those machines.
  • Service filtering. Stop SMB from traversing the router if possible; this removes many of the methods I use to maintain persistence.
  • IPv6 is a thing. Know what it is and how to use it, or disable it.
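The first two items above (account auditing and newly created domain admin accounts) can be checked in the first hour with a few lines of PowerShell. This is an added example, not part of the original post; it assumes the RSAT ActiveDirectory module, and the approved baseline and time window are placeholders you would replace with your own.

```powershell
# Added example, not part of the original post: list Domain Admins members that
# are not on an approved baseline or were created recently. Needs the RSAT
# ActiveDirectory module. The baseline and window below are assumptions.
function Get-SuspectDomainAdmins {
    param(
        [string[]]$Approved = @('Administrator'),  # assumption: your real DA baseline
        [int]$NewWithinHours = 8                    # assumption: the competition window
    )
    $cutoff = (Get-Date).AddHours(-$NewWithinHours)
    # -Recursive catches accounts hidden behind nested group membership.
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName -Properties whenCreated
            [pscustomobject]@{
                Name       = $u.SamAccountName
                Enabled    = $u.Enabled
                Created    = $u.whenCreated
                Unexpected = $Approved -notcontains $u.SamAccountName
                NewAccount = $u.whenCreated -gt $cutoff
            }
        } |
        Where-Object { $_.Unexpected -or $_.NewAccount }
}

$suspects = Get-SuspectDomainAdmins
$suspects | Format-Table -AutoSize
# Review the list, then strip the members you did not create. -WhatIf shows the
# change without applying it; drop it once you are sure.
$suspects | Where-Object Unexpected | ForEach-Object {
    Remove-ADGroupMember -Identity 'Domain Admins' -Members $_.Name -Confirm:$false -WhatIf
}
```

Run it again at intervals during the competition; a member that appears between runs is exactly the "creation of domain admin accounts" the post warns about.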

Rupert Cunningham says hello by the way.
