Incident Response

Petya Ransomware Strikes Computer Networks Worldwide

Just this morning, a deadly new strain of ransomware called Petya was spotted in the wild — and it is spreading rapidly. According to ABC News, there have been reports of Petya striking government systems and telecommunications providers throughout Europe. There are also unconfirmed reports that systems in North America may be impacted as well.

Containment and Response:

  1. Immediately disconnect as many computers, servers, backups, USB thumb drives, external hard drives, laptops, WiFi links and other means of data communication as possible.
  2. Implement firewall rules that block inbound and outbound TCP and UDP traffic on ports 137, 138, 139, 445 and 3389 at all levels.
  3. Begin patching systems as soon as possible. The recommended patches are as follows:
    • Windows Server 2008 (all editions) – KB4012598
    • Windows Server 2008 R2 – KB4012212 (security only) or KB4012215 (monthly rollup)
    • Windows 7 – KB4012212 (security only) or KB4012215 (monthly rollup)
    • Windows 10 (all editions) – KB4012606 or KB4013198 or KB4013429
    • Windows Server 2012 – KB4012214 (security only) or KB4012217 (monthly rollup)
    • Windows Server 2012 R2 – KB4012213 (security only) or KB4012216 (monthly rollup)

Net Force will be available to respond to all requests for cybersecurity consulting and advisory during any cybersecurity or ransomware attack.

WCry Ransomware Attacks Hit Global Computer Networks

A massive ransomware campaign is attacking organizations in multiple countries as we write this post. The number of victims keeps growing, and this latest string of ransomware attacks has expanded tremendously over the last few hours. According to NPR, there are reports of Spain’s largest telecom being hit. At least 16 hospitals in England’s National Health Service are impacted. There are also unconfirmed reports that Frankfurt International Airport is a victim as well.

Ransomware was estimated to be a billion dollar business in 2016 and it will keep growing.

All of the attacks are being blamed on the same malware, called WCry, WannaCry, or Wana Decryptor. Wana Decryptor exploits a Windows flaw that was patched in Microsoft’s Security Bulletin MS17-010, which was disclosed back in March 2017.

Containment and Response:

  1. Immediately disconnect as many computers, servers, backups, USB thumb drives, external hard drives, laptops, WiFi links and other means of data communication as possible.
  2. If that isn’t possible, implement firewall rules that block all inbound and outbound TCP and UDP traffic on ports 137, 138, 139, 445 and 3389 at all levels.
  3. Begin patching systems as soon as humanly possible. The patches are as follows:
    • Windows Server 2008 (all editions) – KB4012598
    • Windows Server 2008 R2 – KB4012212 (security only) or KB4012215 (monthly rollup)
    • Windows 7 – KB4012212 (security only) or KB4012215 (monthly rollup)
    • Windows 10 (all editions) – KB4012606 or KB4013198 or KB4013429
    • Windows Server 2012 – KB4012214 (security only) or KB4012217 (monthly rollup)
    • Windows Server 2012 R2 – KB4012213 (security only) or KB4012216 (monthly rollup)
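The containment steps in both the WCry and the Petya posts are the same: block the NetBIOS/SMB/RDP ports at the host firewall and confirm the MS17-010 patch is installed. The script below is an added example, not code from Net Force or from either post. It assumes Windows PowerShell 3.0 or later in an elevated session, and it deliberately uses netsh rather than New-NetFirewallRule so that the same script runs on Windows 7 / Server 2008 R2, which lack the NetSecurity module. The rule names and the Add-ContainmentRules / Test-AdvisoryPatch function names are my own; the port numbers and KB numbers are the ones listed above.

```powershell
# Added example for the containment steps above (not code from the original
# post). Assumes Windows PowerShell 3.0+ in an elevated session. netsh is used
# instead of New-NetFirewallRule so this also runs on Windows 7 / Server 2008 R2.

# Ports named in the advisory: 137-139 (NetBIOS), 445 (SMB), 3389 (RDP).
$Ports = '137,138,139,445,3389'

# KBs named in the advisory, keyed by a substring of the OS caption.
# [ordered] so 'Server 2008 R2' is tested before 'Server 2008' (the R2
# caption also contains the shorter string).
$PatchMap = [ordered]@{
    'Windows Server 2008 R2' = @('KB4012212', 'KB4012215')
    'Windows Server 2008'    = @('KB4012598')
    'Windows Server 2012 R2' = @('KB4012213', 'KB4012216')
    'Windows Server 2012'    = @('KB4012214', 'KB4012217')
    'Windows 7'              = @('KB4012212', 'KB4012215')
    'Windows 10'             = @('KB4012606', 'KB4013198', 'KB4013429')
}

function Add-ContainmentRules {
    # Explicit block rules take precedence over allow rules in the Windows
    # Firewall, so these bite even where File and Printer Sharing is enabled.
    foreach ($proto in 'TCP', 'UDP') {
        # Inbound connections are matched on the local (listening) port.
        netsh advfirewall firewall add rule name="Contain-In-$proto" `
            dir=in action=block protocol=$proto localport=$Ports | Out-Null
        # An outbound connection to a remote SMB/RDP service carries the port
        # as its *remote* port, so the outbound rule matches on remoteport.
        netsh advfirewall firewall add rule name="Contain-Out-$proto" `
            dir=out action=block protocol=$proto remoteport=$Ports | Out-Null
    }
}

function Test-AdvisoryPatch {
    # Reports which of the advisory KBs for this OS are present in Get-HotFix.
    $caption   = (Get-WmiObject -Class Win32_OperatingSystem).Caption
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($os in $PatchMap.Keys) {
        if ($caption -like "*$os*") {
            $found = @($PatchMap[$os] | Where-Object { $installed -contains $_ })
            $state = if ($found.Count -gt 0) { $found -join ', ' } else { 'NONE - patch now' }
            return [pscustomobject]@{
                OS       = $caption
                Expected = $PatchMap[$os] -join ', '
                Found    = $state
            }
        }
    }
    [pscustomobject]@{ OS = $caption; Expected = 'not in advisory list'; Found = 'n/a' }
}

Add-ContainmentRules
Test-AdvisoryPatch | Format-List
```

Two caveats when using it. The block rules cover 3389, so run this from a console or out-of-band session rather than over RDP, or you will cut off your own access. And on Windows 10 the listed KBs are cumulative updates that later cumulative updates supersede, so a fully patched machine may legitimately show none of them; treat an empty Found column as a prompt to check update history, not as proof of exposure.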

Net Force will be available to respond to all requests for cybersecurity consulting and advisory during any cybersecurity or ransomware attack.

Don’t shoot the #Infosec Messenger

When making a security disclosure to any organization or company, one must be delicate and careful in how the message to the recipient is crafted. It is not an easy process to disclose that there are issues, especially when the disclosure is unsolicited. No one likes to hear that there are issues in their cybersecurity.

However, to the companies and organizations who receive these disclosures: please take a moment and do not shoot the infosec messenger. For someone who identifies security issues day in and day out, it is a thankless job. Countless hours are poured into information data sets, and at the end of the day they rarely see a bug bounty like the ones you hear about from Facebook or Twitter.

It is extremely sad to hear that the recipient of such a disclosure jumps to the conclusion that the messenger is a rogue, malicious actor. Think about it for a moment. The fact that an individual or entity took the time to say something to your organization or company should generally be an indicator that their intentions are not malicious, that they potentially found something of interest, and that it might be worthwhile to investigate. If their intent were malicious, they would never have taken the time to reach out and say “there’s a potential problem and it doesn’t hurt to take a few moments to look at it with some scrutiny.”

It is also not an opportunity to be disrespectful or unprofessional to the individual or party who reached out to you, nor an opportunity to insult their analysis. They most certainly do not understand your business processes, but they may very well have information or intelligence feeds that you do not know exist. The really good researchers know how to leverage those intelligence feeds and do not need to launch any tools or scans against your infrastructure to determine that there are security issues.

Being disrespectful or unprofessional to this very individual or company may lead to awkward moments in the future, when they may be the people you call to help you out with security issues or data breaches.

If there are questions about the analysis, it never hurts to ASK politely and professionally. If the conclusion is incorrect, or the data doesn’t match, ask them how they drew their conclusions and performed their analysis (you most certainly do not have to volunteer any information to them, given social engineering concerns). Most entities whose intent is to help you will offer information on how they drew their conclusions and share with you what they found.

It is never wise to burn a bridge.

2014 WRCCDC Overview and Debrief

The idea behind CCDC (Collegiate Cyber Defense Competitions) and competitions like it is to allow students to showcase their skills and abilities in a pseudo-real-world situation. These competitions are a wonderful addition to the Information Technology world and generally provide a positive addition to any student’s learning experience.

I am a Red Team member; it is my job to make your lives hell during competition. I use tools, skills, and Google to make your lives even worse than the Black Team does. I’m writing out this post for you Blue Team members to understand what Red Team does and how to possibly prevent Red Team from living on your Domain Controllers.

Blue teams are naturally at a disadvantage in this style of competition due to the nature of the beast. The attackers can gain footholds faster than patches can be applied or passwords changed. At WRCCDC the hour head start that teams get should be used to prioritize your risk, apply as many patches as possible, remove basic vulnerable services, audit user accounts, and check for basic password strength. Yes, the machines provided are often broken, running Red Star Linux or Server Core, but a simple reimage can solve many problems. The point cost of a reimage is lower than the cost of having me sit on a Server Core machine that your domain administrator does not know how to properly manage. From my position on a DC, I control access to every Windows machine on the network and can pivot from any machine to another. This type of access allowed me to maintain persistence until the end of CCDC. By adding new domain administrator accounts and pivoting from DCs to client machines, so that the traffic appeared to originate from the DC, I was able to stay stealthier than if I had connected to every machine from my Cobalt Strike server or client.

Here is some low-hanging fruit that every blue team should know and think about:

  • Lack of user account auditing. Honestly, does “whiteteam” need to be a domain admin?
  • Creation of domain admin accounts. C1utch was all over your boxes, blue teams.
  • Know what services are actually needed; disable or patch anything that you possibly can. By removing attack surface, the threat map gets smaller.
  • Look for default passwords and schemas. PostgreSQL this year was running as postgres with no password and the default template1. This allowed me to dump SSH keys and maintain access to those machines.
  • Service filtering. Stop SMB from traversing the router if possible; this removes many of the methods I use to maintain persistence.
  • IPv6 is a thing. Know what it is, and how to use it or disable it.
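The checklist above is what a blue team should run through in the head-start hour. The script below is an added example of doing that quickly on a Windows DC; it is not code from the post or from WRCCDC. It assumes Windows Server 2012 or later with the ActiveDirectory RSAT module, run as a domain admin on the DC. The function names and the $ApprovedDomainAdmins allow-list are my own placeholders; the team fills in the allow-list with the accounts they actually recognise. The PostgreSQL item is a Linux-side check and is not covered here.

```powershell
# Added example for the blue-team checklist above (not code from the original
# post). Assumes Windows Server 2012+ with the ActiveDirectory RSAT module,
# run as a domain admin on the DC. $ApprovedDomainAdmins is a placeholder.

$ApprovedDomainAdmins = @('Administrator')   # placeholder: your real DA list

function Get-UnexpectedDomainAdmins {
    # Recursive membership of Domain Admins minus the allow-list. An account
    # like the "whiteteam" one mentioned in the post would surface here.
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $ApprovedDomainAdmins -notcontains $_.SamAccountName } |
        Select-Object SamAccountName, objectClass, distinguishedName
}

function Get-ListeningServices {
    # Non-loopback TCP listeners mapped to their owning process, so the team
    # can decide what is actually needed and disable or patch the rest.
    Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalAddress -notin '127.0.0.1', '::1' } |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $name = if ($p) { $p.ProcessName } else { 'unknown' }
            [pscustomobject]@{
                Address = $_.LocalAddress
                Port    = $_.LocalPort
                PID     = $_.OwningProcess
                Process = $name
            }
        } | Sort-Object Port, Address
}

function Get-SmbBlockRules {
    # Enabled inbound block rules that cover TCP 445. An empty result means SMB
    # on this host is reachable from anything the router lets through.
    Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -contains '445' } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Block' -and $_.Enabled -eq 'True' } |
        Select-Object DisplayName, Profile
}

function Get-IPv6BindingState {
    # Adapters with IPv6 still bound. If nobody on the team is managing IPv6,
    # Disable-NetAdapterBinding -ComponentID ms_tcpip6 turns it off per adapter.
    Get-NetAdapterBinding -ComponentID ms_tcpip6 | Select-Object Name, Enabled
}

'== Domain Admins not on the allow-list =='
Get-UnexpectedDomainAdmins | Format-Table -AutoSize
'== Non-loopback TCP listeners =='
Get-ListeningServices | Format-Table -AutoSize
'== Inbound block rules covering TCP 445 =='
Get-SmbBlockRules | Format-Table -AutoSize
'== IPv6 binding per adapter =='
Get-IPv6BindingState | Format-Table -AutoSize
```

Run it once at the start of the head-start hour and again after changes, and diff the two Domain Admins lists during the competition: a new entry appearing mid-game is exactly the "creation of domain admin accounts" item above.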

Rupert Cunningham says hello by the way.

CyberPatriot National Finals this week

This weekend marks the end of CyberPatriot VI with the National Competition at the Gaylord National Convention Center in National Harbor, MD. It has been an amazing journey these last few months guiding and training these brilliant young minds at Troy High School. As my responsibilities and duties conclude for this season of CyberPatriot VI, I reflect upon the joys, the frustrations, the highs and the lows. And yet, I cannot help but smile and experience joy at every moment. Honestly, I felt like I got the better end of the deal. I gained so much more and grew in so many ways that I think my mentees do not even realize.

I want to say it’s easy being a cybersecurity mentor, but it is almost like a full-time job. Thankfully my colleagues at Net Force have been gracious enough to allow me some leeway to make up hours in the evening during mentorship sessions. Thank you to my colleagues for the flexibility and patience with my ever-changing schedule.

I am extremely proud of each member of this year’s CyberPatriot VI team at Troy High School. I kept throwing more at them and they kept rising to the challenge.

I encourage everyone to consider mentoring a team or a few students next year. It is extremely rewarding, emotionally and spiritually.

To next year’s mentors:

  • Care for your mentees. Make that emotional investment. There is nothing more rewarding than when they see you and their faces light up. Especially in victories, when they see you they will come running to hug you. You will in many ways become an older brother or sister figure in their lives.
  • Be patient. Be compassionate. Be merciful. Be full of grace and forgiveness. Mentees will drive you crazy. Mentees will make mistakes. This is all part of the learning process. That is why they are here: to learn, to grow.
  • Be accessible. Be available. Students hear the word mentor and they automatically put distance between themselves and you. Close the gap and engage them. Engage all of them. Even that shy mentee in the corner. Get to know who they are.
  • Encourage your mentees. Build them up. It is easy to become discouraged. Each student has unlimited potential. We as mentors need to teach them how to harness that potential.
  • Everything matters. The technical skills. The soft skills. The behavior. Who they become as an individual. Help them to become better men and women. Groom them to be polite, respectful, honorable young men and women. They will adopt your behavior, your good and bad habits. Chivalry is not dead. 😉
  • It is okay to not know everything. I will be the first to say I don’t know everything, or anything. Don’t be afraid to ask for resources, help, guidance and wisdom. I attribute much of my success with my group of mentees this year not to my own knowledge or doing, but to going out and asking questions, seeing how my professors and other coaches and mentors approach things, and actively listening to them. Everyone will share with you a small bit of information about what worked and what didn’t work for them. Focus on your strengths. Identify your weaknesses. Let those who have strengths in your weaknesses help you.
  • Most importantly: what you do matters. By being a part of their lives, you will shift their lives in ways you will never know or understand. Positively influence them. You will inspire them to achieve great things.

To my mentees/protégés/future colleagues/friends/brothers in cybersecurity:

  • If you happen to win this week, awesome, but give it your all. Have no regrets. At the end of the competition, walk away with your heads held high knowing you did your best at that moment in time.
  • Be confident in your skills. You know your stuff. You have been preparing this entire academic year. You are ready. Remember, this is a journey of a lifetime. This is only the beginning of something amazing. Not the end. Tomorrow is and will be another day. This is the time of your lives right now. You’re never going to forget it. It will be all over in a moment. No sad faces. No regrets. Just go out there tomorrow and have a blast. Live it. Carpé Momentum. (Seize the Moment). Have fun.
  • I have complete confidence in each of your abilities, talents, skills, knowledge.
  • I’m extremely proud of each and every one of you. Each of you has grown so much, and I cannot stress enough that each of you is an amazing individual. You’ve won my admiration and my respect, and I look forward to the day each of you joins the ranks of this industry full-time. Each of you has accomplished much this year, and to the senior class that is leaving high school: I hope all of you will return and mentor future CyberPatriot teams and individuals. I hope you will also look at being part of the US Cyber Challenge.

If you are in the National Harbor, MD or DC Metro area this week, I encourage everyone to come out this Friday, March 28 and check out CyberPatriot VI. Tours will be given all day at the competition venue (Gaylord National Center).
