Tag Archives: Ransomware

Responding to Wana Decrypt0r / WanaCrypt0r Infections

As I am sure you are aware, earlier this week a new variant of ransomware named WanaCrypt0r (also known as WannaCry) began to infect many systems worldwide using a vulnerability patched in March 2017. The infections were especially severe in the UK (hospitals were affected) and Spain (banks, the ISP Telefonica and gas/electricity providers), among many other countries. The infections spread in a worm (defined) like fashion.

The ransomware uses the vulnerability exploited by the “Eternal Blue” exploit, which Microsoft patched in March 2017 with their MS17-010 update. The exploit targets the SMBv1 (defined) protocol and enters a vulnerable system over TCP port 445 (when that port is reachable, whether from the internet or from an already infected machine on the same network). In some instances the Spanish CERT has observed the exploit installing the DoublePulsar backdoor on the compromised system. A live map of this malware’s global infections is available here. Once the malware has access to your system it installs the WanaCrypt0r ransomware to encrypt your files. As detailed by BleepingComputer, it also terminates running database and email server processes so that their files are no longer locked and can be encrypted too.

On the 12th of May, the spread of the malware was temporarily halted by the actions of the malware researcher known as MalwareTech. They registered a domain that the malware queries while installing itself on a system; if the domain responds, the malware halts its installation and does not encrypt your data (acting like a “kill switch”). I use the word temporarily since, as the researcher points out, all the malware authors need to do is choose a different domain and re-release the updated malware (or worse, use a domain generation algorithm (DGA)(defined) to make it much harder for researchers to register the domains in advance). The purpose of the domain check appears to be to detect whether the malware is running inside a malware sandbox (defined), since some sandboxes answer every DNS query with a fake response.

How can I protect myself from this threat?
If you have not already done so, please install the MS17-010 security update (released in March 2017) on your Windows based servers and workstations. Researchers are simply saying “patch your systems” and that is what they mean. Microsoft discusses this advice in more detail in their MSRC blog post.

=======================
Note:
=======================
A full list of the versions of Windows affected by vulnerabilities patched within MS17-010 is provided at the end of this post.

If you are not sure how to update your systems, the links below will assist if you are a consumer or small business. Larger corporations should check with their IT team/system administrators that this update has been installed. If you can, please install all other remaining security updates as well:

Windows Vista
http://windows.microsoft.com/en-us/windows-vista/Turn-automatic-updating-on-or-off

Windows 7
http://windows.microsoft.com/en-US/windows7/products/features/windows-update

Windows 8.1
http://windows.microsoft.com/en-us/windows-8/windows-update-faq

Windows 10
http://pcsupport.about.com/od/keepingupwithupdates/f/windows-updates.htm

Microsoft have since released the MS17-010 update for all other remaining out of support Windows systems namely Windows XP, Windows Server 2003 and Windows 8.0. They are available as direct downloads from their MSRC blog post. I checked earlier today and these updates were not being offered by Windows Update and Automatic Updates for those older versions of Windows, please obtain the updates directly from their MSRC blog post.

While the “kill switch” for this malware was used (as mentioned above), it is very likely to return in the future. The steps below will better prepare you now and for the future.

I am aware Windows Vista is out of support at this time but it was supported when the MS17-010 update was released.

=======================
Update: 15th May 2017:
=======================
It appears a new variant (Uiwix) of this threat is now circulating which does not have a kill switch. This variant does not appear to use a different vulnerability to spread, so the MS17-010 update still applies. Further variants are reportedly in progress.

=======================
Update: 18th May 2017:
=======================
As mentioned above, newer variants of this malware are being made available. They exploit the same vulnerability as WannaCry but do not spread in a worm-like fashion.

I would suggest installing the MS17-010 update as soon as possible, since further ransomware is likely to capitalise on the many devices still exposing the SMB protocol to the internet (approximately 1 million, of which roughly 800k are Windows devices).

Moreover, the ShadowBrokers may release more exploits next month (and continue to do so on a regular basis), but this time we are unlikely to have security updates ready for them in advance. My advice is to be prepared in June.

Thank you.
=======================

=======================
Update: 21st May 2017:
=======================
The EternalRocks worm is now also spreading by exploiting exposed systems over SMB. The advice below to block installation of WannaCrypt should prevent infection of your systems. At this time, the worm is not carrying out malicious actions on infected devices. Instead it is setting up a C&C (C2)(defined) infrastructure, which it may leverage for malicious actions in the future.

=======================
Bayer healthcare equipment was confirmed affected by WannaCry but service was restored in less than 24 hours. Other manufacturers have also issued security advisories:

Siemens

Smiths Medical

Medtronic

Johnson & Johnson

=======================
The US ICS CERT have issued an alert with recommendations for critical infrastructure devices. Affected vendors include those mentioned above as well as GE, Philips, Tridium, Emerson Automation Solutions and Schneider Electric (among others).

Please note the above link for the ICS CERT advisory is https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-135-01D If this advisory is updated it will become https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-135-01E Further updates will change the final letter to F, G and so on.

=======================
ICS CERT also issued an FAQ on WannaCry which you may find useful.
=======================

Additional advice/considerations:
At this time there is no known way to decrypt your files if you have been affected by the WanaCrypt0r ransomware. If you have the option of restoring your files from a backup, please do so. Your only other option is discussed by BleepingComputer at the end of this article.

If you followed the advice earlier in the week and turned off your systems before they were infected, that was a wise precaution. However, when you power them back on you will need to prevent them from becoming infected before you can secure them (for example, keep them off the network until the update is installed). A French security researcher had a honeypot (defined) of theirs infected 6 times in 90 minutes.

If you can, segregate your vulnerable devices (including devices inside your network perimeter) so that they do not expose the following ports:

  • TCP port 445 and the related NetBIOS protocols on UDP ports 137-138
  • TCP port 139
  • Also disable SMBv1 (it is a deprecated protocol)
  • Please also block the Remote Desktop Protocol (RDP) port 3389 (defined) at the entry point to your corporate network, as recommended by the US CERT, to prevent the spread of this malware.

Once you have updated your Windows devices against this vulnerability, please by all means resume normal operations, but follow the advice of the US CERT and avoid having the SMB port exposed to the internet going forward, as a defense in-depth measure (defined)(PDF).
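The following PowerShell script is an added example (it is not from the original post, from Microsoft or from the US CERT) that performs the checks and hardening steps above on a single Windows host: it reports whether one of the MS17-010 KBs is installed, checks and disables the SMBv1 server and client, and adds inbound firewall rules for the ports listed. Assumptions: the KB numbers are those listed in the MS17-010 bulletin (on Windows 10 and Server 2016 later cumulative updates supersede them, so a missing KB there is not proof that the host is unpatched), the registry value and sc.exe commands used on older systems are those Microsoft documents in KB2696547, and the firewall rule names are my own. It must be run from an elevated PowerShell session.

```powershell
# Added example, not from the original post: report MS17-010 status, disable
# SMBv1 and block inbound SMB/NetBIOS/RDP on the Public and Private profiles.
# Run from an elevated PowerShell session.

# KBs carrying the MS17-010 fix (security-only and monthly rollup, per the
# bulletin). Assumption: later cumulative updates on Windows 10 / Server 2016
# supersede the ones listed, so a miss there is not proof of a missing patch.
$Ms17010Kbs = @(
    'KB4012598',              # XP, Server 2003, Vista, Server 2008, 8.0
    'KB4012212', 'KB4012215', # Windows 7 / Server 2008 R2
    'KB4012213', 'KB4012216', # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217', # Windows Server 2012
    'KB4012606',              # Windows 10 version 1507
    'KB4013198',              # Windows 10 version 1511
    'KB4013429'               # Windows 10 version 1607 / Server 2016
)

$LanmanServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Ms17010Status {
    # Returns the installed MS17-010 KB IDs; an empty array means none was found.
    $found = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    return @($found | ForEach-Object { $_.HotFixID })
}

function Test-Smb1Enabled {
    # True if the SMBv1 server is enabled. The SmbShare cmdlets exist on
    # Windows 8 / Server 2012 and later; older systems use the registry value
    # from KB2696547, where a missing value or 1 means SMBv1 is on.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $value = (Get-ItemProperty -Path $LanmanServerKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $value) -or ($value -ne 0)
}

function Disable-Smb1 {
    # Turns off the SMBv1 server (immediate) and client (after a reboot).
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $LanmanServerKey -Name SMB1 -Type DWord -Value 0 -Force
    }
    # Client side (KB2696547): remove the mrxsmb10 dependency, then disable it.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null
}

function Block-SmbInbound {
    # Adds block rules for the ports listed in the post. The Domain profile is
    # excluded on purpose: blocking 445 there breaks file shares and Group Policy.
    # Rule names are this example's own; re-running does not duplicate rules.
    param([string[]]$Profiles = @('Public', 'Private'))
    $rules = @(
        @{ Name = 'WannaCry mitigation - block TCP 139/445'; Protocol = 'TCP'; Ports = @('139', '445') },
        @{ Name = 'WannaCry mitigation - block UDP 137-138'; Protocol = 'UDP'; Ports = @('137-138') },
        @{ Name = 'WannaCry mitigation - block RDP 3389';    Protocol = 'TCP'; Ports = @('3389') }
    )
    foreach ($rule in $rules) {
        if (Get-NetFirewallRule -DisplayName $rule.Name -ErrorAction SilentlyContinue) { continue }
        New-NetFirewallRule -DisplayName $rule.Name -Direction Inbound -Action Block `
            -Protocol $rule.Protocol -LocalPort $rule.Ports -Profile $Profiles | Out-Null
    }
}

# Report first, then remediate what can be fixed without the update.
$installed = Get-Ms17010Status
if ($installed.Count -eq 0) {
    Write-Warning 'No MS17-010 KB found. Install the update before putting this host back on the network.'
} else {
    Write-Host "MS17-010 is present via $($installed -join ', ')"
}
if (Test-Smb1Enabled) {
    Write-Warning 'SMBv1 is enabled; disabling server and client (client change needs a reboot).'
    Disable-Smb1
}
Block-SmbInbound
```

Blocking inbound 445 on the Domain profile is deliberately left out: doing so on a domain member or domain controller breaks file sharing and Group Policy, which is why the network perimeter (rather than every host) is the place to enforce the internet-facing block. Disabling the SMBv1 client takes effect only after a reboot, so verify the state again once the host has restarted.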

Other recommendations are as follows:

  • It’s important to understand that installing the update mentioned in this post stops the worm from exploiting the SMB vulnerability to get onto your Windows systems from another infected machine. It does not protect against other infection routes: if you click on a link in a suspicious email (or another source) the ransomware may still be downloaded and will encrypt/affect that system.
  • For any critical systems, ask if they really need to be connected to the internet or not? Avoid unnecessarily connecting them.
  • Provide your staff with security awareness training (defined)(PDF). This will reduce the chance of this malware infecting your systems by means of phishing (defined) (which can still encrypt your data even if you have installed the above recommended security update; that update only blocks the SMB-based spread of the infection). According to the US CERT and HelpNetSecurity, phishing has not been confirmed as the initial infection vector for this outbreak, but the training will not reduce your protection.
  • Verify your organization can recover from a ransomware attack like this as part of your Business continuity process (BCP)(defined)(PDF).
  • If you have an incident response team, verify their standard response process against a ransomware attack like this to ensure it is fit for purpose.

Thank you.

=======================
Affected Windows versions:
=======================
While the MS17-010 security bulletin lists which versions of Windows are vulnerable to this ransomware, I have listed them all below (this applies to all 32 and 64 bit versions of Windows listed below):

Windows XP (with Service Pack 3)

Windows Server 2003 (with Service Pack 2)

Windows Vista (with Service Pack 2)

Windows Server 2008 (with Service Pack 2)

Windows Server 2008 (with Service Pack 2)(Server Core installation)(defined)

Windows 7 (with Service Pack 1)

Windows Server 2008 R2 (with Service Pack 1)

Windows Server 2008 R2 (with Service Pack 1)(Server Core installation)

Windows 8.0

Windows 8.1 (with 8.1 Update (April 2014))

Windows Server 2012

Windows Server 2012 (Server Core installation)

Windows Server 2012 R2

Windows Server 2012 R2 (Server Core installation)

Windows RT 8.1

Windows 10 Version 1507

Windows 10 Version 1511

Windows 10 Version 1607

Windows Server 2016

Windows Server 2016 (Server Core installation)

Tampered NSIS installers contain ransomware

In a blog post earlier this month Microsoft provided an in-depth analysis of a new technique in use by ransomware authors to disguise their attempts to hold your data for ransom.

What has made these newly disguised ransomware installers so successful?
These attacks involve tampering with a Nullsoft Scriptable Install System (NSIS) installer (NSIS is used by paid, free and open-source software such as VideoLAN VLC and Wireshark, among others). In contrast to previously altered installers, the attackers have removed their randomly named DLL (defined), which dramatically reduces the chance of detection since far less malicious code is present. The inclusion of non-malicious plugins, an uninstallation component and a legitimate .bmp image file for use with the installer helps to divert attention away from the installer’s real purpose.

The installer instead contains an installation script, which would usually automate the installation of the application for you. In this case, however, an obfuscated (defined here and here) script calls the Win32 API (API, defined) to allocate (reserve and make ready for use) an area of the computer’s memory and then runs a small code fragment there to decrypt the ransomware.

As detailed by Deep Instinct’s security researcher Tom Nipravsky, the script is sophisticated: it operates only in memory and is multi-staged. Moreover, the shell code (defined) uses a technique known as Heaven’s Gate, which lets 32 bit shell code running inside a 32 bit process (defined) switch into 64 bit mode and execute 64 bit code. This makes the work of security researchers more difficult, since debuggers (defined) cannot easily handle a transition from one architecture to another. It also has the benefit of bypassing the API hooks (defined) that anti-malware software places on the 32 bit libraries, because the 64 bit code issues system calls (defined) directly rather than going through the hooked API calls.

Moreover, this ransomware uses a technique known as “process hollowing.” Here the attacker creates a legitimate process in a suspended state (defined), replaces its in-memory code with the code the attacker wishes to hide, and then resumes it. Finally, the attackers keep the payload encrypted inside the NSIS installer, where security vendors currently cannot inspect it; it is only decrypted when it is about to be used.

How can I protect myself from these threats?
Since the tampered NSIS installers originate from emails you should follow the advice from SANS with regards to email:

=============
Use Caution Opening Email Attachments – A common method cyber criminals use to hack into people’s computers is to send them emails with infected attachments. People are tricked into opening these attachments because they appear to come from someone or something they know and trust. Only open email attachments that you were expecting. Not sure about an email? Call the person to confirm they sent it.
=============

Source: https://www.sans.org/tip-of-the-day (date: 1st March 2017)

Microsoft encourages enterprise/corporate users to upgrade to Windows 10 and make use of its security features to defend against this threat.

Full disclosure: I don’t work for or on behalf of Microsoft nor do I wish to promote their products/services. I have simply provided a link to their advice for corporate users who may already have Windows 10 (or are considering upgrading) in order for them to better protect themselves against this and other threats using the security protections it offers.

Thank you.

Mitigating the Increasing Risk Facing Critical Infrastructure and the Internet of Things

With attackers and malware authors extending their reach to more and more areas of our everyday lives, both companies and individuals need to take steps to improve the security of their equipment/devices. It’s not just devices such as thermometers (while important) in our homes that are at risk; devices that impact health and safety, as well as entire communities and economies, are being, or will be, targeted.

For example, last month a cyber-attack took place in Ukraine that, while it only lasted approximately 1 hour, caused a power outage in an entire district of Kiev. The on-going investigation believes the same attackers were responsible for the December 2015 attack (which affected approximately 250,000 people for up to 6 hours).

In a similar manner, a smaller energy company (at an undisclosed location) was a victim of the Samsam ransomware (defined). The attackers initially compromised the web server and used a privilege escalation vulnerability (defined) to install further malware and spread throughout the network. The attackers demanded 1 Bitcoin per infected system. The firm paid the ransom and received a decryption key that did not work.

Fortunately, this energy company had a working backup and was back online after 2 days. The root cause of the infection? Their corporate network was not separated by a DMZ (defined) from their industrial networks. This Dark Reading article also details 2 further examples of businesses using industrial systems that were affected, namely a manufacturing plant and a power plant, both located in Brazil.

Mark Stacey of RSA’s incident response team says that while nation states have not yet employed ransomware against industrial systems, it will certainly happen. He cites the example of a dam, where simply disabling the equipment may not command a large ransom, whereas encrypting the data the equipment requires for its normal operation could.

Former US National Security Official Richard Clarke is suggesting a tried and tested means of increasing the security of all deployed industrial control systems. Since it is very difficult to convince a Board of Directors to provide budget for something that has not happened (and may never happen), he suggests an approach similar to that taken for the Y2K bug: introducing regulations that require all devices to be in a secured state against cyber-attack after a given date. He advocates that electric power, connected car and healthcare providers follow this approach and notes that without regulation “none of this is going to happen.” Since these regulations would apply to all ICS/SCADA (defined) vendors, none of them would lose competitiveness.

With security analysts predicting further compromises of ICS/SCADA equipment this year, we need to better protect this infrastructure.

For enterprises and businesses, the regulations proposed above should assist with securing IoT and ICS/SCADA devices. However, this is just the beginning. This scanner from Beyond Trust is another great start. As that article mentions, the FTC is offering $100,000 to “a company that can discover an innovative way of managing and patching IoT devices.” Securing IoT devices is not an easy problem to solve.

However, progress is happening with securing critical infrastructure and Internet of Things (IoT)(defined) devices. For example, please find below resources/recommendations, tools and products that can help protect these systems and devices.

How can we better secure ICS/SCADA devices?
These devices power our critical infrastructure e.g. power, gas, communications, water filtration etc. The US ICS-CERT has a detailed list of recommendations available from the following links:

ICS CERT Recommended Practices
ICS-CERT Secure Architecture Design
ICS Defense In-Depth (PDF)

An ICS-CERT overview of the types of vulnerabilities that these systems face.

Securing IoT devices in industry
Free IoT Vulnerability Scanner Hunts Enterprise Threats (Dark Reading.com)
Defending the Grid
Network and IoT to underpin Trend Micro’s 2017 strategy

Securing IoT in the medical sector/businesses
Hospitals are under attack in 2016 (Kaspersky SecureList)
Fooling the Smart City (Kaspersky SecureList)

Recommendations for consumer IoT devices are the following
My previous recommendations on securing IoT devices
Blog Post Shout Out: New Wireless Routers Enhance Internet of Things Protection
Securing Your Smart TV
8 tips to secure those IoT devices (Network World)
Who Makes the IoT Things Under Attack? (Krebs on Security)

=======================
I hope that you find the above resources useful for securing ICS/SCADA as well as IoT devices that are very likely a target this year.

Thank you.

Protecting Your Smart TV From Ransomware

In mid-2016 a news article detailed the possibility for Android powered Smart TVs to be infected by ransomware. Last month that prediction came true.

To recover the affected TV, you should reset it to factory default settings. You may need to contact the manufacturer if the steps to perform the reset are not provided in the device’s documentation.

With 2017 predicted to break the record set in 2016 for ransomware, occurrences such as this will likely become more common.

Unfortunately, TV manufacturers are unlikely to pre-harden vulnerable devices before shipping them due to compatibility concerns and increased costs (during manufacturing and later in support). To drive use of their after-sales service, they are also unlikely to publish the key sequences or button presses needed to perform a factory reset.

The ransomware encountered by this software developer was “just” a screen locker. It didn’t also try to encrypt any connected USB drives. Separately, a Symantec security researcher published a helpful list of mitigations to protect against ransomware targeting Smart TVs.

Continuing the trend of protecting Internet of Things (IoT) devices (defined), I hope that you find the above mitigations useful. Please also refer to this previous blog post for more general advice on preventing ransomware infections on your everyday computing devices (non IoT devices).

Thank you.

Adobe Releases Flash Security Update Due To New Exploit

Yesterday Adobe released an emergency security update for Flash Player that they had pre-announced earlier this week. This update was released ahead of the next Update Tuesday since the Magnitude Exploit Kit (defined) is exploiting a zero-day vulnerability (defined) in order to infect devices/systems with ransomware (defined), specifically the Cerber and Locky variants.

The update addresses 24 critical security vulnerabilities (more formally known as CVEs (defined)), one of which (as mentioned above) is currently being exploited and has been since at least the 31st of March, according to the security firm Proofpoint.

=======================
Update: 13th April 2016:

Microsoft issued their security update for the Flash Player built into Internet Explorer on Windows 8.1 and into Microsoft Edge and Internet Explorer on Windows 10. Further details are available in their security bulletin.

Thank you.
=======================

(Please see the update above): At the time of writing Microsoft had not yet made available the relevant updates for Microsoft Edge or Internet Explorer. They have since done so by releasing a separate security bulletin. The full list of security bulletins is available from this page. Google reacted quickly, releasing version 49.0.2623.112 of Chrome, which includes the updated Flash Player v21.0.0.213.

Flash Player updates for Linux, Apple Mac OS X and Windows are available from this link (which can be used if you don’t have automatic updating enabled or simply wish to install the update as soon as possible). As explained by Sophos the automatic updater of Flash Player updates systems in phases in order to avoid too much congestion on Adobe’s servers.

As always I would recommend that if you have Flash Player installed to install the necessary update as soon as possible. You can check if you have Flash Player installed using this page.

In addition, please follow my recommendation to enable the ASR mitigation of Microsoft EMET as detailed in this post in order to mitigate against Flash based vulnerabilities being exploited in applications that can open Microsoft Office documents and/or Adobe PDF files.

Thank you.

Blog Post Shout Out: Further Tips To Prevent Ransomware

With growing numbers of organizations, companies and individuals being affected by ransomware, we need to take precautions before we are affected so that, if the worst should happen, we can recover.

For the second time this month I wish to provide a respectful shout-out to the following blog post that provides further tips on preventing ransomware that were not present in previous posts.

For example, using the principle of least privilege (not using a privileged user account on your device when you don’t have to, e.g. for everyday general use), security awareness (being aware/having knowledge of current computer security trends and knowing what to avoid and which warning signs to look out for), as well as a new security feature developed by Microsoft for Office 2016 in an effort to prevent the spread of ransomware. I hope that you will find the post linked to below useful:

8 tips for preventing ransomware by John Zorabedian (Sophos Security)

Further practical advice on preventing ransomware is provided in a previous blog post.

Thank you.

First Apple Mac Ransomware Poses Serious Risk

The prevalence of ransomware continues to increase, this time affecting Apple Mac OS X devices. Earlier this month users of the Transmission BitTorrent client (specifically the version for Mac OS X) were at risk of having their data held to ransom, since the downloadable version of the client had extra code added to it by attackers who encrypt your data and then demand a ransom to recover it.

Why Should This Issue Be Considered Important?
If you had downloaded and installed version 2.90 of the Transmission app, then after 3 days it would have encrypted your personal data and demanded 1 bitcoin (approx. USD $400) in order to retrieve it. This would not only have been a huge inconvenience but could also have left you unable to carry out routine tasks or your job if you are a small business owner using your personal Mac system for business.

The fact that the malicious code included with the hijacked Transmission app would only have encrypted your data 3 days after you installed it would have made narrowing down the source of the malware infection much more difficult.

An analysis of the malware by Palo Alto Networks showed that it had partial support for encrypting the data stored by Apple’s Time Machine backup software; had this been functional, it would have caused far more data loss.

As discussed below, while this particular malware infection has now been resolved by the combined efforts of Apple, Transmission, Palo Alto Networks and other security companies, the risk of future malware using similar techniques to hold data to ransom will be present from now on.

How Can I Protect Myself from This Issue?
As per Transmission’s recommendation, if you use their BitTorrent client on your Mac OS X system, please update it to version 2.92 or later. If you have anti-malware/anti-virus software installed, please run a full system scan and remove any traces of the malware that may be present. Alternatively, easy to follow manual instructions to remove the malware are provided here.

As mentioned in previous ransomware blog posts, please back up your critical data and ensure to have at least one full copy that is not connected to your computer. This will ensure that it is not available to the ransomware for it to be encrypted too. Recommendations for using Apple’s Time Machine backup software are provided here.

Separately, Apple revoked the misused developer certificate (when Palo Alto Networks informed them of its abuse) that had allowed the malware to bypass Apple’s Gatekeeper security feature. They also updated their XProtect malware protection to detect and remove the malware.

Meanwhile Transmission updated their software to version 2.92 to remove the malware from the app and to remove any existing malware traces that may have been present on a Mac system after installing version 2.90. All of the mentioned companies/teams should be applauded for their thorough and swift response to this threat.

Thank you.

=======================
Further References:
ComputerWorld: First Mac ransomware had sights on encrypting backups, too
The Safe Mac: First Mac ransomware spotted