Thought leadership. threat analysis, news and alerts.
Security Risks Associated with Exposed RDP
A recent report from McAfee Labs showed that since the official start of the COVID-19 pandemic in March 2020, the number of exposed RDP has increased considerably.
RDP, short for Remote Desktop Protocol (RDP), is a proprietary protocol developed by Microsoft that runs on port 3389 and allows users the ability to connect to another computer over the internet. In the blog post "Cybercriminals Actively Exploiting RDP to Target Remote Organizations", McAfee Labs said that amid the COVID-19 pandemic, organizations wanting to maintain operational continuity very likely allowed employees to access organizations’ networks remotely via RDP with minimal security checks in place, giving cyber attackers the opportunity to access these networks with ease.
According to McAfee Labs, the number of RDP ports exposed to the internet grew from approximately three million in January 2020 to more than four and a half million in March 2020. McAfee Labs derived this number of exposed RDP ports from a simple search on Shodan – a search engine that allows users to find internet-connected computers.
Exposed RDP Risks
RDP often runs on Windows server operating systems. Access to RDP box allows attackers access to an entire network.
RDP ports that are exposed to the internet are valuable to attackers as these ports allow them to enter organizations’ networks and conduct further malicious activities such as spreading malicious software (malware), including ransomware – a type of malware that encrypts computers or files, locking out legitimate users and forcing victims to pay ransom in exchange for decryption keys that will unlock these encrypted computers or files.
Other than spreading ransomware, compromised RDP ports can also be used to spread cryptominer – a type of malware that illicitly consumes the computing power of the compromised computer for the purpose of mining cryptocurrencies such as Bitcoin or Monero.
Exposed RDP ports also allow attackers to conduct malicious activities such as hiding their tracks, for instance, by compiling their tools on the compromised computer. Attackers also used exposed RDP ports in carrying out other malicious activities in the victims’ networks such as theft of personal information, proprietary information or trade secrets.
How Cyberattackers Access Exposed RDP Ports
Below are some of the tactics used by attackers to enter exposed RDP ports:
According to McAfee Labs, it observed an increase in both the number of attacks against RDP ports and in the volume of RDP credentials (username and password combinations) sold on underground online markets. In the past, some of these RDP online shops were taken down by law enforcement agencies.
These RDP online shops sell RDP credentials at a very low cost. McAfee Labs earlier reported that the stolen RDP credential of a major international airport was sold in one of these RDP online shops for only US$10.
While RDP can be secured via multi-factor authentication, many users fail to use this added security measure. Failure to protect RDP via multi-factor authentication allows attackers to stage brute force attack – a type of attack that guesses the correct password through trial and error.
Password guesses via brute force attacks aren’t so random. According to McAfee Labs, data from a law enforcement agency and RDP online shops taken down by the law enforcement agency showed that weak passwords remain one of the common points of entry.
A number of RDP ports were broken into, McAfee Labs said, using the top 10 passwords. “What is most shocking is the large number of vulnerable RDP systems that did not even have a password,” McAfee Labs said. The following are part of the top 10 passwords used by RDP attackers: 123456, 123, P@sswOrd, 1234, Password1, password, 12345, 1 and test.
In recent months, RDP has also been riddled with security vulnerabilities. In August 2019, Microsoft disclosed the security vulnerability known as “BlueKeep”. This security vulnerability, officially designated as CVE-2019-0708 allows an unauthenticated attacker to connect to the target system using RDP and send specially crafted requests.
Microsoft warned that BlueKeep is “wormable”, which means that it can replicate and propagate by itself to create a large-scale outbreak similar to Conficker and WannaCry. Conficker has been estimated to have impacted 10 to 12-million computer systems worldwide, while WannaCry’s damage to computer systems in just one global enterprise was estimated at $300 million.
Two other security vulnerabilities in RDP were disclosed by Microsoft in recent months: CVE-2020-0609 and CVE-2020-0610. Similar to BlueKeep, CVE-2020-0609 and CVE-2020-0610 allow an unauthenticated attacker to connect to the target system using RDP and send specially crafted requests.
According to Dustin Childs of Zero Day Initiative, while not as widespread as systems affected by Bluekeep, CVE-2020-0609 and CVE-2020-0610 present an attractive target for attackers as these vulnerabilities are wormable – at least between RDP Gateway Servers.
Best Practices in Protecting Exposed RDP Ports
Here are some of the best practices in protecting RDP ports:
Windows 7 Support to End Soon. What’s at Risk?
Windows 7, an operating system released by Microsoft more than 10 years ago, will reach its end of life on January 14, 2020.
While Windows 7 can still be used after the operating system's end of life, using this outdated operating system puts your organization’s computers vulnerable to security risks.
Security Risks of Using Outdated Operating System
According to Microsoft, the end of life of Windows 7 means that after January 14, 2020, technical assistance and software updates from Windows Update that help protect computers will no longer be available. "If you continue to use Windows 7 after support has ended on January 14, 2020, your PC will still work, but it may become more vulnerable to security risks,” Microsoft said in its advisory.
Software programs like operating systems are never made perfect. Somewhere along the way, someone will find a vulnerability or a bug that must be fixed. As such, operating system vendors like Microsoft regularly, and as the need arise, issue security updates to fix newly discovered security vulnerabilities. In 2018 alone, Microsoft patched hundreds of security vulnerabilities on its operating systems, including Windows 7 and Windows 10.
With the end of life of Windows 7, newly discovered security vulnerabilities will no longer be fixed by Microsoft, putting your organization’s at risk of cyber-attacks.
The WannaCry attack which infected hundreds of thousands of computers in just a matter of 24 hours on May 12, 2017 gave the world a hard lesson on the risk of using outdated operating systems. WannaCry is categorized as a ransomware – a type of malicious software (malware) that stops users from using their computers or accessing their data.
WannaCry had shaken the online world due to its worm capabilities, that is, this malware spreads through the network, infecting other vulnerable computers, without the need for any user involvement. WannaCry exploits the security vulnerability referred to as CVE-2017-0145. This security vulnerability exists in the way that the Server Message Block 1.0 (SMBv1) handles certain requests. SMBv1 is the old version of the Server Message Block protocol that Windows operating systems use for file sharing on a local network. “An attacker who successfully exploited the vulnerability [CVE-2017-0145] could gain the ability to execute code on the target server,” Microsoft said.
Microsoft issued a security fix for CVE-2017-0145 on March 14, 2017 – months before the WannaCry attack on May 12, 2017. The company issued a security update to fix CVE-2017-0145 for operating systems that still received the company’s support, including Windows 7, Windows 10, Windows 8.1, Windows Server 2008, Windows Server 2012, Windows Server 2016 and Windows Vista.
No security update was issued to fix the security vulnerability CVE-2017-0145 for operating systems that reached its end of life, including Windows XP, Windows 8, and Windows Server 2003. At the time of the WannaCry attack on May 12, 2017, these outdated operating systems were vulnerable as they were defenceless without the security update.
It’s worthy to note that WannaCry infected Windows 7 the most despite the fact that at the time of the attack, this operating system was still supported by Microsoft with a readily available security fix issued months before the attack.
Costin Raiu, Director of Global Research and Analysis Team at Kaspersky Lab said that 98% of the computers infected by WannaCry used Windows 7 as the operating system. “ #WannaCry infection distribution by the Windows version. Worst hit - Windows 7 x64,” Raiu said.
Migration to Latest Operating System
A study conducted by Kaspersky Lab showed that even as newer versions of operating systems are available, nearly 41% still use either an unsupported or approaching end of support operating system. The study also showed that 40% of very small businesses (VSBs) and 48% of small, medium-sized businesses (SMBs) and enterprises still rely on unsupported or approaching end of support operating system.
Even as operating system vendors stop in supporting customers via security updates, cyber attackers never stop digging up new security vulnerabilities, knowing full well that any security vulnerabilities discovered won’t be fixed by the vendors.
Using Windows 7 after its end of life on January 14, 2020 also makes this operating system incompatible with other software such as Office 365 ProPlus. On the flip side, many organizations delay their migration to the latest operating systems as custom-made applications are incompatible to the latest operating systems. Migration cost is also another reason why many organizations delay migration from outdated operating systems to newer operating systems.
Leaving your organization’s outdated operating system exposed to the internet leaves it open to cyber-attacks. The cost of a cyber-attack may even be higher than the cost of migrating to a newer operating system.
If the migration to a newer operating system needs to be delayed for a little longer, computers using outdated operating systems should be taken offline to keep them away from the reach of malicious actors.
It’s also important to practice network segmentation, especially when using outdated operating systems. Network segmentation controls how traffic flows across the network.
In network segmentation, your organization’s network is divided into smaller parts or sub-network, ensuring that in case of a compromise in one sub-network, the other sub-networks won’t be affected. It’s advisable to keep computers using outdated operating systems in a separate sub-network.
Connect with our team of experts today to learn more and mitigate IT and cybersecurity risks for your business.
Control Access Before Bad Actors Do
Leaving your door wide open invites bad actors. Like in real life, leaving your organization’s devices, networks or cloud accounts wide open similarly invites malicious actors. Controlling access to these devices, networks or cloud accounts controls the threat both from insiders and outsiders.
Misconfiguration, in general, is the configuration of digital system’s settings in such a way that the system behaves contrary to what it’s expected to do. Repercussions resulting in misconfigurations include exposure of sensitive data or could allow attackers to gain privileged access – the ability to perform an action with security consequences.
Misconfiguration happens because these digital systems themselves allow the sharing of data to the public or they allow privileged access. For instance, current cloud service providers allow clients to either configure or set stored data in the cloud to be shared to the public. Server operating systems, meanwhile, can be configured to allow certain individuals to have privileged access. Misconfiguration, therefore, is an internal problem that originates from within the IT infrastructure of any organization.
In recent months, security researchers have discovered troves of sensitive data stored in the cloud easily accessible to the general public. Researchers at UpGuardrecently discovered that two partners of Facebook, Mexico-based media company Cultura Colectiva and the now defunct “At the Pool” misconfigured their cloud accounts, exposing a total of hundreds of millions of Facebook customer data. According to UpGuard, the exposed customer data were each stored in Cultura Colectiva and At the Pool’s respective Amazon Simple Storage Service (Amazon S3) bucket configured to allow public download of files.
“Amazon customers own and fully control their data,” Amazon said in response to the exposure of millions of Facebook customer data. “While Amazon S3 is secure by default, we offer the flexibility to change our default configurations to suit the many use cases in which broader access is required, such as building a website or hosting publicly downloadable content. As is the case on premises or anywhere else, application builders must ensure that changes they make to access configurations are protecting access as intended.”
In February 2018, researchers at RedLockdiscovered that malicious actors accessed Tesla’s Kubernetes – a tool for managing a network of virtual machines – console as this wasn’t password protected. “Within one Kubernetes pod, access credentials were exposed to Tesla’s AWS environment which contained an Amazon S3 (Amazon Simple Storage Service) bucket that had sensitive data such as telemetry,” RedLock researchers said. As a result of the data exposure, the malicious actors performed cryptocurrency mining from within one of Tesla’s Kubernetes pods.
According to Gartner, through 2020, 99% of firewall breaches will be caused, not by flaws but by simple firewall misconfigurations. A firewall is a network security device that monitors outgoing and incoming network traffic and decides whether to block or allow certain traffic based on a defined set of security rules. Firewalls are often configured with an open policy, that is, allowing from any source to any destination as system administrators at the outset don’t know what they want to block or allow, and never get around changing this configuration, leaving the network exposed to attackers.
A case in point in the value of effective firewall configuration is the 2017 case in which a malware infiltrated the North Carolina transmission plant’s computer networkvia email. The malware spread through the plant’s network, stopping production as users were locked out from their computers. According to the plant’s information technology manager, while data on some computers were lost, the malware was blocked by a firewall when it tried to exit the plant’s network.
Another ransomware incident in 2017, this time in the Northern Lincolnshire and Goole NHS Foundation Trustwas attributed to the “misconfiguration of the firewall”. The ransomware took a Northern Lincolnshire and Goole NHS Foundation Trust hospital offline for four days and resulted in the cancellation of 2,800 patient appointments.
Best Practices & Prevention
Here are some cybersecurity measures in order to prevent or mitigate the effects of misconfigurations:
Apply the Principle of “Least Privilege”
Least privilege is the concept and practice of restricting access to accounts and computing processes only to certain individuals based on their job necessities. Restricting a certain group in your organization from installing and running software application can prevent a malware from infecting your organization's network, for instance, in case this malware is unwittingly downloaded by one of your organization’s staff onto his or her computer workstation.
The Microsoft Vulnerabilities Report 2019, an analysis of Microsoft security updates in 2018 conducted by BeyondTrust, showed that of the 189 critical vulnerabilities discovered last year, 154 or 81% of the vulnerabilities could have been prevented if administrator rights had been removed.
Administrator rights, also known as admin rights, means that a user has privileges to perform virtually all functions within an operating system on a computer. These privileges include the installation of software and hardware, installation of updates and configuring or changing system settings.
Regularly Update Firewall Configuration
Regularly update your organization’s firewall to block data from certain locations, applications or ports, while at the same time allowing certain relevant and necessary data through.
Monitor for Suspicious User Behavior
Another way to prevent or mitigate the effects of misconfiguration is by monitoring suspicious user behavior. In monitoring suspicious user behavior, your organization needs to have a baseline normal user data. From this baseline data, suspicious behavior can then be detected, such as geolocation-based anomalies, time-based anomalies and event-based anomalies.
The best way to evaluate your current access controls is to perform an independent IT audit. Most IT and business executives are surprised by the results and are able to take an immediate action moving toward better security controls.
Reduce the IT risks today by speaking with one of our cybersecurity experts. Connect with ustoday.
Why Your Organization Should Replace All TLS Certificates Issued by Symantec
October 2018 is a crucial month for anyone owning a website as two of the world’s biggest browsers, Chrome and Firefox, will “distrust” TLS certificates issued by Symantec.
What Is a TLS Certificate?
TLS stands for Transport Layer Security. This technology is meant to keep the internet connection secure by encrypting the information sent between the website and the browser, preventing cybercriminals from reading and modifying any information that’s being transferred.
The more popular TLS isn’t free. A website owner has to buy this technology – referred to as TLS certificate – from any of the companies trusted by browsers. Symantec was once a trusted issuer of TLS certificates by Google, the owner of Chrome, and Mozilla, the organization behind Firefox.
HTTPS, which stands for Hyper Text Transfer Protocol Secure, appears in the URL when a website uses a TLS certificate. Google has also been rewarding websites using TLS certificates with improved web rankings. As of July 2018, according to Mozilla, 3.5% of the top 1 million websites were still using Symantec TLS certificates.
When a visitor attempts to connect to a website, the browser used by the visitor requests the site to identify itself. The site then sends the browser a copy of its TLS certificate. The browser, in return, checks if this TLS certificate is a trusted one. If the browser finds that the TLS certificate can be trusted, the browser then sends back a digitally signed acknowledgment to start the TLS encrypted session.
Reasons Behind the Distrust of Symantec TLS Certificates
In March 2017, Ryan Sleevi, software engineer at Google Chrome, posted on an online forumGoogle’s findings, alleging that Symantec failed to properly validate TLS certificates. Sleevi said that Symantec mis-issued 30,000 TLS certificates over a period spanning several years.
“Symantec allowed at least four parties access to their infrastructure in a way to cause certificate issuance, did not sufficiently oversee these capabilities as required and expected, and when presented with evidence of these organizations’ failure to abide to the appropriate standard of care, failed to disclose such information in a timely manner or to identify the significance of the issues reported to them,” Sleevi said.
Symantec, for its part, said that Google’s allegations are “exaggerated and misleading”. “Google’s statements about our issuance practices and the scope of our past mis-issuances are exaggerated and misleading,” Symantec said. “For example, Google’s claim that we have mis-issued 30,000 SSL/TLS certificates is not true. In the event Google is referring to, 127 certificates – not 30,000 – were identified as mis-issued, and they resulted in no consumer harm. We have taken extensive remediation measures to correct this situation, immediately terminated the involved partner’s appointment as a registration authority (RA), and in a move to strengthen the trust of Symantec-issued SSL/TLS certificates, announced the discontinuation of our RA program.”
Mozilla, for its part, conducted its own investigation surrounding Symantec’s issuance of TLS certificates. Mozilla said it found a set of issueswith Symantec TLS certificates. A consensus proposalwas reached among multiple browser makers, including Google and Mozilla, for a gradual distrust of Symantec TLS certificates.
On October 31, 2017, DigiCert, Inc. acquired Symantec’s website security business, and on December 1, 2017 DigiCert took over the validation and replacement of all Symantec TLS certificates, including TLS certificates issued by Symantec’s subsidiaries: Thawte, GeoTrust and RapidSSL.
“DigiCert will replace all affected certificates at no cost,” DigiCertsaid in a statement. “Additionally, you don’t need to switch to a new account/platform. Continue to use your current Symantec account to replace and order your SSL/TLS certificates.”
Implications of the Distrust of Symantec TLS Certificates
Mozillasets October 23, 2018 as the distrust date of all TLS certificates issued by Symantec. Googlesets October 16, 2018 as the distrust date for all TLS certificates issued by Symantec to non-enterprise users, while January 1, 2019 is the distrust date set by Google for all TLS certificates issued by Symantec to enterprise users. Apple, the owner of the Safari browser, sets “Fall 2018” as the date of complete distrust of Symantec TLS certificates.
In the case of Chrome, if website owners fail to replace their Symantec TLS certificates beyond the prescribed period by Google, the message below will be shown instead:
Image by Google
In the case of Firefox, the message below will be shown instead:
Image by Mozilla
As can be gleaned from the distrust notices by Google and Mozilla, failure to replace Symantec TLS certificates runs the risk of attackers trying to steal information from your organization’s website, including passwords, messages and credit card details.
According to Mozilla, whenever it connects to a website, it verifies that the TLS certificate presented by the website is valid and that the site’s encryption is strong enough to adequately protect the privacy of the visitor. If Firefox determines that the TLS certificate can’t be validated or if the encryption isn’t strong enough, the connection to the website will be stopped and instead, the message, “Your connection is not secure” will be shown, Mozilla said.
“When this error occurs, it indicates that the owners of the website need to work with their certificate authority to correct the policy problem,” Mozilla added.
Contact us today if your organization needs assistance in replacing legacy Symantec TLS certificates.
Nearly Half of the World’s Top Websites Are Risky to Visit, Study Finds
A new study from Menlo Security showed that almost half of the world’s top websites are risky to visit.
According to Menlo Security'sState of the Web (First Half 2018), 42% or nearly half of the Alexa top 100,000 websites are “risky”. The Menlo Security study considers a website as risky when it falls in one of these three criteria:
According to Menlo researchers, the practice of classifying the world’s websites into logical categories is no longer defendable as more than a third of all sites in categories including News and Media, Entertainment and Arts, Shopping and Travel are risky.
Even websites categorized as safe aren’t safe by deﬁnition, with 49% of “News and Media” sites falling within Menlo’s criteria as risky, as 45% of Entertainment and Arts, 41% Travel, 40% Personal Sites and Blogs, 39% Society, 39% Business and Economy and 38% Shopping.
3 Variables that Can Put A Website at Risk
Here are 3 variables that can make a website risky:
1. Risks Linked with Background Websites
Menlo researchers found that every time a visitor visits a website, the site calls on average 25 other sites – also as known as background sites – to fetch a content, for instance, a viral video from a content delivery network (CDN) or an advertisement display from an advertisement delivery network.
Every time you visit a website, therefore, you’re not just visiting one website, but 25 sites on average. Any of these background sites could be used by cyberattackers to compromise the main site and eventually website visitors.
An example of a background site which cybercriminals could compromise the main site is through malvertisement, short for malware advertisement. In malvertisement, the advertisement being displayed on the main site could be infected by a malware. If a visitor clicks on a malvertisement, the visitor's computer then becomes infected with a malware.
2. Risks Linked with Use of Active Content
Active content refers to a software that web developers use to produce personalized and dynamic websites. By using software like Flash, active content allows stock tickers to continuously update, and animated images, maps or drop-down boxes to function.
The trade-off with these active contents is that while these contents make websites personalized and dynamic, web developers lose the control in securing the sites as similar to malvertisements, these contents have to be fetched from background sites. These background sites could be compromised and used to deliver a malware.
Adobe Flash, one of the software used for active content, is known to be packed with security loopholes, making this software the favorite tool by cyberattackers. While Adobe tries to make Flash more secure, the product is simply unfortunate enough to rank as one of the most frequently exploited software by cybercriminals.
3. Risk Linked with Use of Vulnerable Web Software
According to Menlo Security, many of today’s top websites and their accompanying background sites run on vulnerable web software.
"Many of the world’s most popular websites run on back-end web servers that are outdated, including some that have not been updated for years or even decades,” Menlo Security said. “This leaves those websites extremely vulnerable to web-borne malware, exposing site visitors to possible infections, incursions, or breaches. Use of outdated server software also threatens any site to which it serves as a ‘background website.’ Simply put, the older the software, the higher the risk.”
Vulnerable web software refers to a software that has been repeatedly attacked over the years. It also refers to a software that has reached its end of mainstream support, including the end of security updates or patches from the software vendor.
Menlo researchers found that many Business and Economy websites still use Microsoft’s IIS version 5 web server, a software that Microsoft stopped providing updates or patches more than 12 years ago.
Microsoft’s IIS version 5 web server has been exploited by cybercriminals in the past. An example of a malware that exploited the security vulnerability in Microsoft’s IIS version 5 web server is the infamous Code Red, a malware that appeared in three versions from July 2001 to August 2001. The first version of this malware defaced webpages and launched a denial of service attack against www.whitehouse.gov.
Code Red, also known as ISS Buffer Overflow vulnerability, allows an attacker to gain full system level access to any server that’s using the Microsoft Internet Information Services (IIS) Web server software. An attacker that exploits the Code Red or ISS Buffer Overflow vulnerability can perform any system level action, including installing malware, adding, changing or deleting files, and manipulating web server content.
Here are some of the best practices to the lower the odds of being victimized from risky websites:
If you’re a website owner, make sure that your server runs up-to-date software. Running your company website on Microsoft’s IIS 5 web server, a software that Microsoft no longer supports, is a big security risk for your company. Attackers have been known to exploit computer programs that no longer receive security updates or patches from vendors. To keep your website safe, it’s also important to use technologies that prevent the introduction of malicious code via background sites.
As a website visitor, you can lower your odds of being victimized by a risky website by making sure that your computer programs are up-to-date. It’s also important to avoid vulnerable software like Adobe Flash.
Dangers of Cyberattacks as a Result of Source Code Leak
This past week, someone posted the source code of Apple iPhone operating system iOS on GitHub – a repository of open source code.
There was confusion at first as to whether the code was real or not. Apple indirectly confirmed that the code was real by filing a DMCA legal notice demanding GitHub to remove the source code. DMCA, which stands for Digital Millennium Copyright Act, is a takedown request that empowers owners of copyrighted material who believe their rights under U.S. copyright law have been infringed.
The iPhone source code called “iBoot” published on GitHub, Apple said "is responsible for ensuring trusted boot operation of Apple's iOS software." The company added, “The ‘iBoot’ source code is proprietary and it includes Apple's copyright notice. It is not open-source.”
Jonathan Levin, the author of a series of books on iOS and Mac OSX internals, told Lorenzo Franceschi-Bicchierai of Motherboard that the iBoot source code publication is the “biggest leak” in Apple's history.
A source code is a collection of computer instructions that’s written by a programmer when developing a software program. A software can either be open source or non-open source.
With an open source code, anyone can inspect or modify the code. With a non-open source code, the source code is hidden from the public and as such, only the software maker can make changes to the code.
Non-Open Source Code Leak
Apple and Microsoft are examples of companies that keep their products’ source code hidden from the public.
While most companies don’t allow outsiders to view and make modifications on their source code, they allow security researchers, also known as ethical hackers, to review their software, find security vulnerabilities and report this directly to the company to receive monetary reward, also called bounty.
Apple, through its bounty program, pays a maximum of $200,000 to someone who directly reports bugs or security vulnerabilities to the company.
Despite the takedown of the iPhone source code on GitHub, the source code has already made its way to dark web sites.
Access to non-open source code like the iBoot gives hackers a better chance of finding security vulnerabilities that could lead to cyberattacks.
EternalBlue Source Code Leak
On April 15, 2017, a hacker group calling itself the “Shadow Brokers” leaked the source of code of a number of hacking tools believed to be developed by the U.S. National Security Agency (NSA).
The source code of EternalBlue is one of those leaked by the hacker group. EternalBlue could allow remote code execution if a cyberattacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.
The EternalBlue source code leak spawned devastating cyberattacks, the most notable of which was the WannaCry cyberattack. In May 2016, hundreds of thousands of computers around the world were infected with WannaCry, a malware that encrypts computer files, prevents users from accessing files and asks for ransom payment in the form of Bitcoin for the release of the decryption key to unlock the affected computer.
Adylkuzz is another malware that uses the EternalBlue source code. The purpose of Adylkuzz malware is to mine the cryptocurrency Monero. Similar to cryptocurrency Bitcoin, a Monero coin needs to be mined – a process by which a transaction is verified, added to the public ledger, known as the blockchain, and a means before a coin is released.
While cryptocurrency mining of Bitcoin can only be done on powerful computers, mining Monero can be done on regular computers and even on smartphones.
The Adylkuzz malware installs the Monero cryptocurrency miner called “cpuminer” on infected computers. Once the cpuminer is installed in a compromised computer, Monero cryptocurrency mining is conducted without the knowledge of the user. Cryptocurrency mining operation, however, will exhaust your computer CPU, resulting in slow performance.
Open Source Code Leak
With an open source code, anyone can inspect or modify the code. An open source is also known as a collaborative code. There are benefits in allowing other programmers to inspect and modify a source code. It’s a known fact that there’s not one software with a perfect source code. Allowing programmers to inspect and modify a source code can enhance and improve the code in the long run.
Linux is an example of an open source software. It’s an operating system similar to Windows and iOS. The difference between Linux and other operating systems is that it’s open source. The Linux source code is free and available to the public to view and, for users with the necessary skills, to contribute to the enhancement of the code.
While the publication of an open source code, on one hand, can be beneficial to society similar to the positive contribution of Linux, publication of an open source code with malicious intent can be detrimental to society.
Mirai Source Code Leak
The publication of the Mirai source code is an example of how a publication of a malicious open source code can be detrimental to society.
On September 30, 2016, a HackForum user by the name of “Anna-senpai” posted the source code of the malicious software called “Mirai”. The Mirai was responsible for the distributed denial of service (DDoS) attack on the website of cybersecurity journalist Brian Krebs on September 20, 2016.
On December 13, 2017, Paras Jha pleaded guilty in creating the Mirai and for conducting a series of DDoS attacks on the networks of Rutgers University between November 2014 to September 2016, which resulted in shutting down Rutgers University’s central authentication server – a gateway portal through which students, staff and faculty deliver assignments and assessments.
According to the U.S. Department of Justice, hundreds of thousands of IoT devices such as wireless cameras and routers were infected with the Mirai malware and were used "to conduct a number of powerful distributed denial-of-service, or ‘DDOS’ attacks, which occur when multiple computers, acting in unison, flood the Internet connection of a targeted computer or computers".
According to Imperva Incapsula, Mirai-infected IoT devices were spotted in 164 countries, appearing even in remote locations like Montenegro, Tajikistan and Somalia.
The publication of the Mirai spawned other DDoS attacks, the most notable of which was the attack on Dyn, a domain name service (DNS) provider which many websites rely upon. The DDoS attacks against Dyn resulted in temporarily shutting down popular websites like Amazon, Twitter, Netflix and even GitHub.
Dyn, in a statement, said, “We are able to confirm that a significant volume of attack traffic originated from Mirai-based botnets.” The company said that 100,000 IoT devices were infected with the Mirai malware to attack its DNS infrastructure.
In December 2017, the source code of the malware called “Satori”, a variant or new version of Mirai, was leaked on Pastebin. This Mirai variant particularly infects Huawei home router model HG532.
While the original Mirai malware infects IoT devices by using default usernames and passwords, Satori doesn’t need usernames and passwords. Security researchers at Qihoo 360 Netlab said, “The bot [Satori] itself now does NOT rely on loader/scanner mechanism to perform remote planting, instead, bot itself performs the scan activity. This worm-like behavior is quite significant.”
Security researchers at NewSky Security said that with the release of the full working code of the Mirai variant Satori, “we expect its usage in more cases by script kiddies and copy-paste botnet masters.”
Cybersecurity Best Practices
Here are some security best practices to protect your organization’s computers from the dangers of cyberattacks as a result of source code leak:
1. Use Supported Software
Supported software refers to a software whereby security updates are regularly issued by the software vendor.
Many fell victim to WannaCry for using Windows operating systems that Microsoft – the software vendor – no longer supports or no longer issues security updates.
A patch, also known as security update, is a piece of software code added to an existing source code that fixes security vulnerabilities.
WannaCry could have been prevented by simple patching or installing of the security update issued by Microsoft on March 14, 2017 – a month before the hacker group leaked the EternalBlue source code. Microsoft’s March 14, 2017 security update patches or fixes the security vulnerability exploited by EternalBlue. This security update was issued to supported Windows operating systems.
3. Use Latest Software Version
Many leaked source code are typically source code of older software version. Software vendors normally fix security vulnerabilities found in older software versions with the latest software version.
Interesting to note that Windows 10 proved to be resilient against Petya ransomware attack unleashed more than a month after the WannaCry attack. Similar to WannaCry, Petya exploited security vulnerabilities exploited by EternalBlue and EternalRomance – two hacking tools believed to be developed by the NSA and leaked by the hacker group Shadow Brokers.
4. Practice Network Segmentation
There are instances that security updates can’t be installed right away. One way to prevent or minimize the effects of a cyberattack is through network segmentation – a process of dividing computer network into subnetworks. With network segmentation, cyberattack on one subnetwork won’t affect the other subnetworks.
5. Have the Right DDoS Protection
Cybercriminals today don’t necessarily create their own attack tools. Some simply copy leaked source code. This is the case of DDoS-for-hire groups, a bunch of cybercriminals that offer DDoS service for a fee. There are available tools that effectively counter these DDoS attacks. Connect with us today and protect your business.
Cyber Espionage Group Targets Critical Infrastructure Using Old Hacking Tactics
Cyberattacks against critical infrastructure – energy, nuclear, water, aviation and critical manufacturing sectors – in the US have been going on since May 2017, the US Computer Emergency Readiness Team (US-CERT) said in a rare technical alert notice.
Symantec, on the other hand, reported that cyberattacks against the energy infrastructure in some European countries and in the US have been underway since December 2015. Cisco researchers, meanwhile, reported that since at least May 2017, they have observed attackers targeting critical infrastructure and energy companies around the world, in particular, Europe and the US.
While US-CERT and Cisco didn’t name a particular group responsible for the ongoing cyberattacks against critical infrastructure, Symantec identifies the threat actors collectively known as “Dragonfly” as the group behind the cyberattacks against the energy sector. Symantec researchers said the group has been in operation since at least 2011.
Symantec dubbed Dragonfly’s latest campaign against the energy sector as “Dragonfly 2.0”, a campaign that started in late 2015 the most notable cyberattack of which was the attack against Ukraine’s power system in 2015 and 2016, resulting in power outages affecting hundreds of thousands of residents.
The US-CERT technical alert – the result of analytic efforts between the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI), and the reports from Symantec and Cisco showed that old hacking tactics have been employed by the threat group.
Methods of Cyber Attacks
1. Malicious Emails
According to US-CERT, the threat group used malicious emails or phishing emails with the subject line such as “AGREEMENT & Confidential”. The group also used malicious Microsoft Word attachments that appear to be legitimate invitations, policy documents or curricula vitae for industrial control systems personnel to lure users to open the attachment, US-CERT said.
According to Symantec, one example of the malicious email campaign used by the threat group were emails disguised as an invitation to a New Year’s Eve party to targets in the energy sector in December 2015.
Cisco researchers identified an email-based attack called "Phishery", targeting the energy sector, including nuclear power. Phishery became publicly available on GitHub in late 2016
“Typically, malicious Word documents that are sent as attachments to phishing emails will themselves contain a script or macro that executes malicious code,” Cisco researchers said. “In this case, there is no malicious code in the attachment itself. The attachment instead tries to download a template file over an SMB connection so that the user's credentials can be silently harvested. In addition, this template file could also potentially be used to download other malicious payloads to the victim's computer.”
2. Watering Holes
According to US-CERT and Symantec, the cyber espionage group used "watering holes" – websites that have legitimate content by reputable organizations but are altered by the threat group to have malicious content. Almost half of the known watering holes, the US Computer Emergency Readiness Team said, are reputable websites that offer information to those in the critical infrastructure sector.
“As well as sending malicious emails, the attackers also used watering hole attacks to harvest network credentials, by compromising websites that were likely to be visited by those involved in the energy sector,” Symantec said.
3. Social Engineering
These stolen network credentials, according to Symantec, were then used for follow-up attacks on the target critical infrastructure organization itself by delivering trojanized software – malicious software that’s disguised as legitimate software.
One of the trojans used by Dragonfly group is Karagany.B – malicious software that infiltrates computer systems of target organizations by masquerading as Flash updates. The group here used the old hacking tactic of social engineering – convincing victims they need to download software, in this case, an update for their Flash player.
The trojan Karagany.B enables attackers remote access to the victims’ computer systems and allows them to install additional malicious tools if needed. Another trojan used by the group, according to Symantec, is the trojan Heriplor – malicious software that also enables attackers remote access to the victims’ computer systems.
“Trojan.Heriplor is a backdoor that appears to be exclusively used by Dragonfly, and is one of the strongest indications that the group that targeted the western energy sector between 2011 and 2014 is the same group that is behind the more recent attacks,” Symantec said. “This custom malware is not available on the black market, and has not been observed being used by any other known attack groups.”
Symantec noted that Dragonfly’s origins cannot definitively be determined. While some of Dragonfly’s malware codes were written in Russian and French, Symantec noted, this could be a way to mislead people.
How to Prevent Dragonfly Attacks
To prevent Dragonfly attacks, the US-CERT recommends the following:
Reaper IoT Botnet Threatens to Take Down Websites
Reaper IoT botnet, considered as more powerful than the Mirai botnet, is spreading worldwide and threatens to take down websites.
According to Check Point researchers, the Reaper botnet already infected one million IoT devices worldwide. "So far we estimate over a million organizations have already been affected worldwide, including the US, Australia and everywhere in between, and the number is only increasing," Check Point researchers said.
Researchers at Qihoo 360 Netlab, meanwhile, reported that the number of “vulnerable devices in one c2 queue waiting to be infected” reached over 2 million.
IoT botnet refers to internet-connected smart devices which are infected by one malware and is controlled by a cyber criminal from a remote location. It’s typically used by cyber criminals to launch a distributed denial-of-service (DDoS) attack.
“In a distributed denial-of-service (DDoS) attack, an attacker may use your computer to attack another computer,” the United States Computer Emergency Readiness Team (US-CERT) defines DDoS attack. “By taking advantage of security vulnerabilities or weaknesses, an attacker could take control of your computer. He or she could then force your computer to send huge amounts of data to a website or send spam to particular email addresses.”
Infecting millions of IoT devices with a malware is a time-consuming task. Cyber criminals found a way to automate this task by creating a botnet – an army of infected IoT devices. The Reaper malware, as well as the Mirai malware, is spread by the IoT devices themselves. After infecting a particular IoT device, this infected device starts to look for other devices to infect.
The Mirai botnet in October 2016 brought down major websites – including Twitter, Spotify and Reddit – by launching a DDoS attack against the DNS infrastructure of New Hampshire-based company Dyn. Many major websites rely on Dyn’s internet infrastructure.
Reaper Botnet versus Mira Botnet
While the Reaper botnet shares similar characteristics with Mirai, it differs in many ways with the Mirai botnet. On September 30, 2016, the attacker known as “Anna-senpai” publicly released the source code of Mirai. According to Check Point and Qihoo 360 Netlab researchers, Reaper borrows some of the source code of Mirai, but this new botnet is significantly different from Mirai in several key behaviors.
Here are some of the differences between Reaper and Mirai:
1. Number of Affected IoT Devices
The first difference between the Reaper botnet and Mirai botnet is in terms of the number of affected IoT devices. Mirai affected about 500,000 IoT devices, while Reaper has infected over a million IoT devices.
2. Means of Infecting IoT Devices
Mirai was able to infect hundreds of thousands of IoT devices by exploiting the lax attitude of IoT users of not changing the factory or default login and password details. By using default login and password details, Mirai attackers were able to infect a massive number of IoT devices.
On the hand, Reaper’s means of infecting IoT are by exploiting several IoT vulnerabilities which the devices’ manufacturers may or may not have issued security updates or patches. Reaper attackers can, therefore, infect IoT devices even if a strong password is used as the means of entry to the device is by exploiting known software vulnerabilities.
According to Check Point researchers, the Reaper, for instance, infects unpatched wireless IP cameras by exploiting the “CVE-2017-8225” vulnerability.
3. Botnet Capabilities
Mirai already showed what it can do: It brought down major websites worldwide even for just a few hours. For Reaper, it’s still unclear what it wants to do. As of this writing, Reaper’s creator or creators just want (based on the code they wrote) to infect as many IoT devices without yet writing the command to attack any internet infrastructure or websites.
"It is too early to guess the intentions of the threat actors behind it, but with previous Botnet DDoS attacks essentially taking down the Internet, it is vital that organizations make proper preparations and defense mechanisms are put in place before an attack strikes," Check Point researchers said.
The sheer number of infected IoT devices by Reaper – more than twice the number of Mirai’s victims – show how powerful and devastating Reaper can do when used as a means to launch a DDoS attack.
Gartner projected that 8.4 billion IoT devices will be in use worldwide in 2017 and will reach 20.4 billion by 2020. Examples of IoT devices include security systems (alarm systems, surveillance cameras), automation devices (devices that control lighting, heating and cooling, electricity), smart appliances (refrigerators, vacuums, stoves) and wearables (fitness trackers, clothing, watches).
"As more businesses and homeowners use Internet-connected devices to enhance company efficiency or lifestyle conveniences, their connection to the Internet provides new vulnerabilities for malicious cyber actors to exploit," the US Federal Bureau of Investigation (FBI) said. "Once an IoT device is compromised, cyber criminals can facilitate attacks on other systems or networks, send spam e-mails, steal personal information, interfere with physical safety, and leverage compromised devices for participation in distributed denial of service (DDoS) attacks."
How to Block Reaper IoT Botnet
In most cases, owners of infected IoT devices are unaware that their devices are infected and are used for criminal activities, such as launching a DDoS attack. IoT users who fail to change their devices’ default login and password details, as well as by failing to apply security updates, are part of the problem for “blindly” contributing to cyber criminal activities like DDoS attacks.
Here are the top cyber security measures to stop attackers from infecting your IoT devices and turned it into a botnet:
1. Timely Apply Security Updates of IoT Software
Always apply in a timely manner all security updates issued by your IoT manufacturer.
2. Use Strong Password
While the sophisticated malware like the Reaper can bypass strong password, it still pays to use a strong password to ward off less sophisticated malware.
3. Isolate IoT devices on their own protected networks.
4. Block traffic from unauthorized IP addresses by configuring network firewalls.
5. Turn off IoT devices when not in use.
6. When buying an IoT device, look for manufacturers that offer software updates.
'Secure' Wi-Fi Standard Has Serious Security Flaws
Researchers from the University of Leuven in Belgium have discovered a series of serious wi-fi security flaws that essentially eliminate wi-fi privacy.
These series of wi-fi vulnerabilities collectively dubbed as “Krack”, short for key reinstallation attacks, can access data that was previously presumed to be safely encrypted. Krack attackers can steal wi-fi passwords, chat messages, emails, photos and other sensitive information. It’s also possible, depending on device use and the network configuration, for Krack attackers to inject malicious software like ransomware into websites.
The University of Leuven researchers, in their paper entitled “Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2” (PDF) said that “every Wi-Fi device is vulnerable” to Krack attacks.
"The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations,” lead researcher Mathy Vanhoef said.
Wi-Fi Alliance, a non-profit organization that promotes wi-fi technology and certifies wi-fi products, said, “Recently published research identified vulnerabilities in some Wi-Fi devices where those devices reinstall network encryption keys under certain conditions, disabling replay protection and significantly reducing the security of encryption.”
For its part, the International Consortium for Advancement of Cybersecurity on the Internet (ICASI), in a statement said, “Depending on the specific device configuration, successful exploitation of these vulnerabilities could allow unauthenticated attackers to perform packet replay, decrypt wireless packets, and to potentially forge or inject packets into a wireless network.”
ICASI members include Amazon, Cisco Systems, IBM, Intel Corporation, Juniper Networks, Microsoft Corporation and Oracle Corporation.
How Krack Works
For Krack to work, the attacker must be within the range of a victim. As proof-of-concept, lead researcher Vanhoef executed Krack attacks against wi-fi devices. Vanhoef was able to show that Krack not just steals login credentials – including email addresses and passwords – but all data that the victim transmits or sends was decrypted.
It’s also doable for Krack attackers, depending on the network setup and the device being used, to decrypt, not just data sent over wi-fi but also data sent towards the victim, for instance, the content of a website.
“Although websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can (still) be bypassed in a worrying number of situations,” Vanhoef said. “For example, HTTPS was previously bypassed in non-browser software, in Apple's iOS and OS X, in Android apps, in Android apps again, in banking apps, and even in VPN apps.”
Krack is able to decrypt not just data sent over wi-fi but also data sent towards the victim by exploiting the vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access 2 (WPA2) protocol.
The 4-way handshake is a 14-year-old technology that supposedly ensures wi-fi privacy by installing a fresh and unique encryption key that’ll be used to encrypt all subsequent traffic every time a device joins a protected wi-fi network.
Instead of installing a fresh and unique encryption key, Krack tricks the device into reinstalling an already-in-use encryption key. This is done by manipulating and replaying handshake messages. The researchers also found that Krack similarly exploits other wi-fi handshakes, including PeerKey handshake, the group key handshake and the Fast BSS Transition (FT) handshake.
As mentioned, Krack is a series of wi-fi vulnerabilities. This means that not just one wi-fi vulnerability is exploited by Krack. The Common Vulnerabilities and Exposures (CVE) – a dictionary of common names for publicly known cyber security vulnerabilities – list the following specific vulnerabilities related to Krack:
According to Wi-Fi Alliance, there’s no evidence that Krack has been exploited maliciously in the wild.
How to Prevent Krack Attacks
To prevent Krack attacks, make sure to update your wi-fi device as soon as patch or security update becomes available. A security update ensures that an encryption key is only installed once, preventing Krack attacks.
Password change of your wi-fi network won’t stop Krack attacks. The only remedy is to apply the patch or security update of your wi-fi device as soon as it becomes available. It’s also important to update your router’s firmware. While it’s important to patch or apply the latest security updates of your wi-fi and router, it also pays to change the wi-fi password as a precaution.
According to Vanhoef, they notified wi-fi manufacturers about the Krack issue on July 14, 2017. They also notified the Computer Emergency Response Team Coordination Center (CERT/CC) – the world’s first computer emergency response team for internet security incidents. CERT/CC, in turn, issued a broad notification to wi-fi manufacturers on August 28, 2017 about this issue.
“We have released a security update to address this issue,” Microsoft spokesperson told The Verge. “Customers who apply the update, or have automatic updates enabled, will be protected. We continue to encourage customers to turn on automatic updates to help ensure they are protected.”
Windows updates released last October 10, according to Microsoft, addressed this issue. The company said it “withheld disclosure until other vendors could develop and release updates”.
“Wi-Fi Alliance now requires testing for this vulnerability within our global certification lab network and has provided a vulnerability detection tool for use by any Wi-Fi Alliance member,” the alliance said. “Wi-Fi Alliance is also broadly communicating details on this vulnerability and remedies to device vendors and encouraging them to work with their solution providers to rapidly integrate any necessary patches.”
Top 7 Cyber Security Tools for Your Business
With so much of our information online, everyone is vulnerable to hackers and cyber-thieves. When it comes to business, a cyber invasion is a constant threat.
Short term loss could be financial, intellectual property theft, data loss, or worse.
The real threat is the long term loss of trust and reputation damage that could take years to repair. If your clients' information is exposed, it will be hard for them to consider it safe to give you their business again.
Protect your business with these 7 cyber security tools.
7 Cyber Security Tools Your Business Must Be Using
In order to protect your business' digital information, you need a variety of cyber security tools in place.
For complete peace of mind, you'll want to work with a trusted cyber security partner. In the mean time, these tools are a great place to start.
1. Malware Scanners
Malware is short for malicious software. It is designed by hackers to gain access to a computer without the owner's knowledge.
You must have specific anti-malware cyber security tools in place to detect any hacker invasion.
There are a variety of malware scanners out there, many even available for free (with limited features).
Protect your business with automatic malware scanners in place.
2. Routine Patching
Patching is the process of installing a piece of software that repairs any security flaws. Updating an app is an example of patching.
Picture your business's digital infrastructure as a house. Each time you add a new application, piece of software, etc. it's like adding a new room to the house.
Software, apps, and the like are built by humans, meaning that there is room for human error. Human error is like an unlocked door or unfinished window in one of the new rooms.
This can leave a welcome mat out to cyber attackers. That's why your security plan needs to include routine assessments and patching.
3. Two-Factor Authentication
Use two-factor authentication to add a difficult-to-hack layer of security to your log in systems.
Examples include a verification code sent to a linked phone number or a piece of information only the user would know.
4. Restrictive Administrative Access
Add an additional security level for your most sensitive information and infrastructure by restricting who can access it.
Click here for more information on how to implement restrictive admin mode.
5. Network Segmentation
Divide your computer network into sub networks to improve security and performance.
This allows you to isolate the most sensitive data to a specific network to limit access and decrease congestion.
6. Vulnerability Scanning
There's no better way to access your security levels than a vulnerability scan.
Try our free vulnerability assessment to find weaknesses in your code and how to remedy them.
7. 24/7 Security Monitoring
Cyber security protection doesn't come in the form of a quick fix.
Continually protect your business' data with a 24/7 security monitoring system in place to catch attacks the minute they happen.
Protect Your Business for Peace of Mind
Cyber security tools are of the utmost importance for businesses and individuals alike.
Questions? Let us know if there is anything we can help you with. Our emergency response team is available 24/7 if you're currently dealing with a cyber attack. Contact us today.
Steve E. Driz, I.S.P., ITCP