Threat Intelligence Brief – June 2017

TECH TALK

Minimizing damage from the next WannaCry

The recent use of the Shadow Brokers’ leaked tools in malware campaigns (WannaCry, the Adylkuzz botnet, EternalRocks) has highlighted a dirty little secret in the IT world: the continued reliance on unsupported, past-end-of-life or unpatchable servers.

These legacy systems create easily exploited holes in a corporate security program because they cannot be updated against recently identified vulnerabilities or attack vectors. They unnecessarily expose critical data and infrastructure to threat actors of every skill level and undermine the effectiveness of the still-supported technology in your network.

In the fight against cyber threats, every weak link in your infrastructure, no matter how small, can become a serious liability if left unaccounted for. To limit exposure and potential damage from the next WannaCry, organizations need to consider the defense in depth of their security program.

Defense in Depth

Defense in depth is the concept of arranging lines of defense so that they defend each other. Each defensive line, or in this case system, compensates for the weaknesses of the others – a sort of “bend but don’t break” strategy. So, when an unpatchable, outdated server is added to this defensive formation, it leaves the entire infrastructure vulnerable. To illustrate the point, let’s look at a defense in depth approach that would have minimized the effects of WannaCry on an organization with vulnerable machines.

Defense in Depth vs. WannaCry

Firewall (External) – Firewall rules can be used to restrict internet access to internal resources. By only allowing inbound traffic to a minimal number of servers/services, the attack surface of your organization can be minimized. Since the primary infection vector of Wannacry was remote exploitation of SMBv1 via port 445, a firewall rule on the edge of a company’s network blocking inbound traffic destined for port 445 would have prevented external infection. A similar rule prohibiting an organization’s machines from connecting to random machines on the internet on 445 would have also prevented any internal compromises from spreading outside the organization’s environment.

Network Segmentation – By dividing network resources into segments (either through the use of additional firewalls or utilization of VLANs) and restricting communications between these segments, the spread of worms such as Wannacry within an organization could have been minimized or prohibited.

OS Hardening – Even if you can’t have the latest patch, you can still disable unneeded services. Doing so reduces the number of potential attack points that exist on your systems. It also limits an adversary’s options for movement should a compromise occur. In the case of Wannacry, a single line of code could have been used by a system administrator to disable SMBv1 and prevent a machine from being compromised.

Using PowerShell, an administrator could just run the following:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB1 -Type DWORD -Value 0 -Force

For large enterprises, Windows Group Policy may also have been used to disable SMBv1 for all domain attached systems.

Firewall (Host-Based) – Firewalls on endpoints can also be used to minimize the number of exploitable services from within an organization. If you can’t segregate the network utilizing VLANs or internal firewalls, host-based firewalls provide a means to prevent compromised systems from being used to spread laterally.
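
The OS hardening and host-based firewall layers above can be applied together from one script. The PowerShell below is an added example written for this brief, not code from the brief itself or from Microsoft. It goes a little beyond the single registry line quoted above: it audits the SMBv1 state first, disables the SMBv1 server (via Set-SmbServerConfiguration where that cmdlet exists, and via the registry value from the brief everywhere), disables the legacy SMBv1 client with the sc.exe commands Microsoft documents for Windows 7 / Server 2008 R2, and adds a host firewall rule blocking inbound TCP 445. It assumes an elevated session; Set-SmbServerConfiguration and New-NetFirewallRule exist only on Windows 8 / Server 2012 and later, so older hosts fall through to the registry and netsh paths. The rule name is an arbitrary choice.

```powershell
# Added example (not from the brief or from Microsoft): audit and harden a Windows host
# against the SMBv1/445 vector WannaCry used. Run as Administrator. A reboot is needed
# before the SMB1 registry/service changes take full effect.

$SmbParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1ServerEnabled {
    # $true when the SMBv1 server is enabled (or simply not disabled, which on legacy Windows is the default).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $v = Get-ItemProperty -Path $SmbParams -Name SMB1 -ErrorAction SilentlyContinue
    return ($null -eq $v) -or ($v.SMB1 -ne 0)
}

function Disable-Smb1Server {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    # The registry value quoted in the brief; works on supported and legacy versions alike.
    Set-ItemProperty -Path $SmbParams -Name SMB1 -Type DWORD -Value 0 -Force
}

function Disable-Smb1Client {
    # Legacy SMBv1 client driver (mrxsmb10): the sc.exe sequence Microsoft documents for
    # Windows 7 / Server 2008 R2. On Windows 8+ the documented route is
    # Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol instead.
    & sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    & sc.exe config mrxsmb10 start= disabled | Out-Null
}

function Add-Smb445BlockRule {
    # Hypothetical rule name chosen for this example.
    param([string]$Name = 'TI - Block inbound SMB 445')
    if (-not (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue)) {
        # Pre-Windows 8 fallback through netsh.
        & netsh advfirewall firewall add rule name="$Name" dir=in action=block protocol=TCP localport=445 | Out-Null
        return
    }
    if (-not (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $Name -Direction Inbound -Protocol TCP -LocalPort 445 `
            -Action Block -Profile Any | Out-Null
    }
}

# Audit, harden, re-check.
"SMBv1 server enabled before: $(Get-Smb1ServerEnabled)"
Disable-Smb1Server
Disable-Smb1Client
Add-Smb445BlockRule
"SMBv1 server enabled after:  $(Get-Smb1ServerEnabled)"
```

The inbound 445 rule is meant for workstations and servers that do not need to serve file shares; on a file server it would cut off legitimate SMB clients, which is where the network segmentation layer above takes over. The same registry value can be pushed to every domain-joined machine through a Group Policy registry preference, which is the large-enterprise route the brief mentions.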

Anti-Virus Software – No anti-virus software can catch everything, but installing one on each system that can support it serves as an additional hurdle for an adversary to overcome. Even if an attacker successfully exploits a system, the A/V can serve as the last line of defense and detect known payloads that an attacker might send.

Malicious IPs

We’ve seen the following IPs involved in various malicious activities and have taken steps to block them from our environment. We highly recommend blocking these IPs until they have been remediated and no longer pose a threat. It is prudent to heavily scrutinize any communications from your network to these IPs, especially the C2 nodes.

IP Address         Attack Signature       Geo Location
50.62.239.1        Phishing               United States
78.162.162.215     Command and Control    Turkey
89.16.176.158      Malware Host           Great Britain
27.145.126.63      Command and Control    Thailand
179.40.166.123     SSH Brute Force        Argentina
77.246.144.79      Phishing               Russia
190.50.230.202     SSH Brute Force        Argentina
213.142.143.191    Phishing               Turkey
82.220.89.53       Malware Host           Switzerland
118.212.186.91     SSH Brute Force        China
109.120.189.36     Phishing               Russia
82.217.114.19      Webshell Hunting       Netherlands
186.95.15.36       Command and Control    Venezuela
113.223.87.191     Webshell Hunting       China
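
One way to act on the table above is to check it against your own firewall logs and then turn it into block rules. The PowerShell below is an added example written for this brief, not tooling from the brief's authors: it carries the fourteen indicators from the table, scans log lines in the Windows Firewall (pfirewall.log) field layout, ranks outbound connections to the C2 nodes highest, and creates a block rule per indicator as a dry run. The log lines in $SampleLog are constructed for the example (internal 10.x addresses and the TEST-NET address 203.0.113.10 stand in for real traffic); the rule naming is an arbitrary choice.

```powershell
# Added example (not part of the brief): match the brief's IoC list against firewall log
# lines and flag outbound traffic to the C2 nodes first. Assumes the Windows Firewall log
# format: date time action protocol src-ip dst-ip src-port dst-port size ... path

$Indicators = @(
    @{ IP='50.62.239.1';     Signature='Phishing';            Geo='United States' },
    @{ IP='78.162.162.215';  Signature='Command and Control'; Geo='Turkey' },
    @{ IP='89.16.176.158';   Signature='Malware Host';        Geo='Great Britain' },
    @{ IP='27.145.126.63';   Signature='Command and Control'; Geo='Thailand' },
    @{ IP='179.40.166.123';  Signature='SSH Brute Force';     Geo='Argentina' },
    @{ IP='77.246.144.79';   Signature='Phishing';            Geo='Russia' },
    @{ IP='190.50.230.202';  Signature='SSH Brute Force';     Geo='Argentina' },
    @{ IP='213.142.143.191'; Signature='Phishing';            Geo='Turkey' },
    @{ IP='82.220.89.53';    Signature='Malware Host';        Geo='Switzerland' },
    @{ IP='118.212.186.91';  Signature='SSH Brute Force';     Geo='China' },
    @{ IP='109.120.189.36';  Signature='Phishing';            Geo='Russia' },
    @{ IP='82.217.114.19';   Signature='Webshell Hunting';    Geo='Netherlands' },
    @{ IP='186.95.15.36';    Signature='Command and Control'; Geo='Venezuela' },
    @{ IP='113.223.87.191';  Signature='Webshell Hunting';    Geo='China' }
) | ForEach-Object { [pscustomobject]$_ }

# Hashtable keyed by IP so each log line costs a constant-time lookup.
$IocByIp = @{}
foreach ($i in $Indicators) { $IocByIp[$i.IP] = $i }

function Find-IocHits {
    param([string[]]$LogLines, [hashtable]$Lookup)
    foreach ($line in $LogLines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }  # header/comment lines
        $f = $line -split '\s+'
        if ($f.Count -lt 8) { continue }
        $src = $f[4]; $dst = $f[5]
        foreach ($ip in @($src, $dst)) {
            if (-not $Lookup.ContainsKey($ip)) { continue }
            $ioc = $Lookup[$ip]
            # An internal host reaching out to a C2 node is the case the brief singles out.
            $severity = if ($ioc.Signature -eq 'Command and Control' -and $dst -eq $ip) { 'HIGH' } else { 'MEDIUM' }
            [pscustomobject]@{
                Time      = "$($f[0]) $($f[1])"
                Action    = $f[2]
                Src       = $src
                Dst       = $dst
                DstPort   = $f[7]
                Indicator = $ip
                Signature = $ioc.Signature
                Geo       = $ioc.Geo
                Severity  = $severity
            }
        }
    }
}

# Constructed sample log (not real traffic) in pfirewall.log layout.
$SampleLog = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2017-06-05 09:12:01 ALLOW TCP 10.1.20.15 78.162.162.215 51322 443 0 - 0 0 0 - - - SEND
2017-06-05 09:12:07 ALLOW TCP 10.1.20.15 203.0.113.10 51323 443 0 - 0 0 0 - - - SEND
2017-06-05 09:13:44 DROP TCP 179.40.166.123 10.1.5.2 40211 22 0 - 0 0 0 - - - RECEIVE
2017-06-05 09:15:02 ALLOW TCP 10.1.20.22 82.217.114.19 51400 80 0 - 0 0 0 - - - SEND
'@

$hits = Find-IocHits -LogLines ($SampleLog -split "`r?`n") -Lookup $IocByIp
$hits | Sort-Object Severity | Format-Table -AutoSize

# Block rules in both directions for every indicator. Dry run: drop -WhatIf to apply.
# New-NetFirewallRule needs the NetSecurity module (Windows 8 / Server 2012 and later).
foreach ($i in $Indicators) {
    foreach ($dir in 'Inbound', 'Outbound') {
        New-NetFirewallRule -DisplayName "TI-Block $dir $($i.IP) ($($i.Signature))" `
            -Direction $dir -RemoteAddress $i.IP -Action Block -Profile Any -WhatIf
    }
}
```

On the sample data the scan reports three hits: the ALLOWed outbound session to 78.162.162.215 as HIGH (C2), the dropped SSH attempt from 179.40.166.123 and the outbound request to 82.217.114.19 as MEDIUM. Per-host rules are a stopgap; the same list belongs on the edge firewall and proxy, where one entry covers every host.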

Security Trends and Insights

GOLDEN AGE OF CYBER ESPIONAGE

Espionage has long been the domain of nations with the financial resources needed to carry out an effective operation. In this age of low-cost cyber operations, it’s become possible for smaller players to enter the game and gain meaningful insights into their adversaries’ operations. Previously, the main actors in this realm were Russia, the United States and China. Now there are new players such as India, Macedonia, Ethiopia and Malaysia, all conducting their own operations with very similar goals: leveraging low-cost techniques for large intelligence gains.

FINANCIAL TROJAN QAKBOT LOCKING OUT USERS

IBM’s X-Force has reported that the financial Trojan Qakbot, which has been around since 2011, is now responsible for a spike in Active Directory (AD) user lockouts. This is a side effect of how the malware spreads through an affected network: after obtaining user account credentials, it attempts to move within the network by repeatedly reusing them, and the failed attempts trigger AD lockouts for the affected users. The malware, delivered primarily through spear phishing campaigns, also performs a “man in the browser” attack once it lands on an endpoint, injecting malicious code into online banking sessions.
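
The lockout behaviour described above is itself a cheap detection signal. The PowerShell below is an added example written for this brief, not code from IBM X-Force or from the Qakbot research it summarizes: it flattens Security event 4740 (“A user account was locked out”) records and flags any source computer that locks out several distinct accounts within a short window, which is what one infected host replaying stolen credentials looks like on a domain controller. It assumes rights to read the Security log on a DC; the thresholds, the computer names and the user1..user8 accounts in the stand-in data are made up for the example.

```powershell
# Added example (not from the brief or IBM X-Force): detect a lockout storm caused by one
# host replaying credentials, using Security event 4740 grouped by source computer.

function ConvertFrom-LockoutEvent {
    # Flattens a 4740 record. On 4740 the locked account is TargetUserName and the computer
    # the failed logons came from is carried in the TargetDomainName data field.
    param([Parameter(ValueFromPipeline)]$Record)
    process {
        $x = [xml]$Record.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time    = $Record.TimeCreated
            Account = $d['TargetUserName']
            Source  = $d['TargetDomainName']
        }
    }
}

function Find-LockoutStorm {
    param(
        [Parameter(Mandatory)][object[]]$Lockouts,   # objects with Time, Account, Source
        [int]$MinAccounts   = 5,                     # illustrative thresholds
        [int]$WindowMinutes = 30
    )
    $Lockouts | Group-Object Source | ForEach-Object {
        $events   = @($_.Group | Sort-Object Time)
        $accounts = @($events.Account | Sort-Object -Unique)
        $span     = ($events[-1].Time - $events[0].Time).TotalMinutes
        if ($accounts.Count -ge $MinAccounts -and $span -le $WindowMinutes) {
            [pscustomobject]@{
                Source    = $_.Name
                Accounts  = $accounts.Count
                FirstSeen = $events[0].Time
                LastSeen  = $events[-1].Time
                Verdict   = 'Possible credential-replaying worm (Qakbot-style)'
            }
        }
    }
}

# Live use on a domain controller (last 24 hours):
# $lockouts = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4740; StartTime=(Get-Date).AddHours(-24) } |
#             ConvertFrom-LockoutEvent
# Find-LockoutStorm -Lockouts $lockouts

# Constructed stand-in data: one workstation locking out eight accounts in eight minutes,
# plus one unrelated lockout that should not be flagged.
$base   = Get-Date '2017-06-05 10:00'
$sample = @()
foreach ($n in 1..8) {
    $sample += [pscustomobject]@{ Time = $base.AddMinutes($n); Account = "user$n"; Source = 'WKSTN-17' }
}
$sample += [pscustomobject]@{ Time = $base.AddMinutes(40); Account = 'jdoe'; Source = 'WKSTN-02' }

Find-LockoutStorm -Lockouts $sample | Format-Table -AutoSize
```

On the stand-in data only WKSTN-17 is reported. The source computer name is the field that matters: it points at the endpoint to isolate, while the locked-out user list tells you which credentials the malware already holds and must be reset.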

INSECURE HADOOP CLUSTERS EXPOSE OVER 5,000 TERABYTES OF DATA

Over the past year, threat actors have increasingly used ransomware to target unprotected online databases and servers. The first victims of this type of attack were users of MongoDB and Elasticsearch databases; recent attacks have begun targeting Hadoop clusters and CouchDB servers as well. The popular internet of things (IoT) search site Shodan shows nearly 5,000 Hadoop servers hosting more than 5,000 TB of data, most of them on AWS. This points to a widespread misunderstanding of secure Hadoop configuration or of the AWS environment’s security model. Hosting Hadoop servers in AWS poses a security risk. The ransom attacks against MongoDB, Elasticsearch, CouchDB and Hadoop servers are still occurring, and they are likely to increase as organizations continue their migration to the cloud.