White Papers | Secnic Consultancy Services

Security Management

Information is one of the most valuable assets in your business. The use of proper preventive measures and safeguards can reduce the risk of potentially devastating security attacks, which could cost you the future of your business. Some losses might be irrecoverable, such as the loss of a business deal due to leaks of confidential data to your competitor.

With an effective information security management policy in place, you will be able to provide your company with a strong security strategy, and a cost-effective solution for the overall protection of valuable information. The advantage is that information control becomes easier to manage and, most importantly, you can minimise the risk of attacks, ultimately saving costs. You want to safeguard you assets as best as you can, so simply making a security budget a mandatory part of your company / organisation budget would be a wise move.

Information security management involves a combination of prevention, detection and reaction processes. It is a cycle of iterative activities and processes that require ongoing monitoring and control. While this management cycle is mostly applied at the overall organisation level, it can also be applied to different functions or units in a business to prevent financial loss, e.g. the sales department, the customer service unit, and so on.

In order to make security management work, involvement, understanding and support from all members in your organisation is a crucial factor in the effectiveness of any program. Do not be fooled into thinking it is an isolated task just for the security or IT department.

Security Primer – EternalBlue

Overview

EternalBlue is an exploit that allows cyber threat actors to remotely execute arbitrary code and gain access to a network by sending specially crafted packets. It exploits a software vulnerability in Microsoft’s Windows operating systems (OS) Server Message Block (SMB) version 1 (SMBv1) protocol, a network file sharing protocol that allows access to files on a remote server. This exploit potentially allows cyber threat actors to compromise the entire network and all devices connected to it. Due to EternalBlue’s ability to compromise networks, if one device is infected by malware via EternalBlue, every device connected to the network is at risk. This makes recovery difficult, as all devices on a network may have to be taken offline for remediation. This vulnerability was patched and is listed on Microsoft’s security bulletin as MS17-010.

Malware that utilizes EternalBlue can self-propagate across networks, drastically increasing its impact. For example, WannaCry, a crypto-ransomware, was one of the first and most well-known malware to use this exploit to spread. WannaCry uses the EternalBlue exploit to spread itself across the network infecting all devices connected and dropping the cryptro-ransomware payload. This increased the persistence and damage that WannaCry could cause in a short amount of time. This increase has made EternalBlue popular with various malware, such as Trickbot, a modular banking trojan, as well as CoinMiner and WannaMine, cryptominers that use the EternalBlue exploit in order to gain access to computing power to mine cryptocurrencies.

For more information on this vulnerability, please see the MS-ISAC’s Microsoft SMBv1 Advisory and the Common Vulnerabilities and Exposures list where it is listed under CVE-2017-0143, CVE2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147, and CVE–2017-0148.

Recommendations

Patch devices with Microsoft Windows OS with the security update for Microsoft Windows SMB v1. The Microsoft Security Bulletin, MS17-010, includes the list of affected Windows OS.
Use Eset’s tool to check whether your version of Windows is vulnerable.
Where appropriate, disable SMBv1 on all systems and utilize SMBv2 or SMBv3, after appropriate testing.
Use Group Policy Objects to set a Windows Firewall rule to restrict inbound SMB communication to client systems. If using an alternative host-based intrusion prevention system (HIPS), consider implementing custom modifications for the control of client-to-client SMB communication. Ata minimum create a Group Policy Object that restricts inbound SMB connections to clients originating from clients.
Apply the Principle of Least Privilege to all systems and services and run all software as a non-privileged user (one without administrative privileges).

Security Primer – Remote Desktop Protocol

Overview

Remote Desktop Protocol (RDP) is a Microsoft proprietary protocol that enables remote connections to other computers, typically over TCP port 3389. It provides network access for a remote user over an encrypted channel. Network administrators use RDP to diagnose issues, login to servers, and to perform other remote actions. Remote users use RDP to log into the organization’s network to access email and files.

Cyber threat actors (CTAs) use misconfigured RDP ports that are open to the Internet to gain network access. They are then in a position to potentially move laterally throughout a network, escalate privileges, access and exfiltrate sensitive information, harvest credentials, or deploy a wide variety of malware. This popular attack vector allows CTAs to maintain a low profile since they are utilizing a legitimate network service and provides them with the same functionality as any other remote user. CTAs use tools, such as the Shodan search engine, to scan the Internet for open RDP ports and then use brute force password techniques to access vulnerable networks. Compromised RDP credentials are also widely available for sale on dark web marketplaces.

In 2018, the Multi-State Information Sharing and Analysis Center (MS-ISAC) observed an increase in ransomware variants that strategically target networks through unsecured RDP ports or by brute forcing the password. The ransomware is then manually deployed across the entire compromised network and is associated with higher ransom demands.

Recommendations:

Assess the need to have RDP, port 3389, open on systems and, if required:
- place any system with an open RDP port behind a firewall and require users to VPN in through the firewall;
- enable strong passwords, multi-factor authentication, and account lockout policies to defend against brute-force attacks;
- whitelist connections to specific trusted hosts;
- restrict RDP logins to authorized non-administrator accounts, where possible. Adhere to the Principle of Least Privilege, ensuring that users have the minimum level of access required to accomplish their duties; and
- log and review RDP login attempts for anomalous activity and retain these logs for a minimum of 90 days. Ensure that only authorized users are accessing this service.
If RDP is not required, perform regular checks to ensure RDP ports are secured.
Verify cloud environments adhere to best practices, as defined by the cloud service provider. After cloud environment setup is complete, ensure that RDP ports are not enabled unless required for a business purpose.
Enable automatic Microsoft Updates to ensure that the latest versions of both the client and server software are running.

Security Primer – Emotet

Emotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments. Its highly infectious nature makes it difficult to combat and has cost SLTT governments up to $1 million per incident to remediate due to its worm-like features resulting in rapid, network-wide infections. Emotet is an advanced, modular banking trojan that primarily functions as a downloader or dropper of other banking trojans. Additionally, Emotet is polymorphic allowing it to evade typical signature-based detection. It has several methods for maintaining persistence, including auto-start registry keys and services. The trojan uses modular Dynamic Link Libraries (DLL) to continuously evolve and update its capabilities. Furthermore, Emotet is Virtual Machine (VM) aware and can generate false indicators if run in a virtual environment. Emotet is disseminated through malspam (emails containing malicious attachments or links) that uses branding familiar to the recipient, including the MSISAC name. As of July 2018, the most recent campaigns imitate PayPal receipts, shipping notifications, or “past-due” invoices purportedly from the MS-ISAC. Initial infection occurs when a user opens or clicks the malicious download link, PDF, or macro enabled Microsoft Word document included in the malspam. Once downloaded, Emotet establishes persistence and attempts to propagate the local networks through incorporated spreader modules.

Currently, there are five known spreader modules:

NetPass.exe, WebBrowserPassView, Mail PassView, Outlook scraper, and a credential enumerator.

exe: a legitimate utility developed by NirSoft that recovers all network passwords stored on a system for the current logged-on user. This tool can also recover passwords stored in the credentials file of external drives.
Outlook scraper: a tool that scrapes names and email addresses from the victim’s Outlook accounts and uses that information to send out additional phishing emails from the compromised accounts.
WebBrowserPassView: a password recovery tool that captures passwords stored by Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera and passes them to the credential enumerator module.
Mail PassView: a password recovery tool that reveals passwords and account details for various email clients such as Microsoft Outlook, Windows Mail, Mozilla Thunderbird, Hotmail, Yahoo! Mail, and Gmail and passes them to the credential enumerator module.
Credential enumerator: a self-extracting RAR file containing two components, a bypass and a service component. The bypass component is used for enumeration of network resources and either finds writable share drives using Server Message Block (SMB) or tries to brute force user accounts, including the administrator account. Once an available system is found, Emotet then writes the service component on the system, which writes Emotet onto the disk. Access to SMB can result in entire domains (servers and clients) becoming infected.

To maintain persistence, Emotet injects code into explorer.exe and other running processes. The Trojan can also collect sensitive information including system name, location, operating system version, and connects to a remote command and control server (C2) usually through a generated 16 letter domain name that ends in “.eu.” Once Emotet establishes a connection with the C2, it reports a new infection, receives configuration data, downloads and runs files, receives instructions, and uploads data to the C2 server. Emotet artifacts are typically found in arbitrary paths located off of the AppData\Local and AppData\Roaming directories and mimicking names of known executables. Persistence is typically maintained through scheduled tasks or via registry keys. Additionally, Emotet creates randomly-named files in the system root directories that are run as windows services. When executed, these services attempt to propagate the malware to adjacent systems via accessible administrative shares. It is essential that privileged accounts are not used to login to compromised systems during remediation as this may accelerate the spread of the malware.

RECOMMENDATIONS:

The Secnic Consultancy recommends organizations adhere to the following general best practices, to limit the effect of Emotet and similar malspam in your organization.

Use Group Policy to set a Windows Firewall rule to restrict inbound SMB communication between client systems. If using an alternative host-based intrusion prevention system (HIPS), consider implementing custom modifications for the control of client-to-client SMB communication. At minimum create a Group Policy Object that restricts inbound SMB connections to clients originating from clients.
Use antivirus programs on clients and servers, with automatic updates of signatures and software.
Apply appropriate patches and updates immediately after appropriate testing.
Implement filters at the email gateway to filter out emails with known malspam indicators, such as known malicious subject lines, and block suspicious IP addresses at the firewall.
If you do not have a policy regarding suspicious emails, consider creating one and specifying that all suspicious emails should be reported to the security and/or IT departments.
Mark external emails with a banner denoting it is from an external source. This will assist users in detecting spoofed emails.
Provide social engineering and phishing training to employees. Urge them to not open suspicious emails, click links contained in such emails, post sensitive information online, and to never provide usernames, passwords and/or personal information to any unsolicited request. Teach users to hover over a link with their mouse to verify the destination prior to clicking on the link.
Consider blocking file attachments that are commonly associated with malware, such as .dll and .exe, and attachments which cannot be scanned by antivirus software, such as .zip files.
Adhere to the principal of least privilege, ensuring that users have the minimum level of access required to accomplish their duties. Limit administrative credentials to designated administrators.
Implement Domain-Based Message Authentication, Reporting & Conformance (DMARC), a validation system that minimizes spam emails by detecting email spoofing using Domain Name System (DNS) records and digital signatures.
Adhere to best practices, such as those described in the CIS Controls, which are part of the CIS SecureSuite.

If a user opened a malicious email or an infection is believed to exist, we recommend running an antivirus scan on the system and take action based on the results to isolate the infected computer. If multiple machines are infected:

Identify the infection source (patient zero);
Identify, shutdown, and take the infected machines off the network;
Consider temporarily taking the network offline to perform identification, prevent reinfections, and stop the spread of the malware;
Do not login to infected systems using domain or shared local admin accounts;
Reimage the infected machine(s);
After reviewing systems for Emotet indicators, move clean systems to a containment VLAN, segregated from the infected network;
Issue password resets for both domain and local credentials;
As Emotet scrapes additional credentials, consider password resets for other applications that may have had stored credentials on the compromised machine(s);
Review log files and the Outlook mailbox rules associated with the user account to ensure further compromises have not occurred. It is possible that the Outlook account may now have rules to auto forward all emails to an external email address, which could result in a data breach.

Security Primer Spear Phishing

Spear phishing occurs when cyber threat actors send a targeted electronic communication to an individual or a small group of users, while masquerading as legitimate entities, in an attempt to gain unauthorized access to private, sensitive, or restricted content. Spear phishing emails are designed to socially engineer a response from the recipient. Through the response, recipients may unwittingly divulge information or click on a link that leads to a fraudulent website designed to harvest information, such as login credentials. Once collected by the cyber threat actor, the victim’s information or login credentials may be used to further compromise systems and networks. Often, spear phishing attempts impose artificial time constraints to create a sense of urgency that clouds a victim’s initial judgment.

TECHNICAL RECOMMENDATIONS:

Flag emails from external sources with a warning banner.
Implement filters at the email gateway to sift out emails with known phishing indicators, such as known malicious subject lines, and block suspicious links.
Adhere to the Principal of Least Privilege. If a user has no need for administrative access in order to carry out their daily activities, they should not have an administrative account. This can minimize the damage caused by malicious activity carried out under the user’s credentials.
Implement Domain-based Message Authentication, Reporting, & Conformance (DMARC), a validation system that minimizes spam emails by detecting email spoofing using Domain Name System (DNS) records and digital signatures.

ORGANIZATIONAL RECOMMENDATIONS:

Provide social engineering and phishing training to employees. Urge them not to open suspicious emails, click links contained in such emails, post sensitive information online, and never provide usernames, passwords, and/or personal information to any unsolicited request.
Conduct organized phishing exercises to test and reinforce the concepts using services such as those provided by CIS.
Implement a standardized protocol for reporting phishing attempts to the Information Technology (IT) department.

USER RECOMMENDATIONS:

Do not open suspicious emails or click on unknown links. The easiest way to check a link is by hovering over it with your mouse. This allows the true destination of the link to appear in the bottom left corner of your browser window or next to your mouse pointer in Microsoft Outlook.
Never reveal personal or financial information in response to an email. Legitimate organizations will never ask for this information in an unsolicited email.
If the message appears to be a phishing email, do not respond. Report it to the IT department immediately and await further instruction.