Monday, May 15, 2017

Introducing Comsec's Ransomware Readiness Service

Introduction

Comsec Group recently created a ransomware readiness service, which maps the gaps, validates the readiness level of an organization against ransomware attacks and provides concrete recommendations for remediation and improvement.

The WannaCry ransomware that struck recently and exploited a vulnerability found by NSA was leaked by TheShadowBrokers hacking group about two months ago. It is the biggest and most notable example of ransomware that includes the ability to spread without further user interaction, significantly increasing the ransomware threat, and making this service a lot more relevant.

So what is this service?

One approach for confronting the ransomware threat, is just to pray and hope it won't hit you, and if it does, to try and recover or just pay the ransom. However, this can take time and more importantly, as was seen in WannaCry, there is no guarantee that you will get your files back even if you pay.

But there is another way: Organizations can actively test if their infrastructure is ready to counter the threat of ransomware, either by preventing the ransomware from executing, or preventing any real damage by allowing quick recovery from backups.

Our ransomware readiness service tests exactly that.

Incident Response

NIST defines a cyber framework that includes five different activities in a cyber incident:
  • Identify – Develop the institutional understanding to manage cybersecurity risk.
  • Protect – Develop and implement the appropriate safeguards, prioritized through the organization’s risk management process, to ensure delivery of critical infrastructure services. 
  • Detect – Develop and implement the appropriate activities to identify the occurrence of a  cybersecurity event.
  • Respond – Develop and implement the appropriate activities, prioritized through the organization’s risk management process (including effective planning), to take action regarding a detected cybersecurity event.
  • Recover – Develop and implement the appropriate activities, prioritized through the organization’s risk management process, to restore the capabilities or critical infrastructure services that were impaired through a cybersecurity event. 

 

Details of the Ransomware Readiness Service

The ransomware readiness service tests the organization's readiness level in each stage of the incident response process in order to understand the risk of ransomware, test the organization's protection and detection mechanisms, test the response procedures and verify the recovery process.

The service includes the following steps.

Identify:

  • Identify management awareness in the organization of the threat of ransomware 
  • Mapping the relevant response procedures for ransomware and general cyber attacks in the organization, highlight the gaps and recommending improvements for these procedures.

Protect:

  • Web protection: Ensure safe internet browsing by reviewing and adjusting the organization’s web browsing policy to reduce the risk of a malicious executable (or document) being downloaded.
  • Mail protection: Ensure that an appropriate solution for inbound emails exists by reviewing and adjusting the organization’s anti-spam and malicious activity policy. This includes, amongst other things, the detection of malicious files, even if they are not detected as malicious based on anti-virus signatures.
  • User permissions: Ensure that the user workstations are hardened. This includes ensuring that malware can’t be executed by accident (for example, due to an autorun script in a USB drive), and examining any endpoint protection solutions.
  • Limit users' domain permissions: This includes reviewing servers and workstations in the domain in order to ensure that users do not have permissions to execute code remotely. In addition, this review includes restricting writable folders on the domain, to reduce the risk of malware spreading itself via network shares.
  • Servers and endpoint configuration and patching: Ensuring that servers and workstations are updated with the latest security patches in a timely manner in order to reduce the risk of ransomware exploiting known vulnerabilities.

Detect:

  • Testing endpoint protection: Testing the configuration and update policy of the antivirus and EDR (Endpoint Detection and Response) in order to detect or even prevent the ransomware from executing in real-time.

Response:

  • IRT (Incident Response Team): Comsec’s IRT is always available for future support in the event of a security incident caused by ransomware (or any other malware). Comsec investigates the ransomware in order to assess the "family" which it comes from and whether there is a known method of decrypting the files without paying the ransom. Comsec has a registered bitcoin wallet to pay the ransom if needed, as a last resort, following our assessment of the likelihood of the files being decrypted even after paying. 
  • User awareness training: Perform phishing exercises with scenarios such as fake websites, malicious links, malicious files etc., including a detailed report showing statistics of the extent to which the user was susceptible, e.g. opened email, opened link, downloaded file, ran file.

Recovery:

  • Backups: Ensure that files are constantly backed up in order to minimize damage in the event of a ransomware attack and that regular restoration tests are carried out.

 

Conclusion


In conclusion: In order to better mitigate the risk of ransomware and other modern cyber threats, you should test your readiness across the full chain of events and activities that can occur in such an event, in order to prevent the threat from occurring and\or to limit the damage if it does occur.

For further details and for any question please contact us:
https://comsecglobal.com/contact-us
info@comsecglobal.com
+972-3-923-4646

Stay Safe



Gil Cohen
CTO
gilc@comsecglobal.com

Monday, May 8, 2017

Monday tech: WPAD Man in the middle across LANs *and* the WAN

Hi everyone
WPAD or Web Proxy Autodiscovery Protocol, is a protocol that is used in Windows by Internet Explorer and other web browsers that follow Window's internet configuration, that enable auto discovering of proxy server setings in order to connect to the outside, usually the Internet.



WPAD is almost 20 years old and it's an old and unsecured protocol. When WPAD is enabled, the client asks for a DNS record with the hostname of WPAD and a file that is called a PAC file (Proxy auto-config) that contains sandboxed JavaScript code, that tells the browse the location of the proxy server or multiple proxies. If the DNS query failes, another similar protocol that operates in the LAN and called WINS (Windows Internet Naming Service) is used to search for the WPAD host, and then if this also failes, another similar protocol called LLMNR (Link-Local Multicast Name Resolution) is used. This protocol is used for peer-to-peer resolusion, and uses an entire network broadcast to ask for the resolution - not the safest and most reliable method.

If an attacker resides in the network of the victim, he can easily respond to the LLMNR broadcast, return a PAC file and redirect the victim's trafic to his station, performing a full MITM attack.
Moreover, if the attacker adds basic authentication to his malicious server, the victim will be prompt to enter credentials and once he does, he just gave the username and password to the attacker.

This can be automatically executed using the famous Responder tool created by Spider Lab and now part of Kali.
A full example can be seen here:
https://www.trustedsec.com/july-2013/wpad-man-in-the-middle-clear-text-passwords/

But wait, the fun doesn't stop there. WPAD first issues a DNS request for WPAD hostname, and in many cases it appends the domain name to the WPAD hostname.
So effectivly if an organization that is called Contoso has a domain with the same name, and of the domain stations enable WPAD, the DNS server will get both a WPAD hostname request and a WPAD.Contoso request.
If WPAD.Contoso is a legal DNS hostname in the internet, this attack becomes FAR more dangerous as it nows leaks from the LAN to the WAN.
During the last BlackHat Las Vegas conference a researcher actually registered multiple top level domains with the WPAD hostname and different suffixes such as wpad.news, wpad.university and wpad.tokyo, hoping to get requests from different organizations. Suprisingly (or not) - he did. A LOT.
The most succesfull suffix was Tokyo, maybe because the upcoming olympics that will take place in the city in 2020.
An article about this hack can be found here:
http://www.eweek.com/security/researcher-tells-how-web-proxy-autodiscovery-protocol-could-be-abused
The presentation from BlackHat can be found here:
https://www.blackhat.com/docs/us-16/materials/us-16-Goncharov-BadWpad.pdf

Have a great week!

Saturday, May 6, 2017

Cyber Updates - 06/05

Hey all,
Here are this week's cyber updates:

(1) Intel processors remote management features were found to be vulnerable (CVE-2017-5689) to remote code execution.
Intel’s Active Management Technology (AMT), uses a web-based control panel, which is accessible from port 16992 and 16993, and allows an administrator to remotely manage a system. The web server uses digest as its authentication mechanism, but does not properly compare the users_response digest value with the computed_response value. In particular, the website uses the strncmp function with the user_response length instead of the computed_response length.
This means that a null value submitted as the user’s digest response, would invoke the strncmp function with a length of 0, therefore causing it to always return 0 (success). Thus, malicious users can successfully authenticate to the webserver and manage users’ computer.
Fortunately, the AMT features are not installed by default, so not all organizations are affected by this vulnerability.

Here are all the details:


(2) WordPress was found to be vulnerable (CVE-2017-8295) to a logical flaw that might allow an attacker to reset users’ passwords. In particular, WordPress sends a “password reset” email from the following address: wordpress@domain.com, with “domain.com” parsed from the user’s request host header. Thus, a mail can be sent from the attacker’s domain if he/she submits a password reset request with their own domain (to the victim's IP address).

A malicious user can flood the user’s mailbox with numerous big attachments (unrelated to the WordPress platform). This would result in the user’s mailbox being flooded, and thus becoming unavailable to receive new emails. 
The attacker can then send the "forgot password" email (from their own domain), which will cause the victim’s MX server to reply to the original email with a "552 mailbox full" error. However, since the attacker has managed to control the domain, the email would be sent to the attacker, and would contain the original email, including the token to reset the password.

Here are all the details:

(3) Flicker was found to be vulnerable to an account takeover vulnerability: the authentication mechanism to Flicker relies on Yahoo, where the user receives a token from Yahoo and sends it to Flicker. Due to insufficient validation on the address URL in Yahoo, a malicious user who causes their victim to invoke a call to Yahoo can receive the victim's Flicker token and login on their behalf.

Here are all the details:

(4) Albert Einstein once said that two things are infinite: the universe and human stupidity. A new phishing campaign proves the latter. Users have received an email from Apple iCloud, requesting them not only to provide their password, but also their credit card details, address, and government issued credit card.

Here are all the details:
https://www.hackread.com/icloud-phishing-scam-credit-card-camera-access/


Stay tuned for more updates,
Dan Gurfinkel
Head of Offensive Security & Response Uni

Saturday, April 29, 2017

Cyber Updates - 29/04

Hey all,
Here are this week's cyber updates:

(1) Hyundai app has been found vulnerable to MiTM attacks. The app communicates with Hyundai’s server using the HTTP protocol, but encrypts the data before it is sent. However, the encryption key is symmetric, hence allowing an attacker to decrypt the data.
Thus, a malicious user connected to the same Wi-Fi network as the attacker may conduct a MiTM attack and view the username and password. This would allow the attacker to track the victim’s car, unlock its door and start its engine.

I wonder if insurance companies would increase the premium for Hyundai cars :)
Here are all the details:

(2) When users buy a new laptop, they think of its firmware, weight, and battery life, but they don’t think of the default programs that are installed with it. HP laptops, which are shipped with the HP Display Control software, are now vulnerable to privilege escalation exploits. In particular, the installed service is executed as the SYSTEM user, but allows any OS user to change the service’s binary path.
An attacker can thus change the binary path to their own malicious executable, therefore executing OS code with SYSTEM privileges.

Here are all the details:

(3) Can you hack the US Air Force? Now you can legally do it, and gain money from it.  The DoD has engaged with a new bug bounty program, allowing you to hack the Air Force, but beware, you must be a citizen of the Five Eyes countries to participate and pass a background check.

Here are all the details:

Stay tuned for more updates,
Dan Gurfinkel
Head of Offensive Security & Response Unit


Wednesday, April 26, 2017

Monday tech: PRSD DDoS attack

Hi everyone
Today I'm going to talk about a nice variation of DDoS that I recently encountered: PRSD DoS - Pseudo Random Sub Domain attack, also know as "water torture attack".
This DDoS attack sends multiple DNS queries of known domains (such as google.com) but with invalid ransdom sub-domains (such as gfhadffgas.google.com).

What makes this attack cool?
The purpose of this attack is to stress the authoritive DNS servers of the target domain (google.com), but it is also forwarded to the ISP, and it in turn resolve your query using the DNS resolver, and it can also crash in this attack.

Furthermore, this attack is not mitigated in most of the DNS servers out there.
What can you do? Block IPs that send too many failed DNS queries (reponses of SERVFAIL) will do the trick. In addition you can obviously increse hardware resources of DNS servers or limit the number of concurrent requests which will also temporarly bring the server down.

In conclusion: This is a very simple yet effective attack, that exploits the iterative and naive nature of the DNS protocol. DNS DDoS attacks are on the raise, as we wintessed that even the large websites (Twitter, Spotify and others) were hit by it 6 months ago in the notorious attack against the Dyn DNS provider company, that included tens of millions of zomies that were controled by multiple malwares, including the famous Mirai bot (https://techcrunch.com/2016/10/21/many-sites-including-twitter-and-spotify-suffering-outage/).
We sure are going to so more and more DNS applicative attacks in the future, as it is usually easier to bring down a DNS server comparing to webservers of very large websites.

Have a great day

Saturday, April 22, 2017

Cyber Updates - 22/04

Hey all,
Here are this week's cyber updates:

(1) Browsers use Punycode encoding in order to represent Unicode characters in the URL and protect against Homograph phishing attacks.
Google Chrome, Mozilla Firefox and Opera were vulnerable to a phishing attack due to a flawed implementation of the above encoding. The loophole relies on the fact that if someone chooses all characters for a domain name from a single foreign language character set, resembling exactly the same as the targeted domain, then browsers will render it in the same language, instead of the Punycode format.
This has allowed attackers to redirect users to a website while presenting a different URL in the address bar.
Here are all the details:

(2) Last week we’ve reported a security incident in Marriott. This week it is IHG’s turn to reach the headlines. The company was infected with a malware that searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) from the magnetic stripe of a payment card as it was being routed through the affected hotel server. 

Be sure to check your credit card transactions if you stayed at an IHG hotel on or after September 29, 2016.

A list of affected hotels can be found in the following URL: https://www.ihg.com/content/us/en/customer-care/protecting-our-guests/property-listing

Stay tuned for more updates,
Dan Gurfinkel
Head of Offensive Security & Response Unit

Tuesday, April 18, 2017

Windows exploits dump by "TheShadowBrokers" - What you need to know/do

Background


This past weekend, a hacker group calling themselves “TheShadowBrokers” dumped a large amount of content which allegedly relates to the US Government’s cyber espionage activities.

Included in the dump were a number of previously unreleased vulnerability exploits, mostly targeting Windows systems. Some of these exploits provide the ability for an attacker to remotely execute code on a target system with zero client interaction using the SMB service running on port 445. This type of “wormable” vulnerability in Windows (i.e. a vulnerability that can remotely take control of a system and then use the infected system to attack other systems) is very rare. The last notable example where a working exploit was released was the “MS08-067” vulnerability which was used in the Conficker Worm in 2008.

Whilst there was initially a great deal of speculation and panic that these Windows exploits were “0 days”, i.e. unpatched vulnerabilities, Microsoft published a comprehensive blog-post indicating that all relevant exploits in the dump had already been patched in supported Operating Systems. 

Key Issues


It is important to note the following:
  1. These vulnerabilities still exist in unsupported Operating Systems such as Windows Server 2003 which will not receive patches.
  2. Some of the most critical vulnerabilities were only fixed in the March 2017 “Patch Tuesday” release.
As such, organisations running older Windows Operating Systems or which have not applied the latest patches to their newer Windows Operating Systems may still be at risk from these vulnerabilities.

Our Recommendations


We would therefore recommend that organisations take the following immediate actions:
  • Scan for Windows machines where port 445 is externally exposed to incoming traffic from the Internet and block this at the firewall.
  • Where servers were found with this port open, review server logs to look for evidence of malicious activity.
  • Prepare a plan to patch all Windows machines with the key patch (MS17-010) and any of the other patches from the Microsoft blog-post above which have not yet been applied.
  • Prepare a mitigation plan for any Windows machines which are unsupported or cannot be patched in a timely fashion.
  • Review the list of exploits to look for non-Windows exploits which may directly affect you.

We would also recommend the following, mid to long term actions:
  • Ensure that you have a robust Patch Management process in place to allow timely application of updates.
  • Ensure all non-vital ports are inaccessible externally across the technology environment.
  • Prepare a plan to upgrade unsupported OSes as soon as possible.


Closing thoughts


This incident also shows the importance of being prepared for a case when an attacker gains internal network access (be it through a “0 day” vulnerability or through social engineering. 

Organisations should ensure that strong detection controls are in place to discover unexpected or malicious activity in the internal network and design the network to make it harder for an attacker to move laterally from one part of the network to another without detection.

Josh Grossman
Senior Information Security Consultant and Team Leader
@JoshCGrossman