Here are some of the key stories that stuck out from the last few weeks.
The #NotPetya/Nyetya worm
We have already written at length about ransomware and about this specific attack. This worm hit a number of different companies, appearing like ransomware but in practice having no effective decryption mechanism. It appears to have originated from a breached Ukrainian software house, from where it was distributed as part of a forged update file. Once it infected a machine, it spread throughout the network both by using the EternalBlue exploit and by dumping passwords and reusing them on other networked machines via psexec and wmic. This blog post gives a good overview of why this attack should be especially concerning for blue-teamers.
- More impetus to apply the MS17-010 patch if somehow this has not yet been done.
- Reportedly, the malware spread incredibly fast, so detection solutions may not have been enough in this case. Frequent, robust and offline backups would have been crucial for recovery.
- The malware traversed networks in the same way as manual attackers. It's important to use different local passwords on all endpoints and segment the network as much as possible.
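Because the worm moved between machines the way a hands-on attacker does (remote process creation via wmic and psexec with reused credentials), the same detection logic that catches manual lateral movement also catches this kind of spread. The following is an added example, not code from the original post: it runs over a handful of constructed, Windows-style process-creation records (timestamp, host, user, parent image, command line; all hostnames, addresses and paths are made up) and flags wmic `/node:` remote process creation, psexec with a remote target, and the PSEXESVC service starting on the receiving end. It then reports any source host that reached more than one distinct target, which is the fan-out pattern you would expect from a worm rather than from an administrator.

```python
"""Flag psexec / wmic lateral movement in process-creation logs.

Added example (not from the original post). Log records are constructed
here so the script runs offline; the field layout is
timestamp|host|user|parent_image|command_line.
"""
import re
from collections import defaultdict

# Constructed sample records. Hosts, addresses and the stage.bat path are invented.
SAMPLE_LOGS = r"""
2017-06-27T10:01:03|WS-ACCT-12|CORP\alice|C:\Windows\explorer.exe|winword.exe report.docx
2017-06-27T10:02:11|WS-ACCT-12|CORP\alice|C:\Windows\System32\rundll32.exe|wmic.exe /node:"10.0.5.21" /user:"CORP\svc_backup" process call create "cmd.exe /c C:\Users\Public\stage.bat"
2017-06-27T10:02:12|WS-ACCT-12|CORP\alice|C:\Windows\System32\rundll32.exe|psexec.exe \\10.0.5.22 -accepteula -s -d cmd.exe /c C:\Users\Public\stage.bat
2017-06-27T10:03:40|WS-HR-03|CORP\bob|C:\Windows\explorer.exe|wmic.exe os get caption
2017-06-27T10:05:02|SRV-FILE-01|CORP\svc_backup|C:\Windows\System32\services.exe|C:\Windows\PSEXESVC.exe
"""

# wmic with an explicit /node: argument targets a remote machine; plain wmic is local.
WMIC_REMOTE = re.compile(r'\bwmic(?:\.exe)?\b.*?/node:"?([^\s"]+)"?', re.IGNORECASE)
# psexec followed by a \\target argument.
PSEXEC_REMOTE = re.compile(r'\bpsexec(?:\.exe)?\s+\\\\([^\s]+)', re.IGNORECASE)
# PSEXESVC.exe is the service psexec installs on the machine it connects to.
PSEXESVC = re.compile(r'\\PSEXESVC\.exe$', re.IGNORECASE)
TARGET_LABEL = "PSEXESVC service started (psexec target)"


def parse(log_text):
    """Split pipe-delimited records into dicts; the command line may contain '|'."""
    events = []
    for line in log_text.strip().splitlines():
        ts, host, user, parent, cmd = line.split("|", 4)
        events.append({"ts": ts, "host": host, "user": user, "parent": parent, "cmd": cmd})
    return events


def classify(event):
    """Return (label, remote_target) for a lateral-movement indicator, else None."""
    cmd = event["cmd"]
    m = WMIC_REMOTE.search(cmd)
    if m:
        return "wmic remote process create", m.group(1)
    m = PSEXEC_REMOTE.search(cmd)
    if m:
        return "psexec remote execution", m.group(1)
    # Only count PSEXESVC when the Service Control Manager launched it.
    if PSEXESVC.search(cmd) and event["parent"].lower().endswith(r"\services.exe"):
        return TARGET_LABEL, event["host"]
    return None


def analyse(log_text, fanout_threshold=2):
    """Return (findings, fanout): per-event hits and hosts reaching >= threshold targets."""
    findings = []
    targets_by_source = defaultdict(set)
    for ev in parse(log_text):
        hit = classify(ev)
        if hit is None:
            continue
        label, target = hit
        findings.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                         "label": label, "target": target})
        if label != TARGET_LABEL:
            targets_by_source[ev["host"]].add(target)
    fanout = {h: sorted(t) for h, t in targets_by_source.items() if len(t) >= fanout_threshold}
    return findings, fanout


if __name__ == "__main__":
    found, fan = analyse(SAMPLE_LOGS)
    for f in found:
        print(f"{f['ts']} {f['host']} {f['user']}: {f['label']} -> {f['target']}")
    for src, targets in fan.items():
        print(f"fan-out from {src}: {', '.join(targets)}")
```

The benign `wmic.exe os get caption` line is deliberately left unflagged: local wmic use is common, and alerting on it would bury the remote cases. The fan-out threshold is where you tune for your environment; a jump host run by administrators will legitimately reach many machines, so pair this with an allow-list of expected sources rather than raising the threshold globally.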
Malware that attacks power-grids
Dragos Inc who specialise in Industrial Control System (ICS) security and ESET released a report with detailed information about malware they have observed in the wild targeting power grid networks. They have seen this malware on attacks in the United States, Europe and Ukraine.
- If you run industrial control networks, reading this report will provide valuable information for better protecting your network.
- Even if you are not an ICS company, it is still important to consider what similar elements may exist in your environment, e.g. smart building components.
Threats from your routers
Wikileaks have alleged that the CIA have the capability to infect routers with malware and intercept sensitive traffic. Similarly, researchers from Ben Gurion University demonstrated a technique of exfiltrating sensitive data using the LEDs on a router.
- Whilst neither of these threats may be particularly realistic for most companies' threat models, it is important to consider the risk from all devices in the technology environment.
- This is especially important in the "Internet of Things (IoT) age", where so many regular items have computers inside.
From weak password to RCE
This week’s nice hack is documented at the “pentest.blog” blog. The author found an external facing messaging server with a weak password and then reverse engineered the product to find a vulnerability which led to remote code execution.
- Ensure that as little as possible is externally exposed. Consider mitigating controls where this is necessary.
- Make sure external services in particular are kept up to date.
- Make sure your security planning includes the “0 day” scenario.