How many Bad Cyber-Characters Are There?

As I was listening to

The Future is not Blockchain. It’s Hashgraph. I had a question as they were discussing how a potential attack could come into their product, i.e. what if 3 out of 5 cheaters were in a card game? Obviously the cheaters would win, unless the game was found out to be cheated and you could enforce something to recoup losses.

The problem we have is we are on the Internet, and we have to be, so my question came as an obvious, how many bad characters are on the Internet right now?

Let’s list some of the known actors:

  1. Ransomware creators (criminal syndicates in friendly legal areas – East European countries)
  2. Ransomware creators (bad state actors – like NorK, Iran, and to some degree China -only because China has some local government that can do this for some time – and any others that push their weight around)
  3. Malware creators that want to make Bitcoins or Monero by using your computers to mine cryptocurrencies.(could be anybody)
  4. DoS (Denial of Service) attacks causing threats and ransom in other ways are sold on Darkweb for money, so anybody can attack anybody else(competitors, neighbors etc.)

 

The reality is we do not know “exactly” our adversaries, and there are estimates that ransomware cost $5 Billion in 2017, but numbers can be inflated.

But let’s turn that around – if your device receives ransomware and you cannot unlock it then stating statistics of millions (or Billions) of dollars means little when your device is not working.

So yes it is good to know your adversary, and there is no shortage of criminals and their methods to extract more money from their marks(people who do not know how to defend their computers).

What does that mean to all of us without exaggeration?

So we know there are a lot of cyber criminals, and they are constantly looking for you to mess up. They are becoming more sophisticated not less.

So here is a report by Mandiant (a Fireeye company) that investigates last year’s actual breaches and other activity as they have found at client sites and more- you can click on the report without registering.

There is also an interesting statistic they have compiled: “Dwell time” the number of days that there is evidence of a compromise on the network before detection.

America dwell time was 75.5 days in 2017, an improvement of 23.5 days(was 99days).

The average for the world was 101 days in 2017.

So this is an interesting statistic and is in line within Cybersecurity discussions as I know them. A bad character once they breach a network they will stay under the radar for a while, then performing their stealing or destruction before they are found.

So if we use both sets of information we know the Cyber criminals are making a lot of money and they are very sophisticated. They are not like the old “script kiddies” where it is fun to see what mischief to get into. Today’s bad characters are here to stay, to make more money this year than last.

We have to become more sophisticated as we keep using more of the Internet with more technologies.

Contact Us to discuss the sophistication of attackers and more.

Replace your Wi-Fi Router if 2yr+ old

Insignary had some research and created a report that looked into the binary code of most of the routers on the market. Technewsworld has  a story…

And Business Insider has a story

The short story is that many router companies do not update their devices which would mean customers would have to upgrade firmware, which is also doubtful, but at least it is possible to update and secure your router.  Many people do not update because it is difficult or time consuming, and the router upgrades require a technical skill missing in most home users anyway. It seems that all of the vulnerabilities of the routers:

WPA2(KRACK) – Key reinstallation attack

ffmpeg – DoS attack

openssl – DoS attack, and remote code exec

Samba – remote code exec

OSS components have weaknesses which are also open source.

New components that are secure have been created but have not been created to coexist with the Wi-Fi devices (within their firmware). If they would have been created you would have to download the firmware and then you would have to update this firmware. So the process of updating firmware in Wi-Fi routers differs with each manufacturer, I would go to your manufacturer website and try to find out if a new firmware has been released.

But as a safety precaution (with security in mind) it is probably best just to buy a new Wi-Fi  router (which has  software that does not have these old vulnerabilities.

So it depends on your level of risk and what you are protecting. Myself I always like to update my computers and wifi devices every year or every two years anyway.  If you are in the habit of doing this as a standard way of doing business you will not be affected by these vulnerabilities.

 

Contact Us to discuss your risk exposure and decide what upgrade standards you might need.

Test your network by Bloodhound

Which Bloodhound might you ask?

No not the Dog…

But the following program in Kali Linux:

Just a slightly different picture and meaning.

Cobaltstrike has tested with it and this is his explanation:

“BloodHound is a tool to analyze and understand Active Directory Trust Relationships. For an offensive practitioner, this tool can highlight the hops you might take to reach a goal within a network. For a defensive practitioner, this tool is gold as it can show you the most likely paths an attacker might take. It’s a good exercise to decide which of these trust paths needs to exist and which you can eliminate.”

Once setting up Bloodhound and Neo4J (used to create a graphical representation) you can then review your users in Active Directory. what is the most important attribute of your users in Active Directory?  Permissions. What can a user access with their permission?

“Defenders think in lists.

Attackers think in graphs

As long as this is true attackers will win “

John Lambert quote , he is with Microsoft Threat Intelligence.

 

What is going to happen is what is called as an Identity snowball attack.  We want to learn what users have privileges that allow us to gain more privileges.

The following images are from a youtube video of Andy Robbins, Will Schroeder, and Rohan Vazarkar – six degrees of Domain Admin

In Bloodhound: Vertices represent individual elements of a system (uses, groups, computer, domain)

Edges: generically represent relationship between vertices( group membership, admin rights, user session, domain trusts)

paths point toward escalating rights – always(compromising a system or user).

 

So the idea is to find users that lead you to domain admin user accounts or their privileges.

Powerview is also useful ( a pure PowerShell v2.0+ domain/network situational awareness tool… Which bloodhound is built upon.  With this tool bloodhound can collect data and does not need elevated privileges for collection methods.

  • Invoke-UserHunter
    • Get-NetSession sessions w remote user
    • Get-NetLoggedOn/Get-LoggedOnLocal – who is looged on to what machine.

Who can admin what?

We can enumerate members of a local group on a remote machine without admin privilieges

  • The WinNT service provider or NetLocalGroupGroup-ComputerName IP [-API]
  • GPOs can set local admins
  • GPOs are applied to OUs/Sites
    • correlation is equal to local admin information through communication with a DC
  • PowerView
    • Find-GPOLocation
  • Who is in What Groups
    • Get-NetGroup| Get-Netgroupmember

Instead of doing these commands manually via PowerView, Bloodhound does it graphically.

Here are 2 examples from the youtube video:

I believe this is test data, but from a large environment (200k computers) so there were a few large graphs. The 2 examples I chose from video are groups and certain users, computers broken out. The key is one can find a few specific computers and users that one has to infiltrate to then quickly get domain admin access. I.e. Identity snowball attack.

 

This tool is worth the time to learn and understand to make sure your environment is not easy to escalate and take over.

Contact Us to discuss.

 

Upgrade or Get Hacked (When Patch Available)

Did you hear the latest in Cybersecurity news?

  1. No not the news that Pizza Hut was hacked
  2. Not the news Hyatt Hotels were hacked.

BUT only the news that the supposed secure WPA2 Wifi Protocol is actually vulnerable to attacks. Which essentially means all current wifi access points are not secure.

CERT has a list of all the vendors with patches and affected vendor models.  CERT used to be Computer Emergency Response Team, but today it is at Carnegie Mellon University and still reviews the important vulnerabilities.

So you say…  Big deal another protocol is insecure the researchers say, just because it may be insecure if a person with knowledge can hack this then my wifi is going to be less secure, but what does it really mean?

It means it is another item to patch in a large schedule of patches (with Microsoft Windows, and other software also having to be patched.)

So we have to evaluate the actual risk and impact before allocating resources.

For one the hacker has to be close enough to your wifi station to see if they can hack your communications, this is not a recipe for mass mania. True,  but as usual it is only the high risk areas that have more to worry about. High risk as in protecting Social security numbers, and other PII (Personal Identifiable Information).

So the largest worry we have is that this patch is going to be ignored by most people, thus leaving 50% or more of wifi access points vulnerable to this attack. So the best thing that can happen here is that companies must evaluate their own situation and then make decisions with their resources as to when to patch this problem. It may not be easily hackable and must have proximity to wifi access points.  So in the future a seeming secure protocol is not until patched.

Unfortunately not everyone patches. As we mentioned before, 25% patch within first week,another 25% within first month, an additional 25% within 6 months. And some do not patch at all.

 

Obviously this is true since there are many ransomware outbreaks and they take advantage of basic patches not applied (vulnerabilities that take advantage of this).

So in the coming months as hackers develop better hacks (programs that take advantage of this vulnerability so the hacker can make money,  only then will the risk go higher and higher. And depending on impact of system affected it might actually get more dangerous for the companies not patching.

 

So everyone must have a patching regimen. Get going already – get a CISA tester on hand (like US – contact us).

 

Doing the Basics Would Have Saved You

A new Zero-Day attack is out available for attackers. this attack was discussed in the SANS website Internet Storm Center: https://isc.sans.edu/forums/diary/SMBLoris+the+new+SMB+flaw/22662/

SMBLoris – the new SMB flaw

The article was written from reviewing a Threatpost article, but was ultimately triggered because of the DEFCon 2017 presentation:

 

Notice the arrows on right with memory usage on a webserver going close to 100%.

What makes this attack (DOS – Denial Of Service) so bad is that it is easily disguised as ‘SlowLoris’ as sending partial HTTP requests to webservers (i.e. not fully connecting to the webserver). This partial connection essentially slows the webserver to a crawl when requesting enough connections.  And since this is a standard request, it is hard to distinguish friend from foe.

This is an interesting point from the archive.org webpage:

“Slowloris holds connections open by sending partial HTTP requests. It continues to send subsequent headers at regular intervals to keep the sockets from closing. In this way webservers can be quickly tied up. In particular, servers that have threading will tend to be vulnerable, by virtue of the fact that they attempt to limit the amount of threading they’ll allow. Slowloris must wait for all the sockets to become available before it’s successful at consuming them, so if it’s a high traffic website, it may take a while for the site to free up it’s sockets. So while you may be unable to see the website from your vantage point, others may still be able to see it until all sockets are freed by them and consumed by Slowloris. This is because other users of the system must finish their requests before the sockets become available for Slowloris to consume. If others re-initiate their connections in that brief time-period they’ll still be able to see the site. So it’s a bit of a race condition, but one that Slowloris will eventually always win – and sooner than later.”

So this is not a simple easy to see issue. This issue abuses the way the webserver operates for the following 4 applications:

 

  • Apache 1.x
  • Apache 2.x
  • dhttpd
  • GoAhead WebServer

slowloris is just one variant and as hackers review this attack…  variants may get created and thus exploit this in yet unknown ways. As of this posting there is no CERT classification yet.

What do I mean about the basics?  Well, if you have a webserver it should not have port 445 open to the public:

Google Port 445 definition:

Port 445 is a SMB port, or Structured Message Block which is used in NETBIOS protocols usually in file sharing applications. Well, one should not have a webserver with port 445 open and available on the Internet.

So, if you have done the basics, i.e. not run 445 or other ports that are unnecessary than this attack will likely not affect you or at least minimally affect you.  If you had to keep everything open, it might be time to run a firewall port limiter device in front of your website.  This is a fluid issue at this time, so keep an eye out for new attacks.. Contact Us to discuss.

 

Remember the hacker takes advantage of poor configurations.

Contact Us to discuss auditing your environment and review the basics in IT security.