Wednesday, May 17, 2017

WannaCry Ransomware - Lessons Learned



WannaCry (or WannaCrypt) is a new malware that hit over 200,000 computers in over 150 bcountries late last week (May 12, 2017). This malware encrypts files on the infected machine, making them inaccessible. What make this a significant cause for concern, is that it was the first time ransom-ware had the ability to spread automatically on a computer network, to other vulnerable computers. That means an entire network could become infected, as a result of the action of a single user clicking on an email attachment.

Fortunately, a temporary solution was identified to halt the spread of the malware, by registering a specific domain that the malware was trying to connect to. However, new versions have since been released by malware authors, which ignore this domain.

For those who have infected machines, the malware requests a payment of at least $300 bitcoins, in return for a decryption key to recover their files. However there is no guarantee that this will work, or that hackers won’t retain remote access to the infected computer. Instead, it is recommended that the computer be reformatted and data restored from a recent backup.


Where it came from

WannaCry was developed using a Windows security flaw that was discovered by the USA's National Security Agency (NSA), which was later stolen and released to the public by a hacking group called Shadow Brokers. At this point it appears that a second hacking group used the leaked information to create WannaCry.

Microsoft has expressed its displeasure (reference# 4) with the release of WannaCry, as it was the result of a larger problem. Several governments around the world are suspected of holding stockpiles of security vulnerabilities, for their own use, instead of notifying the affected software vendors. If these were reported in a timely manner, the current outbreak would have been avoided.


How to Protect Yourself

The most important method of protecting yourself is to apply Microsoft patches in a timely manner. Fortunately, a patch (MS17-010) should have been automatically applied in March 2017 to currently supported versions of Windows. However, Windows XP and Windows Server 2003 which are not officially supported by Microsoft, were issued their emergency patches after the outbreak (on Saturday May 12, 2017). These emergency patches can be downloaded from the Microsoft website (see reference# 1)

Most major antivirus companies have also released emergency updates that will detect the WannaCry malware. Also several network security monitoring devices have released their own updates to detect its movement on the network. 

As a third layer of security, disable the old file share protocol called SMB v1 (see reference# 5). While this outbreak primarily targeted older versions of Windows, the legacy coding used in SMB v1 remains vulnerable to future attacks. Newer versions of the SMB protocol (version 2 and 3) are installed on newer Windows Systems, and should not cause significant disruption to your operations. Ask you experienced IT support team to identify older legacy systems that depend on SMB v1, and start planning to mitigate their risk.

The final piece of advice is to maintain good security awareness. This includes,
·     Scrutinize each email you receive, especially when it contains an attachment or a web link
·     Do not install programs, unless they are from verified and trusted vendors
·     Turn off WIFI when not in use, and avoid public WIFI if possible
·     Maintain several offline backups of your data

References
1.   https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
2.   https://www.cnet.com/news/wannacry-wannacrypt-uiwix-ransomware-everything-you-need-to-know/
3.   https://www.symantec.com/connect/blogs/what-you-need-know-about-wannacry-ransomware
4.   https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack/#sm.001wk56cvrqfecz119v2dvzcw9e7m
5.   https://community.tenable.com/thread/11156


Bonus: how to detect SMB v1
  • https://redmondmag.com/articles/2017/05/16/insecure-smb-1-from-windows-networks.aspx
  • https://blogs.technet.microsoft.com/ralphkyttle/2017/04/07/discover-smb1-in-your-environment-with-dscea/
  • https://www.microsoft.com/en-us/download/details.aspx?id=44226




Saturday, April 22, 2017

How to access Linux via Windows Remote Desktop

One of the advantages of the Linux-based SIFT Workstation, is the ability to deploy it at remote locations, for quick forensics assessments. However after installation, you need a method of remotely connecting to that desktop.

The following steps provide instructions on how to install a remote desktop server. It was taken from articles posted on AskUbuntu and Teaking4All (links below).

Step 1 – Install xRDP
Open Terminal (Crtl+Alt+T) and execute the following commands:
sudo apt-get update
sudo apt-get install xrdp

Step 2 – Install XFCE4 ( Unity doesn't seem to support xRDP in Ubuntu 14.04; although, in Ubuntu 12.04 it was supported ). That's why we install Xfce4.
sudo apt-get install xfce4

Step 3 – Configure xRDP
In this step, we modify two files to make sure xRDP uses Xfce4. First we need to create, or edit, our .xsession file in our home directory. We can either use nano or simply redirect an echo statement (easier):
echo xfce4-session >~/.xsession

The second file we need to edit is the startup file for xRDP, so it  will start Xfce4.
sudo nano /etc/xrdp/startwm.sh

The content should look like this (pay attention to the last line and ignore . /etc/X11/Xsession):
#!/bin/sh

if [ -r /etc/default/locale ]; then
  . /etc/default/locale
  export LANG LANGUAGE
fi

startxfce4

Step 4 – Restart xRDP
To make all these changes effective, restart xRDP as such:
sudo service xrdp restart


The above information was taken from the following posts:
- https://askubuntu.com/questions/592537/can-i-access-ubuntu-from-windows-remotely
- https://www.tweaking4all.com/software/linux-software/use-xrdp-remote-access-ubuntu-14-04/




Sunday, December 6, 2015

PingWeb 0.1 - Checking the time to load web pages


I keep getting asked by the system support team, for a tool that checks on the time to load a webpage. The problem is that you cannot use a traditional ping tool, as it is based on ICMP instead of TCP, and will only indicate the spread at which data is transferred. However in the case of a website, the webpage can be delayed by the database processing time, the Web servers processing of the request.

To help solve that issue, I've created a simple tool called pingweb, which will connect to a webpage, and test the time it takes to retrieve that webpage, and the images on it.

The code is very simple, and will be put through several iterations over the next few months.

I will be posting a link to my GitHub page tomorrow.

UPDATE: The github address for the executable is https://github.com/norvalwest/PingWeb/releases.

Regards,
Norval