Managing Spectre and Meltdown at Enterprise Scale

1/05/2018 Update:  Apple announced late in the day on 1/4 that its products are vulnerable. Its most recent versions of iOS 11.2.1 and macOS 11.12.3, released before this vulnerability went public, included some fixes. Apple is still working on further updates and will release them at an unspecified time in the future.

The dawn of the new year brings with it a pair of new designer vulnerabilities, Meltdown and Spectre, which affect virtually any CPU made after Intel’s original Pentium CPU, regardless of what operating system it runs.

What is Meltdown and Spectre?

Modern CPUs use a trick called speculative execution to speed up processing. When there is a branch in program code, the CPU runs both possibilities at once, then discards the one it didn’t need. Meltdown and Spectre use different tricks to find data from those discarded results and access memory that they normally wouldn’t be able to access.

An attacker could use this to steal passwords or credit card numbers, or in the case of cloud infrastructure, steal data from virtual machines belonging to other customers. In cloud environments, it is possible to read data belonging to the hypervisor or other virtual machines.

The biggest problems occur on Intel CPUs. CPUs from AMD and ARM are susceptible to a smaller number of more complex attacks, but still must be considered vulnerable. In enterprise environments, Intel CPUs are far more common than AMD or ARM.

Why should you care?

Almost any computer made in the last 22 years is vulnerable to one degree or another for this. These vulnerabilities have received a tremendous amount of coverage, even bleeding into the mainstream press, so everyone from customers to board members have likely heard about this and are concerned.

What can you do?

First, don’t panic. So far there are no reports of reliable exploits circulating in the wild. Operating system vendors are releasing patches as we speak. Spectre is difficult to mitigate at the CPU or operating system level, so browser makers are attempting to mitigate it at the browser level, since browsers are both an effective attack vector and an attractive target.

Scan your network with a proven vulnerability scanning solution. Check your results for CVEs CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754, and check your web browser versions to build an inventory of patches that will need to be deployed and where. For best results, ensure you are scanning your entire network with authenticated scans. Vendors will be releasing updates through the end of January, so keep in mind, this is a moving target.

Chrome, Edge, Firefox, and Internet Explorer all received updates this week. Chrome will receive another update by January 23. Safari, Opera and Vivaldi will receive updates on or before January 31. Additionally, Google recommends enabling site isolation in Chrome. Opera and Vivaldi have the same feature. This setting is in chrome://flags/#enable-site-per-process.

If your vulnerability management platform is capable of scanning your mobile device management solution, scan your MDM solution as well to ensure your Android devices are running the January 2018 update from Google, and your iOS devices are running iOS 11.2.1 from Apple.

Microsoft released out-of-band updates for this, but its patch has issues with many third-party antivirus solutions. Unless you have other information direct from your antivirus vendor, GuidePoint Security recommends waiting until Monday for your antivirus vendor to catch up. On Monday, push the update to your antivirus client, then start pushing Microsoft’s update.

Patch in a controlled, prioritized fashion. Workstations and cloud infrastructure are the most critical, as they are most susceptible to attacks. Servers running on hardware you control are much more difficult to exploit, so they can be in your later round of patching. If possible, patch a test environment first so you can monitor for performance impact, as servers that do large amounts of I/O, such as database and web servers, can experience performance degradation of 20 or even 30 percent. Google and Intel have experimental mitigations to help with these degradations in the long term. However, these fixes will require recompiling code so these changes will take time to appear.

After patching, be sure to follow up with subsequent vulnerability scans. GuidePoint engineers have observed Microsoft’s patch giving false error messages that suggest the patch failed when, in fact, it had succeeded. Your vulnerability management solution has more thorough checks that can validate the patch actually succeeded. Microsoft is working on an update for this patch to fix the error messages.

If you cannot update all of your browsers, consider updating one browser and limiting general web access to one particular browser at your proxy server until you are able to update all of the browsers in your network. Please note that technologies like Microsoft EMET and Malwarebytes Anti Exploit, while very useful against certain types of exploits, are not able to protect your browser against Spectre and Meltdown.

GuidePoint Security is here to help

GuidePoint’s cybersecurity advisors have years of experience managing vulnerabilities in enterprise environments. We can help you ensure your vulnerability management solution is correctly sized for your environment, and our Virtual Security Operations Center (vSOC) Identify Team can even run your vulnerability management program for you. Learn more at www.guidepointsecurity.com.

Author

Dave Farquhar, vSOC Analyst at GuidePoint Security, is a Cyber Security professional who has worked in the field for 8 years with Vulnerability Management, Policy Compliance, and Incident Handling as his main focuses. Dave most recently managed accounts for 30 large customers at a major vulnerability management vendor, where he helped his most successful clients reduce their vulnerability counts by 50 percent. Prior to moving to security, Dave specialized in remediation management on the infrastructure side of IT. Dave has a Bachelors degree in Journalism from the University of Missouri as well as holding CISSP and Security+ certifications.

An Incident Responders Take on 2018’s Cybersecurity Predictions

In his article, The Top 18 Security Predictions for 2018, Dan Lohrmann’s roundup outlined the cybersecurity industry’s top predictions from some of the major industry vendors, including TrendMicro, McAfee, Symantec, Check Point, and others.

As with any prediction, there are always those who either agree, agree in part or totally disagree. I would place myself in the second category of agree in part, although there are a few salient points that I believe should be included.

Additionally, I am going to add a bit of fidelity to their predictions based on my market visibility and experiences. You will see some similarities and some differences in view but remember, they are based on my exposure to the industry, GuidePoint Security’s customer base, independent research I’ve performed, and input I have received from other valued Digital Forensics and Incident Response (DFIR) professionals.

Without further delay, here are my thoughts on the Top Security Predictions for 2018.

1) IoT devices will be the key victims for Ransomware

a. A lot of IoT device manufactures have implemented minimal security safeguards and these connected devices are low hanging fruit for attackers.
b. Moreover, these devices are relatively easy to target, have a highly visible public impact, and ransomware continues to provide a nice profit margin for attackers. I expect the combination of these factors to lead to a significant uptick in successful Ransomware attacks against IoT devices in 2018.

2) Most companies will take definitive action on the General Data Protection Regulation (GDPR) but only after the first set of high-profile fines or lawsuits are filed.

a. GDPR is the latest set of requirements that has companies scrambling to meet the compliance deadline, but few companies have invested the time and resources required to be properly prepared by May.
b. Also, with the EU wielding such power, European assets of American companies can be seized.

3) Malspam will increase and will focus on account compromises for Outlook Web Access (OWA) and Office 365 (O365) email/account access. Additionally, unsecured AWS and Azure environments could lead to large-scale compromises.

a. A large amount of companies are moving their email and Office environments into OWA and O365 as well as their workloads into Azure and AWS. As is often the case, security requirements are not included in these migrations in the haste to move to the new environment. (Remember, in 2017 we have already seen an uptick in the number of discovered publically accessible S3 buckets and there’s nothing to suggest that this will not continue well into 2018.)
b. Overall, malspam attacks are easy to execute and only requires gullible end-users to be successful.
c. Malspam success is based on the Human Element (HE) and you can never remove HE from cybersecurity, hence it will remain the weakest link in the chain

4) Companies in the cryptocurrency business will see the most attacks in 2018, with one or more declaring bankruptcy from the losses suffered in the attacks.

a. 2017 was a banner year for hacking the cryptocurrency businesses with at least one crypto currency dealer being hacked twice then filing for bankruptcy (e.g., Youbit[1]).

5) Non-malware and File-less malware attacks will dominate the tech industry.

a. These types of attacks were dominant and profitable in 2017 and I see them gaining strength in 2018. Many companies are ill-prepared to deal with these types of attacks, and the attackers are well aware of this weakness.

6) The Corporate Cyber Insurance industry will suffer large financial losses in 2018. This will not be a record for that industry but their claims will reach record levels.

a. I think the Cyber Insurance industry has a significant amount of maturing and change to accomplish in 2018.
b. The Cyber Insurance market will continue to explode. However, the common underwriting framework and process to measure the risk of the policies has lagged behind the policy writing.
c. I also believe the current cryptocurrency businesses are improperly designed and are too high of a risk for the cyber insurance market.

7) New POS malware variants will emerge in 2018 that will focus on EMV / Chip and PIN technologies with an increase of Ransomware targeting POS devices.

a. This is a bit of a reach for me but I refuse to believe the crime syndicates are not testing or trying to target Chip and PIN.
b. Ransomware on a POS device is simple, easy, cheap and effective and we will see it deployed effectively against retailers in 2018.

8) Online gaming agents will be used as bots in an DDoS attack. It is only a matter of time before this “innocent” avenue will be exploited and with the wide distribution of online gaming, these bots will be a force to reckon with in 2018.

a. This attack vector isn’t new but is often overlooked. I have been waiting for the past five years for this to happen and I think we are at that point in cyber-history to witness this type of massive distributed-global attack.

9) Increase in malware that targets PLC type devices. Much like we saw with the Trisis malware, the PLC device manufactures are unaware of how exposed they are to exploit and this type of targeting, especially for a Ransomware attack, can be extremely profitable.

a. With PLC devices connecting to the internet and/or to internal networks, most are not protected and large industrial corporations with deep pockets utilize the PLC devices. Therefore, with a well-planned Ransomware attack the payout could be massive.

10) NIST 800-171/ DFARS standard violations will outpace the US Government’s ability to contract and waivers will be provided to lessen the impact.

a. Many of the companies that claim compliance to 800-171 have scrambled to get a basic compliance program in place to meet the assessment criteria.
b. The DoD will need to make contracting adjustments to its FAR in order to keep up with DoD contracting demands.

Well, I guess it is a matter of record now, so we will have to revisit my prognostications in 2019 and see how close I was with each one.

Happy New Year everyone!

[1] https://www.pymnts.com/blockchain/bitcoin/2017/youbit-cryptocurrency-bankruptcy-south-korea/

Image credit: https://www.varmour.com/templates/varmour/images/easyblog/easyblog_articles/187/2108predictions.jpg

Author

Bill Corbitt, National Practice Director for Digital Forensics Incident Response & Forensic Intelligence at GuidePoint Security, is a seasoned, results-oriented leader with extensive corporate, federal, and international experience, dealing with cybersecurity, forensic, and Incident Response dilemmas. In addition to his demonstrated success in aligning security results with business requirements, Bill is recognized for his abilities in implementing accurate cyber-countermeasures to protect intellectual property, reduce cybersecurity risk, and protect intellectual property on a global scale. A respected strategist within the forensic and incident response communities, Bill holds a Bachelor of Science degree in Criminal Justice from Valdosta State University.

2017 the year of the Non-Malware Attacks

What is a “non-malware” attack?

Image Source: https://www.firstclassassignment.com/value-risk-finance/

A non-malware attack is an attack that does not use malware. Simple.

More realistically, a non-malware attack is one in which an attacker uses existing software or allows (remote access) applications and authorized protocols (e.g., RDP, ssh, etc.) to carry out malicious activities on your network.

In a non-malware attack, the threat actor uses the accessible software to gain entry into the targeted network, control the victimized computers and from this point perform any sort of nefarious actions all within “full view” of all security safeguards.

These native tools grant users exceptional rights and privileges to carry out the most basic commands across a network that will eventually lead to your valuable data. With a non-malware attack, the victim has built into their traditional business model all the tools and access the threat actor needs to have to be successful. Yes, you could have made the bad-guy successful.

Without proper monitoring, the victim has, with legitimate business software (e.g., PowerShell, UltraVNC, TeamViewer, DesktopNow, etc.)[1], opened the front door to their kingdom and welcomed the threat actor with a big, warm hug and a hot cup of coffee.

In a recent Carbon Black report[2] they make note that; “Virtually every organization included in this research was targeted by a non-malware attack in 2016.” Furthermore, in the same report, Carbon Black also states there has been a +92% increase in non-malware based attacks for 2016.

The Carbon Black report says common types of non-malware attacks researches reported seeing and the percentage that saw them were: remote logins (55%); WMI-based attacks (41%); in-memory attacks (39%); PowerShell-based attacks (34%); and attacks leveraging Office macros (31%).[3]

Remember, I am not saying that any of these remote access utilities do not have a legitimate use. What I am pointing out is that non-malware remote access utilities, properly managed and not used in an ad-hoc fashion, can be very useful. However, after you add in the hubris of the Human Element (HE), this is hardly ever the case and security professionals are left scrambling to identify authorized vs. unauthorized use and access which is quite time-consuming.

What makes a non-malware attack work?

What makes a non-malware attack so successful? The answer is simple, we give the threat actor all the tools they need to be successful. We (the royal “we”) fully equip the threat actor with all the necessary tools and access simply by doing our normal daily activity and business.

Some of the more famous non-malware attacks or attack trends include the attack against the Democratic National Committee (DNC) and the “PowerWare”[4]  campaign tracked by the Carbon Black teams.

Remember, the basis of a non-malware attack is to gain a toe-hold with little threat of detection. From this point, the threat actor determines how to promulgate the attack internally.

Why are non-malware attacks so hard to prevent and detect?

Traditional security approaches in detecting non-malware (malicious) attacks will probably be 100% ineffective. This is because traditional security platforms and most modern security platforms were not designed to detect non-malware attacks in mind.

In addition to GuidePoint’s IR experiences, Carbon Black[5] has performed extensive research on non-malware based attacks, and has provided their findings in {https://www.carbonblack.com/2017/02/10/non-malware-fileless-attack/}. Unfortunately, traditional antivirus (A/V) is ineffective in detecting non-malware based attacks, and security professionals should consider the use of technologies that incorporate Artificial Intelligence (AI), Machine Learning (ML), and User and Entity Behavior Analytics (UEBA) to effectively thwart non-malware based attacks.

Traditional A/V was never designed to detect non-malware attacks. They are basically designed as a signature-based threat detection platform that typically only monitors when a known malware signature has been written to disk. Non-malware based attacks are not identified as malware.

Image Ref: www.carbonblack.com

“AI and ML’s roles in preventing cyberattacks have been met with both hope and skepticism. They have been marketed as game-changing technologies though doubts still persist, especially when used in siloes. Their emergence is due largely to the climbing number of breaches, increased prevalence of non-malware attacks, and the waning efficacy of legacy antivirus (AV)”.[6]

Real-World Example

In one real world example, of a non-malware attack the GPS/DFIR team responded to a customer request to analyze some anomalous network activity their security team had been witnessing for a couple of months (yes, months).

The Incident Responders were able to monitor an initial select set of endpoints and network segments.  Soon the GuidePoint Security Digital Forensics & Incident Response (GPS/DFIR) team identified the fact that no remote access malware was present and that network/system access was gained through compromised accounts via non-malware attack.

This was a complex DFIR investigation that involved multiple security and forensic disciplines, 24/7 monitoring of all network segments and an enterprise wide deployment with high fidelity endpoint sensors.  Also, customized onsite databases had to be designed so that all sensor data could be aggregated and analyzed in near-real-time.

The end result was a lengthy engagement with multiple forensic responders chasing and tracking the threat actor inside a global network.  The threat actor was using non-malware techniques, system administration tools and a variety of security tools to compromise user accounts, escalate privileges, access systems and exfiltrate data for profit.

Defense for non-malware based attacks

Remember, non-malware attacks will use legitimate software to perform malicious activity.  However, fielding a proper, holistic security strategy that encompasses enterprise level end point and UEBA advanced analysis that enables your overall investigative, cyber-hunt and security strategy should be carefully considered.

GPS/DFIR has a track record of investigating and analyzing such non-malware based attacks and with the combined strategic arm of GuidePoint’s security experts and knowledge of the security platforms available, we can help define the best short-term and long-term security roadmap for your organization.

As a basic defense, there are some “snap-shot” remedies that can be easily implemented:

  • Allow few (justified) remote access applications to be used (e.g., Windows RDP, TeamViewer, etc.) in your environment on your systems.  Ensure all remote access requires multi-factor authentication.
  • Because some applications can be manipulated and replaced it is important to have forensically hashed versions identified
    • Share those authorized forensic hash values with your security and IR teams
    • Place the authorized hash values into any white listing or AV applications
  • Only allow a pre-defined group of employees with a legitimate business need to use the remote access applications
  • Identify to your internal security and IR teams the list of who is authorized to use the remote access software
  • Have employees read and sign an “Acceptable Use” policy for the software or applications
  • Develop internal security alerts and rules that identify anomalous behavior and/or connections and alert/respond to those “out of parameter” activities
  • Educate your employees as to the vulnerabilities of such applications
  • Incorporate all non-malware investigative and response activities into your IR plans and run-books

The first line of defense in any effective security organization is the Human Element (HE). With proper education and training, employees can and do typically provide significant feedback as to unusual or questionable behavior.  So, open lines of communication within all business units can only benefit the entire security posture of your organization.

Conclusion

In conclusion, as in the real-world example, forensic analysis validated this particular threat actor using a non-malware attack method was active on this global network for over two years.  Essentially, most of their malicious activity was completely cloaked within the victim’s daily business activity and they were able to work autonomously.

This real-world example is being played out every day in companies all over the globe.  And as GPS/DFIR witnessed in this example, talented security teams recognized the threat but also realized their own team’s limitations and asked for outside help.

Non-malware attacks will never go away, rather we strongly believe that they will only increase in count and complexity and we strongly recommend that you ensure your organization is prepared to deal with this growing threat.

[1] https://www.lifewire.com/free-remote-access-software-tools-2625161

[2] https://cdn.www.carbonblack.com/wp-content/uploads/2017/04/Carbon_Black_Threat_Report_Non-Malware_Attacks_and_Ransomware_FINAL.pdf

[3] https://www.networkworld.com/article/3186497/security/non-malware-attacks-grow-there-are-tools-for-it-security-to-fight-back-with.html

[4] https://www.networkworld.com/article/3186497/security/non-malware-attacks-grow-there-are-tools-for-it-security-to-fight-back-with.html

[5] www.carbonblack.com

[6] https://www.carbonblack.com/2017/03/28/beyond-hype-security-experts-weigh-artificial-intelligence-machine-learning-non-malware-attacks/

Author

Bill Corbitt, National Practice Director for Digital Forensics Incident Response & Forensic Intelligence at GuidePoint Security, is a seasoned, results-oriented leader with extensive corporate, federal, and international experience, dealing with cybersecurity, forensic, and Incident Response dilemmas. In addition to his demonstrated success in aligning security results with business requirements, Bill is recognized for his abilities in implementing accurate cyber-countermeasures to protect intellectual property, reduce cybersecurity risk, and protect intellectual property on a global scale. A respected strategist within the forensic and incident response communities, Bill holds a Bachelor of Science degree in Criminal Justice from Valdosta State University.

Android Malware (SonicSpy) “Ludo Coins RAT”

Image Reference: http://www.ludocoins.com/

Android malware is not something I typically perform forensic analysis on, but this one caught my eye. This caught my eye mainly because it was in a threat actor database directory that GuidePoint Security’s (GPS) Digital Forensic and Incident Response (DFIR) team has been watching, and also because it is the first sample of Android malware I have seen posted on this particular threat actors database.

Knowing this threat actor has had some recent successes, I thought I should take a look at this Android malware and give it the ole’ forensic once-over. I’m glad I did.

Considering Google is fighting a massive Android malware outbreak [1], and 99% of all mobile malware is Android malware[2], this would be a good way to “enter” into a targeted environment and start to move laterally.  But wait until you see what this Android Remote Access Trojan (RAT) can do.

GPS DFIR teams perform forensic analysis of malware in an effort to provide OSINT and our customers real, actionable and valid forensic IOCs (e.g., Hash values, IPv4, etc.).  It is these IOCs that allow our customers the ability to “plug” them into security devices for action, detection and prevention.

Background

Because of ongoing threat investigations that I will not disclose in this analysis, I have labeled this Android malware “Ludo Coins” RAT.  Yes, I believe there could be a direct correlation to ludocoins.com and, among other things, this RAT could be used to capitalize on the Ludo Coins business model for cash.

Overview

GPS DFIR harvested this sample directly from the threat actor’s database server and was subsequently analyzed in the GPS forensic malware analysis lab.

Overall impression of this RAT is that it has a good overall design and will capture and control all major components and features of your Android mobile device.  The reader should be quite aware that after installation the victimized user will have no control over that mobile device.

Sample Analyzed

MD5:   ee7fba3487165f00533e4fd90bca531f
SHA256:    7eb6a65a7d9ee2bfc9b8df6442cfa2c76f4753663297d2dabafc023b1bd2370b

Analysis Platform

Android x86 5.1 (“Android 4”)

Analysis Summary

Overall, this RAT has very little visual clues that it has been installed.  Remember, this is a RAT and it will allow a remote threat actor full control of your Android device.

It does have the ability to change the wallpaper so the threat actor can change (android.app.WallpaperManager.setBitmap) if they so wish.

Test Image 1: Android Screen Capture

During testing, I also noted the RAT can access the Android keyguard (lock screen) and allow the remote threat actor to query the phone’s “GPS” location.

The RAT also performs anti-forensic activities once it is initialized:

  • Deletes call logs/history
  • Deletes other (installed) packages (platform dependent)
  • Kills background processes
  • Obfuscates method names

After deployment/installation, the RAT has the capability of performing a variety of command level functions – remotely:

  • Dials phone numbers and sends SMS (SmsManager) in the background
  • Monitors, redirects and/or block calls
  • Records audio (while running in the background)
  • Takes photos
  • Records any audio/media running on the Android device

The RAT also has specific remote access functionality:

  • Uses Download Manager to fetch additional RAT components
  • Redirects camera/video feed
  • Reads call logs & browser history
  • Monitors incoming & outgoing phone calls and SMS messages
  • Conducts remote query
    • Query list of installed applications
    • Camera Information
    • Stored mail
    • Phone contact information
  • Queries the SIM provider ISO country code
  • Queries the network operator ISO country code
  • Queries device unique ID (e.g., IMEI, MEID, etc.)

Spreading

This RAT has the ability to spread throughout a WiFi environment after initial installation.  It can change the (local) WiFi settings in which it can chose to connect and disconnect from selected WiFi networks.  It can also scan access points for available WiFi networks.

Remember, once it conducts these activities it will transmit the information back to the threat actor and with a reasonable level of effort the threat actor will be able to plot your general geographical location and have knowledge of your WiFi preferences and access.

Summary

Overall, if this Android malware (SonicSpy) infects an Android device, the user will have few visual indications that they have been infected and unless the network IOCs are being monitored, there will be little evidence of an infection.

In my opinion, if an Android device has been infected with SonicSpy, it will command root level access, remain persistent, and make other malicious changes to your mobile device. About the only safe thing you can do at that point is to take a hammer to the Android device and physically destroy it.

https://i.ytimg.com/vi/t6198YIn31g/maxresdefault.jpg

At least after you destroy your Android you can buy an iPhone and not worry about being infected with SonicSpy or any Android variant.

SonicSpy IOCs

File name:   SonicSpy.apk

File size:   840735
MD5:   ee7fba3487165f00533e4fd90bca531f
SHA256:   7eb6a65a7d9ee2bfc9b8df6442cfa2c76f4753663297d2dabafc023b1bd2370b

zaraar.ddns[.]net

216.58.201[.]40
64.233.166[.]188
173.194.175[.]188
134.0.16[.]1

Port: 5228 (sample tested seems to always want to connect to CnC to this outbound port)

[1] https://www.forbes.com/sites/thomasbrewster/2017/09/14/massive-google-android-malware-expensivewall/#730a036d477f

[2] http://bgr.com/2014/01/21/android-mobile-malware-report/

Author

Bill Corbitt, National Practice Director for Digital Forensics Incident Response & Forensic Intelligence, is a seasoned, results-oriented leader with extensive corporate, federal, and international experience, dealing with cybersecurity, forensic, and Incident Response dilemmas. In addition to his demonstrated success in aligning security results with business requirements, Bill is recognized for his abilities in implementing accurate cyber-countermeasures to protect intellectual property, reduce cybersecurity risk, and protect intellectual property on a global scale. A respected strategist within the forensic and incident response communities, Bill holds a Bachelor of Science degree in Criminal Justice from Valdosta State University.

GuidePoint Security Ranked Among the Top 3 Security Technology Companies in the Greater Washington Region by the Washington Business Journal

GuidePoint Security has been ranked No. 3 for two consecutive years by the Washington Business Journal in its Largest Security Technology Companies List. The rankings were published Friday, Oct. 27th. To view the list, click here.

The companies were ranked by 2016 metro-area revenue. To be eligible, companies had to have a presence in Washington D.C. metro region, including Herndon, Va.

Founded in 2011 by cybersecurity industry veterans, GuidePoint is a trusted security expert for security technologies and professional services. The company differentiates itself through its organizational structure, technological expertise, unrivaled customer service, and a vendor-agnostic approach.

“What an honor this is,” noted Michael Volk, GuidePoint Security’s Founder and Managing Partner. “Our continued success is possible because of the tremendous pool of highly skilled and talented individuals who make up our company team.”

“Customer services has always been number one for all of us. Our high placement on this list, for the second consecutive year, is a testament to our team’s hard work, innovation, and commitment to always providing the best solutions for our federal and commercial customers.”

In addition to the Washington Business Journal’s Largest Security Technologies List, GuidePoint was recently ranked #57 on the Washington Business Journal’s Private Companies list. To view the list, click here.

About GuidePoint Security

GuidePoint Security LLC provides innovative and valuable cybersecurity solutions and expertise that enable organizations to successfully achieve their missions. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification is with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.

About the Washington Business Journal

The Washington Business Journal is the #1 print and online source for Greater Washington area business news and information on the most successful people, companies and transactions in the region. Every Friday, the Business Journal arrives with an in-depth lineup of breaking local news stories, business profiles and valuable industry rankings. From technology and sustainability to small business, biotech, hospitality, real estate and banking, the Business Journal covers the most relevant and timely topics for the local business community. Washingtonbusinessjournal.com takes the Washington Business Journal brand known for its insight, analysis and high journalistic standards and extends it to the Internet. Thousands of established and up and coming executives visit washingtonbusinessjournal.com every day looking for the information they need to do business in the DC metro area.

BadRabbit Malware Analysis

Image Source:http://www.designlync.com/about.html

Image Source http://www.designlync.com/about.html

10.27.2017 UPDATE:  BadRabbit CnC Dormancy

Looks like the Threat Actors caged this “Killer Rabbit” for now.  Most of the servers and sites used by the hackers behind the ransomware appear to be taken out of service for no.[1]

Overview: On October 24, 2017, Bad Rabbit, a ransomware infection, a new variant of Petya, has hit a number of organizations in Russia and Ukraine.  First announced in a tweet, the Russian cybersecurity firm Group-IB said initially three media organizations in the country have been hit by file-encrypting malware. [2]

At the same time, Russian news agency Interfax said its systems have been affected by a “hacker attack”.

“Interfax Group’s servers have come under a hacker attack. The technical department is taking all measures to resume news services. We apologize for inconvenience,” [3]
This new strain of ransomware, actively being used in the wild and code-named “BadRabbit”, disguises itself as an Adobe Flash installer in order to gain the user’s trust.  It reportedly uses EternalBlue and Mimikatz to steal passwords and spread in a “worm-like” fashion.

Once executed, the ransomware modifies the bootloader and encrypts the files on the user’s machine.  After the infection is complete BadRabbit presents the user a UI demanding a Bitcoin ransom payment in order to have the files unlocked.

The malware also has the capability to spread throughout the local network via SMB or limited credential brute force over Windows Management Instrumentation Command-line (WMIC) and PSExec after infecting the user’s machine.

Initial reports indicated the ransomware was targeting multiple Eastern-European countries including Ukraine, Russia, Turkey, and Bulgaria, however, additional reports of the ransomware have surfaced in South Korea, Japan, and the United States. Reports surfaced of attacks to government institutions, news agencies, and transportation organizations. The ransomware is reportedly being delivered through compromised legitimate websites – mainly news and media sites at the time of this writing.

Ukrainian organizations have posted about systems failing: payment systems on the Kiev Metro appear to have fallen victim to the attack, while in a statement on its Facebook page, Odessa International Airport said its information system had been hit by hackers.[4]

“We inform that the information system of the International Airport “Odessa” suffered a hacker attack,” a translation of the post says. [5]

On 24 OCT 2017 – 05:20PM, ESET announced that their telemetry has detected hundreds of occurrences of Diskcoder.D. Most of the detections are in Russia and Ukraine, however, also there are reports of computers in Turkey, Bulgaria and other countries are affected. [6]

Bad Rabbit shares some similarities with Petya – the ransom note looks almost identical and it can also use SMB to propagate across the infected network. However, researchers say much of the code appears to have been rewritten in this case.

GPS Huntmasters

GuidePoint’s Forensic Intelligence Division, GPS Huntmasters, has had the opportunity to analyze a couple variants of the BadRabbit malware/ransomware.  Through this analysis this elite GuidePoint team was able to confirm additional (unannounced) IOCs [7] as well as documenting the software’s [8] behavior within our testing environments.

Technical Overview

BadRabbit has been distributed through malicious websites with fake Adobe Flash updates with popup (decision) boxes that the end user must execute.  After the user clicks on the malicious popup, the ransomware is downloaded (via http/https) to the victim in the form of a malicious windows binary (e.g., install_flash_player.exe). After execution, the file will require the user to accept a Windows User Account Control (UAC) popup granting the malware escalated rights to the system.

Once executed, the malware deploys the ransomware onto the user’s machine completely compromising the end-user.

Image: Group-IB [9]

#_ftn1

The malware drops the file Infpub.dat, which is then executed by a rundll32 command. Infpub.dat will then create the files cscc.dat and dispci.exe within the C:\Windows directory. The file cscc.dat is actually a renamed file from the legitimate DiskCryptor program. These files are used to encrypt the disk and modify the bootloader preventing a normal bootup of Windows. A scheduled task is also created to ensure the dispci.exe file is run at bootup. Upon reboot, the user is presented with the Ransomware message demanding payment.

Landfall: BadRabbit

Although the USA and other western countries were not specifically targeted by this campaign, it is only a matter of time before BadRabbit will make US “Landfall”. In fact, according to cybersecurity and antivirus vendor Avast, BadRabbit has now been detected in the USA [10](2:44 PM – 24 Oct 2017).

Remember, BadRabbit attempts to spread through SMB. [11] It does this with account information stolen from the victim using Mimikatz or by trying an embedded list of common account names and passwords that is hard coded in the actual malware.

GuidePoint Forensic Analysis

On October 24, 2017 GuidePoint’s Forensic Intelligence team obtained and analyzed two samples of BadRabbit. The GuidePoint team has included a summary of our findings that may help future identification and of upcoming variants.

It should be noted that with each variant, file names and hash values may change depending on software variants and Threat Actor activity and strategy.

Analyst Note:  Although the tested samples were done in a forensically pure fashion BadRabbit did exhibit anti-forensic features and file deletion capabilities as noted in some “zero-byte file size” noted during our analysis and testing.

Samples Analyzed

File name: 9y6VPA4OK.exe
File size: 441899
MD5: fbbdc39af1139aebba4da004475e8839
SHA1: de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256: 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

File name: infpu.dll
File size: 410760
MD5: 1d724f95c61f1055f0d02c2154bbccd3
SHA1: 79116fe99f2b421c52ef64097f0f39b815b20907
SHA256: 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

File name: 6CQZJL6EH.exe
File size: 142848
MD5: b14d8faf7f0cbcfad051cefe5f39645f
SHA1: afeee8b4acff87bc469a6f0364a81ae5d60a2add
SHA256: 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93

Forensic Overview

This malware has multiple elements. Execution starts in the binary file that is responsible for dropping and installing other elements.

During testing, once launched initial malware dropped files and conducted the following;
• Clears the windows event log
• Clears the journal log
• Drops executables to the windows directory (C:\Windows) and starts them
• Shows the ability to spread by using its contained functionality to enumerate network
shares of other (attached) devices
• Uses shutdown.exe to shut down or reboot the system
• Contacts additional CnC servers
• Contains functionality to register a low-level keyboard hook
• Contains functionality to infect the boot sector
• File names are dynamically generated
**NOTE: Dropped files appear to be kernel level key loggers

Sample Analysis: fbbdc39af1139aebba4da004475e8839

Memory Analysis

Analysis of volatile memory (RAM) disclosed that there were URLs that were forensically resident during testing that are attributed to the binaries tested;
hxxp://rb.symcb.com/rb.crl
hxxp://s.symcd.com
hxxp://ts-aia.ws.symantec.com/sha256-tss-ca.cert
hxxp://ts-ocsp.ws.symantec.com
hxxp://ocsp.thawte.com

Noted Binary Activity

Uses schtasks.exe or at.exe to add and modify task schedules
C:\Windows\System32\schtasks.exe schtasks /Delete /F /TN rhaegal

Contains functionality which may be used to detect a debugger (GetProcessHeap)
GetModuleHandleW,GetModuleFileNameW,GetProcessHeap,RtlAllocateHeap,memcpy,GetProcessHeap,Get
ProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree

CnC Connection Attempts:
23.60.139[.]27

Drops PE Files

Path:  C:\Windows\infpub.dat (zero byte file size)
MD5: D41D8CD98F00B204E9800998ECF8427E
SHA1: 79116FE99F2B421C52EF64097F0F39B815B20907
SHA-256: 579FD8A0385482FB4C789561A30B09F25671E86422F40EF5CCA2036B28F99648

Binary Startup Activity

Test System is Windows 7 sp1

  • 9y6VPA4OKL.exe (PID: 3424 cmdline: ‘C:\Users\user\Desktop\9y6VPA4OKL.exe’ MD5: FBBDC39AF1139AEBBA4DA004475E8839)
  • rundll32.exe (PID: 3452 cmdline: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
  • cmd.exe (PID: 3464 cmdline: /c schtasks /Delete /F /TN rhaegal MD5: AD7B9C14083B52BC532FBA5948342B98)
  • schtasks.exe (PID: 3484 cmdline: schtasks /Delete /F /TN rhaegal MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
  • cmd.exe (PID: 3500 cmdline: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR ‘C:\Windows\system32\cmd.exe /C Start \’\’ \’C:\Windows\dispci.exe\’ -id 4038216979 && exit’ MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cmd.exe (PID: 3520 cmdline: /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR ‘C:\Windows\system32\shutdown.exe /r /t 0 /f’ /ST 15:25:00 MD5: AD7B9C14083B52BC532FBA5948342B98)

 cleanup

Windows Behavior

C:\Windows\system32\IMM32.DLL
– read attributes and synchronize and generic read
– read data or list directory and execute or traverse and synchronize

C:\Windows\AppPatch\sysmain.sdb
– read attributes and synchronize and generic read

C:\Windows\system32\apphelp.dll
– read data or list directory and execute or traverse and synchronize

Sample Analysis: 1d724f95c61f1055f0d02c2154bbccd3

Memory Analysis
N/a

Noted Binary Activity

Boot Survival:
Uses schtasks.exe or at.exe to add and modify task schedules
– C:\Windows\System32\schtasks.exe schtasks /Delete /F /TN Rhaegal

Spawns processes
– C:\Windows\System32\cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR
‘C:\Windows\system32\shutdown.exe /r /t 0 /f’ /ST
– C:\Windows\System32\cmd.exe /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR ‘C:\Windows\system32\cmd.exe /C Start \’\’ \’C:\Windows\dispci.exe\’ -id 2835140717 && exit’
– C:\Windows\System32\schtasks.exe schtasks /Delete /F /TN rhaegal

Drops PE Files

(Zero byte File Size)
MD5: D41D8CD98F00B204E9800998ECF8427E
SHA1: B4D371272FE9C5A7C7936D32DEE609019CC24C31
SHA-256: FA6FE917BCB4F9CE5FE03B71F5E4AF392FB63A4DA4E142C691CCAF9042AB4DCE

Binary Startup Activity

 Test System is Windows 7 sp1

  • loaddll32.exe (PID: 3276 cmdline: loaddll32.exe ‘C:\Users\user\Desktop\infpub.dll’ MD5: D2792A55032CFE825F07DCD4BEC5F40F)
  • rundll32.exe (PID: 3284 cmdline: rundll32.exe C:\Users\user\Desktop\infpub.dll,#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
  • cmd.exe (PID: 3296 cmdline: /c schtasks /Delete /F /TN rhaegal MD5: AD7B9C14083B52BC532FBA5948342B98)
  • schtasks.exe (PID: 3316 cmdline: schtasks /Delete /F /TN rhaegal MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
  • cmd.exe (PID: 3328 cmdline: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR ‘C:\Windows\system32\cmd.exe /C Start \’\’ \’C:\Windows\dispci.exe\’ -id 2835140717 && exit’ MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cmd.exe (PID: 3340 cmdline: /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR ‘C:\Windows\system32\shutdown.exe /r /t 0 /f’ /ST 16:03:00 MD5: AD7B9C14083B52BC532FBA5948342B98)

 cleanup

Windows Behavior

N/a

Sample Analysis: b14d8faf7f0cbcfad051cefe5f39645f

Memory Analysis

Analysis of volatile memory (RAM) disclosed that there were URLs that were forensically resident during testing that are attributed to the binaries tested;

hxxp://diskcryptor.net/

Noted Binary Activity

Contains functionality to register a low-level keyboard hook
– SetWindowsHookExW 00000002,Function_00003FC0,00000000,00000000
Contains functionality for read data from the clipboard
Contains functionality to infect the boot sector
Detected the Windows Explorer process (often used for injection)
Connects to many different private IPs via SMB (likely to spread or exploit)

Drops PE Files

This file has been seen in most BadRabbit samples analyzed
C:\Windows\dispci.exe (zero byte file size)
File Type: PE32 executable (console) Intel 80386, for MS Windows
MD5: D41D8CD98F00B204E9800998ECF8427E
SHA1: AFEEE8B4ACFF87BC469A6F0364A81AE5D60A2ADD
SHA-256: 8EBC97E05C8E1073BDA2EFB6F4D00AD7E789260AFA2C276F0C72740B838A0A93
File name: cscc.dat
File size: 181448
MD5: b4e6d97dafd9224ed9a547d52c26ce02SHA1: 59cd4907a438b8300a467cee1c6fc31135757039SHA256: 682adcb55fe4649f7b22505a54a9dbc454b4090fc2bb84af7db5b0908f3b7806

Binary Startup Activity

 Test System is Windows 7 sp1

• 6CQZJL6EHc.exe (PID: 3464 cmdline: ‘C:\Users\user\Desktop\6CQZJL6EHc.exe’ MD5: B14D8FAF7F0CBCFAD051CEFE5F39645F)• cmd.exe (PID: 3492 cmdline: /c schtasks /Delete /F /TN rhaegal MD5: AD7B9C14083B52BC532FBA5948342B98)• schtasks.exe (PID: 3512 cmdline: schtasks /Delete /F /TN rhaegal MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

 cleanup

Windows Behavior

C:\Windows\Globalization\Sorting\sortdefault.nls
– read attributes and synchronize and generic read
C:\Windows\system32\rsaenh.dll
– read attributes and synchronize and generic read
C:\Windows\system32\IMM32.DLL
– read data or list directory and execute or traverse and synchronize
C:\Windows\cscc.dat
– File attributes queried
– Return Compare (GetFileAttributesW) executed

BadRabbit Vaccine

According to Cyberreason, users can “vaccinate” their computers against BadRabbit. Note: GuidePoint has not tested this “vaccine” and all changes to any systems should be approved by your network administration teams and proper change control procedures should be followed before they are implemented.

An overview of the process contains two primary steps;
1. Create a file “C:\Windows\infpub.dat & C:\Windows\cscc.dat”
2. Go into the each of the files properties and remove all permissions to both files. When doing this, remove the inheritance so the files do not inherit the perms of the C:\Windows folder.

Detailed guide on setting up files with no permissions or a “BadRabbit Vaccine”. https://www.cybereason.com/blog/cybereason-researcher-discovers-vaccine-for-badrabbit-ransomware

BadRabbit IOCs

GuidePoint has identified additional IOCs during the course of the testing that should be incorporated into organizational defenses. These IOCs are provided below:

IPv4

5.61.37[.]209*
23.60.139[.]27*
23.50.75[.]27*
23.63.139[.]27*
185.149.120[.]3

“*” Not previously identified and discovered by GuidePoint

HASH Values

– de5c8d858e6e41da715dca1c019df0bfb92d32c0
o install_flash_player.exe
– afeee8b4acff87bc469a6f0364a81ae5d60a2add
– fbbdc39af1139aebba4da004475e8839
o Dropper
– 1d724f95c61f1055f0d02c2154bbccd3
o infpub.dat
 the main DLL
– b4e6d97dafd9224ed9a547d52c26ce02
o cscc.dat
 legitimate driver used for the disk encryption (diskcryptor.net)
– b14d8faf7f0cbcfad051cefe5f39645fo dispci.exe
 installs the bootlocker, communicates with the driver (cscc.dat)
– d41d8cd98f00b204e9800998ecf8427e (zero byte file size)

URLs

hxxp://1dnscontrol.com/flash_install.php
1dnscontrol[.]com
an-crimea[.]ru
ankerch-crimea[.]ru
argumenti[.]ru
argumentiru[.]com
bg.pensionhotel[.]com
blog.fontanka[.]ru
calendar.fontanka[.]ru
grupovo[.]bg
i24.com[.]ua
most-dnepr[.]info
novayagazeta.spb[.]ru
osvitaportal.com[.]ua
spbvoditel[.]ru
aica.co[.]jp
fontanka[.]ru
grupovo[.]bg
imer[.]ro
mediaport[.]ua
online812[.]ru
otbrana[.]com
pensionhotel[.]cz
sinematurk[.]com
t.ks[.]ua

Tor Payment URL:- caforssztxqzf2nm[.]onion

Additional References

https://isc.sans.edu/forums/diary/BadRabbit+New+ransomware+wave+hitting+RU+UA/22964/  https://gizmodo.com/bad-rabbit-ransomware-strikes-russia-and-ukraine-1819814538https://twitter.com/lorenzofb/status/922946057318871041 http://blog.talosintelligence.com/2017/10/bad-rabbit.html
https://pastebin.com/01C05L0C
https://app.any.run/tasks/9198fd01-5898-4db9-8188-6ad2ad4f0af3 http://www.zdnet.com/article/bad-rabbit-ransomware-a-new-variant-of-petya-is-spreading- warn-researchers/
https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder- ransomware/
https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/

Bad Rabbit ransomware

BadRabbit malware


https://www.bleepingcomputer.com/news/security/bad-rabbit-ransomware-outbreak-hits-eastern-europe/
https://www.us-cert.gov/ncas/current-activity/2017/10/24/Multiple-Ransomware-Infections-Reported

Image Source: http://www.designlync.com/about.html

Cited Resources

[1] https://motherboard.vice.com/en_us/article/d3dp5q/infrastructure-for-the-bad-rabbit-ransomware-appears-to-have-shut-down

[2] http://www.zdnet.com/article/bad-rabbit-ransomware-a-new-variant-of-petya-is-spreading-warn-researchers/

[3] http://www.interfax.com/newsinf.asp?id=786280

[4 http://www.zdnet.com/article/bad-rabbit-ransomware-a-new-variant-of-petya-is-spreading-warn-researchers/

[5] https://www.facebook.com/odessa.aero/posts/704524863080360

[6] https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/

[7] IOCs were identified exclusively in the GuidePoint vSOC Spot Report; “Bad Rabbit Ransomware”, Update 1, October 25, 2017

[8] Malware is software that is designed to do malicious or unauthorized activity or have unauthorized functionality

[9] https://twitter.com/GroupIB/status/922818401382346752

[10] https://twitter.com/avast_antivirus/status/922941896439291904?ref_src=twsrc%5Etfw&ref_url=https%3A%2F%2Fwww.bleepingcomputer.com%2Fnews%2Fsecurity%2Fsmall-amount-of-bad-rabbit-ransomware-victims-detected-in-the-usa%2F

[11] https://msdn.microsoft.com/en-us/library/windows/desktop/aa365233(v=vs.85).aspx

Author

Bill Corbitt, National Practice Director for Digital Forensics Incident Response & Forensic Intelligence, is a seasoned, results-oriented leader with extensive corporate, federal, and international experience, dealing with cybersecurity, forensic, and Incident Response dilemmas. In addition to his demonstrated success in aligning security results with business requirements, Bill is recognized for his abilities in implementing accurate cyber-countermeasures to protect intellectual property, reduce cybersecurity risk, and protect intellectual property on a global scale. A respected strategist within the forensic and incident response communities, Bill holds a Bachelor of Science degree in Criminal Justice from Valdosta State University.

GuidePoint leverages Splunk and Crowdstrike to automate critical security operations for customers

Find more than just an MSSP; find a partner

Today, organizations are scrambling to find managed security services providers (MSSPs) who can combat the shortage of qualified cybersecurity personnel available. Enterprises that have moved operational components of their security programs to MSSPs (e.g. management of on-premise or cloud-based Security Incident and Event Management Systems (SIEM)), often express disappointment with the value that typical MSSPs provide. Because most traditional MSSPs consider it their core function to forward alerts at a certain threshold to the customer for treatment, widespread complaints by organizations are growing – claiming that noise emanating from their MSSPs require as much manpower as managing their SIEM in-house. As such, these MSSPs are not adequately addressing the needs of their customers.

GuidePoint Security focuses its solution development on addressing these needs. Instead of reworking a failed model, GuidePoint brings Advanced Security Operations to our customers through a combination of best-in-class practices and technologies. Instead of simply forwarding alerts from customer SIEM environments, GuidePoint’s vSOC managed security service validates every alert to ensure that each threat is real. By doing so before taking further action or alerting our customers, customers save time and resources in tracking down false-positives.

Leveraging its partnership with CrowdStrike and Splunk, GuidePoint’s vSOC recently developed the capability to automate critical security operations functions including detection, hunting and remediation. Together, the advanced capabilities of both the Splunk platform and Crowdstrike’s Falcon Platform, allow customers to trust GuidePoint’s vSOC (and their skilled analysts) to alert them once an incident has been detected, validated and remediated. This practice offloads these processes from our customers’ security teams and allows them to focus on other tasks requiring their unique context and expertise, providing real value to our customers.

Interested in learning more? GuidePoint Security has a booth at .conf2017: the 8th Annual Splunk Conference, in Washington DC, Sept. 25-28th. Drop by and see us at the conference for a live Advanced SecOps demo.

Stay tuned for future blog posts on the coming solutions GuidePoint’s vSOC uses to provide customers with Advanced Security Operations – virtually.

About GuidePoint Security

GuidePoint Security LLC provides innovative and valuable cybersecurity solutions and expertise that enable organizations to successfully achieve their missions. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification is with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.

Author

Robert Vaile – GuidePoint Security’s Director for vSOC Product Development

GuidePoint Security Named to 2017 CRN Fast Growth 150 List

List Recognizes Thriving Solution Providers in the IT Channel

CRN®, a brand of The Channel Company, has named GuidePoint Security to its 2017 Fast Growth 150 list. The list is CRN’s annual ranking of North America-based technology integrators, solution providers and IT consultants with gross sales of at least $1 million that have experienced significant economic growth over the past two years. The 2017 list is based on gains in gross revenue between 2014 and 2016, and the companies recognized represent a total, combined revenue of more than $16,717,688,643.

“We are delighted to be included in the top 50 of such an esteemed group,” GuidePoint Security Founder and Managing Partner Michael Volk commented. “As the cybersecurity landscape continues to change, GuidePoint’s mission of assisting our clients and prospects to recognize the threats, understand the solutions, and mitigate their risks continues to be our principal focus,” Volk added.

“The companies on CRN’s 2017 Fast Growth 150 list are thriving in what is now a very tumultuous, demanding IT channel climate,” said Robert Faletra, CEO of The Channel Company. “This remarkable group of solution providers has successfully adapted to a landmark industry shift away from the traditional VAR business model to a more services-driven approach, outpacing competitors and emerging as true channel leaders. We congratulate each of the Fast Growth 150 honorees and look forward to their continued success.”

The Fast Growth 150 list is highlighted in the August issue of CRN and can be viewed online at www.crn.com/fastgrowth150.

About GuidePoint Security

GuidePoint Security LLC provides innovative and valuable cybersecurity solutions and expertise that enable organizations to successfully achieve their missions. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification is with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.

About the Channel Company

The Channel Company enables breakthrough IT channel performance with our dominant media, engaging events, expert consulting and education, and innovative marketing services and platforms. As the channel catalyst, we connect and empower technology suppliers, solution providers and end users. Backed by more than 30 years of unequaled channel experience, we draw from our deep knowledge to envision innovative new solutions for ever-evolving challenges in the technology marketplace. www.thechannelco.com

Scariest presentations at DefCon 25 (2017)

Every year there are presentations at DefCon that make you want to move you to a remote mountain cabin and disconnect from all forms of electronics. This year was no different.

Below I will detail five presentations that I personally attended and qualify for scariness. Several will have whitepapers released this week and we will update with links as they are released.

An ACE Up the Sleeve: Designing Active Directory DACL Backdoors https://www.defcon.org/html/defcon-25/dc-25-speakers.html#Robbins

This presentation showed how DACL manipulation can assist in persistence by hiding the unintentional, or adversary added administrative rights that a user may have. Usually found in nested rights granting, the presenter was able to show normal queries alerting an assessor to administrative rights that should be removed. However, using purposeful DACL misconfiguration, those queries were disabled, while the administrative rights persisted.

This causes a serious problem when an adversary gains credentials that might not be apparent to have AD administrative rights, but does. Now finding those privileged accounts and cleaning them up will be difficult, if not impossible. Using this, an adversary could gain administrative privileges through an account and go undetected for quite some time. Even the most common PAM (Privileged Access Management) system could be rendered useless in defense, if the attacker implements this technique correctly.

Get-$pwnd: Attacking Battle-Hardened Windows Server https://www.defcon.org/html/defcon-25/dc-25-speakers.html#Holmes

A Microsoft engineer that participated in designing PowerShell presented on how even hardened Windows Servers can be exploited. Specifically, systems thought to be hardened with configurations such as whitelisted commands and JEA (Just Enough Administration) may still be vulnerable. When the presentation was finished, the demonstration showed that commands that were thought to be restricted and not available on a system could still be executed, including administrative functions that would give attackers significant power.

WSUSpendu: How to Hang WSUS Clients
https://www.defcon.org/html/defcon-25/dc-25-speakers.html#Coltel

Many organizations believe that Air-Gapped networks are the answer. Pulling an entire network, with the most sensitive data, off the internet and creating your own intranet will protect you. The presenters offered a way to compromise a Windows Server Update Services (WSUS) in order to compromise the off-line network for, at the very least, major down time, possibly data loss.

First, the presenter showed how to convince the WSUS that a malware package was a valid Windows Update that was then pushed out to connected clients. Next, the presenters uploaded a second package, not divulging what was in it, in order to show that an air-gapped network that gets its windows update from the master WSUS server on the connected environment can be compromised the same way. The theory is that a CD or USB drive will be created from the online server and “sneaker-net” over to the air-gapped network.

When it was completed, he revealed that it was Ransomware that would have infected THE ENTIRE air-gapped network, encrypted every windows server and caused an outage while restores from backup are completed. Definitely scary!

‘Ghost Telephonist’ Impersonates You Through LTE CSFB https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Yuwei-Zheng-UnicornTeam-Ghost-Telephonist.pdf

This presentation was an even easier way to compromise an LTE phone than what previously was thought to require some heavy lifting of creating a fake tower and forcing the phone down from LTE. The presentation was based on a finding that there is an authentication step missing from towers when a cell phone drops out of LTE. Now, if you create a device that tells the tower that it is a phone that is in CSFB (Circuit Switched Fallback), the tower will assume it is the other phone and not ask for proof.

At that point, the attacker can intercept calls and SMS texts. As a demonstration, the presenter showed a phone used as an SMS 2FA (two factor authentication) for Gmail being compromised and the Gmail account being taken over, changing the password successfully, while the true phone showed no activity.

Google Authenticator/Okta/Duo anyone? https://en.wikipedia.org/wiki/Software_token

The Black Art of Wireless Post Exploitation
https://www.defcon.org/html/defcon-25/dc-25-speakers.html#Ryan

This presentation really had lots of goodies and a history of how wireless security has evolved. The part of the presentation that stuck out was when he was trying impress upon the audience that EAP-TLS wireless was worth it even with the painful administration. What the presenter explained is that a wireless NAC port-based access control is thought to contain any issues, so that “bad” systems may connect, but will have no access to the rest of the network. While connected in quarantine, they can be scanned, queried and resolved or rejected. This assumes that the unwanted system is foreign to the network. The technique presented showed that even a separate “sensitive” network that has a different connection method can be compromised via a carefully crafted “evil twin” attack. Once a legitimate system is connected to the evil-twin, a payload can be installed and then the system can be returned to the corporate wireless, now compromised. If done correctly, the NAC will not find the compromise and now the attacker can leverage the system to pivot throughout the internal network.

There were many more presentations with highly impactful vulnerabilities and attacks, these were the top four ones that I personally attended. Stay tuned for added links to the whitepapers associated to these presentations. Be careful out there!

About the author:

Jean-Paul Bergeaux, Federal CTO, GuidePoint Security

With more than 18 years of experience in the Federal technology industry, Jean-Paul Bergeaux is currently the Federal CTO for GuidePoint Security. JP’s career has been marked by success in technical leadership roles with ADIC (now Quantum), NetApp and Commvault and SwishData. Jean-Paul focuses on identifying customers’ challenges and architecting innovative solutions to solve their complex problems. He is also a thought leader on topics that are top of mind for Federal IT Managers like Cyber Security, VDI, Big Data, and Backup & Recovery.

The President’s Executive Order: Mapping products to cybersecurity Risk Management

In the previous three blogs, President Trump’s Executive Order. What agencies need to do to respond., Quick hit product categories that can boost executive agencies EO mandated NIST risk scores, and Addressing the EO stated greatest threat to agency cybersecurity posture, we laid out some strategies for federal agencies to respond to the President’s Executive Order (EO).  Finally, in this blog we list a variety of products and technologies that, if not already deployed, should be considered first when trying to move the needle in security posture.

First, the different technologies are listed here in the area they fit in EO Section 1 b (i):

Section 1 b (i) defined cybersecurity Risk Management product mapping:
–Protecting IT from unauthorized access
Information and access discovery
MFA
Privileged Access Encryption
Privileged Access monitoring and management
UBEA (user)
–Maintaining awareness of threats
Threat Intelligence feeds
Threat Intelligence Management system
Vulnerability scanning/monitoring
Vulnerability mapping/prioritization
–Detecting anomalies and incidents
Deception Technology for EARLY WARNING (Man, this is an easy one!)
EDR
NextGen AV
SIEM
UBEA (User, System and Network)
–Mitigating the impact of incidents through response and recovery
EDR
NAC

Next, we will list them in alphabetical order with brief explanations of what they do.  These are not ranked by importance or value.  We recognize that many organizations will probably have most of these deployed already, but none that we have experienced have all of them deployed.

Deception Technology for EARLY WARNING (TrapX, Attivo Networks) – (This is an easy one!)
Platform that deploys “fake” systems on the network, fake credentials on the end points, and carefully crafted ogs in the administrative systems.  The most advanced deception platforms weave a complex storyline designed to look like bread crumbs leading to sensitive information to attract/bait adversaries into revealing themselves.  These platforms will include alarms that once these systems and credentials are used will send alerts to the SIEM or SOC directly.  The most eye-opening thing about most deception platforms is the low-price point for the simplest early warning system innovation.  The value vs. cost is fantastic.

EDR (FireEye HX, Carbon Black, DigitalGuardian) – These solutions defend end points against advanced threats, detect active threats and compromise, and collect logs and data for response forensically when a threat or compromise is suspected.  The more advanced EDR products can pull detailed forensic information and quarantine systems actively under attack or already compromised. This is a must-have for any enterprise.

Multi-Factor Authentication (Duo, Okta, Google Authenticator) – Two-Factor Authentication (2FA) uses at least two of the three types of authentication.  “What you know”, “What you have” and “Who you are”.  Typically, this means a password plus a verified device or fingerprint.  In the past, this was a costly and cumbersome security measure where key generators from tokens were bought and distributed.  However, with the advent of smart phones, MFA can be created with a phone app that is verified as a secure second factor for a specific user.  (NOTE:  This is not SMS, which is no longer considered an acceptable MFA.)

NAC (ForeScout) – Manages asset access to the network by validating system is complaint with security policies.  An example would be DoD “Comply2Connect” where any system connecting to the network has to be thoroughly vetted and could be quarantined for further administration and clean up.  Also can be used for quarantining a system that has been identified for investigation for attack or compromise.

NextGen AV (Cylance, Cb Protect) – Legacy AV, using signatures, stop unsophisticated attacks and NextGen AV uses math and heuristics to defend against more sophisticated attacks.  The most prevalent example is poly-morphic malware that changes its signature even after install.  By using analytics on the files, malware can be detected even if the signature was created minutes ago.

Information and Access Discovery (Varonis) – These products can scan enterprises for sensitive data (Ex: PII, or classified data) and report back all the known locations and who has access in the IdAM system to them.  It can also lay out past history of access and monitor for access and anomalous behavior in accessing sensitive data.  In addition, these technologies help significantly in any IdAM. UBA-User or DLP deployment in cleaning up access and classification of data.  Many times, access creep has corrupted security policy or people who have access are not using it and should be removed unless requesting it in the future.  Without these steps, IdAM, User-UBA and DLP can be permanently crippled or take significant time to tune and become effective.

Privileged Access Encryption (Vormetric) – Solution that specifically prevents privileged accounts from accessing data directly.  This is mitigation against the most common form of unauthorized access by adversaries.  Once inside a network, attackers typically elevate privileges to administrators and try to access data directly.   By encrypting data while still allowing administrators to administrate systems, unauthorized users, even privileged users, cannot read important data.

Privileged Access Monitoring and Management (Varonis and CyberArk/Thycotic)
– By controlling and monitoring privileged user access, a significant threat vector is closed. Even if a privileged user could not access data directly (see above), they could still create or find and take over a user account that does have access to data and systems that are desired by an adversary.  Typically, privileged user account management solutions require check out access in a highly-controlled manner.

SIEM (Splunk, LogRythm) – Security Information and Event Management consumes and correlates logs from the environment against pre-determined rules for security alerting.

Threat Intelligence Feeds – Both free and paid threat feeds supply adversary information to identify when an attack, attacker, or malicious file needs attention.  Many organizations have paid subscriptions to threat feeds from different products in their environment, however some pay for high fidelity threat feeds to augment them.

Threat Intelligence Management System (Anomali) –  Threat Intelligence is the core of defending against attackers.  Knowing what files, IP addresses and threat actor indicators to look for or block are key to the effectiveness of cyber security tools throughout a cyber infrastructure.  By deploying a threat intelligence management platform, the highly valuable threat feeds, free and paid, can be deduplicated against each other, contextually aggregated for enrichment and distributed to the cyber tools.

UBA (User, System and Network)
– User (Exabeam):
 Analyzes logs of user activity from the standard IT infrastructure (such as IdAM/AD/LDAP), creates a baseline of activity and monitors for deviations from the baseline.  This includes individual user behavioral changes and user deviations from the standard a cohesive group creates. This may include an account that has been compromised.  The most mature User-UBA will create a timeline of activity from a range of logs including normal IT and security tools throughout the enterprise.
– System (Exabeam):  Analyzes system logs from the IT infrastructure, creates a baseline of activity and monitors for deviations from the baseline.   This System-UBA go beyond signature or correlations to known activities of attackers.
– Network:  Analyzes network logs such as packets and netflow from IT infrastructure and security tools, creates a baseline of activity and monitors for deviations. Unlike IPS or NGFW, these Network-UBA go beyond signature or correlations to known activities of attackers in the network. The most advanced will pull in logs from many resources across multiple disciplines.

Vulnerability Scanning/Monitoring (Tenable, TripWire) – Scans systems with or without agents on end points to monitor for vulnerabilities and changes to a system that may open it up to compromise.

Vulnerability Mapping/Prioritization (RedSeal) – Actively ingest network configuration data and vulnerability scanning logs to rank security threats identified by attack paths to vulnerable systems.  The resulting risk scoring and details allow for an enterprise to prioritize mediation by risk score that is specific to their systems and not a generic one-size-fits-all scoring.

If any of these intrigue your organization and you would like to know more, please contact us at federal@guidepointsecurity.com.

About the author:

Jean-Paul Bergeaux, Federal CTO, GuidePoint Security

With more than 18 years of experience in the Federal technology industry, Jean-Paul Bergeaux is currently the Federal CTO for GuidePoint Security. JP’s career has been marked by success in technical leadership roles with ADIC (now Quantum), NetApp and Commvault and SwishData. Jean-Paul focuses on identifying customers’ challenges and architecting innovative solutions to solve their complex problems. He is also a thought leader on topics that are top of mind for Federal IT Managers like Cyber Security, VDI, Big Data, and Backup & Recovery.