Are We Learning Lessons From Wanna Cry? I Sure Hope So

Over the last month or so I have been on a whirlwind tour of events and webinars. It’s been a bit crazy, but never so much as the day I was in Detroit for the Converge conference. I was there to speak about ransomware. My talk started at 3pm, the date was May 12th. May 12th was the day the world caught on fire (OK, maybe just a tiny bit dramatic there…). This was the day Wanna Cry (a.k.a. WCry) shook the security world.

I first heard about this while in the speaker room checking emails and such. It started with trickles and quickly turned in to a torrent of stories, warnings and opinions on what was happening. Whenever something like this happens in the world, the first few hours are always full of a mix of facts, opinions, facts presented as opinions, misreported facts and complete fabrications. I try very hard not to repeat misinformation even if it means not being the first to make a post or tweet about it. In this case, knowing that I had a ransomware presentation happening a few hours after the most widespread/well-known ransomware attack in recent history, I had to have the facts right.

A very cool thing happened then. A few of us were in the speaker room and started sharing information we each had with each other. Some folks were on the phone and some were online, but we just organically started sharing info with each other. It’s hard to describe how good this feels to folks that aren’t a part of a culture like this. In this case, perfect strangers just started helping each other as everyone was trying to make heads or tails of the facts and information being presented. This is why I love infosec professionals so much. We essentially fell in to our incident response roles without prodding, without reservation and without ego.

We quickly sorted the wheat from the chaff and determined the most reliable or likely facts and were able to present those to others that were dealing with the issue. It was nothing short of fantastic.

I put as much relevant information in to my presentation, knowing that incident responders would be in the audience and be closely monitoring the situation. Something I noticed as I was doing this was that most of the things I have been preaching for the last year or so were more relevant than ever. Defense against this latest threat was essentially nothing new, so I didn’t have to change a thing on this slide.  These are my key bullets on preparing for a ransomware attack from any number of presentations over the last year:

  • Train Your Users – This is our number one suggestion because it works. An untrained staff is an incident waiting to happen. Most technical solutions are reactive and respond after an attack. It is important to have them to minimize the damage, but we prefer to prevent the attack
  • Have Weapons-Grade Backups – Backups do no good if they are encrypted by the ransomware, so they have to be isolated from the network
  • Segment the Network – Marketing computers rarely need to have network access to the SQL servers or accounting systems
  • Principle of Least Privilege – Not everyone should be an administrator. The less access users have, the less malware can spread
  • Monitor the Network – Use a system like a SIEM or IDS to alert on malicious network behavior
  • Keep Up With Patches – OS and applications need to be kept patched

In this case, we have discovered that the attacks were not necessarily spread via phishing, but let’s be perfectly clear, this was a significant exception to the rule so the first bullet still stands strong. We know that the patch was available for months prior to the attack. I can forgive a few weeks or maybe a month after a patch for an OS vulnerability labeled, “Critical” is released. I have a much harder time with 2+ months. Yes, I know some folks run an older OS that did not have a patch (e.g. XP), but in all honesty, those machines should not be on the network any more and if they are, they should have a ton of security controls in place to essentially isolate if from the rest of the network. This is 2017 folks, having a vulnerable OS available on the production network is just inexcusable.

Did we learn nothing about the importance of network segmentation from the Target breach? No, it’s not the same type of attack, but we should have learned that if a group of devices don’t NEED to talk to each other, they shouldn’t! Same theory here. Had more folks had their networks better segmented, the damage would have been much more contained. In the Army, when a new system went online, we had to define the ports that needed to be open in order to operate that system. Rules were pretty simple, list the ports and protocols, don’t even try to sneak in an any-to-any rule. We could have one-to-many or many-to-one, but each line had to have some specific ports on it. This was non-negotiable. This was a pain in the butt. This was a great thing.

I hope this was a wake up call for organizations and security professionals across the globe. We need to do a better job remediating or mitigating the risks. Yes, it’s more work than just accepting it, but how many risk acceptances for outdated operating systems or patch deferrals do you think were in place in NHS as they buckled under the load of WCry? Remember, accepting the risk is not the same as correcting it. With that, I leave you with this fantastic video by Host Unknown.

If you disagree or have something to add, post the comments below

 

Let’s talk WCry. Why was it so bad, and what could have been done?

Most Incident Responders on Friday

So, Friday May 12th, the world got a wakeup call in the form of a ransomware attack that hit a bunch of organizations, including the British National Health Service and Telephonica, a major telecom/ISP in Spain. Overall, it hit nearly a quarter million computers in almost 100 countries in just a couple of short days. I’m not going in to detail here as there are a ton of articles detailing things already. I do want to focus on why this hit so hard, and what could have been done to limit the massive damage that occurred so quickly.

Before I go any further, I want to give mad props to the security researchers that triggered the “kill switch” which, while not completely stopping the attack, will do a great deal to limit the damage in the near future.

We know there are variants without the “kill switch” option, and it doesn’t stop everything, but they have done a huge service to the world by discovering and slowing the current spread. Thanks!

Background

To understand why this was so bad, we need to understand a little bit about the threat. This was version 2 of a malware called “WannaCry” or “WCry”. Version 1 was spotted early in the year, but didn’t make much a splash. Obviously v2 was a whole new bag of worms. What made version 2 so bad was that it leveraged a somewhat recent vulnerability in the Microsoft SMB service (the service used to browse/copy/list/etc. files and folders on a network). This vulnerability was recently made public when the group called the “Shadow Brokers” released a bunch of stolen NSA exploits. The one leveraged in this attack was called “EternalBlue“. Because of the severity of the vulnerability, Microsoft offered a patch pretty quickly in the form of MS17-010 on March 14th. 

Why did it spread so much, so fast?

So, the vulnerability was known and Microsoft had released a patch to deal with it almost 2 months earlier, why then did it spread so fast? There are a few reasons for this

Systems were not patched – This exploded so quickly primarily because a lot of systems had not been patched. While a lot of security/IT folks got a rude wake up call related to their patch management processes, let’s put the pitchforks and torches down for a moment and look at why. First, patching is dangerous. Yep, you heard me right, applying patches is a dangerous proposition in the production world. It’s sadly too common that the application of patches causes system outages, instability and much wailing and gnashing of teeth. For this reason, patches are often applied carefully and only after extensive testing, especially in environments that run older software in critical roles. This can take a while to complete.

I can tell you first hand that applying patches notches the pucker factor up by a factor of at least 10. While this is no excuse not to patch, it is a driving factor in why so many were still vulnerable. In addition, many organizations still run older versions of Windows, some of which are unsupported now. In those cases the patches weren’t even available (although Microsoft has created patches for many of them back to Windows XP of them due to how bad this outbreak was)

Networks were flat – Another major factor, and something I harp on constantly when I speak, is that a lot of networks were segmented well. In a well designed network, only computers that REALLY need to communicate between each other are allowed to, and only through communications that are necessary. There is no reason a receptionist in a company should be able to reach a login screen on a production database server. No reason. Ever!

Far too often, networks are designed without taking this in to consideration. A lot of focus is placed on securing network perimeters and the internal structure is ignored. If you have a well segmented network, many attacks can have the damage greatly minimized because the malware or hacker cannot get to every asset on the network. It’s much better to have 2 machines infected than 2000. Think about it.

Users clicked in emails – Yep, this appears to have started with phishing attacks. This in turn infected unpatched machines (see above) and allowed the ransomware to spread across the networks (also see above) through the EternalBlue exploit. This is so common as to be comical. If organizations do not take security awareness training seriously, this is where we end up far too often. You can have as many bars on the windows as you like, but if you open the front door and invite them in, it all means nothing!

This kills me because of all of the protections that could be put in place, this is one of the easiest things to do, caries a huge ROI and is the most cost-effective and risk-free approach to stopping something like this from getting in to your organization. Think of this way, the user is the last line of defense. After the user clicks on the email, everything else is reactive from that point on. Antivirus/endpoint protection can try to stop it, patching can eliminate the ability of the malware to infect machines (but they are still being attacked) or hackers can be moving around your network. The user is the pivotal point when defending your network.

So what now?

In the sort-term, if you have not patched your systems, do it NOW! In addition, watch your DNS for queries to hxxp://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com, the “kill switch” domain for the virus, check your backups ASAP and finally, TRAIN THOSE USERS NOT TO CLICK ON PHISHING EMAILS! If you need help with this last step, let me know, I help you there.

Long-term, put some focus on security 101 things in your org, to include patching schedules, segmentation, principle of least privilege and especially your backup processes. You would also be wise to really look at your organizations security culture and put some effort in to making it as effective as possible.

If you have any stories or comments you want to share, please do it below.

$400 Philadelphia Ransomware Complete With a Marketing Video

So, I ran across this today in an article describing yet another RaaS (Ransomware as a Service) variant called Philadelphia. While not up there in distribution with the likes of Cerber or Locky, it has a pretty aggressive advertising campaign and even includes a nicely made YouTube video lauding its wonderful features and customization.

RaaS is one big reason why ransomware keeps growing and expanding. Folks with little or no technical experience can get in the game for little or no money. Variants such as “Dot” are $0 with a 50/50 split on profits. It doesn’t get much easier than that.

Until we stop paying these ransoms and these folks stop making money hand-over-fist, this threat will continue to grow and victimize others. Folks, make sure you have good backups in place and teach people how to identify phishing emails. We need this to stop.

Do you have a ransomware story? Share it in the comments!

Wow, What a Couple of Weeks. Road Trips and Webinars Galore!

April and the beginning of May have been the busiest since working at KnowBe4. I’ve flown around 15-16k miles in the last month or so and been super busy at conferences and with webinars. It’s been awesome but has left little time for blogging. I’ll recap a little bit of what I’ve been up to here.

GMIS Conference in Brandon Mississippi –

This was a fun conference where I actually got to set up a tabletop and talk to folks about social engineering, ransomware and compliance issues.

InfoSec World 2017 in Chapions Gate, Florida-

I had to make a run for the airport at the end of the GMIS conference to get here on time. I landed in Tampa after midnight and still had to drive to Champions Gate, Fl. It was about an hour drive in the middle of the night, only to get up for an early presentation the next morning. I was surprised at the size of the crowd that early on the last day, but they were very interactive and we had a good session. I kinda messed up on the time (I blame the sleep deprivation) and ended a little early, but spent the time afterword chatting with some folks from the preso and answering questions while the hotel staff cleared the room. I’ve got to tell you, those folks were in the room and stacking chairs quicker than I could have imagined after I stopped speaking. I reasonably sure everyone was allowed to stand before they took their chair and stacked it, but I could be wrong. 🙂

ISSW (InfoSec Southwest) in Austin – 

This was a really fun show and was VERY well-organized. As a speaker it is wonderful when the organizers keep in touch as you get close to the event. The ISSW staff was awesome here! I got to sit in some great sessions before and after mine. The quality was certainly there. This was more of a “hacker” convention than some of the more corporate ones, and it was great. I had an impromptu laughable moment as while presenting, my youngest made a purchase request from iTunes. This is a family account, so it popped up on the screen. Not the screen with the speaker notes of course, but rather THE screen. The big one. With my full-screen preso going in all it’s glory. Did you know that if this happens, you can’t just mouse over and click the notification to close it? Nope. It seems you have to stop the presentation to do it. I wasn’t going to do that so the audience and I had a quick laugh about my daughters desire to purchase the Hamilton soundtrack (which we already own) and moved on with the presentation, purchase request hovering in the corner.

It made for a laugh and was memorable. I also did something here I don’t usually do. I added audio to my presentation. If you have never checked out “Lenny” on YouTube, I recommend it for a laugh. “Lenny” is a series of automated voice prompts meant to mess with telemarketers and/or scammers. It’s simply brilliant. It is.

IP Vision Conference in St. Louis –

pwn-o-matic

From ISSW, I had to head to the airport in hurry to make a flight to St. Louis for the IP Vision conference which was a neat twist on the education angle. There were 60 session attendees at 6 tables and 2 people representing a different topic. The attendees were from rural telcos and myself an a coworker, Ray, had the security topics. We sat at each table for about 30 minutes and answered questions on our topic, then moved to another table. It was pretty cool how it all went. At the end, we did a summary presentation of the questions and hot issues. Very cool indeed for the attendees. My only issue was the Pwn-o-matic station set up for the conference, but I see these more and more often. Folks, don’t plug your phone in to random USB ports. Really, just don’t.

IAMCP meeting in Tampa – 

Once again I found myself making a beeline for the airport and arriving back in Tampa at about midnight, only to speak the next day. This time it was a an IAMCP (International Association of Microsoft Channel Partners) meeting in Tampa. It was a small group and I spoke about ransomware. This was very interactive and although we went a little over on time, everyone was OK with that because it was heavy on discussion and they were learning.

Tech Buzz in Tampa –

This was another really nice, small, intimate talk. I had a little tabletop set up and got to do a panel talk for a number of resellers. The irony was, it was myself, an Apple rep and a Microsoft rep. I got to sit between them on the panel. I’m still not sure if it was because I was the security guy or not, but either way, it went really well and was fun. I really do like these small event were I can talk to folks about their specific concerns afterword. Helping others is what makes my job so great!

Spiceworks Expert Round Table: Multi-Layered Security Webinar

I’m here to speak of the Cyberz!

The day after Tech Buzz, I was honored to be a part of a live video webinar with Malwarebytes, Varonis, AlienVault, and Kaspersky. It was a ton of fun and my first live video webinar. Because the room I usually do webinars in (affectionately known as “The Cave”) is not really conducive to video webinars due to the egg crate foam all over the room for sound deadening, I used an empty office. We are mostly an open floor plan, so quiet places are limited.  When we do these sorts of webinars, we dial in early to make sure everything is working and the connection is strong. I decided to mess them a bit, put on a hoodie and a printed Mr. Robot mask and that’s how I introduced myself to the group. It was all downhill from there. The ice was broken and the laughs came easy, leading to a great webinar.

One slight issue occurred during this however. When you are a participant in things like this, it is a good thing to mute yourself when you aren’t talking and communicate with the group via chat. This is done to reduce background noise and make things less distracting. About half way through, a train passed our building. You see, we are VERY close to a train track here. Like VERY, VERY close and since we are in downtown Clearwater, there are a lot of streets the train crosses. Each time it comes to a street, it blows it’s horn. That horn is loud! It doesn’t happen often, but this time it happened right in the middle of the webinar. I was furiously typing in the chatbox, while trying not to LOOK like I wasn’t typing (this was live video after all) telling them not to call on me for anything. Guess what… They called on me. I was lucky enough that the train had moved along enough that I was able to answer and re-mute before it blew it’s horn again. Fun times.

TechPulse Florida in Orlando

After the webinar, I hopped in the car and headed to Orlando for TechPulse. This was a nice conference put on by Verteks Consulting at the Orlando World Center. That resort is amazing. I spent the day hanging out with one of our reseller reps at our little booth and doing one presentation on ransomware. The booth next to us was occupied by Watchguard, which is where we first met up with Ransombear. This terrifying little fuzzball is made from the things that haunt the minds of children on dark, stormy nights. Whomever came up with these is a very disturbed soul.

 

OPTA Conference in Columbus

3 short days later I found myself in Columbus, OH for the Ohio Public Transportation Association show. I’ve never been to anything like this, but it was pretty cool seeing the various types of busses and related systems (things like camera systems) on display. Here in the Tampa area we have something called the “Jolly Trolley” and I got to see some of those in their generic form.

pwn-o-matic v2

My booth was next to a company that was a leader in seating. I learned more about bus/mass transit seating than I thought there was. I’m not sure if that will trigger a resume update with the new knowledge, but it might come in handy in some trivia some day.

On a side note, I spotted yet another one of those pwn-o-matics at this show. Ironically I had just warned folks about this in the session I spoke at. Seriously folks, if you see one of these, think twice before plugging in to it. Who knows what lurks behind the scenes. If you find yourself in situations where you are having to use things like this, invest in a power bank, or if at all possible, try something like this USB Condom.

Webinar-a-palooza

I hit the airport and headed back to Tampa after the OPTA show and spent the next few days doing a webinar-a-palooza. It was 4 webinars in 3 days. I like doing panel-type webinars that involve discussion with other folks a lot more than just presentation type webinars, both kinds serve a purpose. Again, my job satisfaction comes from teaching folks how to protect against scams and ransomware. I love doing this regardless of the format it’s presented in.

BSides Back to Back – Austin then Knoxville

It’s not secret that I am a big supporter of the BSides conferences. I love the low cost and high quality of the events. After the insanity of April, I had some time to catch up on some things, then it was off to BSides Austin where I spoke from 3-4pm, followed the next day by BSides Knoxville where I spoke at 9am. That’s 2 sessions in 17 hours, 900 miles apart. I won’t get in to the logistics of that, but it was pretty wild and hectic, and totally worth it. Both events were awesome and demonstrated how varied they can be. Austin was in a nice learning center with lecture halls where Knoxville was in a bar… starting at 9am. Both events were AWESOME, just starkly different. It’s another reason I love supporting BSides. These were worthy of pics so you can see the difference. 🙂

Austin stage view

 

Knoxville stage view

I also want to say that, the folks in Austin did the charging station thing right! I was super happy to see these lockers that allowed you to secure whatever it was that you were charging, and the locker supplied an AC power plug as opposed to a USB cable hanging out of who-knows-where. Kudos for doing this right!

 

 

So, having written over 1800 words now, I’m going to call this update complete. I’m heading to BSides Detroit tomorrow morning and a conference in New Paltz, NY on Monday and will hopefully have some time to do some updates in between. Thanks for reading!

 

If you enjoyed this blog, please subscribe in the top-right of the page and as always, comments are welcome!