Latest Posts

WannaCry & NSA, How They’re Connected

written by Pierluigi Stella

Remember when Snowden revealed what was going on with the NSA in 2013? How we were all being spied upon? How, with the excuse of preventing terrorism, this agency was collecting data on everyone, in flagrant violation of any reasonable privacy expectation (let alone law)? We were all outraged, and demanded that someone be held accountable and that the practice be stopped immediately. Do you remember that?

However, with time, some of us became convinced that in order to be safe, we may actually need to accept the new order of things. And that it’s far better to let the NSA know when you called your grandmother than to risk a terrorist attack.

After all, what have we got to lose?

And since, at the time, we were under a democratic government, I too eased up on the outrage, and settled for a more mundane, “I have nothing to hide”.

However, January 2017 came along, things changed, and quite dramatically too.  We now live in a post democratic era where our president firmly believes he’s above the law, hires (and especially fires) at his whim and fancy.  Oblivious, or should I say, impervious to the possible consequences.  So my stance on this issue has drastically changed.  I really don’t want this president collecting data about me.

How’s this related to WannaCry?  Read on.

One of the things we ended up accepting as a matter of fact is that the NSA (and other security agencies) withhold things. When they discover vulnerabilities in commercial products, instead of letting the vendor know about them so they can be patched, they keep them secret, and see if they can be used as a backdoor to infiltrate computers they want to spy upon. The presumption being that their network is so secure, no one will ever know about these discoveries, so only _they_ will be able to take advantage of them. Until, of course, Microsoft and Co. find that very same vulnerability on their own, and patch it anyway.

However, this arrogant presumption has finally backfired.

For years, we in the security industry have been telling everyone that this practice is dangerous, ethics and legality aside.  We’ve been telling everyone that there’s no such thing as a secure network.  And that despite their arrogant presumption, sooner or later the NSA network could be hacked and this information leaked.

And, there you have it.

Hackers were able to steal this information about a vulnerability that allows them to take over a workstation and encrypt all files.  But what’s worse, it allows this new threat to spread horizontally.  Up until now, ransomware spread ‘vertically’, as in from the server containing the malware to the workstation downloading it.

This new attack, codenamed WannaCry, also spreads horizontally, within workstations, within a network.  And that’s where the big issue has been.  That’s what has allowed this major attack to take place.

Because once one workstation was infected, many others followed easily, and entire networks fell prey to the attack. Microsoft had already released a patch in March to protect against this horizontal attack. And that’s likely the reason why we’ve seen much less of a problem with WannaCry in the US than the rest of the world has experienced.

Our processes and procedures are fairly stringent, and are starting to work. We patch and protect, and things didn’t get out of control. But frankly, that’s beside the point. The real issue here is, if the NSA hadn’t kept such information in the first place, it wouldn’t have been available to steal to begin with, and none of this would’ve happened.

How’s that for protection?

WannaCry Ransomware

There have been recent widespread reports concerning an emerging malware campaign known as WannaCry. So far, we’ve seen reported infections in 99 countries. Cyber-security firm Avast said it had seen 75,000 cases of the ransomware around the world. Kaspersky is reporting 45,000 attacks in 74 countries (with Russia most badly affected). Both of these are likely to be seeing just a portion of the overall attack.

The WannaCry ransomware can enter your network either via email or via HTTP/HTTPS download links. Once in the network, it has the ability to spread horizontally over the LAN/DMZ by exploiting an SMB vulnerability (codenamed “EternalBlue”) made public as part of the Shadow Brokers dump on April 14th, 2017 and patched by Microsoft on March 14th, 2017 (MS17-010).

The malware used in the attacks encrypts files, and appends .WCRY to the names of the files it encrypts. It also drops a decrypt tool, changes the wallpaper, and displays a notice demanding bitcoins for the decryption key. Initial variants requested US$300, but recently this has been increased to US$600 in Bitcoin.

The file extensions that the malware targets fall into several clusters of formats, including:

  • Commonly used office file extensions (.ppt, .doc, .docx, .xlsx, .sxi).
  • Less common and nation-specific office formats (.sxw, .odt, .hwp).
  • Archives and media files (.zip, .rar, .tar, .bz2, .mp4, .mkv).
  • Emails and email databases (.eml, .msg, .ost, .pst, .edb).
  • Database files (.sql, .accdb, .mdb, .dbf, .odb, .myd).
  • Developers’ source code and project files (.php, .java, .cpp, .pas, .asm).
  • Encryption keys and certificates (.key, .pfx, .pem, .p12, .csr, .gpg, .aes).
  • Graphic designers’, artists’ and photographers’ files (.vsd, .odg, .raw, .nef, .svg, .psd).
  • Virtual machine files (.vmx, .vmdk, .vdi).

Network Box has released several signatures to protect against this, as well as generic heuristic protection. Some of the threat names seen include:

  • Trojan-Ransom.Win32.Gen.djd
  • Trojan-Ransom.Win32.Scatter.tr
  • Trojan-Ransom.Win32.Zapchast.i
  • PDM:Trojan.Win32.Generic
  • Trojan.Win64.EquationDrug.gen
  • Trojan-Ransom.Win32.Wanna.a through Trojan-Ransom.Win32.Wanna.q

We continue to see new variants on an hourly basis and are issuing signatures using the Trojan-Ransom.Win32.Wanna.* prefix namespace. We’ve also released IDS, IPS, and INFECTEDLAN signatures to detect, block and alert on infections within the network.
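The horizontal spread described above has a network-side symptom that is independent of any signature: one internal host suddenly opening SMB (TCP/445) connections to many distinct peers within seconds. The following detector is an added example, not Network Box code or signature content; the connection-log format, the threshold, the window and the sample lines are all constructed for illustration.

```python
"""Flag internal hosts that fan out to many SMB (TCP/445) peers in a short
window, the network-side footprint of worm-style lateral spread.

Added example, not Network Box code. The log line format
"<timestamp> <src_ip> -> <dst_ip>:<dst_port>", the threshold and the
window are assumptions; the sample lines below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection-log excerpt: one host sweeps /24 neighbours on 445,
# another host talks to two file servers normally, a third uses HTTPS.
SAMPLE_LOG = """\
2017-05-12 10:00:01 10.0.5.17 -> 10.0.5.20:445
2017-05-12 10:00:01 10.0.5.17 -> 10.0.5.21:445
2017-05-12 10:00:02 10.0.5.17 -> 10.0.5.22:445
2017-05-12 10:00:02 10.0.5.17 -> 10.0.5.23:445
2017-05-12 10:00:03 10.0.5.17 -> 10.0.5.24:445
2017-05-12 10:00:03 10.0.5.17 -> 10.0.5.25:445
2017-05-12 10:00:04 10.0.5.17 -> 10.0.5.26:445
2017-05-12 10:00:04 10.0.5.17 -> 10.0.5.27:445
2017-05-12 10:00:05 10.0.5.17 -> 10.0.5.28:445
2017-05-12 10:00:05 10.0.5.17 -> 10.0.5.29:445
2017-05-12 10:00:07 10.0.5.17 -> 10.0.5.30:445
2017-05-12 10:00:09 10.0.5.40 -> 10.0.5.2:445
2017-05-12 10:01:30 10.0.5.40 -> 10.0.5.3:445
2017-05-12 10:02:11 10.0.5.40 -> 10.0.5.2:445
2017-05-12 10:02:40 10.0.5.41 -> 10.0.5.2:443
"""


def parse_line(line):
    """Split one log line into (timestamp, src_ip, dst_ip, dst_port)."""
    ts_str, rest = line[:19], line[20:]
    src, dst = rest.split(" -> ")
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S"), src, dst_ip, int(dst_port)


def smb_fanout_alerts(log_text, window=timedelta(seconds=60), threshold=10):
    """Return {src_ip: max_distinct_peers} for every source that reached at
    least `threshold` distinct hosts on TCP/445 inside any `window`-long span.
    Repeated connections to the same server do not count as spread."""
    events = defaultdict(list)              # src -> [(timestamp, dst_ip)]
    for line in log_text.strip().splitlines():
        ts, src, dst_ip, port = parse_line(line)
        if port == 445:
            events[src].append((ts, dst_ip))

    alerts = {}
    for src, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # slide the window so that hits[start:end+1] spans at most `window`
            while hits[end][0] - hits[start][0] > window:
                start += 1
            peers = {dst for _, dst in hits[start:end + 1]}
            if len(peers) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(peers))
    return alerts


if __name__ == "__main__":
    for src, count in smb_fanout_alerts(SAMPLE_LOG).items():
        print(f"ALERT: {src} reached {count} distinct SMB peers within 60s")
```

On the constructed log only 10.0.5.17 trips the alert (11 distinct peers in eight seconds); 10.0.5.40 revisits two file servers and stays below threshold, and the HTTPS connection is ignored entirely. Tune the threshold to the normal SMB fan-out of your own hosts before relying on it.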

The malware uses the TOR network and the following domains:

  • 57g7spgrzlojinas.onion
  • 76jdd2ir2embyv47.onion
  • cwwnhwhlz52maqm7.onion
  • gx7ekbenv2riucmf.onion
  • sqjolphimrr7jqw6.onion
  • xxlvbrloxvriy2c5.onion

Based on the severity and impact of this attack, Network Box Security Response makes the following recommendations:

  1. Block access to the TOR network. Network Box 5 includes policy control options for controlling the TOR network, and we recommend that those be deployed and enabled.
  2. Make sure that all hosts are running and have enabled endpoint security solutions.
  3. Ensure that the official patch (MS17-010) from Microsoft, which closes the affected SMB Server vulnerability used in this attack, is installed on all your systems.
  4. Isolate incoming laptops and ensure that they (a) have been patched with MS17-010, (b) have endpoint security solutions installed, enabled, and running, and (c) conduct a manual scan to ensure they are clean – before connection to your network.

So far, it seems that the multi-engine, multi-level approach that Network Box uses is keeping this at bay for our customers. However, we’ve seen a large increase in both heuristic and WannaCry-specific blocks in recent hours, and Network Box Security Response is keeping a close eye on the situation.

Network Box Security Response

Lunch & Learn: Compliance and Cybersecurity for Financial Institutions

When it comes to cybersecurity, banking is one of the most highly-regulated industries, with multiple checks and failsafe steps put in place to ensure the highest possible level of protection. And while industry as well as government regulations include extensive, rigorous assessments, compliance alone does not suffice. Financial institutions simply must take the extra steps beyond compliance to ensure that their network and clients’ information are protected from cyber threats.

On February 22nd, Network Box USA and ReliableIT hosted a Lunch & Learn for financial institutions at Maggiano’s Little Italy in Houston. This casual gathering was aimed at discussing compliance and cybersecurity. Attendees enjoyed a family-style Italian meal, as Nikki Almazan, Banking Compliance Expert from ReliableIT, talked at length about the threat landscape for banks and credit unions.  She also touched on CAT, the Cybersecurity Assessment Tool, put forth by the FFIEC.

After the presentation, Pierluigi Stella, CTO of Network Box USA, opened the floor for a roundtable discussion that included hot topics such as ransomware and web application security. He also, of course, circled back to the issue of the hour, compliance.

“Compliance and security go hand-in-hand. Compliance regulations are created to help and, in some ways force, companies to adhere to standards that, on a whole, will contribute to make them more secure. Or, at least, forces them to think about security. Although being compliant does not necessarily make a company secure, compliance is certainly a vital step towards security,” said Stella.

Network Box USA thanks all who attended, and would like to extend our appreciation to the team from ReliableIT.

Network Box USA named in CIO Review’s 20 Most Promising DDoS Solution Providers for 2016

CIO Review – DDoS Special

The corporate world is constantly getting smarter by leveraging the latest internet technology advancements. Information sharing has over the years witnessed a gradual displacement of paper with digital becoming the dominant and favored medium. While, undeniably, this transition has boosted communications within and between enterprises, it has also made it a lot easier for hackers to breach an enterprise and disrupt these communications, curtailing business operations. Attackers infiltrate an enterprise’s Domain Name System (DNS)—freezing the network or infecting the DNS with botnets.

Such infiltrations, known as Distributed Denial of Service (DDoS) attacks, make business operations arduous by temporarily suspending services and making them unavailable for customers. To purge these challenges, it becomes important to defend an enterprise’s DNS servers and networks from DDoS onslaughts. Preventing these infiltrations requires purpose-built network architecture which can detect and subdue the often deceptive and wildly complex DDoS attacks.

In the current IT market sphere there are many DDoS solution providers offering secured services with a myriad of features and functionalities—Software-as-a-Service (SaaS), traffic control, and firewall protection to fight DDoS attacks in different layers. Presently there are vendors providing solutions that can curb attacks of up to 300 Gbps, and above. CIOReview helps enterprise CIOs looking for key technologies related to DDoS navigate this landscape by presenting a list of ‘20 Most Promising DDoS Solution Providers 2016.’

Network Box USA – Multilayered Threat Protection

In recent years, web applications have been subjected to DDoS attacks more than any other type of network or application, which Pierluigi Stella, CTO of Network Box USA (NWB), points out is a challenging task for organizations to address, because it requires a coordinated effort between client, service provider and the ISP. Today, many companies offer DDoS protection by simply moving the client’s internet presence onto a very large cloud solution—capable of absorbing almost any size of attack. “However this solution is not optimal for all users, as they cannot afford to pay a huge sum and requires providing DDoS protection in every way the client can implement it, while remaining affordable,” says Stella.

Unlike many Web Application Firewall systems on the market, NWB’s suite of security solutions provides a wide range of capabilities to allow for the mitigation of DDoS attacks. Befitting its name, the firm’s Anti-DDoS WAF+ system allows companies and organizations to implement effective Anti-DDoS technology on an affordable basis. As a managed security services provider, NWB combats increasing danger posed by security breaches, virus attacks and similar threats arising from widespread use of the Internet. The Network Box networking stack consists of many layers of protection: layer 3—protocol enforcement, including connection rate, data transfer volume and handling connection slowness; and a wide range of application protection—layer 7, where URL pattern, user agent and request header are taken into account.

The Anti-DDoS WAF+ uses behavioral analysis, traffic signatures, rate limiting, and other techniques to identify malicious traffic per source-address. “Dynamic blacklisting and intelligent analysis recognize similar patterns when the attacking IP addresses change, and can automatically keep up with the attack to continue blacklisting the new sources, dropping their connections before they cause damage,” delineates Stella. “NWB offers these capabilities onsite and in the cloud.”

NWB’s Anti-DDoS system’s protection starts with the intelligence gathered from over 70 global security sources, including Microsoft’s Active Protections Program and Kaspersky Labs. Real-time automated fingerprinting is then utilized, to slow down DDoS attacks by a factor of about a millisecond automated response. Most importantly, the firm’s managed services suite is equipped with 16 Security Operations Centers (SOC) as well as a Security Response Center (SRC) to increase the security posture of the clients, quickly and efficiently. “The SRC is where the intelligence analysis happens and security analysts spend their entire time learning ways to create real-time protection—be it in the form of new signatures, or libraries, heuristics, or codes,” points out Stella.

According to Stella, “Speed and security are of the essence when fighting against cyber threats, and we make it a point of delivering protection—unbelievably in short and true real-time.” Network Box USA’s Managed Cloud Email Security provides robust, multilayered email threat protection and it is cost-efficient as it is sold as a service, hosted in the cloud and completely managed. With its patented PUSH technology, the firm ensures that customers’ solutions are protected with the latest security updates in less than 45 seconds upon availability. In addition, Network Box’s Z-Scan, a true real-time zero-day anti-malware engine, reacts by creating fingerprints, which are available to all NWBs globally within 3 seconds, as they are made available through NWB global private cloud.

Forging ahead, the firm is planning to offer its services via AWS, Google and Azure and intends to set up more SOCs. “We are also aiming to bring in a new service—MCPROXY—for clients who desire the same quality of protection that NWB offers, but are not willing to pay the cost of a full, dedicated, managed solution. MCPROXY will be a low cost, cloud based shared proxy offering, where, although the configuration capabilities will be limited, clients will still get the full protection of the NWB services, including HTTP and HTTPS AV scanning and web filtering. This system is currently under test,” concludes Stella.

Spear Phishing, Conclusion

written by Pierluigi Stella

In this concluding post on the topic of Spear Phishing (read the first one here), allow me to share something which happened to one of our clients last week.

The sender “appeared” to be the CEO; but that was only the “From:”. The actual sender in the envelope was mirza.shafgat@bingutab.com – a fake sender. The originating IP address was 97.74.135.162; this IP is in Scottsdale, AZ, and corresponds to the DNS name p3plsmtp09-01-2.prod.phx3.secureserver.net. The server connected to our device with an EHLO message of p3plwbeout09-01.prod.phx3.secureserver.net.

Our client’s domain is none of this.  However, the From: and To: fields appeared to be both from someone @ our client’s domain.

The first reaction one could have would be to apply SPF control. However, SPF is applied to the envelope, not to the body headers. The envelope shows bingutab.com as the sending domain, and secureserver.net as the EHLO domain. Upon checking the SPF record published for the envelope sender’s domain, we note that the sending IP is included. So SPF did not fail. The email, on the surface, looked legitimate. Besides, SPF isn’t mandatory. In this case, the domain had a record and it matched. In many other cases we’ve seen, there simply wasn’t an SPF record to match. We cannot discard emails based on that fact alone, because SPF isn’t required. If a record exists, it must be respected; but since publishing one isn’t a requirement, if a domain has no SPF record, we still need to accept emails from that domain.


In case it isn’t clear, there’s a specific reason why the envelope sender doesn’t match the apparent sender (From:).  Your domain _could_ have an SPF record; in which case, it’d be extremely easy for us to catch that email as a spoof, because it’d be originating from an IP address that isn’t authorized.  And if, by any chance, it did originate from an IP that you’ve authorized in your SPF record, then you’ve a much larger problem because one of your servers has been compromised ☺

So, how do you block such emails?  Actually the answer is simpler than I’ve made it look so far.  We can easily create a rule that says “if the header:from is from someone at my domain, the recipient is to someone at my domain, but the sender is not, block that email”.

However, we cannot apply such a sweeping rule without thorough consideration.  You may have hired a marketing firm to send emails on your behalf, including emails to your own employees/colleagues, and generally, they make it a habit of using a From: that makes them appear as though they’re coming from your company.  For example, I’ve seen emails from evite.com doing just this.  You set up an invitation for your entire company, specify your own email address, and  click GO.  They’ll generate an email to everyone on your list (your colleagues), the header:From will contain _your_ email address; but the envelope sender will be something random @evite.com.


To avoid catching such legitimate emails in the sweeping net of the rule above, we create a list of email addresses and domains that _you_ want to authorize to send such ‘spoof looking’ emails.  So, say I were to do this for our company, the rule would look something like this:-

deny header:from endswith @networkboxusa.com recipient endswith @networkboxusa.com sender notinacl authorized-spooffers.

I know, it sounds/looks/reads strange.  But it’s a very effective way to solve the issue of spear phishing that’s currently plaguing many companies.  And the only input we need from you is that list of domains or companies you want to allow in the rule above.
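The rule above, expressed as plain code so the three conditions and the exemption list can be read together. This is an added example, not Network Box rule syntax or code: the function and field names, the ACL entry other than evite.com, and the sample messages are constructed. The page’s rule as written would need your own domain in the ACL for internal mail to pass; the code makes that exemption explicit instead, which is an assumption noted in the comments.

```python
"""Evaluate the anti-spoofing rule from the post on parsed message fields.

Added example, not Network Box rule syntax or code. Function names,
the marketing-vendor ACL entry and the sample messages are constructed."""

OUR_DOMAIN = "networkboxusa.com"   # the protected domain used in the post's rule

# ACL of envelope senders (full addresses or whole domains) allowed to send
# mail whose From: looks internal. evite.com is the post's example; the
# second entry is a constructed placeholder.
AUTHORIZED_SPOOFERS = {"evite.com", "newsletter@marketing-vendor.example"}


def domain_of(addr):
    """'User@Example.COM' -> 'example.com'; the null sender '' -> ''."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def in_acl(addr, acl):
    """Match either the whole address or just its domain against the ACL."""
    addr = addr.lower()
    return addr in acl or domain_of(addr) in acl


def spoof_verdict(header_from, recipient, envelope_sender,
                  acl=AUTHORIZED_SPOOFERS, our_domain=OUR_DOMAIN):
    """Code form of:
         deny header:from endswith @our_domain
              recipient   endswith @our_domain
              sender      notinacl authorized-spooffers
    Returns 'deny' or 'accept'."""
    if domain_of(header_from) != our_domain or domain_of(recipient) != our_domain:
        return "accept"   # not internal-looking mail; this rule does not apply
    if domain_of(envelope_sender) == our_domain:
        # Assumption: envelope from our own domain is exempt here. With the
        # rule exactly as written, the own domain would have to be in the ACL.
        return "accept"
    if in_acl(envelope_sender, acl):
        return "accept"   # authorized third party, e.g. an invitation service
    return "deny"         # internal-looking From:, foreign envelope sender


# Constructed messages: (header From:, recipient, envelope sender)
SAMPLES = [
    ("ceo@networkboxusa.com", "cfo@networkboxusa.com", "ceo@networkboxusa.com"),     # genuine
    ("ceo@networkboxusa.com", "cfo@networkboxusa.com", "mirza.shafgat@bingutab.com"),  # spoof
    ("ceo@networkboxusa.com", "staff@networkboxusa.com", "bounce-8f2a@evite.com"),    # allowed
    ("vendor@partner.example", "cfo@networkboxusa.com", "vendor@partner.example"),   # external
]


def run_samples(samples=SAMPLES):
    """Apply the rule to each sample and return the verdicts in order."""
    return [spoof_verdict(*fields) for fields in samples]


if __name__ == "__main__":
    for fields, verdict in zip(SAMPLES, run_samples()):
        print(verdict.upper(), fields)
```

Two details worth checking when you turn this into a real policy: the null envelope sender (`MAIL FROM:<>`, used by bounces) has no domain and will be denied whenever the From: looks internal, and any third party you allow by whole domain can then send internal-looking mail from any mailbox at that domain, so prefer full addresses in the ACL where the vendor uses a fixed one.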

Makes sense?

Has your company experienced Spear Phishing?

Or any other form of spam?

Spear Phishing, Part 1

written by Pierluigi Stella

One of the dangerous issues we currently face with spam emails is that of spear phishing – a type of phishing email targeted at the recipient. While most spam deploys a shotgun approach (send billions of emails and see what sticks), spear phishing attacks are specifically aimed at the recipient, requiring hackers to do homework on the targeted victim. It is by no means random. If their efforts are to be handsomely rewarded, they must target executive and C levels, where a click on the wrong email can inflict serious damage. These emails are usually made to appear as though they are coming from one C level, to either another C level or someone else with authority to act upon the request.

Most of our clients are financial institutions (banks and CUs), and as such, a frequent phishing attempt we see in this particular sector is an email appearing to originate from the CEO. The request is likely to be to execute a wire transfer, with the intended target being the CFO, or the person in the bank who oversees such wires.

To be convincing, hackers need to emulate as much of the CEO as possible which, at first glance, may seem a daunting task.  Unfortunately, given how we are all far too eager to share as much of ourselves as possible these days, through various social media platforms, it isn’t as impossible a task as it might appear. Hackers can quickly find out the name of the CEO, they know the address of the business and the main phone number; thus crafting a false signature isn’t all that difficult.  If the recipient has never received an email from the CEO before, he/she may well fall into the trap.

The second step is to find out who’s doing the wires. That’s why the CFO might be the target here; because he has the authority to forward that email and ask for the wire to be executed. However, we’ve also seen such emails directly targeting the employee who can run the wire. In such instances, it means hackers have invested a little more time researching the company, perhaps through connections on LinkedIn, who knows. However they went about it, they now have the information they need, and have placed a bullseye on that person.


To understand how this could be technically possible, we first need to understand how email works, and what the SMTP protocol specifies and doesn’t specify (SMTP stands for Simple Mail Transfer Protocol and is the protocol used on the internet to send emails).  When SMTP was devised about 40 years ago, security wasn’t at all a concern.  Therefore, the creators of the protocol simply set out to model electronic communications in the image of physical mail.   When we write a letter, we have an envelope and a page where we compose the ‘body’ of our letter.  On the envelope, we write the name of the recipient, with the actual address we want it to go to.  We then pen our own name and address as the sender, so if the letter cannot be delivered, it is returned to us.

On the inside, however, we do not replicate all this.  Depending on the person to whom we’re writing, we may say “Dear Larry”, or “Hello son”, or something to that effect.  When we’re done, we end by signing the letter.  NOTHING says we _have_ to use our name.  We could be signing “Dad”; or “Pierluigi”, or use a nickname.

The SMTP protocol accounts for this and allows it in electronic format. An email consists of two parts – the envelope and the body. Users who never deal with email scanning never see the envelope. Your email server behaves like JARVIS: it opens the “letter” for you and discards the envelope. So you, as a user, are most likely unaware that this part of the email even exists. I personally know I didn’t, that is, before I started dealing with spam and malware.

What you receive in your inbox is what we call the body of the email, which is the electronic equivalent of the actual physical letter of old times.  The body is, in turn, divided into 3 areas:-

  • Headers
  • Actual body
  • Attachments

We all know what attachments are.  We can easily understand which part is the ‘body’.  The headers contain a few, well specified, fields, the following being relevant to our current discussion:-

  • From:
  • To:
  • Subject:
  • Reply-to:


The From:, To:, and Subject: are those that Outlook shows you at the top of the email.  NONE of these fields is mandatory.  The reason why your email server sent that email to _you_ and not to someone else is because of what was written in the envelope; and not because of the To: field in the headers of the body.

This also means that these fields can be entirely different from those in the envelope.  And that’s where the phishing trick comes into play.  You as a user only see the From: and To:.  Therefore, if I’m a hacker, I can write the following into the email:-

From:
To: (Luca Maestri is the CFO of Apple)
Subject:Wire

If Mr. Maestri isn’t careful, he’ll think the email originates from Mr. Cook and will execute the order. However, if we analyze the envelope logged on the server, we will likely find:-

  • The originating IP of the email does not belong to Apple
  • The server sending the email (identified by something called “EHLO”) isn’t Apple’s
  • The sender in the envelope may or may not say cook@apple.com, and most likely it does not
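The envelope-versus-headers distinction above, and the point from the concluding post that SPF is evaluated against the envelope sender and not the From: header, shown on a captured SMTP session. This is an added example, not the post’s own code: the session transcript, the client IP (from the TEST-NET-1 documentation range), the SPF records and the domain names are constructed, and the SPF evaluator handles only `ip4:` mechanisms as a teaching simplification rather than a full RFC 7208 implementation.

```python
"""Separate the SMTP envelope from the message headers in a captured session,
then show which of the two an SPF check actually looks at.

Added example, not the post's own code. Transcript, client IP, SPF records
and domains are constructed; spf_check() handles only 'ip4:' mechanisms."""
from email import message_from_string
from email.utils import parseaddr
import ipaddress

# Constructed client side of an SMTP session as the receiving server sees it
# (server replies omitted). Envelope = EHLO / MAIL FROM / RCPT TO; the
# headers and body only start after DATA.
SESSION = """\
EHLO mail-out.relay-host.example
MAIL FROM:<bounce-42@bulkmail.example>
RCPT TO:<cfo@example.com>
DATA
From: "The CEO" <ceo@example.com>
To: cfo@example.com
Subject: Wire
Reply-To: ceo@webmail-provider.example

Please process the attached wire today.
.
"""
CLIENT_IP = "192.0.2.10"   # constructed connecting IP (TEST-NET-1)

# Constructed SPF records keyed by domain, standing in for DNS TXT lookups.
SPF_RECORDS = {
    "bulkmail.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "example.com": "v=spf1 ip4:198.51.100.5 -all",
}


def split_session(session):
    """Return (envelope dict, parsed message) from a client-side transcript."""
    envelope, body_lines, in_data = {}, [], False
    for line in session.splitlines():
        if in_data:
            if line == ".":          # lone dot terminates DATA
                break
            body_lines.append(line)
        elif line.upper().startswith("EHLO "):
            envelope["ehlo"] = line[5:].strip()
        elif line.upper().startswith("MAIL FROM:"):
            envelope["mail_from"] = line.split(":", 1)[1].strip().strip("<>")
        elif line.upper().startswith("RCPT TO:"):
            envelope.setdefault("rcpt_to", []).append(
                line.split(":", 1)[1].strip().strip("<>"))
        elif line.upper() == "DATA":
            in_data = True
    return envelope, message_from_string("\n".join(body_lines))


def spf_check(domain, client_ip, records=SPF_RECORDS):
    """Toy SPF: 'pass' if client_ip matches an ip4: mechanism, 'fail' when the
    record ends in -all, 'neutral' otherwise, 'none' if no record is published."""
    record = records.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for mech in record.split()[1:]:
        if mech.startswith("ip4:") and ip in ipaddress.ip_network(mech[4:], strict=False):
            return "pass"
    return "fail" if record.endswith("-all") else "neutral"


def analyze(session=SESSION, client_ip=CLIENT_IP):
    """Compare envelope sender with header From: and run SPF on each domain."""
    env, msg = split_session(session)
    from_addr = parseaddr(msg["From"])[1]
    env_domain = env["mail_from"].rsplit("@", 1)[-1]
    from_domain = from_addr.rsplit("@", 1)[-1]
    return {
        "ehlo": env["ehlo"],
        "envelope_sender": env["mail_from"],
        "envelope_recipients": env["rcpt_to"],
        "header_from": from_addr,
        "header_to": msg["To"],
        "spf_domain_checked": env_domain,                       # SPF uses the envelope...
        "spf_result": spf_check(env_domain, client_ip),
        "header_from_spf": spf_check(from_domain, client_ip),  # ...not the From: header
        "domains_differ": env_domain != from_domain,
    }


if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key:>20}: {value}")
```

Run as-is, the envelope domain bulkmail.example passes SPF from 192.0.2.10 while the From: domain example.com would fail from the same address; SPF never consults the From: header, which is exactly why the message in the concluding post sailed through. A domain with no record at all returns `none`, the case the post describes where there is nothing to match against.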

In our second and concluding part on Friday, we’ll share how one of our clients experienced spear phishing directly, and how we went about resolving the issue.


The Ransomware Epidemic: Why It’s Spreading and What You Can Do

If it hasn’t already been dubbed “The Year of Ransomware,” 2016 is well on its way to earning that title. Even though ransomware has been around since 1989 (starting with the AIDS Trojan), we’ve seen a spike in the number of incidents over the past couple years that has left us wondering:

Why ransomware? Why now?

While there are several factors contributing to the increase in ransomware activity, the driving force is more than likely the fact that ransomware is fast money – a short-term ROI. With ransomware, cybercriminals don’t have to worry about handling personal information and/or trying to sell that information on the black market. That comes as a secondary benefit once they’ve infected a machine. If they so choose, cybercriminals could easily walk away with just the ransom and no additional information. After all, according to a recent study, 40% of companies are willing to pay the ransom to decrypt their files and/or regain access to their machines (e.g. workstations).1

The introduction of crypto-currency (as in Bitcoin) has been attributed as a key catalyst to this growing epidemic. While traceable, crypto-currency is an easy, verifiable way for cybercriminals to get paid. Another contributing factor may simply be the fact that the size of the cyber landscape itself is significantly larger than it was in 1989 (when the AIDS Trojan was released).  To put it into perspective, over the course of a decade, the number of Internet users has increased by over 825%.2 That percentage excludes the number of devices (estimated at an average of 3 per person).3 In other words, the pool of targets has expanded (or widened) and, therefore, more opportunities abound for cybercrime.

What can I do?

First, it’s important to understand how ransomware spreads. The most common way it’s delivered is via phishing emails, followed by drive-by downloads, and then social media (i.e., a malicious link on Facebook). We’ve also seen instances of ransomware in malvertising campaigns. Cybercriminals are finding any and every opportunity to finagle their way into your network.

Since delivery varies, there’s no single technique by which to stop ransomware in its entirety. Rather, it’s a collective effort between you, your employees, your vendors, and your cybersecurity solution.

In its simplest form – ransomware protection involves going back to cybersecurity basics:

Back up your data. At the very least, backing up your data will limit the impact of a ransomware attack. One of the costliest parts of cybercrime is its effect on business operations. Simply put, downtime is money lost.

Keep your systems up-to-date. This may seem like an obvious step, but it’s too often neglected, much like backing up data. The rate of threat generation (including ransomware) is uncanny and kind of scary. Keeping your systems updated ensures you have the latest protection in a threat landscape that’s constantly evolving.

Educate your employees. Oftentimes, humans are pointed out as the weakest link in a cybersecurity chain. The reality is that they’re also your best defense. Ideally, ransomware is stopped before your employees even encounter it, which is why keeping your systems up-to-date is so important. However, in the event it does reach your employees, you want to be sure they don’t blindly enable macros in a Word document, for example. Ultimately, educating your employees strengthens your security posture, as they become both your first and last line of defense.

Like crime in the physical world, cybercrime isn’t going anywhere, anytime soon. It’s a real threat with real repercussions.

What do you think is the driving force behind the increased ransomware activity? What other steps can companies take to stop ransomware? Let us know in the comments section below.


1 http://www.securityweek.com/40-percent-companies-will-pay-ransom
2 http://www.internetlivestats.com/internet-users/
3 http://www.globalwebindex.net/blog/digital-consumers-own-3.64-connected-devices