Stop the Password Reset Insanity

How much time does your IT department spend changing a user’s network and or email account passwords because they clicked on a phishing link that they should not have? How many users do you have who do this repeatedly? Have you trained your users to identify, report, and ignore these phishing attempts?

Why make the only procedure to resolve this resetting the password when it just keeps happening again and again? Stop the insanity and look at a new way of solving this problem.

“The definition of insanity is doing the same thing over and over again and expecting different results.”

How Spearphishing Works

Your company webpage has just been redesigned to provide an enriched marketing experience. It looks great and everyone on your leadership team is excited about the new page. One of the pages, “About Our Team”, lists every member of the executive management team with a short bio. You have just provided the bad guys with a short list of high-value targets within your company.

With this list of users in hand and by utilizing the most standard email address format (everyone uses first initial of the first name + last name), a couple of smart public DNS queries, and a telnet to port 25 of your email server, I can determine your mail server and version, including Microsoft Office 365. Then I can set up a fake webmail account login page and send a well-crafted email asking them to log in to my fake email system so I can steal their password.

Once your user completes this action, I have not just compromised their account, I have compromised an influential person in the company. I now have access to the corporate account of someone who can make decisions and spend money, for example, authorize an invoice to be paid or request a wire transfer. Payday for me, headaches dealing with law enforcement, lawyers, cyber insurance companies, and forensics experts for you.

What Happens Next

Once you discover the intrusion, I’ve been reported to IT, the user’s account password has been changed, the lawyers are doing insurance reviews, and accounting is double checking the books, but I am still out there. While everyone is thinking, crisis averted, I am waiting for the next opportunity.

Now, I sit back and wait a week or two before another attempt. During this time, a business crisis arises, distracting the executives, and I send another email asking you to log in. Nine times out of ten, I get back in. Executives are busy between internal, partner and customer meetings, traveling, reviewing performance numbers, and so on. They are always busy and want things to go smoothly so they can accomplish tasks quickly. Because of this, your executives rarely look twice at the email asking for the password again – just so they can get that PDF report they think they are getting.

So, they are compromised. Again. You change their password. Again. Insanity.

While you are saying to yourself, “This would never happen at my company”, let me share this story with you. I recently worked a case where the President of the company was successfully spearfished three times in two weeks. Each time, the password was reset, and everyone moved on to other things. In another case, a breached IT administrator account was used to spearfish the CFO. As if that is not bad enough, the CFO had already been successfully spearfished two months prior.

How do I end this cycle?

The easy answer is to require multi-factor authentication (MFA). The harder question is, “How do I implement MFA without being chased with pitchforks and firebrands?” Or worse yet, isolated in an office in the basement with your career stalled out.

So, how do you implement MFA while minimizing the impact on your users?

Scenario 1:

IT develops a MFA implementation plan. They then meet with the executives to outline the program’s pros and cons, with the strategy of scaring them into agreeing to implement MFA. They use statistics from Gartner, include quotes from Verizon’s Annual Data Breach Investigation Report, and try to sell the implementation plan. Remember, these are the same executives who are busy moving from one fire drill to another while being spearfished daily. This strategy almost never goes well.

Scenario 2:

IT develops a MFA implementation plan. Instead of only using statistics from Gartner and quotes from Verizon’s Annual Data Breach Investigation report, they use actual internal data to affect change from within. Prior to presenting this data, they have already completed a MFA pilot with their Email administrators and then rolled it out to the entire IT department. Here’s the payoff: report the measured results of the rollout to the IT Steering Committee, CFO, or COO; the point is, get an executive to start thinking about MFA, hearing the results, and digesting the successes. Then, get that individual to try it.

Peer pressure can also be beneficial in this scenario. “One-Upmanship” within a highly political boardroom can be a good thing. Having someone inside the decision-making group proudly boasting how fourteen unauthorized attempts to log in to their account were thwarted by MFA can provide the incentive you need. No one wants to be the weak link or in last place.

The Benefits of MFA

Now that you have implemented MFA, you are able to stop the insanity of repeatedly resetting passwords, re-imaging computers, spending hours on telephone calls with lawyers, insurance companies, and forensics companies. You can expect fewer security headaches, more time to complete your projects, and your executive team to appreciate how secure your network has become with multi-factor authentication.

SecurIT360 is an independent, vendor-agnostic Cybersecurity consulting firm.
If you are interested in a complimentary budgeting and strategy session using some of our time-tested tools, you can schedule a meeting by clicking this link, Appointments.

A widespread ransomware attack has spread across the globe infecting tens of thousands computers in as many countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan.  The software can run in many languages.  There have been several versions and updates, but the ways to protect remain the same.  Recently, a decryption tool has been discovered – see here.

Technical Details

Initial reports indicate the hacker or hacking group behind the WannaCry campaign is gaining access to enterprise servers either through a Remote Desktop Protocol (RDP) compromise or the exploitation of a critical Windows SMB vulnerability.  Microsoft released a security update for the MS17-010 vulnerability on March 14, 2017.  According to open sources, one possible infection vector is via phishing emails.

The WannaCry ransomware received and analyzed by US-CERT is a loader that contains an AES-encrypted DLL.  During runtime, the loader writes a file to disk named “t.wry.”  The malware then uses an embedded 128-bit key to decrypt this file.  This DLL, is then loaded into the parent process, is the actual Wanna Cry Ransomware responsible for encrypting the user’s files.  Using this cryptographic loading method, the WannaCry DLL is never directly exposed on disk and not vulnerable to antivirus software scans.  Subsequent versions are manifested differently.

What to do to protect against Wana Decrypt0r aka WannaCry

1.    Patch all Windows Operating Systems

1. For supported Operating Systems see MS17-010
2. Emergency Patch for Windows XP and Windows 2003 is here

2.    Run a port scan and or Vulnerability Assessment against your firewalls. 

Ensure that Remote Desktop Protocol (RDP) and SMB protocols are not open to the internet.  These are typically on ports 3389, 445, and 139 respectively, but can be mapped to different ports on your firewall.  These configurations are security best practice.

Verify Other Protections Are working as expected.

*************************************IMPORTANT******************************************

Do NOT assume you are safe just because you have purchased and installed a product.

**********************************************************************************************

3.    Backups

Review your backups to ensure that they are working as expected.  Test restores of critical data.

4.    SPAM Filter

Enable strong spam filters to prevent phishing e-mails from reaching the end users.  Most enterprise filters should detect WannaCry.

5.    Antivirus & Malware Protections

1. Ensure that real-time scanning enabled to detect file downloads, email attachments, and web links
2. Ensure that scan engines are up to date and that definitions are downloaded and regularly deployed – at least daily. We recommend more frequently
3. Configure anti-virus and anti-malware solutions to conduct routine scans
4. Inventory protected machines to ensure that all have products installed and that they are functional

WannaCry Remediation

• Isolate compromised computer systems.
  1. Unplug from network to prevent spreading
  2. Power down other computers or unplug network access switches during eradication
  3. Wipe and reload infected machines
  4. Paying the ransom does not guarantee you recovery
• Ensure that proper logging is enabled and preserved on key systems.
• Contact law enforcement. Contact a local FBI field office upon discovery to report an intrusion and request assistance.  Maintain and provide relevant logs.
• Implement your security incident response and business continuity plan.
• Ideally, organizations should not store critical data on workstations. Critical data should reside on centralized storage systems.  Storage systems should have complete, verified, and tested backups.  Ofen the most efficient response is to restore data from a known clean backup.

Signatures

 

File name:  @WanaDecryptor@.exe

 

Confirmed indicators – SHA-256 Hashes:

24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c043e0d0d8b8cda56851f5b853f244f677bd1fd50f869075ef7ba1110771f70c25d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b976a3666ce9119295104bb69ee7af3f2845d23f40ba48ace7987f79b06312bbdfbe22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844f7c7b5e4b051ea5bd0017803f40af13bed224c4b0fd60b890b6784df5bd63494fc626fe1e0f4d77b34851a8c60cdd11172472da3b9325bfe288ac8342f6c710a09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafaaee20f9188a5c3954623583c6b0e6623ec90d5cd3fdec4e1001646e27664002cc365ddaa345cfcaff3d629505572a484cff5221933d68e4a52130b8bb7badaf9ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aab9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

Yara Signatures

rule Wanna_Cry_Ransomware_Generic {

meta:

description = “Detects WannaCry Ransomware on disk and in virtual page”

author = “US-CERT Code Analysis Team”

reference = “not set”

date = “2017/05/12”

hash0 = “4DA1F312A214C07143ABEEAFB695D904”

strings:

$s0 = {410044004D0049004E0024}

$s1 = “WannaDecryptor”

$s2 = “WANNACRY”

$s3 = “Microsoft Enhanced RSA and AES Cryptographic”

$s4 = “PKS”

$s5 = “StartTask”

$s6 = “wcry@123”

$s7 = {2F6600002F72}

$s8 = “unzip 0.15 Copyrigh”

condition:

$s0 and $s1 and $s2 and $s3 or $s4 or $s5 or $s6 or $s7 or $s8

}

 

/*The following Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.

rule MS17_010_WanaCry_worm {

meta:

description = “Worm exploiting MS17-010 and dropping WannaCry Ransomware”

author = “Felipe Molina (@felmoltor)”

reference = “https://www.exploit-db.com/exploits/41987/”

date = “2017/05/12″

strings:

$ms17010_str1=”PC NETWORK PROGRAM 1.0″

$ms17010_str2=”LANMAN1.0″

$ms17010_str3=”Windows for Workgroups 3.1a”

$ms17010_str4=”__TREEID__PLACEHOLDER__”

$ms17010_str5=”__USERID__PLACEHOLDER__”

$wannacry_payload_substr1 = “h6agLCqPqVyXi2VSQ8O6Yb9ijBX54j”

$wannacry_payload_substr2 = “h54WfF9cGigWFEx92bzmOd0UOaZlM”

$wannacry_payload_substr3 = “tpGFEoLOU6+5I78Toh/nHs/RAP”

condition:

all of them

}