Posts

Ransomware and the impact to your business

Everyday, you read another story about how a company has been hit by a ransomware attack, which potentially can disrupt your business, services to your clients and livelihood of your employees.

Just last week it was announced another company, Forward Air, was hit by a ransomware attack, which disrupted services and impacted revenue.  This attack was attributed to a group “Hades”.  Forward Air, a trucking company from Tennessee, posted revenues of $1.4 billion in  2019 and employs more than 4300.

The ransomware note, resembles a similar note used by another ransomware group known as “REvil”, also known as “Sodin”.

Hades Tor site

 

This is a Sodinokibi variant that was first seen in early 2019.  Sodinokibi is what is known as ransomware-as-a-service, basically a software package which is catered by underground vendors to threat actors providing them a ransomware platform tool.

Companies are limited in their ability to defend against this type of exploitation, especially if they do not have full time IT staff or contracted Managed Service Providers that focus on security.  Your organization must follow the following guidelines to help mitigate your exposure:

  • Patch aggressively so vulnerabilities are eliminated and access routes are contained
  • Enable endpoints with tools that automatically detect and respond to infections before they become systemwide
  • Enable network threat intelligence tools to detect anomalies in your network traffic
  • Make sure emails are screened for malicious payloads and links
  • Minimize access levels by employees to perform their job functions

If you have been hit by ransomware, or just want to assess your company’s state of preparedness, reach out to us to discuss your needs.

LMJ is a full service Managed Service Provider, with offices in Alaska and California.

 

secure data center

Zero-Day vulnerability in iTunes and iCloud Apps on Windows PCs allowed ransomware to be installed

A vulnerability in the Bonjour component in both iTunes and iCloud for Windows was exploited to install malicious applications.  Apple has released a patch update for iTunes 12.10.1 and iCloud 7.14, so PC users should check that they have both updates installed.

The worst part of this issue is that no anti-virus will catch it since the actions being done, were being done by a signed Apple application, and therefore flagged as ok.   In addition, uninstalling via the iTunes uninstaller doesn’t automatically remove Bonjour, leaving your PC vulnerable even if you have uninstalled the application.

The primary vehicle for the ransomware exploit is called BitPaymer.

This is a good reminder that updating third-party applications is a critical component of a broad based security posture.

 

 

SamSam Ransomware

December 3, the FBI and Department of Homeland Security (DHS) issued an alert for SamSam ransomware—also known as MSIL/SAMAS.A—after identifying certain cyber threat actors using the ransomware to target industries in the US.

SamSam Ransomware: How it Works

As explained in the DHS alert, the SamSam actors exploit Windows servers to gain persistent access to a victim’s network and infect all reachable hosts. According to earlier reports, this is done by:

  • The cyber actors using the JexBoss Exploit Kit to access vulnerable JBoss applications
  • The cyber actors using Remote Desktop Protocol (RDP) to gain persistent access to victims’ networks

After gaining access to a particular network—typically through brute force attacks or stolen login credentials—the SamSam actors escalate privileges for administrator rights, drop malware onto the server, and run an executable file, all without victims’ action or authorization.

Detecting RDP intrusions can be challenging because the malware enters through an approved access point. While many ransomware campaigns rely on a victim completing an action, such as opening an email or visiting a compromised website, RDP allows cyber actors to infect victims with minimal detection.

Protecting Against SamSam Ransomware

DHS and FBI recommend that users and administrators consider using the following best practices to strengthen the security posture of their organization’s systems and mitigate the risk of SamSam ransomware infection:

  • Audit your network for systems that use RDP for remote communication. Disable the service if unneeded or install available patches. Users may need to work with their technology venders to confirm that patches will not affect system processes.
  • Verify that all cloud-based virtual machine instances with public IPs have no open RDP ports, especially port 3389, unless there is a valid business reason to keep open RDP ports. Place any system with an open RDP port behind a firewall and require users to use a virtual private network (VPN) to access that system.
  • Enable strong passwords and account lockout policies to defend against brute force attacks.
  • Where possible, apply two-factor authentication.
  • Regularly apply system and software updates.
  • Maintain a good backup strategy.
  • Enable logging and ensure that logging mechanisms capture RDP logins. Keep logs for a minimum of 90 days and review them regularly to detect intrusion attempts.
  • When creating cloud-based virtual machines, adhere to the cloud provider’s best practices for remote access.
  • Ensure that third parties that require RDP access follow internal policies on remote access.
  • Minimize network exposure for all control system devices. Where possible, disable RDP on critical devices.
  • Regulate and limit external-to-internal RDP connections. When external access to internal resources is required, use secure methods such as VPNs. Of course, VPNs are only as secure as the connected devices.
  • Restrict users’ ability (permissions) to install and run unwanted software applications.
  • Scan for and remove suspicious email attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.