Don’t let the WannaCry Ransomware bring you to tears

Published on May 15, 2017 in Blog

Over the weekend, a lot of reports have come to light about the WannaCry ransomware malware.  This is also known as “Wanna”, “WanaCrypt0r 2.0” and “Wcry”.

This ransomware threat has reportedly hit over 150 countries, over 200,000 systems, and infected large and small organisations alike.  WannaCry appears to be entering organisations via email primarily, using infected PDF files (amongst other alternatives).

IF YOU ARE NOT EXPECTING AN EMAIL WITH AN ATTACHMENT – BE VERY CAREFUL AND DO NOT TRUST IT!


What does it do?

WannaCry incorporates two behaviours:

  1. Crypto – Once executed it encrypts important files on the local system and any USB or network drives connected to it.
  2. Worm – The worm ability allows this threat to seek out vulnerable computers on your network, infect them and then encrypt the files on them also.

The combination of these two behaviours makes this threat a very dangerous one, and one that requires your immediate action.


Very important items that provide some level of protection against WannaCry

  1. There is a Microsoft patch that was released in March 2017. This patch resolved the vulnerability that WannaCry exploits.
  2. Disabling SMB 1.0. The SMB 1.0 protocol is an older file sharing protocol, which is what gives WannaCry its worm capabilities.  It is not used by most modern software and technology, and should be disabled.

Microsoft have blogged previously about disabling SMB 1.0, as the protocol itself is old (30 years), and there are potential risks with it.  The only instances they believe may require SMB 1.0 are:

  • You’re still running Windows XP or Server 2003 under a custom support agreement.
  • You have some decrepit management software that demands admins browse via the ‘network neighborhood’ master browser list.
  • You run old multi-function printers with antique firmware in order to “scan to share”.
  3. Ensuring your anti-virus is patched and up to date.
  4. If you are running Windows XP or Server 2003 still, these machines need to be replaced ASAP. However, as a minimum, there has been a patch released for these operating systems (the first patch in over 2 years, which shows how seriously Microsoft is taking this threat).
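As an added example that is not part of the original post, the following PowerShell audits and then disables SMB 1.0 on a Windows host (item 2 above). It uses only cmdlets and sc.exe commands that Microsoft documents for this purpose; it assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later, falls back to the documented registry value on Windows 7 / Server 2008 R2, and assumes a reboot can be scheduled afterwards to complete the change.

```powershell
# Added example, not from the original post: audit and disable SMB 1.0.
# Run from an elevated PowerShell session. Assumptions: Windows 8.1 / Server 2012 R2
# or later for the Set-SmbServerConfiguration path; Windows 7 / Server 2008 R2 fall
# back to the registry value Microsoft documents. A reboot completes the change.

$modern = [bool](Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue)
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# 1. Report the current server-side state before touching anything.
if ($modern) {
    $state = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    $value = (Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $state = ($null -eq $value) -or ($value -ne 0)   # an absent value means SMB1 is on
}
Write-Host "SMB1 server protocol currently enabled: $state"

# 2. Disable the SMB1 server component (the side the worm connects to).
if ($modern) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    Set-ItemProperty -Path $params -Name SMB1 -Type DWORD -Value 0 -Force
}

# 3. Disable the SMB1 client driver so this host does not speak SMB1 outbound either.
#    These are Microsoft's documented commands; use sc.exe, not the PowerShell 'sc' alias.
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled

# 4. On Windows 10 / Server 2016 and later SMB1 is also an optional feature that can be
#    removed outright; skipped silently where the DISM cmdlets or feature are absent.
if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

# 5. Confirm the server-side setting (the client change takes effect after a reboot).
if ($modern) { Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol }
else         { Get-ItemProperty -Path $params -Name SMB1 | Select-Object SMB1 }
```

Step 2 is the part that matters for the worm behaviour; step 3 stops the host from initiating SMB1 connections as well. Check the three legacy cases Microsoft lists above before rolling this out across a fleet, because anything that still depends on SMB 1.0 will stop working after the reboot.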

Ensure you engage the services of a professional IT support company to help you:

  • Regularly patch your computers
  • Ensure your Anti-Virus software is kept up-to-date
  • Ensure your backups are automatically taken offsite and tested regularly
  • Provide advice and assistance on upgrading from older systems

If you need our assistance then please contact us to discuss how we can help.


A temporary reprieve – THE KILL SWITCH

Another item that was reported overnight was that a security researcher discovered and registered what is believed to be a kill switch for WannaCry.

It appears this is true IN THIS INSTANCE.  The original version of WannaCry does appear to have slowed significantly since the kill switch was registered.

However, there are also new variants of WannaCry that have been released, and definitely more to come, that will bypass that kill switch.  As of this morning, there were 2 variants released already, one of which used a different domain name as the kill switch, and the other that had no such kill switch.  These are just the tip of the iceberg.


Other Information:

  1. https://www.itnews.com.au/news/wannacrypt-ransomware-what-you-need-to-know-461717
  2. https://www.webroot.com/blog/2017/05/13/wannacry-ransomware-webroot/


Like us on Facebook and Twitter to keep up to date.


Running BGL Simple Fund? Your server could be at risk

Published on September 21, 2016 in Blog

If you are running BGL Simple Fund your server could be at risk of compromise

BGL Simple Fund users beware

The password for the default user that gets created when the software is installed is out in the wild and being used to attack servers. BGL Simple Fund users are feeling the pain.

There is a suggested fix which will only help those that have implemented it, however the latest update reverts this back to the original compromised password.
It should be a recommended practice to follow the suggested fix after each update to ensure your system remains secure.


Here is a little more detail

When the software is installed, it creates a local user on the server called ndbuser. On a member server this account is part of the local Administrators group, and if the software is installed on a domain controller it is in the Domain Admins group. The ndbuser account uses a standard password, and this password is in the wild.

This is not best practice as you need to trust and rely on the security practices of the software provider.  However, as IT support providers we need to take what we are given and do the best we can to protect the systems under our purview.


How is this vulnerability being used

IT support providers are seeing their clients get taken down. In one case they spent a few hours reviewing logs to see what actually happened and this is what they found.

The hacker logged onto the terminal server as ndbuser, since the account existed on that server because BGL was installed on it locally. They then downloaded a password sniffer and captured a domain admin account that had been used by the Line of Business application support staff in the previous couple of days; this gave them access to the back-end servers (the Hyper-V host and Domain Controller).  From there the hacker deleted all the backups connected to the servers.
And finally they installed the DMA Locker encrypting virus on all the client's servers, as they are no doubt the recipient of the ransom if it is paid.



The Fix

BGL published a security article explaining how to guard against this vulnerability to their client Wiki (BGLWiki) – “KB: Nexus service security instructions” – however, this is only accessible by those with a client account.  BGL also recommend that the ndbuser password be changed frequently.
When the security of the IT systems under your purview is concerned, you should assume that the notification has not gone out and make someone aware of it.

If you are an end user, notify your IT provider. I highly recommend you get them to implement the changes outlined in the support document.

If you are an IT provider then notify your clients that run BGL Simple Fund.


Still Concerning

It turns out the latest update for BGL actually resets the password for the ndbuser back to the original compromised password, even if you have changed it.
It is our recommended practice that you follow the suggested fix after each update to ensure your system remains secure.
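As an added example that is not part of the original post or anything BGL publishes, the following PowerShell audits the ndbuser account described above so the check can be repeated after every update: it reports whether the account exists, which groups it belongs to (flagging Administrators or Domain Admins, the two memberships the post describes), and when its password was last set, so a reset by the updater shows up as a password change you did not make. It assumes an elevated PowerShell 5.1 or later session on Windows Server 2016 / Windows 10 or newer (for Get-LocalUser and Get-LocalGroupMember), the ActiveDirectory RSAT module when run on a domain controller, and a $LastRotation date that you set to your own last password change (the value in the script is a constructed placeholder).

```powershell
# Added example, not from BGL or the original post: audit the ndbuser account
# after each BGL Simple Fund update. Assumes PowerShell 5.1+ with the LocalAccounts
# cmdlets; on a domain controller the ActiveDirectory RSAT module must be installed.
$Account      = 'ndbuser'
$LastRotation = Get-Date '2016-09-01'   # constructed placeholder: your last password change

# DomainRole 4 and 5 are backup / primary domain controllers.
$isDC = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4

if ($isDC) {
    Import-Module ActiveDirectory
    try   { $u = Get-ADUser -Identity $Account -Properties PasswordLastSet, MemberOf }
    catch { $u = $null }
    if (-not $u) { Write-Host "$Account not found in Active Directory"; return }
    $groups = $u.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name }
} else {
    $u = Get-LocalUser -Name $Account -ErrorAction SilentlyContinue
    if (-not $u) { Write-Host "$Account not found locally"; return }
    # Walk every local group and keep those that list the account as a member.
    $groups = Get-LocalGroup | Where-Object {
        Get-LocalGroupMember -Group $_ -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like "*\$Account" }
    } | Select-Object -ExpandProperty Name
}
$pwdSet = $u.PasswordLastSet

Write-Host "Account           : $Account (enabled: $($u.Enabled))"
Write-Host "Groups            : $($groups -join ', ')"
Write-Host "Password last set : $pwdSet"

# The two conditions the post warns about: a privileged membership, and a password
# that changed after your own last rotation (i.e. the updater reset it).
if ($groups -contains 'Administrators' -or $groups -contains 'Domain Admins') {
    Write-Warning "$Account holds a privileged group membership on this server"
}
if ($pwdSet -gt $LastRotation) {
    Write-Warning "$Account password was set on $pwdSet, after your last rotation: if that was not you, rotate it again"
}
```

Run it straight after applying an update and again on a schedule; a PasswordLastSet value you do not recognise is the signal that the update has put the known password back, which is exactly the condition described in this section.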


Is antivirus software enough protection?

Published on August 1, 2016 in Blog

Is antivirus software enough to protect your computer systems?  It has been my long-held belief that it is not.  Security of your computer systems should be a multi-layered solution and one that is proactively monitored.

I was recently reading a book entitled “Security Monitoring – Proven methods for incident detection on enterprise networks”, an O’Reilly publication by Chris Fry & Martin Nystrom.  I would like to share a small section with you. Bear in mind this book was published in 2009 and, surprisingly to some, the message still holds true today: don’t rely on antivirus alone.

Failure of Antivirus Software

Hopefully, you no longer rely solely on antivirus software to detect and protect your end-user systems. Rather, a defense-in-depth strategy includes antivirus software, adding OS and application patch management, host-based intrusion detection, and appropriate access controls (we said “hopefully” 🙂 ).  If you are still relying exclusively on antivirus software for protection, you will be very disappointed. For example, in summer 2008, many employees received a well-crafted phishing campaign that contained a realistic-looking email regarding a missed shipment delivery from UPS.


Attached to this email was a trojan that more than 90% of the 37 antivirus software programs were unable to detect.

These antivirus products, which detect malware via “known bad” signatures, failed to identify the Trojan.  Such technology fails primarily because an insignificant change to the virus will make it undetectable by existing signatures.  Vendors have been improving their techniques over the years – by including heuristic/behavioural-based detection, for example – but they still fall far short of providing “complete” system security.

The prevalence and advanced capabilities of modern malware should be reason enough to closely monitor for its existence in your network. If it isn’t, perhaps its use by Mafia-like organisations of criminals for profit via identity theft, extortion, and espionage is more convincing.

So where are we 7 years later?

You will notice that these sorts of emails are still doing the rounds, albeit with a more destructive payload (you may have heard the terms CryptoLocker, CryptoWall, and Ransomware, in which your files are encrypted and you are forced to pay a ransom, usually around $700 – $2000, to have your files restored).  Most antivirus software packages are still having trouble stopping these threats for the same reasons: the malicious code writers are always thinking up new ways to circumvent the protection products.

Remember, we need to stop any and all threats; they just need to find one vulnerability.  The odds are against us. So we need to be vigilant and employ all tools and techniques at our disposal.  One of these solutions is not a security product at all: it is ensuring you have an offsite backup of your data.


Should you upgrade to Windows 10?

Published on July 29, 2016 in Blog

Now that Windows 10 has been released should you upgrade to it?


In most cases Windows 10 is a good upgrade, especially as most of the hardware which is capable of running Windows 7 and above will be able to support Windows 10.

If you have tested your environment and decide to upgrade make sure you back up, back up, back up. Almost every installation we have completed has been relatively smooth, although it is not worth taking the risk. If it locks up halfway through, just reboot the PC and it should continue.

Running an upgrade does create a Windows.old folder, which can take up 10-20GB of space on your hard disk drive. I would recommend keeping the folder for a few weeks just to ensure that everything is OK. Once you have a clean backup, this folder can safely be removed.

Some software packages and devices may not work after the upgrade. Here are a few we have come across:

  • CISCO Systems VPN Client V5.0.04.0040 – It is recommended that you install the new CISCO Anywhere application; however, you need to also ensure your Cisco router supports this. The old version can be made to work with some tweaking.
  • Belkin Serial to USB converter – This used a custom-written UE driver to allow it to work on Windows 7 64-bit. This hasn’t been ported to Windows 8, so it will not work on Windows 10. The serial to USB converter I now use is an Aten UC-232A, which is working well.

Test, test, test.

Ensure that you have a non-production test machine to make sure that all your applications function as desired rather than upgrading an actual user’s computer. Upgrading prematurely could be a costly exercise.


If you need help upgrading or deciding if you should upgrade, then please reach out.

For some more information about its features visit – https://www.microsoft.com/en-au/windows/features


Are your passwords strong enough?

Published on June 8, 2012 in Blog

Recently a social networking company was hit by a security breach targeting the company’s database, which contained the usernames and passwords of 32 million users. The full list was posted on a hacker’s website.

A security vendor performed an analysis on the strength of the passwords and then published a Consumer Password Worst Practices report, which identified the top 20 most commonly used passwords.

  1. 123456
  2. 12345
  3. 123456789
  4. Password
  5. iloveyou
  6. princess
  7. rockyou
  8. 123456
  9. 12345678
  10. abc123
  11. Nicole
  12. Daniel
  13. babygirl
  14. monkey
  15. Jessica
  16. Lovely
  17. michael
  18. Ashley
  19. 654321
  20. Qwerty

I could have stopped this list at the Top 10, however I thought the last 10 show how common some passwords are.

All of the above are either too short or too simple; they are susceptible to basic forms of cyber attack. It would take only seconds to break these passwords.
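As an added example that is not part of the original post, the following PowerShell turns the two observations above (too short, too simple) into a check that can be run against a candidate password before it is accepted: it rejects anything on the list above, anything under a minimum length, and anything built from fewer than three character classes. The list is copied from the post; the 12-character minimum and the three-class rule are this example's own assumptions rather than a policy the post cites, and the sample passwords at the end are constructed.

```powershell
# Added example, not from the original post: flag passwords that are on the
# worst-practices list above, too short, or made of too few character classes.
# The length and class thresholds are assumptions for this example.

$WorstPasswords = @(
    '123456','12345','123456789','Password','iloveyou','princess','rockyou',
    '12345678','abc123','Nicole','Daniel','babygirl','monkey','Jessica',
    'Lovely','michael','Ashley','654321','Qwerty'
)

function Test-WeakPassword {
    param(
        [Parameter(Mandatory)][string]$Password,
        [int]$MinLength = 12   # assumed threshold
    )
    $reasons = @()

    # -contains is case-insensitive, so 'qwerty' and 'Qwerty' are the same guess.
    if ($WorstPasswords -contains $Password) { $reasons += 'on the common-password list' }

    if ($Password.Length -lt $MinLength) { $reasons += "shorter than $MinLength characters" }

    # Count character classes with case-sensitive matches for the letter ranges.
    $classes = 0
    if ($Password -cmatch '[a-z]')        { $classes++ }
    if ($Password -cmatch '[A-Z]')        { $classes++ }
    if ($Password -match  '\d')           { $classes++ }
    if ($Password -match  '[^A-Za-z0-9]') { $classes++ }
    if ($classes -lt 3) { $reasons += "uses only $classes character class(es)" }

    [pscustomobject]@{
        Password = $Password
        Weak     = ($reasons.Count -gt 0)
        Reasons  = ($reasons -join '; ')
    }
}

# Constructed sample inputs: three from the list, one short but mixed, one that passes.
'123456', 'qwerty', 'monkey', 'Tr0ub4d&', 'Wind0w$Upgr4de-2016' |
    ForEach-Object { Test-WeakPassword -Password $_ } |
    Format-Table -AutoSize
```

The check is deliberately a blocklist plus simple composition rules, which is the cheap layer that would have stopped every entry in the list above; it does not address the reuse problem described next, which only unique passwords per site (or a password manager) solves.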

This is one side of the password dilemma, the other is that most people re-use the same password on multiple sites.

Password security should be considered as an important first step in data security, as one of our clients found out first hand when they received a $10,000 internet bill.

We have designed a 10 point Security Assessment which can highlight potential problem areas.

If you would like to organise your assessment then please call us to organise a suitable time.
