Friday, January 19, 2024

This is bad architecture. Let me show you why.

 


I have Comcast. Most of my clients do, too -business and executive homes. In 100% of cases when we walk in the door and see this very basic internet architecture, we know that you're already hacked. Why? Comcast, Frontier, Verizon, Spectrum; it doesn't matter who you use, this architecture provides ZERO protection from what's happening on the internet. 

Take six and a half minutes out of your day and watch this short cybersecurity education burst. I think you'll find it useful. 



Friday, May 14, 2021

Trusted Internet regarding the Colonial Pipeline Hack

On May 10, the FBI announced that on Friday, May 7, a group known as Darkside was responsible for a ransomware attack that effectively shut down the operation of the Colonial Pipeline. This morning, it was reported that Colonial Pipeline paid $5 mil in ransome tor restore operations.

DarkSide’s team is considered relatively professional and organized.  The group even has a dedicated phone number and a helpdesk to facilitate negotiations with its victims.  DarkSide has traditionally presented itself to be quite meticulous in using this process to collect information from the victim to only use its ransomware on the “right targets.” This stems from the claim that DarkSide is only interested in extorting large for-profit businesses and has even attempted to donate a portion of its earnings to various charities.  Further analysis of the group’s historic attacks shows that only western, English-speaking companies have been targeted with a mandate to exempt companies in Soviet states grouped under the Commonwealth of Independent States (CIS) coalition, including Georgia and Ukraine, hinting at the origins of the group.

DarkSide is a relatively new actor that presents itself as an independent for-profit group that follows the RaaS (ransomware-as-a-service) model touting new ransomware, DarkSide 2.0, equipped with the “fastest encryption speed on the market.” Along with conducting its ransomware operations, the group also markets and sells its software and tools to other hacking groups. 
 
Darkside 2.0 features multithreading in both Windows and Linux versions.  The Linux version of the ransomware can now target VMware ESXi vulnerabilities, meaning it can hijack virtual machines and encrypt their virtual hard drives targeting network-attached storages (NAS), including Synology and OMV.  A unique feature of the DarkSide ransomware is that it targets domain controllers, which puts the entire network environment at risk.

What have we done about it, and is your company at risk? 

Trusted Internet utilizes a defense-in-depth approach to protect our clients from ransomware attacks such as DarkSide.  Trusted Internet’s cybersecurity solution detects and prevents ransomware deployment from several aspects. 
  • As information has come available, Trusted Internet has been combing our logs for indicators of Dark Side activities.
  • As well, while we do participate in some of the larger information sharing environments, any intelligence offered has been validated and loaded into firewalls and endpoint solutions. 
  • We continue to remain vigilant for updates in other kinds of pre-ransomware attacks, including loaders, installers, and dormant code.
  • Last we've been working with our security vendors to ensure the latest indicators are loaded, in an effort to keep our customers safe and free of ransomware. 
Our 24/7 Security Operations Center monitors both next-generation firewalls and our Secure Workstation endpoint software to protect your corporate network and devices. These systems are specifically designed to prevent this type of and other attacks.  To keep up with the ever-evolving threat landscape, our internal systems and deployed equipment and software are uniquely equipped and constantly updated in real-time with the latest threat intelligence to stay ahead of malicious actors and malware.  

From an Intelligence and Analysis perspective, we continue to monitor the situation. We receive intelligence from dozens of high-quality, reliable sources and will update your firewalls with any additional information as it is received and validated.
 
In the meantime, if you are a Trusted Internet Cyber Security client, you are already protected. If you are interested in establishing cybersecurity services to secure your network, Trusted Internet can assist immediately.

If you're concerned or have had a problem or breach, please contact Trusted Internet to speak with a Virtual CISO® today. 

Contact our 24x7 Security Operations Center at 800-853-6431, or staysafeonline@trustedinternet.io.

www.trustedinternet.io

Saturday, March 28, 2020

Keep your company digital assets available, and safe: "Two is One and One is None"

I received a call yesterday from my insurance agent. He works for a large company; you'd know the name. He told me that when the entire company went remote, their connection to the home office dropped for about a day. This is not the first company that I've heard this about. In our haste to go quickly to remote work, many companies failed to plan for redundancies and choke points. The good thing? The fixes aren't hard:

Here are some simple things to consider as we normalize in our potential for longer-term quarantine.

When it comes to terminating VPNs at the border, think redundancy

Many companies use a Next-Generation Firewall (NGF) at the edge. NGFs are great little boxes, filled with features --traditional firewalls, routing, intrusion prevention, anti-malware and SSL and IPSec VPN Concentrators.  Here's the problem: in generic terms, if you turn on VPN and Intrusion Prevention in many of these firewalls, performance drops... fast. You could lose as much as 70% of your speed. Add in SSL Inspection, and that amazing hardware-based box comes to a screeching halt, crawling, frustrating workers and costing the company valuable productivity time. What to do about it:
  • Separate those duties into independent functions
  • Consider adding High Availability (HA) pairs to allow for failover
  • Have a backup plan if you find your current inbound bandwidth swamped
Separate those duties into independent functions. Isolate VPN Concentration from protection. Use one machine (firewall, router, VPN concentrator) to terminate VPNs at the company edge, and the NGF for edge firewalling, IPS, anti-malware, etc. You'll find that your employees will be much happier.

Consider adding High Availability (HA) pairs to allow for failover.  High availability is the
pairing of two devices together so that if one fails, the other automatically takes over. Every device that we've used has the ability to be paired in high availability mode. Why? Three nights ago we saw an ASA fail because of the heavier workload. When it finally failed, the connection simply rolled over to the second firewall, allowing remote operations to continue, almost without issue, until the first machine could be updated to the newest OS.  In the world of firewalls, two is one and one is none. If you have HA paired firewalls, if one fails, the other continues. If you only have one, your remote workers lose access to the company and productivity stops.

Have a backup plan if you find your current bandwidth is swamped.  Most companies had planned for only a fraction of their workforce to be remote --sales, executives, support, and maybe a few dedicated telecommuters. If you had 100Mb of bandwidth set aside for remote access for 10% of your company, how much bandwidth will you need when the other 90% gets quarantined? The math isn't hard. Look at what's used internally, taking into consideration actual utilization, and plan.
--------------------------------------------

TRUSTED INTERNET IS A MANAGED SECURITY SERVICES PROVIDER
We install next-generation firewalls, managed antivirus, and an anti-evasion toolkit in your home or office, and then monitor and manage them remotely, 24x7. If we see a threat, we stop it.

Contact us
800-853-6431
staysafeonline@trustedinternet.io





Monday, April 30, 2018

No Cost NIST 800-171 Self Assessment

Did you know that last week, Lockheed Martin won a $1 billion contract to build hypersonic aircraft and technologies? 

Did you also know that NIST 800-171 compliance is going to be required to participate on the contract?

I thought I might take an opportunity to present an 'easy button'. We took the NIST Assessment document and turned it into a no cost, no obligation, online Self Assessment.  Fill in the correct contact information (as opposed to fake contact information) and at the end, we'll send you your individual responses.

The self assessment is located here: https://www.surveymonkey.com/r/BKTXJ89

If you're a small business (<500 alliance="" also="" and="" ask="" at="" business="" businesses:="" can="" charge="" corner="" employees="" for="" help="" in="" nbsp="" need="" no="" ompliance="" provided="" questions="" red="" sky="" small="" span="" the="" you="">https://redsky-sba.ning.com/compliance-corner.

Good luck.
Jeff

Saturday, January 06, 2018

What are Meltdown and Spectre? Should you be concerned?

We posted this analysis in the Red Sky Small Business Alliance portal. Red Hat Videos deserves kudos.. they do a wonderful job of describing where these bugs come from and one of our newer analysts offers a short analysis, written in plain english, describing the bugs in more detail. 



Source: Red Hat Videos - Meltdown and Spectre in 3 minutes

Meltdown and Spectre are two major flaws that affect all modern computers based on processors from Intel, AMD and ARM. Discovered and named by the team of security researchers as part of Google Project Zero, both of these flaws potentially allow hackers to steal personal data from computers, including cloud servers and mobile devices.

The disclosure date for the flaws were set for January 9, 2018 but due to premature reports, growing speculation and risk of exploitation, the information was revealed sooner and patches are just being made available for some platforms.

MeltdownSpectre
Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.
If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information. This applies both to personal computers as well as cloud infrastructure.

Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre
Spectre is harder to exploit than Meltdown, but it is also harder to mitigate.

Both these critical CPU flaws come down to how a CPU handles cache and optimizes execution techniques which results in a user getting access to kernel memory.

Cache Management and Speculative Execution:

Processors use a concept of rings to protect kernel memory from user programs. x86 processors have lots of rings, but for this issue, only two are relevant: "user" (ring 3) and "supervisor" (ring 0). When running regular user programs, the processor is put into user mode, ring 3. When running kernel code, the processor is in ring 0, supervisor mode, also known as kernel mode.

These rings are used to protect the kernel memory from user programs. The page tables aren't just mapping from virtual to physical addresses; they also contain metadata about those addresses, including information about which rings can access an address. The kernel's page table entries are all marked as only being accessible to ring 0; the program's entries are marked as being accessible from any ring. If an attempt is made to access ring 0 memory while in ring 3, the processor blocks the access and generates an exception. The result of this is that user programs, running in ring 3, should not be able to learn anything about the kernel and its ring 0 memory.

Every modern processor performs a certain amount of speculative execution. For example, given some instructions that add two numbers and then store the result in memory, a processor might speculatively do the addition before ascertaining whether the destination in memory is actually accessible and writeable. In the common case, where the location is writeable, the processor managed to save some time, as it did the arithmetic in parallel with figuring out what the destination in memory was. If it discovers that the location isn't accessible—for example, a program trying to write to an address that has no mapping and no physical location at all—then it will generate an exception and the speculative execution is wasted.

Intel processors, specifically—though not AMD ones—allow speculative execution of ring 3 code that writes to ring 0 memory. The processors do properly block the write, but the speculative execution minutely disturbs the processor state, because certain data will be loaded into cache and the TLB in order to ascertain whether the write should be allowed. This in turn means that some operations will be a few cycles quicker, or a few cycles slower, depending on whether their data is still in cache or not. As well as this, Intel's processors have special features, such as the Software Guard Extensions (SGX) introduced with Skylake processors, which slightly change how attempts to access memory are handled. Again, the processor does still protect ring 0 memory from ring 3 programs, but again, its caches and other internal state are changed, creating measurable differences. (ArsTechnica, 2018)

Patch Status:

As these flaws cannot be fixed with a firmware or microcode update alone, an OS-level fix is also required for the affected operating systems. The immediate solution comes in the form of a kernel Page Table Isolation (PTI), which separates the kernel’s memory from user processes. But this solution increases the kernel’s overhead, potentially causing the system to slow down depending on the task and processor model.
Early indications suggest that these patches mostly deal with Meltdown exploits and not Spectre, which again, is harder to exploit and to fix. In order to protect against all instances of Spectre, application-level fixes are to be expected.
  1. 1.     Windows
Microsoft has released an emergency patch this week for Windows 10 that is being applied automatically. Windows 7 and Windows 8 have also received a patch that can be applied manually while automatic updates are rolling out ahead of next Patch Tuesday.
In addition to the patch, Microsoft is warning that some third-party antivirus will create a conflict with the fix and the OS update won't be applied to those systems until the antivirus supports these changes.
Users should expect additional hardware/firmware updates from OEMs and motherboard manufacturers in the short term to complement Microsoft's patch. There is a PowerShell verification script which can be used to test and confirm whether protections have been enabled properly.
  1. 2.     MacOS
Apple has confirmed that all of its iPhones, iPads, and Mac devices are affected by the recently discovered chip flaws. The company has already released OS updates to protect users from the Meltdown attack, and a patch for Spectre will arrive "in the coming days.”
Apple released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown, adding that these updates do not slow down the devices. As the Apple Watch doesn’t use Intel chips, it is not affected.
  1. 3.     Linux
Linux kernel developers have a set of patches named kernel page-table isolation (KPTI) released in kernel 4.15 (currently in RC).
  1. 4.     Android
According to Google, devices with latest security updates are protected.
  1. 5.     Cloud Services
Companies using virtualized environments are the biggest potential targets for those looking to exploit the vulnerability. Microsoft Azure, Amazon AWS and Google Cloud are all implementing fixes and claim they have already mitigated some of the risk. Expect scheduled downtime of several cloud services in the coming days.

User Checklist:
  • Update to the latest version of Chrome (on January 23rd) or Firefox 57 if using either browser
  • Check Windows update and ensure KB4056892 is installed for Windows 10
  • Check your PC OEM website for support information and firmware updates and apply any immediately.
White Papers:


References:


Author: Wapack Labs, Asia Desk
Contact the Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com.

Saturday, December 30, 2017

2018 Cyber Security Threat and Vulnerability Predictions

This report encapsulates our predictions regarding the most significant cyber threats and vulnerabilities for 2018.

Phishing. Phishing continues to be at the top of the list for delivery and exploitation. It works, and shouldn’t be expected to slow down any time soon.

Distributed Denial of Service attacks (DDoS) appears to be losing some of its appeal.  LizardSquad/DD4BC glorified DDoS but large-scale adoption of common tools and botnets appears to decreasing in popularity (Phantomsquad, Armada, etc.). We expect to see continued use of DDoS attacks from hactivism motivated actors, those wishing to create noise for effect, and between the gaming communities as an entry into DDoS and IoT DDoS botnets but other tools, like ransomware appear to be growing in popularity while DDoS appears to be shrinking.

Credential Targeting.  In almost any breach, the holy grail of targeting is a domain server, Active Directory, or another location where credentials can be stolen and used. Unfortunately, account credentials are becoming increasingly more available. Keyloggers, misconfigurations, cloud computing, and the expansion of increasingly complex interconnected heterogeneous networking has led to massive losses of credentials. As recently as December 2017, a cache of 1.4 billion credentials was made available in an underground forum. Credentials in the wrong hands can enable a host of malicious activity, from automated, "credential stuffing" and account-takeover, to targeted attacks. The reported use of personal email accounts for official business, combined with the current availability of these credentials, indicates the year 2018 will likely see additional leaks of sensitive data and correspondence.

Democratization of cyber weapons.  2017 saw the most high-profile ransomware attack to-date with the Wannacry worm. Wannacry took advantage of publicly available exploits leaked by ShadowBrokers.  If more exploit leaks are forthcoming from ShadowBrokers or other sources, then their adoption by cyber criminals or other nation states is a near certainty and should be expected to not only continue, but to grow.

2018 is the year of fighting and winning against the abuse of the Tor network.  The Tor network is shrinking due to the new-found ability of IP leak scanning with an onion scanner. The need for compromised systems for web hosting is high and will remain great. Despite the Tor network shrinking, it remains the host of choice for ransomware and scanning/enumerating. The Tor network’s continuing IP leaks, may prove to be a good way at attributing ransomware.

Macro Malware. The popularity of malicious macros for malware delivery continued strong in 2017. The later part of 2017 indicated the increased obfuscation of malicious macros to bypass email based detections. Macro malware can easily achieve low anti-virus detection and there are infinite possibilities when it comes to obfuscation. Because of the ease of development, deployment, and opportunity for success, this trend will continue into 2018 and beyond.

Geopolitical tensions. Iran and North Korea tensions continue. With Russia intensifying contacts with North Korea and Iran, it is highly likely both Iranian and North Korean APT groups will gain more access to Russian APT expertise. Cyber has become the equalizer, and countries with little diplomatic leverage and lesser military power are using cyber as a weapon of choice –both in force and influence. As well, the introduction of asynchronous warfare into election scenarios is likely the tip of the iceberg. Wapack Labs has reported several times sources of fake news. The idea of manipulation of behavior through public influence –by cyber, by advertising, by fake news will grow through 2018.

Blockchain-related cybercrime. With the establishment of Bitcoin futures and general interest to blockchain technologies, exploitation in this field grows too. Blockchain will continue to receive investment but at the same time will receive corporate metrics to determine its value. As volatility continues in emerging markets, more people will try to hedge against inflation with bitcoins. Phishing and stealing cryptocurrency is on the rise. Bitcoin exchanges will continue to be targeted. Botnets and simple JavaScript inserts are used to mine cryptocurrency. New software in smart contracts and other blockchain-related infrastructure will continue to be exploited and will grow in complexity and losses.

For questions or comments regarding this report, please contact the lab directly by at 603-606-1246, or feedback@wapacklabs.com.

Saturday, December 16, 2017

Iran, Blacklists and Red Sky Small Business

On Tuesday, the 60 day deadline Trump gave Congress to fix or scrap the 2015 Iran nuclear deal
Photo credit: Reuters

passed, leaving another deadline in mid-January for the State Department to act. Will it happen? Who knows, but what we do know is that cyber activity associated with pro-Iranian hackers appears to have been escalating over the last month, targeting organizations in the US, Qatar, Saudi Arabia, and others.

Earlier this year the Saudi government warned telecommunications companies of cyber attacks against 15 organizations, including the Saudi Labor Ministry, and Sadara, a venture between Saudi Aramco and Dow Chemical.

Wapack Labs is currently tracking 13 cyber groups with varying levels of pro-Iranian sentiment or Iranian association ranging from possible government sponsorship (APT) to pro-Iranian hactivism. 

Why do we care? In 2014, leading up to John Kerry sealing the original deal, we watched what we believed to be both APT and pro-Iranian hackers stockpile cyber tools and we called out the idea that if the deal went badly for Iran, both Iranian hackers and their cyber ally's could be preparing to use cyber as a possible equalizer.

Many of the tools that we saw being gathered back then took advantage of opportunistic targeting --they scanned a broad area of the internet and the tools automatically targeted those organizations that had openings that could be exploited through automation. At the same time, backdoors and other tools are used for targeted approaches against organizations of prominence or significance. This is not a new tactic. During the Petya/Not-Petya campaign, we reported that below the noise of the ransomware a second attack was operating that was targeting specific organizations in an attempt to steal credentials.

Cyber is the equalizer and will always be involved where there's geopolitical risk.

Starting in the mid-90's we watched the Mexican Zapatistas use DDoS tools against places like the German Stock exchange to garner support for their cause. Since then, hundreds of other organizations have followed suit. If not for bringing support to a cause, to attempt to change an outcome of an impending action, or for retribution. Even back then, the Zapatistas were not the direct actor in the fight, rather they allied with hacker groups who built DDoS tools and took their fight to public organizations --the German Stock Exchange, because they knew the action would appear in the news, and if associated, would bring attention to their cause. The effectiveness of this action could be debated. I'm probably one of a handful of people that tracked it enough to know the story.

That being said, I tell my team on a daily basis "Where there's geopolitical risk, there will always (now) be a cyber threat to someone". The Iranian story is no different.

In the past 45 days or so, we've seen long standing backdoors being used by actors who've been attributed by us and others to operating for, or operating in support of Iran.

In the last 18 days we've seen an uptick of a new attack profile with characteristics similar to previous attacks. If the linkage is true, then we've likely seen the escalation.

BT

Changing gears. We're heading into Christmas. Last week we ran two days of fraud related presentations -one for Red Sky Alliance members, and one for the general public. Our second day was announced through a public service announcement on WMUR, the local ABC affiliate in New Hampshire, and for those of you who attended, we hope you found it useful.  Throughout the holiday period we've been publishing Black lists with monitor and/or block recommendations for addresses ranging from fraud to theft. Thank you to those of you who've provided feedback.

Last, we've opened the Red Sky Small Business Alliance - a no-cost location for small businesses to come for help. If you qualify as a small business under the SBA rules, please, feel free to join us. Both Red Sky Alliance and Red Sky Small Business Alliance are now officially registered with DHS as Information Sharing and Analysis Organizations, affording the CISA legal protections to those who request assistance.

Red Sky Small Business can be found at redsky-sba.ning.com.

As always, if you have any questions on services offered or membership in the information sharing environments, drop us a note.

Until next time,
Have a great weekend.
Jeff