cybersecurity are you ready for the attacks we face? - eot€¦ · 430791,443248,280530. beware of...

MultiHouse IT-partner

CybersecurityAre you ready for the attacks we face?


• Tobias Evar Lauridsen• 10 years experience in IT operations and IT security

• EC-Council Certified Ethical Hacker

• IBM Certified Ethical Hacker

• MultiHouse Information Security Officer:• ISAE 3402 Type 2 security declaration

• Senior IT Security consultant

• Panoply hacker competition:• Blackhat 2014 in Las Vegas #1 winner

• Blackhat 2015 in Amsterdam #1 winner

2

About me


• We are all targets for IT-criminals

• Shadow Brokers group and secret NSA exploits

• Wannacry, Not Petya, Bad Rabbit attacks and Ransomware 101

• Smishing

• CEO Fraud examples and how to analyse

• (D)DOS attack – the next cash cow for criminals

• From Apple to Apple juice

• Let’s wrap it up

3

Agenda

MultiHouse IT-partner4

Let’s learn from each other

I share stories to learn from each other.

Not to point my finger at others.

5

http://www.internetlivestats.com/internet-users/

http://www.dst.dk/Site/Dst/Udgivelser/GetPubFile.aspx?id=19375&sid=itanvbefeu https://www.av-test.org/en/statistics/malware/#tab-6906-2

OurBanks/money areonline – thus the IT-criminals areonline

Welcome to the Dungeon © 1986 Brain & Amjads (pvt). BRAIN COMPUTER SERVICES 730 IZANAMIBLOCK ALLAMA IQBAL TOWN LAHORE-PAKISTAN PHONE: 430791,443248,280530. Beware of this VIRUS.... Contact us for vaccination...

Worlds first virusBrain

”proof of concept” I love you virusCost of 5 billion $

”pranks”First ever

breakdown of netbank in Denmark

RansomwareCEO Fraud

IT-Crime is big bizz


Danish companies have been tricked into paying more than180 million kr in the 2nd half of 2016

6

The current state of cyber security

-threat assesment from Center for Cyber security(NC3) and Danish Defence Intelligence Service

The average salary in denmark is 294.000 kr for people from 15 and older.


https://blogs.sans.org/securingthehuman/files/2013/01/STH-Poster-YouAreATarget-LowResolution.jpg


ShadowBrokers group leaked NSA hacking tools timeline

August 2016

May 2017

April 2017 May 2017

June 2017

“ShadowBrokers” are asking for 1 Million Bitcoins (around $568 Million) in an auction to release the ‘best’ cyber weapons made by NSA

ShadowBrokers publishes a bunch of tools to github. EternalRomance(NotPetya) and EternalBlue(Wannacry) are part of this dump.

Wannacry attack used leaked NSA exploits: EternalBlue exploit and DoublePulsar payload.

More than 24,000 internet connected windows xp and 2003 where still vulnerable to a Remote Desktop attack called EsteemAudit.

The auction failed. NSA hacking tools a setup for direct sale on an underground website.

NotPetya disk wiper attackused NSA exploits: Fileshareexploit EternalRomance and EternalBlue

Bad Rabbit ransomware: EternalRomance is used.

Maybe more…

October 2017


• A program that encrypts all your files

• You cannot open your files after the ransomware has encrypted them

• The hackers wants you to pay for the key to unlock your files

• Or restore from a backup

9

What is Ransomware?


Ransomware timeline

https://labsblog.f-secure.com/2017/04/18/ransomware-timeline-2010-2017/


Monday Mornings…..


WannaCry Attack Simplified

WannaCry is run on a system

Spread WannaCry

Attack a range of computers on the internetwith EternalBlue exploit

Attack other computers on the local networkwith EternalBlue exploit

Stop attack if the kill-switch domain existshxxp://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

Run the Ransomware


Wannacry Timeline

March 2017

April 2017 May 2017

May 2017 May 2017

Other info:

ETERNALBLUE Remote Exploit via SMB & NBTwas leaked by shadowbrokers

Day 1: WannaCry with a kill-switch targeted the world. Kill-switches are typically used by nation states.

Day 2: Microsoft releases emergency patch updates for unsupported versions. Marcus Hutchins stoppedoutbreak with kill-switchUnrelated: Botnet Sending 5 Million Emails per hour to spread JaffRansomware

Day 3: WannaCry with no killswitchin the wild. Blasted the internet over the next couple of weeks.

Microsoft releases patch MS17-010 for EternalBlue.

Over 99.000 - 300.000 computers in 99 - 150 countries.The attack only made 50.000 $Marcus Hutchins was arrestedby FBI August the 2nd for selling and creating Kronos banking malware in 2014-15


• Install patches on all systems every patch Tuesday

• Watch for emergency patches from Microsoft

• Upgrade to windows before the version is end-of-life. Windows XP and Windows 2003 is end-of-life.

• Disable protocols that are no longer used in your environment. In this case SMBv1.

• Use endpoint protection not just antivirus. Endpoint protection is Antivirus, Firewall and Intrusion Prevention.

14

How to defend against the next wannacry

Firewall protection:

• Do not listen on SMB(TCP port 445) from the internet


Not Petya – Russian disk wiper


Not Petya Attack Simplified

Spreading Not Petya

Scans network for internal fileshares.Mimikatz steals credentials from memoryUses EternalRomance and EternalBlue againstinternal networksTries to infect computers over sysadmins toolWMIC and PSEXEC

Runs the disk wiper to make the data unuseable to the victim. Disk wiper encryptsthe computer harddisk Master Boot Record.

Ukrainian tax accounting software was used to distributeNot Petya. M.E. Doc service was compromised.

https://cloudblogs.microsoft.com/microsoftsecure/2017/10/03/advanced-threat-analytics-security-research-network-technical-analysis-notpetya/


• Segmentate the network into zones

• Only allow necessary traffic

• Limit the use of domain admin

• Do not use administrator access per default

• Backup is a must

17

How to stop Not Petya

• Users should live without local administrator privileges

• Users should only have access to files necessary to perform their job.


October: Bad Rappit attack

https://thehackernews.com/2017/10/bad-rabbit-ransomware-attack.html


Bad Rabbit Attack Simplified

Spreading Bad Rabbit

Scans network for internal fileshares.Attempt to logon with commonly used credsMimikatz steals credentials from memoryUses EternalRomance against internalnetworksTries to infect computers over sysadmins toolWMIC

Runs the Ransomware and show ransomnotewhen done encrypting the users files

Malicious adverts on websites by tricking user to install fake Flash update

https://thehackernews.com/2017/10/bad-rabbit-ransomware.html


Russia’s Enterprises were hit hard

Enterprise vs Consumer Infection attempts by country

https://www.symantec.com/connect/blogs/badrabbit-new-strain-ransomware-hits-russia-and-ukraine


• Disable the WMI service ifpossible

• Patch computers• Use software to update

computer programs, such as flash – or configure flash to autoupdate

• Make sure you bakcup your data on regular basis

21

Protect against Bad Rabbit

https://thehackernews.com/2017/10/bad-rabbit-ransomware.html

If flash auto updates or software is updated from a program. You can tell users: Do not update flash ifprompted. Call the support team insted.


Day-to-day: Examples of Ransomware


2017 Q2: Evil Invoices delivered with dropbox links

https://www.phishtank.com/phish_detail.php?phish_id=4888479

1. Criminals steal dropbox credentials with Phishing mails to you and me

2. Criminals upload malware to the compromised dropbox accounts.

3. Phishing mails with dropbox links to companies

4. Employees open the invoice5. Ransomware

I wonder what the criminals want to do in the companies?


What do hackers want to do?


Ransomware 101

Compromised webpages Phishing mails Existing botnet

You may get ransomware by involuntary download of malware by way of

SMB open to the internet


Protect yourself against day-to-day ransomware• Backup - to restore files

• User education – be observant – talk to a colleague

• Update systems including 3. part software such as: java, flash, silverligth, firefox, chrome etc.

• Do not activate macro files in office files – a macro is a small program in an office file

• Do not activate external content in office documents


• Text message/SMS phishing is the same as Mail phishing

• Hackers attempt to trick the receiver into installing an app or give out information such as passwords etc.

27

What is smishing


Smishing – NemID

www.littleleadersecc.com/cu.html massmediaman.com/nets/run/update/

www.littleleadersecc.com

37,652,825 millioner webpages host Wordpress

1038 kliks in 36 min.Beware of short links – you never know where you end up!


Smishing: You have received an MMS-message

http://enlightek.com/imms.apk

Bitly.com URL short links

= Android App

False sender Analysis of Android App

Targeting Denmark

Command and Control

http://enlightek.com/imms.apk


CEO Fraud Examples

You press reply…


DKK 300.000 transferred to an account in England.

20% in money-laundering feesmakes DKK 240.000 in cleanmoney.

It is possible to live 17 monthson one big catch.

No wonder why this is so popular.

31

The Hacker has 2584 hours per catch

https://nomadlist.com/lagos-nigeria/cost-of-living

https://nomadlist.com/lagos-nigeria/cost-of-living


CEO Fraud analysis of mail headerReceived: from EXCH01.danskvirksomhed.local (192.168.1.4) by EXCH01.danskvirksomhed.local (192.168.1.4) with Microsoft SMTP Server (TLS) id 15.0.847.32 via Mailbox Transport; Wed, 31 Aug 2016 12:30:49 +0200Received: from EXCH01.danskvirksomhed.local (192.168.1.4) by EXCH01.danskvirksomhed.local (192.168.1.4) with Microsoft SMTP Server (TLS) id 15.0.847.32; Wed, 31 Aug 2016 12:30:49 +0200Received: from mxscanner.dkvirksomhed.dk (8.8.8.8) by EXCH01.danskvirksomhed.local (192.168.1.4) with Microsoft SMTP Server id 15.0.847.32 via Frontend Transport; Wed, 31 Aug 2016 12:30:49 +0200Received: from mxscanner.dkvirksomhed.dk (localhost [127.0.0.1]) by mxscanner.dkvirksomhed.dk (Postfix) with ESMTP id 3F662ACA27 for <[email protected]>; Wed, 31 Aug 2016 10:30:31 +0000 (UTC)Received: from mxscanner.dkvirksomhed.dk (localhost [127.0.0.1]) by mxscanner.dkvirksomhed.dk (Postfix) with ESMTP id 8E474ACA14 for <[email protected]>; Wed, 31 Aug 2016 10:30:30 +0000 (UTC)

Received: from stt-cha-ms1.vipowernet.net (mail.vipowernet.net [65.112.145.72]) by mxscanner.dkvirksomhed.dk (Postfix) with ESMTPS id 1A36EAC8D4 for <[email protected]>; Wed, 31 Aug 2016 10:30:28 +0000 (UTC)

From: "Bent Direktør" <[email protected]>To: =Peder <[email protected]>Subject: =?iso-8859-1?Q?international_bankoverf=F8rsel?=Date: Wed, 31 Aug 2016 10:30:26 +0000Message-ID: <[email protected]>Reply-To: Bent Direktør <[email protected]>Content-Language: da-DKreceived-spf: pass (vipowernet.net: 65.112.145.72 is authorized to use'SRS0+eC/[email protected]' in 'mfrom' identity(mechanism 'a' matched)) receiver=mxscanner; identity=mailfrom;envelope-from="SRS0+eC/[email protected]";helo=stt-cha-ms1.vipowernet.net; client-ip=65.112.145.72Content-Transfer-Encoding: quoted-printableMIME-Version: 1.0


• Inform your employees about the risk of CEO fraud e.g.CEO fraud – mail fraud: The company is at the moment exposed to fraud attempts that look like they are coming from the company CEO. It is an attempt to get the employees to transfer large amounts of money to an account abroad.

Recommendation: Always phone the CEO or talk to him directly when it comes to transferring money

• You may require the approval of more than one person and that an email cannot stand alone.

• Think twice before replying or opening links in mails

33

CEO fraud action plan


DOS – quite simpel

Internet Connection

Fills your line up or overloads central equipment so the service goes offline.


DOS and DDOS

DOS – Denial of Service DDOS - Distributed Denial of Service

Pew pew pew

Pew pew pew


The biggest DDOS ever seen 2016

https://thehackernews.com/2016/09/ddos-attack-iot.html

https://thehackernews.com/2016/10/iot-dyn-ddos-attack.html

Took down Twitter, GitHub, PayPal, Amazon, Reddit, Netflix, and Spotify

1 Tbps is equal to 212 DVD discs212 DVD discs every second quickly fill up a mailboxThe same happens to our internet connection

https://4.bp.blogspot.com/-YWAchjQdYEw/V-uIrG2KbKI/AAAAAAAApm4/JosPa0mP7wc5tOoczqgYORNeGXJ9ZtoiACLcB/s1600/ddos-attack-iot.png


2017 Q4: A huge IOT botnet is being build• IoT_reaper malware is spreading with exploits for nine

previously disclosed vulnerabilities from:

• Dlink (routers)

• Netgear (routers)

• Linksys (routers)

• Goahead (cameras)

• JAWS (cameras)

• AVTECH (cameras)

• Vacron (NVR)

• The Mirai botnet from 2016 only used 150.000 devices. This can end very badly… Patch your stuff!

https://1.bp.blogspot.com/-iZqWna5Ix9E/Wer7uHzHZ0I/AAAAAAAAAlw/Bg_u0bkmvrQHkMRIYADQ8dOk6yXKsQaEgCLcBGAs/s1600/iot-botnet-malware.png


Wireless networks have serious security holes

https://thehackernews.com/2017/10/wpa2-krack-wifi-hacking.html

https://4.bp.blogspot.com/-V8dDL9Kefnc/WeRTm2l5ATI/AAAAAAAAuY0/MEaxpP-Xiogl9mWcFyr4J03EzrG2zxZMwCLcBGAs/s1600/wpa2-krack-wifi-hacking.png


Serious security flaws have been detected in WPA2 and WPA1 that are used to protect wireless networks.

The vulnerabilities affect both clients and wireless access points.

It is possible to control and change the network traffic.

Suppliers are working on releasing updates to patch the vulnerabilities.

Recommendations:

39

Wireless networks have serious security holes

”Update wireless devices, but do not loseany sleep in fear of the vulnerabilityproblem with KRACK”

https://www.cert.dk/da/klumme/2017-10-27/KRACK

-Henrik Larsen, DKCERT


• Use your smartphone to access:• haveibeenpwned.com

• Enter your email, and press “pwned?”

• You will receive a list of public data leaks in which you appear. Nice – isn’t it?

• This is just public data leaks…

40

Are you a part of a public data leakage?

From Apple to apple juice

41


An historical picture of Windows and Apple

Hackers spend more time finding security holes in Apple after their marked share has increased

- Seen from an IT security point of view


Virus + MAC OSX = Yes it can happen

Malware can control the computer over the internet, and can start the webcam, monitor, mouse, keyboard and can install more evil programs.The Malware was discovered by Malwarebytes and is called FruitFly.


Apple bug bounty program

http://thehackernews.com/2016/08/apple-bug-bounty-program.html

Find securityholes in apple software and get paid.


• Zerodium offers $1.5 Million for iOS Zero-Day Exploits

• This is more than 7 times than what Apple pays

• Zerodium has already paid 1 million $ for the first 3 iOS 9 vulnerabilities to hacker groups

45

The free marked pays more than Apple


Remember to update

http://thehackernews.com/2017/05/apple-security-patches.html

Lets wrap it up!

47


Security is about safeguarding your secrets and what you treasure the most

Maybe it’s your internet search history Or your intellectual property


Don’t build a wall; Use security in depth

Strategy: Discover threats insideyour network with security in depth.

Strategy: Build a fence and expect to keepthreats out using a good firewall with blinking lights.


Wrap it up – Enterprise security in depth

https://twitter.com/GaryDower/status/912869424650211331


Wrap it up – Home security a good startPerimeter Security

Network Security

Endpoint Security

Application Security

Data Security

Your crownjewels

Drive encryptionFx Bitlocker or FileVault

Update the computerBuild in feature

Update your applicationFx Ninite, Heimdal or Personal Software Inspector

Endpoint SecurityVirus protection, IntrusionPrevention System and Firewall

Secure DNSDNS translates IP adresses to Domains. Fx 31.13.72.36 -> facebook.comFx Cisco Umbrella

Update Wireless RouterYour router needs to beupdated as well.

Wireless RouterWPA2 encrypted networkwith a looong password

Wireless Router FirewallBlock connection from the internet

Use different passwords and 2 step login: Use a password manager. Fx: Keepass or master password


The weakest link is our finger tips

Think before you click, type or tap

cybersecurity are you ready for the attacks we face? - eot€¦ · 430791,443248,280530. beware of...

Documents