MultiHouse IT-partner
Cybersecurity: Are you ready for the attacks we face?
About me
• Tobias Evar Lauridsen
• 10 years experience in IT operations and IT security
• EC-Council Certified Ethical Hacker
• IBM Certified Ethical Hacker
• MultiHouse Information Security Officer: ISAE 3402 Type 2 security declaration
• Senior IT Security consultant
• Panoply hacker competition: Blackhat 2014 in Las Vegas #1 winner; Blackhat 2015 in Amsterdam #1 winner
Agenda
• We are all targets for IT-criminals
• Shadow Brokers group and secret NSA exploits
• WannaCry, Not Petya, Bad Rabbit attacks and Ransomware 101
• Smishing
• CEO Fraud examples and how to analyse them
• (D)DOS attack – the next cash cow for criminals
• From Apple to Apple juice
• Let’s wrap it up
Let’s learn from each other
I share stories so that we can learn from each other, not to point my finger at others.
Our banks and money are online – thus the IT-criminals are online
Sources:
http://www.internetlivestats.com/internet-users/
http://www.dst.dk/Site/Dst/Udgivelser/GetPubFile.aspx?id=19375&sid=itanvbefeu
https://www.av-test.org/en/statistics/malware/#tab-6906-2
A short history of IT-crime (timeline figure):
• Brain – the world’s first virus. Its boot-sector message read: Welcome to the Dungeon © 1986 Basit & Amjad (pvt). BRAIN COMPUTER SERVICES 730 NIZAM BLOCK ALLAMA IQBAL TOWN LAHORE-PAKISTAN PHONE: 430791,443248,280530. Beware of this VIRUS.... Contact us for vaccination...
• ”Proof of concept”
• I love you virus – cost of 5 billion $
• ”Pranks”
• First ever breakdown of netbank in Denmark
• Ransomware
• CEO Fraud
• IT-Crime is big bizz

The current state of cyber security
– threat assessment from the Center for Cyber Security (NC3) and the Danish Defence Intelligence Service
• Danish companies have been tricked into paying more than 180 million kr in the 2nd half of 2016
• The average salary in Denmark is 294.000 kr for people aged 15 and older.
You are a target (SANS Securing the Human poster):
https://blogs.sans.org/securingthehuman/files/2013/01/STH-Poster-YouAreATarget-LowResolution.jpg
ShadowBrokers group leaked NSA hacking tools – timeline
• August 2016: “ShadowBrokers” are asking for 1 Million Bitcoins (around $568 Million) in an auction to release the ‘best’ cyber weapons made by NSA.
• The auction failed. The NSA hacking tools are set up for direct sale on an underground website.
• April 2017: ShadowBrokers publishes a bunch of tools to GitHub. EternalRomance (NotPetya) and EternalBlue (WannaCry) are part of this dump.
• May 2017: The WannaCry attack used leaked NSA exploits: the EternalBlue exploit and the DoublePulsar payload.
• May 2017: More than 24,000 internet-connected Windows XP and 2003 systems were still vulnerable to a Remote Desktop attack called EsteemAudit.
• June 2017: The NotPetya disk wiper attack used NSA exploits: the file share exploits EternalRomance and EternalBlue.
• October 2017: Bad Rabbit ransomware: EternalRomance is used.
• Maybe more…
What is Ransomware?
• A program that encrypts all your files
• You cannot open your files after the ransomware has encrypted them
• The hackers want you to pay for the key to unlock your files
• Or you restore from a backup
Ransomware timeline
https://labsblog.f-secure.com/2017/04/18/ransomware-timeline-2010-2017/
Monday mornings…
WannaCry Attack Simplified
• WannaCry is run on a system
• Spread WannaCry:
  • Attack a range of computers on the internet with the EternalBlue exploit
  • Attack other computers on the local network with the EternalBlue exploit
• Stop the attack if the kill-switch domain exists: hxxp://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
• Run the Ransomware
WannaCry Timeline
• March 2017: Microsoft releases patch MS17-010 for EternalBlue.
• April 2017: ETERNALBLUE, a remote exploit via SMB & NBT, was leaked by ShadowBrokers.
• May 2017, Day 1: WannaCry with a kill-switch targeted the world. Kill-switches are typically used by nation states.
• May 2017, Day 2: Microsoft releases emergency patch updates for unsupported versions. Marcus Hutchins stopped the outbreak with the kill-switch. Unrelated: a botnet was sending 5 Million emails per hour to spread Jaff Ransomware.
• May 2017, Day 3: WannaCry with no kill-switch in the wild. It blasted the internet over the next couple of weeks.
Other info: Over 99.000 - 300.000 computers in 99 - 150 countries. The attack only made 50.000 $. Marcus Hutchins was arrested by the FBI on August the 2nd for selling and creating the Kronos banking malware in 2014-15.
How to defend against the next WannaCry
• Install patches on all systems every patch Tuesday
• Watch for emergency patches from Microsoft
• Upgrade Windows before the version is end-of-life. Windows XP and Windows 2003 are end-of-life.
• Disable protocols that are no longer used in your environment. In this case SMBv1.
• Use endpoint protection, not just antivirus. Endpoint protection is Antivirus, Firewall and Intrusion Prevention.
Firewall protection:
• Do not listen on SMB (TCP port 445) from the internet
Not Petya – Russian disk wiper
Not Petya Attack Simplified
Initial infection: Ukrainian tax accounting software was used to distribute Not Petya. The M.E. Doc update service was compromised.
Spreading Not Petya:
• Scans the network for internal file shares.
• Mimikatz steals credentials from memory.
• Uses EternalRomance and EternalBlue against internal networks.
• Tries to infect computers over the sysadmin tools WMIC and PSEXEC.
Runs the disk wiper to make the data unusable to the victim. The disk wiper encrypts the hard disk’s Master Boot Record.
https://cloudblogs.microsoft.com/microsoftsecure/2017/10/03/advanced-threat-analytics-security-research-network-technical-analysis-notpetya/
How to stop Not Petya
• Segment the network into zones
• Only allow necessary traffic
• Limit the use of domain admin
• Do not use administrator access by default
• Backup is a must
• Users should live without local administrator privileges
• Users should only have access to the files necessary to perform their job.
October: Bad Rabbit attack
https://thehackernews.com/2017/10/bad-rabbit-ransomware-attack.html
Bad Rabbit Attack Simplified
Initial infection: malicious adverts on websites trick the user into installing a fake Flash update.
Spreading Bad Rabbit:
• Scans the network for internal file shares.
• Attempts to log on with commonly used credentials.
• Mimikatz steals credentials from memory.
• Uses EternalRomance against internal networks.
• Tries to infect computers over the sysadmin tool WMIC.
Runs the Ransomware and shows the ransom note when done encrypting the user’s files.
https://thehackernews.com/2017/10/bad-rabbit-ransomware.html
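The Not Petya slide and this Bad Rabbit slide describe the same lateral-movement step: stolen credentials replayed through the sysadmin tools WMIC (and, for Not Petya, PSEXEC). The block below is an added example, not MultiHouse's or any vendor's detection content. It runs a simple detection over constructed process-creation log lines (the pipe-separated field layout, hostnames, usernames and the payload path are assumptions made for the example) and flags a workstation that starts remote processes on several other hosts in quick succession, which is how both outbreaks looked from inside a network.

```python
"""
Detecting WMIC / PsExec-style remote execution fan-out in process-creation logs.

Added example for this deck (not MultiHouse's or any vendor's detection
content). The log lines are constructed to resemble Windows process-creation
events (Security 4688 / Sysmon 1) exported as pipe-separated text; hostnames,
usernames, the field layout and the payload path are assumptions.
"""
from collections import defaultdict
import re

# Constructed sample. Columns: time|host|user|parent_image|command_line
SAMPLE_LOG = r"""
2017-06-27T10:14:02|WS01|CORP\alice|explorer.exe|"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE" /n budget.docx
2017-06-27T10:15:10|WS01|CORP\alice|rundll32.exe|wmic.exe /node:"WS02" /user:"CORP\svc_backup" /password:"PLACEHOLDER" process call create "C:\Windows\payload-placeholder.exe"
2017-06-27T10:15:11|WS01|CORP\alice|rundll32.exe|wmic.exe /node:"WS03" /user:"CORP\svc_backup" /password:"PLACEHOLDER" process call create "C:\Windows\payload-placeholder.exe"
2017-06-27T10:15:13|WS01|CORP\alice|rundll32.exe|C:\Windows\Temp\psexec-copy-placeholder.exe \\WS04 -accepteula -s -d cmd.exe /c C:\Windows\payload-placeholder.exe
2017-06-27T10:15:14|WS01|CORP\alice|rundll32.exe|wmic.exe /node:"WS05" /user:"CORP\svc_backup" /password:"PLACEHOLDER" process call create "C:\Windows\payload-placeholder.exe"
2017-06-27T10:20:00|ADM01|CORP\bob|powershell.exe|wmic.exe /node:"FS01" os get lastbootuptime
2017-06-27T10:22:00|WS02|CORP\carol|explorer.exe|notepad.exe C:\Users\carol\notes.txt
"""

# wmic.exe /node:<host> ... process call create ...  -> remote process creation
WMIC_REMOTE_EXEC = re.compile(
    r'\bwmic(?:\.exe)?\b.*?/node:"?(?P<target>[^"\s]+)"?.*?\bprocess\s+call\s+create\b',
    re.IGNORECASE)
# <tool> \\<host> ... -accepteula / -s -d ...  -> PsExec-style remote service execution
PSEXEC_STYLE = re.compile(
    r'\\\\(?P<target>[A-Za-z0-9._-]+)\s.*?(?:-accepteula\b|\s-s\s.*?-d\b)',
    re.IGNORECASE)


def parse_line(line):
    """Split one pipe-separated record into a dict (command line may itself contain pipes)."""
    time, host, user, parent, cmd = line.split("|", 4)
    return {"time": time, "host": host, "user": user, "parent": parent, "cmd": cmd}


def classify(event):
    """Return (technique, target_host) when the command line is remote execution, else None."""
    for technique, pattern in (("wmic-remote-exec", WMIC_REMOTE_EXEC),
                               ("psexec-style-remote-exec", PSEXEC_STYLE)):
        m = pattern.search(event["cmd"])
        if m:
            return technique, m.group("target")
    return None


def detect(log_text, fanout_threshold=3):
    """Return (hits, fanout): every remote-exec event, and sources that reached >= threshold distinct hosts."""
    hits = []
    targets_by_source = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        classified = classify(event)
        if classified is None:
            continue
        technique, target = classified
        hits.append({**event, "technique": technique, "target": target})
        targets_by_source[(event["host"], event["user"])].add(target)
    fanout = {src: sorted(t) for src, t in targets_by_source.items() if len(t) >= fanout_threshold}
    return hits, fanout


if __name__ == "__main__":
    hits, fanout = detect(SAMPLE_LOG)
    for h in hits:
        print(f'{h["time"]} {h["host"]} {h["user"]} -> {h["target"]} [{h["technique"]}]')
    for (host, user), targets in fanout.items():
        print(f"ALERT lateral-movement fan-out: {user} on {host} reached {len(targets)} hosts: {', '.join(targets)}")
```

The rule deliberately distinguishes a remote WMI query (the admin on ADM01 reading a boot time) from remote process creation, and it alerts only on fan-out from one source, which is exactly what the advice to limit domain admin and segment the network is meant to contain.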
Russia’s enterprises were hit hard
Enterprise vs consumer infection attempts by country
https://www.symantec.com/connect/blogs/badrabbit-new-strain-ransomware-hits-russia-and-ukraine
Protect against Bad Rabbit
• Disable the WMI service if possible
• Patch computers
• Use software to update computer programs such as Flash – or configure Flash to auto-update
• Make sure you back up your data on a regular basis
https://thehackernews.com/2017/10/bad-rabbit-ransomware.html
If Flash auto-updates or software is updated from a program, you can tell users: Do not update Flash if prompted. Call the support team instead.
Day-to-day: Examples of Ransomware
2017 Q2: Evil invoices delivered with Dropbox links
https://www.phishtank.com/phish_detail.php?phish_id=4888479
1. Criminals steal Dropbox credentials with phishing mails to you and me
2. Criminals upload malware to the compromised Dropbox accounts
3. Phishing mails with Dropbox links are sent to companies
4. Employees open the invoice
5. Ransomware
I wonder what the criminals want to do in the companies?
What do hackers want to do?
Ransomware 101
You may get ransomware by involuntary download of malware by way of:
• Compromised webpages
• Phishing mails
• Existing botnet
• SMB open to the internet
Protect yourself against day-to-day ransomware
• Backup – to restore files
• User education – be observant – talk to a colleague
• Update systems, including 3rd-party software such as Java, Flash, Silverlight, Firefox, Chrome etc.
• Do not activate macros in Office files – a macro is a small program inside an Office file
• Do not activate external content in Office documents
What is smishing?
• Text message/SMS phishing is the same as mail phishing
• Hackers attempt to trick the receiver into installing an app or giving out information such as passwords etc.
Smishing – NemID
Link chain: www.littleleadersecc.com/cu.html → massmediaman.com/nets/run/update/
www.littleleadersecc.com
37,652,825 webpages host WordPress
1038 clicks in 36 min. Beware of short links – you never know where you end up!
Smishing: You have received an MMS-message
• Bitly.com URL short link → http://enlightek.com/imms.apk = Android App
• False sender
• Analysis of the Android App: targeting Denmark; Command and Control
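Both smishing slides turn on a shortened link whose real destination the recipient cannot see. As an added example (not a MultiHouse tool), the Python below expands a short link hop by hop using HEAD requests only, so nothing at the destination is downloaded or rendered, and then reports simple red flags such as a chain that ends in an .apk. The offline demo swaps in a fake fetcher with constructed placeholder hostnames; the path names echo the slides, but the domains are invented.

```python
"""
Expand a shortened link without rendering the destination.

Added example for this deck, not MultiHouse's tool. Only HEAD requests are
issued (no page body is fetched or executed) and every redirect hop is
recorded, so the final destination can be judged before anyone taps the link.
The shortener and destination hostnames in the demo are constructed placeholders.
"""
import http.client
import urllib.parse

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def head_request(url, timeout=5):
    """One HEAD request; returns (status, Location header) without following anything."""
    parts = urllib.parse.urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"refusing non-web scheme: {parts.scheme!r}")
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.netloc, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path, headers={"User-Agent": "link-expander-example"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def expand(url, fetch=head_request, max_hops=10):
    """Follow redirects one hop at a time; returns every URL visited, final destination last."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_STATUSES or not location:
            return chain
        nxt = urllib.parse.urljoin(chain[-1], location)  # Location may be relative
        if nxt in seen:
            raise RuntimeError("redirect loop")
        seen.add(nxt)
        chain.append(nxt)
    raise RuntimeError(f"more than {max_hops} redirects")


def verdict(chain):
    """Cheap red flags: long chains, executable/app downloads, https -> http downgrade."""
    first, final = urllib.parse.urlsplit(chain[0]), urllib.parse.urlsplit(chain[-1])
    flags = []
    if len(chain) > 2:
        flags.append("multiple redirect hops")
    if final.path.lower().endswith((".apk", ".exe", ".scr", ".js")):
        flags.append("destination is an executable/app download")
    if first.scheme == "https" and final.scheme == "http":
        flags.append("downgraded to plain http")
    return flags


# Constructed offline demo: a fake HEAD fetcher standing in for the network.
FAKE_RESPONSES = {
    "https://short.example/a1b2": (301, "http://compromised-blog.example/cu.html"),
    "http://compromised-blog.example/cu.html": (302, "/nets/run/update/"),
    "http://compromised-blog.example/nets/run/update/": (302, "http://downloads.example/imms.apk"),
    "http://downloads.example/imms.apk": (200, None),
}


def fake_head(url):
    return FAKE_RESPONSES.get(url, (404, None))


def demo():
    chain = expand("https://short.example/a1b2", fetch=fake_head)
    return chain, verdict(chain)


if __name__ == "__main__":
    chain, flags = demo()
    print(" -> ".join(chain))
    for f in flags:
        print("FLAG:", f)
```

Against a live link, call expand() with the default fetcher; the demo only replaces the network with a table so the logic can be checked offline.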
CEO Fraud Examples
You press reply…
The hacker has 2584 hours per catch
• DKK 300.000 transferred to an account in England.
• 20% in money-laundering fees makes DKK 240.000 in clean money.
• It is possible to live 17 months on one big catch.
• No wonder this is so popular.
https://nomadlist.com/lagos-nigeria/cost-of-living
CEO Fraud – analysis of mail header
Received: from EXCH01.danskvirksomhed.local (192.168.1.4) by EXCH01.danskvirksomhed.local (192.168.1.4) with Microsoft SMTP Server (TLS) id 15.0.847.32 via Mailbox Transport; Wed, 31 Aug 2016 12:30:49 +0200
Received: from EXCH01.danskvirksomhed.local (192.168.1.4) by EXCH01.danskvirksomhed.local (192.168.1.4) with Microsoft SMTP Server (TLS) id 15.0.847.32; Wed, 31 Aug 2016 12:30:49 +0200
Received: from mxscanner.dkvirksomhed.dk (8.8.8.8) by EXCH01.danskvirksomhed.local (192.168.1.4) with Microsoft SMTP Server id 15.0.847.32 via Frontend Transport; Wed, 31 Aug 2016 12:30:49 +0200
Received: from mxscanner.dkvirksomhed.dk (localhost [127.0.0.1]) by mxscanner.dkvirksomhed.dk (Postfix) with ESMTP id 3F662ACA27 for <[email protected]>; Wed, 31 Aug 2016 10:30:31 +0000 (UTC)
Received: from mxscanner.dkvirksomhed.dk (localhost [127.0.0.1]) by mxscanner.dkvirksomhed.dk (Postfix) with ESMTP id 8E474ACA14 for <[email protected]>; Wed, 31 Aug 2016 10:30:30 +0000 (UTC)
Received: from stt-cha-ms1.vipowernet.net (mail.vipowernet.net [65.112.145.72]) by mxscanner.dkvirksomhed.dk (Postfix) with ESMTPS id 1A36EAC8D4 for <[email protected]>; Wed, 31 Aug 2016 10:30:28 +0000 (UTC)
From: "Bent Direktør" <[email protected]>
To: =Peder <[email protected]>
Subject: =?iso-8859-1?Q?international_bankoverf=F8rsel?=
Date: Wed, 31 Aug 2016 10:30:26 +0000
Message-ID: <[email protected]>
Reply-To: Bent Direktør <[email protected]>
Content-Language: da-DK
received-spf: pass (vipowernet.net: 65.112.145.72 is authorized to use 'SRS0+eC/[email protected]' in 'mfrom' identity (mechanism 'a' matched)) receiver=mxscanner; identity=mailfrom; envelope-from="SRS0+eC/[email protected]"; helo=stt-cha-ms1.vipowernet.net; client-ip=65.112.145.72
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
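Read bottom-up, the Received chain on this slide shows the mail entering the company's mail scanner from an outside relay (stt-cha-ms1.vipowernet.net, 65.112.145.72) even though it claims to come from the company's own director; the Reply-To header is where a reply will actually go and should be compared with From; and the SPF "pass" refers to the SRS-rewritten envelope sender at vipowernet.net, not to the displayed From address. The Python below is an added example, not MultiHouse's tooling, that automates those three checks on a constructed copy of the header: relay names, IPs and timestamps follow the slide, while the mailbox addresses, which are redacted on the slide, are placeholders on .invalid domains.

```python
"""
Triage of a suspected CEO-fraud mail from its raw headers.

Added example for this deck, not MultiHouse's own tooling. The sample headers
are constructed after the header shown on the slide: relay hostnames, IPs and
timestamps follow the slide, while the mailbox addresses (redacted on the
slide) are placeholders on .invalid domains.
"""
import email
import email.header
import email.utils
import ipaddress
import re

# Constructed sample (placeholder mailbox addresses). Received headers are
# listed newest first, exactly as a mail client shows them.
RAW_HEADERS = """\
Received: from EXCH01.danskvirksomhed.local (192.168.1.4) by EXCH01.danskvirksomhed.local (192.168.1.4) with Microsoft SMTP Server (TLS) id 15.0.847.32 via Mailbox Transport; Wed, 31 Aug 2016 12:30:49 +0200
Received: from mxscanner.dkvirksomhed.dk (8.8.8.8) by EXCH01.danskvirksomhed.local (192.168.1.4) with Microsoft SMTP Server id 15.0.847.32 via Frontend Transport; Wed, 31 Aug 2016 12:30:49 +0200
Received: from mxscanner.dkvirksomhed.dk (localhost [127.0.0.1]) by mxscanner.dkvirksomhed.dk (Postfix) with ESMTP id 3F662ACA27 for <peder@danskvirksomhed.invalid>; Wed, 31 Aug 2016 10:30:31 +0000 (UTC)
Received: from stt-cha-ms1.vipowernet.net (mail.vipowernet.net [65.112.145.72]) by mxscanner.dkvirksomhed.dk (Postfix) with ESMTPS id 1A36EAC8D4 for <peder@danskvirksomhed.invalid>; Wed, 31 Aug 2016 10:30:28 +0000 (UTC)
From: "Bent Direktoer" <bent@danskvirksomhed.invalid>
To: Peder <peder@danskvirksomhed.invalid>
Subject: =?iso-8859-1?Q?international_bankoverf=F8rsel?=
Reply-To: Bent Direktoer <bent.direktoer@freemail-example.invalid>
received-spf: pass (vipowernet.net: 65.112.145.72 is authorized to use 'SRS0+abc=XY=freemail-example.invalid=bent.direktoer@vipowernet.net' in 'mfrom' identity (mechanism 'a' matched)) receiver=mxscanner; identity=mailfrom; envelope-from="SRS0+abc=XY=freemail-example.invalid=bent.direktoer@vipowernet.net"; helo=stt-cha-ms1.vipowernet.net; client-ip=65.112.145.72

"""

RECEIVED_FROM = re.compile(r"^from\s+(?P<helo>\S+)\s+\((?P<info>[^)]*)\)", re.IGNORECASE)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse(raw):
    return email.message_from_string(raw)


def decode_subject(msg):
    """RFC 2047 encoded words (=?iso-8859-1?Q?...?=) decoded to readable text."""
    return str(email.header.make_header(email.header.decode_header(msg.get("Subject", ""))))


def received_hops(msg):
    """(helo_name, ip) for each Received header, newest hop first."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_FROM.match(" ".join(value.split()))
        if m:
            ip = IPV4.search(m.group("info"))
            hops.append((m.group("helo"), ip.group(0) if ip else None))
    return hops


def origin_hop(msg):
    """Earliest hop with a routable IP: the outside server that handed the mail to our perimeter."""
    for helo, ip in reversed(received_hops(msg)):
        if ip and ipaddress.ip_address(ip).is_global:
            return helo, ip
    return None


def domain_of(header_value):
    return email.utils.parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def spf_result(msg):
    """(result, envelope-from domain). SPF authenticates MAIL FROM, not the From header users see."""
    value = " ".join((msg.get("Received-SPF") or "").split())
    result = value.split(" ", 1)[0].lower() or None
    m = re.search(r'envelope-from="?([^";\s]+)', value)
    return result, (m.group(1).rpartition("@")[2].lower() if m else None)


def triage(raw):
    msg = parse(raw)
    from_dom, reply_dom = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    origin = origin_hop(msg)
    spf, env_dom = spf_result(msg)
    findings = []
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To goes to {reply_dom}, not to the From domain {from_dom}")
    if origin and from_dom and not origin[0].lower().endswith(from_dom):
        findings.append(f"mail claiming to be internal entered via external relay {origin[0]} ({origin[1]})")
    if spf == "pass" and env_dom and env_dom != from_dom:
        findings.append(f"SPF 'pass' covers envelope sender {env_dom}, which says nothing about the From header")
    return {"from_domain": from_dom, "reply_to_domain": reply_dom, "origin": origin,
            "spf": (spf, env_dom), "subject": decode_subject(msg), "findings": findings}


if __name__ == "__main__":
    result = triage(RAW_HEADERS)
    print("Subject:", result["subject"])
    for f in result["findings"]:
        print("FLAG:", f)
```

Any one of the three findings is reason enough to pick up the phone, which is the recommendation on the next slide; the script only makes the header legible to someone who is not used to reading it bottom-up.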
CEO fraud action plan
• Inform your employees about the risk of CEO fraud, e.g.: "CEO fraud – mail fraud: The company is at the moment exposed to fraud attempts that look like they are coming from the company CEO. It is an attempt to get employees to transfer large amounts of money to an account abroad. Recommendation: Always phone the CEO or talk to him directly when it comes to transferring money."
• You may require the approval of more than one person, so that an email cannot stand alone.
• Think twice before replying to or opening links in mails
DOS – quite simple
Internet connection: the attack fills your line up or overloads central equipment so the service goes offline.
DOS and DDOS
DOS – Denial of Service; DDOS – Distributed Denial of Service
Pew pew pew
The biggest DDOS ever seen, 2016
https://thehackernews.com/2016/09/ddos-attack-iot.html
https://thehackernews.com/2016/10/iot-dyn-ddos-attack.html
Took down Twitter, GitHub, PayPal, Amazon, Reddit, Netflix, and Spotify
1 Tbps is equal to 212 DVD discs. 212 DVD discs every second quickly fill up a mailbox. The same happens to our internet connection.
2017 Q4: A huge IoT botnet is being built
• IoT_reaper malware is spreading with exploits for nine previously disclosed vulnerabilities from:
  • Dlink (routers)
  • Netgear (routers)
  • Linksys (routers)
  • Goahead (cameras)
  • JAWS (cameras)
  • AVTECH (cameras)
  • Vacron (NVR)
• The Mirai botnet from 2016 only used 150.000 devices. This can end very badly… Patch your stuff!
Wireless networks have serious security holes
https://thehackernews.com/2017/10/wpa2-krack-wifi-hacking.html
Wireless networks have serious security holes (KRACK)
Serious security flaws have been detected in WPA2 and WPA1, which are used to protect wireless networks.
The vulnerabilities affect both clients and wireless access points.
It is possible to control and change the network traffic.
Suppliers are working on releasing updates to patch the vulnerabilities.
Recommendations:
”Update wireless devices, but do not lose any sleep in fear of the vulnerability problem with KRACK”
– Henrik Larsen, DKCERT
https://www.cert.dk/da/klumme/2017-10-27/KRACK
Are you part of a public data leak?
• Use your smartphone to access haveibeenpwned.com
• Enter your email and press “pwned?”
• You will receive a list of the public data leaks in which you appear. Nice – isn’t it?
• This is just public data leaks…
From Apple to apple juice

A historical picture of Windows and Apple
Hackers spend more time finding security holes in Apple products after their market share has increased
– seen from an IT security point of view
Virus + Mac OS X = Yes, it can happen
Malware can control the computer over the internet, and can start the webcam, monitor, mouse and keyboard and install more evil programs. The malware was discovered by Malwarebytes and is called FruitFly.
Apple bug bounty program
http://thehackernews.com/2016/08/apple-bug-bounty-program.html
Find security holes in Apple software and get paid.
The free market pays more than Apple
• Zerodium offers $1.5 Million for iOS Zero-Day Exploits
• This is more than 7 times what Apple pays
• Zerodium has already paid 1 million $ for the first 3 iOS 9 vulnerabilities to hacker groups
Remember to update
http://thehackernews.com/2017/05/apple-security-patches.html
Let’s wrap it up!

Security is about safeguarding your secrets and what you treasure the most
Maybe it’s your internet search history, or your intellectual property
Don’t build a wall; use security in depth
Strategy: Discover threats inside your network with security in depth.
Strategy: Build a fence and expect to keep threats out using a good firewall with blinking lights.
Wrap it up – Enterprise security in depth
https://twitter.com/GaryDower/status/912869424650211331
Wrap it up – Home security, a good start
Layers, outside in: Perimeter Security → Network Security → Endpoint Security → Application Security → Data Security → Your crown jewels
• Drive encryption: e.g. BitLocker or FileVault
• Update the computer: built-in feature
• Update your applications: e.g. Ninite, Heimdal or Personal Software Inspector
• Endpoint Security: virus protection, Intrusion Prevention System and Firewall
• Secure DNS: DNS translates IP addresses to domains, e.g. 31.13.72.36 -> facebook.com. E.g. Cisco Umbrella
• Update your wireless router: your router needs to be updated as well.
• Wireless router: WPA2 encrypted network with a looong password
• Wireless router firewall: block connections from the internet
• Use different passwords and 2-step login: use a password manager, e.g. KeePass or Master Password
The weakest link is our fingertips
Think before you click, type or tap