SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
Big changes in the infosec landscape: Time to take note and take action
Mon, 15th May 2017
FYI, this story is more than a year old

Recent events are changing the topography of the threat model and attack methodologies across the board and at record speeds – to say that the impact of the past few weeks in information security news has been small would be a complete understatement.

The Shadow Brokers releasing full-blown government hack frameworks, VAULT 7 releases, and other nefarious deeds, have elevated even the lowliest of script kiddies into valid threats to enterprise-level businesses.

If you do not believe this, please place your head back in the sand. Record numbers of breaches of entire networks and payment systems are becoming more the de-facto computer event to investigate instead of small-scale user-based infections that used to plague businesses.

It is time to up your game plan to the real world: an ongoing battle against malicious actors targeting you, your business, your home, your electronics and potentially every communication device that you own that is capable of networking.

When Windows 2008 R2 systems can be fully compromised in less than 120 seconds, it is time to get serious, fast. Here are a few things you can do to get back in the game and get your network security up to 21st century standards.

RDP: Remote death protocol

Do you like RDP? Good. So do attackers. Wait? What?! Yes, attackers love your weakly-defended RDP port as the payoff can be huge. Instead of having to use a pesky sometimes non-persistent terminal shell, they can just log right in with a Windows interface or use other tools to execute applications on your server remotely. The lowest hanging fruit is the abandoned credentials that have way too much access that you forgot to delete years ago, akin to helpdesk:helpdesk or other credentials that should never have existed, ever.

It is possible to compromise other, seemingly more password-protected accounts, especially if the password is derived from an aspect of your business. In this manner, an attacker could easily generate a mutation wordlist consisting of a few hundred thousand varied words located on your informative website to run as administrator against the potentially open RDP port. As an administrator, you should think about changing the port (not to 3390 but something else) or use RDP over a VPN connection, closing off outside access to unwanted parties.

Another, and even better idea is to also have a secondary control mechanism, like 2FA (two-factor authentication) to allow you to have something that a potential attacker does not: a token or OTP (one time password).

Microsoft even has the ability to lock out accounts that try to authenticate more than a certain number of times (instructions can be located here). Check out this link for more info on RDP attacks.

Windows updates, firmware updates, everything updates

With the release of various exploits from different avenues that affect Windows 8, Windows Server 2012 and SMBv3, updating Windows has become more important than ever. There are more dangerous exploits out in the wild than members in some IT departments: these are precompiled, awaiting public consumption.

As mentioned previously, the releasing of the Shadow Brokers' decryption key for their cache of allegedly stolen “government” exploit kits is a very real cause for concern since these tools are now actually being used in real time against targets. The good news is that Microsoft has already patched the zero-day vulnerability and other security issues that created the vulnerabilities.

The question is, how up-to-date are the patches in your network? Updating is a continuous effort, as new threats arise and must be addressed and newer security holes are discovered and must be closed. Sometimes, that includes upgrading your antivirus.

Take CVE-2017-0199, a vulnerability that was recently turned into a Metasploit module for ease of use. This zero-day exploit has been discovered dropping Dridex and other malware and can be modified for multiple payloads.

This exploit started getting attention on April 11, 2017. At the time of writing, ESET was one of only nine vendors detecting attachments with this exploit payload. Sometimes, in updating your defense mechanisms, you find that you need to update your antivirus strategy as well.

Sleep better at night, play it safe

The fewer footprints you leave on the open internet, the better. Close those ports that do not need to be opened for everyone to query. If your business runs a web application that you can get to from the open internet, ensure that it is tuned, hardened, and not running vulnerable code.

The last thing you would want is your entire CRM (customer relationship management software) or other business communications platforms compromised, with client or personnel data presented to an attacker who resides halfway around the world.

Explaining this is a difficult letter to write to your client base; however, it would not be the first time this has ever happened and it definitely won't be the last one as this latest issue regarding HipChat has proven.

The information security world spins pretty fast. If you don't stop and look around once in a while, you could miss it. It worked for Ferris; make it work for you.