Vulnerabilities & Exploits

Should We Pay The Ransom?

Summary
Has your organization been a target of ransomware? Did you pay the ransom? If so, did you get all your data back? Whenever an organization becomes a victim of a ransomware attack, paying the malicious attackers may seem like the only hope, especially for companies that don’t have proper backup procedures in place. Unfortunately, statistics are showing us that paying the ransom guarantees little in return. Here are some key data points collected from a large sample size of mid-sized organizations spread across the globe.

In 2021, 37% of organizations have experienced some type of ransomware attack.
The average costs of remediating against a ransomware attack grew in 2021 to $1.85 million.
The average cost of paying the ransom grew to $170,000.
32% of the organizations affected by a ransomware attacks decided to pay the malicious actors.
ONLY 8% WERE ABLE TO DECRYPT AND RECOVER ALL THEIR DATA AFTER PAYING THE RANSOM!

The last point truly brings reality into check. Paying the ransom rarely pays off. This can be attributed to many factors, but the overwhelming majority of organizations say that they received the ransom key after payment, but were unable to use it in an effective manner. This can be linked to poorly coded malware and IT teams with limited experience.

What Can You Do?
It is extremely important for organizations to take proper precautions to protect themselves against the increasing threat of ransomware.

Perform monthly or quarterly vulnerability scans against your external perimeter and internal networks to stay up to date with the latest vulnerabilities that could give an attacker their initial foothold.
Perform annual penetration testing to protect against advanced techniques that may allow an attacker to pivot once they have a foothold.
Create effective Incident Response policies and procedures.
Conduct tabletop exercises to validate and identify gaps in your Incident Response Plan.
Perform consistent security awareness training with employees to limit the chance of successful social engineering and phishing attacks.
Have proper onsite and offsite backup policies and procedures in place. If you fall victim to ransomware, you may be able to recover from backup, with limited, if any data loss, and not rely on paying a large sum of money for an 8% chance of getting your data back.

When it comes to protecting your organization’s critical data, it’s time to get serious. nGuard is ready and willing to discuss all these preventative solutions with you and your team.

Cyber Criminals Are Pressuring Your Customers

Summary
Over the past few years, cybercriminals have brought more sophisticated ransomware attacks against organizations leading to potentially catastrophic damages. Generally, an attacker gains access to an internal network, performs network reconnaissance, elevates their privileges, and deploys ransomware across the network, which encrypts the data rendering it unusable. The attacker then demands the organization pay a large sum of money for the keys to decrypt the data. This makes it critical for organizations to increase security awareness, perform regular offsite backups of critical systems, have properly configured network monitoring and endpoint protection, and a mature incident response program.

Criminals are now taking their extortion attempts to the next level. Security researchers have noticed a spike in emails sent to end customers of companies that have fallen victim to network breaches. These emails notify customers that their data has been compromised due to a security breach. It asks the customer to reach out and demand that the company pay the cybercriminal’s ransom request in order to prevent their personal data from being leaked online. Here is an example of the type of emails end customers are receiving:

Most security professionals will tell you, if possible, avoid paying the ransom when your company falls victim to data leaks or ransomware attacks. Increased pressure from customers receiving these emails only makes the decision to not pay more difficult. Additionally, these emails notifying customers of a data breach can lead to reputational damage and lost business.

What can be done?
It is important for companies to put an emphasis on security before they fall victim to these types of attacks. Performing regular external penetration testing can prevent attackers from compromising systems and pivoting into the internal network. Additionally, performing internal penetration testing can stop an attacker in their tracks. If an attacker gains a foothold, it will be difficult for them to elevate privileges and compromise critical internal systems allowing the deployment of ransomware. nGuard provides an abundance of tactical and strategic security assessments that will boost the overall security posture of an organization. This will reduce the chances of a successful attack and further minimize the damages that stem from a breach.

Critical Exchange Zero-Day

Summary
This month, Microsoft released security patches for multiple zero-day exploits targeting on-premise Exchange servers. CVE-2021-26855 allows a malicious attacker to bypass authentication and impersonate users. Not only does this vulnerability allow an attacker to compromise email accounts, but the ability to install malware for persistent access or ransomware is also available. Microsoft has labeled this as a critical vulnerability that must be patched immediately.

As of this week, full proof-of-concept exploits are popping up online. This allows the exploit to become more widely exploited by malicious actors with little to no technical expertise. Check out the video below to see just how easy it is to gain a high-privilege shell with the public proof-of-concept code. It is estimated that nearly 80,000 Exchange servers exposed to the internet are still vulnerable to this exploit. If your organization is utilizing Microsoft’s on-premise Exchange service, it is essential that it be patched right away to avoid compromise.

What to do?
Microsoft has released their Exchange On-premises Mitigation Tool (EOMT) to address CVE-2021-26855 which is the most effective way to protect and mitigate exchange servers prior to patching. If you need to check if your exchange servers are vulnerable, use this handy script from Microsoft which is formerly known as the HAFNIUM script. The United States CISA is recommending all organizations use this script to determine if their exchange servers have been compromised. Stay updated with alerts from US-CERT.

Florida Water Treatment Plant Hack

Summary
Earlier this month, hackers successfully carried out an attack against an Oldsmar, Florida water treatment facility, coming awfully close to poisoning the water supply. Attackers were able to access the water treatment plant’s Supervisory Control and Data Acquisition (SCADA) systems remotely and increase the levels of sodium hydroxide that is added to the water from 100 parts per million to 11,100 parts per million. In small doses this chemical is safe to consume. Fortunately, the change was discovered immediately by an employee and they were able to reverse the change, prior to any modifications in the levels of sodium hydroxide.

How did they do it?
The water treatment plant is running Windows 7 operating system on its computers. This is an outdated, unsupported operating system which had not received any updates in over a year. Attackers were able to compromise the computers due to the outdated systems which are affected by multiple known vulnerabilities. This resulted in unauthorized access to the systems. The computers had also been utilizing TeamViewer, a remote access software, to administer the machines as needed and respond to alerts. All the computers on the network that used TeamViewer utilized the same password and allowed anyone from the internet to access these systems. A recent data breach database that was leaked in 2017 contained passwords that matched the domain of ci.oldsmar.fl.us. It is believed the attackers used these passwords to gain access via TeamViewer. Once attackers had gained access via the outdated operating system, they used this software to remotely access the desktop and modify the sodium hydroxide levels.

What to do?
If your organization is hosting critical infrastructure, like SCADA or Cardholder Data Environments (CDE) for PCI, it’s crucial to:

Properly segment these systems from non-critical networks.
Ensure all operating systems in use, across all networks, are supported by the vendor and receiving and applying regular security patches.
Regular testing to check for proper segmentation should be done to validate the security access controls in place are sufficient to limit access to critical infrastructure.
Limit the types of software allowed on your systems.
Eliminate all local administrator accounts to enforce the principle of least privilege.
Have a strong password policy that is strictly enforced for all types of accounts.

nGuard has broad experience helping to secure all types of critical infrastructure organizations, including energy. By leveraging penetration testing, managed security solutions and Cyber Security Incident Response, we can help your organization become secure and meet your compliance goals.

February SolarWinds Update

As security researchers continue to delve into the issues surrounding the SolarWinds breach, additional implications and vulnerabilities are coming to light.

Last week researchers discovered 3 additional SolarWinds vulnerabilities that at worst, allow an attacker to achieve remote code execution with elevated privileges.

CVE-2021-25274 affects the SolarWinds Orion platform through the Microsoft Message Queue. The Collector Service doesn’t set permissions on private queues which may allow an attacker to send specially crafted packets to the service to gain remote code execution.
CVE-2021-25275 also affects the Orion platform and may allow an attacker to gain unauthorized access to the back-end database. This vulnerability would likely allow an attacker to gain administrator privileges for the application which can cause a world of trouble.
CVE-2021-25276 affects the SolarWinds Serv-U FTP server. A directory that contains user’s password hashes is accessible to any Windows User that has access to the server’s filesystem. A malicious user could quickly add a user profile that would give them persistent access to the FTP server.

SolarWinds has since addressed these issues that were responsibly disclosed to them. While these vulnerabilities have not been found to be exploited in the wild and appear to be missing from the supply chain attack that we have been so closely following, it is highly recommended that users of the platform install the latest versions. Users of the SolarWinds Orion platform can find information related to the recent update here. Additionally, organizations utilizing the Serv-U FTP functionality can find a hotfix here (ServU-FTP 15.2.2 Hotfix 1). This is a direct .zip download. nGuard has been responding to many requests for services related to this massive SolarWinds breach. From incident response to preventative penetration testing assessments, nGuard is helping our clients to secure their data and protect their customers.

Tesla Targeted in Ransomware Attack

In the last week of August 2020, the FBI successfully detained and arrested a Russian citizen that was attempting to bribe a Tesla employee into carrying out an internal ransomware attack. The 27-year-old Russian citizen, Egor Igorevich Kriuchkov, was arrested by the FBI in Los Angeles while attempting to leave the United States.

The Tesla employee met with Kriuchkov, who offered the employee $1 million to help deliver and introduce the malware into Tesla’s network. The malware was designed to first, exfiltrate data from the network, then encrypt data in the network. Kriuchkov would use the exfiltrated and encrypted data to demand a ransom payment from Telsa. Fortunately, for Tesla, the employee immediately notified Tesla, who then involved the FBI. The FBI, with the assistance of the Tesla employee, carried out a sting operation to arrest Kriuchkov.

Kriuchkov told the employee they would distract Telsa from the malware attack by simultaneously conducting a denial-of-service (DoS) attack. He described to the employee that he had successfully conducted this attack against another company and neither he nor the assisting employee had been caught. Kriuchkov told the FBI he had successfully negotiated a $4 million payment from another company using the same tactics.

These attacks do not only cost organizations money if they decide to pay, but should companies not pay and do not have proper backups, they can spend an extensive amount of time configuring networks in an attempt to return it to a normal state.

This attack comes as no surprise with ransomware continuing to prove as a valuable attack vector for adversaries. Recent ransomware attacks against Garmin and Carnival are just the tip of the iceberg as attackers continue cashing in big paydays. It is being reported that Garmin paid $10 million to attackers for the keys to decrypt their files. These attacks do not only cost organizations money if they decide to pay, but should companies not pay and do not have proper backups, they can spend an extensive amount of time configuring networks in an attempt to return it to a normal state. The City of Atlanta chose not to pay a $52,000 ransom, but ultimately spent $2.6 million and took months to recover from the attack.

With the continuing rise of these attacks, it’s important to take the necessary steps to secure your networks by conducting proper testing, seeking out consulting, and training your workforce on the latest security best practice. These actionable items will help prevent these types of attacks from occurring via a multitude of attack vectors. nGuard is staffed with certified Security Assessors who are ready to work with you and your organization to help prevent this style of attack. Additionally, nGuard provides detailed Incident Response services should your organization be the unfortunate victim of an attack.