Sunday, May 21, 2017

Massive Cyber Attack

Introduction
            The blog for week 10 is dedicated to the massive cyber attack that affected over 150 countries. On May 12, 2017, the attack began, powered by a leaked NSA exploit. A hacking group calling itself the Shadow Brokers had obtained and published a trove of exploits attributed to the NSA. A ransomware family called WannaCrypt (also known as WannaCry) combined two of the leaked tools, ETERNALBLUE and DOUBLEPULSAR, to break into machines and spread. Below are more details on how this massive cyber attack came about.
Shadow Brokers
            Who are the Shadow Brokers? The Shadow Brokers are a hacking group famous for leaking NSA hacking tools. In August 2016 they released a free sample of the tools and tried to auction off the rest; the auction failed (Gibbs, 2017). In April 2017 the group claimed to have voted for Donald Trump and said they were unhappy with his policies and actions after he became president (Ghosh, 2017). That same month they released a second batch of NSA hacking tools, including ETERNALBLUE and DOUBLEPULSAR. The Shadow Brokers say they have more tools to release, and Edward Snowden says the NSA has more hacking tools in its arsenal. The Shadow Brokers have yet to be identified, and how they obtained the tools has not been established.
ETERNALBLUE
            ETERNALBLUE is the name of one of the exploits stolen from the NSA. ETERNALBLUE abuses Server Message Block (SMB), the Windows network file sharing protocol (Fox-Brewster, 2017). SMB version 1 is old, dating back to the Windows 95 era, and at the time of the attack it was still enabled by default on Windows XP, Vista, 7, 8 and 10. The bug ETERNALBLUE exploits (CVE-2017-0144, fixed by Microsoft's MS17-010 bulletin in March 2017) is a memory-corruption flaw in the kernel-mode SMBv1 server driver. An attacker who can reach TCP port 445 sends specially crafted packets and, without any authentication, gains code execution in the kernel of the victim's computer. The code the attacker then runs could be ransomware, a Trojan, or any other program the attacker wants.
DOUBLEPULSAR
            DOUBLEPULSAR is another tool from the same leak. Strictly speaking it is not an exploit but a backdoor implant: it is installed by an exploit such as ETERNALBLUE and then gives the attacker remote control of the victim's computer, much like a remote access Trojan (RAT). DOUBLEPULSAR also acts as a loader that injects other payloads such as bots or ransomware. It hooks into the SMBv1 service and lives in kernel memory rather than on disk, which helps it avoid file-based antivirus and other detection systems (Arghire, 2017). It does, however, answer a specific SMB probe in a recognisable way, which is how internet-wide scans found large numbers of infected hosts within days of the leak.
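As an added example (not code from the original post or from any of the tools it describes), here is how the scanners that appeared after the leak tell the two cases apart from a single SMB reply. Both checks reuse the same header parser, so one block serves the ETERNALBLUE and DOUBLEPULSAR sections. It assumes the scanner has already done the SMBv1 negotiate, session setup and tree connect to IPC$ (not shown), and the replies below are constructed by hand, not captured traffic: an unpatched host answers the MS17-010 PeekNamedPipe probe with STATUS_INSUFF_SERVER_RESOURCES, and a DOUBLEPULSAR-infected host answers the Trans2 SESSION_SETUP ping with the request's multiplex ID plus 0x10 (0x41 becomes 0x51).

```python
import struct

# NT status and SMB command values are from the SMBv1 (MS-CIFS) specification.
NT_STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205   # an unpatched host answers the MS17-010 probe with this
NT_STATUS_INVALID_HANDLE = 0xC0000008            # one of the answers a patched host gives instead
NT_STATUS_NOT_IMPLEMENTED = 0xC0000002           # normal answer to the DoublePulsar ping
SMB_COM_TRANSACTION = 0x25                       # carries the PeekNamedPipe probe (MS17-010 check)
SMB_COM_TRANSACTION2 = 0x32                      # carries the SESSION_SETUP probe (DoublePulsar ping)
PROBE_MID = 0x41                                 # multiplex id the scanner puts in its request
DOUBLEPULSAR_MID = 0x51                          # the implant echoes the request MID + 0x10

# 32-byte SMBv1 header: magic, command, NT status, flags, flags2, PID high,
# signature, reserved, TID, PID low, UID, MID (all little-endian).
SMB_HEADER = struct.Struct("<4sBIBHH8sHHHHH")


def parse_smb(raw: bytes) -> dict:
    """Parse a NetBIOS session message carrying an SMBv1 header."""
    if len(raw) < 4 + SMB_HEADER.size or raw[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    length = int.from_bytes(raw[1:4], "big")
    smb = raw[4:4 + length]
    fields = SMB_HEADER.unpack(smb[:SMB_HEADER.size])
    if fields[0] != b"\xffSMB":
        raise ValueError("not an SMBv1 message")
    return {"command": fields[1], "status": fields[2], "mid": fields[11]}


def classify(raw: bytes) -> str:
    """Label one probe response; the caller knows which probe it sent."""
    hdr = parse_smb(raw)
    if hdr["command"] == SMB_COM_TRANSACTION2 and hdr["mid"] == DOUBLEPULSAR_MID:
        return "doublepulsar-implant"
    if hdr["command"] == SMB_COM_TRANSACTION and hdr["status"] == NT_STATUS_INSUFF_SERVER_RESOURCES:
        return "unpatched-ms17-010"
    return "no-finding"


def build_response(command: int, status: int, mid: int) -> bytes:
    """Construct a minimal SMBv1 reply (header plus empty parameter and data blocks)."""
    header = SMB_HEADER.pack(b"\xffSMB", command, status, 0x88, 0xC803, 0,
                             b"\x00" * 8, 0, 0, 0, 0, mid)
    body = b"\x00" + b"\x00\x00"          # WordCount = 0, ByteCount = 0
    message = header + body
    return b"\x00" + len(message).to_bytes(3, "big") + message


# Constructed samples, not captured traffic.
UNPATCHED = build_response(SMB_COM_TRANSACTION, NT_STATUS_INSUFF_SERVER_RESOURCES, PROBE_MID)
PATCHED = build_response(SMB_COM_TRANSACTION, NT_STATUS_INVALID_HANDLE, PROBE_MID)
IMPLANTED = build_response(SMB_COM_TRANSACTION2, NT_STATUS_NOT_IMPLEMENTED, DOUBLEPULSAR_MID)
CLEAN = build_response(SMB_COM_TRANSACTION2, NT_STATUS_NOT_IMPLEMENTED, PROBE_MID)

if __name__ == "__main__":
    for name, sample in (("unpatched", UNPATCHED), ("patched", PATCHED),
                         ("implanted", IMPLANTED), ("clean", CLEAN)):
        print(f"{name:10s} -> {classify(sample)}")
```

Offline, the block only classifies the constructed replies; connecting it to a socket on TCP port 445 is the scanning part, and that should only be run against hosts you are authorised to test. Note that the DOUBLEPULSAR check needs the request MID to be known, which is why scanners always send 0x41.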
WannaCrypt
            WannaCrypt (also called WannaCry) is malware in the ransomware family. Ransomware encrypts a person's files and demands money to decrypt them. WannaCrypt raises the ransom after a set amount of time and threatens to delete the files if no payment is received. WannaCrypt uses the ETERNALBLUE exploit to run itself on a victim's machine, with no user interaction needed. Because it is also a computer worm, it uses the same exploit to spread across a network within minutes. Once a computer is infected, WannaCrypt scans the local network and random hosts on the internet on TCP port 445 to spread itself further (Kumar, 2017).
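The spreading behaviour described above leaves a plain signature in network logs: one internal host opening connections to many distinct addresses on TCP port 445 in a short time, including addresses outside the organisation. As an added example (not code from the original post or from the malware), the detector below runs over constructed connection-log lines in an invented "timestamp source destination port" format; the organisation's own address range is assumed to be 10.0.0.0/8, and both the format and the thresholds would need adapting to real firewall or NetFlow data.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# The organisation's own address space is assumed to be 10.0.0.0/8.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]


def parse_line(line: str) -> dict:
    """'<iso timestamp> <src> <dst> <dport>' -> event dict (constructed log format)."""
    ts, src, dst, dport = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst, "dport": int(dport)}


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def scanning_sources(log_text: str, window: timedelta = timedelta(seconds=60),
                     min_targets: int = 20) -> dict:
    """Return sources whose distinct TCP/445 destinations inside any sliding `window` reach `min_targets`."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["dport"] == 445:
            by_src[ev["src"]].append((ev["ts"], ev["dst"]))

    findings = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()          # dst -> connections currently inside the window
        left, peak = 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[left][0] > window:   # expire events that fell out of the window
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            findings[src] = {
                "peak_distinct_targets": peak,
                "external_targets": sorted({d for _, d in events if not is_internal(d)}),
                "first_seen": events[0][0].isoformat(),
            }
    return findings


def _constructed_log() -> str:
    """Constructed sample: one worm-like host and one ordinary workstation."""
    t0 = datetime(2017, 5, 12, 10, 0, 0)

    def stamp(seconds: int) -> str:
        return (t0 + timedelta(seconds=seconds)).isoformat()

    lines = []
    # infected host sweeps its own /24 on 445, then tries addresses outside the organisation
    for i in range(1, 31):
        lines.append(f"{stamp(i // 4)} 10.0.5.17 10.0.5.{i} 445")
    for i, ext in enumerate(("203.0.113.40", "198.51.100.7")):
        lines.append(f"{stamp(9 + i)} 10.0.5.17 {ext} 445")
    # ordinary workstation: two file servers on 445 plus some web traffic
    for i in range(5):
        lines.append(f"{stamp(i)} 10.0.5.22 10.0.7.{i % 2 + 1} 445")
        lines.append(f"{stamp(i)} 10.0.5.22 10.0.7.9 443")
    return "\n".join(lines)


CONSTRUCTED_LOG = _constructed_log()

if __name__ == "__main__":
    for src, info in scanning_sources(CONSTRUCTED_LOG).items():
        print(src, info)
```

The threshold of 20 distinct SMB targets in a minute is well above what a workstation does normally but far below what a worm that sweeps a /24 produces; the "external_targets" list is the part worth escalating first, since an internal host reaching out to random internet addresses on port 445 has no legitimate reason to do so.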
Conclusion
            Microsoft needs to stop shipping old protocols in new versions of Windows for the sake of backward compatibility. As ETERNALBLUE showed, the exploited flaw was in a service more than 20 years old. Had SMBv1 not been enabled by default, the impact of this attack could have been greatly reduced. People were surprised by the leak of the NSA hacking tools, but finding a flaw in 20-year-old software is not the hard part. WannaCrypt hit systems that had not been patched with MS17-010, which Microsoft released in March 2017 for the supported versions of Windows (Vista, 7, 8.1, 10 and the corresponding Server releases); after the outbreak Microsoft also issued an emergency patch for the unsupported Windows XP, Windows 8 and Windows Server 2003. Legacy systems may still need SMBv1, but old protocols should not be enabled on new operating systems by default. Installing the patch closes the entry point, but it is no proof that a machine was not already compromised, and it says nothing about other exploits that have not been released yet. It is advisable to disable old protocols wherever they are not being used, especially since the Shadow Brokers could release more NSA exploits.
References
Gibbs, S. (2017, May 18). Shadow Brokers Threaten To Unleash More Hacking Tools. Retrieved May 21, 2017, from http://www.cio-today.com/article/index.php?story_id=103003JXPSMS
Ghosh, A. (2017, April 09). 'President Trump what the f**k are you doing' say Shadow Brokers and dump more NSA hacking tools. Retrieved May 21, 2017, from http://www.ibtimes.co.uk/president-trump-what-fk-are-you-doing-say-shadow-brokers-dump-more-nsa-hacking-tools-1616141
Fox-Brewster, T. (2017, May 15). An NSA Cyber Weapon Might Be Behind A Massive Global Ransomware Outbreak. Retrieved May 21, 2017, from https://www.forbes.com/sites/thomasbrewster/2017/05/12/nsa-exploit-used-by-wannacry-ransomware-in-global-explosion/#3dcc7128e599
Arghire, I. (2017, April 24). Hackers Are Using NSA's DoublePulsar Backdoor in Attacks. Retrieved May 21, 2017, from http://www.securityweek.com/hackers-are-using-nsas-doublepulsar-backdoor-attacks

Kumar, M. (2017, May 15). WannaCry Ransomware: Everything You Need To Know Immediately. Retrieved May 21, 2017, from http://thehackernews.com/2017/05/how-to-wannacry-ransomware.html

Sunday, May 14, 2017

Microsoft Anti-virus and Healthcare Vulnerability

Introduction
In week 9 there was no shortage of security news. A healthcare organization had a vulnerability that let anyone with an account look at other patients' records, which is quite serious. Microsoft had a remote code execution vulnerability in its malware scanner that would allow an attacker to take control of a machine remotely. There were several other stories, but these are the two I chose to write on.
True Health Vulnerability
True Health Diagnostics (https://truehealthdiag.com/) had a major vulnerability discovered by a patient. The vulnerability was in their patient portal at https://my.truehealthdiag.com/customlogin.htm. The patient was Troy Mursch, an IT consultant who lives in Las Vegas (Krebs, 2017). Mursch found the vulnerability when he was looking at the PDF of his blood test and noticed that the link True Health Diagnostics had generated could be edited. By editing the link he was able to access other patients' tests and records: the portal served whatever record the link named and never checked that the logged-in patient actually owned it, a classic insecure direct object reference. Once Mursch found the vulnerability he called and alerted True Health Diagnostics to the flaw. True Health shut down its website until it had found and fixed the problem.
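The flaw described above, reduced to its essentials, as an added example that is not True Health's code (the blog does not say which part of the link Mursch edited, so a sequential numeric record number is assumed): the vulnerable lookup trusts the identifier in the link, the hardened one authorises against the logged-in session and, as a second layer, hands out unguessable download tokens instead of raw record numbers.

```python
import secrets

# Constructed sample data: record id -> (owning patient, report text)
REPORTS = {
    1001: ("patient_a", "lipid panel, patient A"),
    1002: ("patient_b", "lipid panel, patient B"),
}


class Forbidden(Exception):
    """Raised when the logged-in patient does not own the requested record."""


def fetch_report_vulnerable(report_id: int) -> str:
    """The flaw: the record number in the link is the only thing consulted,
    so any logged-in user who changes the number gets someone else's report."""
    return REPORTS[report_id][1]


def fetch_report_secure(session_user: str, report_id: int) -> str:
    """The fix: authorise against the session, not against the link."""
    owner, body = REPORTS[report_id]
    if owner != session_user:
        raise Forbidden(f"{session_user} does not own record {report_id}")
    return body


def can_access(session_user: str, report_id: int) -> bool:
    """Boolean view of fetch_report_secure; unknown records are treated like foreign ones."""
    try:
        fetch_report_secure(session_user, report_id)
        return True
    except (Forbidden, KeyError):
        return False


# Second layer: per-user random download tokens instead of enumerable record numbers.
# Ownership is still checked on redemption; randomness alone is not authorisation.
_LINK_TOKENS = {}   # token -> (user it was issued to, record id)


def issue_download_link(session_user: str, report_id: int) -> str:
    fetch_report_secure(session_user, report_id)   # refuse to mint a link the user may not use
    token = secrets.token_urlsafe(32)
    _LINK_TOKENS[token] = (session_user, report_id)
    return f"/reports/download?token={token}"


def redeem_download_link(session_user: str, link: str) -> str:
    token = link.split("token=", 1)[1]
    try:
        issued_to, report_id = _LINK_TOKENS[token]
    except KeyError:
        raise Forbidden("unknown or expired token") from None
    if issued_to != session_user:
        raise Forbidden("token was issued to a different patient")
    return fetch_report_secure(session_user, report_id)


if __name__ == "__main__":
    print("vulnerable, patient A asks for 1002:", fetch_report_vulnerable(1002))
    print("secure, patient A may read 1002:", can_access("patient_a", 1002))
    link = issue_download_link("patient_b", 1002)
    print("patient B redeems own link:", redeem_download_link("patient_b", link))
```

The ownership check is the actual fix; the random tokens only stop enumeration and would be pointless on their own, since a leaked or shared link must still fail for anyone other than the patient it was issued to.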

At this point, there is no knowledge of how long the vulnerability existed. This means patients or an attacker could have been stealing data for several years. True Health Diagnostics needs to hire a forensic company to come in and do an investigation. This is the only way to know whether there was unauthorized access to patients' records. If they don't hire a forensic investigator, then I don't think they are being ethical. I like the way True Health Diagnostics responded to the vulnerability by shutting off their site. This is the first time I have heard of this, and it is truly a bold and interesting move. Most companies would say they will investigate an issue and either fix it or not while keeping their website up.

Microsoft Remote Code Execution
It was discovered that the malware scanning engine shared by Microsoft's anti-malware products has a remote code execution vulnerability (CVE-2017-0290). Google Project Zero found the bug. Per The Hacker News, the affected software includes Windows Defender, Windows Intune Endpoint Protection, Microsoft Security Essentials, Microsoft System Center Endpoint Protection, Microsoft Forefront Security for SharePoint, Microsoft Endpoint Protection and Microsoft Forefront Endpoint Protection (Kumar, 2017). Project Zero found that if any of these products scanned a specially crafted file, an attacker could take full control of the computer. The file can reach the computer through a phishing email or a download. One of the important details is that the attack works over email without the user reading or even opening the message (Mix, 2017). Because Microsoft's anti-virus products scan in real time, the exploit triggers as soon as the file is created, opened, downloaded or moved (Kumar, 2017). Microsoft released a fix for Windows 7, 8, 10 and RT in only 3 days, delivered as an update to the scanning engine itself rather than as an operating-system patch.

The remote code execution in this instance needs a specially crafted file for the exploit to work, but once one attacker builds such a file, others can reuse it to spread malware. This "loophole" lets an attacker install new programs such as a Trojan or change permissions, because the scanning engine runs with SYSTEM privileges, the Windows equivalent of root. It was good to see Microsoft patch this vulnerability so quickly, because it usually takes longer than 3 days. The scary part of this exploit is that the file doesn't even need to be run to infect the computer; the Microsoft anti-virus program only has to scan it. Vulnerabilities like this make an attacker's job easy because they don't require tricking a user into installing anything.
References
Krebs, Brian. "Krebs on Security." Brian Krebs. May 8, 2017. Accessed May 14, 2017. https://krebsonsecurity.com/2017/05/website-flaw-let-true-health-diagnostics-users-view-all-medical-records/.
Kumar, Mohit. "Microsoft Issues Emergency Patch For Critical RCE in Windows Malware Scanner." The Hacker News. May 09, 2017. Accessed May 14, 2017. http://thehackernews.com/2017/05/windows-defender-rce-flaw.html.
Mix. "Microsoft issues fix for critical exploit in Windows Defender found by Google." The Next Web. Accessed May 14, 2017. https://thenextweb.com/microsoft/2017/05/09/microsoft-google-windows-vulnerability/?amp=1

Saturday, May 6, 2017

Google Phishing Attack Plus Data Breach

Introduction
For week 8 there has been no shortage of news articles to pick from. I will be covering another data breach at a large company and a large phishing attempt. Companies seem to be giving fewer and fewer details about data breaches, so I have found I need to write about other topics as well.
Google Phishing Attack
With all the news about the "Great Google Phishing Email" I figured I would talk about it in my blog. It was a simple phishing attempt that many people fell for, even security professionals. The email simply said "(Person's name) has invited you to view the following document" with a button to open the link in Google Docs. Below is a screenshot of the phishing message.


If a user clicked the "Open in Docs" link, a genuine Google account-permission screen appeared, asking the user to allow an application calling itself "Google Docs" to read, send, delete and manage their email and to manage their contacts (Khandelwal, 2017).

If the user clicked Allow, the attackers received an OAuth access token for the user's mailbox, which gave them full control of it without ever learning the password. Once they controlled a mailbox, the attackers used it to send the phishing email on to the victim's contacts. Because the permission is granted to the application directly through Google's own consent page, two-factor authentication does not stop the takeover: no password or second factor is ever typed into an attacker's site. Per Google, fewer than 0.1 percent of Gmail users were affected, which is still about 1 million people (Khandelwal, 2017). Google has since revoked the fake application and blocked the phishing email.
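What the consent screen actually grants is visible in the authorization URL that leads to it. As an added example (not Google's code or the attacker's), the block below parses such a URL and flags the dangerous parts: full-mailbox and contacts scopes, and an access token being delivered to a redirect host nobody in the organisation recognises. The scope strings are Google's documented ones; the sample URLs are constructed with placeholder client IDs and hosts, not the values used in the real attack.

```python
from urllib.parse import urlparse, parse_qs, urlencode

# Google's documented scope strings; the plain-language descriptions are this example's own.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "read, send, delete and manage all of your email",
    "https://www.googleapis.com/auth/gmail.modify": "read, modify and send email",
    "https://www.googleapis.com/auth/contacts": "see, edit and delete your contacts",
}


def is_consent_request(url: str) -> bool:
    """True for Google's OAuth authorization endpoint; a real Docs share link is not one."""
    u = urlparse(url)
    return u.hostname == "accounts.google.com" and u.path.startswith("/o/oauth2")


def assess_consent_request(url: str, trusted_redirect_hosts=frozenset()) -> dict:
    """Summarise what an OAuth authorization URL asks for and flag the dangerous parts."""
    if not is_consent_request(url):
        raise ValueError("not a Google OAuth authorization URL")
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    scopes = params.get("scope", "").split()
    redirect_host = urlparse(params.get("redirect_uri", "")).hostname or ""
    warnings = []
    for scope in scopes:
        if scope in HIGH_RISK_SCOPES:
            warnings.append(f"would let the app {HIGH_RISK_SCOPES[scope]} ({scope})")
    if redirect_host and redirect_host not in trusted_redirect_hosts:
        warnings.append(f"the access token would be delivered to a third-party host: {redirect_host}")
    return {"client_id": params.get("client_id", ""), "scopes": scopes,
            "redirect_host": redirect_host, "warnings": warnings}


def _build(client_id: str, redirect_uri: str, scopes) -> str:
    """Construct a sample authorization URL (placeholder values, not real ones)."""
    return "https://accounts.google.com/o/oauth2/v2/auth?" + urlencode({
        "client_id": client_id, "redirect_uri": redirect_uri,
        "response_type": "code", "scope": " ".join(scopes), "state": "xyz"})


# Constructed samples: an app named like Google Docs asking for the mailbox, and a benign sign-in.
ATTACK_URL = _build("000000000000-example.apps.googleusercontent.com",
                    "https://docs.example-phish.test/oauth/callback",
                    ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"])
BENIGN_URL = _build("111111111111-example.apps.googleusercontent.com",
                    "https://app.example.test/cb", ["openid", "email"])

if __name__ == "__main__":
    for warning in assess_consent_request(ATTACK_URL)["warnings"]:
        print("WARNING:", warning)
    print("benign:", assess_consent_request(BENIGN_URL, {"app.example.test"})["warnings"])
```

The useful lesson for users is in the first warning: a document share never needs the ability to read and send your mail, so any consent screen that asks for it is the phish, regardless of how real the sender looked. For an organisation, the same check belongs in a review of which third-party apps already hold mail scopes on its accounts.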
Even Google can be used as the vehicle for a phishing attack, so it is best to be on alert when opening documents sent by contacts. That security professionals were fooled shows that these attacks can be complex. Phishing attacks are thought to be easy to spot, but that is not always the case. Even simple attacks are missed because people don't always read the entire email, which can lead to trouble. Google already does an excellent job of blocking most phishing emails, but if you use another email client, be aware and always read the email in full. Another good tip is to look at the sender's address and, if it is not recognizable, not to click on any links. In this case, though, the email came from a real contact whose account had already been taken over, so the more reliable check is the permission screen itself: a genuine Google Docs share never asks you to grant an application access to your mailbox.
SynXis Data Breach
Sabre Corp has had a breach of its software-as-a-service application SynXis. The application comes from Sabre's hospitality unit, Sabre Hospitality. SynXis is a central reservation system that hotels use to keep track of inventory and rate information. Per sabrehospitality.com, over 120 property management, 2 revenue management and 7 CRM organizations use the software (http://www.sabrehospitality.com/solutions/hotel-central-reservation-systems). The hackers gained access to the SynXis application, but there is no information yet on what data they got hold of or how they got into the system. Sabre says the unauthorized access has been terminated, that it notified law enforcement and that the security firm Mandiant is investigating the breach (Krebs, 2017). This breach is thought to be linked to the run of hotel breaches over the last several months. The SynXis login requires only a username and password, so the breach may be the result of a credential stuffing attack using usernames and passwords stolen from other sites.
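Credential stuffing of a password-only login like the one described above has a recognisable shape in authentication logs: one source address trying many different usernames with a low success rate, and the few successes are the accounts that were actually compromised. As an added example (not Sabre's code or anything from SynXis), the detector below runs over constructed log lines in an invented "timestamp ip username result" format; the thresholds are assumptions to be tuned against real traffic.

```python
from collections import defaultdict


def parse_auth_line(line: str) -> dict:
    """'<timestamp> <ip> <username> <SUCCESS|FAIL>' -> event dict (constructed format)."""
    ts, ip, user, result = line.split()
    return {"ts": ts, "ip": ip, "user": user, "ok": result == "SUCCESS"}


def detect_credential_stuffing(log_text: str, min_distinct_users: int = 10,
                               max_success_ratio: float = 0.2) -> dict:
    """Flag source IPs that try many distinct accounts with mostly failed logins.

    A busy office NAT also shows many users, but its success ratio is high, which
    is why both conditions are required."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "successes": 0, "logged_in_as": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_auth_line(line)
        s = per_ip[ev["ip"]]
        s["users"].add(ev["user"])
        s["attempts"] += 1
        if ev["ok"]:
            s["successes"] += 1
            s["logged_in_as"].add(ev["user"])

    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["successes"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and ratio <= max_success_ratio:
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "attempts": s["attempts"],
                "success_ratio": round(ratio, 3),
                "accounts_to_reset": sorted(s["logged_in_as"]),   # stuffed credentials that worked
            }
    return flagged


def _constructed_log() -> str:
    """Constructed sample: one stuffing source, one fat-fingered user, one office NAT."""
    lines = []
    # attacker replays 40 leaked username/password pairs; two of them still work
    for i in range(1, 41):
        result = "SUCCESS" if i in (7, 31) else "FAIL"
        lines.append(f"2017-05-02T08:00:{i % 60:02d} 198.51.100.23 user{i:02d} {result}")
    # legitimate user mistypes twice, then gets in
    lines += ["2017-05-02T08:01:00 10.1.2.3 frontdesk FAIL",
              "2017-05-02T08:01:05 10.1.2.3 frontdesk FAIL",
              "2017-05-02T08:01:09 10.1.2.3 frontdesk SUCCESS"]
    # office NAT: a dozen different staff log in, all successfully
    for i in range(12):
        lines.append(f"2017-05-02T08:02:{i:02d} 192.0.2.8 staff{i:02d} SUCCESS")
    return "\n".join(lines)


CONSTRUCTED_AUTH_LOG = _constructed_log()

if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(CONSTRUCTED_AUTH_LOG).items():
        print(ip, info)
```

The "accounts_to_reset" list is the operationally important output: those are the users whose reused passwords were valid, so they need a forced reset and a look at what the session did. The attack in the sample would have failed entirely had a second factor been required after the password.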

Sabre is a large organization with annual revenue of over 3 billion dollars, and it seems it has not invested enough in security. The SynXis system does not have two-factor authentication, which could have prevented the hackers from logging into the system with stolen credentials. Sabre had cyber security insurance, but without more details it's hard to say whether the insurance will cover the breach. Cyber security insurance is new, but it is like insuring a house or a car. For some companies it may be cheaper to buy cyber security insurance than to hire a whole security team. Without more information about how the breach occurred, it is hard to say what could have been done to prevent it. Hotel companies seem to have lax security practices, which seems to be why hackers target them for credit and debit card information. When more information surfaces about the breach I will write a follow-up entry.
References
Khandelwal, Swati. "Warning! Don't Click that Google Docs Link You Just Received in Your Email." The Hacker News. N.p., 03 May 2017. Web. 06 May 2017. <http://thehackernews.com/2017/05/google-docs-phishing-email.html>.

Krebs, Brian. "Krebs on Security." Brian Krebs. N.p., 2 May 2017. Web. 06 May 2017. <https://krebsonsecurity.com/2017/05/breach-at-sabre-corp-s-hospitality-unit/>.