Thursday, July 11, 2019

Malware Mania! What's a Malware Campaign?

Hi Friends,

Sorry for being a flake, you know work, work, work, blah, blah, blah, busy, busy, etc.  :-)  Today I thought I'd talk about what the difference is between a "malware" and a "malware campaign".  It was a new concept for me and I thought I'd explain it in "Neil Speak".

Okay, set the way-back machine back a number of years when I was a System Administrator.  No I'm not going to say how many years.  :-)

When companies I worked for got hit by malware, it was always a mad scramble to try and contain the little beasties from sleazing their way through our network.  Most of them were probably delivered by email, clicked on and then began their nastiness.  Usually that meant network attached drives to Windows Servers were now flooded with malware and moving their way vertically through the company.

As a Sys Admin, my main concern was finding something to neutralize the threat and get production up and running cause business users don't like it when they can't do their work.  No work usually means no revenue for the company.  So get your behind moving Neil!!

Let's back up a little bit, and focus less on the malware itself and more on the campaign.  A malware campaign is just like any other campaign.  You decide what you're going to do, make a plan and then launch that plan.  In the case of malware, a threat actor(s) decides they're going to launch an attack with a certain type of malware, and HOW they're going to get that malware to you.

Remember my example of running around like a chicken with no head trying to stop the malware from spreading?  Those were most likely malware campaigns, but by the time it got to me it was already an endpoint nightmare.

So what's the differentiation?  Malware is malware, it's the bits and bytes that are going to do the nastiness.  The malware campaign is how it's going to get delivered to you.  Here are some examples:

1.  An email message with the malware right in the email.
The Threat Actor is being pretty bold and just attaching the malware.  If you open it, unfortunately they've got you.  This doesn't seem to be a major delivery method anymore since a lot of anti-malware software will see a .exe, .vbs, etc. and block the file from ever being delivered.

2.  An email message with a link to a website that asks you to download a file once you get there.
Since many anti-malware systems block out questionable files, this seems to be a favorite among threat actors.  The email isn't the malware, the link isn't the malware, the file it downloads MIGHT be the malware, but a lot of times it isn't, it's just another link in the chain, but more on that later.

3.  An email message with a password protected compressed (ZIP) file attached, with the password to the archive included in the email message itself.
The email is not the malware, it's just the method to expose you to the malware.

4.  This one is really nasty.  A specially written email to someone in a company that handles money, from what seems to be a high ranking officer in the same company.  Typically the threat actor builds up trust and then asks for a large sum of money to be sent to a bank account number for a business transaction.
This is what's called Business Email Compromise (BEC).  In this case NO malware is involved at all.

So you see, the campaign is just as important as the malware itself.  Threat Actors are constantly thinking of new ways to send malware and just because they used a link to the malware in Campaign 1, doesn't mean they'll use the same URL or even a URL at all in Campaign 2.

Before you go running for the hills and throw away all of your technology, just remember, Threat Actors are always trying to kick us in the gut and they do a very good job.  As anti-malware companies build better mouse traps, Threat Actors are continually working on better mice.  This means evolving malware campaigns to new and more nefarious methods.  As you saw in number 4, they don't even use malware, it's just a complex game of smoke, mirrors and misdirection.

Remember I said I'd talk more about number 2.  What's really creepy is Threat Actors have created multi-stage malware campaigns.  Here's an example:
1.  You receive an email that looks like it's from your bank.  There's a link that says you need to go to this link or your account will be deactivated.
2.  You go to the link and to the fake site which looks legitimate.  You are requested to download a new version of the end user license agreement (EULA).
3.  You download this file and open it up.
4.  A vulnerability in Microsoft's Equation Editor allows a file to run, and that file is NOT the malware.
5.  This file contacts a Command and Control (C&C) server controlled by the Threat Actor.
6.  The Threat Actor puts EMOTET on your desktop.

Here steps 1-5 are the campaign, not the malware.  Emotet, a banking trojan, is put onto your computer after a number of complex steps.  The wild thing is Threat Actors are now using malware to call OTHER malware.  It's just another way to keep anti-malware software from stopping the malware.

So how do you avoid all of these shenanigans?

Unless you live in a cave with no connection to the outside world you can't, but you can be educated and aware of the new tactics Threat Actors are using.  A few things to keep in mind:

1.  If it looks fake, it probably is.
2.  When in doubt, don't click on any links in email.
3.  Password protected ZIPs are suspicious.
4.  If you receive something and you're concerned, DON'T click on links in the email.  Go directly to the official website and log in there.
5.  If you don't want to go to the website, call the vendor.  They normally will have an 800 number for you to call their customer support.
6.  If someone sends you a file in email, ask yourself some questions.
Do I know this person?
Do they normally send me stuff?
Does it seem suspicious?
Can you contact the person and see if they really did send the email and the attachment?
7.  Does the email contain lots of grammatical and spelling mistakes?
That's a good indicator it might be fake.
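The delivery methods in the numbered list earlier in this post and the questions in the checklist above are things a mail filter can check for too.  Here is an added example (my illustration, not code from the original post, standard library only) of a small Python triage script that parses a raw message and reports three of the campaign patterns: an executable attached directly, a link paired with a request to download something, and a password-protected archive whose password is in the body.  The extension lists, keyword patterns, domains and sample messages are assumptions constructed for the example.

```python
"""Triage heuristics for the campaign delivery methods described in the post.

Added example, not code from the original post.  Everything here is standard
library; the extension lists and keyword patterns are assumptions for the
example, and the sample messages are constructed, not real mail.
"""
import email
import os
import re
from email import policy
from email.message import EmailMessage

# File types a mail gateway commonly blocks outright (illustrative, assumed list).
RISKY_EXTENSIONS = {".exe", ".vbs", ".js", ".scr", ".jar"}
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z"}
DOWNLOAD_WORDS = re.compile(r"\b(download|install|update)\b", re.I)
PASSWORD_WORDS = re.compile(r"\b(password|passcode)\b\s*(is|:)", re.I)
HREF = re.compile(r'href="(https?://[^"]+)"', re.I)


def indicators(raw):
    """Return the campaign indicators found in one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    found, body_parts, archives = [], [], 0
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            ext = os.path.splitext(filename)[1].lower()
            if ext in RISKY_EXTENSIONS:
                found.append("executable attachment: " + filename)
            elif ext in ARCHIVE_EXTENSIONS:
                archives += 1
        elif part.get_content_type() in ("text/plain", "text/html"):
            body_parts.append(part.get_content())
    body = "\n".join(body_parts)
    # Campaign 2: the mail itself is clean; it sends you off to fetch the payload.
    if DOWNLOAD_WORDS.search(body):
        for url in HREF.findall(body):
            found.append("link plus download request: " + url)
    # Campaign 3: an archive the gateway cannot inspect, with the key handed over in the body.
    if archives and PASSWORD_WORDS.search(body):
        found.append("archive attachment with its password in the message body")
    return found


def build_sample(subject, text, html=None, attachment=None):
    """Construct a sample message for the demo (constructed data, not real mail)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = subject
    msg.set_content(text)
    if html:
        msg.add_alternative(html, subtype="html")
    if attachment:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_string()


SAMPLES = {
    "direct_attachment": build_sample(
        "Invoice", "Please see the attached invoice.",
        attachment=("invoice.exe", b"MZ\x90\x00")),
    "link_download": build_sample(
        "Account notice",
        "Your account will be deactivated. Download the new EULA from our site.",
        html='<p>Your account will be deactivated. '
             '<a href="https://bank-login.example.invalid/eula">Download the new EULA</a></p>'),
    "password_zip": build_sample(
        "Statement", "Your statement is attached. The password is 4321.",
        attachment=("statement.zip", b"PK\x03\x04")),
    "benign": build_sample("Lunch", "Still on for Thursday?"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, indicators(raw) or ["no indicators"])
```

Run it directly to see which indicators each constructed sample trips.  Note that campaign 2 is the hard one for any filter: the mail and the link are both clean, so the decision ends up depending on what the download turns out to be, which is exactly why the post says to go to the official site yourself instead of clicking.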

I know it's a pain in the neck, but welcome to the connected world.  It's both glorious and terrifying at the same time.

Be safe out there!
Neil


Tuesday, May 21, 2019

RobinHood - Steal From Everyone and Keep It!

Hi Friends,

Got some news on a new ransomware making a name for itself.  It doesn't appear to spread itself through spam, but researchers aren't really sure how it's spread yet.  The one thing they do know is that it's pushed out to servers using a Domain Controller.  The ransomware is named RobinHood and unlike good Robin of Loxley, this ransomware doesn't take money from rich people and give it to the poor, it just takes money.

RobinHood is ransomware, which means when it's kicked off, it goes to work encrypting your files. Yep, encrypting files is good when you have the key to unlock it, but in this case you can only get the key if you've paid the ransom. 

Think of it like this.  Some guy breaks into your house when you're at work.  He changes all the locks on the doors and when you come home he says, "Hey, I've locked up your house and you can't get in.  All of your things are still in the house and I'll give you the new key only if you give me $5000.  If you don't give me $5000 in a few days, you can come in, but all your stuff will be gone."  That would suck!

Ransomware has been declining due to Bitcoin losing a bunch of its value.  In December of 2017 it was almost up to $20,000 per coin (yes 20,000), but quickly lost value in 2018. (https://en.wikipedia.org/wiki/History_of_bitcoin) The first couple months in 2019 it was around $3500-$4000 per Bitcoin.  That's a heck of a loss!

Ah, but if you've taken a look at the price of Bitcoin lately, it's starting to creep up again.  I checked today's prices and it's almost $8000 a coin, so with the price of cryptocurrency going up, so does the prevalence of ransomware.

One of the first highly publicized instances of RobinHood was when it attacked the city of Greenville in North Carolina in April. (https://www.baltimoresun.com/news/maryland/politics/bs-md-ci-ransomware-attack-20190517-story.html)  According to the article in the Baltimore Sun, 5 weeks after the April attack, the city was still recovering! 

Can you imagine that?  Shutting down a city for over a month!  Now this isn't to say that Greenville was teleported back to the dark ages because their servers were locked-up, but can you imagine the headache that this caused?  Everything is being computerized!

Now shift gears to May and another city is hit by RobinHood.  This time Baltimore in Maryland was hit.  Adding insult to injury, Baltimore was hit last year with malware that took down their 911 system.  So I'm sure the city's IT folks, officials and citizens are less than happy.

Baltimore has decided not to pay the ransom and it is rebuilding its servers as I write this article.

Can you imagine the huge pain in the behind this causes a city?  Now imagine this happening to a hospital!

It's a brave new world folks and things like this are becoming commonplace.  You can't stop threat actors from attacking your city or your hospital (Unless you're a security person working for your city or hospital.), but you can educate yourself. 

If you get a weird email about your accounts being locked or compromised or needing additional information, don't click on anything!  If you're truly concerned, go to the actual company's website and login from there.

Be careful out there!
Neil

Friday, May 3, 2019

Got a Ransomware? Check Here Before Paying!

Hi Friends,

I was reading BleepingComputer this morning and came across an article about ransomware and they talked about a free decrypter made by Emsisoft.  There are FREE decrypters out there?!  How cool is that?!  Sorry if I'm a little late to the party, but that is super awesome!  If you're late to the party too, let me help enlighten you.  :-)

Let me first say, I'm not an employee of Emsisoft nor have I used or tested their decrypters.  Use at your own discretion.

So head on over to https://www.emsisoft.com/ and highlight the Support tab.  You should see Ransomware Decrypter as an option.  Select that and you'll go to the page with all of the decrypters on it.

There are 48 decrypters on the page going back to August of 2013 and they just released a new decrypter yesterday, May 2nd!

Bravo to Emsisoft for trying to help out folks who have unfortunately been infected by ransomware.

I don't wish ransomware on anyone, but if in the unfortunate event you become infected with it, hopefully one of the Emsisoft decrypters can help you without having to pay the ransom.

Neil

Wednesday, April 24, 2019

Watch Out Crime, Cybercrime is Giving You a Run For Your Money!

Holy Cow!!  According to the FBI's Internet Crime Complaint Center (IC3) cybercrime made $2.7 billion (that's billion with a *B*) in 2018.  And that's just from the complaints that they got!  So can you imagine how much money was lost to cybercrime last year?

According to IC3 there were 351,936 complaints of cybercrime last year, leading to the $2.7 billion in losses.  That just boggles my mind.  And you HAVE to know that a lot of people just didn't report when they got attacked. 

How about an example?  :-)   Sextortion has been huge lately and do you think I'm going to call the FBI if some Threat Actor threatened to expose my pornographic tendencies to all my friends?  Yeah that would be awesome, here goes my thought on how the call would go....

"Ugh yeah, is this the FBI?"

"Yes Sir it is, how can we help you?"

"Ummm, yeah, some dude sent me an email and said he broke into my computer and was going to lock up my computer but decided that since I was such a pervert and had horded tons of pornographic material he was going to extort me for a bunch of money or he would contact my wife and all of my friends and tell them I'm a pervert and would release a video of me entertaining myself!"

Yeah, I can see that going REALLY well...  What the heck do you say to something like that if you're the FBI???

But I digress... 

IC3 has been tracking this since May of 2000, so they've got about 19 years of data on this.  From May of 2000 till 2018, 4,415,870 complaints have been reported to the FBI with about 300,000 complaints a year and about 900 per day.  That's a lot of hacking.

Now this is very interesting.  The crimes with the largest losses were business email compromise (BEC), confidence/romance fraud, non-payment/non-delivery and extortion.  So what's BEC you ask?  It's a form of attack where the Threat Actor does a very targeted attack to YOU.  Yep, as creepy as it sounds, Threat Actors do a lot of research on their mark. 

Where does all this information come from?  Think about it, how much information do you have about yourself on LinkedIn, Facebook, Instagram, Twitter, shall I go on?  And I'm not saying unplug, live in a cave and wear furry animal skins.  Just be a little mindful of what you're putting up on the Internet because it's public.  Let that sink in just a little bit before you read on.

BEC is very popular with Threat Actors because targeted attacks make more money.  According to the BleepingComputer article I'm getting this information from (https://www.bleepingcomputer.com/news/security/cybercrimes-total-earnings-skyrocketed-to-27-billion-says-the-fbi/)  BEC made $1.2 billion last year.  So almost half of all the money came from these targeted attacks.

Here's an example.  I'm a threat actor and I find out you're the controller of a company.  Suddenly you get an email from your CEO addressed to you.  It states that he/she is working on an important deal and it's extremely time sensitive.  The email looks legitimate, the names are correct and there's a bank routing number where to transfer the money. 

Do you transfer the money or do you do more research?  If it's real, the CEO might get really pissed if you cause him/her to miss out on this deal.  If it's fake you could end up sending the wrong person a chunk of money.  What to do?

But Neil, it has the correct names on it...  Yep, that's easy to fake.
But Neil, they knew my name...  Yep, that's easy to find.
But Neil, they knew what I did...  Yep, that's easy to find.

So see why it's so successful?  Traditional phishing is usually pretty spammy with misspellings and grammatical mistakes and is easier to spot.  BEC is personal and it should worry you.
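The three "But Neil" objections above all come down to things that are easy to fake or easy to find, so a BEC check has to look at what the sender can't fake as easily: the actual address behind the display name, where replies really go, and whether the sender's domain only looks like yours.  Here is an added example (my illustration, not code from the original post) of those checks in Python.  COMPANY_DOMAIN, EXECUTIVE_NAMES, the keyword lists, the homoglyph substitutions and the sample messages are all assumptions constructed for the example.

```python
"""BEC indicators: look past the names at the address, the Reply-To and the domain.

Added example, not code from the original post.  COMPANY_DOMAIN, EXECUTIVE_NAMES,
the keyword patterns and HOMOGLYPHS are assumptions for the example; the sample
messages are constructed, not real mail.
"""
import re
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.invalid"   # assumed: the organization's real mail domain
EXECUTIVE_NAMES = {"jane doe"}            # assumed: display names worth protecting, lowercased
URGENT = re.compile(r"\b(urgent|time[- ]sensitive|immediately|confidential)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|routing number|account number|iban)\b", re.I)
# Character swaps that make one domain read like another (assumed, short list).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def edit_distance(a, b):
    """Levenshtein distance, used to catch domains that are one character off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain):
    """Lowercase and undo the homoglyph swaps so lookalikes compare equal."""
    domain = domain.lower()
    for fake, real in HOMOGLYPHS:
        domain = domain.replace(fake, real)
    return domain


def is_lookalike(domain, real=COMPANY_DOMAIN):
    """True when domain is not the real domain but reads like it."""
    if domain.lower() == real.lower():
        return False
    a, b = normalize(domain), normalize(real)
    return a == b or edit_distance(a, b) <= 1


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(headers, body):
    """Return the BEC indicators found in one message's headers and body."""
    name, addr = parseaddr(headers.get("From", ""))
    from_domain = domain_of(addr)
    found = []
    # The display name is easy to fake; the domain behind it is what to check.
    if name.lower() in EXECUTIVE_NAMES and from_domain != COMPANY_DOMAIN:
        found.append("executive display name with outside address: " + addr)
    if is_lookalike(from_domain):
        found.append("lookalike sender domain: " + from_domain)
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if reply and domain_of(reply) != from_domain:
        found.append("Reply-To points to a different domain: " + reply)
    if URGENT.search(body) and PAYMENT.search(body):
        found.append("urgent payment request in the body")
    return found


# Constructed messages for the demo.
WIRE_REQUEST = ("I am working on a confidential deal and it is time sensitive. "
                "Please wire the funds today; routing number and account number below.")
SAMPLES = {
    "real_ceo": ({"From": '"Jane Doe" <jane.doe@example-corp.invalid>'}, "Lunch Thursday?"),
    "freemail_ceo": ({"From": '"Jane Doe" <jane.doe.ceo@freemail.invalid>',
                      "Reply-To": "deals@other.invalid"}, WIRE_REQUEST),
    "lookalike_ceo": ({"From": '"Jane Doe" <jane.doe@exarnple-corp.invalid>'}, WIRE_REQUEST),
}

if __name__ == "__main__":
    for label, (headers, body) in SAMPLES.items():
        print(label, bec_indicators(headers, body) or ["no indicators"])
```

The lookalike check is the part worth understanding: "exarnple-corp" is two edits away from "example-corp" by plain edit distance, but once the "rn" is read as "m" it is identical, which is exactly how the eye reads it too.  None of this replaces the post's advice to pick up the phone before moving money.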

Well on that sunny note, I think I'll stop scaring everyone.  :-)  If it seems fishy, it's probably cause it is.  If it seems too good to be true, it's probably cause it is.  Threat Actors do a lot of stuff to hit us in the gut and make us ask "how high" when they say jump.

Be careful out there!
Neil

Tuesday, April 16, 2019

Zero Day Exploits Patched by Microsoft (CVE-2019-0859 & CVE-2019-0803)

Hi Friends,

You know how much I LOVE patches, actually they scare the heck out of me...  Here comes the, "When I was a <fill in the blank>" moment.  Ready?  Let me get my rocking chair.

When I was a system administrator patches were the bane of my existence.  Why?  If it isn't broken, DON'T fix it!!  When you work in a production environment, you don't want anything messing up your up-time.  Business people tend to get very fussy when their production applications aren't available and the last thing I wanted to do was add an unknown into a working system.  Yes I know that's what test environments are for, but remember, test isn't something you want to break either.  Where do you think these business folks do all their testing?

But alas, being in the security industry has given me a new perspective on patches that I've never had.  Now that I know about some of the creepy crawly code running around the Internet, it scares me even more than patches!

Zero day this, malware that, exploit this, it's enough to make me want to unplug my Ethernet cable and never plug it back in.  But that doesn't even work anymore because of wireless.  ;-)  So what does this paranoid technical guy do?  Patch.  I'm not saying run out and patch your production environment immediately without some sort of test, but we can no longer hide our heads in the sand and hope it goes away.

With that said, let's talk about the latest "Patch Tuesday" Microsoft went through.  Microsoft tends to release patch bundles on the second or fourth Tuesday of each month.  It's a practice they started back in 2003.  Unfortunately Patch Tuesday is now followed by Exploit Wednesday.  Yep, just like the rest of us, Threat Actors get to see what Microsoft patched and it's an opportunity to go after vulnerable systems that haven't been patched yet.

Hold onto your socks for this one.  This latest bundle contained patches for 74 vulnerabilities with 15 being classified as critical.  Let's break it down a bit more.  Within that bundle was also a patch for CVE-2019-0859 and CVE-2019-0803.  These two Common Vulnerabilities and Exposures (CVE) entries cover a problem with win32k.sys.  Win32k.sys is a very important file and is critical in the startup of Windows.  No file, no boot.

These vulnerabilities are what's called a Use-After-Free, which is the incorrect usage of dynamic memory during the program's operation.  Basically it's a problem where a program keeps using a chunk of memory after it has already freed it.   Because of this situation, Threat Actors have been seen creating a PowerShell "HTTP Reverse Shell" or a backdoor into a system.

Yep it's as bad as it sounds.  The attacker is able to run code in kernel mode and game over man!  They can then install programs, view, change or delete data or create new accounts with full rights.  And FYI, this isn't for some antiquated OS, this is for Windows 7 and 10.

Believe me, I'm not trying to scare you, just tell you the facts.  But if it does scare you a little, you're starting to understand how I feel.  :-)

There's tons of information about this patch bundle and these two CVEs, but here's a great article from BleepingComputer:
https://www.bleepingcomputer.com/news/security/patched-windows-zero-day-provided-full-control-over-vulnerable-systems/

Be safe out there!
Neil

Tuesday, April 9, 2019

Java Catch-22

Hi Friends,

Today I found myself in a Java "Catch-22" and wanted to let you know how I got past it.  I loaded up a webpage that needed Java to run the utility.  The page told me that only Internet Explorer and Firefox were supported.  If you've read my last blog, I let you know that Windows 7 is going away so I decided to jump on the Windows 10 bandwagon.  I know, about time Neil!

Anywho, I'll just load up Edge cause that's the IE replacement right?  Nope, the page didn't recognize Edge as IE.  Ah crap!  But that's okay, I still have Firefox!  Firefox will work right?  I load the page and I'm told I need to update Java.  No problem, a couple of clicks and Voila!!  Hmmm, still not working...  Maybe a restart of Firefox will work!  Nope...

Okay, okay, time for my buddy Google.

Firefox:
Apparently Firefox version 52 and above have removed the NPAPI plugin support for Java.  So I can't enable the plug-in.  Doh!!!
https://java.com/en/download/help/enable_browser.xml

Edge:
Apparently the Edge browser does not support plug-ins and won't run Java....  UGH!!
https://www.java.com/en/download/faq/win10_faq.xml

So see my predicament...  I tried Chrome for the heck of it, but nope, that didn't work either.  So I looked around a bit and realized that Edge can open a page in IE.  Whaaaaat?!?!?

So I went to the page that needed Java in Edge, then selected the Open with Internet Explorer and it worked!!

I'm not sure how long that will be in Edge or how secure it is, but bravo Microsoft for helping me out of the difficult predicament I was in!

All the best,
Neil

Tuesday, March 19, 2019

Windows 7 & 8 Anti-Malware Software Crashing

Hi Friends,

To follow up from my last blog about the end of life of Microsoft Windows 7, here's some more good news for you!

According to BleepingComputer, Microsoft's Anti-Malware software has been crashing on Windows 7 and 8 machines.

Microsoft users believe the error comes from a buggy definition update that was released on March 18th.  The good news is Microsoft is aware of the error and is coming up with a fix.

So why am I bugging you about something that will probably be fixed by the time you read this?  Just more ammunition to use with your boss, spouse, parents, IT department to remind them Windows 7 is coming to the end of its life....

Windows 10 is the current OS with fixes and learnings from Windows 7 and Windows 8.  As much as I hate to let my good friend Windows 7 go, Windows 10 is the latest and greatest and was released on July 29th of 2015.  Yep, it's been out for almost 4 years.  I KNOW, I was surprised too!! (https://en.wikipedia.org/wiki/Windows_10)


Best,
Neil


Friday, March 8, 2019

Let's Talk About Windows 7

Hi All,

Brain here.  Today I thought I'd talk about Windows 7.  I really like Windows 7.  I was a big fan of it when it came out.  It's stable, looks good and runs well.

For those of you that have read my blog for awhile you know I know Windows.  :-)  When you test VDI you get very close to Windows and learn all about its special behaviors.  Yep, I tested out other flavors of Windows too, but Windows 7 is still my favorite.

When I first started testing Windows 10, I liked it better than Windows 8, but I still have a special place in my heart for Windows 7.  Windows 8 felt like it was developed for tablets and was a bit ahead of its time, hence Windows 10.  10 is a nice compromise between the touch screen affinity of Windows 8 and the mouse controls of Windows 7.  I'm still not a huge fan of 10, but I'm slowly warming to it.

Unfortunately Windows 7 is coming to the end of its life and it feels like a close friend is passing away.  Yes the relationship has been rocky at times and sometimes I just wanted it to go away, but all-in-all I'm really quite sad.  For those of you that don't know, Windows 7 will be coming to the end of its support life on January 14th of 2020.  Now does that mean it'll stop working on that day?  Nah, it'll keep working but you will no longer be getting any updates.  Here's the official Microsoft page on its end of life:
https://www.microsoft.com/en-us/windowsforbusiness/end-of-windows-7-support

I have a funny relationship with patches.  Coming from a system administration background, patches scare me.  But Neil, aren't patches good?  Yes, yes they are.  However, after patching there were always systems that were finicky and didn't want to boot up afterwards.  Yes patching has gotten better since I've been out of system administration, but you can't run away from your past.  :-)

Now that I'm in security, I see patching in a whole new light.  Now patching seems to be something I can't do quick enough!  Security hole here, zero day there, it's enough to make me want to unplug my network cable.  Well, with that bright and cheery view, I've got some bad news for Windows 7 folks.  Google recently patched a zero day exploit in Chrome (https://www.bleepingcomputer.com/news/security/google-chrome-update-patches-zero-day-actively-exploited-in-the-wild/), but it seems they are advising folks to get off Windows 7.

What a bummer.  So my good friend is not only passing away next year, but now I'm being told I really should stop using it.

Apparently even with the patch, Google recommends leaving Windows 7 and going to Windows 10. (https://www.bleepingcomputer.com/news/security/google-advises-upgrade-to-windows-10-to-fix-windows-7-zero-day-bug/)

Let's face it, Windows 7 came out on October 22 of 2009 (https://en.wikipedia.org/wiki/Windows_7) making it almost 10 years old.  I guess all good things come to an end and so must Windows 7.

So if you're running Windows 7, you should start thinking about your migration path.  Does that mean a new computer or an upgrade?  Well, that's up to you, but my suggestion is get it done before support officially ends.  And if you're running Windows XP....  Let's not talk about that.  :-)

So long my friend, you've been a solid performer and you haven't let me down.  I'll miss you.

Brain



Wednesday, February 27, 2019

How About Some Threat Awareness Goodness?

Hi All,

Thanks so much for the positive wishes on my return, I really appreciate it!  Here's something I've been working on lately.  It's called Threaty Bytes and I have a bunch of webinar recordings that I've created that discuss interesting email threats that are floating around the Internet.  I talk about what they are, what they do and hopefully how you can avoid them.  They have the "Neil" flavor and they're only a few minutes so you're sure to laugh and hopefully learn something cool too!

The only catch (of course there's a catch!) is they're gated behind a site.  Yeah yeah yeah, I know you hate signing up for things, so I've got a few episodes you can watch without signing up for anything!  First three are free.  :-)

Okay, first with the un-gated ones.

1.  Go to www.youtube.com
2.  Search for proofpoint
3.  Select the Proofpoint channel
4.  Click on Videos
5.  There's three of my videos you can watch:

https://www.youtube.com/watch?v=o-5MOPFVKzA
https://www.youtube.com/watch?v=9TESEIdzlzc
https://www.youtube.com/watch?v=cBxX74DFiv0

The first link is about a nasty little beasty called AZORult, the second is how threat actors used Hurricane Michael to try and get money out of people and the third is another nasty one called Marap.

I'm not going to tell you any more about them, but hold onto your socks cause they're gonna try and fly off!

Now once you've listened to those episodes and say, "Oh my goodness, I need MORE!" I've got you covered.

1.  Go to www.brighttalk.com
2.  Create an account
3.  Search for threat byte
4.  Behold the plethora of videos for you to watch!

I hope you like the videos, if you don't, let me know how I can make them better!

You know what this calls for?

A FLASH JUMP!


Wednesday, February 13, 2019

Hello World - Part II

OMG! I can't believe it's been over 2 years since my last post.  I'm sorry....  But the Brain is BACK!!!

So what the heck happened to me?  I've been heads down for 2 years learning a new industry folks, that's right Brain is now in security and I'm with a new company!  Storage is my first love, but sometimes you gotta take a leap of faith and see where it takes you.

I'm with Proofpoint now and I've been drinking from the security fire hose.  I have TONS of information I want to share with you and I'll start blogging on a regular basis about all the fun and excitement in the world of security.

The security world is exciting and frightening, so be on the lookout for an all new Brain!

Best!
Neil