Recent events are changing the topography of the
threat model and attack methodologies across the board and at record speeds –
to say that the impact of the past few weeks in information security news has
been small would be a complete understatement.
The Shadow Brokers releasing full-blown government hack
frameworks, VAULT 7 releases, and
other nefarious deeds, have elevated even the lowliest of script kiddies into
valid threats to enterprise-level businesses.
If you do not believe this, please place your head
back in the sand. Record numbers of breaches of entire networks and payment systems are becoming more the de-facto computer event
to investigate instead of small-scale user-based infections that used to plague
businesses.
It is time to up your game plan to the real world:
an ongoing battle against malicious actors targeting you, your business, your
home, your electronics and potentially every communication device that you own
that is capable of networking.
When Windows 2008 R2 systems can be fully
compromised in less than 120 seconds, it is time to get serious, fast. Here are
a few things you can do to get back in the game and get your network security
up to 21st century
standards.
RDP: Remote death protocol
Do you like
RDP? Good. So do attackers. Wait? What?! Yes, attackers love your
weakly-defended RDP port as the payoff can be huge. Instead of having to use a
pesky sometimes non-persistent terminal shell, they can just log right in with
a Windows interface or use other tools to execute applications on your server
remotely. The lowest hanging fruit is the abandoned credentials that have way
too much access that you forgot to delete years ago, akin to helpdesk:helpdesk
or other credentials that should never have existed, ever.
It is possible to compromise other, seemingly more
password-protected accounts, especially if the password is derived from an
aspect of your business. In this manner, an attacker could easily generate a
mutation wordlist consisting of a few hundred thousand varied words located on
your informative website to run as administrator against the potentially open
RDP port. As an administrator, you should think about changing the port (not to
3390 but something else) or use RDP over a VPN connection, closing off outside
access to unwanted parties.
Another, and even better idea is to also have a
secondary control mechanism, like 2FA (two-factor authentication) to allow you
to have something that a potential attacker does not: a token or OTP (one time
password).
Microsoft even has the ability to lock out accounts
that try to authenticate more than a certain number of times (instructions can
be located here). Check out this link for more info on RDP attacks.
Windows updates, firmware updates, everything
updates
With the release of various exploits from different
avenues that affect Windows 8, Windows Server 2012 and SMBv3, updating Windows
has become more important than ever. There are more dangerous exploits out in
the wild than members in some IT departments: these are precompiled, awaiting
public consumption.
As mentioned previously, the releasing of the
Shadow Brokers’ decryption key for their cache of allegedly stolen
“government” exploit kits is a very real cause for concern since these
tools are now actually being used in real time against targets. The good news
is that Microsoft has already patched the zero-day vulnerability and
other security issues that created the vulnerabilities.
The question is, how up-to-date are the patches in
your network? Updating is a continuous effort, as new threats arise and must be
addressed and newer security holes are discovered and must be closed.
Sometimes, that includes upgrading your antivirus.
Take CVE-2017-0199, a vulnerability that was recently turned into a
Metasploit module for ease of use. This zero-day exploit has been discovered
dropping Dridex and other malware and can be modified for multiple
payloads.
This exploit started getting attention on April 11,
2017. At the time of writing, ESET was one of only nine vendors detecting attachments with
this exploit payload. Sometimes, in updating your defense mechanisms, you find
that you need to update your antivirus strategy as well.
Sleep better at night, play it safe
The fewer footprints you leave on the open
internet, the better. Close those ports that do not need to be opened for
everyone to query. If your business runs a web application that you can get to
from the open internet, ensure that it is tuned, hardened, and not running
vulnerable code.
The last thing you would want is your entire CRM
(customer relationship management software) or other business communications
platforms compromised, with client or personnel data presented to an attacker
who resides halfway around the world.
Explaining this is a difficult letter to write to
your client base; however, it would not be the first time this has ever
happened and it definitely won’t be the last one as this latest issue regarding
HipChat has proven.
The information security world spins pretty fast.
If you don’t stop and look around once in a while, you could miss it. It worked
for Ferris;
make it work for you.