IoT Reaper Ransomware

New Ransomware on the loose


New extremely large Botnet is being built – Nicknamed IoTroop or IoT Reaper

Remember Mirai? The worm that preyed on insecure IoT devices. It managed to spread and gain control using quite a simple method to gain entry – reusing the hard-coded or default passwords for IoT devices, which were well known by then – and the spreading was done via the EternalBlue SMB exploit.

Now security researchers at Check Point and NetLab360 claim there is a new botnet being formed (called IoTroop or Reaper). This time the methods used to gain unauthorized entry are more sophisticated: instead of exploiting traditional hard-coded and default passwords or brute-forcing easy passwords, the Reaper malware tries to exploit different known vulnerabilities in IoT and home network devices (more than 12 different popular vendors, including Linksys, Netgear, D-Link, AVTECH and GoAhead, have numerous vulnerabilities already discovered; list and links in the related articles below). The Reaper code constantly evolves: the people behind it seem to add new exploits to the code based on new vulnerabilities being published openly on the Internet.

Another key difference between Mirai and Reaper is that, whereas Mirai was extremely aggressive in scanning and trying to hop between networks and infect other systems (which made it easily detectable by security controls), Reaper is stealthier in the way it spreads and tries to stay under the radar for as long as possible.

The likelihood of a successful exploit is quite high due to the fact that traditional home users do not tend to pay much attention to security and are very likely not to have patched their devices.

All sources claim this new botnet will be much bigger and stronger than Mirai – The NetLab360 researchers are claiming the C2 communication they see confirms more than 20k bots per control server and they have estimated more than 2 million vulnerable devices out there that are ripe for the infection. There is a great possibility the total number of bots can swell quite heavily in the coming weeks.

What is at stake here? How will this botnet be used?

At this stage, it is still very early to predict how this botnet will be used, but most likely DDoS attacks are on the roadmap – the previous, smaller Mirai successfully managed to do a DDoS with more than 1Tbps of traffic (both against Internet infrastructure giant Dyn, which brought down many popular web services, and against French hosting company OVH).

IoT general security problems

The problem with IoT is the inherited lack of security (saying inherited because manufacturers do not take security into account when building the devices) and the ever-growing number of IoT devices being deployed by users who are not savvy in networking or security best practices (changing default passwords, patching, lowering the attack surface). These two large issues, combined with the large number of devices out there (the trend is for more and more IoT devices to be manufactured and connected online), pose quite a large security threat to the Internet community.

Some good news:

Different efforts to secure IoT devices are on the roadmap. US lawmakers are trying to pass legislation forcing IoT hardware manufacturers to start taking security into account and not spill out junky, insecure devices.

Also, some of the creators and botnet administrators of Mirai have now been arrested and are awaiting trial and effective sentences. This clearly shows there will be consequences for all actions related to running a botnet and malicious cyber behavior; this must be a deterrent for any future black-hats out there.

New ransomware on the loose

Remember the WannaCry and Nyetya, aka NotPetya (a variant of Petya), ransomwares? There is a new one around the corner (initial spotting was on the 24th of Oct), again spread predominantly in Eastern Europe (Ukraine, Poland, Bulgaria) and Russia, but also in Japan, Germany, South Korea and the USA. It is a changed version of NotPetya. It usually uses a drive-by download on hacked sites to trick the user into running a fake Flash Player installer. The horizontal spread within the compromised network this time is NOT based on the EternalBlue SMB exploit; instead, Bad Rabbit uses the open tool Mimikatz to try to extract any login credentials on the infected machine and reuse them to spread itself to other devices via legitimate Windows management protocols such as WMI and SMB. It also uses a hard-coded list of the most commonly used passwords to try to brute-force credential access.

Most current antivirus and endpoint protection software will detect Bad Rabbit and there is a known Windows Registry based vaccination that can prevent a machine from getting infected, but Bad Rabbit shows the ransomware trend is still strong and not likely to quiet down anytime soon.

Relevant articles:

https://krebsonsecurity.com/2017/10/reaper-calm-before-the-iot-security-storm/

http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/

https://4cornernetworks.com/nyatya-wiper-malware-disguised-ransomware/

https://4cornernetworks.com/wannacry-crypto-virus-outbreak/

https://securelist.com/bad-rabbit-ransomware/82851/

VPN Crypto Attack

New VPN/crypto attack – DUHK (Don’t Use Hard-coded Keys) attack


We live in interesting times

There is a Chinese proverb/curse saying: May you live in interesting times?

Why is this intended as a curse? Maybe living in interesting times means living in challenging times.

The security environment is so dynamic these days, it is certainly interesting to see how things change all the time, vulnerabilities are found almost every day, exploits are being developed at a whopping pace and even for professionals, just keeping up with it all is very challenging.

In the last two weeks there have been quite a few major security events/discoveries.

It started with the KRACK attack (announced 18th of Oct), which our blog already covered at https://4cornernetworks.com/krackattack-kraken-wi-fi-wpa2/, but there are new things around the corner.

New VPN/crypto attack – DUHK (Don’t Use Hard-coded Keys) attack

With the KRACK attack still going strong, there is a new one that involves breaking cryptography. This one, however, does not take advantage of the control messages in WPA2 to allow sniffing of user data, but exploits weak software implementations of the ANSI X9.31 RNG. Until quite recently the ANSI X9.31 RNG was used to generate cryptographic keys that secure VPN connections and web browsing sessions.

A team of security researchers from the University of Pennsylvania and Johns Hopkins University found a vulnerability that affects devices using the ANSI X9.31 Random Number Generator (RNG) in conjunction with a hard-coded seed key. The DUHK attack allows “attackers to recover secret encryption keys from vulnerable implementations to decrypt and read communications passing over VPN connections or encrypted web sessions”.

The attack has been confirmed to work on Fortinet devices running FortiOS 4.3.0 to FortiOS 4.3.18. The requirements for a device to be vulnerable to DUHK (all of them need to be met) are:

  • It uses the X9.31 random number generator
  • The seed key used by the generator is hard-coded into the implementation
  • The output from the random number generator is directly used to generate cryptographic keys
  • At least some of the random numbers before or after those used to make the keys are transmitted unencrypted. This is typically the case for SSL/TLS and IPsec.

Also, the attacker needs to be able to observe passively the encrypted handshake traffic.
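Why the four conditions above are fatal in combination can be seen in a small model of the generator. The following Go program is an added example, not code from the original post or from the researchers: it implements the X9.31 update rule on AES-128 and shows that anyone who holds the seed key can rebuild the internal state from two outputs seen in the clear. The key, seed, timestamp format and the names `X931`, `RecoverState` and `Demo` are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// Constructed sample key standing in for a seed key compiled into firmware.
var hardCodedKey = []byte("DEMO-FIXED-KEY!!") // 16 bytes

// X931 models the ANSI X9.31 generator: a fixed key K and a secret state V.
type X931 struct {
	blk cipher.Block
	v   [16]byte
}

func NewX931(key []byte, seed [16]byte) *X931 {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return &X931{blk: blk, v: seed}
}

// tsBlock encodes a timestamp as one block (assumed format for this demo).
func tsBlock(ts uint64) (b [16]byte) {
	binary.BigEndian.PutUint64(b[8:], ts)
	return
}

// encXor returns E_K(a xor b).
func encXor(blk cipher.Block, a, b [16]byte) (out [16]byte) {
	var in [16]byte
	for i := range in {
		in[i] = a[i] ^ b[i]
	}
	blk.Encrypt(out[:], in[:])
	return
}

// Next produces one output block for timestamp ts and advances the state.
func (g *X931) Next(ts uint64) [16]byte {
	i := encXor(g.blk, tsBlock(ts), [16]byte{}) // I  = E_K(T)
	r := encXor(g.blk, i, g.v)                  // R  = E_K(I xor V)
	g.v = encXor(g.blk, r, i)                   // V' = E_K(R xor I)
	return r
}

// RecoverState rebuilds the generator state from two consecutive outputs,
// given the key and a rough idea of when they were produced. The second
// output is what confirms a timestamp guess (condition 4 in the list).
func RecoverState(key []byte, r1, r2 [16]byte, tsLo, tsHi, maxStep uint64) (*X931, uint64, bool) {
	g := NewX931(key, [16]byte{})
	for t1 := tsLo; t1 <= tsHi; t1++ {
		i1 := encXor(g.blk, tsBlock(t1), [16]byte{})
		v2 := encXor(g.blk, r1, i1) // state after r1 if t1 is the right guess
		for d := uint64(1); d <= maxStep; d++ {
			i2 := encXor(g.blk, tsBlock(t1+d), [16]byte{})
			if encXor(g.blk, i2, v2) == r2 {
				g.v = encXor(g.blk, r2, i2)
				return g, t1 + d, true
			}
		}
	}
	return nil, 0, false
}

// Demo plays both sides: a device emits two public nonce blocks and then a
// secret block; an observer holding observerKey tries to predict the secret.
func Demo(observerKey []byte) (candidates [][16]byte, secret [16]byte, ok bool) {
	seed := [16]byte{0x5a, 0x13, 0xc7, 0x01, 0x9e, 0x44, 0x2b, 0xf0, 1, 2, 3, 4, 5, 6, 7, 8}
	dev := NewX931(hardCodedKey, seed)
	const t0 = uint64(1508803200000000) // constructed microsecond timestamp
	nonce1 := dev.Next(t0)
	nonce2 := dev.Next(t0 + 3)
	secret = dev.Next(t0 + 5) // used as key material, never transmitted

	g, t2, ok := RecoverState(observerKey, nonce1, nonce2, t0-2000, t0+2000, 8)
	if !ok {
		return nil, secret, false
	}
	for d := uint64(1); d <= 8; d++ {
		c := *g // copy the recovered state for each timestamp guess
		candidates = append(candidates, c.Next(t2+d))
	}
	return candidates, secret, true
}

func main() {
	_, _, ok := Demo(hardCodedKey)
	fmt.Println("observer with the hard-coded key recovers state:", ok)
	_, _, ok = Demo([]byte("some-other-key!!"))
	fmt.Println("observer without the key recovers state:", ok)
}
```

With a per-device secret key the same observer gets nothing, which is why the recommendations that follow are to upgrade or move to a different generator.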

The X9.31 was widely deployed in the past and was even part of the FIPS approved random number generation algorithms set until January 2016. There is a big chance a lot of VPN implementations are still using it.

There is a CVE for this vulnerability: CVE-2016-8492.

Here are the general recommendations:

  1. If you are a Fortinet client, please make sure your FortiOS is not running versions 4.3.0 to 4.3.18, or else upgrade asap.
  2. If you are running any cryptographic software still using the X9.31 generator, reconfigure it to use another random number generator or replace/upgrade the software.
  3. Always stick to the latest security-approved cryptographic algorithms when creating VPNs. Legacy VPNs should be reconfigured to follow the latest practices.

Related articles:

https://4cornernetworks.com/krackattack-kraken-wi-fi-wpa2/

https://duhkattack.com/

KRACKATTACK – the kraken of the Wi-Fi WPA2

Wi-Fi is everywhere, and everything is on Wi-Fi now: phones, tablets, laptops, even home PCs, game consoles, smart devices (IoT), sensors etc. The security of Wi-Fi is imperative, and has been entrusted to the WPA2 protocol. For that protocol, thus far all exploits have been connected to guessing the security key (hence reliant on customers having a weak key), to surrounding technologies (WPS, for example) or to older implementations such as TKIP.

None of them were successful against a strong security-minded implementation.

Until today.

The attack – high-level breakdown of how the attack works and which devices are affected

An extremely interesting paper was released (16th October 2017) by its author, Mathy Vanhoef. This paper would rock the world of Wi-Fi, as it shines light on how to exploit the WPA2 protocol in such a way as to be able to decrypt the user data.

How does the attack work?

The attack does not allow the attacker to join the protected Wi-Fi, nor does it break the encryption key. The attack is focused on the management plane in WPA2, more precisely on the 4-way handshake exchange during the client join. It is achieved by manipulating and replaying handshake messages. By replaying message 3 of the handshake the attacker has the ability to reinstall an already used nonce instead of a fresh key (a replay is allowed by the protocol because messages can be lost due to low signal etc). To guarantee security, an encryption key combination (key+nonce) should be used only once, then different versions of it (different nonce) should be used. Reusing the same key and nonce allows the attacker to derive the keystream, which, combined with knowing a portion of the data that is encrypted and the already encrypted data, is enough to decrypt the rest of the data.
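The key+nonce rule in the paragraph above can be checked with a few lines of Go. This is an added example, not code from the original post or from the KRACK paper: it models only the counter-mode keystream that CCMP builds on (no CBC-MAC, no 802.11 framing), with a constructed key, constructed 16-byte counter blocks standing in for the nonce, and constructed frame contents.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// encryptFrame encrypts one frame with AES in counter mode under key/nonce.
func encryptFrame(key, nonce, plaintext []byte) []byte {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(plaintext))
	cipher.NewCTR(blk, nonce).XORKeyStream(out, plaintext)
	return out
}

// xorBytes XORs a and b up to the length of the shorter slice.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// RecoverWithKnownPlaintext is everything an eavesdropper can compute from
// two ciphertexts and the known content of the first frame. No key is used.
func RecoverWithKnownPlaintext(c1, knownP1, c2 []byte) []byte {
	keystream := xorBytes(c1, knownP1) // valid only if both frames share it
	return xorBytes(c2, keystream)
}

// Demo encrypts a predictable frame and a sensitive frame, either with the
// same nonce (the state after a reinstallation) or with distinct nonces.
func Demo(reuseNonce bool) (recovered, actual []byte) {
	key := []byte("constructed-key!") // 16 bytes, constructed
	nonceA := []byte{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 0, 0, 0, 1}
	nonceB := []byte{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 0, 1, 0, 1}
	if reuseNonce {
		nonceB = nonceA
	}
	known := []byte("GET /index.html HTTP/1.1\r\nHost: example.test\r\n")
	actual = []byte("session=constructed-secret-1234")

	c1 := encryptFrame(key, nonceA, known)
	c2 := encryptFrame(key, nonceB, actual)
	return RecoverWithKnownPlaintext(c1, known, c2), actual
}

func main() {
	got, want := Demo(true)
	fmt.Printf("nonce reused:  recovered=%q match=%v\n", got, bytes.Equal(got, want))
	got, want = Demo(false)
	fmt.Printf("fresh nonce:   match=%v\n", bytes.Equal(got, want))
}
```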

The attacker positions himself/herself in the middle of the handshake between the AP and the client by using a spoofed Wi-Fi SSID with the same name and making the client join that SSID by advising it to switch channels (hence the attack works best if the client has a stronger signal to the attacker than to the legitimate AP). Only when this man-in-the-middle position is established can the attacker manipulate the handshake (as described above) and start decrypting what the user sends.

Who is affected? – Practically every Wi-Fi enabled client, as again this is an attack towards the WPA2 protocol itself which all vendors needed to follow in their implementations, so this is not a scenario when the exploit is possible due to bugs in the code.

Android and Linux are the ones that are easier to compromise, due to the fact that they mostly (41% of the devices out there) use wpa_supplicant version 2.4. With them, the code developers have followed a WPA2 standard advice to delete the nonce after its use, so when the replay of message 3 happens the nonce that is used is comprised only of zeros, making it trivial to decrypt. Further findings from the same author describe the possibility for the attack to work (with a few changes) also against wpa_supplicant 2.6 and iOS and FreeBSD clients. This latest update brings the percentage of vulnerable supplicants to a very high number (as the author states, if you have a phone it is most likely vulnerable).

Impact:

We are sending out massive amounts of sensitive data using Wi-Fi these days. Usernames and passwords are just the start; there is also credit card information, personal IDs, emails, private pictures etc. I guess nobody wants that data to be shared and read by others. Furthermore, the top choice of device for many of these is your smart phone, which in fact is the most vulnerable type of client device (see the Conclusion chapter below).

So, what is next?

Do we go back to WPA or WEP or wait for WPA3?

The answer is no: WPA is also vulnerable and WEP is even less secure. WPA2 can be amended (both as a protocol and as an implementation in software) and will continue to be used. It is recommended that WPA2 with CCMP is used, as TKIP and GCMP are even easier to break and attackers can not only listen to data but also manipulate data, so malware can be injected into the traffic.

How to protect ourselves

Only a software update can mitigate this attack. Keep a close eye on the vendor announcements and patch as soon as they release the security patch for this exploit. Some of the patches may be silently released and installed on your devices, but please make sure you have them.

Actions like changing your PSK password and such do not make any difference (remember, the attack does not reveal this password nor lets the attacker join your network).

Deploy additional levels of encryption that are independent of WPA2, such as SSL/TLS or IPsec. In the example on the krackattack page, they were only able to read the data from the web site after stripping the SSL from it, which in fact is a misconfiguration on the website itself.

Conclusion

The current threat is obviously for the end devices, not the infrastructure devices (APs etc). I expect that Microsoft, Apple and other commercial major OS vendors will react very fast and will silently patch (if they have not done so already). That would be sufficient for laptops and PCs with enabled Wi-Fi. A bigger problem will be for smart phone users, every Android vendor (Samsung, HTC etc) dictates its patching schedules, so I am not expecting a fast reaction from them. Apple runs its own devices so I expect faster reaction.

Having put the spotlight on client devices and not infrastructure, it is mandatory to mention that this new type of attack and the sure-to-come spin-offs from it will lead to new attacks towards infrastructure devices.

Cisco has numerous products that have been found vulnerable and is still investigating many more for that possibility.

Related materials:

https://www.krackattacks.com/

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171016-wpa

Nyetya Wiper Malware

Nyetya – a Wiper Malware disguised as Ransomware


A new malware Nyetya (combination of words from Nye Petya, meaning NOT Petya), also known as Petrwrap and GoldenEye has been spreading globally over the last 24 hours.

This virus is distinct from WannaCry and other initially suspected variants. It has some unique new features which make it harder to detect and defend against, clearly showing that today’s malware landscape is an evolving space. This rapidly changing threat landscape has a number of contributing factors, including leaked tools from government agencies, more advanced security controls that require more advanced malware (the cat and mouse game), or simply attackers who are more determined and more capable.

Other popular researchers (links below) say Nyetya is more of a nation (state) attack towards a specific country (Ukraine) that is disguised as ransomware so its true nature would remain hidden in the shadow of recent WannaCry ransomware.

Some Characteristics of Nyetya and why it is different

  1. Recent research showed that Nyetya, despite its major resemblance to the Petya ransomware, in fact does not keep a copy of the encrypted MFT (Master File Table) and MBR (Master Boot Record) that it replaces with the ransom note. That means that even if the user gets the decryption keys, there is nothing to decrypt. This behavior resembles a specific type of malware called wiper malware. All machines that are infected cannot be recovered. Also, the email address for contacting the attackers is now disabled, so there is no possibility of getting the decryption keys. Obviously, the attackers did not intend to milk the ransom and get rich from their efforts.
  2. It encrypts the master boot record, which makes the whole system unusable and causes more damage. Previous crypto viruses (ransomware) were encrypting specific file extensions.
  3. It does not use a common attack vector from the Internet

It does not infect by scanning ports for vulnerable services, nor does it use phishing (mails with crafted content containing covert malware links), file attachments or web sites that host malicious content. Instead, the initial way in was via an update to a popular accounting software in Ukraine (called MeDoc). The software was tricked into auto-updating with a malicious file (Perfc.dat). Once it is inside, it uses the EternalBlue (SMBv1) exploit to spread (same as WannaCry), but also two other administrative tools (PsExec and WMI), which in general are valid and legitimate tools used inside a network. The use of these tools would not raise any alarms on network security controls. The malware is capable of stealing the current user’s token and using it to distribute itself to other devices via PsExec (it is still unclear how it is able to steal the token), or of stealing the current user’s credentials and using them via WMI.

  4. No external Internet scans

There is no evidence of external scans (from the Internet) in order to locate unpatched SMB services. The only scans that the virus conducts are horizontal, once it is inside the protected network. That makes the virus very hard to detect, as most organisations do not have visibility within their network for such activity.

  5. No Command and Control functionality

The virus does not use C&C, so reputation-based security controls cannot detect it. IP address/domain reputation is widely used to detect zero-day attacks and to monitor the spread of a virus. That does not seem to be feasible protection against Nyetya.

  6. Special attention has been paid to cleaning up any remaining data and logs

All of these unique characteristics point to the fact that cyber criminals have changed their tactics (after the failure of WannaCry due to the incidental but timely discovery of the killswitch) and want the malware spread to be as stealthy as possible.

Protecting yourself from the attack

A short summary of the techniques necessary to protect against the attack is listed below. These cannot be undertaken in isolation, and it is assumed that good security practices are already in place, such as a disaster recovery strategy as well as security controls such as anti-malware.

  1. Patch your systems (MS17-010 should be applied), close off any SMBv1 services (disable)
  2. Do not use admin/elevated privileged accounts for normal users
  3. Monitor your network and endpoints for PsExec and WMI communication and try to establish whether that is valid communication (this could be based on which one the administrators use and also the time of the day)
  4. Monitor your internal network segments using an IDS/IPS
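One way to apply recommendation 3 is to baseline where and when administrators really use PsExec and WMI and alert on everything else. The Go program below is an added example, not part of the original post: the log lines are constructed, in a simplified key=value form that a collector might produce, and the names `Policy`, `Alert` and `Detect` are hypothetical. It relies on two well-known traces: PsExec installs a service named PSEXESVC on the target (service-install event 7045), and processes started remotely over WMI run as children of WmiPrvSE.exe.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Constructed sample events, normalised to key=value pairs for this demo.
const sampleLog = `2017-06-27T09:12:44Z host=SRV-FILE01 event=7045 service=PSEXESVC src=10.0.9.5 user=CORP\adm-kim
2017-06-27T02:41:10Z host=FIN-WS12 event=7045 service=PSEXESVC src=10.0.4.23 user=CORP\jdoe
2017-06-27T02:41:55Z host=FIN-WS13 event=4688 parent=WmiPrvSE.exe image=cmd.exe src=10.0.4.23 user=CORP\jdoe
2017-06-27T10:05:00Z host=SRV-APP02 event=4688 parent=WmiPrvSE.exe image=cscript.exe src=10.0.9.5 user=CORP\adm-kim
2017-06-27T10:06:00Z host=SRV-APP02 event=4688 parent=explorer.exe image=notepad.exe src=- user=CORP\adm-kim`

// Policy describes what legitimate remote administration looks like.
type Policy struct {
	AdminSources       map[string]bool // addresses admins manage from
	StartHour, EndHour int             // allowed window in UTC, [start, end)
}

// Alert is one remote-execution event that falls outside the policy.
type Alert struct {
	Time      time.Time
	Host      string
	Technique string
	Reasons   []string
}

// parseLine splits "<RFC3339 time> k=v k=v ..." into a time and a map.
func parseLine(line string) (time.Time, map[string]string, error) {
	fields := strings.Fields(line)
	if len(fields) == 0 {
		return time.Time{}, nil, fmt.Errorf("empty line")
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return time.Time{}, nil, err
	}
	kv := map[string]string{}
	for _, f := range fields[1:] {
		if p := strings.SplitN(f, "=", 2); len(p) == 2 {
			kv[p[0]] = p[1]
		}
	}
	return ts, kv, nil
}

// technique names the remote-execution method an event indicates, if any.
func technique(kv map[string]string) string {
	switch {
	case kv["event"] == "7045" && strings.HasPrefix(strings.ToUpper(kv["service"]), "PSEXESVC"):
		return "PsExec service install"
	case kv["event"] == "4688" && strings.EqualFold(kv["parent"], "WmiPrvSE.exe"):
		return "WMI-spawned process"
	}
	return ""
}

// Detect returns alerts for PsExec/WMI activity that violates the policy.
// Malformed lines are skipped rather than aborting the run.
func Detect(log string, p Policy) []Alert {
	var alerts []Alert
	for _, line := range strings.Split(log, "\n") {
		ts, kv, err := parseLine(line)
		if err != nil {
			continue
		}
		tech := technique(kv)
		if tech == "" {
			continue
		}
		var reasons []string
		if !p.AdminSources[kv["src"]] {
			reasons = append(reasons, "source "+kv["src"]+" is not an admin workstation")
		}
		if h := ts.UTC().Hour(); h < p.StartHour || h >= p.EndHour {
			reasons = append(reasons, "outside admin hours")
		}
		if len(reasons) > 0 {
			alerts = append(alerts, Alert{ts, kv["host"], tech, reasons})
		}
	}
	return alerts
}

func main() {
	policy := Policy{AdminSources: map[string]bool{"10.0.9.5": true}, StartHour: 8, EndHour: 18}
	for _, a := range Detect(sampleLog, policy) {
		fmt.Printf("%s %s %s: %s\n", a.Time.Format(time.RFC3339), a.Host, a.Technique, strings.Join(a.Reasons, "; "))
	}
}
```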

Which type of network security controls are best suited to discover and prevent malware spread?

While other forms of malware attack may have been stopped by reputation-based or email and web security controls, neither would have been effective in this instance. An essential tool in the armoury of security controls is endpoint security such as Cisco AMP for Endpoints, which actively analyses the behaviour of executable files on the system and performs sandboxing.

IDS/IPS network controls are able to catch lateral scans and spread via the SMBv1 exploit only if they can see the traffic (actively monitoring traffic on the same logical domain). The most common IDS/IPS deployment model is at the Internet edge; as this malware does not use external scans and is not distributed via the normal Internet-related channels (mail and web), these controls are not effective.

Following general security best practices is also beneficial – having backups of important systems/files, and having proper application-visibility monitoring on the network and trying to detect unusual behavior. That, of course, requires both the tools and the people (analysts).

Used materials:

http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html

http://thehackernews.com/2017/06/petya-ransomware-wiper-malware.html

https://www.wired.com/story/petya-ransomware-ukraine/


Cisco Umbrella – light, easy to deploy and powerful


Cisco currently has multiple endpoint security solutions in place – CWS (Cloud Web Security / Scansafe), Umbrella (OpenDNS) and AMP for Endpoints are prime examples. AMP is a different breed of endpoint protection: it relies heavily on detection based on heuristics and cloud sandboxing, whereas CWS and OpenDNS both concentrate very strongly on making sure your Internet browsing is secure and safe.

A bit of history behind the story: when Cisco acquired Scansafe and then sometime later OpenDNS, a lot of people were wondering why Cisco needs two products that have such a large overlap in functionality. At first CWS looked like it was going to last, it had a large customer base, was heavily pushed by Cisco Sales and managed to get a big boost from existing Cisco customers that needed protections for this security gap which was opened by remote/roaming employees.

OpenDNS, with most of its customers using the free version, seemed like an outsider. It could only detect things based on DNS and was not tunneling any traffic back to the cloud, so it seemed like it was not going to be a valid corporate-level endpoint protection tool. People underestimated the power of DNS. OpenDNS had something very valuable: via its free version, it had the ability to see a large percentage of worldwide DNS requests, and using its strong security team it provided a more universal and complete protection that focuses on more than just web browsing. Almost all Internet communication is based on DNS, and the use of static IPs has been greatly reduced for a couple of reasons. For non-malicious users, DNS provides ease of use and flexibility that static IPs could not; for malicious users, the use of static IPs proved to be unwise, as IPs were very quickly blocked (blacklisted) by ISPs and security tools. The result of massive DNS use was that your DNS provider could actively see where your traffic is going and block it (monitoring and enforcement) for all applications (not only Web-based ones).

It was clear Cisco would have to make a choice and I believe they have made the correct one – Cisco is moving forward with the Umbrella and retiring the CWS.

What is Umbrella?

In short, the paid version of OpenDNS, which can support and integrate with other Cisco Products.

How does it work?

It works by forwarding DNS requests to OpenDNS servers, either by registering your public IP with Umbrella and forwarding your internal DNS to OpenDNS servers, or, in case the company does not have its own internal DNS servers, by setting your network equipment (DHCP) to directly give out OpenDNS servers for DNS usage. That secures devices within the offices of the company. For roaming devices, Umbrella has a Roaming Client (a small agent installed on endpoints; it supports Windows and Macs, with a vision to support Linux in the future) that makes sure all DNS requests are forwarded to the OpenDNS cloud.

It is very important to note that Umbrella does not work like a traditional web proxy. It does not send all user traffic to the cloud for inspection; it only works and makes decisions based on the information from the DNS requests from the client. User traffic is sent to the cloud for inspection only for gray/risky domains (traffic to malicious ones is blocked straight away). Furthermore, this redirection of traffic works for both agent and agentless deployments by using the DNS reply to forward the traffic to the Umbrella cloud proxy service called Umbrella Intelligent Proxy.

The result is a better user experience (instantaneous decision to allow and block traffic to majority of traffic based on good and bad domains), lower deployment complexity and lower operational costs.

How is it configured?

Umbrella is one of the easiest deployments we have seen. It has excellent documentation and simple steps to help you redirect your office traffic to the cloud and deploy Roaming Clients to your endpoints. All the management is done via a web portal (https://dashboard.umbrella.com/). It has a very simple and effective portal layout with intuitive access to the management entities (managed identities and policies) as well as monitoring and reporting. A typical simple implementation of Umbrella can be done in a matter of hours, without the need for any on-premise hardware installations (except when AD integration is needed, in which case a lightweight virtual server needs to be installed).

Does it support AD integration for enhanced user visibility?

Yes, it does. It needs a VA (Virtual Appliance, a lightweight virtual server running on either ESX or Hyper-V). The VA server allows Umbrella to see internal information such as private IP addresses of users, and further performs an AD integration with MS AD (it serves as a connector), so the Umbrella Dashboard can see AD names, define policies based on groups and create reports that include the client's AD username (very handy if you want to know who exactly is making all of these malicious outbound requests, such as Command and Control traffic, etc.).

Can it block based on connections that do not use DNS?

Yes, it can. There is a functionality called IP Layer Enforcement that builds IPsec tunnels to the Umbrella cloud and forwards requests to it in case the connection has a suspicious (flagged as malicious) IP address. This is possible only if the client is using a Roaming Agent (either the Umbrella one or the Anyconnect one).

Does it have integration with other Cisco products?

Umbrella has a module for Anyconnect (the Cisco Umbrella Roaming Security module is available for Anyconnect version 4.3 MR1 and newer), which means that if the customer has Anyconnect already deployed, there is no need to install the Umbrella Roaming Agent. Also, the OpenDNS security team is now part of Cisco Talos, so OpenDNS both feeds Talos with DNS information and benefits from Talos when deciding whether a certain domain or IP address is deemed risky.

Does it support SSL decryption?

Yes, Umbrella supports SSL decryption, so it can do deep inspection of traffic destined for risky/suspicious domains. The configuration of SSL decryption is very straightforward: administrators are prompted to download the Umbrella (OpenDNS) certificates from the Dashboard, and these certificates then need to be installed as trusted on endpoint machines. The next step is just to enable SSL decryption.

Conclusion:

Umbrella provides enterprise level endpoint security with lower latency than traditional proxies, low capex and deployment costs.

References:

http://www.cisco.com/c/en/us/products/collateral/security/cloud-web-security/eos-eol-notice-c51-738244.html

https://support.umbrella.com/hc/en-us/articles/231246528-Umbrella-Intelligent-Proxy-FAQs

https://umbrella.cisco.com/products/features/intelligent-proxy

https://deployment-umbrella.readme.io/docs/1-introduction

https://deployment-umbrella.readme.io/docs/1-ad-integration-setup-overview

https://deployment-umbrella.readme.io/docs/anyconnect-umbrella-roaming-security-client-administrator-guide

What is Cisco Unified Threat Defense (FTD)?

Cisco has finally decided to merge its two major network security products – the ASA and FirePOWER. These two have been living on the same hardware (5500X) model for years now but they required separate management which increased the deployment and operational costs for a Cisco FirePOWER implementation. Now Cisco has decided to merge these two platforms by removing the logical separation in hardware and the full separation in software by creating a merged OS that combines the features of both worlds, hence lowering the time/costs for deployment and running.

A bit of History

Cisco has been a major player in the firewall market since the PIX. With the introduction of the first-gen ASA, the PIX was given a polish and new features (such as dynamic routing, QoS, new RFC-based protocol inspections/fixup and a few more), but ASAs were and still are traditional stateful packet firewalls positioned at the Internet edge. The demand to introduce firewalls in the DC as well drove the change from IP-based objects to name-based objects and a totally different way of doing NAT (including the introduction of Any as an interface) in versions 8.3+. Still, the ASA was purely a stateful firewall, and the IDS/IPS module that Cisco was offering was quite outdated in technology and had a less than excellent catch rate. Cisco knew that and purchased the best IPS/IDS vendor out there – SourceFire.

Now Cisco had two flagships in network security and naturally decided to offer them as one box – hence the NX 5500X firewalls were created. No modules were needed; all you needed to run both ASA and FirePOWER was an upgrade to SSD drives. However, the management, logging and operation of the ASA and FirePOWER were still independent – the ASA was managed and monitored by either ASDM or CSM, whereas FirePOWER was using FireSight (pre-version 6) and now FMC (Firepower Management Center). Most competitors (Palo Alto and Check Point) neither needed nor had separate management platforms to configure their advanced next-gen capabilities, and frankly speaking users/admins were not happy with having to do double the amount of work to enable a Cisco next-gen firewall – interfaces, licensing, configuration, policies, monitoring etc.

In 2015 Cisco hinted at the concept of having one unified management OS that would combine the features of both FirePOWER and ASA. FirePOWER was chosen as the base for that new image, so from day one the FTD image had almost 100% of the FirePOWER functionality but a very small percentage of the ASA functionality. The first release (6.0), for testing and Cisco partners, was in 2016, and at that point the FTD had about 20% of the features of the ASA – basic features of course were migrated first, but shockingly some major features were lacking, such as HA, VPNs (both site-to-site and Anyconnect), dynamic routing protocols, virtualization/contexts and QoS. The quick follow-up releases 6.0.1 and 6.1 introduced HA failover, so the FTD was now ready to go public.

The Situation today

The latest version, released in early 2017, is 6.2.0.

Cisco continued its work to close the gap between the current ASA and FTD functionality. New major functionality added: Clustering for ASA, Site-To-Site IPSec VPN with certificates (6.1 supported Site-to-Site VPN but only with Pre-Shared-Key), PKI support, SGT without Realm, Migration tool (from traditional ASA to FTD), REST API, Packet Tracer and Capture functionality.

On top of the functionality migrated in 6.1, such as integrations with Cisco ISE and Threat Grid and on-box management for some models, 6.2 is looking more and more enterprise ready (not only SOHO, as 6.0 and 6.1 were). Also, with the addition of tools for automated migration, the FTD becomes an easier target when doing a migration. The user base is also growing quite quickly (good for the discovery of bugs and security/stability issues). Version 6.2.1 is just around the corner and will close the gap even further, introducing the Anyconnect Remote Access functionality and many improvements/new features in NAT, dynamic routing, multicast and QoS, HA, site-to-site VPN and, interestingly, an option for conversion back to the ASA image.

This all points to a major shift coming soon in the Cisco security community, with more and more clients starting to use FTD. Naturally, after the break-point Cisco will start phasing out the traditional ASA image (the functionality gap will be in favor of the FTD) and clients will be forced to switch. Of course, that process will take time, but why not be ahead of the curve?

Resources:

http://www.cisco.com/c/en/us/td/docs/security/firepower/620/relnotes/Firepower_System_Release_Notes_Version_620/new_features_and_functionality.html

Bad News VPN Users – SHA-1 is Dead!

The breakthrough

SHA-1 is dead from a security point of view, and it has been a long time coming. A research collaboration between CWI and Google published a paper on the 23rd of February 2017 proving that deliberate collisions can be created for SHA-1 (Secure Hash Algorithm 1). The researchers managed to forge a PDF document so that it has the same SHA-1 value as a completely different document (a collision).

OK, why is that such a big deal?

Background information and the risk

Hash functions are widely used in cryptography and hence in the VPN world. They are used to verify that the other peer holds a piece of information (for example a pre-shared key) that matches yours perfectly (authentication) and to confirm that data has not been tampered with in transit (integrity). Hash functions are also used in Public Key Infrastructure to verify integrity and to sign certificates (that is, to verify that a certain person with a certain name has a certain public key).

The ability for someone to create a forged data string so that it matches the computed hash of another data string nullifies the security and the idea of using hash functions in cryptography.

Widespread

SHA-1 is still widely used for integrity/signing in IPsec IKEv1 (and sometimes IKEv2) and some PKI still support it so there are a multitude of certificates using it.

Furthermore, why is that important for Cisco VPN users?

IPsec IKEv1 does not support newer SHA algorithms (SHA-2) and the majority of IPsec VPNs are still built on IKEv1.

Even if you are using IKEv2 there could also be hardware restrictions preventing you from using modern hash functions (SHA-2) – legacy Cisco ASA devices (5505, 5510, 5520, 5540, 5550) cannot support newer hash functions in hardware and Cisco has not implemented the functionality into their software.

Recommendations

If your company is using a VPN and you need to audit it, ensure that it is not using SHA-1 anymore. For expert VPN Security advice, contact 4CornerNetworks today.
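One way to run the audit recommended above against a saved Cisco ASA configuration, as an added example that is not part of the original article: it flags every IKEv1 policy, IKEv2 policy, IKEv1 transform set and IKEv2 IPsec proposal that still lists SHA-1 (or MD5). The keyword forms are assumed to follow ASA 9.x syntax, and the sample configuration is constructed.

```python
import re

# Weak integrity/PRF keywords as they appear in ASA-style crypto config
# (assumed ASA 9.x syntax; "sha" and "sha-1" both mean SHA-1).
WEAK = {"sha": "SHA-1", "sha-1": "SHA-1", "md5": "MD5"}

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
crypto ikev2 policy 20
 encryption aes-256
 integrity sha256 sha
 group 14
 prf sha256
crypto ipsec ikev1 transform-set TS-OLD esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal PROP-NEW
 protocol esp encryption aes-256
 protocol esp integrity sha-256
"""

def audit_asa_hashes(config):
    """Return (line_no, section, algorithm) for every SHA-1/MD5 use found."""
    findings, section = [], None
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):          # top-level line opens a new section
            section = line
            # IKEv1 transform sets carry the hash inline, e.g. esp-sha-hmac
            m = re.match(r"crypto ipsec ikev1 transform-set \S+ (.+)", line)
            for tok in (m.group(1).split() if m else []):
                t = re.fullmatch(r"esp-(sha|md5)-hmac", tok)
                if t:
                    findings.append((no, section, WEAK[t.group(1)]))
            continue
        # Sub-commands: "hash X", "integrity X [Y ..]", "prf X [Y ..]",
        # "protocol esp integrity X [Y ..]"
        m = re.match(r"(?:protocol esp )?(hash|integrity|prf) (.+)", line)
        if m and section and section.startswith("crypto"):
            for alg in m.group(2).split():
                if alg in WEAK:
                    findings.append((no, section, WEAK[alg]))
    return findings

if __name__ == "__main__":
    for no, section, alg in audit_asa_hashes(SAMPLE_CONFIG):
        print(f"line {no}: {alg} in '{section}'")
```

A proposal that lists SHA-1 alongside a stronger algorithm is still flagged, because the peer may negotiate the weaker option.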

Sources of Information:

https://shattered.io/static/shattered.pdf

https://arstechnica.com/security/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/vpn/asa_91_vpn_config/vpn_ike.html#pgfId-1042794

Network Security

The Importance of Retrospective Network Security


We are experiencing a new phase in our vision of network security. There is currently no quick fix solution, no 100% proof network security protection/prevention tool or product. There is always zero-day or purposely built (very focused, low spread) APT malware that current vendors are unable to detect at the time of the breach.

Hence total prevention is a myth.

Most of the current network security solutions offer only Point-In-Time detection/prevention. Namely, they inspect the traffic as it passes through the firewall and, if they deem the traffic clean or unknown at that exact time, they allow it and forget about it. That can lead to malware passing through and remaining undetected for long periods of time. All vendors rely on intercepting the C&C communication to the botnet servers, but not all malware uses such a centralized method of operation, so that cannot be considered a proven method of detection. That is why most vendors apply their own sandboxing solution: all files of unknown type are sent to the cloud, where they are detonated in a controlled environment and the result of their execution is judged malicious or not by machines or sometimes humans. Upon discovery of malicious actions, the file is marked as malware and an update is pushed out to all vendor appliances so they can intercept and drop such files. That process however takes time (typically more than 8 hours) and usually stops more than 96% of the malware spread (it depends on how quickly the different vendors discover that the file is malicious and how quickly the update is sent out), and that percentage was deemed high enough for most companies.

What about that 4% though? I am sure any business owner would not like to be in this position and would like greater protection and value for their money. When a mere 4% can cause 100% of your security problems, you’re not protected.

Cisco is the only vendor in the NGFW market that currently has its vision also set on the retrospective side of network security, the so-called After-The-Attack phase. Cisco uses the combination of Firepower and AMP, for both network and endpoint, to provide threat context and to pinpoint the progress and spread of the malware in historical time, so you will know exactly when and how the malware moved in your network and which hosts were infected, and can immediately deploy mitigation techniques: first restrict the malware, then block its effect and finally remove the malware that has already breached your network. Without this continuous analysis, the attack can run rampant on the network and it will be extremely difficult to determine the scope of the outbreak and the root cause, or to provide a timely and adequate response. Here is an example of such an event and how Firepower and AMP deal with it.

The following 4 simple steps represent how Firepower and AMP work with zero-day malware files:

  1. An unknown file gets downloaded to a client IP (1.2.3.4 for example) over HTTP with Firefox, and the file is allowed to reach the endpoint. The unknown file is sent to the cloud to be detonated and given a verdict.
  2. The Firepower tracks the movement/copying of the file within the network, so it sees the file being propagated via any protocol at any time. For example, the file gets copied to another host, 1.2.3.5, via SMB at 12:41 AM on the 1st of Dec 2016.
  3. Within 30 minutes the same file gets replicated to 5 more devices within the internal range, all via SMB. The Firepower has a map of the file trajectory with the hosts and the timing of the movements.
  4. Two hours after the file was first seen, Cisco Security Intelligence Cloud reaches a verdict that the file in question is in fact malicious. From now on all Cisco AMP and Firepower enabled devices will drop that file upon encounter and alarm/log. Here comes the difference between Cisco and other vendors, namely the retrospective part: in our example, all future transfers of the file will be blocked and the file itself will be quarantined on all endpoints that have it (requires AMP for endpoint). Furthermore, the administrators can use the trajectory map to verify that the malicious file has been quarantined/removed and that the hosts have been remediated.
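The four steps above can be modelled as a lookup over recorded file-transfer events once the late verdict arrives. The following is an added example, not Cisco's implementation or code from the original article; the event format, the file identifier, the first-sighting time and the unrelated host 1.2.3.20 are constructed for illustration.

```python
from datetime import datetime, timedelta

FILE = "sha256:EXAMPLE-UNKNOWN-FILE"      # placeholder file identity
T0 = datetime(2016, 12, 1, 0, 11)         # first sighting (constructed time)
COPY = datetime(2016, 12, 1, 0, 41)       # SMB copy at 12:41 AM, as in step 2

# Constructed transfer log: (time, source, destination, protocol, file).
EVENTS = [
    (T0, "internet", "1.2.3.4", "HTTP", FILE),
    (COPY, "1.2.3.4", "1.2.3.5", "SMB", FILE),
    # an unrelated file that must not end up in the quarantine list
    (T0 + timedelta(minutes=20), "internet", "1.2.3.20", "HTTP", "sha256:OTHER"),
] + [
    # step 3: five more internal hosts within 30 minutes, all via SMB
    (COPY + timedelta(minutes=5 * (i + 1)), "1.2.3.5", f"1.2.3.{6 + i}", "SMB", FILE)
    for i in range(5)
]

def trajectory(events, file_id, until):
    """Time-ordered hops of one file up to the moment `until`."""
    return sorted(e for e in events if e[4] == file_id and e[0] <= until)

def retrospective_verdict(events, file_id, verdict_time):
    """Apply a late 'malicious' verdict to everything already recorded."""
    hops = trajectory(events, file_id, verdict_time)
    if not hops:
        return None
    hosts = []
    for _, _, dst, _, _ in hops:           # keep first-seen order, no duplicates
        if dst not in hosts:
            hosts.append(dst)
    return {
        "patient_zero": hosts[0],
        "entry_protocol": hops[0][3],
        "quarantine": hosts,               # endpoints that already hold the file
        "dwell_time": verdict_time - hops[0][0],
        "hops": [(t.strftime("%H:%M"), s, d, p) for t, s, d, p, _ in hops],
    }

if __name__ == "__main__":
    result = retrospective_verdict(EVENTS, FILE, T0 + timedelta(hours=2))
    for hop in result["hops"]:
        print(*hop)
    print("quarantine:", result["quarantine"], "dwell:", result["dwell_time"])
```

A point-in-time control would only have the verdict available for transfers seen after it; the recorded trajectory is what lets the seven hosts that received the file earlier be identified and remediated.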

Abbreviations:

APT – Advanced Persistent Threats

C&C – Command and Control

NGFW – Next-Generation Firewall

Network Security, Cyber Security

8 Steps to Secure Your Organization against Cyber-Attacks

There is not a single industry anywhere in the world that is immune from the threat of some form of cyber-attack. Any attack on your organization’s IT Network will be unpredictable in terms of the exact method of attack, but you can at least be poised to deflect such cyber-attacks and protect your company from them with these 8 easy to follow steps.

1. Implement your CyberSecurity strategy from the top-down

Devise a security strategy, make sure Directors and Management understand the importance of your organization’s IT Network Security. The fundamental thing about security is knowing the risks involved and understanding what needs to be secured, namely what are your valuables/assets.

Only after a thorough risk assessment has been carried out can a proper security strategy then be formed and implemented. The importance of cyber-security should be something that senior management understands and supports, resulting in a top-down approach to implementation.

2. Create policies for the allocation of internal IT Resources

Once the importance of security issues is fully understood by management, organizations can then begin to create and implement policies on how to use, manage and allocate company resources to tackle cyber security.

It is then vital to develop and enforce policies and procedures for employees to follow. This will impact:

  • The allocation of company IT resources – allowed and prohibited expenditure
  • Change management procedures to be implemented across all IT systems and related policies
  • Reevaluate risk and security posture at regular intervals

3. Network Security

Have a network design with a strong focus on cyber-security. Segment your network into logical, system-based zones so you can isolate/segregate critical business systems and apply network security controls to them – firewall/inspect traffic between those zones. Protect your Internet Edge but also internal traffic (east-west), and cover the most used vectors of attack (email, web).

Pay special attention to wireless connectivity – use strong authentication based on individual credentials or personal certificates, strong encryption (AES) and proper guest/BYOD access. Carefully plan home and remote user access – these users should have the same security controls as users on corporate networks.

Have a central point for system monitoring (SIEM) that is integrated within your environment and provides a single point that holds all relevant logs/events for your systems. Monitor your network/user activity with qualified staff. Fine-tune your IPS systems to use security rules/signatures that are relevant to your network environment and to produce relevant alarms. Act on the alarms promptly.

Secure both user/management and physical access to your network assets. Apply only secure configuration using the vendor/standard recommended best practices. Have a lifecycle policy in place – aka review/renew security controls/equipment at regular intervals. Finally, ensure you have an up to date network diagram with HLD/LLD documents.

4. Protect your endpoints/servers

Always use legitimately supported software and hardware. Create and maintain a policy for patching and updates – keep up to date with patches and security updates.

Devise and maintain a hardware and software repository – know what you have in your network. Centrally manage your endpoint from OS and software point of view. Limit user rights to make changes to endpoint security:

  • Never give normal users full access (admin)
  • Limit execution controls/change configuration
  • Create safe-lists of allowed software
  • Disable unnecessary services
  • Disable unnecessary peripheral devices and removable media access
  • Disable auto-run capability if removable media access is deemed necessary

Access to sensitive information should be handled in a secure manner, with proper access controls in place – secure and robust authentication mechanisms, two-factor authentication for sensitive access, and encryption for data in transit and at rest. Monitoring of how sensitive data is handled and transferred should also be in place.

Use endpoint protection mechanisms (Anti-Virus, Anti-Spyware, software firewalls) which support centralised management and can be integrated with your network security controls and monitoring tools. Regularly back up all important data in a safe manner (encrypt and secure data at rest and in motion) – this mitigates the effects of ransomware attacks. In case of a breach, have a plan to restore normal network operations for different scenarios, but also remember to include steps for gathering data so that forensic investigations can take place in the aftermath.

5. Train your personnel

Users should be aware of the ideas behind the implementation of security measures, what threats are out there and what should raise their suspicion – simple things like:

  • Non-solicited mails with strange hidden links – aka “Think before you click campaign”
  • File attachment with general but well-sounding names
  • Plugging/connecting unapproved media or personal devices into the network

Users should undergo training on:

  • How to handle sensitive information
  • Social engineering and the techniques used
  • Reporting any strange activities or security incidents

The training and development of personnel should be a continuous process not a one-off occurrence to ensure topics are relevant, minimise any potential threats and so staff training can be scaled.

6. Remote/Home Users controls

Assess the risks for remote corporate users and create a policy on how to mitigate them. Use strong/two-factor authentication. Educate remote users on the importance of security and how to work with all security control mechanisms without sacrificing productivity.

Create and regularly update manuals on how to use and configure different security controls (VPN clients etc.). Have a support and escalation procedure in place, so that users can work with all security controls in place and do not try to circumvent them. Protect data in transit and at rest. Use a common security build for all remote workers – more secure, easier to operate and troubleshoot.

7. Monitoring

We cannot stress enough the importance of constant monitoring. No environment is bulletproof, and buying best-of-breed products does not guarantee a top level of security. There are a lot of factors in play in every complex environment that has many cogs and bolts. The only predictable aspect of security is the unpredictability of the threats (for example the human factor or administrator laziness). A chain is only as strong as its weakest link. A company should concentrate on having all protection/prevention mechanisms in place but should never forget to have visibility and monitoring tools in place as well.

Detect attacks and abnormal behaviour – from both outside and inside. React to attacks – a timely response can stop the spread of damage, ensure that the attack is blocked in the future and assist with a forensic investigation. Account for activity – you should have a complete understanding of how systems run, and how data and information are being used by users. Only then will you be able to detect deviations from the norm and act on them.

8. Test, test and test!

The only way to really know whether your security is protecting your organization is to test it regularly!

Security tests should cover all parts of your environment and should be performed on procedures/processes, network equipment, endpoint systems and personnel.

  • Formal security audits that look at procedures and if they are being followed/enforced
  • Automated vulnerability assessments – usually performed every 2-3 months and done internally
  • Penetration tests – external annual security tests that usually give the most accurate information for the company’s security posture and effectiveness of all security measures deployed
  • Social engineering tests on personnel – attempts to get employees to disclose sensitive information to non-authorised people, either via phone or in person, or to get physical access to company restricted areas.

Jargon Buster

  1. HLD – High Level Design
  2. LLD – Low Level Design
  3. IT – Information Technology
  4. IPS – Intrusion Prevention System
  5. SIEM – combination of the SIM (Security Information Management) and SEM (Security Event Management) abbreviations
  6. OS – Operating System
  7. AES – Advanced Encryption Standard
  8. BYOD – Bring Your Own Device
  9. Social Engineering – a method in Penetration Testing when the security experts are trying to exploit the human personality into giving out sensitive information that could lead to a breach in security

References:

https://www.ncsc.gov.uk/guidance/10-steps-cyber-security

https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/317481/Cyber_Essentials_Requirements.pdf