
Cyber-security breach at Equifax

Equifax cyber-security breach – lessons to be learned


As you probably know, Equifax (one of the three big credit bureaus in North America and the UK) announced that it had been breached (unauthorized access discovered on the 29th of July). So far, the estimates are that this leak of sensitive personal data affects over 143 Million American, Canadian and British citizens.

What is a credit bureau? An organization that makes money by gathering and compiling huge amounts of data (personal and financial) about consumers and selling it to third-party marketers, and by providing a credit score for an individual that proves that customer's financial capability when they apply for credit.

Obviously, these incredibly detailed dossiers contain tons of sensitive information that could be used to impersonate a person for either financial gain or to cause harm.

Historically speaking, all credit bureaus have had problems keeping their sensitive information secure; Experian, for example, had a breach in 2015 which exposed data of over 15 Million people.

Analysis of the breach:

As the investigation is under way (after detecting the breach in July, Equifax hired a security company to investigate the details of the breach and the depth of the data leakage, and to do proper forensics), few details of what really happened have been released. But what is known so far is very troubling and does not look good for Equifax's cyber-security posture. The official statement from Equifax is that the attackers broke into the company's systems by exploiting an application vulnerability and then gained access to certain files. There is no mention of the exact vulnerability that facilitated the breach. The absence of any mention of a zero-day vulnerability (an unknown flaw), which would make Equifax less culpable and which it would make sense for them to highlight, suggests that the vulnerability was known. That in turn means Equifax was not patching its internet-accessible public services on time and did not have a properly configured advanced IPS or equivalent security control in place; both are a must when you operate with such highly sensitive data. Other security best practices were obviously not followed either, since the attackers were able to reach real data after breaching an internet edge service.

Mistakes made:

  1. A long delay in announcing the breach. This could be explained by the ongoing internal investigation, but the delay could still have been used by the attackers to their advantage to harm Equifax customers.
  2. Equifax's reaction after the announcement

Equifax came up with a plan to offer some kind of after-the-fact sense of security to its customers and announced a new portal (www.equifaxsecurity2017.com) where customers could supposedly check whether their personal and financial information was among the data that was stolen. However, the portal did not give any such information. It was usually either not working (returning a System Unavailable message, probably due to high load) or experiencing certificate issues, because of which it was blocked by many web security solutions (such as Cisco OpenDNS); and when people finally got it to work, it gave unclear information: a possible scheduled date for enrolling in another service (credit protection) called TrustedID. On top of that, some security researchers noticed that this output is presented whether the customer enters real data (the portal asks for the last name and the last 6 digits of the social security number) or made-up data. This portal seems to be nothing but a distraction from the real problem.

  3. Equifax had problems with the company's security vision/leadership

Until recently, Equifax was looking to hire a vice president of security (they see that position as fulfilling the role of a CISO). This position is vital for a company that possesses such sensitive information and should not be left vacant. Cyber-security is a mindset, and it takes time and persistence to build. It should always come from the top positions in a large company and have the backing of top management.

Lessons to learn:

Some simple cyber-security lessons to learn

  1. Know your assets and their value; this will give you an idea of how much you need to invest in protecting them
  2. Know the risks to your assets and what impact damage or leakage would have on your company
  3. Have a strategy/vision that is supported and driven by top management
  4. Take action to put that strategy in place
  5. Have a plan in case of a breach that helps you react, restore your position, regain the trust of your customers and do proper analysis/forensics of the breach

More materials:

https://krebsonsecurity.com/2017/09/breach-at-equifax-may-impact-143m-americans/

Nyetya Wiper Malware

Nyetya – a Wiper Malware disguised as Ransomware


A new malware, Nyetya (a combination of the words Nye and Petya, meaning NOT Petya), also known as Petrwrap and GoldenEye, has been spreading globally over the last 24 hours.

This virus is distinct from WannaCry and the other initially suspected variants: it has some unique new features which make it harder to detect and defend against, clearly showing that today's malware landscape is an evolving space. This rapidly changing threat landscape has a number of drivers, including leaked tools from government agencies, more advanced security controls that require more advanced malware (the cat and mouse game), or simply attackers who are more determined and more capable.

Other well-known researchers (links below) say Nyetya is more of a nation-state attack against a specific country (Ukraine), disguised as ransomware so that its true nature would remain hidden in the shadow of the recent WannaCry ransomware.

Some Characteristics of Nyetya and why it is different

  1. Recent research showed that Nyetya, despite its major resemblance to the Petya ransomware, in fact does not keep a copy of the encrypted MFT (Master File Table) and MBR (Master Boot Record) that it overwrites with the ransom note. That means that even if the user obtains the decryption keys there is nothing to decrypt. This behavior resembles a specific type of malware called wiper malware: infected machines cannot be recovered. Also, the email address for contacting the attackers is now disabled, so there is no possibility of getting the decryption keys. Obviously, the attackers never intended to collect the ransom and get rich from their efforts.
  2. It encrypts the master boot record, which makes the whole system unusable and causes more damage. Previous crypto viruses (ransomware) encrypted specific file extensions.
  3. It does not use a common attack vector from the Internet

It does not infect by scanning ports for vulnerable services, nor does it use phishing (mails with crafted content and covert malware links), file attachments or web sites hosting malicious content. Instead, the initial way in was via an update of a popular accounting software package in Ukraine (called MeDoc). The software was tricked into auto-updating with a malicious file (Perfc.dat). Once inside, it uses the EternalBlue (SMBv1) exploit to spread (the same as WannaCry), but also two administrative tools (PsExec and WMI) which are in general valid and legitimate tools used inside a network. The use of these tools would not raise any alarms on network security controls. The malware is capable of stealing the current user's token and using it to distribute itself to other devices via PsExec (it is still unclear how it is able to steal the token), or of stealing the current user's credentials and using them via WMI.

  4. No external Internet scans

There is no evidence of external scans (from the internet) to locate unpatched SMB services. The only scans the virus conducts are horizontal, once it is inside the protected network. That makes the virus very hard to detect, as most organisations do not have visibility into such activity within their network.

  5. No Command and Control functionality

The virus does not use C&C, so reputation-based security controls cannot detect it. IP address/domain reputation is widely used to detect zero-day attacks and to monitor the spread of a virus. That does not seem to be feasible protection against Nyetya.

  6. Special attention has been paid to cleaning up any remaining data and logs

All of these unique characteristics point to the fact that cyber criminals have changed their tactics (after the failure of WannaCry due to the incidental but timely discovery of the killswitch) and want the malware spread to be as stealthy as possible.

Protecting yourself from the attack

A short summary of the techniques necessary to protect against the attack is listed below. These cannot be undertaken in isolation; it is assumed that good security practices are already in place, such as a disaster recovery strategy as well as security controls such as anti-malware.

  1. Patch your systems (MS17-010 should be applied) and close off (disable) any SMBv1 services
  2. Do not use admin/elevated privileged accounts for normal users
  3. Monitor your network and endpoints for PsExec and WMI communication and try to establish whether it is valid communication (this could be based on which of the two the administrators use, and also on the time of day)
  4. Monitor your internal network segments using an IDS/IPS
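As an added example (not code from the original post), here is a small detector for the third item above: it parses constructed process-creation records and flags PsExec or WMI executions that do not come from an assumed set of administrator jump hosts or that fall outside assumed working hours. The host names, the hours and the key=value record format are assumptions, not something the post specifies.

```python
# Flag PsExec / WMI remote execution that falls outside the expected admin
# pattern (initiating host and time of day), as the post advises. Added
# example, not code from the original post; the records are constructed in
# a simplified key=value format, not real captures.
from datetime import datetime
from typing import Dict, List, Optional
# Assumptions (not from the post): admins use PsExec/WMI only from these
# jump hosts and only during these hours (local time, 24h clock).
ADMIN_HOSTS = {"JUMP01", "JUMP02"}
WORK_HOURS = range(8, 19)  # 08:00 - 18:59
# On the target, PsExec installs its service binary PSEXESVC.exe, and a
# WMI-launched command has WmiPrvSE.exe as its parent process.
PSEXEC_IMAGE = "psexesvc.exe"
WMI_PARENT = "wmiprvse.exe"

def parse_line(line: str) -> Dict[str, str]:
    """Parse '<iso timestamp> host=.. image=.. parent=.. src=..' into a dict."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = ts
    return rec

def classify(rec: Dict[str, str]) -> Optional[str]:
    """Return an alert string for unexpected PsExec/WMI use, else None
    (None also when the event matches the known administrator pattern)."""
    if rec["image"].lower() == PSEXEC_IMAGE:
        tool = "PsExec"
    elif rec["parent"].lower() == WMI_PARENT:
        tool = "WMI"
    else:
        return None  # not one of the two tools the post warns about
    when = datetime.fromisoformat(rec["ts"])
    reasons = []
    if rec["src"] not in ADMIN_HOSTS:
        reasons.append(f"source {rec['src']} is not an admin host")
    if when.hour not in WORK_HOURS:
        reasons.append(f"outside working hours ({when:%H:%M})")
    return f"{tool} on {rec['host']}: " + "; ".join(reasons) if reasons else None

def scan(lines: List[str]) -> List[str]:
    """Run classify over raw log lines and return the alerts in log order."""
    return [a for a in (classify(parse_line(l)) for l in lines if l.strip()) if a]

# Constructed sample: admin PsExec, off-hours PsExec from a workstation,
# WMI-spawned cmd.exe on a DC, and one unrelated process.
SAMPLE_LOG = """\
2017-06-27T10:05:00 host=FS01 image=PSEXESVC.exe parent=services.exe src=JUMP01
2017-06-27T03:12:44 host=FS01 image=PSEXESVC.exe parent=services.exe src=WS-045
2017-06-27T03:12:51 host=DC01 image=cmd.exe parent=WmiPrvSE.exe src=FS01
2017-06-27T11:30:00 host=WS-010 image=notepad.exe parent=explorer.exe src=WS-010
""".splitlines()
```

Running `scan(SAMPLE_LOG)` yields two alerts, for the off-hours PsExec from WS-045 and the WMI-spawned shell on DC01; the admin PsExec from JUMP01 and the unrelated notepad.exe produce nothing.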

Which type of network security controls are best suited to discover and prevent malware spread?

While other forms of malware attack may have been stopped by reputation-based or email and web security controls, neither would have been effective in this instance. An essential tool in the armoury of security controls is endpoint security such as Cisco AMP for Endpoints, which actively analyses the behaviour of executable files on the system and performs sandboxing.

IDS/IPS network controls are able to catch lateral scans and spread via the SMBv1 exploit only if they can see the traffic (actively monitoring traffic on the same logical domain). The most common IDS/IPS deployment model is on the Internet edge; as this malware does not use external scans and is not distributed via the normal Internet channels (mail and web), these controls are not effective.

Following general security best practices is also beneficial: having backups of important systems/files, having proper application-level visibility and monitoring on the network, and trying to detect unusual behavior, which of course requires both the tools and the people (analysts).

Used materials:

http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html

http://thehackernews.com/2017/06/petya-ransomware-wiper-malware.html

https://www.wired.com/story/petya-ransomware-ukraine/