Ransomware Fighters Get New Free Tool

Ransomware has become a gold mine for digital criminals. In the first three months of this year, electronic extortionists squeezed US$209 million from victims desperate to recover their data after it was scrambled by the malicious software, based on FBI estimates. At that rate, ransomware could funnel as much as $1 billion into criminal coffers this year.

Ransomware typically will encrypt most of the files on a computer, but some pernicious programs are selective about what they encrypt on a machine. One such form of ransomware attacks the boot sequence of a computer.

Petya ransomware overwrites the contents of a system’s Master Boot Record (MBR), forces a reboot, and then encrypts the Master File Table (MFT) of the NTFS file system, the index that maps file names to their data on disk. The file contents are left in place, but without the MFT the operating system cannot find them.

With ransomware that’s limited to encrypting data, it’s still possible to use an infected machine. That only makes sense, since an extortionist expects the victim to use the computer to pay the ransom and receive the key unscrambling the data on the afflicted machine.

With an attack on the MBR, however, the extortionist “bricks” the system and makes it unusable until the ransom is paid.

Risky Ransomware

Bricking a computer that you’re holding for ransom is a risky way to do business.

“With ransomware that encrypts the Master Boot Record, you have effectively lost the ability to use the computer,” explained Craig Williams, security outreach manager at Cisco Systems.

“That’s a little bit more risky for the attacker, because it relies on you having another way to get online and pay them,” he told TechNewsWorld, “but because the computer is unusable, you’re more likely to pay them.”

Despite the risks, there are some advantages to MBR ransomware, suggested Edmund Brumaghin, a threat researcher at Cisco and a colleague of Williams.

“One potential benefit to focusing on the MBR versus in-place encryption of files is that it can be completed quickly, regardless of the amount of user data that is stored on the system,” Brumaghin told TechNewsWorld.

“It may also be more difficult for decryptors to be made available if the boot process of the system has been manipulated or disrupted,” he continued. “Recovery may also be more difficult, as it may require a complete reinstallation of the system’s operating system, rather than just recovery of the user’s files.”

MBRFilter to the Rescue

To counter ransomware attacks on the Master Boot Record, Cisco Talos, the company’s threat intelligence organization, released a free tool called “MBRFilter.” It is a Windows disk filter driver that makes sector 0 of each disk, where the MBR lives, read-only, so that no program running on the system, ransomware included, can overwrite it.

Enabling that default can create problems from time to time, Williams acknowledged.

“Occasionally you have updates to operating systems or changes to the Linux kernel where you do need to poke at the Master Boot Record and update it,” he said, “but for the vast majority of the operation of a computer, you don’t need to update it.”

Malicious software that scrambles data on systems is by far a more popular form of ransomware than programs that attack the MBR, but when you protect the MBR, you’re protecting yourself from more than just ransomware.

“The MBR is often targeted by other types of malware, such as rootkits and bootkits,” Brumaghin explained.
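MBRFilter prevents writes to sector 0; the complementary detective control is to record what the MBR looked like when the system was known good and compare it later. The following Python is an added example written for this page, not code from Cisco Talos or from MBRFilter. It parses the 512-byte MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature) and reports which region changed against a baseline. The sample sectors are constructed, synthetic stand-ins rather than captures from a real disk; `read_mbr` shows where a real one would be read from.

```python
"""Parse a 512-byte MBR and compare it with a trusted baseline to spot overwrites."""
import hashlib
import struct

SECTOR = 512
PART_TABLE_OFF = 446            # boot code occupies bytes 0-445
BOOT_SIG = b"\x55\xaa"          # bytes 510-511 of a valid MBR

def part_entry(bootable: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    """Build one 16-byte partition entry (CHS fields zeroed; modern loaders use the LBA fields)."""
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\0" * 3, ptype, b"\0" * 3,
                       lba_start, sectors)

def build_mbr(boot_code: bytes, entries: list, signature: bytes = BOOT_SIG) -> bytes:
    """Assemble a sector: boot code padded to 446 bytes, up to four entries, 2-byte signature."""
    code = boot_code.ljust(PART_TABLE_OFF, b"\0")[:PART_TABLE_OFF]
    table = b"".join(entries).ljust(64, b"\0")[:64]
    return code + table + signature

def parse_mbr(sector: bytes) -> dict:
    """Decode the MBR layout; raise ValueError if it is not a plausible MBR."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if ptype != 0:                      # type 0 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": sector[:PART_TABLE_OFF], "partitions": partitions,
            "sha256": hashlib.sha256(sector).hexdigest()}

def mbr_diff(baseline: bytes, current: bytes) -> list:
    """Report which region changed between a known-good MBR and the one read now."""
    findings = []
    if current[510:512] != BOOT_SIG:
        findings.append("boot signature missing or overwritten")
    if baseline[:PART_TABLE_OFF] != current[:PART_TABLE_OFF]:
        findings.append("boot code (bytes 0-445) modified")
    if baseline[PART_TABLE_OFF:510] != current[PART_TABLE_OFF:510]:
        findings.append("partition table modified")
    return findings

def read_mbr(device: str) -> bytes:
    # Raw device reads need elevated rights: e.g. r"\\.\PhysicalDrive0" as an
    # administrator on Windows, or "/dev/sda" as root on Linux.
    with open(device, "rb") as f:
        return f.read(SECTOR)

# --- Constructed sample sectors (synthetic stand-ins, not captured from a real disk) ---
ENTRIES = [part_entry(True, 0x07, 2048, 204800)]          # one bootable NTFS-type partition
GOOD_MBR = build_mbr(b"\xeb\x63\x90" + b"\x90" * 60, ENTRIES)
TAMPERED_MBR = build_mbr(b"\xfa\x31\xc0" + b"\xcc" * 60, ENTRIES)   # boot code replaced, table intact
NO_SIG_MBR = GOOD_MBR[:510] + b"\0\0"                      # signature wiped

if __name__ == "__main__":
    baseline = parse_mbr(GOOD_MBR)["sha256"]   # store this while the system is known good
    print("baseline sha256:", baseline)
    print("tampered:", mbr_diff(GOOD_MBR, TAMPERED_MBR))
    print("no signature:", mbr_diff(GOOD_MBR, NO_SIG_MBR))
```

Keep the baseline hash somewhere the machine itself cannot alter (a management server, or a read-only medium); a check whose reference value sits on the same disk as the MBR can be rewritten along with it. The partition table is compared separately from the boot code because a legitimate partitioning change and an overwritten boot loader call for different responses.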

Flaw in Secrets Hive

Once hackers penetrate a system, they seek to expand their reach through the network as fast as possible.

There is a way to do that using a security feature built into Windows, CyberArk discovered last week.

Windows protects service account credentials by storing them in the LSA Secrets area of the registry, a key under the SECURITY hive that ordinary users, and even administrators, cannot read directly.

Although access to those secrets is tightly restricted and the stored values are encrypted, CyberArk found that once intruders hold local administrative privileges on a machine, they can make use of the service credentials kept there, without decrypting them, to move laterally to other systems on the network. The caveat for defenders is that the key protecting LSA secrets also lives on the same machine, so a local administrator who wants the plaintext can obtain that too; any account whose password is stored as an LSA secret is only as safe as the least secure host it is stored on.

“Vulnerabilities are found all the time in technology,” observed CyberArk CMO John Worrall.

“What’s interesting about this research is that once you get administrative credentials, the number of vulnerabilities opens up dramatically,” he told TechNewsWorld.

The methods for compromising a system can be very powerful in the wrong hands, noted CyberArk’s Kobi Ben Naim, the senior director of cyber research who conducted the LSA study.

“If an attacker implements these techniques,” he told TechNewsWorld, “he’s able to take over an entire network in a few minutes.”

SSH Key Jungle

Authentication is a pillar of information security, but sometimes you can have too much of a good thing. Take SSH (Secure Shell), the protocol used for encrypted remote administration and automated transfers between systems, whose public-key logins have taken on a critical role in running networks. It is used on millions of servers and in about 90 percent of data center environments.

As it is part of the invisible plumbing of networks, not a lot of attention has been paid to the growth of SSH. After all, it’s distributed free with all the popular operating systems, so it doesn’t appear on management’s cost radar, and it’s seen as one of those things stashed in IT’s black box of tricks.

Benign neglect in the face of unchecked growth in SSH use has prompted the National Institute of Standards and Technology to raise a red flag. In NIST Interagency Report 7966, Security of Interactive and Automated Access Management Using Secure Shell (SSH), it warns that poorly controlled SSH key-based access within IT has become a major operational and security risk.

“Many large organizations have more SSH keys than they have passwords,” noted Tatu Ylönen, CEO of SSH Communications Security.

“The keys have been growing over the years, and there hasn’t been much management of them,” he told TechNewsWorld.

What has NIST concerned is that without proper management of SSH keys, an organization is inviting a security breach.

“In many instances, these keys can give a person the highest access on a system,” Ylönen explained. “They let you read any file and they let you modify the operating system.”

That kind of access can be very dangerous if it falls into the lap of a threat actor.

“You can steal data,” Ylönen said. “You can create false data, and in a cyberwar situation, you can destroy any server you’ve penetrated.”
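Getting SSH keys under management starts with an inventory: which public keys are authorised for which accounts, on how many hosts, with what restrictions, and how strong they are. The following Python is an added example written for this page, not code from SSH Communications Security, NIST or OpenSSH. It parses `authorized_keys` lines (including the optional options field, which may contain quoted strings with spaces), decodes each key’s type and RSA modulus size from the RFC 4251 wire format inside the base64 blob, computes the OpenSSH-style SHA256 fingerprint, and flags keys that are unrestricted, weak, duplicated across accounts, or granting root. The sample files and keys are constructed for the demonstration; the RSA modulus is a synthetic number, not a real key.

```python
"""Inventory SSH public keys in authorized_keys files and flag over-privileged or sprawling ones."""
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
             "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}

# --- RFC 4251 wire encoding used inside the base64 key blob ---
def ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def ssh_mpint(n: int) -> bytes:
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return ssh_string(b"\0" + b if b and b[0] & 0x80 else b)   # keep the sign bit clear

def read_string(buf: bytes, off: int):
    (ln,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4: off + 4 + ln], off + 4 + ln

def make_rsa_blob(e: int, n: int) -> bytes:
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)

def make_ed25519_blob(pub: bytes) -> bytes:
    return ssh_string(b"ssh-ed25519") + ssh_string(pub)

def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64(sha256(blob)) without '=' padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def describe_key(blob: bytes) -> dict:
    """Key type and, for RSA, the modulus length in bits."""
    ktype, off = read_string(blob, 0)
    info = {"type": ktype.decode()}
    if ktype == b"ssh-rsa":
        _e, off = read_string(blob, off)
        n, _ = read_string(blob, off)
        info["bits"] = int.from_bytes(n, "big").bit_length()
    return info

def split_line(line: str):
    """Split an authorized_keys line into (options, keytype, base64, comment).
    The options field is optional and may hold quoted strings containing spaces."""
    if line.split(None, 1)[0] in KEY_TYPES:
        options = ""
    else:
        i, in_quote = 0, False
        while i < len(line) and (in_quote or line[i] != " "):
            if line[i] == '"' and line[i - 1:i] != "\\":
                in_quote = not in_quote
            i += 1
        options, line = line[:i], line[i:].lstrip()
    parts = line.split(None, 2)
    return options, parts[0], parts[1], (parts[2] if len(parts) > 2 else "")

def option_names(options: str) -> set:
    """Option names (from, command, no-pty, ...), splitting on commas outside quotes."""
    names, cur, in_quote = set(), "", False
    for c in options + ",":
        in_quote ^= (c == '"')
        if c == "," and not in_quote:
            if cur:
                names.add(cur.split("=", 1)[0])
            cur = ""
        else:
            cur += c
    return names

def audit(files: dict) -> list:
    """files maps 'user@host' to authorized_keys text; returns (account, fingerprint, issue)."""
    findings, first_seen = [], {}
    for account, text in files.items():
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            options, _ktype, b64, _comment = split_line(line)
            blob = base64.b64decode(b64)
            fp, info, opts = fingerprint(blob), describe_key(blob), option_names(options)
            if info["type"] == "ssh-dss":
                findings.append((account, fp, "weak key type ssh-dss (DSA)"))
            if info.get("bits", 4096) < 2048:
                findings.append((account, fp, f"RSA modulus only {info['bits']} bits"))
            if not ({"from", "command"} & opts):
                findings.append((account, fp, "unrestricted key: no from= or command= option"))
            if fp in first_seen:
                findings.append((account, fp, f"same key also authorised for {first_seen[fp]}"))
            else:
                first_seen[fp] = account
            if account.startswith("root@"):
                findings.append((account, fp, "key grants root login"))
    return findings

# --- Constructed sample input (synthetic keys, not real credentials) ---
WEAK_RSA_BLOB = make_rsa_blob(65537, (1 << 1023) | 1)        # 1024-bit modulus
WEAK_RSA = base64.b64encode(WEAK_RSA_BLOB).decode()
ED25519 = base64.b64encode(make_ed25519_blob(bytes(range(32)))).decode()
SAMPLE = {
    "root@db01": f"ssh-rsa {WEAK_RSA} deploy@build\n",
    "root@web01": f"# legacy deploy key, owner unknown\nssh-rsa {WEAK_RSA} deploy@build\n",
    "backup@db01": f'from="10.0.0.5",command="/usr/local/bin/backup.sh",no-pty ssh-ed25519 {ED25519} backup\n',
}

if __name__ == "__main__":
    for account, fp, issue in audit(SAMPLE):
        print(f"{account:14} {fp[:20]}...  {issue}")
```

In the sample, the same 1024-bit RSA key is authorised for root on two hosts with no `from=` or `command=` restriction, which is exactly the “highest access on a system” Ylönen describes; the backup account’s ed25519 key, pinned to one source address and one command, produces no findings. Fingerprints are what let you correlate one key across many hosts, since the comment field is free text and cannot be trusted to identify an owner.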

Breach Diary

  • Nov. 28. U.S. Navy warns more than 130,000 sailors their personal information is at risk after a laptop is compromised by a contractor.
  • Nov. 28. University of Central Florida reports it paid $176,000 for credit monitoring costs related to data breach in February that placed at risk personal information for some 63,000 former employees and students.
  • Nov. 28. A September cyberattack by a state actor may have compromised Japan’s internal military network, The Japan Times reports.
  • Nov. 28. Hackers are trading account details of more than 300,000 users of porn site xHamster on the online underground, Motherboard reports. xHamster told Motherboard the database isn’t genuine.
  • Nov. 29. Deutsche Telekom and Germany’s Federal Office for Information Security (BSI) reveal a system disruption over the weekend affecting some 900,000 customers was part of a failed global attempt by hackers to hijack routers and use them to disrupt Internet traffic.
  • Nov. 29. Idaho Fish & Game announces it is again selling licenses and posting hunter reports online. The service was knocked offline in August by a data breach.
  • Nov. 29. Barrett Brown, a self-proclaimed spokesperson for the hacktivist collaborative known as “Anonymous,” is released from federal prison five months ahead of schedule.
  • Nov. 30. Europol reports sensitive data on terrorism investigations conducted from 2006 to 2008 is at risk after an employee brought the data home in violation of agency policy and stored it on a hard drive connected to the Internet without password protection.
  • Nov. 30. Camelot, the operator of the UK’s national lottery, announces some 26,500 player accounts are at risk after a data breach of its systems.
  • Nov. 30. Michigan State University estimates data breach earlier this month will cost the school $3 million for identity protection services and improvements in systems security.
  • Nov. 30. Greene King, the UK’s largest pub retailer, apologizes and offers identity theft service to some of its staff after an email including a list containing information on more than 2,000 bank accounts was accidentally distributed by its payroll department to pubs in the chain.
  • Nov. 30. Accounting software maker Sage reports increase of 9.3 percent in revenues to £1.57 billion and 9 percent in profits to £427 million for its fiscal year ending in September, despite data breach in August that exposed sensitive information of some 300 corporate customers.
  • Nov. 30. Erasmus University in the Netherlands reveals data breach two weeks ago that affected 17,000 students is worse than originally reported. Medical and financial info on the students was compromised in the breach, it said.
  • Dec. 1. International law enforcement authorities announce dismantling of Avalanche, a malware delivery and money mule recruiting platform that produced hundreds of millions of euros in revenues for its operators.
  • Dec. 1. MacKeeper Security Researcher Chris Vickery reports sensitive information of explosives handling company Allied-Horizontal is at risk after a Network-Attached Storage device was exposed to the public Internet.
  • Dec. 1. University of Arkansas business school study finds overcompensating data breach victims can have a negative impact on a company’s bottom line.
  • Dec. 2. Reuters reports hackers using a client’s credentials stole more than $31 million from the central bank of Russia.

Upcoming Security Events

  • Dec. 7. Insider Threats and Critical Infrastructure: Vulnerabilities and Protections. 10 a.m. ET. Webinar by @LKCyber. Free with registration.
  • Dec. 7. Weaponizing Data Science for Social Engineering: Automated E2E Spear Phishing. Webinar by ZeroFOX. Free with registration.
  • Dec. 7. Quantum Threats: The Next Undefended Frontier of Cybersecurity. 1 p.m. ET. Webinar by Isara Corporation. Free with registration.
  • Dec. 7. Trends in Email Fraud, and How to Prevent Enterprise-Facing Email Attacks. 2 p.m. ET. Webinar by Agari. Free with registration.
  • Dec. 7. Forensics Pre-Breach: Sword vs. Shield. 2 p.m. ET. Webinar by ID Experts. Free with registration.
  • Dec. 8. The Role of Supervisors in Mitigating Security Threats. Noon ET. Webinar by Anita R. Wood, Assistant Professor, Computer Information Technology at Pennsylvania College of Technology. Free with registration.
  • Dec. 8. Cybersecurity Trends — Security Analytics Is the Game Changer. 1 p.m. ET. Webinar by Interset. Free with registration.
  • Dec. 8. I Heart Security: Developing Enterprise Security Programs for Millennials. 5 p.m. ET. Webinar by NCC Group. Free with registration.
  • Dec. 9. Abusing Bleeding Edge Web Standards For AppSec Glory. 3 p.m. ET. Webinar by Cyph. Free with registration.
  • Dec. 12. Reducing Threats through Improving Identity Security. 1 p.m. ET. Webinar by co-founder of Criterion Systems and ID DataWeb. Free with registration.
  • Dec. 12. Combating Cloud Security Threats in 2017. 2 p.m. ET. Webinar by Cloudlock. Free with registration.
  • Dec. 12. How Cybersecurity, Technology and Risk Is Maturing the Role of the Modern CISO. 5 p.m. ET. Webinar by City of San Diego, California. Free with registration.
  • Dec. 13. Creating a Winning Player Experience While Battling Online Fraud. 10 a.m. and 1 p.m. ET. Webinar by Iovation. Free with registration.
  • Dec. 13. The 2017 Cyberthreat Landscape. Noon ET. Webinar by Cryptzone. Free with registration.
  • Dec. 13. When Things Misbehave: How to Mitigate Massive DDoS Attacks. 1 p.m. ET. Webinar by Allot Communications. Free with registration.
  • Dec. 13. Key Threats To Look Out for in 2017. 2 p.m. ET. Webinar by Raytheon Foreground Security and Forcepoint Labs. Free with registration.
  • Jan. 12. FTC PrivacyCon. Constitution Center, 400 7th St. SW, Washington, D.C. Free.
  • Jan. 16. You CAN Measure Your Cyber Security After All. 1 p.m. ET. Webinar by Allure Security Technology. Free with registration.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.
