Events

CIS Controls v8 (Part 1)

Summary
The Center for Internet Security (CIS) Critical Security Controls is a list of security best practice guidelines that organizations have been utilizing since 2008. Formerly known to many as the “CIS Top 20,” this publication covers a wide variety of security practices that assist organizations in taking the preventative measures needed to limit risk against cyber-attacks. Last month, CIS released the latest version of their publication, v8, to address the rising concerns that organizations are facing in 2021 and beyond. This version consolidates the former 20 controls into 18 and includes focus on many modern practices such as work-from-home, cloud computing, and increased mobility. Let’s take a look at the first 6 controls and how nGuard can help you down the path to compliance. We will cover the remaining controls in a future security advisory.

Controls
Control 1: Inventory and Control of Enterprise Assets
It’s important to know where your company-owned assets are located. How can you actively secure your network if you don’t even know how many devices are connected to it? This practice lays out the controls that are needed to dynamically monitor assets and keep track of the devices that are connected to your network.

Control 2: Inventory and Control of Software Assets
Is your development team standing up new web servers? Is your IT team exposing management style applications to the internet for remote management? It’s important to keep track of these things. nGuard consistently finds management interfaces exposed to the internet that our customers didn’t know existed. Out of the box, these applications can be insecure. It is essential that you know what types of applications exist in your environment.

Control 3: Data Protection
Is customer data living on your company’s network shares forever? Is it encrypted? Does everyone at the company have access to it, or only the people who need it? Data retention can be a difficult thing to manage properly. Complying with this control will give your customers a peace of mind that their data is properly managed within your organization.

Control 4: Secure Configuration of Enterprise Assets and Software
Does your organization have a proper patch management program in place? Can you say for sure that default accounts aren’t enabled on your network equipment? This control will help you develop policy to ensure proper patches are applied and new devices are configured properly.

Control 5: Account Management
8-character passwords are likely not secure. Your employees are probably using similar passwords for their domain and email accounts. Are you confident that your employees won’t fall victim to a social engineering attack? Account management is one of the more important controls for securing access to sensitive data and assets.

Control 6: Access Control Management
When nGuard engineers perform internal penetration testing, they consistently gain access to what are believed to be “low-privilege” user accounts. It turns out that this account has local administrator privileges on the workstation which allows engineers to dump domain administrator credentials from memory and compromise the entire network. Is your organization conducting annual internal penetration testing to identify weaknesses that may lead an attacker to gain elevated privileges?

Next Steps
Whether you are forced to comply with these controls, or just want to elevate the security posture of your organization, nGuard offers a wide variety of services that will assist you along the way. Tactical assessments like Penetration Testing can point out the flaws that exist in your environments while strategical assessments like the Best Practice Strategic Security Assessment (SSA) can assist your organization in implementing the preventive controls needed to minimize risk. Additionally, nGuard specializes in policy development that can lead your organization down the path to compliance. Talk to an nGuard Account Executive today!

Colonial Pipeline – Timeline Of Events

On Friday May 7th Colonial Pipeline suffered a cyberattack involving ransomware, causing them to shutdown their IT systems and temporarily pause production on a majority of their pipelines. Additional details of the attack are still coming out each day, but here is a current timeline of events and details of how the hacker group, DarkSide, has carried out its attacks based on publicly available information.

May 6th
Colonial Pipeline networks are breached, 100GB of data is stolen and computers are encrypted with ransomware.

May 7th
Colonial Pipeline paid $4.4 million to DarkSide hacking group to decrypt their infrastructure.

May 8th
Colonial Pipeline, along with U.S. Government organizations and U.S. companies take systems offline that were in control by the hackers.

Colonial Pipeline issues statement on attack stating they have been victims of ransomware and have engaged a third-party cybersecurity firm and alerted law enforcement. Source:Colonial Pipeline Statement

May 9th
Colonial Pipeline issues second statement giving an update of their investigation into the attack and the status of their pipeline operations. Source: Colonial Pipeline Statement

May 10th
FBI issues statement confirming DarkSide is the responsible party for the hack.

Colonial Pipeline issues a statement that their goal is to substantially restore service by the end of the week.

Colonial Pipeline manually operates a line from Greensboro, NC to Woodbine, MD for a limited period of time, but other main lines continue to be offline.

May 11th
CISA and FBI issue cybersecurity advisory describing ransomware used by DarkSide with strategies for risk mitigation. Source:Joint Advisory.

Colonial Pipeline’s website is offline for part of the day.

May 12th
Colonial Pipeline’s website is restored and a new website is provided to address their response to the attack. Source: CP Cyber Response

Colonial Pipeline is able to restart services around 5:00pm. It will still take many days to replenish the depleted supply chain after panic buying of fuel and delayed fuel deliveries.

How Did Darkside Launch the Attack?
Based on research of DarkSide, the below methods are the tactics they have typically followed in recent attacks. Source: DarkSide Ransomware Research

Attackers were able to gain access in a few different ways:
1. Phishing attacks
2. Brute-force password attacks
3. SQL Injection against VPN networks
4. Utilizing TeamViewer
5. Installing backdoors
Once inside the network, attackers escalated privileges by:
1. Exploiting the Zerologon vulnerability.
2. Utilizing Mimikatz.
3. Accessing and dumping Local Security Authority Subsystem Service (LSASS).
With privileged access, DarkSide uses PowerShell and Certutil to deploy and execute the ransomware across the network.

Where to go from here?
The attack methods used by DarkSide should lead to a review of your organization’s security assessment programs to ensure the below critical assessment activities are included.

nGuard’s security assessment portfolio can help your organization find your vulnerabilities before the bad guys do. If your organization falls victim to a ransomware attack like Colonial Pipeline, bring in our experts for your Cybersecurity Incident Response.

Should We Pay The Ransom?

Summary
Has your organization been a target of ransomware? Did you pay the ransom? If so, did you get all your data back? Whenever an organization becomes a victim of a ransomware attack, paying the malicious attackers may seem like the only hope, especially for companies that don’t have proper backup procedures in place. Unfortunately, statistics are showing us that paying the ransom guarantees little in return. Here are some key data points collected from a large sample size of mid-sized organizations spread across the globe.

In 2021, 37% of organizations have experienced some type of ransomware attack.
The average costs of remediating against a ransomware attack grew in 2021 to $1.85 million.
The average cost of paying the ransom grew to $170,000.
32% of the organizations affected by a ransomware attacks decided to pay the malicious actors.
ONLY 8% WERE ABLE TO DECRYPT AND RECOVER ALL THEIR DATA AFTER PAYING THE RANSOM!

The last point truly brings reality into check. Paying the ransom rarely pays off. This can be attributed to many factors, but the overwhelming majority of organizations say that they received the ransom key after payment, but were unable to use it in an effective manner. This can be linked to poorly coded malware and IT teams with limited experience.

What Can You Do?
It is extremely important for organizations to take proper precautions to protect themselves against the increasing threat of ransomware.

Perform monthly or quarterly vulnerability scans against your external perimeter and internal networks to stay up to date with the latest vulnerabilities that could give an attacker their initial foothold.
Perform annual penetration testing to protect against advanced techniques that may allow an attacker to pivot once they have a foothold.
Create effective Incident Response policies and procedures.
Conduct tabletop exercises to validate and identify gaps in your Incident Response Plan.
Perform consistent security awareness training with employees to limit the chance of successful social engineering and phishing attacks.
Have proper onsite and offsite backup policies and procedures in place. If you fall victim to ransomware, you may be able to recover from backup, with limited, if any data loss, and not rely on paying a large sum of money for an 8% chance of getting your data back.

When it comes to protecting your organization’s critical data, it’s time to get serious. nGuard is ready and willing to discuss all these preventative solutions with you and your team.

FBI Is Removing Back Doors From Private Networks

The FBI was given permission last week by the United States Department of Justice (DOJ) to remove web shells that were maliciously placed as a result of the Microsoft Exchange Server vulnerabilities discovered in January. For more information on the Exchange Server vulnerabilities, check out our prior Security Advisory discussing them. If you have not applied the patch yet, it is urgent you do so immediately.

The FBI was able to identify hundreds of remote web shells that persist on networks even if the patch was applied. Attackers placed these shells there knowing the vulnerability would be fixed but wanted to maintain access for future attacks. The DOJ stated, “The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path).” The FBI is currently making attempts to contact the owners of the exchange servers they removed web shells from and notify them of the actions taken. Although the removal of these web shells is great news for the organizations where they existed, the FBI has not applied patches needed to remove the vulnerabilities or any malware remaining from attackers.

The impact of the court order issued to the FBI to allow these actions on future requests is still unknown, but this will set an interesting precedent going forward. Even though the intentions and actions of the FBI were for the betterment of the organizations, the government was accessing private networks without the owner’s permission. This could allow more intervention from the government on private networks. Opinions are split on the matter, but most believe this will not be the last time we see the government taking steps to remove threats on networks they do not own.

Florida Water Treatment Plant Hack

Summary
Earlier this month, hackers successfully carried out an attack against an Oldsmar, Florida water treatment facility, coming awfully close to poisoning the water supply. Attackers were able to access the water treatment plant’s Supervisory Control and Data Acquisition (SCADA) systems remotely and increase the levels of sodium hydroxide that is added to the water from 100 parts per million to 11,100 parts per million. In small doses this chemical is safe to consume. Fortunately, the change was discovered immediately by an employee and they were able to reverse the change, prior to any modifications in the levels of sodium hydroxide.

How did they do it?
The water treatment plant is running Windows 7 operating system on its computers. This is an outdated, unsupported operating system which had not received any updates in over a year. Attackers were able to compromise the computers due to the outdated systems which are affected by multiple known vulnerabilities. This resulted in unauthorized access to the systems. The computers had also been utilizing TeamViewer, a remote access software, to administer the machines as needed and respond to alerts. All the computers on the network that used TeamViewer utilized the same password and allowed anyone from the internet to access these systems. A recent data breach database that was leaked in 2017 contained passwords that matched the domain of ci.oldsmar.fl.us. It is believed the attackers used these passwords to gain access via TeamViewer. Once attackers had gained access via the outdated operating system, they used this software to remotely access the desktop and modify the sodium hydroxide levels.

What to do?
If your organization is hosting critical infrastructure, like SCADA or Cardholder Data Environments (CDE) for PCI, it’s crucial to:

Properly segment these systems from non-critical networks.
Ensure all operating systems in use, across all networks, are supported by the vendor and receiving and applying regular security patches.
Regular testing to check for proper segmentation should be done to validate the security access controls in place are sufficient to limit access to critical infrastructure.
Limit the types of software allowed on your systems.
Eliminate all local administrator accounts to enforce the principle of least privilege.
Have a strong password policy that is strictly enforced for all types of accounts.

nGuard has broad experience helping to secure all types of critical infrastructure organizations, including energy. By leveraging penetration testing, managed security solutions and Cyber Security Incident Response, we can help your organization become secure and meet your compliance goals.