Financial

How nGuard Pwned Your Network Video Series | Part 1 of 3

This is a 3-part series on how nGuard most commonly gains an initial foothold on your internal network, then takes that initial access and pivots through the network to obtain full command and control over systems. These are attacks that are present in over 90% of the networks we conduct internal penetration testing on. This will show you how quickly nGuard or an attacker can take an initial foothold and create persistent access. Some of the systems shown throughout this series will be Windows 7 machines but make no mistake, these are attacks that work in modern day Windows 10 environments.The first video will utilize a tool called Responder. This is a LLMNR (Link-Local Multicast Name Resolution), NBT-NS (NetBIOS Name Service) and MDNS (multicast DNS) poisoner. It will answer to specific NBT-NS queries based on their name suffix. By default, the tool will only answer to File Server Service request, which is for SMB. By responding to these broadcasts, nGuard can impersonate the host being requested and intercept future requests that may contain sensitive information. Through these requests, an attacker will receive the user’s hashed credentials, which can then be taken offline for cracking or used in other attacks.

The image below shows exactly how this works:

Here is the output to the terminal with a user’s hashed credentials:

The video below shows how this first step unfolds:

Stay tuned for part 2 where we will take these hashed credentials and relay them to other machines/systems which will discover other hosts we can gain access to on the network. If you have any questions about this attack or want to see if nGuard can perform attacks like this on your internal network during one of our internal penetration testing assessments please reach out to an Account Executive.

FBI Flash Alert: Critical Infrastructure Targeted

Introduction
It is no secret that critical infrastructure is on cyber watch here in the United States. On March 7^th, the FBI issued a flash warning regarding a strain of ransomware called RagnarLocker. At least 52 organizations across 10 critical infrastructure sectors have been affected by this variant of ransomware since it was first detected by the FBI in 2020. The list includes government agencies, manufacturing companies, financial services firms, and information technology firms. Threat actors behind RagnarLocker ransomware usually collaborate together, modifying the methods they use to distribute the ransomware constantly.

How It Works
RagnarLocker ransomware is complex and operates in the following way:

1. It attempts to identify the physical location of the infected machine utilizing Windows API GetLocaleInfoW and terminates the encryption process if the victim location is identified as “Azerbaijani,” “Armenian,” “Belorussian,” “Kazakh,” “Kyrgyz,” “Moldavian,” “Tajik,” “Russian,” “Turkmen,” “Uzbek,” “Ukrainian,” or “Georgian.”
2. To prevent multiple encryptions and corrupted data, the tool checks for current infections.
3. In the following step, it identifies all attached hard drives and assigns a drive letter to any volume that has not yet been assigned a logical drive letter. They are then accessible and can be encrypted.
4. All services running on infected machines are examined, and any services used for remote administration are terminated.
5. It then attempts to delete all Volume Shadow Copies, which will further disrupt an organization’s ability to retrieve data from the infected computer.
6. Lastly, it encrypts all available files. Instead of choosing files and folders to encrypt, it picks which to not encrypt. In general, it excludes core Windows OS files to prevent the machine from malfunctioning during the encryption process. Many times hackers will utilize the increasingly popular “double extortion” tactic, in which the attacker first exfiltrates sensitive data, then triggers the encryption attack, threatening to leak the stolen data if the target refuses to pay the ransom.

Indicators of Compromise
The FBI Flash Warning, on page 3, lists a number of Indicators of Compromise (IOC) associated with RagnarLocker Ransomware. Below are some examples of these IOCs.

Conclusion
Keeping ransom payments away from these threat actors is always the FBI’s recommendation. They believe this emboldens attackers to pursue these techniques against other organizations. They also urge all ransomware attacks to be reported. This provides investigators and analysts with the critical information they need to track ransomware attackers and hopefully prevent future attacks. If your organization has fallen victim to a ransomware attack, nGuard can help. Our incident response team is readily available to assist your organization. Preventative measures such as penetration testing and strategic security assessments can help mitigate risk in the first place and hopefully prevent such types of attacks.

Water Utilities Are Critical Infrastructure

Target: Water Utilities
Water Utilities play a critical role in our society. They provide fresh, potable water to residents, businesses and industry as well as manage the wastewater from them. As with other utilities and critical infrastructure, they are increasingly a target for hackers, terrorists, and hostile nation states. A successful hack can contaminate the fresh water supply, impair availability or cause an environmental disaster. It’s a direct risk to the health of the local population and supply chains which depend on readily available fresh water and wastewater management.

Becoming a Hard Target
Managing the risks isn’t trivial, but it’s not rocket science either –the science of cyber security has greatly matured over the past 20 years. The following 5 steps are key to a water utility becoming a hard target that is resistant to cyberattacks. Assess your overall cyber security program. Test your organization’s current readiness to cyber attacks on an annual basis by assessing both your external perimeter and your internal networks. Make sure you include both the IT and the OT (SCADA) sides of the house. Perform ongoing vulnerability management throughout the year. Make sure you have someone watching for suspicious security events. Lastly, make sure you have a Cyber Security Incident Response (CSIR) program in place. Because a cyber security incident is a question of when, not if, you must have a plan in place before it happens.

Strength In Numbers
Recognizing the critical importance of the water supply, leading water associations in the U.S., along with the U.S. federal government, have become increasingly organized in the defense of this essential infrastructure. A key part of this organization has been the formation of the Water Information Sharing and Analysis Center (WaterISAC). Authorized by the United States’ 2002 Bioterrorism Act, the WaterISAC is the key security information source for all threats impacting water and wastewater systems. In support of their mission, they have developed the 15 Cybersecurity Fundamentals for Water & Wastewater Utilities. As part of their ongoing education and outreach, WaterISAC recently invited nGuard to speak about some of these key cybersecurity concepts at an association meeting. You can watch this webinar below.

This Week in Cybersecurity (TWIC)

Russia has launched a full-scale military invasion into the country of Ukraine and with that comes the increased risk of cyber-attacks across the globe. Over the last couple weeks, we have seen many of these threats come to fruition as Ukrainian web sites were defaced and taken offline. New strains of data-destroying malware were also found to be deployed on critical government systems. Below are some of the most current cyber incidents that are taking place as a result of recent Russian aggression.

More than 70 Ukrainian government website have been defaced in cyberattacks (npr.org)
In a call conducted by Mary Louise Kelly, NPR’s cyber security correspondent Jenna McLaughlin detailed a series of cyber attacks that left about 70 Ukrainian government websites defaced. Hackers posted concerning messages in multiple languages telling viewers to be afraid and expect the worst. Jenna says these attacks are unsophisticated operations linked to a hacking group located in Russia and Belarus.

Ukrainian crisis: ‘Wiper’ discovered in latest cyber-attacks (bbc.com)
Late last week, BBC reported that while the websites of several Ukrainian banks and government offices became inaccessible, “wiper” malware was also being deployed on compromised systems. This malware aims to locate and destroy data residing on system drives. “ESET telemetry shows that the malware was installed on hundreds of machines in the country.”

Biden has been presented with options for massive cyberattacks against Russia (nbcnews.com)
Last Thursday, NBC News reported that President Biden had been presented with a menu of options for the United States to carry out impactful cyber attacks against Russia in a response to their recent military action against Ukraine. Two U.S. intelligence officials say that while no final decision has been made, all options remain on the table. “You could do everything from slow the trains down to have them fall off the tracks,” one person briefed on the matter said.

Russian ransomware gang threatens countries that punish Moscow for Ukraine invasion (politico.com)
Last Friday, Politico reported that a Russian ransomware gang, Conti, was making threats to hack the critical infrastructure of any nation or organization that retaliates against Russia for its recent military operations in Ukraine. The Conti gang issued its full support for the Russian government. This group is well known for launching government sponsored cyber attacks across the globe that have had devastating impacts.

Anonymous Hacking Group Declares “Cyber War” Against Russia (infosecurity-magazine.com)
The hacking group Anonymous has made it known that they will be launching a retaliatory cyber campaign against the Russian government following the special military operation launched by President Putin in Ukraine. Posted on their official Twitter account last Thursday read “The Anonymous collective is officially in cyber war against the Russian government. #Anonymous #Ukraine.” Shortly after this tweet was posted, the group claimed to have taken down multiple Russian government websites.

The United States government has issued strong warnings to organizations that reiterate the need to have a strong security posture during these times of uncertainty. nGuard account executives are ready to discuss any and all cyber security needs to help boost the readiness of your organization.

CIS Controls v8 (Part 3)

Summary
Last month, nGuard released a security advisory called CIS Controls v8 (Part 2) where we covered controls 7-12. This time, we are wrapping it up by covering the remaining 8 controls that are essential for a company who puts emphasis on a strong security posture. Read about these controls below and then take action within your organization to implement them.

Controls
Control 13: Network Monitoring and Defense
If an attacker gained access to your internal network, would you even know that it happened? It is essential that tools be in place to monitor network traffic for malicious activity and take action if necessary. Implementing an intrusion prevention system and log management system, then configuring it to meet the needs of your organization can halt simple attacks in their tracks.

Control 14: Security Awareness and Skills Training
Employees are the weakest link in the chain of organizational security landscape. Step 1 for any company looking to increase their security posture should be training employees to put a halt to social engineering attempts. At nGuard, we regularly conduct advanced social engineering campaigns for our customers — their employees fall for it every time. It is essential to establish and maintain a security awareness program for employees and conduct simulations if possible. Make security part of your company’s culture.

Control 15: Service Provider Management
We have been seeing a lot of disturbing headlines lately in which companies release data to third-parties and those vendors allow the data to become compromised. While the vendor may be responsible, perhaps the contracting organization didn’t conduct proper due diligence. Take service provider management seriously by having a developed process in place to evaluate whether or not this vendor is going to put security first while in possession of your sensitive data.

Control 16: Application Software Security
Any nGuard engineer will tell you that the easiest way to compromise a system is by exploiting critical, widely-known vulnerabilities due to outdated or unsupported software. Although these companies rely on a slew of software packages to conduct daily business operations, they fail to update them when security patches are released. nGuard recommends that you maintain a list of firmware and software that will need to be updated; sign up for mailing lists that will alert you when new patches are to be released; and configure automatic updates if possible. Do not let your software be outdated for an extended period of time!

Control 17: Incident Response Management
Many security professionals will tell you that it’s not a matter of “if,” but a matter of “when” a company will become compromised in some form or fashion. Is your organization prepared to recover from a ransomware attack? If not, maybe it’s time to think about this. Having a well-developed incident response plan in place can prevent a world a trouble. Develop policies, plans, procedures, define roles, conduct training, and develop communication plans to mitigate threats. Once these measures have been implemented, conduct table top exercises to test the plan you have put in place.

Control 18: Penetration Testing
This is nGuard’s favorite control. Penetration testing attempts to evaluate the security of an IT infrastructure by safely trying to exploit vulnerabilities. While vulnerability scans do a great job of pointing you to the low hanging fruit that attackers will take advantage of, penetration testing brings a real-world expert into your environment to chain together vulnerabilities and give you a better evaluation of potential risk. Start with external penetration testing to secure your public facing infrastructure and then move to internal penetration testing to make life harder for an attacker that gets in.

Next Steps
nGuard offers a wide variety of services that will help guide your organization on its path to implementing these critical security controls. Our Strategic Security Assessment allows your organization’s key players the opportunity to sit down with a security consultant who knows these controls like the back of their hand. Not only will they help you strengthen the controls that are already in place, they will make recommendations for the areas in which your organization falls short. Below are some other ways nGuard can help your business implement these controls:

This Week In Cybersecurity (TWIC)

It’s another busy week in the world of cybersecurity and nGuard wants to keep our advisory readers up to date. This week, nGuard is bringing you everything from the US State Department being attacked to Microsoft Power Apps leaking 38 million records.

US State Department Hit By Cyber-Attack

On August 21, Fox News journalist Jacqui Heinrich reported that the U.S. State Department suffered a cyber-attack. This led to the Department of Defense Cyber Command making notifications of a possible serious breach. A spokesperson for the State Department was quoted as saying, “The department takes seriously its responsibility to safeguard its information and continuously takes steps to ensure information is protected. For security reasons, we are not in a position to discuss the nature or scope of any alleged cybersecurity incidents at this time.” The State Department will not likely release any details of the attack. This comes in the wake of recent attacks on Colonial Pipeline and JBS from Russia, and the Microsoft Exchange Server attacks originating from China.

AT&T Data Being Sold On The Dark Web

Last week it was T-Mobile, this week it’s AT&T. The hacker gang, ShinyHunters, is claiming they have the data of 70 million AT&T customers personal identifiable information (PII) which includes names, phone numbers, social security numbers, dates of birth, addresses, and more. ShinyHunters are selling the data on RaidForums in small segments for $30,000 or the entire database for $1 million. AT&T has denied this information came from their systems.

Microsoft Power Apps Leaks 38 Million Records

The data of 38 million people was mistakenly exposed to the internet which was caused by an issue with more than 1000 Microsoft web applications. Some of the companies that were affected are American Airlines, Ford, J.B. Hunt, the Maryland Department of Health, the New York City Municipal Transportation Authority, and New York City public schools. The information leaked included COVID-19 contact tracing platforms, vaccination information, job application portals, and employee databases. The information included vaccination status, social security numbers, home addresses, and phone numbers. The flaw that allowed this leak to occur was in the Power Apps application programming interface (API) default setting which opened the information to the public. The privacy settings needed to be changed manually to prevent this from happening, but a majority of customers were not aware of this option.

President Biden Hosts Tech, Energy, Finance Leaders Meet In ‘Call to Action’

On Wednesday August 25^th, Apple, Amazon, Google, Microsoft and chief executives from insurance, energy and water companies were summoned to the White House to focus on improving cybersecurity. This meeting comes as recent high-profile attacks like the SolarWinds and Microsoft Exchange attacks have become more frequent. The White House wanted to address these areas of concern and determine how to best protect the 16 Critical Infrastructure sectors. Additionally, nonprofit organizations focused on computer science education and several colleges were included in the meeting to discuss efforts on how to address the gap of roughly 500,000 vacant U.S. cybersecurity jobs.