Blogs

Phone scams targeting a variety of organisations in the Health industry

Phone scams targeting a variety of organisations in the Health industry AUSCERT has recently received numerous reports of phone scams targeting a variety of organisations in the Health industry. The exact nature of the unsolicited calls varies but has included conference and event invites, training sessions, and attempts to confirm personal details of the callee or others in the organisation.  The callers have claimed to be associated with varied groups including GE Healthcare (who have been alerted to this), NEOH and the called organisation itself. Organisations should also be aware that fraudsters claiming to be from various GE businesses (including public reports of criminals using the name of GE Healthcare) often commit recruitment fraud and may do so as part of this activity. While phone scams such as these are ever present this recent spate of reports we have received specifically from the Health industry suggests the current need for increased awareness amongst Health industry organisatons. AUSCERT encourages members to review their current security awareness of their staff in relation to phone scams and consider alerting staff to this current activity. Guidelines for staff would include what steps to take when receiving unsolicited calls, the type of information that can and can not be provided, and any reporting guidelines. AUSCERT recommends staff are encouraged to report unsolicited or suspicious calls so that organisations can monitor for concerted attacks. AUSCERT has received reports of numerous calls to the same organisation (and individual) over a very short period of time. Information on what to do should also be provided for staff that have been defrauded or provided personal or organisational information. Useful resources include: https://www.scamwatch.gov.au/ https://www.staysmartonline.gov.au/ http://www.fairtrading.nsw.gov.au/ftw/Businesses/Scams/Business_scams To help gauge how wide spread this activity is AUSCERT would appreciate any feedback from organisations that have been targeted.  

Learn more

Major security incidents

Wannacry ransomware incident

Wannacry ransomware incident [For a short version of this alert, please read just the THREAT and RECOMMENDED ACTION sections below] UPDATE 1: Microsoft published a blog that will serve as their centralized resource for these attacks. [10], and have made patches available for previously unsupported systems. There is now no reason NOT to patch “we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download” [10] UPDATE 2: see APPENDIX for scripts to find vulnerable systems in your network and also to also identify infected systems in your network UPDATE 3: See Introduction for update on affected organisations and information on the malware’s operational aspects. See the Recommended Actions section for additional information on applying IOCs. UPDATE 4: A Wannacry in-memory key recovery for WinXP document has been released. [17] INTRODUCTION An ongoing widespread ransomware worm attack has occurred against organisations in approximately 150 countries. AUSCERT has not received any local reports of such attacks at the moment. Confirmed reports of WannaCry infections have been received from countries in the APAC region. Indonesia is the closest such example with Healthcare organisations being targeted. Attacks have been reported against the NHS, University of Waterloo, Nissan in the UK, the Interior Ministry, banks, railroads in Russia, Telefonica users in Spain, German Rail, a mall in Singapore and ATMs in China, among others. The attacks do not appear to target any particular industry sectors. [1, 14]. The worm part of the malware launches the EternalBlue exploit against Windows hosts vulnerable to CVE-2017-0144. This achieves privilege escalation and Remote code execution within the target host. The worm then proceeds to download the ransomware component. The Double Pulsar exploit is launched to install a backdoor in infected hosts, thereby gaining persistent access. Analyses flag encrypted files containing different extensions. Encrypted file extensions are renamed to “.wnry”, “.wcry”, “.wncry” and “.wncrypt”, likely due to variants of the ransomware. The ransomware targets files with the following extensions: .123,.3dm,.3ds,.3g2,.3gp,.602,.7z,.ARC,.PAQ,.accdb,.aes,.ai,.asc,.asf,.asm,.asp,.avi,.backup,.bak, .bat,.bmp,.brd,.bz2,.cgm,.class,.cmd,.cpp,.crt,.cs,.csr,.csv,.db,.dbf,.dch,.der,.dif,.dip,.djvu,.doc,.docb, .docm,.docx,.dot,.dotm,.dotx,.dwg,.edb,.eml,.fla,.flv,.frm,.gif,.gpg,.gz,.hwp,.ibd,.iso,.jar,.java,.jpeg, .jpg,.js,.jsp,.key,.lay,.lay6,.ldf,.m3u,.m4u,.max,.mdb,.mdf,.mid,.mkv,.mml,.mov,.mp3,.mp4, .mpeg,.mpg,.msg,.myd,.myi,.nef,.odb,.odg,.odp,.ods,.odt,.onetoc2,.ost,.otg,.otp,.ots,.ott,.p12, .pas,.pdf,.pem,.pfx,.php,.pl,.png,.pot,.potm,.potx,.ppam,.pps,.ppsm,.ppsx,.ppt,.pptm,.pptx,.ps1, .psd,.pst,.rar,.raw,.rb,.rtf,.sch,.sh,.sldm,.sldx,.slk,.sln,.snt,.sql,.sqlite3,.sqlitedb,.stc,.std,.sti,.stw, .suo,.svg,.swf,.sxc,.sxd,.sxi,.sxm,.sxw,.tar,.tbk,.tgz,.tif,.tiff,.txt,.uop,.uot,.vb,.vbs,.vcd,.vdi,.vmdk, .vmx,.vob,.vsd,.vsdx,.wav,.wb2,.wk1,.wks,.wma,.wmv,.xlc,.xlm,.xls,.xlsb,.xlsm,.xlsx,.xlt,.xltm,.xltx,.xlw,.zip RECOMMENDED ACTIONS: AlienVault’s Open Threat eXchange (OTX) has a number of threat indicators. [2] (A zip file of the threat indicators is available for download at the end of this publication – wannacry_ioc.zip ) Members are strongly advised to apply these threat indicators, which include: 1. Domains In general domains should be blocked outbound, as these represent C&C servers to which the ransomware attempts to connect. However, among these are two domains that are kill switches for the ransomware. If infected hosts can resolve these domains, the malware exits and propagation ceases. The domains are iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com and ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com. It is advisable to not block outbound traffic to these sinkholed domains because they can help identify infected hosts. Caution: Updated malware is likely to omit the killswitch feature or amend it. 2. Remote IPs/ports Apply blocks/checks in ACLs,IPS/IDS, network firewalls both inbound and outbound. The IPs represent C&C servers for the ransomware, additional resource download URLs and Bitcoin payment sites. 3. Hostnames Same as above. 4. File paths Applied to Host IDS and/or integrity checkers helps identify known dropped files for the ransomware. 5. Registry keys Applied to Host IDS and/or integrity checks can help identify creation or modifications of registry keys by the ransomware. 6. Snort Applied to IDS/IPS, helps detect EternalBlue exploit activity. 7. Yara YARA signature(s) to detect the presence of ransomware in hosts. [15] 8. BTC Known Bitcoin wallet addresses that are used to receive ransom payments. Outbound traffic to these URLs could help identify infected hosts attempting payment. The accessed URLs will be of the form: https://blockchain.info/address/ + BTC Wallet 9. File Hashes (MD5, SHA1, SHA256) Network security devices such IDS/IPS, SIEMS, Firewalls should be tuned to block these domains, IPs and Host names, both inbound and outbound. Host IDSs should be tuned to monitor changes in Windows hosts for the indicated file paths, file hashes. The malware targets a remote code execution vulnerability in SMB (CVE-2017-0144). This vulnerability was addressed in Microsoft’s update MS17-010. [3] All Windows hosts should be patched immediately, to address this vulnerability if they already haven’t. (See the AUSCERT Security bulletin). [4] Organisations that are unable to patch certain systems, for example, hospitals operating specialised equipment, are advised to consider implementing Private VLANs to isolate such systems. This would help prevent lateral movement. ADDITIONAL RECOMMENDATIONS MS-ISAC issued an advisory addressing the remote code execution vulnerabilities in SMB server that is currently being used to propagate the WannaCry ransomware. MS-ISAC has provided the following recommendations to mitigate the vulnerabilities: “Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing. Disable SMBv1 on all systems and utilize SMBv2 or SMBv3 after appropriate testing. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources. Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially those from un-trusted sources. Apply the Principle of Least Privilege to all systems and services.” [5] AUSCERT recommends the following measures to mitigate risk of exposure: Anti-virus signatures should be updated immediately If patching is not possible, make a business decision to disable SMB. [6] Block SMB traffic from all but necessary and patched systems (Firewall ports 445/139 ). Segment your networks. Disable or restrict Remote Desktop Protocol (RDP) access – see http://support.eset.com/kb3433/#RDP A snort rule for ETERNALBLUE was released by Cisco as part of the “registered” rules set. Check for SID 41978. [7] Emerging threats has an IDS rule that catches the ransomware activity: (ID: 2024218). [8] AUSCERT has compiled a list of indicators of compromise based on analyses conducted by external parties [11-13]. AUSCERT will continue to issue additional alerts as and when new information becomes available. POST-INFECTION For ransomware, prevention is the best possible outcome. However, if a ransomware infection has occurred, consider the following measures: 1. Immediately isolate the infected host from the network to prevent lateral movement 2. Submit samples of infected files to Crpyto-sheriff. This might help identify a decryptor to recover encrypted files. [16] REFERENCES: [1] http://www.telegraph.co.uk/news/2017/05/12/nhs-hit-major-cyber-attack-hackers-demanding-ransom/ [2] https://otx.alienvault.com/pulse/5915db384da2585b4feaf2f6/ [3] https://technet.microsoft.com/en-us/library/security/ms17-010.aspx [4] https://portal.auscert.org.au/bulletins/45238 [5] https://msisac.cisecurity.org/advisories/2017/2017-024.cfm [6] https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012 [7] https://isc.sans.edu/forums/diary/ETERNALBLUE+Windows+SMBv1+Exploit+Patched/22304/ [8] https://isc.sans.edu/forums/diary/Massive+wave+of+ransomware+ongoing/22412/ [9] https://blog.malwarebytes.com/threat-analysis/2017/05/the-worm-that-spreads-wanacrypt0r/ [10] https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/ [11] https://www.symantec.com/connect/blogs/what-you-need-know-about-wannacry-ransomware [12] https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/ [13] https://www.troyhunt.com/everything-you-need-to-know-about-the-wannacrypt-ransomware/ [14] https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168 [15] https://blog.malwarebytes.com/threat-analysis/2013/10/using-yara-to-attribute-malware/ [16] https://www.nomoreransom.org/crypto-sheriff.php [17] https://github.com/aguinet/wannakey APPENDIX Please read the DISCLAIMER [17] before using these scripts. IDENTIFICATION OF VULNERABLE SYSTEMS To detect systems on a network (x.x.x.x/xx) that are vulnerable (i.e that are not patched to mitigate MS17-010) a python script is available https://github.com/RiskSense-Ops/MS17-010 This is a standalone version of a corresponding METASPLOIT detection module – https://www.rapid7.com/db/modules/auxiliary/scanner/smb/smb_ms17_010 UBUNTU installation/Usage $ sudo apt-get install prips $ wget https://github.com/RiskSense-Ops/MS17-010/raw/master/scanners/smb_ms17_010.py $ prips x.x.x.x/xx | xargs -l1 python ./smb_ms17_010.py # If the above script is too slow, then you can identify just the Windows servers in you network to pass to smb_ms17_010.py <ip> with the nbtscan tool. $ sudo apt install nbtscan $ nbtscan x.x.x.x/xx IDENTIFICATION OF INFECTED SYSTEMS To detect systems on a network (x.x.x.x/xx) that are already infected (by virtue of DOUBLEPULSAR malware also being installed as part of the worm), another detection script is available: UBUNTU Installation/Usage $ pip install netaddr –user $ git clone git@github.com:countercept/doublepulsar-detection-script.git $ cd doublepulsar-detection-script/ $ python detect_doublepulsar_smb.py –net x.x.x/xx REVISION HISTORY Version Published Changes 1.0 13th May 2017 Original version published 2.0 13th May 2017 Update 1 – Microsoft issues out of band patches 3.0 14th May 2017 Update 2 – Appendix added 4.0 15th May 2017 Update 3 – Additional campaign related information, Indicators of Compromise and reference resources. Post-infection section added 5.0 17th May 2017 Update4 – Wannacry in-memory key recovery for WinXP released AUSCERT Team [17] DISCLAIMER AUSCERT has made every effort to ensure that the information provided is accurate and the advice is appropriate based on the information we have received. However, the decision to use or rely upon the information or advice is the responsibility of each organisation and should be considered in accordance with your organisation’s site policies and procedures. AUSCERT takes no responsibility for adverse consequences which may arise from following or acting on the information or advice provided.   Attached Documents wannacry_ioc.zip

Learn more

Week in review

AUSCERT Week in Review for 30th June 2017

AUSCERT Week in Review for 30th June 2017 Hope you all have had a chance to investigate the new website. Please email us at auscert@auscert.org.au or call 07 3365 4417 with any questions or concerns about the new website. As Friday 30th June comes to a close, there have been numerous security related news items this week. Here’s a summary (including excerpts) of some of the more interesting stories we’ve seen this week: Title: The Petya ransomware is starting to look like a cyberattack in disguiseDate Published: 28/06/2017 URL: https://www.theverge.com/2017/6/28/15888632/petya-goldeneye-ransomware-cyberattack-ukraine-russiaAuthor: Russell Brandom Excerpt: “The haze of yesterdays massive ransomware attack is clearing, and Ukraine has already emerged as the epicenter of the damage. Kaspersky Labs reports that as many as 60 percent of the systems infected by the Petya ransomware were located within Ukraine, far more than anywhere else. The hacks reach touched some of the countrys most crucial infrastructure including its central bank, airport, metro transport, and even the Chernobyl power plant, which was forced to move radiation-sensing systems to manual.” —– Title: Google Slapped With Record $3.6 Billion Fine In Europe For Manipulating Shopping Results Date Published: 28/06/2017URL:  https://www.gizmodo.com.au/2017/06/google-slapped-with-record-3-6-billion-fine-in-europe-for-manipulating-shopping-results/Author: Matt Novak Excerpt: “Yesterday, government regulators in Europe hit Google with a record 2.42 billion fine, roughly the equivalent of $3.5 billion. The search engine company was found to be manipulating search results to favour its own shopping service, a violation of antitrust laws. And if it doesn’t fix the problem within 90 days it faces an additional 12.5 million ($18.7 million) fine per day.” —– Title: Defence launches ‘Information Warfare Division’ Date Published: 30/06/2017 URL: https://www.computerworld.com.au/article/621324/defence-launches-information-warfare-division/Author: George Nott Excerpt: “The Australian Defence Force is launching a new Information Warfare Division responsible for electronic warfare, the government announced today.” —– Title: Turnbull government continues push against online encryption ahead of Five Eyes meeting Date Published: 26/06/2017 URL: http://www.news.com.au/technology/online/security/turnbull-government-continues-push-against-online-encryption-ahead-of-five-eyes-meeting/news-story/cae2303d24bcfe90cf3d490083c208e9Author: Nick Whigham and AAP Excerpt: “AUSTRALIA will be leading the discussion on an encrypted technology crack down when ministers meet with FiveEyes nations to talk terror prevention. Leaders from Australia, the United States, United Kingdom, Canada and New Zealand, will meet in the Canadian city of Ottawa where they will discuss tactics to combat terrorism and the spread of extremism.” —– Title: Qld ex-cop charged with 44 counts of database snooping Date Published: 28/06/2017 URL: https://www.itnews.com.au/news/qld-ex-cop-charged-with-44-counts-of-database-snooping-466817Author: Allie Coyne Excerpt: “The Queensland Crime and Corruption Commission has charged a former police officer with accessing information in the force’score crimes database 44 times over six years without authorisation.” Here are this week’s noteworthy security bulletins: 1) ESB-2017.1639 – [Ubuntu] Kernel: Multiple vulnerabilitieshttps://portal.auscert.org.au/bulletins/49422 USN 3326-1 fixed a vulnerability in the Linux kernel. However, that fix introduced regressions for some Java applications. That is a lot of regressions 🙁 2) ESB-2017.1643 – [Win] OpenSource Apache Struts: Multiple vulnerabilities https://portal.auscert.org.au/bulletins/49438 Struts is in all sorts of products. 3) ESB-2017.1644 – [Appliance] Cisco IOS and IOS XE Software: Multiple vulnerabilities https://portal.auscert.org.au/bulletins/49442 Root compromise that is significant. 4) ESB-2017.1602 – [Win][Linux][AIX] IBM Java SDK: Multiple vulnerabilities https://portal.auscert.org.au/bulletins/49270 Oh no not Java vulnerabilities —- Stay safe, stay patched and have a good weekend! Peter

Learn more

Blogs

DDoS Mitigation

DDoS Mitigation Denial of service (DoS) attacks have hit the news in Australia, yet again. But what is a DoS attack? A DoS attack is designed to deny access to a computing resource from its intended users. A distributed DoS (or DDoS) attack is conducted by numerous (could be in the tens of thousands) computers against a single host or network. It’s not possible to prevent DDoS attacks, we can only be prepared to mitigate them. Types of DDoS attacks An attacker may use a stateless protocol like ICMP or UDP with spoofed source addresses, but it is also common for an attack to be carried out with legitimate network traffic (like HTTP GET requests). In the latter case it can be difficult to block malicious traffic without impacting legitimate traffic. A DDoS is commonly directed at a web site, with a sufficiently large number of requests to overwhelm the capacity of the web server to handle them. In extreme cases, the site’s network equipment may be made unavailable by the volume of traffic they are attempting to filter. Preparing for a DDoS attack There are a number of steps that you can take to prepare for a DDoS attack, including: Ensure that senior management is aware of the impact of a DDoS attack and will support your steps to mitigate one Understand your network – knowing what is normal for your network will enable a threshold of activity that indicates the start of a DDoS Keep your OS up to date and hardened – disable any unneeded services Implement firewall measures on your host – an example for linux Implement application protection, like ModSecurity web application firewall and mod_evasive for Apache – note that a large DDoS attack will quickly overwhelm these measures Run a dedicated network firewall that is able to handle a greater load than the one on the host itself Set up your border router with ACLs to allow only valid traffic into your network eg filter bogons and unused protocols Establish contact details for your upstream network provider so that they may be readily contacted in an emergency. Containing a DDoS attack The scale of the attack will determine the effectiveness of mitigation measures. It may be possible to contain the attack on the affected host itself, or it may require upstream filtering. Implement filtering based on the attack eg blocking UDP packets Consider disabling the targeted application until the attack stops Implement rate limiting for network traffic to the target Contact your ISP for traffic filtering Other resources are available; these are recommended reading – Factsheet Technical measures for the continuity of online services, Mitigation Guidelines for Denial-of-Service Attacks and Network DDoS Incident Response Cheat Sheet List of useful links from the blog + one more 1 https://javapipe.com/iptables-ddos-protection2 https://www.modsecurity.org/3 https://www.zdziarski.com/blog/?page_id=442 (andhttps://www.digitalocean.com/community/tutorials/how-to-protect-against-dos-and-ddos-with-mod_evasive-for-apache-on-centos-7)4 https://www.ncsc.nl/english/current-topics/factsheets/factsheet-technical-measures-for-the-continuity-of-online-services.html5 https://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/2012/tr12-001-en.aspx6 https://zeltser.com/ddos-incident-cheat-sheet/

Learn more