Tuesday, May 23, 2017

Harden Windows with Group Policy :: Common Exploit Mitigation




Disabling a number of "features" exposed by Windows, Office and Adobe Reader applications simply reduces the attack surface.


Common Exploit Mitigation

Generic Windows Features
1. Disable Windows Script Host. Windows Script Host allows the execution of VBScript and JavaScript files on Windows operating systems. This is very commonly used by regular malware (such as ransomware) as well as targeted malware.
2. Disable AutoRun and AutoPlay. Disables AutoRun / AutoPlay for all devices. For example, this should prevent applications from automatically executing when you plug a USB stick into your computer.
3. Disable powershell.exe, powershell_ise.exe and cmd.exe execution via Windows Explorer. You will not be able to use the terminal, and it should prevent the use of PowerShell by malicious code trying to infect the system.
4. Set User Account Control (UAC) to always ask for permission (even on configuration changes only) and to use the "secure desktop".

Microsoft Office
1. Disable Macros. Macros are at times used by Microsoft Office users to script and automate certain activities, especially calculations with Microsoft Excel. However, macros are currently a security plague, and they are widely used as a vehicle for compromise. The "Enable this Content" notification for macro documents is disabled too, to prevent users from being tricked.
2. Disable OLE object execution. Microsoft Office applications are able to embed so-called "OLE objects" and execute them, at times also automatically (for example through PowerPoint animations). Windows executables, such as spyware, can also be embedded and executed as an object. This is also a security disaster which we observed used time and time again, particularly in attacks against activists in repressed regions.
3. Disable ActiveX. Disables ActiveX Controls for all Office applications.

Acrobat Reader
1. Disable JavaScript in PDF documents. Acrobat Reader allows JavaScript code to be executed from within PDF documents. This is widely abused for exploitation and malicious activity.
2. Disable execution of objects embedded in PDF documents. Acrobat Reader also allows embedded objects to be executed by opening them. This would normally raise a security alert, but given that legitimate uses of this are rare and limited,
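The settings above are Group Policy settings, and each one is backed by a registry value that the policy writes. The script below is an added example, not code from the original post: it sets those values directly and then audits them, so it can be used on a machine that is not domain-joined or to check what a GPO actually applied. It assumes Office 2016 / Microsoft 365 (version key 16.0) and Acrobat Reader DC; the Office and Adobe value names are the ones documented in the Office ADMX templates and Adobe's FeatureLockDown preference reference, and should be checked against those references for the versions you deploy.

```powershell
# Added example (not from the original post): applies the mitigations listed
# above as the registry values behind the corresponding Group Policy settings.
# Run from an elevated PowerShell. Assumptions: Office 2016/365 (version key
# 16.0) and Acrobat Reader DC; Office/Adobe value names come from the Office
# ADMX templates and Adobe's FeatureLockDown reference and should be verified.

$OfficeVersion = '16.0'                       # assumption: Office 2016 / Microsoft 365
$OfficePolicy  = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion"
$AdobeLockDown = 'HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown'
$ExplorerPol   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$SystemPol     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Each entry: registry path, value name, desired DWORD value.
$Settings = @(
    # Generic Windows features
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'; Name = 'Enabled'; Value = 0 }  # 1. WSH off
    @{ Path = $ExplorerPol; Name = 'NoDriveTypeAutoRun'; Value = 0xFF }                               # 2. AutoRun off, all drive types
    @{ Path = $ExplorerPol; Name = 'NoAutorun';          Value = 1 }                                  # 2. AutoPlay default: take no action
    @{ Path = $SystemPol;   Name = 'EnableLUA';                  Value = 1 }                          # 4. UAC on
    @{ Path = $SystemPol;   Name = 'ConsentPromptBehaviorAdmin'; Value = 2 }                          # 4. always prompt for consent
    @{ Path = $SystemPol;   Name = 'PromptOnSecureDesktop';      Value = 1 }                          # 4. prompt on the secure desktop
    # Acrobat Reader DC
    @{ Path = $AdobeLockDown; Name = 'bDisableJavaScript'; Value = 1 }                                # 1. no JavaScript in PDFs
    @{ Path = $AdobeLockDown; Name = 'bAllowOpenFile';     Value = 0 }                                # 2. no opening of embedded files
)
# Microsoft Office: macros off without notification (VBAWarnings 4), OLE package
# objects blocked (PackagerPrompt 2), ActiveX off (DisableAllActiveX 1).
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $Settings += @{ Path = "$OfficePolicy\$app\Security"; Name = 'VBAWarnings';    Value = 4 }
    $Settings += @{ Path = "$OfficePolicy\$app\Security"; Name = 'PackagerPrompt'; Value = 2 }
}
$Settings += @{ Path = "$OfficePolicy\Common\Security"; Name = 'DisableAllActiveX'; Value = 1 }

function Set-PolicyValue {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# 3. "Don't run specified Windows applications": Explorer refuses to launch these
# image names. This is a per-user policy and only covers launches that go through
# Explorer; it does not stop code that starts the binaries by other means.
function Set-DisallowRun {
    param([string[]]$Images)
    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    Set-PolicyValue -Path $base -Name 'DisallowRun' -Value 1
    $list = Join-Path $base 'DisallowRun'
    if (-not (Test-Path $list)) { New-Item -Path $list -Force | Out-Null }
    for ($i = 0; $i -lt $Images.Count; $i++) {
        New-ItemProperty -Path $list -Name ($i + 1) -Value $Images[$i] -PropertyType String -Force | Out-Null
    }
}

# Report which settings match, so the script doubles as an audit of what a GPO applied.
function Test-Hardening {
    foreach ($s in $Settings) {
        $actual = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        [pscustomobject]@{ Path = $s.Path; Name = $s.Name; Expected = $s.Value; Actual = $actual; Ok = ($actual -eq $s.Value) }
    }
}

foreach ($s in $Settings) { Set-PolicyValue @s }
Set-DisallowRun -Images 'powershell.exe', 'powershell_ise.exe', 'cmd.exe'
Test-Hardening | Where-Object { -not $_.Ok } | Format-Table -AutoSize
```

On a domain-joined machine the matching GPO rewrites these values at the next policy refresh, so deploy them through the GPO and use the script's `Test-Hardening` output to confirm the refresh actually landed. The HKCU entries apply only to the user running the script; a GPO applies them to every user who logs on.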

Sunday, May 14, 2017

Mitigation steps to Prevent WannaCry




Mitigation steps to prevent WannaCry: WannaCrypt0r

·         Close ports TCP 445, UDP 137, UDP 138 and TCP 139 in the firewall.
·         Create Windows Firewall rules: Firewall Advanced Settings – Inbound Rules – right-click New Rule – select UDP, enter port number 445 in the dialog box, and set the rule to block.

Don't miss Microsoft security updates.

mitigating factors for this vulnerability.

In Windows Server 2012 R2 and Windows 8.1, Microsoft made SMB1 an optional component that can be completely removed. That optional component is enabled by default,

•             Disable SMBv1

For client operating systems: Windows 8.1 or Windows Server 2012 R2 and later

1. Open Control Panel, click Programs, and then click Turn Windows features on or off.
2. In the Windows Features window, clear the SMB1.0/CIFS File Sharing Support checkbox, and then click OK to close the window.
3. Restart the system.

For server operating systems:

1. Open Server Manager, click the Manage menu and select Remove Roles and Features.
2. In the Features window, clear the SMB1.0/CIFS File Sharing Support check box, and then click OK to close the window.
3. Restart the system.

Disable Using SCCM /
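The firewall bullets and the SMBv1 removal steps above can be done in one script. The following is an added example, not code from the original post; it uses the NetSecurity, DISM and SmbShare cmdlets that ship with Windows 8.1 / Server 2012 R2 and later, and must run from an elevated PowerShell. It blocks the four ports listed in the first bullet (TCP 445, TCP 139, UDP 137, UDP 138), removes the SMB 1.0/CIFS feature with the client or server cmdlet as appropriate, and turns off the SMB1 server protocol immediately so the host stops answering SMB1 before the reboot that completes the removal.

```powershell
# Added example (not from the original post): firewall rules and SMBv1 removal
# as described above. Run elevated on Windows 8.1 / Server 2012 R2 or later.

$BlockRules = @(
    @{ Name = 'Block inbound SMB TCP 445';     Protocol = 'TCP'; Port = 445 }
    @{ Name = 'Block inbound NetBIOS TCP 139'; Protocol = 'TCP'; Port = 139 }
    @{ Name = 'Block inbound NetBIOS UDP 137'; Protocol = 'UDP'; Port = 137 }
    @{ Name = 'Block inbound NetBIOS UDP 138'; Protocol = 'UDP'; Port = 138 }
)

function Add-BlockRules {
    foreach ($r in $BlockRules) {
        # Idempotent: skip rules that already exist
        if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) { continue }
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Protocol $r.Protocol `
            -LocalPort $r.Port -Action Block -Profile Any | Out-Null
    }
}

function Disable-Smb1 {
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
    $isClient = (Get-CimInstance Win32_OperatingSystem).ProductType -eq 1
    if ($isClient) {
        # Same as clearing "SMB 1.0/CIFS File Sharing Support" under Windows Features
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    } else {
        # Same as Remove Roles and Features -> SMB 1.0/CIFS File Sharing Support
        Uninstall-WindowsFeature -Name FS-SMB1 | Out-Null
    }
    # Stop the SMB server from speaking SMB1 now, without waiting for the reboot
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

function Test-Smb1State {
    [pscustomobject]@{
        Smb1ServerEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
        Port445Blocked    = [bool](Get-NetFirewallRule -DisplayName $BlockRules[0].Name -ErrorAction SilentlyContinue)
        RebootPending     = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue).State -match 'Pending'
    }
}

Add-BlockRules
Disable-Smb1
Test-Smb1State
```

Blocking inbound 445 on a file server or domain controller breaks file sharing and Group Policy distribution for its clients, so on those hosts scope the rule to the Public profile or to the internet-facing interface instead of `-Profile Any`. `RebootPending` reminds you that the feature removal only finishes after the restart in step 3 above; the `EnableSMB1Protocol $false` setting takes effect at once.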



 

Thursday, May 11, 2017

SHAMOON 2 Mitigations





 SHAMOON 2 ATTACK AGAIN

The malware called Shamoon has three primary functional components:

1.    Dropper—the main component and source of the original infection. It installs a number of other modules.
2.    Wiper—this module is responsible for the destructive functionality of the malware.
3.    Reporter—this module is responsible for reporting infection information back to the attacker.

After the initial infection, Shamoon spreads via network shares to infect additional machines on the network. Symantec first detected Shamoon on August 16, 2012, and estimates that only a few infections exist worldwide (fewer than 50).


Impact
Because of the highly destructive functionality of the Shamoon "Wiper" module, an organization infected with the malware could experience operational impacts including loss of intellectual property (IP) and disruption of critical systems. The actual impact on an organization varies, depending on the type and number of systems affected. Shamoon can also log into VDI solutions, wipe any saved snapshots, and thereby prevent an organization from restoring its systems.

Mitigation
Tactical Mitigations


·         Execute daily backups of all critical systems.
·         Periodically execute an “offline” backup of critical files to removable media.
·         Establish emergency communications plans should network resources become unavailable.
·         Isolate any critical networks (including operations networks) from business systems.
·         Identify critical systems and evaluate the need for having on-hand spares to quickly restore service.
·         Ensure antivirus is up to date.
·         Disable credential caching for all desktop devices, with particular importance on critical systems such as servers, and restrict the number of cached credentials for all portable devices to no more than three if possible. This can be accomplished through a Group Policy Object (GPO).
·         Disable AutoRun and Autoplay for any removable media device.
·         Prevent or limit the use of all removable media devices on systems to limit the spread or introduction of malicious software and possible exfiltration data, except where there is a valid business case for use.
·         Consider restricting account privileges. It is our recommendation that all daily operations should be executed using standard user accounts unless administrative privileges are required for that specific function. Configure all standard user accounts to prevent the execution and installation of any unknown or unauthorized software. Both standard and administrative accounts should have access only to services required for nominal daily duties, enforcing the concept of separation of duties. Lastly, disable Web and email capabilities on administrative accounts. Compromise of admin accounts is one vector that allows malicious activity to become truly persistent in a network environment.
·         Ensure that password policy rules are enforced and Admin password values are changed periodically.
·         Consider prohibiting hosts within the production environment or DMZ from sharing an Active Directory enterprise with hosts on other networks. Each environment should have separate forests within Active Directory, with no trust relationships allowed between the forests if at all possible. If necessary, the trust relationships should be one-way with the low integrity environment trusting the higher integrity environment.
·         Consider deployment of a coaching page with click-through acceptance; these are traditionally deployed in an environment to log the acceptance of the network acceptable use policy or to notify users of monitoring. Coaching pages also provide some measure of protection from automated malicious activity. This occurs because automated malware is normally incapable of physically clicking an acceptance radio button. Automated malware is traditionally hardcoded to execute, then retrieve commands or additional executables from the Internet. If the malware is unable to initiate an active connection, the full train of infection is potentially halted. The danger still exists that the physical user will authorize access, but through the use of coaching pages, infections can be limited or at least the rate of infection reduced.
·         Monitor logs -- Maintain and actively monitor a centralized logging solution that keeps track of all anomalous and potentially malicious activity.
·         Ensure that all network operating systems, web browsers, and other related network hardware and software remain updated with all current patches and fixes.
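The cached-credential bullet above maps to the GPO setting "Interactive logon: Number of previous logons to cache", which writes the REG_SZ value CachedLogonsCount under the Winlogon key. The script below is an added example, not from the original post: it picks the target (0 for desktops and servers, 3 for portable devices, using the SMBIOS chassis type to tell them apart), sets the value and reports drift. The chassis-type mapping is the standard SMBIOS list; treating servers as "never cache" is my assumption, in line with the bullet's emphasis on servers.

```powershell
# Added example (not from the original post): set and audit CachedLogonsCount
# per the cached-credential mitigation above. Run elevated. On domain-joined
# hosts the GPO wins at the next refresh, so use this mainly as an audit there.

$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# SMBIOS chassis types for devices that leave the building:
# 8 Portable, 9 Laptop, 10 Notebook, 14 Sub Notebook, 30 Tablet, 31 Convertible, 32 Detachable
$PortableChassis = 8, 9, 10, 14, 30, 31, 32

function Test-PortableDevice {
    $types = (Get-CimInstance -ClassName Win32_SystemEnclosure).ChassisTypes
    foreach ($t in $types) { if ($PortableChassis -contains $t) { return $true } }
    return $false
}

function Get-DesiredCacheCount {
    # Servers and domain controllers (ProductType 2 or 3) get no cached logons
    # (assumption). Laptops keep 3 so users can still sign in when the domain
    # is unreachable; everything else gets 0.
    if ((Get-CimInstance Win32_OperatingSystem).ProductType -ne 1) { return '0' }
    if (Test-PortableDevice) { return '3' } else { return '0' }
}

function Get-CachedLogonsCount {
    $v = (Get-ItemProperty -Path $Winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $v) { '10' } else { $v }     # Windows default when the value is absent is 10
}

function Set-CachedLogonsCount {
    param([string]$Count)
    # The value is a string (REG_SZ), not a DWORD
    Set-ItemProperty -Path $Winlogon -Name CachedLogonsCount -Value $Count -Type String
}

$desired = Get-DesiredCacheCount
$current = Get-CachedLogonsCount
if ($current -ne $desired) {
    Write-Host "CachedLogonsCount is $current, setting to $desired"
    Set-CachedLogonsCount -Count $desired
} else {
    Write-Host "CachedLogonsCount is already $desired"
}
```

Setting the value to 0 on a laptop means nobody can log on with a domain account while the domain controller is unreachable, which is why the bullet allows up to three for portable devices; the script encodes exactly that split.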




Strategic Mitigations

·         Always keep your patch levels up to date, especially on computers that host public services accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
·         Build host systems, especially critical systems such as servers, with only essential applications and components required to perform the intended function. Any unused applications or functions should be removed or disabled, if possible, to limit the attack surface of the host.
·         Consider the deployment of a Software Restriction Policy set to only allow the execution of approved software (application whitelisting).
·         Recommend the whitelisting of legitimate executable directories to prevent the execution of potentially malicious binaries.
·         Consider the use of two-factor authentication methods for accessing privileged root level accounts or systems.
·         Consider deploying a two-factor authentication through a hardened IPsec/VPN gateway with split-tunneling prohibited for secure remote access.
·         Deny direct Internet access, except through the use of proxies for Enterprise servers and workstations. Perform regular content filtering at the proxies or external firewall points of presence. Also consider the deployment of an explicit versus transparent proxy policy.
·         Implement a Secure Socket Layer (SSL) inspection capability to inspect both ingress and egress encrypted network traffic for potential malicious activity.
·         Isolate network services, such as email and Web application servers by utilizing a secure multi-tenant virtualization technology. This will limit the damage sustained from a compromise or attack of a single network component.
·         Implement best practice guidance and policy to restrict the use of non-Foundation assets for processing or accessing Foundation-controlled data or systems (e.g., working from home, or using a personal device while at the office). It is difficult to enforce corporate policies, detect intrusions, and conduct forensic analysis or remediate compromises on non-corporate owned devices.
·         Minimize network exposure for all control system devices. Control system devices should not directly face the Internet.
·         Place control system networks behind firewalls, and isolate or air gap them from the business network.
·         When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.
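The two whitelisting bullets above (a Software Restriction Policy that only allows approved software, and whitelisting of legitimate executable directories) can be expressed on current Windows as an AppLocker rule set, which is the successor to SRP. The following is an added example, not from the original post: it builds an executable allow-list for the two program directories, starts it in AuditOnly mode so nothing is blocked yet, dry-runs it against a few files, and shows how to read the audit events. The directory list and the use of AppLocker instead of SRP are my assumptions; the rule set is for illustration, not a policy the post recommends.

```powershell
# Added example (not from the original post): a directory allow-list as an
# AppLocker Exe rule collection, deployed in AuditOnly mode first. In audit mode
# event 8003 in the "AppLocker/EXE and DLL" log records every program that
# would have been denied; that list is what you review before enforcing.
# Run elevated. The directories and the choice of AppLocker are assumptions.

$AllowedDirs = '%PROGRAMFILES%\*', '%WINDIR%\*'

function New-AllowPathRuleXml {
    param([string]$PathPattern)
    $id = [guid]::NewGuid().ToString()
    # S-1-1-0 is the Everyone SID
    @"
    <FilePathRule Id="$id" Name="Allow $PathPattern" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="$PathPattern" /></Conditions>
    </FilePathRule>
"@
}

function New-AllowListPolicyXml {
    param([string[]]$Dirs, [string]$Mode = 'AuditOnly')   # 'AuditOnly' or 'Enabled'
    $rules = ($Dirs | ForEach-Object { New-AllowPathRuleXml -PathPattern $_ }) -join "`n"
    @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="$Mode">
$rules
  </RuleCollection>
</AppLockerPolicy>
"@
}

$policyPath = Join-Path $env:TEMP 'applocker-dir-allowlist.xml'
New-AllowListPolicyXml -Dirs $AllowedDirs | Set-Content -Path $policyPath -Encoding UTF8

# Dry run: what would the policy decide for a system binary and for anything in Downloads?
$samples = @("$env:WINDIR\notepad.exe") +
           @(Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Filter *.exe -ErrorAction SilentlyContinue | ForEach-Object FullName)
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $samples | Format-Table FilePath, PolicyDecision -AutoSize

# Apply locally in audit mode. This replaces the local AppLocker policy (use -Merge
# to combine with an existing one); the Application Identity service must be running.
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath

# After the machine has run normally for a while: what would have been blocked?
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
```

Two caveats a practitioner will want: `%WINDIR%\*` contains subfolders that standard users can write to (Microsoft's own default rules carry the same note), so before switching `EnforcementMode` to `Enabled` add Deny exceptions for those paths or move to publisher rules; and path rules say nothing about what a file is, so a copy of an unapproved tool dropped into an allowed directory is still allowed.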


To protect against Shamoon’s destructive forces, enterprises should train their employees to avoid clicking on suspicious links and email attachments. 

Incident Response | Phishing Attack




The attacker crafts a "fake" email with a URL in it and sends the message to several users at your organization.

  1. The phishing email is received by the company's SMTP server
  2. The email goes through the SPAM filter
  3. The phish is moved into the end user's mailbox
  4. The user notices the new email in the mailbox and reads it
  5. The user clicks on the link in the malicious email
  6. A website opens up and offers an ".exe" file (disguised with a PDF icon) to be downloaded
  7. The user thinks the file is genuine and opens it
  8. The file was a dropper that downloads some additional content from the Internet
  9. The additional content automatically installs
  10. The malware opens a permanent connection to a certain IP address
  11. The attacker connects to the PC through this permanent tunnel
  12. The attacker enumerates the network and downloads data if available
IR Steps:
If a new report comes in from the Helpdesk or end users, create a new ticket.
  1. Obtain the original email from the end user and attach it to the ticket
  2. Validate whether the email is a phish:
     1. Check the hostname part of all links in the email on https://otx.alienvault.com or another feed such as VirusTotal or IBM X-Force Exchange
     2. Check the URL: is it the same, or is it masking a malicious link?
     3. Does the email try to evade SPAM filters?
If the email is a false positive, resolve the ticket. Otherwise, continue with the instructions below.
Investigation Step 1: Get IoCs
  1. Full download URL(s) from the email
  2. Hostname from the URL
  3. Visit http://www.kloth.net/services/nslookup.php and get the IPs belonging to the hostname
Alerting Employees
If this is the fifth ticket related to the same phish, we need to warn our end users of the threat.
Block Emails on the SMTP Server
As the phisher can easily change the subject line or sender of the emails, try to find a common pattern in the email headers of the related emails. For instance, all emails might share the X-Mailer: and X-PHP-Script: headers.
Removing Emails from User Inboxes
Check the SMTP logs for whether the same email has been delivered to other users. Engage IT in removing similar emails from the affected employee mailboxes.
  1. Search for the subject line from the original phish
  2. Search for the sender email address from the original phish
  3. If you identify other recipients in the SMTP logs:
     1. Export the affected recipients into a CSV file
     2. Contact the system administrators and ask them to remove the phishes from the affected mailboxes
Blocking the Download URL
This blocks the dropper from being downloaded if a user clicks the malicious URL in the phish.
  1. Pivot on the hostname, collect related hostnames and create a blacklist.
  2. Block it at the perimeter level and in email security.
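The validation, IoC collection, header-pattern and recipient-search steps above are repetitive enough to script. The block below is an added example, not from the original post, and runs over a constructed phishing e-mail and constructed SMTP log lines (the log format is an assumption; adapt the regex to your MTA). Domains and addresses are RFC 2606 / RFC 5737 documentation values, not real indicators. `Resolve-DnsName` stands in for the nslookup web page in step 3; it queries your resolver, so run it from an analysis host rather than a user workstation.

```powershell
# Added example (not from the original post): phishing triage helpers over a
# constructed .eml and constructed SMTP log lines. Needs Windows 8 / Server 2012
# or later for Resolve-DnsName.

$PhishEml = @'
Received: from mail.example.net (mail.example.net [203.0.113.5])
X-Mailer: PHPMailer 5.2.9
X-PHP-Script: www.example.net/contact.php for 203.0.113.5
From: "IT Support" <helpdesk@example.net>
To: alice@corp.example
Subject: Action required: overdue invoice
Content-Type: text/plain

Your invoice is ready: http://invoice-portal.example.net/download/invoice_4411.exe
Corporate policy: https://intranet.corp.example/policy
'@

# Constructed SMTP log (assumed format: time from= to= subject="...")
$SmtpLog = @'
2017-05-14T08:01:12Z from=helpdesk@example.net to=alice@corp.example subject="Action required: overdue invoice"
2017-05-14T08:01:13Z from=helpdesk@example.net to=bob@corp.example subject="Action required: overdue invoice"
2017-05-14T08:05:40Z from=payroll@corp.example to=carol@corp.example subject="May payslip"
2017-05-14T08:07:02Z from=helpdesk@example.net to=dave@corp.example subject="Urgent: overdue invoice"
'@

$OwnDomains = 'corp.example'   # our own domains; links to these are not pivoted on

# Header block = everything before the first blank line (unfolded headers assumed).
function Get-EmailHeaders {
    param([string]$Eml)
    $headers = @{}
    foreach ($line in ($Eml -split "`r?`n")) {
        if ($line -eq '') { break }
        if ($line -match '^([\w-]+):\s*(.*)$') { $headers[$matches[1]] = $matches[2] }
    }
    $headers
}

function Get-EmailUrls {
    param([string]$Eml)
    [regex]::Matches($Eml, 'https?://[^\s<>"'']+') | ForEach-Object { $_.Value } | Sort-Object -Unique
}

function Get-ExternalHostnames {
    param([string[]]$Urls)
    $Urls | ForEach-Object { ([uri]$_).Host } | Sort-Object -Unique |
        Where-Object { $h = $_; -not ($OwnDomains | Where-Object { $h -eq $_ -or $h.EndsWith(".$_") }) }
}

# Investigation Step 1: URLs, hostnames and the A records they resolve to.
function Get-PhishIocs {
    param([string]$Eml)
    $urls = Get-EmailUrls -Eml $Eml
    foreach ($h in (Get-ExternalHostnames -Urls $urls)) {
        $ips = (Resolve-DnsName -Name $h -Type A -ErrorAction SilentlyContinue | Where-Object Type -eq 'A').IPAddress
        [pscustomobject]@{
            Hostname = $h
            Urls     = ($urls | Where-Object { ([uri]$_).Host -eq $h }) -join ' '
            IPs      = ($ips -join ',')
        }
    }
}

# SMTP block pattern: X-Mailer / X-PHP-Script survive sender and subject changes.
function Get-BlockSignature {
    param([hashtable]$Headers)
    $Headers.GetEnumerator() | Where-Object { $_.Key -in 'X-Mailer', 'X-PHP-Script' } |
        ForEach-Object { [pscustomobject]@{ Header = $_.Key; Value = $_.Value } }
}

# Other recipients of the same sender in the SMTP log, exported for the mailbox clean-up.
function Export-AffectedRecipients {
    param([string]$Log, [string]$Sender, [string]$CsvPath)
    $rows = foreach ($line in ($Log -split "`r?`n")) {
        if ($line -match "from=$([regex]::Escape($Sender)) to=(\S+) subject=`"([^`"]*)`"") {
            [pscustomobject]@{ Time = $line.Split(' ')[0]; Recipient = $matches[1]; Subject = $matches[2] }
        }
    }
    $rows | Export-Csv -Path $CsvPath -NoTypeInformation
    $rows
}

$headers = Get-EmailHeaders -Eml $PhishEml
Get-PhishIocs -Eml $PhishEml | Format-List
Get-BlockSignature -Headers $headers | Format-Table -AutoSize
$sender = $headers['From'].Split('<>')[1]
Export-AffectedRecipients -Log $SmtpLog -Sender $sender -CsvPath (Join-Path $env:TEMP 'phish-recipients.csv') | Format-Table -AutoSize
```

On the sample, the IoC list contains only `invoice-portal.example.net` (the intranet link is skipped because it is under an own domain), the block signature is the two PHPMailer headers, and the recipient export lists alice, bob and dave: dave's message has a different subject, which is exactly why the sender and header pattern, not the subject line, drive the search.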



Am I Infected? Malware, Virus, Worm | Incident Response




  • Malware: software written for a malicious purpose - to destroy data, steal money or annoy users
  • Virus: malware which requires human intervention to spread - it needs the user to click on the exe, open a document or visit a website
  • Worm: malware which can spread automatically - it infects other systems in the network on its own and spreads through plug & play devices

Symptoms

  • Unusual Behaviour in Applications
  • System Slowdown/Randomly Restarts / new software icons/Folder-files Created
  • Adware popups / Virus Alerts
  • Password Changes/Reset Email Accounts / for your Bank or Online Accounts
  • Surprise financial transactions on your bank accounts

To Do


Detection and Removal
1. Isolate the system from the rest of the network
2. Remove temporary files
3. Look for suspicious file, process, network and registry values
4. Identify the file generating the suspicious activity
5. Isolate the suspicious file
6. Verify if the file is malicious
7. Identify the persistence mechanism
8. Break its persistence mechanism
9. Delete the malicious files from the system
10. Monitor for suspicious activities (repeat steps 3 to 9)
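Steps 3, 4 and 7 above are where most of the time goes, and a read-only collection script makes the first pass repeatable. The block below is an added example, not from the original post: on the isolated host it lists autostart entries, services and scheduled tasks whose binaries live outside the usual program directories, processes holding established network connections, and a hash-and-signature report for any file you name, so the file can be looked up by hash on VirusTotal or the vendor sites before anything is uploaded or deleted. The "trusted roots" heuristic and the example path are assumptions; it needs Windows 8 / Server 2012 or later for `Get-ScheduledTask` and `Get-NetTCPConnection`.

```powershell
# Added example (not from the original post): read-only triage for steps 3, 4
# and 7 above. Nothing is removed or changed; run elevated on the isolated host.

$TrustedRoots = @("$env:WINDIR", "$env:ProgramFiles", "${env:ProgramFiles(x86)}") | Where-Object { $_ }

function Test-TrustedPath {
    param([string]$Path)
    if (-not $Path) { return $false }
    # Strip quotes and arguments: "C:\x\y.exe" -arg  ->  C:\x\y.exe
    $exe = if ($Path -match '^"([^"]+)"') { $matches[1] } elseif ($Path -match '^(\S+\.exe)') { $matches[1] } else { $Path }
    foreach ($root in $TrustedRoots) { if ($exe.StartsWith($root, 'OrdinalIgnoreCase')) { return $true } }
    return $false
}

# Step 7: persistence. Run/RunOnce keys, services and scheduled tasks.
function Get-AutostartEntries {
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $keys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # skip PSPath, PSParentPath, ...
            [pscustomobject]@{ Source = $k; Name = $p.Name; Command = $p.Value; Trusted = Test-TrustedPath $p.Value }
        }
    }
    foreach ($s in Get-CimInstance Win32_Service) {
        [pscustomobject]@{ Source = 'Service'; Name = $s.Name; Command = $s.PathName; Trusted = Test-TrustedPath $s.PathName }
    }
    foreach ($t in (Get-ScheduledTask | Where-Object State -ne 'Disabled')) {
        foreach ($a in $t.Actions) {
            if (-not $a.Execute) { continue }               # only Exec actions have a binary
            $cmd = "$($a.Execute) $($a.Arguments)".Trim()
            [pscustomobject]@{ Source = "Task $($t.TaskPath)"; Name = $t.TaskName; Command = $cmd; Trusted = Test-TrustedPath $a.Execute }
        }
    }
}

# Step 3: processes with live connections, with the image path to pivot on.
function Get-ConnectedProcesses {
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }
    Get-NetTCPConnection -State Established | ForEach-Object {
        $p = $procs[[int]$_.OwningProcess]
        [pscustomobject]@{
            Pid = $_.OwningProcess; Process = $p.ProcessName; Path = $p.Path
            Remote = "$($_.RemoteAddress):$($_.RemotePort)"; Trusted = Test-TrustedPath $p.Path
        }
    }
}

# Steps 4 and 6: hash and signature of the candidate file for a hash lookup.
function Get-SuspectFileReport {
    param([string]$Path)
    $f = Get-Item -LiteralPath $Path -Force
    [pscustomobject]@{
        Path = $f.FullName; SizeBytes = $f.Length; Created = $f.CreationTime; Modified = $f.LastWriteTime
        SHA256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Signature = (Get-AuthenticodeSignature -LiteralPath $Path).Status
    }
}

Get-AutostartEntries | Where-Object { -not $_.Trusted } | Format-Table -AutoSize
Get-ConnectedProcesses | Where-Object { -not $_.Trusted } | Format-Table -AutoSize
# Example call (the path is a placeholder, not a known indicator):
# Get-SuspectFileReport -Path "$env:APPDATA\unknown\update.exe"
```

The trusted-roots filter only narrows the list; it passes anything already sitting in System32 or Program Files, so a trusted entry with an odd name, a recent creation date or an unsigned binary still deserves a look. Keep the full output (without the `Where-Object`) with the ticket before step 9 deletes anything.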

Steps to Follow (contact IT Security for the software mentioned below and for the Advanced steps)


  • Full Anti-Virus scan with Symantec Endpoint Security 14.x (manual) - detects known malware, if any
  • Scan with Malwarebytes (the free version will work)
  • Rootkit scan - GMER, SpyDLLRemover (helps in removal of malware DLLs)
  • Scan the infected or suspicious file with VirusTotal - get the name of the virus/malware family; use the Virus Total Scanner Tool for a quick scan
  • Check AV sites with the detected variant name (McAfee, Symantec for the detected malware) - to understand infection details or for any removal steps
  • BHO scan (system slowdown) - run SpyBHORemover and disable unusual BHOs
  • Delete locked/hidden/protected malware files - use GMER to delete hidden files/registry keys, or boot with BackTrack, mount your drives and delete the files/registry keys (Advanced)
  • Change passwords of important accounts - corporate email accounts, computer login, Facebook, Google, Twitter, PayPal etc.

Tools:
§  Malwarebytes
§  Rootkit Scan using GMER
§  Remove Malware DLLs using SpyDLLRemover
§  Virus Total Scanner Tool
§  Remove BHOs using SpyBHORemover

Verify the threat report on the Symantec/Checkpoint/McAfee websites to check the criticality.

In case of full system or widespread infections,

 
  • System Restore to the 'right restore point' - look at the dates of the infected files; they should give you the right date to restore from
  • Format and re-install the OS - clean up other drives if necessary

  • Scan other systems/devices in the Network

Am I Infected? RANSOMWARE | Incident Response



Symptoms
The symptoms are as follows:
  • You suddenly cannot open normal files and get errors such as the file is corrupted or has the wrong extension.
  • An alarming message has been set as your desktop background with instructions on how to pay to unlock your files.
  • The program warns you that there is a countdown until the ransom increases or you will no longer be able to decrypt your files.
  • A window has opened to a ransomware program and you cannot close it.
  • You see files in all directories with names such as HOW TO DECRYPT FILES.TXT or DECRYPT_INSTRUCTIONS.HTML.


Here is an example of a ransomware screen, the infamous CryptoLocker:



If infected, immediately take the actions below.


1.   Disconnect:
·      Disconnect the infected computer from any network.
·      Turn off any wireless capabilities such as Wi-Fi or Bluetooth.
·      Unplug any storage devices such as USB or external hard drives.
·      Do not erase anything or "clean up" any files or antivirus. (This is important for later steps. Simply unplug the computer from the network and any other storage devices.)
2.   Determine the Scope:
Determine exactly how much of your file infrastructure is compromised or encrypted. Did the infected machine have access to any of the following?
·      Shared or unshared drives or folders
·      Network storage of any kind
·      External hard drives
·      USB memory sticks with valuable files
·      Cloud-based storage (Dropbox, Google Drive, Microsoft OneDrive/SkyDrive etc.)
There are tools available that have been specifically made to list encrypted files.
3.   Responses:

Three options, listed here from best to worst:
1.    Restore from a recent backup
2.    Decrypt your files using a 3rd-party decryptor (this is a very slim chance)
3.    Format the PC (lose your data)

RANSOMWARE ATTACK CHECKLIST




STEP 1: Disconnect Everything

a.    Unplug computer from network

b.    Turn off any wireless functionality:  Wi-Fi, Bluetooth, NF


STEP 2: Determine the Scope of the Infection, Check the Following for Signs of Encryption

a.    Mapped or shared drives
b.    Mapped or shared folders from other computers
c.    Network storage devices of any kind
d.    External hard drives
e.    USB storage devices of any kind
f.    Cloud-based storage: Dropbox, Google Drive, OneDrive etc.


STEP 3: Determine Ransomware Strain

a.    What strain/type of ransomware? For example: CryptoWall, Teslacrypt etc.


STEP 4: Determine Response

Response 1: Restore Your Files From Backup

1.       Locate your backups

a.    Ensure all files you need are there

b.    Verify integrity of backups (i.e. media not reading or corrupted files)

c.     Check for Shadow Copies if possible (may not be an option on newer ransomware)
d.    Check for any previous versions of files that may be stored on cloud storage e.g. DropBox, Google Drive, OneDrive
2.  Remove the ransomware from your infected system

3.   Restore your files from backups

4.   Determine infection vector & handle





Response 2: Try to Decrypt

1.    Determine the strain and version of the ransomware if possible
2.    Locate a decryptor; there may not be one for newer strains

If successful, continue with the following steps:

3.    Attach any storage media that contains encrypted files (hard drives, USB sticks etc.)
4.    Decrypt files
5.    Determine the infection vector & handle it


Response 3: (Lose Files)

Format the infected device

Back up your encrypted files to an external HDD for possible future decryption (optional)
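The "Determine the Scope" step appears twice above (in the post's step 2 and the checklist's STEP 2), and Response 1 adds the shadow-copy check. The block below is an added example, not from the original post, that covers both: on the isolated machine it enumerates every filesystem drive, SMB mapping and cloud-sync folder the user could reach, looks for ransom notes (the two names the post lists plus generic patterns) and for files recently rewritten with an extension their folder did not contain before, and finally lists any shadow copies left to restore from. The cloud folder paths and the 24-hour window are assumptions; everything is read-only.

```powershell
# Added example (not from the original post): scope a ransomware incident over
# every location the infected machine could reach, then check for shadow copies.
# Read-only. Needs Windows 8 / Server 2012 or later for Get-SmbMapping.

$NotePatterns  = 'HOW TO DECRYPT FILES.TXT', 'DECRYPT_INSTRUCTIONS.HTML', '*DECRYPT*.txt', '*DECRYPT*.html', '*README*.hta'
$LookbackHours = 24   # assumption: how far back "recently rewritten" reaches

function Get-ScopeRoots {
    $roots = @()
    $roots += (Get-PSDrive -PSProvider FileSystem | Where-Object Root).Root      # local, USB, external, mapped drives
    $roots += (Get-SmbMapping -ErrorAction SilentlyContinue).RemotePath          # UNC shares mapped by the user
    $roots += "$env:USERPROFILE\Dropbox", "$env:USERPROFILE\Google Drive", "$env:USERPROFILE\OneDrive"   # assumed cloud sync paths
    $roots | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Sort-Object -Unique
}

function Find-RansomNotes {
    param([string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -File -Include $NotePatterns -ErrorAction SilentlyContinue |
        Select-Object FullName, LastWriteTime
}

# Files written inside the window whose extension did not exist in that folder
# before it: ".docx.locked" / ".crypt" style renames stand out this way without
# needing a list of known ransomware extensions.
function Find-RecentlyRewrittenFiles {
    param([string]$Root, [int]$Hours = $LookbackHours)
    $since = (Get-Date).AddHours(-$Hours)
    $byDir = Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue | Group-Object DirectoryName
    foreach ($dir in $byDir) {
        $oldExt = $dir.Group | Where-Object { $_.LastWriteTime -lt $since } | ForEach-Object Extension | Sort-Object -Unique
        $dir.Group | Where-Object { $_.LastWriteTime -ge $since -and $_.Extension -and $oldExt -notcontains $_.Extension } |
            Select-Object FullName, Extension, LastWriteTime
    }
}

# Response 1c: are there shadow copies left to restore from?
function Get-ShadowCopySummary {
    Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue |
        Select-Object VolumeName, InstallDate, ID
}

$scope = foreach ($root in Get-ScopeRoots) {
    $notes   = @(Find-RansomNotes -Root $root)
    $renamed = @(Find-RecentlyRewrittenFiles -Root $root)
    [pscustomobject]@{
        Root = $root; RansomNotes = $notes.Count; RecentNewExtensions = $renamed.Count
        SampleNote = ($notes | Select-Object -First 1).FullName
    }
}
$scope | Format-Table -AutoSize
Get-ShadowCopySummary | Format-Table -AutoSize
```

A root with ransom notes or a large `RecentNewExtensions` count is in scope and its backups need the integrity check from Response 1b; a root with neither is a candidate for restoring data from. Walking whole drives and shares is slow, so on large file servers point `Get-ScopeRoots` at the user data trees instead of the drive roots. An empty shadow-copy list on a machine that normally has them is itself a sign the strain deletes them, which is the case the checklist flags at step 1c.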