Categories: Business
Tags: microsoft

Tags:  zero-day

Tags:  exploit

Tags:  CVE-2023-36884

Tags:  storm-0978

Tags:  email

Tags:  phish

Tags:  phishing

Tags:  Ukraine

We take a look at reports of an exploit being deployed via booby trapped Word documents.



(Read more...)




The post Zero-day deploys remote code execution vulnerability via Word documents appeared first on Malwarebytes Labs.

An unpatched zero-day vulnerability is currently being abused in the wild, targeting those with an interest in Ukraine. Microsoft reports that CVE-2023-36884 is tied to reports of:

> …a series of remote code execution vulnerabilities impacting Windows and Office products. Microsoft is aware of targeted attacks that attempt to exploit these vulnerabilities by using specially-crafted Microsoft Office documents. An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim. However, an attacker would have to convince the victim to open the malicious file.

While the CVE is being updated with new information and links to appropriate security information, the Microsoft Security Blog is currently exploring the issue in detail.

This all ties back to a phishing campaign operated by a group being tracked as “Storm-0978” which targets defence and government entities in both Europe and North America. The campaign itself makes use of bait related to the Ukrainian World Congress, a non-profit organisation of “all Ukrainian public organisations in diaspora”.

These infections originate from remote code execution via Word documents exploiting the above Ukraine-themed bait, as well as an “abuse of vulnerabilities contributing to a security feature bypass”. A fake OneDrive loader delivers a backdoor with similarities to RomCom, their primary backdoor tool. It's unusual to observe websites involved in this kind of attack still be online hours after a reveal, but here are some shots we took of both site and downloads (thanks to Jerome):

Some of the other attacks launched by this group involve distribution of trojanized versions of popular software. Once the backdoor has taken hold, the group “may steal credentials to be used in targeted operations”.

Popular tools used for these installations include trojanized versions of Solarwinds Network Performance Monitor, KeePass, Signal, and Adobe products. Bogus domains imitating the real thing are registered and used as convincing fronts for the infected software.

Microsoft notes that this group also has a hand in ransomware attacks, though it is less targeted in nature and unrelated to any espionage-themed operations. Attacks which have been identified as belonging to Storm-0978 in this realm have impacted finance and telecommunications industries.

A variety of attacks on several fronts, then. 

Microsoft gives the following advice for organisations concerned with the potential threat of compromise from the most recent attacks:

**CVE-2023-36884 specific recommendations**

*   Customers who use Microsoft Defender for Office 365 are protected from attachments that attempt to exploit CVE-2023-36884.
*   In current attack chains, the use of the Block all Office applications from creating child processes attack surface reduction rule prevents the vulnerability from being exploited
*   Organizations who cannot take advantage of these protections can set the FEATURE\_BLOCK\_CROSS\_PROTOCOL\_FILE\_NAVIGATION registry key to avoid exploitation.  Please note that while these registry settings would mitigate exploitation of this issue, it could affect regular functionality for certain use cases related to these applications.

You could also consider blocking outbound SMB traffic.

**We don’t just report on vulnerabilities—we identify them, and prioritize action.**

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Zero-day deploys remote code execution vulnerability via Word documents

A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the processing of SMB2_TREE_DISCONNECT commands. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to execute code in the context of the kernel.

May 17th, 2023

**Linux Kernel ksmbd Tree Connection Race Condition Remote Code Execution Vulnerability****ZDI-23-702  
ZDI-CAN-20592**

CVE ID

CVE-2023-32254

CVSS SCORE

9.8, (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

AFFECTED VENDORS

Linux  

AFFECTED PRODUCTS

Kernel  

VULNERABILITY DETAILS

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Linux Kernel. Authentication is not required to exploit this vulnerability, but only systems with ksmbd enabled are vulnerable.

The specific flaw exists within the processing of SMB2\_TREE\_DISCONNECT commands. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to execute code in the context of the kernel.  

ADDITIONAL DETAILS

Linux has issued an update to correct this vulnerability. More details can be found at:  
https://github.com/torvalds/linux/commit/30210947a343b6b3ca13adc9bfc88e1543e16dd5  

DISCLOSURE TIMELINE

*   2023-04-27 - Vulnerability reported to vendor
*   2023-05-17 - Coordinated public release of advisory

CREDIT

Quentin Minster (@thalium\_team)  

BACK TO ADVISORIES

CVE-2023-32254: ZDI-23-702

A flaw was found in the Linux kernel's ksmbd, a high-performance in-kernel SMB server. The specific flaw exists within the processing of SMB2_SESSION_SETUP commands. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to execute code in the context of the kernel.

'2208849?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2023-32250: Invalid Bug ID

Debian Linux Security Advisory 5448-1 - Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5448-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
July 05, 2023                         https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : linux  
CVE ID         : CVE-2023-2124 CVE-2023-2156 CVE-2023-2269 CVE-2023-3090  
                 CVE-2023-3212 CVE-2023-3268 CVE-2023-3269 CVE-2023-3390  
                 CVE-2023-31084 CVE-2023-32250 CVE-2023-32254 CVE-2023-35788

Several vulnerabilities have been discovered in the Linux kernel that  
may lead to a privilege escalation, denial of service or information  
leaks.

CVE-2023-2124

    Kyle Zeng, Akshay Ajayan and Fish Wang discovered that missing  
    metadata validation may result in denial of service or potential  
    privilege escalation if a corrupted XFS disk image is mounted.

CVE-2023-2156

    It was discovered that the IPv6 RPL protocol implementation in the  
    Linux kernel did not properly handled user-supplied data, resulting  
    in a triggerable assertion. An unauthenticated remote attacker can  
    take advantage of this flaw for denial of service.

CVE-2023-2269

    Zheng Zhang reported that improper handling of locking in the device  
    mapper implementation may result in denial of service.

CVE-2023-3090

    It was discovered that missing initialization in ipvlan networking  
    may lead to an out-of-bounds write vulnerability, resulting in  
    denial of service or potentially the execution of arbitrary code.

CVE-2023-3212

    Yang Lan that missing validation in the GFS2 filesystem could result  
    in denial of service via a NULL pointer dereference when mounting a  
    malformed GFS2 filesystem.

CVE-2023-3268

    It was discovered that an out-of-bounds memory access in relayfs  
    could result in denial of service or an information leak.

CVE-2023-3269

    Ruihan Li discovered that incorrect lock handling for accessing and  
    updating virtual memory areas (VMAs) may result in privilege  
    escalation.

CVE-2023-3390

    A use-after-free flaw in the netfilter subsystem caused by incorrect  
    error path handling may result in denial of service or privilege  
    escalation.

CVE-2023-31084

    It was discovered that the DVB Core driver does not properly handle  
    locking of certain events, allowing a local user to cause a denial  
    of service.

CVE-2023-32250 / CVE-2023-32254

    Quentin Minster discovered two race conditions in KSMBD, a kernel  
    server which implements the SMB3 protocol, which could result in  
    denial of service or potentially the execution of arbitrary code.

CVE-2023-35788

    Hangyu Hua discovered an out-of-bounds write vulnerability in the  
    Flower classifier which may result in denial of service or the  
    execution of arbitrary code.

For the stable distribution (bookworm), these problems have been fixed in  
version 6.1.37-1.

We recommend that you upgrade your linux packages.

For the detailed security status of linux please refer to its security  
tracker page at:  
https://security-tracker.debian.org/tracker/linux

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmSlxzBfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0TqhA//aamUmnSElduaBWsCIn+Bbz1QeZgUqeAtdLVyAR8DHhWOW5CQtaIYAGCN  
bH8zYl4DULQNoWccNJKAB6mmh+eLK74L4W9Kkd4C3HL2g2CACDijoO79BlOE35VW  
33/S+bhg5gzC1qyv5A6HKt9QltyIA6cI9B+WPPG+uA79T/+12mWI7XbGUYiOaNeR  
WgOFK8iOhg7KemZqUFsbsG4qRGN0fzGHsU8KOLmF83hP6ObbPZKvVIdRHm0z7ff1  
Xba6El+i75LRx0Fqv6tQ3pZE43blXJZIlesUw1M44U493FINmUNTpPAkbJPlHbOb  
zBC61YcNiPhzyDu2bux+fyoNIfZxh4u9THm8SqWz5mejIFcjGgA9tNsQE3o9c1q/  
bZ/QyWoYYOCNBUeLTfOOHuTLlxK7HslTIp4A7J2uLrUiTrmPXldXmIl0FsFc4l+8  
qkBaZ+p58XbB7K02VIkr39gFx90GbF+Na0AaUoPGPyQBLz0X87uY6FyOCBY/SbyU  
3ARTQT4O55jX+zgK7cUasrS/jVIDEczMIWkf0yHbL4a6ihiNc2Isc1s0gjTF26ji  
AAE3BdIXi/V+CU4pHX8uq9BVwrDT0rm5BLgLJEo7n/oAWg6Tiq77TGOovQ1mgqF1  
TTCY/41xmwkD9UflCu5gdq7jyIqDKPBxjemTZuMhoztQXL9D9tI=MBf4  
-----END PGP SIGNATURE-----

Debian Security Advisory 5448-1

If you have an IoT network powered by Pepper, you can now insure it through Embedded Insurance — even if your business is too small to support a SOC.

Consumers and small-to-midsize businesses (SMBs) that use Internet of Things (IoT) devices to manage smart homes and businesses have a new option for obtain cyber insurance — providing their service providers are using the Pepper IoT Platform-as-a-Service (PaaS) back end. The service, announced on June 28, allows users to opt for a minimum of $10,000 per device in coverage from their providers for each device without requiring them to submit cyber insurance applications. The insurance is available either as an add-on at the time of the sale from the service provider, or it can be purchased later.

Pepper CEO Scott Ford says that consumers currently have very few options to obtain comprehensive cyber insurance for their IoT devices. While individuals have some options to reduce their risk and become better candidates for cyber insurance, many do not know how to do so. Offering an actual cyber insurance policy — not just a rider to an existing home policy that might offer nominal coverage — provides real and measurable coverage for common cyber threats, he says.

While the consumer market is the primary target for this partnership, Ford says that SMBs that use surveillance cameras and similar IoT devices also can benefit from this low-cost cyber insurance alternative.

**Consumers Need Simple**

Toby Coleridge, chief product officer at Embedded Insurance (EI), which is Pepper's cyber insurance broker, says the process of obtaining a policy through his company — without the need to fill out long applications that must be processed through underwriting — is easy for the clients to understand. EI's policies are underwritten by Chubb, the top-ranking cyber insurance carrier in 2023.

Coleridge notes that these are real cyber insurance policies that are specifically designed to be simple to purchase. Unlike corporate cyber insurance policies — where rates and terms are based on an organization's existing cybersecurity controls, audits, penetration tests of networks, and negotiations with corporate boards, corporate counsels, and CISOs — these policies are off-the-shelf packages that are preconfigured and priced accordingly, much like purchasing an automobile policy.

"We haven't needed to look at putting in restrictions," he adds. "That's the complexity of SMB insurance versus the residential policy that we're using here. Ultimately, the whole point of this is to keep it as simple as possible."

Among the coverages offered are cyber financial fraud, cyber extortion (including ransomware coverage up to the policy's limits), identity theft, data restoration, device replacement, and cyber bullying. Policies are available starting at $5.28 per month per device. For higher limits, such as coverage up to $100,000 per device, the price could rise to $20 per device per month or more.

Coleridge sees personal cyber insurance as a growing market going forward. As social engineering attacks increase against individuals, the need for personal cyber insurance will increase as well, he says. "It's about protecting you against some of those threats that most consumers are probably naive to today," he adds.

**Security and Insurance Are Natural Partners**

Ford notes that in 2022 State Farm Insurance invested some $1.2 billion into the electronic alarm-monitoring security firm ADT, adding that the insurer could offer better rates to customers who proactively add security controls and thus become lower insurance risks. Similarly, Pepper late last year acquired Comcast business unit Notion, a smart property monitoring sensor system and app that enables home and small-business owners to monitor and reduce loss from costly property damage. In both cases, the acquired firms provide the new parent with on-the-ground intelligence that lowers the user's vulnerability to losses.

The partnership between Pepper and Embedded Insurance is similar to others. For example, earlier this month in the enterprise space, security operations center (SOC) and XDR vendor Arctic Wolf announced a similar program with cyber insurance carrier Cysurance. The Arctic Wolf model is designed for much larger enterprises that can support a SOC, as well as other enterprise-class security controls. As part of the program, Arctic Wolf customers can purchase up to $1 million worth of cyber insurance at an 80% discount from standard market rates.

Pepper and Embedded Insurance Partner on Cyber Insurance for Consumers, SMBs

Though government agencies have hundreds of devices exposed to the open Internet, experts wonder if CISA is moving at the right pace.

Researchers have discovered hundreds of devices running on government networks that expose remote management interfaces on the open Web. Thanks to the Cybersecurity and Infrastructure Security Agency (CISA), that will change quickly — possibly too quickly, according to some experts.

On June 13, CISA released Binding Operational Directive (BOD) 23-02, with the goal of eliminating Internet-exposed management interfaces running on edge devices in Federal Civilian Executive Branch (FCEB) agency networks. The announcement came soon after CISA's advisory about Volt Typhoon, the Chinese state-backed advanced persistent threat (APT) that leveraged Fortinet FortiGuard devices in espionage campaigns against US government entities.

To gauge how significant BOD 23-02 would be, researchers at Censys scanned the Internet for devices exposing management interfaces in federal civilian executive branch (FCEB) agencies. The scans revealed nearly 250 qualifying devices, as well as a number of other network vulnerabilities outside of the scope of BOD 23-02. 

"While this level of exposure probably doesn't warrant an immediate panic, it's still worrisome, because it could be just the tip of the iceberg," says Himaja Motheram, security researcher for Censys. "It suggests that there may be deeper and more critical security issues, if this kind of basic hygiene isn't being met."

**How Exposed FCEB Organizations Are**

Devices qualifying under BOD 23-02 include Internet-exposed routers, switches, firewalls, VPN concentrators, proxies, load balancers, out-of-band server management interfaces, and any others "for which the management interfaces are using network protocols for remote management over public Internet," CISA explained — protocols like HTTP, FTP SMB, and others.

Censys researchers discovered hundreds of such devices, including various Cisco devices exposing Adaptive Security Device Manager interfaces, Cradlepoint router interfaces, and popular firewall products from Fortinet and SonicWall. They also found more than 15 instances of exposed remote access protocols running on FCEB-related hosts.

The search was so bountiful that they even uncovered many federal network vulnerabilities beyond the scope of BOD 23-02, including exposed file transfer tools like GoAnywhere MFT and MoveIt, exposed Barracuda email security gateways, and various instances of defunct software.

Organizations often don't know their level of exposure or don't understand the implications of exposure. Motheram emphasizes that unprotected gear was all quite simple to find. "And what was trivial for us to find is, honestly, probably even more trivial for amateur threat actors out there."

**How Edge Devices Get Exposed**

How is it that so many devices are exposed on otherwise highly scrutinized government networks?

Joe Head, CTO of Intrusion, points to any number of reasons, including "convenience of the administrator, lack of operational security awareness, lack of respect for adversaries, use of default or known passwords, and lack of visibility."

James Cochran, director of endpoint security at Tanium, adds that "staffing shortages can cause overworked IT teams to take shortcuts so they can make the management of the network easier."

Consider, too, the traps unique to the government that can make the problem even worse. "With little oversight and concern about potential threats, devices can get added to the network under the guise of being 'mission critical,' which absolves them from all scrutiny," Cochran laments. Agencies can also merge or expand, with gaps in their network and security integration. “Over time, the overall networks begin to resemble something out of a Mad Max movie, where random things are bolted together and you are not sure why."

**Will BOD 23-02 Turn Things Around?**

In its directive, CISA indicated that it will begin scanning for qualifying devices and informing the culpable agencies. Upon notification, offending agencies will have just 14 days to either disconnect these devices from the Web, or "deploy capabilities, as part of a zero-trust architecture, that enforce access control to the interface through a policy enforcement point separate from the interface itself."

That two-week period will force relevant agencies to act fast to secure their systems. But that could be difficult, Motheram acknowledges. "In theory, removing devices that are exposed from the Internet should be simple, but that's not always the reality. There can be some bureaucracy to deal with when changing access policies that add friction," she explains.

Others believe the burden is undue. "This is not a responsible timeline," Cochran says. "Since the problem is so widespread, I would expect there to be significant impacts to the identified agencies. This is the same as trying to untangle a bunch of wires by sawing through them."

Others applaud CISA's no-nonsense approach. "It is hard to come up with a timeline to stop doing what should have never been done," Head says, arguing that 14 days may be too long to wait. "Five minutes would be more advisable as managers task the corrective network changes. It has been standard practice not to expose management interfaces to the public Internet for years, so making it mandatory is prudent and reasonable."

CISA Wants Exposed Government Devices Remediated in 14 Days

By Waqas
The research mainly aimed at examining VPNs, firewalls, access points, routers, and other remote server management appliances used by top government agencies in the United States.
This is a post from HackRead.com Read the original post: Exposed Interfaces in US Federal Networks: A Breach Waiting to Happen

**Cybersecurity researchers at Censys referred to publicly-accessible exposed interfaces as “low-hanging fruit” for cybercriminals, as they can easily gain unauthorized access to crucial assets.**

Researchers at Censys, an attack surface management company, have discovered hundreds of devices linked to federal networks that have remotely accessible management interfaces. These interfaces can allow for the controlling and configuring of federal agency networks through the public internet.

**Shocking Details Emerge about Federal Network Devices**

According to a blog post from the Censys Research Team, published on June 26, an examination of the attack surfaces of approximately fifty sub-organizations within the federal civilian executive branch (FCEB) revealed 13,000 different hosts spread across 100 autonomous systems.

Further probing uncovered that services running on a subset of 1,300 FCEB hosts, accessible through IPv4 addresses, had hundreds of devices with publicly accessible management interfaces. This revelation falls within the scope of CISA’s BOD 23-02 (Binding Operational Directive).

**What is BOD 23-02?**

CISA’s BOD 23-02 helps federal agencies eliminate risks associated with remotely accessible management interfaces. It requires federal civilian agencies to remove certain networked management interfaces from the internet and mandates them to implement Zero Trust Architecture capabilities to enforce access control to internet-exposed interfaces within fourteen days of discovery.

**What are the Dangers of Internet-Exposed Interfaces?**

Researchers at Censys referred to publicly-accessible interfaces as “low-hanging fruit” for cybercriminals, as they can easily gain unauthorized access to crucial assets. CISA notes that threat actors are taking a keen interest in targeting certain classes of devices, especially those supporting network infrastructures, as it helps them evade detection.

After compromising these devices, attackers can obtain full access to the network. Misconfigurations, insufficient or outdated security measures, and unpatched software make devices vulnerable to exploitation. If the device management interface is directly connected to or accessible from a public-facing internet, it will be far more damaging for the organization.

**Which Devices Are Impacted?**

Researchers mainly examined VPNs, firewalls, access points, routers, and other remote server management appliances. They found around 250 different web interfaces for hosts exposing network appliances, all using SSH and TELNET remote protocols.

Most of the impacted devices were Cisco network appliances with a publicly accessible Adaptive Security Device Manager interface, whereas they also discovered enterprise Cradlepoint router interfaces revealing wireless network details. Other impacted products include Fortinet FortiGuard, SonicWall, and other popular firewalls.

A screenshot shared by Censys shows a publicly accessible Cradlepoint router web interface belonging to a Federal Civilian Executive Branch (FCEB) organization.

In addition, researchers observed exposed remote access protocols, including NetBIOS, FTP, SNMP, and SMB, out-of-band remote server management devices like Lantronix SLC console server, physical Barracuda Email Security Gateway appliances, Nessus vulnerability scanning servers, HTTP services that exposed directory listings, managed file transfer protocols such as GoAnywhere, MOVEit, and SolarWinds Serv-U, and over 150 end-of-life software.

Fifteen of the remote access protocols, which already contain multiple known vulnerabilities exploitable by threat actors, were running on FCEB’s exposed hosts. The report highlights the need for federal agencies to be more proactive in safeguarding their digital assets and improving security mechanisms across all systems to make devices CISA’s BOD 23-02 compliant.

**RELATED ARTICLES**

1.  Avast found backdoor in US Federal Agency Network
2.  Fed Agency securing communication for Trump got hacked
3.  SolarWinds Hack – US Blames Russian Intel Agency Hackers
4.  Iranian Hackers Accessed Domain Controller of US Fed Network
5.  US and China Exposed Most Databases Among 308k Found in 2021

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Exposed Interfaces in US Federal Networks: A Breach Waiting to Happen

One ransomware attack can be devastating for a small or midsize business. Here are four solid survival tips to ensure it doesn't turn into a disaster.

If your organization is hit with a ransomware attack, it's going to cost you. According to Verizon's "2023 Data Breach Investigations Report"(DBIR), released earlier this month, the median loss to a ransomware attack has risen to $26,000 and can go as high as $2.25 million.

"\[T\]he overall costs of recovering from a ransomware incident are increasing, even as the ransom amounts are lower. This fact could be suggesting that the overall company size of ransomware victims is trending down," the DBIR team wrote.

Much of the expense comes from the loss of business and recovery time. The average ransomware attack has a life cycle of more than 300 days. That's nearly a full year in which the organization is tied up with discovery and remediation — and almost two months longer than other types of cyber incidents. And then there are other costs to factor, such as long-term damage to the corporate brand and reputation, as well as loss of institutional knowledge when the employees who are held responsible for the attack are let go.

The costs surrounding a ransomware attack could cripple small and midsize businesses (SMBs) and even cause one to shut down. But it doesn’t have to be that way. Even for SMBs with tight IT/security budgets and limited security expertise, ransomware protection and recovery boils down to planning ahead.

The best way to avoid the high costs of a ransomware attack is to avoid being a victim, but protection and detection tools also come with hefty price tags. How much a company will need to pay depends on the number of employees and devices it needs to protect, but even a company with as few as 50 people can spend five figures on ransomware protection. Cyber insurance to protect the business in case of an attack could add at least $1,500 per $1 million in coverage, depending on the deductible.

Note that getting cyber insurance for ransomware is not easy; many insurance agencies are limiting coverage because of the high payout costs.

Organizations also need to think about the cybersecurity approach they want to take. How cybersecurity teams approach ransomware defense has changed over the years, says PJ Kirner, CTO and co-founder of Illumio. Cybersecurity has shifted from perimeter defense (setting up a secure perimeter to keep the bad guys out), to rapid detection (detecting and stopping as quickly as possible), to containment (limiting the amount of damage the attackers can cause once they break in).

Which approach an SMB decides to take determines the type of tools and protective actions it will need. A company deciding to contain malware would make investments to beef up authentication and privilege management in order to validate all users and devices before granting access to any transaction. A company focused on perimeter defense would have very different investments, requiring firewalls and other methods to keep attackers out of the network.

While an organization can adopt any number of security systems and tools, SMBs should consider the following actions, regardless of their overall security approach.

**1\. Decrease the Attack Surface**

Applying the concept of least-privilege access can close the door against ransomware attacks. The fewer people with access to applications and databases, the lower the chances for cybercriminals to also gain access and get in. Audit your users' roles to make sure they have access only to the software and services they need, especially if the software processes sensitive data.

For example, explains Kirner, Remote Desktop Protocol (RDP) is a popular access point for threat actors to get into a Windows system and launch ransomware. But RDP is most often used for IT help desks and troubleshooting. Most employees across the business have no need to have RDP accounts, yet they might have RDP enabled on their machines. Kirner advises revoking access if employees have no reason to have those accounts.

"Remove all that attack surface from your environment," Kirner says. "This is something you can do proactively and reduce the impact of ransomware."

Also worth disabling — especially in a Windows environment — is PowerShell. Attackers are increasingly using PowerShell in malware-less attacks. The average user is never going to use it, so it's better to disable it when setting up the user machine. Similarly, keep track of what accounts have been created on the network or for cloud applications and services. If the employee no longer needs it or has left the company, remove that account entirely. Cloud access security broker software can help manage and monitor employees’ cloud activity and enforce security policies.

**2\. Shift the Costs to the Attackers**

Another way to make your organization less attractive to bad actors is to make launching an attack more costly for the cybercriminal. Something as simple as restricting access to unnecessary applications shifts the burden to the attacker. If the attacker can’t do much with the application despite having user credentials — maybe they can only view reports but can’t extract data — the attacker has a choice of moving on to easier victims or working harder. Similarly, requiring multifactor authentication adds another roadblock for threat actors because just stealing credentials is no longer enough. Many types of MFA can fit an SMB's budget and security expertise, including biometrics, hardware tokens, and even the employee’s phone.

Attackers are economic actors, just like any other business, Kirner points out. "When they run out of time, they'll go to an environment with less security controls," he says.

**3\. Improve Your Security Hygiene**

Good security hygiene is important, regardless of company size.

The first step is to build an internal security culture around cybersecurity awareness and guidance, explains Dave Gerry, CEO at Bugcrowd. That doesn’t just mean watching security videos and calling it a day. Encourage open communications and give employees the confidence to report anything that seems suspicious.

Explain which external services and resources are allowed and why there are restrictions. Make it easy for employees to go through an approval process for getting access to tools so that they aren’t just going off and creating their own accounts.

Use modern training materials. Security companies are now producing training videos that are episodic, like sitcoms, or use techniques from reality shows that entertain as well as educate.

Gamification, such as setting up contests or offering rewards when designated milestones are met, also creates an environment where employees want to improve their security practices. Human error is a top cause of cyberattacks. When employees are encouraged to take an active role in cybersecurity and understand the consequences when they don't, you add another cybersecurity tool at little cost.

**4\. Don't Fail to Plan**

Prevention is important, but every organization should have a plan in place to mitigate an attack when it happens. The company should know who will be involved in mitigation and recovery, as well as how to handle the negotiations.

For example, because of the possibility that a ransomware attack can lead to permanently shutting down an SMB, many plan to pay the ransom. That requires setting a budget on how much to pay. If the organization does not already have a cryptocurrency wallet or access to cryptocurrency, that will make payment a bit difficult. SMBs are already working with managed service providers, consultants, and contractors. It may be worth lining up a ransomware negotiator ahead of time, who can spring into action when needed. The same goes for a computer forensics team to help figure out what is happening on the network and how to remove the ransomware.

Priority No. 1 has to be a strategy, says Joseph Carson, chief security scientist at Delinea. A ransomware attack isn't a typical incident, he points out. It will make you unavailable to your customers and, in worst-case scenarios, put lives at risk. No matter how small your budget, it is essential to think about what ransomware defense should look like but to also plan out what is needed for a successful recovery.

Protecting Small Businesses From Ransomware on a Budget

Categories: Business
Ransomware is like that stubborn cold that you thought you kicked, but creeps back up determined to run amok again.



(Read more...)




The post Understanding ransomware reinfection: An MDR case study  appeared first on Malwarebytes Labs.

Ransomware is like that stubborn cold that you thought you kicked, but creeps back up determined to run amok again. The question is what medicine is available to kick this nasty infection for good.

In this post, we'll break down the idea of ransomware reinfection and share a real-life episode where Malwarebytes Managed Detection and Response (MDR) mitigated a resilient ransomware reinfection from the Royal ransomware gang.

**What is ransomware reinfection?**

Imagine this scenario: You've recently battled a vicious ransomware attack, finally restoring your systems to their normal functionality. You breathe a sigh of relief, secure in the knowledge that your data is safe and operations are running smoothly.

Alas, it's not the end of the story.

The ransomware attack you just countered was actually just the final act of a long-drawn series of malicious activities. In other words, many ransomware attacks aren't the start of the problem; they're often the result of an unresolved network compromise.

The true culprit is how the threat actor is gaining access to begin with. Once inside, they steal login credentials, deploy malware, or establish a backdoor—a secret gateway into the network that can be exploited later. This is like them leaving a hidden door unlocked for future visits.

Even after successfully mitigating the immediate ransomware attack, these hidden doors may remain unnoticed, enabling the attackers to infiltrate your network stealthily once more. This is the essence of ransomware reinfection.

Having clarified the terminology, let's delve into a real-world instance of a ransomware reinfection in action.

**Initial Ransomware Attack – November 23, 2022**

Prior to their engagement with Malwarebytes, our customer experienced a ransomware attack on their AWS environment. They chose not to pay the ransom.

The subsequent countermeasure involved a complete system rebuild from backup to recover their operations.

**Onboarding with Malwarebytes MDR and Detection of Reinfection – December 9, 2022**

In response to the initial compromise, the customer onboarded with our Managed Detection and Response (MDR) service and Endpoint Detection and Response (EDR) product. Immediately after installing the EDR on the endpoint, detections for additional ransomware were identified.

Our MDR analyst spotted file detections linked to the previous ransomware attack, attempted outbound communications to a known malicious site (a Cobalt Strike C2 server), and remote inbound RDP connection attempts. The MDR analyst promptly contacted the customer, recommending to block the C2 server and the source of the RDP connections, which the customer promptly implemented.

**New Threat Emerges – December 11, 2022**

Only two days later, a new set of remote host RDP connection attempts were detected. Again, the MDR team advised the customer to block the connection source to prevent further infiltration.

**Critical Incident and Response – December 13, 2022**

A new wave of local host file detections indicated a return of the previously encountered ransomware. An unencountered persistent mechanism was also identified, suggesting that the threat was not completely eliminated. As part of our response, we raised a critical incident to the customer, carried out an extensive threat hunt, and identified two compromised domain admin accounts, a domain controller (DC), and an SQL server.

A Potentially Unwanted Modification (PUM) detection of a disabled Windows system restore setting.

The customers’ C:Program Files directory showed peculiar files like 'desktop.ici.royal.w', 'PackageManagement', 'README.TXT', and 'Uninstall Information'.

This new detection, "Ransomware.Royal", suggests that the attackers were either still present in the network or had gained access again.

Our MDR team promptly reached out to the customer's Security team and initiated a strategic consultation via a Zoom call. Detailed insights were shared on the Indicators of Compromise (IoCs) encountered, and we advised the customer to change the passwords of the affected domain admin accounts.

In response, the customer implemented an enterprise-wide password change and blocked the newly identified C2 server. Additionally, the decision was made to rebuild the compromised DC.

**Lessons from the Incident**

This episode underscores the relentless threat of ransomware reinfection in today's threat landscape, as well as the critical role that 24x7x365 diligence of trained cybersecurity experts, swift responses, and collaborative efforts play in cyber defense.

Without having a similar level of expertise in-house, the reality is that many organizations will see reinfections that could lead to catastrophic results.

In this case, our customer had assumed full recovery from the initial ransomware attack, and if not for the MDR service, they may never had realized that the attack was still ongoing. Fortunately, the collaborative efforts of Malwarebytes MDR, EDR, and the customer successfully mitigated the threat and safeguarded the customer’s digital space.

For more information of our EDR and MDR products and services, please visit https://try.malwarebytes.com/mdr-consultation-new/

Read more:

*   ****How to choose an MDR vendor: 6 questions to ask****
*   **Is an outsourced SOC worth it? Looking at the ROI of MDR**
*   ****3 ways MDR can drive business growth for MSPs****
*   **Cyber threat hunting for SMBs: How MDR can help**

Understanding ransomware reinfection: An MDR case study 

Small and midsized companies work to jettison some security tools to simplify operations and reduce cost, even as any economic downturn continues to remain at bay.

Enterprises are not the only organizations looking to consolidate their security tools and vendors in the face of a potential economic slowdown — small and midsized businesses are looking to reduce their costs and simplify their security as well.

The vast majority (86%) of SMB customers using managed security service providers (MSSPs), for example, are aiming to reduce their current portfolio of security tools, according to a survey published this week by OpenText. The majority of those businesses are driven primarily by an effort to reduce costs (28%) or to simplify complex security environments (26%), the survey found.

Consolidation does not just benefit the company, but can help the provider of security services as well, says Geoff Bibby, senior vice president at OpenText Cybersecurity, a cybersecurity conglomerate.

"Consolidation is two-fold," he says. "Businesses are going to service providers because they don't have the staffing or financial resources to purchase and manage multiple tools, and from the service-provider perspective, fewer tools — and fewer vendors — means simplified billing and greater ease of doing business."

Consolidation of vendors has become a major trend following the rush to adapt to the pandemic-era business landscape by moving more services to the cloud. By mid-2022 — when 83% of companies predicted a downturn in the coming year — three-quarters of companies planned to reduce the number of security vendors they used, up from 29% in 2020. The top strategies explored by companies were reducing non-essential spending (43%), re-evaluating vendors (30%), and decommissioning infrastructure (29%), according to Spiceworks Ziff Davis's "2023 State of IT" report.

Efforts to cut costs remain strong, despite a reprieve in the dark economic forecast. A majority of economists (59%) polled in May still predict that the US would enter a recession in the next 12 months, but poor-performance predictions have remained unfulfilled as employment numbers and the stock market continue to resist a downturn.

"This is the most anticipated recession that won't ever seem to arrive, and all of the data indicates that it might never arrive because none of the factors for recession seem to be there," says Jeff Pollard, vice president and principal analyst at market intelligence firm Forrester Research.

**Optimizing Vendors and Security Services**

Yet while economic risks certainly spurred concerns over IT and IT-security budgets, initiatives to both simplify and reduce the cost of security operations inside companies has a life of its own, Pollard says.

"If you go back ... to the heady days of growth just nine months ago or so, what I was consistently hearing from security leaders was: too many tools, too many products," he says. "And it wasn't based on an economic argument. It was based on simplification of technology and portfolio rationalization — they felt like they had too many security controls and too many security products."

Business intelligence firm Gartner sees a similar picture. Most midsized enterprises (MSEs) — firms with $50 million to $1 billion in revenue and up to 2,500 employees — are looking to reduce the number of vendors, but rather than focus on consolidation, the companies are looking to optimize their security operations, says Patrick Long, an analyst with Gartner.

Such optimization generally focuses on two approaches. Outsourcing to service providers allows companies to overcome a shortage of security workers, because there are currently 21 IT employees for every security-focused employee, he says. Another form of consolidating is through the products, adopting all-in-one suites from a single vendor, which helps reduce licensing costs and can result in more holistic security capabilities, he says.

Currently, two-thirds of MSEs (68%) are pursuing security-vendor reduction strategies, while the remaining third have delayed consolidation but will likely simplify their security within the next three years, Long says.

"They are optimizing their architecture and integration strategies, vendor management, workforce management, and their costs," he says, adding that "current economic conditions influence security vendor consolidation but is not the primary driver for consolidation."

**Integration Still a High Hurdle**

Reducing the number of security products is not easy. Licensing can often become a blocker, especially if a company signed long contract periods, and products from the same vendors do not always have seamless integration, says Forrester's Pollard. In addition, any adoption of an integrated product will require a security team to learn the new system, so efficiency gains can take a while to materialize, he says.

"When you buy a bundle and consolidate, in theory, the product will integrate well, but what I really hear from a lot of security leaders is that the cost savings, frankly, doesn't often materialize," Pollard says. "Because what you wind up having to do is learn a new product, a new solution, and people have to get trained on it, so you have to modify your processes."

Yet companies are making headway. Overall, companies that pursue consolidation have seen IT security costs decrease by more than 2%, with data security costs reduced by a quarter and identity management shrink by more than a third, says Ben Pippenger, chief strategy officer at Zylo, a SaaS management platform.

"There tends to be some redundancy within security categories," he says, pointing out the cloud identity and access management are among the top-15 most redundant software functions, with nearly five applications handling that capability in the average company.

"While security is an important business function, it's one that could still likely benefit from consolidation," he says.

Tag

#samba