Data loss prevention in CYBER ATTACKS
Cyber attacks cause temporary or permanent loss of information in companies, halt normal activity, and cause economic loss and reputational damage. That is why it is so important that users and companies keep their operating systems updated and take alerts seriously (cybersecurity Bilbao), especially once an attack campaign is under way. On many occasions, long after the patch that fixes a vulnerability has been released, there are still millions of unpatched, defenseless computers.
Once the bug is public, there is enough information on the Internet for people without special skills to work out how to build proofs of concept (PoC) that trigger a denial of service (DoS), and such PoCs start to appear quickly. PoCs that achieve remote code execution (RCE) require considerably more expertise.
WHAT ARE THE NEW CYBER-ATTACKS LIKE
Criminals also deploy fake PoCs of this kind to attract the attention of security technicians: whoever downloads and runs one infects their own computer with a backdoor. In this way the attacker who wrote the "PoC" gains control of the victim's machine, which in this case would belong to someone working in industrial or electronic security.
According to experts, these weaknesses trigger waves of scanning, in many cases carried out by a single group (or a single attacker). Scanning for vulnerable systems has been observed coming through the Tor network, and a Metasploit scanner module for the vulnerability (auxiliary/scanner/rdp/cve_2019_0708_bluekeep) is publicly available.
When a computer is infected by one of these ransomware families, the user only sees a message demanding payment of a certain amount to regain access to the files on the computer. The infection can also spread to other computers connected to the same network.
THE CADENA SER CASE
Cybercriminals took advantage of an unpatched flaw to break into the systems of the radio network Cadena SER and the consultancy Everis. According to the reports, the attack used the BlueKeep vulnerability. The malware is ransomware that encrypts the contents of every computer it can reach and spreads through the internal network.
The attackers demanded 1.5 million euros in ransom, and the messages shown on the affected computers were personalized for each company that had been hacked. Payment was demanded in cryptocurrency (the victims had to make contact by email to learn the amount), and the note warned that no tool existed capable of decrypting the content encrypted by the ransomware. The greatest danger of BlueKeep is that exploitation requires no user interaction, so it can be used for mass attacks like the WannaCry ransomware operation, which damaged hundreds of thousands of computers around the world in 2017.
Attackers are actively scanning the Internet for Windows systems vulnerable to BlueKeep (CVE-2019-0708). In mid-May 2019 Microsoft released patches for the affected versions (Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2), including out-of-band fixes for versions that were already out of support.
Separately from Microsoft's update, the 0patch service published a micropatch aimed at servers that must run continuously and cannot be rebooted.
The bug is in the Remote Desktop Protocol (RDP) implementation of Remote Desktop Services and allows remote code execution with SYSTEM-level privileges, without authentication and without any user interaction.
HARMFUL PROGRAM, VERY ACTIVE
The malicious program would be related to BlueKeep, a vulnerability disclosed in May 2019 that saw a lot of activity over the summer and has grown recently. It exploits a weakness in the Windows Remote Desktop service. The security research community has followed the evolution of this vulnerability very closely. Among the news around BlueKeep was the discovery of a botnet, called GoldBrute, which has been carrying out brute-force attacks against the RDP services of more than one and a half million servers in different locations around the world.
Early reports also suggested that the ransomware could instead have entered through a zero-day vulnerability in the Bonjour updater component that Apple's iTunes installs on Windows. The experts of the 0patch platform released a temporary micropatch for always-on servers on which Microsoft's updates cannot be installed because the machines cannot be restarted. This micropatch does not require a system reboot. Initially it is available only for 32-bit Windows XP SP3, but the developers are also studying porting it to Server 2003 and other systems.
Shortly after the patch was released, several information security specialists announced that they had created working exploits for the vulnerability; for security reasons, however, they refrained from publishing their PoC code.
WHAT INCIBE SAYS
The Spanish National Cybersecurity Institute (INCIBE) runs a cybersecurity incident response team for private companies, INCIBE-CERT. When a crisis occurs, the state agency works to mitigate and recover from the incident together with the affected companies and the cybersecurity firms that support them.
As part of its usual operations it also stays in constant coordination with the rest of the national public bodies to support the ongoing investigation.
WHAT DR.WEB SAYS
Dr.Web recommends that updates always be installed, and quickly: "Each update improves the security of your PC or device." It warns that cybercriminals are actively scanning the Internet for Windows systems susceptible to the BlueKeep vulnerability (CVE-2019-0708).
Dr.Web is a Russian antivirus vendor that studies cyber attacks in real time. Its engineers work in continuous research to find solutions to new ransomware. With its Rescue Pack product it attempts to recover files compromised by encryption and installs one year of antivirus at no cost to the company. Specifically, Dr.Web has a large team of engineers who immediately investigate the incident in order to decrypt all infected computers.
Seguridad-Profesional.com is the official distributor for northern Spain (cybersecurity Bilbao).
DATA LOSS PREVENTION AFTER CYBER-ATTACKS
If the news reaches the media and you have not yet been affected but are among the potential victims, it is recommended to follow the protocol established for today's cyber attacks:
1. Ask your employees to shut down their equipment as a precaution.
2. Block all incoming mail.
3. Prevent Internet browsing.
4. Prohibit access to the Wi-Fi network.
5. Do not connect to the internal network.
The US Department of Homeland Security advises disconnecting from the network those computers that do not have the latest updates so that, as a preventive measure, they can neither be infected nor infect others. The most important thing is that those who have not yet updated their systems do so as soon as possible.
In this case the advice is to update the vulnerable operating systems: Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2. In addition, you are advised to:
· Block TCP port 3389 at the firewall, especially on any perimeter firewall exposed to the Internet. This is the port RDP listens on, and blocking it stops any attempt to establish a connection from outside.
· Enable Network Level Authentication (NLA). With NLA the server requires valid credentials before the vulnerable pre-authentication code path can be reached, so an attacker needs a valid account to exploit the flaw.
· Disable Remote Desktop Services where they are not needed. This reduces exposure to this vulnerability and is good practice against other attacks as well.
· Scan your networks for computers vulnerable to BlueKeep.
· Use security solutions such as those offered by Seguridad-Profesional (Ciberseguridad Bilbao), an allied cybersecurity company that makes managed security available to SMEs.
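The NLA and scanning advice above can be checked from the network side. The script below is an added example written for this article (it is not code from the page, from Microsoft, Dr.Web, INCIBE or Seguridad-Profesional): it sends an RDP X.224 Connection Request that asks only for "standard RDP security" (PROTOCOL_RDP) and reads the server's negotiation answer. A server that enforces NLA refuses with RDP_NEG_FAILURE / HYBRID_REQUIRED_BY_SERVER; a server that accepts, or an old server that does not support negotiation at all, lets an unauthenticated client reach the channel-setup stage where BlueKeep lives. The wire format and the failure codes follow the MS-RDPBCGR specification; the sample responses are constructed byte strings, not captures; the host names, the timeout and the classification labels are the author's own choices. An "exposed" result means the pre-authentication path is reachable, not that the host is confirmed exploitable: only the patch status settles that, and scanning must be limited to hosts you are authorized to test.

```python
"""Triage check: does an RDP server enforce Network Level Authentication (NLA)?"""
import socket
import struct

# requestedProtocols / selectedProtocol values (MS-RDPBCGR RDP_NEG_REQ / RDP_NEG_RSP)
PROTOCOL_RDP = 0x00000000      # standard RDP security only, no TLS, no CredSSP
PROTOCOL_SSL = 0x00000001
PROTOCOL_HYBRID = 0x00000002   # CredSSP, i.e. NLA

TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

FAILURE_CODES = {
    0x01: "SSL_REQUIRED_BY_SERVER",
    0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER",
    0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER",
    0x06: "HYBRID_EX_REQUIRED_BY_SERVER",
    0x07: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_x224_connection_request(requested_protocols=PROTOCOL_RDP):
    """TPKT header + X.224 Connection Request TPDU + RDP_NEG_REQ (8 bytes)."""
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # LI counts the bytes after itself: CR code 0xE0, DST-REF, SRC-REF, class, then the request
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    return struct.pack(">BBH", 0x03, 0x00, 4 + len(x224)) + x224


def parse_x224_connection_confirm(data):
    """Decode the server's X.224 Connection Confirm.

    Returns the negotiation payload as a dict, or None when the server answered
    without one (what pre-Vista servers do: they only speak standard RDP security).
    """
    if len(data) < 11 or data[0] != 0x03:
        raise ValueError("not a TPKT-framed X.224 PDU")
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    if tpkt_len > len(data):
        raise ValueError("truncated TPKT: header says %d bytes, got %d" % (tpkt_len, len(data)))
    li, code = data[4], data[5]
    if (code & 0xF0) != 0xD0:
        raise ValueError("X.224 TPDU code 0x%02x is not Connection Confirm" % code)
    if li < 14 or tpkt_len < 19:
        return None                       # no RDP_NEG_RSP / RDP_NEG_FAILURE present
    ntype, _flags, length, value = struct.unpack("<BBHI", data[11:19])
    if length != 8:
        raise ValueError("malformed RDP negotiation response")
    if ntype == TYPE_RDP_NEG_RSP:
        return {"type": "RDP_NEG_RSP", "selected_protocol": value}
    if ntype == TYPE_RDP_NEG_FAILURE:
        return {"type": "RDP_NEG_FAILURE",
                "failure": FAILURE_CODES.get(value, "UNKNOWN_0x%08x" % value)}
    raise ValueError("unexpected negotiation type 0x%02x" % ntype)


def classify(negotiation):
    """Map the answer to a PROTOCOL_RDP-only request onto BlueKeep exposure (author's labels)."""
    if negotiation is None:
        return "exposed-legacy-rdp"        # no negotiation at all: standard RDP security only
    if negotiation["type"] == "RDP_NEG_RSP":
        return "exposed-standard-rdp"      # server accepted unauthenticated standard RDP
    failure = negotiation["failure"]
    if failure in ("HYBRID_REQUIRED_BY_SERVER", "HYBRID_EX_REQUIRED_BY_SERVER"):
        return "nla-enforced"              # credentials required before channel setup
    if failure == "SSL_REQUIRED_BY_SERVER":
        # TLS protects the transport, but authentication still happens after the
        # channel setup, so the pre-authentication path remains reachable.
        return "exposed-tls-without-nla"
    return "inconclusive-" + failure


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-PDU")
        buf += chunk
    return buf


def probe(host, port=3389, timeout=5.0):
    """Connect to one host, negotiate, and return its classification."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_x224_connection_request(PROTOCOL_RDP))
        header = _recv_exact(sock, 4)                    # TPKT header carries the PDU length
        body = _recv_exact(sock, struct.unpack(">H", header[2:4])[0] - 4)
    return classify(parse_x224_connection_confirm(header + body))


# Constructed responses in wire format (not real captures), for offline checks.
SAMPLE_NLA_ENFORCED = bytes.fromhex("03 00 00 13 0e d0 00 00 12 34 00 03 00 08 00 05 00 00 00")
SAMPLE_STANDARD_RDP = bytes.fromhex("03 00 00 13 0e d0 00 00 12 34 00 02 00 08 00 00 00 00 00")
SAMPLE_TLS_ONLY = bytes.fromhex("03 00 00 13 0e d0 00 00 12 34 00 03 00 08 00 01 00 00 00")
SAMPLE_LEGACY = bytes.fromhex("03 00 00 0b 06 d0 00 00 12 34 00")

if __name__ == "__main__":
    import sys
    for name, sample in (("nla", SAMPLE_NLA_ENFORCED), ("std", SAMPLE_STANDARD_RDP),
                         ("tls", SAMPLE_TLS_ONLY), ("xp", SAMPLE_LEGACY)):
        print("sample", name, classify(parse_x224_connection_confirm(sample)))
    for host in sys.argv[1:]:                            # e.g. python rdp_nla_probe.py 10.0.0.5
        try:
            print(host, probe(host))
        except (OSError, ValueError) as exc:
            print(host, "error:", exc)
```

Run it with the addresses of the hosts you want to triage; anything that does not come back as "nla-enforced" belongs at the top of the patching list, together with any host whose port 3389 is reachable from the Internet at all. A server that simply closes the connection on a PROTOCOL_RDP request raises ConnectionError and is reported as an error rather than guessed at.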
AFTER THE CYBER ATTACK
At first, the affected companies will have to:
· Format the affected computers and reinstall them from clean media.
· Set up automatic backups, taken as often as possible and stored outside the internal network.
· Alternatively, wait for a tool that decrypts the data to be published.