
If you are a pentester you are perfectly aware of lateral movement, but if you are a bit further away from technology you probably won’t read any further right now. I would advise you to continue reading.

What is lateral movement? It is the process of getting access to one computer, capturing the credentials stored on it and using those to move to the next computer in the network, getting the next set of credentials and continuing until you find a workstation that a domain admin has logged into.
And that is where the attacker strikes gold, because with those credentials it is possible to take control of Active Directory and with that everything in the organisation.

So, is lateral movement a problem? Yes, it is a problem if you have not implemented a Tier model, because sooner or later (often sooner) the attacker will find that workstation where the domain administrator logs in. It is still a problem if you have implemented the Tier model and PAWs, but at least the keys to the kingdom are safe (for now). If you have followed best practice for how clients access applications and use domain accounts, lateral movement becomes a lesser problem, and it can be blocked rather easily with a few group policies: assign ‘Local account and member of Administrators group’ (the well-known SID S-1-5-114) to ‘Deny access to this computer from the network’ and ‘Deny log on through Remote Desktop Services’, so a local administrator hash or password captured on one workstation cannot be replayed against the next.


I’m not too fond of failing to help my clients recover, but sometimes shit happens and you just have to stand there looking at a disaster evolving in front of your eyes.

This particular case was in April. I was recovering from surgery so I wasn’t working. My phone rang and a friend of mine told me that a friend of his had been hit by ransomware. It’s not a big company, so they can’t afford a specialist to help them, but he promised me a good discount if I managed to do something. Being bored in bed I decided to give them a call and was quickly informed that they didn’t have time for my advice as they had some production problems.

About two hours later they called me back and told me that they could use my help as they had no access to their files. They bluntly asked me if I could crack the password and I said no. “Aren’t you supposed to be a security expert?” I decided that they were most probably under a lot of stress, so I swallowed the insult and explained that ransomware uses standard encryption with very long, complex keys; cracking those is possible in theory but would take years and cost millions, so it is not the way to attack this problem.

I asked what had happened and they told me that several users had clicked on a link and activated a ransomware that had encrypted their file server several times over. The price for the key was about 0.5 Bitcoin. I was sent a file and saw that it had been encrypted four times, which made decryption without the key hopeless. This ransomware apparently encrypted everything and appended .CRY, so the file I was sent was named Financial 2017.xlsx.CRY.CRY.CRY.CRY.

I told them that it was virtually impossible to decrypt and that the only way to recover the files was to pay for the decryption key and have the files decrypted in the right order, last layer first. The other way was to restore from a backup and lose a few days’ worth of work. That’s when they told me that they had never taken a backup.

I told them to take an immediate copy of the encrypted files, so that they could restore them to the encrypted state in case they ran the decryption in the wrong order and ended up with garbage instead of the original file.

They didn’t take my advice, and I later found out that they lost 100% of the data on their file servers, including designs that had taken them years to finalise.

Cybersecurity has been a thing for quite some time now, but the real change here in the Nordics came this year with a lot of ransomware attacks, WannaCry as the current leader of the pack, closely followed by GDPR, which is every security consultant’s wet dream. Almost every company has put cybersecurity among the top three things they need to do in the coming years.

The saddest thing is that most of them could have done it a lot more easily a few years back. Today they have very complex environments and are integrating everything, creating a security disaster waiting to happen. The chance of a company not being hit by ransomware or another attack is slim to none. The only hope is that the users don’t click on links or that the antivirus was updated in time.

I think that we will see a number of devastating attacks this year, and also a few companies that will fail due to policy problems or administrative routines that are not followed.

PAW in depth

As you read in my previous message, I’m joining Microsoft. One thing you have to do at MS is return to the school bench, as there is so much to learn. For now I’m only allowed access to external material, so let me share with you a few views on the PAW (Privileged Access Workstation) concept.

One of the core principles of the PAW concept is the Tier model. The Tier model in itself is quite simple, as it builds on the zone concept we are used to today: Tier 0 is the identity system (domain controllers, Active Directory and whatever administers them), Tier 1 is servers and applications, Tier 2 is user workstations. The big difference is that the zones are enforced with logon restrictions in group policy (user rights assignment) rather than with network boundaries, although network zoning can be used as well for added security.

Accounts and PAWs are restricted to their own Tier, which makes it impossible for a Domain Administrator to log on to a normal workstation or anywhere else below Tier 0. The only place a Tier 0 credential is ever typed in is a Tier 0 PAW, so the only way to reach a Domain Controller is through one.
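As an added example (my own code for this page, not Microsoft’s PAW guidance or anything from the original posts), here is a PowerShell audit that checks both logon restrictions discussed on this page on a single host: that ‘Local account and member of Administrators group’ (well-known SID S-1-5-114) is denied network and Remote Desktop logon, which is the group policy mentioned in the lateral movement post, and that the Tier 0 groups (Domain Admins RID 512, Schema Admins RID 518, Enterprise Admins RID 519) are denied every logon type on a Tier 1 or Tier 2 host. It reads the [Privilege Rights] section of a `secedit /export` template. The function names are mine, and the sample export embedded below is constructed with a made-up domain SID.

```powershell
# Added example, not code from the original page. Assumes Windows PowerShell 5.1+
# and the secedit export format: a [Privilege Rights] section whose entries are
# "*SID" (or plain account names), comma separated.

function Get-PrivilegeRights {
    # Parse the [Privilege Rights] section into right-name -> array of principals
    # (leading '*' stripped from SIDs). Rights with no assignment are simply absent.
    param([Parameter(Mandatory)][string[]]$InfLines)
    $rights = @{}
    $inSection = $false
    foreach ($line in $InfLines) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.*)$') {
            $rights[$Matches[1]] = @($Matches[2] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    return $rights
}

function Test-LogonRestrictions {
    # Returns a list of findings; an empty list means both restrictions hold.
    param(
        [Parameter(Mandatory)][hashtable]$Rights,
        [ValidateSet('Tier0', 'Tier1', 'Tier2')][string]$Tier = 'Tier2'
    )
    $findings = @()

    # (1) Local admins must not be usable over the network or RDP, so a local
    #     administrator hash captured on one box cannot be replayed to the next.
    foreach ($r in 'SeDenyNetworkLogonRight', 'SeDenyRemoteInteractiveLogonRight') {
        if ($Rights[$r] -notcontains 'S-1-5-114') {
            $findings += "$r is missing S-1-5-114 (Local account and member of Administrators group)"
        }
    }

    # (2) Tier model: on Tier 1/2 hosts the Tier 0 groups must be denied every
    #     logon type, so a Domain Admin credential is never exposed below Tier 0.
    if ($Tier -ne 'Tier0') {
        $denyAll = 'SeDenyInteractiveLogonRight', 'SeDenyNetworkLogonRight',
                   'SeDenyRemoteInteractiveLogonRight', 'SeDenyBatchLogonRight',
                   'SeDenyServiceLogonRight'
        foreach ($r in $denyAll) {
            foreach ($rid in 512, 518, 519) {
                $pattern = '-{0}$' -f $rid          # domain SID ends in -<RID>
                if (-not @($Rights[$r] | Where-Object { $_ -match $pattern })) {
                    $findings += "$r does not deny the Tier 0 group with RID $rid on a $Tier host"
                }
            }
        }
    }
    return $findings
}

# Constructed sample: what "secedit /export /cfg" might produce on a Tier 2
# workstation whose domain SID is S-1-5-21-1111-2222-3333 (made-up values).
$sampleExport = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-114,*S-1-5-21-1111-2222-3333-512,*S-1-5-21-1111-2222-3333-519
SeDenyRemoteInteractiveLogonRight = *S-1-5-21-1111-2222-3333-512,*S-1-5-21-1111-2222-3333-519
SeDenyInteractiveLogonRight = *S-1-5-21-1111-2222-3333-512,*S-1-5-21-1111-2222-3333-519
SeDenyBatchLogonRight = *S-1-5-21-1111-2222-3333-512,*S-1-5-21-1111-2222-3333-519
SeDenyServiceLogonRight = *S-1-5-21-1111-2222-3333-512,*S-1-5-21-1111-2222-3333-519
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

$rights = Get-PrivilegeRights -InfLines $sampleExport
Test-LogonRestrictions -Rights $rights -Tier Tier2

# Against a live host (run elevated):
#   secedit /export /cfg "$env:TEMP\secpol.inf" | Out-Null
#   Test-LogonRestrictions -Rights (Get-PrivilegeRights (Get-Content "$env:TEMP\secpol.inf")) -Tier Tier2
```

The constructed sample deliberately leaves S-1-5-114 out of the Remote Desktop deny right and never mentions Schema Admins, so the audit reports those gaps. Two caveats: `secedit` shows the effective local policy, so a restriction that only exists in a GPO that has not applied yet will show as missing (which is what you want to know), and on a domain member the exported principals are SIDs, so match on the RID rather than on group names.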

I just want to inform you all that I have resigned from Sogeti to join Microsoft as a Cybersecurity Architect. This blog will continue to operate independently and still just reflect my views on different topics, assignments that I can share and so forth. Just keep the mails coming and I’ll try to answer as soon as I can. 🙂

Following my last post a few clients started asking me about the future of ransomware. I brought up this picture showing a number of predictions I have made over the years and when they were found in the wild.

One prediction is that more failures will happen, either intentionally or unintentionally, and that this will start to cost a lot more money, not from the ransom itself but because there will be longer downtime.

Today many companies have invested in online backups, with online meaning that the backups are reachable from a network share or similar just to make it easy to restore the files. This will be costly in the future, as ransomware will target those systems too, either to make sure that companies pay the ransom or just to create havoc: a backup that the infected user’s account can write to is not a backup, it is one more share to encrypt.

Ransomware makes you wanna cry, and the name of the latest outbreak is fitting. You have most probably read hundreds of posts on how to protect yourself going forward, and I will not repeat those tips and tricks but instead focus on some real-life experiences that actually prevented the ransomware in the first place:

1. Office 365 with ATP
2. SentinelOne
3. Sogeti SOC with QRadar

Following up discussions with our partners and internal delivery, we identified three independent ways to contain the outbreak.
Office 365 has an add-on called ATP, Advanced Threat Protection. Already at the beginning of the outbreak the detonation chamber in ATP identified the ransomware behaviour and blocked it, so all mails containing the ransomware were blocked if the client used ATP.

SentinelOne is a new type of threat protection that identifies ransomware behaviour, blocks it, takes a signature and updates the central server, which sends the signature out to all clients. But most importantly: it rolls back the changes the ransomware made, putting your files back in order as if nothing had happened.

Our SOC reported the suspect mails quite early on, and QRadar was very quickly updated to block the malicious traffic, effectively stopping the ransomware dead in its tracks.

The lesson from this is the same thing security experts like me say over and over:
Upgrade and update. The days when security threats were a simple and fun game for 15-year-old kids are long gone. Today it’s organised crime and state hacking. By running weak security and paying out ransoms you have become an involuntary financier of crime and terrorism.

After the administrator comes the DBA, a person who is almost mythical as it’s a very scarce resource. During my years as a DBA I always had full access to everything within the database, and as many databases were run under domain admin accounts I could do anything in the environment that I wanted. That’s a lot of trust to put in one person’s hands.

During one assignment I was asked to update the structure of a table as a new version of an application was to be installed. I asked for the name of the application so that I could look for any expected problems during the upgrade. Strangely enough I was told that this was a secret, because if I knew the name of the application I could find a way to break into it.

As it turned out it was the system that managed our salaries, and when I told them that I had full access to the database they said that was not a problem, because it was only possible to see any data through the application. I told them that wasn’t the case and even offered to show them that I could read the database, but no, I was only the DBA, not the developer, so I could not possibly have access.

This was in the early 2000s, but still to this day the DBA quite often has a lot more access to data than they need. Encrypting the database is still quite seldom used, even if it’s a very simple process today. Note that encryption at rest (transparent database encryption) protects the files on disk but not against the DBA, who can still query the plaintext; keeping the DBA out requires column- or application-level encryption with keys that the database account cannot reach. GDPR is coming!

Many years back I was always saying: there are two people who have full control over all the information in your organisation: the CEO and the administrator… and I’m not sure about the CEO.

During my time as an investigator I found numerous instances of Microsoft Office installed on file servers, with very visible evidence that files containing very sensitive information, like organisational changes, business plans, salary figures etc., had been opened on the server. To make things even worse, the administrator often had full access to all information in the databases as well, often with no logging. Sadly this was seldom viewed as a problem, as the administrator was said to be trustworthy. The so-called insider threat was frowned upon as something security consultants used to scare their clients with. Malware at that time was mainly mass-mailing worms or ‘fun’ viruses, and occasionally a bit nastier malware that took some time to remove, with a lot of porn ads popping up.

Today we are reaping what those clients did not want to sow: credential attacks that use lateral movement to get to the domain admin.
I was recently exposed to a Microsoft concept called PAW that aims to address that problem. If you have the time, do look into how the PAW concept works.

A client of mine was hit by a simple ransomware this morning and it cost her one workstation and a few hours of reinstallation. She has listened to me and implemented a good way to manage reinstallation of clients and to take backups. This specific company has removed file shares and is using SharePoint instead, so they weren’t hit that hard this time, but what about the future?

There is way too much money to be made in ransomware, and more people will enter the market. Some will be sloppy and will not be able to decrypt, or will just ignore it altogether. Others will build on the success of others and create more complex ransomware that exploits vulnerabilities etc.

I suspect that standard malware will include a ransomware component going forward. If you cannot steal the credentials of a user, you can always launch ransomware to at least make a small amount of money.
