This entry is the monthly continuation of Anitian’s series of threat intelligence insights from our Sherlock Managed Threat Intelligence team. The purpose of these briefings is to publish some of the significant campaigns that our team of Sherlocks is tracking at this time.
Change happens. People change, governments change, seasons change, threats change, reactions change. Does anything remain unchanged? In cybersecurity, there are often changes that are ultimately superficial. Bugs still haunt code. Phishers still prey on human gullibility. People still use weak passwords. IT operations still do not patch.
The more things change, the more they just get “next-generation” prefixed to their name. This month we look at some new problems that are really just the same problems…I mean, next-generation problems.
7-zip Needs Patching
WHAT: 7-zip has input validation flaws that can let a malformed archive execute code when it is processed. Such an archive can look perfectly legitimate while hiding the threat. This is bad. 7-zip is a super-popular file compressor/decompressor with a vast install base.
WHY: Hackers using a trusted application to install malware is nothing new. Yet the real issue is the lack of third-party patching. This is a classic example of a new threat, following an age-old pattern. This is why the Sherlock team regularly reviews system inventories and patching practices. One system with an unpatched 7-zip install could become a next-generation headache.
Ransomware Keeps Working
WHAT: Over the last several months, we have tracked a massive, gigantic, and absolutely huge uptick in ransomware. Even we jaded cybersecurity people are shocked at the sheer volume of ransomware attacks.
Why is this happening? Because it works. And the attacks are getting nastier. We see waves of phishing attacks, followed by internal denial of service attacks, and then aggressive encryption of data. Health care and financial institutions are especially at risk. However, sometimes they do spontaneously recant.
WHY: Ransomware is tricky to track at the border because the payload is typically encrypted. We track numerous indicators of ransomware in Sherlock. For example, we specifically watch for any workstation that suddenly accesses all the files on a share. Any system doing this is highly suspect and is subjected to scrutiny and special scans. It is not uncommon for us to pick up the ransomware before it starts to spread and encrypt files, saving our clients from untold damage and loss.
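The "workstation suddenly touches every file on a share" indicator described above is simple to express as a sliding-window count of distinct paths per host. The following is an added example written for this post, not Sherlock's own detection code. It assumes a tab-separated file-access audit log (timestamp, host, share, path, operation), which is a constructed format, and it builds its own sample log: two users doing ordinary work and one host that reads and rewrites 150 distinct files inside a minute, the pattern an encryptor leaves behind.

```python
"""Flag a host that accesses an abnormal number of distinct files on a share in a short window.

Added example, not Anitian's Sherlock code. The audit-log layout below is an
assumption: one record per line, tab-separated:
    <ISO timestamp>\t<host>\t<share>\t<path>\t<READ|WRITE>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)        # how far back we look per host/share
DISTINCT_FILE_THRESHOLD = 100        # distinct paths inside WINDOW that trigger an alert


def parse_line(line):
    """Split one constructed audit record into typed fields."""
    ts, host, share, path, op = line.rstrip("\n").split("\t")
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), host, share, path, op


def detect_mass_access(lines, window=WINDOW, threshold=DISTINCT_FILE_THRESHOLD):
    """Return one alert per (host, share) whose distinct-file count within any
    `window` reaches `threshold`. Input lines must be in time order."""
    recent = defaultdict(deque)   # (host, share) -> deque of (ts, path, op)
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        ts, host, share, path, op = parse_line(line)
        key = (host, share)
        q = recent[key]
        q.append((ts, path, op))
        # Evict records that fell out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {p for _, p, _ in q}
        if len(distinct) >= threshold and key not in alerts:
            # Writes inside the same window hint at in-place encryption rather than a search/index.
            writes = sum(1 for _, _, o in q if o == "WRITE")
            alerts[key] = {
                "host": host,
                "share": share,
                "first_seen": q[0][0],
                "distinct_files": len(distinct),
                "writes": writes,
            }
    return list(alerts.values())


def build_sample_log():
    """Constructed sample data: two normal users plus one host behaving like an encryptor."""
    base = datetime(2016, 6, 1, 9, 0, 0)
    lines = []
    # Normal users: a handful of files spread across the morning.
    for i in range(8):
        t = base + timedelta(minutes=15 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%S}\tWS-ALICE\t\\\\fs01\\finance\tQ1\\report{i}.xlsx\tREAD")
    for i in range(5):
        t = base + timedelta(minutes=20 * i + 3)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%S}\tWS-BOB\t\\\\fs01\\finance\tQ1\\report{i}.xlsx\tWRITE")
    # Suspect host: reads then rewrites 150 distinct files within about one minute.
    burst = base + timedelta(minutes=42)
    for i in range(150):
        t = burst + timedelta(milliseconds=400 * i)
        for op in ("READ", "WRITE"):
            lines.append(f"{t:%Y-%m-%dT%H:%M:%S}\tWS-CAROL\t\\\\fs01\\finance\tHR\\file{i:03d}.docx\t{op}")
    lines.sort()  # ISO timestamps sort lexicographically, so this yields time order
    return lines


if __name__ == "__main__":
    for alert in detect_mass_access(build_sample_log()):
        print(alert)
```

The threshold and window are deliberately crude; in practice you would baseline each host's normal distinct-file rate and alert on a multiple of it, and you would exclude known scanners and backup agents that legitimately sweep whole shares.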
However, the other part of this is keeping up with the age-old need for user education and internal patch management. Human reaction is always going to be slower, so if we can automate these defenses we can stop the attack before it gets underway.
Passwords Are Still a Problem
WHAT: Everybody hates them, but everybody has to live with them. Passwords, and the challenge of keeping them managed and complex, are another age-old problem. Until we have adequate non-password control mechanisms (and there are some people who are trying) we are stuck with passwords. How do we make this problem get better?
WHY: Monitoring an internal network allows us to see almost everything, including your “admin|admin” or “cisco|cisco” telnet and HTTP logins. Come on, you know better than that. What has us really worried is that younger generations (like Millennials) are worse at password management. This does not bode well, since Millennials are taking over the workforce (and our passwords). In a positive development, Microsoft Azure is starting to ban common/exposed passwords. We would like to see other cloud identity platforms do the same.
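Banning common or exposed passwords only helps if the check also catches the cosmetic variants people reach for (“Summer2016!”, “P@ssw0rd”), and the “admin|admin” logins mentioned above are the degenerate case where the password is simply the username. The example below is added here to show both checks in one place; it is not Microsoft's algorithm and not Anitian's code. The banned list is a tiny constructed stand-in for a real breached-password corpus, and the normalisation rules (lower-casing, stripping leading and trailing digits and symbols, undoing common letter-for-symbol swaps) are assumptions made for the example.

```python
"""Reject passwords that collapse to a banned word, or that repeat the username.

Added example; BANNED is a constructed stand-in for a real common/exposed password
list, and the normalisation rules are an assumption, not any vendor's algorithm.
"""
import re

# Constructed stand-in for a "common/exposed" list (a real one has millions of entries).
BANNED = {"password", "admin", "cisco", "letmein", "qwerty", "welcome", "summer", "iloveyou"}

# Common symbol/digit-for-letter substitutions that do not add real strength.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})

MIN_LENGTH = 12


def normalize(pw):
    """Reduce a password to the word a human probably started from."""
    s = pw.lower()
    s = re.sub(r"[^a-z]+$", "", s)   # strip trailing digits/symbols: "summer2016!" -> "summer"
    s = re.sub(r"^[^a-z]+", "", s)   # strip leading ones too: "!!password" -> "password"
    return s.translate(LEET)         # undo leet after stripping, so "2016" is not read as letters


def check_password(username, pw):
    """Return the list of reasons the password is unacceptable; an empty list means it passes."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() == username.lower():
        reasons.append("password equals username (default-credential pattern)")
    elif username and username.lower() in pw.lower():
        reasons.append("contains the username")
    core = normalize(pw)
    for word in sorted(BANNED):
        if word in core:
            reasons.append(f"based on banned word '{word}'")
            break
    return reasons


if __name__ == "__main__":
    for user, pw in [("admin", "admin"), ("jdoe", "P@ssw0rd2016!"), ("jdoe", "correct horse battery staple")]:
        print(f"{user}|{pw}: {check_password(user, pw) or 'OK'}")
```

Checking for the username and for banned words on the normalised form is what turns a policy from “eight characters, one digit, one symbol” into something that actually rejects the passwords attackers try first.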
In conclusion, all these new issues are old problems.
- Use complex passwords and manage them
- Patch your stuff
- Do not click on funny links emailed to you
These items we have addressed this month should be unsurprising, except that they are still massive problems in 2016. And it could be argued they are getting more prevalent. However, we are on the case. That is what we do at Anitian Sherlock: keep on top of the previous, current, and next-generation problems.
And change your password.
Check back next month for our July Sherlock report.