River Beach is a small town in Florida, of less than 40,000 people. The City Council in Riviera Beach agreed to pay a $600,000 ransom to hackers who encrypted files on their computers. In hindsight it would have been cost effective to hire a couple of IT guys to go around and apply the Microsoft Security patches to all the computers used by River Beach.
Ransomware attacks targeting small cities are prevalent and growing. Those cities which do not pay the ransom, may end up spending Millions of Dollars rebuilding their IT Systems. Click on this link to visit the Wired website to read their article titled: “ATLANTA SPENT $2.6M TO RECOVER FROM A $52,000 RANSOMWARE SCARE”.
When the Security Patches were being applied, the IT guys could also discuss Phishing emails as most people are not even aware what a Phishing email is. It is not just small cities that fall for Phishing emails. The accounting departments of huge Tech firms have sent out cheques worth Millions of dollars because of fake Phishing emails.
Video courtesy of the RT America YouTube channel
Many of the Ransomware attacks (such as WannaCry) used the Microsoft SMB vulnerability.
There was a prior Cert advisory titled: “Vulnerability Note VU#867968” (Microsoft Windows SMB Tree Connect Response denial of service vulnerability) was issued on Feb 02 2017.
In March Microsoft issued their Microsoft Security Bulletin MS17-012 which addressed the SMB issue.
There was also an even earlier US-CERT Advisory posted on Jan 16 2017 titled: “SMB Security Best Practices”, which suggested “blocking outbound SMB connections (TCP ports 139 and 445 along with UDP ports 137 and 138) from the local network to the WAN. “. Port blocking can be done using your Firewall Software (or Hardware).
A number of attacked city systems had “not” updated “all” their computers with suggested Security Updates. Some of their Operating Systems and Server System software go back to days of Windows 7. The often quoted statement is that they did not have the IT resources to get Security Updates installed on all the computers.
One area which IMHO require more training is Phishing Attacks. That is the use of fake emails sent to emails which are part of a city’s system. The fake email will ask the receiver to click on a link. If the receiver clicks on the link they will link to one of the Hacker’s Command and Control Servers, which will then upload the Ransomware to the receiver’s computer. The Ransomware will be started and spread to the System Servers and to all the other computers. Once running on a computer, the Ransomware will start to Encrypt data files using a secret key. Next messages will pop up on infected computers telling them that their files have been encrypted and that they have so many days to pay a Ransom to get the key to be able to un-encrypt their files.
I recently posted the following article on this site which was titled: “Phishing eMail Scam targeted Facbook and Google for $100 Million Dollars.”.
If the main Servers have Security Updates installed then the Ransomware will not spread. Also, if the System Admins have been doing daily backups, they may be able to recover the Servers using their backup files. They would still have to deal with individual end user computers which were infected.
The “key” is training End Users to not open emails from unfamiliar people. If opened, then the end user should not click on any links and they should immediately contact their IT Support Team. Unfortunately in real life, that is easer said than done.
Click on the CYBERSECURITY box in the menu at the top of this site, to read more Security related posts.
Posted by Vincent Banial
Posted by Vincent Banial
It has been a while since I posted about Cyber Security. Last year’s round of posts were very well received. We even had a major Cyber Security firm linking to our posts.
What a “coincidence“, back in March of this year Microsoft patched a whole bunch of security holes in assorted Windows Operating Systems. On Friday, April the 14th 2017, a Hacker group called the Shadow Brokers released a ton of NSA developed weaponized software Exploits and Malware which allowed the NSA to break into computers around the globe. Not just break in, but potentially to also take control of computers running Windows Operating Systems prior to Windows 10. The Friday, April 14th Easter Egg contained over 200 megabytes of code which was dropped on GitHub.
Yes, Microsoft released a Security Update (patches) In March 2017 for their Windows Operating Systems which plugged the Security Holes used by the code which Shadow Brokers made available to the whole wide world on April 14th 2017. The key question is, will users and Network Admins apply those patches? If the March 2017 release of Microsoft patches are not installed, the computers remain vulnerable, as the Exploit and Malware code is available to everyone from Newbie Wannabe to Elite Hacker. Just wait till modified versions start being used.
One of the most powerful NSA coded Malware released is called FuzzBunch. The video below is a demo (in a controlled test environment) of FuzzBunch breaking into a virtual install of Windows 2008 Server.
Spiceworks did a survey of Network Server Operating systems being used. Windows 2008 Server was installed on over 40% of the Windows Server installations. People are even still using Windows 2003 Server. Hey, if it works and ain’t broke, why upgrade.
Click on this link to visit the Spiceworks website to read their 2016 post.
Click on this link to view other Cyber Security posts on Uniquely Toronto.