Ransomware

Unless you have been living under a rock for the past year you will have seen the rise of ransomware attacks worldwide. There are lots of great online resources that cover ransomware in great detail so we will not repeat that here. Instead, we are going to look at three questions that we are often asked when discussing ransomware.

  1. “What are the current delivery methods for Ransomware that you are seeing?”
  2. “How should we respond to an incident?”
  3. “What should I do to mitigate?”

This article will look at each question in turn.

Ransomware Delivery Methods

The delivery methods used by the various ransomware gangs differ, both with the technical skill of the attackers and with whether they are targeting end users or corporate systems directly.

Targeting end users

The main methods employed to get the ransomware on to the target system still fall within the following two categories:

  • Email-based attachments – often fake invoices carrying malicious macros.
  • Malicious Websites – where exploit kits are used to deliver the malicious payload. This can be through accidentally visiting a site while browsing the Internet or via clicking on a link within a malicious email.

Targeting Corporate Systems

  • Internet Exposed Remote Management – where remote management systems are compromised (often through weak passwords) and the ransomware is directly delivered on to corporate servers.

In terms of remote management compromise, the attacks appear to use the following approach:

  1. Identify remotely exposed RDP with weak credentials.
  2. Create further administrative level accounts on the server to maintain access.
  3. Maintain access for a period of time (in one case we dealt with, access was maintained for at least four weeks).
  4. Drop ransomware.

It would appear that stages 1-3 are most likely carried out by a separate party from those dropping the ransomware. From what we have seen, access to the compromised server is likely being sold on once the entity responsible for the initial breach has taken everything it wants from it. My assumption is that the entity selling access could easily be selling it to a number of malicious parties; if one of them happens to be focused on ransomware, that is the impact the end client sees.

When dropping the ransomware, more capable gangs map a drive and run the malicious code remotely, while those at the lower end are most likely purchasing ransomware kits and often drop the executable directly on to the box.
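The chain above (repeated failed RDP logons, a successful logon from an Internet address, then a new administrative account) leaves a recognisable trail in the Windows Security log. The following is an added example, not code from this article, that flags that sequence in collected events. It assumes events have been forwarded and flattened to dicts keyed by the Security log's own field names (EventID 4624/4625 for logons, 4720 for a user being created, 4732 for a member being added to a local group); the collector, the event shape and the sample events are assumptions made for the example.

```python
"""Flag the exposed-RDP -> persistence chain in Windows Security events.

Added example, not code from the original article. Event dicts use the
Security log's own field names; the sample events below are constructed.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Address space treated as "inside": RFC 1918, loopback and link-local.
# Extend this with your own public ranges before running it for real.
INTERNAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample: three failed RDP logons from an Internet address
# (203.0.113.0/24 is a documentation range standing in for one), a success,
# then a new account created and added to Administrators.
SAMPLE_EVENTS = [
    {"TimeCreated": "2016-10-01T02:10:00", "Computer": "SRV01", "EventID": 4625,
     "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "203.0.113.45"},
    {"TimeCreated": "2016-10-01T02:11:20", "Computer": "SRV01", "EventID": 4625,
     "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "203.0.113.45"},
    {"TimeCreated": "2016-10-01T02:13:05", "Computer": "SRV01", "EventID": 4625,
     "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "203.0.113.45"},
    {"TimeCreated": "2016-10-01T02:14:30", "Computer": "SRV01", "EventID": 4624,
     "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "203.0.113.45"},
    {"TimeCreated": "2016-10-01T02:20:05", "Computer": "SRV01", "EventID": 4720,
     "SubjectUserName": "administrator", "TargetUserName": "svc_backup"},
    {"TimeCreated": "2016-10-01T02:20:40", "Computer": "SRV01", "EventID": 4732,
     "SubjectUserName": "administrator", "TargetUserName": "Administrators",
     "MemberName": "SRV01\\svc_backup"},
    # Benign: an admin connecting over RDP from the LAN, no account changes.
    {"TimeCreated": "2016-10-01T09:00:00", "Computer": "SRV02", "EventID": 4624,
     "LogonType": 10, "TargetUserName": "j.smith", "IpAddress": "10.0.0.25"},
]


def _ts(event):
    return datetime.fromisoformat(event["TimeCreated"])


def is_external(ip):
    """True for any address outside INTERNAL_NETS (unparseable -> False)."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def find_rdp_persistence(events, window=timedelta(hours=24), min_failures=3):
    """One finding per external RDP logon (type 10) that is followed, within
    `window`, by account creation or group membership changes performed by
    the same account on the same host."""
    events = sorted(events, key=_ts)
    findings = []
    for i, ev in enumerate(events):
        if (ev["EventID"] != 4624 or ev.get("LogonType") != 10
                or not is_external(ev.get("IpAddress", ""))):
            continue
        host, user, t0 = ev["Computer"], ev["TargetUserName"], _ts(ev)
        # Failed logons from the same source shortly before the success.
        failures = sum(
            1 for e in events[:i]
            if e["EventID"] == 4625 and e["Computer"] == host
            and e.get("IpAddress") == ev["IpAddress"] and t0 - _ts(e) <= window)
        # Persistence actions taken by the account that just logged on.
        follow = [
            e for e in events[i + 1:]
            if e["Computer"] == host and e["EventID"] in (4720, 4732)
            and e.get("SubjectUserName", "").lower() == user.lower()
            and _ts(e) - t0 <= window]
        if follow:
            findings.append({
                "host": host, "source_ip": ev["IpAddress"], "account": user,
                "logon_time": ev["TimeCreated"],
                "failed_logons_before": failures,
                "brute_force_suspected": failures >= min_failures,
                # 4720 names the new user in TargetUserName; 4732 names the
                # group there and the added member in MemberName.
                "persistence_events": [
                    (e["EventID"], e.get("MemberName") or e["TargetUserName"])
                    for e in follow],
            })
    return findings


if __name__ == "__main__":
    for finding in find_rdp_persistence(SAMPLE_EVENTS):
        print(finding)
```

The window is deliberately wide: in the case described above the attacker sat on the server for weeks, so the account creation may be hours or days after the logon that matters. Run it over the full retention period rather than the last day, and treat any external type 10 logon as worth a look even without a follow-on event.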

Responding to a Ransomware Attack

A key action at an early stage of any incident is to stop the ransomware from continuing to encrypt files and causing further damage. As attacks can be aimed at end users as well as directly at corporate environments, the first step is to identify which type of attack you are dealing with: that determines the right approach to remediation, and in particular how infected assets are identified and removed from the network.

The following high-level approach is suitable for most ransomware attacks, while being agile enough to enable the incident analysts to address the ever changing nature of ransomware families.

  • Identify patient zero and isolate it from the network.
  • Analyse the ransomware family to identify the clean-up activity required and whether files can be recovered directly.
  • Identify the route of compromise (email / web browsing / remote access).
  • Block access to malicious sites and remote access solutions, and remove infected emails, to prevent re-infection and/or command and control.
  • Identify the technology flaw exploited to gain the initial compromise and remediate the wider environment to protect against repeat infection.
  • Identify the key documents encrypted and search the Internet to check whether any data has appeared externally (bearing in mind that an absence of hits is not proof that nothing was exfiltrated).
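For the first step, identifying patient zero, one quick source of evidence when a file share has been hit is the share's own metadata: the infected workstation writes the encrypted copies and ransom notes under the logged-on user's account, so the owner of the earliest encrypted files is usually the user to isolate first. The following is an added example, not code from this article, of that triage over a share listing. The listing, the ".locked" suffix and the note name are constructed for the example; real families vary both, so set them from the sample you have recovered.

```python
"""Patient-zero triage from file share metadata.

Added example, not code from the original article. The listing, encrypted
suffix and ransom note name are constructed; on a real share build the
listing with os.walk()/os.stat() and the ACL owner of each file.
"""
from collections import defaultdict
from datetime import datetime

ENCRYPTED_SUFFIXES = (".locked",)            # assumption: family-specific
RANSOM_NOTE_NAMES = ("HOW_TO_DECRYPT.txt",)   # assumption: family-specific

# Constructed share listing: (path, owning account, last-write time).
SAMPLE_LISTING = [
    ("\\\\FS01\\Finance\\budget.xlsx.locked", "CORP\\a.jones", "2016-10-03T07:42:10"),
    ("\\\\FS01\\Finance\\HOW_TO_DECRYPT.txt", "CORP\\a.jones", "2016-10-03T07:42:12"),
    ("\\\\FS01\\Finance\\invoices\\inv-1001.pdf.locked", "CORP\\a.jones", "2016-10-03T07:43:01"),
    ("\\\\FS01\\HR\\contracts.docx.locked", "CORP\\a.jones", "2016-10-03T07:51:30"),
    ("\\\\FS01\\Finance\\readme.txt", "CORP\\b.khan", "2016-10-02T16:05:00"),   # untouched
    ("\\\\FS01\\HR\\policy.docx", "CORP\\b.khan", "2016-10-03T07:30:00"),       # untouched
]


def _is_ransomware_artifact(path):
    """Encrypted file (by suffix) or ransom note (by exact name)."""
    name = path.rsplit("\\", 1)[-1]
    return name in RANSOM_NOTE_NAMES or name.lower().endswith(ENCRYPTED_SUFFIXES)


def triage_share(listing):
    """Group ransomware artifacts by owning account, earliest writer first."""
    by_owner = defaultdict(list)
    for path, owner, mtime in listing:
        if _is_ransomware_artifact(path):
            by_owner[owner].append((datetime.fromisoformat(mtime), path))
    summary = []
    for owner, hits in by_owner.items():
        hits.sort()
        summary.append({
            "owner": owner,
            "first_seen": hits[0][0].isoformat(),
            "last_seen": hits[-1][0].isoformat(),
            "count": len(hits),
            "first_path": hits[0][1],
        })
    summary.sort(key=lambda s: s["first_seen"])
    return summary


def patient_zero(listing):
    """The account whose artifacts appear first, or None if nothing matched."""
    summary = triage_share(listing)
    return summary[0] if summary else None


if __name__ == "__main__":
    print(patient_zero(SAMPLE_LISTING))
```

The owner tells you the account, not the machine: cross-check it against the file server's SMB session or logon events for the same time window to get the workstation to pull off the network. If the owner turns out to be a service account, the encryption was run from a server rather than a user's desktop, and the RDP route described earlier becomes the more likely story.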

Ransomware Mitigation

Again, there are many online guides and resources that outline how to mitigate ransomware [1]. However, this is in essence an arms race between the ransomware gangs and the defences that can currently be deployed, so it is likely that new approaches without an existing mitigation will be found and exploited by the gangs. Incident planning and response should therefore also play a significant part in your preparation.

Beyond maintaining effective backups that are protected from ransomware attacks and can be restored successfully in a timely manner, a number of further key mitigating activities can be deployed to reduce the likelihood of a successful attack:

  • Reduce the technology surface – remove any unnecessary software and technology stacks, such as Java and Flash, from the enterprise.
  • Harden the web browser – protect end users from opportunistic attack via malicious web sites by applying additional security controls within the browser.
  • Patching – keep technology up to date, especially Java, Adobe products, browsers and the main operating systems.
  • User awareness – work with your staff to raise awareness of phishing-style emails and malicious documents, and of what actions to take if an infection occurs.

  1. https://www.nomoreransom.org/prevention-advice.html
     https://community.sophos.com/kb/en-us/120797
     https://www.ncsc.gov.uk/guidance/protecting-your-organisation-ransomware

Inaugural Scottish Cyber Awards 2016

7 Elements had a very successful evening at the inaugural Scottish Cyber Awards 2016. Our CEO David Stubley was shortlisted for the Cyber Evangelist of the year, along with Stu Hirst (Head of Security for Skyscanner) and Prof Bill Buchanan of Napier Uni and The Cyber Academy.

“It was an honour to be shortlisted along with Bill and David who are absolute champions for cyber security in Scotland and beyond. 2017 is sure to be another challenging but exciting year for security and we can all continue to make great strides in protecting business from the continued threat of cyber crime.” Stu Hirst

Bill was quite rightly recognised for all of his hard work within the Scottish cyber security community as the winner of the award.

“The Cyber Security awards showcased the great work within innovation within Scotland, particularly with up-and-coming companies such as ZoneFox, 7 Elements and Net Defence. A key highlight of the event for me was the focus on innovation and especially on SME activity, as these companies will provide us the foundation for our economic activity around the area.” Prof Bill Buchanan

7 Elements, along with ZoneFox and Truststream were shortlisted for the SME Cyber Defender of the year award. With such a high quality shortlist, it was an immensely proud moment for the 7 Elements team to walk away with this award. Especially with ZoneFox later on collecting the award for Champions of Champions!

“To be recognised at the cyber awards is real confirmation that our commitment to delivering highly technical and client focused engagements makes a real difference to SMEs within Scotland.” David Stubley

“Being nominated for SME defender was a great indication of the fact that SMEs also require the same level of protection that larger orgs invest in, and it’s great to know we’re helping. Winning the international contribution and champion of champion award is a fantastic honour. The team have worked to give us our most commercially successful year, and to win these awards is the icing on the cake.” Dr Jamie Graves (Zone Fox)

The passion and commitment of all of the Scottish Cyber community was evident throughout the evening. We have great talent here within Scotland and the future is bright, bring on next year.

ScotSoft 2016

ScotSoft2016, the annual conference for the Scottish digital technologies industry, will take place on 6th October in Edinburgh. The must-attend technology event of the year, ScotSoft2016 comprises the Global Forum, Awards Dinner, the Developers Conference and the Scottish Government Public Sector Briefing. This year 7 Elements are excited to be involved as a main sponsor for the event.

ScotSoft has a packed programme of talks from speakers from all over the industry including Sam Ramji, Troy Hunt and of course, our very own David Stubley will be giving a talk named ‘Breaking Bad’.

‘Breaking Bad’ will focus on just how bad a breach of your corporate web site could be for your organisation. In this talk, David will look at attacking modern enterprise application frameworks and using common exploit code to demonstrate the true impact of a breach, including gaining access to internally sensitive systems and data.

7 Elements will also be running a Capture the Flag (CTF) event to allow delegates to test their hacking skills. It is a security-focused competition with points awarded for gaining unauthorised access to applications and systems within the target environment. The CTF is aimed at all levels, so make sure you come along and put your skills to the test and maybe even win prizes!

More information can be found here.

Scottish Cyber Awards

We are very proud to announce that we will be sponsoring the Leading Light Innovation Award at the first ever Scottish Cyber Awards!

The Scottish Cyber Awards are being organised by the Scottish Business Resilience Centre and Scottish Enterprise and their purpose is to recognise Scotland’s commitment towards cyber security excellence. The award ceremony will be held on Wednesday the 16th of November at The Waldorf Astoria in Edinburgh.

If you would like more information about the Scottish Cyber Awards please visit www.sbrcentre.co.uk.

MoD is backing the Cyber Essentials Scheme

As of 1st January 2016, all MoD contractors and sub-contractors are required to hold Cyber Essentials (CE) or Cyber Essentials Plus (CE+) certification. It is also important to be aware that this extends to all MoD procurement, suppliers and sub-contractors, even if they are not working directly with or for the MoD. For projects starting after 1st January, all suppliers will be required to hold the relevant Cyber Essentials certificate by the contract start date at the latest, and to renew it annually thereafter.

Key Points

There are four risk categories for MoD projects (very low, low, moderate and high), with different certification requirements:
  • All contractors and sub-contractors on projects with a very low risk rating are required to have a CE certificate.
  • All contractors and sub-contractors on projects with low, moderate and high risk ratings are required to be CE+ certified (which includes gaining CE as part of the process).

Get in Touch

7 Elements are an accredited certification body for Cyber Essentials, more information on the scheme can be found here. As an independent technical information assurance consultancy, 7 Elements is well suited to assist your organisation in gaining a Cyber Essentials Certification.
As the scheme is designed to be available to all sizes of organisations, our pricing is cost effective.
To discuss your Cyber Essentials needs please contact us.

Mitel CCMWeb OpenRedirect

Advisory Information

Title: Mitel CCMWeb OpenRedirect

Date Published: 4th October 2015

Advisory Summary

The login page accepts a user-supplied URL and, once the user has authenticated, redirects them to it, allowing redirection to an arbitrary external site.

Vendor

Mitel

Affected Software

Product: MiCC (CCMWeb)
Version: 7.x and earlier

Description of Issue

An open redirect vulnerability was discovered in MiContact Center version 7.1. It is present in the login component of CCMWeb and can be exploited by modifying the ‘redirecturl’ parameter to point at an attacker-controlled site. The vulnerability could be used as part of a phishing attack, as the domain in the link will be familiar to the target and lends the URL credibility. Because the redirection does not happen until the user has authenticated, it may also be possible to set up credential theft scenarios by cloning the CCMWeb login page at the redirect destination.

PoC

The following proof of concept redirects the user to www.google.com after a successful login. This is only a proof of concept; through obfuscation or URL-shortening services the Google URL could be replaced with something malicious.

http://1.1.1.1/CCMWeb/webforms/login.aspx?redirecturl=http://www.google.com
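The fix is to stop trusting the parameter: accept only a path on the application itself, or an absolute https URL whose host is on an explicit allowlist, and fall back to a fixed landing page for anything else. The following is an added example of that check, not Mitel's code, written in Python for illustration rather than as ASP.NET; the fallback path and the allowlisted host are assumptions for the example. It covers the cases that commonly slip past a naive "starts with /" test: protocol-relative "//host", backslash variants that browsers treat as "//", userinfo tricks such as "https://trusted@evil", and non-http schemes.

```python
"""Redirect target validation for a login page's redirecturl parameter.

Added example, not Mitel's code. DEFAULT_LANDING and ALLOWED_HOSTS are
assumptions for the example.
"""
from urllib.parse import urlparse

DEFAULT_LANDING = "/CCMWeb/webforms/default.aspx"   # assumption
ALLOWED_HOSTS = frozenset({"ccm.example.com"})      # assumption


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """True only for targets that cannot take the user off this application
    (or off an explicitly allowlisted https host)."""
    if not target or any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return False      # control characters (CR, LF, NUL, tab) are never legitimate
    if "\\" in target:
        return False      # browsers treat "/\evil.com" the same as "//evil.com"
    parts = urlparse(target)
    if not parts.scheme and not parts.netloc:
        # Relative target: must be an absolute path on this site, not "//host".
        return target.startswith("/") and not target.startswith("//")
    # Absolute target: https only, no userinfo, exact (case-insensitive) host match.
    if parts.scheme.lower() != "https" or parts.username is not None:
        return False
    return (parts.hostname or "").lower() in allowed_hosts


def resolve_redirect(target, fallback=DEFAULT_LANDING):
    """Where the login page should send the user after authentication."""
    return target if is_safe_redirect(target) else fallback


def vulnerable_resolve(target):
    """What the affected login page effectively does: trust the parameter."""
    return target


if __name__ == "__main__":
    for t in ("/CCMWeb/webforms/default.aspx", "http://www.google.com",
              "//www.google.com", "/\\www.google.com",
              "https://ccm.example.com@evil.example/", "javascript:alert(1)"):
        print("%-45s vulnerable -> %-40s fixed -> %s"
              % (t, vulnerable_resolve(t), resolve_redirect(t)))
```

A design choice worth noting: rejecting rather than "cleaning" the value. Attempting to strip a scheme or host from a bad target tends to reintroduce exactly the parsing differences between server and browser that open redirects exploit; sending the user to a known-good page instead is simpler and safe.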

Timeline

Reported – 26th January 2015

Accepted – 31st March 2015

Advisory Published – 4th October 2015

Mitel CCMWeb Unauthenticated Local File Inclusion

Advisory Information

Title: Mitel CCMWeb Unauthenticated Local File Inclusion

Date Published: 4th October 2015

Advisory Summary

A lack of input validation allows an attacker to download arbitrary files from the server.

Vendor

Mitel

Affected Software

Product: MiCC (CCMWeb)
Version: 7.x and earlier

Description of Issue

A local file inclusion (directory traversal) vulnerability was discovered in MiContact Center version 7.1. It is present in the flexreport component of CCMWeb and can be exploited by an unauthenticated user to retrieve arbitrary files from the server, by supplying directory traversal sequences in the file name to be downloaded.

PoC

The following proof of concept downloads the Windows hosts file.

http://1.1.1.1/ccmweb/flexreport.ashx?filename=..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\windows\system32\drivers\etc\hosts
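The underlying defect is a file name joined straight onto the report directory. The following is an added example, not Mitel's code and written in Python for illustration rather than as ASP.NET, showing that vulnerable join beside a version that canonicalises the result and refuses anything resolving outside the report directory. The report directory is an assumed location. Two details matter for this particular bug: the PoC uses backslashes, which IIS and Windows accept as separators, so they must be normalised before any check, and the containment test must compare whole path components, so that a sibling directory sharing a prefix of the name is not mistaken for the report directory.

```python
"""Constraining a download handler's filename parameter.

Added example, not Mitel's code. REPORT_DIR is an assumption; POC_FILENAME is
the advisory's proof-of-concept value.
"""
import posixpath

REPORT_DIR = "/inetpub/wwwroot/CCMWeb/reports"   # assumption

# The advisory's proof-of-concept value, verbatim (16 x "..\").
POC_FILENAME = ("..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\"
                "windows\\system32\\drivers\\etc\\hosts")


class TraversalError(ValueError):
    pass


def _to_posix(p):
    # IIS/Windows accept "\" as a separator; normalise before any checks so
    # "..\" cannot slip past a check that only knows about "../".
    return p.replace("\\", "/")


def vulnerable_join(base, filename):
    """What the affected handler effectively does: trust the parameter."""
    return posixpath.normpath(posixpath.join(_to_posix(base), _to_posix(filename)))


def safe_join(base, filename):
    """Return the canonical path for `filename` inside `base`, or raise."""
    if not filename or "\x00" in filename:
        raise TraversalError("empty filename or NUL byte")
    name = _to_posix(filename)
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        raise TraversalError("absolute paths and drive letters are not allowed")
    base_norm = posixpath.normpath(_to_posix(base))
    candidate = posixpath.normpath(posixpath.join(base_norm, name))
    # commonpath compares whole components, so ".../reports_old" is not
    # mistaken for a prefix of ".../reports" the way a string test would.
    if candidate == base_norm or posixpath.commonpath([base_norm, candidate]) != base_norm:
        raise TraversalError("path escapes the report directory: %r" % filename)
    return candidate


def is_safe(base, filename):
    """Boolean form of safe_join, for callers that only need a verdict."""
    try:
        safe_join(base, filename)
        return True
    except TraversalError:
        return False


if __name__ == "__main__":
    print("vulnerable:", vulnerable_join(REPORT_DIR, POC_FILENAME))
    for name in ("q1_agent_report.pdf", POC_FILENAME, "../web.config"):
        print("%-20.20s safe? %s" % (name, is_safe(REPORT_DIR, name)))
```

In a real handler, apply this check and then resolve the result with realpath (os.path.realpath) before opening it, so that a symbolic link or junction inside the report directory cannot point back out. Better still for a handler like this one, which only ever serves reports, is to reject any separator at all and accept a bare file name with an allowlisted extension; the canonicalisation above is the general technique for when sub-directories genuinely are required.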

Timeline

Reported – 26th January 2015

Accepted – 31st March 2015

Advisory Published – 4th October 2015

Aerospace, Defence and Marine (ADM) Industry Leadership Group

7 Elements CEO appointed by the Aerospace, Defence and Marine (ADM) Industry Leadership Group. The full article can be found here.

ADM Industry Leadership Group

7 Elements CEO appointed by the Aerospace, Defence and Marine (ADM) Industry Leadership Group

David Stubley, CEO at 7 Elements, a key player in the Scottish information security industry, has been appointed as a new member of the Aerospace, Defence and Marine (ADM) Industry Leadership Group (ILG). The group has expanded its remit to cover cyber security, as it represents a significant market opportunity for companies in the sector and Scotland has a considerable and growing capability in this area. David will bring his years of knowledge and expertise to the group to ensure that the revised 2015 strategy for Aerospace, Defence, Marine and Security (ADMS) fully incorporates this new growth opportunity for Scotland’s economy.

Scottish Enterprise facilitates ILGs, with the groups responsible for developing and delivering forward looking industry strategies. ILG members provide strategic leadership and advice to industry and the public sector in Scotland, drawing on their national and international expertise on global trends and issues and the niche areas where Scotland has global competitiveness. These groups comprise leading business figures drawn from across the private sector as well as senior representatives from the public sector including Scottish Enterprise, Scottish Government and key stakeholders.

The ADMS ILG currently has 18 members from key industrial and academic players in the sector including Vector Aerospace, Selex ES, Thales Optronics, Spirit Aerosystems, BAE Systems, Clyde Marine Group, University of Strathclyde, STUC, Scottish Engineering, Society of Maritime Industries, Inter-Tec Services ltd, British Airways Maintenance Glasgow, Castle Precision Engineering, Beal Group, MacTaggart Scott ltd.

Mick OConnor, Chairman of the ADM ILG, said:

The need to transmit and store information securely is of paramount importance in today’s business world. There are many high profile examples where data was accessed illegally at both a business and national level. In recognition of the emerging prominence of cyber security we have invited David Stubley to join the Aerospace, Defence and Marine (ADM) Industry Leadership Group (ILG) to provide subject matter expertise in this area. This appointment will help increase the general awareness of cyber security to business within the ADM community and, moreover, identify market opportunities for Scottish business.

David Stubley, CEO at 7 Elements, said:

I’m excited to have been appointed to the Industry Leadership Group. The Scottish Aerospace, Defence and Marine sector plays a vital role within the national economy and has increasingly become the focus of cyber attacks. Establishing a resilient approach to security will not only reduce the impact of these events, but make Scotland a safer place to do business.

Incident Response

As part of the Cyber Academy ‘Cybercrime Investigations & Incident Response Bootcamp’, our CEO David Stubley will be delivering training to UK Law Enforcement. For more information on our approach to incident response, please visit our site.