Cybersecurity: Are you ready for the attacks we face?

MultiHouse IT-partner

About me
• Tobias Evar Lauridsen
• 10 years experience in IT operations and IT security
• EC-Council Certified Ethical Hacker
• IBM Certified Ethical Hacker
• MultiHouse Information Security Officer: ISAE 3402 Type 2 security declaration
• Senior IT Security consultant
• Panoply hacker competition: Blackhat 2014 in Las Vegas #1 winner; Blackhat 2015 in Amsterdam #1 winner

Agenda
• We are all targets for IT-criminals
• Shadow Brokers group and secret NSA exploits
• WannaCry, Not Petya, Bad Rabbit attacks and Ransomware 101
• Smishing
• CEO Fraud examples and how to analyse
• (D)DOS attack – the next cash cow for criminals
• From Apple to Apple juice
• Let’s wrap it up

Let’s learn from each other

I share stories to learn from each other.

Not to point my finger at others.

IT-crime is big business: Ransomware, CEO Fraud

”Welcome to the Dungeon © 1986 Brain & Amjads (pvt). BRAIN COMPUTER SERVICES 730 IZANAMI BLOCK ALLAMA IQBAL TOWN LAHORE-PAKISTAN PHONE: 430791,443248,280530. Beware of this VIRUS.... Contact us for vaccination...”

• World’s first virus: Brain, a ”proof of concept”
• I love you virus: cost of 5 billion $ – ”pranks”
• Our first ever breakdown of the netbank in Denmark
• Banks/money are online – thus the IT-criminals are online

http://www.internetlivestats.com/internet-users/

The current state of cyber security

http://www.dst.dk/Site/Dst/Udgivelser/GetPubFile.aspx?id=19375&sid=itanvbefeu
https://www.av-test.org/en/statistics/malware/#tab-6906-2

Danish companies have been tricked into paying more than 180 million kr in the 2nd half of 2016 – threat assessment from the Centre for Cyber Security (NC3) and the Danish Defence Intelligence Service.

The average salary in Denmark is 294.000 kr for people aged 15 and older.

https://blogs.sans.org/securingthehuman/files/2013/01/STH-Poster-YouAreATarget-LowResolution.jpg

ShadowBrokers group leaked NSA hacking tools – timeline

August 2016: ”ShadowBrokers” are asking for 1 Million Bitcoins (around $568 Million) in an auction to release the ‘best’ cyber weapons made by NSA. The auction failed. The NSA hacking tools are set up for direct sale on an underground website.

April 2017: ShadowBrokers publishes a bunch of tools to github. EternalRomance (NotPetya) and EternalBlue (Wannacry) are part of this dump.

May 2017: Wannacry attack used leaked NSA exploits: EternalBlue exploit and DoublePulsar payload.

May 2017: More than 24,000 internet connected and 2003 were still vulnerable to a Remote Desktop attack called EsteemAudit.

June 2017: NotPetya disk wiper attack used NSA exploits: fileshare exploit EternalRomance and EternalBlue.

October 2017: Bad Rabbit ransomware: EternalRomance is used. Maybe more…

What is Ransomware?
• A program that encrypts all your files
• You cannot open your files after the ransomware has encrypted them
• The criminals want you to pay for the key to unlock your files
• Or restore from a backup

Ransomware timeline

https://labsblog.f-secure.com/2017/04/18/ransomware-timeline-2010-2017/

Monday Mornings…..

WannaCry Attack Simplified

1. WannaCry is run on a system with the EternalBlue exploit.
2. Stop the attack if the kill-switch domain exists: hxxp://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
3. Spread WannaCry: attack a range of computers on the internet with the EternalBlue exploit, and attack other computers on the local network with the EternalBlue exploit.
4. Run the Ransomware.

Wannacry Timeline

March 2017: Microsoft releases MS17-010 for EternalBlue.

April 2017: ETERNALBLUE Remote Exploit via SMB & NBT was leaked by shadowbrokers.

May 2017, Day 1: WannaCry with a kill-switch targeted the world. Kill-switches are typically used by nation states. Marcus Hutchins stopped the outbreak with the kill-switch.

May 2017, Day 2: Microsoft releases emergency patch updates for unsupported versions.

May 2017, Day 3: WannaCry with no kill-switch is in the wild. Blasted the internet over the next couple of weeks.

Other info:
• Over 99.000 - 300.000 computers in 99 - 150 countries.
• The attack only made 50.000 $.
• Marcus Hutchins was arrested by the FBI on August the 2nd for selling and creating the Kronos banking malware in 2014-15.
• Unrelated: Botnet sending 5 Million emails per hour to spread Jaff Ransomware.

How to defend against the next wannacry

• Install patches on all systems every …
• Watch for emergency patches from Microsoft
• Upgrade to Windows before the version is end-of-life. Windows XP and Windows 2003 are end-of-life.
• Disable protocols that are no longer used in your environment. In this case SMBv1.
• Use endpoint protection, not just antivirus. Endpoint protection is Antivirus, Firewall and Intrusion Prevention.

Firewall protection:
• Do not listen on SMB (TCP port 445) from the internet

Not Petya – Russian disk wiper

Not Petya Attack Simplified

1. Ukrainian tax accounting software was used to distribute Not Petya. The M.E. Doc update service was compromised.
2. Spreading Not Petya: scans the network for internal fileshares; Mimikatz steals credentials from memory; uses EternalRomance and EternalBlue against internal networks; tries to infect computers over the sysadmin tools WMIC and PSEXEC.
3. Runs the disk wiper to make the data unusable to the victim. The disk wiper encrypts the computer hard disk’s Master Boot Record.

https://cloudblogs.microsoft.com/microsoftsecure/2017/10/03/advanced-threat-analytics-security-research-network-technical-analysis-notpetya/

How to stop Not Petya

• Segment the network into zones
• Only allow necessary traffic
• Limit the use of domain admin
• Users should only have access to the files necessary to perform their job.
• Users should live without local administrator privileges
• Do not use administrator access per default
• Backup is a must

October: Bad Rabbit attack

https://thehackernews.com/2017/10/bad-rabbit-ransomware-attack.html

Bad Rabbit Attack Simplified

1. Malicious adverts on websites trick the user into installing a fake Flash update.
2. Spreading Bad Rabbit: scans the network for internal fileshares; attempts to log on with commonly used credentials; Mimikatz steals credentials from memory; uses EternalRomance against internal networks; tries to infect computers over the sysadmin tool WMIC.
3. Runs the Ransomware and shows the ransom note when done encrypting the user’s files.

https://thehackernews.com/2017/10/bad-rabbit-ransomware.html

Russia’s Enterprises were hit hard

[Figure: Enterprise vs Consumer infection attempts by country]

https://www.symantec.com/connect/blogs/badrabbit-new-strain-ransomware-hits-russia-and-ukraine

Protect against Bad Rabbit

• Disable the WMI service if possible
• Patch computers
• Use software to update computer programs, such as Flash – or configure Flash to autoupdate
• Make sure you backup your data on a regular basis

If Flash auto-updates or software is updated from a program, you can tell users: ”Do not update Flash if prompted. Call the support team instead.”

Day-to-day: Examples of Ransomware

2017 Q2: Evil Invoices delivered with dropbox links

1. Criminals steal dropbox credentials with phishing mails to you and me
2. Criminals upload malware to the compromised dropbox accounts.
3. Phishing mails with dropbox links to companies
4. Employees open the invoice
5. Ransomware

https://www.phishtank.com/phish_detail.php?phish_id=4888479

I wonder what the criminals want to do in the companies?

What do hackers want to do?

Ransomware 101

You may get ransomware by involuntary download of malware by way of:
• Compromised webpages
• Phishing mails
• Existing botnet
• SMB open to the internet

Protect yourself against day-to-day ransomware
• Backup – to restore files
• User education – be observant – talk to a colleague
• Update systems including 3rd party software such as: Java, Flash, Silverlight, Firefox, Chrome etc.
• Do not activate macros in Office files – a macro is a small program in an Office file
• Do not activate external content in Office documents

What is smishing
• Text message/SMS phishing is the same as mail phishing
• Hackers attempt to trick the receiver into installing an app or giving out information such as passwords etc.

Smishing – NemID

www.littleleadersecc.com/cu.html
massmediaman.com/nets/run/update/
www.littleleadersecc.com

1038 clicks in 36 min. Beware of short links – you never know where you end up! 37,652,825 webpages host WordPress.

Smishing: You have received an MMS-message

• False sender
• Bitly.com URL short links
• Analysis of Android App: http://enlightek.com/imms.apk = Android App
• Targeting Denmark
• Command and Control

CEO Fraud Examples

You press reply…

The Hacker has 2584 hours per catch

DKK 300.000 transferred to an account in England.

20% in money-laundering fees makes DKK 240.000 in clean money.

It is possible to live 17 months on one big catch.

No wonder why this is so popular.

https://nomadlist.com/lagos-nigeria/cost-of-living

CEO Fraud analysis of mail header

Received: from EXCH01.danskvirksomhed.local (192.168.1.4) by EXCH01.danskvirksomhed.local (192.168.1.4) with Microsoft SMTP Server (TLS) id 15.0.847.32 via Mailbox Transport; Wed, 31 Aug 2016 12:30:49 +0200
Received: from EXCH01.danskvirksomhed.local (192.168.1.4) by EXCH01.danskvirksomhed.local (192.168.1.4) with Microsoft SMTP Server (TLS) id 15.0.847.32; Wed, 31 Aug 2016 12:30:49 +0200
Received: from mxscanner.dkvirksomhed.dk (8.8.8.8) by EXCH01.danskvirksomhed.local (192.168.1.4) with Microsoft SMTP Server id 15.0.847.32 via Frontend Transport; Wed, 31 Aug 2016 12:30:49 +0200
Received: from mxscanner.dkvirksomhed.dk (localhost [127.0.0.1]) by mxscanner.dkvirksomhed.dk (Postfix) with ESMTP id 3F662ACA27 for ; Wed, 31 Aug 2016 10:30:31 +0000 (UTC)
Received: from mxscanner.dkvirksomhed.dk (localhost [127.0.0.1]) by mxscanner.dkvirksomhed.dk (Postfix) with ESMTP id 8E474ACA14 for ; Wed, 31 Aug 2016 10:30:30 +0000 (UTC)
Received: from stt-cha-ms1.vipowernet.net (mail.vipowernet.net [65.112.145.72]) by mxscanner.dkvirksomhed.dk (Postfix) with ESMTPS id 1A36EAC8D4 for ; Wed, 31 Aug 2016 10:30:28 +0000 (UTC)
From: "Bent Direktør"
To: =Peder
Subject: =?iso-8859-1?Q?international_bankoverf=F8rsel?=
Date: Wed, 31 Aug 2016 10:30:26 +0000
Message-ID:
Reply-To: Bent Direktør
Content-Language: da-DK
received-spf: pass (vipowernet.net: 65.112.145.72 is authorized to use 'SRS0+eC/[email protected]' in 'mfrom' identity (mechanism 'a' matched)) receiver=mxscanner; identity=mailfrom; envelope-from="SRS0+eC/[email protected]"; helo=stt-cha-ms1.vipowernet.net; client-ip=65.112.145.72
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0

CEO fraud action plan

• Inform your employees about the risk of CEO fraud, e.g.: ”CEO fraud – mail fraud: The company is at the moment exposed to fraud attempts that look like they are coming from the company CEO. It is an attempt to get the employees to transfer large amounts of money to an account abroad. Recommendation: Always phone the CEO or talk to him directly when it comes to transferring money.”
• You may require the approval of more than one person and that an email cannot stand alone.
• Think twice before replying or opening links in mails
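The three tells in a header like the one above (an external Reply-To, an SPF ”pass” that only covers the relay’s envelope domain, and a ”CEO” mail that entered through the external mail gateway instead of originating on the internal Exchange) can be checked mechanically. This is an added example, not code from the slides or from MultiHouse; because the slide elides the real addresses, every mailbox, the SRS-rewritten envelope sender and the set of internal domains are constructed placeholders.

```python
import email
import re
from email import policy

# Constructed sample modelled on the slide's header; every mailbox here is a placeholder.
SAMPLE_HEADERS = """\
Received: from EXCH01.danskvirksomhed.local (192.168.1.4) by EXCH01.danskvirksomhed.local (192.168.1.4) with Microsoft SMTP Server (TLS) id 15.0.847.32 via Mailbox Transport; Wed, 31 Aug 2016 12:30:49 +0200
Received: from mxscanner.dkvirksomhed.dk (8.8.8.8) by EXCH01.danskvirksomhed.local (192.168.1.4) with Microsoft SMTP Server id 15.0.847.32 via Frontend Transport; Wed, 31 Aug 2016 12:30:49 +0200
Received: from stt-cha-ms1.vipowernet.net (mail.vipowernet.net [65.112.145.72]) by mxscanner.dkvirksomhed.dk (Postfix) with ESMTPS id 1A36EAC8D4 for <peder@dkvirksomhed.dk>; Wed, 31 Aug 2016 10:30:28 +0000 (UTC)
From: "Bent Direktoer" <bent@dkvirksomhed.dk>
To: Peder <peder@dkvirksomhed.dk>
Reply-To: Bent Direktoer <bent.direktoer@freemail.example>
Received-SPF: pass (vipowernet.net: 65.112.145.72 is authorized to use 'SRS0+x=y=freemail.example=bent.direktoer@vipowernet.net' in 'mfrom' identity) envelope-from="SRS0+x=y=freemail.example=bent.direktoer@vipowernet.net"; helo=stt-cha-ms1.vipowernet.net; client-ip=65.112.145.72
MIME-Version: 1.0
"""
INTERNAL_DOMAINS = {"dkvirksomhed.dk", "danskvirksomhed.local"}  # assumed: the victim company's own domains

def domain_of(addr_spec):
    return addr_spec.rsplit("@", 1)[-1].lower()

def is_internal(host):
    return any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)

def unwrap_srs(addr_spec):
    # SRS0 rewriting looks like SRS0+hash=tt=orig-domain=orig-local@forwarder; recover the original sender.
    local = addr_spec.rpartition("@")[0]
    parts = local.split("=", 3)
    if local.startswith("SRS0") and len(parts) == 4:
        return f"{parts[3]}@{parts[2]}"
    return addr_spec

def analyse(raw_headers):
    msg = email.message_from_string(raw_headers, policy=policy.default)
    from_domain = domain_of(msg["From"].addresses[0].addr_spec)
    findings = []
    # 1. Replies are quietly redirected away from the claimed sender's domain.
    if msg["Reply-To"]:
        reply_domain = domain_of(msg["Reply-To"].addresses[0].addr_spec)
        if reply_domain != from_domain:
            findings.append(f"Reply-To goes to {reply_domain}, From claims {from_domain}")
    # 2. SPF vouched only for the envelope sender (the relay's domain), never for the From header.
    spf = re.search(r'envelope-from="([^"]+)"', msg.get("Received-SPF", ""))
    if spf and domain_of(unwrap_srs(spf.group(1))) != from_domain:
        findings.append(f"SPF pass covers {domain_of(spf.group(1))}; real envelope sender is {unwrap_srs(spf.group(1))}")
    # 3. Received headers are prepended per hop, so the last one is where the mail entered the company.
    origin = re.match(r"from\s+(\S+)", msg.get_all("Received")[-1])
    if origin and is_internal(from_domain) and not is_internal(origin.group(1).lower()):
        findings.append(f"From is internal ({from_domain}) but mail entered from external host {origin.group(1)}")
    return findings
```

Run against the constructed sample, `analyse(SAMPLE_HEADERS)` returns all three findings; a genuine internal mail would produce none, because it originates on EXCH01 and its Reply-To and envelope sender share the From domain.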

DOS – quite simple: fills your line up or overloads central equipment so the service goes offline.

[Figure: Internet Connection]

DOS and DDOS

DOS – Denial of Service
DDOS – Distributed Denial of Service

The biggest DDOS ever seen (2016)

1 Tbps is equal to 212 DVD discs every second. 212 DVD discs every second quickly fill up a mailbox. The same happens to our internet connection.

Took down , GitHub, PayPal, Amazon, Reddit, Netflix, and Spotify

https://thehackernews.com/2016/10/iot-dyn-ddos-attack.html
https://thehackernews.com/2016/09/ddos-attack-iot.html

2017 Q4: A huge IoT botnet is being built

• IoT_reaper malware is spreading with exploits for nine previously disclosed vulnerabilities from:
  • D-Link (routers)
  • Netgear (routers)
  • Linksys (routers)
  • GoAhead (cameras)
  • JAWS (cameras)
  • AVTECH (cameras)
  • Vacron (NVR)
• The botnet from 2016 only used 150.000 devices. This can end very badly… Patch your stuff!

Wireless networks have serious security holes

https://thehackernews.com/2017/10/wpa2-krack-wifi-hacking.html

Serious security flaws have been detected in WPA2 and WPA1, which are used to protect wireless networks. The vulnerabilities affect both clients and wireless access points. It is possible to control and change the network traffic. Suppliers are working on releasing updates to patch the vulnerabilities.

Recommendations:

”Update wireless devices, but do not lose any sleep in fear of the vulnerability problem with KRACK” – Henrik Larsen, DKCERT

https://www.cert.dk/da/klumme/2017-10-27/KRACK

Are you a part of a public data leakage?
• Use your smartphone to access: haveibeenpwned.com
• Enter your email, and press “pwned?”
• You will receive a list of public data leaks in which you appear. Nice – isn’t it?
• This is just public data leaks…

From Apple to apple juice

A historical picture of Windows and Apple – seen from an IT security point of view

Hackers spend more time finding security holes in Apple after their market share has increased.

Virus + Mac OS X = Yes, it can happen

Malware can control the computer over the internet, and can start the webcam, monitor the mouse and keyboard, and install more evil programs. The malware was discovered by Malwarebytes and is called FruitFly.

Apple bug bounty program

Find security holes in Apple software and get paid.
http://thehackernews.com/2016/08/apple-bug-bounty-program.html

The free market pays more than Apple

• Zerodium offers $1.5 Million for iOS Zero-Day Exploits
• This is more than 7 times what Apple pays
• Zerodium has already paid 1 million $ for the first 3 iOS 9 vulnerabilities to hacker groups

Remember to update

http://thehackernews.com/2017/05/apple-security-patches.html

Let’s wrap it up!

Security is about safeguarding your secrets and what you treasure the most

Maybe it’s your internet search history. Or your intellectual property.

Don’t build a wall; use security in depth

Strategy: Build a fence and expect to keep threats out using a good firewall with blinking lights.

Strategy: Discover threats inside your network with security in depth.

Wrap it up – Enterprise security in depth

https://twitter.com/GaryDower/status/912869424650211331

Wrap it up – Home security, a good start

• Perimeter Security: Wireless Router Firewall. Block connections from the internet.
• Network Security: Wireless Router with a WPA2 encrypted network and a looong password. Update the Wireless Router – your router needs to be updated as well. Secure DNS: DNS translates domains to IP addresses, e.g. facebook.com -> 31.13.72.36. E.g. Cisco Umbrella.
• Endpoint Security: Virus protection, Intrusion Prevention System and Firewall.
• Application Security: Use different passwords and 2-step login: use a password manager, e.g. Keepass or Master Password. Update your applications, e.g. Ninite, Heimdal or the built-in feature; Personal Software Inspector. Update the computer.
• Data Security – your crown jewels: Drive encryption, e.g. Bitlocker or FileVault.

The weakest link is our finger tips

Think before you click, type or tap
