This document outlines simple steps to prevent ransomware attacks like WannaCry and Petya. It recommends implementing device control, credential control, application control, and access control. Specifically for device control it recommends updating Windows regularly, enabling modern authentication, using modern hardware security, monitoring devices, and encrypting hard disks. For credential control it recommends multi-factor authentication, restricting administrative privileges, using strong unique passwords, and credential guard. For application control it recommends application whitelisting tools like AppLocker. And for access control it recommends implementing least privilege access and using firewalls.
3. Once upon a time, not that long ago…
March 2017: Microsoft patches the SMBv1 vulnerability (MS17-010). The emergency patch for out-of-support Windows XP followed only after WannaCry broke out in May
April 2017: Shadow Brokers dump EternalBlue
May 12th 2017: WannaCry hits
June 27th 2017: People *still* haven't patched, and NotPetya hits
July 2017: Emotet Trojan gains network-spreading capabilities, on top of its network sniffing and password harvesting techniques
August 2017: Another attack on a computer near you – we are open 24/7…
4. Petya type malware Threat Research
User Rights checking: SeShutdownPrivilege, SeDebugPrivilege, SeTcbPrivilege; behaviour differs as local admin and as non-local admin (smoke and mirrors, once weaponized)
Data Encryption
Credentials harvesting: Mimikatz techniques
SMB propagation: EternalBlue, Admin$ share
Network sniffer
8. Windows as a service
Monthly cumulative updates for Windows 10, version 1703, April to June 2017: each month ships new security updates (the Update Tuesday cumulative update, April: KB4015583), new non-security updates (an additional cumulative update later in the month, April: KB4016240), and carries forward the existing fixes from previous cumulative updates; May and June follow the same pattern with new KBs.
9. How Microsoft Stays Up to Date
Patch Tuesday (+1), normal cadence:
Day 1–6: 80% of patching and reboots are handled with natural reboots, no user interruption or notifications; the user can choose to install the update and reboot now or schedule it for a later time
Day 7: the user receives the final restart notification with a 60 minute countdown timer
Day 7+ / zero day: the deadline is moved forward, 75% are updated within 24 hours and the remaining 25% within a further 24–36 hours
(Timeline marks on the slide: Monday 10:00 PST, Tuesday 10:00 PST, Tuesday 23:59 PST)
12. Device Control
1. Windows 10 is part of the solution (… and Windows Server 2016)
2. Update regularly - follow best practice, validate, and then add your own requirements
3. Enable modern authentication
4. Start using modern hardware security (TPM, UEFI Secure Boot)
5. Start monitoring your devices
6. Ensure hard disk encryption on all devices – of course!
7. Follow best practice, validate, and then add your own requirements
13. Credential Control
1. Multi-Factor Authentication (MFA) for all users and administrators
2. No high-risk logins on any device (privileged accounts belong on a Privileged Access Workstation)
3. Consider local administrative privileges – DO NOT add domain groups to grant users local administrative privileges!
4. Password randomization (LAPS etc.)
5. Ensure strong password policies – follow best practice, validate, and then add your own requirements
6. Use Credential Guard or similar
14. Application Control
1. Implement Microsoft AppLocker or similar
2. Implement Software Restriction Policies as a minimum
3. Enforce Windows Defender SmartScreen
4. Enforce User Account Control (UAC)
5. Microsoft Edge, and Enterprise Mode site whitelisting for Internet Explorer 11
15. Access Control
1. Implement a just-enough-rights philosophy - follow best practice, validate, and then add your own requirements
2. Limit remote access to mobile devices (… and servers)
3. Limit remote access to mobile devices to named jump stations only (… and servers)
4. Use Windows Firewall actively – disabled is not an option (… on servers too)
5. Prepare to upgrade to the latest Windows 10 version and start using Windows Defender Application Guard and Exploit Guard (Windows 10 1709+)
Slide 1 [00:00]
Hit by malware [again]
Simple steps to tackle and cripple WannaCry and Petya type ransomware
//
Slide 2 [HIDDEN SLIDE]
Deck information
//
Slide 3 [HIDDEN SLIDE]
Abstract
//
Slide 4 [00:00]
Hit by ransomware [again]
Ransomware is a type of malicious software from cryptovirology that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid. While some simple ransomware may lock the system in a way which is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion, in which it encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem – and difficult-to-trace digital currencies such as Ukash and Bitcoin are used for the ransoms, making tracing and prosecuting the perpetrators difficult.
Ransomware attacks are typically carried out using a Trojan that is disguised as a legitimate file that the user is tricked into downloading or opening when it arrives as an email attachment. However, one high-profile example, the "WannaCry worm", traveled automatically between computers without user interaction.
Source: https://en.wikipedia.org/wiki/Ransomware
//
Slide 5 [00:00]
Once upon a time…
Over the summer, companies all over the globe have been hit by some really nasty attacks – not all of them due to missing patches.
Time-line (spring-summer 2017)
A widespread ransomware attack targets Windows systems that do not have the latest updates. Microsoft announced: Given the severity of this threat, update your Windows systems as soon as possible.
The WannaCry ransomware attack was a May 2017 worldwide cyberattack by the WannaCry ransomware cryptoworm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency.
The attack began on Friday, 12 May 2017, and within a day was reported to have infected more than 230,000 computers in over 150 countries. Parts of the United Kingdom's National Health Service (NHS) were infected, causing it to run some services on an emergency-only basis during the attack, Spain's Telefónica, FedEx and Deutsche Bahn were hit, along with many other countries and companies worldwide.
Shortly after the attack began, Marcus Hutchins, a 22-year-old web security researcher from North Devon in England then known as MalwareTech discovered an effective kill switch by registering a domain name he found in the code of the ransomware. This greatly slowed the spread of the infection, effectively halting the initial outbreak on Monday, 15 May 2017, but new versions have since been detected that lack the kill switch – These tools are now being weaponized!
The Equifax hack
In May, hackers broke into Equifax’s computer systems, stealing personal information of over 140 million Americans. While the details of what was pilfered are still forthcoming, it appears Social Security numbers, addresses, account information, and personal details were taken.
In terms of hacks, this is by far one of the largest in history, and to date has been underreported, most likely due to competition from the recent hurricanes and North Korea stories dominating the news headlines.
In terms of financial hacks, this is possibly the worst in history. Millions of American consumers are affected. And, unless there are major structural changes made to the way credit is handled, the hacked information could permanently impact victims. In other words, if your information is available for criminals to use, you could be subject to identity theft at any point in the future. It appears, at this point, thieves may have virtually everything they need to steal your identity going forward if you are one of the people listed in the attack.
Equifax did not disclose the hacks until several months after they happened, potentially giving hackers more time to disseminate consumer information. Although Equifax has followed legal guidelines in regards to disclosure, the issue still remains: Millions of consumers now have their sensitive personal information exposed, putting them at risk for identity theft.
Source: http://rapidcityjournal.com/news/local/communities/chadron/opinion/guest-commentary/equifax-hack-steps-to-protect-yourself/article_fa5e649c-a2e2-11e7-8524-73264d03a5d6.html
The CCleaner hack
The attack took place by piggy-backing onto CCleaner by infiltrating the servers that distribute the software, infecting version 5.33 of the Windows utility and version 1.07 of its cloud-based sister application. Those servers belonged to Piriform, the London company that created CCleaner. In July of this year, Piriform was acquired by the Prague-based antivirus maker Avast.
If you've updated CCleaner since Aug. 15 and you're running 32-bit Windows, you may be infected. You should roll back to a pre-Aug. 15 snapshot of your system, or run a malware scan. Following either (or both) of those steps, visit Piriform's site to download and install the latest, clean version of CCleaner.
Source: https://www.tomsguide.com/us/ccleaner-utility-malware-infected,news-25851.html
NotPetya: Timeline of a Ransom worm
https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/notpetya-timeline-of-a-ransomworm/
Other hacks
The sophisticated NotPetya cyberattack, which Ukraine blamed on Russia, targeted Ukrainian tax software in June, but infected companies around the globe. FedEx said the attack cost the company $300 million.
Sophisticated attacks are a threat, but the biggest hacks can be the result of known vulnerabilities that don't get fixed in time.
//
Slide 6 [00:00]
Petya type malware Threat Research
On June 27, public announcements were made about a large-scale campaign of ransomware attacks across Europe. The ransomware impacted notable organizations such as Maersk, the world’s largest container shipping company. The initial infection vector appears to be a compromised update of the Ukrainian tax software MEDoc; inside a network it then spread via exploitation of the EternalBlue SMB vulnerability, PsExec, WMI, and Admin$ shares.
User Rights Checking (Different Effect on Malware Logic)
The malware checks for three different privileges in its own token and adapts its behaviour to what it finds:
SeShutdownPrivilege. Required to shut down (or reboot) the system.
SeDebugPrivilege. A token privilege that allows the owning process to read and adjust the memory of other processes on the computer. This is a very powerful privilege that lets the malware perform near system-level tasks.
SeTcbPrivilege. Another very powerful privilege that allows the owning process to act as part of the operating system.
Based upon the overall value constructed from these checks, the malware performs different sets of routines.
Data Encryption
If the running process holds SeDebugPrivilege, the malware assumes it has administrative privileges and attempts to encrypt the drive using the known Petya code: it overwrites the MBR with its own bootloader, which encrypts the MFT after a forced reboot (hence the interest in SeShutdownPrivilege).
Alternatively, if the process is not running with administrative privileges, as determined by the lack of SeDebugPrivilege, the malware falls back to a user-space routine that encrypts files one by one.
Credential Harvesting
If the variant detects that its process is running with SeDebugPrivilege, it calls a function to harvest credentials from memory (Mimikatz-style LSASS dumping); the harvested credentials then feed the PsExec/WMI lateral movement.
SMB propagation
Like other recent malware, the ransomware utilizes the highly effective EternalBlue exploit for the Windows SMB vulnerability to copy itself to other systems and execute.
In addition to the SMB exploit propagation method, the malware also attempts to connect to the default administrative network share (Admin$) on other hosts with a call to WNetAddConnection2() using a null username and password. By passing null for both, the network connection is made with the current user’s credentials, which directly affects organizations that share one local administrator password across machines or nest domain groups into local Administrators.
Source: https://www.carbonblack.com/2017/06/28/carbon-black-threat-research-technical-analysis-petya-notpetya-ransomware/
Network sniffer
New malware is appearing with network-sniffing capabilities; whether Petya type malware has or will get this functionality is probably just a matter of time, as has already been seen in e.g. the Emotet Trojan.
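The privilege and Admin$ conditions described above, checked from the defender's side on a single host. This is an added example, not code from the deck or from the Carbon Black analysis; it assumes Windows 8.1/10 or Server 2012 R2+ with the in-box SmbShare module. Run it once from an elevated prompt and once as a standard user and compare the two outputs.

```powershell
# Added example (not from the deck): the token privileges and the Admin$ exposure
# that the NotPetya logic keys on, read from the host it runs on.

function Get-TokenPrivilegeState {
    # whoami /priv lists the privileges of the current token. The malware branches
    # on SeDebugPrivilege (MBR/MFT encryption + credential harvesting when held,
    # user-mode file encryption otherwise) and uses SeShutdownPrivilege for the
    # forced reboot that starts the MFT encryption.
    $impact = @{
        'SeDebugPrivilege'    = 'Admin path: Petya MBR/MFT encryption and credential harvesting'
        'SeShutdownPrivilege' = 'Forced reboot into the malicious bootloader'
        'SeTcbPrivilege'      = 'Act as part of the OS (normally only SYSTEM)'
    }
    $privs = whoami /priv /fo csv | ConvertFrom-Csv
    foreach ($name in $impact.Keys) {
        $row = $privs | Where-Object { $_.'Privilege Name' -eq $name }
        [pscustomobject]@{
            Privilege = $name
            InToken   = [bool]$row      # present at all; a Disabled privilege can still be enabled by the process
            State     = if ($row) { $row.State } else { 'Not held' }
            Impact    = $impact[$name]
        }
    }
}

function Get-AdminShareExposure {
    # Admin$ is what the worm connects to via WNetAddConnection2(null, null), i.e.
    # with the caller's own token. Against a remote host that only succeeds when
    # the caller is a local admin there as well: shared local admin passwords, or
    # domain groups nested into the local Administrators group.
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $share = Get-SmbShare -Name 'ADMIN$' -ErrorAction SilentlyContinue
    $tfp   = (Get-ItemProperty -Path $policyKey -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue).LocalAccountTokenFilterPolicy
    [pscustomobject]@{
        AdminShareExposed             = [bool]$share
        # 1 = remote UAC token filtering off: every local admin account gets a full
        # admin token over the network; absent/0 limits that to the RID 500 account.
        LocalAccountTokenFilterPolicy = if ($null -eq $tfp) { 0 } else { $tfp }
        # Hosts with an SMB session open to this machine right now (needs elevation).
        InboundSmbClients             = @(Get-SmbSession -ErrorAction SilentlyContinue |
                                          Select-Object -ExpandProperty ClientComputerName -Unique)
    }
}

Get-TokenPrivilegeState | Format-Table -AutoSize
Get-AdminShareExposure  | Format-List
```

A standard user shows SeShutdownPrivilege only and no SeDebugPrivilege, which is the user-space encryption path; an elevated admin shows SeDebugPrivilege (disabled, but enableable), which is the MBR/MFT and credential-harvesting path. AdminShareExposed is true on every default Windows install, so the value to act on is how many accounts can use it remotely.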
//
Slide 7 [00:00]
So, consider this…
//
Slide 8 [00:00]
Safe harbor
Imagine one of these boats had four small holes, nothing notable, each would need a needle to get through, but they are holes nonetheless – would you patch these small holes before going out?
//
Slide 9 [00:00]
Real life
This is the environment a boat is built to withstand.
Imagine this boat had the same four small holes, nothing notable, each would need a needle to get through, but they are holes nonetheless – would you patch them now?
The same principles can be applied to a modern device these days, with a few exceptions:
Safe harbor used to be “in the office” – today it is more like the device being turned off and stowed away in a bag.
The weather conditions are hardly mild these days – prepare for stormy weather!
//
Slide 10 [00:00]
Windows as a service
Predictable and clear timeframes
Releases are aligned with Microsoft Office products twice a year (Spring and fall)
Microsoft System Center Configuration Manager will be aligned as well, but with an additional update.
//
Slide 11 [00:00]
Windows as a service
New update options for Windows 10, version 1703 and above
With the release of Windows 10, we simplified the servicing process by moving to cumulative updates, where each update released contains all the new fixes for that month, as well as all the older fixes from previous months. Today, most organizations deploy these cumulative updates when they are released on the second Tuesday of every month, also called “Update Tuesday.” Because these updates contain new security fixes, they are considered “Security Updates” in Windows Server Update Services (WSUS) and System Center Configuration Manager.
Based on feedback from customers, we are making some adjustments to the updates that we are releasing for Windows 10, version 1703 (also known as the “Creators Update”). With these changes, we will routinely offer one (or sometimes more than one) additional update each month. These additional cumulative updates will contain only new non-security updates, so they will be considered “Updates” in WSUS and Configuration Manager.
https://blogs.technet.microsoft.com/windowsitpro/2017/04/24/new-update-options-for-windows-10-1703/
//
Slide 12 [00:00]
How Microsoft Stays Up to Date
Microsoft 365: Modern management and deployment
https://techcommunity.microsoft.com/t5/Microsoft-Ignite-Content-2017/Microsoft-365-Modern-management-and-deployment/m-p/106056
//
Slide 13 [00:00]
Preparing the tackle
Let´s get into the tackle and cripple some attacks
Tackle (Rugby move). Most forms of football have a move known as a tackle. The primary and important purposes of tackling are to dispossess an opponent of the ball, to stop the player from gaining ground towards goal or to stop them from carrying out what they intend. https://en.wikipedia.org/wiki/Tackle_(football_move)
//
Slide 14 [00:00]
Preparing the tackle
Device Control
Windows 10 is part of the solution (… and Windows Server 2016)
Update regularly - follow best practice, validate, and then add your own requirements
Enable modern authentication
Start using modern hardware security
Start monitoring your devices
Ensure hard disk encryption on all devices – of course!
Follow best practice, validate, and then add your own requirements
Credential Control
MFA for all users and administrators
No high-risk logins on mobile devices
Consider local administrative privileges
Password randomization (LAPS etc.)
Ensure strong password policies – follow best practice, validate, and then add your own requirements
Use Credential Guard or similar
Application Control
Implement Microsoft AppLocker or similar
Implement Software Restriction Policies as a minimum
Consider Enterprise Mode site whitelisting for Internet Explorer 11
Access Control
Implement a just-enough-rights philosophy - follow best practice, validate, and then add your own requirements
Limit remote access to mobile devices (… and servers)
Limit remote access to mobile devices to named jump stations only (… and servers)
Use Windows Firewall actively – disabled is not an option (… on servers too)
Upgrade to the latest Windows 10 version and start using Windows Defender Application Guard and Exploit Guard
//
Slide 15 [00:00]
Preparing the tackle
Device Control
Windows 10 is part of the solution (… and Windows Server 2016)
Update regularly - follow best practice, validate, and then add your own requirements
Enable modern authentication
Start using modern hardware security
Start monitoring your devices
Ensure hard disk encryption on all devices – of course!
Follow best practice, validate, and then add your own requirements
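The device-control items on this slide as a posture check with remediation for the two the script can fix itself (SMBv1 and disk encryption). This is an added example, not code from the deck; it assumes an elevated prompt on Windows 10 / Server 2016 with the in-box BitLocker, TrustedPlatformModule, SecureBoot and Dism modules.

```powershell
# Added example (not from the deck): device posture for the items on this slide.

function Get-DevicePosture {
    $os     = Get-CimInstance -ClassName Win32_OperatingSystem
    $latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $smb1   = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $bde    = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $tpm    = Get-Tpm -ErrorAction SilentlyContinue
    # Confirm-SecureBootUEFI throws on legacy BIOS firmware; treat that as "not enabled".
    try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }

    [pscustomobject]@{
        OSVersion            = $os.Version
        DaysSinceLastHotfix  = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days } else { $null }
        Smb1Enabled          = ($smb1.State -eq 'Enabled')   # EternalBlue needs SMBv1 reachable
        SystemDriveEncrypted = ($bde.VolumeStatus -eq 'FullyEncrypted' -and $bde.ProtectionStatus -eq 'On')
        TpmPresentAndReady   = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
        SecureBootEnabled    = [bool]$secureBoot
    }
}

function Repair-DevicePosture {
    # Supports -WhatIf / -Confirm so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $p = Get-DevicePosture
    if ($p.Smb1Enabled -and $PSCmdlet.ShouldProcess('SMB1Protocol', 'Disable optional feature')) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
    if (-not $p.SystemDriveEncrypted -and $p.TpmPresentAndReady -and
        $PSCmdlet.ShouldProcess($env:SystemDrive, 'Enable BitLocker with TPM protector')) {
        # Add the recovery password first so it can be escrowed (AD / Azure AD / MBAM)
        # before encryption starts, then bind the volume key to the TPM.
        Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector | Out-Null
        Enable-BitLocker -MountPoint $env:SystemDrive -TpmProtector -UsedSpaceOnly -SkipHardwareTest | Out-Null
    }
    Get-DevicePosture
}

Get-DevicePosture
# Repair-DevicePosture -WhatIf    # preview; drop -WhatIf to apply
```

DaysSinceLastHotfix is the number to watch against the Windows-as-a-service cadence on the earlier slides: a device that is weeks behind the monthly cumulative update is the boat with the four small holes. Disabling the SMB1Protocol feature needs a reboot to take effect.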
//
Slide 16 [00:00]
Preparing the tackle
Credential Control
Multi Factor Authentication (MFA) for all users and administrators
No high-risk logins on mobile devices
Consider local administrative privileges
Password randomization (LAPS etc.)
Ensure strong password policies – follow best practice, validate, and then add your own requirements
Use Credential Guard or similar
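An audit of the credential-control items on this slide on a domain-joined Windows 10 device. This is an added example, not code from the deck; it assumes PowerShell 5.1 (for Get-LocalGroupMember), the LAPS client installed via its GPO, and the documented registry locations for the LAPS and WDigest settings.

```powershell
# Added example (not from the deck): who is local admin, and are the credentials
# in LSASS protected.

function Get-LocalAdminExposure {
    # Domain groups nested into local Administrators are what the deck warns
    # against: one compromised member is local admin on every such device, which
    # is exactly what the Admin$/PsExec propagation path needs.
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        $finding = ''
        if ($_.ObjectClass -eq 'Group' -and $_.PrincipalSource -ne 'Local') {
            $finding = 'Domain group granting local admin - replace with LAPS + PAW model'
        } elseif ($_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'ActiveDirectory') {
            $finding = 'Domain user is local admin - review'
        }
        [pscustomobject]@{
            Member  = $_.Name
            Type    = $_.ObjectClass        # User or Group
            Source  = $_.PrincipalSource    # Local, ActiveDirectory, AzureAD, MicrosoftAccount
            Finding = $finding
        }
    }
}

function Get-CredentialProtectionState {
    # Credential Guard: Win32_DeviceGuard.SecurityServicesRunning contains 1 when
    # Credential Guard is running (2 is HVCI).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    # LAPS client policy: the GPO writes AdmPwdEnabled=1 here when enabled.
    $laps = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' -ErrorAction SilentlyContinue
    # WDigest keeping cleartext passwords in LSASS is what Mimikatz's
    # sekurlsa::wdigest harvests; 0 (or absent on 8.1/2012 R2+) is the safe value.
    $wdigest = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)
        LapsEnabled            = ($laps.AdmPwdEnabled -eq 1)
        WDigestCleartextCached = ($wdigest.UseLogonCredential -eq 1)
    }
}

Get-LocalAdminExposure | Format-Table -AutoSize
Get-CredentialProtectionState
```

A clean result is an Administrators group containing only the built-in Administrator (with its password managed by LAPS) and no domain groups, CredentialGuardRunning true, LapsEnabled true and WDigestCleartextCached false. MFA cannot be checked locally; that lives in the identity provider's sign-in policy.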
//
Slide 17 [00:00]
Preparing the tackle
Application Control
Implement Microsoft AppLocker or similar
Implement Software Restriction Policies as a minimum
Enforce Windows Defender SmartScreen
Enforce User Account Control (UAC)
Microsoft Edge, and Enterprise Mode site whitelisting for Internet Explorer 11
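A minimal AppLocker executable policy for the first item on this slide, evaluated against sample files before it is deployed and then applied locally in audit mode. This is an added example, not code from the deck or from Microsoft; it assumes an elevated prompt on Windows 10 Enterprise/Education or Server 2016 (the editions that enforce AppLocker). The rule IDs are arbitrary GUIDs and the sample files are constructed for the test.

```powershell
# Added example (not from the deck): default-style AppLocker path rules, tested
# with Test-AppLockerPolicy, deployed in AuditOnly first.

$policyPath = Join-Path $env:TEMP 'applocker-exe.xml'

# Program Files and Windows run for everyone, local Administrators run anything,
# nothing else runs. A payload dropped into %TEMP% or a user profile (the
# WannaCry/NotPetya dropper pattern) therefore never starts.
@'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="b1a0f6f5-5a1c-4c6e-9d0f-2a4f5d6e7a01" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="b1a0f6f5-5a1c-4c6e-9d0f-2a4f5d6e7a02" Name="Allow Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
      <Exceptions>
        <!-- user-writable folders under %WINDIR% that the plain default rule would allow -->
        <FilePathCondition Path="%WINDIR%\Temp\*" />
        <FilePathCondition Path="%WINDIR%\Tasks\*" />
      </Exceptions>
    </FilePathRule>
    <FilePathRule Id="b1a0f6f5-5a1c-4c6e-9d0f-2a4f5d6e7a03" Name="Allow Administrators" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@ | Set-Content -Path $policyPath -Encoding UTF8

function Test-SamplePaths {
    param([string] $XmlPolicy, [string] $User = 'Everyone')
    # Constructed, empty sample files in the locations a dropper typically uses;
    # removed again afterwards. Test-AppLockerPolicy needs files that exist.
    $dropped = foreach ($p in "$env:TEMP\invoice.exe", "$env:APPDATA\dropped.exe", "$env:WINDIR\Temp\update.exe") {
        (New-Item -Path $p -ItemType File -Force).FullName
    }
    $samples = @("$env:WINDIR\System32\notepad.exe", "$env:ProgramFiles\Internet Explorer\iexplore.exe") + $dropped
    try {
        Test-AppLockerPolicy -XmlPolicy $XmlPolicy -Path $samples -User $User |
            Select-Object FilePath, PolicyDecision, MatchingRule
    } finally {
        Remove-Item -Path $dropped -Force -ErrorAction SilentlyContinue
    }
}

function Set-EnforcementMode {
    # Flip every rule collection in the file between AuditOnly and Enabled.
    param([string] $XmlPolicy, [ValidateSet('AuditOnly', 'Enabled')] [string] $Mode)
    [xml] $doc = Get-Content -Path $XmlPolicy -Raw
    foreach ($collection in $doc.AppLockerPolicy.RuleCollection) { $collection.EnforcementMode = $Mode }
    $doc.Save($XmlPolicy)
}

Test-SamplePaths -XmlPolicy $policyPath | Format-Table -AutoSize

# AppLocker only works while the Application Identity service runs; on Windows 10
# it is a protected service, so configure it with sc.exe rather than Set-Service.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath    # local policy; AuditOnly logs event 8003 = would have been blocked

# After a clean audit period (Microsoft-Windows-AppLocker/EXE and DLL log):
# Set-EnforcementMode -XmlPolicy $policyPath -Mode Enabled; Set-AppLockerPolicy -XmlPolicy $policyPath
```

For the Everyone user the test should report notepad.exe and iexplore.exe as Allowed and the three dropped files as DeniedByDefault, the %WINDIR%\Temp one because it falls into the exception. Path rules are the minimum; publisher rules (New-AppLockerPolicy -RuleType Publisher) are the better long-term model because they survive application updates, and the same exercise is needed for the Script, Msi and DLL collections before the policy is called complete.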
//
Slide 18 [00:00]
Preparing the tackle
Access Control
Implement a just-enough-rights philosophy - follow best practice, validate, and then add your own requirements
Limit remote access to mobile devices (… and servers)
Limit remote access to mobile devices to named jump stations only (… and servers)
Use Windows Firewall actively – disabled is not an option (… on servers too)
Upgrade to the latest Windows 10 version and start using Windows Defender Application Guard and Exploit Guard
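The access-control items on this slide expressed as Windows Firewall and Windows Defender Exploit Guard settings. This is an added example, not code from the deck; it assumes an elevated prompt on Windows 10 1709+ (Server 2016 for the firewall part), Windows Defender AV as the active engine, and a jump station at 10.0.0.10, which is a placeholder address and not from the deck. The ASR rule IDs are the documented ones; the last two arrived in Windows 10 1803 rather than 1709.

```powershell
# Added example (not from the deck): firewall on everywhere, remote management
# only from the jump station, Exploit Guard in audit mode.

$JumpStation = '10.0.0.10'   # placeholder

# 1. Firewall on for every profile, inbound blocked unless a rule allows it,
#    dropped packets logged (the log is what you search after an outbreak).
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. Remote management only from the jump station. Windows Firewall evaluates
#    block rules before allow rules, so rather than adding blocks we disable the
#    broad in-box allow rules and add narrowly scoped ones. Closing inbound SMB
#    from everything but the jump station stops both EternalBlue and the
#    Admin$/PsExec/WMI propagation path at the host.
Set-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Enabled False
Set-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -Enabled False
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $JumpStation -Enabled True

$mgmtPorts = @{ SMB = 445; WinRM = 5985; RPC = 135 }
foreach ($entry in $mgmtPorts.GetEnumerator()) {
    New-NetFirewallRule -DisplayName "Mgmt-$($entry.Key)-from-jump-station" -Direction Inbound `
        -Protocol TCP -LocalPort $entry.Value -RemoteAddress $JumpStation -Action Allow -Profile Any | Out-Null
}

# 3. Exploit Guard (1709+). Controlled Folder Access stops unauthorised processes
#    from writing to the user's document folders (the ransomware write pattern);
#    ASR rules block the common initial-access tricks. Everything starts in
#    AuditMode; switch to Enabled after reviewing the Defender operational log.
#    The PsExec/WMI rule is documented as incompatible with the ConfigMgr client.
Set-MpPreference -EnableControlledFolderAccess AuditMode
$asrRules = @(
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'   # Block executable content from email client and webmail
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'   # Block Office applications from creating child processes
    '3B576869-A4EC-4529-8536-B80A7769E899'   # Block Office applications from creating executable content
    'D3E037E1-3EB8-44C8-A917-57927947596D'   # Block JavaScript/VBScript from launching downloaded executables
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'   # Block execution of potentially obfuscated scripts
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2'   # Block credential stealing from LSASS (1803+)
    'D1E49AAC-8F56-4280-B9BA-993A6D77406C'   # Block process creations from PsExec and WMI (1803+)
)
foreach ($id in $asrRules) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
}

function Get-AccessControlState {
    # Read-back so the result can be verified here or compared across hosts.
    $mp = Get-MpPreference
    [pscustomobject]@{
        FirewallProfilesNotEnabled = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }).Name
        InboundSmbAllowRules       = @(Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 445 } |
                                       Get-NetFirewallRule |
                                       Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }).DisplayName
        ControlledFolderAccess     = $mp.EnableControlledFolderAccess      # 0 off, 1 block, 2 audit
        AsrRulesConfigured         = @($mp.AttackSurfaceReductionRules_Ids).Count
    }
}

Get-AccessControlState | Format-List
```

After this, InboundSmbAllowRules should list only Mgmt-SMB-from-jump-station. On servers the same rules apply; the management ports simply get the server-side jump station's address instead, and the Remote Desktop scope is the named jump station rather than the whole management VLAN.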
//
Slide 19 [00:00]
Preparing the tackle (DEMO)
//
Slide 20 [00:00]
Summary
//
Slide 21 [00:00]
Imagine you were the one…
//
Slide 22 [00:00]
Preparing the tackle
Device Control
Windows 10 is part of the solution (… and Windows Server 2016)
Update regularly - follow best practice, validate, and then add your own requirements
Enable modern authentication
Start using modern hardware security
Start monitoring your devices
Ensure hard disk encryption on all devices – of course!
Follow best practice, validate, and then add your own requirements
Credential Control
MFA for all users and administrators
No high-risk logins on mobile devices
Consider local administrative privileges
Password randomization (LAPS etc.)
Ensure strong password policies – follow best practice, validate, and then add your own requirements
Use Credential Guard or similar
Application Control
Implement Microsoft AppLocker or similar
Implement Software Restriction Policies as a minimum
Consider Enterprise Mode site whitelisting for Internet Explorer 11
Access Control
Implement a just-enough-rights philosophy - follow best practice, validate, and then add your own requirements
Limit remote access to mobile devices (… and servers)
Limit remote access to mobile devices to named jump stations only (… and servers)
Use Windows Firewall actively – disabled is not an option (… on servers too)
Upgrade to the latest Windows 10 version and start using Windows Defender Application Guard and Exploit Guard
//
Slide 23 [00:00]
Thank you
//
Slide 24 [00:00]
About :: Biography
Who he is and what he does:
Jesper Nielsen is a Solutions Architect and Technology Evangelist, Microsoft Most Valuable Professional (MVP) and is part of the Microsoft Partner Technology Solutions Professional (P-TSP) program. He has been working hands-on with small- and large-scale IT infrastructure in many different industries for more than 20 years.
With a long background in supporting Windows technologies, Jesper Nielsen has designed and implemented several generations of Windows and is always happy to share his knowledge of this subject and related technologies.
Jesper Nielsen is the founder of the Everything Windows User Group, Denmark, is active in the community and can often be found at user group events as both speaker and attendee. He has facilitated numerous seminars and events and has made several speaker appearances over the years, where his passionate style of delivery, combined with his sense of humor, has made him a recognized speaker.
He does the work he does because he loves it; he likes the people he meets and always embraces the inner nerd and good presentation skills.
He finished a marathon around the four-hour mark, has been a gymnastics instructor for more than 30 years, enjoys exploring technology and guiding his kids into new technologies, and is currently teaching himself C# for Windows app development.
He was awarded MVP status for Windows and Devices for IT for the first time in July 2016.
Find him:
E-mail: j.nielsen@atea.dk
Phone: +45 3078 1393
Follow him:
Twitter: https://twitter.com/dotjesper/
LinkedIn: https://www.linkedin.com/in/dotjesper/
Join him:
Everything User Group Denmark: http://ewug.dk
//
Slide 25 [00:00]
References :: Links
Emotet Banking Malware Steals Data Via Network Sniffing
http://www.securityweek.com/emotet-banking-malware-steals-data-network-sniffing
Network Spreading Capabilities Added to Emotet Trojan
http://www.securityweek.com/network-spreading-capabilities-added-emotet-trojan
Privileged Access Workstations (PAW)
https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/privileged-access-workstations
Software Restriction Policies
https://docs.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies
Windows 10 User Account Control (UAC)
https://docs.microsoft.com/en-us/windows/access-protection/user-account-control/user-account-control-overview
Local Administrator Password Solution (LAPS)
https://technet.microsoft.com/en-us/mt227395.aspx
Microsoft AppLocker
https://docs.microsoft.com/en-us/windows/device-security/applocker/applocker-overview
Windows Defender Application Guard
https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-application-guard/wd-app-guard-overview
Windows Defender Exploit Guard
https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard
Windows Defender SmartScreen
https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview
';--have i been pwned?
https://haveibeenpwned.com/
Mimikatz
https://github.com/gentilkiwi/mimikatz
//