Stories from the SOC – WannaCry malware


Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Threat Detection and Response customers.

Executive summary

WannaCry malware was first discovered in May 2017, and a patch had been released roughly two months prior to its public release. However, 230,000 computers were affected globally by WannaCry as of 3/31/2021. Unfortunately, many companies remain vulnerable to this attack because of unpatched systems. We often see that by the time some companies update their systems, they have already experienced a breach.

The Managed Threat Detection and Response (MTDR) SOC analyst team received 56 alarms related to the suspicious use of port 445 within a 24-hour timeframe. Given the high influx of alarms, our team created an Investigation to reveal which assets were using port 445, the destinations that were being communicated with, and the frequency of the connections. The customer quickly identified that the source assets were unpatched Windows 7 production servers affected by WannaCry. They were able to segment the infected computers, block SMB port 445, use Trend Micro’s Anti-Threat Toolkit to clean the machines, and then return the assets to the network.

Investigation

Initial alarm review

Indicators of compromise (IOC)

The initial alarms that triggered this investigation were created from a custom alarm. The MTDR team can create custom alarms specific to the customer's environment to help improve time to response. The alarms were triggered when events from Trend Micro showed assets using Server Message Block (SMB) port 445 where a single source was communicating with multiple destinations.

This initial alarm was one of many that were generated. The alarms came in with a priority of "Low" because use of SMB port 445 is common within the customer's organization. Our team and the customer began to suspect that a breach had occurred due to the high volume of internal connections as well as those connections attempting to reach external IPs.
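The fan-out rule described above (one source reaching many distinct destinations on SMB port 445 within a 24-hour window, with external destinations and any explicit ransomware detection name called out separately) is shown here as an added Python example. It is not the MTDR team's alarm code or Trend Micro output: the event lines, their field layout, the 10.20.x.x and 203.0.113.x addresses, the RFC 1918-only definition of "internal", and the threshold of three destinations are all constructed assumptions.

```python
"""Fan-out detection over SMB port 445, modelled on the custom alarm in the
post: flag any single source that reaches many distinct destinations on 445
within a 24-hour window, list destinations outside RFC 1918 space, and attach
any "Ransom_*" detection names seen on that source.

All sample data and field layouts below are constructed for illustration.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: timestamp, source, destination, port, event name.
# A host-level detection (no connection) uses "-" and port 0 as placeholders.
SAMPLE_EVENTS = """\
2021-03-30T08:00:00 10.20.5.11 10.20.5.12 445 Suspicious Connection
2021-03-30T08:00:03 10.20.5.11 10.20.5.13 445 Suspicious Connection
2021-03-30T08:00:05 10.20.5.11 10.20.5.14 445 Suspicious Connection
2021-03-30T08:00:09 10.20.5.11 10.20.5.15 445 Suspicious Connection
2021-03-30T08:01:10 10.20.5.11 203.0.113.77 445 CnC Callback
2021-03-30T08:02:00 10.20.5.11 - 0 Ransom_WCRY.SM2
2021-03-30T09:00:00 10.20.7.40 10.20.7.2 445 File Share Access
2021-03-30T09:30:00 10.20.7.40 10.20.7.3 445 File Share Access
2021-03-30T10:00:00 10.20.9.8 10.20.9.9 3389 Suspicious Connection
2021-04-01T08:00:00 10.20.5.11 10.20.5.99 445 Suspicious Connection
"""

# Assumption: only RFC 1918 space counts as internal for this customer.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_events(text):
    """Parse whitespace-separated event lines into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, name = line.split(maxsplit=4)
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "dst": dst, "port": int(port), "name": name})
    return events


def is_external(ip):
    """True when the address falls outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def fan_out(events, port=445, window=timedelta(hours=24)):
    """Map each source to the distinct destinations it reached on `port`
    within `window` of that source's first such event (later events are
    dropped, which is what keeps the 2021-04-01 line out of the count)."""
    first_seen = {}
    dests = defaultdict(set)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["port"] != port:
            continue
        start = first_seen.setdefault(ev["src"], ev["ts"])
        if ev["ts"] - start <= window:
            dests[ev["src"]].add(ev["dst"])
    return dests


def flag_sources(events, min_destinations=3, port=445):
    """Return one finding per source at or above the fan-out threshold,
    highest fan-out first, with external destinations and any Ransom_*
    detection names recorded against that source."""
    findings = []
    for src, targets in fan_out(events, port).items():
        if len(targets) < min_destinations:
            continue
        external = sorted(t for t in targets if is_external(t))
        ransom = sorted({ev["name"] for ev in events
                         if ev["src"] == src and ev["name"].startswith("Ransom_")})
        findings.append({"src": src, "distinct_destinations": len(targets),
                         "external": external, "ransom_events": ransom})
    return sorted(findings, key=lambda f: -f["distinct_destinations"])


if __name__ == "__main__":
    for finding in flag_sources(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

On the constructed input only 10.20.5.11 is flagged: it reached five distinct destinations on 445 inside the window, one of them external, and carries a Ransom_WCRY.SM2 detection; 10.20.7.40 stays below the threshold and the RDP event on 3389 is ignored. In a real deployment the threshold and window would be tuned to the customer's baseline, since ordinary file-share use of 445 is common, which is exactly why the post's alarms arrived at "Low" priority.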

Expanded investigation

Events search

Upon further investigation, we searched for events “CnC Callback” and “Suspicious Connection”. The team then analyzed these events over a 24-hour period. This analysis revealed all of the internal assets and their events’ sources and destinations. These assets were communicating over port 445 and were likely compromised systems.

Event deep dive

Continuing with the investigation, we learned that the affected assets were communicating with unknown external IPs. Many of these outbound connections were blocked at the firewall; however, at this point, we were able to pivot from the external IPs to look for more affected assets.

Reviewing for additional indicators

We then made a complete list of all potentially affected internal assets. After individually inspecting the assets, we discovered the following event: “Ransom_WCRY.SM2” on a few of the assets. This particular event confirmed our suspicion that this was, indeed, the WannaCry malware.

Response

Building the investigation

Within minutes of the team creating the investigation, the customer escalated the case. The customer noticed that all of the associated assets were part of a single subnet isolated to one sector of their business. The customer then isolated the subnet of potentially affected assets from the rest of the network in order to begin reviewing the machines.

While the assets were being scanned for further indicators of compromise, we involved the customer’s Threat Hunter (TH). The TH helped generate additional reports of all internal assets that were associated with the malicious events.

At this point, the customer blocked port 445 on the assets, used Trend Micro’s Anti-Threat Toolkit to clean the machines, and then returned the assets to the network.

We continued to closely monitor the customer’s network for further signs of compromise from the WannaCry malware. We maintained this vigilance until the team ensured the situation had been fully resolved.

Customer interaction

Our team worked closely with the customer to ensure we were up to date with any changes being made to their systems. Because of the close communication between our team and the customer, we were able to quickly assess the situation, investigate appropriate assets, and resolve the issue before any systems could be encrypted for ransomware.


Crypto Finance Firm Offers $2m Bug Bounty to Hackers


A decentralized lending platform that lost $80m to hackers has offered them an astonishing multimillion-dollar bug bounty in return for the stolen funds.

Qubit Finance revealed at the end of last week that an attacker had exploited a vulnerability in its QBridge deposit function.

In doing so, they managed to get away with a large amount of Ethereum, which they converted to Binance coins with a value of tens of millions of dollars. In effect, they were able to exploit a mistake in Qubit Finance’s code to withdraw Binance tokens without depositing any Ethereum.

The firm pleaded with its attacker to return the funds, addressing them on Twitter as “dear exploiter.”

“We propose you to negotiate directly with us before taking any further action,” it wrote on Friday. “The exploit and loss of funds have a profound effect on thousands of real people. If the maximum bounty is now what you are looking for, we are open to have a conversation. Let’s figure out a solution.”

A follow-up note confirmed the firm would offer a “maximum” bug bounty and not seek to press charges if the attacker returned the funds.

Subsequent messages over the weekend then increased this ‘maximum’ bounty to $1m and then on Sunday to $2m.

It’s unclear whether the tactic was merely intended to buy investigators additional time or if the firm was genuinely prepared to hand over a considerable bug bounty to a cyber-criminal.

A new post issued hours ago revealed the firm is working on a new site that will enable affected users to access their digital wallets to file reports with local police. However, they have little hope of getting their money back unless the cyber-thieves decide to cooperate with Qubit Finance.

A report from Chainalysis last week claimed that decentralized finance (DeFi) protocols were attacked most last year, losing over $2bn.


12 CISO resolutions for 2022


It’s still early days, but if this year is anything like years past, it’s safe to say CISOs will have a lot to contend with, from a continuing labor shortage to the increasing sophistication of cyberattacks to an ongoing threat from nation-state actors.

However, they also have plenty of ideas on how they’ll tackle those challenges.

To learn what they’re planning to do and what they want to accomplish in the months ahead, we asked CISOs across various industries to share their main objectives—or, their top resolutions, if you will—for 2022.

Here’s what they say:

1. Eliminate blind spots

Suyesh Karki, CISO and VP of IT at cloud software company Domo, wants to eliminate blind spots within his tech environment because he knows that he can’t protect what he can’t see.


DDoS attacks: Definition, examples, and techniques


What is a DDoS attack?

A distributed denial of service (DDoS) attack is when an attacker, or attackers, attempt to make it impossible for a service to be delivered. This can be achieved by thwarting access to virtually anything: servers, devices, services, networks, applications, and even specific transactions within applications. In a DoS attack, it’s one system that is sending the malicious data or requests; a DDoS attack comes from multiple systems.

Generally, these attacks work by drowning a system with requests for data. This could be sending a web server so many requests to serve a page that it crashes under the demand, or it could be a database being hit with a high volume of queries. The result is that available internet bandwidth, CPU and RAM capacity becomes overwhelmed.


QNAP Ransomware: Thousands Infected with DeadBolt


Thousands of QNAP users have been infected by a new ransomware variant flagged by the network-attached storage (NAS) vendor last week, according to a security vendor.

Taiwan-headquartered QNAP said last week that customers should urgently upgrade their systems to the latest version of its QTS operating system and take steps to disconnect devices from the internet to mitigate the campaign.

Dubbed “DeadBolt,” the new ransomware variant demands a 0.03 Bitcoin ($1100) payment in return for a decryption key.

“This is not a personal attack,” reads the notice. “You have been targeted because of the inadequate security provided by your vendor (QNAP).”

Inventory firm Censys last week claimed there were around 5000 such devices impacted by the ransomware, although this is out of a total of 130,000 globally.

Interestingly, the vendor observed that the number fell sharply between January 26 and 27.

“Overnight, the number of services with the DeadBolt ransomware dropped by 1061, down to a total of 3927 infected services on the public internet,” it wrote.

“The exact reason for this drop is unknown at the moment, and we are continuing to monitor the situation. But earlier today, Malwarebytes reported that QNAP released a forced automatic update for their Linux-based operating system called QTS to address the vulnerability. This update reportedly removed the ransomware executable and reverted the web interface changes made by the ransomware.”

QNAP’s extorters had given it the opportunity to pay a flat rate of 50 BTC ($1.8m) to decrypt all customer data, but it does not appear to have acceded to these demands.

Some users have reported that decryption keys they were given following payment did not work.
