Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Threat Detection and Response customers.

Executive summary

WannaCry malware was first discovered in May 2017 and a patch was released roughly two months prior to its public release. However, 230,000 computers were globally affected by WannaCry as of 3/31/2021. It is unfortunate to hear, but many companies remain vulnerable to this attack due to unpatched systems. We often see that by the time some companies update their systems, they have already experienced a breach.

The Managed Threat Detection and Response (MTDR) SOC analyst team received 56 alarms related to the suspicious use of port 445 within a 24-hour timeframe. Given the high influx of alarms, our team created an Investigation to reveal which assets were using port 445, the destinations that were being communicated with, and the frequency of the connections. The customer quickly identified that the source assets were unpatched Windows 7 production servers affected by WannaCry. They were able to segment the infected computers, block SMB port 445, use Trend Micro’s Anti-Threat Toolkit to clean the machines, and then return the assets to the network.

Initial alarm review

Indicators of compromise (IOC)

The initial alarms that triggered this investigation were created from a custom alarm. The MTDR team can create custom alarms specific to the customers environment to help improve time to response. The alarms were triggered when events from Trend Micro showed assets using Server Message Block (SMB) port 445 in which a single source was communicating with multiple destinations.

This initial alarm was one of many that was generated. The alarms came in with a priority of “Low” because use of SMB port 445 is common within the customer’s organization. Our team and the customer began to suspect that a breach had occurred due to the high volume of internal connections as well as those connections attempting to reach external IP’s.

Expanded investigation

Events search

Upon further investigation, we searched for events “CnC Callback” and “Suspicious Connection”. The team then analyzed these events over a 24-hour period. This analysis revealed all of the internal assets and their events’ sources and destinations. These assets were communicating over port 445 and were likely compromised systems.

Event deep dive

Continuing with the investigation, we learned that the affected assets were communicating with unknown external IP’s. Many of these outbound connections were blocked at the firewall; however, at this point, we were able to pivot from the external IP’s to look for more affected assets.

Reviewing for additional indicators

We then made a complete list of all potentially affected internal assets. After individually inspecting the assets, we discovered the following event: “Ransom_WCRY.SM2” on a few of the assets. This particular event confirmed our suspicion that this was, indeed, the WannaCry malware.

Response

Building the investigation

Within minutes of the team creating the investigation, the customer escalated the case. The customer noticed that all of the associated assets were part of a single subnet isolated to one sector of their business. The customer then isolated the subnet of potentially affected assets from the rest of the network in order to begin reviewing the machines.

While the assets were being scanned for further indicators of compromise, we involved the customer’s Threat Hunter (TH). The TH helped generate additional reports of all internal assets that were associated with the malicious events.

At this point, the customer blocked port 445 on the assets, used Trend Micro’s Anti-Threat Toolkit to clean the machines, and then returned the assets to the network.

We continued to closely monitor the customer’s network for further signs of compromise from the WannaCry malware. We maintained this vigilance until the team ensured the situation had been fully resolved.

Customer interaction

Our team worked closely with the customer to ensure we were up to date with any changes being made to their systems. Because of the close communication between our team and the customer, we were able to quickly assess the situation, investigate appropriate assets, and resolve the issue before any systems could be encrypted for ransomware.

Read More

Smartphones have become such an integral part of our lives that it’s hard to imagine a time when we didn’t have them. We carry so much of our lives on our devices, from our social media accounts and photos of our pets to our banking information and home addresses. Whether it be just for fun or for occupational purposes, so much of our time and attention is spent on our smartphones. 

Because our mobile devices carry so much valuable information, it’s important that we stay educated on the latest cyber schemes so we can be prepared to combat them and keep our data safe.  According to Bleeping Computer1, researchers have developed a trojan proof of concept tool that fakes a shutdown or reboot of iPhones, preventing malware from being removed and allowing hackers to secretly snoop on microphones and cameras.  

Let’s dive into the details of this technique.  

How “NoReboot” allows hackers to spy on a device 

Typically, when an iOS device is infected with malware, the solution is as simple as just restarting the device. However, with this new technique researchers are calling “NoReboot,” ridding a device of malware is not quite as simple. 

“NoReboot” blocks the shutdown and reboot process from being carried out, preventing the device from actually restarting. Without a proper shutdown and reboot, a malware infection on an iOS device can continue to exist. Because the device appears to be shut off with a dark screen, muted notifications, and a lack of response, it is easy to assume that the device has shut down properly and the problem has been solved. However, the “NoReboot” technique has only simulated a reboot, allowing a hacker to access the device and its functions, such as its camera and microphone. If a hacker has access to these functions, they could record the user without their knowledge and potentially capture private information.  

This attack is not one that Apple can fix, as it relies on human-level deception rather than exploiting flaws found on iOS. That’s why it’s important that we know how to use our devices safely and stay protected. 

How to know if your smartphone has been hacked 

As previously mentioned, smartphone usage takes up a big chunk of our time and attention. Since we are so often on these devices, it is usually fairly easy to tell when something isn’t working quite like it is supposed to. While these things could very well just be technical issues, sometimes they are much more than that, such as malware being downloaded onto your smartphone. 

Malware can eat up the system resources or conflict with other apps on your device, causing it to act oddly. 

Some possible signs that your device has been hacked include: 

Performance issues 

A slower device, webpages taking way too long to load, or a battery that never keeps a charge are all things that can be attributed to a device reaching its retirement. However, these things may also be signs that malware has compromised your phone. 

Your phone feels like it’s running hot 

Malware running in the background of a device may burn extra computing power, causing your phone to feel hot and overheated. If your device is quick to heat up, it may be due to malicious activity. 

Mysterious calls, texts, or apps appear 

If apps you haven’t downloaded suddenly appear on your screen, or if outgoing calls you don’t remember making pop up on your phone bill, that is a definite red flag and a potential sign that your device has been hacked. 

Pop-ups or changes to your screen 

Malware may also be the cause of odd or frequent pop-ups, as well as changes made to your home screen. If you are getting an influx of spammy ads or your app organization is suddenly out of order, there is a big possibility that your device has been hacked. 

Six tips to prevent your phone from being hacked 

To avoid the hassle of having a hacked phone in the first place, here are some tips that may help. 

1. Update your phone and its apps

Promptly updating your phone and apps is a primary way to keep your device safe. Updates often fix bugs and vulnerabilities that hackers rely on to download malware for their attacks. 

2. Avoid downloading from third-party app stores

Apple’s App Store and Google Play have protections in place to help ensure that apps being downloaded are safe. Third-party sites may not have those same protections or may even be purposely hosting malicious apps to scam users. Avoiding these sites altogether can prevent these apps from allowing hackers into your device. 

3. Stay safer on the go with a VPN

Hackers may use public Wi-Fi to gain access to your device and the information you have inside of it. Using a VPN to ensure that your network is private and only you can access it is a great way to stay protected on the go. 

4. Turn off your Wi-Fi and Bluetooth when not in use

Turning off your Wi-Fi and Bluetooth when you are not actively using them is a simple way to prevent skilled hackers from working their way into your devices. 

5. Avoid public charging stations

Some hackers have been known to install malware into public charging stations and hack into devices while they are being charged. Investing in your own personal portable charging packs is an easy way to avoid this type of hack.  

6. Encrypt your phone

Encrypting your phone can protect your calls, messages, and information, while also protecting you from being hacked. iPhone users can check their encryption status by going into Touch ID & Passcode, scrolling to the bottom, and seeing if data protection is enabled.  

7. Determine whether your device rebooted properly

Although researchers agree that you can never trust a device to be fully off, there are some techniques that can help you determine whether your device was rebooted correctly.2 If you do suspect that your phone was hacked or notice some suspicious activity, restart your device. To do this, press and hold the power button and either volume button until you are prompted to slide the button on the screen to power off. After the device shuts down and restarts, notice if you are prompted to enter your passcode to unlock the device. If not, this is an indicator that a fake reboot just occurred. If this happens, you can wait for the device to run out of battery, although researchers have not verified that this will completely remove the threat.  

Stay protected 

If you are worried that your device has been hacked, follow these steps: 

Install and run security software on your smartphone if you haven’t already. From there, delete any apps you didn’t download, delete risky texts, and then run your mobile security software again. 
If you still have issues, wiping and restoring your phone is an option. Provided you have your photos, contacts, and other vital info backed up in the cloud, it’s a relatively straightforward process. A quick search online can show how to wipe and restore your model of phone. 
Lastly, check your accounts and your credit to see if any unauthorized purchases have been made. If so, you can go through the process of freezing those accounts, getting new cards, and credentials issued with the help of McAfee Identity Protection Service. Further, update your passwords for your accounts with a password that is strong and unique.   

The post Latest Proof of Concept Details How iOS Malware May Snoop on Our Devices appeared first on McAfee Blog.

Read More