Show me where the 0-day touched you!

Shortly after the first shock and awe about the effectiveness of this piece of wiper-cloaked-as-ransomware, the usual game of blaming the NSA for hoarding security vulnerabilities – they are an intelligence agency, it’s their job, even if I don’t like it – and fetishization of 0-days started.

Funnily enough, people are also angry at the ShadowBrokers for promising to sell more exploits in the future, ‘shaming’ them for trying to profit off of stolen exploits – completely ignoring the fact that their agenda can’t really be motivated by financial reasons, because otherwise they wouldn’t have burned something like ETERNALBLUE to the public, something worth hundreds of thousands of dollars on the exploit markets. This whole thing isn’t about money. But that’s a completely different story.

When this happened with WannaCrypt, as it had with earlier occurrences of that “theme”, I silently mumbled stuff to myself, but didn’t really voice my disagreement, because I felt that the thought leaders of this planet had done so properly and plentifully. But since we’re, apparently, at exactly the same spot again: Come on guys, this shit again?

0-days are a rare thing, and 0-days aren’t the biggest problem we’ve seen with !Petya. And while the use of almost exclusively legitimate tools for lateral movement (psexec, wmic) instead of self-written code was, in a bad sense, ‘cool’, this wasn’t it either. Yeah, the lack of a killswitch complicated initial containment. Malware using legitimate credentials threatens the effectiveness of snakeoil security appliances, making sales bullshit even harder, yes. That many AV-solutions can be easily foiled by fake certificates is horrible, yes. That there was no employee to blame for clicking on a bad phishing link made it hard for IT to cover any mistakes they made themselves, absolutely.

The real problems were the same things that ‘caused’ the success of WannaCrypt. After WannaCrypt, IT departments and security teams worldwide were up, running and hyped for approximately two weeks, and it looked like there was an understanding that patch management, disabling outdated network protocols, proper network segmentation and (least privilege) account management were things that should have happened yesterday, or even the decade before that, and needed to be done immediately.

A few weeks later, that urgency seems to have died and it was “back to normal”, and companies and executives were back to the usual game of “what’s the easiest way to become compliant”, while IT departments were back on the hunt for cool stuff. Or, as someone on Twitter put it:

Me: *You should clean up all these old accts on your flat network.* Them: *We should take a class on reverse engineering 0-day exploits.*

(Apologies for not giving credit, I was sent this quote. If anyone has the original link, hit me up!) And I’m reasonably afraid that we’ll see the exact same behavior with !Petya, with even more dangers on the horizon.

This was an attack by (most likely) a nation state actor, somewhat targeted at Ukraine, or companies doing business in or with Ukraine. Yes, the collateral damage through lateral movements in company networks was significant, and even spilled over into the ‘real world’.

But we didn’t see some things WannaCrypt did, such as the random scanning of the Internet for vulnerable systems. We mostly saw it spreading through internal networks and VPNs connecting companies and their suppliers.

So let’s play devil’s advocate for a moment: What would have happened if the same destructive behavior had targeted everyone and everything?

What would have happened, or would happen (pls no), if someone took code similar to !Petya and replaced the wiping component with actual, functioning ransomware? Or to play the “muh cyber cyber cyberterrorism”-angle that the media loves so much: What if a terrorist group wants to spread (digital) destruction?

If anything of the aforementioned had happened, I probably wouldn’t sit here writing this post, I would either still be trying to contain fires or already at home, crying in the shower, after I quit my job.

We shouldn’t be needing another wake-up call, and I’m not convinced we could so ‘easily’ deal with another one. It’s time to do something now.


After shooting my mouth off I want to end this post on a more helpful note, jotting down some standard operational procedures to avoid suffering from similar attacks in the future (You might still get hit, but the impact would be significantly lower!).

I am aware that these tips are only feasible for private persons. Corporate network security isn’t my field of knowledge, I’ll leave that to @swiftonsecurity. And yes, I didn’t call it “best practices”, because following some basic rules of IT operations shouldn’t be considered that, it should be considered “the least you should do”.


  • Updates, updates, updates, .. and hygiene!

Restarting your computer after you’ve done Windows updates is boring, restarting your browser because Flash needs a security fix is annoying, I understand that. But not doing so is potentially putting you in grave danger. I’d rather wait five minutes to watch the next meme compilation on YouTube than get hit by a vulnerability in Windows Defender.

Additionally, do ask yourself: Do you really need Adobe Flash? Do you really need Java? Do you really need all of those semi-useful browser plugins? If you don’t, throw them out! The less software you’ve installed, the smaller your attack surface.

  • Backups, backups, backups .. and restores!

I can’t stress this enough: one of the most effective remediation tactics for ransomware is proper backups, which means you have also tested that you can actually restore your files from the backup. You regularly do that, .. right?

There is a lot of software that can do encrypted, incremental backups to your external hard drive, NAS or cloud storage of choice easily – on Windows (UrBackup, Arq, Duplicati), Linux (Duplicati, Deja Dup, BackupPC) and OSX (Arq, Time Machine). The times when having backups in place was complicated and expensive are long gone. If there’s only one piece of advice you want to take away from this article, take this one. Please!
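One way to run the restore test mentioned above, as an added example that is not part of the original post: restore a backup into a scratch folder, then compare it with the live data by SHA-256. The folder names and sample files are constructed, and `manifest` and `verify_restore` are hypothetical helpers, not part of any of the backup tools listed.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest(root: Path) -> dict:
    """Map each file's path relative to root to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(source: Path, restored: Path) -> dict:
    """Compare a test restore against the live data it was taken from."""
    want, got = manifest(source), manifest(restored)
    return {
        "missing": sorted(set(want) - set(got)),   # in source, absent from restore
        "changed": sorted(k for k in want.keys() & got.keys() if want[k] != got[k]),
        "extra": sorted(set(got) - set(want)),     # deleted or renamed since backup
    }


def demo() -> dict:
    """Constructed sample: a source tree and a deliberately flawed restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src, rst = Path(tmp, "documents"), Path(tmp, "restore-test")
        for root in (src, rst):
            (root / "taxes").mkdir(parents=True)
        (src / "notes.txt").write_text("shopping list")
        (src / "taxes" / "2016.csv").write_text("a,b\n1,2\n")
        (src / "photo.raw").write_bytes(b"\x00" * 4096)   # never restored
        (rst / "notes.txt").write_text("shopping list")
        (rst / "taxes" / "2016.csv").write_text("a,b\n")  # truncated copy
        return verify_restore(src, rst)


if __name__ == "__main__":
    print(demo())
```

Files you edited after the backup ran will show up as changed, so run the comparison right after a backup or against a folder you know has not been touched since.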

Antivirus solutions are an intensely discussed topic in the security community, especially since @taviso started taking a closer look at them. They have greatly matured since the days when McAfee actually belonged to McAfee (Or do they again? I’ve lost track of the developments.), yet in my personal opinion, NoScript has done more to improve client security than a lot of other developments in that realm. If you can somehow, anyhow get yourself to get used to manually unblocking elements, do it. Really, it’s a good thing!

  • Show file extensions in explorer.exe

Enable the ‘Show file extensions’ option in the Windows settings on your computer. This will make it much easier to spot potentially malicious files, especially for your siblings and parents who are prone to clicking on anything. Hitting them with an object of your choice until they remember not to click on .scr or .exe files from unknown sources is optional, but highly recommended. I’m not responsible if you lose access to your inheritance as a consequence of your actions.


Last but not least, two not-so-technical things:

  • Don’t rely on NAT as protection!

It’s amazing that I have to say this, but especially amongst semi-technical people, the myth about NAT saving you lives on. Just because something or somebody can’t directly access your computer doesn’t mean you are safe from harm. Accidentally forgotten and misconfigured port-forwardings and UPnP exist!

  • Don’t follow stupid advice by stupid people on the Internet!

Yes, the irony of this statement in a blog post written by me isn’t lost on me. Please don’t tell me about it too often. There are a lot of guides out there, especially since the release of Windows 10 and the controversy surrounding telemetry gathering, that talk about measures you can take in order to beat ‘Big Brother’.

Those range from “not exactly ideal, but mostly harmless”, such as disabling Google Safe Browsing, to “please don’t do that”, such as blocking access to some of Microsoft’s servers or disabling the “Cloud Protection” component of Windows Defender, neither of which really does good things for your privacy; both actively decrease the security of your system.

If you disable some of those things to, theoretically, increase your privacy, for yourself, that’s (somewhat) fine. But please don’t do these things on the computers of people you care about that aren’t technically versed, such as parents and spouses. Should you really be worried, use OpenBSD instead.
