Defending the education of the next generation

The mission continues

It seems clear that the threat of ransomware is still high and prevalent, and that criminal enterprises are having great success at delivering significant negative impact on organisations around the globe.

To this end we have seen that some of those in the Education sector are vulnerable and may not have the resources required to identify, protect, detect, respond and recover from ransomware attacks.

From my point of view this simply is not acceptable; we cannot leave people at the mercy of criminal activity.

Whilst CV19 can’t save the world, we can at least try to help those in greatest need.

We have a team of dedicated cyber security professionals who already invest time for the community and industry to offer support.

We conduct a range of activities in the background to help organisations from an internet facing perspective.

Having seen the comments in the chat from CYBERUK 2021 I believe we should try and do more to help the education sector and next generation.

Today I’ve committed to conducting Active Directory Assessments for organisations in the UK public education sector space as part of CV19’s activities.

Active Directory Monitoring Azure Diagram

This will be supported with resources from our industry supporters.

The challenge here isn’t so much technical as it is human.

We have the skills, tools and capabilities to deliver help where it’s needed.

The challenge is getting people to accept the help.

We have already had two educational organisations request support.

We’ll update with progress as we go.

We can’t save the world but we can at least try and help those who are in need!

Daniel Card (CV19 Head of Technical Operations)

Ransomware and Remote Desktop Services

A major threat to healthcare organisations

Insecure, misconfigured and under-protected remote desktop services are a major vulnerability. This attack vector is simple to find, easy to access and operate, very simple to exploit and can be the initial entry to a chain of devastating actions by a threat actor to take down your systems.

This screenshot is of a single, exposed live system that our team of volunteers has obtained (amongst a range of others) from live vulnerable systems on the internet:

You can see here that not only are we able to enumerate valid usernames, but we are also able to enumerate and identify the operating system (in this case it’s an out-of-support Windows Server 2008 R2 Standard Edition Server).

It’s also important to recognise that it’s not just RDP (Remote Desktop Protocol) services: there are a great many systems with remote code execution or authentication bypass vulnerabilities which will enable threat actors (cybercriminals) to potentially own your systems and data! Examples of these include vulnerabilities in systems such as PULSE VPN, CITRIX NETSCALER and RDP:

Common Ransomware Phases

Phase 1 – Recon

Threat actors identify exposed RDP services. They check whether NLA (Network Level Authentication) is disabled; if so, this gives them username enumeration, which increases their likelihood of success. It should be noted that threat actors also buy and sell access credentials on marketplaces, so in some cases they skip straight to initial access.

Phase 2 – Exploitation

Threat actors obtain breached credential data and leverage this amongst other techniques (such as brute force) to attack the exposed services. These methods include:

  • Valid credentials
  • Credential stuffing
  • RDP exploits (such as Bluekeep)
  • Brute force

Phase 3 – Initial Access

Once a valid connection is made, the threat actor now has an initial foothold. From here they will attempt to do the following:

  • Harvest local access and data sources to elevate privileges (often they will run mimikatz)
    • Check web browser password caches
    • Check for clear text credentials stored in files
    • Check saved credentials in RDP sessions (Windows Credential Manager)
  • Enumerate the network using legitimate network scanning tools
  • Prepare ransomware payloads
    • Some ransomware requires communication with a command and control (C2) server; however, some ransomware such as REvil can be executed with a custom binary which does not require server communication.

Phase 4 – Lateral Movement

The threat actors will attempt to move to other nodes on your network to strengthen their position. In some cases, they will also establish persistence and several backdoors in case one access method is discovered and removed. You will often see them drop legitimate network scanning tools onto hosts, in an attempt to evade detection.

Phase 5 – Actions on Target

Once all resources have been exhausted, the threat actor will execute (run) the payloads to encrypt your data.

Phase 6 – Victim Contact and Payment

Once the servers and data have been encrypted, the ransomware operator will either wait for contact or will establish contact. This will usually be conducted using throwaway (burner) email accounts, etc. Most ransomware leaves a ransom note with details as to how to establish contact and how to arrange payment to the attacker.
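As an added example (not code from the original post or from CV19), the following PowerShell flags the Phase 1 to Phase 3 pattern in Windows Security log data: a burst of failed logons (event 4625) from one source address followed by a successful remote-interactive logon (event 4624, logon type 10) from the same address. The function name, the Time/Id/Ip/User/LogonType fields and the sample events are constructed assumptions; on a real host the events would come from Get-WinEvent on the Security log.

```powershell
# Added example, not part of the original post. Detects a burst of failed logons from one
# IP (brute force / credential stuffing, Phase 2) followed by a type-10 (RDP) success from
# the same IP (initial access, Phase 3). Field names and sample events are constructed.
function Find-RdpBruteForce {
    param(
        [Parameter(Mandatory)] [object[]]$Events,   # objects with Time, Id, Ip, User, LogonType
        [int]$Threshold = 10,                        # failures from one IP that count as a burst
        [int]$WindowMinutes = 10                     # the burst must fit inside this window
    )
    $alerts = @()
    foreach ($group in ($Events | Where-Object { $_.Ip } | Group-Object Ip)) {
        $sorted   = $group.Group | Sort-Object Time
        $failures = @($sorted | Where-Object { $_.Id -eq 4625 })
        if ($failures.Count -lt $Threshold) { continue }
        # Sliding window: do $Threshold consecutive failures fall inside $WindowMinutes?
        $burst = $false
        for ($i = 0; $i + $Threshold - 1 -lt $failures.Count; $i++) {
            $span = $failures[$i + $Threshold - 1].Time - $failures[$i].Time
            if ($span.TotalMinutes -le $WindowMinutes) { $burst = $true; break }
        }
        if (-not $burst) { continue }
        # Many distinct target accounts from one IP points to spraying / stuffing rather than one
        # forgotten password; a later type-10 success from that IP is the foothold to act on.
        $users   = @($failures.User | Sort-Object -Unique)
        $success = $sorted |
            Where-Object { $_.Id -eq 4624 -and $_.LogonType -eq 10 -and $_.Time -gt $failures[0].Time } |
            Select-Object -First 1
        $alerts += [pscustomobject]@{
            SourceIp      = $group.Name
            Failures      = $failures.Count
            DistinctUsers = $users.Count
            Compromised   = [bool]$success
            SuccessUser   = $(if ($success) { $success.User } else { $null })
        }
    }
    return $alerts
}

# Constructed sample: 12 failures against different accounts from 203.0.113.7, then a success
# from that IP, plus an unrelated success from another address that must not be flagged.
$t0 = Get-Date '2021-05-20 02:00:00'
$sample = 0..11 | ForEach-Object {
    [pscustomobject]@{ Time = $t0.AddSeconds(20 * $_); Id = 4625; Ip = '203.0.113.7'; User = "user$_"; LogonType = 10 }
}
$sample += [pscustomobject]@{ Time = $t0.AddMinutes(5); Id = 4624; Ip = '203.0.113.7';  User = 'user3'; LogonType = 10 }
$sample += [pscustomobject]@{ Time = $t0.AddMinutes(6); Id = 4624; Ip = '198.51.100.9'; User = 'admin'; LogonType = 10 }

Find-RdpBruteForce -Events $sample | Format-Table -AutoSize
```

On a live host, collect 4624/4625 events with Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625} and map the IpAddress, TargetUserName and LogonType event properties onto the Ip, User and LogonType fields before calling the function.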

Identify, Protect, Detect, Respond and Recover

There are a range of actions that can be taken not only to reduce the risk of an incident occurring but also to help mitigate the impact. The range of options is wide, so we’ve covered the common ones:

  1. Ensure you have an ‘offline’ backup
    1. This may be in the form of a network-based backup that is NOT domain joined and is significantly isolated. Ideally, you want a copy of these backups shipped offsite as well.
  2. Ensure you have an incident response plan
    1. Ensure that it is tested (alongside restoration tests from backup services)
  3. Ensure you have NLA enabled. This will in some cases stop exploits (e.g. Bluekeep) or will significantly increase the complexity of the attack required.
  4. Use IP whitelists and/or “just in time” access
  5. Use VPNs and Secure Gateway services
  6. Ensure you have account lockout policies configured
  7. Implement proactive security monitoring
  8. Implement Multi-Factor Authentication (MFA)
  9. Use hardened configurations, jump boxes, limit standard user accounts
  10. Ensure systems are patched and maintained in line with vendor support
  11. Ensure logging configurations are set appropriately
  12. Deploy sysmon, if suitable
  13. Deploy EDR (Endpoint Detection and Response), if safe to do so
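As an added example (not code from the original post or from CV19), this read-only PowerShell audit checks items 3, 6, 7 and 11 above on a single Windows host: whether NLA is required, whether the TLS security layer is enforced, the account lockout threshold, the remote-address scope of enabled inbound RDP firewall rules, and whether logon auditing records both success and failure. It assumes an elevated session and the standard registry locations for the RDP-Tcp listener; nothing is modified.

```powershell
# Added example, not part of the original post: a read-only audit of the RDP hardening
# points in the list above. Run in an elevated PowerShell 5.1+ session on the host.
$tsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey   = "$tsKey\WinStations\RDP-Tcp"
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Check, [string]$Status, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail })
}
function Get-RegValue([string]$Path, [string]$Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# Is the RDP listener on at all? fDenyTSConnections = 1 means RDP is disabled.
$deny = Get-RegValue $tsKey 'fDenyTSConnections'
Add-Finding 'RDP enabled' 'INFO' "fDenyTSConnections=$deny (1 = RDP disabled)"

# NLA (list item 3): UserAuthentication = 1 requires authentication before a session is
# created, which removes the pre-authentication username enumeration described in Phase 1.
$nla = Get-RegValue $rdpKey 'UserAuthentication'
Add-Finding 'NLA required' $(if ($nla -eq 1) { 'PASS' } else { 'FAIL' }) "UserAuthentication=$nla"

# SecurityLayer: 2 = TLS required, 1 = negotiate, 0 = legacy RDP security layer.
$sl = Get-RegValue $rdpKey 'SecurityLayer'
Add-Finding 'TLS security layer' $(if ($sl -eq 2) { 'PASS' } else { 'FAIL' }) "SecurityLayer=$sl"

# Account lockout (item 6): "Never" in the effective policy means brute force is never throttled.
$threshold = (net accounts | Select-String 'Lockout threshold').ToString().Split(':')[1].Trim()
Add-Finding 'Account lockout' $(if ($threshold -match '^\d+$') { 'PASS' } else { 'FAIL' }) "Lockout threshold=$threshold"

# Firewall scope (item 4): an enabled inbound allow rule for TCP 3389 with RemoteAddress 'Any'
# exposes RDP to every source; an IP whitelist shows up here as explicit addresses.
$rdpRules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -eq 3389 }
foreach ($rule in $rdpRules) {
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ','
    Add-Finding "Firewall scope: $($rule.DisplayName)" $(if ($remote -eq 'Any') { 'FAIL' } else { 'PASS' }) "RemoteAddress=$remote"
}

# Logon auditing (items 7 and 11): 4624/4625 are only written if the Logon subcategory audits both.
$auditRaw  = auditpol /get /subcategory:"Logon" | Select-String '^\s+Logon\s+' | Select-Object -First 1
$auditLine = "$auditRaw".Trim()
Add-Finding 'Logon auditing' $(if ($auditLine -match 'Success and Failure') { 'PASS' } else { 'FAIL' }) $auditLine

$findings | Format-Table -AutoSize
```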

Alongside our guidance, please review the NCSC guidance on ransomware defence and response:

https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks

In short, practise good systems management. You can harden your attack surface with some very simple changes, and you can make it insanely stronger with a bit more effort!

Summary

The risks that exposed RDP services present are huge. It’s estimated that ~80-85% of ransomware incidents use this vector as an initial foothold. One of our founders (Daniel Card) has personal experience responding to ransomware and in the last ~6 months, 100% of his responses have been due to exposed RDP.

There are clearly requirements to enable remote administration, but what we are seeing is many servers being exposed with high-risk configurations in the healthcare sector. It’s imperative during this time that healthcare providers and IT service providers ensure their internet-facing assets are not exposed to unnecessary risks. We hope this article is useful, but if you need further guidance or support, please get in touch. We have a large group of volunteers who are experienced cyber security professionals and skilled in detection, protection and response services.

If you need support please visit this URL: http://cyberv19.org.uk/service-request/ and one of our team will be in contact to help!

Stay safe, stay secure!
