Monthly Archives: July 2019

Think Before You Sync. Why just moving to the cloud does not solve the ransomware threat.

27 July 2019

On May 7th, 2019 the city of Baltimore was hit by a ransomware attack.  Although the city hired Microsoft and five other firms it has not fully recovered from the attack yet.(1)

Since the city’s email system was down officials started to use Gmail accounts for communications.(1)(2) This makes sense in the case of an emergency. Not communicating in the case of a publicly visible cyber-attack commonly has a large financial impact on businesses; but in the case of cities this may result in the loss of public security.

The ransomware attack on Norsk Hydro on March 19th, 2019 impressively shows the effect of good communications(3)(4): Investor’s confidence was not endangered at any time, the share price remained unchanged.

But from a strategic point of view, just moving to the whatever cloud is not a good idea. Google’s idea behind ChromeOS was simply clever: If everything (applications and data) is stored in the cloud the impact of e.g. ransomware will be negligible because the malware cannot jump across the https barrier to your cloud storage. The same holds for O365.

Unfortunately, users are not used of this way of working in the browser. It’s often slow, requires a change in working habits, travelling requires extra preparation, etc. So, Microsoft invented OneDrive and Google came up with Sync for Windows. Similar tools are available for Box and DropBox, and for all desktop operating systems, even for Linux.

Linux Setup Online Accounts

Linux setup online accounts during first login

With these syncing tools, the data stored in the cloud is made available on the user’s desktop. Changes to local files are synchronized immediately to the cloud and vice versa. And with this, the ransomware problem still exists because if a ransomware encrypts the synchronized files on the local copy the change is immediately synchronized to the cloud.
Game over.

So, if you want to take advantage of the cloud you have to run a vast change project: The whole working environment with all forms, templates, etc. must be provided in the cloud. And the employees must get used of the new way of working.

We need change!

We need change!

But the effort pays off: Your network becomes more resilient against cyber-attacks, workstations can be easily exchanged, the endpoint complexity can be reduced, windows domains and in the end, the campus network, will become dispensable.

So, think before you sync!

Have a great weekend.

  1. Duncan I. Google Pitches to Baltimore after Ransomware Attacks [Internet]. Government Technology. 2019 [zitiert 27. Juli 2019]. Verfügbar unter: https://www.govtech.com/computing/Google-Pitches-to-Baltimore-after-Ransomware-Attacks.html
  2. Cyber-spies tight-lipped on Baltimore hack. BBC News [Internet]. 27. Mai 2019 [zitiert 27. Juli 2019]; Verfügbar unter: https://www.bbc.com/news/technology-48423954
  3. Norsk Hydro. Update: Hydro subject to cyber attack [Internet]. 2019 [zitiert 24. Mai 2019]. Verfügbar unter: https://www.hydro.com/de-DE/medien/news/2019/update-hydro-subject-to-cyber-attack/
  4. Norsk Hydro ASA. Norsk Hydro: Update: Hydro subject to cyber-attack – 19.03.19 – News – ARIVA.DE [Internet]. de. 2019 [zitiert 24. Mai 2019]. Verfügbar unter: https://www.ariva.de/news/norsk-hydro-update-hydro-subject-to-cyber-attack-7476743

How to defend against file-less malware?

15 July 2019

Stories on file-less malware are constantly appearing in the news. Zeljka Zorz’s post “A file-less campaign is dropping the Astaroth info-stealer” (1), published on 9 July 2019 in Help Net Security, gives a great introduction into the techniques used in file-less attacks.

Andrea Lelli’s technical analysis (2) shows that the malware downloads some DLLs and injects them into the userinit.exe process after becoming persistent. So, no big development since the first report on a file-less malware, Poweliks (3), published in 2014.

Pattern based anti-malware solutions are still no effective means to protect against file-less malware because the malware uses the hacker’s favorite toolkit, the Windows OS, for installation of the malicious payload.

But there is no reason to panic. The Windows OS is part of the problem; the Windows OS is also part of the solution.

First things first.

Don’t work with permanent administrative privileges!

It cannot be repeated often enough! Userinit.exe is part of the Windows OS. Admin privileges are required to load a DLL into the userinit.exe process. So, no admin rights, no DLL injection.

Now the big change.

We need change!

We need change!

In a Windows environment, Microsoft AppLocker does the job. AppLocker is an efficient solution; it is part of the Windows OS and it can be configured centrally by group policies. AppLocker is an effective solution; all kind of dropper malware is blocked, and with DLL rules enforced, DLL injection is no longer possible. Thus, AppLocker is the perfect solution for SMBs to overcome the shortcomings of pattern based anti-malware solutions. For a brief overview on AppLocker see my post (4).

If AppLocker does not fit into your computing environment, for example in production, look at the application whitelisting solutions from the big anti-malware solution providers. Application whitelisting provides additional features, e.g. the lockdown of systems, which is of interest especially in production because of the much longer solution lifecycles.

Application whitelisting is the long overdue change in the strategic approach to cyber security. Give it a try. Once you locked down your systems you can take care of the really important issues. Like supporting your business in digitalization initiatives.

Have a great week.

References

  1. Zorz Z. A fileless campaign is dropping the Astaroth info-stealer [Internet]. Help Net Security. 2019 [zitiert 15. Juli 2019]. Verfügbar unter: https://www.helpnetsecurity.com/2019/07/09/astaroth-fileless-malware/
  2. Lelli A. Dismantling a fileless campaign: Microsoft Defender ATP next-gen protection exposes Astaroth attack [Internet]. Microsoft Security. 2019 [zitiert 15. Juli 2019]. Verfügbar unter: https://www.microsoft.com/security/blog/2019/07/08/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack/
  3. Jochem K. Review – ‘Poweliks’ malware variant employs new antivirus evasion techniques [Internet]. IT Security Matters. 2014 [zitiert 15. Juli 2019]. Verfügbar unter: https://klausjochem.me/2014/08/09/poweliks-malware-variant-employs-new-antivirus-evasion-techniques/
  4. Jochem K. Windows Applocker – The almost forgotten IT security workbench [Internet]. IT Security Matters. 2019 [zitiert 15. Juli 2019]. Verfügbar unter: https://klausjochem.me/2019/01/05/windows-applocker-the-almost-forgotten-it-security-workbench/