Category Archives: Endpoint security

Windows 7 reaches End of Life (EOL) – Are you ready for the risks or would you rather update your OS?

Estimated reading time: 2 minutes

14 Jan 2020 marked a huge day for Windows, as Microsoft ended support for Windows 7, the operating system that had been touching lives for nearly 11 years.

Introduced almost a decade back, Windows 7 was designed basically to fix the failures that came with Windows Vista. The popularity of this OS was so massive that it took Microsoft years of efforts, to instigate people to upgrade to Windows 10 for free. In fact, millions of PCs even today continue to run on Windows 7 especially in the corporate environment, which now leaves them susceptible to security vulnerabilities and exploits as Microsoft ends its mainstream support.

What does End of Support mean?

Well, during the lifecycle of an operating system, constant support in terms of security patches and bug fixes are provided to users of that OS, to protect them against new and advanced malware threats.

Thus, end of life for Windows 7 OS would specifically mean that no more security patches, bug fixes or new functionalities would be available for its users (individual or enterprise), leaving them susceptible to malware attacks. While users can continue using Windows 7, remember that the cost of using an outdated operating system can be really high.

Not to forget the devastating cyber-attacks like WannaCry in 2017 that widely affected the Windows 7 version. Imagine the impact of yet un-discovered and unknown vulnerabilities possibly still lurking around in Windows 7.

For those who are still reluctant about updating to Windows 10 OS, Microsoft will continue to provide support, but at a cost! So, businesses wanting to continue with Windows 7 can still do so, by making costly investments for extended security updates.

Preparing for Windows 7 EOL

Despite Microsoft notifying its users about the Windows 7 EOL for a considerably long time, there are still an estimated 200 million PC users who continue to run Windows 7 (https://zd.net/30lKOC0). The simplest way out of this crisis is to upgrade to Windows 10 OS. The longer users take to upgrade their OS, the bigger are the risks of potential cyber-attacks, especially for those using the OS for accessing business or personal data. So, the best things current users of Windows 7 OS can do are:

  • Immediately upgrade all devices currently running on Windows 7 to Windows 10.
  • Do not use the Windows 7 OS for accessing bank, personal or other sensitive data.
  • Consider accessing personal Email IDs or other important logins from different device.

How Seqrite can help Windows 7 Users

To your much relief, Seqrite products will continue detecting malware files/infections and providing support on Windows 7 OS just as on any other supported Microsoft OS.

We will no more be able to support external dependency features of SEQRITE EPS specifically such as Vulnerability Scan and Patch Management since these are dependent on Microsoft for any further updates.

For example, if a Seqrite product requires Microsoft to provide a fix and Microsoft does not provide the fix, then the support cannot be provided any longer.

We assure to keep you posted about any latest advancements in this regard.

NOTE: End of Life (EOL) is for Windows server 2008 and 2008 R2 as well and same rules are applicable for these versions too.

The post Windows 7 reaches End of Life (EOL) – Are you ready for the risks or would you rather update your OS? appeared first on Seqrite Blog.

sLoad launches version 2.0, Starslord

sLoad, the PowerShell-based Trojan downloader notable for its almost exclusive use of the Windows BITS service for malicious activities, has launched version 2.0. The new version comes on the heels of a comprehensive blog we published detailing the malware’s multi-stage nature and use of BITS as alternative protocol for data exfiltration and other behaviors.

With the new version, sLoad has added the ability to track the stage of infection on every affected machine. Version 2.0 also packs an anti-analysis trick that could identify and isolate analyst machines vis-à-vis actual infected machines.

We’re calling the new version “Starslord” based on strings in the malware code, which has clues indicating that the name sLoad may have been derived from a popular comic book superhero.

We discovered the new sLoad version over the holidays, in our continuous monitoring of the malware. New sLoad campaigns that use version 2.0 follow an attack chain similar to the previous version, with some updates, including dropping the dynamic list of command-and-control (C2) servers and upload of screenshots.

Tracking the stage of infection

With the ability to track the stage of infection, malware operators with access to the Starslord backend could build a detailed view of infections across affected machines and segregate these machines into different groups.

The tracking mechanism exists in the final-stage, which, as with the old version, loops infinitely (with sleep interval of 2400 seconds, higher than the 1200 seconds in version 1.0). In line with the previous version, at every iteration of the final stage, the malware uses a download BITS job to exfiltrate stolen system information and receive additional payloads from the active C2 server.

As we noted in our previous blog, creating a BITS job with an extremely large RemoteURL parameter that includes non-encrypted system information, as the old sLoad version did, stands out and is relatively easy to detect. However, with Starslord, the system information is encoded into Base64 data before being exfiltrated.

The file received by Starslord in response to the exfiltration BITS job contains a tuple of three values separated by an asterisk (*):

  • Value #1 is a URL to download additional payload using a download BITS job
  • Value #2 specifies the action, which can be any of the following, to be taken on the payload downloaded from the URL in value#1:
    • “eval” – Run (possibly very large) PowerShell scripts
    • “iex” – Load and invoke (possibly small) PowerShell code
    • “run” – Download encoded PE file, decode using exe, and run the decoded executable
  • Value #3 is an integer that can signify the stage of infection for the machine

Supplying the payload URL as part of value #1 allows the malware infrastructure to house additional payloads on different servers from the active C2 servers responding to the exfiltration BITS jobs.

Value#3 is the most noteworthy component in this setup. If the final stage succeeds in downloading additional payload using the URL provided in value #1 and executing it as specified by the command in value #2, then a variable is used to form the string “td”:”<value#3>”,”tds”:”3”. However, if the final stage fails to download and execute the payload, then the string formed is “td”:”<value #3>”,”tds”:”4”.

The infinite loop ensures that the exfiltration BITS jobs are created at a fixed interval. The backend infrastructure can then pick up the pulse from each infected machine. However, unlike the previous version, Starslord includes the said string in succeeding iterations of data exfiltration. This means that the malware infrastructure is always aware of the exact stage of the infection for a specific affected machine. In addition, since the numeric value for value #3 in the tuple is always governed by the malware infrastructure, malware operators can compartmentalize infected hosts and could potentially set off individual groups on unique infection paths. For example, when responding to exfiltration BITS jobs, malware operators can specify a different URL (value #1) and action (value #2) for each numeric value for value #3 of the tuple, essentially deploying a different malware payload for different groups.

Anti-analysis trap

Starslord comes built-in with a function named checkUniverse, which is in-fact an anti-analysis trap.

As mentioned in our previous blog post, the final stage of sLoad is a piece of PowerShell code obtained by decoding one of the dropped .ini files. The PowerShell code appears in the memory as a value assigned to a variable that is then executed using the Invoke-Expression cmdlet. Because this is a huge piece of decrypted PowerShell code that never hits the disk, security researchers would typically dump it into a file on the disk for further analysis.

The sLoad dropper PowerShell script drops four files:

  • a randomly named .tmp file
  • a randomly named .ps1 file
  • a ini file
  • a ini file

It then creates a scheduled task to run the .tmp file every 3 minutes, similar to the previous version. The .tmp file is a proxy that does nothing but run the .ps1 file, which decrypts the contents of main.ini into the final stage. The final stage then decrypts contents of domain.ini to obtain active C2 and perform other activities as documented.

As a unique anti-analysis trap, Starslord ensures that the .tmp and.ps1 files have the same random name. When an analyst dumps the decrypted code of the final stage into a file in the same folder as the .tmp and .ps1 files, the analyst could end up naming it something other than the original random name. When this dumped code is run from such differently named file on the disk, a function named checkUniverse returns the value 1, and the analyst gets trapped:

What comes next is not very desirable for a security researcher: being profiled by the malware operator.

If the host belongs to a trapped analyst, the file downloaded from the backend in response to the exfiltration BITS job, if any, is discarded and overwritten by the following new tuple:

hxxps://<active C2>/doc/updx2401.jpg*eval*-1

In this case, the value #1 of the tuple is a URL that’s known to the backend for being associated with trapped hosts. BITS jobs from trapped hosts don’t always get a response. If they do, it’s a copy of the dropper PowerShell script. This could be to create an illusion that the framework is being updated as the URL in value #1 of the tuple suggests (hxxps://<active C2>/doc/updx2401.jpg).

However, the string that is included in all successive exfiltration BITS jobs from such host is “td”:”-1”,”tds”:”3”, eventually leading to all such hosts getting grouped under value “td”:”-1”. This forms the group of all trapped machines that are never delivered a payload. For the rest, so far, evidence suggests that it has been delivering the file infector Ramnit intermittently.

Durable protection against evolving malware

sLoad’s multi-stage attack chain, use of mutated intermediate scripts and BITS as an alternative protocol, and its polymorphic nature in general make it a piece malware that can be quite tricky to detect. Now, it has evolved into a new and polished version Starlord, which retains sLoads most basic capabilities but does away with spyware capabilities in favor of new and more powerful features, posing even higher risk.

Starslord can track and group affected machines based on the stage of infection, which can allow for unique infection paths. Interestingly, given the distinct reference to a fictional superhero, these groups can be thought of as universes in a multiverse. In fact, the malware uses a function called checkUniverse to determine if a host is an analyst machine.

Microsoft Threat Protection defends customers from sophisticated and continuously evolving threats like sLoad using multiple industry-leading security technologies that protect various attack surfaces. Through signal-sharing across multiple Microsoft services, Microsoft Threat Protection delivers comprehensive protection for identities, endpoints, data, apps, and infrastructure.

On endpoints, behavioral blocking and containment capabilities in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) ensure durable protection against evolving threats. Through cloud-based machine learning and data science informed by threat research, Microsoft Defender ATP can spot and stop malicious behaviors from threats, both old and new, in real-time.

 

 

Sujit Magar

Microsoft Defender ATP Research Team

The post sLoad launches version 2.0, Starslord appeared first on Microsoft Security.

SECURITY ALERT: Microsoft releases critical security updates to fix major vulnerabilities

Microsoft released its regular patches on the second Tuesday of the month, and as always, they included fixes for multiple vulnerabilities. Namely, 49 security bugs have been now fixed, out of which eight are considered to be critical.

Rumors started to circulate before the patches were officially out and sources were saying that Microsoft was very likely to fix “an extraordinarily serious security vulnerability in a core cryptographic component present in all versions of Windows.” The same sources were indicating that Microsoft had quietly shipped a patch for the bug to branches of the U.S. military and to other highly valuable customers that manage key Internet infrastructure. Those organizations were allegedly asked to sign agreements that forbade them from disclosing details of the flaw prior to the January 2020 Patch Tuesday.

Microsoft declined to respond to these allegations, saying that they do not wish to discuss the details before the patches were officially released.

In short, there were some early signs that some serious flaws were going to be fixed, and the first Patch Tuesday of this year only confirmed the rumors.

So, keep on reading to find out what you should expect from Microsoft’s January 2020 updates.

CVE-2020-0601, the Windows CryptoAPI Spoofing Vulnerability

By far the most significant security bug that has been fixed (CVE-2020-0601) is indeed critical.

Here is what Microsoft has to say about it in its Security Update Guide:

A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates.

An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear the file was from a trusted, legitimate source. The user would have no way of knowing the file was malicious because the digital signature would appear to be from a trusted provider.

A successful exploit could also allow the attacker to conduct man-in-the-middle attacks and decrypt confidential information on user connections to the affected software.

The security update addresses the vulnerability by ensuring that Windows CryptoAPI completely validates ECC certificates.

In other words, this vulnerability can allow spoofing and bypassing normal security mechanisms that validate the credibility of binary code, including ECC certificates and this can circumvent your endpoint protection.

The vulnerability impacts Windows 10, Windows Server 2019, and Windows Server 2016 OS versions. According to Microsoft and the NSA (which first reported the bug), no active attacks were spotted before this month’s patch was released. The Agency has published its own security guide, with details on mitigation and on how to detect exploitation.

CVE-2020-0609 and CVE-2020-0610, the vulnerabilities found in RDP

An additional relevant security update is related to the Windows Remote Desktop Gateway (RD Gateway) that address the CVE-2020-0610 and CVE-2020-0609 vulnerabilities. The update applies to Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019 and it’s crucial you apply this update as well in a timely manner.

Sending a specially crafted request to an accessible and vulnerable RD Gateway via RDP opens the risk of arbitrary code execution. These vulnerabilities can be seen before the RDP authentication process and require no user interaction. A malicious hacker who manages to exploit these vulnerabilities may be able to then install programs, view, change, and delete data and even create new accounts with full user rights, Microsoft said in their Security Update guide.

We recommend that you place RDP services internally, so that they can, for instance, be accessed via a VPN connection and never as a service available via WAN / Internet.

Other notable vulnerabilities covered in January’s Patch Tuesday

Some other products that received fixes this month, besides Windows, include Internet Explorer, Microsoft Office, Microsoft Office Web Apps, Microsoft Dynamics, ASP.NET, the .NET Framework, and OneDrive for Android.

Patch, patch, and patch again

Here at Heimdal we always advise both organizations and individuals to never fall behind on their updates, since this practice alone will notably increase one’s defenses. Through our X-Ploit Resilience, which covers both Microsoft and 3rd party software, our corporate customers apply their patches four times faster than the global average. X-Ploit Resilience features all updates and patches within four hours since their launch, silently, in the background, with zero user interruption.

Conclusion

Even though Microsoft’s January 2020 Patch Tuesday is smaller compared to most of the other patches that were released seen in the past, it is, without doubt, still highly important. And the main lesson here is to always keep up with your patches!

The post SECURITY ALERT: Microsoft releases critical security updates to fix major vulnerabilities appeared first on Heimdal Security Blog.

Freeware vs. Shareware vs. Open Source – What is Each and How to Use Them Safely

During the last decade or so, software deployment for both SMBs and enterprise has become rather problematic – not so much on the upscaling part, but rather on the number of licenses an institution has to purchase and renew. The costs can be ginormous, which is the very reason why the company owner resorts to cost-effective alternatives such as freeware, shareware, and open-source. In this article, I’m going to run you through each category. After that, you can decide which is better for your business.  Let’s get to it – freeware vs. shareware vs. open source. Who will win the race?

What is Freeware?

Loosely defined as a type of proprietary software, that it’s being distributed at no cost whatsoever for the user, freeware is the answer to accomplishing very simple tasks without the need of investing in expensive, license-based software. Freeware software has no EULA, license, or rights of any kind, which means that it can be deployed on both home and enterprise machines.

Freeware is not a modern concoction. In fact, the term itself was coined in the golden 80s by Andrew Fluegelman, who sough of means of making PC-Talk (Skype’s long-forgotten ancestors) available outside regular distribution channels. The key differentiator between freeware, shareware, and open-source is that freeware does not make its source code available, despite being free of charge.

A couple of freeware examples: Discord (IM used by the gaming community), Yahoo Messenger (rest in peace, my friend), µTorrent, IrfanView, Groove Music, Winamp, DVD Shrink, CCleaner, and others.

Freeware pros:

  • Easy to use and deploy (for home users and enterprises\SMBs).
  • A great way to incentivize your potential customers (for soft makers and marketeers gunning for paid licenses).
  • Solve daily tasks without having to invest in expensive software.
  • Quickly grow your user base.

Freeware cons:

  • Limited functionality.
  • No way of reverse-engineering it since the source code is not made available.
  • Customers may sometimes perceive the product as inferior.

 

What is Shareware?

Probably most of the apps found online and offline fall under this category. Shareware is so widespread that it ‘felt’ the need to have its own consortium. Called the Association of Shareware Professional or ASP, for short, this international trading and trade organization comprises over 1,500 vendors, authors, and online retailers. The term was coined around the same time as freeware.

While Fluegelman was pushing his PC-Talk comm app. Jim “Button” Knopf, an IBM employee at that time, was releasing a database program called PC-File. In legal terms, the main difference between Knopf’s apps and Fluegelman’s freebie is that the database program was never meant to be offered free of charge.

Knopf himself called his creation “user-supported software” meaning that users would need to cover some of the fees associated with the continual development of the product. No doubt, an interesting marketing praxis, but a lucrative one, given shareware’s popularity and availability.

Shareware is an umbrella term, encompassing various types of apps, each following a unique business model.

Types of shareware

1. Adware

Also called “advertising-supported software”, this type of shareware has embedded ads running alongside the apps. The purpose of adware is to generate revenue for its creator. Ads may be present during the installation process or as part of the user interface. Most are ‘hardwired’ to analyze the users’ traffic in order to display customized ads. Adware is free-to-use, but the sheer number of ads can interfere with normal operation. A large number of apps currently available on Google Play are adware.

2. Crippleware

It may sound like a new form of malware, but it’s actually a legit type of software. Why is it called “Crippleware”? Because the author purposely “cripples” the app’s vital functions, making them available in the paid or premium version. For instance, if you have photo-editing apps, the download as jpeg function may be disabled or the photos may have watermarks that can be removed by upgrading to full.

3. Trialware

Trialware apps can be used for a limited period.  In most cases, users will be granted access to all of the app’s functions (including the ones available in the paid version). However, once the trial period expires, the app will be disabled or revert to a very basic (and very unusable version). From my experience, trialware that doesn’t cover vital system processes (i.e. antivirus or malware-scanner), will simply stop working. They will, of course, display a splash screen meant to inform the user that the software has expired and that he must upgrade to full.

4. Donationware

The software grants the user access to all of its features. However, it does come with one small request: the user is asked to shell out a small amount of cash to support the project or just show appreciation for the author’s work. The payout part is optional, having no bearing of the app’s functionality. Given its behavior, one could consider that donationware has more in common with freeware than with shareware.

5. Nagware

Pejorative in nature, the term “nagware” describes a software category that reminds users via on-screen messages that their licenses are about to expire and that they should upgrade to the full version. In most cases, the nags will continue well after the trial period is over. The functionality will be reduced, the user having access only to basic functions.

6. Freemium

A portmanteau term (“free” + “premium”) describing a type of software that ‘withholds’ advanced features, making them available in the premium version. The free version is fully functional. Nags are rare, but users might receive ads from time to time regarding the advantages of the premium versions.

Shareware pros:

  • Free to use.
  • Powerful feature. Great for getting a one-time task done.
  • Donationware is just as good as any license-based application.
  • Diversity and abundance.
  • Most of them are cross-platformers.

Shareware cons:

  • Some legal issues may arise if deployed on enterprise machines.
  • Poor compatibility with newer operating systems.
  • Ads and nags can become annoying.
  • Shareware doesn’t benefit from regular security and functionality updates as licensed software.

One last thing to mention – neither freeware nor shareware authors don’t make the software code available for studying or altering. Which brings us to the third software category: open-source.

What is Open-Source?

Open-source software or OSS is a type of software in which the author releases the source code. Furthermore, as far as the copyright is concerned, whoever holds the software’s license can distribute, study or alter the source code. Enterprises would often turn to open-source solutions since they’re much easier to customize compared to licensed software.

The best example of OSS I can think of is VLC player, one of the most popular video players available online. That’s on the consumer side.

As for enterprises and SMBs, there are a number of open-source software that successfully replaced their license-based counterparts: OpernCart (online shopping platform), SuiteCRM (useful for managing customer info), Helpy (self-service support), Mailman (management tool for email lists), WordPress (blogging), Daawarpper (data visualization), Gimp (powerful image editor), LibreOffice (perfect and free alternative to Microsoft Office), and the list goes on.

Open-source software pros:

  • Free and cheaper compared to (paid) license-based products.
  • Modable, reliable, and easy to use.
  • Safer from a cybersecurity standpoint compared to free and even some license-based products.
  • Very flexible. It can be used beyond its intended purpose (you’re going to need a talented backend hand for that).

Open-source software cons:

  • It can incur some long-term (and unforeseeable) costs. Any issues that arise have to be dealt with by yourself or your dev team. This usually happens when the software has been outstretched or altered more than necessary. Doing in-house patching and/or repair points to another con: no support for the product. So, if something goes wrong, you’re on your own.
  • Less-than-friendly UI. It will also take you a while to learn the product.

 

Freeware vs. Shareware

Now that we’ve got the basics in place, let’s take a closer look at the first contenders: freeware vs. shareware.

First of all, I think it’s important to see which category the two of them address. We can agree (to disagree) that both types of software can be used on home and work machines alike. As someone who didn’t have a lot of money to spend on software, I can wholeheartedly say that freeware is what dreams are made of – imagine what it would have meant to buy a Photoshop license just to tweak some family photos or to pull a plank on your roommate.

Game streaming – for those of you familiar with the concept, the costs alone can make your head spin, that is if you want to go pro. Still, even the basics can cost a pretty penny. Luckily you can accomplish basic tasks like screen or voice recording with some very nice (and free) online tools.

Things change a bit when it comes to deploying freeware on enterprise machines. Of course, some shareware can handle some of the routine tasks. For instance, ePrompter is a great and hassle-free alternative to Microsoft Outlook or some other desktop-based email management tool. Even TeamViewer, the (over)glorified remote computer control tool is free and can be used to accomplish very simple tasks.

Other honorable mentions: Discord (great alternative to Teams, Skype for business, and even WhatsApp), B1 Free Archiver (if you really don’t want to buy WinRAR), Recuva (powerful data recovery application), CCleaner (registry cleaner), Foxit Reader (open and print pdf files), and Microsoft Visual Studio Express (supports multiple IDEs, pitch-perfect for web designers).

Indeed, they are very powerful tools, but, in my opinion, simply not enough to meet the needs of a bustling enterprise. It all boils down to statistics: the bigger the database, the likelier it is to find a solution (or more) to suit your needs.

Why shareware? There are literally thousands of apps, available both online and offline, some of them just as good, if not better than license-based software. One thing about shareware – it’s a short-term solution.

Basically, it’s your ‘emergency-only’ kit: problem – shareware – problem solved. This type of software wasn’t designed for long-term use. As I pointed out in the section about shareware, most have some kind of built-in ‘safety’ to prevent users from doing just that; except for donationware, of course. There’s also the matter of overexposing your machine(s) to malicious content. I will cover this in the last section of the article.

The main reason why shareware is better than freeware for enterprise needs – evergreen(ess). Most freeware is outdated, meaning that they may not even run properly on Windows 10 machines. If you also add the fact that they are unpatched, you’ve got yourself a major cybersecurity vulnerability. Last, but not least, to my knowledge, few freeware support platforms other than Microsoft Windows. So, if you need to deploy freeware on a machine running Linux or macOS, you’re in for a world of pain.

Winner – shareware. Hassle-free, tons of content, suitable for any kind of needs, be them home- or enterprise-related.

Shareware vs. open-source

Clearly, shareware is the better alternative to freeware, but how does it fare against open-source software. Clearly, the latter category holds the high ground here. Why? Because, as the name suggests, the source code is made available, which means that a talented backend hand can easily customize it. But, will it prove to be a match for shareware’s availability and ‘widespreadness’?

It could and it does. Open-source software is definitely getting a lot of attention and for a very good reason – even though OSS is free, it’s extremely reliable and tends to take quite a beating when subjected to repeated reverse-engineering. And, on top of that, OSS software, compared to freeware and shareware, is much more secure.

Open-source software is amazing simply because it’s out there and can potentially be molded into anything you like. However, it’s not the Holy Grail of enterprise software, nor does it want to be. OSS is scalable, dependable, and, in all cases, it’s made by an experienced computer engineer who isn’t necessarily motivated by money. Don’t get me wrong – shareware-type software is also developed by experienced people, but on the sample-now-buy-full-later basis.

As an enterprise, you should also consider the support aspect. If something goes terribly wrong with the software, there’s no one out there to help.

Well, that’s entirely correct; there’s an entire community out there of experts willing to give you a helping hand, but that means hours upon hours of digging through forums, asking questions and praying for someone to come up with the right answer. This perspective is not exactly compatible with an enterprise’s credo.

So, do we have a winner here? It would say that it’s a tie: open-source is dependable, flexible, and scalable, but low on support and could incur unforeseen costs, especially when you try to use for purposes other than it was designed for. On the other hand, shareware holds an abundant database but falls back as far as a long-term commitment.

Freeware vs. shareware vs open source

Now that we have all the pieces of the puzzle, it’s easier to figure out which is the best enterprise-grade solution.

Let’s start with freeware.

Major advantages – it’s free, easy to install, and can solve any number of issues. On the other hand, disadvantages wise, the freeware pool is very limited and can only address a handful of issues. Freeware would best be used on home machines. Take that and its questionable compatibility, no support of any kind, and the fact that most of them are obsolete, it’s safe to assume that freeware and enterprises just don’t mix.

Shareware – an entire database, laid down at your feet. Plenty of possibilities, but is shareware the answer to your company’s needs? It’s just a matter of how you look upon the problem: if it’s a one-time thing, then you should definitely consider deploying software on a couple of machines.

There’s no need to concern yourself with the trial period, as long as you can solve the task or tasks in one go. Just bear in mind that some apps will revert to basic functions or stop working altogether after a certain number of uses. Of course, if the app suits your needs, you can always activate the full version by buying the license.

Open-source – dependable, can easily be taken apart by any IDE, and free to use. Do take in mind that OSS can come with hidden costs and it’s harder to get used to it compared to shareware or license-based software. If you encounter issues along the way, you can always ask the dev community for help. Just don’t expect the answer to be prompt as in the case of an app that offers round-the-clock support.

In the end, it’s all up to you to decide which one clicks with your company’s needs.

Cybersecurity issues and safety tips

Tackling non-licensed-based software should come with a warning label. Up next, I’ll be discussing the risk of using shareware, freeware, and open-source software. I will also include some cybersecurity tips along the way.

1. Adware also means malware

If you plan on using shareware, pay extra attention to apps that use ads-generated revenue. Some of them may contain links to malicious websites that could seriously harm your machine. Best to check the security certificate after clicking on an ad, though I advise you not to.

2. Fake apps

Some applications advertised as freeware could be fake. Don’t download the first app you find on Google. Take your time and do some research. You would do well to stay away from websites that use too many CTAs and “free download” buttons. It’s like playing Russian Roulette with your personal data.

3. Freeware used as a malware entry point

As you know, outdated and unpatched software can be used by malicious hackers to circumvent your antivirus\antimalware solution. Since freeware does not receive regular security patches, it can become an entry point for malware.

4. Strengthen your cyber-defenses

When all else fails, ensure that you have a good antivirus\antimalware solution. Thor Premium Enterprise, our product that incorporates two of our award-winning technologies (Thor Foresight Enterprise and Thor Vigilance Enterprise) will ensure that no malware lands on your machine, by continuously scanning your outbound and inbound traffic, severing any malicious C&C connection it detects.

Wrap-up

Companies, regardless of their size and needs, can also benefit from freeware, shareware, and open-source software. It’s all about figuring out your needs and selecting the solution that makes the most sense. As always, if you have any questions, feel free to send me a message.

The post Freeware vs. Shareware vs. Open Source – What is Each and How to Use Them Safely appeared first on Heimdal Security Blog.

CISO series: Lessons learned from the Microsoft SOC—Part 3b: A day in the life

The Lessons learned from the Microsoft SOC blog series is designed to share our approach and experience with security operations center (SOC) operations. We share strategies and learnings from our SOC, which protects Microsoft, and our Detection and Response Team (DART), who helps our customers address security incidents. For a visual depiction of our SOC philosophy, download our Minutes Matter poster.

For the next two installments in the series, we’ll take you on a virtual shadow session of a SOC analyst, so you can see how we use security technology. You’ll get to virtually experience a day in the life of these professionals and see how Microsoft security tools support the processes and metrics we discussed earlier. We’ll primarily focus on the experience of the Investigation team (Tier 2) as the Triage team (Tier 1) is a streamlined subset of this process. Threat hunting will be covered separately.

Image of security workers in an office.

General impressions

Newcomers to the facility often remark on how calm and quiet our SOC physical space is. It looks and sounds like a “normal” office with people going about their job in a calm professional manner. This is in sharp contrast to the dramatic moments in TV shows that use operations centers to build tension/drama in a noisy space.

Nature doesn’t have edges

We have learned that the real world is often “messy” and unpredictable, and the SOC tends to reflect that reality. What comes into the SOC doesn’t always fit into the nice neat boxes, but a lot of it follows predictable patterns that have been forged into standard processes, automation, and (in many cases) features of Microsoft tooling.

Routine front door incidents

The most common attack patterns we see are phishing and stolen credentials attacks (or minor variations on them):

  • Phishing email → Host infection → Identity pivot:

Infographic indicating: Phishing email, Host infection, and Identity pivot

  • Stolen credentials → Identity pivot → Host infection:

Infographic indicating: Stolen credentials, Identity pivot, and Host infection

While these aren’t the only ways attackers gain access to organizations, they’re the most prevalent methods mastered by most attackers. Just as martial artists start by mastering basic common blocks, punches, and kicks, SOC analysts and teams must build a strong foundation by learning to respond rapidly to these common attack methods.

As we mentioned earlier in the series, it’s been over two years since network-based detection has been the primary method for detecting an attack. We attribute this primarily to investments that improved our ability to rapidly remediate attacks early with host/email/identity detections. There are also fundamental challenges with network-based detections (they are noisy and have limited native context for filtering true vs. false positives).

Analyst investigation process

Once an analyst settles into the analyst pod on the watch floor for their shift, they start checking the queue of our case management system for incidents (not entirely unlike phone support or help desk analysts would).

While anything might show up in the queue, the process for investigating common front door incidents includes:

  1. Alert appears in the queue—After a threat detection tool detects a likely attack, an incident is automatically created in our case management system. The Mean Time to Acknowledge (MTTA) measurement of SOC responsiveness begins with this timestamp. See Part 1: Organization for more information on key SOC metrics.

Basic threat hunting helps keep a queue clean and tidy

Require a 90 percent true positive rate for alert sources (e.g., detection tools and types) before allowing them to generate incidents in the analyst queue. This quality requirement reduces the volume of false positive alerts, which can lead to frustration and wasted time. To implement, you’ll need to measure and refine the quality of alert sources and create a basic threat hunting process. A basic threat hunting process leverages experienced analysts to comb through alert sources that don’t meet this quality bar to identify interesting alerts that are worth investigating. This review (without requiring full investigation of each one) helps ensure that real incident detections are not lost in the high volume of noisy alerts. It can be a simple part time process, but it does require skilled analysts that can apply their experience to the task.

  1. Own and orient—The analyst on shift begins by taking ownership of the case and reading through the information available in the case management tool. The timestamp for this is the end of the MTTA responsiveness measurement and begins the Mean Time to Remediate (MTTR) measurement.

Experience matters

A SOC is dependent on the knowledge, skills, and expertise of the analysts on the team. The attack operators and malware authors you defend against are often adaptable and skilled humans, so no prescriptive textbook or playbook on response will stay current for very long. We work hard to take good care of our people—giving them time to decompress and learn, recruiting them from diverse backgrounds that can bring fresh perspectives, and creating a career path and shadowing programs that encourage them to learn and grow.

  1. Check out the host—Typically, the first priority is to identify affected endpoints so analysts can rapidly get deep insight. Our SOC relies on the Endpoint Detection and Response (EDR) functionality in Microsoft Defender Advanced Threat Protection (ATP) for this.

Why endpoint is important

Our analysts have a strong preference to start with the endpoint because:

  • Endpoints are involved in most attacks—Malware on an endpoint represents the sole delivery vehicle of most commodity attacks, and most attack operators still rely on malware on at least one endpoint to achieve their objective. We’ve also found the EDR capabilities detect advanced attackers that are “living off the land” (using tools deployed by the enterprise to navigate). The EDR functionality in Microsoft Defender ATP provides visibility into normal behavior that helps detect unusual command lines and process creation events.
  • Endpoint offers powerful insights—Malware and its behavior (whether automated or manual actions) on the endpoint often provides rich detailed insight into the attacker’s identity, skills, capabilities, and intentions, so it’s a key element that our analysts always check for.

Identifying the endpoints affected by this incident is easy for alerts raised by the Microsoft Defender ATP EDR, but may take a few pivots on an email or identity sourced alert, which makes integration between these tools crucial.

  1. Scope out and fill in the timeline—The analyst then builds a full picture and timeline of the related chain of events that led to the alert (which may be an adversary’s attack operation or false alarm positive) by following leads from the first host alert. The analyst travels along the timeline:
  • Backward in time—Track backward to identify the entry point in the environment.
  • Forward in time—Follow leads to any devices/assets an attacker may have accessed (or attempted to access).

Our analysts typically build this picture using the MITRE ATT&CK™ model (though some also adhere to the classic Lockheed Martin Cyber Kill Chain®).

True or false? Art or science?

The process of investigation is partly a science and partly an art. The analyst is ultimately building a storyline of what happened to determine whether this chain of events is the result of a malicious actor (often attempting to mask their actions/nature), a normal business/technical process, an innocent mistake, or something else.

This investigation is a repetitive process. Analysts identify potential leads based on the information in the original report, follow those leads, and evaluate if the results contribute to the investigation.

Analysts often contact users to identify whether they performed an anomalous action intentionally, accidentally, or was not done by them at all.

Running down the leads with automation

Much like analyzing physical evidence in a criminal investigation, cybersecurity investigations involve iteratively digging through potential evidence, which can be tedious work. Another parallel between cybersecurity and traditional forensic investigations is that popular TV and movie depictions are often much more exciting and faster than the real world.

One significant advantage of investigating cyberattacks is that the relevant data is already electronic, making it easier to automate investigation. For many incidents, our SOC takes advantage of security orchestration, automation, and remediation (SOAR) technology to automate investigation (and remediation) of routine incidents. Our SOC relies heavily on the AutoIR functionality in Microsoft Threat Protection tools like Microsoft Defender ATP and Office 365 ATP to reduce analyst workload. In our current configuration, some remediations are fully automatic and some are semi-automatic (where analysts review the automated investigations and propose remediation before approving execution of it).

Document, document, document

As the analyst builds this understanding, they must capture a complete record with their conclusions and reasoning/evidence for future use (case reviews, analyst self-education, re-opening cases that are later linked to active attacks, etc.).

As our analyst develops information on an incident, they capture the common, most relevant details quickly into the case such as:

  • Alert info: Alert links and Alert timeline
  • Machine info: Name and ID
  • User info
  • Event info
  • Detection source
  • Download source
  • File creation info
  • Process creation
  • Installation/Persistence method(s)
  • Network communication
  • Dropped files

Fusion and integration avoid wasting analyst time

Each minute an analyst wastes on manual effort is another minute the attacker has to spread, infect, and do damage during an attack operation. Repetitive manual activity also creates analyst toil, increases frustration, and can drive interest in finding a new job or career.

We learned that several technologies are key to reducing toil (in addition to automation):

  • Fusion—Adversary attack operations frequently trip multiple alerts in multiple tools, and these must be correlated and linked to avoid duplication of effort. Our SOC has found significant value from technologies that automatically find and fuse these alerts together into a single incident. Azure Security Center and Microsoft Threat Protection include these natively.
  • Integration—Few things are more frustrating and time consuming than having to switch consoles and tools to follow a lead (a.k.a., swivel chair analytics). Switching consoles interrupts their thought process and often requires manual tasks to copy/paste information between tools to continue their work. Our analysts are extremely appreciative of the work our engineering teams have done to bring threat intelligence natively into Microsoft’s threat detection tools and link together the consoles for Microsoft Defender ATP, Office 365 ATP, and Azure ATP. They’re also looking forward to (and starting to test) the Microsoft Threat Protection Console and Azure Sentinel updates that will continue to reduce the swivel chair analytics.

Stay tuned for the next segment in the series, where we’ll conclude our investigation, remediate the incident, and take part in some continuous improvement activities.

Learn more

In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

To learn more about SOCs, read previous posts in the Lessons learned from the Microsoft SOC series, including:

Watch the CISO Spotlight Series: Passwordless: What’s It Worth.

Also, see our full CISO series and download our Minutes Matter poster for a visual depiction of our SOC philosophy.

The post CISO series: Lessons learned from the Microsoft SOC—Part 3b: A day in the life appeared first on Microsoft Security.

Mobile threat defense and intelligence are a core part of cyber defense

The modern workplace is a mobile workplace. Today’s organizations rely on mobility to increase productivity and improve the customer experience. But the proliferation of smartphones and other mobile devices has also expanded the attack surface of roughly 5 billion mobile devices in the world, many used to handle sensitive corporate data. To safeguard company assets, organizations need to augment their global cyber defense strategy with mobile threat intelligence.

When handled and analyzed properly, actionable data holds the key to enabling solid, 360-degree cybersecurity strategies and responses. However, many corporations lack effective tools to collect, analyze, and act on the massive volume of security events that arise daily across their mobile fleet. An international bank recently faced this challenge. By deploying Pradeo Security alongside Microsoft Endpoint Manager and Microsoft Defender Advanced Threat Protection (ATP), the bank was able to harness its mobile data and better protect the company.

Pradeo Security strengthens Microsoft Endpoint Manager Conditional Access policies

In 2017, the Chief Information Security Office (CISO) of an international bank recognized that the company needed to address the risk of data exposure on mobile. Cybercriminals exploit smart phones at the application, network, and OS levels, and infiltrate them through mobile applications 78 percent of the time.1 The General Data Protection Regulation (GDPR) was also scheduled to go into effect the following year. The company needed to better secure its mobile data to safeguard the company and comply with the new privacy regulations.

The company deployed Microsoft Endpoint Manager to gain visibility into the mobile devices accessing corporate resources. Microsoft Endpoint Manager is the recently announced convergence of Microsoft Intune and Configuration Manager functionality and data, plus new intelligent actions, offering seamless, unified endpoint management. Then, to ensure the protection of these corporate resources, the company deployed Pradeo Security Mobile Threat Defense, which is integrated with Microsoft.

Pradeo Security and Microsoft Endpoint Manager work together to apply conditional access policies to each mobile session. Conditional access policies allow the security team to automate access based on the circumstances. For example, if a user tries to gain access using a device that is not managed by Microsoft Endpoint Manager, the user may be forced to enroll the device. Pradeo Security enhances Microsoft Endpoint Manager’s capabilities by providing a clear security status of any mobile devices accessing corporate data, which Microsoft can evaluate for risk. If a smartphone is identified as non-compliant based on the data that Pradeo provides, conditional access policies can be applied.

For example, if the risk is high, the bank could set policies that block access. The highly granular and customizable security policies offered by Pradeo Security gave the CISO more confidence that the mobile fleet was better protected against threats specifically targeting his industry.

Get more details about Pradeo Security for Microsoft Endpoint Manager in this datasheet.

Detect and respond to advanced cyberthreats with Pradeo Security and Microsoft Defender ATP

The bank also connected Pradeo Security to Microsoft Defender ATP in order to automatically feed it with always current mobile security inputs. Microsoft Defender ATP helps enterprises prevent, detect, investigate, and respond to advanced cyberthreats. Pradeo Security enriches Microsoft Defender ATP with mobile security intelligence. Immediately, the bank was able to see information on the latest threats targeting their mobile fleet. Only a few weeks later, there was enough data in the Microsoft platform to draw trends and get a clear understanding of the company’s mobile threat environment.

Pradeo relies on a network of millions of devices (iOS and Android) across the globe to collect security events related to the most current mobile threats. Pradeo leverages machine learning mechanisms to distill and classify billions of raw and anonymous security facts into actionable mobile threat intelligence.

Today, this bank’s mobile ecosystem entirely relies on Pradeo and Microsoft, as its security team finds it to be the most cost-effective combination when it comes to mobile device management, protection, and intelligence.

About Pradeo

Pradeo is a global leader of mobile security and a member of the Microsoft Intelligent Security Association (MISA). It offers services to protect the data handled on mobile devices and applications, and tools to collect, process, and get value out of mobile security events.

Pradeo’s cutting-edge technology has been recognized as one of the most advanced mobile security technologies by Gartner, IDC, and Frost & Sullivan. It provides a reliable detection of mobile threats to prevent breaches and reinforce compliance with data privacy regulations.

For more details, contact Pradeo.

Note: Users must be entitled separately to Pradeo and Microsoft licenses as appropriate.

Learn more

To learn more about MISA, visit the MISA webpage. Also, bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Microsoft Endpoint Manager

Transformative management and security that meets you where you are and helps you move to the cloud.

Get started

12019 Mobile Security Report, Pradeo Lab

The post Mobile threat defense and intelligence are a core part of cyber defense appeared first on Microsoft Security.

Data science for cybersecurity: A probabilistic time series model for detecting RDP inbound brute force attacks

Computers with Windows Remote Desktop Protocol (RDP) exposed to the internet are an attractive target for adversaries because they present a simple and effective way to gain access to a network. Brute forcing RDP, a secure network communications protocol that provides remote access over port 3389, does not require a high level of expertise or the use of exploits; attackers can utilize many off-the-shelf tools to scan the internet for potential victims and leverage similar such tools for conducting the brute force attack.

Attackers target RDP servers that use weak passwords and are without multi-factor authentication, virtual private networks (VPNs), and other security protections. Through RDP brute force, threat actor groups can gain access to target machines and conduct many follow-on activities like ransomware and coin mining operations.

In a brute force attack, adversaries attempt to sign in to an account by effectively using one or more trial-and-error methods. Many failed sign-ins occurring over very short time frequencies, typically minutes or even seconds, are usually associated with these attacks. A brute force attack might also involve adversaries attempting to access one or more accounts using valid usernames that were obtained from credential theft or using common usernames like “administrator”. The same holds for password combinations. In detecting RDP brute force attacks, we focus on the source IP address and username, as password data is not available.

In the Windows operating system, whenever an attempted sign-in fails for a local machine, Event Tracing for Windows (ETW) registers Event ID 4625 with the associated username. Meanwhile, source IP addresses connected to RDP can be accessed; this information is very useful in assessing if a machine is under brute force attack. Using this information in combination with Event ID 4624 for non-server Windows machines can shed light on which sign-in sessions were successfully created and can further help in detecting if a local machine has been compromised.

In this blog we’ll present a study and a detection logic that uses these signals. This data science-driven approach to detecting RDP brute force attacks has proven valuable in detecting human adversary activity through Microsoft Threat Experts, the managed threat hunting service in Microsoft Defender Advanced Threat Protection. This work is an example of how the close collaboration between data scientists and threat hunters results in protection for customers against real-world threats.

Insights into brute force attacks

Observing a sudden, relatively large count of Event ID 4625 associated with RDP network connections might be rare, but it does not necessarily imply that a machine is under attack. For example, a script that performs the following actions would look suspicious looking at a time series of counts of failed sign-in but is most likely not malicious:

  • uses an expired password
  • retries sign-in attempts every N-minutes with different usernames
  • over a public IP address within a range owned by the enterprise

In contrast, behavior that includes the following is indicative of an attack:

  • extreme counts of failed sign-ins from many unknown usernames
  • never previously successfully authenticated
  • from multiple RDP connections
  • from new source IP addresses

Understanding the context of failed sign-ins and inbound connections is key to discriminating between true positive (TP) and false positive (FP) brute force attacks, especially if the goal is to automatically raise only high-precision alerts to the appropriate recipients, as we do in Microsoft Defender ATP.

We analyzed several months’ worth of data to mine insights into the types of RDP brute force attacks occurring across Microsoft Defender ATP customers. Out of about 45,000 machines that had both RDP public IP connections and at least 1 network failed sign-in, we discovered that, on average, several hundred machines per day had high probability of undergoing one or more RDP brute force attack attempts. Of the subpopulation of machines with detected brute force attacks, the attacks lasted 2-3 days on average, with about 90% of cases lasting for 1 week or less, and less than 5% lasting for 2 weeks or more.

Figure 1: Empirical distribution in number of days per machine where we observed 1 or more brute force attacks

As discussed in numerous other studies [1], large counts of failed sign-ins are often associated with brute force attacks. Looking at the count of daily failed sign-ins, 90% of cases exceeded 10 attempts, with a median larger than 60. In addition, these unusual daily counts had high positive correlation with extreme counts in shorter time windows (see Figure 2). In fact, the number of extreme failed sign-ins per day typically occurred under 2 hours, with about 40% failing in under 30 minutes.

Figure 2: Count of daily and maximum hourly network failed sign-ins for a local machine under brute force attack

While a detection logic based on thresholding the count of failed sign-ins during daily or finer grain time window can detect many brute force attacks, this will likely produce too many false positives. Worse, relying on just this will yield false negatives, missing successful enterprise compromises: our analysis revealed several instances where brute force attacks generated less than 5-10 failed attempts at a daily granularity but often persisted for many days, thereby avoiding extreme counts at any point in time. For such a brute force attack, thresholding the cumulative number of failed sign-ins across time could be more useful, as depicted in Figure 3.

Figure 3: Daily and cumulative failed network sign-in

Looking at counts of network failed sign-ins provides a useful but incomplete picture of RDP brute force attacks. This can be further augmented with additional information on the failed sign-in, such as the failure reason, time of day, and day of week, as well as the username itself. An especially strong signal is the source IP of the inbound RDP connection. Knowing if the external IP has a high reputation of abuse, as can be looked up on sites like https://www.abuseipdb.com/, can directly confirm if an IP is a part of an active brute force.

Unfortunately, not all IP addresses have a history of abuse; in addition, it can be expensive to retrieve information about many external IP addresses on demand. Maintaining a list of suspicious IPs is an option, but relying on this can result in false negatives as, inevitably, new IPs continually occur, particularly with the adoption of cloud computing and ease of spinning up virtual machines. A generic signal that can augment failed sign-in and user information is counting distinct RDP connections from external IP addresses. Again, extreme values occurring at a given time or cumulated over time can be an indicator of attack.

Figure 4 shows histograms (i.e., counts put into discrete bins) of daily counts of RDP public connections per machine that occurred for an example enterprise with known brute force attacks. It’s evident that normal machines have a lower probability of larger counts compared to machines attacked.

Figure 4: Histograms of daily count of RDP inbound across machines for an example enterprise

Given that some enterprises have machines under brute force attack daily, the priority may be to focus on machines that have been compromised, defined by a first successful sign-in following failed attempts from suspicious source IP addresses or unusual usernames. In Windows logs, Event ID 4624 can be leveraged to measure successful sign-in events for local machine in combination with failed sign-ins (Event ID 4625).

Out of the hundreds of machines with RDP brute force attacks detected in our analysis, we found that about .08% were compromised. Furthermore, across all enterprises analyzed over several months, on average about 1 machine was detected with high probability of being compromised resulting from an RDP brute force attack every 3-4 days. Figure 5 shows a bubble chart of the average abuse score of external IPs associated with RDP brute force attacks that successfully compromised machines. The size of the bubbles is determined by the count of distinct machines across the enterprises analyzed having a network connection from each IP. While there is diversity in the origin of the source IPs, Netherlands, Russia, and the United Kingdom have a larger concentration of inbound RDP connections from high-abuse IP.

Figure 5: Bubble chart of IP abuse score versus counts of machine with inbound RDP

A key takeaway from our analysis is that successful brute force attempts are not uncommon; therefore, it’s critical to monitor at least the suspicious connections and unusual failed sign-ins that result in authenticated sign-in events. In the following sections we describe a methodology to do this. This methodology was leveraged by Microsoft Threat Experts to augment threat hunting and resulted in new targeted attack notifications.

Combining many relevant signals

As discussed earlier (with the example of scripts connecting via RDP using outdated passwords yielding failed sign-ins), simply relying on thresholding failed attempts per machine for detecting brute force attacks can be noisy and may result in many false positives. A better strategy is to utilize many contextually relevant signals, such as:

  • the timing, type, and count of failed sign-in
  • username history
  • type and frequency of network connections
  • first-time username from a new source machine with a successful sign-in

This can be even further extended to include indicators of attack associated with brute force, such as port scanning.

Combining multiple signals along the attack chain has been proposed and shown promising results [2]. We considered the following signals in detecting RDP inbound brute force attacks per machine:

  • hour of day and day of week of failed sign-in and RDP connections
  • timing of successful sign-in following failed attempts
  • Event ID 4625 login type (filtered to network and remote interactive)
  • Event ID 4625 failure reason (filtered to %%2308, %%2312, %%2313)
  • cumulative count of distinct username that failed to sign in without success
  • count (and cumulative count) of failed sign-ins
  • count (and cumulative count) of RDP inbound external IP
  • count of other machines having RDP inbound connections from one or more of the same IP

Unsupervised probabilistic time series anomaly detection

For many cybersecurity problems, including detecting brute force attacks, previously labeled data is not usually available. Thus, training a supervised learning model is not feasible. This is where unsupervised learning is helpful, enabling one to discover and quantify unknown behaviors when examples are too sparse. Given that several of the signals we consider for modeling RDP brute force attacks are inherently dependent on values observed over time (for example, daily counts of failed sign-ins and counts of inbound connections), time series models are particularly beneficial. Specifically, time series anomaly detection naturally provides a logical framework to quantify uncertainty in modeling temporal changes in data and produce probabilities that then can be ranked and thresholded to control a desirable false positive rate.

Time series anomaly detection captures the temporal dynamics of signals and accurately quantifies the probability of observing values at any point in time under normal operating conditions. More formally, if we introduce the notation Y(t) to denote the signals taking on values at time t, then we build a model to compute reliable estimates of the probability of Y(t) exceeding observed values given all known and relevant information, represented by P[y(t)], sometimes called an anomaly score. Given a false positive tolerance rate r (e.g., .1% or 1 out of 10,000 per time), for each time t, values y*(t) satisfying P[y*(t)] < r would be detected as anomalous. Assuming the right signals reflecting the relevant behaviors of the type of attacks are chosen, then the idea is simple: the lowest anomaly scores occurring per time will be likely associated with the highest likelihood of real threats.

For example, looking back at Figure 2, the time series of daily count of failed sign-ins occurring on the brute force attack day 8/4/2019 had extreme values that would be associated with an empirical probability of about .03% out of all machine and days with at least 1 failed network sign-in for the enterprise.

As discussed earlier, applying anomaly detection to 1 or a few signals to detect real attacks can yield too many false positives. To mitigate this, we combined anomaly scores across eight signals we selected to model RDP brute force attack patterns. The details of our solution are included in the Appendix, but in summary, our methodology involves:

  • updating statistical discrete time series models sequentially for each signal, capturing time of day, day of week, and both point and cumulative effects
  • combining anomaly scores using an approach that yields accurate probability estimates, and
  • ranking the top N anomalies per day to control a desired number of false positives

Our approach to time series anomaly detection is computationally efficient, automatically learns how to update probabilities and adapt to changes in data.

As we describe in the next section, this approach has yielded successful attack detection at high precision.

Protecting customers from real-word RDP brute force attacks through Microsoft Threat Experts

The proposed time series anomaly detection model was deployed and utilized by Microsoft Threat Experts to detect RDP brute force attacks during threat hunting activities. A list that ranks machines across enterprises with the lowest anomaly scores (indicating the likelihood of observing a value at least as large under expected conditions in all signals considered) is updated and reviewed every day. See Table 1 for an example.

Table 1: Sample ranking of detected RDP inbound brute force attacks

For each machine with detection of a probable brute force attack, each instance is assigned TP, FP, or unknown. Each TP is then assigned priority based on the severity of the attack. For high-priority TP, a targeted attack notification is sent to the associated organization with details about the active brute force attack and recommendations for mitigating the threat; otherwise the machine is closely monitored until more information is available.

We also added an extra capability to our anomaly detection: automatically sending targeted attack notifications about RDP brute force attacks, in many cases before the attack succeeds or before the actor is able to conduct further malicious activities. Looking at the most recent sample of about two weeks of graded detections, the average precision per day (i.e., true positive rate) is approximately 93.7% at a conservative false positive rate of 1%.

In conclusion, based on our careful selection of signals found to be highly associated with RDP brute force attacks, we demonstrated that proper application of time series anomaly detection can be very accurate in identifying real threats. We have filed a patent application for this probabilistic time series model for detecting RDP inbound brute force attacks. In addition, we are working on integrating this capability into Microsoft Defender ATP’s endpoint and detection response capabilities so that the detection logic can raise alerts on RDP brute force attacks in real-time.

Monitoring suspicious activity in failed sign-ins and network connections should be taken seriously—a real-time anomaly detection capable of self-updating with the changing dynamics in a network can indeed provide a sustainable solution. While Microsoft Defender ATP already has many anomaly detection capabilities integrated into its EDR capabilities, which enrich advanced threat protection across the broader Microsoft Threat Protection, we will continue to enhance these detections to cover more security scenarios. Using data science, we will continue to combine robust statistical and machine learning approaches with threat expertise and intelligence to deliver industry-leading protection to our customers through Microsoft Threat Protection.

 

 

Cole Sodja, Justin Carroll, Joshua Neil
Microsoft Defender ATP Research Team

 

 

Appendix 1: Models formulation

We utilize hierarchical zero-adjusted negative binomial dynamic models to capture the characteristics of the highly discrete count time series. Specifically, as shown in Figure 2, it’s expected that most of the time there won’t be failed sign-ins for valid credentials on a local machine; hence, there are excess zeros that would not be explained by standard probability distributions such as the negative binomial. In addition, the variance of non-zero counts is often much larger than the mean, where for example, valid scripts connecting via RDP can generate counts in the 20s or more over several minutes because of an outdated password. Moreover, given a combination of multiple users or scripts connecting to shared machines at the same time, this can generate more extreme counts at higher quantiles resulting in heavier tails, as seen in Figure 6.

Figure 6: Daily count of network failed sign-in for a machine with no brute force attack

Parametric discrete location/scale distributions do not generate well-calibrated p-values for rare time series, as seen in Figure 6, and thus if used to detect anomalies can result in too many FPs when looking across many machines at high time frequencies. To overcome this challenge dealing with the sparse time series of counts of failed sign-in and RDP inbound public connections we specify a mixture model, where, based on our analysis, a zero-inflated two-component negative binomial distribution was adequate.

Our formulation is based on thresholding values that determine when to transition to a distribution with larger location and/or scale as given in Equation 1. Hierarchical priors are given from empirical estimates of the sample moments across machines using about 1 month of data.

Equation 1: Zero-adjusted negative binomial threshold model

Negative binomial distribution (NB):

To our knowledge, this formulation does not yield a conjugate prior, and so directly computing probabilities from the posterior predicted density is not feasible. Instead, anomaly scores are generated based on drawing samples from all distributions and then computing the empirical right-tail p-value.

Updating parameters is done based on applying exponential smoothing. To avoid outliers skewing estimates, such as machines under brute force or other attacks, trimming is applied to sample from the distribution at a specified false positive rate, which was set to .1% for our study. Algorithm 1 outlines the logic.

The smoothing parameters were learned based on maximum likelihood estimation and then fixed during each new sequential update. To induce further uncertainty, bootstrapping across machines is done to produce a histogram of smoothing weights, and samples are drawn in accordance to their frequency. We found that weights concentrated away from 0 vary between .06% and 8% for over 90% of machines, thus leading to slow changes in the parameters. An extension using adaptive forgetting factors will be considered in future work to automatically learn how to correct smoothing in real time.

Algorithm 2: Updating model parameters real-time

Appendix 2: Fisher Combination

For a given device, for each signal that exists a score is computed defined as a p-value, where lower values are associated with higher likelihood of being an anomaly. Then the p-values are combined to yield a joint score across all signals based on using the Fisher p-value combination method as follows:

The use of Fisher’s test applied to anomaly scores produces a scalable solution that yields interpretable probabilities that thus can be controlled to achieve a desired false positive rate. This has even been applied in a cybersecurity context. [3]

 

 

[1] Najafabadi et al, Machine Learning for Detecting Brute Force Attacks at the Network Level, 2014 IEEE 14th International Conference on Bioinformatics and Bioengineering
[2] Sexton et al, Attack chain detection, Statistical Analysis and Data Mining, 2015
[3] Heard, Combining Weak Statistical Evidence in Cyber Security, Intelligent Data Analysis XIV, 2015

 

 

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft Defender ATP community.

Read all Microsoft security intelligence blog posts.

Follow us on Twitter @MsftSecIntel.

The post Data science for cybersecurity: A probabilistic time series model for detecting RDP inbound brute force attacks appeared first on Microsoft Security.

This Year in Ransomware Payouts (2019 Edition)

Even though 2017 still remains the year when we saw the ransomware pandemic at its peak, cybercriminals will not stop these attacks on individuals and businesses anytime soon. Unfortunately, ransomware attacks continued to make headlines this year as well. So, in this article, I’m going to look at the highest ransomware payouts of 2019, what organizations paid the ransom, and explain why it’s never a good idea to pay.

But first of all, let’s start with some mind-blowing 2019 ransomware statistics from 2019.

Ransomware statistics in 2019

Here are the most shocking ransomware facts coming from 2019 alone:

  • Two-thirds of ransomware attacks targeted state and local governments.
  • 55% of SMBs from the US would pay hackers to recover their stolen data in ransomware attacks.
  • Over 500 US schools were affected by ransomware attacks in 2019.
  • Almost 70 US government organizations were infected with ransomware since January 2019.
  • A total of 140 US local governments, police stations, and hospitals have been infected with ransomware.
  • In the third quarter of 2019, the average ransomware payout increased to $41,000.

The most significant ransomware payouts of 2019

In the best-case scenario, victims of ransomware could simply wipe their systems and recover their data from offline backups. However, some organizations don’t keep any backups at all. Or worse, even if they do have copies of their data, sometimes they also end up being locked up by cybercriminals.

There are times when ransomware victims can decrypt their files with free ransomware decryption tools but sadly, there isn’t a decryptor available for all the ransomware strains out there. This sometimes leads to companies paying the ransom, being desperate to get their business back up and running.

Without further ado, below you will find the most significant ransomware payouts of 2019.

#6. Park DuValle Community Health Center, Kentucky, USA

June 2019

Amount paid: $70,000

In June 2019, Park DuValle Community Health Center had the medical records of almost 20,000 patients encrypted by ransomware and ended up paying the $70,000 ransom. The attack had left them locked out of their system for almost two months, impacting the health center’s medical records system and appointment scheduling tool.

For seven weeks, they had to record the patients’ information on pen and paper and ask them to speak from memory about their past treatments. The health care center basically had to operate on a walk-in basis since they were not able to schedule appointments or view any data.

“This is everything. This is medical records, contact information, insurance information, anything about a patient…everything is gone,” said Elizabeth Ann Hagan-Grigsby, CEO of Park DuValle. “The records involved are for past and present patients,” she continued.

This was the second time during the same year that Park Duvalle was impacted by a ransomware attack. Back in April 2019, their systems had been locked down for about three weeks. This time, they had their data backed up, so they did not pay the ransom. However, the second time, they were unable to recover their data from the backups, so they decided to pay the ransom to restore it.

The amount was paid in 6 bitcoins (the equivalent of $70,000). Cybercriminals provided the encryption keys and Park DuValle was able to recover its data.

#5. Stratford City, Ontario, Canada

April 2019

Amount paid: $71,000

In April of this year, the City of Stratford also became a victim of a ransomware attack that chose to pay the ransom. According to the story published on Cybersecurity Insiders, the malware was installed on six of their servers on a physical note, that encrypted two virtual servers as well, leaving their sensitive data locked down.

Even though they received warnings from officials, they paid 10 bitcoins, which at the time of attack meant roughly $71,000. The security company they contacted was not able to recover their data and was only involved in forensics. Consequently, the city negotiated the price that needed to be paid for their information to become available again. Their cyber insurance covered $15,000 of the ransom.

It seems that no personally identifiable information data was compromised and revealed in this ransomware incident.

#4. La Porte County, Indiana, USA

July 2019

Amount paid: $130,000

Another victim of the Ryuk ransomware, La Porte County, Indiana, paid $130,000 to recover their data.

The attack happened on July 6 and was noticed right before it managed to spread to all of the network’s computers. The IT staff confined it to less than 7% of machines, however, two domain controllers were impacted and thus, network services became unavailable.

According to the source, the FBI and a forensic investigation firm attempted to recover the data without paying the ransom, but their efforts proved to be unsuccessful. $100,000 out of the $130,000 payment demand was covered by insurance.

Apparently, the county did have back up servers in place, however, they became infected by ransomware as well.

The ransomware that affected La Porte County’s systems is allegedly Ryuk, the same strain that affected Lake City. It was called a “triple threat” because it originated from an Emotet infection that delivered the Trickbot trojan, which then launched Ryuk.

#3. Jackson County, Georgia, USA

March 2019

Amount paid: $400,000

Back in March, Jackson County had its network shut down by a ransomware attack, leaving only its website and 911 emergency system untouched. This meant they had to do their reports and bookings in pen and paper, just like they did before using computers became the norm.

Their officials contacted the FBI and hired a cybersecurity consultant. The security specialist negotiated with the cyber attackers and it was decided that Jackson County had to transfer $400,000 to receive the decryption key and gain access to their data once again.

“We had to make a determination on whether to pay. We could have literally been down months and months and spent as much or more money trying to get our system rebuilt”, said Kevin Poe, Jackson County Manager.

Apparently, the county’s network had been infected with the Ryuk ransomware strain, which as of now, does not have a free decryption tool available. According to experts, this type of ransomware had one of the most active campaigns in 2019, also affecting over 500 schools in the US.

Researchers are saying the Ryuk ransomware only launches after it completely spreads on the target’s network.

Here is what the Ryuk ransomware note would look like:

What the Ryuk ransomware note looks like

Source: cnet.com

#2. Lake City, Florida, USA

June 2019

Amount paid: $500,000

A second city in Florida paralyzed by ransomware agreed to pay the ransom: 42 bitcoins ($500,000).

Even though their IT staff disconnected the systems within ten minutes of the attack’s detection, the ransomware managed to infect their network almost entirely. The police and fire departments were not affected, as they were running on a separate network. The people who needed to pay their bills could only do it in cash or money orders and they received handwritten receipts.

Cybercriminals reached out to the city’s insurance provider a week after the infection took place and the ransom payment of 42 bitcoins was negotiated. The money was paid from the city’s insurance.

Over 100 years’ worth of records (ordinances, meeting minutes, resolutions, and City Council agendas) were encrypted for almost a month. A few weeks after the ransom was paid, they did not even recover all of their data. What’s more, Lake City’s information technology director was accused of failing to secure the network and not recovering the data quickly enough and eventually lost his job.

Lake City was another victim of the Ryuk ransomware strain.

#1. Riviera Beach City, Florida, USA

May 2019

Amount paid: $600,000

This brings us to the biggest ransomware payout of 2019, which was made by Riviera Beach City in Florida.

Allegedly, right after an employee clicked on a phishing email link received on May 29, hackers managed to infiltrate into the city’s network and locked it up. All of the city’s online systems went down, including email and even some phones, and on top of that, water utility pump stations were affected as well. As a result, payments could only be accepted in person or by mail (only in cash or by check) and communication was conducted by phone.

The City Council unanimously agreed to pay the ransom. The requested amount was 65 bitcoins, the equivalent of nearly $600,000. More than $300,000 from the city’s insurance policy was used to pay the ransom. The payment was officially made merely a few weeks after Riviera Beach agreed to spend around $1 million to replace the infected computer equipment.

Riviera Beach’s attack looked similar to what Jackson County experienced in March, so it seems they were yet another victim of the Ryuk ransomware strain.

The biggest ransom ever paid

Even though we’ve witnessed several major ransomware payouts this year, none of them was the all-time biggest.

In 2017, the Korean web hosting firm Internet Nayana received the largest ransom demand ever (a whopping $1.14 million), which they also ended up paying. During their negotiations, some of their data was permanently deleted. To make up for the incident, Nayana offered free hosting for life and refunds to its affected customers. So, of course, besides the actual payment, the ransomware attack involved additional costs and reputational damage.

Others refused to pay

Paying the ransom is not something that every ransomware victim considers. And sadly, data recovery costs for some organizations that decline the payment end up being much higher than the actual ransom. For instance, back in March 2018, the City of Atlanta was infected with the SamSam ransomware variant. Cybercriminals demanded a $52,000 ransom payment, however, Atlanta refused to pay and they had to spend $2.6 million to recover from the attack. So, since it has been proven that paying the ransom can be a lot cheaper than dealing with an attack’s aftermath, local governments are increasingly choosing to pay.

But here is an example of an organization that declined the ransomware payment.

Baltimore City’s ransomware resistance story

On May 7, 2019, cybercriminals froze around 10,000 Baltimore government computers and asked for a $100,000 payment in bitcoins. The city’s employees were locked out of their email accounts and citizens were unable to pay their bills. This wasn’t the first time the city became a victim of ransomware – in 2018, their 911 system was shut down for about a day by another similar attack and in both cases, they did not transfer money into the attackers’ Bitcoin wallet.

The second time, their computer systems were infected with the RobbinHood ransomware strain.

Bernard C. Jack Young, Mayor of Baltimore City, explained why they chose not to pay the ransom:

The city representative acknowledges that by paying the ransom there is no guarantee their systems will be unlocked and also emphasizes the fact that they are choosing not to encourage criminal behavior.

“Why don’t we just pay the ransom? I know a lot of residents have been saying we should’ve just paid the ransom or why don’t we pay the ransom?

Well, first, we’ve been advised by both the Secret Service and the FBI not to pay the ransom. Second, that’s just not the way we operate. We won’t reward criminal behavior.

If we paid the ransom, there is no guarantee they can or will unlock our system.

There’s no way of tracking the payment or even being able to confirm who we are paying the money to. Because of the way they requested payment, there’s no way of knowing if they are leaving other malware on our system to hold us for ransom again in the future.

Ultimately, we would still have to take all the steps we have taken to ensure a safe and secure environment. I’m confident we have taken the best course of action.” – Bernard C. Jack Young, Mayor of Baltimore City

US mayors have adopted a resolution against paying the ransom

A proposal to ban ransom payments was put forward by Bernard Young, the abovementioned mayor of Baltimore City, which has also been adopted. The resolution reads:

“Paying ransomware attackers encourages continued attacks on other government systems, as perpetrators financially benefit.”

“The United States Conference of Mayors has a vested interest in de-incentivizing these attacks to prevent further harm.”

“The United States Conference of Mayors stands united against paying ransoms in the event of an IT security breach.”

Although the adopted resolution doesn’t have any legal binding, it can be used to justify not paying the ransom in front of federal authorities and taxpayers.

Paying the ransom is a short-term solution

Ransomware payouts have become a highly controversial topic and for a good reason. Several questions arise when it comes to paying the ransom: Are you really going to recover your data? Where is your money actually going? Are you funding terrorist groups?

The FBI has explicitly stated that they do not support the practice and they urge organizations to report any ransomware incidents to law enforcement, no matter if they paid or not.

I strongly believe no one, be them consumers or organizations, should ever pay the ransom.

Here is why:

#1. There is no guarantee you will ever recover your files

In some cases, people still lost their data even if they paid the ransom. For instance, the GermanWiper ransomware deletes your files even though you did pay.

Also, malicious hackers actually like to be taken seriously, so if you think that by paying only a fraction of the requested amount you will get your data back (or at least some part of it), you are wrong. For example, the City of New Bedfords, Massachusetts, was yet another government institution infected with the Ryuk ransomware. They tried to negotiate for $400,000 instead of $5.3 million, aiming to align the payment with the ones that were paid by cities hit by the same type of malware. However, their offer was declined.

 #2. You are funding criminal organizations

Yes, it may be cheaper and faster to get your data back (if you are “lucky” enough) by paying the ransom. But are you really okay with transferring your money to shady hacking groups who may be using it for more malicious purposes?

#3. You are only encouraging this behavior

If organizations continue to pay the ransom, cybercriminals will not stop this practice anytime soon. In fact, it has already become a highly profitable underground business, also known as Ransomware as a Service (RaaS).

So, do you actually want to incentivize more and more attacks and contribute to the further propagation of the ransomware illegal industry?

Think about it this way. In the long run, if you’ve chosen to pay the ransom, you will definitely not save any money. Why not use the amount that you would have given to those ransomware attackers to improve your defenses instead?

How to Prevent Ransomware in Your Organization

Ransomware disasters can, fortunately, be avoided. As you’ve probably noticed from the ransomware incidents that I’ve listed, the best targets seem to be government entities that have outdated IT systems in place and that don’t always follow cybersecurity best practices.

Here is how you can stop ransomware from infecting your organization:

#1. Back up your data

I can’t stress this enough. The first and most important thing you can do is have copies of your data stored somewhere safe, that won’t get infected as well. What’s more, make sure that your back up system actually works and test it frequently.

#2. Watch out for excessive admin rights inside your organization

Sometimes, ransomware can prove to be a result of abused privileged accounts (malware propagation is often linked to compromised credentials that belong to admin accounts).

So, be certain that your organization runs on the principle of least privilege and the Zero Trust model. In short, be careful whom you grant admin rights to within your organization. A tool such as Thor AdminPrivilege™ can help you easily escalate and de-escalate privileges and when used in tandem with our other security solutions, you will get notified when threats are discovered and more than that, admin rights will be automatically de-escalated on your compromised accounts.

#3. Use security tools specifically designed to stop ransomware

For instance, a product like Thor Foresight Enterprise is properly equipped to protect your organization against ransomware. First of all, it instantly blocks any incoming attacks (for example, associated with malicious URLs) and secondly, it contains a patch management tool, created to help you close all vulnerabilities related to outdated systems and software.

#4. Train your users

Last, but not least, your users should be able to recognize the signs of cyberattacks. I often hear IT admin struggling with compromised accounts and malware infections that happen due to users that seem to keep clicking on phishing links and following the instructions (for example, submitting their login credentials).

Conclusion

All in all, 2019 has shown us that ransomware is still a lucrative business for cybercriminals. The organizations that are choosing to pay the ransom only worsen the situation, setting high expectations for future ransomware attackers. So, the bottom line is this: if you are ever faced with this tough decision – to pay or not to pay – think about what paying actually means.

Are you in favor of paying the ransom? Let me know your thoughts in the comments section below.

The post This Year in Ransomware Payouts (2019 Edition) appeared first on Heimdal Security Blog.