Category Archives: Microsoft Windows

Smashing Security #131: Zap yourself from the net, and patch now against BlueKeep

Microsoft issues warning to unpatched Windows users about worm risk, and how do you delete all traces of yourself off the internet after your murder your podcast co-host?

All this and much more is discussed in the latest edition of the award-winning “Smashing Security” podcast by computer security veterans Graham Cluley and Carole Theriault.

Report: No ‘Eternal Blue’ Exploit Found in Baltimore City Ransomware

For almost the past month, key computer systems serving the government of Baltimore, Md. have been held hostage by a ransomware strain known as “Robbinhood.” Media publications have cited sources saying the Robbinhood version that hit Baltimore city computers was powered by “Eternal Blue,” a hacking tool developed by the U.S. National Security Agency (NSA) and leaked online in 2017. But new analysis suggests that while Eternal Blue could have been used to spread the infection, the Robbinhood malware itself contains no traces of it.

On May 25, The New York Times cited unnamed security experts briefed on the attack who blamed the ransomware’s spread on the Eternal Blue exploit, which was linked to the global WannaCry ransomware outbreak in May 2017.

That story prompted a denial from the NSA that Eternal Blue was somehow used in the Baltimore attack. It also moved Baltimore City Council President Brandon Scott to write the Maryland governor asking for federal disaster assistance and reimbursement as a result.

But according to Joe Stewart, a seasoned malware analyst now consulting with security firm Armor, the malicious software used in the Baltimore attack does not contain any Eternal Blue exploit code. Stewart said he obtained a sample of the malware that he was able to confirm was connected to the Baltimore incident.

“We took a look at it and found a pretty vanilla ransomware binary,” Stewart said. “It doesn’t even have any means of spreading across networks on its own.”

Stewart said while it’s still possible that the Eternal Blue exploit was somehow used to propagate the Robbinhood ransomware, it’s not terribly likely. Stewart said in a typical breach that leads to a ransomware outbreak, the intruders will attempt to leverage a single infection and use it as a jumping-off point to compromise critical systems on the breached network that would allow the malware to be installed on a large number of systems simultaneously.

“It certainly wouldn’t be the go-to exploit if your objective was to identify critical systems and then only when you’re ready launch the attack so you can do it all at once,” Stewart said. “At this point, Eternal Blue is probably going to be detected by internal [security systems] systems, or the target might already be patched for it.”

It is not known who is behind the Baltimore ransomware attack, but Armor said it was confident that the bad actor(s) in this case were the same individual(s) using the now-suspended twitter account @Robihkjn (Robbinhood). Until it was suspended at around 3:00 p.m. ET today (June 3), the @Robihkjn account had been taunting the mayor of Baltimore and city council members, who have refused to pay the ransom demand of 13 bitcoin — approximately $100,000.

In several of those tweets, the Twitter account could be seen posting links to documents allegedly stolen from Baltimore city government systems, ostensibly to both prove that those behind the Twitter account were responsible for the attack, and possibly to suggest what may happen to more of those documents if the city refuses to pay up by the payment deadline set by the extortionists — currently June 7, 2019 (the attackers postponed that deadline once already).

Some of @robihkjn’s tweets taunting Baltimore city leaders over non-payment of the $100,000 ransomware demand. The tweets included links to images of documents allegedly stolen by the intruders.

Over the past few days, however, the tweets from @Robinhkjn have grown more frequent and profanity-laced, directed at Baltimore’s leaders. The account also began tagging dozens of reporters and news organizations on Twitter.

Stewart said the @Robinhkjn Twitter account may be part of an ongoing campaign by the attackers to promote their own Robbinhood ransomware-as-a-service offering. According to Armor’s analysis, Robbinhood comes with multiple HTML templates that can be used to substitute different variables of the ransom demand, such as the ransom amount and the .onion address that victims can use to negotiate with the extortionists or pay a ransom demand.

“We’ve come to the conclusion Robbinhood was set up to be a multi-tenant ransomware-as-a-service offering,” Stewart said. “And we’re wondering if maybe this is all an effort to raise the name recognition of the malware so the authors can then go on the Dark Web and advertise it.”

This redacted message is present on the Dark Web panel set up by the extortionists to accept payment for the Baltimore ransomware incident and to field inquiries or pleas from them. The message repeats the last tweet from the @robihkjn Twitter account and conclusively ties that account to the attackers. Image: Armor.

There was one other potential — albeit likely intentional — clue that Stewart said he found in his analysis of the malware: Its code included the text string “Valery.” While this detail by itself is not particularly interesting, Stewart said an earlier version of the GandCrab ransomware strain would place a photo of a Russian man named Valery Sinyaev in every existing folder where it would encrypt files. PCRisk.com, the company that blogged about this connection to the GandCrab variant, asserts Mr. Sinyaev is a respectable finance professional who has nothing to do with GandCrab.

Finally, since we’re on the subject of major ransomware attacks and scary exploits, it’s a good time to remind readers about the importance of applying the latest security updates from Microsoft, which took the unusual step of releasing security updates for unsupported but still widely-used Windows operating systems like XP and Windows 2003. Microsoft did this to head off another WannaCry-like outbreak from mass-exploitation of a newly discovered flaw that Redmond called imminently “wormable.”

That vulnerability exists in Windows XP, Windows 2003, Windows 7, Windows Server 2008 R2, and Windows Server 2008. In a reminder about the urgency of patching this bug, Microsoft on May 30 published a post saying while it hasn’t seen any widespread exploitation of the flaw yet, it took about two months after Microsoft released a fix for the Eternal Blue exploit in March 2017 for WannaCry to surface.

“Almost two months passed between the release of fixes for the EternalBlue vulnerability and when ransomware attacks began,” Microsoft warned. “Despite having nearly 60 days to patch their systems, many customers had not. A significant number of these customers were infected by the ransomware.”

How to Secure your PC after a Fresh Windows Installation [Updated 2019]

 

You chose to install Windows operating system on your computer or, maybe, for various technical reasons, you had to reinstall it. No matter your reasons, it’s important to keep in mind various security layers after this procedure, so your computer is safe from threats.

How to secure your PC after a fresh Windows installation

After finishing the Windows installation, whether it’s Windows 7, 10 or another operating system, we encourage you to follow these security measures below to enhance protection:

1. Keep your Windows operating system up to date

Probably the most important step to do is checking for the latest security updates and patches available for your Windows operating system.

To get the security updates automatically, go to “Control Panel” and check if your automatic updating system is enabled or follow these steps:

  1. Access the search box in your Windows operating system, type Windows Update.
  2. Select Advanced options.
  3. Click on Automatically download updates in case it is not already selected/turned on.

After checking for available updates for your Windows operating system, keep the automatic update turned on in order to download and install the important updates that can help protect your PC against new viruses or next-generation malware.

Always remember to keep your OS up to date with the latest security available. Software patching remains an essential key to improve online safety and security experts make a good case of emphasizing its importance. Cybercriminals still try to benefit from security holes found in users’ systems and PCs. That’s one of the reasons why cyber attacks still work and they make a lot of money of it.

 2. Update your software

You don’t have to update only the Windows operating system, but your software as well. Therefore, make sure all the latest updates and security patches for your main programs and apps are installed.

Needless to say that most popular pieces of software (such as Java, Adobe Flash, Adobe Shockwave, Adobe Acrobat Reader), especially the outdated ones, are always under threat from malicious actors who exploit them to get easier access to your sensitive data.

Since these pieces of software are always under threat from criminal minds, don’t just rely on your memory to manually update every program or application you have installed.

A better option would be to start using a dedicated cyber security solution for you and keep your software program up to date.

3. Create a restore point

If you already installed the security updates for Windows OS, the next step recommended is to create a restore point in Windows.

You can do this by clicking on the Start button, then select Control Panel -> System and Maintenance (or System and Security) -> System. Then select System protection and click the Create button.

After installing Windows, you can create the Restore Point and name it Clean installation, and continue installing drivers and applications.

If one of the drivers causes issues on the system, you can always go back to the Clean installation restore point.

system_restore

 4. Install a traditional antivirus product

When you consider installing an antivirus program on your PC, make sure you use one from a legitimate company, because there can be fake software programs out there. It is important to have a reliable security solution on your system, which should include real-time scanning, automatic update, and a firewall.

To find the best antivirus that suits your needs, read this ultimate guide that will teach you more about antiviruses, its main features and what should you look for.

If you choose to install a security product that doesn’t have a firewall, make sure you have turned on the Windows firewall.

To turn it on, go to Control Panel, select System and Security, then Windows Defender Firewall and turn it on or off.


Super useful guide on how to secure your PC after a fresh Windows installation:
Click To Tweet


5. Install a proactive security solution for multi-layered protection

On our blog, we explained on many occasions why traditional antivirus is no longer the go-to solution, simply because it cannot keep up with the rise of new and advanced online threats. Financial malware especially is created to steal sensitive data and confidential information and it uses sophisticated methods to do so.

Next-gen malware usually has the ability to evade detection and bypass antivirus software that users have installed on their PCs to keep their data safe. We recommend reading these 12 examples of spam campaigns behind the scenes indicating a low detection rate for AV engines during the first stages of a cyber attack.

With the help of a proactive cybersecurity solution, you get the best protection against financial and data-stealing malware, such as Zeus or Cryptolocker.

To improve the financial control of your online banking account, you can always set banking alerts to track your account activity and apply these simple and effective financial protection tips.

 

6. Back up your system

You updated the operating system and your system applications, you have installed additional security products for your system safe and even created a Clean installation restore point for your Windows.

The steps above are meant to keep you safe from malicious software and online threats, but you may still encounter hardware issues that could endanger your private information.

To make sure your data stays safe, you should be using a twofold strategy, which should include combining an external hard drive usage with an online backup service.

We need to emphasize the importance of having a backup solution which provides stability (look for a big company name), it’s easy to use (so you won’t have a headache backing up from files), allows you to synchronize your files with the online backup servers and provides some sort of security, such as encryption capabilities.

Online Backup

Our guide on how to do a data backup includes more information on most popular backup solutions available and what the best ways to keep your data safe are.

At the same time, you could simply use your Windows Backup system. To set it up, access your Windows Control Panel and then click Backup and Restore to access the location. From this place, you can set an automatic backup, create a schedule and even choose a network location for your backup files.

7. Use a standard user account

Windows provides a certain level of rights and privileges depending on what kind of user account you have. You may use a standard user account or an administrator user account.

To secure your PC, it is recommended to have a standard account to prevent users from making changes that affect everyone who uses the computer, such as deleting important Windows files necessary for the system.

With a Standard user account, you have limited rights and cannot do things like changing system settings, or installing new software apps, hardware or changing the username and passwords. Here’s why you should use an account like this one and how to create it.

If you want to install an application or make security changes, remember that you will need an administrator account.

We also recommend that you set a strong password for your Windows user account.

Use this security guide that will help you set unique and strong passwords and manage them like an expert.

Top Security Tip:
Using a standard account ensures that a piece of malware which infects a limited-user account won’t do much damage as one infecting an administrator account.

Windows account

8. Keep your User Account Control enabled

User Account Control (UAC) is an essential security feature of Windows that prevents unauthorized changes to the operating system. Many users have the tendency to disable it after installing/reinstalling the Windows operating system.

We don’t recommend to turn it off. Instead of disabling the UAC, you can decrease the intensity level using a slider in the Control Panel.

UAC monitors what changes are going to be made to your computer. When important changes appear, such as installing a program or removing an application, the UAC pops up asking for an administrator-level permission.

In case your user account is infected with malware, UAC helps you by keeping suspicious programs and activities from making changes to the system.

 

UAC

 

9. Secure your web browser before going online

Here’s another thing to do after installing Windows: pay attention to browser security. Since our web browser is the main tool used to access the Internet, it is important to keep it safe before going online.

The vulnerabilities in your web browser are like open door invitations to cybercriminals who find creative ways to harvest your most important data. For example, if you are using Adobe Flash, be aware of its security flaws and how it can expose you to attacks.

To stay safe while accessing various web pages, follow these steps:

  1. Choose the latest version for your browser.
  2. Keep it updated.
  3. Choose a private browsing session when you access a website you are not sure about. Choosing this mode will prevent authentication credentials (or cookies) from being stored and steal by attackers.
  4. Since data-stealing malware spreads through malicious code embedded in pop-up windows even in legitimate websites, make sure your web browser can block pop-ups:

And there’s, even more, you can do. Use these step-by-step instructions to enjoy the best secure browsing.


On my next Windows install, I’ll follow these security tips to improve my data safety:
Click To Tweet


10. Use an encryption software tool for your hard drive

Even if you set a password to your Windows account, malicious actors can still get unauthorized access to your private files and documents. They can do this by simply booting into their own operating system – Linux, for example – from a special disc or USB flash drive.

A solution for this case is to encrypt your hard drive and protect all your sensitive files. It is recommended to use this level of security if you have a laptop, which can be very easily stolen. The same thing applies to a computer.

A free encryption tool you can use is BitLocker, which is available on the latest Windows operating systems and you can enable it at any moment. Even after you have enabled the BitLocker protection, you won’t notice any difference because you don’t have to insert anything else but your normal Windows user account password. The benefits of using this encryption tool:

  • It encrypts your entire drive, which makes it impossible for malicious actors stealing your laptop to remove the hard drive and read your files.
  • It’s also a great encryption software if it happens to lose your PC/laptop or get it stolen.
  • Easy to use and already integrated into your Windows OS, so there’s no need to add another encryption software.

If you’d rather want to use another solution, here’s a full list of encryption software tools you can choose to protect your data.

 11. Be careful online and don’t click on suspicious links

To make sure you won’t be infected by clicking on dangerous links, hover the mouse over the link to see if you are directed to a legitimate location. If you were supposed to reach your favorite news website, such as “www.cnn.com”, but the link indicates “hfieo88.net“, then you probably shouldn’t access it. Chances are you’ll be infected with malware and cybercriminals steal your sensitive data.

It’s worth trying shortening services, such as goo.gl or tinyurl. But in some cases, an unknown link may send you to a malicious site that can install malware on the system.

So, how can you know where you’ll arrive if you click it?

To make sure you are going to the right direction, use a free tool such as Redirect Detective that will allow you to see the complete path of a redirected link. Another tool which can provide very helpful in checking suspicious links is the reliable URL checker, VirusTotal.

For more information on how to maximize your financial data protection, check out this article.

 Conclusion

It’s not just about staying safe. 

This guide above is meant to keep you safe online. But, at the same time, following these security measures mean that you also set up your system to work smoothly for online browsing and financial operations, activities you do every day.

Since there are many other solutions to protect a system after a Windows installation, we would like to know your opinion on this.

How do you increase your security after a Windows installation?
Do you have a particular routine?
We’d love to add your tips to the list, so share them in the comments below.

Spend time with your family, not updating their apps!
Thor Foresight Home anti malware and ransomware protection heimdal security
Let THOR FREE Silently and automatically update software Close security gaps Works great with your favorite antivirus

INSTALL IT, FORGET IT AND BE PROTECTED

Download Thor FREE

The post How to Secure your PC after a Fresh Windows Installation [Updated 2019] appeared first on Heimdal Security Blog.