Category Archives: Patch management

Threat Actors Impersonate Oil and Gas Companies in Latest Shade Ransomware Attack

Digital criminals impersonated oil and gas companies in a recent attack campaign distributing Shade ransomware.

Between January and February 2019, Yoroi observed an attack campaign that used email as its infection vector. Each email carried a ZIP attachment named slavneft.zakaz.zip. The name means “Slavneft order” in English, a direct reference to the Russian oil and gas company PAO NGK Slavneft. Building on this disguise, the ZIP file contained a JavaScript file named «ПАО «НГК «Славнефть» подробности заказа, which translates to “PAO NGK Slavneft order details.”

Opening the JavaScript file ran a downloader that pulled Shade from one of several compromised websites. The ransomware payload, which had a VirusTotal detection rate of just 24 out of 69 engines at the time of discovery, then encrypted the infected machine’s files using the Advanced Encryption Standard (AES) and dropped a ransom note directing victims to a dark web site, where the attackers supplied payment instructions.
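The infection chain above hinges on a script file hidden inside a ZIP attachment. As an added example (not code from Yoroi or the original post), the Python below inspects a ZIP in memory and flags members that Windows would hand to a script host or shell on double-click, including double extensions such as "details.pdf.js" and scripts tucked inside nested archives. The extension list goes beyond the single .js file seen in this campaign and is my assumption, and the archive the demo builds is a constructed stand-in, not the real slavneft.zakaz.zip.

```python
"""Flag script files hidden in ZIP e-mail attachments.

Added example, not code from Yoroi or the original post. The extension list is
an assumption generalising the .js downloader used in the Shade campaign.
"""
import io
import zipfile
from dataclasses import dataclass

# File types Windows executes directly when a user double-clicks them (assumption).
SCRIPT_EXTENSIONS = {
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1",
    ".cmd", ".bat", ".scr", ".exe", ".lnk",
}


@dataclass(frozen=True)
class Finding:
    member: str   # path of the offending member inside the archive
    reason: str   # why it was flagged


def inspect_archive(data: bytes, depth: int = 0, max_depth: int = 2) -> list:
    """Return one Finding per suspicious archive member; an empty list means clean."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [Finding("<archive>", "not a valid ZIP file")]
    findings = []
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            parts = name.rsplit("/", 1)[-1].lower().split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if info.flag_bits & 0x1:
                # bit 0 of the general-purpose flags marks an encrypted member
                findings.append(Finding(name, "password-protected member, cannot be inspected"))
                continue
            if ext in SCRIPT_EXTENSIONS:
                findings.append(Finding(name, f"executable script type {ext}"))
                if len(parts) > 2:
                    # "order details.pdf.js": the visible part of the name lies
                    findings.append(Finding(name, "double extension hides the real type"))
            if ext == ".zip" and depth < max_depth:
                for inner in inspect_archive(zf.read(info), depth + 1, max_depth):
                    findings.append(Finding(f"{name}!{inner.member}", inner.reason))
    return findings


def build_sample_attachment() -> bytes:
    """Constructed stand-in for the campaign's ZIP: one .js lure plus a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ПАО НГК Славнефть подробности заказа.js", "// downloader stub (constructed)")
        zf.writestr("readme.txt", "harmless text")
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_archive(build_sample_attachment()):
        print(f"QUARANTINE {f.member}: {f.reason}")
```

In a mail gateway this check would run on every archive attachment before delivery; anything it flags is quarantined rather than delivered, and password-protected archives are flagged precisely because they cannot be scanned.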

A Busy 2019 for Shade

Yoroi isn’t the only digital defense company that recently detected a new Shade ransomware campaign. In January 2019, ESET witnessed a large uptick in emails containing malicious JavaScript attachments, including those responsible for downloading Shade. In February, Carbon Black observed a similar campaign also leveraging JavaScript attachments to target primarily Russian speakers.

These attacks come at a time when targeted ransomware remains one of the most prominent threats to organizations. Europol said as much in 2018 after it observed threat actors turning to targeted ransomware, rather than banking Trojans, as their preferred payload in financially motivated cyberattacks. This preference contributed to Cybersecurity Ventures’ estimate that ransomware damages would surpass $8 billion by the end of 2018.

How to Protect Against Shade Ransomware

Security professionals can help defend their organizations against Shade and similar malware by keeping endpoint software current and updating all applications to their most secure versions, and by treating script files such as .js arriving inside ZIP attachments as hostile, since that is exactly how this campaign reached its victims. Organizations should also isolate their backup systems, keeping copies offline or otherwise unreachable from production hosts, so that a successful infection cannot encrypt those copies as well.

The post Threat Actors Impersonate Oil and Gas Companies in Latest Shade Ransomware Attack appeared first on Security Intelligence.

To Improve Critical Infrastructure Security, Bring IT and OT Together

As connectivity in the industrial internet of things (IIoT) continues to accelerate, efforts to secure industrial control systems (ICSs) struggle to keep pace. While many ICS security conversations have involved endpoint security, improving the state of ICS security demands attention to more than just endpoints.

Attacks on critical infrastructure systems are proliferating. More than two in five (41.2 percent) ICS computers suffered a malicious software attack in H1 2018, according to Kaspersky Lab. Despite growing security concerns, traditionally air-gapped operational technology (OT) is increasingly being connected to internet-facing devices to improve operational processes, reduce costs and minimize downtime.

Until security becomes a priority, industrial organizations will remain soft targets for threat actors.

Are ICS Environments Too Trusting?

Data from CyberX’s recent “2019 Global ICS & IIoT Risk Report,” which analyzed network traffic data from 850-plus production OT networks worldwide, confirmed that ICSs continue to be easy targets for adversaries, with security gaps in key areas. These areas included the use of plain-text passwords (69 percent of sites), direct connections to the internet (40 percent), weak antivirus protections (57 percent) and legacy Windows systems such as XP that no longer receive patches from Microsoft (53 percent).

According to Andy Jones, a research specialist with the Information Security Forum, one of the most concerning risks to critical infrastructure stemming from emerging internet-connected technologies is that many ICS environments were designed with safety, rather than security, in mind. As a result, they are inherently trusting environments. They trust that instructions received are bona fide and will execute them without verification or validation.

“ICS environments were designed in an unconnected world, so where else would an instruction have come from if not a trusted peer environment?” Jones said. “However, these systems are now often internet-connected, exposing their operations to new threats. In addition, they move, which poses physical dangers.”

Beyond Identity and Patch Management

While identity and patch management may be the biggest obstacles to securing ICS environments in some cases, there is often a broader inadequacy, according to Sandy Carielli, director of security technologies at Entrust Datacard.

Because IT security leaders are still learning about the differences in their practices and priorities from those of OT and operational leaders, there are gaps in understanding and communication that make even something like patch management problematic. For example, it’s one thing to say a server must be taken offline once a week to apply patches, but in reality, many ICSs may not allow for that kind of downtime.

“Without all stakeholders understanding and accepting the realities of ICS requirements, security owners will develop policies and security road maps that are not adequate. That will trickle down to individual security practices like patching,” Carielli said.

Aspects of Current ICS Security That Need to Change

Before the IIoT started complicating the security of ICSs, systems ran safely and securely for many decades. As the world of technology has changed around these legacy systems, however, innovations that promise enhancements and efficiency have introduced risks, such as the dangers from remote hacking, malware and other attacks that simply were not part of original design briefs.

Now that connected ICSs face many of the same threats as IT systems, security needs to be a priority item for ICS designers and suppliers.

“The complicating factor is that many of these complex systems are part built and part assembled from common components, which may be sourced from multiple suppliers on the basis of lowest price,” said Jones. “If these core components are not secured, then anything built from them may remain vulnerable.”

Also problematic is the device manufacturing process. Rishi Bhargava, co-founder at Demisto, likened the problem to fitting a square peg in a round hole. Manufacturers typically ship products with outdated operating systems (OSs) and limited or no patching capability, are lax about password protection and password changes, and have no regular mechanism for pushing software updates to their customers, so the pieces don’t always fit together in these complex environments.

“We need a better alternative to network segmentation and air-gapping IT and OT environments,” Bhargava said. “The potential upside to connected devices is massive and the better alternative going forward is to find a way to ‘stay connected and stay secure’ rather than isolating different infrastructures.”

Improving the Security of Critical Infrastructure Systems

It’s hard to say how to improve something if you don’t know who is responsible for making those improvements. That’s why defining who is responsible for OT security is a necessary first step toward improving the security of critical infrastructure systems.

“The sophistication of recent cyberattacks has demonstrated the need to leverage the skills of existing security operations center (SOC) personnel to combat threats that often cross IT and OT boundaries,” said Phil Neray, vice president of industrial cybersecurity at CyberX. “From a governance point of view, it also makes more sense to have a single C-level executive — typically the chief information security officer (CISO) — be responsible and accountable for all of the digital risk in your organization, regardless of whether it affects IT or OT networks.”

One of the greatest challenges with ICS environments is limited visibility, which is why the next step in ICS security is conducting a thorough risk assessment. It’s critical to know and document what ICS environments exist and identify their criticality to the organization. Jones noted that this is a nontrivial undertaking for complex and global organizations.

“Once this is complete, the focus should be on identifying which of these environments are connected and which of them would be vulnerable to attack,” he advised. “This can very quickly give a focal point for remediation activity.”

It’s also smart to leverage security frameworks that address both IT and OT, such as the white paper on a new security maturity model published last year by the Industrial Internet Consortium. According to Carielli, “Such frameworks will help [organizations] focus on their goals, understand the impact of industry regulations and practices, clarify the resulting security requirements, and prioritize their investment accordingly.”

Bring IT and OT Together

Strong collaboration between IT and OT is a critical step toward improving the security of critical infrastructure systems. When organizations encourage communication between and among their IT, OT and security stakeholders, these different groups can better understand each other’s constraints and work together to meet common goals.

The post To Improve Critical Infrastructure Security, Bring IT and OT Together appeared first on Security Intelligence.

Attack Campaign Targets Linux Servers to Install New SpeakUp Trojan

Security researchers observed an attack campaign that is targeting Linux servers to install samples of SpeakUp, a new backdoor Trojan.

According to Check Point Research, the campaign is currently targeting servers in East Asia and Latin America. The attack begins by exploiting CVE-2018-20062, a remote code execution vulnerability in the ThinkPHP web framework. The attackers then use command injection to upload a PHP shell, which delivers and executes the SpeakUp Trojan, a Perl backdoor.

Upon execution, SpeakUp continuously polls its command-and-control (C&C) server for instructions. It can use the newtask command to execute arbitrary code or to fetch and execute a file from a remote server, for example. This ability lets SpeakUp deliver additional backdoors, each of which comes with a Python script designed to scan and infect more Linux servers on both internal and external subnets.

Furthermore, the Trojan can use the newconfig command to update the configuration file for XMRig, the cryptocurrency miner it distributes to the infected servers under its control.

Linux Servers Under Attack

SpeakUp isn’t the only malware targeting Linux servers. On the contrary, these IT assets are under attack from a range of malicious software.

In December 2018, Slovakian security firm ESET identified 21 Linux malware families that serve as OpenSSH backdoors. Around the same time, Anomali Labs unveiled its discovery of Linux Rabbit and Rabbot, two malware families served by a campaign targeting Linux servers in Russia, South Korea, the U.K. and the U.S. that are both capable of installing crypto-miners.

Also in December, Bleeping Computer learned of a new campaign that had leveraged unsecured Intelligent Platform Management Interface (IPMI) cards to infect Linux servers with JungleSec ransomware.

How to Defend Against the SpeakUp Trojan

Security professionals can help defend against malware like SpeakUp by patching internet-facing web frameworks promptly (in this campaign, ThinkPHP against CVE-2018-20062) and by monitoring Linux servers for the behavior described above: unexpected outbound command-and-control traffic, scanning of neighboring subnets and cryptocurrency mining. Timely patch management also denies crypto-miners their initial foothold, and education and role-based training help cultivate a security-aware workforce.

The post Attack Campaign Targets Linux Servers to Install New SpeakUp Trojan appeared first on Security Intelligence.

The State of Security: 3 Tips for Enterprise Patch Management

A few weeks ago, I woke up one morning to discover that Android had 34 software updates waiting for me. This was followed by my laptop wanting to reboot after installing the latest patches from Microsoft, my tablet needing a reboot after its latest firmware update, and my server screaming for me to put “yum” […]

The post 3 Tips for Enterprise Patch Management appeared first on The State of Security.




Maximize Your Defenses by Fine-Tuning the Oscillation of Cybersecurity Incidents

Information security is an interesting field — or, perhaps more accurately, a constant practice. After all, we’re always practicing finding vulnerabilities, keeping threats at bay, responding to cybersecurity incidents and minimizing long-term business risks.

The thing is, it’s not an exact science. Some people believe that’s the case, but they are only fooling themselves. Some security professionals strive for perfection in terms of their documentation. Others want their users to make good decisions all the time. I’ve even had people ask if I could do my best to provide a clean vulnerability and penetration testing report when doing work for them. Scary stuff.

I believe we’ve reached this point of striving for perfection largely due to compliance. Rather than truly addressing security gaps, we’re stuck in the mindset of checking boxes so that someone, somewhere can get the impression that work is being done and all is well in IT. Striving for perfection only serves to skew expectations and set everyone involved up for failure. The reality is you’re never going to have a perfect state of security, but you can have reasonable security if you take the proper steps.

Ready, Set, Practice

To improve enterprise security, organizations must do what I refer to as fine-tuning the oscillation of their security program. What do I mean by that? Let me give you a car racing analogy.

I compete in the Spec Miata class with the Sports Car Club of America (SCCA). It’s a super-competitive class with very little room for mistakes. Everything that we do as Spec Miata racers has to be fine-tuned — that is, if we’re going to win. Everything matters, from how hard we get on the brakes to how quickly we turn the steering wheel to how we get on and off the throttle. Even the turn-in points and apexes of corners are extremely important. Each little thing we do either works in our favor or works against us.

In car racing, fine-tuning the oscillation means getting better and better at the little things over time. In other words, we minimize atypical events — the mistakes that would show up as spikes on a graph — and get more consistent the more we race. You can certainly make improvements throughout a single race, but most fine-tuning comes with experience and years of seat time.

Make Small Adjustments Over Time

Information security is no different. In the context of your overall security program, threats, vulnerabilities and subsequent cybersecurity incidents represent the oscillation. If you’re looking for a visual, fine-tuning the oscillation means minimizing the amplitude and maximizing the frequency of a sine wave to the point where you have a tiny squiggly line that represents your security events. It’s almost a straight line, but as I said before, there’s no such thing as perfection in security.

Instead of having low-hanging fruit such as missing patches and weak passwords, you’re staying on top of patch management and password policy enforcement. Instead of a lack of network visibility, you have systems and technologies in place that allow you to see things happening in real time. Instead of experiencing a security incident, you’re able to prevent or mitigate the threat. Instead of a breach, you have business as usual.

Rather than playing by the terms of malicious actors seeking to bring down your business, you are the one in control. This is all done through acknowledging your weaknesses and blind spots and making small adjustments over time.

Minimize the Impact of Cybersecurity Incidents

Start viewing your security program from this perspective by asking a few simple questions. What areas need the most attention? Do you have some quick wins that you could start with to get your momentum going? Most organizations have a handful of areas with known security gaps that are creating big exposures — things like third-party patching, unstructured (and unprotected) information scattered about networks, and user security awareness and training. Aim to quickly close the gaps that create the greatest risk so you can spend more focused time on the smaller, but more difficult, problems.

Flattening that sine wave and fine-tuning the oscillation of impactful cybersecurity incidents should be your ultimate goal. Be it racing cars or running a security department, time, money and effort are the essential elements. If you’re going to do either one well, it’s going to require good information, solid decision-making, and intentional and disciplined practice over and over again. That’s the only way you’ll get better.

The post Maximize Your Defenses by Fine-Tuning the Oscillation of Cybersecurity Incidents appeared first on Security Intelligence.

The importance of updating your systems and software

Unpatched software leaves businesses open to attack

There seems to be a system or piece of software for everything nowadays – from apps that let you explore internet browsers in virtual reality to software that can help improve your speech, technology is helping push the boundaries of what can be achieved both inside and outside of the workplace.

But while every business, on the face of it at least, is happy to acquire new systems and applications to drive productivity and reduce costs, far too few update them regularly to keep them secure. A commonly cited benchmark is to install critical patches within 30 days of release and non-critical patches within 90, and even 30 days is more than enough time for cyber criminals to do damage.
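To make the 30/90-day benchmark above operational rather than aspirational, a patch programme needs to know, for every outstanding fix, how far past its window it is. The Python below is an added example (not Panda Security's code or anything from the original post) that applies those two windows to an inventory of pending patches and reports what is overdue and by how much. The hosts, advisory identifiers and dates are constructed sample data, not real systems or CVEs.

```python
"""Measure outstanding patches against a 30/90-day remediation target.

Added example; not Panda Security's code or code from the original post.
Hosts, advisory IDs and dates below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation windows, in days from the vendor's release of the fix.
SLA_DAYS = {"critical": 30, "non-critical": 90}


@dataclass(frozen=True)
class PendingPatch:
    host: str
    advisory: str
    severity: str   # key into SLA_DAYS
    released: date  # when the vendor published the fix


@dataclass(frozen=True)
class Verdict:
    patch: PendingPatch
    age_days: int    # days since the fix was released
    deadline: date   # last compliant install date
    overdue_by: int  # 0 while still inside the window


def assess(pending, today):
    """Score every pending patch, most overdue first, so the report leads with the worst exposure."""
    verdicts = []
    for p in pending:
        if p.severity not in SLA_DAYS:
            raise ValueError(f"{p.advisory}: unknown severity {p.severity!r}")
        deadline = p.released + timedelta(days=SLA_DAYS[p.severity])
        verdicts.append(Verdict(
            patch=p,
            age_days=(today - p.released).days,
            deadline=deadline,
            overdue_by=max(0, (today - deadline).days),
        ))
    return sorted(verdicts, key=lambda v: (-v.overdue_by, v.patch.host, v.patch.advisory))


def compliance_rate(verdicts):
    """Fraction of pending patches still inside their window (1.0 when nothing is pending)."""
    if not verdicts:
        return 1.0
    return sum(1 for v in verdicts if v.overdue_by == 0) / len(verdicts)


# Constructed inventory and reporting date used by the demo.
TODAY = date(2019, 3, 1)
SAMPLE_PENDING = [
    PendingPatch("web-01", "ADV-0001", "critical", date(2019, 1, 10)),
    PendingPatch("web-01", "ADV-0002", "non-critical", date(2018, 11, 15)),
    PendingPatch("db-01", "ADV-0003", "critical", date(2019, 2, 20)),
    PendingPatch("db-01", "ADV-0004", "non-critical", date(2019, 1, 5)),
]


def sample_report():
    return assess(SAMPLE_PENDING, TODAY)


if __name__ == "__main__":
    report = sample_report()
    for v in report:
        state = f"OVERDUE by {v.overdue_by}d" if v.overdue_by else "within window"
        print(f"{v.patch.host:8} {v.patch.advisory} {v.patch.severity:13} "
              f"released {v.patch.released} deadline {v.deadline} {state}")
    print(f"compliance: {compliance_rate(report):.0%}")
```

Feeding this from a real inventory (the output of a package manager or a vulnerability scanner) turns the benchmark into a daily number the business can be held to, and the sort order puts the hosts with the longest exposure at the top of the maintenance queue.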

Often, these businesses run bespoke systems or applications that are set up in a particular way and only work with specific versions of the software around them, so an update to one part of the stack can leave critical parts of it not working.

Businesses cannot afford to adopt an approach of “if it’s not broken, don’t fix it”. The fact is that outdated systems and third-party applications often have a host of vulnerabilities, and ignoring software updates could prove to be a grave mistake.

Cybercriminals target software and system vulnerabilities

The majority of impactful cyberattacks have one thing in common: they target known vulnerabilities in systems and third-party software. WannaCry and the Equifax and BA breaches are high-profile examples of attacks that succeeded against systems whose weaknesses had been left unfixed.

But these cases also have something else in common: each one could have been avoided. Software updates and patches were released before the attacks took place, and the only reason that so many businesses fell victim to these cyberattacks is because they neglected to download, run and install them.

In the case of WannaCry, an investigation by the National Audit Office discovered that the NHS had repeatedly been warned to migrate away from its dated systems – and that “basic IT security” was all that was required to prevent the “unsophisticated” WannaCry attack.

The same applies to Equifax, which was breached through an unpatched Apache Struts vulnerability on a public-facing web server, and to BA, whose website carried a cross-site scripting weakness that had not been fixed.

The fundamental issue is that many businesses mistakenly believe themselves to be secure because they have advanced cyber security and intrusion detection solutions in place.

But cybersecurity is only as good as its weakest link. If a business uses outdated systems or software, endpoints are left vulnerable and can be readily compromised by a cybercriminal with very little working knowledge.

Businesses face a multi-faceted challenge in the form of patch management

Indeed, the management of system software updates and patches has become a serious challenge for modern organisations. As the technology landscape has evolved and diversified, businesses now use a variety of systems and third-party applications to manage and enhance processes. Updating infrastructure is no longer a simple button press on an operating system – it’s a business-wide decision that affects all existing activities.

For many businesses, and large enterprises in particular, updating their technology stacks often means stopping critical operations for a day or two as system software updates and patches are downloaded, installed and configured. And as their infrastructure is incredibly intricate, any update or change could result in key bits of software malfunctioning.

As a result, the patch management process becomes time-consuming, and businesses face the difficult decision of taking crucial elements of their infrastructure offline for updates and maintenance. Neglecting these updates is akin to leaving the front door open and the windows unlocked, but many businesses simply cannot afford to take their activities offline for even a minute.

Manage software and system updates through automated patch solutions

For businesses with this kind of complex infrastructure, it’s easy to understand why updates and patches are pushed further and further back. Installing a patch as soon as it’s available is best practice, but that kind of agility can only really be applied to a small business with limited systems and software or a single user.

Basic operating system updates can (and should) be applied as and when they are available. But for more bespoke in-house systems, which are connected to a suite of tools, a more considered approach is necessary.

Fortunately, businesses can readily manage and update their systems and third-party software infrastructure through automated patch management solutions.

Automated patch management does exactly what it says on the tin: it analyses software and systems in use to determine whether patches and/or updates are available and downloads them. These patches and/or updates are acquired in the background and can be installed at a specified time.

Panda Patch Management, a module of Panda Adaptive Defense, manages vulnerabilities – outdated systems and third-party software – and their corresponding updates and patches. Full visibility of endpoint health, i.e. whether systems or software is outdated and patch status, is provided in real time and across the enterprise.

The solution also correlates detected and identified threats with uncovered vulnerabilities to minimise response time and contain and remediate attacks through automated patch application. This kind of patch management allows businesses to get ahead of software vulnerability exploit attacks, enhance endpoint security and reduce attack vectors.

Businesses cannot afford to overlook or avoid patching and updating software infrastructure. Cybercriminals are banking on businesses not updating or patching their systems or software so that they can exploit vulnerabilities and deal damage. If an update is available, it should be applied at the earliest and most practical opportunity.

The post The importance of updating your systems and software appeared first on Panda Security Mediacenter.

What Does Healthcare Cybersecurity Look Like in a Future of Connected Medical Devices?

As technology continues to transform the way healthcare is delivered, the industry is burdened by the growing cybersecurity risks inherent in the expansion of connected devices. Understanding that each connected device opens another pathway for threat actors, it’s incumbent upon device manufacturers to keep security foremost throughout the development life cycle.

The question is, how can manufacturers ensure the security of the devices they create? Furthermore, what can healthcare companies do to mitigate the risks inherent in the future of healthcare cybersecurity?

Taking the Pulse of Health Care Cybersecurity Today

Healthcare organizations, a perennial target of cyberattacks, took a beating once again in 2018. We saw some significant data breaches last year, such as the attack on Med Associates in which more than 270,000 patient records were exposed.

New research from Clearwater found that the three most common vulnerabilities in healthcare cybersecurity are user authentication deficiencies, endpoint leakage and excessive user permissions — which, combined, account for nearly 37 percent of all critical risk scenarios. Credential misuse continues to threaten enterprise security across all sectors, including healthcare.

“When malicious actors gain access to accounts — whether by weak passwords or phishing attacks — they are given the literal keys to the kingdom,” said Justin Jett, director of audit and compliance for Plixer.

When it comes to medical devices, however, cybersecurity is making progress. According to Leon Lerman, CEO of Cynerio, “We are currently in the increased awareness state where healthcare providers, the Food and Drug Administration (FDA), the Department of Health and Human Services (HHS) and device manufacturers are starting to be more active in the space.”

Moving Toward a More Secure Future

The good news is that healthcare providers at hospitals are starting to include cybersecurity requirements in their procurement process. In fact, some are no longer depending on the medical device manufacturers and instead actively looking for dedicated device security solutions.

According to Lerman, the FDA and Department of Homeland Security (DHS) recently launched a joint initiative to “increase coordination in dealing with threats related to medical devices.” In addition, HHS released cybersecurity best practices to help healthcare organizations manage threats and protect patients from internet of things (IoT)-based attacks and other threats.

Manufacturers have not progressed as far as hospitals, though there are more conversations about strengthening the security of their devices, taking part in cybersecurity testing and streamlining the patching process. In reality, these conversations have only been taking place within the last decade, and according to Anura Fernando, chief innovation architect at UL, medical devices can take at least that long to develop and bring to market.

“If you couple that with the fact that many devices are used by hospitals for 20–25 years, you can see that there is a major legacy systems issue, with many devices lacking security controls at the device level. Based on that timing offset, it could easily be five to 10 years before we see the complete turnover of equipment in use by hospitals that didn’t even have cybersecurity considered during design,” Fernando explained.

The Challenges of Securing Connected Devices

Legacy systems present myriad cybersecurity challenges, but there are other obstacles to securing medical devices. One that is closely related to legacy equipment is that of component obsolescence.

“When you consider the lengthy development timelines associated with most devices, it can easily be the case that security-related components such as operating systems and microcontrollers cease to be supported by the component vendor soon after a medical device reaches the market,” Fernando said.

As a result, maintenance activities such as applying security patches may no longer be feasible for hospitals. Even when vendors do release patches, the time and cost of validating them on each device is onerous.

“Even once this validation process is complete, it can be a daunting task to manage the deployment of a patch into the highly dynamic operational life cycle phase of a device, which may be in process of performing critical functions like life support,” said Fernando.

How Health Care Organizations Can Mitigate Security Risks

You can’t protect what you can’t see, so proper visibility into connected devices and their ecosystem is critical. Once you have visibility, understand the risk that each of these devices poses and take necessary proactive measures to minimize this risk, such as network segmentation, patching and removing devices from networks.

By monitoring device behavior and understanding what devices do in the context of medical workflows, you can detect anomalies when devices behave suspiciously. And, of course, early detection enables quicker response.

Strengthening password requirements can help you reduce risk, but when malicious actors gain a foothold, organizations need network traffic analytics to understand where the attack started and determine whether it has spread.

“By looking at how credentials are used throughout the network and creating a baseline of normal usage, network and security teams can be alerted to anomalous credential use and stop attacks as they happen,” Jett said.
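Jett's point above is a concrete detection: learn where (source subnet), to what (target host) and when (hour of day) each account normally authenticates, then alert on events that fall outside that pattern. The Python below is an added example, not code from Plixer, Cynerio or the original post, that does exactly that over authentication logs. The log lines, account names and hostnames are constructed sample data, and the one key=value event per line layout is an assumption about the log format.

```python
"""Baseline each account's credential use and flag logins that deviate from it.

Added example; not code from Plixer, Cynerio or the original post. Log lines,
account and host names are constructed; the key=value line layout is assumed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_network


@dataclass
class Baseline:
    hosts: set = field(default_factory=set)    # systems the account logs in to
    subnets: set = field(default_factory=set)  # /24s the account logs in from
    hours: set = field(default_factory=set)    # hours of day with successful logins


def parse(line):
    """'<ISO timestamp> key=value ...' -> dict, with a datetime under 'ts'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def subnet_of(addr):
    return str(ip_network(f"{addr}/24", strict=False))


def learn(lines):
    """Build per-account baselines from a training window of known-good logs."""
    baselines = defaultdict(Baseline)
    for line in lines:
        r = parse(line)
        if r.get("result") != "success":
            continue  # failed attempts do not define what is normal
        b = baselines[r["user"]]
        b.hosts.add(r["host"])
        b.subnets.add(subnet_of(r["src"]))
        b.hours.add(r["ts"].hour)
    return baselines


def score(line, baselines):
    """Reasons an event deviates from its account's baseline; empty list if none."""
    r = parse(line)
    b = baselines.get(r["user"])
    if b is None:
        return ["account never seen in the baseline window"]
    reasons = []
    if r["host"] not in b.hosts:
        reasons.append(f"new target host {r['host']}")
    src_net = subnet_of(r["src"])
    if src_net not in b.subnets:
        reasons.append(f"new source subnet {src_net}")
    # one hour of slack either side of the observed working window
    hour = r["ts"].hour
    if not (min(b.hours) - 1 <= hour <= max(b.hours) + 1):
        reasons.append(f"login at {hour:02d}:00, outside usual hours")
    return reasons


def detect(lines, baselines):
    """(user, reasons) for every deviating event; failed attempts are scored too."""
    alerts = []
    for line in lines:
        reasons = score(line, baselines)
        if reasons:
            alerts.append((parse(line)["user"], reasons))
    return alerts


# Constructed sample logs: a training window, then the events to score.
TRAINING = [
    "2019-02-04T07:58:02 user=nurse1 src=10.1.20.14 host=emr-app-01 result=success",
    "2019-02-04T14:12:40 user=nurse1 src=10.1.20.31 host=emr-app-01 result=success",
    "2019-02-05T16:45:09 user=nurse1 src=10.1.20.14 host=emr-app-01 result=success",
    "2019-02-05T09:03:55 user=biomed1 src=10.1.30.7 host=infusion-mgmt-01 result=success",
    "2019-02-06T17:20:13 user=biomed1 src=10.1.30.7 host=infusion-mgmt-01 result=success",
    "2019-02-06T17:21:00 user=biomed1 src=10.1.30.7 host=infusion-mgmt-01 result=failure",
]
DETECT = [
    "2019-02-11T10:30:00 user=nurse1 src=10.1.20.22 host=emr-app-01 result=success",
    "2019-02-12T02:14:33 user=nurse1 src=172.16.5.9 host=pacs-01 result=success",
    "2019-02-12T09:15:00 user=biomed1 src=10.1.30.7 host=infusion-mgmt-01 result=success",
    "2019-02-12T23:40:00 user=svc_backup src=10.1.30.7 host=infusion-mgmt-01 result=success",
]

if __name__ == "__main__":
    base = learn(TRAINING)
    for user, reasons in detect(DETECT, base):
        print(f"ALERT {user}: " + "; ".join(reasons))
```

A real baseline needs weeks of logs rather than a handful of lines, and the three features here are deliberately coarse; the point is that a clinical account suddenly reaching a new device from a new network at two in the morning stands out immediately, which is the kind of credential misuse the passage describes.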

Furthermore, all of the different stakeholders in the healthcare value chain need to be invested in securing the future of connected healthcare. Since this is a widespread effort across the healthcare environment, industry leaders should develop guidelines and standards to evaluate whether products and devices meet cybersecurity standards.

The post What Does Healthcare Cybersecurity Look Like in a Future of Connected Medical Devices? appeared first on Security Intelligence.

University of Maryland Researchers Use Audio Files and AI to Defeat reCaptcha Challenges

University of Maryland researchers warn that with limited resources, threat actors could launch a successful cyberattack on Google’s bot-detecting reCaptcha service.

In an academic paper detailing their findings, the researchers discuss how they created a tool called unCaptcha, which uses audio files in conjunction with artificial intelligence (AI) technologies such as speech-to-text software to bypass the Google security mechanism.

Over more than 450 tests, the unCaptcha tool defeated reCaptcha with 85 percent accuracy, taking 5.42 seconds on average. The study demonstrated that threat actors could use the same approach to break into web-based services, automate account creation and more.

How Researchers Got Around reCaptcha

Online users will recognize reCaptcha as a small box that appears on many websites when signing up or logging in to digital services. Website visitors are typically asked to solve a challenge to prove they’re human, whether it’s typing in letters next to a distorted rendering of the letters, answering a question or clicking on images.

In this case, the University of Maryland researchers took advantage of the fact that Google’s system offers an audio version of its challenges for those who may be visually impaired. The attack method involved navigating to Google’s reCaptcha demo site, finding the audio challenge and downloading it, then putting it through a speech-to-text engine. After an answer had been parsed, it could be typed in and submitted.

While Google initially responded by creating a new version of reCaptcha, the researchers did the same thing with unCaptcha and were even more successful. In an interview with BleepingComputer, one of the researchers said the new version had a success rate of around 91 percent after more than 600 attempts.

Securing the Web Without CAPTCHAs

The research paper recommends a number of possible countermeasures to a tool such as unCaptcha, including broadening the sound bites used in reCaptcha audio challenges and adding distortion. CAPTCHAs are far from the only option available to protect digital services, however.

IBM Security experts, for example, discussed the promise of managed identity and access management (IAM), which allows organizations to not only protect online services with additional layers of security, but also have a third party deal with operational chores such as patching and resolving upcoming incidents. If a group of academics can automate attacks on CAPTCHA systems this successfully, it may be time for security leaders and their teams to look for something more sophisticated.

The post University of Maryland Researchers Use Audio Files and AI to Defeat reCaptcha Challenges appeared first on Security Intelligence.

NRSMiner Crypto-Mining Malware Infects Asian Devices With the Help of EternalBlue Exploit

Security researchers report that the newest version of NRSMiner crypto-mining malware is causing problems for companies that haven’t patched the vulnerability targeted by the EternalBlue exploit.

Last year, the EternalBlue exploit (CVE-2017-0144) leveraged Server Message Block (SMB) 1.0 flaws to trigger remote code execution and spread the WannaCry ransomware. Now, security research firm F-Secure reports that threat actors are using this exploit to infect unpatched devices in Asia with NRSMiner. While several countries including Japan, China and Taiwan have all been targeted, the bulk of attacks — around 54 percent — have occurred in Vietnam.

According to F-Secure, the newest version of NRSMiner can use existing infections to update its code on already-compromised hosts, and can use intranet-connected systems to spread to machines that haven’t been patched with Microsoft security update MS17-010.

Eternal Issues Facing Security Professionals

In addition to its crypto-mining activities, the latest version of NRSMiner is also capable of downloading new versions of itself and deleting old files and services to cover its tracks. Using the WUDHostUpgrade[xx].exe module, NRSMiner actively searches for potential targets to infect. If it detects the current NRSMiner version, WUDHostUpgrade deletes itself. If it finds a potential host, the malware deletes multiple system files, extracts its own versions and then installs a service named snmpstorsrv.

Although this crypto-mining malware is currently confined to Asia, its recent uptick serves as a warning to businesses worldwide that haven’t patched their EternalBlue vulnerabilities. While WannaCry infections have largely evaporated, the EternalBlue exploit/DoublePulsar backdoor combination remains an extremely effective way to deploy advanced persistent threats (APTs).

How to Curtail Crypto-Mining Malware Threats

Avoiding NRSMiner starts with security patching: Enterprises must ensure their systems are updated with MS17-010. While this won’t eliminate pre-existing malware infections, it will ensure no new EternalBlue exploits can occur. As noted by security experts, meanwhile, a combination of proactive and continual network monitoring can help identify both emerging threats and infections already present on enterprise systems. Organizations should also develop a comprehensive security framework that includes two-factor authentication (2FA), identity and access management (IAM), web application firewalls and reliable patch management.

EternalBlue exploits continue to cause problems for unpatched systems. Avoid NRSMiner and other crypto-mining malware threats by closing critical gaps, implementing improved monitoring strategies and developing advanced security frameworks.
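As an added example (not code from the article or from F-Secure), the following read-only PowerShell triage checks the two things the post asks defenders to verify on a Windows host: whether SMB 1.0, the protocol EternalBlue abuses, is still enabled and MS17-010 is present, and whether the NRSMiner artifacts named above (the snmpstorsrv service and a running WUDHostUpgrade[xx].exe module) exist. It assumes Windows 8.1 / Server 2012 R2 or later and an elevated prompt; the MS17-010 KB ids are a placeholder to be filled from Microsoft's bulletin for the host's OS build.

```powershell
# Added example, not from the article or F-Secure. Read-only triage for one Windows host.
# Assumes Windows 8.1 / Server 2012 R2 or later (Get-SmbServerConfiguration) and an
# elevated prompt. The KB numbers that carry MS17-010 differ per OS build, so they are
# passed in rather than hard-coded; look them up in Microsoft's MS17-010 bulletin.

function Test-EternalBlueExposure {
    param(
        # Placeholder: replace with the MS17-010 KB id(s) for this host's OS build.
        [string[]]$Ms17010KbIds = @('KB-FROM-MS17-010-BULLETIN')
    )
    # EternalBlue (CVE-2017-0144) needs SMB 1.0; an SMB1-disabled host is not exposed.
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $installed   = Get-HotFix -ErrorAction SilentlyContinue |
                   Where-Object { $Ms17010KbIds -contains $_.HotFixID }
    [pscustomobject]@{
        Smb1Enabled      = $smb1Enabled
        Ms17010Installed = [bool]$installed
        # A missing update matters most while SMB1 is still enabled.
        AtRisk           = $smb1Enabled -and -not $installed
    }
}

function Find-NrsMinerArtifacts {
    # WQL filter on the service name the post attributes to NRSMiner.
    $svc  = Get-CimInstance Win32_Service -Filter "Name = 'snmpstorsrv'"
    # ProcessName carries no extension; the wildcard covers the [xx] numeric suffix.
    $proc = Get-Process -ErrorAction SilentlyContinue |
            Where-Object { $_.ProcessName -like 'WUDHostUpgrade*' }
    [pscustomobject]@{
        ServiceFound = [bool]$svc
        ServicePath  = $svc.PathName          # binary path, kept for follow-up forensics
        ProcessFound = [bool]$proc
        ProcessPaths = @($proc | ForEach-Object { $_.Path })
    }
}

Test-EternalBlueExposure | Format-List
Find-NrsMinerArtifacts   | Format-List
```

Disabling SMB 1.0 with Set-SmbServerConfiguration -EnableSMB1Protocol $false removes the exposure even on hosts where the update status is uncertain; a hit on either artifact check is a signal to isolate the host rather than clean it in place.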

The post NRSMiner Crypto-Mining Malware Infects Asian Devices With the Help of EternalBlue Exploit appeared first on Security Intelligence.