Friday 30 June 2017

Cyber Security Roundup for June 2017

Another large-scale ransomware cyber attack caused chaos and dominated media headlines around the world this month. The Petya ransomware, a copycat of WannaCry in that it spreads using the same SMB vulnerability, caused major operational impact at organisations that had neglected to apply Microsoft Windows critical security updates. There were reports of the malware significantly impacting British marketing firm WPP, a Jewson hardware store, firms associated with Ukrainian national infrastructure, and even halting production at a Cadbury chocolate factory in Australia.

Aside from the Petya ransomware outbreak, it was another busy month of significant cyber security attacks and data compromises across the UK. The UK Parliament's email system was hacked, with around 90 email accounts compromised due to the use of weak passwords by parliament staff; it is not certain how many of the 90 belonged to MPs, but I wouldn't be surprised if more than a few were using weak passwords. There was further cyber trouble for the UK government after its Digital Service website data was compromised. Virgin Media told 800,000 of its users to change their router passwords after it was discovered that hackers could access Virgin's Super Hub 2 routers. And there were yet more critical security patches released this month, as Microsoft and application vendors fight to stay ahead of cyber criminals' and nation-state actors' software exploits.

Over in the United States, a US health insurer forked out £90 million to cover compensation and legal costs after hackers stole customer records in its care. We could well see these types of large payouts in the UK soon after the General Data Protection Regulation (GDPR) kicks in in May 2018. The GDPR gives the Information Commissioner's Office (ICO) new powers to fine up to 10 million euros or 2% of the previous year's global turnover, whichever is higher, for breaches of the regulation's security obligations. Data subjects will also have the right to take companies to court to seek damages. The ICO gets double those penalty rates (20 million euros or 4%) for breaches of data subjects' privacy rights, ouch! Under the GDPR, companies must report security incidents that compromise or put personal data at risk to the ICO within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals, and must also inform each affected data subject where the breach is likely to result in a high risk to them, so there will be little hiding place for security breaches in the UK after next May.

Finally, US-CERT and Incapsula released an interesting advisory about 'Hidden Cobra', a North Korean cyber threat group. This nation-state group is seemingly ramping up its capabilities at the moment; it is behind the DeltaCharlie DDoS botnet campaign and has been linked with last month's WannaCry ransomware outbreak. Well worth a read.


Tuesday 27 June 2017

Petya / NotPetya / Petrwrap Ransomware Explained & Advice

Here we go again, another large-scale ransomware attack is causing chaos across the globe, including at British marketing firm WPP, a Jewson hardware store in Harpenden, several Ukrainian national infrastructure firms, and even halting production at a Cadbury chocolate factory in Australia.
The ransomware in question is a new strain of the Petya ransomware family, modified to take advantage of the same EternalBlue SMB (Server Message Block) vulnerability (CVE-2017-0144) as the WannaCry ransomware. EternalBlue was leaked by the Shadow Brokers hacker group in April 2017 and is believed to have been developed by the NSA. The malware also uses a second exploit, EternalRomance, for vulnerability CVE-2017-0145. Both of these Microsoft Windows vulnerabilities enable the Petya ransomware to spread rapidly across local area networks, infecting any other Windows system without the MS17-010 security update applied. It is this rapid spread capability within company networks with unpatched Windows systems which is causing the major impact at organisations around the world. The Microsoft MS17-010 critical security update, released on 14th March 2017, fixes the vulnerabilities used by both the EternalBlue and EternalRomance exploits and so stops this rapid internal spread of the malware, reducing the potentially high impact on businesses.

The Petya ransomware family has been around since early 2016. Instead of only encrypting individual files like most ransomware, it goes after locking out the operating system by overwriting the Master Boot Record (MBR) and encrypting the NTFS Master File Table (MFT). The MFT is the database in which information about every file and directory on an NTFS volume is stored; with it encrypted, the files are unreachable even though most of their contents are untouched on disk. This new version also encrypts individual files of selected types before the reboot. This new version or copy of Petya is also known as NotPetya and Petrwrap.

The most common malware entry route into organisations is via a phishing email, and there are reports of Petya-laden emails with a subject of 'Hi' and a .zip or .scr attachment named 'gone'. Note that later analysis attributed the initial infections largely to a trojanised update of the Ukrainian M.E.Doc accounting software rather than to email, which is one reason the first victims were concentrated in Ukraine.

The disk-encryption element of Petya requires Windows administrator rights; however, with basic Windows user rights Petya is still able to propagate to other insecure Windows systems on the local network. Petya has no killswitch like the one that brought the WannaCry outbreak to an abrupt end last month, so expect the Petya outbreak to last longer.

How to Protect your Organisation from Petya
Much of the same protection advice applies as with the WannaCry ransomware.
  1. Perform regular staff phishing email awareness training: teach staff how to spot suspect emails and not to open attachments or click on links within them.
  2. Ensure the Microsoft MS17-010 security update is applied to all Windows systems, or disable SMBv1 where it cannot be, as this prevents Petya from rapidly spreading within the internal network via the EternalBlue and EternalRomance exploits. Be aware that MS17-010 does not stop the PsExec/WMI spread using stolen credentials, so a patched system can still be infected from an infected neighbour that has obtained administrator credentials.
  3. Adopt a robust patch management process and ensure all critical security updates are quickly applied; they are marked as critical for a reason!
  4. Ensure anti-virus (AV) is running on all Microsoft Windows systems, with AV definitions kept up to date. Most anti-virus vendors have released updates which detect and block the latest Petya strain. However, be aware your anti-virus product may not be able to detect and prevent new versions of the malware for a period of time, until the AV vendor updates its detection definitions, which is why it is important to keep your anti-virus solution updated daily.
    • There is a Petya infection-blocking alternative to relying on anti-virus: see Petya Vaccine.
  5. Back up your data regularly; it is far quicker to recover from ransomware when you know your data is safe.
  6. If you do suspect your Windows device is infected with Petya:
    • Do not reboot or power the computer back on. Petya does its damage during the boot sequence, where it runs a fake CheckDisk (CHKDSK) as per the screenshot below, warning you not to switch off the computer. If you see that message, power off immediately.
    • Petya creates a scheduled task to reboot the computer between 10 and 60 minutes after infection; find and remove this task to prevent the Windows reboot. Petya does not reschedule the reboot task.
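The two host-level containment steps above (the vaccine and the reboot task) as one runnable script. This is an added example, not code from the original post or from the malware analyses it links to. It assumes the publicly reported vaccine behaviour: the outbreak's DLL checks for a file named perfc in the Windows directory and exits if it already exists, and the read-only perfc.dat / perfc.dll variants were recommended alongside it. The schtasks CSV sample is constructed; the column names "TaskName" and "Task To Run" are those of `schtasks /query /fo CSV /v`.

```python
"""Petya/NotPetya host containment helpers (added example, not the post's code).

  1. write_vaccine()    - drop empty read-only perfc / perfc.dat / perfc.dll
                          into the Windows directory (the published vaccine).
  2. find_reboot_tasks() - parse `schtasks /query /fo CSV /v` output and list
                          tasks that run shutdown.exe with /r, so the reboot
                          into the fake CHKDSK stage can be removed in time.
"""
import csv
import io
import os
import stat
import subprocess
import sys

VACCINE_NAMES = ("perfc", "perfc.dat", "perfc.dll")


def write_vaccine(windows_dir):
    """Create the vaccine files under windows_dir as empty, read-only files.

    Returns the full paths (created now or already present) so the caller can
    verify them. A non-existent windows_dir raises, as it should for a typo.
    """
    paths = []
    for name in VACCINE_NAMES:
        path = os.path.join(windows_dir, name)
        if not os.path.exists(path):
            # 'x' mode never truncates an existing file of the same name
            with open(path, "x"):
                pass
        # read-only (0444): the malware only tests for existence, but
        # read-only matches the published advice and resists casual overwrites
        os.chmod(path, stat.S_IREAD | stat.S_IRGRP | stat.S_IROTH)
        paths.append(path)
    return paths


def find_reboot_tasks(schtasks_csv):
    """Return [(TaskName, Task To Run)] for tasks whose command is a
    shutdown.exe restart. The caller reviews and deletes them
    (schtasks /Delete /TN "<name>" /F); legitimate restart tasks exist on
    some estates, so nothing is removed automatically here.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        cmd = (row.get("Task To Run") or "").lower()
        if "shutdown" in cmd and "/r" in cmd:
            hits.append((row.get("TaskName", ""), row.get("Task To Run", "")))
    return hits


# Constructed sample of schtasks /v CSV output (columns trimmed; the real
# output has many more). The first row mimics the outbreak's reboot task,
# the second is an ordinary built-in task that must not be flagged.
SAMPLE_SCHTASKS_CSV = (
    '"HostName","TaskName","Next Run Time","Status","Task To Run"\n'
    '"WS01","\\","27/06/2017 14:32:00","Ready","C:\\Windows\\system32\\shutdown.exe /r /f"\n'
    '"WS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","N/A","Ready","%windir%\\system32\\defrag.exe -c -h -o -$"\n'
)

if __name__ == "__main__":
    if sys.platform == "win32":
        # Live run: needs an elevated prompt to write into C:\Windows.
        windir = os.environ.get("SystemRoot", r"C:\Windows")
        print("vaccine files:", write_vaccine(windir))
        out = subprocess.run(["schtasks", "/query", "/fo", "CSV", "/v"],
                             capture_output=True, text=True, check=True).stdout
    else:
        out = SAMPLE_SCHTASKS_CSV  # offline demonstration on the sample
    for name, cmd in find_reboot_tasks(out):
        print(f"reboot task found: name={name!r} command={cmd!r}")
```

Run it from an elevated prompt on a suspect host before the 10 to 60 minute timer expires; on a non-Windows machine it only exercises the parser on the constructed sample.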

Detecting Infections through Network Traffic Monitoring
Any device scanning ports 139 and 445 across the LAN is a solid indication of a Petya-compromised system attempting to spread. A normal workstation talks SMB to a handful of file and print servers; an infected host walks the whole subnet.
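A detection you can run over firewall or flow logs to pick out that sweep, as an added example that is not part of the original post. The log line format, the 60-second window and the threshold of 20 distinct destinations are assumptions for the example; the sample records are constructed.

```python
"""Flag hosts sweeping SMB ports across the LAN (added example, not the post's code).

Keeps, per source address, a sliding window of the distinct destinations it has
connected to on TCP 139/445 and raises an alert the first time a source reaches
the threshold inside the window. Malformed lines and non-SMB traffic are skipped.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import re

SMB_PORTS = {139, 445}
WINDOW_SECONDS = 60            # assumed window
DISTINCT_DST_THRESHOLD = 20    # assumed threshold: 20 hosts a minute is a sweep

# Assumed log line shape (constructed for this example; adapt the regex to the
# export format of your own firewall or NetFlow collector).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)


def parse_line(line):
    """Return (ts, src, dst, dport, proto) or None for a line that does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["src"], m["dst"], int(m["dport"]), m["proto"].lower()


def detect_smb_sweeps(lines, window=WINDOW_SECONDS, threshold=DISTINCT_DST_THRESHOLD):
    """Return {src: first_alert_time} for sources reaching `threshold` distinct
    SMB destinations within `window` seconds. Lines are expected in time order
    per source, as a tailed log would deliver them."""
    recent = defaultdict(deque)   # src -> deque of (ts, dst), oldest first
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, dport, proto = rec
        if proto != "tcp" or dport not in SMB_PORTS:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and (ts - q[0][0]).total_seconds() > window:
            q.popleft()            # expire records outside the window
        distinct = {d for _, d in q}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = ts       # alert once per source
    return alerts


def build_sample_log():
    """Constructed sample: 10.0.1.23 sweeps 10.0.1.1-40 on 445 in 40 seconds,
    10.0.1.50 does normal traffic to two file servers, and 10.0.1.77 scans
    slowly (one host every two minutes) so it stays under the threshold."""
    base = datetime(2017, 6, 27, 10, 14, 0, tzinfo=timezone.utc)

    def stamp(sec):
        return (base + timedelta(seconds=sec)).strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = []
    for i in range(1, 41):
        lines.append(f"{stamp(i)} src=10.0.1.23 dst=10.0.1.{i} dport=445 proto=tcp")
    for i in range(40):
        lines.append(f"{stamp(i)} src=10.0.1.50 dst=10.0.2.{5 + i % 2} dport=445 proto=tcp")
    for i in range(40):
        lines.append(f"{stamp(i * 120)} src=10.0.1.77 dst=10.0.3.{i + 1} dport=139 proto=tcp")
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for src, when in detect_smb_sweeps(build_sample_log()).items():
        print(f"ALERT {when.isoformat()} {src} sweeping SMB ports")
```

The slow-scan host in the sample is the case a simple "connections to port 445" count would also catch but that the windowed version deliberately ignores; drop the window to a larger value if your estate tolerates that noise, and add TCP 135 to the port set if you also want to see the WMI lateral movement the malware uses.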

The Ransom Payment - Don't Pay it
Petya demands a ransom of $300 worth of Bitcoin and provides an email address to confirm payment and receive the decryption key. However, that email address has been shut down by the email provider, so there is no way for the attackers to send you a key even if you pay. Do not pay the ransom.

Petya Data Recovery
At this time there are no known methods to recover Petya-encrypted data. Restoring the MBR will not decrypt the data. Wipe the disk, reinstall or reimage the operating system and restore data from an anti-virus scanned backup.

Nation-State or Cyber Criminal Orchestrated?
This cyber attack has all the hallmarks of a nation-state attack, given the initial outbreak of Petya was reported at large national infrastructure organisations in Ukraine and India before it went on to spread globally. In my opinion, at this time, the attack was probably conducted by either a nation-state or a group affiliated with a nation-state, motivated to cause national infrastructure mayhem by mirroring the impact of the recent WannaCry attack, and not by cyber criminals out to make easy money. Cyber criminals tend to target home users with ransomware attacks, a far more lucrative and rewarding market for them than companies. Although there was a report of a South Korean company paying a $1m ransom recently, it is worth noting Petya only asks for $300 worth of Bitcoin, which is low for business ransomware, and only $8,000 worth of Bitcoin has been paid so far, which again is an extremely low financial reward for the scale of the attack. In late 2016 Ukraine had several state websites hacked, and the Ukrainian national electricity grid was also cyber attacked in late 2015, suggesting the country has an active advanced persistent adversary.

Kaspersky have named the malware 'NotPetya', as they believe it is a new type of ransomware rather than a Petya variant. Petrwrap is another popular name for it within the cyber security industry.

List of organisations known to be impacted:
  • UK - WPP, Jewson
  • US - Merck & Co, DLA Piper, a Pittsburgh hospital
  • Ukraine - central bank, power grid
  • Russia - Evraz, Rosneft
  • France - Saint-Gobain
  • Germany - Metro, Deutsche Post
  • Denmark - AP Moller-Maersk
  • Norway - unnamed firm
  • The Netherlands - APM Terminals
  • India - Jawaharlal Nehru container port in Mumbai
  • Australia - Cadbury and another as yet unnamed company
File Indicators and Example Hashes
Windows executable (DLL), size 354K. MD5 and SHA-1 pairs below are as published; check the length of any indicator before loading it into tooling, since a truncated digest will never match.
SHA-1 34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d
MD5 71b6a493388e7d0b40c83ce903bc6b04

SHA-1 68f98db6d599286f61395dd1bc9a0febc82006e7
MD5 4481411bd9b5d08ca31f4af62571fb58

SHA-1 9717cfdc2d023812dbc84a941674eb23a2a8ef06
MD5 e285b6ce047015943e685e6638bd837e

SHA-1 101cc1cb56c407d5b9149f2c3b8523350d23ba84
MD5 415fe69bf32634ca98fa07633f4118e

SHA-1 9288fb8e96d419586fc8c595dd95353d48e8a06
MD5 a1d5895f85751dfe67d19cccb51b051a
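A small sweeper that loads the indicator list above and checks a directory tree against it, as an added example that is not the post's own tooling. It embeds the hashes exactly as printed; two of them (one MD5 of 31 hex characters and one SHA-1 of 39) are shorter than a valid digest, so the loader validates length and reports those entries instead of silently carrying indicators that can never match. The algorithm names and line shape are those of the list above; the sample file used in the test is constructed.

```python
"""Match files against the Petya/NotPetya hash indicators above
(added example; the hashes are the post's, the code is not).
"""
import hashlib
import os
import re
import sys

# Copied verbatim from the list above, including the two short entries.
IOC_TEXT = """
SHA-1 34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d
MD5 71b6a493388e7d0b40c83ce903bc6b04
SHA-1 68f98db6d599286f61395dd1bc9a0febc82006e7
MD5 4481411bd9b5d08ca31f4af62571fb58
SHA-1 9717cfdc2d023812dbc84a941674eb23a2a8ef06
MD5 e285b6ce047015943e685e6638bd837e
SHA-1 101cc1cb56c407d5b9149f2c3b8523350d23ba84
MD5 415fe69bf32634ca98fa07633f4118e
SHA-1 9288fb8e96d419586fc8c595dd95353d48e8a06
MD5 a1d5895f85751dfe67d19cccb51b051a
"""

DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64}
IOC_LINE_RE = re.compile(r"^(?P<algo>SHA-?1|MD5|SHA-?256)\s+(?P<hex>[0-9a-f]+)$", re.I)


def load_iocs(text):
    """Return (valid, rejected). valid maps (algo, lowercase hex) -> original
    line; rejected lists lines that do not parse or have the wrong digest length."""
    valid, rejected = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = IOC_LINE_RE.match(line)
        if not m:
            rejected.append(line)
            continue
        algo = m["algo"].lower().replace("-", "")
        digest = m["hex"].lower()
        if len(digest) != DIGEST_LEN[algo]:
            rejected.append(line)          # truncated or padded indicator
            continue
        valid[(algo, digest)] = line
    return valid, rejected


def hash_file(path, algos=("md5", "sha1")):
    """Hash a file once with every algorithm in `algos`, streaming in 1 MiB chunks."""
    hs = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in hs.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hs.items()}


def scan_dir(root, iocs):
    """Walk root and return [(path, matching IOC line)] for every file whose
    MD5 or SHA-1 is in iocs. Files that cannot be read are skipped."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path)
            except OSError:
                continue
            for algo, digest in digests.items():
                if (algo, digest) in iocs:
                    hits.append((path, iocs[(algo, digest)]))
    return hits


if __name__ == "__main__":
    iocs, bad = load_iocs(IOC_TEXT)
    for line in bad:
        print("rejected malformed indicator:", line, file=sys.stderr)
    for path, ioc in scan_dir(sys.argv[1] if len(sys.argv) > 1 else ".", iocs):
        print("MATCH", path, ioc)
```

Hash matching only catches the exact samples listed; a recompiled variant will not match, which is why the network-scan and vaccine checks above matter as much as the indicators.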

Detailed Technical Breakdown of Petya
This Petya version was compiled on 18th June 2017.
Scans the local network and tries to spread using PsExec and WMI calls.
Uses the SMB exploits EternalBlue and EternalRomance (patched by MS17-010).
Uses API calls to map the Active Directory and DHCP environments.
Uses a bespoke version of Mimikatz to dump administrator credentials from memory, which it then reuses with PsExec and WMI to reach systems that are patched against the SMB exploits.
Excellent video analysing how Petya works -
Full technical brief by Microsoft

Monday 26 June 2017

Simple GDPR Information Security Guidance: Don't believe the Hype

PDF version of this blog post is available here - ITSE-GDPR-InfoSec-Guide-Jun17.pdf

There are plenty of cyber security sales and marketing teams jumping on the General Data Protection Regulation (GDPR) bandwagon at the moment, often peddling fear of massive fines and, in far too many cases, spouting nonsense and unnecessary guesswork about the GDPR's information security requirements.

You do not need to be a lawyer or a fancy-pants security consultant to understand the GDPR's information security requirements; they are freely provided by the European Union. It is just a matter of taking the time to actually read and digest each of the GDPR's requirements and then interpreting how your organisation will comply, albeit some requirements result in full-blown project plans. I recommend reading a bite-sized, section-headed version of the GDPR rather than the EU released GDPR paper.

Nothing in this blog post is official legal advice; it is an interpretation and personal opinion on meeting the GDPR's requirements. Further official and detailed GDPR information security guidance is expected to be released.

The United Kingdom's exit from the European Union will not occur before the GDPR comes into UK law on 25th May 2018. Therefore all UK organisations storing or processing any personal data records will have to comply with the GDPR from May 2018. It is highly likely GDPR compliance will continue to be a UK personal data legal requirement post Brexit. The GDPR applies to any non-EU country processing EU citizens' personal data, and it is unlikely that the UK will adopt a tiered data protection legal requirements system where UK nationals have fewer privacy rights than EU nationals.

Only 3 of the 99 GDPR Articles are directly Information (Data) Security Related
That's right, there are just three information (data) security requirements in the GDPR, Articles 32, 33 and 34; the other 96 Articles relate to data subject rights, data controller responsibilities, sending personal data outside the EU and general administration. There is a hidden information security requirement in GDPR Recital 63, but aside from that there is not a lot for information security professionals to worry about, unless you have been tasked to prepare an organisation to meet all of the GDPR's requirements, in which case you need to be data privacy qualified.

Information Security vs Data Privacy
Some companies like to lump data privacy within information security management, but to properly understand and manage modern data privacy rights in medium to large organisations requires individuals with the appropriate qualifications and background in privacy law. Data privacy is a completely separate discipline; applying the intricacies of privacy rights within business processes can be completely alien to the average information security professional. We still live in an age where the information security function is incorrectly placed as a subset of IT in some organisations, but nevertheless, even though privacy and security are linked, they should be regarded as separate business functions and separate professions, a notion included as a requirement in the GDPR under Article 37.

Article 37 “Designation of a Data Protection Officer”
"the data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39."  
Articles 37 and 38 require the designation of a Data Protection Officer (DPO).

Article 39 “Tasks of a Data Protection Officer” outlines a number of privacy officer duties, including monitoring compliance with the GDPR.

GDPR's Information Security Requirements (Recitals & Articles)
The GDPR has 173 Recitals and 99 Articles. Recitals set out the reasons for the regulation and what it is trying to achieve, while Articles are the regulatory requirements, the GDPR rules.

Article 32 Apply an Appropriate Level of Information Security (Risk Assess)
This is best practice information security management, nothing specific or new here; it should all already be being done. Take a risk-assessed approach, information security 101: confidentiality, integrity and availability of all personal data within the organisation. Don't forget availability, as unlike PCI DSS the GDPR regards the availability of personal data as a security requirement. Article 32 requires information security to be of an industry best practice standard appropriate to the size and nature of the organisation; this means information security does not need to be at the absolute cutting edge, but at a level generally considered adequate for the nature and type of organisation. So if your organisation already has a strong security posture, to the standard of ISO 27001:2013, you are in an excellent position to meet the GDPR information security requirements.

Article 33 Notification of Breaches to the ICO
The ability to report data breaches to the ICO within 72 hours of becoming aware of them. As part of incident management and response policy and planning, include a process to inform the company's designated Data Protection Officer (DPO) about any detected personal data breach, allowing the DPO to assess it and report it to the ICO within the deadline.

Article 34 Notification of Breach to Data Subjects
As per Article 33, ensure company DPO notification is included as part of your incident management/response process, to allow your DPO to inform data subjects should their personal data be at high risk due to a security incident.

Article 35 Data Protection Impact Assessment
"7. The assessment shall contain at least: (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned."
Article 35's 11 paragraphs are a Data Protection Officer responsibility in my view, so it is not counted as one of the 3. However, to meet paragraph 7(d) it repeats Article 32: a risk-assessed approach to applying information security controls appropriate to protecting personal data.

Documentation and assessment evidence is required to demonstrate compliance; again, such documentation and security assessments should already be in place if your organisation operates best practice information security management.

Article 30 – Records of Processing Activities
“1. Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information. g) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).”

“2. Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing d) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).

Another Data Protection Officer set of requirements, but Article 30 references the information security Article 32. In other words, make sure the recorded processing activities are in scope of the information security policy/programme, and that the security controls are documented, which they already should be.

Data Subject Access Rights Portal
Recital 63 refers to organisations providing a data subject access rights portal:
"Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data."
Providing a portal is "possible" for most organisations; for many it could mean adding functionality to existing staff and customer facing websites/portals.
Bear in mind that even though Recital 63 reads like a GDPR requirement, it is the Articles that are the legal requirements, not the Recitals. Then there is Article 12, which states:
"Where the data subject makes the request by electronic form means, the information shall be provided by electronic means."

The provision or expansion of an internet-connected portal to handle the GDPR's data privacy rights could fulfil this requirement. Obviously, the privacy portal needs to be secure, so securing it will be an information security responsibility and a GDPR requirement under Article 32.

GDPR Privacy Data Subject Rights (via an Internet Portal)
The GDPR requires the following data subject privacy rights to be fulfilled within one month and without charge, so given Recital 63 and Article 12 the best way to achieve this, especially where there are thousands of personal data records in the care of the organisation, is an internet facing portal that provides each data subject with the ability to exercise their new GDPR privacy rights.
  • Article 13 - explain how personal data is processed
  • Article 15 - provide a copy of personal data (Data Subject Access Request)
  • Article 16 - correct any incorrect personal data
  • Article 17 - personal data erasure
  • Article 18 - restrict the processing of personal data
  • Article 20 - personal data portability, provide personal data to another data controller
  • Article 21 - object at any time to the processing of personal data
  • Article 22 - not be subject to automated decision-making and profiling
Not complying with the above articles means a data subject can seek compensation by engaging a solicitor and going to court (Articles 79 and 80), or by complaining to the ICO (Article 77), which has the infamous fine potential of up to 20 million euros or 4% of global turnover.

It should go without saying that the security of any internet facing portal hosting personal data en masse needs to be highly robust, and security tested via penetration testing at least annually and after any significant change.

The Information Security Breach GDPR Fines Truth
A breach of the information security requirements means a fine of up to 10 million euros (not 20 million) or up to 2% of global turnover (not 4%), whichever is higher.
Article 83(4) states that infringements of the following "shall ... be subject to administrative fines up to 10,000,000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher: (a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43". Articles 32, 33 and 34, the information security requirements, fall within that range; the higher penalty tier (20 million euros or 4%) is reserved for breaches of the data protection principles and data subjects' privacy rights.

The GDPR Right to Data Protection (not as clear-cut as you might think)
Recital 1 is titled "Data protection as a fundamental right",
but Recital 4 states "The right to the protection of personal data is not an absolute right" and goes on to say "it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality".

So the GDPR is rights-based and respects all other EU 'rights', which must include the 'freedom to conduct a business' as stipulated in various EU Charters and Treaties; remember the EU is founded as a free trading bloc of countries, not as a nation state. I am not a lawyer so I am not drawing a conclusion, but pointing out what might be an area of interest to lawyers fighting GDPR enforcement penalties.

Saturday 24 June 2017

Facebook Live Oyster Pearl Party Scams

A little off-topic, but recently I've been asked so many times about the Pearl Party live broadcasts appearing all over Facebook status walls. If you haven't heard of Pearl Parties, they are sales broadcasts where the hosts entice viewers to buy sealed oysters which are opened live on the broadcast; any pearls found inside are sent to the buyer, and there always seem to be plenty of pearls found.

So I did some research and watched several of these broadcasts, and it becomes clear why they are appearing all over Facebook: the party hosts constantly offer the chance to win a free oyster opening to every viewer who shares the broadcast. After further investigation, it becomes even clearer these Pearl Party broadcasts aren't the harmless fun the presenters insinuate, but appear to be deceptive.
Oysters Originate from the Far East & Individually Vacuum Packed

The oysters opened on the Facebook Live broadcast are real enough; they are bought in wholesale by the oyster party rep, but the copious pearls discovered inside them aren't quite as legitimate, rare and valuable as you might think. I have discovered two methods behind the high number of pearls found inside them. Either the freshwater oysters have been cultured, basically hacked and farmed into growing the pearls, or the oysters have had the pearls inserted into them and are then dropped into a chemical bath to make them snap closed, killing and preserving the oyster. With either method, the oysters are individually vacuum packed before being shipped off in bulk from the Far East to the party hosts.
Cheap as Chips Oysters are bought in Bulk

On the Pearl Party broadcasts I observed, it cost £30 to £50 to open a batch of 5 oysters, which is a considerable markup from the direct online price of around £1 to £2 per oyster. Often the punters don't get the chance to buy a set number of oysters to be opened in the hope of receiving any pearls found inside, as there is a random game to be played to determine how many oysters are opened for their set payment. These games involve rolling a dice or spinning a wheel to decide the number of oysters opened, which in itself probably breaks gaming licensing laws in many countries. This game is part of the deception: it is used to make buyers think they have won something and disguises the fact they are paying well over the odds for the low-grade, nearly worthless pearls they end up receiving.

Pearl Party Sales are similar to the Shopping Channels

As the party host opens each oyster on the broadcast, they blag about how wonderful the pearls look, using lighting and display techniques to make each pearl look as glamorous as possible, the same techniques employed by the professionals on jewellery shopping channels, but they really exaggerate the quality and value. In reality, the pearls you are presented with are nothing like the quality of actual rare, high-value natural pearls. Some hosts will even measure, rate the colour and shape, and conclude a value for each pearl, which is always way more than the buyer has actually paid. Consider this: if the host really thought the pearls were worth as much as they are saying, why on earth would they bother with the broadcast rather than just selling them directly themselves!

The host will also offer to set your pearls in jewellery, like earrings and necklaces, all for an extra cost of course.

I also found some hosts operate on behalf of companies in a pyramid-like scheme, where they pay a set amount in, oysters are supplied to them, and the more they sell the higher they rise up the pyramid ranks and the more money they make.

So be warned, don't participate in promoting these scams to your friends by sharing Pearl Party Facebook Live broadcasts. You'd think Facebook would do something about these types of illicit practices and gambling on its Facebook Live service, but apparently not. Given the lawlessness of Facebook Live, I think we can expect further scams of this nature in the near future.

Thursday 1 June 2017

Cyber Security Roundup for May 2017

The WannaCry ransomware outbreak within the NHS dominated the national media headlines earlier this month. Impacting 45 NHS sites in England and Scotland, the massive cyber attack led to cancelled operations and the diversion of emergency medical services. The WannaCry outbreak was not limited to the NHS: thousands of computers were shut down at companies in almost 100 countries. Early reports described an initial infection via a phishing email, although later analysis found the worm entered networks directly by exploiting SMB on internet-exposed hosts. Once inside, the ransomware encrypts files and rapidly self-replicates, infecting other networked Windows computers without Microsoft's March 2017 critical update (MS17-010) installed, which drove the swift spread of the malware within large organisations and across the world.

Debenhams had 26,000 customer personal details stolen through its flowers service website, which was operated on Debenhams behalf by a third party company. The data breach has been reported to the ICO.

With a year to go until the General Data Protection Regulation (GDPR) comes into law, there were several news reports stating UK businesses need to do more to prepare, and highlighting the new data breach fines which could run into billions for FTSE 100 companies.

If you live in Manchester, your computer is 4 times more likely to be infected with malware than elsewhere in the world, according to statistics by Enigma Software Group.

Over in the United States, Brooks Brothers disclosed a major payment card breach, after an individual installed malicious software which captured credit card information within payment systems at locations across the USA and Puerto Rico for 11 months, a reminder of the importance of PCI DSS compliance wherever a business stores, processes and/or transmits credit/debit card data (cardholder data).

Hackers stole a copy of Disney's forthcoming Pirates of the Caribbean film, and tried to hold Disney ransom, Disney didn't pay.

Interesting blog post by MacKeeper Security, on how cyber criminals are linking various stolen credential datasets to leverage access to systems.

And finally, it was another busy month of security update releases by Microsoft and Adobe; the WannaCry impact on the NHS is a stark warning to ensure all newly issued critical security updates are quickly applied.