Archives

WannaCry

Uncover Security Blind Spots in Your Organization with Citrix & Bitdefender

If security used to be a compliance-only conversation, today it is a hot topic even at C-level. Recent ransomware attacks, such as WannaCry and GoldenEye, affected entire organizations, including companies like FedEx and Renault. Big brands, banks or state departments …


WannaCry and Petya: the names of the fear of losing corporate data

A few weeks ago the world stood still: WannaCry attacked various companies around the world, hijacking their corporate data and demanding a ransom to return it. Information security was once again at the centre of the …


WannaCry and Petya: the names of the fear of losing corporate data

A few weeks ago, the world stopped: WannaCry attacked several companies, hijacking their data and demanding a ransom to return it. Information security was once again at the centre of the stage thanks to ransomware, and that ever-present fear became more tangible …


Mitigating WannaCry with VMware NSX

WannaCry, which affects the Microsoft Windows operating system, has already infected hundreds of thousands of computers around the world in a relentless ransomware attack on an unprecedented scale.

Ángel Villar Garea, systems engineer at VMware, discusses and shows how VMware NSX can help protect infrastructures against WannaCry and similar attacks.

If you want to learn more about how to protect yourself from the latest cybersecurity threats with VMware NSX, download your free copy of “Network Virtualization for Dummies”.

Take a look at our blog and follow @VMware_ES to keep up with all the latest VMware news.


WannaCry Fallout: Implement ‘Least Privilege’ Now

Co-Author: Sisimon Soman is a senior member of the technical staff for VMware EUC, responsible for VMware User Environment Manager R&D. Having worked at Bromium, Citrix, EMC and others, he is well versed in end-user security and threat remediation.

It’s been a few weeks since WannaCry ransomware captured headlines and computers the world over. We now know how it spread, and how it captured so many Windows 7 machines.

The WannaCry (also known as WannaCryptor) attack was first reported on May 12 and spread to more than 230,000 computers in over 150 nations. Attackers used strong encryption to render captured computers useless without the correct unlock keys. Additionally, there are reports that victims could not decrypt their files even after paying the ransom.

WannaCry’s ransomware component of the payload works just like other ransomware: it searches for files with specified extensions and encrypts them. But its worm component is different, and it uses a Server Message Block (SMB) v1 vulnerability (CVE-2017-0144) to spread.

Microsoft released a security update (MS17-010) to fix this vulnerability on March 14, 2017. This March-to-May window demonstrates that even if OEM manufacturers respond in a timely manner to exploits, the weak link is often the end user failing to apply the required patch.

At VMware, we believe there’s another way. If computers and networks are intelligently locked down, then end-user tardiness may be temporarily mitigated.

Technical Details

After the infection, the malware dropper code attempts to connect to the URL below using the InternetOpenA() WinInet API and exits if the connection is successful. We therefore recommend that you allow this traffic through your filters in order to stop the malware activity.

www [dot] iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea [dot] com

Next, the dropper installs and starts a service named mssecsvc2.0, which in turn drops the payload ‘C:\WINDOWS\tasksche.exe’ and executes it. Prior to copying the payload, the dropper renames the existing tasksche.exe.

The worm component scans all internal and external endpoints and exploits the SMB v1 vulnerability to spread. The ransomware component searches for files with specified extensions (Microsoft research shows 178 file types) and encrypts them.

Attack Vectors

According to Microsoft, there are two highly likely scenarios used by WannaCry:

  1. SMB vulnerability
  2. Social engineering

It is not easy to exploit the SMB vulnerability from outside an organization because of the multiple layers of protection (firewalls, multi-tiered DMZ, etc.) commonly deployed. It’s often easier to trick a user into clicking and launching malware using social engineering and phishing techniques.

After this initial infection within the organization, the malware can then use the SMB vulnerability to spread internally. Our analysis shows that this initial attack vector, using social engineering, can be prevented by enforcing the principle of “least privilege.”

As part of infecting an endpoint, WannaCry performs the following actions:

  1. Drops a payload to the C:\WINDOWS directory
  2. Creates / updates several HKLM keys including ‘Run’ key
  3. Creates a service

When a user inadvertently clicks on a malware attachment in an environment where they do not have local admin privileges or elevated permissions to system folders and the HKLM registry hive, the process does not have the ability to drop and execute its payload.

In other words, if computers and networks are intelligently locked down, then malware struggles to propagate. Although the SMB vulnerability vector does not require any user action, the social engineering vector does, and the principle of least privilege could potentially prevent infection. The United States Computer Emergency Readiness Team (US-CERT) mentions the principle of least privilege as one of their recommended steps for preventing attacks like this.
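The dropper behaviours listed above (the kill-switch lookup, the mssecsvc2.0 service, the dropped C:\WINDOWS\tasksche.exe and the HKLM Run key) are also what endpoint telemetry can be checked for, both to catch a host where the chain ran and to confirm that a least-privilege rollout stopped it at the drop step. The following Python is an added example, not code from the post or from VMware: it correlates constructed Sysmon-style key=value event lines (the event format, host names and benign events are made up here; the indicators themselves are the ones quoted in the post) and flags a host only when several indicators appear together.

```python
"""Toy correlation of the WannaCry dropper behaviours described in the post.

Added example (not VMware's code). Input is a constructed, Sysmon-like
key=value event format; the indicators are the ones named in the post:
  * DNS lookup of the kill-switch domain the dropper probes,
  * a new service named mssecsvc2.0,
  * a file written to C:\\WINDOWS\\tasksche.exe,
  * a value set under an HKLM ...\\Run key.
"""
import re
from collections import defaultdict

# Indicators quoted in the post (the domain is written de-fanged there).
KILL_SWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
SERVICE_NAME = "mssecsvc2.0"
PAYLOAD_PATH = r"c:\windows\tasksche.exe"
# Any Run key under HKLM (not HKCU, which a standard user may write to).
HKLM_RUN = re.compile(r"^hklm\\.*\\run(\\|$)", re.IGNORECASE)

# Constructed sample telemetry: WS01 shows the full chain, WS02 a single
# benign Run-key write by an ordinary installer, WS03 unrelated file activity.
SAMPLE_EVENTS = [
    'host=WS01 type=dns query=www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com',
    'host=WS01 type=service name=mssecsvc2.0',
    'host=WS01 type=file path="C:\\WINDOWS\\tasksche.exe"',
    'host=WS01 type=registry key="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\sample-entry" value="C:\\WINDOWS\\tasksche.exe"',
    'host=WS02 type=registry key="HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ExampleUpdater" value="C:\\Program Files\\Example\\updater.exe"',
    'host=WS03 type=file path="C:\\Users\\alice\\Downloads\\report.pdf"',
]


def parse_event(line):
    """Split 'key=value key="quoted value"' into a dict (constructed format)."""
    fields = {}
    for m in re.finditer(r'(\w+)=("([^"]*)"|(\S+))', line):
        fields[m.group(1).lower()] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def classify(ev):
    """Return the indicator name an event matches, or None."""
    kind = ev.get("type", "").lower()
    if kind == "dns" and ev.get("query", "").lower() == KILL_SWITCH_DOMAIN:
        return "killswitch_dns"
    if kind == "service" and ev.get("name", "").lower() == SERVICE_NAME:
        return "service_mssecsvc"
    if kind == "file" and ev.get("path", "").lower() == PAYLOAD_PATH:
        return "payload_dropped"
    if kind == "registry" and HKLM_RUN.search(ev.get("key", "")):
        return "hklm_run_set"
    return None


def detect(lines, threshold=2):
    """Collect distinct indicators per host and flag hosts reaching `threshold`.

    A lone HKLM Run write is normal installer behaviour, so the default needs
    two different indicators on the same host before alerting.
    """
    seen = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        tag = classify(ev)
        if tag and "host" in ev:
            seen[ev["host"]].add(tag)
    return {host: sorted(tags) for host, tags in seen.items() if len(tags) >= threshold}


if __name__ == "__main__":
    for host, tags in detect(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(tags)}")
```

On the constructed sample only WS01 is flagged; WS02 is a single benign Run-key write and falls below the threshold. On a host where the user lacks rights to C:\WINDOWS and HKLM, the `payload_dropped` and `hklm_run_set` indicators should never appear for the social-engineering vector, which is the observable effect of the least-privilege control the post recommends.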

Removing Users’ Admin Rights

Part of the answer to attacks like WannaCry is to simply remove admin rights from end users. However, that’s not as straightforward as it may sound. There are a couple of reasons why enterprises continue to provide local admin access to user accounts:

  1. Legacy applications (vendor and in-house written) update files and sub-folders in system and program files directories instead of writing to user data folders. Some of them also update HKLM locations instead of HKCU.
  2. Users need to install applications.

Balancing Least Privilege & User Empowerment

Very few users are happy with a totally locked down PC. There’s often a case for a user patching software, or installing something that is outside of a corporation’s standard image, in order to be more productive at their job.

What is needed is a smart management system that allows for the flexible application of admin rights in a policy-controlled way. Many vendors offer such a system. VMware’s answer is VMware User Environment Manager. (Clearly, we believe our technology is better than that of our competitors, but for the sake of computers everywhere, please investigate deploying such a solution.)

It is precisely for handling the use cases mentioned above—whilst maintaining the principle of least privilege—that we recently announced the ability to configure privilege elevation for applications in our newest release of User Environment Manager 9.2. You can remove the administrator privilege from domain users and still allow users to start certain applications as administrators.

[Read more: Introducing VMware User Environment Manager 9.2 with Privilege Elevation]

Additionally, if your internal network is completely open, we strongly encourage you to consider micro-segmentation to help arrest the spread of infections should your perimeter defenses prove insufficient.

[Read more: Use a Zero Trust Approach to Protect Against WannaCry]

VMware is committed to helping IT secure interactions between users, applications and data, in an environment that is changing and becoming increasingly dynamic—from public and private multi-cloud environments to the proliferation of mobile devices. Read more about our approach to transforming security, or download a free trial of User Environment Manager and experience policy-controlled least privilege yourself.

References:

  1. https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/
  2. https://www.us-cert.gov/ncas/alerts/TA17-132A

The post WannaCry Fallout: Implement ‘Least Privilege’ Now appeared first on VMware End-User Computing Blog.


How to mitigate the effects of WannaCry with VMware NSX

The WannaCry ransomware, which targets the Microsoft Windows operating system, has infected hundreds of thousands of computers worldwide in recent days: an attack still under way and on an unprecedented scale.

In the video below, Ángel Villar Garea, Systems Engineer at VMware, explains and demonstrates how VMware NSX can help protect infrastructures from WannaCry and similar attacks.


Want to learn more about how VMware NSX protects against the latest cybersecurity threats? Click here to download a free copy of the guide “Network Virtualization for Dummies”.

WannaCry: how can a company protect itself from a cyber-attack?

Article by our experts Stéphane Padique & Ghaleb Zekri

Hijacked connected devices, the city of Dallas hacked, cyber-attacks against Yahoo and today the ‘WannaCry’ ransomware… cyber-attacks keep making headlines.

Here are 3 key steps companies should follow to protect themselves from these threats, whose effects can be devastating:

1) Before the attack: prevention

It is important that companies put in place an IT infrastructure prepared to withstand this type of attack and able to take control of the contaminated part quickly.

IT directors must therefore change their approach to security by adopting layered security that encompasses the user, the device, the applications, the data and the network.

They must very quickly be able to identify the weak elements that require stronger protection, by applying the necessary updates or, if no update is available, by raising the level of filtering for those elements.

2) During the attack: isolation

It is now technologically possible to quarantine the server or any other contaminated part of the IT estate automatically and instantly, without human intervention and without redesigning the existing architecture of the information system (VMware NSX). This isolates the contaminated element and prevents lateral propagation of the threat which, like the flu, can become highly viral depending on the case.

In parallel, the IT department will also have to quickly move the infected user environment aside and create a new, clean one, which brings us to step 3.

3) After the attack: recovery

It is essential for companies to remotely reinstall the system to its pre-attack state and to apply all the necessary updates.

The user will thus recover their working environment and their decrypted data without having given in to the attacker’s ransom demand.

Of course, the elements that were previously isolated will also need to be decontaminated.

If we take the scenario of a large company under attack with 10,000 infected workstations, using VMware NSX and VMware Workspace One:

  1. The virus is detected in the company; the system administrators block the infected site’s workstations with VMware NSX and protect the application servers.
  2. The desktop administrators activate the WS1 VDI images and instantly make 2,000 working environments available in the Software-Defined Data Center (SDDC) for contractors and vital business functions.
  3. In parallel, each user among “the other 8,000” receives on their smartphone, via VMware Workspace One, an email notifying them of access to their business applications on mobile and on home-office and BYOD workstations. The applications are added by the administrators to the users’ profiles instantly, without touching any workstation.
  4. The administrators begin an automatic return of the workstations to compliance.
  5. Everything returns to normal with no interruption of service on the user or data-center side.

To go further, watch this video on how to stop an attack with micro-segmentation using VMware NSX:

You can also read our blog post “Use a Zero Trust Approach to Protect Against WannaCry”

