Thursday, December 8, 2016

Ransomware Fighters Get New Free Tool


Ransomware has become a gold mine for digital criminals. In the first three months of this year, electronic extortionists squeezed US$209 million from victims desperate to recover their data after it was scrambled by the malicious software, based on FBI estimates. At that rate, ransomware could funnel as much as $1 billion into criminal coffers this year.

Ransomware typically will encrypt most of the files on a computer, but some pernicious programs are selective about what they encrypt on a machine. One such form of ransomware attacks the boot sequence of a computer.


Petya ransomware overwrites the contents of a system's Master Boot Record, forces a system reboot, and encrypts the operating system's Master File Table.

With ransomware that's limited to encrypting data, it's still possible to use an infected machine. That only makes sense, since an extortionist expects the victim to use the computer to pay the ransom and receive the key that unscrambles the data on the afflicted machine.

With an attack on the MBR, however, the extortionist "bricks" the system and makes it unusable until the ransom is paid.

Risky Ransomware

Bricking a computer that you're holding for ransom is a risky way to do business.

"With ransomware that encrypts the Master Boot Record, you have effectively lost the ability to use the computer," explained Craig Williams, security outreach manager at Cisco Systems.

"That's a little bit more risky for the attacker, because it relies on you having another way to get online and pay them," he told TechNewsWorld, "but because the computer is unusable, you're more likely to pay them."

Despite the risks, there are some advantages to MBR ransomware, suggested Edmund Brumaghin, a threat researcher at Cisco and a colleague of Williams.

"One potential benefit to focusing on the MBR versus in-place encryption of files is that it can be completed quickly, regardless of the amount of user data that is stored on the system," Brumaghin told TechNewsWorld.

"It may also be more difficult for decryptors to be made available if the boot process of the system has been manipulated or disrupted," he continued. "Recovery may also be more difficult, as it may require a complete reinstallation of the system's operating system, rather than just recovery of the user's files."

MBRFilter to the Rescue

To counter ransomware attacks on the Master Boot Record, Cisco Talos, the company's threat intelligence organization, released a free program called "MBRFilter." The program lets a user make the MBR read-only by default, which prevents any program from altering it.

Enabling that default can create problems from time to time, Williams acknowledged.

"Occasionally you have updates to operating systems or changes to the Linux kernel where you do need to poke at the Master Boot Record and update it," he said, "but for the vast majority of the operation of a computer, you don't need to update it."
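As an added example (not Cisco Talos's MBRFilter code or anything from the article), the following Python script shows the detective counterpart to MBRFilter's write-blocking: it parses a 512-byte MBR, records the bootstrap-code hash, disk signature and partition table, and reports when a later read differs. The sample MBR is constructed in the code; on a real host the bytes would come from the first sector of the boot disk.

```python
"""Baseline-and-verify check for a disk's Master Boot Record.

Added example, not Cisco Talos code: MBRFilter is the preventive control (it
refuses writes); this is the matching detective control, which snapshots the
bootstrap code, disk signature and partition table and reports later changes.
A synthetic 512-byte MBR is constructed below so the check runs offline.
"""
import hashlib
import struct

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xAA"   # last two bytes of every valid MBR
PART_TABLE_OFFSET = 446       # four 16-byte partition entries start here

def parse_mbr(sector):
    """Return the fields worth baselining; raise if this is not a plausible MBR."""
    if len(sector) != SECTOR or sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("not a 512-byte sector with the 0x55AA boot signature")
    partitions = []
    for i in range(4):
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFFSET + 16 * i)
        if ptype:  # type 0x00 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {"bootstrap_sha256": hashlib.sha256(sector[:440]).hexdigest(),
            "disk_signature": sector[440:444].hex(), "partitions": partitions}

def compare(baseline, current):
    """Differences between two parsed MBRs; an empty list means the MBR is unchanged."""
    findings = []
    if baseline["bootstrap_sha256"] != current["bootstrap_sha256"]:
        findings.append("bootstrap code changed (what an MBR overwrite like Petya's does)")
    if baseline["disk_signature"] != current["disk_signature"]:
        findings.append("disk signature changed")
    if baseline["partitions"] != current["partitions"]:
        findings.append("partition table changed")
    return findings

def build_sample_mbr(bootstrap_fill):
    """Constructed MBR: filler bootstrap bytes, fixed disk signature, one bootable NTFS partition."""
    head = bytes([bootstrap_fill]) * 440 + b"\x12\x34\x56\x78" + b"\x00\x00"
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    return head + entry + b"\x00" * 48 + BOOT_SIGNATURE

if __name__ == "__main__":
    baseline = parse_mbr(build_sample_mbr(0x90))  # 0x90 (x86 NOP) stands in for real code
    for finding in compare(baseline, parse_mbr(build_sample_mbr(0xCC))):
        print("ALERT:", finding)
```

Legitimate changes of the kind Williams describes (OS or kernel updates that rewrite the boot sector) fire the same alert, so the baseline has to be refreshed after them and kept off the protected host.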

Malicious software that scrambles data on systems is by far a more popular form of ransomware than programs that attack the MBR, but when you protect the MBR, you're protecting yourself from more than just ransomware.

"The MBR is often targeted by other types of malware, such as rootkits and bootkits," Brumaghin explained.

Flaw in Secrets Hive

Once hackers penetrate a system, they seek to expand their reach through it as fast as possible.

There is a way to do that using a security feature Microsoft added to Windows, CyberArk discovered last week.

Since Windows 7's introduction, Microsoft has been protecting service credentials by storing them securely in something called the "LSA Secrets registry hive."

Although access to the hive is severely restricted and information in it is encrypted, CyberArk discovered that once system intruders obtain administrative privileges on a network, they can use the credentials in the LSA -- without decrypting them -- to move laterally within a system.

"Vulnerabilities are found all the time in technology," observed CyberArk CMO John Worrall.

"What's interesting about this research is that once you get administrative credentials, the number of vulnerabilities opens up dramatically," he told TechNewsWorld.

The methods for compromising a system can be very powerful in the wrong hands, noted CyberArk's Kobi Ben Naim, the senior director of cyber research who conducted the LSA study.

"If an attacker implements these techniques," he told TechNewsWorld, "he's able to take over an entire network in a few minutes."

SSH Key Jungle

Authentication is a pillar of information security, but sometimes you can have too much of a good thing. Take SSH -- an authentication technology that's taken on a critical role in running all networks. It is used on millions of servers and in about 90 percent of data center environments.

As it is part of the invisible plumbing of networks, not a lot of attention has been paid to the growth of SSH. After all, it's distributed free with all the popular operating systems, so it doesn't appear on management's cost radar, and it's seen as one of those things stashed in IT's black box of tricks.

Benign neglect in the face of unchecked growth in the use of SSH has prompted the National Institute of Standards and Technology to raise a red flag, suggesting that poor SSH access controls within IT have resulted in a major operational and security risk.

"Many large organizations have more SSH keys than they have passwords," noted Tatu Ylönen, CEO of SSH Communications Security.

"The keys have been growing over the years, and there hasn't been much management of them," he told TechNewsWorld.

What has NIST concerned is that without proper management of SSH keys, an organization is inviting a security breach.

"In many instances, these keys can give a person the highest access on a system," Ylönen explained. "They let you read any file and they let you modify the operating system."

That kind of access can be very dangerous if it falls into the lap of a threat actor.

"You can steal data," Ylönen said. "You can create false data, and in a cyberwar situation, you can destroy any server you've penetrated."
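As an added example that is not NIST or SSH Communications Security tooling, the following Python audit applies two checks that follow from Ylönen's remarks to authorized_keys data gathered from a host: keys carrying no `from=`, `command=` or `restrict` option (so they grant the unrestricted access he describes) and a single key that authorizes several accounts. The account names, key blobs and options are constructed for the demo.

```python
"""Audit authorized_keys entries for unmanaged-key sprawl. Added example, not NIST
or SSH Communications Security tooling; sample key blobs are constructed, not real."""
import base64
import hashlib
import re

# optional options field (quoted values may hold spaces or commas), key type, blob, comment
ENTRY = re.compile(r'^(?:((?:[^\s"]|"(?:[^"\\]|\\.)*")+)\s+)?(ssh-\S+|ecdsa-\S+|sk-\S+)\s+(\S+)\s*(.*)$')

def parse_entry(line):
    """One authorized_keys line -> key type, OpenSSH-style fingerprint, comment, option names."""
    options, ktype, b64, comment = ENTRY.match(line.strip()).groups()
    digest = hashlib.sha256(base64.b64decode(b64)).digest()
    # Blank quoted values first so a comma inside from="a,b" does not split an option.
    names = {o.split("=", 1)[0].strip()
             for o in re.sub(r'"(?:[^"\\]|\\.)*"', '""', options or "").split(",") if o.strip()}
    return {"type": ktype, "options": names, "comment": comment,
            "fingerprint": "SHA256:" + base64.b64encode(digest).decode().rstrip("=")}

def audit(keys_by_account):
    """keys_by_account maps account -> list of authorized_keys lines; returns findings."""
    findings, accounts_by_fp = [], {}
    for account, lines in keys_by_account.items():
        for line in lines:
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            entry = parse_entry(line)
            accounts_by_fp.setdefault(entry["fingerprint"], set()).add(account)
            if not entry["options"] & {"from", "command", "restrict"}:
                findings.append(f"{account}: unrestricted key {entry['fingerprint']} ({entry['comment']})")
    for fp, accounts in accounts_by_fp.items():
        if len(accounts) > 1:  # one private key opens several accounts
            findings.append(f"shared key {fp} authorizes {sorted(accounts)}")
    return findings

def fake_ed25519(seed):
    """Constructed ssh-ed25519 blob in SSH wire format: type string + 32 filler bytes."""
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + seed.to_bytes(32, "big")
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

# Constructed authorized_keys contents for three accounts on one host.
SAMPLE = {
    "root": [fake_ed25519(1) + " ops-laptop", fake_ed25519(2) + " backup-job"],
    "deploy": ['from="10.0.0.0/8,10.1.0.5",command="/usr/bin/deploy.sh" '
               + fake_ed25519(3) + " ci-runner"],
    "dba": ["# legacy entry", fake_ed25519(1) + " ops-laptop"],
}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The fingerprints match what `ssh-keygen -lf` prints, so findings can be tied back to the private keys an inventory already knows about.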
