FoxGuard opens its doors

Last week we did something special and unusual – we opened our doors to show off what we have been working on.

FoxGuard Solutions along with our partner TDi Technologies came together and unveiled our joint solution for U.S. Department of Energy’s Cybersecurity for Energy Delivery Systems. The solution is a result of a $4.3 million Cooperative Agreement awarded in 2013 from the U.S. Department of Energy’s Cybersecurity for Energy Delivery Systems (CEDS) division.

Believing that the nation’s security, economic prosperity, and the well-being of its citizens depend on reliable energy infrastructure, the DOE solicited our expertise to develop the Patch and Update Management Project (PUMP) for energy delivery systems. The energy sector places an emphasis on the availability and reliability of energy delivery operations. Best practice avoids connecting energy delivery system devices to external networks, but their increasing interconnectivity raises their exposure to cyber vulnerabilities, which makes proper and timely patches and updates critically important to maintaining system cybersecurity.

As part of the unveiling FoxGuard hosted an open house that was attended by government officials, Mayor Michael Barber and Delegate Nick Rush, as well as representatives from NRG Energy, US Department of Energy, University of Arkansas, Arkansas Electric Cooperative Corporation, Argonne National Laboratory, and Virginia Tech.

Our team had a lot of fun showing off our research and development lab. Our team is using a model train, which has equipment representative of an ICS energy environment, to demonstrate what can happen when patches are not properly validated prior to being introduced into production.

During this event, we demonstrated technology and techniques to identify and verify the integrity of updates and patches for energy delivery systems software, hardware and firmware, while also facilitating the deployment of those updates.

KEY ELEMENTS:

• Patch & Update Data Aggregator & Web Portal
• Patch & Update Authentication
• Validation Techniques
• Query Engine

The PUMP program simplifies the process of understanding what patches are available for energy delivery industrial control system devices, for both end users and equipment vendors, while also simplifying a utility’s adherence to the NERC CIP version 6 patch management requirements (CIP-007-6 R2), ultimately leading to a safer grid.

FEEDBACK FROM OUR DEMONSTRATION HAS BEEN EXTREMELY POSITIVE:

“Excellent materials and presentations. I really like the way each of the program element presentations, including the demo, had a brief overview describing the problem statement, why it matters and how your R&D work addressed it. The Q&A and discussion was great and it made the participants, especially the utility folks, think about and understand how the PUMP program will help them.” – US Department of Energy

“Very Impressive! Look forward to more results from you!!!” – University of Arkansas

“Wonderful tool set.” – NRG Energy

WANT TO LEARN MORE ABOUT PATCH MANAGEMENT?
FoxGuard provides a wide range of patch management solutions that help entities identify and mitigate gaps in the security of their systems and prepare for NERC CIP audits. We host a webinar series to discuss ways to develop and implement a robust patch management program. Reserve your spot in our next session.

RESERVE YOUR SPOT

If you want to discuss something specific, we will do that too! Just reach out, tell us what your challenges are, and we will have one of our security experts contact you.

Talk to an Expert

Recent attack identified as Petya.2017 / ExPetr

After further investigation of the recent attack, FoxGuard can confirm that it was not actually PetrWrap, as initially reported, but yet another Petya variant now being called Petya.2017 or ExPetr.

The initial infection appears to have been targeted at Ukraine through a watering-hole attack on compromised Ukrainian news websites and a trojanized update for the M.E.Doc tax accounting software. After the initial infection the malware overwrites the MBR with a fake bootloader and schedules a reboot; on reboot it encrypts the NTFS Master File Table (MFT) while displaying a screen that imitates the Windows CHKDSK dialogue, and when the encryption is complete it displays a ransom message. For lateral movement it uses a credential-stealing tool derived from Mimikatz, then executes on other hosts with the stolen credentials via PsExec and WMIC. It also spreads across networks using the EternalBlue and EternalRomance SMB exploits.

This malware is NOT ransomware. It is a wiper designed to masquerade as ransomware and mislead researchers. First, it uses a single bitcoin wallet for all victims, whereas ransomware normally uses a separate wallet per victim so that payment can be matched to the payer. Second, real ransomware generates an installation key that carries the information needed to derive a recovery key: the victim sends this ID to the attacker, the attacker extracts the decryption key, and that key is used to decrypt the data and restore the MBR so the machine can boot again. ExPetr does not implement a working installation key; it displays a random string of characters that looks like one but cannot be used to derive any recovery key. The malware also writes to disk sectors in a way that causes permanent damage, so recovery is impossible regardless. Together these indicate that the attackers never intended to decrypt anything and were not after money; the attack was carried out simply to cause harm. Finally, the attackers set up only one contact email account, which has already been shut down, so even if the data could be recovered there is no way to reach them.
FoxGuard recommends the following mitigation strategies:
     •  Offline backups
             o  Shadow volume copies can be deleted and connected backups can be reached by the malware, so it is crucial that backups be kept completely offline and disconnected.
     •  SMB
             o  Disable SMBv1 if it is not needed.
             o  Apply the Microsoft SMB patch (MS17-010).
     •  Secure Active Directory
             o  Restrict user privileges and enforce a password policy; in particular, limit how many machines any one account holds local administrator rights on, since the PsExec/WMIC spreading depends entirely on stolen credentials that are valid elsewhere.
     •  Secure Boot
             o  A machine that boots through UEFI with Secure Boot does not execute the malicious MBR bootloader, so the MFT-encryption stage cannot run on it. The user-mode encryption of individual files that happens before the reboot is not prevented by this.
     •  Network
             o  If possible, block inbound TCP port 445 (SMB) at network boundaries; both EternalBlue and EternalRomance are delivered over SMB. Note that PsExec also relies on SMB, while WMIC uses DCOM (TCP 135 plus dynamic ports), so this does not stop every spreading method.

For more information on some of the technologies used in the attack, see the below links:
     Psexec: https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
     WMIC: https://msdn.microsoft.com/en-us/library/bb742610.aspx
     Mimikatz: https://www.offensive-security.com/metasploit-unleashed/mimikatz/
     MBR: https://technet.microsoft.com/en-us/library/cc976786.aspx

For newer information regarding this attack, see the links below:
     https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/
     https://blog.comae.io/petya-2017-is-a-wiper-not-a-ransomware-9ea1d8961d3b
     https://securelist.com/schroedingers-petya/78870/

FoxGuard monitors PetrWrap ransomware attack

REMEMBER WannaCrypt?

This morning (June 27th) Ukraine’s critical services were hit with a set of cyber attacks affecting the country’s power companies, airports, banks, and even the radiation monitoring system at Chernobyl. The attack in question is another piece of ransomware called PetrWrap, an adaptation of Petya. Petya is similar to WannaCrypt, which hit the industry only a short time ago, in that it encrypts the victim’s data using a public/private key pair and demands money (around $300 US) to recover the files. PetrWrap/Petya adds its own twist by also overwriting the master boot record of the victim’s hard drive, leaving it unable to boot. Ukraine was hit first, but the attack has spread and now affects many countries in Europe as well as the US. PetrWrap/Petya appears to be using the same exploit (EternalBlue) that WannaCrypt used. It is believed that a Microsoft Office exploit is used, with malicious Office files delivered via phishing emails, after which the EternalBlue exploit is used to spread across a company’s network.
FoxGuard recommends applying the EternalBlue patches supplied by Microsoft, as well as the patches for the Office exploit to make sure you are protected against this infection and infections using the same exploits.

To view the Microsoft Patches available to prevent the exploits, refer to the links below:
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199

For more information on the attack carried out, refer to the links below:
https://www.us-cert.gov/ncas/current-activity/2017/06/27/Multiple-Petya-Ransomware-Infections-Reported
https://www.theverge.com/2017/6/27/15879480/petrwrap-virus-ukraine-ransomware-attack-europe-wannacry
https://www.tomsguide.com/us/petya-ransomware-attack,news-25389.html

For more information on the ransomware used in the attack, refer to the links below:
https://securelist.com/petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks/77762/
https://securelist.com/petya-the-two-in-one-trojan/74609/

[Screenshot: what is seen after the ransomware has been deployed and the files encrypted]

FBI’s 2016 Cyber crime report released

Last week, the FBI’s Internet Crime Complaint Center (IC3) released its 2016 Crime Report on the different types of reported cybercrimes and their subsequent losses. In 2016, the IC3 received a total of 298,728 complaints with losses exceeding $1.3 billion. The top three types of cybercrime reported were non-payment and non-delivery, personal data breach, and payment scams, while the top types of cybercrime by reported loss were Business Email Compromise (BEC), romance and confidence scams, and non-payment and non-delivery scams.

Other types of cybercrime that wreaked havoc in 2016 were ransomware, tech support fraud, and extortion. Through tactics such as phishing emails, fraudulent tech support calls, and government impersonation schemes, victims are threatened with financial or physical harm or with the release of personal information. Once they have control of a device, criminals can install malware, lock the device or its data and threaten to destroy it unless a ransom is paid (usually in virtual currency), and access financial accounts to wire funds. These tactics are expected to evolve and grow in popularity as cyber threats become more deceptive. The IC3 has published a breakdown of complaints by state so you can see the top Internet crime trends in your area.

Here are some patching and prevention tips to protect yourself from cybercrime:
    • Be aware of what you post on social media. Make sure all media accounts are private, require two-factor authentication, and use secure passwords.
    • Be suspicious of email links and ZIP file attachments, even if the sender seems to be someone you know. Verify that an email is legitimate by checking previous statements for contact information and/or contacting the company directly.
    • Patch your operating systems and applications with the latest security updates. Older software is more vulnerable to attack.
    • Be cautious in supplying personal or financial information on the Internet, especially if a website is not secure. A website may look the same as a legitimate site but vary in URL spelling or domain.
    • Install anti-virus software and firewalls to reduce susceptibility.

Only about 15 percent of the nation’s cybercrime victims report their cases to law enforcement, yet every report of Internet fraud to the IC3, no matter the dollar amount, helps the FBI build a better understanding of Internet crime. Victims are encouraged to file a complaint at http://www.ic3.gov/ and can take further steps to limit their loss by contacting banks and credit card companies to block accounts, attempt to recover lost funds, and track credit transactions.

For more information, refer to the links below:
https://pdf.ic3.gov/2016_IC3Report.pdf
https://www.fbi.gov/news/stories/ic3-releases-2016-internet-crime-report
https://www.us-cert.gov/security-publications/Ransomware

FoxGuard monitors attack targeting ICS – Crash Override / Industroyer

Earlier in the week, an attack framework was brought to the attention of the cyber security industry that specifically targets industrial control systems. This framework is being referred to as Crash Override, and Industroyer.

It is widely believed that this framework was used in the December 2016 attack in Ukraine that shut down a transmission substation serving Kiev. The versions of the framework analyzed so far show that the attackers have extensive knowledge of the industrial control systems used in electric power systems.

Support has been observed for the following ICS protocols:
   •    IEC 60870-5-101
   •    IEC 60870-5-104
   •    IEC 61850
   •    OLE for Process Control Data Access (OPC DA)

No observed sample uses DNP3, the protocol preferred in North America over IEC 101 and IEC 104. That does not mean a DNP3 module does not exist; it may simply not have been observed yet, and given the modular design of the framework one could easily be added if it does not.

The attack reaches ICS equipment through the HMIs that control it, so it is extremely important that all HMIs are fully patched and hardened to the fullest extent possible. The framework has three primary components: the backdoor, the launcher module, and the payload modules. The backdoor authenticates with a local proxy and opens an HTTP channel to a command and control server, which is used to send commands to the framework. The launcher module starts itself as a service, loads the payloads specified at execution time, and then starts a timer to launch a data wiper that renders the system unusable. The payload modules carry out the actual attack on the ICS equipment and contain the protocol-specific logic.
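As an added example written for this page (not code from the original post, nor from ESET or Dragos), the PowerShell below is a quick check to run on a Windows HMI or engineering workstation: it lists established TCP connections to the well-known ports of IEC 60870-5-104 (TCP 2404) and IEC 61850 MMS (TCP 102) together with the owning process, and flags any process that is not on an allowlist. The allowlist names are placeholders to be replaced with the host’s actual SCADA executables; IEC 101 is a serial protocol and OPC DA rides on DCOM, so neither can be picked out by port.

```powershell
# Added example (not from the original post): on a Windows HMI or engineering
# workstation, list established TCP connections to the well-known ports of two of the
# protocols Industroyer speaks and flag owning processes that are not on an allowlist.
# IEC 60870-5-104 uses TCP 2404; IEC 61850 MMS uses TCP 102. IEC 60870-5-101 is serial
# and OPC DA rides on DCOM (TCP 135 plus dynamic ports), so neither is matched by port.
# Requires Windows 8 / Server 2012 or later for Get-NetTCPConnection; on Windows 7 use
# "netstat -ano" and map the PIDs by hand.

$IcsPorts = @{ 2404 = 'IEC 60870-5-104'; 102 = 'IEC 61850 (MMS)' }

# Placeholder process names (without .exe); replace with the host's real SCADA software.
$AllowedProcesses = @('scada_runtime', 'iec104_master')

function Get-IcsProtocolTalkers {
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { $IcsPorts.ContainsKey([int]$_.RemotePort) } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $name = if ($proc) { $proc.ProcessName } else { 'unknown' }
            [pscustomobject]@{
                Protocol = $IcsPorts[[int]$_.RemotePort]
                Remote   = "$($_.RemoteAddress):$($_.RemotePort)"
                Pid      = $_.OwningProcess
                Process  = $name
                Path     = if ($proc) { $proc.Path } else { $null }
                Allowed  = ($AllowedProcesses -contains $name)
            }
        }
}

$talkers = @(Get-IcsProtocolTalkers)
$talkers | Format-Table -AutoSize

# Anything talking IEC 104 or MMS that is not the known HMI/SCADA software deserves a look:
# Industroyer's payload modules run on the compromised HMI and speak these protocols directly.
$suspect = @($talkers | Where-Object { -not $_.Allowed })
if ($suspect.Count -gt 0) {
    Write-Warning "$($suspect.Count) process(es) speaking an ICS protocol are not on the allowlist; investigate before trusting this HMI."
}
```

Run it elevated so that the owning process and its path can be resolved for every connection. A process that is on the allowlist by name but whose Path is outside the SCADA vendor’s installation directory is also worth investigating, since the name alone is trivial to spoof.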

Separately, Microsoft has released patches for out-of-support operating systems to harden them against several vulnerabilities, including remote code execution flaws, citing a “heightened risk of exploitation due to past and threatened nation-state attacks and disclosures.” Operating systems still in support received the same fixes through the regular June update. This release does NOT mean the older operating systems are back in support; it was made only because of the severity of the vulnerabilities. The out-of-support platforms covered are Windows XP, Windows Vista, Windows 8 and Windows Server 2003; Windows Server 2008, which is still in extended support, receives the fixes through its normal updates. It is strongly recommended to apply these patches as soon as possible to protect your systems.

For more information on Crash Override / Industroyer, refer to the links below:
https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf
https://dragos.com/blog/crashoverride/CrashOverride-01.pdf

For more information on Microsoft’s release of patches, refer to the links below:
https://support.microsoft.com/en-us/help/4025687/microsoft-security-advisory-4025685-guidance-for-older-platforms
https://technet.microsoft.com/en-us/library/security/4025685.aspx#ID0ETJAC

Confirm the Wannacry patch is installed

Microsoft released a patch in March of this year for all currently supported operating systems. Due to the seriousness of the WannaCry ransomware attack, Microsoft has also provided security updates for previously unsupported operating systems. Here are some tips that can be used to confirm the WannaCry patch is installed on your system.

Windows 7
   To see if the patch is already installed:
   • Click Start > Control Panel > System and Security.
   • Under Windows Update, click the View installed updates link.
   • Scan the list (it can be sorted by name by clicking the Name column header, or by date). If ANY of these updates is installed, you are protected:
            –      2017-05 Security Monthly Quality Rollup for Windows 7 (KB4019264)
            –      April, 2017 Preview of Monthly Quality Rollup for Windows 7 (KB4015552)
            –      April, 2017 Security Monthly Quality Rollup for Windows 7 (KB4015549)
            –      March, 2017 Security Monthly Quality Rollup for Windows 7 (KB4012215)
            –      March, 2017 Security Only Quality Update for Windows 7 (KB4012212)

Windows 8.1
   To see if the patch is already installed:
   • Click Start > Control Panel > System and Security.
   • Under Windows Update, click the View installed updates link.
   • Scan the list (it can be sorted by name by clicking the Name column header, or by date). If ANY of these updates is installed, you are protected:
            –      2017-05 Security Monthly Quality Rollup for Windows 8.1 (KB4019215)
            –      April, 2017 Preview of Monthly Quality Rollup for Windows 8.1 (KB4015553)
            –      April, 2017 Security Monthly Quality Rollup for Windows 8.1 (KB4015550)
            –      March, 2017 Security Monthly Quality Rollup for Windows 8.1 (KB4012216)
            –      March, 2017 Security Only Quality Update for Windows 8.1 (KB4012213)

Windows 10
   • CREATORS UPDATE (version 1703) already includes the fix.
   • ANNIVERSARY UPDATE (version 1607): if you have build 14393.953 or later, you are fine. If not, use Windows Update to install the latest build, 14393.1198.
   • NOVEMBER UPDATE (version 1511): use the steps below to check your build number. You must be at build 10586.839 or later.
   • RTM (version 1507): same procedure; make sure you are at build 10240.17319 or later.

   To see what build version of Windows 10 you are using:
           –      Use the Cortana search box (to the right of the Start icon)
           –      type: winver
           –      Press Enter
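The manual checks above can be scripted. The PowerShell below is an added example written for this page, not code from the FoxGuard post or from Microsoft. It uses the KB numbers and minimum build numbers listed above, reads installed updates with the standard Get-HotFix cmdlet (which queries Win32_QuickFixEngineering), and uses Get-WmiObject rather than the newer CIM cmdlets so that it also runs on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example (not from the original post): confirm MS17-010 coverage on
# Windows 7 / 8.1 by installed KB and on Windows 10 by build.UBR.
# The KB numbers and minimum builds are the ones listed in the post above.

$KbByOs = @{
    'Windows 7'   = @('KB4019264', 'KB4015552', 'KB4015549', 'KB4012215', 'KB4012212')
    'Windows 8.1' = @('KB4019215', 'KB4015553', 'KB4015550', 'KB4012216', 'KB4012213')
}

# Windows 10: CurrentBuild -> minimum UBR (the number after the dot) that carries the fix.
# 15063 (1703) shipped with the fix already, so any UBR is acceptable there.
$MinUbrByBuild = @{
    '15063' = 0        # 1703 Creators Update
    '14393' = 953      # 1607 Anniversary Update
    '10586' = 839      # 1511 November Update
    '10240' = 17319    # 1507 RTM
}

function Test-Ms17010Coverage {
    # Get-WmiObject rather than Get-CimInstance so this runs on PowerShell 2.0 (Windows 7)
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    if ($os.Caption -match 'Windows 10') {
        $build = [string]$cv.CurrentBuild
        $ubr   = [int]$cv.UBR                 # update build revision: 14393.1198 -> 1198
        if (-not $MinUbrByBuild.ContainsKey($build)) {
            return "UNKNOWN: Windows 10 build $build.$ubr is not in the table; check manually"
        }
        $min = $MinUbrByBuild[$build]
        if ($ubr -ge $min) {
            return "OK: Windows 10 build $build.$ubr is at or above $build.$min"
        }
        return "PATCH MISSING: Windows 10 build $build.$ubr is below $build.$min"
    }

    # Windows 7 / 8.1: any one of the listed KBs is sufficient
    $osKey = $KbByOs.Keys | Where-Object { $os.Caption -match [regex]::Escape($_) } | Select-Object -First 1
    if (-not $osKey) {
        return "UNKNOWN: '$($os.Caption)' is not handled here; check manually"
    }
    $installed = Get-HotFix | ForEach-Object { $_.HotFixID }
    $present   = @($KbByOs[$osKey] | Where-Object { $installed -contains $_ })
    if ($present.Count -gt 0) {
        return "OK: $osKey has $($present -join ', ') installed"
    }
    return "PATCH MISSING: none of $($KbByOs[$osKey] -join ', ') is installed on $osKey"
}

Test-Ms17010Coverage
```

A result of UNKNOWN (for example on Windows Server or a newer Windows 10 release) means the table does not cover the host, not that it is unpatched; extend the two tables from the MS17-010 bulletin for those platforms. Note that Get-HotFix only reports updates recorded by the Windows Update machinery, so an update installed through some third-party mechanism may need to be confirmed from the file version of srv.sys instead.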


FoxGuard monitors global ransomware cyber attack – WannaCry

FoxGuard continues to monitor a global ransomware cyber-attack, identified as Ransom:Win32/WannaCrypt and referred to as WannaCrypt or WannaCry, that seems to be targeting organizations and individuals in various countries. While FoxGuard remains unaffected by the attack, we are in the process of reaching out to current customers of our Patch Availability Reporting (PAR) and Validation services who were notified of this critical patch as part of our March reports.

The ransomware encrypts files and extorts a fee from the user to decrypt them. It also exploits a Server Message Block (SMB) protocol vulnerability in Microsoft Windows to spread to other reachable computers. There are reports that affected systems have also had the DoublePulsar backdoor installed. Countermeasures have been taken by the Internet community and vendors to slow, detect and stop the spread of the ransomware.

Microsoft released a patch (MS17-010) in March of this year for all currently supported operating systems. Due to the seriousness of this attack, Microsoft has also provided security updates for previously unsupported operating systems including Windows XP, Windows 8 and Windows Server 2003. If you are unable to install the patch at this time, Microsoft suggests that SMBv1 be disabled on all vulnerable systems.

Attacks of this nature may have a significant impact, and it is important for organizations and individuals to ensure that they:
   •    Keep antivirus and antimalware applications up to date.
   •    Install security updates as soon as they become available and in accordance with patch management processes.
   •    Create regular backups of important files and store them in a location that vulnerable systems cannot reach.
   •    Do not click on or open any attachments received within unsolicited emails.
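The SMB recommendations in this post (disable SMBv1 where the patch cannot be installed) and in the ExPetr post above (disable SMBv1, block inbound TCP 445) can be audited and applied with the PowerShell below. It is an added example written for this page, not code from FoxGuard or Microsoft; it uses the SMB, firewall and DISM cmdlets on Windows 8 / Server 2012 and later, and falls back to the registry value and netsh command Microsoft documents for Windows 7 / Server 2008 R2 (KB2696547). The firewall rule name is an arbitrary label chosen here.

```powershell
# Added example (not from the original posts): audit, and optionally harden, SMB on a
# Windows host against the SMBv1 vector used by WannaCry and ExPetr. Run elevated.
# Without -Enforce it only reports. On ICS hosts validate in a test environment first:
# legacy HMI and historian software may still depend on SMBv1, and blocking inbound
# TCP 445 also blocks inbound file sharing and PsExec-style administration of the host.
param([switch]$Enforce)

$RuleName = 'Block inbound SMB (TCP 445)'   # arbitrary label for the host firewall rule
$Lanman   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-SmbExposure {
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later
        $smb1    = (Get-SmbServerConfiguration).EnableSMB1Protocol
        $rule    = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
        $blocked = [bool]($rule -and $rule.Enabled -eq 'True')
    } else {
        # Windows 7 / Server 2008 R2: the SMB1 registry value is the documented switch
        # (a missing value means SMBv1 is enabled); the firewall rule is checked via netsh
        $v       = Get-ItemProperty -Path $Lanman -Name SMB1 -ErrorAction SilentlyContinue
        $smb1    = ($null -eq $v) -or ($v.SMB1 -ne 0)
        $blocked = [bool]((netsh advfirewall firewall show rule name="$RuleName" 2>$null) -match 'Enabled:\s+Yes')
    }
    New-Object PSObject -Property @{ Smb1Enabled = [bool]$smb1; Port445Blocked = $blocked }
}

function Set-SmbHardening {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Turn SMBv1 off in the server and remove the optional feature so the driver is not loaded
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
        if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
                -LocalPort 445 -Action Block -Profile Any | Out-Null
        }
    } else {
        # Windows 7 / Server 2008 R2 path (Microsoft KB2696547); the SMB1 value takes effect after a reboot
        Set-ItemProperty -Path $Lanman -Name SMB1 -Type DWord -Value 0 -Force
        netsh advfirewall firewall add rule name="$RuleName" dir=in action=block protocol=TCP localport=445 | Out-Null
    }
}

$before = Get-SmbExposure
"Before: SMB1Enabled=$($before.Smb1Enabled) Port445Blocked=$($before.Port445Blocked)"
if ($Enforce) {
    Set-SmbHardening
    $after = Get-SmbExposure
    "After:  SMB1Enabled=$($after.Smb1Enabled) Port445Blocked=$($after.Port445Blocked)"
} else {
    'Audit only; re-run with -Enforce to apply the changes.'
}
```

Disabling SMBv1 removes the protocol that EternalBlue and EternalRomance target but does not replace the MS17-010 patch, which also fixes the SMBv1 server code for hosts that must keep it enabled. Run the audit mode across a fleet first to find the hosts that still have SMBv1 on, and apply the firewall rule only where inbound SMB is not needed.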

For more information:
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack/#sm.0000umhdb0m5mdizwzh13u3fz7x7z

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147

https://www.us-cert.gov/ncas/alerts/TA17-132A

Patch Availability Reports – NEW FEATURES!

FoxGuard Solutions has made improvements to the monthly Patch Availability Reports. We believe there will be a lot of excitement around these NEW ADDED FEATURES. There will be new fields represented on the report for Patch Evidence and CVE Details.

PATCH EVIDENCE – Better meet the requests from your auditors.
We have added a table to the end of the report that will show two types of evidence: Patch Quantity and Patch Quality. 

PATCH QUANTITY – A screenshot will be provided that shows the number of patches provided from the source vendor within your report time line. This will also include a screenshot if NO patches were provided by the vendor within the same report time line.

PATCH QUALITY – If a patch was released within the report time line, this evidence is a screenshot of the actual patch data ensuring FoxGuard has provided the correct details, as well as date/time stamp of when the evidence was captured.

Note: Patch Evidence is captured at the Vendor> Product> Version level, so if you have multiple listings of the same item in your Availability table in the report (first in the report), it will only be shown once in the evidence table, making this a more condensed, easier-to-use listing.

CVE DETAILS – More Vulnerability Details!
We are adding the CVSS (version 2) score and description, which provide further vulnerability details so you can better assess the criticality of each patch.

Regulatory Growth as of April 2017

Earlier this month, Compliance & Risks published its quarterly regulatory growth charts for April 2017. The charts show regulatory growth by subject and region.

Overall growth by year shows an increase in regulations of over 30% from April 2016 to April 2017 (and pending), covering the areas of batteries, climate change, energy, packaging, product safety, substances, and waste.

By region, the largest growth during this time period was in the Latin America / Caribbean region.

FoxGuard tracks pending new legislation, as well as upcoming changes to existing legislation, and works closely with our supplier network to ensure continued compliance of systems and components.

Regulatory Changes Requiring New Documentation

As always, the world of regulatory compliance for IT equipment evolves and expands, and changes are on our doorstep, with further changes being right around the corner.

EU Declaration of Conformity – EMC standard EN 55032:2012 mandatory as of March 5, 2017

In less than one month, EMC standard EN 55022:2010 expires, and EN 55032:2012 must be reflected on EU Declarations of Conformity. 

Two items of note regarding this change:

  • EN 55032:2012 v. EN 55032:2015

Although EN 55032:2015 has been published, it has not yet been adopted by the European Commission under EMC Directive 2014/30/EU.  Until the 2015 version is adopted under the EMC Directive, EN 55032:2012 is the standard that must be on the CE Declaration.  Recommendations have been made to have products tested to both versions, so both versions of the standard can be cited on the product CE Declaration.  For a complete list of EMC standards currently adopted under Directive 2014/30/EU, please visit https://ec.europa.eu/growth/single-market/european-standards/harmonised-standards/electromagnetic-compatibility_en.

  • EN 55032 v. EN 55011

Certain types of equipment are in scope of both EN 55022/55032 (Information Technology Equipment) and EN 55011 (Industrial, scientific and medical equipment), which is still in force.  If your equipment falls into this category, please note that EN 55011 cannot be accepted in lieu of EN 55032, since the CE Declaration must include all standards relevant to the product.

REACH – Four Additions to Substances of Very High Concern (SVHC) List

Four new chemicals have been added to the REACH Substances of Very High Concern (SVHC) list, bringing the total number of substances on the list to 173. 

Around the corner …

  • Taiwan RoHS enters into force in 2017, with mandatory enforcement dates ranging from May to November. Please check with your test lab for product-specific dates.
  • Singapore RoHS also enters into force, in June 2017. Please check with your test lab regarding specific requirements for your products.