FOXGUARD MONITORS PETRWRAP RANSOMWARE ATTACK

REMEMBER WannaCrypt?

This morning (June 27th, 2017) Ukraine's critical services were hit with a set of cyber attacks affecting Ukraine's power companies, airports, banks, and even a radiation monitoring system at Chernobyl. The attack in question is another piece of ransomware, called PetrWrap, an adaptation of Petya. Petya is similar to WannaCrypt, which hit the industry just a short time ago, in that it encrypts the victim's data using a public/private key pair and demands money (around $300 US) to recover the files. PetrWrap/Petya adds its own twist by also overwriting the master boot record of the victim's hard drive, leaving the machine unable to boot. Ukraine was hit first, but the attack has spread and now affects many countries in Europe, as well as the US. PetrWrap/Petya appears to use the same exploit (EternalBlue) that was used by WannaCrypt. It is believed that the initial infection arrives as a malicious Office document delivered by phishing email, which exploits a Microsoft Office vulnerability (CVE-2017-0199, advisory linked below); once inside, the malware uses the EternalBlue SMB exploit to spread across the company's network.
FoxGuard recommends applying the MS17-010 (EternalBlue) patches supplied by Microsoft, as well as the patch for the Office vulnerability, to make sure you are protected against this infection and against any other malware using the same exploits. Note that the SMB patch only blocks the network spread; a user who opens the malicious attachment on an unpatched Office installation can still infect their own machine, so both patches are needed.

To view the Microsoft Patches available to prevent the exploits, refer to the links below:
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199

For more information on the attack carried out, refer to the links below:
https://www.us-cert.gov/ncas/current-activity/2017/06/27/Multiple-Petya-Ransomware-Infections-Reported
https://www.theverge.com/2017/6/27/15879480/petrwrap-virus-ukraine-ransomware-attack-europe-wannacry
https://www.tomsguide.com/us/petya-ransomware-attack,news-25389.html

For more information on the ransomware used in the attack, refer to the links below: 
https://securelist.com/petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks/77762/
https://securelist.com/petya-the-two-in-one-trojan/74609/

[Screenshot: the ransom note displayed after the ransomware has run and the files have been encrypted.]

WANT TO LEARN MORE ABOUT PATCH MANAGEMENT?
FoxGuard provides a wide range of patch management solutions that help entities identify and mitigate gaps in the security of their systems and prepare for NERC CIP audits. We host a webinar series to discuss ways to develop and implement a robust patch management program. Reserve your spot in our next session.

RESERVE YOUR SPOT

If you want to discuss something specific, we will do that too! Just reach out, tell us what your challenges are, and we will have one of our security experts contact you.

TALK TO AN EXPERT

CIP & YOUR HMI: A SIMPLIFIED SOLUTION

NERC CIP Simplified Solution

“Discusses the process of increasing the level of security compliance for entities operating in the Bulk Electric System (BES) by putting a large amount of the burden on those that supply the assets to the utilities.”

FBI’S 2016 CYBERCRIME REPORT RELEASED

Last week, the FBI’s Internet Crime Complaint Center (IC3) released its 2016 Crime Report on the different types of reported cybercrimes and their subsequent losses. In 2016, the IC3 received a total of 298,728 complaints with losses exceeding $1.3 billion. The top three types of cybercrime reported were non-payment and non-delivery, personal data breach, and payment scams, while the top types of cybercrime by reported loss were Business Email Compromise (BEC), romance and confidence scams, and non-payment and non-delivery scams.

Other types of cybercrime that wreaked havoc in 2016 are ransomware, tech support fraud, and extortion. Through tactics such as phishing emails, fraudulent tech support calls, and/or government impersonation schemes, victims are threatened with financial or physical harm or the release of personal information. Once they have control over a device, cyber criminals can install malware, hold the victim's data or applications hostage and threaten to destroy them unless a ransom is paid (usually in virtual currency), and access financial accounts to wire funds. These tactics are only expected to evolve and grow in popularity as cyber threats become more deceptive. The IC3 has published a breakdown of complaints organized by state, so you can examine the top Internet crime trends in your area.

Here are some other patching and prevention tips to protect yourself from cybercrime:
    • Be aware of what you post on social media. Make sure all media accounts are private, 
       require two-factor authentication, and use secure passwords.
    • Be suspicious of opening email links or ZIP file attachments, even if the sender seems 
       to be someone you know. Verify if an email is legitimate by checking previous statements 
       for contact information and/or contacting a company directly. 
    • Patch your operating systems and applications with the latest security updates. 
       Older software is more vulnerable to attack. 
    • Be cautious in supplying personal or financial information on the Internet, 
       especially if a website is not secure. A website may look the same as a legitimate 
       site, but vary in URL spelling or domain. 
    • Install anti-virus software and firewalls to reduce susceptibility.

Only 15 percent of the nation's cybercrime victims report their cases to law enforcement, though any report of Internet fraud to the IC3, no matter the dollar amount, helps the FBI gain a better understanding of Internet crime. Victims are encouraged to file a complaint at https://www.ic3.gov/ and can take further action to limit their loss by contacting their banks and/or credit card companies to block accounts, attempt to recover lost funds, and monitor credit transactions.

For more information, refer to the links below:
https://pdf.ic3.gov/2016_IC3Report.pdf
https://www.fbi.gov/news/stories/ic3-releases-2016-internet-crime-report
https://www.us-cert.gov/security-publications/Ransomware



FoxGuard monitors attack targeting ICS – Crash Override / Industroyer

Earlier in the week, an attack framework that specifically targets industrial control systems was brought to the attention of the cyber security industry. This framework is being referred to as Crash Override and as Industroyer.

It is widely believed that this framework was used in the December 2016 attack in Ukraine, which shut down a large portion of a transmission substation serving Kiev. The versions of the framework analyzed so far show that the attackers have extensive knowledge of the industrial control systems used in electric power systems.

Support has been observed for the following ICS protocols:
   •    IEC 60870-5-101
   •    IEC 60870-5-104
   •    IEC 61850
   •    OLE for Process Control Data Access (OPC DA).

There have not been any observed cases of the malware using the DNP3 protocol, which is the preferred protocol in North America, as opposed to IEC 101 and IEC 104. This does not, however, mean that a DNP3 module does not exist in the framework; it may simply not have been revealed yet. Given the modular design of the framework, a DNP3 module could also be implemented easily if one does not already exist.

The attack reaches ICS equipment through the HMIs controlling it. It is therefore extremely important to make sure all HMIs are fully updated and hardened to the fullest extent. The framework has three primary module types: the backdoor, the launcher, and the payloads. The backdoor authenticates with a local proxy and opens an HTTP channel to a command and control server, which is used to send commands to the framework. The launcher starts itself as a service, loads the payloads defined at execution time, then starts a timer to launch a data wiper, which renders the system unusable. The payload modules carry out the actual attack on the ICS equipment and contain the protocol-specific logic.

Microsoft has also released patches for out-of-support operating systems to harden them against several vulnerabilities, including remote code execution. Microsoft released these patches because of the "heightened risk of exploitation due to past and threatened nation-state attacks and disclosures." Operating systems still in support received the patches as well. The release of these patches does NOT constitute a return to service for the out-of-support operating systems; they were released only because of the severity of the vulnerabilities. The out-of-support operating systems for which the patches were made available are as follows: Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. It is strongly recommended to apply these patches as soon as possible to prevent attacks on your systems.

For more information on Crash Override / Industroyer, refer to the links below:
https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf
https://dragos.com/blog/crashoverride/CrashOverride-01.pdf

For more information on Microsoft’s release of patches, refer to the links below:
https://support.microsoft.com/en-us/help/4025687/microsoft-security-advisory-4025685-guidance-for-older-platforms
https://technet.microsoft.com/en-us/library/security/4025685.aspx#ID0ETJAC



Confirm the WannaCry patch is installed

Microsoft released a patch in March of this year for all currently supported operating systems. Due to the seriousness of the WannaCry ransomware attack, Microsoft has also provided security updates for previously unsupported operating systems. Here are some tips that can be used to confirm the WannaCry patch is installed on your system.

Windows 7
   • To see if the patch is already installed:
   • Click Start > Control Panel > System and Security.
   • Under Windows Update click the View installed updates link.
   • Scan the list (which can be sorted alphabetically by clicking the Name column header, or sorted by date).
      If ANY of these updates is installed, you are protected:
           –      2017-05 Security Monthly Quality Rollup for Windows 7 (KB4019264)
           –      April, 2017 Preview of Monthly Quality Rollup for Windows 7 (KB4015552)
           –      April, 2017 Security Monthly Quality Rollup for Windows 7 (KB4015549)
           –      March, 2017 Security Monthly Quality Rollup for Windows 7 (KB4012215)
           –      March, 2017 Security Only Quality Update for Windows 7 (KB4012212)

Windows 8.1
   • To see if the patch is already installed:
   • Click Start > Control Panel > System and Security.
   • Under Windows Update click the View installed updates link.
   • Scan the list (which can be sorted alphabetically by clicking the Name column header, or sorted by date).
      If ANY of these updates is installed, you are protected:
           –      2017-05 Security Monthly Quality Rollup for Windows 8.1 (KB4019215)
           –      April, 2017 Preview of Monthly Quality Rollup for Windows 8.1 (KB4015553)
           –      April, 2017 Security Monthly Quality Rollup for Windows 8.1 (KB4015550)
           –      March, 2017 Security Monthly Quality Rollup for Windows 8.1 (KB4012216)
            –      March, 2017 Security Only Quality Update for Windows 8.1 (KB4012213)

Windows 10
   • CREATORS UPDATE (version 1703) is OK: it was released after the fix.
   • ANNIVERSARY UPDATE (version 1607) – If you have Build 14393.953 or later, you are fine.
      If you do not, use Windows Update to install the latest build (14393.1198 at the time of writing).
   • NOVEMBER UPDATE (version 1511) – use the steps below to check your build number.
      You must be at build 10586.839 or later.
   • RTM ("version 1507") – same procedure; make sure you are at or beyond build 10240.17319.

   To see what build version of Windows 10 you are using:
           –      Use the Cortana search box (to the right of the Start icon)
           –      type: winver
           –      Press Enter
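As an added example (not from the original FoxGuard post), the following PowerShell script performs the same check from the command line so it can be run on each host, or pushed out with your remote-management tooling. It uses only the KB numbers and Windows 10 build thresholds listed above; the mapping of base builds 10240/10586/14393/15063 to versions 1507/1511/1607/1703 is standard Microsoft numbering. Run it from an elevated PowerShell prompt on the host being checked.

```powershell
# Added example, not part of the original post: report whether this host carries the
# MS17-010 (WannaCry) fix, using the KB list and Windows 10 build thresholds above.

# KBs that contain the MS17-010 fix, per OS family, as listed in the post.
$Ms17010Kbs = @{
    'Windows 7'   = @('KB4012212', 'KB4012215', 'KB4015549', 'KB4015552', 'KB4019264')
    'Windows 8.1' = @('KB4012213', 'KB4012216', 'KB4015550', 'KB4015553', 'KB4019215')
}

# Minimum update build revision (UBR) per Windows 10 base build, as listed in the post.
# 15063 (version 1703) was released after the fix, so any revision is fine.
$Win10MinUbr = @{
    '10240' = 17319   # version 1507 (RTM)
    '10586' = 839     # version 1511
    '14393' = 953     # version 1607
    '15063' = 0       # version 1703 (Creators Update)
}

function Test-Ms17010 {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    if ($os.Caption -match 'Windows 10') {
        # Windows 10 uses cumulative updates, so compare the build revision
        # (the number after the dot in winver) instead of looking for a KB.
        $build = [string]($cv.CurrentBuildNumber)   # e.g. "14393"
        $ubr   = [int]($cv.UBR)                     # e.g. 1198
        if (-not $Win10MinUbr.ContainsKey($build)) {
            $detail = "Unknown Windows 10 build $build.$ubr; check manually"
            return [pscustomobject]@{ OS = $os.Caption; Patched = $null; Detail = $detail }
        }
        $ok     = $ubr -ge $Win10MinUbr[$build]
        $detail = "Build $build.$ubr (minimum $build.$($Win10MinUbr[$build]))"
        return [pscustomobject]@{ OS = $os.Caption; Patched = $ok; Detail = $detail }
    }

    $family = if ($os.Caption -match 'Windows 7') { 'Windows 7' }
              elseif ($os.Caption -match 'Windows 8\.1') { 'Windows 8.1' }
    if (-not $family) {
        $detail = 'OS not covered by this check; see the MS17-010 bulletin for its KB list'
        return [pscustomobject]@{ OS = $os.Caption; Patched = $null; Detail = $detail }
    }

    # Get-HotFix reads Win32_QuickFixEngineering, which only knows about updates
    # installed through Windows Update / WUSA. "Not found" therefore means
    # "verify", not necessarily "vulnerable".
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = @($Ms17010Kbs[$family] | Where-Object { $installed -contains $_ })
    $detail = if ($found.Count -gt 0) { "Found $($found -join ', ')" }
              else { 'None of the listed KBs present; a later cumulative rollup may still contain the fix' }
    [pscustomobject]@{ OS = $os.Caption; Patched = ($found.Count -gt 0); Detail = $detail }
}

Test-Ms17010 | Format-List
```

Two caveats when reading the result. Monthly Rollups are cumulative, so a Windows 7 or 8.1 host that only has a rollup newer than May 2017 is patched even though none of the KBs above appear; treat "None of the listed KBs present" as a prompt to look at the most recent rollup installed, not as proof of exposure. And on hosts where updates were applied by a third-party tool rather than Windows Update, Get-HotFix may not list them at all, which is another reason to confirm by build or file version rather than by KB alone.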

NEED MORE HELP!
FoxGuard Solutions has the key to starting a successful patch and update management program. We have a complete program that includes asset analysis, patch reporting, validation and deployment solutions to ensure our clients are secure and compliant. 


FoxGuard monitors global ransomware cyber attack – WannaCry

FoxGuard continues to monitor a global ransomware cyber-attack, identified as Ransom:Win32/WannaCrypt and referred to as WannaCrypt or WannaCry, that seems to be targeting organizations and individuals in various countries. While FoxGuard remains unaffected by the attack, we are in the process of reaching out to current customers of our Patch Availability Reporting (PAR) and Validation services who were notified of this critical patch as part of our March reports.

The ransomware encrypts files and extorts a fee from the user in order to decrypt them. It also exploits a Server Message Block (SMB) protocol vulnerability in Microsoft Windows in order to spread to other reachable computers, both on the local network and across the Internet. There are reports that affected systems have also had the DoublePulsar backdoor installed. Countermeasures have been taken by the Internet community and vendors to slow, detect and stop the spread of the ransomware.

Microsoft released a patch in March of this year for all currently supported operating systems. Due to the seriousness of this attack, Microsoft has also provided security updates for previously unsupported operating systems including Windows XP, Windows 8 and Windows Server 2003. If you are unable to install the patch at this time then Microsoft suggests that SMB v1 be disabled on all vulnerable systems.

Attacks of this nature may have a significant impact and it is important for organizations and individuals to ensure that they:
   •    Keep antivirus and antimalware applications up to date.
   •    Install security updates as soon as they become available and in accordance with
         patch management processes.
   •    Create regular backups of important files and store them in a location that vulnerable
         systems cannot reach.
   •    Do not click on or open any attachments received within unsolicited emails.
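Microsoft's fallback advice above, disabling SMB v1 where the patch cannot be applied yet, can be audited and applied with PowerShell. The script below is an added example (not from the original post and not Microsoft's own code); the registry value, driver name and optional-feature name it touches are the ones Microsoft documents in KB2696547 for disabling SMBv1 on Windows 7/Server 2008 R2 and on Windows 8.1/Server 2012 R2 and later. Run it from an elevated prompt; by default it only reports.

```powershell
# Added example, not part of the original post: audit and (optionally) disable SMBv1
# on a Windows host. Registry value, driver and feature names are those Microsoft
# documents in KB2696547. Run from an elevated PowerShell prompt.

$LanmanServer = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Smb1Driver   = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'

function Get-Smb1State {
    $state = [ordered]@{}

    # Server side (Windows 7 / Server 2008 R2 and later): SMB1 DWORD; absent = enabled.
    $srv = Get-ItemProperty -Path $LanmanServer -ErrorAction SilentlyContinue
    $serverSmb1 = if ($null -eq $srv.SMB1) { 'enabled (default, value absent)' }
                  elseif ($srv.SMB1 -eq 0)  { 'disabled' }
                  else                      { 'enabled' }
    $state.ServerSmb1 = $serverSmb1

    # Client side: the SMB1 redirector driver; Start = 4 means disabled.
    $drv = Get-ItemProperty -Path $Smb1Driver -ErrorAction SilentlyContinue
    $clientDriver = if ($null -eq $drv)       { 'not present' }
                    elseif ($drv.Start -eq 4) { 'disabled' }
                    else                      { 'enabled' }
    $state.ClientDriver = $clientDriver

    # Windows 8.1 / Server 2012 R2 and later also expose SMB1 as an optional feature.
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $f = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        if ($f) { $state.OptionalFeature = [string]$f.State }
    }
    [pscustomobject]$state
}

function Disable-Smb1 {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # Server: stop accepting SMB1 connections (takes effect after a reboot).
    if ($PSCmdlet.ShouldProcess('LanmanServer', 'set SMB1 = 0')) {
        Set-ItemProperty -Path $LanmanServer -Name SMB1 -Type DWord -Value 0 -Force
    }
    # Client: drop the workstation service's dependency on the SMB1 redirector, then disable it.
    if ($PSCmdlet.ShouldProcess('mrxsmb10', 'disable SMB1 client driver')) {
        sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
        sc.exe config mrxsmb10 start= disabled | Out-Null
    }
    # Newer builds: remove the optional feature as well.
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        if ($PSCmdlet.ShouldProcess('SMB1Protocol', 'disable optional feature')) {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        }
    }
}

Get-Smb1State
# Disable-Smb1 -WhatIf   # preview the changes; drop -WhatIf to apply, then reboot
```

Audit before you disable. Anything that only speaks SMBv1 (Windows XP and Server 2003 hosts, older HMIs and historians, some printers and NAS units) will lose file-share access to this host once the server-side value is set, which in an ICS environment can be worse than the vulnerability you are mitigating. The -WhatIf support lets you see which of the three changes would apply on a given build before committing; the registry and driver changes need a reboot to take effect.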

For more information:
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack/#sm.0000umhdb0m5mdizwzh13u3fz7x7z

https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0147

https://www.us-cert.gov/ncas/alerts/TA17-132A



Patch Availability Reports – NEW FEATURES!

FoxGuard Solutions has made improvements to the monthly Patch Availability Reports. We believe there will be a lot of excitement around these NEW ADDED FEATURES. There will be new fields represented on the report for Patch Evidence and CVE Details.

PATCH EVIDENCE – Better meet the requests from your auditors.
We have added a table to the end of the report that will show two types of evidence: Patch Quantity and Patch Quality. 

PATCH QUANTITY – A screenshot will be provided that shows the number of patches provided from the source vendor within your report time line. This will also include a screenshot if NO patches were provided by the vendor within the same report time line.

PATCH QUALITY – If a patch was released within the report time line, this evidence is a screenshot of the actual patch data ensuring FoxGuard has provided the correct details, as well as date/time stamp of when the evidence was captured.

Note: Patch Evidence is captured at the Vendor > Product > Version level, so if you have multiple listings of the same item in the Availability table (the first table in the report), it will be shown only once in the evidence table, making this a more condensed, easier-to-use listing.

CVE DETAILS – More Vulnerability Details!
We are adding the CVSS (version 2) score and description. This provides further vulnerability details so you can better assess the criticality of each patch.




Valley Business Front Feature Article

FoxGuard Solutions is proud to be featured in the April 2017 edition of Valley Business Front.

SPECIAL NETWORK AGENT
FoxGuard specializes in utilities. It has built full-featured security and compliance programs for several of the largest energy equipment vendors in the world. Through these programs, it has deployed solutions at hundreds of sites in over 30 countries throughout the world. It also works directly with energy utilities to assist them in building their patch management programs across their infrastructures. FoxGuard has seen great demand for these solutions in the electric utility market as cyberattacks involving malware create more awareness, and as compliance standards increase the scope of assets that need to be addressed.

The importance of how private and municipal utilities will protect and defend their networks is monumental, giving FoxGuard a strong footprint in the industry. Industrial control systems (ICS) in critical infrastructure are high-risk targets for attack and exploitation. These systems are considered so vital to the United States that the interruption or disablement could have catastrophic effects on the security, economy, health, or safety of its citizens. As a result, the North American Electric Reliability Corporation (NERC) has established standards and regulations on securing systems in the ICS environment. Patches and updates are required to help resolve security vulnerabilities, address functional issues, and meet compliance requirements. Besides utilities, other critical infrastructure markets include water and health care, Muscatello says.

See the full article here.

Regulatory Growth as of April 2017

Earlier this month, Compliance & Risks published its quarterly regulatory growth charts for April 2017. The charts show regulatory growth by subject and region.

Overall growth by year shows an increase in regulations of over 30% from April 2016 to April 2017 (and pending), covering the areas of batteries, climate change, energy, packaging, product safety, substances, and waste.

By region, the largest growth during this time period was in the Latin America / Caribbean region.

FoxGuard tracks pending new legislation, as well as upcoming changes to existing legislation, and works closely with our supplier network to ensure continued compliance of systems and components.

SIGNING, HASHING & UPDATE SECURITY

Creating confidence and security in your product’s pipeline