
Patching Lessons Learned – Part 2

 Information Technology (IT) vs. Operational Technology (OT)

Our last post focused on the definition of a “patch” and why “patching” is important. Today, we are sharing some of our lessons learned with regard to building a healthy patch management program. For starters, all systems are not the same and should not be treated as such.

There IS a difference when it comes to patching in Information Technology (IT) versus Operational Technology (OT) environments. With a common office desktop, if a patch causes an issue, the machine can usually be rebooted after installation and, in many cases, that resolves it. With OT equipment, timing and validation are critical: a patch for a critical asset should be tested against the specific hardware, firmware and application versions in use before it is scheduled into a maintenance window, and a rollback path should be identified up front. Additionally, many of these devices cannot be rebooted or turned off at will, as there could be grave consequences to doing so cavalierly.

 

 

Check back for more in our series on lessons learned that should be considered when building a healthy patch management program or click here to download the Ten Lessons Learned About Patch Management Whitepaper.

 

WANT TO LEARN MORE ABOUT PATCH MANAGEMENT?
FoxGuard provides a wide range of patch management solutions that help entities identify and mitigate gaps in the security of their systems and prepare for NERC CIP audits. We host a webinar series to discuss ways to develop and implement a robust patch management program. Reserve your spot in our next session.

RESERVE YOUR SPOT

If you want to discuss something specific, we will do that too! Just reach out, tell us what your challenges are, and we will have one of our security experts contact you.

TALK TO AN EXPERT

What’s a “Patch” and Why is It Important?

This is the first post in a series that we’ll be sharing with regard to Patch Management “lessons learned”.

FoxGuard Solutions has been in business since 1981 and has been serving the energy industry for over 25 years. We have also been providing patch management solutions for industrial control systems, both through original equipment manufacturers (OEMs) and directly to energy utilities, for many years. That long history gives us a unique perspective and extensive knowledge of the patching burden, so we want to share our insight and some “lessons learned” along the way.

It is important to level set on what a “patch” really is. According to Wikipedia (https://en.wikipedia.org/wiki/Patch_(computing)), a patch can be defined as follows: “A patch is a piece of software designed to update a computer program or its supporting data, to fix or improve it. This includes fixing security vulnerabilities and other bugs, with such patches usually called bugfixes or bug fixes.”

In the instance of industrial control systems, patches are applied to firmware, operating systems and software applications installed as part of the control system suite. It is important to understand the scope and depth of equipment which is susceptible to needing a software patch applied.

Scope is defined in NERC CIP based on the User’s ability to apply an update and may include: 

    –    Devices (network, field, and other single-purpose devices that run firmware)
    –    Appliances (usually an embedded or full OS with a controlled set of installed applications and services)
    –    Workstations
    –    Servers

Each of these items may have its own unique way of managing, validating, installing and monitoring for patches, making it difficult to run a healthy and comprehensive patch management program. When patching is this involved and difficult, it is worthwhile to talk through WHY it is so important. It may be obvious, but energy utilities are high-risk targets. Attacks such as Stuxnet and the attacks on the Ukrainian grid show that the “bad guys” (funded nation states, not just casual hackers) have their eyes on this industry. In addition, most of the vulnerabilities those attackers rely on already have a patch available; the gap is in getting it applied.

According to Kaspersky Lab’s Industrial Control Systems Vulnerabilities Statistics report, there were:

    –    4,189 known vulnerabilities in ICS in 2015
    –    426 had exploits available
    –    4,170 had patches available

If protecting critical assets from vulnerabilities is not motivation enough, regulatory standards such as NERC CIP-007-6 Requirement R2 (Parts 2.1, 2.2, 2.3 and 2.4) have clear requirements surrounding patch management, with large fines threatened as the consequence for failure to comply. Now that we understand what needs to be patched and why, check back for more in our series on lessons learned that should be considered when building a healthy patch management program, or click here to download the Ten Lessons Learned About Patch Management Whitepaper.
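To make the R2 clock concrete, the following added example (not FoxGuard's tooling, and not part of the original post) tracks two of the deadlines the standard sets: Part 2.2 requires evaluating a patch for applicability within 35 calendar days of its availability from the identified source, and Part 2.3 requires applying it, or creating or revising a dated mitigation plan, within 35 calendar days of completing the evaluation. The asset names, patch identifiers and dates are constructed.

```python
"""Added example: NERC CIP-007-6 R2 deadline tracking over a constructed inventory.

Assumptions (also stated in the lead-in):
  * Part 2.2: evaluate a patch within 35 calendar days of its availability.
  * Part 2.3: apply, or create/revise a dated mitigation plan, within
    35 calendar days of completing the evaluation.
  * Asset names, patch identifiers and dates below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

EVALUATION_WINDOW_DAYS = 35  # CIP-007-6 R2 Part 2.2
ACTION_WINDOW_DAYS = 35      # CIP-007-6 R2 Part 2.3


@dataclass
class PatchRecord:
    asset: str                         # BES Cyber System component (constructed)
    patch_id: str                      # vendor / OS patch identifier (constructed)
    released: date                     # date the tracked source made it available
    evaluated: Optional[date] = None   # date applicability evaluation completed
    actioned: Optional[date] = None    # date applied, or mitigation plan dated


def next_deadline(rec: PatchRecord) -> Tuple[Optional[str], Optional[date]]:
    """Return (phase, due_date) for the next open obligation, or (None, None)."""
    if rec.evaluated is None:
        return "evaluate", rec.released + timedelta(days=EVALUATION_WINDOW_DAYS)
    if rec.actioned is None:
        return "apply-or-mitigate", rec.evaluated + timedelta(days=ACTION_WINDOW_DAYS)
    return None, None


def overdue(records: List[PatchRecord], today: date):
    """(asset, patch_id, phase, days_late) for every record past its deadline."""
    late = []
    for rec in records:
        phase, due = next_deadline(rec)
        if phase is not None and today > due:
            late.append((rec.asset, rec.patch_id, phase, (today - due).days))
    return late


def overdue_on(records: List[PatchRecord], iso_day: str):
    """Same as overdue(), taking the reporting date as an ISO string."""
    return overdue(records, date.fromisoformat(iso_day))


# Constructed sample inventory: not real assets or patches.
SAMPLE = [
    PatchRecord("EMS-HMI-01", "OS-2017-06", date(2017, 6, 1)),            # never evaluated
    PatchRecord("RTU-07", "FW-3.1.4", date(2017, 5, 1),
                evaluated=date(2017, 5, 20)),                              # evaluated, no action
    PatchRecord("HIST-02", "APP-8.2", date(2017, 5, 1),
                evaluated=date(2017, 5, 10), actioned=date(2017, 6, 1)),   # closed out
]

if __name__ == "__main__":
    for asset, patch_id, phase, days in overdue_on(SAMPLE, "2017-07-15"):
        print("OVERDUE %s %s: %s by %d days" % (asset, patch_id, phase, days))
```

The "released" date is the point at which the entity's designated patch source (Part 2.1) made the patch available, not the vendor's original publication date; the two can differ, and the audit evidence must show which one the clock was started from.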

 


Security patch could have prevented breach.

The Equifax security breach, which exposed sensitive information of approximately 143 million consumers, is one that we now know could have been prevented by installing a security patch that had been available for two months before the intrusion began.
Equifax has indicated, “We know that criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638. We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.”
Apache Struts is an open-source framework for building Java web applications. Many industries, including internet companies, banks, government agencies and many large Fortune 500 companies, rely on Apache Struts.
It has been reported that Equifax failed to update its web applications, despite public proof that the bug gave attackers an easy way to take control of affected sites and the consumer data behind them. Patching the hole was labor-intensive because it involved pulling in the fixed version of Struts and rebuilding every application that depended on it. Some websites depended on dozens or even hundreds of such applications, likely spread across many servers on multiple continents. And you don’t just release rebuilt applications into production without testing to ensure the update doesn’t break key functions.
The bottom line is that cybersecurity, and more specifically patch management, isn’t always easy or convenient, but it is worth it. And we believe our patch management program sets up companies like Equifax for success in preventing these and other types of attacks.

For more information related to Apache Struts CVE-2017-5638:
https://nvd.nist.gov/vuln/detail/CVE-2017-5638
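Two checks that would have surfaced this exposure, as an added example that is not Equifax's or Apache's code: an inventory test that flags struts2-core versions inside the ranges the NVD entry lists as affected (2.3.x before 2.3.32 and 2.5.x before 2.5.10.1), and a request-header check for the OGNL markers that exploitation attempts against the Jakarta multipart parser carry in the Content-Type header. The version inventory and the request samples are constructed.

```python
"""Added example: CVE-2017-5638 exposure checks (inventory side and request side).

Assumptions: affected ranges are taken from the NVD entry (Struts 2.3.x before
2.3.32 and 2.5.x before 2.5.10.1); the inventory and request samples below are
constructed and do not describe any real deployment.
"""
import re
from typing import List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1); a trailing qualifier such as '-RC1' is ignored."""
    core = re.match(r"(\d+(?:\.\d+)*)", v).group(1)
    return tuple(int(part) for part in core.split("."))


def is_vulnerable_struts(version: str) -> bool:
    """True if a struts2-core version is inside the affected ranges."""
    v = parse_version(version)
    if v[:2] == (2, 3):
        return v < (2, 3, 32)
    if v[:2] == (2, 5):
        return v < (2, 5, 10, 1)
    return False


def audit_inventory(inventory: List[Tuple[str, str]]) -> List[str]:
    """(app_name, struts_version) pairs -> names of apps still exposed."""
    return [app for app, ver in inventory if is_vulnerable_struts(ver)]


# Exploitation relied on the multipart parser evaluating a crafted Content-Type
# header as OGNL. A legitimate Content-Type never begins with an OGNL expression
# and never references these OGNL internals.
_OGNL_MARKERS = re.compile(
    r"^\s*[%$]\{|#_memberAccess|@ognl\.OgnlContext@|#context\[", re.IGNORECASE)


def content_type_suspicious(header_value: str) -> bool:
    return bool(_OGNL_MARKERS.search(header_value))


def flag_requests(requests: List[Tuple[str, str]]) -> List[str]:
    """(source_ip, Content-Type) pairs -> source IPs that sent OGNL markers."""
    return [ip for ip, ct in requests if content_type_suspicious(ct)]


# Constructed samples.
SAMPLE_INVENTORY = [
    ("consumer-dispute-portal", "2.3.31"),
    ("internal-reporting", "2.5.10.1"),
    ("legacy-upload-service", "2.5.10"),
]
SAMPLE_REQUESTS = [
    ("203.0.113.5", "multipart/form-data; boundary=----WebKitFormBoundary7MA4"),
    ("198.51.100.9", "%{(#_='multipart/form-data').(#_memberAccess['allowStaticMethodAccess']=true)}"),
    ("203.0.113.7", "application/json"),
]

if __name__ == "__main__":
    print("exposed apps:", audit_inventory(SAMPLE_INVENTORY))
    print("suspicious sources:", flag_requests(SAMPLE_REQUESTS))
```

The inventory check is only as good as the inventory: a rebuilt WAR that still bundles an old struts2-core.jar is exposed regardless of what the build file says, so the version should be read from the deployed artifact. The header check is a detection aid for proxy or WAF logs that record request headers, not a substitute for the patch.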

 


Dragonfly 2.0 targets Critical Infrastructure

FoxGuard continues to monitor Dragonfly and its effects on critical infrastructure. Dragonfly is a campaign by (possibly Russian) actors targeting US and European critical infrastructure. Dragonfly has been active as early as 2010 but, according to Symantec, has seen a resurgence in activity within the last year. This new campaign has been dubbed “Dragonfly 2.0” by security researchers at Symantec.

Several different attack vectors are used in the Dragonfly campaign, including spear phishing emails, watering-hole attacks and trojanized software. Phishing emails masquerade as coming from someone else in order to get you to divulge sensitive information or click a link that downloads a malicious file. Spear phishing targets those emails at specific people to increase the likelihood of success; in the case of Dragonfly, emails including a New Year’s Eve party invitation were sent out. A watering hole is a website that the target visits frequently and that the attacker has compromised. Once compromised, the attacker can load malicious code into the site, possibly without the user ever noticing that anything has changed.

Using these attacks, the actors were able to steal credentials from employees, which they then used to gain remote access to machines. Though no interruptions in service have been attributed to this campaign, the attackers appear to have had the ability to cause harm if they wanted to. Screenshots of the user interfaces of industrial control systems, such as those controlling circuit breakers, have been found. Access to these types of controls would allow attackers to open circuit breakers, cutting the flow of electricity to potentially millions of U.S. citizens. So, why haven’t they used these capabilities to wreak havoc? Security researcher Eric Chien of Symantec believes the attackers are holding the access for the most strategic moment, for instance as a deterrent against a US attack.
Isn’t there a way to prevent this? Security is not an absolute, and while there are mitigation techniques, nothing is certain. An important concept in the security industry is “defense in depth”: layers of security should be implemented, and no single measure should be relied on. A hardware firewall is extremely important to have on a network, but assuming no one will get through that firewall, and that you therefore need no additional protection, is a huge mistake. Instead, controls such as antivirus, least privilege, encryption, firewalls, intrusion detection, honeypots and so on should all be used together. These measures should be thought of as fire doors. They may not hold off the problem indefinitely, but they delay it, giving you time to react. The more of them you can practically use in your system, the harder it will be for an attacker to get through, leaving more time for security staff to contain the attack. If your intrusion detection system picks someone up at the firewall, they may still have several more layers to get through, which gives defenders time to rewrite rules or shut off access to machines before the attacker reaches them.
Another approach commonly used in industrial control systems is “air gapping”: the idea that a controls network should be completely separate from the business or corporate network. The business network has no control over the equipment, and the controls network has no remote or internet access. In theory, this protects the machines on the controls network from anything arriving over the network, since they never talk to anything but each other. The problem is that operational demands mean a system is never completely isolated, so the idea that the air gap alone will keep you safe is a myth. Even if your systems are not networked together, you may need to pull configuration files down from your corporate network. If the corporate network is not reachable from the control network, a flash drive may be used to carry the file between a machine on the corporate network and one on the control network. That gives malicious code the opportunity to move from the corporate machine to the flash drive and then to the controls machine, “jumping” the air gap. If a 16 GB flash drive is carried across just once per day from an infected machine to a machine on the controls network, that is roughly the same data capacity as a 24/7 1.5 Mbps network connection (16 GB per day works out to about 1.5 Mbit/s). The latency is high, but the throughput is there. This particular jump can be prevented by restricting which USB devices are allowed to connect to a machine, or by physically disabling USB ports that are not needed. This is just one of many ways an air gap can be jumped.
One famous example of jumping an air gap is the Stuxnet worm. Stuxnet targeted Iran’s nuclear program by infecting the controllers driving the enrichment centrifuges and changing the centrifuges’ operating frequencies. This stressed the machines, causing aluminum tubes to expand and forcing contact with other parts, and destroyed as many as 1,000 centrifuges. Natanz, the Iranian facility being used to enrich uranium, had its control systems air gapped, with no network connection to the outside world. So how did the worm make its way into the facility? A flash drive, possibly carried by an Iranian double agent, or possibly plugged in by mistake by one of the researchers in the facility, was connected to the internal systems, and the worm made the jump onto the control network.
At this point, no nuclear sites appear to have been affected by Dragonfly, possibly because of the stricter requirements nuclear sites have for separating their internet-connected networks from operational controls. Dragonfly has not been seen to jump a true air gap so far, but as you can see, air gapping alone should not be relied on to prevent an attack. FoxGuard recommends a “Defense in Depth” strategy. Making sure only designated flash drives can connect to a machine is an important step, or, if operationally feasible, allowing no USB access at all. Control networks should ideally not be connected to any other network, nor should any client on the control network also be connected to an external network. Patch management is also of great importance: even an offline machine can be infected, and having the most recent patches installed to close known vulnerabilities mitigates many potential attacks.

To find virus signatures, more examples and more details, take a look at the links below:
https://www.wired.com/story/hackers-gain-switch-flipping-access-to-us-power-systems/
https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group
http://thehackernews.com/2017/09/dragonfly-energy-hacking.html
https://www.cnet.com/news/stuxnet-delivered-to-iranian-nuclear-plant-on-thumb-drive/
https://hacked.press/2017/06/23/wikileaks-cias-malware-brutal-kangaroo-jumping-air-gap/

 

 

Regulatory Growth as of July 2017

Last month, Compliance & Risks* published its quarterly regulatory growth charts for July 2017.   The overall growth in the number of regulations in the past 15 years has climbed from just over 2,000 to just under 16,000.  This constitutes a total increase of over 700%!

Regulatory Growth by Subject

The first chart depicts regulatory growth by subject, including Batteries, Climate Change, Packaging, Product Safety, Energy, Waste, and Substances.  Results show the highest number of regulations in the area of Substances, at just over 6,000, with regulations concerning Batteries having the lowest count, at approximately 1,000. 

Regulatory Growth by Region

The second chart depicts regulatory growth by region, including International Organizations; Latin America with the Caribbean; Asia Pacific; the United States and Canada; and Europe, the Middle East, and Africa, with Central Asia (EMEA). Results show the highest growth in the Latin America with the Caribbean and EMEA regions, at approximately 500% each! Asia Pacific regulations have climbed approximately 300% over the past 15 years, and regulations in the United States and Canada have grown approximately 340%!

Recent RoHS regulatory additions that impact Information Technology are Taiwan RoHS (already in force for certain products), Singapore RoHS (already in force for certain products), and UAE (United Arab Emirates) RoHS, which has its first enforcement date on January 1, 2018, for certain products. 

Over the past few years, we have seen additional legislative changes and new legislation in various regions, including the following:

  • Mercury ban in Canada;
  • China RoHS 2;
  • The G mark in the Gulf Cooperation Council and Yemen;
  • Changes from C-Tick and A-Tick in Australia to RCM;
  • Change from GOST-R in the Russian Federation to EAC in the Eurasian Customs Union;
  • K-Reach in Korea;
  • Changes in the European Union’s directives and standards in the areas of Low Voltage and EMC;
  • Numerous additions to the European Union’s Substances of Very High Concern list (REACH).

FoxGuard tracks pending new legislation, as well as upcoming changes to existing legislation, and works closely with our supplier network to ensure continued compliance of systems and components.

* http://www.complianceandrisks.com/c2p/

 

WANT TO LEARN MORE ABOUT FOXGUARD’S SIMULATION CAPABILITIES?

FoxGuard has 35+ years’ experience configuring computer solutions, integrating racks, developing images, securing licenses, and ensuring hardware, software and OS compatibility to free up your resources to pursue growth. We can configure and ship a turnkey solution to your designated location.

LEARN MORE

Government calls it “Hidden Cobra”.

As military tensions rise between the US and North Korea, so do tensions on the battlefield of the twenty-first century: the cyber realm. The FBI and the Department of Homeland Security (DHS) are monitoring denial-of-service infrastructure operated by the North Korean government and targeted at US businesses, including critical infrastructure. The US government refers to this malicious activity as “Hidden Cobra”. It leverages a malware family known as “DeltaCharlie”, a DDoS bot that the North Korean government uses to control its botnet. A botnet is a network of infected machines that can be used to flood a targeted system with requests, overloading it so that legitimate requests for resources on that system are denied. DeltaCharlie is capable of launching attacks using the Domain Name System (DNS), the Network Time Protocol (NTP) and the Character Generator Protocol (CHARGEN), all of which can be abused as amplifiers: small requests are sent with a spoofed source address and the much larger replies land on the victim. The malware can update itself, update its configuration, download additional executables, terminate itself, and start or stop a DDoS attack. Although no new DDoS attacks attributable to this malware have been discovered, the US Computer Emergency Readiness Team (US-CERT) has warned administrators to watch for suspicious network and host behavior that may indicate an attack. Users or administrators who detect anything that appears to be from Hidden Cobra are encouraged to report it immediately to the DHS National Cybersecurity and Communications Integration Center (NCCIC) or the FBI’s CyWatch and to begin best-practice mitigation. In addition to using DeltaCharlie for the botnet, Hidden Cobra actors are also believed to use keyloggers, remote access trojans and wiper malware, including tools such as Destover, Wild Positron and Hangman.
The DHS and FBI have identified IP addresses used in the botnet and are distributing them so that administrators can take the proper steps to mitigate the possibility of an attack. 

 Additionally, known vulnerabilities exploited by Hidden Cobra include:

   • CVE-2015-6585: Hangul Word Processor Vulnerability
   • CVE-2015-8651: Adobe Flash Player 18.0.0.324 and 19.x Vulnerability
   • CVE-2016-0034: Microsoft Silverlight 5.1.41212.0 Vulnerability
   • CVE-2016-1019: Adobe Flash Player 21.0.0.197 Vulnerability
   • CVE-2016-4117: Adobe Flash Player 21.0.0.226 Vulnerability

Hidden Cobra commonly targets systems running older operating systems and outdated software. As always, FoxGuard recommends keeping your systems up to date with the latest security patches to help eliminate vulnerabilities and prevent attacks.

More information, including the list of IPs associated with this warning, can be found on the us-cert.gov site (links below).
https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity
http://mashable.com/2017/06/14/north-korea-hidden-cobra-cybersecurity-hack/#Tis4eU_ejOqg
http://www.securityweek.com/us-warns-north-koreas-hidden-cobra-attacks
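DeltaCharlie's three attack types (DNS, NTP and CHARGEN) are all reflection and amplification vectors, so the victim side of such an attack shows up as floods of large UDP replies from many reflectors whose source port is 53, 123 or 19. The following is an added example, not code from US-CERT or FoxGuard, that applies that logic to constructed NetFlow-style records; the record format, the thresholds and every address are assumptions for illustration.

```python
"""Added example: flag reflected DNS/NTP/CHARGEN floods in flow records.

Assumptions: the CSV flow format below is constructed; thresholds are
illustrative and must be tuned to a site's own baseline; all addresses are
documentation ranges, not real hosts.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

REFLECTOR_PORTS = {19: "CHARGEN", 53: "DNS", 123: "NTP"}
MIN_BYTES_PER_PKT = 400       # amplified replies are large; normal DNS/NTP replies are not
MIN_REFLECTORS = 3            # distinct reflector sources hitting the same victim
MIN_TOTAL_BYTES = 1_000_000   # volume within the analysed window


def parse_flow(line: str) -> dict:
    """Constructed format: proto,src_ip,src_port,dst_ip,dst_port,packets,bytes"""
    proto, sip, sport, dip, dport, pkts, byts = line.strip().split(",")
    return {"proto": proto, "src": sip, "sport": int(sport), "dst": dip,
            "dport": int(dport), "pkts": int(pkts), "bytes": int(byts)}


def find_reflection_victims(lines: List[str]) -> List[Tuple[str, str, int, int]]:
    """Group inbound UDP flows sourced from reflector ports by (victim, protocol)
    and report (victim, protocol, reflector_count, total_bytes) above threshold."""
    agg: Dict[Tuple[str, str], dict] = defaultdict(
        lambda: {"bytes": 0, "pkts": 0, "reflectors": set()})
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        if f["proto"] != "UDP" or f["sport"] not in REFLECTOR_PORTS:
            continue
        if f["pkts"] == 0 or f["bytes"] / f["pkts"] < MIN_BYTES_PER_PKT:
            continue  # ordinary-sized replies: routine resolver / time-sync traffic
        key = (f["dst"], REFLECTOR_PORTS[f["sport"]])
        agg[key]["bytes"] += f["bytes"]
        agg[key]["pkts"] += f["pkts"]
        agg[key]["reflectors"].add(f["src"])
    hits = []
    for (victim, proto), s in sorted(agg.items()):
        if len(s["reflectors"]) >= MIN_REFLECTORS and s["bytes"] >= MIN_TOTAL_BYTES:
            hits.append((victim, proto, len(s["reflectors"]), s["bytes"]))
    return hits


# Constructed sample window: two normal DNS replies, an NTP flood from four
# reflectors, a single large CHARGEN reply and one TCP flow to be ignored.
SAMPLE_FLOWS = """\
UDP,192.0.2.10,53,198.51.100.20,41234,3,400
UDP,192.0.2.11,53,198.51.100.20,41234,2,300
UDP,203.0.113.1,123,198.51.100.20,5555,2000,880000
UDP,203.0.113.2,123,198.51.100.20,5555,1800,792000
UDP,203.0.113.3,123,198.51.100.20,5555,1500,660000
UDP,203.0.113.4,123,198.51.100.20,5555,100,44000
UDP,203.0.113.9,19,198.51.100.21,80,500,500000
TCP,203.0.113.9,123,198.51.100.21,80,500,500000
"""

if __name__ == "__main__":
    for victim, proto, n, total in find_reflection_victims(SAMPLE_FLOWS.splitlines()):
        print("%s: %s reflection from %d sources, %d bytes" % (victim, proto, n, total))
```

This shows the victim's view. A DeltaCharlie bot inside your own network looks different: outbound UDP to ports 19, 53 or 123 carrying source addresses that do not belong to you, which is exactly what egress anti-spoofing filtering (BCP 38) blocks, and an easy second rule to add against the same records.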

PARTNERING WITH BOHEMIA INTERACTIVE SIMULATIONS

Bohemia Interactive Simulations built a demo room to showcase their flagship simulation products VBS3 and VBS Blue in Orlando, FL.  This demo room is located in the Central Florida Research Park, along with tenants such as Program Executive Office for Simulation and Training (PEO STRI) and PM TRASYS.  Bohemia is a global simulation software company and its flagship product, VBS3, is operated by the U.S. Army for its Games for Training Program.

The demo room Bohemia built blazes the trail in terms of setting an industry standard for game-based military simulation.  The room allows for a VR Apache helicopter, F/A-18 Fighter Jet, Spotter, and an administrator to all work together to complete a predefined mission.  The administrator can observe on a large overhead projector the status of his team while providing instruction and coaching along the way.  The ability of all these training systems to be linked together is part of the ongoing mission of the Army.  At TSIS in June, MG Maria R. Gervais, Deputy Commanding General, Combined Arms Center – Training, noted that, “The Army requires integrated training capabilities that can adapt to emerging technologies.”

To support this demo room, Bohemia and FoxGuard collaborated on the build of high-end workstation computers that would optimize the training scenarios used during customer simulations. Customers such as the Army, Navy, and Air Force require vast and varied terrain generation, and VBS3 supports that demand with a content-rich library of thousands of vehicles, weapons, people, and objects.

Introducing the High-End FoxGuard Workstation Computer, the SimITAR Flex that supports live synchronized training missions that utilize VBS3 and VBS Blue. 

Technical Specs:

  • Motherboard: High-end ASUS Prime Z270 Motherboard
  • Processor: i7-7700K Kaby Lake, 4.2GHz base, 4.5 GHz turbo, Quad Core
  • RAM: 32GB DDR4-3200 overclockable memory
  • Power Supply: 750 Watt
  • Storage: 512 GB – PCIe 3.0 x4, NVMe 1.2 – 3,500 MB/s Read, 2,100 MB/s Write
  • Graphics: NVIDIA Quadro P5000

 


FOXGUARD OPENS ITS DOORS

Last week we did something special and unusual – we opened our doors to show off what we have been working on.

FoxGuard Solutions along with our partner TDi Technologies came together and unveiled our joint solution for U.S. Department of Energy’s Cybersecurity for Energy Delivery Systems. The solution is a result of a $4.3 million Cooperative Agreement awarded in 2013 from the U.S. Department of Energy’s Cybersecurity for Energy Delivery Systems (CEDS) division.

Believing that the nation’s security, economic prosperity, and the well-being of its citizens depend on reliable energy infrastructure, the DOE solicited our expertise to develop the Patch and Update Management Project (PUMP) for energy delivery systems. The energy sector places an emphasis on the availability and reliability of energy delivery operations. While best practice avoids connecting energy delivery system devices to external networks, their increasing interconnectivity increases their exposure to cyber vulnerabilities, making proper and timely patches and updates critically important to maintaining system cybersecurity.

 

As part of the unveiling FoxGuard hosted an open house that was attended by government officials, Mayor Michael Barber and Delegate Nick Rush, as well as representatives from NRG Energy, US Department of Energy, University of Arkansas, Arkansas Electric Cooperative Corporation, Argonne National Laboratory, and Virginia Tech.

Our team had a lot of fun showing off our research and development lab. Our team is using a model train, which has equipment representative of an ICS energy environment, to demonstrate what can happen when patches are not properly validated prior to being introduced into production.

During this event, we demonstrated technology and techniques to identify and verify the integrity of updates and patches for energy delivery systems software, hardware and firmware, while also facilitating the deployment of those updates.

KEY ELEMENTS:
• Patch & Update Data Aggregator & Web Portal
• Patch & Update Authentication
• Validation Techniques
• Query Engine

      

The PUMP program simplifies the process of understanding what patches are available for energy delivery industrial control system devices, for both end users and equipment vendors, while also simplifying a utility’s adherence to the NERC CIP v6 patching requirements, ultimately leading to a safer grid.
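Patch and update authentication starts with checking that what was downloaded is what the vendor published. The following added example (not PUMP's or FoxGuard's code) verifies a patch file against a manifest of SHA-256 digests and sizes, distinguishing a truncated download from a tampered one. The manifest format, file name and payload bytes are constructed, and a real manifest would itself need to be signed and retrieved independently of the patch file, which the example does not show.

```python
"""Added example: verify a downloaded patch against a vendor digest manifest.

Assumptions: the manifest format (sha256, size, name per line) is constructed;
the sample payload is constructed; the manifest is trusted here only for the
sake of the example, and in practice must be signed and fetched out of band.
"""
import hashlib
import hmac
from typing import Dict, Tuple


def parse_manifest(text: str) -> Dict[str, Tuple[str, int]]:
    """Manifest lines: '<sha256 hex>  <size in bytes>  <file name>'; '#' starts a comment."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, size, name = line.split(None, 2)
        entries[name] = (digest.lower(), int(size))
    return entries


def verify_patch(name: str, data: bytes,
                 manifest: Dict[str, Tuple[str, int]]) -> Tuple[bool, str]:
    """Return (ok, reason). Size is checked first so a truncated download is
    reported separately from a tampered one; the digest comparison is
    constant-time so the check does not leak how many leading bytes matched."""
    if name not in manifest:
        return False, "not listed in manifest"
    expected_digest, expected_size = manifest[name]
    if len(data) != expected_size:
        return False, "size mismatch: expected %d got %d" % (expected_size, len(data))
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected_digest):
        return False, "sha256 mismatch"
    return True, "ok"


# Constructed sample: a small stand-in for a firmware image and its manifest line.
GOOD_PATCH = b"RTU-FW-3.1.4 constructed sample payload\n" * 4
SAMPLE_MANIFEST = "# sha256  size  name\n%s  %d  rtu-fw-3.1.4.bin\n" % (
    hashlib.sha256(GOOD_PATCH).hexdigest(), len(GOOD_PATCH))


def run_checks() -> Dict[str, Tuple[bool, str]]:
    """Exercise the verifier against a good, a tampered, a truncated and an unlisted file."""
    m = parse_manifest(SAMPLE_MANIFEST)
    return {
        "good": verify_patch("rtu-fw-3.1.4.bin", GOOD_PATCH, m),
        "tampered": verify_patch("rtu-fw-3.1.4.bin", GOOD_PATCH[:-1] + b"X", m),
        "truncated": verify_patch("rtu-fw-3.1.4.bin", GOOD_PATCH[:-5], m),
        "unknown": verify_patch("hmi-2.0.exe", GOOD_PATCH, m),
    }


if __name__ == "__main__":
    for label, (ok, reason) in run_checks().items():
        print("%-9s %s %s" % (label, "PASS" if ok else "FAIL", reason))
```

A digest only proves the file matches the manifest; it says nothing about who wrote the manifest. If the manifest rides along with the patch on the same download channel, an attacker who can replace one can replace both, which is why the authentication step in a program like PUMP has to anchor on a vendor signature or a digest obtained from a separate, trusted source.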

FEEDBACK FROM OUR DEMONSTRATION HAS BEEN EXTREMELY POSITIVE:

“Excellent materials and presentations. I really like the way each of the program element presentations, including the demo, had a brief overview describing the problem statement, why it matters and how your R&D work addressed it. The Q&A and discussion was great and it made the participants, especially the utility folks, think about and understand how the PUMP program will help them.” – US Department of Energy

“Very Impressive! Look forward to more results from you!!!” – University of Arkansas

“Wonderful tool set.” – NRG Energy

 


RECENT ATTACK IDENTIFIED AS PETYA.2017 / EXPETR

After further investigation of the recent attack, FoxGuard can confirm that it was not actually PetrWrap, as first believed, but yet another Petya variant, now being called Petya.2017 or ExPetr (also referred to as NotPetya).

The initial infection appears to have targeted Ukraine through a watering-hole attack on compromised Ukrainian news agency websites and through a trojanized update for the M.E.Doc tax and accounting software. After the initial infection, the malware schedules a reboot, overwrites the Master Boot Record (MBR) with a fake bootloader and, on reboot, encrypts the Master File Table (MFT). During the encryption it displays a screen that mimics the Windows “Check Disk” (chkdsk) dialogue; afterwards it leaves a ransom message. It also attempts to move laterally, using a variant of Mimikatz to steal credentials from memory and then executing on other hosts with those credentials via PsExec and WMIC, and it spreads across networks using the EternalBlue and EternalRomance SMB exploits.

This malware is NOT ransomware, but rather a wiper designed to destroy data while masquerading as ransomware to throw off researchers. For starters, it uses only one bitcoin wallet, whereas ransomware normally uses a separate wallet per victim so that a payment can be tied to that victim. Secondly, real ransomware generates an installation key containing the information needed to derive a recovery key; after the victim sends this ID to the attacker, the attacker can return the decryption key, which restores the data on the drive and repairs the MBR so that the boot process works again. ExPetr, however, did not implement an installation key at all; it generates random characters to display on screen so that it looks like an installation key is being provided. That string is random and cannot be used to derive a recovery key. The malware also writes to disk sectors in a way that does permanent damage, making recovery impossible. This indicates that the attackers never intended to decrypt any data and were not interested in monetary gain, but carried out the attack simply to cause harm. Lastly, the attackers set up only one email account, which has already been shut down; even if there WERE a way to recover the data, there is no way to reach them.
FoxGuard recommends the mitigations below:
     •  Offline backups
            o  Shadow volume copies can be deleted and any connected backup can be reached by the
                malware, so it is crucial that backups be kept completely offline and disconnected.
     •  SMB
            o  Disable SMBv1 if it is not needed
            o  Apply the Microsoft SMB patch (MS17-010), which closes the EternalBlue and EternalRomance exploits
     •  Secure Active Directory
            o  Limit user privileges (in particular, avoid administrative accounts that are valid on many hosts, since
                stolen credentials are what the PsExec and WMIC lateral movement relies on) and enforce password policy
     •  Boot configuration
            o  Machines that boot through UEFI do not execute legacy MBR boot code, so the fake bootloader and the
                MFT encryption it performs do not run on them; the malware’s user-mode file encryption and its
                destructive overwrites of the first disk sectors still happen, so UEFI/Secure Boot limits the damage
                rather than preventing it
     •  Network
            o  If possible, block inbound traffic on TCP port 445 (SMB, used by both the EternalBlue and EternalRomance
                exploits) at network boundaries and between hosts that do not need to share files
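The lateral movement described above (stolen credentials reused through PsExec and WMIC to launch the payload on other hosts) leaves recognisable process-creation events. The following is an added example, not FoxGuard's or any vendor's detection content, that encodes three such patterns and runs them over constructed process-creation records; the event format, host names, user names and the DLL path C:\Windows\payload.dat are all made up for the example.

```python
"""Added example: detection rules for credential-reuse lateral movement via
WMIC and PsExec, run over constructed process-creation events.

Assumptions: the pipe-delimited event format is constructed; every host, user,
address and file path is fictitious; rule names are my own.
"""
import re
from typing import Dict, List, Tuple

# Rule name -> (field to inspect, pattern). Remote process creation with
# explicit credentials, the PsExec service binary landing on a target, and
# rundll32 calling an ordinal export of a DLL dropped under C:\Windows.
RULES: Dict[str, Tuple[str, re.Pattern]] = {
    "wmic-remote-process-create": ("cmd", re.compile(
        r"\bwmic(?:\.exe)?\b.*/node:\S+.*/user:\S+.*process\s+call\s+create", re.I)),
    "psexec-service-binary": ("image", re.compile(r"\\PSEXESVC\.exe$", re.I)),
    "rundll32-ordinal-from-windows-dir": ("cmd", re.compile(
        r"\brundll32(?:\.exe)?\b.*[A-Z]:\\Windows\\[^\\\s\"']+\.(?:dat|dll)\\?[\"']?\s*,?\s*#\d+", re.I)),
}


def parse_event(line: str) -> Dict[str, str]:
    """Constructed format: timestamp|host|user|image|command_line"""
    ts, host, user, image, cmd = line.rstrip("\n").split("|", 4)
    return {"ts": ts, "host": host, "user": user, "image": image, "cmd": cmd}


def match_rules(ev: Dict[str, str]) -> List[str]:
    return [name for name, (field, pat) in RULES.items() if pat.search(ev[field])]


def detect(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(timestamp, host, rule) for every event that trips a rule."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        for rule in match_rules(ev):
            findings.append((ev["ts"], ev["host"], rule))
    return findings


def hosts_hit_by_multiple_rules(findings: List[Tuple[str, str, str]]) -> List[str]:
    """Hosts where more than one distinct rule fired: the strongest signal
    that a worm-like chain (remote launch + payload execution) is under way."""
    by_host: Dict[str, set] = {}
    for _, host, rule in findings:
        by_host.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in by_host.items() if len(rules) >= 2)


# Constructed events: a workstation pushes the payload to a server via WMIC
# with a backup account's credentials; the server then runs PSEXESVC and the
# payload; two benign events follow.
SAMPLE_EVENTS = """\
2017-06-27T10:14:02Z|WS-014|CORP\\jdoe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic /node:"10.0.5.22" /user:"CORP\\svc_backup" /password:"***" process call create "C:\\Windows\\System32\\rundll32.exe \\"C:\\Windows\\payload.dat\\" #1 60"
2017-06-27T10:14:05Z|SRV-022|NT AUTHORITY\\SYSTEM|C:\\Windows\\PSEXESVC.exe|C:\\Windows\\PSEXESVC.exe
2017-06-27T10:14:06Z|SRV-022|NT AUTHORITY\\SYSTEM|C:\\Windows\\System32\\rundll32.exe|C:\\Windows\\System32\\rundll32.exe "C:\\Windows\\payload.dat" #1 60
2017-06-27T10:20:00Z|WS-015|CORP\\asmith|C:\\Windows\\System32\\rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL
2017-06-27T10:21:00Z|WS-016|CORP\\bjones|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic os get caption
"""

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS.splitlines())
    for ts, host, rule in found:
        print(ts, host, rule)
    print("hosts with chained indicators:", hosts_hit_by_multiple_rules(found))
```

The WMIC rule deliberately keys on /node: together with /user:, because remote WMI with explicitly supplied credentials is rare in normal administration and is exactly what reuse of stolen credentials looks like. Administrators who do use PsExec routinely should whitelist their jump hosts rather than drop the PSEXESVC rule, since that service appearing on a host that was never a PsExec target is the point.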

For more information on some of the technologies used in the attack, see the below links:
     PsExec: https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
     WMIC: https://msdn.microsoft.com/en-us/library/bb742610.aspx
     Mimikatz: https://www.offensive-security.com/metasploit-unleashed/mimikatz/
     MBR: https://technet.microsoft.com/en-us/library/cc976786.aspx

For newer information regarding this attack, see the links below:
     https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/
     https://blog.comae.io/petya-2017-is-a-wiper-not-a-ransomware-9ea1d8961d3b
     https://securelist.com/schroedingers-petya/78870/


FOXGUARD MONITORS PETRWRAP RANSOMWARE ATTACK

REMEMBER WannaCrypt?

This morning (June 27th) Ukraine’s critical services were hit with a set of cyber attacks affecting Ukraine’s power companies, airports, banks, and even a radiation monitoring system at Chernobyl. The attack in question is another piece of ransomware called PetrWrap, an adaptation of Petya. Petya is similar to WannaCrypt, which hit the industry a short time ago, in that it encrypts the victim’s data using public-key cryptography and demands money (around $300 US) to recover the files. PetrWrap/Petya adds its own twist by also overwriting the master boot record of the victim’s hard drive, leaving it unable to boot. Ukraine was hit first, but the attack has spread and now affects many countries in Europe as well as the US. PetrWrap/Petya appears to use the same exploit (EternalBlue) as WannaCrypt. It is believed that a Microsoft Office exploit is used, with malicious Office files delivered via phishing emails, and that the EternalBlue exploit is then used to spread across the company’s network.
FoxGuard recommends applying the EternalBlue patch supplied by Microsoft (MS17-010), as well as the patch for the Office exploit (CVE-2017-0199), to make sure you are protected against this infection and any other infections using the same exploits.

To view the Microsoft Patches available to prevent the exploits, refer to the links below:
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199

For more information on the attack carried out, refer to the links below:
https://www.us-cert.gov/ncas/current-activity/2017/06/27/Multiple-Petya-Ransomware-Infections-Reported
https://www.theverge.com/2017/6/27/15879480/petrwrap-virus-ukraine-ransomware-attack-europe-wannacry
https://www.tomsguide.com/us/petya-ransomware-attack,news-25389.html

For more information on the ransomware used in the attack, refer to the links below: 
https://securelist.com/petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks/77762/
https://securelist.com/petya-the-two-in-one-trojan/74609/

Below is a screenshot of what would be seen after the ransomware has been deployed and the files encrypted.

 
