After coaching all three of my kid’s soccer teams this Fall (and 40 other people’s children), I’m drained. Don’t get me wrong, I love investing in these young lives and helping them realize their potential and that hard work pays off. I strongly feel coaching is one of my ministries, but eight hours of practices and three hours of games each week for ten weeks (not including driving time or additional tournaments!) can get overwhelming at times. However, one of the things I enjoy most is experiencing each of the teams playing at different age, skill and energy levels. As a dedicated coach, I am continually introducing and exploring fresh ideas, different skills, unique games and new formations with the teams. Some of these new strategies work and are then incorporated as core routines for the weekly practices, and honestly, others may work for one age/skill level but fall flat or even backfire for another. I have learned that much of coaching is about trial and error.
Lately, dealing with cybercriminals, especially those associated with ransomware, feels a lot like coaching. These evildoers (let’s call them out for what they are!) are continually trying to incorporate their own fresh strategies or modify their existing ones in order to do harm and financially capitalize on users. In my experience, ransomware authors rely heavily on two vectors for infection. Let’s call them their “core” routines.
(1) Email Attachments: This is easily the most common vector for the proliferation of ransomware - it is a simple technique for cybercriminals to implement. Incorporating malicious attachments has proven successful for 15 years now, dating back to the infamous LoveLetter worm. At this point the spam campaigns sent from botnets are widespread and very large, and it is probable that many of these ransomware families share similar databases of email addresses. Anyhow, we are all well aware of how this vector works - attachments usually come in zip or rar files containing ".exe", ".scr", ".js", ".vbs", ".doc" or ".xls" files, and the contents of the email are such that they lure/trick the recipient into opening the attachment. Ransomware like CryptoWall, Locky, Zepto, etc. rely on this method.
(2) Drive-by Download: This is the other commonly used vector for the spread of ransomware. This method of propagating ransomware uses “malvertising” and exploit kits to infect PCs and other devices just by visiting a compromised site. Most of the time, the sites visited by the unknowing user are legitimate websites that have been compromised by the attacker. Ransomware like CryptoMIC and others rely on this method.
In recent months, we have seen a significant increase in newer techniques being tested to infect users with ransomware. We have seen modifications within existing ransomware families to incorporate Internet worm-like techniques to further propagate across a network. In other observed new samples, we see ransomware trying to gain access to offsite backup locations. Remember, the more damage and havoc that can be caused to the user (the encryption of their files), the more willing those users are to pay big dollar ransoms. However, the latest game-changer in the fight against ransomware is their new strategy of infecting network systems via Brute Force Attack.
Brute Force Attack: By definition, a brute force attack consists of an attacker utilizing a “trial and error” method trying a large number of passwords (commonly used credentials, dictionary words, and other combinations) with the hope of eventually guessing correctly to gain access to a system.
Let’s take the case of the Troldesh ransomware (also known as XTBL), a ransomware that mainly targets the Windows operating system. Like most brute force style attacks, the attack starts with scanning a large Internet Protocol (IP) range and TCP ports: in this particular case, the attacker is searching for vulnerable networks that have Remote Desktop (RDP) enabled and open for connection, and this is done by scanning port 3389. If an exposed network is found, the attacker will attempt to gain direct access to the network through Remote Desktop by systematically checking all possible passwords and passphrases until the correct one is found. Unfortunately, if the attacker is successful on their quest and server access is obtained, the cyber attacker can disable the installed antivirus/security solution (if it exists) and run the encryption payload directly. This newer technique is “trial and error” at its finest.
Given this new strategy, which we feel will only expand and become common with future ransomware, here are a few things you can do to safeguard against such attacks.
1. Use long and complex passwords. Avoid commonly used phrases, incorporate CAPS, lowercase and special characters into your passwords, and make your passwords at least 12 characters.
2. Disable the Administrator account and create an alternate username for administrative activities. Most brute-force attempts are made against the Administrator account. It’s also recommended that any unused accounts are deleted.
3. Change your default ports. In the case of Troldesh, changing the default port (3389) of Remote Desktop to an unused port could have helped prevent a port-specific attack.
4. Take advantage of the Account Lockout Policy, which automatically locks an account after a specific number of failed login attempts.
5. Install a strong multi-tier security solution like Thirtyseven4. Regardless of what security vendor you install or already have, make sure you take advantage of and configure its password protection option so that security settings can’t be easily disabled.
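The lockout policy in step 4 counts failures per account; the same "too many failures in a short window" idea can be applied per source address to spot an RDP brute-force run while it is happening. The script below is an added example (not Thirtyseven4's code and not from the original post) that reads constructed Windows Security log entries modeled on Event ID 4625 (failed logon) with logon type 10 (RemoteInteractive, i.e. Remote Desktop) and flags any source IP that exceeds a threshold of RDP failures inside an observation window; the field layout, sample addresses and thresholds are all assumptions chosen for the demonstration.

```python
"""Flag RDP brute-force patterns in failed-logon events (Windows Event ID 4625)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry.
# Format: time|EventID|TargetUserName|LogonType|SourceIP (logon type 10 = Remote Desktop)
SAMPLE_EVENTS = """\
2016-11-01 02:00:01|4625|Administrator|10|198.51.100.23
2016-11-01 02:00:03|4625|Administrator|10|198.51.100.23
2016-11-01 02:00:04|4625|admin|10|198.51.100.23
2016-11-01 02:00:06|4625|Administrator|10|198.51.100.23
2016-11-01 02:00:08|4625|Administrator|10|198.51.100.23
2016-11-01 02:00:09|4625|Administrator|10|198.51.100.23
2016-11-01 02:05:00|4625|jsmith|10|203.0.113.7
2016-11-01 09:12:00|4625|jsmith|2|10.0.0.15
2016-11-01 09:40:00|4625|jsmith|10|203.0.113.7
"""

def parse_events(text):
    """Turn the pipe-delimited lines into dicts with a datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, user, logon_type, ip = line.split("|")
        events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "event_id": int(event_id), "user": user,
                       "logon_type": int(logon_type), "ip": ip})
    return events

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: sorted usernames tried} for every source with at least
    `threshold` RDP logon failures inside some span no longer than `window`.
    Same threshold/observation-window idea as an Account Lockout Policy, but
    keyed on the source address so a spray across several accounts is also seen."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4625 and ev["logon_type"] == 10:
            by_ip[ev["ip"]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        start = 0                       # sliding window over the sorted failures
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = sorted({e["user"] for e in evs})
                break
    return flagged

if __name__ == "__main__":
    for ip, users in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(f"{ip}: RDP brute force suspected, accounts tried: {', '.join(users)}")
```

With the sample data only 198.51.100.23 is flagged: the two spaced-out failures from 203.0.113.7 never fit the window, and the logon type 2 (local console) failure is ignored.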
If you are thinking that my correlation of cyber-security and coaching three soccer teams is that they are both draining, then I missed my mark. (Okay, that assessment has truth in it, but I was trying to make a different point!) In coaching I try new things; I am always changing my approach to find a physical fit, a mental fit, and an age-appropriate fit with each age group and team. Unfortunately, cyber-thugs are also constantly changing their game, or bringing new game, if you will. Attacking with Brute Force by trying every combo until they crack the password? Yep, they are going that distance.
Searching for loopholes like having Remote Desktop enabled? Yes, they are turning over every stone, or should I say machine, and they keep looking until they find one that can be taken advantage of.
These hackers are on their game. On their negative, malicious, notorious game. We have to outsmart them by trumping their efforts with proactive and intelligent security precautions. Complicated passwords! Yes, I have said this before, but I mean it with all seriousness this time. Believe me—you do not want your network compromised because your password was “123456” or is still stuck at “password”. We are more intelligent than that, and the hackers are making their fortune by being more intelligent than that.
Security has its parallels with soccer. We can win if we prepare, are proactive and have a plan in place. We can lose miserably if we are not suited up correctly (a strong antivirus protection!). We will be sorry if we have not practiced drills and learned the plays—set difficult passwords and have strong policies in place!
Security is the goal of Thirtyseven4. Make it your goal too.