Ransomware and Lateral Movement: Why sensor placement matters!

When I work with enterprise organizations on their security posture, I usually run into the same scenario: the information security team has a reduced budget and a traditional, perimeter-centric approach to security. Unfortunately, as the global landscape of enterprise networks continues to evolve, it's clear this approach won't hold up.

In a new generation of adversarial attacks, inside-out attacks are becoming more common, and lateral movement through leaked exploits is the new game. As we saw years ago with MS08-067 on Windows XP, unpatched workstations and servers are the new "norm".

With the new ransomware "BadRabbit", the attackers used EternalRomance, an exploit against the SMBv1 file-sharing protocol (the flaw Microsoft patched in MS17-010) that enables remote code execution on unpatched Windows clients and servers. This is the same tooling revealed in the Shadow Brokers code release, and NotPetya leveraged it as well. The point for sensor placement is that this spread is workstation-to-workstation SMB traffic inside the network: a sensor at the internet edge never sees a single packet of it, while a sensor with east-west visibility sees the whole sweep.
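As an added example (not code from the original post), the following Python script runs a simple lateral-movement check over a handful of constructed flow records and shows what an edge-only sensor would see versus an internal sensor. The address plan (a 10.10.0.0/16 workstation VLAN inside 10.0.0.0/8), the flows and the fan-out threshold are all assumptions made for the illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed address plan for the example: one workstation VLAN inside an RFC 1918 range.
WORKSTATIONS = ipaddress.ip_network("10.10.0.0/16")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
SMB_PORTS = {139, 445}

# Constructed flow records (time, src, dst, dst port); not real traffic.
FLOWS = [
    ("09:00:01", "10.10.4.21", "93.184.216.34", 443),  # browsing: crosses the edge
    ("09:00:05", "10.10.4.21", "10.20.1.5", 445),      # workstation -> file server: expected
    ("09:01:10", "10.10.4.21", "10.10.4.22", 445),     # workstation -> workstation: suspicious
    ("09:01:11", "10.10.4.21", "10.10.4.23", 445),
    ("09:01:12", "10.10.4.21", "10.10.4.24", 445),
    ("09:01:13", "10.10.4.21", "10.10.4.25", 445),
    ("09:02:00", "10.10.4.30", "10.20.1.5", 445),      # another user hitting the file server
    ("09:02:30", "10.10.4.22", "10.10.4.26", 445),     # second host now spreading too
]


def direction(src: str, dst: str) -> str:
    """'east-west' when both ends are internal, otherwise 'north-south'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return "east-west" if s in INTERNAL and d in INTERNAL else "north-south"


def edge_sensor_view(flows):
    """What a sensor on the internet edge (firewall span/tap) can see."""
    return [f for f in flows if direction(f[1], f[2]) == "north-south"]


def internal_sensor_view(flows):
    """What a sensor on the access/distribution switches (east-west visibility) sees."""
    return [f for f in flows if direction(f[1], f[2]) == "east-west"]


def detect_lateral_smb(flows, fanout_threshold: int = 3):
    """Flag SMB between two workstations, and sources reaching >= threshold workstation peers.

    Workstations normally talk SMB to servers, not to each other, so every hit deserves
    triage; the fan-out count separates one admin share from an exploit sweeping the subnet.
    Returns (hits, {source: distinct_workstation_peers}).
    """
    hits, peers = [], defaultdict(set)
    for ts, src, dst, dport in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if dport in SMB_PORTS and s in WORKSTATIONS and d in WORKSTATIONS:
            hits.append((ts, src, dst, dport))
            peers[src].add(dst)
    fanout = {src: len(p) for src, p in peers.items() if len(p) >= fanout_threshold}
    return hits, fanout


if __name__ == "__main__":
    for name, view in (("edge sensor", edge_sensor_view(FLOWS)),
                       ("internal sensor", internal_sensor_view(FLOWS))):
        hits, fanout = detect_lateral_smb(view)
        print(f"{name}: {len(view)} flows seen, {len(hits)} workstation-to-workstation SMB, "
              f"fan-out sources: {fanout or 'none'}")
```

Run against the constructed flows, the edge sensor sees one web connection and raises nothing, while the internal sensor sees seven flows, five workstation-to-workstation SMB connections, and one source fanning out to four peers. The same logic applies to NetFlow/IPFIX or Zeek conn logs once you swap in a real parser.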



Attackers steal restricted data on F-35 fighter, JDAM, P-8 and C-130

In a scenario that has become all too common these days, a subcontractor responsible for developing parts and assemblies for the F-35, JDAM, P-8 and C-130 has been hacked.

Unfortunately, it wasn't just credit card and other consumer data that was compromised. It was detailed information on some of the world's major shared military defense systems, including aircraft, bombs and naval vessels. The breach had also been active for an extended period before it was found.

In fact, almost a year ago, in November 2016, the Australian Cyber Security Centre (ACSC) said it:

…became aware that a malicious cyber adversary had successfully compromised the network of a small Australian company with contracting links to national security projects. ACSC analysis confirmed that the adversary had sustained access to the network for an extended period of time and had stolen a significant amount of data.

The attackers had been inside the company's network since at least the previous July, had "full and unfettered access" for several months, and exfiltrated about 30GB of data including "restricted technical information on the F-35 Joint Strike Fighter, the P-8 Poseidon maritime patrol aircraft, the C-130 transport aircraft, the Joint Direct Attack Munition (JDAM) smart bomb kit, and a few Australian naval vessels."

Though the company was not named, it has been described as a 50-person company with a single IT person handling all aspects of information technology and security. It is also apparent that the company was not compliant with the CSC or similar frameworks, as…


Protecting Against Key Reinstallation Attacks in WPA2 (KRACK)

Just recently, a paper was published describing a vulnerability in WPA2 that affects just about everyone who uses a wireless connection. More specifically, the vulnerability lies in how clients handle message 3 of the 4-way handshake that WPA2 uses for authentication and session key agreement: a retransmitted message 3 makes the client reinstall the session key it is already using, which resets the packet number (the nonce) and causes the encryption keystream to be reused. The attack also requires a man-in-the-middle position, and because the session key is derived from the MAC addresses of both sides, an ordinary evil twin with its own MAC address won't work; the attacker has to clone the real access point's MAC address on a different channel.
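To make the key-reinstallation mechanism concrete, here is an added example (not from the paper or the original post) that models the client side of the handshake in Python. The PTK derivation follows the IEEE 802.11 PRF-384 construction over the PMK, both MAC addresses and both nonces, so it also shows why the rogue AP must carry the real AP's MAC. The PMK, MACs and nonces are constructed values, and the per-packet keystream is an HMAC stand-in for CCMP's AES counter mode (an assumption made so the script runs on the standard library); the only property that matters here is that the keystream depends on the key and the packet number.

```python
import hmac
import hashlib


def prf_384(pmk: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-384: concatenated HMAC-SHA1 blocks, 48 bytes for a CCMP PTK."""
    out = b""
    for i in range(3):
        out += hmac.new(pmk, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:48]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion",
                     Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(ANonce,SNonce))
    Layout: KCK (16) || KEK (16) || TK (16). Both MACs are inputs, hence the MAC cloning."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_384(pmk, b"Pairwise key expansion", data)


def keystream(tk: bytes, pn: int, length: int) -> bytes:
    """Stand-in for CCMP's AES-CTR keystream (assumption: HMAC instead of AES).
    Real CCMP builds the nonce from the 48-bit packet number (PN); same key + same PN
    means the same keystream, which is exactly what key reinstallation produces."""
    return hmac.new(tk, pn.to_bytes(6, "big"), hashlib.sha256).digest()[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Constructed values; a real PMK comes from the passphrase (PSK) or from 802.1X.
PMK = hashlib.sha256(b"constructed-pmk").digest()
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = hashlib.sha256(b"constructed-anonce").digest()
SNONCE = hashlib.sha256(b"constructed-snonce").digest()
P1 = b"GET /secret HTTP/1.1"   # two equal-length frames so the XOR lines up
P2 = b"POST /login HTTP/1.1"


class Supplicant:
    """Minimal model of a client's handling of message 3 and its per-packet counter."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.tk = None
        self.pn = 0
        self.key_installed = False

    def on_message3(self) -> str:
        # Message 3 may legitimately be retransmitted when the AP never saw message 4,
        # so the client must answer it; the question is what it does with the key.
        if self.patched and self.key_installed:
            return "msg4"              # answer, but keep the key and PN already in use
        ptk = derive_ptk(PMK, AP_MAC, STA_MAC, ANONCE, SNONCE)
        self.tk = ptk[32:48]           # temporal key used for data encryption
        self.pn = 0                    # installing a key resets the packet number
        self.key_installed = True
        return "msg4"

    def encrypt(self, plaintext: bytes):
        self.pn += 1
        return self.pn, xor(plaintext, keystream(self.tk, self.pn, len(plaintext)))


def run_scenario(patched: bool):
    """Encrypt a frame, let the attacker replay message 3, encrypt another frame.
    Returns (pn_first, pn_second, xor_of_the_two_ciphertexts)."""
    sta = Supplicant(patched)
    sta.on_message3()
    pn1, c1 = sta.encrypt(P1)
    sta.on_message3()                  # replayed message 3 (the KRACK trigger)
    pn2, c2 = sta.encrypt(P2)
    return pn1, pn2, xor(c1, c2)


if __name__ == "__main__":
    for patched in (False, True):
        pn1, pn2, diff = run_scenario(patched)
        leaks = diff == xor(P1, P2)
        print(f"patched={patched}: PN {pn1} then {pn2}; nonce reused={pn1 == pn2}; "
              f"ciphertext XOR reveals plaintext XOR={leaks}")
```

In the vulnerable run both frames go out with PN 1, so XORing the two ciphertexts cancels the keystream and yields the XOR of the plaintexts; the patched client still answers the retransmission but refuses to reinstall a key that is already in use, so the counter keeps climbing and the leak disappears. That refusal is the core of the client-side fixes vendors shipped.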

The paper, written by Belgian researchers Mathy Vanhoef and Frank Piessens, is 16 pages long and goes into detail on the various exploitations possible. We don't want to rehash everything here when you can go straight to the source, so for those who want the technical ins and outs of this vulnerability, we recommend reading it from the horse's mouth: https://papers.mathyvanhoef.com/ccs2017.pdf

What most people probably want to know, though, is "how do I avoid getting hacked?" The safest and most immediate solution is to switch to wired networking for the time being. The attacker has to be within radio range of your client, so the chances of being hit are low for most people; but if you live in a densely populated area with plenty of technically inclined neighbours, or if you are responsible for protecting significant assets, the odds go up. Two caveats are worth knowing. First, the flaw is in the client side of the handshake, so the permanent fix is a patched client (access points also need patching where they offer 802.11r fast roaming); replacing the router alone does not fix it. Second, traffic that is already encrypted at a higher layer, such as properly configured HTTPS or a VPN, keeps its payload protected even when the Wi-Fi layer is broken. So for now, and until patches are released by the various vendors, we recommend moving to wired networking. For those of you on laptops without an Ethernet port, USB-to-Ethernet adapters are available online or at your local tech store. Yes, this is inconvenient for many people, so each person will have to weigh that inconvenience against the sensitivity of the data they work with and make the best decision for them.



Principal Security Engineer, Patrick Kelley, Lectures at GSU.

Principal Security Engineer Patrick Kelley was given the opportunity to guest lecture for the Master of Science in Information Systems, Cybersecurity Concentration, last evening. The discussion centered on the implementation of security controls in cloud environments and the anatomy of a penetration test.