7. Fending Off Canadian Tuxedos
Coming up this week on Breaking Badness. Today we discuss How an Aluminum Giant Was Foiled by LockerGoga Ransomware, Shocking Heart Defibrillator Vulnerabilities, and Introducing Endlessh: The Pit of Despair.
Here are a few highlights from each article we discussed:
Aluminum Giant Was Foiled by LockerGoga Ransomware
- Norsk Hydro share prices had fallen by almost 40% in the last 13 months because of a court-ordered shutdown following a spill.
- The company’s shares are down 2.1% since the attack.
- The company switched from automated to manual control of its plants.
- There isn’t any public data indicating this was an explicit targeted attack.
- Ransomware is in this fuzzy area, where we see it being leveraged by sophisticated and unsophisticated threat actors across the board.
- Windows-based ransomware.
- LockerGoga first hit with a major attack on a French consulting company.
Traditional Ransomware Behavior LockerGoga Mimics
- Drops a ransom note offering the decryption method in exchange for a Bitcoin payment.
- Targets MS Office file extensions and PDFs.
- Sandbox-aware.
- No network traffic involved; the ransom note and capabilities are all self-contained.
Non-Traditional Ransomware Behavior LockerGoga
- Modifies the password for each user – which is interesting. This must happen after the ransom note is dropped.
- Otherwise, you lock users out without giving them the ability to pay to decrypt their files.
Defending Against LockerGoga?
- DON’T PAY THE RANSOM.
- Leverage network segmentation (in case the ransomware is wormable).
- Data segmentation and backups.
- Behavior-based AV: something that detects the behavior of ransomware, such as bulk calls to the Windows crypto APIs followed by bulk file writes.
Shocking Heart Defibrillator Vulnerabilities
- The impact is huge here, obviously, but vulnerabilities are normal in software. It’s all about the patch-response process each manufacturer adheres to.
- Tarik is scared of abandoned hardware, akin to Android. What if I have a defibrillator installed and 6 years later there is a public exploit and the manufacturer doesn’t support it anymore?
- CVE-2019-6538 & CVE-2019-6540 – The protocol used to communicate with the Medtronic defibrillator performs no checks for data tampering and has no authentication (authN) or authorization (authZ). NO ENCRYPTION EITHER.
- The attacker needs to be within close radio range.
- The attacker would likely use a HackRF (a software-defined radio).
Introducing Endlessh: The Pit of Despair
- The name comes from the La Brea Tar Pits.
- Tarpitting is a technique used to slow down attackers, often implemented as a honeypot service.
- Tarpitting is neat, but Tarik generally doesn’t think tarpits have a place in the enterprise world unless they are internally facing and stood up independently.
- DON’T INSTALL ON A PRODUCTION SERVER! Even then, be sure you don’t have automated services trying to connect to every endpoint, because the tarpit will hang them. Exclude your honeypot from that automation!
- After the TCP three-way handshake completes but before the SSH handshake begins, Endlessh sends a stream of randomly generated data back to the client instead of its SSH banner, so the SSH handshake never completes.
- This leaves the connection open but never completed, and the steady trickle of data keeps the client from timing out.
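The Endlessh behavior described above, as an added example that is not Endlessh’s own code: a minimal Python tarpit that accepts TCP connections and, instead of an SSH banner, drip-feeds random pre-banner lines forever. The listening port (2222), the 10-second delay and the helper names are assumptions for the example.

```python
import random
import socket
import threading
import time
# RFC 4253 section 4.2: before its "SSH-2.0-..." identification string a server
# may send other CRLF-terminated lines that must not begin with "SSH-", and the
# client has to read and discard them. A tarpit simply never stops sending them.

def banner_line(rng):
    """One random pre-identification line: printable ASCII, CRLF-terminated."""
    body = bytes(rng.randint(0x20, 0x7E) for _ in range(rng.randint(3, 32)))
    if body.startswith(b"SSH-"):  # would be mistaken for the real banner
        body = b"x" + body[1:]
    return body + b"\r\n"

def tarpit_connection(conn, delay=10.0, max_lines=0, rng=None):
    """Feed one client a banner line every `delay` seconds until it gives up
    (max_lines=0 means forever). Returns the number of lines sent."""
    rng = rng if rng is not None else random.Random()
    sent = 0
    try:
        while not max_lines or sent < max_lines:
            conn.sendall(banner_line(rng))
            sent += 1
            time.sleep(delay)
    except OSError:  # client closed or reset the connection
        pass
    finally:
        conn.close()
    return sent

def serve(host="0.0.0.0", port=2222, delay=10.0):
    """Accept loop, one thread per trapped client (port 2222 is an assumption)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(64)
    while True:
        conn, _peer = srv.accept()
        threading.Thread(target=tarpit_connection, args=(conn, delay), daemon=True).start()

def trap_in_process(n_lines=5, seed=1):
    """Offline check: tarpit one end of a socketpair with no delay, return the client's lines."""
    server_side, client_side = socket.socketpair()
    tarpit_connection(server_side, delay=0.0, max_lines=n_lines, rng=random.Random(seed))
    data = b""
    while chunk := client_side.recv(4096):
        data += chunk
    client_side.close()
    return data.split(b"\r\n")[:-1]
```

Call `serve()` to run it for real; `trap_in_process()` exercises the same code path against an in-process socket pair with no delay.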
This Week’s Hoodie Scale
Aluminum Giant Was Foiled by LockerGoga Ransomware
[Tarik]: 5.5/10 Hoodies
[Tim]: 4/10 Hoodies
Shocking Heart Defibrillator Vulnerabilities
[Tarik]: 10/10 Hoodies
[Tim]: 6.5/10 Hoodies
Introducing Endlessh: The Pit of Despair
That’s about all we have for this week, you can find us on Twitter @domaintools, all of the articles mentioned in our podcast will always be included in our blog. Catch us next Wednesday at 9 AM Pacific time when we publish our next podcast and blog.
*A special thanks to John Roderick for our incredible podcast music!