Category: Jeff Lanza’s Blog

Full Article Here:

https://arstechnica.com/information-technology/2018/11/mass-router-hack-exposes-millions-of-devices-to-potent-nsa-exploit/

More than 45,000 Internet routers have been compromised by a newly discovered campaign that’s designed to open networks to attacks by EternalBlue, the potent exploit that was developed by, and then stolen from, the National Security Agency and leaked to the Internet at large, researchers said Wednesday.

The new attack exploits routers with vulnerable implementations of Universal Plug and Play to force connected devices to open ports 139 and 445, content delivery network Akamai said in a blog post. As a result, almost 2 million computers, phones, and other network devices connected to the routers are reachable to the Internet on those ports. While Internet scans don’t reveal precisely what happens to the connected devices once they’re exposed, Akamai said the ports—which are instrumental for the spread of EternalBlue and its Linux cousin EternalRed—provide a strong hint of the attackers’ intentions.

The attacks are a new instance of a mass exploit the same researchers documented in April. They called it UPnProxy because it exploits Universal Plug and Play—often abbreviated as UPnP—to turn vulnerable routers into proxies that disguise the origins of spam, DDoSes, and botnets. In Wednesday’s blog post, the researchers wrote:

Taking current disclosures and events into account, Akamai researchers believe that someone is attempting to compromise millions of machines living behind the vulnerable routers by leveraging the EternalBlue and EternalRed exploits.

Unfortunately, Akamai researchers are not able to see what happens after the injections have occurred, they can only see the injections themselves and not the final payloads that would be directed at the machines exposed. However, a successful attack could yield a target rich environment, opening up the chance for such things as ransomware attacks, or a persistent foothold on the network.

Currently, the 45,113 routers with confirmed injections expose a total of 1.7 million unique machines to the attackers. We’ve reached this conclusion by logging the number of unique IPs exposed per router, and then added them up. It is difficult to tell if these attempts led to a successful exposure as we don’t know if a machine was assigned that IP at the time of the injection. Additionally, there is no way to tell if EternalBlue or EternalRed was used to successfully compromise the exposed machine. However, if only a fraction of the potentially exposed systems were successfully compromised and fell into the hands of the attackers, the situation would quickly turn from bad to worse.

The new instance, which Akamai researchers have dubbed EternalSilence, injects commands into vulnerable routers that open ports on connected devices. Legitimate injections often include a description such as “Skype.” EternalSilence injections use the description “galleta silenciosa”—”silent cookie/cracker” in Spanish. The injections look like this:

A scourge called UPnP

Wednesday’s post is only the latest piece of concerning news to involve UPnP, a protocol that is designed to make it easy for connected devices to operate by using code that lets them automatically discover each other and open ports needed to connect to the outside Internet. Two weeks ago, a separate team of researchers reported UPnP flaws were exploited to spawn a 100,000-router botnet used to send spam and other types of malicious email. Most if not all of the exploited vulnerabilities have been public knowledge since 2013, when a landmark Internet scan found 81 million IPv4 addresses responded to standard UPnP discovery requests, even though the standard isn’t supposed to communicate with devices that are outside a local network.

EternalBlue is an attack developed and used by the NSA that exploited server message-block implementations in Vista and all later versions of Windows. In April 2017, a mysterious group calling itself the Shadow Brokers made the attack code available to the world at large. A month later, EternalBlue was folded into WannaCry, a quick-spreading ransomware worm that paralyzed hospitals, shipping companies, and train stations around the globe. A month later, a disk-wiper dubbed NotPetya also used EternalBlue as an engine to self-replicate extremely rapidly.

While fixes for EternalBlue and EternalRed have been in place for more than a year, some organizations have yet to install them. Failing to patch doesn’t automatically mean a network is vulnerable. If ports are adequately restricted, exploits may not be able to spread. Akamai researchers say the new attacks are likely an opportunistic attempt to open devices to attacks they otherwise would be resistant to.

“The goal here isn’t a targeted attack,” they wrote. “It’s an attempt at leveraging tried-and-true off-the-shelf exploits, casting a wide net into a relatively small pond, in the hopes of scooping up a pool of previously inaccessible devices.”

To prevent attacks, people should ensure their routers aren’t vulnerable to UPnP attacks, either by buying new hardware or ensuring their older device is running updated firmware. Once a router has been exploited by UPnProxy, devices should be rebooted or, better yet, reset to their original factory settings to ensure port forwarding injections are cleared. People with compromised routers should also thoroughly inspect connected devices to ensure they haven’t been infected.

Most businesses use the power of technology to communicate with existing customers or as a tool to reach a wider audience. As a business owner, your responsibility is to provide your employees with a safe and secure network.

A recent study shows that nearly 60 percent of business owners polled think that cyber-attacks are getting more sophisticated with each passing year. The amount of collateral damage that can result from one of these attacks can be quite significant.

Rather than waiting until your network is hacked to take action, you need to find ways to secure your network now. Implementing the use of things like virus software or cybersecurity risk management software can help you identify network vulnerabilities and address them rapidly.

Here are some of the cybersecurity mistakes you need to avoid when trying to keep your small business network functional.

See Full Article Here:  http://thefutureofthings.com/12396-4-cyber-security-mistakes-small-business-owners-need-to-avoid/

1. Monitoring User Activity is a Must

Some business owners think that simply having an antivirus program on their network is enough protection to fend off potential hacks. While this type of software can be helpful, you will have to do much more to keep your network safe.

One of the biggest mistakes made by small business owners when it comes to cyber-security is failing to monitor user activity. If there is a security breach, you can easily find the source if you are monitoring your employee’s online activities.

Often times, cyber-attacks are initiated through email attachments. Knowing which of your employees opened the email will provide you with the opportunity to reprimand them accordingly.

2. Failing to Educate Employees About Cyber-Security

Attempting to fend off hackers without the help of your employees will be a futile effort. Educating your employees about things like how to spot a potential phishing scam and what to do is their computer is infected with a virus is crucial.

If you don’t have the time or the experience to provide your team with this information, consulting with IT and cyber-security professionals is a good idea. With their help, you can provide your team with helpful information about how to keep the network safe and virus-free.

3. Routine Security Testing is Important

Do you feel as if you have a handle on securing your network? While you may feel you have mastered the art of network security, there may still be vulnerabilities that need to be addressed.

The best way to find these vulnerabilities is by routinely running tests on your network. Allowing cyber-security professionals to put your network to the test is a great way to see where changes need to be made.

The methods used by hackers are always evolving, which is why this type of testing is crucial. The cyber-security solutions that worked a few months ago may now be obsolete. Finding out what needs to be updated can help you avoid letting your sensitive information fall into the wrong hands.

4. You Need a Reactionary Strategy

While most business owners work hard to put the right preventative measures in place regarding their cyber-security, many fail to have a plan in place should these measures fail. Having a reactionary strategy in place can help you get through a cyber-attack with minimal damage.

These reactionary plans should include things like cloud-based backups of your data and a disaster recovery strategy. While developing these plans will take some time, it is worth the energy you invest.

If you are having a problem getting a handle on your network security, now is the time to reach out to professionals for help. Allowing them to weigh in on these important matters can help you avoid mistakes.

Read full post here: https://internetofbusiness.com/cybersecurity-nearly-as-many-organisations-see-ai-as-foe-not-friend/