Every SOC analyst probably dreams of the day their detection rules catch the latest techniques of state-sponsored APT groups and an investigation leads to the discovery of a zero-day exploit. Unfortunately (or fortunately), most of the incidents an average responder has to deal with are far less romantic: unrenamed PsExec used to spread through the network, classic UAC bypass methods for privilege escalation, and a vast number of vulnerabilities for which patches were released long ago.
Recalling past incidents, one inevitably concludes that almost every one of them could have been prevented relatively easily if... if everything had been done the way it has already been described many times over in manuals and information security best practices. So today I want not only to talk about one of our recent incident response cases, but also to remind you of the need to install patches even on "turnkey" systems.
Even now there is a widespread misconception that information security should be a function rather than a process. It usually sounds like this: "Make it secure for us, and then we will maintain everything ourselves." The nature of the information security business is such that the integrator that "makes it secure" will not argue with the customer. It will do the job and move on, bringing information security to the masses. And the customer, having signed the acceptance certificates and paid under the contract, will remain naively confident that all is well and that the security system has been built to last for centuries. The surprise, as they say, comes later. Because information security is an active, constantly changing process that cannot be fixed once and for all, and customers often forget this "small detail". Like any business process, information security consists of many elements without which it does not work. One of them is patch management.
As the name implies, patch management is the process of managing software updates that close security holes or maintain an adequate level of security (typical of server software or the OS), as well as fix problems in application software.
From the case
A geographically distributed closed network based on Microsoft solutions, consisting of approximately 200 hosts. Two of them have a second network card and Internet access. By all indications the infrastructure falls under the requirements of Federal Law No. 187-FZ "On the Security of Critical Information Infrastructure". Due to the specifics of the core software, two service companies are involved in maintaining the infrastructure. By the time the Solar JSOC "fire brigade" was brought in, the infrastructure had not been functioning for more than 2 days.
The need to install "patches", especially security updates, has been discussed a lot and often. Typing "Patch Management Policy" into any search engine returns about 100 million results, from which the first active discussions can be traced back to 2006. In early 2007 SANS published a paper titled "Patch Management. Part of standard operations...", whose very first pages explain quite intelligibly what patch management is and why it is needed, in language accessible not only to a technical specialist but also to a manager far removed from IT. The more recent NIST Special Publication 800-40 Revision 3, Guide to Enterprise Patch Management Technologies, dates from 2013 and continues to emphasize the need for critical updates. Even the ISO/IEC 27001:2015 standard, so beloved in Russia, contains section 12.6, "Technical vulnerability management", whose objective is to prevent exploitation of published vulnerabilities.
From the case
According to the information provided by the service companies, over the past 48 hours almost all network hosts had been showing CPU load of around 100% and crashing with a BSOD. Numerous attempts to use certified anti-virus software had failed: repeated re-infections with Trojan.Equation malware were being recorded. Moreover, a rollback of the anti-virus databases to December 2017 was discovered. No RDP access. And as the cherry on the cake: the figures for the number of workstations (AWPs) received from the two integrators and from the affected party did not match. The last inventory had been carried out several years before the incident by a system administrator who had since resigned. There was nothing resembling a continuity plan.
Nevertheless, the scattered information obtained allowed us to draw preliminary conclusions about how the malware was spreading over the network and to issue the first countermeasure recommendations.
One of the main ones was to disable the SMBv1 and SMBv2 protocols to stop the malware spreading over the network.
About 3 hours passed from the moment the request for help was received until the recommendations were issued.
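The containment step above, disabling legacy SMB on a host, as an added PowerShell example that is not part of the original article. It first reports the current protocol state and which clients still negotiate SMB1 (so that a legitimate dependency is found before the protocol is switched off), then disables SMB1 on both the server and the client side. It assumes Windows 8.1/Server 2012 R2 or later (the SmbShare module cmdlets it uses are not available on Windows 7/Server 2008 R2); the SMB1 audit log it reads exists on Windows 10/Server 2016 and later.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the article: audit and disable legacy SMB on a
# Windows host. Run from an elevated PowerShell session on the host itself.

function Get-SmbProtocolState {
    # Current server-side protocol switches plus any active sessions that are
    # still negotiated at an SMB1 dialect (Dialect major version < 2).
    $cfg = Get-SmbServerConfiguration
    $smb1Sessions = Get-SmbSession -ErrorAction SilentlyContinue | Where-Object {
        $v = $_.Dialect -as [version]
        $v -and $v.Major -lt 2
    }
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Smb1Enabled  = $cfg.EnableSMB1Protocol
        Smb2Enabled  = $cfg.EnableSMB2Protocol   # also governs SMB3 on Windows
        Smb1Sessions = @($smb1Sessions).Count
        Smb1Clients  = @($smb1Sessions | ForEach-Object ClientComputerName | Sort-Object -Unique)
    }
}

function Get-Smb1AccessAudit {
    # Windows 10 / Server 2016 and later: turn on SMB1 access auditing and
    # return the clients recorded in event 3000 of the SMBServer audit log.
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 } `
        -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

function Disable-LegacySmb {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Also switch off SMB2 (the emergency measure from the case). Caveat:
        # EnableSMB2Protocol governs SMB3 as well, so this stops all normal
        # Windows file sharing on the host until it is re-enabled.
        [switch]$IncludeSmb2
    )
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMB1 server and client')) {
        # Server side: stop offering SMB1 dialects.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

        # Remove the SMB1 component entirely; the feature name differs between
        # server and client SKUs.
        if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
            if ((Get-WindowsFeature FS-SMB1 -ErrorAction SilentlyContinue).Installed) {
                Uninstall-WindowsFeature FS-SMB1 | Out-Null
            }
        } else {
            $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
            if ($feat -and $feat.State -eq 'Enabled') {
                Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
            }
        }

        # Client side: drop the workstation service's dependency on the SMB1
        # redirector (mrxsmb10) and disable it. Takes effect after a reboot.
        sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
        sc.exe config mrxsmb10 start= disabled | Out-Null
    }
    if ($IncludeSmb2 -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMB2/SMB3 server')) {
        Set-SmbServerConfiguration -EnableSMB2Protocol $false -Force
    }
}

# Usage:
#   Get-SmbProtocolState            # what is enabled, who still talks SMB1
#   Get-Smb1AccessAudit             # SMB1 clients seen since auditing was enabled
#   Disable-LegacySmb -WhatIf       # preview the changes
#   Disable-LegacySmb               # SMB1 only; add -IncludeSmb2 for the emergency measure
```

Disabling SMB1 alone is the permanent fix; the `-IncludeSmb2` switch reproduces the case's emergency recommendation and should be reverted once hosts are patched, because it also cuts off SMB3 and therefore every Windows file share and most management tooling on the host.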
The most widely known virus attacks are WannaCry and NotPetya. Both exploit an SMB vulnerability in Windows systems that the ShadowBrokers group made public in April 2017. A month earlier, Microsoft had already released a patch covering the EternalBlue vulnerability in security bulletin MS17-010. But the attacks "hit" in May and June 2017. Their consequences would not have been so severe if the victims had not ignored the critical update and had installed the patch in time. Unfortunately, there are also known cases where critical patches broke third-party software, but the consequences were never as global as those of mass virus attacks.
Amid the hype around cryptocurrency mining, vulnerabilities in company networks become especially attractive: someone else's resources can be used for the necessary calculations, driving hosts to physical destruction.
From the case
The Solar JSOC fire brigade identified multiple attempts to infect the investigated infrastructure with cryptominer malware, one of which used the EternalBlue vulnerability to spread.
Analysis of the anti-virus quarantine logs and samples also showed the presence in the affected infrastructure of WannaMine malware, which mines the Monero cryptocurrency. One of the features of the detected malware is a propagation mechanism similar to the earlier WannaCry. In addition, files were found in SpeechsTracing directories that are identical to the archive ShadowBrokers had published a year and a half earlier.
During the work to neutralize the attack in the infected infrastructure, the numerous updates that Microsoft had released from 2016 to the present were installed.
About 50 hours passed from the moment JSOC specialists were brought in until the infrastructure was returned to "combat" mode. Most of that time was spent coordinating actions between the affected party, the service companies and our team.
Practice shows that many problems could be avoided if people did not try to work everything out on their own. Do not rely on the idea that "we have our own special way". In the digital age this paradigm does not work. A huge number of recommendations and manuals on preventing disasters of every origin have already been written, and with modern technology following them is relatively easy. Since childhood I have remembered the excellent slogan of the fire service (Service 01): "A fire is easier to prevent than to put out", which perfectly captures a sound approach to patch management.
How to make updates routine
First of all, build an update management process for the infrastructure that promptly closes old vulnerabilities and counters new ones in the OS and in application and system software components, namely:
- develop and enforce regulations for managing updates to the OS and to application and system software components;
- deploy and configure Windows Server Update Services (WSUS), the update service for operating systems and Microsoft products, in the server segment;
- continuously monitor whether the updates installed in the affected party's infrastructure are current, and promptly install new critical security updates.
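The second and third steps above (a WSUS approval routine and continuous monitoring of what is actually installed), together with the MS17-010 point made earlier, as one added PowerShell example that is not part of the original article. It assumes the UpdateServices module on a Windows Server running WSUS, WinRM access to the audited hosts, and that the computer group names and the KB list are filled in from the customer's WSUS configuration and from Microsoft's bulletin (the MS17-010 fix is delivered by a different KB for each OS version, and later cumulative updates supersede it, so the list is treated as "at least one of").

```powershell
# Added example, not code from the article. Part 1 runs on the WSUS server,
# part 2 from any management host with WinRM access to the fleet.

function Approve-PendingSecurityUpdates {
    # Approve every unapproved critical/security update that at least one
    # client still needs (or has failed to install) for a target group.
    # Approve to a pilot group first; promote to 'All Computers' once the
    # pilot hosts report success.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$TargetGroupName = 'Pilot'   # placeholder: an existing WSUS computer group
    )
    $wsus = Get-WsusServer   # the local WSUS server
    $pending = foreach ($class in 'Critical', 'Security') {
        Get-WsusUpdate -UpdateServer $wsus -Classification $class `
            -Approval Unapproved -Status FailedOrNeeded
    }
    foreach ($u in $pending) {
        if ($PSCmdlet.ShouldProcess($u.Update.Title, "Approve for install to '$TargetGroupName'")) {
            $u | Approve-WsusUpdate -Action Install -TargetGroupName $TargetGroupName
        }
    }
    # Hosts that still report failed or needed updates after approval.
    Get-WsusComputer -UpdateServer $wsus -ComputerUpdateStatus FailedOrNeeded |
        Select-Object FullDomainName, LastReportedStatusTime
}

function Get-PatchComplianceReport {
    # Per-host view of what is actually installed: date of the last update,
    # presence of at least one KB from a required list, and SMB1 state.
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        # Placeholder list: fill with the KBs from the relevant bulletin
        # (e.g. the OS-specific MS17-010 packages); any one of them satisfies the check.
        [string[]]$RequiredKB = @('KB-PLACEHOLDER'),
        [int]$MaxDaysSinceLastUpdate = 45
    )
    Invoke-Command -ComputerName $ComputerName -ArgumentList $RequiredKB, $MaxDaysSinceLastUpdate -ScriptBlock {
        param($RequiredKB, $MaxDays)
        # Get-HotFix only lists packages installed through Windows Update /
        # servicing; on Windows 10 the KB may be superseded by a later
        # cumulative update, which is why the list is "at least one of".
        $fixes = Get-HotFix
        $last = ($fixes | Where-Object InstalledOn | Sort-Object InstalledOn -Descending |
                 Select-Object -First 1).InstalledOn
        $hasRequired = @($RequiredKB | Where-Object { $_ -in $fixes.HotFixID }).Count -gt 0
        $stale = (-not $last) -or (((Get-Date) - $last).Days -gt $MaxDays)
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            OSVersion    = (Get-CimInstance Win32_OperatingSystem).Version
            LastUpdate   = $last
            Stale        = $stale
            HasRequiredKB = $hasRequired
            Smb1Enabled  = (Get-SmbServerConfiguration).EnableSMB1Protocol
        }
    } | Select-Object ComputerName, OSVersion, LastUpdate, Stale, HasRequiredKB, Smb1Enabled
}

# Usage:
#   Approve-PendingSecurityUpdates -TargetGroupName 'Pilot' -WhatIf
#   Get-PatchComplianceReport -ComputerName (Get-Content .\hosts.txt) |
#       Where-Object { $_.Stale -or -not $_.HasRequiredKB -or $_.Smb1Enabled } |
#       Format-Table -AutoSize
```

The report deliberately combines three signals the case turned on: hosts with no update for longer than the agreed window, hosts missing the bulletin's fix, and hosts still exposing SMB1. Running it on a schedule and alerting on a non-empty result is the "continuous monitoring" of the third step; the inventory list it takes as input is exactly what was missing in the case.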