The purpose of this alert is to inform organizations of current or imminent security concerns so that proper precautions may be taken.
Vulnerabilities were publicly disclosed on October 16th, 2017.
Wi-Fi Protected Access 2 (WPA2), the current industry standard for Wi-Fi security, is susceptible to attack and exploitation. Several "critical" vulnerabilities, collectively known as KRACK (Key Reinstallation Attacks), have been discovered in the WPA2 4-way handshake and related handshakes; they can be leveraged to break client encryption and disclose confidential information.
"An attacker within the wireless communications range of an affected AP and client may leverage these vulnerabilities to conduct attacks that are dependent on the data confidentiality protocol being used. Impacts may include arbitrary packet decryption and injection, TCP connection hijacking, HTTP content injection, or the replay of unicast, broadcast, and multicast frames."
The vulnerabilities in question were discovered by Mathy Vanhoef, a security researcher at KU Leuven. Initial notifications went to select Wi-Fi hardware manufacturers on July 14th, 2017, with CERT issuing broad notification to all affected manufacturers on August 28th, 2017. Upon CERT's notification to all manufacturers, a security embargo was put into effect, preventing public disclosure of the vulnerabilities in order to allow manufacturers time to develop patches. The vulnerabilities were then publicly disclosed on October 16th, 2017.
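Why a key reinstallation leads to the "arbitrary packet decryption" quoted above, as an added illustration that is not part of this alert and is not the KRACK research code: CCMP, GCMP and TKIP all derive per-frame keystream from the session key plus a packet number that serves as the nonce, and the protocol assumes a nonce is never reused under one key. The attack has a man-in-the-middle on the wireless channel replay message 3 of the 4-way handshake, so the client reinstalls the key it is already using and resets its packet number to zero; every frame it sends afterwards reuses keystream that an eavesdropper has already seen. The model below uses a SHA-256 counter-mode keystream as a stand-in for AES-CTR, a minimal client that mimics the nonce reset, and constructed frames; the class and function names are ours.

```python
"""Toy model of why a key reinstallation leaks data (added example, not WPA2 code)."""
import hashlib
from itertools import count

# Constructed frames. The first is the kind of predictable traffic (ARP, DHCP)
# an attacker can guess; the second is what the attacker wants to read.
KNOWN_FRAME = b"ARP request: who-has 192.168.1.1? tell 192.168.1.23"
TARGET_FRAME = b"POST /login user=alice&password=hunter2 HTTP/1.1"


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Counter-mode keystream: SHA-256(key || nonce || block index), truncated to length.
    Stand-in for AES-CTR inside CCMP; only the key/nonce -> keystream relation matters."""
    out = bytearray()
    for block in count():
        out += hashlib.sha256(key + nonce.to_bytes(6, "big") + block.to_bytes(4, "big")).digest()
        if len(out) >= length:
            return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Minimal model of a Wi-Fi client's pairwise key and packet-number (nonce) state."""

    def __init__(self, patched: bool):
        self.ptk = None
        self.nonce = 0
        self.patched = patched  # True models a client fixed against reinstallation

    def handle_msg3(self, ptk: bytes) -> None:
        """Process message 3 of the 4-way handshake (possibly a replayed copy)."""
        if self.patched and ptk == self.ptk:
            return  # fix: a key that is already installed is not reinstalled
        self.ptk = ptk
        self.nonce = 0  # vulnerable behaviour: (re)installing resets the packet number

    def encrypt(self, plaintext: bytes):
        """Return (packet number, ciphertext) for the next frame."""
        self.nonce += 1
        return self.nonce, xor(plaintext, keystream(self.ptk, self.nonce, len(plaintext)))


def recover_with_known_plaintext(c_known: bytes, p_known: bytes, c_target: bytes) -> bytes:
    """Same key and nonce on both frames means c1 ^ c2 == p1 ^ p2, so p2 = c1 ^ c2 ^ p1.
    Assumes len(p_known) >= len(c_target)."""
    return xor(xor(c_known, c_target), p_known)


def run_attack(patched: bool):
    """Replay message 3 after the client has sent one frame; return the plaintext the
    attacker recovers from the next frame, or None if the packet numbers differ."""
    ptk = hashlib.sha256(b"constructed pairwise transient key").digest()
    client = Supplicant(patched)
    client.handle_msg3(ptk)                       # normal handshake completes
    n1, c_known = client.encrypt(KNOWN_FRAME)     # packet number 1
    client.handle_msg3(ptk)                       # attacker on the channel replays message 3
    n2, c_target = client.encrypt(TARGET_FRAME)   # vulnerable client: packet number 1 again
    if n1 != n2:
        return None                               # distinct keystreams, nothing to recover
    return recover_with_known_plaintext(c_known, KNOWN_FRAME, c_target)


if __name__ == "__main__":
    print("vulnerable client:", run_attack(patched=False))
    print("patched client:   ", run_attack(patched=True))
```

The fix shown in `handle_msg3` is the one vendors shipped: refuse to reset the packet number when the key being installed is the one already in use. Note that with TKIP and GCMP the same keystream reuse also leaks the integrity key, which is why the CERT text above lists injection and hijacking alongside decryption.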
rmsource recommends the following:
Affected vendors were informed of the WPA2 KRACK vulnerabilities on August 28th, 2017 and have been working to develop patches for affected systems. Patches are forthcoming and availability is still limited at the time of this writing. Because the flaw is in how the client (and, where 802.11r fast roaming is enabled, the access point) handles the handshake, both client devices and access points need to be patched; changing the Wi-Fi passphrase does not mitigate it. rmsource recommends monitoring bulletins issued by affected vendors and applying all patches associated with WPA2 KRACK immediately upon release. Until patches are applied, treat Wi-Fi as an untrusted network and rely on end-to-end encryption such as HTTPS or a VPN.
The US Computer Emergency Readiness Team (US-CERT) has issued an alert stating that it has received multiple reports (worldwide) of Petya ransomware infections.
"Petya ransomware encrypts the master boot records of infected Windows computers, making affected machines unusable. Open-source reports indicate that the ransomware exploits vulnerabilities in Server Message Block (SMB)."
Security Bulletins and Updates
rmsource recommends updating all Intrusion Prevention platforms with signatures that detect or block exploitation of the following CVEs:
Microsoft-issued workaround:
Microsoft has provided the following link for disabling SMBv1 as a workaround.
Please note: system administrators will need to evaluate individual network environments and requirements prior to disabling any protocols. SMBv1 is still required by some legacy equipment (older printers, NAS devices, and Windows XP/Server 2003 hosts), so confirm nothing depends on it before turning it off.
WannaCry is a ransomware program first detected on Friday, May 12, targeting vulnerabilities in Microsoft software. Since the onset of the attack, it is estimated that 200,000 computers in 150 countries have been affected.
WannaCry utilizes the "EternalBlue" exploit against Microsoft's SMBv1 implementation, believed to have been developed by the NSA and leaked to the public by the "Shadow Brokers" group on April 14th, 2017.
While a patch was released by Microsoft on March 14th, 2017 (Microsoft Security Bulletin MS17-010), unpatched devices and legacy systems remain vulnerable. Windows XP and Windows Server 2003 had fallen out of support before the outbreak; Microsoft released an out-of-band MS17-010 update for them shortly after the attack began, which must be obtained and applied separately.
Early reports attributed the initial infection to a malicious phishing email, although later analysis pointed to direct exploitation of SMB services exposed to the internet. Once a device is compromised, the malware spreads through the network as a worm, scanning and exploiting connected
Upon successfully infecting a system, the WannaCry malware installs an encryption package that targets commonly used files, such as audio, video and text documents.
The following image shows a comprehensive list of targeted file extensions:
Infected systems then display a pop-up window informing users that their files have been encrypted and providing instructions and links for payment and decryption.
Next Steps and Protection
While the spread of the WannaCry worm was greatly slowed by a "kill-switch" being triggered over the weekend (the malware checks an unregistered domain before spreading, and registering that domain stopped it), it is extremely likely that new, more resilient versions will be released.
In order to ensure users and networks are protected from various versions of this and other malware, the following practices should
It’s no secret that the cloud is taking its place as the leading technology for SaaS, IaaS and PaaS. However, there’s another shift taking place – IT departments are moving from managing costs to generating revenue. It’s a digital transformation that’s focused on the cloud. And, Microsoft Azure is leading the way.
The cloud is a huge part of this because of its flexibility. It can deliver what we’ve all come to expect from most any service in our personal and work lives – greater user experiences and powerful capabilities – something business organizations across industries are also expecting from their technology. That means organizations are making the technology shift to the cloud, especially Microsoft Azure, and they need cloud service providers to help manage this for them.
Chances are it's at the core of your business strategy, too. The reality is that if you aren't currently investing in the cloud, over the next five years you will be. Many organizations that have already invested in the cloud are now finding they need assistance maximizing its efficiencies, increasing security, and helping IT estimate consumption costs. Truly, the flexibility of cloud environments can easily get out of financial control; it's not a simple turn-on-and-go scenario.
Because of this shift, we are often asked:
Do I get 24x7 support?
How do we manage security?
How can I properly estimate my monthly consumption costs?
Which workloads or applications should I move to the cloud?
Do I have to pay for Disaster Recovery when my VMs are turned off?
Can I specify a geographic region to guarantee my data stays in the United States?
These conversations are drastically different from just a few years ago. If it's time to make the shift or get your cloud services under control, find an experienced provider with the experts in place to help you get it right the first time.
As a Microsoft Cloud Service Provider, we have the resources and experience to help you take your business to the next level. Please contact our sales teams for more information.
rmsource spent the end of 2016 at CIO conferences and several charity golf events with customers. We also celebrated with our employee family with picnics, team building events, and various after-work activities. We closed the year with new employees, new relationships, and new vendor partnerships. We are looking forward to 2017!
For more information visit rmsource.com and follow us on Twitter @rmsourceinc!
Weaponized IoT (Internet of Things) - Mirai Botnet
Last year, the "Mirai Botnet" was used (in part) to mount a large-scale, multiple wave attack on DNS Service Provider Dyn, resulting in many high-profile sites such as Twitter, Amazon, Reddit and Paypal becoming inaccessible during the attack.
In a statement by Dyn's Chief Strategy Officer, Kyle York, "This was a sophisticated, highly distributed attack involving 10s of millions of IP addresses."
This is believed to be the same botnet used in a record-breaking 620 Gbps attack on Krebsonsecurity.com in September.
Mirai source code was released by Anna-senpai (online pseudonym) on Hackforums (a hacker community site) this past September. Mirai works by using already-infected devices to scan the internet for other IoT devices that accept telnet logins (TCP ports 23 and 2323) and to try a built-in list of factory-default usernames and passwords against them. Once a device is accessed using known default credentials, the Mirai code infects it and creates a connection to a command-and-control server, after which the device is utilized in large-scale DDoS attacks.
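One way to spot the scanning behaviour described above on your own network, as an added example that is not code from this alert, from Mirai, or from any vendor: Mirai-infected devices sweep TCP ports 23 and 2323 looking for telnet logins, and the SMB worms in the WannaCry and Petya alerts earlier on this page sweep TCP 445. In firewall or flow logs both look the same: one source opening connections to many distinct destinations on the same port within a short time, which ordinary traffic (many connections to one file server, or a slow trickle of admin sessions) does not do. The key=value log format and every line below are constructed, and the 60-second window and ten-destination threshold are assumptions to tune per environment; the detector generalises to any port you add to SCAN_PORTS.

```python
"""Sliding-window fan-out detector for worm/botnet scanning (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Ports swept by the malware discussed on this page.
SCAN_PORTS = {
    23: "telnet (Mirai)",
    2323: "telnet alt (Mirai)",
    445: "SMB (EternalBlue: WannaCry, Petya)",
}
WINDOW = timedelta(seconds=60)   # assumption: tune per environment
THRESHOLD = 10                   # distinct destinations on one port inside WINDOW

# Constructed key=value firewall format; real products differ, so adjust the regex.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=tcp"
)


def parse(line):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], m["dst"], int(m["dport"])


def find_scanners(lines, threshold=THRESHOLD, window=WINDOW):
    """Map (src, dport) -> peak number of distinct destinations seen inside any
    `window`, for pairs whose peak reaches `threshold`. Repeated connections to
    one host (a file server, say) never count as more than one destination."""
    events = defaultdict(list)  # (src, dport) -> [(ts, dst), ...]
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, src, dst, dport = rec
        if dport in SCAN_PORTS:
            events[(src, dport)].append((ts, dst))

    hits = {}
    for key, evs in events.items():
        evs.sort()                      # logs are not guaranteed to be time-ordered
        in_window = Counter()           # dst -> occurrences inside the sliding window
        left = peak = 0
        for ts, dst in evs:
            in_window[dst] += 1
            while ts - evs[left][0] > window:      # evict events older than the window
                old = evs[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            hits[key] = peak
    return hits


def make_sample_log():
    """Constructed traffic (not real captures) covering two bad and two benign cases."""
    base = datetime(2017, 10, 21, 11, 52, 0)
    lines = []

    def add(offset_s, src, dst, dport):
        ts = (base + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} src={src} dst={dst} dport={dport} proto=tcp action=allow")

    for i in range(25):   # Mirai-style: camera sweeps telnet on 25 hosts in 25 seconds
        add(i, "10.0.5.17", f"198.51.100.{i + 1}", 23)
    for i in range(15):   # WannaCry-style: workstation probes SMB on 15 internal hosts
        add(90 + i, "10.0.2.40", f"10.0.1.{i + 10}", 445)
    for i in range(30):   # benign: many SMB connections, but all to one file server
        add(2 * i, "10.0.2.41", "10.0.1.5", 445)
    for i in range(12):   # benign: admin telnets to 12 switches spread over ten minutes
        add(50 * i, "10.0.3.9", f"10.0.9.{i + 1}", 23)
    lines.append("2017-10-21T11:52:00Z malformed line that the parser must skip")
    return lines


if __name__ == "__main__":
    for (src, dport), peak in sorted(find_scanners(make_sample_log()).items()):
        print(f"{src} -> {peak} distinct hosts on {dport}/tcp ({SCAN_PORTS[dport]})")
```

Run against the constructed log, only the camera sweeping telnet and the workstation sweeping SMB are reported; the file-server client and the slow admin session stay below the threshold because the count is of distinct destinations inside the window, not of connections. Internal hosts flagged on 445 should be isolated first, since a worm like WannaCry spreads faster than any ticket queue.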
According to Dyn, a distributed denial-of-service (DDoS) attack began at 7:00 a.m. (EDT) and was resolved by 9:20 a.m. A second attack was reported at 11:52 a.m. and Internet users began reporting difficulties accessing websites. A third attack began in the afternoon, after 4:00 p.m. At 6:11 p.m., Dyn reported that they had resolved the issue.
The following map shows the affected areas and outage scope of the Oct 24 attack on Dyn. Source: Downdetector.com
While there is currently no definitive list detailing which specific device makes and models are vulnerable, Allison Nixon of Flashpoint stated that the botnet is "mainly comprised of IP Cameras and DVRs with components made by Xiongmai Technologies."
While many of the usernames and passwords within the botnet source code are generic and can be applied to multiple devices, KrebsOnSecurity.com compiled the following table by reviewing the Mirai source code for username and password combinations that could be linked to specific manufacturers and device types.
The Mirai code is loaded into memory only, so infected devices can be temporarily cleaned by rebooting; however, as the botnet is constantly scanning for vulnerable devices, re-infection can occur within minutes. Users of IoT devices should be advised to set strong usernames and passwords; however, many devices that allow credentials to be changed through a web-based interface still contain telnet- or SSH-accessible passwords that are hard-coded into the firmware, according to Flashpoint's Zach Wikholm.
"The issue with these particular devices is that a user cannot feasibly change this password," Flashpoint's Zach Wikholm told KrebsOnSecurity. "The password is hardcoded into the firmware, and the tools necessary to disable it are not present. Even worse, the web interface is not aware that these credentials even exist."
Flashpoint's researchers said they scanned the Internet on Oct. 6 for systems that showed signs of running the vulnerable hardware, and found more than 515,000 of them were vulnerable to the flaws they discovered.
While electronics company Xiongmai denies that the majority of the attack came from its devices, and has even threatened legal action against various publications for tarnishing the company's reputation, the electronics firm has vowed to recall affected devices.
"The company confirmed that it will recall some of its older products sold in the US made before April 2015 in an effort to improve its password functionality."
Unfortunately, while there are many current suggestions and strategies to resolve this issue, ranging from ISP detection and customer notification to a defensive counter-hack of infected devices, no clear long-term strategy exists.
What should you do if you believe your device is infected or vulnerable? While the following steps do not guarantee complete safety from the Mirai or other botnet infections, they are basic security steps that should be applied when using any network-connected devices:
Tech-Support Scammers Targeting a Younger Generation
At one point or another, most of us have received an unsolicited call by someone claiming to be from "tech support," informing us that they have detected a virus on our PC. While their delivery and tactics vary, their end goal is usually the same:
A recent Spiceworks report on the 2016 state of IT says that nearly 60% of IT pros surveyed don't expect their IT staff to increase in 2016.
In addition, the report states that despite rising average annual company revenue, IT budgets remain relatively flat. So in turn, IT departments will be tasked with doing more with less. This IT crossroads between fewer resources and growing demands is a perfect avenue for C-Suite leaders to bring in managed resources.
By utilizing one of our managed service offerings, we are able to provide our clients with access to certified engineers and software developers for a fraction of the cost of hiring full-time employees.
For example, we recently provided a managed solution that offered 24/7 support for a client's call center sites, LAN, WAN and security infrastructure. It also gave the client access to our security, networking, and application engineers for a fixed monthly cost with guaranteed SLAs. By outsourcing these resource-intensive pieces of their security, networking, and specific applications, the client was able to lower costs and capitalize on the skilled expertise of our professional services teams, without the cost or extended timeline involved with hiring each specialized resource individually.
In addition, we also created a Private Cloud Solution for a client in the healthcare field, which allowed them to expand their physician care network quickly while reducing the IT organization's workload and cutting infrastructure costs. The technologies utilized enabled scalability with a high level of dedicated support for the practitioners and office staff, and were also HIPAA and PCI compliant.
What IT needs are you finding squeezed? Contact us for information on how our solutions can help -- 877-319-3051.
It's no secret that mobile apps are the fastest growing segment of software development. Our custom application development team is experiencing a measurable uptick in requests for mobile apps designed to help businesses increase productivity by keeping employees connected across all devices.
The mobile app development space is also evolving quickly. One of the latest announcements came from Microsoft, who is continuing to deepen its developer resources through the acquisition of leading platform provider Xamarin.
The February 24th announcement describes the acquisition this way,
"In conjunction with Visual Studio, Xamarin provides a rich mobile development offering that enables developers to build mobile apps using C# and deliver fully native mobile app experiences to all major devices – including iOS, Android, and Windows. Xamarin's approach enables developers to take advantage of the productivity and power of .NET to build mobile apps, and to use C# to write to the full set of native APIs and mobile capabilities provided by each device platform. This enables developers to easily share common app code across their iOS, Android and Windows apps while still delivering fully native experiences for each of the platforms. Xamarin's unique solution has fueled amazing growth for more than four years."
"Through Xamarin Test Cloud, all types of mobile developers (C#, Objective-C, Java and hybrid app builders) can also test and improve the quality of apps using thousands of cloud-hosted phones and devices."
What does this mean for your business? With Xamarin integrated natively into the Microsoft stack, our development team can build and test native apps more efficiently and effectively than ever before. That translates to more robust options for you.
Toll Free: 877-319-3051