Protecting against CryptoLocker inside your network

Forums › IT Pro and developers › Protecting against CryptoLocker inside your network

1 | 2 | 3

5288 posts

Uber Geek
+1 received by user: 2159

#1518178 23-Mar-2016 09:40

bjorn:

The end user isn't opening files from the internet; these are legitimate web searches that end in a user clicking on a compromised website and the malware executing in the background without the user having to do anything.

Really? Then isn't this a severity 1 security hole in the web browser?

How such a major security hole can be unfixed for so long?

It is almost as bad as the worm that was going around in 2004'ish -- you only needed to be connected to the internet to be infected.

gzt

18684 posts

Uber Geek
+1 received by user: 7824

Lifetime subscriber

#1518182 23-Mar-2016 09:43

Could be Adobe Flash is not updated.

Also ad blocking may be another way to close that one.

networkn

Networkn
32864 posts

Uber Geek
+1 received by user: 15454

ID Verified

Trusted

Lifetime subscriber

#1518183 23-Mar-2016 09:43

freitasm:

What endpoint protection are you using?

It won't matter to be honest. We have quite a variety, of up to date products across our sites, pretty much all of them have been breached at one point or another. AV is pretty much useless at this point in our experience.

The only policies which have worked are Group Policies preventing apps from executing in temp directories, but they soon worked that out, and now extract into folders off the root, or in unrestricted folders.

User Vigilance is pretty much the best weapon. We are making more use of gateway protection products that block or quarantine or digest attachments.

We have spent a LOT of time educating the users we look after about attachments in emails and links on websites, and how to detect spoofing attacks.

Ultimately however, your last line of defense is Backups.

wasabi2k

2102 posts

Uber Geek
+1 received by user: 860

#1518221 23-Mar-2016 09:59

We are currently going through this now.

We have found that old versions of flash (n-1) have been responsible for the last 3 infections. This is a major change as previously it was email attachments (AusPost etc). It requires 0 user interaction and to be perfectly honest I would have been hit in the same way as the last user was. Perfectly legit looking site - invisible flash file - pulls down dropper.

We are using McAfee (VSE 8.8) and their recommended access protection rules to prevent execution from dodgy locations. We are also implementing TIE (reputation based stuff with some clever heuristics).

Signature based AV will do absolutely nothing against the 0 day crypto stuff that is coming out daily.

First step is figure out how the initial malware drop is happening:

Flash - check you are absolutely up to date and you are updating as soon as new versions come out.

Adobe Reader - the same

Java - unless you require it, remove it. Otherwise same as above

IE/Browsers - enable the protected modes/recommended security settings (after testing any custom apps).

Then you move on to your gateways:

Mail - what scanning is done - what are policies on attachments

Web - Are you at least logging? This helps enormously with diagnosis.

Firewall - can you use a subscription based service to block known bad C & C servers?

In short - there is no easy fix. Just ensure you have backups.

It also helps when a helpful admin doesn't give their standard user account local admin to a file cluster - then get hit by Crypto.

Oblivian

7345 posts

Uber Geek
+1 received by user: 2117

ID Verified

#1518222 23-Mar-2016 10:05

bjorn:

nathan: Have you discovered which vuln this is using to get to your PCs

Seems it's either a browser vuln or maybe more likely a vulnerable plugin

After further trawling through logs it's looking like a flash vuln. More specifically compromised flash advertising.

This. Good ol drive-by malware.

The last 4 experiences we have been pulled into have been people browsing during a break (or not) and an advert presented on the page that has been compromised. Its the very same reason Firefox and Chrome dropped NAPI flash support until flash fixed it. They've enabled it again but those using IE and old flash are still the highest risk.

Dynamic

4015 posts

Uber Geek
+1 received by user: 1852

ID Verified

Trusted

Lifetime subscriber

#1518227 23-Mar-2016 10:12

wasabi2k: It also helps when a helpful admin doesn't give their standard user account local admin to a file cluster - then get hit by Crypto.

I'll wager someone's little brown starfish caved in when they realised this. How long did that cleanup take? Just restoring that volume of data may have been a mission (unless you were lucky enough or have the equipment to have been able to roll back to a recent snapshot).

“Don't believe anything you read on the net. Except this. Well, including this, I suppose.” Douglas Adams

Samsung

Shop now on Samsung phones, tablets, TVs and more (affiliate link).

gzt

18684 posts

Uber Geek
+1 received by user: 7824

Lifetime subscriber

#1518234 23-Mar-2016 10:37

Oblivian: Its the very same reason Firefox and Chrome dropped NAPI flash support until flash fixed it. They've enabled it again but those using IE and old flash are still the highest risk.

Chrome dropped NPAPI forever some time ago at v45 forward. It cannot be enabled.

wasabi2k

2102 posts

Uber Geek
+1 received by user: 860

#1518238 23-Mar-2016 10:44

We have VSS running on our file servers with twice daily snapshots so restores weren't too bad.

freitasm

BDFL - Memuneh
80652 posts

Uber Geek
+1 received by user: 41045

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1518239 23-Mar-2016 10:44

surfisup1000:

bjorn:

The end user isn't opening files from the internet; these are legitimate web searches that end in a user clicking on a compromised website and the malware executing in the background without the user having to do anything.

Really? Then isn't this a severity 1 security hole in the web browser?

How such a major security hole can be unfixed for so long?

It is almost as bad as the worm that was going around in 2004'ish -- you only needed to be connected to the internet to be infected.

Drive-by malware has been around for years. Vulnerabilities have also been around for years - one is fixed another one shows up. Some are not even in the browser - the usual culprits are Java applets and Flash.

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

surfisup1000

5288 posts

Uber Geek
+1 received by user: 2159

#1518277 23-Mar-2016 11:11

freitasm:

Drive-by malware has been around for years. Vulnerabilities have also been around for years - one is fixed another one shows up. Some are not even in the browser - the usual culprits are Java applets and Flash.

True but usually if you have the latest updates you were ok.

In the past, generally the worst exploits require you to open a file (assuming one is applying OS updates).

The OP seems to be saying it has recently become difficult to protect against this cryptolocker software. Just opening a webpage can infect your computer, even with latest patches installed.

And, I think java applets have been disabled in most browsers anyway....the last time i tried to use the Mount wavecam website i got java security errors and it was not a trivial process to disable them.

So, this leaves flash -- which is on the way out too so surely you could just disable flash completely.

Dynamic

4015 posts

Uber Geek
+1 received by user: 1852

ID Verified

Trusted

Lifetime subscriber

#1518278 23-Mar-2016 11:11

wasabi2k:

We have VSS running on our file servers with twice daily snapshots so restores weren't too bad.

I would have thought the volume of data changed might exceed the % disk space allocated to VSS snapshots. Just my musings.

We've generally had no issues restoring shares from backup. Just an annoyance for the client to lose X amount of work.

We have had a (very casual) client infect their server from the console in the past. They had not been managing their own backups properly and the best available backup was 2 weeks old. Unsurprisingly they agreed to let us manage their server and backups after that.

“Don't believe anything you read on the net. Except this. Well, including this, I suppose.” Douglas Adams

Dyson

Shop now for Dyson appliances (affiliate link).

1101

3141 posts

Uber Geek
+1 received by user: 1143

#1518287 23-Mar-2016 11:19

lNomNoml:

Decent Anti-virus: ESET Endpoint

Will...not...help...in..the..real..world (cypto can past it , somehow, has happened on 2 companies I know of )
Also , zero day or new variants will get past any AV

Install Ghostery browser addon, set it to Block everything . Not perfect solution, but its a start . It can be disabled on certain websites if need be.
https://www.ghostery.com/try-us/download-browser-extension/

quote
"Each time the user has been searching something in Google, clicked on a search result and been infected."

I have to ask, just what were they searching for. Are they not giving you the complete story of what they were up to
online ? Perhaps they were in their personal webmail & that caused the issues ? Do you have any firewall logs to check where they have been online ?
I do google searches every day, but have yet to have this sort of issue. In fact, even when Ive been to some dodgy/suspect sites at home
I still dont have issues .

networkn

Networkn
32864 posts

Uber Geek
+1 received by user: 15454

ID Verified

Trusted

Lifetime subscriber

#1518328 23-Mar-2016 12:07

We also have seen 4 instances of ESET not catching crypolocker. Symantec which was on one of the sites we don't actively manage caught cryptolocker. It was a 4 year old version of endpoint security with 1 year old defintions. Customer got cryptolocker because he "wanted" the file and turned off the AV so he could have it! Didn't identify it by name, but said it was dangerous and blocked it.

networkn

Networkn
32864 posts

Uber Geek
+1 received by user: 15454

ID Verified

Trusted

Lifetime subscriber

#1518329 23-Mar-2016 12:08

Also AV protection on Sonicwalls have multiple times allowed zero day exploits (Not crypto) in.

wasabi2k

2102 posts

Uber Geek
+1 received by user: 860

#1518348 23-Mar-2016 12:27

Dynamic:

wasabi2k:

We have VSS running on our file servers with twice daily snapshots so restores weren't too bad.

I would have thought the volume of data changed might exceed the % disk space allocated to VSS snapshots. Just my musings.

We have dedicated VSS drives for each data drive. Obviously then we have regular backups with offsite Tape etc behind it.

Regarding infection via browser - I can almost guarantee it is flash. The last flash update (20->21) addressed 23 critical vulnerabilities.

Unless you have something like Flashblock stopping flash from loading you go from nothing to malware executing with 0 user interaction. It is scary to see in action (which we did with a PC on an isolated network). Suffice to say we are addressing this vector with aggressive update policies and locking down IE.

With regards to ESET/Sonicwall/Random vendor not catching it - the vast majority of these threats are variants that are being released daily or more often. Anything that uses signature based recognition (almost all traditional AV) will not catch them when they are out there. The standard timeframe for McAfee is:

1. We find a new threat when it starts breaking stuff

2. Submit malware to McAfee

3. New DAT or EXTRA.DAT released (3 hours - 3 days)

4. Server Repository pulls new DAT (0-1 days later)

5. Endpoints pull new definitions (0-1 days later)

By which time there are already another 65 new variants. The only way to catch this stuff is advanced heuristics/machine learning/realtime signature checking which is what McAfee claims to deliver with TIE.

1 | 2 | 3