Hello All. Well, it was only a matter of time before the 7-year-old Samba remote code execution vulnerability bubbled to the surface, given the craziness with WannaCry. For those of you who do not know what Samba is, it is an open-source software package that provides file and print services to SMB/CIFS clients.
This flaw, tracked as CVE-2017-7494, is exploitable when a vulnerable host exposes TCP/445 to the Internet, has a share configured with write access, and uses a known or guessable server path for that share. When those requirements are met, a remote attacker could potentially upload code of their choosing and cause the server to execute it, possibly with root privileges, depending on the vulnerable platform.
As per Ars, “When the Windows vulnerability was first disclosed in April, many security experts assumed it would be hard to exploit because few computers would expose file- and print-sharing capabilities on the Internet. The rapid spread of WCry quickly dashed those assumptions. Dan Tentler, founder of security firm Phobos Group, told Ars that more than 477,000 Samba-enabled computers exposed port 445, although it wasn’t clear how many of them were running a vulnerable version of the utility. Tentler cited figures returned by the Shodan computer search engine.
There are also clear differences between the Windows and Samba vulnerabilities. For starters, Samba isn’t as widely used as Microsoft’s implementation of SMB. Another key difference is the absence of any equivalent to “DoublePulsar,” the advanced weaponized backdoor developed by the National Security Agency and leaked by a mysterious group calling itself the Shadow Brokers. DoublePulsar made capitalizing on the Windows flaw easy for WCry.”
Rapid7 has an exploit available for Metasploit and has also provided some good stats – https://community.rapid7.com/community/infosec/blog/2017/05/25/patching-cve-2017-7494-in-samba-it-s-the-circle-of-life
Heads on a swivel everyone….heads on a swivel.
Hello All. More nasty ransomware has reared its ugly head. This time, the worst to date, sending organizations into turmoil around the globe. As CNN reported in their headline, “WannaCrypt ransomware attack should make us wanna cry”. On Friday, May 12, 2017, this well-coordinated ransomware attack hit some 74 countries, affecting a large number of organizations globally, including companies, rail operators, universities, hospitals and Internet providers.
As per The Register, “WannaCrypt is installed on vulnerable Windows computers by a worm that spreads across networks by exploiting a vulnerability in Microsoft’s SMB file-sharing services. It specifically abuses a bug designated MS17-010 that Redmond patched in March for modern versions of Windows, and today for legacy versions – all remaining un-patched systems are therefore vulnerable and can be attacked. This bug was, once upon a time, exploited by the NSA to hijack and spy on its targets. Its internal tool to do this, codenamed Eternalblue, was stolen from the agency, and leaked online in April – putting this US government cyber-weapon into the hands of any willing miscreant. Almost immediately, it was used to hijack thousands of machines on the internet. Now someone has taken that tool and strapped it to ransomware: the result is a variant of WannaCrypt, which spreads via SMB and, after landing on a computer, encrypts as many files as it can find. It charges $300 or $600 in Bitcoin to restore the documents. It is adept at bringing offices and homes to a halt by locking away their data. And it installs Doublepulsar, a backdoor that allows the machine to be remotely controlled. That’s another stolen NSA tool leaked alongside Eternalblue. The malware is also controlled via the anonymizing Tor network by connecting to hidden services to receive further commands from its masters.”
As noted, Microsoft has released the bulletin MS17-010 (https://technet.microsoft.com/en-us/library/security/ms17-010.aspx) and suggests disabling SMBv1 to avoid potential spread of the malware. Microsoft has also released a patch to combat the SMBv1 vulnerability – https://support.microsoft.com/en-us/help/4013389/title. My suggestion: if your plan is to disable SMBv1, be totally sure of what in your environment may be relying on this protocol (e.g. authentication) as you may break something by taking this route.
Cisco’s Talos team has done a great job breaking down the components of this malware – http://blog.talosintelligence.com/2017/05/wannacry.html – as has Forcepoint Labs – https://blogs.forcepoint.com/security-labs/wannacry-ransomware-worm-targets-unpatched-systems
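One way to find out what still depends on SMBv1 before you pull the plug, as an added example that is not from the original post or from Microsoft: it reads the server-side SMB configuration, checks for the MS17-010 patch referenced above, lists live sessions negotiated at an SMB1 dialect, and turns on SMB1 access auditing so stragglers show up in the event log over the following days. It assumes Windows 8 / Server 2012 or later with the SmbShare module and an elevated PowerShell session; the auditing cmdlet parameter and Event ID 3000 need Windows 10 / Server 2016 or later.

```powershell
# Added example (not from the original post): inventory SMBv1 dependencies before disabling it.
# Assumes Windows 8 / Server 2012 or later (SmbShare module) and an elevated session.
# Read-only except for enabling auditing; the actual disable step is left commented out.

# 1. Is the SMBv1 server component still enabled on this host?
$cfg = Get-SmbServerConfiguration
"SMB1 server protocol enabled : $($cfg.EnableSMB1Protocol)"
"SMB1 access auditing enabled : $($cfg.AuditSmb1Access)"

# 2. Is the MS17-010 update (KB4013389) installed? Later cumulative updates supersede it,
#    so an empty result means "check Windows Update", not proof that the host is exposed.
$kb = Get-HotFix -Id KB4013389 -ErrorAction SilentlyContinue
"KB4013389 present            : $([bool]$kb)"

# 3. Which clients are talking SMBv1 to this server right now?
#    Assumption: Get-SmbSession reports the negotiated dialect as a version string,
#    and anything below 2.0 is an SMB1 session.
$smb1Sessions = Get-SmbSession | Where-Object { [version]$_.Dialect -lt [version]'2.0' }
if ($smb1Sessions) {
    "Clients currently using SMBv1 (review these before disabling):"
    $smb1Sessions | Select-Object ClientComputerName, ClientUserName, Dialect | Format-Table -AutoSize
} else {
    "No active SMBv1 sessions observed at this moment."
}

# 4. Enable SMB1 access auditing so that, over the next days or weeks, every SMBv1 client
#    that connects is logged as Event ID 3000 in the SMBServer/Audit channel.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

# 5. Review what the audit channel has collected so far (empty until clients connect).
Get-WinEvent -LogName 'Microsoft-Windows-SMBServer/Audit' -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 3000 } |
    Select-Object TimeCreated, Message -First 20

# 6. Only once steps 3 and 5 keep coming back empty: disable SMBv1 on the server side.
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
```

Run it on each file server and domain controller, leave auditing on for a full business cycle (month-end jobs included), and only then uncomment step 6.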
Hello All. It is a very sad day for the information security community. Howard Schmidt, information security pioneer, passed away after a long battle with cancer on Thursday, March 2, 2017. I had the privilege of calling Howard a friend and was very honored to have known him. He was always full of great stories about all his past endeavors and was always there to lend a hand when needed. He will truly be missed.
CSO Magazine summed it up perfectly, “He advised both President Barack Obama and George W. Bush on cybersecurity. He was a CSO at Microsoft and a CISO at eBay. He led several industry groups, and wrote books on cybersecurity. But when security professionals remember him, it is not so much for his technical accomplishments as for the impact he had on the people around him. He is remembered as a mentor, a communicator, and an educator.”
Even with all his impressive roles and how well-known he was in the industry, Howard was always there to mentor the community – on the numerous occasions when I was running industry events, he would always make himself available to speak.
My heart goes out to Howard’s wife, Raemarie and his family including his grandchildren that he often spoke of – we will be thinking about you during this difficult time.
Hello All. I wanted to share this really inspiring 14-minute TEDx talk from TEDxUniversityofNevada delivered by former Navy SEAL Jocko Willink. It is about taking ownership of everything in your life and pushing on as a leader. It was told using the example of his experiences fighting in Ramadi, Iraq, where he served as commander of SEAL Team Three’s Task Unit Bruiser. This is so very inspiring and a great life lesson for everyone. It is a great message to teach our kids. Jocko Willink’s Twitter page can be found at https://twitter.com/jockowillink.
Hello All. I have just been informed that I will be presenting at this year’s ISACA North America CACS 2017, being held from May 1-3, 2017 at the Cosmopolitan in Las Vegas. I will be presenting a session on the use of honeypots to improve detection of lateral movement on internal networks. Hope to see you there. More information on the event can be found on their website – https://www.isaca.org/ecommerce/Pages/north-america-cacs.aspx