Since early May, the city of Baltimore has struggled to recover IT systems following a ransomware attack that has left many departments unable to function or even send and receive emails.
Citizens have been unable to complete house sales, pay their water bills or receive health alerts. The RobbinHood malware that has attacked the city’s IT infrastructure is based on the EternalBlue exploit. EternalBlue was originally developed by the NSA, was leaked back in 2017 and was quickly adopted by many nation-state actors and cyber-criminals. EternalBlue exploits a defect in the Microsoft SMB server that Microsoft patched back in March 2017. (So dangerous was this remote code execution vulnerability that Microsoft also issued patches to fix the defect in Windows Vista and XP, even though those operating systems had fallen out of support.)
So yes, the city of Baltimore’s IT systems have been brought down by a vulnerability that was fixed in a free Windows Update issued more than two years ago. The cost to the city in lost and late payments is estimated at $18 million (so far).
Almost two months passed between the release of fixes for the EternalBlue vulnerability and when ransomware attacks began. Despite having nearly 60 days to patch their systems, according to Microsoft many customers had not. And to this day, many still have not patched their systems.
On 14 May 2019 Microsoft released a patch for another critical Remote Code Execution vulnerability, this time in Remote Desktop Services: CVE-2019-0708.
This vulnerability is so powerful that, in a proof-of-concept video recently released, it takes just 20 seconds to obtain the hashed passwords of other Windows systems attached to the same network.
Microsoft stated in a blog post:
Microsoft is confident that an exploit exists for this vulnerability, and if recent reports are accurate, nearly one million computers connected directly to the internet are still vulnerable to CVE-2019-0708. Many more within corporate networks may also be vulnerable. It only takes one vulnerable computer connected to the internet to provide a potential gateway into these corporate networks, where advanced malware could spread, infecting computers across the enterprise. This scenario could be even worse for those who have not kept their internal systems updated with the latest fixes, as any future malware may also attempt further exploitation of vulnerabilities that have already been fixed.
Prompt installation of security patches for both the operating system and applications installed on each computer system is the simplest yet most effective step any organisation can take to improve its cybersecurity. All modern operating systems and most applications now provide the option to automatically install updates. You can read more about security patching and learn how best to approach it in this article.
To the uninitiated, cybersecurity can appear to be a complex and difficult area, and as security professionals we can be tempted to focus on the more interesting (and technical) threats and their mitigation. However, the greatest incremental gains in protecting our networks come from doing the basics. Programs such as Cyber Essentials provide an easy-to-follow framework for any organisation to implement the basic yet essential steps to protect their networks and data.
Another mistake we may be tempted to make is to think that cyber-criminals are all expert hackers with significant resources at their disposal. While this may be true for some nation-state actors and established criminal gangs, recent evidence points out that many would-be cyber-criminals are not very clever or competent at all. They can be kept at bay with basic cyber-security hygiene.
A recent article from one of the researchers at New Sky Security records the rise of online video tutorials that aim to show complete novices how to set up their own botnets in order to attempt credential stuffing or DDoS attacks. The researcher was able to discover and take over several botnets totalling some 25,000 devices because the command and control servers had been set up with weak or default credentials. It’s a bad week indeed when your systems are taken down by a hacker whose own security is so weak that their command and control systems use the login details ‘root/root’. In several cases, non-functional botnets were discovered because the target IP address in the configuration file was still set to: <INSERT-IP-ADDRESS-HERE>
With an increase in ‘off the shelf’ malware and hacking kits available online, complete with video tutorials, it is ever easier for almost anyone to attempt to make a quick buck by attacking your network. For these types of threats, the basics of cybersecurity are all you need to protect your network.
Top tips to protect your network
Install security patches as soon as possible (within a month of release) – turn on automatic updates for the operating system and applications wherever possible.
Check every device directly connected to the internet with automated vulnerability scans each month. This will identify missing security patches and misconfigured systems that are vulnerable.
Segment your network. Use firewalls to separate your network from the Internet and then split your internal network into different zones, so if one zone gets compromised, the rest of the network remains secure. Review your firewall rules regularly and use a Default Block All Traffic approach and then only allow specific traffic through when you understand what it is and where it is going.
Validate your network security with network penetration testing at least once per year – using real life humans to try to get into your network and then explain to you how they did it and how to fix any vulnerabilities.
Follow an existing standard, such as Cyber Essentials , rather than inventing your own security strategy.
Turn on Windows Defender (or your chosen anti-malware tool) and ensure it is allowed to keep itself up to date on all systems on your network.
Do not share login details – ensure everyone has their own login. For those who need Administrator privileges, give them two logins – one with and one without admin rights – and train them to only use the admin login when needed and then revert to the standard login as soon as possible.
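The first two tips above (patch within a month of release; scan internet-facing devices monthly for missing patches) amount to a repeatable check: for each host, which required fixes are missing, how far past the 30-day patching window each one is, and whether the vulnerable service is exposed to the internet. The following script is an added example and not code from the original article or from any vendor; it runs that check over a small constructed inventory. The host names, open ports and installed-fix lists are invented sample data, the fix names are labels chosen here, and the 14 March 2017 date for the EternalBlue SMB fix is an assumption (the article only says March 2017). The CVE-2019-0708 fix date is the 14 May 2019 release the article cites. In a real environment the inventory would come from your vulnerability scanner's export rather than being hard-coded.

```python
from dataclasses import dataclass
from datetime import date

# Tip 1: patches are expected to be installed within a month of release.
PATCH_SLA_DAYS = 30

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


@dataclass(frozen=True)
class Fix:
    name: str        # label used in this example, not an official KB/bulletin id
    released: date   # release date of the fix
    port: int        # TCP port of the service the fix protects


# Fix names are labels for this example; the EternalBlue date is an assumption.
REQUIRED_FIXES = [
    Fix("EternalBlue SMB fix", date(2017, 3, 14), 445),
    Fix("CVE-2019-0708 RDS fix", date(2019, 5, 14), 3389),
]


@dataclass(frozen=True)
class Host:
    name: str
    internet_facing: bool
    open_ports: frozenset
    installed_fixes: frozenset


@dataclass(frozen=True)
class Finding:
    host: str
    fix: str
    severity: str
    days_overdue: int     # days beyond the 30-day window; 0 if still inside it
    service_exposed: bool


def assess_host(host: Host, fixes, today: date):
    """Return one Finding per required fix that is missing on the host."""
    findings = []
    for fix in fixes:
        if fix.name in host.installed_fixes:
            continue
        overdue = max(0, (today - fix.released).days - PATCH_SLA_DAYS)
        exposed = fix.port in host.open_ports
        # A missing fix on a service reachable from the internet is the
        # "one vulnerable computer" gateway the Microsoft post warns about.
        if exposed and host.internet_facing:
            severity = "critical"
        elif exposed:
            severity = "high"
        else:
            severity = "medium"
        findings.append(Finding(host.name, fix.name, severity, overdue, exposed))
    return findings


def audit(hosts, today: date, fixes=REQUIRED_FIXES):
    """Audit every host; most urgent findings (and longest overdue) first."""
    findings = [f for h in hosts for f in assess_host(h, fixes, today)]
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], -f.days_overdue))
    return findings


# Constructed sample inventory (not real hosts).
SAMPLE_HOSTS = [
    Host("dmz-rdp-01", True, frozenset({3389}), frozenset({"EternalBlue SMB fix"})),
    Host("file-srv-02", False, frozenset({445}), frozenset()),
    Host("ws-003", False, frozenset(), frozenset({"EternalBlue SMB fix", "CVE-2019-0708 RDS fix"})),
]


if __name__ == "__main__":
    for f in audit(SAMPLE_HOSTS, date(2019, 6, 1)):
        print(f"{f.severity:8} {f.host:12} missing {f.fix:24} "
              f"overdue by {f.days_overdue} days, exposed={f.service_exposed}")
```

Run against the sample data on 1 June 2019, the internet-facing RDP host missing the CVE-2019-0708 fix is reported as critical even though the fix is only 18 days old and still inside the 30-day window; the internal file server missing the EternalBlue fix is high and more than two years overdue. Ordering by severity first and age second is deliberate: an exposed, freshly disclosed vulnerability with a known exploit should be patched ahead of an old one on a host nothing can reach.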
“We were very impressed with the service, I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed.”
Aim Ltd Chief Technology Officer (CTO)