Year: 2018

  • Helping Nonprofits and Other Growing Businesses Understand Security Risks

    Helping Nonprofits and Other Growing Businesses Understand Security Risks

    I’m excited that NTEN, the Nonprofit Technology Network with more than 50,000 community members, invited me to be a guest blogger this week.

    It’s important that nonprofits avoid the mindset that leaves so many businesses vulnerable. Specifically, I’m talking about the idea that they are too small or have too little money to be of interest to scammers, hackers, and other cyber criminals. The truth is that the bad guys often don’t discriminate, and you may have something they want more than money.

    For example, if you keep detailed donor records, that personally identifiable information (PII) might be devastating in the wrong hands. A skilled hacker or social engineer can do a lot with names, email addresses, and phone numbers alone. Add in Social Security numbers or bank account information, and you may be sitting on a gold mine for a malicious actor.

    Some of today’s most serious threats are driven by political goals more than financial interests. In many cases, these are well-financed state-sponsored attacks, and your organization may have data that can help them breach a government agency’s security or social engineer their way into a large corporation.

    And forget about hackers leaving you alone because of your mission. After my years in the cybersecurity sector, I’m no longer shocked at how low some of these black hats will go. We’ve seen hospitals and health care organizations, charities, churches, schools, and other do-good groups fall prey.

    The saddest part is knowing that some of these attacks were successful for the very reasons the organizations thought they would never happen. To a hacker, the idea that you’re too small to notice may mean they see you as an easy target, even if you’re only one step toward their larger goal.

    If you’re a nonprofit leader, board member, or even a volunteer, please take a moment to check out the article above. You may find some nuggets that will help you help your organization avoid a breach. And that may be the most important contribution you can make to your favorite cause.

  • Bonnie featured in VoyageATL interview!

    Bonnie featured in VoyageATL interview!

    We’re so very proud to have Bonnie on our team at Raxis.   Check out her VoyageATL Interview!

    Transcript from the Interview, courtesy of VoyageATL:

    “Today we’d like to introduce you to Bonnie Smyre.

    Bonnie, please share your story with us. How did you get to where you are today?

    When I graduated from the University of North Carolina, I wanted to work in international sales. Fast forward a few years and a job at BellSouth International in Midtown and the Southern Center for International Studies in Buckhead led me down an unexpected route. I became interested in technology, specifically databases and computer programming.

    When I found an opportunity to work in both these fields at my alma mater, I returned to UNC and worked at IT departments on campus, at UNC’s School of Government and finally at the state PBS station, UNC-TV. As over fifteen years went by, I kept in touch with friends in the Marietta area where I had grown up.

    Mark Puckett, Raxis’ owner and visionary, and his wife Alison came to see me perform in an improv show up in Carrboro, NC. We started chatting about Raxis, his boutique information security company and needs he had within the company. In less than a year, I had moved back to Marietta and had filled the role of COO as well as becoming one of the penetration testers at Raxis.

    Overall, has it been relatively smooth? If not, what were some of the struggles along the way?

    I believe everyone can look back on times that were a struggle, but I also feel that people who find their way and love what they do appreciate what those times teach them. For me, I’ve had some jobs that were energizing and exciting that later became stagnant and sometimes toxic. I can remember wondering if I could update my resume enough to escape and find something fun.

    But looking back, I’m appreciative of those times because I learned that I won’t settle in my career or in my life and that I don’t want to be a part of an environment that makes others settle either. When Mark asked if I would be interested in running operations at Raxis, my first thoughts were that I would be leaving North Carolina where I had lived for fifteen years as well as leaving software development, a career that I had enjoyed for even longer.

    My second thought was absolute excitement that I had an opportunity to become an integral part of Raxis, and, from that moment I haven’t looked back. I joined Raxis in 2013 part-time and then, in 2014, I moved back to Marietta and joined Raxis full time, taking over scheduling and employee support as well as reporting. Things can get hectic, especially in the fall and towards the holidays when many customers realize that they’d better complete their pen test by the end of the year.

    Juggling penetration testing along with my operations tasks can make my head spin sometimes! Scheduling is very interesting to me. At Raxis, we aim to customize each engagement to meet the customer’s needs as best as possible. I’m working with a limited number of pen testers, and sometimes I have to shut out outside noise and focus on the puzzle pieces until I can make them fall into place.

    In the end, though, I’ve loved every minute since I’ve been at Raxis, even if sometimes it’s in retrospect!

    Please tell us about Raxis.

    I’m very proud to be a part of Raxis. When Mark started the company himself in 2012, he made the sales, ran the business and did the penetration tests himself. Over the next few years, he brought in Raxis’ first employees, including our CTO, Brian Tant, who is amazingly creative both technically and in social engineering engagements. Since I joined in 2014, we’ve brought in several more talented folks, but we still pride ourselves in being small enough to be able to accommodate the needs of all types of customers.

    We focus on information security tests, including network penetration tests as well as web and mobile application tests and code reviews. We also have a lot of fun with social engineering tests, whether onsite or using phishing emails and calls. The goal of all of these tests is to help our customers learn how their companies could be affected by hackers of all types. We always say that it’s better to learn about that in a Raxis report than to learn about it after a hacker has been in your systems.

    Last year we introduced the Raxis Transporter device which allows us to perform onsite work remotely. For many of our customers, the cost savings of not paying for a consultant onsite makes all the difference. Many customers also leave the device in place so that Raxis employees can perform incidence response (IR) work quickly if there is a security event.

    I especially take pride in our process and our reports. As more rules and regulations are created in answer to high profile hacks, increasing numbers of companies are interested in penetration tests. But, even though it’s a positive goal, it’s still going to feel unsettling to invite technical experts in to attempt to break into the systems that are your bread and butter. We pride ourselves in making that process calm and easy on the customer.

    I run project management at Raxis, and I strive to keep all customers informed throughout the process. They know how to reach us, and they also know we’ll let them know if they have critical issues that they should jump on immediately. In the end, though, the customer is left with a report and the knowledge that Raxis is only a phone call away for their next annual test, remediation consulting or incidence response work in the event of an outside hack.

    When we walk away, I want that report to be a tool for our customers to use throughout the year. My wish is that they call us back the next year and that we are unable to exploit any of the previous vulnerabilities because the report was so useful that their teams were able to remediate all of the issues. There are a lot of good information security firms out there, but I’m very proud of the work that we do and feel that we can truthfully say that we are one of the best.

    Is our city a good place to do what you do?

    Atlanta has been great to us. Over the years several tech companies have flourished here.

    We’ve found many customers in Atlanta and the neighboring regions because it’s such a great environment for companies of all sizes. And when we travel to locations all over the US & Canada, we’re lucky enough to have the world’s busiest airport ready to take us there!

    Among Raxis’ customers are a number of Atlanta based Fortune 500 companies. In fact, our CEO, Mark Puckett, and CTO, Brian Tant, met while working at The Home Depot, one of Atlanta’s very own multi-million dollar businesses. Atlanta is such an important hub for the South that we also find several customers within the large group of companies that choose to open regional offices here. We’ve enjoyed working with local companies of all sizes and also pride ourselves in treating smaller companies with the same respect and consideration as larger companies.

    Many of our customers have told us stories of failed past penetration tests where the vendor they hired did not listen to them or take the time to understand their needs. I love that Atlanta prides itself on supporting companies of all sizes flourishing. Some of our most loyal customers are small local companies… but I wouldn’t be surprised if you hear their names in the coming years!

    Raxis employees all work virtually, so we’ve had employees working from offices all over the US. Atlanta is a city filled with talented people, though, and many of Raxis’ employees live right here in Marietta. We’ve never had trouble finding great employees right here at home.

    Though I truly enjoyed my time in North Carolina as well as the locations I see in my job with Raxis, I’m always happy to be back at home in Atlanta. I enjoy living and working here. Atlanta truly is home.”

     

  • Our COO, Bonnie Smyre, Featured on Fox 5 News!

    Our COO, Bonnie Smyre, Featured on Fox 5 News!

    Our Chief Operating Officer, Bonnie Smyre, was interviewed on Fox 5 News in Atlanta in a story regarding a Facebook scam involving Tyler Perry. Essentially, the scammers behind the Facebook sites and accounts are “data mining to get your information”.   If you clicked the Facebook scam link, it’s probably too late to reverse it, but try to avoid it next time – if something seems too good to be true, it almost always is.

    Click here to watch the video on Fox 5 Atlanta’s website

  • Top Five Actions NOT to Take When Your Pentest Results are High Risk

    Top Five Actions NOT to Take When Your Pentest Results are High Risk

    Monday Morning Voicemail:

    Good morning high-powered CSO, this is Brian with Raxis. I sent over a draft of the most recent assessment report as you requested. Just to recap, there were seven critical findings, 5 severe, and a menagerie of others that we can discuss at your convenience.

    You’re the CSO of a major enterprise. You’ve hired us to perform a penetration test, and the results aren’t pretty.  What now?The team at Raxis brings a rich depth of experience in articulating risk to all audiences. We can talk technical with the engineering groups and discuss strategy with C-level executives. It’s how someone deals with adversity that defines them as a leader. We’ve seen leaders emerge from the fire to rise above the fray. We’ve also witnessed the fallout when leadership decisions are made in ignorance or for political expediency.A security assessment is only one step in a process, and its value is largely determined by what happens after we’re out of the fray, so to speak.  So, there you are; you have an unexpectedly thick and verbose penetration test report sitting in your inbox. Here are the 5 worst things you can do, based on what we’ve seen happen in the real world.

    5. Sweep it Under the Rug

    It may be tempting to just quietly file that report away because you think it might tarnish your reputation or because, “that only happens to other companies.” Maybe you would prefer to fix the findings with minimal political overhead. Here’s the problem. The report you received is a bona-fide disclosure of risk. When it landed in your inbox, all level of plausible deniability left the building. If you do anything less than boldly embrace it, and the company is breached, you are going to be in a rough spot with tough questions to answer. By owning the problem, you can own the resolution. Let that be the focus.

    4. Play the “Blame Game”

    It is easy in the world of corporate culture to get bogged down in political maneuvering.  A corporate leadership role requires a certain level of posturing, but there are few things less productive than finger pointing. The fact that you were against rolling out the vulnerable application or platform that was compromised may carry weight in your inner circle of colleagues, but your stockholders only want to know their investment has underlying value and that effective leadership is at the helm. It’s helpful to acknowledge mistakes and learn from them, but keep the emphasis on moving forward.

    3. Cling to Penny Wise and Pound Foolish Remediations

    The findings in the assessment report are not a checklist to be ticked off and call it a day. Yes, of course they should be fixed, but it’s critical to understand that a penetration test is opportunistic. The findings that are presented are probably not the only significant exposure. Look at the bigger story that they tell and formulate remediations at a systemic level. Were all the findings related to applications?  If so, the problem probably is not the applications but more likely with their development and deployment. Yes, fix the symptom, but do not neglect the underlying problems that led to it.

    2. Rain Down Fire and Wrath

    We see this far too often. A phishing email is sent out, and an employee clicks on the link, which then becomes the bridgehead for a compromise. When the report is delivered, specific individuals are identified as the source of the compromise and are promptly fired. That is absolutely the wrong course of action. Look at it this way. Once they understand the ramifications of their action, that person is the most secure person in the company at that moment. It’s likely that they will continue to operate under a heightened level of vigilance and will be the last person to click on a suspicious link in the future. Replacing them with someone who has not learned that lesson, simply presses the reset button for future phishing attacks. Help them understand the attack and how their actions contributed, and they may become a power advocate among their peers for better security.

    1. Silo Solutions

    Would a capable attacker limit themselves to a single application, network, or technology?   The answer, of course, is that they would not. Lateral movement is a huge component of privilege escalation.  It’s important to scrutinize specific elements of any environment. We conduct assessments regularly against a single application or system, but what we always try to underscore is that rarely are attacks vertical. Rather, the attack chain tends to zigzag across technologies and business units within an organization. Just because you tested and remediated a specific web application does not mean that the app no longer presents a risk. It means that the direct exposure created by the app has been mitigated. Maybe there is another vulnerable application running on the same server that can be used as a point of compromise?The point is that attackers do not silo their efforts, so don’t silo your defenses.

    Your Decisions Make the Difference

    Fortunately, these observations are more the exceptions than the rule, but they do happen. And they happen in surprising large and mature organizations. Most of these mistakes can be attributed to a knee-jerk moment of self-preservation. When our lizard brain steps in, sometimes we don’t make the best decisions for our career.The best way to avoid these pitfalls is to never put yourself in that situation in the first place. Yes, some pentests are horrific. In leadership, it’s not how you fall.  It’s how you rise above.

    A security assessment is not a chance for someone to make you look bad. It’s a learning exercise. Embrace it and use it for a platform from which to build positive change..

    Raxis CTO, Brian Tant
  • Goodies for Hoodies: TCP Timestamps

    Goodies for Hoodies: TCP Timestamps

    The Picts were a tribal culture in northern Scotland that history has relegated to the realm of myth and enigmatic legend. Largely forgotten, the Picts fought off the military superiority of Rome’s army and built a sophisticated civilization on the whole before disappearing from history. These were a people dismissed by the advanced thinkers of the day as unimportant and trivial in their capabilities, only to rise up unexpectedly to great effect. What does this have to do with Security? Nothing really, unless your data center is staffed by Roman centurions on horseback. If that’s you, then I am ripe with envy. But all levity aside, so it was with the Picts, it is today with the humble and unassuming TCP Timestamp.

    What is a TCP Timestamp?

    If you’ve ever run a vulnerability scan, you’ve probably seen a low or informational severity finding associated with TCP Timestamp responses. The recommendation is always to disable them, but rarely is any background information provided. What are those little timestamps doing there and who really cares anyway? Like the Picts, much lies below the surface, and we dismiss them at our peril. Before we can get into the ramifications of this misunderstood protocol option, we must understand the mechanics behind TCP Timestamps, and what they actually are. The basis of TCP is that it is a stateful, reliable means of sending and receiving IP packets. In order for reliable communications to take place, there must be bidirectional communication between the sending and receiving nodes so that, in basic terms, the sender can know that the target system received the communication correctly, and the receiving node has confidence that the message it received was correct. To such ends, TCP communications are session-based, and the two nodes employ features in the protocol as a framework to manage the reliability of communications. This involves things like resets, syn-acks, re-transmissions, and the like, that you’ve probably seen in any number of network captures. TCP was designed to communicate reliably over any transmission medium at any speed; it provides the same level of communications integrity over dial up as it does on a LAN.

    It is important to understand that TCP was originally designed to overcome the challenges of unreliable communication channels. Not much thought was given to excessively reliable and fast communications.

    It seems counter intuitive, but, because TCP is synchronous and keeps track of packets, it can break down over high bandwidth connections. It sounds crazy, I know, but let’s look at how this might happen.

    Grab your pocket protector here, folks. We have to get a little nerdy.

    If you asked President Trump about packet loss on TCP communications, he might respond, “It’s bad, very, very, very bad.” And he would be correct. But packet loss does occur for any number of reasons, and TCP maintains reliability by using selective acknowledgments to tell the sending node what TCP segments are queued on the receiving node and what segments it is still waiting for. These segments are, like anything else in network communications, numbered in finite sequence numbers. This value occupies a 32 bit space and exists within the confines of a Maximum Segment Lifetime (MSL), which is enforced at the IP level by something we’re more familiar with, the Time to Live (TTL). This MSL is usually adjusted based on the transfer rate so that faster speeds have smaller MSLs. This works pretty well until we introduce things like fiber optics. The bandwidth on a fiber connection can be so high that a TCP session can exhaust all of its sequence numbers and still have segments queued up in the same connection, leading to sequence number reuse, aka TCP Wrapping. This causes problems.

    In short, as things get faster, it becomes more error prone to use timeout intervals to manage reliability.

    The number of sequence numbers can not exceed the 32 bit value of 4,294,967,295 so as transmission speed increases, the MSL values must get shorter to compensate. With enough bandwidth, they can shrink to the point that they are no longer able to provide message integrity. If only there was a way to identify whether packets were dropped based on actual timing rather than a sequence number, but how?

    Behold the mighty TCP Timestamp!

    TCP Timestamps are an important component of reliable high speed communications because they keep TCP from stumbling over its own sequence numbers!Officially, this benefit is referred to adoringly as “PAWS” or Protection Against Wrapped Sequence Numbers. PAWS operates within the confines of a single TCP connection under the assumption that the TCP timestamp value increases predictably over time. If a segment is received with an older timestamp than one that was expected, it’s discarded. In doing so, PAWS protects against sequence numbers being reused in the same connection. It’s worth pointing out that there are a lot of weird exceptions and math around how that actually takes place, but for purposes of a blog post, we’ll steer clear of that rabbit hole. It should be clear at this point that TCP Timestamps serve a purpose in network communications, and that disabling them as a standard practice is a perilous endeavor.

    Still awake? Good! Now we can talk about security!

    Strictly speaking, TCP Timestamps are no more a security risk than the TCP protocol itself. Why then are they subject to all the bad press and mob calls for their disablement? The security concerns arise with the underlying mechanisms that are used to populate the values within the timestamp option itself. As the name suggests, the timestamp makes use of a virtual “timestamp clock” in the sender’s operating system. This clock must approximate real time measurements in order to remain compatible with other RTT measurements. There is no requirement for the timestamp clock to match the system clock, but it often maps to it for ease of design. After all, why make a new clock if you can just use the existing clock to derive values to be presented as those belonging to the new clock?

    This leads to the one thing for which we hackers profess a deep and undying love for, unintended and predictable behavior. Am I right?

    By measuring multiple timestamp replies, we can determine what the clock frequency is of the target system. The clock frequency is how many “ticks” the timestamp clock increments per unit of real time. For example, if we measure 5 timestamp replies each 1 second apart, and each timestamp value increases by 100 with each reply, we can infer that the clock increments 100 ticks for every second of real time processed by the system clock.Since most (not all!!) clocks start at 0, we can compute the approximate uptime of the system. Using the above example, if the timestamp value is 60000, we know that each 100 ticks of that value equate to one second of real time. We can assume that 600 seconds have elapsed since the clock was started. In laymen’s terms, the system was rebooted 10 minutes ago. We’re using small whole numbers here for purposes of illustration, but you get the idea.

    In the real world, accurately fingerprinting the system will help with establishing timestamp validity, since clock specifications are documented.

    System uptime by itself is an arbitrary value and doesn’t give away much on it’s own. But consider that patch cycles almost always include mandatory reboots. By surveying these values over time, one might be able to determine patching intervals by correlating reboot times across systems. What if you surveyed the same IP address multiple times and received different but consistently disparate values in the timestamp responses? That might allow you to identify systems that are behind a NAT or a load balancer, and may even allow you to draw conclusions about the load balancing configuration itself. Suppose you were testing a customer for susceptibility to DOS attacks. You may be able to use timestamps to determine with certainty whether the target system was knocked over, or whether you were just shunned by the IPS.

    TCP Timestamps grant the hacker insight into a given system’s operational state, and how we use that information is limited only by our imagination.

    But to dismiss their presence as a low severity security finding just to be remediated is inappropriate, and it may do more harm than good. When to use TCP timestamps should be determined by operational requirements, not by blanket assumptions of their importance. Are you listening, vulnerability scanners?So next time you find yourself knee deep in informational findings from a vulnerability scan, put your ear close to a network cable. It’s possible you may hear the faint battle cry of a forgotten hero. Want to keep reading? Learn the difference between vulnerability scans and penetration tests, more about Vulnerability Management, and how a penetration test can help you understand which risks are most relevant to your network.

  • IKE VPNs Supporting Aggressive Mode

    IKE VPNs Supporting Aggressive Mode

    In Raxis penetration tests, we often discover IKE VPNs that allow Aggressive Mode handshakes, even though this vulnerability was identified more than 16 years ago in 2002. In this post we’ll look at why Aggressive Mode continues to be a vulnerability, how it can be exploited, and how network administrators can mitigate this risk to protect their networks and remediate this finding on their penetration tests.

    What is an IKE VPN?

    Before we get into the security details, here are a few definitions:

    • Virtual Private Network (VPN) is a network used to securely connect remote users to a private, internal network.
    • Internet Protocol Security (IPSec) is a standard protocol used for VPN security.
    • Security Association (SA) is a security policy between entities to define communication. This relationship between the entities is represented by a key.
    • Internet Key Exchange (IKE) is an automatic process that negotiates an agreed IPSec Security Association between a remote user and a VPN.

    The IKE protocol ensures security for SA communication without the pre-configuration that would otherwise be required. This protocol used by a majority of VPNs including those manufactured by Cisco, Microsoft, Palo Alto, SonicWALL, WatchGuard, and Juniper. The IKE negotiation usually runs on UDP port 500 and can be detected by vulnerability scans.There are two versions of the IKE protocol:

    • IKEv2 was introduced in 2005 and can only be used with route-based VPNs.
    • IKEv1 was introduced in 1998 and continues to be used in situations where IKEv2 would not be feasible.
    Pre-Shared Keys (PSK)

    Many IKE VPNs use a pre-shared key (PSK) for authentication. The same PSK must be configured on every IPSec peer. The peers authenticate by computing and sending a keyed hash of data that includes the PSK. When the receiving peer (the VPN) is able to create the same hash independently using the PSK it has, confirming that the initiator (the client) has the same PSK, it authenticates the initiating peer.

    While PSKs are easy to configure, every peer must have the same PSK, weakening security.

    VPNs often offer other options that increase security but also increase the difficulty of client configuration.

    • RSA signatures are more secure because they use a Certificate Authority (CA) to generate a unique digital certificate. These certificates are used much like PSKs, but the peers’ RSA signatures are unique.
    • RSA encryption uses public and private keys on all peers so that each side of the transaction can deny the exchange if the encryption does not match.

    Cisco goes into details on these options in their VPN and VPN Technologies article

    Aggressive Mode vs. Main Mode

    In this post, we are discussing the first phase of IKEv1 transmissions. IKEv1 has two phases:

    1. Establish a secure communications channel. This is initiated by the client, and the VPN responds to the method the client requested based on the methods its configuration allows.
    2. Use the previously established channel to encrypt and transport data. All communication at this point is expected to be secure based on the authentication that occurred in the first phase. This phase is referred to as Quick Mode.

    There are two methods of key exchange available for use in the first IKEv1 phase:

    1. Main Mode uses a six-way handshake where parameters are exchanged in multiple rounds with encrypted authentication information.
    2. Aggressive Mode uses a three-way handshake where the VPN sends the hashed PSK to the client in a single unencrypted message. This is the method usually used for remote access VPNs or in situations where both peers have dynamic external IP addresses.

    The vulnerability we discuss in this article applies to weaknesses in Aggressive Mode. While Aggressive Mode is faster than Main Mode, it is less secure because it reveals the unencrypted authentication hash (the PSK). Aggressive Mode is used more often because Main Mode has the added complexity of requiring clients connecting to the VPN to have static IP addresses or to have certificates installed. 

    Exploiting Aggressive Mode
    ike-scan in Kali Linux

    Raxis considers Aggressive Mode a moderate risk finding, as it would take a great deal of effort to exploit the vulnerability to the point of gaining internal network access. However, exploitation has been proven possible in published examples. The NIST listing for CVE-2002-1623 describes the vulnerability in detail.A useful tool when testing for IKE Aggressive Mode vulnerabilities is ike-scan, a command-line tool developed by Roy Hills for discovering, fingerprinting, and testing IPSec VPN systems. When setting up an IKE VPN, ike-scan is a great tool to use to verify that everything is configured as expected. When Aggressive Mode is supported by the VPN, the tool can be used to obtain the PSK, often without a valid group name (ID), which can in turn be passed to a hash cracking tool.If you use Kali Linux, ike-scan is included in the build: We can use the following command to download the PSK from an IKE VPN that allows Aggressive Mode:

    ike-scan -A [IKE-IP-Address] --id=AnyID -PTestkey
    ike-scan
    psk-crack

    Here is an example of the command successfully retrieving a PSK:The tool also comes with psk-crack, a tool that allows various options for cracking the discovered PSK.Because Aggressive Mode allows us to download the PSK, we can attempt to crack it offline for extended periods without alerting the VPN owner. Hashcat also provides options for cracking IKE PSKs. This is an example Hashcat command for cracking an IKE PSK that uses an MD5 hash:

    ./hc.bin -m 5300 md5-vpn.psk -a 3 ?a?a?a?a?a?a -u 1024 -n 800

    Another useful tool is IKEForce, which is a tool created specifically for enumerating group names and conducting XAUTH brute-force attacks. IKEForce includes specific features for attacking IKE VPNs that are configured with added protections. 

    What VPN Administrators Can Do to Protect Themselves

    As Aggressive Mode is an exploitable vulnerability, IKE VPNs that support Aggressive Mode will continue to appear as findings on penetration tests, and they continue to be a threat that possibly can be exploited by a determined attacker.We recommend that VPN administrators take one or more of the following actions to protect their networks. In addition, the above actions, when documented, should satisfy any remediation burden associated with a prior penetration test or other security assessment.

    1. Disable Aggressive Mode and only allow Main Mode when possible. Consider using certificates to authenticate clients that have dynamic IP addresses so that Main Mode can be used instead of Aggressive Mode.
    2. Use a very complex, unique PSK, and change it on a regular basis. A strong PSK, like a strong password, can protect the VPN by thwarting attackers from cracking the PSK.
    3. Change default or easily guessable group names (IDs) to complex group names that are not easily guessed. The more complex the group name, the more difficult of a time an attacker will have accessing the VPN.
    4. Keep your VPN fully updated and follow vendor security recommendations. Ensuring software is up to date is one of the best ways stay on top of vulnerability management.

    Also see our post on creating a secure password for more information on creating a strong PSK.

  • Raxis API Tool

    Raxis API Tool

    At Raxis we perform several API penetration tests each year. Our lead developer, Adam Fernandez, has developed a tool to use for testing JSON-based REST APIs, and we’re sharing this tool on GitHub to help API developers test their own code during the SDLC process and to prepare for third-party API penetration tests.This code does not work on its own… it’s a base that API developers can customize specifically for their code. You can find the tool at https://github.com/RaxisInc/api-tool.

    Here’s a basic overview of the tool from Adam himself:

    The Raxis API tool is a simple Node.js class built for assessing API endpoints. The class is designed to be fully extensible and modifiable to support many different types of JSON-based REST APIs. It automatically handles token-based authentication, proxies requests, and exposes several functions designed to make it easier and faster to write a wrapper around an API and associated test code for the purposes of a penetration test. This tool is not designed to work on its own, but to serve as a building block and quickstart for code-based API penetration testing.

     

  • Tailgating & Other Physical SE – SOCIAL ENGINEERING [PART 3]

    Tailgating & Other Physical SE – SOCIAL ENGINEERING [PART 3]

    In Part 1 and Part 2 of this series, we discussed remote social engineering that an attacker could perform from any location. Those types of attacks rarely are traced back to the attacker who could be located anywhere. The social engineering attack that we’re discussing in this post is much more brazen. In this case the social engineer is actually located onsite, possibly talking with you face-to-face.The stories below are all from ethical physical social engineering engagements that my colleagues and I have performed. Our goal was to help each company find weaknesses so that they could correct them and educate their employees to make the job site more secure. My goal in writing this post is the same. As with all social engineering attack vectors, education is the best defense. For that reason, I’m focusing this post on the interpersonal aspects of SE. Some of my colleagues at Raxis made a video last year explaining some of the technology that can be used on physical SE engagements. Check it out at https://raxis.com/2017-04-19-physical-security-pitfalls/ to learn more about that.

    Getting In

    Companies often put safeguards in place to secure entrances and then hope that the bad guys stay out. Surprisingly, getting in is often much easier than you might expect. I have used platters of cookies and cakes to gain access on some engagements, but often it’s even easier than that.I once was attempting to enter an office building located in the suburbs of a large city and scoped out the building on the Sunday afternoon before the engagement started. I find this to be a good way to find out about the building and security policies in place so that I can make a plan before the Monday morning rush. Also, different security guards are often on duty on the weekends, meaning I likely won’t be recognized the next day when I start the engagement. In this case, a colleague and I checked out the building and discovered that all doors except the main entrance were locked. The main entrance was open during posted hours, and a uniformed security guard was visible behind glass windows. We decided that tailgating during the morning rush was our best option. The next day we arrived and immediately split up. After a few attempts, I saw a woman heading towards a door I was near. I looked upset & riffled through my purse frantically. When she walked up, I told her I couldn’t find my badge anywhere and could she let me in. She was definitely suspicious. “What department do you work in?” I told her IT, a department that is likely to have employees in or to need access to several buildings. She let me in and told me that it was okay because I worked for IT. And then she told me that she disliked the rule that they could not let people in, and IT made that rule, so I had better not tell my coworkers. Once in the building, I plugged a device into a network port in an open cube and called my colleague so that he could begin remote access to the network.I could tell multiple stories of people holding doors for me, especially during busy times of day — morning, lunch, and at the end of the day. On one engagement I was attempting to clone badges and eventually wondered why since every single person who passed me as I obnoxiously stood outside a locked door held the door for me. When you realize that many companies rely on locked doors for security, this starts to become scary.So how about another story that is much the same, but possibly not as expected. On an engagement in the financial district of New York City a few years ago, I had more hurdles to make my way into the office. The large skyscraper I was in had two elevator banks. Each bank had turnstiles that required employee or visitor card access. Two guards were seated at a security desk that had a clear view of both elevator banks. Once I made it to the elevator, I knew a floor number but did not know what security measures were in place. I stood near a snack shop and watched as most people used the elevator bank for the floors I didn’t need. When I eventually saw someone head to my elevator bank, I casually, but closely, followed. No alarm. Later testing showed me that the alarm would go off if I allowed a comfortable distance between myself and the person I was tailgating but the turnstile would still work as long as I followed someone through. I followed my target onto an elevator and discovered that she was going to the floor I needed. She used her card to allow the elevator to go to that floor and then used her card to get into the office area of the floor. Though the floor was designed to lock visitors in the elevator area where they used a phone to request access, my target held the door open for me. Once I was on the floor, I sat in the break room, walked around work areas and file cabinets, and, fifteen minutes in, eventually had to start acting suspicious before anyone asked me who I was and what I was doing. The safeguards in place made everyone believe that they floor was secure and that everyone there must have been fully vetted.

    Staying In

    It’s definitely a win to say that we got into our customer’s building. The test, though, is to see how we can exploit that, and, unless we know exactly what we are looking for, that requires staying in the building for an extended period of time without getting caught. Finding our way around takes a while. I’ll take photos of fire exit maps and then run into restroom to have time to look them over and figure where to go next. Most of the time we’re entering buildings blind and figuring out where to go as we go.Remember that suburban office building I mentioned above? My colleague and I went back at 5pm. We bought coffee at a local spot across the street and stood outside a locked door drinking that local coffee. The first person who walked out the door held it for us. We walked in and walked past rooms labeled with department names. When we found one with no name, we walked in and saw that it housed offices and cubes that appeared to no longer be used. We waited inside an office there for an hour. When we left our hiding space around 6pm, the building was deserted except for the cleaning crew. We ran into the same members of the cleaning crew multiple times, and they never stopped us or reported us. Earlier in the day we had gathered some credentials in a phishing campaign. We were able to use those credentials to login on a customer service representative’s PC and to view customer financial and medical information. We had full access because internal doors were left unlocked after hours and the only employees we met did not report us.Another time I was in a large hospital. As you’d expect, at a hospital, it wasn’t hard to gain access. There were nurses and doctors all around, though, and the computer access and private documents that were my aim, were all behind nurses stations. Luckily I had guessed this might be the case and had bought a cheap pair of scrubs before starting the job. I wore the scrubs along with a lanyard that had a blank white card on it, and I gained full access. To what?

    • Computers
    • Papers on printers and fax machines
    • Medical files and binders with patient information

    I took my time and went from floor to floor. I was not stopped or questioned even one time. In fact, I made a friend in the elevator as I was leaving the building. We chatted about how being a nurse hurts your feet after running around all day. I later found out that the scrubs I was wearing were a color not even used at that hospital.So timing helps and dressing the part helps. One last story on this topic. Back to that skyscraper in NYC. On one occasion there I was tailgating with the lunch crowd to a different floor using the popular elevator bank. I slid through the turnstile following someone but wasn’t quite fast enough. The alarm went off, and a security guard started walking towards me. Just then an elevator opened, and I walked in with the crowd. On the way up, as the elevator stopped at several floors, a man turned to me and asked why I didn’t use my card to go through the turnstile. I pointed to my big computer bag and said that I didn’t feel like looking through there to find it. He laughed and started talking to his buddies about the fight on television the night before.So add confidence to that list. It’s shocking what you can get away with when you expect someone to believe you.

    Getting What You Came For

    In the end, it’s all moot if you don’t demonstrate that a security breach can lead to a compromise. This can be plugging a small device into the network so that you can later gain remote access, it can be photographing private documents found on desks and in file cabinets, and it can even be accessing employee computers that are left unattended. I already mentioned in passing that I have had opportunities to install devices on networks and to access computers on some of the engagements I’ve done, but there’s more!Hospitals often hire us because they have a lot of private information and critical equipment to protect while also often allowing many people through their doors daily. They walk a fine line of being kind to patients and their families while still protecting patient rights by guarding their security. At one busy hospital, I was set on getting access to the files in the Medical Records room. I tried in a doctor’s coat and in scrubs and didn’t make it past reception. I went back in jeans and told them I was from IT to fix a computer. The receptionist let me in without another word. I opened file cabinets and took photos of the papers inside.At another hospital, I walked up to a reception desk that blocked my way to a cancer center. I told the receptionist that I was from IT and had to manually install updates using a USB drive because the automatic security updates were failing. Not wanting to miss a security update, she let me into the locked area behind her and told me to take my time. She left me alone to install payloads to open remote sessions on several machines and photograph patient records that were lying on desks.On one job I had been hired for had an SE engagement and an internal penetration test combined. This is a great idea because it demonstrates how a real attacker might put the pieces together to gain more access. From the penetration test, I already knew of administrative interfaces on the internal network that allowed default credentials. With my SE hat on, I walked into one of the hospital’s specialty buildings. This is where they treated cancer patients and other patients who would be back for multiple visits. There was a very nice room, open to anyone, off the lobby. Computers were provided to allow patients, friends and family to research what they had heard from their doctors. I sat down at one of these computers and proceeded to login to the internal admin websites that were all accessible from those public computers. In this way, I, or an attacker, could access and change administrative controls for the hospitals systems.

    Getting Out

    When we perform physical SE jobs for our Raxis customers, we discuss carefully with the customer to discover what they want us to test and not to surpass those bounds. The customers provide us with a “get out of jail free” letter that we use if we are caught. The letter is on the company’s letterhead and provides information about who to call to verify the testing in the event that we are challenged by a vigilant employee. With this, we can boldly enter company buildings without fear of arrest. True attackers will likely not be as careful as we are in our testing… their goal is to get in, get what they came for and then to get out without being caught, whether they cause other harm or not.Once, at a small insurance office, I had gained access to everything that was in scope, but I still had extra time. I had done it all by staying under the radar the first time, so I went back a second time and tried to talk my way into gaining the same access again so that I could see if the people I spoke to would allow me to have access or would stop me. Kudos to them for not believing my story about performing an audit without calling first. Unfortunately, they did not want to be mean to me, so they placed me in a conference room alone for ten minutes while they attempted to reach someone for confirmation. Because I wanted to test them thoroughly, I stayed and eventually handed them my “get out of jail free” letter. If I had wanted to leave, I could have left the building before they checked on me.Then there was the time that I was in a hospital’s administrative building attempting to gain access to Human Resources. I had already spent time in the hospital itself and read a free hospital newspaper that mentioned three star employees by name and with photos. One was in HR, so I went over to the HR building and told the receptionist that the star employee had told me I could wait in their conference room so I could work until my flight arrived. The receptionist happily took me right over to see this star employee. She looked me in the face and told me that she had never seen me before. Since I had nothing to lose, I told her that we had only met twice and I was sorry that she didn’t remember me. I didn’t offer to leave. I stood next to the receptionist and just stared after that. My target told me that she had never met me but that I could stay in the conference room anyway. I stayed long enough to plug a device into the network and then walked out telling everyone that I got an earlier flight. Sometimes the best way to be able to get out is to act like you are comfortable staying… as if you belong there so fully that you have nothing to hide.In my SE career, I have only been forced to show my “get out of jail free” letter once (without me forcing the situation into that). This was an example of an employee doing everything right. I had discovered that a high level manager at the small firm we were tasked with assessing, as well as his wife, had public Facebook profiles. I learned all about them, bought a cake that said “Congratulations, Dad!” and walked up to the receptionist saying that I was his daughter in town to surprise him for his anniversary (which happened to be coming up according to Facebook). I knew my mother’s name and my siblings names, and I had a whole story set up. It was enough to get me into his office, but the receptionist called his assistant to escort me, and the assistant didn’t take her eyes off me. When I tried to catch a coy photo of a paper on my target’s desk, she entered the room and told me that she was calling security. After a brief attempt to talk my way out of it, she stood her ground. Upon receiving my letter, she called the people on the letter to verify that the letter was true. While a lot of these stories make this sound easy, this was an example of a situation where a real attacker could have ended up talking to the police. And it shows what diligence from employees can do to protect the company.

    What You Can Do

    Hopefully this article was a fun read, and hopefully it scared you a little as well. When someone wants something from your company, they can be very convincing, but you don’t have to be an unwitting accomplice. What can you do?

    • Many companies have physical security policies. Ask what yours is. It likely includes several of the following items as well.
    • Don’t allow people to tailgate behind you. If a door is locked or protected in some way, let people unlock the door themselves. If they complain, explain that it’s company policy (if it’s not it should be!) and tell them where they can go to sign in and gain access if they don’t have the key or badge needed at your door.
    • If you see people you don’t recognize in your internal office space, ask who they are. Ask to see a visitor badge if your company provides those. Many visitor badges have blurry photos and small “approved for” dates. Check the badge closely.
    • If you find someone to be suspicious and don’t want to or don’t know how to confront them, call security. That’s what they’re there for. Tell them as much information as you can and keep an eye on the suspicious person until they arrive if possible.
    • Keep private and critical documents in locked drawers. Don’t leave them on desks or in unlocked cabinets. Remove these documents from printers and fax machines as quickly as possible as well.
    • Let your IT department know of any network ports that are not being used. If an attacker plugs a malicious device into a network port that IT has turned off, you’ve thwarted their remote access to your company’s network.

    While this is my last post in this Social Engineering series for now, we’re always happy to discuss what Raxis can do to help you improve your company’s security in this area. You can find more information at https://raxis.com/redteam/social-engineering, or drop us a line at https://raxis.com/company/contact.I’ve heard a rumor that my colleague, Brian Tant, is working on a related blog post about Neuro-Linguistic Programming (NLP) using cognitive resets, visual cues, and body language. Keep an eye out at the Raxis blog for that coming up soon!

    Want to learn more? Take a look at the first part of our Social Engineering discussion.

  • Voice Phishing – Social Engineering[Part 2]

    Voice Phishing – Social Engineering[Part 2]

    We’ve all heard of phone scams such as Rachel at card services offering to help us out of a jam we didn’t even know we had. Scams such as this have become common in the workplace as well. These scams, called vishing or phone phishing, are a type of test we often perform for Raxis’ customers.You may be surprised to hear that often we achieve a high success rate with these phone phishing assessments. During one particular assessment, we called a large number of people throughout a company and told them we were contractors performing the annual credential check and asked the employees to please provide their email username and password. Often those credentials are used to login to their computers as well. Providing this information yielded more access than the targeted user was aware of. During this assessment, approximately one fourth of the people we called provided their credentials.

    PREPARATION

    This type of phishing is different from the email phishing attacks that most people are familiar with. First, a telephony-based phishing campaign requires additional preparation to sound convincing. We rehearse what we plan to say as well as how we will respond to questions, suspicion, and anger. We invent a story and background as part of a convincing pretext. It is said that the devil is in the details. A sense of legitimacy can be borrowed by peppering the conversations with specific information. Are we saying we work for the same company as the target? Then we’d better be able to say what office we work in. We’re calling from IT? Who’s our manager?Unlike email phishing campaigns, it is imperative to hook the target as soon as the call starts. Once the target hangs up, it’s unlikely they will call back or take another call from our number unless they trusted us (though I once had a person call me back to check who answered the phone). For this we prepare a persona.

    We need a name, possibly an accent, a department, a purpose for calling, and just enough back story that we never say “umm”.

    When we call our target, we’re unlikely to provide most of these details, but we need to be in character. Our target is likely to start off suspicious and will only get more suspicious if we say we work at the IT Help Desk and then act like we’re a high level manager telling them what to do. I’ve also had targets question me on what building I work in as well as my manager’s name. If I have a number of people to call, I often make small talk to gather more information to use in my next calls. Every bit helps in establishing rapport and building trust.Another part of preparation is technical. While it’s illegal to spoof (imitate) a phone number maliciously, in phishing campaigns it’s all part of the test. We use services like SpoofCard to display the phone number of the company that we claim to be calling from to make the call seem even more real.

    A SIMPLE, MULTI-TARGET VISHING CAMPAIGN

    Many companies hire us to call a large number of people in various departments to see if they reveal private information. The goal is to get something simple like their username and password for the email system or the direct phone number for an employee who doesn’t have that listed publically. We often seek to check the effectiveness of their security awareness training by evaluating employees’ responses to the attack. As an employee, knowing that a company tests employees in this way can be a great incentive to exercise vigilance when handling unknown calls.In campaigns like this, I like to make myself a low level contractor. This job is so lowly that they don’t even make the lowest level employees do it! My goal is to establish rapport and then elicit a sense of empathy. Maybe you feel sorry for me. Maybe you realize that I get paid by results, so I will keep calling until you give me what I ask for. Most importantly, I have an excuse for not knowing answers to all your questions or not having a phone number that looks familiar.So back to my sad, lowly contractor. I make the call. I’m friendly. If they don’t believe me, I sound like I am used to hearing this and hate my job. I don’t tell them I’m a contractor; my goal is to get their credentials, but if they push back or ask me questions like “what building do you work in?, I “admit” that I’m just a contractor. I look for any opportunity to ask the best way to get a job there. I ask if my target likes working there. Are the managers nice?This allows me to keep the target engaged without knowing all the answers and makes people feel important because they possess information that the caller doesn’t have. If they refuse to answer, I’m polite and tell them that is no problem at all… but someone will have to come to their office in person, and it will take longer. Sometimes that threat of someone physically coming to see them is enough to change their mind.These types of campaigns can be conducted under a myriad of personas. Some people mumble a lot so that it’s easier to act like you know answers you may not know. Think of calls you’ve received from spammers that you believe are legitimate at first. Sometimes it’s hard to say no.

    SPEAR PHISHING CAMPAIGNS
    Webpage Showing Entire Raxis Leadership Team
    Company Website Reveals Partners

    Spear phishing campaigns, whether using email, phone, or a combination, are much more complex to set up but can be well worth the effort when all the pieces fall into place. In these campaigns, we focus on a small number of specific targets and spend a great deal of time researching them to tailor the campaign specifically for these individuals.We start with research, and it may surprise you what we can find from the comfort of our own home using the Internet. I’m not discussing the dark web here; I’m talking about search engines like Google and Bing, social media, such as LinkedIn, Facebook and Twitter, and even the websites of your own company and your customer companies.A few years ago I was hired by a small firm of about fifteen people who each worked with two or three customer companies. I won’t reveal the specific industry, but they worked mostly with financial information. I was tasked with using only phone calls and calling as few or many people as I wished as long as I extracted any type of critical, private information.My first step was to look at the company’s website where I found a list of key employees along with a small write-up about them. Many companies do this… it’s a great way to show prospective customers that your team has experience and would serve them well. Even Raxis has a page like this: Using Raxis as an example to illustrate the value of seemingly extraneous information, from this web page I gathered names, and I made short bullet lists of personal and professional information that might be useful in my calls.I also looked around the webpages and got an idea of the company itself. Sometimes information is revealed about products or companies that work closely with our target company. The Raxis webpage lists our partners, Rapid7 and GE Digital Cyber Security, giving an attacker an idea of who might be calling us, as well as lending a sense of importance to the calls that are believed to originate from them.  Next I looked at LinkedIn and found many of the same people. LinkedIn is used by most people when they are looking for a job, and, because of this, many LinkedIn profiles have a great deal of information about people and what they do at work. School and work history give an idea of the target’s age as well as their interests. We look for any connection that we could exploit to build a bond.

    You went to Carolina? I can’t believe it. I did too! What year did you graduate? Go Heels!

    LinkedIn Page Showing Past Work Experience

    LinkedIn also can provide detailed information about our target’s job. Part of my LinkedIn job history is shown below. You’ll see that I once worked at a PBS station and a university. All of this type of information can be helpful as we enhance the target’s attack profile and determine under what pretext the attack will take place. In the case of the company I was researching, two people stood out. Each of them posted names of their customers on either the company website or LinkedIn. Next, I researched these customers. Immediately one customer stood out. Their website showed an org chart showing the structure of all of the top management.Since I’m female, I picked a woman on the list and decided to call my target using her name. I also found two other names that were higher in the org chart. With this information, I made my call.

    Hi, this is Stephanie Smith. I hate calling you at the last minute like this. My phone died, and I’m running around trying to get all the financial statements together for our annual planning meeting. Rich and Jim decided at the last minute that they need statements for the full fiscal year, and I can’t find them anywhere. The meeting starts in thirty minutes. Is there any way you can fax them to me ASAP? You can? Great! Our fax machine is actually broken too. Would you use this number instead?

    When you have time to sit and read this, it sounds ridiculous. There are red flags throughout. I never even said my company name, but I had enough information that I hooked my target into believing that I was trustworthy because she believed me when I gave my name, which happened to be a name that the target had been conditioned to view as a very important client that she wanted to please. She did not expect the call and made a split second decision to comply, rather than risk alienating a customer.She sent over 50 pages of financial statements to my fax machine.Of course, this was a security test. I deleted all of the data and provided my customer with a customized report that they used to train their staff. If I had been a malicious attacker, that one call could have broken the trust that company had with all of their clients. 

    GET THEM TO CALL YOU – THE REVERSE PHISH
    Phishing Email With My Phone Number

    In Part One I talked about email phishing. Why limit ourselves to emails or calls when attackers will use any means they have at hand?When customers allow us to combine emails and calls, one method that we’ve found value in is asking targets to call us. It may sounds silly, but think about it. Something you use daily on your computer to get your job done stops working. You call the help desk, but they are already swamped. You’re waiting unproductively and your work is piling up. We’ve all been there, and we all hate it.So along comes an email with a link in it. The wording in the email gives you a special number to call. This webpage is so important that there is a priority number for it. This type of hybrid vishing campaign makes it easy to target a large group of people. Once someone calls back, we know they, at least partially, buy our story, and we can hook them in even further. When people call us they are more likely to trust us. They have no proof of who we are, but most people feel more comfortable with the person on the other end of the line when that person is answering them on their own terms at their own time. 

    WHAT YOU CAN DO TO PROTECT YOURSELF

    When someone calls us, it often takes us off guard, and we are deciding if we should trust them at the same time that they are talking and encouraging us to get this over with by giving them what they want. We are conditioned to comply, especially in the work environment. But it’s important to maintain a sense of vigilance when dealing with any electronic communication including phone calls.

    • Remember that you can hang up on people. Tell them no or just hang up the phone. If you don’t trust them, just hang up.
    • If you don’t want to be rude or worry that they may really be who they say they are, put them on hold. Think about what they’ve said. Ask a manager or call the IT help desk and ask. IT often can help you decide if a call is legitimate.
    • Calling from a different number? Even if the calling number looks right, an attacker may be spoofing it. Before giving any private information, tell them you’ll need to call them back at the number you already have on record.
    • After hanging up, call the number you already have and verify that they just called. If the call was false, they’ll appreciate you checking. Call the department they say they’re from and ask. It’s obvious you have their security in mind. Most people appreciate that.
    • Are they asking you to send to a different fax or email? Tell them you can send to known ones you already have.
    • Most importantly, report it. Make note of the number and any details they provide. They may call other people, so the sooner you alert your company the better. If your company does not provide a way to report possible phishing and vishing attacks, report them to your IT department.

    Raxis provides social engineering tests, including phishing and vishing tests, that are tailored to your company. See our Social Engineering site at https://raxis.com/redteam/social-engineering for more information.

    Social engineering testing such as this is a critical part of compliance testing for companies in the financial sector. Learn more here https://raxis.com/industry/financial.If you have questions or ideas for further blog posts, contact us at https://raxis.com/company/contact.

    Want to learn more? Take a look at the next part of our Social Engineering discussion.

  • City of Atlanta 2018 Ransomware Hack: What We Know and What You Can Learn From It

    City of Atlanta 2018 Ransomware Hack: What We Know and What You Can Learn From It

    What do we know?
    Municipal Court of Atlanta Site Unable to Take Payments
    Error on Alternative Citation Payment Webpage
    Citation & Case Number Lookup Tool

    While events are still unfolding, we’re piecing together facts pertaining to the March 22nd ransomware attack on the City of Atlanta. As an Atlanta-based company, my colleagues at Raxis and I have been keeping a close eye on the happenings since the attack. The City of Atlanta has so far successfully kept people informed without revealing information that may be critical in responding to the attack.It appears that the epicenter of the attack was Atlanta’s municipal court (including tickets, citations, and other information) and bill-payment systems. I examined the Municipal Court of Atlanta website as I researched this post late Monday and found that the site displayed an error message explaining that payments could temporarily be made at a different site. When I clicked through to that site, I was given two options: a link back to the original site where I had started and a link to an error message, both seen here. Whether these sites were directly affected by the attack or are disrupted as part of the aftermath, people using these sites are affected just the same. The ‘Online lookup tool’ on the same page leads to a webpage that times out. It is possible that this service was not affected by the ransomware attack directly, but access to this page may have been removed as a precautionary measure to prevent further attacks. Based on these observations, we can infer that the attack has effectively diverted Atlanta’s resources to understanding, containing, and recovering from the attack. A trusted source tells Raxis that Atlanta is still working to fully confirm that critical infrastructure systems, such as fire, water and the airport, have not been impacted. All systems that may have been impacted have been taken offline until their state of compromise can be determined.Employees have been directed not to turn on or login to their workstations, which is another proactive security measure implemented in immediate response to the attack. A source has informed Raxis directly that vendors have physically been locked out of city buildings since the attack took place. A direct source has also confirmed to Raxis that construction companies have been unable to obtain permits that had already been submitted for approval due to the attack.Raxis also noted Atlanta’s Outlook Web App (OWA) and GIS server were displaying application errors after the attack. The City of Atlanta appears to be working around the clock to fix these services, nonetheless, these issues speak to the severity of the attack and the breadth of Atlanta’s response to an active threat. 

    What can we speculate about the attack itself?

    The city has not released details about the attack yet, but we can speculate. A Raxis source stated that the attackers were demanding three bitcoin per decrypt key. Internet sources shows that the attackers are asking $6,800 per system or $51,000 to unlock the entire Atlanta system. While the math does not quite add up (currently Bitcoin rates are $8,056.44), we can see that the costs are high but also possible for Atlanta to pay.Raxis has spoken to a trusted source who confirmed that it is believed that the attackers gained access to Atlanta systems using MS-RDP (Microsoft Remote Desktop Protocol) and then installed SamSam ransomware which made the ransom demand. Our source stated that, as of close of business on Monday March 26th, Atlanta had not made a determination of whether to pay the ransom or to pursue other methods to recover business continuity.

    RDP (Remote Desktop Protocol)

    As noted above, a trusted Raxis source has informed us that the current belief is that attackers used MS-RDP as the entry point to Atlanta’s network. Raxis’ source, while not privy to the passwords that were harvested in the attack, believes that passwords likely were weak, which may have contributed to the success of the attack.While the focus currently is on the ransom demands, the full access that the attackers may have achieved in this type of attack likely may have allowed them to create back doors to Atlanta systems that they accessed, which would allow them to maintain a persistent presence for use in future attacks. Atlanta now finds itself in a position where it does not know whether a persistent threat is present on the internal network. It will need to maintain ongoing vigilance to determine the effectiveness of its response.Both the externally accessible MS-RDP service and the possible use of weak passwords are security issues that many companies deal with. This attack makes clear the importance of basic security housekeeping in protecting any network.

    Patching & EternalBlue Rumors
    Shodan Results Showing SMB Version 1.0 Enabled

    While our sources do not point to patching issues such as EternalBlue being involved in this attack, there are multiple rumors circulating on the internet stating that EternalBlue was the entry point the attackers used. Even if EternalBlue was not a part of this attack, it has been used in other recent attacks, such as the RedisWannaMine cryptominer attacks.EternalBlue was one of several exploits released by ShadowBrokers in April 2017. Microsoft released a patch (MS17-010) the previous month on March 14th. EternalBlue was also used in the WannaCry and Petya/NonPetya attacks that made headlines in 2017. It exploits SMB 1.0 and affects several versions of Windows and Windows Server, including newer versions such as Windows 10 and Windows Server 2016. Using Shodan, a search engine that focuses on the configuration aspects of publicly exposed systems, Raxis confirmed that a system reported to be a part of Atlanta’s infrastructure still allowed SMB 1.0 as of Monday afternoon. As a career penetration tester, I know how easy this attack is to perform. In many cases, a successful exploit of EternalBlue leads to administrative rights on the system itself. An experienced hacker can often use other vulnerabilities, such as weak passwords and inappropriate delegation of administrative privileges, to gain further access on the network.

    SamSam Ransomware

    A trusted Raxis source has confirmed that SamSam (also known as Samas or SamsamCrypt) ransomware, first seen in late 2015, was used in the attack. Once the attackers infiltrated Atlanta’s systems using RDP, they appear to have deployed the SamSam ransomware that alerted Atlanta. Attacks of this type have been widespread, victimizing governments, the healthcare industry, and educational institutions, as well as businesses of all sizes. The attacks have been profitable because the ransoms have often been affordable, often making it more appealing to pay to decrypt the affected files, rather than take on the expense and administrative burden of adjusting operations to compensate for lost data. Even with backups in place, it can take days or even weeks to restore systems fully. It seems best not to pay an attacker who is holding your information at ransom, but, in many cases, restoring business operations in a timely manner takes precedence.

    What now?
    Atlanta Mayor Keisha Lance Bottoms at a March 26th Press Conference

    While our source tells us that the initial internal response efforts were disorganized, Atlanta now appears to be engaged with the Microsoft and Cisco experts that they’ve brought in. The current lack of details is a positive; like any active investigation, managing communications is paramount until as many facts as possible have been discovered.A trusted source tells Raxis that Atlanta has made it clear that brand management is a priority as its bid to become the second Amazon headquarters and the 2019 Super Bowl loom large.That said, Atlanta has demonstrated effective triage measures in response to the attack. As mentioned above, employees were told not to login to their workstations, decreasing the surface area for the attack. An airport spokesman told the Associated Press that the airport Wi-Fi network (as well as part of the webpage) had been taken down as a precaution.Atlanta has also been updating the public actively with news that is considered appropriate to release. Atlanta has leveraged their Twitter account, @cityofatlanta, to great effect, using it to post videos of press conferences with Atlanta Mayor Keisha Lance Bottoms as well as alerting constituents as city information services are restored to service.

    Finally, what can your company do to not end up in this position?

    Test, test, test. Working at Raxis I’ve seen penetration tests open customer’s eyes to issues they may not have known about or did not understand. While a penetration test may feel scary (you’re asking a hacker to enter your systems; the fear is understandable!), if you choose a good company, you should find that a penetration test is an indispensable tool to discover and prioritize your security tasks. The report you receive at the end of each test should do just that. To learn more about Raxis’ penetration testing services or just to find out more about the types of tests we recommend, see our site at https://raxis.com/pentest/. At Raxis, we’ve also worked with smaller companies that don’t need or can’t afford a full penetration test. We’ve recently launched a new service, the Baseline Security Assessment, that is meant to provide the benefit of security awareness for these companies that may not require the full depth of engagement that comes with our penetration testing services. Mature organizations that have mastered the art of managing a strategic security program that includes regular testing, vulnerability and patch management, as well as identity and access control, will benefit from the next step in security readiness. Investing in our Rapid Response Incident Response retainer is a strong measure of preparedness for when a security incident does occur. See Specialized Services to learn more about how Raxis can help you with this as well.If you have questions about where to start and what services could be right for you, fill out the contact form at https://raxis.com/company/contact, and we’ll be happy to discuss how we can help fortify your defenses to keep you open for business and out of the headlines.