Everyone has heard of Spyware and Malware. Ransomware is becoming an all too familiar term, but I feel many IT Organizations assume it is a threat isolated to consumers and not Enterprises. In my opinion, most IT Organizations are uneducated about the attack vectors that Ransomware can use to infect an IT Infrastructure.
Case in point, most companies that I interact with do not prevent their IT System Administrators from using Internet Explorer (or other web browsers) from the console of their servers. Only a handful of companies that I have encountered over the years actually restrict outbound TCP connections on the firewall to thwart IT Sys Admins from web browsing on server consoles.
Why is this significant, and how does this behavior relate to the topic of Ransomware? This is the attack vector that most IT Organizations are unaware of. Most of the IT Systems Administrators that I have encountered have justified their behavior of using a web browser on a server by stating that they are smart enough to only browse “Safe” websites to download hotfixes, patches, or search for error messages on IT forums. It is that false assumption that can allow Ransomware to infect an Enterprise. I will explain below how an Enterprise Application such as Microsoft Exchange Server could be taken down by such behavior.
The alarm needs to be sounded because leading security researchers have proven that the most successful attack vectors are being exploited by hackers who are placing advertisements on legitimate web sites. You could be browsing a completely legitimate and “Trusted” web site, but because of an advertisement that contains malicious code, your web browser is now the attack vector that downloads an attack payload into your Infrastructure! Today, on June 10th 2014, Microsoft released hotfixes for 59 vulnerabilities in Internet Explorer. This shows you that attackers are going after the web browser to target the enterprise! Hackers are smart enough to not hit an Enterprise head on by attacking the firewall. Instead, they target the weak points in the infrastructure, namely the end user who is browsing legitimate web sites. Some of these vulnerabilities are “zero day”, meaning that attackers have discovered the vulnerability before the good guys and no patch is available to fix the problem. These types of lurking vulnerabilities can lie dormant on a web server for weeks or months before being discovered.
Now, imagine if one of your Domain Administrators browsed a legitimate web site that contained an advertisement placed by a hacker. It is safe to assume that any server that Domain Admin had access to could now be “owned” by Ransomware, because most of the recent advanced persistent threats (APTs) spread by multiple attack vectors once they infect just a single host. Once ransomware lands on a host, the only way to unlock the data is to pay the ransom! When searching for products to remove the ransomware, use caution, because most of these so-called cures are actually viruses that masquerade as ransomware removal tools!
I think most readers would agree with me that we are now talking about a very real scenario, because we are talking about legitimate websites that have been compromised with advertisements. IT Sys Admins that use privileged accounts and perform web browsing to search for solutions to error messages (a common IT Sysadmin task) are the most at risk. They are exposed when browsing to download patches or drivers onto a server from the internet, because it is more convenient for them than copying it over the network from their workstation.
I highly recommend reading this Cyber Heist newsletter (not from your server console, and not while logged in with your Domain Administrator account!). In this newsletter, the author describes the latest advances in ransomware and I promise it will open your eyes to just how bad things have gotten! I don’t blame you if you were too paranoid to click on the link after reading this blog. =)
The threat to Enterprise Applications: Case Study: Microsoft Exchange
The Microsoft Exchange “Preferred Architecture” was published by Microsoft on April 21st 2014 and recommends against traditional backups. I think you know where this is going if you read the Cyber Heist Newsletter referenced above.
“With all of these technologies in play, traditional backups are unnecessary; as a result, the PA leverages Exchange Native Data Protection.”
The limitation of Exchange Native Data Protection (mailbox replication) is that all copies of the mailbox data are accessible from the Layer 3 IP network (a requirement for replication to work). The doomsday scenario is that a worm or skilled hacker could destroy or “ransom” all copies of the data. This would leave an organization with 100% data loss. Not only is Office 365 susceptible to this threat, but so are all customers who follow Microsoft’s preferred architecture.
Therefore, Exchange Administrators should carefully consider the risk of a worm or hacker before completely eliminating traditional backups. All other layers in your defense-in-depth security apparatus had better be airtight! For example, you would have less risk if you deployed a whitelisting solution from Bit9, Lumension, or Microsoft AppLocker. However, it’s nearly impossible to eliminate all risk because, according to the McAfee Phishing Quiz, 65 percent of respondents can’t properly identify email scams. Theoretically, the human responsible for making decisions on what to allow into the whitelist could be tricked into allowing ransomware to be trusted.
- To reduce the risk of ransomware spreading to servers, prevent IT Administrators from being able to browse web pages while logged onto a server. If servers are located in a separate IP subnet, create an ACL to block outbound requests to ports 80 and 443 from the server subnet. The caveat is that you could potentially break applications that rely on external connections to the internet. Therefore, you could first enable the ACL in logging mode, use the logged traffic to create a whitelist of allowed sites, and then block everything else. The downside is that this will increase the administrative burden on the firewall administrator, who has to maintain the ACL. However, the alternative of permitting an IT Administrator to browse websites while logged onto servers is to accept the risk of infecting the entire server farm with a worm, virus or Ransomware.
- Create an IT Policy for Administrators to sign, stating that they will not browse the internet using privileged accounts such as Domain Admin credentials on any workstation. Consider deploying a proxy server that uses RADIUS or Windows Authentication, and only allow a global group that does not contain these admin accounts.
- Research commercially available whitelisting solutions (e.g. Bit9, Lumension, or Microsoft AppLocker).
This approach would not prevent all worms, ransomware and hackers from getting onto your servers, because modern advanced persistent threats (APTs) will spread and distribute themselves across multiple attack vectors. For example, just one infected laptop that has IP connectivity to the back-end servers could spread an infection by taking advantage of a vulnerability in an unpatched third-party application. Ironically, even unpatched security products from the top security vendors have been used to infiltrate a server. Therefore, Kevin Mitnick style security awareness training is also recommended.
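The logging-mode step in the first recommendation can be turned into a reviewable whitelist with a short script. This is an added example, not part of the original post: the key=value log format, the 10.20.0.0/24 server subnet and the three-hit cut-off are assumptions, and the log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

SERVER_SUBNET = ipaddress.ip_network("10.20.0.0/24")  # assumed server subnet
WEB_PORTS = {80, 443}
MIN_HITS = 3  # assumed cut-off: repeated traffic suggests an application dependency
# Constructed sample in a made-up key=value format; adapt LINE_RE to your firewall.
SAMPLE_LOG = """\
2014-06-10T02:00:01 src=10.20.0.11 dst=203.0.113.10 dport=443 action=permit-log
2014-06-10T03:00:01 src=10.20.0.11 dst=203.0.113.10 dport=443 action=permit-log
2014-06-10T04:00:02 src=10.20.0.12 dst=203.0.113.10 dport=443 action=permit-log
2014-06-10T09:41:17 src=10.20.0.11 dst=198.51.100.7 dport=80 action=permit-log
2014-06-10T09:45:30 src=10.30.0.5 dst=198.51.100.7 dport=80 action=permit-log
2014-06-10T10:02:44 src=10.20.0.12 dst=192.0.2.25 dport=25 action=permit-log
truncated line without fields
"""
LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def summarize(log_text):
    """Count outbound web flows per (destination, port) from the server subnet."""
    flows = defaultdict(lambda: {"hits": 0, "servers": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not parse
        try:
            src = ipaddress.ip_address(m["src"])
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # skip malformed addresses
        port = int(m["dport"])
        if src not in SERVER_SUBNET or port not in WEB_PORTS:
            continue  # only web traffic leaving the server subnet matters here
        entry = flows[(str(dst), port)]
        entry["hits"] += 1
        entry["servers"].add(str(src))
    return dict(flows)

def propose(flows, min_hits=MIN_HITS):
    """Split destinations into whitelist candidates and one-offs to review."""
    allow = sorted(k for k, v in flows.items() if v["hits"] >= min_hits)
    review = sorted(k for k, v in flows.items() if v["hits"] < min_hits)
    return allow, review

if __name__ == "__main__":
    allow, review = propose(summarize(SAMPLE_LOG))
    print("whitelist candidates:", allow)
    print("review (possible console browsing):", review)
```

The hit-count split is only a triage heuristic; every candidate still needs an owner who can name the application that depends on it before the ACL is switched from logging to blocking.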
Disclaimer: This blog post is for educational use only. Neither I nor my employer is responsible for any actions you take or do not take as a result of reading this blog post.