Do you filter your employees’ email? Scan incoming email for malware, or phishing attacks, or scripts embedded in HTML? Quarantine suspect messages and attachments before they get to your users? If you are a company in the Middle East that just found workstation hard drives wiped and unusable, odds are pretty good the answers to those questions are “no,” and that’s why we’re talking about this, as a targeted and highly destructive attack back in November combined some older malware with some stolen credentials to devastate machines.
W32.Disttrack.B is a variant of malware that has been seen in the wild as early as 2012. This malware does one thing really well: it crawls the network of any machine it infects, spreading to other machines, and when it is ready, it wipes data. The worm comes in 32- and 64-bit varieties so that any infected Windows machine can spread the worm to any other Windows machine regardless of architecture. It spreads to accessible network shares, then on the infected machine it sets itself up as a service, places an entry in scheduled tasks, overwrites the MBR, overwrites data in common locations, then finally phones home over HTTP to register another victim.
Research published by Symantec on 2017-01-23 seems to indicate that the malware has made a comeback in targeted attacks against victim organizations throughout the Middle East. According to the report, a hacking group known as Greenbug has been targeting organizations and governments with a two-fold attack. The first stage used a RAT called Trojan.Ismdoor to steal administrative credentials from several organizations. These credentials were then used to configure the W32.Disttrack.B malware to spread throughout the infected organizations’ systems, timed to execute the overwrite of data and erasure of MBRs after the start of the weekend. The timing was no doubt set to help the attacks run for as long as possible without detection.
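The persistence footprint described above (a new service, a new scheduled task, and a trigger timed for the weekend) is something a SOC can look for in Windows event logs before the wipe fires. The script below is an added example written for this post, not code from Symantec or GFI: it correlates Service Control Manager event 7045 (new service installed) with Security event 4698 (scheduled task created) on the same host inside a short window, and flags tasks whose trigger falls on a weekend day. The host names, service and task names, timestamps, and the Fri/Sat weekend set are all constructed placeholders and assumptions, not indicators from the report.

```python
"""Correlate service-install and scheduled-task events per host and flag
weekend-timed triggers. All records below are constructed sample data."""
from collections import defaultdict
from datetime import datetime, timedelta

SERVICE_INSTALLED = 7045   # System log: Service Control Manager, new service
TASK_CREATED = 4698        # Security log: scheduled task created
WEEKEND_DAYS = {4, 5}      # Fri/Sat; placeholder, set this for the region you defend

# Constructed sample records. Names are placeholders, not real indicators.
EVENTS = [
    {"host": "WS-017", "id": 7045, "time": "2017-01-19T22:41:03", "name": "SvcPlaceholderA"},
    {"host": "WS-017", "id": 4698, "time": "2017-01-19T22:47:19", "name": "TaskPlaceholderA",
     "trigger": "2017-01-20T01:30:00"},                       # fires early Friday
    {"host": "WS-002", "id": 7045, "time": "2017-01-19T09:12:44", "name": "PrinterSvc"},
    {"host": "SRV-01", "id": 7045, "time": "2017-01-16T10:00:00", "name": "BackupAgent"},
    {"host": "SRV-01", "id": 4698, "time": "2017-01-19T10:00:00", "name": "NightlyBackup",
     "trigger": "2017-01-19T23:00:00"},                       # Thursday, 3 days later
]


def _ts(value):
    """Parse the ISO-8601 timestamps used in the constructed records."""
    return datetime.fromisoformat(value)


def find_persistence_pairs(events, window=timedelta(hours=1)):
    """Return one finding per (service install, task creation) pair on the same
    host whose creation times lie within `window` of each other. Each finding
    also says whether the task's trigger lands on a weekend day."""
    by_host = defaultdict(lambda: {"svc": [], "task": []})
    for e in events:
        if e["id"] == SERVICE_INSTALLED:
            by_host[e["host"]]["svc"].append(e)
        elif e["id"] == TASK_CREATED:
            by_host[e["host"]]["task"].append(e)

    findings = []
    for host, groups in by_host.items():
        for svc in groups["svc"]:
            for task in groups["task"]:
                if abs(_ts(task["time"]) - _ts(svc["time"])) > window:
                    continue
                trigger = task.get("trigger")
                findings.append({
                    "host": host,
                    "service": svc["name"],
                    "task": task["name"],
                    "weekend_trigger": bool(trigger)
                    and _ts(trigger).weekday() in WEEKEND_DAYS,
                })
    return findings


if __name__ == "__main__":
    for finding in find_persistence_pairs(EVENTS):
        print(finding)
```

With the default one-hour window only WS-017 is reported, and its weekend-timed trigger is what should push the alert to the top of the queue. The legitimate backup agent on SRV-01 installs its service days before its task is scheduled and so does not pair up unless the window is widened; tune the window to what your own software deployment actually looks like.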
There are a few object lessons to be learned from this attack. While the methods are new, the malware used is not, and has been detected and blocked by various antimalware products since it came out in 2012. Why was the malware able to spread? Well, it’s either due to out-of-date or disabled antimalware on systems, or worse, unprotected systems running without any antimalware solution in place. How were the credentials stolen? It’s known that in at least one case Trojan.Ismdoor was used, but how did that get in? Phishing attacks seem to be the most likely way in. And how did stolen credentials prove to be so devastating? If administrative credentials are used on a machine where malware is running, they can be compromised. So what is an organization to do in order to protect itself?
Antimalware on all machines
Install antimalware software on all machines (yes, even Macs) and ensure it’s running full-time and kept up to date. If antimalware is slowing a machine down, don’t just turn it off. Work to put the proper exceptions, documented by the manufacturer, in place so you don’t have to sacrifice protection for performance.
Message hygiene scanning all email
Scan everything that comes into, and goes out of, your messaging system. Use strong mail filtering like what is found in GFI MailEssentials to block spam and phishing, and to scan all email and attachments for malware. With so many attacks starting with stolen credentials, most of which are obtained by phishing attacks, doing everything you can to make email safe is a vital step in protecting your network and your customers.
Web filtering protecting all Internet access
Filter all Internet access possible through a web filtering solution. Even if you don’t want to enforce an Acceptable Use Policy, you can still protect your users and your systems from Internet threats by filtering access.
Tighten up administrative accounts
Whether you have the same local username and password for the admin account on all your workstations, or you have a domain account that can access all those workstations, once those creds are compromised it’s game over. Worse, what happens when it’s domain admin creds? Now Active Directory, Exchange, servers and their data, workstations, and worse are at risk and the attacker has the master key to the kingdom. Take a close look at Privileged Access Management and see if that’s right for you. Too much? Then at least ensure your admins are not accessing workstations or the Internet with their domain creds, and are using multi-factor authentication wherever possible to reduce the scope of damage from stolen credentials.
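One way to measure how far you are from the “admins don’t use domain creds on workstations” goal is to audit logon events. The script below is an added example for this post, not GFI code: it reads Security event 4624 (successful logon) records, and reports every logon by an account in a privileged set to a machine named like a workstation using a logon type that leaves credential material on that machine (2 = Interactive, 10 = RemoteInteractive/RDP). The privileged account list, the `WS-` naming convention, and the logon records are constructed assumptions; substitute your own tier-0 group membership and host naming.

```python
"""Audit constructed 4624 logon records for privileged accounts that logged on
interactively to workstations. Sample data below is constructed, not real."""
from collections import defaultdict

PRIVILEGED = {"CORP\\da-alice", "CORP\\da-bob"}   # constructed tier-0 accounts
WORKSTATION_PREFIX = "WS-"                        # assumed host naming convention
CACHING_LOGON_TYPES = {2, 10}                     # Interactive, RemoteInteractive (RDP)

# Constructed 4624 records: host the logon happened on, account, logon type.
LOGONS = [
    {"id": 4624, "host": "WS-017", "user": "CORP\\da-alice", "type": 10},  # RDP to a workstation
    {"id": 4624, "host": "WS-017", "user": "CORP\\jsmith",   "type": 2},   # normal user, fine
    {"id": 4624, "host": "DC-01",  "user": "CORP\\da-alice", "type": 10},  # admin on a DC, fine
    {"id": 4624, "host": "WS-031", "user": "CORP\\da-bob",   "type": 3},   # network logon only
    {"id": 4624, "host": "WS-031", "user": "CORP\\da-bob",   "type": 2},   # console logon
]


def privileged_workstation_logons(records):
    """Return (host, user, logon_type) for each privileged account that logged
    on to a workstation with a logon type that caches credentials there."""
    hits = []
    for r in records:
        if r["id"] != 4624:
            continue
        if (r["user"] in PRIVILEGED
                and r["host"].startswith(WORKSTATION_PREFIX)
                and r["type"] in CACHING_LOGON_TYPES):
            hits.append((r["host"], r["user"], r["type"]))
    return hits


def exposure_by_account(records):
    """Count the distinct workstations each privileged account has left
    credential material on; a higher number means a bigger blast radius
    if any one of those workstations is compromised."""
    seen = defaultdict(set)
    for host, user, _ in privileged_workstation_logons(records):
        seen[user].add(host)
    return {user: len(hosts) for user, hosts in seen.items()}


if __name__ == "__main__":
    for hit in privileged_workstation_logons(LOGONS):
        print("privileged logon on workstation:", hit)
    print("workstations touched per account:", exposure_by_account(LOGONS))
```

Network logons (type 3) are deliberately left out of the report because they do not leave reusable credential material on the target; if your policy forbids even those, add 3 to `CACHING_LOGON_TYPES`. The per-account count is the number you want to drive to zero as you move admins onto dedicated admin workstations or a PAM solution.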
Should the worst occur, having offline/offsite backups from which to restore critical data is key to ensuring you can get back to business as soon as possible. Make regular backups and test them to be sure you can recover if need be.
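“Test them” is the part of that advice most often skipped. The example below is added for this post (not GFI code) and shows the minimum worthwhile test: record a SHA-256 manifest of every file at backup time, then compare a restored copy against that manifest and report what is missing, changed or unexpected. The demo builds a small tree in a temporary directory, restores it with one file corrupted and one file absent, and returns the discrepancies; the file names and contents are constructed. In practice, keep the manifest with your offline copy rather than on the same disk as the data it describes.

```python
"""Build a hash manifest of a backup source and verify a restored copy against
it. The demo tree is constructed in a temporary directory."""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[str(path.relative_to(root))] = digest
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest taken at backup time.
    'missing' files never came back, 'changed' files came back with different
    bytes, 'unexpected' files exist in the restore but not in the manifest."""
    actual = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "changed": sorted(k for k in manifest if k in actual and actual[k] != manifest[k]),
        "unexpected": sorted(set(actual) - set(manifest)),
    }


def demo():
    """Constructed scenario: back up a two-file tree, then 'restore' it with
    ledger.csv corrupted and notes/readme.txt not restored at all."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "source")
        (src / "notes").mkdir(parents=True)
        (src / "ledger.csv").write_text("id,amount\n1,100\n")
        (src / "notes" / "readme.txt").write_text("quarterly close\n")
        manifest = build_manifest(src)          # taken at backup time

        restored = Path(tmp, "restored")
        (restored / "notes").mkdir(parents=True)
        (restored / "ledger.csv").write_text("id,amount\n1,999\n")   # silently corrupted
        # notes/readme.txt deliberately left out of the restore
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    report = demo()
    for kind, files in report.items():
        print(f"{kind}: {files}")
```

A restore test that only checks “the job finished” would pass this scenario; comparing hashes catches both the corrupted ledger and the file that never came back. Run the same comparison on a scheduled basis against a real restore to a scratch location, not against the live data.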
Now, more than ever, defense in depth is vital. Combining phishing with targeted destruction of data could be devastating to any organization, especially when the compromised credentials have broad administrative access. Protect your machines, limit administrative scope wherever you can, filter both Internet and email, and make sure you have backups. You’ll greatly reduce your risk, and help ensure you can recover.