VPNFilter – A sophisticated threat to businesses

2018 has seen a lot of new cyber threats. Hackers, scammers and the like are getting smarter. VPNFilter takes me back to the famous Stuxnet virus which infiltrated Iran’s nuclear program.

VPNFilter is an advanced threat which predominantly targets home and small business routers. So far it has infected over half a million routers worldwide, and this number is expected to grow as more is discovered about the threat.

The threat performs a number of hostile functions. One of these is what’s called a man-in-the-middle attack: once the router has been infected, internet traffic that passes through it is actively spied upon and can be tampered with, without the victims knowing.

The main aim of this attack, at the time of writing, is to steal sensitive data such as usernames and passwords or banking information. However, as researchers find out more about this threat, it is becoming clear that VPNFilter has the potential to be a far greater threat.

Cisco is expected to release a report this Wednesday (14th June NZD). From Ars Technica:

“Initially when we saw this we thought it was primarily made for offensive capabilities like routing attacks around the Internet,” Craig Williams, a senior technology leader and global outreach manager at Talos, told Ars. “But it appears [attackers] have completely evolved past that, and now not only does it allow them to do that, but they can manipulate everything going through the compromised device. They can modify your bank account balance so that it looks normal while at the same time they’re siphoning off money and potentially PGP keys and things like that. They can manipulate everything going in and out of the device.”

It has become apparent that more models and brands of routers are susceptible to this threat.

Layer3 provides managed security gateways (security-focused routers), among other security-focused services, and was alerted to this threat early. Currently, our security gateways are not listed as being compromised by VPNFilter. Customers with the affected routers have all been patched against the VPNFilter threat.

It is another reminder that security is the number one priority in IT, and for Layer3 as a managed service provider.

What you need to know about ‘Meltdown’ & ‘Spectre’

Over the Christmas break, Intel disclosed a security vulnerability within its processors. Google, which initially found the issue, has released a statement indicating that other processor manufacturers such as AMD and ARM might also be affected by a different variant of the issue, codenamed ‘Spectre’.

A non-disclosure agreement was in place until the 9th of January, when further details were to be known. This has expired early.

There is currently a patch which has been deployed for Linux systems. Microsoft is planning to release a patch this week. Microsoft Azure and Amazon Web Services (AWS) are patching immediately.

With the patch release for Linux, users have run benchmarks indicating a 30% drop in performance when the patch is applied.

Until Layer3 has tested the patches from Microsoft, we will not automatically release them to customers, so that we can internally test their performance implications. While the performance issues won’t affect desktop/laptop computers much, the performance of servers could be a real issue.

Please bookmark this post as we will update it as this issue progresses.

Update 1 (06/01): Updates will be applied to Cloud Office v1 and v2 on 05/01/2018 at midnight. Outage window of 2 hours.

Update 2 (09/01): Microsoft has pulled the update amid issues with AMD and Intel processors. Layer3 has not yet officially rolled out these patches to customers, as we are waiting for our antivirus vendor to finish testing compatibility with the new Microsoft patches. More information can be found here about Microsoft re-issuing the patches.

We will begin patching our datacenter operating systems this weekend (13/01/2018). Please keep an eye on our status page for more information.

Update 3 (12/01): We are patching our virtual environment hypervisors this weekend. This does not include Microsoft patching, as we are still testing the patches and their performance impact.

A New Phishing Threat

There is a new phishing threat making the rounds which combines quite a bit of research on behalf of the attacker with a bit of social engineering.

Over the last few weeks, a number of our customers have seen what looks like an internal email from a CFO, CTO or CEO asking for funds to be released to a particular party. Normally it appears to come from the ‘owner’ of the company (no one likes to question the owner).

The attackers are buying domains which are very similar to the victim’s domain. As an example, the attacker would buy Layerr3.nz (with an extra R) and send emails imitating me.

The emails usually contain a signature that is almost identical to the one used by the victim. This shows the attacker has done research and has possibly seen emails sent by the company previously.

Because of the nature of this threat, it is almost impossible for IT/Security companies to block them effectively. However, there are steps your business can take to better protect yourself:

  • Train staff on what to look for in forged emails. This includes domain names, spelling mistakes, tones of voice etc
  • Remove key contacts from your website. The CFO and CEO are normally the main targets of this attack
  • Review your payment processes. Possibly including two levels of sign-off
  • Investigate doing an internal social engineering penetration test – this is something Layer3 can assist with
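One way to turn the advice above into a mechanical check, as an added example that is not part of the original post or of Layer3’s tooling: score each inbound sender’s domain against the organisation’s real domain using edit distance, and separately flag a known executive’s display name arriving from any untrusted domain (the CEO-fraud pattern described above). The trusted domain, the staff name and the From: headers are constructed for the example; the extra-R lookalike is the one the post describes, and the other two variations are hypothetical.

```python
from email.utils import parseaddr

# Constructed sample data for this example: the organisation's real domain and
# the (lower-cased) display names that attackers like to imitate.
TRUSTED_DOMAINS = {"layer3.nz"}
KNOWN_STAFF = {"daniel bohan"}

# Constructed inbound From: headers. The extra-R domain is the post's own
# example; the digit-for-letter and different-suffix variants are hypothetical.
SAMPLE_FROM_HEADERS = [
    '"Daniel Bohan" <daniel@layer3.nz>',       # genuine
    '"Daniel Bohan" <daniel@layerr3.nz>',      # extra R, as in the post
    '"CEO" <ceo@1ayer3.nz>',                   # digit 1 in place of l (hypothetical)
    '"Accounts" <accounts@layer3.co.nz>',      # same label, different suffix (hypothetical)
    '"Newsletter" <news@example.com>',         # unrelated external sender
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance: the number of single-character changes that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete
                           cur[j - 1] + 1,              # insert
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def sender_parts(header: str):
    """Return (lower-cased display name, lower-cased domain); domain is '' if malformed."""
    name, addr = parseaddr(header)
    domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
    return name.strip().lower(), domain


def classify(header: str, trusted=TRUSTED_DOMAINS, staff=KNOWN_STAFF, max_distance=2) -> str:
    """Label a sender as trusted, lookalike, impersonation, external or malformed."""
    name, domain = sender_parts(header)
    if not domain:
        return "malformed"
    if domain in trusted:
        return "trusted"
    verdict = "external"
    for t in trusted:
        # Compare both the whole domain and its first label, so that
        # layerr3.nz, 1ayer3.nz and layer3.co.nz are all caught.
        if (levenshtein(domain, t) <= max_distance
                or levenshtein(domain.split(".")[0], t.split(".")[0]) <= max_distance):
            verdict = "lookalike"
            break
    # A known staff name on any untrusted domain is the classic CEO-fraud pattern.
    if name in staff:
        verdict = "impersonation"
    return verdict


def triage(headers):
    """Map each header to its verdict; anything other than 'trusted' deserves a second look."""
    return {h: classify(h) for h in headers}


if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_FROM_HEADERS).items():
        print(f"{verdict:14} {header}")
```

The first-label comparison deliberately over-matches so that a different suffix (layer3.co.nz) is still caught; with very short trusted labels it will produce false positives, so max_distance should be tuned per domain. A verdict like this is best used to drive a warning banner or a quarantine rule rather than a hard block, since legitimate partners can also have similar names, and it complements rather than replaces the two-person sign-off on payments recommended above.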

As attackers become more sophisticated, it’s important to stay vigilant and ahead of threats. If you have any concerns about these threats, please contact us.

Petya – Not all Cryptoviruses are equal

The latest cryptovirus hit yesterday. Petya, named after an earlier virus with which it shares very little, hit with the same destructive force as the WannaCry virus last month, this time without a ‘kill switch’.

Originating in Ukraine via M.E.Doc, a tax software company, the cryptovirus was spread using the auto-update feature within the tax software. I’m sure there will be more investigation into how this came to be (hacked, or inside job?).

At first, many believed this was another cryptovirus made for financial gain. However, it became quickly apparent that this virus was designed to cause as much destruction in a short amount of time as possible.

Within the first few hours, the email address used to send victims the key to unlock their files was disabled. If you look at the Bitcoin wallet the hackers used (its transactions are visible on the blockchain), there have been only a little over 40 payments. At US$300 each, that’s not a lot of money, considering.

Analysing the Petya virus further, it propagates through Windows networks using three different methods. The first is the method WannaCry used, based on the leaked NSA tool EternalBlue. The other two are more technical ways of using the Windows operating system itself to exploit security weaknesses where end users have ‘administrator’ privileges.

Based on the methods used and the few payments made to the cryptovirus Bitcoin wallet, coupled with the early takedown of the payment email address, I conclude this was simply an attack to cause as much damage as possible.

We have had no reports of infection from our monitoring systems. All our customers’ devices and our own infrastructure were checked when the WannaCry virus was active. We double-checked again today and found no issues.

This cryptovirus was well written and destructive, so what can you do to keep safe?

  • Make sure your antivirus is up to date
  • Don’t turn off Windows Updates (you’d be surprised)
  • Don’t turn off Windows UAC
  • Be vigilant when opening emails with attachments and links

If you would like a more technical explanation, Microsoft has published a great post.

Microsoft 0-Day Exploits

On Tuesday 12th April (US time) Microsoft identified a security hole within its Microsoft Office suites and acted quickly, rolling out a batch of updates that plug the holes. This type of attack is known as a zero-day exploit; such attacks are often attempted by hackers before, or on the day that, updates are released to the public. The hacker attempts to install malware on fully patched computers by exploiting a vulnerability in most or all versions of Microsoft Word. Zero-day attacks are a severe threat.

The security of our customers’ networks is our top priority. We have acted quickly; the Microsoft updates were applied last night.

You may have been prompted by Microsoft to update this morning; please ignore this message and restart your device. If in doubt, save your work and restart your device.

Our spam filter was also updated to detect exploits for these vulnerabilities in email, stopping these threats at the border.

If you have any questions, please email support.

Reference: CVE-2017-0210

Copper Services are an Endangered Species

Most businesses will by now be aware of the fibre roll-out and, hopefully, are now using UFB fibre Internet. However, what many do not realise is that as the fibre roll-out is completed in an area, traditional copper services which support things like phone lines and ADSL/VDSL Internet connections will eventually be decommissioned.

Read about the pending copper cut off here.

“…Chorus would have the option of withdrawing service and removing the copper network according to its own timeframes…”

What does this mean for you? Well, most importantly, if you are a small business and not using fibre connectivity already, it’s time to make the change. Fibre connectivity is much faster and more stable than copper connections and will help facilitate better connectivity for cloud-based services such as Microsoft Office 365 and Layer3 solutions like Filecloud (NZ-based file sharing and management platform), Cloud Office remote desktop server and VoIP (Internet-based phone systems).

Secondly, with fibre in place, it would be a very good idea to review your phone system. Analogue phone lines are expensive compared to VoIP services and offer far fewer features and benefits. And with the possible pending removal of the copper network, they are an endangered species. Switching to a VoIP system will allow your business to get the most out of its fibre Internet and cut costs, or at least implement a brand new, feature-rich system on a cost-neutral basis. VoIP will also open up possibilities for your business to aggregate services (like having 3 offices share a pool of VoIP ‘lines’) and to be connected to your phone system from anywhere.

If you have an alarm/security system connected over a phone line, you’ll also need to contact your security provider to talk about getting switched over to a fibre-based alarm option. This is usually a relatively easy and low-cost migration. If you are being told otherwise, have a look around at new options.

Finally, think of fibre as a tether to the cloud. With fibre in place, you will have a fast, direct link to the world of cloud services. Microsoft Office 365 is a cloud-based option for your office applications (email, Word, Excel, etc). Xero is a very popular cloud-based accounting system. And services like Filecloud and Cloud Office will enable your team to access company data from anywhere. Migrating to the cloud will also fit into a prudent DR solution with your data safely backed up and accessible from anywhere.

If you would like any help reviewing your Internet services and looking at cloud options to improve your business efficiency, give us a buzz and our in-house business Internet and VoIP expert, Daniel Bohan, will be happy to have that discussion.

LAYER3 Security Alert – WannaCry Ransomware Virus

Simply having an antivirus subscription is no longer enough to protect your organisation from today’s threat landscape.

On Friday, May 12, a global cyber-attack was launched using a ransomware program called WannaCry. It is estimated so far that almost 250,000 machines have been infected in 150 countries, which according to Europol, makes it an attack on an unprecedented scale. That number is sure to grow as the attack continues to spread and more impact is reported. It is imperative that all businesses take immediate steps to ensure the integrity of their network and data – this is a very real and very imminent threat.

WannaCry highlights the true menace of ransomware, virus and malware attacks on businesses and the extreme importance of having robust, managed security systems in place.

About Ransomware

Ransomware is a particular breed of malware that carries out what is called a ‘cryptoviral extortion attack’. In simple terms, what this means is that the software, once it has found a way into your network, will generally encrypt the files or the entire hard drives of the targeted machines or lock you out of the operating system altogether.

It will then display an image with instructions on the ‘ransom’. This is the amount demanded by the perpetrator to release your files. Payments are required in BTC because this crypto-currency is untraceable. There is also usually a time limit given to comply, after which the price will either go up, or the data will be lost forever.

Ransomware can find its way onto your network through a variety of means, but most commonly by ‘phishing’, a tactic that induces the victim to click on a link in a malicious email or on a malicious website. Once that magic button is pushed, the program gets to work, worming through your files, scanning for any other machines connected to yours, encrypting them all as it goes.

More on WannaCry

Like most ransomware attacks, WannaCry spreads through phishing emails, but what makes this attack so dangerous is that it exploits a vulnerability in Microsoft Windows and uses a backdoor tool developed by the US National Security Agency (NSA). Once a machine is infected, it will scan and propagate to all other computers and servers on your network. All infected machines are encrypted, files are locked, and a message appears demanding that a ransom be paid or the victims will lose their data.

The tools used to launch the WannaCry attack were leaked from a group within the NSA and work by exploiting a vulnerability in Microsoft’s Server Message Block (SMB) protocol. When the leak became known, Microsoft released a critical advisory and security patch. However, many systems did not implement that patch for a variety of reasons such as compatibility constraints, negligence, other risk factors or just a lack of proper management and awareness. Any unpatched machine that came into contact with WannaCry was likely infected.
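Both the Petya post above (propagation across Windows networks via the EternalBlue method) and the WannaCry description here (an infected host scans and propagates to every other machine on the network) share one observable on the wire: a single host opening SMB connections to many distinct neighbours in a short time. The following Python, added here as an example and not part of the original posts or of any Layer3 product, runs that detection over constructed firewall-style log lines. The log format, the addresses, the timestamps and the alert threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example (not any real vendor's format):
# "<ISO timestamp> src=<ip> dst=<ip> dport=<port> proto=<proto> action=<allow|deny>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def parse_line(line: str):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])


def find_scanners(lines, port=445, threshold=10, window=timedelta(seconds=60)):
    """Sources that reached >= threshold distinct hosts on `port` inside any `window`.

    Returns {src: peak number of distinct destinations seen in one window}.
    A workstation hammering its one file server never trips this, because the
    count is of distinct destinations, not of connections.
    """
    per_source = defaultdict(list)  # src -> [(ts, dst), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] != port:
            continue
        ts, src, dst, _ = rec
        per_source[src].append((ts, dst))

    alerts = {}
    for src, events in per_source.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts


def make_sample_log():
    """Constructed traffic: one sweeping host, one normal client, one HTTPS flow."""
    base = datetime(2017, 5, 12, 14, 3, 0)
    lines = []
    # A worm-like host touching a new neighbour on tcp/445 every two seconds.
    for i in range(16):
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} src=10.0.0.5 dst=10.0.0.{100 + i} dport=445 proto=tcp action=allow")
    # A workstation talking repeatedly to the one file server: many hits, one destination.
    for i in range(20):
        ts = (base + timedelta(seconds=3 * i)).isoformat()
        lines.append(f"{ts} src=10.0.0.40 dst=10.0.0.2 dport=445 proto=tcp action=allow")
    # Ordinary web traffic, not SMB at all.
    lines.append(f"{base.isoformat()} src=10.0.0.41 dst=203.0.113.10 dport=443 proto=tcp action=allow")
    return lines


if __name__ == "__main__":
    for src, peak in find_scanners(make_sample_log()).items():
        print(f"ALERT {src}: {peak} distinct hosts on tcp/445 within 60s")
```

Vulnerability scanners and backup or patch-management servers legitimately talk to many hosts on 445, so a production rule needs an allow-list for those sources; the threshold and window are the knobs to tune against a site’s normal traffic before the rule is allowed to page anyone.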

While the amount demanded is relatively low ($300 at the first level), the impact of WannaCry so far has been massive. The National Health Service (NHS) in England and Scotland had up to 70,000 devices hit, and some NHS facilities had to redirect ambulances and turn away non-critical cases. Other examples of large enterprises hit hard include Telefónica in Spain, Nissan Motor Manufacturing, FedEx, Renault and Deutsche Bahn railway in Germany. In New Zealand information is limited so far, but one known victim is Lyttelton Port in Christchurch.

The Layer3 Response

Notifications on the WannaCry event came flying in via our security devices and security vendors. We quickly established that this attack was exploiting a bug in Microsoft Windows. Although all Layer3 managed services and security customers had already been patched for this exploit, our team still went through a process of verifying this patch implementation across all customer networks and our own in-house cloud infrastructure.

These checks were completed by Saturday evening with no issues encountered. Our firewalls, antivirus, and mail filtering tools were all updated as soon as the threat became known. To date our main cloud infrastructure has seen around 5,000 attempts to broadly attack our networks. We have only received a small number of emails which have been blocked through our Mail Filtering system.

What can you do to protect your business?

The days of purchasing an annual antivirus (AV) subscription – or worse, not even doing that – are long gone. Low-end antivirus tools operate by blocking threats from a list of definitions, which means that they can only stop a virus that is already known about.

When something new like WannaCry breaks out, as happens all the time, definition-based AV tools are worse than useless. At the absolute very least, you must use an AV tool that operates based on ‘behaviour’: it identifies suspicious behaviour from a program and shuts it down. Layer3, for example, uses BitDefender in our managed security stack. BitDefender is consistently in the top 2 ranked AV tools in the world and stopped WannaCry out of the box.

Antivirus alone just isn’t enough, though, to protect the integrity and continuity of your vital business infrastructure.

Here is a list of some important components to ensure the best possible protection for your network:

Security Gateway – a next generation firewall that guards against external attacks, fully managed and monitored by Layer3.

Managed Antivirus – Layer3’s best of breed, fully monitored antivirus service learns and watches behavioral patterns on a system which can predict malicious activity.

Managed Patching – Automated management of patching to ensure critical security and performance updates are consistently installed on all machines. Included on most Layer3 Managed Services plans.

DNS Protection – Building on from the Security Gateway product, if an attack gets through, Layer3 DNS Protection will among other features, stop the virus from ‘calling home.’

Replication and Recovery – Cloud Shadow from Layer3 will completely replicate your infrastructure offsite and allow you instant recovery in the event your servers fail or are compromised – even to an online virtual server.

Managed IT – IT security can be complex and multi-faceted. A comprehensive managed IT services plan from Layer3 will help guide your organisation safely through the many pitfalls and hazards that can plague any business in this world of evolving technology and very real cyber threats. A feature-rich managed service should be the cornerstone of every organisation’s IT strategy.

Security Consultation

To talk about improving your security and/or IT management, contact Daniel Bohan at Layer3 on 0508 LAYER3 (0508 529373) or info@layer3.nz.

Backup: A Thing of the Past

If you are talking about backup, you’re living in the past.

The North Canterbury magnitude 7.8 earthquake on the 14th of November, 2016 was very reminiscent of the Christchurch earthquake of 2011.

Businesses in the South Island have been forced to close, with those in Kaikoura majorly affected, some irreparably so. Wellington did not escape either, of course. To date, over 50 tenancies in Wellington have been closed, which represents an astonishing 11% of the CBD.

On top of the November quake, Wellington was further hit with punishing rains and flooding in the subsequent days, which severely inhibited accessibility in a number of areas and shut businesses down as staff were unable to get to work.

Layer3 operates from two datacenters, in Wellington and Auckland. Over the last four years, we have progressively moved the majority of our customers into some form of cloud computing, most notably our Cloud Office platform, which is hosted across those two datacenters. Cloud Office is what we call VDI, or Virtual Desktop Infrastructure: it allows you, the customer, to access your desktop, files and applications from wherever you are. So on the Monday morning after the earthquake, while it was all hands on deck for Layer3, it was very refreshing to see no tickets in our queue and all services up and running.

Many of our customers were affected in Wellington, of course, with quite a few locked out of their buildings for 2-3 days. However, all of them were able to resume operations and work from home with full desktop services, as well as IP telephony services provided by our CloudPBX service.

So the days of having a backup, whether in the cloud or on – *gasp* – rotating portable hard drives, are gone. When disaster strikes, your business needs to be able to function with little or no interruption. In light of this, businesses need to ask themselves a few pointed questions now. What good will the data in your backup system do for you if your business cannot operate in any productive manner to even make use of that data? What good is your new PABX system if no one can get into the building to answer the phones? How many days can your business survive without being operational?

Business continuity is key. Not backup. Build systems that allow you to work through a disaster, not ones that just let you hopefully reload some files after one.

For more information on how Layer3 can help you improve your IT continuity, give us a call at 0508 LAYER3.

LinkedIn data breach – Act now!

Back in June 2012, LinkedIn was hacked by Russian hackers who stole approximately 6.5 million usernames and passwords. At least that is what was reported at the time.

However, in May 2016 it was ‘discovered’ that a further 100 million email addresses and passwords had been taken in the attack. This reveals what was a bad security incident to actually be a really, really bad one.

At the time of the original, lesser breach notification, the 6.5 million compromised LinkedIn users were prompted to change their passwords, and within a few months the incident was largely forgotten. Fast forward about four years, and this breach has come back to immediate significance. The further 100 million compromised accounts had their passwords invalidated by LinkedIn if they had not been changed since the 2012 breach.

Since the beginning of June, Layer3 has been observing issues with TeamViewer, a popular tool for remotely accessing devices such as servers. It seemed that TeamViewer accounts were being compromised. When the issue was finally publicly addressed, TeamViewer stated that this was due to LinkedIn’s hacked information becoming public.

Then, last night, that database of 100 million accounts was made public and published online. Anyone can get a copy of it, with passwords in plain text. The implications of this are massive, even if an affected user has since changed his or her LinkedIn password.

In a world with tons of logins required for a multitude of sites and services used daily, weekly, monthly or just occasionally, it is common practice for many users to simply recycle a memorable password over and over again across the board. However, when one of those sites is breached, as LinkedIn was, what might seem like pretty harmless information – your email address and password for that site – can in fact provide hackers with all they need to break into every other account you have. For example, if your email account is compromised, hackers can then reset passwords for other services you may have: the password resets will be sent to your compromised email account, allowing the hackers to compromise those services as well. Imagine having a bunch of individually locked doors but using the same lock and key on all of them. If someone is able to get a copy of that one key, they can unlock every door with ease.

Since the release of the LinkedIn database last night, I have had multiple attempts to access internet accounts associated with my LinkedIn login credentials. Luckily, I had changed my password using long pass phrases some time ago.

What do you need to do now? We highly recommend that you change your password for all internet services, using something like pass phrases. Make sure that the password is different for every service. It might be a bit of a pain, but it will definitely be less of a pain than trying to undo whatever trouble hackers are able to cause by accessing your accounts. Even if you have changed your LinkedIn password since 2012, it is possible that you may have used that old password on other sites and services, so let this be your prompt to do a password refresh across the board.

If you have trouble remembering these passwords, there are services out there that store your passwords in a secure database, such as LastPass.

To see if your email address and password have been compromised, check https://haveibeenpwned.com/
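As an added example (not part of the original post or of Layer3’s tooling) of how a password can be checked against a breach corpus without the password ever leaving the machine: the Pwned Passwords range endpoint at api.pwnedpasswords.com accepts only the first five hex characters of a password’s SHA-1 and returns every matching hash suffix with its count, so the caller finishes the comparison locally. The network call is wrapped in a stand-in that returns a constructed response, so the example runs offline; the counts in that response are made up, though the suffix for "password" is its real SHA-1 remainder. The User-Agent string is an arbitrary label chosen for the example.

```python
import hashlib
import urllib.request

RANGE_ENDPOINT = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str):
    """Return (first 5 hex chars, remaining 35 hex chars) of the upper-case SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict:
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns into {suffix: count}."""
    counts = {}
    for line in text.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """How many times the password appears in the corpus; 0 if it is not present.

    Only the 5-character prefix is handed to fetch_range, never the password or
    its full hash, which is what makes this safe to run against a remote service.
    """
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def live_fetch_range(prefix: str) -> str:
    """Query the real service (needs network access; not used by the offline demo)."""
    req = urllib.request.Request(RANGE_ENDPOINT + prefix,
                                 headers={"User-Agent": "layer3-blog-example-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the network response so the example runs offline.
# The first suffix is the real SHA-1 remainder of "password"; the counts and
# the second suffix are made up for this example.
SAMPLE_RANGE_RESPONSE = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
        "1E4DA8F2B2E7A6A3B1C0D9E8F7A6B5C4D3E:2\r\n"
    ),
}


def fake_fetch_range(prefix: str) -> str:
    """Offline replacement for live_fetch_range."""
    return SAMPLE_RANGE_RESPONSE.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple is a long passphrase"):
        print(f"{pw!r}: seen {breach_count(pw, fake_fetch_range)} times in the sample corpus")
```

Swapping fake_fetch_range for live_fetch_range turns this into a real check, and because the comparison happens on the suffix locally, the service only ever learns that one of roughly a million possible prefixes was queried. A non-zero count is a reason to retire that password everywhere it was reused, which is exactly the across-the-board refresh recommended above.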

The State of Windows 10 – April 2016

To upgrade now, or to upgrade now? That is the question

No – you didn’t read that wrong. This, of course, refers to that famous quote which deals with a fundamental question about the human ‘operating system’. As for your computer’s operating system, Microsoft is trying to take the question away and make it a given.

In late 2015, I was still advising our customers to refrain from upgrading to Windows 10 until at least early 2016. I still stick to this advice and extend that timeframe out.

Windows 10 started off its life as Windows reborn… it came out with a start menu. As you probably know, with the Windows 8 launch, there was much talk – and anger – at the removal of the start menu.

Personally, I thought dumping the start menu was the right move, and the new system actually worked better. The problem, though, which has always been an issue for Microsoft, was the way they went about informing customers on how to use the new Windows without a start menu. By that, I mean they virtually didn’t advise anyone at all. This left Windows 8 in a very confused state. Was Windows 8 a tablet operating system? A desktop operating system? Or something else?

Windows 8.1 fixed this. If you can remember Windows 98, you might remember some of the issues it had from its release. So a year later, Microsoft put out Windows 98 SE (Second Edition) to fix things. Well, they did the same thing for Windows 8 with Windows 8.1, which fixed the main issues with Windows 8, including bringing back the old trusty start menu. Fast forward to 2015 and we have Windows 10, which is essentially a mix of Windows 8 and 8.1, supposedly perfected. However, that’s not quite the case.

Now, Microsoft has recently changed the way Windows 10 is being pushed out to Windows 7 and 8 computers.

Before the end of 2015, Windows 10 was originally just marked as an optional update within Windows Update, and so was not automatically installed by the current operating system. Microsoft has changed this, though, and Windows 10 is now marked as a recommended update. This means that most computers will install this update without telling you as part of its automatic updates.

This poses a problem for business customers. By default, administrators and IT support companies like Layer3 can block this update. Indeed, we can still do this. However, Microsoft re-releases the patch which upgrades computers to Windows 10 every month, which overwrites our rules and inhibits the administrator’s ability to manage the update process.

Why is this an issue?

Besides the fundamental problem of having Microsoft forcing you to do what it thinks is best for you, this is a practical issue because Windows 10 still has many flaws. From sleep and hibernation issues on laptops and tablets to dual monitors not working, application incompatibility, and of course, driver issues, Windows 10 clearly has some leaks to plug. On top of that, some of the recent Windows Updates have even been recalled, almost on a monthly basis.

To be fair, some major issues were fixed in early February 2016, but many remain. So when you add all that up, it doesn’t make sense for network administrators to blindly take every Windows update that comes down the pipe.

What you should do (or not do)

The free Windows upgrade expires on the 28th of July, 2016. While this puts a bit of urgency into the upgrade discussion, in my opinion, Microsoft will extend that deadline.

The majority of Layer3’s desktop support tickets raised are related to upgrades to Windows 10 and issues that have come about from doing this. So as of now, we still advise customers not to upgrade to Windows 10 unless you really, really have to. We will review this again next month, but for now, sit tight.

If you have any questions surrounding the upgrade to Windows 10, please don’t hesitate to contact us.