
Ransomware Attack Hits Local Governments In Texas

    Renegade

    If it's still just the same ol' ransomware that encrypts every file the infected machine has access to, the question really is "why are people allowing access to such wide swaths of storage to low-trust workstations?"

    Some do not encrypt anything, they just hijack the boot loader.

    Brains

    I expect it's more a case of the malicious code starting on a workstation then jumping to a higher-level administrative system via privilege escalation or service exploit or some-such where it can run amok on the full network and it's attached storage.
    Those are the scenarios that have me more concerned. A local workstation privilege escalation is not scary at all, the exposure is still very low, and on detection the workstation will typically be automatically quarantined off the network. But, if these are sophisticated enough to jump the gap so to speak, well now it can cause me some headache. If they exploit service-level access and do some more intelligent application-level work (e.g. using an application's SQL connection to trash data) that could cause some headaches doing log rollbacks and piecing data together. etc. etc. etc.

    Some do not encrypt anything, they just hijack the boot loader.
    Shoot, for me that'd be best case scenario. Lose a workstation, no big deal. Slide in a new box and re-image at our leisure. Lose a filer, muck up a database, purge messages from a service queue, well now we have some time to spend making sure everything is 'right'.
     

    birddog

    The ability to hijack a system and components/peripherals at the BIOS level and propagate via system buses is a problem not easily mitigated or remediated. If a hard drive BIOS is compromised, it's difficult to diagnose or determine the extent of the problem in an IT environment.

    There's some info on NIST's site that covers similar topics that folks would find interesting, including STIGs that target these exploits.
     

    CyberWolf

    An example would be websites or applications with a browser based user schema that uses third party code repositories and may not know it, or if they do, what it does or have any control over it.

    That's one example (and a good one), but even still is only scratching the surface.

    What it really comes down to is that any system/application/component with the ability to receive, ingest, parse, or otherwise process any type of input in any way (including any type of file/object, data stream, etc.) is theoretically susceptible to remote and/or blind compromise.

    This goes way beyond just being worried about someone banging on keys in real-time or tricking users into clicking a file/link (though, to be sure, those are low hanging fruit and thus most common vectors), as virtually any object which is handled in some fashion can potentially be weaponized against the respective object handler, etc.

    ***This also includes the very systems which are used to protect against attack (e.g. anti-malware systems themselves may be susceptible to blind attack vectors).

    Finally, there are a number of methods for performing both simple and multi-tiered obfuscation of malicious functionality - in other words, completely evade detection of malicious content by the vast majority of anti-malware technologies.

    Keep in mind, none of this is easy to do, and there are a number of interim steps involved between exploitation and successful execution - in other words, any attack with that level of sophistication likely has your name on it and was not addressed "to whom it may concern".



    Those are the scenarios that have me more concerned. A local workstation privilege escalation is not scary at all, the exposure is still very low, and on detection the workstation will typically be automatically quarantined off the network. But, if these are sophisticated enough to jump the gap so to speak, well now it can cause me some headache. If they exploit service-level access and do some more intelligent application-level work (e.g. using an application's SQL connection to trash data) that could cause some headaches doing log rollbacks and piecing data together. etc. etc. etc.

    To the point I made above, anything 'generic' may just stay local on an infected workstation unless a viable direct-propagation mechanism is present (e.g. vulnerable software running/listening/reachable on multiple endpoints).

    That said, assuming successful privilege escalation on a workstation in nearly any "enterprise" environment, we can also assume that for anything targeted (or with C&C actively shoveled to a live/human threat actor), escalation and off-box lateral movement will very likely be trivially easy, especially in the case of any centrally-managed endpoint agents/components being present (pretty much a given in any enterprise environment). Multiple methods/vectors are available for this; it just depends on the environment specifics.

    EDITED TO ADD: One point I forgot to mention earlier here is that escalation is not a prerequisite for lateral movement through an environment.

    Case in point, a 20-year old vulnerability was made known recently which has affected every version of Windows (past & present, though has now been patched by MS), and allowed for arbitrary manipulation of any running process, period.


    The ability to hijack a system and components/peripherals at the BIOS level and propagate via system buses is a problem not easily mitigated or remediated. If a hard drive BIOS is compromised, it's difficult to diagnose or determine the extent of the problem in an IT environment.

    Definitely a thing, but fairly uncommon. There are far easier methods for covert propagation & lateral movement.

    The real value in this type of thing is around resiliency and anti-forensics, and once again, the level of skill/sophistication required to pull this off (not to mention hard costs such as physical equipment to test/stage on), sets a pretty high bar.
     

    CyberWolf

    By the time you get the message depending on how big your file system is (and on government domains I have to believe we're dealing with massive amounts of data) It could have been weeks or months before the ransomware notifies you all of your files are encrypted.

    One other point to be made is that ransomware doesn't necessarily mean just encrypted files/drives and threat of destruction (or disclosure). Those have just been the most common and publicly disclosed.

    I'm going to be deliberately vague on this, but consider the possibilities around ransomware with potential cyber-kinetic impact (in other words, "pay us or people die/infrastructure fails/etc.").
     

    Brains

    This is all nice and good info that reads like your run of the mill blogs, but I'm more interested in specifics of a seen, experienced, triaged, and mitigated campaign.
     

    CyberWolf

    This is all nice and good info that reads like your run of the mill blogs, but I'm more interested in specifics of a seen, experienced, triaged, and mitigated campaign.
    I hear ya, but there's a limit to how much detail can (or should) be presented on an open (and anonymously viewable) forum.

    Send me a PM if you want to discuss in more detail (more than here anyway; some things are beyond what can ever be discussed), happy to share what I can once bona fides have been confirmed...
     

    birddog

    I hear ya, but there's a limit to how much detail can (or should) be presented on an open (and anonymously viewable) forum.

    Send me a PM if you want to discuss in more detail (more than here anyway; some things are beyond what can ever be discussed), happy to share what I can once bona fides have been confirmed...

    Got that right. Anyone working on the issues has a signed NDA. Broad generalizations or even mentioning specifics regarding attack vectors is one thing, saying something that could cost you not only your job but a significant legal and financial liability would be downright stupid.

    BIOS-level threat propagation is much more prevalent than most tech professionals think. Blade servers, virtualization, and system-bus-based data paths vs. switch-fabric data paths (to reduce latency) have been among the causes.

    Rarely does an IT group have the resources to detect it, much less deal with it.
     

    CyberWolf

    Bladeservers, virtualization, and system bus based data paths vs switch fabric data paths (to reduce latency) has been one of the causes.

    Rarely does an IT group have the resources to detect it, much less deal with it.

    ^Fully agree with this statement - management plane attacks (e.g. lateral movement, control-plane manipulation, direct storage-fabric data exfil, etc.) are all very real, and in many cases trivially easy to execute against, given widespread deficiencies in solution/deployment architecture, mis-configurations, etc.


    My earlier comment about attacks at the BIOS/firmware/VMM/SMM layers was referring more to actual manipulation/replacement of the applicable firmware, etc. with malicious variants - something which is very difficult to do.

    As for how to detect/prevent that, there are various architecture patterns which potentially decrease the viability of attacks against those components/subsystems, but aside from that, there are really only two decent options:

    1. Off-box detection - if system bios/vmm/smm/etc. is compromised, then that machine is "inside the Matrix" (for lack of a better way of putting it), and the nature of reality as experienced by that system cannot be trusted. Only from an outside observation point can you get a more trusted/realistic view of what is happening.

    2. Hardware (TPM 2.0) based Attestation with Intel TXT (Trusted Execution Technology). Very effective for protecting against malicious firmware, etc. (not going to do much for control-plane misconfigurations, but that's a different issue anyway), but somewhat complex and the hardware has to support it...
     
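The two options in the post above (off-box detection, and TPM-based attestation of the boot chain) both rest on the same mechanism: each boot stage hashes the next into a PCR, the host can only extend a PCR, never set it, and a verifier elsewhere compares the result against reference values it holds itself. The following is an added example written for this thread, not code from the poster; it simulates that flow in Python with constructed firmware/bootloader/VMM blobs and leaves out the TPM's signature over the quote, so only the extend-and-replay logic is shown.

```python
import hashlib

PCR_INIT = b"\x00" * 32  # a reset PCR in the SHA-256 bank starts as all zeros

def pcr_extend(pcr, digest):
    # TPM extend: PCR_new = SHA-256(PCR_old || digest); there is no "set" operation
    return hashlib.sha256(pcr + digest).digest()

def measured_boot(components):
    # Each stage measures the next (firmware, bootloader, VMM...) into the PCR
    # and appends the digest to an event log; returns (pcr, log)
    pcr, log = PCR_INIT, []
    for name, blob in components:
        digest = hashlib.sha256(blob).digest()
        pcr = pcr_extend(pcr, digest)
        log.append((name, digest.hex()))
    return pcr, log

def replay_log(log):
    # Verifier recomputes the PCR value that the reported event log implies
    pcr = PCR_INIT
    for _, digest_hex in log:
        pcr = pcr_extend(pcr, bytes.fromhex(digest_hex))
    return pcr

def verify_quote(quoted_pcr, log, golden_log):
    # Off-box appraisal against reference measurements the verifier holds,
    # never values reported by the host being checked
    if replay_log(log) != quoted_pcr:
        return False, "event log does not reproduce quoted PCR"
    for (name, digest), (_, golden) in zip(log, golden_log):
        if digest != golden:
            return False, f"unexpected measurement for {name}"
    if len(log) != len(golden_log) or quoted_pcr != replay_log(golden_log):
        return False, "boot chain differs from reference"
    return True, "boot chain matches reference"

# Constructed sample boot chain; these are placeholder byte strings, not real images
GOOD_CHAIN = [("firmware", b"vendor-uefi-1.2"), ("bootloader", b"grub-2.06"), ("vmm", b"hypervisor-7.0")]
GOLDEN_PCR, GOLDEN_LOG = measured_boot(GOOD_CHAIN)

def check_clean_host():
    pcr, log = measured_boot(GOOD_CHAIN)
    return verify_quote(pcr, log, GOLDEN_LOG)

def check_modified_firmware():
    # Firmware replaced: every later PCR value changes, and the verifier names the first bad stage
    chain = [("firmware", b"vendor-uefi-1.2-implant")] + GOOD_CHAIN[1:]
    pcr, log = measured_boot(chain)
    return verify_quote(pcr, log, GOLDEN_LOG)

def check_forged_log():
    # A compromised host can report the golden log, but cannot make the PCR match it
    pcr, _ = measured_boot([("firmware", b"vendor-uefi-1.2-implant")] + GOOD_CHAIN[1:])
    return verify_quote(pcr, GOLDEN_LOG, GOLDEN_LOG)
```

The third case is the "inside the Matrix" point: the host's own event log is untrustworthy, and only the TPM-held PCR compared from outside is.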

    studenygreg

    The company I work for just got hit with ransomware/malware. The whole office was closed today and will be until it's resolved. Our network drives were encrypted as well as our backup. We hope the backup's backup is still okay. If not, this will be very bad for us.

     

    oldag

    Where this thread has gone is reminding me how far I have lagged from the leading edge of technology.

    Was there once. Not by a long shot anymore.
     

    WAYnorthTX

    About a month ago, I got a screen saying that my computer was locked up and that I needed to get ahold of someone at a [fake] Microsoft website and pay to get it unlocked. How did I know that it was fake? Because I run Linux on my computer, not Microsoft Windows or any Microsoft product. I simply shut off my computer without saving anything and restarted it. I have had no problems since then.
     

    vmax

    Personally, I think he is behind all of it. Sneaky-looking bastard, isn't he?