Friday, June 5, 2020
(In a sad voice): May 2020. It all started when our technical support service received a weird request:
Just now something started changing the DNS IPs on my servers to 22.214.171.124 and 126.96.36.199, even though Dr.Web is installed on those machines.
Both addresses are generally well known and are not involved in any malicious schemes. But because something other than the administrator is changing the addresses, a more thorough investigation is necessary. And for this we needed to gather more information. So we armed ourselves with our special Dr.Web utility and pressed on!
Preliminary results. A subsequent analysis of the gathered data showed that the option to scan potentially dangerous software hadn't been enabled in the anti-virus settings.
It was not the anti-virus's fault. It could have helped, if it had had the chance!
Since it was obvious that a third-party application had somehow managed to find its way onto the computer, the investigation continued.
The report indicates that a server with the IP address _____ is connected to your network. It appears that there is suspicious network activity associated with this server.
It seems that a brute-force attack is being mounted from that host. A comprehensive examination is necessary.
What operating system do you think the server was running? Linux. And, of course, there was no anti-virus. Why should there be one? Everyone knows that Linux malware doesn't exist!
Once that was established, we could proceed with analysing how the malware worked:
An entire toolkit: an RDP brute-force module, the EternalBlue exploit for SMBv1, and a scanner for the BlueKeep (CVE-2019-0708, RDP) and SMBGhost (CVE-2020-0796, SMBv3) vulnerabilities.
All familiar words. Let's recall: EternalBlue targets the SMBv1 flaw that Microsoft closed in March 2017 with security update MS17-010, and in May of that same year the same loophole was used by WannaCry to infect computers.
How many years have passed, and yet some people have never installed the security patch, and attackers are still penetrating systems through this "gaping hole".
The first thing you need to do is check the operating system patches to make sure that all security updates are installed and that the anti-virus has been updated to the latest version available for your system.
First, install security update MS17-010. It was released for Windows XP, too. It wasn't applied on the machine in question, and now a whole menagerie of malicious services and scheduled nefarious tasks are on it.
Generally speaking, this failure to install the security update permeates the entire support request. One has to make sure that the patch has been applied on all the hosts.
A quick way to do that is to check the version of the file %systemroot%\system32\drivers\srv.sys, the SMBv1 server driver that the update replaces; a second method is described in a separate article. The file version can be checked this way under all OS versions.
Compare the file version with the one listed for your operating system. If your file version is older than the listed version, MS17-010 is not installed: apply the update as soon as possible. If your current version is equal to or greater than the listed version, the patch is already installed.
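The following PowerShell script is an added example, not code from the article and not a Dr.Web tool. It automates the srv.sys check above across a list of hosts, reading remote copies through the ADMIN$ share. The table of minimum patched versions is an assumption drawn from the MS17-010 bulletin's file-information tables and should be confirmed against the bulletin for your exact build before you act on a result; the function name Test-Ms17010 and the hosts.txt file are the example's own.

```powershell
# Added example (not from the article). Verifies MS17-010 by comparing the
# version of the SMBv1 server driver, %SystemRoot%\System32\drivers\srv.sys,
# with the minimum patched version for that Windows build.

# Minimum srv.sys version per kernel build (major.minor.build -> patched version).
# ASSUMPTION: values taken from the MS17-010 bulletin's file tables; confirm them
# against the bulletin for your build. Windows 10 1703 and later shipped with the
# fix and are deliberately absent, so they report "not in table".
$MinimumSrvVersion = @{
    '5.1.2600'   = [version]'5.1.2600.7208'     # Windows XP SP3
    '5.2.3790'   = [version]'5.2.3790.6021'     # Windows Server 2003 SP2
    '6.0.6002'   = [version]'6.0.6002.19743'    # Vista SP2 / Server 2008 SP2
    '6.1.7601'   = [version]'6.1.7601.23689'    # Windows 7 SP1 / Server 2008 R2 SP1
    '6.2.9200'   = [version]'6.2.9200.22099'    # Windows 8 / Server 2012
    '6.3.9600'   = [version]'6.3.9600.18604'    # Windows 8.1 / Server 2012 R2
    '10.0.10240' = [version]'10.0.10240.17319'  # Windows 10 1507
    '10.0.10586' = [version]'10.0.10586.839'    # Windows 10 1511
    '10.0.14393' = [version]'10.0.14393.953'    # Windows 10 1607 / Server 2016
}

function Test-Ms17010 {
    param(
        # Hosts to check. Remote hosts are read through ADMIN$, so run this
        # with an account that is a local administrator on each of them.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    foreach ($computer in $ComputerName) {
        if ($computer -ieq $env:COMPUTERNAME) {
            $path = Join-Path $env:SystemRoot 'System32\drivers\srv.sys'
        } else {
            $path = "\\$computer\ADMIN$\System32\drivers\srv.sys"
        }

        if (-not (Test-Path -LiteralPath $path)) {
            # Either ADMIN$ is unreachable or SMBv1 has been removed and the
            # driver is gone; both deserve a human look rather than a green tick.
            $result = @{
                Computer   = $computer
                SrvVersion = $null
                Status     = 'srv.sys not found (ADMIN$ unreachable or SMBv1 removed)'
            }
            New-Object PSObject -Property $result | Select-Object Computer, SrvVersion, Status
            continue
        }

        # Build the version from the numeric parts: the FileVersion string often
        # carries a branch suffix such as "(win7sp1_ldr.170209-1503)".
        $info  = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path)
        $parts = @($info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart, $info.FilePrivatePart)
        $ver   = [version]($parts -join '.')
        $key   = '{0}.{1}.{2}' -f $ver.Major, $ver.Minor, $ver.Build

        if (-not $MinimumSrvVersion.ContainsKey($key)) {
            $status = 'build not in table; compare with the bulletin manually'
        } elseif ($ver -ge $MinimumSrvVersion[$key]) {
            $status = 'PATCHED'
        } else {
            $status = 'VULNERABLE: apply MS17-010 now'
        }

        $result = @{
            Computer   = $computer
            SrvVersion = $ver.ToString()
            Status     = $status
        }
        New-Object PSObject -Property $result | Select-Object Computer, SrvVersion, Status
    }
}

# Usage: check this host, or every host listed one per line in hosts.txt.
Test-Ms17010 | Format-Table -AutoSize
# Test-Ms17010 -ComputerName (Get-Content .\hosts.txt) | Format-Table -AutoSize
```

The file version is compared rather than the list of installed hotfixes because later cumulative updates supersede the original MS17-010 KB numbers, so a Get-HotFix lookup for those KBs reports false negatives on hosts that were patched later. The check covers only the SMBv1 driver: once every host is patched, disable SMBv1 outright (on Windows 8/Server 2012 and later, Set-SmbServerConfiguration -EnableSMB1Protocol $false), which removes the EternalBlue attack surface rather than just closing one hole in it.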
MS17-010's absence from a system is unacceptable. We are discussing an incident involving a malware infection in a corporate network, and to mitigate the threat or prevent attacks in the network, security patches must be installed on all the computers.
Even one vulnerable host jeopardizes the security efforts for the entire infrastructure. Attackers can gain remote access to an ill-protected machine or run arbitrary code on it. For example, they can download a script or an executable file, execute the malicious payload and then use the compromised machine as a foothold for further attacks across the network. Perpetrators can run any kind of code: they can mount a brute-force attack to crack account passwords and gain remote access to other nodes, encrypt data, steal personal or confidential information, and so on.
Even though other PCs and servers may be protected from attacks involving the EternalBlue exploit, they can still be vulnerable to other types of attacks launched from inside the infrastructure.
If the security update doesn’t install, determine what’s causing the error and apply it because otherwise keeping the network secure is a Sisyphean task.
And all this time the host and the whole network were vulnerable to even more devastating attacks.
Install security patches and sweep the systems clean…
Doctor Web's technical support service response.
And such support requests are not uncommon!
On the same day:
Malware has managed to sneak into every shared folder on our local network. Deleting the file resolves the issue only temporarily; the file reappears.
Furthermore, we discovered the suspicious process DOC001.exe on the hosts, as well as multiple clones of system processes that used up all the system memory. The same file was found in that location, as was a pools.txt file containing a number of links. The URLs contained words related to cryptocurrency mining.
We are experiencing multiple issues across the network; the servers hosting our applications are often inaccessible. All the hosts are domain members, but none of them can access domain resources and the Internet simultaneously.
And this, too, could have been avoided.
The Anti-virus Times recommends
Such situations can be avoided provided that:
- All security patches are installed promptly.
- Anti-virus software is installed on all machines.
- No scanning exceptions exist that would make certain areas inaccessible to the anti-virus.