Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

Archive for the ‘Day-To-Day Stuff’ Category

(2020-02-11) Fox-IT Report Available On Cyber Attack Against University Of Maastricht

Posted by Jorge on 2020-02-11


On December 23rd 2019 a cyber-attack occurred against the University of Maastricht. Fox-IT, a Dutch security company and part of the NCC Group, supported the University of Maastricht and in the end wrote a report with the findings. The University of Maastricht made that report publicly available so that others could learn from it. Kudos to the University of Maastricht for sharing this information.

The report is in Dutch and can be found through: https://www.maastrichtuniversity.nl/file/49715/download?token=B0jN2wyV

If you do not understand Dutch, or do not want to read the full report, below you can find an extract in English of that report. Please be aware that the text below is a summary of the Dutch report written by Fox-IT. This summary may lack the required (detailed) context that is available in the report.

High Level:

  • Cyber-attack on December 23rd 2019
  • Infrastructure of 1647 Linux/Windows servers and 7307 workstations. The attack hit part of the infrastructure: 267 servers in the AD domain (e.g. domain controllers, e-mail servers, file servers, backup servers)
  • The attacker focused on encrypting data in the AD domain in order to demand a ransom. Part of the systems were compromised, including the (online) backups

Environment:

  • University of Maastricht
  • Public organization, with 4500 employees, 18000 students and 70000 alumni
  • Infrastructure contains multiple server types and workstations that are not (fully) controlled by central IT
  • Part of the infrastructure is centrally managed and part is decentrally managed by faculties; both are connected to the central network
  • Workstations are desktops, laptops and VDIs. VDIs accessible through thin-clients and browsers

Lessons Learned

  • Multiple phishing mail variants were received. Because the phishing mails looked similar, one variant did not get enough attention. Better detection is needed
  • Allow signed macros only. The phishing mails contained links to Excel files with unsigned macros
  • Improve the processes for vulnerability and patch management. Keep systems up to date and verify that updates were actually installed successfully. The attacker used vulnerabilities in software (the Eternal Blue exploit); one patch was not installed because its installation had failed
  • Better segmentation of the AD domain (tiering and delegation): implement secure configurations as much as possible and get rid of insecure ones. The default domain admin account was used for work on regular servers (against existing policy!). Because one of those servers was compromised while such a powerful account was in use on it, the AD domain was compromised too, and the malware and ransomware were then installed using that default domain admin account
  • Better segmentation of the network itself. The current network has multiple VLANs but is still too open, which made it too easy for the attacker to move around. Stricter segmentation would have made lateral movement more difficult
  • (Better) 24/7 monitoring/logging through a SIEM and a SOC. Signals with unusual patterns, peak activity and/or high risk need to be filtered and detected better, easier and earlier, and must become visible in the huge amount of data (per second 30000 breach attempts blocked, 1400 malware attacks stopped, thousands of signals a day in multiple logs). Implementation of endpoint monitoring and network sensors has started, to detect traffic and distinguish between regular and malicious traffic (both inbound traffic and lateral movement); this was already planned before the breach
  • An up-to-date and clean CMDB. During recovery a lot of time was spent determining the impact on systems and the environment. The view on active versus decommissioned systems was not good enough, which made it harder to understand the actual status
  • Multiple backups: online for quick recovery where needed, and offline to make sure backups remain uncompromised. Because only online backups existed, for quick recovery when a system became unavailable, the backups were encrypted as well
  • Have incident response plans for different scenarios and keep them up to date. Practice different crisis scenarios on a planned basis and improve the plans as needed
  • Increase the security awareness of both employees and students
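
One way to catch the tiering violation the report describes (a default domain admin account used for work on regular servers) is to flag every logon of a Tier-0 account to a host outside Tier 0. The Python below is an added example, not code from the report, Fox-IT or the University; the flattened 4624 event lines, the host names, the account names and the tier sets are constructed assumptions.

```python
"""Flag Tier-0 accounts (e.g. Domain Admins) logging on to hosts outside Tier 0.

Added example, not from the Fox-IT report or the blog. The lines below are
constructed to look like flattened Windows Security event 4624 records; the
field names, hosts, accounts and tier sets are assumptions, not report data."""
from collections import defaultdict

# Accounts that must only ever touch Tier-0 hosts (domain controllers, PKI, ...)
TIER0_ACCOUNTS = {"CORP\\Administrator", "CORP\\da-backup"}
TIER0_HOSTS = {"DC01", "DC02", "PKI01"}

# Logon types that leave reusable credentials on the target host: 2 interactive,
# 4 batch, 5 service, 10 RemoteInteractive (RDP). A network logon (3) does not
# cache credentials but is still a policy breach here, ranked lower.
CRED_EXPOSING_TYPES = {"2", "4", "5", "10"}

# Constructed sample: one event per line, "key=value" pairs separated by ';'
SAMPLE_EVENTS = """\
EventID=4624;Computer=DC01;TargetDomain=CORP;TargetUser=Administrator;LogonType=10;IpAddress=10.0.0.5
EventID=4624;Computer=FS03;TargetDomain=CORP;TargetUser=Administrator;LogonType=10;IpAddress=10.0.0.5
EventID=4624;Computer=FS03;TargetDomain=CORP;TargetUser=jdoe;LogonType=3;IpAddress=10.0.12.7
EventID=4624;Computer=MAIL02;TargetDomain=CORP;TargetUser=da-backup;LogonType=5;IpAddress=-
EventID=4624;Computer=APP07;TargetDomain=CORP;TargetUser=Administrator;LogonType=3;IpAddress=10.0.0.5
EventID=4634;Computer=APP07;TargetDomain=CORP;TargetUser=Administrator;LogonType=3;IpAddress=10.0.0.5
"""

def parse_event(line: str) -> dict:
    """Turn 'k=v;k=v' into a dict; malformed pairs are skipped rather than raising."""
    fields = {}
    for pair in line.strip().split(";"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            fields[key] = value
    return fields

def tier_violations(log_text: str) -> list:
    """(severity, account, host, logon_type, source_ip) for every 4624 in which a
    Tier-0 account logged on to a host that is not part of Tier 0."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4624":
            continue
        account = f"{ev.get('TargetDomain', '')}\\{ev.get('TargetUser', '')}"
        host = ev.get("Computer", "")
        if account not in TIER0_ACCOUNTS or host in TIER0_HOSTS:
            continue
        logon_type = ev.get("LogonType", "")
        severity = "high" if logon_type in CRED_EXPOSING_TYPES else "medium"
        hits.append((severity, account, host, logon_type, ev.get("IpAddress", "")))
    return hits

def summarize(hits: list) -> dict:
    """Violations per account, so the most misused account surfaces first."""
    counts = defaultdict(int)
    for _, account, *_ in hits:
        counts[account] += 1
    return dict(counts)

if __name__ == "__main__":
    found = tier_violations(SAMPLE_EVENTS)
    for severity, account, host, logon_type, ip in found:
        print(f"[{severity:6}] {account} on {host} (logon type {logon_type}, from {ip})")
    print(summarize(found))
```

In a real environment the lines come from the SIEM's collection of Security event 4624 on the member servers themselves, not only on the domain controllers, because the interesting logons happen on the servers. The severity split matters: logon types 2, 4, 5 and 10 leave reusable credentials on the target host, which is exactly what turned one compromised server into a domain compromise.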
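
The monitoring lesson has a concrete shape in this report: the antivirus saw Mimikatz and Cobalt Strike, logged them, and did nothing because it ran in observer/audit-only mode, and later the attacker simply removed the antivirus from the servers. A SOC can catch both patterns from telemetry it already collects. The Python below is an added example, not from the report or Fox-IT; the event format, host names and threat labels are constructed (real telemetry would be Defender event IDs 1116/1117/5001 or another vendor's equivalent), and the 24-hour window is an assumption.

```python
"""Triage anti-malware telemetry for the two failure modes in the report:
detections that were only logged (audit mode) and hosts whose protection
disappeared shortly after a detection. Added example, not from the report;
the event format, host names and threat labels are constructed."""
from datetime import datetime

# Families whose detection alone means hands-on-keyboard activity, not commodity adware
OFFENSIVE_TOOLING = ("mimikatz", "cobaltstrike", "powersploit", "meterpreter")
# Action values that mean the product watched but did not remediate
OBSERVE_ONLY = {"audit", "allowed", "none", "logged"}

# Constructed sample telemetry: timestamp followed by key=value pairs
SAMPLE_EVENTS = """\
2019-11-22T02:11:05Z host=SRV-APP01 event=detect threat=HackTool/Mimikatz action=audit
2019-11-22T02:11:06Z host=SRV-APP01 event=detect threat=Backdoor/CobaltStrike action=audit
2019-11-25T14:03:22Z host=SRV-FS02 event=detect threat=HackTool/PowerSploit action=quarantine
2019-12-20T23:40:10Z host=SRV-SQL03 event=detect threat=Ransom/SAGE action=quarantine
2019-12-21T00:05:44Z host=SRV-SQL03 event=service_stopped component=realtime_protection
2019-12-21T00:06:30Z host=SRV-SQL03 event=uninstalled product=antivirus
2019-12-21T00:07:01Z host=SRV-WEB01 event=detect threat=Trojan/Generic action=quarantine
2019-12-22T09:00:00Z host=SRV-WEB01 event=service_stopped component=realtime_protection
"""

def parse(text: str) -> list:
    """'timestamp k=v k=v ...' lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ev = {"ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")}
        except ValueError:
            continue
        for pair in parts[1:]:
            key, _, value = pair.partition("=")
            ev[key] = value
        events.append(ev)
    return events

def unremediated_tooling(events: list) -> list:
    """(host, threat, action) for offensive tooling the product saw but left running."""
    hits = []
    for ev in events:
        if ev.get("event") != "detect":
            continue
        threat = ev.get("threat", "").lower()
        if any(t in threat for t in OFFENSIVE_TOOLING) and ev.get("action") in OBSERVE_ONLY:
            hits.append((ev.get("host"), ev.get("threat"), ev.get("action")))
    return hits

def protection_removed_after_detection(events: list, window_hours: float = 24) -> list:
    """(host, event, hours_since_last_detection): protection stopped or removed soon
    after a detection is an attacker blinding the sensor, not routine maintenance."""
    last_detect, hits = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        host, kind = ev.get("host"), ev.get("event")
        if kind == "detect":
            last_detect[host] = ev["ts"]
        elif kind in ("service_stopped", "uninstalled") and host in last_detect:
            hours = (ev["ts"] - last_detect[host]).total_seconds() / 3600
            if hours <= window_hours:
                hits.append((host, kind, round(hours, 2)))
    return hits

if __name__ == "__main__":
    evs = parse(SAMPLE_EVENTS)
    for hit in unremediated_tooling(evs):
        print("audit-only detection:", hit)
    for hit in protection_removed_after_detection(evs):
        print("protection removed after detection:", hit)
```

Both checks are cheap to run continuously. The first should page someone regardless of the product's action field: a credential-theft tool on a server is an incident whether or not it was quarantined. The second needs the protection-stopped and uninstall events to be shipped to the central log server before the attacker gets to them, which is one more argument for forwarding endpoint events in near real time rather than collecting them on the host.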

More details (not in structured order):

  • A compromised system is a system showing attacker activity or malware traces. 269 servers were determined to be compromised
  • A compromised account is an account used by the attacker, as established by forensic analysis. 5 accounts were determined to be compromised
  • Next to Windows systems, Linux and OS X systems are in use; those were not touched by the attack. The attack focused on Windows servers
  • 2 phishing e-mails were opened on October 15th and 16th 2019. The phishing mails contained links to an Excel file with a macro that downloaded malware (SDBBot) from a server on the internet
  • Multiple systems were compromised between October 16th 2019 and December 23rd 2019
  • On November 21st 2019 the attacker gained access to the infrastructure through a server that was missing security updates (vulnerable to the Eternal Blue exploit)
  • On December 23rd 2019 "Clop ransomware" was deployed to 267 Windows servers. Clop uses the RC4 encryption algorithm: the RC4 key is generated randomly per file and encrypted with an RSA 1024-bit public key, and only the attacker has the private key. All encrypted files received the “.CIop” extension and in every folder the file “CIopReadMe.txt” with instructions was added
  • After thorough analysis of the breach, the ransom was paid on December 30th 2019
  • Traces were found that the attacker gathered information about, amongst others, the topology, servers, usernames and passwords
  • Carbon Black was installed by the security company and used to get insight into traffic and activity. Installation started on the compromised servers, followed by non-compromised servers and workstations (more than 90% of systems were covered by this tool)
  • The focus was on quick recovery of functionality, but also on preserving all kinds of investigation data (evidence) to be able to perform forensic analysis at a later stage
  • Through forensic analysis the attack path and the scope of the attacker's activity were made visible
  • Countermeasures to stop the attack (amongst others): block network traffic to and from the internet and to and from the WIFI networks, and reset the passwords of all accounts (admin, service, regular)
  • Network traffic was gradually allowed again after setting up monitoring/sensors
  • The definition of so-called crown jewels determined the priority of recovery
  • The malware communicated on a regular basis with its home server (every 15 minutes) and registered itself to become and remain persistent, even after reboots. Through this malware other tools (Meterpreter) were used for interaction. Meterpreter was installed on other servers (2x Windows Server 2003 R2 lacking the MS17-010 patch, 1x Windows Server 2012 R2 and 1x unnamed), most likely through the Eternal Blue exploit, as those servers were vulnerable to it. One other unnamed server was not vulnerable to the Eternal Blue exploit but still got infected somehow. The report names patch KB4525243 as preventing the Eternal Blue exploit (the underlying fix is MS17-010)
  • PowerSploit was used for reconnaissance of systems, the network and vulnerabilities
  • PingCastle was used to get a graphical view of the AD structure and to find weak configurations to misuse
  • Cobalt Strike with Mimikatz was used
  • SAGE.EXE was “installed” on 4 servers and used to distribute the ransomware while at the same time turning off Windows Defender, all through the use of the default domain admin account. On one server the antivirus detected and removed SAGE.EXE; in the end the attacker removed the antivirus and reinstalled SAGE.EXE. Later the antivirus was removed from other servers too
  • Attacker activity was already detected at an earlier stage and sent to the central log server. Unfortunately those detections were not proactively handled or acted upon: Windows Defender detected and removed PowerSploit (and logged this), and the antivirus detected and logged the use of Cobalt Strike and Mimikatz multiple times but did not stop them because it ran in “observer/audit only mode”
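
To make the Clop description above concrete (a random RC4 key per file, wrapped with an RSA-1024 public key whose private half only the attacker holds), here is the same hybrid construction in plain Python. It is an added example, not Clop's code and not from the report: the file layout (wrapped key followed by ciphertext), the 16-byte key length and the textbook, unpadded RSA are illustrative simplifications, and the whole thing uses only the standard library so it runs offline. It also shows why "recover the RC4 key" is not a way out for the defender: the only copy of that key in the file is the RSA-wrapped one.

```python
"""Hybrid file encryption of the kind the report attributes to Clop: a fresh RC4
key per file, wrapped with an RSA-1024 public key, so only the holder of the
private key can unwrap it. Added example, not Clop's code and not from the
report: the file layout (wrapped key, then ciphertext) and the textbook,
unpadded RSA are simplifications for illustration only."""
import secrets

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher; encrypting and decrypting are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                         # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for b in data:                               # keystream generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with random bases; fine for a demo key, not a vetted library."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                         # composite witness found
    return True

def random_prime(bits: int) -> int:
    while True:                                  # force the top bit (size) and odd
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate

def modinv(a: int, m: int) -> int:
    """Extended Euclid; a and m must be coprime."""
    r0, r1, t0, t1 = m, a % m, 0, 1
    while r1:
        q = r0 // r1
        r0, r1, t0, t1 = r1, r0 - q * r1, t1, t0 - q * t1
    return t0 % m

def rsa_keygen(bits: int = 1024) -> tuple:
    """Return ((n, e), (n, d)) with the usual public exponent 65537."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:                   # e must be coprime to phi
            return (p * q, e), (p * q, modinv(e, phi))

KEY_BYTES = 16     # per-file RC4 key length: an assumption, the report gives none
WRAP_BYTES = 128   # a 1024-bit modulus gives a 128-byte wrapped key

def encrypt_file(plaintext: bytes, pub: tuple) -> bytes:
    """Attacker side: random key per file, wrapped under the public key."""
    n, e = pub
    file_key = secrets.token_bytes(KEY_BYTES)
    wrapped = pow(int.from_bytes(file_key, "big"), e, n).to_bytes(WRAP_BYTES, "big")
    return wrapped + rc4(file_key, plaintext)

def decrypt_file(blob: bytes, priv: tuple) -> bytes:
    """Only possible with d: unwrap the per-file key, then run RC4 again."""
    n, d = priv
    wrapped, body = blob[:WRAP_BYTES], blob[WRAP_BYTES:]
    file_key = pow(int.from_bytes(wrapped, "big"), d, n).to_bytes(KEY_BYTES, "big")
    return rc4(file_key, body)

def roundtrip(plaintext: bytes) -> bool:
    """True when the ciphertext differs from the input and d recovers it. Without d
    a defender faces one RSA-1024 problem per file, not a recoverable RC4 key."""
    pub, priv = rsa_keygen()
    blob = encrypt_file(plaintext, pub)
    return blob[WRAP_BYTES:] != plaintext and decrypt_file(blob, priv) == plaintext
```

Two practical notes. RC4 is a broken cipher, but that does not help here: with a fresh random key per file and no key reuse across files, none of the known RC4 attacks give you the plaintext, so the recovery question is purely about the RSA private key. And the unpadded RSA above is exactly what a real implementation must not do; it is kept that way only to make the wrap/unwrap step visible in two lines.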
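
The 15-minute call-home interval mentioned above is the kind of signal the new network sensors are meant to surface: a timer-driven implant produces connection intervals with almost no jitter, which browsers and people do not. The Python below is an added example, not from the report or Fox-IT; the proxy log format, hosts and destinations are constructed, and the thresholds are assumptions to tune per environment.

```python
"""Find timer-driven call-home traffic in outbound connection logs, the kind of
signal the report says network sensors were introduced to surface: the malware
contacted its home server every 15 minutes. Added example, not from the report;
the log format, hosts and destinations are constructed and the thresholds are
assumptions to tune per environment."""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed proxy log: timestamp, source host, destination, bytes out
SAMPLE_LOG = """\
2019-11-21T08:00:03Z SRV-WEB01 198.51.100.20:443 512
2019-11-21T08:00:40Z SRV-WEB01 203.0.113.9:443 4096
2019-11-21T08:15:02Z SRV-WEB01 198.51.100.20:443 520
2019-11-21T08:17:11Z SRV-WEB01 203.0.113.9:443 9000
2019-11-21T08:30:05Z SRV-WEB01 198.51.100.20:443 512
2019-11-21T08:45:01Z SRV-WEB01 198.51.100.20:443 516
2019-11-21T08:51:44Z SRV-WEB01 203.0.113.9:443 2048
2019-11-21T09:00:04Z SRV-WEB01 198.51.100.20:443 512
2019-11-21T09:15:03Z SRV-WEB01 198.51.100.20:443 512
2019-11-21T09:30:02Z SRV-WEB01 198.51.100.20:443 528
"""

def parse_log(text: str) -> dict:
    """Group connection timestamps by (source, destination); bad lines are skipped."""
    series = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        series[(parts[1], parts[2])].append(ts)
    return series

def beacon_score(timestamps: list):
    """(median_interval_seconds, jitter_ratio) for a series, or None when there are
    too few connections to say anything about periodicity."""
    if len(timestamps) < 4:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    period = median(gaps)
    if period <= 0:
        return None
    # Jitter relative to the period: browsers and people are irregular (ratio near
    # or above 1); a sleep-timer implant is tight (ratio well below 1).
    return period, pstdev(gaps) / period

def find_beacons(text: str, min_connections: int = 5, max_jitter: float = 0.1) -> list:
    """(src, dst, period_seconds, jitter) for pairs that look timer-driven."""
    suspects = []
    for (src, dst), stamps in parse_log(text).items():
        if len(stamps) < min_connections:
            continue
        scored = beacon_score(stamps)
        if scored is None:
            continue
        period, jitter = scored
        if jitter <= max_jitter:
            suspects.append((src, dst, period, round(jitter, 3)))
    return suspects

if __name__ == "__main__":
    for src, dst, period, jitter in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {dst}: every {period / 60:.1f} min, jitter {jitter}")
```

Two caveats before running this on real data. Many implants deliberately randomize their sleep (Cobalt Strike's jitter setting is the obvious one), so the jitter threshold has to be loosened and the period estimated from a longer window. And legitimate software beacons too (NTP, update checks, monitoring agents), so the output is a candidate list to be allow-listed by destination, not an alert on its own; in this case the destination was a server on the internet that no university workload had a reason to talk to every 15 minutes.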

Info about attacker:

  • Group “TA505”, also known as “GraceRAT” or “Dridex-RAT-Group”
  • Uses Clop ransomware
  • Targets organizations with AD
  • 150 victim organizations in 2019
  • In the period 2014-2017 the attacker focused on organizations in the financial sector in the EU and the USA
  • In the period 2017-2019 the attacker focused on financial organizations with credit card issuing systems in South and Central America, Africa and Central and Southeast Asia
  • Attacks on organizations in the financial sector still take place

Modus operandi attacker:

  • Infect systems through phishing mails
  • Identify the organization
  • Move laterally within the network
  • Remove and encrypt backups
  • Deploy ransomware on as many systems as possible
  • Demand a ransom by e-mail (the amount depends on the size of the organization)

Cheers,

Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
#################### http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-


Posted in Cyber Attack, Day-To-Day Stuff, IT News

(2019-10-30) A Thousand Blog Posts!

Posted by Jorge on 2019-10-30


I started blogging in 2005. My very first blog post on the internet was on November 8th 2005. At that time I was inspired by a friend at Microsoft and a little bit by myself. I was active in the Microsoft newsgroups for AD (Directory Services) back then. My main reason to start blogging was that I was so tired of repeating the same answer in those newsgroups over and over again that I started searching for a way to repeatedly provide the same answer without too much additional work. Starting a blog was a very good idea. Back then I started my blog somewhere else, and about 8 years ago I migrated my blog to WordPress, which provided me more autonomy and freedom in doing what I wanted the way I wanted it to be done.


Now, about 14 years later, THIS is the 1000th blog post!


Soon after starting my blog, and along the way, my goal changed to blogging about my real-world experiences, knowledge and scripts so that others could learn from it and directly use that knowledge and those tools/scripts in their day-to-day jobs. Based upon the stats I can say that since the first day the blog has had a serious amount of visitors and it is referenced quite many times in the Microsoft Forums and other places. Good to see that many other people are using it. I also love the comments being made by people and the mails that I get from people regarding the issues they have and for which they are seeking some answers.

A serious THANK YOU to all of you who read this blog, and also a THANK YOU to Microsoft for awarding me the MVP Award the past 14 years and helping me with the great technology.

Cheers,     

Jorge


Posted in Day-To-Day Stuff, Personal Stuff

(2019-01-03) Some Phones Are Not That Good With Face Recognition

Posted by Jorge on 2019-01-03


Are you using face recognition to unlock your mobile phone?

And is that mobile phone on the following list?

It appears all the mobile phones on the list can be unlocked by using a picture instead of your face.

To be sure nobody can access your personal data that easily, preferably (and if possible) use a fingerprint or a code to unlock the mobile phone.

All the phones on the list titled “Toestellen ontgrendeld met een foto” (“Devices unlocked with a photo”) can easily be unlocked with a photo of your face.

All the phones on the list titled “Toestellen ontgrendeld met een foto, maar met betere beveiliging” (“Devices unlocked with a photo, but with better security”) can also be unlocked with a photo of your face in their default configuration, but they offer more secure settings for face recognition.

All the phones on the list titled “Toestellen die niet met een foto zijn te ontgrendelen” (“Devices that cannot be unlocked with a photo”) appear to be secure: their face recognition is not fooled by a photo of your face.

From the Consumentenbond (the Dutch consumers' association):

https://www.consumentenbond.nl/veilig-internetten/gezichtsherkenning-te-hacken

Cheers,
Jorge


Posted in Day-To-Day Stuff, Mobile Devices, Security

(2019-01-01) Happy New Year 2019!

Posted by Jorge on 2019-01-01


A happy new year 2019 to everyone! Enjoy, have fun and make the best of it!


Cheers,
Jorge


Posted in Day-To-Day Stuff

(2018-10-07) Oh My Dear Blog – How Much I Have Neglected You!

Posted by Jorge on 2018-10-07


It has been quite some time since I blogged quite frequently. Due to family reasons (my mom passed away after being ill for quite a long time) I was not able to post all kinds of stuff on my blog. There was just too much emotion and I ended up with a huge amount of work that had the highest priority and that I wanted to finish before doing anything else.

Now, while getting back on track again, I hope to pick up where I "left off" and start blogging again any time soon about all kinds of stuff I have in mind.

Thanks.

Cheers,
Jorge


Posted in Day-To-Day Stuff

(2016-12-31) Happy New Year!

Posted by Jorge on 2016-12-31


I would like to wish everyone a happy New Year. Be careful with the fireworks!

https://i0.wp.com/www.happy-newyearimages.com/wp-content/uploads/2016/09/Happy-New-Year-2017-Wallpapers-1.jpg

Figure 1: Happy New Year 2017 (Source: http://www.happy-newyearimages.com/wp-content/uploads/2016/09/Happy-New-Year-2017-Wallpapers-1.jpg)

Cheers,
Jorge

Posted in Day-To-Day Stuff

(2016-12-24) Merry Christmas Everyone!

Posted by Jorge on 2016-12-24


I would like to wish everyone a merry Christmas! Enjoy the holidays!

https://i0.wp.com/www.planwallpaper.com/static/images/Merry_christmas-6.jpg

Figure 1: Merry Christmas By Patrice (Source: http://www.imagesbuddy.com/merry-christmas-wallpaper-by-patrice/)

Cheers,
Jorge

Posted in Day-To-Day Stuff

(2015-11-10) 10 Years Of Blogging!

Posted by Jorge on 2015-11-10


About 10 years ago I started blogging and created my “Jorge’s Quest For Knowledge” blog, which has been and still is being read by many people around the world. My biggest drive and passion to do this is to research and acquire knowledge, and then share it with others around the globe so that those people can use the information to their best advantage in their day-to-day jobs. The very first post was on Tuesday November 8th 2005.


It has been so much fun to do this, and I hope it remains fun to continue to do this for the next ten years!

Some statistics:

  • 807 blog posts
  • 1821 comments

From 2005 until 2011 I hosted my blog on DirTeam. Somewhere in 2011 I moved/migrated my blog to WordPress. Unfortunately I do not have any statistics from my old blog provider. The statistics from my current blog provider since I started using WordPress are:

  • 2011:
    • Views: 19326
    • Visitors: 0
  • 2012
    • Views: 110347
    • Visitors: 5324
  • 2013
    • Views: 141557
    • Visitors: 82533
  • 2014
    • Views: 213639
    • Visitors: 127577
  • 2015 (Year-To-Date)
    • Views: 204279
    • Visitors: 126209


Figure 1: Some Other Blog Statistics

A very big THANK YOU to all my readers/visitors. Feel free to comment!

PS: I would appreciate if you are willing to share this post as many times as possible in any ways you can. Thank you in advance!

Cheers,
Jorge

Posted in Day-To-Day Stuff

(2015-10-07) European Court Rules Against The ‘Safe Harbor’ Agreement

Posted by Jorge on 2015-10-07


The Court of Justice of the European Union (CJEU) has ruled the current Safe Harbor agreement invalid. Global cloud services/providers, mainly in the USA, may face a huge problem, as transfers of personal data from EU countries to the USA can no longer rely on Safe Harbor.

Additional Reading:

Update 2015-10-09: Reaction to the above by Brad Smith (President and Chief Legal Officer @ MSFT): http://blogs.microsoft.com/on-the-issues/2015/10/06/a-message-to-our-customers-about-eu-us-safe-harbor/

Cheers,
Jorge

Posted in Day-To-Day Stuff

(2015-10-07) Microsoft Announces The Surface Pro 4 – What MSFT And Others Are Saying

Posted by Jorge on 2015-10-07


Microsoft announced the Surface Pro 4 with Windows 10. I understand it can support up to 16GB of RAM and 1TB of storage. I do not want to know what that thing costs with those specs, but it is cool and definitely a laptop replacement!

Additional Reading:

Cheers,
Jorge

Posted in Day-To-Day Stuff, Hardware/Devices
