Special note for Ubuntu users

Breakfast Bytes podcasts are streaming MP3. In order for Firefox on Ubuntu to play the streaming MP3, install the GStreamer extra plugins that list MP3 as one of the supported formats. GStreamer can be obtained through the Ubuntu Software Center.

Breakfast Bytes - Fileless Ransomware

8/5/2017

Fileless Ransomware



Understanding fileless ransomware and mitigation techniques.

MP3 - Fileless Ransomware

Fileless Ransomware

Ransomware, and malware in general, are harder to detect and defend against than ever before. Understand the threat and what can be done to mitigate it.

Sorebrect

http://blog.trendmicro.com/trendlabs-security-intelligence/analyzing-fileless-code-injecting-sorebrect-ransomware/

Sorebrect is an example of the type of threat that many organizations are now trying to find an effective way to mitigate.

A lot of fileless ransomware and malware traverses systems, using Mimikatz to steal credentials and injecting its malicious code into otherwise legitimate processes.

Setting up logging and analysis of events such as 4798 and 4799 (a user's local group membership was enumerated, and a security-enabled local group's membership was enumerated) takes a great deal of effort.

But getting that system in place is becoming a necessity even in the smallest organizations, because of the impact of the malware and the lack of any other way to detect the malicious activity.

Sorebrect is also extremely stealthy in that it deletes traces of its activity and presence.

It is worth noting that the source of the infection could have been stopped entirely by a few measures:

  • Using LAPS on the network
  • Preventing the compromise of domain admin credentials by NOT allowing DA credentials to log on to non-servers
  • It could also have been stopped at the server level by setting up restrictions that disable WMI and WinRM unless the traffic comes from an appropriate source. There is no reason for inbound WMI and WinRM traffic to reach servers from non-server or non-management subnets. This is all the MORE reason why your network must be segmented and properly designed.

Credentials on remote systems can be brute-forced if there is no account lockout and/or no tracking of account logon failures.

Use of MFA can eliminate this threat.

RDP can also be used to install malware, as can PsExec, using compromised credentials.

RDP from non-management LANs should not be allowed.

As an admin, you need to restrict access to these entry points with IP-range restrictions at the host-based firewall level.
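As an added example (not from the podcast or from any of the linked articles), the following PowerShell script applies the host-based firewall restriction described above to a Windows server: it narrows the built-in inbound rule groups for WinRM, WMI, RDP and SMB (the channel PsExec relies on) so they accept traffic only from management subnets, then reports any rule in those groups still open to Any. The subnet values are constructed placeholders, and the DisplayGroup names are assumed to match what Get-NetFirewallRule reports on the target build.

```powershell
# Added example: scope inbound remote-management rule groups on a server
# to management subnets only. Subnets are constructed placeholders; the
# DisplayGroup names are assumed to match this build (verify first with
# Get-NetFirewallRule -Direction Inbound | Select-Object DisplayGroup -Unique).
#Requires -RunAsAdministrator
param(
    # Constructed example: management and jump-host subnets allowed in.
    [string[]]$ManagementSubnets = @('10.10.100.0/24', '10.10.101.0/24'),
    [switch]$WhatIf
)

# Inbound groups carrying the lateral-movement channels the notes call out:
# WinRM (5985/5986), WMI (DCOM/RPC), RDP (3389) and the admin shares PsExec
# uses (SMB 445).
$groups = @(
    'Windows Remote Management',
    'Windows Management Instrumentation (WMI)',
    'Remote Desktop',
    'File and Printer Sharing'
)

foreach ($group in $groups) {
    $rules = Get-NetFirewallRule -DisplayGroup $group -Direction Inbound -ErrorAction SilentlyContinue
    if (-not $rules) {
        Write-Warning "No inbound rules found for group '$group'; check the DisplayGroup name on this build."
        continue
    }
    # Narrow the remote scope so only the management subnets can reach these
    # ports; anything else falls through to the profile's default inbound block.
    $rules | Set-NetFirewallRule -RemoteAddress $ManagementSubnets -WhatIf:$WhatIf
    Write-Host ("Scoped {0} inbound rule(s) in '{1}' to {2}" -f @($rules).Count, $group, ($ManagementSubnets -join ', '))
}

# Verify: flag any enabled inbound rule in those groups still open to Any.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { $groups -contains $_.DisplayGroup } |
    ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        if (@($remote) -contains 'Any') {
            Write-Warning "Rule '$($_.DisplayName)' still accepts inbound traffic from Any."
        }
    }
```

Run it once with -WhatIf from a session on a management subnet before committing the change, since scoping these rules too tightly will cut off your own remote access.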

The Rise of Fileless Threats that Abuse PowerShell

https://www.trendmicro.com/vinfo/us/security/news/security-technology/security-101-the-rise-of-fileless-threats-that-abuse-powershell

PsExec

http://windowsitpro.com/systems-management/psexec

Enable PowerShell Logging - Heading Off Malicious Code

Enabling PowerShell Logging

https://blogs.msdn.microsoft.com/powershell/2015/06/09/powershell-the-blue-team/

Windows PowerShell - Heading Off Malicious Code

https://technet.microsoft.com/en-us/library/2008.01.powershell.aspx

Hardening via execution policies

How endpoint solutions can protect business against ransomware

http://blog.trendmicro.com/trendlabs-security-intelligence/how-endpoint-solutions-can-protect-businesses-against-ransomware/

Ransomware arrival tactics

http://blog.trendmicro.com/trendlabs-security-intelligence/ransomware-arrival-methods/

Network solutions to ransomware - stopping and containing its spread

https://blog.trendmicro.com/trendlabs-security-intelligence/network-solutions-ransomware-stopping-containing-spread/

  • Command and control
  • Propagation