Breaking Alert Issued Against SamSam Ransomware

Posted December 4, 2018 by Lily Teplow

On Monday, December 3, the FBI and Department of Homeland Security (DHS) issued an alert for SamSam ransomware—also known as MSIL/SAMAS.A—after identifying certain cyber threat actors using the ransomware to target industries in the United States and worldwide.

In this post, we cover the breaking news and what MSPs should take note of, how the SamSam ransomware works, and what you can do to protect against it.

SamSam Ransomware: How it Works

As explained in the DHS alert, the SamSam actors exploit Windows servers to gain persistent access to a victim’s network and infect all reachable hosts. According to earlier reports, this is done by:

  • The cyber actors using the JexBoss Exploit Kit to access vulnerable JBoss applications
  • The cyber actors using Remote Desktop Protocol (RDP) to gain persistent access to victims’ networks

After gaining access to a particular network—typically through brute force attacks or stolen login credentials—the SamSam actors escalate privileges for administrator rights, drop malware onto the server, and run an executable file, all without victims’ action or authorization.

Detecting RDP intrusions can be challenging because the attacker enters through an approved access point using valid (brute-forced or stolen) credentials, so the session looks like any other remote logon. While many ransomware campaigns rely on a victim completing an action, such as opening an email attachment or visiting a compromised website, RDP allows cyber actors to infect victims with minimal detection and without any user interaction.

What MSPs Should Know About SamSam Ransomware

SamSam relies on known vulnerabilities and on weak or stolen RDP credentials rather than on novel exploits, so it is important for businesses and MSPs not to forget security basics in these instances. But what else should MSPs know about SamSam and threats like it? Here is some advice and insight from Michael Vincent, Senior Product Manager at Continuum:

“SamSam is significant for MSPs as the deployment is decidedly low-tech in most cases, and there isn't a patch that prevents an attacker from using stolen credentials. While it is possible to use other vectors to infect a network, many recent SamSam attacks have been deployed by the attacker remotely logging into machines via RDP, disabling or removing antivirus software and then installing the malware. This requires the attacker to be able to remotely connect to the system with a user account that has permission to manage software on the target machine. To protect against this, MSPs should either disable RDP access if it is not needed or restrict access to RDP by either requiring a VPN connection or only allowing access from trusted IP addresses. With Continuum’s Profile & Protect, for example, providers can monitor and report on user permissions and RDP being enabled—helping identify systems at greater risk for malware such as SamSam and its variants.

Additionally, a user’s ability to add or remove software should be restricted if possible. As a final measure, MSPs should deploy a tamper-proof endpoint protection product that places additional controls on administrators when removing the endpoint protection software. Continuum’s Detect & Respond – Endpoint, which is powered by SentinelOne, has this tamper-proof feature—making it difficult for an unauthorized user to uninstall the protection software.”
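The checks Vincent describes (is RDP enabled, is it reachable from anywhere, does the host lock accounts after repeated failures, and who can log on remotely) can be scripted on each endpoint. The following PowerShell is an added example for this post; it is not text from the DHS/FBI alert and it is not Continuum's Profile & Protect or Detect & Respond code. It assumes an elevated Windows PowerShell 5.1 session on Windows 10 / Server 2016 or later (for the NetSecurity and Microsoft.PowerShell.LocalAccounts modules) and English-localized `net accounts` output. The function and property names are illustrative choices, not a standard.

```powershell
# Added example: local RDP exposure audit for one Windows host.
# Not part of the DHS/FBI alert or of Continuum's tooling. Run elevated on
# Windows 10 / Server 2016 or later (uses the NetSecurity and
# Microsoft.PowerShell.LocalAccounts modules that ship with Windows).

function Get-RdpExposureReport {
    [CmdletBinding()]
    param()

    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp = Join-Path $tsKey 'WinStations\RDP-Tcp'

    # fDenyTSConnections = 1 means Remote Desktop is turned off.
    $rdpEnabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0

    # UserAuthentication = 1 means Network Level Authentication is required:
    # credentials are checked before a session is created. NLA does not stop
    # password guessing, so lockout policy and network exposure still matter.
    $nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication -eq 1

    # Listening port; 3389 is the default the alert calls out.
    $port = (Get-ItemProperty -Path $rdpTcp -Name PortNumber).PortNumber

    # Enabled inbound allow rules for that port whose remote scope is "Any".
    # A rule scoped to a VPN subnet or to trusted addresses will not match here.
    $openRules = @(Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object {
            (($_ | Get-NetFirewallPortFilter).LocalPort -contains "$port") -and
            (($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any')
        } | Select-Object -ExpandProperty DisplayName)

    # Lockout threshold from the effective local policy (English output assumed).
    # "Never" means an attacker gets unlimited guesses.
    $lockout = [string](((net accounts) -match 'Lockout threshold') -replace '^.*:\s*', '')

    # Accounts that can log on over RDP. Members of Administrators always can,
    # which is why the quoted advice also stresses limiting admin rights.
    $rdpUsers = @(Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name)
    $admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Name)

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        RdpEnabled       = $rdpEnabled
        NlaRequired      = $nla
        RdpPort          = $port
        RulesOpenToAny   = $openRules
        LockoutThreshold = $lockout
        RdpUsers         = $rdpUsers
        LocalAdmins      = $admins
        Risk             = $(if ($rdpEnabled -and $openRules.Count -gt 0) { 'High: RDP enabled and reachable from any address' }
                             elseif ($rdpEnabled) { 'Medium: RDP enabled, firewall scope restricted' }
                             else { 'Low: RDP disabled' })
    }
}

# Usage: run on the host, or wrap in Invoke-Command / your RMM script runner
# and pipe to Export-Csv to build the fleet-wide RDP inventory the alert asks for.
Get-RdpExposureReport | Format-List
```

The firewall check deliberately reports only rules whose remote address scope is "Any": a host where RDP is enabled but the allow rule is scoped to the VPN subnet or a short list of trusted addresses is the state Vincent recommends, and it is reported as medium rather than high.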

Protecting Against SamSam Ransomware

DHS and FBI recommend that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems and mitigate the risk of SamSam ransomware infection:

  • Audit your network for systems that use RDP for remote communication. Disable the service if unneeded or install available patches. Users may need to work with their technology vendors to confirm that patches will not affect system processes.
  • Verify that all cloud-based virtual machine instances with public IPs have no open RDP ports, especially port 3389, unless there is a valid business reason to keep open RDP ports. Place any system with an open RDP port behind a firewall and require users to use a virtual private network (VPN) to access that system.
  • Enable strong passwords and account lockout policies to defend against brute force attacks.
  • Where possible, apply two-factor authentication.
  • Regularly apply system and software updates.
  • Maintain a good backup strategy.
  • Enable logging and ensure that logging mechanisms capture RDP logins. Keep logs for a minimum of 90 days and review them regularly to detect intrusion attempts.
  • When creating cloud-based virtual machines, adhere to the cloud provider’s best practices for remote access.
  • Ensure that third parties that require RDP access follow internal policies on remote access.
  • Minimize network exposure for all control system devices. Where possible, disable RDP on critical devices.
  • Regulate and limit external-to-internal RDP connections. When external access to internal resources is required, use secure methods such as VPNs. Of course, VPNs are only as secure as the connected devices.
  • Restrict users' ability (permissions) to install and run unwanted software applications.
  • Scan for and remove suspicious email attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
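Two points above only pay off if someone actually looks at the data: the observation that RDP intrusions are hard to spot because they arrive through an approved access point, and the recommendation to log RDP logins and review them regularly. The following PowerShell is an added example for this post (not from the DHS/FBI alert and not Continuum's tooling) that reads the local Security log and, per source address, counts failed and successful RDP logons and flags the pattern SamSam operators produce: many failures from one address followed by a success. It assumes an elevated session, that "Audit Logon" success and failure auditing is enabled, and the default 20-failure threshold is an arbitrary starting point to tune.

```powershell
# Added example: summarise RDP logon attempts from the local Security log so
# the log reviews the alert asks for can be run against actual events.
# Not from the alert or from Continuum's tooling. Assumes an elevated session
# and that "Audit Logon" success and failure auditing is enabled.

function Get-RdpLogonSummary {
    [CmdletBinding()]
    param(
        [int]$Hours = 24,
        [int]$FailureThreshold = 20   # illustrative default; tune per environment
    )

    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } -ErrorAction SilentlyContinue

    # Pull the fields we need out of each event's XML. LogonType 10 is
    # RemoteInteractive (RDP). When NLA is enabled, failed guesses are usually
    # logged as LogonType 3 (network) because CredSSP rejects them before a
    # session exists, so type 3 failures are kept as well. Local logons have
    # no usable IpAddress ("-") and are dropped.
    $records = foreach ($e in $events) {
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if (($d['LogonType'] -in @('3', '10')) -and $d['IpAddress'] -and $d['IpAddress'] -ne '-') {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                EventId = $e.Id
                User    = $d['TargetUserName']
                Source  = $d['IpAddress']
            }
        }
    }
    if (-not $records) { return }

    foreach ($group in ($records | Group-Object Source)) {
        $fails     = @($group.Group | Where-Object EventId -eq 4625 | Sort-Object Time)
        $successes = @($group.Group | Where-Object EventId -eq 4624)

        # The signal that matters for SamSam-style intrusions: a source that
        # guessed at least $FailureThreshold times and then logged on.
        $successAfterFails = $false
        if ($fails.Count -ge $FailureThreshold) {
            $crossedAt = $fails[$FailureThreshold - 1].Time
            $successAfterFails = @($successes | Where-Object { $_.Time -gt $crossedAt }).Count -gt 0
        }

        [pscustomobject]@{
            Source            = $group.Name
            Failures          = $fails.Count
            UsersTried        = @($fails | Select-Object -ExpandProperty User -Unique).Count
            Successes         = $successes.Count
            BruteForceLikely  = $fails.Count -ge $FailureThreshold
            SuccessAfterFails = $successAfterFails
        }
    }
}

# Usage: review the last three days, noisiest sources first.
Get-RdpLogonSummary -Hours 72 | Sort-Object Failures -Descending | Format-Table -AutoSize
```

A source with a high `Failures` count and many `UsersTried` is password spraying; `SuccessAfterFails` being true is the case to treat as a live intrusion rather than noise, because it matches the stolen-or-guessed-credential entry the alert describes. Because the Security log on a busy host can roll over in far less than the 90 days the alert recommends, forward these events to central storage rather than relying on the local log alone.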

We will continue to update this story as it develops.

Lily is a Content Marketing Manager at Continuum and is passionate about helping businesses solve their biggest challenges. She is responsible for managing Continuum’s MSPblog and writing on a variety of topics, from sales and marketing to cybersecurity, helping establish authority in the MSP market. Lily is also a seasoned content creator and has supported Continuum’s PR and media efforts. In her spare time, Lily enjoys singing, traveling the world, and cheering on her favorite Boston sports teams!
