By Check Point’s Incident Response Team
In our industry, we tell our stories with an eye toward the hackers. While the antagonists take up all the spotlight, the heroes that stop the attacks are relegated to cameo roles.
Nowadays, thought leaders in the security industry are shifting their views on sharing information after cyber attacks – instead of just shaming the victim, there’s an oppurtinity to safely share knowledge and intelligence for the greater good.
From the trenches of cyber-warfare, this blog is the first part of a regular series telling the Check Point incident response teams’ war stories. We hope that our experiences and insights can help the security community while educating the public on handling cyber attacks.
In the middle of April 2018, Check Point’s Managed Security Services (MSS) team and Check Point Incident Response noticed that something was amiss at a particular university in the Asia-Pacific region.
A PC in their trusted network was displaying some signs of malicious activity – in this case, a known malicious command and control communication pattern – while connected to medical research equipment. The Check Point teams notified the university, and they engaged the Check Point Incident Reponse team to investigate the incident.
The Dangers Of Lateral Movement
On arrival, we identified server message block (SMB) scanning activity, and got to work on conducting a forensic analysis. We found three suspicious files and three suspicious drivers, and further reverse engineering analysis by our research team, revealed our culprit: a new variant of the sophisticated and virulent dropper, Glupteba.
SMB is an application layer network protocol mainly used to share files – for example, \\directory, commonly found in offices, runs on SMB protocol. In this particular case, once the malware infects the computer, they’ll start scanning both internal and external network (as in, the Internet) for open SMB ports, in order to try to “hop” to other parts of the network and infect the entire organization.
That means an organization only needs one vulnerability, in only one machine, for one infection to hit the entire network. One employee connecting their phone to an unsecured wi-fi network, or one user giving up his credentials to a phishing email scam… just one momentary lapse and the whole organization is at risk.
WannaCry spread through hundreds of countries and caused billions of dollars of damage by using EternalBlue – the military-grade hacking weapon stolen from the NSA – and exploiting a known Microsoft SMB vulnerability. This allowed WannaCry to move laterally across networks, which is a core reason why WannaCry and NotPetya are often considered the turning point between fourth and fifth generation cyber-attacks.
Once the Check Point incident response team saw the lateral movement between the SMB ports and identified the malware, we set out to figure out how a PC – connected only to medical research network – got infected with this malware.
Finding Patient Zero
The network was properly segmented, meaning that the different networks with different security needs had effective barriers to prevent cross-contamination.
But somehow, the malware managed to move laterally from the open, public student network onto the private, sensitive research network. Thankfully, the university’s IT team was on top of their game and consolidated their management far in advance.
Across all IT teams, there’s a clear best practice: consolidate the system’s management across all networks onto a single pane of glass, and you’ll be much more effective against cyber attacks. And because the university was already practicing this advice, we were able to retrieve logs from both the research lab network and the public student network, giving the clue our forensics team needed.
As we turned to the public student network, we quickly saw exactly what we needed to see: several students had the same malware on the laptop. A few questions to the faculty later, we found our patient zero.
One particular student, an occasional volunteer at the lab, had accessed the machine the day the suspicious activity began. The logs confirmed that for a few minutes, the student logged onto the medical device and connected it to the open student wireless network.
Those few minutes were all it took for the machine to get infected.
That momentary lapse in cyber hygiene was the only way the malware could get into the sensitive research network, which is all thanks to the university’s IT team staying on top of their game and properly segmenting the networks ahead of time. If the university didn’t segment the two networks, then the second the Glubepta malware enters the easy-to-access public network… it’d have a much easier time getting into the research network.
The best security strategy and practice is no match to human error, but it can greatly minimize the risks. In this case, the university did segment the two networks and did consolidate the system’s management, allowing for a quick and effective response on our part.
The university avoided disaster, but this case highlighted several important lessons:
- Proper network segmentation is still one of the most critical security controls – if the university didn’t segment their research network, the infected machine would have enabled the host malware to spread laterally, quickly attacking the entire organization even without the cross contamination.
- Improperly connecting to an unsecured network can get your machine infected in a blink of an eye – so organizations should monitor devices that connect to multiple wireless networks.
- Patching is equally critical, and it is vital that vendors providing PCs for medical research provide/approve patches in a timely fashion.
- Most medical devices and research tools are mission critical and not designed with security in mind, and so updating them takes down time – in lieue of patching, isolation and micro-segmenting works in a pinch.
In The Fifth-Generation of Cyber Attacks, Prevention Is The Best Cure
Our intelligence shows that many malware families are incorporating the fifth-gen sophisticated, laterally moving-tools that we saw in this incident, and organizations need to be prepared for a breach. From the response perspective, micro-segmentation and inspecting internal traffic for lateral movement along with Endpoint Detection and Response were all critical toward swiftly resolving the issue.
But more than anything, the main takeaway, as we say time and time again: investing in prevention is much cheaper than having the best tools to detect a breach.
Stay tuned for more cyber-war stories from the Incident Response Team by following us on: