General · 3 min read - 03 May 2017

Port forwarding: care to prevent ransomware attacks


When we talk about perimeter security, one of the main things to consider is the care taken when exposing the ports used by the company's internal services to the internet.

This type of vulnerability, easily found and exploited by criminals with relatively simple techniques (a port scan with Nmap, for example), has been one of the major causes of ransomware incidents in companies.

Knowing the anatomy of the attack

In order to work on prevention, it is important to understand the anatomy of this type of attack. In short, the modus operandi is as follows:

  1. A criminal performs a port scan against the company's URL, searching for ports exposed to the internet (i.e. accepting connections from any source).
  2. With this information in hand, the attacker looks for patterns to direct the attack, usually based on the standard ports used by services (3389, for example, well known for remote Windows connections).
  3. Attacks then follow two lines: exploiting vulnerabilities in the system and/or weak credentials via brute force (trial-and-error password guessing).
  4. After gaining access to the environment, the goal is to find what is important on the company network; databases are common targets.
  5. This data is encrypted with a virtually unbreakable key, usually based on AES-256. Another criminal practice that has also been seen is threatening to leak the data (a technique called doxing, which exploits the risk of disclosure of confidential information).
  6. For the company to regain access to its data and/or keep confidential information from being disclosed, a ransom is demanded in bitcoin (a virtual currency quoted in dollars and without traceability). It is worth emphasizing that payment gives absolutely no guarantee that the data will be recovered or kept confidential: you are in the hands of criminals.

Having put this type of attack in context, we can present suggestions to prevent such an incident.

Forwarding ports to combat Ransomware attacks

The first step is to perform a port scan to identify how visible your company's ports are from the internet, the same thing a malicious individual would do to reveal your weaknesses.

When open ports are identified, each of them should be studied, starting from the following classification model:

  1. Obsolete and/or unnecessary port forwarding:

For these cases, the recommendation is simple and obvious: they should be canceled immediately.

  2. Port forwarding used sporadically and/or by specific users:

These services, because they are used by a specific and predefined group of people, allow control and restriction policies to be applied more easily. Access can be provided through secure VPN tunnels with individual credentials, or source restrictions can be implemented so that only specific IP addresses are allowed.

  3. Port forwarding that needs to be exposed to the internet:

For cases where there is no choice, we need to be aware of some critical details:

Credentials: avoid default user names such as "admin".

Passwords: use complex passwords of at least 12 characters, including numbers, letters and special characters.

Updates: keep services always up to date. Many security holes are exploited in outdated systems, and the updates released by vendors exist, for the most part, precisely to fix vulnerabilities that have been discovered and mapped.

Web encryption: for services running over HTTP, enable HTTPS (secure). Data transmitted over plain HTTP can be easily intercepted.

During the process, you may identify a port forward whose purpose is not clear. In such cases the recommendation is to cancel the port forwarding (as presented in item 1), documenting the intervention. After the intervention, establish a monitoring window so that no business-critical service is compromised. With these precautions, the redirection can be restored quickly if necessary.
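The self-scan and the three-category classification described above can be turned into a repeatable audit. The following is an added example, not code from the original post or its authors: it parses a constructed sample of Nmap's grepable output (`-oG`) for a self-scan of a company address in the 203.0.113.0/24 documentation range, compares each open port with a hypothetical inventory of documented port forwards, and recommends an action (cancel, restrict sources, harden) for each one. The inventory, the categories' field names and the list of well-known default ports are assumptions for the example.

```python
"""Audit open ports from a self-scan against a documented port-forwarding inventory.

Added example (not from the original post). The scan output and the inventory are
constructed; the address 203.0.113.10 is from the documentation range.
"""
import re

# Constructed sample of what `nmap -oG -` prints for a self-scan of one host.
SCAN_OUTPUT = """\
# Nmap scan initiated (constructed sample)
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///, 8080/open/tcp//http-proxy///\tIgnored State: filtered (996)
# Nmap done (constructed sample)
"""

# Hypothetical inventory of documented port forwards, following the post's categories:
# 1 = obsolete/unnecessary, 2 = sporadic/specific users, 3 = must be exposed to the internet.
INVENTORY = {
    22:   {"service": "ssh jump host", "category": 2, "allowed_sources": ["198.51.100.0/24"]},
    443:  {"service": "customer web portal", "category": 3, "allowed_sources": ["0.0.0.0/0"]},
    3389: {"service": "legacy RDP to old file server", "category": 1, "allowed_sources": ["0.0.0.0/0"]},
}

# Well-known default ports (assumed list) that attackers try first; the post cites 3389.
RISKY_DEFAULT_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 1433: "mssql",
                       3306: "mysql", 3389: "rdp", 5900: "vnc"}

# One "port/state/proto//service/" field in an -oG "Ports:" list.
PORT_RE = re.compile(r"(\d+)/open/(tcp|udp)//([^/]*)/")


def parse_open_ports(grepable):
    """Return (port, proto, service) for every open port in Nmap -oG output."""
    found = []
    for line in grepable.splitlines():
        if "Ports:" not in line:
            continue  # status lines and comments carry no port data
        for m in PORT_RE.finditer(line):
            found.append((int(m.group(1)), m.group(2), m.group(3)))
    return found


def classify_exposure(open_ports, inventory=INVENTORY):
    """Map each open port to a recommended action following the post's three categories."""
    result = {}
    for port, proto, svc in open_ports:
        entry = inventory.get(port)
        if entry is None:
            # Reachable from the internet but nobody documented it: cancel and document (item 1).
            result[port] = "UNDOCUMENTED_CANCEL"
        elif entry["category"] == 1:
            result[port] = "CANCEL"
        elif entry["category"] == 2:
            # Specific users: must be reachable only from known sources or via VPN (item 2).
            restricted = "0.0.0.0/0" not in entry["allowed_sources"]
            result[port] = "OK_RESTRICTED" if restricted else "RESTRICT_SOURCES"
        elif port in RISKY_DEFAULT_PORTS:
            # Must be exposed and sits on a well-known default port: harden credentials,
            # patch, and consider moving it off the default port (item 3).
            result[port] = "HARDEN_DEFAULT_PORT"
        else:
            result[port] = "OK_EXPOSED"
    return result


if __name__ == "__main__":
    for port, action in sorted(classify_exposure(parse_open_ports(SCAN_OUTPUT)).items()):
        svc = INVENTORY.get(port, {}).get("service", "<not in inventory>")
        print(f"{port:>5}  {action:<20}  {svc}")
```

Run against the sample, 8080 is reported as undocumented (cancel, document, then watch the monitoring window), 3389 as a forward to cancel, 22 as acceptable because it is source-restricted, and 443 as an accepted exposure.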

Another valuable tip is to modify, whenever possible, the default ports of services, making it harder for malicious users to act.

As a complement, consider implementing monitoring policies with alerts and logs of accesses to external ports, to make it easier to identify abnormal connections, which may in fact be signs of malicious exploitation attempts.
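The monitoring suggested above can be expressed as a few simple rules over the perimeter firewall's connection log. The block below is an added example, not part of the original post: the log line format, the inventory of exposed ports with their allowed source ranges, and the log lines themselves are constructed. It raises an alert when a connection reaches a port that is not in the inventory, when a source outside the allowed ranges reaches a restricted port, and when one source opens many connections to the same port in a short window, which is what a brute-force attempt on credentials looks like from the firewall's point of view.

```python
"""Flag abnormal external connections in perimeter firewall logs.

Added example, not code from the original post. Log format, inventory and the
sample lines are constructed (addresses from the documentation ranges).
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Hypothetical inventory: exposed port -> source ranges allowed to reach it.
EXPOSED = {
    22:  ["198.51.100.0/24"],   # sporadic use by a partner, source-restricted
    443: ["0.0.0.0/0"],         # public web service
}

# Hypothetical firewall log format used by the constructed sample.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) fw (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=\S+ "
    r"dport=(?P<dport>\d+) proto=tcp$"
)

SAMPLE_LOG = """\
2017-05-03T10:00:01 fw ACCEPT src=198.51.100.7 dst=203.0.113.10 dport=22 proto=tcp
2017-05-03T10:00:05 fw ACCEPT src=192.0.2.44 dst=203.0.113.10 dport=443 proto=tcp
2017-05-03T10:00:07 fw ACCEPT src=192.0.2.99 dst=203.0.113.10 dport=22 proto=tcp
2017-05-03T10:00:08 fw ACCEPT src=192.0.2.99 dst=203.0.113.10 dport=22 proto=tcp
2017-05-03T10:00:09 fw ACCEPT src=192.0.2.99 dst=203.0.113.10 dport=22 proto=tcp
2017-05-03T10:00:10 fw ACCEPT src=192.0.2.99 dst=203.0.113.10 dport=22 proto=tcp
2017-05-03T10:00:11 fw ACCEPT src=192.0.2.99 dst=203.0.113.10 dport=22 proto=tcp
2017-05-03T10:00:40 fw DROP src=192.0.2.130 dst=203.0.113.10 dport=23 proto=tcp
2017-05-03T10:01:30 fw ACCEPT src=192.0.2.120 dst=203.0.113.10 dport=3389 proto=tcp
"""


def parse_log(text):
    """Yield (timestamp, action, source address, destination port) per parseable line."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines in other formats
        events.append((datetime.fromisoformat(m["ts"]), m["action"],
                       ipaddress.ip_address(m["src"]), int(m["dport"])))
    return events


def source_allowed(src, cidrs):
    return any(src in ipaddress.ip_network(c) for c in cidrs)


def analyze(text, exposed=EXPOSED, burst_threshold=5, window=timedelta(seconds=60)):
    """Return sorted (alert_kind, source, port) tuples for accepted connections."""
    alerts = set()
    recent = {}  # (src, dport) -> timestamps of accepted connections inside the window
    for ts, action, src, dport in parse_log(text):
        if action != "ACCEPT":
            continue  # dropped packets never reached a service
        if dport not in exposed:
            # An accepted connection to a port nobody documented as exposed.
            alerts.add(("UNDOCUMENTED_PORT", str(src), dport))
            continue
        if not source_allowed(src, exposed[dport]):
            alerts.add(("SOURCE_NOT_ALLOWED", str(src), dport))
        bucket = recent.setdefault((src, dport), [])
        bucket.append(ts)
        while bucket and ts - bucket[0] > window:
            bucket.pop(0)  # slide the window forward
        if len(bucket) >= burst_threshold:
            alerts.add(("CONNECTION_BURST", str(src), dport))
    return sorted(alerts)


if __name__ == "__main__":
    for kind, src, dport in analyze(SAMPLE_LOG):
        print(f"{kind:<20} {src:<15} port {dport}")
```

On the sample, the five rapid connections from 192.0.2.99 to port 22 produce both a burst alert and a source-not-allowed alert, and the accepted connection to 3389 is flagged because that port is not in the inventory; the partner's connection to 22 and the public connection to 443 produce nothing. The thresholds are parameters because the right values depend on how busy each service normally is.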

Now that you know a little more, take the opportunity to close your company's ports and avoid virtual threats. If you still have questions about the topic, feel free to talk to one of our experts.
