7 dumb ways to be a ransomware victim, and how to avoid them

Don't make it easy for ransomware attackers. Review your Windows network for these weaknesses now. You might be surprised by what you find.


Ransomware is once again in the news. Attackers are reportedly targeting health care providers and are using targeted phishing campaigns disguised as meeting invites or invoices that contain links to Google documents, which then lead to PDFs with links to signed executables that have names with distinctive words like "preview" and "test".

Once the ransomware enters a system, attackers go after low-hanging fruit left behind on our networks to move laterally and do more damage. Such easy access is preventable and might be the result of an old and forgotten setting or an outdated policy. Here’s how you can check for seven common Windows network weaknesses and keep ransomware perpetrators from embarrassing you and your team.

1. Passwords stored in Group Policy preferences

Did you ever store passwords in Group Policy preferences? In 2014, MS14-025 removed the ability to set new passwords in Group Policy preferences, but it did not remove the passwords already there: any cpassword value written before the patch still sits in SYSVOL, readable by every domain user, and Microsoft had published the AES key used to encrypt it. Ransomware attackers use the Get-GPPPassword PowerShell script to harvest these left-behind credentials.

Review your Group Policy preferences to see if your organization ever stored passwords this way. Then think of any other place you have left credentials behind: scripts, batch files, Notepad files, scratchpad locations and other files that are not protected. Review your administrative processes for all of them.
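The check itself can be scripted without PowerSploit. The following is an added example, not code from the article or from the Get-GPPPassword project: it walks the SYSVOL Policies folder for the preference XML files that can carry a cpassword attribute and decrypts each value with the AES-256 key Microsoft published. The default SYSVOL path, the function names and the sample Groups.xml (with a publicly circulated sample cpassword value, not a live credential) are assumptions made for the example.

```powershell
# Walk SYSVOL for Group Policy Preference XML files that still carry a
# cpassword attribute, and decrypt each one with the AES-256 key Microsoft
# published in its GPP documentation (which is why these values are not secret).
# Run from a domain-joined host; reading SYSVOL needs only a normal user account.

$GppAesKey = [byte[]](
    0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
    0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)

function Unprotect-GppCPassword {
    param([Parameter(Mandatory)][string]$CPassword)
    # GPP strips the '=' padding from the base64 text; put it back before decoding.
    $padded = $CPassword + ('=' * ((4 - $CPassword.Length % 4) % 4))
    $cipher = [Convert]::FromBase64String($padded)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $GppAesKey
    $aes.IV = New-Object byte[] 16          # GPP used an all-zero IV
    $aes.Mode = 'CBC'
    $aes.Padding = 'PKCS7'
    $plain = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    [System.Text.Encoding]::Unicode.GetString($plain)   # stored as UTF-16LE
}

function Get-GppCredentialFromXml {
    param([Parameter(Mandatory)][string]$XmlText, [string]$Source = '<inline>')
    $xml = [xml]$XmlText
    # The account attribute differs by preference type (userName, accountName, runAs),
    # so match on the cpassword attribute and take whichever name attribute is present.
    foreach ($node in $xml.SelectNodes('//*[@cpassword]')) {
        $account = @($node.userName, $node.accountName, $node.runAs) |
            Where-Object { $_ } | Select-Object -First 1
        [pscustomobject]@{
            Source   = $Source
            Account  = $account
            Password = Unprotect-GppCPassword -CPassword $node.cpassword
        }
    }
}

function Find-GppCredential {
    # Assumption: the Policies folder of the current domain's SYSVOL share.
    param([string]$PoliciesPath = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies")
    $candidates = 'Groups.xml','Services.xml','ScheduledTasks.xml','DataSources.xml','Printers.xml','Drives.xml'
    Get-ChildItem -Path $PoliciesPath -Recurse -Include $candidates -ErrorAction SilentlyContinue |
        ForEach-Object { Get-GppCredentialFromXml -XmlText (Get-Content $_.FullName -Raw) -Source $_.FullName }
}

# Constructed sample in the shape of a pre-MS14-025 Groups.xml. The cpassword value is a
# publicly circulated sample value (the one gpp-decrypt's documentation uses), not a live credential.
$SampleGroupsXml = @'
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="LocalAdmin" image="2">
    <Properties action="U" newName="" fullName="" description="Local admin set by GPP"
      cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw"
      changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="LocalAdmin"/>
  </User>
</Groups>
'@

Get-GppCredentialFromXml -XmlText $SampleGroupsXml | Format-Table -AutoSize
# Against a real domain:
# Find-GppCredential | Format-Table -AutoSize
```

Anything this returns should be treated as already compromised: delete the preference item, rotate the password on every machine it was pushed to, and check the SYSVOL file's history in your backups, since a value removed today was still readable for years.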

2. Using Remote Desktop Protocol

Do you still use insecure and unprotected Remote Desktop Protocol (RDP)? I still see reports where attackers use brute force and harvested credentials to break into RDP exposed to the internet. It was very easy to set up servers, virtual machines and even Azure servers with Remote Desktop enabled. Exposing Remote Desktop without at least minimum protections, such as limiting access to specific static IP addresses, placing it behind an RD Gateway or VPN, and requiring two-factor authentication, puts you at severe risk of an attacker taking control of your network. Remember, you can add software like Duo to on-premises computers to require a second factor for Remote Desktop logons.
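A quick way to see where a given host stands is to read the Terminal Server settings and the scope of the built-in firewall rules. The following is an added example, not code from the article: it reports whether RDP is on, whether Network Level Authentication and the TLS security layer are required, and whether any enabled Remote Desktop firewall rule accepts connections from any address, and it offers a function that scopes those rules to an allow-list. The function names and the management subnet in the usage line are assumptions; run it in an elevated session on the server being checked.

```powershell
# Audit the local host's Remote Desktop exposure and, optionally, restrict the
# built-in "Remote Desktop" firewall rules to a management allow-list.
function Get-RdpExposure {
    $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue
    # Collect the remote-address scope of every enabled RDP rule. 'Any' means the
    # whole internet can reach the port if the host has a public address.
    $scopes = foreach ($r in $rules) { ($r | Get-NetFirewallAddressFilter).RemoteAddress }
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        RdpEnabled        = ($ts.fDenyTSConnections -eq 0)
        NlaRequired       = ($tcp.UserAuthentication -eq 1)   # Network Level Authentication
        TlsSecurityLayer  = ($tcp.SecurityLayer -eq 2)        # 2 = TLS, 0 = legacy RDP security
        ListeningPort     = $tcp.PortNumber
        RuleRemoteAddress = (($scopes | Sort-Object -Unique) -join ',')
        OpenToAnySource   = [bool]($scopes -contains 'Any')
    }
}

function Limit-RdpSources {
    # Scope every built-in Remote Desktop rule to the allow-list and require NLA.
    # Assumption: $AllowedSources is your management subnet or jump host addresses.
    param([Parameter(Mandatory)][string[]]$AllowedSources)
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
        Set-NetFirewallRule -RemoteAddress $AllowedSources
    Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
        -Name UserAuthentication -Value 1
}

$state = Get-RdpExposure
$state
if ($state.RdpEnabled -and $state.OpenToAnySource) {
    Write-Warning "RDP on port $($state.ListeningPort) accepts connections from any address; scope it, or put it behind an RD Gateway or VPN."
    # Example remediation (assumed management subnet and jump host):
    # Limit-RdpSources -AllowedSources '10.0.10.0/24','203.0.113.7'
}
```

Restricting the firewall scope is a stopgap for hosts you cannot immediately put behind a gateway; it does nothing for a host whose RDP port is forwarded by a perimeter device, so check the NAT rules there as well.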

3. Password reuse

How often do you or your users reuse passwords? Attackers gain access to harvested passwords in online data dump locations. Knowing that we often reuse passwords, attackers use these credentials in various attack sequences against both websites and accounts as well as against domains and Microsoft 365 access.

The other day someone said, “Attackers don't break in these days; they log in.” Ensuring that you’ve enabled multi-factor authentication in your organization is key to thwarting this style of attack. The use of a password manager program encourages better and more unique passwords. In addition, many password managers will flag when a username and password combination is reused.

4. Unpatched privilege escalation vulnerabilities

Do you make it easy for attackers to move laterally and escalate privileges? Recently, attackers have used the Netlogon vulnerability CVE-2020-1472, known as ZeroLogon, to take over domain controllers that lack the August 2020 (or later) security updates: an attacker with network access to an unpatched domain controller can reset its machine account password and obtain domain administrator rights. Microsoft recently indicated that attackers are actively attempting to exploit this vulnerability.
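Patching is only the first phase of the ZeroLogon fix; the August 2020 update also started logging the insecure Netlogon connections that enforcement mode will later refuse. The following is an added example, not code from the article or from Microsoft: run on a domain controller, it reads the Netlogon enforcement setting and summarises the Netlogon events that identify devices still making vulnerable connections. The function names and the seven-day window are assumptions.

```powershell
# Check a domain controller for ZeroLogon (CVE-2020-1472) exposure:
# (1) is Netlogon enforcement mode switched on, and (2) which devices still make
# the vulnerable, non-secure RPC connections that the August 2020 update logs.
# Run elevated on each domain controller.
function Get-NetlogonEnforcementState {
    $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        # 1 = enforcement mode (all secure-channel connections must use secure RPC).
        # Absent = the default: enforcement off before the February 2021 update, on after it.
        FullSecureChannelProtection = $p.FullSecureChannelProtection
        # The patched Netlogon binary is what closes the hole; record its version for comparison.
        NetlogonDllVersion = (Get-Item "$env:SystemRoot\System32\netlogon.dll").VersionInfo.FileVersion
    }
}

function Get-VulnerableNetlogonConnections {
    param([int]$Days = 7)
    # Event IDs documented for the August 2020 update:
    #   5827/5828  vulnerable connection denied (machine account / trust account)
    #   5829       vulnerable connection allowed only because enforcement is off
    #   5830/5831  allowed by an explicit exception in group policy
    $filter = @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = 5827,5828,5829,5830,5831
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Outcome = switch ($_.Id) {
                5827    { 'Denied' }
                5828    { 'Denied' }
                5829    { 'Allowed (enforcement off)' }
                default { 'Allowed (GPO exception)' }
            }
            Detail  = ($_.Message -split "`n")[0]   # first line names the account involved
        }
    }
}

Get-NetlogonEnforcementState
# Every 5829 is a device that will stop working when enforcement is turned on;
# fix or replace those first, then set FullSecureChannelProtection to 1.
Get-VulnerableNetlogonConnections | Group-Object EventId | Select-Object Name, Count
```

A domain controller that shows no 5829 events over a full business cycle (include month-end jobs and any rarely used appliances) is ready for enforcement mode; one that shows them has third-party or legacy devices that need attention before you flip the switch.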

5. SMBv1 is enabled

Even if you have applied every patch for known Server Message Block version 1 (SMBv1) vulnerabilities, the protocol lacks the protections later SMB versions add (pre-authentication integrity, encryption and secure dialect negotiation), so the next SMBv1 flaw will be just as exploitable. Windows 10 version 1709 and later do not enable SMBv1 by default on a clean install, and if the SMBv1 client or server goes unused for 15 days of uptime (time the computer is off does not count), Windows 10 automatically uninstalls it.

The SMBv1 protocol is over 30 years old and you should move away from it. There are various ways to disable and remove SMBv1 across your network, ranging from Group Policy to PowerShell and registry keys; whichever you use, find out who still speaks SMBv1 first so you do not cut off an old printer, scanner or NAS that cannot do anything else.
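The PowerShell route, as an added example that is not code from the article: it reports the SMBv1 state on a host, turns on the built-in SMBv1 access audit so you can list the clients still using it, and removes the protocol on both the server and the client side. Function names are assumptions; the cmdlets, the sc.exe dependency change and the audit event ID are the ones Microsoft documents. Run elevated.

```powershell
# Find out whether SMBv1 is still present and in use on this host, then remove it.
function Get-Smb1State {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $server  = Get-SmbServerConfiguration
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        FeatureState      = $feature.State            # 'Disabled' on a clean 1709+ install
        ServerSmb1Enabled = $server.EnableSMB1Protocol
        Smb1Auditing      = $server.AuditSmb1Access
        # Client side: mrxsmb10 is the SMBv1 redirector driver
        ClientSmb1Driver  = (Get-Service mrxsmb10 -ErrorAction SilentlyContinue).StartType
    }
}

function Enable-Smb1Audit {
    # Log every inbound SMBv1 session (event 3000 in the SMBServer/Audit log).
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
}

function Get-Smb1Clients {
    # Each event 3000 carries a "Client Address:" line naming the peer that negotiated SMBv1.
    Get-WinEvent -LogName 'Microsoft-Windows-SMBServer/Audit' -ErrorAction SilentlyContinue |
        Where-Object Id -eq 3000 |
        ForEach-Object {
            if ($_.Message -match 'Client Address:\s*(\S+)') {
                [pscustomobject]@{ Time = $_.TimeCreated; Client = $Matches[1] }
            }
        } |
        Group-Object Client | Select-Object Name, Count
}

function Disable-Smb1 {
    # Server side: stop answering SMBv1 at all.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Remove the optional component entirely (Windows 10 / Server 2016 and later).
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    # Client side on older builds: drop the SMBv1 redirector from the workstation
    # service's dependencies and keep its driver from loading.
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
    sc.exe config mrxsmb10 start= disabled
}

Get-Smb1State
Enable-Smb1Audit
# Leave auditing on for a week or two, then review:
# Get-Smb1Clients
# When the list is empty or every entry has been fixed:
# Disable-Smb1
```

The same EnableSMB1Protocol and AuditSmb1Access settings can be pushed by Group Policy preference registry items if you would rather not touch each host; the audit log is still read locally on the file servers that matter.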

6. Inadequate email protections

Have you done all you can to ensure your email—a key entry point for attackers—is protected from threats? Attackers frequently gain entry to networks via spam emails. All organizations should use an email hygiene service to scan and review messages that enter your network. Have a filtering process in front of your email server. Whether that filter is Office 365 Advanced Threat Protection (ATP) or a third-party solution, have a service in front of your email that assesses the reputation of the email sender, scans links, and reviews content. Review any email hygiene you have previously set up. If you use Office/Microsoft 365, review the secure score and ATP settings.

7. Untrained users

Last but certainly not least, patch your humans. Malicious emails still reach my inbox even with all the appropriate ATP settings. A slightly paranoid and educated end user can be your final firewall, the one that keeps a malicious attachment or link from ever reaching your systems. ATP includes phishing simulations (Attack Simulator) so you can see which of your users will fall for a realistic lure before an attacker finds out.

Troy Hunt recently wrote about how the fonts browsers use can make a look-alike domain hard to tell from the real one, so judging a site by its address bar is unreliable. He pointed out that password managers match on the site's actual domain rather than on how it looks, and will offer to fill a password only for sites that match an entry in your database, which makes them a useful check against look-alike phishing sites.

Copyright © 2020 IDG Communications, Inc.
