Sunday, May 14, 2017

US-CERT: Indicators Associated With WannaCry Ransomware

U.S. Department of Homeland Security US-CERT
National Cyber Awareness System:

05/12/2017 09:36 PM EDT

Original release date: May 12, 2017 | Last revised: May 15, 2017

Systems Affected

Microsoft Windows operating systems

Overview

According to numerous open-source reports, a widespread ransomware campaign is affecting various organizations with reports of tens of thousands of infections in as many as 74 countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan. The software can run in as many as 27 different languages.
The latest version of this ransomware variant, known as WannaCry, WCry, or Wanna Decryptor, was discovered the morning of May 12, 2017, by an independent security researcher and has spread rapidly over several hours, with initial reports beginning around 4:00 AM EDT, May 12, 2017. Open-source reporting indicates a requested ransom of .1781 bitcoins, roughly $300 U.S.

This Alert is the result of efforts between the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) and the Federal Bureau of Investigation (FBI) to highlight known cyber threats. DHS and the FBI continue to pursue related information of threats to federal, state, and local government systems and as such, further releases of technical information may be forthcoming.

Description

Initial reports indicate the hacker or hacking group behind the WannaCry campaign is gaining access to enterprise servers either through Remote Desktop Protocol (RDP) compromise or through the exploitation of a critical Windows SMB vulnerability. Microsoft released a security update for the MS17-010 vulnerability on March 14, 2017. Additionally, Microsoft released patches for Windows XP, Windows 8, and Windows Server 2003 operating systems on May 13, 2017. According to open sources, one possible infection vector is via phishing emails.

Technical Details

Indicators of Compromise (IOC)

IOCs are provided within the accompanying .xlsx file of this report.

Yara Signatures

rule Wanna_Cry_Ransomware_Generic {
       meta:
              description = "Detects WannaCry Ransomware on Disk and in Virtual Page"
              author = "US-CERT Code Analysis Team"
              reference = "not set"
              date = "2017/05/12"
              hash0 = "4DA1F312A214C07143ABEEAFB695D904"
       strings:
              $s0 = {410044004D0049004E0024}   // "ADMIN$" encoded as UTF-16LE
              $s1 = "WannaDecryptor"
              $s2 = "WANNACRY"
              $s3 = "Microsoft Enhanced RSA and AES Cryptographic"
              $s4 = "PKS"
              $s5 = "StartTask"
              $s6 = "wcry@123"
              $s7 = {2F6600002F72}   // "/f", two null bytes, "/r"
              $s8 = "unzip 0.15 Copyrigh"
              // Backslashes must be escaped inside YARA text strings
              $s9 = "Global\\WINDOWS_TASKOSHT_MUTEX"
              $s10 = "Global\\WINDOWS_TASKCST_MUTEX"
              $s11 = {7461736B736368652E657865000000005461736B5374617274000000742E776E7279000069636163}   // "taskche.exe", "TaskStart", "t.wnry", "icac" separated by null bytes
              $s12 = {6C73202E202F6772616E742045766572796F6E653A46202F54202F43202F5100617474726962202B68}   // "ls . /grant Everyone:F /T /C /Q", null byte, "attrib +h"
              $s13 = "WNcry@2ol7"
              $s14 = "wcry@123"
              $s15 = "Global\\MsWinZonesCacheCounterMutexA"
       condition:
              // "and" binds tighter than "or", so any one of the seven groups below is sufficient
              $s0 and $s1 and $s2 and $s3 or $s4 and $s5 and $s6 and $s7 or $s8 and $s9 and $s10 or $s11 and $s12 or $s13 or $s14 or $s15
}
/*The following Yara ruleset is under the GNU-GPLv2 license (http://www.gnu.org/licenses/gpl-2.0.html) and open to any user or organization, as long as you use it under this license.*/
rule MS17_010_WanaCry_worm {
       meta:
              description = "Worm exploiting MS17-010 and dropping WannaCry Ransomware"
              author = "Felipe Molina (@felmoltor)"
              reference = "https://www.exploit-db.com/exploits/41987/"
              date = "2017/05/12"
       strings:
              // SMB dialect strings seen in the MS17-010 exploit traffic
              $ms17010_str1 = "PC NETWORK PROGRAM 1.0"
              $ms17010_str2 = "LANMAN1.0"
              $ms17010_str3 = "Windows for Workgroups 3.1a"
              $ms17010_str4 = "__TREEID__PLACEHOLDER__"
              $ms17010_str5 = "__USERID__PLACEHOLDER__"
              // Fragments of the embedded WannaCry payload
              $wannacry_payload_substr1 = "h6agLCqPqVyXi2VSQ8O6Yb9ijBX54j"
              $wannacry_payload_substr2 = "h54WfF9cGigWFEx92bzmOd0UOaZlM"
              $wannacry_payload_substr3 = "tpGFEoLOU6+5I78Toh/nHs/RAP"
       condition:
              all of them
}



Initial Analysis

The WannaCry ransomware received and analyzed by US-CERT is a loader that contains an AES-encrypted DLL. At runtime, the loader writes a file named “t.wry” to disk and decrypts it with an embedded 128-bit key. The decrypted DLL is then loaded into the parent process; this DLL is the actual WannaCry ransomware responsible for encrypting the user’s files. Because of this cryptographic loading method, the plaintext WannaCry DLL is never exposed on disk, which keeps it out of reach of on-disk antivirus scans.
The newly loaded DLL immediately begins encrypting files on the victim’s system with 128-bit AES, generating a random key for each file.
The malware also attempts to access the IPC$ shares and SMB resources reachable from the victim system, which allows it to spread laterally across the compromised network. It never attempts to obtain a password from the victim’s account in order to reach the IPC$ share; instead, it spreads by gaining unauthorized access to the IPC$ share on other hosts on the network it is operating on.

Impact

Ransomware not only targets home users; businesses can also become infected with ransomware, leading to negative consequences, including
  • temporary or permanent loss of sensitive or proprietary information,
  • disruption to regular operations,
  • financial losses incurred to restore systems and files, and
  • potential harm to an organization’s reputation.
Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.

Solution

Recommended Steps for Prevention
  • Apply the Microsoft patch for the MS17-010 SMB vulnerability dated March 14, 2017.
  • Enable strong spam filters to prevent phishing e-mails from reaching the end users and authenticate in-bound e-mail using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent e-mail spoofing.
  • Scan all incoming and outgoing e-mails to detect threats and filter executable files from reaching the end users.
  • Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.
  • Manage the use of privileged accounts. Implement the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary.
  • Configure access controls including file, directory, and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
  • Disable macro scripts from Microsoft Office files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full Office suite applications.
  • Develop, institute and practice employee education programs for identifying scams, malicious links, and attempted social engineering.
  • Have regular penetration tests run against the network, no less than once a year and ideally as often as is practical.
  • Test your backups to ensure they work correctly upon use.
Recommended Steps for Remediation
  • Contact law enforcement. We strongly encourage you to contact a local FBI field office upon discovery to report an intrusion and request assistance. Maintain and provide relevant logs.
  • Implement your security incident response and business continuity plan. Ideally, organizations should ensure they have appropriate backups so their response is simply to restore the data from a known clean backup. 
Defending Against Ransomware Generally
Precautionary measures to mitigate ransomware threats include:
  • Ensure anti-virus software is up-to-date.
  • Implement a data back-up and recovery plan to maintain copies of sensitive or proprietary data in a separate and secure location. Backup copies of sensitive data should not be readily accessible from local networks.
  • Scrutinize links contained in e-mails, and do not open attachments included in unsolicited e-mails.
  • Only download software – especially free software – from sites you know and trust.
  • Enable automated patches for your operating system and Web browser.
Report Notice
DHS and the FBI encourage recipients who identify the use of tool(s) or techniques discussed in this document to report information to DHS or law enforcement immediately. We encourage you to contact DHS’s National Cybersecurity and Communications Integration Center (NCCIC) (NCCICcustomerservice@hq.dhs.gov or 888-282-0870), or the FBI through a local field office or the FBI’s Cyber Division (CyWatch@ic.fbi.gov or 855-292-3937) to report an intrusion and to request incident response resources or technical assistance.

Revision History

  • May 12, 2017: Initial post
  • May 14, 2017: Corrected Syntax in the second Yara Rule
  • May 14, 2017: Added Microsoft link to patches for Windows XP, Windows 8, and Windows Server 2003
  • May 14, 2017: Corrected Syntax in the first Yara Rule


WannaCry Ransomware: How to protect personal and enterprise systems


What is ransomware?

Ransomware is a kind of cyber-attack that involves hackers taking control of a computer system and blocking access to it until a ransom is paid. For cyber criminals to gain access to the system they need to download a type of malicious software onto a device within the network. This is often done by getting a victim to click on a link or download it by mistake.

Once the software is on a victim's computer the hackers can launch an attack that locks all files it can find within a network. This tends to be a gradual process with files being encrypted one after another. 


Large companies with sophisticated security systems are able to spot this occurring and can isolate documents to minimize damage. Individuals might not be so lucky and could end up losing access to all of their information. 
Cyber criminals often demand payment in return for unlocking the files. This is normally in the form of bitcoin, the online cryptocurrency. 



Friday, May 5, 2017

Converged vs. Hyper-Converged Storage

Converged vs. Hyper-Converged Infrastructure Solutions


Storage Transformation - from Legacy to Hyper Converged

Hyper-Converged Infrastructure: Main Differentiation

Let's say a company is implementing server or desktop virtualization. In a non-converged architecture, physical servers run a virtualization hyper-visor, which then manages each of the virtual machines (VMs) created on that server. The data storage for those physical and virtual machines is provided by direct attached storage (DAS), network attached storage (NAS) or a storage area network (SAN).
In a converged architecture, the storage is attached directly to the physical servers. Flash storage generally is used for high-performance applications and for caching storage from the attached disk-based storage.
The hyper-converged infrastructure has the storage controller function running as a service on each node in the cluster to improve scalability and resilience. Even VMware is getting into the act. The company's new reference architecture, called EVO (previously known as Project Mystic or Marvin), is a hyper-converged offering designed to compete with companies such as Nutanix, SimpliVity or NIMBOXX. The two systems, EVO:RAIL and EVO:RACK, were announced at VMworld 2014 in August. Previously, VMware was active only in the converged infrastructure market with the VCE partnership.
Using Nutanix as an example, the storage logic controller, which normally is part of SAN hardware, becomes a software service attached to each VM at the hypervisor level. The software defined storage takes all of the local storage across the cluster and configures it as a single storage pool. Data that needs to be kept local for the fastest response could be stored locally, while data that is used less frequently can be stored on one of the servers that might have spare capacity.

Hyper-Converged Infrastructure Costs

Like traditional infrastructures, the cost of a hyper-converged infrastructure can vary dramatically depending on the underlying hypervisor. An infrastructure built on VMware's vSphere or Microsoft's Hyper-V can have fairly costly licensing built in. Nutanix, which supports Hyper-V, also supports the free, open source KVM, the default hypervisor in OpenStack cloud software. However, as with any open source application, "free" can be a relative term, since there are other costs involved in configuring the software for use in a given environment.
Because the storage controller is a software service, there is no need for the expensive SAN or NAS hardware in the hyper-converged infrastructure, the company says. The hypervisor communicates with the Nutanix software in the same manner as it did with the SAN or NAS, so there is no reconfiguring of the storage, the company says. At the same time, the Nutanix software eliminates the need for the IT team to configure Logical Unit Numbers (LUNs), volumes or RAID groups, simplifying the storage management function.
Niel Miles, software defined data center solutions manager at Hewlett-Packard, described "software defined" as programmatic controls of the corporate infrastructure as a company moves forward, while speaking at the HP Discover 2014 conference in Las Vegas earlier this year. He said this approach adds "business agility," noting that it increases the company's ability to address automation, orchestration, and control more quickly and effectively. Existing technology cannot keep up with these changes, requiring the additional software layer to respond more quickly than was possible in the past.
For those looking to reuse their existing hardware to take advantage of a hyper-converged infrastructure, several companies offer approaches more similar to the converged infrastructure approach of discrete server, storage and network devices, but with software defined technology added to improve performance and capabilities.
One such company is Atlantis of Mountain View, CA, which offers software defined storage system that can convert direct-attached storage (DAS) into a pooled array, increasing the number of VMs that can share the storage and effectively creating a hyper-converged infrastructure. The technological secret sauce is Atlantis USX, a software platform that resides between the VM and storage infrastructures, the company says.
In August, Sunnyvale, CA-based Maxta introduced the MaxDeploy Hyperconverged Reference Architecture built on Intel server boards and systems. MaxDeploy pre-validations include testing with server-side flash technology and magnetic disk drives to support a spectrum of cost / performance options, the company says. Maxta's VM-centric offering simplifies IT management and reduces storage administration by enabling customers to manage VMs rather than storage.
Generally speaking, the investment in a converged infrastructure system will be made in conjunction with a greenfield project rather than a forklift upgrade, says Todd Pavone, executive VP of product development and strategy for VCE. Companies that consider a converged infrastructure will know already that they need to expand their computing environment so a pilot project with a converged infrastructure system will be cost-effective. Rolling out x86-based servers in a building-block chassis permits the company to test the new environment with new hardware that would have already been budgeted for expansion.
From a CapEx perspective, Pavone says, hardware is essentially neutral. The downstream savings is from lower support and maintenance costs.
New investments for a hyper-converged infrastructure differ because the hardware cannot be decoupled should the pilot program prove unsuccessful. Because the software is a key component of a hyper-converged infrastructure, initial entry costs could be higher, Pavone says.
But Duncan Epping from VMware's EVO:RAIL (aka MARVIN) team suggests that upfront costs for converged systems need to be taken into account when considering upgrading a company's infrastructure. For hyper-converged systems, he says integration with existing infrastructure and figuring out how to manage different platform needs to be included in the financial considerations as well.
While many of the vendors that provide components and systems in the converged market are established vendors (EMC, Cisco, NetApp and Hewlett-Packard, for example), Epping says, "Some vendors in the hyper-converged space are relatively new; can you trust them with your mission-critical workloads?"
Not all of the companies offering hyper-converged offerings are new, however. Among the established IT vendors with hyper-converged products are the aforementioned EMC, Dell, Nutanix and Epping's own VMware. Though VMware is a bit unique, as Epping explains, "EVO:RAIL is not a pure VMware offering, it is a partner program that enables customers to select a hyper-converged offering from their preferred vendor."
Among the relative newcomers in the hyper-converged space are Gridstore, SimpliVity, Yottabyte, Pivot3, and Maxta.

Converged Infrastructure: Main Differentiation

There are two approaches to building a converged infrastructure, explains Bharat Badrinath, senior vice president of solutions marketing at EMC. The first is using the building-block approach, such as that used in the VCE Vblock environment, where fully configured systems -- including servers, storage, networking and virtualization software -- are installed in a large chassis as a single building block. The infrastructure is expanded by adding additional building blocks.
While one of the main arguments in favor of a converged infrastructure is that it comes pre-configured and simply snaps into place, that also is one of the key arguments against this building-block technology approach as well. As Chris Ward noted in his Tom’s IT Pro article To Converge Infrastructure or not, That is the Question, because all the parts are pre-configured, the users of the products have a predefined configuration. If the IT manager wants a configuration that is different from the system a provider offers, they are essentially out of luck.
The same holds true for the components themselves. Because each component is selected and configured by the vendor, the user does not have the option to choose a router or storage array customized for them. Also, the building-block approach ties the user in to updating patches on the vendor's timetable, rather than the user's. Patches must be updated in the pre-configured systems in order to maintain support.
It is possible to build a converged infrastructure without using the building block approach. The second approach is using a reference architecture, such as the one dubbed VSPEX by EMC, which allows the company to use existing hardware, such as a conforming router, storage array or server, to build the equivalent of a pre-configured Vblock system.

Converged Infrastructure Costs

As noted, each building block consists of separate hardware that is prepackaged and tested to work almost as a plug-and-play module. Unlike the hyper-converged infrastructure, the separate components of the converged infrastructure can be decoupled from the rest of the components and used in a standalone environment, Badrinath says. Simply adding a fully configured and tested infrastructure block makes it easier to expand and maintain the network without needing to spend a lot of time reconfiguring the various components, he says. The blocks effectively snap together like the colorful Lego-brand building blocks found in a child’s toy box.
Pricing for converged infrastructure building blocks will vary by vendor, of course, but Unisys provides the following comparison: the base price for a Unisys Forward! system starts at $89,000. By contrast, a customer buying the same equipment and software a la carte would pay in excess of $100,000.
Companies that plan to migrate to the VSPEX reference design and use their existing server, storage and network hardware can work with a reseller or use a do-it-yourself approach to configure their existing hardware to meet the VSPEX design, he says. Such an approach would permit a company with a more modern network to migrate to the converged infrastructure at a lower cost. However, he says, most companies tend to deploy converged infrastructures in pilot projects, such as migrating from Microsoft Exchange 2010 to 2014, or in new data centers to reduce the hardware expense.
One advantage of the converged infrastructure is lower support and maintenance costs, he says. Data centers with hardware from a variety of vendors can run into finger-pointing problems when hardware issues arise. A Vblock is supported by a single vendor that takes responsibility for all of the internal components, regardless of the manufacturer.
"Technology is the easy part," Badrinath says. "The people part is much more tricky." Finding qualified engineers that can work on the wide variety of hardware from various vendors found in many data centers can be a real challenge, he notes.

Thursday, May 4, 2017

What is Hyper-Converged Storage?

WHAT IS HYPER-CONVERGED INFRASTRUCTURE?

Hyperconverged infrastructure combines x86-based compute and storage resources with intelligent software to create flexible building blocks that replace legacy infrastructure consisting of separate servers, storage networks, and storage arrays.

At its simplest, storage virtualisation abstracts all the available physical storage – whether inside servers or in separate storage subsystems – into generic virtualised blocks. These are added to a shared pool which can then be carved up into new logical volumes, all managed by a distributed storage controller. A logical volume could draw its individual blocks from multiple physical devices, plus the controller supports multiple storage classes, and therefore tiers. It may also be able to replicate, mirror, snapshot and migrate data in the background, invisibly to the host file systems, never mind the applications.


“The storage virtualisation layer is what makes hyper-convergence data center-friendly,” explains Everett Dolgner, director of storage and replication product management for WAN specialist Silver Peak. “[Hyper-convergence] puts all the storage back in the server, but without an abstraction layer that's a problem – there's a reason we took it out of the servers and invented SANs in the first place!”

Generally speaking, there are two approaches companies can take to building a converged infrastructure:
  • The hardware-focused, building-block approach of VCE (a joint venture of EMC, Cisco, and VMware), simply known as converged infrastructure;
  • The software defined approach of Nutanix, VMware, and others called hyper-converged infrastructure


How does Nutanix hyper-converged infrastructure work?

The Nutanix Solution

Nutanix converges the entire datacenter stack including compute, storage, storage networking, and virtualization. Complex and expensive legacy infrastructure is replaced by simple 2U appliances that enable enterprises to start small and scale one node at a time. Each server, also known as a node, includes Intel-powered x86 hardware with flash SSDs and HDDs. Nutanix software running on each node distributes all operating functions across the cluster for superior performance and resilience.




To understand what converged and hyper-converged infrastructure are, see the video tutorial below.




Who is the leader in the market?

  • Nutanix
  • SimpliVity
  • Pivot3
  • Atlantis Computing
  • EMC
  • VMware
  • Cisco
  • HP

