General Information
Since August 2016, a hacker group called “Shadow Brokers” has been publishing information, exploit codes, and malware belonging to a cyber espionage unit called “Equation Group”. The published data goes back to January 2009 and contains detailed information about cyber security vulnerabilities, released up to that date, that target various operating systems and software.
The published exploit codes also target network devices used in institutions. In addition, it has been observed that malware targeting end-user computers is among the published information. The ‘Wannacry’ malware, which recently affected corporate and individual systems worldwide, uses the aforementioned vulnerabilities and exploit codes that have been published. The hacker group announced that it will publish similar exploit codes and malware on a monthly basis.
Also, as of March 2017, data claimed to belong to foreign intelligence agencies, announced under the name ‘Vault 7’, has been leaked to the internet. This data includes software used to leave backdoors on IT system assets, primarily end-user systems. At the same time, malware that tends to spread through corporate networks using file servers is also included in ‘Vault 7’. It is likely that similar data will continue to be published in 2-3 week intervals.
To keep this leaked data from affecting corporate information security, institutions should create an inventory of their information systems and perform vulnerability detection and impact analysis against that inventory.
Affected Devices
Exploit codes and malware that affect the products listed below (by type/brand/model) have been developed and spread on the internet. Therefore, it is important for institutions and organizations to detect these devices in their own information systems inventories (all internal and external networks) and take the necessary actions.
1. Network Devices
- Juniper Netscreen (NS5XT, NS50, NS200, NS500, ISG 1000, SSG140, SSG5, SSG20, SSG 320M, SSG 350M, SSG 520, SSG 550, SSG 520M, SSG 550M)
- Cisco PIX (500 series), Cisco ASA (5505, 5510, 5520, 5540, 5550 series)
- Cisco Switch/Router (711, 712, 721, 722, 723, 724, 802, 803, 804, 805, 821, 822, 823, 824, 825, 831, 832, 841, 842, 843, 844)
- Fortinet FortiGate (60, 60M, 80C, 200A, 300A, 400A, 500A, 620B, 800, 3600)
- WatchGuard, Huawei
- Solaris 6 – 11
2. Operating System
- Windows XP
- Windows Server 2003
- Windows Vista
- Windows 7
- Windows Server 2008
- Windows 8
- Windows 8.1
- Windows Server 2012
- Windows 10
- Windows Server 2016
3. File Server
- Windows File Server
Solution
Institutions and organizations that have the products listed above in their inventories are required to apply the following controls:
Access controls
- Access to management ports of network devices should be restricted on the internal network (access should be allowed only from certain interfaces and IPs) and access from the Internet should be blocked.
- Access restrictions should be imposed on Windows devices from the Internet, and access to services such as SMB and RDP should be blocked if not necessary.
- Access from the Internet-facing server network to the internal network should be restricted, and domain structures should be kept separate.
Software with Update Support
- Security patches are being published for the products and services affected by the published vulnerabilities and exploit codes. Except in exceptional cases, however, no security patches are published for old software versions or for operating systems that are no longer supported. Institutions must therefore use supported software and operating systems in their IT system assets, especially those accessible from the internet, to everyone, or to other systems on the network.
Password management
- Use of simple and default passwords on servers, end-user devices and network equipment should be avoided.
Patch management
- Security patches on network devices should be tracked and up-to-date firmware versions should be used.
- Patch management platforms for Windows environments should be reviewed and security patches, especially those for remote code execution vulnerabilities (e.g. MS17-010), should be applied as soon as possible.
Antivirus usage
- Attention should be paid to the use of up-to-date antivirus/antimalware on end-user devices and servers.
Note: For the product families mentioned above, cyber incident detection, that is, checking for possible compromise of network devices, servers and end-user computers, can be carried out as follows.
The following controls are recommended for detecting possible intrusion situations on network devices:
- Network device configuration files should be examined and compared with backup files to detect possible anomalies.
- Log records (self log) on network devices should be examined; possible anomalies in admin/system/root activities should be detected.
- Processes on network devices and firewalls should be examined.
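The first control above (comparing a device's configuration against its backup) can be automated. The following is an added example, not part of the original advisory, that diffs two constructed configuration snapshots and flags the changed lines that touch privileged accounts or management access (the keyword list is an assumption for this example, not a vendor standard):

```python
import difflib
import re

# Constructed sample snapshots (not real device data): the known-good backup and the
# configuration currently running on the device.
BACKUP_CONFIG = """\
hostname edge-fw-01
username admin privilege 15 secret <placeholder>
ip access-list standard MGMT
 permit 10.10.5.0 0.0.0.255
line vty 0 4
 access-class MGMT in
 transport input ssh
"""

RUNNING_CONFIG = """\
hostname edge-fw-01
ntp server 10.10.5.20
username admin privilege 15 secret <placeholder>
username support privilege 15 secret <placeholder2>
ip access-list standard MGMT
 permit 10.10.5.0 0.0.0.255
 permit any
line vty 0 4
 transport input ssh telnet
"""

# Assumed heuristic: changes starting with these keywords affect accounts, ACLs or
# management-plane access and deserve manual review.
HIGH_RISK = re.compile(r"^(username|access-class|transport input|permit|deny|snmp-server|enable)\b")


def config_drift(backup: str, running: str):
    """Return (added, removed, flagged) config lines between backup and running config."""
    diff = difflib.unified_diff(backup.splitlines(), running.splitlines(), lineterm="", n=0)
    added, removed = [], []
    for line in diff:
        if line.startswith(("+++", "---", "@@")):
            continue  # skip unified-diff headers and hunk markers
        if line.startswith("+"):
            added.append(line[1:].strip())
        elif line.startswith("-"):
            removed.append(line[1:].strip())
    flagged = [l for l in added + removed if HIGH_RISK.match(l)]
    return added, removed, flagged


if __name__ == "__main__":
    added, removed, flagged = config_drift(BACKUP_CONFIG, RUNNING_CONFIG)
    print("added:", added)
    print("removed:", removed)
    print("needs review:", flagged)
```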
DoublePulsar, the backdoor that the published Windows exploit codes install to obtain privileged access to the system, can be checked for over the network. A scan can be performed with the “nmap” tool against the SMB and RDP ports of the possibly compromised machine, using the following script:
https://nmap.org/nsedoc/scripts/smb-double-pulsar-backdoor.html
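When the scan above is run with XML output (nmap's -oX), the results for many hosts can be triaged automatically. The following added example (not from the advisory or the nmap project) parses a constructed sample of that XML, looks for the smb-double-pulsar-backdoor script result and reports each host's status; it assumes the script's "State: VULNERABLE" wording and that hosts without a hit show no script output unless vulns.showall is set:

```python
import xml.etree.ElementTree as ET

SCRIPT_ID = "smb-double-pulsar-backdoor"

# Constructed sample of nmap -oX output (not a real scan): one host where the script
# reported the backdoor, one reported clean (vulns.showall=1), one with port 445 closed.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><address addr="10.10.20.15" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
      <script id="smb-double-pulsar-backdoor" output="&#xa;  VULNERABLE:&#xa;  Double Pulsar SMB Backdoor&#xa;    State: VULNERABLE&#xa;    Risk factor: HIGH"/>
    </port></ports>
  </host>
  <host><address addr="10.10.20.16" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
      <script id="smb-double-pulsar-backdoor" output="&#xa;  NOT VULNERABLE:&#xa;  Double Pulsar SMB Backdoor&#xa;    State: NOT VULNERABLE"/>
    </port></ports>
  </host>
  <host><address addr="10.10.20.17" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="closed" reason="reset"/></port></ports>
  </host>
</nmaprun>
"""


def doublepulsar_hits(xml_text: str) -> dict:
    """Return {ip: status}; status is 'backdoor', 'clean' or 'no-result' per scanned host."""
    results = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        ip = addr.get("addr") if addr is not None else "?"
        status = "no-result"  # script produced no output (port closed, or no hit by default)
        for script in host.iter("script"):
            if script.get("id") != SCRIPT_ID:
                continue
            # "State: NOT VULNERABLE" does not contain the substring "State: VULNERABLE"
            status = "backdoor" if "State: VULNERABLE" in script.get("output", "") else "clean"
        results[ip] = status
    return results


if __name__ == "__main__":
    for ip, status in doublepulsar_hits(SAMPLE_XML).items():
        print(f"{ip}: {status}")
```

Hosts reported as "backdoor" should be isolated and examined under the incident response process; a "no-result" host only means the script produced no output and is not proof of a clean system.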
The Pandemic malware has been developed to spread to other devices on the internal network via file servers. This malware creates the following registry entry on Windows File Server; the relevant servers should be searched for this entry.
HKLM\SYSTEM\CurrentControlSet\Services\Null -> Null value in the Instances sub-key.
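One way to search file servers for this entry offline is to export the Null service key with reg export and inspect the resulting .reg file. The following added example (not part of the advisory) parses a constructed .reg export and reports the Instances sub-key and any "Null" entry beneath it; the sample registry contents are constructed for illustration, and reading a real export needs encoding="utf-16" because reg export writes UTF-16:

```python
PANDEMIC_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Null\Instances"

# Constructed .reg export (not from a real host) showing the indicator from the advisory.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Null]
"Type"=dword:00000001
"Start"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Null\Instances]
"DefaultInstance"="Null"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Null\Instances\Null]
"Altitude"="<placeholder>"
"Flags"=dword:00000000
"""

# Constructed export of the same key without the indicator.
CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Null]
"Type"=dword:00000001
"Start"=dword:00000001
"""


def parse_reg(text: str) -> dict:
    """Parse .reg text into {key_path: {value_name: raw_data}}; sub-keys are separate entries."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and "=" in line and line[0] in '"@':
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data
    return keys


def pandemic_indicator(text: str) -> list:
    """Return findings for the Null\\Instances indicator; an empty list means it was not found."""
    findings = []
    for path, values in parse_reg(text).items():
        if not path.lower().startswith(PANDEMIC_KEY.lower()):
            continue
        findings.append(f"key present: {path}")
        for name, data in values.items():
            if name.lower() == "null" or data.strip('"').lower() == "null":
                findings.append(f"'Null' entry under {path}: {name}={data}")
    return findings
```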