Helping Protect Against Today's Cyber Threats


My CFP Submission for Kaspersky Security Analyst Summit 2018

So, I’m pushing the envelope here just a bit with this Call for Papers for the 2018 Kaspersky Security Analyst Summit taking place in Mexico City, March 7-11.  I’d be interested to hear your feedback. Over the top? Too Microsoft? Offensive already and I haven’t even […]

Petya Outbreak – What we know so far

UPDATE 20:51 GMT-6 Looks like I was off on which file but we have a killswitch (temp measure) for the time being:  #StopPetya We found a local “kill switch” for #Petya: create the file “C:\Windows\perfc” Zero-byte “perfc” in c:\windows  UPDATE 16:18 GMT-6 Please see Kaspersky Labs update […]

WannaCrypt (WannaCry) Decryption Tool Now Available!

In May 2017, a large cyber attack was launched, infecting over 230,000 computers in 99 countries, demanding ransom payments in 28 languages. The attack has been described by Europol as “unprecedented in scale”.

Yeah, whatever. Blah, blah, blah… You just got pwned!

Had this site been infected with a file-less “drive-by” ransomware, your system would have likely fallen victim by now. Allow me to explain…
First, phishing schemes exploit the human factor with crafted messages that play on fear, excitement or the desire to please others. In this scenario, you were likely excited to see that a decryption tool had been made available for the “WannaCry” ransomware variant. I can’t say I blame you. I’m sure many of the 200K+ victims worldwide feel quite the same! However, malicious actors use exactly these kinds of trending topics as lures to entice people into falling for their tricks.

Now, combine this with the more recent use of file-less JScript malware delivered through legitimate website advertising networks (malvertising) and you have a recipe for disaster. Well-known sites such as YouTube and Reuters have carried malicious ads served through their ad networks, with attackers preying on users’ implicit trust in those sites. With such methods, visitors don’t even have to hover over or click on the ads to become infected; simply loading a page whose ad network is serving the malicious creative is enough. This is the method known as “drive-by”: no user interaction is required.

Such could have been the case here.

Lastly, with the advances attackers have made of late, the payload can be injected directly into memory (typically by way of a script engine such as the Windows Script Host or PowerShell) and never touch the disk. That lets it evade antivirus products that only scan what is written to or read from the hard disk; unless the product also inspects script behaviour and memory, there is no file for it to flag.

So, how can this be avoided?

Well, ask yourself what you did prior to clicking on the link that brought you here.

  1. Did you know and trust the source from which you received the link?
  2. Did you know the full path of the website address (URL) the link was directing you to? (e.g. by hovering over the link and reading the target in your web browser’s status bar)
  3. Were you excited about the potential of a decryption tool?

All of these are behaviour patterns that we must educate our end users about.

Now, from a defensive approach, what can we do to help protect & defend our organisations against these threats?
  1. Application Whitelisting – If it can’t run, it can’t infect. Need I say more?
  2. Device Control – Such solutions can keep an infection from extending its encryption to attached and reachable storage during the land & expand phase. That includes mapped and UNC shares, connected USB devices & NAS-based storage.
  3. Validated Backups – Those who have recovered from a ransomware infection without paying up have done so for one of two reasons: the malware used weak encryption that decryption tools (like the one that brought you here to begin with) could defeat, or they had good backups. Use the 3-2-1 rule and test them regularly.
  4. Incident Response Plan – Let me just say that having a bitcoin wallet loaded and ready to go is NOT an incident response plan!
  5. Next Generation Firewalls – NGFWs add application-aware deep packet inspection (and typically URL filtering and intrusion prevention) on top of traditional stateful filtering, which can block known malicious download and command-and-control traffic before the payload ever lands. If you’re not up on this tech yet, you should seriously look into it. Write it down!
  6. Threat Detection – Assume you’ve been breached! Failure to do so and respond accordingly proves one thing only: you deserve to be breached and you’ve been warned!
  7. Known Tor Entry/Exit Blacklist – Refer to:
  8. Anti-Virus Software – Yes, sadly it’s still a tickbox requirement.
  9. End-user Awareness Campaigns – They are our greatest inside threat. Educate. Educate. Educate. Conduct regular phishing tests using a reputable third-party like
  10. Firings – I fully believe that we’ve come to the point that we have to take more drastic measures to emphasise the point that end-users are the greatest, single inside threat to the organisation. Fire one or two (maybe a few!) after a second infraction and the point will get across: this will not be tolerated!
Bonus tip: Change default file associations.
Perhaps the simplest approach of all… when an end-user double-clicks an attachment, Windows launches whatever application is associated with that file’s extension. For .js, .jse, .vbs, .vbe, .wsf and .wsh that is the Windows Script Host (wscript.exe), and for .cmd and .bat it is the Command Shell, so a single click on the “invoice” is enough for the script to run and infection to ensue. (Note that .ps1 already opens in Notepad by default, which is precisely why script-based droppers favour the WSH types and batch files over PowerShell scripts.)
However, if those file extensions are re-associated with, say, notepad.exe, what will be the result? An infection or a confused end-user looking at a script within Notepad.exe? Think about it for a second… Pretty ingenious, right? Sometimes the simplest solution is the one most easily overlooked. One caveat: this only blunts launches that go through the shell association (a double-click, or “open” from a mail client). A macro or dropper that calls wscript.exe or powershell.exe explicitly with the script path never consults the association, so pair this with application whitelisting or with disabling the Windows Script Host outright.
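As an added illustration of the bonus tip (this is example code, not from the original post or from Ivanti), the following PowerShell script re-points the “Open” verb of the Windows Script Host file types to Notepad, records the original commands so the change can be reversed, and prints what Explorer will now do for each extension. It assumes an elevated session, edits the machine-wide defaults under HKLM\SOFTWARE\Classes, and assumes no per-user override (HKCU\Software\Classes or an Explorer UserChoice key) exists for these extensions; the backup path is a hypothetical choice.

```powershell
# Added example, not from the original post: make double-clicked WSH scripts
# open in Notepad instead of running under wscript.exe.
# Assumptions: run elevated; machine-wide HKLM defaults are edited; no per-user
# override (HKCU\Software\Classes / Explorer UserChoice) exists for these types.

$progIds = 'JSFile', 'JSEFile', 'VBSFile', 'VBEFile', 'WSFFile', 'WSHFile'
$extMap  = @{ '.js' = 'JSFile'; '.jse' = 'JSEFile'; '.vbs' = 'VBSFile';
              '.vbe' = 'VBEFile'; '.wsf' = 'WSFFile'; '.wsh' = 'WSHFile' }
$notepad = 'notepad.exe "%1"'
$backup  = Join-Path $env:ProgramData 'wsh-open-verb-backup.json'   # hypothetical path

function Get-OpenCommand([string]$ProgId) {
    # Returns the default value of <ProgId>\Shell\Open\Command, or $null if absent.
    $key = "HKLM:\SOFTWARE\Classes\$ProgId\Shell\Open\Command"
    if (Test-Path $key) { (Get-ItemProperty -Path $key).'(default)' } else { $null }
}

# 1. Save the original Open commands so the change can be reversed later.
$saved = @{}
foreach ($id in $progIds) {
    $cmd = Get-OpenCommand $id
    if ($null -ne $cmd) { $saved[$id] = $cmd }
}
$saved | ConvertTo-Json | Set-Content -Path $backup -Encoding UTF8
Write-Host "Original Open commands saved to $backup"

# 2. Replace the WScript launch command with Notepad for each ProgID.
foreach ($id in $progIds) {
    $key = "HKLM:\SOFTWARE\Classes\$id\Shell\Open\Command"
    if (Test-Path $key) {
        Set-ItemProperty -Path $key -Name '(default)' -Value $notepad
        Write-Host ("{0,-8} Open -> {1}" -f $id, $notepad)
    }
}

# 3. Verify: resolve each extension to its ProgID, then to its Open command,
#    which is the same lookup Explorer performs on a double-click.
foreach ($ext in $extMap.Keys) {
    $progId = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$ext" `
               -ErrorAction SilentlyContinue).'(default)'
    if (-not $progId) { $progId = $extMap[$ext] }
    Write-Host ("{0,-5} -> {1,-8} -> {2}" -f $ext, $progId, (Get-OpenCommand $progId))
}

# 4. Optional, stronger control: disable Windows Script Host entirely. This stops
#    wscript.exe/cscript.exe from running any script however it is launched
#    (double-click, Office macro, scheduled task), but it also breaks legitimate
#    logon and inventory scripts that use WSH, so test before deploying.
$disableWsh = $false
if ($disableWsh) {
    $wshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
    if (-not (Test-Path $wshKey)) { New-Item -Path $wshKey -Force | Out-Null }
    New-ItemProperty -Path $wshKey -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
    Write-Host 'Windows Script Host disabled machine-wide.'
}
```

To revert, read the saved JSON and write each command back with Set-ItemProperty on the same keys. Batch files (cmdfile/batfile) are deliberately left alone here because many management tools launch them through the association; if you do change them, test your logon scripts first.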
Do you know a fellow SysAdmin that could benefit from this exercise? Perhaps you’re a member of a Facebook group or Twitter list that includes like-minded professionals? Please consider sharing this post with them in hopes of bringing about a meaningful awareness of what we as IT/InfoSec professionals are charged with on a daily basis. We have a job to do here, y’all. Let’s get it done!
P.S. Aren’t you glad I’m an ethical hacker? Tick, tock… Tick tock… Time is running out. What are you still doing here?

About the Author

As a nearly 20-year veteran of Information Technology with a laser focus on Systems & Security Management, Duncan McAlynn is a driven and passionate IT professional. He is a contributing author/editor to several books, magazine publications and websites, as well as a popular presenter at many Microsoft events. These activities have led to him receiving the Microsoft Most Valuable Professional award for six consecutive years and being named a member of the FBI InfraGard division.

Duncan has held a number of certifications and awards including 6x Microsoft MVP, MCITP, MCSA, MCSE, & CISSP.

Today, Duncan is a Principal Security Engineer & Evangelist for Ivanti, ISSA Gulf Coast TX chapter president & author of Advanced Windows Security

Third-Party Patching – A Vendor Neutral Framework for Addressing the Other 85% of Vulnerabilities

Duncan McAlynn, Principal Security Engineer/Evangelist, Ivanti If your organization is like most, you likely have clearly defined processes in place for deploying newly released Microsoft security updates each month. If not, you should. We’ve only had 15 years to hone the process, dating back to […]

HP Audio Driver Exposes Real-time Keystrokes via Local API

Duncan McAlynn, Principal Security Engineer/Evangelist, Ivanti The audio driver installed on some HP laptops includes a feature that could best be described as a keylogger, which records all the user’s keystrokes and saves the information to a local file, accessible to anyone or any third-party […]

Everything You Need to Know About MSFT Anti-Malware Engine Updating

Duncan McAlynn, Principal Security Engineer/Evangelist, Ivanti

Unless you’ve been completely off the grid for the past week, you’re likely aware of the huge vulnerability in the Microsoft anti-malware engine (mpengine.dll) found in many of the software giant’s security products.

However, many are still confused by Microsoft’s response, leaving them unsure how to update their systems, verify they’re up-to-date and report on the status. Thankfully, the following link covers everything you need to know and do to protect against this “crazy bad” vulnerability (as the Google Project Zero team members refer to their finding).

 If you find this useful, please let me know by leaving a comment below & sharing with others. Thank you!

BitKangaroo Ransomware Decryption Tool

Duncan McAlynn, Principal Security Engineer/Evangelist, Ivanti We have a new, albeit amateurish, ransomware variant on the loose. This one haphazardly begins deleting files every hour until the ransom is paid. Foolish, since it could take 2-3 days for the victims in question to get set up […]

SCCM DCM Script for vPro Vulnerability

Duncan McAlynn, Principal Security Engineer/Evangelist, Ivanti (Reposted with permission from Eric Holzhueter. Thank you!) If someone needs a SCCM DCM script or another method to report on vPro vulnerability, you can use this as a base for your solution. You’ll need to distribute and run […]

How Your Social Profiles Help Hackers

Duncan McAlynn, Principal Security Engineer/Evangelist, Ivanti

As I sit here looking at my LinkedIn notifications, I’m disappointed to see one of my own co-workers showing up in the list of those celebrating a birthday today. You may be asking why the disappointment. Allow me to explain…

LinkedIn is the de facto standard for online professional networking. However, the site is also a bit of a bully when it comes to completeness of your profile – strongly encouraging its membership to provide full name (including maiden/previous names), high schools/universities attended, previous & current workplaces, professional memberships, birthday, contact information, etc. Failure to fully complete each of these items will lead to nagging notifications when logging into the site. A profile completeness meter maintains your progress, rewarding you with an “All Star Profile” badge once you’ve met the Sunnyvale, CA company’s objectives.

So, how does your All Star profile help hackers? Allow me to illustrate the flow of a targeted spear-phishing attack. For those unfamiliar with the term, spear phishing is a targeted e-mail fraud, usually sent from a spoofed or look-alike address, aimed at a specific organization or individual and seeking unauthorized access to confidential data or systems.


Social Profile Phishing Scheme

  1. Identify Employees of Targeted Organization Through LinkedIn Features – LinkedIn has search capabilities for all company pages, including the employees who have affiliated themselves with the organization.
  2. Use Data from Profile to Profile Target Employee & Craft Phishing Email Messaging – The more complete the profile page, the easier it is for the hacker to craft a believable phishing email that persuades the user to read it and open the attachment carrying the malware payload.
  3. User Receives Email: “Happy Birthday, Eric from Hofstra University!” (Graduation photos attached) – The malicious email seems legitimate enough: the sender (using a disposable address that looks close enough to the real thing) knows personal details about the recipient.
  4. Payload Delivered – The ransom/malware payload is in an attached, password-protected .ZIP file (an encrypted archive defeats mail-gateway A/V scanning), with a note in the body of the email that the password is the recipient’s birthdate. In the anxiousness to see those graduation pics, the recipient clicks through the macro warnings on the document inside.
  5. Land & Expand – Depending on the intent of the threat actor, at this point files on the system may be encrypted to solicit a ransom payment, or the malware may lie in wait, working in the background to expand its reach within the organization and escalate its privileges on this system and others.
  6. Payday! – Whether the payday is bringing the company to the point of paying the ransom to get its files back or using the newfound system access for other malicious ends, the hacker has won. And it all started with the employee’s All Star LinkedIn profile.

As you can see, this is a very simple and effective way to turn a social media profile into enough bait for the recipient to fall for the phishing scheme and take a bite. Here I pick on LinkedIn, but every social network is susceptible to the same approach. Unfortunately, being an All Star on LinkedIn isn’t going to win you any brownie points or badges with the folks in Information Security. So stay safe, stay protected, and limit the amount of information you share on your social media profiles.

Good luck out there!