Cybersecurity Alert: Windows 10 Credential Theft and SEC Issues Risk Alert on WannaCry Ransomware

May 17, 2017

This alert contains information about a Windows 10 credential theft vulnerability and an SEC risk alert on the WannaCry ransomware.

Windows 10 Credential Theft

The default file download configuration in Google Chrome allows files to be downloaded automatically, which could allow attackers to place files on a Windows PC and steal user credentials. The attacker entices users to visit their website, which triggers an automatic download of a Windows Explorer Shell Command (.scf) file without the user opening or clicking the file. Through a backend icon lookup that Windows initiates when saving the .scf file, an attacker can gain access to the victim's username and password hash, which leaves the victim susceptible to attacks such as a Server Message Block (SMB) relay attack. Google is working on resolving the vulnerability.

For more information, see: http://www.zdnet.com/article/windows-10-credential-theft-google-is-working-on-fix-for-chrome-flaw/

ACA Aponix Guidance

ACA Aponix recommends taking the following precautionary measures:

  • If you use Google Chrome, disable automatic downloads (Settings → click Show advanced settings → Under Downloads, select Ask where to save each file before downloading);
  • Implement application whitelisting where possible;
  • Enable Google Chrome auto-updates to install the fix once it’s released; and
  • Block .scf files on email filters and web filters.

SEC Issues Risk Alert on WannaCry Ransomware

The SEC released a risk alert today regarding the widespread WannaCry ransomware attack that has affected organizations in over 100 countries. Reports show that the hacker behind the attack is gaining access to enterprise servers through the SMB protocol and the Microsoft Remote Desktop Protocol. The SEC encourages broker-dealers and investment managers to review the alert from the United States Department of Homeland Security’s Computer Emergency Readiness Team for recommendations on protecting against WannaCry. The SEC also highlights the importance of conducting risk assessments and penetration tests and of implementing system upgrades in a timely manner. Private equity and venture capital advisers are advised to reach out to their portfolio companies to ensure they are aware of and responding to this attack.

For more information, see the SEC's risk alert: https://www.sec.gov/ocie/announcement/risk-alert-cybersecurity-ransomware-alert

For indicators and recommendations, see the US-CERT's alert: https://www.us-cert.gov/ncas/alerts/TA17-132A

ACA Aponix Guidance

ACA Aponix recommends taking the following precautionary measures:

  • Apply the latest security updates from Microsoft and install future updates as soon as they are released.
  • Disable SMBv1 via Group Policy Objects (GPO), if possible.
  • Block port 445 using a hard firewall rule, and also block port 445 access for third parties with direct network access, to prevent the worm from tunneling from a partner's network.
  • Disable Remote Desktop (RDP) on internal machines, if possible.
  • Configure IDS and IPS systems to look for the signatures provided by the FBI, CERT, and other authorities relevant to WannaCry.
  • Do not open attachments in emails from senders you don’t know.
  • Block inbound Microsoft Office document attachments that contain macros.
  • Enable the "Show file extensions" option on your computer. This will make it much easier to identify malicious files. Do not open files with extensions such as ".exe," ".vbs," and ".scr."
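
The attachment rules in both guidance lists above (block .scf files at the mail filter, block Office attachments that contain macros, and treat ".exe," ".vbs," and ".scr" as unsafe) can be sketched as a mail-filter check. This is an added example, not ACA Aponix code; the function names, verdict strings and the sample message are assumptions made for illustration, and the macro check covers only zip-based Office formats.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions named in the guidance above (.scf, .exe, .vbs, .scr).
BLOCKED_EXTENSIONS = {".scf", ".exe", ".vbs", ".scr"}

def has_vba_macros(payload: bytes) -> bool:
    """True if a zip-based (OOXML) Office file embeds a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as archive:
            return any(name.lower().endswith("vbaproject.bin")
                       for name in archive.namelist())
    except zipfile.BadZipFile:
        return False  # not OOXML; legacy .doc/.xls would need an OLE parser

def verdict(filename: str, payload: bytes) -> str:
    """Return 'block:<reason>' or 'allow' for one attachment."""
    # Only the LAST extension counts, so "report.pdf.scf" is an .scf file.
    name = filename.strip().rstrip(".").lower()
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    if ext in BLOCKED_EXTENSIONS:
        return f"block:extension {ext}"
    if has_vba_macros(payload):  # content check, independent of the name
        return "block:office macro"
    return "allow"

def scan_message(raw: bytes) -> dict:
    """Map each attachment filename in a raw e-mail message to a verdict."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {part.get_filename(): verdict(part.get_filename() or "",
                                         part.get_payload(decode=True) or b"")
            for part in msg.iter_attachments()}

def build_sample() -> bytes:
    """Constructed sample message; every name and byte here is made up."""
    docx = io.BytesIO()
    with zipfile.ZipFile(docx, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x00")  # marks a macro project
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "test"
    msg.set_content("see attached")
    for fname, data in [("report.pdf.scf", b"x"), ("notes.txt", b"hello"),
                        ("budget.docx", docx.getvalue()), ("setup.EXE", b"MZ")]:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg.as_bytes()
```

Calling scan_message(build_sample()) returns one verdict per attachment; the macro check inspects file content, so a macro-bearing document renamed to .docx is still blocked.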

If you have any questions, please contact your ACA Aponix consultant or email us at info@acaaponix.com.