South Korean Firm Pays Massive Ransom

IT Discussion
40 Posts 8 Posters 2.3k Views
    • stacksofplates

      $20 says it was an unpatched plugin for a CMS/CMF.

      1 Reply Last reply Reply Quote 0
      • stacksofplates @black3dynamite

        @black3dynamite said in South Korean Firm Pays Massive Ransom:

        Does anyone know what Linux distro was attacked? Besides using certain antivirus, wouldn't AppArmor or SELinux have helped prevent the attack?

        Another $20 says they had either one disabled.

        1 Reply Last reply Reply Quote 0
        • brianlittlejohn

          http://blog.trendmicro.com/trendlabs-security-intelligence/erebus-resurfaces-as-linux-ransomware/

          According to the article, they were running an old kernel, old PHP, and old Apache.

          1 Reply Last reply Reply Quote 3
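Two posts above raise the same defender's question from different angles: stacksofplates asks whether AppArmor or SELinux was enforcing, and brianlittlejohn notes the host ran an old kernel, old PHP and old Apache. The script below is an added example, not code from this thread or from the Trend Micro write-up. It reads the kind of text a host produces anyway (the `uname -r`, `php -v` and `httpd -v` banners, the contents of `/sys/fs/selinux/enforce`, the text of `aa-status`) and reports which components sit below an admin-chosen minimum version and whether a mandatory access control system is actually enforcing. The sample banners and the `MINIMUM_VERSIONS` floors are constructed placeholders; the version numbers are not a recommendation for any particular release.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample banners, in the shape `uname -r`, `php -v` and `httpd -v` print them
# (labelled constructed; not taken from the incident write-up).
SAMPLE_BANNERS: Dict[str, str] = {
    "kernel": "2.6.32-431.el6.x86_64",
    "php": "PHP 5.3.3 (cli) (built: Jul  9 2015 17:39:00)",
    "apache": "Server version: Apache/2.2.15 (Unix)\nServer built:   Aug 13 2013 17:29:28",
}

# Hypothetical minimum versions an admin has decided are acceptable for this fleet.
# Placeholders for the example only; take your own from your vendor's support matrix.
MINIMUM_VERSIONS: Dict[str, str] = {
    "kernel": "3.10.0",
    "php": "7.0.0",
    "apache": "2.4.0",
}

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")


def parse_version(banner: str) -> Tuple[int, ...]:
    """Return the first dotted numeric version in a tool banner as a tuple of ints."""
    match = _VERSION_RE.search(banner)
    if match is None:
        raise ValueError(f"no version string found in {banner!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def version_lt(a: Tuple[int, ...], b: Tuple[int, ...]) -> bool:
    """Compare versions of unequal length by right-padding with zeros (2.4 == 2.4.0)."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def stale_components(banners: Dict[str, str], minimums: Dict[str, str]) -> List[str]:
    """Names of components whose running version is below the admin's minimum."""
    stale = []
    for name, floor in minimums.items():
        if name not in banners:
            continue  # component not installed on this host; nothing to judge
        if version_lt(parse_version(banners[name]), parse_version(floor)):
            stale.append(name)
    return stale


def mac_state(selinux_enforce: Optional[str], aa_status: Optional[str]) -> str:
    """Classify mandatory access control from the contents of /sys/fs/selinux/enforce
    ("1" or "0") or the text of `aa-status`; None means that source is absent on the host."""
    if selinux_enforce is not None:
        return "selinux-enforcing" if selinux_enforce.strip() == "1" else "selinux-permissive"
    if aa_status is not None:
        # aa-status prints a line such as "12 profiles are in enforce mode."
        m = re.search(r"(\d+) profiles are in enforce mode", aa_status)
        if m and int(m.group(1)) > 0:
            return "apparmor-enforcing"
        return "apparmor-loaded-not-enforcing"
    return "none"


if __name__ == "__main__":
    # Runs against the constructed sample; on a real host feed in the actual
    # command output and file contents instead.
    print("stale:", stale_components(SAMPLE_BANNERS, MINIMUM_VERSIONS))
    print("mac:", mac_state("0\n", None))
```

A version floor is a blunt instrument (distribution kernels backport fixes without bumping the upstream number, so compare against the vendor's own package version where you can), but it catches exactly the "old kernel, old PHP, old Apache" combination the article describes, and a host that reports `selinux-permissive` or `none` is one where the confinement stacksofplates asks about is not doing anything.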
          • DustinB3403

            wow

            1 Reply Last reply Reply Quote 0
            • Obsolesce @scottalanmiller

              @scottalanmiller said in South Korean Firm Pays Massive Ransom:

              @Mike-Davis said in South Korean Firm Pays Massive Ransom:

              I thought it was interesting that so many Linux systems were hit. Has anyone heard of phishing attacks (or others) that went after Linux boxes before?

              I've heard of a few. They are rare, but Linux systems are the much bigger payoff targets. The data, on average, on Linux servers is worth a lot more, but a lot harder to hit.

              I'm sure that if Linux was as targeted as Windows is, there would be just as many vulnerabilities found... or at least a lot more than you think. However, I'm sure they would be fixed much faster than Microsoft fixes things, due to being open source.

              IRJI 1 Reply Last reply Reply Quote 2
              • IRJ @Obsolesce

                @Tim_G said in South Korean Firm Pays Massive Ransom:

                @scottalanmiller said in South Korean Firm Pays Massive Ransom:

                @Mike-Davis said in South Korean Firm Pays Massive Ransom:

                I thought it was interesting that so many Linux systems were hit. Has anyone heard of phishing attacks (or others) that went after Linux boxes before?

                I've heard of a few. They are rare, but Linux systems are the much bigger payoff targets. The data, on average, on Linux servers is worth a lot more, but a lot harder to hit.

                I'm sure that if Linux was as targeted as Windows is, there would be just as many vulnerabilities found... or at least a lot more than you think. However, I'm sure they would be fixed much faster than Microsoft fixes things, due to being open source.

                Sorry, but this is wrong. I work in a cyber security department and my focus is server vulnerabilities. Untouched and unpatched Linux servers have far fewer vulnerabilities than Windows servers. It's really a staggering difference. If I take a sample of 100 Windows servers and 100 Linux servers, I would venture to guess you'd have 10x the amount of vulnerabilities on Windows. Keep in mind that generally around 10 or so patches are released each month for Windows. Linux OS updates are much rarer.

                ObsolesceO 1 Reply Last reply Reply Quote 1
                • Obsolesce @IRJ

                  @IRJ said in South Korean Firm Pays Massive Ransom:

                  @Tim_G said in South Korean Firm Pays Massive Ransom:

                  @scottalanmiller said in South Korean Firm Pays Massive Ransom:

                  @Mike-Davis said in South Korean Firm Pays Massive Ransom:

                  I thought it was interesting that so many Linux systems were hit. Has anyone heard of phishing attacks (or others) that went after Linux boxes before?

                  I've heard of a few. They are rare, but Linux systems are the much bigger payoff targets. The data, on average, on Linux servers is worth a lot more, but a lot harder to hit.

                  I'm sure that if Linux was as targeted as Windows is, there would be just as many vulnerabilities found... or at least a lot more than you think. However, I'm sure they would be fixed much faster than Microsoft fixes things, due to being open source.

                  Sorry, but this is wrong. I work in a cyber security department and my focus is server vulnerabilities. Untouched and unpatched Linux servers have far fewer vulnerabilities than Windows servers. It's really a staggering difference. If I take a sample of 100 Windows servers and 100 Linux servers, I would venture to guess you'd have 10x the amount of vulnerabilities on Windows. Keep in mind that generally around 10 or so patches are released each month for Windows. Linux OS updates are much rarer.

                  From what I've seen on Linux, there are updates almost daily. But you have to define "OS updates". Linux is just a kernel, so in that case I'm sure it's true. How often are Windows kernel updates? The Windows kernel is not patched 10 times a month, either.

                  Any OS un-touched/un-updated/un-patched shouldn't even be included in any kind of statistics. Nobody would or should use something like that anyways. The more people looking at something, the more things with it you will find... bad (vulnerabilities) or good things.

                  DustinB3403D ObsolesceO 2 Replies Last reply Reply Quote 1
                  • DustinB3403 @Obsolesce

                    @Tim_G Good Vulnerabilities?

                    I get what you mean, and I think @IRJ is simply stating that Windows is less maintained because of update schedules and patch release schedules.

                    IRJI 1 Reply Last reply Reply Quote 0
                    • Obsolesce @Obsolesce

                      @Tim_G said in South Korean Firm Pays Massive Ransom:

                      Untouched and unpatched Linux servers have far fewer vulnerabilities than Windows servers.

                      You also need to define which OS you are comparing.

                      Are you suggesting that a comparison between Minimal install/deployment of RedHat is more secure than a full GUI install of Windows Server 2012 R2? That's comparing apples to oranges.

                      How about a minimal Linux install vs minimal Nano server install?

                      1 Reply Last reply Reply Quote 0
                      • Obsolesce

                        Also, you need to consider what it is that's vulnerable. Is it Linux? Is it Windows?... or is it a program running on top of Linux/Windows such as Apache, Office, or a video driver? That doesn't mean the OS is vulnerable.

                        IRJI 1 Reply Last reply Reply Quote 0
                        • IRJ @DustinB3403

                          @DustinB3403 said in South Korean Firm Pays Massive Ransom:

                          @Tim_G Good Vulnerabilities?

                          I get what you mean, and I think @IRJ is simply stating that Windows is less maintained because of update schedules and patch release schedules.

                          Not exactly. Windows is just more vulnerable by default. There is really no comparison.

                          Do you guys not do vulnerability scanning on your networks? The proof is in the pudding. I challenge you to scan your Windows vs Linux servers to see what I am talking about. Everywhere I have been and done scanning, it has had the same result no matter what the company. Linux is less vulnerable than Windows.

                          Seriously though, don't take my word for it. Test it yourselves.

                          stacksofplatesS DustinB3403D 2 Replies Last reply Reply Quote 2
                          • scottalanmiller

                            The cultural differences are big too. Look at Spiceworks. Nearly everyone runs Windows and there is a huge cultural thing of not patching or not running current versions. No idea why. You only see this in Linux in a weird Ubuntu subset group.

                            Treating Windows like a production level system changes things significantly. Just so many people running it don't.

                            IRJI 1 Reply Last reply Reply Quote 2
                            • IRJ @Obsolesce

                              @Tim_G said in South Korean Firm Pays Massive Ransom:

                              Also, you need to consider what it is that's vulnerable. Is it Linux? Is it Windows?... or is it a program running on top of Linux/Windows such as Apache, Office, or a video driver? That doesn't mean the OS is vulnerable.

                              Does it matter from an attacker's point of view? Windows software by design is usually less secure than Linux software. I mean we are looking at attack surface here. If you scan two web servers (Linux and Windows) the Windows one will be more vulnerable every day of the week.

                              I understand what you are saying, and yes, a lot of Windows vulns come from shitty coded applications. However, we cannot ignore that because it is relevant to protecting servers. Your original statement was:

                              @Tim_G said

                              I'm sure that if Linux was as targeted as Windows is, there would be just as many vulnerabilities found... or at least a lot more than you think. However, I'm sure they would be fixed much faster than Microsoft fixes things, due to being open source.

                              No, there aren't as many vulnerabilities found, and from an attacker's point of view, who cares if they get in because of the OS or because of an IIS flaw or an Adobe Reader flaw? It is the server admin's fault for having Adobe Reader on a server in this case. Maybe we see this pattern because of the difference in mindset between Windows and Linux admins, but for me it's held true in at least a dozen different organizations where I have done this type of work.

                              scottalanmillerS 1 Reply Last reply Reply Quote 1
                              • stacksofplates @IRJ

                                @IRJ said in South Korean Firm Pays Massive Ransom:

                                @DustinB3403 said in South Korean Firm Pays Massive Ransom:

                                @Tim_G Good Vulnerabilities?

                                I get what you mean, and I think @IRJ is simply stating that Windows is less maintained because of update schedules and patch release schedules.

                                Not exactly. Windows is just more vulnerable by default. There is really no comparison.

                                Do you guys not do vulnerability scanning on your networks? The proof is in the pudding. I challenge you to scan your Windows vs Linux servers to see what I am talking about. Everywhere I have been and done scanning, it has had the same result no matter what the company. Linux is less vulnerable than Windows.

                                Seriously though, don't take my word for it. Test it yourselves.

                                Our Nessus scans show far fewer vulnerabilities for patched Linux than patched Windows.

                                You also have to look at the real world examples already. Windows makes up around 15-20% of the web. The rest is Linux. I'm pretty sure it's heavily targeted daily.

                                IRJI 1 Reply Last reply Reply Quote 2
                                • IRJ @stacksofplates

                                  @stacksofplates said in South Korean Firm Pays Massive Ransom:

                                  @IRJ said in South Korean Firm Pays Massive Ransom:

                                  @DustinB3403 said in South Korean Firm Pays Massive Ransom:

                                  @Tim_G Good Vulnerabilities?

                                  I get what you mean, and I think @IRJ is simply stating that Windows is less maintained because of update schedules and patch release schedules.

                                  Not exactly. Windows is just more vulnerable by default. There is really no comparison.

                                  Do you guys not do vulnerability scanning on your networks? The proof is in the pudding. I challenge you to scan your Windows vs Linux servers to see what I am talking about. Everywhere I have been and done scanning, it has had the same result no matter what the company. Linux is less vulnerable than Windows.

                                  Seriously though, don't take my word for it. Test it yourselves.

                                  Our Nessus scans show far fewer vulnerabilities for patched Linux than patched Windows.

                                  You also have to look at the real world examples already. Windows makes up around 15-20% of the web. The rest is Linux. I'm pretty sure it's heavily targeted daily.

                                  Yes, I have used Nessus, OpenVAS, Qualys, and Nexpose. They are all virtually the same, but their results are consistent in showing Linux as more secure than Windows.

                                  1 Reply Last reply Reply Quote 1
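IRJ's challenge is to scan your own Windows and Linux servers and compare, and Obsolesce's counterpoint is that a finding in Apache or Adobe Reader is not the same thing as a finding in the OS. The script below is an added example, not from anyone in this thread and not any scanner vendor's code. It takes a scanner export in CSV form and does the comparison the way IRJ describes (per host, so a fleet of 100 and a fleet of 10 are comparable) while also splitting findings into OS versus third-party software, which is the distinction Obsolesce asks for and the one that tells you which patch process is broken. The CSV rows, the column names and the severity weights are all constructed for this example; real exports from Nessus, OpenVAS, Qualys or Nexpose have their own column layouts, so map those columns onto `host`, `os`, `severity` and `component` first.

```python
import csv
import io
from collections import Counter, defaultdict
from typing import Dict, Set

# Constructed sample export, not real scan output: a generic scanner-CSV shape with one row
# per finding (host, OS family, severity, whether the finding is in the OS itself or in
# third-party software, and a title). Column names are this example's own choice.
SAMPLE_CSV = """host,os,severity,component,finding
10.0.0.11,windows,Critical,third-party,Outdated PDF reader
10.0.0.11,windows,High,os,SMB signing not required
10.0.0.11,windows,Medium,os,Missing cumulative update
10.0.0.12,windows,High,third-party,Outdated Java runtime
10.0.0.12,windows,Low,os,Weak TLS cipher suites offered
10.0.0.21,linux,Medium,third-party,Outdated PHP
10.0.0.21,linux,Low,os,Weak SSH MAC algorithms offered
10.0.0.22,linux,Info,os,OS fingerprint
"""

# Weights are this example's choice, roughly following CVSS-style severity bands.
SEVERITY_WEIGHT = {"Critical": 10, "High": 7, "Medium": 4, "Low": 1, "Info": 0}


def summarize(csv_text: str) -> Dict[str, dict]:
    """Group findings by OS family and normalise per host so fleets of different
    sizes can be compared; Info rows are counted but not treated as actionable."""
    hosts: Dict[str, Set[str]] = defaultdict(set)
    by_severity: Dict[str, Counter] = defaultdict(Counter)
    by_component: Dict[str, Counter] = defaultdict(Counter)
    weighted: Dict[str, int] = defaultdict(int)

    for row in csv.DictReader(io.StringIO(csv_text)):
        os_name = row["os"]
        sev = row["severity"]
        if sev not in SEVERITY_WEIGHT:
            raise ValueError(f"unknown severity {sev!r} on host {row['host']}")
        hosts[os_name].add(row["host"])
        by_severity[os_name][sev] += 1
        if sev != "Info":
            by_component[os_name][row["component"]] += 1
            weighted[os_name] += SEVERITY_WEIGHT[sev]

    summary = {}
    for os_name, host_set in hosts.items():
        n = len(host_set)
        actionable = sum(by_component[os_name].values())
        summary[os_name] = {
            "hosts": n,
            "by_severity": dict(by_severity[os_name]),
            "by_component": dict(by_component[os_name]),
            "actionable": actionable,
            "actionable_per_host": actionable / n,
            "weighted_per_host": weighted[os_name] / n,
        }
    return summary


def third_party_share(summary: Dict[str, dict], os_name: str) -> float:
    """Fraction of actionable findings that sit in third-party software rather than
    the OS itself. A high share points at the application patch process, not the OS."""
    entry = summary[os_name]
    if entry["actionable"] == 0:
        return 0.0
    return entry["by_component"].get("third-party", 0) / entry["actionable"]


def render(summary: Dict[str, dict]) -> str:
    """Plain-text table, one row per OS family, sorted for stable output."""
    lines = ["os        hosts  actionable/host  weighted/host  third-party share"]
    for os_name in sorted(summary):
        e = summary[os_name]
        lines.append(f"{os_name:<9} {e['hosts']:>5}  {e['actionable_per_host']:>15.2f}  "
                     f"{e['weighted_per_host']:>13.2f}  {third_party_share(summary, os_name):>17.0%}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(summarize(SAMPLE_CSV)))
```

Run against a real export, the two numbers worth arguing over are `actionable_per_host` (IRJ's comparison) and `third-party share` (Obsolesce's). The sample is deliberately tiny; on a real fleet, compare like with like as the thread says, a minimal install against a minimal install, before reading anything into the OS column.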
                                  • IRJ @scottalanmiller

                                    @scottalanmiller said in South Korean Firm Pays Massive Ransom:

                                    Treating Windows like a production level system changes things significantly. Just so many people running it don't.

                                    I know many Windows admins who think all they have to do is deploy MS patches and they are safe. It is quite comical, really. They don't patch third-party software with any centralized tool and they don't run vuln scans on their servers. As long as their MS patches are up to date, it is smooth sailing. Who cares if you have Adobe Reader 8 on your server as long as you have MS patches 😉

                                    scottalanmillerS 1 Reply Last reply Reply Quote 0
                                    • DustinB3403 @IRJ

                                      @IRJ I'm working to get a proper security assessment of everything in my org.

                                      I'm also drafting my own documentation on how things are set up, and what is what. So no, I don't run security audits of the items on premise, but wish I could / did.

                                      IRJI 1 Reply Last reply Reply Quote 0
                                      • IRJ @DustinB3403

                                        @DustinB3403 said in South Korean Firm Pays Massive Ransom:

                                        @IRJ I'm working to get a proper security assessment of everything in my org.

                                        I'm also drafting my own documentation on how things are set up, and what is what. So no, I don't run security audits of the items on premise, but wish I could / did.

                                        I can give you some advice on getting started if you'd like. All free, open-source tools 🙂

                                        DustinB3403D 1 Reply Last reply Reply Quote 2
                                        • DustinB3403 @IRJ

                                          @IRJ Sure, let's create a new topic though.

                                          1 Reply Last reply Reply Quote 2
                                          • scottalanmiller @IRJ

                                            @IRJ said in South Korean Firm Pays Massive Ransom:

                                            @scottalanmiller said in South Korean Firm Pays Massive Ransom:

                                            Treating Windows like a production level system changes things significantly. Just so many people running it don't.

                                            I know many Windows admins who think all they have to do is deploy MS patches and they are safe.

                                            I know tons that feel that all they have to do is AVOID patching Windows and they'll be safe. How many people have argued with me that the risk of patching and keeping systems up to date is worse than the threat of malware and hacking! I've literally been told this, over and over again! So many Windows admins fear Windows itself more than they fear anything else.

                                            1 Reply Last reply Reply Quote 2