Do You Have MFA Enabled On ALL Remote Access?

Scott Minneman • Jun 18, 2021

NetStandard's Security Minute Series

The DoJ announced that it recovered "most" of the $4.4 million ransom that Colonial Pipeline paid, by seizing the Bitcoin wallet: US recovers most of Colonial Pipeline's $4.4M ransomware payment
  • This news is potentially huge, or potentially a one-time event. Time will tell. Hopefully it sends a message to the ransomware threat actors that the United States is getting serious.
Colonial Pipeline also announced the root cause of its attack: a single legacy account, which was enabled for VPN and did not have MFA. One password allowed hackers to disrupt Colonial Pipeline, CEO tells senators
  • All it takes is one account, one vulnerable weak point, for an attacker to get in. Make sure you have MFA enabled on ALL remote access, not just most!
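As an added example (not from the original post), here is a small Python audit of the kind of inventory check the bullet above calls for: it reads a constructed CSV export of VPN-enabled accounts and flags every enabled account without MFA, marking accounts with no recent logon as legacy candidates to disable rather than merely enroll. The column names, the sample accounts, the audit date and the 90-day "legacy" threshold are all assumptions.

```python
import csv
import io
from datetime import date, datetime, timedelta

# Constructed sample export of accounts allowed to connect to the VPN.
# Column names and values are invented for this example; a real export from
# your directory or VPN concentrator will use its own layout.
VPN_ACCOUNTS_CSV = """\
username,enabled,mfa_enrolled,last_logon
alice,true,true,2021-06-15
bob,true,true,2021-06-17
svc_legacy,true,false,2020-11-02
contractor01,true,false,2021-06-10
carol,false,false,2019-03-01
"""

AUDIT_DATE = date(2021, 6, 18)      # assumption: the day the audit is run
STALE_AFTER = timedelta(days=90)    # assumption: no logon in 90 days = legacy


def audit_vpn_accounts(csv_text, today):
    """Return findings for enabled VPN accounts that are not enrolled in MFA.

    Each finding records whether the account also looks stale (legacy), so the
    reviewer can decide between disabling it and enforcing MFA on it.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["enabled"].strip().lower() != "true":
            continue  # disabled accounts cannot log in; not a remote-access risk
        if row["mfa_enrolled"].strip().lower() == "true":
            continue  # MFA enforced: the state every remote-access account should be in
        last = datetime.strptime(row["last_logon"].strip(), "%Y-%m-%d").date()
        stale = (today - last) > STALE_AFTER
        findings.append({
            "username": row["username"],
            "stale": stale,
            # a stale account with no MFA is the "single legacy account" case:
            # it should be removed, not just fixed
            "recommendation": "disable" if stale else "enforce MFA",
        })
    return findings


def run_audit():
    """Convenience wrapper over the constructed export and audit date."""
    return audit_vpn_accounts(VPN_ACCOUNTS_CSV, AUDIT_DATE)


def summarize(findings):
    """Counts for a quick dashboard line: how many lack MFA, how many are stale."""
    return {"no_mfa": len(findings), "stale": sum(1 for f in findings if f["stale"])}


if __name__ == "__main__":
    results = run_audit()
    for f in results:
        state = "stale" if f["stale"] else "active"
        print(f"{f['username']}: no MFA, {state} -> {f['recommendation']}")
    print(summarize(results))
```

The same loop can be pointed at an export of every remote-access path (VPN, RDP gateway, Citrix, cloud consoles), which is the point of "ALL remote access": one export per path, zero findings on each.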
If you have VMware vCenter, make sure it's patched. A recent critical-severity vulnerability is being actively exploited: This is not a drill: VMware vuln with 9.8 severity rating is under attack | Ars Technica

For those of you that have not gone through a ransomware incident (lucky you!), there's a fascinating live-blog of a company going through it right now: Driftinfo - AK Techotel
  • Look at the time stamps on the posts. Even after the company agreed to pay the ransom, look at how long it took to get the decryption started, and how many problems they still had after that. Paying the ransom does not get you back up and running quickly!

On another note...
