Monthly Archives: January 2018

In-House SOCs Vs. Outsourced – Which Should You Go For

Businesses of all shapes and sizes are moving their networks to the cloud at an increasingly fast rate!

Cloud computing has officially taken off, and with good reason! The benefit of being able to access your network files from anywhere in the world and the promise of potentially unlimited amounts of storage have opened up a world of new possibilities for organizations everywhere.

The new technology, however, has brought its own set of challenges and risks to the IT industry.

The threat of cyber-attacks is more prevalent than it has ever been, and IT security teams need to be on top of their game if they want to keep out this modern generation of hackers. At the same time, organizations are cash-strapped, and most can’t afford to train and keep experienced in-house security staff.

In-house Vs. Outsourced

Modern day companies in the UAE are faced with a simple question: Does it make sense anymore to manage our security in-house, or should we opt for a managed SOC solution?

If your company is facing a similar situation, here are the factors you need to consider in this debate.

Building your own team:

In-house operation centers ultimately suit organizations that value the confidentiality and integrity of their data over the increased expenses.

  • The biggest benefit is that you ultimately have complete control over all of your sensitive data.
  • This minimizes the risk of the loss of critical data that a business may be particular about, like trade secrets or new innovations.
  • The solutions being used can be modified to suit your company’s needs.
  • Certain industries like nuclear or space exploration have regulations in place that make having an in-house team far more desirable.
  • The cost of hiring, training, and retaining specialist staff continues to increase as skill shortages in the industry grow. It is already a more expensive solution than outsourcing.
  • It can take anywhere from 18 to 24 months to hire and set up a new team. Time is a luxury new businesses can’t afford.
  • Most in-house teams won’t have the capacity or the required expertise to identify and respond to threats in real time.


Outsourced security solutions are far more cost-effective and stable for small and medium sized businesses.

  • There’s no time delay. Businesses that decide to outsource instantly get the full services of an experienced, professional team of experts.
  • There’s no 9 A.M. to 5 P.M. schedule with managed SOCs. Your networks are monitored around the clock, 24 hours a day, 365 days a year.
  • You’ll only have to pay the monthly costs which the MSSP charges. There are no additional costs of setting up and training a team.
  • The identification of and response to threats is instant. Third-party service providers have access to technologies and techniques that an in-house team might not even be aware of.
  • Outsourcing creates a dependency on an outside party to manage your security, which can’t be carried out effectively without proper communication.
  • An MSSP might employ solutions or services that are great for the general industry, but don’t suit your specific needs.
  • You lose control over the ability to manage confidential and sensitive information.

Choosing what’s right for you!

When making your decision, ask yourself the following questions:

  • What is my current approach, and how efficiently is it working out?
  • Do I have the budget to hire and retain an in-house team full time?
  • How confidential is the data?

You’ll also want to consider the physical safety of your offices. A managed SOC allows you to monitor both virtual and physical networks at the same time, thanks to the advances in ELV systems like CCTV cameras and motion sensors etc.


via:  managedsecurity

AT&T Aims to Deploy 5G in 2018

Carrier announces it plans to be the first in the U.S. with 5G this year.

After years of development and hype about 5G's potential, 2018 is likely going to be the year in which 5G wireless is officially deployed in the U.S., and AT&T is predicting that it will be the first U.S. carrier to do so.

AT&T announced on Jan. 4 that it expects to deploy 5G in at least 12 cities across the U.S. by the end of 2018.

“5G will change the way we live, work and enjoy entertainment,” Melissa Arnoldi, president, AT&T Technology and Operations, said in a statement. “We’re moving quickly to begin deploying mobile 5G this year and start unlocking the future of connectivity for consumers and businesses.”

“With faster speeds and ultra-low latency, 5G will ultimately deliver and enhance experiences like virtual reality, future driverless cars, immersive 4K video and more,” Arnoldi added.



via:  enterprisenetworkingplanet


240,000 Federal Employees’ PII Potentially Exposed in DHS Data Breach


A data breach involving the U.S. Department of Homeland Security (DHS) might have exposed more than 240,000 current and former federal employees’ personally identifiable information (PII).

On 3 January, DHS published a statement about the security incident. In it, Chief Privacy Officer Phillip S. Kaplan reveals that the U.S. Attorney’s Office and the Department of Homeland Security’s Office of the Inspector General (OIG) discovered the breach on 10 May 2017 as part of a criminal investigation. Officials specifically found an unauthorized copy of the Department’s investigative case management system in the possession of a former DHS OIG employee.

At the time of its discovery, that copied DHS OIG system contained the PII of two separate groups. First, it contained the names, Social Security Numbers, dates of birth, and employment information for 247,167 current and former federal government employees whom DHS directly employed in 2014. Second, it stored names, email addresses, physical addresses, Social Security Numbers, phone numbers, and other data for individuals who were involved in a DHS OIG investigation between 2002 and 2014.

Kaplan is confident that external actors weren’t responsible for the breach and that potentially affected individuals’ PII was not the main target of the incident.

The Department of Homeland Security had its reasons for waiting until 18 December, some seven months after discovery, to send notifications to all possible victims. As it explains in the statement:

The investigation was complex given its close connection to an ongoing criminal investigation. From May through November 2017, DHS conducted a thorough privacy investigation, extensive forensic analysis of the compromised data, an in-depth assessment of the risk to affected individuals, and comprehensive technical evaluations of the data elements exposed. These steps required close collaboration with law enforcement investigating bodies to ensure the investigation was not compromised.

DHS also took the time to introduce additional security measures that limit who can access the types of information exposed in the data breach and that can better monitor suspicious access patterns.

While the Department continues to work to better secure its systems, potential victims of the incident can take advantage of 18 free months of AllClear services that can help protect them against identity theft and credit card fraud. They should also consider placing a security freeze on their credit reports with TransUnion, Experian, Equifax, and Innovis.


via:   tripwire

VERT Threat Alert: CPU Vulnerabilities – Meltdown and Spectre


Meltdown and Spectre are hardware design vulnerabilities in CPUs utilizing speculative execution.

While the defect exists in the hardware, mitigations in operating systems are possible and are currently available.

CPU hardware implementations are vulnerable to side-channel attacks referred to as Meltdown and Spectre. The issues are organized into three variants:

  • CVE-2017-5753, Spectre Variant 1: CPUs utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
  • CVE-2017-5715, Spectre Variant 2: Branch target injection
  • CVE-2017-5754, Meltdown: allows attackers to read arbitrary physical memory (including kernel memory) from an unprivileged user process.

These attacks are possible due to the interaction between operating system memory management and CPU implementation optimization choices.

The Linux kernel mitigations for this vulnerability are referred to as KAISER, and subsequently KPTI, which aim to improve separation of kernel and user memory pages.


Attacks require the ability to execute code locally on a target system. Typically, this type of attack requires a valid account or independent compromise of the target. Attacks using JavaScript in web browsers are also possible. Multi-user and multi-tenant systems (including virtualized environments) likely face the greatest risk. Systems used to browse arbitrary web sites are also at risk. Single-user systems that do not readily provide a way for attackers to execute code locally face significantly lower risk.


Vendors are releasing patches for vulnerable systems and cloud environments like Amazon and Azure are patching the operating systems they deliver.


ASPL-759, shipped on January 5, 2018, contained checks for the following products:

  • Microsoft Windows Patches/Mitigations for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754 (x64 only)
  • Microsoft SQL Server 2016 & 2017 Patches/Mitigations for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754
  • RHEL Patches/Mitigations for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754
  • CentOS Patches/Mitigations for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754
  • VMware ESXi Patches/Mitigations for CVE-2017-5715, CVE-2017-5753
  • OEL Patches/Mitigations for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754
  • Amazon Linux Patches/Mitigations for CVE-2017-5754
  • Apple Mac OS Patches/Mitigations for CVE-2017-5754
  • Google Chrome, Mozilla Firefox, Microsoft Internet Explorer related mitigation detection.
  • Host Information indicating the values of related Microsoft Windows Server registry configuration.



via:  tripwire

How to Check and Update Windows Systems for the Meltdown and Spectre CPU Flaws

We hope here to present a simple, dumbed-down, step-by-step article on how to get these updates and navigate Microsoft’s overly complicated announcement.

There are four Microsoft help pages that we used to compile this information, which you may also want to read, just in case:


1) Guidance for Windows desktop users
2) Guidance for Windows Server users
3) Security advisory ADV180002 (contains KB numbers for update packages)
4) Update compatibility warning for users with third-party anti-virus software


The key and most important sentence on all these pages is:

To help prevent stop errors caused by incompatible anti-virus applications, Microsoft is only offering the Windows security updates released on January 3, 2018 to devices running anti-virus software from partners who have confirmed their software is compatible with the January 2018 Windows operating system security update.

What does this mean?

It means that if you go to the Windows Update section of your Windows operating system, press “Check for updates,” and something comes up, you’re safe to install it.

Windows update packages (KB numbers) are available here. A different KB number will appear, depending on your operating system and hardware platform.

If nothing comes up, that means Windows has detected the presence of an incompatible anti-virus (AV) application on your system.

The whole mess with anti-virus programs

Microsoft says that during tests, it detected some anti-virus programs causing BSOD crashes that prevented computers from booting after the installation of the Meltdown and Spectre patches.

The company says it instructed anti-virus vendors to modify their products and create a registry key on customers’ computers once they’ve confirmed or updated their products, so as not to crash Windows PCs after the Meltdown/Spectre updates.

Microsoft says that currently, whenever users want to update Windows, its update system will check for that registry key on users’ PCs.

If the key exists, the Windows update process will believe the anti-virus software received an update to support the Meltdown and Spectre patches, and install the proper OS updates as well.

This is where things get messy. Some AV companies have said they don’t plan to create that registry key, some said they cannot “technically” create that key, while others will ship updates in the following days.

This Google Docs file contains a list of the responses from some AV companies.

In simple terms, most AV users will have to wait, as most AV companies have promised to update their products and automatically add the registry key.

The simplest way to go about this is to visit the Windows Update section every day and press the “Check for updates” button; you’ll receive the update once your AV product creates that registry key.

If you’re one of the unlucky souls whose AV company doesn’t plan to add that registry key, this is a .reg file Bleeping Computer put together to automatically create the following registry key for you.

Key="HKEY_LOCAL_MACHINE" Subkey="SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat" Value="cadca5fe-87d3-4b96-b7fb-a231484277cc" Type="REG_DWORD"

We’ll display this in red so it sticks out. Do not run the .reg file unless you’ve confirmed with your AV vendor that they’re compatible with the Meltdown and Spectre patches.

Once you’ve run the file or added the registry key manually, your PC will receive the patches for the Meltdown and Spectre vulnerabilities.

How can you check the status of the patches?

Microsoft has also released a set of Powershell one-liners that you can use to check if your PC installed the updates properly, or if you need additional firmware updates.

When starting PowerShell, make sure you start it with Admin privileges so that you can install the required modules.

The Powershell command below will download and install a Powershell module for testing for the Meltdown and Spectre flaws.

Install-Module SpeculationControl

If you run the command and get execution errors, you might need to adjust your Powershell execution policy. Run the following command:

Set-ExecutionPolicy Bypass

Now you can run a second PowerShell command that actually checks your system:

Get-SpeculationControlSettings

Google says that not all CPUs are vulnerable to the Meltdown and Spectre flaws, but if the result looks like this, with lots of red-colored text, then your CPU and OS are vulnerable to these attacks. Most likely, it looks like this.

Before patches

The next step is to press the “Check for updates” button until you receive a Meltdown/Spectre patch. As explained above, this might take a few days for some users with “problematic” anti-virus software.

Windows Update for Meltdown and Spectre patches

After the updates, you’ll need to run Get-SpeculationControlSettings again. There are two possible scenarios.

The most common scenario is the following result:

After patches, but needed more firmware updates

The image means that your system received patches for the Meltdown bug, but has received incomplete patches for the Spectre bug.

This was to be expected, as Google said yesterday that Spectre is harder to exploit, but also harder to patch.

What the red text means is that you need additional chipset firmware updates. Microsoft and Google say that OEMs will need to provide users with these additional firmware updates to complete the Windows OS-level Spectre patches. Depending on your computer’s age, some OEMs might not make these firmware updates available, meaning you’ll be stuck with an incomplete Spectre patch.

If your laptop/desktop/server vendor has provided extra chipset firmware updates, you can get them from their official sites, install them, and complete the patch.

If everything is OK, all checks will appear in green-colored text, like so:

Complete Meltdown and Spectre patches

When the output is all green and each item is set to True, as shown above, then you are now protected from these attacks.

Once you’re done, remember to set the PowerShell execution policy back to a restricted mode, which may be useful in mitigating malware attacks that use PowerShell to run malicious commands.
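As an added example (not from the Bleeping Computer article or from Microsoft), the script below ties the two checks from this guide together: it reports whether the QualityCompat registry value that Windows Update looks for is present, then condenses the Get-SpeculationControlSettings output into a per-variant verdict. It assumes the SpeculationControl module is already installed and that its output uses the property names the module returned in its January 2018 releases; it only reads state and never creates the registry value.

```powershell
# Added example, not from the original article. Read-only: it does NOT create the
# QualityCompat value. Assumes the SpeculationControl module is installed
# (Install-Module SpeculationControl) and returns the January 2018 property names.

# Relax the execution policy for this process only, instead of changing the
# machine-wide policy as a bare "Set-ExecutionPolicy Bypass" does.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force

function Test-QualityCompatValue {
    # The AV-compatibility gate: Windows Update offers the January 2018 updates only
    # when this REG_DWORD value exists under QualityCompat.
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
    $name = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Present = $false; Data = $null }
    }
    return [pscustomobject]@{ Present = $true; Data = $item.$name }
}

function Get-SpectreMeltdownSummary {
    Import-Module SpeculationControl -ErrorAction Stop
    # Prints its own colored report as a side effect and returns a settings object.
    $s = Get-SpeculationControlSettings

    # Spectre Variant 2 (CVE-2017-5715, branch target injection) is mitigated only when
    # the CPU firmware exposes the new controls AND the OS support is present and enabled.
    $spectreV2 = [bool]$s.BTIHardwarePresent -and
                 [bool]$s.BTIWindowsSupportPresent -and
                 [bool]$s.BTIWindowsSupportEnabled

    # Meltdown (CVE-2017-5754): either this CPU does not need kernel VA shadowing,
    # or KVA shadowing is present and enabled.
    $meltdown = (-not [bool]$s.KVAShadowRequired) -or
                ([bool]$s.KVAShadowWindowsSupportPresent -and
                 [bool]$s.KVAShadowWindowsSupportEnabled)

    [pscustomobject]@{
        SpectreV2Mitigated   = $spectreV2
        # OS support installed but no firmware support: the "incomplete Spectre patch"
        # case from the article, which only an OEM firmware update can complete.
        FirmwareUpdateNeeded = [bool]$s.BTIWindowsSupportPresent -and -not [bool]$s.BTIHardwarePresent
        MeltdownMitigated    = $meltdown
    }
}

$gate = Test-QualityCompatValue
if (-not $gate.Present) {
    Write-Warning 'QualityCompat value missing: Windows Update will not offer the January 2018 patches yet.'
}
Get-SpectreMeltdownSummary | Format-List

# Restore a restrictive policy for the rest of this session, as the article advises.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Restricted -Force
```

Run it from an elevated PowerShell before and after applying the updates; a result of SpectreV2Mitigated False with FirmwareUpdateNeeded True is the "needed more firmware updates" scenario described above.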



via:  bleepingcomputer

Permissions Flaw Found On Azure AD Connect

A permissions flaw in Microsoft’s Azure AD Connect software could allow a rogue admin to escalate account privileges and gain unauthorized universal access within a company’s internal network.

Microsoft issued an advisory for the vulnerability. Affected are Office 365 customers running Microsoft’s Active Directory Domain Services in conjunction with Azure AD Connect software installed with the Express Settings, according to Preempt Security, which first identified the vulnerability.

Microsoft didn’t release a patch to fix the bug, rather it made available a PowerShell script that adjusts the permissions of the Active Directory domain accounts to protect customers from the vulnerability. Microsoft also said future versions of affected software (after version 1.1.654.0) would not be impacted by this vulnerability.

“Before this release, the account was created with settings that allowed a user with password administrator rights the ability to change the password to a value known to them. This allowed you to sign in using this account, and this would constitute an elevation of privilege security breach. This release tightens the setting on the account that is created and removes this vulnerability,” Microsoft states.

The flaw allows trusted users with limited or temporary privileges within a domain, such as the ability to change passwords or add users to administrative groups, to escalate privileges, said Roman Blachman, CTO and co-founder of Preempt.

He said there are several scenarios where “stealthy admins” can elevate their access within a domain. One way is a rogue technical support operator (or “stealth admin”) could use their limited privilege of managing passwords to change the password of a domain administrator. They could then login as the domain administrator and configure their own profile with greater access to the company’s network.

“The flaw allows a support operator to replicate all of the domain passwords of every user and compromise any account in the domain and give themselves full administrator rights,” Blachman said. “So, this support operator could go from having limited access to making themselves a domain admin.”

In another attack scenario, a rogue admin with limited privileges of adding and removing users from administrative groups could simply add themselves to a group with more privileges.

To circumvent detection, Preempt said a stealthy admin would alternatively target the MSOnline (MSOL) PowerShell Module, part of Windows Azure Active Directory. “Such (service) accounts are often less monitored than full domain admins even though they have relatively high privileges,” the researchers said.

“Imagine a help desk technician with permissions to reset non-admin passwords but no other domain admin privileges. Because the MSOL account is generated under the Built-in Users container, and the Built-in Account Operators group (e.g. helpdesk team) has permissions to reset passwords for the Built-in Users container, this gives the account operator full de facto access to domain passwords, as well as other elevated privileges (e.g. Domain Admin),” the researchers wrote in a technical write-up of the vulnerability.

Using the aforementioned technique, Blachman said, it is possible for an admin to escalate their privileges via the MSOL service account.

“Now the stealthy admin can log into Azure AD Connect and reconfigure the account so everything would work properly and no one would ever notice the changes to the account,” Blachman said. 

“Microsoft acknowledged the issue and has released a Microsoft Security Advisory 4056318 and a PowerShell script that addresses the flaw by adjusting the permissions of the Active Directory domain accounts to modify properties of the AD DS synchronization account (MSOL),” Preempt said.
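An audit check added here (not from the Threatpost article, Preempt's write-up, or Microsoft's remediation script) that lists every principal granted the Reset Password extended right on the Azure AD Connect synchronization account(s), which Express Settings names MSOL_ followed by an identifier. BUILTIN\Account Operators appearing in the output is exactly the condition the write-up describes. It assumes the RSAT ActiveDirectory module and a domain-joined session with read access to the account objects.

```powershell
# Added example, not from the original article or Microsoft's script. Assumes the RSAT
# ActiveDirectory module (which also provides the AD: drive that Get-Acl reads).
Import-Module ActiveDirectory -ErrorAction Stop

# Schema GUID of the User-Force-Change-Password ("Reset Password") extended right.
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$GenericAll   = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function Get-SyncAccountResetPasswordGrants {
    param(
        # Azure AD Connect Express Settings names the AD DS sync account MSOL_<id>.
        [string]$NamePattern = 'MSOL_*'
    )
    $accounts = Get-ADUser -Filter "SamAccountName -like '$NamePattern'"
    foreach ($acct in $accounts) {
        $acl = Get-Acl -Path ("AD:\" + $acct.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $rights = $ace.ActiveDirectoryRights
            # An ACE confers a password reset in three ways: GenericAll, the specific
            # extended right, or all extended rights (ExtendedRight with an empty ObjectType).
            $grantsReset =
                (($rights -band $GenericAll) -eq $GenericAll) -or
                ((($rights -band $ExtendedRight) -eq $ExtendedRight) -and
                 ($ace.ObjectType -eq $ResetPasswordRight -or $ace.ObjectType -eq [Guid]::Empty))
            if ($grantsReset) {
                [pscustomobject]@{
                    SyncAccount = $acct.SamAccountName
                    # Parent container (approximate split on the first comma of the DN);
                    # Express Settings places the account under the built-in Users container.
                    Container   = ($acct.DistinguishedName -split ',', 2)[1]
                    Trustee     = $ace.IdentityReference.Value
                    Rights      = $rights
                    Inherited   = $ace.IsInherited
                }
            }
        }
    }
}

# Review the trustees. Anything beyond Domain Admins, SYSTEM and the account itself
# (in particular BUILTIN\Account Operators, inherited from the Users container) means the
# weak permission is still in place and the remediation script from advisory 4056318
# has not yet been applied.
Get-SyncAccountResetPasswordGrants | Format-Table -AutoSize
```

Re-run the audit after applying Microsoft's script to confirm the inherited Account Operators grant is gone; the same query also serves as a recurring control, since any later delegation on the Users container would reintroduce the exposure.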


via:  threatpost

How to Protect Your Devices Against Meltdown and Spectre Attacks–Quick Guide

Two recently uncovered processor vulnerabilities, called Meltdown and Spectre, have taken the whole world by storm, while vendors are rushing out to patch the vulnerabilities in their products.

The issues apply to all modern processors and affect nearly all operating systems (Windows, Linux, Android, iOS, macOS, FreeBSD, and more), smartphones and other computing devices made in the past 20 years.

What are Spectre and Meltdown?

We have explained both, Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753, CVE-2017-5715), exploitation techniques in our previous article.

In short, Spectre and Meltdown are the names of security vulnerabilities found in many processors from Intel, ARM and AMD that could allow attackers to steal your passwords, encryption keys and other private information.


Both attacks abuse ‘speculative execution’ to access privileged memory—including those allocated for the kernel—from a low privileged user process like a malicious app running on a device, allowing attackers to steal passwords, login keys, and other valuable information.

Protect Against Meltdown and Spectre CPU Flaws

Some, including US-CERT, have suggested the only true patch for these issues is for chips to be replaced, but this solution seems to be impractical for the general user and most companies.

Vendors have made significant progress in rolling out fixes and firmware updates. While the Meltdown flaw has already been patched by most companies like Microsoft, Apple and Google, Spectre is not easy to patch and will haunt people for quite some time.
Here’s the list of available patches from major tech manufacturers:

Windows OS (7/8/10) and Microsoft Edge/IE

Microsoft has already released an out-of-band security update (KB4056892) for Windows 10 to address the Meltdown issue and will be releasing patches for Windows 7 and Windows 8 on January 9th.

But if you are running a third-party antivirus software then it is possible your system won’t install patches automatically. So, if you are having trouble installing the automatic security update, turn off your antivirus and use Windows Defender or Microsoft Security Essentials.

“The compatibility issue is caused when antivirus applications make unsupported calls into Windows kernel memory,” Microsoft noted in a blog post. “These calls may cause stop errors (also known as blue screen errors) that make the device unable to boot.”

Apple macOS, iOS, tvOS, and Safari Browser

Apple noted in its advisory, “All Mac systems and iOS devices are affected, but there are no known exploits impacting customers at this time.”

To help defend against the Meltdown attacks, Apple has already released mitigations in iOS 11.2, macOS 10.13.2, and tvOS 11.2, and has planned to release mitigations in Safari to help defend against Spectre in the coming days.

Android OS

Android users running the most recent version of the mobile operating system released on January 5 as part of the Android January security patch update are protected, according to Google.


So, if you own a Google-branded phone, like Nexus or Pixel, your phone will either automatically download the update, or you’ll simply need to install it. However, other Android users have to wait for their device manufacturers to release a compatible security update.

The tech giant also noted that it’s unaware of any successful exploitation of either Meltdown or Spectre on ARM-based Android devices.

Firefox Web Browser

Mozilla has released Firefox version 57.0.4 which includes mitigations for both Meltdown and Spectre timing attacks. So users are advised to update their installations as soon as possible.

“Since this new class of attacks involves measuring precise time intervals, as a partial, short-term mitigation we are disabling or reducing the precision of several time sources in Firefox,” Mozilla software engineer Luke Wagner wrote in a blog post.

Google Chrome Web Browser

Google has scheduled the patches for Meltdown and Spectre exploits on January 23 with the release of Chrome 64, which will include mitigations to protect your desktop and smartphone from web-based attacks.

In the meantime, users can enable an experimental feature called “Site Isolation” that can offer some protection against the web-based exploits but might also cause performance problems.

“Site Isolation makes it harder for untrusted websites to access or steal information from your accounts on other websites. Websites typically cannot access each other’s data inside the browser, thanks to code that enforces the Same Origin Policy.” Google says.

Here’s how to turn on Site Isolation:

  • Copy chrome://flags/#enable-site-per-process and paste it into the URL field at the top of your Chrome web browser, and then hit the Enter key.
  • Look for Strict Site Isolation, then click the box labelled Enable.
  • Once done, hit Relaunch Now to relaunch your Chrome browser.

Linux Distributions

The Linux kernel developers have also released patches for the Linux kernel with releases including versions 4.14.11, 4.9.74, 4.4.109, 3.16.52, 3.18.91 and 3.2.97, which can be downloaded from

VMware and Citrix

A global leader in cloud computing and virtualization, VMware, has also released a list of its products affected by the two attacks and security updates for its ESXi, Workstation and Fusion products to patch against Meltdown attacks.

On the other hand, another popular cloud computing and virtualization vendor Citrix did not release any security patches to address the issue. Instead, the company guided its customers and recommended them to check for any update on relevant third-party software.



via: thehackernews

Macos LPE Exploit Gives Attackers Root Access

A researcher that goes by the handle “Siguza” released details of a local privilege escalation attack against macOS that dates back to 2002. A successful attack could give adversaries complete root access to targeted systems.

Siguza released details of the attack on Dec. 31 via Twitter, wishing followers a “Happy New Year” and linked to a technical write-up outlining the research.

The local privilege escalation (LPE) attack requires a pre-existing foothold on targeted systems. For that reason, LPEs are generally not considered critical vulnerabilities.

“An attacker needs to already have a presence on the system to take advantage of this vulnerability. This could be through infecting the target system via a remote vulnerability, such as a Safari bug, or could be through physical access, such as on a kiosk-type system,” said Jasiel Spelman, senior vulnerability researcher with Zero Day Initiative.

The most troubling thing about this vulnerability is that it has existed for years, said Jason Haddix, head of trust and security at Bugcrowd. “We see this every so often where a bug has been latent in a system for years and no one has found it – or we hope no one has. It does go to show that automation, which Apple is no-doubt using, is not a catch-all solution for finding bugs.”

Apple did not return a request for comment for this story.

The vulnerability identified by Siguza allows for compromise of the IOHIDFamily macOS kernel driver from a process with low privileges. IOHIDFamily is a kernel extension that provides an interface for human interface devices, such as keyboards and mice, which can be implemented by vendors, according to ZDI.

“This particular code path is only supposed to be used by a privileged process known as WindowServer, however part of this attack involves breaking the assumption that WindowServer will interact with this particular component within IOHIDFamily,” Spelman said.

An attacker wanting to exploit the vulnerability has several options, depending on the level of access already gained on the targeted system.

“Even in the most extreme case, where an attacker must first compromise an unprivileged process, evidence of the attack may be visible to the user. Specifically, in order to trigger this bug, the user must logout, either forcibly by the attacker, or manually by the user while the attacker’s code waits for an opportune moment. If successful, the attacker will be able to escalate to have kernel privileges,” ZDI wrote.

Spelman said this type of vulnerability, where data from userland is trusted, has existed for years. “The assumption that was made, and unfortunately not enforced, was that only a trusted process would be able to access the vulnerable code path. The researcher managed to break that assumption through the use of the forced logout,” he said.

Siguza stated via Twitter he declined to first share his research of the macOS exploit with Apple and opted instead to post it online for maximum exposure to the problem.


“My primary goal was to get the write-up out for people to read. I wouldn’t sell to blackhats because I don’t wanna help their cause. I would’ve submitted to Apple if their bug bounty included macOS, or if the vuln was remotely exploitable,” Siguza said in a tweet.

A patch for the bug is expected by Apple later this month as part of a cumulative update, say experts.


via:  threatpost

Health Care System Notifies 29K Patients of Privacy Breach

An American health care system is notifying 29,000 patients of a privacy breach that might have exposed their medical records.

On 29 December 2017, SSM Health published a statement about a security incident it had learned about two months earlier. The not-for-profit organization, which employs 1,600 physicians and 33,000 other individuals in Wisconsin, Oklahoma, Illinois, and Missouri, launched an investigation to determine what had happened. Its analysis revealed that a former employee at a customer care call center had inappropriately accessed protected health information (PHI), specifically medical records belonging to a small number of patients who had a controlled substance prescription and a primary care physician in St. Louis.

The statement clarifies that the employee had access to PHI, including demographic and clinical information, in order to perform the duties of his job.

It’s believed the event, which qualifies as a privacy breach under the Health Insurance Portability and Accountability Act (HIPAA), first started on 13 February 2017.

SSM Health is currently in the process of notifying all 29,000 patients whose information the former employee might have accessed. Those victims can take advantage of identity theft protection services offered to them by SSM Health at no cost. Additionally, while it works with the Office for Civil Rights and local law enforcement to better understand what happened, the provider is taking steps to better secure its systems and monitor employee access.

Scott Didion, system privacy officer at SSM Health, has apologized to all those whom the incident might have affected:

We take very seriously our role of safeguarding our patients’ personal information, and we deeply regret any inconvenience or concern this situation may have caused our patients.

In an age of insider threats and other digital security risks, it’s important that companies take the necessary steps to maintain the security and integrity of their electronic medical record (EMR) systems. Learn how Tripwire can help in that regard here.


via:  tripwire

School District to Spend $314K on Rebuilding Servers after Malware Attack

A school district in North Carolina intends to spend $314,000 on rebuilding more than a dozen servers affected by a malware attack.

On 27 December 2017, the board for Rockingham County School District held an emergency meeting and voted 7-1 to approve a 12-month, $314,000 service contract with Georgia-based technology solutions provider ProLogic ITS. The contract, which is currently pending review, will give 10 Level 3 and 4 engineers at ProLogic the necessary funding to rebuild 20 servers after the school district suffered a malware attack. It will also cover virus mitigation services offered by the provider, including on-site imaging for 12 servers and 3,000 client systems.

Greensboro News & Record reports that the monies, which will come out of the school’s unrestricted fund balance of approximately $5 million, will cover a total of 1,200 onsite repair hours. It’s estimated the cleanup won’t take longer than a month.

According to WMFY, the malware infection occurred on 11 December 2017 when employees at Bethany Elementary, Western Rockingham Middle School, and the district’s Central Office opened an “incorrect invoice” email that appeared to come from Rockingham County School District’s antivirus provider. The email used that lure to trick the employees into clicking on a Microsoft Word document containing Emotet, a trojan which injects itself into the networking stack and software modules of an infected machine. From those locations, the malware can steal financial and personal information, perform distributed denial-of-service (DDoS) attacks on other systems, and distribute additional banking trojans.

Tech Scout’s Kent Meeker is familiar with Emotet and says the malware is difficult to remove from an infected server. As he told WMFY in a separate article:

So if you click on something that you shouldn’t or didn’t know about it can immediately load that onto your system, and if you don’t have the right virus protection, or malware protection, it will get right through and just kind of live on the machine. It may lay dormant for a while before it activates itself, and starts doing crazy stuff. This seems like something that probably, hopefully should have been caught and now this is the repercussions of that. They are going to have to go in and rebuild all of these machines, all of these servers to get rid of it because once it is embedded in the system, it is really rough getting it out. Now, I think they are just doing everything they can to get rid of it. It is not a small deal, but it is rectifiable. It always is.

Three days after the infection occurred, the school’s administrative office received reports of machines not being able to connect to the school’s network. This prompted officials on 19 December to order that teachers and staff leave their computers behind during the winter break. The school district then worked to try to clean up the virus over the holidays.

Rockingham County School District’s administration has said the malware attack didn’t expose any data.



Kacey Sensenich, CTO at the district, rearticulated those thoughts for Greensboro News & Record:

There is no concern when it comes to financial data in Rockingham County Schools. That is all secure. None of that was compromised. The worst thing that we’ve had happen is it was able to grab people’s email and their login information and then re-spam out. We asked people to change their password. …As far as data, personnel records, all those horror stories you have, at this time we have no evidence of that [being compromised] and the security team is helping validate for us.

The $314,000 contract will cover the costs of rebuilding 20 of the school district’s servers. Even so, Rockingham will also need to pay for the replacement of teacher devices affected by the malware. Superintendent Dr. Rodney Shotwell says that amount could be as much as $834,000.

News of this attack follows several months after ransomware attackers demanded $19,000 from a California school district for a decryption key that would unlock its encrypted data.


via:  tripwire