There has been a great deal of media attention concerning the ‘Gameover ZeuS & Cryptolocker’ threats this week, particularly since the NCA Announcement on Monday, 2nd June 2014. A handful of SureCloud clients and partners have been in contact with us for expert guidance and recommendations to help mitigate the threat.
Why is this different from any other attack?
The size and scale of the operation behind this attack are far greater than any other seen in recent times. The success rate of the attacker/s has been high, which in turn has led to exceptional growth and spread of these threats. The intense level of attention is due solely to the sheer volume of infections and the extent of the botnet’s control over infected machines. Nothing, however, is groundbreaking: the attack vectors, exploitation techniques and delivery methods are no different from many other infections.
Why two weeks?
The NCA and other law enforcement agencies have shut down a large portion of the command and control networks used by the attackers. They have ‘estimated’ a two week window for the criminal organisation/s behind these attacks to be fully functional again; this window may be longer or much shorter.
What is the risk?
The risks of these and similar threats are:
- Infection of machines which are then in turn used to attack the internal network.
- Machines which then form part of a wider attack against other organisations (Distributed Denial of Service etc.) via a BotNet.
- Encryption of system files (including local and network devices) and ‘random’ demands made for decryption of files (which, if paid, then lead to credit card theft, with absolutely no guarantee of receiving the private keys).
How can we protect ourselves?
In spite of the ‘frenzied panic’ depicted in the media, being infected does not necessarily lead to an immediate compromise of your bank account, credit cards, website passwords or other secrets. The delivery mechanism for both of these threats is ‘usually’ via spear phishing. A user or batch of users will receive an email with either a hyperlink to a website or malicious attachment which they are encouraged to open. If clicked/opened, the machine will be infected via a browser-based or third party software-based vulnerability (e.g. Adobe Reader, Flash, Java Runtime etc.).
- It’s critical that users are educated (and continually re-educated) as to these threats and how to identify a spear phishing attack. The same rules apply here: do not follow links within emails or open attachments unless you are absolutely certain of their origin/intention.
- Ensure that browsers, third party software, user machines and servers are kept fully patched and up to date.
- Ensure that backups of all critical files are kept ‘offline’ (separate segregated site or tape) and away from the ‘production’ network. If you are infected, this ensures you are in a position to recover critical data which has (potentially) been encrypted by an attack.
- Apply the principle of least privilege throughout the network, ensuring that users only have access to the network systems/shares that they require in order to perform their job function. This includes ensuring that users are not set as ‘local administrators’ or ‘power users’ on their workstations.
- Ensure that Anti-Virus software versions and definitions are fully up to date, with appropriate alerting in place if machines fall behind.
- Anti-Virus scan and filter all incoming emails before they reach your mail server/users.
- Implement alerting within any network Intrusion Detection Systems (if implemented) to notify of active infections from Zeus P2P Traffic.
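The following is an added example, not SureCloud's code, of a pre-delivery check that could sit alongside Anti-Virus scanning at the mail gateway: it flags executable attachments (including those hidden inside zip archives) and links whose visible text names a different host from the one they point to. The extension list, the sample message and the hosts bank.example and 203.0.113.7 are constructed assumptions.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Assumed block list of directly executable file types; tune to local policy.
RISKY_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".js", ".vbs", ".jar")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def inspect_message(raw):
    """Return a list of reasons to quarantine a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            data = part.get_payload(decode=True) or b""
            if name.lower().endswith(RISKY_EXT):
                findings.append(f"executable attachment: {name}")
            elif zipfile.is_zipfile(io.BytesIO(data)):
                # Look inside archives: the outer file name proves nothing.
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    findings += [f"executable inside {name}: {m}"
                                 for m in zf.namelist()
                                 if m.lower().endswith(RISKY_EXT)]
        elif part.get_content_type() == "text/html":
            for href, text in LINK_RE.findall(part.get_content()):
                shown = re.search(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", text, re.I)
                target = urlparse(href).hostname or ""
                # Visible text names one host but the link goes to another.
                if shown and shown.group(1).lower() != target.lower():
                    findings.append(f"link text {shown.group(1)} -> {target}")
    return findings

def build_sample():
    """Constructed test message: zip attachment plus a mismatched link."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.exe", b"constructed placeholder bytes")
    msg = EmailMessage()
    msg.set_content("See attached.")
    msg.add_alternative('<a href="http://203.0.113.7/">bank.example</a>', subtype="html")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print("\n".join(inspect_message(build_sample())))
```

Messages with a non-empty findings list are candidates for quarantine rather than delivery; a message with no findings has still only passed this one heuristic and should continue through normal Anti-Virus scanning.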
How can SureCloud help?
- SureCloud’s vulnerability scanning has active detections in place for systems missing patches; ensure that authenticated scans are being run on your entire estate frequently.
- SureCloud’s CESG CHECK Approved Penetration Testing team regularly perform IT Health CHECKs (ITHCs) and Penetration Tests for clients. Outside of this, we can offer focused build review, threat analysis and risk consultancy.
- Using the Governance, Risk and Compliance (GRC) functionality in the SureCloud Platform allows users to take a risk-based approach when managing threats, enabling a business-as-usual methodology and in turn a continuous compliance status.
Should you wish to discuss this or any other threats, please contact the SureCloud team today by opening a Support Ticket (https://secure.surecloud.com) or sending an email to support@surecloud.com.
Whilst every effort is made to ensure the accuracy and robustness of any information presented, it is not possible for SureCloud to test every possible scenario an organization may face, and SureCloud cannot be held liable for any loss or damage which may arise from taking action on any of the contents provided. SureCloud strongly advises that all recommendations, solutions and detection methods detailed, are thoroughly reviewed and tested in non-production environments before being considered suitable for production release, in-line with any existing internal change control procedures.