
bloody bloody cryptolocker bloody

Discussion in 'Business & Enterprise Computing' started by Joshhy, Sep 12, 2014.

  1. Daemon

    Daemon Member

    Joined:
    Jun 27, 2001
    Messages:
    5,475
    Location:
    qld.au
    Fortinet can do it with FortiOS 5.2 onwards, but I haven't tried it.
     
  2. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,678
    I hear that sort of thing heaps when questioning people's real-world experiences.

    "Yeah, our X can do Y... But I haven't tried it"

    Then when push comes to shove and you enable it, it either rapes the box and you have to turn it off, or you spend $Fuckton getting a bigger box. Or it "works", but it's so intrusive or terrible that it breaks other functionality.
     
  3. IACSecurity

    IACSecurity Member

    Joined:
    Jul 11, 2008
    Messages:
    760
    Location:
    ork.sg
    There is a reason I explicitly asked if it was DONE, not can be done. Have a customer with a few 500Mb/s internet feeds, and doing a bunch of work, some of which is replacing Checkpoints with Palos, but would love some real-world examples of some of the more beneficial components. Everyone I know with Palos talks them up about all the advanced crap, but only uses stuff that's equivalent to ASA/CP AI/Protocol analysis stuff.

    The fancy-pants Palo stuff is a pretty considerable burden on the boxes, but a few 5000 series are big enough... in theory.
     
  4. Daemon

    Daemon Member

    Joined:
    Jun 27, 2001
    Messages:
    5,475
    Location:
    qld.au
    Both the Palo Alto and Fortinet systems are quite good, so I'd believe it works as advertised. They've had fairly granular application control for a while, I've just never configured either system for end user style applications. However, the throughput figures they quote (at least on the mid tier systems) do line up with what they say and the IPS engine is quite mature on both platforms.

    I've used the IPS and Application control on both the Palo and Fortigate systems and both have worked well. The Fortigate isn't quite as advanced but considerably cheaper with great performance. Content checks on the Fortigate boxes are handled by dedicated ASIC chips, so they're quite fast. Utilising the IPS and Application monitoring works well on the Fortigate systems, which is what I have the most experience with (and currently deploy). Real-world experience is that the advanced features do work as intended, I just haven't used the deep application inspection side.
     
    Last edited: Dec 1, 2014
  5. m0n4g3

    m0n4g3 Member

    Joined:
    Aug 5, 2009
    Messages:
    3,744
    Location:
    Perth, WA
    We have PA and it can do both, I believe. There are quite a few detailed things you need to set up (our Network Admin looks into it).

    I've had a little bit of a sticky beak into the PA and the amount of options for FB is damn detailed.

    I'll get a list from our NA guy on what can be done.
     
  6. bsbozzy

    bsbozzy Member

    Joined:
    Nov 11, 2003
    Messages:
    3,925
    Location:
    Sydney
    Have done Facebook - allow base but no posting, no apps, no media. Not on 500Mb links, but 100Mb links on a few 3020s.

    At least with the Palos, when they tell you that after enabling all the features you will roughly halve the throughput - which they do explicitly mention - unlike the chec..............
     
  7. g00nster

    g00nster Member

    Joined:
    Sep 10, 2004
    Messages:
    353
    Location:
    Melbourne
    This was from the WatchGuard platform -

    Example 1: We allow dropbox & iCloud. All other file sharing is blocked.

    Example 2: Yep, Facebook is allowed. All Facebook games/dating and all that other crap are blocked.

    There's quite a lot in the application control. Other things worth disabling are p2p/proxy avoidance/TOR
     
  8. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,678
    That's not Example 1... That's not Example 1 at all
     
  9. g00nster

    g00nster Member

    Joined:
    Sep 10, 2004
    Messages:
    353
    Location:
    Melbourne
    You are right, it's not, because we don't use Example 1, but yes, it's been tested and works.

    For Dropbox you've got two behaviour options (Authority or Access) and can configure Allow or Drop for either.

    If I configure the application to allow 'Authority' but drop 'Access', it means I can log in to Dropbox.com and navigate all folders but I can't download/read any files (I'll get a popup saying connection interrupted).

    If I change both to deny, both the website and the client die. No connection at all.
     
  10. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,678
    So one of the Auspost ones got flagged for us today, so I thought I'd take a look at it.

    Link takes you to a hacked web app install, that redirects you to a fake auspost page.

    Fake auspost page requires a captcha to be filled before the link becomes active.

    Clicking other links asks me to download the file before I can 'track my package'

    Clicking it then tells me I should install WinRAR so I can open it.

    Opening it then provides me with a pdf_information_about_your_parcel.exe

    That is the payload.

    Fuck, it's a long-winded process to get yourself infected these days... It reminds me of ye olde manual virus, where there was some sigged ASCII art prompting you to copy it into your own signature to spread it.

    So on an up-to-date system, to get myself cryptolockered I need to take about 5 steps.

    Son, I am disappoint. They don't even use any of the freely available RCEs for Acrobat that would make it an *actual* PDF file... it's just a single exe in a zip.
     
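The lure above ends in a single executable inside a zip, named so that it reads as a PDF. An attachment filter should look at both the member name and the member bytes, since a renamed PE still starts with the `MZ` stub. The following is an added example written for this thread, not code from the original post or from any product discussed here; the sample archives are constructed in-memory and contain a stub header rather than a real payload, and the extension and decoy-word lists are assumptions (common, not exhaustive).

```python
"""Inspect a zipped mail attachment for the "single exe in a zip" lure
described in the post above.  Added example, not code from the original
post; the sample archives are constructed here and contain no real payload."""
import io
import re
import zipfile
from dataclasses import dataclass, field

# Extensions Windows will run on double-click (assumption: common, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "msi", "lnk", "cpl"}
# Document words attackers borrow to make an executable look like a document
# (assumption: a short illustrative list).
DECOY_WORDS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt",
               "invoice", "tracking"}


@dataclass
class Finding:
    member: str
    reasons: list = field(default_factory=list)


def _name_parts(member: str):
    """Return (tokens before the final extension, final extension), lower-cased."""
    base = member.rsplit("/", 1)[-1].lower()
    if "." not in base:
        return [base], ""
    stem, final = base.rsplit(".", 1)
    tokens = [t for t in re.split(r"[^a-z0-9]+", stem) if t]
    return tokens, final


def inspect_zip(data: bytes) -> list:
    """One Finding per archive member that looks like a disguised executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            tokens, final = _name_parts(info.filename)
            reasons = []
            if final in EXECUTABLE_EXTS:
                reasons.append(f"executable extension .{final}")
                if any(t in DECOY_WORDS for t in tokens):
                    reasons.append("document-style name on an executable")
            # Look at the bytes, not just the name: a renamed PE still starts
            # with the "MZ" DOS stub.  Only two bytes are read, so a large or
            # hostile member cannot blow up memory here.
            with zf.open(info) as fh:
                magic = fh.read(2)
            if magic == b"MZ":
                reasons.append("PE/MZ header")
                if final not in EXECUTABLE_EXTS:
                    reasons.append(f"PE content behind .{final or '(none)'} extension")
            if reasons:
                findings.append(Finding(info.filename, reasons))
    return findings


def is_suspicious(data: bytes) -> bool:
    return bool(inspect_zip(data))


def build_sample_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: a stub DOS header stands in for the real payload.
FAKE_PE = b"MZ" + b"\x00" * 58 + b"This program cannot be run in DOS mode.\r\n"
LURE_ZIP = build_sample_zip({"pdf_information_about_your_parcel.exe": FAKE_PE})
RENAMED_ZIP = build_sample_zip({"parcel_details.pdf": FAKE_PE})   # PE hiding as a PDF
CLEAN_ZIP = build_sample_zip({"parcel_details.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"})

if __name__ == "__main__":
    for label, blob in (("lure", LURE_ZIP), ("renamed", RENAMED_ZIP), ("clean", CLEAN_ZIP)):
        for f in inspect_zip(blob):
            print(label, f.member, "->", "; ".join(f.reasons))
```

Nested archives and password-protected zips (which `ZipFile.open` will refuse without a password) are not walked here; a mail gateway would treat an unreadable member as a finding in its own right rather than letting it through.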
  11. elvis

    elvis OCAU's most famous and arrogant know-it-all

    Joined:
    Jun 27, 2001
    Messages:
    46,809
    Location:
    Brisbane
    They don't need to. They've netted a tonne of cash from moron users opening this thing up.

    Honestly, I know it's not *real* security, but thank the good lord we run Linux and Mac on our production network, and not Windows. Just since dumping Windows alone, we've dropped to zero incidents of malware infection in the last 2 years.

    Users still do stupid things. But now we get support calls like "How do I run $RANDOM_EXE I downloaded in WINE?", to which IT respond: "Don't".
     
  12. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,678
    They are setting the bar way too high :).

    I almost put infecting myself in the too-hard basket when I failed the captcha and it wouldn't download for me.
     
  13. Cubix

    Cubix Member

    Joined:
    Apr 15, 2011
    Messages:
    110
    Saw some of these Auspost ones caught today, as well as a few UPS ones, and also a nondescript online bank advising of a $2xxx.xx deposit being made and to click on the link to see the payment details.
     
  14. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,678
    I've seen a stack being blocked from *.sa.gov.au addresses. It looks like they have exhausted all the idiots in the Eastern states, and have shifted to sleepy Adelaide.
     
  15. slavewone

    slavewone Member

    Joined:
    Jul 9, 2002
    Messages:
    2,196
    Location:
    B.Mtns2774 Status:Unhappy
    I got one from the "fax machine" today asking me to open a .zip, when I know our fax sends multi-page TIFFs and isn't smart enough to zip or forward them (it comes as a fwd from userx).

    Code:
    INCOMING FAX REPORT : Remote ID: 649-877-9664
    Incoming Fax <no-reply@dcfm.com.au>
    .
    .
    .
    faxmessage.zip (102kb)
    Date/Time: Tue, 16 Dec 2014 08:26:12 +0800
    Speed: 4702bps
    Connection time: 01:07
    Pages: 4
    Resolution: Normal
    Remote ID: 711-669-4168
    Line number: 1
    DTMF/DID:
    Description: Internal Docs
    
    Fax message attached in PDF format (Adobe Photoshop).
    
    As an aside, 67 seconds for 102kb is pretty good at 4702bps; must be compressed.
     
    Last edited: Dec 22, 2014
  16. Cubix

    Cubix Member

    Joined:
    Apr 15, 2011
    Messages:
    110
    Add the fact that it wouldn't carry your local domain name in the address.

    Our users are pretty good at detection now, after we have run a number of educational sessions on spam/malmail detection.
     
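The fax report quoted by slavewone carries several self-contradictions (two different Remote IDs, a zip where a fax server would send page images, "PDF format" in the text against a .zip attachment, and a 102kb transfer that 4702bps cannot complete in 67 seconds), and Cubix adds the foreign sender domain. Those checks are mechanical, so here they are as an added example, written for this thread and not taken from the original posts or any mail product. The sample message is reconstructed from the fields shown in the post, the benign comparison message is constructed, and the local domain example.com.au is an assumption.

```python
"""Indicators for a fake "incoming fax" notification of the kind quoted above.
Added example, not code from the original posts.  SAMPLE_LURE reproduces the
fields shown in the post; SAMPLE_BENIGN and the local domain are constructed."""
import re

ARCHIVE_EXTS = {"zip", "rar", "7z", "cab", "arj"}   # assumption: common archive types


def _seconds(mm_ss: str) -> int:
    m, s = mm_ss.split(":")
    return int(m) * 60 + int(s)


def analyse_fax_report(msg: str, local_domain: str) -> dict:
    """Return {flag: detail} for each indicator found; an empty dict means nothing odd."""
    flags = {}

    # 1. A real fax gateway forwards from the organisation's own domain
    #    (Cubix's point); anything else is a foreign sender.
    m = re.search(r"<([^<>@\s]+@([^<>\s]+))>", msg)
    if m and m.group(2).lower() != local_domain.lower():
        flags["foreign_sender"] = m.group(1)

    # 2. Subject line and body both name the calling station; a template
    #    that fills them with independent random values betrays itself.
    ids = set(re.findall(r"Remote ID:\s*([\d-]+)", msg))
    if len(ids) > 1:
        flags["remote_id_mismatch"] = sorted(ids)

    att = re.search(r"(\S+)\.(\w+)\s*\((\d+)\s*kb\)", msg, re.I)
    if att:
        ext, size_kb = att.group(2).lower(), int(att.group(3))
        # 3. Fax servers emit page images (TIFF/PDF), not archives.
        if ext in ARCHIVE_EXTS:
            flags["archive_attachment"] = f"{att.group(1)}.{ext}"
        # 4. The text promises one format while the attachment is another.
        fmt = re.search(r"attached in (\w+) format", msg, re.I)
        if fmt and fmt.group(1).lower() != ext:
            flags["format_mismatch"] = (fmt.group(1), ext)
        # 5. The report's own numbers: the stated line speed must be able to
        #    move the stated number of bytes within the stated connection time.
        speed = re.search(r"Speed:\s*(\d+)\s*bps", msg)
        conn = re.search(r"Connection time:\s*(\d+:\d+)", msg)
        if speed and conn:
            min_seconds = size_kb * 1024 * 8 / int(speed.group(1))
            if min_seconds > _seconds(conn.group(1)):
                flags["impossible_transfer_time"] = round(min_seconds)
    return flags


# Reconstructed from the fields shown in the post (the poster elided the middle).
SAMPLE_LURE = """\
INCOMING FAX REPORT : Remote ID: 649-877-9664
Incoming Fax <no-reply@dcfm.com.au>
faxmessage.zip (102kb)
Date/Time: Tue, 16 Dec 2014 08:26:12 +0800
Speed: 4702bps
Connection time: 01:07
Pages: 4
Resolution: Normal
Remote ID: 711-669-4168
Line number: 1
DTMF/DID:
Description: Internal Docs

Fax message attached in PDF format (Adobe Photoshop).
"""

# Constructed: what a consistent report from the organisation's own gateway looks like.
SAMPLE_BENIGN = """\
INCOMING FAX REPORT : Remote ID: 02-9000-0000
Incoming Fax <fax@example.com.au>
faxmessage.tif (38kb)
Speed: 14400bps
Connection time: 00:45
Pages: 4
Remote ID: 02-9000-0000
"""

if __name__ == "__main__":
    for label, msg in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        print(label, analyse_fax_report(msg, "example.com.au"))
```

Check 5 is the aside in the post made explicit: 102kb is 835,584 bits, which needs about 178 seconds at 4702bps, not 67. None of these five is proof on its own; the value is that a generated lure tends to trip several at once while a real gateway report trips none.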
  17. IACSecurity

    IACSecurity Member

    Joined:
    Jul 11, 2008
    Messages:
    760
    Location:
    ork.sg
    I read on a forum someplace that they are getting smashed atm. You can imagine how well it works when people get emails from other people in the same org, and there are 100,000 of them to phish each other with.
     
  18. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,678
    Might I trouble you for a link? The stuff I've seen *looks* to be using actual real employees in the from field. I'm curious as to whether said departments have been nailed, or if the people behind it have been farming real addresses from press releases and things, and are using them for the phish.
     
  19. callan

    callan Member

    Joined:
    Aug 16, 2001
    Messages:
    5,181
    Location:
    melbourne
    Over the past few days a metric fuckton of fake AustraliaPost bombs have been lobbing into the spambait account for our domain. The odd one has made it through to a legitimate email address, but I think we're pretty inured here.

    At Chez Callan I've taken precautions over the last month or so to ensure our automated backups are sufficiently "detached" from mapped network drives that they can't be overwritten by Crypto. (The file server backs itself up daily, it replicates at a different time to another server, that other server backs itself up, and they're timed so that any crypto attack would take 2 days to overwrite the backups - and neither the replicant server nor the backup drives are shared/remotely accessible.) Data is off-lined every week or so into a fireproof safe.
    I fear cryptolocker more than any other threat of late..

    Callan
     
    Last edited: Dec 22, 2014
  20. cbb1935

    cbb1935 Guest

    Might start to see this die down a little hopefully.

    Many of the files were hosted off the back of exploited WordPress sites.

    WordPress recently released a patch to resolve this specific issue (amongst a stack of other things).
     
