APT10 and Shadow Brokers: 5 things you need to know

By: Brett Cheloff

After learning of the latest operation by APT10 (Advanced Persistent Threat group 10), dubbed “Cloud Hopper”, technology solution providers (TSPs) around the world got quite the scare this past weekend thanks to The Shadow Brokers’ “Lost in Translation” leak. Multiple media sources, including CNN, PC World, and Ars Technica, reported that the leak contained numerous zero-day exploits, a claim Microsoft was quick to debunk.

However, the most thorough analysis came from security researcher Kevin Beaumont’s blog post on Medium, where he gave a brief rundown of each implant and exploit contained in the leak.

While this leak doesn’t contain any zero-day exploits for a “supported platform,” thanks to presumed communications between the National Security Agency (NSA) and vendors like Microsoft, it’s important for TSPs to treat it as a cautionary tale—both internally and with clients—and redouble efforts to minimize their attack surface.

Beyond the standard security precautions your business likely has in place, like educating users about phishing scams and the protections offered by different security solutions (e.g. anti-malware, backup, multi-factor authentication, and web and email filtering), it’s important to remember the basics—as they are often the first thing forgotten.

In light of this most recent scare, and the fact that these exploits are now readily available to APT10, here are some key takeaways to ensure your business and clients are protected:

1. Keep your systems patched

Vendors continually release patches to close security holes, but until a patch is installed, your system remains vulnerable. The most recent batch of patches from Microsoft to address these exploits was released on March 14, 2017. How many of your systems haven’t been patched in the past 30 days? With ConnectWise Automate®, you can use the Report Center’s Patch Stats Summary to find out (readily available in the Solution Center).
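For shops without a central patch report, the same question can be answered from PowerShell. The script below is an added example, not ConnectWise or Microsoft code: it pulls the most recent installed update from each host and flags any that has gone more than 30 days without one. It assumes remote WMI access to the targets (Get-HotFix reads Win32_QuickFixEngineering over DCOM), and the computer names are placeholders for your own inventory.

```powershell
# Added example (not ConnectWise or Microsoft code): report systems whose most
# recent Windows update was installed more than $MaxAgeDays ago.
# Assumes remote WMI access to each target; the host names are placeholders.
param(
    [string[]]$ComputerName = @('SERVER01', 'SERVER02', 'WORKSTATION17'),  # placeholders
    [int]$MaxAgeDays = 30
)

function Get-PatchAgeReport {
    param([string[]]$Computers, [int]$MaxAgeDays)

    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)

    foreach ($computer in $Computers) {
        try {
            # Get-HotFix reports what Win32_QuickFixEngineering knows about; a few
            # legacy entries carry no InstalledOn date and are dropped before sorting.
            # It omits updates that do not register as hotfixes (e.g. definition
            # updates), so treat the result as a floor, not a full patch inventory.
            $latest = Get-HotFix -ComputerName $computer -ErrorAction Stop |
                Where-Object { $_.InstalledOn } |
                Sort-Object InstalledOn -Descending |
                Select-Object -First 1

            [pscustomobject]@{
                ComputerName  = $computer
                LastPatchId   = $latest.HotFixID
                LastPatchDate = $latest.InstalledOn
                DaysSince     = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days } else { $null }
                Status        = if (-not $latest) { 'NO_PATCH_DATA' }
                                elseif ($latest.InstalledOn -lt $cutoff) { 'OVERDUE' }
                                else { 'OK' }
            }
        }
        catch {
            # Unreachable hosts are reported rather than skipped: a system you
            # cannot query is an unknown, not a patched one.
            [pscustomobject]@{
                ComputerName  = $computer
                LastPatchId   = $null
                LastPatchDate = $null
                DaysSince     = $null
                Status        = "UNREACHABLE: $($_.Exception.Message)"
            }
        }
    }
}

Get-PatchAgeReport -Computers $ComputerName -MaxAgeDays $MaxAgeDays |
    Sort-Object Status, DaysSince -Descending |
    Format-Table -AutoSize
```

Run it as `.\Get-PatchAge.ps1 -ComputerName (Get-Content .\hosts.txt) -MaxAgeDays 30` to feed it a host list; anything marked OVERDUE, NO_PATCH_DATA or UNREACHABLE deserves a follow-up before it is counted as protected.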

2. Migrate off unsupported operating systems

Vendors only release patches for products they still support. And while this leak didn’t contain any zero-day exploits for a “supported platform,” three (3) confirmed zero-days specifically target Windows Server 2003 and XP—for which Microsoft ended support several years ago and ConnectWise ended support a couple of weeks ago. Unfortunately, 66% of ConnectWise partners still support one or more Server 2003 systems and 71% still support Windows XP. If you haven’t already, it’s time to discuss how to address these systems and the risks they pose.

3. Disable legacy protocols

Server Message Block (SMB) is a good example: over 30% of the exploits in this leak target early versions of the SMB protocol. Microsoft has said to stop using SMB1. The United States Computer Emergency Readiness Team (US-CERT) has said to disable SMB1 and block its ports. And with Windows Server 2016, SMB 2+ using NetBIOS over TCP (NetBT) has been deprecated. Microsoft goes the extra mile by publishing charts that help administrators understand which protocol versions are needed in their environment(s) (see section 4), but it may be time to disable SMB altogether and investigate a Data Management / File Sync and Share solution.
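Before pulling SMB1, it pays to see who is still speaking it. The script below is an added example, not ConnectWise or Microsoft code: it audits SMB1 on a Windows 8.1 / Server 2012 R2 or later host, lists any peers whose live sessions negotiated a 1.x dialect (the devices that will break), and, only when asked, disables SMB1 on both the server and client side and adds a host firewall rule for the SMB and NetBIOS ports US-CERT recommends blocking. The client-side `sc.exe` sequence is Microsoft’s documented one; the rule names are my own.

```powershell
# Added example (not ConnectWise or Microsoft code): audit SMB1 on a Windows 8.1 /
# Server 2012 R2 or later host and, with -Remediate, turn it off on both the server
# and client side; -BlockSmbPorts adds a Windows Firewall rule for the SMB/NetBIOS
# ports US-CERT recommends blocking. Run from an elevated PowerShell session.
# Without switches the script only reports, which is the safe first run.
param(
    [switch]$Remediate,
    [switch]$BlockSmbPorts
)

function Get-Smb1Status {
    # Server side: does this host still accept SMB1 connections?
    $serverEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # Client side: mrxsmb10 is the SMB1 redirector driver. Start = 4 means Disabled,
    # so this host can no longer be downgraded to SMB1 by a server it talks to.
    $clientStart = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' -Name Start -ErrorAction SilentlyContinue).Start

    # Live sessions negotiated at a 1.x dialect are the devices (old NAS boxes,
    # printers, XP/2003 hosts) that will break when SMB1 is removed: find them first.
    $smb1Peers = Get-SmbSession -ErrorAction SilentlyContinue |
        Where-Object { "$($_.Dialect)" -like '1.*' } |
        Select-Object -ExpandProperty ClientComputerName -Unique

    [pscustomobject]@{
        Smb1ServerEnabled  = $serverEnabled
        Smb1ClientDisabled = ($clientStart -eq 4)
        ActiveSmb1Peers    = @($smb1Peers)
    }
}

function Disable-Smb1 {
    # Stop offering SMB1 to clients.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

    # Stop the client from negotiating SMB1 (Microsoft's documented sc.exe sequence:
    # drop mrxsmb10 from the workstation service's dependencies, then disable it).
    sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    sc.exe config mrxsmb10 start= disabled | Out-Null

    # Remove the SMB1 binaries where the platform exposes them as a feature;
    # each cmdlet only exists on the SKU it applies to, hence the Get-Command checks.
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
    }
    if (Get-Command Remove-WindowsFeature -ErrorAction SilentlyContinue) {
        Remove-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue | Out-Null
    }
}

function Block-SmbPorts {
    # Host-level backstop for the US-CERT advice to block SMB/NetBIOS at the boundary.
    # On a file server, scope the TCP 445 rule with -RemoteAddress to the subnets that
    # are allowed to reach it instead of blocking outright.
    $rules = @(
        @{ Name = 'Block inbound SMB (TCP 139,445)';     Protocol = 'TCP'; Port = @('139', '445') },
        @{ Name = 'Block inbound NetBIOS (UDP 137,138)'; Protocol = 'UDP'; Port = @('137', '138') }
    )
    foreach ($r in $rules) {
        if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Protocol $r.Protocol `
                -LocalPort $r.Port -Action Block -Profile Any | Out-Null
        }
    }
}

$before = Get-Smb1Status
Write-Output 'SMB1 status before:'
$before | Format-List

if ($Remediate -and $before.ActiveSmb1Peers.Count -gt 0) {
    Write-Warning "Peers still using SMB1: $($before.ActiveSmb1Peers -join ', '). They will lose access once SMB1 is disabled."
}
if ($Remediate)     { Disable-Smb1 }
if ($BlockSmbPorts) { Block-SmbPorts }
if ($Remediate -or $BlockSmbPorts) {
    Write-Output 'SMB1 status after (the client-side change takes effect after a reboot):'
    Get-Smb1Status | Format-List
}
```

Run it once with no switches across the fleet and collect the ActiveSmb1Peers column; that list is the migration backlog. Only when it is empty (or the remaining devices are accepted as write-offs) run `-Remediate`, and reserve `-BlockSmbPorts` for hosts that do not serve files, since the unscoped TCP 445 rule will stop legitimate file sharing too.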

4. Implement network segmentation

Even the most educated user can get infected with malware that will try to replicate itself across the network. The most direct way to mitigate this risk is to isolate the infected machine, but isolation after the fact is rarely effective, which is why designing your network with segmentation in mind is so important. If you’re unfamiliar with network segmentation, the SANS Institute provides excellent whitepapers on Designing a Secure Local Area Network and Secure Network Design.

5. Get it in writing

In spite of your best efforts, certain clients just will not approve the work needed to address some of these issues. Downtime-sensitive clients may insist on quarterly patching. Price-sensitive clients will want in-place upgrades, but won’t approve the required hardware, and will fail to see the value in redesigning the network or switching from shared drives to a Data Management solution. Regardless, as a TSP, you need to make clients aware of the risks while protecting your business should they refuse to address them, so get it in writing. Put together a formal Risk Assessment for each client to sign, listing out the issues, risks, and resolution options. That way, if or when a breach occurs, the right people are held responsible. Again, the SANS Institute provides a great whitepaper, Introduction to Information System Risk Management, that will help you get started (see section 6.3 and figure 6).

ConnectWise encourages all TSPs and channel vendors to read the APT10 report and Kevin Beaumont’s assessment of the Shadow Brokers’ leak, as the potential for questions from clients is high and the opportunity for an open and frank security discussion is higher.