Your browser is obsolete!

The page may not load correctly.

Unexpected guests

Незваные гости

Other issues in this category (70)
  • add to favourites
    Add to Bookmarks

Betrayed by a file archiver

Read: 27018 Comments: 9 Rating: 16

Tuesday, June 9, 2020

"Aren't you afraid of your file archiving application?" Many people will probably be startled by this question: "Of course I'm not. Having the system infected with encryption ransomware may indeed be scary. But how can an archiver program be dangerous?"

This is a support request received by Doctor Web the other day:

As a result of a malware attack, a portion of my data has been placed in a password-protected archive.

From a request submitted to the Doctor Web support service

The good-for-nothing anti-virus failed and allowed the attack to happen. But, in reality, it turned out that.

Most likely, the intruder mounted a brute force attack and cracked a user account password to gain unauthorised RDP access (or establish a terminal session).

Then they launched a legitimate data compression program, added files to an archive and entered a strong archive password manually.

From a request submitted to the Doctor Web support service

No malware was involved in the attack.

It was about a weak password and a legitimate file archiver—and that proved to be enough for the user to lose their data. Meanwhile, the intruder took care to set a strong password.

Our regular readers know that legitimate programs are often used in attacks. The incident we've just described is by no means unique. An operating system has everything an attacker may need. And that includes encryption software.

And no anti-virus will respond to the action if data is being removed on the user's behalf using legitimate software. How can an anti-virus tell that someone else is doing it?

#firewall #backup #VCIs #data_loss_prevention #corporate_security #patch

The Anti-virus Times recommends

Set strong passwords for all user accounts under all operating systems you use (at least eight character, using lower- and uppercase characters as well as digits and symbols.)

Block the unused user accounts.

Enable a security policy that will not allow users to set weak passwords and define a password expiry date. This will prevent attackers from using leaked credentials that may have been used on a compromised computer. Password policies are configured using the GPO (Group Policy Objects): Computer Configuration → Windows Settings → Security Settings → Account Policies → Password Policy.

Use the Account Lockout Policy (also accessible via the GPO) to define how many times an incorrect password can be entered before the account gets locked. Doing so will prevent attackers from cracking passwords.

Enable automatic updates and install all available updates. First, ensure the security update MS17-010 is installed.

Use the firewall to ensure a remote connection can only be established for specific addresses.

If other hosts connect to the machine remotely, change the default listening port for RDP connections. You can do this by modifying the registry.

Use protection against port scan attacks and audit your services that use network connectivity and make them inaccessible outside your infrastructure.

Consider revising your RDP access policy by making Remote Desktop connections possible only over an encrypted tunnel and ensure your servers are accessible from other networks only via a VPN tunnel.

Only use the current version of Dr.Web software -- Version 12 is the latest.

If you use a corporate anti-virus solution, take advantage of the application control feature. It lets you configure a list of allowed and blocked applications (the programs permitted to launch and those that aren't), further enhancing your infrastructure's security.

When you're online, never toggle off the file monitor SpIDer Guard or the preventive protection.

To prevent anti-virus components from being disabled, protect your anti-virus settings with a password. The anti-virus settings password and user account password must not match. To learn how you can protect anti-virus settings with a password in a corporate Dr.Web solution, please refer to the documentation.

Do not permit users in your network to disable the anti-virus's components or modify its settings. In corporate Dr.Web solutions, user permissions can be changed in the Control Center: go to Anti-virus Network →, select a host or a group and click → Permissions.

If a computer is connected to the Internet, the anti-virus must be updated at least once an hour. Ensure virus database updates are being downloaded and installed.

Don't overuse scan exceptions: do not add folders containing temporary files and application files to the list.

Attackers often disguise malicious executables by adding a fake .doc extension to file names. Disable the option to hide extensions for known file types. This way you will always see what kind of file you are opening. Go to Start → Control Panel → Folder Options → View → and clear the Hide extensions for known file types checkbox.

Back up your valuable information regularly to media on which no data can be written from the system where the original files are stored.

Enable the security audit policy on the Windows servers being accessed from the Internet (Local security policy → Local Policies → Audit Policy) and analyse security logs regularly to promptly discover attempts at gaining unauthorised access to the system and take action. You can find detailed information about security audit events here.

And one last thing. The situation we've described above may be part of a planned attack on your infrastructure. Doctor Web is always ready to assist organisations in investigating malware-related incidents.

To find out more, visit this page.

[Twitter]

Tell us what you think

To leave a comment, you need to log in under your Doctor Web site account. If you don't have an account yet, you can create one.

Comments