Webcheck Security has access to several Ex-NSA analysts in its managed threat hunting department. The following advice concerning the recent Solarwinds attack has been given from one of these key analysts. We recommend reaching out to us to set up a time to discuss the implications for your organization.

First, we recommend quarantining any vulnerable SolarWinds product from your network and if possible, take a forensic image to investigate for any indication of compromise before updating to the latest version. Reimaging all OS’s hosting instances of SolarWinds is recommended. Second: Reset all credentials used by the SolarWinds software and make sure there is a rotation policy for these accounts and enforce long, complex passwords. After quarantining and/or re-imaging, search through your network logs for any device that has called out to specific domains used as command and control servers: zupertech[.]com panhardware[.]com databasegalore[.]com incomeupdate[.]com highdatabase[.]com websitetheme[.]com freescanonline[.]com virtualdataserver[.]com deftsecurity[.]com thedoccloud[.]com digitalcollege[.]org globalnetworkissues[.]com seobundlekit[.]com virtualwebdata[.]com kubecloud[.]com lcomputers[.]com solartrackingsystem[.]net virtualdatacenter[.]com webcodez[.]com ervsystem[.]com (teardrop) infinitysoftwares[.]com (teardrop) Moving forward, we strongly recommend using an Intrusion Detection System(IDS) with the latest snort/suricata signatures that can detect this threat actor and others. FireEye has published these detection signatures here: https://github.com/fireeye/sunburst_countermeasures/blob/main/all-snort.rules There are also excellent Endpoint Detection and Response(EDR) software solutions that can detect and block these SolarWinds exploits as well as thousands of other signatures and signature-less attacks based on malicious behavior.

To set up a time to discuss enhancing your cyber security posture, please reach out to us at getintouch@WebcheckSecurity.com

By Greg Johnson, CEO Webcheck Security

Recently, the US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal

Bureau of Investigation (FBI) posted this notice: US think tank organizations were being

targeted by advanced persistent threat (APT) actors. The resultant list of mitigations, though directly suggested to strengthen the affected orgs’ cyber posture, applies equally to most businesses. The mitigations, or controls as most would call them, are divided into three categories: Leaders, Users/Staff, and IT Staff/Cybersecurity Personnel.


The first mitigation, and in fact the only one suggested for the Leaders category, was

the implementation of a cyber awareness training program. Such a program is critical to stave off the onslaught of vishing and phishing success which fraudsters are perpetrating.

Minutes ago I was on a call with a large organization hit by a fraudster in an email and voice call

scam. The bad actor had gained root access to the unsuspecting user’s machine, spanning a

couple of hours. Finally the user realized he was being taken and notified IT, who immediately

“pulled the plug” by disconnecting from all network sources and initiated a forensic

investigation with our team.

Fortunately, no access to other servers was apparent and very little data of consequence

exfiltrated, but a few minutes more on the network and the results, including ransomware and

other malware introduction, might have been disastrous. The moral here is to take CISA

seriously – implement a training program!


Next, CISA recommends the following six controls which in my mind are foundational and should be had in all organizations:

1) Log off remote connections when not in use.

2) Be vigilant against tailored spearphishing attacks targeting corporate and personal

accounts (including both email and social media accounts).

3) Use different passwords for corporate and personal accounts.

4) Install antivirus software on personal devices to automatically scan and quarantine

suspicious files.

5) Employ strong multi-factor authentication for personal accounts, if available.

6) Exercise caution when: 

-Opening email attachments, even if the attachment is expected and the sender appears to be known. See Using Caution with Email Attachments.

-Using removable media (e.g., USB thumb drives, external drives, CDs).

IT Staff/Cybersecurity Personnel

Finally, these controls will help round out a more robust cyber security program, especially if documented into policy and put into practice:

-Segment and segregate networks and functions.

-Change the default username and password of applications and appliances.

-Employ strong multi-factor authentication for corporate accounts.

-Deploy antivirus software on organizational devices to automatically scan and

quarantine suspicious files.

-Apply encryption to data at rest and data in transit.

-Use email security appliances to scan and remove malicious email attachments or links.

-Monitor key internal security tools and identify anomalous behavior. Flag any known

indicators of compromise or threat actor behaviors for immediate response.

-Organizations can implement mitigations of varying complexity and restrictiveness to

reduce the risk posed by threat actors who use Tor (The Onion Router) to carry out

malicious activities. See the CISA-FBI Joint Cybersecurity Advisory on Defending Against

Malicious Cyber Activity Originating from Tor for mitigation options and additional


-Prevent exploitation of known software vulnerabilities by routinely applying software

patches and upgrades. Foreign cyber threat actors continue to exploit publicly

known—and often dated—software vulnerabilities against broad target sets, including

public and private sector organizations. If these vulnerabilities are left unpatched,

exploitation often requires few resources and provides threat actors with easy access to

victim networks. Review CISA and FBI’s Top 10 Routinely Exploited Vulnerabilities and

other CISA alerts that identify vulnerabilities exploited by foreign attackers.

-Implement an antivirus program and a formalized patch management process. Block certain websites and email attachments commonly associated with malware (e.g. .scr, .pif, .cpl, .dll, .exe).

-Block email attachments that cannot be scanned by antivirus software (e.g. .zip files).

-Implement Group Policy Object and firewall rules.

-Implement filters at the email gateway and block suspicious IP addresses at the firewall.

-Routinely audit domain and local accounts as well as their permission levels to look for

situations that could allow an adversary to gain wide access by obtaining credentials of a

privileged account.

-Follow best practices for design and administration of the network to limit privileged

account use across administrative tiers.

-Implement a Domain-Based Message Authentication, Reporting & Conformance

(DMARC) validation system.

-Disable or block unnecessary remote services.

-Limit access to remote services through centrally managed concentrators.

-Deny direct remote access to internal systems or resources by using network proxies,

gateways, and firewalls.

-Limit unnecessary lateral communications.

-Disable file and printer sharing services. If these services are required, use strong

passwords or Active Directory authentication.

-Ensure applications do not store sensitive data or credentials insecurely.

-Enable a firewall on agency workstations, configured to deny unsolicited connection


-Disable unnecessary services on agency workstations and servers.

-Scan for and remove suspicious email attachments; ensure any scanned attachment is

its "true file type" (i.e., the extension matches the file header).

-Monitor users web browsing habits; restrict access to suspicious or risky sites. Contact

law enforcement or CISA immediately regarding any unauthorized network access


Many organizations have the governance and IT support to implement all of the mitigations

listed above, but many don’t. Webcheck Security not only has partnerships with wonderful IT

augmentation groups but can lease a CISO or what is called a Fractional Information Security

Officer (FISO) to guide the prioritization, policy and implementation of the above initiatives. For

more information, please contact Webcheck Security at GetInTouch@webchecksecurity.com

31 views0 comments

If you’re a managed service provider (MSP) or IT provider/consultancy, a surfing analogy may apply to you! A friend of mine recently described a return to surfing. He was frustrated to note that a few decades and pounds past his glory days, he had a hard time catching the waves. He said they would just roll by and leave him in the dust. So, he adapted and did some body surfing, then knee surfing for a while, re-acquainting himself with balance and timing. 

Similarly, we find that many MSPs are “missing the wave” by leaving revenue on the table and not catching the cybersecurity surf. For a long time, businesses across Corporate America have tried to rely upon their own IT Departments in order to meet both their technological and security needs.  While this may serve its purpose, the world today is fast evolving into something that has never been imagined before – primarily fueled by the COVID19 pandemic.  

Rather than simply deploying the latest and greatest security tools/technologies and walking away until something goes wrong, the MSP of 2020 is trying to help their clients adopt a proactive mindset to Cybersecurity, including “leasing” them a CISO through partner companies like Webcheck Security.  

Webcheck calls this FISO, or Fractional Information Security Officer, services. This involves the creation of plans that will help businesses greatly mitigate the chances of being hit by a security breach.  We are all at risk of becoming a victim, there is no question about that.  But the key here is what are the necessary steps a business can take so that the statistical odds of being impacted in the first place are as low possible?

According to Earl Foote, the CEO & Founder of Nexus IT Consultants of Salt Lake City, Utah, for an MSP to make the transition from the break- fix model to one which provides a long-term relationship with the client takes a fundamental mind shift.  In other words, it takes a huge cultural change in which the MSP has to align their value proposition with the needs of the customer.  

The MSP must make themselves an extension of the customer and fulfill all of their contractual obligations.  For Nexus IT Consultants, this has been very easy to do with Webcheck Security, as they have been able to offer various Penetration Testing and FISO services to Nexus clients in meeting their compliance needs.

As CEO Earl Foote has summed it up:

Working with Greg and his Team at WebCheck Security has been a refreshing experience that has allowed us to add a stable, responsive, value-added offering to our client relationships.  Finding a reliable pen-testing and accredited auditing partner in our local market has been challenging.  

We are an organization that prides ourselves on our white-glove, high-touch client care approach.  Greg and his team have dovetailed nicely into those ideals and take very good care of our clientele.

 Adding WebCheck’s pen-testing, auditing and consulting services to our lineup of offerings has enhanced and solidified client relationships and provided for an additional revenue stream that naturally fits into our model of cybersecurity and compliance centric solutions.”

By partnering with Webcheck Security, the MSP can offer the following services to instill that proactive mindset for your clients, and to keep up the differential advantage:

FISO Services:

Fractional Information Security Officer, or leasing a “CISO”, ensures the company has governance, prioritized cyber alignment with business risks and objectives, and the business model. The FISO can attend vendor and client meetings where an understanding of security posture must be discussed. FISOs can also serve to augment or fill Risk and Compliance Officer roles, ensuring that corporations are adequately prepared for annual SOC 2, PCI, HIPAA, NIST, HITRUST, ISO 27001 or other audits or compliance. 

Penetration Testing:

This is the only sure-fire way to know what the unknown vulnerabilities, gaps, and weaknesses are in your client’s IT and Network Infrastructure.  In many ways, this is like conducting an angiogram on the heart.  You simply do not know where the blockages lie in the coronary arteries until you inject dye into them.  The Webcheck team is made up of top-notch Pen Testers, with years of experience.  Not only do they have the technical knowledge to quickly ascertain what is wrong, but they also have the needed business acumen to convey solutions to the client so that it is very easy to understand, and that can be deployed in just a matter of a few hours.  

Data Privacy:

Let’s face it, this is a hot button topic that is never going away.  It is going to be around for a long time to come. Now, more than ever before, consumers across the United States and even the European Union, have the powers to get answers as to what is being done with Personal Identifiable Information (PII) datasets.  This has been primarily brought on by the recent passages of both the GDPR and the CCPA.  Not only can consumers ask questions, but businesses can face audits at a whim and face some very hefty fines and penalties if they are not found to be in compliance.  Organizations of all types want to know how they can avoid all of this. Many MSPs really do not offer these compliance services, but at Webcheck Security, we can offer this to you! This will give you a huge differential advantage amongst other MSPs when it comes to your cybersecurity offerings.  

Digital Forensics:

After a Cyberattack has occurred, one of the first questions that gets asked is:  “How did this happen???”  This can only be truly answered by conducting a deep dive analysis, and this is where Digital Forensics comes into play.  Many MSPs do not offer these kinds of investigative services, but at Webcheck Security we offer them, and can also extend this to your practice as well.  We do, not only the investigative piece, but we also help you to write up a report for your client. This report answers not only how exactly the breach precipitated in the first place, but steps that they can take to help mitigate the possibilities of it happening again.

The move to the Cloud:

As mentioned at the very beginning of this article, with the advent of the Remote Workforce, many businesses are now starting to deploy their entire IT and Network Infrastructures into leading Cloud platforms such as those of the AWS and Microsoft Azure.  Many MSPs today help their clients migrate their current On Prem assets here, but where they often fail is that they neglect to make sure all is secure.  The fallacy in this thinking is the Cloud providers will do all of this. While they do offer a huge plethora of security tools that your client can use, the bottom line is that they are not accountable for anything that may go wrong. It is your client’s ultimate responsibility to do this!!!  This is yet one more area in which MSPs have not filled in their piece of their Cybersecurity pie. At Webcheck Security, we can offer this huge slice to you, by conducting quarterly security assessments of your client’s Cloud deployments.

In Summary, don’t miss the wave! IT Providers and MSPs can find solid partners to deliver the cyber services which they don’t. Some of it, such as recurring FISO services, can also provide a monthly billing opportunity add value and great “relationship cement” or stickiness with customers. 

23 views0 comments
Fill out this form and tell us how we may serve you!