Posts made by Fredtx
-
RE: AVG deleting data
I did not find any logs that show the files being removed. I did find logs that show when AVG reported the disk space was less than what it was that morning. It appears Scan Reports are not enabled by default, though, which is a setting you must enable. This one was not. I also found we have a 3rd instance of this happening to another customer. The tech removed AVG with the removal tool. Then, boom. Files are all gone. We are trying to mitigate the problem in our lab. Hopefully we find out something.
-
RE: AVG deleting data
@IRJ said in AVG deleting data:
Are you seeing logs to confirm AVG is actually deleting the files?
It's assumed it's AVG by the team based on these 2 instances. This kind of got handed over to me to investigate what the root cause might be. I ran MB and Mbam to see if it's a possible virus, but nothing. I'm searching through the logs in the program data folder to see if there's anything eye-opening.
-
AVG deleting data
I know AVG is not a very good product. However, we use the antivirus for several of our customers. We found 2 cases where AVG completely removed most, if not all files from a drive. It appears to leave the directories, but deleted most of the files in the directories. Looks like the files get deleted when it's either installed/removed, and is rebooted afterwards. After reboot, files are gone. Happened for a workstation and a server, which were 2 different customers. Any thoughts or a similar experience?
-
RE: Windows 7 Cannot Update
Stop the Windows Update service. Delete everything in the SoftwareDistribution directory. Start the WU service back up. Try again.
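The same three steps as a script, added here as an example and not taken from the post above. It assumes an elevated PowerShell prompt on the affected machine and the standard `%SystemRoot%\SoftwareDistribution` location; the 60-second wait is an assumed value.

```powershell
# Added example: reset the Windows Update download cache as the post describes.
# Run from an elevated PowerShell session. The SoftwareDistribution path is the
# standard location; nothing here is specific to the poster's machine.
$svc  = 'wuauserv'
$dist = Join-Path $env:SystemRoot 'SoftwareDistribution'

# Step 1: stop the Windows Update service and wait until it is actually stopped,
# otherwise the cache files are still locked.
Stop-Service -Name $svc -Force
(Get-Service -Name $svc).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

# Step 2: remove the cached downloads and metadata, keeping the folder itself.
# Errors on individual files are reported but do not abort the run.
Get-ChildItem -Path $dist -Force | Remove-Item -Recurse -Force -ErrorAction Continue

# Step 3: start the service again and show its state before retrying the update.
Start-Service -Name $svc
Get-Service -Name $svc | Select-Object Name, Status
```

The folder is rebuilt by the service on the next update check, so removing its contents is safe; only the download history is lost.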
-
RE: Wide ransomware virus infection sourced from 3rd party IT's remote agents.
@scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:
@Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:
@scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:
@Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:
@scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:
@Fredtx how did it get determined that it was their agents that did it and not just a coincidence or something?
We received several support calls from the whole Oregon area and that was one of the common denominators for all the computers that were infected with that variant. I, for one, did not work with the customer, but that's what our techs saw and found. Tbh, I'm trying to understand how that could happen when most ransomware cases involve a self-executable file.
So many different MSPs, but they all shared one tool?
It was only one MSP (PM Consultants) whose agent spread the infection to their own customers. Their customers called our support desperate for help.
What agent was it? Knowing which program was compromised is a big deal, those agents are hosted by the vendor 99% of the time.
I was told it was Connect Wise.
-
RE: Wide ransomware virus infection sourced from 3rd party IT's remote agents.
@scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:
@Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:
@scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:
@Fredtx how did it get determined that it was their agents that did it and not just a coincidence or something?
We received several support calls from the whole Oregon area and that was one of the common denominators for all the computers that were infected with that variant. I, for one, did not work with the customer, but that's what our techs saw and found. Tbh, I'm trying to understand how that could happen when most ransomware cases involve a self-executable file.
So many different MSPs, but they all shared one tool?
It was only one MSP (PM Consultants) whose agent spread the infection to their own customers. Their customers called our support desperate for help.
-
RE: Wide ransomware virus infection sourced from 3rd party IT's remote agents.
@WLS-ITGuy said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:
@Fredtx said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:
@scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:
@Fredtx how did it get determined that it was their agents that did it and not just a coincidence or something?
We received several support calls from the whole Oregon area and that was one of the common denominators for all the computers that were infected with that variant. I, for one, did not work with the customer, but that's what our techs saw and found. Tbh, I'm trying to understand how that could happen when most ransomware cases involve a self-executable file.
If it was a vulnerability in the agent wouldn't that fall on the responsibility of the MSP's software vendor?
Good point. I also wonder if they were using 2 way authentication as it provides another layer of security.
-
RE: Wide ransomware virus infection sourced from 3rd party IT's remote agents.
@scottalanmiller said in Wide ransomware virus infection sourced from 3rd party IT's remote agents.:
@Fredtx how did it get determined that it was their agents that did it and not just a coincidence or something?
We received several support calls from the whole Oregon area and that was one of the common denominators for all the computers that were infected with that variant. I, for one, did not work with the customer, but that's what our techs saw and found. Tbh, I'm trying to understand how that could happen when most ransomware cases involve a self-executable file.
-
Wide ransomware virus infection sourced from 3rd party IT's remote agents.
Huge crisis for PM Consultants as several of their customers were infected with ransomware through their agents. Hope they have a good lawyer.
-
RE: Is a virtual firewall (router) more secure than a physical firewall?
Thanks everyone for y'all's input as I value the knowledge. This all makes perfect sense. I was just chatting with my colleagues about these details and they are making sense of it too.
-
RE: Is a virtual firewall (router) more secure than a physical firewall?
I should have been a little more specific. This customer once had a physical Watchguard router, which will now be a virtual Watchguard hosted on their hypervisor via Hyper-V. I never really hear about virtual router implementations, which is why I'm a little confused why our group decided to implement this way of routing their traffic. I imagine it's cost saving, since you would only have to pay for the license and not the hardware from Watchguard.
-
Is a virtual firewall (router) more secure than a physical firewall?
We have decided to implement virtual firewalls, which will be hosted by a Windows Server 2016 via Hyper-V. The hypervisor will also host the DB and DC. However, the firewall will be configured with its own dedicated NIC on the hypervisor. We're having some discussions on the pros and cons. One of them would be that there is a single point of failure: if the hypervisor were to go down, they would then lose internet. Any other pros and cons that you know of? Would it be more secure this way?
-
Ethical vs Legal for user mailboxes
Email can be a very private application that users use on a daily basis. Would it be ethical or even legal if upper management were to make a request to have all emails forwarded to them for a specific user? I feel like that would be invading a user's privacy, but I also feel all the data (emails) belongs to the company and they can access it as desired. Any thoughts on this?
-
RE: What Are You Drinking
Drinking a NEIPA made with strawberries called Queen To Be from Turning Point Brewery from Bedford, TX. Delicious.
-
RE: What Are You Drinking
@scottalanmiller I've been drinking the NEIPAs (New England Style IPAs) lately. They're very good and don't have the extreme bitterness that most traditional IPAs do.
-
RE: What Are You Drinking
@scottalanmiller How was that IPA? I found a local brewery in Bedford, TX called Turning Point Beer. They have some awesome NEIPAs.
-
RE: What Are You Drinking
Yellow Rose Smash IPA made by Lone Pint Brewery from Magnolia, TX.
-
RE: How did you get started in IT?
I was 26 and working in a warehouse (I had been in different warehouse jobs since I was 18). My work computer's OS was corrupted and bogged down (XP) and I had to ship it to corp to get it reloaded. I was fascinated by how it was completely restored. I spoke to the IT guy on the phone about what he did to fix it. I told him I wanted to learn how to do that. He gave me the fundamentals on what to study. I checked ITT Tech out and gladly ditched them due to the cost. Took courses at a local community college (paid for by my company), started doing computer repair on the side, including anything my manager had me do internally. Our company was outsourcing our work to Germany and was soon to close down, and our IT guy said I should apply for an IT job. I said I can't, because I don't have experience. He said what you've been doing is experience, put it on your resume. I did, and got a help desk position in a Fortune 500 company. I've been in my company for 3 years and have advanced my tech and communication skills tremendously. So glad I didn't go to ITT Tech!
-
RE: Is Spectrum's modem really bridged?
@scottalanmiller said in Is Spectrum's modem really bridged?:
This means that management is clueless and is working from "security theater." They don't understand what happened and instead of securing the system are trying to make a show of "changing things" without really securing anything.
A lot of it is politics and liability reasons. There are a lot of limits on what we "can" and "can't" do when it comes to providing solutions for our customers. One of the reasons why I'm here in this community is to look at things from "outside" the box and hopefully utilize the knowledge I gain from a group of IT professionals and implement it in my current job or somewhere else, wherever the rabbit hole takes me (red pill).
-
RE: Is Spectrum's modem really bridged?
@scottalanmiller said in Is Spectrum's modem really bridged?:
@Fredtx said in Is Spectrum's modem really bridged?:
Define hacked? How would they hack RDP but not a VPN, since RDP has a VPN already. Not that RDP is infallible, but there is no known public vulnerability to its security, and any that it would have would affect many VPNs that share technology with it.
I would say hacking is when an unauthorized user gains access to a computer or network. In this case, there was a successful brute force attack. While I understand there are many other security mistakes that allowed this to happen, the fact is they gained access through a port forwarding rule to the server that someone set up for the customer so they didn't have to use a VPN. Instead the customer used RDP to the external IP with the specified port. Per management, no one is allowed to open ports for RDP on any customer's router. So I'm just trying to find a workaround.