Cloud Firewall: Best practices to defend against worms from C&C servers

Last Updated: Apr 18, 2025

Worms are a major threat to services in the cloud. Worms exploit server vulnerabilities to spread over networks and carry out malicious operations on compromised servers. Worm attacks pose serious threats to the assets and business of users. Cloud Firewall provides layered defense against the attack chains of worms and can detect and intercept a variety of worms. Cloud Firewall also dynamically updates and expands its capabilities to detect and intercept new worms based on threat intelligence from the cloud. This topic describes how to defend against worms from C&C servers.

Impact of worms

The following issues may occur due to worm attacks:

  • Service interruption: Worms may carry out malicious operations, such as modifying configurations or terminating services, on compromised servers. This may cause risks, such as server breakdown or service interruption.

  • Information theft: Worms that aim to steal information compress data on compromised servers and send the compressed data to attackers. This may cause data breaches and resource abuse.

  • Regulatory control: When worms spread over a network, they send a large number of packets. This may trigger regulatory controls on the sending IP addresses, such as blocking of the addresses, which results in service interruption.

  • Economic or data loss: Ransomware worms encrypt files on compromised servers for ransom, which can cause economic or data loss.

Solution provided by Cloud Firewall

Cloud Firewall provides layered defense against the attack chains of worms and can detect and intercept a variety of worms. Cloud Firewall also dynamically updates and expands its capabilities to detect and intercept new worms based on threat intelligence from the cloud.

The following list describes common worms:

  • DDG: spreads by exploiting Redis vulnerabilities and by launching brute-force attacks. This worm uses the computing resources on compromised servers to mine cryptocurrency.

  • WannaCry: spreads by exploiting Windows system vulnerabilities and compromises servers for ransom.

  • BillGates: spreads by exploiting application vulnerabilities and by launching brute-force attacks. This worm builds a botnet of compromised servers to launch DDoS attacks.

Case: DDG worm

DDG is an active worm that spreads by exploiting Redis vulnerabilities and by launching brute-force attacks. Compromised servers are added to a botnet to mine cryptocurrency.

Impact scope of DDG

  • Servers that use weak SSH passwords

  • Redis or other database servers for which specific vulnerabilities exist

Major impact of DDG

  • Service interruption: DDG mines cryptocurrency on compromised servers, which consumes a large amount of computing resources on those servers. This may degrade service availability or cause service interruption.

  • Regulatory control: When DDG spreads over a network, it sends a large number of packets. This may trigger regulatory controls on the sending IP addresses, such as blocking of the addresses, which results in service interruption.

Defense against the DDG attack chain

Cloud Firewall detects and defends against the DDG attack chain in real time. This way, worms are blocked and are prevented from spreading.

Cloud Firewall provides the following intrusion prevention features:

  • Whitelist: Cloud Firewall trusts the source and destination IP addresses that you specify in the whitelist and does not block the traffic of these IP addresses.

  • Threat intelligence: Cloud Firewall matches the traffic of your servers against threat intelligence and blocks the malicious behavior of C&C servers that the threat intelligence identifies.

  • Basic protection: Cloud Firewall detects malware and intercepts the requests sent to or received from C&C servers or backdoors.

  • Virtual patching: Cloud Firewall provides virtual patches to defend your services against popular high-risk application vulnerabilities in real time.

Procedure

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, choose Prevention Configuration > IPS Configuration.

  3. On the Internet Border tab, select Block-Loose for Threat Engine Mode.

  4. Click Whitelist and add trusted source IP addresses, destination IP addresses, or address books of both inbound and outbound traffic to a specific whitelist.

  5. Turn on the switches on the Basic Protection, Virtual Patching, and Threat Intelligence tabs.