Thought leadership. threat analysis, news and alerts.
Twitter recently shed a light on the cyberattack that compromised the accounts of a number of its high-profile customer base.
In the blog post “An update on our security incident”, Twitter said that the cyber incident that happened on July 15, 2020 targeted a small number of employees through a “phone spear phishing attack”. Twitter didn’t give details about how the attackers carried out the phone spear phishing attack.
Twitter, however, described the aftermath of the phone spear phishing attack. The company said that while not all of the Twitter employees that were targeted by the phone spear phishing attack had permissions to use Twitter’s account management tools, the “attackers” used the credentials gathered from the phone spear phishing attack to access the company’s internal systems and gain information about its processes.
Knowledge of the company’s internal systems and processes, Twitter said, enabled the attackers to target additional employees who did have access to the platform’s account support tools. Armed with credentials from employees that had access to the platform’s account support tools, Twitter said, the attackers targeted 130 Twitter accounts. Out of the 130 Twitter accounts, the company said, the attackers tweeted from 45 accounts, accessed the Direct Message (DM) inbox of 36 accounts, and downloaded the Twitter data of 7 accounts.
The phone spear phishing attack on Twitter compromised multiple high-profile verified accounts of personalities, including that of Bill Gates, Elon Musk and Jeff Bezos. Verified accounts of tech giants such as Apple and Uber as well as verified accounts of cryptocurrency exchanges such as Binance and Coinbase were also compromised.
Compromised verified accounts were made part of a cryptocurrency scam in which readers were called on to send bitcoin to a particular address with the promise that twice the amount of bitcoin would be returned. As of August 3, 2020, a total of 399 transferees sent bitcoin to the address mentioned in the compromised Twitter accounts. The total amount sent reached nearly 12.87 bitcoin (equivalent to USD 144,213).
As of July 30, 2020 (date of a case filed by the U.S. Department of Justice against one of the alleged perpetrators of the Twitter hack), not one of those that sent bitcoin to the above-mentioned address got their bitcoin doubled nor their bitcoin returned. Last July 31st, the U.S. Department of Justice announced that 3 cases had been filed against 3 individuals for their alleged roles in the Twitter hack.
Details of the alleged phone spear phishing attack are still not available despite the cases filed as the alleged mastermind of the Twitter hack is a minor. In the U.S., cases against minors aren’t available to the public.
Phone spear phishing attack isn’t something new. Phishing attack, in general, refers to a cyberattack that tricks victims into giving information to criminals. Spear phishing, meanwhile, refers to a phishing campaign that targets specific individuals or specific organizations.
Traditionally, spear phishing attacks are conducted via emails. With the adoption of the Voice over Internet Protocol (VoIP) – a technology that allows users to make voice calls over the internet instead of a regular (or analog) phone line, phone phishing, also known as vishing, proliferate.
It’s rare to hear about phone phishing because such are reported under the category of phishing which includes traditional email phishing. In a typical email phishing, an attacker sends a target an email that masquerades as coming from a legitimate source.
This malicious email contains a malicious link or attachment. Clicking on this malicious link or attachment could lead to the compromise of the user’s computer or stealing of sensitive data.
In the early 2000s, the Federal Bureau of Investigation (FBI) cited two examples of vishing. In one version of a vishing scam, a target receives a typical email, similar to the traditional email phishing scam. But instead of directing the target to a malicious link, the target is given a phone number (a VoIP account) to call and ask to provide certain information over the given phone number.
The phone number is usually that of a fake customer service. The target that calls the customer service is then directed to a series of voice-prompted menus that ask for passwords and other sensitive information.
According to the FBI, another version of vishing directly contacts the target by phone (VoIP account as well) instead of an initial email. The call can come from a recorded message directing the target to take action to protect his or her account. In this case, the attacker already has some personal information about the target. This gives the target a false sense of security.
Vishing via VoIP, the FBI said, has some advantages over traditional phishing tricks due to the following reasons:
Preventive and Mitigating Measures Against Vishing
Always treat a phone call asking for sensitive information with a healthy dose of skepticism. Verify whether the call is legitimate by hanging up the phone and calling the customer service using the number provided by the organization.
Threat Focus: WastedLocker Ransomware
Garmin, an American multinational company that markets GPS navigation and wireless devices and applications, has reported a global outage on its systems since last July 23.
Last July 23, Garmin announced that it was experiencing an outage that affected Garmin Connect – a service that syncs users' activity and data to the cloud and other devices. Garmin also announced that the outage affected the company's call centers, cutting off the company's ability to respond to any calls, emails and online chats.
Last July 26, Garmin followed up its July 23 announcement. The statement said the company "has no indication that this outage has affected your data, including activity, payment or other personal information."
flyGarmin, Garmin's service that offers navigational software to pilots, in a separate statement said that last July 23 it also experienced a similar outage in which users couldn't access flyGarmin's website and call centers. flyGarmin specified that its Connext services, in particular, weather, data from the on-board Central Maintenance Computer (CMC), position reports were down; and Garmin Pilot apps, in particular, flight plan filing (unless connected to FltPlan, account syncing, database concierge) were down.
Based on its July 26 update, flyGarmin said that its website and mobile app are now operational, and that customer support can handle limited calls, but emails and chat supports are still unavailable.
While Garmin remains silent on what caused the global outage of its systems, BleepingComputer and TechCrunch reported that sources familiar with the Garmin outage investigation and company employees point to the direction that Garmin fell victim to WastedLocker ransomware.
A Garmin employee told BleepingComputer that they first learned of the attack when they arrived at their office last Thursday morning. As devices were being encrypted, employees were told to shut down any computer on the network, including computers used by remote workers that were connected via virtual private network (VPN), to prevent additional devices from being encrypted. As shown by the photo sent by a Garmin employee to BleepingComputer, the ".garminwasted" extension was appended to the file name of every encrypted file.
WastedLocker ransomware was first tracked in the wild in May of this year. This ransomware was named after the filename it creates which includes an abbreviation of the victim’s name and the word "wasted".
One of the known methods used by the group behind the WastedLocker ransomware is the use of fake software update that shows up on the users' computer screen when visiting certain legitimate websites. Malicious code is inserted by the group behind the WastedLocker ransomware on vulnerable websites, prompting unsuspecting users to click on the fake software updates that show up on their trusted websites.
Once a user clicks on this fake software update, the WastedLocker ransomware activates CobaltStrike – a commercial penetration testing tool that can be used by ethical security researchers as well as by malicious actors. This commercial penetration testing tool uses tools such as Metasploit and Mimikatz.
Metasploit is an open-source tool for probing vulnerabilities on networks and servers. It can easily be customized and used with most operating systems.
Mimikatz, meanwhile, is another open-source tool that gives out passwords as well as hashes and PINs from memory. This tool makes it easy for attackers to conduct post-exploitation lateral movement within a victim's network.
After exploring the weak spots and access credentials, the WastedLocker ransomware is then dropped into the victim's network or server. With WastedLocker ransomware, it isn't possible to get backup copy on the affected computer as this malicious software deletes shadow copies – the default backups made by Windows operating systems.
Security researchers, including those from Malwarebytes and Fox-IT, named Evil Corp Group as the group behind WastedLocker ransomware. Most of today's ransomware groups openly admit that they steal victims' data prior to encrypting files. These ransomware groups publish or auction the data belonging to victims that are unwilling to pay the ransom.
According to Malwarebytes, the group behind the WastedLocker ransomware "does not exfiltrate stolen data and publish or auction the data that belong to 'clients' that are unwilling to pay the ransom".
Fox-IT, meanwhile, said that the group behind WastedLocker ransomware “has not appeared to have engaged in extensive information stealing or threatened to publish information about victims”. "We assess that the probable reason for not leaking victim information is the unwanted attention this would draw from law enforcement and the public," Fox-IT said.
The group behind WastedLocker ransomware demands ransom payment ranging from US$500,000 to over $10 million in Bitcoin. One of the sources of BleepingComputer said that the ransom demand in exchange for decryption keys that could unlock the encrypted files of Garmin is priced at US$10 million.
In December 2019, the U.S. Treasury Department, sanctioned Evil Corp by way of prohibiting U.S. persons in dealing with the group. The U.S. Treasury Department said that "U.S. persons are generally prohibited from engaging in transactions with them [Evil Corp]." Engagement, in this case, could be mean that US individuals or organizations are prohibited in engaging with Evil Corp, such as via ransom payment.
The sanction of the U.S. Treasury Department’ came after leaders and members of the Evil Corp were charged for developing and distributing the malicious software (malware) called "Dridex". The U.S. Treasury Department said that Dridex infected computers and harvested login credentials from hundreds of banks and financial institutions in over 40 countries, causing more than US$100 million in theft.
Twitter Attributes Latest Hack to Its Systems to Social Engineering
Last July 15th, verified Twitter accounts, including that of Amazon CEO Jeff Bezos and Former U.S. President Barack Obama, tweeted similar content, saying that they've decided to give back to their community by giving back twice the Bitcoin amount (limited to US $50 million) for every Bitcoin that will be sent to a particular Bitcoin address.
The tweets were later removed – a confirmation that the tweets were part of a scam and that the involved verified Twitter accounts were, in fact, hacked. A total of 393 transactions sent varying amounts of Bitcoin to the indicated Bitcoin address. Whoever orchestrated the campaign earned 12.8 Bitcoins, valued at US $117,473 as of July 18, 2020.
How Twitter Was Hacked?
In a blog post dated July 18, 2020, Twitter attributed the hacking of the 130 verified Twitter accounts to social engineering. "At this time, we believe attackers targeted certain Twitter employees through a social engineering scheme," Twitter said.
The company, however, didn't elaborate how the social engineering was carried out by attackers. Twitter defined social engineering as the "intentional manipulation of people into performing certain actions and divulging confidential information."
According to Twitter, the intentional manipulation of a small number of Twitter employees enabled the attackers to access the company's internal systems using the credentials of the targeted Twitter employees, and "getting through" the company's two-factor authentication (2FA) protection.
Twitter said the attackers were able to view personal information including phone numbers and email addresses – information that were accessible to some of the targeted employees. Out of the 130 hacked verified accounts, Twitter added, 45 of those accounts, the attackers were able to login to the account, send tweets and initiate a password reset.
In accounts taken over by the attackers, the company said that the attackers may have been able to view additional information. The company also added that the attackers attempted to sell some of the hacked accounts.
The July 15th cyber incident at Twitter isn't the first hacking incident that the company experienced. Nearly a year ago, the Twitter account of its CEO Jack Dorsey was hacked.
After taking over Dorsey's Twitter account @jack, attackers fired off nearly two dozen tweets and retweets. "The phone number associated with the account was compromised due to a security oversight by the mobile provider," Twitter said in a statement. "This allowed an unauthorized person to compose and send tweets via text message from the phone number."
The above-mentioned statement from Twitter on how its CEO's account was hacked describes a typical SIM swap attack – a type of cyberattack in which a mobile phone company employee switches a victim’s phone number to a new phone number that's under the attacker’s control.
This type of attack is carried out in two ways. One method is by calling a customer help line of the mobile phone company and pretend to be the intended victim. The other method is by paying off phone company employees to do the phone number switches. There have been reports that attackers paid off phone company employees to do the phone number switching for as low as US $100.
SIM swap plays a big role in an attack that tries to bypass text message-based 2-factor authentication, an authentication method that requires additional authentication, that is, on top of the usual username and password requirement, a user can only login to an account by providing a one-time code – a code that's sent to the phone number provided by a user. In a SIM swap attack, by changing the target's phone number to the phone number controlled by the attacker, the one-time code is sent to the new phone number controlled by the attacker.
In September 2019, the U.S. Federal Bureau of Investigation (FBI) warned its partner organizations about SIM swapping. According to the FBI, between 2018 and 2019, the most common tactic used by attackers in circumventing the 2-factor authentication was through SIM swapping.
In 2019, a report came out that Twitter left its internal systems exposed to outsiders by failing to apply the latest security update of a particular software. This time, however, bug bounty hunters found the vulnerability and responsively disclosed the vulnerability to Twitter.
In a blog post dated September 2, 2019, security researchers at DEVCORE reported that they were able to perform on Twitter's internal systems remote code execution – the ability to access someone else's computing device and make changes to it regardless of where this computing device is geographically located. The researchers said they initially gained access to Twitter's internal system by exploiting an unpatched Pulse Secure VPN used by the company.
The security researchers at DEVCORE are the same researchers that discovered the remote code execution vulnerability in Pulse Secure VPN products and reported this vulnerability to the software vendor Pulse Secure. The same researchers also discovered and reported the security vulnerabilities in the VPN products of OpenVPN and Fortinet.
"During our research, we found a new attack vector to take over all the clients [computers or software that accesses a service made available by a server]," security researchers at DEVCORE said. "It’s the 'logon script' feature. It appears in almost EVERY SSL VPNs, such as OpenVPN, Fortinet, Pulse Secure… and more. It can execute corresponding scripts to mount the network filesystem or change the routing table once the VPN connection established. Due to this 'hacker-friendly' feature, once we got the admin privilege, we can leverage this feature to infect all the VPN clients!"
The researchers also reported that they bypassed the 2-factor authentication as Twitter enabled the Pulse Secure VPN's roaming session feature, which allows a session from multiple IP locations. "Due to this 'convenient' [roaming session] feature, we can just download the session database and forge our cookies to log into their system!"
Prior to going public, the security researchers at DEVCORE reported to Twitter their findings via the company's bug bounty program.
Social engineering is a significant risk for most organizations and individuals alike. This is why we’ve created a blog post with 52 cybersecurity tips for businesses and individuals to help mitigate key risks.
How DDoS Threat Landscape Has Evolved Over Time
Through the years, distributed denial-of-service (DDoS) – a form of cyberattack originating from multiple systems and overwhelming one specific service or website using malicious data or requests – has evolved and grown stronger and more prevalent.
Evolution of the DDoS Threat Landscape
The Morris Worm
DDoS threat has been around ever since humanity decided to interconnect computers. The malicious software dubbed as “Morris worm”, which was unleashed prior to the invention of the World Wide Web, is considered by some as the first DDoS attack.
Morris worm replicated a copy of itself and propagated itself at a remarkable speed to computers belonging to a number of the prestigious colleges and public and private research centers that made up the ARPANET – an early prototype for the internet. On November 2, 1988, in just 24 hours, the Morris worm affected an estimated 6,000 of the approximately 60,000 computers that were then connected to ARPANET.
The unleashing of the Morris worm resulted in slowing to a crawl vital military and university functions and delayed emails for days. The creator of the Morris worm, then 23-year-old Cornell University graduate student Robert Tappan Morris unleashed out the worm by exploiting security vulnerabilities in a specific version of the Unix operating system. The worm was also unleashed by attempting to break into user accounts on an infected machine using brute force attacks, that is, guessing weak passwords similar to modern-day brute force attacks.
MafiaBoy DDoS Attack
While not the first DDoS attack in the World Wide Web era, the DDoS attacks carried out by MafiaBoy, then 15-year old Michael Calce from Montreal, Canada, were notable as this teenager launched a series of high-profile DDoS attacks in February 2000 against large commercial websites, including eBay, Amazon and E*Trade. In carrying out his DDoS attacks, Calce modified the code written by another hacker. Calce compromised nearly 200 university networks and brought this under his control to launch DDoS attacks against specific targets.
In the book "Mafiaboy: A Portrait of the Hacker as a Young Man", Calce wrote that he scanned the internet for university-owned servers withsecurity weaknesses that he could exploit. "Once I found at least one, I ran a program I had found called Hunter to hijack that computer's connection."
In the age of Internet of Things (IoT), the DDoS attacks carried out Mirai stand out. Mirai is a malicious software (malware) that compromises poorly secured IoT devices such as wireless routers and security cameras into a botnet to conduct large-scale DDoS attacks. A botnet refers to a network of compromised computers coordinating as one to carry out instructions at the direction of their master – a malicious threat actor.
On September 30, 2016, Mirai source code was leaked online by one of its authors, Paras Jha. The Mirai source code was later used by different malicious actors in launching DDoS attacks.
Mirai exploits the habit of IoT users of not changing the default login details. At its height, nearly 400,000 IoT devices were hijacked by Mirai for DDoS attacks.
One notable DDoS attack utilizing the Mirai source code was the DDoS attack on internet infrastructure services provider Dyn DNS (now Oracle DYN) in October 2016. The DDoS attack on this internet infrastructure, which enslaved 100,000 devices including IP cameras and printers, disrupted the services of major websites such as Amazon, Netflix, Reddit, Spotify and Twitter.
Memcached-Based DDoS Attacks
In February 2018, DDoS attackers used a new attack method that exploited a lesser number of devices but produced a bigger punch. GitHub reported on February 28, 2018 that GitHub.com was unavailable from 17:21 to 17:26 UTC and intermittently unavailable from 17:26 to 17:30 UTC due to a DDoS attack. The DDoS attack on GitHub peaked at 1.35 Tbps – then setting the record of the largest DDoS attack.
In analyzing the DDoS attack on GitHub, Cloudflare reported that the attack on GitHub exploited 5,729 memcached servers that were inadvertently made accessible on the internet. Memcached is an open-source distributed memory caching system for speeding up applications.
"Launching such an attack [by exploiting Memcached] is easy," Cloudflare said. "First the attacker implants a large payload on an exposed memcached server. Then, the attacker spoofs the 'get' request message with target Source IP. In practice, we've seen a 15 byte request result in a 750kB response (that's a 51,200x amplification)."
With nearly 100,000 Memcached servers exposed to the internet, Cloudflare said at that time that it's expecting to see much larger attacks in the future.
Days after the GitHub attack, NetScout reported an even larger DDoS attack, victimizing a US-based service provider. This time peaking at 1.7Tbps. "The attack utilized a Memcached ... Reflection & Amplification vector to accomplish such a massive attack," NetScout said.
CLDAP-Based DDoS Attack
In the 1st quarter of 2020, Amazon reported that in February of this year, it detected and mitigated a DDoS attack targeting an AWS customer. The DDoS attack, Amazon said, peaked at 2.3 Tbps and caused three days of “elevated threat".
According to Amazon, the DDoS attack on one of its AWS customers exploited Connection-less Lightweight Directory Access Protocol (CLDAP) web servers. CLDAP is used to connect, search, and modify internet-shared directories. DDoS attackers have made CLDAPexploitation as part of their arsenal since 2016.
Imperva's 2019 Global DDoS Threat Landscape Report found that large-scale DDoS attacks were outside of the norm. "Overall, we saw attacks that were smaller, shorter, and more persistent," Imperva said. "While this trend may be indicative of attackers’ attempts to wreak havoc before a mitigation service kicks in, it’s no match for Imperva, where time to mitigation is near zero."
Many companies that call us have fallen victim to a DDoS attack, and paid ransom to cybercriminals to stop the attacks and resume normal business operations.
Protect your website, web applications and your network today and avoid costly business interruptions.
Using state of the art technology, our team will mitigate a DDoS attack in just 10-seconds, protecting your revenues, your assets and your reputation.
‘Wiping & Ransom’ Attack Targets Cloud Data Stored in MongoDB Databases
Data stored in the cloud isn't off limits to cybercriminals. A new report showed that a malicious actor held for ransom nearly half of all MongoDB databases exposed online.
A recent ZDNet report showed that a malicious actor has uploaded ransom notes on 22,900 MongoDB databases left exposed online without a password. This nearly 23,000 MongoDB databases represents nearly 47% of all MongoDB databases exposed online.
MongoDB is a document database in which documents can be searched by their field’s key, making this type of database flexible. This database can be deployed, operated and scaled in the cloud via cloud hosting services.
The report showed that the attacker scanned the internet using an automated script to search for exposed MongoDB databases; contents of the exposed databases were then wiped out; and victims were asked to pay 0.015 bitcoin (approximately USD 136 as of July 4, 2020).
The attacker then gave victims 2 days to pay the ransom to get back their wiped data and further threatened to leak victims' data in case of non-payment of the ransom. The attacker also threatened victims that the data leak will be reported to the local General Data Protection Regulation (GDPR) enforcement authority.
Under GDPR, organizations that are found to have failed to protect customers’ private data and such failure lead to a data breach could receive a hefty fine from local enforcement authority. In July 2019, UK’s Information Commissioner’s Office (ICO) announced its intention to fine British Airways £183.39m under GDPR for data breach. In July 2019 also the ICO similarly announced its intention to fine Marriott International, Inc. more than £99 million under GDPR for data breach.
Victor Gevers, a security researcher at the GDI Foundation, told ZDNet that the initial attacks didn't include the data wiping step. The wiping feature, Gevers said, was later added to the malicious actor's arsenal in attacking MongoDB databases. The ZDNet report said that the series of attacks on MongoDB databases started back in December 2016.
In a January 2017 blog post, Andreas Nilsson, Director of Product Security at MongoDB, acknowledged the attacks on unsecured MongoDB databases running openly on the internet. Said attacks, Nilsson said, erased database content and demanded from victims to pay ransom before the content can be restored.
In September 2017, Davi Ottenheimer, who leads the Product Security at MongoDB, in a blog post said that the company is aware of a new wave of attacks searching for misconfigured and unmaintained MongoDB databases. Ottenheimer said that the compromised MongoDB databases were left unsecured and connected to the internet with no password on their administrator account. This new wave of attacks, Ottenheimer said, doesn't indicate a new risk, just new targets.
"This [wiping and ransom of MongoDB databases] is not ransomware. Database does not get encrypted. It only gets replaced," Gevers told Bleeping Computer. "This is someone who does [this] manually or with a simple Python script."
According to Gevers, thousands of MongoDB databases are left exposed without a password online as these MongoDB instances used the old version of the MongoDB software in which the default configuration left the database open to external connections via the internet. "The most open and vulnerable MongoDBs can be found on the AWS platform because this is the most favorite place for organizations who want to work in a devops way," Gevers said. "About 78% of all these hosts were running known vulnerable versions."
How to Secure Data Stored in the Cloud
Unsecured and misconfigured data stored in the cloud isn't limited to MongoDB databases. In February 2018, BBC reported that security researchers have posted "friendly warnings" to users of Amazon's cloud data storage service whose private content has been made public to correct their settings that exposed data. "Please fix this before a bad guy finds it," one message left by security researcher said.
Here are some of the cybersecurity best practices in securing MongoDB databases deployed in the cloud via cloud hosting services and other data stored in different cloud platforms:
Like any online accounts, MongoDB databases deployed in the cloud and other data stored in the cloud via other cloud platforms need strong authentication methods. At the very least, protect the database with strong authentication method such as a strong password. These days cyberattacks often start with simple internet scanning. It’s important to protect cloud databases at its basic level with a strong password. It's also important to add extra layer of protection via multi-factor authentication.
The principle of least privilege is a security concept that limits access to the bare minimum to perform a task. For instance, a user is granted access only to specific database resources and operations and outside these defined role assignments, the user has no access to the other components of the database.
Use Firewall to control inbound and outbound traffic to your organization's databases. Use IP whitelisting to allow access only from trusted IP addresses.
It's important to keep a backup copy of the critical data stored in the cloud offline in case something happens beyond your organization's control that could prevent access to data stored in the cloud.
It's also important to audit data stored in the cloud, keeping track of the access and changes made to settings and data. A reliable audit system records these access and changes which can later on be used for forensic analysis and to make proper adjustments and controls.
Ontario and BC Privacy Commissioners Find LifeLabs Failed to Protect Personal Health Information of Millions of Canadians
Ontario and BC Privacy Commissioners Find LifeLabs Failed to Protect Personal Health Information of Millions of Canadians
A joint investigation by the Information and Privacy Commissioners of Ontario and British Columbia (BC) has found that Canadian laboratory testing company LifeLabs failed to protect the personal health information of millions of Canadians resulting in a data breach in 2019.
In a statement, the Information and Privacy Commissioners of Ontario and BC said the two offices found that LifeLabs failed to take reasonable steps to protect the personal health information in its electronic systems; failed to have adequate information technology security policies in place; and collected more personal health information than was reasonably necessary. LifeLabs is the largest provider of general health diagnostic and specialty laboratory testing services in Canada. It conducts over 100 million laboratory tests annually and supports 20 million patient visits annually. Its website is visited by more than 2.3 million Canadians to access their laboratory results each year.
According to the Information and Privacy Commissioners of Ontario and BC, on November 1, 2019, LifeLabs reported a cyberattack on their computer systems to the two offices. The cyberattack affected approximately 15 million LifeLab customers, including name, address, email, customer logins and passwords, health card numbers, and laboratory test results. Affected customers were mostly from Ontario and British Columbia.
The two offices issued the following orders to LifeLabs: improve specific practices regarding information technology security; put in place written information practices and policies with respect to information technology security; and cease collecting specified information and to securely dispose of the records of that information which it has collected.
“Our investigation revealed that LifeLabs failed to take necessary precautions to adequately protect the personal health information of millions of Canadians, in violation of Ontario’s health privacy law," Brian Beamish, Information and Privacy Commissioner of Ontario, said in a statement. "This breach should serve as a reminder to organizations, big and small, that they have a duty to be vigilant against these types of attacks."
“LifeLabs exposed British Columbians, along with millions of other Canadians, to potential identity theft, financial loss, and reputational harm,” Michael McEvoy, Information and Privacy Commissioner of British Columbia, said in a statement. “The orders made are aimed at making sure this doesn’t happen again. This investigation also reinforces the need for changes to BC’s laws that allow regulators to consider imposing financial penalties on companies that violate people’s privacy rights. This is the very kind of case where my office would have considered levying penalties.”
Last March 25, the Ontario government amended its health privacy law, making it the first province in Canada to give the Information and Privacy Commissioner the authority to levy monetary penalties against those who violate Ontario's Personal Health Information Protection Act (PHIPA).
According to the Ontario and B.C. privacy commissioners, to date, they still can't release the full report of their findings as LifeLabs asserted that the information that it provided to the commissioners is privileged or otherwise confidential. The privacy commissioners said they intend to publish the full report unless Lifelabs takes court action.
LifeLabs, for its part, said it's reviewing the report’s findings of the Privacy Commissioner of Ontario and the Office of the Information and Privacy Commissioner of British Columbia. "We cannot change what happened, but we assure you that we have made every effort to provide our customers with service they can rely upon," LifeLabs said.
According to LifeLabs, one of the changes made as a result of the cyberattack on its IT systems is the appointed of a Chief Information Security Officer (CISO), Chief Privacy Officer and Chief Information Officer. The company added that it has enhanced and accelerated its Information Security Management program with an initial $50 million investment to achieve ISO 27001 certification – a gold standard in information security management.
Stealing of Data and Ransom Demand
According to the Information and Privacy Commissioners of Ontario and BC, LifeLabs told the two offices in November 2019 that the cyberattacker or cyberattackers on LifeLabs penetrated the company’s systems, extracted data and demanded a "ransom".
In December 2019, Charles Brown, LifeLabs' president and CEO, in a statement, admitted to "retrieving the data by making a payment". "We did this [paying the ransom] in collaboration with experts familiar with cyber-attacks and negotiations with cyber criminals...."
To date, based on the statements of the Information and Privacy Commissioners of Ontario and BC as well as LifeLabs, there’s no mention of the word "ransomware". Due to this lack of information, the cyberattack on LifeLabs may or may not be a ransomware attack.
What is clear though is that the cyberattack on LifeLabs involved stealing of data, ransom demand, and in this case, a ransom payment. There are currently over a dozen ransomware groups that openly admit that they don't merely demand ransom to decrypt (unlock) encrypted (lock) files, but they also steal data and leverage this stolen data in case the ransomware victim refuses to pay ransom for the purpose of decryption.
Several months ago, the ransomware called "Maze" started the trend of naming and shaming ransomware victims that refuse to pay ransom for the purpose of decrypting the encrypted files. The group behind the Maze ransomware created a website that names ransomware victims that refuse to pay ransom and further threatens victims that continued refusal to pay ransom will result in the publication of the data stolen prior to the data encryption.
The group behind the ransomware called "REvil", also known by the name "Sodinokibi", recently created an e-bay-like auction site, auctioning the files of ransomware victims that continued to refuse to pay ransom. The REvil ransomware group auctioned the stolen files of a Canadian agricultural production company, one of its ramsomware victims that continue to refuse to pay ransom. The group offered 3 databases and 22,000 files stolen from the agricultural company to the successful bidder.
No organization is immune. Dealing with cyberattack and its consequences is not a matter of IF but a matter of WHEN. Get a head start by identifying and mitigate key IT risks today. Schedule a free assessment today or call 1.888.900.DRIZ (3749)
Amazon Records 2.3 Tbps DDoS Attack, Largest To Date
Amazon recently revealed that it detected and mitigated the largest distributed denial-of-service (DDoS) attack to date, targeting one of Amazon Web Services (AWS) customers.
In the "AWS Shield Threat Landscape Report – Q1 2020", Amazon said its threat protection service called "AWS Shield" detected and mitigated a DDoS attack in one of AWS customers with a previously unseen volume of 2.3 Tbps (terabytes per second). TBps refers to a data transmission rate equivalent to 1,000 gigabytes or 1,000,000,000,000 bytes per second.
In March 2018, NETSCOUT Arbor reported that it detected and mitigated the previous record holder for the largest DDoS attack which peaked at 1.7 Tbps, an attack targeted at a customer of a U.S. based service provider. The 1.7 Tbps DDoS attack came just heels after the previous record holder of the largest DDoS attack – an attack that specifically targeted GitHub in February 2018.
The AWS DDoS Attack
In a DDoS attack, multiple computers act as one unit to attack one target. Attackers often hijack and take control of vulnerable computers for the purpose of DDoS attacks by taking advantage of the security vulnerabilities or misconfigurations on these computers.
According to Amazon, the DDoS attack that targeted one of the company's AWS customers "caused 3 days of elevated threat during a single week in February 2020 before subsiding". Amazon said that the unnamed DDoS attacker or attackers utilized an amplification technique that takes advantage of the Connectionless Lightweight Directory Access Protocol (CLDAP) in launching the DDoS attack.
CLDAP is a cross-platform protocol and often used on Microsoft Active Directory networks to retrieve server information. From October 2016 to January 2017, Akamai reported that it detected and mitigated a total of 50 CLDAP reflection attacks, 33 of which exclusively used CLDAP reflection.
On January 7, 2017, Akamai said it detected and mitigated the largest DDoS attack using CLDAP reflection as the sole vector at the time, reaching peak bandwidth of 24 gigabytes per second (GBps), and peak packets per second of 2 million packets per second. Akamai added that the CLDAP protocol allows DDoS attacks to amplify 56 to 70 times.
"The query payload is only 52 bytes ...," Akamai said regarding thisJanuary 7, 2017 CLDAP reflection DDoS attack. "This means that, the Base Amplification Factor (baf) for the attack data payload of 3,662 bytes, and a query payload of 52 bytes, was 70x, although only one host was revealed to exhibit that response size. Post attack analysis showed that the average amplification during this attack was 56.89x."
The DDoS attack detected and mitigated by NETSCOUT Arbor and the DDoS attack on GitHub in 2018, meanwhile, were launched by taking advantage of internet-exposed Memcached protocol – a general-purpose distributed memory-caching system. Attack vectors of the topmost DDoS attacks are often used by DDoS-for-hire services in launching DDoS attacks.
In the case of the DDoS attack on GitHub, the amplification factor reached up to 51 times, which means that for each byte sent by the DDoS attacker, up to 51KB is sent toward the target. At the time of the GitHub DDoS attack, Shodan – a search engine that allows users to find specific types of computers connected to the internet using filters – reported 88,000 internet-exposed memcached servers.
In 2018, DDoS-for-hire services took advantage of the close to 100,000 memcached servers exposed to the internet. Since 2016 also, DDoS-for-hire services have been taking advantage of exposed CLDAP protocol.
In taking advantage of vulnerable computers with higher amplification or reflection factor, significant attack bandwidth can be produced with fewer compromised computers. Taking advantage of servers using CLDAP protocol and memcached protocol for reflection/amplification DDoS attacks work the same by sending spoofed requests to a vulnerable server, which then responds with a larger amount of data than the initial spoofed request, amplifying the volume of traffic.
Preventive and Mitigating Measures Against DDoS Attacks
DDoS attacks that are taking advantage of the CLDAP protocol start with servers that are exposed to the internet with port 389 open and listening. DDoS attackers simply scan the internet for these open port 389 and add these to a list of amplifiers or reflectors.
Don't be a part of the bigger DDoS reflection/amplification problem. If your organization doesn't need the CLDAP protocol, close this DDoS amplification egress by not exposing this protocol to the internet, that is, by blocking port 389. In the case of DDoS attacks taking advantage of exposed memcached servers, one of the prevented measures in preventing attackers in hijacking memcached servers for DDoS attacks is by disabling UDP.
Most often, however, DDoS attacks don’t reach the terabyte. According to Amazon, most of the DDoS events involving CLDAP protocol in the first quarter of 2020 was 43 Gbps.
While many DDoS attacks are non-terabyte attacks, such attacks still disrupt normal business operations and denying legitimate users access to victims’ IT infrastructure. Imperva’s 2019 Global DDoS Threat Landscape Report showed that most DDoS attacks were short, with 51% lasting less than 15 minutes. While most DDoS attacks were short, Imperva reported that the vast majority of DDoS attacks were persistent and aimed at the same targets. “Attackers either launched DDoS assaults in short streaks – two-thirds of targets were attacked up to five times – or were ultra-persistent, with a quarter of targets attacked 10 times or more,” Imperva reported.
Cyberattack Surface Widens As World Sees Increase in Remote Work
With much of the world now working remotely and likely to remain this way after the COVID-19 pandemic, the attack surface that could be exploited by cyberattackers has widened, a new study showed.
A new study by RiskIQ showed that with much of the global economy being run from homes, attackers now have far more access points to probe and exploit. Attack surface, as defined in the study, refers to everything that needs defending, starting from inside the corporate network and extending all the way to the internet and into the homes of workers working from home. RiskIQ identified the following attack areas:
Web-Based Attack Surface
Across the internet in just over two weeks, RiskIQ observed 2,959,498 new domains (equivalent to 211,392 per day) and 772,786,941 new unique hosts to the web (equivalent to 55,199,067 per day). New domains, also known as new websites, and new unique hosts to the web, according to RiskIQ, represent as possible targets for threat actors.
RiskIQ found that 2,480 of the Alexa top 10,000 domains were running at least one potentially vulnerable web component, and 8,121 potentially vulnerable web components in total were found in the Alexa top 10,000.
To highlight the attack surface faced by organizations, RiskIQ conducted a study on the companies that comprise the FTSE-30 – a group of 30 large-cap organizations in the UK. RiskIQ found that on average, each FTSE-30 organization has 324 expired certs, 25 SHA-1 certs, 743, potential test sites, 28 insecure login forms, 385 total insecure forms, 46 web frameworks with known vulnerabilities, 80 PHP 5.x instances with end of life (EOL) end of the year, and 664 web servers at release levels with known vulnerabilities.
In addition, last March, with the spike of online shopping due to COVID-1, RiskIQ reported that it detected a 30% increase in Magecart skimmers – a type of cyberattack that involves digital credit card theft by skimming online payment forms.
Modern websites are made up of common features such as underlying operating systems, frameworks, third-party applications, plugins, and trackers. "This commonality of approach is attractive to malicious actors, as a successful exploit written for a vulnerability or exposure on one site can be reused across many sites," RiskIQ said.
A recent report from Verizon Data Breach Report, showed that external-facing web applications, in which network security tools have no visibility, were exploited the most by cyberattackers.
Remote Access Attack Surface
According to RiskIQ, the rush to stand up new systems outside the firewall to enable a remote workforce has expanded attack surfaces quicker, with virtual private network (VPN) usage surged 112% over just six weeks, and a 26.11% increase in Microsoft Remote Access Gateway instances, peaking around March 20 when stay-at-home orders took full effect.
RiskIQ found that on average, each FTSE-30 organization has 45 mail servers, 7,790 cloud-hosted apps (Amazon and Azure), 26 potentially vulnerable Citrix Netscaler instances, 8 potentially vulnerable Palo Alto GlobalProtect instances, 9 potentially vulnerable Pulse Connect instances, 25 potentially vulnerable Fortinet instances, and 1,464 remote access service instances.
Mobile Attack Surface
There's more to mobile apps than Apple and Google Play Mobile App Stores as there are hundreds of online stores in which threat actors sell their mobile apps. RiskIQ said malicious actors compromise legitimate apps and launch fake apps in other app store ecosystem and the open internet.
In 2019, RiskIQ found 170,796 blacklisted mobile apps across 120 mobile app stores and the open internet. Eighty-six percent of the blacklisted apps, RiskIQ said, claimed the READ_SMS permission, which allows the app to read messages and can be used for nefarious activities such as circumventing two-factor authentication.
Social Engineering Attack Surface
Social engineering refers to the impersonation of domains, subdomains, landing pages, websites, mobile apps, and social media profiles to trick employees and consumers in installing malicious software (malware) or into giving up login credentials and other personal information.
In the first quarter of 2020, RiskIQ identified 21,496 phishing domains impersonating 478 unique brands. For the same period, it also identified 720,188 instances of domain infringement across 170 unique brands. RiskIQ noted that 317,000 new websites related to “COVID-19” or “coronavirus” in the two weeks between March 9 and 23.
Cybersecurity Best Practices in Securing Your Organization's Attack Surface
Traditional cybersecurity measure uses a firewall that acts as a barrier between a trusted internal network and untrusted external network such as the internet. The COVID-19 pandemic and the resulting government-mandated stay-at-home measure leaving organizations no option but to allow workers to work from home, has widened the attack surface as the boundaries of what are inside the firewall and what are outside the firewall are no longer clear.
Here are some cybersecurity best practices in securing your organization's attack surface:
Whether it's for the web, mobile or operating systems, all software used for these platforms should be kept up to date. Failure to apply the latest software update leaves this attack surface vulnerable for attack.
Malicious actors can simply probe into your organization's vulnerable internet-connected assets by conducting a simple internet scan. It's important to conduct a regular full inventory of these internet-connected assets, determining, for instance, what assets need software update.
Early detection of social engineering attempts that impersonate your organization's domains, subdomains, landing pages, websites, mobile apps, and social media profiles that target your employees and customers and letting them know about these social engineering attempts is one of the effective measures in disrupting
REvil Ransomware Group Resorts to Auctioning Stolen Data
It's now a known fact that ransomware groups steal data prior to encrypting files and demanding ransom from victims.
The group behind the ransomware called "REvil", also known by the name "Sodinokibi", has recently flaunted its data-stealing capability by auctioning the stolen data of one of its ransomware victims that refuses to pay ransom.
On the dark web, the group behind the REvil ransomware created an e-bay-like auction site, auctioning the files of one of its victims that continued to refuse to pay ransom: a Canadian agricultural production company. The newly created auction site of REvil says that a successful bidder will receive 3 databases and 22,000 files stolen from the agricultural company.
The minimum deposit is set at USD$5,000 in virtual currency Monero, and the starting bidding price is USD$50,000. To date, the Canadian agricultural production company hasn't acknowledged the ransomware attack and the related stolen data.
Ransomware: More than Encryption
Ransomware is a type of malicious software (malware) that encrypts victims' computers or files, rendering these computers or files inaccessible to legitimate users. In a ransomware attack, a ransom note is shown on the victim’s computer screen that the only way to access the computer or files again is by paying a ransom, typically in the form of virtual currency.
In the past, ransomware victims aren't hesitant to acknowledge ransomware attacks. Often though in the victims' cyber incident reports and press releases, they assure affected clients or costumers that there's no need to worry as there's no evidence of data exfiltration.
The ransomware called "Maze" openly exposed the data exfiltration process that comes along in a ransomware attack. Maze ransomware is the first ransomware that publishes online the names of the victims that refused to acknowledge the ransomware attack on their systems and/or continues to refuse to pay the ransom.
The group behind Maze ransomware threatens the "shamed" victims that continued refusal to pay the ransom will result in the publication of the data stolen prior to the data encryption. Publication of stolen data led one of the victims of Maze ransomware to file a case in court against the group behind Maze ransomware.
Close to a dozen of other ransomware groups, including REvil, followed Maze's tactic of naming ransomware victims and threatening to publish victims' stolen data – an open acknowledgment that these ransomware groups steal data prior to encrypting files.
Microsoft Threat Protection Intelligence Team, in the blog post “Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk", said that “while only a few of these [ransomware] groups gained notoriety for selling data, almost all of them were observed viewing and exfiltrating data during these attacks, even if they have not advertised or sold yet.”
Getting to Know REvil Ransomware
REvil Ransomware first appeared in the wild in April 2019. Exploiting software vulnerabilities, brute-forcing RDP access and using third-party software are some of the known strategies used by the group behind the REvil ransomware in gaining access to victims’ networks and eventually drop the ransomware.
Researchers at Cisco reported that the group behind the REvil ransomware has been exploiting CVE-2019-2725 since at least April 17, 2019 in installing the ransomware. CVE-2019-2725 is a security vulnerability in Oracle WebLogic. Oracle first patched this vulnerability on April 26, 2019. "This vulnerability is easy for attackers to exploit, as anyone with HTTP access to the WebLogic server could carry out an attack," researchers at Cisco said.
Researchers at McAfee Labs, meanwhile, reported that the group behind REvil ransomware initially gains access to victims' networks by brute-forcing RDP access in installing the ransomware. Remote Desktop Protocol (RDP) is a proprietary protocol developed by Microsoft that allows a user to access Windows workstations or servers over the internet.
In a related report, McAfee Labs reported that the number of RDP ports exposed to the internet has grown from roughly three million in January 2020 to more than four and a half million in March. "RDP ports are often exposed to the Internet, which makes them particularly interesting for attackers," researchers at McAfee Labs said. "In fact, accessing an RDP box can allow an attacker access to an entire network, which can generally be used as an entry point for spreading malware, or other criminal activities."
Kaspersky Lab, meanwhile, reported that since the beginning of March 2020, the number of Bruteforce.Generic.RDP attacks has rocketed across almost the entire planet. In a brute force attack, attackers systematically try all possible username and password combinations until the correct combination is found.
Aside from exploiting software security vulnerabilities, brute-forcing RDP access, the group behind the REvil ransomware has also been known to install on the victims' networks the ransomware by using third-party software. In August 2019, the mayor of Keene, Texas revealed that the group behind the REvil ransomware managed to install the ransomware on the municipality’s network through a software that a third-party IT company used to manage the municipality’s network.
While the motive behind this new tactic of auctioning ransomware victims' stolen data isn't yet clear, the timing of the launching of this new tactic amid the on-going COVID-19 pandemic and the resulting government-mandated home quarantine could mean that ransomware victims are refusing to pay ransom as they could've hardened their backup systems or that victims are hard-pressed in paying out ransomware attackers due to the economic fallout resulting in the on-going pandemic. Falling in the wrong hands, the auctioned stolen files could be used against victims and the victims’ customers.
Cybercriminals are not playing by rules and are winning in most cases. Protect your organization today by engaging with our expert team. Connect with us today.
Modern Threats Organizations Face in the Cloud
COVID-19 has made remote working the new normal. A recent report from McAfee showed that as more people worked remotely as a result of the COVID-19-induced shelter-in-place order, the use of collaboration cloud services has grown, replacing the now empty office computer desks and conference rooms.
The New Normal
Twitter recently announced that its employees can work from home forever. "The past few months have proven we can make that [work from home setup] work," Jennifer Christie, Vice President for People at Twitter. "So if our employees are in a role and situation that enables them to work from home and they want to continue to do so forever, we will make that happen."
In Canada, a report from Statistics Canada showed that workers in industries where close contact with others is less necessary tended to do their job from home in April of this year and have experienced relatively fewer employment losses since February of this year and may find it easier to resume full activity through continuing work from home.
Collaboration Cloud Services Security Risks
As collaboration cloud services adoption increases, McAfee reported that the amount of threats from external actors targeting cloud collaboration services also increases. In the "Cloud Adoption and Risk Report", McAfee reported that from January to April 2020, overall cloud service usage increased by 50% across all industries.
The report also highlighted that for the same period, the use of collaboration cloud services has more than doubled, with Zoom (+350%), Microsoft Teams (+300%), and Slack (+200%) seeing some of the huge gains. While Zoom hugged the limelight in recent months, the report showed that Cisco Webex – another collaboration cloud service offering web conferencing and videoconferencing applications, experienced a 600% increase in usage during the same period.
The McAfee report found that from January to April 2020, the number of threats from external actors targeting cloud services increased by 630%, with most of the attacks concentrated on collaboration cloud services. McAfee defines external threats into two categories: excessive usage from anomalous location and suspicious superhuman.
Excessive Usage from Anomalous Location
McAfee defines excessive usage from anomalous location as a login attempt from a location that hasn't been previously detected, and the initialization of high-volume data access and/or privileged access activity. Suspicious superhuman, meanwhile, is defined as a login attempt from more than one distant locations that's impossible to travel to within a given period of time, for instance, a user attempts to log into Microsoft Office 365 in Singapore and same user logs into Slack in the U.S. five minutes later.
The McAfee report said it derived its data from "aggregated and anonymized" cloud usage data from more than 30 million McAfee MVISION Cloud users worldwide from January to April 2020. Compared to external threats, the report showed that the number of internal threats flatlined. Most of the attacks on the cloud are external, the report said, targeting cloud accounts directly.
Spraying Cloud Accounts
According to the report the excessive usage from anomalous location and suspicious superhuman are likely opportunistic "spraying" attacks. In spraying attacks, attackers use past stolen credentials in guessing the correct username and password combination.
Spraying attacks rely on the human weakness of reusing usernames and passwords. Attackers have easy access to these past stolen credentials. In January 2019, a total of 2.2 billion unique usernames and associated passwords was distributed for free on hacker forums and torrent sites.
Reliance on the Traditional Username and Password
Even prior to the onset of the COVID-19 pandemic, many organizations had put in place a safety net in the way workers access corporate cloud services, particularly collaboration cloud services, through virtual private network (VPN). In today's new normal, the work from home setup, has brought about the increased usage of VPN in allowing remote workers to access corporate networks and corporate collaboration cloud tools such as Microsoft Office 365.
One of the reasons cited by McAfee in the "Cloud Adoption and Risk Report" for the continued reliance of the traditional username and password authentication when accessing collaboration cloud services is the ease of use of this traditional authentication method. "In reality, employees will do whatever is easiest and fastest," McAfee said. "They will turn off their VPN and access applications in the cloud directly."
Cybersecurity Best Practices in Protecting Collaboration Cloud Services
Here are some of the best practices in protecting collaboration cloud services from external threats:
The use of multi-factor authentication, an authentication method that grants a user access to a computer or a collaboration cloud service only after successfully presenting two or more proof, such that, in addition to the usual logging of username and password, an additional proof is necessary to gain access.
In the blog post "One simple action you can take to prevent 99.9 percent of attacks on your accounts", Melanie Maynes Senior Product Marketing Manager, Microsoft Security said that 99.9% of attacks can be blocked with multi-factor authentication.
It's important, however, to supplement multi-factor authentication with other security measures as there have been documented cases whereby multi-factor authentication can be bypassed.
One of the security measures in protecting your cloud's data is by limiting users' access to sensitive data. Privilege access to sensitive data that isn't required to the remote workers' line of work is a risk to your organization's online security. Remote workers especially those using their personal devices to access corporate collaboration cloud tools should be given only conditional access to sensitive data in the cloud.
Steve E. Driz, I.S.P., ITCP