Modern Threats Organizations Face in the Cloud

COVID-19 has made remote working the new normal. A recent report from McAfee showed that as more people worked remotely as a result of the COVID-19-induced shelter-in-place order, the use of collaboration cloud services has grown, replacing the now empty office computer desks and conference rooms.

The New Normal

Twitter recently announced that its employees can work from home forever. "The past few months have proven we can make that [work from home setup] work," Jennifer Christie, Vice President for People at Twitter. "So if our employees are in a role and situation that enables them to work from home and they want to continue to do so forever, we will make that happen."

In Canada, a report from Statistics Canada showed that workers in industries where close contact with others is less necessary tended to do their job from home in April of this year and have experienced relatively fewer employment losses since February of this year and may find it easier to resume full activity through continuing work from home.

Collaboration Cloud Services Security Risks

As collaboration cloud services adoption increases, McAfee reported that the amount of threats from external actors targeting cloud collaboration services also increases. In the "Cloud Adoption and Risk Report", McAfee reported that from January to April 2020, overall cloud service usage increased by 50% across all industries.

The report also highlighted that for the same period, the use of collaboration cloud services has more than doubled, with Zoom (+350%), Microsoft Teams (+300%), and Slack (+200%) seeing some of the huge gains. While Zoom hugged the limelight in recent months, the report showed that Cisco Webex – another collaboration cloud service offering web conferencing and videoconferencing applications, experienced a 600% increase in usage during the same period.

The McAfee report found that from January to April 2020, the number of threats from external actors targeting cloud services increased by 630%, with most of the attacks concentrated on collaboration cloud services. McAfee defines external threats into two categories: excessive usage from anomalous location and suspicious superhuman.

Excessive Usage from Anomalous Location

McAfee defines excessive usage from anomalous location as a login attempt from a location that hasn't been previously detected, and the initialization of high-volume data access and/or privileged access activity. Suspicious superhuman, meanwhile, is defined as a login attempt from more than one distant locations that's impossible to travel to within a given period of time, for instance, a user attempts to log into Microsoft Office 365 in Singapore and same user logs into Slack in the U.S. five minutes later.

The McAfee report said it derived its data from "aggregated and anonymized" cloud usage data from more than 30 million McAfee MVISION Cloud users worldwide from January to April 2020. Compared to external threats, the report showed that the number of internal threats flatlined. Most of the attacks on the cloud are external, the report said, targeting cloud accounts directly.

Spraying Cloud Accounts

According to the report the excessive usage from anomalous location and suspicious superhuman are likely opportunistic "spraying" attacks. In spraying attacks, attackers use past stolen credentials in guessing the correct username and password combination.

Spraying attacks rely on the human weakness of reusing usernames and passwords. Attackers have easy access to these past stolen credentials. In January 2019, a total of 2.2 billion unique usernames and associated passwords was distributed for free on hacker forums and torrent sites.

Reliance on the Traditional Username and Password

Even prior to the onset of the COVID-19 pandemic, many organizations had put in place a safety net in the way workers access corporate cloud services, particularly collaboration cloud services, through virtual private network (VPN). In today's new normal, the work from home setup, has brought about the increased usage of VPN in allowing remote workers to access corporate networks and corporate collaboration cloud tools such as Microsoft Office 365.

One of the reasons cited by McAfee in the "Cloud Adoption and Risk Report" for the continued reliance of the traditional username and password authentication when accessing collaboration cloud services is the ease of use of this traditional authentication method. "In reality, employees will do whatever is easiest and fastest," McAfee said. "They will turn off their VPN and access applications in the cloud directly."

Cybersecurity Best Practices in Protecting Collaboration Cloud Services

Here are some of the best practices in protecting collaboration cloud services from external threats:

1. Use Multi-Factor Authentication

The use of multi-factor authentication, an authentication method that grants a user access to a computer or a collaboration cloud service only after successfully presenting two or more proof, such that, in addition to the usual logging of username and password, an additional proof is necessary to gain access.

In the blog post "One simple action you can take to prevent 99.9 percent of attacks on your accounts", Melanie Maynes Senior Product Marketing Manager, Microsoft Security said that 99.9% of attacks can be blocked with multi-factor authentication.

It's important, however, to supplement multi-factor authentication with other security measures as there have been documented cases whereby multi-factor authentication can be bypassed.

2. Limit Access to Sensitive Data

One of the security measures in protecting your cloud's data is by limiting users' access to sensitive data. Privilege access to sensitive data that isn't required to the remote workers' line of work is a risk to your organization's online security. Remote workers especially those using their personal devices to access corporate collaboration cloud tools should be given only conditional access to sensitive data in the cloud.

Still Performing Old-school Vulnerability Assessments? Here’s What You’re Missing

Businesses live or die based on their IT infrastructure. No company can afford to underestimate the danger that a single network breach or hardware failure can cause. We’re talking about major downtime, disrupted productivity, missed targets, and unhappy clients turning to your competitors for faster solutions.

Vulnerability assessments are crucial to identify and mitigate IT risks. Innovators leverage cutting-edge technology to deliver assessments that protect companies against potential issues on a daily basis. But if you’re still performing old-school vulnerability assessments, you could be making your business more susceptible to problems than it has to be.

Here’s what you’re missing.

A proactive approach to mitigating risks

One of the most important reasons old-school vulnerability assessments are so dangerous is that system changes can render them irrelevant within a matter of hours. For businesses which still conduct annual assessments of their IT infrastructure, there’s a real danger that severe risks can be missed during those intervening months.

This encompasses different areas. First and foremost, there are cybersecurity threats to consider.

Your current security measures may become outdated between assessments and leave your business vulnerable to breaches by hackers. Research shows that in 60 percent of cases, vulnerabilities allowing unauthorized access could be fixed with a readily-available patch. On average, data breaches cost as much as $3.92 million on average.

Cybersecurity is one area of IT infrastructures which you must take seriously. Hackers’ methods evolve at a startling rate, forcing organizations to remain vigilant and take a proactive approach to their defenses.

Cutting-edge monitoring is ongoing. The latest security technologies mimic hackers’ processes and techniques to identify where action is required to combat breaches. This enables organizations to recognize the flaws of their current security and which steps are necessary to fix them.

Furthermore, cybersecurity vendors you work with are continuously evaluated to pinpoint when they fail to comply with your business’s security policies or when security levels change.

Old-school assessments just can’t live up to this level of insight and awareness. So much can change in the period between one check and another.

Third-party vendor monitoring

So much of modern business relies on third-party vendors. Businesses of all sizes utilize cloud-based solutions for everything from customer service and team communications to accounting. And that’s great, because quality vendors help organizations to streamline operations and automate time-consuming tasks.

But companies place a lot of trust in vendors to provide a safe, secure, efficient standard of service at all times. The best suppliers are committed to doing just that. But sometimes, some may fall short of expectations.

Running irregular assessments of suppliers’ activities and services means you may be unaware of any oversights or failures. For example, a supplier may have implemented changes that mean it no longer aligns with your internal security policies, but you have no idea of this because so many months have passed since you last checked.

Furthermore, you want to rest assured that all suppliers your business works with comply with official regulations and standards (such as GDPR or CCPA). Any failures here can leave you facing legal difficulties and potentially high costs.

The latest solutions enable you to create security and compliance questionnaires to find out how third-party vendors follow regulatory measures. They also help you to determine how suppliers align with your own policies. On top of all this, innovative solutions reveal gaps in security to suppliers to help them deliver a higher standard of service.

As a result, you can make better decisions about the brands you work with and avoid unnecessary legal challenges that can be so damaging to your credibility.

A heightened awareness of technical issues

Cybersecurity is far from the only danger an inefficient IT setup brings. If your hardware is outdated and overdue an upgrade, you could be at risk of technical failures. This is especially problematic if you store data on-site and never take advantage of cloud backup. You would be unable to recover crucial information and work in the aftermath of a disaster, such as a fire, flood, theft, etc.

And that brings all manner of problems. Employee, client, and financial data may all be exposed. Workflows would be heavily affected, reducing productivity and customer satisfaction. Significant financial impact could leave your business unable to keep operating as required. 

Ongoing vulnerability assessments can determine how suitable your hardware and applications are for your business purposes. Old-school assessments conducted once or twice a year might not bring relevant issues to the surface until it’s too late. Leverage the latest assessment methods and technologies to protect your company against the risk of technical failures.

Understanding human error

Sadly, the people driving businesses are capable of making mistakes. This can be as simple as forgetting to update a password for a tool regularly or deleting a valuable field of data. But whatever the specifics, human error can make a sizable impact on a company’s security and performance.

In Canada’s legal and financial sectors, human error is cited as the biggest cause of data breaches, and a single mistake could open the door for hackers to gain unauthorized access to your network.

New vulnerability assessment solutions can incorporate human behavior to help recognize possible flaws, and help businesses take action to reduce their risk. For example, software and processes which have the potential to be confusing to users may be revised. Alternatively, training can be implemented to educate staff on software for greater peace of mind.

Old-school vulnerability assessments simply don’t offer the comprehensive insights which successful businesses need today. It’s not enough to check systems occasionally and trust them to work. Companies must take advantage of real-time data and detailed overviews to understand what risks they face in the digital age.

At The Driz Group, our expert team offers ongoing vulnerability assessments, penetration testing and third-party risk assessment as a service to identify issues with your infrastructure and protect your data accesses by third-party suppliers. This helps to remediate core IT risks and achieve maximum efficiency.

To book your own free web application and external network vulnerability assessment, get in touch now!

Lessons from the First Computer Pandemic: Love Bug

Twenty years ago, the world's first computer pandemic called the "Love Bug", also known as "ILOVEYOU" virus, wreaked havoc worldwide.

On May 4, 2000, in just a span of 24 hours, the Love Bug affected an estimated 45 million computers worldwide, causing an estimated US$10 billion in damages.

Tracking Down the Creator of ILOVEYOU Virus

BBC technology reporter Geoff White tracked down the creator of the ILOVEYOU virus working in a mobile phone repair shop inside a shopping mall in Manila. Onel de Guzman, now 44, admitted to White that he solely created the ILOVEYOU virus.

de Guzman told White that he unleashed the virus to steal passwords so he could access the internet without paying. He claims that he never intended the virus to spread globally and that he regrets the damage that the virus had caused. de Guzman was never charged with a crime as at the time when he unleashed the virus, the Philippines had no laws criminalizing malicious use of computers.

How the ILOVEYOU Virus Caused a Computer Pandemic

The ILOVEYOU virus arrives on the victim's computer via Outlook software. At the time, Outlook was the common means of sending and receiving emails.

The email's subject simply contains "ILOVEYOU", while the email's body contains these few words: "kindly check the attached LOVELETTER coming from me". The email contains an attachment named "LOVE-LETTER-FOR-YOU.TXT". "I figured out that many people want a boyfriend, they want each other, they want love, so I called it that," de Guzman said.

Once an email receiver clicks on the attached document, the virus makes copies of itself to the Windows System directory and to the Windows directory. It also adds itself to the registry for it to be executed when the system is restarted.

It also replaces the Internet Explorer home page with a link that downloads the program called "WIN-BUGSFIX.exe". This downloaded file is also added to the registry for this program to be executed once the system is restarted.

The downloaded file from the web is a password-stealing malicious software (malware) that calls the WNetEnumCashedPasswords function and sends stolen RAS passwords and all cached Windows passwords to this email address: mailme@super.net.ph.

This virus spreads to other victims' computers via Outlook. The same email that arrives on the original victim's computer is mass emailed to everyone in the victim's Outlook address book. This virus spreads also via mIRC whenever another person joins an IRC channel where the infected user currently is logged in.

Other than stealing passwords and spreading itself, this virus performs the most destruction function: overwriting files. This virus looks for particular file types from all folders in all local and remote drives and overwrites them.

Similar to modern-day ransomware – malware that prevents victims' from accessing their computers or files, the ILOVEYOU virus denies victims access to their files. Unlike ransomware, where in some cases, the decryption keys given by attackers after ransom payment work in unlocking in locked files, in the ILOVEYOU virus, there's no way to unlock these files.

Many organizations lost a lot of data because of this overwrite function. The mass emailing function of the virus also overloaded many mail systems around the world.

Will There Be Another Computer Pandemic?

Time will tell if there'll be another computer pandemic.

If there'll be one it would be a bit different from de Guzman's creation. An attacker aiming to use a mass emailing virus via Outlook and other mail client software needs to take an extra step to run malicious attachments as current mail client software programs are more cautious in running script files unlike in the days when the ILOVEYOU virus was unleashed.

To date, the damage caused by the ILOVEYOU virus is unprecedented. The virus successfully played on mankind's need to be loved. In today's environment, where many are connected to the internet, another virus could turn into a computer pandemic, exploiting another of mankind's other needs.

The ILOVEYOU virus has taught the online world one thing: Next time, back up your files. Having a working back up prepares your organization for the next computer pandemic similar to the ILOVEYOU virus that overwrites or destroys victims' files.

There's also a need to protect these backups from attackers. In recent months, ransomware attackers have been known to go after victims' backups.

The group behind the ransomware called "DoppelPaymer" published on their leak site the admin username and password for a non-paying ransomware victim who used the Veeam cloud backup software. The group behind the ransomware called "eCh0raix" also went after QNAP NAS backup devices.

Protect your organization's backup devices by keeping it offline. If there's a need to connect these backup devices online, make sure to use strong authentication methods such as multi-factor authentication and to keep the backup device firmware up to date.

It’s also important to follow the time-tested 3-2-1 rule:

3: Keep 3 copies of any important file: 1 primary and 2 backups.

2: Keep the files on 2 different media types to protect against different types of hazards.

1: Store 1 copy offsite (for example, cloud backup).

Another attack scenario could come from a silent operator. The ILOVEYOU virus and the different shades of ransomware are overtly noticeable attacks. The next big thing or even one that we haven't noticed yet, could be one that silently lurks in millions of computers worldwide.

Security Risks Associated with Exposed RDP

A recent report from McAfee Labs showed that since the official start of the COVID-19 pandemic in March 2020, the number of exposed RDP has increased considerably.

RDP, short for Remote Desktop Protocol (RDP), is a proprietary protocol developed by Microsoft that runs on port 3389 and allows users the ability to connect to another computer over the internet. In the blog post "Cybercriminals Actively Exploiting RDP to Target Remote Organizations", McAfee Labs said that amid the COVID-19 pandemic, organizations wanting to maintain operational continuity very likely allowed employees to access organizations’ networks remotely via RDP with minimal security checks in place, giving cyber attackers the opportunity to access these networks with ease.

According to McAfee Labs, the number of RDP ports exposed to the internet grew from approximately three million in January 2020 to more than four and a half million in March 2020. McAfee Labs derived this number of exposed RDP ports from a simple search on Shodan – a search engine that allows users to find internet-connected computers.

Exposed RDP Risks

RDP often runs on Windows server operating systems. Access to RDP box allows attackers access to an entire network.

RDP ports that are exposed to the internet are valuable to attackers as these ports allow them to enter organizations’ networks and conduct further malicious activities such as spreading malicious software (malware), including ransomware – a type of malware that encrypts computers or files, locking out legitimate users and forcing victims to pay ransom in exchange for decryption keys that will unlock these encrypted computers or files.

Other than spreading ransomware, compromised RDP ports can also be used to spread cryptominer – a type of malware that illicitly consumes the computing power of the compromised computer for the purpose of mining cryptocurrencies such as Bitcoin or Monero.

Exposed RDP ports also allow attackers to conduct malicious activities such as hiding their tracks, for instance, by compiling their tools on the compromised computer. Attackers also used exposed RDP ports in carrying out other malicious activities in the victims’ networks such as theft of personal information, proprietary information or trade secrets.

How Cyberattackers Access Exposed RDP Ports

Below are some of the tactics used by attackers to enter exposed RDP ports:

1. Use of Stolen RDP Credentials

According to McAfee Labs, it observed an increase in both the number of attacks against RDP ports and in the volume of RDP credentials (username and password combinations) sold on underground online markets. In the past, some of these RDP online shops were taken down by law enforcement agencies.

These RDP online shops sell RDP credentials at a very low cost. McAfee Labs earlier reported that the stolen RDP credential of a major international airport was sold in one of these RDP online shops for only US$10.

2. Brute Force Attack

While RDP can be secured via multi-factor authentication, many users fail to use this added security measure. Failure to protect RDP via multi-factor authentication allows attackers to stage brute force attack – a type of attack that guesses the correct password through trial and error.

Password guesses via brute force attacks aren’t so random. According to McAfee Labs, data from a law enforcement agency and RDP online shops taken down by the law enforcement agency showed that weak passwords remain one of the common points of entry.

A number of RDP ports were broken into, McAfee Labs said, using the top 10 passwords. “What is most shocking is the large number of vulnerable RDP systems that did not even have a password,” McAfee Labs said. The following are part of the top 10 passwords used by RDP attackers: 123456, 123, P@sswOrd, 1234, Password1, password, 12345, 1 and test.

3. Exploiting Security Vulnerabilities

In recent months, RDP has also been riddled with security vulnerabilities. In August 2019, Microsoft disclosed the security vulnerability known as “BlueKeep”. This security vulnerability, officially designated as CVE-2019-0708 allows an unauthenticated attacker to connect to the target system using RDP and send specially crafted requests.

Microsoft warned that BlueKeep is “wormable”, which means that it can replicate and propagate by itself to create a large-scale outbreak similar to Conficker and WannaCry. Conficker has been estimated to have impacted 10 to 12-million computer systems worldwide, while WannaCry’s damage to computer systems in just one global enterprise was estimated at $300 million.

Two other security vulnerabilities in RDP were disclosed by Microsoft in recent months: CVE-2020-0609 and CVE-2020-0610. Similar to BlueKeep, CVE-2020-0609 and CVE-2020-0610 allow an unauthenticated attacker to connect to the target system using RDP and send specially crafted requests.

According to Dustin Childs of Zero Day Initiative, while not as widespread as systems affected by Bluekeep, CVE-2020-0609 and CVE-2020-0610 present an attractive target for attackers as these vulnerabilities are wormable – at least between RDP Gateway Servers.

Best Practices in Protecting Exposed RDP Ports

Here are some of the best practices in protecting RDP ports:

• Keep Windows Operating System Up to Date
• Microsoft had issued a corresponding patch for BlueKeep, CVE-2020-0609 and CVE-2020-0610.
• Use Multi-Factor Authentication
• While multi-factor authentication can be bypassed by some attackers, still, the use of this additional level of security blocks the use of stolen RDP credentials and the use of brute force attack as knowledge of the correct username and password combination isn’t enough to authenticate a user.
• Use a firewall
• Use an RDP gateway
• Limit Domain Admin account access
• Limit the number of local admins
• Enable Network Level Authentication (NLA)
• Enable restricted Admin mode

DDoS Attacks Accelerate Amid the COVID-19 Pandemic, Reports Show

Since the start of the global COVID-19 pandemic, reports show that distributed denial of service (DDoS) attacks have accelerated.

A report from NETSCOUT Arbor showed that DDoS attack count and bandwidth have all seen significant increases since the start of the global COVID-19 pandemic. From March 11th to April 11th of 2020, NETSCOUT reported that it observed more than 864,000 DDoS attacks – the single largest number of DDoS attacks that the organization had seen over any other 31-day period to date.

The number of DDoS attacks during the March 11th to April 11th of 2020, NETSCOUT Arbor said surpassed that of the DDoS count during the December 2019 holiday period which peaked at 751,000. From November 11th of 2019 to March 11th of 2020, NETSCOUT Arbor reported that it observed an average of 735,000 DDoS attacks per month.

According to NETSCOUT Arbor, while terabit-class DDoS attacks make the headlines, the most significant DDoS-related metric goes to the sheer amount of bandwidth (bps) and throughput (pps) consumed by DDoS attacks. From March 11th to April 11th of 2020, NETSCOUT Arbor reported that it observed a whopping 1.01 pbps and 208 gpps of aggregate DDoS attack traffic. This aggregate DDoS attack traffic, NETSCOUT Arbor said represents a 14% increase in attack bps and a 31% increase in attack pps.

Imperva’s March 2020 Cyber Threat Index Report, meanwhile, revealed that for the month of March 2020, DDoS attacks on financial, food and beverage industries across multiple countries spiked amid the COVID-19 pandemic. According to Imperva, websites in the food & beverage industry experienced more attacks, with 6% increase in DDoS attacks.

DDoS attacks in the food & beverage industry in Germany, Imperva reported, spiked by 125%. Earlier, on March 19, 2020, Takeaway.com, one of the leading online food delivery marketplace that connects consumers and restaurants in several European countries, including Germany reported that one of its websites was under DDoS. Jitse Groen, Founder and CEO of Takeaway.com revealed via Twitter that the DDoS attacker or attackers demanded 2 bitcoins (valued nearly USD 14,000 at the time of the demand) for the DDoS attack to stop. The attackers also threatened to launch a DDoS attack on the company’s other website.

Imperva added that it also observed an increased volume of DDoS attacks on the financial industry globally, with 3% increase. DDoS attacks in the financial industry in Italy (+44%), UK (+21%) and Spain (+18%) were notably larger, Imperva said.

“With attacks on the rise in the food and beverage and financial services industries, companies need to employ effective security strategies to balance the new load of traffic to their websites and mitigate new risks,” Nadav Avital, head of security research at Imperva, said.

Biggest DDoS Attack Ever Recorded

On February 28, 2020, GitHub – a website that allows software developers to store and manage their software code – was unavailable from 17:21 to 17:26 UTC and intermittently unavailable from 17:26 to 17:30 UTC due to a DDoS attack.

According to GitHub, the DDoS attack originated from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints. The DDoS attack peaked at 1.35Tbps via 126.9 million packets per second, GitHub said.

GitHub added that the DDoS attackers specifically used the memcached-based approach. Cloudflare describes memcached DDoS this way: “A memcached distributed denial-of-service (DDoS) attack is a type of cyber-attack in which an attacker attempts to overload a targeted victim with internet traffic. The attacker spoofs requests to a vulnerable UDP memcached server, which then floods a targeted victim with internet traffic, potentially overwhelming the victim’s resources. While the target’s internet infrastructure is overloaded, new requests cannot be processed and regular traffic is unable to access the internet resource, resulting in denial-of-service.”

DDoS Protection Amid the COVID-19 Pandemic

COVID-19 was declared by the World Health Organization (WHO) as a pandemic on March 11, 2020. Since then, quarantine sites in many parts of the world were ordered, giving the global community a new normal: staying at home. As people are mandated to stay at home, online communication has become a lifeline for many people to work, shop and study online.

With the rise of internet traffic, organizations can mistakenly believe that all traffic comes from legitimate sources. Not all internet traffic, however, come legitimate sources as an increase in internet traffic could be a sign of a DDoS attack.

Signs of a DDoS attack resemble that of a typical legitimate internet traffic, including unusually slow in opening a file or accessing a website; unavailability of a website; or inability to access a website. DDoS campaigns can last from minutes to hours, while others can go on for months and even for years.

It’s important to be able to distinguish between a legitimate traffic from a DDoS attack. At the outset, malicious traffic can be detected and identified via firewall or intrusion detection system. Signs of malicious network traffic include traffic from an unusual geographical location or suspicious IP addresses.

It’s also important to note that DDoS attacks could simply be a simple diversionary tactic used by attackers to hide their main intention of conducting other malicious activities in your organization’s network.

Speak with our experts today to mitigate the DDoS risks. Protect you most valuable assets and keep cybercriminals at bay.

Web Shell Malware Facilitates Cybercriminals' Access to Victims’ Networks, New Report Shows

A recent report from the national security agencies in Australia and the US showed that cybercriminals are increasingly using web shell malware to access victims’ networks.

In a joint advisory, Australia’s national security agency, the Australian Signals Directorate (ASD), and its counterpart in the US, the National Security Agency (NSA) said that cybercriminals have increased the use of web shell malware for computer network exploitation.

"Web shell malware can facilitate cyber attackers' access to a network where they are able to execute arbitrary system commands, enumerate system information, steal data, install additional malicious software or use the infected server to pivot further into the network," the ASD said in a separate statement. The NSA, meanwhile, said in a separate statement, “Malicious cyber actors have increasingly leveraged web shells to gain or maintain access on victim networks.” 

What Is Web Shell Malware?

Web shell malware is a type of malicious software that’s deployed by an attacker on a compromised web server – referring to a software to which web browsers connect to run web applications. A web application, meanwhile, refers to a set of code written to perform certain action or actions on a web server and display the result to a web browser.

An example of a web shell malware is China Chopper, a malware that allows attackers to execute various commands on the server, including dropping other malware. First found in the wild in 2012, this web shell malware uses a simple and short code that can be deployed on the target web server by simply typing it with no file transfer needed. Due to the malware’s simple code and ease of use, security researchers have difficulty in connecting this malware to any particular threat actor or group.

Preventive and Mitigating Measures Against Web Shell Malware?

The national security agencies in Australia and the US recommend the following preventive and mitigating measures against web shell malware:

1. Web Application Update

Web shell malware is often created by making changes to a file in a legitimate web application. Attackers are able to make malicious changes to legitimate web applications due to the failure of the users’ to apply in timely manner patches to known security vulnerabilities in web applications.

According to the national security agencies in Australia and the US, web application updates need to be prioritized as attackers sometimes target vulnerabilities in internet-facing and internal web applications within 24 hours of a patch release.

2. Early Detection Methods

Web shell malware is hard to detect using typical detection methods as malware creators hide their creation using encryption and obfuscation. “Known-Good” comparison and monitoring anomalous network traffic are some of the suggested measures.

In known-good comparison, a verified version of a web application is compared to your organization’s on-hand version of the web application. Discrepancies between the verified version and the on-hand version need to be manually reviewed.

Depending on the attacker, any of the following could be indicators of anomalous network traffic resulting from web shell malware: unusually large responses (an indicator of data exfiltration), recurring off-peak access times typically during non-working hours, and request from unlikely geographical location (an indicator of a foreign threat actor).

3. Harden Web Application Permissions

According to the national security agencies in Australia and the US, web applications shouldn’t have permission to write directly to a web accessible directory or modify web accessible code. The national security agencies said that malicious actors are unable to upload a web shell to a vulnerable web application if the web server blocks access to the web accessible directory.

In February of this year, Microsoft reported that attackers uploaded a web shell in multiple folders on the web server owned by an organization in the public sector. "DART’s [Microsoft’s Detection and Response Team] investigation showed that the attackers uploaded a web shell in multiple folders on the web server, leading to the subsequent compromise of service accounts and domain admin accounts,” Microsoft said. “This allowed the attackers to perform reconnaissance using net.exe, scan for additional target systems using nbtstat.exe, and eventually move laterally using PsExec.”

4. Use Intrusion Prevention

The use of Web Application Firewall (WAF) adds an extra layer of defence for web applications by blocking some known attacks. Attackers, however, have been known to evade this signature-based blocking, as such, this approach should only be part of the whole cybersecurity measures. WAF has also been known to block the initial compromise but is unlikely to detect web shell traffic.

5. Network Segmentation

Network segmentation refers to the practice of dividing a network into sub-networks. This practice ensures that in case a particular sub-network is compromised by attackers, the other sub-networks won’t be affected.

For instance, it’s important to put in place in one sub-network internet-facing servers. The practice of network segmentation blocks web shell propagation by preventing connections to other sub-networks. “While web shells could still affect a targeted server, network segmentation prevents attackers from chaining web shells to reach deeper into an organization’s network,” the national security agencies in Australia and the US said.

6. Harden Web Servers

Securing the configuration of your organization’s web servers can prevent the deployment of web shell malware. As additional measures to harden web servers, the national security agencies in Australia and the US recommend that access to unused ports or services should be blocked, and routine vulnerability scanning should be conducted to identify unknown weaknesses in an environment.

When Patching Isn’t Enough

While patching is one of cybersecurity’s best practices, in some cases, this best practice isn’t enough to protect your organization’s network. Such is the case of patching your organization’s Pulse Secure VPN product.

Pulse Secure VPN Patch

On April 24, 2019, VPN vendor Pulse Secure released software updates, also known as patches, addressing multiple security vulnerabilities, including a patch for the security vulnerability designated as CVE-2019-11510. This security vulnerability allows an unauthenticated remote attacker with network access via HTTPS to send a specially crafted URI to perform an arbitrary file reading vulnerability.

Because of the CVE-2019-11510 vulnerability, an attacker will then be able to view files, such as plain text cache of credentials of past VPN users. Armed with stolen credentials, an attacker can pretend to be a legitimate Pulse Secure VPN user. The following are the affected Pulse Secure VPN versions:

• Pulse Connect Secure 9.0R1 - 9.0R3.3
• Pulse Connect Secure 8.3R1 - 8.3R7
• Pulse Connect Secure 8.2R1 - 8.2R12
• Pulse Connect Secure 8.1R1 - 8.1R15
• Pulse Policy Secure 9.0R1 - 9.0R3.1
• Pulse Policy Secure 5.4R1 - 5.4R7
• Pulse Policy Secure 5.3R1 - 5.3R12
• Pulse Policy Secure 5.2R1 - 5.2R12
• Pulse Policy Secure 5.1R1 - 5.1R15

Following the release of Pulse Secure security updates, Cyber Security Centers in several countries, including Canada, US and Japan have issued alerts calling local organizations to apply in a timely manner the security updates released by Pulse Secure, including the patch for CVE-2019-11510.

Post Pulse Secure VPN Patching Exploitation

The United States’ Cybersecurity and Infrastructure Security Agency (CISA) recently issued a follow-up alert, warning organizations that those that applied the April 24, 2019 Pulse Secure VPN update could still face continued threat actor exploitation post Pulse Secure VPN patching. According to CISA, as the security vulnerability CVE-2019-11510 allows attackers to steal victim organizations’ credentials, failing to change those stolen credentials allows an attacker to move laterally through the organization’s network even after the organization has patched this vulnerability.

CISA reported it observed threat actors used connection proxies, such as Tor infrastructure and virtual private servers (VPSs), to lessen the chance of detection when they connected to victims’ networks via Pulse Secure VPN. The US Cybersecurity Agency found that once inside the victims’ networks, threat actors conducted the following malicious activities:

• Creating persistence via scheduled tasks/remote access trojans
• Amassing files for exfiltration
• Executing ransomware on the victim’s network environment

CISA added that, in one case, it observed a malicious actor attempting to sell the stolen Pulse Secure VPN credentials after 30 unsuccessful attempts to connect to a victim’s network to escalate privileges and drop ransomware. CISA also noted that this same malicious actor successfully dropped ransomware at hospitals and U.S. Government entities.

CISA further reported that malicious actors that leveraged stolen Pulse Secure VPN credentials used tools such as LogMeIn and TeamViewer. LogMeIn is a software that allows users to remotely access another computer. TeamViewer, meanwhile, is an all-in-one solution for remote support, remote access and online meetings. According to CISA, LogMeIn and TeamViewer enable malicious actors to maintain access to the victim’s network environment if they lost their primary connection, that is, via VPN access.

Preventive and Mitigating Measures Against Post Pulse Secure VPN Patching Exploitation

As many organizations encourage employees to work from home as a result of the current COVID-19 crisis, the use of VPN products has been increasing. It’s important to secure this communication line between remote workers and your organization.

Patching, from the word “patch”, is a set of changes to the source code of a software program for the purpose of fixing a known security vulnerability or to improve it.

While patching is still one of the top cybersecurity best practices, this practice alone isn’t enough especially when the exploited security vulnerability involves stolen authentication credentials. According to the US Cybersecurity Agency, organizations that have applied patches for CVE-2019-11510 may still be at risk for exploitation from compromises that occurred pre-patch.

Below are the suggested detection methods by the US Cybersecurity Agency to find out if your organization had been targeted before applying the Pulse Secure VPN patch.

• Turn on unauthenticated log requests.
• Check logs for exploit attempts. To detect exploit attempts, look in the logs for strings such as ../../../data.
• Manually review logs for unauthorized sessions, in particular, sessions originating from unexpected geo-locations.
• Run CISA’s detection tool – a tool that’s available on CISA’s GitHub page. This tool allows system administrators to triage logs (provided authenticated request logging is turned on) and automatically search for CVE-2019-11510 exploitation.

The following are the additional suggested mitigating measures against post Pulse Secure VPN patching exploitation:

• Look for software programs installed without authorization.
• Remove software programs, especially those that allow remote access not approved by your organization.
• Remove any remote access trojans – malicious software that disguised as legitimate software.
• Check scheduled tasks for scripts or executables that could allow an attacker to connect to your organization’s work stations or servers.

“If organizations find evidence of malicious, suspicious, or anomalous activity or files, they should consider reimaging the workstation or server and redeploying back into the environment,” the US Cybersecurity Agency said.

Vulnerable Remote Working Technologies to Watch Out

Mass workforce working remotely has come way too soon as a result of the COVID-19 social distancing restrictions. This sudden shift, however, gives many organizations little time to prepare.

Vulnerable Remote Working Technologies

Below are some vulnerable remote working technologies to watch out as these vulnerabilities could allow cybercriminals to gain a foothold within your organization’s network:

VPN Vulnerabilities

VPN, short for virtual private network, is particularly aimed at remote workers and workers in branch offices to access corporate networks in a secure and private manner.

In 2019, security researchers have found and disclosed several security vulnerabilities in several VPN products. While vendors of these vulnerable VPN products, within a certain period of time, released security updates – also known as patches – fixing these disclosed security vulnerabilities, some users have delayed applying these patches resulting in the active exploitation of the disclosed security vulnerabilities.

Here are examples of VPN security vulnerabilities that have been actively exploited in the wild by cyberattackers:

- CVE-2018-13382: A security vulnerability in Fortinet Fortigate VPN that could allow an unauthenticated user to change the VPN user passwords.

- CVE-2019-1579: A vulnerability in the Palo Alto GlobalProtect VPN that could allow a remote, unauthenticated actor to execute arbitrary code on the VPN server.

- CVE-2019-11510: Multiple security vulnerabilities in the Pulse Connect Secure and Pulse Policy Secure products that could allow a remote, unauthenticated actor to view cached plaintext user passwords and other sensitive information.

- CVE-2019-19781: A security vulnerability in Citrix Gateway virtual private network servers that could allow an attacker to remotely execute code without needing a login.

-VPN 2-Factor Authentication Bypass

Researchers at Fox-IT reported that a threat actor was able to gain VPN access to a victim’s network that was protected by 2-factor authentication (2FA).

“An interesting observation in one of Fox-IT’s incident response cases was that the actor steals a softtoken for RSA SecurID, which is typically generated on a separate device, such as a hardware token or mobile phone,” researchers at Fox-IT said. “In this specific case, however, victims using the software could also use a software-based token to generate 2-factor codes on their laptop. This usage scenario opens up multiple possibilities for an attacker with access to a victim’s laptop to retrieve 2-factor codes used to connect to a VPN server.”

Vulnerable Remote Working Apps

The COVID-19 crisis has turned the video-teleconferencing app a must-have. This technology allows employers and employees in different geographical locations to conduct meetings in real-time by using simultaneous audio and video transmission.

Amidst the COVID-19 crisis, the video-teleconferencing app called “Zoom” has come into the limelight, not just because of the growing number of users but because of the security threats that slowly come to light.

On March 23, 2020, security researcher known only as @_g0dmode on Twitter disclosed a security vulnerability in Zoom’s video-teleconferencing app. "#Zoom chat allows you to post links such as \\x.x.x.x\xyz to attempt to capture Net-NTLM hashes if clicked by other users," @_g0dmode said. Security researcher Matthew Hickey expounded @_g0dmode’s discovery saying that Zoom’s video-teleconferencing app can be used to steal Windows credentials of users.

RDP Vulnerabilities

Vulnerabilities in Remote Desktop Protocol (RDP) – a network communications protocol developed by Microsoft that provides remote access over port 3389 – have recently been disclosed by Microsoft.

-CVE-2019-0708: Dubbed as “Bluekeep”, this vulnerability allows an unauthenticated attacker to connect to the target system using RDP and send specially crafted requests.

- CVE-2020-0609 and CVE-2020-0610: Collectively dubbed as “BlueGate”, this vulnerability similarly allows an unauthenticated attacker to connect to the target system using RDP and sends specially crafted requests.

According to Microsoft, Bluekeep and BlueGate are pre-authentication vulnerabilities and require no user interaction. Microsoft described Bluekeep and BlueGate in the same way: “An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Cybersecurity Best Practices

The above-mentioned security vulnerabilities on their own could allow malicious actors to gain access to your organization’s networks, for instance, through ransomware lockdown. Allowing remote workers to access your organization’s networks creates a much larger attack surface for cybercriminals.

Here are some cybersecurity best practices to keep your organization’s networks and your organization’s remote workers safe online:

Keep All Software Up to Date

All the above-mentioned security vulnerabilities have available patches. Apply these patches in a timely manner to keep your organization’s networks and remote workers safe online.

Be Mindful of How Your Organization’s Data Is Handled

In early April of this year, researchers at the University of Toronto reported that Zoom – a Silicon Valley-based company that owns 3 companies in China through which nearly 700 employees are paid to develop the app – used an encryption method that isn’t recommended as “patterns present in the plaintext are preserved during encryption”. The researchers also found that some of Zoom’s video-teleconferencing traffic was being routed through China even though all participants of the video-teleconference were in North America.

Zoom, for its part, said in a statement that the routing of some of Zoom’s video-teleconferencing traffic was a mistake and apologized for the said incident.

Stay safe!

7 Pillars of Cloud Data Governance

Cloud computing is fast becoming the norm. Even before COVID-19 forced countless businesses to switch to a remote structure and allow employees to work from home via cloud-based software, more than 70 percent of Canadian companies had migrated to the cloud.

While cloud computing offers a wealth of benefits (scalability, vast storage, task automation, remote accessibility, etc.), data security is a key risk organizations must consider.

This is where cloud data governance comes in.

What is Data Governance?

Data governance helps businesses to take tighter control of information related to its own operations, customers, finances, and strategies. Poor management can leave data in the wrong hands and allow unauthorized users to take advantage of weaknesses, such as gaining access to your accounts, supplying competitors with corporate secrets, and exploiting customers.

Effective data governance lets companies leverage information to make smarter decisions, understand target audiences, identify potential security vulnerabilities, and measure overall performance. Gathering data and analyzing it properly can help businesses manage their finances, supply chains, and production processes effectively over time.

Establishing a proper data governance framework encourages teams to treat data responsibly and follow processes that prevent breaches. Data will be created, stored, and deleted according to strict guidelines. This ensures organizations comply with regulations (such as GDPR) and minimize oversights that could cause severe reputational damage.

Without data governance, companies may lose track of which data has been gathered, where it is stored, which steps are required for compliance, and more.

In short: with so much critical data now stored and analyzed in the cloud, data governance is essential for security and efficiency.

7 Pillars of Cloud Data Governance

When putting a cloud data governance framework in place, organizations must consider the following factors as fundamental pillars:

1. Define your goals and motivations

First and foremost: identify those concerns and goals motivating your business to implement a data governance strategy.

This can vary from one company to another. Security may be a core concern prompting your organization to take cloud data governance seriously, particularly with more than 28 million Canadians affected by a data breach within just 12 months.

Hackers continue to leverage increasingly sophisticated techniques to gain unauthorized access to systems, and businesses’ cybersecurity defenses must be reinforced to mitigate dangers. If security is a main driver, companies should explore how they’re at risk and the ways in which data governance reduces them.

Whatever the main drivers, they have to be clarified and discussed to justify the level of investment channeled into effective data governance. This establishes fixed goals that can drive quality decision-making from the start.

2. Establish clear roles within your team

Accountability is vital in building a cloud data governance framework. Certain individuals should be responsible for specific data assets (such as customer records) and have the knowledge to make decisions concerning utilization.

These ‘data owners’ should be chosen carefully based on their familiarity with the entities and their purpose, such as the team/person most likely to recognize an issue with the relevant data.

Data owners must be able to understand a data asset’s function and value within the business. They need the authority to greenlight actions, such as cleansing or improving the application of relevant data.

3. Bring key stakeholders up to date

Internal and external stakeholders should be aware of the current and planned status of data governance. Implementing a framework must be a well-planned, well-informed process, in which all key personnel understand why, how, and when changes are taking place.

All stakeholder needs must be considered when putting cloud data governance into effect. This includes shareholders, third-party vendors, business partners, and customers — improper collection, storage, and utilization of data in the cloud can have profound effects on them all.

4. Determine critical data elements

Critical data elements (CDEs) are classified as data which is essential for success in one or more areas of business. CDEs might contain personal information that must be protected to ensure compliance with privacy laws, such as that relating to a customer, supplier, or a product’s manufacturing process.

If any of these were to be compromised, business operations and quality could be put at risk. As a result, critical data elements should be determined when setting a cloud data governance framework in place, to keep them secure and managed properly to make the most of the information available.

5. Choose the most valuable metrics for performance tracking

Certain metrics can be utilized to measure the performance and value of data governance over time.

These may include cost reduction, data accuracy, the number of times data has to be updated to address issues, timeliness of data, and more. Monitor your chosen metrics consistently to identify potential improvement opportunities.

6. Pick your tools and technologies wisely

The right tools help to make effective data governance easier. They cultivate stronger decision-making, data management, and data quality, while automating smaller tasks for more time-efficient processes.

Popular data governance tools include Talend, Collibra, IBM, and IO-TAHOE. Choose your tools and technologies carefully to make sure they align with your business goals, processes, expectations, and budget. Again: don’t rush into a decision. Good data governance is too valuable to underestimate.

7. Keep your team educated and updated

It’s crucial that all employees and stakeholders stay updated on the value of effective cloud data governance. Regular training should be delivered in accessible programs, covering procedures, policies, data owners, technologies, and crisis responses.

This reduces the risk of mistakes or oversights caused by educational blind spots. When you first start building your data governance framework, try to identify the current level of awareness and put training programs which align with this in place.

Cloud data governance is fundamental for any company switching to cloud-based technologies. Cybersecurity and compliance are two of the most important elements to consider when putting a framework in place: errors in either can lead to serious problems with the potential to disrupt operations significantly.

To discuss our data governance, third-party risk management, compliance, and vulnerability management services, just get in touch today!