Combating the Most Common Cyber Security Risks
Hard as it may be to believe, government agencies have been found to have some of the worst cyber-security systems in the United States.
Agencies at the federal, state, and local levels were all ranked below other industries (retail, transportation, etc.) in a study on U.S. cyber-security. Even NASA, considered one of the most technologically innovative institutions in the country (if not the world), was flagged for its high vulnerability.
The U.S. Department of State was another weak performer, struggling to protect its systems from outside threats with an unsuitable set-up.
The point? If one of the most powerful governments in the world is failing to keep sensitive data out of criminals’ hands, they are risking the security of countless people on a daily basis. They cannot afford to be so lax.
The same is true of your own business, albeit on a smaller scale: allowing your enterprise to be vulnerable in today’s world is dangerous for your employees and clients alike.
What cyber threats are you most susceptible to, and how can you protect against them?
Malware
What is it?
We’ve all heard of malware, but do we know what it actually is?
The term covers various kinds of dangerous software that can cause all manner of chaos on your computer, whether delivered as a virus or as ransomware (in which you are ordered to pay in order to regain access to your system).
The malware can actually take over your computer, monitor your activities without your awareness, or even transfer critical information to another user with the utmost discretion.
How can you prevent it?
Make sure you use unique passwords and educate your employees to do the same. Only share sensitive data on a site which is clearly secure, with ‘https’ in its URL.
You should never download any files sent by a sender you don’t trust or recognize, and make sure data is backed up to disconnected hardware on a regular basis. This enables you to restore vital information in the event of a malware attack, without needing to pay or sacrificing critical data.
Phishing
What is it?
You know to never open an attachment in an email from an unknown sender, or to be wary of telltale bad grammar. These are sure signs of a phishing scam, but some cyber-criminals are more advanced.
They may pose as someone else – such as a friend, a bank etc. – and encourage you to follow a link or open an attachment. The email may look legitimate but will contain harmful malware that could pose a serious risk to your entire business.
How can you prevent it?
The most obvious technique: be sure before you click. If there is anything remotely suspicious or odd about the email, don’t follow a link or open an attachment.
If an email from a bank or other trusted organization asks for confidential information, contact them through another channel to confirm this (though they will generally never ask for sensitive data through email anyway).
Anti-phishing toolbars can be installed on your browser, which will notify you if you enter a known phishing website. Use desktop and network firewalls to protect your system from any malicious programs, and pay attention when your browser informs you that a site is ‘not secure’ (lacking the ‘https’ in its URL bar).
SQL Injection Attack
What is it?
SQL (Structured Query Language) is the language used to communicate with databases, and countless servers use it to manage critical data. An SQL injection is an attack aimed at these types of servers: malicious input is smuggled into a query so that the database returns data which would otherwise remain private.
If the server under attack carries access information (usernames, passwords), financial details (credit cards etc.), or any other highly-sensitive data, the criminal responsible will be able to access some or all of it.
How can you prevent it?
All sensitive data contained within a database should be encrypted. Passwords, financial records, and anything else which could leave your business vulnerable must be protected.
Also, don’t store such sensitive information if you don’t need it currently, and are unlikely to in the future. Leaving data that carries real value to linger in your databases could lead to problems – all of which can be avoided simply by wiping useless information.
Implement a web application firewall (WAF), which will automatically block and prevent SQL injection attacks.
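The following is an added example, not code from the original article: it shows the injection described above against a constructed SQLite table, with the vulnerable string-concatenated query beside a parameterized one. It goes slightly beyond the article's advice by demonstrating parameterized queries, the application-level fix that complements a WAF; the table, rows and function names are all made up for the demonstration.

```python
import sqlite3


def build_db():
    """Create a constructed in-memory customer table (sample data, not from any real system)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (username, email) VALUES (?, ?)",
        [
            ("alice", "alice@example.com"),
            ("bob", "bob@example.com"),
            ("carol", "carol@example.com"),
        ],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Deliberately vulnerable: the visitor's input is pasted straight into the SQL text,
    so a value containing a quote character becomes part of the query itself."""
    query = "SELECT username, email FROM customers WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """Hardened: the value travels separately from the SQL text as a bound parameter,
    so whatever the visitor types is compared literally and can never become syntax."""
    query = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


if __name__ == "__main__":
    conn = build_db()
    benign = "alice"
    hostile = "x' OR '1'='1"  # constructed input that closes the quote and adds a tautology
    print("vulnerable, benign input:   ", lookup_vulnerable(conn, benign))
    print("vulnerable, hostile input:  ", lookup_vulnerable(conn, hostile))     # every row leaks
    print("parameterized, hostile input:", lookup_parameterized(conn, hostile))  # nothing matches
```

The hostile input turns the vulnerable query into `WHERE username = 'x' OR '1'='1'`, which is true for every row, while the parameterized version simply searches for a customer literally named `x' OR '1'='1` and finds none.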
Cross-Site Scripting (XSS)
What is it?
During an XSS attack, the cyber-criminal injects malicious code right into your website with an aim to go after your visitors through their browser.
These attacks can cause severe damage to your reputation, as your site would be responsible for endangering visitors’ sensitive data.
This is worsened if they are customers purchasing from you or providing their personal details. As a result, you might not even realize your site is infected until customers start tracing suspicious activity back to their activities on your domain.
How can you prevent it?
While a web application firewall will block XSS attacks, you need to pay attention to the way in which your site accepts input data, to minimize the malicious code that passes through. This might mean having a number of filters in place, such as a web application firewall, which reduces the risk of an XSS attack significantly.
Another step, though somewhat more complex, is to use an alternative rendering format to raw HTML, to reject entries that might be malicious. Markdown or BBCode are alternatives to raw HTML that may help to protect against XSS attacks.
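The following is an added example, not code from the original article: it renders a constructed visitor comment three ways, as raw HTML (the vulnerable case), as HTML-escaped text, and through a tiny BBCode-style renderer of the kind the paragraph above suggests, which escapes first and then allows only a fixed vocabulary of formatting tags. The comment text, the two-tag vocabulary and the function names are assumptions made for the demonstration.

```python
import html
import re

# Constructed sample comment: legitimate BBCode formatting plus an injected script tag.
SAMPLE_COMMENT = "Great product! [b]Five stars[/b] <script>alert(1)</script>"

# The only BBCode tags we accept, and the HTML each one becomes.
_BBCODE_TAGS = {"b": "strong", "i": "em"}
_TAG_RE = re.compile(r"\[(/?)(b|i)\]")


def render_raw_html(comment):
    """Deliberately vulnerable: untrusted text is dropped into the page as-is,
    so any <script> the visitor typed runs in every other visitor's browser."""
    return "<p>" + comment + "</p>"


def render_escaped(comment):
    """Hardened: every character HTML cares about (& < > " ') becomes an entity,
    so the browser shows the text and never interprets it as markup."""
    return "<p>" + html.escape(comment, quote=True) + "</p>"


def render_bbcode(comment):
    """Escape first, then translate a small fixed BBCode vocabulary into tags we choose.
    The browser only ever sees tags emitted by this function, never tags the visitor supplied.
    Opening tags are tracked on a stack so the output is always balanced."""
    safe = html.escape(comment, quote=True)
    out, stack, pos = [], [], 0
    for m in _TAG_RE.finditer(safe):
        out.append(safe[pos:m.start()])
        closing, name = m.group(1) == "/", m.group(2)
        if not closing:
            stack.append(name)
            out.append("<%s>" % _BBCODE_TAGS[name])
        elif stack and stack[-1] == name:
            stack.pop()
            out.append("</%s>" % _BBCODE_TAGS[name])
        else:
            out.append(m.group(0))  # stray closing tag: keep it as literal text
        pos = m.end()
    out.append(safe[pos:])
    while stack:  # close anything the visitor left open
        out.append("</%s>" % _BBCODE_TAGS[stack.pop()])
    return "<p>" + "".join(out) + "</p>"


def contains_script_tag(rendered):
    """Simple check used to compare the three renderings: does a live <script> tag survive?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    for name, fn in (("raw", render_raw_html), ("escaped", render_escaped), ("bbcode", render_bbcode)):
        out = fn(SAMPLE_COMMENT)
        print("%-8s script survives=%s  %s" % (name, contains_script_tag(out), out))
```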
Cyber-security threats are constantly evolving, as criminals continue to find weaknesses in security protocols and exploit them. By keeping your security systems up to date and staying abreast of the latest risks, you can maximize your business’s resistance to threats.
Never be complacent about your business’s cyber-security precautions: you should always be willing to explore new systems and processes for the good of your entire enterprise.
When you have questions concerning cybersecurity threats, get in touch with our team and we will be happy to help.
All You Need to Know about the Annabelle Ransomware Virus
Ransomware is a major security risk for individuals, businesses, organizations, and governments today.
As more and more sensitive data is stored online, cyber-criminals continue to find ways to profit from its destruction or leaking. The Annabelle virus is a recent example of how creative and damaging ransomware can be, though it ultimately poses less risk to victims than other, more severe viruses.
What is the Annabelle Ransomware Virus?
The Annabelle virus incorporates the titular character from the recent horror movies, based around a possessed doll first introduced in The Conjuring. The virus is designed to create maximum chaos in computers, by:
All of this is bad enough and can leave your system a sitting duck. However, the Annabelle ransomware virus also replaces the target computer’s master boot record with a strange loader demanding payment in exchange for the infection’s removal.
Your computer can become infected by the Annabelle virus through malicious ads, tainted downloads, fraudulent updates, and emails. It basically employs the same tactics other viruses have used for years.
How Does the Annabelle Ransomware Virus Work?
Once the Annabelle virus has infiltrated your Windows computer, it configures itself to run when you next boot it up. The infection shuts down Task Manager, Process Hacker, Chrome, Process Explorer, Notepad, Internet Explorer, Msconfig, and other programs you might depend on every day.
Your security defenses will be deactivated too, leaving you without Windows Defender and other systems you need.
The virus creates chaos in your system, spreading through autorun.inf files. However, this is ineffective against more recent versions of Windows, as they lack the autoplay feature.
The Annabelle ransomware virus will then begin to launch its encryption phase with a static key. It encrypts all of your media, documents, and databases, adding a new extension – ‘.annabelle’.
Once all of the pieces are in place, the ransomware virus reboots your computer. You will find it now locked, with a picture of the grotesque Annabelle accompanied by a ransom note.
“How can I get my personal key? Well, you need to pay for it. You need to visit one of the special sites below & and then you need to enter your personal ID (you find it on the top) & buy it. Actually it costs exactly 0.1 Bitcoins”
What the culprits lack in good writing, they make up for in technique. The lock screen credits a creator referred to as iCoreX0812, and provides a means to reach them via Discord (a freeware VoIP app). 0.1 Bitcoin is worth just under $1000 at the time of writing, and paying the ransom would supposedly eliminate the virus from your computer.
Still, as it turns out, victims have no need to actually pay said price to decrypt their system.
Can You Remove the Annabelle Ransomware Virus?
The creator behind the Annabelle virus used a hard-coded key to develop it. As a result, it employs an identical key to infect every single computer, which enabled the resourceful Michael Gillespie to find a solution.
Gillespie is a malware security researcher and creator of ID Ransomware. He devised a special decryption tool able to restore files and remove the Annabelle virus with minimal hassle. He released this free of charge, demonstrating an altogether more positive, generous attitude than the person (or persons) behind the ransomware.
The Annabelle virus was made using Stupid Ransomware, and Gillespie updated his Stupid Decryptor tool as a solution.
Given the use of a static key, it’s believed that the creator of the ransomware was more interested in showing off their skills and causing chaos on victims’ systems rather than actually gaining any financial reward.
It’s unbelievable that someone would inflict such frustration and potential damage upon strangers just for their own amusement, but it seems to be the case. The effects of having an encrypted device could be incredibly costly and distressing, for individuals and businesses alike.
Cyber-criminals can utilize ransomware to disrupt governments or businesses, potentially costing them significant amounts of money out of maliciousness. Businesses lose more than $2K for each case of ransomware (on average), though the price of liberation can be much higher.
However, even if there was no solution for the Annabelle ransomware virus, you’re always recommended to refuse payment. Though it’s understandable that you would want to take the quickest option and take the culprit at their word, the people behind the attacks typically leave the encryption in place once they have their money, leaving victims to suffer the effects and seek their own fix.
The Annabelle virus differs from other ransomware families like Russenger and Cypher in that it used a static key. Others tend to employ algorithms that create unique decryption keys, essentially meaning that only the original developers can fix the issue.
For computers infected with a virus that cannot be decrypted, the only way to correct the problem is to restore a backup. This may still result in loss of data, which can be hugely problematic for businesses and organizations especially, but lets you start afresh.
Creating regular backups to preserve your data can help you minimize damage caused by potential ransomware, but you need to keep these on remote servers or external storage (which remain unplugged from the system itself, to avoid infection).
You can reduce your risk of falling prey to ransomware by being more careful online. Suspicious emails from questionable sources should be deleted straight away and never interacted with. Only download programs and applications from official sites, and make sure you keep your security updated for the most cutting-edge precautions.
The Annabelle ransomware virus is, thankfully, a lesser danger – but it serves as a powerful reminder to up your security game.
Dangers of Cyberattacks as a Result of Source Code Leak
This past week, someone posted the source code of iOS, Apple’s iPhone operating system, on GitHub, a hosting service for source code repositories.
There was confusion at first as to whether the code was real or not. Apple indirectly confirmed that the code was real by filing a DMCA legal notice demanding that GitHub remove the source code. A DMCA notice, named after the Digital Millennium Copyright Act, is a takedown request available to owners of copyrighted material who believe their rights under U.S. copyright law have been infringed.
The iPhone source code published on GitHub, called “iBoot”, Apple said, “is responsible for ensuring trusted boot operation of Apple's iOS software.” The company added, “The ‘iBoot’ source code is proprietary and it includes Apple's copyright notice. It is not open-source.”
Jonathan Levin, the author of a series of books on iOS and Mac OSX internals, told Lorenzo Franceschi-Bicchierai of Motherboard that the iBoot source code publication is the “biggest leak” in Apple's history.
Source code is the collection of computer instructions that a programmer writes when developing a software program. Software can be either open source or non-open source.
With open source code, anyone can inspect or modify the code. With non-open source code, the source code is hidden from the public and, as such, only the software maker can make changes to it.
Non-Open Source Code Leak
Apple and Microsoft are examples of companies that keep their products’ source code hidden from the public.
While most companies don’t allow outsiders to view and make modifications on their source code, they allow security researchers, also known as ethical hackers, to review their software, find security vulnerabilities and report this directly to the company to receive monetary reward, also called bounty.
Apple, through its bounty program, pays a maximum of $200,000 to someone who directly reports bugs or security vulnerabilities to the company.
Despite the takedown of the iPhone source code on GitHub, the source code has already made its way to dark web sites.
Access to non-open source code like iBoot gives hackers a better chance of finding security vulnerabilities that could lead to cyberattacks.
EternalBlue Source Code Leak
On April 15, 2017, a hacker group calling itself the “Shadow Brokers” leaked the source code of a number of hacking tools believed to be developed by the U.S. National Security Agency (NSA).
The source code of EternalBlue is one of those leaked by the hacker group. EternalBlue could allow remote code execution if a cyberattacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.
The EternalBlue source code leak spawned devastating cyberattacks, the most notable of which was the WannaCry cyberattack. In May 2016, hundreds of thousands of computers around the world were infected with WannaCry, a malware that encrypts computer files, prevents users from accessing files and asks for ransom payment in the form of Bitcoin for the release of the decryption key to unlock the affected computer.
Adylkuzz is another malware that uses the EternalBlue source code. The purpose of the Adylkuzz malware is to mine the cryptocurrency Monero. Similar to the cryptocurrency Bitcoin, Monero coins need to be mined, a process by which transactions are verified and added to the public ledger, known as the blockchain, and through which new coins are released.
While cryptocurrency mining of Bitcoin can only be done on powerful computers, mining Monero can be done on regular computers and even on smartphones.
The Adylkuzz malware installs the Monero cryptocurrency miner called “cpuminer” on infected computers. Once cpuminer is installed on a compromised computer, Monero mining is conducted without the knowledge of the user. The mining operation, however, exhausts the computer’s CPU, resulting in slow performance.
Open Source Code Leak
With open source code, anyone can inspect or modify the code. Open source code is also known as collaborative code. There are benefits in allowing other programmers to inspect and modify source code. It’s a known fact that no software has a perfect source code. Allowing programmers to inspect and modify source code can enhance and improve the code in the long run.
Linux is an example of an open source software. It’s an operating system similar to Windows and iOS. The difference between Linux and other operating systems is that it’s open source. The Linux source code is free and available to the public to view and, for users with the necessary skills, to contribute to the enhancement of the code.
While the publication of an open source code, on one hand, can be beneficial to society similar to the positive contribution of Linux, publication of an open source code with malicious intent can be detrimental to society.
Mirai Source Code Leak
The publication of the Mirai source code is an example of how a publication of a malicious open source code can be detrimental to society.
On September 30, 2016, a HackForum user by the name of “Anna-senpai” posted the source code of the malicious software called “Mirai”. Mirai was responsible for the distributed denial of service (DDoS) attack on the website of cybersecurity journalist Brian Krebs on September 20, 2016.
On December 13, 2017, Paras Jha pleaded guilty to creating Mirai and to conducting a series of DDoS attacks on the networks of Rutgers University from November 2014 to September 2016, which resulted in shutting down Rutgers University’s central authentication server, a gateway portal through which students, staff and faculty deliver assignments and assessments.
According to the U.S. Department of Justice, hundreds of thousands of IoT devices such as wireless cameras and routers were infected with the Mirai malware and were used "to conduct a number of powerful distributed denial-of-service, or ‘DDOS’ attacks, which occur when multiple computers, acting in unison, flood the Internet connection of a targeted computer or computers".
According to Imperva Incapsula, Mirai-infected IoT devices were spotted in 164 countries, appearing even in remote locations like Montenegro, Tajikistan and Somalia.
The publication of the Mirai code spawned other DDoS attacks, the most notable of which was the attack on Dyn, a domain name service (DNS) provider which many websites rely upon. The DDoS attacks against Dyn resulted in temporarily shutting down popular websites like Amazon, Twitter, Netflix and even GitHub.
Dyn, in a statement, said, “We are able to confirm that a significant volume of attack traffic originated from Mirai-based botnets.” The company said that 100,000 IoT devices were infected with the Mirai malware to attack its DNS infrastructure.
In December 2017, the source code of the malware called “Satori”, a variant or new version of Mirai, was leaked on Pastebin. This Mirai variant particularly infects Huawei home router model HG532.
While the original Mirai malware infects IoT devices by using default usernames and passwords, Satori doesn’t need usernames and passwords. Security researchers at Qihoo 360 Netlab said, “The bot [Satori] itself now does NOT rely on loader/scanner mechanism to perform remote planting, instead, bot itself performs the scan activity. This worm-like behavior is quite significant.”
Security researchers at NewSky Security said that with the release of the full working code of the Mirai variant Satori, “we expect its usage in more cases by script kiddies and copy-paste botnet masters.”
Cybersecurity Best Practices
Here are some security best practices to protect your organization’s computers from the dangers of cyberattacks as a result of source code leak:
1. Use Supported Software
Supported software refers to software for which security updates are regularly issued by the software vendor.
Many fell victim to WannaCry for using Windows operating systems that Microsoft, the software vendor, no longer supports, that is, no longer issues security updates for.
A patch, also known as security update, is a piece of software code added to an existing source code that fixes security vulnerabilities.
WannaCry could have been prevented by simple patching or installing of the security update issued by Microsoft on March 14, 2017 – a month before the hacker group leaked the EternalBlue source code. Microsoft’s March 14, 2017 security update patches or fixes the security vulnerability exploited by EternalBlue. This security update was issued to supported Windows operating systems.
3. Use Latest Software Version
Leaked source code is typically the source code of an older software version. Software vendors normally fix security vulnerabilities found in older software versions in the latest software version.
It is interesting to note that Windows 10 proved to be resilient against the Petya ransomware attack unleashed more than a month after the WannaCry attack. Similar to WannaCry, Petya exploited the security vulnerabilities targeted by EternalBlue and EternalRomance, two hacking tools believed to be developed by the NSA and leaked by the hacker group Shadow Brokers.
4. Practice Network Segmentation
There are instances when security updates can’t be installed right away. One way to prevent or minimize the effects of a cyberattack is network segmentation, the process of dividing a computer network into subnetworks. With network segmentation, a cyberattack on one subnetwork won’t affect the other subnetworks.
5. Have the Right DDoS Protection
Cybercriminals today don’t necessarily create their own attack tools. Some simply copy leaked source code. This is the case of DDoS-for-hire groups, a bunch of cybercriminals that offer DDoS service for a fee. There are available tools that effectively counter these DDoS attacks. Connect with us today and protect your business.
New Variant of SamSam Ransomware Targets Health Sector
Since the beginning of 2018, several organizations in the health sector have publicly acknowledged that they’ve been hit by the new variant of the ransomware called “SamSam”.
Cloud-based electronic health records (EHR) provider Allscripts, Hancock Health Hospital in Greenfield, Indiana, and Adams Memorial Hospital in Decatur, Indiana, acknowledged that they’ve been targeted by the new variant of SamSam ransomware.
Only Hancock Health Hospital admitted that it paid ransom money to the SamSam attackers. The hospital paid the attackers 4 Bitcoins (approximately $55,000 at the time).
“The hospital’s leadership, upon consideration of many factors, made the determination to pay the ransom of four bitcoin demanded by the attackers, in order to retrieve the private encryption keys,” Hancock Health CEO Steve Long said in a statement. “We were in a very precarious situation at the time of the attack. With the ice and snow storm at hand, coupled with the one of the worst flu seasons in memory, we wanted to recover our systems in the quickest way possible and avoid extending the burden toward other hospitals of diverting patients. Restoring from backup was considered, though we made the deliberate decision to pay the ransom to expedite our return to full operations.”
What is SamSam Ransomware?
SamSam, also known as Samas or Samsa, is a malicious software (malware) that’s categorized as a ransomware. Like other ransomware it encrypts files, locks out users from using their computers and from accessing files, and demands ransom payment in the form of Bitcoin to unlock the encrypted files.
Below is a sample of the ransom note of the new SamSam variant prominently displayed on the infected computer.
The original version of SamSam ransomware uses JexBoss, a tool that scours the internet for unpatched servers running Red Hat’s JBoss enterprise products. Once attackers gain entry via an unpatched server, they then use other open-source tools to collect information on networked computers. These tools also take advantage of widely used, weak and reused passwords.
Once a computer is infected with SamSam ransomware, this malware proceeds to encrypt files and then demand a ransom. Once the server is infected by SamSam, all the other computers connected to the server are infected as well by the ransomware.
The first SamSam ransomware attack was observed on March 2, 2016. On March 31, 2016, the United States Department of Homeland Security (DHS), in collaboration with the Canadian Cyber Incident Response Centre (CCIRC), issued a joint security alert warning about the dangers of ransomware, including SamSam or Samas.
"In early 2016, destructive ransomware variants such as … Samas were observed infecting computers belonging to individuals and businesses, which included healthcare facilities and hospitals worldwide,” said DHS and CCIRC.
According to Symantec, what sets the original SamSam ransomware apart from other ransomware is the way this malware reaches its intended targets: via unpatched server-side software.
“The big takeaway here is the growing trend that criminals are directly targeting organizations in ransomware attacks,” Symantec said. “The success of these recent attacks signals a shift for cybercriminals as they seek to maximize profits by setting their sights on vulnerable businesses.”
Attackers using the older version of SamSam ransomware initially demanded a payment of 1 Bitcoin for each PC that had been infected. The ransom demand later went up to 1.5 Bitcoin and 1.7 Bitcoin. According to security researchers at Cisco, as of March 23, 2016, SamSam victims had paid nearly 275 Bitcoins (approximately $115,000, as one Bitcoin at the time cost $418).
Cisco researchers said that one Bitcoin wallet used by attackers to receive ransom payment for the new SamSam ransomware variant started receiving payments since December 25, 2018 and received 26 Bitcoins, valued nearly $300,000 as of January 19, 2018.
According to Cisco, there’s a possibility that compromised Remote Desktop Protocol (RDP) servers have played a role in allowing the attackers of the new SamSam variant to obtain an initial foothold.
“The point of entry of the attack was a hospital server on which the Remote Desktop Protocol (RDP) service was enabled and accessible via the Internet,” Hancock Health Hospital said in a statement. “Forensic analysis determined that an administrative account set up by a vendor of the hospital was compromised and used to gain unauthorized access to a specific system managed by that vendor.”
“Given SamSam's victimology, its impacts are not just felt within the business world, they are also impacting people, especially if we consider the Healthcare sector,” Cisco researchers said. “Non-urgent surgeries can always be rescheduled but if we take as an example patients where the medical history and former medical treatment are crucial the impact may be more severe.”
Ransomware results in the following negative consequences:
Ransom payment only guarantees that the attackers get their money; it doesn’t guarantee that the encrypted files will be unlocked. File decryption also doesn’t guarantee the removal of malware infection.
How to Prevent SamSam Ransomware Attacks
1. Backup and Have a Recovery Plan
Perform and test regular data backup and employ a recovery plan that expedites the recovery process.
2. Update All Software
Keep all software up-to-date with the latest security updates or patches. Attackers are always on the lookout for vulnerable computers, especially those with unpatched software. If your organization is using JBoss enterprise products, check to see if these are running unpatched versions and if so, patch them immediately.
3. Network Segmentation
In the event that a security update isn’t possible, network segmentation is a good way to stop a cyberattack or limit the impact of a successful cyberattack on the rest of the organization's information systems.
4. Restrict Users’ Ability to Install Software
Limit the ability of users to install and run unwanted software applications. Restricting users in this way may prevent malware installation or limit its capability to spread through the network.
Huawei IoT Exploit Code Meant for DDoS Attack Released to the Public
Another malware code that’s meant to cause distributed denial-of-service (DDoS) has recently been made public on the Pastebin website.
The publication of the code of a DDoS threat can’t be taken lightly. Whenever new cyberexploits become publicly available, cybercriminals are quick to add these to their attack arsenal.
When the Mirai malware code, another DDoS threat, was made public, it unleashed unprecedented DDoS attacks.
The newly published malware code is a Mirai variant and particularly targets the vulnerability in Huawei home router model HG532. According to security researchers at NewSky Security, the newly published malware has already been used in cyberattacks, including the Satori DDoS attack.
With the release of the full working code of this Mirai variant, security researchers at NewSky Security said that “we expect its usage in more cases by script kiddies and copy-paste botnet masters.”
Considering that Huawei retains a significant share of the router market, exploitation of these IoT devices can have a significant effect. According to IDC, Huawei's total router market share increased from 18.9% in the 2nd quarter of 2016 to 25.2% in the 2nd quarter of 2017.
What is Satori?
Satori is an updated variant of the Mirai malware. It particularly exploits the vulnerability in Huawei home router model HG532. The vulnerability allows remote code execution, enabling attackers to access and make changes to Huawei home routers found in different parts of the world.
Unlike the Mirai malware which relies on default usernames and passwords to infect IoT devices, Satori doesn’t need usernames and passwords. Security researchers at Qihoo 360 Netlab said, “The bot [Satori] itself now does NOT rely on loader/scanner mechanism to perform remote planting, instead, bot itself performs the scan activity. This worm like behavior is quite significant.”
According to the security researchers at Qihoo 360 Netlab, in December 2017, the Satori malware was able to infect over 280,000 Huawei routers in just 12 hours.
In November 2017, security researchers at Check Point reported that hundreds of thousands of Satori exploits have already been found in the wild. Check Point discreetly informed Huawei about the security vulnerability and soon thereafter the company issued a security update.
“An authenticated attacker could send malicious packets to port 37215 to launch attacks,” Huawei said in acknowledging the Satori exploit. “Successful exploit could lead to the remote execution of arbitrary code.”
What is Mirai?
Satori’s code is based on Mirai malware code. In late September 2016, the hacker simply known as “Anna-senpai” made public the Mirai code.
The original Mirai used the internet to search for IoT devices (including wireless cameras and routers) with weak security, particularly those with default usernames and passwords, took control of these devices, and used them to attack targets such as other computers and websites. According to Anna-senpai, 380,000 IoT devices were infected with the Mirai malware to stage a DDoS attack against the Krebs on Security website.
Barely a month after the Mirai was published online, the DDoS attacks against Dyn happened. Dyn is a domain name service (DNS) provider which many websites rely upon. The DDoS attacks against Dyn resulted in temporarily shutting down popular websites like Amazon, Twitter and Netflix.
“We are able to confirm that a significant volume of attack traffic originated from Mirai-based botnets,” Dyn said in a statement. According to the company, 100,000 IoT devices were infected with the Mirai malware to attack its infrastructure.
In early December last year, three men, Paras Jha, Josiah White and Dalton Norman, pleaded guilty to creating and operating the Mirai malware in violation of the US Computer Fraud and Abuse Act.
“In the summer and fall of 2016, White, Jha, and Norman created a powerful botnet – a collection of computers infected with malicious software and controlled as a group without the knowledge or permission of the computers’ owners,” the US Department of Justice said in a statement.
The US Department of Justice added, “The defendants used the botnet to conduct a number of powerful distributed denial-of-service, or ‘DDOS’ attacks, which occur when multiple computers, acting in unison, flood the Internet connection of a targeted computer or computers.”
Jha, in particular, also pleaded guilty to conducting a series of DDoS attacks against the networks of Rutgers University between November 2014 and September 2016. According to the Department of Justice, the DDoS attacks on Rutgers temporarily shut down the university’s central authentication server, which maintained the gateway portal through which students, faculty and staff deliver assignments and assessments.
According to the US Department of Justice, White, Jha and Norman’s involvement with the original Mirai ended in the fall of 2016, when Jha publicly released the source code of Mirai. The Justice Department said, “Since then, other criminal actors have used Mirai variants in a variety of other attacks.”
US Acting Assistant Attorney General Cronan said that the Mirai is a powerful reminder that “as we continue on a path of a more interconnected world, we must guard against the threats posed by cybercriminals that can quickly weaponize technological developments to cause vast and varied types of harm.”
Since the release of the Mirai code, there has also been a noticeable increase in DDoS-for-hire: services run by cybercriminals that let paying customers anonymously attack any internet-connected target.
Imperva Incapsula reported that in the third quarter of 2017 the majority (90.2%) of network layer DDoS attacks were under 10 Mpps and were predominantly the result of DDoS-for-hire activity.
DDoS attacks are costly. They can make your organization’s website slow or inaccessible. They can disrupt business activities, prevent customers from accessing online accounts and bring about significant costs in remedying the DDoS effects.
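Both behaviours described above leave a recognisable trace in ordinary connection logs: a Mirai-style source opens telnet sessions to many different hosts while trying default credentials, and a Satori-style source talks to TCP port 37215, the port named in Huawei’s advisory. The script below is an added example and not code from the article, Qihoo 360 Netlab, Check Point or Huawei. It reads a constructed, space-separated connection log, flags any source that opens telnet connections to many distinct hosts, and flags every connection to port 37215, marking those that originate inside the local network, since an infected device probing its neighbours is exactly the “worm like behavior” Netlab describes. The log format, the RFC 1918 definition of “local” and the five-target sweep threshold are assumptions of this example.

```python
"""Flag Mirai-style telnet sweeps and Satori-style port 37215 activity in
connection logs.

Added example, not code from the article, Qihoo 360 Netlab, Check Point
or Huawei. The log format ("<timestamp> <src> <dst> <dst_port>"), the
RFC 1918 definition of "local" and the five-target sweep threshold are
assumptions of this example; the sample log below is constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

TELNET_PORTS = {23, 2323}   # ports Mirai brute-forces with default credentials
HUAWEI_PORT = 37215         # port named in Huawei's advisory for the Satori exploit
SWEEP_THRESHOLD = 5         # distinct telnet targets before a source counts as a scanner (assumed)
LOCAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
              ip_network("192.168.0.0/16")]

# Constructed sample log: one connection per line, "<timestamp> <src> <dst> <dst_port>".
SAMPLE_LOG = """\
2017-12-05T10:00:01 203.0.113.7 192.168.1.10 23
2017-12-05T10:00:01 203.0.113.7 192.168.1.11 23
2017-12-05T10:00:02 203.0.113.7 192.168.1.12 2323
2017-12-05T10:00:02 203.0.113.7 192.168.1.13 23
2017-12-05T10:00:03 203.0.113.7 192.168.1.14 23
2017-12-05T10:00:03 203.0.113.7 192.168.1.15 23
2017-12-05T10:01:10 192.168.1.5 192.168.1.10 22
2017-12-05T10:01:11 192.168.1.5 192.168.1.11 23
2017-12-05T10:02:00 198.51.100.9 192.168.1.20 37215
2017-12-05T10:02:30 192.168.1.20 192.168.1.21 37215
2017-12-05T10:02:31 192.168.1.20 192.168.1.22 37215
"""


def is_local(ip):
    """True if the address falls inside one of the RFC 1918 ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def parse_log(text):
    """Turn the constructed log format into a list of connection records."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, src, dst, port = parts
        events.append({"ts": ts, "src": src, "dst": dst, "port": int(port)})
    return events


def find_telnet_sweeps(events, threshold=SWEEP_THRESHOLD):
    """Sources that opened telnet connections to at least `threshold` distinct hosts."""
    targets = defaultdict(set)
    for e in events:
        if e["port"] in TELNET_PORTS:
            targets[e["src"]].add(e["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


def find_port_37215_probes(events):
    """Every connection to port 37215; `lateral` marks a source inside the local network."""
    return [{"src": e["src"], "dst": e["dst"], "lateral": is_local(e["src"])}
            for e in events if e["port"] == HUAWEI_PORT]


def analyse(text):
    """Run both heuristics over a log and return the findings."""
    events = parse_log(text)
    return {"telnet_sweeps": find_telnet_sweeps(events),
            "port_37215_probes": find_port_37215_probes(events)}


if __name__ == "__main__":
    findings = analyse(SAMPLE_LOG)
    for src, dsts in findings["telnet_sweeps"].items():
        print(f"telnet sweep from {src}: {len(dsts)} targets")
    for p in findings["port_37215_probes"]:
        kind = "lateral (infected device scanning?)" if p["lateral"] else "external"
        print(f"port 37215 from {p['src']} to {p['dst']}: {kind}")
```

On the sample log the external host 203.0.113.7 is reported as a telnet sweep, the administrator at 192.168.1.5 is not, and the two connections from 192.168.1.20 to its neighbours on 37215, right after an external probe of that host, are flagged as lateral, which is the pattern to investigate first.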
Huawei recommends the following measures to circumvent or prevent your Huawei routers from being infected by Satori malware:
Contact us at The Driz Group if you want more information on how to protect your business from DDoS attacks in under an hour, with no hardware to buy, and no resources or ongoing maintenance.
Top 5 Cybersecurity Predictions in 2018
It’s the end of the year, the time when we look back at the events that had the greatest impact on the cybersecurity world and predict what the new year will bring.
Here are the top 5 cybersecurity predictions for 2018:
1. Cryptocurrency Mining
The growth of cryptocurrency this year has been unprecedented, with a total market value of close to 500 billion US dollars as of December 24, 2017. While Bitcoin remains the dominant cryptocurrency, others have soared as well. Monero, for instance, had a market cap of $5.1 billion as of December 24, 2017, with one coin valued at close to $335.
“Mining” is the process by which transactions on coins like Bitcoin and Monero are verified and new coins are released. In the past, Bitcoin could be mined on ordinary computers; today it can only be mined profitably with specialized, high-powered hardware, which leaves Bitcoin mining to large operations. Other cryptocurrencies can still be mined on ordinary computers. Monero, in particular, can be mined on ordinary CPUs and even on smartphones.
The people who mine cryptocurrencies, called “miners”, are rewarded with a share of the coins for the computing power they contribute. Unscrupulous individuals who want the mining income without paying for the hardware and electricity, meanwhile, scour the internet for vulnerable computers and smartphones on which to install malicious software (malware) that mines a cryptocurrency such as Monero.
The Adylkuzz mining malware, released into the wild in May 2017, infects Windows computers that lack Microsoft’s March 14, 2017 security update (MS17-010). Other mining code that proliferated this year includes Coinhive, Digmine and Loapi. Coinhive is a browser-based miner planted on compromised websites, Digmine spreads via Facebook Messenger, and Loapi is delivered through online advertising campaigns.
Cryptocurrency mining malware consumes most of the computing power of servers, desktops, laptops and smartphones, which slows them down noticeably. The Loapi malware, in particular, works a phone so hard that it can overheat and physically damage an Android device.
“Although attacks that attempt to embed crypto-mining malware are currently unsophisticated, we expect to see an increase in the sophistication of attacks as word gets out that this is a lucrative enterprise,” Imperva Incapsula said in the article "Top Five Trends IT Security Pros Need to Think About Going into 2018”. “We also expect these attacks to target higher-traffic websites, since the potential to profit increases greatly with higher numbers of concurrent site visitors.”
2. Business Disruption
In 2017, the world saw the devastation brought about by ransomware and distributed denial-of-service (DDoS) attacks.
Ransomware is a type of malware that locks the user out of the infected computer, typically by encrypting its files, until a ransom is paid. Two notable 2017 outbreaks, WannaCry and NotPetya, were not ransomware in the usual sense: their code was written in such a way that even the attackers themselves had no reliable way to unlock the infected computers. Whether this was intentional or not, only the attackers know, but in this sense the two are better described as “wipers”, malware meant to cause business disruption.
“The WannaCry and NotPetya ransomware outbreaks foreshadow a trend of ransomware being applied in new ways, in pursuit of new objectives, becoming less about traditional ransomware extortion and more about outright system sabotage, disruption, and damage,” researchers at McAfee said.
Mirai and its variants also caused widespread business disruption. In October 2016 the original Mirai botnet, built from close to 100,000 infected IoT devices turned into bots, launched the DDoS attack that brought down Dyn’s managed DNS platform, in effect temporarily taking down some 80 widely used websites, among them Amazon, Twitter, Tumblr, Reddit, Spotify and Netflix, and Mirai-based botnets continued to be used for DDoS attacks throughout 2017.
According to Imperva Incapsula, attackers in the upcoming year will probably adopt new business disruption techniques. Examples of these disruptive techniques include modifying computer configuration to cause software errors, system restarts, causing software crashes, disruption of corporate email or other infrastructure and shutting down an internal network (point-of-sale systems, web app to a database, communication between endpoints, etc.).
3. Breach by Insiders
The 2017 Cost of Data Breach Study (PDF), conducted by Ponemon and commissioned by IBM, found that 47% of data breaches were caused by malicious or criminal attacks (by insiders or outsiders), 25% by negligent employees or contractors (the human factor) and 28% by system glitches.
According to Imperva Incapsula, illegal cryptocurrency mining operations in corporate servers are on the rise, set up by insiders or “employees with high-level network privileges and the technical skills needed to turn their company’s computing infrastructure into a currency mint.”
4. Artificial Intelligence (AI) as a Double-Edged Sword
In 2018, AI is expected to be used by cybercriminals as a means to speed up the process of finding security vulnerabilities in commercial products like operating systems and other widely used software. On the other hand, AI is expected to be used by cyberdefenders to improve cybersecurity.
“Unfortunately, machines will work for anyone, fueling an arms race in machine-supported actions from defenders and attackers,” researchers at McAfee said. “Human-machine teaming has tremendous potential to swing the advantage back to the defenders, and our job during the next few years is to make that happen. To do that, we will have to protect machine detection and correction models from disruption, while continuing to advance our defensive capabilities faster than our adversaries can ramp up their attacks.”
5. GDPR Enforcement
In 2018, one thing is certain: the General Data Protection Regulation (GDPR) will be enforced from May 25, 2018.
GDPR is a European Union (EU) law that has an “extra-territorial” reach. Businesses that process personal data or monitor the online behavior of EU residents are still covered under this law even if they aren’t based in any of EU countries. Salient features of the law include consent requirement, right to be forgotten, transparency requirement, cybersecurity measures and data breach notification.
“In the corporate world, McAfee predicts that the May 2018 implementation of the European Union’s General Data Protection Regulation (GDPR) could play an important role in setting ground rules on the handling of both consumer data and user-generated content in the years to come,” researchers at McAfee said.
Happy 2018, and Stay Safe!
Here is how to instantly spot a phishing email
Almost daily you receive fake emails asking for personal information such as your user ID and password. Cyber criminals use clever tricks to make you click malicious links so they can steal that information. These phishing emails are disguised to look as if they came from your bank, your email provider, a government agency or even your employer. Cyber crime gangs prey on our own cybersecurity illiteracy and laziness.
DDoS Threat Landscape in 3rd Quarter of 2017
They're getting more powerful and persistent. This is how Imperva Incapsula described the global distributed denial-of-service (DDoS) threat landscape in the 3rd quarter of 2017.
In its Global DDoS Threat Landscape Q3 2017 report, Imperva Incapsula defines a DDoS attack as a “persistent, distributed denial of service event” against a particular IP address or domain. It counts an event as a single attack when it lasts at least 60 minutes, is preceded by an attack-free period and is followed by another attack-free period of the same duration or longer.
“In a distributed denial-of-service (DDoS) attack, an attacker may use your computer to attack another computer,” is how the United States Computer Emergency Readiness Team (US-CERT) defines a DDoS attack. “By taking advantage of security vulnerabilities or weaknesses, an attacker could take control of your computer. He or she could then force your computer to send huge amounts of data to a website or send spam to particular email addresses. The attack is ‘distributed’ because the attacker is using multiple computers, including yours, to launch the denial-of-service attack.”
Imperva Incapsula identifies two types of DDoS attacks: network layer attack and application layer attack.
A network layer attack is a DDoS attack that saturates the network by consuming most of the available bandwidth. Attacks of this type are measured in gigabits per second (Gbps), the bandwidth consumed, and in million packets per second (Mpps), the rate at which packets have to be processed by routers, firewalls and mitigation equipment.
An application layer attack, meanwhile, is a DDoS attack that aims to bring down a server by exhausting its processing resources, CPU or RAM, with a high number of requests. Attacks of this type are measured in requests per second (RPS), the number of processing tasks initiated per second.
Network Layer DDoS Attacks
In terms of network layer attacks, 90.2% were under 10 Mpps, 4.8% between 10-50 Mpps, 2.1% between 50-100 Mpps and 2.9% above 100 Mpps. The largest network layer attack recorded last quarter reached 299 Gbps.
According to Imperva Incapsula, attacks under 10 Mpps were mostly the result of DDoS-for-hire activities.
On average, each network layer attack target suffered 17.7 attacks in the span of the quarter, while the most repeatedly attacked victim encountered 714 attacks in the span of the quarter.
Top Attacked Industries
The Imperva Incapsula report showed that online gambling is the number one industry targeted by network layer DDoS attackers (34.5%), followed by gaming (14.4%), internet services (10.8%), financials (10.1%), retail (5.8%), IT and software (5.8%), media and publishing (5.8%), cryptocurrency or bitcoin platforms (3.6%), transportation (2.2%) and telecom (1.4%).
The following reasons were put forward why over a third of the network layer DDoS attacks were targeted on gambling sites and related services:
The report also found that 3 out of 4 of bitcoin sites were attacked in the last quarter. The relatively high number of DDoS attacks on cryptocurrency exchanges and services observed in the 3rd quarter of 2017 was attributed to the recent staggering spike in the price of bitcoin, which more than doubled in the period of the quarter.
Top Attacked Countries
Hong Kong was the most targeted country, with 31% of global network layer DDoS attacks, followed by the US (19%), Germany (12.8%), the Philippines (7.6%), China (7.2%), Taiwan (7.1%), Singapore (4.4%), Malaysia (3.9%), Japan (0.8%) and Canada (0.8%).
Almost a third of the network layer DDoS attacks last quarter went to Hong Kong as a result of a large-scale campaign against a Hong Kong-based hosting service provider. Taiwan and the Philippines also made it to the top 10 list as a result of large campaigns targeting gambling websites in these countries.
Application Layer DDoS Attacks
In terms of application layer DDoS attacks, on average, each victim suffered 17.7 attacks in the span of the quarter, while the most repeatedly attacked victim encountered 714 attacks in the span of the quarter.
The US ranked as the most targeted country in terms of application layer DDoS attack (53.3%), followed by Netherlands (8.8%), Singapore (6.3%), Belgium (5%), Italy (4.4%), Germany (3.9%), Russia (3.1%), Japan (3.1%), Hong Kong (1.8%) and Australia (1.5%).
Imperva Incapsula’s Q3 2017 report shows that attackers use botnets, groups of malware-infected devices, increasingly IoT devices, to carry out DDoS attacks. These devices are remotely controlled by the attackers, and their owners have no idea they are being used in DDoS attacks.
In terms of attack requests, 16.9% came from China, 7.6% from Vietnam, 7.2% from Turkey, 5.7% from the US and 4% from India. Meanwhile, in terms of the number of attacking devices, 42.5% came from China, 11.1% from the US, 5.4% from Vietnam, 2.9% from India and 2.2% from Turkey.
DDoS Mitigating Measures
The main distinction between a network layer DDoS attack and an application layer DDoS attack is the resource they target. A network layer attack tries to clog the network by consuming the available bandwidth or the packet-processing capacity of the devices on it, while an application layer attack tries to drain server resources such as CPU and memory.
Because the two types target different resources and are executed differently, mitigating each of them requires a substantially different set of security methods.
It’s also important to take into consideration the difference between Gbps and Mpps for mitigation purposes.
Gbps is defined as the measure of the total load placed on a network, also known as throughput, while Mpps is defined as a measure of the rate at which packets are delivered, also known as forwarding rate.
For instance, if your organization’s DDoS mitigation solution can handle 100 Gbps but only process packets at 20 Mpps, a 50 Gbps attack made up of small packets arriving at 40 Mpps will still bring down your network: it is the packet rate, not the bandwidth, that gets exceeded.
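The check is easy to get wrong because vendors quote the bandwidth figure and attackers choose the packet size. The script below, an added example and not code from the article or from Imperva Incapsula, evaluates a mitigation capacity against an attack on both axes, works out the average packet size an attack implies, and finds the packet size below which a given mitigation hits its packet-rate limit before its bandwidth limit. The 100 Gbps / 20 Mpps capacity and the 50 Gbps / 40 Mpps attack are the figures from the paragraph above; packet size is taken as the full frame with no preamble or inter-frame gap, an assumption made to keep the arithmetic transparent.

```python
"""Check a DDoS mitigation capacity against an attack on both axes.

Added example, not code from the article or from Imperva Incapsula.
The figures from the paragraph above (100 Gbps / 20 Mpps capacity,
50 Gbps / 40 Mpps attack) are the sample input. Packet size is taken as
the full frame with no preamble or inter-frame gap (assumption).
"""
BITS_PER_BYTE = 8


def mpps_from_gbps(gbps, avg_packet_bytes):
    """Packet rate (Mpps) implied by a bandwidth (Gbps) and an average packet size."""
    return gbps * 1e9 / (avg_packet_bytes * BITS_PER_BYTE) / 1e6


def implied_packet_size(gbps, mpps):
    """Average packet size (bytes) implied by a bandwidth and a packet rate."""
    return gbps * 1e9 / (mpps * 1e6 * BITS_PER_BYTE)


def crossover_packet_size(capacity_gbps, capacity_mpps):
    """Packet size below which the pps limit is reached before the bps limit.

    Any flood whose average packet is smaller than this exhausts the
    mitigation's forwarding rate while its bandwidth figure still looks fine.
    """
    return implied_packet_size(capacity_gbps, capacity_mpps)


def mitigation_holds(capacity_gbps, capacity_mpps, attack_gbps, attack_mpps):
    """Return (holds, limiting_factor).

    holds is True only if the attack stays within BOTH the bandwidth and the
    packet-rate capacity; limiting_factor names what was exceeded.
    """
    over_bw = attack_gbps > capacity_gbps
    over_pps = attack_mpps > capacity_mpps
    if over_bw and over_pps:
        return False, "bandwidth and packet rate"
    if over_bw:
        return False, "bandwidth"
    if over_pps:
        return False, "packet rate"
    return True, None


if __name__ == "__main__":
    capacity = (100, 20)  # 100 Gbps, 20 Mpps, as in the text
    print("50 Gbps @ 40 Mpps:", mitigation_holds(*capacity, 50, 40))
    print("average packet in that attack:", implied_packet_size(50, 40), "bytes")
    print("crossover packet size:", crossover_packet_size(*capacity), "bytes")
    # A 64-byte flood needs only 12 Gbps to overrun the 20 Mpps limit.
    print("12 Gbps of 64-byte packets:", mpps_from_gbps(12, 64), "Mpps")
```

For the capacity in the text the crossover is 625 bytes: any flood averaging less than that, which covers SYN floods and most amplification-free UDP floods, is a packet-rate problem, and a mere 12 Gbps of 64-byte packets already exceeds 20 Mpps. Ask a mitigation provider for both numbers, and size against the packet rate.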
Adding guaranteed DDoS mitigation to your application or network does not have to be complicated, and does not require an upfront investment. Connect with us today to better understand all available options and secure your web applications and networks.
Bitcoin Popularity Gives Rise to Cryptocurrency-Themed Malware
Amidst the surge of Bitcoin’s popularity, other cryptocurrencies have also risen along with it.
As of December 4, 2017, Bitcoin is worth nearly $11,000, and other cryptocurrencies have risen with it: Monero, for example, is now worth $201 a coin. Bitcoin was introduced in 2009 and Monero in 2014.
Contrary to popular perception, Bitcoin transactions aren’t anonymous: every Bitcoin transaction is a public record on the blockchain and can be traced. Monero, meanwhile, markets itself as a private cryptocurrency, using techniques that hide the sender, the receiver and the amount so that a coin’s full transaction history can’t be reconstructed from the blockchain.
Both Bitcoin and Monero are cryptocurrencies that need to be mined. Cryptocurrency mining is defined as the process by which transactions are verified. It’s also a means by which a cryptocurrency or digital coin is released. For their effort and use of hardware, miners are given a small share of the cryptocurrency.
In the past, anyone with a PC could mine Bitcoin. Nowadays, only those with enormous computing power can mine it. Monero, on the other hand, can be mined by just about anybody using ordinary desktops, laptops and even smartphones.
Candid Wuest, security researcher at Symantec, told the BBC that malicious software (malware) connected with cryptocurrency had increased “tenfold”. “There’s been a huge spike,” said Wuest, adding that this surge had been caused by the rapid rise in Bitcoin’s value.
Malwarebytes' security researcher Jerome Segura, meanwhile, told the BBC that Malwarebytes blocked nearly 250 million attempts to place cryptocurrency malware on to PCs.
Adylkuzz Cryptocurrency Malware
Adylkuzz is a malware that installs the code used to mine the cryptocurrency Monero without the knowledge and consent of the computer owner.
Adylkuzz installs the Monero mining code on a computer by exploiting a Windows vulnerability through the “EternalBlue” exploit, the same vulnerability the WannaCry ransomware exploited. Unlike WannaCry, which self-propagates to infect other machines, Adylkuzz has no self-propagation capability.
The Monero mining that Adylkuzz sets up runs in the background, and users of compromised computers are unlikely to notice the unauthorized activity.
Cryptojacking refers to the covert installation of crypto mining code, in this case on a website, without the knowledge or consent of the site owner or of the site’s visitors.
Once the Coinhive script is embedded in a website, the CPU of every visitor mines for as long as the page is open. Coinhive ties the mining income to a site key, a unique ID that identifies the account to be paid. The more computers that mine for a key, the more Monero the attackers earn, and Monero can easily be exchanged for Bitcoin on a number of trading exchanges, some of which allow anonymous trading.
There’s nothing wrong with utilizing cryptocurrency mining instead of the traditional advertising in websites. What’s unacceptable is when cryptocurrency mining code is installed without the authorization of the site owner as well as without the authorization of site visitors.
Early this month, one security researcher found Coinhive mining code on 2,496 online stores. The installations are presumed to be malicious, since store owners would gain very little extra income from mining their customers’ CPUs.
The researcher found that 85% of the 2,496 compromised stores were linked to just two Coinhive accounts, while the remaining 15% were linked to a number of different accounts.
In September of this year, Showtime websites – showtime.com and showtimeanytime.com – were found to be running Coinhive mining code. Following public exposure, the code has since been removed.
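Both the Showtime case and the survey of compromised stores come down to the same check: does the page source load the Coinhive miner, and which site key is it paid to? The script below is an added example, not code from the article or from the researcher it cites. It looks for the Coinhive loader script and the CoinHive.Anonymous(‘<site key>’) call that names the paid account, then groups pages by site key, which is how a finding like “85% linked to two accounts” is arrived at. The page contents, URLs and site keys are constructed, and the character pattern used to recognise a site key is an assumption.

```python
"""Detect Coinhive mining embeds in page HTML and cluster them by site key.

Added example; it is not code from the article or from the researcher
who surveyed the 2,496 stores. Sample pages, URLs and site keys are
constructed. The site-key character pattern is an assumption.
"""
import re
from collections import defaultdict

# Coinhive's browser miner was loaded from coinhive.com/lib/coinhive.min.js and
# started with CoinHive.Anonymous('<site key>'); the key names the account that
# receives the mined Monero.
LOADER_RE = re.compile(
    r"""<script[^>]*\bsrc\s*=\s*["']?(?:https?:)?//(?:www\.)?coinhive\.com/lib/coinhive\.min\.js""",
    re.IGNORECASE,
)
SITEKEY_RE = re.compile(
    r"""CoinHive\.(?:Anonymous|User)\s*\(\s*["']([A-Za-z0-9_\-]{16,})["']"""
)

# Constructed sample: URL -> page source. Two stores share one key, one has another.
SAMPLE_PAGES = {
    "https://store-one.example/": """
        <html><head><title>Store One</title>
        <script src="https://coinhive.com/lib/coinhive.min.js"></script>
        <script>var miner = new CoinHive.Anonymous('KEYONEKEYONEKEYONEKEYONE'); miner.start();</script>
        </head><body>...</body></html>""",
    "https://store-two.example/": """
        <html><head>
        <script src='//coinhive.com/lib/coinhive.min.js'></script>
        <script>
          var m = new CoinHive.Anonymous("KEYONEKEYONEKEYONEKEYONE", {throttle: 0.3});
          m.start();
        </script></head><body></body></html>""",
    "https://store-three.example/": """
        <html><head>
        <script type="text/javascript" src="https://coinhive.com/lib/coinhive.min.js"></script>
        <script>new CoinHive.Anonymous('KEYTWOKEYTWOKEYTWOKEYTWO').start();</script>
        </head></html>""",
    "https://clean-store.example/": """
        <html><head><script src="https://cdn.example/jquery.min.js"></script></head>
        <body><p>No miner here.</p></body></html>""",
}


def find_coinhive(html):
    """Return (loader_present, [site keys]) for one page's HTML."""
    loader = LOADER_RE.search(html) is not None
    keys = sorted(set(SITEKEY_RE.findall(html)))
    return loader, keys


def cluster_by_site_key(pages):
    """Map each site key to the sorted list of URLs that mine for it."""
    clusters = defaultdict(list)
    for url, html in pages.items():
        _, keys = find_coinhive(html)
        for key in keys:
            clusters[key].append(url)
    return {key: sorted(urls) for key, urls in clusters.items()}


def summarise(pages, top_n=2):
    """Count infected pages and the share of them credited to the top_n keys."""
    clusters = cluster_by_site_key(pages)
    infected = {url for urls in clusters.values() for url in urls}
    by_size = sorted(clusters.values(), key=len, reverse=True)
    top_urls = {url for urls in by_size[:top_n] for url in urls}
    share = len(top_urls) / len(infected) if infected else 0.0
    return {"infected": len(infected), "site_keys": len(clusters), "top_key_share": share}


if __name__ == "__main__":
    for key, urls in cluster_by_site_key(SAMPLE_PAGES).items():
        print(key, "->", ", ".join(urls))
    print(summarise(SAMPLE_PAGES, top_n=1))
```

A miner loaded from a copied or renamed script would slip past the loader pattern, so the site-key pattern is the more robust of the two; in practice both are run, and a page that matches only one is still worth a look.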
Malwarebytes’ Segura, meanwhile, discovered a technique that lets attackers keep using a visitor’s CPU for mining even after the visitor closes the browser window.
Malwarebytes tested the technique on the latest version of Google Chrome and observed the following:
The attacker fools the user into believing the browser is closed. The page opens a small pop-under window positioned beneath the taskbar’s clock, where it stays out of sight but keeps mining. Resizing the taskbar reveals the still-running window. Below is the screencap of the hidden browser.
“Nearly two months since Coinhive’s inception, browser-based cryptomining remains highly popular, but for all the wrong reasons,” Malwarebytes said. “Forced mining (no opt-in) is a bad practice, and any tricks like the one detailed in this blog are only going to erode any confidence some might have had in mining as an ad replacement.”
Coinhive, in a statement, said, “We're a bit saddened to see that some of our customers integrate Coinhive into their pages without disclosing to their users what's going on, let alone asking for their permission.”
How to Prevent Cryptocurrency Mining Attacks
Cryptocurrency mining is fine on computers built specifically for the purpose. Mining on desktops, laptops or smartphones on top of everyday usage, however, has negative effects.
Mining involves sustained, intensive computation that ordinary devices aren’t built for. On smartphones it quickly drains the battery, and on any device used for ordinary work it reduces speed and responsiveness, raises power consumption and can even damage the hardware.
Here are some tips on how to prevent cryptocurrency mining attacks:
Keep your Windows operating system up to date. In particular, make sure the March 14, 2017 security update (MS17-010) is installed, since Microsoft has already patched the vulnerability that Adylkuzz exploits.
To make sure a browser is really closed after you click the “x” button, open Task Manager and end any browser processes that are still running; otherwise a hidden pop-under window can keep mining.
6 Top Things to Do in Preparation for the GDPR Implementation
May 25, 2018 is the date the General Data Protection Regulation (GDPR) becomes enforceable.
The GDPR is a European Union (EU) law that sets out the obligations of organizations to protect the personal data of EU residents. It also sets out harsh penalties for failure to comply.
Even if your organization isn’t based in any of the EU states, the GDPR will still affect it, because the law has extra-territorial scope.
This means that even if your organization is based, for instance, in Canada, this European law still applies if your organization processes the personal data of EU residents. If your organization offers goods or services to EU residents (regardless of whether payment is made) or monitors their behavior, it is covered under the GDPR. And even if your organization is small, employing fewer than 250 people, it’s still covered.
The personal data referred to by the law refers to any information that can be used to identify a person either directly or indirectly, including name, email address, photo, medical information, bank details, posts on social networking websites and computer IP address.
Here are the 6 top things to do in order to prepare your organization for the upcoming implementation of GDPR:
1. Make Consent Process User-Friendly
Under the GDPR, your organization will no longer be allowed to use long terms and conditions written in legalese to obtain consent for processing personal data.
Under the law, a request for consent must be presented in plain language, and the purpose of the processing must be stated just as clearly. There must also be an easy way for customers to withdraw their consent. Where online services are offered to children below the age of digital consent (16 by default, which member states may lower to no less than 13), parental consent must be obtained.
2. Delete Data that No Longer Serves Original Purpose
Under the GDPR, the right to erasure, also known as the right to be forgotten, is enshrined. Article 17 of the EU law provides that data should be deleted when the data no longer serves the original purpose of processing and when the data subject withdraws his or her consent. The law, however, provides that the right to be forgotten must be weighed against "the public interest in the availability of the data".
3. Implement Data Protection as Precautionary Measure, Not as an Afterthought
The GDPR requires “data protection by design and by default”, often called privacy by design: a concept now written into law that requires organizations to build data protection in as a preventive measure rather than bolt it on as an afterthought or a reactive measure.
The law specifically requires organizations processing personal data to implement appropriate technical and organizational measures in order to protect personal data that it processes.
Organizations, under the law, are required to hold and process only the personal data that’s necessary for the completion of its functions. The law also requires organizations to limit the access to personal data only to those who are necessary for carrying out the data processing task.
4. Be Transparent to Affected Individuals
Part of the expanded rights of EU residents under the GDPR is the right to obtain confirmation from organizations as to whether or not their data is being processed, for what purpose and where. Organizations are also required under the law to provide free digital copy of the personal data being processed to the affected individuals.
5. Determine if Your Organization Needs to Appoint a Data Protection Officer (DPO)
Appointing a Data Protection Officer (DPO) is mandatory under the GDPR only if your organization is a public authority, engages in large-scale systematic monitoring of individuals, or processes sensitive personal data on a large scale. If none of these apply, there’s no obligation to appoint a DPO.
6. Be Transparent About Data Breach
Under the GDPR, data breaches can no longer be concealed. Notification is mandatory where a breach is likely to “result in a risk for the rights and freedoms of individuals”. The supervisory authority must be notified within 72 hours of the organization first becoming aware of the breach. Affected individuals must be notified “without undue delay” where the breach is likely to result in a high risk to them.
Penalties for Non-Compliance
Several factors are taken into consideration in calculating the fine under GDPR. These factors include:
The maximum fine for a breach of the law is 4% of annual global turnover or €20 million, whichever is higher. This tier applies to violations of the core provisions of the GDPR: the basic principles for processing, including the conditions for valid consent; the rights of data subjects, such as the right of access and the right to erasure; and unlawful transfers of personal data outside the EU.
The lower tier of 2% of annual global turnover or €10 million, whichever is higher, applies to breaches of the controller’s and processor’s own obligations, such as failing to implement data protection by design and by default, failing to keep records of processing, failing to appoint a Data Protection Officer where one is required, and failing to report a data breach.
"Rapid technological developments and globalisation have brought new challenges for the protection of personal data,” the law states. “The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organisations, while ensuring a high level of the protection of personal data.”
Steve E. Driz