Thought leadership, threat analysis, news and alerts.
Why Single Factor Authentication Isn’t Enough to Protect Your Organization’s Network
Many of today’s cyberattacks have been successful, not because of advanced technology but because of one often ignored fact: the use of single factor authentication.
What Is Single Factor Authentication?
Single factor authentication is a cybersecurity measure that relies on a username and password pair alone. While single factor authentication is commonly used for email, it is also common as a perceived defensive measure for protecting endpoints – devices such as desktops and laptops that connect to a computer network and communicate back and forth with network resources.
RDP Brute-Force Attacks
Single factor authentication has, surprisingly, been used as a defensive measure for protecting RDP, short for Remote Desktop Protocol. RDP, a proprietary protocol developed by Microsoft, provides users with a graphical interface to connect to another computer over a network connection. In brute-forcing RDP, a malicious actor attempts to sign in with an administrator account by guessing the correct username and password combination through trial and error. Once the correct combination is guessed, the malicious actor gains access to the target computer and can conduct further malicious activities such as stealing data, dropping ransomware or using the compromised computer for cryptocurrency mining.
In the blog post "Data science for cybersecurity: A probabilistic time series model for detecting RDP inbound brute force attacks" published in December 2019, Microsoft Defender ATP Research Team reported that out of nearly 45,000 computers that had both RDP public IP connections and at least one network failed sign-in, the team found that, on average, several hundred computers per day had high probability of experiencing one or more RDP brute force attack attempts.
API Credential Stuffing Attacks
Threat actors also exploit the use of single factor authentication to gain access to victims’ IT infrastructure, such as cloud servers, through credential stuffing attacks. In a credential stuffing attack, an attacker uses single factor authentication credentials stolen in other data breaches.
The difference between a credential stuffing attack and a brute force attack is that in credential stuffing, guesses are based on stolen usernames and passwords, while in a brute force attack, guesses have no basis at all, with some attempts using characters chosen at random.
In the past 10 years, billions of username and password combinations have been stolen from individuals and organizations around the globe. Some of these stolen usernames and passwords are made publicly available online, while others are sold on the dark web.
Haveibeenpwned, a site that allows internet users to check whether their personal data has been compromised in data breaches, has millions of user accounts within its records. In April 2019, the group known as “GnosticPlayers” released online the breached records of nearly one billion users, including usernames and passwords.
While the success rate of credential stuffing attacks is only about 0.1% – meaning that for every 1,000 attempts, roughly one will succeed – the sheer volume of stolen single factor credentials makes credential stuffing worthwhile. At a success rate of 0.1%, for instance, one million attempts could yield nearly 1,000 cracked accounts.
APIs, short for application programming interfaces, are favourite targets of malicious actors in their credential stuffing attacks. An API allows two systems to communicate with one another, and APIs allow easy access to third-party platforms such as cloud storage. From December 2017 to November 2019, Akamai reported that it observed nearly 85.5 billion credential stuffing attacks across its customer base. Out of the 85.5 billion credential stuffing attacks, Akamai said 16.5 billion were directed against hostnames that were clearly identified as API endpoints – one end of a communication channel, such as the URL of a server.
Brute force and credential stuffing attacks are hard to stop when systems allow users to guess username and password combinations without limit. While some organizations mitigate these two types of attacks through throttling, attackers bypass throttling by staging a low and slow approach.
Akamai reported that credential stuffing attackers take advantage of the unlimited guesses by guessing tens of thousands of credentials in minutes. Microsoft Defender ATP Research Team, meanwhile, reported that RDP brute force attacks often last for 2-3 days on average, with about 90% of cases lasting for 1 week or less, and less than 5% lasting for 2 weeks or more.
Cybercriminals are able to launch millions of these brute force and credential stuffing attempts in a short span of time through the use of internet bots – software applications that run automated tasks over the internet. To automate brute force or credential stuffing attacks, attackers use botnets. A botnet is a group of hijacked computers controlled by cybercriminals to conduct malicious activities such as brute force attacks, credential stuffing attacks and distributed denial-of-service (DDoS) attacks.
By utilizing botnets, attackers are able to launch many login attempts simultaneously. The use of a botnet, a group of hijacked computers, makes it appear that the login attempts come from different computers in different locations. Some botnets have hijacked a few thousand computers and some have hijacked millions. The use of botnets bypasses security measures such as banning IP addresses with too many failed logins.
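As an added example (not code from the original post), the following Python compares what per-IP lockout sees with what account-centric and long-window counting see, on constructed failed-sign-in records. The log format, the field names and the thresholds are assumptions chosen for the demonstration.

```python
"""Added example: per-IP lockout versus account-centric and long-window counting.

Two patterns described in the text defeat a simple "ban the IP after N failures"
rule: a botnet spreading guesses over many source IPs so no single IP trips the
threshold, and a low-and-slow source that spaces attempts out below the limit.
Counting distinct sources per target account, and counting failures per source
over a long window, surfaces both.  Log format and thresholds are assumptions."""
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts result user ip")

# Constructed sample log: 8 guesses at "admin" from 8 IPs within one minute,
# one IP guessing "jsmith" every 15 minutes, and a legitimate user who mistypes once.
SAMPLE_LOG = """\
2020-01-10T02:00:05 FAIL user=admin ip=203.0.113.10
2020-01-10T02:00:09 FAIL user=admin ip=203.0.113.11
2020-01-10T02:00:14 FAIL user=admin ip=203.0.113.12
2020-01-10T02:00:20 FAIL user=admin ip=203.0.113.13
2020-01-10T02:00:27 FAIL user=admin ip=203.0.113.14
2020-01-10T02:00:33 FAIL user=admin ip=203.0.113.15
2020-01-10T02:00:40 FAIL user=admin ip=203.0.113.16
2020-01-10T02:00:48 FAIL user=admin ip=203.0.113.17
2020-01-10T02:00:00 FAIL user=jsmith ip=198.51.100.7
2020-01-10T02:15:00 FAIL user=jsmith ip=198.51.100.7
2020-01-10T02:30:00 FAIL user=jsmith ip=198.51.100.7
2020-01-10T02:45:00 FAIL user=jsmith ip=198.51.100.7
2020-01-10T03:00:00 FAIL user=jsmith ip=198.51.100.7
2020-01-10T03:15:00 FAIL user=jsmith ip=198.51.100.7
2020-01-10T03:30:00 FAIL user=jsmith ip=198.51.100.7
2020-01-10T03:45:00 FAIL user=jsmith ip=198.51.100.7
2020-01-10T04:00:00 FAIL user=jsmith ip=198.51.100.7
2020-01-10T09:02:11 FAIL user=mlee ip=192.0.2.44
2020-01-10T09:02:30 OK user=mlee ip=192.0.2.44
"""


def parse_log(text):
    """Parse '<ISO timestamp> <FAIL|OK> user=<name> ip=<addr>' lines, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user_kv, ip_kv = line.split()
        events.append(Event(datetime.fromisoformat(ts), result,
                            user_kv.split("=", 1)[1], ip_kv.split("=", 1)[1]))
    return sorted(events)


def max_failures_in_window(events, key_fn, window):
    """Per key (IP or account), the largest number of failures seen in any sliding window."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for ev in events:
        if ev.result != "FAIL":
            continue
        q = recent[key_fn(ev)]
        q.append(ev.ts)
        while ev.ts - q[0] > window:        # drop failures older than the window
            q.popleft()
        peak[key_fn(ev)] = max(peak[key_fn(ev)], len(q))
    return dict(peak)


def per_ip_lockouts(events, threshold=5, window=timedelta(minutes=10)):
    """The IP-ban rule from the text: which IPs exceed N failures in a short window."""
    peaks = max_failures_in_window(events, lambda e: e.ip, window)
    return {ip for ip, n in peaks.items() if n >= threshold}


def distributed_targets(events, min_sources=5, window=timedelta(minutes=10)):
    """Accounts failed against from many distinct IPs in a window: the botnet pattern."""
    recent = defaultdict(deque)             # account -> (ts, ip) of recent failures
    flagged = {}
    for ev in events:
        if ev.result != "FAIL":
            continue
        q = recent[ev.user]
        q.append((ev.ts, ev.ip))
        while ev.ts - q[0][0] > window:
            q.popleft()
        sources = {ip for _, ip in q}
        if len(sources) >= min_sources:
            flagged[ev.user] = max(flagged.get(ev.user, 0), len(sources))
    return flagged


def low_and_slow_sources(events, threshold=8, window=timedelta(hours=24)):
    """IPs that stay under the short-window limit but accumulate failures over a day."""
    peaks = max_failures_in_window(events, lambda e: e.ip, window)
    return {ip: n for ip, n in peaks.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-IP lockouts (10 min, 5 fails):", per_ip_lockouts(evs))      # set()
    print("accounts hit from many IPs:", distributed_targets(evs))         # {'admin': 8}
    print("low-and-slow sources (24 h):", low_and_slow_sources(evs))      # {'198.51.100.7': 9}
```

On the constructed input the per-IP rule locks out nothing, while the account-centric and 24-hour views flag the distributed attack on "admin" and the slow source guessing "jsmith".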
The use of multi-factor authentication effectively blocks brute force and credential stuffing attacks. In multi-factor authentication, aside from the correct username and password combination, a user is asked to provide additional information such as access token, face ID or a fingerprint – generally, things that bots can’t provide.
While we always recommend multi-factor authentication, in many cases businesses don’t evaluate basic IT controls and fall victim to cyberattacks.
Connect with us today and our team will evaluate your IT controls to ensure that decision makers understand the business impact and clearly understand what they need to focus on, both long and short-term.
Growing Threat of Ransomware Reinfection
Switzerland's cybersecurity body, the Reporting and Analysis Centre for Information Assurance (MELANI), has cautioned local SMEs and large organizations against paying ransomware attackers due to the risk of ransomware reinfection.
In a recent advisory to local organizations in Switzerland, MELANI said it’s aware of cases in Switzerland and abroad where the same organizations have been victims of ransomware attacks several times within a very short period of time. Ransomware is a type of malicious software (malware) that encrypts victims’ files and forces victims to pay ransom in exchange for the decryption keys that would unlock the encrypted files.
According to MELANI, even if a ransom is paid, there’s no guarantee that the ransomware attacker will decrypt the data. Switzerland's cybersecurity body also cautioned that even when ransom payment is made, leading to the decryption of the encrypted data, the underlying infection of some ransomware will remain active. “As a result, the attackers still have full access to the affected company's network and can, for example, reinstall ransomware,” MELANI said.
Emotet and TrickBot are two of the malware cited by Switzerland's cybersecurity body that could cause ransomware reinfection on victims’ computers even after ransom payment and after decryption.
In October 2019, the Canadian Centre for Cyber Security issued an alert to organizations in Canada about the 3-in-1 infection process involving 3 malware: Emotet, TrickBot and Ryuk. According to the Canadian Centre for Cyber Security, Emotet, TrickBot and Ryuk ransomware are part of the 3-stage infection process, with Emotet as the first malware downloaded, TrickBot as the second malware downloaded, and Ryuk ransomware as the last malware deployed against victims’ networks by an organized and prolific actor or group of actors.
Emotet, first detected in 2014, is a malware that’s distributed through emails containing malicious links or attachments. Victims are tricked into clicking these malicious links or attachments as the group behind Emotet uses branding familiar to the recipients.
According to the US Cybersecurity and Infrastructure Security Agency, once Emotet is downloaded on the victim’s computer, this malware uses a credential enumerator in the form of a self-extracting RAR file. This credential enumerator, the US cybersecurity body said, contains two components: a bypass component and a service component. The bypass component is used to find writable share drives using SMB or to brute force users’ accounts (attempting to guess a password or username through trial and error), including the administrator account. The service component, meanwhile, writes Emotet onto the compromised computer’s disk.
SMB, short for Server Message Block, is a network protocol used by computers running Microsoft Windows that allows systems within the same network to share files. “Emotet’s access to SMB can result in the infection of entire domains (servers and clients),” US Cybersecurity and Infrastructure Security Agency said.
Once the attacker gains access on the victim’s network via Emotet, the Trickbot malware is then downloaded and distributed to the compromised systems.
Trickbot, first detected in 2016, is a malware that has similar capabilities as Emotet. Similar to Emotet, Trickbot can brute force users’ accounts and spread onto as many computers as possible using SMB.
Analysis of Trickbot showed that this malware uses PowerShell Empire, a publicly available tool. Designed as a legitimate penetration testing tool in 2015, PowerShell Empire has become a favorite tool among well-financed threat groups.
PowerShell Empire allows an attacker to escalate privileges, harvest credentials, exfiltrate information, and move laterally across the victim’s network. PowerShell Empire is difficult to detect on a network using traditional antivirus software as it operates almost entirely in memory, and it also uses PowerShell, a legitimate application. Empire also allows an attacker to install Ryuk ransomware on high-value targets.
According to the Canadian Centre for Cyber Security, Trickbot’s capabilities allow it “to map out the network and give the malicious actor a better understanding of the target, including the value of the data.”
Ryuk ransomware first appeared in 2018. On its own, this ransomware doesn’t have the ability to spread onto as many machines as possible within a network, hence the dependency on other malware such as Emotet and Trickbot.
“The Ryuk ransomware itself does not contain the ability to move laterally within a network, hence the reliance on access via a primary infection, but it does, however, have the ability to enumerate network shares and encrypt those it can access,” UK's National Cyber Security Centre said. “This, coupled with the ransomware’s use of anti-forensic recovery techniques (such as manipulating the virtual shadow copy), is a technique to make recovering from backups difficult.”
Preventive and Mitigating Measures Against Ransomware
Every so often malware programs such as Emotet, Trickbot and Ryuk are able to access victims’ networks as a result of ignoring basic cybersecurity measures. Here are some basic cybersecurity measures in order to protect your organization’s network against malware such as Emotet, Trickbot and Ryuk:
In the case of a Ryuk infection, it’s important to note that cleaning up the affected computers isn’t enough, as these “cleaned” computers could still be reinfected: the malware used alongside Ryuk, namely Emotet and Trickbot, could be lurking on networked systems that were not initially affected by the ransomware.
DDoS Attacks Are Getting Smaller, Shorter & More Persistent, Study Shows
A recent study released by Imperva showed that DDoS attacks are getting smaller, shorter and more persistent – a trend that shows that attackers are hoping to cause great damage before the activation of DDoS mitigating measures.
What Is DDoS Attack?
DDoS, short for distributed denial-of-service, is a type of cyber-attack in which multiple computers operate together as one to attack a target, for instance, a particular website.
Attackers typically use botnets to carry out DDoS attacks. A botnet is a group of internet-connected computers that are hijacked by malicious actors. These hijacked computers are then controlled by attackers as one “zombie army” to attack a chosen target.
There are two general types of DDoS attacks, the network layer attack and application layer attack. In network layer DDoS attacks, malicious actors “clog the pipelines” connecting to the target network, resulting in severe operational damages, such as account suspension. In application layer DDoS attacks, malicious actors flood a target application with seemingly innocent requests, resulting in high CPU and memory usage leading to the eventual hanging or crashing of the targeted application.
In network layer DDoS attack, the attack is measured by gigabits per second (Gbps) or packets per second (PPS), while in application layer DDoS attack, the attack is measured by requests per second (RPS). Most mid-sized websites can be crippled by 50 to 100 RPS application layer DDoS attacks, and most network infrastructures can be shut down by 20 to 40 Gbps network layer DDoS attacks.
Prevalence of DDoS Attacks
“Overall, we saw attacks that were smaller, shorter, and more persistent,” Imperva said in the company’s 2019 Global DDoS Threat Landscape Report. The company said that this trend “may be indicative of attackers’ attempts to wreak havoc before a mitigation service kicks in”.
Imperva reported that most DDoS attacks in 2019 were short, with 51% lasting less than 15 minutes. The report also showed that DDoS attacks in 2019 were conducted in short streaks, with two-thirds of targets attacked up to five times and a quarter of targets attacked 10 times or more.
Imperva added that while the norm of DDoS attacks in 2019 was small, the company recorded the largest network layer DDoS attack and application layer DDoS attack. The company said it recorded a network layer DDoS attack that reached 580 million packets per second (PPS), and a separate application layer DDoS attack which lasted for 13 days and peaked at 292,000 Requests Per Second (RPS).
According to Imperva, the top attacked industries in 2019 were games (35.92%), gambling (31.25%), computers and internet (26.51%), business (3.37%) and finance (2.95%); while the top attacked territories were India (22.57%), Taiwan (14.79%), Hong Kong (12.23%), Philippines (11.36%) and United States (8.73%). In 2019, Imperva said application layer attack requests overwhelmingly came from the Philippines and China. The company, however, noted, “Those source origination points were notedly the location of the machines used to carry out the attacks, not necessarily the location of the attackers themselves.”
The Role of Botnets
Imperva’s analysis of the largest application layer DDoS attack which lasted for 13 days and peaked at 292,000 Requests Per Second (RPS) showed that most of the IPs had the same opened ports: 2000 and 7547. The Mirai botnet has been known to target IoT devices exposed to the internet via TCP port 2000 and 7547.
The Mirai botnet was first observed in the wild in 2016. This botnet hijacked IoT devices via factory default usernames and passwords. The release of the Mirai’s source code on September 30, 2016 resulted in the development of new versions of Mirai, with some versions targeting different vendors of IoT devices and some adding new functionalities.
The DDoS attack on the domain name service (DNS) provider Dyn on October 21, 2016 was attributed to the Mirai botnet. The DDoS attack on Dyn resulted in temporarily bringing down America’s top websites such as Twitter, Netflix and Reddit.
In the 4th quarter of 2019, researchers at 360 Netlab reported 2 new botnets: Roboto and Mozi. In November 2019, 360Netlab researchers reported that Roboto attacks Linux servers via CVE-2019-15107, a security vulnerability in the Webmin remote administration application. While Roboto has DDoS capability, the researchers said, there’s no evidence yet that a DDoS attack has been launched by this botnet.
In December 2019, researchers at 360 Netlab reported that Mozi attacks IoT devices, exploiting a handful of security vulnerabilities, including CVE-2014-8361, a security vulnerability in Realtek routers that allows remote attackers to execute arbitrary code, and CVE-2018-10562, a security vulnerability in GPON routers in which the router saves ping results, enabling attackers to execute commands and retrieve their outputs.
While a typical DDoS botnet operates using a command-and-control (C2) server – a computer controlled by an attacker to send malicious commands to infected computers – both Roboto and Mozi rely on peer-to-peer (P2P) networks. In a P2P network, the infected computers or “bots” form a decentralized network and communicate with one another, instead of communicating with a centralized command-and-control server.
The use of P2P networks by cyber criminals isn’t new. For years, attackers have used P2P networks for everything from stealing data to sending malicious commands. Attackers use P2P networks to evade efforts to take down C2 servers. Authorities such as the FBI and technology companies have had success in shutting down botnets that rely on C2 servers to steal data or send malicious commands: by taking down a C2 server, the zombie army of hijacked computers is rendered useless.
Would you like to learn more and see how to protect your organization and mitigate DDoS attacks in under 10-minutes, with no hardware or software to buy or install?
Third-party Risks: A New Frontier and a Major Concern for Businesses
Outsourcing to third parties helps businesses free up time and resources, both of which can be channelled back into core business tasks.
But whether the third party provides accounting, marketing, IT support, HR/Payroll, customer service and support, or any other service, working with them carries an inherent element of risk. After all, these companies have access to sensitive data — contact details for employees and customers, payment information, login details for essential software and tools, and at times to company’s intellectual property.
And a cybersecurity breach could cause this data to fall into the hands of criminals. While most companies are well aware of this danger, too many fail to take action: 77 percent of Canadian small businesses are concerned about being hit by a cyber-attack, but 36 percent choose not to invest in effective security.
That’s a huge oversight. But it’s understandable that small businesses using third-party services for the first time overlook the need for caution when choosing a provider. Third-party risk is something of a new frontier, and technology continues to advance faster than non-experts can keep up with.
This creates a disconnect between businesses and the services they are paying for. As a result, a huge amount of trust is required, and third parties have to be transparent about how they use client data, their security measures, policies and procedures, and more.
In short: due diligence is critical when working with third parties, but what steps can businesses take to mitigate their risk?
Focus on Experienced Vendors and Don’t Cut Corners
Small and medium businesses might be tempted to go with the cheapest third-party service provider in their area. Money can be tight during the early years of building a brand, and usually for some time beyond, too.
But businesses can’t afford to cut corners when choosing vendors responsible for key services and with access to sensitive data.
Always take the time to do your due diligence and find a vendor with provable experience working with companies like your own. They should have a portfolio of satisfied clients they can discuss and be happy to provide references. Even if one of their past clients is in a different industry to your own, a positive experience should give real peace of mind and lend the vendor credibility.
Check for attestations and certifications from leading security brands on the vendor’s website. These are an excellent trust signal, and indicate the team takes its security seriously. Awards from leading publications or organizations reinforce a vendor’s credibility, too.
Make sure to look the vendor up online and search for reviews. And if negative feedback is in short supply, remember that bad reviews may not be genuine. The service provider might be willing to discuss them and share some insight into why they aren’t to be trusted.
Speak to other business-owners and try to find recommendations for reliable third parties in your area. While price is obviously a major factor in your decision, don’t compromise too much just to save a few dollars.
Check their Program for Security Risk Assessments
Take steps to determine the vendor’s approach to security risk assessments, and how regularly they conduct them.
Beware of any team which can’t tell you when they last reviewed their security set-up or what steps they would take if they discovered a data breach. They should be well aware of all potential risks, which measures are necessary to prevent them, and how to communicate these to you in a language you understand.
Reliable vendors will take immediate action to fill any gaps they notice in their cybersecurity posture during assessments. They need to know which cybersecurity attacks their system is particularly vulnerable to, and how a successful attack would disrupt their services.
It’s also vital to find out what a vendor’s plan is for informing clients about a breach, and how they mitigate dangers. This should be documented and well-defined: beware of vendors who seem to be making their plans up on the fly. You want them to be transparent, well-prepared, and in control.
Keep Track of Access
Catalog which tools and files your third-party vendors have access to. You need to know which departments or individuals have permission to use your data, and you can’t always be sure this won’t be misused (by accident or design).
Ask vendors to explain why they require access, and don’t be afraid to get a second opinion if their reasoning doesn’t ring true. A reliable team will be able to explain their requests clearly.
Make sure to check files and tools on a regular basis, to confirm everything is as it should be. Report the first sign of any discrepancies.
Build Your Own Contingency Plans Around Vendors
You need to be prepared for an attack no matter how good your vendors are; it’s no longer a matter of “if” but a matter of “when”. And this preparation has to go deep, too, so your entire business knows how to proceed if the worst happens.
Think about critical systems which your daily operations depend on. If they were to go down, what processes could your workforce continue to perform? What alternative systems do you have to rely on, if any?
Determining the level of damage a cyber-attack would do to your company, and identifying ways to mitigate that, is crucial.
Next, consider the incident response readiness and the team. Which employees would be most valuable in this group? How would they be alerted to an incident and how long do you expect it to take for them to go into action?
Another important process to focus on when building your contingency plans is testing. Running experiments can help you assess the quality of your response to attacks, the length of time it would take to communicate with vendors, and how long it might take to get your systems operating again.
Try to make tests a learning process, so you can see where improvements are needed. You might find your vendor is hard to reach in a crisis, or they seem ill-equipped to provide the fast response promised. Either is a major red flag.
Third-party risks can increase businesses’ vulnerabilities to attack, but a cautious, strategic approach to choosing and monitoring vendors can help to keep you safe.
A professional security consulting service will help you understand the risks you face when working with third parties, how to manage them better, and how to keep your security at its best.
Better yet, some cybersecurity firms can help you implement an affordable and automated third-party assessment programme, including initial due diligence and on-going monitoring.
Want to schedule a free consultation and start improving your third-party cybersecurity posture? Just get in touch with our team now!
Microsoft Reports Growing Web Shell Attacks
An average of 77,000 web shell attacks are detected each month on an average of 46,000 distinct computers, according to the latest report released by Microsoft.
What Is a Web Shell?
A web shell is malicious code that cybercriminals implant on internet-facing servers to remotely access server functions. This malicious code allows criminals to steal data from the compromised internet-facing server or to use the compromised server as a stepping stone for further attacks against their victims.
China Chopper is an example of a web shell. It was first discovered in 2012, and nearly a decade after its discovery, China Chopper remains the most widely used web shell. Researchers at Cisco Talos Intelligence Group said that because China Chopper is so widely available, it’s nearly impossible to attribute this form of attack to a particular group.
Analysis of the China Chopper by researchers at Cisco Talos showed that this web shell allows attackers to retain access to an already compromised web server using a client-side application. This client-side application, the researchers said, contains all the logic needed to control the target, making it handy for threat actors to use. The researchers added that China Chopper only targets systems that run a web server application.
Web Shell Attacks
According to Microsoft, a victim of a web shell attack – an organization in the public sector that Microsoft refused to name – enlisted the services of Microsoft’s Detection and Response Team (DART) to conduct full incident response and remediate the said attack before it could cause further damage.
DART’s investigation showed that the unnamed organization’s attackers implanted a web shell in multiple folders of the organization’s web server. This implanted web shell allowed the attackers to compromise the service accounts and domain admin accounts. DART’s investigation also showed that the initial implanted web shell allowed the attackers to look for additional target systems and install web shells on these additional targeted systems.
Threat groups ZINC, KRYPTON, and GALLIUM are known to have used web shells in their cyber-attacks. According to Microsoft, web shell attackers exploit the security vulnerabilities in web applications or web servers, including the lack of the latest security updates, as well as the lack of antivirus tools, lack of network protection, lack of proper security configuration and lack of informed security monitoring. Attacks typically happen during off-hours or weekends, when attacks are likely not immediately spotted and responded to, Microsoft said.
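As an added example (not Microsoft’s or the original post’s code), the following Python triages web server access logs for the traits described above: POST requests to script files outside the application’s known set of pages, sometimes planted under several folders, concentrated in off-hours or weekends, and driven by a non-browser client. The log lines, the baseline of known pages, the static-content directories and the business-hours window are all constructed assumptions.

```python
"""Added example: flag access-log entries that look like web shell use.

A web shell is a script file the application never shipped, and the attacker
drives it with POST requests from a client-side tool rather than a browser.
Comparing POST targets against a baseline of known application pages, and noting
off-hours timing and an empty user agent, gives a defender a short list to
inspect.  Log lines, baseline and directory names are constructed for this demo."""
import re
from collections import defaultdict
from datetime import datetime
from typing import NamedTuple


class Request(NamedTuple):
    ip: str
    ts: datetime
    method: str
    path: str
    status: int
    ua: str


# Combined-style format with a trailing user-agent field (an assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ua>[^"]*)"$'
)
SCRIPT_EXT = (".php", ".aspx", ".asp", ".jsp")
BASELINE_PATHS = {"/index.php", "/login.php"}          # constructed: pages the app really serves
STATIC_DIRS = ("/images/", "/uploads/", "/css/")       # constructed: should hold no scripts

# Constructed sample: normal Friday traffic, then Sunday 03:14 POSTs to two scripts
# that are not part of the application, from a client sending no user agent.
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [10/Jan/2020:14:02:11 +0000] "GET /index.php HTTP/1.1" 200 5120 "Mozilla/5.0"
192.0.2.10 - - [10/Jan/2020:14:02:15 +0000] "POST /login.php HTTP/1.1" 302 0 "Mozilla/5.0"
203.0.113.5 - - [12/Jan/2020:03:14:07 +0000] "POST /images/cache.php HTTP/1.1" 200 431 "-"
203.0.113.5 - - [12/Jan/2020:03:14:20 +0000] "POST /images/cache.php HTTP/1.1" 200 2210 "-"
203.0.113.5 - - [12/Jan/2020:03:15:02 +0000] "POST /uploads/tmp/x.php HTTP/1.1" 200 118 "-"
198.51.100.9 - - [13/Jan/2020:10:30:00 +0000] "GET /images/logo.png HTTP/1.1" 200 8800 "Mozilla/5.0"
"""


def parse_access_log(text):
    """Parse matching lines into Request records; unparseable lines are skipped."""
    requests = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        requests.append(Request(m["ip"], ts, m["method"], m["path"], int(m["status"]), m["ua"]))
    return requests


def is_off_hours(ts, start_hour=8, end_hour=18):
    """Weekend, or outside the assumed 08:00-18:00 business window."""
    return ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour)


def find_web_shell_candidates(requests, baseline=BASELINE_PATHS, static_dirs=STATIC_DIRS):
    """Group POSTs to unknown script endpoints by path, with the reasons each was flagged."""
    findings = defaultdict(lambda: {"hits": 0, "sources": set(), "reasons": set()})
    for r in requests:
        path = r.path.split("?", 1)[0].lower()
        # Only script files that the application does not know about, receiving POSTs
        if r.method != "POST" or not path.endswith(SCRIPT_EXT) or path in baseline:
            continue
        reasons = {"POST to script outside baseline"}
        if any(path.startswith(d) for d in static_dirs):
            reasons.add("script under static-content directory")
        if is_off_hours(r.ts):
            reasons.add("off-hours or weekend")
        if r.ua in ("", "-"):
            reasons.add("non-browser client")
        f = findings[path]
        f["hits"] += 1
        f["sources"].add(r.ip)
        f["reasons"] |= reasons
    return dict(findings)


if __name__ == "__main__":
    for path, f in find_web_shell_candidates(parse_access_log(SAMPLE_ACCESS_LOG)).items():
        print(path, f["hits"], sorted(f["sources"]), sorted(f["reasons"]))
```

The two unknown scripts under static-content folders are reported with all four reasons, while the application’s own login endpoint, which also receives POSTs, is not.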
Security vulnerabilities referred to as CVE-2019-16759 and CVE-2019-0604 are some of those exploited by attackers, Microsoft added. Both CVE-2019-16759 and CVE-2019-0604 had been patched by their respective software vendors.
CVE-2019-16759 is a security vulnerability in vBulletin, a proprietary forum software used by more than 100,000 websites, including websites used by major companies and organizations. CVE-2019-0604, meanwhile, is a security vulnerability in Microsoft SharePoint – a web-based platform that integrates with Microsoft Office. Successful exploitation of CVE-2019-0604 allows an attacker to run malicious code in the context of the SharePoint application pool and the SharePoint server farm account.
On April 23, 2019, the Canadian Centre for Cyber Security issued an alert, warning Canadian organizations of the on-going cyber-attacks that first exploit the security vulnerability of Microsoft SharePoint, in particular, CVE-2019-0604, leading to the deployment of the China Chopper web shell. The following unpatched versions of Microsoft SharePoint are known to be affected: Microsoft SharePoint Server 2019, Microsoft SharePoint Server 2010 SP2, Microsoft SharePoint Foundation 2013 SP1 and Microsoft SharePoint Enterprise Server 2016.
"The China Chopper web shell is extensively used by hostile actors to remotely access compromised web-servers, where it provides file and directory management, along with access to a virtual terminal on the compromised device,” the Canadian Centre for Cyber Security said. “As China Chopper is just 4 Kb in size, and has an easily modifiable payload, detection and mitigation is difficult for network defenders.”
An internal confidential document from the United Nations (U.N.) dated September 20, 2019 and leaked to The New Humanitarian showed that dozens of servers at the U.N. offices in Geneva and Vienna were illegally accessed starting in July 2019. The internal confidential document from the U.N., seen by the Associated Press, showed that the attackers were able to access the public organization’s servers by exploiting the security vulnerability in Microsoft’s SharePoint software, in particular CVE-2019-0604 – a vulnerability that was patched by Microsoft in February and March 2019, but the U.N. had failed to update its systems.
Preventive and Mitigating Measures Against Web Shell Attacks
It’s worth noting that web shells are only deployed on victims’ internet-facing servers after attackers find an initial loophole in those servers. As shown in the examples above, the attackers’ initial entry points include unpatched vBulletin (CVE-2019-16759) and unpatched SharePoint (CVE-2019-0604). It’s important, therefore, to patch all your organization’s software in a timely manner, as attackers are quick to exploit unpatched software.
In the case of CVE-2019-0604 vulnerability, Microsoft’s March 12, 2019 update should be applied. In the case of CVE-2019-16759, vBulletin’s version 5.5.2/3/4 Patch Level 1 update should be applied. To mitigate vBulletin’s exposure, disable PHP, Static HTML, and Ad Module rendering setting in the administration panel.
It’s also important to practice network segmentation. In network segmentation, your organization’s network is divided into sub-networks. For instance, servers that house your organization’s critical information and are strictly meant for on-premise use should be part of one sub-network and be kept offline. This way, if attackers manage to infect other sub-networks, this critical sub-network won’t be affected.
You don’t have to face cybercriminals alone. Our experts will help you assess the current state of your cybersecurity posture, and develop a plan to proactively mitigate cyber threats.
Contact us today and protect your most valuable digital assets and your brand’s reputation.
Steve E. Driz, I.S.P., ITCP