Modern Threats Organizations Face in the Cloud
COVID-19 has made remote working the new normal. A recent report from McAfee showed that as more people worked remotely as a result of the COVID-19-induced shelter-in-place order, the use of collaboration cloud services has grown, replacing the now empty office computer desks and conference rooms.
The New Normal
Twitter recently announced that its employees can work from home forever. "The past few months have proven we can make that [work from home setup] work," said Jennifer Christie, Vice President for People at Twitter. "So if our employees are in a role and situation that enables them to work from home and they want to continue to do so forever, we will make that happen."
In Canada, a report from Statistics Canada showed that workers in industries where close contact with others is less necessary tended to do their jobs from home in April of this year, have experienced relatively fewer employment losses since February, and may find it easier to resume full activity by continuing to work from home.
Collaboration Cloud Services Security Risks
As collaboration cloud services adoption increases, McAfee reported that the amount of threats from external actors targeting cloud collaboration services also increases. In the "Cloud Adoption and Risk Report", McAfee reported that from January to April 2020, overall cloud service usage increased by 50% across all industries.
The report also highlighted that for the same period, the use of collaboration cloud services more than doubled, with Zoom (+350%), Microsoft Teams (+300%), and Slack (+200%) seeing some of the largest gains. While Zoom grabbed the limelight in recent months, the report showed that Cisco Webex, another collaboration cloud service offering web conferencing and videoconferencing applications, experienced a 600% increase in usage during the same period.
The McAfee report found that from January to April 2020, the number of threats from external actors targeting cloud services increased by 630%, with most of the attacks concentrated on collaboration cloud services. McAfee groups these external threats into two categories: excessive usage from anomalous location and suspicious superhuman.
Excessive Usage from Anomalous Location
McAfee defines excessive usage from anomalous location as a login attempt from a location that hasn't previously been seen for that user, followed by the start of high-volume data access and/or privileged access activity. Suspicious superhuman, meanwhile, is defined as login attempts from two or more distant locations between which it is impossible to travel in the time elapsed; for instance, a user logs into Microsoft Office 365 in Singapore and the same user logs into Slack in the U.S. five minutes later.
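The two definitions above, turned into detection logic over a batch of constructed cloud-access events. This is an added example, not code from McAfee or from this post; the travel-speed and volume thresholds, the session window, the privileged-action labels and the user, city and coordinate data are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Assumed thresholds, not taken from the McAfee report.
MAX_TRAVEL_KMH = 1000.0               # faster than any commercial flight: physically impossible
HIGH_VOLUME_MB = 500.0                # downloads above this count as "high-volume data access"
SESSION_WINDOW = timedelta(hours=1)   # activity after a login is attributed to that login
PRIVILEGED_ACTIONS = {"grant_admin", "export_tenant", "share_external"}  # assumed labels


@dataclass(frozen=True)
class Event:
    user: str
    service: str      # cloud service, e.g. "Office365" or "Slack"
    ts: datetime      # UTC timestamp
    city: str         # resolved from the client IP by a geo-IP step upstream
    lat: float
    lon: float
    action: str       # "login", "download", or one of PRIVILEGED_ACTIONS
    mb: float = 0.0   # megabytes moved, only meaningful for "download"


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 coordinates."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect(events, known_cities):
    """Apply both definitions from the text to a batch of events.

    known_cities maps user -> set of cities seen during a baseline period.
    Returns a list of (category, user, detail) tuples.
    """
    alerts = []
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_user[e.user].append(e)

    for user, evs in by_user.items():
        logins = [e for e in evs if e.action == "login"]

        # Suspicious superhuman: two consecutive logins, to any services, whose
        # implied travel speed exceeds what is physically possible.
        for a, b in zip(logins, logins[1:]):
            dist = haversine_km(a.lat, a.lon, b.lat, b.lon)
            hours = (b.ts - a.ts).total_seconds() / 3600.0
            # Same-second logins from distinct places are treated as infinite speed.
            if dist > 0 and (hours <= 0 or dist / hours > MAX_TRAVEL_KMH):
                alerts.append(("suspicious_superhuman", user,
                               f"{a.city}/{a.service} -> {b.city}/{b.service} "
                               f"({dist:.0f} km in {hours * 60:.0f} min)"))

        # Excessive usage from anomalous location: a login from a never-seen city
        # followed, within the session window, by high-volume or privileged activity.
        # A new city on its own does not qualify; both parts of the definition must hold.
        seen = set(known_cities.get(user, set()))
        for lg in logins:
            if lg.city in seen:
                continue
            end = lg.ts + SESSION_WINDOW
            session = [e for e in evs if lg.ts <= e.ts <= end and e.city == lg.city]
            volume = sum(e.mb for e in session if e.action == "download")
            priv = [e.action for e in session if e.action in PRIVILEGED_ACTIONS]
            if volume >= HIGH_VOLUME_MB or priv:
                alerts.append(("anomalous_location_excessive_usage", user,
                               f"new location {lg.city}: {volume:.0f} MB, "
                               f"privileged={sorted(set(priv))}"))
    return alerts


def sample_events():
    """Constructed events; alice reproduces the text's Office 365 / Slack example."""
    t0 = datetime(2020, 4, 1, 9, 0, 0)
    return [
        Event("alice", "Office365", t0, "Singapore", 1.3521, 103.8198, "login"),
        Event("alice", "Slack", t0 + timedelta(minutes=5), "New York", 40.7128, -74.0060, "login"),
        # bob: known city, modest download -> benign
        Event("bob", "Office365", t0, "Toronto", 43.6532, -79.3832, "login"),
        Event("bob", "Office365", t0 + timedelta(minutes=10), "Toronto", 43.6532, -79.3832, "download", 20.0),
        # carol: never-seen city followed by a bulk download and a privileged action
        Event("carol", "Office365", t0, "Lagos", 6.5244, 3.3792, "login"),
        Event("carol", "Office365", t0 + timedelta(minutes=3), "Lagos", 6.5244, 3.3792, "download", 850.0),
        Event("carol", "Office365", t0 + timedelta(minutes=7), "Lagos", 6.5244, 3.3792, "share_external"),
    ]


BASELINE = {"alice": {"Singapore"}, "bob": {"Toronto"}, "carol": {"Vancouver"}}  # constructed


def run():
    return detect(sample_events(), BASELINE)


if __name__ == "__main__":
    for category, user, detail in run():
        print(f"{category:35s} {user:6s} {detail}")
```

Note that alice's New York login is also a new city for her, yet it produces only the superhuman alert: with no bulk download or privileged action in the following hour, it does not meet the excessive-usage definition.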
The McAfee report said it derived its data from "aggregated and anonymized" cloud usage data from more than 30 million McAfee MVISION Cloud users worldwide from January to April 2020. Compared to external threats, the report showed that the number of internal threats flatlined. Most of the attacks on the cloud are external, the report said, targeting cloud accounts directly.
Spraying Cloud Accounts
According to the report the excessive usage from anomalous location and suspicious superhuman are likely opportunistic "spraying" attacks. In spraying attacks, attackers use past stolen credentials in guessing the correct username and password combination.
Spraying attacks rely on the human weakness of reusing usernames and passwords. Attackers have easy access to these past stolen credentials. In January 2019, a total of 2.2 billion unique usernames and associated passwords were distributed for free on hacker forums and torrent sites.
Reliance on the Traditional Username and Password
Even prior to the onset of the COVID-19 pandemic, many organizations had put in place a safety net in the way workers access corporate cloud services, particularly collaboration cloud services, through a virtual private network (VPN). In today's new normal, the work from home setup has brought about increased usage of VPNs to allow remote workers to access corporate networks and corporate collaboration cloud tools such as Microsoft Office 365.
One of the reasons cited by McAfee in the "Cloud Adoption and Risk Report" for the continued reliance on traditional username and password authentication when accessing collaboration cloud services is the ease of use of this authentication method. "In reality, employees will do whatever is easiest and fastest," McAfee said. "They will turn off their VPN and access applications in the cloud directly."
Cybersecurity Best Practices in Protecting Collaboration Cloud Services
Here are some of the best practices in protecting collaboration cloud services from external threats:
The use of multi-factor authentication, an authentication method that grants a user access to a computer or a collaboration cloud service only after successfully presenting two or more proofs of identity, so that, in addition to the usual username and password login, an additional proof is necessary to gain access.
In the blog post "One simple action you can take to prevent 99.9 percent of attacks on your accounts", Melanie Maynes, Senior Product Marketing Manager at Microsoft Security, said that 99.9% of attacks can be blocked with multi-factor authentication.
It's important, however, to supplement multi-factor authentication with other security measures as there have been documented cases whereby multi-factor authentication can be bypassed.
One of the security measures in protecting your cloud's data is limiting users' access to sensitive data. Privileged access to sensitive data that isn't required for a remote worker's line of work is a risk to your organization's online security. Remote workers, especially those using their personal devices to access corporate collaboration cloud tools, should be given only conditional access to sensitive data in the cloud.
Still Performing Old-school Vulnerability Assessments? Here’s What You’re Missing
Businesses live or die based on their IT infrastructure. No company can afford to underestimate the danger that a single network breach or hardware failure can cause. We’re talking about major downtime, disrupted productivity, missed targets, and unhappy clients turning to your competitors for faster solutions.
Vulnerability assessments are crucial to identify and mitigate IT risks. Innovators leverage cutting-edge technology to deliver assessments that protect companies against potential issues on a daily basis. But if you’re still performing old-school vulnerability assessments, you could be making your business more susceptible to problems than it has to be.
Here’s what you’re missing.
A proactive approach to mitigating risks
One of the most important reasons old-school vulnerability assessments are so dangerous is that system changes can render them irrelevant within a matter of hours. For businesses which still conduct annual assessments of their IT infrastructure, there’s a real danger that severe risks can be missed during those intervening months.
This encompasses different areas. First and foremost, there are cybersecurity threats to consider.
Your current security measures may become outdated between assessments and leave your business vulnerable to breaches by hackers. Research shows that in 60 percent of cases, vulnerabilities allowing unauthorized access could be fixed with a readily available patch. On average, data breaches cost as much as $3.92 million.
Cybersecurity is one area of IT infrastructure that you must take seriously. Hackers’ methods evolve at a startling rate, forcing organizations to remain vigilant and take a proactive approach to their defenses.
Cutting-edge monitoring is ongoing. The latest security technologies mimic hackers’ processes and techniques to identify where action is required to combat breaches. This enables organizations to recognize the flaws of their current security and which steps are necessary to fix them.
Furthermore, cybersecurity vendors you work with are continuously evaluated to pinpoint when they fail to comply with your business’s security policies or when security levels change.
Old-school assessments just can’t live up to this level of insight and awareness. So much can change in the period between one check and another.
Third-party vendor monitoring
So much of modern business relies on third-party vendors. Businesses of all sizes utilize cloud-based solutions for everything from customer service and team communications to accounting. And that’s great, because quality vendors help organizations to streamline operations and automate time-consuming tasks.
But companies place a lot of trust in vendors to provide a safe, secure, efficient standard of service at all times. The best suppliers are committed to doing just that. But sometimes, some may fall short of expectations.
Running irregular assessments of suppliers’ activities and services means you may be unaware of any oversights or failures. For example, a supplier may have implemented changes that mean it no longer aligns with your internal security policies, but you have no idea of this because so many months have passed since you last checked.
Furthermore, you want to rest assured that all suppliers your business works with comply with official regulations and standards (such as GDPR or CCPA). Any failures here can leave you facing legal difficulties and potentially high costs.
The latest solutions enable you to create security and compliance questionnaires to find out how third-party vendors follow regulatory measures. They also help you to determine how suppliers align with your own policies. On top of all this, innovative solutions reveal gaps in security to suppliers to help them deliver a higher standard of service.
As a result, you can make better decisions about the brands you work with and avoid unnecessary legal challenges that can be so damaging to your credibility.
A heightened awareness of technical issues
Cybersecurity is far from the only danger an inefficient IT setup brings. If your hardware is outdated and overdue for an upgrade, you could be at risk of technical failures. This is especially problematic if you store data on-site and never take advantage of cloud backup. You would be unable to recover crucial information and work in the aftermath of a disaster, such as a fire, flood, or theft.
And that brings all manner of problems. Employee, client, and financial data may all be exposed. Workflows would be heavily affected, reducing productivity and customer satisfaction. Significant financial impact could leave your business unable to keep operating as required.
Ongoing vulnerability assessments can determine how suitable your hardware and applications are for your business purposes. Old-school assessments conducted once or twice a year might not bring relevant issues to the surface until it’s too late. Leverage the latest assessment methods and technologies to protect your company against the risk of technical failures.
Understanding human error
Sadly, the people driving businesses are capable of making mistakes. This can be as simple as forgetting to update a password for a tool regularly or deleting a valuable field of data. But whatever the specifics, human error can make a sizable impact on a company’s security and performance.
In Canada’s legal and financial sectors, human error is cited as the biggest cause of data breaches, and a single mistake could open the door for hackers to gain unauthorized access to your network.
New vulnerability assessment solutions can incorporate human behavior to help recognize possible flaws, and help businesses take action to reduce their risk. For example, software and processes which have the potential to be confusing to users may be revised. Alternatively, training can be implemented to educate staff on software for greater peace of mind.
Old-school vulnerability assessments simply don’t offer the comprehensive insights which successful businesses need today. It’s not enough to check systems occasionally and trust them to work. Companies must take advantage of real-time data and detailed overviews to understand what risks they face in the digital age.
At The Driz Group, our expert team offers ongoing vulnerability assessments, penetration testing and third-party risk assessment as a service to identify issues with your infrastructure and protect your data accessed by third-party suppliers. This helps to remediate core IT risks and achieve maximum efficiency.
Lessons from the First Computer Pandemic: Love Bug
Twenty years ago, the world's first computer pandemic called the "Love Bug", also known as "ILOVEYOU" virus, wreaked havoc worldwide.
On May 4, 2000, in just a span of 24 hours, the Love Bug affected an estimated 45 million computers worldwide, causing an estimated US$10 billion in damages.
Tracking Down the Creator of ILOVEYOU Virus
BBC technology reporter Geoff White tracked down the creator of the ILOVEYOU virus working in a mobile phone repair shop inside a shopping mall in Manila. Onel de Guzman, now 44, admitted to White that he solely created the ILOVEYOU virus.
de Guzman told White that he unleashed the virus to steal passwords so he could access the internet without paying. He claims that he never intended the virus to spread globally and that he regrets the damage that the virus caused. de Guzman was never charged with a crime because, at the time he unleashed the virus, the Philippines had no laws criminalizing malicious use of computers.
How the ILOVEYOU Virus Caused a Computer Pandemic
The ILOVEYOU virus arrives on the victim's computer via Outlook software. At the time, Outlook was the common means of sending and receiving emails.
The email's subject simply contains "ILOVEYOU", while the email's body contains these few words: "kindly check the attached LOVELETTER coming from me". The email contains an attachment named "LOVE-LETTER-FOR-YOU.TXT". "I figured out that many people want a boyfriend, they want each other, they want love, so I called it that," de Guzman said.
Once an email receiver clicks on the attached document, the virus makes copies of itself to the Windows System directory and to the Windows directory. It also adds itself to the registry for it to be executed when the system is restarted.
It also replaces the Internet Explorer home page with a link that downloads the program called "WIN-BUGSFIX.exe". This downloaded file is also added to the registry for this program to be executed once the system is restarted.
The downloaded file is password-stealing malicious software (malware) that calls the WNetEnumCachedPasswords function and sends stolen RAS passwords and all cached Windows passwords to this email address: email@example.com.
The virus spreads to other victims' computers via Outlook: the same email that arrived on the original victim's computer is mass-emailed to everyone in the victim's Outlook address book. The virus also spreads via mIRC, sending itself whenever another person joins an IRC channel in which the infected user is present.
Other than stealing passwords and spreading itself, the virus performs its most destructive function: overwriting files. It looks for particular file types in all folders on all local and remote drives and overwrites them.
Similar to modern-day ransomware (malware that prevents victims from accessing their computers or files), the ILOVEYOU virus denies victims access to their files. Unlike ransomware, where in some cases the decryption keys supplied by attackers after ransom payment do unlock the locked files, with the ILOVEYOU virus there is no way to recover the overwritten files.
Many organizations lost a lot of data because of this overwrite function. The mass emailing function of the virus also overloaded many mail systems around the world.
Will There Be Another Computer Pandemic?
Time will tell if there'll be another computer pandemic.
If there is one, it will be somewhat different from de Guzman's creation. An attacker aiming to use a mass-emailing virus via Outlook or other mail client software now needs an extra step to get malicious attachments executed, as current mail clients are far more cautious about running script files than they were in the days when the ILOVEYOU virus was unleashed.
To date, the damage caused by the ILOVEYOU virus is unprecedented. The virus successfully played on mankind's need to be loved. In today's environment, where many more people are connected to the internet, another virus could turn into a computer pandemic by exploiting a different human need.
The ILOVEYOU virus has taught the online world one thing: next time, back up your files. Having a working backup prepares your organization for the next computer pandemic that, like the ILOVEYOU virus, overwrites or destroys victims' files.
There's also a need to protect these backups from attackers. In recent months, ransomware attackers have been known to go after victims' backups.
The group behind the ransomware called "DoppelPaymer" published on their leak site the admin username and password for a non-paying ransomware victim who used the Veeam cloud backup software. The group behind the ransomware called "eCh0raix" also went after QNAP NAS backup devices.
Protect your organization's backup devices by keeping them offline. If there is a need to connect these backup devices online, make sure to use strong authentication methods such as multi-factor authentication and to keep the backup device firmware up to date.
It’s also important to follow the time-tested 3-2-1 rule:
3: Keep 3 copies of any important file: 1 primary and 2 backups.
2: Keep the files on 2 different media types to protect against different types of hazards.
1: Store 1 copy offsite (for example, cloud backup).
Another attack scenario could come from a silent operator. The ILOVEYOU virus and the different shades of ransomware are overtly noticeable attacks. The next big thing, or even one that we haven't noticed yet, could be one that silently lurks in millions of computers worldwide.
Security Risks Associated with Exposed RDP
A recent report from McAfee Labs showed that since the official start of the COVID-19 pandemic in March 2020, the number of exposed RDP has increased considerably.
RDP, short for Remote Desktop Protocol, is a proprietary protocol developed by Microsoft that runs on port 3389 and allows users to connect to another computer over the internet. In the blog post "Cybercriminals Actively Exploiting RDP to Target Remote Organizations", McAfee Labs said that amid the COVID-19 pandemic, organizations wanting to maintain operational continuity very likely allowed employees to access organizations’ networks remotely via RDP with minimal security checks in place, giving cyber attackers the opportunity to access these networks with ease.
According to McAfee Labs, the number of RDP ports exposed to the internet grew from approximately three million in January 2020 to more than four and a half million in March 2020. McAfee Labs derived this number of exposed RDP ports from a simple search on Shodan – a search engine that allows users to find internet-connected computers.
Exposed RDP Risks
RDP often runs on Windows server operating systems. Access to an RDP host can give attackers access to an entire network.
RDP ports that are exposed to the internet are valuable to attackers as these ports allow them to enter organizations’ networks and conduct further malicious activities such as spreading malicious software (malware), including ransomware – a type of malware that encrypts computers or files, locking out legitimate users and forcing victims to pay ransom in exchange for decryption keys that will unlock these encrypted computers or files.
Other than spreading ransomware, compromised RDP ports can also be used to spread cryptominer – a type of malware that illicitly consumes the computing power of the compromised computer for the purpose of mining cryptocurrencies such as Bitcoin or Monero.
Exposed RDP ports also allow attackers to conduct malicious activities such as hiding their tracks, for instance by compiling their tools on the compromised computer. Attackers have also used exposed RDP ports to carry out other malicious activities in victims’ networks, such as theft of personal information, proprietary information or trade secrets.
How Cyberattackers Access Exposed RDP Ports
Below are some of the tactics used by attackers to enter exposed RDP ports:
McAfee Labs said it observed an increase in both the number of attacks against RDP ports and the volume of RDP credentials (username and password combinations) sold on underground online markets. In the past, some of these RDP online shops were taken down by law enforcement agencies.
These RDP online shops sell RDP credentials at a very low cost. McAfee Labs earlier reported that the stolen RDP credential of a major international airport was sold in one of these RDP online shops for only US$10.
While RDP can be secured via multi-factor authentication, many users fail to use this added security measure. Failure to protect RDP via multi-factor authentication allows attackers to stage brute force attack – a type of attack that guesses the correct password through trial and error.
Password guesses via brute force attacks aren’t so random. According to McAfee Labs, data from a law enforcement agency and RDP online shops taken down by the law enforcement agency showed that weak passwords remain one of the common points of entry.
A number of RDP ports were broken into, McAfee Labs said, using the top 10 passwords. “What is most shocking is the large number of vulnerable RDP systems that did not even have a password,” McAfee Labs said. The following are part of the top 10 passwords used by RDP attackers: 123456, 123, P@sswOrd, 1234, Password1, password, 12345, 1 and test.
In recent months, RDP has also been riddled with security vulnerabilities. In August 2019, Microsoft disclosed the security vulnerability known as “BlueKeep”. This security vulnerability, officially designated as CVE-2019-0708, allows an unauthenticated attacker to connect to the target system using RDP and send specially crafted requests.
Microsoft warned that BlueKeep is “wormable”, which means that it can replicate and propagate by itself to create a large-scale outbreak similar to Conficker and WannaCry. Conficker has been estimated to have impacted 10 to 12-million computer systems worldwide, while WannaCry’s damage to computer systems in just one global enterprise was estimated at $300 million.
Two other security vulnerabilities in RDP were disclosed by Microsoft in recent months: CVE-2020-0609 and CVE-2020-0610. Similar to BlueKeep, CVE-2020-0609 and CVE-2020-0610 allow an unauthenticated attacker to connect to the target system using RDP and send specially crafted requests.
According to Dustin Childs of Zero Day Initiative, while not as widespread as the systems affected by BlueKeep, CVE-2020-0609 and CVE-2020-0610 present an attractive target for attackers as these vulnerabilities are wormable, at least between RD Gateway servers.
Best Practices in Protecting Exposed RDP Ports
Here are some of the best practices in protecting RDP ports:
DDoS Attacks Accelerate Amid the COVID-19 Pandemic, Reports Show
Since the start of the global COVID-19 pandemic, reports show that distributed denial of service (DDoS) attacks have accelerated.
A report from NETSCOUT Arbor showed that DDoS attack count and bandwidth have all seen significant increases since the start of the global COVID-19 pandemic. From March 11th to April 11th of 2020, NETSCOUT reported that it observed more than 864,000 DDoS attacks – the single largest number of DDoS attacks that the organization had seen over any other 31-day period to date.
The number of DDoS attacks from March 11th to April 11th of 2020, NETSCOUT Arbor said, surpassed the DDoS count during the December 2019 holiday period, which peaked at 751,000. From November 11th of 2019 to March 11th of 2020, NETSCOUT Arbor reported that it observed an average of 735,000 DDoS attacks per month.
According to NETSCOUT Arbor, while terabit-class DDoS attacks make the headlines, the most significant DDoS-related metric is the sheer amount of bandwidth (bps) and throughput (pps) consumed by DDoS attacks. From March 11th to April 11th of 2020, NETSCOUT Arbor reported that it observed a whopping 1.01 Pbps and 208 Gpps of aggregate DDoS attack traffic. This aggregate DDoS attack traffic, NETSCOUT Arbor said, represents a 14% increase in attack bps and a 31% increase in attack pps.
Imperva’s March 2020 Cyber Threat Index Report, meanwhile, revealed that for the month of March 2020, DDoS attacks on the financial and food and beverage industries across multiple countries spiked amid the COVID-19 pandemic. According to Imperva, websites in the food & beverage industry experienced more attacks, with a 6% increase in DDoS attacks.
DDoS attacks in the food & beverage industry in Germany, Imperva reported, spiked by 125%. Earlier, on March 19, 2020, Takeaway.com, one of the leading online food delivery marketplaces connecting consumers and restaurants in several European countries, including Germany, reported that one of its websites was under DDoS attack. Jitse Groen, Founder and CEO of Takeaway.com, revealed via Twitter that the DDoS attacker or attackers demanded 2 bitcoins (valued at nearly USD 14,000 at the time of the demand) for the DDoS attack to stop. The attackers also threatened to launch a DDoS attack on the company’s other website.
Imperva added that it also observed an increased volume of DDoS attacks on the financial industry globally, with a 3% increase. DDoS attacks in the financial industry in Italy (+44%), the UK (+21%) and Spain (+18%) were notably larger, Imperva said.
“With attacks on the rise in the food and beverage and financial services industries, companies need to employ effective security strategies to balance the new load of traffic to their websites and mitigate new risks,” Nadav Avital, head of security research at Imperva, said.
Biggest DDoS Attack Ever Recorded
On February 28, 2020, GitHub – a website that allows software developers to store and manage their software code – was unavailable from 17:21 to 17:26 UTC and intermittently unavailable from 17:26 to 17:30 UTC due to a DDoS attack.
According to GitHub, the DDoS attack originated from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints. The DDoS attack peaked at 1.35Tbps via 126.9 million packets per second, GitHub said.
GitHub added that the DDoS attackers specifically used the memcached-based approach. Cloudflare describes memcached DDoS this way: “A memcached distributed denial-of-service (DDoS) attack is a type of cyber-attack in which an attacker attempts to overload a targeted victim with internet traffic. The attacker spoofs requests to a vulnerable UDP memcached server, which then floods a targeted victim with internet traffic, potentially overwhelming the victim’s resources. While the target’s internet infrastructure is overloaded, new requests cannot be processed and regular traffic is unable to access the internet resource, resulting in denial-of-service.”
DDoS Protection Amid the COVID-19 Pandemic
COVID-19 was declared by the World Health Organization (WHO) as a pandemic on March 11, 2020. Since then, quarantine sites in many parts of the world were ordered, giving the global community a new normal: staying at home. As people are mandated to stay at home, online communication has become a lifeline for many people to work, shop and study online.
With the rise in internet traffic, organizations can mistakenly believe that all traffic comes from legitimate sources. Not all internet traffic, however, comes from legitimate sources, and an increase in internet traffic could be a sign of a DDoS attack.
The signs of a DDoS attack resemble those of ordinary heavy legitimate traffic: unusually slow file opening or website access, an unavailable website, or an inability to reach a website at all. DDoS campaigns can last from minutes to hours, while others can go on for months and even years.
It’s important to be able to distinguish legitimate traffic from a DDoS attack. At the outset, malicious traffic can be detected and identified via a firewall or intrusion detection system. Signs of malicious network traffic include traffic from an unusual geographical location or from suspicious IP addresses.
It’s also important to note that a DDoS attack could simply be a diversionary tactic used by attackers to hide their main intention of conducting other malicious activities in your organization’s network.
Speak with our experts today to mitigate the DDoS risks. Protect your most valuable assets and keep cybercriminals at bay.
APT actors are actively targeting organizations involved in both national and international COVID-19 responses. These organizations include healthcare bodies, pharmaceutical companies, academia, medical research organizations, and local governments.
APT actors frequently target organizations in order to collect bulk personal information, intellectual property, and intelligence that aligns with national priorities.
The pandemic has likely raised additional interest for APT actors to gather information related to COVID-19. For example, actors may seek to obtain intelligence on national and international healthcare policy, or acquire sensitive data on COVID-19-related research.
Recently CISA and NCSC have seen APT actors scanning the external websites of targeted companies and looking for vulnerabilities in unpatched software. Actors are known to take advantage of Citrix vulnerability CVE-2019-19781, and of vulnerabilities in virtual private network (VPN) products from Pulse Secure, Fortinet, and Palo Alto.
A number of other mitigations will be of use in defending against the campaigns detailed in this report:
Steve E. Driz, I.S.P., ITCP