Thought leadership. threat analysis, news and alerts.
CDW Report Reveals Canadian Businesses Make Cybersecurity Top IT Priority
A new report by CDW Canada reveals almost half of businesses(47 percent) questioned have increased their expenditure on cybersecurity in the past year.
Their responses make for reassuring reading, though there is still some way to go before all of Canada’s businesses have the safeguards they need in place. With so many day-to-day operations performed online and a plethora of sensitive data stored in the cloud, effective cybersecurity should be a priority for every single company.
Other key takeaways from the survey:
That 17 percent of respondents being totally unsure whether a plan has even been drawn up or not is concerning. It’s vital for management teams to recognize the level of vulnerability they may create within their organizations in if they fail to take the appropriate action and protect their infrastructures from threats. While it’s easy to let a hectic schedule and growth overshadow any potential pitfalls, the risk is simply too big to ignore. No business can afford to be complacent or assume they are too small (or successful) to target.
What Do Canadian Businesses Consider the Biggest Cyber Threat?
The CDW report showed 24 percent of businesses questioned view the proliferation of malware a leading concern. Others were data theft (prioritized by 19 percent) and the safety of cloud storage (15 percent). All three risks have the power to cause severe problems for companies of all sizes, in all industries.
It’s good to see businesses aware of key cybersecurity hazards and being able to distinguish between them, but hackers employ increasingly sophisticated tools and tricks to infiltrate businesses’ systems, potentially even lurking undetected for weeks or months. They are able to gather critical information related to their employees, their customers, their operations, their secrets and more. Businesses affected by such covert breaches are left incredibly exposed and may be unable to actually recover if they fail to take action soon enough.
Yet not all cybersecurity dangers come from outside. Businesses must be aware of external and internal threats to their safety (and that of their customers). It may be hard to imagine someone within your organization having the audacity to endanger the security of their colleagues, employers and clients by allowing data to fall into the wrong hands — but, sadly, it does happen.
In recent weeks, Desjardins (North America’s biggest federation of credit unions) revealed that close to 3 million members’ datahad been leaked by an employee, affecting some 170,000+ businesses. Desjardins admitted it’s possible such personal details as full names, dates of birth, social insurance numbers, banking activities and email addresses were shared. It’s believed, though, that PINs, passwords and security questions were not leaked.
Tackling Internal Cybersecurity Threats
That Desjardins’ woes resulted from the actions of an employee demonstrates how vulnerable data may be even when organizations believe their system is well protected. Businesses can invest in the most cutting-edge technology and training to reinforce their safety, but if they aren’t aware of which employees may have a grudge (or simply lack the training to perform duties safely) breaches can still occur.
The Desjardins employee responsible has since been let go, but that’s unlikely to be of much comfort to the people whose sensitive information was shared without permission. This event could have an ongoing impact on Desjardins as a whole: members’ confidence may drop, prompting them to consider alternatives — potentially costing Desjardins in the long run.
Still, it’s incredibly hard for businesses to know exactly which members of their workforce could be planning to leak data or open the system up to cyberattacks, short of monitoring every single phone call, every interaction with colleagues and their every movement on the premises.
But effective training can make a positive impact and encourage a more vigilant, aware, loyal team. Educating staff on the variety of cybersecurity risks the company faces, where they originate and how they can be combated is essential. It’s vital to give them the means to share concerns with management if they believe someone may be planning to reveal sensitive information or share access details with unauthorized parties.
They may find speaking up about the people they work with every day difficult, but it’s in everyone’s best interests. After all, if a breach or attack is damaging enough, employees’ jobs may be at risk.
The Importance of the Right Training
The right training minimizes the threat of accidental cybersecurity problems. Workers may not recognize phishing scams and expose the entire network to threats, or they could download infected software. The list goes on and on. Even the smallest mistake can have lasting ramifications.
With more Canadian companies investing in their cybersecurity measures, it’s fair to assume training will improve too. But it’s not just about training: businesses have to take their security seriously, and that means equipping themselves with the most effective safeguards. A comprehensive vulnerability assessment will identify potential flaws in your system’s security, revealing how prone your company may be to attacks.
The Driz Group offers free vulnerability assessments for businesses of all sizes, helping you start on the journey to a safe, stronger cybersecurity procedure. Our Managed Cyber Security Services provide cloud-based and on-premise protection, reduce the likelihood of a data breach and fill any gaps that may be discovered. This allows you to just sit back, relax and focus on running your business while the experts keep it safe.
Want to learn more about how our Managed Cyber Security Services can help your organization? Have questions? Please don’t hesitate to contact our friendly team of expertstoday!
NASA’s Jet Propulsion Laboratory (JPL) Hacked for 10 Months
The Office of Inspector General of the National Aeronautics and Space Administration (NASA) recently revealed that the Jet Propulsion Laboratory (JPL), the center of NASA’s interplanetary robotic research efforts, was hacked for 10 months.
According to NASA's Office of Inspector General, JPL, being the center of NASA’s interplanetary robotic research efforts, maintains wide public internet-facing IT systems that support missions and networks that control spacecraft, collect and process scientific data and perform critical operational functions. Despite efforts to protect these public internet-facing IT systems, NASA's Office of Inspector General said that critical vulnerabilities remained, resulting in a cyber-attack on JPL’s network which started in April 2018.
This April 2018 attack, NASA's Office of Inspector General said, remained undetected for 10 months resulting in the exfiltration of approximately 500 megabytes of data from 23 files, 2 of which contained “International Traffic in Arms Regulations information related to the Mars Science Laboratory mission”.
How JPL’s Network Was Hacked and Lessons Learned
The April 2018 attack on JPL’s network, NASA's Office of Inspector General found, started when an unauthorized Raspberry Pi connected to its network. Raspberry Pi is a credit card-sized computer that’s capable of doing everything a desktop computer can do, from browsing the internet to playing games. The audit report showed that the malicious Raspberry Pi found its way into JPL’s network through the following series of events:
1. Incomplete and Inaccurate System Component Inventory
The report of NASA's Office of Inspector General showed that the malicious Raspberry Pi found its way into JPL’s network as JPL had incomplete and inaccurate information about the types and location of NASA system components and assets connected to its network.
One of the cybersecurity best practices, in order to prevent authorized intrusions into a network, is by having a complete and accurate inventory of all devices connected to this network. This inventory is essential in effectively monitoring, reporting and responding to cybersecurity incidents. Benefits of proper inventory of assets on the network include vetting and clearing by security officials of assets prior to connecting to the network, timely patches and tracking of valuable assets and data stored on these assets.
2. Inadequate Segmentation of Network Environment Shared with External Partners
Due to the nature of JPL’s work, its partners, including foreign space agencies, contractors and educational institutions are allowed remote access to its network for specific missions and data. Network segmentation creates barriers that attackers can’t cross as these barriers eliminate connections to other systems.
According to NASA's Office of Inspector General, the April 2018 cyber-attack exploited the lack of segmentation of JPL’s network, enabling the attacker to move between various systems connected to the network. In May 2018, NASA's Office of Inspector General said, IT security officials at the Johnson Space Center (Johnson), which handles programs such as the Orion Multi-Purpose Crew Vehicle and International Space Station, decided to temporarily disconnect from the JPL’s network due to security concerns. “Johnson officials were concerned the cyber-attackers could move laterally from the gateway into their mission systems, potentially gaining access and initiating malicious signals to human space flight missions that use those systems,” NASA's Office of Inspector General said.
3. Untimely Patch Application
Patches, also known as security updates, fix known security vulnerabilities. Attackers often exploit known security vulnerabilities with available patches, believing that certain population delays the application of these patches for days, and some even for months or years.
According to NASA's Office of Inspector General, JPL didn’t apply the patch that fixes a known software vulnerability first identified in 2017, with a critical score of 10. A security vulnerability with a critical score of 10 means that this vulnerability is at the top of the vulnerability chain. This 2017 security vulnerability, the NASA's Office of Inspector General said, was only patched in March 2019 and during the April 2018 cyber-attack, one of the JPL’s four compromised systems hadn’t been patched for the said vulnerability in a timely manner, resulting in the exfiltration of 23 files containing approximately 500 megabytes of data.
4. Delayed Response to the Attack
After detection of a cyber-attack, the next logical steps are containment and eradication. Containment strategies include performing a system shutdown, disconnecting a system from the network and identifying all attack paths. Eradication strategies, meanwhile, include assessment and analysis of exploited vulnerabilities, removal of malware and affected files, and application of security patches. “Most of these steps [containment and eradication] require sophisticated forensic expertise and tools that when not available in-house should be in place through service agreements with specialized providers,” NASA's Office of Inspector General said.
Although JPL had disabled the account targeted by the adversary and closed off the known path of attack, NASA's Office of Inspector General said the NASA Security Operations Center requested an independent assessment from the Department of Homeland Security (DHS) United States Computer Emergency Readiness Team (US-CERT) to determine the extent of the attack and totally remove the adversary from JPL’s network. NASA's Office of Inspector General added that as JPL was unfamiliar with DHS’s standard engagement procedures, DHS was only able to perform scans of the entire JPL’s network 4 months after the cyber-attack was detected.
“Once DHS performed the scans, it determined there were no other attack paths and deemed the network clean; however, the delay in executing the eradication steps left NASA data and systems vulnerable to potential additional harm,” NASA's Office of Inspector General noted.
Your business may suffer the same fate if left unprotected. More importantly, to truly understand the state of your cyber defences, you must perform an IT security audit.
Call us todayand find out if your business is well protected.
Another Canadian City Falls Victim to Phishing Email, Loses Half a Million Dollars as a Result
The City of Burlington, Ontario recently revealed that it fell victim to a phishing email, resulting in the loss of the City’s funds worth half a million dollars.
In a statement, the City of Burlingtonsaid that phishing email was sent to City staff requesting for the change of the banking account information of an established City vendor. As a result of the phishing email, the City said, a single wire transfer of funds worth approximately half a million dollars was sent to the bank account controlled by an unknown attacker or attackers last May 16.
The City said it only discovered it was a victim of fraud last May 23. The cyber incident has been reported to authorities and criminal investigations are underway by the appropriate authorities, the City said.
What Is Phishing Email?
Phishing emails are malicious emails used by cyber-attackers to launch attacks against their victims. Traditional phishing email contains a malicious attachment, that is, when clicked, downloads and installs malware into the victim’s computer. Traditional phishing email may also contain a malicious link, that is, when clicked leads to a malicious website that hosts malware and from there, the malware is downloaded and installed into the victim’s computer.
In recent years, cyber-attackers have weaponized the emails to commit fraud, known as Business Email Compromise (BEC). BEC attackers target small, medium and large organizations, as well as individuals. Prior to sending the phishing emails, BEC attackers monitor and study their selected victims.
Targeted organizations and individuals are those that regularly perform wire transfer payments. In a BEC attack, an email address of a high-level employee or an executive involved with wire transfer payments are either spoofed or compromised, resulting in the loss of funds.
According to the Federal Bureau of Investigation (FBI), as of July 12, 2018, BEC became a 12 billion dollar scam. The FBI said that from October 2013 to May 2018, a total of 78,617 BEC incidents were reported worldwide, with loss to this scam amounting to US$12.5 billion.
In April this year, another Canadian city, the City of Ottawa, revealed that it fell victim to a similar attack. Based on the report released by the Office of the Auditor General of the City of Ottawa, on July 6, 2018, the City Treasurer received an email which appeared to be from the City Manager.
This email, which was later identified as a spoofed email, requested that a wire transfer in the amount of US$97,797.20 be processed for the completion of an acquisition. On the same day the spoofed email was received, with the City Treasurer’s approval, US$97,797.20 was sent to the bank account controlled by malicious actors.
The said amount was transferred from one bank account to another, with a portion of the amount ending up in one of the bank accounts monitored by the U.S. Secret Service. The City of Ottawa was contacted by the U.S. Secret Service that the funds had been seized. The City of Ottawa, through its City Solicitor, filed a petition before the U.S. Government, asserting the City’s claim on the seized funds. It’s still unclear how much would the City of Ottawa eventually recover.
Spoofed and Compromised Emails
BEC attackers trick their victims into wiring funds into bank accounts they control by spoofing or compromising email accounts belonging to persons in authority, in particular, those in charge of approving the release of funds. Email spoofing refers to the sending of an email which is made to appear as though it was sent by someone other than the actual sender.
Many BEC attackers purchase a domain name similar to the target organization’s domain in order to own an email address that closely resembles the target organization, for instance, “xocompany.com” is similar to “xoc0mpany.com”. Attackers send this spoofed email hoping that the receiver wouldn’t notice the wrong email address.
Email spoofing can also be achieved by an attacker by manipulating the visible email header. Each email contains two headers, one visible and the other one that isn’t readily visible. The visible header shows the typical "From" which contains the email address of the sender.
This visible header can be changed by the attackers, that is, it can show a correctly-spelled email address that’s familiar to the email receiver. If the email receiver checks the not readily visible header, also known as “SMTP envelope”, the real email address of the malicious sender can be seen.
BEC attackers also launch their phishing emails by compromising legitimate emails, for instance, an email address of the organization’s CEO. BEC is also known as “CEO scam” because of the growing spoofing and compromised of CEO emails.
In a compromised email, the attackers gain total access to a legitimate email account. One way an attacker gains unauthorized access to a legitimate email is through another phishing email, tricking the victim to click on the malicious attachment or link, resulting in the installation of malware into the victim’s computer.
An example of malware is the keylogger – a type of malware that records every keystroke made by a computer user, capturing information such as usernames and passwords to emails and sending these data remotely to the attackers. Armed with these stolen login details, attackers can then access the victim’s email. From this compromised email, attackers can send an email ordering a lower-ranked employee in charge of releasing funds to proceed with the bogus wire transfer.
When you need assistance protecting your business from phishing attacks, help is a phone call away. Connect with ustoday and take a step forward to better cybersecurity posture.
Hong Kong Privacy Watchdog Orders Cathay to Overhaul IT Systems Over 2018 Data Breach
Hong Kong’s Privacy Commissioner for Personal Data Stephen Kai-yi Wong has ordered Cathay Pacific Airways Limited and Hong Kong Dragon Airlines Limited, collectively referred to as Cathay, to overhaul its IT systems containing personal data of its customers over the 2018 data breach which affected approximately 9.4 million passengers from different parts of the world.
On October 24, 2018, Cathay notified both the public and Hong Kong’s Privacy Commissioner for Personal Dataover the detected suspicious activity on its network on March 13, 2018. According to Cathay, approximately 9.4 million Cathay passengers, specifically those who availed the company’s frequent flyer programs Asia Miles and Marco Polo Club as well as registered users of Cathay from over 260 locations worldwide were affected by the cyber incident. The affected personal data of Cathay passengers include name, flight number and date, title, email address, membership number, address and phone number.
Customers of both Cathay Pacific Airways Limited and Hong Kong Dragon Airlines Limited, also known as Cathay Dragon, were affected as Cathay Pacific managed and provided information management services to Cathay Dragon. With this set-up, personal data of Cathay Dragon’s passengers reside on Cathay Pacific’s IT System.
The “Data Breach Incident Investigation Report” publicly released by Hong Kong’s Privacy Commissioner for Personal Data – with many of the data coming from the disclosure of Cathay itself – identified three cyber incidents on Cathay systems: keylogger attack in October 2014, exploitation of a known security vulnerability attack in August 2017 and brute force attack in March 2018.
The earliest evidence of keylogger malicious software (malware) activity on the company’s system was on October 15, 2014. In keylogging, every keystroke made on a computer, such as usernames and passwords, is captured and these captured data are automatically sent to the attackers for criminal exploitation. It wasn’t known how the unknown attacker or attackers initially intrude the company’s system that led to the dropping of the keylogger malware.
Valid user account login details stolen via the keylogger malware, according to the report, enabled the attackers to move further into the company’s network and dropped additional tools to steal domain credentials.
Exploitation of Known Vulnerability Attack
The earliest evidence of suspicious activity where it was found that the attackers exploited a known vulnerability on the company’s internet facing server was on August 10, 2017. The exploitation of this known vulnerability allowed the attackers to bypass authentication and gain administrative access to the company’s internet facing server.
Exploiting the known vulnerability also allowed the attackers to move laterally inside the company’s IT system and install malware and credential harvesting tools. It wasn’t disclosed what particular vulnerability on the company’s internet facing server was exploited. It was, however, revealed that this particular security vulnerability was publicly known as early as 2007.
Brute Force Attack
The earliest evidence of brute force attack on the company’s system was on March 13, 2018 which resulted in approximately 500 staff users being locked out of their user accounts. In a brute force attack, a cyber attacker attempts to crack the correct username and password using a trial and error approach. There are currently brute force attack tools available to attackers that automate the process of guessing the correct username and password using thousands of commonly used usernames and passwords.
Even as the keylogger attack which happened in October 2014, exploitation of a known security vulnerability attack in August 2017 and brute force attack in March 2018, Cathy only informed the public and Hong Kong’s Privacy Commissioner for Personal Data about the suspicious activity on its network on October 24, 2018. In Hong Kong, however, there’s no law that mandates organizations such as Cathay to notify within a prescribed period of time the Privacy Commissioner for Personal Data and the data subjects of a data breach.
“Cathay did not take all reasonably practicable steps to protect the Affected Passengers’ personal data against unauthorised access in terms of vulnerability management, adoption of effective technical security measures and data governance, contravening DPP 4(1) of Schedule 1 to the Ordinance [Hong Kong’s Personal Data Ordinance],” Wong said.
The Commissioner, in particular, found Cathay had not taken reasonably practicable steps not to expose the administrator console port of its internet facing server which opened the door for attackers. “Cathay should have applied effective multi-factor authentication to all remote access users for accessing its IT System involving personal data,” The Commissioner said.
Data Breach Prevention
Under Hong Kong’s Personal Data Ordinance, if after an investigation, the Privacy Commissioner for Personal Data finds that a data user is contravening or has contravened a requirement under the Ordinance, the Commissioner may serve on the data user an Enforcement Notice to prevent recurrence of the lapses. The Commissioner’s Enforcement Notice directed Cathay to engage an independent data security expert to “overhaul the systems containing personal data to the effect that these systems are free from known malware and known vulnerabilities”.
The Commissioner also directed Cathay to implement effective multi-factor authentication to all remote users for accessing the company’s IT System involving personal data and to conduct a regular review of remote access privileges.
In order to prevent Cathay-like data breach, it’s also important to keep all your organization’s software, especially server operating systems up-to-date, as attackers typically try to exploit known software security vulnerabilities.
Navigating the world of cybersecurity can be difficult for many businesses, including large enterprises.
Canada’s Anti-Spam Legislation (CASL) Goes After Malware Distributors
Canada’s Anti-Spam Legislation (CASL), the federal law which took effect in 2014, proves to be more than an anti-spam legislation with the recent application of the law of going after malicious actors spreading malicious software (malware).
The Canadian Radio-television and Telecommunications Commission (CRTC), in tandem with the Royal Canadian Mounted Police (RCMP), on March 27, 2019 executed a warrant at the home of a Toronto software developer behind the remote access trojan (RAT) called “Orcus”. Remote access trojan, in general, is a type of malware that facilitates covert and unauthorized remote access, enabling a malicious actor to access someone else's computer, no matter where this computer is geographically located, and make changes to this computer without the owner’s consent.
What Is Canada’s Anti-Spam Legislation (CASL)?
Canada’s Anti-Spam Legislation (CASL), which amended the Canadian Radio-television and Telecommunications Commission Act, covers more than just spam emails. Pertinent provisions of the law include:
Section 6: It is prohibited to send or cause or permit to be sent to an electronic address a commercial electronic message unless the person to whom the message is sent has consented to receiving it, whether the consent is express or implied.
Section 7: It is prohibited, in the course of a commercial activity, to alter or cause to be altered the transmission data in an electronic message so that the message is delivered to a destination other than or in addition to that specified by the sender, unless the alteration is made with the express consent of the sender or the person to whom the message is sent; or the alteration is made in accordance with a court order.
Section 8: A person must not, in the course of a commercial activity, install or cause to be installed a computer program on any other person’s computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless the person has obtained the express consent of the owner or an authorized user of the computer system; or the person is acting in accordance with a court order.
Section 9: It is prohibited to aid, induce, procure or cause to be procured the doing of any act contrary to any of sections 6 to 8.
The maximum penalty for violating CASL is $1,000,000 in the case of an individual, and $10,000,000 in case the violator is an organization.
What Is Orcus RAT?
While authorities refused to name the subject of the March 27, 2019 CRTC warrant, the person who calls himself “Armada” said in a statement that his organization called “Orcus Technologies” was the subject of the said warrant. Since early 2016, Orcus Technologies has marketed Orcus RAT as a legitimate remote administration tool – a software that gives a person full access to a computer as if the person had physical access to the device.
Armada said authorities seized numerous backup hard drives which contained a large portion of Orcus Technologies business, including user information inclusive of user names, real names and financial transactions. As a result of the seizure, Armada said Orcus RAT is no longer a “safe or secure solution to Remote Administrative needs”.
One stand out feature of the Orcus RAT is its capability to load custom plugins built by users, as well as plugins that are available from the Orcus repository. While Orcus Technologies claims that Orcus RAT is a legitimate remote administration tool, it listed on its website capabilities that are beyond the scope of a legitimate remote administration tool such as disabling the light indicator on webcams in order not to alert the target that it’s enabled; restarting the server component or triggering a Blue Screen of Death (BSOD) if someone tries to kill its process and a plugin that can be used to perform distributed denial-of-service (DDoS) attack.
Orcus RAT also features capabilities such as password retrieval and key logging that are normally not seen in legitimate remote administration tools but only seen in remote access trojans, which facilitate covert and unauthorized remote access.
One such remote access trojan, which facilitates the installation of the Orcus RAT, was unleashed in December 2017 via a phishing campaign – a type of cyber-attack that uses spam emails as a weapon. The said spam emails arrived at the email inboxes of targeted bitcoin investors offering Gunbot, a trading automation software for cryptocurrencies. These spam emails contained an attachment. Analysis by researchers at Fortinetshowed that when this attachment is clicked by the recipient, it downloads from a specific URL a file that contains the malware and embedded in this malware is the Orcus RAT.
The Orcus RAT malware in this case, Fortinet researchers said, resulted in the loss of cryptocurrency investments and more. “In our investigation of Orcus RAT, we have again proven again that its capabilities go beyond the scope of a harmless administration tool,” the researchers said. “Regardless of the developer’s claim and defense, the reality is that the application is being used in cybercrime campaigns.”
CRTC Director Neil Barratt told KrebsOnSecuritythat CASL gives authorities a leeway to get malicious actors off the networks in Canada and elsewhere as the burden of proof required in CASL is lower than a criminal conviction.
“We’re dealing with a lower burden of proof than a criminal conviction, and CASL gives us a little more leeway to get bad actors off our networks in Canada and to ultimately improve security for people here and hopefully elsewhere,” Barratt said. “We have great power in CASL and Section 9 makes it a violation to aid in the doing of a violation. And this extends quite broadly, across email service providers and various intermediaries.”
Steve E. Driz