Thought leadership. threat analysis, news and alerts.
How to Prevent Account Takeover Attacks
Account takeover attacks – accessing someone else’s online account for malicious purposes – continue to be one of the fastest-growing security threats faced by organizations today.
Account takeover happens as a result of inadvertently exposing account login details or through malicious account takeover via botnets. The account takeover of an account owned by SSL certificate issuer Comodo is an example of account takeover as a result of inadvertently exposing account login details.
Netherlands-based security researcher Jelle Ursem told TechCrunchthat Comodo’s email address and password were inadvertently left exposed in a public GitHub repository owned by a Comodo software developer. This enabled Ursem to login to Comodo’s Microsoft-hosted cloud services containing sensitive information of the company. The said account wasn’t protected with two-factor authentication. Ursem said he contacted Comodo about the exposed account.
When contacted by TechCrunch, Comodo said, “The data accessed was not manipulated in any way and within hours of being notified by the researcher, the account was locked down.” Ursem, however, told TechCrunch, “This account has already been hacked by somebody else, who has been sending out spam.”
Account Takeover Botnets
While many malicious actors are opportunistic, that is, while many abused inadvertently exposed account login details, many just don’t wait for these opportunities to come. Many of today’s malicious actors are aggressively taking over accounts through botnets.
In the Sixth Annual Fraud Attack Index, Forter found that there had been a 45% increase in account takeover attacks by the end of 2018 compared to the beginning of 2017. One of the means by which malicious actors perpetuated account takeover attacks is thorough bots, Forter found.
“Fraudsters often try to hide their activities behind these devices [bots], flying under the radar of detection for most legacy fraud prevention systems, which are simply not equipped with sophisticated enough technology to pick up on the nuances of these behavioural indicators and the personas hiding behind them,” Forter said.
Botnet, also known as bot, refers to a group of computers infected with malicious software (malware) that allows an attacker to control this group of infected computers as one army for malicious activities. Many of these botnets have been used by attackers as an army for distributed denial-of-service (DDoS) attacks and illicit cryptocurrency mining. Malicious actors are increasingly using these botnets for account takeover attacks.
An account takeover botnet works by installing a credential cracking malware on compromised computers. These infected computers are then controlled by an attacker or attackers to login into an account of banking site, social network or email. Once the correct username and password combination is cracked, the account taken over is then used by attackers to steal money (in case of a banking site), steal confidential information such as credit card information, or purchase goods and services.
Between April 7th to April 22nd this year, Impervaobserved the account takeover attacks carried out by a botnet, composed of an enslaved army of 2,500 infected computers – with a corresponding 2,500 IPs overall – that attacked more than 300 sites while active. Each day during the attack period, 800 IPs were actively attacking 30 sites with 150,000 login attempts, Imperva found.
From the victim site perspective, each site was attacked for 7 hours by 500 IPs sending 7,000 login attempts with 7,000 different login details (usernames and passwords); and from a single site perspective, each botnet-controlled IP was responsible for approximately 14 login attempts during the attack time, or approximately 2 login attempts per hour, Imperva found.
The above-mentioned method of attack is called a “low and slow” attack – whereby the botnet enslaves a lot of computers, each sending only a small number of requests, to cover-up the attack as legitimate traffic. Distributing the account takeover attacks across many infected computers or IP addresses makes these attacks go without being detected.
The usernames and passwords used in the login attempts for account takeover attacks often come from credential cracking and credential stuffing. In credential cracking, every word in the dictionary is tried to crack the correct username and password combination. In credential stuffing, the attackers exploit users’ tendency to reuse passwords across multiple sites.
Credential stuffing was cited by StubHubas the reason why a “small number” of users’ accounts had been illegally taken over by fraudsters. In the StubHub case, attackers illegally took over 1,000 StubHub users’ accounts and used these compromised accounts to buy thousands of high-value tickets, including tickets to Justin Timberlake and Elton John concerts, Yankees baseball games, U.S. Open tennis matches and Broadway shows. The account takeover attackers then resold these tickets for a profit of more than a million dollars.
Traditional security solutions have proven to be ineffective in “low and slow” account takeover attacks using botnets. By using account takeover botnets, malicious actors spread the attack via thousands of compromised computers or IPs, making them go undetected for a long period of time.
Choosing a strong username and password combination via eliminating the use of dictionary words, using a unique username and password combination for every account and the use of multi-factor authentication are some of the best cyber security practices in preventing account takeover attacks.
Malicious actors, however, are always finding creative ways to crack those unique and strong usernames and passwords and even multi-factor authentication. An automated security solution that monitors abnormal access to these accounts is one of the mitigating measures against account takeover attacks.
When you need help minimizing cybersecurity risks, our team of experts will answer the questions you have and will help you protect your data. Contact ustoday.
The Importance of Facing Up to Cybersecurity Risks
A cybersecurity emergency has been declared across Louisiana, USA, after three public school districts were struck by a malware attack.
The cybersecurity danger hit Sabine, Morehouse and Ouachita, in North Louisiana, causing widespread concern. The Governor’s Office of Homeland Security and Emergency Preparedness put its crisis action team into motion quickly to handle the attack.
Sabine School District issued a statement, addressing the nature of the cybersecurity breach and their actions to fix it:
“The Sabine Parish School System was hit with an electronic virus [...[ this virus has disabled some of our technology systems and our central office phone system.”
According to the principal of Sabine Parish’s Florien High School, a ransomware virus had infiltrated their system and caused disruptions. The alarm was raised when the school’s technology supervisor noticed ‘unusually high bandwidth usage’.
Fortunately, Jones believes no sensitive information has been exposed during the attack, though everything stored on the School District’s servers was lost. This amounts to documents from across 17 years of Jones’s hard work, including schedules, speeches and more.
Taking Action, Addressing Issues Fast
While this is certainly a challenging situation for the three school districts, it appears the end result is nowhere near as terrible as it could have been. It’s clear everyone involved took decisive action when the suspicious activity was noticed, and the proper authorities were informed.
Plans for future protection and security measures are, apparently, being devised by state officials (in coordination with the FBI). But this case indicates just how important it is to face up to cybersecurity risks and take proper action to minimize the threat to systems.
Simply hoping hackers will miss or choose to ignore your business, organization, school etc. is simply not enough. Implementing effective defenses is the best way to safeguard your critical data, client information and financial details.
If any of these, and other types of vital data, become exposed by nefarious individuals, the clean-up could be a long, time-consuming, difficult process. The worst thing you can do in the event of a breach is sweep it under the carpet and try to contain any damage without raising the alarm.
Those involved in the Louisiana case alerted the proper parties and are dealing with the situation as best they can.
Yes, acknowledging that a cybersecurity attack took place does have the potential to affect your reputation and the trust people place in you. Yet it’s far better to be transparent and admit your cybersecurity measures may not have been quite as efficient as they should be than to lie.
The Problem of Ransomware and Preparing Your Team
Ransomware is, as our regular readers may know, a common choice of cyberattack for hackers. The Louisiana case is just one example of many.
The first ransomware was distributed by a biologist (Dr. Joseph Popp) in 1991: he sent floppy disks containing PC Cyborg Trojanto researchers, in an attempt to extort money.
Ransomware has come a long way since then, but while it has evolved in various ways, the aim remains the same.
Other notorious ransomware attacks include WannaCry, which was detected more than 250,000 times across 116 countries in 2017. This was designed to take advantage of a simple software defect, encrypting hard drive files to make them inaccessible — with the attackers only unlocking them after a bitcoin payment had been made.
The issue is, of course, that agreeing to pay a ransom doesn’t actually guarantee the people responsible will stick to their end of the deal. After all, why should they? If they’re willing to disrupt your daily processes, cost you money, damage your reputation and more, there’s no reason to believe they will do as they promise.
Prevention is, as the saying goes, better than cure. And that means taking steps to prepare your team for potential cybersecurity threats in their day-to-day work.
How can you do this?
Taking Steps to Protect Your System
Implementing security measures and processes to protect your system against breaches can be daunting, especially if you have no experience or real knowledge of this area.
It’s essential that you embrace the most cutting-edge cybersecurity software available and consult with experts. Professionals specializing in security measures and reinforcing systems will be able to identify the biggest dangers you face, how to defend against them and advise your team to be more vigilant.
In terms of training your staff, there are certain things you can try.
Raise cybersecurity issues and trends in regular meetings
Keep your employees updated on the latest cybersecurity hazards and techniques: make sure they understand what suspicious activities they should be aware of when responding to emails, downloading software or visiting websites.
Try to cultivate a more vigilant workforce and boost recognition of effective ‘safety first’ procedures. Get them into the habit of questioning links, emails and other potentially-infected elements when they’re not sure how safe they are.
Find time in a day to run a test exercise for your team. Act as if a cybersecurity attack has struck your system and have staff go through the motions of responding appropriately.
Do they know what to do if they spot the warning signs of an impending threat? Can they work as a cohesive team even when they’re not completely sure what’s happening? Work to make the answer to both a firm ‘yes’.
Everyone should know what role they have in the event of a cybersecurity breach. Perhaps they’re required to do nothing but sit tight and wait for business to resume as normal. Maybe they have to take an active part in informing clients of the situation or coordinating with security experts.
Having a formal plan means everyone involved can leap into action in the event of a crisis, saving valuable time and minimizing further disruption.
Knowing how to handle cybersecurity risks and attacks is fundamental for any business, organization or institution today. If you want to know more about protecting your system and taking effective action,contact our specialistsnow!
Mirai Malware Variants Increasingly Targeting Enterprise IoT Devices
Malware variants that evolved from the original Mirai malware are increasingly targeting enterprise IoT devices, putting at risk enterprise networks from being exploited for nefarious activities such as distributed denial-of-service (DDoS) attacks and illicit cryptocurrency mining, as well as putting at risk enterprise cloud architecture from additional malware and further compromise.
Tracking the Mirai
The original Mirai malware was created by Paras Jha, Josiah White and Dalton Norman. The 3 creators of the Mirai malware in due course were arrested and sentenced by U.S. authorities. Prior to their arrest and sentencing, the source code of the Mirai malware was publicly released. The publication of the source code propelled the creation of multiple versions of Mirai to propagate in the wild.
Mirai was first observed in the wild in 2016. The Mirai malware gained notoriety when the malware was used by the still unidentified attacker or attackers in launching a distributed denial-of-service (DDoS) attack on Dyn DNS, amajor dynamic DNS provider, which resulted in the widespread internet outages across the U.S. and Europe2016.
According to the IBM X-Force researchers, since 2016, there have been 63 Mirai variants observed in the wild. The researchers said that the multiple variants of Mirai have been used to perform nefarious activities such as DDoS attacks and illicit cryptocurrency mining.
In a DDoS attack, attackers overwhelm a target, such as a website or in the case of Dyn DNS, adynamic DNS provider, with voluminous traffic, bringing the target offline and rendering it inaccessible to legitimate users. Illicit cryptocurrency mining, meanwhile, refers to the use of the computing power without the knowledge and consent of the computer owner.
The Mirai malware variants are able to perform DDoS attacks and illicit cryptocurrency mining by infecting computers with security vulnerabilities and enslaving these infected computers to form as an army, also known as botnet, and perform activities such as DDoS or cryptocurrency or other activities according to the whim of the attacker controlling the botnet. The Mirai malware is a powerful tool for malicious actors as this malware allows them to automate the process of downloading any number of malware onto a large number of IoT devices.
Owners of IoT devices typically don’t consider these devices as computers. These devices are often installed and then forgotten. Unlike other computers such as desktops or laptops, IoT devices aren’t monitored for irregular behaviour, nor updated or their login details changed.
The original malware created by Jha, White and Norman infected hundreds of thousands of IoT devices, such as routers and security cameras and controlled these infected devices to form an army or a botnet to perform illegal activities such as DDoS attacks. The creators of the original malware were able to infect hundreds of thousands of IoT devices knowing that many IoT owners don’t bother to change the factory default logins details of these devices. The original Mirai uses 61 factory default login details in infecting IoT devices.
Enterprise IoT Devices at Risk
IBM X-Force researchers, which have been tracking Mirai campaigns since 2016, said that the Mirai variants’ tactics, techniques and procedures (TTPs) are now targeting enterprise IoT devices.
“Nowadays, enterprise IoT devices are everywhere, from instruments that monitor patients in hospitals, to wireless devices in smart meters that relay information to utility companies, to robots in warehouses that constantly deliver inventory information,” IBM X-Force researchers said. “Enterprises are increasingly dependent on IoT devices to run day-to-day operations, and attackers are well-aware of the growing attack surface.”
“As IoT devices become more common among households and large organizations, Mirai and its variants will continue to evolve to adapt to the changing environments and targets of its choice,” IBM X-Force researchers added.
The researchers observed that creators of the Mirai malware variants were dropping additional malware onto the infected devices, with cryptocurrency malware leading the way. Cryptocurrency malware, which steals the computing power of infected IoT devices to generate money for the attackers, are harmful to IoT devices as these devices are prone to overheating as these devices have little computing power compared to desktop or laptop computers with central processing unit (CPU) or graphics processing unit (GPU) resources. IBM X-Force researchers also observed that creators of Mirai malware variants were dropping steganography, which hides malicious code in images that trigger the download of additional malware.
The researchers also said that the Mirai malware variants pose a threat to cloud computing as IoT devices infected with Miral malware variants that are connected to cloud architecture could allow attackers to gain access to cloud servers. Once these malicious actors gain access to cloud servers, they could drop additional malware, the IBM X-Force researchers said.
In early 2009, researchers at Palo Alto Networks' Unit 42discovered a variant of the Mirai malware targeting WePresent WiPG-1000 Wireless Presentation systems and LG Supersign TVs–IoT devices used by businesses. Targeting IoT devices used by businesses, according to researchers at Palo Alto Networks' Unit 42, gives attackers a large attack surface as IoT devices used by businesses have larger bandwidth, giving the attackers greater firepower for attacks such as DDoS attacks.
As malicious actors are increasingly targeting enterprises IoT devices, it’s important to change the factory default usernames and passwords of these devices and to install the latest security update. If the IoT vendor no longer issues security updates or it isn’t possible to install security updates on these devices, it’s best to remove these devices from your organization’s network.
Get in touchwith our experts for additional threat information and to help you mitigate cybersecurity risks.
Disturbing Trend: More and More Ransomware Attack Victims Are Paying Ransom
UK's largest police forensics lab Eurofins reportedly paid ransom to ransomware attackers. The company joins the growing list of organizations that paid ransom to ransomware attackers.
The BBCrecently reported that Eurofins, UK's largest police forensics lab, paid an undisclosed amount to attackers after its computers were crippled by a ransomware attack. Eurofins Scientific, which has about 45,000 staff in more than 800 laboratories across 47 countries, is one of the global independent market leaders in testing and laboratory services for forensics. Eurofins Forensics Services, Eurofins Scientific's Forensics subsidiary which is based in the UK, is one of the primary forensic services providers to the UK police.
Last June 3, Eurofins Scientificdisclosed that during the first weekend of June 2019 (1stand 2ndJune) it fell victim to ransomware attack which caused disruption to many of its IT systems in several countries. The company said, in a statement, that from June 4th, it was able to “resume full or partial operations for a number of impacted companies and continue to do so every day”. As of June 17th, the company said, the vast majority of affected laboratories’ operations had been restored.
The ransomware involved, Eurofins Scientific said, appears to be a new ransomware variant which was “initially non-detectable by the anti-malware screen of our leading global IT security services provider at the time of the attack and required an updated version made available only hours into the attack”.
In a ransomware attack, a malicious actor or actors lock out legitimate users of IT systems or computer files through encryption (the process of converting plain texts to codes so that only people with access to a secret key, also known as decryption key, can access it). Ransomware attackers demand from their victims to pay ransom in exchange for the decryption keys that would unlock the encrypted IT systems or computer files.
Growing List of Ransomware Victims Paying Ransom
Eurofins Scientific joins the growing list of ransomware victims paying ransom. Two cities in Florida, U.S. and 2 towns in Ontario, Canada publicly admitted that they paid ransom to ransomware attackers.
Last June 17th, the City Council of the City of Riviera Beach, Florida unanimously approved the payment of ransom to ransomware attackers. A total of 65 bitcoins was paid to the ransomware attackers, equivalent to approximately $600,000 at the time of the ransom payment approval.
A few days after the ransom payment approval of the City Council of Riviera Beach City, another city in the Florida state Lake City paid its own ransomware attackers ransom. Lake City Mayor Stephen Witt told a local mediathat Lake City will pay cyber attackers USD $460,000 to get its computer system back. “I would’ve never dreamed this could’ve happened, especially in a small town like this,” the Lake City Mayor said.
Two towns in Ontario, Canada, the Town of Wasaga Beach and Town of Midland, have also publicly admitted that they paid ransom to ransomware attackers. Jocelyn Lee, Director of Finance and Treasurer of the Town of Wasaga Beach, reported to the City Council of Wasaga Beach that on April 30, 2018 the Town’s computer system was infected with a malicious software (malware) that left all of the Town’s data locked. Lee said the Town ended up paying the ransomware attackers 3 bitcoins, equivalent to $34,950 Canadian at the time of the ransom payment.
The Town of Midland, Ontario, meanwhile, in a statement said that on September 1, 2018, the Town's network was infected with ransomware. The Town said that it paid an undisclosed amount to the ransomware attackers in exchange for the decryption keys. In paying the ransom, the Town of Midland said, “Although not ideal, it is in our best interest to bring the system back online as quickly as possible.”
To date, South Korean web hosting company Nayanaholds the record of paying the most expensive ransom, totaling 397.6 bitcoins, valued USD$1.01 million at the time of the ransom payment.
Prevention & How to Recover from Ransomware Attacks
All ransomware victims that decided to pay ransom have one thing in common: They all failed to conduct regular back-up of their critical data. Organizations that diligently conduct regular back-up of critical data, in time of crisis, such as ransomware attack, can simply ignore the attackers’ ransom demand.
Paying the ransom also doesn’t guarantee that attackers will hand over the correct decryption keys that will unlock encrypted IT systems or computer files. Paying the ransom could instead encourage the attackers to launch another ransomware attack or the attackers could increase their ransom payment demand, knowing that organizations will likely consider paying the amount.
While conducting regular back-up of critical data is important, implementing cybersecurity measures that prevent ransomware attacks are equally important as well. The UK's National Cyber Security Centre (NCSC)recently issued a Ryuk Ransomware Advisory. Ryuk is a particular type of ransomware that was first observed in the wild in August 2018. It has since been responsible for multiple attacks worldwide. This ransomware, in particular, targets its victims and ransom payment is set based on the target’s perceived ability to pay.
NCSC recommends the following measures in order to prevent ransomware attacks, in particular, Ryuk ransomware attacks:
You don’t need to face cybercriminals alone. When you need help, our team of professionals is ready to assist and help you mitigate risks, recover, and proactively secure your data. Contact ustoday and stay safe.
Why Organizations Need To Secure Microsoft Office Settings
The latest discovery of a flaw in Microsoft Excel by researchers at Mimecast shows the importance of securing your organization’s Microsoft Office settings.
Researchers at recently released a proof of concept demonstrating that a flaw in Microsoft Excel could allow a malicious actor to access someone else's computer and launch a cyber-attack, no matter where this computer is located. Mimecast researchers said that Power Query, a feature in Excel that lets users integrate their spreadsheets with other data sources, such as an external database or a web page, could allow attackers to “embed malicious content in a separate data source, and then load the content into the spreadsheet when it is opened”. Mimecast researchers added, “The malicious code could be used to drop and execute malware that can compromise the user’s machine.”
According to Mimecast researchers, Power Query is a powerful tool within Microsoft Excel that if exploited, can be used to launch . In a DDE attack, a malicious actor exploits DDE – a protocol in Windows which was first introduced in 1987 and currently used by thousands of applications such as Microsoft Excel.
The researchers added that attacks that exploit Power Query are hard to detect by anti-virus or anti-malware security solutions. “Using the potential weakness in Power Query, attackers could potentially embed any malicious payload that as designed won’t be saved inside the document itself but downloaded from the web when the document is opened,” the researchers said.
Dynamic Data Exchange (DDE) Attacks
Researchers have known about DDE vulnerabilitysince 2014, finding that “by specifying some creative arguments and a magic number, it’s possible to craft a ‘link’ that hijacks the computer of whoever opens the document”.
In May 2016, researchers at SensePostdemonstrated that DDE attack can be done in Microsoft Excel. In October 2017, researchers at SensePost demonstrated that DDE attack can be done in Microsoft Word.
In November 2017, reported that the threat Group known as “APT28” slipped a malware into a malicious Word document with a subject heading that cites of a then-recent terrorist attack in New York City. McAfee said this Word document leveraged the Microsoft Office Dynamic Data Exchange (DDE) attack technique.
According to McAfee, the malicious Word document itself is blank and once the document is opened, the document contacts a control server that drops the malware called “Seduploader” onto a victim’s computer. Seduploader is a first-stage malware deployed for the purpose of conducting reconnaissance on a network before dropping a second-stage malware.
To successfully launch a DDE attack, McAfee said, an attacker only needs to convince a user to click through a few dialogs, which would evade the latest macro-based document mitigations. “DDE can be used to launch scripts and executables from the command line by inserting the DDE field in the Office document,” McAfee said.
In an email attack scenario, Microsoft, for its part, said that an attacker could exploit the DDE protocol by sending a specially crafted attached file to the user and then convincing the user to open the attached file. “The attacker would have to convince the user to disable Protected Mode and click through one or more additional prompts,” Microsoft said.
How to Mitigate Microsoft Office Settings Risk
Microsoft, in a statement to Threatpost, said that the proof of concept of the Mimecast researchers was reviewed but in order for the concept to work, a victim “would need to be socially engineered to bypass multiple security prompts prior to loading external data or executing a command from a DDE formula”. Because of this finding, Microsoft didn’t release a patch for this security vulnerability.
Microsoft issued the following mitigating measures in order to protect your organization from DDE attacks:
1. Keep Your Microsoft Office Up-to-Date
The December 12, 2017 security updatein Microsoft’s Office disables the Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word.
2. Disable DDE Protocol in Microsoft Excel
Microsoft, however, hasn’t disabled DDE in Microsoft Excel. In the security advisory "Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields", Microsoft noted that Excel, in particular, depends on the DDE feature to launch documents. "Disabling this feature could prevent Excel spreadsheets from updating dynamically if disabled in the registry,” Microsoft said. “Data might not be completely up-to-date because it is no longer being updated automatically via live feed. To update the worksheet, the user must start the feed manually. In addition, the user will not receive prompts to remind them to manually update the worksheet.”
As early as 2007, Raymond Chen, who has been involved in the evolution of Windowsfor decades, said that "there is no technological reason for you to use DDE”. Chen, however, said that even if there’s no technological reason for you to use DDE, “you still have to be mindful of whether your actions will interfere with other people who choose to”.
3. Exercise Caution When Opening Suspicious File Attachments
As email attachments are a primary method by DDE attackers to spread malware, Microsoft recommends that users exercise caution when opening suspicious file attachments.
Steve E. Driz, I.S.P., ITCP