Thought leadership. threat analysis, news and alerts.
How to Find Out If Your Organization’s Resources Are Illicitly Used for Crypto Mining
Ukraine’s National Nuclear Energy Generating Company, also known as Energoatom, a state enterprise operating all four nuclear power plants in Ukraine disclosed that a recent search carried out inside one of Ukraine’s nuclear power plants revealed that a power plant employee had installed his own computer equipment inside the plant for cryptocurrency mining. This incident shows the danger of employees stealing their employers’ resources for cryptocurrency mining.
What Is Cryptocurrency Mining?
Cryptocurrency mining, also known as crypto mining, is the process of validating transactions and for these transactions to be added to the list of all transactions known as the blockchain. Anyone with a computer and an internet connection can become a cryptocurrency miner.
Some cryptocurrencies can be mined using small and low processing power computers such as Raspberry Pi. Other cryptocurrencies such as Bitcoin can only be mined using specialized computers with high computing power. In exchange for the computing power and electricity used for mining, miners get rewarded with cryptocurrency.
As cryptocurrency mining is power-hungry, especially the top cryptocurrencies like Bitcoin, high electricity bill is one of the obstacles why many don’t venture into this field. To remedy this high electricity bill hurdle, malicious actors illicitly steal power from their employers and even from strangers. Aside from stealing electricity, malicious actors also steal from employers or strangers computing power of computers that can process a significant amount of data faster than ordinary computers.
The illicit stealing of electricity at one of Ukraine’s nuclear power plantsisn’t the first time that an employee has been caught stealing an employer’s resources for cryptocurrency mining. In February 2018, nuclear weapons engineers at the All-Russian Research Institute of Experimental Physics were arrested for mining cryptocurrencies at the workplace.
Unlike the cryptocurrency mining at one of Ukraine’s nuclear power plants which only stole the plant’s electricity as the accused installed his own computer equipment, the crypto mining incident at the All-Russian Research Institute of Experimental Physics used not only the facility’s electricity but the office computer as well. Tatyana Zalesskaya, head of the research institute’s press service confirmed to Interfaxthat there had been an unauthorized attempt to the institute’s “computing power for personal purposes, including for the so-called mining”.
Employees aren’t the only one interested in your organization’s computer power for crypto mining, unknown external attackers are also after your organization’s computer power. Attackers steal computing power in the process called “cryptojacking”.
In cryptojacking, malicious actors, which could be either be insiders or outsiders, in order to earn cryptocurrency, install a crypto mining software into vulnerable systems, including websites, operating systems or public cloud accounts.
In February 2018, researchers at RedLockreported that Tesla was once a victim of cryptojacking. “The hackers had infiltrated Tesla’s Kubernetes console which was not password protected,” researchers at RedLock said. “Within one Kubernetes pod, access credentials were exposed to Tesla’s AWS environment which contained an Amazon S3 (Amazon Simple Storage Service) bucket that had sensitive data such as telemetry. In addition to the data exposure, hackers were performing crypto mining from within one of Tesla’s Kubernetes pods.”
In May this year, researchers at Guardicore Labsreported that over 50,000 servers belonging to companies in the healthcare, telecommunications, media and IT sectors were compromised for crypto mining.
Illicit crypto mining isn’t only a threat to large organizations or businesses. This type of attack also threatens small and medium-sized organizations. In late 2018, a school principal in China was fired after stealing the school’s electricity to mine cryptocurrency. The South China Morning Postreported that the fired school principal deployed inside the school 8 computers used for mining the cryptocurrency Ethereum for about a year, racking up an electricity bill of 14,700 yuan, equivalent to US$2,120.
Ways to Monitor Crypto Mining and Preventive Measures
Here are some security measures in order to monitor crypto mining activities within your organization’s premises and also ways to prevent this threat to occur in your organization:
An unusual increase of electric bill is a sign that computers operating within your organization’s premises are being used for cryptocurrency mining.
Somewhere lurking in your organization’s premises could be computers used for cryptocurrency mining and racking up your organization’s electricity bill.
If your organization’s computers are functioning a bit slower than usual, this could be a sign that your organization’s computers are being used for illicit cryptocurrency mining.
Malicious actors in recent months have learned how to be stealthy in their crytojacking activities, such as mining only cryptocurrencies that use less computer power and electricity to deflect suspicion. For instance, the crytojacking incident which compromised 50,000 servers reported by Guardicore Labs in May this year, mined a relatively new cryptocurrency called “Turtlecoin”, a cryptocurrency that can be mined even in small and low processing computers such as Raspberry Pi.
Monitoring network traffic is one of the ways in discovering this type of stealth crytojacking activities. Access to your organization's network from unknown locations and during non-working hours are telltale signs of a network compromise and possible illicit cryptocurrency mining.
Lastly, practice basic cyber hygiene such as keeping your organization’s operating systems up-to-date and using multi-factor authentication as gate-keepers to these computers and servers. In many cases, computers and servers are compromised for illicit cryptocurrency mining by the mere failure of applying the latest security update and the used of weak login details and lack of multi-factor authentication.
When you need help, contact our teamof experts to mitigate the cybersecurity risks for your organization.
Threat Actors Continue to Target Websites
The European Central Bank (ECB) shut down one of its websites following the discovery that malicious actors accessed the site without authority and infected it with malicious software (malware). This incident shows that threat actors continue to target websites.
ECB, in a statement, said that unauthorized parties had breached the Bank’s Integrated Reporting Dictionary (BIRD) website, a site purposely built to provide the banking industry with details on how to produce statistical and supervisory reports. The Bank said that contact data, including email addresses, names and position titles of 481 subscribers to the BIRD newsletter may have been stolen by the attackers.
ECB, in a statement, said that the attack on BIRD website was discovered as a result of a “regular maintenance work”. An ECB spokesman told Reutersthat the earliest evidence found of the website attack dated back to December 2018, which means that the attack had gone unnoticed for months before being discovered during maintenance work.
This isn’t the first time that ECB reported an attack on its IT infrastructure. In 2014, ECBdisclosed that an unknown attacker or attackers had breached another of the Bank’s website used for registrations for events of the Bank such as conferences and visits.
The 2014 website attack, the Bank said, led to the theft of email addresses and other contact data left by individuals registering for events at the ECB. This 2014 attack in one of the Bank’s website was only known after an anonymous email was sent to the Bank asking for financial compensation in exchange for the data stolen.
In the latest attack on one of its websites, ECB said the attackers “succeeded in injecting malware onto the external server to aid phishing activities”. In the 2014 attack, ECB said the malicious actor or actors attacked a “database serving its public website”. Beyond those phrases, not much is known in the “injection” and “database” attacks.
The Open Web Application Security Project (OWASP)lists injection attacks as the number one threat to web security. Injection attacks refer to a broad attack paths that allow attackers to gain access to the database records of vulnerable websites. In certain cases, this type of attack allows attackers to gain administrative rights to a database.
One example of an injection attack is the SQL injection, also known as SQLI, attack. SQL, which stands for Structured Query Language, is a programming language understood by databases. By inserting malicious commands from this programming language into input fields on websites such as input forms, attackers can gain access to the database records of vulnerable websites, resulting in the unauthorized access of any data available in the database.
In late 2007 and early 2008, thousands of websites were defaced as a result of SQL injection attacks. According to researchers at Microsoft, These particular SQL injection attacks didn’t exploit vulnerabilities in Windows, IIS, SQL Server, or other infrastructure code; rather, it exploited vulnerabilities in custom web applications running on this infrastructure. Thousands of websites were affected due to 2 factors: first, there was an automated tool to launch this attack, and second, this SQL attack tool spread through the use of a botnet.
SANSreported that thousands of websites were compromised in late 2007 and early 2008 as the attacker or attackers used an automated tool in search engines to find vulnerable web applications and exploiting them. “The exploit just consisted of an SQL statement that tried to inject a script tag into every HTML page on the web site,” SANS reported. SecureWorks, meanwhile, reported that the automated SQL attack tool, spread to thousands of websites as the attackers relied on a botnet – a group of computers or devices infected by the same malware and controlled by an attacker for malicious purposes such as in this case the spread of SQL attack tool.
Other than using SQL injection to attack indiscriminate websites using an automated tool and a botnet, SQL injection has also been used by attackers in targeted attacks. According to the U.S. Federal Bureau of Investigation (FBI), a malicious group obtained confidential information from Sony Pictures’ computer systems on May 27, 2011 to June 2, 2011 using an SQL injection attack against Sony Pictures’ website.
According to the UK's Information Commissioner's Office, SQL injection was also used in the TalkTalk cyber attack on the company’s website. As a result of the SQL injection attack on TalkTalk’s website, personal details of 156,959 customers, including their names, addresses, dates of birth, phone numbers and email addresses were stolen. The attacker also stole the bank account number and sort code of 15,656 TalkTalk’s customers.
As shown in above-mentioned examples, injection attacks on websites are highly detrimental to the affected organizations. Loss of customer trust is one potential cost of an SQL injection attack should personally identifiable information such as full names, addresses and credit card details be stolen.
One of the cyber security measures, in order to prevent injection attacks such as SQL injection attacks, is through the use of a web application firewall (WAF). A WAF is often used to filter out injection attacks such as SQL injection attacks. In filtering out SQL injection attacks, a WAF uses a list that contains signatures to address specific attack vectors. This WAF is regularly updated to provide new filtering rules for newly discovered security vulnerabilities.
At The Driz Group, we specialize in protecting your websites and web applications with instant attack mitigation and a guaranteed DDoS protection. We support all deployment types including Cloud and on-premise. Setup take several minutes and there is nothing to buy, support, or maintain.
Connect with ustoday for a free consultation and protect your websites, web applications, online reputation and mission critical data.
What Are the Biggest Mobile Cybersecurity Threats Every Business Must Know?
How many times a day do you Google something on your smartphone?
It’s second nature now. Any questions you have, any movie stars you want to look up, any local restaurants you want to check out — just grab your phone and ask.
And with more than half of worldwide internet traffic originating from phones, the popularity of mobile search shows no sign of slowing down. Particularly for businesses.
The ease, speed and convenience of mobile internet means employees can access work documents, data and software at any time. But accessing business accounts and data via your mobile device opens you up to cybersecurity threats, just like browsing on a computer.
So, what are the biggest mobile cybersecurity threats every business must know?
Malware Lurking in Websites and Apps
It’s easy to assume malware is a risk to employees going online via their desktop or laptop computers, not mobile devices.
But that’s just not the case. Malware can infect a smartphone just as it would bigger hardware and cause serious problems.
Mobile malware typically attacks smartphones through web pages, attachments or apps primed to unleash infections. Clicking a link in an email, downloading a program or installing an app could put your business’s data in danger within seconds.
It’s a simple mistake to make, especially for non-tech-savvy employees.
Infected apps may access your smartphone’s data storage, memory, internal processes and other apps. It may even run in the background without being noticed by the user, gathering information and sharing it with whoever created it.
Hands-on Device Theft
One of the most obvious and damaging cybersecurity risks is theft.
And we mean physical theft: having a phone or tablet stolen by a mugger or opportunistic criminal.
It’s not hard to imagine how this might happen. An employee is out enjoying the sunshine on their lunch break, maybe sitting in the park or outside a cafe. They put their phone down for a moment to grab a drink or open their bag.
When they look back up, the phone is gone.
This takes just seconds but can have devastating results. A hacker would be able to bypass a pin or password and get into the owner’s accounts with ease. They could access your business’s emails, banking and communications in next to no time.
Scary, isn’t it? That’s why it’s so vital that all employees take good care of their company and personal phones. Any device with data relating to the business should be secured with a pin or password, as well as the additional security measures (such as facial recognition and fingerprint scanning).
Encourage all staff to stay vigilant and be aware. If their phone is stolen, they have to admit it fast: the sooner they raise the alarm, the sooner action can be taken to protect data in the cloud.
Unsecured Wi-Fi Networks
Free, public Wi-Fi is great. Employees can take their phone or tablet to the local coffee shop and do a little work outside the office for a change of scenery. The Wi-Fi is thrown in free when you buy a drink or snack so there’s no reason to lose momentum.
But free Wi-Fi networks tend to be unsecured. And that makes anyone using them vulnerable to cybersecurity risks. Any social media interactions, emails,writing, calls and more may be available to hackers.
This is why employees must be careful when accessing Wi-Fi networks beyond their own or your business’s. If they need to wait until they’re back in the office to finish a task or make a call, a slight delay is far better than the alternative.
And this leads us nicely on to …
The Threat of Network Spoofing
Free, public Wi-Fi networks may pose a threat, but network spoofing is much more dangerous.
This involves hackers creating fake access points designed to look like legitimate Wi-Fi connections. You might see them appear on a list of Wi-Fi networks when you visit a coffee shop, bar, airport etc.
Cybercriminals give their fake networks believable names (‘Coffee Place’, ‘Airport Open Wi-Fit’ etc.) to entice oblivious users. They might ask you to set-up an account before giving you access or just let you dive right in.
One big hazard is that employees might use their standard username and password to create accounts with fake networks. And that means cybercriminals would be able to get into emails, banking accounts and anything else protected by the same details.
The entire business’s and clients’ data could be in danger because of a simple mistake.
Taking Action to Minimize Your Business’s Vulnerability
Every company wants to be safe against cybersecurity risks. Every company wants to trust its employees to handle accounts and data in a responsible way.
But it’s not so simple.
Cybercriminals use ever-more-sophisticated techniques and tools to target businesses. Employees need to be made aware of the threats they face when they’re online across all devices.
Effective training is key to help your workforce exercise caution and stay vigilant whenever they’re working or communicating on their smartphone or tablet. And make sure any company phones you hand out have been checked and utilize strict security safeguards to keep them protected.
Don’t try to handle all of your cybersecurity in-house either, especially if your business is brand new and you have little to no experience with managing data. Clients expect you to keep their information confidential and safe against leaks — if you don’t, your reputation could take a serious hit.
Work with cybersecurity specialists to assess your vulnerability and take action to defend your data. The Driz Group’s experts are here to:
Want to learn more about our managed services and how they help companies just like yours every single day? Just get in touch with our dedicated teamright now!
Decade-Old Vulnerability Found in Avaya VoIP Phones
Researchers at McAfee Advanced Threat Research have discovered a decade-old security vulnerability lurking in the Voice over Internet Protocol (VoIP) phones of Avaya, the world’s second largest VOIP phone provider.
The decade-old vulnerability present in Avaya VOIP phones, specifically 9600 Series, J100 Series and B189 Series using the H.323 firmware, according to researchers at McAfee Advanced Threat Researchallows remote code execution (RCE) – enabling an attacker to access someone else's device and make changes to it, regardless of where this device is geographically located.
The RCE vulnerability in a piece of open-source software that Avaya used, the researchers said, was likely copied and modified 10 years ago and the company failed to apply subsequent security patches. The researchers added that a malicious actor exploiting the said vulnerability could take over the normal operation of the phone, copy audio from speakerphone and “bug” the phone.
The piece of open-source software that Avaya copied bore the 2004-2007 copyright, which according to the researchers is a “big red flag” as this piece of software has an exploit that has been publicly available since 2009. The 2009 exploit demonstrated that devices using DHCP client version 4.1 and below allows remote DHCP servers to execute arbitrary code. A DHCP client, also known as dhclient, is a device that needs an IP address; while DHCP server hands out an IP address to the dhclient.
Researchers at McAfee Advanced Threat Research found that Avaya VOIP phone’s version of dhclient is vulnerable to the exploit reported in 2009. The researchers said that malicious actors could build a “weaponized version” of the exploit and threaten private networks.
The researchers reported their discovery to Avaya. In June this year, Avayaissued a patch for the affected VOIP phones.
VOIP Phones as Path to Intrusion
Early this month, researchers at Microsoft Threat Intelligence Center reported that VoIP phone is one of the devices being used by a known cyber adversary to gain initial access to corporate networks. Aside from VoIP phone, the researchers said, popular office IoT devices printer and video decoder, are also being used by this known cyber adversary in gaining an initial foothold into corporate networks.
Researchers at Microsoft Threat Intelligence Center, however, didn’t specify the brands of VOIP phone, office printer and video decoder. These office devices, according to the researchers, were compromised either as these devices were deployed without changing the default manufacturer’s login details or the latest security update hadn’t been applied.
According to Microsoft Threat Intelligence Center researchers, the known cyber adversary used these 3 popular office IoT devices as points of ingress in gaining initial foothold to a corporate network. Once inside a corporate network via these compromised IoT devices, the attacker was seen conducting a simple network scan to look for other vulnerable devices.
As the attacker moved from one vulnerable device to another, a simple shell script was dropped to establish persistence on the network. This simple shell script allowed the attacker to search for higher-privileged accounts that would grant access to higher-value data, the researchers at Microsoft Threat Intelligence Center found.
Aside from using popular office IoT devices as points of ingress in accessing high-value data, these compromised devices are also used to build a botnet – referring to a group of devices infected with a malicious software (malware) and controlled by an attacker or attackers for malicious activities, including distributed denial-of-service (DDoS) attacks. In a DDoS attack, a botnet or group of infected devices is controlled to direct their traffic to a target, overwhelming this target with too much traffic that the target can’t handle, ultimately bringing the target offline and rendering the target inaccessible to its legitimate customers.
VPNFilter is an example of a botnet. At its peak, VPNFilter infected at least 500,000 networking devices in at least 54 countries. The following are devices affected by VPNFilter: Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well at QNAP network-attached storage (NAS) devices.
According to researchers at Cisco, VPNFilter has a self-destruct capability that can be triggered en masse via the botnet structure and has the potential of cutting off internet access for hundreds of thousands of users worldwide. The researchers are unsure why so many devices were infected with VPNFilter. Most of the infected devices, however, have known public exploits or default manufacturer’s login details hadn’t been changed.
In May 2018, the potential negative effect of VPNFilter was mitigated when the U.S. Federal Bureau of Investigation (FBI)seized a domain used as command and control (C2) by the threat group in their botnet campaign. In a botnet operation, C2 (could be a website or a public cloud account) is used to communicate or control the infected devices.
The devastating effect of a botnet was shown to the world when the Mirai botnet attacked in 2016 Dyn, a major dynamic DNS provider, resulting in the widespread internet outages across the U.S. and Europe. The earlier versions of the Mirai, including the one that attacked Dyn, infected hundreds of thousands of wireless cameras and routers and turned them as botnets. Since the publication of the source code of the Mirai in 2016, a number of Mirai versions has been observed in the wild.
Researchers at Palo Alto Networks discovered a different version of the Mirai which targeted WePresent WiPG-1000 Wireless Presentation systems and LG Supersign TVs – IoT devices that are often used by businesses. Many of the Mirai variants infect IoT devices by exploiting the practice of users of not changing the default manufacturer’s login details.
Today’s IoT devices outnumber the combined number of personal computers and mobile phones. Hundreds of thousands, if not, millions of these IoT devices are, however, left without basic management.
Changing the default manufacturer’s login details and applying the latest security update are two cyber security best practices in preventing malicious actors from accessing your organization’s network. These practices also stop your organization’s IoT devices from being used as part a botnet for malicious activities such as DDoS attacks.
Capital One Data Breach Aftermath: 3 Cyber Threats that Every Organization Should be Mindful
The data breach at Capital One Financial Corporation, the data breach that affected approximately 100 million individuals in the U.S. and approximately 6 million in Canada, throws light into 3 cyber threats that every organization using the public cloud should be mindful: account takeover attack, attack on misconfigured web application firewall (WAF) and Server-Side Request Forgery (SSRF) attack.
Large enterprises like Capital One build their own web applications on top of Amazon’s cloud services to answer to their specific needs. Amazon told the New York Timesit had found no evidence of compromise on its underlying cloud services. The company added that its customers fully control the web applications that they built.
Last July 29th, the U.S. Department of Justicearrested a Seattle resident for the intrusion on the stored data of Capital One. The arrest of the Seattle resident came as an offshoot of an email sent to the official email for responsible disclosure of Capital One. The tipster wrote that someone’s GitHub account was exposing data which appeared to belong to Capital One.
In the indictment document, Joel Martini, Special Agent at the U.S. Federal Bureau of Investigation (FBI) stated that the exposed data was verified to belong to Capital One and the GitHub account was traced to belong to the accused Seattle resident, who goes with the handle “erratic” in her Twitter and Slack accounts. A review of June 26, 2019 Slack postings, FBI Special Agent Martini said, showed that Erratic claimed to be in possession of files belonging to several companies, government entities and educational institutions, and one of these files was associated with Capital One.
Capital One, in a statement, said that it had fixed the “configuration vulnerability” that was exploited in the data breach. Publicly-available data and new information, however, show that more than one cyber threats were exploited in the Capital One data breach.
1. Account Takeover
Account takeover refers to the access of someone else’s online account for malicious purposes. In the indictment, FBI Special Agent Martini stated that the file that was publicly exposed by Erratic in her GitHub account contained a list of more than 700 folders and code for three commands.
The first command, when executed, provides login details to an account that enabled access to certain storage space of Capital One at Amazon cloud service. The said account, which had the necessary permissions, was used to extract or copy Capital One’s data. The indictment didn’t mention how the accused got hold of the login details of the account used to access Capital One’s data.
2. Misconfigured Web Application Firewall (WAF)
Web application firewall (WAF) filters, monitors and blocks traffic between a web application and the internet. A properly configured WAF blacklists and/or whitelists traffic to and from a web application.
A WAF that operates based on a blacklist, also known as negative security model, blocks traffic that doesn’t meet the predetermined qualifications. A WAF that operates on a whitelist, also known as positive security model, grants entry only to traffic that has been pre-approved. Many of today’s WAF implements both negative security model and positive security model. A typical WAF also protects web applications from attacks such as SQL injection and other common attacks against web applications.
In the indictment document, FBI Special Agent Martini stated that the data breach at Capital One was a result of a misconfigured WAF. Capital One’s logs show a number of connections or attempted connections from IP addresses beginning with 46.246. Specifically, on or about March 12, 2019, Capital One’s logs show IP address beginning in 46.246 attempted to access Capital One’s cloud data. Publicly-available records show that this IP address is controlled by a company that provides VPN services.
Capital One’s logs also show IP addresses believed to be TOR exit nodes accessed Capital One’s cloud data on or about March 22, 2019. A properly configured WAF could have blacklisted IP addresses such as those belonging to the known VPN company. Conversely, a properly configured WAF could have whitelisted only IP address or addresses used by authorized personnel of Capital One. Malicious actors, however, are continually finding creative means in breaking into web applications that are shielded by properly configured WAFs.
3. Server Side Request Forgery (SSRF) Vulnerability
New information has recently been made public about the Capital One data breach. Based on new data, including information from one who is privy to details about the ongoing Capital One breach investigation, during the attack period, Capital One used ModSecurity, an open-source WAF that’s deployed along with the open-source Apache Web server.
The new report said that the Server Side Request Forgery (SSRF) vulnerability was exploited in the Capital One data breach. While ModSecurity protects web applications against many common attack categories, it doesn't protect against SSRF.
MITREdescribes SSRF in this manner: “The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. By providing URLs to unexpected hosts or ports, attackers can make it appear that the server is sending the request, possibly bypassing access controls such as firewalls that prevent the attackers from accessing the URLs directly.”
In the case of the Capital One data breach, one can’t say which of the attack methods – account takeover attack, attack on misconfigured WAF or Server-Side Request Forgery (SSRF) attack – played the biggest role in the data breach. These 3 types of threats have their own specific preventive and mitigating measures that every organization using the public cloud should be mindful.
When you need to safeguard your cloud applications, our web application security expert will design the right sized solution and will mitigate common risks within minutes. Contact ustoday and avoid a major breach.
Steve E. Driz, I.S.P., ITCP