Cybersecurity Blog
Thought leadership. Threat analysis. Cybersecurity news and alerts.
How to Raise Awareness of Cybercrime in Your Workplace

In February 2019, the Canadian Centre for Cyber Security said that most Canadians would be affected by cybercrime in one form or another. This is unnerving for a number of reasons. First: it applies to all Canadians, not just business owners. That means everyone using a computer, smartphone or tablet for any online activity could be at risk. Second: many people (sadly) lack the awareness to take proper security measures and protect their sensitive data from criminals. Third: the Canadian Centre for Cyber Security singled out ransomware as one of the most common cyber threats, and anyone who knows anything about ransomware will recognize why this is such a frightening prospect.

Ransomware attacks may be triggered by opening a malicious link in an email or downloading an attachment. The attackers hold your computer, or your entire system, hostage until you either pay the money demanded or find another solution (in practice, restoring from clean, offline backups). This is bad enough if your home computer is affected. But in the workplace, ransomware has the potential to wreak havoc on your business and bring it screeching to a halt. That's why every employee should be empowered with the knowledge and tools to stay safe, especially when more than one-fifth of Canadian companies have been targeted by cybercriminals. What can you do to raise awareness of cybercrime in your workplace?

Staying Vigilant Against Cybersecurity Threats

One of the first steps is encouraging staff to be vigilant. An uninformed, unprepared team can introduce an infection into your systems without realizing it until it's too late. And even then, the individual responsible may still not understand what they did wrong. A well-informed, well-prepared workforce will find it far easier to recognize potential threats. A key component of this is motivating staff to report any and all suspicious activity, no matter how trivial it may seem.
Reports should be acted on quickly so that nobody feels a concern was raised in vain. Employees must undergo effective education to minimize their chances of bringing harmful infections into your systems. Working with cybersecurity experts and organizing training sessions will help.

Emphasize the Impact Cybersecurity Breaches Make

A cybersecurity incident in the workplace doesn't just affect the employee responsible. It affects their colleagues. It affects your clients. It affects your reputation. Prospective new customers may fear for their own data's security when they learn your company was targeted. This is why it's so vital to show employees the impact cybercrime can have. They need to understand they're part of a group, and one mistake could mean serious problems for everyone involved. This is easier if your company culture already leans towards collaboration and teamwork. Otherwise, you may need to incorporate more of this into everyday processes. Encourage staff to see themselves as one part of a larger machine.

Highlight Common Cybersecurity Threats

You can increase awareness of cybercrime in your business by drawing employees' attention to the most common risks. Provide them with accessible (read: not packed with jargon or technical terms they don't need to know) resources on:
These are just some of the most common types of cyber-attacks. Help your team understand:
You may want to bring an expert in to discuss this with employees, or compile your own knowledge bank. A combination of both may even be the right choice for you. Whichever option you settle on, your workforce will be more aware of cybercrime and know how they can reduce your business's risk.

Cultivate a Security-focused Culture

We touched on company culture briefly earlier, but now let's delve a little deeper. Adopting a security-focused culture reinforces your business against cybercrime. At the very least, employees are less likely to make the common mistakes that cost money down the line. Introduce checks on employee computers to ensure their security software and operating system patches are up to date across the board. Make sure any tools they download and use are clean too.

And don't forget about passwords. You may be tempted to introduce a policy that forces employees to change their passwords every two weeks or every month. Be careful with that: current guidance (NIST SP 800-63B) advises against routine forced rotation, because it pushes people towards predictable variations of the same password. Require a change when a password is known or suspected to be compromised, and put the effort into password quality instead. What does that mean? Length matters more than a mix of numbers, letters and symbols: a long passphrase beats a short string of symbols, and a password manager lets staff use a unique, random password for every account. Workers should never reuse the same password across different accounts or platforms, and they should never build one from a child's, pet's or partner's name. That information is often easy to find online, and attackers could cause a data breach without much effort at all.

Making your team more aware of general security in the workplace can feed into their drive to take effective precautions. Welcome their input too. What do they think can be done to increase their knowledge of cybersecurity? How would they like to see changes introduced? Don't be afraid to take their best ideas on board.

Create a Clear Incident Response Plan

If the worst happens and your business is struck by a cyber-attack, who does what? Your employees must know what steps to take in the event of an incident.
Perhaps they need to call a local expert in to help immediately. Maybe they're required to inform clients about a potential data breach. Whatever their role, employees should know what is expected of them, and the plan should be written down and rehearsed before it is needed. Everyone should be able to work together as a team and minimize the damage as best they can. This could make a big difference to your business's future.

Want to find out how secure your business is against cybercrime? Curious how cybersecurity professionals can help you stay safe online? Just get in touch with our experts today and we will be happy to help.

What Are Watering Hole Attacks & How to Prevent Such Attacks

Watering hole attacks are increasingly popular because they allow malicious actors to compromise intermediary targets in order to reach their intended final targets.

What Is a Watering Hole Attack and How It Works

In a watering hole attack, a malicious actor compromises a third-party service, such as a publicly available website that the intended target's staff are known to visit, in order to get access to the intended final target. There are various reasons why threat actors attack third-party services instead of the final targets directly. It may be that the final targets have strong cyber defences while the third-party services lack them.

In watering hole attacks, threat actors study the employees of the intended final targets, for example finding out which sites these employees often visit. These sites are then analysed. Sites with weak defences are targeted and injected with malicious code, either serving malware (malicious software) directly or redirecting visitors to sites controlled by the attackers, so that employees download the malware when they visit. Attackers may also nudge an employee into visiting the compromised website or a URL they control by tricking the employee into clicking a malicious link in a phishing email. Once inside an employee's device, the threat actors then move toward the intended final target.
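The injection step just described, a small foreign script tag or a redirect planted on a site that visitors trust, is something a site owner can watch for. The following is an added example, not code from the original post or from any of the researchers it cites: it parses a page, flags script or iframe sources outside an allowlist of your own hosts, and flags inline scripts whose hash is not in a baseline taken from a known-clean copy of the page. The HTML and the allowlisted hosts are constructed for the example.

```python
"""Baseline check for injected <script>/<iframe> tags on a page you own.

Added example for this post, not code from the original article. The page HTML
below is constructed; the allowlisted hosts are assumed for the example."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _TagCollector(HTMLParser):
    """Collect external script/iframe sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []   # (tag, src) pairs
        self.inline = []     # inline <script> bodies
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.external.append(("script", a["src"]))
            else:
                self._in_script, self._buf = True, []
        elif tag == "iframe" and a.get("src"):
            self.external.append(("iframe", a["src"]))

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf).strip())
            self._in_script = False


def inline_script_hashes(html):
    """SHA-256 of every inline script; record this from a known-clean copy."""
    p = _TagCollector()
    p.feed(html)
    return {hashlib.sha256(body.encode()).hexdigest() for body in p.inline}


def audit_page(html, allowed_hosts, known_inline_hashes):
    """Return findings: third-party sources outside the allowlist and inline
    scripts whose hash is not in the clean baseline."""
    p = _TagCollector()
    p.feed(html)
    findings = []
    for tag, src in p.external:
        host = urlparse(src).netloc.lower()
        if host and host not in allowed_hosts:   # relative URLs are our own host
            findings.append(f"unexpected {tag} source host: {host}")
    for body in p.inline:
        digest = hashlib.sha256(body.encode()).hexdigest()
        if digest not in known_inline_hashes:
            findings.append(f"unknown inline script {digest[:12]}: {body[:40]!r}")
    return findings


# Constructed sample: the clean page, and the same page after a watering hole
# style injection (a foreign script plus an inline redirect gated on the
# visitor's browser language, the kind of targeting ESET described).
ALLOWED_HOSTS = {"www.example.org", "cdn.example.org"}
CLEAN_HTML = """<html><head>
<script src="https://cdn.example.org/app.js"></script>
<script>window.cfg = {lang: "en"};</script>
</head><body><p>Ministry news</p></body></html>"""
INJECTED_HTML = CLEAN_HTML.replace(
    "</head>",
    '<script src="//stat-collector.example.net/c.js"></script>'
    '<script>if(navigator.language.startsWith("vi")){location.href="https://stat-collector.example.net/l"}</script>'
    "</head>")

if __name__ == "__main__":
    baseline = inline_script_hashes(CLEAN_HTML)
    for finding in audit_page(INJECTED_HTML, ALLOWED_HOSTS, baseline):
        print(finding)
```

Run it from a scheduled job against your own pages (the functions take the fetched HTML as a string), refresh the baseline hashes after every legitimate deploy, and treat any finding as an incident: a single unexpected script tag is exactly how these attacks are planted.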
Examples of Watering Hole Attacks

The recent disclosure by researchers at Google's Threat Analysis Group and Project Zero about a small collection of compromised websites used in watering hole attacks against site visitors running certain versions of iOS highlights the growing danger of watering hole attacks. The researchers revealed that over a period of at least two years, almost every version from iOS 10 through iOS 12 was potentially vulnerable when users visited this small collection of compromised websites. Simply visiting a compromised site, the researchers said, was enough for the exploit server to attack a vulnerable iPhone and install an implant that monitored the user's activity. The researchers estimated that the compromised sites received thousands of visitors each week. In attacking the affected versions of iOS, the researchers said, the exploit chains used a total of 14 security vulnerabilities: 7 in the Safari web browser, 5 in the kernel and 2 separate sandbox escapes.

Other Cases of Legitimate Sites Used for Watering Hole Attacks

In late February and early March this year, reports came out that the website of the International Civil Aviation Organization (ICAO) was used as an intermediary target for a watering hole attack where the intended final targets were ICAO members. Montreal, Canada-based ICAO is a specialized agency of the United Nations that codifies the principles and techniques of international air navigation.

In November 2018, researchers at ESET reported that 21 distinct websites in Vietnam and Cambodia, including those of the Ministry of Defense of Cambodia and the Ministry of Foreign Affairs and International Cooperation of Cambodia, and several Vietnamese newspaper websites, were used as intermediary targets in watering hole attacks.
According to the researchers, the modus operandi was similar on all compromised websites: the attackers added a small piece of malicious code to each one. While not applicable in all cases, the researchers reported that the injected code checked the visitor's location, and only visitors from Vietnam and Cambodia actually received the malware. The researchers added that the server controlled by the attackers could send an additional payload, meaning the malware that performs the actual malicious actions. ESET said they weren't able to obtain examples of the payloads because they were only delivered to specific targets and it wasn't possible to get them using a test machine.

In November 2017, researchers at Volexity found a similar set of compromised websites of individuals and organizations tied to the government, the media, human rights and civil society groups. In these cases, the researchers found that the payloads downloaded onto the site visitor's computer included a pop-up asking the visitor to approve OAuth access to their Google account. This tactic gives attackers access to the victim's contacts and emails without needing the victim's password.

The recent watering hole attacks are reminiscent of the cyber-espionage campaign called "Epic Turla". In August 2014, Kaspersky observed 100 compromised websites used for watering hole attacks. Once a computer is infected with the Epic malware, Kaspersky reported, the malware immediately connects to its command-and-control (C&C) server to receive a pre-configured series of commands for execution and custom lateral movement tools, including a keylogger, a malicious program aimed at stealing data by recording every keystroke a computer user makes.

Prevention and Mitigating Measures

Here are some cyber security measures to prevent or mitigate the effects of watering hole attacks:
Wikipedia and World of Warcraft Classic Targeted for DDoS Attacks

Distributed denial-of-service (DDoS) attacks again made the headlines over the weekend with attacks on the popular online encyclopedia Wikipedia and the popular online role-playing game World of Warcraft Classic. These latest incidents show that malicious actors are continually targeting vulnerable devices and online services for DDoS attacks.

In a statement released on September 7, the Wikimedia Foundation said that Wikipedia was hit with a "malicious attack", making the site inaccessible to visitors in several countries for intermittent periods. Wikimedia Deutschland, meanwhile, outright called it a "DDoS attack", announcing via its Twitter account that the Wikimedia servers, on which Wikipedia is also hosted, were being "paralyzed by a massive and very broad DDoS attack". According to a report by the civil society group NetBlocks, Wikipedia became intermittently unavailable from approximately 6:00 p.m. UTC on September 6, 2019; at 1:30 a.m. UTC the attack extended to a near-total outage in the United States and much of the world, continuing until 2:40 a.m. UTC.

Also on September 7, Blizzard Entertainment, owner of World of Warcraft Classic, said via its Twitter account, "Some online services continue to be impacted by a series of DDoS attacks which are resulting in high latency and disconnections." It isn't yet confirmed whether the DDoS attacks on Wikipedia and World of Warcraft Classic are related. A Twitter account claiming responsibility for the DDoS attacks on Wikipedia and World of Warcraft Classic was taken down by Twitter.

DDoS Attacks Prevalence

Wikipedia and Blizzard Entertainment are no strangers to DDoS attacks. On May 15, 2019, NetBlocks reported that Wikipedia became temporarily unavailable internationally. NetBlocks said that its global internet observatory data showed that the incident wasn't related to filtering or blocking, and was rather likely caused by a DDoS attack.
NetBlocks said that DDoS attacks are distinct from state filtering or blocking, as these attacks have broader international impact but typically last for short periods. Wikipedia is totally blocked in Turkey, is variously restricted in China, and was briefly filtered in Venezuela early this year. In August 2017, meanwhile, Blizzard Entertainment reported another set of DDoS attacks on its networks. No person or group has taken responsibility for the 2017 DDoS attacks on Blizzard Entertainment or the May 2019 incident on Wikipedia.

Real-time gaming networks have been favourite DDoS targets for malicious actors. In August 2014, Sony's PlayStation networks were taken offline as a result of a DDoS attack. The threat group called "Lizard Squad" claimed responsibility for the attack on Sony's PlayStation networks. KrebsOnSecurity reported that Lizard Squad controlled a botnet comprised of hacked home routers and commercial routers at universities and companies around the globe. A botnet is a group of computers infected with the same malicious software (malware) and controlled by a threat actor or actors for the purpose of conducting malicious activities such as DDoS attacks. KrebsOnSecurity reported that the botnet controlled by Lizard Squad drew internet bandwidth from routers around the globe by exploiting factory-default usernames and passwords. The Mirai botnet, a much bigger botnet which at its height controlled hundreds of thousands of IoT devices such as routers and CCTV cameras, made a big chunk of the internet unreachable for much of the U.S. east coast through its October 2016 DDoS attack on Dyn, an internet infrastructure company. The recent Wikipedia DDoS attack, according to NetBlocks, is understood to have been amplified through insecure devices.

Prevention and Mitigation

In a DDoS attack, both the owners of computers or Internet of Things (IoT) devices and the owners of targeted online services play an important role.
IoT devices such as routers, small as they are, are also computers. Owners of these devices, however, don't treat them like typical computers such as laptops, and many leave them vulnerable to attack by keeping the factory-default login details. The threat of DDoS attack is real, as malicious actors have the tooling to control not just IoT devices but ordinary computers as well. French authorities and antivirus solution provider Avast recently took down the botnet called "Retadup", which controlled nearly a million computers worldwide. It isn't yet known how the Retadup malware initially infected these computers.

Owners of IoT devices and internet-facing desktop or laptop computers are responsible for protecting those machines from being conscripted into a DDoS army, by practicing basic cyber hygiene such as changing factory-default usernames and passwords and applying the latest security updates.

DDoS protection is all the more important for organizations that rely on providing online services. While your organization has no control over the cyber hygiene of other people's IoT devices, desktops and laptops, it can undertake cyber security measures to mitigate the effects of DDoS attacks. Mitigating measures against DDoS attacks are broadly categorized into do-it-yourself (DIY) methods, on-premise mitigation appliances and off-premise cloud-based solutions. DIY methods, such as manual IP blacklisting, are often reactive measures taken in response to a first successful DDoS attack that has already caused hours of downtime. On-premise mitigation appliances are hardware appliances deployed inside a network and placed in front of the protected servers. Compared to DIY methods, on-premise mitigation appliances have advanced traffic filtering capabilities such as geo-blocking, rate limiting, IP reputation and signature identification.
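Rate limiting and IP blocking, two of the capabilities just listed, are straightforward at the application layer. Here is an added example (not code from the original post) that replays web-server access log lines, blocks any source that exceeds a request threshold inside a sliding time window, and exempts an allowlist of your own monitors. The log lines, thresholds and allowlisted address are constructed for the example.

```python
"""Per-source sliding-window rate limiter run over web access log lines.

Added example for this post, not code from the original article. The log lines
are constructed; the thresholds and allowlist are assumed for the example."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Common Log Format prefix: ip ident user [timestamp] "request" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def parse_line(line):
    """Return (ip, timestamp) for a log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")


class RateLimiter:
    """Block a source once it exceeds max_requests within any window_seconds span.
    Allowlisted sources (your own monitors, partners) are never counted."""

    def __init__(self, max_requests, window_seconds, allowlist=()):
        self.max_requests = max_requests
        self.window = window_seconds
        self.allowlist = set(allowlist)
        self.history = defaultdict(deque)   # ip -> timestamps inside the window
        self.blocked = {}                   # ip -> time it was first blocked

    def observe(self, ip, ts):
        """Record one request; return True if it should be served."""
        if ip in self.allowlist:
            return True
        if ip in self.blocked:
            return False
        q = self.history[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > self.window:
            q.popleft()                     # drop requests older than the window
        if len(q) > self.max_requests:
            self.blocked[ip] = ts
            return False
        return True


def analyze(lines, max_requests=20, window_seconds=10, allowlist=()):
    """Replay log lines; return (sorted blocked IPs, number of requests dropped)."""
    rl = RateLimiter(max_requests, window_seconds, allowlist)
    dropped = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed and not rl.observe(*parsed):
            dropped += 1
    return sorted(rl.blocked), dropped


def _line(ip, second, path):
    return f'{ip} - - [07/Sep/2019:01:30:{second:02d} +0000] "GET {path} HTTP/1.1" 200 512'


# Constructed traffic: a normal reader, one flooding source, and an allowlisted monitor.
SAMPLE_LOG = (
    [_line("203.0.113.7", 2 * s, "/wiki/Main_Page") for s in range(5)]              # 5 requests in 8 s
    + [_line("198.51.100.23", s // 10, "/w/index.php?search=a") for s in range(40)]  # 40 requests in 4 s
    + [_line("192.0.2.50", s // 10, "/healthz") for s in range(50)]                 # monitor, allowlisted
)
MONITORS = {"192.0.2.50"}

if __name__ == "__main__":
    blocked, dropped = analyze(SAMPLE_LOG, allowlist=MONITORS)
    print("blocked:", blocked, "dropped:", dropped)
```

This catches an application-layer flood from a modest number of sources, which is what manual IP blacklisting is usually reacting to after the fact. It does nothing against a volumetric attack that fills your uplink before the packets ever reach the web server; that case is what upstream scrubbing is for.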
Off-premise cloud-based solutions, meanwhile, offer virtually limitless scalability and don't require investment in security personnel or the expenses of DIY solutions and on-premise hardware. Cloud scrubbing also absorbs volumetric floods upstream, before they saturate your own internet link, which neither DIY filtering nor an on-premise appliance sitting behind that link can do.

Connect with our web application security experts and protect your mission critical infrastructure in less than 10 minutes.

French Authorities and Avast Take Down One of the World's Biggest Botnets

French authorities and antivirus solution provider Avast have jointly taken down the Retadup botnet, considered one of the world's largest botnets, affecting nearly a million computers worldwide. Avast, in a blog post, announced that its collaboration with French authorities resulted in the neutralization of the Retadup botnet, a group of computers infected with the malware called "Retadup" and controlled by an attacker or attackers for malicious activities. As part of its threat intelligence research, Avast said it started closely monitoring the activity of the Retadup malware in March 2019.

Avast found that the computers infected with the Retadup malware, which formed the Retadup botnet, were mostly abused to mine the cryptocurrency called "Monero". In this kind of illicit cryptocurrency mining (cryptojacking), malicious actors earn cryptocurrency by stealing the computing power of someone else's computer. In a few cases, Avast observed that Retadup was used to distribute the ransomware called "Stop", a type of malware purposely created to lock legitimate users out of a computer system or their data until a ransom is paid. In a few other cases, Avast also observed that Retadup was used to distribute Arkei, a malware that steals passwords.
Avast said its research showed that Retadup's command-and-control (C&C) infrastructure was mostly located in France, and as such it contacted the Cybercrime Fighting Center (C3N) of the French National Gendarmerie. C&C infrastructure refers to the server or servers used to communicate with and remotely control computers compromised by a malware, in this case the Retadup malware. As of late August this year, Avast said that, in collaboration with C3N and with permission from the office of the public prosecutor in France, the Retadup malware had been removed from 850,000 compromised computers, mostly located in Spanish-speaking countries in Latin America.

Retadup History

The Retadup malware first appeared in mid-2017, stealing information from Israeli hospitals. According to Trend Micro, the organization that first reported on this malware in June 2017, it is notable for its propagation and stealth capabilities. Trend Micro said the original Retadup malware infects computers via an executable file that masquerades as another file type, such as browser shortcut files, Windows updaters and a web 3D creation tool. For example, it was delivered to the victim's computer as WinddowsUpdater.zip, with the executable inside named WinddowsUpdater.exe to mimic a legitimate Windows updater (note the misspelling). A computer becomes infected with Retadup when the disguised file is opened. According to Trend Micro, it's unclear how these executable files containing the Retadup malware arrive on the victims' computers.

Once inside a computer, the malware checks for specific antivirus and analysis tools, and self-destructs when it detects them. In stealing information, Trend Micro said, the original Retadup malware routinely records every keystroke made by the user, takes screenshots and extracts passwords from web browsers.
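Trend Micro's description above, an executable dressed up as an updater with a misspelled name, is a pattern a mail gateway or endpoint script can check for before anyone double-clicks. The following is an added example, not Trend Micro's or Avast's code: it scans the members of a zip archive and flags executable extensions, double extensions such as .pdf.scr, misspelled lookalikes of common updater names, and files whose first bytes are a PE header despite a harmless extension. The archive is built in memory from constructed bytes (a stub MZ header stands in for a real executable), and the lookalike name list is an assumption for the example.

```python
"""Flag archive members that masquerade as something harmless.

Added example for this post, not Trend Micro's or Avast's code. The archive is
built in memory from constructed bytes; the lookalike name list is an assumption."""
import difflib
import io
import os
import zipfile

EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".lnk", ".bat", ".cmd", ".vbs", ".js", ".hta"}
# Names an executable might be dressed up as; compared case-insensitively.
LOOKALIKE_STEMS = ["windowsupdater", "windowsupdate", "chromesetup", "firefoxinstaller"]


def content_type(head):
    """Very small magic-byte check on the first bytes of a member."""
    if head.startswith(b"MZ"):
        return "pe-executable"
    if head.startswith(b"\x4c\x00\x00\x00"):
        return "lnk-shortcut"
    return "other"


def name_findings(name):
    """Findings based on the file name alone."""
    stem, ext = os.path.splitext(os.path.basename(name))
    ext = ext.lower()
    out = []
    if ext in EXEC_EXT:
        out.append(f"executable extension {ext}")
        inner = os.path.splitext(stem)[1]
        if inner:                                   # e.g. Invoice.pdf.scr
            out.append(f"double extension {inner.lower()}{ext}")
    key = stem.lower().replace(" ", "").replace("_", "")
    for ref in LOOKALIKE_STEMS:
        ratio = difflib.SequenceMatcher(None, key, ref).ratio()
        if key != ref and ratio >= 0.85:            # close but not exact: a typo-squat
            out.append(f"misspelled lookalike of '{ref}' (similarity {ratio:.2f})")
    return out


def scan_zip(data):
    """Return {member name: [findings]} for every suspicious member."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            findings = name_findings(info.filename)
            with z.open(info) as fh:
                kind = content_type(fh.read(8))
            ext = os.path.splitext(info.filename)[1].lower()
            if kind != "other" and ext not in EXEC_EXT:
                findings.append(f"content/extension mismatch: {kind} inside {ext or 'no extension'}")
            if findings:
                report[info.filename] = findings
    return report


def build_sample_zip():
    """Constructed archive: a stub PE header stands in for real executables."""
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("WinddowsUpdater.exe", fake_pe)   # misspelled updater, as in Retadup
        z.writestr("Invoice.pdf.scr", fake_pe)       # double extension
        z.writestr("photo.jpg", fake_pe)             # executable wearing an image name
        z.writestr("readme.txt", b"release notes\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, findings in scan_zip(build_sample_zip()).items():
        print(member, "->", "; ".join(findings))
```

The name checks are cheap and catch the social-engineering half of the trick; the magic-byte check is what catches an executable renamed to look like a document or image, which a name-only rule misses.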
The Retadup malware is also a worm, meaning it can spread itself within networks without user interaction. In September 2017, Trend Micro detected a new version of Retadup, this time infecting specific industries and governments in South America and controlling the infected computers as a botnet, stealing their computing power to mine the cryptocurrency Monero. As of September 2017, Trend Micro said the malicious actor or actors behind the Retadup botnet had earned 314 Monero coins, worth US$36,000, from the illicit mining.

Since its discovery in June 2017, the Retadup malware has evolved into different versions. Most of these versions, however, retain the original features, such as the worm capability and the stealth capabilities. According to Avast, the most recent version of Retadup pauses cryptocurrency mining on the infected computer while taskmgr.exe (Task Manager) is running, making it harder for users to notice the increased CPU usage.

With permission from the office of the public prosecutor in France and with the technical assistance of Avast, the Cybercrime Fighting Center of the French National Gendarmerie dismantled the command-and-control server of the Retadup malware and replaced it with a disinfection server. This disinfection server, Avast said, caused the Retadup malware to self-destruct on the infected computers forming the Retadup botnet. To date, while the Retadup botnet has been neutralized as a result of the collaboration between the office of the public prosecutor in France, Avast and the Cybercrime Fighting Center of the French National Gendarmerie, the creator or creators of Retadup remain at large, as no arrests have been made as a result of the operation.

Threat Mitigation & Prevention

Botnets are a threat to the online community.
As the Retadup botnet shows, a botnet can wreak havoc through cryptocurrency mining, ransomware and information theft. Other botnets, like the Mirai botnet, have in the past brought down the internet in certain parts of the world via distributed denial-of-service (DDoS) attacks. Here are some cyber security measures to protect your organization's computers or devices from being infected with malware and becoming part of a botnet:
When you need help with threat mitigation, audits and prevention, connect with our cybersecurity experts.
Author: Steve E. Driz, I.S.P., ITCP
Posted 9/19/2019