How Does the Cybersecurity Skill Gap Affect Your Organization and What can You Do to Make it Right?
“There are only two types of companies: those that have been hacked, and those that will be.”
— Robert Mueller, FBI Director
What cybersecurity measures does your organization have in place? And who manages them?
Chances are, you’re struggling to appoint an in-house, qualified cybersecurity specialist. Research by CyberEdge Group reveals that four in five organizations are in the same boat.
This skills gap has decreased in the past couple of years, but it continues to impact different sectors in a major way. Education is the area affected most, with 87.1 percent of organizations having difficulty finding qualified experts, followed by telecommunications & tech (85.1 percent).
The lack of suitable candidates available to help organizations safeguard their systems in an age of ransomware, DDoS attacks and more is concerning. Cybercriminals continue to employ ever-more-sophisticated techniques to disrupt businesses and organizations of all sizes, across all industries (even healthcare). Sensitive data and processes must be protected to minimize threats.
Understaffed organizations on tight budgets are especially vulnerable. 43 percent of cyberattacks target small businesses and just 14 percent of these are prepared — costing them $200,000 on average.
And it makes sense. Leading brands and massive institutions can at least invest in cutting-edge software and external consultations to set up efficient cybersecurity defenses. Smaller ones, particularly startups and non-profits, may be unable to afford either.
Any organization without the finances for a full-time in-house IT specialist can use managed cybersecurity services to protect its systems instead. A vulnerability assessment is perhaps the best place to start, to identify your biggest risks and take steps to mitigate them.
But what else can you do to tackle cybersecurity flaws in your organization when you can’t find or afford an in-house specialist?
1. Invest in quality training to make your workforce more cybersecurity-aware
Cybersecurity is a complex area. This means it’s daunting for almost anyone without qualifications or experience in IT to grasp without extensive training.
But this creates an opportunity to empower your staff with the skills, insights and practical knowledge to help your organization stay safe. Determine where your biggest vulnerabilities are and what attacks may pose the biggest risk to your operations.
For example, you might buy high-end hardware and reliable software — yet have no idea how to maximize their performance.
Alternatively, your workforce could consist of people without even basic computer skills or awareness of digital dangers. The mere mention of ransomware or malware could fly right over their heads.
Investing in cybersecurity training obviously incurs expense, but it will pay off when your organization is less susceptible to major disruptions. 60 percent of small- and medium-sized businesses close their doors within six months of being hacked. And the fallout of this can be severe when mammoth investments have been made into trying to keep an organization afloat.
You may already have an idea of which types of training will suit specific employees, based on their work experience, attitude or technical skills. But even if you don’t, taking the time to align the right knowledge upgrades with the right people will ensure organizations maximize the value of their training.
2. Make raising awareness of cybersecurity threats and trends an ongoing part of your company culture
Cybersecurity trends change as hackers’ techniques and technologies evolve. Any organizations relying on outmoded measures leave their systems more vulnerable than they need to be. That’s why it’s so important to stay in touch with the latest attacks, the ways in which they penetrate systems and how businesses deal with them.
For example, companies falling prey to a ransomware scheme may agree to pay the attacker(s) immediately out of desperation to get back on track. But there’s no guarantee that those responsible will honor their word and return your system to normal. They could take the money and leave the organization locked out of its own network.
An organization that fails to research and keep track of the latest developments in ransomware, and in the wider world of cybersecurity, is more likely to hand over the cash without considering the potential fallout. As a result, it might spend thousands of dollars and still be forced to close up shop when its data remains out of reach.
Cultivate a greater awareness of cybersecurity in your organization. Share news stories, articles and updates related to the industry on a regular basis. Encourage staff to get involved with local initiatives or conferences designed to increase cybersecurity education. Offer incentives for anyone interested in growing their skill set.
Building a workforce with a deeper understanding of common cybersecurity threats, and the measures required to combat them, can make a significant difference to your organization’s safety in the future.
And don’t overlook the basics, either. Encourage staff to stay safe and remain vigilant whenever they’re online. This includes:
Another key issue to consider in your organization’s cybersecurity strategy is updating systems when employees leave, including shutting down any open sessions, something that is often overlooked by IT departments.
Change login details to stop departing employees from gaining access to sensitive data or allowing others to do so. Even workers who seem trustworthy could still go on to compromise your organization’s security, intentionally or not.
Every organization must take cybersecurity seriously. While the skill gap may make finding a qualified, experienced expert to manage your cybersecurity in-house difficult (if not impossible, depending on your budget), following the tips explored above can make a real difference.
Managed cybersecurity services are a cost-effective, simple way to identify your organization’s gaps and fill them. Reliable specialists will perform a vulnerability assessment, reduce your chances of suffering a data breach and protect cloud & on-premise environments — safeguarding your systems on all fronts.
Take action. Make a stand. Protect your organization against cyber-attacks. Contact our experts now.
Everything You Need To Know About The Recent Adobe Creative Cloud Data Breach
Adobe recently admitted that it made a mistake in configuring its cloud database, resulting in the inadvertent exposure of its Creative Cloud customer information. This latest cyber incident adds to the growing number of misconfigured cloud databases, resulting in the exposure of important customer data.
Last October 25th, Comparitech and security researcher Bob Diachenko reported that Adobe exposed its Elasticsearch database without a password or any other authentication, leaving nearly 7.5 million Adobe Creative Cloud user records open to anyone with a web browser. According to Diachenko, the Elasticsearch database of Adobe was exposed for almost a week. Comparitech and Diachenko said that Adobe secured the database on the same day it was notified about the data exposure.
Adobe, meanwhile, acknowledged that one of its “prototype environments” was “misconfigured,” which resulted in the inadvertent exposure of Creative Cloud customer information, including e-mail addresses. The company said no passwords or financial information were exposed in the said incident. “We are reviewing our development processes to help prevent a similar issue occurring in the future,” Adobe said.
Elasticsearch Database Misconfigurations
Elasticsearch is software that allows users to index and search textual, numerical, geospatial, structured and unstructured data. It was first released in 2010 by Elasticsearch N.V., now known as Elastic.
In January 2017, John Matherly reported that 35,000 Elasticsearch databases were exposed on the internet, with most of them deployed on Amazon Web Services (AWS) – a subsidiary of Amazon that provides on-demand cloud computing platforms. Matherly is the developer of Shodan, a search engine that allows users to find anything connected to the internet, including webcams, routers and servers.
Exposing your organization’s Elasticsearch databases to anyone with a web browser opens your organization to ransomware attacks. In January 2017, security researcher Niall Merrigan reported that, using Shodan and "crunching some data", he found 4,000 Elasticsearch databases that had fallen victim to ransomware attacks.
The first report of an Elasticsearch database being hit by ransomware appeared on the official Elastic forum. In a ransomware attack on an Elasticsearch database, data indices are wiped out and replaced with a single index warning that says, “SEND 0.2 BTC TO THIS WALLET: 1DAsGY4Kt1a4LCTPMH5vm5PqX32eZmot4r IF YOU WANT RECOVER YOUR DATABASE! SEND TO THIS EMAIL YOUR SERVER IP AFTER SENDING THE BITCOINS….”
Exposing your organization’s Elasticsearch databases to anyone with a web browser also puts your customers at risk of targeted phishing scams. Attackers, for instance, could create phishing scams that target the Adobe Creative Cloud users whose emails were leaked.
Phishing scams weaponize email: attackers send messages to random or targeted individuals and trick the recipients into opening malicious links or malicious attachments. Clicking the link or opening the attachment leads to the installation of malicious software (malware) on the recipient’s computer.
“The information exposed in this leak could be used against Adobe Creative Cloud users in targeted phishing emails and scams,” said Comparitech and Diachenko. “Fraudsters could pose as Adobe or a related company and trick users into giving up further info, such as passwords, for example.”
How to Secure Your Organization’s Elasticsearch Database
Elastic, the company behind Elasticsearch, said that it isn’t responsible for the exposure of sensitive data in internet-facing Elasticsearch instances. “Recent reports about sensitive data being exposed in Internet-facing Elasticsearch instances are not related to defects or vulnerabilities in Elastic-developed software,” Mike Paquette, security product director at Elastic, told Infosecurity Magazine. “Reports usually involve instances where individuals or organizations have actively configured their installations to allow unauthorized and unauthenticated users to access their data over the internet.”
Paquette added that, by default, Elasticsearch doesn’t allow outsiders to snoop on an Elasticsearch database, because it only listens on local addresses. If a system administrator wants the database to be reachable by unauthorized and unauthenticated users, it has to be explicitly configured that way. He added that system administrators often configure Elasticsearch databases to be reachable without authentication during testing and then forget to change this configuration in production.
Another reason why Elasticsearch databases keep getting hacked is the absence of additional authentication measures such as multi-factor authentication. While Elasticsearch’s open source features are free, additional features such as multi-factor authentication are available only under the Elastic license and paid subscriptions, which means that organizations have to pay to get this extra layer of protection.
Another reason why Elasticsearch databases keep getting hacked is the wrong assumption that deploying an Elasticsearch database on AWS protects it. According to AWS, securing Elasticsearch databases deployed on AWS needs extra work, such as restricting access based on source IP addresses, or locking access down even further based on job functions and roles, so that an “esadmin” has administrator power over the database, a “poweruser” has access to all domains but cannot perform management functions, and an “analyticsviewer” can only read data from the analytics index.
Critical information, as a rule, shouldn’t be exposed to the public internet. It’s important to practice segmentation when using an Elasticsearch database and when deploying it to a public cloud such as AWS. In segmentation, critical information, such as financial data, is isolated from other, less sensitive information.
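The test-then-forget pattern Paquette describes can be caught before deployment by auditing the node configuration. The following is an added example, not Elastic's or Adobe's code: it reads the flat `key: value` lines of an elasticsearch.yml and flags the combination of a non-local `network.host` with `xpack.security.enabled` left off. The two sample configurations are constructed, and the unset-security default of `false` is an assumption matching the 2019-era basic-license behaviour.

```python
"""Audit an elasticsearch.yml for the exposure pattern described above.

Added example; the two sample configurations are constructed for illustration.
"""
import ipaddress

# Constructed sample: a test-time config that binds to every interface and
# leaves security off, the configuration often forgotten in production.
TEST_CONFIG = """\
cluster.name: proto-cluster
node.name: proto-1
network.host: 0.0.0.0        # reachable from any network
http.port: 9200
xpack.security.enabled: false
"""

# Constructed sample: a production config that keeps the default local binding
# and turns authentication on.
PROD_CONFIG = """\
cluster.name: prod-cluster
node.name: prod-1
network.host: _local_
http.port: 9200
xpack.security.enabled: true
"""

# Values that keep Elasticsearch reachable only from the host itself.
LOOPBACK_VALUES = {"_local_", "localhost", "127.0.0.1", "::1"}
# Special values that bind to site-local or public interfaces.
WIDE_VALUES = {"_site_", "_global_", "0.0.0.0", "::", "0"}


def parse_yaml_flat(text):
    """Minimal parser for the flat `dotted.key: value` lines elasticsearch.yml uses.
    Comments and blank lines are skipped; lists and nested blocks are not handled."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def bind_is_local(host_value):
    """True when the configured network.host cannot be reached from other machines."""
    if host_value in LOOPBACK_VALUES:
        return True
    if host_value in WIDE_VALUES:
        return False
    try:
        return ipaddress.ip_address(host_value).is_loopback
    except ValueError:
        return False  # hostnames and other special values: treat as non-local


def audit(config_text):
    """Return a list of findings; an empty list means the config looks safe."""
    s = parse_yaml_flat(config_text)
    host = s.get("network.host", "_local_")  # Elasticsearch binds locally when unset
    # Assumed default when the key is absent (basic license, pre-8.x behaviour).
    security_on = s.get("xpack.security.enabled", "false").lower() == "true"
    findings = []
    if not bind_is_local(host):
        port = s.get("http.port", "9200")
        findings.append(f"network.host={host} exposes HTTP port {port} beyond localhost")
        if not security_on:
            findings.append("xpack.security.enabled is false: anyone who can reach "
                            "the port can read, modify or delete every index")
    return findings
```

Run `audit()` over each node's configuration in a pre-deployment check; a non-empty result is the condition that left the Adobe prototype readable by anyone with a browser.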
Concerned about cybersecurity posture of your cloud infrastructure? Contact us at firstname.lastname@example.org and we will be happy to help.
Risks & Dangers of Remote Access
On the same day, October 21st, Avast and NordVPN each disclosed a separate, unrelated unauthorized intrusion into their networks. Although unrelated, both intrusions resulted from a common cyber security weakness: remote access.
What Is Remote Access?
Remote access allows a user to access a computer or a network without having physical access to that computer or private network. Remote access to a private network can be achieved through a virtual private network (VPN) or a remote access feature of an operating system.
An example of a remote access feature of an operating system is the remote desktop protocol (RDP). In Windows operating systems, RDP allows network administrators to manage or troubleshoot computers over the internet.
VPN service providers, meanwhile, promise to offer secure and encrypted connections to their customers. In both VPN and RDP, access to the private network is conducted from a remote location using a laptop, desktop computer or mobile device connected to the internet.
Unauthorized Remote Access on Avast Network
Last October 21st, Avast, in a statement, said that on September 23 of this year, it identified suspicious activity on its network. After further analysis, Avast said it found that its internal network was successfully accessed with compromised credentials through a temporary VPN profile that had erroneously been kept enabled and didn’t require 2-factor authentication (2FA).
Avast said that the malicious actor had been attempting to gain access to the company’s network through its VPN as early as May 14 of this year. The company said it closed the temporary VPN profile that was accessed by a malicious actor.
As a precaution, the company suspended the upcoming releases of its product CCleaner and started checking prior CCleaner releases and verified whether malicious alterations had been made. As an added precaution, the company also re-signed a clean update of the product and provided it to users through an automatic update last October 15th.
Avast admitted in September 2017 that its product CCleaner, which it acquired from Piriform on July 18, 2017, had been compromised by malicious actors, resulting in 2.27 million downloads of the corrupted CCleaner version by unknowing customers.
Unauthorized Remote Access on NordVPN Network
Last October 21st, virtual private network service provider NordVPN admitted that in March 2018, one of its servers, which the company rented from a third-party data center in Finland, was accessed without authorization.
NordVPN said that the attacker gained access to the server by exploiting an “insecure” remote management system left by the data center provider. The virtual private network service provider said it had no knowledge the data center provider was using the remote management system.
NordVPN said it immediately terminated the contract with the third-party data center and destroyed all servers that the company had been renting from it. The virtual private network service provider said that a TLS key was taken at the same time the data center was exploited.
The company said that no user credentials have been intercepted. It also said that the TLS key “couldn’t possibly have been used to decrypt the VPN traffic of any other server.” NordVPN said that “the only possible way to abuse website traffic was by performing a personalized and complicated MiTM [man-in-the-middle] attack to intercept a single connection that tried to access nordvpn.com”.
In a man-in-the-middle attack, the attacker intercepts user traffic to steal credentials and other important information. The attacker then uses this stolen information to access the actual destination network. Preventing man-in-the-middle attacks is the reason why people use VPN in the first place.
"Intercepting TLS traffic isn't as hard as they make it seem," a security researcher who uses the name “hexdefined”, one of those who analyzed the data exposed in the NordVPN breach, told Ars Technica. "There are tools to do it, and I was able to set up a Web server using their TLS key with two lines of configuration. The attacker would need to be able to intercept the victim's traffic (e.g. on public Wi-Fi)."
Preventive and Mitigating Measures
While remote management systems such as RDP and VPN have a number of benefits, their inherent weakness shouldn’t be ignored: these systems open a door from the public internet into your organization’s network. These doors should be kept closed and opened only to authorized personnel.
One of the preventive measures for protecting these remote management systems from unauthorized entry is the use of multi-factor authentication or 2-factor authentication. As shown in the case of the Avast data breach, a VPN account without 2-factor authentication attracts malicious actors.
It’s important to note that there are currently tools to bypass 2-factor authentication or multi-factor authentication. For instance, security researchers at DEVCORE disclosed that they were able to access the internal network of Twitter by bypassing the 2-factor authentication for the VPN used by Twitter. While multi-factor authentication or 2-factor authentication isn’t a cure-all for protecting your organization’s network, this security measure decreases the attack surface considerably.
Network segmentation, the practice of splitting your organization’s network into subnetworks, is another cyber security measure that blocks malicious actors. This practice ensures that if one network is breached, the others won’t be affected.
It’s also ideal not to install, or to disable, remote management systems on the servers that house your organization’s critical data, so that this data isn’t exposed to the public internet.
Real-Life Cases Show Some Types of 2FA Can Be Bypassed
A number of cyber incidents in the past few years have demonstrated that certain types of multi-factor authentication or two-factor authentication (2FA) can easily be bypassed.
What Is Multi-Factor Authentication? What Is 2FA?
Multi-factor authentication is an added layer of security in which a user is required to present two or more pieces of proof in order to be granted access to a computer system or application.
Two-factor authentication (2FA) is the more popular type of multi-factor authentication. In a typical 2FA, in addition to the traditional authentication method of a combination of username and password, a user is required to present one more authentication proof. Examples of these additional authentication proofs include a one-time code that changes over time, biometrics or behavioural information such as IP address, time of day or geolocation.
3 Ways 2FA Can Be Bypassed
In the past few years, the following 3 methods have been used to bypass or circumvent certain types of 2FA:
1. SIM Swap
In the SIM swap method, an attacker convinces a customer service representative at the intended victim’s phone company to move the victim’s number to a SIM card the attacker controls. The attacker can then intercept the 2FA security codes sent to the victim and use them to access the computer system or application.
Last month, the U.S. Federal Bureau of Investigation (FBI) issued an alert to its partner organizations warning them about SIM swapping. According to the FBI, between 2018 and 2019, SIM swapping was the most common tactic used by cyber criminals to circumvent 2-factor authentication. Victims of SIM swapping attacks, the FBI said, had their bank accounts drained and their passwords and PINs changed.
Last year, Reddit disclosed that all Reddit data from 2007 and before including account credentials and email addresses as well as email digests sent by Reddit in June 2018 were illegally accessed. The company said that the weaknesses inherent to SMS-based 2FA appeared to be the root cause of this incident. The company added that “SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept”.
Reddit, however, didn’t specify how the SMS-based 2FA one-time code was intercepted. At the time of the Reddit attack, the known methods of intercepting SMS-based 2FA one-time codes were SIM swapping and mobile number port-out scams.
In port-out scams, instead of a SIM swap, an attacker impersonates the intended victim and requests that the victim’s mobile number be transferred to another mobile network provider. In both SIM swap and port-out scams, one-time codes sent by SMS end up on a phone controlled by the attacker.
2. Phishing Scheme
The second method by which 2FA can be bypassed is a phishing scheme. In December 2018, researchers at Certfa Lab detected a phishing campaign in which attackers, knowing that their victims used two-step verification on their Gmail and Yahoo accounts, created phishing pages for both the desktop and mobile versions of the Google and Yahoo mail services.
These phishing pages ask the victims for their username and password, as well as their 2-step verification code. The attackers then enter this username, password and verification code into Google’s or Yahoo’s genuine website and hijack the victims’ email accounts.
A victim is tricked into visiting one of these phishing sites by a fake email alert purportedly from the email provider, stating that unauthorized individuals have tried to access their account. This fake alert asks the victim to review and restrict the suspicious accesses via the link provided in the email, which leads to the attackers’ phishing site.
3. Session Hijacking
The third method by which 2FA can be bypassed is session hijacking. Of the 3 methods of bypassing 2FA, session hijacking is the most technical.
A few months ago a toolkit that bypasses 2FA via session hijacking was publicly released. This toolkit uses Muraena and NecroBrowser. According to the authors of this toolkit, Muraena is a “custom target-agnostic reverse proxy solution”, while NecroBrowser takes care of the “instrumentation and session riding”. According to the FBI, the Muraena tool intercepts traffic between a user and a target website that requires the usual username and password combination and 2FA code, while NecroBrowser allows cyber actors to hijack these private accounts and make changes to them while maintaining access as long as possible.
Last month, security researchers at DEVCORE reported a different form of session hijacking that enabled them to access Twitter Intranet. According to the DEVCORE researchers, they were able to access Twitter Intranet by bypassing the 2FA of the SSL VPN used by the company.
“Twitter enabled the Roaming Session feature, which is used to enhance mobility and allow a session from multiple IP locations,” the DEVCORE researchers said. “Due to this ‘convenient’ feature, we can just download the session database and forge our cookies to log into their system!”
Preventive and Mitigating Measures
There’s a reason why multi-factor authentication or 2FA is widely used by organizations today. Instead of relying merely on the traditional username and password combination, multi-factor authentication provides an extra layer of security to systems or applications.
The use of multi-factor authentication can decrease numerous attack surfaces. Using multi-factor authentication, however, shouldn’t give your organization a false sense of security. As shown in the above-mentioned examples, certain types of multi-factor authentication or 2FA can be bypassed.
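The DEVCORE finding above comes down to one server-side decision: whether a session created after password and 2FA succeed stays bound to the client that created it. The following is an added example, not DEVCORE's, Twitter's or any vendor's code: a small session store whose `roaming` flag models the Roaming Session behaviour, so the same stolen cookie is accepted from a second address when roaming is on and refused when it is off. The cookie format, the store and the client addresses are all constructed.

```python
"""Session binding as a defence against cookie replay after a 2FA login.

Added example; the session store, cookie format and client addresses are constructed.
"""
import hashlib
import hmac
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret; rotate on compromise


def _sign(payload):
    """HMAC over the session id so a forged id without the key fails immediately."""
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def _ua_hash(user_agent):
    return hashlib.sha256(user_agent.encode()).hexdigest()


class SessionStore:
    """Sessions created only after password + 2FA succeed. Each record remembers
    the client that completed the login, so a copied cookie can be checked
    against the client presenting it."""

    def __init__(self, roaming=False, ttl_seconds=3600):
        self.roaming = roaming   # True mimics a "roaming session": any IP accepted
        self.ttl = ttl_seconds
        self._sessions = {}

    def create(self, user, client_ip, user_agent, now=None):
        now = now if now is not None else time.time()
        sid = secrets.token_urlsafe(24)
        self._sessions[sid] = {
            "user": user,
            "ip": client_ip,
            "ua_hash": _ua_hash(user_agent),
            "expires": now + self.ttl,
        }
        # The cookie carries the id plus a MAC. If the session database itself
        # leaks, the ids are known to the attacker, so the binding check in
        # validate() is what actually limits replay, not the signature.
        return f"{sid}.{_sign(sid)}"

    def validate(self, cookie, client_ip, user_agent, now=None):
        """Return (username, "ok") for an acceptable cookie, else (None, reason)."""
        now = now if now is not None else time.time()
        try:
            sid, mac = cookie.rsplit(".", 1)
        except ValueError:
            return None, "malformed cookie"
        if not hmac.compare_digest(mac, _sign(sid)):
            return None, "bad signature"
        rec = self._sessions.get(sid)
        if rec is None or rec["expires"] < now:
            return None, "unknown or expired session"
        if rec["ua_hash"] != _ua_hash(user_agent):
            return None, "user-agent mismatch"
        if not self.roaming and rec["ip"] != client_ip:
            return None, "ip mismatch"  # replay from another network is refused
        return rec["user"], "ok"


def replay_demo(roaming):
    """Log in from one address, then present the same cookie from another.
    Returns the validation reason the second client receives."""
    store = SessionStore(roaming=roaming)
    ua = "Mozilla/5.0 (constructed user agent)"
    cookie = store.create("alice", "203.0.113.10", ua)         # constructed office IP
    _user, reason = store.validate(cookie, "198.51.100.7", ua)  # constructed other IP
    return reason
```

Binding to the client address trades mobility for replay resistance, which is exactly the trade the Roaming Session feature makes in the other direction; a short TTL and re-authentication before sensitive actions limit the damage when roaming is genuinely needed.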
Hospitals in Different Parts of the World Hit by Ransomware Attacks
Michael Garron Hospital, formerly Toronto East General Hospital, recently confirmed that it was a victim of the ransomware called “Ryuk”, turning the spotlight on this ransomware and on ransomware in general.
Sarah Downey, President and CEO of Michael Garron Hospital, said in a statement that last September 25th the hospital became aware that malicious software (malware), later identified as Ryuk, had infected the hospital’s servers. As a result of the ransomware attack, Downey said that “some data has been damaged” and, for the first time in many years, the hospital’s clinical teams were forced to revert to paper processes and to use the telephone to call codes, access porters and check dietary orders.
The President and CEO of Michael Garron Hospital said that as a result of the attack, some of the hospital’s outpatient services were affected, with some appointments canceled and rescheduled. Downey added that the affected servers are being cleansed and it may take a few weeks for some of the hospital’s systems that are less critical to operations to be fully restored. Downey further said that the hospital hasn’t been in contact with anyone about ransom payment.
What Is Ransomware?
Ransomware is a type of malware that’s designed to deny access to a computer system or data until a ransom is paid. To deny legitimate users access to a system or data, attackers encrypt the system or data, turning it into a form that can only be read with decryption keys held by the attackers.
In ransomware attacks, these decryption keys are typically handed over to the victims in exchange for a ransom payment. All too often ransomware attackers target organizations that can’t tolerate any downtime, making ransom payment all the more compelling.
Paying the ransom, however, doesn’t guarantee that victims can recover their encrypted systems or data as the decryption keys could simply be designed to not work at all.
What Is Ryuk Ransomware?
Ryuk ransomware was first observed in the wild in August 2018. In June 2019, UK's National Cyber Security Centre (NCSC) issued a Ryuk advisory, warning organizations globally about this ransomware.
Ryuk is often linked with two other malware families: Emotet and Trickbot. Emotet was first observed in the wild in 2014, and Trickbot in 2016. In a Ryuk attack, the Emotet malware is used to drop the Trickbot malware. Trickbot, for its part, deploys hacking tools that facilitate remote monitoring of the victim’s computer and credential harvesting, and that allow the attackers to move to other computers within the network.
Ryuk is deployed only once the attackers judge that a ransomware opportunity is present. It’s therefore possible for an organization to be infected for some time without any visible sign of a ransomware attack.
Prior to installing itself into the affected computer, Ryuk will first attempt to disable certain antimalware or antivirus software. Ryuk has the ability to spread to other computers within the same network as it is designed to enumerate network shares and encrypt those it can access.
According to the NCSC, it’s possible that Ryuk could be deployed through an infection chain other than Emotet and Trickbot. NCSC added that in a Ryuk attack it’s difficult to recover from backups on the infected computer, as this malware uses anti-forensic recovery techniques such as manipulating the virtual shadow copy.
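The three Ryuk behaviours described above (disabling antivirus, enumerating network shares, and manipulating shadow copies so restores fail) all leave process-creation records before any file is encrypted, which makes them a useful detection point. The following is an added example, not NCSC's or any vendor's rule set: detection logic run over constructed process-creation log lines in a constructed `timestamp|host|user|parent|command` format, flagging hosts where the whole pre-encryption chain appears so they can be isolated first.

```python
"""Detection of Ryuk pre-encryption behaviour over constructed process logs.

Added example; the log format and the sample lines below are constructed.
"""
import re

# Each rule: (name, regex over the command line, what the match means).
# The indicators are the widely documented commands behind the behaviours
# described above, matched case-insensitively.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
     "shadow copies removed, defeating restore before encryption"),
    ("av_tampering",
     re.compile(r"net(\.exe)?\s+stop\s+\S*(defend|antivirus|security)"
                r"|sc(\.exe)?\s+config\s+.*start=\s*disabled", re.I),
     "security service stopped or disabled"),
    ("share_enumeration",
     re.compile(r"net(\.exe)?\s+(view|share)\b", re.I),
     "network shares enumerated, a precursor to encrypting reachable hosts"),
]

# Constructed sample: one workstation showing the chain, one showing normal activity.
SAMPLE_LOG = """\
2019-09-25T02:13:07Z|WS-117|CORP\\jdoe|explorer.exe|C:\\Windows\\System32\\notepad.exe report.txt
2019-09-25T02:14:51Z|WS-117|CORP\\jdoe|cmd.exe|net view /all
2019-09-25T02:15:02Z|WS-117|NT AUTHORITY\\SYSTEM|svc.exe|vssadmin.exe Delete Shadows /All /Quiet
2019-09-25T02:15:05Z|WS-117|NT AUTHORITY\\SYSTEM|svc.exe|net stop WinDefend
2019-09-25T02:16:10Z|WS-118|CORP\\asmith|outlook.exe|C:\\Program Files\\Microsoft Office\\winword.exe
"""


def parse_line(line):
    """Split one constructed log line into its five fields."""
    ts, host, user, parent, cmd = line.split("|", 4)
    return {"ts": ts, "host": host, "user": user, "parent": parent, "cmd": cmd}


def match_rules(event):
    """Names of every rule whose pattern appears in the event's command line."""
    return [name for name, rx, _ in RULES if rx.search(event["cmd"])]


def scan(log_text):
    """Return one alert dict per matching event, in log order."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        for name in match_rules(ev):
            alerts.append({"rule": name, "host": ev["host"], "ts": ev["ts"], "cmd": ev["cmd"]})
    return alerts


def hosts_with_chain(alerts, required=("share_enumeration", "shadow_copy_deletion")):
    """Hosts on which every rule in `required` fired: the whole pre-encryption
    sequence was seen there, so they are the first to isolate."""
    seen = {}
    for a in alerts:
        seen.setdefault(a["host"], set()).add(a["rule"])
    return sorted(h for h, rules in seen.items() if set(required) <= rules)
```

Because Ryuk is staged only after Emotet and Trickbot have done their work, these alerts typically fire minutes before encryption starts, which is the window in which isolating the host still protects the rest of the network shares.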
Other Cases of Ransomware Attacks
Hospitals and healthcare providers are targeted by ransomware attackers because these establishments cannot withstand IT downtime. In recent weeks, in addition to Michael Garron Hospital, two other hospitals in Canada belonging to the Listowel Wingham Hospitals Alliance (LWHA), Listowel Memorial Hospital and Wingham and District Hospital, have been hit by ransomware.
In a statement, Listowel Wingham Hospitals Alliance said that since last September 26th its IT system has been shut down as a result of a ransomware attack. As a result of the attack, the Alliance said, “Manual and paper downtime procedures remain in place.” The Alliance hasn’t named the specific type of ransomware that hit the two hospitals.
A number of hospitals and health services in Gippsland and south-west Victoria, Australia, meanwhile, have been impacted by a ransomware attack. Victoria's Department of Premier and Cabinet said in a statement that the ransomware was discovered last September 30th.
Last month, U.S. healthcare provider Wood Ranch Medical announced that it will permanently close its practice on December 17, 2019 as a direct result of a ransomware attack. Wood Ranch Medical said in a statement that on August 10, 2019, it suffered a ransomware attack on its computer systems. The health provider, without naming the specific type of ransomware, said that it encrypted its servers and backup hard drives containing patients’ electronic health records.
“Unfortunately, the damage to our computer system was such that we are unable to recover the data stored there and, with our backup system encrypted as well, we cannot rebuild our medical records,” Wood Ranch Medical said. “We will be closing our practice and ceasing operations on December 17, 2019.”
Last October 1st, DCH Health System, which runs 3 hospitals: DCH Regional Medical Center in Tuscaloosa, Northport Medical Center and Fayette Medical Center, announced that it suffered a ransomware attack that impacted its systems. The specific type of ransomware wasn’t disclosed.
Last October 6th, DCH Health System said that it “obtained a decryption key from the attacker to restore access to locked systems.” The organization didn’t specify whether a ransom was paid. There are reports, however, indicating that DCH Health System paid the attacker a ransom.
Organizations large and small fall victims to ransomware too often. Contact us to speak with our cybersecurity experts today to develop a solid protection and mitigation strategy reducing your stress and protecting your organization.
Steve E. Driz, I.S.P., ITCP