Cybersecurity Blog
Thought leadership. Threat analysis. Cybersecurity news and alerts.
Hard Lessons from a Ransomware Attack

A regional county municipality in the province of Quebec, Canada has learned hard lessons about cybersecurity after it suffered a paralyzing ransomware attack. Bernard Thompson, reeve of Mekinac regional county municipality, told The Canadian Press that the ransomware attack that paralyzed the municipality’s servers gave the municipality hard lessons in cybersecurity. “In the end, in terms of the security of our system, [the ransomware attack] was actually positive,” Thompson said. The cyberattack against Mekinac's servers highlights the importance of protecting your organization's servers against ransomware attacks.

How the Mekinac Cyberattack Unfolded

The Canadian Press reported that on September 10, this year, municipal employees, returning to work after a weekend break, found a ransomware notice on their work computers informing them that their files were locked. The ransomware notices also specified that, in order to unlock the files, a total of 8 Bitcoins, then equivalent to $65,000, must be paid to the attackers. The municipality’s servers were disabled for nearly 2 weeks as a result of the ransomware attack. The attack ended when the municipality negotiated and paid $30,000 worth of Bitcoin as ransom to unlock the locked files. “It was hard, clearly, on the moral side of things that we had to pay a bunch of bandits,” Thompson said. He said the municipality took this road because the alternative could have meant months of data re-entry, costing significantly more than $30,000. Mekinac’s ransomware attackers are still unidentified and their location has not been determined to date.

What is a Ransomware Attack?

Ransomware is malicious software (malware) that encrypts files. Encryption is traditionally used to prevent data theft.
In encryption, plaintext or any other form of data is converted from a readable format into an encoded version – a format that can only be read by someone who has the decryption key. In a ransomware attack, attackers convert the victim’s data from a readable format into an encoded version and demand a ransom payment from the victim in exchange for the decryption key. Ransomware infects computers or servers in many ways. Here are some of them:

1. Email-Based Attack

In the case of the Mekinac ransomware attack, the municipality’s servers were infected by ransomware after an employee opened a malicious email sent by the attackers and clicked on a link in it. It wasn’t specified, however, which particular ransomware hit Mekinac’s servers. The ransomware called “Locky” is an example of ransomware that’s spread via email spam campaigns. This ransomware arrives on a victim’s computer as a Microsoft Office email attachment that evades antispam filters and tricks the user into opening it. Once this malicious attachment is opened, Locky encrypts the computer's files and then demands that the victim pay a ransom to unlock the encrypted files.

2. Drive-By Attack

A drive-by attack is another way by which attackers infect computers or servers. Bad Rabbit ransomware is an example of ransomware distributed via drive-by attacks. In a drive-by attack, attackers insert malicious code, in this case ransomware, into an insecure website. Once a user visits this compromised site, the malware either downloads directly to the visitor’s computer, or the visitor is redirected to another website controlled by the attackers and the malware is downloaded to the victim’s computer from there.

3. Unpatched Servers

The ransomware called “SamSam” is an example of ransomware that infects servers while they’re in an unpatched state.
An unpatched server is one that isn’t updated despite the availability of a security update. Researchers at Cisco Talos, in a blog post, wrote, “Adversaries are exploiting known vulnerabilities in unpatched JBoss servers before installing a web shell, identifying further network connected systems, and installing SamSam ransomware to encrypt files on these devices.”

Lessons from Ransomware Attacks

Thompson, reeve of Mekinac regional county municipality, said that the ransomware attack on Mekinac’s servers taught the municipality to encrypt everything and to analyze every email. “Everything is encrypted now,” Thompson said. “Every email is analyzed before we even receive it. Every day, our system catches malicious emails trying to penetrate – but they are stopped. But the attacks keep coming.” In addition to encryption and email scanning, here are additional best practices to protect your organization’s servers from ransomware attacks:

Back Up Important Files

Backups kept in safe storage that isn’t connected to your organization’s servers give your organization assurance that if anything happens to the servers, for instance a ransomware attack, your organization will still have other copies of its important files. This eliminates the pressure to pay attackers a ransom for the decryption key to unlock the locked files.

Keep All Software Up-To-Date

Make sure that all your organization’s software, specifically the server operating system, is up-to-date. Every security update or patch issued by software vendors contains fixes for security vulnerabilities that cybercriminals are quick to exploit.

Implement Domain Whitelisting

Whitelisting certain domains won’t prevent drive-by download attacks, but it’ll prevent secondary malicious websites from loading.

Limit the Number of Users with Administrator Privileges

A computer user with administrator privileges can install and uninstall software and change configuration settings.
Limiting this privilege to a small number of personnel limits the exposure of your organization’s servers to drive-by attacks. When your organization needs help, our experts are a phone call away. Contact us today to prevent ransomware attacks.

New Mirai Variant Hijacks Enterprise Linux Servers for DDoS Attacks

Researchers at Netscout have discovered a new variant of Mirai – malicious software (malware) once known for hijacking hundreds of thousands of Internet of Things (IoT) devices, including wireless cameras, routers and digital video recorders, to conduct powerful distributed denial-of-service (DDoS) attacks. Instead of infecting IoT devices, researchers at Netscout said, the new Mirai variant infects non-IoT devices, in particular enterprise Linux servers running Apache Hadoop YARN, to serve as DDoS bots. The original Mirai malware, at its peak, infected hundreds of thousands of IoT devices, controlling them as a botnet to conduct high-impact DDoS attacks. A botnet is a group of computers controlled by attackers, without the knowledge or consent of the owners, to conduct malicious activities, including DDoS attacks. In a DDoS attack, the botnet or controlled computers act in unison, flooding the internet connection of a target, for instance a particular website. The original Mirai first came to public attention when it launched a DDoS attack against the website of journalist Brian Krebs on September 20, 2016. A few days after, on September 30, the source code of Mirai was publicly released on the English-language hacking community Hackforums by a user using the screen name “Anna-senpai”. Paras Jha, 22, the person behind Anna-senpai, pleaded guilty to co-creating Mirai. According to the U.S. Department of Justice, from December 2016 to February 2017, Jha along with his 2 college-age friends Josiah White and Dalton Norman admitted that they successfully infected more than 100,000 IoT devices, such as home internet routers, with Mirai malware and used the hijacked IoT devices to form a powerful DDoS botnet. Since the public release of the source code of Mirai, a number of Mirai variants have been created and released into the wild. According to Netscout researchers, this latest Mirai variant “is the first time we’ve seen non-IoT Mirai in the wild”.

How the Latest Mirai Variant Works

To deliver the latest Mirai variant, attackers exploit a security vulnerability in Apache Hadoop YARN. Apache Hadoop is an open source software framework that enables a cluster or group of computers to communicate and work together to store and process large amounts of data in a highly distributed manner. YARN, which stands for Yet Another Resource Negotiator, is a key component of Hadoop that handles job scheduling for various applications and resource management in the cluster. According to Netscout researchers, the latest Mirai malware exploits unpatched Linux servers running Apache Hadoop YARN and attempts to brute-force – that is, systematically guess the correct username and password combination for – the factory default username and password of the Hadoop YARN server.

DemonBot Vs. Latest Mirai Variant

Researchers at Radware detected last month another malware called “DemonBot” that infects Hadoop clusters by leveraging YARN’s unauthenticated remote command execution. The main similarity between DemonBot and the latest Mirai variant is that both exploit the Hadoop YARN security vulnerability in order to infect computers. Both malware programs also turn infected computers into a botnet for the purpose of launching DDoS attacks.
Enterprise Linux servers running Apache Hadoop YARN infected by DemonBot and the latest Mirai variant are dangerous because these servers can account for large volumes of DDoS traffic. The main difference between DemonBot and the latest Mirai variant is that DemonBot spreads only via central servers and doesn’t exhibit the worm-like behavior of Mirai variants. Mirai’s worm-like behavior – its ability to spread itself within networks without user interaction – makes it a more dangerous malware than DemonBot. According to Radware researchers, as of late October this year, attackers attempted to exploit the Hadoop YARN vulnerability to deliver DemonBot at an aggregated rate of over 1 million per day.

Original Mirai Vs. Latest Mirai Variant

According to Netscout researchers, the latest Mirai variant behaves much like the original Mirai. This means that both have worm-like behavior and enslave infected computers for the purpose of launching DDoS attacks. The main difference between the original Mirai and the latest Mirai variant is that while the original Mirai runs on IoT devices, the latest Mirai variant runs on Linux servers, in particular those running Apache Hadoop YARN. “Linux servers in datacenters have access to more bandwidth than IoT devices on residential networks, making them much more efficient DDoS bots,” researchers at Netscout said. “A handful of well-resourced Linux servers can generate attacks that compete with a much larger IoT botnet.” According to Netscout researchers, there are tens of thousands of attempts per day to exploit the Hadoop YARN vulnerability to deliver the latest Mirai variant.

Prevention

The risk of further cyberattacks is high for machines infected by malware like Mirai. To prevent attackers from hijacking your organization’s Linux servers running Apache Hadoop YARN for DDoS attacks, make sure to configure YARN’s access control and use a strong username and password combination.
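The access-control and account-lockout measures recommended in this section can be checked mechanically. The following Python script is an added example and not code from the post, from Netscout or from Radware: it audits the Hadoop properties that leave the ResourceManager REST API open to anonymous job submission, and applies a lockout rule to constructed access-log lines. The property names and REST paths are real Hadoop ones; the log lines, allowlist and threshold values are assumptions.

```python
"""Added example, not code from the post, Netscout or Radware: audit the
Hadoop settings that leave a YARN ResourceManager open to anonymous job
submission, and apply an account-lockout rule to constructed access-log
lines.  Log lines, allowlist and thresholds are constructed assumptions."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# (property, weak value, why it matters).  The weak value is also Hadoop's
# default, so a property that is simply absent counts as weak.
WEAK_SETTINGS = [
    ("hadoop.security.authentication", "simple",
     "cluster trusts any client-asserted identity; use kerberos"),
    ("hadoop.http.authentication.type", "simple",
     "web endpoints take identity from a query parameter; use kerberos"),
    ("hadoop.http.authentication.simple.anonymous.allowed", "true",
     "requests with no user.name run as the static user"),
    ("yarn.acl.enable", "false",
     "no ACL checks on queue submission or admin operations"),
]

def audit_yarn_config(props):
    """Return [(property, reason)] for every weak setting in a dict of
    core-site.xml / yarn-site.xml values.  An empty dict is fully open."""
    return [(key, why) for key, weak, why in WEAK_SETTINGS
            if props.get(key, weak).strip().lower() == weak]

# ResourceManager REST paths a client must POST to in order to run a
# command on the cluster; these are what DemonBot-style loaders call.
SUBMIT_PATHS = {"/ws/v1/cluster/apps/new-application", "/ws/v1/cluster/apps"}
STATIC_USER = "dr.who"      # Hadoop's default hadoop.http.staticuser.user
LOCKOUT_THRESHOLD = 5       # constructed policy: lock after 5 failed logins

# NCSA common log format, assumed for the RM web app's request log.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) '
                    r'(?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$')

def parse_line(line):
    """Split one access-log line into ip, method, path, status and the
    user.name query parameter (None when absent)."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    url = urlsplit(m["target"])
    return {"ip": m["ip"], "method": m["method"], "path": url.path,
            "status": int(m["status"]),
            "user": parse_qs(url.query).get("user.name", [None])[0]}

def analyse(lines, allowed_submitters):
    """Return (alerts, locked).  alerts: job submissions by anonymous or
    static identities, or from hosts outside the allowlist.  locked:
    identities whose failed logins (HTTP 401) reached the threshold."""
    alerts, failures = [], Counter()
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["status"] == 401:
            failures[rec["user"] or rec["ip"]] += 1
            continue
        if rec["method"] != "POST" or rec["path"] not in SUBMIT_PATHS:
            continue
        if rec["user"] in (None, STATIC_USER):
            alerts.append(f"anonymous submission from {rec['ip']} to {rec['path']}")
        elif rec["ip"] not in allowed_submitters:
            alerts.append(f"submission by {rec['user']} from unexpected host {rec['ip']}")
    locked = sorted(i for i, n in failures.items() if n >= LOCKOUT_THRESHOLD)
    return alerts, locked

# Constructed sample log; 198.51.100.0/24 and 203.0.113.0/24 are RFC 5737
# documentation ranges standing in for internet-facing sources.
SAMPLE_LOG = """\
10.0.5.20 - - [20/Nov/2018:09:01:02 +0000] "GET /ws/v1/cluster/info HTTP/1.1" 200 512
203.0.113.7 - - [20/Nov/2018:09:02:10 +0000] "POST /ws/v1/cluster/apps/new-application HTTP/1.1" 200 98
203.0.113.7 - - [20/Nov/2018:09:02:11 +0000] "POST /ws/v1/cluster/apps HTTP/1.1" 202 0
203.0.113.8 - - [20/Nov/2018:09:03:40 +0000] "POST /ws/v1/cluster/apps?user.name=dr.who HTTP/1.1" 202 0
10.0.5.21 - - [20/Nov/2018:09:05:00 +0000] "POST /ws/v1/cluster/apps?user.name=etl HTTP/1.1" 202 0
198.51.100.9 - - [20/Nov/2018:09:06:00 +0000] "POST /ws/v1/cluster/apps?user.name=admin HTTP/1.1" 401 0
198.51.100.9 - - [20/Nov/2018:09:06:01 +0000] "POST /ws/v1/cluster/apps?user.name=admin HTTP/1.1" 401 0
198.51.100.9 - - [20/Nov/2018:09:06:02 +0000] "POST /ws/v1/cluster/apps?user.name=admin HTTP/1.1" 401 0
198.51.100.9 - - [20/Nov/2018:09:06:03 +0000] "POST /ws/v1/cluster/apps?user.name=admin HTTP/1.1" 401 0
198.51.100.9 - - [20/Nov/2018:09:06:04 +0000] "POST /ws/v1/cluster/apps?user.name=admin HTTP/1.1" 401 0
""".splitlines()

# Constructed: the only host that should submit jobs from outside the cluster.
ALLOWED_SUBMITTERS = {"10.0.5.21"}

def run_sample():
    return analyse(SAMPLE_LOG, ALLOWED_SUBMITTERS)

if __name__ == "__main__":
    print(audit_yarn_config({}))
    print(run_sample())
```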
Also, keep all your organization’s software up-to-date and prevent brute-force attacks by implementing an account lockout policy: for instance, after a certain number of failed login attempts, the account is locked out until an administrator unlocks it. By leveraging the security vulnerability in enterprise Linux servers running Apache Hadoop YARN, attackers can generate much more powerful DDoS attacks. Protect your organization’s online resources, such as websites, from DDoS attacks by using easy-to-use, cost-effective and comprehensive DDoS protection. Contact us today if you need assistance in protecting your organization’s network from malware like Mirai and protecting your organization’s online resources from DDoS attacks.

How Cryptocurrency Mining Malware Evades Detection

The recent rise of cryptocurrency mining malware is driven not just by its high-profit potential, but also by its ability to remain undetected in a compromised system. Early this month, Nova Scotia-based St. Francis Xavier University announced that it purposely shut down all its network systems in response to a cryptojacking attack, in which attackers attempted to illicitly mine the cryptocurrency Bitcoin using the university’s collective computing power. The price of Bitcoin as of November 13, 2018 (8:30 AM GMT+7) is $6,370, way below the all-time high of nearly $20,000 in December 2017, but still way above the $317 price of Bitcoin back in January 2015. For Bitcoin mining to be profitable, one needs to invest in a reasonable number of powerful computers and bear high electricity costs. Illicit cryptocurrency mining, also known as cryptojacking, hijacks someone else’s computing power without their consent to mine cryptocurrency such as Bitcoin.

Cryptocurrency Mining Malware Evasion Techniques

Many organizations continue with their usual IT operations without even realizing that the organization’s computers are being used illicitly by cyberattackers for cryptocurrency mining.
Based on the combined data of several Cyber Threat Alliance (CTA) members, from 2017 to September 2018, illicit cryptocurrency mining increased by 459%. Researchers at Trend Micro recently discovered a cryptocurrency mining malware that uses multiple techniques to evade detection. The cryptocurrency mining malware, detected by Trend Micro as Coinminer.Win32.MALXMR.TIAOODAM, uses the following evasion techniques to make it harder for detection tools to discover it:

First, Coinminer.Win32.MALXMR.TIAOODAM evades detection by arriving on the victim’s computer as a Microsoft Windows Installer MSI file. Windows Installer is a software program used for installing and uninstalling software. Using a real Windows component, researchers at Trend Micro said, makes the cryptocurrency mining malware look less suspicious and potentially allows it to bypass certain security filters.

Second, Coinminer.Win32.MALXMR.TIAOODAM evades detection by creating copies of the kernel file ntdll.dll and the Windows USER component user32.dll in %AppData%\Roaming\Microsoft\Windows\Template\FileZilla Server\{Random Numbers}. Researchers at Trend Micro theorized that this is done to prevent detection of the cryptocurrency mining malware’s application programming interface (API) – a set of programming instructions and standards for accessing a software application.

Third, Coinminer.Win32.MALXMR.TIAOODAM evades detection by coming with a self-destruct mechanism, a feature that deletes every file under its installation directory and removes any trace of installation from the system.

Fourth, Coinminer.Win32.MALXMR.TIAOODAM evades detection by coming with WiX, which stands for Windows Installer XML, a free software toolset for building Windows Installer packages from XML. Researchers at Trend Micro said that WiX is an added layer developed by the attackers to evade detection.
Initial infection by Coinminer.Win32.MALXMR.TIAOODAM could come from emails laden with malicious attachments and malicious URLs. Early this year, attackers used multiple techniques in their cryptocurrency mining malware to evade detection, this time in utilizing Tesla’s computing power to mine a cryptocurrency. In February this year, RedLock reported that Tesla’s Amazon Web Services (AWS) cloud account was compromised by attackers through Kubernetes – open source software used to deploy and manage cloud-based applications and resources. RedLock said that Tesla's Kubernetes wasn’t password protected, enabling attackers to execute a cryptomining command from Kubernetes. According to RedLock, the cryptocurrency mining malware used in the Tesla cryptojacking incident wasn’t initially detected because the attackers used the following evasion techniques:

First, the attackers configured the cryptomining malware to keep CPU usage low to evade detection. The CPU, which stands for central processing unit, is the component that performs most of the processing inside a computer. Unusually high CPU usage is a sign that computers are being used for cryptocurrency mining. Illicit Bitcoin mining is typically discovered through unusually high CPU usage. It’s, however, not enough to check CPU usage as a gauge for cryptocurrency mining, as other cryptocurrencies use less CPU. Aside from the illicit mining of Bitcoin, attackers are also drawn to hijacking the computing power of others to mine the cryptocurrency Monero (valued at $105 as of November 13, 2018 at 10 AM GMT+7), as this cryptocurrency uses less computing power and is more anonymous compared to Bitcoin.

Second, attackers in the Tesla cryptojacking incident didn’t use a well-known public “mining pool” – a means by which cryptominers share their computing power over a network and split the reward equally. By using an “unlisted” or semi-public mining pool, the attackers in the Tesla cryptojacking incident initially went unnoticed.
Third, in addition to using an unlisted mining pool, the attackers in the Tesla cryptojacking incident hid the true IP address of their mining pool server behind CloudFlare, a free content delivery network (CDN) service, making detection even more difficult.

Fourth, the attackers in the Tesla cryptojacking incident configured their cryptomining malware to listen on a non-standard port, making it difficult to detect unusual activity based on port traffic.

Prevention

Protecting your organization’s computers or network from cryptocurrency mining malware is important, as this malware can damage your organization’s computers, negatively impact business operations and lead to further cyberattacks. Here are some measures to prevent attackers from using your organization’s computing power for cryptocurrency mining:
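Because a CPU threshold on its own misses a throttled miner, a defender has to correlate the weaker signals described in the two incidents above. The following Python script is an added example, not code from the post, from Trend Micro or from RedLock; the telemetry record layout, thresholds, CDN range and sample processes are constructed assumptions, while the indicators themselves (steady throttled CPU, a long-lived connection on a non-standard port, a CDN-fronted peer, and system DLL copies loaded from outside System32) come from the incidents the post describes.

```python
"""Added example, not code from the post, Trend Micro or RedLock: score
constructed endpoint telemetry against the evasion tricks described in the
post (throttled CPU, non-standard port, CDN-fronted pool, system DLL copies
outside System32) to show why a CPU threshold alone misses a throttled
miner.  Record layout, thresholds and sample data are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

CPU_ALERT_PCT = 80.0            # the naive "unusually high CPU" rule
STEADY_CPU_MIN_PCT = 15.0       # constructed: busy enough to be mining
STEADY_CPU_MAX_STDEV = 3.0      # constructed: flat, throttled usage curve
LONG_LIVED_MINUTES = 60         # constructed: persistent pool connection
WELL_KNOWN_PORTS = {22, 25, 53, 80, 443, 587, 993}
SYSTEM_DLL_NAMES = {"ntdll.dll", "user32.dll"}
SYSTEM_DIR = "c:\\windows\\system32\\"
# Constructed placeholder for CDN address space; in practice load the
# provider's published IP ranges.
CDN_NETS = [ip_network("203.0.113.0/24")]

@dataclass
class ProcessRecord:
    name: str
    cpu_samples: list                 # percent CPU, one reading per minute
    remote_ip: str = ""               # outbound peer, "" if none
    remote_port: int = 0
    minutes_alive: int = 0
    loaded_dlls: list = field(default_factory=list)

def cpu_only_rule(rec):
    """The detection the post says attackers tune their miner to defeat."""
    return max(rec.cpu_samples) >= CPU_ALERT_PCT

def miner_indicators(rec):
    """Return the list of evasion-related indicators present in one record."""
    reasons = []
    avg = mean(rec.cpu_samples)
    if STEADY_CPU_MIN_PCT <= avg < CPU_ALERT_PCT and pstdev(rec.cpu_samples) <= STEADY_CPU_MAX_STDEV:
        reasons.append(f"steady throttled CPU use ({avg:.0f}%)")
    if rec.remote_port and rec.remote_port not in WELL_KNOWN_PORTS and rec.minutes_alive >= LONG_LIVED_MINUTES:
        reasons.append(f"long-lived connection to non-standard port {rec.remote_port}")
    if rec.remote_ip and any(ip_address(rec.remote_ip) in net for net in CDN_NETS):
        reasons.append("peer is a CDN edge, real pool address hidden")
    for dll in rec.loaded_dlls:
        low = dll.lower()
        if low.rsplit("\\", 1)[-1] in SYSTEM_DLL_NAMES and not low.startswith(SYSTEM_DIR):
            reasons.append(f"system DLL loaded from outside System32: {dll}")
    return reasons

def triage(records, min_indicators=2):
    """Map process name -> indicators for records with enough signals to review."""
    out = {}
    for rec in records:
        reasons = miner_indicators(rec)
        if len(reasons) >= min_indicators:
            out[rec.name] = reasons
    return out

# Constructed sample telemetry: a throttled miner, a browser, a backup job.
MINER = ProcessRecord(
    "updater.exe", [22, 24, 23, 22, 25, 23], "203.0.113.45", 14444, 600,
    [r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Template\FileZilla Server\8123\ntdll.dll"])
BROWSER = ProcessRecord(
    "browser.exe", [5, 40, 12, 60, 3, 8], "198.51.100.10", 443, 300,
    [r"C:\Windows\System32\user32.dll"])
BACKUP = ProcessRecord("backup.exe", [95, 97, 96, 94, 95, 96], "10.0.0.9", 22, 45)
SAMPLE_RECORDS = [MINER, BROWSER, BACKUP]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec.name, "cpu-only:", cpu_only_rule(rec), "indicators:", miner_indicators(rec))
    print(triage(SAMPLE_RECORDS))
```

The CPU-only rule fires on the legitimate backup job and stays silent on the throttled miner, while the correlated indicators single out the miner alone.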
11/12/2018

Why the Pentagon Data Breach is a Wake-up Call for Better Screening of Third-party Vendors

On October 14, 2018, news of a major data breach at the Pentagon hit the headlines. This was a startling, even disturbing, reminder that even the most important, most secure institutions in the world are vulnerable when hackers identify a way into their systems. As the Department of Defense’s headquarters, the Pentagon plays a critical role in the United States military and national security: it oversees all aspects of the Air Force, Marines, Army, Coast Guard and Navy, ultimately helping to defend the country. The very notion that a global symbol of security and power would fall prey to a data breach has surprised many, but it shouldn’t have. At a time when cyber-criminals continue to employ increasingly sophisticated techniques to disrupt businesses and organizations of all kinds, this incident is proof positive that proper screening of third-party vendors is critical for effective cybersecurity.

What Data was Involved in The Pentagon Breach?

It’s believed as many as 30,000 employees’ travel records were compromised as a result of the data breach. This includes personal details and credit-card data pertaining to civilians and military personnel: all sensitive information that could have serious financial repercussions if acted upon. The breach may have first occurred months before it was discovered, and it’s believed the actual number of people potentially affected could rise as the investigation continues. However, no classified information is said to have been compromised.

How Did the Pentagon Breach Happen?

The Pentagon breach was the result of work conducted by a ‘single commercial vendor’, delivering its service to a ‘very small percentage’ of the DoD’s employees.
The vendor in question has remained anonymous and was, in the days after the announcement, still contracted to provide its services. News of the breach struck after the U.S. Government Accountability Office confirmed that work had been undertaken to secure the Pentagon’s networks, though its weapons system security was under closer scrutiny. They claimed they face more and more challenges in keeping weapons systems secure, due to the rise of sophisticated cyber-crime tactics. Pentagon personnel have faced similar issues before. A large attack on the federal Office of Personnel Management in 2015 left the personal details of over 21 million individuals (including people at the Pentagon) compromised. As with this latest incident, the 2015 attack supposedly first occurred months before word of it reached the media.

Who was Responsible for The Pentagon Breach?

One or more attackers seized an opportunity to exploit the vendor’s access to the Pentagon’s network, ultimately stealing the travel records. Little else is known. This incident, though, is a prime example of how ambitious (or, rather, brazen) cyber-criminals are in their choice of targets. While some may focus on distributing ransomware to small businesses in exchange for payment, others are clearly setting their sights a little higher. The tools and technology available to such individuals empower them to exploit weaknesses in even those systems that should be the most airtight in the world. While the exact circumstances surrounding the vulnerability created by the vendor remain secret, there is no doubt the company responsible is determined to avoid such an oversight happening again. It’s also highly likely that the vendor has a strong reputation and valuable experience to have secured the contract with the Department of Defense in the first place.
This entire incident demonstrates why it’s so vital for businesses and organizations of all sizes, in all sectors, to perform thorough screening of any vendors they intend to work with.

Screening Vendors, Protecting Your Business

No business or organization should ever start working with a vendor without checking their credentials and their background. Simply settling on the first firm on your radar may not deliver the results you expect — and any mistakes or general incompetence on their part could have major repercussions. You might not have data pertaining to thousands or even millions of civilians in your records, but you could still be risking your customers’ and employees’ privacy by choosing a sub-par team. If a data breach were to rock your company or organization, the damage could be extensive. First and foremost, those customers whose details have been compromised would be incredibly unlikely to keep working with you in the future. Fast, effective action can help to minimize the fallout and keep their finances safe from unauthorized access, but their perception of your brand would still be soured. Your reputation would be affected too, making it more difficult to build trust with new customers or affiliates. That’s not to mention the sheer disruption a breach could cause to your everyday operations, leaving you unable to deliver the services your customers expect for hours, days or longer. This equates to a potential loss of business and, sadly, income. Undertaking effective, in-depth screening of your vendors is the smart choice. Look into any reviews you can find online to learn more about the quality of service previous clients have received. Did they perform as required? Did they use the right processes and achieve the goals they set out to, with respect for the client’s security needs? You may consider approaching some of these clients to get a deeper insight into their experience.
Make sure to speak with prospective vendors at length to get a better idea of how they work, what security measures they take to safeguard systems against breaches, and more. You can only ask so many questions and ask for so many examples of their prior work before making your decision, but doing your research will help ensure the safest choice for your business or organization. At The Driz Group, we’re committed to helping our clients stay protected and compliant, minimizing the risk of cyber-attacks using the latest automated third-party screening technologies. Want to learn more about what we can do for you? Just get in touch!

Look Back into the First Major Cyberattack: The Morris Worm

Thirty years ago, the Morris worm, dubbed the first major cyberattack, was unleashed into the wild, crashing or slowing to a crawl 10%, or 6,000, of the 60,000 computers then connected to the “Internet”.

What Is the Morris Worm?

The Morris worm is named after its creator Robert Tappan Morris. A worm, meanwhile, refers to a type of malicious software (malware) that has the ability to spread itself within networks without user interaction. Court documents showed that Morris, then a first-year graduate student in Cornell University's computer science Ph.D. program, released the worm on November 2, 1988 through a computer at the Massachusetts Institute of Technology (MIT), which Morris hacked into using a Cornell University computer. The Morris worm was released into the wild a year before the world wide web came into existence. The term “Internet” then referred to a U.S. computer network composed of connected computers from prestigious colleges, research centers, governmental and military agencies. In less than 24 hours on November 2, 1988, the Morris worm infected the computers of institutions including Harvard, Princeton, Stanford, Johns Hopkins, the National Aeronautics and Space Administration (NASA) and the Lawrence Livermore National Laboratory.
While the worm didn’t destroy or damage files, infected computers slowed to a crawl or ceased functioning, and emails were delayed for days. The estimated cost of dealing with the Morris worm at each installation ranged from $200 to over $53,000. The worm infected computers running a specific version of the Unix operating system in 4 ways:

First, via a security vulnerability in “SEND MAIL”, a computer program that transfers and receives electronic mail;

Second, via a security vulnerability in the "finger demon", a computer program that allows extraction of limited information about the users of another computer;

Third, via the "trusted hosts" feature, which allows a user with certain privileges on one computer to have equivalent privileges on another computer without using a password; and

Fourth, via a program that guesses passwords using various combinations of letters tried out in rapid succession, hoping that one will be an authorized user's password. When the correct password is entered, the intruder is allowed whatever level of activity the user is authorized to perform.

Morris designed the worm to stay hidden. The worm was designed so that it wouldn’t copy itself onto a computer that already had a copy. The worm was also designed so that it would be killed when a computer was shut down.

Consequences of the Morris Worm

For unleashing the worm into the wild, Morris became the first person convicted of violating the U.S. Computer Fraud and Abuse Act, which outlaws unauthorized access to protected computers. He was sentenced to 3 years of probation, 400 hours of community service, a fine of $10,050 and the costs of his supervision. The first major cyberattack, perpetrated by the Morris worm, showed how vulnerable interconnected computers had become. Just days after the Morris worm attack, the U.S. Government created the country’s first computer emergency response team under the direction of the Department of Defense.
Developers also began creating intrusion detection software. On the flip side, the Morris worm inspired a new breed of malicious hackers, plaguing the digital age. In recent memory, the worm that most resembles the devastation caused by the Morris worm is the WannaCry worm, commonly known as WannaCry ransomware. In less than 24 hours on May 12, 2017, more than 300,000 computers in 150 countries were infected by WannaCry, each demanding a ransom payment. WannaCry is categorized as a worm because, like the Morris worm, it has the ability to spread itself within networks without user interaction. WannaCry specifically exploited a security vulnerability in the Server Message Block protocol (SMB protocol) in some versions of Microsoft Windows. The SMB protocol allows users to access files, printers and other resources on a network.

Prevention

Here are some cybersecurity measures to protect your organization’s computers or networks from worms similar to WannaCry and the Morris worm:

Implement Network Segmentation

In network segmentation, vital computers that house critical information and operations are separated or disconnected from computers connected to vulnerable systems like the public internet. Network segmentation ensures that when internet-facing computers are infected by a worm, these vital computers aren’t affected.

Keep All Software Up-to-Date

Make sure that software security updates are installed as timely as possible, not months or years after the release dates of the security updates. Cyberattackers have automated the process of scanning the internet to find vulnerable computers – those that fail to install security updates. This was the case for WannaCry victims, who failed to install the security update issued by Microsoft months before the WannaCry cyberattack.

Refrain from Using Legacy Hardware and Software

The term “legacy” refers to old and outdated computer hardware or software.
Similar to computers that fail to install security updates in a timely manner, legacy hardware and software programs are targeted by cyberattackers because they no longer receive security updates from their vendors. Some versions of Microsoft Windows (the Windows XP, Windows 8, and Windows Server 2003 operating systems) were targeted by WannaCry attackers because, at the time of the attack, these software programs were no longer supported by Microsoft. A day after the WannaCry attack, however, Microsoft released security updates for Windows XP, Windows 8, and Windows Server 2003. Protecting computers or networks from worms and other malicious software is important in order to prevent data breaches. Under Canada’s Digital Privacy Act, starting November 1 this year, private organizations are mandated to notify the Privacy Commissioner of Canada and the affected individual “as soon as feasible” in the event that a data breach poses a “real risk of significant harm” to any individual. When you need help assessing and mitigating cybersecurity risks, contact our team of experts and minimize the likelihood of a data breach.
Author: Steve E. Driz, I.S.P., ITCP
11/30/2018