1.888.900.DRIZ (3749)
The Driz Group
  • Managed Services
    • SME CyberShield
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Careers
    • Subsidiaries
  • Contact
    • Newsletter
  • How WAF Works
  • Blog
  • Managed Services
    • SME CyberShield
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Careers
    • Subsidiaries
  • Contact
    • Newsletter
  • How WAF Works
  • Blog

Cybersecurity Blog

Thought leadership. Threat analysis. Cybersecurity news and alerts.

11/29/2020

0 Comments

How to prevent ransomware attacks: Best practices guide

 
Picture

How to prevent ransomware attacks: Best practices guide

Ransomware attacks are becoming common. The city of Saint John in New Brunswick recently fell victim to a ransomware attack.

What Is Ransomware Attack?

Ransomware attack is a type of cyberattack in which victims’ files are locked and held for ransom. In a ransomware attack, an attacker promises that in exchange for a ransom payment, the key or keys that would unlock the lock files would be released.

Ransom payment isn’t a guarantee that your organization will get back your files as some keys given by attackers don’t work by design or through errors in coding. Today’s ransomware attackers demand two ransom payments, one for unlocking the locked files, and another ransom payment to prevent them from publishing stolen data. This second ransom payment shows that today’s ransomware attackers, not just lock victims’ files but also steal data.

City of Saint John Ransomware Attack

A few weeks ago, the city of Saint John in New Brunswick fell victim to a ransomware attack. Last November 17, Don Darling, the Mayor of the city of Saint John, confirmed that the city’s IT system was hit by ransomware.

To protect the city’s IT system, the Mayor of Saint John said the city’s website, servers, and email system have been disabled. Due to the nature of the attack, the Mayor said the city won’t comment on the ransom demand. Saint John city manager John Collin, meanwhile, said that as of November 17, there was no indication that personal information was accessed or transferred in the ransomware attack.

Weeks after the ransomware attack, the Saint John city manager said that the city departments' phone lines, email to most city hall employees, and online payments are still unavailable. Saint John city manager said that taking the systems offline was an "immediate and proactive" response to contain the attack. "Our network will be back online only once we are sure that it is safe to do so," he said.

In the case of the city of Saint John, it wasn’t revealed how the ransomware attacker or attackers’ initially compromised the city’s IT system.

Exposure via Third-Party Software

The recent ransomware attack on the city of Saint John isn’t the first time that the city fell victim to a cyberattack.

In December 2018, Stas Alforov, director of research and development for Gemini Advisory, said the firm discovered nearly 300,000 payment records in underground marketplaces that specialize in the sale of compromised payment card data. According to Alforov, the payment records were stolen from 46 confirmed compromised US locations and one Canadian location, with 6,000 payment records from Canada. That one Canadian location is the city of Saint John.

Alforov said the breach of nearly 300,000 payment records is part of the larger hacking operation conducted by the same hacking group. Analysis of the card data, Alforov said, found that payment records have likely been stolen from municipal government services that used the software called “Click2Gov,” a payment software primarily used by local governments to receive various payments.

In the case of the city of Saint John, the Click2Gov payment software was used for paying parking tickets through the city's website. Alforov told Huffington Post Canada that he received a call from the city of Saint John after the publication of his report. The city, he said, wasn't aware of the data breach. Alforov added that the city’s parking ticket payment system appeared to have been breach back in September 2017.

To date, there’s no information on whether the past data breach on the city of Saint John’s parking ticket system is related to the recent ransomware attack.

Other victims of ransomware attacks such as the city of Keene, Texas, were able to establish the link between the compromised third-party software and the resulting ransomware attack. In August 2019, Keene Mayor Gary Heinrich told NPR that ransomware attackers compromised the software used by the city. This software, the mayor said, was managed by a third-party company. Said software was also used by close to two dozen local governments in Texas, which also fell to a collective ransomware attack.

"They got into our software provider, the guys who run our IT systems," Heinrich said. "Well, just about everything we do at City Hall is impacted.”

The ransomware attack on the local governments of Texas, including the City of Keene, showed a gateway by which ransomware attackers initially compromise their victims, that is, through third-party software.

Cybersecurity Best Practices

Here are some of the best cybersecurity practices against ransomware attacks:

Properly Vet Third-Party Software

Third-party software, which your organization has no control over the source code, should be properly vetted in the cybersecurity area.

Keep All Software Up to Date

Apply in a timely manner software updates, also known as patches, that are released by software vendors. These patches not only contain feature upgrades but also updates fixing known security vulnerabilities.

Ransomware attackers have been known to initially compromise victims by exploiting a known security vulnerability, in which the software vendor already released a patch but the software users failed to apply the patch in a timely manner.

Practice the 3-2-1 Backup Rule

The 3-2-1 backup rule is your organization’s best defense against the first type of ransom demand: ransom demand to unlock files. The 3-2-1 backup rule states that three backup copies should be kept, two in different formats, and one of these copies should be kept offsite.

This isn’t, however, the answer to the second type of ransom demand: ransom demand to prevent stolen data publication.

When you need help, our team of cybersecurity and IT experts is a phone call away. Connect with us today, and take a proactive approach to cybersecurity.

0 Comments

11/22/2020

0 Comments

Upcoming Holiday Shopping Season Brings New Level of Cybercrime Threats to Online Retailers

 
cybercrime threat to online retailers

Upcoming Holiday Shopping Season Brings New Level of Cybercrime Threats to Online Retailers

Online shopping this holiday season is projected to be unprecedented, with many people staying at home and opting to shop online as a result of the COVID-19 mandatory lockdown or due to self-imposed lockdown.

The expected online shopping surge creates a perfect stage for cybercrimes.

Shift to Online Shopping

Statistics Canada reported that from February 2020 to May 2020, retail e-commerce sales soured by 99.3%. The record gain in e-commerce, however, resulted in a record decline in retail sales.

Statistics Canada reported that for the same period, the total retail sales fell by 17.9%. The impact of COVID-19, Statistics Canada said, is best highlighted using the April 2020 data, with a 26.4% decline in retail sales compared to the April 2019 data.

A survey conducted by Deloitte showed that 47% of Canadian consumers said they’ve been shopping online more often since the COVID-19 crisis began. The survey further showed that the same number of Canadian consumers (47%) will likely head online to find gifts and other items this holiday season, with the remaining 53% to head to traditional retails stores. While the number of those who intend to do their shopping in the traditional way is few points higher than those who intend to shop online this holiday season, this data is high enough as 69% of holiday shoppers shopped in the retails stores during the holiday season in 2019.

“A lot has changed since the 2019 outlook,” Deloitte said. “COVID-19 has changed how Canadians live, work, and shop, and it has turbocharged the fundamental shifts in consumer behaviour that were already underway.”

Imperva, meanwhile, reported that from March 1 to March 22, 2020, retail websites’ traffic worldwide soured by as much as 28% on a weekly average.

Holiday Season Cybercrime Threats

A new report from Imperva showed that the upcoming holiday shopping season will present online retailers with a new level of traffic, at the same time, never seen before level of cybercrime threats. According to Imperva, online retailers will face the following cybercrime threats this holiday season:

Bad Bots Attacks

According to Imperva, bad bots, as a group, is a top threat to online retailers, before and during the pandemic. A bad bot refers to a software application that runs automated tasks over the internet.

As opposed to a good bot which runs automated tasks over the internet for legitimate purposes, the purpose of a bad bot is malicious. Bad bots interact with software applications in the same way as legitimate users would, making them indistinguishable from legitimate users.

An example of a bad bot is a bot that interacts with a website’s login interface, attempting to “brute-force” its way by attempting to login using the trial and error method in guessing the correct username and password combination. Aside from brute-force attacks, bad bots are used for competitive data mining, personal and financial data harvesting, and more.

API Attacks

According to Imperva, API attacks are attractive targets due to the sensitive payment data they hold. The volume of attacks on retailers’ APIs far exceeded average levels this year, Imperva said.

API, short for An Application Programming Interface, is a software intermediary that allows other software applications to communicate with one another. A website API, for instance, connects between applications such as databases.

DDoS Attacks

According to Imperva, retail sites experienced an average of eight application layer DDoS attacks a month, with a significant spike in April 2020 as lockdowns resulted in the demand for online shopping. DDoS, short for distributed denial of service, refers to a cyberattack that attempts to make an online service, such as a website, unavailable to legitimate users.

DDoS uses bad bots. In DDoS attacks, bad bots are organized into a botnet – referring to hijacked computers that are controlled by attackers to conduct malicious activities such as DDoS attacks. Application layer DDoS, meanwhile, is a type of DDoS attack comprised of malicious requests with the end goal of crashing the web server.

Client-Side Attacks

According to Imperva, retail sites are vulnerable to client-side attacks as many of these sites are built on frameworks using a number of third-party code. Client-side refers to anything that’s displayed or takes place on the client – end user – using a browser. This includes what the user sees on the site’s online form.

The attack on Ticketmaster is an example of a client-side attack. In June 2018, Ticketmaster made public that they had been compromised and that attackers stole customer information. RiskIQ, the company that discovered the attack, reported that Ticketmaster wasn’t directly compromised but the site’s third-party supplier known as Inbenta was. According to RiskIQ, attackers either added or replaced Inbenta’s code used for Ticketmaster with a malicious one.

A client-side attack also directly compromises the website itself. Such was the case in the British Airways website client-side attack. The attack was discovered by RiskIQ.

According to RiskIQ, a malicious code was found in British Airways’ baggage claim page where customers were required to enter their personally identifiable information. The malicious code then sent the information entered to a URL that looked like it belonged to British Airways. Upon closer inspection, however, the URL wasn’t owned by British Airways.

It’s still unknown how the malicious code got into the British Airways’ site in the first place.

Worried about your website or web application and looking to better protect it? Contact us today to see how to mitigate the risks quickly and efficiently.

0 Comments

11/15/2020

0 Comments

Increased Cybercrime Threat to Canadian Healthcare Organizations

 
Cybercrime Threat to Canadian Healthcare Organizations

Increased Cybercrime Threat to Canadian Healthcare Organizations

In recent months, threat actors have launched cyberattacks against organizations in the healthcare sector, including those based in Canada, according to the latest report released by Microsoft.

In the blog post "Cyberattacks targeting health care must stop," Tom Burt, Corporate Vice President for Customer Security and Trust at Microsoft, said that the targets include organizations in the health sector in Canada, France, India, South Korea and the United States. Burt identified three threat groups and gave these threat groups codename: Strontium, Zinc and Cerium.

According to Burt, Strontium uses password spray and brute force login attempts to steal login credentials. “These are attacks [password spray and brute force login attempts] that aim to break into people’s accounts using thousands or millions of rapid attempts,” Burt said.

Password spray refers to a cyberattack that uses a small number of common passwords to brute force large numbers of accounts. Brute force attack, meanwhile, refers to a cyberattack that uses the trial-and-error method in guessing the correct username and password combination.

According to the Corporate Vice President for Customer Security and Trust at Microsoft, Zinc and Cerium use spear-phishing lures for credential theft. Spear-phishing is a cyberattack in which a threat actor, masquerading as a trusted individual or entity, tricks targeted individuals into clicking a bogus email, text message or instant message.

In the case of the threat actor Zinc, the Corporate Vice President for Customer Security and Trust at Microsoft said the spear-phishing lures for credential theft, sending messages with fabricated job descriptions pretending to be recruiters, while threat actor Cerium engaged in spear-phishing email lures using Covid-19 themes while masquerading as World Health Organization representatives.

Ransomware Attacks in the Healthcare Sector

The Canadian, Australian, the U.S. and UK Governments, meanwhile, issued separate alerts warning about the increased ransomware activity targeting the healthcare sector. Ransomware is a type of cyberattack that uses a malicious software (malware) that encrypts victims’ files, locking out victims of these files.

In traditional ransomware attacks, attackers demand from the victims ransom in exchange for the keys that would unlock the encrypted files. Modern-day ransomware attackers not just demand ransom to unlock the encrypted files, they also demand ransom in exchange for not publishing the stolen files gathered during the ransomware attack.

In September of this year, the University Hospital Düsseldorf in Germany reported a ransomware attack. The attack rendered 30 servers used by the hospital inoperable, forcing the hospital to turn away patients even those with life-threatening conditions.

According to German authorities, a patient with a life-threatening condition was turned away and sent to another hospital some 20 miles away and died as a result of the treatment delay. This is the first reported death as a result of a cyberattack.

Threat Actors Tool Evolution

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) issued the alert “Ransomware Activity Targeting the Healthcare and Public Health Sector,” warning that threat actors targeting the U.S. healthcare sector use the malware called “BazarLoader,” often leading to ransomware attacks, data theft, and the disruption of healthcare services.

In a recent alert “Renewed Cyber Threats to Canadian Health Organizations,” the Canadian Centre for Cyber Security (Cyber Centre) said threat actors targeting the Canadian healthcare sector have been observed using the BazarLoader malware for initial compromise on victims’ networks for the eventual deployment of the ransomware called “Conti,” believed to be the successor of Ryuk ransomware. The Cyber Centre said that the BazarLoader malware is typically deployed via a phishing email.

Phishing, in general, doesn’t have a particular target as its aim is to victimize whoever takes the bait. Opposite to phishing is spear-phishing which targets certain individuals or organizations.

The BazarLoader malware, the Canadian Centre for Cyber Security said, provides a backdoor through which additional malware is introduced to the victim’s network. Once inside the victim’s network, the Cyber Centre said, the malware called “Anchor” is used to maintain a presence on the network. Anchor is comprised of a framework of tools that allows the covert uploading of malicious tools, and, once done, to remove any evidence of malicious activity.

The Australian Cyber Security Centre, meanwhile, issued its own alert "SDBBot Targeting Health Sector," warning that it has observed increased targeting activity against the Australian health sector by threat actors using the SDBBot Remote Access Tool for the eventual deployment of ransomware called “Clop.”

SDBBot has three components: 1) an installer that allows threat actors to establish persistence on the victim’s network; 2) a loader that downloads additional components; and 3) the remote access tool itself allows threat actors full control of compromised computers, remotely. Once inside the victims’ networks, threat actors also use SDBBot to move within the victims’ networks and steal data.

Cybersecurity Best Practices

Below are some of the cybersecurity best practices to mitigate the risks:

  • Keep all operating systems, software and firmware up to date.
  • Regularly change passwords to network systems and accounts and use multi-factor authentication if possible.
  • Disable remote access/Remote Desktop Protocol (RDP) ports if not needed and monitor remote access/RDP logs when used.
  • Practice network segmentation. Critical data shouldn’t be kept on the same server for mundane day-to-day data.
  • Implement the 3-2-1 rule in backing up critical data. This rule states that three copies of critical data should be kept, with two copies kept in different types of storage media, and one copy should be kept offline.

Is your organization at risk? Let us help you evaluate your controls quickly and efficiently.

Email us today at [email protected] and sleep better at night knowing that your business is well protected against cybercriminals.

0 Comments

    Author

    Steve E. Driz, I.S.P., ITCP

    Picture
    View my profile on LinkedIn

    Archives

    March 2025
    February 2025
    January 2025
    November 2024
    October 2024
    September 2024
    July 2024
    June 2024
    April 2024
    March 2024
    February 2024
    January 2024
    December 2023
    November 2023
    October 2023
    September 2023
    August 2023
    July 2023
    June 2023
    May 2023
    April 2023
    March 2023
    February 2023
    January 2023
    December 2022
    June 2022
    February 2022
    December 2021
    November 2021
    October 2021
    September 2021
    August 2021
    July 2021
    June 2021
    May 2021
    April 2021
    March 2021
    February 2021
    January 2021
    December 2020
    November 2020
    October 2020
    September 2020
    August 2020
    July 2020
    June 2020
    May 2020
    April 2020
    March 2020
    February 2020
    January 2020
    December 2019
    November 2019
    October 2019
    September 2019
    August 2019
    July 2019
    June 2019
    May 2019
    April 2019
    March 2019
    February 2019
    January 2019
    December 2018
    November 2018
    October 2018
    September 2018
    August 2018
    July 2018
    June 2018
    May 2018
    April 2018
    March 2018
    February 2018
    January 2018
    December 2017
    November 2017
    October 2017
    September 2017
    August 2017
    July 2017
    June 2017
    May 2017
    April 2017
    March 2017
    February 2017
    January 2017
    December 2016
    October 2016
    August 2016
    May 2016
    March 2016
    January 2016
    November 2015
    October 2015
    August 2015
    June 2015

    Categories

    All
    0-Day
    2FA
    Access Control
    Advanced Persistent Threat
    AI
    AI Security
    Artificial Intelligence
    ATP
    Awareness Training
    Blockchain
    Botnet
    Bots
    Brute Force Attack
    CASL
    Cloud Security
    Compliance
    COVID 19
    COVID-19
    Cryptocurrency
    Cyber Attack
    Cyberattack Surface
    Cyber Awareness
    Cybercrime
    Cyber Espionage
    Cyber Insurance
    Cyber Security
    Cybersecurity
    Cybersecurity Audit
    Cyber Security Consulting
    Cyber Security Insurance
    Cyber Security Risk
    Cyber Security Threats
    Cybersecurity Tips
    Data Breach
    Data Governance
    Data Leak
    Data Leak Prevention
    Data Privacy
    DDoS
    Email Security
    Endpoint Protection
    Fraud
    GDPR
    Hacking
    Impersonation Scams
    Incident Management
    Insider Threat
    IoT
    Machine Learning
    Malware
    MFA
    Microsoft Office
    Mobile Security
    Network Security Threats
    Phishing Attack
    Privacy
    Ransomware
    Remote Access
    SaaS Security
    Social Engineering
    Supply Chain Attack
    Supply-Chain Attack
    Third Party Risk
    Third-Party Risk
    VCISO
    Virtual CISO
    Vulnerability
    Vulnerability Assessment
    Web Applcation Security
    Web-applcation-security
    Web Application Firewall
    Web Application Protection
    Web Application Security
    Web Protection
    Windows Security
    Zero Trust

    RSS Feed

Picture

1.888.900.DRIZ (3749)

Managed Services

Picture
SME CyberShield
​Web Application Security
​Virtual CISO
Compliance
​Vulnerability Assessment
Free Vulnerability Assessment
Privacy Policy | CASL

About us

Picture
Testimonials
​Meet the Team
​Subsidiaries
​Contact us
​Blog
​
Jobs

Resources & Tools

Picture
​Incident Management Playbook
Sophos authorized partner logo
Picture
© 2025 Driz Group Inc. All rights reserved.
Photo from GotCredit