Thought leadership. threat analysis, news and alerts.
Valuable Lessons from Recent Cyber Extortions
The recent data breach at LifeLabs, which affected nearly half of Canada’s population, and the recent data breach at the City of Pensacola highlight the growing danger of cyber extortions.
What Is Cyber Extortion?
Extortion – the act of using threats to gain something from someone – has been given a new form in the cyber world.
In the case of the data breach at LifeLabs, cybercriminals gained access to the company’s computer systems, stole data and thereafter demanded ransom payment from the company in exchange for the stolen data. In a joint statement, the Office of the Information and Privacy Commissioner of Ontario and the Office of the Information and Privacy Commissioner for British Columbia said, “LifeLabs advised our offices that cyber criminals penetrated the company's systems, extracting data and demanding a ransom.”
"Retrieving the data by making a payment," said Charles Brown, President and CEO of LifeLabs, was one of the several measures taken by the company to protect customer information.
The recent cyber extortion at the City of Pensacola, meanwhile, involved a headline-grabbing method: ransomware – a malicious software (malware) that encrypts computer files, locks out users and demands from victims ransom payment in exchange for the decryption keys that would unlock the encrypted files. The group behind the ransomware called “Maze” claimed responsibility for the ransomware attack at the City of Pensacola. The group demanded that the City pay $1 million ransom to decrypt the encrypted files.
Ten percent or 2GB of the data stolen before encrypting the computer files of the City was recently published online by the group behind Maze ransomware. When asked by BleepingComputer if the group intends to release the rest of the stolen data, the group said, "It depends".
The group behind Maze ransomware similarly published online 10% or 700 MB of data stolen from another victim, the Allied Universal after the victim failed to pay the group’s demand of 300 bitcoins then valued at nearly $2.3 million. The group told BleepingComputer that the rest of the stolen data will be leaked online if the increased ransom of $3.8 million won’t be paid.
How Cyber Extortion Works?
How the attackers penetrated the LifeLabs’ computer systems, how the data was extracted data and how the ransom demand was made haven’t been made public. For Maze ransomware, however, there’s a handful of data online.
Security researcher Jérôme Segura first observed in May of this year Maze ransomware in the wild initially infecting victims’ computers via the Fallout exploit kit through a fake cryptocurrency exchange site. Fallout exploit kit exploits the security vulnerabilities in Microsoft Windows and Adobe Flash Player. In October of this year, security researcher JAMESWT observed Maze ransomware infecting victims in Italy through a phishing campaign that tricks victims into opening the attached document in an email pretending to be from the Italian Revenue Agency.
Researchers from Cisco Talos reported that they’ve also observed Maze ransomware in the wild. In a Maze ransomeware attack, the researchers said that after obtaining access to a network, CobaltStrike is used. CobaltStrike is a commercial penetration testing tool that markets itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike uses well-known tools, including Mimikatz – a tool that’s capable of obtaining plaintext Windows account logins and passwords.
According to Cisco Talos researchers, once the adversary behind Maze ransomware has access to the victim’s network, at least a week is spent moving around the network and gathering data along the way. The researchers added that the gathered data is extracted by using “PowerShell to dump large amounts of data via FTP out of the network”. After data extraction, Maze ransomware is then deployed on the compromised computers, the researchers at Cisco Talos said.
The researchers at Cisco Talos added that the observed Maze ransomware attacks also involved interactive logins via Windows Remote Desktop Protocol and remote PowerShell execution achieved via Windows Management Instrumentation Command-Line (WMIC).
In its 2020 Threats Predictions Report, McAfee Labs said that for 2020, it predicts that targeted penetration of corporate networks will continue to grow and ultimately give way to two-stage extortion attacks, with the first stage of attack involving a crippling ransomware attack and the second stage of attack involving the threat to disclose the data stolen before the ransomware attack.
Preventive and Mitigating Measures Against Cyber Extortion
While having a working backup system is still a must to protect your organization’s sensitive data, as shown in the recent cyber extortions, brushing off cyber-attacks through better backup systems will prove to be not enough in 2020 as attackers are aiming for data theft and leveraging this stolen data to get what they want.
Here are some of the preventive and mitigating measures against cyber extortion:
- Keep All Software Up to Date
Keeping all your organization’s software up to date stops attackers at their tracks as the latest software security updates typically fix security vulnerabilities.
- Apply the Principle of Least Privilege
The principle of least privilege promotes minimal user privileges on computers based on user’s job necessities. For instance, if the user’s work isn’t IT-related, his or her computer access shouldn’t allow administrative rights, referring to the right to install software, change the operating systems configuration settings and other higher-level access.
- Disable Windows Remote Desktop Protocol (RDP)
There have been many document cases whereby Windows Remote Desktop Protocol (RDP) had been used by attackers as a gateway to their victims’ networks. It’s advisable to disable RDP when this service isn’t used.
- Keep Backups Offline
Over the past few months, attackers have specifically targeted backup systems. It’s advisable to keep your organization’s backup systems offline.
Cyber extortions has become a new norm and many organizations have already fell victim. Connect with our team of cybersecurity experts today to understand you weakest links better and mitigate the risk of cyber extortion.
LifeLabs Reveals It Paid Ransom in Exchange for Stolen Data
LifeLabs, the largest provider of general diagnostic and specialty laboratory testing services in Canada, has announced that it paid an undisclosed amount of ransom in exchange for the stolen data of 15 million customers.
Charles Brown, President and CEO of LifeLabs, in a statement, said that the company’s computer systems were illegally accessed resulting in the theft of data belonging to approximately 15 million customers. Stolen data includes name, address, email, login, passwords, date of birth and health card number. The vast majority of the affected customers are from Ontario and British Columbia.
Brown added that laboratory test results of 85,000 customers from Ontario for the period 2016 or earlier were part of the stolen data. The President and CEO of LifeLabs further said that health card information of customers for the period of 2016 or earlier was also stolen.
"Retrieving the data by making a payment,” Brown said was one of the measures that the company took in order to protect customer information. “Personally, I want to say I am sorry that this happened,” he said.
While the President and CEO of LifeLabs said that risk to customers in connection with this cyber attack is “low and that they have not seen any public disclosure of customer data,” he called on affected customers to avail of the company’s one free year of protection that includes dark web monitoring and identity theft insurance.
How the LifeLabs Data Breach Unfolded?
The President and CEO of LifeLabs said that the data breach was discovered as a result of "proactive surveillance” and added that the company “fixed the system issues” related to the cyber-attack.
In a joint statement, the Office of the Information and Privacy Commissioner of Ontario (IPC) and the Office of the Information and Privacy Commissioner for British Columbia (OIPC) said that LifeLabsinformed the two offices on November 1, 2019 about the data breach. The IPC and OIPC said that they will conduct a joint investigation into the data breach at LifeLabs. Among the things to be investigated, the two offices said, will include the scope of the breach and the circumstances leading to it.
“They advised us that cyber criminals penetrated the company's systems, extracting data and demanding a ransom,” IPC and OIPC said in a joint statement. “LifeLabs paid the ransom to secure the data.”
"An attack of this scale is extremely troubling,” said Brian Beamish, Information and Privacy Commissioner of Ontario. “I know it will be very distressing to those who may have been affected. This should serve as a reminder to all institutions, large and small, to be vigilant."
“I am deeply concerned about this matter,” said Michael McEvoy, Information, and Privacy Commissioner for British Columbia. “The breach of sensitive personal health information can be devastating to those who are affected."
While ransom or payment was made, there was no mention that the attack was due to a ransomware – a type of malicious software (malware) that encrypts data and the group or individual behind the malware then demands ransom payment in exchange for decryption key or keys that would unlock the encrypted files.
Cyber Attackers New Modus Operandi
While cyber attackers have been known to steal data from their victims, there’s a scarcity of information showing victims paying ransom in order to get back the stolen data. The latest cyber incident at LifeLabs shows an alarming cyber-attack trend, that is, penetrating the victim's systems, extracting data and then demanding a ransom.
Ransomware attackers, meanwhile, over the past few weeks have openly employed a new tactic in order to force their victims to pay ransom: threatening ransomware victims that failure to pay the ransom will result in the publication of stolen data. This latest modus operandi by ransomware attackers confirms what has been widely known in the cyber security community that ransomware attackers don’t merely encrypt data but they also have ways to snoop and even steal data prior to the data encryption.
In late November of this year, the group behind the ransomware called “Maze” published online the stolen data from one of its victims, Allied Universal after Allied failed to pay 300 bitcoins, then valued nearly $2.3 million USD, within the period set by the malicious group. The group behind the Maze ransomware told BleepingComputer, “We gave them time to think until this day, but it seems they [Allied Universal] abandoned payment process.”
The group behind the Maze ransomware further said that before encrypting any of the victims’ files, these files are first exfiltrated or stolen to serve as further leverage for the victims to pay the ransom.
The group behind the ransomware called “REvil”, also known as Sodinokibi ransomware, recently announced in a hacker forum that it will also leak online the stolen data from ransomware victims who refuse to pay ransom. Other than leaking the stolen data online, the group behind REvil ransomware also said the stolen data from ransomware victims who refuse to pay could be sold.
Maze ransomware initially infects victims’ computers via phishing campaigns or via Fallout exploit kit – a hacking tool that exploits the security vulnerabilities in Adobe Flash Player and Microsoft Windows. REvil ransomware, meanwhile, also initially infects victims’ computers via phishing campaigns and exploit kits, as well as by exploiting a security vulnerability in Oracle’s WebLogic server and by brute-forcing Remote Desktop Protocol (RDP) access.
Ransomware Attacks Now Targeting Your Backups
Backups have traditionally been regarded as the last line of defence against ransomware attacks. Over the past few months, however, backups have been specifically targeted by ransomware attacks.
In the "IT threat evolution Q3 2019" report, Kaspersky researchers found that ransomware attacks on backups, specifically NAS backups, are gaining ground.
What Is NAS?
NAS, short for network attached storage, is a storage and backup system that consists of one or more hard drives. This storage and backup system can be connected to home or office network or the internet. In case a NAS device is connected to the internet, data stored on this device can be accessed using a web browser or mobile app.
Ransomware Targeting NAS
Researchers at Anomali in July of this year reported about eCh0raix, a ransomware that specifically targets QNAP network attached storage (NAS) devices. According to the researchers, the source code of eCh0raix has less than 400 lines, with functionalities that are typical to a ransomware, including checking if data in the infected system has already been encrypted, going through the file system for files to encrypt, encrypting the files, and producing the ransom note.
Researchers at Anomali noted that eCh0raix ransomware isn’t designed for mass distribution as the samples with a hardcoded public key appear to be compiled for the target with a unique key for each target.QNAP Systems, the manufacturer of QNAP network attached storage (NAS) devices, for its part, acknowledged that QNAP devices using weak passwords and outdated QTS firmware are vulnerable to eCh0raixransomware.
In July of this year, another NAS device manufacturer Synologyreported that several of Synology NAS devices were under ransomware attacks as a result of brute-forcing administrator login details. In a brute-force attack, a malicious actor submits a number of passwords in the hope of eventually guessing the correct one.
According to Synology, its investigation related to the ransomware attacks found that the attacks were due to dictionary attacks – the use of words in the dictionary in brute-forcing login details – instead of specific system vulnerabilities. Synology added that the large-scale ransomware attacks were targeted at various NAS models from different NAS vendors. Ken Lee, Manager of Security Incident Response Team at Synology, said that NAS attackers used “botnet addresses to hide their real source IP”.
Just last month, another NAS device manufacturer D-Linkacknowledged that the following D-Link network attached storage (NAS) models are vulnerable to a different ransomware called “Cr1ptT0r” ransomware: DNS-320 Ax/Bx, DNS-325, DNS-320L, DNS-327L, DNS-323 Ax/Bx/Cx, DNS-345, DNS-343 and DNS-340L. According to D-Link, Cr1ptT0r encrypts stored information and then demands payment to decrypt the information.
According to Kaspersky researchers, the growing ransomware attacks on NAS devices involve attackers scanning the internet for internet-connected NAS devices. Kaspersky researchers said that a number of NAS devices have vulnerabilities in the firmware, which enables attackers via an exploit to install on the compromised device a Trojan – a type of malicious software (malware) that’s often disguised as legitimate software – that encrypts all data on the NAS device. “This is a particularly dangerous attack, since in many cases the NAS is used to store backups, and such devices are generally perceived by their owners as a reliable means of storage, and the mere possibility of an infection can come as a shock,” Kaspersky researchers said.
Preventive and Mitigating Measures
Here are some of the preventive and mitigating measures against ransomware attacks targeting NAS backups:
Manufacturers of NAS devices, QNAP Systems, Synology and D-Link, asked users to apply the latest software or firmware version.
In the case of D-Link NAS devices, D-Link said that DNS-320 Ax/Bx, DNS-323 Ax/Bx, DNS-325 Ax and DNS-345 Ax have passed their end of service date, which means that these models are no longer supported by the company through customer support and no longer receive software or firmware updates. For the said models that have passed their end of service date, D-Link asked users to "remove the Internet access of NAS on your router by disabling the port forwarding and DMZ setting".
One thing is common to these NAS ransomware attacks: They victimized only those devices that are connected to the internet. To protect backups from this type of ransomware, it’s important to disable internet connection to these devices.
Generally, an internet-connected NAS device can only be accessed via a web or mobile app interface and this interface is protected by an authentication page, where a user has to authenticate oneself before logging in. As acknowledged by NAS manufacturers, some users use weak passwords, making it easy for attackers to brute-force or guess the passwords.
When there’s a need for these NAS devices to be accessible via the internet, it’s important to use strong passwords and, if possible, to use multi-factor authentication to add another layer of defence.
Here are some of the additional defences to protect backups from ransomware attacks:
As shown in the number of ransomware attacks in recent months, this type of cyber-attack doesn’t seem to slow down.
Organizations that have shown to be financially capable of paying ransom, including government agencies, as well as organizations in the healthcare and education sectors are particularly targeted by this attack.
You don’t have to be a victim of a ransomware attack. Stop cybercriminals before they get the leverage.
Speak with our cybersecurity experts today and stop worrying about ransomware.
Cross-Site Scripting: Still One of the Biggest Cyber Threats
Cross-site scripting, also known as XSS, is one of the most dangerous software errors that threatens websites and applications, even the likes of Gmail.
Security researcher Michał Bentkowski of Securitum recently discovered a cross-site scripting vulnerability in Gmail’s AMP4Email, also known as “dynamic email”. Launched in July 2019, Gmail’s dynamic email allows users to take action directly from within the message itself, such as RSVP to an event, filling out a questionnaire or browsinga catalog.
Allowing dynamic content in Gmail, Google knows it opens itself to security vulnerabilities such as cross-site scripting – a security vulnerability that allows malicious actors to add malicious code into trusted websites or applications. While Google takes a number of precautionary measures against cross-site scripting, Bentkowski discovered that Gmail’s dynamic email didn’t block the specific code HTML id attribute, thereby opening the email service vulnerable to cross-site scripting.
Bentkowski said he reported the cross-site scripting vulnerability to Google on August 15, 2019. According to Bentkowski, Google replied that “the bug is awesome, thanks for reporting”. Bentkowski added that on October 12, 2019, he received a confirmation from Google that the bug was fixed.
What Is Cross-Site Scripting?
Cross-site scripting vulnerability is so widespread that it’s ranked second in the 2019 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Errors. According to CWE, which is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), ranking for the top most dangerous software errors is based on the data from Common Vulnerabilities and Exposures (CVE) data and data from the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD).
The NVD data, in particular, covered the period from the years 2017 and 2018, which consisted of nearly 25,000 CVEs. Based on the NVD count, out of the 25,000 CVEs for the years covered, 3,430 CVEs were cross-site scripting vulnerabilities.
Cross-site scripting is a security vulnerability found in web pages or applications that accept user input. This includes login page, check-out page and, in the case of the Gmail case, Gmail’s AMP4Email or dynamic email.
While users typically place legitimate inputs such as usernames and passwords in login pages, credit card details in check-out pages or RSVP to an event in the case of Gmail’s dynamic email, these fields that accept user input could be exploited by malicious actors, giving them opportunity to insert malicious code into an otherwise trusted website or application.
In the case of Gmail’s dynamic email, there’s no report that malicious actors were able to exploit the said cross-site scripting vulnerability.
Security engineers at Microsoft were the first ones to coin the term cross-site scripting back in December 1999. In December 2009, in commemorating the 10th year anniversary of coining the word, security engineers at Microsoft, in the blog post “Happy 10th birthday Cross-Site Scripting!”, wrote, “Let's hope that ten years from now we'll be celebrating the death, not the birth, of Cross-Site Scripting!”
As shown in the latest ranking in the most dangerous software errors, cross-site scripting appears to be far from dead. Microsoft itself recently patch a cross-site scripting vulnerability on its Microsoft Outlook for Android software. The company said that the cross-site scripting vulnerability allows an attacker to “run scripts in the security context of the current user”.
Cross-site scripting has recently been put back into the headlines by Magecart – the umbrella term given to cybercriminal groups that steal credit card details from unsecured payment forms on websites. Magecart has been linked to the data breach at British Airways and the recent data breach at Macy’s.
Researchers at RiskIQ reported that Magecart breached British Airways baggage claim information page by just inserting 22 lines of code, enabling the attackers to grab personal and financial details entered by customers and sent the data stolen to the server controlled by the attackers. A security researcher, meanwhile, who wishes to remain anonymous, told BleepingComputer that the recent data breach at Macy's website was caused by the alteration of https://www[dot]macys[dot]com/js/min/common/util/ClientSideErrorLog[dot]js script, enabling the attackers to grab data entered by customers in the company’s website, in particular, checkout page and wallet page.
Preventive and Mitigating Measures Against Cross-Site Scripting
Attempts in the past have been made to stop cross-site scripting. One such attempt was XSS Auditor, a feature added to Google Chrome v4 in 2010.
XSS Auditor aims to detect XSS vulnerabilities while the browser is processing the code of websites. It uses a blocklist to identify suspicious code. In July of this year, Google security engineer Thomas Sepez announced the retirement of XSS Auditor.
Google senior security engineer Eduardo Vela Nava first proposed the retirement of XSS Auditor in October 2018. “We haven't found any evidence the XSSAuditor stops any XSS, and instead we have been experiencing difficulty explaining to developers at scale, why they should fix the bugs even when the browser says the attack was stopped,” Nava said. “In the past 3 months, we surveyed all internal XSS bugs that triggered the XSSAuditor and were able to find bypasses to all of them.”
As shown in the above examples, cross-site scripting vulnerability is a menace to websites and applications.
This holiday season – the time of the year when online shopping and other transactions are at its peak, it’s important to sanitize your organization’s website and applications to protect it from cross-site scripting.
When you need to protect your website and web applications against XSS and other common attacks, our team of experts is a phone call away and ready to protect your web applications in just minutes.
Under denial of service attack with ransom demands? Don’t pay! We will stop the DDoS attacks in a few minutes, for good.
Call today (888) 900-3749 or connect with us online.
Steve E. Driz, I.S.P., ITCP