Cybersecurity Blog
Thought leadership. Threat analysis. Cybersecurity news and alerts.
Did you know that the amount of money lost to cyberattacks in the US rose to a record $4.2 billion in 2020 and that 800,000 cybercrime complaints were made to the FBI? Phishing was the most common method cybercriminals used to get confidential data from unsuspecting recipients. Are you worried about the different cyberattacks that businesses have to watch out for? Do you want to learn about these cybersecurity threats so you can better protect yourself and your business? Keep reading to find out more.

1. Phishing Attack

The weakest link in your business's cybersecurity is your employees. They are vulnerable to many different kinds of cyberattacks, the most common being phishing attacks. In this attack, cybercriminals trick your employees into revealing their login credentials. They might send an email containing a malicious link which, when clicked, asks for login details. If the employee is tricked, the cybercriminals gain access to their important accounts. It's a cheap and efficient way for cybercriminals to harvest large amounts of sensitive and confidential data. This can leave your organization vulnerable to losing customers and future business because your reputation is damaged. That's why people are always told never to click links in an email that seems suspicious and never to give out sensitive or confidential information by email.

2. Malware-Based Attack

Using a common delivery method like email, cybercriminals install malware on a person's computer, which gives them access to login details and other important data on the user's system. This kind of attack exploits your weak link, i.e. employees, yet again. That's why training and informing your employees about the various security threats is so crucial.
Sometimes cybercriminals select their targets carefully from an organization's employee roster; other times they send an email en masse and see what they get back.

3. Attacks Through Uploading Files

This file upload attack is commonly used on websites that allow users to upload files, such as contact form attachments, social media posts, profile photos, etc. It allows cybercriminals to write a large chunk of malicious code onto your server and gain access to your entire website. The problem is that most websites have a file upload option somewhere, such as in a user profile or a contact form. No website seems safe from this vulnerability.

4. Outdated And Vulnerable Software

Software comes with a short life cycle and needs constant updates, patches, and upgrades to ensure that it runs safely and stays compatible with other software. It's important to ensure that all the software your employees use is updated and upgraded regularly. Attacks on outdated or unpatched software are carried out primarily through SQL injection and brute force. So if you have a WordPress site, update it to the latest version as soon as it's available to keep it safe from cyberattacks.

5. Password Attacks

The most common password used in the world in 2021 is still 123456! That leaves your sensitive accounts, databases, and servers easily vulnerable to cybercriminals. Even if you use a complicated password for your login credentials, cybercriminals can use a bot to generate passwords at random and try logging into your account with each one until they hit the correct one. That's called a brute-force attack. Another way a cybercriminal can guess your password and get at your account is a dictionary attack, where they systematically enter words from a dictionary as the password until they get the right one.
Password spraying is where they try the few common passwords most people use and get access to your account that way. That's why it's so important to choose a complicated password that's 8 characters or longer and mixes alphanumeric characters and symbols. Also, prompt your employees to change their password at least every six months, and make it mandatory so they can't log in without changing it. This way they won't procrastinate on this very important task.

6. DNS Spoofing

How do you know you are going to the right website when you click on a particular link? You just assume you are, since you trust the internet and everything that happens on it (or most things that happen on it). But through DNS spoofing, a cybercriminal submits false information into a DNS cache. This returns incorrect responses to DNS queries and lands the user on the wrong website. In this manner, the user submits their login information and other sensitive information to the wrong website, handing such important data to a cybercriminal.

7. Accidental Exposure Of Sensitive Data

Unfortunately, most people aren't too careful with their sensitive data. They leave it out in the 'open', making it vulnerable to data breaches and unauthorized access by cybercriminals. It's akin to leaving your laptop in a cafe, walking over to the bathroom to wash your hands, and being surprised when your laptop is nowhere to be found when you come back. Ensure that anything that's publicly accessible doesn't contain any sensitive information. This includes files on public servers, error messages, database tables, and log files. All information online is vulnerable to a cyberattack and must be treated as such.

Cyberattacks Are Getting More Insidious As Time Goes On

Cybercriminals are becoming savvier and more dangerous as time goes on. They manipulate both online data and offline people to get access to sensitive information.
If you are worried about cyberattacks and feel vulnerable to such security threats, putting your head in the sand won't help. Speak to the cybersecurity experts at The Driz Group today. We can help you build a solid plan for your business and employees to protect yourself from cyber threats of all kinds. We stay informed of all the latest developments in cybersecurity and will keep your system safe from emerging threats. Our emergency response team is available 24/7 to protect you and your business.

Emerging Threat: Blockchain-Enabled Botnet

Google, together with Internet infrastructure providers and hosting providers, recently disrupted the operation of a blockchain-enabled botnet, taking down the operation’s servers – for now. In partnership with Internet infrastructure providers and hosting providers such as Cloudflare, Google said it has taken down the servers of the Glupteba botnet.

Glupteba Botnet

Glupteba is malicious software (malware) that has been around for less than a decade. Over the years, this malware has used many common cybercrime tricks. Like other malware of its kind, Glupteba is a zombie malware, also known as a bot (short for software robot), that can be controlled remotely. The group behind Glupteba also operates a botnet – a group of computer devices each infected with the Glupteba malware and hijacked to carry out various scams and cyberattacks. In the blog post “New action to combat cyber crime”, Royal Hansen, Vice President for Security at Google, and Halimah DeLaine Prado, Google General Counsel, said the Glupteba botnet has currently hijacked approximately one million Windows devices worldwide and at times grows at a rate of thousands of new devices per day. “Botnets are a real threat to Internet users, and require the efforts of industry and law enforcement to deter them,” Hansen and Prado said.
In another blog post, “Disrupting the Glupteba operation”, security researchers Shane Huntley and Luca Nagy from Google Threat Analysis Group said that the individuals operating the Glupteba botnet offered multiple online services, including selling access to virtual machines loaded with stolen credentials, proxy access, and credit card numbers to be used for other malicious activities such as serving malicious ads and payment fraud on Google Ads. Computer devices that form part of the Glupteba botnet are also used for unauthorized cryptocurrency mining, enabling the group behind this malware to earn cryptocoins while the owners of the hijacked devices unknowingly pay the high electricity bills resulting from the mining. Glupteba malware distributes itself automatically across victims’ networks via two different variants of the ETERNALBLUE exploit – a Windows exploit used in the 2017 WannaCry ransomware attack. ETERNALBLUE exploits outdated computer devices. Glupteba has also been known to exploit unprotected and outdated popular home and small business routers. The group behind Glupteba often hides its zombie malware behind pirated software: computer devices, even those patched against ETERNALBLUE, are attacked by Glupteba malware via pirated software from well-known piracy sites.

Blockchain-Enabled Botnet

While Glupteba has been known to use many common cybercrime tricks, it is best known for using the Bitcoin blockchain for its malicious activities. Just as Cold War era spies communicated using the “Personals” section of a print newspaper, the group behind the Glupteba botnet communicates using the Bitcoin blockchain.
“Glupteba uses the fact that the Bitcoin transactions are recorded on the Bitcoin blockchain, which is a public record of transactions available from a multitude of sources that are unexceptionably accessible from most networks,” security researcher Paul Ducklin from SophosLabs said in the write-up "Glupteba – the malware that gets secret messages from the Bitcoin blockchain". Ducklin added, “Bitcoin ‘transactions’ don’t actually have to be about money – they can include a field called RETURN, also known as OP_RETURN, that is effectively a comment of up to 80 characters.” Security researchers from SophosLabs decrypted the secret message “venoco___ol.com” in one of the Bitcoin wallets used by the group behind Glupteba. This secret message means that the new command-and-control server used by Glupteba has moved to venoco___ol.com. “The current command-and-control servers used by the crooks, known as C2 servers or C&Cs, might get found out and blocked or killed off at any moment, so zombie malware often includes a method for using an otherwise innocent source of data for updates,” Ducklin added. “After all, to tell a bot to switch from one C&C server to another, you typically don’t need to send out much more than a new domain name or IP number, and there are lots of public messaging systems that make it easy to share short snippets of data like that.” Security researchers Huntley and Nagy from Google Threat Analysis Group said that the group behind Glupteba is likely to attempt to regain control of the Glupteba botnet by using a backup command-and-control mechanism that uses data encoded on the Bitcoin blockchain. Royal Hansen, Vice President for Security at Google, and Halimah DeLaine Prado, Google General Counsel, meanwhile, admitted that taking down Glupteba’s command-and-control infrastructure isn’t the end game for the group behind it. Before the U.S. District Court for the Southern District of New York, Google filed the first lawsuit against a blockchain-enabled botnet, suing two named individuals and 15 unidentified individuals. “However, due to Glupteba’s sophisticated architecture and the recent actions that its organizers have taken to maintain the botnet, scale its operations, and conduct widespread criminal activity, we have also decided to take legal action against its operators, which we believe will make it harder for them to take advantage of unsuspecting users,” Hansen and Prado said.

Best Practices to Mitigate the Risks

Here are some of the cybersecurity best practices to protect your organization’s computer devices from being hijacked as part of a botnet like the Glupteba botnet:
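The OP_RETURN update channel quoted above, as an added Python example that is not from this page, Sophos or Google: a small triage routine for analysts that parses the data push following OP_RETURN in a transaction output script and labels each payload as host-like, plain text, or opaque (an encrypted message, as in the Glupteba case, lands in the last bucket). The sample output scripts and the host name c2-update.example are constructed placeholders.

```python
"""Triage OP_RETURN outputs (the covert update channel described above); constructed data."""
import re
from typing import List, Optional, Tuple

OP_RETURN, OP_PUSHDATA1, OP_PUSHDATA2 = 0x6A, 0x4C, 0x4D  # data-carrying output opcodes

def op_return_payload(script: bytes) -> Optional[bytes]:
    """Return the bytes pushed after OP_RETURN, or None for an ordinary output script."""
    if not script or script[0] != OP_RETURN:
        return None
    if len(script) == 1:
        return b""                      # bare OP_RETURN, nothing pushed
    op, i = script[1], 2
    if 1 <= op <= 0x4B:                 # direct push: the opcode is the length
        n = op
    elif op == OP_PUSHDATA1:            # next byte is the length
        n, i = script[2], 3
    elif op == OP_PUSHDATA2:            # next two bytes (little-endian) are the length
        n, i = int.from_bytes(script[2:4], "little"), 4
    else:
        return None                     # not a plain data push; leave for manual review
    if i + n > len(script):
        raise ValueError("truncated data push")
    return script[i:i + n]

# Host-like token such as "update.example"; underscores deliberately excluded
HOST_RE = re.compile(rb"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", re.I)

def classify_payload(data: bytes) -> str:
    """'host' for printable ASCII holding a host-like token, 'text' for other printable
    ASCII, else 'opaque' (an encrypted message, as in the Glupteba case, lands here)."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return "opaque"
    if not text.isprintable():
        return "opaque"
    return "host" if HOST_RE.search(data) else "text"

def triage_outputs(script_pubkeys: List[bytes]) -> List[Tuple[int, str, bytes]]:
    """(output index, label, payload) for every OP_RETURN output of one transaction."""
    findings = []
    for idx, spk in enumerate(script_pubkeys):
        payload = op_return_payload(spk)
        if payload is not None:
            findings.append((idx, classify_payload(payload), payload))
    return findings

# Constructed sample outputs: an ordinary P2PKH script, an OP_RETURN carrying the
# placeholder host name c2-update.example, and an OP_RETURN carrying 80 opaque bytes.
SAMPLE_OUTPUTS = [
    bytes.fromhex("76a914" + "11" * 20 + "88ac"),
    b"\x6a\x11c2-update.example",
    b"\x6a\x4c\x50" + bytes(range(0x80, 0xD0)),
]
```

Both the host-like and the opaque findings deserve a look: a botnet that encrypts its update message, as Sophos describes, shows up only as the opaque kind.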
Top Cloud Security Threat: Unauthorized Cryptocurrency Mining

Google's Cybersecurity Action Team recently published a report naming unauthorized cryptocurrency mining, also known as cryptojacking, as the top threat to Google Cloud Platform.

What Is Cryptocurrency Mining?

Cryptocurrency mining refers to the process of creating new coins. Aside from creating new coins, cryptocurrency mining also refers to validating cryptocurrency transactions. In many countries, cryptocurrency mining is legal. With the rise of cryptocurrency prices, malicious actors are stealing computing resources such as cloud resources on Google Cloud Platform. The skyrocketing value of cryptocurrencies like Bitcoin has prompted threat actors to shift their focus from stealing data to stealing compute power in organizations’ public cloud environments. Aside from mining Bitcoin, threat actors also mine other cryptocurrencies specifically designed to evade transaction tracing.

Cryptojacking Prevalence

According to Google's Cybersecurity Action Team, out of 50 recently compromised Google Cloud Platform instances, 86% were used to perform cryptocurrency mining. Unauthorized cryptocurrency mining, specifically of cloud resources, is nothing new. In February 2018, RedLock reported that Tesla had been a victim of unauthorized cryptocurrency mining. “The hackers had infiltrated Tesla’s Kubernetes console which was not password protected,” RedLock said. “Within one Kubernetes pod, access credentials were exposed to Tesla’s AWS environment which contained an Amazon S3 (Amazon Simple Storage Service) bucket that had sensitive data such as telemetry.” Google's Cybersecurity Action Team, meanwhile, said that Google Cloud Platform instances were compromised through the following:
Google's Cybersecurity Action Team also found that in 58% of cases, the cryptocurrency mining software was downloaded to the system within 22 seconds of compromise. “This suggests that the initial attacks and subsequent downloads were scripted events not requiring human intervention,” Google's Cybersecurity Action Team said. “The ability to manually intervene in these situations to prevent exploitation is nearly impossible.”

Scanning Activities

Threat actors easily find vulnerable internet-facing applications and exposed cloud accounts through a process called scanning. Google's Cybersecurity Action Team reported that the shortest time between deploying a vulnerable Cloud instance exposed to the internet and its compromise was as little as 30 minutes, and for 40% of instances the time to compromise was under eight hours. “This suggests that the public IP address space is routinely scanned for vulnerable Cloud instances,” Google's Cybersecurity Action Team said. An earlier study by researchers from Palo Alto Networks' Unit 42 found that vulnerable internet-exposed applications are compromised within just 24 hours. Between July 2021 and August 2021, Unit 42 researchers set up 320 honeypots (network-attached computers purposely set up to lure threat actors) to measure how fast threat actors compromise four vulnerable internet-exposed applications. These four apps were deliberately configured with weak passwords. Unit 42 found that 80% of the 320 honeypots were compromised within 24 hours and all of them within a week. For these honeypots, the researchers also applied firewall policies to block IPs from known network scanners, and found that this doesn't work, as 85% of the attacker IPs were observed only on a single day.
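To see why a blocklist of known scanners fails in the way Unit 42 describes, here is an added Python example (not Unit 42's code or data): it parses constructed honeypot log lines, measures what fraction of scanner IPs appear on only one day, and then checks how much of the later traffic a blocklist built from the first day's IPs would actually stop. The log lines and IP addresses are constructed sample values.

```python
"""Measure scanner-IP churn in honeypot logs to show why a static blocklist of 'known
scanners' misses most later traffic (the Unit 42 finding above). Constructed data."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample lines in the form "<date> <source_ip> <target_port>"; not Unit 42 data.
SAMPLE_LOG = """\
2021-07-01 203.0.113.10 22
2021-07-01 203.0.113.11 3306
2021-07-01 198.51.100.7 22
2021-07-02 198.51.100.7 22
2021-07-02 198.51.100.8 5432
2021-07-02 192.0.2.5 22
2021-07-03 192.0.2.6 3306
2021-07-03 203.0.113.12 22
"""

def parse_log(text: str) -> List[Tuple[str, str, int]]:
    """Parse log lines into (date, source_ip, port) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if line.strip():
            date, ip, port = line.split()
            events.append((date, ip, int(port)))
    return events

def days_seen(events: List[Tuple[str, str, int]]) -> Dict[str, Set[str]]:
    """Map each source IP to the set of dates on which it appeared."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for date, ip, _ in events:
        seen[ip].add(date)
    return seen

def single_day_fraction(events: List[Tuple[str, str, int]]) -> float:
    """Fraction of source IPs observed on exactly one day (Unit 42 reported 85%)."""
    seen = days_seen(events)
    if not seen:
        return 0.0
    return sum(1 for days in seen.values() if len(days) == 1) / len(seen)

def blocklist_coverage(events: List[Tuple[str, str, int]], training_days: Set[str]) -> float:
    """Block every IP seen on training_days; return the fraction of later events blocked."""
    blocklist = {ip for date, ip, _ in events if date in training_days}
    later = [ip for date, ip, _ in events if date not in training_days]
    if not later:
        return 0.0
    return sum(1 for ip in later if ip in blocklist) / len(later)

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print(f"single-day IPs: {single_day_fraction(ev):.0%}")
    print(f"day-1 blocklist stops {blocklist_coverage(ev, {'2021-07-01'}):.0%} of later events")
```

On the constructed sample, six of seven scanner IPs appear on a single day and a blocklist built from day one stops only one in five of the later events, which is the page's point in miniature.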
The researchers identified a daily average of 75,000 unique scanner IP addresses globally. According to Google's Cybersecurity Action Team, Google Cloud customers with non-secure Cloud instances will likely be detected and attacked in a relatively short period of time. “Given that most instances were used for cryptocurrency mining rather than exfiltration of data, Google analysts concluded the Google Cloud IP address range was scanned rather than particular Google Cloud customers being targeted,” the Google team said.

Unauthorized Cryptocurrency Mining Risk Mitigation

Unauthorized cryptocurrency mining of cloud resources is bad for business. Cryptocurrency mining is resource-intensive. With unauthorized cryptocurrency mining, threat actors earn money while your organization unknowingly ends up paying the rented cloud computing bill. When unauthorized cryptocurrency mining is done on your organization’s internet-exposed networks, the negative impacts include a substantial increase in electricity consumption and increased wear and tear on the hardware. Here are some of the cybersecurity best practices to protect your organization’s internet-exposed networks and cloud accounts:
Monitor cloud configurations, network traffic, and suspicious user behavior via automated solutions. Automation is essential: as shown by Google's Cybersecurity Action Team’s report, cryptocurrency mining software is downloaded to the system within 22 seconds of compromise, making human intervention impossible.

Contact us today to assess your cybersecurity posture and mitigate the risks.
Author: Steve E. Driz, I.S.P., ITCP
12/30/2021