Weak Cyber Hygiene Practices Behind Successful Cloud Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently issued an alert detailing the weak cyber hygiene practices behind successful cyberattacks against various organizations’ cloud environments.

In the alert "Strengthening Security Configurations to Defend Against Attackers Targeting Cloud Services," CISA said that based on data derived exclusively from several of its incident response engagements, it’s aware of several recent successful cyberattacks against various organizations’ cloud environments.

“Despite the use of security tools, affected organizations typically had weak cyber hygiene practices that allowed threat actors to conduct successful attacks,” CISA said.

Weak Cyber Hygiene Practices

According to CISA, successful cyberattacks against various organizations’ cloud environments frequently occur when victim organizations’ allowed employees to work from home and used a mixture of personal devices and corporate laptops to access organizations’ cloud environments.

Here are some of the weak cyber hygiene practices behind successful cyberattacks against various organizations’ cloud environments based on CISA’s alert:

Phishing Attacks

CISA said threat actors are using phishing emails to harvest credentials for users’ cloud service accounts. In phishing emails, threat actors weaponize the traditional emails for cyberattacks.

These phishing emails, CISA said, contain malicious links that appear on a first glance as legitimate links to file hosting service account login. Login details entered on these malicious links were then stolen by threat actors and used to login to victims’ legitimate file hosting service accounts. From these hijacked legitimate file hosting service accounts, threat actors then sent emails from the victims’ accounts to steal login details for other accounts within the organization, CISA said. 

Open Port 80

The CISA alert found that threat actors are exploiting open port 80. According to the agency, open port 80 was exploited even though an organization’s terminal server was located within a firewall.

Due to remote work posture, CISA said the terminal server was configured with port 80 open to allow remote employees to access it, leaving the organization’s network vulnerable.

The agency added that this open port 80 was exploited by launching brute force attacks. In brute force attacks, threat actors use the trial-and-error method to guess the correct username and password combination.

MFA Bypass via Pass-the-Cookie Attack 

According to CISA, threat actors successfully signed into a cloud account with proper multi-factor authentication (MFA). “In this case, CISA believes the threat actors may have used browser cookies to defeat MFA with a ‘pass-the-cookie’ attack,” the agency said.

Authentication cookies are commonly used by cloud-based services to avoid frequently asking users to re-enter their credentials. Cookies are often valid for an extended period of time, even when the cloud-based service isn’t actively used.

“After the cookie is obtained through Steal Web Session Cookie, the adversary may then import the cookie into a browser they control and is then able to use the site or application as the user for as long as the session cookie is active,” MITRE said. “Once logged into the site, an adversary can access sensitive information, read email, or perform actions that the victim account has permissions to perform.”

Taking Advantage of Keyword Search Rule and Email Forwarding Rule

After gaining access into victims’ cloud service accounts, CISA said threat actors take advantage of keyword search rule and email forwarding rule.

Keyword search and email forwarding are two features found in many cloud service accounts. These features can be applied manually or automatically. While these two features are handy, these two pose a security risk due to the potential disclosure of information.

According to CISA, threat actors modified existing automated keyword search rules to search victims’ email messages for several finance-related keywords. The agency added that threat actors modified existing automated email forwarding rules and forward the emails to the threat actors’ accounts.

Mitigating Measures to Strengthen Cloud Security Practices

Here are some of the recommended mitigating measures to strengthen cloud security practices:

Phishing Scams Education

Train employees about phishing emails by making them aware how these emails are being delivered.

Secure Over-all Network from Open Port 80 

One way to mitigate the adverse effect of an open port 80 is by implementing network segmentation. In network segmentation, your organization’s network is divided into sub-networks so that in case one sub-network is compromised the other sub-networks won’t be affected.

Mitigating Measures Against Pass-the-Cookie Attacks

Mitigating measures against pass-the-cookie attacks includes MFA that uses the target login domain as part of the negotiation protocol. Software configuration is another mitigating measure against pass-the-cookie attacks. In software configuration, browsers are configured to regularly delete persistent cookies.

Mitigating Measures Against Exploitation of Keyword Search Rule and Email Forwarding Rule

Mitigating measures against exploitation of keyword search rule and email forwarding rule include routinely reviewing these rules for any signs of malicious changes.

In the case of Microsoft 365, outbound spam filter policies are available to control automatic forwarding to external recipients. One of the available outbound spam filter policies is the “Off” option which disables automatic external forwarding and will result in a non-delivery report to the sender.

Implement Zero Trust Security Strategy

Zero Trust assumes that no one should be trusted by default within and outside the network. Zero trust security strategy includes the principle of least privilege and the principle of explicit verification.

In implementing the principle of least privilege, right access at the right time is only given to those who need it. Explicit verification, meanwhile, includes MFA that requires users using new devices and from new locations to respond to an MFA challenge.

Ransomware Attacks on Healthcare Organizations Globally Increase by 45%, Study Shows

A recent report from Check Point showed that since November 2020, ransomware attacks targeting healthcare organizations globally has increased by 45%.

In the report "Attacks targeting healthcare organizations spike globally as COVID-19 cases rise again," Check Point said that the spike in the ransomware attacks targeting healthcare organizations globally more than double the overall increase in cyberattacks across all industry sectors worldwide seen during the same period. According to Check Point, the main ransomware variant used in the ransomware attacks was Ryuk, followed by Sodinokibi.

What Is Ransomware?

Ransomware is a type of malicious software (malware) that blocks victims from assessing their computer systems or files and demands from the victims ransom payment for victims to re-gain access to the computer systems or files. Ransomware attackers also demand a separate ransom payment in exchange for the non-publication of data stolen in the course of the ransomware attack.

Ryuk and Sodinokibi Ransomware

Ryuk ransomware is a cyber threat that has been targeting organizations, specifically hospitals, businesses, and government institutions since 2018. This ransomware was first observed in the wild in August 2018.

Code comparison analysis of Ryuk ransomware and Hermes ransomware showed that both are generally equal, giving credence to the theory that the developer of Ryuk has access to the Hermes source code. Hermes ransomware was responsible for the money heist of a Taiwanese bank in October 2017.

Hermes is called a “pseudo-ransomware” – referring to ransomware that uses a ransomware attack as a cover to distract its main goal: stealing money. In the money heist of a Taiwanese bank in 2017, the Hermes ransomware attack was perfectly timed at the time when money was stolen from the bank.

The group behind Ryuk ransomware demands that the ransom payment should be in the form of the cryptocurrency bitcoin. After tracing bitcoin transactions for the known addresses attributable to Ryuk, researchers from HYAS and Advanced Intelligence reported that the group behind Ryuk earned more than $150,000,000.

“Ryuk receives a significant amount of their ransom payments from a well-known broker that makes payments on behalf of the ransomware victims,” researchers from HYAS and Advanced Intelligence said. “These payments sometimes amount to millions of dollars and typically run in the hundreds of thousands range.”

Sodinokibi, also known as REvil, meanwhile, is a type of ransomware that was first observed in April 2019. Code comparison analysis of Sodinokibi and another ransomware called “GandCrab” showed that the two shared a lot of similarities, indicating the developer of Sodinokibi had access to the GandCrab source code.

Ransomware Similarities

Both Ryuk and Sodinokibi encrypt important files in the compromised computer, locking out users from their files. These two demand a ransom to decrypt or unlock these files.

It’s now a known fact that during the course of the ransomware attack, Ryuk and Sodinokibi also steal victims’ files before encrypting them. Stolen data is then used for “double-extortion” attempt, that is, in addition to ransom payment to unlock the locked files, attackers demand from victims to pay another ransomware payment for the stolen files, threatening victims that failure to pay this second ransom payment would lead to the publication of the stolen files.

In November 2020, K12 Inc., now known as Stride, Inc., a company that provides online education, admitted that it was a victim of a ransomware attack. Open-sourced reports showed that Ryuk ransomware hit K12 Inc.

In a statement, K12 Inc. said, “We have already worked with our cyber insurance provider to make a payment to the ransomware attacker, as a proactive and preventive step to ensure that the information obtained by the attacker from our systems will not be released on the Internet or otherwise disclosed.”

Ryuk and Sodinokibi are part of the ransomware families called “Ransomware-as-a-Service (RaaS)”. In RaaS, one group maintains the ransomware code, and another group, known as affiliates, spreads the ransomware.

Cybersecurity Best Practices Against Ransomware Attacks

Both Ryuk and Sodinokibi are commonly spread via very targeted means such as RDP and spear phishing.

RDP, short for Remote Desktop Protocol, is a proprietary protocol developed by Microsoft which provides Windows user to connect to another Windows computer. In the blog post "Data science for cybersecurity: A probabilistic time series model for detecting RDP inbound brute force attacks," Microsoft Defender Security Research Team said that RDP is an attractive target for threat actors as this presents a simple and effective way to gain access to a network, and conduct many follow-on activities such as ransomware attack.

Microsoft Defender Security Research Team said that threat actors often gain access to RDP through brute-force attack – referring to the trial-and-error method of guessing the correct username and password combination. Spear phishing, meanwhile, weaponizes an email against specific and well-researched targets. A spear-phishing email masquerades as coming from a trustworthy source.

Traditional spear-phishing emails attached malicious documents, for instance, a zip file. Modern-day spear-phishing emails come with malicious documents that are hosted on legitimate sites such as Dropbox, OneDrive, or Google Drive.

To protect RDP from brute-force attacks and ultimately ransomware attacks, use strong passwords, multi-factor authentication, virtual private networks (VPNs), and other security protections. Spear phishing prevention, meanwhile, includes phishing simulation tests, and an established process for users to report suspicious emails to the IT security team.

It’s also important to implement the 3-2-1 backup rule and network segmentation in case attackers breach your organization’s network.

The 3-2-1 backup rule means that at least 3 copies of critical data must be kept, with 2 copies in different media and one copy offsite. Network segmentation, meanwhile, refers to the practice of dividing your organization’s network into sub-networks so that in case something happens to one sub-network, the other sub-networks won’t be affected. 

A Lookback of the Cybersecurity Threats in 2020

The world dramatically changed in 2020. The abrupt work from home shift to anything online such as online shopping opened up a plethora of cybersecurity threats at a scale never seen before.

Most Notable Cybersecurity Threats in 2020

Here are some of the notable cybersecurity threats in 2020:

1. Threats Associated with Collaboration Apps

The work from home shift gave rise to the demand for collaboration tools such as Microsoft Teams, Slack, and Zoom. In 2020, threat actors turned their attention to these collaboration tools.

In 2020, the term “Zoombombing” was coined. This term refers to uninvited threat actors viewing Zoom meetings or sharing pornographic images and content.

Last year, threat actors leveraged association to Microsoft Teams – referring to the communication platform developed by Microsoft which features chat, videoconferencing, and file storage. In October 2020, Abnormal Security reported that up to 50,000 emails were observed spoofing employee emails and impersonating Microsoft Teams.

“The email pretends to be a Microsoft Teams notification email notifying the recipient that they have received messages and their teammates are trying to reach them,” Abnormal Security said. “The link landing page also looks convincingly like a Microsoft login page with the start of the URL containing ‘microsftteams’, lending further credence.”

2. Remote-Working Tools Exploitation

An IBM study released in June 2020 showed that 83% of employees were provided little to no ability to work from home prior to the sudden work from home shift. The IBM study further found that 53% of employees used their personal laptops and computers for business operations, while 61% also said their employer hasn't provided tools to properly secure those devices.

In 2020, threat actors actively exploited remote-working services such as virtual private network (VPN) services. In addition to masking internet protocol (IP) address so that online actions are virtually untraceable, VPN services promise secure and encrypted connections.

Security researchers, however, discovered security vulnerabilities in many VPN services. Even as VPN service vendors released patches fixing these security loopholes, many users delay the application of these patches, leading threat actors to exploit these unpatched security vulnerabilities.

In April 2020, the Canadian Centre for Cyber Security and U.S. Cybersecurity and Infrastructure Security Agency issued separate alerts warning organizations about the continued exploitation of the security vulnerability in Pulse Secure VPN, in particular, CVE-2019-11510 – a security vulnerability that allows a remote, unauthenticated attacker to compromise a vulnerable Pulse Secure VPN server, allowing an attacker to gain access to all active users and their plain-text credentials.

3. E-Commerce Threats

Among the effects of the lockdown measures in 2020 has been a huge spike in e-commerce business. Imperva reported that web traffic to retail sites spiked by as much as 28% on the weekly average. In “The State of Security within E-commerce,” Imperva reported that among the cyber threats faced by e-commerce businesses in 2020 were DDoS attacks and bad bots.

DDoS, short for distributed denial-of-service, refers to a cyberattack that attempts to disrupt the normal traffic of online resources such as websites, overwhelming the target or its surrounding infrastructure with a flood of internet traffic. DDoS attacks are launched by hijacking multiple computer systems, including Internet of Things (IoT), as sources of attack traffic.

According to Imperva, it monitored an average of eight application layer DDoS attacks a month against retail sites as lockdown measures led to an increase in demand for online shopping.

Bad bots, meanwhile, refer to software applications that run automated tasks over the internet for malicious purposes, for example, automatically scanning websites for software vulnerabilities and exploiting these vulnerabilities. According to Imperva, bad bots are the top threat to online retailers before and during the imposition of the lockdown measures.

4. Supply Chain Attack on SolarWinds

Year 2020 ends with one of the biggest cyberattacks: the supply chain attack on SolarWinds. On December 13, 2020, SolarWinds admitted that it fell victim to a supply chain attack.

In a supply chain attack, a threat actor gains access to your organization’s IT systems via an outside partner or third party that has access to your organization’s systems and data. According to SolarWinds, a threat actor gained access to its Orion Platform software source code and inserted the malicious software (malware) called “Sunburst.”

This malware ended up in the Orion Platform software update, specifically for versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1. According to SolarWinds, if present and activated, the Sunburst malware could potentially allow an attacker to compromise the server on which the Orion Platform software runs.

Open-source reports showed that the U.S. Treasury Department and other U.S. Government Departments had been compromised. Microsoft recently admitted that the SolarWinds supply chain attack also affected its own systems. Microsoft said that it found no evidence of access to production services or customer data, or its systems being used to attack others.

Microsoft, however, said that the SolarWinds attackers were able to view Microsoft's source code but had been unable to modify any code or engineering systems. “At Microsoft, we have an inner source approach – the use of open source software development best practices and an open source-like culture – to making source code viewable within Microsoft,” the company said. “This means we do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code. So viewing source code isn’t tied to elevation of risk.”

Extent of the Supply Chain Attack on SolarWinds Orion Platform Software 

In the past few days, details about the supply chain attack on the SolarWinds Orion Platform software have slowly unfolded, highlighting the dangers of this type of cyberattack.

What Is a Supply Chain Attack?

Supply chain attack is a type of cyberattack in which attackers maliciously change the source code of a software with the goal of compromising the end users of the said software.

In a statement, SolarWinds said it was a victim of a supply chain attack in which a still unknown attacker inserted a malicious software (malware) dubbed as “Sunburst” within SolarWinds Orion Platform software. According to SolarWinds, versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 of its Orion Platform software were compromised with the Sunburst malware.

Customers of SolarWinds that downloaded and installed the company’s Orion Platform software versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are at risk. If present and activated, the Sunburst malware, according to SolarWinds, “could potentially allow an attacker to compromise the server on which the Orion products run.”

The effects of a compromised server hosting the Sunburst malware is far and wide as SolarWinds Orion Platform software is specifically meant as a centralized monitoring and management software to keep track of all IT resources, including servers, workstations, mobile devices, and IoT devices.

Cybersecurity firm FireEye first discovered the Sunburst malware. The company is also responsible for naming this malware as “Sunburst.” Microsoft, meanwhile, refers to this malware as “Solorigate.” FireEye and Microsoft both admitted that they have been part of the victims of the supply chain attack on SolarWinds Orion Platform software.

Microsoft, in a statement, said: “Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed. We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others.”

In the case of FireEye, the attacker stole the company’s “Red Team assessment tools.” According to FireEye, the stolen Red Team assessment tools are used to test its customers’ security.

“These tools [Red Team assessment tools] mimic the behavior of many cyber threat actors and enable FireEye to provide essential diagnostic security services to our customers,” FireEye said. “None of the tools contain zero-day exploits.”

Sunburst/Solorigate Malware

According to FireEye, the Sunburst malware campaign may have started as early as Spring 2020 and is currently ongoing. In analyzing the Sunburst malware, FireEye said that after this malware is installed on the victim’s server, it stays dormant for up to two weeks. After this dormant period, the malware retrieves and executes commands, called “Jobs,” enabling transfer files, execute files, profile the system, reboot the machine, and disable system services.

FireEye added that the Sunburst malware hides its network traffic as the Orion Improvement Program (OIP) protocol “stores reconnaissance results within legitimate plugin configuration files,” allowing this malware to blend in with legitimate SolarWinds activity.

According to FireEye, victims of Sunburst malware include government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East. “We anticipate there are additional victims in other countries and verticals,” FireEye said.

In analyzing the Solorigate malware, Microsoft said that the malicious code inserted into SolarWinds Orion Platform software consists of nearly 4,000 lines of code. “The fact that the compromised file is digitally signed suggests the attackers were able to access the company’s software development or distribution pipeline,” said Microsoft 365 Defender Research Team and Microsoft Threat Intelligence Center in the blog post "Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers."

“Evidence suggests that as early as October 2019, these attackers have been testing their ability to insert code by adding empty classes,” Microsoft 365 Defender Research Team and Microsoft Threat Intelligence Center added. “Therefore, insertion of malicious code into the SolarWinds.Orion.Core.BusinessLayer.dll likely occurred at an early stage, before the final stages of the software build, which would include digitally signing the compiled code. As a result, the DLL containing the malicious code is also digitally signed, which enhances its ability to run privileged actions – and keep a low profile.”

Mitigating Measures Against Supply Chain Attack

In the case of the SolarWinds Orion Platform software supply chain attack, it’s important to apply the update released by SolarWinds. The company offers more details on how to apply the update here.

In case the Sunburst/Solorigate malware is suspected to be inside your organization’s network, it’s important to isolate and block internet access to IT infrastructure where SolarWinds software was installed for further review and investigation.

If isolation isn’t possible, the following mitigating measures should be taken:

• Block connectivity to endpoints from SolarWinds servers, especially those that contained critical data or those considered as crown jewel assets of your organization.
• Restrict the scope of accounts that have local administrator privileged on SolarWinds servers.
• Block internet access from servers or other endpoints with SolarWinds software.
• Change login details for accounts that have access to SolarWinds servers or infrastructure.
• Review network device configurations for unauthorized modifications.

Lessons Learned Four Years After Dyn DDoS Attack

One of the perpetrators of the massive distributed denial-of-service (DDoS) attack that brought down the domain name system (DNS) provider Dyn and major websites pleaded guilty.

In a statement, the U.S. Department of Justice said that on October 21, 2016, the individual, who was a minor at the time, pleaded guilty to creating, in collaboration with other individuals, a botnet that launched several DDoS attacks and impacted the DNS provider Dyn (now owned by Oracle), as a result, taking offline for several hours a number of websites, including the websites of Sony, Spotify, Amazon, Twitter, PayPal, and Netflix.

What Is a DDoS Attack?

A DDoS attack is a type of cyberattack that overwhelms an online resource, such as a website with malicious traffic, taking down the website offline, making it unavailable to legitimate site visitors.

In overwhelming an online resource or online platform with malicious traffic, attackers use a botnet. A botnet refers to hijacked computers, including Internet of Things (IoT), and controlled by the attackers to perform malicious activities including DDoS attacks.

Based on court documents, in September and October of 2016, the attackers, including the one who recently pleaded guilty, created a botnet, which was a variant of the botnet called “Mirai,” in launching the DDoS attacks that resulted in taking down Dyn. The Mirai-variant botnet hijacked IoT devices including video cameras and recorders and turned them into “zombie robots” in launching the DDoS attacks.

"We saw both attack and legitimate traffic coming from millions of IPs across all geographies,” Scott Hilton, Dyn EVP of Product, said in a statement about the attack. “It appears the malicious attacks were sourced from at least one botnet, with the retry storm providing a false indicator of a significantly larger set of endpoints than we now know it to be. We are still working on analyzing the data but the estimate at the time of this report is up to 100,000 malicious endpoints. We are able to confirm that a significant volume of attack traffic originated from Mirai-based botnets.”

Role of Domain Name System (DNS) Resolver

Domain Name System (DNS) is one of the infrastructural services that most modern websites critically rely on when servicing web requests.

In searching the internet, users type into the web browsers words such as espn.com. Web browsers interact with Internet Protocol (IP) addresses – referring to addresses that are too complex for users to memorize such as 192.168.1.1 (in IPv4), or more complex IP addresses 2400:cb00:2048:1::c629:d7a2 (in IPv6).

What DNS does is convert these domain names, for instance, espn.com into IP addresses so that web browsers can load the web content. This eliminates the need for users to memorize complex IP addresses. DNS resolver like Dyn, meanwhile, initiates the process that leads to a domain name being translated into the necessary IP address.

DNS resolvers, also known as DNS providers, aren’t immune to cyber risks such as DDoS attacks as shown in the Mirai-Dyn incident. The Mirai-Dyn incident also showed that the reliance on a single third-party DNS resolver like Dyn led to taking offline the websites relying solely on a single DNS resolver.

In the study "Analyzing Third Party Service Dependencies in Modern Web

Services: Have We Learned from the Mirai-Dyn Incident," a team of Carnegie Mellon University researchers found that despite the highly publicized Dyn outage, for the period of 2016 to 2020, 89% of the Alexa top-100K websites critically depend on third-party DNS providers, that is, if these DNS providers go down, for instance through DDoS attacks, these websites could suffer service disruption.

The Carnegie Mellon University study also found third-party critical dependencies are higher for lower-ranked websites. The Carnegie Mellon University researchers added, “Moreover, we observe that redundancy decreases with popularity; i.e., more popular websites care more about availability as compared to less popular ones.”

The DDoS attack on Dyn in 2016 showed that third-party DNS providers aren’t immune to cyber risks such as DDoS attacks that are faced by small organizations.

One lesson out of the DDoS attack on Dyn in 2016 is the need to have a backup DNS resolver or provider. Twitter, for instance, added redundancy or backup by deploying a private DNS in addition to Dyn (now Oracle). Only a few organizations, however, can do what Twitter did as many can’t afford a private DNS infrastructure.

According to Carnegie Mellon University researchers, only a small fraction of websites have DNS infrastructure backup due to the following reasons:

• Configuring for multiple providers can be non-trivial;
• Using multiple DNS providers requires provider support; and
• Only a limited number of DNS providers support or encourage backup.

DDoS Protection

DNS Amplification DDoS attack hit Dyn in 2016. Since DNS is UDP based, it opens the door to IP spoofing and amplification attack. In IP spoofing, attackers falsify the source IP header to mask their identity. UDP-based DNS also allows for an attack amplification technique in which 1Mbps of attack traffic can end up becoming 100Mbps reflected on the victim.

DDoS protection is available against DNS Amplification DDoS attacks. Imperva’s DDoS Protection for DNS is the first destination for all DNS queries. “Acting as a secure proxy, Imperva prevents illegal DNS queries from reaching your server while masking it from direct-to-IP network layer attacks,” Imperva said in a statement.

Canada’s Proposed Privacy Law Aims to Impose Stronger Fine of Up to 5% of Global Revenue or $25 Million

The federal government of Canada, through the Office of the Minister of Innovation, Science and Industry, has proposed a new privacy law for the private sector that aims to impose a stronger fine on organizations that remiss in protecting the privacy of Canadians.

The new proposed privacy law called the “Consumer Privacy Protection Act (CPPA),” also known as the Digital Charter Implementation Act, 2020, aims to impose administrative fines of up to 3% of global revenue or $10 million, whichever is higher, for non-compliant organizations. This new proposed privacy law also aims to impose fines for certain serious violations of the proposed law of up to 5% of global revenue or $25 million, whichever is higher.

Section 57, paragraph 3 of the Digital Charter Implementation Act, 2020 states that “security safeguards must protect personal information against, among other things, loss, theft and unauthorized access, disclosure, copying, use and modification.”

"The COVID-19 pandemic has accelerated the digital transformation, which is changing how Canadians work, access information, access services, and connect with their loved ones,” said Navdeep Bains, Minister of Innovation, Science, and Industry. “This transformation is making concerns about privacy, and how companies handle Canadians’ data, more important than ever. As Canadians increasingly rely on technology, we need a system where they know how their data is used and where they have control over how it is handled.”

Right to be Forgotten

The new proposed privacy law has its own version of the principle of "Right to be Forgotten." This right, also known as the right to erasure, gives individuals the right to ask organizations to delete their personal data.

The Digital Charter Implementation Act, 2020 gives Canadians the ability to demand that their personal information on platforms, including social media platforms, be permanently deleted in case when consent is withdrawn or when information is no longer necessary.

Canada’s Major Data Breach

In November 2019, LifeLabs, Canada’s largest provider of general diagnostic and specialty laboratory testing services, informed the Office of the Information and Privacy Commissioner of Ontario (IPC) and the Office of the Information and Privacy Commissioner for British Columbia (OIPC) that cybercriminals gained entry into the company’s systems, extracted data and demanded a ransom. LifeLabs informed the IPC and OIPC that the data breach affected systems that contained information of approximately 15 million LifeLabs customers (nearly half of Canada’s total population), including names, physical addresses, email addresses, customer usernames and passwords, health card numbers, and lab tests. The vast majority of these affected customers are from British Columbia and Ontario.

A joint investigation conducted by IPC and OIPC found that LifeLabs failed to protect the personal information of millions of Canadians resulting in a significant data breach in 2019. According to the two offices, LifeLabs failed to take the following reasonable steps:

• Protect the personal health information in its electronic systems;
• Adequate information technology security policies in place; and
• Collected more personal health information than was reasonably necessary.

The Office of the Information and Privacy Commissioner of Ontario and the Office of the Information and Privacy Commissioner for British Columbia both ordered LifeLabs to implement a number of cybersecurity measures to address the company’s shortcomings. Despite their findings, however, the two offices didn’t impose financial penalties on LifeLabs as there’s no law that allows them to.

“LifeLabs exposed British Columbians, along with millions of other Canadians, to potential identity theft, financial loss, and reputational harm,” said Michael McEvoy, Information and Privacy Commissioner of British Columbia. “This investigation also reinforces the need for changes to BC’s laws that allow regulators to consider imposing financial penalties on companies that violate people’s privacy rights. This is the very kind of case where my office would have considered levying penalties.”

In a separate statement, LifeLabs said that as a result of the cyberattack, it took several measures, including retrieving the data by “making a payment.” The company, however, didn’t mention how much it paid to the attackers.

The company also didn’t mention ransomware. While the LifeLabs cyberattack has the markings of a ransomware attack, it isn’t confirmed whether the attack was a ransomware attack. 

Traditionally, ransomware attacks encrypt victims’ files, locking out victims from these files. Ransomware attackers then demand ransom from victims in exchange for the decryption keys that would unlock the locked files. Majority of today’s ransomware attackers also demand an additional ransom payment in exchange for the non-publication of the stolen data gathered during the ransomware attack.

Personal Health Information Protection Act (PHIPA)

On March 25, 2020, the Ontario government amended the Personal Health Information Protection Act (PHIPA), Ontario’s health privacy law. Once implemented, Ontario will be the first Canadian province to levy monetary penalties against individuals and companies that contravene the province’s health privacy law.

The amendment to PHIPA doubles the maximum fines for an offense to $200,000 for individuals and $1,000,000 for corporations. The amendment also mandates that an individual be imprisoned up to a year for an offense.

“Perhaps most significantly, once regulations are in place, my office [Information and Privacy Commissioner of Ontario] will be given the power to levy monetary penalties against those who contravene our health privacy law, including for breaches, such as those resulting from abandoned records,” said Brian Beamish, Information and Privacy Commissioner of Ontario. “Privacy commissioners across the country have been calling for the power to impose administrative penalties, and Ontario will be the first to enshrine it into legislation.”

How to prevent ransomware attacks: Best practices guide

Ransomware attacks are becoming common. The city of Saint John in New Brunswick recently fell victim to a ransomware attack.

What Is Ransomware Attack?

Ransomware attack is a type of cyberattack in which victims’ files are locked and held for ransom. In a ransomware attack, an attacker promises that in exchange for a ransom payment, the key or keys that would unlock the lock files would be released.

Ransom payment isn’t a guarantee that your organization will get back your files as some keys given by attackers don’t work by design or through errors in coding. Today’s ransomware attackers demand two ransom payments, one for unlocking the locked files, and another ransom payment to prevent them from publishing stolen data. This second ransom payment shows that today’s ransomware attackers, not just lock victims’ files but also steal data.

City of Saint John Ransomware Attack

A few weeks ago, the city of Saint John in New Brunswick fell victim to a ransomware attack. Last November 17, Don Darling, the Mayor of the city of Saint John, confirmed that the city’s IT system was hit by ransomware.

To protect the city’s IT system, the Mayor of Saint John said the city’s website, servers, and email system have been disabled. Due to the nature of the attack, the Mayor said the city won’t comment on the ransom demand. Saint John city manager John Collin, meanwhile, said that as of November 17, there was no indication that personal information was accessed or transferred in the ransomware attack.

Weeks after the ransomware attack, the Saint John city manager said that the city departments' phone lines, email to most city hall employees, and online payments are still unavailable. Saint John city manager said that taking the systems offline was an "immediate and proactive" response to contain the attack. "Our network will be back online only once we are sure that it is safe to do so," he said.

In the case of the city of Saint John, it wasn’t revealed how the ransomware attacker or attackers’ initially compromised the city’s IT system.

Exposure via Third-Party Software

The recent ransomware attack on the city of Saint John isn’t the first time that the city fell victim to a cyberattack.

In December 2018, Stas Alforov, director of research and development for Gemini Advisory, said the firm discovered nearly 300,000 payment records in underground marketplaces that specialize in the sale of compromised payment card data. According to Alforov, the payment records were stolen from 46 confirmed compromised US locations and one Canadian location, with 6,000 payment records from Canada. That one Canadian location is the city of Saint John.

Alforov said the breach of nearly 300,000 payment records is part of the larger hacking operation conducted by the same hacking group. Analysis of the card data, Alforov said, found that payment records have likely been stolen from municipal government services that used the software called “Click2Gov,” a payment software primarily used by local governments to receive various payments.

In the case of the city of Saint John, the Click2Gov payment software was used for paying parking tickets through the city's website. Alforov told Huffington Post Canada that he received a call from the city of Saint John after the publication of his report. The city, he said, wasn't aware of the data breach. Alforov added that the city’s parking ticket payment system appeared to have been breach back in September 2017.

To date, there’s no information on whether the past data breach on the city of Saint John’s parking ticket system is related to the recent ransomware attack.

Other victims of ransomware attacks such as the city of Keene, Texas, were able to establish the link between the compromised third-party software and the resulting ransomware attack. In August 2019, Keene Mayor Gary Heinrich told NPR that ransomware attackers compromised the software used by the city. This software, the mayor said, was managed by a third-party company. Said software was also used by close to two dozen local governments in Texas, which also fell to a collective ransomware attack.

"They got into our software provider, the guys who run our IT systems," Heinrich said. "Well, just about everything we do at City Hall is impacted.”

The ransomware attack on the local governments of Texas, including the City of Keene, showed a gateway by which ransomware attackers initially compromise their victims, that is, through third-party software.

Cybersecurity Best Practices

Here are some of the best cybersecurity practices against ransomware attacks:

Properly Vet Third-Party Software

Third-party software, which your organization has no control over the source code, should be properly vetted in the cybersecurity area.

Keep All Software Up to Date

Apply in a timely manner software updates, also known as patches, that are released by software vendors. These patches not only contain feature upgrades but also updates fixing known security vulnerabilities.

Ransomware attackers have been known to initially compromise victims by exploiting a known security vulnerability, in which the software vendor already released a patch but the software users failed to apply the patch in a timely manner.

Practice the 3-2-1 Backup Rule

The 3-2-1 backup rule is your organization’s best defense against the first type of ransom demand: ransom demand to unlock files. The 3-2-1 backup rule states that three backup copies should be kept, two in different formats, and one of these copies should be kept offsite.

This isn’t, however, the answer to the second type of ransom demand: ransom demand to prevent stolen data publication.

When you need help, our team of cybersecurity and IT experts is a phone call away. Connect with us today, and take a proactive approach to cybersecurity.

Upcoming Holiday Shopping Season Brings New Level of Cybercrime Threats to Online Retailers

Online shopping this holiday season is projected to be unprecedented, with many people staying at home and opting to shop online as a result of the COVID-19 mandatory lockdown or due to self-imposed lockdown.

The expected online shopping surge creates a perfect stage for cybercrimes.

Shift to Online Shopping

Statistics Canada reported that from February 2020 to May 2020, retail e-commerce sales soured by 99.3%. The record gain in e-commerce, however, resulted in a record decline in retail sales.

Statistics Canada reported that for the same period, the total retail sales fell by 17.9%. The impact of COVID-19, Statistics Canada said, is best highlighted using the April 2020 data, with a 26.4% decline in retail sales compared to the April 2019 data.

A survey conducted by Deloitte showed that 47% of Canadian consumers said they’ve been shopping online more often since the COVID-19 crisis began. The survey further showed that the same number of Canadian consumers (47%) will likely head online to find gifts and other items this holiday season, with the remaining 53% to head to traditional retails stores. While the number of those who intend to do their shopping in the traditional way is few points higher than those who intend to shop online this holiday season, this data is high enough as 69% of holiday shoppers shopped in the retails stores during the holiday season in 2019.

“A lot has changed since the 2019 outlook,” Deloitte said. “COVID-19 has changed how Canadians live, work, and shop, and it has turbocharged the fundamental shifts in consumer behaviour that were already underway.”

Imperva, meanwhile, reported that from March 1 to March 22, 2020, retail websites’ traffic worldwide soured by as much as 28% on a weekly average.

Holiday Season Cybercrime Threats

A new report from Imperva showed that the upcoming holiday shopping season will present online retailers with a new level of traffic, at the same time, never seen before level of cybercrime threats. According to Imperva, online retailers will face the following cybercrime threats this holiday season:

Bad Bots Attacks

According to Imperva, bad bots, as a group, is a top threat to online retailers, before and during the pandemic. A bad bot refers to a software application that runs automated tasks over the internet.

As opposed to a good bot which runs automated tasks over the internet for legitimate purposes, the purpose of a bad bot is malicious. Bad bots interact with software applications in the same way as legitimate users would, making them indistinguishable from legitimate users.

An example of a bad bot is a bot that interacts with a website’s login interface, attempting to “brute-force” its way by attempting to login using the trial and error method in guessing the correct username and password combination. Aside from brute-force attacks, bad bots are used for competitive data mining, personal and financial data harvesting, and more.

API Attacks

According to Imperva, API attacks are attractive targets due to the sensitive payment data they hold. The volume of attacks on retailers’ APIs far exceeded average levels this year, Imperva said.

API, short for An Application Programming Interface, is a software intermediary that allows other software applications to communicate with one another. A website API, for instance, connects between applications such as databases.

DDoS Attacks

According to Imperva, retail sites experienced an average of eight application layer DDoS attacks a month, with a significant spike in April 2020 as lockdowns resulted in the demand for online shopping. DDoS, short for distributed denial of service, refers to a cyberattack that attempts to make an online service, such as a website, unavailable to legitimate users.

DDoS uses bad bots. In DDoS attacks, bad bots are organized into a botnet – referring to hijacked computers that are controlled by attackers to conduct malicious activities such as DDoS attacks. Application layer DDoS, meanwhile, is a type of DDoS attack comprised of malicious requests with the end goal of crashing the web server.

Client-Side Attacks

According to Imperva, retail sites are vulnerable to client-side attacks as many of these sites are built on frameworks using a number of third-party code. Client-side refers to anything that’s displayed or takes place on the client – end user – using a browser. This includes what the user sees on the site’s online form.

The attack on Ticketmaster is an example of a client-side attack. In June 2018, Ticketmaster made public that they had been compromised and that attackers stole customer information. RiskIQ, the company that discovered the attack, reported that Ticketmaster wasn’t directly compromised but the site’s third-party supplier known as Inbenta was. According to RiskIQ, attackers either added or replaced Inbenta’s code used for Ticketmaster with a malicious one.

A client-side attack also directly compromises the website itself. Such was the case in the British Airways website client-side attack. The attack was discovered by RiskIQ.

According to RiskIQ, a malicious code was found in British Airways’ baggage claim page where customers were required to enter their personally identifiable information. The malicious code then sent the information entered to a URL that looked like it belonged to British Airways. Upon closer inspection, however, the URL wasn’t owned by British Airways.

It’s still unknown how the malicious code got into the British Airways’ site in the first place.

Worried about your website or web application and looking to better protect it? Contact us today to see how to mitigate the risks quickly and efficiently.

Increased Cybercrime Threat to Canadian Healthcare Organizations

In recent months, threat actors have launched cyberattacks against organizations in the healthcare sector, including those based in Canada, according to the latest report released by Microsoft.

In the blog post "Cyberattacks targeting health care must stop," Tom Burt, Corporate Vice President for Customer Security and Trust at Microsoft, said that the targets include organizations in the health sector in Canada, France, India, South Korea and the United States. Burt identified three threat groups and gave these threat groups codename: Strontium, Zinc and Cerium.

According to Burt, Strontium uses password spray and brute force login attempts to steal login credentials. “These are attacks [password spray and brute force login attempts] that aim to break into people’s accounts using thousands or millions of rapid attempts,” Burt said.

Password spray refers to a cyberattack that uses a small number of common passwords to brute force large numbers of accounts. Brute force attack, meanwhile, refers to a cyberattack that uses the trial-and-error method in guessing the correct username and password combination.

According to the Corporate Vice President for Customer Security and Trust at Microsoft, Zinc and Cerium use spear-phishing lures for credential theft. Spear-phishing is a cyberattack in which a threat actor, masquerading as a trusted individual or entity, tricks targeted individuals into clicking a bogus email, text message or instant message.

In the case of the threat actor Zinc, the Corporate Vice President for Customer Security and Trust at Microsoft said the spear-phishing lures for credential theft, sending messages with fabricated job descriptions pretending to be recruiters, while threat actor Cerium engaged in spear-phishing email lures using Covid-19 themes while masquerading as World Health Organization representatives.

Ransomware Attacks in the Healthcare Sector

The Canadian, Australian, the U.S. and UK Governments, meanwhile, issued separate alerts warning about the increased ransomware activity targeting the healthcare sector. Ransomware is a type of cyberattack that uses a malicious software (malware) that encrypts victims’ files, locking out victims of these files.

In traditional ransomware attacks, attackers demand from the victims ransom in exchange for the keys that would unlock the encrypted files. Modern-day ransomware attackers not just demand ransom to unlock the encrypted files, they also demand ransom in exchange for not publishing the stolen files gathered during the ransomware attack.

In September of this year, the University Hospital Düsseldorf in Germany reported a ransomware attack. The attack rendered 30 servers used by the hospital inoperable, forcing the hospital to turn away patients even those with life-threatening conditions.

According to German authorities, a patient with a life-threatening condition was turned away and sent to another hospital some 20 miles away and died as a result of the treatment delay. This is the first reported death as a result of a cyberattack.

Threat Actors Tool Evolution

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) issued the alert “Ransomware Activity Targeting the Healthcare and Public Health Sector,” warning that threat actors targeting the U.S. healthcare sector use the malware called “BazarLoader,” often leading to ransomware attacks, data theft, and the disruption of healthcare services.

In a recent alert “Renewed Cyber Threats to Canadian Health Organizations,” the Canadian Centre for Cyber Security (Cyber Centre) said threat actors targeting the Canadian healthcare sector have been observed using the BazarLoader malware for initial compromise on victims’ networks for the eventual deployment of the ransomware called “Conti,” believed to be the successor of Ryuk ransomware. The Cyber Centre said that the BazarLoader malware is typically deployed via a phishing email.

Phishing, in general, doesn’t have a particular target as its aim is to victimize whoever takes the bait. Opposite to phishing is spear-phishing which targets certain individuals or organizations.

The BazarLoader malware, the Canadian Centre for Cyber Security said, provides a backdoor through which additional malware is introduced to the victim’s network. Once inside the victim’s network, the Cyber Centre said, the malware called “Anchor” is used to maintain a presence on the network. Anchor is comprised of a framework of tools that allows the covert uploading of malicious tools, and, once done, to remove any evidence of malicious activity.

The Australian Cyber Security Centre, meanwhile, issued its own alert "SDBBot Targeting Health Sector," warning that it has observed increased targeting activity against the Australian health sector by threat actors using the SDBBot Remote Access Tool for the eventual deployment of ransomware called “Clop.”

SDBBot has three components: 1) an installer that allows threat actors to establish persistence on the victim’s network; 2) a loader that downloads additional components; and 3) the remote access tool itself allows threat actors full control of compromised computers, remotely. Once inside the victims’ networks, threat actors also use SDBBot to move within the victims’ networks and steal data.

Cybersecurity Best Practices

Below are some of the cybersecurity best practices to mitigate the risks:

• Keep all operating systems, software and firmware up to date.
• Regularly change passwords to network systems and accounts and use multi-factor authentication if possible.
• Disable remote access/Remote Desktop Protocol (RDP) ports if not needed and monitor remote access/RDP logs when used.
• Practice network segmentation. Critical data shouldn’t be kept on the same server for mundane day-to-day data.
• Implement the 3-2-1 rule in backing up critical data. This rule states that three copies of critical data should be kept, with two copies kept in different types of storage media, and one copy should be kept offline.

Is your organization at risk? Let us help you evaluate your controls quickly and efficiently.

Email us today at security@drizgroup.com and sleep better at night knowing that your business is well protected against cybercriminals.

Canadian Centre for Cyber Security Warns About the Continued Exploitation of Multiple Vulnerabilities 

The Government of Canada, through the Canadian Centre for Cyber Security, has warned that threat actors are exploiting multiple known vulnerabilities present in information systems in Canada.

According to the Canadian Centre for Cyber Security (Cyber Centre), as information systems and the networks linking them are critical components in today’s interconnected world and relied upon by governments, small businesses and individuals worldwide, the need to secure them is of utmost importance. The Cyber Centre’s warning is similar to the U.S. Government’s warning, through the National Security Agency (NSA), that threat actors are targeting U.S. information systems such as unpatched remote access services, security appliances and application servers.

"The Cyber Centre continues to receive reports of persistent exploitation of known vulnerabilities," the Cyber Centre said. “While manufacturers work hard to provide updates for vulnerabilities, these updates are not always applied in a timely manner by consumers.”

Target Vulnerabilities

Among the vulnerabilities that are being actively exploited by threat actors according to the Cyber Centre and NSA are the following:

This vulnerability, designated as CVE-2020-1472 and commonly known as ZeroLogon, is described by Microsoft as an elevation of privilege vulnerability that exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC) – Microsoft Windows’ core authentication component of Active Directory that provides authentication for user and computer accounts.

“By simply sending a number of Netlogon messages in which various fields are filled with zeroes, an attacker can change the computer password of the domain controller that is stored in the AD [Active Directory],” Tom Tervoort, Senior Security Specialist at Secura and the one who discovered the Netlogon vulnerability, said in the whitepaper “ZeroLogon: Unauthenticated domain controller compromise by subverting Netlogon cryptography (CVE-2020-1472).” “It basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged in a device to an on-premise network port) to completely compromise the Windows domain.”

ADC is described by Citrix as a networking appliance whose function is to “improve the performance, security and resiliency of applications delivered over the web.” Designated as CVE-2019-19781, this security vulnerability in Citrix ADC, if exploited, could allow an unauthenticated attacker to perform remote code execution – the ability of an attacker to access or make changes to another computer, regardless of where the attacker’s computer is geographically located.

In July of this year, the Canadian Centre for Cyber Security reported that several computer networks in Canada were compromised and, in each case, a threat actor was able to compromise infrastructure exposed to the internet because the software running on an exposed server wasn’t patched to the latest version or properly secured via two-factor authentication. According to the Cyber Centre, prior to the successful compromise of vulnerable and improperly secured servers and network access devices, intensive reconnaissance-style scanning of target networks is often conducted by malicious actors. In some cases, malicious software (malware) was installed and compromised infrastructure may have been used in attempts to compromise other networks and/or other organizations.

Cybersecurity Best Practices

While it’s important to keep all software and firmware up to date, this alone isn’t the whole solution in keeping your organization safe from attackers.

Rare Cases of Multiple Patches

Microsoft is addressing the CVE-2020-1472 vulnerability via a two-part patch rollout. The first patch was released on August 11, 2020 and the last patch will be released in the first quarter of 2021.

What should be done before the arrival of the second part of the patch? Aside from applying the August 11th patch, according to Microsoft, the following steps should be taken:

1. (a) Monitor for warning events and (b) act on each event.
2. (a) Once all warning events have been addressed, full protection can be enabled by deploying DC enforcement mode. (b) All warnings should be resolved before the February 9, 2021 enforcement phase update.

False Sense of Security

It’s important to note that patching alone doesn’t fix a successful network compromise conducted via vulnerability exploitation. For instance, applying the patch for CVE-2019-19781 vulnerability, released by Citrix in January 2020, isn’t enough to fix a network compromised via CVE-2019-19781 exploitation.

In July 2020, Fox-IT reported that back in January 2020, just a few days after the release of the CVE-2019-19781 patch, a total of 1,030 compromised servers were identified, including those owned by Governmental organizations and Fortune 500 companies.

“However, of perhaps more concern was that, of these compromised devices, 54% had been patched against CVE-2019-19781, thus providing their administrators with a false sense of security,” Fox-IT said. “This is because although the devices were indeed patched, any backdoor installed by an attacker prior to this would not have been removed by simply installing the vendor’s patch.”

CVE-2019-19781 also showcased how attackers compete to remain in the networks that they’ve compromised, also known as "hacker turf war." Some threat actors applied the CVE-2019-19781 patch themselves to block other threat actors in what is known as “adversary patching.”

If for some reason your organization has failed to apply a critical patch in a timely manner, expect that credentials, accounts and software have been changed prior to the application of the patch and expect that patching won't alleviate the situation.