Thought leadership. threat analysis, news and alerts.
Why TajMahal Is the Most Alarming Malware to Date
The discovery of the malware called “TajMahal” is alarming, not because it attacked a certain diplomatic organization but because of the high number of malicious acts that it can do, totaling 80, and the malware’s stealth capability, evading discovery for nearly 5 years.
Researchers at Kaspersky Labrecently revealed that a diplomatic organization belonging to a Central Asian country, a type of organization that’s often subject to cyber-attack due to its line of work, was a victim of the malicious software (malware) TajMahal. This malware, the researchers said, remained undetected in the diplomatic organization’s network for nearly 5 years, with the first known legitimate sample timestamp from August 2013 and the last one from April 2018. The first confirmed date when TajMahal samples were seen on a victim’s machine is in August 2014. The researchers said they first discovered the malware on the victim’s machine in the autumn of 2018.
Old and New Hacking Tools
According to Kaspersky Lab researchers, TajMahal malware comes in two packages, one package is named “Tokyo” and the other “Yokohama”. Tokyo and Yokohama, the researchers said, share the same code base found on all infected computers of the said diplomatic organization. The Tokyo package facilitates the first stage of the malware infection, while the Yokohama package facilitates the deployment of the staggering 80 malicious cyber activities.
The Tokyo package uses PowerShell script, an old and tested strategy used by cyber attackers. McAfee Labsreport found that PowerShell attacks increased between 2016 and 2017, and IBM X-Forcealso noted the growth of PowerShell attacks from October 2017 to October 2018.
PowerShell is a legitimate tool used by system administrators in simplifying and automating the management of Microsoft Windows and Windows Server. Malicious actors, meanwhile, use PowerShell to hide their malicious code as the code is executed directly from the computer memory, making the attack fileless and thus stealthier than other types of attacks. PowerShell also allows remote access – the ability to access a computer from anywhere in the world so long as the computer is connected to the internet.
Yokohama, meanwhile, unleashes payloads – the portion of the malware which performs malicious actions, of which 80 of them were uncovered by Kaspersky Lab researchers. Old hacking techniques that form part of the Yokohama package include keylogging and audio, screen and webcam grabbing. In keylogging, every keystroke made by a computer user is recorded and sent to the malicious actors. In audio, screen and webcam grabbing, screenshots, audio or video, for instance, from VoIP audio or video calls, are covertly recorded and the sent to malicious actors.
Aside from the slew of time-tested hacking tools, Yokohama package, in particular, and TajMahal in general, packed the following new hacking capabilities:
Intercepting documents from print queue and stealing data from CD burnt and USB stick are particularly alarming as documents that are typically printed or copied to a CD or USB stick are sensitive and important. Any data stolen by the malware, whether text, audio, video or image, is then sent to the command and control server, a computer controlled by the attackers in the form of an XML file called "TajMahal" – the origin of the name of the malware.
According to the researchers at Kaspersky Lab, it’s not known how the TajMahal malware initially infected the diplomatic organization belonging to a Central Asian country. It isn’t also known is who is the individual or groups behind the TajMahal malware as this malware bears no resemblance with other known malware, which means that the attacker or attackers created this malware using new code base to evade detection. Anti-malware solutions typically block malware that bears small resemblance with other known malware.
To date, the only known victim of the TajMahal malware is the diplomatic organization. According to the researchers at Kaspersky Lab, it’s unlikely that the attackers went all that trouble of creating a new malware just for one victim, and that the likely theory is that there are other victims that have yet to be identified. The researchers said that this theory is supported by the fact that they “couldn’t see how one of the files in the VFS was used by the malware, opening the door to the possibility of additional versions of the malware that have yet to be detected”.
TajMahal malware is a type of malware that shows the characteristics of an advanced persistent threat (APT), a cyberattack in which the attacker or attackers gain unauthorized access to a network and remain undetected for a prolonged period. The usual suspects of APT attacks are nation-state actors – individuals who have the “license to hack” on behalf of a particular nation or state to gain access to valuable data or intelligence and can create cyber incidents that have international significance.
In recent years, however, common cyber criminals, those whose motive is simply for profit, have gotten hold of the APT tools used by nation-state actors, making these APT tools part of their arsenal in attacking, not just large organizations but also small and medium-sized organizations – attacks that rendered these organizations vulnerable.
For instance, the APT hacking tool called “EternalBlue” has joined a long line of reliable favorites of common cyber criminals. EternalBlue is one of the hacking tools leaked publicly in 2017 by the group known as “Shadow Brokers”. This hacking tool is believed to be created by the U.S. National Security Agency (NSA) for its surveillance activities. A month before the public release of EternalBlue, Microsoft issued a security update, fixing the vulnerability exploited by EternalBlue.
This particular security update, however, wasn’t timely installed on hundreds of thousands of computers worldwide, leading to the successful unleashing of WannaCry, a malware that uses the EternalBlue hacking tool in exploiting the vulnerabilities in the Windows SMBv1 server (patched by Microsoft a month earlier), remotely encrypting files and locking users out of their own files and spreading it to other computers within a network without user interaction. Since the EternalBlue leak, many malware integrated the EternalBlue feature.
Combating malware and ATP threats has become a daily reality for many organizations. It requires specialized skills and resources. When your organization needs help, our cybersecurity experts a phone call away. Contact ustoday.
Magento SQL Injection Flaw Puts E-Commerce Sites at Risk
Magento, an Adobe-owned company that promotes its e-commerce platform to have more than $155 billion in gross merchandise transaction volume annually, has called on online stores using its platform to install the company’s latest update as protection from a host of critical flaws.
Last March 26, Magentoannounced that it fixed 37 security vulnerabilities on its e-commerce platform. Out of the 37 vulnerabilities fixed by Magento through its security update, 4 vulnerabilities have a base score range between 9 to 9.8. Under the v3.0 standards of the Common Vulnerability Scoring System, base scores from 9 to 10 are considered as “critical.”
Out of the 37 vulnerabilities fixed by Magento through its latest security update, one vulnerability called PRODSECBUG-2198 stands out, not only because it’s one of the 4 vulnerabilities labeled as critical, but also because the exploit of this vulnerability is now out in the wild. Armed with this publicly available exploit, any day now PRODSECBUG-2198 vulnerability could be exploited by malicious actors.
PRODSECBUG-2198 bug is a SQL injection vulnerability found in Magento Open Source prior to 184.108.40.206, and Magento Commerce prior to 220.127.116.11, Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1. According to Magento, PRODSECBUG-2198 bug, also known as “SQL Injection vulnerability through an unauthenticated user” allows an unauthenticated user to execute arbitrary code through an SQL injection vulnerability, which causes sensitive data leakage.
According to Charles Fol of Ambionics, the one who reported the PRODSECBUG-2198 bug way back in November 2018, in a blog postsaid that the bug involves a minor mistake in the small piece of code of Magento. “This mistake, albeit minor, is very impactful …,” Fol said. “Surprisingly enough, this piece of code has been present since Magento 1.x !”
Ambionics also posted on GitHuba proof of concept on how the discovered mistake in the small piece of Magento code can be exploited. The publication of this proof of concept means that online stores using the Magento platform that haven’t installed the latest Magento update are at risk of this particular exploit.
The risk of SQL injection vulnerability through an unauthenticated user has a far-reaching effect.
What Is SQL Injection?
SQL, which stands for Structured Query Language, is a standard programming language for accessing databases. SQL injection, meanwhile, is one of the most common web hacking techniques. This form of attack was ranked by the Open Web Application Security Project (OWASP)in 2017 as the number one threat to web applications.
“Injection flaws, such as SQL … occur when untrusted data is sent to an interpreter as part of a command or query,” OWASP said. “The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.”
SQL injection was first documentedin 1998 by Jeff Forristal, also known by the alias Rain Forrest Puppy, now the CTO of mobile security vendor Bluebox Security. For years, many cyberattacks had been made possible through SQL injection. The cyberattacks on Sony in 2011 and TalkTalk in 2015 are some of the notable cyberattacks that used SQL injection as a weapon.
According to the Federal Bureau of Investigation (FBI), the cyberattack on Sony Pictures Entertainment between May 27, 2011 to June 2, 2011 in which attackers obtained confidential information from Sony Pictures’ computer systems was done using an SQL injection attack against Sony’s website.
In October 2016, UK’s Information Commissioner Office (ICO)fined TalkTalk for £400,000 (the company though settled the case for £320,000) for a cyber incident in October 2015 which led to the illegal accessed of personal data of 156,959 customers including their names, addresses, dates of birth, phone numbers, email addresses, as well as bank account details of 15,656 customers.
“The attack [October 2015 cyber incident on TalkTalk] was an SQL injection attack, a common type of cyber attack that has been well-understood … and for which known defences exist,” ICO said. “The investigation found there had been two previous SQL injection attacks on 17 July 2015 and between 2-3 September 2015 but TalkTalk did not take any action due to a lack of monitoring of the webpages.”
Specific to Magento’s PRODSECBUG-2198 bug, online stores using the Magento platform, specifically Magento Open Source prior to 18.104.22.168, and Magento Commerce prior to 22.214.171.124, Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1 need to install the company’s latest update to prevent SQL injection attacks.
In general, e-commerce sites, regardless of the platform used, are attractive targets to hackers due to the fact that personal and payment information is required to complete a sale. SQL injection is a common weapon used by cyber attackers to compromise these e-commerce sites. Here are some security best practices that will harden your e-commerce site against SQL injection attacks:
Preventing SQL injections attacks is easy, as long as you engage application security experts that understand your cybersecurity challenges and business goals delivering the right solution that works for you.
Contact ustoday and protect your web application against common threats in minutes without the need for capital investment or IT support.
Cybersecurity Training Tips for Every Business
As a business-owner or manager, you want to believe your employees are the best at what they do.
You trust them to work hard. To take their role seriously. To follow standard policies and safeguard the security of your company.
But, sadly, employees can — and do — make serious mistakes. One tiny accident or oversight may lead to costly cyber-attacks that disrupt your operations, chase clients away to your competitors and damage your reputation for years to come.
And don’t assume being a small business means you’re not a valuable target for hackers — 43 percent of cyber attacksare aimed at enterprises like yours.
That’s why effective cybersecurity training is paramount for your workforce. Yet actually finding programs that deliver the right education in an engaging way can be difficult. You don’t want to send your employees on a course only to discover they failed to absorb anything they were taught.
We’ve put together four great cybersecurity training tips to help you protect your business from attacks.
#1. Identify Your Business’s Weakest Points
Every company or organization has its weak points, no matter how high-profile it is or how impenetrable it should be.
For example, FEMA (Federal Emergency Management Agency) recently leaked the personal and banking detailsof more than two million people affected by major hurricanes. This was due to the actions of an outside contractor, with a small program error sharing important data.
One would expect FEMA to have processes in place to safeguard against such simple-yet-devastating mistakes, yet this major breach still occurred.
Avoid the same (or similar) errors happening in your business by evaluating your current cybersecurity setup. Ask questions, such as:
Determine which aspects of your employees’ work demands the most attention. This makes finding or devising the most effective training easier. You’ll also know what cybersecurity experts can do to reinforce your systems.
#2. Embrace Interactive Exercises
Simply sitting employees in a conference room and lecturing them on cybersecurity may not be enough on its own. We all know how easily the mind wanders when it’s not stimulated for long periods. But you can make training more engaging and easier to absorb by hosting interactive training exercises, simulating an actual cyber-attack.
One way to do this is to distribute a fake phishing email to your entire workforce and note how people react. Hopefully, the majority of your employees will recognize the signs and take the appropriate action (deletion, reporting it to a supervisor etc.).
But if even one person clicks on a link or downloads an attachment, they could be starting your business along a dangerous road.
Obviously, in an exercise there would be no actual hazard, but keep the scenario as realistic as possible — don’t tell employees about it until after the fact. You’ll be able to gauge which employees or departments are up to speed on external threats, making it easier to determine who training should be aimed at.
You can try other exercises too. For example, consider a ransomware attack in which workers become locked out of certain programs and see how well they follow standard procedure. Can they still perform aspects of their job without access to all their usual tools? How do they notify clients of the issue?
Knowing how your team copes in any cybersecurity crisis is vital. You don’t want to realize you’ve made serious strategic mistakes during the real thing.
#3. Make Training a Regular Part of the Job
Cultivate a cybersecurity-focused company culture. Make sure all employees at all levels understand the importance of being aware and vigilant every single day.
Small training sessions or exercises here and there can make a lasting impact with employees. They’re likely to find a quick 20-minute quiz on common signs of a phishing scam much easier to digest than a five-hour block of training in a stuffy office.
Encourage group training and collaboration too. Your workforce should focus on what they’re being told and take it onboard if they’re able to get involved with others: their minds could wander during long lectures or presentations, but not so much when they’re actively interacting with their colleagues.
#4. Create Reward Schemes and Incentivize Vigilance
Another effective way to make cybersecurity training more impactful is to implement a reward scheme.
Workers may feel more motivated to stay alert and watch out for potential cybersecurity threats if they know they’ll receive a tangible reward for extra efforts. Bringing a reward program into your business can encourage everyone to embrace a stricter cybersecurity policy.
Survey your workforce first to discover which rewards would make the best incentives, within reason. For example, if someone were to spot a malicious email and raised the alarm, they could be given a bonus in their next salary or a ticket to their favorite sports team’s next game.
This may only be a minor expense for the business but will save a huge amount of money down the line.
This program could include more than just spotting potential attacks, too. Consider rewarding employees for attending training and completing quizzes afterward, motivating them to pay close attention.
How to Protect Your Business
Cybersecurity training is paramount for all businesses in all industries. Any employees using a computer or device with internet access must be made aware of the potential risks they face, and effective training will do just that.
But investing in weak training that fails to engage your workers is a waste of everyone’s time and money. Follow the tips explored above and bring in cybersecurity experts to help you get your company protected against common threats.
Remember: your clients’ data, finances and routines could all be affected by an error on your part. Their trust is worth the cost of good training.
At The Driz Group, we can help you understand where you’re going wrong and protect your business. How? Contact us today!
Top 5 Business Benefits of Cybersecurity Services
Businesses today are more digitalized and connected than ever. Transactions using computers are now preferred over papers and pens and emails are preferred over snail mails.
Businesses have increasingly relied on this digitalized and connected ecosystem – and so does threat actors. This digitalized and interconnected ecosystem has exposed businesses to vulnerabilities, making cybersecurity services – a combination of human expertise and cutting-edge technology – more important than ever.
Here are the top 5 business benefits of cybersecurity services:
1. Predict Cyber Threats
As businesses transition from papers and pens to computers, new security challenges have opened up for businesses. An effective and sound cybersecurity service has the insight or intelligence on the threats faced by businesses such as knowing that digital documents such as personally identifiable information and intellectual properties have become attractive targets of cybercriminals.
An effective cybersecurity officerhas the foresight to separate a business network that houses sensitive staff and customer data from the network that houses non-sensitive data, predicting that in the event of a comprise in the non-sensitive data network, the sensitive or critical network won’t be affected or accessed by attackers.
2. Block Cyber Threats
An effective cybersecurity service helps block cyber threats from ever getting through your organization’s IT systems. As businesses transition from snail mails to emails, attackers have weaponized the business emails to conduct fraud.
Spoofed emails of CEOs, emails that appear that they come from legitimate CEOs though, in fact, they come from attackers, have tricked a number of finance personnel worldwide in releasing corporate funds to scammers in a cybercrime called Business E-mail Compromise (BEC). The Federal Bureau of Investigation (FBI)in June 2018 release a public alert warning businesses about BEC, which at the time of the alert already victimized over 78,000 businesses worldwide and resulted in the combined total loss of over $12 billion.
In a BEC attack, attackers may spoof email accounts, for instance, do slight variations on legitimate addresses such as from john.kelly@abc_company.com to email@example.com, fooling the email receiver into thinking that the email is authentic. An effective email filtering system can prevent this form of attack from happening by blocking emails with extensions that are similar to the company email. For example, legitimate email of abc_company.com would flag spoof email of abc-company.com.
3. Detect Cyber Threats & Respond
Predictive and blocking cybersecurity measures aren’t enough defenses as cybercriminals are getting more creative and effective each day. There’s always a possibility that no matter how hardy your organization’s predictive and blocking systems are, an anomaly may happen, allowing an attacker or attackers to get inside your organization’s network.
Verizon’s 2018 Data Breach Investigations Reportfound that illegal remote point-of-sale (POS) intrusions often occur in the accommodation and food services industry and weren’t discovered for months in 96% of cases. Businesses only discovered about these intrusions after being informed by law enforcement or through Common Point of Purchase (CPP).
Even Tesla wasn’t spared when attackers used the tech giant’s computing resources to mine cryptocurrency. Tesla also knew about the illegal use of its computing resources for cryptocurrency mining when RedLockdiscovered the intrusion and informed Tesla about it.
In the case of the Tesla intrusion, an effective cybersecurity service could have detected the illegal cryptocurrency mining on Tesla’s resources by monitoring network traffic and correlating it with configuration data, RedLock found.
4. Cybersecurity Services Save Money
An effective cybersecurity service saves businesses an enormous amount of money. The 2018 Cost of Data Breach Study: Global Overviewcommissioned by IBM and conducted by Ponemon Institute found that Canada has the highest data breach direct costs at $81 per compromised record. Direct costs in the study refer to the expense outlay to accomplish a given activity such as engaging forensic experts, hiring a law firm, or offering victims identity protection services.
The study also found that Canada has the highest data breach detection and escalation costs, referring to forensic and investigative activities, assessment and audit services, crisis team management, and communications to executive management and board of directors.
5. Enable Businesses to Gain Access to Cutting-Edge Tools and Top Security Talent
There are 3 types of managed cybersecurity services:
Traditional cybersecurity services refer to on-premise services, requiring in-house manpower and capitalization for cutting-edge hardware and software tools.
In a cloud solution, cybersecurity is managed through cloud-based console and tools, without the need for additional hardware.
In outsourced model, an external third-party cybersecurity service provider, also known as Managed Service Provider (MSP), takes care of everything. Each of these services has its own benefits and budgetary impacts.
In the case of traditional or on-premise cybersecurity services, budget isn’t limited to trained and skilled in-house cybersecurity staff, but also to the growing IT infrastructure complexity. The growing volume of devices, for instance, that need to be secured is a key challenge for businesses.
Cloud-based security service allows your organization to manage multiple endpoints, file servers and mobile devices remotely, from anywhere. In an outsourced or third-party cybersecurity service, your organization, regardless of its size, gains access to the best security talent with greater scalability and continuity.
Hiring and retaining top IT and cybersecurity talent puts a pressure on your organization. Get expert advice when you need it most.
Connect with ustoday to get started.
52 Cybersecurity Tips for Personal or Business Application You Need in 2019
Looking for quality cybersecurity tips?
Here are 52 cybersecurity tips that you can apply to improve your online safety whether you’re using the Internet for personal or business purpose.
Cybersecurity Tip #1: Cyberattack isn’t a matter of if, but when
Yes, there are people and businesses who have deeper pockets than you or have more interesting data than you. This doesn’t mean cybercriminals don’t find you attractive.
Most of cyberattacks aren’t targeted for the rich and famous. Cybercriminals simply automate their attacks and victims are hit not by how deep their pockets or how famous they are but by how weak their cyber defenses are. Don’t be an easy target.
Cybersecurity Tip #2: Malware 101
Malware comes from the words malicious and software. A malicious software is one that’s maliciously injected by cyber criminals into your desktop, laptop, smartphone, tablet or internet of things (IoT) devices like wi-fi router, CCTV camera or smart TV.
Cyber criminals have found and are continuously finding creative means to deliver malware into computers using website, ads and email to name a few, causing damage to the devices, stealing data and committing other cybercrimes.
Cybersecurity Tip #3: Don’t trust public charging stations
You’re long away from home or from the office and your smartphone’s battery is about to die. You spot a public charging station.
Hold up, public charging stations are ripe places for the cyberattack called “juice jacking” – a form of cyberattack that compromises public charging stations, stealing all the data on a smartphone that connects to it or installing a malware into the smartphone.
Charge your phone before you go out or get your own portable charger, also known as a power bank.
Cybersecurity Tip #4: Use 2-Factor Authentication
Who can blame you if you use the name of your dog as your password or use the monumental 12356789 password? There are just too many passwords to remember, from email accounts, bank accounts to your Netflix account.
While it isn’t advisable to use easily hacked passwords like 12356789, it’s best to use 2-factor authentication for your sensitive accounts like your primary emails.
The 2-factor authentication ensures that you're the only person who can access your account, even if someone knows your password. It will add a second step to your login process sending a verification code to your mobile that hackers won’t have access to. It’s easy to setup with virtually every online service.
Cybersecurity Tip #5: Never use a public computer to input your private data
In public spaces like airports and hotels, public computers are offered to guests to use free of charge.
While these public computers are beneficial to search for something, these public computers shouldn’t be used, for instance, to shop online where you’ve to input your private data or even check personal or work email.
The public computer that you’re using can be tampered with a keylogger – a malware that records every keystroke made by a computer user. Your passwords and other confidential information can be accessed this way and then used by cybercriminals to steal your information and your identity.
Cybersecurity Tip #6: Use an antivirus or a complete endpoint protection software
An antivirus won’t protect you from all malware in this world but it’s a cyber defense that you should have to improve your online safety. A complete endpoint protection on the other hand will provide a better protection against most online threats.
There are many options to choose from and since it’s a commodity, annual subscription prices are generally very affordable.
Cybersecurity Tip #7: Delete old, unnecessary apps
Similar to cleaning out your closet regularly, same thing has to be done with your laptop, smartphone and tablet apps.
Old apps, especially those that are unsupported – software that’s no longer updated by the software maker – make your devices vulnerable to cyberattacks.
Cybercriminals are particularly making malware that attacks old and unsupported software and apps to steal your personal information and evade your privacy.
Cybersecurity Tip #8: Keep all your software up-to-date
If there’s an available update for any of your software, install the update as soon as possible!
A software update means that the software vendor found security vulnerability in the software and provides a patch – piece of software code that fixes the security vulnerability.
The security update may interrupt your normal usage of your device, but this is a small price to pay compared to being a victim of a cyberattack as a result of failing timely to update your software.
Cybersecurity Tip #9: Stay away from websites without “HTTPS”
What does “HTTPS” even mean?
A website address that starts with “https” is a sign that whatever you input in the website is encrypted – a process that jumbles the data (for instance, credit card details) that you’ve input in the website into some incoherent form so that this data can’t be read by cybercriminals when data travels online.
Cybersecurity Tip #10: Don’t overshare
Your social media accounts are filled with photos of your furry family member. There’s no harm in sharing these photos.
Don’t overshare the details of your other family members like full names or dates of birth. Any of this data could be the secret answer in resetting your online account passwords without your knowledge.
Cybersecurity Tip #11: Protect your primary emails as if your life depended on them
Your online existence depends on your primary emails. Your online bank accounts are attached to your primary emails.
When your primary emails are compromised, this could lead to the compromise of your other important online accounts. So, protect them as if your life depended on them (really). Protect them with strong passwords that are not based on a dictionary words and use 2-factor authentication. Remember, “Linda123” is a weak password that could and will be easily guessed by cybercriminals.
Cybersecurity Tip #12: Free your primary emails from spam emails
Similar to the origin of the word “spam” – canned meat that clogs your arteries, spam emails are similarly harmful to your online health or security.
A spam email is an unsolicited email, a copy of which is sent to hundreds of thousands, if not, millions of recipients. Majority of malware – malicious software - is delivered through spam emails.
Never open an unsolicited email even when the subject line is catches your attention. Delete it automatically.
Cybersecurity Tip #13: Watch out for fake ads
Who can resist a 70% off sale? Not many. But if this is an online advertisement, be wary of it. Cybercriminals are getting their hands on what appears to be legitimate online advertisements but are, in fact, fake ones.
Known as malvertisement, from the words malware and advertisement, these fake ads install malware on your device once you click on it.
Use an adblocker to protect your devices from malvertisements.
Cybersecurity Tip #14: Download an app from official sources
Want to learn a new language? There’s an app for that. Almost everything nowadays has an app.
Only download an app from the official website or from official app stores including Apple and Google.
Cybersecurity Tip #15: Scan apps for malware
Not all apps from official app stores, Apple or Google, are free from malware. While these official app stores make it a point to screen out apps with malware, some malicious apps aren’t screened out.
Use an antivirus or endpoint protection software that screens apps prior to installing into your device.
Cybersecurity Tip #16: Fish out phishing emails
A phishing email is an email that looks like it comes from a trusted source, but it isn’t. Cybercriminals use phishing emails to gain your trust for you to reveal sensitive data or convince you to do something.
For instance, you may receive an email that looks like it comes from your bank, asking you to reveal your account login details. A close scrutiny though reveals that the email address of your bank is slightly modified to fool you into thinking that it’s a legitimate email from your bank.
Never throw away caution whenever an email asks for your sensitive data. Remember that login details are your personal information. Your bank will never ask for your login details via email or over the phone.
Cybersecurity Tip #17: Monitor your email activity log
If you’ve a Google email account, you can monitor who have access to it – what browsers, devices, IP addresses they are using and when they accessed it.
You can terminate unwanted access to your email account with a single click.
Cybersecurity Tip #18: Be careful what you click
Something pops-up in your computer screen: a box where there’s a “Download Now” button to download the latest version of Adobe Flash.
But you don’t even know what an Adobe Flash is. Never click on pop-ups like this. Cybercriminals lure victims to click on pop-ups like this in order to install malicious software on your computer that would allow them to use it against other computer users like you.
Cybersecurity Tip #19: Put a tape over your laptop's camera
Mark Zuckerberg does it, so should you – put a tape over your laptop's camera, that is.
A malicious software can turn your laptop, smartphone or tablet camera into a spy camera. Better be safe than sorry by putting a tape over that camera.
Cybersecurity Tip #20: Have more than one email account
Never rely on one email account. Create different emails for different purposes.
For instance, the email account that links to your Netflix account should not be the same as the email account you use for your bank account.
Cybersecurity Tip #21: Never trust an email attachment, even from a friend
You’ve just received an email from a friend with the subject line "ILOVEYOU". You’ve scrutinized the email address and indeed it’s from a friend – one that you’re fond of.
Your friend’s email says, "kindly check the attached LOVELETTER coming from me." Should you open the attachment?
In 2000, millions of email recipients opened an email with the subject line "ILOVEYOU" and downloaded the attachment assuming that it was a love letter. What was downloaded was, in fact, a malware that wiped out all computer files.
So, even if the email address appears to be from a friend, never open an attachment. An email address nowadays can be spoofed.
To be safe, directly contact your friend to verify if he or she indeed sent the email. Don’t use the Reply button. Create a new email using the email address that you’ve saved in your contacts.
Cybersecurity Tip #22: Don’t forget to do a factory data reset
Feeling generous or running out of cash? Your laptops, smartphones and tablets are valuable products to giveaway or earn cash.
Before selling or giving them away, don’t forget to do a factory data reset or even “sterilize” your device using specialized tools. This will delete all your personal data like email details, sites that you’ve visited and photos and videos that you’ve taken.
Cybersecurity Tip #23: Stay away from USBs and external hard drives
Anything that’s plugged into your laptop like USBs and external hard-drives is a potential source of malicious software.
As such, stay away from them or find excuses not to use them, especially if they come from untrusted source. If you must use them, first disable the auto-run option and use an antivirus to scan the content.
Never plugin any USB thumb-drives that you find on the street, at the mall or at the airport. Cyber criminals use this clever technique to infect your computer with malware.
Cybersecurity Tip #24: Avoid public wi-fi
Almost all coffee shops and retail locations nowadays have public Wi-Fi. Know that whatever you access online by using a public Wi-Fi can be read or tracked by others.
You can better protect yourself buy using an inexpensive VPN service or ask your company’s IT for a recommendation when away from the office.
Cybersecurity Tip #25: Use a burner phone if you want to be reckless online
If you want to visit sites that are notoriously unsafe, or you want to download an app that you’re not sure it’s safe, then a burner phone is a must.
A burner phone should be a separate phone. Your primary phone is one that you use for sensitive information like your primary emails and bank accounts.
With your burner phone, no sensitive data should be entered. As no sensitive data is at stake, you can do whatever you want on this phone.
Cybersecurity Tip #26: Slow performance of a device is a sign of a cyberattack
Ever wondered why your laptop, smartphone or tablet is running slow? This could be a sign that your device is has been hacked and/or tempered with.
Slow performance is one of the signs that a device is infected with a malicious software.
Cybersecurity Tip #27: Watch your back from disgruntled employees
Some people can’t seem to move on. This is the case mostly by fired employees.
Make sure that before firing someone, his or her access to your organization’s data must first be disabled.
Cybersecurity Tip #28: Never re-used a password
The name of your dog as a password for all your online accounts isn’t advisable.
Cybercriminals have long discovered that people re-used their passwords. Stolen passwords are sold in the online black market as these are used to access other online accounts.
Cybersecurity Tip #29: Use a separate credit or debit card for online shopping
Trust no one online. This should be the case every time you shop online. The risk of cyberattack on your most trusted online store can’t be dismissed.
Don’t give cyber criminals the opportunity to access your hard-earned money. Get a separate credit or debit card solely for online shopping use. Only put in the amount that you’ll use and only leave the required minimum balance.
Cybersecurity Tip #30: Never turn on out of office or vacation reply
Excited about your upcoming tropical vacation? Don’t turn on that out of office or vacation reply.
In your personal or office email, there’s an option to turn on the out of office or vacation reply. When this feature is turned on, every time people email you, they’ll receive an automatic email reply that you won’t be able to reply to them right away.
While this is mindful to legitimate email senders, this is a security risk. Criminals may take your absence as an opportunity to attack your office or your home. Fortunately, some email providers allow restricting the out of office replies to your contacts only.
Cybersecurity Tip #31: Never reveal your real location
It’s tempting to post on social media those lovely vacations photos immediately right after they’re taken or to go live via Facebook to share the beautiful scenery where you’re vacationing.
Revealing your exact whereabouts via social media postings is a cybersecurity risk. Criminals may take advantage of your absence and may do something sinister in your office or home.
The delayed postings of your vacation photos and videos will bring the same reaction from your frenemies. They’ll either love or hate you more.
Cybersecurity Tip #32: Turn off your geo-location
Turning on geo-location in your Google, Facebook, Instagram and other social media accounts can tip criminals of your exact whereabouts.
Always turn this off to protect your privacy.
Cybersecurity Tip #33: Never use the following abused passwords
A Google and UC study revealed that passwords listed below are the most commonly used and abused passwords:
Cybersecurity Tip #34: Mind your IoT devices
IoT devices like your wi-fi router, CCTV camera and smart TV are computers too. Protect them like your other devices such as laptops and smartphones as IoT devices are similarly targeted by cybercriminals.
Your insecure IoT device can be used by cybercriminals to form a botnet – a group of insecure IoT devices that are infected with malware and controlled by a cybercriminal or a group of cybercriminals to conduct cybercrimes such as spreading spam emails.
Changing the default passwords to stronger passwords and keeping the software of your IoT devices up-to-date are two of the best cybersecurity practices to protect your IoT devices from cyber criminals.
Cybersecurity Tip #35: Cybercriminals may be making money out of using your computers
Your desktop, laptop, smartphone, tablet and IoT are money-making machines for cybercriminals who are engaged in the cyberattack called cryptocurrency mining.
A number of cryptocurrencies, including Bitcoin, need to be mined. Cryptocurrency mining refers to the process by which transactions are verified and also a means of releasing a new digital coin.
In the past, ordinary computers were used to mine Bitcoin. Today, to mine Bitcoin, one needs a specialized and powerful computer. Other cryptocurrencies like Monero, however, can be mined using ordinary computers and even small devices such as smartphones and IoT devices.
The computational power of your devices may be small but when they are combined with thousands, if not, millions of other devices, the resulting computing power is enormous.
According to a security company Avast, more than 15,000 IoT devices would be needed to mine $1,000-worth of Monero coins in just 4 days.
The thing about cryptocurrency mining attack is that this is done without the knowledge of the IoT device owner. High energy bills, poor device performance and a shortened device lifespan are signs that your IoT devices are used by cybercriminals for cryptocurrency mining.
Using strong passwords and keeping the software of your IoT devices up-to-date are 2 of the effective means to protect your devices from cryptocurrency mining.
Cybersecurity Tip #36: Your IoT devices can be used for DDoS attack
In a distributed denial-of-service (DDoS) attack, an attacker may take advantage of the weak security of your IoT device like your CCTV camera, inject a malicious software into it, control it and send huge amounts of data to a website, making a website unusually slow or making it inaccessible to visitors.
Protect your IoT devices from being used for DDoS attacks by changing the default password to a stronger one and keep the IoT’s software up-to-date.
Cybersecurity Tip #37: Backup important data
Have an extra copy or copies of your important data or use a secure online storage. This way, if anything happens to your laptop, smartphone or tablet with your important data on it, you’ve something to fall back on.
Cybersecurity Tip #38: Prevent ransomware
Real-life crimes are mirrored online. In a ransomware attack, a cyber attacker injects a malicious software in your desktop, laptop, smartphone or tablet, encrypts all the files, locking you out of your device and asks a ransom payment from you to unlock the device.
Keeping all your software, especially your operating system, up-to-date is one of the effective means to prevent ransomware attacks. Backing up your important data ensures that ransomware attacks won’t have an effect on you as you can simply ignore the ransom threat as you’ve another copy of the data.
Cybersecurity Tip #39: To pay or not to pay in case of a ransomware attack
If you’ve a backup copy of the data that ransomware criminals are holding hostage, then there’s no point in paying the ransom.
Backing up your data is, therefore, very important so that ransomware criminals won’t have any leverage on you.
Dilemma often comes from ransomware attack victims who haven’t backed up their data. Paying the criminals, however, doesn’t guarantee that you’ll get your data back.
The software code of infamous WannaCry ransomware, for instance, was written in such a way that even the criminals themselves can’t unlock the locked data even if the victims pay ransom.
Cybersecurity Tip #40: Install adblocker
Many online ads install malware on your computer.
To prevent malicious ads from appearing on web pages, install an adblocker – software that blocks online advertisements from appearing on web pages that you visit.
Cybersecurity Tip #41: Don’t be a victim of social engineering
Social engineering is a form of manipulation that convinces you to ignore normal security procedures.
In your personal life, you may receive a call from someone pretending to be from your bank, asking for your bank login details.
At work, you may receive a call and an email from someone pretending to be from your company’s supplier, asking you to transfer money to the supplier’s new bank account.
In both situations, you’re asked to do something that’s not within the normal security procedures. Your bank wouldn’t call you to ask for your login details. And company protocols for money transfer to a new bank account are more exhaustive than a mere phone call or simple email.
The scam at the office is what is called business email compromise (BEC) scam. It’s a form of social engineering where scammers try to convince you, especially if your work at the office is related to finance, to ignore normal office security procedures.
BEC scammers see to it that your boss is out in the office when the scam happens. Scammers will call you, email you, pretend that they represent your regular supplier and convince you to make money transfer to the new bank account of the supplier.
The scammers may send a spoof email that looks like it comes from your boss, convincing you to release money to the new bank account.
The best way to avoid being a victim of the BEC scam is to verify the authenticity of the money transfer request by talking face-to-face to your CEO or by speaking to him or her directly on the phone.
Cybersecurity Tip #42: Legitimate website may be a carrier of malware
A legitimate website doesn’t mean it’s a safe site. Cyber criminals are using insecure sites to spread malware through a cyberattack called drive-by attack.
The attack is called “drive-by” as this requires no action from the victim, other than visiting a website.
Criminals may plant the malware on the site visited by the victim or the criminals may redirect the victim to another site and from there infects the computer of the visitor with a malware.
Typical victims of drive-by attacks are computers with outdated software. To prevent drive-by attacks, it’s important then to keep all your software up-to-date by installing updates as soon as it becomes available.
Cybersecurity Tip #43: Delete potentially unwanted apps
Potentially unwanted apps (PUA) are software that you haven’t intentionally downloaded. They’re just downloaded along with an app that you intentionally downloaded.
These unwanted apps could display pop-ups, install browser extensions and even change your current browser. They may be harmless at first, but once cyber criminals get hold of them, they could become malicious overtime.
One way to prevent unwanted apps from entering your computer is by going to advanced setting whenever you download an app. In the advanced setting, uncheck the apps that you don’t want to be installed on your computer. In case you’ve missed this advanced feature, delete these unwanted apps manually.
Cybersecurity Tip #44: Stay off-grid
Whenever you aren’t using your laptop, smartphone or tablet, disconnect your device from the internet.
Whenever you notice that a cyberattack is about to happen through unwanted pop-up ads or a rogue email, disconnect your computer from the internet immediately and use your end point protection software to scan your device.
Cybersecurity Tip #45: Exercise caution when visiting notorious sites
Torrent sites (include porn sites to the list) are notorious for being hotbeds for drive-by attacks.
Stay away from sites like these. If you need to visit these notorious sites, use a burner phone, one that’s cheap and can easily be discarded.
Cybersecurity Tip #46: Use your laptop as standard user, not as administrator
In your operating system, in Windows 10 for instance, you’ve the option to run your computer as a standard user or as an administrator.
As a standard user, you can perform common daily tasks like surfing the internet, checking emails and running software programs. As an administrator, you can add, remove software and even reset the PC to factory setting.
Setting your PC to standard user ensures that you won’t unintentionally add or delete software. Only set your PC to administrator mode if you need to make conscious clean-up of the existing apps on your PC. Setting your PC to standard user will also minimize the risks of malicious installation of malware into your PC.
Have a Guest account on your computer? If you really need it, make sure you use a strong account password.
Cybersecurity Tip #47: No one could address ALL cybersecurity issues
If someone tells you that he has an all-in-one fix to all cybersecurity problems, know that he’s blowing smoke.
Fifty-two cybersecurity tips are particularly listed here as there are more than one solution to preventing cyberattacks and data breaches.
Cybersecurity Tip #48: Not all hackers are bad
Every day hackers, the good ones and the bad ones are always looking for security vulnerabilities on widely-used software programs.
Good hackers, also known as white hat hackers or ethical hackers, regularly test software programs for security vulnerabilities. Once a white hat hacker discovers any security vulnerability on a particular software, this is then reported directly to the software maker in order for the software maker to issue a security update fixing the newly discovered security vulnerability.
Software makers like Google, Apple and Microsoft give monetary rewards to white hat hackers for their discovery and for directly reporting the security vulnerability.
Many software companies are also employing in-house hackers to test the security vulnerabilities of their software products.
Bad hackers, also known as black hat hackers, regularly test widely-used software for security vulnerabilities. Once they discover it, they don’t report this to the software maker and instead use it for personal gains like launching cyberattacks using the newly discovered security vulnerability or selling via online black market the information or the malicious software created specifically to exploit the newly discovered security vulnerability.
Like in the real world, there are gray areas. Same thing in the world of hacking, there are gray hat hackers. They are often a mix of white and black hat hackers. Gray hat hackers often search for security vulnerabilities for widely-used software. Once they discover a vulnerability, they’ll contact the software owner, demand a payment for the discovery or for the security fix if they’ve one. If the software maker doesn’t pay up, a gray hat hacker threatens the software maker to expose the security vulnerability to the public.
Cybersecurity Tip #49: Stay away from anything that’s free online
Like in real life, nothing is free. Stay away from free apps, free antivirus, free VPN (virtual private network), free Wi-Fi.
Free stuff online almost always has a caveat, that is, free service for stealing your data, for instance. Remember Facebook’s data breaches? Well, after all it’s a free service.
Cybersecurity Tip #50: Do your own research in choosing any software, internet service provider or any online services
Always do your own research when it comes to choosing anything that connects your primary devices like your main laptop and main smartphone to the internet.
Your main laptop and main smartphone are devices where you access your sensitive information like your important emails, bank accounts and other important accounts.
It’s, therefore, essential that you spend time choosing the most trusted, credible software, internet service provider and other online services. A simple online search will tell you whether such online service is credible or not. If you have a friend or a family member who works in cybersecurity or IT fields, always ask for their opinion.
Cybersecurity Tip #51: What to do in case of a cyberattack?
In case of a cyberattack, your immediate reaction should be to go off the grid. Immediately disconnect your computer from the internet. Then use an uninfected device, another laptop or another smartphone to change your passwords and activate 2-factor authentication of your primary emails and important accounts like bank accounts.
What to do with the attacked device? Conduct a full scan of the device and if possible perform a factory reset.
A full scan will aid you in discovering and deleting hidden malware, while the factory reset will erase all the data, including the malware injected into your device. The problem with factory reset though is that it’ll erase even your important data.
This is why it’s a good practice to backup all your important files so that if anything happens you can still have access to your important data despite the failure of one device.
There are plenty of online services that will sync your data and will keep it safe in the Cloud. Check with your IT prior to installing anything on your work computer or company issues mobile device. You could be violating company’s policy.
Cybersecurity Tip #52: Cybercrime is a growing business
Here are few numbers:
$16 Million-worth of ransom payment was paid by nearly 20,000 ransomware victimsduring a 2-year period, a study conducted by researchers from Princeton University, New York University, University of California, San Diego, Google and Chainalysis showed.
3 Billion was lost to BEC scammers from January 2015 to February 2017, according to the Federal Bureau of Investigation (FBI).
POS Malware Continues to Target Small and Medium-Sized Businesses
Two organizations, Flashpoint and Cisco Talos, recently revealed that point-of-sale (POS) malware continues to be a threat to small and medium-sized businesses.
What Is a Point-of-Sale (POS) Malware?
A point-of-sale (POS) malware is a malicious software that particularly targets POS, a system used for credit card transaction for payment of goods or services. Attackers may install a POS malware physically by tampering the PIN entry device pads or swapping out devices, an attack known as payment card skimming.
Another way of installing the POS malware is through remote installation, that is, the installation of a malware on environments where card-present retail transactions are conducted using a different computer stationed in another location. This present blog post covers the remote POS intrusion.
The goal of a POS malware is to obtain credit card details from customers. Stolen credit card details are typically sold by cyber criminals on the dark web. Buyers use these stolen credit card details to commit credit card fraud – unauthorized charges on someone else’s credit card.
Flashpoint researchers reported that the POS malware called DMSniff has been actively used by cyber criminals since at least 2016 against small and medium-sized businesses in the restaurant and entertainment industries. Similar to other POS malware, DMSniff harvests credit card details. Flashpoint researchers said the DMSniff malware was previously only sold privately.
One feature of DMSniff that’s rarely seen in POS malware, Flashpoint researchers noted is the use of domain generation algorithm (DGA), a feature that creates lists of command-and-control domains or webpages on the fly. Command-and-control domains are important to cyber criminals as malware typically receive commands and send stolen data via these domains.
To cripple the effectiveness of a malware, that is, preventing the malware to receive commands or share stolen data, law enforcement or hosting providers take down these malware command-and-control domains. With domain generation algorithm, attackers can create lists of command-and-control domains on the fly in case one domain is taken down. In addition, domain generation algorithm also bypasses weak blocking mechanisms.
Cisco Talos researchers, meanwhile, reported about the proliferation of the new POS malware called GlitchPOS. The sale of this malware opened a few weeks ago in one of the crimeware forums. This malware later turned up for sale in another crimeware forum. The author of the GlitchPOS malware even created a video, showing how this malware harvests credit card details.
Like other POS malware, the main purpose of GlitchPOS is to steal credit card details from the memory of the infected system. Unlike DMSniff, with its advanced domain generation algorithm feature, GlitchPOS contains few functions, such as connecting to the command-and-control server to do the following tasks: register the infected systems, exfiltrate credit card numbers from the memory of the infected system, update the "encryption" key and clean itself. Online services such as Dropbox and Google Drive are at times used by cyber criminals as command-and-control servers.
Verizon’s 2018 Data Breach Investigations Reportfound that the accommodation and food services industry was the hardest sector in terms of remote POS intrusion in 2018, with remote POS breaches 40 times more likely to occur on the accommodation and food services industry compared to other industries.
The 2018 Verizon report added that remote POS intrusions weren’t discovered for months in 96% of cases. They were only discovered via external sources such as detection as a Common Point of Purchase (CPP) or by law enforcement.
In February this year, North Country Business Products (NCBP), a Minnesota-based provider of point-of-sale products, disclosed that nearly 140 of its customers, mostly bars, restaurants, and coffee shops all over the US, have had POS systems infected with malware.
Causes of Remote POS Intrusions
Here are some of the common causes of remote POS intrusions:
SSH Brute Forcing & Common Exploit Scanners
In the case of DMSniff malware, Flashpoint researchers suspected (with low confidence) that the initial infection could either be SSH brute forcing or common exploit scanners.
In SSH brute forcing, an attacker tries every possible password combination until it cracks the password of SSH, also known as Secure Shell or Secure Socket Shell, a network protocol that gives users, particularly system administrators, a means to access a computer over the internet. Common exploit scanners, meanwhile, are automated tools that are used to test applications and networks against known and new security vulnerabilities.
Supply Chain Attack
Supplier of point-of-sale products North Country Business Products revealed that POS systems of its nearly 140 business clients were infected with POS malware as cyber criminals compromised its IT system and later on planted POS malware on the network of some of its customers.
Lack of Trained Security Staff
Verizon’s 2018 Data Breach Investigations Report, meanwhile, said that businesses in the accommodation and food services industry rely almost exclusively on payment cards for their existence. Despite this reliance, this industry, in particular, restaurants are small organizations that typically don’t have trained security staff.
Good security controls and training will minimize the likelihood of a data breach for your business.
When you need help of experienced cybersecurity professionals, our team is a phone call away. Contact ustoday and protect your business.
Why is Segregation of Duties Between IT and Cybersecurity Critical for Your Business?
Neglecting your cybersecurity means neglecting your business’s future.
It’s that simple. Every company has to take effective action to minimize its risk of a data breach, leveraging the latest, most effective measures to combat hackers. Software specialists Citrix is just one of the latest brands to come under attack: it’s believed as much as 10TB may have been stolen.
Furthermore, the criminals are said to have gained access to the system through ‘password spraying’, or simply guessing weak, common passwords.
It’s paramount to ensure your business is protected and prepared to deal with any serious cyberattack sent your way. One key aspect of safeguarding your company is Segregation of Duties between IT and cybersecurity. What does that mean and how do you do it?
Segregation of Duties (or SoD) revolves around keeping multiple people involved with achieving a specific goal, whatever the task at hand may be. Though it started as a process to minimize the danger of mistakes or fraudulent activities, SoD has evolved into an important security issue.
All tasks covered require authorization from two parties to prove integrity and defend against breaches. All individuals involved in undertaking a process of any size would have to be in agreement before the task can be completed.
Segregation of Duties is so important because it takes absolute power out of the hands of any one person within your company, offering greater peace of mind and caution. SoD spreads the privileges for everyone’s benefit and makes cybercriminals’ ‘work’ a little harder
Key Benefits of Segregation of Duties
Segregation of Duties offers businesses numerous compelling benefits, including the following:
Reduce the risk of inside attacks
You trust your employees to work with your system every day. You expect them to be respectful, careful and loyal. You put your faith in them to help steer your company toward success.
And yet, inside attacks are a sad reality of cybersecurity breaches. Not only can an issue caused from the inside be more difficult to detect until it’s too late, but it can be particularly devastating on an emotional level if the attack was intentional.
Dealing with a mistake is one thing. But knowing that an employee you paid and supported facilitated an attack can leave you, and their colleagues, struggling to trust others in the future.
Oversights may cause accidental inside attacks too. This may be down to an employee downloading an attachment from a suspicious email, failing to follow standard practice when making company payments or something equally minor.
Segregation of Duties takes care of all this. For example, if one worker is preparing to download a new tool but requires another’s agreement first, they may discover a security risk before any harm is done.
This reduces the danger of genuine accidents caused by ignorance and acts as a deterrent for insiders looking to sabotage the business.
Should any attacks take place, it’s far easier to determine which party must have been responsible just by addressing those individuals with access. This is much more difficult when everyone in the company uses every aspect of the system without restraint.
Less power is up for grabs
Imagine if a hacker manages to gain access to your system by cracking an employee’s login details. Imagine if said employee has full access to every tool, every database, every service — a criminal could basically take control of your business and cause monumental damage before they’re shut down.
With Segregation of Duties, you can minimize the power any hacker would wield should they find a way into your network. Accounts are shared between a small group of people and only they have authorized entry. Any sign of unexpected activity within those accounts would indicate a potential issue.
Furthermore, all aspects of your company which require a different set of credentials to enter would be secure. This allows you to focus your attention on the problem areas rather than addressing the entire company.
Accounts and credentials are easier to manage
Businesses implementing SoD can manage access and credentials more easily in the event of a crisis.
Specifically, creating new logins for a compromised account is much easier with just two people to update. It’s a convenient, faster process with less room for error.
Segregation of Duties Between IT and Cybersecurity
Segregation of Duties between your IT department and cybersecurity specialists is vital for increasing your reinforcing business’s defense against hackers.
Your IT team may be experienced, well-trained and qualified, but they have to make sure they’re up-to-date on the latest risks, techniques and solutions in cybersecurity. Without this knowledge, they’re more likely to make mistakes when updating systems, maintaining your network or working with vendors.
Again, SoD means making sure your IT specialists are accountable and have to run their intentions by someone else. The smallest oversight could end up causing massive disruptions and effectively shut your business down on a temporary (or possibly permanent) basis.
Segregation of Duties demands a responsible approach: keep track of which individuals have access to specific accounts and which are authorized to perform certain tasks. Make sure to limit any crossover that could cause problems, such as putting the same person in two or three teams. This may lead to a conflict of interest and questionable choices.
Working with experienced cybersecurity experts is crucial for companies of all sizes, across all industries. Businesses have to take charge of their own protection and implement strategies designed to limit the damage a single attack is capable of.
All companies must stay organized and plan ahead when implementing a SoD strategy. Cybersecurity professionals can advise you on the major threats your business faces and how best to protect against them.
Cybersecurity experts will help you understand what that involves, how to implement Segregation of Duties and combat even the most creative cybercriminals.
Want to learn what The Driz Group can do for your company? Please don’t hesitate to reach out to our dedicated teamnow.
What Is Password Spray Attack and How to Prevent It
VPN provider Citrix, whose clientele includes more than 400,000 organizations including 98% of the Fortune 500 companies, recently disclosed that cybercriminals gained access and downloaded business documents from its internal network.
According to the Federal Bureau of Investigation (FBI), the one that informed Citrixabout the illegal intrusion, the attackers likely used a tactic known as password spray to gain a foothold with limited access to Citrix’ network and worked to circumvent additional layers of security.
What Is Password Spray Attack?
Password spray is a type of cyberattack that attempts to access a large number of usernames (accounts) using commonly used passwords. This type of attack is also known as low-and-slow method as an attacker or attackers at first attempt to login using a single commonly used password for a number of usernames. If the first password is incorrect for all the usernames, the attackers will then use a different password, giving sufficient time in between different password guessing so as not to trigger any time-based account lockout thresholds.
Attackers, for instance, can easily get all usernames of a certain organization using the toolMailsniperand then attempt to login using at first the commonly used password “P@$$w0rd” on all of the usernames, and if this password fails, after a sufficient time interval, use another commonly used password “Password1” and so on.
Password spray is a stealth form of cyberattack, evading most detection techniques. On the part of the legitimate user or the organization, login attempts that are part of password spray attacks are seen as isolated failed login.
On the part of the attackers, password spray attack is a numbers game. Even though commonly used passwords are used only by 0.5-1.0% of accounts, one successful attempt for every thousand accounts attacked is enough as this one successful attempt has a multiplying effect. Successful access to one account allows attackers to harvest further information.
A study conducted by the UK National Cyber Security Center (NCSC)showed that 75% of the participants’ organizations (UK-based) had accounts with passwords that featured in the top 1,000 passwords, and 87% had accounts with passwords that featured in the top 10,000.
"This data suggests that password spraying attacks are likely to have some success against these organizations, and many other organizations across the UK,” NCSC said. “Whilst account lockout policies may limit attackers to trying (for example) 10 passwords against a single account per day, the account lockout counters usually reset over time. This allows persistent attackers to try more passwords, and they can (and do) end up trying hundreds or even thousands of common passwords.”
The recent cyberattack on Citrix via password spray attack shows that cybercriminals are increasingly using this form of cyberattack against organizations worldwide. In March 2018, the U.S. Department of Homeland Security (DHS) and the FBI released a joint alertwarning the public against the growing threat of password spray attacks.
Passwords aren’t just used in emails. They’re also used in single sign-on (SSO) or web-based applications with federated authentication method. According to DHS and FBI, victims of password spray attacks often use SSO or web-based applications with federated authentication method. DHS and FBI added that the vast majority of known password spray victims share some of the following characteristics:
In March 2018, theFBIannounced the hacking-related charges against nine Iranians. The FBI said the accused conducted a 4-year campaign that compromised nearly 144 U.S.-based universities and 176 foreign universities in 21 countries. In addition to the compromised universities, the FBI said 50 U.S. and foreign private companies, the states of Hawaii and Indiana and the United Nations were compromised by the accused as well.
Over 30 terabytes of academic data and intellectual property, equivalent to 3 times the amount of data contained in the print collection of the Library of Congress, were stolen by the accused, the FBI said.
According to the FBI, the accused compromised their victims through password spray attacks. “They were flying under the radar,” said the FBI agent who investigated the case, “and the magnitude of their effort was remarkable.”
How to Prevent Password Spray Attacks
While password spray attacks can go undetected by security networks, there are, however, indicators of this type of cyberattack. Indicators of password spray attacks include the rise in attempted logins against the enterprise SSO portal or web-based application, and employee logins from IP addresses resolving to locations not consistent with their normal locations.
Here are some measures aimed at deterring password spray attacks:
Using MFA in all active, internet facing protocols is one way to deter password spray attacks. So long as there are passwords, attackers would forever guess them. MFA is a means to distinguish between a legitimate account owner and the attacker.
Banning commonly used passwords is another means to deter password spray attacks. Every password creation, change or reset should run through a banned password checker, containing a list of words that no one should ever have in their password.
Password spray attacks exist because of passwords. When passwords aren’t used at all, there would be no passwords that the attackers have to guess. Instead of passwords, use non-password-based authentication methods.
For instance, Windows Server 2016 enables completely password-free access based on strong cryptographic keys tied to both the user and the device.
Decade-Old Qbot Banking Malware Makes a Comeback
The decade-old Qbot banking malicious software (malware) has made a comeback, this time exploiting a tool that already exists on targeted computers: BITSAdmin.
Researchers at Varonisrevealed that thousands of computers around the globe have been compromised and under active control by a new variant of the Qbot malware, this time leveraging BITSAdmin, a common administration tool. The researchers said they found 2,726 unique victim IP addresses infected with this new variant of Qbot.
The researchers added that the number of victims is likely much larger as many organizations use port address translation that hides internal IP addresses. Majority of the Qbot malware victims, Varonis researchers said were located in the U.S., but victims were also found in Canada, the U.K., France, Brazil, Germany, South Africa, Russia, China and India.
What Is Qbot?
Qbot, also known as Qakbot or Pinkslipbot, is a malware that was first observed in the wild in 2007. Through the years, this malware has morphed into various versions due in part to the fact that the source code of this malware is publicly available. The various versions of Qbot retain the primary purpose of this malware, that is, to steal online banking account information from compromised computers.
According to Microsoft, over the years, cybercriminals behind Qbot have improved the Qbot code, enabling this malware to better “evade detection, stay under the radar longer, and increase the chances of spreading to other potential victims.”
Various versions of Qbot, including the latest version observed by Varonis, steal online banking account information from compromised computers through keylogging and hooking.
In keylogging, every keystroke that the victim enters is automatically captured and sent to the Qbot attackers. Hooking, also known as code hooking, modifies the behavior of a computer program. For instance, antivirus programs use hooking once it discovers the presence of a malware. On the flip side, cyberattackers use hooking as well, for instance, altering the behavior of a computer program or a browser, which can lead to exfiltration of passwords and cookies (referring to the text file that a web browser stores on a user's computer).
Another common feature of Qbot variants is the worm-like capability or the ability to spread across an organization’s network and infect other systems without user interaction. According to Microsoft, Qbot "can drop copies in other machines in the network using Server Message Block (SMB) and then use remote execution to activate.” SMB is a Microsoft Windows protocol for sharing files over a network.
Another common feature of Qbot variants is the initial infection process. Like many other cyberattacks, Qbot initially arrives on the victim's computer through malicious email campaigns, containing a malicious attachment and/or link.
What Is BITSAdmin?
BITS in the term “BITSAdmin” stands for Background Intelligent Transfer Service (BITS). BITS is a component of Microsoft Windows operating systems which facilitates updates and other applications to operate in the background without interrupting other networked applications.
Cybercriminals have learned to abuse BITS by using this legitimate administration tool for downloading, executing and even cleaning up after running malicious code. The interface to create and manage BITS jobs or tasks is accessible through PowerShell, a tool capable of executing code from memory and providing administrative access directly to a device's core, and BITSAdmin tool, a tool that can be used to create download or upload BITS jobs and monitor their progress.
In the past, cybercriminals behind Qbot have used PowerShell to download and run the Mimikatz, another malware that steals credentials, allowing attackers to move rapidly across a network once they have established an initial foothold.
Researchers at Varonis reported that the latest Qbot, uses BITSAdmin, another common administration tool in Windows operating systems, to download Qbot’s loader – a component that executes the core malware.
The abuse of legitimate administration tools such as PowerShell and the BITSAdmin are examples of “living off the land” cyberattack techniques that exploit tools that already exist on targeted computers. Exploiting these common administration tools makes detection difficult.
One probable explanation why the cyberattackers behind the latest variant of Qbot use the administration tool BITSAdmin, instead of PowerShell, is that PowerShell is now closely monitored on enterprise systems. A recent study conducted by IBMshowed that more than half or 57% of cyberattacks exploit tools that already exist on targeted computers. The IBM study highlighted that the administration tool that’s often exploited by cyberattackers is PowerShell.
Cyberattackers that abuse PowerShell and BITSAdmin have first to execute their malicious code on the targeted computer. The initial infection of PowerShell and BITSAdmin-based attacks is often phishing attacks, attacks that use malicious emails that contain malicious attachments and/or links.
In the case of the latest variant of Qbot, Varonis researchers said the first infection was likely carried out via a phishing email that tricked the victim into running a malicious file. Cybersecurity best practices for mitigating phishing attacks also apply for mitigating PowerShell and BITSAdmin-based attacks. These mitigating measures include deleting any suspicious emails, especially those containing suspicious links and/or attachments, and avoiding enabling macros in Microsoft Office.
Disabling all BITS functionality, meanwhile, as a preventive measure is a tricky business as this will likely have unintentional side effects, such as preventing legitimate software patching and updating. Some of the mitigating measures that are specific to BITSAdmin-based attacks include modifying host firewall rules and other network controls to only allow legitimate BITS traffic, and monitoring usage of the BITSAdmin tool, including the command options “Transfer”, “Create”, “AddFile”, “SetNotifyFlags”, “SetNotifyCmdLine”, “SetMinRetryDelay” and “Resume”.
Trend Shows Cybercriminals Are Turning to Formjacking
A newly released global cyberthreat trend shows that cybercriminals are turning to formjacking as a new get-rich-quick scheme.
In the recently released Internet Security Threat Report, Symantec reported that on average, more than 4,800 unique websites are compromised with formjacking every month. According to Symantec, formjacking has increased dramatically since mid-August 2018. By the end of 2018, Symantec said it detected 3.7 million formjacking attacks, with nearly a third of all detections occurring during November and December – the busiest online shopping period.
Symantec said that while any organization, regardless of size and location, which processes payments online is a potential victim of formjacking, small and medium-sized retailers are, by and large, the most widely compromised by formjacking attackers.
What Is Formjacking?
Formjacking is a type of cyberattack that injects malicious code into website forms. This malicious code allows attackers to steal credit card details and other personal and financial information that are entered into the compromised forms as information is automatically sent to attackers. Stolen information could be used by attackers to perform payment card fraud or attackers could sell these details to other cybercriminals.
According to Symantec, attackers need only 10 stolen credit cards from each of the more than 4,800 compromised websites each month to earn up to $2.2 million per month considering that the current value for each card is $45 in underground selling forums.
How Are Formjacking Attacks Carried Out?
In recent months, two methods of formjacking attacks were observed: supply chain attack and redirection chain.
Supply Chain Attack
One of the ways by which formjacking attackers gain access to a website and change the code on its checkout page is through supply chain attack. In a supply chain attack, attackers gain access to a large organization’s website and change the code on its checkout page by exploiting the security vulnerabilities in a smaller business used by the larger company to provide different services.
The Ticketmaster formjacking case is an example of a formjacking attack carried out by means of a supply chain attack. In the Ticketmaster case, attackers injected malicious code into Ticketmaster’s checkout pages after compromising a chatbot used by Ticketmaster for customer support. This malicious code enabled the Ticketmaster attackers to capture payment card data and other information from customers and send them to their servers.
The chatbot used by Ticketmaster for customer support was hosted by Inbenta, an external third-party supplier to Ticketmaster. Inbenta chief executive Jordi Torras toldZDNetthat attackers exploited a number of vulnerabilities of Inbenta’s servers and in the process altered the chatbot code.
The Ticketmaster formjacking case, therefore, wasn’t directly an attack against Ticketmaster but an attack on a third-party supplier Inbenta. It’s worthy to note that supply chain attack was also used in the NotPetya attack in 2017 in which MEDoc, a tax and accounting software package, was used for the initial insertion of NotPetya malware into corporate networks.
Supply chain attacks show that cybersecurity hygiene shouldn’t only be implemented within an organization’s internal IT systems but also for third-party software and applications.
Redirection chain as a means of carrying out a formjacking attack is a new technique used by attackers in late 2018. In a redirection chain attack, a user that uses a checkout page of an online retailer is redirected to the checkout page of another online retailer which is injected with formjacking code. When this user enters payment information, the information is sent both to the retailer as well as to the attackers.
In December 2018, Symantecreported that it detected a checkout page of a retail store in Paris which was injected with a formjacking code. The injected formjacking code, Symantec said, collects the payment information entered by customers and posts it to the domain google-analyitics.org.
Symantec observed that popular online retailers’ checkout pages from different countries, such as the U.S., Japan, Australia, and Germany redirected to this one Paris checkout page. “This created an interesting redirection chain as customers of all these websites were being infected by formjacking at the same time,” Symantec said.
Symantec added that to make matters worse, the formjacking code in the above-mentioned redirection chain attack comes with Firebug, a debugging tool that prevents security researchers from analyzing the malicious code.
Formjacking attacks are becoming sophisticated and stealthy as shown in the above-mentioned examples. Users of compromised checkout pages may not realize they’re victims of formjacking as compromised checkout pages generally continue to operate as normal.
Here are some cybersecurity measures in order to prevent formjacking attacks:
Don’t have cybersecurity resources or dedicated CISO? Contact us today to mitigate IT risks, fast.
Steve E. Driz