Thought leadership. threat analysis, news and alerts.
Threat Actors Continue to Target Websites
The European Central Bank (ECB) shut down one of its websites following the discovery that malicious actors accessed the site without authority and infected it with malicious software (malware). This incident shows that threat actors continue to target websites.
ECB, in a statement, said that unauthorized parties had breached the Bank’s Integrated Reporting Dictionary (BIRD) website, a site purposely built to provide the banking industry with details on how to produce statistical and supervisory reports. The Bank said that contact data, including email addresses, names and position titles of 481 subscribers to the BIRD newsletter may have been stolen by the attackers.
ECB, in a statement, said that the attack on BIRD website was discovered as a result of a “regular maintenance work”. An ECB spokesman told Reutersthat the earliest evidence found of the website attack dated back to December 2018, which means that the attack had gone unnoticed for months before being discovered during maintenance work.
This isn’t the first time that ECB reported an attack on its IT infrastructure. In 2014, ECBdisclosed that an unknown attacker or attackers had breached another of the Bank’s website used for registrations for events of the Bank such as conferences and visits.
The 2014 website attack, the Bank said, led to the theft of email addresses and other contact data left by individuals registering for events at the ECB. This 2014 attack in one of the Bank’s website was only known after an anonymous email was sent to the Bank asking for financial compensation in exchange for the data stolen.
In the latest attack on one of its websites, ECB said the attackers “succeeded in injecting malware onto the external server to aid phishing activities”. In the 2014 attack, ECB said the malicious actor or actors attacked a “database serving its public website”. Beyond those phrases, not much is known in the “injection” and “database” attacks.
The Open Web Application Security Project (OWASP)lists injection attacks as the number one threat to web security. Injection attacks refer to a broad attack paths that allow attackers to gain access to the database records of vulnerable websites. In certain cases, this type of attack allows attackers to gain administrative rights to a database.
One example of an injection attack is the SQL injection, also known as SQLI, attack. SQL, which stands for Structured Query Language, is a programming language understood by databases. By inserting malicious commands from this programming language into input fields on websites such as input forms, attackers can gain access to the database records of vulnerable websites, resulting in the unauthorized access of any data available in the database.
In late 2007 and early 2008, thousands of websites were defaced as a result of SQL injection attacks. According to researchers at Microsoft, These particular SQL injection attacks didn’t exploit vulnerabilities in Windows, IIS, SQL Server, or other infrastructure code; rather, it exploited vulnerabilities in custom web applications running on this infrastructure. Thousands of websites were affected due to 2 factors: first, there was an automated tool to launch this attack, and second, this SQL attack tool spread through the use of a botnet.
SANSreported that thousands of websites were compromised in late 2007 and early 2008 as the attacker or attackers used an automated tool in search engines to find vulnerable web applications and exploiting them. “The exploit just consisted of an SQL statement that tried to inject a script tag into every HTML page on the web site,” SANS reported. SecureWorks, meanwhile, reported that the automated SQL attack tool, spread to thousands of websites as the attackers relied on a botnet – a group of computers or devices infected by the same malware and controlled by an attacker for malicious purposes such as in this case the spread of SQL attack tool.
Other than using SQL injection to attack indiscriminate websites using an automated tool and a botnet, SQL injection has also been used by attackers in targeted attacks. According to the U.S. Federal Bureau of Investigation (FBI), a malicious group obtained confidential information from Sony Pictures’ computer systems on May 27, 2011 to June 2, 2011 using an SQL injection attack against Sony Pictures’ website.
According to the UK's Information Commissioner's Office, SQL injection was also used in the TalkTalk cyber attack on the company’s website. As a result of the SQL injection attack on TalkTalk’s website, personal details of 156,959 customers, including their names, addresses, dates of birth, phone numbers and email addresses were stolen. The attacker also stole the bank account number and sort code of 15,656 TalkTalk’s customers.
As shown in above-mentioned examples, injection attacks on websites are highly detrimental to the affected organizations. Loss of customer trust is one potential cost of an SQL injection attack should personally identifiable information such as full names, addresses and credit card details be stolen.
One of the cyber security measures, in order to prevent injection attacks such as SQL injection attacks, is through the use of a web application firewall (WAF). A WAF is often used to filter out injection attacks such as SQL injection attacks. In filtering out SQL injection attacks, a WAF uses a list that contains signatures to address specific attack vectors. This WAF is regularly updated to provide new filtering rules for newly discovered security vulnerabilities.
At The Driz Group, we specialize in protecting your websites and web applications with instant attack mitigation and a guaranteed DDoS protection. We support all deployment types including Cloud and on-premise. Setup take several minutes and there is nothing to buy, support, or maintain.
Connect with ustoday for a free consultation and protect your websites, web applications, online reputation and mission critical data.
What Are the Biggest Mobile Cybersecurity Threats Every Business Must Know?
How many times a day do you Google something on your smartphone?
It’s second nature now. Any questions you have, any movie stars you want to look up, any local restaurants you want to check out — just grab your phone and ask.
And with more than half of worldwide internet traffic originating from phones, the popularity of mobile search shows no sign of slowing down. Particularly for businesses.
The ease, speed and convenience of mobile internet means employees can access work documents, data and software at any time. But accessing business accounts and data via your mobile device opens you up to cybersecurity threats, just like browsing on a computer.
So, what are the biggest mobile cybersecurity threats every business must know?
Malware Lurking in Websites and Apps
It’s easy to assume malware is a risk to employees going online via their desktop or laptop computers, not mobile devices.
But that’s just not the case. Malware can infect a smartphone just as it would bigger hardware and cause serious problems.
Mobile malware typically attacks smartphones through web pages, attachments or apps primed to unleash infections. Clicking a link in an email, downloading a program or installing an app could put your business’s data in danger within seconds.
It’s a simple mistake to make, especially for non-tech-savvy employees.
Infected apps may access your smartphone’s data storage, memory, internal processes and other apps. It may even run in the background without being noticed by the user, gathering information and sharing it with whoever created it.
Hands-on Device Theft
One of the most obvious and damaging cybersecurity risks is theft.
And we mean physical theft: having a phone or tablet stolen by a mugger or opportunistic criminal.
It’s not hard to imagine how this might happen. An employee is out enjoying the sunshine on their lunch break, maybe sitting in the park or outside a cafe. They put their phone down for a moment to grab a drink or open their bag.
When they look back up, the phone is gone.
This takes just seconds but can have devastating results. A hacker would be able to bypass a pin or password and get into the owner’s accounts with ease. They could access your business’s emails, banking and communications in next to no time.
Scary, isn’t it? That’s why it’s so vital that all employees take good care of their company and personal phones. Any device with data relating to the business should be secured with a pin or password, as well as the additional security measures (such as facial recognition and fingerprint scanning).
Encourage all staff to stay vigilant and be aware. If their phone is stolen, they have to admit it fast: the sooner they raise the alarm, the sooner action can be taken to protect data in the cloud.
Unsecured Wi-Fi Networks
Free, public Wi-Fi is great. Employees can take their phone or tablet to the local coffee shop and do a little work outside the office for a change of scenery. The Wi-Fi is thrown in free when you buy a drink or snack so there’s no reason to lose momentum.
But free Wi-Fi networks tend to be unsecured. And that makes anyone using them vulnerable to cybersecurity risks. Any social media interactions, emails,writing, calls and more may be available to hackers.
This is why employees must be careful when accessing Wi-Fi networks beyond their own or your business’s. If they need to wait until they’re back in the office to finish a task or make a call, a slight delay is far better than the alternative.
And this leads us nicely on to …
The Threat of Network Spoofing
Free, public Wi-Fi networks may pose a threat, but network spoofing is much more dangerous.
This involves hackers creating fake access points designed to look like legitimate Wi-Fi connections. You might see them appear on a list of Wi-Fi networks when you visit a coffee shop, bar, airport etc.
Cybercriminals give their fake networks believable names (‘Coffee Place’, ‘Airport Open Wi-Fit’ etc.) to entice oblivious users. They might ask you to set-up an account before giving you access or just let you dive right in.
One big hazard is that employees might use their standard username and password to create accounts with fake networks. And that means cybercriminals would be able to get into emails, banking accounts and anything else protected by the same details.
The entire business’s and clients’ data could be in danger because of a simple mistake.
Taking Action to Minimize Your Business’s Vulnerability
Every company wants to be safe against cybersecurity risks. Every company wants to trust its employees to handle accounts and data in a responsible way.
But it’s not so simple.
Cybercriminals use ever-more-sophisticated techniques and tools to target businesses. Employees need to be made aware of the threats they face when they’re online across all devices.
Effective training is key to help your workforce exercise caution and stay vigilant whenever they’re working or communicating on their smartphone or tablet. And make sure any company phones you hand out have been checked and utilize strict security safeguards to keep them protected.
Don’t try to handle all of your cybersecurity in-house either, especially if your business is brand new and you have little to no experience with managing data. Clients expect you to keep their information confidential and safe against leaks — if you don’t, your reputation could take a serious hit.
Work with cybersecurity specialists to assess your vulnerability and take action to defend your data. The Driz Group’s experts are here to:
Want to learn more about our managed services and how they help companies just like yours every single day? Just get in touch with our dedicated teamright now!
Decade-Old Vulnerability Found in Avaya VoIP Phones
Researchers at McAfee Advanced Threat Research have discovered a decade-old security vulnerability lurking in the Voice over Internet Protocol (VoIP) phones of Avaya, the world’s second largest VOIP phone provider.
The decade-old vulnerability present in Avaya VOIP phones, specifically 9600 Series, J100 Series and B189 Series using the H.323 firmware, according to researchers at McAfee Advanced Threat Researchallows remote code execution (RCE) – enabling an attacker to access someone else's device and make changes to it, regardless of where this device is geographically located.
The RCE vulnerability in a piece of open-source software that Avaya used, the researchers said, was likely copied and modified 10 years ago and the company failed to apply subsequent security patches. The researchers added that a malicious actor exploiting the said vulnerability could take over the normal operation of the phone, copy audio from speakerphone and “bug” the phone.
The piece of open-source software that Avaya copied bore the 2004-2007 copyright, which according to the researchers is a “big red flag” as this piece of software has an exploit that has been publicly available since 2009. The 2009 exploit demonstrated that devices using DHCP client version 4.1 and below allows remote DHCP servers to execute arbitrary code. A DHCP client, also known as dhclient, is a device that needs an IP address; while DHCP server hands out an IP address to the dhclient.
Researchers at McAfee Advanced Threat Research found that Avaya VOIP phone’s version of dhclient is vulnerable to the exploit reported in 2009. The researchers said that malicious actors could build a “weaponized version” of the exploit and threaten private networks.
The researchers reported their discovery to Avaya. In June this year, Avayaissued a patch for the affected VOIP phones.
VOIP Phones as Path to Intrusion
Early this month, researchers at Microsoft Threat Intelligence Center reported that VoIP phone is one of the devices being used by a known cyber adversary to gain initial access to corporate networks. Aside from VoIP phone, the researchers said, popular office IoT devices printer and video decoder, are also being used by this known cyber adversary in gaining an initial foothold into corporate networks.
Researchers at Microsoft Threat Intelligence Center, however, didn’t specify the brands of VOIP phone, office printer and video decoder. These office devices, according to the researchers, were compromised either as these devices were deployed without changing the default manufacturer’s login details or the latest security update hadn’t been applied.
According to Microsoft Threat Intelligence Center researchers, the known cyber adversary used these 3 popular office IoT devices as points of ingress in gaining initial foothold to a corporate network. Once inside a corporate network via these compromised IoT devices, the attacker was seen conducting a simple network scan to look for other vulnerable devices.
As the attacker moved from one vulnerable device to another, a simple shell script was dropped to establish persistence on the network. This simple shell script allowed the attacker to search for higher-privileged accounts that would grant access to higher-value data, the researchers at Microsoft Threat Intelligence Center found.
Aside from using popular office IoT devices as points of ingress in accessing high-value data, these compromised devices are also used to build a botnet – referring to a group of devices infected with a malicious software (malware) and controlled by an attacker or attackers for malicious activities, including distributed denial-of-service (DDoS) attacks. In a DDoS attack, a botnet or group of infected devices is controlled to direct their traffic to a target, overwhelming this target with too much traffic that the target can’t handle, ultimately bringing the target offline and rendering the target inaccessible to its legitimate customers.
VPNFilter is an example of a botnet. At its peak, VPNFilter infected at least 500,000 networking devices in at least 54 countries. The following are devices affected by VPNFilter: Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well at QNAP network-attached storage (NAS) devices.
According to researchers at Cisco, VPNFilter has a self-destruct capability that can be triggered en masse via the botnet structure and has the potential of cutting off internet access for hundreds of thousands of users worldwide. The researchers are unsure why so many devices were infected with VPNFilter. Most of the infected devices, however, have known public exploits or default manufacturer’s login details hadn’t been changed.
In May 2018, the potential negative effect of VPNFilter was mitigated when the U.S. Federal Bureau of Investigation (FBI)seized a domain used as command and control (C2) by the threat group in their botnet campaign. In a botnet operation, C2 (could be a website or a public cloud account) is used to communicate or control the infected devices.
The devastating effect of a botnet was shown to the world when the Mirai botnet attacked in 2016 Dyn, a major dynamic DNS provider, resulting in the widespread internet outages across the U.S. and Europe. The earlier versions of the Mirai, including the one that attacked Dyn, infected hundreds of thousands of wireless cameras and routers and turned them as botnets. Since the publication of the source code of the Mirai in 2016, a number of Mirai versions has been observed in the wild.
Researchers at Palo Alto Networks discovered a different version of the Mirai which targeted WePresent WiPG-1000 Wireless Presentation systems and LG Supersign TVs – IoT devices that are often used by businesses. Many of the Mirai variants infect IoT devices by exploiting the practice of users of not changing the default manufacturer’s login details.
Today’s IoT devices outnumber the combined number of personal computers and mobile phones. Hundreds of thousands, if not, millions of these IoT devices are, however, left without basic management.
Changing the default manufacturer’s login details and applying the latest security update are two cyber security best practices in preventing malicious actors from accessing your organization’s network. These practices also stop your organization’s IoT devices from being used as part a botnet for malicious activities such as DDoS attacks.
Capital One Data Breach Aftermath: 3 Cyber Threats that Every Organization Should be Mindful
The data breach at Capital One Financial Corporation, the data breach that affected approximately 100 million individuals in the U.S. and approximately 6 million in Canada, throws light into 3 cyber threats that every organization using the public cloud should be mindful: account takeover attack, attack on misconfigured web application firewall (WAF) and Server-Side Request Forgery (SSRF) attack.
Large enterprises like Capital One build their own web applications on top of Amazon’s cloud services to answer to their specific needs. Amazon told the New York Timesit had found no evidence of compromise on its underlying cloud services. The company added that its customers fully control the web applications that they built.
Last July 29th, the U.S. Department of Justicearrested a Seattle resident for the intrusion on the stored data of Capital One. The arrest of the Seattle resident came as an offshoot of an email sent to the official email for responsible disclosure of Capital One. The tipster wrote that someone’s GitHub account was exposing data which appeared to belong to Capital One.
In the indictment document, Joel Martini, Special Agent at the U.S. Federal Bureau of Investigation (FBI) stated that the exposed data was verified to belong to Capital One and the GitHub account was traced to belong to the accused Seattle resident, who goes with the handle “erratic” in her Twitter and Slack accounts. A review of June 26, 2019 Slack postings, FBI Special Agent Martini said, showed that Erratic claimed to be in possession of files belonging to several companies, government entities and educational institutions, and one of these files was associated with Capital One.
Capital One, in a statement, said that it had fixed the “configuration vulnerability” that was exploited in the data breach. Publicly-available data and new information, however, show that more than one cyber threats were exploited in the Capital One data breach.
1. Account Takeover
Account takeover refers to the access of someone else’s online account for malicious purposes. In the indictment, FBI Special Agent Martini stated that the file that was publicly exposed by Erratic in her GitHub account contained a list of more than 700 folders and code for three commands.
The first command, when executed, provides login details to an account that enabled access to certain storage space of Capital One at Amazon cloud service. The said account, which had the necessary permissions, was used to extract or copy Capital One’s data. The indictment didn’t mention how the accused got hold of the login details of the account used to access Capital One’s data.
2. Misconfigured Web Application Firewall (WAF)
Web application firewall (WAF) filters, monitors and blocks traffic between a web application and the internet. A properly configured WAF blacklists and/or whitelists traffic to and from a web application.
A WAF that operates based on a blacklist, also known as negative security model, blocks traffic that doesn’t meet the predetermined qualifications. A WAF that operates on a whitelist, also known as positive security model, grants entry only to traffic that has been pre-approved. Many of today’s WAF implements both negative security model and positive security model. A typical WAF also protects web applications from attacks such as SQL injection and other common attacks against web applications.
In the indictment document, FBI Special Agent Martini stated that the data breach at Capital One was a result of a misconfigured WAF. Capital One’s logs show a number of connections or attempted connections from IP addresses beginning with 46.246. Specifically, on or about March 12, 2019, Capital One’s logs show IP address beginning in 46.246 attempted to access Capital One’s cloud data. Publicly-available records show that this IP address is controlled by a company that provides VPN services.
Capital One’s logs also show IP addresses believed to be TOR exit nodes accessed Capital One’s cloud data on or about March 22, 2019. A properly configured WAF could have blacklisted IP addresses such as those belonging to the known VPN company. Conversely, a properly configured WAF could have whitelisted only IP address or addresses used by authorized personnel of Capital One. Malicious actors, however, are continually finding creative means in breaking into web applications that are shielded by properly configured WAFs.
3. Server Side Request Forgery (SSRF) Vulnerability
New information has recently been made public about the Capital One data breach. Based on new data, including information from one who is privy to details about the ongoing Capital One breach investigation, during the attack period, Capital One used ModSecurity, an open-source WAF that’s deployed along with the open-source Apache Web server.
The new report said that the Server Side Request Forgery (SSRF) vulnerability was exploited in the Capital One data breach. While ModSecurity protects web applications against many common attack categories, it doesn't protect against SSRF.
MITREdescribes SSRF in this manner: “The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. By providing URLs to unexpected hosts or ports, attackers can make it appear that the server is sending the request, possibly bypassing access controls such as firewalls that prevent the attackers from accessing the URLs directly.”
In the case of the Capital One data breach, one can’t say which of the attack methods – account takeover attack, attack on misconfigured WAF or Server-Side Request Forgery (SSRF) attack – played the biggest role in the data breach. These 3 types of threats have their own specific preventive and mitigating measures that every organization using the public cloud should be mindful.
When you need to safeguard your cloud applications, our web application security expert will design the right sized solution and will mitigate common risks within minutes. Contact ustoday and avoid a major breach.
How to Prevent Account Takeover Attacks
Account takeover attacks – accessing someone else’s online account for malicious purposes – continue to be one of the fastest-growing security threats faced by organizations today.
Account takeover happens as a result of inadvertently exposing account login details or through malicious account takeover via botnets. The account takeover of an account owned by SSL certificate issuer Comodo is an example of account takeover as a result of inadvertently exposing account login details.
Netherlands-based security researcher Jelle Ursem told TechCrunchthat Comodo’s email address and password were inadvertently left exposed in a public GitHub repository owned by a Comodo software developer. This enabled Ursem to login to Comodo’s Microsoft-hosted cloud services containing sensitive information of the company. The said account wasn’t protected with two-factor authentication. Ursem said he contacted Comodo about the exposed account.
When contacted by TechCrunch, Comodo said, “The data accessed was not manipulated in any way and within hours of being notified by the researcher, the account was locked down.” Ursem, however, told TechCrunch, “This account has already been hacked by somebody else, who has been sending out spam.”
Account Takeover Botnets
While many malicious actors are opportunistic, that is, while many abused inadvertently exposed account login details, many just don’t wait for these opportunities to come. Many of today’s malicious actors are aggressively taking over accounts through botnets.
In the Sixth Annual Fraud Attack Index, Forter found that there had been a 45% increase in account takeover attacks by the end of 2018 compared to the beginning of 2017. One of the means by which malicious actors perpetuated account takeover attacks is thorough bots, Forter found.
“Fraudsters often try to hide their activities behind these devices [bots], flying under the radar of detection for most legacy fraud prevention systems, which are simply not equipped with sophisticated enough technology to pick up on the nuances of these behavioural indicators and the personas hiding behind them,” Forter said.
Botnet, also known as bot, refers to a group of computers infected with malicious software (malware) that allows an attacker to control this group of infected computers as one army for malicious activities. Many of these botnets have been used by attackers as an army for distributed denial-of-service (DDoS) attacks and illicit cryptocurrency mining. Malicious actors are increasingly using these botnets for account takeover attacks.
An account takeover botnet works by installing a credential cracking malware on compromised computers. These infected computers are then controlled by an attacker or attackers to login into an account of banking site, social network or email. Once the correct username and password combination is cracked, the account taken over is then used by attackers to steal money (in case of a banking site), steal confidential information such as credit card information, or purchase goods and services.
Between April 7th to April 22nd this year, Impervaobserved the account takeover attacks carried out by a botnet, composed of an enslaved army of 2,500 infected computers – with a corresponding 2,500 IPs overall – that attacked more than 300 sites while active. Each day during the attack period, 800 IPs were actively attacking 30 sites with 150,000 login attempts, Imperva found.
From the victim site perspective, each site was attacked for 7 hours by 500 IPs sending 7,000 login attempts with 7,000 different login details (usernames and passwords); and from a single site perspective, each botnet-controlled IP was responsible for approximately 14 login attempts during the attack time, or approximately 2 login attempts per hour, Imperva found.
The above-mentioned method of attack is called a “low and slow” attack – whereby the botnet enslaves a lot of computers, each sending only a small number of requests, to cover-up the attack as legitimate traffic. Distributing the account takeover attacks across many infected computers or IP addresses makes these attacks go without being detected.
The usernames and passwords used in the login attempts for account takeover attacks often come from credential cracking and credential stuffing. In credential cracking, every word in the dictionary is tried to crack the correct username and password combination. In credential stuffing, the attackers exploit users’ tendency to reuse passwords across multiple sites.
Credential stuffing was cited by StubHubas the reason why a “small number” of users’ accounts had been illegally taken over by fraudsters. In the StubHub case, attackers illegally took over 1,000 StubHub users’ accounts and used these compromised accounts to buy thousands of high-value tickets, including tickets to Justin Timberlake and Elton John concerts, Yankees baseball games, U.S. Open tennis matches and Broadway shows. The account takeover attackers then resold these tickets for a profit of more than a million dollars.
Traditional security solutions have proven to be ineffective in “low and slow” account takeover attacks using botnets. By using account takeover botnets, malicious actors spread the attack via thousands of compromised computers or IPs, making them go undetected for a long period of time.
Choosing a strong username and password combination via eliminating the use of dictionary words, using a unique username and password combination for every account and the use of multi-factor authentication are some of the best cyber security practices in preventing account takeover attacks.
Malicious actors, however, are always finding creative ways to crack those unique and strong usernames and passwords and even multi-factor authentication. An automated security solution that monitors abnormal access to these accounts is one of the mitigating measures against account takeover attacks.
When you need help minimizing cybersecurity risks, our team of experts will answer the questions you have and will help you protect your data. Contact ustoday.
The Importance of Facing Up to Cybersecurity Risks
A cybersecurity emergency has been declared across Louisiana, USA, after three public school districts were struck by a malware attack.
The cybersecurity danger hit Sabine, Morehouse and Ouachita, in North Louisiana, causing widespread concern. The Governor’s Office of Homeland Security and Emergency Preparedness put its crisis action team into motion quickly to handle the attack.
Sabine School District issued a statement, addressing the nature of the cybersecurity breach and their actions to fix it:
“The Sabine Parish School System was hit with an electronic virus [...[ this virus has disabled some of our technology systems and our central office phone system.”
According to the principal of Sabine Parish’s Florien High School, a ransomware virus had infiltrated their system and caused disruptions. The alarm was raised when the school’s technology supervisor noticed ‘unusually high bandwidth usage’.
Fortunately, Jones believes no sensitive information has been exposed during the attack, though everything stored on the School District’s servers was lost. This amounts to documents from across 17 years of Jones’s hard work, including schedules, speeches and more.
Taking Action, Addressing Issues Fast
While this is certainly a challenging situation for the three school districts, it appears the end result is nowhere near as terrible as it could have been. It’s clear everyone involved took decisive action when the suspicious activity was noticed, and the proper authorities were informed.
Plans for future protection and security measures are, apparently, being devised by state officials (in coordination with the FBI). But this case indicates just how important it is to face up to cybersecurity risks and take proper action to minimize the threat to systems.
Simply hoping hackers will miss or choose to ignore your business, organization, school etc. is simply not enough. Implementing effective defenses is the best way to safeguard your critical data, client information and financial details.
If any of these, and other types of vital data, become exposed by nefarious individuals, the clean-up could be a long, time-consuming, difficult process. The worst thing you can do in the event of a breach is sweep it under the carpet and try to contain any damage without raising the alarm.
Those involved in the Louisiana case alerted the proper parties and are dealing with the situation as best they can.
Yes, acknowledging that a cybersecurity attack took place does have the potential to affect your reputation and the trust people place in you. Yet it’s far better to be transparent and admit your cybersecurity measures may not have been quite as efficient as they should be than to lie.
The Problem of Ransomware and Preparing Your Team
Ransomware is, as our regular readers may know, a common choice of cyberattack for hackers. The Louisiana case is just one example of many.
The first ransomware was distributed by a biologist (Dr. Joseph Popp) in 1991: he sent floppy disks containing PC Cyborg Trojanto researchers, in an attempt to extort money.
Ransomware has come a long way since then, but while it has evolved in various ways, the aim remains the same.
Other notorious ransomware attacks include WannaCry, which was detected more than 250,000 times across 116 countries in 2017. This was designed to take advantage of a simple software defect, encrypting hard drive files to make them inaccessible — with the attackers only unlocking them after a bitcoin payment had been made.
The issue is, of course, that agreeing to pay a ransom doesn’t actually guarantee the people responsible will stick to their end of the deal. After all, why should they? If they’re willing to disrupt your daily processes, cost you money, damage your reputation and more, there’s no reason to believe they will do as they promise.
Prevention is, as the saying goes, better than cure. And that means taking steps to prepare your team for potential cybersecurity threats in their day-to-day work.
How can you do this?
Taking Steps to Protect Your System
Implementing security measures and processes to protect your system against breaches can be daunting, especially if you have no experience or real knowledge of this area.
It’s essential that you embrace the most cutting-edge cybersecurity software available and consult with experts. Professionals specializing in security measures and reinforcing systems will be able to identify the biggest dangers you face, how to defend against them and advise your team to be more vigilant.
In terms of training your staff, there are certain things you can try.
Raise cybersecurity issues and trends in regular meetings
Keep your employees updated on the latest cybersecurity hazards and techniques: make sure they understand what suspicious activities they should be aware of when responding to emails, downloading software or visiting websites.
Try to cultivate a more vigilant workforce and boost recognition of effective ‘safety first’ procedures. Get them into the habit of questioning links, emails and other potentially-infected elements when they’re not sure how safe they are.
Find time in a day to run a test exercise for your team. Act as if a cybersecurity attack has struck your system and have staff go through the motions of responding appropriately.
Do they know what to do if they spot the warning signs of an impending threat? Can they work as a cohesive team even when they’re not completely sure what’s happening? Work to make the answer to both a firm ‘yes’.
Everyone should know what role they have in the event of a cybersecurity breach. Perhaps they’re required to do nothing but sit tight and wait for business to resume as normal. Maybe they have to take an active part in informing clients of the situation or coordinating with security experts.
Having a formal plan means everyone involved can leap into action in the event of a crisis, saving valuable time and minimizing further disruption.
Knowing how to handle cybersecurity risks and attacks is fundamental for any business, organization or institution today. If you want to know more about protecting your system and taking effective action,contact our specialistsnow!
Mirai Malware Variants Increasingly Targeting Enterprise IoT Devices
Malware variants that evolved from the original Mirai malware are increasingly targeting enterprise IoT devices, putting at risk enterprise networks from being exploited for nefarious activities such as distributed denial-of-service (DDoS) attacks and illicit cryptocurrency mining, as well as putting at risk enterprise cloud architecture from additional malware and further compromise.
Tracking the Mirai
The original Mirai malware was created by Paras Jha, Josiah White and Dalton Norman. The 3 creators of the Mirai malware in due course were arrested and sentenced by U.S. authorities. Prior to their arrest and sentencing, the source code of the Mirai malware was publicly released. The publication of the source code propelled the creation of multiple versions of Mirai to propagate in the wild.
Mirai was first observed in the wild in 2016. The Mirai malware gained notoriety when the malware was used by the still unidentified attacker or attackers in launching a distributed denial-of-service (DDoS) attack on Dyn DNS, amajor dynamic DNS provider, which resulted in the widespread internet outages across the U.S. and Europe2016.
According to the IBM X-Force researchers, since 2016, there have been 63 Mirai variants observed in the wild. The researchers said that the multiple variants of Mirai have been used to perform nefarious activities such as DDoS attacks and illicit cryptocurrency mining.
In a DDoS attack, attackers overwhelm a target, such as a website or in the case of Dyn DNS, adynamic DNS provider, with voluminous traffic, bringing the target offline and rendering it inaccessible to legitimate users. Illicit cryptocurrency mining, meanwhile, refers to the use of the computing power without the knowledge and consent of the computer owner.
The Mirai malware variants are able to perform DDoS attacks and illicit cryptocurrency mining by infecting computers with security vulnerabilities and enslaving these infected computers to form as an army, also known as botnet, and perform activities such as DDoS or cryptocurrency or other activities according to the whim of the attacker controlling the botnet. The Mirai malware is a powerful tool for malicious actors as this malware allows them to automate the process of downloading any number of malware onto a large number of IoT devices.
Owners of IoT devices typically don’t consider these devices as computers. These devices are often installed and then forgotten. Unlike other computers such as desktops or laptops, IoT devices aren’t monitored for irregular behaviour, nor updated or their login details changed.
The original malware created by Jha, White and Norman infected hundreds of thousands of IoT devices, such as routers and security cameras and controlled these infected devices to form an army or a botnet to perform illegal activities such as DDoS attacks. The creators of the original malware were able to infect hundreds of thousands of IoT devices knowing that many IoT owners don’t bother to change the factory default logins details of these devices. The original Mirai uses 61 factory default login details in infecting IoT devices.
Enterprise IoT Devices at Risk
IBM X-Force researchers, which have been tracking Mirai campaigns since 2016, said that the Mirai variants’ tactics, techniques and procedures (TTPs) are now targeting enterprise IoT devices.
“Nowadays, enterprise IoT devices are everywhere, from instruments that monitor patients in hospitals, to wireless devices in smart meters that relay information to utility companies, to robots in warehouses that constantly deliver inventory information,” IBM X-Force researchers said. “Enterprises are increasingly dependent on IoT devices to run day-to-day operations, and attackers are well-aware of the growing attack surface.”
“As IoT devices become more common among households and large organizations, Mirai and its variants will continue to evolve to adapt to the changing environments and targets of its choice,” IBM X-Force researchers added.
The researchers observed that creators of the Mirai malware variants were dropping additional malware onto the infected devices, with cryptocurrency malware leading the way. Cryptocurrency malware, which steals the computing power of infected IoT devices to generate money for the attackers, are harmful to IoT devices as these devices are prone to overheating as these devices have little computing power compared to desktop or laptop computers with central processing unit (CPU) or graphics processing unit (GPU) resources. IBM X-Force researchers also observed that creators of Mirai malware variants were dropping steganography, which hides malicious code in images that trigger the download of additional malware.
The researchers also said that the Mirai malware variants pose a threat to cloud computing as IoT devices infected with Miral malware variants that are connected to cloud architecture could allow attackers to gain access to cloud servers. Once these malicious actors gain access to cloud servers, they could drop additional malware, the IBM X-Force researchers said.
In early 2009, researchers at Palo Alto Networks' Unit 42discovered a variant of the Mirai malware targeting WePresent WiPG-1000 Wireless Presentation systems and LG Supersign TVs–IoT devices used by businesses. Targeting IoT devices used by businesses, according to researchers at Palo Alto Networks' Unit 42, gives attackers a large attack surface as IoT devices used by businesses have larger bandwidth, giving the attackers greater firepower for attacks such as DDoS attacks.
As malicious actors are increasingly targeting enterprises IoT devices, it’s important to change the factory default usernames and passwords of these devices and to install the latest security update. If the IoT vendor no longer issues security updates or it isn’t possible to install security updates on these devices, it’s best to remove these devices from your organization’s network.
Get in touchwith our experts for additional threat information and to help you mitigate cybersecurity risks.
Disturbing Trend: More and More Ransomware Attack Victims Are Paying Ransom
UK's largest police forensics lab Eurofins reportedly paid ransom to ransomware attackers. The company joins the growing list of organizations that paid ransom to ransomware attackers.
The BBCrecently reported that Eurofins, UK's largest police forensics lab, paid an undisclosed amount to attackers after its computers were crippled by a ransomware attack. Eurofins Scientific, which has about 45,000 staff in more than 800 laboratories across 47 countries, is one of the global independent market leaders in testing and laboratory services for forensics. Eurofins Forensics Services, Eurofins Scientific's Forensics subsidiary which is based in the UK, is one of the primary forensic services providers to the UK police.
Last June 3, Eurofins Scientificdisclosed that during the first weekend of June 2019 (1stand 2ndJune) it fell victim to ransomware attack which caused disruption to many of its IT systems in several countries. The company said, in a statement, that from June 4th, it was able to “resume full or partial operations for a number of impacted companies and continue to do so every day”. As of June 17th, the company said, the vast majority of affected laboratories’ operations had been restored.
The ransomware involved, Eurofins Scientific said, appears to be a new ransomware variant which was “initially non-detectable by the anti-malware screen of our leading global IT security services provider at the time of the attack and required an updated version made available only hours into the attack”.
In a ransomware attack, a malicious actor or actors lock out legitimate users of IT systems or computer files through encryption (the process of converting plain texts to codes so that only people with access to a secret key, also known as decryption key, can access it). Ransomware attackers demand from their victims to pay ransom in exchange for the decryption keys that would unlock the encrypted IT systems or computer files.
Growing List of Ransomware Victims Paying Ransom
Eurofins Scientific joins the growing list of ransomware victims paying ransom. Two cities in Florida, U.S. and 2 towns in Ontario, Canada publicly admitted that they paid ransom to ransomware attackers.
Last June 17th, the City Council of the City of Riviera Beach, Florida unanimously approved the payment of ransom to ransomware attackers. A total of 65 bitcoins was paid to the ransomware attackers, equivalent to approximately $600,000 at the time of the ransom payment approval.
A few days after the ransom payment approval of the City Council of Riviera Beach City, another city in the Florida state Lake City paid its own ransomware attackers ransom. Lake City Mayor Stephen Witt told a local mediathat Lake City will pay cyber attackers USD $460,000 to get its computer system back. “I would’ve never dreamed this could’ve happened, especially in a small town like this,” the Lake City Mayor said.
Two towns in Ontario, Canada, the Town of Wasaga Beach and Town of Midland, have also publicly admitted that they paid ransom to ransomware attackers. Jocelyn Lee, Director of Finance and Treasurer of the Town of Wasaga Beach, reported to the City Council of Wasaga Beach that on April 30, 2018 the Town’s computer system was infected with a malicious software (malware) that left all of the Town’s data locked. Lee said the Town ended up paying the ransomware attackers 3 bitcoins, equivalent to $34,950 Canadian at the time of the ransom payment.
The Town of Midland, Ontario, meanwhile, in a statement said that on September 1, 2018, the Town's network was infected with ransomware. The Town said that it paid an undisclosed amount to the ransomware attackers in exchange for the decryption keys. In paying the ransom, the Town of Midland said, “Although not ideal, it is in our best interest to bring the system back online as quickly as possible.”
To date, South Korean web hosting company Nayanaholds the record of paying the most expensive ransom, totaling 397.6 bitcoins, valued USD$1.01 million at the time of the ransom payment.
Prevention & How to Recover from Ransomware Attacks
All ransomware victims that decided to pay ransom have one thing in common: They all failed to conduct regular back-up of their critical data. Organizations that diligently conduct regular back-up of critical data, in time of crisis, such as ransomware attack, can simply ignore the attackers’ ransom demand.
Paying the ransom also doesn’t guarantee that attackers will hand over the correct decryption keys that will unlock encrypted IT systems or computer files. Paying the ransom could instead encourage the attackers to launch another ransomware attack or the attackers could increase their ransom payment demand, knowing that organizations will likely consider paying the amount.
While conducting regular back-up of critical data is important, implementing cybersecurity measures that prevent ransomware attacks are equally important as well. The UK's National Cyber Security Centre (NCSC)recently issued a Ryuk Ransomware Advisory. Ryuk is a particular type of ransomware that was first observed in the wild in August 2018. It has since been responsible for multiple attacks worldwide. This ransomware, in particular, targets its victims and ransom payment is set based on the target’s perceived ability to pay.
NCSC recommends the following measures in order to prevent ransomware attacks, in particular, Ryuk ransomware attacks:
You don’t need to face cybercriminals alone. When you need help, our team of professionals is ready to assist and help you mitigate risks, recover, and proactively secure your data. Contact ustoday and stay safe.
Why Organizations Need To Secure Microsoft Office Settings
The latest discovery of a flaw in Microsoft Excel by researchers at Mimecast shows the importance of securing your organization’s Microsoft Office settings.
Researchers at recently released a proof of concept demonstrating that a flaw in Microsoft Excel could allow a malicious actor to access someone else's computer and launch a cyber-attack, no matter where this computer is located. Mimecast researchers said that Power Query, a feature in Excel that lets users integrate their spreadsheets with other data sources, such as an external database or a web page, could allow attackers to “embed malicious content in a separate data source, and then load the content into the spreadsheet when it is opened”. Mimecast researchers added, “The malicious code could be used to drop and execute malware that can compromise the user’s machine.”
According to Mimecast researchers, Power Query is a powerful tool within Microsoft Excel that if exploited, can be used to launch . In a DDE attack, a malicious actor exploits DDE – a protocol in Windows which was first introduced in 1987 and currently used by thousands of applications such as Microsoft Excel.
The researchers added that attacks that exploit Power Query are hard to detect by anti-virus or anti-malware security solutions. “Using the potential weakness in Power Query, attackers could potentially embed any malicious payload that as designed won’t be saved inside the document itself but downloaded from the web when the document is opened,” the researchers said.
Dynamic Data Exchange (DDE) Attacks
Researchers have known about DDE vulnerabilitysince 2014, finding that “by specifying some creative arguments and a magic number, it’s possible to craft a ‘link’ that hijacks the computer of whoever opens the document”.
In May 2016, researchers at SensePostdemonstrated that DDE attack can be done in Microsoft Excel. In October 2017, researchers at SensePost demonstrated that DDE attack can be done in Microsoft Word.
In November 2017, reported that the threat Group known as “APT28” slipped a malware into a malicious Word document with a subject heading that cites of a then-recent terrorist attack in New York City. McAfee said this Word document leveraged the Microsoft Office Dynamic Data Exchange (DDE) attack technique.
According to McAfee, the malicious Word document itself is blank and once the document is opened, the document contacts a control server that drops the malware called “Seduploader” onto a victim’s computer. Seduploader is a first-stage malware deployed for the purpose of conducting reconnaissance on a network before dropping a second-stage malware.
To successfully launch a DDE attack, McAfee said, an attacker only needs to convince a user to click through a few dialogs, which would evade the latest macro-based document mitigations. “DDE can be used to launch scripts and executables from the command line by inserting the DDE field in the Office document,” McAfee said.
In an email attack scenario, Microsoft, for its part, said that an attacker could exploit the DDE protocol by sending a specially crafted attached file to the user and then convincing the user to open the attached file. “The attacker would have to convince the user to disable Protected Mode and click through one or more additional prompts,” Microsoft said.
How to Mitigate Microsoft Office Settings Risk
Microsoft, in a statement to Threatpost, said that the proof of concept of the Mimecast researchers was reviewed but in order for the concept to work, a victim “would need to be socially engineered to bypass multiple security prompts prior to loading external data or executing a command from a DDE formula”. Because of this finding, Microsoft didn’t release a patch for this security vulnerability.
Microsoft issued the following mitigating measures in order to protect your organization from DDE attacks:
1. Keep Your Microsoft Office Up-to-Date
The December 12, 2017 security updatein Microsoft’s Office disables the Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word.
2. Disable DDE Protocol in Microsoft Excel
Microsoft, however, hasn’t disabled DDE in Microsoft Excel. In the security advisory "Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields", Microsoft noted that Excel, in particular, depends on the DDE feature to launch documents. "Disabling this feature could prevent Excel spreadsheets from updating dynamically if disabled in the registry,” Microsoft said. “Data might not be completely up-to-date because it is no longer being updated automatically via live feed. To update the worksheet, the user must start the feed manually. In addition, the user will not receive prompts to remind them to manually update the worksheet.”
As early as 2007, Raymond Chen, who has been involved in the evolution of Windowsfor decades, said that "there is no technological reason for you to use DDE”. Chen, however, said that even if there’s no technological reason for you to use DDE, “you still have to be mindful of whether your actions will interfere with other people who choose to”.
3. Exercise Caution When Opening Suspicious File Attachments
As email attachments are a primary method by DDE attackers to spread malware, Microsoft recommends that users exercise caution when opening suspicious file attachments.
CDW Report Reveals Canadian Businesses Make Cybersecurity Top IT Priority
A new report by CDW Canada reveals almost half of businesses(47 percent) questioned have increased their expenditure on cybersecurity in the past year.
Their responses make for reassuring reading, though there is still some way to go before all of Canada’s businesses have the safeguards they need in place. With so many day-to-day operations performed online and a plethora of sensitive data stored in the cloud, effective cybersecurity should be a priority for every single company.
Other key takeaways from the survey:
That 17 percent of respondents being totally unsure whether a plan has even been drawn up or not is concerning. It’s vital for management teams to recognize the level of vulnerability they may create within their organizations in if they fail to take the appropriate action and protect their infrastructures from threats. While it’s easy to let a hectic schedule and growth overshadow any potential pitfalls, the risk is simply too big to ignore. No business can afford to be complacent or assume they are too small (or successful) to target.
What Do Canadian Businesses Consider the Biggest Cyber Threat?
The CDW report showed 24 percent of businesses questioned view the proliferation of malware a leading concern. Others were data theft (prioritized by 19 percent) and the safety of cloud storage (15 percent). All three risks have the power to cause severe problems for companies of all sizes, in all industries.
It’s good to see businesses aware of key cybersecurity hazards and being able to distinguish between them, but hackers employ increasingly sophisticated tools and tricks to infiltrate businesses’ systems, potentially even lurking undetected for weeks or months. They are able to gather critical information related to their employees, their customers, their operations, their secrets and more. Businesses affected by such covert breaches are left incredibly exposed and may be unable to actually recover if they fail to take action soon enough.
Yet not all cybersecurity dangers come from outside. Businesses must be aware of external and internal threats to their safety (and that of their customers). It may be hard to imagine someone within your organization having the audacity to endanger the security of their colleagues, employers and clients by allowing data to fall into the wrong hands — but, sadly, it does happen.
In recent weeks, Desjardins (North America’s biggest federation of credit unions) revealed that close to 3 million members’ datahad been leaked by an employee, affecting some 170,000+ businesses. Desjardins admitted it’s possible such personal details as full names, dates of birth, social insurance numbers, banking activities and email addresses were shared. It’s believed, though, that PINs, passwords and security questions were not leaked.
Tackling Internal Cybersecurity Threats
That Desjardins’ woes resulted from the actions of an employee demonstrates how vulnerable data may be even when organizations believe their system is well protected. Businesses can invest in the most cutting-edge technology and training to reinforce their safety, but if they aren’t aware of which employees may have a grudge (or simply lack the training to perform duties safely) breaches can still occur.
The Desjardins employee responsible has since been let go, but that’s unlikely to be of much comfort to the people whose sensitive information was shared without permission. This event could have an ongoing impact on Desjardins as a whole: members’ confidence may drop, prompting them to consider alternatives — potentially costing Desjardins in the long run.
Still, it’s incredibly hard for businesses to know exactly which members of their workforce could be planning to leak data or open the system up to cyberattacks, short of monitoring every single phone call, every interaction with colleagues and their every movement on the premises.
But effective training can make a positive impact and encourage a more vigilant, aware, loyal team. Educating staff on the variety of cybersecurity risks the company faces, where they originate and how they can be combated is essential. It’s vital to give them the means to share concerns with management if they believe someone may be planning to reveal sensitive information or share access details with unauthorized parties.
They may find speaking up about the people they work with every day difficult, but it’s in everyone’s best interests. After all, if a breach or attack is damaging enough, employees’ jobs may be at risk.
The Importance of the Right Training
The right training minimizes the threat of accidental cybersecurity problems. Workers may not recognize phishing scams and expose the entire network to threats, or they could download infected software. The list goes on and on. Even the smallest mistake can have lasting ramifications.
With more Canadian companies investing in their cybersecurity measures, it’s fair to assume training will improve too. But it’s not just about training: businesses have to take their security seriously, and that means equipping themselves with the most effective safeguards. A comprehensive vulnerability assessment will identify potential flaws in your system’s security, revealing how prone your company may be to attacks.
The Driz Group offers free vulnerability assessments for businesses of all sizes, helping you start on the journey to a safe, stronger cybersecurity procedure. Our Managed Cyber Security Services provide cloud-based and on-premise protection, reduce the likelihood of a data breach and fill any gaps that may be discovered. This allows you to just sit back, relax and focus on running your business while the experts keep it safe.
Want to learn more about how our Managed Cyber Security Services can help your organization? Have questions? Please don’t hesitate to contact our friendly team of expertstoday!
Steve E. Driz