Real-Life Cases Show Some Types of 2FA Can Be Bypassed
A number of cyber incidents in the past few years have demonstrated that certain types of multi-factor authentication or two-factor authentication (2FA) can easily be bypassed.
What Is Multi-Factor Authentication? What Is 2FA?
Multi-factor authentication is an added layer of security in which a user is required to present two or more pieces of proof in order to be granted access to a computer system or application.
Two-factor authentication (2FA) is the more popular type of multi-factor authentication. In a typical 2FA, in addition to the traditional authentication method of a combination of username and password, a user is required to present one more authentication proof. Examples of these additional authentication proofs include a one-time code that changes over time, biometrics or behavioural information such as IP address, time of day or geolocation.
3 Ways 2FA Authentication Can Be Bypassed
In the past few years, the following 3 methods have been used to bypass or circumvent certain types of 2FA authentication:
1. Sim Swap
In a SIM swap, an attacker convinces a customer service representative at the intended victim's phone company to move the victim's number to a SIM card that the attacker controls. The attacker can then intercept the 2FA security codes sent to the victim and use them to access a computer system or application.
Last month, the U.S. Federal Bureau of Investigation (FBI) issued an alert to its partner organizations warning them about SIM swapping. According to the FBI, between 2018 and 2019, SIM swapping was the most common tactic used by cyber criminals to circumvent two-factor authentication. Victims of SIM swapping attacks, the FBI said, had their bank accounts drained and their passwords and PINs changed.
Last year, Reddit disclosed that all Reddit data from 2007 and before, including account credentials and email addresses, as well as email digests sent by Reddit in June 2018, were illegally accessed. The company said that the weaknesses inherent to SMS-based 2FA appeared to be the root cause of the incident. The company added that “SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept”.
Reddit, however, didn’t specify how the SMS-based 2FA one-time codes were intercepted. At the time of the Reddit attack, the known methods of intercepting SMS-based one-time codes were SIM swapping and mobile number port-out scams.
In a port-out scam, instead of a SIM swap, an attacker impersonates the intended victim and requests that the victim’s mobile number be transferred to another mobile network provider. In both SIM swap and port-out scams, one-time codes sent by SMS end up on a phone controlled by the attacker.
2. Phishing Scheme
The second method by which 2FA can be bypassed is through a phishing scheme. In December 2018, researchers at Certfa Lab detected a phishing campaign in which attackers, knowing that their victims used two-step verification on their Gmail and Yahoo accounts, created phishing pages for both the desktop and mobile versions of the Google and Yahoo mail services.
These phishing pages ask the victims for their username and password combination, as well as their 2-step verification code. The attackers then enter the same username, password and 2-step verification code into Google's or Yahoo's genuine website and hijack the email accounts of their victims.
A victim is tricked into visiting one of these phishing sites by a fake email alert, purportedly from the email provider, stating that unauthorized individuals have tried to access their account. This fake alert asks the victim to review and restrict the suspicious accesses via a link provided in the email, which leads to the attackers’ phishing site.
3. Session Hijacking
The third method by which 2FA can be bypassed is through session hijacking. Of the 3 methods of bypassing 2FA, session hijacking is the most technical.
A few months ago, a toolkit that bypasses 2FA via session hijacking was publicly released. The toolkit combines Muraena and NecroBrowser. According to its authors, Muraena is a “custom target-agnostic reverse proxy solution”, while NecroBrowser takes care of the “instrumentation and session riding”. According to the FBI, the Muraena tool intercepts traffic between a user and a target website that requires the usual username and password combination and a 2FA code, while NecroBrowser allows cyber actors to hijack these private accounts and make changes to them while maintaining access for as long as possible.
Last month, security researchers at DEVCORE reported a different form of session hijacking that enabled them to access Twitter Intranet. According to the DEVCORE researchers, they were able to access Twitter Intranet by bypassing the 2FA of the SSL VPN used by the company.
“Twitter enabled the Roaming Session feature, which is used to enhance mobility and allows a session from multiple IP locations,” the DEVCORE researchers said. “Due to this ‘convenient’ feature, we can just download the session database and forge our cookies to log into their system!”
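Both the relayed one-time code in the phishing case and the cookie that stays valid from any IP in the DEVCORE case are invisible to the second factor itself; what a defender can still check is the client context. The Python example below is added here and is not code from the original post, DEVCORE or the toolkit authors. It binds each session to the IP address and user agent that created it (a `roaming` switch reproduces the accept-from-anywhere behaviour quoted above) and flags a completed login from a client the user has never used before. The `SessionStore` class, the sample addresses and the user agents are constructed for the illustration.

```python
"""Session binding and new-client detection (added example, not from the post)."""
from dataclasses import dataclass
import secrets
from typing import Optional


@dataclass
class Session:
    user: str
    client_ip: str
    user_agent: str


class SessionStore:
    """In-memory session store that remembers which client created a session.

    roaming=True reproduces the 'Roaming Session' behaviour quoted above: a
    valid cookie is accepted from any IP. roaming=False revokes the session as
    soon as it is presented from a client other than the one that created it.
    (Hypothetical class written for this example.)
    """

    def __init__(self, roaming: bool = False):
        self.roaming = roaming
        self._sessions: dict = {}        # token -> Session
        self._known_clients: dict = {}   # user -> set of (ip, user agent)
        self.alerts: list = []

    def login(self, user: str, client_ip: str, user_agent: str) -> tuple:
        """Called after password and second factor have both verified.

        Returns (session token, is_new_client). A one-time code relayed through
        a phishing page is still a valid code, so the only signal left at this
        point is that the client completing the login is one the user has never
        used before; a real deployment would step up verification here.
        """
        client = (client_ip, user_agent)
        seen = self._known_clients.setdefault(user, set())
        is_new = client not in seen
        if is_new:
            self.alerts.append(f"{user}: login from unseen client {client_ip} / {user_agent}")
        seen.add(client)
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, client_ip, user_agent)
        return token, is_new

    def validate(self, token: str, client_ip: str, user_agent: str) -> Optional[str]:
        """Return the user a session cookie belongs to, or None if it is refused."""
        sess = self._sessions.get(token)
        if sess is None:
            return None
        if sess.client_ip == client_ip and sess.user_agent == user_agent:
            return sess.user
        self.alerts.append(f"{sess.user}: session bound to {sess.client_ip} presented from {client_ip}")
        if self.roaming:
            return sess.user          # accepted anyway: the copied cookie works
        del self._sessions[token]     # revoke: neither party can use it now
        return None


def demo() -> dict:
    """Walk the two scenarios with constructed clients; returns checkable results."""
    victim = ("203.0.113.10", "Mobile Safari")    # constructed sample values
    stranger = ("198.51.100.7", "Firefox")
    results = {}

    # 1. Copied cookie with roaming enabled: accepted from the other client.
    roaming = SessionStore(roaming=True)
    token, _ = roaming.login("alice", *victim)
    results["roaming_accepts_copied_cookie"] = roaming.validate(token, *stranger) == "alice"

    # 2. Same cookie with roaming disabled: refused and revoked on first misuse.
    strict = SessionStore(roaming=False)
    token, _ = strict.login("alice", *victim)
    results["strict_rejects_copied_cookie"] = strict.validate(token, *stranger) is None
    results["strict_revokes_for_owner_too"] = strict.validate(token, *victim) is None

    # 3. Relayed one-time code: the login succeeds, but from a never-seen client.
    relay = SessionStore()
    relay.login("alice", *victim)                 # alice's usual phone
    _, repeat_is_new = relay.login("alice", *victim)
    _, relayed_is_new = relay.login("alice", *stranger)
    results["owner_repeat_login_not_flagged"] = not repeat_is_new
    results["relayed_login_flagged"] = relayed_is_new
    results["alerts_raised"] = len(relay.alerts)  # first-ever login plus the relayed one
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Revoking on mismatch (scenario 2) locks the legitimate user out as well, which is the intended trade-off: a forged cookie is detected on its first use instead of riding the session indefinitely. The new-client flag in scenario 3 is a signal for step-up verification or an alert, not proof of compromise, since users do change devices and networks.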
Preventive and Mitigating Measures
There’s a reason why multi-factor authentication or 2FA is widely used by organizations today. Instead of relying merely on the traditional username and password combination, multi-factor authentication provides an extra layer of security to systems or applications.
The use of multi-factor authentication can decrease numerous attack surfaces. Using multi-factor authentication, however, shouldn’t give your organization a false sense of security. As shown in the above-mentioned examples, certain types of multi-factor authentication or 2FA can be bypassed.
Hospitals in Different Parts of the World Hit by Ransomware Attacks
Michael Garron Hospital, formerly Toronto East General Hospital, recently confirmed that it was a victim of the ransomware called “Ryuk”, turning the spotlight on this ransomware and on ransomware in general.
Sarah Downey, President and CEO of Michael Garron Hospital, said in a statement that last September 25th the hospital became aware that malicious software (malware), later identified as Ryuk, had infected the hospital’s servers. As a result of the ransomware attack, Downey said that “some data has been damaged” and, for the first time in many years, the hospital’s clinical teams were forced to revert to paper processes and to using the telephone to call codes, access porters and check dietary orders.
The President and CEO of Michael Garron Hospital said that as a result of the attack, some of the hospital’s outpatient services were affected, with some appointments canceled and rescheduled. Downey added that the affected servers are being cleansed and it may take a few weeks for some of the hospital’s systems that are less critical to operations to be fully restored. Downey further said that the hospital hasn’t been in contact with anyone about ransom payment.
What Is Ransomware?
Ransomware is a type of malware that’s designed to deny access to a computer system or data until a ransom is paid. To deny legitimate users access, attackers encrypt the system or data, leaving it unreadable without the decryption keys held by the attackers.
In ransomware attacks, these decryption keys are typically handed over to the victims in exchange for a ransom payment. All too often, ransomware attackers victimize organizations that can’t tolerate any downtime, making ransom payment all the more compelling.
Paying the ransom, however, doesn’t guarantee that victims can recover their encrypted systems or data as the decryption keys could simply be designed to not work at all.
What Is Ryuk Ransomware?
Ryuk ransomware was first observed in the wild in August 2018. In June 2019, UK's National Cyber Security Centre (NCSC) issued a Ryuk advisory, warning organizations globally about this ransomware.
Ryuk is often linked with two other malware families: Emotet and Trickbot. Emotet was first observed in the wild in 2014, and Trickbot in 2016. In a Ryuk attack, the Emotet malware is used to drop the Trickbot malware. Trickbot, for its part, deploys hacking tools that facilitate remote monitoring of the victim’s computer and credential harvesting, and that allow the attackers to move to other computers within the network.
Ryuk is deployed only once a ransomware opportunity is present. It’s therefore possible for an organization to be infected for some time without any visible sign of a ransomware attack.
Prior to installing itself into the affected computer, Ryuk will first attempt to disable certain antimalware or antivirus software. Ryuk has the ability to spread to other computers within the same network as it is designed to enumerate network shares and encrypt those it can access.
According to the NCSC, it’s possible that Ryuk could be deployed through an infection chain other than using Emotet and Trickbot. NCSC added that in a Ryuk attack, it’s difficult to recover the infected computer’s backup as this malware uses anti-forensic recovery techniques such as manipulating the virtual shadow copy.
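One check a defender can run against the shadow-copy manipulation the NCSC describes is to watch process-creation telemetry for the built-in Windows utilities that delete shadow copies or backup catalogs, since that step normally precedes encryption. The Python example below is added here and is not from the post or the NCSC advisory; the log records are constructed in the shape of Sysmon process-creation events, and the command-line patterns follow widely published detection rules rather than anything in the post.

```python
"""Flag shadow-copy and backup-catalog deletion in process-creation logs."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    rule: str
    command_line: str


# Command lines that destroy recovery points via built-in Windows tools.
# These patterns follow public detection rules; they are not from the post.
RULES = {
    "vssadmin-delete-shadows": re.compile(
        r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.IGNORECASE),
    "wmic-shadowcopy-delete": re.compile(
        r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.IGNORECASE),
    "wbadmin-delete-catalog": re.compile(
        r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.IGNORECASE),
}


def scan(events):
    """Return one Finding per event whose CommandLine matches a rule."""
    findings = []
    for event in events:
        cmd = event.get("CommandLine", "")
        for rule, pattern in RULES.items():
            if pattern.search(cmd):
                findings.append(Finding(event["Computer"], event["User"], rule, cmd))
                break   # one finding per event is enough for triage
    return findings


# Constructed sample events in the shape of Sysmon Event ID 1 records.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "User": "CORP\\jdoe",
     "CommandLine": "vssadmin list shadows"},                  # benign admin use
    {"Computer": "WS01", "User": "CORP\\jdoe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"Computer": "FS02", "User": "NT AUTHORITY\\SYSTEM",
     "CommandLine": "wmic shadowcopy delete"},
    {"Computer": "FS02", "User": "NT AUTHORITY\\SYSTEM",
     "CommandLine": "cmd.exe /c wbadmin delete catalog -quiet"},
    {"Computer": "WS03", "User": "CORP\\asmith",
     "CommandLine": "notepad.exe C:\\Users\\asmith\\notes.txt"},
]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host} {f.user} [{f.rule}] {f.command_line}")
```

In production these rules are best enriched with the parent process and the account, because backup software and administrators occasionally run the same utilities; a deletion launched from an unexpected parent on several hosts within minutes is the pattern worth paging on.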
Other Cases of Ransomware Attacks
Hospitals and healthcare providers are targeted by ransomware attackers because these establishments cannot withstand IT downtime. In recent weeks, in addition to Michael Garron Hospital, two other hospitals in Canada belonging to the Listowel Wingham Hospitals Alliance (LWHA), Listowel Memorial Hospital and Wingham and District Hospital, have been hit by ransomware.
In a statement, Listowel Wingham Hospitals Alliance said that since last September 26th its IT system has been shut down as a result of a ransomware attack. As a result of the attack, the Alliance said, “Manual and paper downtime procedures remain in place.” The Alliance hasn’t named the specific type of ransomware that hit the two hospitals.
A number of hospitals and health services in Gippsland and south-west Victoria, Australia, meanwhile, have been impacted by a ransomware attack. Victoria's Department of Premier and Cabinet, in a statement, said that the ransomware was uncovered last September 30th.
Last month, the U.S. healthcare provider Wood Ranch Medical announced that it will permanently close its practice on December 17, 2019 as a direct result of a ransomware attack. Wood Ranch Medical, in a statement, said that on August 10, 2019 it suffered a ransomware attack on its computer systems. The provider said that the ransomware, which it did not name, encrypted its servers and the backup hard drives containing patients’ electronic health records.
“Unfortunately, the damage to our computer system was such that we are unable to recover the data stored there and, with our backup system encrypted as well, we cannot rebuild our medical records,” Wood Ranch Medical said. “We will be closing our practice and ceasing operations on December 17, 2019.”
Last October 1st, DCH Health System, which runs 3 hospitals: DCH Regional Medical Center in Tuscaloosa, Northport Medical Center and Fayette Medical Center, announced that it suffered a ransomware attack that impacted its systems. The specific type of ransomware wasn’t disclosed.
Last October 6th, DCH Health System said that it “obtained a decryption key from the attacker to restore access to locked systems.” The organization didn’t specify whether ransom was paid. There are reports, however, that indicate that DCH Health System paid the attacker ransom.
Organizations large and small fall victims to ransomware too often. Contact us to speak with our cybersecurity experts today to develop a solid protection and mitigation strategy reducing your stress and protecting your organization.
How to Raise Awareness of Cybercrime in Your Workplace
In February 2019, the Canadian Centre of Cyber Security claimed most Canadians would be affected by cybercrime in one form or another.
This is unnerving for a number of reasons.
First: it applies to all Canadians, not just business-owners. That means everyone using a computer, smartphone or tablet for any online activity could be at risk.
Second: many people (sadly) lack the awareness to take proper security measures and protect their sensitive data from criminals.
Third: the Canadian Centre of Cyber Security specified how ransomware attacks are one of the most common cyber-threats. And anyone who knows anything about ransomware will recognize why this is such a frightening prospect.
Ransomware attacks may be triggered by opening an infected link in an email or downloading an attachment. Hackers hold your computer or entire system hostage until you either pay the money demanded or find another solution.
This is terrifying enough if your home computer is affected. But in the workplace, ransomware has the potential to wreak havoc on your business — and bring it screeching to a halt.
That’s why every employee should be empowered with the knowledge and tools to stay safe. Especially when more than one-fifth of Canadian companies have been targeted by cybercriminals.
What can you do to raise awareness of cybercrime in your workplace?
Staying Vigilant Against Cybersecurity Threats
One of the first steps is encouraging staff to be vigilant.
An uninformed, unprepared team can introduce an infection into your system without realizing until it’s too late. And even then, the individual responsible may still not understand what they did wrong.
But a well-informed, well-prepared workforce will find recognizing potential threats far easier.
A key component of this is motivating staff to report any and all suspicious activity, no matter how unnecessary it may seem. Risks should be addressed quickly to ensure no concerns are raised in vain.
Employees must undergo effective education to minimize their chances of bringing harmful infections into your system. Working with cybersecurity experts and organizing training sessions will help.
Emphasize the Impact Cybersecurity Breaches Make
A cybersecurity attack in the workplace doesn’t just affect the employee responsible.
It affects their colleagues. It affects your clients. It affects your reputation. Prospective new customers may fear for their own data’s security when they learn your company was targeted.
This is why it’s so vital to show employees the impact cybercrimes can have. They need to understand they’re part of a group and one mistake could mean serious problems for everyone involved.
This is easier if your company culture already leans towards collaboration and teamwork. Otherwise, you may need to incorporate more elements of this into everyday processes. Encourage staff to consider themselves one cog in a machine.
Highlight Common Cybersecurity Threats
You can increase awareness of cybercrimes in your business by drawing employees’ attention to the most common risks.
Provide them with accessible (read: not packed with jargon or technical terms they don’t need to know) resources on:
These are just some of the most common types of cyber-attacks. Help your team understand:
You may want to bring an expert in to discuss this with employees or compile your own knowledge bank. A combination of both may even be the right choice for you.
But whichever option you settle on, your workforce will be more aware of cybercrimes and know how they can reduce your business’s risk.
Cultivate a Security-focused Culture
We touched on company culture briefly earlier, but now let’s delve a little deeper.
Adopting a security-focused culture may reinforce your business against cybercrimes. At the very least, employees are less likely to make common mistakes that cost money down the line.
Introduce checks on employee computers to ensure that all their security software is up to date across the board. Make sure any tools they download and use are clean too.
And don’t forget about passwords. You may want to introduce a password policy that stipulates employees change theirs every two weeks or every month.
This can make a positive difference, but only if they know how to choose strong passwords in the first place.
What does this mean? Good passwords include a mix of numbers, letters, and symbols. Workers should never use the same passwords across different accounts or platforms, especially if they’re easy to guess.
That’s why just using your child’s, pet’s or partner’s name is a no-no. This information may be easy to find online — and hackers could cause a data breach without much effort at all.
Making your team more aware of general security in the workplace can feed into their drive to take effective precautions. Welcome their input too.
What do they think can be done to increase their knowledge of cybersecurity? How would they like to see more changes introduced? Don’t be afraid to take their best ideas on board.
Create a Clear Incident Response Plan
If the worst happens and your business is struck by a cyber-attack, who does what?
Your employees must know what steps to take in the event of an incident. Perhaps they need to call a local expert in to help immediately. Maybe they’re required to inform clients about the potential data breach.
Whatever their role, employees should know what is expected of them. Everyone should be able to work together as a team and minimize the damage as best they can. This could make a big difference to your business’s future.
Want to find out how secure your business is against cybercrimes? Curious how cybersecurity professionals can help you stay safe online?
Just get in touch with our experts today and we will be happy to help.
What Are Watering Hole Attacks & How to Prevent Such Attacks
Watering hole attacks are becoming more and more popular as these allow malicious actors to compromise intermediary targets to gain access to their intended final targets.
What Is a Watering Hole Attack and How Does It Work
In a watering hole attack, a malicious actor compromises a third-party service, such as a publicly available website, in order to get access to the intended final target. There are various reasons why threat actors attack third-party services instead of the intended final targets. It could be that the intended final targets have stronger cyber defences, while third-party services lack the necessary cyber defences.
In watering hole attacks, threat actors study the employees of the intended final targets, such as finding out what sites these employees often visit. These sites are then analysed.
Attackers then target sites with weak defences, injecting them with malicious software (malware) or redirecting visitors to sites the attackers control, so that the malware is downloaded when the employees visit these sites. Attackers may also nudge an employee into visiting the compromised website or a URL they control by tricking the employee into clicking a malicious link contained in a phishing email.
Once inside an employee’s device, threat actors then move toward the intended final target.
Examples of Watering Hole Attacks
The recent disclosure by researchers at Google's Threat Analysis Group about a small collection of compromised websites used in watering hole attacks, which ultimately targeted site visitors using certain versions of iPhones, highlights the growing danger of watering hole attacks.
Researchers at Google's Threat Analysis Group revealed that over a period of at least two years, almost every version from iOS 10 through iOS 12 was potentially vulnerable when users visited a small collection of compromised websites. Simply visiting a compromised site, the researchers said, was enough for the exploit server to attack a vulnerable iPhone and install malicious code that monitors the user’s activities.
The researchers estimated that the compromised sites receive thousands of visitors each week. In the attacks on the specific versions of iPhones, researchers at Google's Threat Analysis Group said, they identified a total of 14 security vulnerabilities: 7 in the iPhone’s web browser, 5 in the kernel and 2 separate sandbox escapes.
Other Cases of Legitimate Sites Used for Watering Hole Attacks
In late February and early March this year, reports came out that the website of the International Civil Aviation Organization (ICAO) was used as an intermediary target for a watering hole attack in which the intended final targets were ICAO members. Montreal, Canada-based ICAO is a specialized agency of the United Nations that codifies the principles and techniques of international air navigation.
In November 2018, researchers at ESET reported that 21 distinct websites in Vietnam and Cambodia, including those of the Ministry of Defense of Cambodia and the Ministry of Foreign Affairs and International Cooperation of Cambodia, and several Vietnamese newspaper websites, were used as intermediary targets in watering hole attacks.
According to the researchers, the modus operandi was similar on all compromised websites: the attackers add a small piece of malicious code to the compromised site. While not applicable in all cases, the researchers reported that the code injected into the compromised websites checks the visitor’s location, and only visitors from Vietnam and Cambodia actually receive the malware. The researchers added that the server controlled by the attackers can send an additional payload – that is, the malware that performs the actual malicious actions.
Researchers at ESET said they weren’t able to identify examples of the payloads sent by the attackers, as these payloads were only delivered to specific targets and it wasn’t possible to obtain them using a test machine. In November 2017, researchers at Volexity found a similar set of compromised websites belonging to individuals and organizations tied to the government, the media, human rights and civil society groups. In these cases, the researchers found that the payloads downloaded onto the site visitor’s computer included a pop-up asking the visitor to approve OAuth access to their Google account. This tactic allows attackers to get access to the victim’s contacts and emails.
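The ESET and Volexity cases share one trait: a small script is added to an otherwise unchanged page. A site owner can catch that by keeping a baseline inventory of the scripts a page is supposed to carry and comparing each crawl against it, which also makes the geo-gated payload irrelevant because the injected tag is visible to everyone. The Python example below is added here and is not from ESET, Volexity or the post; it uses only the standard library, and the two HTML documents and the `cdn.example.com` and `stats.example.net` hostnames are constructed for the demonstration.

```python
"""Compare a page's script inventory against a known-good baseline."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptInventory(HTMLParser):
    """Collects the hosts of external scripts and hashes of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external_hosts = set()
        self.inline_hashes = set()
        self._in_inline = False
        self._chunks = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            # Host only: a changed path on a trusted CDN is a different problem.
            self.external_hosts.add(urlsplit(src).netloc or "(same-origin)")
        else:
            self._in_inline = True
            self._chunks = []

    def handle_data(self, data):
        if self._in_inline:
            self._chunks.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            body = "".join(self._chunks).strip().encode("utf-8")
            self.inline_hashes.add(hashlib.sha256(body).hexdigest())
            self._in_inline = False


def inventory(html):
    """Return (set of external script hosts, set of inline script hashes)."""
    parser = ScriptInventory()
    parser.feed(html)
    parser.close()
    return parser.external_hosts, parser.inline_hashes


def diff_against_baseline(baseline_html, current_html):
    """Report scripts that appeared or disappeared since the baseline was taken."""
    base_hosts, base_inline = inventory(baseline_html)
    cur_hosts, cur_inline = inventory(current_html)
    return {
        "new_external_hosts": sorted(cur_hosts - base_hosts),
        "removed_external_hosts": sorted(base_hosts - cur_hosts),
        "new_inline_scripts": len(cur_inline - base_inline),
    }


# Constructed sample pages: the baseline, and the same page with injected tags.
BASELINE_PAGE = """<html><head>
<script src="https://cdn.example.com/app.js"></script>
<script>window.siteConfig = {lang: "vi"};</script>
</head><body><h1>News</h1></body></html>"""

CURRENT_PAGE = BASELINE_PAGE.replace(
    "</head>",
    '<script src="https://stats.example.net/t.js"></script>\n'
    "<script>document.addEventListener('DOMContentLoaded', loadExtra);</script>\n</head>")


if __name__ == "__main__":
    print(diff_against_baseline(BASELINE_PAGE, CURRENT_PAGE))
```

Run the comparison from outside the site's own infrastructure and from more than one vantage point: the injected code in the ESET case varied its behaviour by visitor location, and a compromised server could in principle serve a clean page to the monitoring host.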
The recent watering hole attacks are reminiscent of the cyber-espionage campaign called “Epic Turla”. In August 2014, Kaspersky observed 100 compromised websites for watering hole attacks.
Once a computer is infected with the Epic malware, Kaspersky reported, the malware immediately connects to the command-and-control (C&C) server, which delivers a pre-configured series of commands for execution and custom lateral movement tools such as a keylogger – a malicious program aimed at stealing data by recording every keystroke made by a computer user.
Prevention and Mitigating Measures
Here are some cyber security measures in order to prevent or mitigate the effects of watering hole attacks:
Wikipedia and World of Warcraft Classic Targeted for DDoS Attacks
Distributed denial-of-service (DDoS) attacks again made the headlines over the weekend with the attacks on the popular online encyclopedia Wikipedia and the popular online role-playing game World of Warcraft Classic. These latest incidents show that malicious actors are continually targeting vulnerable devices and online services for DDoS attacks.
In a statement released last September 7, the Wikimedia Foundation said that Wikipedia was hit with a “malicious attack”, making the site inaccessible to visitors in several countries for intermittent periods. Wikimedia Deutschland, meanwhile, outright called it a “DDoS attack”, announcing via its Twitter account that the Wikimedia servers, on which Wikipedia is also hosted, were being “paralyzed by a massive and very broad DDoS attack”.
According to a report by the civil society group NetBlocks, Wikipedia became intermittently unavailable from approximately 6:00 p.m. UTC on September 6, 2019, and at 1:30 a.m. UTC the attack extended to a near-total outage in the United States and much of the world, continuing until 2:40 a.m. UTC.
Also last September 7, Blizzard Entertainment, owner of World of Warcraft Classic, said via its Twitter account, “Some online services continue to be impacted by a series of DDoS attacks which are resulting in high latency and disconnections.”
It isn’t yet confirmed whether the DDoS attacks on Wikipedia and World of Warcraft Classic are related. A Twitter account claiming responsibility for the DDoS attacks on Wikipedia and World of Warcraft Classic was taken down by Twitter.
DDoS Attacks Prevalence
Wikipedia and Blizzard Entertainment are no strangers to DDoS attacks. On May 15, 2019, NetBlocks reported that Wikipedia became temporarily unavailable internationally. NetBlocks said that its global internet observatory data showed that the incident wasn’t related to filtering or blocking, and was more likely caused by a DDoS attack.
NetBlocks said that DDoS attacks are distinct from state filtering or blocking, as these attacks have a broader international impact but typically last for short periods. Wikipedia is totally blocked in Turkey, is variably restricted in China, and was briefly filtered in Venezuela early this year.
In August 2017, meanwhile, Blizzard Entertainment reported another set of DDoS attacks on its networks. No person or group has taken responsibility for the 2017 DDoS attacks on Blizzard Entertainment or the May 2019 incident on Wikipedia.
Real-time gaming networks have been favorite DDoS targets of malicious actors. In August 2014, Sony’s PlayStation networks were taken offline as a result of a DDoS attack. The threat group called “Lizard Squad” claimed responsibility for the DDoS attack on Sony’s PlayStation networks.
KrebsOnSecurity reported that Lizard Squad controlled a botnet comprised of hacked home routers and commercial routers at universities and companies from around the globe. A botnet is a group of computers infected with the same malicious software (malware) and controlled by a threat actor or actors for the purpose of conducting malicious activities such as DDoS attacks. KrebsOnSecurity reported that the botnet controlled by the Lizard Squad group drew internet bandwidth from routers around the globe by exploiting the use of factory-default usernames and passwords.
The Mirai botnet, a much bigger botnet which at its height controlled hundreds of thousands of IoT devices such as routers and CCTV cameras, brought down a big chunk of the internet for most of the U.S. east coast as a result of the DDoS attack on Dyn, an internet infrastructure company.
The recent Wikipedia DDoS attack, according to NetBlocks, is understood to have been amplified through insecure devices.
Prevention and Mitigation
In a DDoS attack, both the owners of computers or Internet of Things (IoT) devices and the owners of the targeted online services play an important role. IoT devices such as routers, small as they are, are also computers. Owners of these devices, however, don’t view them like typical computers such as laptops, and many owners leave these devices vulnerable to attack by keeping the factory-default login details.
The threat of DDoS attacks is real, as malicious actors have the technology to control not just IoT devices but ordinary computers as well. French authorities and antivirus solution provider Avast recently took down the botnet called “Retadup”, which controlled nearly a million computers worldwide. It isn’t yet known how the Retadup malware initially infected these nearly one million computers.
In an ideal world, owners of IoT devices and internet-facing desktop or laptop computers would take responsibility for protecting these computers from being used as an army for DDoS attacks by practicing basic cyber hygiene, such as changing factory-default usernames and passwords and applying the latest security updates.
DDoS protection is all the more important for organizations that rely on providing online services. While your organization may have no control over the cyber hygiene of other IoT device, desktop and laptop users, your organization can undertake cyber security measures to mitigate the effects of DDoS attacks.
Mitigating measures against DDoS attacks are broadly categorized into do-it-yourself (DIY) methods, on-premise mitigation appliances and off-premise cloud-based solutions. DIY methods, such as manual IP blacklisting, are often a reactive measure taken in response to a successful first DDoS attack that has already caused hours of downtime.
On-premise mitigation appliances refer to hardware appliances deployed inside a network and placed in front of protected servers. Compared to DIY methods, on-premise mitigation appliances have advanced traffic filtering capabilities such as geo-blocking, rate limiting, IP reputation and signature identification.
Off-premise cloud-based solutions, meanwhile, offer virtually limitless scalability and don’t require investment in security personnel or expenses for DIY solutions and on-premise hardware.
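Of the filtering capabilities listed above, rate limiting is the one that is easy to reason about in code, and a small simulation also shows why a manual blacklist alone reacts too late. The Python example below is added here and is not from the post or any vendor's product: a per-source token bucket using integer millisecond arithmetic, a static blocklist, and a constructed request stream with one normal client, one flooding client and one blocklisted address. The `RateLimiter` class, the addresses, rates and limits are made up for the demonstration.

```python
"""Per-source token-bucket rate limiting over a constructed request stream."""
from collections import defaultdict
from dataclasses import dataclass

COST = 1000   # millitokens charged per request (integer maths keeps it exact)


@dataclass
class Bucket:
    tokens: int      # millitokens currently available
    last_ms: int     # timestamp of the last refill


class RateLimiter:
    """Token bucket per source IP plus a static blocklist (hypothetical class)."""

    def __init__(self, rate_per_sec: int, burst: int, blocklist=()):
        self.rate_per_sec = rate_per_sec     # sustained requests per second
        self.capacity = burst * COST         # largest burst accepted at once
        self.blocklist = set(blocklist)
        self._buckets: dict = {}

    def allow(self, ip: str, now_ms: int) -> bool:
        if ip in self.blocklist:
            return False
        bucket = self._buckets.get(ip)
        if bucket is None:
            bucket = Bucket(tokens=self.capacity, last_ms=now_ms)
            self._buckets[ip] = bucket
        # One millisecond at rate_per_sec req/s refills rate_per_sec millitokens.
        refill = (now_ms - bucket.last_ms) * self.rate_per_sec
        bucket.tokens = min(self.capacity, bucket.tokens + refill)
        bucket.last_ms = now_ms
        if bucket.tokens >= COST:
            bucket.tokens -= COST
            return True
        return False


def simulate(requests, limiter: RateLimiter) -> dict:
    """requests: iterable of (timestamp_ms, source_ip). Returns per-IP counts."""
    stats = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for ts, ip in sorted(requests):
        outcome = "allowed" if limiter.allow(ip, ts) else "dropped"
        stats[ip][outcome] += 1
    return dict(stats)


def build_sample_requests():
    """Constructed traffic: a normal client at 2 req/s, a flood at 100 req/s,
    and three requests from an address already on the blocklist."""
    normal = [(i * 500, "198.51.100.20") for i in range(10)]     # 0 to 4.5 s
    flood = [(i * 10, "203.0.113.99") for i in range(100)]       # 0 to 0.99 s
    blocked = [(i * 1000, "192.0.2.1") for i in range(3)]
    return normal + flood + blocked


def run_demo() -> dict:
    """5 req/s sustained, burst of 10; returns the per-IP allowed/dropped counts."""
    limiter = RateLimiter(rate_per_sec=5, burst=10, blocklist={"192.0.2.1"})
    return simulate(build_sample_requests(), limiter)


if __name__ == "__main__":
    for ip, counts in run_demo().items():
        print(ip, counts)
```

The flooding client gets its first ten requests through on the burst allowance and then only what the refill rate permits, while the well-behaved client is never throttled; the blocklist entry, by contrast, only helps against an address someone has already identified, which is the limitation of the DIY approach described above. A volumetric attack from many spoofed sources still has to be absorbed upstream, which is where the appliance and cloud categories come in.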
Connect with our web application security experts and protect your mission critical infrastructure in less than 10 minutes.
French Authorities and Avast Take Down One of the World’s Biggest Botnets
French authorities and antivirus solution provider Avast have jointly taken down the Retadup botnet, considered one of the world’s largest botnets, affecting nearly a million computers worldwide.
Avast, in a blog post, announced that its collaboration with French authorities resulted in the neutralization of the Retadup botnet, a group of computers infected with a malicious software (malware), in this case a malware called “Retadup”, and controlled by an attacker or attackers for malicious activities. As part of its threat intelligence research, Avast said it started closely monitoring the activity of the Retadup malware in March 2019.
Avast found that the computers infected with the Retadup malware and forming part of the Retadup botnet were mostly abused to mine the cryptocurrency called “Monero”. In illicit cryptocurrency mining, malicious actors earn cryptocurrency by stealing the computing power of someone else’s computer.
In a few cases, Avast observed that Retadup was used to distribute the ransomware called “Stop”, a type of malware purposely created to block legitimate users from a computer system or data until a ransom is paid. In a few other cases, Avast also observed that Retadup was used to distribute Arkei, a malware that steals passwords.
Avast said its research showed that Retadup’s command-and-control (C&C) infrastructure was mostly located in France, and as such it contacted the Cybercrime Fighting Center (C3N) of the French National Gendarmerie. C&C infrastructure refers to a server or servers used to communicate with and remotely control computers compromised by a malware, in this case the Retadup malware.
As of late August this year, Avast said that, in collaboration with C3N and with the permission of the office of the public prosecutor in France, the Retadup malware had been removed from 850,000 compromised computers, mostly located in Spanish-speaking countries in Latin America.
Retadup malware first appeared in mid-2017 stealing information in Israeli hospitals. According to Trend Micro, the organization that first reported about this malware in June 2017, this malware is notable for its propagation and stealth capabilities.
Trend Micro said the original Retadup malware infects computers via an executable file that masquerades as another file type, such as a browser shortcut file, a Windows updater or a web 3D creation tool. For example, it’s delivered to the vulnerable computer as WinddowsUpdater.zip, mimicking the legitimate updater file, which is WinddowsUpdater.exe.
A computer becomes infected with Retadup malware when the file that masquerades as another file type is clicked. According to Trend Micro, it’s unclear how these executable files containing the Retadup malware arrive on the computers of the victims.
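An executable delivered under an archive or shortcut name is something a mail gateway or endpoint script can check cheaply, because a file's content declares its real type in its first bytes regardless of the name it carries. The Python example below is added here and is not from Trend Micro, Avast or the post; it compares the claimed extension with the content's magic bytes and reports an executable hiding behind another extension. The sample byte strings and file names are constructed for the demonstration (the `WinddowsUpdater` name follows the post's example).

```python
"""Check whether a file's extension agrees with its content type."""
from dataclasses import dataclass
from typing import Optional

# Leading bytes of a few Windows file formats (standard, well-known signatures).
SIGNATURES = {
    "pe":  (b"MZ",),                                   # .exe / .dll / .scr
    "zip": (b"PK\x03\x04", b"PK\x05\x06"),             # archive / empty archive
    "lnk": (b"L\x00\x00\x00\x01\x14\x02\x00",),        # Windows shortcut header
}

# Which content type each extension is supposed to carry.
EXTENSION_TYPES = {
    "exe": "pe", "dll": "pe", "scr": "pe",
    "zip": "zip",
    "lnk": "lnk",
}


@dataclass(frozen=True)
class Verdict:
    filename: str
    extension: str
    detected: Optional[str]
    verdict: str


def detect_type(data: bytes) -> Optional[str]:
    """Return the content type whose signature the data starts with, else None."""
    for content_type, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return content_type
    return None


def classify(filename: str, data: bytes) -> Verdict:
    """Flag executables under a non-executable name, and other mismatches."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    detected = detect_type(data)
    expected = EXTENSION_TYPES.get(ext)
    if detected is None:
        verdict = "unknown-content"        # no signature matched; not judged here
    elif detected == "pe" and expected != "pe":
        verdict = "executable-masquerade"  # the delivery pattern described above
    elif expected is not None and expected != detected:
        verdict = "extension-mismatch"     # e.g. a ZIP named .lnk
    else:
        verdict = "ok"
    return Verdict(filename, ext, detected, verdict)


# Constructed sample contents (only the leading bytes matter for this check).
PE_HEADER = b"MZ\x90\x00\x03\x00\x00\x00"
ZIP_HEADER = b"PK\x03\x04\x14\x00\x00\x00"
SAMPLES = [
    ("WinddowsUpdater.zip", PE_HEADER),   # executable delivered under an archive name
    ("WinddowsUpdater.exe", PE_HEADER),
    ("report.zip", ZIP_HEADER),
    ("report.lnk", ZIP_HEADER),
    ("notes.txt", b"just text"),
]


def scan_samples():
    """Classify every constructed sample; returns a list of Verdict records."""
    return [classify(name, data) for name, data in SAMPLES]


if __name__ == "__main__":
    for v in scan_samples():
        print(f"{v.filename:24} detected={v.detected!s:5} {v.verdict}")
```

Extensions absent from the table are deliberately not judged, so the check stays quiet on formats it does not know; the one case it always reports is PE content under any non-executable name, which is exactly the masquerade Trend Micro describes.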
Once inside an infected computer, the malware checks for specific antivirus and analytics tools, and self-destructs when it detects their presence.
In stealing information, Trend Micro said, the original Retadup malware routinely records every keystroke made by the computer user, takes screenshots and extracts passwords from web browsers. Retadup is also a worm, meaning it can spread itself within networks without user interaction.
In September 2017, Trend Micro detected a new version of Retadup, this time infecting specific industries and governments in South America and controlling the infected computers as a botnet, stealing their computing power to mine the cryptocurrency Monero. As of September 2017, Trend Micro said the malicious actor or actors behind the Retadup botnet had earned 314 Monero coins, worth US$36,000, from the illicit cryptocurrency mining.
Since its discovery in June 2017, Retadup has evolved into different versions. Most of these versions, however, retain the original features, such as the worm and stealth capabilities. According to Avast, the most recent version of Retadup avoids mining cryptocurrency on an infected computer while taskmgr.exe is running, in order to make it harder for users to notice the increased CPU usage.
With permission from the office of the public prosecutor in France and with the technical assistance of Avast, the Cybercrime Fighting Center of the French National Gendarmerie dismantled the command and control server of the Retadup malware and replaced it with a disinfection server. This disinfection server, Avast said, made it possible to trigger the self-destruction of the Retadup malware on the infected computers forming the Retadup botnet.
To date, while the Retadup botnet has been neutralized as a result of the collaboration between the office of the public prosecutor in France, Avast and the Cybercrime Fighting Center of the French National Gendarmerie, the creator or creators of Retadup remain at large, as no arrests have been made as a result of the operation.
Threat Mitigation & Prevention
Botnets are a threat to the online community. As shown by the Retadup botnet, it can wreak havoc via cryptocurrency mining, ransomware and stealing information. Other botnets, like the Mirai botnet, had in the past brought down the internet in certain parts of the world via distributed denial-of-service (DDoS) attack.
Here are some cyber security measures in order to protect your organization’s computers or devices from being infected with malware and making them part of a botnet:
When you need help with threat mitigation, audits and prevention, connect with our cybersecurity experts.
How to Find Out If Your Organization’s Resources Are Illicitly Used for Crypto Mining
Ukraine’s National Nuclear Energy Generating Company, also known as Energoatom, a state enterprise operating all four nuclear power plants in Ukraine, disclosed that a recent search inside one of Ukraine’s nuclear power plants revealed that a plant employee had installed his own computer equipment inside the plant for cryptocurrency mining. This incident shows the danger of employees stealing their employers’ resources for cryptocurrency mining.
What Is Cryptocurrency Mining?
Cryptocurrency mining, also known as crypto mining, is the process of validating transactions so that they can be added to the list of all transactions known as the blockchain. Anyone with a computer and an internet connection can become a cryptocurrency miner.
Some cryptocurrencies can be mined using small, low-processing-power computers such as the Raspberry Pi. Other cryptocurrencies, such as Bitcoin, can only be mined using specialized computers with high computing power. In exchange for the computing power and electricity used for mining, miners are rewarded with cryptocurrency.
As cryptocurrency mining is power-hungry, especially for the top cryptocurrencies like Bitcoin, the high electricity bill is one of the obstacles that keep many from venturing into this field. To get around this hurdle, malicious actors illicitly steal power from their employers and even from strangers. Aside from electricity, malicious actors also steal from employers or strangers the computing power of machines that can process a significant amount of data faster than ordinary computers.
The illicit use of electricity at one of Ukraine’s nuclear power plants isn’t the first time that an employee has been caught stealing an employer’s resources for cryptocurrency mining. In February 2018, nuclear weapons engineers at the All-Russian Research Institute of Experimental Physics were arrested for mining cryptocurrencies at the workplace.
Unlike the cryptocurrency mining at the Ukrainian nuclear power plant, which only stole the plant’s electricity since the accused installed his own computer equipment, the crypto mining incident at the All-Russian Research Institute of Experimental Physics used not only the facility’s electricity but the office computer as well. Tatyana Zalesskaya, head of the research institute’s press service, confirmed to Interfax that there had been an unauthorized attempt to use the institute’s “computing power for personal purposes, including for the so-called mining”.
Employees aren’t the only ones interested in your organization’s computing power for crypto mining; unknown external attackers are after it as well. Attackers steal computing power in a process called “cryptojacking”.
In cryptojacking, malicious actors, who could be either insiders or outsiders, install crypto mining software on vulnerable systems, including websites, operating systems or public cloud accounts, in order to earn cryptocurrency.
In February 2018, researchers at RedLock reported that Tesla had been a victim of cryptojacking. “The hackers had infiltrated Tesla’s Kubernetes console which was not password protected,” researchers at RedLock said. “Within one Kubernetes pod, access credentials were exposed to Tesla’s AWS environment which contained an Amazon S3 (Amazon Simple Storage Service) bucket that had sensitive data such as telemetry. In addition to the data exposure, hackers were performing crypto mining from within one of Tesla’s Kubernetes pods.”
In May this year, researchers at Guardicore Labs reported that over 50,000 servers belonging to companies in the healthcare, telecommunications, media and IT sectors had been compromised for crypto mining.
Illicit crypto mining isn’t only a threat to large organizations or businesses; it also threatens small and medium-sized organizations. In late 2018, a school principal in China was fired after stealing the school’s electricity to mine cryptocurrency. The South China Morning Post reported that the fired principal had deployed 8 computers inside the school to mine the cryptocurrency Ethereum for about a year, racking up an electricity bill of 14,700 yuan, equivalent to US$2,120.
Ways to Monitor Crypto Mining and Preventive Measures
Here are some security measures to monitor crypto mining activity within your organization’s premises, and ways to prevent this threat from occurring in your organization:
An unusual increase in the electricity bill is a sign that computers operating within your organization’s premises are being used for cryptocurrency mining.
Somewhere in your organization’s premises there could be computers quietly mining cryptocurrency and racking up your organization’s electricity bill.
If your organization’s computers are running a bit slower than usual, this could be a sign that they are being used for illicit cryptocurrency mining.
In recent months, malicious actors have learned to be stealthy in their cryptojacking activities, for instance by mining only cryptocurrencies that use less computing power and electricity, to deflect suspicion. The cryptojacking incident that compromised 50,000 servers, reported by Guardicore Labs in May this year, mined a relatively new cryptocurrency called “Turtlecoin”, which can be mined even on small, low-processing-power computers such as the Raspberry Pi.
Monitoring network traffic is one way to discover this type of stealthy cryptojacking activity. Access to your organization's network from unknown locations and during non-working hours is a telltale sign of a network compromise and possible illicit cryptocurrency mining.
Lastly, practice basic cyber hygiene, such as keeping your organization’s operating systems up to date and using multi-factor authentication as a gatekeeper for these computers and servers. In many cases, computers and servers are compromised for illicit cryptocurrency mining merely through failure to apply the latest security update, the use of weak login details and the lack of multi-factor authentication.
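The two monitoring signals in the list above, sustained CPU load on a host and logins from unknown locations or outside working hours, can be checked automatically from data a monitoring agent already collects. The script below is an added example, not code from the article or from any of the vendors it cites; the log line format, the trusted network range (10.20.0.0/16), the working-hours window and every sample reading are constructed for the illustration.

```python
import ipaddress
import re
from datetime import datetime, time
from statistics import mean

# Constructed sample data for this example (not from the article): a few
# authentication log lines and per-host CPU readings from a monitoring agent.
AUTH_LOG = """\
2019-09-02T09:14:07Z host=srv-web01 user=alice src=10.20.0.15 result=success
2019-09-02T02:41:52Z host=srv-db01 user=svc_backup src=198.51.100.77 result=success
2019-09-03T13:05:11Z host=srv-web01 user=bob src=10.20.0.22 result=success
2019-09-07T23:12:44Z host=srv-app02 user=admin src=203.0.113.9 result=success
2019-09-03T03:30:00Z host=srv-app02 user=carol src=10.20.0.40 result=failure
"""

# Percent CPU readings per host, oldest first (assumed to be sampled once a minute)
CPU_SAMPLES = {
    "srv-web01": [12, 18, 15, 22, 17, 14],
    "srv-db01": [96, 97, 99, 95, 98, 97],
    "srv-app02": [30, 91, 95, 96, 97, 94],
}

# Assumed office network and working hours; adjust to your environment
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]
WORK_START, WORK_END = time(8, 0), time(18, 0)

LINE_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)"
)


def parse_auth_log(text):
    """Turn the constructed log format into dicts with a typed timestamp and address."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["src"] = ipaddress.ip_address(e["src"])
        events.append(e)
    return events


def is_trusted(addr):
    return any(addr in net for net in TRUSTED_NETS)


def is_working_hours(ts):
    # Monday=0 .. Friday=4, and inside the working-day window
    return ts.weekday() < 5 and WORK_START <= ts.time() < WORK_END


def suspicious_logins(events):
    """Successful logins from an unknown location or outside working hours."""
    flagged = []
    for e in events:
        if e["result"] != "success":
            continue
        reasons = []
        if not is_trusted(e["src"]):
            reasons.append("untrusted source")
        if not is_working_hours(e["ts"]):
            reasons.append("outside working hours")
        if reasons:
            flagged.append((e["host"], e["user"], str(e["src"]), reasons))
    return flagged


def sustained_high_cpu(samples, threshold=90.0, window=5):
    """Hosts whose mean CPU over the last `window` readings is at or above the threshold."""
    hosts = []
    for host, readings in samples.items():
        recent = readings[-window:]
        if len(recent) == window and mean(recent) >= threshold:
            hosts.append(host)
    return sorted(hosts)


def correlate(auth_text, samples):
    """Hosts showing both sustained CPU load and a suspicious login: the strongest signal."""
    busy = set(sustained_high_cpu(samples))
    logins = {host for host, _, _, _ in suspicious_logins(parse_auth_log(auth_text))}
    return sorted(busy & logins)


if __name__ == "__main__":
    for item in suspicious_logins(parse_auth_log(AUTH_LOG)):
        print("suspicious login:", item)
    print("sustained high CPU:", sustained_high_cpu(CPU_SAMPLES))
    print("both signals:", correlate(AUTH_LOG, CPU_SAMPLES))
```

Feed the CPU check from a central monitoring agent rather than from an interactive tool on the machine: as the Retadup section above notes, some miners stop working while taskmgr.exe is running, so a reading taken by opening Task Manager can miss exactly the load you are looking for.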
When you need help, contact our team of experts to mitigate the cybersecurity risks for your organization.
Threat Actors Continue to Target Websites
The European Central Bank (ECB) shut down one of its websites following the discovery that malicious actors accessed the site without authority and infected it with malicious software (malware). This incident shows that threat actors continue to target websites.
ECB, in a statement, said that unauthorized parties had breached the Bank’s Integrated Reporting Dictionary (BIRD) website, a site purposely built to provide the banking industry with details on how to produce statistical and supervisory reports. The Bank said that contact data, including email addresses, names and position titles of 481 subscribers to the BIRD newsletter may have been stolen by the attackers.
ECB, in a statement, said that the attack on the BIRD website was discovered as a result of “regular maintenance work”. An ECB spokesman told Reuters that the earliest evidence found of the website attack dated back to December 2018, which means that the attack had gone unnoticed for months before being discovered during maintenance work.
This isn’t the first time that ECB has reported an attack on its IT infrastructure. In 2014, ECB disclosed that an unknown attacker or attackers had breached another of the Bank’s websites, one used for registrations for Bank events such as conferences and visits.
The 2014 website attack, the Bank said, led to the theft of email addresses and other contact data left by individuals registering for events at the ECB. This 2014 attack on one of the Bank’s websites only became known after an anonymous email was sent to the Bank asking for financial compensation in exchange for the stolen data.
In the latest attack on one of its websites, ECB said the attackers “succeeded in injecting malware onto the external server to aid phishing activities”. In the 2014 attack, ECB said the malicious actor or actors attacked a “database serving its public website”. Beyond those phrases, not much is known about the “injection” and “database” attacks.
The Open Web Application Security Project (OWASP) lists injection attacks as the number one threat to web security. Injection attacks refer to a broad set of attack paths that allow attackers to gain access to the database records of vulnerable websites. In certain cases, this type of attack allows attackers to gain administrative rights to a database.
One example of an injection attack is the SQL injection, also known as SQLi, attack. SQL, which stands for Structured Query Language, is the language understood by databases. By inserting commands in this language into input fields on websites, such as input forms, attackers can gain access to the database records of vulnerable websites, resulting in unauthorized access to any data available in the database.
In late 2007 and early 2008, thousands of websites were defaced as a result of SQL injection attacks. According to researchers at Microsoft, these particular SQL injection attacks didn’t exploit vulnerabilities in Windows, IIS, SQL Server or other infrastructure code; rather, they exploited vulnerabilities in custom web applications running on this infrastructure. Thousands of websites were affected due to 2 factors: first, there was an automated tool to launch this attack, and second, this SQL attack tool spread through the use of a botnet.
SANS reported that thousands of websites were compromised in late 2007 and early 2008 as the attacker or attackers used an automated tool that queried search engines to find vulnerable web applications and then exploited them. “The exploit just consisted of an SQL statement that tried to inject a script tag into every HTML page on the web site,” SANS reported. SecureWorks, meanwhile, reported that the automated SQL attack tool spread to thousands of websites because the attackers relied on a botnet – a group of computers or devices infected by the same malware and controlled by an attacker for malicious purposes, in this case the spread of the SQL attack tool.
Other than using SQL injection to attack websites indiscriminately with an automated tool and a botnet, attackers have also used SQL injection in targeted attacks. According to the U.S. Federal Bureau of Investigation (FBI), a malicious group obtained confidential information from Sony Pictures’ computer systems between May 27, 2011 and June 2, 2011 using an SQL injection attack against Sony Pictures’ website.
According to the UK's Information Commissioner's Office, SQL injection was also used in the TalkTalk cyber attack on the company’s website. As a result of the SQL injection attack on TalkTalk’s website, the personal details of 156,959 customers, including their names, addresses, dates of birth, phone numbers and email addresses, were stolen. The attacker also stole the bank account numbers and sort codes of 15,656 TalkTalk customers.
As shown in the above-mentioned examples, injection attacks on websites are highly detrimental to the affected organizations. Loss of customer trust is one potential cost of an SQL injection attack should personally identifiable information such as full names, addresses and credit card details be stolen.
One cyber security measure to prevent injection attacks such as SQL injection is the use of a web application firewall (WAF). A WAF is often used to filter out injection attacks such as SQL injection. To do so, the WAF matches requests against a list of signatures that address specific attack vectors, and this list is regularly updated with new filtering rules for newly discovered security vulnerabilities.
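To make the injection mechanism and the WAF’s role concrete, here is an added example built on Python’s bundled sqlite3 module; it is not code from the article, from OWASP or from any of the organizations mentioned. The table, its rows and the signature list are constructed for the illustration, and a production WAF rule set is far larger. It places a string-concatenated query beside its parameterized form and puts a minimal signature filter in front of both.

```python
import re
import sqlite3


def make_db():
    """Constructed demo database for this example (not from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO customers (email, name) VALUES (?, ?)",
        [("alice@example.com", "Alice"), ("bob@example.com", "Bob")],
    )
    return conn


def lookup_vulnerable(conn, email):
    """Vulnerable: the input is spliced into the SQL text, so it can change the query."""
    sql = "SELECT name FROM customers WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, email):
    """Hardened: the input is bound as a value and can never alter the statement."""
    sql = "SELECT name FROM customers WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


# A minimal signature list of the kind a WAF matches against request input.
# Illustrative only: real rule sets are far larger and are updated as new patterns appear.
SIGNATURES = [
    re.compile(p, re.IGNORECASE)
    for p in (r"'\s*or\s+", r"--", r"/\*", r"union\s+select", r"<script")
]


def waf_blocks(value):
    """True when the input matches a known injection signature."""
    return any(sig.search(value) for sig in SIGNATURES)


def handle_request(conn, email):
    """Both layers together: the WAF rejects known patterns, the query is parameterized anyway."""
    if waf_blocks(email):
        return "blocked"
    return lookup_parameterized(conn, email)


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, crafted))      # every row comes back
    print("parameterized:", lookup_parameterized(db, crafted))  # nothing matches
    print("with WAF in front:", handle_request(db, crafted))
```

The parameterized lookup returns nothing for the crafted input because the whole string is compared as an email address, whereas the concatenated version returns every row. The signature filter catches the same input only because it matches a known pattern, which is why the WAF is a second layer and parameterized queries remain the primary fix.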
At The Driz Group, we specialize in protecting your websites and web applications with instant attack mitigation and guaranteed DDoS protection. We support all deployment types, including cloud and on-premise. Setup takes several minutes and there is nothing to buy, support or maintain.
Connect with us today for a free consultation and protect your websites, web applications, online reputation and mission-critical data.
What Are the Biggest Mobile Cybersecurity Threats Every Business Must Know?
How many times a day do you Google something on your smartphone?
It’s second nature now. Any questions you have, any movie stars you want to look up, any local restaurants you want to check out — just grab your phone and ask.
And with more than half of worldwide internet traffic originating from phones, the popularity of mobile search shows no sign of slowing down. Particularly for businesses.
The ease, speed and convenience of mobile internet means employees can access work documents, data and software at any time. But accessing business accounts and data via your mobile device opens you up to cybersecurity threats, just like browsing on a computer.
So, what are the biggest mobile cybersecurity threats every business must know?
Malware Lurking in Websites and Apps
It’s easy to assume malware is a risk to employees going online via their desktop or laptop computers, not mobile devices.
But that’s just not the case. Malware can infect a smartphone just as it would bigger hardware and cause serious problems.
Mobile malware typically attacks smartphones through web pages, attachments or apps primed to unleash infections. Clicking a link in an email, downloading a program or installing an app could put your business’s data in danger within seconds.
It’s a simple mistake to make, especially for non-tech-savvy employees.
Infected apps may access your smartphone’s data storage, memory, internal processes and other apps. They may even run in the background without being noticed by the user, gathering information and sharing it with whoever created them.
Hands-on Device Theft
One of the most obvious and damaging cybersecurity risks is theft.
And we mean physical theft: having a phone or tablet stolen by a mugger or opportunistic criminal.
It’s not hard to imagine how this might happen. An employee is out enjoying the sunshine on their lunch break, maybe sitting in the park or outside a cafe. They put their phone down for a moment to grab a drink or open their bag.
When they look back up, the phone is gone.
This takes just seconds but can have devastating results. A hacker would be able to bypass a PIN or password and get into the owner’s accounts with ease. They could access your business’s emails, banking and communications in next to no time.
Scary, isn’t it? That’s why it’s so vital that all employees take good care of their company and personal phones. Any device holding data relating to the business should be secured with a PIN or password, as well as additional security measures such as facial recognition and fingerprint scanning.
Encourage all staff to stay vigilant and aware. If their phone is stolen, they have to admit it fast: the sooner they raise the alarm, the sooner action can be taken to protect data in the cloud.
Unsecured Wi-Fi Networks
Free, public Wi-Fi is great. Employees can take their phone or tablet to the local coffee shop and do a little work outside the office for a change of scenery. The Wi-Fi is thrown in free when you buy a drink or snack so there’s no reason to lose momentum.
But free Wi-Fi networks tend to be unsecured, and that makes anyone using them vulnerable to cybersecurity risks. Any social media interactions, emails, writing, calls and more may be available to hackers.
This is why employees must be careful when accessing Wi-Fi networks beyond their own or your business’s. If they need to wait until they’re back in the office to finish a task or make a call, a slight delay is far better than the alternative.
And this leads us nicely on to …
The Threat of Network Spoofing
Free, public Wi-Fi networks may pose a threat, but network spoofing is much more dangerous.
This involves hackers creating fake access points designed to look like legitimate Wi-Fi connections. You might see them appear on a list of Wi-Fi networks when you visit a coffee shop, bar, airport etc.
Cybercriminals give their fake networks believable names (‘Coffee Place’, ‘Airport Open Wi-Fi’ etc.) to entice oblivious users. They might ask you to set up an account before giving you access, or just let you dive right in.
One big hazard is that employees might use their standard username and password to create accounts with fake networks. And that means cybercriminals would be able to get into emails, banking accounts and anything else protected by the same details.
The entire business’s and clients’ data could be in danger because of a simple mistake.
Taking Action to Minimize Your Business’s Vulnerability
Every company wants to be safe against cybersecurity risks. Every company wants to trust its employees to handle accounts and data in a responsible way.
But it’s not so simple.
Cybercriminals use ever-more-sophisticated techniques and tools to target businesses. Employees need to be made aware of the threats they face when they’re online across all devices.
Effective training is key to help your workforce exercise caution and stay vigilant whenever they’re working or communicating on their smartphone or tablet. And make sure any company phones you hand out have been checked and utilize strict security safeguards to keep them protected.
Don’t try to handle all of your cybersecurity in-house either, especially if your business is brand new and you have little to no experience with managing data. Clients expect you to keep their information confidential and safe against leaks — if you don’t, your reputation could take a serious hit.
Work with cybersecurity specialists to assess your vulnerability and take action to defend your data. The Driz Group’s experts are here to:
Want to learn more about our managed services and how they help companies just like yours every single day? Just get in touch with our dedicated team right now!
Decade-Old Vulnerability Found in Avaya VoIP Phones
Researchers at McAfee Advanced Threat Research have discovered a decade-old security vulnerability lurking in the Voice over Internet Protocol (VoIP) phones of Avaya, the world’s second largest VoIP phone provider.
The decade-old vulnerability, present in Avaya VoIP phones, specifically the 9600 Series, J100 Series and B189 Series using the H.323 firmware, allows remote code execution (RCE) according to researchers at McAfee Advanced Threat Research – enabling an attacker to access someone else's device and make changes to it, regardless of where the device is geographically located.
The RCE vulnerability is in a piece of open-source software that Avaya used; the researchers said it was likely copied and modified 10 years ago and the company failed to apply subsequent security patches. The researchers added that a malicious actor exploiting the vulnerability could take over the normal operation of the phone, copy audio from the speakerphone and “bug” the phone.
The piece of open-source software that Avaya copied bore a 2004-2007 copyright, which according to the researchers is a “big red flag”, as this piece of software has an exploit that has been publicly available since 2009. The 2009 exploit demonstrated that devices using DHCP client version 4.1 and below allow remote DHCP servers to execute arbitrary code. A DHCP client, also known as dhclient, runs on a device that needs an IP address, while a DHCP server hands out IP addresses to such clients.
Researchers at McAfee Advanced Threat Research found that the Avaya VoIP phones’ version of dhclient is vulnerable to the exploit reported in 2009. The researchers said that malicious actors could build a “weaponized version” of the exploit and threaten private networks.
The researchers reported their discovery to Avaya. In June this year, Avaya issued a patch for the affected VoIP phones.
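The exposure described above, a DHCP client acting on whatever a remote DHCP server sends, comes down to validating every option length before the client uses the bytes. The parser below is an added example written for this article; it is not Avaya’s code, not ISC dhclient, and does not reproduce the specific 2009 bug, which the article does not detail. The option codes and their expected lengths follow RFC 2132, and the packets are constructed for the illustration and contain only the options field, not full DHCP messages.

```python
import struct

# Magic cookie that starts the options field of a DHCP message (RFC 2132)
MAGIC_COOKIE = b"\x63\x82\x53\x63"

# Option codes and the value length a strict client should require for them
# (from RFC 2132; only a handful of common options are covered in this example)
EXACT_LENGTH = {1: 4, 51: 4, 53: 1, 54: 4}   # subnet mask, lease time, message type, server id
MULTIPLE_OF_FOUR = {3, 6}                     # routers, DNS servers: one or more IPv4 addresses
OPTION_PAD, OPTION_END = 0, 255


class MalformedOption(ValueError):
    """Raised when a server-supplied option would not fit or has an unexpected length."""


def parse_options(data):
    """Strictly parse DHCP options; every length is checked before any bytes are used."""
    if not data.startswith(MAGIC_COOKIE):
        raise MalformedOption("missing magic cookie")
    i = len(MAGIC_COOKIE)
    options = {}
    while i < len(data):
        code = data[i]
        if code == OPTION_PAD:
            i += 1
            continue
        if code == OPTION_END:
            return options
        if i + 1 >= len(data):
            raise MalformedOption("truncated option header for code %d" % code)
        length = data[i + 1]
        start, end = i + 2, i + 2 + length
        if end > len(data):
            raise MalformedOption("option %d length %d runs past the packet" % (code, length))
        if code in EXACT_LENGTH and length != EXACT_LENGTH[code]:
            raise MalformedOption("option %d must be %d bytes, got %d" % (code, EXACT_LENGTH[code], length))
        if code in MULTIPLE_OF_FOUR and (length == 0 or length % 4):
            raise MalformedOption("option %d must carry whole IPv4 addresses" % code)
        options[code] = data[start:end]
        i = end
    raise MalformedOption("missing end option")


def safe_parse(data):
    """Return the parsed options, or None when the packet should be dropped."""
    try:
        return parse_options(data)
    except MalformedOption:
        return None


def ipv4(raw):
    """Render a 4-byte option value as dotted-quad text."""
    return ".".join(str(b) for b in raw)


# Constructed packets for this example: a well-formed offer, an option with the
# wrong fixed length, and an option whose declared length overruns the buffer.
GOOD = (MAGIC_COOKIE
        + bytes([53, 1, 2])                          # DHCPOFFER
        + bytes([1, 4, 255, 255, 255, 0])            # subnet mask 255.255.255.0
        + bytes([3, 4, 192, 0, 2, 1])                # router 192.0.2.1
        + bytes([51, 4]) + struct.pack("!I", 86400)  # lease time 86400 s
        + bytes([OPTION_END]))
BAD_MASK = MAGIC_COOKIE + bytes([53, 1, 2]) + bytes([1, 8]) + b"\xff" * 8 + bytes([OPTION_END])
OVERRUN = MAGIC_COOKIE + bytes([53, 1, 2]) + bytes([3, 200]) + b"\x00" * 4

if __name__ == "__main__":
    opts = parse_options(GOOD)
    print("mask", ipv4(opts[1]), "router", ipv4(opts[3]),
          "lease", struct.unpack("!I", opts[51])[0])
    print("bad mask accepted?", safe_parse(BAD_MASK) is not None)
    print("overrun accepted?", safe_parse(OVERRUN) is not None)
```

The two rejected packets show the checks that matter: a declared length is never trusted to fit the remaining buffer, and options with a fixed size are refused at any other size rather than copied as-is into a fixed-size destination.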
VOIP Phones as Path to Intrusion
Early this month, researchers at Microsoft Threat Intelligence Center reported that VoIP phones are among the devices being used by a known cyber adversary to gain initial access to corporate networks. Aside from VoIP phones, the researchers said, the popular office IoT devices printers and video decoders are also being used by this known adversary to gain an initial foothold in corporate networks.
Researchers at Microsoft Threat Intelligence Center, however, didn’t specify the brands of VoIP phone, office printer and video decoder. These office devices, according to the researchers, were compromised either because they were deployed without changing the manufacturer’s default login details or because the latest security update hadn’t been applied.
According to Microsoft Threat Intelligence Center researchers, the known cyber adversary used these 3 popular office IoT devices as points of ingress to gain an initial foothold in a corporate network. Once inside a corporate network via these compromised IoT devices, the attacker was seen conducting a simple network scan to look for other vulnerable devices.
As the attacker moved from one vulnerable device to another, a simple shell script was dropped to establish persistence on the network. This simple shell script allowed the attacker to search for higher-privileged accounts that would grant access to higher-value data, the researchers at Microsoft Threat Intelligence Center found.
Aside from using popular office IoT devices as points of ingress in accessing high-value data, these compromised devices are also used to build a botnet – referring to a group of devices infected with a malicious software (malware) and controlled by an attacker or attackers for malicious activities, including distributed denial-of-service (DDoS) attacks. In a DDoS attack, a botnet or group of infected devices is controlled to direct their traffic to a target, overwhelming this target with too much traffic that the target can’t handle, ultimately bringing the target offline and rendering the target inaccessible to its legitimate customers.
VPNFilter is an example of a botnet. At its peak, VPNFilter infected at least 500,000 networking devices in at least 54 countries. The devices affected by VPNFilter were Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well as QNAP network-attached storage (NAS) devices.
According to researchers at Cisco, VPNFilter has a self-destruct capability that can be triggered en masse via the botnet structure and has the potential to cut off internet access for hundreds of thousands of users worldwide. The researchers are unsure why so many devices were infected with VPNFilter. Most of the infected devices, however, either had known public exploits or still used the manufacturer’s default login details.
In May 2018, the potential negative effect of VPNFilter was mitigated when the U.S. Federal Bureau of Investigation (FBI) seized a domain used as command and control (C2) by the threat group in its botnet campaign. In a botnet operation, the C2 (which could be a website or a public cloud account) is used to communicate with or control the infected devices.
The devastating effect of a botnet was shown to the world when the Mirai botnet attacked Dyn, a major dynamic DNS provider, in 2016, resulting in widespread internet outages across the U.S. and Europe. The earlier versions of Mirai, including the one that attacked Dyn, infected hundreds of thousands of wireless cameras and routers and turned them into botnets. Since the publication of Mirai's source code in 2016, a number of Mirai versions have been observed in the wild.
Researchers at Palo Alto Networks discovered a different version of Mirai that targeted WePresent WiPG-1000 Wireless Presentation systems and LG Supersign TVs – IoT devices that are often used by businesses. Many of the Mirai variants infect IoT devices by exploiting the practice of users not changing the manufacturer’s default login details.
Today’s IoT devices outnumber the combined number of personal computers and mobile phones. Hundreds of thousands, if not millions, of these IoT devices are, however, left without basic management.
Changing the manufacturer’s default login details and applying the latest security update are two cyber security best practices that prevent malicious actors from accessing your organization’s network. These practices also stop your organization’s IoT devices from being used as part of a botnet for malicious activities such as DDoS attacks.
Steve E. Driz, I.S.P., ITCP