NASA’s Jet Propulsion Laboratory (JPL) Hacked for 10 Months
The Office of Inspector General of the National Aeronautics and Space Administration (NASA) recently revealed that the Jet Propulsion Laboratory (JPL), the center of NASA’s interplanetary robotic research efforts, was hacked for 10 months.
According to NASA's Office of Inspector General, JPL, being the center of NASA’s interplanetary robotic research efforts, maintains wide public internet-facing IT systems that support missions and networks that control spacecraft, collect and process scientific data and perform critical operational functions. Despite efforts to protect these public internet-facing IT systems, NASA's Office of Inspector General said that critical vulnerabilities remained, resulting in a cyber-attack on JPL’s network which started in April 2018.
This April 2018 attack, NASA's Office of Inspector General said, remained undetected for 10 months resulting in the exfiltration of approximately 500 megabytes of data from 23 files, 2 of which contained “International Traffic in Arms Regulations information related to the Mars Science Laboratory mission”.
How JPL’s Network Was Hacked and Lessons Learned
The April 2018 attack on JPL’s network, NASA's Office of Inspector General found, started when an unauthorized Raspberry Pi connected to its network. Raspberry Pi is a credit card-sized computer that’s capable of doing everything a desktop computer can do, from browsing the internet to playing games. The audit report showed that the malicious Raspberry Pi found its way into JPL’s network through the following series of events:
1. Incomplete and Inaccurate System Component Inventory
The report of NASA's Office of Inspector General showed that the malicious Raspberry Pi found its way into JPL’s network as JPL had incomplete and inaccurate information about the types and location of NASA system components and assets connected to its network.
One cybersecurity best practice for preventing unauthorized intrusions into a network is maintaining a complete and accurate inventory of all devices connected to it. This inventory is essential for effectively monitoring, reporting and responding to cybersecurity incidents. Benefits of a proper inventory of network assets include vetting and clearance of assets by security officials before they connect to the network, timely patching, and tracking of valuable assets and of the data stored on them.
2. Inadequate Segmentation of Network Environment Shared with External Partners
Due to the nature of JPL’s work, its partners, including foreign space agencies, contractors and educational institutions are allowed remote access to its network for specific missions and data. Network segmentation creates barriers that attackers can’t cross as these barriers eliminate connections to other systems.
According to NASA's Office of Inspector General, the April 2018 cyber-attack exploited the lack of segmentation of JPL’s network, enabling the attacker to move between various systems connected to the network. In May 2018, NASA's Office of Inspector General said, IT security officials at the Johnson Space Center (Johnson), which handles programs such as the Orion Multi-Purpose Crew Vehicle and International Space Station, decided to temporarily disconnect from the JPL’s network due to security concerns. “Johnson officials were concerned the cyber-attackers could move laterally from the gateway into their mission systems, potentially gaining access and initiating malicious signals to human space flight missions that use those systems,” NASA's Office of Inspector General said.
3. Untimely Patch Application
Patches, also known as security updates, fix known security vulnerabilities. Attackers often exploit known security vulnerabilities for which patches are already available, knowing that many organizations delay applying these patches for days, and some even for months or years.
According to NASA's Office of Inspector General, JPL didn’t apply the patch that fixes a known software vulnerability first identified in 2017 and rated with a critical score of 10, the highest possible severity rating. This 2017 security vulnerability, NASA's Office of Inspector General said, was only patched in March 2019; during the April 2018 cyber-attack, one of JPL’s four compromised systems hadn’t been patched for the said vulnerability in a timely manner, resulting in the exfiltration of 23 files containing approximately 500 megabytes of data.
4. Delayed Response to the Attack
After detection of a cyber-attack, the next logical steps are containment and eradication. Containment strategies include performing a system shutdown, disconnecting a system from the network and identifying all attack paths. Eradication strategies, meanwhile, include assessment and analysis of exploited vulnerabilities, removal of malware and affected files, and application of security patches. “Most of these steps [containment and eradication] require sophisticated forensic expertise and tools that when not available in-house should be in place through service agreements with specialized providers,” NASA's Office of Inspector General said.
Although JPL had disabled the account targeted by the adversary and closed off the known path of attack, NASA's Office of Inspector General said the NASA Security Operations Center requested an independent assessment from the Department of Homeland Security (DHS) United States Computer Emergency Readiness Team (US-CERT) to determine the extent of the attack and completely remove the adversary from JPL’s network. NASA's Office of Inspector General added that, as JPL was unfamiliar with DHS’s standard engagement procedures, DHS was only able to scan JPL’s entire network 4 months after the cyber-attack was detected.
“Once DHS performed the scans, it determined there were no other attack paths and deemed the network clean; however, the delay in executing the eradication steps left NASA data and systems vulnerable to potential additional harm,” NASA's Office of Inspector General noted.
Your business may suffer the same fate if left unprotected. More importantly, to truly understand the state of your cyber defences, you must perform an IT security audit.
Call us today and find out if your business is well protected.
Another Canadian City Falls Victim to Phishing Email, Loses Half a Million Dollars as a Result
The City of Burlington, Ontario recently revealed that it fell victim to a phishing email, resulting in the loss of the City’s funds worth half a million dollars.
In a statement, the City of Burlington said that a phishing email was sent to City staff requesting a change to the banking account information of an established City vendor. As a result of the phishing email, the City said, a single wire transfer of funds worth approximately half a million dollars was sent to a bank account controlled by an unknown attacker or attackers last May 16.
The City said it only discovered it was a victim of fraud last May 23. The cyber incident has been reported to authorities and criminal investigations are underway by the appropriate authorities, the City said.
What Is Phishing Email?
Phishing emails are malicious emails used by cyber-attackers to launch attacks against their victims. A traditional phishing email contains a malicious attachment that, when opened, downloads and installs malware on the victim’s computer. It may instead contain a malicious link that, when clicked, leads to a malicious website hosting malware, from which the malware is downloaded and installed on the victim’s computer.
In recent years, cyber-attackers have weaponized email to commit a form of fraud known as Business Email Compromise (BEC). BEC attackers target small, medium and large organizations, as well as individuals. Prior to sending the phishing emails, BEC attackers monitor and study their selected victims.
Targeted organizations and individuals are those that regularly perform wire transfer payments. In a BEC attack, the email address of a high-level employee or an executive involved with wire transfer payments is either spoofed or compromised, resulting in the loss of funds.
According to the Federal Bureau of Investigation (FBI), as of July 12, 2018, BEC became a 12 billion dollar scam. The FBI said that from October 2013 to May 2018, a total of 78,617 BEC incidents were reported worldwide, with loss to this scam amounting to US$12.5 billion.
In April this year, another Canadian city, the City of Ottawa, revealed that it fell victim to a similar attack. Based on the report released by the Office of the Auditor General of the City of Ottawa, on July 6, 2018, the City Treasurer received an email which appeared to be from the City Manager.
This email, which was later identified as a spoofed email, requested that a wire transfer in the amount of US$97,797.20 be processed for the completion of an acquisition. On the same day the spoofed email was received, with the City Treasurer’s approval, US$97,797.20 was sent to the bank account controlled by malicious actors.
The said amount was transferred from one bank account to another, with a portion of the amount ending up in one of the bank accounts monitored by the U.S. Secret Service. The U.S. Secret Service contacted the City of Ottawa to inform it that the funds had been seized. The City of Ottawa, through its City Solicitor, filed a petition before the U.S. Government, asserting the City’s claim on the seized funds. It’s still unclear how much the City of Ottawa will eventually recover.
Spoofed and Compromised Emails
BEC attackers trick their victims into wiring funds into bank accounts they control by spoofing or compromising email accounts belonging to persons in authority, in particular, those in charge of approving the release of funds. Email spoofing refers to the sending of an email which is made to appear as though it was sent by someone other than the actual sender.
Many BEC attackers purchase a domain name similar to the target organization’s domain in order to own an email address that closely resembles the target organization, for instance, “xocompany.com” is similar to “xoc0mpany.com”. Attackers send this spoofed email hoping that the receiver wouldn’t notice the wrong email address.
Email spoofing can also be achieved by manipulating the visible email header. Each email carries two sets of sender information, one visible and one that isn’t readily visible. The visible header includes the familiar "From" field, which contains the email address of the sender.
This visible "From" address can be set by the attacker to a correctly-spelled email address that’s familiar to the recipient. If the recipient checks the sender information that isn’t readily visible, also known as the “SMTP envelope”, the real email address of the malicious sender can be seen.
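The header-versus-envelope comparison described above, as an added example that is not part of the original article: it parses a constructed message, compares the visible From: domain with the envelope sender as recorded by the receiving mail server in the Return-Path header, and also flags registered lookalike domains such as the article's “xoc0mpany.com”. The trusted-domain list, the sample messages and the 0.85 similarity threshold are assumptions for illustration.

```python
import email
from email.utils import parseaddr
from difflib import SequenceMatcher

# Domains this organisation treats as its own or its vendors'. Assumed for the
# example; "xocompany.com" is the article's illustrative domain.
TRUSTED_DOMAINS = ("xocompany.com",)

# Constructed sample messages, not taken from any real incident. Return-Path
# carries the SMTP envelope sender as recorded by the receiving mail server
# (only trust it when your own server wrote it); From: is the visible header
# shown by the mail client.
SPOOFED_HEADER = b"""Return-Path: <billing@xoc0mpany.com>
From: "Accounts Payable" <ap@xocompany.com>
To: treasurer@example.org
Subject: Updated banking details for vendor payment

Please update the wire instructions for our account before Friday.
"""

LOOKALIKE_DOMAIN = b"""Return-Path: <ap@xoc0mpany.com>
From: "Accounts Payable" <ap@xoc0mpany.com>
To: treasurer@example.org
Subject: Updated banking details for vendor payment

Please update the wire instructions for our account before Friday.
"""

LEGITIMATE = b"""Return-Path: <ap@xocompany.com>
From: "Accounts Payable" <ap@xocompany.com>
To: treasurer@example.org
Subject: Invoice 1042

Invoice attached as usual.
"""


def domain_of(addr_spec):
    """Lower-cased domain part of an address, or "" if there is none."""
    return addr_spec.rsplit("@", 1)[1].lower() if "@" in addr_spec else ""


def lookalike_of(domain, trusted=TRUSTED_DOMAINS, threshold=0.85):
    """Return the trusted domain that `domain` closely resembles but does not
    equal (e.g. xoc0mpany.com vs xocompany.com), otherwise None."""
    for t in trusted:
        if domain == t:
            return None
        if SequenceMatcher(None, domain, t).ratio() >= threshold:
            return t
    return None


def analyze(raw_message):
    """Compare the visible From: domain with the envelope (Return-Path) domain
    and report the two spoofing patterns: a forged visible header, and a
    registered lookalike domain."""
    msg = email.message_from_bytes(raw_message)
    header_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    envelope_domain = domain_of(parseaddr(msg.get("Return-Path", ""))[1])
    findings = []
    # Pattern 1: the visible From: claims a trusted domain, but the SMTP
    # envelope sender comes from somewhere else.
    if header_domain in TRUSTED_DOMAINS and envelope_domain != header_domain:
        findings.append("envelope_mismatch:%s!=%s" % (envelope_domain, header_domain))
    # Pattern 2: the header or envelope domain is a near-copy of a trusted one.
    for d in sorted({header_domain, envelope_domain}):
        target = lookalike_of(d)
        if target:
            findings.append("lookalike:%s~%s" % (d, target))
    return {"header_domain": header_domain,
            "envelope_domain": envelope_domain,
            "findings": findings}


if __name__ == "__main__":
    for name, raw in (("spoofed header", SPOOFED_HEADER),
                      ("lookalike domain", LOOKALIKE_DOMAIN),
                      ("legitimate", LEGITIMATE)):
        print(name, "->", analyze(raw)["findings"])
```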
BEC attackers also launch their phishing emails from compromised legitimate email accounts, for instance, the email account of the organization’s CEO. BEC is also known as the “CEO scam” because of the growing number of spoofed and compromised CEO emails.
In the case of a compromised email account, the attackers gain total access to a legitimate email account. One way an attacker gains unauthorized access to a legitimate email account is through another phishing email, tricking the victim into clicking on a malicious attachment or link, resulting in the installation of malware on the victim’s computer.
An example of malware is the keylogger – a type of malware that records every keystroke made by a computer user, capturing information such as usernames and passwords to emails and sending these data remotely to the attackers. Armed with these stolen login details, attackers can then access the victim’s email. From this compromised email, attackers can send an email ordering a lower-ranked employee in charge of releasing funds to proceed with the bogus wire transfer.
When you need assistance protecting your business from phishing attacks, help is a phone call away. Connect with us today and take a step forward to a better cybersecurity posture.
Hong Kong Privacy Watchdog Orders Cathay to Overhaul IT Systems Over 2018 Data Breach
Hong Kong’s Privacy Commissioner for Personal Data Stephen Kai-yi Wong has ordered Cathay Pacific Airways Limited and Hong Kong Dragon Airlines Limited, collectively referred to as Cathay, to overhaul its IT systems containing personal data of its customers over the 2018 data breach which affected approximately 9.4 million passengers from different parts of the world.
On October 24, 2018, Cathay notified both the public and Hong Kong’s Privacy Commissioner for Personal Data about suspicious activity detected on its network on March 13, 2018. According to Cathay, approximately 9.4 million Cathay passengers, specifically members of the company’s frequent flyer programs Asia Miles and Marco Polo Club as well as registered users of Cathay from over 260 locations worldwide, were affected by the cyber incident. The affected personal data of Cathay passengers include name, flight number and date, title, email address, membership number, address and phone number.
Customers of both Cathay Pacific Airways Limited and Hong Kong Dragon Airlines Limited, also known as Cathay Dragon, were affected as Cathay Pacific managed and provided information management services to Cathay Dragon. With this set-up, personal data of Cathay Dragon’s passengers reside on Cathay Pacific’s IT System.
The “Data Breach Incident Investigation Report” publicly released by Hong Kong’s Privacy Commissioner for Personal Data – with much of the data coming from Cathay’s own disclosure – identified three cyber incidents on Cathay systems: a keylogger attack in October 2014, exploitation of a known security vulnerability in August 2017 and a brute force attack in March 2018.
The earliest evidence of keylogger malicious software (malware) activity on the company’s system was on October 15, 2014. In keylogging, every keystroke made on a computer, such as usernames and passwords, is captured and the captured data are automatically sent to the attackers for criminal exploitation. It isn’t known how the unknown attacker or attackers initially intruded into the company’s system to drop the keylogger malware.
Valid user account login details stolen via the keylogger malware, according to the report, enabled the attackers to move further into the company’s network and drop additional tools to steal domain credentials.
Exploitation of Known Vulnerability Attack
The earliest evidence of suspicious activity where it was found that the attackers exploited a known vulnerability on the company’s internet facing server was on August 10, 2017. The exploitation of this known vulnerability allowed the attackers to bypass authentication and gain administrative access to the company’s internet facing server.
Exploiting the known vulnerability also allowed the attackers to move laterally inside the company’s IT system and install malware and credential harvesting tools. It wasn’t disclosed what particular vulnerability on the company’s internet facing server was exploited. It was, however, revealed that this particular security vulnerability was publicly known as early as 2007.
Brute Force Attack
The earliest evidence of a brute force attack on the company’s system was on March 13, 2018, when approximately 500 staff users were locked out of their user accounts. In a brute force attack, a cyber attacker attempts to find the correct username and password by trial and error. Brute force tools available to attackers automate the process of guessing the correct username and password using thousands of commonly used usernames and passwords.
Even though the keylogger attack happened in October 2014, the exploitation of a known security vulnerability in August 2017 and the brute force attack in March 2018, Cathay only informed the public and Hong Kong’s Privacy Commissioner for Personal Data about the suspicious activity on its network on October 24, 2018. In Hong Kong, however, there’s no law that requires organizations such as Cathay to notify the Privacy Commissioner for Personal Data and the data subjects of a data breach within a prescribed period of time.
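A detection check for the lockout pattern described above, added here as an example and not part of the original article or of Cathay's systems: it reads constructed authentication log lines and raises an alert when a single source produces many failed logins against many distinct accounts within a short window, which is the shape of an automated guessing attack before the lockouts start. The log format, the addresses (taken from documentation ranges) and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real Cathay data). Each line is:
# <ISO timestamp> <FAIL|SUCCESS|LOCKOUT> <username> <source IP>.
# One source cycles through ten different accounts in under a minute.
SAMPLE_LOG = """\
2018-03-13T02:00:01 FAIL jsmith 203.0.113.7
2018-03-13T02:00:05 FAIL alee 203.0.113.7
2018-03-13T02:00:09 FAIL mwong 203.0.113.7
2018-03-13T02:00:12 SUCCESS kchan 198.51.100.4
2018-03-13T02:00:14 FAIL pkumar 203.0.113.7
2018-03-13T02:00:18 FAIL rlam 203.0.113.7
2018-03-13T02:00:21 FAIL bho 203.0.113.7
2018-03-13T02:00:25 FAIL dng 203.0.113.7
2018-03-13T02:00:30 FAIL tyip 203.0.113.7
2018-03-13T02:00:33 FAIL syeung 203.0.113.7
2018-03-13T02:00:37 FAIL cleung 203.0.113.7
2018-03-13T02:00:40 FAIL jsmith 203.0.113.7
2018-03-13T02:00:44 LOCKOUT jsmith 203.0.113.7
2018-03-13T02:05:10 FAIL kchan 198.51.100.4
"""

# A user mistyping a password twice must not raise an alert.
BENIGN_LOG = """\
2018-03-13T09:15:02 FAIL kchan 198.51.100.4
2018-03-13T09:15:20 FAIL kchan 198.51.100.4
2018-03-13T09:15:41 SUCCESS kchan 198.51.100.4
"""


def parse_line(line):
    """Split one log line into (timestamp, outcome, username, source)."""
    ts, outcome, user, src = line.split()
    return datetime.fromisoformat(ts), outcome, user, src


def detect_bruteforce(log_text, window=timedelta(minutes=5),
                      min_failures=10, min_users=5):
    """Return one alert per source IP whose failed logins within `window`
    reach `min_failures` and touch at least `min_users` distinct accounts.
    Requiring many distinct users separates guessing attacks from a single
    person who has simply forgotten a password."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    fails_by_src = defaultdict(list)
    lockouts_by_src = defaultdict(int)
    for ts, outcome, user, src in events:
        if outcome == "FAIL":
            fails_by_src[src].append((ts, user))
        elif outcome == "LOCKOUT":
            lockouts_by_src[src] += 1

    alerts = []
    for src, fails in fails_by_src.items():
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            span = fails[start:end + 1]
            users = {u for _, u in span}
            if len(span) >= min_failures and len(users) >= min_users:
                alerts.append({
                    "source": src,
                    "failures": len(span),
                    "distinct_users": len(users),
                    "lockouts": lockouts_by_src[src],
                    "first": span[0][0].isoformat(),
                    "last": span[-1][0].isoformat(),
                })
                break  # one alert per source is enough for this example
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print("ALERT", alert)
    print("benign log alerts:", detect_bruteforce(BENIGN_LOG))
```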
“Cathay did not take all reasonably practicable steps to protect the Affected Passengers’ personal data against unauthorised access in terms of vulnerability management, adoption of effective technical security measures and data governance, contravening DPP 4(1) of Schedule 1 to the Ordinance [Hong Kong’s Personal Data Ordinance],” Wong said.
The Commissioner, in particular, found that Cathay had not taken reasonably practicable steps to avoid exposing the administrator console port of its internet facing server, which opened the door for attackers. “Cathay should have applied effective multi-factor authentication to all remote access users for accessing its IT System involving personal data,” the Commissioner said.
Data Breach Prevention
Under Hong Kong’s Personal Data Ordinance, if after an investigation, the Privacy Commissioner for Personal Data finds that a data user is contravening or has contravened a requirement under the Ordinance, the Commissioner may serve on the data user an Enforcement Notice to prevent recurrence of the lapses. The Commissioner’s Enforcement Notice directed Cathay to engage an independent data security expert to “overhaul the systems containing personal data to the effect that these systems are free from known malware and known vulnerabilities”.
The Commissioner also directed Cathay to implement effective multi-factor authentication to all remote users for accessing the company’s IT System involving personal data and to conduct a regular review of remote access privileges.
To prevent a Cathay-like data breach, it’s also important to keep all your organization’s software, especially server operating systems, up to date, as attackers typically try to exploit known software security vulnerabilities.
Navigating the world of cybersecurity can be difficult for many businesses, including large enterprises.
Canada’s Anti-Spam Legislation (CASL) Goes After Malware Distributors
Canada’s Anti-Spam Legislation (CASL), the federal law which took effect in 2014, is proving to be more than an anti-spam law with its recent application against malicious actors spreading malicious software (malware).
The Canadian Radio-television and Telecommunications Commission (CRTC), in tandem with the Royal Canadian Mounted Police (RCMP), on March 27, 2019 executed a warrant at the home of a Toronto software developer behind the remote access trojan (RAT) called “Orcus”. A remote access trojan, in general, is a type of malware that facilitates covert and unauthorized remote access, enabling a malicious actor to access someone else's computer, no matter where this computer is geographically located, and make changes to it without the owner’s consent.
What Is Canada’s Anti-Spam Legislation (CASL)?
Canada’s Anti-Spam Legislation (CASL), which amended the Canadian Radio-television and Telecommunications Commission Act, covers more than just spam emails. Pertinent provisions of the law include:
Section 6: It is prohibited to send or cause or permit to be sent to an electronic address a commercial electronic message unless the person to whom the message is sent has consented to receiving it, whether the consent is express or implied.
Section 7: It is prohibited, in the course of a commercial activity, to alter or cause to be altered the transmission data in an electronic message so that the message is delivered to a destination other than or in addition to that specified by the sender, unless the alteration is made with the express consent of the sender or the person to whom the message is sent; or the alteration is made in accordance with a court order.
Section 8: A person must not, in the course of a commercial activity, install or cause to be installed a computer program on any other person’s computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless the person has obtained the express consent of the owner or an authorized user of the computer system; or the person is acting in accordance with a court order.
Section 9: It is prohibited to aid, induce, procure or cause to be procured the doing of any act contrary to any of sections 6 to 8.
The maximum penalty for violating CASL is $1,000,000 in the case of an individual, and $10,000,000 in case the violator is an organization.
What Is Orcus RAT?
While authorities refused to name the subject of the March 27, 2019 CRTC warrant, the person who calls himself “Armada” said in a statement that his organization called “Orcus Technologies” was the subject of the said warrant. Since early 2016, Orcus Technologies has marketed Orcus RAT as a legitimate remote administration tool – a software that gives a person full access to a computer as if the person had physical access to the device.
Armada said authorities seized numerous backup hard drives which contained a large portion of Orcus Technologies business, including user information inclusive of user names, real names and financial transactions. As a result of the seizure, Armada said Orcus RAT is no longer a “safe or secure solution to Remote Administrative needs”.
One standout feature of the Orcus RAT is its capability to load custom plugins built by users, as well as plugins that are available from the Orcus repository. While Orcus Technologies claims that Orcus RAT is a legitimate remote administration tool, it listed on its website capabilities that are beyond the scope of a legitimate remote administration tool, such as disabling the light indicator on webcams so as not to alert the target that the webcam is enabled; restarting the server component or triggering a Blue Screen of Death (BSOD) if someone tries to kill its process; and a plugin that can be used to perform distributed denial-of-service (DDoS) attacks.
Orcus RAT also features capabilities such as password retrieval and key logging that are normally not seen in legitimate remote administration tools but only seen in remote access trojans, which facilitate covert and unauthorized remote access.
One such remote access trojan, which facilitates the installation of the Orcus RAT, was unleashed in December 2017 via a phishing campaign – a type of cyber-attack that uses spam emails as a weapon. The said spam emails arrived in the inboxes of targeted bitcoin investors offering Gunbot, a trading automation software for cryptocurrencies. These spam emails contained an attachment. Analysis by researchers at Fortinet showed that when this attachment is opened by the recipient, it downloads from a specific URL a file that contains the malware, and embedded in this malware is the Orcus RAT.
The Orcus RAT malware in this case, Fortinet researchers said, resulted in the loss of cryptocurrency investments and more. “In our investigation of Orcus RAT, we have again proven again that its capabilities go beyond the scope of a harmless administration tool,” the researchers said. “Regardless of the developer’s claim and defense, the reality is that the application is being used in cybercrime campaigns.”
CRTC Director Neil Barratt told KrebsOnSecurity that CASL gives authorities leeway to get malicious actors off the networks in Canada and elsewhere, as the burden of proof required under CASL is lower than that for a criminal conviction.
“We’re dealing with a lower burden of proof than a criminal conviction, and CASL gives us a little more leeway to get bad actors off our networks in Canada and to ultimately improve security for people here and hopefully elsewhere,” Barratt said. “We have great power in CASL and Section 9 makes it a violation to aid in the doing of a violation. And this extends quite broadly, across email service providers and various intermediaries.”
Malicious Email Campaigns Geo-Target Canadian Organizations, Report Says
Canadian organizations are increasingly becoming the targets of cyber-attackers as shown in the recent discovery of nearly 100 malicious email campaigns specifically targeting organizations based in Canada.
In the report "Beyond 'North America' - Threat actors target Canada specifically", researchers at Proofpoint reported that between January 1, 2019 and May 1, 2019, threat actors conducted nearly 100 malicious email campaigns specifically targeting Canadian organizations or customized for Canadian audiences.
Malicious Email Campaigns
A malicious email campaign, also known as a phishing scam, is a type of cyber-attack that uses emails as a weapon. Phishing emails contain malicious attachments or malicious links.
Downloading the malicious attachment or clicking the malicious link could lead to compromise. Victims are tricked into opening the malicious email and downloading the attachment or clicking the link because threat actors use branding familiar to the recipients.
In the recent malicious email campaigns detected by Proofpoint researchers, the top affected organizations in Canada include financial services, energy/utilities, manufacturing, healthcare and technology. The researchers also observed that some of the malicious emails sent were customized for the French-speaking recipients in Canada.
In the nearly 100 malicious email campaigns specifically targeting Canadian organizations, Proofpoint researchers also observed that the threat actors tricked the victims into opening the malicious email or downloading the malicious attachment or clicking the malicious link by stealing the branding of several notable Canadian companies and agencies including national banks, major shipping and logistics organizations and government agencies.
“Emotet in particular, with its frequent region-specific email campaigns, is bringing new attention to geo-targeting in Canada …,” Proofpoint researchers said.
The first version of the malicious software (malware) Emotet, which was first observed in 2014 targeting German and Austrian victims, functioned as a banking trojan – a type of malware designed to steal financial data.
Since then, Emotet has evolved into a powerful malware, with its ability to continuously evolve and update its capabilities for various online criminal activities from information stealing to distributed denial-of-service (DDoS) attacks. In recent years, instead of delivering its own banking trojan, Emotet has delivered third-party banking trojans such as Qbot, The Trick, IcedID and Gootkit.
In 2018, the United States Computer Emergency Readiness Team (US-CERT) issued an alert warning about the dangers of Emotet. "Emotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors,” US-CERT said. “Emotet infections have cost SLTT governments up to $1 million per incident to remediate.”
One of the reasons why Emotet continues to be among the most costly and destructive malware is its worm-like capability, that is, the ability to spread from computer to computer without any human action.
Emotet has been known to spread from computer to computer without any human interaction by accessing Server Message Block (SMB), an internet standard protocol that Windows uses to share files, printers and serial ports. “Emotet’s access to SMB can result in the infection of entire domains (servers and clients),” US-CERT said.
Emotet is also capable of spreading its own phishing email without human interaction through the use of an Outlook scraper, a tool that scrapes names and email addresses from the victim’s Outlook accounts and uses these names and email addresses to send out additional phishing emails from the compromised accounts.
According to Proofpoint researchers, the threat actor called “TA542” is the primary actor behind Emotet. Proofpoint researchers said that this threat actor is known to use the latest version of Emotet and develops malicious emails specific to given regions in the world.
"TA542 typically distributes high volume email campaigns consisting of hundreds of thousands or even millions of messages targeting all industries,” Proofpoint researchers said. “TA542 is currently one of the most prolific actors in the entire threat landscape. With TA542’s international reach and high volume campaign strategy, we expect Emotet use to continue to grow in the upcoming quarters.”
Even as Emotet has evolved in terms of capabilities, one thing remains constant with this malware: delivery is always via malicious email. As the delivery is always via malicious email, it’s important to protect your organization’s email system from this threat through the following mitigating measures:
Here are additional cyber-security measures in order to block or mitigate the effects of Emotet:
Timely identification and mitigation of IT risks can save your business from suffering costly consequences. Call us today and we will show you how to better protect your staff and your sensitive information against targeted attacks.
How Much Does Cybercrime Cost Canadian Companies?
Cybercrime continues to pose a real risk to businesses of all sizes, across all industries. Attackers have ever-more-sophisticated tools and techniques at their disposal, empowering them to launch bold hacks — with potentially devastating results.
We all want to believe we’ve taken the necessary steps to build a safe, secure business that’s strong enough to resist cyber-attacks. We all want to trust our team is informed and educated enough to avoid opening the doors for viruses to simply walk into our systems. But, sadly, that’s not always the case.
Businesses worldwide have a shared responsibility — to their clients and employees — to take precautions against cybercrime. When personal and financial details are leaked by attackers, people and businesses alike can suffer. Research reveals the average price paid by Canadian firms in 2018 amounts to a staggering US$9.25 million per business.
This is an astonishing sum of money for any company, even those operating at an international or global level. Let’s take a closer look at which types of attacks were most common, what the biggest vulnerabilities are and more.
The Most Common Cybersecurity Risks Facing Canadian Businesses
Cybercrime comes in many forms, but the most prevalent throughout 2018 was the malware-based attack. Individual companies in Canada lost over US$2 million on average to these, and the number of malware-based attacks actually grew by 11 percent from the previous year.
That’s sobering news for any company taking a lax approach to its cybersecurity. Malware can infect your system and cause major disruptions with surprising ease: all it takes is one unaware employee downloading a suspicious attachment from an unsecure website or email. Your entire business could be affected for days or weeks, costing you valuable time and money.
As well as malware-based cybercrimes, ransomware became even more of a danger to Canadian companies in 2018, growing by 15 percent. This is a particularly unnerving type of attack, essentially locking certain key aspects of your business’s system until you agree to pay the amount of money (typically, a cryptocurrency) demanded.
The risk of ransomware
Ransomware may bring your working processes to a halt or, to a lesser extent, cause severe delays. Clients may become frustrated and concerned by your system’s vulnerabilities, choosing to take their business elsewhere. They could spread the word of your security flaws to acquaintances, relating their own stories either privately or publicly.
This can affect your reputation enough to leave prospective new clients wondering how safe their data will be in your hands. Winning their trust and demonstrating how you plan to handle any similar incidents in the future would be a sizeable challenge, particularly when you’re in a competitive industry.
Around 70 percent of ransomware attacks of 2018 were launched against small businesses, while the average sum of money demanded was more than $110,000 — a huge amount for any small firm. But that’s not the highest price asked for: one ransomware attack saw the victim faced with a charge of over $8 million. And one client actually paid just under $1 million to regain access to their entire system.
Some of these figures are mind-boggling, especially when even the biggest brands have so many overheads to consider. While global companies may appear to have millions of dollars to sacrifice when struck by a ransomware attack, they have many people depending on them — employee salaries, products, services and more all must be taken into account.
Enough of a powerful hit may have a domino effect, causing significant ripples to occur for a long time after. Sadly, though, one of the areas most commonly hit by ransomware attacks was healthcare. Loss of data and resources here could mean the difference between life and death in some cases.
Another form of cybercrime that grew in popularity during 2018 was phishing, with a 16 percent rise on 2017’s numbers. These attacks involve cybercriminals posing as businesses or trusted individuals to fool victims into sharing critical information such as passwords and credit card details.
Research reveals an incredible 85 percent of firms questioned have come into contact with this type of cyberattack.
One of 2018’s prominent phishing scams focused on the World Cup. Targets received emails claiming they were the lucky winners of tickets, offering the chance to become part of the excitement in Russia. For dedicated soccer fans with little to no awareness of phishing scams, such a scheme is easy to fall for, leading you to hand over crucial information in the hopes of watching a game.
However, anyone opening attachments, clicking on links or providing their details in exchange for said tickets would be in for a nasty surprise.
Taking Steps to Protect Your Business Against Cybercrime
The prevalence of cybercrime highlights just how important a proper cybersecurity program is for every single company. Simply taking the stance of assuming your business faces no risk because there are bigger targets is impractical, not to say dangerous. Just one powerful attack could cause lasting problems your team is simply unprepared for.
Taking precautions to strengthen your business’s cybersecurity plans and procedures is vital to minimize your risk of falling prey to hackers. Work with professionals to secure your system and safeguard against breaches — this offers valuable peace of mind, leaving you (and your team) free to focus on core responsibilities.
Effective training for each employee with access to any device is paramount too. It only takes one simple mistake to bring a vulnerable system to its knees, and an uninformed worker may well have no idea what constitutes a threat. There are various solutions to protect your business and build a security-savvy team with the skills to identify dangers.
Want to learn more about your cybersecurity options? Please don’t hesitate to get in touch with The Driz Group’s experts now!
How to Protect Your Organization’s Computers from WannaCry-Like Cyber-Attack
Microsoft recently took an unusual step of rolling out a patch for Windows operating systems that are out of support in an effort to stop a WannaCry-like cyber-attack.
This is the second time in just over 2 years that the technology giant rolled out a patch for Windows operating systems that are out of support. The previous unprecedented patch was rolled out at the height of the WannaCry cyber-attack on May 12, 2017.
According to Microsoft, the latest patch, which was released on May 14, 2019, fixes the security vulnerability in out-of-support versions of Windows, specifically Windows 2003 and Windows XP; as well as versions of Windows that still receive support from Microsoft, specifically Windows 7, Windows Server 2008 R2 and Windows Server 2008.
Failure to apply the May 14, 2019 patch leaves the above-mentioned out-of-support and supported versions of Windows vulnerable to a WannaCry-like cyber-attack, according to Simon Pope, Director of Incident Response at Microsoft Security Response Center (MSRC).
What Is WannaCry?
WannaCry is malicious software (malware) that wreaked havoc on more than 300,000 computers in over 150 countries in less than 24 hours on May 12, 2017. Once a computer is infected with WannaCry, the malware encrypts files on the computer's hard drive, making it impossible for legitimate users to access them, and demands a ransom payment in exchange for the decryption keys that supposedly would unlock the encrypted files.
After infecting one computer, the WannaCry malware spreads itself through the network, infecting other vulnerable devices without any further action from users. Attempts by WannaCry victims to unlock the encrypted files by paying the ransom were a useless endeavour: the malware was written in such a way that it isn’t possible to determine who paid the ransom and who didn’t, so there is no way to decrypt on a per-user basis.
Two months prior to the WannaCry cyber-attack, specifically on March 14, 2017, Microsoft released a patch that fixes the security vulnerability exploited by WannaCry. The patch, however, wasn’t made available to Windows operating systems that were out of support, specifically Windows XP, Windows 8 and Windows Server 2003. At the height of the WannaCry cyber-attack on May 12, 2017, Microsoft took the unusual step of rolling out a patch for these 3 out-of-support versions of Windows.
The WannaCry malware was able to infect hundreds of thousands of computers in less than 24 hours as a result of these two features: remote code execution and worm capabilities.
Remote code execution is the ability of a malicious actor to access someone else's computer and make malicious changes to this computer regardless of the geographical location of this device. Worm capability, meanwhile, refers to the capability of a malware to spread itself through the network, infecting other vulnerable devices, without user interaction.
The May 14, 2019 patch released by Microsoft fixes the security vulnerability labelled CVE-2019-0708. Similar to the WannaCry malware, security vulnerability CVE-2019-0708 allows remote code execution and has worm capabilities.
Pope, Director of Incident Response at Microsoft Security Response Center (MSRC), said in a blog post that while there’s no evidence that this security vulnerability has been exploited in the wild, it’s highly likely that malicious actors will write an exploit for this vulnerability and include it in their malware.
The security vulnerability, Pope said, is “wormable”, which means that “any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017.”
WannaCry, in particular, infects vulnerable Windows operating systems via Server Message Block 1.0 (SMBv1) server – a protocol that enables Windows systems to share files, printers and serial ports. In vulnerability CVE-2019-0708, remote code execution and worm capabilities are made possible via Remote Desktop Protocol (RDP) – a proprietary protocol developed by Microsoft which allows users to access another computer over a network connection. “The Remote Desktop Protocol (RDP) itself is not vulnerable,” Pope said. “This vulnerability is pre-authentication ….”
In the past, much malware has bypassed anti-malware and other security defences via RDP. Malicious actors gain access to compromised devices by stealing or brute forcing RDP credentials.
In early 2019, authorities shut down xDedic Marketplace, a website involved in the illicit sale of RDP credentials. According to authorities, RDP login details of tens of thousands of compromised servers owned by unknowing companies and private individuals were sold on the xDedic platform for amounts ranging from $6 to more than $10,000 each.
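Brute forcing of RDP credentials, as described above, leaves a distinctive trail in the Windows Security log that defenders can alert on. The following is an added example (not from the original post or from Microsoft) that reads Security log records and flags sources hammering RDP, escalating where the same source later logs on successfully. The records are constructed; event IDs 4625/4624 and logon type 10 are the real Windows values, while the threshold and window are assumptions to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Security log semantics (real values): 4625 = failed logon, 4624 = successful
# logon, LogonType 10 = RemoteInteractive, i.e. an RDP session.
FAILED_LOGON, SUCCESS_LOGON, RDP_LOGON_TYPE = 4625, 4624, 10


def _burst(ip, user, start, count, step_seconds=10):
    """Helper that constructs `count` failed RDP logons from one source, `step_seconds` apart."""
    t0 = datetime.fromisoformat(start)
    return [{"time": (t0 + timedelta(seconds=i * step_seconds)).isoformat(),
             "event_id": FAILED_LOGON, "logon_type": RDP_LOGON_TYPE, "ip": ip, "user": user}
            for i in range(count)]


# Constructed sample events (not real log data); ordering is deliberately not chronological.
SAMPLE_EVENTS = (
    # one mistyped password from an office workstation, then a normal RDP logon
    [{"time": "2019-05-15T09:00:00", "event_id": FAILED_LOGON, "logon_type": RDP_LOGON_TYPE, "ip": "10.0.0.15", "user": "jdoe"},
     {"time": "2019-05-15T09:00:20", "event_id": SUCCESS_LOGON, "logon_type": RDP_LOGON_TYPE, "ip": "10.0.0.15", "user": "jdoe"}]
    # 12 RDP failures in two minutes from one external address, then a success: guessing that worked
    + _burst("203.0.113.7", "administrator", "2019-05-15T02:00:00", 12)
    + [{"time": "2019-05-15T02:02:10", "event_id": SUCCESS_LOGON, "logon_type": RDP_LOGON_TYPE, "ip": "203.0.113.7", "user": "administrator"}]
    # network (LogonType 3) failures are not RDP sessions and are ignored by this detector
    + [{"time": "2019-05-15T02:00:05", "event_id": FAILED_LOGON, "logon_type": 3, "ip": "198.51.100.9", "user": "svc"}]
)


def detect_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Flag source IPs with at least `threshold` failed RDP logons inside any `window`.

    Returns {ip: {"failures": total failures, "users": targeted accounts,
                  "success_after": True if the same IP logged on successfully after the burst began}}.
    """
    rdp = [dict(e, ts=datetime.fromisoformat(e["time"]))
           for e in events if e["logon_type"] == RDP_LOGON_TYPE]
    rdp.sort(key=lambda e: e["ts"])

    failures, successes, users = defaultdict(list), defaultdict(list), defaultdict(set)
    for e in rdp:
        if e["event_id"] == FAILED_LOGON:
            failures[e["ip"]].append(e["ts"])
            users[e["ip"]].add(e["user"])
        elif e["event_id"] == SUCCESS_LOGON:
            successes[e["ip"]].append(e["ts"])

    alerts = {}
    for ip, times in failures.items():
        start = 0
        for end in range(len(times)):           # sliding window over sorted failure timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_start = times[start]
                alerts[ip] = {
                    "failures": len(times),
                    "users": sorted(users[ip]),
                    # a success from the same source after the burst began is the signal to escalate
                    "success_after": any(s >= burst_start for s in successes.get(ip, [])),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, info)
```

Only logon type 10 is counted so that unrelated network logon failures do not inflate the score; in a production pipeline the same function would be fed from the event collector rather than from the constructed list.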
The top preventive measure in order to protect your organization’s computers from WannaCry and WannaCry-like cyber-attack is by keeping all software and, in particular, operating system software up-to-date.
It’s worth noting that even though it has been a long time since the major WannaCry attack, organizations continue to be victimized by this malware. Months after the major WannaCry attack, US aircraft maker Boeing fell victim to WannaCry. In March 2018, Mike VanderWel, chief engineer at Boeing Commercial Airplane production engineering, sent out an alert to his colleagues that the WannaCry malware was “metastasizing rapidly” out of Boeing’s North Charleston production plant and could potentially “spread to airplane software”. Linda Mills, head of communications for Boeing Commercial Airplanes, said in a statement, “The vulnerability was limited to a few machines.”
As an added protection to your organization’s computers, it’s best to disable Windows protocols that are often exploited by malicious actors. Specific to WannaCry malware, disable SMB protocol and for the security vulnerability CVE-2019-0708, disable RDP.
Connect with our cyber security experts today to learn more about common threats and prevent cyberattacks.
Retargeted Attacks Continue to Rise
Once a target, always a target. This seems to be the case in the City of Baltimore in Maryland as the City recently suffered another cyber-attack – the second attack in just over a year.
Last May 7, Baltimore Mayor Bernard Jack Young announced that the City’s network was infected with ransomware. As a precaution, he said, the City shut down the majority of its servers. While the City’s essential services such as the police and fire departments remained operational, the ransomware infection and the resulting shutdown of the majority of the servers caused network, email and phone outages, with nearly every other department of the City affected.
Just over a year ago, in March 2018, the City of Baltimore suffered another cyber-attack. The 2018 attack was, however, limited to Baltimore's computer network that supports emergency calls. The attack forced the staff to resort to manual operations to handle calls.
Baltimore Chief Information Officer and Chief Digital Officer Frank Johnson told Ars Technica that the 2018 cyber-attack which brought down Baltimore's computer-aided dispatch (CAD) system was caused by ransomware. The exact type of ransomware that hit Baltimore’s CAD system wasn’t revealed.
The point of entry of the ransomware was, however, partially identified. According to Johnson, the Baltimore City Information Technology office determined that "the vulnerability was the result of an internal change to the firewall by a technician who was troubleshooting an unrelated communication issue within the CAD System”.
In a press conference, Baltimore Chief Information Officer and Chief Digital Officer Johnson said that the recent cyber attack on Baltimore’s system was caused by the “very aggressive RobinHood ransomware".
Ransomware is a type of malicious software (malware) that locks out computer users by encrypting computer systems or files and demands from victims ransom payment in exchange for the decryption keys that would unlock the encrypted computer systems or files.
RobinHood ransomware is a fairly new malware. In early April, last month, the RobinHood ransomware similarly infected the network of the City of Greenville, South Carolina, which prompted the City to shut down the majority of its servers.
In late April, security researcher Vitali Kremez reverse engineered a sample of the RobinHood ransomware. Kremez told BleepingComputer that on execution, this malware stops 181 Windows services associated with antivirus and other software that could keep files open and prevent their encryption. This ransomware also doesn’t spread within the network, which means that every infected computer is individually targeted.
Kremez, meanwhile, told Ars Technica that the RobinHood ransomware attacker or attackers need administrative-level access to a system on the network “due to the way the ransomware interacts with C:\Windows\Temp directory”. It’s still unknown how the RobinHood ransomware gains access to a network and the computers connected to it.
The RobinHood ransomware drops its ransom note on the desktop, informing victims that 3 bitcoins must be paid to get the decryption key for one computer or, alternatively, 13 bitcoins for the decryption keys of an entire infected system. The ransom note also states that the cost of payment increases “$10,000 each day after the fourth day.” The value of 1 bitcoin as of May 11, 2019 4PM GMT+7 is $6,312.
Prevalence of Retargeted Cyber Attacks
A study conducted by FireEye Mandiant found that organizations that have been breached before are much more likely to be targeted again. In 2017, FireEye Mandiant reported that 56% of victims of at least one significant cyber-attack were targeted again by the same or a similarly motivated attack group. In 2018, this number continued to climb, increasing to 64%, FireEye Mandiant reported.
The top 5 retargeted industries in 2018 were finance (18%), education (13%), health (11%), pharmaceutical (9%), retail and hospitality (7%), and telecommunications (7%).
The FireEye Mandiant report further found that in 2018, organizations in the Asia-Pacific (APAC) region were far more likely to succumb to retargeted attacks, with 78% of APAC organizations falling victim to another attack. For the same period, 63% of organizations in the Americas and 57% of organizations in Europe, the Middle East and Africa (EMEA) fell victim to another attack.
"This data further substantiates the fact that if you’ve been breached, you are much more likely to be targeted again and possibly suffer another breach," FireEye Mandiant said.
How to Prevent Retargeted Attacks
Configuring ordinary workstations so that they cannot install software, and establishing a separate device or devices used exclusively for administrative tasks (installing and removing software and changing configuration settings), are two preventive measures that reduce the odds of malicious actors gaining access to your organization’s network.
Configuring ordinary workstations not to install software is a proactive means of preventing accidental installation of malicious software by unwittingly downloading malicious attachments or clicking on malicious links contained inside malicious emails.
Devices exclusively used for administrative tasks, meanwhile, should be secured through the following:
When you need help preventing cyberattacks and protecting your network and computers against ransomware, connect with our team and get the right advice at the right time.
Why Local Government Offices Are Targeted by Cyber Attackers and How to Prevent Such Attacks
In recent months, a concerning number of local governments in Ontario, Canada have openly admitted that they have been victims of cyber-attacks. What could have caused these attacks? And what can be done to prevent these attacks?
Town of Wasaga Beach
The Town of Wasaga Beach, Ontario admitted that on April 30, 2018, several of its servers were illegally accessed and infected with ransomware – a type of malicious software (malware) that encrypts computer systems and files, locking out users, and demands ransom payment in exchange for the keys that would decrypt or unlock the computer systems and files.
It took the Town of Wasaga Beach approximately 7 weeks to fully recover from the ransomware attack, and as a result the Town lost hundreds of thousands of Canadian dollars: 3 bitcoin, valued at $34,950 Canadian at the time of payment, were paid to the ransomware attackers, and the bulk of the cost went into internal productivity losses totaling $251,759 Canadian.
Town of Midland
The Town of Midland, Ontario admitted that on September 1, 2018 its network was illegally accessed and infected with ransomware. Six days after the ransomware attack, on September 6, 2018, the Town of Midland announced that it initiated the process of paying the ransom demanded by the attackers. It wasn’t specified though how much was paid to the attackers.
In exchange for the decryption keys, the Town said that it “initiated the process to pay the ransom.” The Town added, “Although not ideal, it is in our best interest to bring the system back online as quickly as possible.”
City of Stratford
The City of Stratford, Ontario admitted that on April 14 this year, its computer systems were illegally accessed and infected with an unspecified virus – a type of malware that spreads by attaching itself to legitimate computer files and programs and is distributed via infected flash drives, emails or websites. This unspecified virus, the City said, encrypted computer systems and files and locked out users.
“We have now begun methodically unlocking and decrypting our systems,” the City said. “This is a thorough process that takes days, not hours.”
A computer virus that locks computer users out through encryption and requires decryption to unlock is typical of ransomware. The decryption key or keys used to unlock the systems or files are given out by the ransomware attackers. In the case of the City of Stratford, it wasn’t specified whether or not a ransom was paid to the attackers.
City of Ottawa
On April 8, 2019, it was revealed that the City of Ottawa, Ontario fell victim to a common fraud scheme called the “Business Email Compromise (BEC)” scam. The City's Office of the Auditor General reported that US$97,797 was transferred to an account of a phony supplier as a result of the BEC scam – a cyber attack that targets organizations that conduct wire transfers to their suppliers. In a BEC scam, the email accounts of executives or high-level employees are either spoofed or compromised for the purpose of fraudulent wire transfers, resulting in hundreds of thousands of dollars in losses.
“On July 6, 2018, the General Manager, Corporate Services and City Treasurer (the ‘City Treasurer’), received an email (the ‘Email’) apparently from the City Manager,” the Office of the Auditor General said. “The Email, which was later identified as a spoofed email, requested that a wire transfer in the amount of US$97,797.20 (the ‘Funds’) be processed for the completion of an acquisition. With the City Treasurer’s approval, later that day the request was processed, and the Funds were issued.”
A portion of the City’s funds ended up in a bank account that the U.S. Secret Service monitored and seized. It’s unclear how much, if any, might eventually be recovered by the City of Ottawa from this seized bank account.
Local governments are targeted by cyber criminals because these organizations are repositories of a trove of sensitive data, from government licenses to government contracts. The fact that local governments have the financial capability to pay also makes them attractive targets to cyber criminals. And the willingness of some local governments to pay attackers compounds this growing problem.
The growing number of cyber attacks, in particular ransomware attacks, against local government offices within Ontario prompted the Ontario Provincial Police (OPP) to issue a ransomware alert. As to the question of paying attackers ransom, the OPP said, “The OPP does not support paying ransomware attackers, as it only encourages further criminal activity, and there is no guarantee that payment will restore the encrypted data.”
Here are some cybersecurity best practices in order to prevent or mitigate the effects of cyber attacks:
Mind the Emails
Many of today’s cyber criminals use email as a means to infiltrate the IT systems of organizations. Many ransomware attacks are carried out by malicious emails containing malicious attachments or malicious links. Opening a malicious attachment or clicking a malicious link could allow the installation of malicious software on your organization’s system.
BEC scammers, meanwhile, rely mainly on email as the means to perpetrate their fraud. In both ransomware attacks and BEC scams, attackers use email as their weapon.
It’s, therefore, important to have an automated email solution that could identify and block emails with malicious attachments or links as well as identify and block spoofed or compromised emails. It’s also important to train your organization’s staff to identify and block malicious and fraudulent emails.
Backup Important Files
Organizations that entertain the idea of negotiating with cyber attackers are those that have weak backup systems. If your organization regularly backs up its important files, there’s no reason for your organization to negotiate with or pay the attackers for the locked or stolen data.
Control Access Before Bad Actors Do
Leaving your door wide open invites bad actors. Like in real life, leaving your organization’s devices, networks or cloud accounts wide open similarly invites malicious actors. Controlling access to these devices, networks or cloud accounts controls the threat both from insiders and outsiders.
Misconfiguration, in general, is the configuration of a digital system’s settings in such a way that the system behaves contrary to what it’s expected to do. Repercussions of misconfiguration include exposure of sensitive data, or attackers gaining privileged access – the ability to perform an action with security consequences.
Misconfiguration happens because these digital systems themselves allow the sharing of data with the public or allow privileged access. For instance, current cloud service providers allow clients to configure data stored in the cloud to be shared with the public. Server operating systems, meanwhile, can be configured to grant certain individuals privileged access. Misconfiguration, therefore, is an internal problem that originates from within the IT infrastructure of an organization.
In recent months, security researchers have discovered troves of sensitive data stored in the cloud that were easily accessible to the general public. Researchers at UpGuard recently discovered that two partners of Facebook, Mexico-based media company Cultura Colectiva and the now defunct “At the Pool”, misconfigured their cloud accounts, exposing hundreds of millions of Facebook customer data records. According to UpGuard, the exposed customer data were stored in Cultura Colectiva’s and At the Pool’s respective Amazon Simple Storage Service (Amazon S3) buckets, configured to allow public download of files.
“Amazon customers own and fully control their data,” Amazon said in response to the exposure of millions of Facebook customer data. “While Amazon S3 is secure by default, we offer the flexibility to change our default configurations to suit the many use cases in which broader access is required, such as building a website or hosting publicly downloadable content. As is the case on premises or anywhere else, application builders must ensure that changes they make to access configurations are protecting access as intended.”
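The "public download" configuration UpGuard describes, and the "changes to access configurations" Amazon refers to, live in two places: the bucket policy document and the bucket ACL. As an added example (not part of the original post and not an AWS tool), the following Python audits both for the wildcard principals and canned public groups that open a bucket to everyone, and separates outright public grants from wildcard grants that a Condition restricts. Bucket names, ARNs and the account id are placeholders; the AllUsers/AuthenticatedUsers group URIs and the policy document format are AWS's real ones.

```python
import json

# Real AWS canned-group URIs; a grant to either makes an ACL public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anyone on the internet)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """A wildcard principal, bare or under the "AWS" key, means 'everyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def policy_findings(policy):
    """Report Allow statements granted to everyone. Statements carrying a Condition
    (e.g. aws:SourceVpce) are reported for review rather than as definitely public."""
    policy = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _principal_is_public(st.get("Principal")):
            continue
        actions = ", ".join(_as_list(st.get("Action", [])))
        sid = st.get("Sid", "<no Sid>")
        if st.get("Condition"):
            findings.append(f"REVIEW statement {sid}: wildcard principal may {actions}, "
                            f"limited by Condition keys {sorted(st['Condition'])}")
        else:
            findings.append(f"PUBLIC statement {sid}: anyone may {actions} on {_as_list(st.get('Resource'))}")
    return findings


def acl_findings(grants):
    """Report ACL grants to the AllUsers / AuthenticatedUsers groups."""
    findings = []
    for g in grants:
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append(f"PUBLIC ACL grant: {g.get('Permission')} to {PUBLIC_GROUPS[grantee['URI']]}")
    return findings


def audit_bucket(name, policy=None, grants=()):
    """Combine both checks; `exposed` is True only for unconditional public access."""
    findings = (policy_findings(policy) if policy else []) + acl_findings(list(grants))
    return {"bucket": name, "exposed": any(f.startswith("PUBLIC") for f in findings), "findings": findings}


# Constructed examples (bucket names, ARNs and the account id are placeholders, not real resources).
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-open-bucket/*"}]}
OPEN_ACL = [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"}]

LOCKED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRoleOnly", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-locked-bucket/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-locked-bucket", "arn:aws:s3:::example-locked-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
LOCKED_ACL = [{"Grantee": {"Type": "CanonicalUser", "ID": "<owner-canonical-id-placeholder>"},
               "Permission": "FULL_CONTROL"}]

VPC_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "FromVpcEndpoint", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-vpc-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-placeholder"}}}]}

if __name__ == "__main__":
    for name, pol, acl in [("example-open-bucket", OPEN_POLICY, OPEN_ACL),
                           ("example-locked-bucket", LOCKED_POLICY, LOCKED_ACL),
                           ("example-vpc-bucket", VPC_ONLY_POLICY, LOCKED_ACL)]:
        print(audit_bucket(name, pol, acl))
```

The open bucket is the Cultura Colectiva pattern; the locked bucket shows the same data restricted to one role with an explicit deny for unencrypted transport, which the checker correctly ignores because a Deny never widens access. Feeding real buckets means fetching the policy and ACL through the S3 API and passing the returned documents in.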
In February 2018, researchers at RedLock discovered that malicious actors had accessed Tesla’s Kubernetes console – Kubernetes being a tool for managing a network of virtual machines – as it wasn’t password protected. “Within one Kubernetes pod, access credentials were exposed to Tesla’s AWS environment which contained an Amazon S3 (Amazon Simple Storage Service) bucket that had sensitive data such as telemetry,” RedLock researchers said. As a result of the data exposure, the malicious actors performed cryptocurrency mining from within one of Tesla’s Kubernetes pods.
According to Gartner, through 2020, 99% of firewall breaches will be caused not by flaws but by simple firewall misconfigurations. A firewall is a network security device that monitors outgoing and incoming network traffic and decides whether to block or allow certain traffic based on a defined set of security rules. Firewalls are often configured with an open policy, that is, allowing traffic from any source to any destination, because system administrators at the outset don’t know what they want to block or allow, and then never get around to changing this configuration, leaving the network exposed to attackers.
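The open any-to-any policy behind Gartner's figure is easy to check for mechanically, and so is its usual side effect: once a broad allow rule sits at the top of a first-match rule list, every narrower rule placed below it is shadowed and never fires, including later deny rules that were meant to close the hole. The following is an added example (not from the original post or any firewall vendor) that analyses a constructed, vendor-neutral rule list for wide-open allow rules and for shadowed rules; the rule format is an assumption.

```python
import ipaddress

# Constructed rule sets (not a real firewall configuration). Rules are evaluated
# first match wins, as on most firewalls; "any" is a wildcard.
OPEN_RULES = [
    {"id": "fw-1", "action": "allow", "src": "any", "dst": "any", "proto": "any", "dport": "any"},  # "temporary" open policy
    {"id": "fw-2", "action": "allow", "src": "10.0.100.0/24", "dst": "10.0.5.10/32", "proto": "tcp", "dport": "3389"},
    {"id": "fw-3", "action": "deny", "src": "any", "dst": "10.0.5.10/32", "proto": "tcp", "dport": "3389"},
]

HARDENED_RULES = [
    {"id": "fw-1", "action": "allow", "src": "10.0.100.0/24", "dst": "10.0.5.10/32", "proto": "tcp", "dport": "3389"},  # RDP from the admin subnet only
    {"id": "fw-2", "action": "allow", "src": "any", "dst": "10.0.6.20/32", "proto": "tcp", "dport": "443"},          # public web server
    {"id": "fw-3", "action": "deny", "src": "any", "dst": "any", "proto": "any", "dport": "any"},                     # explicit default deny
]


def _net_covers(a, b):
    """True if address field `a` matches every address that field `b` matches."""
    if a == "any":
        return True
    if b == "any":
        return False
    na, nb = ipaddress.ip_network(a, strict=False), ipaddress.ip_network(b, strict=False)
    return na.version == nb.version and nb.subnet_of(na)


def _field_covers(a, b):
    return a == "any" or a == b


def rule_covers(earlier, later):
    """True if `earlier` matches every packet `later` would match, so `later` never fires."""
    return (_net_covers(earlier["src"], later["src"]) and _net_covers(earlier["dst"], later["dst"])
            and _field_covers(earlier["proto"], later["proto"])
            and _field_covers(earlier["dport"], later["dport"]))


def is_open(rule):
    """An allow rule with every field wildcarded: the 'any source to any destination' policy."""
    return rule["action"] == "allow" and all(rule[f] == "any" for f in ("src", "dst", "proto", "dport"))


def analyze(rules):
    """Return (rule id, finding) pairs: wide-open allow rules and rules shadowed by an earlier one."""
    findings = []
    for i, rule in enumerate(rules):
        if is_open(rule):
            findings.append((rule["id"], "OPEN: allows any source to any destination on any port"))
        for earlier in rules[:i]:
            if rule_covers(earlier, rule):
                if earlier["action"] == rule["action"]:
                    msg = f"SHADOWED: redundant, {earlier['id']} already decides this traffic the same way"
                else:
                    msg = f"SHADOWED: never applies, {earlier['id']} ({earlier['action']}) decides this traffic first"
                findings.append((rule["id"], msg))
                break
    return findings


if __name__ == "__main__":
    for name, rules in (("open", OPEN_RULES), ("hardened", HARDENED_RULES)):
        print(name, analyze(rules) or "no findings")
```

In the open set the deny rule for RDP (fw-3) is reported as never applying, which is exactly how an administrator who "added a block rule" can still be exposed; the hardened set, with narrow allows above an explicit default deny, produces no findings.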
A case in point in the value of effective firewall configuration is the 2017 case in which malware infiltrated a North Carolina transmission plant’s computer network via email. The malware spread through the plant’s network, stopping production as users were locked out of their computers. According to the plant’s information technology manager, while data on some computers were lost, the malware was blocked by a firewall when it tried to exit the plant’s network.
Another ransomware incident in 2017, this time at the Northern Lincolnshire and Goole NHS Foundation Trust, was attributed to the “misconfiguration of the firewall”. The ransomware took a Northern Lincolnshire and Goole NHS Foundation Trust hospital offline for four days and resulted in the cancellation of 2,800 patient appointments.
Best Practices & Prevention
Here are some cybersecurity measures in order to prevent or mitigate the effects of misconfigurations:
Apply the Principle of “Least Privilege”
Least privilege is the concept and practice of restricting access to accounts and computing processes to only those individuals who need it for their jobs. Restricting a certain group in your organization from installing and running software applications can, for instance, prevent malware from infecting your organization's network in case this malware is unwittingly downloaded by one of your organization’s staff onto his or her computer workstation.
The Microsoft Vulnerabilities Report 2019, an analysis of Microsoft security updates in 2018 conducted by BeyondTrust, showed that of the 189 critical vulnerabilities discovered last year, 154 or 81% of the vulnerabilities could have been prevented if administrator rights had been removed.
Administrator rights, also known as admin rights, means that a user has privileges to perform virtually all functions within an operating system on a computer. These privileges include the installation of software and hardware, installation of updates and configuring or changing system settings.
Regularly Update Firewall Configuration
Regularly update your organization’s firewall to block data from certain locations, applications or ports, while at the same time allowing certain relevant and necessary data through.
Monitor for Suspicious User Behavior
Another way to prevent or mitigate the effects of misconfiguration is by monitoring for suspicious user behavior. To do this, your organization needs a baseline of normal user data. Against this baseline, suspicious behavior can then be detected, such as geolocation-based anomalies, time-based anomalies and event-based anomalies.
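An added example (not from the original post) of what such baselining looks like in code: a per-user profile of countries, hours of day and event types is built from a constructed history, and new events are scored for the three anomaly kinds named above, with a user who has no baseline at all treated as its own finding. The one-hour tolerance, the event schema and all the events are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _constructed_baseline(user="jdoe", country="CA", first_day="2019-04-29", days=10):
    """Constructed history: one user working 08:00-17:00 from one country on ten weekdays."""
    d0 = datetime.fromisoformat(first_day)
    events = []
    for d in range(days):
        day = d0 + timedelta(days=d + (2 if d >= 5 else 0))   # skip the weekend between the two weeks
        for hour in range(8, 18):
            events.append({"user": user, "time": day.replace(hour=hour).isoformat(),
                           "country": country, "event": "login" if hour == 8 else "file_read"})
    return events


BASELINE_EVENTS = _constructed_baseline()

# Constructed events to score against the baseline (not real telemetry).
NEW_EVENTS = [
    {"user": "jdoe", "time": "2019-05-13T03:12:00", "country": "RU", "event": "login"},          # new country, 3 a.m.
    {"user": "jdoe", "time": "2019-05-13T10:05:00", "country": "CA", "event": "bulk_download"},  # never-seen action
    {"user": "jdoe", "time": "2019-05-13T11:00:00", "country": "CA", "event": "file_read"},      # normal
    {"user": "mallory", "time": "2019-05-13T11:30:00", "country": "CA", "event": "login"},       # no baseline at all
]


def build_baseline(events):
    """Per-user profile: countries seen, hours of day seen, event types seen."""
    profile = defaultdict(lambda: {"countries": set(), "hours": set(), "events": set()})
    for e in events:
        p = profile[e["user"]]
        p["countries"].add(e["country"])
        p["hours"].add(datetime.fromisoformat(e["time"]).hour)
        p["events"].add(e["event"])
    return dict(profile)


def _near_usual_hour(hour, usual_hours, tolerance=1):
    """Within `tolerance` hours of any usual hour, wrapping around midnight."""
    return any(min((hour - h) % 24, (h - hour) % 24) <= tolerance for h in usual_hours)


def score_event(event, baseline):
    """Return the list of reasons an event deviates from its user's baseline (empty = normal)."""
    profile = baseline.get(event["user"])
    if profile is None:
        return ["no baseline: first activity ever seen for this user"]
    reasons = []
    hour = datetime.fromisoformat(event["time"]).hour
    if event["country"] not in profile["countries"]:
        reasons.append(f"geolocation: {event['country']} not in usual {sorted(profile['countries'])}")
    if not _near_usual_hour(hour, profile["hours"]):
        reasons.append(f"time: hour {hour:02d} outside usual "
                       f"{min(profile['hours']):02d}-{max(profile['hours']):02d}")
    if event["event"] not in profile["events"]:
        reasons.append(f"event: '{event['event']}' never performed by this user before")
    return reasons


def detect_anomalies(events, baseline):
    """(user, time, reasons) for every event that deviates from the baseline."""
    alerts = []
    for e in events:
        reasons = score_event(e, baseline)
        if reasons:
            alerts.append((e["user"], e["time"], reasons))
    return alerts


if __name__ == "__main__":
    for user, when, reasons in detect_anomalies(NEW_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(user, when, "; ".join(reasons))
```

Set-membership profiles are the simplest possible baseline; the shape is what matters, since the same build-then-score split applies when the profile is replaced by per-user frequency distributions and the scoring by a threshold on how rare an observation is.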
The best way to evaluate your current access controls is to perform an independent IT audit. Most IT and business executives are surprised by the results and are able to take an immediate action moving toward better security controls.
Reduce the IT risks today by speaking with one of our cybersecurity experts. Connect with us today.
Steve E. Driz