Researchers Warn Windows EFS Could be Abused by Ransomware Attackers

Researchers at Safebreach Labs have warned that EFS, a feature in Microsoft Windows, could be abused for ransomware attacks.

What Is EFS?

EFS, short for Encrypted File System, is a feature on Windows operating system, starting with Windows 2000, for its business users. This feature allows users to encrypt specific folders and files. In encryption, data is converted into secret code, allowing only authorized users to access the specific folders and files and, in theory, denying access to unauthorized users.

EFS shouldn’t be confused with another encryption feature on Microsoft Windows called “BitLocker”. While EFS encrypts specific folders and files, BitLocker is a full disk encryption feature.

In EFS, to access the encrypted specific folders and files, an authorized user doesn’t need to provide a password as access is via the user’s account password. In BitLocker, to access the BitLocker-encrypted drive, a user needs to type the password or plug in a USB key or have BitLocker use Trusted Platform Module (TPM) if the Windows operating system has one.

Proof of Concept of Ransomware Attack Scenario Exploiting Windows EFS

Ransomware is a type of malicious software (malware) that encrypts victims’ computers or data, denying legitimate users access to their computers or data. In ransomware attacks, attackers demand from their victims to pay ransom in exchange for the decryption keys that, in theory, unlock the encrypted computers or data. Recent ransomware attacks, meanwhile, steal computer files prior to encryption and threaten the publication of these stolen files for victims who refuse to pay the ransom.

Researchers at Safebreach Labs recently disclosed that they’ve developed a proof-of-concept of a ransomware that abuses Windows EFS. The EFS-based ransomware developed by Safebreach Labs encrypts files, rendering these files unreadable to users and even to the Windows operating system. Safebreach Labs said that the encrypted files can only be made readable using the ransomware attacker’s decryption key and have the EFS-based ransomware restore the encrypted files into their original position, and only then that the Windows operating system can once again read the user files.

Safebreach Labs said that EFS-based ransomware is an “alarming concept and a possible new threat in the ransomware horizon” due to the following reasons:

1. In EFS-based ransomware, files are encrypted at the NTFS driver level which goes unnoticed by file-system filter drivers.

2. EFS-based ransomware doesn’t need administrator rights and works using limited user accounts.

3. EFS-based ransomware doesn’t need human interaction.

Safebreach Labs said that EFS-based ransomware works on Windows 10 64-bit versions 1803, 1809 and 1903, and should also work on Windows 32-bit operating systems, and on earlier versions of Windows such as Windows 8.x, Windows 7 and Windows Vista.

Safebreach Labs said it tested its EFS-based ransomware on 3 anti-ransomware solutions from well-known vendors, and all 3 anti-ransomware solutions failed to protect against this new threat. Thereafter, Safebreach Labs notified 17 major anti-malware and anti-ransomware vendors for Windows endpoints and provided them with the EFS-based ransomware proof-of-concept. Safebreach Labs also found that many of these major anti-malware and anti-ransomware vendors for Windows endpoints failed to protect against this threat.

Prevention and Mitigating Measures Against EFS-Based Ransomware

Below are some of the responses of the major anti-malware and anti-ransomware vendors for Windows endpoints that were notified by Safebreach Labs regarding the EFS-based ransomware.

Avast/AVG email to Safebreach Labs dated September 26, 2019: “We implemented a workaround for version 19.8.”

Bitdefender email to Safebreach Labs dated January 10, 2020: “As of today, the fix started rolling out on Bitdefender Antivirus, Bitdefender Total Security and Bitdefender Internet Security on version 24.0.14.85. On Bitdefender Free Edition the fix is in reporting mode only, being necessary for fine tuning in the future.”

Check Point email to Safebreach Labs dated January 20, 2020: “Check Point has resolved the issue and the fix is currently available with the latest Corporate Endpoint Client E82.30 and will be available in the latest release of Zone Alarm Anti-Ransomware in the next couple of days.”

McAfee email to Safebreach Labs dated January 17, 2020: “McAfee released protection against the sample code provided by the reporter in the Anti-Virus (AV) DATs released on 10th January. This covers both our Enterprise and Consumer products. The AV DATs are automatically updated and Customers can check the version of the DATs through the product User Interface.

“Enterprise Customers using MVision EDR have a detection rule available from 10th January which will trigger when some variations of this Proof of Concept are executed. Through EDR the administrator can scan their machines for other instances of the malware and then block execution or delete the malware. Enterprise Customers using ENS can configure an Endpoint Protection Access Protection rule which will prevent the sample deleting the keys it generates to encrypt the files. By preventing the deletion of the keys the files remain accessible to that user. Other users on the same machine would not have access to the files.”

Microsoft email to Safebreach Labs dated October 7, 2019: "Microsoft considers Controlled Folder Access a defense-in-depth feature. We assessed this submittal to be a moderate class defense in depth issue, which does not meet the Microsoft Security Servicing Criteria for Windows (https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria?rtc=1). Microsoft may consider addressing this in a future product".

In the absence of a Windows update, according to Safebreach Labs, one of the workarounds against EFS-based ransomware is by turning off EFS on the affected Windows operating system. The cybersecurity research lab, however, said that turning off EFS can disable legitimate encryption of the operating system.

Ransomware attacks are becoming more and more prominent. Turn to our experts to mitigate the ransomware infection risks and protect your organization. Contact us today for a no-obligation consultation.

Windows 7 Support to End Soon. What’s at Risk?

Windows 7, an operating system released by Microsoft more than 10 years ago, will reach its end of life on January 14, 2020.

While Windows 7 can still be used after the operating system's end of life, using this outdated operating system puts your organization’s computers vulnerable to security risks.

Security Risks of Using Outdated Operating System

According to Microsoft, the end of life of Windows 7 means that after January 14, 2020, technical assistance and software updates from Windows Update that help protect computers will no longer be available. "If you continue to use Windows 7 after support has ended on January 14, 2020, your PC will still work, but it may become more vulnerable to security risks,” Microsoft said in its advisory.

Software programs like operating systems are never made perfect. Somewhere along the way, someone will find a vulnerability or a bug that must be fixed. As such, operating system vendors like Microsoft regularly, and as the need arise, issue security updates to fix newly discovered security vulnerabilities. In 2018 alone, Microsoft patched hundreds of security vulnerabilities on its operating systems, including Windows 7 and Windows 10.

With the end of life of Windows 7, newly discovered security vulnerabilities will no longer be fixed by Microsoft, putting your organization’s at risk of cyber-attacks.

WannaCry Cyber-Attack

The WannaCry attack which infected hundreds of thousands of computers in just a matter of 24 hours on May 12, 2017 gave the world a hard lesson on the risk of using outdated operating systems. WannaCry is categorized as a ransomware – a type of malicious software (malware) that stops users from using their computers or accessing their data.

WannaCry had shaken the online world due to its worm capabilities, that is, this malware spreads through the network, infecting other vulnerable computers, without the need for any user involvement. WannaCry exploits the security vulnerability referred to as CVE-2017-0145. This security vulnerability exists in the way that the Server Message Block 1.0 (SMBv1) handles certain requests. SMBv1 is the old version of the Server Message Block protocol that Windows operating systems use for file sharing on a local network. “An attacker who successfully exploited the vulnerability [CVE-2017-0145] could gain the ability to execute code on the target server,” Microsoft said.

Microsoft issued a security fix for CVE-2017-0145 on March 14, 2017 – months before the WannaCry attack on May 12, 2017. The company issued a security update to fix CVE-2017-0145 for operating systems that still received the company’s support, including Windows 7, Windows 10, Windows 8.1, Windows Server 2008, Windows Server 2012, Windows Server 2016 and Windows Vista.

No security update was issued to fix the security vulnerability CVE-2017-0145 for operating systems that reached its end of life, including Windows XP, Windows 8, and Windows Server 2003. At the time of the WannaCry attack on May 12, 2017, these outdated operating systems were vulnerable as they were defenceless without the security update.

It’s worthy to note that WannaCry infected Windows 7 the most despite the fact that at the time of the attack, this operating system was still supported by Microsoft with a readily available security fix issued months before the attack.

Costin Raiu, Director of Global Research and Analysis Team at Kaspersky Lab said that 98% of the computers infected by WannaCry used Windows 7 as the operating system. “ #WannaCry infection distribution by the Windows version. Worst hit - Windows 7 x64,” Raiu said.

Migration to Latest Operating System

A study conducted by Kaspersky Lab showed that even as newer versions of operating systems are available, nearly 41% still use either an unsupported or approaching end of support operating system. The study also showed that 40% of very small businesses (VSBs) and 48% of small, medium-sized businesses (SMBs) and enterprises still rely on unsupported or approaching end of support operating system.

Even as operating system vendors stop in supporting customers via security updates, cyber attackers never stop digging up new security vulnerabilities, knowing full well that any security vulnerabilities discovered won’t be fixed by the vendors.

Using Windows 7 after its end of life on January 14, 2020 also makes this operating system incompatible with other software such as Office 365 ProPlus. On the flip side, many organizations delay their migration to the latest operating systems as custom-made applications are incompatible to the latest operating systems. Migration cost is also another reason why many organizations delay migration from outdated operating systems to newer operating systems.

Leaving your organization’s outdated operating system exposed to the internet leaves it open to cyber-attacks. The cost of a cyber-attack may even be higher than the cost of migrating to a newer operating system.

If the migration to a newer operating system needs to be delayed for a little longer, computers using outdated operating systems should be taken offline to keep them away from the reach of malicious actors.

It’s also important to practice network segmentation, especially when using outdated operating systems. Network segmentation controls how traffic flows across the network.

In network segmentation, your organization’s network is divided into smaller parts or sub-network, ensuring that in case of a compromise in one sub-network, the other sub-networks won’t be affected. It’s advisable to keep computers using outdated operating systems in a separate sub-network.

Connect with our team of experts today to learn more and mitigate IT and cybersecurity risks for your business.

Valuable Lessons from Recent Cyber Extortions

The recent data breach at LifeLabs, which affected nearly half of Canada’s population, and the recent data breach at the City of Pensacola highlight the growing danger of cyber extortions.

What Is Cyber Extortion?

Extortion – the act of using threats to gain something from someone – has been given a new form in the cyber world.

In the case of the data breach at LifeLabs, cybercriminals gained access to the company’s computer systems, stole data and thereafter demanded ransom payment from the company in exchange for the stolen data. In a joint statement, the Office of the Information and Privacy Commissioner of Ontario and the Office of the Information and Privacy Commissioner for British Columbia said, “LifeLabs advised our offices that cyber criminals penetrated the company's systems, extracting data and demanding a ransom.”

"Retrieving the data by making a payment," said Charles Brown, President and CEO of LifeLabs, was one of the several measures taken by the company to protect customer information.

The recent cyber extortion at the City of Pensacola, meanwhile, involved a headline-grabbing method: ransomware – a malicious software (malware) that encrypts computer files, locks out users and demands from victims ransom payment in exchange for the decryption keys that would unlock the encrypted files. The group behind the ransomware called “Maze” claimed responsibility for the ransomware attack at the City of Pensacola. The group demanded that the City pay $1 million ransom to decrypt the encrypted files.

Ten percent or 2GB of the data stolen before encrypting the computer files of the City was recently published online by the group behind Maze ransomware. When asked by BleepingComputer if the group intends to release the rest of the stolen data, the group said, "It depends".

The group behind Maze ransomware similarly published online 10% or 700 MB of data stolen from another victim, the Allied Universal after the victim failed to pay the group’s demand of 300 bitcoins then valued at nearly $2.3 million. The group told BleepingComputer that the rest of the stolen data will be leaked online if the increased ransom of $3.8 million won’t be paid.

How Cyber Extortion Works?

How the attackers penetrated the LifeLabs’ computer systems, how the data was extracted data and how the ransom demand was made haven’t been made public. For Maze ransomware, however, there’s a handful of data online.

Security researcher Jérôme Segura first observed in May of this year Maze ransomware in the wild initially infecting victims’ computers via the Fallout exploit kit through a fake cryptocurrency exchange site. Fallout exploit kit exploits the security vulnerabilities in Microsoft Windows and Adobe Flash Player. In October of this year, security researcher JAMESWT observed Maze ransomware infecting victims in Italy through a phishing campaign that tricks victims into opening the attached document in an email pretending to be from the Italian Revenue Agency.

Researchers from Cisco Talos reported that they’ve also observed Maze ransomware in the wild. In a Maze ransomeware attack, the researchers said that after obtaining access to a network, CobaltStrike is used. CobaltStrike is a commercial penetration testing tool that markets itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike uses well-known tools, including Mimikatz – a tool that’s capable of obtaining plaintext Windows account logins and passwords.

According to Cisco Talos researchers, once the adversary behind Maze ransomware has access to the victim’s network, at least a week is spent moving around the network and gathering data along the way. The researchers added that the gathered data is extracted by using “PowerShell to dump large amounts of data via FTP out of the network”. After data extraction, Maze ransomware is then deployed on the compromised computers, the researchers at Cisco Talos said.

The researchers at Cisco Talos added that the observed Maze ransomware attacks also involved interactive logins via Windows Remote Desktop Protocol and remote PowerShell execution achieved via Windows Management Instrumentation Command-Line (WMIC).

In its 2020 Threats Predictions Report, McAfee Labs said that for 2020, it predicts that targeted penetration of corporate networks will continue to grow and ultimately give way to two-stage extortion attacks, with the first stage of attack involving a crippling ransomware attack and the second stage of attack involving the threat to disclose the data stolen before the ransomware attack.

Preventive and Mitigating Measures Against Cyber Extortion

While having a working backup system is still a must to protect your organization’s sensitive data, as shown in the recent cyber extortions, brushing off cyber-attacks through better backup systems will prove to be not enough in 2020 as attackers are aiming for data theft and leveraging this stolen data to get what they want.

Here are some of the preventive and mitigating measures against cyber extortion:

- Keep All Software Up to Date

Keeping all your organization’s software up to date stops attackers at their tracks as the latest software security updates typically fix security vulnerabilities.

- Apply the Principle of Least Privilege

The principle of least privilege promotes minimal user privileges on computers based on user’s job necessities. For instance, if the user’s work isn’t IT-related, his or her computer access shouldn’t allow administrative rights, referring to the right to install software, change the operating systems configuration settings and other higher-level access.

- Disable Windows Remote Desktop Protocol (RDP)

There have been many document cases whereby Windows Remote Desktop Protocol (RDP) had been used by attackers as a gateway to their victims’ networks. It’s advisable to disable RDP when this service isn’t used.

- Keep Backups Offline

Over the past few months, attackers have specifically targeted backup systems. It’s advisable to keep your organization’s backup systems offline.

Cyber extortions has become a new norm and many organizations have already fell victim. Connect with our team of cybersecurity experts today to understand you weakest links better and mitigate the risk of cyber extortion.

LifeLabs Reveals It Paid Ransom in Exchange for Stolen Data

LifeLabs, the largest provider of general diagnostic and specialty laboratory testing services in Canada, has announced that it paid an undisclosed amount of ransom in exchange for the stolen data of 15 million customers.

Charles Brown, President and CEO of LifeLabs, in a statement, said that the company’s computer systems were illegally accessed resulting in the theft of data belonging to approximately 15 million customers. Stolen data includes name, address, email, login, passwords, date of birth and health card number. The vast majority of the affected customers are from Ontario and British Columbia.

Brown added that laboratory test results of 85,000 customers from Ontario for the period 2016 or earlier were part of the stolen data. The President and CEO of LifeLabs further said that health card information of customers for the period of 2016 or earlier was also stolen.

"Retrieving the data by making a payment,” Brown said was one of the measures that the company took in order to protect customer information. “Personally, I want to say I am sorry that this happened,” he said.

While the President and CEO of LifeLabs said that risk to customers in connection with this cyber attack is “low and that they have not seen any public disclosure of customer data,” he called on affected customers to avail of the company’s one free year of protection that includes dark web monitoring and identity theft insurance.

How the LifeLabs Data Breach Unfolded?

The President and CEO of LifeLabs said that the data breach was discovered as a result of "proactive surveillance” and added that the company “fixed the system issues” related to the cyber-attack.

In a joint statement, the Office of the Information and Privacy Commissioner of Ontario (IPC) and the Office of the Information and Privacy Commissioner for British Columbia (OIPC) said that LifeLabsinformed the two offices on November 1, 2019 about the data breach. The IPC and OIPC said that they will conduct a joint investigation into the data breach at LifeLabs. Among the things to be investigated, the two offices said, will include the scope of the breach and the circumstances leading to it.

“They advised us that cyber criminals penetrated the company's systems, extracting data and demanding a ransom,” IPC and OIPC said in a joint statement. “LifeLabs paid the ransom to secure the data.”

"An attack of this scale is extremely troubling,” said Brian Beamish, Information and Privacy Commissioner of Ontario. “I know it will be very distressing to those who may have been affected. This should serve as a reminder to all institutions, large and small, to be vigilant."

“I am deeply concerned about this matter,” said Michael McEvoy, Information, and Privacy Commissioner for British Columbia. “The breach of sensitive personal health information can be devastating to those who are affected."

While ransom or payment was made, there was no mention that the attack was due to a ransomware – a type of malicious software (malware) that encrypts data and the group or individual behind the malware then demands ransom payment in exchange for decryption key or keys that would unlock the encrypted files.

Cyber Attackers New Modus Operandi

While cyber attackers have been known to steal data from their victims, there’s a scarcity of information showing victims paying ransom in order to get back the stolen data. The latest cyber incident at LifeLabs shows an alarming cyber-attack trend, that is, penetrating the victim's systems, extracting data and then demanding a ransom.

Ransomware attackers, meanwhile, over the past few weeks have openly employed a new tactic in order to force their victims to pay ransom: threatening ransomware victims that failure to pay the ransom will result in the publication of stolen data. This latest modus operandi by ransomware attackers confirms what has been widely known in the cyber security community that ransomware attackers don’t merely encrypt data but they also have ways to snoop and even steal data prior to the data encryption.

In late November of this year, the group behind the ransomware called “Maze” published online the stolen data from one of its victims, Allied Universal after Allied failed to pay 300 bitcoins, then valued nearly $2.3 million USD, within the period set by the malicious group. The group behind the Maze ransomware told BleepingComputer, “We gave them time to think until this day, but it seems they [Allied Universal] abandoned payment process.”

The group behind the Maze ransomware further said that before encrypting any of the victims’ files, these files are first exfiltrated or stolen to serve as further leverage for the victims to pay the ransom.

The group behind the ransomware called “REvil”, also known as Sodinokibi ransomware, recently announced in a hacker forum that it will also leak online the stolen data from ransomware victims who refuse to pay ransom. Other than leaking the stolen data online, the group behind REvil ransomware also said the stolen data from ransomware victims who refuse to pay could be sold.

Maze ransomware initially infects victims’ computers via phishing campaigns or via Fallout exploit kit – a hacking tool that exploits the security vulnerabilities in Adobe Flash Player and Microsoft Windows. REvil ransomware, meanwhile, also initially infects victims’ computers via phishing campaigns and exploit kits, as well as by exploiting a security vulnerability in Oracle’s WebLogic server and by brute-forcing Remote Desktop Protocol (RDP) access.

Ransomware Attacks Now Targeting Your Backups

Backups have traditionally been regarded as the last line of defence against ransomware attacks. Over the past few months, however, backups have been specifically targeted by ransomware attacks.

In the "IT threat evolution Q3 2019" report, Kaspersky researchers found that ransomware attacks on backups, specifically NAS backups, are gaining ground.

What Is NAS?

NAS, short for network attached storage, is a storage and backup system that consists of one or more hard drives. This storage and backup system can be connected to home or office network or the internet. In case a NAS device is connected to the internet, data stored on this device can be accessed using a web browser or mobile app.

Ransomware Targeting NAS

Researchers at Anomali in July of this year reported about eCh0raix, a ransomware that specifically targets QNAP network attached storage (NAS) devices. According to the researchers, the source code of eCh0raix has less than 400 lines, with functionalities that are typical to a ransomware, including checking if data in the infected system has already been encrypted, going through the file system for files to encrypt, encrypting the files, and producing the ransom note.

Researchers at Anomali noted that eCh0raix ransomware isn’t designed for mass distribution as the samples with a hardcoded public key appear to be compiled for the target with a unique key for each target.QNAP Systems, the manufacturer of QNAP network attached storage (NAS) devices, for its part, acknowledged that QNAP devices using weak passwords and outdated QTS firmware are vulnerable to eCh0raixransomware.

In July of this year, another NAS device manufacturer Synologyreported that several of Synology NAS devices were under ransomware attacks as a result of brute-forcing administrator login details. In a brute-force attack, a malicious actor submits a number of passwords in the hope of eventually guessing the correct one.

According to Synology, its investigation related to the ransomware attacks found that the attacks were due to dictionary attacks – the use of words in the dictionary in brute-forcing login details – instead of specific system vulnerabilities. Synology added that the large-scale ransomware attacks were targeted at various NAS models from different NAS vendors. Ken Lee, Manager of Security Incident Response Team at Synology, said that NAS attackers used “botnet addresses to hide their real source IP”.

Just last month, another NAS device manufacturer D-Linkacknowledged that the following D-Link network attached storage (NAS) models are vulnerable to a different ransomware called “Cr1ptT0r” ransomware: DNS-320 Ax/Bx, DNS-325, DNS-320L, DNS-327L, DNS-323 Ax/Bx/Cx, DNS-345, DNS-343 and DNS-340L. According to D-Link, Cr1ptT0r encrypts stored information and then demands payment to decrypt the information.

According to Kaspersky researchers, the growing ransomware attacks on NAS devices involve attackers scanning the internet for internet-connected NAS devices. Kaspersky researchers said that a number of NAS devices have vulnerabilities in the firmware, which enables attackers via an exploit to install on the compromised device a Trojan – a type of malicious software (malware) that’s often disguised as legitimate software – that encrypts all data on the NAS device. “This is a particularly dangerous attack, since in many cases the NAS is used to store backups, and such devices are generally perceived by their owners as a reliable means of storage, and the mere possibility of an infection can come as a shock,” Kaspersky researchers said.

Preventive and Mitigating Measures

Here are some of the preventive and mitigating measures against ransomware attacks targeting NAS backups:

1. Use Up-to-Date Backup Device

Manufacturers of NAS devices, QNAP Systems, Synology and D-Link, asked users to apply the latest software or firmware version.

In the case of D-Link NAS devices, D-Link said that DNS-320 Ax/Bx, DNS-323 Ax/Bx, DNS-325 Ax and DNS-345 Ax have passed their end of service date, which means that these models are no longer supported by the company through customer support and no longer receive software or firmware updates. For the said models that have passed their end of service date, D-Link asked users to "remove the Internet access of NAS on your router by disabling the port forwarding and DMZ setting".

2. Keep Backups Offline

One thing is common to these NAS ransomware attacks: They victimized only those devices that are connected to the internet. To protect backups from this type of ransomware, it’s important to disable internet connection to these devices.

3. Harden Defences If the Backup Needs to be Connected to the Internet

Generally, an internet-connected NAS device can only be accessed via a web or mobile app interface and this interface is protected by an authentication page, where a user has to authenticate oneself before logging in. As acknowledged by NAS manufacturers, some users use weak passwords, making it easy for attackers to brute-force or guess the passwords.

When there’s a need for these NAS devices to be accessible via the internet, it’s important to use strong passwords and, if possible, to use multi-factor authentication to add another layer of defence.

4. Additional Defences

Here are some of the additional defences to protect backups from ransomware attacks:

• Disable SSH and Telnet services if they aren’t use
• Avoid using default port numbers 443 and 8080
• Enable Auto Block to block IP addresses with too many failed login attempts
• Use Firewall

As shown in the number of ransomware attacks in recent months, this type of cyber-attack doesn’t seem to slow down.

Organizations that have shown to be financially capable of paying ransom, including government agencies, as well as organizations in the healthcare and education sectors are particularly targeted by this attack.

You don’t have to be a victim of a ransomware attack. Stop cybercriminals before they get the leverage.

Speak with our cybersecurity experts today and stop worrying about ransomware.

Cross-Site Scripting: Still One of the Biggest Cyber Threats

Cross-site scripting, also known as XSS, is one of the most dangerous software errors that threatens websites and applications, even the likes of Gmail.

Security researcher Michał Bentkowski of Securitum recently discovered a cross-site scripting vulnerability in Gmail’s AMP4Email, also known as “dynamic email”. Launched in July 2019, Gmail’s dynamic email allows users to take action directly from within the message itself, such as RSVP to an event, filling out a questionnaire or browsinga catalog.

Allowing dynamic content in Gmail, Google knows it opens itself to security vulnerabilities such as cross-site scripting – a security vulnerability that allows malicious actors to add malicious code into trusted websites or applications. While Google takes a number of precautionary measures against cross-site scripting, Bentkowski discovered that Gmail’s dynamic email didn’t block the specific code HTML id attribute, thereby opening the email service vulnerable to cross-site scripting.

Bentkowski said he reported the cross-site scripting vulnerability to Google on August 15, 2019. According to Bentkowski, Google replied that “the bug is awesome, thanks for reporting”. Bentkowski added that on October 12, 2019, he received a confirmation from Google that the bug was fixed.

What Is Cross-Site Scripting?

Cross-site scripting vulnerability is so widespread that it’s ranked second in the 2019 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Errors. According to CWE, which is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), ranking for the top most dangerous software errors is based on the data from Common Vulnerabilities and Exposures (CVE) data and data from the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD).

The NVD data, in particular, covered the period from the years 2017 and 2018, which consisted of nearly 25,000 CVEs. Based on the NVD count, out of the 25,000 CVEs for the years covered, 3,430 CVEs were cross-site scripting vulnerabilities.

Cross-site scripting is a security vulnerability found in web pages or applications that accept user input. This includes login page, check-out page and, in the case of the Gmail case, Gmail’s AMP4Email or dynamic email.

While users typically place legitimate inputs such as usernames and passwords in login pages, credit card details in check-out pages or RSVP to an event in the case of Gmail’s dynamic email, these fields that accept user input could be exploited by malicious actors, giving them opportunity to insert malicious code into an otherwise trusted website or application.

In the case of Gmail’s dynamic email, there’s no report that malicious actors were able to exploit the said cross-site scripting vulnerability.

Security engineers at Microsoft were the first ones to coin the term cross-site scripting back in December 1999. In December 2009, in commemorating the 10th year anniversary of coining the word, security engineers at Microsoft, in the blog post “Happy 10th birthday Cross-Site Scripting!”, wrote, “Let's hope that ten years from now we'll be celebrating the death, not the birth, of Cross-Site Scripting!”

As shown in the latest ranking in the most dangerous software errors, cross-site scripting appears to be far from dead. Microsoft itself recently patch a cross-site scripting vulnerability on its Microsoft Outlook for Android software. The company said that the cross-site scripting vulnerability allows an attacker to “run scripts in the security context of the current user”. 

Magecart

Cross-site scripting has recently been put back into the headlines by Magecart – the umbrella term given to cybercriminal groups that steal credit card details from unsecured payment forms on websites. Magecart has been linked to the data breach at British Airways and the recent data breach at Macy’s.

Researchers at RiskIQ reported that Magecart breached British Airways baggage claim information page by just inserting 22 lines of code, enabling the attackers to grab personal and financial details entered by customers and sent the data stolen to the server controlled by the attackers. A security researcher, meanwhile, who wishes to remain anonymous, told BleepingComputer that the recent data breach at Macy's website was caused by the alteration of https://www[dot]macys[dot]com/js/min/common/util/ClientSideErrorLog[dot]js script, enabling the attackers to grab data entered by customers in the company’s website, in particular, checkout page and wallet page.

Preventive and Mitigating Measures Against Cross-Site Scripting

Attempts in the past have been made to stop cross-site scripting. One such attempt was XSS Auditor, a feature added to Google Chrome v4 in 2010.

XSS Auditor aims to detect XSS vulnerabilities while the browser is processing the code of websites. It uses a blocklist to identify suspicious code. In July of this year, Google security engineer Thomas Sepez announced the retirement of XSS Auditor.

Google senior security engineer Eduardo Vela Nava first proposed the retirement of XSS Auditor in October 2018. “We haven't found any evidence the XSSAuditor stops any XSS, and instead we have been experiencing difficulty explaining to developers at scale, why they should fix the bugs even when the browser says the attack was stopped,” Nava said. “In the past 3 months, we surveyed all internal XSS bugs that triggered the XSSAuditor and were able to find bypasses to all of them.”

As shown in the above examples, cross-site scripting vulnerability is a menace to websites and applications.

This holiday season – the time of the year when online shopping and other transactions are at its peak, it’s important to sanitize your organization’s website and applications to protect it from cross-site scripting.

When you need to protect your website and web applications against XSS and other common attacks, our team of experts is a phone call away and ready to protect your web applications in just minutes.

Under denial of service attack with ransom demands? Don’t pay! We will stop the DDoS attacks in a few minutes, for good.

Call today (888) 900-3749 or connect with us online.

Healthcare Sector Breach Reports Rise After Mandatory Reporting Implementation

The Office of the Information and Privacy Commissioner of Alberta recently released an annual report, covering the period of April 1, 2018 to March 31, 2019, showing a 407% increase in healthcare sector data breaches. The spike of healthcare sector data breach reports was similarly seen in Ontario.

The period covered by the annual report includes only seven months of mandatory breach reporting in the healthcare sector in Alberta. Alberta’s Health Information Act took effect on August 31, 2018, mandating the more than 54,900 health information custodians in the province, including Alberta Health, Alberta Health Services, Covenant Health, nursing homes, physicians, registered nurses, pharmacists, optometrists, opticians, chiropractors, podiatrists, midwives, dentists, denturists and dental hygienists to notify an individual affected by a privacy breach as well as notify the Information and Privacy Commissioner of Alberta and the Minister of Health.

The Alberta law also provides penalty provisions in case the health information custodian fails to report a breach or fails to take reasonable steps in maintaining safeguards to protect health information.

The Office of the Information and Privacy Commissioner of Alberta reported that a total of 674 breaches were reported under Alberta’s Health Information Act during the period of April 1, 2018 to March 31, 2019, representing a 407% increase compared to the reported average of 130 healthcare sector data breaches for the last few years.

In the report written by Jill Clayton, Information and Privacy Commissioner of Alberta, many of the healthcare sector data breaches are relatively easy to address, requiring only the health information custodians to notify the affected individuals and to take preventive steps to prevent similar events from re-occurring in the future. A significant number of these cases, Clayton said, are much more serious, involving law violation and affecting hundreds to thousands of Albertans. A significant number of these cases, Clayton said, often becomes offense investigations and can result in significant court-imposed fines for offending parties.

The Information and Privacy Commissioner of Alberta said that active offense investigations have risen from 5-6 at any one time to over 20 as of September 30, 2019, with nearly 70 healthcare sector data breaches flagged as potential offenses. Since Alberta’s Health Information Act took effect on August 31, 2018, the Commissioner said there have been 10 convictions for knowingly accessing health information under the said Alberta law.

The Commissioner also reported that since the Health Information Act took effect, more snooping breaches – unauthorized access to health information by authorized users of health information systems – have been reported. “Cyberattacks were also reported more frequently, which is a concern that will need to be monitored,” the Information and Privacy Commissioner of Alberta said.

Healthcare Sector Data Breach Reports in Ontario

The spike of healthcare sector data breach reports was similarly seen in Ontario. In late 2017 Ontario’s Personal Health Information Protection Act took effect, requiring health information custodians, including hospitals, pharmacies, doctors’ offices, and dental clinics to report health privacy breaches to the Information and Privacy Commissioner of Ontario.

In the period covering the first full year of the mandatory healthcare sector breach reporting, from January 1 to December 31, 2018, the Information and Privacy Commissioner of Ontario reported that self-reported breaches in the healthcare sector rose from 322 in 2017 to 506 in 2018. Out of the 506 breaches reported, 120 were snooping incidents, 15 were ransomware and other cyberattacks, while the remaining 371 were due to lost, stolen or misdirected health information, records not properly secured and other collection, use and disclosure issues.

According to the Information and Privacy Commissioner of Ontario, the rise in snooping incidents wasn’t indicative of the rise of snooping incidents, but rather health information custodians have better methods of detection, such as the use of using data analytics to monitor and audit health information systems for unauthorized access and other types of health privacy breaches. The Information and Privacy Commissioner of Ontario also noted that the rise of self-reported breaches in the healthcare sector rose as health information custodians are now required to report breaches, unlike in previous years where it was only recommended to do so.

Cyber Attacks: A Growing Concern in Health Care

In the 2018 Annual Report for the Information and Privacy Commissioner of Ontario to the Legislative Assembly of Ontario, Commissioner Brian Beamish said that in 2018, Ontario’s health care sector was a prime target of ransomware and other cyber-attacks, with victims ranging from local health integration networks to long-term care facilities.

In June 2018, CarePartners, a home care service provider to Ontario's Local Health Integration Networks (LHINs) and an Ontario-based community health care agency, reported a data breach to the Information and Privacy Commissioner of Ontario. “The cyber-attack breached CarePartners' computer system and as a result patient and employee information held in that system, including personal health and financial information, has been inappropriately accessed by the perpetrators,” CarePartners said in a statement. The health care agency, however, didn’t specify the extent of the data breach in the public statement.

Commissioner Beamish said that cyber-attacks, in particular ransomware attacks, underscored the importance of the following:

1. Employee training and awareness of the serious threat posed by ransomware;
2. Tangible benefits of regular data backups of electronic files; and
3. Significant value of antivirus software that helps prevent, detect and remove malware through regular, real-time scans.

In the area of snooping or unauthorized access to health information by authorized users of health information systems, Commissioner Beamish said artificial intelligence can be used to curb unauthorized access. "When deployed properly, technology that identifies anomalous behaviour is a valuable tool for health information custodians, to not only detect and deter unauthorized snooping but to immediately identify and respond to cybersecurity threats,” Commissioner Beamish said.

Healthcare organizations are a prime target for cybercriminals. Let us help you protect patient information and mitigate IT security related risks.

Contact us today to get started.

Recent DDoS Attacks Leverage TCP Amplification

A recent report from Radware showed that attackers over the past month have been leveraging TCP amplification in launching distributed denial-of-service (DDoS) attacks.

What Is TCP Amplification?

TCP amplification is one of the lesser-known ways attackers perform DDoS attacks. In a DDoS attack, multiple computers are operating together to attack a particular target, for instance, a website.

TCP is a set of rules that’s applied whenever computers connected to the internet try to communicate with one another, enabling them to transmit and receive data. With TCP, connection is only established with a three-way-handshake, also known as SYN, SYN-ACK, and ACK. During the three-way-handshake, the IP addresses of both communication parties are verified via random sequence numbers.

1. SYN (Synchronize)

This first handshake happens when computer X, for instance, sends a message containing a random sequence number to another computer, let’s call this computer Z.

2. SYN-ACK (Synchronize-Acknowledge)

This second handshake happens when computer Z responds via an acknowledgment number and a random sequence number.

3. ACK (Acknowledge)

This third handshake happens when computer X completes the connection setup by sending a final acknowledgment to computer Z via a sequence number and acknowledgment number.

Amplification DDoS attack, meanwhile, refers to an attack in which an attacker doesn’t directly send traffic to the ultimate target but rather sends spoofed network packets to a large number of devices, also known as reflectors or amplifiers. Attackers often use amplifiers that send back responses that are significantly larger than the requests, resulting in an increased or amplified attack volume. TCP was initially thought to be immune from amplification attacks due to its three-way-handshake.

TCP’s vulnerability to amplification attacks was reported back in 2014. In the paper “Exit from Hell? Reducing the Impact of Amplification DDoS Attacks”, researchers at Ruhr-University Bochum demonstrated that even with the three-way-handshake TCP is still vulnerable to amplification DDoS attacks. According to the researchers, TCP is vulnerable to amplification DDoS attacks as SYN/ACK segments are resent until connection is successfully established, connection times out, or connection is manually closed.

Resending of SYN/ACK segments, the researchers said, overloads the capacity of the victim’s network. “In face of amplification attacks, this is problematic, as the client’s IP address is not validated until the handshake is complete,” the researchers said.

In this 2014 study, the researchers showed that hundreds of thousands of devices, mostly business and consumer routing devices, were vulnerable to be abused for amplification DDoS attacks as these devices repeatedly sent up to 20 SYN/ACK packets in response.

In the follow-up paper "Hell of a Handshake: Abusing TCP for Reflective Amplification DDoS Attacks", researchers at Ruhr-University Bochum identified thousands of TCP-based protocols that allow amplification of factor 50 times and higher. In this follow-up paper, the researchers also identified more than 4.8 million devices vulnerable to an average amplification factor of 112 times. They also identified thousands of devices that can be abused for amplification up to a factor of almost 80,000 times, reflecting more than 5,000 packets within 60 seconds and causing a serious impact on a victim’s network.

From the viewpoint of the attackers, the researchers said, abusing TCP brings multiple benefits as there are millions of potential TCP amplifiers out there and fixing them is an “infeasible operation”. According to the researchers, the root cause of the amplification DDoS attacks is IP address spoofing which "enables attackers to specify arbitrary targets that are flooded with reflected traffic”.

TCP Amplification Attacks + Carpet Bombing

Radware reported that last month, European sports gambling website Eurobet experienced TCP amplification attacks that lasted for nearly 30 days. Radware also reported that last month, Turkish financial services company Garanti experienced TCP amplification attacks.

In the case of TCP amplification attacks on Garanti, Radware said, "In a period of 24 hours, millions of TCP-SYN packets from nearly 7,000 distinct source IP addresses part of AS12903 (Garanti Bilisim Teknolojisi ve Ticaret TR.A.S.) were sensed globally and specifically targeting ports 22, 25, 53, 80 and 443.”

According to Radware, TCP amplification attacks are combined with a technique called “carpet bombing”. Carpet bombing attack is a type of DDoS attack where instead of focusing the attack on a single IP, random IP addresses of the victim’s network are attacked. Radware reported that over the last few months, carpet bombing has been used in a number of attacks against South African internet service providers (ISPs).

Impacts, Preventive and Mitigating Measures

By leveraging carpet bombing technique, attackers increase the attack surface; and by leveraging TCP amplification, attackers increase the hit rate onto the victim’s services. For now, however, carpet bombing has been predominantly used against ISPs.

While the recent TCP amplification attacks targeted large organizations, the victims of these attacks also include small organizations and homeowners who owned devices used for the TCP amplification attacks. As the main targets of TCP amplification attacks were overwhelmed by traffic and suffered outages as a consequence, the devices used in the TCP amplification attacks – those that processed the spoofed requests and legitimate replies from the main target of the DDoS – also experienced spikes in traffic, resulting in outages.

IP blacklisting is one of the options in preventing DDoS attacks. In the case of TCP amplification attacks that rely on IP address spoofing, IP blacklisting has some pros and cons.

One of the disadvantages of IP blacklisting in TCP amplification attacks is that legitimate users could be affected by this blacklisting as malicious actors could mimic their IP address.

Speak with our expert team today and prevent and mitigate denial of service attacks with iron-clad guarantees. No equipment to purchase, install or maintain.

Schedule a consultation today and protect your organization.

Data Breach Reports Skyrocket After Implementation of Canada’s Privacy Law

 

The recent report from the Office of the Privacy Commissioner of Canada showed that data breach reports in Canada skyrocketed after the implementation of the mandatory data breach reporting required under the country’s privacy law.

Mandatory Data Breach Reporting

On November 1, 2018, organizations across Canada became subject to the mandatory data breach reporting under Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). Prior to the mandatory data breach reporting, data breach reporting was done on a voluntary basis.

Organizations subject to PIPEDA are required to report to the Office of the Privacy Commissioner of Canada any data breaches that pose a real risk of significant harm to an individual or individuals. The law also requires that the affected individual or individuals should be notified and records of all data breaches should be kept within the organization.

The Numbers After One Year of Implementation

Last November 1st, one year after the implementation of the mandatory data breach reporting, the Office of the Privacy Commissioner of Canada reported that breach reporting “skyrocket”, increasing six times the volume that the office had received during the same period one year earlier. According to the Office of the Privacy Commissioner of Canada, from November 1, 2018 to October 31, 2019, a total of 680 breaches were reported to the office, affecting over 28 million Canadians.

The Office of the Privacy Commissioner of Canada said that while some of those reports involved well-known corporate names, a significant volume came from small and medium-sized businesses.

Fifty-eight percent or 397 of the reported breaches, which made up the majority of reported breaches, involved unauthorized access, the Office of the Privacy Commissioner of Canada said. Key factors behind breaches resulting from unauthorized access were social engineering hacks and malicious insiders.

According to the Office of the Privacy Commissioner of Canada, more than one in five or 147 data breaches reported over the past year involved accidental disclosure, which includes sending critical information to the wrong person as a result of incorrect email or postal address or accidental exposure.

The Office said roughly one in four of the reported breaches involved social engineering attacks such as phishing and impersonation. In phishing attacks, attackers send malicious emails containing malicious links or attachments. Once this malicious link or attachment is clicked, it installs malicious software (malware) on the email receiver’s computer.

Impersonation

In impersonation, the tactic used in business email compromise (BEC) scams, fraudsters convince employees at an organization that they are someone. In a BEC scam, a fraudster impersonates via a spoofed email, for instance, a CEO and convinces an employee of an organization to release a certain amount to a bank account controlled by the fraudster.

According to the Office of the Privacy Commissioner of Canada, it observed a growing impersonation scam in the telecommunications industry. In the tactic known as SIM swap, an impersonator convinces a customer service representative of a telecommunication company into believing that he or she is an account holder. Successfully convincing a customer service representative, enables the impersonator to make changes to the account, including the change of a phone number to be assigned to a new SIM card controlled by the impersonator, allowing the impersonator to access other accounts.

In related information, the U.S. Federal Bureau of Investigation (FBI) recently issued an alert to its partner organizations warning them about SIM swap. According to the FBI, between 2018 and 2019, SIM swap is the most common tactic used by malicious actors in bypassing the two-factor authentication (2FA), which resulted in draining the bank accounts of the victims and passwords and PINs changed.

Notable Reported Breaches

The reported breaches at the financial cooperative Desjardins and financial holding company Capital One are two of the notable breaches over the past year as these two breaches affected millions of Canadians. The Desjardins data breach, which was initially announced in June 2019, affected 4.2 million Canadians; while the Capital One data breach, which was initially announced in July 2019, affected 6 million Canadians.

Desjardins attributed the data breach to one suspect, a former employee; while Capital One attributed the data breach to a “specific configuration vulnerability” in its public cloud infrastructure – a vulnerability that was exploited by one suspect, a former employee of the public cloud infrastructure, the Amazon Web Services (AWS).

Amazon, for its part, said in a statement, “AWS was not compromised in any way and functioned as designed.” The company added that the Capital One data breach, which also affected 100 million individuals in the United States, wasn’t a result of a vulnerability in the cloud server itself, but by a misconfiguration of firewall settings on a web application, managed on the cloud server by Capital One.

Preventive and Mitigating Measures Against Data Breaches

The Office of the Privacy Commissioner of Canada offers the following cyber security measures in order to prevent or mitigate the effects of a data breach:

• "Know what personal information you have, where it is, and what you are doing with it. When and where do you collect personal information? Where does that information go? Who can access it, and what do they do with it? You must understand your data before you can protect it!

• "Know your vulnerabilities. Conduct risk and vulnerability assessments and/or penetration tests within your organization to ensure that threats to privacy are identified. Don’t just focus on technical vulnerabilities, though. Are third parties collecting personal information on your behalf without appropriate safeguards? Are your employees aware of risks and their privacy responsibilities? Over the last year, the OPC [Office of the Privacy Commissioner] has seen each of these scenarios lead to a breach. Identify your organizations’ weak points before a breach identifies them for you!

• "Be aware of breaches in your industry. Attackers will often re-use the same attacks against multiple organizations. Pay attention to alerts and other information from your industry association and other sources of industry news. Don’t be the next vulnerable target!”

How Does the Cybersecurity Skill Gap Affect Your Organization and What can You Do to Make it Right?

“There are only two types of companies: those that have been hacked, and those that will be.”

— Robert Mueller, FBI Director

What cybersecurity measures does your organization have in place? And who manages them?

Chances are, you’re struggling to appoint an in-house, qualified cybersecurity specialist. Research by CyberEdge Group reveals that four in five organizations are in the same boat.

This skills gap has decreased in the past couple of years, but it continues to impact different sectors in a major way. Education is the area affected most, with 87.1 percent of organizations having difficulty finding qualified experts, followed by telecommunications & tech (85.1 percent).

The lack of suitable candidates available to help organizations safeguard their systems in an age of ransomware, DDoS attacks and more is concerning. Cybercriminals continue to employ ever-more-sophisticated techniquesto disrupt businesses and organizations of different sizes, across all industries (even healthcare). Sensitive data and processes must be protected to minimize threats.

Understaffed organizations on tight budgets are especially vulnerable. 43 percent of cyberattacks target small businesses and just 14 percent of these are prepared — costing them $200,000 on average.

And it makes sense. Leading brands and massive institutions can at least invest in cutting-edge software and external consultations to set-up efficient cybersecurity defenses. Smaller ones, particularly startups and none-profits, may be unable to afford either.

Any organization without the finances for a full-time in-house IT specialist can use managed cybersecurity services to protect their system instead. A vulnerability assessment is perhaps the best place to start, to identify your biggest risks and take steps to mitigate them.

But what else can you do to tackle cybersecurity flaws in your organization when you can’t find or afford an in-house specialist?

1. Invest in quality training to make your workforce more cybersecurity-aware

Cybersecurity is a complex area. This means it’s daunting for almost anyone without qualifications or experience in IT to grasp without extensive training.

But this creates an opportunity to empower your staff with the skills, insights and practical knowledge to help your organization stay safe. Determine where your biggest vulnerabilities are and what attacks may pose the biggest risk to your operations.

For example, you might buy high-end hardware and reliable software — yet have no idea how to maximize their performance.

Alternatively, your workforce could consist of people without even basic computer skills or awareness of digital dangers. The mere mention of ransomware or malware could fly right over their heads.

Investing in cybersecurity training obviously incurs expense, but it will pay off when your organization is less susceptible to major disruptions. 60 percent of small- and medium-sized businesses close their doors within six months of being hacked. And the fallout of this can be severe when mammoth investments have been made into trying to keep an organization afloat.

You may already have an idea of which types of training will suit specific employees, based on their work experience, attitude or technical skills. But even if you don’t, taking the time to align the right knowledge upgrades with the right people will ensure organizations maximize the value of their training.

2. Make raising awareness of cybersecurity threats and trends an ongoing part of your company culture

Cybersecurity trends change as hackers’ techniques and technologies evolve. Any organizations relying on outmoded measures leave their systems more vulnerable than they need to be. That’s why it’s so important to stay in touch with the latest attacks, the ways in which they penetrate systems and how businesses deal with them.

For example, companies falling prey to a ransomware scheme may agree to pay the attacker(s) immediately out of desperation to get back on track. But there’s no guarantee that those responsible will honor their word and return your system to normal. They could take the money and leave the organization locked out of its own network.

A failure to research and keep track of the latest developments in ransomware — as well as the wider world of cybersecurity — means organizations would be more likely to hand over the cash without considering the potential fallout. As a result, it might spend thousands of dollars and still be forced to close up shop when its data remains out of reach.

Cultivate a greater awareness of cybersecurity in your organization. Share news stories, articles and updates related to the industry on a regular basis. Encourage staff to get involved with local initiatives or conferences designed to increase cybersecurity education. Offer incentives for anyone interested in growing their skill set.

Building a workforce with a deeper understanding of common cybersecurity threats, and the measures required to combat them, can make a significant difference to your organization’s safety in the future.

And don’t overlook the basics, either. Encourage staff to stay safe and remain vigilant whenever they’re online. This includes:

• Updating passwords and making them as hard to crack as possible
• Being wary of downloading attachments or clicking links in suspicious emails
• Only sharing access or files with verified contacts
• Making sure web application security is up to date

Another key issue to consider in your organization’s cybersecurity strategy is updating systems when employees leave, including shutting down any open sessions, something that is often overlooked by IT departments.

Change login details to stop them gaining access to sensitive data or allowing others to do so. Even workers who seem trustworthy could still go on to compromise your organization’s security, intentionally or not.

Every organization must take cybersecurity seriously. While the skill gap may make finding a qualified, experienced expert to manage your cybersecurity in-house difficult (if not impossible, depending on your budget), following the tips explored above can make a real difference.

Managed cybersecurity services are a cost-effective, simple way to identify your organization’s gaps and fill them. Reliable specialists will perform a vulnerability assessment, reduce your chances of suffering a data breach and protect cloud & on-premise environments — safeguarding your systems on all fronts.

Take action. Make a stand. Protect your organization against cyber-attacks. Contact our experts now.