What Is Password Spray Attack and How to Prevent It

VPN provider Citrix, whose clientele includes more than 400,000 organizations including 98% of the Fortune 500 companies, recently disclosed that cybercriminals gained access and downloaded business documents from its internal network.

According to the Federal Bureau of Investigation (FBI), the one that informed Citrixabout the illegal intrusion, the attackers likely used a tactic known as password spray to gain a foothold with limited access to Citrix’ network and worked to circumvent additional layers of security.

What Is Password Spray Attack?

Password spray is a type of cyberattack that attempts to access a large number of usernames (accounts) using commonly used passwords. This type of attack is also known as low-and-slow method as an attacker or attackers at first attempt to login using a single commonly used password for a number of usernames. If the first password is incorrect for all the usernames, the attackers will then use a different password, giving sufficient time in between different password guessing so as not to trigger any time-based account lockout thresholds.

Attackers, for instance, can easily get all usernames of a certain organization using the toolMailsniperand then attempt to login using at first the commonly used password “P@$$w0rd” on all of the usernames, and if this password fails, after a sufficient time interval, use another commonly used password “Password1” and so on.

Password spray is a stealth form of cyberattack, evading most detection techniques. On the part of the legitimate user or the organization, login attempts that are part of password spray attacks are seen as isolated failed login.

On the part of the attackers, password spray attack is a numbers game. Even though commonly used passwords are used only by 0.5-1.0% of accounts, one successful attempt for every thousand accounts attacked is enough as this one successful attempt has a multiplying effect. Successful access to one account allows attackers to harvest further information.

A study conducted by the UK National Cyber Security Center (NCSC)showed that 75% of the participants’ organizations (UK-based) had accounts with passwords that featured in the top 1,000 passwords, and 87% had accounts with passwords that featured in the top 10,000.

"This data suggests that password spraying attacks are likely to have some success against these organizations, and many other organizations across the UK,” NCSC said. “Whilst account lockout policies may limit attackers to trying (for example) 10 passwords against a single account per day, the account lockout counters usually reset over time. This allows persistent attackers to try more passwords, and they can (and do) end up trying hundreds or even thousands of common passwords.”

Prevalence

The recent cyberattack on Citrix via password spray attack shows that cybercriminals are increasingly using this form of cyberattack against organizations worldwide. In March 2018, the U.S. Department of Homeland Security (DHS) and the FBI released a joint alertwarning the public against the growing threat of password spray attacks.

Passwords aren’t just used in emails. They’re also used in single sign-on (SSO) or web-based applications with federated authentication method. According to DHS and FBI, victims of password spray attacks often use SSO or web-based applications with federated authentication method. DHS and FBI added that the vast majority of known password spray victims share some of the following characteristics:

• Lack of multifactor authentication (MFA)
• Allow easy-to-guess passwords (“P@$$w0rd” or “Password1”)
• Use inbox synchronization, allowing email to be pulled from cloud environments to remote devices
• Allow email forwarding to be setup at the user level

In March 2018, theFBIannounced the hacking-related charges against nine Iranians. The FBI said the accused conducted a 4-year campaign that compromised nearly 144 U.S.-based universities and 176 foreign universities in 21 countries. In addition to the compromised universities, the FBI said 50 U.S. and foreign private companies, the states of Hawaii and Indiana and the United Nations were compromised by the accused as well.

Over 30 terabytes of academic data and intellectual property, equivalent to 3 times the amount of data contained in the print collection of the Library of Congress, were stolen by the accused, the FBI said.

According to the FBI, the accused compromised their victims through password spray attacks. “They were flying under the radar,” said the FBI agent who investigated the case, “and the magnitude of their effort was remarkable.”

How to Prevent Password Spray Attacks

While password spray attacks can go undetected by security networks, there are, however, indicators of this type of cyberattack. Indicators of password spray attacks include the rise in attempted logins against the enterprise SSO portal or web-based application, and employee logins from IP addresses resolving to locations not consistent with their normal locations.

Here are some measures aimed at deterring password spray attacks:

1. Use Multifactor Authentication (MFA)

Using MFA in all active, internet facing protocols is one way to deter password spray attacks. So long as there are passwords, attackers would forever guess them. MFA is a means to distinguish between a legitimate account owner and the attacker.

2. Ban Commonly Used Passwords

Banning commonly used passwords is another means to deter password spray attacks. Every password creation, change or reset should run through a banned password checker, containing a list of words that no one should ever have in their password.

3. Use Non-Password-Based Access Methods

Password spray attacks exist because of passwords. When passwords aren’t used at all, there would be no passwords that the attackers have to guess. Instead of passwords, use non-password-based authentication methods.

For instance, Windows Server 2016 enables completely password-free access based on strong cryptographic keys tied to both the user and the device.

Decade-Old Qbot Banking Malware Makes a Comeback 

The decade-old Qbot banking malicious software (malware) has made a comeback, this time exploiting a tool that already exists on targeted computers: BITSAdmin.

Researchers at Varonisrevealed that thousands of computers around the globe have been compromised and under active control by a new variant of the Qbot malware, this time leveraging BITSAdmin, a common administration tool. The researchers said they found 2,726 unique victim IP addresses infected with this new variant of Qbot.

The researchers added that the number of victims is likely much larger as many organizations use port address translation that hides internal IP addresses. Majority of the Qbot malware victims, Varonis researchers said were located in the U.S., but victims were also found in Canada, the U.K., France, Brazil, Germany, South Africa, Russia, China and India.

What Is Qbot?

Qbot, also known as Qakbot or Pinkslipbot, is a malware that was first observed in the wild in 2007. Through the years, this malware has morphed into various versions due in part to the fact that the source code of this malware is publicly available. The various versions of Qbot retain the primary purpose of this malware, that is, to steal online banking account information from compromised computers.

According to Microsoft, over the years, cybercriminals behind Qbot have improved the Qbot code, enabling this malware to better “evade detection, stay under the radar longer, and increase the chances of spreading to other potential victims.”

Various versions of Qbot, including the latest version observed by Varonis, steal online banking account information from compromised computers through keylogging and hooking.

In keylogging, every keystroke that the victim enters is automatically captured and sent to the Qbot attackers. Hooking, also known as code hooking, modifies the behavior of a computer program. For instance, antivirus programs use hooking once it discovers the presence of a malware. On the flip side, cyberattackers use hooking as well, for instance, altering the behavior of a computer program or a browser, which can lead to exfiltration of passwords and cookies (referring to the text file that a web browser stores on a user's computer).

Another common feature of Qbot variants is the worm-like capability or the ability to spread across an organization’s network and infect other systems without user interaction. According to Microsoft, Qbot "can drop copies in other machines in the network using Server Message Block (SMB) and then use remote execution to activate.” SMB is a Microsoft Windows protocol for sharing files over a network.

Another common feature of Qbot variants is the initial infection process. Like many other cyberattacks, Qbot initially arrives on the victim's computer through malicious email campaigns, containing a malicious attachment and/or link.

What Is BITSAdmin?

BITS in the term “BITSAdmin” stands for Background Intelligent Transfer Service (BITS). BITS is a component of Microsoft Windows operating systems which facilitates updates and other applications to operate in the background without interrupting other networked applications.

Cybercriminals have learned to abuse BITS by using this legitimate administration tool for downloading, executing and even cleaning up after running malicious code. The interface to create and manage BITS jobs or tasks is accessible through PowerShell, a tool capable of executing code from memory and providing administrative access directly to a device's core, and BITSAdmin tool, a tool that can be used to create download or upload BITS jobs and monitor their progress.

In the past, cybercriminals behind Qbot have used PowerShell to download and run the Mimikatz, another malware that steals credentials, allowing attackers to move rapidly across a network once they have established an initial foothold.

Researchers at Varonis reported that the latest Qbot, uses BITSAdmin, another common administration tool in Windows operating systems, to download Qbot’s loader – a component that executes the core malware.

The abuse of legitimate administration tools such as PowerShell and the BITSAdmin are examples of “living off the land” cyberattack techniques that exploit tools that already exist on targeted computers. Exploiting these common administration tools makes detection difficult.

One probable explanation why the cyberattackers behind the latest variant of Qbot use the administration tool BITSAdmin, instead of PowerShell, is that PowerShell is now closely monitored on enterprise systems. A recent study conducted by IBMshowed that more than half or 57% of cyberattacks exploit tools that already exist on targeted computers. The IBM study highlighted that the administration tool that’s often exploited by cyberattackers is PowerShell.

Prevention

Cyberattackers that abuse PowerShell and BITSAdmin have first to execute their malicious code on the targeted computer. The initial infection of PowerShell and BITSAdmin-based attacks is often phishing attacks, attacks that use malicious emails that contain malicious attachments and/or links. 

In the case of the latest variant of Qbot, Varonis researchers said the first infection was likely carried out via a phishing email that tricked the victim into running a malicious file. Cybersecurity best practices for mitigating phishing attacks also apply for mitigating PowerShell and BITSAdmin-based attacks. These mitigating measures include deleting any suspicious emails, especially those containing suspicious links and/or attachments, and avoiding enabling macros in Microsoft Office.

Disabling all BITS functionality, meanwhile, as a preventive measure is a tricky business as this will likely have unintentional side effects, such as preventing legitimate software patching and updating. Some of the mitigating measures that are specific to BITSAdmin-based attacks include modifying host firewall rules and other network controls to only allow legitimate BITS traffic, and monitoring usage of the BITSAdmin tool, including the command options “Transfer”, “Create”, “AddFile”, “SetNotifyFlags”, “SetNotifyCmdLine”, “SetMinRetryDelay” and “Resume”.

Trend Shows Cybercriminals Are Turning to Formjacking

A newly released global cyberthreat trend shows that cybercriminals are turning to formjacking as a new get-rich-quick scheme.

In the recently released Internet Security Threat Report, Symantec reported that on average, more than 4,800 unique websites are compromised with formjacking every month. According to Symantec, formjacking has increased dramatically since mid-August 2018. By the end of 2018, Symantec said it detected 3.7 million formjacking attacks, with nearly a third of all detections occurring during November and December – the busiest online shopping period.

Symantec said that while any organization, regardless of size and location, which processes payments online is a potential victim of formjacking, small and medium-sized retailers are, by and large, the most widely compromised by formjacking attackers.

What Is Formjacking?

Formjacking is a type of cyberattack that injects malicious code into website forms. This malicious code allows attackers to steal credit card details and other personal and financial information that are entered into the compromised forms as information is automatically sent to attackers. Stolen information could be used by attackers to perform payment card fraud or attackers could sell these details to other cybercriminals.

According to Symantec, attackers need only 10 stolen credit cards from each of the more than 4,800 compromised websites each month to earn up to $2.2 million per month considering that the current value for each card is $45 in underground selling forums.

How Are Formjacking Attacks Carried Out?

In recent months, two methods of formjacking attacks were observed: supply chain attack and redirection chain.

Supply Chain Attack

One of the ways by which formjacking attackers gain access to a website and change the code on its checkout page is through supply chain attack. In a supply chain attack, attackers gain access to a large organization’s website and change the code on its checkout page by exploiting the security vulnerabilities in a smaller business used by the larger company to provide different services.

The Ticketmaster formjacking case is an example of a formjacking attack carried out by means of a supply chain attack. In the Ticketmaster case, attackers injected malicious code into Ticketmaster’s checkout pages after compromising a chatbot used by Ticketmaster for customer support. This malicious code enabled the Ticketmaster attackers to capture payment card data and other information from customers and send them to their servers.

The chatbot used by Ticketmaster for customer support was hosted by Inbenta, an external third-party supplier to Ticketmaster. Inbenta chief executive Jordi Torras toldZDNetthat attackers exploited a number of vulnerabilities of Inbenta’s servers and in the process altered the chatbot code.

"It has been confirmed that the source of the data breach was a single piece of JavaScript code, that was customized by Inbenta to meet Ticketmaster's particular requirements," Jordi Torras said. "The JavaScript we created specifically for Ticketmaster was used on a payments page, which is not what we built it for. Had we known that script would have been used in that way, we would have advised against it, as it poses a security threat."

The Ticketmaster formjacking case, therefore, wasn’t directly an attack against Ticketmaster but an attack on a third-party supplier Inbenta. It’s worthy to note that supply chain attack was also used in the NotPetya attack in 2017 in which MEDoc, a tax and accounting software package, was used for the initial insertion of NotPetya malware into corporate networks.

Supply chain attacks show that cybersecurity hygiene shouldn’t only be implemented within an organization’s internal IT systems but also for third-party software and applications.

Redirection Chain

Redirection chain as a means of carrying out a formjacking attack is a new technique used by attackers in late 2018. In a redirection chain attack, a user that uses a checkout page of an online retailer is redirected to the checkout page of another online retailer which is injected with formjacking code. When this user enters payment information, the information is sent both to the retailer as well as to the attackers. 

In December 2018, Symantecreported that it detected a checkout page of a retail store in Paris which was injected with a formjacking code. The injected formjacking code, Symantec said, collects the payment information entered by customers and posts it to the domain google-analyitics.org.

Symantec observed that popular online retailers’ checkout pages from different countries, such as the U.S., Japan, Australia, and Germany redirected to this one Paris checkout page. “This created an interesting redirection chain as customers of all these websites were being infected by formjacking at the same time,” Symantec said.

Symantec added that to make matters worse, the formjacking code in the above-mentioned redirection chain attack comes with Firebug, a debugging tool that prevents security researchers from analyzing the malicious code.

Prevention

Formjacking attacks are becoming sophisticated and stealthy as shown in the above-mentioned examples. Users of compromised checkout pages may not realize they’re victims of formjacking as compromised checkout pages generally continue to operate as normal.

Here are some cybersecurity measures in order to prevent formjacking attacks:

• Test new updates of third-party software in small test environments in order to detect any malicious code.
• Monitor all system activities to block malicious application before any damage can be done.
• Use Subresource Integrity (SRI), a security feature that enables browsers to verify that resources they retrieve are delivered without unexpected manipulation.

Don’t have cybersecurity resources or dedicated CISO? Contact us today to mitigate IT risks, fast.

Why Small Businesses are at Risk of Cyberattacks

Launching a small business is hard work. It takes months of planning, research, marketing and strategizing. It demands commitment, sweat, possibly even tears.

But once you have that enterprise up and running, the realization that you’ve carved your own niche in a highly-competitive marketplace makes it all worth it.

Imagine you’ve gone through this process. Imagine you’ve invested all your energy, resources and money into building a small business. Imagine you’re feeling confident in your brand and excited for what the future holds.

Now, imagine how devastated you’d feel if your company was attacked by a cybercriminal.

Sadly, it’s a common occurrence — and expensive. Research shows 43 percent of cyberattacks target small businessesand data hacks can cost in excess of $250,000in extreme cases.

A large-scale cyberattack can leave your small business facing real financial difficulties, expose your valuable data and prompt your clients to wonder how safe their information is in your hands.

Needless to say, this chain reaction can have a crushing impact on your small business. It could cause extensive disruptions to your workflow, triggering delays and adding friction to your client relationships.

So, why do hackers target small businesses? And what can you do to help safeguard your growing enterprise from their attacks?

A Complacent Approach to Cybersecurity

One reason hackers tend to target small businesses is complacency.

Not every emerging company falls into this camp, of course — some do take a strict approach to securing their network. However, it’s not uncommon to find small-business owners believing themselves to be ‘too small’ for hackers to target.

This mindset can be dangerous. It’s the very thing hackers will bank on to gain access to your system.

A Lack of Investment

Another issue is the lack of funds to finance high-quality cybersecurity solutions — and that’s understandable. After all, you have so much to cover already. Salaries. Rent. Equipment. The list goes on and on.

But cybersecurity must be a priority for your small business. Never underestimate hackers’ ruthlessness: a company without the money to pay for effective safeguards or a real grasp of how vulnerable they are is an ideal target. Criminals see an ill-informed, ill-prepared enterprise as low-hanging fruit.

Don’t make their ‘work’ easier. Don’t give them any obvious vulnerabilities to exploit.

Small Businesses are More Likely to Pay Ransoms

Ransomware has been a growing threat to companies of all sizes in the past year or so. Hackers essentially lock businesses out of their own systems (or, at least, parts of it) and demand money in exchange for their freedom.

Businesses don’t have to pay up to get full access again, as experts can help. However, small companies who may be a little less educated on the topic will believe handing the money over is the only way out of the situation.

They could also feel as if being unable to continue on track will put them out of business.

Untrained Staff Fall Prey to Phishing Scams

Hackers see small businesses as ripe targets as their staff may not be aware of common malware attacks and phishing scams. They may not recognize the warning signs of, say, infected email attachments or dangerous links.

This can open the door to data breaches, ransomware and more. Any employees responsible would no doubt feel incredibly guilty as their colleagues and clients face the consequences of their mistake.

But it’s not just their fault: it’s down to small businesses to make sure proper education and training is in place to maximize workers’ knowledge, boost vigilance and minimize threat levels.

How can Small Businesses Protect Themselves Against Cyberattacks?

As a small-business owner, there are multiple steps you can take to protect your company, your employees and your clients from possible cybersecurity risks.

Implement a strict password strategy

We all have numerous passwords for online accounts. Maybe you have one or two for your banking. Perhaps a few more for streaming services (Netflix, Hulu etc.). You’ll probably have others for social networks too (Facebook, Twitter, Instagram, WhatsApp to name just a few).

It’s hard to keep track of these. That’s why so many of us use the same single password for every account — and that’s dangerous. Because if a hacker cracks it, they’ll have access to everything else too.

You can’t afford to make the same mistake with your business’s security. Make sure your team members understand just how important unique passwords are for the tools they use on a daily basis. They should create passwords including a mix of lowercase and uppercase characters, numbers and symbols.

This takes more time and can feel like a hassle, but it’s well worth it for added peace of mind. Make sure to change passwords once or twice a month, if not more often.

Invest in expert training

Consider bringing a cybersecurity expert into your business to train your employees on effective steps they can take to minimize their risk of exposing data to criminals.

This can make a big difference and empower workers with the confidence to remain vigilant at all times. If every member of the team knows how to identify a potential threat and take action to avoid it, your small business will be much safer against cyberattacks.

Be careful with authorizations

Sadly, cyberattacks may not originate from outside your business — they could be the work of an employee.

This may be an individual with a grudge or simply someone who’s incompetent. Whatever the reason, internal threats can be prevented by reviewing your authorization strategy.

Take care to only grant your most trustworthy, reliable employees access to sensitive data. Monitor your team’s activities and update your cybersecurity measures on a regular basis.

Every small business must take cyberattacks seriously. Never assume you’re not at risk just because there are so many bigger targets to aim for — this complacency and lack of preparation could be a hacker’s way in.

Trust our experts to provide all the help you need with your small business’s cybersecurity.

Contact us todayto discuss your options with a member of our team and subscribe to our newsletter for the latest essential updates.

Can Your Organization Survive a Cyberattack that Permanently Destroys Data?

Financial gain, either short-term or long-term, is often the motive of most cyber criminals. Some cyber criminals, however, aren’t after financial gain, but rather, they’re simply out to cause as much damage as possible.

The recent cyberattack at email service provider VFEmail shows an unconventional motive of simple destruction. Milwaukee-based VFEmail, founded in 2001, provides email service to businesses and individuals.

The first hints of the cyberattack on VFEmail came out last February 11, when the company’s Twitteraccount issued a series of tweets about the attack, starting with a tweet that said, “This is not looking good. All externally facing systems, of differing OS's and remote authentication, in multiple data centers are down.”

By 5 PM on February 11, the company declared on its website, “We have suffered catastrophic destruction at the hands of a hacker.” The company added that the attacker destroyed nearly two decades' worth of emails of all data in the US, both primary and backup systems.

The company further said that the attacker hasn’t asked for ransom. “Just attack and destroy," the company said. When asked about the identity of the attacker, VFEmail owner Rick Romero tweetedit could be "someone who had data they didn't want found or I really pissed off."

This recent cyber incident isn’t the first time that cyber criminals have targeted VFEmail. In a blog postdated November 4, 2015, Romero shared that a group of hackers threatened to launch a distributed denial-of-service (DDoS) on his email service if he doesn’t pay 5 Bitcoins.

True enough, after refusing to pay the ransom, VFEmail’s email service was disrupted by a DDoS attack prompting Romero to expose the group's extortion campaign. In 2017, the company’s email service was once again disrupted by a series of DDoS attacks, prompting the company to change to a new hosting provider. In 2018, the company’s email service was once again disrupted by a DDoS attack.

It isn’t clear what actually caused the latest cyberattack on VFEmail. What’s clear though is that the company’s nearly two decades' worth of emails of all data in the US, both primary and backup systems, are lost forever. 

Other Cases of Disruptive Cyberattacks

WannaCry and NotPetya

WannaCry and NotPetya are two examples of cyberattacks that were meant mainly to destroy. At the height of WannaCry attack on May 12, 2017, an estimated 300,000 computers in 150 countries were infected by WannaCry malicious software (malware). Six weeks after the WannaCry attack, NotPetya malware was launched although it didn’t have as much impact as WannaCry.

Both WannaCry and NotPetya exhibit the characteristics of a ransomware, a type of malware that’s designed to deny legitimate users access to computer files by encrypting these files. Similar to other ransomware, WannaCry and NotPetya attackers also demanded ransom from their victims, assuring them that once ransom is paid, the decryption key that would unlock the encrypted files would be given.

While exhibiting the characteristics of a ransomware, both WannaCry and NotPetya were later found to be wipers – malware whose sole purpose was to destroy. Both WannaCry and NotPetya are considered as wipers, not ransomware, as despite paying ransom to the attackers, the attackers wouldn’t be able to give the correct decryption key as they themselves have no way of determining who paid the ransom and who didn’t. 

Shamoon

Shamoon is another malware whose main purpose is destruction. In December 2018, Italian oil services firm Saipemreported that its servers based in the Middle East, India, Aberdeen and, in a limited way, Italy were infected by a variant of Shamoon malware. As typical effects of the Shamoon malware, Saipem said in a statement, the infection resulted in the "cancellation of data and infrastructures." Days after the statement, the company’s head of digital and innovation, Mauro Piasere, told Reutersthat the attack crippled between 300 and 400 servers and up to 100 personal computers out of a total of about 4,000 Saipem machines.

According to Symantec, the latest version of Shamoon is far more destructive than the original Shamoon as the latest version has a new, second piece of wiping malware called “Trojan.Filerase,” a malware that deletes and overwrites files on the infected computer; while the original Shamoon malware itself erases the master boot record of the computer, rendering the computer unusable.

Because of the Filerase malware in the latest Shamoon version, Symantec said, recovery becomes impossible, compared to the older version of Shamoon in which the “files on the hard disk may be forensically recoverable.”

Prevention

Here are some cybersecurity best practices in order to help prevent or minimize the effects of destructive cyberattacks – attacks that are meant to destroy:

Keep All Software Up-to-Date

Installing the latest patch or security update in a timely manner is one of the ways to keep destructive attacks at bay. Patches or security updates fix known security vulnerabilities that are likely to be exploited by cyber criminals.

Back-up Important Data

Similar to safeguarding your organization’s data from natural disasters, including fire and flood, having a back-up of important data will enable your organization to bounce back from a debilitating destructive cyberattack.

Practice Network Segmentation

It’s also important to practice network segmentation – the process of dividing your organization’s network into subnetworks. Network segmentation ensures that in case an attacker is able to infiltrate one of your organization’s network, the other networks won’t be affected.

How Advanced Persistent Threat (APT) Attacks Work

The final report of the Committee of Inquiry (COI), the body tasked to investigate Singapore's worst cyber-attack in its history, concluded that an unnamed Advanced Persistent Threat (APT) group was behind the country’s worst-ever cyber-attack.

“The attacker was a skilled and sophisticated actor bearing the characteristics of an Advanced Persistent Threat group,” COI said in its final report.

COI was tasked with looking into Singapore’s worst-ever cyber-attack: the data breach on Singapore Health Services Private Limited (SingHealth). The COI report(PDF) released to the public last January 10th is a redacted version of the final report, barring sensitive information that could further harm SingHealth.

The unnamed Advanced Persistent Threat group, the COI said, illegally accessed SingHealth’s database and illegally removed personally identifiable information of 1.5 million patients, including their names, addresses, genders, races, and dates of birth between the period of June 27, 2018 to July 4, 2018. Out of the 1.5 million affected patients, nearly 159,000 of these patients also had their outpatient dispensed medication records exfiltrated. The personal and outpatient medication data of Singapore’s Prime Minister were part of the illegally accessed and removed data.

What Is an Advanced Persistent Threat (APT) Attack?

An Advanced Persistent Threat (APT), as the name suggests, is a threat that’s “advanced”, which means that sophisticated hacking techniques are used to gain access to a system, and this threat is “persistent”, which means that the attacker or attackers remain inside the compromised system for a prolonged period of time, resulting in destructive consequences.

APT attacks on nation states, such as the attack on SingHealth, and large corporations are often highlighted. APT attackers are, however, increasingly launching APT attacks on smaller organizations that make up the supply chain in order to gain access to large organizations. APT attackers gain ongoing access to a system through the following series of events:

1. Initial Access

Attackers could gain initial access to a system through various means. It could be through a known software vulnerability that’s left unpatched. In unpatched security vulnerability, a software security update is available but for whatever reasons this update hasn’t been installed.

Attackers could also gain access to a system through phishing attacks – cyber-attacks that use an email as a weapon. In a phishing attack, the victim is tricked into clicking a link or downloading an attachment inside an email masquerading as coming from a legitimate entity.

In the case of the SingHealth cyber-attack, the COI said, “The attacker gained initial access to SingHealth’s IT network around 23 August 2017, infecting front-end workstations, most likely through phishing attacks.”

2. Establishing Footholds

Once the attackers gain initial access to the system, they then attempt to establish a foothold or footholds in the system. In establishing a foothold in the system, attackers typically implant a malicious software (malware) into the system to scan and move around the system undetected.

In the case of the SingHealth cyber-attack, the COI said the attacker used a “suite of advanced, customized, and stealthy malware” to stealthy move within the system and to find and exploit various vulnerabilities in SingHealth’s system. According to COI, a number of security vulnerabilities in the SingHealth network were identified in a penetration test in early 2017, which may have been exploited by the attacker. At the time of the cyber-attack, COI said a number of these vulnerabilities remained.

3. Intensifying Access

Attackers intensify their access within a system by gaining administrator rights – the highest level of permission that’s granted to a computer user.

In the case of the SingHealth cyber-attack, the COI said the group responsible for the SingHealth data breach gained administrative access to SingHealth’s servers as the said servers weren’t protected with 2-factor authentication (2FA), enabling the attacker to access the servers through other means that didn’t require 2FA.

4. Stop, Look and Remain

APT attackers are a patient bunch. These attackers are willing to wait for days, months and even years to achieve their goal, for instance, to remove critical data, only at the right moment.

In the case of the SingHealth cyber-attack, the COI said that while the group responsible for the SingHealth data breach was able to infiltrate SingHealth’s servers for months, it was only on June 26, 2018 that the group obtained credentials to the SingHealth’s database containing trove of patients’ data, and then started to remove the trove of data from June 27, 2018 until July 4, 2018.

On July 4, 2018, an administrator at Integrated Health Information Systems Private Limited (IHiS) noticed the suspicious activities and then worked with other IT administrators to terminate the exfiltration of data. IHiS was responsible for implementing cyber security measures and also responsible for security incident response and reporting at SingHealth.

Prior to the July 4, 2018 discovery, COI said, IHiS’ IT administrators first noticed the unauthorized logins into SingHealth’s servers and failed attempts at accessing the patients’ database on June 11, 12, 13, and 26, last year.

Prevention

Two major findings by the COI in the SingHealth cyber-attack stand out:

First, remediating the security vulnerabilities identified in early 2017 penetration test would have made it more difficult for the attacker to achieve its objectives.

Second, while the attacker operated in a stealthy manner, it wasn’t silent as the IHiS’ staff, in fact, noticed unauthorized activities prior to the actual data exfiltration. Recognizing these unauthorized activities as signs that a cyber-attack was going on and taking appropriate action could have prevented the actual data exfiltration.

Contact ustoday if you need assistance in protecting your organization from Advanced Persistent Threat (APT) attacks.

Cyber Attack Disrupts Operations of Major U.S. Newspapers

Cyber criminals ended 2018 with a high-profile cyber attack, this time, attacking Tribune Publishing’s network, resulting in the disruption of the news production and printing process of some of the major newspapers in the U.S. 

The Los Angeles Timesreported that what was first thought as a server outage at Tribune Publishing’s network was later identified as a cyber attack. Tribune Publishing once owned Los Angeles Times and San Diego Union-Tribune. These 2 newspapers were later sold to a Los Angeles biotech entrepreneur. Despite the sale, these 2 newspapers still share Tribune Publishing’s printing networks.

As a result of the cyber attack at Tribune Publishing, the distribution of the December 29^thprint edition of these 2 newspapers was delayed. The distribution of the December 29^thprint edition of The New York Times and The Wall Street Journal newspapers was also delayed as these two major newspapers share the use of Los Angeles Times’ Olympic printing plant – as the name implies, also used by the Los Angeles Times.

The cyber attack on Tribune Publishing also disrupted production of other Tribune Publishing newspapers. Tribune Publishing currently owns Chicago Tribune, New York Daily News, The Baltimore Sun, Orlando Sentinel, South Florida's Sun-Sentinel, Virginia’s Daily Press and The Virginian-Pilot, The Morning Call of Lehigh Valley, Pennsylvania, and the Hartford Courant.

Chicago Tribune, for its part, reported that its December 29^thprint edition was published without paid death notices and classified ads as a result of the cyber incident at Tribune Publishing.

Marisa Kollias, Tribune Publishing spokeswoman, said in a statement that by December 30th, production and delivery were back on track at all concerned newspapers. She didn’t, however, address the details about the cyber attack itself.

“We acted promptly to secure the environment while ... creating workarounds to ensure we could print our newspapers,” Kollias said. “The personal data of our subscribers, online users, and advertising clients has not been compromised.”

While authorities and Tribune Publishing are silent about the cause of the cyber attack and whether the attacker or attackers asked for a ransom, the Los Angeles Times and Chicago Tribune reported that several individuals with knowledge of the situation said the cyber attack bore the signature of Ryuk ransomware.

What Is Ryuk Ransomware?

Ryuk is a malicious software (malware) that’s categorized as a ransomware. In a ransomware attack, all or selected files in a computer infected by the ransomware are encrypted – the process of converting plaintext or any other type of data into encoded version, denying legitimate users access to these files.

Ransomware victims are informed of the file encryption via a notice shown on the monitor of the infected computer. This notice also functions as a ransom notice. Ransomware is characterized by the fact that victims are asked to pay ransom, typically in the form of cryptocurrency like Bitcoin (also referred as BTC) in the promise that once ransom is paid, a decryption key to unlock the encrypted files would be given. 

Ryuk was first reported by security researchers at Check Pointon August 20, 2018. The researchers said that 2 weeks prior to August 20th, Ryuk perpetrator or perpetrators attacked various organizations worldwide, earning the attackers over $640,000 in just a span of 2 weeks.

Check Point researchers said Ryuk’s early attacks encrypted hundreds of personal computers, storage and data centers in each infected organization. Some organizations paid large ransom in order to retrieve their files. The highest recorded payment was 50 BTC, then priced nearly $320,000.

According to Check Point researchers, Ryuk is a highly targeted attack, which requires “extensive network mapping, hacking and credential collection” prior to each operation. In addition to encrypting files in the local drives, Ryuk also encrypts network resources.

Analysis of Ryuk conducted by Check Point researchers showed that this ransomware is similar in many ways with another ransomware called “Hermes”. The attack at Far Eastern International Bank (FEIB) in Taiwan in October 2017 brought Hermes into public attention. While Hermes exhibited typical characteristics of a ransomware in the FEIB attack, it acted as a diversion only as the attackers’ ultimate goal was to steal money. The FEIB attackers stole $60 million in a sophisticated SWIFT attack, but the total amount stolen was later retrieved. Unlike Hermes, Ryuk functions not as a diversionary tactic but as the main act.

Here are some similarities in Hermes and Ryuk that led the Check Point researchers to conclude that whoever wrote the Ryuk source code had access to the Hermes source code (to date, the source codes of Ryuk and Hermes aren’t publicly available):

Similarity in Encryption Logic

The encryption logic in both Hermes and Ryuk is similar in structure.

Whitelisting of Similar Folders

Both Hermes and Ryuk encrypt every file and directory except “Windows”, “Mozilla”, “Chrome”, “RecycleBin” and “Ahnlab”. One explanation why attackers want victims to access search engines like Chrome and Mozilla is to allow victims to search online what the ransom note means.

Prevention

Here are some best security practices in order to prevent or minimize the effects of ransomware attacks like Ryuk: 

Implement Network Segmentation

Network segmentation is the practice of splitting a corporate network into subnetworks. This practice ensures that if one subnetwork is infected with a malware like Ryuk, the other subnetworks won’t be infected. In addition to improving security, network segmentation also boosts efficiency.

Back-Up Critical Files

These are the main reasons why organizations are willing to pay an exceptionally large amount of ransom to cyber attackers: a) victims want to retrieve their files back as these files are important to their existence, and b) victims have no copies of these critical files. Organizations that practice regular back-up of critical files can afford not to pay ransom to attackers.

Contact us today if you need assistance in protecting your organization’s resources from ransomware attacks.

Top 3 Cyber Security Predictions in 2019

Cyber-attacks are becoming more common and have become a looming threat not just to large enterprises but also to small and medium-sized organizations.

Here are our top 3 cyber security predictions for the year 2019:

1. Cloud Attack Threat

There’s a looming threat in the cloud as this is where the data is heading.

A study conducted by LogicMonitor(PDF) predicted that majority of IT workloads will move to the cloud by 2020, with workloads running in public clouds will reach 41% in 2020, while workloads running on-premises will fall to 27% and the balance will run on private or hybrid clouds.

Another study conducted by Gartnerpredicted cloud computing to be a $300 billion business by 2021. According to Gartner, organizations increasingly adopt cloud services as these have been proven to provide speed, agility and cut cost that digital business requires.

There’s, however, a flipside to the positive contributions of cloud computing. The 2nd quarter of 2018 study conducted by Gartner revealed that organizations continue to struggle with cloud security, with an estimated $400 billion lost to cyber theft and fraud worldwide.

Expanding cloud services as part of an organization’s digital initiatives is indeed needed, but these initiatives should be matched with a sound cloud security strategy as cyber criminals know that there’s money in the cloud.

There are many attack surfaces in the cloud that attackers could easily exploit. For instance, in early 2018, RedLockreported that attackers illicitly used the cloud computing resources of Tesla to mine a cryptocurrency. According to Redlock, attackers were able to gain access to Tesla’s cloud computing resources as Tesla openly exposed its Kubernetes – an open-source platform for managing cloud workloads and services – without password protection. Tesla’s exposed Kubernetes, Redlock said, contained the credentials of Tesla’s Amazon Web Service account.

In cryptocurrency mining, those who allow their computers to be used for mining digital coins are financially compensated for the computer and electricity usage. Cryptocurrency mining is legal in most countries but legality ends when this is done without the knowledge and consent of the owner of the computing resource – a cyber crime called “cryptojacking”. Since the most popular cryptocurrency Bitcoin reached an all-time high price of nearly $20,000 in late 2017, there has been a dramatic rise of cryptojacking.

2. Botnet Threat

Connecting almost every computing devices, including servers and Internet of Things (IoT) devices such as routers and security cameras, exposes online resources such as websites to botnet attacks.

Botnet, which originates from the words “robot” and “network”, refers to a group of malware-infected computers that’s remotely controlled by an attacker or attackers to conduct malicious activities such as a distributed denial-of-service (DDoS) attack. In a DDoS attack, fake traffic originating from malware-infected devices is directed against a target website, rendering the target website inaccessible to legitimate users.

In recent years, cyber attackers have tweaked in a number of ways the source code of the infamous malicious software called “Mirai”. At its peak in 2016, the Mirai malware infected hundreds of thousands of IoT devices worldwide and turned them as a “network of robots” to conduct malicious activities, including DDoS attacks.

In October 2016, the Mirai botnet almost brought down the internet when it attacked Dyn, a domain name service (DNS) provider. As a result of the attack on Dyn, 80 popular websites, including Twitter, Amazon, Reddit, Spotify and Netflix temporarily became inaccessible to the public.

A notable Mirai variant was recently discovered by researchers at Netscout. While the original Mirai infected IoT devices and turned them as part of a botnet, the Mirai variant discovered by Netscout researchers infected enterprise Linux servers and turned these compromised servers as part of a botnet. Turning hundreds of thousands or millions of IoT devices and a handful of enterprise servers as part of a DDoS botnet could bring down the internet or render many websites inaccessible to the public.

It’s important to note that the Mirai and other Mirai variant infections are preventable. The original Mirai infected hundreds of thousands of IoT devices by simply logging to these devices using default or factory username and password combinations. A mere change of default or factory username and password renders the original Mirai useless.

The recent Mirai variant discovered by Netscout researchers, on the other hand, infiltrated servers that were unpatched and through brute-force – systematic attempt to guess the correct username and password combination. Patching, that is, the timely installation of a security update, and the use of complex passwords could render this recent Mirai variant useless.

3. Shortage of Cyber Security Skills

While it’s widely known that there’s a shortage of cyber security professionals, what isn’t known is how dire the situation is.

A study conducted by (ISC)2revealed that the shortage of cyber security professionals around the world has never been more acute, placing the shortage of cyber security professionals at 2.93 million, with roughly 500,000 of these positions located in North America, 2.15 million positions located in Asia-Pacific and the balance located in other parts of the world.

“The lack of skilled cybersecurity personnel is doing more than putting companies at risk; it’s affecting the job satisfaction of their existing staff,” the (ISC)2 report said.

Happy New Year and stay safe!

Email-Borne Threats Still Bypass Current Security System, Study Shows

Despite the advancement in current email security systems, a new study reveals that these security systems still miss a significant number of email-borne threats.

In the 3rd quarter of 2018, Mimecastretested 80 million emails that were considered “safe” by current email security systems. The Mimecast study found that out of the 80 million emails deemed to be “safe”, 42,350 emails were found to be impersonation attacks, 17,403 contained malicious software (malware) attachments, 16,581 emails contained dangerous file types and 205,363 malicious URLs were found.

Impersonation attacks refer to emails that attempt to impersonate a trusted individual or company in order to gain access to corporate finances or data.

Dangerous files, meanwhile, refer to files such as .jsp, .exe, .dll and .src – files that allow a program to run on a computer, exposing the computer to further cyber attacks. According to Mimecast, dangerous files bypassed current email security systems at an increased rate, showing a 25% increase from the last quarterly test. 

How Prevalent Are Email-Borne Threats? 

In the first half of 2018, over half-a-billion emails were analyzed by FireEye. It found that less than a third or 32% of email traffic was considered “clean” and delivered to an inbox. FireEye’s analysis found that 1 in every 101 emails had malicious intent.

FireEye further found that majority or 90% of the blocked emails contained no malware – 81% of which considered as phishing attacks and 19% considered as impersonation attacks.

Cyber criminals see the advantages of leveraging emails as a means to wage cyber-attacks as emails continue to be the preferred form of communication worldwide despite the growth of other technologies such as social networking, instant messaging and chat. Email also maintains its dominance as it’s an integral part of the overall internet experience. An email address is required if you want to use a social networking site or for your bank’s online service.

According to The Radicati Group(PDF), over half of the world population uses email in 2018, with the number of worldwide email users expected to top 3.8 billion in 2018 and expected to grow to over 4.2 billion by the end of 2022.

The following trends in email-borne threats were observed by FireEye and The Radicati Group:

Blended Attacks

The most common form of email-borne threat is the blended attack – a form of attack that combines an email and web access to deliver a malware to an

organization’s internal network. In blended attack, the email itself doesn’t contain a malware. The email only facilitates the delivery of the malware as it contains a link that when clicked goes directly to a malicious website and from there the malware is downloaded, then infecting the

organization’s internal network.

Impersonation Attacks Have Gone Mainstream

The cyber-attack called “business email compromise”, also known as BEC or CEO fraud, is an example of an impersonation attack.

In impersonation or BEC attack, an attacker or attackers send a bogus email purportedly from the CEO to a targeted employee, typically one who has access to company finances. Through the bogus email, the attackers request the targeted employee to make an urgent money transfer, usually to a trusted vendor’s new bank account.

Many profit and nonprofit organizations had been duped by BEC scammers in recent years. According to the Federal Bureau of Investigation (FBI), BEC scammers, between October 2013 and May 2018, defrauded different organizations worldwide of almost $12.5 million.

Email Attack Schedule

Malware-based attacks most likely occur during Mondays and Wednesdays. During Thursdays, malware-less attacks most likely happen. Impersonation attacks, meanwhile, most likely occur during Fridays.

One example of the malware-less email is the impersonation email, an email that spoofs domains or uses lookalike domains. Another example of a malware-less malicious email is the blended email, whereby the email contains a link to a malicious URL. An additional example of a malware-less malicious email is one that contains a dangerous file such as an .exe file.

One explanation why impersonation emails are sent during Fridays is that impersonation emails typically are bogus emails from an organization’s CEO. During Fridays, especially late Friday afternoon, it’s typically difficult to call or talk in person with the boss – a situation favored by scammers to buy time to trick a targeted employee.

How to Prevent Email Attacks?

Here are some security measures in order to block or detect email-borne threats:

Staff Training

In email-based attack, it only takes one click to infect your organization’s internal network. And your weakest link for this particular type of cyber-attack is your staff. Staff training isn’t just a one-shot deal. It needs to be continuous as well as effective.

It’s particularly important to train executives and employees dealing with finances to be vigilant against email-borne threats as they’re targeted by criminals, especially in BEC attacks. One way to train your organization's staff is by sending test emails to check their resilience against email-borne threats.

Use an Advanced Email Security Tools

Traditional email security tools only block emails that contain malware. An advanced email security tool, in addition to blocking emails laden with malware, blocks malicious emails containing spoofs domains, lookalike domains, emails containing malicious URLs and emails containing dangerous files.

Contact us today if you need assistance in protecting your organization’s network from email-borne threats.

Hard Lessons from a Ransomware Attack

A regional county municipality in the province of Quebec, Canada has learned the hard lessons about cybersecurity after it suffered a paralyzing ransomware attack.

Bernard Thompson, reeve of Mekinac regional county municipality, told The Canadian Pressthat the ransomware attack that paralyzed the municipality’s servers gave the municipality hard lessons in cybersecurity. “In the end, in terms of the security of our system, [the ransomware attack] was actually positive,” Thompson said.

The cyberattack against Mekinac's servers highlights the importance of protecting your organization's servers against ransomware attacks.

How the Mekinac Cyberattack Unfolded

The Canadian Press reported that on September 10, this year, municipal employees, upon returning to work after a weekend break, found a ransomware notice on their working computers, informing them that their files are locked. The ransomware notices also specified that in order to unlock the files, a total of 8 Bitcoins, then equivalent to $65,000, must be paid to the attackers.

The municipality’s servers were disabled for nearly 2 weeks as a result of the ransomware attack. The attack ended when the municipality negotiated and paid $30,000-worth of Bitcoin as ransom payment to unlock the locked files.

“It was hard, clearly, on the moral side of things that we had to pay a bunch of bandits,” Thompson said. He said this was the road that the municipality took as choosing the other way could mean months of data re-entry, costing significantly more than $30,000.

Mekinac’s ransomware attackers are still unidentified and their location not determined to date.

What is a Ransomware Attack?

Ransomware is a malicious software (malware) that encrypts files. Encryption is traditionally used to prevent data theft. In encryption, plaintext or any other form of data is converted from a readable format into an encoded version – a format that can only be readable if one has access to a decryption key.

In a ransomware attack, attackers convert the victim’s data from a readable format into an encoded version and demand from the victim ransom payment in exchange for the decryption key.

Ransomware infects computers or servers in many ways. Here are some of the ways that ransomware infects computers or servers:

1. Email-Based Attack

In the case of the Mekinac ransomware attack, the municipality’s servers were infected by a ransomware after an employee opened and clicked on a link in a malicious email sent by the attackers. It wasn’t specified, however, what particular ransomware hit the Mekinac’s servers.

The ransomware called “Locky” is an example of a ransomware that’s spread via email spam campaigns. This ransomware arrives in a victim’s computer through a Microsoft Office email attachment that evades antispam filters and tricks the user to open the attachment. Once this malicious attachment is clicked, Locky encrypts computer files and then demands the victim to pay a ransom to unlock the encrypted or locked files.

2. Drive-By Attack

Drive-by attack is another way by which attackers infect computers or servers. Bad rabbit ransomware is an example of a ransomware that’s distributed via drive-by attacks.

In a drive-by attack, attackers insert a malicious code, in this case, a ransomware, into an insecure website. Once a user visits this compromised site, the malware may either directly download to the visitor’s computer or the visitor is redirected to another website controlled by the attackers and from there the malware is downloaded to the victim’s computer.

3. Unpatched Servers

The ransomware called “SamSam” is an example of a ransomware that infects servers when they’re in an unpatched state. An unpatched server is one that isn’t updated despite the availability of a security update.

Researchers at Cisco Talos, in a blog post, wrote, “Adversaries are exploiting known vulnerabilities in unpatched JBoss servers before installing a web shell, identifying further network connected systems, and installing SamSam ransomware to encrypt files on these devices.”

Lessons from Ransomware Attacks

Thompson, reeve of Mekinac regional county municipality, said that the ransomware attack on Mekinac’s servers taught the municipality to encrypt everything and to analyze every email. “Everything is encrypted now,” Thompson said. “Every email is analyzed before we even receive it. Every day, our system catches malicious emails trying to penetrate – but they are stopped. But the attacks keep coming.” 

In addition to encryption and email scanning, here are additional best practices in order to protect your organization’s servers from ransomware attacks:

Back Up Important Files

Back up files that are stored in safe storages that aren’t connected to your organization’s servers give your organization assurance that if anything happens with the servers, for instance, a ransomware attack, your organization will still have other copies of the important files. This eliminates the pressure of paying ransom to attackers for the decryption key to unlock the locked files.

Keep All Software Up-To-Date

Make sure that all your organization’s software, specifically the server operating system, are up-to-date. Every security update or patch issued by software vendors contains fixes of security vulnerabilities that cybercriminals are quick to exploit.

Implement Domain Whitelisting

Whitelisting certain domains won’t prevent drive-by download attacks, but it’ll prevent secondary malicious websites from loading.

Limit the Number of Users with Administrator Privileges

A computer user with administrator privileges can install and uninstall software and change configuration settings. Limiting this privilege to a limited number of personnel limits the exposure of your organization’s servers to drive-by attacks.

When your organization needs help, our experts are a phone call away. Contact ustoday to prevent ransomware attacks.