Thought leadership. threat analysis, news and alerts.
What Are Watering Hole Attacks & How to Prevent Such Attacks
Watering hole attacks are becoming more and more popular as these allow malicious actors to compromise intermediary targets to gain access to their intended final targets.
What Is Watering Hole Attack and How It Works
In a watering hole attack, a malicious actor compromises a third-party service, such as a publicly available website, in order to get access to the intended final target. There are various reasons why threat actors attack third-party services instead of the intended final targets. It could be that the intended final targets have stronger cyber defences, while third-party services lack the necessary cyber defences.
In watering hole attacks, threat actors study the employees of the intended final targets, such as finding out what sites these employees often visit. These sites are then analysed.
Sites with weak defences are often targeted, injecting these sites with malicious software (malware) or redirecting visitors to sites controlled by the attackers, leading to the downloading of the malware when these employees visit these sites. Attackers may also nudge an employee into visiting the compromised website or the URL they control by tricking the employee to click on the malicious link contained in a phishing email.
Once inside an employee’s device, threat actors then move toward the intended final target.
Examples of Watering Hole Attacks
The recent disclosure by researchers at Google's Threat Analysis Groupabout a small collection of compromised websites used in watering hole attacks which ultimately targets site visitors using certain versions of iPhones highlights the growing danger of watering hole attacks.
Researchers at Google's Threat Analysis Group revealed that over a period of at least two years, almost every version of iOS 10 through iOS 12 was potentially vulnerable when users visit a small collection of compromised websites. Simply visiting the compromised site, the researchers said, was enough for the exploit server to attack the vulnerable iPhones and install a malicious code that monitors the users’ activities.
The researchers estimated that the compromised sites receive thousands of visitors each week. In attacking the specific versions of iPhones, researchers at Google's Threat Analysis Group said, they identified a total of 14 security vulnerabilities: 7 for the iPhone’s web browser, 5 for the kernel and 2 separate sandbox escapes.
Other Cases of Legitimate Sites Used for Watering Hole Attacks
In late February and early March this year, reports came out that the website of International Civil Aviation Organization (ICAO) was used as an intermediary target for a watering hole attack where the intended final targets were ICAO members. Montreal, Canada-based ICAO is a specialized agency of the United Nations that codifies the principles and techniques of international air navigation.
In November 2018, researchers at ESETreported that 21 distinct websites in Vietnam and Cambodia, including Ministry of Defense of Cambodia, the Ministry of Foreign Affairs and International Cooperation of Cambodia and several Vietnamese newspaper websites, were used as intermediary targets in watering hole attacks.
According to the researchers, the modus operandi is similar on all compromised websites in which the attackers add a small piece of malicious code on the compromised websites. While not applicable in all cases, the researchers reported that the code injected into the compromised websites checks for the visitor’s location, and only visitors from Vietnam and Cambodia actually receive the malware. The researchers added that the server controlled by the attackers can send additional payload – referring to the malware that performs the actual malicious actions.
Researchers at ESET said they weren’t able to identify examples of payloads sent by the attackers as these payloads were only delivered to specific targets and it wasn’t possible to get them using a test machine. In November 2017, researchers at Volexityfound a similar set of compromised websites of individuals and organizations tied to the government, the media, human rights and civil society groups. The researchers, in these cases, found that the payloads downloaded unto the site visitor’s computer include a pop-up asking to approve OAuth access to the victim’s Google account. This tactic allows attackers to get access to the victim’s contacts and emails.
The recent watering hole attacks are reminiscent of the cyber-espionage campaign called “Epic Turla”. In August 2014, Kaspersky observed 100 compromised websites for watering hole attacks.
Once a computer is infected with the Epic malware, Kaspersky reported that the malware immediately connects to the command-and-control (C&C) server to deliver pre-configured series of commands for execution and custom lateral movement tools such as a keylogger – a malicious program aimed at stealing data by recording every keystroke made by a computer user.
Prevention and Mitigating Measures
Here are some cyber security measures in order to prevent or mitigate the effects of watering hole attacks:
How to Find Out If Your Organization’s Resources Are Illicitly Used for Crypto Mining
Ukraine’s National Nuclear Energy Generating Company, also known as Energoatom, a state enterprise operating all four nuclear power plants in Ukraine disclosed that a recent search carried out inside one of Ukraine’s nuclear power plants revealed that a power plant employee had installed his own computer equipment inside the plant for cryptocurrency mining. This incident shows the danger of employees stealing their employers’ resources for cryptocurrency mining.
What Is Cryptocurrency Mining?
Cryptocurrency mining, also known as crypto mining, is the process of validating transactions and for these transactions to be added to the list of all transactions known as the blockchain. Anyone with a computer and an internet connection can become a cryptocurrency miner.
Some cryptocurrencies can be mined using small and low processing power computers such as Raspberry Pi. Other cryptocurrencies such as Bitcoin can only be mined using specialized computers with high computing power. In exchange for the computing power and electricity used for mining, miners get rewarded with cryptocurrency.
As cryptocurrency mining is power-hungry, especially the top cryptocurrencies like Bitcoin, high electricity bill is one of the obstacles why many don’t venture into this field. To remedy this high electricity bill hurdle, malicious actors illicitly steal power from their employers and even from strangers. Aside from stealing electricity, malicious actors also steal from employers or strangers computing power of computers that can process a significant amount of data faster than ordinary computers.
The illicit stealing of electricity at one of Ukraine’s nuclear power plantsisn’t the first time that an employee has been caught stealing an employer’s resources for cryptocurrency mining. In February 2018, nuclear weapons engineers at the All-Russian Research Institute of Experimental Physics were arrested for mining cryptocurrencies at the workplace.
Unlike the cryptocurrency mining at one of Ukraine’s nuclear power plants which only stole the plant’s electricity as the accused installed his own computer equipment, the crypto mining incident at the All-Russian Research Institute of Experimental Physics used not only the facility’s electricity but the office computer as well. Tatyana Zalesskaya, head of the research institute’s press service confirmed to Interfaxthat there had been an unauthorized attempt to the institute’s “computing power for personal purposes, including for the so-called mining”.
Employees aren’t the only one interested in your organization’s computer power for crypto mining, unknown external attackers are also after your organization’s computer power. Attackers steal computing power in the process called “cryptojacking”.
In cryptojacking, malicious actors, which could be either be insiders or outsiders, in order to earn cryptocurrency, install a crypto mining software into vulnerable systems, including websites, operating systems or public cloud accounts.
In February 2018, researchers at RedLockreported that Tesla was once a victim of cryptojacking. “The hackers had infiltrated Tesla’s Kubernetes console which was not password protected,” researchers at RedLock said. “Within one Kubernetes pod, access credentials were exposed to Tesla’s AWS environment which contained an Amazon S3 (Amazon Simple Storage Service) bucket that had sensitive data such as telemetry. In addition to the data exposure, hackers were performing crypto mining from within one of Tesla’s Kubernetes pods.”
In May this year, researchers at Guardicore Labsreported that over 50,000 servers belonging to companies in the healthcare, telecommunications, media and IT sectors were compromised for crypto mining.
Illicit crypto mining isn’t only a threat to large organizations or businesses. This type of attack also threatens small and medium-sized organizations. In late 2018, a school principal in China was fired after stealing the school’s electricity to mine cryptocurrency. The South China Morning Postreported that the fired school principal deployed inside the school 8 computers used for mining the cryptocurrency Ethereum for about a year, racking up an electricity bill of 14,700 yuan, equivalent to US$2,120.
Ways to Monitor Crypto Mining and Preventive Measures
Here are some security measures in order to monitor crypto mining activities within your organization’s premises and also ways to prevent this threat to occur in your organization:
An unusual increase of electric bill is a sign that computers operating within your organization’s premises are being used for cryptocurrency mining.
Somewhere lurking in your organization’s premises could be computers used for cryptocurrency mining and racking up your organization’s electricity bill.
If your organization’s computers are functioning a bit slower than usual, this could be a sign that your organization’s computers are being used for illicit cryptocurrency mining.
Malicious actors in recent months have learned how to be stealthy in their crytojacking activities, such as mining only cryptocurrencies that use less computer power and electricity to deflect suspicion. For instance, the crytojacking incident which compromised 50,000 servers reported by Guardicore Labs in May this year, mined a relatively new cryptocurrency called “Turtlecoin”, a cryptocurrency that can be mined even in small and low processing computers such as Raspberry Pi.
Monitoring network traffic is one of the ways in discovering this type of stealth crytojacking activities. Access to your organization's network from unknown locations and during non-working hours are telltale signs of a network compromise and possible illicit cryptocurrency mining.
Lastly, practice basic cyber hygiene such as keeping your organization’s operating systems up-to-date and using multi-factor authentication as gate-keepers to these computers and servers. In many cases, computers and servers are compromised for illicit cryptocurrency mining by the mere failure of applying the latest security update and the used of weak login details and lack of multi-factor authentication.
When you need help, contact our teamof experts to mitigate the cybersecurity risks for your organization.
Threat Actors Continue to Target Websites
The European Central Bank (ECB) shut down one of its websites following the discovery that malicious actors accessed the site without authority and infected it with malicious software (malware). This incident shows that threat actors continue to target websites.
ECB, in a statement, said that unauthorized parties had breached the Bank’s Integrated Reporting Dictionary (BIRD) website, a site purposely built to provide the banking industry with details on how to produce statistical and supervisory reports. The Bank said that contact data, including email addresses, names and position titles of 481 subscribers to the BIRD newsletter may have been stolen by the attackers.
ECB, in a statement, said that the attack on BIRD website was discovered as a result of a “regular maintenance work”. An ECB spokesman told Reutersthat the earliest evidence found of the website attack dated back to December 2018, which means that the attack had gone unnoticed for months before being discovered during maintenance work.
This isn’t the first time that ECB reported an attack on its IT infrastructure. In 2014, ECBdisclosed that an unknown attacker or attackers had breached another of the Bank’s website used for registrations for events of the Bank such as conferences and visits.
The 2014 website attack, the Bank said, led to the theft of email addresses and other contact data left by individuals registering for events at the ECB. This 2014 attack in one of the Bank’s website was only known after an anonymous email was sent to the Bank asking for financial compensation in exchange for the data stolen.
In the latest attack on one of its websites, ECB said the attackers “succeeded in injecting malware onto the external server to aid phishing activities”. In the 2014 attack, ECB said the malicious actor or actors attacked a “database serving its public website”. Beyond those phrases, not much is known in the “injection” and “database” attacks.
The Open Web Application Security Project (OWASP)lists injection attacks as the number one threat to web security. Injection attacks refer to a broad attack paths that allow attackers to gain access to the database records of vulnerable websites. In certain cases, this type of attack allows attackers to gain administrative rights to a database.
One example of an injection attack is the SQL injection, also known as SQLI, attack. SQL, which stands for Structured Query Language, is a programming language understood by databases. By inserting malicious commands from this programming language into input fields on websites such as input forms, attackers can gain access to the database records of vulnerable websites, resulting in the unauthorized access of any data available in the database.
In late 2007 and early 2008, thousands of websites were defaced as a result of SQL injection attacks. According to researchers at Microsoft, These particular SQL injection attacks didn’t exploit vulnerabilities in Windows, IIS, SQL Server, or other infrastructure code; rather, it exploited vulnerabilities in custom web applications running on this infrastructure. Thousands of websites were affected due to 2 factors: first, there was an automated tool to launch this attack, and second, this SQL attack tool spread through the use of a botnet.
SANSreported that thousands of websites were compromised in late 2007 and early 2008 as the attacker or attackers used an automated tool in search engines to find vulnerable web applications and exploiting them. “The exploit just consisted of an SQL statement that tried to inject a script tag into every HTML page on the web site,” SANS reported. SecureWorks, meanwhile, reported that the automated SQL attack tool, spread to thousands of websites as the attackers relied on a botnet – a group of computers or devices infected by the same malware and controlled by an attacker for malicious purposes such as in this case the spread of SQL attack tool.
Other than using SQL injection to attack indiscriminate websites using an automated tool and a botnet, SQL injection has also been used by attackers in targeted attacks. According to the U.S. Federal Bureau of Investigation (FBI), a malicious group obtained confidential information from Sony Pictures’ computer systems on May 27, 2011 to June 2, 2011 using an SQL injection attack against Sony Pictures’ website.
According to the UK's Information Commissioner's Office, SQL injection was also used in the TalkTalk cyber attack on the company’s website. As a result of the SQL injection attack on TalkTalk’s website, personal details of 156,959 customers, including their names, addresses, dates of birth, phone numbers and email addresses were stolen. The attacker also stole the bank account number and sort code of 15,656 TalkTalk’s customers.
As shown in above-mentioned examples, injection attacks on websites are highly detrimental to the affected organizations. Loss of customer trust is one potential cost of an SQL injection attack should personally identifiable information such as full names, addresses and credit card details be stolen.
One of the cyber security measures, in order to prevent injection attacks such as SQL injection attacks, is through the use of a web application firewall (WAF). A WAF is often used to filter out injection attacks such as SQL injection attacks. In filtering out SQL injection attacks, a WAF uses a list that contains signatures to address specific attack vectors. This WAF is regularly updated to provide new filtering rules for newly discovered security vulnerabilities.
At The Driz Group, we specialize in protecting your websites and web applications with instant attack mitigation and a guaranteed DDoS protection. We support all deployment types including Cloud and on-premise. Setup take several minutes and there is nothing to buy, support, or maintain.
Connect with ustoday for a free consultation and protect your websites, web applications, online reputation and mission critical data.
How to Prevent Account Takeover Attacks
Account takeover attacks – accessing someone else’s online account for malicious purposes – continue to be one of the fastest-growing security threats faced by organizations today.
Account takeover happens as a result of inadvertently exposing account login details or through malicious account takeover via botnets. The account takeover of an account owned by SSL certificate issuer Comodo is an example of account takeover as a result of inadvertently exposing account login details.
Netherlands-based security researcher Jelle Ursem told TechCrunchthat Comodo’s email address and password were inadvertently left exposed in a public GitHub repository owned by a Comodo software developer. This enabled Ursem to login to Comodo’s Microsoft-hosted cloud services containing sensitive information of the company. The said account wasn’t protected with two-factor authentication. Ursem said he contacted Comodo about the exposed account.
When contacted by TechCrunch, Comodo said, “The data accessed was not manipulated in any way and within hours of being notified by the researcher, the account was locked down.” Ursem, however, told TechCrunch, “This account has already been hacked by somebody else, who has been sending out spam.”
Account Takeover Botnets
While many malicious actors are opportunistic, that is, while many abused inadvertently exposed account login details, many just don’t wait for these opportunities to come. Many of today’s malicious actors are aggressively taking over accounts through botnets.
In the Sixth Annual Fraud Attack Index, Forter found that there had been a 45% increase in account takeover attacks by the end of 2018 compared to the beginning of 2017. One of the means by which malicious actors perpetuated account takeover attacks is thorough bots, Forter found.
“Fraudsters often try to hide their activities behind these devices [bots], flying under the radar of detection for most legacy fraud prevention systems, which are simply not equipped with sophisticated enough technology to pick up on the nuances of these behavioural indicators and the personas hiding behind them,” Forter said.
Botnet, also known as bot, refers to a group of computers infected with malicious software (malware) that allows an attacker to control this group of infected computers as one army for malicious activities. Many of these botnets have been used by attackers as an army for distributed denial-of-service (DDoS) attacks and illicit cryptocurrency mining. Malicious actors are increasingly using these botnets for account takeover attacks.
An account takeover botnet works by installing a credential cracking malware on compromised computers. These infected computers are then controlled by an attacker or attackers to login into an account of banking site, social network or email. Once the correct username and password combination is cracked, the account taken over is then used by attackers to steal money (in case of a banking site), steal confidential information such as credit card information, or purchase goods and services.
Between April 7th to April 22nd this year, Impervaobserved the account takeover attacks carried out by a botnet, composed of an enslaved army of 2,500 infected computers – with a corresponding 2,500 IPs overall – that attacked more than 300 sites while active. Each day during the attack period, 800 IPs were actively attacking 30 sites with 150,000 login attempts, Imperva found.
From the victim site perspective, each site was attacked for 7 hours by 500 IPs sending 7,000 login attempts with 7,000 different login details (usernames and passwords); and from a single site perspective, each botnet-controlled IP was responsible for approximately 14 login attempts during the attack time, or approximately 2 login attempts per hour, Imperva found.
The above-mentioned method of attack is called a “low and slow” attack – whereby the botnet enslaves a lot of computers, each sending only a small number of requests, to cover-up the attack as legitimate traffic. Distributing the account takeover attacks across many infected computers or IP addresses makes these attacks go without being detected.
The usernames and passwords used in the login attempts for account takeover attacks often come from credential cracking and credential stuffing. In credential cracking, every word in the dictionary is tried to crack the correct username and password combination. In credential stuffing, the attackers exploit users’ tendency to reuse passwords across multiple sites.
Credential stuffing was cited by StubHubas the reason why a “small number” of users’ accounts had been illegally taken over by fraudsters. In the StubHub case, attackers illegally took over 1,000 StubHub users’ accounts and used these compromised accounts to buy thousands of high-value tickets, including tickets to Justin Timberlake and Elton John concerts, Yankees baseball games, U.S. Open tennis matches and Broadway shows. The account takeover attackers then resold these tickets for a profit of more than a million dollars.
Traditional security solutions have proven to be ineffective in “low and slow” account takeover attacks using botnets. By using account takeover botnets, malicious actors spread the attack via thousands of compromised computers or IPs, making them go undetected for a long period of time.
Choosing a strong username and password combination via eliminating the use of dictionary words, using a unique username and password combination for every account and the use of multi-factor authentication are some of the best cyber security practices in preventing account takeover attacks.
Malicious actors, however, are always finding creative ways to crack those unique and strong usernames and passwords and even multi-factor authentication. An automated security solution that monitors abnormal access to these accounts is one of the mitigating measures against account takeover attacks.
When you need help minimizing cybersecurity risks, our team of experts will answer the questions you have and will help you protect your data. Contact ustoday.
Why Organizations Need To Secure Microsoft Office Settings
The latest discovery of a flaw in Microsoft Excel by researchers at Mimecast shows the importance of securing your organization’s Microsoft Office settings.
Researchers at recently released a proof of concept demonstrating that a flaw in Microsoft Excel could allow a malicious actor to access someone else's computer and launch a cyber-attack, no matter where this computer is located. Mimecast researchers said that Power Query, a feature in Excel that lets users integrate their spreadsheets with other data sources, such as an external database or a web page, could allow attackers to “embed malicious content in a separate data source, and then load the content into the spreadsheet when it is opened”. Mimecast researchers added, “The malicious code could be used to drop and execute malware that can compromise the user’s machine.”
According to Mimecast researchers, Power Query is a powerful tool within Microsoft Excel that if exploited, can be used to launch . In a DDE attack, a malicious actor exploits DDE – a protocol in Windows which was first introduced in 1987 and currently used by thousands of applications such as Microsoft Excel.
The researchers added that attacks that exploit Power Query are hard to detect by anti-virus or anti-malware security solutions. “Using the potential weakness in Power Query, attackers could potentially embed any malicious payload that as designed won’t be saved inside the document itself but downloaded from the web when the document is opened,” the researchers said.
Dynamic Data Exchange (DDE) Attacks
Researchers have known about DDE vulnerabilitysince 2014, finding that “by specifying some creative arguments and a magic number, it’s possible to craft a ‘link’ that hijacks the computer of whoever opens the document”.
In May 2016, researchers at SensePostdemonstrated that DDE attack can be done in Microsoft Excel. In October 2017, researchers at SensePost demonstrated that DDE attack can be done in Microsoft Word.
In November 2017, reported that the threat Group known as “APT28” slipped a malware into a malicious Word document with a subject heading that cites of a then-recent terrorist attack in New York City. McAfee said this Word document leveraged the Microsoft Office Dynamic Data Exchange (DDE) attack technique.
According to McAfee, the malicious Word document itself is blank and once the document is opened, the document contacts a control server that drops the malware called “Seduploader” onto a victim’s computer. Seduploader is a first-stage malware deployed for the purpose of conducting reconnaissance on a network before dropping a second-stage malware.
To successfully launch a DDE attack, McAfee said, an attacker only needs to convince a user to click through a few dialogs, which would evade the latest macro-based document mitigations. “DDE can be used to launch scripts and executables from the command line by inserting the DDE field in the Office document,” McAfee said.
In an email attack scenario, Microsoft, for its part, said that an attacker could exploit the DDE protocol by sending a specially crafted attached file to the user and then convincing the user to open the attached file. “The attacker would have to convince the user to disable Protected Mode and click through one or more additional prompts,” Microsoft said.
How to Mitigate Microsoft Office Settings Risk
Microsoft, in a statement to Threatpost, said that the proof of concept of the Mimecast researchers was reviewed but in order for the concept to work, a victim “would need to be socially engineered to bypass multiple security prompts prior to loading external data or executing a command from a DDE formula”. Because of this finding, Microsoft didn’t release a patch for this security vulnerability.
Microsoft issued the following mitigating measures in order to protect your organization from DDE attacks:
1. Keep Your Microsoft Office Up-to-Date
The December 12, 2017 security updatein Microsoft’s Office disables the Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word.
2. Disable DDE Protocol in Microsoft Excel
Microsoft, however, hasn’t disabled DDE in Microsoft Excel. In the security advisory "Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields", Microsoft noted that Excel, in particular, depends on the DDE feature to launch documents. "Disabling this feature could prevent Excel spreadsheets from updating dynamically if disabled in the registry,” Microsoft said. “Data might not be completely up-to-date because it is no longer being updated automatically via live feed. To update the worksheet, the user must start the feed manually. In addition, the user will not receive prompts to remind them to manually update the worksheet.”
As early as 2007, Raymond Chen, who has been involved in the evolution of Windowsfor decades, said that "there is no technological reason for you to use DDE”. Chen, however, said that even if there’s no technological reason for you to use DDE, “you still have to be mindful of whether your actions will interfere with other people who choose to”.
3. Exercise Caution When Opening Suspicious File Attachments
As email attachments are a primary method by DDE attackers to spread malware, Microsoft recommends that users exercise caution when opening suspicious file attachments.
NASA’s Jet Propulsion Laboratory (JPL) Hacked for 10 Months
The Office of Inspector General of the National Aeronautics and Space Administration (NASA) recently revealed that the Jet Propulsion Laboratory (JPL), the center of NASA’s interplanetary robotic research efforts, was hacked for 10 months.
According to NASA's Office of Inspector General, JPL, being the center of NASA’s interplanetary robotic research efforts, maintains wide public internet-facing IT systems that support missions and networks that control spacecraft, collect and process scientific data and perform critical operational functions. Despite efforts to protect these public internet-facing IT systems, NASA's Office of Inspector General said that critical vulnerabilities remained, resulting in a cyber-attack on JPL’s network which started in April 2018.
This April 2018 attack, NASA's Office of Inspector General said, remained undetected for 10 months resulting in the exfiltration of approximately 500 megabytes of data from 23 files, 2 of which contained “International Traffic in Arms Regulations information related to the Mars Science Laboratory mission”.
How JPL’s Network Was Hacked and Lessons Learned
The April 2018 attack on JPL’s network, NASA's Office of Inspector General found, started when an unauthorized Raspberry Pi connected to its network. Raspberry Pi is a credit card-sized computer that’s capable of doing everything a desktop computer can do, from browsing the internet to playing games. The audit report showed that the malicious Raspberry Pi found its way into JPL’s network through the following series of events:
1. Incomplete and Inaccurate System Component Inventory
The report of NASA's Office of Inspector General showed that the malicious Raspberry Pi found its way into JPL’s network as JPL had incomplete and inaccurate information about the types and location of NASA system components and assets connected to its network.
One of the cybersecurity best practices, in order to prevent authorized intrusions into a network, is by having a complete and accurate inventory of all devices connected to this network. This inventory is essential in effectively monitoring, reporting and responding to cybersecurity incidents. Benefits of proper inventory of assets on the network include vetting and clearing by security officials of assets prior to connecting to the network, timely patches and tracking of valuable assets and data stored on these assets.
2. Inadequate Segmentation of Network Environment Shared with External Partners
Due to the nature of JPL’s work, its partners, including foreign space agencies, contractors and educational institutions are allowed remote access to its network for specific missions and data. Network segmentation creates barriers that attackers can’t cross as these barriers eliminate connections to other systems.
According to NASA's Office of Inspector General, the April 2018 cyber-attack exploited the lack of segmentation of JPL’s network, enabling the attacker to move between various systems connected to the network. In May 2018, NASA's Office of Inspector General said, IT security officials at the Johnson Space Center (Johnson), which handles programs such as the Orion Multi-Purpose Crew Vehicle and International Space Station, decided to temporarily disconnect from the JPL’s network due to security concerns. “Johnson officials were concerned the cyber-attackers could move laterally from the gateway into their mission systems, potentially gaining access and initiating malicious signals to human space flight missions that use those systems,” NASA's Office of Inspector General said.
3. Untimely Patch Application
Patches, also known as security updates, fix known security vulnerabilities. Attackers often exploit known security vulnerabilities with available patches, believing that certain population delays the application of these patches for days, and some even for months or years.
According to NASA's Office of Inspector General, JPL didn’t apply the patch that fixes a known software vulnerability first identified in 2017, with a critical score of 10. A security vulnerability with a critical score of 10 means that this vulnerability is at the top of the vulnerability chain. This 2017 security vulnerability, the NASA's Office of Inspector General said, was only patched in March 2019 and during the April 2018 cyber-attack, one of the JPL’s four compromised systems hadn’t been patched for the said vulnerability in a timely manner, resulting in the exfiltration of 23 files containing approximately 500 megabytes of data.
4. Delayed Response to the Attack
After detection of a cyber-attack, the next logical steps are containment and eradication. Containment strategies include performing a system shutdown, disconnecting a system from the network and identifying all attack paths. Eradication strategies, meanwhile, include assessment and analysis of exploited vulnerabilities, removal of malware and affected files, and application of security patches. “Most of these steps [containment and eradication] require sophisticated forensic expertise and tools that when not available in-house should be in place through service agreements with specialized providers,” NASA's Office of Inspector General said.
Although JPL had disabled the account targeted by the adversary and closed off the known path of attack, NASA's Office of Inspector General said the NASA Security Operations Center requested an independent assessment from the Department of Homeland Security (DHS) United States Computer Emergency Readiness Team (US-CERT) to determine the extent of the attack and totally remove the adversary from JPL’s network. NASA's Office of Inspector General added that as JPL was unfamiliar with DHS’s standard engagement procedures, DHS was only able to perform scans of the entire JPL’s network 4 months after the cyber-attack was detected.
“Once DHS performed the scans, it determined there were no other attack paths and deemed the network clean; however, the delay in executing the eradication steps left NASA data and systems vulnerable to potential additional harm,” NASA's Office of Inspector General noted.
Your business may suffer the same fate if left unprotected. More importantly, to truly understand the state of your cyber defences, you must perform an IT security audit.
Call us todayand find out if your business is well protected.
Hong Kong Privacy Watchdog Orders Cathay to Overhaul IT Systems Over 2018 Data Breach
Hong Kong’s Privacy Commissioner for Personal Data Stephen Kai-yi Wong has ordered Cathay Pacific Airways Limited and Hong Kong Dragon Airlines Limited, collectively referred to as Cathay, to overhaul its IT systems containing personal data of its customers over the 2018 data breach which affected approximately 9.4 million passengers from different parts of the world.
On October 24, 2018, Cathay notified both the public and Hong Kong’s Privacy Commissioner for Personal Dataover the detected suspicious activity on its network on March 13, 2018. According to Cathay, approximately 9.4 million Cathay passengers, specifically those who availed the company’s frequent flyer programs Asia Miles and Marco Polo Club as well as registered users of Cathay from over 260 locations worldwide were affected by the cyber incident. The affected personal data of Cathay passengers include name, flight number and date, title, email address, membership number, address and phone number.
Customers of both Cathay Pacific Airways Limited and Hong Kong Dragon Airlines Limited, also known as Cathay Dragon, were affected as Cathay Pacific managed and provided information management services to Cathay Dragon. With this set-up, personal data of Cathay Dragon’s passengers reside on Cathay Pacific’s IT System.
The “Data Breach Incident Investigation Report” publicly released by Hong Kong’s Privacy Commissioner for Personal Data – with many of the data coming from the disclosure of Cathay itself – identified three cyber incidents on Cathay systems: keylogger attack in October 2014, exploitation of a known security vulnerability attack in August 2017 and brute force attack in March 2018.
The earliest evidence of keylogger malicious software (malware) activity on the company’s system was on October 15, 2014. In keylogging, every keystroke made on a computer, such as usernames and passwords, is captured and these captured data are automatically sent to the attackers for criminal exploitation. It wasn’t known how the unknown attacker or attackers initially intrude the company’s system that led to the dropping of the keylogger malware.
Valid user account login details stolen via the keylogger malware, according to the report, enabled the attackers to move further into the company’s network and dropped additional tools to steal domain credentials.
Exploitation of Known Vulnerability Attack
The earliest evidence of suspicious activity where it was found that the attackers exploited a known vulnerability on the company’s internet facing server was on August 10, 2017. The exploitation of this known vulnerability allowed the attackers to bypass authentication and gain administrative access to the company’s internet facing server.
Exploiting the known vulnerability also allowed the attackers to move laterally inside the company’s IT system and install malware and credential harvesting tools. It wasn’t disclosed what particular vulnerability on the company’s internet facing server was exploited. It was, however, revealed that this particular security vulnerability was publicly known as early as 2007.
Brute Force Attack
The earliest evidence of brute force attack on the company’s system was on March 13, 2018 which resulted in approximately 500 staff users being locked out of their user accounts. In a brute force attack, a cyber attacker attempts to crack the correct username and password using a trial and error approach. There are currently brute force attack tools available to attackers that automate the process of guessing the correct username and password using thousands of commonly used usernames and passwords.
Even as the keylogger attack which happened in October 2014, exploitation of a known security vulnerability attack in August 2017 and brute force attack in March 2018, Cathy only informed the public and Hong Kong’s Privacy Commissioner for Personal Data about the suspicious activity on its network on October 24, 2018. In Hong Kong, however, there’s no law that mandates organizations such as Cathay to notify within a prescribed period of time the Privacy Commissioner for Personal Data and the data subjects of a data breach.
“Cathay did not take all reasonably practicable steps to protect the Affected Passengers’ personal data against unauthorised access in terms of vulnerability management, adoption of effective technical security measures and data governance, contravening DPP 4(1) of Schedule 1 to the Ordinance [Hong Kong’s Personal Data Ordinance],” Wong said.
The Commissioner, in particular, found Cathay had not taken reasonably practicable steps not to expose the administrator console port of its internet facing server which opened the door for attackers. “Cathay should have applied effective multi-factor authentication to all remote access users for accessing its IT System involving personal data,” The Commissioner said.
Data Breach Prevention
Under Hong Kong’s Personal Data Ordinance, if after an investigation, the Privacy Commissioner for Personal Data finds that a data user is contravening or has contravened a requirement under the Ordinance, the Commissioner may serve on the data user an Enforcement Notice to prevent recurrence of the lapses. The Commissioner’s Enforcement Notice directed Cathay to engage an independent data security expert to “overhaul the systems containing personal data to the effect that these systems are free from known malware and known vulnerabilities”.
The Commissioner also directed Cathay to implement effective multi-factor authentication to all remote users for accessing the company’s IT System involving personal data and to conduct a regular review of remote access privileges.
In order to prevent Cathay-like data breach, it’s also important to keep all your organization’s software, especially server operating systems up-to-date, as attackers typically try to exploit known software security vulnerabilities.
Navigating the world of cybersecurity can be difficult for many businesses, including large enterprises.
Malicious Email Campaigns Geo-Targets Canadian Organizations, Report Says
Canadian organizations are increasingly becoming the targets of cyber-attackers as shown in the recent discovery of nearly 100 malicious email campaigns specifically targeting organizations based in Canada.
In the report "Beyond 'North America' - Threat actors target Canada specifically" researchers at Proofpoint reported that between the period of January 1, 2019 to May 1, 2019, threat actors conducted nearly 100 malicious email campaigns specifically targeting Canadian organizations or were customized for Canadian audiences.
Malicious Email Campaigns
Malicious email campaign, also known as phishing scam, is a type of cyber-attack that uses emails as a weapon. Phishing emails contain malicious attachments or malicious links.
Downloading this malicious attachment or clicking this malicious link could lead to compromise. Victims are tricked into opening the malicious email and downloading this malicious attachment or clicking this malicious link as threat actors use branding familiar to the recipients.
In the recent malicious email campaigns detected by Proofpoint researchers, the top affected organizations in Canada include financial services, energy/utilities, manufacturing, healthcare and technology. The researchers also observed that some of the malicious emails sent were customized for the French-speaking recipients in Canada.
In the nearly 100 malicious email campaigns specifically targeting Canadian organizations, Proofpoint researchers also observed that the threat actors tricked the victims into opening the malicious email or downloading the malicious attachment or clicking the malicious link by stealing the branding of several notable Canadian companies and agencies including national banks, major shipping and logistics organizations and government agencies.
“Emotet in particular, with its frequent region-specific email campaigns, is bringing new attention to geo-targeting in Canada …,” Proofpoint researchers said.
The first version of the malicious software (malware) Emotet, which was first observed in 2014 targeting German and Austrian victims, functioned as a banking trojan – a type of malware designed to steal financial data.
Since then, Emotet has evolved into a powerful malware, with its ability to continuously evolve and update its capabilities for various online criminal activities from information stealing to distributed denial-of-service (DDoS) attacks. In recent years, instead of delivering its own banking trojan, Emotet has delivered third-party banking trojans such as Qbot, The Trick, IcedID and Gootkit.
In 2018, the United States Computer Emergency Readiness Team (US-CERT)issued an alert, warning about the dangers of Emotet. "Emotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors,” US-CERT said. “Emotet infections have cost SLTT governments up to $1 million per incident to remediate.”
One of the reasons why Emotet continues to be among the most costly and destructive malware is its worm-like capability, that is, the ability to spread from computer to computer without any human action.
Emotet has been known to spread from computer to computer without any human interaction by accessing Server Message Block (SMB), an internet standard protocol that Windows uses to share files, printers and serial ports. “Emotet’s access to SMB can result in the infection of entire domains (servers and clients),” US-CERT said.
Emotet is also capable of spreading its own phishing email without human interaction through the use of Outlook scraper, a tool that’s used to scrape names and email addresses from the victim’s Outlook accounts and uses this names and email addresses to send out additional phishing emails from the compromised accounts.
According to Proofpoint researchers, the threat actor called “TA542” is the primary actor behind Emotet. Proofpoint researchers said that this threat actor is known to use the latest version of Emotet and develops malicious emails specific to given regions in the world.
"TA542 typically distributes high volume email campaigns consisting of hundreds of thousands or even millions of messages targeting all industries,” Proofpoint researchers said. “TA542 is currently one of the most prolific actors in the entire threat landscape. With TA542’s international reach and high volume campaign strategy, we expect Emotet use to continue to grow in the upcoming quarters.”
Even as Emotet has evolved in terms of capabilities, one thing remains constant with this malware: delivery is always via malicious email. As the delivery is always via malicious email, it’s important to protect your organization’s email system from this threat through the following mitigating measures:
Here are additional cyber-security measures in order to block or mitigate the effects of Emotet:
Timely identification and mitigation of IT risks can save your business from suffering costly consequences. Call us todayand we will show you how to better protectyour staff and your sensitive information against targeted attacks.
How to Protect Your Organization’s Computers from WannaCry-Like Cyber-Attack
Microsoft recently took an unusual step of rolling out a patch for Windows operating systems that are out of support in an effort to stop a WannaCry-like cyber-attack.
This is the second time in just over 2 years that the technology giant rolled out a patch for Windows operating systems that are out of support. The previous unprecedented patch was rolled out at the height of the WannaCry cyber-attack on May 12, 2017.
According to Microsoft, the latest patch, which was released on May 14, 2019, fixes the security vulnerability in out-of-support versions of Windows, specifically Windows 2003 and Windows XP; as well as versions of Windows that still receive support from Microsoft, specifically Windows 7, Windows Server 2008 R2 and Windows Server 2008.
Failure to apply the May 14, 2019 patch renders the above-mentioned out-of-support and in-support versions of Windows vulnerable to WannaCry-like cyber-attack, this according to Simon Pope, Director of Incident Response at Microsoft Security Response Center (MSRC).
What Is WannaCry?
WannaCry is a malicious software (malware) that wreaked havoc in more than 300,000 computers in over 150 countries in less than 24 hours on May 12, 2017. Once a computer becomes infected with WannaCry, this malware encrypts files on the computer's hard drive, making it impossible for legitimate users to access them, and demands a ransom payment in exchange of the decryption keys that supposedly would unlock the encrypted files.
After infecting one computer, the WannaCry malware spreads itself through the network, infecting other vulnerable devices, without the need for further action from the users. Attempts on the part of the WannaCry victims to unlock the encrypted files by paying the ransom was a useless endeavour as the source code of this malware was written in such a way that it isn’t possible to determine who paid the ransom and who didn’t, as such, there’s no way to decrypt on a per-user basis.
Two months, specifically on March 14, 2017, prior to the WannaCry cyber-attack, Microsoft released a patch that fixes the security vulnerability exploited by WannaCry. The patch, however, wasn’t made available to Windows operating systems that were out of support, specifically Windows XP, Windows 8 and Windows Server 2003. At the height of the WannaCry cyber-attack on May 12, 2017, Microsoft took an unusual step of rolling out a patch for these 3 out-of-support versions of Windows.
The WannaCry malware was able to infect hundreds of thousands of computers in less than 24 hours as a result of these two features: remote code execution and worm capabilities.
Remote code execution is the ability of a malicious actor to access someone else's computer and make malicious changes to this computer regardless of the geographical location of this device. Worm capability, meanwhile, refers to the capability of a malware to spread itself through the network, infecting other vulnerable devices, without user interaction.
The May 14, 2019 patch released by Microsoft fixes the security vulnerability labelled CVE-2019-0708. Similar the WannaCry malware, security vulnerability CVE-2019-0708 exhibits remote code execution and worm capabilities.
Pope, Director of Incident Response at Microsoft Security Response Center (MSRC), said in a blog post, that while there’s no evidence that this security vulnerability has been exploited in the wild, it’s highly likely that malicious actors will write an exploit for this vulnerability and include it into their malware.
The security vulnerability, Pope said, is “wormable”, which means that “any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017.”
WannaCry, in particular, infects vulnerable Windows operating systems via Server Message Block 1.0 (SMBv1) server – a protocol that enables Windows systems to share files, printers and serial ports. In vulnerability CVE-2019-0708, remote code execution and worm capabilities are made possible via Remote Desktop Protocol (RDP) – a proprietary protocol developed by Microsoft which allows users to access another computer over a network connection. “The Remote Desktop Protocol (RDP) itself is not vulnerable,” Pope said. “This vulnerability is pre-authentication ….”
Many malware in the past were able to bypass anti-malware and other security defences via RDP. Malicious actors gain access to compromised devices by stealing or brute forcing RDP credentials.
In early 2019, authorities shut down xDedic Marketplace, a website involved in the illicit sale of RDP credentials. According to authorities, RDP login details of tens of thousands of compromised servers owned by unknowing companies and private individuals were sold on the xDedic platform for amounts ranging from $6 to more than $10,000 each.
The top preventive measure in order to protect your organization’s computers from WannaCry and WannaCry-like cyber-attack is by keeping all software and, in particular, operating system software up-to-date.
It’s worthy to note that even though it has been a long time since the major WannaCry attack, organizations continue to be victimized by this malware. Months after the major WannaCry attack, US aircraft maker Boeingfell victim to WannaCry. In March 2018, Mike VanderWel, chief engineer at Boeing Commercial Airplane production engineering, sent out an alert to his colleagues that the WannaCry malware was “metastasizing rapidly” out of Boeing’s North Charleston production plant and could potentially “spread to airplane software”. Linda Mills, head of communications for Boeing Commercial Airplanes, in a statement said, “The vulnerability was limited to a few machines.”
As an added protection to your organization’s computers, it’s best to disable Windows protocols that are often exploited by malicious actors. Specific to WannaCry malware, disable SMB protocol and for the security vulnerability CVE-2019-0708, disable RDP.
Connect with our cyber security expertstoday to learn more about common threats and prevent cyberattacks.
Retargeted Attacks Continue to Rise
Once a target, always a target. This seems to be the case in the City of Baltimore in Maryland as the City recently suffered another cyber-attack – the second attack in just over a year.
Last May 7, Baltimore Mayor Bernard Jack Young announcedthat the City’s network was infected with a ransomware. As a precaution, he said the City shut down the majority of its servers. While the City’s essential services such as police and fire departments are operational, the ransomware infection and the resulting shutting down of the majority of the servers resulted in network outage, email outage and phone outage with nearly every other department of the City affected.
Just over a year ago, in March 2018, the City of Baltimore suffered another cyber-attack. The 2018 attack was, however, limited to Baltimore's computer network that supports emergency calls. The attack forced the staff to resort to manual operations to handle calls.
Baltimore Chief Information Officer and Chief Digital Officer Frank Johnson told Ars Technicathat the 2018 cyber-attack which brought down Baltimore's computer-aided dispatch (CAD) system was caused by a ransomware. It wasn’t revealed what was the exact type of ransomware that hit Baltimore’s CAD system.
The point of entry of the ransomware was, however, partially identified. According to Johnson, the Baltimore City Information Technology office determined that "the vulnerability was the result of an internal change to the firewall by a technician who was troubleshooting an unrelated communication issue within the CAD System”.
In a press conference, Baltimore Chief Information Officer and Chief Digital Officer Johnson said that the recent cyber attack on Baltimore’s system was caused by the “very aggressive RobinHood ransomware".
Ransomware is a type of malicious software (malware) that locks out computer users by encrypting computer systems or files and demands from victims ransom payment in exchange for the decryption keys that would unlock the encrypted computer systems or files.
RobinHood ransomware is a fairly new malware. In early April last month, the RobinHood ransomware similarly infected the network of the City of Greenville, South Carolina, which prompted the City to shut down the majority of its servers.
In late April last month, security researcher Vitali Kremez reverse engineered a sample of the RobinHood ransomware. Kremez told BleepingComputerthat on execution, this malware stops 181 Windows services associated with antivirus and other software that could keep files open and prevent their encryption. This ransomware also doesn’t spread within the network, which means that every infected computer is individually targeted.
Kremez, meanwhile, told Ars Technica that the RobinHood ransomware attacker or attackers need administrative-level access to a system on the network “due to the way the ransomware interacts with C:\Windows\Temp directory”. It’s still unknown how the RobinHood ransomware gains access to a network and the computers connected toit.
The Robinhood ransomware drops its ransom note on the desktop, informing victims that 3 bitcoins must be paid to get the decryption key of one computer or alternatively send 13 bitcoins for the decryption keys of an entire infected system. The ransom note also states that the cost of payment increases “$10,000 each day after the fourth day.” The value of 1 bitcoin as of May 11, 2019 4PM GMT+7 is $6,312.
Prevalence of Retargeted Cyber Attacks
A study conducted by FireEye Mandiantfound that organizations that have been breached before are much more likely to be targeted again. In 2017, FireEye Mandiant reported that 56% of victims of at least one significant cyber-attack were targeted again by the same or similarly motivated attack group. In 2018, this number has continued to climb, increasing to 64%, FireEye Mandiant reported.
The top 5 retargeted industries in 2018 were finance (18%), education (13%), health (11%), pharmaceutical (9%), retail and hospitality (7%), and telecommunications (7%).
The FireEye Mandiant report further found that in 2018 organizations in the Asia-Pacific (APAC) region were far more likely to succumb to retargeted attacks, with 78% of APAC organizations fell victim to another attack. The said report also found that for the same period, 63% of organizations in the Americas fell victim to another attack. The report also found that for the same period, 57% of the organizations in Europe, Middle East, and Africa (EMEA) fell victim to another attack.
"This data further substantiates the fact that if you’ve been breached, you are much more likely to be targeted again and possibly suffer another breach," FireEye Mandiant said.
How to Prevent Retargeted Attacks
Configuring ordinary workstations not to install software and establishing a separate device or devices exclusively for administrative tasks (for installing and removing software and changing configuration settings) are two preventive measures in reducing the odds of malicious actors gaining access into your organization’s network.
Configuring ordinary workstations not to install software is a proactive means of preventing accidental installation of malicious software by unwittingly downloading malicious attachments or clicking on malicious links contained inside malicious emails.
Devices exclusively used for administrative tasks, meanwhile, should be secured through the following:
When you need help preventing cyberattacks and protecting your network and computers against ransomware, connect with our teamand get right advise at the right time.
Steve E. Driz, I.S.P., ITCP