Cybersecurity Blog
Thought leadership. Threat analysis. Cybersecurity news and alerts.
DDoS Attacks: Protecting Your Business from Critical Disruption

In March 2018, the developer platform GitHub was struck by the most powerful DDoS (distributed denial-of-service) attack recorded up to that point. How big? 1.35 terabits of traffic per second was hitting GitHub, generated by abusing misconfigured memcached servers on the internet as traffic amplifiers. Still, GitHub was not without its defenses. Within 10 minutes of the attack starting, GitHub's DDoS mitigation provider stepped in: all inbound and outbound traffic was rerouted through the provider's scrubbing centers, which dropped the malicious packets and passed legitimate traffic on. Such decisive action paid off. The attack ended eight minutes after the service took over, and GitHub was back to normal after roughly five minutes of downtime. It was not GitHub's first time as a target: an attack in 2015 had lasted for six days. Without such a fast, effective response, the 2018 outcome might have been much worse.

A DDoS attack is a deliberate attempt to disrupt the normal operation of a server, service or network by bombarding it with more traffic than it can handle. The traffic is generated by a large number of compromised computers and devices (a botnet), or by abusing third-party services as amplifiers, so that the target is overwhelmed and genuine users are crowded out.

A company or organization's website can be severely affected by a DDoS attack, potentially costing it a great deal in lost business. The average cost of a DDoS attack to businesses rose to more than $2.5 million in 2017. Research highlights just how common DDoS disruptions are: a staggering 849 of 1,010 enterprises surveyed had been hit by a DDoS attack, and the disruption was estimated to cost target businesses as much as $100,000 per hour. These figures make for disturbing reading, especially for smaller companies on a much tighter budget than their larger competitors. Still, even for global corporations the risk is troubling: after all, they may have more to lose. Effective cybersecurity and preparation have never been more vital.
Every cent available must be channeled into reinforcing your business against potential threats. Still, this is easier said than done: cybercrime and security can be daunting. To help you understand how best to defend yourself against DDoS attacks, we have explored some of the most effective options below.

Get to know the symptoms

Recognizing the signs of a DDoS attack early can make a significant difference to how you handle it. There is rarely any real warning: while some attackers issue threats or extortion demands beforehand, in most cases the first notice is the assault itself. Since you probably do not browse your own website much from day to day, it may not be until customers start complaining about its performance that the warning bells sound. Certain other clues will tip you off, though:
The earlier you are able to spot the warning signs, the sooner you can start to act.

Have a plan

Every business should have a plan in place for a potential DDoS attack. Once you confirm that your systems have been targeted, you can turn to the plan and follow it. Being prepared reduces the likelihood of panic, or of mistakes that make the disruption worse. Make sure key people in every department are alerted and understand how best to handle the situation at their end: if everyone works together on damage limitation, you are more likely to come through the attack with minimal impact. Companies with no preparation for such a situation can waste valuable time just trying to make sense of it.

Know how to prioritize

You will have only limited capacity during a DDoS attack. Focus on keeping the highest-value services and applications running, to preserve as much normal function as possible. Again, this comes down to planning: you should know in advance which services can be shed under load and which must be protected first.

Pay attention to your network security

Regular security audits of your network are an effective way to keep your systems protected. Take a close look at password strength (particularly for the most exposed systems), review which employees have access to key data, and run comprehensive checks on your software. Do you have the most up-to-date versions? Have any known security risks come to light in an application you are using? A network security audit will not, by itself, absorb a volumetric flood; that takes upstream capacity or a scrubbing service. It does, however, remove the application-layer weak spots that let a small attack do outsized damage, and it keeps your own machines from being conscripted into someone else's botnet. Incorporate audits into ongoing workplace routines so that they become a habit and are never overlooked. Letting your systems go without proper audits and preparation leaves them vulnerable to attack.
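Coming back to the symptoms: most warning signs of a volumetric attack show up in the web server's own access log well before customers complain. The following is an added example, not code from the original post, of turning that into an automatic check. It parses a handful of constructed Apache-style log lines and flags any 10-second window whose request count jumps well above the preceding baseline while the number of distinct client addresses is also high, which is what separates a distributed flood from a single misbehaving client. The log format, thresholds and addresses are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" access-log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return {'ip', 'ts', 'status'} for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return {"ip": m.group("ip"), "ts": ts, "status": int(m.group("status"))}


def window_start(ts, window_s):
    """Epoch second at which the fixed-size window containing ts begins."""
    epoch = int(ts.timestamp())
    return epoch - epoch % window_s


def detect_flood(lines, window_s=10, baseline_windows=3, factor=5.0, min_ips=50):
    """
    Flag windows whose request count exceeds `factor` times the mean of the
    preceding `baseline_windows` AND that contain at least `min_ips` distinct
    client addresses. The second condition separates a distributed flood from
    one misbehaving client, which is an abuse problem rather than a DDoS.
    """
    per_window = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            per_window[window_start(rec["ts"], window_s)].append(rec)

    flagged, history = [], []
    for start in sorted(per_window):
        recs = per_window[start]
        count = len(recs)
        distinct = len({r["ip"] for r in recs})
        if len(history) >= baseline_windows:
            base = sum(history[-baseline_windows:]) / baseline_windows
            if count > factor * max(base, 1.0) and distinct >= min_ips:
                flagged.append({"window_start": start, "requests": count,
                                "distinct_ips": distinct, "baseline": base})
        history.append(count)
    return flagged


def sample_log():
    """Constructed traffic: 30 s of two office clients, then a 10 s burst from 100 sources."""
    def fmt(ip, second, path="/", status=200):
        return (f'{ip} - - [02/Mar/2018:17:28:{second:02d} +0000] '
                f'"GET {path} HTTP/1.1" {status} 512')

    lines = []
    for sec in range(30):                       # baseline: 2 requests per second
        lines.append(fmt("203.0.113.10", sec))
        lines.append(fmt("203.0.113.11", sec, "/about"))
    for i in range(300):                        # burst: 300 requests, 100 distinct sources
        lines.append(fmt(f"198.51.100.{i % 100}", 30 + i % 10, "/", 503))
    return lines
```

In production the same logic runs against a live log tail or a SIEM query, and the thresholds must be tuned to your own traffic. One caveat: a spoofed UDP flood that saturates the link never reaches the web server's access log at all, so this check belongs alongside upstream bandwidth monitoring, not in place of it.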
Being complacent and assuming your business will escape the attention of cybercriminals is never a smart move.

Turn to the professionals

Your system security is paramount to keeping your business up and running. Not only does your entire flow of service depend on effective protection, so does your customers' experience. Lengthy downtime can leave buyers with little choice but to look elsewhere if you cannot meet their needs, and it may make them wonder how safe their personal and financial data are with your company. Hiring a professional cybersecurity firm to defend your systems against DDoS attacks can help take the strain, leaving you free to focus on other areas of running your business while the experts handle the heavy lifting.

Are you concerned about your company's vulnerability to DDoS attacks? What steps have you taken to safeguard your systems? Share your thoughts and ideas below, and contact us today to protect your organization.

What is Remote Code Execution Attack & How to Prevent this Type of Cyberattack

Microsoft recently rolled out its latest security update, fixing 50 security vulnerabilities. Of the 50 vulnerabilities fixed in the June 12, 2018 update, 14 allow remote code execution.

What is Remote Code Execution?

Remote code execution (RCE) is the ability of an attacker to run code of their choosing on someone else's computer over a network, without authorization and regardless of where that computer is physically located. An RCE vulnerability lets an attacker take over a computer or server by running arbitrary malicious software (malware) on it. "RCE (remote code execution) vulnerabilities are one of the most dangerous of its kind as attackers may execute malicious code in the vulnerable server," Imperva said.
Remote Code Execution Example #1: Microsoft Excel Remote Code Execution Vulnerability

One example of a remote code execution vulnerability is CVE-2018-8248, one of the vulnerabilities fixed by Microsoft in its June 12, 2018 security update. CVE-2018-8248, titled "Microsoft Excel Remote Code Execution Vulnerability", allows an attacker to run malware on a vulnerable computer in the context of the current user. If that user is logged on with administrative rights, the attacker could take full control of the compromised computer: view, change or delete data; install programs; or create new accounts with full user rights. Users whose accounts have fewer rights on the system are less affected than those with administrative rights, which is one more reason not to do everyday work from an administrator account.

According to Microsoft, one delivery method is a malicious email with an attachment containing a specially crafted file that is opened with an affected version of Microsoft Excel. Another is a web-based scenario in which the attacker hosts a website, or compromises one that accepts user-provided content, and places the specially crafted file there. In both scenarios the attacker has no way to force the file open; users must be convinced to open the attachment or follow the link, which is why such exploits travel with a social-engineering lure. At the time of writing, there were no reports of CVE-2018-8248 being exploited in the wild.

Remote Code Execution Example #2: Microsoft Windows SMB Vulnerability

On May 12, 2017, hundreds of thousands of computers worldwide were infected by WannaCry, ransomware that encrypts computer files, locks users out and demands a ransom payment to decrypt or unlock the files.
WannaCry spread by exploiting a vulnerability in Microsoft's implementation of Server Message Block version 1 (SMBv1), a protocol used for sharing access to files, printers and other resources on a network. The flaw allows remote code execution if an attacker sends specially crafted messages to an SMBv1 server; Microsoft fixed it in security bulletin MS17-010. Unlike remote code execution attacks that rely on malicious emails and web pages for delivery, WannaCry needed no user interaction at all: it scanned for hosts with SMB (TCP port 445) reachable and used "EternalBlue", one of the alleged U.S. National Security Agency (NSA) tools, to exploit the vulnerability. EternalBlue was then used to plant "DoublePulsar" (another alleged NSA tool), a kernel-mode backdoor, through which the WannaCry payload was loaded and run.

EternalBlue and DoublePulsar are two of the tools allegedly used by the NSA that were leaked in April 2017 by a group of hackers calling themselves the Shadow Brokers. According to Microsoft, the vulnerabilities exposed by the Shadow Brokers had already been fixed by the security update the company released in March 2017, a month before the Shadow Brokers published the tools. Researchers at Rendition reported that in late April and the first days of May 2017, weeks after Microsoft's update, more than 148,000 computers had been compromised by EternalBlue and DoublePulsar.

The infection count climbed into the hundreds of thousands because WannaCry is a worm: every infected machine in turn scanned for other hosts exposing SMB, both across the internet and inside the networks it landed on. A single unpatched machine with port 445 exposed was therefore enough to bring the ransomware inside an organization, from where it spread to every other unpatched Windows host it could reach.

Remote Code Execution Attacks and Cryptocurrency Mining

At the height of the cryptocurrency boom in December 2017, Imperva reported that cryptocurrency mining drove almost 90% of all remote code execution attacks.
Imperva said that 88% of all remote code execution attacks in December 2017 sent a request to an external source to try to download cryptocurrency mining malware. "These attacks try to exploit vulnerabilities in the web application source code, mainly remote code execution vulnerabilities, in order to download and run different crypto-mining malware on the infected server," Imperva said. "The malware usually uses all CPU computing power, preventing the CPU from doing other tasks and effectively denies service to the application's users."

Prevention

Timely patching, that is, installing software updates as soon as they are released, ranks as the top measure for preventing remote code execution attacks. To prevent remote code execution via CVE-2018-8248, for instance, Microsoft's June 12, 2018 security update has to be installed. In the case of WannaCry, remote code execution through the Windows SMB vulnerability would have been prevented had Microsoft's March 2017 security update been applied in time.

To stop attackers infecting servers with cryptocurrency mining malware, the initial attack must be blocked. That initial step is typically the exploitation of a remote code execution vulnerability to launch the malware, much as the WannaCry operators did. If your organization runs computers or servers with software known to be vulnerable to remote code execution, the vendor's patch for that vulnerability should be applied promptly; where no patch exists yet, the vendor's mitigations (such as disabling the affected feature, as Microsoft advised for SMBv1) or compensating network controls should be used in the meantime.

As a rule of thumb, to minimize the risk significantly your company must collect, analyze and act on the most recent threat intelligence. Your IT team must be equipped with the right tools to apply patches on time, thus mitigating the risk of a data breach. Better yet, workstation and server patching can and should be automated to prevent remote code execution and other cyberattacks.
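The Imperva quote above points at the root cause of the web-application cases: code that hands attacker-controlled input to the operating system. The following is an added example, not from Imperva or the original post, of the most common such flaw in a hypothetical "diagnose this host" feature, shown vulnerable and then hardened, with a constructed payload in the shape of a miner dropper. The tool name, payload and function names are assumptions; `echo` stands in for a real command so the code runs anywhere with a POSIX shell.

```python
import re
import subprocess

# 'echo' stands in for a real diagnostic tool (ping, nslookup, ...) so the
# example runs anywhere with a POSIX shell. Hypothetical feature, assumed names.
TOOL = "echo"


def vulnerable_lookup(hostname):
    """
    VULNERABLE: builds a shell command string from user input. The shell
    treats ';', '|', '&&', '$(...)' and backticks in `hostname` as syntax,
    so an attacker's second command runs with the web server's privileges.
    """
    completed = subprocess.run(f"{TOOL} {hostname}", shell=True,
                               capture_output=True, text=True)
    return completed.stdout


# Allow-list: DNS labels of letters, digits and hyphens, joined by dots.
# The first character of each label must be alphanumeric, which also rules
# out option injection such as a "hostname" starting with '-'.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def hardened_lookup(hostname):
    """
    HARDENED: validate against a strict allow-list, then pass the argument
    as a list with shell=False so no shell ever parses it. Both layers matter:
    validation stops the payload; avoiding the shell means a future gap in the
    validation cannot turn into code execution.
    """
    if not HOSTNAME_RE.match(hostname):
        raise ValueError("invalid hostname")
    completed = subprocess.run([TOOL, hostname], shell=False,
                               capture_output=True, text=True)
    return completed.stdout


# Constructed payload in the shape seen in crypto-miner droppers: terminate the
# intended command, then run something else. Here the 'something else' is a
# harmless echo rather than 'curl http://.../miner.sh | sh'.
PAYLOAD = "example.com; echo INJECTED-DROPPER-RAN"


def demo(payload=PAYLOAD):
    """Run both handlers on the same input; returns (vulnerable_output, hardened_result)."""
    vulnerable_output = vulnerable_lookup(payload)
    try:
        hardened_result = hardened_lookup(payload)
    except ValueError as exc:
        hardened_result = f"rejected: {exc}"
    return vulnerable_output, hardened_result
```

The vulnerable handler's output contains the injected marker, which in a real attack would be a miner now pinned at 100% CPU. The hardened handler rejects the input before anything runs, and even a hostname that slipped past the regex would reach `echo` as a single argument, never as shell syntax.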
Call us today or send an email to speak with our security experts about processes and technology to help your organization mitigate IT and cybersecurity risks.

How to Avoid Being a Victim of Email-Based Ransomware

The latest version of the ransomware called "GandCrab" is an example of how cyber attackers bait their ransomware victims through an email spam campaign. Last month, security researchers at Fortinet observed a surge in a spam campaign delivering the latest version of GandCrab. GandCrab is malicious software (malware) that encrypts files on compromised computers, locks out users and demands a payment to decrypt or unlock the files.

How Ransomware Victims Are Baited via Email Spam Campaign

The latest version of GandCrab is distributed through spam email. The campaign does not target specific individuals, but it is concentrated geographically: recipients in the US are the primary targets, followed by the UK and Canada. Recipients are tricked into opening the malicious emails because the attackers use subject lines that are routine in any organization's inbox:
Each spam email carries a ZIP archive, named in the format DOC (numbers).zip, containing a JavaScript file. When the victim opens the archive and runs the script, it downloads the latest version of GandCrab from a malicious website. Once the malware is running on the compromised computer, all the files on it are encrypted, preventing the user from accessing them, and a ransom note is displayed on the screen. The note directs the user to a site that must be reached using the Tor Browser, a browser designed to protect privacy and anonymity. That site tells the victim that the files on the compromised computer have been encrypted and asks for payment of USD 800 within a set period. If payment is not made within the allowed period, the price of decrypting the files is doubled.

GandCrab Ransomware Earlier Versions

The first version of GandCrab appeared in the wild on January 30, 2018. This early version was also distributed via spam emails purporting to be invoices, as well as via malicious advertisements (malvertisements) that led to malicious websites from which the download of the ransomware was initiated. Like the latest version, the first version encrypted the files on the compromised computer. The first version demanded its ransom in Dash cryptocurrency, the first time Dash had been used in a ransomware campaign; until then ransomware operators had preferred Bitcoin and Monero. According to Europol, the European Union's law enforcement agency, GandCrab is run as an affiliate program, or ransomware-as-a-service.
Anyone who joins the GandCrab affiliate program pays 30% to 40% of the ransom revenue to its creators and in return gets a full-featured web panel and technical support. According to Check Point, as of March 13, 2018, GandCrab had infected over 50,000 computer systems and collected the equivalent of USD 300,000 to USD 600,000 in ransom payments.

A tool to decrypt files encrypted by GandCrab version 1 was developed through a combined effort of the Romanian authorities, Bitdefender and Europol, and made available to the public for free. According to Check Point, the decryptor was not the result of a cryptographic breakthrough. It was made possible by law enforcement's access to the ransomware's master server, which allowed the recovery of all the private keys that had been used to encrypt victims' files with GandCrab version 1; this is evident from the decryptor's dependence on the victim ID from the ransom note. The developers of GandCrab, however, modify the ransomware regularly, and the decryptor developed by the Romanian authorities, Bitdefender and Europol is useless against later versions: it will not bring the files back. Paying the ransom for the latest version of GandCrab is not advisable either, as payment is no guarantee that the attackers have the capability or any intention to decrypt the files.

Social Engineering Feature of GandCrab Ransomware

As can be gleaned from the different versions of GandCrab, social engineering is at the heart of its distribution. A social engineering attack happens when an attacker uses an ordinary form of human interaction to obtain information about an organization or to compromise the organization's computer systems. Today's human interaction runs through technology, and a great deal of it still happens over email, a form of online communication that has persisted despite newer channels such as instant messaging, social networking and online chat.
GandCrab is not the only ransomware that relies on spam email for distribution. Other notorious ransomware families such as Spora and Locky are also distributed through spam. On August 28, 2017, for instance, over 23 million spam emails carrying the Locky ransomware were sent in a single 24-hour period. Notably, all three families, GandCrab, Spora and Locky, tricked their victims into opening ransomware-laden attachments by using the subject line "Invoice".

Prevention

Here are some of the best practices for avoiding becoming a victim of email-based ransomware like GandCrab:
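One control that addresses the delivery mechanism described above (a ZIP archive whose only content is a JavaScript file) is an attachment gate at the mail boundary that looks inside archives instead of trusting the outer extension. The following is an added example, not code from Fortinet or the original post: it parses a constructed lure in the style of the campaign (subject "Invoice", attachment DOC 61428.zip containing DOC 61428.js) and returns the reasons it should be quarantined. The message, file names and extension list are assumptions; the script inside the archive is inert.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows will execute via the script host or as a program when
# double-clicked. A user who opens "DOC 61428.zip" and clicks the file inside
# runs it under wscript.exe, which is exactly what the campaign relies on.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1",
               ".cmd", ".bat", ".exe", ".scr", ".lnk"}


def _ext(name):
    """Lower-cased final extension of a (possibly path-qualified) file name."""
    name = name.lower().rsplit("/", 1)[-1]
    return name[name.rfind("."):] if "." in name else ""


def inspect_attachment(filename, data):
    """Return the list of reasons this attachment should be quarantined (empty = allow)."""
    reasons = []
    if _ext(filename) in SCRIPT_EXTS:
        reasons.append(f"script/executable attachment {filename}")
    # Look inside ZIPs by magic bytes, not just by extension, so a renamed archive is caught too.
    if _ext(filename) == ".zip" or data[:4] in (b"PK\x03\x04", b"PK\x05\x06"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if _ext(info.filename) in SCRIPT_EXTS:
                        reasons.append(f"archive {filename} contains {info.filename}")
                    if info.flag_bits & 0x1:   # encrypted member: cannot be scanned
                        reasons.append(f"archive {filename}: encrypted member {info.filename}")
        except zipfile.BadZipFile:
            reasons.append(f"{filename} has a ZIP header but is not a readable archive")
    return reasons


def scan_message(raw_bytes):
    """Parse an RFC 5322 message and collect quarantine reasons across all attachments."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    reasons = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        reasons.extend(inspect_attachment(filename, payload))
    return reasons


def build_sample_message():
    """Constructed lure: 'Invoice' subject, ZIP named like the campaign's, inert .js inside."""
    js = b"var s = new ActiveXObject('WScript.Shell'); /* downloader stub, inert */"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("DOC 61428.js", js)
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "ap@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="DOC 61428.zip")
    return msg.as_bytes()
```

The gate flags the message because of what is inside the archive, not because of the subject line, so changing "Invoice" to "Your Order" does not help the attacker. Encrypted archive members are flagged as well, since a scanner that cannot see inside cannot clear them; in a real deployment those would go to a quarantine for manual release.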
Reaper IoT Botnet Threatens to Take Down Websites

The Reaper IoT botnet, considered more powerful than the Mirai botnet, is spreading worldwide and threatens to take down websites. According to Check Point researchers, Reaper has already reached more than a million organizations worldwide. "So far we estimate over a million organizations have already been affected worldwide, including the US, Australia and everywhere in between, and the number is only increasing," Check Point researchers said. Researchers at Qihoo 360 Netlab, meanwhile, reported that the number of "vulnerable devices in one c2 queue waiting to be infected" had passed 2 million.

An IoT botnet is a collection of internet-connected smart devices that have been infected by the same malware and are controlled by a cyber criminal from a remote location. It is typically used to launch a distributed denial-of-service (DDoS) attack. "In a distributed denial-of-service (DDoS) attack, an attacker may use your computer to attack another computer," is how the United States Computer Emergency Readiness Team (US-CERT) describes it. "By taking advantage of security vulnerabilities or weaknesses, an attacker could take control of your computer. He or she could then force your computer to send huge amounts of data to a website or send spam to particular email addresses."

Infecting millions of IoT devices with malware by hand would be a slow task, so cyber criminals automate it: the Reaper malware, like Mirai before it, is spread by the infected IoT devices themselves. After infecting a device, the malware uses that device to scan for and infect others. The Mirai botnet in October 2016 brought down major websites, including Twitter, Spotify and Reddit, by launching a DDoS attack against the DNS infrastructure of New Hampshire-based company Dyn, on which many major websites rely.
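Because the malware spreads from device to device, the one thing an infected camera cannot hide is its scanning: it suddenly talks to dozens or hundreds of addresses on telnet and web-management ports. The following is an added example, not from Check Point, Netlab or the original post, of flagging that behaviour from flow records exported by the firewall in front of an isolated IoT segment. The record format, port list and addresses are assumptions made for the illustration; the records themselves are constructed.

```python
from collections import defaultdict

# Ports Mirai-style worms brute-force (telnet, SSH) and the HTTP management
# ports that device exploits such as the IP-camera flaw discussed here target.
WORM_PORTS = {22, 23, 2323, 80, 81, 8080, 8081}


def parse_flow(line):
    """Whitespace-separated 'ts src dst dport proto', as a firewall or NetFlow export might give."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def detect_scanners(lines, window_s=60, fanout=20):
    """
    For each source address and each window, count distinct destinations
    contacted on worm ports. A camera or thermostat talks to a few fixed
    endpoints; one that touches `fanout` or more distinct hosts in a minute
    is sweeping the network. Returns {src: [(window_start, distinct_dsts, ports_used)]}.
    """
    dsts = defaultdict(lambda: defaultdict(set))    # src -> window -> {dst}
    ports = defaultdict(lambda: defaultdict(set))   # src -> window -> {dport}
    for line in lines:
        f = parse_flow(line)
        if f["proto"] != "tcp" or f["dport"] not in WORM_PORTS:
            continue
        w = f["ts"] - f["ts"] % window_s
        dsts[f["src"]][w].add(f["dst"])
        ports[f["src"]][w].add(f["dport"])

    hits = {}
    for src, windows in dsts.items():
        for w, targets in sorted(windows.items()):
            if len(targets) >= fanout:
                hits.setdefault(src, []).append((w, len(targets), sorted(ports[src][w])))
    return hits


def sample_flows():
    """Constructed: a well-behaved camera, a NAS, and a camera that has started scanning."""
    base = 1_508_400_000          # aligned to a minute boundary
    lines = []
    for i in range(30):           # healthy camera: cloud relay over 443 and NTP only
        lines.append(f"{base + i * 2} 10.20.0.11 203.0.113.5 443 tcp")
        lines.append(f"{base + i * 2} 10.20.0.11 203.0.113.9 123 udp")
    for i in range(5):            # NAS: a few SMB sessions to office PCs (445 is not a worm port here)
        lines.append(f"{base + i * 10} 10.20.0.12 10.10.0.{50 + i} 445 tcp")
    for i in range(1, 80):        # infected camera: sweeps a /24 on 23/2323 and another on 81
        lines.append(f"{base + i % 60} 10.20.0.13 10.20.1.{i} {23 if i % 3 else 2323} tcp")
        lines.append(f"{base + i % 60} 10.20.0.13 192.0.2.{i} 81 tcp")
    return lines
```

The detector only makes sense on a segment where such fan-out is abnormal, which is one more argument for putting IoT devices on their own network: on a VLAN shared with laptops, port 80 and 8080 traffic to many hosts is ordinary browsing. A hit is also a cue to check the device's firmware against the manufacturer's advisories, since Reaper-style infections mean the box was exploitable regardless of its password.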
Reaper Botnet versus Mirai Botnet

While Reaper shares some characteristics with Mirai, it differs from it in important ways. On September 30, 2016, the attacker known as "Anna-senpai" publicly released the source code of Mirai. According to Check Point and Qihoo 360 Netlab researchers, Reaper borrows some of Mirai's source code, but the new botnet is significantly different in several key behaviors. Here are some of the differences between Reaper and Mirai:

1. Number of Affected IoT Devices

The first difference is scale. Mirai affected about 500,000 IoT devices, while Reaper is estimated to have reached over a million.

2. Means of Infecting IoT Devices

Mirai infected hundreds of thousands of IoT devices by exploiting the common failure of IoT owners to change factory-default usernames and passwords. By logging in with those default credentials, the Mirai operators were able to infect a massive number of devices. Reaper, on the other hand, infects IoT devices by exploiting several known software vulnerabilities, for which the device manufacturers may or may not have issued security updates. Reaper can therefore infect a device even when a strong password is in use, because its way in is the unpatched software rather than the login prompt. According to Check Point researchers, Reaper infects unpatched wireless IP cameras, for instance, by exploiting the CVE-2017-8225 vulnerability.

3. Botnet Capabilities

Mirai has already shown what it can do: it brought down major websites worldwide, if only for a few hours. For Reaper, it is still unclear what its operators intend. As of this writing, the code Reaper's creator or creators have written is aimed only at infecting as many IoT devices as possible; it does not yet contain commands to attack any internet infrastructure or websites.

"It is too early to guess the intentions of the threat actors behind it, but with previous Botnet DDoS attacks essentially taking down the Internet, it is vital that organizations make proper preparations and defense mechanisms are put in place before an attack strikes," Check Point researchers said. The sheer number of devices infected by Reaper, more than twice Mirai's count, shows how damaging Reaper could be if it is turned to launching a DDoS attack.

Gartner projected that 8.4 billion IoT devices would be in use worldwide in 2017 and that the number would reach 20.4 billion by 2020. Examples of IoT devices include security systems (alarm systems, surveillance cameras), automation devices (controls for lighting, heating and cooling, electricity), smart appliances (refrigerators, vacuums, stoves) and wearables (fitness trackers, clothing, watches). "As more businesses and homeowners use Internet-connected devices to enhance company efficiency or lifestyle conveniences, their connection to the Internet provides new vulnerabilities for malicious cyber actors to exploit," the US Federal Bureau of Investigation (FBI) said. "Once an IoT device is compromised, cyber criminals can facilitate attacks on other systems or networks, send spam e-mails, steal personal information, interfere with physical safety, and leverage compromised devices for participation in distributed denial of service (DDoS) attacks."

How to Block Reaper IoT Botnet

In most cases, the owners of infected IoT devices are unaware that their devices are infected and are being used for criminal activity such as launching DDoS attacks. IoT users who fail to change their devices' default login details, or who fail to apply security updates, are part of the problem, "blindly" contributing to criminal activity such as DDoS attacks. Here are the top cyber security measures to stop attackers from infecting your IoT devices and turning them into a botnet:

1. Timely apply security updates to IoT software. Always apply, in a timely manner, all security updates issued by your IoT device's manufacturer. Against Reaper this is the control that matters: it spreads through unpatched software, not through passwords.
2. Use a strong password. While sophisticated malware like Reaper can bypass a strong password by exploiting software flaws, strong, unique passwords still ward off Mirai-style malware that relies on default credentials.
3. Isolate IoT devices on their own protected networks, so that a compromised device cannot reach workstations, servers or payment systems.
4. Block traffic from unauthorized IP addresses by configuring network firewalls, and keep the devices' management ports (telnet, SSH, web administration) unreachable from the internet.
5. Turn off IoT devices when not in use.
6. When buying an IoT device, look for manufacturers that offer software updates.

Whole Foods Becomes the Latest Victim of a Cyber Attack
Whole Foods, the supermarket chain recently acquired by Amazon, has become the latest victim of a cyber attack.
The supermarket chain officially acknowledged that the cyber attack may have compromised its customers' credit card details. According to Whole Foods, the data breach affected only the point of sale system used in taprooms (bars) and restaurants located within some Whole Foods stores. As of November 2016, The Mercury News reported, 180 of Whole Foods' 464 stores had bars or restaurants. In its official statement, Whole Foods stressed that its bars and restaurants use a different point of sale system from the company's supermarket checkouts, and that payment cards used at the supermarket point of sale were not affected. It added that the systems of Amazon, which completed its acquisition of the chain last month, do not connect to the bar and restaurant system, so transactions on Amazon.com were not affected. Whole Foods' public statement did not reveal how many customers may have been affected, how many bars and restaurants were involved, or when the breach was discovered.

The Whole Foods breach came on the heels of the Sonic Drive-In breach. The American drive-in fast-food chain, with over 3,500 restaurants in 45 US states, confirmed "unusual activity" on credit cards used at some of its restaurants. Like Whole Foods, the company did not disclose how many cards were potentially affected or when the breach took place. Krebs on Security reported that the Sonic Drive-In breach may have affected millions of credit and debit cards. "The first hints of a breach at Oklahoma City-based Sonic came last week when I began hearing from sources at multiple financial institutions who noticed a recent pattern of fraudulent transactions on cards that had all previously been used at Sonic," Krebs on Security wrote.
About 5 million credit and debit card records recently put up for sale on the underground marketplace Joker's Stash have been tied to the breach at Sonic Drive-In, according to Krebs on Security. "I should note that it remains unclear whether Sonic is the only company whose customers' cards are being sold in this particular batch of five million cards at Joker's Stash," Krebs on Security said. "There are some (as yet unconfirmed) indications that perhaps Sonic customer cards are being mixed in with those stolen from other eatery brands that may be compromised by the same attackers." Cyber criminals typically steal card details from merchants by hacking into the merchants' point of sale systems.

What is Point of Sale
Point of sale, also known as POS, is a system used by merchants where customers pay for goods or services. The POS system consists of hardware and software. The POS hardware refers to the device used to swipe a credit or debit card and the computer or mobile device attached to it. The POS software refers to the computer program that instructs the hardware what to do with the data it captures.
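The data a terminal reads from the magnetic stripe is laid out as ISO/IEC 7813 track 2: a start sentinel, the card number, a separator, the expiry date and service code, then discretionary data and an end sentinel. That fixed structure is what sniffers on the store network and, later, RAM scrapers search for in traffic and process memory, and it is equally what a defender's IDS or DLP rule can key on; with encryption at the point of capture the pattern never appears in cleartext anywhere between the read head and the processor. The following is an added example, not from the original post: a scanner that finds Luhn-valid track 2 records in a byte buffer. The buffer is constructed and uses the public test number 4111 1111 1111 1111 as the PAN.

```python
import re

# ISO/IEC 7813 track 2: ';' start sentinel, PAN (12-19 digits), '=' separator,
# expiry YYMM, 3-digit service code, discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(rb";(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?")


def luhn_ok(pan):
    """Luhn check digit as used on payment card numbers; filters out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_track2(buf):
    """
    Scan a byte buffer (memory dump, reassembled TCP payload) for track 2
    records whose PAN passes Luhn. Returns the offset and masked PAN only,
    so the detector itself does not become a new copy of the card data.
    """
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group("pan").decode()
        if not luhn_ok(pan):
            continue
        hits.append({
            "offset": m.start(),
            "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
            "expiry": m.group("exp").decode(),
            "service_code": m.group("svc").decode(),
        })
    return hits


def sample_buffer():
    """Constructed POS process memory: padding, a look-alike that fails Luhn, a real-shaped record."""
    track2 = b";4111111111111111=25121011234567890?"   # public test PAN, Luhn-valid
    lookalike = b";1234567890123456=2512101?"           # right shape, wrong check digit
    return (b"\x00" * 64 + b"Sale total 23.10 " + lookalike
            + b"\x00" * 16 + track2 + b"\x00" * 64)
```

Run over a capture of the store's internal traffic, a hit means cleartext card data is crossing the network, which is precisely the condition the Gonzalez group exploited. Run over a memory image of a register, it shows what a RAM scraper would have harvested. The service code (here 101) is worth keeping in the output: it tells you whether the card was a magnetic-stripe-only card or one the terminal should have read as chip.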
Over the years, a number of vulnerabilities have been identified in POS systems. Their weakness was highlighted by the arrest and conviction of Albert Gonzalez, leader of the group that stole more than 90 million card records from retailers. The Gonzalez group took advantage of the lack of point-to-point encryption in POS systems. When you pay with a card at a POS terminal, the data read from the card's magnetic stripe passes through a series of systems and networks before reaching the store's payment processor. Under the payment card industry rules in force in 2005 (PCI DSS), card details transmitted over a public network from a POS device had to be encrypted using network-level encryption such as Secure Sockets Layer (SSL). Within the store's internal network, however, card details were not required to be encrypted except when stored. The Gonzalez group exploited this gap by installing network-sniffing tools on retailers' internal networks, which let them capture over 90 million card records in transit. As a result of the Gonzalez group's activities, many stores today use POS systems that encrypt card data even on the internal network.

POS attackers have honed their skills since, and a number of further POS attack methods have been developed. Big companies like Target Corporation have succumbed to them. In May of this year, 47 US states and the District of Columbia reached an $18.5 million settlement with Target resolving the states' investigation into the company's 2013 data breach, which affected more than 41 million customer payment card accounts.

How to Prevent POS Attacks?
Customers’ credit card data in the POS system passes through the following:
At each of these stages, customers' card data is exposed to POS attackers. At the terminal, attackers can insert hardware such as skimmers or tamper with firmware to capture card details. As data passes from terminal to cash register, or from cash register to the central payment processing server, it can be captured with network-sniffing tools like those the Gonzalez group used. On the path from the terminal to the internet exchange, weak key management can expose the encryption key that protects the data. Card details may also be stolen by RAM-scraping malware, which reads card data out of memory on the cash register or on the central payment processing server during the brief moment it is held in cleartext.

The mitigations map onto the same stages. Between the terminal and the internet exchange, a firewall and security information and event management (SIEM) monitoring apply. On the cash register and the central payment processing server, endpoint security software applies. Between the cash register and the central payment processing server, encrypt the data in transit with TLS (the successor to SSL) and, better still, encrypt card data at the point of capture so that no intermediate system ever handles it in cleartext. Network segmentation is another of the mitigations against POS attacks. The separation of Whole Foods' bar and restaurant system from the supermarket checkouts and from Amazon.com appears to have kept the breach from spreading to those two environments. Target, by contrast, had not adequately segmented its network at the time of the 2013 breach, which let attackers who entered through a vendor's network access reach the payment systems.

When you need help protecting your mission-critical applications and infrastructure, give us a call to speak with one of our cyber security and compliance experts.

Wall Street's Top Regulator Discloses Own Data Breach
The US Securities and Exchange Commission (SEC), Wall Street's top regulator, is the latest organization to publicly acknowledge that it was the victim of a cyber attack.
SEC Chairman Jay Clayton, who took office in May of this year, disclosed that in August 2017 the Commission learned that a hacking incident detected back in 2016 "may have provided the basis for illicit gain through trading". "Cybersecurity is critical to the operations of our markets and the risks are significant and, in many cases, systemic," said Chairman Clayton. "We must be vigilant. We also must recognize – in both the public and private sectors, including the SEC – that there will be intrusions, and that a key component of cyber risk management is resilience and recovery."

This disclosure came just two weeks after the massive data breach at the credit monitoring company Equifax, which affected 143 million Americans, more than half of the country's adult population, as well as 100,000 Canadians and 400,000 UK residents.

The SEC hacking incident puts the Commission in an uneasy position, given that it is the government body responsible for enforcing securities laws, issuing rules and regulations, and ensuring that securities markets are fair, honest and protective of investors. The Commission, in particular, has the power to fine private entities for failing to safeguard customer information. In June 2016, Morgan Stanley Smith Barney LLC paid a $1 million SEC fine over stolen customer data. The Morgan Stanley case arose from the actions of a then-employee who accessed and transferred the data of nearly 730,000 accounts to his personal server, which was subsequently hacked by third parties. The Commission found that Morgan Stanley had violated Regulation S-P, which requires registered investment companies, broker-dealers and investment advisers to "adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information." Morgan Stanley agreed to settle the charges without admitting or denying the SEC's findings. In September 2015, a St. Louis-based investment adviser paid a $75,000 SEC fine for failing to establish the required cyber security policies and procedures, resulting in a data breach that compromised the personally identifiable information (PII) of nearly 100,000 individuals, including thousands of the firm's clients. The SEC, in its decision, said the firm "failed to conduct periodic risk assessments, implement a firewall, encrypt PII stored on its server, or maintain a response plan for cybersecurity incidents."

Patch, Patch, Patch
According to SEC Chairman Clayton, hackers exploited a software vulnerability in the Commission’s corporate filing system known as “EDGAR”, short for Electronic Data Gathering, Analysis and Retrieval. The vulnerability was patched after discovery, the SEC Chairman said.
The Commission’s EDGAR system performs automated collection, validation, indexing, acceptance and forwarding of data submitted by companies and others required to file certain information with the Commission. The system, in particular, receives, stores and transmits nonpublic information, including data which relates to the operations of credit rating agencies, issuers, investment advisers, broker-dealers, clearing agencies, investment companies, municipal advisors, self-regulatory organizations ("SROs") and alternative trading systems ("ATSs").

What is a Patch?
A patch is a piece of code that is added to a software program to fix a defect (also known as a software bug), including a security vulnerability. Patches are created and released by software creators after defects or security vulnerabilities are discovered. If a patch isn’t applied in a timely manner, or if a software creator no longer offers a patch, cyber criminals can exploit the known vulnerability.
The Common Vulnerabilities and Exposures (CVE) list, an international industry standard, catalogues and assigns identifiers to known cyber security vulnerabilities. The United States Computer Emergency Readiness Team (US-CERT) provides an up-to-date list of known vulnerabilities and patches.

“Federal agencies consistently fail to apply critical security patches on their systems in a timely manner, sometimes doing so years after the patch becomes available,” Gregory Wilshusen, Director for Information Security Issues, said in a written statement before the Subcommittee on Research and Technology, Committee on Science, Space, and Technology, House of Representatives in February 2017. “We also consistently identify instances where agencies use software that is no longer supported by their vendors. These shortcomings often place agency systems and information at significant risk of compromise, since many successful cyberattacks exploit known vulnerabilities associated with software products. Using vendor-supported and patched software will help to reduce this risk.”

The two major cyber attacks of 2017, WannaCry and the Equifax data breach, exploited known vulnerabilities in unpatched computers. WannaCry ransomware, which affected thousands of computers worldwide in May of this year, exploited a vulnerability in Microsoft Windows. This particular vulnerability could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server. Microsoft, for its part, released a patch (security update) for this known vulnerability in March 2017, two months before WannaCry was released into the wild.

For the Equifax data breach, the identified cause was a vulnerability in Apache Struts in Equifax’s US online dispute portal web application. According to Equifax, the data breach happened from May 13, 2017 to July 30, 2017.
The Apache Software Foundation, a not-for-profit corporation that manages and provides patches for Apache Struts, released four patches for four known vulnerabilities from March 2017 to July 2017. Even as cyber vulnerabilities are made public and patches are released, many organizations still fall victim to cyber attacks for failing to simply apply the available patches. According to the Apache Software Foundation, the majority of the breaches that came to its attention are “caused by failure to update software components that are known to be vulnerable for months or even years.”

Days after the patch for CVE-2017-5638 – a critical vulnerability in Apache Struts that allows attackers to take almost complete control of web servers used by banks and government agencies – was made available to the public, security researchers still noticed a spike of attacks exploiting this vulnerability. Patching known vulnerabilities in a timely manner is important, as cyber criminals are quick to make use of newly published cyber security vulnerabilities, using them to launch cyber attacks within days. Monitoring and managing vulnerabilities and threats is only effective when done regularly.

Identifying security vulnerabilities is an onerous task generally assigned to your company's IT department. We can save you time and money by proactively scanning your infrastructure and networks, helping you prevent a data breach. Connect with us today to learn more and protect your business.

Apache Struts Vulnerability: There’s More to It Than Patching
Equifax claimed in its latest announcement that the vulnerability in the Apache Struts in its US online dispute portal web application caused the massive data breach affecting 143 million Americans – almost all of the adults in the US.
What is Apache Struts?
Apache Struts is an open-source framework for developing web applications in the Java programming language. It’s used by a significant number of organizations for developing publicly-accessible web applications like airline booking systems and internet banking applications.
The Apache Software Foundation, a not-for-profit corporation, manages and provides organizational, legal and financial support for the Apache open-source software projects, including Apache Struts. According to Equifax, the data breach that harvested names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers of 143 million US citizens occurred from May 13, 2017 to July 30, 2017. During this period, hackers also accessed credit card numbers for nearly 209,000 US customers, certain dispute materials with personal identifying information for almost 182,000 US customers, and personal information for certain Canadian and UK residents. From March 2017 to September 2017, security researchers identified several critical vulnerabilities in Apache Struts. These include:
Notable Apache Struts Vulnerability #1: CVE-2017-5638
CVE-2017-5638 is a remote code execution vulnerability in Apache Struts that particularly affects the Jakarta Multipart parser. Hackers exploiting this vulnerability can attack a web application, take full control of the web server and inject it with commands of their choice.
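Whether an organization was hit by attacks like the ones described above is usually answered first from the web server's access log, which is also the data source for the "monitoring for unusual access patterns" that the Apache Software Foundation recommends further down this page. The following added example (not code from the original post, from Cisco Talos or from the Struts project) profiles each client in Combined Log Format lines and flags clients whose traffic is dominated by failed requests or that never send a User-Agent header. The log lines, IP addresses, paths and thresholds are all constructed assumptions for illustration.

```python
"""Flag clients with unusual access patterns in web server logs.

Added example. LOG lines, addresses and thresholds are constructed;
tune min_requests / max_error_ratio to the traffic of the real site.
"""
import re
from collections import defaultdict

# Apache/nginx "combined" log format; referer and user agent are optional.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def profile_clients(lines):
    """Aggregate per-client request count, error count and missing-UA count."""
    stats = defaultdict(lambda: {"requests": 0, "errors": 0, "no_ua": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip, do not crash the monitor
        s = stats[rec["ip"]]
        s["requests"] += 1
        if rec["status"] >= 400:
            s["errors"] += 1
        if not rec["ua"] or rec["ua"] == "-":
            s["no_ua"] += 1
    return stats


def unusual_clients(lines, min_requests=20, max_error_ratio=0.5):
    """Return {ip: reason} for clients whose pattern looks abnormal.

    Clients below min_requests are ignored: a handful of 404s from an
    ordinary user is noise, a sustained stream of failures is a signal.
    """
    flagged = {}
    for ip, s in profile_clients(lines).items():
        if s["requests"] < min_requests:
            continue
        error_ratio = s["errors"] / s["requests"]
        reasons = []
        if error_ratio >= max_error_ratio:
            reasons.append(f"error ratio {error_ratio:.0%}")
        if s["no_ua"] == s["requests"]:
            reasons.append("no User-Agent on any request")
        if reasons:
            flagged[ip] = "; ".join(reasons)
    return flagged


def build_sample_log():
    """Constructed sample: two ordinary users plus one client sending a
    burst of failing POSTs with no User-Agent (all values made up)."""
    lines = [
        '10.0.0.5 - - [08/Mar/2017:10:00:01 +0000] "GET /dispute/index.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
        '10.0.0.5 - - [08/Mar/2017:10:00:09 +0000] "GET /dispute/status.action HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
        '10.0.0.8 - - [08/Mar/2017:10:00:12 +0000] "POST /dispute/upload.action HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    ]
    for i in range(30):
        status = 500 if i % 3 else 404
        lines.append(
            f'198.51.100.7 - - [08/Mar/2017:10:01:{i:02d} +0000] '
            f'"POST /dispute/upload.action HTTP/1.1" {status} 0 "-" "-"'
        )
    return lines


if __name__ == "__main__":
    for ip, reason in unusual_clients(build_sample_log()).items():
        print(f"{ip}: {reason}")
```

The two rules are deliberately simple so that the output is explainable to whoever triages it; in practice they are the seed for alerting, with the per-client profile feeding a longer baseline rather than a single batch of lines.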
Nick Biasini, threat researcher at Cisco Talos, said they observed and blocked several attacks exploiting this vulnerability in Apache Struts. According to Biasini, one type of attack exploiting this vulnerability initially stops the firewall protecting the server and ultimately downloads and executes malware of the attacker’s choice.

Notable Apache Struts Vulnerability #2: CVE-2017-9805
CVE-2017-9805 is another critical remote code execution vulnerability in Apache Struts. All web apps using the popular REST plugin of Apache Struts are particularly vulnerable. Security researchers at lgtm discovered this vulnerability. If it is exploited, hackers can run malicious code on the app server and either take full control of the machine or launch further attacks.
“This vulnerability poses a huge risk, because the framework is typically used for designing publicly-accessible web applications,” Man Yue Mo, one of the lgtm security researchers who discovered this vulnerability, said. “Struts is used in several airline booking systems as well as a number of financial institutions who use it in internet banking applications. On top of that, it is incredibly easy for an attacker to exploit this weakness: all you need is a web browser.” Citing analyst Fintan Ryan at RedMonk, lgtm noted that at least 65% of the Fortune 100 companies are actively using web apps built with the Apache Struts framework.

Common Patching Versus Web App Patching
All of the above-mentioned vulnerabilities in Apache Struts have already been patched by the Apache Software Foundation. Many organizations, however, still haven’t patched their vulnerable web apps.
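Knowing that a fix exists is useless until you know which of your own applications still ship the vulnerable framework version; the first step is an inventory of dependencies and their versions. The following added example (not Equifax's, lgtm's or the Apache Software Foundation's code) reads a Maven `pom.xml`, pulls out the `org.apache.struts` artifacts and compares their versions against the release in which each advisory was fixed. The sample `pom.xml` is constructed, and the fixed-version table is an assumption filled in from memory rather than taken from this page: confirm it against the Apache Struts security bulletins before relying on it. The same version-comparison logic generalizes to any dependency manifest, not just Struts.

```python
"""Audit a Maven POM for Struts versions below the fixed release.

Added example. FIXED_VERSIONS is an assumption (not from the page);
SAMPLE_POM is a constructed manifest for illustration.
"""
import re
import xml.etree.ElementTree as ET

# Assumed fixed releases per advisory, one entry per maintained branch.
# Verify against the official Apache Struts security bulletins.
FIXED_VERSIONS = {
    "CVE-2017-5638": ["2.3.32", "2.5.10.1"],
    "CVE-2017-9805": ["2.3.34", "2.5.13"],
}

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed manifest: two Struts artifacts on an old 2.5.x release.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>dispute-portal</artifactId>
  <version>1.0</version>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>2.5.10</version>
    </dependency>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-rest-plugin</artifactId>
      <version>2.5.10</version>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.12</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(version):
    """'2.5.10.1' -> (2, 5, 10, 1); a property like '${struts.version}' -> ()."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_fixed(version, fixed_list):
    """True when `version` is at or above the fix on its own major.minor branch.

    Branches are compared separately (2.3.x vs 2.5.x). A version whose
    branch has no listed fix, or that cannot be parsed, is reported as
    NOT fixed so that it is reviewed by a human rather than silently passed.
    """
    v = parse_version(version)
    for fixed in fixed_list:
        f = parse_version(fixed)
        if v[:2] == f[:2]:
            return v >= f
    return False


def struts_dependencies(pom_xml):
    """Return [(artifactId, version), ...] for org.apache.struts dependencies."""
    root = ET.fromstring(pom_xml)
    found = []
    for dep in root.findall(".//m:dependency", NS):
        if dep.findtext("m:groupId", default="", namespaces=NS) == "org.apache.struts":
            found.append((
                dep.findtext("m:artifactId", default="", namespaces=NS),
                dep.findtext("m:version", default="", namespaces=NS),
            ))
    return found


def audit(pom_xml, fixed=FIXED_VERSIONS):
    """Return [(artifact, version, cve), ...] for every unfixed advisory."""
    findings = []
    for artifact, version in struts_dependencies(pom_xml):
        for cve, fixed_list in fixed.items():
            if not is_fixed(version, fixed_list):
                findings.append((artifact, version, cve))
    return findings


if __name__ == "__main__":
    for artifact, version, cve in audit(SAMPLE_POM):
        print(f"{artifact} {version} is below the fix for {cve}")
```

Because a Struts fix means rebuilding and redeploying each application (see the next section), the output of this audit is really a work list of applications to recompile, which is why keeping the manifest inventory current matters more than the scan itself.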
While most vulnerability fixes require only downloading a patch, installing it and rebooting a machine, fixing an Apache Struts vulnerability is different, as it needs each web app to be recompiled using a patched version. In fixing an Apache Struts vulnerability, the web app code has to be changed, as opposed to just applying the vendor patch. In addition to the complexity of patching a web app, organizations also have problems finding trusted and skilled personnel to patch the web apps, since most of the original web app developers have moved on to other projects or to other companies. The time spent waiting for the right personnel and then for the code modification is critical.

One of the preventive measures that your organization can use is virtual patching. “Instead of leaving a web application exposed to attack while attempting to modify the code after discovering a vulnerability, virtual patching actively protects web apps from attacks, reducing the window of exposure and decreasing the cost of emergency fix cycles until you’re able to patch them,” Imperva said.

Additional Preventive Measures
The Apache Software Foundation said in a statement, “We are sorry to hear news that Equifax suffered from a security breach and information disclosure incident that was potentially carried out by exploiting a vulnerability in the Apache Struts Web Framework.”
The not-for-profit organization, however, said that the majority of the breaches that came to the organization’s attention are “caused by failure to update software components that are known to be vulnerable for months or even years.” The Apache Software Foundation offers the following additional recommendations to prevent data breaches arising from Apache Struts vulnerabilities:

“1. Understand which supporting frameworks and libraries are used in your software products and in which versions. Keep track of security announcements affecting these products and versions.

“2. Establish a process to quickly roll out a security fix release of your software product once supporting frameworks or libraries needs to be updated for security reasons. Best is to think in terms of hours or a few days, not weeks or months.

“3. Any complex software contains flaws. Don't build your security policy on the assumption that supporting software products are flawless, especially in terms of security vulnerabilities.

“4. Establish security layers. It is good software engineering practice to have individually secured layers behind a public-facing presentation layer such as the Apache Struts framework. A breach into the presentation layer should never empower access to significant or even all back-end information resources.

“5. Establish monitoring for unusual access patterns to your public Web resources. Nowadays there are a lot of open source and commercial products available to detect such patterns and give alerts. We recommend such monitoring as good operations practice for business critical Web-based services.”

Massive Locky Ransomware Campaign Attempts to Infect Millions of Computers in 24 Hours
Locky is the first ransomware to make $1 million per month based on a Google-led study (PDF). After lying low in the first half of 2017, this notable ransomware made a massive comeback last August 28th, unleashing 23 million malicious emails in just 24 hours.
"In the past 24 hours we have seen over 23 million messages sent in this [Locky Ransomware] attack, making it one of the largest malware campaigns that we have seen in the latter half of 2017," researchers at AppRiver said.

How the Latest Locky Ransomware Works

Millions of workers who returned to work on Monday, August 28th, received emails with subject lines such as “please print”, “documents”, “photo”, “images”, “scans” and “pictures”.
Each email comes with a ZIP attachment containing a Visual Basic Script (VBS) file. Once opened, this VBS file initiates the download of the latest version of Locky ransomware. All the files on the infected computer are then encrypted, that is, converted into ciphertext, a form of data that can only be read with the decryption key or password. After the data encryption, victims are instructed to install the TOR browser and are given a .onion address, also known as a dark web site. Below is the screencap of the dark web site.
The dark web site shows a victim how to purchase Bitcoins. It also tells the victim to send 0.5 Bitcoin – equivalent to a staggering $2,381 – to a certain Bitcoin address as payment to supposedly unlock the encrypted files.
The latest Locky strain was reported on August 17th this year by researchers at Fortinet. This strain uses “.lukitus”, which means “locking” in Finnish, as the extension for the encrypted files. Rommel Joven, one of the Fortinet researchers who discovered the latest Locky variant, tweeted on August 17th that this variant is the second modification of Locky in just over a week. On August 14th, Fortinet researchers identified the predecessor of the Lukitus Locky variant, called "Diablo6" after the “.diablo6” extension it gives to encrypted files. “It’s still too early to say if this campaign signals the start of Locky diving back into the ransomware race or if it is just testing the waters," Fortinet researchers said about the Diablo6 Locky variant. This variant similarly spreads through spam emails, each containing a VBS attachment. Once clicked, the VBS file downloads the Locky variant from a compromised URL or webpage.

History of Locky Ransomware
Locky ransomware was first distributed into the wild in early February 2016. Based on the Google-led study, Locky was the highest grossing ransomware in 2016, earning a total of $7.8 million.
Locky’s notoriety rose when it victimized an American hospital in early February 2016. The hospital publicly acknowledged (PDF) that it was the victim of malware that locked access to certain hospital computers by encrypting the files and demanding a ransom payment of 40 Bitcoins (equivalent to $17,000 at that time) for the decryption key. The hospital said that it paid the $17,000 as it was the “quickest and most efficient way to restore our systems and administrative functions”. According to Fortinet researchers, from February 19, 2016 to September 15, 2016, Locky's total hits reached 36,314,789, mostly affecting computer users in the U.S., France, Japan, Kuwait, Taiwan and Argentina.

Modifications of Locky ransomware aren’t limited to the Lukitus and Diablo6 variants. In its more than a year in the wild, the creators of Locky ransomware have periodically made changes to this malicious software. Aside from “.lukitus” and “.diablo6”, Locky’s creators have also used “.locky”, “.zepto” and “.odin” as extensions for its encrypted files. Different variants of Locky were spread in two ways: 1) spam emails and 2) compromised websites.

Spam Emails
One of the main paths of Locky infection is through spam email campaigns. The following are some of the subject lines used in spam emails to spread the Locky ransomware:
An email with the subject line "Scanned image from MX-2600N” may look innocent enough. But the use of such a subject line is part of a sophisticated campaign, a plan to mislead many employees into clicking the spam email. The term “MX-2600N” is actually the most popular model of Sharp scanner/printer used by many offices. Many employees use this model to scan documents and email them to themselves or other people. So, when they see an email with the subject “MX-2600N”, they’re tricked into thinking that they’re opening an email that they’ve sent to themselves. According to Fortinet researchers, Locky’s spam email campaigns in the past contained the following attachments:
Compromised Websites
The other attack path used by Locky ransomware is via compromised websites that redirect to the Nuclear or Neutrino Exploit Kit. Unlike a malicious email campaign, in which the victim has to open an email and click on the attachment, an exploit kit like Nuclear or Neutrino doesn’t require any added action from the end user. An exploit kit works like a ghost while a potential victim is browsing a compromised website. In the case of Locky ransomware, the exploit kit acts as the distributor of the malware to the victim’s computer.
How to Prevent Locky Ransomware Attacks
Here are some of the ways to block Locky ransomware attacks:
1. Use Up-to-Date Browser and Software

“Using up-to-date browser and software remains to be the most effective mitigation against exploit kits,” Microsoft said. “Upgrading to the latest versions and enabling automatic updates means patches are applied as soon as they are released.”

2. Exercise Caution When Opening Emails and Attachments

Be wary about opening emails from unknown senders. When in doubt about an email, ignore it, delete it and never open attachments or click on URLs.
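Asking every employee to be wary is necessary but not sufficient; a mail gateway can enforce the same caution mechanically for the lure described in this post, a ZIP attachment carrying a VBS file. The following added example (not from the original post, AppRiver, Fortinet or any vendor product) opens an attachment in memory, looks through ZIP members including nested ZIPs, and returns a quarantine verdict if any member has a script or executable extension. The attachments are constructed in memory with placeholder contents; the extension list and nesting limit are assumptions an operator would tune.

```python
"""Quarantine check for email attachments that hide scripts inside ZIPs.

Added example. Attachment bytes are CONSTRUCTED placeholders; the
extension list and nesting limit are assumptions to be tuned locally.
"""
import io
import zipfile

# Script/executable types that have no business arriving as "scans" or
# "photos". VBS is the one named in the post; the rest are assumptions.
BLOCKED_EXTENSIONS = {
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta",
    ".exe", ".scr", ".bat", ".cmd", ".ps1",
}


def has_blocked_extension(name):
    """Case-insensitive suffix check; catches double extensions like 'scan.pdf.vbs'."""
    lower = name.lower()
    return any(lower.endswith(ext) for ext in BLOCKED_EXTENSIONS)


def blocked_members(zip_bytes, max_depth=3, _depth=0):
    """Return member names (including inside nested ZIPs) that are blocked.

    Nested archives deeper than max_depth are not opened; they are reported
    instead, because "too deep to inspect" is itself a reason to hold mail.
    """
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return hits  # not a ZIP at all; the caller decides what to do
    with zf:
        for info in zf.infolist():
            name = info.filename
            if has_blocked_extension(name):
                hits.append(name)
            elif name.lower().endswith(".zip"):
                if _depth < max_depth:
                    inner = blocked_members(zf.read(name), max_depth, _depth + 1)
                    hits.extend(f"{name}!{member}" for member in inner)
                else:
                    hits.append(f"{name} (nested deeper than {max_depth}, not inspected)")
    return hits


def verdict(attachment_name, attachment_bytes):
    """('quarantine', [reasons]) or ('allow', []) for one attachment."""
    if has_blocked_extension(attachment_name):
        return ("quarantine", [attachment_name])
    if attachment_name.lower().endswith(".zip"):
        hits = blocked_members(attachment_bytes)
        if hits:
            return ("quarantine", hits)
    return ("allow", [])


def build_sample_attachment():
    """Constructed lure: a ZIP carrying a VBS file, as the post describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("scan_0042.vbs", "' placeholder text, not a real script\r\n")
    return buf.getvalue()


def build_benign_attachment():
    """Constructed legitimate ZIP containing only a PDF placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("scan_0042.pdf", b"%PDF-1.4\n% placeholder bytes\n")
    return buf.getvalue()


def build_nested_attachment():
    """Constructed ZIP-in-ZIP with a JScript file at the inner level."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("photo.js", "// placeholder text\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    print(verdict("documents.zip", build_sample_attachment()))
    print(verdict("scan.zip", build_benign_attachment()))
    print(verdict("images.zip", build_nested_attachment()))
```

A gateway rule like this is a complement to the advice above, not a replacement for it: it stops the attachment types named in the post, while user caution still covers lures that use a file type the list does not mention.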
When you need help protecting your infrastructure and your data, connect with our team and we will be more than happy to help.
Counting the Cost of a Cyber Attack: Litigation Cost

In the last 12 months, Canada has seen high-profile data breach class action lawsuit settlements. These data breach lawsuit settlements highlight the added cost of a cyber attack: the cost of defense and a judgment or settlement.

Case #1: Lozanski v. The Home Depot
The Lozanski v. The Home Depot case arose from the data breach at Home Depot of Canada between April 11, 2014 and September 13, 2014. During this period, Home Depot’s payment card system was hacked by criminal intruders using custom-built malicious software.
After detecting the data breach on September 9, 2014, Home Depot notified the Office of the Privacy Commissioner of Canada, the Office of the Information and Privacy Commissioner of Alberta, the Office of the Information and Privacy Commissioner of British Columbia and the Commission d'accès à l'information du Québec about the data breach. On September 16, 2014, Home Depot published notices of the data breach in The Globe and Mail and in La Presse. In the newspaper notices, the company confirmed the data breach and announced that it had eliminated the malicious software responsible for it. It also announced in the same notices that customers affected by the data breach would get free credit monitoring and identity theft insurance.

On September 21, 2014, Home Depot emailed its more than 500,000 Canadian customers, notifying them that the payment card information of some customers might have been compromised. On November 6, 2014, the company also emailed 58,605 Canadian customers, advising them that their email addresses may have been stolen in the data breach.

A class action was filed against Home Depot as a result of the data breach. On April 25, 2016, the parties signed a settlement agreement. The agreement specifies two major points: 1) Home Depot denies any wrongdoing; and 2) the class action members release their claims against Home Depot. On August 29, 2016, Justice Perell of the Ontario Superior Court of Justice approved the Home Depot settlement agreement, awarding the data breach victims the total amount of $400,000 and approving the counsel fee of $120,000 despite the following findings:

“The case for Home Depot being culpable was speculative at the outset and ultimately the case was proven to be very weak. The real villains in the piece were the computer hackers, who stole the data. After the data breach was discovered, there was no cover up, and Home Depot responded as a good corporate citizen to remedy the data breach. There is no reason to think that it needed or was deserving of behavior modification.”

Case #2: Drew v. Walmart Canada
Ms. Drew in the Drew v. Walmart Canada case was a client of Walmart’s online photo center website. She provided the website with her name, address, telephone number and credit card information.
On July 15, 2015 and October 30, 2015, Walmart informed Ms. Drew via email that “third parties” were able to access Walmart’s customers’ personal and financial information. As a result of the data breach, Ms. Drew initiated a class action against Walmart. While Walmart made no admission of liability, in a settlement agreement, it agreed to the following:
Justice Perell of the Ontario Superior Court of Justice, in the decision dated May 30, 2017, approved the above-mentioned costs that Walmart agreed to shoulder in the settlement agreement.

Landmark Case: Jones v. Tsige
While Jones v. Tsige can’t be categorized as a high-profile case, its ruling may have sparked other litigation over invasions of privacy. Since the Jones v. Tsige case, decided by the Ontario Court of Appeal in 2012, “a number of awards have been made in other cases based on common law and statutory tort claims for invasions of privacy, including situations where there was no economic harm,” lawyer Alex Cameron said in the article "Cybersecurity in Canada: Trends and Legal Risks 2017” published on the Ontario Bar Association website.
In the Jones v. Tsige case, the defendant used her workplace computer to access the private banking records of her spouse's ex-wife at least 174 times. The Ontario Court of Appeal ruled that even though the defendant didn’t publish, distribute or record the private banking records, she was still liable for “moral” damages amounting to $10,000. “The defendant committed the tort of intrusion upon seclusion when she repeatedly examined the plaintiff's private bank records,” the Ontario Court of Appeal said. “Proof of harm to a recognized economic interest is not an element of the cause of action.”

Imran Ahmad, partner at Miller Thomson LLP, in the paper “Cybersecurity in Canada: What to Expect in 2017” (PDF) wrote, “At common law, Canadian courts, recognizing the rapid pace at which technology is evolving, have been receptive to recognizing new torts advanced resulting in cybersecurity and privacy breaches (e.g., intrusion upon seclusion, disclosure of private facts, etc.) that are being advanced by plaintiffs’ counsel.” Ahmad added, “We anticipate this trend to continue and to see the existing torts being further tested by the courts.”

Cases under Canada’s Digital Privacy Act
According to privacy lawyers David Fraser and David Wallace, violations under the Digital Privacy Act “once they take effect, can lead to quasi-criminal liability (it’s not a criminal offence but it’s subject to a penalty that’s similar to a criminal offence, although the court procedures are less complicated) for both organizations and for directors personally.”
The Digital Privacy Act amends Canada’s Personal Information and Protection of Electronic Documents Act (PIPEDA). Under the Digital Privacy Act, Canadian organizations are required to notify individuals and organizations of all breaches of security safeguards that create a “real risk of significant harm” and to report the incident to the Office of the Privacy Commissioner of Canada.

Effects of Petya Cyber Attack Still Linger
Even as weeks have passed since the Petya ransomware attack, its negative effects still linger.
Operational and Financial Costs of Petya Cyber Attack
At the height of Petya’s global attack last June 27, Nuance – a company that offers transcription service to doctors – publicly acknowledged that certain systems within its network were affected by the global malware incident.
Bloomberg reported that nearly four weeks after the ransomware attack, many doctors still can’t use Nuance's transcription service. According to Bloomberg, hospital systems, including Beth Israel Deaconess in Boston, still can’t use Nuance’s transcription platform – one that allows doctors to dictate notes from a telephone. This forces doctors to revert to the old way of making notes using pen and paper. The company told Reuters that it expects to have its transcription platform service restored to substantially all clients within two weeks. Nearly 50% of Nuance’s $1.95 billion in revenue in 2016 came from its health-care and transcription business, Bloomberg reported. As a result of the malware attack, Nuance expects an adjusted 3rd quarter revenue of $494 million to $498 million, short of the $509.8 million revenue that analysts expect, Reuters reported.

TNT Express, a small-package ground delivery and freight transportation company acquired by FedEx in May 2016, is another company that experienced disruption in its operations even weeks after the Petya ransomware attack. FedEx publicly acknowledged last June 28 that TNT’s worldwide operations were significantly affected by the Petya cyber attack. According to FedEx, as of July 17, all TNT hubs, depots and facilities are operational. FedEx, however, said that customers are still experiencing widespread service and invoicing delays, as a significant portion of TNT’s operations and customer service functions reverted to manual processes. “We cannot estimate when TNT services will be fully restored,” FedEx said in a statement.
The courier company added, “Given the recent timing and magnitude of the attack, in addition to our initial focus on restoring TNT operations and customer service functions, we are still evaluating the financial impact of the attack, but it is likely that it will be material.” FedEx further said that while the company can’t yet quantify the amounts, it has experienced loss of revenue as a result of decreased volumes at TNT, remediation of affected systems and incremental costs associated with the implementation of contingency plans. FedEx added that it doesn’t have cyber or other insurance in place to cover the cost of the attack.

While FedEx still can’t quantify the cost of the Petya cyber attack, other multinational companies like Saint-Gobain, Reckitt Benckiser Group and Mondelēz International were able to put a price on the June 27th ransomware attack. Saint-Gobain, a French multinational corporation that produces a variety of construction and high-performance materials, said that based on its preliminary assessment, Petya’s financial effect on the company’s first half sales is limited to about 1%. Reckitt Benckiser Group, a British multinational consumer goods company, for its part, said in a statement that Petya’s disruption meant that the company’s revenue growth in the second quarter would be down by 2%. Reckitt’s act of putting a price on the cyber attack is a revelation in itself, Bloomberg said, as the company has just spent $18 billion in cash acquiring baby formula producer Mead Johnson Nutrition Co. For its part, Mondelēz International, a snacking company with 2016 net revenues of almost $26 billion, said in a statement, “Our preliminary estimate of the revenue impact of this event is a negative 300 basis points on our second quarter growth rate.”

“Any time there is a cyberattack and a company is exposed to that threat, that presents both reputational risk as well as the risk from disruption,” Bloomberg Intelligence analyst Mandeep Singh said. “Since a lot of the deals get signed toward the end of the quarter, the timing of it could have impacted certain deal closures.”

Secondary Effects of Cyber Attacks
Cyber attacks result in a number of potentially significant secondary effects. The following are four of the secondary effects of cyber attacks:
1. Property Damage and Loss of Life

A cyber attack may affect life-critical functions or databases. Affected remote surgery may result in loss of life; compromised SCADA alarm systems may result in property damage.

2. Reputational Loss

Companies may acknowledge cyber attacks voluntarily or out of necessity, when pressured by social media revelations from customers, by third-party revelations or by the disclosure requirements of certain governments. The practice of sending apology notes to clients may have a negative effect on the company’s reputation. When customers can’t access your company’s site or when your automated processes are disrupted, this automatically impacts the company. Stock prices are typically volatile after a cyber attack. Nuance shares, according to Bloomberg, have dropped almost 8 percent since June 27, when the Petya ransomware attack began.

3. Litigation Cost

When a cyber attack disrupts your services and this, in turn, disrupts the services of your customers, it may lead to costly litigation. In the case of a data breach, affected customers may sue your company for the breach. Ruby Corp., formerly known as Avid Life Media – the parent company of the dating site Ashley Madison – said that it will pay $11.2 million to settle a case brought on behalf of nearly 37 million Ashley Madison users whose personal details were exposed in a July 2015 data breach, CNBC reported.

4. Cost of Additional Security Controls

Another consequence of a cyber attack is the cost of additional security controls. The data breach at Ashley Madison prompted Ruby Corp. to spend millions of dollars to improve user privacy and security, according to CNBC. After a data breach, affected companies typically don’t just patch the specific vulnerability; they implement additional security controls such as:
Cyber risk is becoming more and more of a reality for many businesses in the 21st century. In the World Economic Forum’s Global Risks Report 2016, cyber attack was ranked in 11th position in both likelihood and impact. Our team can help your business evaluate the cyber risks and recommend a cyber defence strategy. Connect with us today and protect your business.
Author: Steve E. Driz, I.S.P., ITCP
7/12/2018