Beware of DDoS-for-Hire
Distributed-denial-of-service (DDoS) attacks have become a public menace.
DDoS was once a tool used by hacktivists to further social or political ends. In recent years it has become a tool for purely financial gain and for outright destruction, and DDoS-for-hire services, also known as stressers or booters, have multiplied.
One DDoS-for-hire organization offers its service for a monthly fee of $7. A simple online search for “stressers” or “booters” yields a number of organizations offering DDoS services for a fee. One DDoS mobile app even showed up on Google Play, though it was pulled immediately.
Many of these DDoS-for-hire services advertise openly under the guise of offering a legitimate stress-testing service. A load or stress test against a website is not illegal in itself; site owners run them to measure how much traffic a site can absorb or to rehearse deflecting unwanted traffic. What makes it legitimate is authorization: a stress test commissioned by the site’s owner is a test, and the same traffic aimed at a site without its owner’s consent is an attack.
According to the FBI, hiring a stresser or booter service to carry out a DDoS attack that takes down a website is punishable under the US Computer Fraud and Abuse Act and may result in any one or a combination of the following: seizure of computers and other electronic devices, arrest and criminal prosecution, a significant prison sentence, and penalties or fines.
“Booter and stresser services are a form of DDoS-for-hire – advertised in forum communications and available on Dark Web marketplaces – offering malicious actors the ability to anonymously attack any Internet-connected target,” the FBI said. “These services are obtained through a monetary transaction, usually in the form of online payment services and virtual currency.”
What Can a DDoS-for-Hire Service Actually Do?
The Gammel case was the first in Minnesota to address DDoS-for-hire cybercrime. In April of this year, in a criminal complaint filed in the US District Court for the District of Minnesota, the Federal Bureau of Investigation (FBI) alleged that Gammel, a former employee of Washburn Computer Group, a Minnesota-based company, paid several DDoS-for-hire services to bring down three Washburn websites in a DDoS campaign lasting more than a year.
According to the FBI, Washburn’s first two websites were knocked offline several times by the DDoS attacks Gammel paid for. The FBI also alleged that the third website, the one that replaced the other two, was knocked offline several times as well. Washburn put its losses from the attacks at a minimum of $15,000.
In the criminal complaint, the FBI defined DDoS attack as "an attempt to make a machine or network resource unavailable to its intended users, such as by temporarily or indefinitely interrupting or suspending services of a host connected to the Internet, usually by shutting down a website or websites connected to target of the DDoS attack.”
The DDoS attacks against Dyn, a domain name service (DNS) provider on which many websites rely, were considered among the largest on record. Because of the attacks on Dyn, some 80 widely used websites, including Twitter, Amazon, Tumblr, Reddit, Spotify and Netflix, were rendered temporarily inaccessible to the public.
“The [Dyn] attack used a booter service and was attributed to infected Internet of Things (IoT) devices like routers, digital video recorders, and Webcams/security cameras to execute the DDoS attack,” the FBI said.
According to the FBI, the DNS provider lost approximately 8% of its customers following the attacks.
How a DDoS Attack Works
In the Dyn case, the company itself confirmed that the Mirai botnet was the primary source of the attack traffic, though it declined to comment on the attackers’ motivation or identity.
According to Dyn, on October 21, 2016, it observed two waves of abnormally high traffic against its Managed DNS platform in the Asia Pacific, South America, Eastern Europe and US-West regions. The company estimated that the two major attacks on its Managed DNS platform involved up to 100,000 compromised IoT devices, spread across the globe, infected with Mirai.
Mirai spreads by logging in to IoT devices with weak security, those still using factory-default usernames and passwords, and turns them into bots that can be commanded as a group, in this case to generate DDoS traffic.
The effects of malicious and unauthorized DDoS attacks are immediate. They render targeted websites inaccessible or slow. As experienced by Washburn and Dyn, DDoS attacks proved to be costly and can cause businesses to lose customers.
Availability of DDoS Tools
The danger of DDoS attacks is that the tooling isn’t available only from the DDoS-for-hire services themselves but also from public sources. For instance, anyone can build a botnet of their own from the Mirai code, because its source was published in September 2016 by someone using the handle “Anna-senpai”.
DDoS tools are also evolving. About a year after the Mirai source code was published, a new IoT botnet called “Reaper” emerged. It had not launched an attack at the time of writing, as it was still in the process of infecting vulnerable IoT devices. The stark difference between the two is that while Mirai’s Dyn attack involved roughly 100,000 devices, Reaper was reported to have infected over half a million, which would make the new botnet far more powerful. Reaper also differs in how it spreads: rather than guessing default passwords, it exploits known vulnerabilities in the devices’ software.
While it’s cheap to hire malicious actors to conduct DDoS attacks, it’s equally affordable to hire professionals to prevent them. Contact us today if your company is currently burdened by this menace or if your organization simply wants to be proactive in stopping DDoS attacks.
How to Prevent Account Takeover or Hijacking
A new study conducted by Google and University of California (UC) delved into the question which among these three cyberattacks – phishing, keylogging and third-party data breach – most likely results in account takeover or hijacking.
From March 2016 to March 2017, researchers at Google and UC examined 12.4 million potential victims of phishing kits, 788,000 potential victims of keyloggers and 1.9 billion usernames and passwords exposed via third-party data breaches traded on the black market.
The Google and UC study found that victims of phishing kits are more likely to have their account taken over by cybercriminals as these kits harvest the same information that Google uses in verifying every time a user logs into his or her email account. Details that are harvested by phishing kits include the victim's secret questions, geolocation, phone numbers and device identifiers.
The study found that phishing victims are 400 times more likely to have their Google account successfully hijacked than a random Google user. The likelihood is far lower for keylogger victims (40 times) and third-party data breach victims (10 times). The researchers also identified around 25,000 blackhat tools used for phishing and keylogging.
“We find that the risk of a full email takeover depends significantly on how attackers first acquire a victim’s (re-used) credentials,” the researchers wrote in their paper “Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials”. “Using Google as a case study, we observe only 7% of victims in third party data breaches have their current Google password exposed, compared to 12% of keylogger victims and 25% of phishing victims.”
Once an account is taken over, the attacker can download all of the victim’s private data; remotely wipe the victim’s data and backups; impersonate the victim; reset the victim’s passwords and use this hijacked account as a stepping stone to access the victim’s other online accounts.
Third-Party Data Breach
Most of the 1.9 billion usernames and passwords exposed via third-party data breaches in the Google and UC study came from MySpace, Badoo, Adobe, LinkedIn, VK, Tumblr and Dropbox. The study also listed the passwords most commonly used by victims of phishing, keylogging and third-party data breaches.
These leaks, which date back to 2012 through 2014, appeared on public blackhat forums, paste sites and sites like leakedsources.com, leakbase.pw and breachalarm.com, sites that charge people who want to find out whether their accounts are compromised. Victims of third-party data breaches were mostly from the US (39%), India (8%) and Brazil (2.6%).
The importance of an account, in particular an email address and its login details, can’t be overstated. “As the digital footprint of Internet users expands to encompass social networks, financial records, and data stored in the cloud, often a single account underpins the security of this entire identity – an email address,” the researchers said.
A phishing kit, in the Google and UC study, is a prepackaged fake login page for a popular site such as Gmail, Yahoo or an online bank. Kits are typically uploaded to compromised websites and harvest victims’ credentials automatically, usually by emailing them to an address the attacker controls. The researchers found kit variants impersonating the login pages of Yahoo, Hotmail, Gmail, Workspace Webmail, Dropbox, Google Drive, Docusign, ZoomInfo, Office 365 and AOL.
The study showed that the most popular phishing kit that utilized fake login pages for popular email providers – Yahoo, Hotmail, AOL and Gmail – generated 1,448,890 stolen credentials. Based on the last sign-in to email accounts receiving stolen credentials, the top 3 phishing kit users are those from Nigeria (41%), United States (11%) and Morocco (7.6%). Victims of phishing were mostly from the US (50%), South Africa (4%) and Canada (3%).
Google in a blog post said, “By ranking the relative risk to users, we found that phishing posed the greatest threat, followed by keyloggers, and finally third-party breaches.”
Of the three forms of attack, phishing, keylogging and third-party data breach, phishing is the most destructive because it yields not only a password but also the other sensitive data Google itself may ask for when verifying an account holder, such as IP address, location, phone number and device model.
A keylogger is malicious software that records every keystroke you make on your computer, usually without your knowledge or permission. Attackers use keyloggers to capture sensitive data such as financial information and passwords, which are then sent to the attacker for criminal use. Modern keylogger families go beyond keystrokes: they steal passwords saved on the device, harvest clipboard content and take screenshots of your online activity.
Based on the study, the top 10 keylogger families are the following: HawkEye, Cyborg Logger, Predator Pain, Limitless Stealer, iSpy Keylogger, Olympic Vision, Unknown Logger, Saint Andrew’s, Infinity Logger and Redpill Spy. HawkEye, in particular, sent over 400,000 snooping reports to 470 emails believed to be managed by attackers.
The top keylogger users based on the last sign-in to email accounts receiving stolen credentials came from Nigeria (11%), Brazil (7.8%) and Senegal (7.3%). Victims of keyloggers were mostly from Brazil (18%), India (10%) and US (8%).
Here are some of the ways to stop account takeover or hijacking:
Attackers already know our “1234567” and “password” passwords. It’s time to use less obvious ones, and above all to stop reusing one password across sites, since the study’s whole premise is that a credential leaked from one service gets tried against your email. Security, however, needs to move beyond strong passwords.
To ward off attackers, many online businesses safeguard accounts with two-factor authentication: something you know, such as a password, combined with something you have, such as a smartphone. After you enter your password you either receive an SMS with an additional code or use an authenticator app to generate one, and only then does the login complete. Some providers and social networks also enforce additional verification on their own. For instance, when Google sees a login from an unfamiliar device or location, it asks for information only the real user should know before granting access.
As the destructive nature of phishing shows, even two-factor authentication isn’t always enough, because a phishing kit can harvest the same details Google uses to verify an account, and a kit that relays a one-time code to the real site in real time can defeat SMS and app-generated codes as well. Hardware security keys (U2F/FIDO) resist that because the key signs the genuine site’s origin, so a look-alike domain gets nothing it can reuse.
Contact us today to learn more about how to protect your enterprise accounts from takeover or hijacking.
Major Accounting Firm Deloitte Admits It Suffered Cyber Attack
Deloitte, one of the world’s “big four” accountancy firms, admitted that it suffered a cyber attack. The company, however, downplayed the cyber attack saying that "only very few clients were impacted" and "no disruption" to client businesses happened.
Deloitte’s clients include 80% of the Fortune 500 companies and more than 6,000 private and middle market companies.
British news outlet The Guardian and cyber security journalist Brian Krebs have come out with a different take on Deloitte’s cyber attack.
Sources told the British news outlet that an estimated 5 million emails have been accessed by the hackers in the Deloitte cyber attack. A source close to the Deloitte cyber attack investigation, meanwhile, told Krebs that the Deloitte hacking incident involved the compromise of all administrator accounts at the company as well as the company’s entire internal email system.
“In addition to emails, the Guardian understands the hackers had potential access to usernames, passwords, IP addresses, architectural diagrams for businesses and health information,” Nick Hopkins of The Guardian wrote. “Some emails had attachments with sensitive security and design details.”
The Guardian reported that Deloitte discovered the hack in March of this year but the hackers may have had access to the company’s systems since October or November 2016. This hacking period was confirmed by Krebs who said that the Deloitte hacking dates back to at least the fall of 2016.
“Deloitte has sought to downplay the incident, saying it impacted ‘very few’ clients,” Brian Krebs wrote. “But according to a source close to the investigation, the breach dates back to at least the fall of 2016, and involves the compromise of all administrator accounts at the company as well as Deloitte’s entire internal email system.”
“As part of the review, Deloitte has been in contact with the very few clients impacted and notified governmental authorities and regulators,” Deloitte said in a statement. “The review has enabled us to understand what information was at risk and what the hacker actually did, and demonstrated that no disruption has occurred to client businesses, to Deloitte’s ability to continue to serve clients, or to consumers.”
A source told Krebs that Deloitte “does not yet know precisely when the intrusion occurred, or for how long the hackers were inside of its systems.”
Cause of the Cyber Attack
Sometime in October 2016, Deloitte may have sensed that something was wrong: the company sent an email to all its US employees ordering a mandatory password reset. The notice advised employees to pick complex passwords and warned that anyone who failed to change their password or personal identification number (PIN) by Oct. 17, 2016 would lose access to email and other Deloitte applications.
According to The Guardian, Deloitte’s global email server was compromised through an “administrator’s account” – an account that has unrestricted access to all aspects of the email server. The administrator’s account required only a single password and didn’t have 2-step verification, sources of The Guardian said.
By relying on a password alone, single-factor authentication, Deloitte’s email system was left highly exposed.
Attackers find email accounts protected by nothing more than a password easy to compromise, and the Equifax incident described next shows how weak a single factor can be in practice.
Prior to the massive hack at Equifax, in which personally identifiable information such as names, Social Security numbers, birth dates and addresses of 143 million Americans, 100,000 Canadians and 400,000 UK residents was stolen, Equifax was the victim of an earlier hacking incident.
On May 15 of this year, counsel for TALX Corporation, a wholly owned subsidiary of Equifax, informed the Attorney General of New Hampshire about a hacking incident that harvested W-2 tax forms of the employees of TALX’s corporate clients. According to counsel for TALX, the attackers gained access to the TALX website and harvested W-2 forms by successfully answering the personal questions used to reset the PINs or passwords that control access to the site.
“Because the accesses generally appear legitimate (e.g., successful use of login credentials), TALX cannot confirm forensically exactly which accounts were, in fact, accessed without authorization, although TALX believes that only a small percentage of these potentially affected accounts were actually affected,” the Counsel for TALX said.
“It’s pretty unbelievable that a company like Equifax would only protect such sensitive data with just a PIN,” Avivah Litan, a fraud analyst with Gartner, told Krebs, in reaction to the TALX-Equifax data breach. “That’s so 1990s.”
What is 2-Step Verification
Many companies, including Google, Facebook and Apple, offer 2-step verification, also known as two-factor authentication.
2-step verification is one of the security measures that help keep the bad guys out. Gmail’s version is a typical example: you enter your password as usual and are then asked for something else, a code delivered to your smartphone by text message, voice call or an authenticator app, which you type in to finish signing in. You can also sign in with a USB security key, a small device that plugs into your computer.
Can 2-step verification keep the bad guys away entirely? It offers far more protection than a password alone, and the added layer stops whole classes of attack: a password leaked in a third-party breach is useless on its own. It does not, however, stop every sophisticated attack.
A USB security key is considered more secure than a code sent to a phone, because the key authenticates to the genuine site’s origin and a phishing page cannot replay what it produces, whereas a code can be phished or relayed. The key can be lost or stolen, so the account needs a recovery path that is itself protected, and criminals have in the past infected mobile devices specifically to intercept 2-step verification codes.
Your organization’s entire internal email system could be full of sensitive information. Protecting your company’s email system goes beyond a password – single factor authentication. Email security also goes beyond the two-factor authentication.
Contact us today if you need further protection for your organization’s internal email system.
How to improve healthcare cyber security
Scope of Hacking Health Care Records
The hacking of health care records at the NHS and HPMC aren’t isolated cases. Prior to the widely published WannaCry ransomware attack, other cyber attacks had already wreaked havoc in the health care industry. Protenus reported that in 2016, the U.S. health care industry suffered one breach per day, affecting more than 27 million patient records.
For the month of April 2017 alone, the U.S. Department of Health and Human Services, Office for Civil Rights reported 12 hacking incidents on hospitals and medical doctors’ offices, affecting 171,564 patient records.
The biggest hacking incident last month that was reported to the U.S. Department of Health and Human Services happened at Harrisburg Gastroenterology Health Care Center, affecting 93,323 patient records. The patient information potentially accessed at Harrisburg Gastroenterology includes names of patients, demographic information, social security numbers, health insurance information, diagnostic information and clinical information.
Last May 18th, Neeley-Nemeth Barton Oaks Dental Group reported to the U.S. Department of Health and Human Services that its computer system was hacked, affecting 17,090 patient records.
Symantec's Global Ransomware and Business Special Report showed that from January 2015 to April 2016, Canada ranked third (16%) in terms of ransomware infections, next only to the United States (23%) and "Other Regions" (19%).
Verizon’s 2017 Data Breach Investigations Report showed that breaches in healthcare organizations came second (15%), next to data breaches in financial organizations (24%). In 2017, ransomware was ranked by Verizon as the number five most commonly used crimeware. “For the attacker, holding files for ransom is fast, low risk and easily monetizable – especially with Bitcoin to collect anonymous payment,” the Verizon report said.
5 Reasons Why Hacking of Health Care Records is Skyrocketing
Hospitals and medical doctors’ offices have become targets for ransomware attacks due to the following reasons:
1. Medical Records are Irreplaceable
Medical doctors’ offices and hospitals have irreplaceable digital documents that increase every hour, from appointments with patients to viewing imaging.
2. Willingness to Pay
Compared to other sectors, the medical sector appears to be more than willing to pay ransom for the fast recovery of their data.
3. Confidential Nature of the Documents
Medical doctors’ offices and hospitals’ records carry with them an abundance of confidential information about patients such as social security details, insurance details, birth dates, addresses, medical history and current medical situation. These confidential data can be sold to other opportunistic individuals or organizations at $10 per patient – an amount 10 times higher than what criminals earn from selling credit card details.
4. Loss of Reputation
A hack exposes an organization’s weaknesses. Many hospitals and medical practices would rather pay and keep quiet than face the reputational damage.
5. Vulnerable Software
Many medical practices and hospitals run specialised or proprietary software, which ties them to particular operating system versions and leaves them slow to patch, and cyber criminals exploit the vulnerabilities that result. In the NHS WannaCry attack the exploited flaw was in the SMBv1 file-sharing service of Windows, which Microsoft had patched for supported versions in March 2017 (MS17-010); unpatched machines of any version were exposed, and Windows XP, released in 2001 and out of support since 2014, had no fix at all until Microsoft issued an emergency patch during the outbreak. At the height of the attack, NHS confirmed that 4.7% of its computers still ran Windows XP.
3 Effective Ways to Prevent Cyber Attacks on Medical Doctors’ Offices
Below are 3 preventive measures to stop cyber criminals from getting hold of your patients’ confidential data:
1. Backup data
One of the most effective defences against ransomware in particular is backing up your data. Ransomware gets its leverage by encrypting valuable files and locking victims out of them; if you hold backup copies, restoring those files is straightforward and the ransom demand loses its force.
It’s important to make sure the backups themselves are protected, because ransomware that can reach a mounted backup drive or a network share will encrypt that too. Storing copies offline, disconnected from the network, is one option. Another is a cloud service that keeps previous versions of files, so you can roll back to the unencrypted version; check that versioning is actually enabled and that the credentials on the infected machine cannot delete old versions. In either case, test a restore regularly: a backup that has never been restored is an assumption, not a safeguard.
2. Exercise digital hygiene
Preventing cyber attacks on medical doctors’ offices is similar to other disease prevention: hygiene is essential. In the medical office set-up, digital hygiene refers to maintaining one’s computer hardware and software solutions as secured as possible.
Examples of digital hygiene include keeping hardware and operating systems on supported versions, installing the latest patches or security updates promptly, and not clicking unfamiliar links or opening unexpected attachments in email. Hundreds of thousands, if not millions, of computers were untouched by WannaCry simply because they ran a supported operating system with the March 2017 patch installed.
3. Contain the infection
Containing malware is much like containing an outbreak of an infectious disease: a rapid response, such as isolating infected computers, makes the difference. Some ransomware, WannaCry included, carries a worm component that spreads across a network on its own, with no user interaction needed; WannaCry did so over the Windows SMB file-sharing port. In handling the WannaCry attack, Spain’s Computer Emergency Response Team, CCN-CERT, recommended isolating unsupported or unpatched computers from the network or turning them off, as appropriate.
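A worked example of spotting the worm behaviour described above early enough to isolate the infected host. This is added example code, not from the original article or from CCN-CERT. It assumes flow records (timestamp, source, destination, destination port) of the kind a firewall or NetFlow collector exports; the records, hosts and thresholds below are constructed for the example. It looks for one source reaching many distinct hosts on TCP 445, the Windows SMB port WannaCry spread over, which is what a scanning worm looks like and what a normal workstation never does.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int


SMB_PORT = 445  # WannaCry's worm component spread over SMB on TCP 445

# Constructed flow records, not from any real network. One workstation touches
# twelve distinct neighbours on port 445 within a few seconds (worm-like fan-out);
# a second host talks repeatedly to a single file server, which is normal.
_BASE = datetime(2017, 5, 12, 11, 0, 0)
SAMPLE_FLOWS: List[Flow] = (
    [Flow(_BASE + timedelta(seconds=i), "10.0.5.23", f"10.0.5.{i + 1}", SMB_PORT) for i in range(12)]
    + [Flow(_BASE + timedelta(seconds=i), "10.0.7.4", "10.0.9.10", SMB_PORT) for i in range(20)]
    + [Flow(_BASE + timedelta(seconds=3), "10.0.7.5", "10.0.1.1", 53)]
)


def smb_fanout(flows: List[Flow], window: timedelta = timedelta(seconds=60)) -> Dict[str, int]:
    """For each source, the largest number of distinct hosts it contacted on
    TCP 445 within any single fixed window. Legitimate clients reach a handful
    of file servers; a scanning worm reaches dozens in seconds."""
    buckets: Dict[tuple, set] = defaultdict(set)
    for f in flows:
        if f.dport != SMB_PORT:
            continue
        bucket = int(f.ts.timestamp() // window.total_seconds())
        buckets[(f.src, bucket)].add(f.dst)
    fanout: Dict[str, int] = defaultdict(int)
    for (src, _), dsts in buckets.items():
        fanout[src] = max(fanout[src], len(dsts))
    return dict(fanout)


def isolation_candidates(flows: List[Flow], threshold: int = 10) -> List[str]:
    """Sources whose SMB fan-out meets the threshold: the hosts to pull off the
    network first. The threshold is an assumption; tune it to the environment
    (vulnerability scanners and backup servers need an allow-list)."""
    return sorted(src for src, n in smb_fanout(flows).items() if n >= threshold)


if __name__ == "__main__":
    print(smb_fanout(SAMPLE_FLOWS))            # {'10.0.5.23': 12, '10.0.7.4': 1}
    print(isolation_candidates(SAMPLE_FLOWS))  # ['10.0.5.23']
```

Run this over the last minute of flows on a schedule and feed the result to whatever isolates a host (switch port shutdown, NAC quarantine, or a firewall rule), then patch and rebuild the machine before reconnecting it; the same fan-out logic applies to any worm that spreads by scanning, only the port changes.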
Contact us today if you want to protect your hospital or medical office from cyber attacks.
5 Signs You've Suffered An Online Hack
Are you unknowingly leaving your company's system vulnerable to external attacks?
The share of online attacks targeting small businesses rose from a low of 18% in 2011 to 43% in 2016, and the figure is expected to keep rising over the next couple of years.
It's safe to say, therefore, that no business or industry is invincible when it comes to these malicious attacks.
Figuring out if you've been a victim of an online hack or not is not so straightforward.
But there are a couple of tell-tale signs which you can rely on when having doubts about the security status of your system.
Let's dive right in.
1. A drop in website performance
If keeping tabs on your website's technical performance is not part of the routine checks you carry out, it's about time you made it a priority.
This is a proven way of picking up on slow or broken processes which could point to an online hack.
For example, if checkout on an e-commerce site normally completes in a few seconds and suddenly takes much longer, with no deployment or traffic spike to explain it, the slowdown could point to a system breach: malware running on the server, or traffic it is sending elsewhere, consumes the same resources your customers use.
It's advisable to get a free vulnerability assessment just to be sure this is not a hacking attempt.
2. Does your antivirus appear disabled?
If you notice your system's antivirus has been disabled without your knowledge or consent, this is a sign of a much bigger problem.
When attackers have infiltrated a system, you will often find that you cannot re-enable the antivirus, or that it switches itself off again shortly after you do.
Disabling the antivirus is a common tactic used by hackers to maintain control and access to your system.
3. Server log activities you can't explain point to an online hack
Have you noticed suspicious activity in your server and website logs lately?
Keeping track of your server logs is an advanced way of detecting hackers trying to gain access to your system.
Keep an eye out for these two common warning signs in your server logs:
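As an added example that is not part of the original post, the following script shows what looking for unexplained activity in web-server logs amounts to in practice. It parses access logs in the Apache/Nginx “combined” format and flags two indicators of my own choosing: a burst of failed logins from one address, and successful responses for paths the site never published (the signature of a file an attacker dropped on the server). The log lines, addresses, paths and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sample lines, not from any real server. 203.0.113.9 fails five
# logins in five seconds, succeeds on the sixth, then fetches a PHP file under
# /uploads/ that the site never published. 198.51.100.7 is an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.9 - - [10/Oct/2017:13:55:01 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.18"
203.0.113.9 - - [10/Oct/2017:13:55:02 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.18"
203.0.113.9 - - [10/Oct/2017:13:55:03 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.18"
203.0.113.9 - - [10/Oct/2017:13:55:04 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.18"
203.0.113.9 - - [10/Oct/2017:13:55:05 +0000] "POST /login HTTP/1.1" 401 512 "-" "python-requests/2.18"
203.0.113.9 - - [10/Oct/2017:13:55:06 +0000] "POST /login HTTP/1.1" 200 2048 "-" "python-requests/2.18"
203.0.113.9 - - [10/Oct/2017:13:55:40 +0000] "GET /uploads/cache.php HTTP/1.1" 200 96 "-" "python-requests/2.18"
198.51.100.7 - - [10/Oct/2017:13:56:10 +0000] "GET / HTTP/1.1" 200 7311 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2017:13:56:12 +0000] "POST /login HTTP/1.1" 401 512 "https://shop.example/" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2017:13:56:30 +0000] "POST /login HTTP/1.1" 200 2048 "https://shop.example/" "Mozilla/5.0"
"""

# Paths the site actually serves; anything else answered with 2xx is suspect.
KNOWN_PATHS: Set[str] = {"/", "/login", "/products", "/checkout"}

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_log(text: str) -> List[dict]:
    """Turn combined-format lines into dicts with a real timestamp and int status.
    Lines that do not match are skipped rather than aborting the whole scan."""
    entries = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def failed_login_bursts(entries: List[dict], login_path: str = "/login",
                        threshold: int = 5,
                        window: timedelta = timedelta(seconds=60)) -> Dict[str, int]:
    """Per source address, the most 401/403 responses to the login path inside any
    sliding window; addresses at or above the threshold are returned."""
    per_ip: Dict[str, List[datetime]] = defaultdict(list)
    for e in entries:
        if e["path"] == login_path and e["status"] in (401, 403):
            per_ip[e["ip"]].append(e["ts"])
    flagged: Dict[str, int] = {}
    for ip, times in per_ip.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def unexpected_successful_paths(entries: List[dict], known: Set[str]) -> List[Tuple[str, str]]:
    """(ip, path) pairs where the server served something you never deployed.
    A 404 for a guessed path is noise; a 200 for one means the file exists."""
    return sorted({(e["ip"], e["path"]) for e in entries
                   if 200 <= e["status"] < 300 and e["path"] not in known})


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(failed_login_bursts(entries))                      # {'203.0.113.9': 5}
    print(unexpected_successful_paths(entries, KNOWN_PATHS))  # [('203.0.113.9', '/uploads/cache.php')]
```

The known-path set is the part that needs maintenance: generate it from the deployed application’s routes or a crawl of the site, not by hand, or every release will page you. Thresholds for login failures depend on how many users share an address (offices behind NAT), so tune them per deployment.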
4. Getting redirected online searches is a bad sign
Some hackers get paid if they can maliciously redirect internet searches to a different website without the user's knowledge.
You'll end up getting blacklisted for unknowingly sending users to malware-infested sites.
And that's not all. Users being re-directed to other sites means lost revenue for your business and damage to your reputation.
5. You can't explain the origin of new browser toolbars
The main source of unwanted toolbars on your web browser is free online software which comes attached with ''crapware''.
Simply put, crapware is a kind of software you don't need in your system and which gets installed against your will.
Crapware is common in pre-installed programs or self-starting applications which alter your search engine settings.
Pro tip: If you suspect your system has been compromised, first preserve the evidence (a disk image and copies of the logs) so the intrusion can be investigated, then restore the system to its last known-good state before proceeding with further safety measures. Wiping first destroys the only record of how the attacker got in.
The current wave of cybercrime we're witnessing is worrying, to say the least.
Security managers, therefore, need a more proactive approach to keep online hacks at bay.
And being on the lookout for these signs is a step in the right direction.
You can connect with us round the clock if you suspect your system has been hacked or is under attack. Keeping your online presence safe is our core business!
Steve E. Driz, I.S.P., ITCP