Cybersecurity Blog
Thought leadership. Threat analysis. Cybersecurity news and alerts.
French Authorities and Avast Take Down One of the World’s Biggest Botnets
French authorities and antivirus solution provider Avast have jointly taken down the Retadup botnet, considered one of the world’s largest botnets, affecting nearly a million computers worldwide. Avast, in a blog post, announced that its collaboration with French authorities resulted in the neutralization of the Retadup botnet, a group of computers infected with malicious software (malware), in this case a malware called “Retadup”, and controlled by an attacker or attackers for malicious activities. As part of its threat intelligence research, Avast said it started closely monitoring the activity of the Retadup malware in March 2019. Avast found that the computers infected with the Retadup malware and forming part of the Retadup botnet were mostly abused to mine the cryptocurrency called “Monero”. In illicit cryptocurrency mining, malicious actors earn cryptocurrency by stealing the computing power of someone else’s computer. In a few cases, Avast observed that Retadup was used to distribute the ransomware called “Stop”, a type of malware purposely created to block legitimate users from a computer system or data until a ransom is paid. In other cases, Avast also observed that Retadup was used to distribute Arkei, a malware that steals passwords. Avast said its research showed that Retadup’s command-and-control (C&C) infrastructure was mostly located in France, and as such it contacted the Cybercrime Fighting Center (C3N) of the French National Gendarmerie. C&C infrastructure refers to a server or servers used to communicate with and remotely control computers compromised by a malware, in this case the Retadup malware. As of late August this year, Avast said that, in collaboration with C3N and with permission from the office of the public prosecutor in France, the Retadup malware was taken down from 850,000 compromised computers, mostly located in Spanish-speaking countries in Latin America.
Retadup History
Retadup malware first appeared in mid-2017, stealing information in Israeli hospitals. According to Trend Micro, the organization that first reported this malware in June 2017, the malware is notable for its propagation and stealth capabilities. Trend Micro said the original Retadup malware infects computers via an executable file that masquerades as another file type, such as a browser shortcut file, a Windows updater or a web 3D creation tool. For example, it is delivered to the vulnerable computer as WinddowsUpdater.zip, mimicking the legitimate updater file, which is WinddowsUpdater.exe. A computer becomes infected with Retadup malware when the file that masquerades as another file type is clicked. According to Trend Micro, it is unclear how these executable files containing the Retadup malware arrive on the victims’ computers. Once inside an infected computer, the malware checks for specific antivirus and analytics tools, and self-destructs when it detects their presence. For information theft, Trend Micro said the original Retadup malware routinely records every keystroke made by a computer user, takes screenshots and extracts passwords from web browsers. The Retadup malware is also a worm, meaning it can spread itself within networks without user interaction. In September 2017, Trend Micro detected a new version of Retadup malware, this time infecting specific industries and governments in South America and controlling the infected computers as a botnet, stealing their computing power to mine the cryptocurrency Monero. As of September 2017, Trend Micro said the malicious actor or actors behind the Retadup botnet had earned 314 Monero coins, worth US$36,000, from the illicit cryptocurrency mining. Since the discovery of the Retadup malware in June 2017, the malware has evolved into different versions.
Most of these versions, however, retain the original features, such as the worm and stealth capabilities. According to Avast, the most recent version of Retadup malware avoids cryptocurrency mining on the infected computers while taskmgr.exe is running, in order to make it harder for users to notice increased CPU usage. With permission from the office of the public prosecutor in France and with the technical assistance of Avast, the Cybercrime Fighting Center of the French National Gendarmerie dismantled the command and control server of the Retadup malware and replaced it with a disinfection server. This disinfection server, Avast said, made it possible to trigger the self-destruction of the Retadup malware on the infected computers forming the Retadup botnet. To date, while the Retadup botnet has been neutralized as a result of the collaboration between the office of the public prosecutor in France, Avast and the Cybercrime Fighting Center of the French National Gendarmerie, the creator or creators of Retadup remain at large, as no arrests have been made as a result of the operation.
Threat Mitigation & Prevention
Botnets are a threat to the online community. As shown by the Retadup botnet, a botnet can wreak havoc via cryptocurrency mining, ransomware and information theft. Other botnets, like the Mirai botnet, have in the past brought down the internet in certain parts of the world via distributed denial-of-service (DDoS) attacks. Here are some cyber security measures to protect your organization’s computers or devices from being infected with malware and made part of a botnet:
When you need help with threat mitigation, audits and prevention, connect with our cybersecurity experts.
How to Find Out If Your Organization’s Resources Are Illicitly Used for Crypto Mining
Ukraine’s National Nuclear Energy Generating Company, also known as Energoatom, the state enterprise operating all four nuclear power plants in Ukraine, disclosed that a recent search carried out inside one of Ukraine’s nuclear power plants revealed that a power plant employee had installed his own computer equipment inside the plant for cryptocurrency mining. This incident shows the danger of employees stealing their employers’ resources for cryptocurrency mining.
What Is Cryptocurrency Mining?
Cryptocurrency mining, also known as crypto mining, is the process of validating transactions so that they can be added to the list of all transactions known as the blockchain. Anyone with a computer and an internet connection can become a cryptocurrency miner. Some cryptocurrencies can be mined using small, low-processing-power computers such as the Raspberry Pi. Other cryptocurrencies, such as Bitcoin, can only be mined using specialized computers with high computing power. In exchange for the computing power and electricity used for mining, miners are rewarded with cryptocurrency. As cryptocurrency mining is power-hungry, especially for the top cryptocurrencies like Bitcoin, the high electricity bill is one of the main obstacles that keep many from venturing into this field. To get around this electricity-bill hurdle, malicious actors illicitly steal power from their employers and even from strangers. Aside from stealing electricity, malicious actors also steal from employers or strangers the computing power of machines that can process a significant amount of data faster than ordinary computers. The illicit theft of electricity at one of Ukraine’s nuclear power plants isn’t the first time that an employee has been caught stealing an employer’s resources for cryptocurrency mining.
In February 2018, nuclear weapons engineers at the All-Russian Research Institute of Experimental Physics were arrested for mining cryptocurrencies at the workplace. Unlike the cryptocurrency mining at one of Ukraine’s nuclear power plants, which only stole the plant’s electricity since the accused installed his own computer equipment, the crypto mining incident at the All-Russian Research Institute of Experimental Physics used not only the facility’s electricity but the office computer as well. Tatyana Zalesskaya, head of the research institute’s press service, confirmed to Interfax that there had been an unauthorized attempt to use the institute’s “computing power for personal purposes, including for the so-called mining”.
Cryptojacking
Employees aren’t the only ones interested in your organization’s computing power for crypto mining; unknown external attackers are also after it. Attackers steal computing power in a process called “cryptojacking”. In cryptojacking, malicious actors, who could be either insiders or outsiders, install crypto mining software on vulnerable systems, including websites, operating systems or public cloud accounts, in order to earn cryptocurrency. In February 2018, researchers at RedLock reported that Tesla had been a victim of cryptojacking. “The hackers had infiltrated Tesla’s Kubernetes console which was not password protected,” researchers at RedLock said. “Within one Kubernetes pod, access credentials were exposed to Tesla’s AWS environment which contained an Amazon S3 (Amazon Simple Storage Service) bucket that had sensitive data such as telemetry. In addition to the data exposure, hackers were performing crypto mining from within one of Tesla’s Kubernetes pods.”
Prevalence
In May this year, researchers at Guardicore Labs reported that over 50,000 servers belonging to companies in the healthcare, telecommunications, media and IT sectors were compromised for crypto mining.
Illicit crypto mining isn’t only a threat to large organizations or businesses. This type of attack also threatens small and medium-sized organizations. In late 2018, a school principal in China was fired after stealing the school’s electricity to mine cryptocurrency. The South China Morning Post reported that the fired school principal deployed 8 computers inside the school to mine the cryptocurrency Ethereum for about a year, racking up an electricity bill of 14,700 yuan, equivalent to US$2,120.
Ways to Monitor Crypto Mining and Preventive Measures
Here are some security measures to monitor crypto mining activities within your organization’s premises, and ways to prevent this threat from occurring in your organization:
An unusual increase in the electricity bill is a sign that computers operating within your organization’s premises are being used for cryptocurrency mining.
Computers used for cryptocurrency mining, running up your organization’s electricity bill, could be lurking somewhere on your organization’s premises.
If your organization’s computers are running slower than usual, this could be a sign that they are being used for illicit cryptocurrency mining.
Malicious actors have in recent months learned to be stealthy in their cryptojacking activities, such as by mining only cryptocurrencies that use less computing power and electricity, to deflect suspicion. For instance, the cryptojacking incident that compromised 50,000 servers, reported by Guardicore Labs in May this year, mined a relatively new cryptocurrency called “Turtlecoin”, which can be mined even on small, low-processing-power computers such as the Raspberry Pi. Monitoring network traffic is one way of discovering this type of stealthy cryptojacking activity. Access to your organization's network from unknown locations and during non-working hours is a telltale sign of a network compromise and possible illicit cryptocurrency mining. Lastly, practice basic cyber hygiene, such as keeping your organization’s operating systems up to date and using multi-factor authentication as a gatekeeper to these computers and servers. In many cases, computers and servers are compromised for illicit cryptocurrency mining through the mere failure to apply the latest security update, the use of weak login details and the lack of multi-factor authentication. When you need help, contact our team of experts to mitigate the cybersecurity risks for your organization.
Threat Actors Continue to Target Websites
The European Central Bank (ECB) shut down one of its websites following the discovery that malicious actors had accessed the site without authority and infected it with malicious software (malware). This incident shows that threat actors continue to target websites. ECB, in a statement, said that unauthorized parties had breached the Bank’s Integrated Reporting Dictionary (BIRD) website, a site purposely built to provide the banking industry with details on how to produce statistical and supervisory reports. The Bank said that contact data, including email addresses, names and position titles of 481 subscribers to the BIRD newsletter, may have been stolen by the attackers.
ECB, in a statement, said that the attack on the BIRD website was discovered during “regular maintenance work”. An ECB spokesman told Reuters that the earliest evidence found of the website attack dated back to December 2018, which means that the attack had gone unnoticed for months before being discovered during maintenance work. This isn’t the first time that ECB has reported an attack on its IT infrastructure. In 2014, ECB disclosed that an unknown attacker or attackers had breached another of the Bank’s websites, one used for registrations for events of the Bank such as conferences and visits. The 2014 website attack, the Bank said, led to the theft of email addresses and other contact data left by individuals registering for events at the ECB. This 2014 attack on one of the Bank’s websites only became known after an anonymous email was sent to the Bank asking for financial compensation in exchange for the stolen data.
Injection Attacks
In the latest attack on one of its websites, ECB said the attackers “succeeded in injecting malware onto the external server to aid phishing activities”. In the 2014 attack, ECB said the malicious actor or actors attacked a “database serving its public website”. Beyond those phrases, not much is known about the “injection” and “database” attacks. The Open Web Application Security Project (OWASP) lists injection attacks as the number one threat to web security. Injection attacks refer to a broad class of attack paths that allow attackers to gain access to the database records of vulnerable websites. In certain cases, this type of attack allows attackers to gain administrative rights to a database. One example of an injection attack is the SQL injection, also known as SQLi, attack. SQL, which stands for Structured Query Language, is a programming language understood by databases.
By inserting malicious commands in this language into input fields on websites, such as input forms, attackers can gain access to the database records of vulnerable websites, resulting in unauthorized access to any data available in the database. In late 2007 and early 2008, thousands of websites were defaced as a result of SQL injection attacks. According to researchers at Microsoft, these particular SQL injection attacks didn’t exploit vulnerabilities in Windows, IIS, SQL Server or other infrastructure code; rather, they exploited vulnerabilities in custom web applications running on this infrastructure. Thousands of websites were affected due to 2 factors: first, there was an automated tool to launch this attack, and second, this SQL attack tool spread through the use of a botnet. SANS reported that thousands of websites were compromised in late 2007 and early 2008 as the attacker or attackers used an automated tool, relying on search engines, to find vulnerable web applications and exploit them. “The exploit just consisted of an SQL statement that tried to inject a script tag into every HTML page on the web site,” SANS reported. SecureWorks, meanwhile, reported that the automated SQL attack tool spread to thousands of websites because the attackers relied on a botnet, a group of computers or devices infected by the same malware and controlled by an attacker for malicious purposes, in this case spreading the SQL attack tool. Other than using SQL injection to attack websites indiscriminately with an automated tool and a botnet, SQL injection has also been used by attackers in targeted attacks. According to the U.S. Federal Bureau of Investigation (FBI), a malicious group obtained confidential information from Sony Pictures’ computer systems between May 27, 2011 and June 2, 2011 using an SQL injection attack against Sony Pictures’ website.
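The mechanism described above, shown as an added example written for this article (not code from any of the incidents discussed): the same username lookup built by pasting the form field into the SQL text, beside the parameterised version that binds it as a value. The table and its three rows are constructed.

```python
import sqlite3

# Constructed sample table for the demonstration; not data from any real site.
SAMPLE_USERS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
    ("carol", "carol@example.test"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)", SAMPLE_USERS
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """VULNERABLE: the form field value is pasted into the SQL text.

    Whatever the user typed becomes part of the statement, so quote characters
    and SQL keywords in the input change what the database executes.
    """
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """HARDENED: the same lookup as a parameterised (prepared) query.

    The statement text is fixed; the driver binds the input as a value, so the
    input can never alter the structure of the query, however it is written.
    """
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def compare(username: str) -> tuple:
    """Return (row count from the vulnerable lookup, row count from the safe one)."""
    conn = make_db()
    try:
        return len(lookup_vulnerable(conn, username)), len(lookup_safe(conn, username))
    finally:
        conn.close()


def vulnerable_lookup_errors(username: str) -> bool:
    """True if the vulnerable lookup cannot even run for this input.

    A legitimate name containing an apostrophe breaks the pasted-together SQL,
    which is why such inputs show up as errors in server logs; the parameterised
    lookup handles the same name without trouble.
    """
    conn = make_db()
    try:
        lookup_vulnerable(conn, username)
        return False
    except sqlite3.OperationalError:
        return True
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal username behaves the same either way.
    print("bob         ->", compare("bob"))
    # Input that closes the quote and appends an always-true condition turns
    # the vulnerable query into WHERE username = '' OR '1'='1' and returns every
    # row; the parameterised query simply finds no user with that literal name.
    print("' OR '1'='1 ->", compare("' OR '1'='1"))
    print("O'Brien breaks vulnerable lookup:", vulnerable_lookup_errors("O'Brien"))
```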
According to the UK's Information Commissioner's Office, SQL injection was also used in the TalkTalk cyber attack on the company’s website. As a result of the SQL injection attack on TalkTalk’s website, the personal details of 156,959 customers, including their names, addresses, dates of birth, phone numbers and email addresses, were stolen. The attacker also stole the bank account numbers and sort codes of 15,656 TalkTalk customers.
Prevention
As shown by the above-mentioned examples, injection attacks on websites are highly detrimental to the affected organizations. Loss of customer trust is one potential cost of an SQL injection attack should personally identifiable information such as full names, addresses and credit card details be stolen. One of the cyber security measures to prevent injection attacks such as SQL injection is the use of a web application firewall (WAF). A WAF is often used to filter out injection attacks such as SQL injection attacks. To filter out SQL injection attacks, a WAF uses a list of signatures that address specific attack vectors. This list is regularly updated to provide new filtering rules for newly discovered security vulnerabilities. At The Driz Group, we specialize in protecting your websites and web applications with instant attack mitigation and guaranteed DDoS protection. We support all deployment types, including cloud and on-premise. Setup takes several minutes and there is nothing to buy, support or maintain. Connect with us today for a free consultation and protect your websites, web applications, online reputation and mission-critical data.
What Are the Biggest Mobile Cybersecurity Threats Every Business Must Know?
How many times a day do you Google something on your smartphone? It’s second nature now. Any questions you have, any movie stars you want to look up, any local restaurants you want to check out — just grab your phone and ask.
And with more than half of worldwide internet traffic originating from phones, the popularity of mobile search shows no sign of slowing down, particularly for businesses. The ease, speed and convenience of mobile internet mean employees can access work documents, data and software at any time. But accessing business accounts and data via your mobile device opens you up to cybersecurity threats, just like browsing on a computer. So, what are the biggest mobile cybersecurity threats every business must know?
Malware Lurking in Websites and Apps
It’s easy to assume malware is a risk only to employees going online via their desktop or laptop computers, not mobile devices. But that’s just not the case. Malware can infect a smartphone just as it would bigger hardware and cause serious problems. Mobile malware typically attacks smartphones through web pages, attachments or apps primed to unleash infections. Clicking a link in an email, downloading a program or installing an app could put your business’s data in danger within seconds. It’s a simple mistake to make, especially for non-tech-savvy employees. Infected apps may access your smartphone’s data storage, memory, internal processes and other apps. They may even run in the background without being noticed by the user, gathering information and sharing it with whoever created them.
Hands-on Device Theft
One of the most obvious and damaging cybersecurity risks is theft. And we mean physical theft: having a phone or tablet stolen by a mugger or opportunistic criminal. It’s not hard to imagine how this might happen. An employee is out enjoying the sunshine on their lunch break, maybe sitting in the park or outside a cafe. They put their phone down for a moment to grab a drink or open their bag. When they look back up, the phone is gone. This takes just seconds but can have devastating results. A hacker would be able to bypass a pin or password and get into the owner’s accounts with ease.
They could access your business’s emails, banking and communications in next to no time. Scary, isn’t it? That’s why it’s so vital that all employees take good care of their company and personal phones. Any device with data relating to the business should be secured with a pin or password, as well as additional security measures (such as facial recognition and fingerprint scanning). Encourage all staff to stay vigilant and aware. If their phone is stolen, they have to report it fast: the sooner they raise the alarm, the sooner action can be taken to protect data in the cloud.
Unsecured Wi-Fi Networks
Free, public Wi-Fi is great. Employees can take their phone or tablet to the local coffee shop and do a little work outside the office for a change of scenery. The Wi-Fi is thrown in free when you buy a drink or snack, so there’s no reason to lose momentum. But free Wi-Fi networks tend to be unsecured. And that makes anyone using them vulnerable to cybersecurity risks. Any social media interactions, emails, writing, calls and more may be available to hackers. This is why employees must be careful when accessing Wi-Fi networks beyond their own or your business’s. If they need to wait until they’re back in the office to finish a task or make a call, a slight delay is far better than the alternative. And this leads us nicely on to …
The Threat of Network Spoofing
Free, public Wi-Fi networks may pose a threat, but network spoofing is much more dangerous. This involves hackers creating fake access points designed to look like legitimate Wi-Fi connections. You might see them appear in a list of Wi-Fi networks when you visit a coffee shop, bar, airport etc. Cybercriminals give their fake networks believable names (‘Coffee Place’, ‘Airport Open Wi-Fi’ etc.) to entice oblivious users. They might ask you to set up an account before giving you access or just let you dive right in.
One big hazard is that employees might use their standard username and password to create accounts with fake networks. And that means cybercriminals would be able to get into emails, banking accounts and anything else protected by the same details. The entire business’s and clients’ data could be in danger because of a simple mistake.
Taking Action to Minimize Your Business’s Vulnerability
Every company wants to be safe against cybersecurity risks. Every company wants to trust its employees to handle accounts and data in a responsible way. But it’s not so simple. Cybercriminals use ever-more-sophisticated techniques and tools to target businesses. Employees need to be made aware of the threats they face when they’re online across all devices. Effective training is key to helping your workforce exercise caution and stay vigilant whenever they’re working or communicating on their smartphone or tablet. And make sure any company phones you hand out have been checked and utilize strict security safeguards to keep them protected. Don’t try to handle all of your cybersecurity in-house either, especially if your business is brand new and you have little to no experience with managing data. Clients expect you to keep their information confidential and safe against leaks — if you don’t, your reputation could take a serious hit. Work with cybersecurity specialists to assess your vulnerability and take action to defend your data. The Driz Group’s experts are here to:
Want to learn more about our managed services and how they help companies just like yours every single day? Just get in touch with our dedicated team right now!
Decade-Old Vulnerability Found in Avaya VoIP Phones
Researchers at McAfee Advanced Threat Research have discovered a decade-old security vulnerability lurking in the Voice over Internet Protocol (VoIP) phones of Avaya, the world’s second largest VoIP phone provider. The decade-old vulnerability present in Avaya VoIP phones, specifically the 9600 Series, J100 Series and B189 Series using the H.323 firmware, according to researchers at McAfee Advanced Threat Research, allows remote code execution (RCE), enabling an attacker to access someone else's device and make changes to it, regardless of where the device is geographically located. The piece of open-source software containing the RCE vulnerability, the researchers said, was likely copied and modified by Avaya 10 years ago, and the company failed to apply subsequent security patches. The researchers added that a malicious actor exploiting the said vulnerability could take over the normal operation of the phone, copy audio from the speakerphone and “bug” the phone. The piece of open-source software that Avaya copied bore a 2004-2007 copyright, which according to the researchers is a “big red flag”, as this piece of software has an exploit that has been publicly available since 2009. The 2009 exploit demonstrated that devices using DHCP client version 4.1 and below allow remote DHCP servers to execute arbitrary code. A DHCP client, also known as dhclient, is a device that needs an IP address, while a DHCP server hands out IP addresses to DHCP clients. Researchers at McAfee Advanced Threat Research found that the Avaya VoIP phones’ version of dhclient is vulnerable to the exploit reported in 2009. The researchers said that malicious actors could build a “weaponized version” of the exploit and threaten private networks. The researchers reported their discovery to Avaya.
In June this year, Avaya issued a patch for the affected VoIP phones.
VoIP Phones as a Path to Intrusion
Early this month, researchers at Microsoft Threat Intelligence Center reported that VoIP phones are among the devices being used by a known cyber adversary to gain initial access to corporate networks. Aside from VoIP phones, the researchers said, popular office IoT devices such as printers and video decoders are also being used by this known cyber adversary to gain an initial foothold in corporate networks. Researchers at Microsoft Threat Intelligence Center, however, didn’t specify the brands of VoIP phone, office printer and video decoder. These office devices, according to the researchers, were compromised either because they were deployed without changing the manufacturer’s default login details or because the latest security update hadn’t been applied. According to Microsoft Threat Intelligence Center researchers, the known cyber adversary used these 3 popular office IoT devices as points of ingress in gaining an initial foothold in a corporate network. Once inside a corporate network via these compromised IoT devices, the attacker was seen conducting a simple network scan to look for other vulnerable devices. As the attacker moved from one vulnerable device to another, a simple shell script was dropped to establish persistence on the network. This simple shell script allowed the attacker to search for higher-privileged accounts that would grant access to higher-value data, the researchers at Microsoft Threat Intelligence Center found.
Botnets
Aside from using popular office IoT devices as points of ingress to access high-value data, these compromised devices are also used to build a botnet, a group of devices infected with malicious software (malware) and controlled by an attacker or attackers for malicious activities, including distributed denial-of-service (DDoS) attacks.
In a DDoS attack, a botnet or group of infected devices is directed to send its traffic to a target, overwhelming the target with more traffic than it can handle, ultimately bringing the target offline and rendering it inaccessible to its legitimate customers. VPNFilter is an example of a botnet. At its peak, VPNFilter infected at least 500,000 networking devices in at least 54 countries. The following devices were affected by VPNFilter: Linksys, MikroTik, NETGEAR and TP-Link networking equipment in the small and home office (SOHO) space, as well as QNAP network-attached storage (NAS) devices. According to researchers at Cisco, VPNFilter has a self-destruct capability that can be triggered en masse via the botnet structure and has the potential to cut off internet access for hundreds of thousands of users worldwide. The researchers are unsure why so many devices were infected with VPNFilter. Most of the infected devices, however, have known public exploits or had the manufacturer’s default login details left unchanged. In May 2018, the potential negative effect of VPNFilter was mitigated when the U.S. Federal Bureau of Investigation (FBI) seized a domain used as command and control (C2) by the threat group in their botnet campaign. In a botnet operation, the C2 (which could be a website or a public cloud account) is used to communicate with or control the infected devices. The devastating effect of a botnet was shown to the world when the Mirai botnet attacked Dyn, a major dynamic DNS provider, in 2016, resulting in widespread internet outages across the U.S. and Europe. The earlier versions of Mirai, including the one that attacked Dyn, infected hundreds of thousands of wireless cameras and routers and turned them into a botnet. Since the publication of the Mirai source code in 2016, a number of Mirai versions have been observed in the wild.
Researchers at Palo Alto Networks discovered a different version of Mirai that targeted WePresent WiPG-1000 Wireless Presentation systems and LG Supersign TVs, IoT devices that are often used by businesses. Many of the Mirai variants infect IoT devices by exploiting the practice of users not changing the manufacturer’s default login details.
Prevention
Today’s IoT devices outnumber the combined number of personal computers and mobile phones. Hundreds of thousands, if not millions, of these IoT devices are, however, left without basic management. Changing the manufacturer’s default login details and applying the latest security update are two cyber security best practices that prevent malicious actors from accessing your organization’s network. These practices also stop your organization’s IoT devices from being used as part of a botnet for malicious activities such as DDoS attacks.
8/4/2019 Capital One Data Breach Aftermath: 3 Cyber Threats that Every Organization Should be Mindful
The data breach at Capital One Financial Corporation, which affected approximately 100 million individuals in the U.S. and approximately 6 million in Canada, throws light on 3 cyber threats that every organization using the public cloud should be mindful of: account takeover attacks, attacks on misconfigured web application firewalls (WAFs) and Server-Side Request Forgery (SSRF) attacks. Large enterprises like Capital One build their own web applications on top of Amazon’s cloud services to meet their specific needs. Amazon told the New York Times it had found no evidence of compromise on its underlying cloud services. The company added that its customers fully control the web applications they build. Last July 29th, the U.S. Department of Justice arrested a Seattle resident for the intrusion into the stored data of Capital One.
The arrest of the Seattle resident came as an offshoot of an email sent to Capital One’s official responsible-disclosure email address. The tipster wrote that someone’s GitHub account was exposing data that appeared to belong to Capital One. In the indictment document, Joel Martini, Special Agent at the U.S. Federal Bureau of Investigation (FBI), stated that the exposed data was verified to belong to Capital One and the GitHub account was traced to the accused Seattle resident, who goes by the handle “erratic” on her Twitter and Slack accounts. A review of June 26, 2019 Slack postings, FBI Special Agent Martini said, showed that Erratic claimed to be in possession of files belonging to several companies, government entities and educational institutions, and one of these files was associated with Capital One. Capital One, in a statement, said that it had fixed the “configuration vulnerability” that was exploited in the data breach. Publicly available data and new information, however, show that more than one cyber threat was exploited in the Capital One data breach.
1. Account Takeover
Account takeover refers to accessing someone else’s online account for malicious purposes. In the indictment, FBI Special Agent Martini stated that the file publicly exposed by Erratic in her GitHub account contained a list of more than 700 folders and code for three commands. The first command, when executed, provides login details for an account that enabled access to certain storage space of Capital One at Amazon’s cloud service. The said account, which had the necessary permissions, was used to extract or copy Capital One’s data. The indictment didn’t mention how the accused got hold of the login details of the account used to access Capital One’s data.
2. Misconfigured Web Application Firewall (WAF)
A web application firewall (WAF) filters, monitors and blocks traffic between a web application and the internet.
A properly configured WAF blacklists and/or whitelists traffic to and from a web application. A WAF that operates on a blacklist, also known as the negative security model, blocks traffic that matches predetermined bad patterns. A WAF that operates on a whitelist, also known as the positive security model, grants entry only to traffic that has been pre-approved. Many of today's WAFs implement both the negative security model and the positive security model. A typical WAF also protects web applications from attacks such as SQL injection and other common attacks against web applications. In the indictment document, FBI Special Agent Martini stated that the data breach at Capital One was a result of a misconfigured WAF. Capital One's logs show a number of connections or attempted connections from IP addresses beginning with 46.246. Specifically, on or about March 12, 2019, Capital One's logs show an IP address beginning with 46.246 attempted to access Capital One's cloud data. Publicly available records show that this IP address is controlled by a company that provides VPN services. Capital One's logs also show IP addresses believed to be TOR exit nodes accessed Capital One's cloud data on or about March 22, 2019. A properly configured WAF could have blacklisted IP addresses such as those belonging to the known VPN company. Conversely, a properly configured WAF could have whitelisted only the IP address or addresses used by authorized personnel of Capital One. Malicious actors, however, are continually finding creative means of breaking into web applications that are shielded by properly configured WAFs.

3. Server-Side Request Forgery (SSRF) Vulnerability
New information has recently been made public about the Capital One data breach.
Based on new data, including information from one who is privy to details of the ongoing Capital One breach investigation, during the attack period Capital One used ModSecurity, an open-source WAF that's deployed along with the open-source Apache web server. The new report said that a Server-Side Request Forgery (SSRF) vulnerability was exploited in the Capital One data breach. While ModSecurity protects web applications against many common attack categories, it doesn't protect against SSRF. MITRE describes SSRF in this manner: "The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. By providing URLs to unexpected hosts or ports, attackers can make it appear that the server is sending the request, possibly bypassing access controls such as firewalls that prevent the attackers from accessing the URLs directly."

Prevention
In the case of the Capital One data breach, one can't say which of the attack methods – account takeover, attack on a misconfigured WAF or Server-Side Request Forgery (SSRF) – played the biggest role in the data breach. These 3 types of threats have their own specific preventive and mitigating measures that every organization using the public cloud should be mindful of. When you need to safeguard your cloud applications, our web application security expert will design the right-sized solution and will mitigate common risks within minutes. Contact us today and avoid a major breach.
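Because a WAF such as ModSecurity does not cover SSRF, the destination check has to live in the application itself. The following is an added example, not Capital One's code and not part of ModSecurity: before a server-side fetch of a user-supplied URL it pins the scheme and port, allowlists the host, and rejects any host that resolves to a non-public address. The hostnames, the allowlist and the DNS answers (`FAKE_DNS`) are constructed so the example runs offline.

```python
"""Destination validation for a server-side URL fetch (SSRF mitigation).

Added example; it is not Capital One's application code and not part of
ModSecurity. The check pins the scheme and port, allowlists the host, and
confirms that every address the host resolves to is public before the
caller connects. The resolver is injectable so the example runs offline
against constructed DNS answers.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allowlist of the only upstream hosts this service may fetch from.
ALLOWED_HOSTS = {"images.partner.example", "feeds.partner.example"}
ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {443}


class UnsafeDestination(ValueError):
    """Raised when a URL must not be fetched server-side."""


def is_public_address(ip):
    """True only for globally routable unicast addresses. IPv4-mapped IPv6
    addresses are unwrapped first so ::ffff:10.0.0.7 is judged as 10.0.0.7."""
    ip = ipaddress.ip_address(ip)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_global and not ip.is_multicast and not ip.is_loopback
            and not ip.is_link_local and not ip.is_private
            and not ip.is_reserved and not ip.is_unspecified)


def validate_fetch_url(url, resolver=socket.getaddrinfo):
    """Return (host, [ip, ...]) the caller may connect to, else raise UnsafeDestination.

    Connect to one of the returned IPs (setting the Host header yourself) rather
    than re-resolving the name, so a DNS answer that changes between check and
    use cannot redirect the request elsewhere."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeDestination(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise UnsafeDestination("credentials in URL not allowed")
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        raise UnsafeDestination(f"host not allowlisted: {host!r}")
    port = parts.port or 443
    if port not in ALLOWED_PORTS:
        raise UnsafeDestination(f"port not allowed: {port}")
    try:
        infos = resolver(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        raise UnsafeDestination(f"cannot resolve {host!r}") from exc
    ips = []
    for _family, _type, _proto, _canon, sockaddr in infos:
        ip = sockaddr[0]
        # One internal answer among several is enough to refuse the whole host.
        if not is_public_address(ip):
            raise UnsafeDestination(f"{host!r} resolves to non-public {ip}")
        ips.append(ip)
    if not ips:
        raise UnsafeDestination(f"{host!r} has no addresses")
    return host, ips


def fetch_allowed(url, resolver=socket.getaddrinfo):
    """Boolean convenience wrapper around validate_fetch_url."""
    try:
        validate_fetch_url(url, resolver=resolver)
    except UnsafeDestination:
        return False
    return True


# Constructed stand-in for DNS so the example runs offline. The 51.100.200.x
# addresses are placeholders for public addresses; 10.0.0.7 is an internal one.
FAKE_DNS = {
    "images.partner.example": ["51.100.200.10"],
    "feeds.partner.example": ["51.100.200.11", "10.0.0.7"],
}


def fake_resolver(host, port, **_kwargs):
    """getaddrinfo-shaped lookup over the constructed FAKE_DNS table."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed NXDOMAIN for {host}")
    return [(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP, "", (a, port))
            for a in FAKE_DNS[host]]
```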
How to Prevent Account Takeover Attacks
Account takeover attacks – accessing someone else's online account for malicious purposes – continue to be one of the fastest-growing security threats faced by organizations today. Account takeover happens as a result of inadvertently exposing account login details or through malicious account takeover via botnets. The takeover of an account owned by SSL certificate issuer Comodo is an example of account takeover resulting from inadvertently exposed login details. Netherlands-based security researcher Jelle Ursem told TechCrunch that Comodo's email address and password were inadvertently left exposed in a public GitHub repository owned by a Comodo software developer. This enabled Ursem to log in to Comodo's Microsoft-hosted cloud services containing sensitive information of the company. The said account wasn't protected with two-factor authentication. Ursem said he contacted Comodo about the exposed account. When contacted by TechCrunch, Comodo said, "The data accessed was not manipulated in any way and within hours of being notified by the researcher, the account was locked down." Ursem, however, told TechCrunch, "This account has already been hacked by somebody else, who has been sending out spam."

Account Takeover Botnets
While many malicious actors are opportunistic, that is, many abuse inadvertently exposed account login details, many just don't wait for these opportunities to come. Many of today's malicious actors are aggressively taking over accounts through botnets. In the Sixth Annual Fraud Attack Index, Forter found that there had been a 45% increase in account takeover attacks by the end of 2018 compared to the beginning of 2017. One of the means by which malicious actors perpetrated account takeover attacks is through bots, Forter found.
"Fraudsters often try to hide their activities behind these devices [bots], flying under the radar of detection for most legacy fraud prevention systems, which are simply not equipped with sophisticated enough technology to pick up on the nuances of these behavioural indicators and the personas hiding behind them," Forter said. Botnet, also known as bot, refers to a group of computers infected with malicious software (malware) that allows an attacker to control this group of infected computers as one army for malicious activities. Many of these botnets have been used by attackers as an army for distributed denial-of-service (DDoS) attacks and illicit cryptocurrency mining. Malicious actors are increasingly using these botnets for account takeover attacks. An account takeover botnet works by installing credential-cracking malware on compromised computers. These infected computers are then controlled by an attacker or attackers to log in to an account on a banking site, social network or email service. Once the correct username and password combination is cracked, the account taken over is then used by attackers to steal money (in the case of a banking site), steal confidential information such as credit card details, or purchase goods and services. Between April 7th and April 22nd this year, Imperva observed account takeover attacks carried out by a botnet composed of an enslaved army of 2,500 infected computers – with a corresponding 2,500 IPs overall – that attacked more than 300 sites while active. Each day during the attack period, 800 IPs were actively attacking 30 sites with 150,000 login attempts, Imperva found.
From the victim site's perspective, each site was attacked for 7 hours by 500 IPs sending 7,000 login attempts with 7,000 different login details (usernames and passwords); and from a single site's perspective, each botnet-controlled IP was responsible for approximately 14 login attempts during the attack time, or approximately 2 login attempts per hour, Imperva found. The above-mentioned method of attack is called a "low and slow" attack, whereby the botnet enslaves a lot of computers, each sending only a small number of requests, to disguise the attack as legitimate traffic. Distributing the account takeover attempts across many infected computers or IP addresses lets these attacks go undetected. The usernames and passwords used in the login attempts for account takeover attacks often come from credential cracking and credential stuffing. In credential cracking, every word in the dictionary is tried to crack the correct username and password combination. In credential stuffing, the attackers exploit users' tendency to reuse passwords across multiple sites. Credential stuffing was cited by StubHub as the reason why a "small number" of users' accounts had been illegally taken over by fraudsters. In the StubHub case, attackers illegally took over 1,000 StubHub users' accounts and used these compromised accounts to buy thousands of high-value tickets, including tickets to Justin Timberlake and Elton John concerts, Yankees baseball games, U.S. Open tennis matches and Broadway shows. The account takeover attackers then resold these tickets for a profit of more than a million dollars.

Prevention
Traditional security solutions have proven to be ineffective against "low and slow" account takeover attacks using botnets. By using account takeover botnets, malicious actors spread the attack across thousands of compromised computers or IPs, allowing it to go undetected for a long period of time.
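The "low and slow" pattern described above is designed to stay under per-IP rate limits, so detection has to aggregate per site. The following is an added example, not code from the article or from Imperva: it builds a constructed login log (figures scaled down from Imperva's, with roughly 2 attempts per hour per IP) and shows that a per-IP rate limit raises nothing while a per-site check on failed logins, distinct IPs and distinct usernames within a window flags the campaign. The log format and the `shop.example` site are hypothetical.

```python
"""Detecting a distributed "low and slow" account takeover campaign.

Added example, not from the article or from Imperva. It builds a small
constructed login log (figures scaled down from the article's) and
contrasts a per-IP rate limit, which the campaign is designed to stay
under, with a per-site aggregate check that catches it.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, hypothetical log format: "<iso-timestamp> <site> <ip> <username> <result>"
SITE = "shop.example"


def build_sample_log():
    """One hour of traffic at one site: 40 botnet IPs (TEST-NET-3 addresses) each
    make 2 failed logins with different usernames, i.e. about 2 attempts per hour
    per IP as in the article; 5 legitimate users each mistype once, then succeed."""
    start = datetime(2019, 4, 10, 9, 0, 0)
    lines = []
    for i in range(40):
        ip = f"203.0.113.{i + 1}"
        for j in range(2):
            ts = start + timedelta(seconds=45 * i + 1500 * j)
            lines.append(f"{ts.isoformat()} {SITE} {ip} victim{2 * i + j} FAIL")
    for i in range(5):
        ip = f"198.51.100.{i + 1}"
        ts = start + timedelta(seconds=600 * i)
        lines.append(f"{ts.isoformat()} {SITE} {ip} alice{i} FAIL")
        ts += timedelta(seconds=20)
        lines.append(f"{ts.isoformat()} {SITE} {ip} alice{i} OK")
    return sorted(lines)


def parse(line):
    ts, site, ip, user, result = line.split()
    return datetime.fromisoformat(ts), site, ip, user, result


def per_ip_rate_alerts(lines, window=timedelta(hours=1), max_attempts=5):
    """Legacy control: flag any IP with more than max_attempts within a window."""
    stamps_by_ip = defaultdict(list)
    for ts, _, ip, _, _ in map(parse, lines):
        stamps_by_ip[ip].append(ts)
    flagged = []
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        for i, t0 in enumerate(stamps):
            if sum(1 for t in stamps[i:] if t - t0 < window) > max_attempts:
                flagged.append(ip)
                break
    return sorted(flagged)


def per_site_campaign_alerts(lines, window=timedelta(hours=1),
                             min_failures=50, min_ips=20, min_user_ratio=0.8):
    """Aggregate control: within a window a site sees many failed logins, from
    many different IPs, almost all against different usernames. Each IP alone
    looks harmless; together they look like credential cracking or stuffing."""
    by_site = defaultdict(list)
    for rec in map(parse, lines):
        by_site[rec[1]].append(rec)
    alerts = {}
    for site, recs in by_site.items():
        recs.sort()
        for i, rec0 in enumerate(recs):
            bucket = [r for r in recs[i:] if r[0] - rec0[0] < window]
            failures = [r for r in bucket if r[4] == "FAIL"]
            if len(failures) < min_failures:
                continue
            ips = {r[2] for r in failures}
            users = {r[3] for r in failures}
            if len(ips) >= min_ips and len(users) / len(failures) >= min_user_ratio:
                alerts[site] = {"failures": len(failures), "ips": len(ips),
                                "distinct_users": len(users)}
                break
    return alerts


if __name__ == "__main__":
    log = build_sample_log()
    print("per-IP alerts:", per_ip_rate_alerts(log))          # []
    print("per-site alerts:", per_site_campaign_alerts(log))  # shop.example flagged
```

The thresholds are illustrative; in production they would be tuned per site against its normal failed-login baseline.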
Choosing a strong username and password combination by eliminating the use of dictionary words, using a unique username and password combination for every account and using multi-factor authentication are some of the best cyber security practices for preventing account takeover attacks. Malicious actors, however, are always finding creative ways to crack those unique and strong usernames and passwords and even multi-factor authentication. An automated security solution that monitors abnormal access to these accounts is one of the mitigating measures against account takeover attacks. When you need help minimizing cybersecurity risks, our team of experts will answer the questions you have and will help you protect your data. Contact us today.

The Importance of Facing Up to Cybersecurity Risks
A cybersecurity emergency has been declared across Louisiana, USA, after three public school districts were struck by a malware attack. The cybersecurity danger hit Sabine, Morehouse and Ouachita, in North Louisiana, causing widespread concern. The Governor's Office of Homeland Security and Emergency Preparedness quickly put its crisis action team into motion to handle the attack. Sabine School District issued a statement addressing the nature of the cybersecurity breach and its actions to fix it: "The Sabine Parish School System was hit with an electronic virus [...] this virus has disabled some of our technology systems and our central office phone system." According to the principal of Sabine Parish's Florien High School, a ransomware virus had infiltrated their system and caused disruptions. The alarm was raised when the school's technology supervisor noticed 'unusually high bandwidth usage'. Fortunately, Jones believes no sensitive information was exposed during the attack, though everything stored on the School District's servers was lost. This amounts to documents from across 17 years of Jones's hard work, including schedules, speeches and more.
Taking Action, Addressing Issues Fast
While this is certainly a challenging situation for the three school districts, it appears the end result is nowhere near as terrible as it could have been. It's clear everyone involved took decisive action when the suspicious activity was noticed, and the proper authorities were informed. Plans for future protection and security measures are, apparently, being devised by state officials (in coordination with the FBI). But this case indicates just how important it is to face up to cybersecurity risks and take proper action to minimize the threat to systems. Simply hoping hackers will miss or choose to ignore your business, organization, school etc. is not enough. Implementing effective defenses is the best way to safeguard your critical data, client information and financial details. If any of these, or other types of vital data, become exposed by nefarious individuals, the clean-up could be a long, time-consuming, difficult process. The worst thing you can do in the event of a breach is sweep it under the carpet and try to contain any damage without raising the alarm. Those involved in the Louisiana case alerted the proper parties and are dealing with the situation as best they can. Yes, acknowledging that a cybersecurity attack took place does have the potential to affect your reputation and the trust people place in you. Yet it's far better to be transparent and admit your cybersecurity measures may not have been quite as effective as they should be than to lie.

The Problem of Ransomware and Preparing Your Team
Ransomware is, as our regular readers may know, a common choice of cyberattack for hackers. The Louisiana case is just one example of many. The first ransomware was distributed by a biologist (Dr. Joseph Popp) in 1991: he sent floppy disks containing the PC Cyborg Trojan to researchers, in an attempt to extort money.
Ransomware has come a long way since then, but while it has evolved in various ways, the aim remains the same. Other notorious ransomware attacks include WannaCry, which was detected more than 250,000 times across 116 countries in 2017. This was designed to take advantage of a simple software defect, encrypting hard drive files to make them inaccessible, with the attackers only unlocking them after a bitcoin payment had been made. The issue is, of course, that agreeing to pay a ransom doesn't actually guarantee the people responsible will stick to their end of the deal. After all, why should they? If they're willing to disrupt your daily processes, cost you money, damage your reputation and more, there's no reason to believe they will do as they promise. Prevention is, as the saying goes, better than cure. And that means taking steps to prepare your team for potential cybersecurity threats in their day-to-day work. How can you do this?

Taking Steps to Protect Your System
Implementing security measures and processes to protect your system against breaches can be daunting, especially if you have no experience or real knowledge of this area. It's essential that you embrace the most cutting-edge cybersecurity software available and consult with experts. Professionals specializing in security measures and reinforcing systems will be able to identify the biggest dangers you face, tell you how to defend against them and advise your team on being more vigilant. In terms of training your staff, there are certain things you can try.

Raise cybersecurity issues and trends in regular meetings
Keep your employees updated on the latest cybersecurity hazards and techniques: make sure they understand what suspicious activities they should be aware of when responding to emails, downloading software or visiting websites. Try to cultivate a more vigilant workforce and boost recognition of effective 'safety first' procedures.
Get them into the habit of questioning links, emails and other potentially infected elements when they're not sure how safe they are.

Run exercises
Find time in a day to run a test exercise for your team. Act as if a cybersecurity attack has struck your system and have staff go through the motions of responding appropriately. Do they know what to do if they spot the warning signs of an impending threat? Can they work as a cohesive team even when they're not completely sure what's happening? Work to make the answer to both a firm 'yes'.

Plan ahead
Everyone should know what role they have in the event of a cybersecurity breach. Perhaps they're required to do nothing but sit tight and wait for business to resume as normal. Maybe they have to take an active part in informing clients of the situation or coordinating with security experts. Having a formal plan means everyone involved can leap into action in the event of a crisis, saving valuable time and minimizing further disruption. Knowing how to handle cybersecurity risks and attacks is fundamental for any business, organization or institution today. If you want to know more about protecting your system and taking effective action, contact our specialists now!

Mirai Malware Variants Increasingly Targeting Enterprise IoT Devices
Malware variants that evolved from the original Mirai malware are increasingly targeting enterprise IoT devices, putting enterprise networks at risk of being exploited for nefarious activities such as distributed denial-of-service (DDoS) attacks and illicit cryptocurrency mining, as well as putting enterprise cloud architecture at risk of additional malware and further compromise.

Tracking the Mirai
The original Mirai malware was created by Paras Jha, Josiah White and Dalton Norman. The 3 creators of the Mirai malware were in due course arrested and sentenced by U.S. authorities. Prior to their arrest and sentencing, the source code of the Mirai malware was publicly released.
The publication of the source code propelled the creation of multiple versions of Mirai that propagate in the wild. Mirai was first observed in the wild in 2016. The Mirai malware gained notoriety when it was used by the still unidentified attacker or attackers to launch a distributed denial-of-service (DDoS) attack on Dyn DNS, a major dynamic DNS provider, which resulted in widespread internet outages across the U.S. and Europe in 2016. According to IBM X-Force researchers, since 2016 there have been 63 Mirai variants observed in the wild. The researchers said that the multiple variants of Mirai have been used to perform nefarious activities such as DDoS attacks and illicit cryptocurrency mining. In a DDoS attack, attackers overwhelm a target, such as a website or, in the case of Dyn DNS, a dynamic DNS provider, with voluminous traffic, bringing the target offline and rendering it inaccessible to legitimate users. Illicit cryptocurrency mining, meanwhile, refers to the use of computing power without the knowledge and consent of the computer owner. The Mirai malware variants are able to perform DDoS attacks and illicit cryptocurrency mining by infecting computers with security vulnerabilities and enslaving these infected computers to form an army, also known as a botnet, which performs DDoS attacks, cryptocurrency mining or other activities according to the whim of the attacker controlling the botnet. The Mirai malware is a powerful tool for malicious actors as it allows them to automate the process of downloading any number of malware onto a large number of IoT devices. Owners of IoT devices typically don't consider these devices as computers. These devices are often installed and then forgotten. Unlike other computers such as desktops or laptops, IoT devices aren't monitored for irregular behaviour, nor are they updated or their login details changed.
The original malware created by Jha, White and Norman infected hundreds of thousands of IoT devices, such as routers and security cameras, and controlled these infected devices to form an army or botnet to perform illegal activities such as DDoS attacks. The creators of the original malware were able to infect hundreds of thousands of IoT devices knowing that many IoT owners don't bother to change the factory default login details of these devices. The original Mirai uses 61 factory default login details in infecting IoT devices.

Enterprise IoT Devices at Risk
IBM X-Force researchers, who have been tracking Mirai campaigns since 2016, said that the Mirai variants' tactics, techniques and procedures (TTPs) are now targeting enterprise IoT devices. "Nowadays, enterprise IoT devices are everywhere, from instruments that monitor patients in hospitals, to wireless devices in smart meters that relay information to utility companies, to robots in warehouses that constantly deliver inventory information," IBM X-Force researchers said. "Enterprises are increasingly dependent on IoT devices to run day-to-day operations, and attackers are well-aware of the growing attack surface." "As IoT devices become more common among households and large organizations, Mirai and its variants will continue to evolve to adapt to the changing environments and targets of its choice," IBM X-Force researchers added. The researchers observed that creators of the Mirai malware variants were dropping additional malware onto the infected devices, with cryptocurrency malware leading the way. Cryptocurrency malware, which steals the computing power of infected IoT devices to generate money for the attackers, is harmful to IoT devices as these devices are prone to overheating: they have little computing power compared to desktop or laptop computers with central processing unit (CPU) or graphics processing unit (GPU) resources.
IBM X-Force researchers also observed that creators of Mirai malware variants were employing steganography, which hides malicious code in images that trigger the download of additional malware. The researchers also said that the Mirai malware variants pose a threat to cloud computing, as IoT devices infected with Mirai malware variants that are connected to cloud architecture could allow attackers to gain access to cloud servers. Once these malicious actors gain access to cloud servers, they could drop additional malware, the IBM X-Force researchers said. In early 2009, researchers at Palo Alto Networks' Unit 42 discovered a variant of the Mirai malware targeting WePresent WiPG-1000 Wireless Presentation systems and LG Supersign TVs, IoT devices used by businesses. Targeting IoT devices used by businesses, according to researchers at Palo Alto Networks' Unit 42, gives attackers a large attack surface, as IoT devices used by businesses have larger bandwidth, giving the attackers greater firepower for attacks such as DDoS attacks.

Prevention
As malicious actors are increasingly targeting enterprise IoT devices, it's important to change the factory default usernames and passwords of these devices and to install the latest security updates. If the IoT vendor no longer issues security updates or it isn't possible to install security updates on these devices, it's best to remove these devices from your organization's network. Get in touch with our experts for additional threat information and to help you mitigate cybersecurity risks.

Disturbing Trend: More and More Ransomware Attack Victims Are Paying Ransom
UK's largest police forensics lab Eurofins reportedly paid ransom to ransomware attackers. The company joins the growing list of organizations that paid ransom to ransomware attackers. The BBC recently reported that Eurofins, UK's largest police forensics lab, paid an undisclosed amount to attackers after its computers were crippled by a ransomware attack.
Eurofins Scientific, which has about 45,000 staff in more than 800 laboratories across 47 countries, is one of the global independent market leaders in testing and laboratory services for forensics. Eurofins Forensics Services, Eurofins Scientific's UK-based forensics subsidiary, is one of the primary forensic services providers to the UK police. Last June 3, Eurofins Scientific disclosed that during the first weekend of June 2019 (1st and 2nd June) it fell victim to a ransomware attack which caused disruption to many of its IT systems in several countries. The company said, in a statement, that from June 4th it was able to "resume full or partial operations for a number of impacted companies and continue to do so every day". As of June 17th, the company said, the vast majority of affected laboratories' operations had been restored. The ransomware involved, Eurofins Scientific said, appears to be a new ransomware variant which was "initially non-detectable by the anti-malware screen of our leading global IT security services provider at the time of the attack and required an updated version made available only hours into the attack". In a ransomware attack, a malicious actor or actors lock legitimate users out of IT systems or computer files through encryption (the process of converting readable data into an unreadable form so that only people with access to a secret key, also known as the decryption key, can read it). Ransomware attackers demand that their victims pay a ransom in exchange for the decryption keys that would unlock the encrypted IT systems or computer files.

Growing List of Ransomware Victims Paying Ransom
Eurofins Scientific joins the growing list of ransomware victims paying ransom. Two cities in Florida, U.S. and 2 towns in Ontario, Canada publicly admitted that they paid ransom to ransomware attackers. Last June 17th, the City Council of the City of Riviera Beach, Florida unanimously approved the payment of ransom to ransomware attackers.
A total of 65 bitcoins was paid to the ransomware attackers, equivalent to approximately $600,000 at the time of the ransom payment approval. A few days after the ransom payment approval by the City Council of Riviera Beach, another Florida city, Lake City, paid its own ransomware attackers. Lake City Mayor Stephen Witt told local media that Lake City will pay cyber attackers USD $460,000 to get its computer system back. "I would've never dreamed this could've happened, especially in a small town like this," the Lake City Mayor said. Two towns in Ontario, Canada, the Town of Wasaga Beach and the Town of Midland, have also publicly admitted that they paid ransom to ransomware attackers. Jocelyn Lee, Director of Finance and Treasurer of the Town of Wasaga Beach, reported to the City Council of Wasaga Beach that on April 30, 2018 the Town's computer system was infected with malicious software (malware) that left all of the Town's data locked. Lee said the Town ended up paying the ransomware attackers 3 bitcoins, equivalent to $34,950 Canadian at the time of the ransom payment. The Town of Midland, Ontario, meanwhile, said in a statement that on September 1, 2018, the Town's network was infected with ransomware. The Town said that it paid an undisclosed amount to the ransomware attackers in exchange for the decryption keys. On paying the ransom, the Town of Midland said, "Although not ideal, it is in our best interest to bring the system back online as quickly as possible." To date, South Korean web hosting company Nayana holds the record for paying the most expensive ransom, totaling 397.6 bitcoins, valued at USD $1.01 million at the time of the ransom payment.

Prevention & How to Recover from Ransomware Attacks
All ransomware victims that decided to pay ransom have one thing in common: they all failed to conduct regular back-ups of their critical data.
Organizations that diligently conduct regular back-ups of critical data can, in a time of crisis such as a ransomware attack, simply ignore the attackers' ransom demand. Paying the ransom also doesn't guarantee that attackers will hand over the correct decryption keys that will unlock encrypted IT systems or computer files. Paying the ransom could instead encourage the attackers to launch another ransomware attack, or the attackers could increase their ransom demand, knowing that organizations will likely consider paying the amount. While conducting regular back-ups of critical data is important, implementing cybersecurity measures that prevent ransomware attacks is equally important. The UK's National Cyber Security Centre (NCSC) recently issued a Ryuk Ransomware Advisory. Ryuk is a particular type of ransomware that was first observed in the wild in August 2018. It has since been responsible for multiple attacks worldwide. This ransomware, in particular, targets its victims, and the ransom payment is set based on the target's perceived ability to pay. NCSC recommends the following measures in order to prevent ransomware attacks, in particular Ryuk ransomware attacks:
You don't need to face cybercriminals alone. When you need help, our team of professionals is ready to assist and help you mitigate risks, recover, and proactively secure your data. Contact us today and stay safe.
Author: Steve E. Driz, I.S.P., ITCP
9/3/2019