Ransomware Attacks Now Targeting Your Backups
Backups have traditionally been regarded as the last line of defence against ransomware attacks. Over the past few months, however, backups have been specifically targeted by ransomware attacks.
In the "IT threat evolution Q3 2019" report, Kaspersky researchers found that ransomware attacks on backups, specifically NAS backups, are gaining ground.
What Is NAS?
NAS, short for network attached storage, is a storage and backup system that consists of one or more hard drives. This storage and backup system can be connected to a home or office network or to the internet. When a NAS device is connected to the internet, data stored on the device can be accessed using a web browser or mobile app.
Ransomware Targeting NAS
Researchers at Anomali in July of this year reported on eCh0raix, a ransomware that specifically targets QNAP network attached storage (NAS) devices. According to the researchers, the source code of eCh0raix has fewer than 400 lines, with functionality typical of ransomware: checking whether data on the infected system has already been encrypted, walking the file system for files to encrypt, encrypting the files, and producing the ransom note.
Researchers at Anomali noted that eCh0raix ransomware isn’t designed for mass distribution, as the samples with a hardcoded public key appear to be compiled per target, with a unique key for each target. QNAP Systems, the manufacturer of QNAP network attached storage (NAS) devices, for its part, acknowledged that QNAP devices using weak passwords and outdated QTS firmware are vulnerable to eCh0raix ransomware.
In July of this year, another NAS device manufacturer, Synology, reported that several Synology NAS devices were under ransomware attack as a result of brute-forcing of administrator login details. In a brute-force attack, a malicious actor submits a large number of passwords in the hope of eventually guessing the correct one.
According to Synology, its investigation related to the ransomware attacks found that the attacks were due to dictionary attacks – the use of words in the dictionary in brute-forcing login details – instead of specific system vulnerabilities. Synology added that the large-scale ransomware attacks were targeted at various NAS models from different NAS vendors. Ken Lee, Manager of Security Incident Response Team at Synology, said that NAS attackers used “botnet addresses to hide their real source IP”.
Just last month, another NAS device manufacturer, D-Link, acknowledged that the following D-Link network attached storage (NAS) models are vulnerable to a different ransomware called “Cr1ptT0r”: DNS-320 Ax/Bx, DNS-325, DNS-320L, DNS-327L, DNS-323 Ax/Bx/Cx, DNS-345, DNS-343 and DNS-340L. According to D-Link, Cr1ptT0r encrypts stored information and then demands payment to decrypt it.
According to Kaspersky researchers, the growing ransomware attacks on NAS devices involve attackers scanning the internet for internet-connected NAS devices. Kaspersky researchers said that a number of NAS devices have vulnerabilities in the firmware, which enables attackers via an exploit to install on the compromised device a Trojan – a type of malicious software (malware) that’s often disguised as legitimate software – that encrypts all data on the NAS device. “This is a particularly dangerous attack, since in many cases the NAS is used to store backups, and such devices are generally perceived by their owners as a reliable means of storage, and the mere possibility of an infection can come as a shock,” Kaspersky researchers said.
Preventive and Mitigating Measures
Here are some of the preventive and mitigating measures against ransomware attacks targeting NAS backups:
Manufacturers of NAS devices, QNAP Systems, Synology and D-Link, asked users to apply the latest software or firmware version.
In the case of D-Link NAS devices, D-Link said that DNS-320 Ax/Bx, DNS-323 Ax/Bx, DNS-325 Ax and DNS-345 Ax have passed their end of service date, which means that these models are no longer supported by the company through customer support and no longer receive software or firmware updates. For the said models that have passed their end of service date, D-Link asked users to "remove the Internet access of NAS on your router by disabling the port forwarding and DMZ setting".
One thing is common to these NAS ransomware attacks: the victims were devices exposed to the internet. To protect backups from this type of ransomware, it’s important to remove the direct internet exposure of these devices.
Generally, an internet-connected NAS device can only be accessed via a web or mobile app interface, and this interface is protected by an authentication page, where a user must authenticate before gaining access. As acknowledged by NAS manufacturers, some users use weak passwords, making it easy for attackers to brute-force or guess them.
When there’s a need for these NAS devices to be accessible via the internet, it’s important to use strong passwords and, if possible, to use multi-factor authentication to add another layer of defence.
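As an added example (not code from Synology, QNAP or D-Link), the following Python script reads constructed NAS authentication log lines and flags both a single source hammering one account and the distributed dictionary pattern Synology described, where many botnet addresses each try a few passwords against the same account. The log format, account names and addresses are all constructed for this example.

```python
"""Flag dictionary attacks against NAS logins from authentication log lines.

Added example, not vendor code. Log format is constructed for the example:
    <ISO timestamp> login <failed|ok> user=<name> from=<ip>
Two views are kept over a sliding window:
  * failures per source address  -> one host brute-forcing any account
  * failures per account, spread over distinct sources -> the botnet pattern,
    where each address tries only a few passwords and stays under per-IP limits
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (RFC 5737 documentation addresses, no real device).
SAMPLE_LOG = """\
2019-11-01T10:00:01 login failed user=admin from=198.51.100.7
2019-11-01T10:00:03 login failed user=admin from=198.51.100.7
2019-11-01T10:00:05 login failed user=admin from=198.51.100.7
2019-11-01T10:00:07 login failed user=admin from=198.51.100.7
2019-11-01T10:00:09 login failed user=admin from=198.51.100.7
2019-11-01T10:00:11 login failed user=admin from=198.51.100.7
2019-11-01T10:01:00 login failed user=backup from=203.0.113.10
2019-11-01T10:01:20 login failed user=backup from=203.0.113.11
2019-11-01T10:01:40 login failed user=backup from=203.0.113.12
2019-11-01T10:02:00 login failed user=backup from=203.0.113.13
2019-11-01T10:02:20 login failed user=backup from=203.0.113.14
2019-11-01T10:02:40 login failed user=backup from=203.0.113.15
2019-11-01T10:03:00 login ok user=alice from=192.0.2.20
2019-11-01T10:30:00 login failed user=alice from=192.0.2.20
2019-11-01T10:31:00 login failed user=alice from=192.0.2.20
"""


def parse_line(line):
    """Return (timestamp, outcome, user, source) or None for unparseable lines."""
    parts = line.split()
    if len(parts) < 5 or parts[1] != "login":
        return None
    fields = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
    try:
        return datetime.fromisoformat(parts[0]), parts[2], fields["user"], fields["from"]
    except (KeyError, ValueError):
        return None


def detect_dictionary_attacks(lines, window=timedelta(minutes=10),
                              per_source_threshold=5, per_account_threshold=5,
                              min_sources=3):
    """Return sources and accounts whose failed logins exceed the thresholds
    within the sliding window. An account is only flagged as a distributed
    target when its failures come from at least `min_sources` addresses."""
    events = sorted(e for e in map(parse_line, lines) if e and e[1] == "failed")
    noisy_sources, targeted_accounts = set(), set()
    by_source = defaultdict(deque)    # source -> timestamps inside the window
    by_account = defaultdict(deque)   # user   -> (timestamp, source) inside the window
    for ts, _, user, src in events:
        q = by_source[src]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) > per_source_threshold:
            noisy_sources.add(src)

        a = by_account[user]
        a.append((ts, src))
        while ts - a[0][0] > window:
            a.popleft()
        distinct = {s for _, s in a}
        if len(a) > per_account_threshold and len(distinct) >= min_sources:
            targeted_accounts.add(user)
    return {"noisy_sources": sorted(noisy_sources),
            "targeted_accounts": sorted(targeted_accounts)}


if __name__ == "__main__":
    print(detect_dictionary_attacks(SAMPLE_LOG.splitlines()))
```

In the sample, the single host 198.51.100.7 trips the per-source rule, while the "backup" account is flagged only because its six failures arrive from six different addresses, which a per-IP lockout alone would not catch.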
Here are some of the additional defences to protect backups from ransomware attacks:
As the number of ransomware attacks in recent months shows, this type of cyber-attack shows no sign of slowing down.
Organizations seen as financially capable of paying a ransom, including government agencies as well as organizations in the healthcare and education sectors, are particularly targeted by this type of attack.
You don’t have to be a victim of a ransomware attack. Stop cybercriminals before they get the leverage.
Speak with our cybersecurity experts today and stop worrying about ransomware.
Cross-Site Scripting: Still One of the Biggest Cyber Threats
Cross-site scripting, also known as XSS, is one of the most dangerous software errors that threatens websites and applications, even the likes of Gmail.
Security researcher Michał Bentkowski of Securitum recently discovered a cross-site scripting vulnerability in Gmail’s AMP4Email, also known as “dynamic email”. Launched in July 2019, Gmail’s dynamic email allows users to take action directly from within the message itself, such as RSVPing to an event, filling out a questionnaire or browsing a catalog.
By allowing dynamic content in Gmail, Google knew it was opening itself to security vulnerabilities such as cross-site scripting – a vulnerability that allows malicious actors to inject malicious code into trusted websites or applications. While Google takes a number of precautionary measures against cross-site scripting, Bentkowski discovered that Gmail’s dynamic email didn’t block the HTML id attribute, which left the email service open to cross-site scripting.
Bentkowski said he reported the cross-site scripting vulnerability to Google on August 15, 2019. According to Bentkowski, Google replied that “the bug is awesome, thanks for reporting”. Bentkowski added that on October 12, 2019, he received a confirmation from Google that the bug was fixed.
What Is Cross-Site Scripting?
Cross-site scripting is so widespread that it ranks second in the 2019 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Errors. According to CWE, which is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), the ranking of the most dangerous software errors is based on Common Vulnerabilities and Exposures (CVE) data and on data from the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD).
The NVD data, in particular, covered the years 2017 and 2018 and consisted of nearly 25,000 CVEs. Of those 25,000 CVEs, 3,430 were cross-site scripting vulnerabilities.
Cross-site scripting is a security vulnerability found in web pages or applications that accept user input. This includes login pages, check-out pages and, in the case of Gmail, Gmail’s AMP4Email or dynamic email.
While users typically place legitimate inputs such as usernames and passwords in login pages, credit card details in check-out pages or RSVP to an event in the case of Gmail’s dynamic email, these fields that accept user input could be exploited by malicious actors, giving them opportunity to insert malicious code into an otherwise trusted website or application.
In the case of Gmail’s dynamic email, there’s no report that malicious actors were able to exploit the said cross-site scripting vulnerability.
Security engineers at Microsoft were the first ones to coin the term cross-site scripting back in December 1999. In December 2009, in commemorating the 10th year anniversary of coining the word, security engineers at Microsoft, in the blog post “Happy 10th birthday Cross-Site Scripting!”, wrote, “Let's hope that ten years from now we'll be celebrating the death, not the birth, of Cross-Site Scripting!”
As the latest ranking of the most dangerous software errors shows, cross-site scripting is far from dead. Microsoft itself recently patched a cross-site scripting vulnerability in its Microsoft Outlook for Android software. The company said that the cross-site scripting vulnerability allows an attacker to “run scripts in the security context of the current user”.
Cross-site scripting has recently been put back into the headlines by Magecart – the umbrella term given to cybercriminal groups that steal credit card details from unsecured payment forms on websites. Magecart has been linked to the data breach at British Airways and the recent data breach at Macy’s.
Researchers at RiskIQ reported that Magecart breached British Airways’ baggage claim information page by inserting just 22 lines of code, enabling the attackers to grab personal and financial details entered by customers and send the stolen data to a server controlled by the attackers. A security researcher who wishes to remain anonymous, meanwhile, told BleepingComputer that the recent data breach at Macy's website was caused by the alteration of the https://www[dot]macys[dot]com/js/min/common/util/ClientSideErrorLog[dot]js script, enabling the attackers to grab data entered by customers on the company’s website, in particular on the checkout page and wallet page.
Preventive and Mitigating Measures Against Cross-Site Scripting
Attempts in the past have been made to stop cross-site scripting. One such attempt was XSS Auditor, a feature added to Google Chrome v4 in 2010.
XSS Auditor aims to detect XSS vulnerabilities while the browser is processing the code of websites. It uses a blocklist to identify suspicious code. In July of this year, Google security engineer Thomas Sepez announced the retirement of XSS Auditor.
Google senior security engineer Eduardo Vela Nava first proposed the retirement of XSS Auditor in October 2018. “We haven't found any evidence the XSSAuditor stops any XSS, and instead we have been experiencing difficulty explaining to developers at scale, why they should fix the bugs even when the browser says the attack was stopped,” Nava said. “In the past 3 months, we surveyed all internal XSS bugs that triggered the XSSAuditor and were able to find bypasses to all of them.”
As shown in the above examples, cross-site scripting vulnerability is a menace to websites and applications.
This holiday season – the time of the year when online shopping and other transactions are at their peak – it’s important to sanitize the inputs your organization’s website and applications accept, to protect them from cross-site scripting.
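Allowlist-based sanitizing is one way to do this. The following Python sanitizer is an added example, not Google's AMP4Email validator or any library's code: it keeps a short allowlist of tags and attributes and drops everything else, including the id attribute that slipped through in the Gmail case above, event-handler attributes, inline script and link schemes other than http, https and mailto. The allowlists are assumptions chosen for the example.

```python
"""Allowlist HTML sanitizer for user-supplied rich content (added example).

Everything not explicitly allowed is dropped: unknown tags (their text is kept),
unknown attributes (id and every on* handler included), script/style bodies,
and href values whose scheme is not on the safe list. Text and kept attribute
values are re-escaped on output so nothing passes through verbatim.
"""
import html
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "a", "br"}
ALLOWED_ATTRS = {"a": {"href"}}          # every other attribute, id included, is dropped
VOID_TAGS = {"br"}                       # never emit a closing tag for these
SAFE_SCHEMES = ("http://", "https://", "mailto:")
DISCARD_BODY = {"script", "style"}       # tag and contents both removed


class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)   # entities arrive decoded, we re-escape
        self.out = []
        self.dropped = []        # (tag, attribute) pairs removed, useful for audit logs
        self.skip_depth = 0      # > 0 while inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in DISCARD_BODY:
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return                               # tag dropped, its text still flows through
        kept = []
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, ()) and self._safe_value(name, value):
                kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
            else:
                self.dropped.append((tag, name))
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DISCARD_BODY:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(html.escape(data, quote=False))

    @staticmethod
    def _safe_value(name, value):
        if name == "href":
            return (value or "").strip().lower().startswith(SAFE_SCHEMES)
        return True


def sanitize(fragment):
    """Return (clean_html, dropped_attributes) for an untrusted HTML fragment."""
    s = Sanitizer()
    s.feed(fragment)
    s.close()
    return "".join(s.out), s.dropped


if __name__ == "__main__":
    print(sanitize('<p id="x" onmouseover="evil()">Hi <b>there</b></p>'))
```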
When you need to protect your website and web applications against XSS and other common attacks, our team of experts is a phone call away and ready to protect your web applications in just minutes.
Under denial of service attack with ransom demands? Don’t pay! We will stop the DDoS attacks in a few minutes, for good.
Call today (888) 900-3749 or connect with us online.
Healthcare Sector Breach Reports Rise After Mandatory Reporting Implementation
The Office of the Information and Privacy Commissioner of Alberta recently released an annual report, covering the period of April 1, 2018 to March 31, 2019, showing a 407% increase in healthcare sector data breaches. The spike of healthcare sector data breach reports was similarly seen in Ontario.
The period covered by the annual report includes only seven months of mandatory breach reporting in the healthcare sector in Alberta. Alberta’s Health Information Act took effect on August 31, 2018, mandating the more than 54,900 health information custodians in the province, including Alberta Health, Alberta Health Services, Covenant Health, nursing homes, physicians, registered nurses, pharmacists, optometrists, opticians, chiropractors, podiatrists, midwives, dentists, denturists and dental hygienists to notify an individual affected by a privacy breach as well as notify the Information and Privacy Commissioner of Alberta and the Minister of Health.
The Alberta law also provides penalty provisions in case the health information custodian fails to report a breach or fails to take reasonable steps in maintaining safeguards to protect health information.
The Office of the Information and Privacy Commissioner of Alberta reported that a total of 674 breaches were reported under Alberta’s Health Information Act during the period of April 1, 2018 to March 31, 2019, representing a 407% increase compared to the reported average of 130 healthcare sector data breaches for the last few years.
In the report written by Jill Clayton, Information and Privacy Commissioner of Alberta, many of the healthcare sector data breaches are described as relatively easy to address, requiring only that the health information custodians notify the affected individuals and take preventive steps to stop similar events from re-occurring. A significant number of these cases, Clayton said, are much more serious, involving violations of the law and affecting hundreds to thousands of Albertans. Such cases often become offense investigations and can result in significant court-imposed fines for the offending parties.
The Information and Privacy Commissioner of Alberta said that active offense investigations have risen from 5-6 at any one time to over 20 as of September 30, 2019, with nearly 70 healthcare sector data breaches flagged as potential offenses. Since Alberta’s Health Information Act took effect on August 31, 2018, the Commissioner said there have been 10 convictions for knowingly accessing health information under the said Alberta law.
The Commissioner also reported that since the Health Information Act took effect, more snooping breaches – unauthorized access to health information by authorized users of health information systems – have been reported. “Cyberattacks were also reported more frequently, which is a concern that will need to be monitored,” the Information and Privacy Commissioner of Alberta said.
Healthcare Sector Data Breach Reports in Ontario
The spike of healthcare sector data breach reports was similarly seen in Ontario. In late 2017 Ontario’s Personal Health Information Protection Act took effect, requiring health information custodians, including hospitals, pharmacies, doctors’ offices, and dental clinics to report health privacy breaches to the Information and Privacy Commissioner of Ontario.
In the period covering the first full year of the mandatory healthcare sector breach reporting, from January 1 to December 31, 2018, the Information and Privacy Commissioner of Ontario reported that self-reported breaches in the healthcare sector rose from 322 in 2017 to 506 in 2018. Out of the 506 breaches reported, 120 were snooping incidents, 15 were ransomware and other cyberattacks, while the remaining 371 were due to lost, stolen or misdirected health information, records not properly secured and other collection, use and disclosure issues.
According to the Information and Privacy Commissioner of Ontario, the rise in reported snooping incidents wasn’t indicative of an actual rise in snooping, but rather reflected health information custodians’ better methods of detection, such as the use of data analytics to monitor and audit health information systems for unauthorized access and other types of health privacy breaches. The Commissioner also noted that self-reported breaches in the healthcare sector rose because health information custodians are now required to report breaches, unlike in previous years when reporting was only recommended.
Cyber Attacks: A Growing Concern in Health Care
In the 2018 Annual Report for the Information and Privacy Commissioner of Ontario to the Legislative Assembly of Ontario, Commissioner Brian Beamish said that in 2018, Ontario’s health care sector was a prime target of ransomware and other cyber-attacks, with victims ranging from local health integration networks to long-term care facilities.
In June 2018, CarePartners, a home care service provider to Ontario's Local Health Integration Networks (LHINs) and an Ontario-based community health care agency, reported a data breach to the Information and Privacy Commissioner of Ontario. “The cyber-attack breached CarePartners' computer system and as a result patient and employee information held in that system, including personal health and financial information, has been inappropriately accessed by the perpetrators,” CarePartners said in a statement. The health care agency, however, didn’t specify the extent of the data breach in the public statement.
Commissioner Beamish said that cyber-attacks, in particular ransomware attacks, underscored the importance of the following:
In the area of snooping or unauthorized access to health information by authorized users of health information systems, Commissioner Beamish said artificial intelligence can be used to curb unauthorized access. "When deployed properly, technology that identifies anomalous behaviour is a valuable tool for health information custodians, to not only detect and deter unauthorized snooping but to immediately identify and respond to cybersecurity threats,” Commissioner Beamish said.
Healthcare organizations are a prime target for cybercriminals. Let us help you protect patient information and mitigate IT security related risks.
Contact us today to get started.
Recent DDoS Attacks Leverage TCP Amplification
A recent report from Radware showed that attackers over the past month have been leveraging TCP amplification in launching distributed denial-of-service (DDoS) attacks.
What Is TCP Amplification?
TCP amplification is one of the lesser-known ways attackers perform DDoS attacks. In a DDoS attack, multiple computers are operating together to attack a particular target, for instance, a website.
TCP is a set of rules that governs how computers connected to the internet communicate with one another, enabling them to transmit and receive data. With TCP, a connection is established only through a three-way handshake, whose steps are known as SYN, SYN-ACK and ACK. During the three-way handshake, the IP addresses of both communicating parties are verified via random sequence numbers.
1. SYN (Synchronize)
This first handshake happens when computer X, for instance, sends a message containing a random sequence number to another computer, let’s call this computer Z.
2. SYN-ACK (Synchronize-Acknowledge)
This second handshake happens when computer Z responds via an acknowledgment number and a random sequence number.
3. ACK (Acknowledge)
This third handshake happens when computer X completes the connection setup by sending a ﬁnal acknowledgment to computer Z via a sequence number and acknowledgment number.
Ampliﬁcation DDoS attack, meanwhile, refers to an attack in which an attacker doesn’t directly send trafﬁc to the ultimate target but rather sends spoofed network packets to a large number of devices, also known as reflectors or ampliﬁers. Attackers often use ampliﬁers that send back responses that are significantly larger than the requests, resulting in an increased or ampliﬁed attack volume. TCP was initially thought to be immune from amplification attacks due to its three-way-handshake.
TCP’s vulnerability to amplification attacks was reported back in 2014. In the paper “Exit from Hell? Reducing the Impact of Ampliﬁcation DDoS Attacks”, researchers at Ruhr-University Bochum demonstrated that even with the three-way-handshake TCP is still vulnerable to ampliﬁcation DDoS attacks. According to the researchers, TCP is vulnerable to ampliﬁcation DDoS attacks as SYN/ACK segments are resent until connection is successfully established, connection times out, or connection is manually closed.
Resending of SYN/ACK segments, the researchers said, overloads the capacity of the victim’s network. “In face of ampliﬁcation attacks, this is problematic, as the client’s IP address is not validated until the handshake is complete,” the researchers said.
In this 2014 study, the researchers showed that hundreds of thousands of devices, mostly business and consumer routing devices, were vulnerable to be abused for ampliﬁcation DDoS attacks as these devices repeatedly sent up to 20 SYN/ACK packets in response.
In the follow-up paper "Hell of a Handshake: Abusing TCP for Reflective Amplification DDoS Attacks", researchers at Ruhr-University Bochum identified thousands of TCP-based protocols that allow amplification of factor 50 times and higher. In this follow-up paper, the researchers also identified more than 4.8 million devices vulnerable to an average ampliﬁcation factor of 112 times. They also identiﬁed thousands of devices that can be abused for ampliﬁcation up to a factor of almost 80,000 times, reﬂecting more than 5,000 packets within 60 seconds and causing a serious impact on a victim’s network.
From the viewpoint of the attackers, the researchers said, abusing TCP brings multiple beneﬁts as there are millions of potential TCP ampliﬁers out there and ﬁxing them is an “infeasible operation”. According to the researchers, the root cause of the ampliﬁcation DDoS attacks is IP address spooﬁng which "enables attackers to specify arbitrary targets that are ﬂooded with reﬂected trafﬁc”.
TCP Amplification Attacks + Carpet Bombing
Radware reported that last month, European sports gambling website Eurobet experienced TCP amplification attacks that lasted for nearly 30 days. Radware also reported that last month, Turkish financial services company Garanti experienced TCP amplification attacks.
In the case of TCP amplification attacks on Garanti, Radware said, "In a period of 24 hours, millions of TCP-SYN packets from nearly 7,000 distinct source IP addresses part of AS12903 (Garanti Bilisim Teknolojisi ve Ticaret TR.A.S.) were sensed globally and specifically targeting ports 22, 25, 53, 80 and 443.”
According to Radware, TCP amplification attacks are combined with a technique called “carpet bombing”. Carpet bombing attack is a type of DDoS attack where instead of focusing the attack on a single IP, random IP addresses of the victim’s network are attacked. Radware reported that over the last few months, carpet bombing has been used in a number of attacks against South African internet service providers (ISPs).
Impacts, Preventive and Mitigating Measures
By leveraging carpet bombing technique, attackers increase the attack surface; and by leveraging TCP amplification, attackers increase the hit rate onto the victim’s services. For now, however, carpet bombing has been predominantly used against ISPs.
While the recent TCP amplification attacks targeted large organizations, the victims of these attacks also include small organizations and home users whose devices were used as reflectors in the TCP amplification attacks. As the main targets of the attacks were overwhelmed by traffic and suffered outages as a consequence, the devices used in the attacks – those that processed the spoofed requests and the legitimate replies from the main target of the DDoS – also experienced spikes in traffic, resulting in outages.
IP blacklisting is one of the options in preventing DDoS attacks. In the case of TCP amplification attacks that rely on IP address spooﬁng, IP blacklisting has some pros and cons.
One of the disadvantages of IP blacklisting in TCP amplification attacks is that legitimate users could be affected by this blacklisting as malicious actors could mimic their IP address.
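As an added example, not Radware's detection logic or code from any vendor, the following Python script shows why carpet bombing evades per-host thresholds and how aggregating by /24 recovers the signal. It also separates unsolicited SYN/ACKs (answers to spoofed SYNs) from replies to connections the protected network actually opened; the sources of the unsolicited traffic are the reflectors, which is why blacklisting them is double-edged, as the section above notes. The protected prefix, the reflector addresses and the flow records are all constructed.

```python
"""Spot carpet-bombing TCP amplification floods that per-host thresholds miss.

Added example, not Radware's detection logic. Flow records are constructed
NetFlow-style tuples (src, dst, src_port, dst_port, tcp_flags, packets).
Two checks:
  1. Unsolicited SYN/ACK: an inbound SYN/ACK flow for which the protected
     network never sent the matching SYN. The reflector is answering a
     spoofed SYN that carried one of our addresses as its source.
  2. Aggregation by prefix: each victim host stays under the per-host
     threshold, but the sum over the /24 does not.
"""
import ipaddress
from collections import defaultdict

SYN, ACK = 0x02, 0x10                               # TCP flag bits
PROTECTED = ipaddress.ip_network("203.0.113.0/24")  # constructed victim prefix


def synthetic_flows(hosts=200, pkts_per_host=100):
    """Constructed sample (hosts must be <= 253): `hosts` reflectors, each
    sending SYN/ACKs to a different victim host, plus one legitimate
    connection that our side really opened and its genuine SYN/ACK reply."""
    flows = []
    for i in range(hosts):
        reflector = f"198.51.100.{i + 1}"           # RFC 5737 documentation range
        victim = str(PROTECTED[i + 1])
        flows.append((reflector, victim, 443, 40000 + i, SYN | ACK, pkts_per_host))
    flows.append(("203.0.113.5", "192.0.2.80", 51000, 443, SYN, 1))        # our SYN
    flows.append(("192.0.2.80", "203.0.113.5", 443, 51000, SYN | ACK, 1))  # real reply
    return flows


def analyze(flows, per_host_threshold=1000, per_prefix_threshold=10000):
    """Count inbound SYN/ACK packets per victim host and per /24, ignoring
    SYN/ACKs that answer a SYN the protected network actually sent."""
    outbound_syns = {
        (s, d, sp, dp) for s, d, sp, dp, f, _ in flows
        if ipaddress.ip_address(s) in PROTECTED and (f & SYN) and not (f & ACK)
    }
    per_host = defaultdict(int)
    per_prefix = defaultdict(int)
    reflectors = set()
    for s, d, sp, dp, f, pkts in flows:
        if ipaddress.ip_address(d) not in PROTECTED:
            continue
        if (f & (SYN | ACK)) != (SYN | ACK):
            continue                                # only SYN/ACK segments matter here
        if (d, s, dp, sp) in outbound_syns:
            continue                                # reply to a SYN we really sent
        reflectors.add(s)
        per_host[d] += pkts
        prefix = ipaddress.ip_network(f"{d}/24", strict=False)
        per_prefix[str(prefix)] += pkts
    return {
        "hosts_over_threshold": sorted(h for h, n in per_host.items()
                                       if n >= per_host_threshold),
        "prefixes_over_threshold": sorted(p for p, n in per_prefix.items()
                                          if n >= per_prefix_threshold),
        "reflector_count": len(reflectors),
        "prefix_packets": dict(per_prefix),
    }


if __name__ == "__main__":
    print(analyze(synthetic_flows()))
```

With the sample, no single host reaches 1,000 packets, so a per-host rule stays silent, while the /24 as a whole carries 20,000 unsolicited SYN/ACKs from 200 distinct reflectors.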
Speak with our expert team today and prevent and mitigate denial of service attacks with iron-clad guarantees. No equipment to purchase, install or maintain.
Schedule a consultation today and protect your organization.
Data Breach Reports Skyrocket After Implementation of Canada’s Privacy Law
The recent report from the Office of the Privacy Commissioner of Canada showed that data breach reports in Canada skyrocketed after the implementation of the mandatory data breach reporting required under the country’s privacy law.
Mandatory Data Breach Reporting
On November 1, 2018, organizations across Canada became subject to the mandatory data breach reporting under Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA). Prior to the mandatory data breach reporting, data breach reporting was done on a voluntary basis.
Organizations subject to PIPEDA are required to report to the Office of the Privacy Commissioner of Canada any data breaches that pose a real risk of significant harm to an individual or individuals. The law also requires that the affected individual or individuals should be notified and records of all data breaches should be kept within the organization.
The Numbers After One Year of Implementation
Last November 1st, one year after the implementation of mandatory data breach reporting, the Office of the Privacy Commissioner of Canada reported that breach reporting had “skyrocketed”, reaching six times the volume the office had received during the same period one year earlier. According to the Office of the Privacy Commissioner of Canada, from November 1, 2018 to October 31, 2019, a total of 680 breaches were reported to the office, affecting over 28 million Canadians.
The Office of the Privacy Commissioner of Canada said that while some of those reports involved well-known corporate names, a significant volume came from small and medium-sized businesses.
Fifty-eight percent, or 397, of the reported breaches involved unauthorized access, the largest category, the Office of the Privacy Commissioner of Canada said. Key factors behind breaches resulting from unauthorized access were social engineering and malicious insiders.
According to the Office of the Privacy Commissioner of Canada, more than one in five or 147 data breaches reported over the past year involved accidental disclosure, which includes sending critical information to the wrong person as a result of incorrect email or postal address or accidental exposure.
The Office said roughly one in four of the reported breaches involved social engineering attacks such as phishing and impersonation. In phishing attacks, attackers send malicious emails containing malicious links or attachments. Once this malicious link or attachment is clicked, it installs malicious software (malware) on the email receiver’s computer.
In impersonation, the tactic used in business email compromise (BEC) scams, fraudsters convince employees at an organization that they are someone they are not. In a BEC scam, a fraudster impersonates, for instance, the CEO via a spoofed email and convinces an employee of the organization to transfer a certain amount to a bank account controlled by the fraudster.
According to the Office of the Privacy Commissioner of Canada, it observed a growing impersonation scam in the telecommunications industry. In the tactic known as SIM swap, an impersonator convinces a customer service representative of a telecommunications company that he or she is the account holder. Once the representative is convinced, the impersonator can make changes to the account, including having the phone number assigned to a new SIM card under the impersonator’s control, which in turn allows the impersonator to access other accounts.
In related news, the U.S. Federal Bureau of Investigation (FBI) recently issued an alert to its partner organizations warning them about SIM swapping. According to the FBI, between 2018 and 2019 SIM swapping was the most common tactic used by malicious actors to bypass two-factor authentication (2FA), resulting in victims’ bank accounts being drained and their passwords and PINs being changed.
Notable Reported Breaches
The reported breaches at the financial cooperative Desjardins and financial holding company Capital One are two of the notable breaches over the past year as these two breaches affected millions of Canadians. The Desjardins data breach, which was initially announced in June 2019, affected 4.2 million Canadians; while the Capital One data breach, which was initially announced in July 2019, affected 6 million Canadians.
Desjardins attributed the data breach to a single suspect, a former employee, while Capital One attributed the data breach to a “specific configuration vulnerability” in its public cloud infrastructure – a vulnerability exploited by a single suspect, a former employee of the public cloud provider, Amazon Web Services (AWS).
Amazon, for its part, said in a statement, “AWS was not compromised in any way and functioned as designed.” The company added that the Capital One data breach, which also affected 100 million individuals in the United States, wasn’t the result of a vulnerability in the cloud server itself, but of a misconfiguration of firewall settings on a web application that Capital One managed on the cloud server.
Preventive and Mitigating Measures Against Data Breaches
The Office of the Privacy Commissioner of Canada offers the following cyber security measures in order to prevent or mitigate the effects of a data breach:
How Does the Cybersecurity Skill Gap Affect Your Organization and What can You Do to Make it Right?
“There are only two types of companies: those that have been hacked, and those that will be.”
— Robert Mueller, FBI Director
What cybersecurity measures does your organization have in place? And who manages them?
Chances are, you’re struggling to appoint an in-house, qualified cybersecurity specialist. Research by CyberEdge Group reveals that four in five organizations are in the same boat.
This skills gap has decreased in the past couple of years, but it continues to impact different sectors in a major way. Education is the area affected most, with 87.1 percent of organizations having difficulty finding qualified experts, followed by telecommunications & tech (85.1 percent).
The lack of suitable candidates available to help organizations safeguard their systems in an age of ransomware, DDoS attacks and more is concerning. Cybercriminals continue to employ ever-more-sophisticated techniques to disrupt businesses and organizations of different sizes, across all industries (even healthcare). Sensitive data and processes must be protected to minimize threats.
Understaffed organizations on tight budgets are especially vulnerable. 43 percent of cyberattacks target small businesses and just 14 percent of these are prepared — costing them $200,000 on average.
And it makes sense. Leading brands and massive institutions can at least invest in cutting-edge software and external consultations to set up efficient cybersecurity defenses. Smaller ones, particularly startups and non-profits, may be unable to afford either.
Any organization without the finances for a full-time in-house IT specialist can use managed cybersecurity services to protect their system instead. A vulnerability assessment is perhaps the best place to start, to identify your biggest risks and take steps to mitigate them.
But what else can you do to tackle cybersecurity flaws in your organization when you can’t find or afford an in-house specialist?
1. Invest in quality training to make your workforce more cybersecurity-aware
Cybersecurity is a complex area. This means it’s daunting for almost anyone without qualifications or experience in IT to grasp without extensive training.
But this creates an opportunity to empower your staff with the skills, insights and practical knowledge to help your organization stay safe. Determine where your biggest vulnerabilities are and what attacks may pose the biggest risk to your operations.
For example, you might buy high-end hardware and reliable software — yet have no idea how to maximize their performance.
Alternatively, your workforce could consist of people without even basic computer skills or awareness of digital dangers. The mere mention of ransomware or malware could fly right over their heads.
Investing in cybersecurity training obviously incurs expense, but it will pay off when your organization is less susceptible to major disruptions. 60 percent of small- and medium-sized businesses close their doors within six months of being hacked. And the fallout of this can be severe when mammoth investments have been made into trying to keep an organization afloat.
You may already have an idea of which types of training will suit specific employees, based on their work experience, attitude or technical skills. But even if you don’t, taking the time to align the right knowledge upgrades with the right people will ensure organizations maximize the value of their training.
2. Make raising awareness of cybersecurity threats and trends an ongoing part of your company culture
Cybersecurity trends change as hackers’ techniques and technologies evolve. Any organization relying on outmoded measures leaves its systems more vulnerable than they need to be. That’s why it’s so important to stay in touch with the latest attacks, the ways in which they penetrate systems and how businesses deal with them.
For example, companies falling prey to a ransomware scheme may agree to pay the attacker(s) immediately out of desperation to get back on track. But there’s no guarantee that those responsible will honor their word and return your system to normal. They could take the money and leave the organization locked out of its own network.
A failure to research and keep track of the latest developments in ransomware — as well as the wider world of cybersecurity — means an organization would be more likely to hand over the cash without considering the potential fallout. As a result, it might spend thousands of dollars and still be forced to close up shop when its data remains out of reach.
Cultivate a greater awareness of cybersecurity in your organization. Share news stories, articles and updates related to the industry on a regular basis. Encourage staff to get involved with local initiatives or conferences designed to increase cybersecurity education. Offer incentives for anyone interested in growing their skill set.
Building a workforce with a deeper understanding of common cybersecurity threats, and the measures required to combat them, can make a significant difference to your organization’s safety in the future.
And don’t overlook the basics, either. Encourage staff to stay safe and remain vigilant whenever they’re online. This includes:
Another key issue to consider in your organization’s cybersecurity strategy is updating systems when employees leave, including shutting down any sessions they still have open; this is often overlooked by IT departments.
Change login details to stop departed employees from gaining access to sensitive data or allowing others to do so. Even workers who seem trustworthy could still go on to compromise your organization’s security, intentionally or not.
Every organization must take cybersecurity seriously. While the skill gap may make finding a qualified, experienced expert to manage your cybersecurity in-house difficult (if not impossible, depending on your budget), following the tips explored above can make a real difference.
Managed cybersecurity services are a cost-effective, simple way to identify your organization’s gaps and fill them. Reliable specialists will perform a vulnerability assessment, reduce your chances of suffering a data breach and protect cloud & on-premise environments — safeguarding your systems on all fronts.
Take action. Make a stand. Protect your organization against cyber-attacks. Contact our experts now.
Everything You Need To Know About The Recent Adobe Creative Cloud Data Breach
Adobe recently admitted that it made a mistake in configuring its cloud database, resulting in the inadvertent exposure of its Creative Cloud customer information. This latest cyber incident adds to the growing number of misconfigured cloud databases, resulting in the exposure of important customer data.
Last October 25th, Comparitech and security researcher Bob Diachenko reported that Adobe exposed its Elasticsearch database without a password or any other authentication, leaving nearly 7.5 million Adobe Creative Cloud user records open to anyone with a web browser. According to Diachenko, the Elasticsearch database of Adobe was exposed for almost a week. Comparitech and Diachenko said that Adobe secured the database on the same day it was notified about the data exposure.
Adobe, meanwhile, acknowledged that one of its “prototype environments” was “misconfigured,” which resulted in the inadvertent exposure of Creative Cloud customer information, including e-mail addresses. The company said no passwords or financial information were exposed in the said incident. “We are reviewing our development processes to help prevent a similar issue occurring in the future,” Adobe said.
Elasticsearch Database Misconfigurations
Elasticsearch is software that allows users to index and search textual, numerical, geospatial, structured and unstructured data. It was first released in 2010 by Elasticsearch N.V., now known as Elastic.
In January 2017, John Matherly reported that 35,000 Elasticsearch databases were exposed on the internet, with most of them deployed on Amazon Web Services (AWS) – a subsidiary of Amazon that provides on-demand cloud computing platforms. Matherly is the developer of Shodan, a search engine that allows users to find anything connected to the internet, including webcams, routers and servers.
Exposing your organization’s Elasticsearch databases to anyone with a web browser opens your organization to ransomware attacks. In January 2017, security researcher Niall Merrigan reported that, using Shodan and "crunching some data", he found 4,000 Elasticsearch databases that had fallen victim to ransomware attacks.
The first report of an Elasticsearch database being hit by ransomware appeared on the official Elastic forum. In a ransomware attack on an Elasticsearch database, data indices are wiped out and replaced with a single index warning that says, “SEND 0.2 BTC TO THIS WALLET: 1DAsGY4Kt1a4LCTPMH5vm5PqX32eZmot4r IF YOU WANT RECOVER YOUR DATABASE! SEND TO THIS EMAIL YOUR SERVER IP AFTER SENDING THE BITCOINS….”
Exposing your organization’s Elasticsearch databases to anyone with a web browser also puts your customers at risk to targeted phishing scams. Attackers, for instance, could create phishing scams that target the Adobe Creative Cloud users whose emails were leaked.
Phishing scams weaponize email: attackers send messages to random or targeted individuals, tricking recipients into opening emails that carry malicious links or attachments. Clicking such a link or attachment leads to the installation of malicious software (malware) on the recipient’s computer.
“The information exposed in this leak could be used against Adobe Creative Cloud users in targeted phishing emails and scams,” said Comparitech and Diachenko. “Fraudsters could pose as Adobe or a related company and trick users into giving up further info, such as passwords, for example.”
How to Secure Your Organization’s Elasticsearch Database
Elastic, the company behind Elasticsearch, said that it isn’t responsible for the exposure of sensitive data in internet-facing Elasticsearch. “Recent reports about sensitive data being exposed in Internet-facing Elasticsearch instances are not related to defects or vulnerabilities in Elastic-developed software,” Mike Paquette, security product director at Elastic, told Infosecurity Magazine. “Reports usually involve instances where individuals or organizations have actively configured their installations to allow unauthorized and authenticated users to access their data over the internet.”
Paquette added that Elasticsearch, by default, doesn’t allow outsiders to snoop on an Elasticsearch database, since it only communicates on local addresses by default. If a system administrator wants the database to be accessible to unauthorized and authenticated users, Paquette said, it has to be configured for that explicitly. He added that system administrators often configure Elasticsearch databases to be accessible in this way during testing and then forget to change the configuration in production.
Another reason why Elasticsearch databases keep getting hacked is the absence of additional authentication measures such as multi-factor authentication. In the case of Elasticsearch, while its open source features are free, additional features of the software such as multi-factor authentication are available only under the Elastic license and paid subscriptions, which means that organizations have to pay to get this extra layer of protection.
Another reason why Elasticsearch databases keep getting hacked is the wrong assumption that deploying an Elasticsearch database on AWS protects it. According to AWS, securing Elasticsearch databases deployed on AWS needs extra work, such as restricting access based on source IP addresses or locking down access even further based on job functions and roles, such that an “esadmin” has administrator power over the database, a “poweruser” has access to all domains but cannot perform management functions, and an “analyticsviewer” can only read data from the analytics index.
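The two exposure paths described in the preceding paragraphs, a node whose `network.host` was opened up for testing and never closed, and an AWS-hosted domain whose access policy restricts nothing by source IP, can both be caught by a small configuration audit. The following is an added example written for this article, not code from Elastic or AWS; it assumes the 7.x-era basic-licence default in which `xpack.security.enabled` is false unless set, and all sample configurations, the account id and the CIDR block are constructed.

```python
"""Audit helpers for the two Elasticsearch exposure paths described above:
a node whose network.host was opened up for testing with security left off,
and an AWS-hosted domain whose access policy grants anonymous access with no
source-IP condition.  Added example; all sample inputs are constructed."""
import json
import re

# network.host values that keep the HTTP API on the local machine only.
# "_local_" is the Elasticsearch default when the setting is absent.
PRIVATE_HOSTS = {"_local_", "127.0.0.1", "::1", "localhost"}


def parse_flat_yaml(text):
    """Read the flat 'key: value' lines of an elasticsearch.yml.
    Comments and blank lines are skipped; nested YAML is out of scope here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = re.match(r"^([\w.]+)\s*:\s*(.*)$", line)
        if match:
            settings[match.group(1)] = match.group(2).strip().strip("'\"")
    return settings


def audit_elasticsearch_yml(text):
    """Return findings for a node reachable beyond localhost without
    authentication.  Assumes the 7.x basic-licence default, where
    xpack.security.enabled is false unless set explicitly."""
    cfg = parse_flat_yaml(text)
    host = cfg.get("network.host", "_local_")
    port = cfg.get("http.port", "9200")
    security_on = cfg.get("xpack.security.enabled", "false").lower() == "true"
    findings = []
    if host not in PRIVATE_HOSTS and not security_on:
        findings.append(
            f"network.host={host} exposes port {port} beyond localhost and "
            "xpack.security.enabled is not true: anyone who can reach the port "
            "can read, overwrite or delete every index")
    return findings


def audit_domain_policy(policy_json):
    """Flag Allow statements in an AWS domain access policy that give the
    anonymous principal ('*') access without an aws:SourceIp condition.
    This is a heuristic, not a full IAM policy evaluator."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for st in statements:
        principal = st.get("Principal")
        anonymous = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*")
        if st.get("Effect") != "Allow" or not anonymous:
            continue
        conditions = st.get("Condition", {})
        ip_bound = any("aws:SourceIp" in ops for ops in conditions.values()
                       if isinstance(ops, dict))
        if not ip_bound:
            findings.append(f"anonymous Allow on {st.get('Action')} for "
                            f"{st.get('Resource')} has no aws:SourceIp condition")
    return findings


# Constructed sample inputs (not from any real deployment).
WEAK_YML = """
cluster.name: prototype
network.host: 0.0.0.0          # opened for testing, never closed
http.port: 9200
"""

HARDENED_YML = """
cluster.name: prototype
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: true   # remote clients must authenticate
"""

OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "es:*",
    "Resource": "arn:aws:es:us-east-1:111111111111:domain/prototype/*"}]})

RESTRICTED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "es:ESHttp*",
    "Resource": "arn:aws:es:us-east-1:111111111111:domain/prototype/*",
    "Condition": {"IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]}}}]})

if __name__ == "__main__":
    for name, text in [("weak", WEAK_YML), ("hardened", HARDENED_YML)]:
        print(name, audit_elasticsearch_yml(text))
    for name, pol in [("open", OPEN_POLICY), ("restricted", RESTRICTED_POLICY)]:
        print(name, audit_domain_policy(pol))
```

Run against a node's `elasticsearch.yml` and the domain's access policy document; the weak samples produce one finding each and the hardened samples none. The policy check is deliberately narrow: it only looks for the anonymous-principal-without-IP-condition pattern behind most of the open-database reports, so a policy that fails this check is exposed, while one that passes still deserves a review of the roles it grants.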
Critical information, as a rule, shouldn’t be exposed to the public internet. It’s important to practice segmentation when using an Elasticsearch database and when deploying it to a public cloud such as AWS. In segmentation, critical information such as financial data is isolated from other, less sensitive information.
Concerned about cybersecurity posture of your cloud infrastructure? Contact us at email@example.com and we will be happy to help.
Risks & Dangers of Remote Access
Avast and NordVPN, on the same day last October 21st, disclosed a separate and unrelated unauthorized intrusion into their respective networks. While these network intrusions were unrelated, these intrusions were a result of a common cyber security weakness: remote access.
What Is Remote Access?
Remote access allows a user to reach a computer or a network without having physical access to that computer or private network. Remote access to a private network can be achieved through a virtual private network (VPN) or a remote access feature of an operating system.
An example of a remote access feature of an operating system is the remote desktop protocol (RDP). In Windows operating systems, RDP allows network administrators to manage or troubleshoot computers over the internet.
VPN service providers, meanwhile, promise to offer secure and encrypted connections to their customers. In both VPN and RDP, access to the private network is made from a remote location using a laptop, desktop computer or mobile device connected to the internet.
Unauthorized Remote Access on Avast Network
Last October 21st, Avast, in a statement, said that on September 23 of this year, it identified suspicious activity on its network. After further analysis, Avast said it found that its internal network was successfully accessed with compromised credentials through a temporary VPN profile that had erroneously been kept enabled and didn’t require 2-factor authentication (2FA).
Avast said that the malicious actor had been attempting to gain access to the company’s network through its VPN as early as May 14 of this year. The company said it closed the temporary VPN profile that was accessed by a malicious actor.
As a precaution, the company suspended the upcoming releases of its product CCleaner and started checking prior CCleaner releases and verified whether malicious alterations had been made. As an added precaution, the company also re-signed a clean update of the product and provided it to users through an automatic update last October 15th.
Avast admitted in September 2017 that its product CCleaner, which it acquired from Piriform on July 18, 2017, had been compromised by malicious actors, resulting in 2.27 million downloads of the corrupted CCleaner version by unwitting customers.
Unauthorized Remote Access on NordVPN Network
Last October 21st, virtual private network service provider NordVPN admitted that in March 2018, one of its servers, which the company rented from a third-party data center in Finland, was accessed without authorization.
NordVPN said that the attacker gained access to the server by exploiting an “insecure” remote management system left by the data center provider. The virtual private network service provider said it had no knowledge the data center provider was using the remote management system.
NordVPN said it immediately terminated the contract with the third-party data center and destroyed all servers that the company had been renting from it. The virtual private network service provider said that a TLS key was taken at the same time the data center was exploited.
The company said that no user credentials have been intercepted. It also said that the TLS key “couldn’t possibly have been used to decrypt the VPN traffic of any other server.” NordVPN said that “the only possible way to abuse website traffic was by performing a personalized and complicated MiTM [man-in-the-middle] attack to intercept a single connection that tried to access nordvpn.com”.
In a man-in-the-middle attack, the attacker intercepts user traffic to steal credentials and other important information. The attacker then uses this stolen information to access the actual destination network. Preventing man-in-the-middle attacks is the reason why people use a VPN in the first place.
"Intercepting TLS traffic isn't as hard as they make it seem," a security researcher who uses the name “hexdefined”, one of those who analyzed the data exposed in the NordVPN breach, told Ars Technica. "There are tools to do it, and I was able to set up a Web server using their TLS key with two lines of configuration. The attacker would need to be able to intercept the victim's traffic (e.g. on public Wi-Fi)."
Preventive and Mitigating Measures
While remote management systems such as RDP and VPN have a number of benefits, their inherent weakness shouldn’t be ignored: these systems open a door from the public internet into your organization’s network. These doors should be kept closed and opened only to authorized personnel.
One of the preventive measures in protecting these remote management systems from unauthorized entry is through the use of multi-factor authentication or 2-factor authentication. As shown in the case of the Avast data breach, using a VPN account without 2-factor authentication attracts malicious actors.
It’s important to note that there are currently tools to bypass 2-factor or multi-factor authentication. For instance, security researchers at DEVCORE disclosed that they were able to access Twitter’s internal network by bypassing the 2-factor authentication on the VPN used by Twitter. While multi-factor or 2-factor authentication isn’t a cure-all for protecting your organization’s network, this security measure reduces a number of attack surfaces.
Network segmentation, the practice of splitting your organization’s network into subnetworks, is another cyber security measure that blocks malicious actors. This practice ensures that if one subnetwork is breached, the others aren’t affected.
It’s also ideal not to install remote management systems on the servers that house your organization’s critical data, or to disable them where they are already present, so that this data isn’t exposed to the public internet.
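The Avast intrusion above had two warning signs that a VPN authentication log would have shown: months of failed logins against one profile that eventually succeeded, and a successful login on a profile that asked for no second factor. The detector below is an added example for this article, not Avast's or any vendor's code; the log line format and the log lines themselves are constructed for the example and would need adapting to a real appliance's syslog format.

```python
"""Detector for the two warning signs in the Avast intrusion described above:
a long run of failed VPN logins that finally succeeds, and a successful login
on a profile that asked for no second factor.  Added example; the log format
and lines are constructed, not from any real VPN appliance."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+) vpn profile=(?P<profile>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>OK|FAIL) mfa=(?P<mfa>yes|no)$")


def parse_events(lines):
    """Turn raw lines into dicts; lines that do not match are dropped."""
    events = []
    for line in lines:
        match = LOG_RE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def detect(lines, fail_threshold=5):
    """Return alert strings.  Failures are counted per (user, source) until
    a success resets them; a real detector would also window by time."""
    failures = defaultdict(int)
    alerts = []
    for ev in parse_events(lines):
        key = (ev["user"], ev["src"])
        if ev["result"] == "FAIL":
            failures[key] += 1
            continue
        # A success preceded by many failures from the same source is the
        # signature of password guessing that finally worked.
        if failures[key] >= fail_threshold:
            alerts.append(f"{ev['ts']} {ev['user']} from {ev['src']}: success after "
                          f"{failures[key]} failures, password guessing likely succeeded")
        # Any accepted login that skipped the second factor is worth a ticket
        # on its own, whatever the failure history.
        if ev["mfa"] == "no":
            alerts.append(f"{ev['ts']} {ev['user']} via profile {ev['profile']}: "
                          "login accepted without a second factor")
        failures[key] = 0
    return alerts


# Constructed sample log: months of guessing against a temporary profile that
# was left enabled without MFA, plus one ordinary login with MFA.
SAMPLE_LOG = """
2019-05-14T03:12:07Z vpn profile=temp-vendor user=svc-temp src=198.51.100.7 result=FAIL mfa=no
2019-06-02T22:40:19Z vpn profile=temp-vendor user=svc-temp src=198.51.100.7 result=FAIL mfa=no
2019-07-19T01:05:44Z vpn profile=temp-vendor user=svc-temp src=198.51.100.7 result=FAIL mfa=no
2019-08-30T04:58:02Z vpn profile=temp-vendor user=svc-temp src=198.51.100.7 result=FAIL mfa=no
2019-09-20T02:17:33Z vpn profile=temp-vendor user=svc-temp src=198.51.100.7 result=FAIL mfa=no
2019-09-23T02:41:10Z vpn profile=temp-vendor user=svc-temp src=198.51.100.7 result=OK mfa=no
2019-09-23T08:02:51Z vpn profile=staff user=alice src=192.0.2.44 result=OK mfa=yes
""".strip().splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample log the detector raises two alerts for the `svc-temp` login and none for `alice`. Counting failures across months, as this does, is what catches the slow, patient guessing in the Avast case; a threshold that resets every few minutes would have missed it entirely.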
Real-Life Cases Show Some Types of 2FA Can Be Bypassed
A number of cyber incidents in the past few years have demonstrated that certain types of multi-factor authentication or two-factor authentication (2FA) can easily be bypassed.
What Is Multi-Factor Authentication? What Is 2FA?
Multi-factor authentication is an added layer of security in which a user is required to present two or more pieces of proof in order to be granted access to a computer system or application.
Two-factor authentication (2FA) is the more popular type of multi-factor authentication. In a typical 2FA, in addition to the traditional authentication method of a combination of username and password, a user is required to present one more authentication proof. Examples of these additional authentication proofs include a one-time code that changes over time, biometrics or behavioural information such as IP address, time of day or geolocation.
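The "one-time code that changes over time" mentioned above is usually a TOTP (RFC 6238) code: the client and server share a secret, and the code is an HMAC over the current 30-second time step, truncated to six digits. The block below is an added example written for this article, not code from any of the vendors named on the page. It shows the code generation and the two checks a server-side verifier needs, a small clock-drift window and replay rejection; the secret is the RFC 6238 test key, not a real credential.

```python
"""A time-based one-time code (TOTP, RFC 6238) of the kind mentioned above,
with the server-side checks a verifier needs: a small clock-drift window and
replay protection.  Added example, not code from the original post; the
secret below is the RFC 6238 test key, not a real credential."""
import hashlib
import hmac
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Code for the time step containing unix_time (HMAC-SHA1 variant)."""
    counter = unix_time // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Accepts codes from the current step and `drift` steps either side, and
    never accepts a time step at or below the last one used, so a code that
    is submitted a second time is rejected.  This does not stop a real-time
    relay in which the attacker submits the freshly phished code first."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, drift: int = 1):
        self.secret, self.step, self.digits, self.drift = secret, step, digits, drift
        self.last_counter = -1

    def verify(self, code: str, now: int) -> bool:
        base = now // self.step
        for counter in range(base - self.drift, base + self.drift + 1):
            if counter < 0 or counter <= self.last_counter:
                continue
            expected = totp(self.secret, counter * self.step, self.step, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time compare
                self.last_counter = counter
                return True
        return False


RFC_TEST_SECRET = b"12345678901234567890"   # from RFC 6238 Appendix B

if __name__ == "__main__":
    print(totp(RFC_TEST_SECRET, 59))            # 287082 per RFC 6238
    v = TotpVerifier(RFC_TEST_SECRET)
    print(v.verify("287082", 59), v.verify("287082", 59))   # True, then False
```

The replay check is what makes a stolen code useless a minute later; the phishing and session hijacking methods described below work precisely because they avoid that window, either by using the code within it or by stealing the session that the code unlocked.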
3 Ways 2FA Can Be Bypassed
In the past few years, the following 3 methods have been used to bypass or circumvent certain types of 2FA:
1. SIM Swap
In the SIM swap method, an attacker convinces a customer service representative at the intended victim’s phone company to move the victim’s number to a SIM card the attacker controls, allowing the attacker to intercept the 2FA security codes meant for the victim and use them to access a computer system or application.
Last month, the U.S. Federal Bureau of Investigation (FBI) issued an alert to its partner organizations warning them about SIM swapping. According to the FBI, between 2018 and 2019 SIM swapping was the most common tactic used by cyber criminals to circumvent 2-factor authentication. Victims of SIM swapping attacks, the FBI said, had their bank accounts drained and their passwords and PINs changed.
Last year, Reddit disclosed that all Reddit data from 2007 and before, including account credentials and email addresses, as well as email digests sent by Reddit in June 2018, had been illegally accessed. The company said that the weaknesses inherent to SMS-based 2FA appeared to be the root cause of this incident. The company added that “SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept”.
Reddit, however, didn’t specify how SMS-based 2FA one-time code was intercepted. At the time of the Reddit attack, the known methods in intercepting SMS-based 2FA one-time code were through SIM swapping and mobile number port-out scams.
In port-out scams, instead of a SIM swap, an attacker impersonates an intended victim and requests that the victim’s mobile number be transferred to another mobile network provider. In both SIM swap and port-out scams, one-time codes delivered by SMS are delivered to a phone controlled by the attackers.
2. Phishing Scheme
The second method by which 2FA can be bypassed is a phishing scheme. In December 2018, researchers at Certfa Lab detected a phishing campaign in which attackers, knowing that their victims used two-step verification on their Gmail and Yahoo accounts, created phishing pages for both the desktop and mobile versions of the Google and Yahoo mail services.
These phishing pages ask the victims for their username and password combination as well as their 2-step verification code. The attackers then enter this username, password and 2-step verification code into Google’s or Yahoo’s genuine website and hijack the victims’ email accounts.
A victim is lured to one of these phishing sites by a fake email alert, purportedly from the email provider, stating that unauthorized individuals have tried to access their account. The fake alert asks the victim to review and restrict the suspicious access via the link provided in the email, which leads to the attackers’ phishing site.
3. Session Hijacking
The third method by which 2FA can be bypassed is session hijacking. Among the 3 methods of bypassing 2FA, session hijacking is the most technical.
A few months ago a toolkit that bypasses 2FA via session hijacking was publicly released. This toolkit uses Muraena and NecroBrowser. According to the authors of this toolkit, Muraena is a “custom target-agnostic reverse proxy solution”, while NecroBrowser takes care of the “instrumentation and session riding”. According to the FBI, the Muraena tool intercepts traffic between a user and a target website that requires the usual username and password combination and a 2FA code, while NecroBrowser allows cyber actors to hijack these private accounts and make changes to them while maintaining access for as long as possible.
Last month, security researchers at DEVCORE reported a different form of session hijacking that enabled them to access Twitter Intranet. According to the DEVCORE researchers, they were able to access Twitter Intranet by bypassing the 2FA of the SSL VPN used by the company.
“Twitter enabled the Roaming Session feature, which is used to enhance mobility and allows a session from multiple IP locations,” the DEVCORE researchers said. “Due to this ‘convenient’ feature, we can just download the session database and forge our cookies to log into their system!”
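The DEVCORE finding above combines two design choices: a session database whose records are directly usable as cookies, and a "roaming" option that drops the check tying a session to the IP address it was created from. The session store below is an added example for this article, not code from DEVCORE or the VPN vendor; it stores only a hash of each token, so a copied database cannot be turned into a valid cookie, and it makes the IP binding an explicit switch so the cost of turning roaming on is visible in the code.

```python
"""Session handling that limits the damage of a leaked session database, the
weakness described above: only a hash of each token is stored server-side,
so the database alone yields no usable cookie, and each session can be bound
to the IP address seen at login, which is the check a "roaming session"
option turns off.  Added example, not code from DEVCORE or the VPN vendor."""
import hashlib
import secrets


class SessionStore:
    def __init__(self, roaming: bool = False, ttl: int = 3600):
        self.roaming = roaming   # True: accept the session from any IP address
        self.ttl = ttl
        self.rows = {}           # token hash -> record; this is what a leak exposes

    @staticmethod
    def _digest(token: str) -> str:
        # The raw token never touches the database.  A stolen hash cannot be
        # replayed because resolve() hashes whatever the client presents.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user: str, client_ip: str, now: int) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits of randomness, sent as the cookie
        self.rows[self._digest(token)] = {
            "user": user, "ip": client_ip, "expires": now + self.ttl}
        return token

    def resolve(self, token: str, client_ip: str, now: int):
        """Return the user for a presented cookie, or None if it is unknown,
        expired, or (when roaming is off) presented from a different IP."""
        row = self.rows.get(self._digest(token))
        if row is None or now > row["expires"]:
            return None
        if not self.roaming and row["ip"] != client_ip:
            return None
        return row["user"]

    def leaked_records(self):
        """What an attacker who copied the session database would hold."""
        return list(self.rows.keys())


if __name__ == "__main__":
    store = SessionStore()
    cookie = store.login("alice", "10.0.0.5", now=1000)
    print(store.resolve(cookie, "10.0.0.5", now=1500))       # alice
    print(store.resolve(cookie, "203.0.113.9", now=1500))    # None: IP mismatch
    for leaked in store.leaked_records():
        print(store.resolve(leaked, "10.0.0.5", now=1500))   # None: hash is not the token
```

With roaming off, a copied database yields nothing usable and a stolen cookie only works from the original address; with roaming on, the hashing still protects against the database download, but a cookie taken from the client works from anywhere, which is the trade-off the "convenient" feature makes.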
Preventive and Mitigating Measures
There’s a reason why multi-factor authentication or 2FA is widely used by organizations today. Instead of relying merely on the traditional username and password combination, multi-factor authentication provides an extra layer of security to systems or applications.
The use of multi-factor authentication can decrease numerous attack surfaces. Using multi-factor authentication, however, shouldn’t give your organization a false sense of security. As shown in the above-mentioned examples, certain types of multi-factor authentication or 2FA can be bypassed.
Hospitals in Different Parts of the World Hit by Ransomware Attacks
Michael Garron Hospital, formerly Toronto East General Hospital, recently confirmed that it was a victim of the ransomware called “Ryuk”, turning the spotlight on this ransomware and on ransomware in general.
Sarah Downey, President and CEO of Michael Garron Hospital, said in a statement that on September 25th the hospital became aware that malicious software (malware), later identified as Ryuk, had infected the hospital’s servers. As a result of the ransomware attack, Downey said, “some data has been damaged” and, for the first time in many years, the hospital’s clinical teams were forced to revert to paper processes and to using the telephone to call codes, access porters and check dietary orders.
The President and CEO of Michael Garron Hospital said that as a result of the attack, some of the hospital’s outpatient services were affected, with some appointments canceled and rescheduled. Downey added that the affected servers are being cleansed and it may take a few weeks for some of the hospital’s systems that are less critical to operations to be fully restored. Downey further said that the hospital hasn’t been in contact with anyone about ransom payment.
What Is Ransomware?
Ransomware is a type of malware that’s designed to deny access to a computer system or data until a ransom is paid. To deny legitimate users access, attackers encrypt the system or data, turning it into an unreadable form that only the attackers can restore using their decryption keys.
In ransomware attacks, these decryption keys are typically handed over to the victims in exchange for a ransom payment. All too often, ransomware attackers victimize organizations that can’t tolerate any downtime, making ransom payment all the more compelling.
Paying the ransom, however, doesn’t guarantee that victims can recover their encrypted systems or data as the decryption keys could simply be designed to not work at all.
What Is Ryuk Ransomware?
Ryuk ransomware was first observed in the wild in August 2018. In June 2019, UK's National Cyber Security Centre (NCSC) issued a Ryuk advisory, warning organizations globally about this ransomware.
Ryuk is often linked with two other malware families: Emotet and Trickbot. Emotet was first observed in the wild in 2014, Trickbot in 2016. In a Ryuk attack, Emotet is used to drop Trickbot. Trickbot, for its part, deploys hacking tools that enable remote monitoring of the victim’s computer, harvest credentials and allow the attackers to move to other computers within the network.
Only when a ransomware opportunity is present is Ryuk deployed. It’s therefore possible for an organization to be infected initially without any visible sign of a ransomware attack.
Prior to installing itself into the affected computer, Ryuk will first attempt to disable certain antimalware or antivirus software. Ryuk has the ability to spread to other computers within the same network as it is designed to enumerate network shares and encrypt those it can access.
According to the NCSC, it’s possible that Ryuk could be deployed through an infection chain other than Emotet and Trickbot. The NCSC added that in a Ryuk attack it’s difficult to recover the infected computer from backups, as this malware uses anti-forensic recovery techniques such as manipulating the virtual shadow copy.
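The shadow-copy manipulation the NCSC describes is visible in process-creation telemetry before any file is encrypted, which makes it one of the few early signals in a Ryuk intrusion. The detector below is an added example for this article, not NCSC or vendor code: it runs over events in a constructed `timestamp|host|user|command line` format (not a real EDR export), matching the well-known command-line patterns used in public detection rules for shadow copy deletion, and leaves routine `list shadows` checks by a backup operator alone.

```python
"""Detection logic for the anti-recovery step attributed to Ryuk above:
deleting Volume Shadow Copies so that local restore points are gone before
encryption.  Runs over process-creation events in a constructed
'timestamp|host|user|command line' format (not a real EDR export); the
command-line patterns are the standard ones used in public detection rules."""
import re

# Command lines that delete shadow copies outright or shrink the storage so
# that existing copies are discarded.  Legitimate backup tooling very rarely
# does either; treat a hit on a workstation as high priority.
SHADOW_TAMPER_PATTERNS = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
]


def detect_shadow_copy_tampering(lines):
    """Return one alert string per event whose command line matches.
    A read-only 'vssadmin list shadows' is deliberately not matched."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, host, user, cmdline = line.split("|", 3)
        if any(p.search(cmdline) for p in SHADOW_TAMPER_PATTERNS):
            alerts.append(f"{ts} {host} {user}: shadow copy tampering: {cmdline}")
    return alerts


# Constructed events: one routine check by the backup account, then two
# tampering commands from a user account shortly before encryption.
SAMPLE_EVENTS = """
2019-09-25T01:02:10Z|WS-0412|backupsvc|C:\\Windows\\System32\\vssadmin.exe list shadows
2019-09-25T01:14:55Z|WS-0412|jsmith|C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet
2019-09-25T01:15:02Z|WS-0412|jsmith|C:\\Windows\\System32\\wbem\\wmic.exe shadowcopy delete
""".strip().splitlines()

if __name__ == "__main__":
    for alert in detect_shadow_copy_tampering(SAMPLE_EVENTS):
        print(alert)
```

The sample produces two alerts, both for `jsmith`, and none for the backup account's listing. Because Ryuk is deployed only after Emotet and Trickbot have had time to spread, an alert like this on one host should trigger a check of the whole network segment, not just the machine that raised it.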
Other Cases of Ransomware Attacks
Hospitals and healthcare providers are targeted by ransomware attackers because these establishments cannot withstand IT downtime. In recent weeks, in addition to the Michael Garron Hospital, two other hospitals in Canada belonging to the Listowel Wingham Hospitals Alliance (LWHA), Listowel Memorial Hospital and Wingham and District Hospital, were also hit by ransomware.
In a statement, Listowel Wingham Hospitals Alliance said that since last September 26th its IT system has been shut down as a result of a ransomware attack. As a result of the attack, the Alliance said, “Manual and paper downtime procedures remain in place.” The Alliance hasn’t named the specific type of ransomware that hit the two hospitals.
A number of hospitals and health services in Gippsland and south-west Victoria, Australia, meanwhile, have been impacted by a ransomware attack. Victoria's Department of Premier and Cabinet, in a statement, said that the ransomware was uncovered last September 30th.
Last month, U.S. healthcare provider Wood Ranch Medical announced that it will permanently close its practice on December 17, 2019 as a direct result of a ransomware attack. Wood Ranch Medical, in a statement, said that on August 10, 2019 it suffered a ransomware attack on its computer systems. The provider, without naming the specific type of ransomware, said that it encrypted its servers and the backup hard drives containing patients’ electronic health records.
“Unfortunately, the damage to our computer system was such that we are unable to recover the data stored there and, with our backup system encrypted as well, we cannot rebuild our medical records,” Wood Ranch Medical said. “We will be closing our practice and ceasing operations on December 17, 2019.”
Last October 1st, DCH Health System, which runs 3 hospitals: DCH Regional Medical Center in Tuscaloosa, Northport Medical Center and Fayette Medical Center, announced that it suffered a ransomware attack that impacted its systems. The specific type of ransomware wasn’t disclosed.
Last October 6th, DCH Health System said that it “obtained a decryption key from the attacker to restore access to locked systems.” The organization didn’t specify whether ransom was paid. There are reports, however, that indicate that DCH Health System paid the attacker ransom.
Organizations large and small fall victims to ransomware too often. Contact us to speak with our cybersecurity experts today to develop a solid protection and mitigation strategy reducing your stress and protecting your organization.
Steve E. Driz, I.S.P., ITCP