Capital One Data Breach Aftermath: 3 Cyber Threats that Every Organization Should be Mindful Of
The data breach at Capital One Financial Corporation, which affected approximately 100 million individuals in the U.S. and approximately 6 million in Canada, throws light on 3 cyber threats that every organization using the public cloud should be mindful of: account takeover, attacks on a misconfigured web application firewall (WAF) and Server-Side Request Forgery (SSRF).
Large enterprises like Capital One build their own web applications on top of Amazon’s cloud services to meet their specific needs. Amazon told the New York Times it had found no evidence of compromise on its underlying cloud services, adding that customers fully control the web applications they build on top of them.
On July 29th, the U.S. Department of Justice arrested a Seattle resident for the intrusion into Capital One’s stored data. The arrest followed an email sent to Capital One’s responsible-disclosure address: the tipster wrote that someone’s GitHub account was exposing data that appeared to belong to Capital One.
In the indictment document, Joel Martini, Special Agent at the U.S. Federal Bureau of Investigation (FBI), stated that the exposed data was verified to belong to Capital One and that the GitHub account was traced to the accused Seattle resident, who uses the handle “erratic” on her Twitter and Slack accounts. A review of June 26, 2019 Slack postings, Special Agent Martini said, showed that Erratic claimed to be in possession of files belonging to several companies, government entities and educational institutions, one of which was associated with Capital One.
Capital One, in a statement, said that it had fixed the “configuration vulnerability” that was exploited in the data breach. Publicly available data and new information, however, show that more than one weakness was exploited in the Capital One data breach.
1. Account Takeover
Account takeover refers to accessing someone else’s online account for malicious purposes. In the indictment, Special Agent Martini stated that the file publicly exposed by Erratic in her GitHub account contained a list of more than 700 folders and the code for three commands.
The first command, when executed, obtained the login details (credentials) for an account that enabled access to certain storage space of Capital One at Amazon’s cloud service. That account, which had the necessary permissions, was then used to list and copy Capital One’s data. The indictment didn’t spell out how the accused obtained the credentials of that account; the SSRF section later in this piece describes the mechanism that has since been reported.
2. Misconfigured Web Application Firewall (WAF)
A web application firewall (WAF) filters, monitors and blocks traffic between a web application and the internet. A properly configured WAF blacklists and/or whitelists traffic to and from a web application.
A WAF that operates on a blacklist, also known as a negative security model, blocks traffic that matches known-bad patterns and lets everything else through. A WAF that operates on a whitelist, also known as a positive security model, grants entry only to traffic that has been pre-approved. Many of today’s WAFs implement both models. A typical WAF also protects web applications from SQL injection and other common attacks against web applications.
In the indictment document, Special Agent Martini stated that the data breach at Capital One was the result of a misconfigured WAF. Capital One’s logs show a number of connections or attempted connections from IP addresses beginning with 46.246. Specifically, on or about March 12, 2019, the logs show an IP address beginning in 46.246 attempting to access Capital One’s cloud data. Publicly available records show that this IP address is controlled by a company that provides VPN services.
Capital One’s logs also show IP addresses believed to be TOR exit nodes accessing Capital One’s cloud data on or about March 22, 2019. A WAF configured to blacklist could have blocked addresses such as those belonging to the known VPN provider and Tor exit nodes; a WAF configured to whitelist could have admitted only the addresses used by authorized Capital One personnel. Malicious actors, however, continually find creative ways to break into web applications shielded by properly configured WAFs, and IP-based blocking in particular is easily evaded by switching exit points, so it supplements rather than replaces fixing the underlying application flaw.
3. Server Side Request Forgery (SSRF) Vulnerability
New information has recently been made public about the Capital One data breach. Based on new data, including information from someone privy to details of the ongoing investigation, during the attack period Capital One used ModSecurity, an open-source WAF that is commonly deployed as a module of the open-source Apache web server.
The new report said that a Server-Side Request Forgery (SSRF) vulnerability was exploited in the Capital One data breach. While ModSecurity protects web applications against many common attack categories, it does not, on its own, protect against SSRF.
MITREdescribes SSRF in this manner: “The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. By providing URLs to unexpected hosts or ports, attackers can make it appear that the server is sending the request, possibly bypassing access controls such as firewalls that prevent the attackers from accessing the URLs directly.”
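The vulnerability class MITRE describes above is most dangerous in the cloud because the server can be pointed at its own instance metadata service, which hands out the temporary credentials of the instance’s role. The following is an added example, not Capital One’s code, not ModSecurity, and not drawn from the indictment, of the SSRF-prone pattern beside a hardened destination validator for a hypothetical report-import endpoint. The allowlisted hosts, the fake DNS table and the URLs are assumptions constructed for the demo; the blocked address ranges and the metadata address 169.254.169.254 are general knowledge about link-local addressing and the major clouds, not something the article states.

```python
"""Destination validation for a server-side URL fetcher (SSRF defence).

Added example, not Capital One's code or ModSecurity's: a hypothetical
report-import endpoint that fetches a user-supplied URL. The allowlist,
the fake DNS table and the URLs below are all constructed for the demo.
"""
import ipaddress
import socket
from urllib.parse import urlparse

# Hosts this service is allowed to fetch from (assumption: in a real service
# this comes from configuration, never from the request).
ALLOWED_HOSTS = {"reports.example.com", "cdn.example.com"}

# Address ranges a web tier should never be tricked into fetching from.
# 169.254.0.0/16 is link-local; the major clouds serve instance metadata
# (and with it the instance role's temporary credentials) from 169.254.169.254.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def vulnerable_fetch_target(url: str) -> str:
    """The SSRF-prone pattern: whatever the client sent is what gets fetched.
    A request for http://169.254.169.254/latest/meta-data/ goes straight through."""
    return url


def is_blocked_address(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    # IPv4-mapped IPv6 (::ffff:169.254.169.254) must be checked as IPv4.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def validate_fetch_target(url: str, resolver=socket.getaddrinfo) -> str:
    """Return the single IP address the fetcher may connect to, or raise ValueError.

    Checks, in order: scheme, no embedded credentials, host on the allowlist,
    and every address the host resolves to outside the blocked ranges. The
    caller must then connect to the returned IP (setting the Host header
    itself) and must not follow redirects, otherwise a second DNS lookup or a
    3xx response can re-introduce an internal destination.
    `resolver` is injectable so the check can run offline in tests.
    """
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials embedded in URL")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    if host.lower() not in ALLOWED_HOSTS:          # positive model: names only
        raise ValueError(f"host not on allowlist: {host!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        infos = resolver(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        raise ValueError(f"cannot resolve {host!r}") from exc
    addresses = sorted({info[4][0] for info in infos})
    if not addresses:
        raise ValueError(f"no addresses for {host!r}")
    for ip in addresses:
        if is_blocked_address(ip):                 # negative model: on resolved IPs
            raise ValueError(f"{host!r} resolves to blocked address {ip}")
    return addresses[0]


def classify(url: str, resolver=socket.getaddrinfo) -> str:
    """Convenience wrapper: 'allowed:<ip>' or 'blocked:<reason>'."""
    try:
        return "allowed:" + validate_fetch_target(url, resolver)
    except ValueError as exc:
        return "blocked:" + str(exc)


# Constructed DNS answers so the demo runs offline; cdn.example.com models a
# rebinding/poisoned answer that points an allowlisted name at the metadata IP.
FAKE_DNS = {
    "reports.example.com": ["203.0.113.10"],
    "cdn.example.com": ["169.254.169.254"],
}


def fake_resolver(host, port, proto=0):
    if host not in FAKE_DNS:
        raise socket.gaierror(f"unknown host {host}")
    return [(socket.AF_INET, socket.SOCK_STREAM, proto, "", (ip, port))
            for ip in FAKE_DNS[host]]


if __name__ == "__main__":
    for u in ("https://reports.example.com/q1.csv",
              "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
              "https://cdn.example.com/logo.png",
              "file:///etc/passwd",
              "http://reports.example.com@169.254.169.254/"):
        print(f"{u:70} -> {classify(u, fake_resolver)}")
```

Two details matter in practice: the fetcher must connect to the returned IP rather than re-resolving the name (otherwise a DNS answer that changes between check and use defeats the check), and it must not follow redirects, since a 3xx from an allowlisted host can point anywhere. On AWS, requiring the session-token-based IMDSv2 additionally stops the plain GET that an SSRF typically produces from reaching the metadata service at all.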
In the case of the Capital One data breach, one can’t say which of the attack methods – account takeover, attack on a misconfigured WAF or SSRF – played the biggest role. Each of these 3 types of threats has its own specific preventive and mitigating measures that every organization using the public cloud should be mindful of.
When you need to safeguard your cloud applications, our web application security experts will design a right-sized solution and mitigate common risks within minutes. Contact us today and avoid a major breach.
How to Prevent Account Takeover Attacks
Account takeover attacks – accessing someone else’s online account for malicious purposes – continue to be one of the fastest-growing security threats faced by organizations today.
Account takeover happens as a result of inadvertently exposed account login details or through automated credential attacks run by botnets. The takeover of an account owned by SSL certificate issuer Comodo is an example of the first kind.
Netherlands-based security researcher Jelle Ursem told TechCrunch that a Comodo email address and password had been inadvertently left exposed in a public GitHub repository owned by a Comodo software developer. This enabled Ursem to log in to Comodo’s Microsoft-hosted cloud services, which contained sensitive company information. The account wasn’t protected with two-factor authentication. Ursem said he contacted Comodo about the exposed account.
When contacted by TechCrunch, Comodo said, “The data accessed was not manipulated in any way and within hours of being notified by the researcher, the account was locked down.” Ursem, however, told TechCrunch, “This account has already been hacked by somebody else, who has been sending out spam.”
Account Takeover Botnets
While many malicious actors are opportunistic and simply abuse inadvertently exposed login details, many don’t wait for such opportunities. Many of today’s malicious actors aggressively take over accounts through botnets.
In its Sixth Annual Fraud Attack Index, Forter found a 45% increase in account takeover attacks by the end of 2018 compared to the beginning of 2017. One of the means by which malicious actors perpetrate account takeover attacks is through bots, Forter found.
“Fraudsters often try to hide their activities behind these devices [bots], flying under the radar of detection for most legacy fraud prevention systems, which are simply not equipped with sophisticated enough technology to pick up on the nuances of these behavioural indicators and the personas hiding behind them,” Forter said.
A botnet is a group of computers infected with malicious software (malware) that lets an attacker control the infected machines (the “bots”) as one army for malicious activities. Many botnets have been used as an army for distributed denial-of-service (DDoS) attacks and illicit cryptocurrency mining. Malicious actors are increasingly using them for account takeover attacks as well.
An account takeover botnet works by installing credential-guessing malware on compromised computers. The attacker then directs these infected computers to attempt logins to accounts at banking sites, social networks or email providers. Once a correct username and password combination is found, the attackers use the account to steal money (in the case of a banking site), steal confidential information such as credit card details, or purchase goods and services.
Between April 7th and April 22nd this year, Imperva observed account takeover attacks carried out by a botnet of 2,500 infected computers (2,500 IPs overall) that attacked more than 300 sites while active. On each day of the attack period, 800 IPs were actively attacking 30 sites with 150,000 login attempts, Imperva found.
From a single victim site’s perspective, each site was attacked for 7 hours by 500 IPs sending 7,000 login attempts with 7,000 different credential pairs (usernames and passwords); each botnet-controlled IP was responsible for approximately 14 login attempts against that site over the attack window, or approximately 2 login attempts per hour, Imperva found.
This method of attack is called a “low and slow” attack: the botnet enlists a large number of computers, each sending only a small number of requests, so that the attack blends in with legitimate traffic. Distributing the login attempts across many infected computers or IP addresses keeps each source below the thresholds that per-IP rate limits and lockouts rely on.
The usernames and passwords used in these login attempts typically come from credential cracking or credential stuffing. In credential cracking, the attacker guesses passwords for a known username, for example by trying every word in a dictionary. In credential stuffing, the attacker replays username and password pairs leaked from other breaches, exploiting users’ tendency to reuse passwords across multiple sites.
Credential stuffing was cited by StubHub as the reason a “small number” of user accounts had been illegally taken over by fraudsters. In the StubHub case, attackers took over 1,000 StubHub users’ accounts and used them to buy thousands of high-value tickets, including tickets to Justin Timberlake and Elton John concerts, Yankees baseball games, U.S. Open tennis matches and Broadway shows. The attackers then resold these tickets for a profit of more than a million dollars.
Traditional security solutions have proven ineffective against “low and slow” account takeover attacks: by spreading the attempts across thousands of compromised computers or IPs, the attackers stay undetected for long periods.
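The Imperva figures above also show why a per-IP rule misses this kind of attack and what does catch it. Below is an added example, not Imperva’s or Forter’s code, that runs two detection rules over constructed login events shaped like the attack described: per-IP failure counting, which flags only a classic noisy brute force, and per-site aggregation of failures, distinct source IPs and distinct usernames per hour, which flags the distributed run. Site names, IP addresses (from the TEST-NET documentation ranges) and the thresholds are assumptions for the demo.

```python
"""Detecting a 'low and slow' distributed login attack from authentication logs.

Added example (not Imperva's or Forter's code). The events are constructed to
match the figures quoted in the article: one site hit for 7 hours by 500 IPs
sending ~14 attempts each (2 per hour), plus a classic single-IP brute force
and some normal user traffic. Site names and IPs are invented (TEST-NET ranges).
"""
import random
from collections import defaultdict
from datetime import datetime, timedelta

TEST_NETS = ("192.0.2", "198.51.100", "203.0.113")


def make_sample_events(seed=7):
    """Return a list of login events: dicts with ts, site, ip, user, result."""
    rng = random.Random(seed)
    start = datetime(2019, 4, 10, 1, 0, 0)
    events = []
    # Botnet: 500 distinct IPs, each trying a different credential pair
    # twice an hour for 7 hours against shop.example.
    for i in range(500):
        ip = f"{TEST_NETS[i % 3]}.{i // 3 + 1}"
        for k in range(14):
            ts = start + timedelta(seconds=k * 1800 + rng.randrange(0, 1800))
            events.append({"ts": ts, "site": "shop.example", "ip": ip,
                           "user": f"user{rng.randrange(10**6)}", "result": "FAIL"})
    # Classic noisy brute force: one IP, 50 failures in 25 minutes.
    for k in range(50):
        events.append({"ts": start + timedelta(hours=2, seconds=k * 30),
                       "site": "mail.example", "ip": "203.0.113.250",
                       "user": "admin", "result": "FAIL"})
    # Benign: a user mistypes twice, then logs in.
    for k, result in enumerate(("FAIL", "FAIL", "OK")):
        events.append({"ts": start + timedelta(minutes=5 + k), "site": "shop.example",
                       "ip": "198.51.100.200", "user": "alice", "result": result})
    events.sort(key=lambda e: e["ts"])
    return events


def hour_bucket(ts):
    return ts.replace(minute=0, second=0, microsecond=0)


def per_ip_alerts(events, max_failures_per_hour=10):
    """Classic rule: flag a source IP with too many failures in one hour.
    Catches the brute force; misses the botnet, whose IPs each stay at ~2/hour."""
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "FAIL":
            counts[(e["site"], e["ip"], hour_bucket(e["ts"]))] += 1
    return sorted({(site, ip) for (site, ip, _), n in counts.items()
                   if n > max_failures_per_hour})


def per_site_alerts(events, min_failures=200, min_distinct_ips=50, min_distinct_users=100):
    """Aggregate rule: per site and hour, count failures, distinct source IPs and
    distinct usernames. A distributed attack shows as many IPs failing a few
    times each against many different accounts, far above the site's normal
    baseline, even though no single IP looks suspicious."""
    agg = defaultdict(lambda: {"fails": 0, "ips": set(), "users": set()})
    for e in events:
        if e["result"] != "FAIL":
            continue
        a = agg[(e["site"], hour_bucket(e["ts"]))]
        a["fails"] += 1
        a["ips"].add(e["ip"])
        a["users"].add(e["user"])
    alerts = []
    for (site, hour), a in sorted(agg.items()):
        if (a["fails"] >= min_failures and len(a["ips"]) >= min_distinct_ips
                and len(a["users"]) >= min_distinct_users):
            alerts.append((site, hour.isoformat(), a["fails"], len(a["ips"]), len(a["users"])))
    return alerts


if __name__ == "__main__":
    evs = make_sample_events()
    print("per-IP rule:", per_ip_alerts(evs))
    for alert in per_site_alerts(evs):
        print("per-site rule (site, hour, failures, ips, users):", alert)
```

The thresholds are deliberately coarse; in production they are set relative to each site’s own hourly baseline, and the distinct-username count is the discriminator that separates credential stuffing (many accounts, one or two attempts each) from a single user who has forgotten a password.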
Choosing strong passwords that avoid dictionary words, using a unique password for every account, and enabling multi-factor authentication are among the best practices for preventing account takeover attacks.
Malicious actors, however, keep finding ways to defeat even strong credentials and some forms of multi-factor authentication. An automated security solution that monitors for abnormal access to accounts is one of the mitigating measures against account takeover attacks.
When you need help minimizing cybersecurity risks, our team of experts will answer your questions and help you protect your data. Contact us today.
The Importance of Facing Up to Cybersecurity Risks
A cybersecurity emergency has been declared across Louisiana, USA, after three public school districts were struck by a malware attack.
The attack hit school districts in Sabine, Morehouse and Ouachita parishes, in North Louisiana, causing widespread concern. The Governor’s Office of Homeland Security and Emergency Preparedness quickly put its crisis action team into motion to handle the attack.
Sabine School District issued a statement, addressing the nature of the cybersecurity breach and their actions to fix it:
“The Sabine Parish School System was hit with an electronic virus [...] this virus has disabled some of our technology systems and our central office phone system.”
According to the principal of Sabine Parish’s Florien High School, a ransomware infection had got into the system and caused disruptions. The alarm was raised when the school’s technology supervisor noticed ‘unusually high bandwidth usage’.
Fortunately, Jones believes no sensitive information was exposed during the attack, though everything stored on the school district’s servers was lost. That amounts to 17 years of Jones’s work, including schedules, speeches and more.
Taking Action, Addressing Issues Fast
While this is certainly a challenging situation for the three school districts, it appears the end result is nowhere near as terrible as it could have been. It’s clear everyone involved took decisive action when the suspicious activity was noticed, and the proper authorities were informed.
Plans for future protection and security measures are, apparently, being devised by state officials (in coordination with the FBI). But this case indicates just how important it is to face up to cybersecurity risks and take proper action to minimize the threat to systems.
Hoping that hackers will miss or choose to ignore your business, organization or school is not enough. Implementing effective defenses is the best way to safeguard your critical data, client information and financial details.
If any of these, or other types of vital data, are exposed by nefarious individuals, the clean-up could be a long, difficult process. The worst thing you can do in the event of a breach is sweep it under the carpet and try to contain the damage without raising the alarm.
Those involved in the Louisiana case alerted the proper parties and are dealing with the situation as best they can.
Yes, acknowledging that a cybersecurity attack took place can affect your reputation and the trust people place in you. Yet it’s far better to be transparent and admit your cybersecurity measures may not have been as effective as they should be than to lie.
The Problem of Ransomware and Preparing Your Team
Ransomware is, as our regular readers may know, a common choice of cyberattack for hackers. The Louisiana case is just one example of many.
The first ransomware was distributed by a biologist, Dr. Joseph Popp, in 1989: he mailed floppy disks containing the PC Cyborg Trojan (also known as the AIDS Trojan) to researchers in an attempt to extort money.
Ransomware has come a long way since then, but while it has evolved in various ways, the aim remains the same.
Other notorious ransomware attacks include WannaCry, which was detected more than 250,000 times across 116 countries in 2017. It spread by exploiting a vulnerability in the Windows SMB file-sharing service and encrypted files on the hard drive to make them inaccessible, with the attackers offering to unlock them only after a bitcoin payment had been made.
The issue is, of course, that agreeing to pay a ransom doesn’t actually guarantee the people responsible will stick to their end of the deal. After all, why should they? If they’re willing to disrupt your daily processes, cost you money, damage your reputation and more, there’s no reason to believe they will do as they promise.
Prevention is, as the saying goes, better than cure. And that means taking steps to prepare your team for potential cybersecurity threats in their day-to-day work.
How can you do this?
Taking Steps to Protect Your System
Implementing security measures and processes to protect your system against breaches can be daunting, especially if you have no experience or real knowledge of this area.
It’s essential that you embrace the most cutting-edge cybersecurity software available and consult with experts. Professionals specializing in security measures and reinforcing systems will be able to identify the biggest dangers you face, how to defend against them and advise your team to be more vigilant.
In terms of training your staff, there are certain things you can try.
Raise cybersecurity issues and trends in regular meetings
Keep your employees updated on the latest cybersecurity hazards and techniques: make sure they understand what suspicious activities they should be aware of when responding to emails, downloading software or visiting websites.
Try to cultivate a more vigilant workforce and boost recognition of effective ‘safety first’ procedures. Get them into the habit of questioning links, emails and other potentially-infected elements when they’re not sure how safe they are.
Find time to run a test exercise for your team. Act as if a cybersecurity attack has struck your system and have staff go through the motions of responding appropriately.
Do they know what to do if they spot the warning signs of an impending threat? Can they work as a cohesive team even when they’re not completely sure what’s happening? Work to make the answer to both a firm ‘yes’.
Everyone should know what role they have in the event of a cybersecurity breach. Perhaps they’re required to do nothing but sit tight and wait for business to resume as normal. Maybe they have to take an active part in informing clients of the situation or coordinating with security experts.
Having a formal plan means everyone involved can leap into action in the event of a crisis, saving valuable time and minimizing further disruption.
Knowing how to handle cybersecurity risks and attacks is fundamental for any business, organization or institution today. If you want to know more about protecting your system and taking effective action, contact our specialists now!
Mirai Malware Variants Increasingly Targeting Enterprise IoT Devices
Malware variants that evolved from the original Mirai malware are increasingly targeting enterprise IoT devices, putting enterprise networks at risk of being exploited for nefarious activities such as distributed denial-of-service (DDoS) attacks and illicit cryptocurrency mining, and putting enterprise cloud architecture at risk of additional malware and further compromise.
Tracking the Mirai
The original Mirai malware was created by Paras Jha, Josiah White and Dalton Norman. The 3 creators were in due course arrested and sentenced by U.S. authorities. Prior to their arrest and sentencing, the source code of Mirai was publicly released, and that release led to multiple versions of Mirai propagating in the wild.
Mirai was first observed in the wild in 2016. It gained notoriety when still-unidentified attackers used it to launch a distributed denial-of-service (DDoS) attack on Dyn, a major DNS provider, in October 2016, causing widespread internet outages across the U.S. and Europe.
According to the IBM X-Force researchers, since 2016, there have been 63 Mirai variants observed in the wild. The researchers said that the multiple variants of Mirai have been used to perform nefarious activities such as DDoS attacks and illicit cryptocurrency mining.
In a DDoS attack, attackers overwhelm a target, such as a website or, in the case of Dyn, a DNS provider, with voluminous traffic, bringing the target offline and rendering it inaccessible to legitimate users. Illicit cryptocurrency mining, meanwhile, refers to using a computer’s processing power to mine cryptocurrency without the knowledge and consent of its owner.
The Mirai variants perform DDoS attacks and illicit cryptocurrency mining by infecting devices that have security vulnerabilities and enslaving them into an army, also known as a botnet, which then performs DDoS attacks, cryptocurrency mining or other activities at the whim of the attacker controlling it. Mirai is a powerful tool for malicious actors because it lets them automate downloading any number of malware payloads onto a large number of IoT devices.
Owners of IoT devices typically don’t think of these devices as computers. They are often installed and then forgotten. Unlike desktops or laptops, IoT devices aren’t monitored for irregular behaviour, updated, or given new login details.
The original malware created by Jha, White and Norman infected hundreds of thousands of IoT devices, such as routers and security cameras, and controlled them as a botnet to perform illegal activities such as DDoS attacks. Its creators were able to infect that many devices because many IoT owners never change the factory-default login details. The original Mirai tried a list of 61 factory-default username and password pairs to infect IoT devices.
Enterprise IoT Devices at Risk
IBM X-Force researchers, which have been tracking Mirai campaigns since 2016, said that the Mirai variants’ tactics, techniques and procedures (TTPs) are now targeting enterprise IoT devices.
“Nowadays, enterprise IoT devices are everywhere, from instruments that monitor patients in hospitals, to wireless devices in smart meters that relay information to utility companies, to robots in warehouses that constantly deliver inventory information,” IBM X-Force researchers said. “Enterprises are increasingly dependent on IoT devices to run day-to-day operations, and attackers are well-aware of the growing attack surface.”
“As IoT devices become more common among households and large organizations, Mirai and its variants will continue to evolve to adapt to the changing environments and targets of its choice,” IBM X-Force researchers added.
The researchers observed that the creators of Mirai variants were dropping additional malware onto infected devices, with cryptocurrency-mining malware leading the way. Such malware, which steals the computing power of infected IoT devices to generate money for the attackers, is particularly harmful to IoT devices: with little processing power compared to a desktop or laptop’s CPU or GPU, they are prone to overheating. IBM X-Force researchers also observed Mirai variant operators using steganography, hiding malicious code in images that trigger the download of additional malware.
The researchers also said that the Mirai variants pose a threat to cloud computing: infected IoT devices that are connected to cloud architecture could allow attackers to gain access to cloud servers, where they could drop additional malware.
In early 2019, researchers at Palo Alto Networks’ Unit 42 discovered a variant of Mirai targeting WePresent WiPG-1000 wireless presentation systems and LG Supersign TVs, IoT devices used by businesses. Targeting business IoT devices, according to Unit 42, gives attackers a larger attack surface, and because such devices sit on links with more bandwidth, they give attackers greater firepower for attacks such as DDoS.
As malicious actors increasingly target enterprise IoT devices, it’s important to change the factory-default usernames and passwords of these devices and to install the latest security updates. If the vendor no longer issues security updates or it isn’t possible to install them, it’s best to remove these devices from your organization’s network.
Get in touch with our experts for additional threat information and help mitigating cybersecurity risks.
Disturbing Trend: More and More Ransomware Attack Victims Are Paying Ransom
UK's largest police forensics lab Eurofins reportedly paid ransom to ransomware attackers. The company joins the growing list of organizations that paid ransom to ransomware attackers.
The BBC recently reported that Eurofins, the UK’s largest police forensics lab, paid an undisclosed amount to attackers after its computers were crippled by a ransomware attack. Eurofins Scientific, which has about 45,000 staff in more than 800 laboratories across 47 countries, is one of the global independent market leaders in testing and laboratory services for forensics. Eurofins Forensic Services, its UK-based forensics subsidiary, is one of the primary forensic services providers to the UK police.
On June 3, Eurofins Scientific disclosed that during the first weekend of June 2019 (1st and 2nd June) it fell victim to a ransomware attack which caused disruption to many of its IT systems in several countries. The company said, in a statement, that from June 4th it was able to “resume full or partial operations for a number of impacted companies and continue to do so every day”. As of June 17th, the company said, the vast majority of affected laboratories’ operations had been restored.
The ransomware involved, Eurofins Scientific said, appears to be a new ransomware variant which was “initially non-detectable by the anti-malware screen of our leading global IT security services provider at the time of the attack and required an updated version made available only hours into the attack”.
In a ransomware attack, malicious actors lock legitimate users out of IT systems or files by encrypting them (converting readable data into ciphertext that can be read only by someone holding the secret key, also called the decryption key). The attackers then demand a ransom from the victim in exchange for the decryption key that would unlock the encrypted systems or files.
Growing List of Ransomware Victims Paying Ransom
Eurofins Scientific joins the growing list of ransomware victims paying ransom. Two cities in Florida, U.S., and two towns in Ontario, Canada, have publicly admitted that they paid ransom to ransomware attackers.
On June 17th, the City Council of Riviera Beach, Florida unanimously approved paying the ransom demanded by its ransomware attackers: 65 bitcoins, equivalent to approximately $600,000 at the time of the approval.
A few days after Riviera Beach’s approval, another Florida city, Lake City, paid its own ransomware attackers. Lake City Mayor Stephen Witt told local media that the city would pay the attackers USD $460,000 to get its computer system back. “I would’ve never dreamed this could’ve happened, especially in a small town like this,” the Lake City Mayor said.
Two towns in Ontario, Canada, the Town of Wasaga Beach and the Town of Midland, have also publicly admitted that they paid ransom. Jocelyn Lee, Director of Finance and Treasurer of the Town of Wasaga Beach, reported to the Council of Wasaga Beach that on April 30, 2018 the Town’s computer system was infected with malicious software (malware) that left all of the Town’s data locked. Lee said the Town ended up paying the attackers 3 bitcoins, equivalent to $34,950 Canadian at the time of payment.
The Town of Midland, Ontario, meanwhile, in a statement said that on September 1, 2018, the Town's network was infected with ransomware. The Town said that it paid an undisclosed amount to the ransomware attackers in exchange for the decryption keys. In paying the ransom, the Town of Midland said, “Although not ideal, it is in our best interest to bring the system back online as quickly as possible.”
To date, South Korean web hosting company Nayana holds the record for the most expensive ransom payment, totaling 397.6 bitcoins, valued at USD $1.01 million at the time of payment.
Prevention & How to Recover from Ransomware Attacks
The ransomware victims that decided to pay have one thing in common: they had no usable backup of their critical data to restore from. Organizations that keep regular, tested backups of critical data, stored offline or otherwise out of the malware’s reach (modern ransomware deliberately seeks out and encrypts or deletes connected backups and shadow copies), can rebuild after an attack and ignore the attackers’ ransom demand.
Paying the ransom also doesn’t guarantee that the attackers will hand over working decryption keys. Paying could instead encourage the attackers to launch another attack, or to raise their demands, knowing that the organization will likely consider paying.
While regular backups of critical data are important, implementing cybersecurity measures that prevent ransomware attacks in the first place is equally important. The UK’s National Cyber Security Centre (NCSC) recently issued a Ryuk Ransomware Advisory. Ryuk is a particular type of ransomware that was first observed in the wild in August 2018 and has since been responsible for multiple attacks worldwide. Ryuk is targeted rather than indiscriminate, and the ransom is set according to the target’s perceived ability to pay.
NCSC recommends the following measures in order to prevent ransomware attacks, in particular, Ryuk ransomware attacks:
You don’t need to face cybercriminals alone. When you need help, our team of professionals is ready to assist and help you mitigate risks, recover, and proactively secure your data. Contact us today and stay safe.
Why Organizations Need To Secure Microsoft Office Settings
The latest discovery of a flaw in Microsoft Excel by researchers at Mimecast shows the importance of securing your organization’s Microsoft Office settings.
Researchers at Mimecast recently released a proof of concept demonstrating that a flaw in Microsoft Excel could allow a malicious actor to compromise someone else’s computer and launch a cyber-attack, no matter where that computer is located. Mimecast said that Power Query, a feature in Excel that lets users integrate their spreadsheets with other data sources, such as an external database or a web page, could allow attackers to “embed malicious content in a separate data source, and then load the content into the spreadsheet when it is opened”. The researchers added, “The malicious code could be used to drop and execute malware that can compromise the user’s machine.”
According to Mimecast researchers, Power Query is a powerful tool within Microsoft Excel that, if exploited, can be used to launch Dynamic Data Exchange (DDE) attacks. In a DDE attack, a malicious actor exploits DDE, a protocol in Windows that was first introduced in 1987 and is still used by thousands of applications, including Microsoft Excel.
The researchers added that attacks that exploit Power Query are hard to detect by anti-virus or anti-malware security solutions. “Using the potential weakness in Power Query, attackers could potentially embed any malicious payload that as designed won’t be saved inside the document itself but downloaded from the web when the document is opened,” the researchers said.
Dynamic Data Exchange (DDE) Attacks
Researchers have known about the DDE vulnerability since 2014, finding that “by specifying some creative arguments and a magic number, it’s possible to craft a ‘link’ that hijacks the computer of whoever opens the document”.
In May 2016, researchers at SensePost demonstrated that a DDE attack can be done in Microsoft Excel. In October 2017, researchers at SensePost demonstrated that a DDE attack can be done in Microsoft Word.
In November 2017, McAfee reported that the threat group known as “APT28” slipped malware into a malicious Word document with a subject heading that cites a then-recent terrorist attack in New York City. McAfee said this Word document leveraged the Microsoft Office Dynamic Data Exchange (DDE) attack technique.
According to McAfee, the malicious Word document itself is blank and once the document is opened, the document contacts a control server that drops the malware called “Seduploader” onto a victim’s computer. Seduploader is a first-stage malware deployed for the purpose of conducting reconnaissance on a network before dropping a second-stage malware.
To successfully launch a DDE attack, McAfee said, an attacker only needs to convince a user to click through a few dialogs, which would evade the latest macro-based document mitigations. “DDE can be used to launch scripts and executables from the command line by inserting the DDE field in the Office document,” McAfee said.
In an email attack scenario, Microsoft, for its part, said that an attacker could exploit the DDE protocol by sending a specially crafted attached file to the user and then convincing the user to open the attached file. “The attacker would have to convince the user to disable Protected Mode and click through one or more additional prompts,” Microsoft said.
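Since DDE attacks ride on field codes inserted into the document, a defender can scan incoming Office files for them before a user ever sees a prompt. The following Python script is an added example (not code from the original post, Mimecast or McAfee): it inspects a .docx for DDE/DDEAUTO field codes, joining field text that Word splits across runs so that a split keyword is still caught; the sample documents are constructed in memory, and "example-app"/"example-topic" are placeholders, not a real payload.

```python
"""Detect Dynamic Data Exchange (DDE) field codes inside a .docx file.

A .docx is a ZIP archive whose body is word/document.xml. Field codes such as
DDEAUTO sit in <w:instrText> runs (complex fields, bracketed by fldChar
begin/separate/end) or in the w:instr attribute of <w:fldSimple>. Word may
split one field code across several runs, so the runs are joined first.
"""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS
# Field keywords to flag; leading whitespace and quotes are tolerated.
DDE_PATTERN = re.compile(r'^\s*"?\s*(DDEAUTO|DDE)\b', re.IGNORECASE)


def extract_field_codes(part_xml: bytes) -> list:
    """Return every field code string found in one WordprocessingML part."""
    root = ET.fromstring(part_xml)
    codes = [fld.get(W + "instr", "") for fld in root.iter(W + "fldSimple")]
    buffer = None  # collects instrText runs of the complex field currently open
    for elem in root.iter():  # depth-first, i.e. document order
        if elem.tag == W + "fldChar":
            kind = elem.get(W + "fldCharType")
            if kind == "begin":
                buffer = []
            elif kind in ("separate", "end") and buffer is not None:
                codes.append("".join(buffer))
                buffer = None
        elif elem.tag == W + "instrText" and buffer is not None:
            buffer.append(elem.text or "")
    return codes


def find_dde_fields(docx_bytes: bytes) -> list:
    """Return the DDE/DDEAUTO field codes found in any XML part under word/."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        # Headers, footers and footnotes can carry fields too, so scan every part.
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                codes = extract_field_codes(zf.read(name))
            except ET.ParseError:
                continue
            hits.extend(code for code in codes if DDE_PATTERN.search(code))
    return hits


# --- constructed sample documents (test data, not real files) ---------------
CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.'
    'openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>'
)
DOC_TEMPLATE = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<w:document xmlns:w="%s"><w:body><w:p>%s</w:p></w:body></w:document>'
)


def build_sample_docx(paragraph_xml: str) -> bytes:
    """Build a minimal in-memory .docx whose single paragraph is paragraph_xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", CONTENT_TYPES)
        zf.writestr("word/document.xml", DOC_TEMPLATE % (W_NS, paragraph_xml))
    return buf.getvalue()


# A DDEAUTO code split across two runs; "example-app"/"example-topic" are placeholders.
SPLIT_DDE = (
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DDEA</w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">UTO example-app "example-topic"</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:t>placeholder result</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
)
# An ordinary DATE field, which must not be flagged.
BENIGN_DATE = (
    '<w:fldSimple w:instr=" DATE \\@ &quot;d MMMM yyyy&quot; ">'
    '<w:r><w:t>1 July 2019</w:t></w:r></w:fldSimple>'
)

if __name__ == "__main__":
    for label, xml in (("split DDEAUTO", SPLIT_DDE), ("benign DATE", BENIGN_DATE)):
        print(label, "->", find_dde_fields(build_sample_docx(xml)))
```

The same approach works for .docm and for the other Office ZIP formats, although Excel stores external links in separate parts rather than as field codes.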
How to Mitigate Microsoft Office Settings Risk
Microsoft, in a statement to Threatpost, said that the proof of concept of the Mimecast researchers was reviewed but in order for the concept to work, a victim “would need to be socially engineered to bypass multiple security prompts prior to loading external data or executing a command from a DDE formula”. Because of this finding, Microsoft didn’t release a patch for this security vulnerability.
Microsoft issued the following mitigating measures in order to protect your organization from DDE attacks:
1. Keep Your Microsoft Office Up-to-Date
The December 12, 2017 security update in Microsoft’s Office disables the Dynamic Data Exchange protocol (DDE) in all supported editions of Microsoft Word.
2. Disable DDE Protocol in Microsoft Excel
Microsoft, however, hasn’t disabled DDE in Microsoft Excel. In the security advisory "Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields", Microsoft noted that Excel, in particular, depends on the DDE feature to launch documents. "Disabling this feature could prevent Excel spreadsheets from updating dynamically if disabled in the registry,” Microsoft said. “Data might not be completely up-to-date because it is no longer being updated automatically via live feed. To update the worksheet, the user must start the feed manually. In addition, the user will not receive prompts to remind them to manually update the worksheet.”
As early as 2007, Raymond Chen, who has been involved in the evolution of Windows for decades, said that "there is no technological reason for you to use DDE”. Chen, however, said that even if there’s no technological reason for you to use DDE, “you still have to be mindful of whether your actions will interfere with other people who choose to”.
3. Exercise Caution When Opening Suspicious File Attachments
As email attachments are a primary method used by DDE attackers to spread malware, Microsoft recommends that users exercise caution when opening suspicious file attachments.
CDW Report Reveals Canadian Businesses Make Cybersecurity Top IT Priority
A new report by CDW Canada reveals almost half of businesses (47 percent) questioned have increased their expenditure on cybersecurity in the past year.
Their responses make for reassuring reading, though there is still some way to go before all of Canada’s businesses have the safeguards they need in place. With so many day-to-day operations performed online and a plethora of sensitive data stored in the cloud, effective cybersecurity should be a priority for every single company.
Other key takeaways from the survey:
That 17 percent of respondents are totally unsure whether a plan has even been drawn up is concerning. It’s vital for management teams to recognize the level of vulnerability they may create within their organizations if they fail to take the appropriate action and protect their infrastructures from threats. While it’s easy to let a hectic schedule and growth overshadow any potential pitfalls, the risk is simply too big to ignore. No business can afford to be complacent or assume they are too small (or successful) to target.
What Do Canadian Businesses Consider the Biggest Cyber Threat?
The CDW report showed 24 percent of businesses questioned view the proliferation of malware as a leading concern. Other leading concerns were data theft (prioritized by 19 percent) and the safety of cloud storage (15 percent). All three risks have the power to cause severe problems for companies of all sizes, in all industries.
It’s good to see businesses aware of key cybersecurity hazards and being able to distinguish between them, but hackers employ increasingly sophisticated tools and tricks to infiltrate businesses’ systems, potentially even lurking undetected for weeks or months. They are able to gather critical information related to their employees, their customers, their operations, their secrets and more. Businesses affected by such covert breaches are left incredibly exposed and may be unable to actually recover if they fail to take action soon enough.
Yet not all cybersecurity dangers come from outside. Businesses must be aware of external and internal threats to their safety (and that of their customers). It may be hard to imagine someone within your organization having the audacity to endanger the security of their colleagues, employers and clients by allowing data to fall into the wrong hands — but, sadly, it does happen.
In recent weeks, Desjardins (North America’s biggest federation of credit unions) revealed that close to 3 million members’ data had been leaked by an employee, affecting some 170,000+ businesses. Desjardins admitted it’s possible such personal details as full names, dates of birth, social insurance numbers, banking activities and email addresses were shared. It’s believed, though, that PINs, passwords and security questions were not leaked.
Tackling Internal Cybersecurity Threats
That Desjardins’ woes resulted from the actions of an employee demonstrates how vulnerable data may be even when organizations believe their system is well protected. Businesses can invest in the most cutting-edge technology and training to reinforce their safety, but if they aren’t aware of which employees may have a grudge (or simply lack the training to perform duties safely) breaches can still occur.
The Desjardins employee responsible has since been let go, but that’s unlikely to be of much comfort to the people whose sensitive information was shared without permission. This event could have an ongoing impact on Desjardins as a whole: members’ confidence may drop, prompting them to consider alternatives — potentially costing Desjardins in the long run.
Still, it’s incredibly hard for businesses to know exactly which members of their workforce could be planning to leak data or open the system up to cyberattacks, short of monitoring every single phone call, every interaction with colleagues and their every movement on the premises.
But effective training can make a positive impact and encourage a more vigilant, aware, loyal team. Educating staff on the variety of cybersecurity risks the company faces, where they originate and how they can be combated is essential. It’s vital to give them the means to share concerns with management if they believe someone may be planning to reveal sensitive information or share access details with unauthorized parties.
They may find speaking up about the people they work with every day difficult, but it’s in everyone’s best interests. After all, if a breach or attack is damaging enough, employees’ jobs may be at risk.
The Importance of the Right Training
The right training minimizes the threat of accidental cybersecurity problems. Workers may not recognize phishing scams and expose the entire network to threats, or they could download infected software. The list goes on and on. Even the smallest mistake can have lasting ramifications.
With more Canadian companies investing in their cybersecurity measures, it’s fair to assume training will improve too. But it’s not just about training: businesses have to take their security seriously, and that means equipping themselves with the most effective safeguards. A comprehensive vulnerability assessment will identify potential flaws in your system’s security, revealing how prone your company may be to attacks.
The Driz Group offers free vulnerability assessments for businesses of all sizes, helping you start on the journey to a safe, stronger cybersecurity procedure. Our Managed Cyber Security Services provide cloud-based and on-premise protection, reduce the likelihood of a data breach and fill any gaps that may be discovered. This allows you to just sit back, relax and focus on running your business while the experts keep it safe.
Want to learn more about how our Managed Cyber Security Services can help your organization? Have questions? Please don’t hesitate to contact our friendly team of experts today!
NASA’s Jet Propulsion Laboratory (JPL) Hacked for 10 Months
The Office of Inspector General of the National Aeronautics and Space Administration (NASA) recently revealed that the Jet Propulsion Laboratory (JPL), the center of NASA’s interplanetary robotic research efforts, was hacked for 10 months.
According to NASA's Office of Inspector General, JPL, being the center of NASA’s interplanetary robotic research efforts, maintains wide public internet-facing IT systems that support missions and networks that control spacecraft, collect and process scientific data and perform critical operational functions. Despite efforts to protect these public internet-facing IT systems, NASA's Office of Inspector General said that critical vulnerabilities remained, resulting in a cyber-attack on JPL’s network which started in April 2018.
This April 2018 attack, NASA's Office of Inspector General said, remained undetected for 10 months resulting in the exfiltration of approximately 500 megabytes of data from 23 files, 2 of which contained “International Traffic in Arms Regulations information related to the Mars Science Laboratory mission”.
How JPL’s Network Was Hacked and Lessons Learned
The April 2018 attack on JPL’s network, NASA's Office of Inspector General found, started when an unauthorized Raspberry Pi connected to its network. Raspberry Pi is a credit card-sized computer that’s capable of doing everything a desktop computer can do, from browsing the internet to playing games. The audit report showed that the malicious Raspberry Pi found its way into JPL’s network through the following series of events:
1. Incomplete and Inaccurate System Component Inventory
The report of NASA's Office of Inspector General showed that the malicious Raspberry Pi found its way into JPL’s network as JPL had incomplete and inaccurate information about the types and location of NASA system components and assets connected to its network.
One cybersecurity best practice for preventing unauthorized intrusions into a network is to maintain a complete and accurate inventory of all devices connected to that network. This inventory is essential for effectively monitoring, reporting and responding to cybersecurity incidents. Benefits of a proper inventory of assets on the network include vetting and clearing of assets by security officials prior to connecting them to the network, timely patches, and tracking of valuable assets and of the data stored on them.
2. Inadequate Segmentation of Network Environment Shared with External Partners
Due to the nature of JPL’s work, its partners, including foreign space agencies, contractors and educational institutions are allowed remote access to its network for specific missions and data. Network segmentation creates barriers that attackers can’t cross as these barriers eliminate connections to other systems.
According to NASA's Office of Inspector General, the April 2018 cyber-attack exploited the lack of segmentation of JPL’s network, enabling the attacker to move between various systems connected to the network. In May 2018, NASA's Office of Inspector General said, IT security officials at the Johnson Space Center (Johnson), which handles programs such as the Orion Multi-Purpose Crew Vehicle and International Space Station, decided to temporarily disconnect from JPL’s network due to security concerns. “Johnson officials were concerned the cyber-attackers could move laterally from the gateway into their mission systems, potentially gaining access and initiating malicious signals to human space flight missions that use those systems,” NASA's Office of Inspector General said.
3. Untimely Patch Application
Patches, also known as security updates, fix known security vulnerabilities. Attackers often exploit known security vulnerabilities for which patches are already available, counting on the fact that a portion of users delay applying these patches for days, and some even for months or years.
According to NASA's Office of Inspector General, JPL didn’t apply the patch that fixes a known software vulnerability first identified in 2017, with a critical score of 10. A security vulnerability with a critical score of 10 carries the highest possible severity rating. This 2017 security vulnerability, NASA's Office of Inspector General said, was only patched in March 2019; during the April 2018 cyber-attack, one of JPL’s four compromised systems hadn’t been patched for the said vulnerability in a timely manner, resulting in the exfiltration of 23 files containing approximately 500 megabytes of data.
4. Delayed Response to the Attack
After detection of a cyber-attack, the next logical steps are containment and eradication. Containment strategies include performing a system shutdown, disconnecting a system from the network and identifying all attack paths. Eradication strategies, meanwhile, include assessment and analysis of exploited vulnerabilities, removal of malware and affected files, and application of security patches. “Most of these steps [containment and eradication] require sophisticated forensic expertise and tools that when not available in-house should be in place through service agreements with specialized providers,” NASA's Office of Inspector General said.
Although JPL had disabled the account targeted by the adversary and closed off the known path of attack, NASA's Office of Inspector General said the NASA Security Operations Center requested an independent assessment from the Department of Homeland Security (DHS) United States Computer Emergency Readiness Team (US-CERT) to determine the extent of the attack and totally remove the adversary from JPL’s network. NASA's Office of Inspector General added that as JPL was unfamiliar with DHS’s standard engagement procedures, DHS was only able to perform scans of JPL’s entire network 4 months after the cyber-attack was detected.
“Once DHS performed the scans, it determined there were no other attack paths and deemed the network clean; however, the delay in executing the eradication steps left NASA data and systems vulnerable to potential additional harm,” NASA's Office of Inspector General noted.
Your business may suffer the same fate if left unprotected. More importantly, to truly understand the state of your cyber defences, you must perform an IT security audit.
Call us today and find out if your business is well protected.
Another Canadian City Falls Victim to Phishing Email, Loses Half a Million Dollars as a Result
The City of Burlington, Ontario recently revealed that it fell victim to a phishing email, resulting in the loss of the City’s funds worth half a million dollars.
In a statement, the City of Burlington said that a phishing email was sent to City staff requesting a change to the banking account information of an established City vendor. As a result of the phishing email, the City said, a single wire transfer of funds worth approximately half a million dollars was sent last May 16 to a bank account controlled by an unknown attacker or attackers.
The City said it only discovered it was a victim of fraud last May 23. The cyber incident has been reported to authorities and criminal investigations are underway by the appropriate authorities, the City said.
What Is Phishing Email?
Phishing emails are malicious emails used by cyber-attackers to launch attacks against their victims. A traditional phishing email contains a malicious attachment that, when clicked, downloads and installs malware on the victim’s computer. A traditional phishing email may also contain a malicious link that, when clicked, leads to a malicious website hosting malware, from which the malware is downloaded and installed on the victim’s computer.
In recent years, cyber-attackers have weaponized emails to commit fraud, in what is known as Business Email Compromise (BEC). BEC attackers target small, medium and large organizations, as well as individuals. Prior to sending the phishing emails, BEC attackers monitor and study their selected victims.
Targeted organizations and individuals are those that regularly perform wire transfer payments. In a BEC attack, the email address of a high-level employee or an executive involved with wire transfer payments is either spoofed or compromised, resulting in the loss of funds.
According to the Federal Bureau of Investigation (FBI), as of July 12, 2018, BEC became a 12 billion dollar scam. The FBI said that from October 2013 to May 2018, a total of 78,617 BEC incidents were reported worldwide, with loss to this scam amounting to US$12.5 billion.
In April this year, another Canadian city, the City of Ottawa, revealed that it fell victim to a similar attack. Based on the report released by the Office of the Auditor General of the City of Ottawa, on July 6, 2018, the City Treasurer received an email which appeared to be from the City Manager.
This email, which was later identified as a spoofed email, requested that a wire transfer in the amount of US$97,797.20 be processed for the completion of an acquisition. On the same day the spoofed email was received, with the City Treasurer’s approval, US$97,797.20 was sent to the bank account controlled by malicious actors.
The said amount was transferred from one bank account to another, with a portion of the amount ending up in one of the bank accounts monitored by the U.S. Secret Service. The City of Ottawa was contacted by the U.S. Secret Service that the funds had been seized. The City of Ottawa, through its City Solicitor, filed a petition before the U.S. Government, asserting the City’s claim on the seized funds. It’s still unclear how much the City of Ottawa will eventually recover.
Spoofed and Compromised Emails
BEC attackers trick their victims into wiring funds into bank accounts they control by spoofing or compromising email accounts belonging to persons in authority, in particular, those in charge of approving the release of funds. Email spoofing refers to the sending of an email which is made to appear as though it was sent by someone other than the actual sender.
Many BEC attackers purchase a domain name similar to the target organization’s domain in order to own an email address that closely resembles the target organization, for instance, “xocompany.com” is similar to “xoc0mpany.com”. Attackers send this spoofed email hoping that the receiver wouldn’t notice the wrong email address.
Email spoofing can also be achieved by an attacker by manipulating the visible email header. Each email contains two headers, one visible and the other one that isn’t readily visible. The visible header shows the typical "From" which contains the email address of the sender.
This visible header can be changed by attackers, that is, it can be made to show a correctly-spelled email address that’s familiar to the email receiver. If the email receiver checks the less visible header, also known as the “SMTP envelope”, the real email address of the malicious sender can be seen.
BEC attackers also launch their phishing emails by compromising legitimate email accounts, for instance, the email account of the organization’s CEO. BEC is also known as the “CEO scam” because of the growing number of spoofed and compromised CEO emails.
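To make the two spoofing techniques above concrete, here is an added Python example (not from the original post) that reads the visible From header and the envelope sender from a raw message and flags the mismatches and look-alike domains just described. The envelope sender is taken from the Return-Path header, which the receiving mail server records from the SMTP MAIL FROM command; the Reply-To comparison and the TRUSTED_DOMAINS allow-list are my additions and assumptions, and the three messages are constructed.

```python
"""Flag Business Email Compromise (BEC) indicators in a raw email message.

Checks: the From header's domain against the envelope sender (read from the
Return-Path header, which the receiving mail server records from the SMTP
MAIL FROM command), the Reply-To domain against From, and whether the From
domain is merely a look-alike of a trusted domain (e.g. a zero for an 'o').
"""
from email import message_from_string
from email.utils import parseaddr

# Assumed allow-list of the organisation's genuine vendor/executive domains.
TRUSTED_DOMAINS = {"xocompany.com"}
# Digits commonly substituted for similar-looking letters in look-alike domains.
DIGIT_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize_domain(domain: str) -> str:
    """Fold look-alike substitutions so 'xoc0mpany.com' compares equal to 'xocompany.com'."""
    folded = domain.lower().translate(DIGIT_MAP)
    return folded.replace("rn", "m").replace("vv", "w")


def domain_of(header_value) -> str:
    """Extract the lower-cased domain from a header value such as 'Name <user@host>'."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def analyze(raw_message: str) -> dict:
    """Return the sender domains and a list of BEC indicators for one raw message."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From"))
    envelope_domain = domain_of(msg.get("Return-Path"))
    reply_domain = domain_of(msg.get("Reply-To"))
    findings = []
    if envelope_domain and envelope_domain != from_domain:
        findings.append("envelope sender domain differs from From domain")
    if reply_domain and reply_domain != from_domain:
        findings.append("Reply-To domain differs from From domain")
    trusted_folded = {normalize_domain(d) for d in TRUSTED_DOMAINS}
    if from_domain not in TRUSTED_DOMAINS and normalize_domain(from_domain) in trusted_folded:
        findings.append("From domain is a look-alike of a trusted domain")
    return {"from": from_domain, "envelope": envelope_domain, "findings": findings}


# Constructed sample messages (not real mail). Envelope and From agree here, but
# the domain is the look-alike from the text: a zero in place of the letter o.
LOOKALIKE = """\
Return-Path: <accounts@xoc0mpany.com>
From: XO Company Accounts <accounts@xoc0mpany.com>
To: payables@city.example
Subject: Updated remittance details

Constructed body text.
"""
# The visible From shows the genuine domain, but the envelope and Reply-To do not.
HEADER_SPOOF = """\
Return-Path: <bounce@mailer.example>
From: Chief Executive <ceo@xocompany.com>
Reply-To: <ceo.office@mailer.example>
To: treasurer@city.example
Subject: Urgent transfer

Constructed body text.
"""
CLEAN = """\
Return-Path: <accounts@xocompany.com>
From: XO Company Accounts <accounts@xocompany.com>
To: payables@city.example
Subject: Invoice 1234

Constructed body text.
"""

if __name__ == "__main__":
    for name, raw in (("look-alike", LOOKALIKE), ("header spoof", HEADER_SPOOF), ("clean", CLEAN)):
        print(name, "->", analyze(raw)["findings"] or ["no indicators"])
```

Note that the look-alike message passes the envelope check, because the attacker controls that domain outright; the two techniques need two separate checks.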
In a compromised email, the attackers gain total access to a legitimate email account. One way an attacker gains unauthorized access to a legitimate email is through another phishing email, tricking the victim to click on the malicious attachment or link, resulting in the installation of malware into the victim’s computer.
An example of malware is the keylogger – a type of malware that records every keystroke made by a computer user, capturing information such as usernames and passwords to emails and sending these data remotely to the attackers. Armed with these stolen login details, attackers can then access the victim’s email. From this compromised email, attackers can send an email ordering a lower-ranked employee in charge of releasing funds to proceed with the bogus wire transfer.
When you need assistance protecting your business from phishing attacks, help is a phone call away. Connect with us today and take a step forward to better cybersecurity posture.
Hong Kong Privacy Watchdog Orders Cathay to Overhaul IT Systems Over 2018 Data Breach
Hong Kong’s Privacy Commissioner for Personal Data Stephen Kai-yi Wong has ordered Cathay Pacific Airways Limited and Hong Kong Dragon Airlines Limited, collectively referred to as Cathay, to overhaul its IT systems containing personal data of its customers over the 2018 data breach which affected approximately 9.4 million passengers from different parts of the world.
On October 24, 2018, Cathay notified both the public and Hong Kong’s Privacy Commissioner for Personal Data over the suspicious activity detected on its network on March 13, 2018. According to Cathay, approximately 9.4 million Cathay passengers, specifically members of the company’s frequent flyer programs Asia Miles and Marco Polo Club as well as registered users of Cathay from over 260 locations worldwide, were affected by the cyber incident. The affected personal data of Cathay passengers include name, flight number and date, title, email address, membership number, address and phone number.
Customers of both Cathay Pacific Airways Limited and Hong Kong Dragon Airlines Limited, also known as Cathay Dragon, were affected as Cathay Pacific managed and provided information management services to Cathay Dragon. With this set-up, personal data of Cathay Dragon’s passengers reside on Cathay Pacific’s IT System.
The “Data Breach Incident Investigation Report” publicly released by Hong Kong’s Privacy Commissioner for Personal Data – with many of the data coming from the disclosure of Cathay itself – identified three cyber incidents on Cathay systems: keylogger attack in October 2014, exploitation of a known security vulnerability attack in August 2017 and brute force attack in March 2018.
The earliest evidence of keylogger malicious software (malware) activity on the company’s system was on October 15, 2014. In keylogging, every keystroke made on a computer, such as usernames and passwords, is captured, and the captured data are automatically sent to the attackers for criminal exploitation. It isn’t known how the unknown attacker or attackers initially intruded into the company’s system, which led to the dropping of the keylogger malware.
Valid user account login details stolen via the keylogger malware, according to the report, enabled the attackers to move further into the company’s network and drop additional tools to steal domain credentials.
Exploitation of Known Vulnerability Attack
The earliest evidence of suspicious activity where it was found that the attackers exploited a known vulnerability on the company’s internet facing server was on August 10, 2017. The exploitation of this known vulnerability allowed the attackers to bypass authentication and gain administrative access to the company’s internet facing server.
Exploiting the known vulnerability also allowed the attackers to move laterally inside the company’s IT system and install malware and credential harvesting tools. It wasn’t disclosed what particular vulnerability on the company’s internet facing server was exploited. It was, however, revealed that this particular security vulnerability was publicly known as early as 2007.
Brute Force Attack
The earliest evidence of a brute force attack on the company’s system was on March 13, 2018, which resulted in approximately 500 staff users being locked out of their user accounts. In a brute force attack, a cyber attacker attempts to find the correct username and password using a trial and error approach. Brute force attack tools available to attackers automate the process of guessing the correct username and password using thousands of commonly used usernames and passwords.
Even though the keylogger attack happened in October 2014, the exploitation of a known security vulnerability in August 2017 and the brute force attack in March 2018, Cathay only informed the public and Hong Kong’s Privacy Commissioner for Personal Data about the suspicious activity on its network on October 24, 2018. In Hong Kong, however, there’s no law that mandates organizations such as Cathay to notify the Privacy Commissioner for Personal Data and the data subjects of a data breach within a prescribed period of time.
“Cathay did not take all reasonably practicable steps to protect the Affected Passengers’ personal data against unauthorised access in terms of vulnerability management, adoption of effective technical security measures and data governance, contravening DPP 4(1) of Schedule 1 to the Ordinance [Hong Kong’s Personal Data Ordinance],” Wong said.
The Commissioner, in particular, found Cathay had not taken reasonably practicable steps not to expose the administrator console port of its internet-facing server, which opened the door for attackers. “Cathay should have applied effective multi-factor authentication to all remote access users for accessing its IT System involving personal data,” the Commissioner said.
Data Breach Prevention
Under Hong Kong’s Personal Data Ordinance, if after an investigation, the Privacy Commissioner for Personal Data finds that a data user is contravening or has contravened a requirement under the Ordinance, the Commissioner may serve on the data user an Enforcement Notice to prevent recurrence of the lapses. The Commissioner’s Enforcement Notice directed Cathay to engage an independent data security expert to “overhaul the systems containing personal data to the effect that these systems are free from known malware and known vulnerabilities”.
The Commissioner also directed Cathay to implement effective multi-factor authentication to all remote users for accessing the company’s IT System involving personal data and to conduct a regular review of remote access privileges.
In order to prevent a Cathay-like data breach, it’s also important to keep all your organization’s software, especially server operating systems, up-to-date, as attackers typically try to exploit known software security vulnerabilities.
Navigating the world of cybersecurity can be difficult for many businesses, including large enterprises.
Steve E. Driz, I.S.P., ITCP