Cybersecurity Blog
Thought leadership. Threat analysis. Cybersecurity news and alerts.
By 2025, cybercrime is expected to reach damages of $10.5 trillion globally. Organizations around the world are taking note of this, and so should you. Between 2021 and 2025, cybersecurity spending across the globe will climb to over $1.75 trillion cumulatively. Cyber security awareness is a popular business aim, high on the list of priorities. Now, how are you leveraging it as a competitive advantage? If you are not, you are missing the boat on some major opportunities. Here is why.

Productivity

The Canadian government reports that 97.9% of its businesses are small businesses. Small businesses employ approximately 68.8% of the private labour force. The biggest challenge with cyber security is that large corporations have the budget to invest in it, while small companies view it as something that would be nice to have but won’t make the budget. Therefore, 97.9% of Canadian businesses may not make cyber security a “must-have” priority. Cyber security means business continuity, giving your business (big or small) the upper hand in production. All businesses should prepare for hackers with fail-safes. Organizations need to prepare for disaster recovery and create protection from troublesome employees.

Public Relations

A breach in security can be a PR nightmare for any company, and could even put it out of business completely. How do you believe a potential customer will view your organization if they feel it lacks data protection? Will a customer want to do business with you if they fear their data is unsafe? As a competitive advantage, use your public relations to show that you mean business about cyber security awareness. You want to let your clients and prospects know you take data protection seriously, more so than your competitors.

Marketing Advantage

You can build a brand image and an entire marketing campaign around the measures you are taking for data protection.
No matter what industry you serve, and whether you sell B2B or B2C, your customers will appreciate your efforts and love doing business with you for it.

Employee Retention

When you lock down your company’s data and keep it away from cybercriminals, you also keep it away from your competitors. An example is when a salesperson jumps ship and gets hired by a competitor. You do not want your intellectual property in the hands of your competition. There are IT security measures you can take to avoid this. You can implement software, configurations, and policies as a preventative measure.

IT Tips

What else can you do to protect your business from malicious actors? Work with an IT provider and ask how they protect your email, edge, and endpoints. Specifically, ask about:
Work with an IT provider that can help with training and education for the users in your business. You can run tests too, to see if your employees can spot a phishing email.

Business Continuity and Disaster Recovery Plan

If you do not have a plan in place already, you need one immediately. Any delay puts your business at risk. An important piece of data protection is having the ability to reverse time. If you cannot quickly and easily turn back the clock for the complete system, you risk significant damage in case of a cyber attack. In fact, an attack may render your business unable to operate. Image-based backups can help. They take hourly snapshots of your system. They back up to two totally separate locations, on an operating system that differs from the one your business uses daily. The reason for this is that a virus can spread when the same operating system is in use. Having a different operating system for the backup adds a layer of protection.

Use Data Encryption

Any business can encrypt its data today with the rollout of modern technology. There are multiple programs available that will simply encrypt and decrypt your data for emails, files, and hard drives. Speaking of hard drives, if you have old devices, you will want to do one of the following:
Keep in mind that data protection does not require a genius, but it does need a company with the right tools and training for success.

Stay Up to Date with Patches and General Software Updates

The sooner you make updates, the sooner you can feel more confident about cyber security and digital safety. Unfortunately, hackers love software vulnerabilities. It is how they thrive. A software vulnerability is a weakness or security hole in a software program or operating system. Hackers use it to their advantage and write malware to target the vulnerability. Opening a compromised message, visiting a rogue website, or playing infected media can be the entry point through which an employee’s device is used to exploit your system. Malware will steal data. The hacker can then control the device and encrypt files. When your business devices continually update their software, including patches, it closes security holes. This keeps hackers out.

Cyber Security Awareness Means a Competitive Advantage

If you are not currently using cyber security awareness to grow your business, you may be leaving money on the table. Whether it is for productivity, public relations, marketing, employee retention, or in case of a disaster, cyber security matters to your business. At The Driz Group, we are your trusted partner for cyber security and compliance. We reduce risk to your business with web application protection services, fully managed infrastructure, and delivery of cyber security consulting. Big or small, The Driz Group can help your business. Contact us today to learn more.

More and more hackers are using distributed denial-of-service (DDoS) attacks to hold businesses to ransom. In June 2021, the Canadian Centre for Cyber Security issued an alert to raise awareness of increased DDoS extortion activity. One notable case occurred in September of that year, with ITWorld Canada reporting that a voice-over-IP provider in Canada had been targeted.
The perpetrator was believed to have demanded one bitcoin (equal to around $45,000) as payment to end the assault. Numerous other companies have been hit since. With ransom DDoS incidents becoming more common, it’s crucial that organizations understand how serious this threat is, how it could affect them, and what defensive measures they can use to stay safe. But before we explore what a ransom DDoS attack is and how you can stop it, we’ll cover the basics.

What is a DDoS Attack?

A DDoS attack floods a specific network, server, website, or application with an overwhelming amount of traffic. This disrupts the normal flow of traffic and prevents the target from operating as it should. Perpetrators tend to use botnets to launch DDoS attacks. A botnet is a network of many connected systems, all infected with malware, that is used to generate disruptive traffic. These devices may be computers, IoT (Internet of Things) gadgets, or mobile devices. A hacker can leverage these “zombie” systems to attack their target with enough traffic to cause serious problems. Attackers may aim to:
But with ransom DDoS attacks, hackers are driven more by greed than anything else.

What is a Ransom DDoS Attack?

A ransom DDoS attack (often referred to as an RDDoS attack) is essentially the same, but with a few key differences. The attacker’s goal is to extort money from the target through threats and even brief demonstrations of their power. A hacker may launch a DDoS attack against a business and then contact the victims to demand payment. They expect the target to pay the ransom, and if they are not paid, the attacker will continue the DDoS assault. Alternatively, hackers may threaten the target before they begin the attack. Their objective is to inspire panic in the potential victims and receive money without needing to act. However, an inexperienced or unequipped perpetrator may lack the resources or know-how to follow through on their threat. In this case, an organization could emerge from the incident unscathed even if it refuses to pay the ransom.

How Does a Ransom DDoS Attack Disrupt Businesses?

A ransom DDoS attack could disrupt your business in various ways, assuming the perpetrator launches the attack instead of simply issuing a threat.
Preventing an attack, and being prepared to handle one just in case, is vital to reduce your risk of experiencing these issues.

What Can You Do To Prevent a Ransom DDoS Attack?

Keep the following measures in mind to help prevent a ransom DDoS attack against your organization:

Refuse to Pay the Ransom

Your first instinct may be to pay the ransom, but you have no way of knowing whether that will stop the attack. It may continue, or the perpetrator could target your business again because they know you’re likely to pay a second time.

Train Employees to Handle Threats Responsibly

Educate your workers on what a ransom DDoS attack involves, how these attacks usually unfold, and what actions to take if they receive a threatening message. They should know who to report an incident to and how to recognize early signs of an attack.

Look Out for Warning Signs of Impending Attacks

Common early signs of a DDoS attack include:
These could indicate other problems too, such as outdated equipment. However, it is best to have any of these signs investigated by cybersecurity specialists just in case.

Ensure Your Security Measures are Updated and Effective

If you haven’t updated your firewalls and other IT security measures in a while, review them to identify potential weaknesses. Outdated cybersecurity software may lack the features needed to protect your business.

Work with Professional Cybersecurity Specialists

Reviewing, updating, and testing your cybersecurity setup is complicated. But it’s critical to reduce your risk of being affected by a ransom DDoS attack. For many companies in Canada, the simplest way to combat threats is to work with a team of cybersecurity professionals. At The Driz Group, we’re dedicated to providing unparalleled cybersecurity solutions for businesses in all sectors. Our experienced, trained, reliable team will perform a comprehensive IT audit and vulnerability assessment to accurately determine your unique security requirements. And we’ll implement the best security available to defend your organization at all times. Start protecting your business — schedule your free consultation with The Driz Group today.

Did you know that the amount of money lost to cyberattacks in the US rose to a record $4.2 billion in 2020, and that 800,000 cybercrime complaints were made to the FBI? Phishing was the most common way cybercriminals obtained confidential data from unsuspecting recipients. Are you worried about the different cyberattacks that businesses have to watch out for? Do you want to learn about these cybersecurity threats so you can protect yourself and your business better? Keep reading to find out more.

1. Phishing Attack

The weakest link in your business's cybersecurity is your employees. They are vulnerable to many different kinds of cyberattacks, the most common of these being phishing attacks.
In this attack, cybercriminals trick your employees into revealing their login credentials. They might send an email with a malicious link in it which, when clicked, asks for their login details. If the employee is tricked into entering them, the cybercriminals gain access to their important accounts. It's a cheap and efficient way for cybercriminals to get lots of sensitive and confidential data from people. This can leave your organization vulnerable to losing customers and future business because your reputation is degraded. That's why people are always told never to click links in an email that seems suspicious and never to give out any sensitive or confidential information in an email.

2. Malware-Based Attack

Using a common delivery method like email, cybercriminals install malware on the person's computer, which gives them access to the login details and other important data on the user's system. This kind of attack uses your weak link, i.e. employees, yet again. That's why training and informing your employees about various security threats is so crucial. Sometimes the cybercriminals will select their targets carefully from the employee roster at an organization, but other times they will send an email en masse and see what they get back.

3. Attacks Through Uploading Files

This file upload attack is commonly used on websites that allow users to upload files, such as contact form attachments, social media posts, profile photos, etc. It allows cybercriminals to write a huge chunk of malicious code onto your server and get access to your entire website. The problem is that most websites have a file upload option, such as in a user profile or contact form. No website seems safe from this vulnerability.

4. Outdated And Vulnerable Software

Software technology comes with a short life cycle, and it needs constant updating, patches, and upgrades to ensure that it runs safely and stays compatible with other software.
It's important to ensure all the software your employees use is updated and upgraded regularly. Attacks on outdated or unpatched software happen primarily through SQL injection and brute force. So if you have a WordPress site, update it to the latest version as soon as it's available to keep it safe from cyberattacks.

5. Password Attacks

The most common password used in the world in 2021 is still 123456! That leaves your sensitive accounts, databases, and servers easily vulnerable to cybercriminals. Even if you are using a complicated password for your login credentials, cybercriminals can use a bot to randomly generate passwords. They try logging into your account with those passwords until they get the correct one. That's called a brute-force attack. Another way a cybercriminal can guess your password and get at your account is a dictionary attack, where they systematically enter words from a dictionary as the password until they get the right one. Password spraying is where they use the few common passwords most people use and get access to your account that way. That's why it's so important to choose a complicated password that's 8 characters or longer, with alphanumeric characters and symbols. Also, prompt your employees to change their password at least every six months, and make it mandatory so they can't log in without changing it. This way they won't procrastinate on this very important task.

6. DNS Spoofing

How do you know you are going to the right website when you click on a particular link? You just assume you are, since you trust the internet and everything that happens on it (or most things that happen on it). But through DNS spoofing, a cybercriminal submits false information into a DNS cache. This returns incorrect responses to a DNS query and lands the user on the wrong website.
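The password attacks described in section 5 leave different footprints in an authentication log: brute force (and a dictionary attack, which looks the same from the log's side) hammers one account with many guesses, while password spraying touches many accounts with one or two guesses each, often staying under per-account lockout thresholds. The Python below is an added example, not code from the original post: it classifies each source address over a set of constructed log lines. The log layout, the thresholds and the account names are assumptions made for the demonstration.

```python
"""Classify failed-login activity per source address as brute force or spraying.

Added example: not code from the original post. Log format, thresholds and
account names are assumptions chosen for the demonstration.
"""
import re
from collections import defaultdict

# Assumed thresholds; tune them against your own authentication baseline.
MIN_FAILURES = 8           # fewer failures than this from one source is treated as noise
MAX_ACCOUNTS_BRUTE = 2     # brute force / dictionary: many guesses against one or two accounts
MIN_ACCOUNTS_SPRAY = 6     # spraying: spread across many accounts ...
MAX_PER_ACCOUNT_SPRAY = 3  # ... with only a few guesses each, to stay under lockout

# Assumed line layout: "<timestamp> <FAIL|OK> user=<account> src=<ip>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_log(text):
    """Yield (timestamp, result, user, src) for every well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("result"), m.group("user"), m.group("src")


def classify_sources(text):
    """Return {src_ip: verdict}. Verdicts are 'brute_force', 'password_spray' or
    'mixed', with '+success' appended when the same source later logged in
    successfully (the account it hit is then a compromise candidate).
    Sources that never reach MIN_FAILURES are omitted."""
    failures = defaultdict(lambda: defaultdict(int))  # src -> user -> failed attempts
    success_after_failure = defaultdict(set)          # src -> users it later logged into
    for _ts, result, user, src in parse_log(text):
        if result == "FAIL":
            failures[src][user] += 1
        elif src in failures:  # a success from a source that has already failed
            success_after_failure[src].add(user)

    verdicts = {}
    for src, per_user in failures.items():
        total = sum(per_user.values())
        if total < MIN_FAILURES:
            continue
        accounts = len(per_user)
        if accounts <= MAX_ACCOUNTS_BRUTE:
            verdict = "brute_force"
        elif accounts >= MIN_ACCOUNTS_SPRAY and max(per_user.values()) <= MAX_PER_ACCOUNT_SPRAY:
            verdict = "password_spray"
        else:
            verdict = "mixed"
        if success_after_failure[src]:
            verdict += "+success"
        verdicts[src] = verdict
    return verdicts


def _constructed_log():
    """Constructed sample: one brute-force source that eventually succeeds, one
    spraying source, and one legitimate user who mistyped twice."""
    lines = [f"2021-11-01T09:00:{i:02d}Z FAIL user=alice src=203.0.113.7" for i in range(12)]
    lines.append("2021-11-01T09:00:12Z OK user=alice src=203.0.113.7")
    lines += [f"2021-11-01T09:05:{i:02d}Z FAIL user=user{i:02d} src=198.51.100.20" for i in range(10)]
    lines += [
        "2021-11-01T09:10:00Z FAIL user=bob src=192.0.2.5",
        "2021-11-01T09:10:05Z FAIL user=bob src=192.0.2.5",
        "2021-11-01T09:10:09Z OK user=bob src=192.0.2.5",
    ]
    return "\n".join(lines)


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for src, verdict in sorted(classify_sources(SAMPLE_LOG).items()):
        print(f"{src:16} {verdict}")
```

The two verdict rules are deliberately asymmetric: a per-account lockout policy alone stops the brute-force pattern but not spraying, which is why the spray rule keys on account breadth rather than failure depth. The "+success" suffix is the event worth paging on, since it marks an account the guessing actually reached.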
In this manner, the user submits their login information and other sensitive information to the wrong website, giving a cybercriminal access to that important data.

7. Accidental Exposure Of Sensitive Data

Unfortunately, most people aren't too careful with their sensitive data. They leave it out in the 'open', making it vulnerable to data breaches and unauthorized access by cybercriminals. It's akin to leaving your laptop in a cafe and walking over to the bathroom to wash your hands, then being surprised when your laptop is nowhere to be found when you come back. Ensure that anything that's publicly accessible doesn't contain any sensitive information. This includes files on public servers, error messages, database tables, and log files. All information online is vulnerable to a cyberattack and must be treated as such.

Cyberattacks Are Getting More Insidious As Time Goes On

Cybercriminals are becoming savvier and more dangerous as time goes on. They manipulate both online data and offline people to get access to sensitive information. If you are worried about cyberattacks and feel vulnerable to such security threats, putting your head in the sand won't help. Speak to the cybersecurity experts at The Driz Group today. We can help you build a solid plan for your business and employees to protect yourself from cyber threats of all kinds. We keep up with all the latest developments in cybersecurity and will keep your system safe from emerging threats. Our emergency response team is available 24/7 to protect you and your business.

Emerging Threat: Blockchain-Enabled Botnet

Google, together with Internet infrastructure providers and hosting providers, recently disrupted the operation of a blockchain-enabled botnet, taking down the operation’s servers – for now. In partnership with Internet infrastructure providers and hosting providers such as Cloudflare, Google said it has taken down the servers of the Glupteba botnet.
Glupteba Botnet

Glupteba is malicious software (malware) that has been around for less than a decade. Through the years, this malware has used many common cybercrime tricks. Like other malware of its kind, Glupteba is a zombie malware, also known as a bot (short for software robot), that can be controlled remotely. The group behind Glupteba also operates a botnet – a group of computer devices each infected with the Glupteba malware and hijacked to carry out various scams and cyberattacks.

In the blog post “New action to combat cyber crime”, Royal Hansen, Vice President for Security at Google, and Halimah DeLaine Prado, Google General Counsel, said the Glupteba botnet has hijacked approximately one million Windows devices worldwide and at times grows at a rate of thousands of new devices per day. “Botnets are a real threat to Internet users, and require the efforts of industry and law enforcement to deter them,” Hansen and Prado said.

In another blog post, “Disrupting the Glupteba operation”, security researchers Shane Huntley and Luca Nagy from Google Threat Analysis Group said that the individuals operating the Glupteba botnet offered multiple online services, including selling access to virtual machines loaded with stolen credentials, proxy access, and selling credit card numbers to be used for other malicious activities such as serving malicious ads and payment fraud on Google Ads. Computer devices that form part of the Glupteba botnet are also used for unauthorized cryptocurrency mining, enabling the group behind this malware to earn cryptocoins while owners of the hijacked devices unknowingly pay the high electricity bills resulting from the mining.

Glupteba malware distributes itself automatically across victims’ networks via two different variants of the ETERNALBLUE exploit – a Windows exploit used in the 2017 WannaCry ransomware attack. ETERNALBLUE exploits outdated computer devices.
Glupteba has also been known to exploit unprotected and outdated popular home and small business routers. The group behind Glupteba often hides its zombie malware behind pirated software. Computer devices, even those patched against ETERNALBLUE, are attacked by Glupteba malware via pirated software from well-known piracy sites.

Blockchain-Enabled Botnet

While Glupteba has been known to use many common cybercrime tricks, it is notable for using the Bitcoin blockchain for its malicious activities. Just as Cold War era spies communicated using the “Personals” section of a print newspaper, the group behind the Glupteba botnet communicates using the Bitcoin blockchain. “Glupteba uses the fact that the Bitcoin transactions are recorded on the Bitcoin blockchain, which is a public record of transactions available from a multitude of sources that are unexceptionably accessible from most networks,” security researcher Paul Ducklin from SophosLabs said in the write-up "Glupteba – the malware that gets secret messages from the Bitcoin blockchain". Ducklin added, “Bitcoin ‘transactions’ don’t actually have to be about money – they can include a field called RETURN, also known as OP_RETURN, that is effectively a comment of up to 80 characters.”

Security researchers from SophosLabs decrypted the secret message “venoco___ol.com” in one of the Bitcoin wallets used by the group behind Glupteba. This secret message means that the command-and-control server used by Glupteba has moved to venoco___ol.com. “The current command-and-control servers used by the crooks, known as C2 servers or C&Cs, might get found out and blocked or killed off at any moment, so zombie malware often includes a method for using an otherwise innocent source of data for updates,” Ducklin added.
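Ducklin's description of the OP_RETURN field is what a monitoring team needs: an OP_RETURN output is a script that begins with the OP_RETURN opcode and carries a single data push of at most 80 bytes, so the payload can be pulled out of any transaction without special tooling. The Python below is an added example, not code from the original article, SophosLabs or Google: it decodes such scripts, rejects malformed or oversized ones, and flags payloads that read as a domain name, which is how an analyst watching a known wallet would notice a C2 update of the kind described. The sample scripts and the placeholder domain are constructed and nothing here touches the Bitcoin network; the malware's own encryption layer, which the article does not describe, is not reproduced.

```python
"""Decode and triage Bitcoin OP_RETURN output scripts.

Added example: not from the original article, SophosLabs or Google. The
sample scripts are constructed; the domain in them is a placeholder.
"""
import re

OP_RETURN = 0x6A     # marks a provably unspendable output that only carries data
OP_PUSHDATA1 = 0x4C  # "the next byte is the push length", used for pushes of 76-255 bytes
MAX_PAYLOAD = 80     # standard relay policy caps OP_RETURN data at 80 bytes


def parse_op_return(script: bytes):
    """Return the data bytes of a well-formed OP_RETURN script, or None when the
    script is not OP_RETURN, carries more than one push, or exceeds 80 bytes."""
    if len(script) < 2 or script[0] != OP_RETURN:
        return None
    opcode = script[1]
    if 1 <= opcode <= 75:                    # direct push: the opcode is the byte count
        length, start = opcode, 2
    elif opcode == OP_PUSHDATA1 and len(script) >= 3:
        length, start = script[2], 3
    else:
        return None
    if length > MAX_PAYLOAD or start + length != len(script):
        return None
    return script[start:start + length]


def build_op_return_script(payload: bytes) -> bytes:
    """Encode payload as an OP_RETURN script; used here only to construct sample input."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds the 80-byte OP_RETURN limit")
    push = bytes([len(payload)]) if len(payload) <= 75 else bytes([OP_PUSHDATA1, len(payload)])
    return bytes([OP_RETURN]) + push + payload


# Conservative hostname shape: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)+$", re.I
)


def looks_like_hostname(payload: bytes) -> bool:
    """Triage heuristic: does the payload decode to something shaped like a domain name?"""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return False
    return HOSTNAME_RE.match(text) is not None


def scan_outputs(scripts):
    """Return [(output index, decoded text)] for OP_RETURN payloads that look like
    hostnames, i.e. the outputs an analyst watching a known wallet would review."""
    hits = []
    for index, script in enumerate(scripts):
        payload = parse_op_return(script)
        if payload is not None and looks_like_hostname(payload):
            hits.append((index, payload.decode("ascii")))
    return hits


# Constructed sample outputs of one transaction.
SAMPLE_OUTPUTS = [
    bytes.fromhex("76a914" + "00" * 20 + "88ac"),          # ordinary P2PKH payment, no data
    build_op_return_script(b"invoice 4471 paid"),           # harmless memo
    build_op_return_script(b"c2-update.example.invalid"),   # placeholder domain, not a real C2
    bytes([OP_RETURN, OP_PUSHDATA1, 81]) + b"A" * 81,       # 81 bytes: over the relay limit
]

if __name__ == "__main__":
    for index, text in scan_outputs(SAMPLE_OUTPUTS):
        print(f"output {index}: OP_RETURN payload looks like a hostname: {text}")
```

In practice the scan runs over every transaction that spends from or pays to the wallets already attributed to the operators, and each hit becomes a block-list candidate for the new C2 domain; because the encoded payload in the real case was encrypted, the hostname heuristic would only fire after the analyst's decryption step, which this example leaves out.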
“After all, to tell a bot to switch from one C&C server to another, you typically don’t need to send out much more than a new domain name or IP number, and there are lots of public messaging systems that make it easy to share short snippets of data like that.”

Security researchers Huntley and Nagy from Google Threat Analysis Group said that the group behind Glupteba is likely to attempt to regain control of the botnet by using a backup command and control mechanism that uses data encoded on the Bitcoin blockchain. Royal Hansen, Vice President for Security at Google, and Halimah DeLaine Prado, Google General Counsel, meanwhile, acknowledged that taking down the command and control infrastructure of Glupteba isn’t the end game for the group behind it. Before the U.S. District Court for the Southern District of New York, Google filed the first lawsuit against a blockchain-enabled botnet, suing two named individuals and 15 unidentified individuals. “However, due to Glupteba’s sophisticated architecture and the recent actions that its organizers have taken to maintain the botnet, scale its operations, and conduct widespread criminal activity, we have also decided to take legal action against its operators, which we believe will make it harder for them to take advantage of unsuspecting users,” Hansen and Prado said.

Best Practices to Mitigate the Risks

Here are some of the cybersecurity best practices to protect your organization’s computer devices from being hijacked as part of a botnet like the Glupteba botnet:
Top Cloud Security Threat: Unauthorized Cryptocurrency Mining

Google's Cybersecurity Action Team recently published a report naming unauthorized cryptocurrency mining, also known as cryptojacking, as the top threat to Google Cloud Platform.

What Is Cryptocurrency Mining?

Cryptocurrency mining refers to the process of creating a new coin. Aside from creating new coins, cryptocurrency mining also refers to validating cryptocurrency transactions. In many countries, cryptocurrency mining is legal. With the rise of cryptocurrency prices, malicious actors are stealing computing resources such as cloud resources from Google Cloud Platform. The skyrocketing value of cryptocurrencies like Bitcoin has prompted threat actors to shift their focus from stealing data to stealing compute power in organizations’ public cloud environments. Aside from mining Bitcoin, threat actors also mine other cryptocurrencies that are specifically designed to evade transaction tracing.

Cryptojacking Prevalence

According to Google's Cybersecurity Action Team, out of 50 recently compromised Google Cloud Platform instances, 86% were used to perform cryptocurrency mining. Unauthorized cryptocurrency mining, specifically of cloud resources, is nothing new. In February 2018, RedLock reported that Tesla had been a victim of unauthorized cryptocurrency mining. “The hackers had infiltrated Tesla’s Kubernetes console which was not password protected,” RedLock said. “Within one Kubernetes pod, access credentials were exposed to Tesla’s AWS environment which contained an Amazon S3 (Amazon Simple Storage Service) bucket that had sensitive data such as telemetry.” Google's Cybersecurity Action Team, meanwhile, said that Google Cloud Platform instances were compromised through the following:
Google's Cybersecurity Action Team also found that in 58% of situations, the cryptocurrency mining software was downloaded to the system within 22 seconds of compromise. “This suggests that the initial attacks and subsequent downloads were scripted events not requiring human intervention,” Google's Cybersecurity Action Team said. “The ability to manually intervene in these situations to prevent exploitation is nearly impossible.”

Scanning Activities

Threat actors easily find vulnerable internet-facing applications and exposed cloud accounts through the process called scanning. Google's Cybersecurity Action Team reported that the shortest time between deploying a vulnerable Cloud instance exposed to the internet and its compromise was as little as 30 minutes, and for 40% of instances the time to compromise was under eight hours. “This suggests that the public IP address space is routinely scanned for vulnerable Cloud instances,” Google's Cybersecurity Action Team said.

An earlier study conducted by researchers from Palo Alto Networks' Unit 42 found that vulnerable internet-exposed applications are compromised in just 24 hours. Between July 2021 and August 2021, Unit 42 researchers set up 320 honeypots (network-attached computers purposely set up to lure threat actors) to verify how fast threat actors compromise four vulnerable internet-exposed applications. These four apps were purposely configured with weak passwords. Palo Alto Networks' Unit 42 researchers found that 80% of the 320 honeypots were compromised in just 24 hours and all of the honeypots were compromised within a week. For these honeypots, Unit 42 researchers applied firewall policies to block IPs from known network scanners. They found that blocking IPs from known network scanners doesn’t work, as 85% of the attacker IPs were observed only on a single day.
The researchers identified a daily average of 75,000 unique scanner IP addresses globally. According to Google's Cybersecurity Action Team, Google Cloud customers with non-secure Cloud instances will likely be detected and attacked in a relatively short period of time. “Given that most instances were used for cryptocurrency mining rather than exfiltration of data, Google analysts concluded the Google Cloud IP address range was scanned rather than particular Google Cloud customers being targeted,” the Google team said.

Unauthorized Cryptocurrency Mining Risk Mitigation

Unauthorized cryptocurrency mining of cloud resources is bad for business. Cryptocurrency mining is resource-intensive. With unauthorized cryptocurrency mining, threat actors earn money while your organization unknowingly ends up paying the rented cloud computing bill. In the case of unauthorized cryptocurrency mining done on your organization’s internet-exposed networks, negative impacts include a substantial increase in electrical consumption and increased wear and tear on the hardware. Here are some of the cybersecurity best practices to protect your organization’s internet-exposed networks and cloud accounts:
Monitor cloud configurations, network traffic, and suspicious user behavior via automated solutions. It’s important to have automated solutions: as shown by Google's Cybersecurity Action Team’s report, cryptocurrency mining software is downloaded to the system within 22 seconds of compromise, making human intervention impossible.

Contact us today to assess your cybersecurity posture and mitigate the risks.

Vulnerable Internet-Exposed Applications Compromised in 24 Hours, Report Shows

A study conducted by researchers from Palo Alto Networks' Unit 42 found that vulnerable internet-exposed applications are compromised in just 24 hours. Once compromised, vulnerable internet-exposed applications pose a security risk to cloud environments within the same infrastructure.

Honeypots

Between July 2021 and August 2021, Unit 42 researchers set up 320 honeypots to verify how fast threat actors compromise four vulnerable internet-exposed applications, namely secure shell protocol (SSH), remote desktop protocol (RDP), Samba, and Postgres. Honeypots are network-attached computers that are purposely set up to lure threat actors into accessing them. Honeypots are set up to study the attackers’ methodologies. SSH is a protocol that allows users to open remote shells on other computers. Samba is a free software re-implementation of the Server Message Block (SMB) networking protocol. SMB is a communication protocol used for sharing access to files, printers, and serial ports between Windows computers on the same network or domain. RDP, meanwhile, is a network communications protocol developed by Microsoft that allows users to remotely connect to another computer. Postgres, also known as PostgreSQL, is an enterprise-class open source database management system.
Access to any of these four standard applications allows attackers to remotely connect to the victim’s network and perform malicious activities such as further compromising cloud environments within the same network. The honeypots deployed by the Unit 42 researchers had vulnerable SSH, Samba, RDP, and Postgres; for instance, they intentionally used weak usernames and weak passwords. Weaknesses in SSH, Samba, RDP, and Postgres are often exploited by cyberattackers. Ransomware groups, including REvil and Mespinoza, are known to exploit internet-exposed applications to gain initial access to victims' environments. In Q3 2021, Digital Shadows reported that RDP and SSH are among the top access types of choice of Initial Access Brokers – individuals or groups that act as intermediaries in identifying vulnerable organizations and selling access to their networks to the highest bidder.

Unit 42 researchers found that 80% of the 320 honeypots were compromised within 24 hours and all of the honeypots were compromised within a week. Out of the four vulnerable internet-exposed applications, SSH was the most attacked, and on average each SSH honeypot was compromised 26 times daily. The researchers also found that one threat actor compromised 96% of 80 Postgres honeypots globally within 30 seconds. The researchers’ honeypots applied firewall policies to block IPs from known network scanners. They found that blocking known scanner IPs is ineffective in mitigating attacks, as 85% of the attacker IPs were observed only on a single day. "This number indicates that Layer 3 IP-based firewalls are ineffective as attackers rarely reuse the same IPs to launch attacks,” Unit 42 researchers said. “A list of malicious IPs created today will likely become outdated tomorrow.” The researchers also found that vulnerable internet-exposed applications were compromised multiple times by multiple different attackers.
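The 85% single-day figure is the whole argument against IP blacklisting, and it is easy to measure on your own honeypot or perimeter logs. The Python below is an added example, not Unit 42's code or data: it takes (attacker IP, day) observations, computes the share of addresses seen on only one day, and then shows what fraction of one day's attackers a blacklist built from the previous day would actually have blocked. The observations are constructed so that the numbers line up with the article's 85%.

```python
"""Measure attacker-IP churn and the value of a day-old IP blacklist.

Added example: not Unit 42's code or data. Observations are constructed so
the figures are easy to follow.
"""
from collections import defaultdict


def _constructed_observations():
    """(attacker_ip, day) pairs over three days: three persistent scanners seen
    every day plus seventeen addresses that each appear on a single day."""
    days = ["2021-07-01", "2021-07-02", "2021-07-03"]
    persistent = ["203.0.113.1", "203.0.113.2", "203.0.113.3"]
    observations = [(ip, day) for day in days for ip in persistent]
    one_day_counts = {"2021-07-01": 6, "2021-07-02": 6, "2021-07-03": 5}
    host = 10
    for day, count in one_day_counts.items():
        for _ in range(count):
            observations.append((f"198.51.100.{host}", day))
            host += 1
    return observations


OBSERVATIONS = _constructed_observations()


def days_per_ip(observations):
    """Map each attacker IP to the set of days it was observed on."""
    seen = defaultdict(set)
    for ip, day in observations:
        seen[ip].add(day)
    return seen


def single_day_fraction(observations):
    """Share of attacker IPs observed on exactly one day (Unit 42 measured 85%)."""
    seen = days_per_ip(observations)
    return sum(1 for days in seen.values() if len(days) == 1) / len(seen)


def blacklist_hit_rate(observations, build_day, eval_day):
    """Build a blacklist from every IP seen on build_day and report the share of
    eval_day's attackers it would have blocked."""
    blocked = {ip for ip, day in observations if day == build_day}
    attackers = {ip for ip, day in observations if day == eval_day}
    return len(attackers & blocked) / len(attackers)


if __name__ == "__main__":
    print(f"IPs seen on a single day: {single_day_fraction(OBSERVATIONS):.0%}")
    print(f"Blacklist from 2021-07-02 applied on 2021-07-03 blocks "
          f"{blacklist_hit_rate(OBSERVATIONS, '2021-07-02', '2021-07-03'):.1%} of attackers")
```

With these inputs the day-old blacklist stops only the three persistent scanners out of eight attackers on the evaluation day; the other five are new addresses, which is exactly the churn the researchers describe. Rerunning the two functions on real perimeter data gives a defensible number for how much a Layer 3 block list is worth on your own network.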
As attackers competed for the victim’s resources, tools such as Rocke or TeamTNT were used to remove the malicious software (malware) left by other cyberattackers.

Scanning Activities

"The speed of vulnerability management is usually measured in days or months,” Unit 42 researchers said. “The fact that attackers could find and compromise our honeypots in minutes was shocking. When a misconfigured or vulnerable service [application] is exposed to the internet, it takes attackers just a few minutes to discover and compromise the service.” The speed at which threat actors find vulnerable internet-facing applications is achieved through the process called scanning. Threat actors aren’t alone in finding vulnerable internet-facing applications through scanning. Legitimate scanning service providers, such as Shodan, Censys, and Shadowserver, allow users to find vulnerable internet-facing applications. These legitimate scanning service providers have fixed IP addresses. Threat actors, on the other hand, as shown in the findings of the Unit 42 researchers, don’t use fixed IP addresses but rather change their IP addresses every day. Unit 42 researchers identified an average of 75,000 unique scanner IP addresses globally that enumerated more than 9,500 different ports every day. The researchers found that Samba, Telnet (a protocol that allows users to connect to remote computers over a TCP/IP network, such as the internet), and SSH were the three most scanned services, accounting for 36% of scanning traffic globally. Scanning, per se, doesn’t compromise vulnerable internet-facing applications. This method, however, is used by cybercriminals to identify potential victims.

Cybersecurity Best Practices

Here are some of the cybersecurity best practices to protect your organization’s vulnerable internet-exposed applications:

Keep to a bare minimum the exposure of applications to the internet. If internet-exposed applications aren’t used, disable them.
If there’s a need to expose these applications to the internet, secure them by applying security updates in a timely manner, by using strong passwords and multi-factor authentication (MFA), and by using other security measures such as a virtual private network (VPN).
When using a firewall, use the whitelisting approach rather than the blacklisting approach. In whitelisting, only the approved or whitelisted entities are given access to your organization’s network, and all others are blocked. Blacklisting, on the other hand, blocks known malicious IP addresses. As shown in the study conducted by Unit 42 researchers, cyberattackers regularly change their IP addresses, defeating the purpose of blacklisting.

11/18/2021

The Rise of Internet Access Brokers

Researchers from the BlackBerry Research & Intelligence Team recently discovered three separate threat groups using the same IT infrastructure, maintained by a threat actor dubbed Zebra2104, which the researchers believe to be an Initial Access Broker.

What Is an Initial Access Broker?

As the name denotes, a broker buys or sells goods or assets on behalf of others. In this case, what is being bought or sold is the initial access to the victim’s network. Once an Initial Access Broker has access to an organization’s network, the broker advertises this initial access to prospective buyers in underground forums on the dark web. Initial Access Brokers typically sell access to the victim’s network to the highest bidder on these forums. The winning bidder then deploys ransomware or other malicious software (malware) to steal or snoop on the victim’s critical data. Initial access brokering is the first link in the kill chain of many cyberattacks, including ransomware attacks. Initial access to victims’ networks comes in different forms. These include access to vulnerable, internet-exposed remote desktop protocol (RDP) and virtual private network (VPN) services.
A VPN, in principle, establishes a protected network connection when using public networks. In the past few years, a number of vulnerabilities have been discovered in many VPN products. RDP, short for remote desktop protocol, is a network communications protocol developed by Microsoft that allows a computer user to remotely connect to another computer. In the blog post "Data science for cybersecurity: A probabilistic time series model for detecting RDP inbound brute force attacks", the Microsoft Defender Security Research Team said that computers with RDP exposed to the internet are an attractive target for attackers, as they offer attackers a simple and effective way to gain access to a network. According to the Microsoft Defender Security Research Team, brute-forcing RDP doesn’t need a high level of expertise or the use of exploits. “RDP connections almost always take place at port 3389, and attackers can assume that this is the port in use and target it to carry out man-in-the-middle attempts, amongst other attacks,” Digital Shadows researchers said in the blog post “Initial Access Brokers In Q3 2021”. Digital Shadows researchers reported that during the third quarter of 2021, RDP and VPN continued to be the access of choice for Initial Access Brokers. During the third quarter of 2021, the average price for VPN access was $1869, while the average price for RDP access was $1902. According to Digital Shadows researchers, RDP and VPN were also the most popular access types for Initial Access Brokers in Q1 and Q2 2021. “This [popularity of RDP and VPN] is likely due to a combination of the increased use of both technologies as a result of the COVID-19 pandemic and the opportunities afforded to an actor purchasing a VPN or RDP access,” Digital Shadows researchers said. Digital Shadows researchers added that the VPN-RDP combination – referring to an access type that uses VPN access to reach a victim’s dedicated RDP server – was significantly more expensive in Q3 than in the previous quarter.
“It’s realistically possible that this access type [VPN-RDP] may represent a more secure method of gaining access to targeted networks, and as a result, become more desirable for interested actors,” Digital Shadows researchers said. Digital Shadows researchers reported that Initial Access Brokers are advertising various accesses on RAMP (Ransom Anon Mark Place), a recently relaunched Russian-language cybercriminal forum.

Zebra2104

In the blog post "Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware", BlackBerry researchers said they uncovered a connection between the criminal activities of three distinct threat groups: MountLocker, Phobos, and StrongPity. “While it might seem implausible for criminal groups to be sharing resources, we found these groups [MountLocker, Phobos, and StrongPity] had a connection that is enabled by a fourth; a threat actor we have dubbed Zebra2104, which we believe to be an Initial Access Broker (IAB),” BlackBerry researchers said. MountLocker is a ransomware group that has been active since July 2020. Phobos is another ransomware group, first seen in early 2019. Phobos has been victimizing small-to-medium-sized organizations across a variety of industries. StrongPity, also known as Promethium, is an espionage group that has been active since at least 2012. According to BlackBerry researchers, a single domain led them down a path where they uncovered multiple ransomware attacks by MountLocker and Phobos, and a command-and-control (C2) server of StrongPity. “The path also revealed what we believe to be the infrastructure of an IAB: Zebra2104,” BlackBerry researchers said.

Cybersecurity Best Practices

Cybercrime groups nowadays mimic the business models of multinational organizations. Like multinational organizations, cybercrime groups establish partnerships and alliances with other organizations, in this case with Initial Access Brokers.
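The Microsoft post cited above detects inbound RDP brute force with a probabilistic time-series model. The following added example (not from Microsoft, BlackBerry or Digital Shadows) shows the simpler threshold form of the same detection, run over constructed Windows Security log records: Event ID 4625 is a failed logon, 4624 a successful one, and logon type 10 marks a RemoteInteractive (RDP) session. The five-minute window, the threshold of ten failures and the record tuples are all assumptions made for the example.

```python
"""Sliding-window detector for inbound RDP password guessing (added example).

Input records are constructed tuples of
(timestamp, event_id, logon_type, source_ip, account); they are not taken
from a real log. 4625 = failed logon, 4624 = successful logon,
logon_type 10 = RemoteInteractive (RDP).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed tuning
THRESHOLD = 10                 # assumed tuning: failed RDP logons per source within WINDOW

# Constructed sample: one source hammers four account names in 36 seconds and then
# succeeds; an internal user mistypes a password twice; one non-RDP event is noise.
SAMPLE_EVENTS = [
    (f"2021-11-18T09:00:{3 * i:02d}", 4625, 10, "203.0.113.5",
     ["administrator", "admin", "user", "backup"][i % 4])
    for i in range(12)
] + [
    ("2021-11-18T09:01:00", 4624, 10, "203.0.113.5", "backup"),  # success right after the burst
    ("2021-11-18T09:10:00", 4625, 10, "10.20.4.9", "jdoe"),      # legitimate user, typo
    ("2021-11-18T09:11:00", 4625, 10, "10.20.4.9", "jdoe"),
    ("2021-11-18T09:12:00", 4624, 10, "10.20.4.9", "jdoe"),
    ("2021-11-18T09:12:30", 4625, 3, "203.0.113.9", "guest"),    # network logon, not RDP: ignored
]


def detect_rdp_bruteforce(events, threshold=THRESHOLD, window=WINDOW):
    """Count failed RDP logons per source IP inside a sliding time window.

    Returns {source_ip: {"failures": n, "accounts": set, "success_after_burst": bool}}
    for every source that reached the threshold. A successful logon from a source
    that already tripped the alert is flagged, because that is the moment password
    guessing turns into initial access.
    """
    recent = defaultdict(deque)   # source -> timestamps of failures still inside the window
    accounts = defaultdict(set)   # source -> account names it tried
    alerts = {}
    for ts, event_id, logon_type, src, account in sorted(events):
        if logon_type != 10:      # only RDP sessions are of interest here
            continue
        t = datetime.fromisoformat(ts)
        q = recent[src]
        while q and t - q[0] > window:   # drop failures that aged out of the window
            q.popleft()
        if event_id == 4625:
            q.append(t)
            accounts[src].add(account)
            if len(q) >= threshold:
                a = alerts.setdefault(
                    src, {"failures": 0, "accounts": set(), "success_after_burst": False})
                a["failures"] = max(a["failures"], len(q))
                a["accounts"] = set(accounts[src])
        elif event_id == 4624 and src in alerts:
            alerts[src]["success_after_burst"] = True
    return alerts


if __name__ == "__main__":
    for src, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(src, info)
```

The per-source window is what separates an attacker rotating through account names from an employee who mistypes a password twice; the "success after burst" flag is the condition that should page someone rather than just open a ticket.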
Considering that RDP and VPN are the popular initial accesses, it’s important to guard these two gateways. Here are some of the best practices to guard RDP and VPN:
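One concrete way to guard RDP and VPN gateways is the whitelisting (default-deny) firewall approach the earlier post recommends, rather than a blacklist built from yesterday's attacker IPs. The following added example (not from Unit 42 or any of the vendors cited) is a small policy evaluator that compares the two approaches against constructed source addresses from the RFC 5737 documentation ranges; the corporate range 10.20.0.0/16, the monitoring host and the attacker lists are all assumptions.

```python
"""Allow-list (default-deny) versus block-list (default-allow) filtering.

Added illustration with constructed data: the rules, the corporate ranges and
the attacker addresses (RFC 5737 documentation space) are assumptions, not
observations from the honeypot study.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dport: int


@dataclass
class AllowListPolicy:
    """Default-deny: a packet passes only if some (network, port) rule covers it."""
    rules: list  # list of (ipaddress network, destination port)

    def permits(self, pkt: Packet) -> bool:
        src = ipaddress.ip_address(pkt.src)
        return any(src in net and pkt.dport == port for net, port in self.rules)


@dataclass
class BlockListPolicy:
    """Default-allow: a packet passes unless its source is on the block list."""
    blocked: set = field(default_factory=set)

    def permits(self, pkt: Packet) -> bool:
        return pkt.src not in self.blocked


def build_allowlist() -> AllowListPolicy:
    """Hypothetical policy: RDP and SSH only from the corporate range, Postgres only from one host."""
    corp = ipaddress.ip_network("10.20.0.0/16")          # assumed corporate / VPN range
    monitor = ipaddress.ip_network("198.51.100.7/32")     # assumed monitoring host
    return AllowListPolicy(rules=[(corp, 22), (corp, 3389), (monitor, 5432)])


# Constructed attacker sources: 4 of the 5 seen on day 2 were never seen on day 1,
# mirroring the finding that most attacker IPs appear on a single day only.
DAY1_ATTACKERS = ["203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13", "203.0.113.14"]
DAY2_ATTACKERS = ["203.0.113.10", "192.0.2.50", "192.0.2.51", "192.0.2.52", "192.0.2.53"]


def blocked_fraction(policy, sources, dport=3389) -> float:
    """Share of attacker packets to dport that the policy stops."""
    denied = sum(not policy.permits(Packet(src, dport)) for src in sources)
    return denied / len(sources)


def compare() -> dict:
    blocklist = BlockListPolicy(blocked=set(DAY1_ATTACKERS))  # built from day-1 logs
    allowlist = build_allowlist()
    return {
        "blocklist_day2": blocked_fraction(blocklist, DAY2_ATTACKERS),
        "allowlist_day2": blocked_fraction(allowlist, DAY2_ATTACKERS),
        "allowlist_corp_rdp": allowlist.permits(Packet("10.20.4.9", 3389)),
        "allowlist_corp_postgres": allowlist.permits(Packet("10.20.4.9", 5432)),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

The block list stops only the one address that reappeared, while the allow list stops every unknown source without needing to know anything about the attacker; it also denies the corporate host on the port it was not approved for, which is the point of default-deny.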
Some of the most widespread and devastating cyberattacks, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), have involved multiple vulnerabilities – a cyberattack methodology known as “chaining”.

What Is Chaining?

Chaining is a type of cyberattack that uses a combination of multiple cybersecurity vulnerabilities rated “critical”, “high”, “medium”, or even “low”. Today’s publicly disclosed cybersecurity vulnerabilities are listed or cataloged under CVE, which stands for Common Vulnerabilities and Exposures. Each cybersecurity vulnerability in the list is given an identification number. For example, CVE-2021-26855 is the identification number given to one part of an attack chain against Microsoft Exchange Server. This security vulnerability has a “critical” rating under CVSS, which stands for Common Vulnerability Scoring System. Although sponsored by the U.S. Department of Homeland Security (DHS) and CISA, CVE is run by the non-profit organization MITRE. The Forum of Incident Response and Security Teams (FIRST) provides the standard for the CVSS numerical score and its qualitative representation (critical, high, medium, and low) for CVE entries. The National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), meanwhile, provides a free CVSS calculator for CVE entries.

Real-World Examples of Chaining Attacks

CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 are four security vulnerabilities that are part of an attack chain against Microsoft Exchange Server. Microsoft describes the four security vulnerabilities this way: CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server. CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted, user-controllable data is deserialized by a program.
Exploiting this vulnerability gave HAFNIUM [the name given by Microsoft to the group behind this chained attack] the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit. CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials. CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials. In the blog post "HAFNIUM targeting Exchange Servers with 0-day exploits", Microsoft said the CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 vulnerabilities were used by the threat actor HAFNIUM to access on-premises Exchange servers, which enabled access to email accounts and allowed installation of additional malware to facilitate long-term access to victim environments. According to CISA, attackers don’t rely only on “critical” vulnerabilities to achieve their goals. For instance, some attackers use lower-score vulnerabilities to first gain a foothold, then exploit additional vulnerabilities to escalate privilege incrementally. In the above real-world example of a chaining attack, CVE-2021-26855 has a critical CVSS rating, while CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 have a high CVSS rating. In a chaining attack, threat actors don’t necessarily exploit multiple security vulnerabilities in one application.
There are cases in which threat actors exploit vulnerabilities in multiple applications during a single attack.

Mitigating the Risks of Chaining Attacks

The best practice against chaining attacks is keeping all software up to date. Keeping all software up to date, however, is easier said than done. As of November 11, 2021, there are a total of over 160,000 CVE records. Organizations need to properly assess and prioritize which security vulnerabilities should be patched first. In the study "Historical Analysis of Exploit Availability Timelines", researchers at Carnegie Mellon University found that only 4% of the total number of CVEs have been publicly exploited in the wild. The researchers further found that out of the 4% of publicly exploited CVEs, 42% were being used on day 0 of disclosure, 50% within 2 days of disclosure, and 75% within 28 days of disclosure. Some of these publicly exploited CVEs carry only “medium” or even “low” CVSS severity ratings. CISA recently established a “living” catalog of CVEs that are exploited in the wild. The agency calls these publicly exploited CVEs “Known Exploited Vulnerabilities (KEVs)”. CISA initially listed 182 vulnerabilities from 2017-2020 and 108 from 2021. CISA said that CVSS scores or ratings don’t always accurately depict the danger or actual hazard that a CVE presents. Instead of focusing only on vulnerabilities that carry a specific CVSS rating, the KEV catalog targets for remediation those vulnerabilities that have known exploits and are being actively exploited by malicious cyber actors. CISA recommends that these KEVs be remediated within a more aggressive timeline. CISA said these are two of the reasons for a more aggressive remediation timeline for KEVs:
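The prioritisation CISA describes (known-exploited first, CVSS rating second) can be expressed as a small remediation queue. The following added example (not CISA's or NIST's tooling) implements FIRST's CVSS v3 qualitative bands and orders findings so that KEV entries keep the catalog's deadline and everything else gets an internal SLA derived from its rating. The four Exchange CVE identifiers come from the post; their scores (9.8 and 7.8) are assumed to match the critical and high ratings given above, while the CVE-0000-* entries, the KEV due dates and the SLA day counts are constructed placeholders, not CISA's published timelines.

```python
"""Remediation queue that puts Known Exploited Vulnerabilities (KEV) first.

Added example with constructed data. Exchange CVE ids are from the post; the
scores are assumed to match the ratings stated there. CVE-0000-* ids, KEV due
dates and SLA_DAYS are placeholders chosen for this illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


def cvss_rating(score: float) -> str:
    """FIRST's CVSS v3.x qualitative severity bands."""
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


# Assumed internal policy: days allowed to patch, by rating, when a CVE is NOT in KEV.
SLA_DAYS = {"critical": 30, "high": 60, "medium": 90, "low": 180, "none": 365}


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float
    kev_due: Optional[date] = None  # remediation date from the KEV catalog, if listed

    @property
    def in_kev(self) -> bool:
        return self.kev_due is not None


def due_date(f: Finding, today: date) -> date:
    """KEV entries keep the catalog's deadline; everything else gets the CVSS-based SLA."""
    if f.in_kev:
        return f.kev_due
    return today + timedelta(days=SLA_DAYS[cvss_rating(f.cvss)])


def prioritise(findings, today: date):
    """KEV entries first (earliest deadline, then highest score), then the rest by SLA deadline.

    Returns a list of (cve, rating, in_kev, due_date_iso) tuples in the order to work them.
    """
    ordered = sorted(findings, key=lambda f: (not f.in_kev, due_date(f, today), -f.cvss, f.cve))
    return [(f.cve, cvss_rating(f.cvss), f.in_kev, due_date(f, today).isoformat()) for f in ordered]


TODAY = date(2021, 11, 11)  # the date the post cites for the CVE record count
SAMPLE = [
    Finding("CVE-0000-00001", 9.1),                              # placeholder: critical, not in KEV
    Finding("CVE-2021-26855", 9.8, kev_due=date(2021, 11, 17)),  # constructed due date
    Finding("CVE-2021-26857", 7.8, kev_due=date(2021, 11, 17)),
    Finding("CVE-2021-26858", 7.8, kev_due=date(2021, 11, 17)),
    Finding("CVE-2021-27065", 7.8, kev_due=date(2021, 11, 17)),
    Finding("CVE-0000-00002", 5.3, kev_due=date(2021, 12, 1)),   # placeholder: medium, but in KEV
    Finding("CVE-0000-00003", 3.1),                              # placeholder: low, not in KEV
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE, TODAY):
        print(row)
```

Note what the ordering does with the placeholder entries: the medium-rated CVE that is in KEV is worked before the critical-rated CVE that nobody is exploiting, which is exactly the inversion CISA's catalog is meant to produce.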
Ransomware Attack Shuts Down Several Toronto Transit Commission (TTC) Services

Toronto Transit Commission (TTC), the public transport agency that provides public transportation services to commuters in Toronto and from surrounding municipalities, is still reeling days after a ransomware attack hit the agency’s computer network. In a statement released last October 29th, TTC said that last October 28th, it learned it was the victim of a ransomware attack. The agency said TTC IT staff detected "unusual network activity" and attackers "broadened their strike on network servers." TTC said the impacted services and systems include:
In the absence of the TTC's Vision system, operators have been forced to communicate with Transit Control by radio. Customers of the Wheel-Trans van service who couldn’t book online were asked to phone to reserve pickup. And without email service, customers are asked to call. Shabnum Durrani, TTC head of corporate communications, told IT World Canada that she couldn’t say what ransomware strain attacked TTC. She also couldn’t say whether the attackers were able to copy employees' emails, nor whether any corporate data was copied. When asked whether TTC has been in contact with the ransomware attackers, Durrani said, “I cannot comment on that at this time.” As of November 3, TTC spokesperson Stuart Green said that the Wheel-Trans online booking system is now up and running.

Ransomware Attacks on Public Transport Systems

In December 2020, Metro Vancouver's transportation network TransLink confirmed that it was a victim of a ransomware attack. “We are now in a position to confirm that TransLink was the target of a ransomware attack on some of our IT infrastructure,” TransLink CEO Kevin Desmond said in a statement. “This attack included communications to TransLink through a printed message.” The ransomware attack on TransLink led to multi-day transit payment problems. Back in 2016, the San Francisco Municipal Transportation Agency (SFMTA) confirmed that it was a victim of a ransomware attack. SFMTA said the ransomware attack affected approximately 900 office computers, and SFMTA's payroll system was temporarily affected. The transportation agency said no data was accessed from any of its servers.

What Is Ransomware?

Ransomware is a type of malicious software (malware) that encrypts victims’ files, preventing victims from accessing them. Ransomware attackers demand a ransom payment from victims in exchange for a decryption tool that promises to unlock the encrypted files.
A few years back, there was no transparency on whether ransomware attackers also steal data from victims. Today, ransomware attackers are open that, aside from encrypting files, they also steal data from victims. The acknowledgment that ransomware attackers steal data gives rise to double extortion, and lately triple extortion. In triple extortion, ransomware attackers demand ransom payment for each of these attack tactics:
Ransomware attackers first demand ransom payment for the decryption tool that promises to unlock the encrypted files.
Ransomware attackers now acknowledge that before encrypting files, they exfiltrate or steal data. Many ransomware attackers now maintain a website that names ransomware victims. These victims are threatened that the data stolen from their computer networks will be published online unless payment for the non-publication of the stolen data is made.
What used to be a stand-alone attack, Distributed Denial-of-Service (DDoS), has been made part of the whole attack process of some ransomware attackers. Darkside, the group behind the Colonial Pipeline ransomware attack, has been known to add DDoS attacks to its attack tactics. In a DDoS attack, attackers overwhelm the target or its surrounding infrastructure with a flood of Internet traffic. One example of a DDoS attack is flooding a corporate website with malicious Internet traffic, preventing legitimate users from accessing the corporate website. Adding DDoS on top of encryption and data theft adds pressure to IT staff who are already overwhelmed with the encryption and stolen-data issues. Security researchers also refer to ransomware triple extortion as the expansion of payment demands to victims’ customers, partners, and other third parties. Vastaamo, a psychotherapy center in Finland with nearly 40,000 patients, declared bankruptcy after attackers breached the center’s computer network for nearly a year. The attackers demanded that Vastaamo pay nearly half a million US dollars in Bitcoin. Patients’ personally identifiable information, including the actual written notes that therapists had taken, was stolen by the attackers. A few years after the breach period, the attackers started sending extortion messages to the patients, asking them to pay a certain amount of money to prevent their data from being published. The attackers had already leaked online the private data of hundreds of patients.

Cybersecurity Best Practices

Here are some cybersecurity best practices against ransomware attacks:
10/27/2021

How to Prevent Supply-Chain Attacks

Kaspersky researchers recently reported that they continued to observe supply-chain attacks in the 3rd quarter of 2021. “We continue to see supply-chain attacks, including those of SmudgeX, DarkHalo and Lazarus,” Kaspersky researchers said in their “APT trends report Q3 2021.”

What Is a Supply-Chain Attack?

A supply-chain attack is a type of cyberattack in which an attacker inserts malicious code into legitimate software. In a supply-chain attack, an attacker turns the compromised software into a Trojan horse. A Trojan horse is a type of malicious software (malware) that’s introduced onto a victim’s computer because it’s disguised as legitimate software. In a supply-chain attack, by compromising a single piece of software, attackers gain access to hundreds or even hundreds of thousands of customers of that legitimate software. The three common supply-chain attack techniques are hijacking updates, undermining code signing, and compromising open-source code. Attackers may use these three techniques simultaneously.

Supply-Chain Attack Examples

DarkHalo

DarkHalo is the name given by researchers to the group that launched the SolarWinds supply-chain attack. Other researchers call the group behind the SolarWinds supply-chain attack Nobelium. The SolarWinds supply-chain attack is one of the high-profile supply-chain attacks, exposed in December 2020. According to SolarWinds, the "vulnerability" was inserted within the company's Orion products and existed in updates released between March and June 2020. In a report to the U.S. Securities and Exchange Commission (SEC), SolarWinds said that nearly 33,000 of its more than 300,000 customers were Orion customers, and that fewer than 18,000 customers may have installed the Orion product that contained the malicious code. One of the notable victims of the SolarWinds supply-chain attack is Microsoft.
According to Kaspersky researchers, evidence suggests that DarkHalo had spent six months inside OrionIT’s networks to perfect their attack. “In June, more than six months after DarkHalo had gone dark, we observed the DNS hijacking of multiple government zones of a CIS member state that allowed the attacker to redirect traffic from government mail servers to computers under their control – probably achieved by obtaining credentials to the control panel of the victims’ registrar,” Kaspersky researchers said. “When victims tried to access their corporate mail, they were redirected to a fake copy of the web interface. Following this, they were tricked into downloading previously unknown malware. The backdoor, dubbed Tomiris, bears a number of similarities to the second-stage malware, Sunshuttle (aka GoldMax), used by DarkHalo last year.”

SmudgeX

Kaspersky researchers named SmudgeX the supply-chain incident in which a threat actor modified a fingerprint scanner software installer package. The fingerprint scanner software is used by government employees of a country in South Asia for attendance recording. Kaspersky researchers said the threat actor changed a configuration file and added a DLL with a .NET version of a PlugX injector to the installer package. “On installation, even without network connectivity, the .NET injector decrypts and injects a PlugX backdoor payload into a new svchost system process and attempts to beacon to a C2 [command and control infrastructure],” Kaspersky researchers said. The Trojanized installer version of the fingerprint scanner software appeared to have been staged on the distribution server from March to June, Kaspersky researchers said.

Lazarus

According to Kaspersky researchers, evidence showed that the threat group known as Lazarus is building supply-chain attack capabilities. The researchers said that one supply-chain attack from this threat group originated from compromised legitimate South Korean security software.
Another supply-chain attack launched by this group, Kaspersky researchers said, stemmed from hijacked asset monitoring software in Latvia. The U.S. Cybersecurity and Infrastructure Security Agency (CISA), meanwhile, reported that in 2017, Kaspersky Antivirus was being used by a foreign intelligence service for spying. The U.S. government directed government offices to remove the vendor’s products from their networks.

Cybersecurity Best Practices Against Supply-Chain Attacks

Supply-chain attacks aren’t easy to protect against. Your organization’s software vendors, even the largest IT software vendors, are just as vulnerable to supply-chain attacks. Here are some of the cybersecurity best practices against supply-chain attacks:
Supply-chain attackers target not just software. They also target hardware. Attackers have compromised hardware components with the end goal of compromising the hardware's users. In 2016, attackers hijacked the design of a mobile phone. The phones sold to customers encrypted users’ text and call details and transmitted the data to a server every 72 hours. Most of the cybersecurity best practices against software supply-chain attacks also apply to hardware supply-chain attacks.
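The SmudgeX incident above is a modified configuration file plus an added DLL inside an installer package. A defender can catch both changes by verifying each package against a manifest of pinned SHA-256 hashes taken from a known-good build, before anything is installed. The following added example (not Kaspersky's tooling and not the real fingerprint scanner software) models that check with in-memory file contents; the package layout, file names and byte contents are constructed for the illustration.

```python
"""Verify an installer package against a pinned manifest (added example).

Models the tampering pattern described in the SmudgeX incident (a changed
configuration file plus an added DLL) with constructed in-memory files.
File names and contents are placeholders, not the real software's.
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(package: dict) -> dict:
    """Pin path -> sha256 for every file of a package known to be good (done at build time)."""
    return {path: sha256_hex(blob) for path, blob in package.items()}


def verify_package(package: dict, manifest: dict) -> dict:
    """Compare a package to its manifest before installation.

    Returns {"ok": bool, "modified": [...], "added": [...], "missing": [...]}.
    Added files are treated as seriously as modified ones: the injector DLL in
    SmudgeX was new, not a changed copy of an existing file.
    """
    modified = sorted(
        path for path, blob in package.items()
        if path in manifest and not hmac.compare_digest(sha256_hex(blob), manifest[path])
    )
    added = sorted(path for path in package if path not in manifest)
    missing = sorted(path for path in manifest if path not in package)
    return {
        "ok": not (modified or added or missing),
        "modified": modified,
        "added": added,
        "missing": missing,
    }


# Constructed known-good package (contents are placeholder bytes).
GOOD_PACKAGE = {
    "setup.exe": b"placeholder installer bytes",
    "scanner.dll": b"placeholder scanner library",
    "config.ini": b"[service]\nloader=scanner.dll\n",
}
MANIFEST = build_manifest(GOOD_PACKAGE)

# Constructed tampered package: config points at a new DLL that was not in the build.
TAMPERED_PACKAGE = dict(GOOD_PACKAGE)
TAMPERED_PACKAGE["config.ini"] = b"[service]\nloader=injector.dll\n"
TAMPERED_PACKAGE["injector.dll"] = b"placeholder injector bytes"

if __name__ == "__main__":
    print(verify_package(GOOD_PACKAGE, MANIFEST))
    print(verify_package(TAMPERED_PACKAGE, MANIFEST))
```

The manifest is only as trustworthy as the channel it arrives through: it must come from the vendor's signed release metadata or be pinned by the organisation at first install, not downloaded from the same distribution server as the package it is meant to check.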
Author: Steve E. Driz, I.S.P., ITCP