On October 8^th 2019, an unnamed Canadian insurance company paid a total of 950 000 USD to a ransomware cyberattacker.

The attacker was able to infect 20 servers and around 1000 employee computers in the attack, encrypting data on the systems behind a ransomwall, demanding payment of 109.25 bitcoins for the safe release of the information.

It was reported that after paying the ransom fee, the cyberattackers provided decryption keys which allowed for the 20 servers to be decrypted for 5 days, and the 1000 end user computers to be decrypted for 10 days.

What was the ransomware strain responsible for the attack?

The ransomware strain that was used in this attack was “BitPaymer”. The malware was able to bypass the Canadian insurance company’s firewalls and infect its network. It is not known exactly how the malware was able to infiltrate into the company’s infrastructure.

Unlike many other ransomware strains that use strategies such as fake emails and malicious download links or websites to infect computers, it is believed that BitPaymer uses targeted brute force attacks.

Brute Force RDP (Remote Desktops Protocol) Attacks

RDP, or remote desktop protocol, is a tool developed by Microsoft for an individual to remotely connect to another computer. It is often used by IT administrators and cybersecurity professionals to diagnose and troubleshoot computer problems from a remote location. However, RDP is also a prime target for cyberattacks, as it is a direct pathway into a company’s network, if compromised.

A brute force attack tries to guess the credentials to an RDP connection through thousands of trial-and-error attempts done in rapid succession by machines.

Microsoft states that protective actions against RDP brute force attacks include activating multifactor authentication and using VPNs. Multifactor authentication is an added security feature to the login process that sends a temporary ‘second password’ to a trusted device every time an account is accessed from an unfamiliar IP.

Don’t become the victim of a brute force attack. Our team of cybersecurity professionals can identify points of vulnerability in your organizations’ network and provide remediation strategies to keep you protected. Call us at +1 888 366 4443 or email us at info@gige.ca to get started with us immediately.

Goodbye Windows 7 – today, January 14th 2020, is the day that Microsoft officially ends security support for Windows 7 computers. This means that PCs still running the decade old operating system will no longer be receiving security updates from Microsoft. According to NetMarketShare’s statistics, 1/3 of PCs around the world are still running Windows 7.

Microsoft urges all of these users to update to a newer operating system, either Windows 8.1 or Windows 10 in order to stay protected against malware threats such as ransomware. Sensitive personal information on your home or business PCs are at risk of exposure.

It’s not all bad news – Google has said that it will continue to release updates for its Chrome browser for Windows 7 until 2021. However, this by no means covers all security bases, and migrating to a newer operating system is still the best option in terms of cybersecurity.

If upgrading is not an option, follow these best practices to keep yourself protected:

For businesses still running Windows 7, your employees are the first line of defense against malware. One of the most common methods of infection is through malicious links in fraudulent emails – a strategy known as phishing. By education your employees with frequent seminars on current threats and phishing telltale signs, you can minimize the likelihood that malware can infiltrate your network. If you would like an overview on some of our recommendations against phishing, you can check out our article on the topic here: Phishing Scams – What are they and how can you protect yourself?

For both businesses and consumers, it is important not to store sensitive information such as credit card data on your Windows 7 PC. Furthermore, avoid using online banking apps on Windows 7 PCs.

Don’t fully rely on your Windows 7 PC’s storage. Keep backups of your important data in a separate location – either on an external hard drive, a USB, or on another PC. Some types of malware, such as ransomware, locks user data behind a ransomwall, demanding payment for its release. Once a computer is infected with ransomware and the data is encrypted, it cannot be read unless it is decrypted with a key only known by the attackers.

If you would like to learn more about the dangers of staying on Windows 7, you can visit our page here, or email any questions to info@gige.ca

VPNs, or Virtual Private Networks, is a secure connection between computers over the internet. It allows for data to be transferred among computers in a more secure environment than over a public network. Alex Seymour, a cybersecurity researcher at Immersive Labs, recently discovered two new VPN vulnerabilities in Aviatrix VPN: a VPN service used by enterprises such as NASA.

Seymour notes that the two vulnerabilities, named CVE-2019-17387 and CVE-2019-17388 should serve as “a wakeup call for the industry”, as VPNs are often regarded as a highly secure aspect of security solutions.

 

How dangerous are the vulnerabilities?

CVE-2019-17387 affects the operating systems Windows, Linux, and macOS. The exploit allows for cyberattackers to execute arbitrary code with elevated access. It does this by exploiting the certificate validation process that Aviatrix uses to legitimize users. By gaining access to this, sit can recreate certificates and execute code.

CVE-2019-17388 affects Windows and Linux. Seymoure discovered that on Linux operating systems, file modification privileges are weak and allow for elevated code modifications. Meanwhile on Windows systems, it was discovered that legitimate services could be replaced by malicious processes.

While the two VPN vulnerabilities described above only pertain to the Aviatrix VPN, Breakpointing Bad and the University of New Mexico have recently released information a vulnerability that allows cyberattackers to breach any VPN connection. They described the process as follows: First an attacker identifies the IP address of the VPN target. Then, the IP is used to determine the status of active connections. Finally, access the TCP session using unsolicited packets sent to the connection.

In addition to releasing information on the method of attack, the researchers also released notes on some a common method of protection: reverse path filtering Significantly, they noted that turning reverse path filtering may not be enough to prevent a VPN hijack due to the fact that the first two stages can still be successfully carried out

Don’t leave yourself unprotected against VPN exploits. Call GIGE IT Solutions at +1 888 366 4443 or info@gige.ca for more information on how to protect yourself.

To protect yourself from ongoing BlueKeep exploit attacks, Microsoft urges users with systems running Windows 7, Windows Server 2008, and Windows Server 2008 R2 to update their operating systems.

BlueKeep is a vulnerability with the ‘worm’ capability. This means that the malware can spread itself to other vulnerable computers on the network without additional input from the victim, making this type of malware particularly dangerous.

An example of the ‘worm’ malware is WannaCry, which was able to globally infect over 100 000 computers within a 24 hour period in 2017 due to its worm capability.

 

Ongoing BlueKeep Exploits

To detect malware on the internet, Cybersecurity professionals often set up ‘honeypots’ – decoy computers that are designed to study cyberattack methods by baiting attackers into infecting them with malware.

On October 23d, cybersecurity researcher Kevin Beaumond noticed that honeypots that he had set up around the world were crashing and rebooting themselves with increasing regularity. Hutchins, another cybersecurity researcher, confirmed that the reboots were caused by the BlueKeep exploit.

Upon further investigation, Hutchins also discovered that the BlueKeep exploit that was detected had the goal of installing a cryptomining malware on infected PCs. You can learn more about cryptomining in our article here.

 

What are steps that you can take to protect yourself?

Keep your system Updated

The most effective way of protecting yourself from BlueKeep exploits is by keeping your PC up-to-date. Security engineers are constantly detecting repairing security vulnerabilities in their software. It is essential that you download security patches from your software manufacturers in order to protect yourself from publicly known dangers.

Disable RDP

Remote Desktop Protocol (RDP) is a Windows feature that allows for a computer to remotely connect and control another PC. It is useful for IT management and remote troubleshooting, but can also be a security liability. BlueKeep exploits RDP in order to infiltrate PCs, so it is important to keep this feature turned off to protect yourself.

Don’t fall victim to cyberattack. We can help you protect your company from cyberattacks such as the BlueKeep. Call us at +1 888 366 4443 or email us at info@gige.ca to get started immediately.

50% of the workstations at an international airport in Europe have been infected by a cryptomining malware. The breach was discovered by researchers from cybersecurity company Cyberbit. The researchers stated that they detected the malware due to abnormal activity of the PAExec tool and Reflective DLL Loading on the infected computers.

What is cryptojacking?

Cryptojacking malware is a strain of malware that uses the computing resources of infected PCs to generate cryptocurrency for the attacker.

Cryptocurrencies are digital currencies such as bitcoin and ethereum. By dedicating computer resources for cryptomining, individuals can generate these digital currencies. Cryptojacking involves maliciously using a victim’s computer to cryptomine digital currencies for the cyberattacker without the consent of the victim.

There are many symptoms associated with cryptojacking including computer slowdowns and overheating issues. You can read more about cryptojacking in our article here.

 

What is PAExec?

PAExec is a program that allows a Windows computer to remotely connect to another Windows computer and execute a program without having to install it on the remote computer. The cybersecurity researchers at Cyberbit stated that PAExec was used to execute a malicious file called “player.exe” which stole the infected computers’ resources to mine a cryptocurrency called “Monero” for the cyberattacker. The cybervirus was able to avoid detection because it used a highly modified version of a previously known malware – CryptoMiner Variant #2.

Significantly, PAExec allowed for administrative code execution on the infected computers, which means that it was allowed to bypass antivirus protocols for detection.

How was the airport impacted?

It was discovered that the cryptomining malware gave the malicious program priority to use system resources. That means that infected computers would suffer from slowdowns and increases to power consumption. Both of these reduced the service quality of the airport and negatively impacted the businesses’ bottom line.

How does cryptojacking malware infect PCs?

It is not known how the computers became infected with the malware in this incident. Historically, there have been several known methods of infecting computers with cryptomining malware. Negligent employees can mistakenly install malware onto company computers by clicking malicious links in emails or visiting malicious websites. In another vein, malicious insiders can install malware deliberately. Outside attacks can involve strategies like fake emails or exploiting security vulnerabilities.

Don’t fall victim to cryptojacking. We can help you design and deploy network security solutions. Call us at +1 888 366 4443 or email us at info@gige.ca to get started today.

In two separate incidents, U.S. companies American Express and Yahoo have both been affected by data breaches of their clients’ personal information. Both attacks were the result of insider threats – a type of cyberattack caused by an internal person in the company.

The American Express Incident

American Express stated that data that was leaked included names, addresses, birthdays, SSNs, and account information of its customers. On September 30^th, the company began distributing a Notice of Data Breach to affected individuals. In the notice, American Express stated that the information was maliciously accessed by one of its own employees. The employee, who is no longer at American Express, accessed the data with intent for fraudulent use.

The Yahoo Incident

In another incident, a Yahoo software engineer pleaded guilty to illegally accessing 6000 Yahoo accounts. The engineer stated that they specifically targeted accounts that belonged to women. Personal images and videos of the hacked accounts were downloaded onto a hard drive in the perpetrator’s home computer. The engineer also stated that they destroyed the data when an investigation began. Yahoo stated that the engineer is no longer working for the company.

 

What is an Insider Threat?

We often hear of cyberattacks as an external threat, and that our data is safe as long as our firewalls and backups are protected from the outside. However, a study conducted by McKinsey on data breaches between 2012 and 2017 showed that 50% of reported data breaches are attributable to internal employees. 44% are associated with negligent threats, and 6% with malicious threats.

A negligent insider threat occurs when an employee unknowingly or carelessly causes a malware attack on the company. In negligent insider attacks, the employee does not have malicious intent when compromising the company. Examples of this include clicking on a malicious link in an email and connecting a compromised device to the company network.

To mitigate the risk of negligent insider threats, hold frequent seminars on cyber hygiene, recognizing symptoms of phishing, and signs of malware infection. Furthermore, network segmentation ensures that even if part of your network becomes affected, critical areas remain secure. For more information on best practices on cybersecurity, navigate to our article here.

A malicious insider threat is characterized by deliberate malevolent intent. These types of insider attacks are particularly dangerous to the company, as insiders often have detailed knowledge of internal protocols and security measures in place. One of the most common strategies used against this type of attack is employee monitoring software. This software detects ‘abnormal’ activity on an employee’s computer and reports it back to a system administrator. However, there are many disadvantages to this solution. In addition to the concerns for privacy and misuse, alerts are very prone to false positives. Furthermore this is a reactionary strategy, meaning that the attack has already occurred when the administrator gets a notification. One of the ways to counteract the privacy concerns is by using microsegmentation – a strategy that involves monitoring groups of PCs instead of individuals. Microsegmentation also reduces load on system administrators as they will have less systems to monitor and manage.

We can help you identify areas of vulnerability in your network. Contact us at +1 888 366 4443 or info@gige.ca for a consultation today.

American Not-for-profit research organization MITRE has published their 2019 report for the “Top 25 Most Dangerous Software Errors”. In their report, MITRE placed buffer flaws and cross-site scripting at the top of their list.

The CWE list of top 25 most dangerous software errors is a useful reference for software developers and cybersecurity professionals when writing software and designing security solutions.

The number 1 spot on the list is buffer flaws. A buffer flaw is a software mistake that allows for code to be read or written to memory locations that are beyond its intended limits. CVE-2019-1212 was a buffer flaw that was patched by Microsoft on August 13^th 2019. It affected a wide range of operating systems including Windows Server 2019, Windows 7 and Windows 10.

 

Cross site scripting

The second most dangerous software error on the list was cross site scripting. This is when a web application unintentionally allows unauthorized data to enter. Cross-site scripting is most dangerous when paired with a type of cyberattack called watering-hole attacks. These exploit cross site scripting as a middle-step for the ultimate goal of infecting users’ personal computers.

 

What can you do to against these dangers?

MITRE released the following recommendations to mitigate the risk of buffer flaws when writing code:

• When managing an application’s memory, make sure that the buffer size is the same size as the value that you allocated it.
• If you are using the buffer in a loop, make sure that you are not using more than the allocated space

For cross-scripting, MITRE notes that using a 3^rd party firewall can reduce the risk of being infected. This is because situations where the vulnerability cannot be immediately fixed are common.

Contact us today at +1 888 366 4443 or info@gige.ca to learn more about how we can help you design and protect your network.

Malware, or malicious software, is any piece of software that is developed with malicious intent. There are many strains of malware that do everything from stealing sensitive data to locking files behind ransom walls.

There are many ways that a computer can become infected with malware. Many of these, such as phishing, rely on user mistakes. Phishing is a method of infecting a computer with malware by attaching fraudulent links or attachments to emails, pretending to be sent from legitimate sellers. Once the user clicks on the fake link, a malicious file is downloaded onto the victim’s computer.

Once a malware infiltrates a computer, it often communicates back with the cyberattacker’s terminal through the internet.

The effects of malware depends on the strain that is used. For example, ransomware is a specific type of malware that encrypts the files on a victim’s computer and demands a ransom to be paid, often in digital currencies, for the data to be released.

Another type of malware is called a botnet. This type forces groups of infected computers to become under the control of the cyberattackers, who then uses the botnet for further malicious activity such as launching Denial of Service (DOS) attacks on other targets.

 

Worm Capability

Some malware have worm capability – this is a functionality that allows it to spread to other computers without user input. This makes worming malware extremely dangerous, as it can spread throughout entire networks without being detected.

An example of a worm-capable malware was Wannacry – a ransomware that was able to infect over 100 000 computers within 24 hours in May of 2017.

 

How do you Stop It?

Keep admin privileges on a need-to-have basis

In general, the less administrative privileges that a company’s computer has, the less of a weak point it is to the network as whole. It is important to keep administrative rights to only a few management devices, so that it is less likely that a key target computer becomes infected.

 

Segmenting your network with air gaps

As described above, worm malware can spread itself across a network without user input. The most secure way to protect your sensitive devices is by disconnecting them completely from the network. That way, if one segment becomes infected, you can be sure that another segment is still secure. Don’t fall victim to cyberattack – let our network experts help you design custom security solutions to keep your company’s data safe.