A new security vulnerability has been discovered in Citrix devices. The Canadian Centre for Cybersecurity has advised Canadian businesses to temporarily disconnect their Citrix devices from the internet. The repair patch has been rolled out as of January 19th 2020, with additional patches scheduled for January 24th. Users are advised to patch their devices as soon as possible.

The vulnerability, codenamed CVE-2019-19781, has been officially confirmed to be circulating in Canada. Exploiting the vulnerability allows for a cyberattacker to gain control of a computer without the use of valid credentials.

Products that are affected by the vulnerability include Citrix application Delivery controller, Gateway, and SD-WAN WANOP devices.

 

Why are Citrix Devices being targeted by Cyberattackers?

In many organizations’ networks, Citrix devices are often connected to both employee workstations as well as backend servers. Therefore, if a cyberattackers gains access to a Citrix device, they are in position to further the attack by spreading malware throughout the network. London-based cybersecurity company Positive Technologies noted that Citrix devices are often the first point of attack for many cyberattackers.

The exploits have been released publically

On January 10^th, Project Zero, a group of cybersecurity researchers, released the first Proof of Concept (PoC) of the Citrix device exploit. PoC exploits are often released to the public as non-harmful attacks meant to show vulnerabilities in software to help companies patch them. However, FireEye researchers discovered that malicious versions of the exploit were circulating shortly after the PoC was made public.

What can you do to protect yourself?

Citrix has provided a list of protective measures. You can read more about them here. However, the Canadian Centre for Cyber Security noted that these defensive measures won’t be effective for all devices. In the case that they cannot be applied to your device, they recommend that it is disconnected from the internet until a new patch is rolled out.

Our cybersecurity experts can help you find vulnerabilities in your company’s network. Don’t fall victim to cyberattack. Call us at +1 888 366 4443 or email us at info@gige.ca for more information.

The list of ransomware victims continues to grow. On New Year’s Eve 2020, Travelex, an international foreign exchange company, disclosed that it was struck by the “Sodinokibi” ransomware strain. Also known as REvil, Sodinokibi ransomware prevents users from accessing their computer data by encrypting it behind a ransomwall. The ransom demand for Travelex was $6M USD. They also stated that failure to pay the payment within 2 days will result in double the ransom demand.

In an effort to mitigate the spread of the ransomware, Travelex immediately disconnect infected computers from its company network.

The cyberattackers revealed to BBC that it had actually infiltrated Travelex’s network 6 months prior, and had been able to steal over 5 GB of customer data. According to the group, they have got access to customer information including birthdays and credit card information. This has been a common strategy of newer ransomware strains. Releasing the stolen data is used as a second point of leverage to extort money out of victims.

Cyberthreat intelligence company Bad Packets stated that it had notified Travelex of 7 security vulnerabilities present in their systems in September 2019. The vulnerability was caused by a security flaw in the Pulse Secure Virtual Private Network. According to Bad Packets, the vulnerability was actually patched April of that year, but that Travelex had failed to update its systems to the newest software version, leaving them vulnerable to attack.

The vulnerabilities present in the Pulse Secure VPN were widely known in the second half of 2019. In August of that year, the Canadian Center for Cyber Security urged for Canadian businesses to update their software to the latest versions to protect against attack. In October, the US National Security Agency, and the UK National Cyber Security Center issued similar warnings.

What does the vulnerability allow cyberattackers to do to unprotected systems?

Cybersecurity researcher Kevin Beaumont stated that the VPN vulnerability, also called CVE-2019-11510, allowed for attackers to remotely gain control of unprotected systems even without the use of the user credentials of the computer.

As illustrated by the Travelex, keeping computers up-to-date with current software updates to protect against cyberattack.

VPNs, or Virtual Private Networks, is a secure connection between computers over the internet. It allows for data to be transferred among computers in a more secure environment than over a public network. Alex Seymour, a cybersecurity researcher at Immersive Labs, recently discovered two new VPN vulnerabilities in Aviatrix VPN: a VPN service used by enterprises such as NASA.

Seymour notes that the two vulnerabilities, named CVE-2019-17387 and CVE-2019-17388 should serve as “a wakeup call for the industry”, as VPNs are often regarded as a highly secure aspect of security solutions.

 

How dangerous are the vulnerabilities?

CVE-2019-17387 affects the operating systems Windows, Linux, and macOS. The exploit allows for cyberattackers to execute arbitrary code with elevated access. It does this by exploiting the certificate validation process that Aviatrix uses to legitimize users. By gaining access to this, sit can recreate certificates and execute code.

CVE-2019-17388 affects Windows and Linux. Seymoure discovered that on Linux operating systems, file modification privileges are weak and allow for elevated code modifications. Meanwhile on Windows systems, it was discovered that legitimate services could be replaced by malicious processes.

While the two VPN vulnerabilities described above only pertain to the Aviatrix VPN, Breakpointing Bad and the University of New Mexico have recently released information a vulnerability that allows cyberattackers to breach any VPN connection. They described the process as follows: First an attacker identifies the IP address of the VPN target. Then, the IP is used to determine the status of active connections. Finally, access the TCP session using unsolicited packets sent to the connection.

In addition to releasing information on the method of attack, the researchers also released notes on some a common method of protection: reverse path filtering Significantly, they noted that turning reverse path filtering may not be enough to prevent a VPN hijack due to the fact that the first two stages can still be successfully carried out

Don’t leave yourself unprotected against VPN exploits. Call GIGE IT Solutions at +1 888 366 4443 or info@gige.ca for more information on how to protect yourself.

In two separate incidents, U.S. companies American Express and Yahoo have both been affected by data breaches of their clients’ personal information. Both attacks were the result of insider threats – a type of cyberattack caused by an internal person in the company.

The American Express Incident

American Express stated that data that was leaked included names, addresses, birthdays, SSNs, and account information of its customers. On September 30^th, the company began distributing a Notice of Data Breach to affected individuals. In the notice, American Express stated that the information was maliciously accessed by one of its own employees. The employee, who is no longer at American Express, accessed the data with intent for fraudulent use.

The Yahoo Incident

In another incident, a Yahoo software engineer pleaded guilty to illegally accessing 6000 Yahoo accounts. The engineer stated that they specifically targeted accounts that belonged to women. Personal images and videos of the hacked accounts were downloaded onto a hard drive in the perpetrator’s home computer. The engineer also stated that they destroyed the data when an investigation began. Yahoo stated that the engineer is no longer working for the company.

 

What is an Insider Threat?

We often hear of cyberattacks as an external threat, and that our data is safe as long as our firewalls and backups are protected from the outside. However, a study conducted by McKinsey on data breaches between 2012 and 2017 showed that 50% of reported data breaches are attributable to internal employees. 44% are associated with negligent threats, and 6% with malicious threats.

A negligent insider threat occurs when an employee unknowingly or carelessly causes a malware attack on the company. In negligent insider attacks, the employee does not have malicious intent when compromising the company. Examples of this include clicking on a malicious link in an email and connecting a compromised device to the company network.

To mitigate the risk of negligent insider threats, hold frequent seminars on cyber hygiene, recognizing symptoms of phishing, and signs of malware infection. Furthermore, network segmentation ensures that even if part of your network becomes affected, critical areas remain secure. For more information on best practices on cybersecurity, navigate to our article here.

A malicious insider threat is characterized by deliberate malevolent intent. These types of insider attacks are particularly dangerous to the company, as insiders often have detailed knowledge of internal protocols and security measures in place. One of the most common strategies used against this type of attack is employee monitoring software. This software detects ‘abnormal’ activity on an employee’s computer and reports it back to a system administrator. However, there are many disadvantages to this solution. In addition to the concerns for privacy and misuse, alerts are very prone to false positives. Furthermore this is a reactionary strategy, meaning that the attack has already occurred when the administrator gets a notification. One of the ways to counteract the privacy concerns is by using microsegmentation – a strategy that involves monitoring groups of PCs instead of individuals. Microsegmentation also reduces load on system administrators as they will have less systems to monitor and manage.

We can help you identify areas of vulnerability in your network. Contact us at +1 888 366 4443 or info@gige.ca for a consultation today.

American Not-for-profit research organization MITRE has published their 2019 report for the “Top 25 Most Dangerous Software Errors”. In their report, MITRE placed buffer flaws and cross-site scripting at the top of their list.

The CWE list of top 25 most dangerous software errors is a useful reference for software developers and cybersecurity professionals when writing software and designing security solutions.

The number 1 spot on the list is buffer flaws. A buffer flaw is a software mistake that allows for code to be read or written to memory locations that are beyond its intended limits. CVE-2019-1212 was a buffer flaw that was patched by Microsoft on August 13^th 2019. It affected a wide range of operating systems including Windows Server 2019, Windows 7 and Windows 10.

 

Cross site scripting

The second most dangerous software error on the list was cross site scripting. This is when a web application unintentionally allows unauthorized data to enter. Cross-site scripting is most dangerous when paired with a type of cyberattack called watering-hole attacks. These exploit cross site scripting as a middle-step for the ultimate goal of infecting users’ personal computers.

 

What can you do to against these dangers?

MITRE released the following recommendations to mitigate the risk of buffer flaws when writing code:

• When managing an application’s memory, make sure that the buffer size is the same size as the value that you allocated it.
• If you are using the buffer in a loop, make sure that you are not using more than the allocated space

For cross-scripting, MITRE notes that using a 3^rd party firewall can reduce the risk of being infected. This is because situations where the vulnerability cannot be immediately fixed are common.

Contact us today at +1 888 366 4443 or info@gige.ca to learn more about how we can help you design and protect your network.

The list of ransomware victims continues to grow. Florida’s Lake City and Riviera Beach City have both fallen victim to cyberattack. Both cities have been forced to pay $500 000 each to the attackers in attempts to unlock the encrypted files.

On June 5^th, the City of Riviera Beach released an official announcement stating that a “data security event” has occurred. One day later, the Lake City Police Department released a similar announcement, detailing that a ransomware attack had disabled many of the city’s systems, including email, VoIP and credit card channels.

As a result of the attacks, both governments have been thrown back to analog working environments, hand-writing bills and permits while the systems are recovered. Despite the ransom payments, there is no guarantee that the lost data will, or even can, be decrypted by the cyberattackers.

Riviera Beach released that the ransomware virus infected their systems through a malicious link in an email. Lake City, on the other hand, stated that their system was intruded after attacks on multiple fronts of their network.

What is Ransomware?

Ransomware is a type of cyberattack that encrypts data on a computer and asks for a ransom fee for an unlock key. Encryption renders ordinary data unreadable, and can only be decrypted by using the key supplied by the attackers.

This type of attack has seen a massive uptick in recent years. Since January 2016, over 4000 ransomware attacks have occurred daily, according to the U.S. Department of Homeland Security. Targets of these attacks range from households and small organizations to governments.

There are many factors that caused the widespread use of ransomware. Firstly, the rise in cryptocurrency popularity have given attackers an ideal payment channel. Recent years has seen digital currencies such as Ethereum and Bitcoin rise in both usage and value. Bitcoin, for instance, costs around CAD 14 000 as of July 3^rd 2019. Some of these currencies are designed to be difficult to track, therefore making them perfect for cyberattackers.

The unpreparedness of companies and governments to deal with ransomware attacks is another reason why this type of attack has been so successful. As demonstrated by the attacks of the Florida cities, ransomware causes significant damage to day-to-day functions. Therefore, businesses and governments are often forced to simply pay the fee to avoid compounding damage.

Don’t fall victim to ransomware. Managed IT service providers can help you design and monitor backups of your data to restore your systems in the event of an attack. GIGE IT Solutions provides customizable backup and security solutions tailored to your business goals. Call us at +1 888 366 4443 for an immediate consult.

Cyberattackers have recently taken an interest in hacking company loyalty programs. This was illustrated by a recent data breach in Marriott, which affected over 500 million customers. The guests that were affected were a part of the organization’s Starwood Preferred Guest loyalty program, which is a joint program by Marriott and Starwood Hotels and Resorts. A total of 327 million accounts are believed to have been compromised as a result of the incident.

Why loyalty programs?

Loyalty programs are often large financial aspects for companies, being billion-dollar industries. Therefore naturally they become prime targets for cyberattackers. It was reported that in the above incident, over 100 000 loyalty points were stolen. Furthermore, it was reported that there are other stolen products available on a platform called Dreammarket, including Delta Skymile loyalty points.

While people are extremely vigilant in protecting their credit card data, they often do not use as much care in protecting their loyalty points. A survey completed by Connexions Loyalty found that many customers do not regularly check their loyalty accounts, and that 1 in 10 user have not actually logged on to their accounts at all. This creates a very appealing target for cyberattackers.

Furthermore, the same carelessness extends to the passwords and usernames that people use on their loyalty accounts, which are often recycled from different accounts. This makes it even easier for cyberattackers to prey on these accounts. A study carried out by Creditcards.com on 27 loyalty programs found that the security of 50% of the companies used a 4 digit pin, or passwords with 6 characters or less. Also only 1/3 of these offered two-factor authentication.

This negligence is not only limited to the customers. Companies often do not protect the loyalty accounts of their customers with the same level of diligence as they use for credit card information.

Don’t fall victim to cyberattack. Contact us today at 888 366 4443 to protect your organization’s loyalty program. You can learn more about our security services here.

Hong Kong’s flag carrier, Cathay Pacific, has been the latest in the long list of companies affected by major digital data breaches. It was reported that the sensitive data of over 9.4 million customers were compromised due to the incident. Over 400 expired credit card numbers, and 27 active cards (without CVV information) were leaked. In these situations, is reporting data breaches a legal necessity?

The breach that resulted in the data leakages had in fact occurred in March 2018, months prior to Cathay Pacific’s official announcement. The company now states that this was when they began noticing suspicious activity in their servers. However, it was decided that the information would be held from the public in order to avoid creating an “unnecessary scare”.

This practice is not limited to Cathay Pacific. Other large companies such as Yahoo and Facebook did not notify the public of data breaches until years after they occurred. In the case of Facebook, this resulted in the Cambridge Analytica Data Controversy of early this year. Both of these companies have suffered consequences from their respective incidents. Yahoo paid a $35 Million settlement payout for withholding information to its investors, while Facebook was fined due to over 80 million of its customers having their data stolen.

Is Reporting Data Breaches A Legal Requirement?

Rules for reporting data breaches is determined differently in various jurisdictions. Individual countries generally have autonomy in how they regulate organizations that have been breached. For instance, in Hong Kong, companies do not legally need to report it to the public. Instead, they are simply encouraged to communicate with the Privacy commissioners for Personal Data (PCPD) in order to mitigate damages. However, in light of the incident, Hong Kong’s current PCPD Stephen Kai-Yi Wong stated that the state may implement stricter rules in the future.

For GDPR Regulated Countries:

For states following the GDPR regulation that was implemented May of this year, companies suffering from a data breach impacting European citizens must notify affected parties as soon as possible, up to a maximum of 72 hours under reasonable circumstances. Companies that fail to do this face fines of the greater value between 20 Million pounds or a 4% annual turn-over rate.

How will Canada’s regulation be affected by the Digital Privacy Act?

Canada’s new Digital Privacy Act will be implemented November 1^st of 2018. Following this, Canadian companies impacted by data breaches are legally bound to report the incident to both the Privacy Commissioner of Canada, and any other affected individuals. Under this new regulation, Canadian companies failing to notify these parties will net fines of up to $100 000. Furthermore, if a company does not properly keep, or deliberately destroys breach information, they will also be subject to fines of up to $100 000.

Do not fall victim to data breaches. Call us at GigE today at 888 366 4443 to protect your company from cyberthreats.