cyberthreat | GIGE IT Solutions: IT Services Mississauga https://gige.ca/tag/cyberthreat
IT Services & IT Solutions Mississauga & Toronto. Feed last updated Tue, 26 Apr 2022 14:51:48 +0000.

Covid 19 Has Increased Exploitation Of These Vulnerabilities https://gige.ca/vulnerabilities-covid-19 Thu, 14 May 2020 19:26:20 +0000
The post Covid 19 Has Increased Exploitation Of These Vulnerabilities first appeared on GIGE IT Solutions: IT Services Mississauga.
Insecure Remote Desktop Connections

Remote Desktop Protocol (RDP) is a proprietary Microsoft protocol that lets one computer control another remotely over a network. It is a useful feature for IT administrators who need to diagnose and troubleshoot issues remotely. However, an unsecured or misconfigured RDP service, particularly one exposed directly to the internet, is a severe security weakness in an organization's network.

Cybersecurity company McAfee has reported that the shift to working from home caused by COVID-19 has led many organizations to rely on RDP so that employees can reach the company network remotely. McAfee also found that the number of RDP endpoints exposed to the internet rose from about 3 million in January 2020 to 4.5 million. Vulnerabilities such as BlueKeep (CVE-2019-0708) are particularly dangerous because they are wormable: an exploit can spread malware from host to host across a network after the initial compromise, without any action by a victim. BlueKeep is a pre-authentication flaw in older Windows RDP implementations, so an exposed host that does not enforce Network Level Authentication (NLA) can be attacked without credentials. Enforcing NLA is a partial mitigation; applying the patch is the fix.
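As an added example, not code from the original post or from McAfee, the Python script below sends the protocol negotiation that every RDP connection begins with and reports whether the server enforces NLA. The packet layout follows Microsoft's MS-RDPBCGR specification; the sample server replies are constructed bytes, not captures, and `probe()` should only ever be pointed at hosts you are authorized to test.

```python
"""Check whether an RDP endpoint enforces Network Level Authentication (NLA).

Every RDP session starts with an X.224 Connection Request carrying an
RDP_NEG_REQ structure (MS-RDPBCGR 2.2.1.1).  We ask for "standard RDP
security" only (requestedProtocols = 0).  A server that enforces NLA refuses
with RDP_NEG_FAILURE / HYBRID_REQUIRED_BY_SERVER; a server that answers
RDP_NEG_RSP selecting protocol 0 accepts unauthenticated legacy RDP, which is
the exposure that BlueKeep-style pre-authentication bugs need.
"""
import socket
import struct

TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03
PROTOCOL_RDP = 0x00000000      # standard RDP security, no NLA
PROTOCOL_SSL = 0x00000001      # TLS
PROTOCOL_HYBRID = 0x00000002   # CredSSP (NLA)
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_neg_request(requested_protocols: int = PROTOCOL_RDP) -> bytes:
    """TPKT header + X.224 Connection Request + RDP_NEG_REQ (19 bytes)."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    # LI=14 (bytes after the length byte), CR TPDU, dst-ref, src-ref, class 0
    x224 = bytes([0x0E, 0xE0, 0x00, 0x00, 0x00, 0x00, 0x00])
    body = x224 + neg_req
    return struct.pack(">BBH", 3, 0, 4 + len(body)) + body


def parse_neg_response(data: bytes) -> dict:
    """Classify the server's X.224 Connection Confirm."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT packet")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length does not match data length")
    if data[5] & 0xF0 != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if data[4] == 6:
        # Bare Connection Confirm with no RDP_NEG_RSP: a server too old to
        # negotiate, so it only speaks legacy RDP security.
        return {"nla_required": False, "legacy_rdp_accepted": True,
                "detail": "no negotiation response (legacy RDP security only)"}
    if len(data) < 19:
        raise ValueError("truncated negotiation structure")
    neg_type, _flags, length, value = struct.unpack("<BBHI", data[11:19])
    if length != 8:
        raise ValueError("bad negotiation structure length")
    if neg_type == TYPE_RDP_NEG_RSP:
        return {"nla_required": value == PROTOCOL_HYBRID,
                "legacy_rdp_accepted": value == PROTOCOL_RDP,
                "detail": f"server selected protocol {value} (0=RDP, 1=TLS, 2=CredSSP/NLA)"}
    if neg_type == TYPE_RDP_NEG_FAILURE:
        name = FAILURE_CODES.get(value, f"unknown({value})")
        return {"nla_required": value == 5, "legacy_rdp_accepted": False,
                "detail": f"server refused legacy RDP: {name}"}
    raise ValueError(f"unexpected negotiation type 0x{neg_type:02x}")


def probe(host: str, port: int = 3389, timeout: float = 5.0) -> dict:
    """Run the check against a live host (only with authorization)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_neg_request(PROTOCOL_RDP))
        reply = sock.recv(1024)
    return parse_neg_response(reply)


# Constructed sample replies (not captured from any real host).
SAMPLE_NLA_REQUIRED = bytes.fromhex("030000130ed000001234000300080005000000")
SAMPLE_LEGACY_ACCEPTED = bytes.fromhex("030000130ed000001234000200080000000000")

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    result = probe(target) if target else parse_neg_response(SAMPLE_LEGACY_ACCEPTED)
    print(result)
```

A result with `legacy_rdp_accepted` true means the server will talk unauthenticated RDP to anyone who can reach port 3389; that host should be patched, put behind a VPN or gateway, and have NLA enforced. A refusal of `HYBRID_REQUIRED_BY_SERVER` is what a correctly hardened server returns.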

VPN Vulnerabilities

Vulnerabilities in Virtual Private Network (VPN) appliances are also critical points of attention when protecting your organization's network. Known flaws in VPN devices from Pulse Secure and Citrix remain exploitable today because many systems are still running unpatched, out-of-date firmware. Two of note are CVE-2019-19781, a directory traversal flaw in Citrix ADC and Gateway appliances that lets an unauthenticated attacker execute arbitrary code on the device, and CVE-2019-11510, an arbitrary file read in Pulse Secure appliances that exposes cached passwords and other sensitive information.

Office 365 Vulnerabilities

In light of COVID-19, many organizations have migrated to cloud-based platforms such as Office 365 for centralized collaboration and communication. However, Office 365 environments have some weaknesses that must be addressed for a secure deployment. Firstly, multi-factor authentication is not enabled by default on administrator accounts. An attacker who brute-forces or phishes an administrator's password can therefore gain full access to the administrative portal; enabling MFA for every administrator should be the first step after migration.

Don’t fall victim to a cyberattack. GIGE IT Solutions can help you configure and maintain your RDP and VPN connections so that your organization’s network is never left unprotected. During COVID-19, GIGE is offering a promotion to resolve your technical issues at a flat $95, with no contract and no assessment. There is no charge unless your issue is resolved. You can get started here.

Cyberattackers Are Targeting Organizations Aiding In Covid-19 Response https://gige.ca/covid-19-response-organizations-cyberattack Thu, 07 May 2020 20:51:25 +0000
The UK’s National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA) have warned that cyberattackers are targeting organizations involved in the global Covid-19 response. Targeted sectors include healthcare, academic institutions, medical organizations, and pharmaceutical companies.

The advisory identifies APTs, or Advanced Persistent Threat groups, as the greatest cyberthreat to these organizations. APTs are state-sponsored groups that aim to infiltrate computer networks and remain undetected for long periods while pursuing their objectives.

Why are these organizations being targeted?

These organizations collect sensitive information, including personal names and medical histories, in their efforts against Covid-19, and they hold research data on the disease. Gaining access to this information is the goal of many of these attacks, since a state that obtains it can advance its own research and response.

Several vulnerabilities are being exploited by APTs to gain access to these organizations’ networks. Firstly, CVE-2019-19781 in Citrix ADC and Gateway appliances allows an attacker to read sensitive information and execute arbitrary code on the device.

Next, several vulnerabilities in VPN products from Fortinet, Pulse Secure, and Palo Alto Networks are still being exploited despite having been patched in 2019, because any appliance that has not had the latest security update applied remains vulnerable to these known flaws. Two examples in Fortinet’s FortiOS SSL VPN are CVE-2018-13382, which allows an unauthenticated attacker to change a VPN user’s password, and CVE-2018-13380, a cross-site scripting flaw.

Finally, malicious actors are using a technique called password spraying to try to break into Covid-19 response organizations. Instead of trying many passwords against one account, as a classic brute-force attack does, a password spray tries a few commonly used passwords against many accounts. Spreading the attempts across accounts keeps each one below the lockout threshold, so per-account lockout alone will not stop it; defenders need to correlate failed logons by source across accounts, enforce MFA, and ban the common passwords the sprays rely on.

GIGE IT Solutions ensures that your organization is protected against malicious attacks from cybercriminals. Don’t leave your network open to attack: call us at +1 888 366 4443 or email info@gige.ca for a consultation on the best ways to protect yourself today.

Unnamed Canadian Insurance Company Suffers $1M USD Ransomware Attack https://gige.ca/bitpaymer-ransomware-attack Tue, 04 Feb 2020 17:17:24 +0000


On October 8th 2019, an unnamed Canadian insurance company paid a total of US$950,000 to a ransomware attacker.

The attacker infected 20 servers and around 1,000 employee computers, encrypting the data on those systems and demanding 109.25 bitcoin for the decryption keys.

It was reported that after the ransom was paid, the attackers provided decryption keys, and that decrypting the 20 servers took 5 days and the 1,000 end-user computers took 10 days.

What was the ransomware strain responsible for the attack?

The ransomware strain used in this attack was BitPaymer. The malware got past the insurance company’s firewalls and infected its network; exactly how it first gained entry to the company’s infrastructure is not known.

Unlike many other ransomware strains, which rely on phishing emails, malicious download links or compromised websites to infect computers, BitPaymer is believed to gain initial access through targeted brute-force attacks on exposed remote access services.

Brute Force RDP (Remote Desktop Protocol) Attacks

RDP, or Remote Desktop Protocol, is a Microsoft protocol that lets an individual connect to and control another computer remotely. It is often used by IT administrators and cybersecurity professionals to diagnose and troubleshoot computer problems from a remote location. However, RDP is also a prime target for cyberattack: if compromised, it is a direct pathway into a company’s network.

A brute-force attack tries to guess the credentials for an RDP connection through thousands of automated trial-and-error login attempts made in rapid succession.

Microsoft’s recommended protections against RDP brute-force attacks include enabling multi-factor authentication and placing RDP behind a VPN rather than exposing it directly to the internet; enforcing Network Level Authentication and an account lockout policy also limits what an attacker can achieve. Multi-factor authentication adds a second step to the login process, typically a one-time code sent to or generated on a trusted device, which must be supplied in addition to the password.
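The analysis below is an added example, not code from the original post or from Microsoft. It runs over a constructed export of Windows Security event 4625 (failed logon) records and separates a brute-force attempt against one account, the pattern BitPaymer operators are believed to use, from the password spraying described earlier on this page in the Covid-19 advisory post, which per-account lockout does not catch. The field layout, addresses, account names and thresholds are all invented for the demonstration.

```python
"""Separate RDP brute force from password spraying in Windows failed-logon events.

Input is a constructed CSV export of Security event 4625 (logon failure):
timestamp, target account, source network address, logon type.  Logon type
10 is an interactive RDP logon; with NLA enabled the failed attempt is
recorded as type 3 (network) instead, so both are treated as remote logons.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

REMOTE_LOGON_TYPES = {"3", "10"}

# Constructed sample data (not from any real system).  203.0.113.7 hammers one
# account; 198.51.100.9 tries one password each against five accounts;
# 10.0.0.5 is a single typo by a legitimate user.
SAMPLE_4625 = """\
2020-02-03T01:00:01,administrator,203.0.113.7,10
2020-02-03T01:00:09,administrator,203.0.113.7,10
2020-02-03T01:00:17,administrator,203.0.113.7,10
2020-02-03T01:00:26,administrator,203.0.113.7,10
2020-02-03T01:00:34,administrator,203.0.113.7,10
2020-02-03T01:00:41,administrator,203.0.113.7,10
2020-02-03T02:10:00,alice,198.51.100.9,3
2020-02-03T02:11:30,bob,198.51.100.9,3
2020-02-03T02:13:00,carol,198.51.100.9,3
2020-02-03T02:14:30,dave,198.51.100.9,3
2020-02-03T02:16:00,erin,198.51.100.9,3
2020-02-03T09:30:12,alice,10.0.0.5,10
"""


def parse_events(text):
    """Parse the CSV export, keeping only remote logon failures, sorted by time."""
    events = []
    for ts, user, src, logon_type in csv.reader(io.StringIO(text)):
        if logon_type in REMOTE_LOGON_TYPES:
            events.append({"time": datetime.fromisoformat(ts),
                           "user": user.lower(), "source": src})
    return sorted(events, key=lambda e: e["time"])


def max_in_window(times, window):
    """Largest number of sorted timestamps that fall within one window."""
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def max_distinct_users_in_window(events, window):
    """Largest number of distinct target accounts one source hits within a window."""
    counts = Counter()
    best = start = 0
    for end, ev in enumerate(events):
        counts[ev["user"]] += 1
        while ev["time"] - events[start]["time"] > window:
            old = events[start]["user"]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best


def detect(events, window=timedelta(minutes=30), brute_threshold=5, spray_threshold=4):
    """Brute force: many failures for one (source, account) pair.
    Password spray: one source failing against many distinct accounts."""
    by_pair = defaultdict(list)
    by_source = defaultdict(list)
    for ev in events:                       # events are already time-ordered
        by_pair[(ev["source"], ev["user"])].append(ev["time"])
        by_source[ev["source"]].append(ev)
    findings = {"brute_force": [], "password_spray": []}
    for (src, user), times in sorted(by_pair.items()):
        n = max_in_window(times, window)
        if n >= brute_threshold:
            findings["brute_force"].append({"source": src, "user": user, "failures": n})
    for src, evs in sorted(by_source.items()):
        n = max_distinct_users_in_window(evs, window)
        if n >= spray_threshold:
            findings["password_spray"].append({"source": src, "distinct_users": n})
    return findings


if __name__ == "__main__":
    for kind, items in detect(parse_events(SAMPLE_4625)).items():
        for item in items:
            print(kind, item)
```

The spray source never trips a per-account threshold (one failure per account), which is exactly why it must be keyed on the source address across accounts. In production, replace the constructed CSV with an export from `wevtutil` or your SIEM, and tune the window and thresholds to the site's normal failure rate.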

Don’t become the victim of a brute-force attack. Our team of cybersecurity professionals can identify points of vulnerability in your organization’s network and provide remediation strategies to keep you protected. Call us at +1 888 366 4443 or email us at info@gige.ca to get started with us immediately.

Travelex falls victim to “Sodinokibi” Ransomware https://gige.ca/sodinokibi-ransomware Thu, 16 Jan 2020 18:12:45 +0000


The list of ransomware victims continues to grow. On New Year’s Eve, 31 December 2019, Travelex, an international foreign exchange company, was struck by the “Sodinokibi” ransomware strain. Also known as REvil, Sodinokibi prevents users from accessing their data by encrypting it and withholding the key. The ransom demanded from Travelex was US$6M, and the attackers stated that failure to pay within 2 days would double the demand.

In an effort to contain the ransomware, Travelex immediately disconnected infected computers from its company network.

The attackers told the BBC that they had infiltrated Travelex’s network six months earlier and had stolen over 5 GB of customer data, including dates of birth and credit card information. This has become a common strategy of newer ransomware operations: the threat of releasing stolen data is used as a second point of leverage to extort money from victims, even from those who can restore from backups.

Threat intelligence company Bad Packets stated that in September 2019 it had notified Travelex that seven of its Pulse Secure VPN servers were vulnerable to a known security flaw. According to Bad Packets, Pulse Secure had patched the flaw in April 2019, but Travelex had not updated its systems to the fixed software version, leaving them open to attack.

The Pulse Secure VPN vulnerabilities were widely known in the second half of 2019. In August of that year, the Canadian Centre for Cyber Security urged Canadian businesses to update their software to the latest versions to protect against attack. In October, the US National Security Agency and the UK National Cyber Security Centre issued similar warnings.

What does the vulnerability allow cyberattackers to do to unprotected systems?

Cybersecurity researcher Kevin Beaumont stated that the VPN vulnerability, tracked as CVE-2019-11510, lets an unauthenticated attacker read arbitrary files from the appliance, including cached plaintext credentials, which can then be used to log in to the VPN and reach the internal network without knowing any user’s password in advance.

As the Travelex incident illustrates, applying security updates promptly is essential to protecting against cyberattack.

Ransomware Attack Temporarily Shuts Down The Heritage Company https://gige.ca/ransomware-attack-temporarily-shuts-down-the-heritage-company Fri, 10 Jan 2020 17:03:43 +0000


The Heritage Company has temporarily shut down its operations because of a ransomware attack. In December 2019, CEO Sandra Franecke announced to the company’s 300 employees that the company had not fully restored its systems following a ransomware attack that October and would be temporarily suspending all of its operations as a result. In her statement to employees, she said that “we do not prevent you from searching for other employment”.

What is data encryption?

Ransomware is a type of malware that encrypts the data on a victim’s computer and demands a ransom payment for its release. Encryption scrambles data into a format that cannot be read unless it is decrypted with the corresponding key; ransomware holds that key hostage.

Unfortunately, the Heritage Company is not the only recent ransomware victim. Over the past year, ransomware has become increasingly common among small businesses. In August 2019, Wood Ranch Medical, a medical clinic in California, announced that it had been hit by a ransomware attack. The attack had a widespread impact on the clinic’s IT infrastructure, including the servers and backups on which patient records were stored. On December 17th 2019, the clinic closed as a result of the damage, stating that the encrypted records were lost and could not be recovered.

Ransomware attacks are now targeting backup systems

Ransomware attacks rely on withholding the decryption key to extort money from victims. If a victim has up-to-date backups of all its data, that pressure point disappears. Knowing this, ransomware operators have started to target victims’ backup systems as well, as the Wood Ranch Medical case illustrates. In particular, since mid-2019, backup appliance manufacturers have been warning customers that ransomware attackers are targeting Network Attached Storage (NAS) devices. Backups only protect against ransomware if at least one copy is kept offline or otherwise unreachable from the production network, and if restores are tested regularly.

Does paying the ransom fee guarantee safe release?

There have been many cases where data was not recovered even after the ransom was paid. Some malware presented as ransomware, known as wipers, is designed simply to destroy data; NotPetya is an example. Even genuine ransomware sometimes ships decryptors that fail or are never delivered. Because the victim has no way of knowing in advance whether its data can be restored, payment still looks like the only option in many attacks, which is exactly why tested, isolated backups matter.

Learn more about NotPetya and other ransomware strains by calling us today at 888 366 4443 or emailing us at info@gige.ca

Cloud Security Will Be The Cybersecurity Topic Of 2020 https://gige.ca/cloud-security-in-2020 Thu, 02 Jan 2020 15:52:53 +0000


Cloud computing grew drastically in 2019. However, cloud security has lagged behind, and that gap has contributed to some of the most damaging cyberattacks to date.

In traditional offline computing, programs and data are stored locally on a machine. On the organizational scale, data may be stored and shared on local servers that are linked to office devices within an enclosed network.

Cloud computing changes this model: instead of keeping files and programs on local machines, they run on servers operated by providers such as Microsoft and Amazon and are delivered to local machines over the internet. Common cloud platforms include Microsoft Azure, Amazon Web Services (AWS), and Google Cloud’s Compute Engine.


SaaS, PaaS, and IaaS

There are three major types of cloud computing service. SaaS, or Software as a Service, delivers applications through a web browser instead of installing them on a local machine. End users no longer have to download update packages, and application performance depends mainly on the internet connection.

IaaS, or Infrastructure as a Service, provides the raw building blocks: servers, storage, and networking.

Finally, PaaS, or Platform as a Service, provides a managed platform on which software developers build and run applications.

There are many advantages to cloud computing. For businesses, cloud computing is a much more flexible and scalable option compared to on-premise solutions. Furthermore, cloud computing opens the door for many pay-as-you-go computing models, eliminating the need to purchase perpetual software.

Security Threats of Cloud Computing

The rapid growth of cloud computing, and the failure of cloud security to keep pace, resulted in a number of devastating cyberattacks in 2019.

In July 2019, Capital One announced that it had suffered a data breach affecting over 100 million of its customers.

APIs are a new security weakpoint

APIs, or Application Programming Interfaces, are the channels through which programs communicate with a cloud service. Because they are exposed to the network and often carry credentials, APIs have become a common attack surface that cyberattackers probe when targeting cloud-based systems.

GIGE ensures that your company is fully prepared for the cloud cyber threats that will come in 2020. Get started with us now by calling +1 888 366 4443 or emailing us at info@gige.ca

European Airport Finds 50% of its Computers Infected With Malware https://gige.ca/malware-european-airport Mon, 28 Oct 2019 15:32:12 +0000


Researchers at cybersecurity company Cyberbit found that half of the workstations at an international airport in Europe were infected with cryptomining malware. They detected the infection through abnormal use of the PAExec tool and reflective DLL loading on the affected computers.

What is cryptojacking?

Cryptojacking malware is malware that uses the computing resources of infected PCs to generate cryptocurrency for the attacker.

Cryptocurrencies are digital currencies such as Bitcoin and Ethereum. By dedicating computing resources to mining, individuals can generate these currencies. Cryptojacking is the malicious use of a victim’s computer to mine cryptocurrency for the attacker, without the victim’s consent.

There are many symptoms associated with cryptojacking including computer slowdowns and overheating issues. You can read more about cryptojacking in our article here.


What is PAExec?

PAExec is a program that allows a Windows computer to remotely execute a program on another Windows computer without installing it there first. The Cyberbit researchers stated that PAExec was used to launch a malicious file called “player.exe”, which consumed the infected computers’ resources to mine the cryptocurrency Monero for the attacker. The malware evaded detection because it was a heavily modified version of a previously known miner, CryptoMiner Variant #2.

Significantly, PAExec ran the miner with administrative privileges on the infected computers, and the reflective DLL loading the researchers observed means the malicious code was loaded directly into memory rather than from a file on disk. Together these let it evade the hosts’ signature-based antivirus detection.

How was the airport impacted?

The cryptomining malware gave itself priority for system resources, so infected computers suffered slowdowns and higher power consumption. Both reduced the quality of the airport’s services and hurt its bottom line.

How does cryptojacking malware infect PCs?

It is not known how the computers became infected in this incident. Historically, there have been several routes for cryptomining malware: careless employees can install it by clicking malicious links in emails or visiting malicious websites; malicious insiders can install it deliberately; and external attackers can use phishing emails or exploit security vulnerabilities.

Don’t fall victim to cryptojacking. We can help you design and deploy network security solutions. Call us at +1 888 366 4443 or email us at info@gige.ca to get started today.

Employees Maliciously Cause Data Breaches at American Express and Yahoo https://gige.ca/insider-threats-data-breaches-american-express-yahoo Mon, 07 Oct 2019 18:17:48 +0000


In two separate incidents, the U.S. companies American Express and Yahoo have both suffered data breaches of their clients’ personal information. Both were insider threats, breaches caused by someone inside the company.

The American Express Incident

American Express stated that the leaked data included customers’ names, addresses, dates of birth, Social Security numbers, and account information. On September 30th, the company began sending a Notice of Data Breach to affected individuals. In the notice, American Express said that the information had been accessed by one of its own employees, who is no longer with the company, with the intent to commit fraud.

The Yahoo Incident

In a separate case, a Yahoo software engineer pleaded guilty to illegally accessing about 6,000 Yahoo accounts, specifically targeting accounts belonging to women. Personal images and videos from the accounts were downloaded onto a hard drive on the perpetrator’s home computer. The engineer also admitted to destroying the data when an investigation began. Yahoo stated that the engineer no longer works for the company.


What is an Insider Threat?

We often hear of cyberattacks as an external threat, as if our data were safe as long as our firewalls and backups are protected from the outside. However, a McKinsey study of data breaches between 2012 and 2017 found that 50% of reported breaches were attributable to internal employees: 44% to negligent insiders and 6% to malicious ones.

A negligent insider threat occurs when an employee unknowingly or carelessly causes a security incident. The employee has no malicious intent. Examples include clicking a malicious link in an email and connecting a compromised device to the company network.

To reduce the risk of negligent insider threats, hold regular training on cyber hygiene, recognizing phishing, and spotting signs of malware infection. Furthermore, network segmentation ensures that even if part of your network is compromised, critical areas remain protected. For more on cybersecurity best practices, see our article here.

A malicious insider threat is characterized by deliberate harmful intent. These attacks are particularly dangerous because insiders often have detailed knowledge of internal procedures and of the security controls in place. One common countermeasure is employee monitoring software, which flags ‘abnormal’ activity on an employee’s computer and reports it to a system administrator. This approach has real drawbacks. Beyond privacy and misuse concerns, such alerts are prone to false positives, and the strategy is reactive: by the time the administrator is notified, the access has already happened. Least privilege is the complementary preventive control: limiting each role to the data it actually needs, and logging access to sensitive records, shrinks both the potential damage and the monitoring burden. Microsegmentation, which divides the network into small zones with tightly scoped access rules rather than watching individuals, applies the same idea at the network level and reduces the number of systems an administrator has to monitor.

We can help you identify areas of vulnerability in your network. Contact us at +1 888 366 4443 or info@gige.ca for a consultation today.

The Most Dangerous Software Errors Have Been Identified https://gige.ca/most-dangerous-software-errors Mon, 30 Sep 2019 19:58:20 +0000


The American not-for-profit research organization MITRE has published its 2019 “CWE Top 25 Most Dangerous Software Errors”. Buffer flaws (CWE-119, improper restriction of operations within the bounds of a memory buffer) and cross-site scripting (CWE-79) top the list.

The CWE Top 25 is a useful reference for software developers and cybersecurity professionals when writing software and designing security solutions.

The number 1 spot goes to buffer flaws. A buffer flaw is a software bug that allows code to read from or write to memory locations beyond the buffer’s intended bounds. CVE-2019-1212, a buffer flaw patched by Microsoft on August 13th 2019, affected a wide range of operating systems including Windows Server 2019, Windows 7 and Windows 10.


Cross site scripting

The second most dangerous software error on the list is cross-site scripting (XSS). This occurs when a web application includes untrusted input in a page it serves without properly validating or encoding it, so that attacker-supplied script runs in other users’ browsers. Cross-site scripting is most dangerous when paired with watering-hole attacks, which plant such script on a site the intended victims already visit, as a middle step toward compromising those users’ computers.


What can you do against these dangers?

MITRE’s recommendations for avoiding buffer flaws when writing code include:

  • When managing an application’s memory, make sure the buffer is large enough for the data you write into it, and check the source length against the destination size before every copy.
  • If you access a buffer in a loop, make sure the loop index cannot run past the allocated space.

For cross-site scripting, MITRE notes that an application firewall that can detect attack patterns reduces the risk, because situations where the vulnerability cannot be fixed immediately are common. It is a stop-gap, not a substitute for encoding output correctly.
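As an added illustration, not code from MITRE or from the original post, the Python snippet below shows the cross-site scripting bug beside its fix: a page that concatenates untrusted input directly, and the same page with context-appropriate output encoding plus a URL scheme check. The payload strings are constructed for the demonstration. (The buffer-flaw advice above applies to C and C++ code; Python bounds-checks for you, so it is not shown here.)

```python
"""Cross-site scripting: the vulnerable pattern beside its fix.

Untrusted input must be encoded for the context it lands in.  Text inside an
element body needs HTML entity encoding; a URL placed in an href also needs
its scheme checked, because "javascript:" URLs run script without any
angle brackets at all.
"""
import html
from urllib.parse import urlsplit


def render_profile_unsafe(name: str, homepage: str) -> str:
    # Vulnerable: untrusted values are concatenated straight into the page.
    return f'<h1>Welcome, {name}</h1><a href="{homepage}">homepage</a>'


def safe_href(url: str) -> str:
    """Allow only absolute http/https URLs; everything else collapses to a dead link."""
    url = url.strip()
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return "#"
    return html.escape(url, quote=True)


def render_profile_safe(name: str, homepage: str) -> str:
    # Fixed: entity-encode text, and validate + encode the attribute value.
    return (f'<h1>Welcome, {html.escape(name, quote=True)}</h1>'
            f'<a href="{safe_href(homepage)}">homepage</a>')


# Constructed attacker inputs for the two contexts (not from any real attack).
SCRIPT_PAYLOAD = '<script>alert(document.cookie)</script>'   # element body
ATTR_PAYLOAD = '" onmouseover="alert(1)'                      # breaks out of href
JS_URL_PAYLOAD = 'JavaScript:alert(1)'                        # no markup at all

if __name__ == "__main__":
    print(render_profile_unsafe(SCRIPT_PAYLOAD, ATTR_PAYLOAD))
    print(render_profile_safe(SCRIPT_PAYLOAD, ATTR_PAYLOAD))
```

The three payloads show why a single "strip angle brackets" filter is not enough: the attribute payload contains no `<` at all, and the `javascript:` URL is a perfectly well-formed attribute value. Encoding plus a scheme allowlist handles all three; a web application firewall in front of this code would only catch the patterns it already knows.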

Contact us today at +1 888 366 4443 or info@gige.ca to learn more about how we can help you design and protect your network.

106 Million Affected By Capital One Data Breach https://gige.ca/capital-one-data-breach Fri, 09 Aug 2019 19:09:23 +0000


In one of the largest financial data thefts in history, Capital One Financial Corporation discovered on July 19th 2019, and announced on July 29th, that the data of around 106 million of its customers and applicants had been accessed by an attacker. Of those affected, 100 million are in the U.S. and 6 million in Canada.

Capital One announced that personal information collected between 2005 and early 2019 was among the data accessed. It included dates of birth, names, email addresses, postal addresses (including zip/postal codes), phone numbers, and self-reported incomes.

Customer data including credit scores and limits, account balances, payment histories, and contact information were also taken. About 140,000 U.S. Social Security numbers and 80,000 linked bank account numbers were also accessed.

Capital One estimates that the incident will cost between $100 and $150 million, mostly in legal fees, IT monitoring, and the cost of notifying affected individuals.

The attacker gained access to Capital One’s data through a web application the company had built and operated on Amazon Web Services infrastructure. Amazon stated that its cloud services were not compromised: under the shared responsibility model, Capital One was responsible for the configuration and maintenance of its own application.


On July 29th 2019 the attacker behind the breach, a Seattle resident using the online alias “Erratic”, was arrested for illegally accessing Capital One’s data. “Erratic” was a former Amazon employee.

Following an email tip, investigators found that the attacker’s GitHub account contained the confidential data taken from Capital One.


Was the data breach preventable?

Several security best practices could have prevented the data from being taken.

Firstly, regular IT security audits could have identified the misconfiguration before it was exploited, and penetration testing helps determine how robust your defences actually are.

The Capital One breach started with a misconfigured web application firewall (WAF) running on a cloud server. Public reporting on the case shows that the attacker was able to make the WAF relay requests to the cloud provider’s instance metadata service, a server-side request forgery (SSRF), and so obtain the temporary credentials of the role assigned to the WAF. That role had permission to list and read the storage buckets holding customer data, which the attacker then downloaded. The breach occurred because the misconfiguration, and the over-broad permissions behind it, went unnoticed.
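The Python example below is added here and is not Capital One’s code, Amazon’s, or the attacker’s; it demonstrates the general fix for the request-forgery pattern described in public reporting on the incident. A server-side "fetch this URL" feature is shown in its vulnerable form and then guarded by resolving the destination and refusing anything that is not a public address, including the 169.254.169.254 metadata address and its IPv4-mapped IPv6 form. The hostnames and address table are constructed for the offline demonstration.

```python
"""Server-side request forgery guard for a "fetch this URL for me" feature.

The Capital One pattern: an internet-facing component was coaxed into
fetching an attacker-chosen URL, and the cloud instance metadata service
(169.254.169.254) handed back the role's credentials.  The fix is to decide
which destinations the server may talk to, resolve the name ourselves,
reject every non-public address, and connect to the address we checked.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http": 80, "https": 443}


def fetch_unsafe(url: str) -> bytes:
    # Vulnerable: fetches whatever the caller names, metadata service included.
    from urllib.request import urlopen
    with urlopen(url, timeout=5) as resp:
        return resp.read()


def default_resolver(hostname: str) -> list:
    """All A/AAAA addresses for a name, via the system resolver."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_public(ip_text: str) -> bool:
    addr = ipaddress.ip_address(ip_text)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped        # ::ffff:169.254.169.254 -> 169.254.169.254
    return addr.is_global              # excludes private, loopback, link-local, ...


def validate_outbound_url(url: str, resolve=default_resolver) -> tuple:
    """Return (hostname, checked_ip, port) for a permitted URL, else raise ValueError.

    The caller must connect to checked_ip (sending the hostname in the Host
    header / SNI) and must not follow redirects without re-validating them."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    port = parts.port or ALLOWED_SCHEMES[parts.scheme.lower()]
    try:
        ips = [str(ipaddress.ip_address(host))]   # literal IP address
    except ValueError:
        ips = resolve(host)   # DNS name: every answer must pass (also catches
                              # tricks like a decimal "2852039166" hostname)
    if not ips:
        raise ValueError(f"{host} does not resolve")
    for ip in ips:
        if not is_public(ip):
            raise ValueError(f"{host} resolves to non-public address {ip}")
    return host, ips[0], port


def is_blocked(url: str, resolve=default_resolver) -> bool:
    try:
        validate_outbound_url(url, resolve)
        return False
    except ValueError:
        return True


# Constructed name-to-address table for the offline demonstration.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],
    "dual.example.com": ["93.184.216.34", "10.0.0.5"],
}


def fake_resolver(hostname: str) -> list:
    return FAKE_DNS.get(hostname, [])


if __name__ == "__main__":
    for u in ("https://api.example.com/v1/report",
              "http://169.254.169.254/latest/meta-data/iam/security-credentials/",
              "http://metadata.internal/",
              "http://dual.example.com/",
              "http://[::ffff:169.254.169.254]/"):
        print("blocked" if is_blocked(u, fake_resolver) else "allowed", u)
```

This guard is one layer. The others that would have limited the Capital One outcome are least privilege on the role the server runs as (a WAF has no business listing or reading customer data buckets) and requiring the token-based metadata service (IMDSv2 on AWS), which a simple relayed GET cannot satisfy.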


Protect the Decryption Key for critical data.

Encryption scrambles data into an unreadable format that can only be unscrambled with a decryption key. In this case, the attacker was also able to obtain the means to decrypt the company’s data. This illustrates the importance of protecting decryption keys and keeping them separate from the data, somewhere an attacker who reaches the data cannot also reach.


Do not store archived data online

Some of the accessed data dated back to 2005. Keeping archived data online is not only costly but also a significant security risk, since it remains exposed to any breach of the live systems.

Are your networks safe from cyberattack? GIGE’s IT technicians have over 30 years of experience designing and testing network infrastructure. Call us at +1 888 366 4443 or send us an email at info@gige.ca to get a network security audit.
