The list of ransomware victims continues to grow. On New Year’s Eve 2020, Travelex, an international foreign exchange company, disclosed that it was struck by the “Sodinokibi” ransomware strain. Also known as REvil, Sodinokibi ransomware prevents users from accessing their computer data by encrypting it behind a ransomwall. The ransom demand for Travelex was $6M USD. They also stated that failure to pay the payment within 2 days will result in double the ransom demand.

In an effort to mitigate the spread of the ransomware, Travelex immediately disconnect infected computers from its company network.

The cyberattackers revealed to BBC that it had actually infiltrated Travelex’s network 6 months prior, and had been able to steal over 5 GB of customer data. According to the group, they have got access to customer information including birthdays and credit card information. This has been a common strategy of newer ransomware strains. Releasing the stolen data is used as a second point of leverage to extort money out of victims.

Cyberthreat intelligence company Bad Packets stated that it had notified Travelex of 7 security vulnerabilities present in their systems in September 2019. The vulnerability was caused by a security flaw in the Pulse Secure Virtual Private Network. According to Bad Packets, the vulnerability was actually patched April of that year, but that Travelex had failed to update its systems to the newest software version, leaving them vulnerable to attack.

The vulnerabilities present in the Pulse Secure VPN were widely known in the second half of 2019. In August of that year, the Canadian Center for Cyber Security urged for Canadian businesses to update their software to the latest versions to protect against attack. In October, the US National Security Agency, and the UK National Cyber Security Center issued similar warnings.

What does the vulnerability allow cyberattackers to do to unprotected systems?

Cybersecurity researcher Kevin Beaumont stated that the VPN vulnerability, also called CVE-2019-11510, allowed for attackers to remotely gain control of unprotected systems even without the use of the user credentials of the computer.

As illustrated by the Travelex, keeping computers up-to-date with current software updates to protect against cyberattack.

Malware, or malicious software, is any piece of software that is developed with malicious intent. There are many strains of malware that do everything from stealing sensitive data to locking files behind ransom walls.

There are many ways that a computer can become infected with malware. Many of these, such as phishing, rely on user mistakes. Phishing is a method of infecting a computer with malware by attaching fraudulent links or attachments to emails, pretending to be sent from legitimate sellers. Once the user clicks on the fake link, a malicious file is downloaded onto the victim’s computer.

Once a malware infiltrates a computer, it often communicates back with the cyberattacker’s terminal through the internet.

The effects of malware depends on the strain that is used. For example, ransomware is a specific type of malware that encrypts the files on a victim’s computer and demands a ransom to be paid, often in digital currencies, for the data to be released.

Another type of malware is called a botnet. This type forces groups of infected computers to become under the control of the cyberattackers, who then uses the botnet for further malicious activity such as launching Denial of Service (DOS) attacks on other targets.

 

Worm Capability

Some malware have worm capability – this is a functionality that allows it to spread to other computers without user input. This makes worming malware extremely dangerous, as it can spread throughout entire networks without being detected.

An example of a worm-capable malware was Wannacry – a ransomware that was able to infect over 100 000 computers within 24 hours in May of 2017.

 

How do you Stop It?

Keep admin privileges on a need-to-have basis

In general, the less administrative privileges that a company’s computer has, the less of a weak point it is to the network as whole. It is important to keep administrative rights to only a few management devices, so that it is less likely that a key target computer becomes infected.

 

Segmenting your network with air gaps

As described above, worm malware can spread itself across a network without user input. The most secure way to protect your sensitive devices is by disconnecting them completely from the network. That way, if one segment becomes infected, you can be sure that another segment is still secure. Don’t fall victim to cyberattack – let our network experts help you design custom security solutions to keep your company’s data safe.

Almost 400 dental offices were infected with ransomware in a cyberattack this August. The computers became infected after DDS Safe, a 3^rd party cloud backup software that all the affected offices were using, was compromised. The software was developed by Dental Technology Company PerCSoft.

Affected offices had their computer files encrypted behind ransomwalls. On August 26^th, the Wisconsin Dental Association noted that the 400 offices were unable to access their client files due to the attack.

A ransomware attack typically locks files behind walls, demanding ransoms to be paid for its safe release.

A few days after the incident, PerCSoft began distributing decryption keys on its Facebook page. They did not state whether ransom was paid to the attackers, nor did they release  details on how they acquired the keys. A few of the dental offices that used the keys noted that only some of the lost data was unlocked.

As with other malware categories, there are many strains of ransomware. It is believed that the strain responsible for this attack was Sodinokibi, also known as REvil or Sodin. This particular type of ransomware was first discovered by cybersecurity research group Cisco Talos in April 2019.

This is not the first incident caused by Sodinokibi. On August 16^th, 22 local Texan governments were hit simultaneously by the first highly co-ordinated ransomware attack. It is believed that Sodinokibi was also responsible for that attack.

 

How can you defend your data from 3^rd party compromise cyberattacks?

As shown by DDS Safe, a software specifically engineered to keep off-site backups of sensitive data, keeping online backups is not enough to be an air-tight protection against ransomware. Instead, it is important to keep sensitive data in an offline storage location that is completely disconnected from the internet. If an up-to-date backup of critical data is always available, ransom demands can be ignored without consequence.

Second, it is important to keep all software and your operating system up-to-date. Cyberattackers and cybersecurity engineers are constantly battling to discover and patch new vulnerabilities. Oftentimes, publicly-known and fixed bugs are the cause of infection due to victims neglecting to update their software.

Finally, practicing network segmentation can help your protect computers by preventing the spread of malware across your network. By keeping important computers disconnected, malware with worm capabilities will not be able to access them if other PCs are infected.

GIGE Corporations’ IT technicians have years of designing and deploying cybersecurity measures to help protect companies from cyberattack. You can get a consultation today by e-mailing info@gige.ca or calling us at 888 366 4443.

The Canadian Centre for Cybersecurity recently stressed the importance of keeping VPN devices up-to-date. Because VPN devices act as points of contact between a network and the internet, they are particularly vulnerable to cyberattack.

The Centre for Cybersecurity identified four types of VPN that are particularly vulnerable: Fortinet Forigate, Palo Alto GlobalProtect, Pulse Connect Secure, and Pulse Policy Secure. Vulnerabilities in these VPN services can allow attackers to do anything from changing passwords of user portals to downloading malicious files onto the victims’ computers. For example, Palo Algo GlobalProtect VPN is susceptible to a vulnerability called CVE-2019-1579 which, when exploited, allows attackers to execute unauthorized code on a computer without the permission of the user.

Troy Mursch, an independent researcher, stated that over 14 000 Pulse Secure VPN endpoints were still susceptible to the CVE-2019-11510 vulnerability. It was found that industries including military, government, universities, and hospitals are still affected.

These vulnerabilities were discovered by DEVCORE researchers during the recent Black Hat USA 2019 Conference – a computer security event with a focus around training and briefing. Prior to announcing the vulnerabilities to the public, the researchers disclosed their findings to the affected developers so official fixes would be released simultaneously.

Between April and July this year, several patches fixing the vulnerabiltiies were released by Fortinet, Palo Alto Networks, and Pulse Secure.

Protecting Yourself from VPN vulnerabilities

When known vulnerabilities are announced to the public, it is essential that you update your affected systems to the latest patches. Cyberattackers are constantly scanning the internet for endpoint devices that are unprotected. Many are now automating this process, making the threat more immediate than ever.

GIGE IT Corporation’s network security technicians have years of experience designing and deploying security solutions for businesses. Don’t leave yourself vulnerable to cyberattack – contact us at info@gige.ca or 888 366 4443 to get started with us immediately.

The first major data exposure of 2019 has occurred. VOIPo, a Voice-Over-IP service provider based in California, accidentally publicized its databases, leading to almost 7 million VOIP call logs, message logs, and other sensitive information being leaked. The leak was discovered by Cloudfare security researcher Justin Paine, who found out that VOIPo’s data was available on the search engine Shodan. Shodan is a platform like Google or Bing that indexes webpages, but it also does so for other devices such as smart TVs.

This is the second VOIP data leak event within the last 6 months. In November of 2018, Voxox, another VOIP service provider, similarly left their databases accessible to the public.

What is Data Exposure?

With many organizations moving to network-based and cloud-based data storage, data leakage is now a more relevant problem than ever before. Because sensitive data is kept on the internet, it is easily accessible by virtually anybody if a mistake is made in password protection. Often, data exposure is the result of an accidental error in configuration. For instance, in the case of VOIPo, it could have been a mistake as simple as setting the data to public instead of private in a settings menu. With search engines such as Shodan that index everything from webpages to webcams, any address that is not protected instantly becomes identifiable and accessible by anyone with an internet connection.

How do you prevent Data Exposure?

One of the easiest and quickest ways of securing your databases is by using 2 factor authentication. This is an extra step of security that involves connecting a device or secondary email to your login process, so that whenever an unfamiliar device logs they will also require access to your device to enter your account. This ensure that even if an individual has your login credentials, they will still be unable to access your data.

It is also essential to constantly monitor account activity. A sudden increase in activity may indicate that your data has been accidentally exposed to the public.
Don’t fall victim to data exposure. Contact us at 888 366 4443 for more information on our IT security services!

The Canadian government has set November 1^st as the official date that the new Digital Privacy Act will be implemented. On this day, all private Canadian organizations will need to ensure that they have adhered to the rules defined by this new act. The document outlines regulations regarding the protocols of handling data breaches – specifically, who and when need to be notified in the event of data leakage. According to the Privacy Act, fines of up to $100 000 can be issued if an organization fails to notify a data breach to either the Privacy Commissioner of Canada, or the customers affected. Below are three important rules outlined by the Digital Privacy Act.

Reporting to the Privacy Commissioner of Canada

In the event of a data breach, the incident must be reported to the Privacy Commissioner of Canada as soon as possible. This report must contain as much of the following information as is known at the time. Firstly, it must outline the causes and depth of the breach, as well as the time that it occurred. The report must also include an estimate of the number of people who will be affected. Furthermore, it must include information on the strategy that the organization plans to employ in containing and repairing the breach. Finally, contact information of a person who can continue communications with the Privacy Commissioner needs be provided.

Reporting to the Impacted Customer

A similar report outlining the causes, scope, and reparation strategy must be provided to the individuals who are affected by the data breach. The Data Privacy Act outlines that this communication must be done in one of two methods – directly, or indirectly.

Direct communication includes methods such as email or over the telephone, while indirect communication involves public announcements.

However, indirect communication can only be used in the case of one of the following circumstances: If direct communication would cause more damage to the affected person, if direct communication would require undue hardship to the company, or if no customer contact information is available.

Keeping reports after Data Incidents

Finally, the Digital Privacy Act states that records of a data breach incident must be kept for a minimum of 2 years after the company first detects the incident. The Government of Canada states that this record-keeping will have numerous benefits to the IT security industry. In a statement, they noted that stricter reporting will ensure that affected individuals have the tools to become informed and protect themselves. Furthermore, the availability of these reports will create industry standards for handling these data breaches. This will overall have positive impact on the ability for Canadian organizations to deal with cybersecurity incidents.

Become prepared for the quickly-approaching deadline with GigE’s team of IT security Technicians. Call us at +1 888 366 4443 for a consult today.

CEO Fraud, or Business E-Mail Compromise (BEC), is an e-mail scam that aims to trick business employees into transferring money or sending sensitive information to a fraudulent account. In a recent study conducted by the Internet Crime Complaint Centre, it was found that these email scams have resulted in financial damages of more than $5 billion across the world between 2013 and 2016.

Highly Varied Impersonation Strategies

The fraudulent emails are often sent from either hacked accounts of legitimate employees, or spoofed email accounts that impersonate company emails using forged banners and signatures.  While a study conducted by Barracuda Networks discovered that 43% of the 3000 studied emails impersonated high-standing positions such as CEOs, the remainder of the attempts pretended to be general employees or people working in areas such as finance or human resources. Therefore, BEC dangers are not only limited to emails from high-level employees, and cannot be prevented by only protecting these accounts.

Another significant aspect of Business E-mail compromise is the fact that the fraudulent emails often do not contain suspicious direct hyperlinks. Therefore, common spam filters used by email providers are not able to easily filter out these emails.

Similarly to the varied impersonation strategies, there are also many different goals in BEC scams. In the aforementioned study conducted by Barracuda Networks, it was announced that the attackers’ goals ranged from fraudulent money transfers, to encouraging individuals to navigate to infected links, to stealing sensitive information.

To help you identify CEO Fraud attempts in your inbox, we have composed a table of common impersonation strategies and attacker goals used in these scams:

 

Impersonation Strategy

Cyberattack Goal

Hack a legitimate account of a high-level employee.   Impersonate an employee using a fake email address and forged headers, footers,  and company signatures   Fake or hack an email address of a close supplier used by the company   Fraudulent emails claiming to be lawyers who have critical and urgent information about your company

Asking for money transfer to a fraudulent account pretending to be a legitimate company   Stealing personal or sensitive information such as tax forms or other company financial documents   Establishing trust with the employee for further data-theft in the future   Steal W-2 information of clients   Redirect transfer of money to a fraudulent account during an active deal between the company and a supplier

 

How do you protect yourself from Business Email Compromise Scam attempts?

With so many variants of BEC scam emails, it can be impossibly difficult to reliably identify when an email from a colleague or boss is legitimate. Instead, it is important to always approach emails asking for personal information or financial transfer with caution.

Always authenticate the validity of e-mails by directly contacting the sender over the phone or in-person. Furthermore, provide regular training sessions for employees to help them become vigilant of these scams.

Our tech experts at GigE have years of cumulative experience in I.T. security and Internet Fraud. Contact us today at +1 888 366 4443 to protect yourself against BEC.