firewall | GIGE IT Solutions: IT Services Mississauga
https://gige.ca/tag/firewall
IT Services & IT Solutions Mississauga & Toronto

Ransomware Cyberattackers Now Releasing Stolen Data To The Public
https://gige.ca/maze-ransomware-new-ransomware-strategy
Fri, 20 Dec 2019 15:00:43 +0000

Cyberattackers who use ransomware for extortion have recently adopted a new strategy to force victims into succumbing to their threats – releasing sensitive stolen information to the public. This new strategy was brought to light by a recent cyberattack involving the Maze ransomware strain.

Typically, ransomware cyberattacks force victims to pay ransom fees by locking and encrypting their files behind paywalls. If the business or government that is hit does not have sufficient backups, it suffers major damage to productivity. Because the cost of the attack increases with each passing day that productivity is lost, these organizations opt to pay the ransom fee in order to resume daily functions. While cyberattackers also often threaten to release the files to the public, it was often believed that these threats were bluffs and that the attackers did not actually have access to the files.

The Maze ransomware confirmed that cyberattackers can indeed access and release the files to the public. In a recent attack involving the Maze ransomware this November, victim company Allied Universal refused to pay a ransom fee of 300 bitcoin (around $2.5 million USD at the time). The cyberattackers then followed through on their threats and released around 700 MB of sensitive data to the public.

How are computers being infected with Maze?

Cybersecurity professional Jerome Segura discovered that Maze ransomware was being spread via a fake cryptocurrency exchange webpage. It is believed that the ransomware was being distributed alongside another exploit, the “Fallout exploit kit”, which exploits security holes in Adobe Flash and Windows OS.

Another method of transmission is through malicious email attachments. An example of this was discovered by cybersecurity professional JAMESWT, who discovered a phishing campaign that targeted the Italian population by pretending to be the Italian revenue agency.

Previously, maintaining updated backups was a sufficient best practice to protect against ransomware attacks, as the attackers’ leverage hinged on the amount of damage done to company productivity. In light of the new strategy of data leakage, ransomware protection has to put greater emphasis on preventative measures rather than reactive measures.

This can include strategies such as:

- Educating your employees on proper cyber hygiene and signs to look for when identifying fake emails

- Maintaining strict information privilege matrices in the company so that sensitive data is kept on a need-to-access basis

- Strengthening firewalls and keeping software up-to-date

GIGE IT Solutions specializes in designing and managing your IT security for your company. Don’t be the next ransomware victim, and call us at +1 888 366 4443 to get started right away.

Watch Out! Supply Chain Attacks are on the Rise
https://gige.ca/watch-out-supply-chain-attacks-are-on-the-rise
Tue, 12 Mar 2019 13:44:14 +0000

In a recent report, Microsoft has stated that supply chain attacks have become an increasingly pressing concern for cybersecurity professionals.

What are Supply Chain Attacks?

Computer software is constantly updated by developers. These updates are released to the public through cycles of patches. A supply chain attack is a type of cyberattack that infiltrates a victim’s computer through one of these updates.

By hacking into a software developer’s update code before it is released to the public, cyberattackers are able to avoid detection by antivirus protocols that are designed to allow these updates from trusted developers through their firewalls. In the past few years, this type of cyberattack has become more and more prominent, as illustrated by the following examples.

In June 2017, more than 10 000 computers in Ukraine were infected by a ransomware known as Petya. Incidentally, ransomware is a type of malware that locks sensitive data behind ‘ransomwalls’ and demands payment for its safe release. In its investigation, Microsoft uncovered that the attack originated from a hacked patch of the tax-accounting software MEDoc. It is now known that the attackers had illegally inserted a line of malicious code into one of its patches.

Three months later, in September 2017, CCleaner, a software tool that clears out old computer files, was also compromised through a supply chain attack. The software’s developer Piriform stated that the malware inserted into its code stole sensitive data from victims’ computers and sent it to the cyberattacker’s computer.

A Growing Threat towards Cloud Computing

As the percentage of computers relying on cloud computing and online data storage grows, so too does the threat of cyberattacks such as supply chain attacks. We are already seeing devastating damage being done to cloud servers with this kind of cyberattack. For example, Docker Hub, a cloud-storage service, was hacked in mid-2018 – an attack that led to over 5 million infections.

Because it is often difficult for antivirus software to detect these attacks, Microsoft suggests that companies need to develop countermeasures to handle post-infection scenarios to protect themselves against supply chain cyberattacks. An example of this is using network segmentation, which involves keeping critical computers permanently disconnected from the company network, so that they are not in danger even if a virus were to infect the main server.

Do you need help setting up or protecting your servers? Our technicians at GigE can help. Our networking solutions can help your company protect itself from cyberattack. We also provide IT consulting to help you identify weak points in your network. Call us today at +1 888 366 4443!

Why Protecting Your Server is Critical to your Company’s Cybersecurity
https://gige.ca/why-protecting-your-server-is-critical-to-your-companys-cybersecurity
Mon, 23 Jul 2018 17:55:52 +0000

A server is a computer that is connected to other systems in a company through either the internet or a local network, and that dedicates its resources to ‘serving’ these computers. Because of this, servers are in constant communication with all company systems, storing, processing, and communicating data. Due to the fact that they are the central nodes of an organization’s network, they are often the targets of malware attacks. This is because servers are connected to most, if not all company systems, and therefore give easy avenues for the attackers to spread their malicious software to all computers on the network. In light of this, protecting your server should be viewed as critically important when it comes to company cybersecurity.

Recent Malware Attacks that Ravaged Company Servers

On July 16th, Algonquin College reported that its servers were affected by a malware attack on May 16th. The infected server, they stated, contained sensitive information belonging to students, employees, and alumni. It is believed that data such as date-of-birth and home addresses of 4,568 individuals was leaked, and that the non-sensitive data of another 106,931 individuals could also have been compromised.

Another recent case of malware infecting server systems was the “WannaCry” malicious software. In 2017, this ransomware was able to lock the files of hundreds of thousands of systems behind ransom-walls. The widespread reach of the malware was attributed to the fact that it had “worm capability”, allowing it to spread to computers connected to a server without any input from the user. In other words, once this malware attached itself to the central server of an organization, all connected systems became at risk of infection.

Finally, the “Adylkuzz” malware also demonstrates the importance of protecting your server. This malware is categorized as “cryptomining malware”, which transforms the infected system into a cryptomining slave that wastes its resources making digital currency for the attacker.

How to protect your servers against Malware Attacks

In many of the above instances, malware was able to infiltrate an organization’s servers because the companies neglected to keep their systems up-to-date with current patches. Servers, like any other system, use operating systems such as Windows. Therefore, they need to be constantly updated to receive the latest security measures developed by vendors such as Microsoft.

Following the WannaCry outbreak, Microsoft released a statement noting that “EternalBlue”, the security vulnerability that was exploited by the attackers, had in fact been patched two months prior to the incident. However, many companies failed to install the fix, leaving their systems open to infection. Similarly, the vulnerability used by “Adylkuzz” called CVE-2017-7269 was also repaired prior to the event by Microsoft in an update released on June 13th, 2017. The severity of both of these incidents could have been drastically mitigated if organizations had been more diligent in keeping their servers’ operating systems up-to-date.

Therefore, it is clear that protecting your company’s server is critical to the safety of all systems on your network. Because they are connected to many of an organization’s systems, malware-infected servers become extreme threats to the security of all computers connected to them.

At GigE, our experts have years of experience in ensuring that your organization’s servers and computers are up-to-date with current software. Do not fall victim to malware; contact us today at +1 (888) 366-4443.

Improving your Network’s Security against Online Malware
http://gige.ca/?p=5664
https://gige.ca/improving-your-networks-security-against-online-malware
Tue, 05 Jun 2018 16:28:40 +0000

Contrary to popular belief, online malware does not exclusively focus on breaching large corporations. Instead, the United States Computer Emergency Readiness Team (US-CERT) stresses that most malware attacks are indiscriminate in their target selection, and are just as likely to affect home or small business networks as large businesses. Therefore, an organization of any size is vulnerable to malicious software as long as it has computers that are connected to the internet.

One of the most recently discovered threats that has affected more than 500,000 routers is called “VPNFilter”. American networking hardware manufacturer Cisco has stated that routers developed by Linksys, NETGEAR, QNAP, TP-Link, and MikroTik are vulnerable to the new malware. This new malicious software is capable of destabilizing the firmware of your router and exploiting security vulnerabilities to steal sensitive information, such as website login credentials.

Cisco has reported that “VPNFilter” uses a three-stage process to gain access to your router’s information. Firstly, stage 1 involves the malware finding out the IP address attached to the server, and rooting itself into the router. After successfully gaining traction, the malware initializes stages 2 and 3 of its operations. Stage 2 allows attackers to gather information from the server, as well as destabilize the firmware of the router using “self-destruct protocols”. Finally, stage 3 allows attackers to gather further traffic information such as website login information.

Cisco has outlined recommended strategies to counter “VPNFilter”. Firstly, rebooting your router can remove stages 2 and 3 of the malware from your router, and temporarily inhibits further data collection. However, this does not remove stage 1 of the malware, meaning that it will still be rooted within your device. Therefore, they warn that the malware will still be able to reinitialize its stage 2 and 3 protocols after a router reboot. To fully remove the malware from your router, Cisco states that you must factory reset the device, restoring it to its factory settings.

The 2017 Mirai Malware

One common aspect shared by many devices infected by VPNFilter is that their owners did not change the default login information of their routers, leaving them much more vulnerable to attack.

A similar incident occurred in 2017, when the malicious software “Mirai” infected thousands of routers which still had default login credentials. These infected devices were then used to target the DNS provider “Dyn” with DDoS attacks, and managed to disturb the functioning of many enormous websites such as Paypal and Twitter.

However, “VPNFilter” and “Mirai” are only the latest of many malicious programs. In light of this, here are some general best practices to protect your servers and computers from online attack.

Firstly, do not leave your router settings on default. These are often designed to be overly lenient for the end user’s convenience. However, default settings can often increase vulnerability to online malware and cyberattacks. In particular, the setting “remote management”, which allows users to change the settings of the device from a remote location such as a computer on the network, is often turned on by default on many routers. However, this is a major vulnerability that could be abused by cyberattackers. Therefore, always turn off this setting after initial device setup.

Constantly check for software updates for your computer. These do not just contain bug fixes, but often also contain important security updates to protect your computer from newly discovered malicious software.

Download and constantly update antivirus software from a reputable developer, to ensure that your network has protection against online malware. Furthermore, ensure that firewalls are activated on all your computers connected to the internet. Firewalls constantly filter internet usage and traffic based on existing databases of dangerous software, and can be essential to protecting yourself against malicious or suspicious websites.

Finally, be sure to back up all important data, whether in a company or home setting. Despite following all these precautions, any computer connected to the internet will still be inherently vulnerable to cyberattacks and malware. Therefore, always keep encrypted backup copies of important or sensitive data. This will not only ensure that the information cannot be destroyed, but also that it will be inaccessible to an attacker who has not gained possession of an encryption key.

For more information or assistance on how to protect your network, contact us at +1 (888) 366-4443, or visit our page on our Network Solutions.
