On October 8^th 2019, an unnamed Canadian insurance company paid a total of 950 000 USD to a ransomware cyberattacker.

The attacker was able to infect 20 servers and around 1000 employee computers in the attack, encrypting data on the systems behind a ransomwall, demanding payment of 109.25 bitcoins for the safe release of the information.

It was reported that after paying the ransom fee, the cyberattackers provided decryption keys which allowed for the 20 servers to be decrypted for 5 days, and the 1000 end user computers to be decrypted for 10 days.

What was the ransomware strain responsible for the attack?

The ransomware strain that was used in this attack was “BitPaymer”. The malware was able to bypass the Canadian insurance company’s firewalls and infect its network. It is not known exactly how the malware was able to infiltrate into the company’s infrastructure.

Unlike many other ransomware strains that use strategies such as fake emails and malicious download links or websites to infect computers, it is believed that BitPaymer uses targeted brute force attacks.

Brute Force RDP (Remote Desktops Protocol) Attacks

RDP, or remote desktop protocol, is a tool developed by Microsoft for an individual to remotely connect to another computer. It is often used by IT administrators and cybersecurity professionals to diagnose and troubleshoot computer problems from a remote location. However, RDP is also a prime target for cyberattacks, as it is a direct pathway into a company’s network, if compromised.

A brute force attack tries to guess the credentials to an RDP connection through thousands of trial-and-error attempts done in rapid succession by machines.

Microsoft states that protective actions against RDP brute force attacks include activating multifactor authentication and using VPNs. Multifactor authentication is an added security feature to the login process that sends a temporary ‘second password’ to a trusted device every time an account is accessed from an unfamiliar IP.

Don’t become the victim of a brute force attack. Our team of cybersecurity professionals can identify points of vulnerability in your organizations’ network and provide remediation strategies to keep you protected. Call us at +1 888 366 4443 or email us at info@gige.ca to get started with us immediately.

Cloud computing grew drastically in 2019. However, cloud security has dragged behind in development which has resulted in some of the most devastating cyberattacks in history.

In traditional offline computing, programs and data are stored locally on a machine. On the organizational scale, data may be stored and shared on local servers that are linked to office devices within an enclosed network.

Cloud computing changes this model – instead of keeping files and programs stored locally, they are instead running on servers of tech giants such as Microsoft and Amazon and are transferred in real time to local machines over the internet. Common cloud computing platforms include Microsoft Azure, Amazon Web Services (AWS), and Google’s Compute Engine.

 

SaaS, Paas, and IaaS

There are three major types of cloud computing services. Saas, or Software as a Service, involves running programs via a web browser instead of on a local machine. An advantage of this is that end users no longer have to download update packages and that app speed is only depends on internet speed.

IaaS, or Infrastructure as a Service, includes components such as servers, storage, and networking.

Finally, PaaS, or Platform as a Service, is used by software developers to build applications.

There are many advantages to cloud computing. For businesses, cloud computing is a much more flexible and scalable option compared to on-premise solutions. Furthermore, cloud computing opens the door for many pay-as-you-go computing models, eliminating the need to purchase perpetual software.

Security Threats of Cloud Computing

The rapid growth of cloud computing – and the failure of cloud security to keep pace – has resulted in a number of devastating cyberattacks this year.

In July 2019, Capital One announced that it had suffered a data breach affecting over 100 million of its customers.

APIs are a new security weakpoint

APIs, or Application Programing Interfaces, are the channels through which a computer can communicate with a cloud service. APIs have become a vulnerability that is often exploited by cyberattackers when targeting cloud based systems.

GIGE ensures that your company is fully prepared for the cloud cyber threats that will come in 2020. Get started with us now by calling +1 888 366 4443 or emailing us at info@gige.ca

With 2019 drawing to a close and 2020 almost here, we can take a look sat how the cybersecurity landscape has evolved over this past year. By far the two most prevalent topics of the year have been ransomware and data privacy.

Ransomware

By far the most relevant cybersecurity threat of 2019 was the rise of ransomware. This is strain of malware that encrypts user data behind a paywall, and demands payment for its safe release. Targets have ranged from multinational corporations to governments. Worryingly, ransomware attacks have recently become more organized, as seen in an attack in August 2019 where 22 Texan governments were simultaneously hit with ransowmare.

Data Privacy

As collecting and storing sensitive user data grows as a core requirement of many companies, so too does the risk of leaking this data to unwanted eyes. 2019 saw several enterprises falling victim to data breaches, often leading to devastating financial and legal consequences. New York’s Retrieval-Masters Creditor Bureau Inc. filed for bankruptcy due to a $3.8 million dollar data breach where its customers home addresses, SSNs, and credit card information were leaked. In another attack, Capital One Financial reported between $100 million USD to $150 million USD in damages caused by a data breach leaking customer SSNs and bank account numbers.

In 2020, ransomware will become more dangerous than ever.

A new strain of ransomware named Maze has confirmed a cyberattacker’s bluff as a real threat. In a ransomware attack, data on a victim’s computer is both encrypted and stolen by cyberattackers. Until Maze, it was not known whether cyberattackers actually had access to the stolen data. In November, Allied Universal refused to pay a ransom fee of $2.5 million USD, resulting in cyberattackers releasing 700MB of the company’s sensitive data to the public.

With the threat now confirmed, organizations must prepare for more vicious strains of ransomware in the coming year. Cybersecurity company McAfee Labs predicts that “two-stage extortion attacks” will be a major threat in 2020, where stage 1 is data encryption, and stage 2 is data theft. With 2 leverage points, cyberattackers will have more extortion power than previous attacks.

To counter the new threats coming in 2020, cybersecurity will need to improve in both preventative and restorative measures in order to fully prepare organizations for attack. Call GIGE IT Solutions at +1 888 366 4443 or info@gige.ca. With over 30 years of network security and data backup experience, we can help keep you protected against cyberattack.

 

Cyberattackers using ransomware for money extortion have recently adopted a new strategy to force victims into succumbing to their threats – releasing sensitive stolen information to the public. This new strategy was brought to light by a recent cyberattack by the Maze Ransomware strain.

Typically, ransomware cyberattacks force victims to pay ransom fees by locking and encrypting their files behind paywalls. If the business or government that is hit does not have sufficient backups, they suffer major damages to productivity. Because the cost of the attack increases with each passing day that productivity is lost, these organizations opt to pay the ransom fee in order to resume daily functions. While cyberattackers also often threaten to release the files to the public, it is often believed that these threats were bluffed and that the attackers did not actually have access to the files.

The Maze Ransomware confirmed that cyberattackers can indeed access and release the files to the public. In a recent ransomware attack involving the “maze ransomware” this November, victim company Allied Universal refused to pay a ransom fee of 300 bitcoin (around $2.5 Million USD at the time). The cyberattackers then followed through on their threats and released around 700 MB of sensitive data to the public.

 

How are computer being infected with Maze?

Cybersecurity professional Jerome Segura discovered that Maze Ransomware was being spread via a fake cryptocurrency exchange webpage. It is believed that the ransomware was being distributed alongside another exploit, the ‘Fallout exploit kit”, which exploits security holes in Adobe Flash and Windows OS.

Another method of transmission is through malicious email attachments. An example of this was discovered by cybersecurity professional JAMESWT, who discovered a phishing campaign that targeted the Italian population by pretending to be the Italian revenue agency.

Previously, maintaining updated backups was sufficient best practice to protect against ransowmare attacks, as their leverage hinged on the amount of damage that is done to company productivity. In light of the new strategy of data leakage, ransomware protection has to put greater emphasis on preventative measures rather than reactive measures.

This can include strategies such as:

-Educating your employees on proper cyber hygiene and signs to look for when identifying fake emails

-maintaining strict information privilege matrices in the company so that sensitive data is kept on a need-to-access basis.

-strengthening firewalls and keeping software up-to-date

GIGE IT Solutions specializes in designing and managing your IT security for your company. Don’t be the next ransomware victim, and call us at +1 888 366 4443 to get started right away.

VPNs, or Virtual Private Networks, is a secure connection between computers over the internet. It allows for data to be transferred among computers in a more secure environment than over a public network. Alex Seymour, a cybersecurity researcher at Immersive Labs, recently discovered two new VPN vulnerabilities in Aviatrix VPN: a VPN service used by enterprises such as NASA.

Seymour notes that the two vulnerabilities, named CVE-2019-17387 and CVE-2019-17388 should serve as “a wakeup call for the industry”, as VPNs are often regarded as a highly secure aspect of security solutions.

 

How dangerous are the vulnerabilities?

CVE-2019-17387 affects the operating systems Windows, Linux, and macOS. The exploit allows for cyberattackers to execute arbitrary code with elevated access. It does this by exploiting the certificate validation process that Aviatrix uses to legitimize users. By gaining access to this, sit can recreate certificates and execute code.

CVE-2019-17388 affects Windows and Linux. Seymoure discovered that on Linux operating systems, file modification privileges are weak and allow for elevated code modifications. Meanwhile on Windows systems, it was discovered that legitimate services could be replaced by malicious processes.

While the two VPN vulnerabilities described above only pertain to the Aviatrix VPN, Breakpointing Bad and the University of New Mexico have recently released information a vulnerability that allows cyberattackers to breach any VPN connection. They described the process as follows: First an attacker identifies the IP address of the VPN target. Then, the IP is used to determine the status of active connections. Finally, access the TCP session using unsolicited packets sent to the connection.

In addition to releasing information on the method of attack, the researchers also released notes on some a common method of protection: reverse path filtering Significantly, they noted that turning reverse path filtering may not be enough to prevent a VPN hijack due to the fact that the first two stages can still be successfully carried out

Don’t leave yourself unprotected against VPN exploits. Call GIGE IT Solutions at +1 888 366 4443 or info@gige.ca for more information on how to protect yourself.

Dexphot is a malware that has raised concern over its complex strategy of avoiding detection.

First detected in October 2018, Dexphot is a strain cryptojacking malware. Cryptojacking malware is defined by its main goal of secretly hijacking computer resources in order to generate digital currencies for the cyberattacker. The victim’s computer suffers slowdowns, and is at risk of overheating due to overuse of computer resources. You can learn more about the impacts of cryptojacking infection in our article here.

How is Dexphot designed to avoid detection?

Microsoft states that Dexphot exploits a combination of back-end processes in order to avoid detection by antivirus software. These include PowerShell, DLL, and MSI. By exploiting these three processes, Dexphot is able to use polymorphism to exist in many different forms, making file-based detection difficult.

MSI

MSI is short for Windows Installer packages. Dexphot avoids malware detection by using hundreds of unique URLs to install the malware onto victims’ computers. According to Microsoft, over 200 URLs that have been used to download Dexphot have been identified.

Furthermore, Dexphot is able to detect the presence of antivirus software during infection. If it discovers that antivirus is installed, it automatically stops the installation process.

DLL

DLL, or Dynamic Link Libraries, is a useful process that helps with code modularization, and efficient use of computer resources. However, malware such as Dexphot can exploit DLL to hide their malicious activity.

After installation, Dexphot exploits DLL in order to unpack 3 malicious files onto the victim’s computer. 2 of these files monitor and protect the 3^rd file, which executes the cryptojacking.

These 3 malicious files use a technique called “hollowing” in order to avoid detection. This involves hijacking legitimate processes and hiding malicious code in otherwise legitimate code execution. Specifically, Dexphot hijacks the processes svchost.exe, nslookup.exe, and setup.exe files in SysWoW6.

What is PowerShell?

PowerShell is a tool that is pre-installed in Windows operating systems. Its purpose is executing code, often directly from computer memory without using the disk. The danger of malware abusing PowerShell is that exploits can leave little to no evidence, making it both difficult to detect and to trace.

Dexphot exploits PowerShell in the event that it is ever compromised by antivirus software. If this occurs, Dexphot will initiate a self-termination and reinfection process that relies on PowerShell.

Microsoft states that its new Defender Advanced Threat Protection uses behaviour based detection in order to detect malware such as Dexphot. As described above, Dexphot is difficult to detect using a file-based detection strategy, as it can appear in many forms.

Don’t fall victim to malware like Dexphot. Contact us at +1 888 366 4443 or info@gige.ca to learn more about how to protect yourself.