it security services | GIGE IT Solutions: IT Services Mississauga
https://gige.ca/tag/it-security-services
IT Services & IT Solutions Mississauga & Toronto

Lessons Learned From The Cathay Pacific Data Breach
https://gige.ca/cathay-pacific-data-breach-lessons-learned
Tue, 10 Mar 2020 20:15:09 +0000

Hong Kong airline company Cathay Pacific was fined 500 000 pounds by the UK Information Commissioner’s office due to a data leak where 9.4 million user records were leaked. Of the affected individuals, over 100 000 were from the UK.

The data breach was the result of unauthorized access to Cathay Pacific’s servers that dated back to October of 2018. In a statement on the breach, Cathay Pacific stated that it would like to “sincerely apologize for this incident”.

The UK’s Information Commissioner’s Office discovered that the data breach had resulted in records from between October 2014 and May 2018 being leaked.

This incident illustrates the importance of applying security patches to protect an organization’s servers. Cathay stated that it suspects the data breach occurred because cyberattackers exploited a known security vulnerability. In its investigation, the UK Information Commissioner discovered that the company had not applied the security update fixing the vulnerability, which was released over a decade prior to the attack. The vulnerability, which was not publicly named, was in fact discovered in February 2007. It is known that an attacker exploiting this vulnerability does not need technical skills and is able to get administrative access to a victim’s computer. Cathay Pacific admitted that its regular vulnerability scans, which are used to detect potential security flaws in the company’s network, were not able to detect the vulnerability for over 10 years. It was discovered that one of the compromised systems had 16 security updates pending.

Another reason that the Cathay Pacific data breach occurred was that one of its servers was running an operating system that was no longer supported by its developer. Operating systems (O.S.), like much other software, require constant updates to repair new security vulnerabilities that are discovered. After an operating system becomes end-of-life, however, the developer no longer releases software updates for it, leaving computers still running the operating system vulnerable to cyberattack. The most recent instance of this is the Windows 7 end of life, which occurred on January 14th of 2020. You can read more about operating system patches in our article here.

It is clear from the Cathay Pacific data breach that proper patch management is an important facet of keeping your organization’s IT safe from cyberattack. GIGE IT Solutions’ network experts help your organization identify vulnerabilities in your organization’s network. We audit and provide consultation and remediation strategies to help you stay protected from data leaks and cyberattacks.

Unnamed Canadian Insurance Company Suffers $1M USD Ransomware Attack
https://gige.ca/bitpaymer-ransomware-attack
Tue, 04 Feb 2020 17:17:24 +0000

On October 8th 2019, an unnamed Canadian insurance company paid a total of 950 000 USD to a ransomware cyberattacker.

The attacker was able to infect 20 servers and around 1000 employee computers in the attack, encrypting data on the systems behind a ransomwall, demanding payment of 109.25 bitcoins for the safe release of the information.

It was reported that after paying the ransom fee, the cyberattackers provided decryption keys which allowed for the 20 servers to be decrypted for 5 days, and the 1000 end user computers to be decrypted for 10 days.

What was the ransomware strain responsible for the attack?

The ransomware strain that was used in this attack was “BitPaymer”. The malware was able to bypass the Canadian insurance company’s firewalls and infect its network. It is not known exactly how the malware was able to infiltrate into the company’s infrastructure.

Unlike many other ransomware strains that use strategies such as fake emails and malicious download links or websites to infect computers, it is believed that BitPaymer uses targeted brute force attacks.

Brute Force RDP (Remote Desktop Protocol) Attacks

RDP, or Remote Desktop Protocol, is a protocol developed by Microsoft that lets an individual remotely connect to another computer. It is often used by IT administrators and cybersecurity professionals to diagnose and troubleshoot computer problems from a remote location. However, RDP is also a prime target for cyberattacks because, if compromised, it is a direct pathway into a company’s network.

A brute force attack tries to guess the credentials to an RDP connection through thousands of trial-and-error attempts done in rapid succession by machines.

Microsoft states that protective actions against RDP brute force attacks include activating multifactor authentication and using VPNs. Multifactor authentication is an added security feature to the login process that sends a temporary ‘second password’ to a trusted device every time an account is accessed from an unfamiliar IP.
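
The brute-force pattern described above is visible in failed-logon records. The following Python code is an added example, not code from the original article or from Microsoft; it assumes a simplified, constructed CSV log format and illustrative thresholds (5 failures from one source within 60 seconds), and it also reports a successful logon that follows such a burst.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625       # Windows Security event ID: an account failed to log on
SUCCESSFUL_LOGON = 4624   # Windows Security event ID: an account was logged on
# Logon type 10 is RemoteInteractive (RDP). With Network Level Authentication,
# failed RDP logons are commonly recorded as type 3 (Network) instead.
RDP_LOGON_TYPES = {3, 10}

# Constructed sample records (assumed format, documentation-range IPs).
# Columns: timestamp,event_id,logon_type,source_ip,username
SAMPLE_LOG = """\
2020-02-04T09:00:01,4625,10,203.0.113.7,administrator
2020-02-04T09:00:03,4625,10,203.0.113.7,admin
2020-02-04T09:00:05,4625,10,203.0.113.7,administrator
2020-02-04T09:00:08,4625,10,203.0.113.7,backup
2020-02-04T09:00:11,4625,10,203.0.113.7,administrator
2020-02-04T09:00:14,4625,10,203.0.113.7,svc_sql
2020-02-04T09:00:40,4624,10,203.0.113.7,svc_sql
2020-02-04T09:05:00,4625,10,198.51.100.20,jsmith
2020-02-04T09:06:30,4625,10,198.51.100.20,jsmith
2020-02-04T09:07:10,4624,10,198.51.100.20,jsmith
2020-02-04T09:10:00,4625,2,192.0.2.15,kiosk
"""


def parse_records(text):
    """Parse the assumed CSV format into sorted tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 5:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            event_id, logon_type = int(parts[1]), int(parts[2])
        except ValueError:
            continue
        records.append((ts, event_id, logon_type, parts[3], parts[4]))
    return sorted(records)


def detect_bruteforce(records, threshold=5, window=timedelta(seconds=60)):
    """Flag source IPs with >= threshold failed RDP logons inside the window.

    Returns {source_ip: {"peak_failures", "usernames", "logon_after_burst"}}.
    "logon_after_burst" is the first account that logged on successfully from
    the same source after it was flagged, or None if no logon succeeded.
    """
    recent = defaultdict(deque)   # source_ip -> failure times still inside the window
    tried = defaultdict(set)      # source_ip -> every username it failed with
    findings = {}
    for ts, event_id, logon_type, ip, user in records:
        if logon_type not in RDP_LOGON_TYPES:
            continue  # e.g. type 2 (console logon) is not a remote attempt
        if event_id == FAILED_LOGON:
            tried[ip].add(user)
            failures = recent[ip]
            failures.append(ts)
            while ts - failures[0] > window:
                failures.popleft()  # drop failures that fell out of the window
            if len(failures) >= threshold:
                finding = findings.setdefault(
                    ip, {"peak_failures": 0, "logon_after_burst": None})
                finding["peak_failures"] = max(finding["peak_failures"], len(failures))
        elif event_id == SUCCESSFUL_LOGON and ip in findings:
            if findings[ip]["logon_after_burst"] is None:
                findings[ip]["logon_after_burst"] = user
    for ip, finding in findings.items():
        finding["usernames"] = sorted(tried[ip])
    return findings


if __name__ == "__main__":
    for ip, f in detect_bruteforce(parse_records(SAMPLE_LOG)).items():
        print(f"{ip}: {f['peak_failures']} failures in window, "
              f"accounts tried: {', '.join(f['usernames'])}, "
              f"successful logon afterwards: {f['logon_after_burst']}")
```

A finding with a successful logon after the burst is the one to triage first, since it suggests the guessed credentials worked.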

Don’t become the victim of a brute force attack. Our team of cybersecurity professionals can identify points of vulnerability in your organization’s network and provide remediation strategies to keep you protected. Call us at +1 888 366 4443 or email us at info@gige.ca to get started with us immediately.

Today We Say Goodbye to Windows 7
https://gige.ca/goodbye-windows-7
Tue, 14 Jan 2020 19:02:37 +0000

Goodbye Windows 7 – today, January 14th 2020, is the day that Microsoft officially ends security support for Windows 7 computers. This means that PCs still running the decade-old operating system will no longer be receiving security updates from Microsoft. According to NetMarketShare’s statistics, 1/3 of PCs around the world are still running Windows 7.

Microsoft urges all of these users to update to a newer operating system, either Windows 8.1 or Windows 10, in order to stay protected against malware threats such as ransomware. Sensitive personal information on your home or business PCs is at risk of exposure.

It’s not all bad news – Google has said that it will continue to release updates for its Chrome browser for Windows 7 until 2021. However, this by no means covers all security bases, and migrating to a newer operating system is still the best option in terms of cybersecurity.

If upgrading is not an option, follow these best practices to keep yourself protected:

For businesses still running Windows 7, your employees are the first line of defense against malware. One of the most common methods of infection is through malicious links in fraudulent emails – a strategy known as phishing. By educating your employees with frequent seminars on current threats and the telltale signs of phishing, you can minimize the likelihood that malware can infiltrate your network. If you would like an overview of some of our recommendations against phishing, you can check out our article on the topic here: Phishing Scams – What are they and how can you protect yourself?

For both businesses and consumers, it is important not to store sensitive information such as credit card data on your Windows 7 PC. Furthermore, avoid using online banking apps on Windows 7 PCs.

Don’t fully rely on your Windows 7 PC’s storage. Keep backups of your important data in a separate location – either on an external hard drive, a USB, or on another PC. Some types of malware, such as ransomware, lock user data behind a ransomwall, demanding payment for its release. Once a computer is infected with ransomware and the data is encrypted, it cannot be read unless it is decrypted with a key only known by the attackers.

If you would like to learn more about the dangers of staying on Windows 7, you can visit our page here, or email any questions to info@gige.ca

Cloud Security Will Be The Cybersecurity Topic Of 2020
https://gige.ca/cloud-security-in-2020
Thu, 02 Jan 2020 15:52:53 +0000

Cloud computing grew drastically in 2019. However, cloud security has lagged behind in development, which has resulted in some of the most devastating cyberattacks in history.

In traditional offline computing, programs and data are stored locally on a machine. On the organizational scale, data may be stored and shared on local servers that are linked to office devices within an enclosed network.

Cloud computing changes this model – instead of keeping files and programs stored locally, they are instead running on servers of tech giants such as Microsoft and Amazon and are transferred in real time to local machines over the internet. Common cloud computing platforms include Microsoft Azure, Amazon Web Services (AWS), and Google’s Compute Engine.

 

SaaS, PaaS, and IaaS

There are three major types of cloud computing services. SaaS, or Software as a Service, involves running programs via a web browser instead of on a local machine. An advantage of this is that end users no longer have to download update packages and that app speed depends only on internet speed.

IaaS, or Infrastructure as a Service, includes components such as servers, storage, and networking.

Finally, PaaS, or Platform as a Service, is used by software developers to build applications.

There are many advantages to cloud computing. For businesses, cloud computing is a much more flexible and scalable option compared to on-premise solutions. Furthermore, cloud computing opens the door for many pay-as-you-go computing models, eliminating the need to purchase perpetual software.

Security Threats of Cloud Computing

The rapid growth of cloud computing – and the failure of cloud security to keep pace – has resulted in a number of devastating cyberattacks this year.

In July 2019, Capital One announced that it had suffered a data breach affecting over 100 million of its customers.

APIs are a new security weak point

APIs, or Application Programming Interfaces, are the channels through which a computer can communicate with a cloud service. APIs have become a vulnerability that is often exploited by cyberattackers when targeting cloud-based systems.

GIGE ensures that your company is fully prepared for the cloud cyber threats that will come in 2020. Get started with us now by calling +1 888 366 4443 or emailing us at info@gige.ca

Ransomware Cyberattackers Now Releasing Stolen Data To The Public
https://gige.ca/maze-ransomware-new-ransomware-strategy
Fri, 20 Dec 2019 15:00:43 +0000

Cyberattackers using ransomware for money extortion have recently adopted a new strategy to force victims into succumbing to their threats – releasing sensitive stolen information to the public. This new strategy was brought to light by a recent cyberattack by the Maze Ransomware strain.

Typically, ransomware cyberattacks force victims to pay ransom fees by locking and encrypting their files behind paywalls. If the business or government that is hit does not have sufficient backups, it suffers major damage to productivity. Because the cost of the attack increases with each passing day that productivity is lost, these organizations opt to pay the ransom fee in order to resume daily functions. While cyberattackers also often threaten to release the files to the public, it was often believed that these threats were bluffs and that the attackers did not actually have access to the files.

The Maze Ransomware confirmed that cyberattackers can indeed access and release the files to the public. In a recent ransomware attack involving the “maze ransomware” this November, victim company Allied Universal refused to pay a ransom fee of 300 bitcoin (around $2.5 Million USD at the time). The cyberattackers then followed through on their threats and released around 700 MB of sensitive data to the public.

 

How are computers being infected with Maze?

Cybersecurity professional Jerome Segura discovered that Maze Ransomware was being spread via a fake cryptocurrency exchange webpage. It is believed that the ransomware was being distributed alongside another exploit, the “Fallout exploit kit”, which exploits security holes in Adobe Flash and Windows OS.

Another method of transmission is through malicious email attachments. An example of this was discovered by cybersecurity professional JAMESWT, who discovered a phishing campaign that targeted the Italian population by pretending to be the Italian revenue agency.

Previously, maintaining updated backups was sufficient best practice to protect against ransomware attacks, as their leverage hinged on the amount of damage done to company productivity. In light of the new strategy of data leakage, ransomware protection has to put greater emphasis on preventative measures rather than reactive measures.

This can include strategies such as:

- Educating your employees on proper cyber hygiene and signs to look for when identifying fake emails

- Maintaining strict information privilege matrices in the company so that sensitive data is kept on a need-to-access basis

- Strengthening firewalls and keeping software up-to-date

GIGE IT Solutions specializes in designing and managing your IT security for your company. Don’t be the next ransomware victim, and call us at +1 888 366 4443 to get started right away.

Newly Discovered Vulnerabilities Raise Concern over Security of VPN
https://gige.ca/new-vpn-vulnerabilities
Tue, 10 Dec 2019 17:05:44 +0000

A VPN, or Virtual Private Network, is a secure connection between computers over the internet. It allows for data to be transferred among computers in a more secure environment than over a public network. Alex Seymour, a cybersecurity researcher at Immersive Labs, recently discovered two new VPN vulnerabilities in Aviatrix VPN, a VPN service used by enterprises such as NASA.

Seymour notes that the two vulnerabilities, named CVE-2019-17387 and CVE-2019-17388, should serve as “a wakeup call for the industry”, as VPNs are often regarded as a highly secure aspect of security solutions.

 

How dangerous are the vulnerabilities?

CVE-2019-17387 affects the operating systems Windows, Linux, and macOS. The exploit allows cyberattackers to execute arbitrary code with elevated access. It does this by exploiting the certificate validation process that Aviatrix uses to legitimize users. By gaining access to this, it can recreate certificates and execute code.

CVE-2019-17388 affects Windows and Linux. Seymour discovered that on Linux operating systems, file modification privileges are weak and allow for elevated code modifications. Meanwhile on Windows systems, it was discovered that legitimate services could be replaced by malicious processes.

While the two VPN vulnerabilities described above only pertain to the Aviatrix VPN, Breakpointing Bad and the University of New Mexico have recently released information on a vulnerability that allows cyberattackers to breach any VPN connection. They described the process as follows: First, an attacker identifies the IP address of the VPN target. Then, the IP is used to determine the status of active connections. Finally, the attacker accesses the TCP session using unsolicited packets sent to the connection.

In addition to releasing information on the method of attack, the researchers also released notes on a common method of protection: reverse path filtering. Significantly, they noted that turning on reverse path filtering may not be enough to prevent a VPN hijack, because the first two stages can still be successfully carried out.

Don’t leave yourself unprotected against VPN exploits. Call GIGE IT Solutions at +1 888 366 4443 or info@gige.ca for more information on how to protect yourself.

How The Dexphot Malware Evolves To Avoid Detection
https://gige.ca/dexphot-malware
Fri, 06 Dec 2019 16:32:11 +0000

Dexphot is a malware that has raised concern over its complex strategy of avoiding detection.

First detected in October 2018, Dexphot is a strain of cryptojacking malware. Cryptojacking malware is defined by its main goal of secretly hijacking computer resources in order to generate digital currencies for the cyberattacker. The victim’s computer suffers slowdowns, and is at risk of overheating due to overuse of computer resources. You can learn more about the impacts of cryptojacking infection in our article here.

How is Dexphot designed to avoid detection?

Microsoft states that Dexphot exploits a combination of back-end processes in order to avoid detection by antivirus software. These include PowerShell, DLL, and MSI. By exploiting these three processes, Dexphot is able to use polymorphism to exist in many different forms, making file-based detection difficult.

MSI

MSI is short for Windows Installer packages. Dexphot avoids malware detection by using hundreds of unique URLs to install the malware onto victims’ computers. According to Microsoft, over 200 URLs that have been used to download Dexphot have been identified.

Furthermore, Dexphot is able to detect the presence of antivirus software during infection. If it discovers that antivirus is installed, it automatically stops the installation process.

DLL

DLL, or Dynamic Link Library, is a useful mechanism that helps with code modularization and efficient use of computer resources. However, malware such as Dexphot can exploit DLLs to hide its malicious activity.

After installation, Dexphot exploits DLL in order to unpack 3 malicious files onto the victim’s computer. 2 of these files monitor and protect the 3rd file, which executes the cryptojacking.

These 3 malicious files use a technique called “hollowing” in order to avoid detection. This involves hijacking legitimate processes and hiding malicious code in otherwise legitimate code execution. Specifically, Dexphot hijacks the processes svchost.exe, nslookup.exe, and setup.exe in SysWOW64.

What is PowerShell?

PowerShell is a tool that is pre-installed in Windows operating systems. Its purpose is executing code, often directly from computer memory without using the disk. The danger of malware abusing PowerShell is that exploits can leave little to no evidence, making it both difficult to detect and to trace.

Dexphot exploits PowerShell in the event that it is ever compromised by antivirus software. If this occurs, Dexphot will initiate a self-termination and reinfection process that relies on PowerShell.

Microsoft states that its new Defender Advanced Threat Protection uses behaviour-based detection in order to detect malware such as Dexphot. As described above, Dexphot is difficult to detect using a file-based detection strategy, as it can appear in many forms.

Don’t fall victim to malware like Dexphot. Contact us at +1 888 366 4443 or info@gige.ca to learn more about how to protect yourself.

Employees Maliciously Cause Data Breaches at American Express and Yahoo
https://gige.ca/insider-threats-data-breaches-american-express-yahoo
Mon, 07 Oct 2019 18:17:48 +0000

In two separate incidents, U.S. companies American Express and Yahoo have both been affected by data breaches of their clients’ personal information. Both attacks were the result of insider threats – a type of cyberattack caused by an internal person in the company.

The American Express Incident

American Express stated that the data that was leaked included names, addresses, birthdays, SSNs, and account information of its customers. On September 30th, the company began distributing a Notice of Data Breach to affected individuals. In the notice, American Express stated that the information was maliciously accessed by one of its own employees. The employee, who is no longer at American Express, accessed the data with intent for fraudulent use.

The Yahoo Incident

In another incident, a Yahoo software engineer pleaded guilty to illegally accessing 6000 Yahoo accounts. The engineer stated that they specifically targeted accounts that belonged to women. Personal images and videos of the hacked accounts were downloaded onto a hard drive in the perpetrator’s home computer. The engineer also stated that they destroyed the data when an investigation began. Yahoo stated that the engineer is no longer working for the company.

 

What is an Insider Threat?

We often hear of cyberattacks as an external threat, and that our data is safe as long as our firewalls and backups are protected from the outside. However, a study conducted by McKinsey on data breaches between 2012 and 2017 showed that 50% of reported data breaches are attributable to internal employees. 44% are associated with negligent threats, and 6% with malicious threats.

A negligent insider threat occurs when an employee unknowingly or carelessly causes a malware attack on the company. In negligent insider attacks, the employee does not have malicious intent when compromising the company. Examples of this include clicking on a malicious link in an email and connecting a compromised device to the company network.

To mitigate the risk of negligent insider threats, hold frequent seminars on cyber hygiene, recognizing symptoms of phishing, and signs of malware infection. Furthermore, network segmentation ensures that even if part of your network becomes affected, critical areas remain secure. For more information on best practices on cybersecurity, navigate to our article here.

A malicious insider threat is characterized by deliberate malevolent intent. These types of insider attacks are particularly dangerous to the company, as insiders often have detailed knowledge of internal protocols and security measures in place. One of the most common strategies used against this type of attack is employee monitoring software. This software detects ‘abnormal’ activity on an employee’s computer and reports it back to a system administrator. However, there are many disadvantages to this solution. In addition to the concerns for privacy and misuse, alerts are very prone to false positives. Furthermore, this is a reactive strategy, meaning that the attack has already occurred when the administrator gets a notification. One of the ways to counteract the privacy concerns is by using microsegmentation – a strategy that involves monitoring groups of PCs instead of individuals. Microsegmentation also reduces load on system administrators, as they will have fewer systems to monitor and manage.

We can help you identify areas of vulnerability in your network. Contact us at +1 888 366 4443 or info@gige.ca for a consultation today.

22 Governments in Texas Hit By First Coordinated Ransomware Attack
https://gige.ca/coordinated-ransomware
Wed, 28 Aug 2019 19:11:23 +0000

On August 16th, the Texas Department of Information Resources (DIR) stated that 22 local Texan governments were simultaneously hit by coordinated ransomware attacks. They also stated that most of the victims were small-sized local governments.

While government-targeted ransomware attacks are not new, this is the first incident of this scale and level of coordination. According to the Texas DIR, a single attacker was behind all of the attacks.

The city of Keene was one of the 22 cities that were affected. Mayor Gary Heinrich stated that the cyberattacker demanded a total ransom amount of $2.5 million. According to Heinrich, many of the compromised cities had IT software that was externally managed by a third party organization.

 

What is a ransomware attack?

Ransomware is a type of malicious software cyberattack where sensitive data on a victim’s computer is encrypted by an attacker, who demands a ransom to be paid for decryption.

Ransomware attacks have become more prevalent in recent years. Just last month, Florida’s Lake City and Riviera Beach City were both hit by ransomware attacks costing the cities $500 000 each. In September of last year, the town of Midland, Canada suffered a similar attack. Laredo, another city in Texas, had in fact been hit by a ransomware attack in May 2019 that heavily impacted its email systems and computers. Its IT has since recovered.

The US Conference of Mayors estimates that at least 170 government bodies have been affected by ransomware since 2013.

What are the strategies to protect yourself from Coordinated Ransomware attacks?

This latest attack illustrates the immediacy of ransomware protection. While the victim in this case was a government, organizations and personal computers are also in constant danger of this type of cyberattack.

Ransomware causes major damage to day-to-day company functions. By ensuring that your most sensitive data is backed up, you can restore data in case of cyberattack. Don’t fall victim to ransomware. Managed Service Providers like GIGE Corporation can help you design and maintain network security and backup solutions. Call us at +1 888 366 4443 or email us at sales@gige.ca to learn more.

 

106 Million Affected By Capital One Data Breach
https://gige.ca/capital-one-data-breach
Fri, 09 Aug 2019 19:09:23 +0000

In one of the largest financial data theft incidents in history, Capital One Financial Corporation reported on July 19th 2019 that around 106 million of its clients’ data was leaked due to cyberattack. Of the affected, 100 million are located in the U.S. and 6 million in Canada.

Capital One announced that personal client information between 2005 and 2019 was among the information that was illegally accessed. Leaked data included dates of birth, names, emails, addresses (including zip/postal codes), phone numbers, and reported incomes.

Furthermore, customer data including credit scores and limits, account balances, payment histories, and personal contact info were also leaked. 140 000 SSNs and 80 000 bank account numbers were also illegally accessed.

Capital One estimates that the cost of the attack will be between $100 and $150 million, mostly consisting of legal fees, IT monitoring costs, and expenses to notify affected individuals.

The attacker was able to gain access to the Capital One data storage platform – a proprietary web application built off Amazon’s cloud services. Amazon stated that it was not their cloud services that were compromised, as Capital One was fully responsible for the development and maintenance of its own custom platform.

 

On July 29th 2019 the cyberattacker behind the data breach, a Seattle resident under the online alias “Erratic”, was arrested for illegally accessing the Capital One databases. “Erratic” was a former Amazon employee.

Following an e-mail tip, it was discovered that the attacker’s GitHub account contained the confidential data that was leaked from Capital One.

 

Was the data breach preventable?

There are several key security best practices that could have prevented the data from being leaked.

Firstly, regular IT security audits could have identified and diagnosed the misconfiguration in the system before it was exploited. Performing penetration testing will also help in determining the robustness of your security systems.

The Capital One breach was the result of a misconfigured web application firewall (WAF). Under normal circumstances, the WAF would have blocked access from unknown IP addresses like the one used by the attacker. The breach occurred because the misconfiguration went unnoticed.

 

Protect the Decryption Key for critical data.

Encryption is the security measure of scrambling data into an unreadable format that can only be unscrambled by a decryption key. In this case, the attacker was also able to gain access to the means to decrypt the company’s data. This illustrates the importance of protecting the decryption key and keeping it in a separate location that cannot be accessed by cyberattackers.

 

Do not store archived data online

A portion of the accessed data in the Capital One hack dates back 2 decades. Keeping this archived data online is not only costly, but also poses a significant security threat, as it is vulnerable to cyberattack.

Are your networks safe from cyberattack? GIGE’s IT technicians have over 30 years of experience designing and testing network infrastructure. Call us at +1 888 366 4443 or send us an email at info@gige.ca to get a network security audit.
