On October 8^th 2019, an unnamed Canadian insurance company paid a total of 950 000 USD to a ransomware cyberattacker.

The attacker was able to infect 20 servers and around 1000 employee computers in the attack, encrypting data on the systems behind a ransomwall, demanding payment of 109.25 bitcoins for the safe release of the information.

It was reported that after paying the ransom fee, the cyberattackers provided decryption keys which allowed for the 20 servers to be decrypted for 5 days, and the 1000 end user computers to be decrypted for 10 days.

What was the ransomware strain responsible for the attack?

The ransomware strain that was used in this attack was “BitPaymer”. The malware was able to bypass the Canadian insurance company’s firewalls and infect its network. It is not known exactly how the malware was able to infiltrate into the company’s infrastructure.

Unlike many other ransomware strains that use strategies such as fake emails and malicious download links or websites to infect computers, it is believed that BitPaymer uses targeted brute force attacks.

Brute Force RDP (Remote Desktops Protocol) Attacks

RDP, or remote desktop protocol, is a tool developed by Microsoft for an individual to remotely connect to another computer. It is often used by IT administrators and cybersecurity professionals to diagnose and troubleshoot computer problems from a remote location. However, RDP is also a prime target for cyberattacks, as it is a direct pathway into a company’s network, if compromised.

A brute force attack tries to guess the credentials to an RDP connection through thousands of trial-and-error attempts done in rapid succession by machines.

Microsoft states that protective actions against RDP brute force attacks include activating multifactor authentication and using VPNs. Multifactor authentication is an added security feature to the login process that sends a temporary ‘second password’ to a trusted device every time an account is accessed from an unfamiliar IP.

Don’t become the victim of a brute force attack. Our team of cybersecurity professionals can identify points of vulnerability in your organizations’ network and provide remediation strategies to keep you protected. Call us at +1 888 366 4443 or email us at info@gige.ca to get started with us immediately.

A new security vulnerability has been discovered in Citrix devices. The Canadian Centre for Cybersecurity has advised Canadian businesses to temporarily disconnect their Citrix devices from the internet. The repair patch has been rolled out as of January 19th 2020, with additional patches scheduled for January 24th. Users are advised to patch their devices as soon as possible.

The vulnerability, codenamed CVE-2019-19781, has been officially confirmed to be circulating in Canada. Exploiting the vulnerability allows for a cyberattacker to gain control of a computer without the use of valid credentials.

Products that are affected by the vulnerability include Citrix application Delivery controller, Gateway, and SD-WAN WANOP devices.

 

Why are Citrix Devices being targeted by Cyberattackers?

In many organizations’ networks, Citrix devices are often connected to both employee workstations as well as backend servers. Therefore, if a cyberattackers gains access to a Citrix device, they are in position to further the attack by spreading malware throughout the network. London-based cybersecurity company Positive Technologies noted that Citrix devices are often the first point of attack for many cyberattackers.

The exploits have been released publically

On January 10^th, Project Zero, a group of cybersecurity researchers, released the first Proof of Concept (PoC) of the Citrix device exploit. PoC exploits are often released to the public as non-harmful attacks meant to show vulnerabilities in software to help companies patch them. However, FireEye researchers discovered that malicious versions of the exploit were circulating shortly after the PoC was made public.

What can you do to protect yourself?

Citrix has provided a list of protective measures. You can read more about them here. However, the Canadian Centre for Cyber Security noted that these defensive measures won’t be effective for all devices. In the case that they cannot be applied to your device, they recommend that it is disconnected from the internet until a new patch is rolled out.

Our cybersecurity experts can help you find vulnerabilities in your company’s network. Don’t fall victim to cyberattack. Call us at +1 888 366 4443 or email us at info@gige.ca for more information.

The Heritage Company has temporarily shut down its operations due to a ransomware attack. In December of last year, CEO Sandra Franecke announced to the company’s 300 employees that the company had not fully restored its systems following a ransomware attack that October. As a result of the attack, the company would be temporarily suspending all its functions. In a statement to the company’s employees, she stated that “we do not prevent you from searching for other employment”.

What is data encryption?

Ransomware attacks are a type of cyberattack that encrypts data on a victim’s computer, demanding ransom payment for its release. Encryption is the act of scrambling data into a format that cannot be read unless it is decrypted using a digital key.

Unfortunately the Heritage Company has not been the only ransomware victim in recent times. Over the past year, ransomware  has become increasingly common among small sized businesses. In August of 2019, Wood Ranch Medical, a medical clinic located in California, announced that it was a victim of a ransomware attack. The attack had a widespread impact on the company’s IT infrastructure including its servers and backups, where personal client information was stored. On December 17^th 2019, the clinic closed as a result of the damages, stating that the records that were encrypted were lost and could not be recovered.

Ransomware attacks are now targeting backup systems

Ransomware attacks rely on the leverage of releasing encrypted data to extort money from victims. Therefore, if the victims have up-to-date backups of all the sensitive information, it eliminates the pressure point that attackers use. Knowing this, ransomware attacks have started to target the backup systems of victims as well, as illustrated by Wood Ranch Medical. In particular, since mid 2019, data backup manufacturers began warning customers that ransomware attackers were now targeting Network Attached Storage (NAS) devices.

Does paying the ransom fee guarantee safe release?

There have been many instances where encrypted data has not been released even after ransom has been paid. These strains of ransomware, called wipers, are designed to simply destroy the data. An example of a wiper ransomware is “NotPetya”. However, because the victim has no way of guaranteeing that the data cannot be restored, ransom payment is still the only option in many attacks.

Learn more about NotPetya and other ransomware strains by calling us today at 888 366 4443 or emailing us at info@gige.ca

Cloud computing grew drastically in 2019. However, cloud security has dragged behind in development which has resulted in some of the most devastating cyberattacks in history.

In traditional offline computing, programs and data are stored locally on a machine. On the organizational scale, data may be stored and shared on local servers that are linked to office devices within an enclosed network.

Cloud computing changes this model – instead of keeping files and programs stored locally, they are instead running on servers of tech giants such as Microsoft and Amazon and are transferred in real time to local machines over the internet. Common cloud computing platforms include Microsoft Azure, Amazon Web Services (AWS), and Google’s Compute Engine.

 

SaaS, Paas, and IaaS

There are three major types of cloud computing services. Saas, or Software as a Service, involves running programs via a web browser instead of on a local machine. An advantage of this is that end users no longer have to download update packages and that app speed is only depends on internet speed.

IaaS, or Infrastructure as a Service, includes components such as servers, storage, and networking.

Finally, PaaS, or Platform as a Service, is used by software developers to build applications.

There are many advantages to cloud computing. For businesses, cloud computing is a much more flexible and scalable option compared to on-premise solutions. Furthermore, cloud computing opens the door for many pay-as-you-go computing models, eliminating the need to purchase perpetual software.

Security Threats of Cloud Computing

The rapid growth of cloud computing – and the failure of cloud security to keep pace – has resulted in a number of devastating cyberattacks this year.

In July 2019, Capital One announced that it had suffered a data breach affecting over 100 million of its customers.

APIs are a new security weakpoint

APIs, or Application Programing Interfaces, are the channels through which a computer can communicate with a cloud service. APIs have become a vulnerability that is often exploited by cyberattackers when targeting cloud based systems.

GIGE ensures that your company is fully prepared for the cloud cyber threats that will come in 2020. Get started with us now by calling +1 888 366 4443 or emailing us at info@gige.ca

VPNs, or Virtual Private Networks, is a secure connection between computers over the internet. It allows for data to be transferred among computers in a more secure environment than over a public network. Alex Seymour, a cybersecurity researcher at Immersive Labs, recently discovered two new VPN vulnerabilities in Aviatrix VPN: a VPN service used by enterprises such as NASA.

Seymour notes that the two vulnerabilities, named CVE-2019-17387 and CVE-2019-17388 should serve as “a wakeup call for the industry”, as VPNs are often regarded as a highly secure aspect of security solutions.

 

How dangerous are the vulnerabilities?

CVE-2019-17387 affects the operating systems Windows, Linux, and macOS. The exploit allows for cyberattackers to execute arbitrary code with elevated access. It does this by exploiting the certificate validation process that Aviatrix uses to legitimize users. By gaining access to this, sit can recreate certificates and execute code.

CVE-2019-17388 affects Windows and Linux. Seymoure discovered that on Linux operating systems, file modification privileges are weak and allow for elevated code modifications. Meanwhile on Windows systems, it was discovered that legitimate services could be replaced by malicious processes.

While the two VPN vulnerabilities described above only pertain to the Aviatrix VPN, Breakpointing Bad and the University of New Mexico have recently released information a vulnerability that allows cyberattackers to breach any VPN connection. They described the process as follows: First an attacker identifies the IP address of the VPN target. Then, the IP is used to determine the status of active connections. Finally, access the TCP session using unsolicited packets sent to the connection.

In addition to releasing information on the method of attack, the researchers also released notes on some a common method of protection: reverse path filtering Significantly, they noted that turning reverse path filtering may not be enough to prevent a VPN hijack due to the fact that the first two stages can still be successfully carried out

Don’t leave yourself unprotected against VPN exploits. Call GIGE IT Solutions at +1 888 366 4443 or info@gige.ca for more information on how to protect yourself.

Dexphot is a malware that has raised concern over its complex strategy of avoiding detection.

First detected in October 2018, Dexphot is a strain cryptojacking malware. Cryptojacking malware is defined by its main goal of secretly hijacking computer resources in order to generate digital currencies for the cyberattacker. The victim’s computer suffers slowdowns, and is at risk of overheating due to overuse of computer resources. You can learn more about the impacts of cryptojacking infection in our article here.

How is Dexphot designed to avoid detection?

Microsoft states that Dexphot exploits a combination of back-end processes in order to avoid detection by antivirus software. These include PowerShell, DLL, and MSI. By exploiting these three processes, Dexphot is able to use polymorphism to exist in many different forms, making file-based detection difficult.

MSI

MSI is short for Windows Installer packages. Dexphot avoids malware detection by using hundreds of unique URLs to install the malware onto victims’ computers. According to Microsoft, over 200 URLs that have been used to download Dexphot have been identified.

Furthermore, Dexphot is able to detect the presence of antivirus software during infection. If it discovers that antivirus is installed, it automatically stops the installation process.

DLL

DLL, or Dynamic Link Libraries, is a useful process that helps with code modularization, and efficient use of computer resources. However, malware such as Dexphot can exploit DLL to hide their malicious activity.

After installation, Dexphot exploits DLL in order to unpack 3 malicious files onto the victim’s computer. 2 of these files monitor and protect the 3^rd file, which executes the cryptojacking.

These 3 malicious files use a technique called “hollowing” in order to avoid detection. This involves hijacking legitimate processes and hiding malicious code in otherwise legitimate code execution. Specifically, Dexphot hijacks the processes svchost.exe, nslookup.exe, and setup.exe files in SysWoW6.

What is PowerShell?

PowerShell is a tool that is pre-installed in Windows operating systems. Its purpose is executing code, often directly from computer memory without using the disk. The danger of malware abusing PowerShell is that exploits can leave little to no evidence, making it both difficult to detect and to trace.

Dexphot exploits PowerShell in the event that it is ever compromised by antivirus software. If this occurs, Dexphot will initiate a self-termination and reinfection process that relies on PowerShell.

Microsoft states that its new Defender Advanced Threat Protection uses behaviour based detection in order to detect malware such as Dexphot. As described above, Dexphot is difficult to detect using a file-based detection strategy, as it can appear in many forms.

Don’t fall victim to malware like Dexphot. Contact us at +1 888 366 4443 or info@gige.ca to learn more about how to protect yourself.