Cyberattackers using ransomware for money extortion have recently adopted a new strategy to force victims into succumbing to their threats – releasing sensitive stolen information to the public. This new strategy was brought to light by a recent cyberattack by the Maze Ransomware strain.

Typically, ransomware cyberattacks force victims to pay ransom fees by locking and encrypting their files behind paywalls. If the business or government that is hit does not have sufficient backups, they suffer major damages to productivity. Because the cost of the attack increases with each passing day that productivity is lost, these organizations opt to pay the ransom fee in order to resume daily functions. While cyberattackers also often threaten to release the files to the public, it is often believed that these threats were bluffed and that the attackers did not actually have access to the files.

The Maze Ransomware confirmed that cyberattackers can indeed access and release the files to the public. In a recent ransomware attack involving the “maze ransomware” this November, victim company Allied Universal refused to pay a ransom fee of 300 bitcoin (around $2.5 Million USD at the time). The cyberattackers then followed through on their threats and released around 700 MB of sensitive data to the public.

 

How are computer being infected with Maze?

Cybersecurity professional Jerome Segura discovered that Maze Ransomware was being spread via a fake cryptocurrency exchange webpage. It is believed that the ransomware was being distributed alongside another exploit, the ‘Fallout exploit kit”, which exploits security holes in Adobe Flash and Windows OS.

Another method of transmission is through malicious email attachments. An example of this was discovered by cybersecurity professional JAMESWT, who discovered a phishing campaign that targeted the Italian population by pretending to be the Italian revenue agency.

Previously, maintaining updated backups was sufficient best practice to protect against ransowmare attacks, as their leverage hinged on the amount of damage that is done to company productivity. In light of the new strategy of data leakage, ransomware protection has to put greater emphasis on preventative measures rather than reactive measures.

This can include strategies such as:

-Educating your employees on proper cyber hygiene and signs to look for when identifying fake emails

-maintaining strict information privilege matrices in the company so that sensitive data is kept on a need-to-access basis.

-strengthening firewalls and keeping software up-to-date

GIGE IT Solutions specializes in designing and managing your IT security for your company. Don’t be the next ransomware victim, and call us at +1 888 366 4443 to get started right away.

Malware, or malicious software, is any piece of software that is developed with malicious intent. There are many strains of malware that do everything from stealing sensitive data to locking files behind ransom walls.

There are many ways that a computer can become infected with malware. Many of these, such as phishing, rely on user mistakes. Phishing is a method of infecting a computer with malware by attaching fraudulent links or attachments to emails, pretending to be sent from legitimate sellers. Once the user clicks on the fake link, a malicious file is downloaded onto the victim’s computer.

Once a malware infiltrates a computer, it often communicates back with the cyberattacker’s terminal through the internet.

The effects of malware depends on the strain that is used. For example, ransomware is a specific type of malware that encrypts the files on a victim’s computer and demands a ransom to be paid, often in digital currencies, for the data to be released.

Another type of malware is called a botnet. This type forces groups of infected computers to become under the control of the cyberattackers, who then uses the botnet for further malicious activity such as launching Denial of Service (DOS) attacks on other targets.

 

Worm Capability

Some malware have worm capability – this is a functionality that allows it to spread to other computers without user input. This makes worming malware extremely dangerous, as it can spread throughout entire networks without being detected.

An example of a worm-capable malware was Wannacry – a ransomware that was able to infect over 100 000 computers within 24 hours in May of 2017.

 

How do you Stop It?

Keep admin privileges on a need-to-have basis

In general, the less administrative privileges that a company’s computer has, the less of a weak point it is to the network as whole. It is important to keep administrative rights to only a few management devices, so that it is less likely that a key target computer becomes infected.

 

Segmenting your network with air gaps

As described above, worm malware can spread itself across a network without user input. The most secure way to protect your sensitive devices is by disconnecting them completely from the network. That way, if one segment becomes infected, you can be sure that another segment is still secure. Don’t fall victim to cyberattack – let our network experts help you design custom security solutions to keep your company’s data safe.

The Canadian Centre for Cybersecurity recently stressed the importance of keeping VPN devices up-to-date. Because VPN devices act as points of contact between a network and the internet, they are particularly vulnerable to cyberattack.

The Centre for Cybersecurity identified four types of VPN that are particularly vulnerable: Fortinet Forigate, Palo Alto GlobalProtect, Pulse Connect Secure, and Pulse Policy Secure. Vulnerabilities in these VPN services can allow attackers to do anything from changing passwords of user portals to downloading malicious files onto the victims’ computers. For example, Palo Algo GlobalProtect VPN is susceptible to a vulnerability called CVE-2019-1579 which, when exploited, allows attackers to execute unauthorized code on a computer without the permission of the user.

Troy Mursch, an independent researcher, stated that over 14 000 Pulse Secure VPN endpoints were still susceptible to the CVE-2019-11510 vulnerability. It was found that industries including military, government, universities, and hospitals are still affected.

These vulnerabilities were discovered by DEVCORE researchers during the recent Black Hat USA 2019 Conference – a computer security event with a focus around training and briefing. Prior to announcing the vulnerabilities to the public, the researchers disclosed their findings to the affected developers so official fixes would be released simultaneously.

Between April and July this year, several patches fixing the vulnerabiltiies were released by Fortinet, Palo Alto Networks, and Pulse Secure.

Protecting Yourself from VPN vulnerabilities

When known vulnerabilities are announced to the public, it is essential that you update your affected systems to the latest patches. Cyberattackers are constantly scanning the internet for endpoint devices that are unprotected. Many are now automating this process, making the threat more immediate than ever.

GIGE IT Corporation’s network security technicians have years of experience designing and deploying security solutions for businesses. Don’t leave yourself vulnerable to cyberattack – contact us at info@gige.ca or 888 366 4443 to get started with us immediately.

Due to major strides in cybersecurity protection in the past few years, cyberattackers have needed to find alternate methods of infiltrating victims’ computers. One strategy that has seen a recent increase is the exploitation of programs that already exist on victims’ computers – a strategy called “Living off the Land”. IBM has stated that over 57% of cyberattacks in 2019 have used this strategy to avoid detection by antivirus software. Furthermore,  a recent study IBM also discovered that one of the most common tools exploited by cyberattackers is a software called Powershell. So how do cyberattackers exploit your programs?

What does Powershell do?

The main function of Powershell is to automate system tasks and allow for computer administrators to access and manage computers remotely. This provides massive productivity advantages, as administrators can manage and repair computer problems regardless of the system’s location. Other features of Powershell include tasks such as network sniffing, which similarly improve IT workflows for system administrators.

Microsoft has preinstalled PowerShell on all its Windows systems since 2005, and since 2016 the software has become widely available on other operating systems as well.

How can it be exploited?

There are many characteristics of Powershell that make it a prime target that cyberattackers exploit. Most importantly, it is widely installed due to the fact that it is prepackaged on Windows systems. Furthermore, it has the ability to bypass the usual security walls by accessing memory directly.

One strategy used by cyberattackers is to leverage Powershell as a malicious downloader to install and propagate malware. For instance, the Trojan.Kotver malware exploits Powershell by installing advertisements onto a system without the victim’s permission. In this case, the cyberattacker would benefit from the revenue generated by the victim’s non-consensual advertisement views.

Another malware that exploits Powershell is PowerGhost. This malicious software installs cryptomining software onto the victim’s computer, essentially cryptojacking the infected system.

How do you protect yourself?

While cyberattackers can leverage frameworks like Powershell in their cyberattacks to avoid detection, initial infection often still uses more traditional methods such as phishing or social engineering. Therefore, the best way to protect yourself is to become aware of the threats and tell-tale signs of phishing attacks. With that said, there are also many strategies to reduce the vulnerability that comes with using Powershell.

Firstly, ensure to disable Powershell altogether if it does not assist in your organization’s IT operations. If it must be used, ensure to constantly keep track of its activity to identify suspicious commands. Be particularly vigilant for activity coming from unknown locations or at strange times. Also, make sure the latest version of Powershell is installed, as outdated versions pose an even greater security threat.

Do not fall victim to cyberattack. Call us at +1 888 366 4443 for more information on how to keep yourself safe.

Phishing scams are a type of cyberattack that is designed to steal sensitive data such as login credentials and credit card information. The term ‘phishing’ originates from the word ‘fishing’, due to the cyberattack strategy using ‘baits’ to lure out victims.

Often, phishing scams will be distributed through fraudulent email addresses that direct users to fake websites. By posing as legitimate companies, cyberattackers trick victims in to typing their credentials into fake websites that send the information directly to them.

While most phishing scams are non-personal and widely distributed, ‘spearphishing’ is a strategy that targets specific companies or groups of high-level individuals within organizations. By specifically tailoring the emails to these people, these fake emails become even more difficult to detect.

Recent phishing attacks are getting sneakier

A recent phishing attack posed as a Denver-based law firm and targeted the company’s clients. The fraudulent email asked victims to follow a link to download an “important PDF”. When clicked,  this link redirected them to a fraudulent site where they would be prompted to enter their office 365 login credentials. Once they entered the information, it would be sent to the cyberattacker. Finally, they would be redirected to the legitimate Microsoft site.

Significant to this attack is the fact that the fraudulent website was actually running on a legitimate SSL certificate and was hosted on a domain that was under Microsoft. Therefore, it was even more difficult to detect than normal phishing attempts.

Protecting yourself against phishing

The most effective way of protecting your organization from phishing scams is to educate your staff on how to spot the signs of a fraudulent email. Some common tells include spelling or grammatical errors, inconsistent capitalization in the subject line, or suspicious sender email addresses. If employees are vigilant of these warning signs, the effectiveness of phishing scams in your organization will decrease significantly. In light of the most recent phishing scam using a legitimate SSL certificate on a fraudulent site, it is also important to educate your employees on the methods of identifying object store URLs on Azure, AWS, and GCP.

In addition to being able to recognize common phishing strategies, it is also important to ensure that all company computers are running up-to-date antivirus software. It is also beneficial to actively keep track of cloud accounts in order to detect suspicious activity.

GigE Solutions can help you educate and protect yourself against phishing scams. Contact us today at +1 888 366 4443 or learn more about our IT security services here.

CEO Fraud, or Business E-Mail Compromise (BEC), is an e-mail scam that aims to trick business employees into transferring money or sending sensitive information to a fraudulent account. In a recent study conducted by the Internet Crime Complaint Centre, it was found that these email scams have resulted in financial damages of more than $5 billion across the world between 2013 and 2016.

Highly Varied Impersonation Strategies

The fraudulent emails are often sent from either hacked accounts of legitimate employees, or spoofed email accounts that impersonate company emails using forged banners and signatures.  While a study conducted by Barracuda Networks discovered that 43% of the 3000 studied emails impersonated high-standing positions such as CEOs, the remainder of the attempts pretended to be general employees or people working in areas such as finance or human resources. Therefore, BEC dangers are not only limited to emails from high-level employees, and cannot be prevented by only protecting these accounts.

Another significant aspect of Business E-mail compromise is the fact that the fraudulent emails often do not contain suspicious direct hyperlinks. Therefore, common spam filters used by email providers are not able to easily filter out these emails.

Similarly to the varied impersonation strategies, there are also many different goals in BEC scams. In the aforementioned study conducted by Barracuda Networks, it was announced that the attackers’ goals ranged from fraudulent money transfers, to encouraging individuals to navigate to infected links, to stealing sensitive information.

To help you identify CEO Fraud attempts in your inbox, we have composed a table of common impersonation strategies and attacker goals used in these scams:

 

Impersonation Strategy

Cyberattack Goal

Hack a legitimate account of a high-level employee.   Impersonate an employee using a fake email address and forged headers, footers,  and company signatures   Fake or hack an email address of a close supplier used by the company   Fraudulent emails claiming to be lawyers who have critical and urgent information about your company

Asking for money transfer to a fraudulent account pretending to be a legitimate company   Stealing personal or sensitive information such as tax forms or other company financial documents   Establishing trust with the employee for further data-theft in the future   Steal W-2 information of clients   Redirect transfer of money to a fraudulent account during an active deal between the company and a supplier

 

How do you protect yourself from Business Email Compromise Scam attempts?

With so many variants of BEC scam emails, it can be impossibly difficult to reliably identify when an email from a colleague or boss is legitimate. Instead, it is important to always approach emails asking for personal information or financial transfer with caution.

Always authenticate the validity of e-mails by directly contacting the sender over the phone or in-person. Furthermore, provide regular training sessions for employees to help them become vigilant of these scams.

Our tech experts at GigE have years of cumulative experience in I.T. security and Internet Fraud. Contact us today at +1 888 366 4443 to protect yourself against BEC.

The Zero-Day-Recovery Cybersecurity Strategy

One of the most immediate and adverse effects of a malware attack is the potential for the affected company to come to a complete productive halt. This is the case for all sorts of malware ranging from data-stealing Trojans to data-locking ransomware. Every moment that a company spends offline to deal with the infected systems compounds the financial damages of the malicious software, and in turn the leverage that the cyberattackers have on the situation.

Zero Day Recovery is a cybersecurity strategy which focuses on thoroughly testing the efficiency of backup and restore protocols. By increasing the effectiveness of these systems, a company can be assured that their data will be quickly restored in the event of a malware attack. This means that the resultant impact on their productivity would be kept to a minimum. Therefore by using this strategy the potential damages of such an incident would be drastically mitigated.

The importance of Zero Day Recovery was illustrated by a recent cyberattack that ravaged the Matanuska-Susitna Borough of Alaska. Due to the fact that their backup systems were not tested prior to the attack, many of their systems had to be kept disconnected for significant periods of time in order to isolate the spread of the virus. As a result, the staff working in the borough were forced to resort to analog typewriters and hand-writing documents while the technicians contained the breach.

The malware attack on the Matanuska-Susitna Borough was an example of a Zero-Day Cyberattack. This is an attack that exploits vulnerabilities in computer software that either have not been identified by their developers, or have not been repaired. This makes them extremely difficult to predict and defend against, due to the fact that the flaws have not yet been discovered.

The specific malware that was used during this attack was called “Emotet”. This software is dangerous for numerous reasons. Firstly, it operates as a “banking trojan” that steals sensitive information from online banking transactions. In addition to this, it is also able to infect computers with more malware. In the case of the Matanuska-Susitna attack, attackers were able to introduce a Cryptolocker ransomware which encrypted data behind ransomwalls.

The United States Computer Emergency Readiness Team (US-CERT) reported that Emotet was introduced into computers through email download links. However, it was also reported that this malware had “worm capability”, allowing it to spread itself throughout the company network after the initial infection.

Learning from the Matanuska-Susitna Borough malware attack, we are able to see that Zero-Day Recovery is an essential part to minimizing the damage that malware can cause to your organization. Due to the lack of recovery options, the productivity impact of this attack was widespread and immense.

Best Practices against Zero Day Attacks

Zero-day recovery is essential in mitigating the damage that malware can inflict on your company’s productivity. Below are some general safe practices to protect yourself from Zero-Day malware:

Firstly, always have antivirus software installed on your computer. It is essential to keep this software and other programs constantly updated, as new patches often contain security updates that repair vulnerabilities in their code.

Next, ensure that employees are well informed in identifying suspicious links in emails, as this is one of the most common methods for viruses to infect company computers. A further step that can be taken is to block the automatic download of file types such as .exe or .dll files, which are often connected with malware infection.

At GigE, our experts can help your organization protect itself against Zero-Day Attacks, and setup Zero-Day Recovery protocols. Contact us at +1 (888) 366-4443 to get started today.