network security | GIGE IT Solutions: IT Services Mississauga
https://gige.ca/tag/network-security
IT Services & IT Solutions Mississauga & Toronto
Wed, 20 May 2020 14:32:34 +0000

SSH Key Malware Is Spreading
https://gige.ca/ssh-key-malware
Thu, 20 Feb 2020 15:34:42 +0000

What are SSH Keys?

SSH, or Secure Shell, is a method used to establish a secure login between two systems. It is widely used across many operating systems. Using an SSH key, an IT administrator can gain access to servers and computers. Because SSH keys do not expire, an unauthorized individual in possession of an SSH key to a server can be a cybersecurity risk, as they would be able to gain access to the organization.

SSH malware is now widely available

Previously, SSH backdoor malware was only used by highly organized cyberattacker threats. However, in recent times it has been observed more widely in the wild. SSH key backdoor malware is now available to anybody who browses the dark web.

Often, as in the case of malware strains such as Trickbot and CryptoSink, cyberattackers abuse known vulnerabilities in operating systems or software in order to gain a foothold in a company’s infrastructure. An example of this is CVE-2014-3120, a vulnerability that allowed cyberattackers to run arbitrary code on a victim’s system.

New vulnerabilities such as CVE-2014-3120 are constantly being discovered and repaired by software engineers and cyber security professionals. It is essential that you patch your computers to the latest software to keep them protected from such vulnerabilities.

Monitoring and updating outdated SSH keys is another effective method of preventing cyberattacks. By doing so, cyberattackers would not be able to create malicious SSH keys to gain access to your organization’s systems. Furthermore, as with defending against all types of cyberattacks, time is an important resource. The faster your IT management can catch the vulnerability, the less damage a cyberattacker can do.

Don’t fall victim to SSH backdoor malware. GIGE’s cybersecurity experts have over 30 years of experience in auditing and protecting organizations’ networks. We can help your organization identify and rectify vulnerabilities in your network. Call +1 888 366 4443 or email us at info@gige.ca to get started with us today.

The Emotet Trojan Malware Is Spreading Through Wifi
https://gige.ca/emotet-trojan-malware
Thu, 13 Feb 2020 17:09:05 +0000

The Trojan malware strain known as Emotet has been in circulation ever since 2014. Early versions of the malware aimed to steal sensitive information or credentials after infecting victims’ computers.

Up until recently, it was believed that the only way that Emotet trojan could infect a computer was through malicious email links. However, it was recently discovered that it can now propagate itself through wifi networks.

It was discovered that once the Trojan malware has infected a PC, it can automatically spread through a connected wifi network by detecting the network and brute forcing its credentials.

Once the malware gains access to the wifi network, it then infects other PCs connected to it, stealing personal information or installing further malware such as ransomware onto the systems.

Who is at risk?

When Emotet was first detected, cyberattackers were largely using it to target banking customers in Europe. Its scope has since expanded and now includes individuals, businesses, and governments.

What are best practices to keep yourself protected?

The Emotet malware uses brute force attacks to gain access to wifi networks. A brute force attack ‘guesses’ the correct credentials through rapid trial-and-error, relying on a repository of previously cracked and common passwords in order to cut down the time required. A recent brute force attack cost an unnamed Canadian company $1M. You can read more about that attack in our article here. In light of this, it is essential to ensure that your organization changes the default passwords on all its network devices. Leaving the credentials unchanged increases the likelihood that a device can be breached by a cyberattacker using brute force.

Maastricht University Hit By Clop Ransomware, Pays $220 000 USD for Decryption
https://gige.ca/netherlands-university-clop-ransomware
Wed, 12 Feb 2020 18:35:11 +0000

Netherlands’ Maastricht University was hit by a ransomware attack on December 23rd, 2019. The university paid the cyberattackers 30 bitcoins, worth around $220 000 USD, in order to restore the infected computers to working condition.

The ransomware malware strain, called “Clop ransomware”, encrypted 267 of the university’s Windows servers, including backups. The University’s full infrastructure consists of 1647 servers running either Linux or Windows, and 7307 workstations. The university reported that it has several network security measures in place including firewalls, antivirus, and spam filters, but that the ransomware was able to bypass these measures through two phishing emails on October 15th and 16th 2019.

The university stated that despite the IT department constantly receiving alerts on security threats, there is still a need for more education on avoiding phishing techniques to help alleviate the constant pressure of cyberattack. For tips on how to detect phishing emails, read our article on the topic here.

Nick Bos, VP of Maastricht University, discussed the decision to pay the ransom to the attackers. He stated that while the University does not ethically stand by the act of succumbing to ransomware extortion, it ultimately made the decision to pay the ransom to minimize the damage that the attack would have on its students’ education, staff, and researchers.

What can we learn from this attack?

  1. Phishing attacks are as prevalent as ever, and can lead to significant financial damage to an organization. Any organization’s firewall is only as strong as its weakest link. As shown in the Clop Ransomware attack, even a network that is protected by antivirus and spam filter software can be penetrated if a malicious link is accidentally clicked on by an employee. Therefore, employee education on common phishing methods and signs to look out for should still be a top priority for your organization’s cybersecurity strategy.
  2. Following the attack, Maastricht University employed Fox-IT to conduct an independent investigation on the incident. In their audit, Fox-IT discovered that the malware was able to leverage a server that was missing critical patches that fixed known vulnerabilities. Exploiting this single security hole allowed the attackers to spread the malware to 267 Windows servers. This highlights the importance of keeping your organization’s server OS up-to-date.

GIGE IT Solutions can keep your organization protected from ransomware. We manage all your servers and workstations to ensure that they are always up-to-date and protected from malware such as ransomware. Call us at +1 888 366 4443 or email us at info@gige.ca to get started.

Microsoft Exposed 250 Million Customer Support Logs
https://gige.ca/misconfiguration-microsoft-data-leak
Wed, 29 Jan 2020 18:42:51 +0000

Microsoft recently announced that customer data was leaked following a permissions misconfiguration in its internal systems. The misconfiguration occurred on December 5th 2019. It was repaired on December 29th after Cybersecurity Professional Bob Diachenko discovered the leak and alerted the company on that same day.

Microsoft assured the public that most of its sensitive data is automatically redacted. However, customer email addresses were leaked to the public.

Diachenko discovered that Microsoft’s internal customer support data was available to the public on Elasticsearch servers. Diachenko found 250 million records of customer support data. The discovered data included logs of customer support tickets since 2005. Data in the logs included emails of both the customer support agents and customers. It also included IP addresses and geographic locations. However, Diachenko could not confirm whether the data was actually accessed by unauthorized individuals, only that it was available to be accessed without needing any credentials.

Microsoft states that the leak is not indicative of a lack of security on its Azure servers. It assured the public that it has many solutions available to prevent these cloud misconfigurations from occurring, but that these were not implemented on its own internal customer support system.

In response to the misconfiguration, Microsoft stated that it will employ several additional security measures to ensure that it does not occur again. These include conducting an official audit of its internal systems, adding stricter information redaction, and increasing its efforts to detect misconfigurations and alerts.

Don’t fall victim to data misconfigurations. Our team of cybersecurity experts has years of experience in identifying potential misconfigurations and vulnerabilities in business networks. We can help your business find and repair security vulnerabilities in your infrastructure before they become sites for cyberattack. Call us at +1 888 366 4443 or email us at info@gige.ca to get started with a consultation today.

Ransomware Cyberattackers Now Releasing Stolen Data To The Public
https://gige.ca/maze-ransomware-new-ransomware-strategy
Fri, 20 Dec 2019 15:00:43 +0000


Cyberattackers using ransomware for money extortion have recently adopted a new strategy to force victims into succumbing to their threats – releasing sensitive stolen information to the public. This new strategy was brought to light by a recent cyberattack by the Maze Ransomware strain.

Typically, ransomware cyberattacks force victims to pay ransom fees by locking and encrypting their files behind paywalls. If the business or government that is hit does not have sufficient backups, they suffer major damages to productivity. Because the cost of the attack increases with each passing day that productivity is lost, these organizations opt to pay the ransom fee in order to resume daily functions. While cyberattackers also often threaten to release the files to the public, it is often believed that these threats were bluffed and that the attackers did not actually have access to the files.

The Maze Ransomware confirmed that cyberattackers can indeed access and release the files to the public. In a recent ransomware attack involving the “maze ransomware” this November, victim company Allied Universal refused to pay a ransom fee of 300 bitcoin (around $2.5 Million USD at the time). The cyberattackers then followed through on their threats and released around 700 MB of sensitive data to the public.

 

How are computers being infected with Maze?

Cybersecurity professional Jerome Segura discovered that Maze Ransomware was being spread via a fake cryptocurrency exchange webpage. It is believed that the ransomware was being distributed alongside another exploit, the “Fallout exploit kit”, which exploits security holes in Adobe Flash and Windows OS.

Another method of transmission is through malicious email attachments. An example of this was discovered by cybersecurity professional JAMESWT, who discovered a phishing campaign that targeted the Italian population by pretending to be the Italian revenue agency.

Previously, maintaining updated backups was a sufficient best practice to protect against ransomware attacks, as the attackers’ leverage hinged on the amount of damage done to company productivity. In light of the new strategy of data leakage, ransomware protection has to put greater emphasis on preventative measures rather than reactive measures.

This can include strategies such as:

- Educating your employees on proper cyber hygiene and signs to look for when identifying fake emails

- Maintaining strict information privilege matrices in the company so that sensitive data is kept on a need-to-access basis

- Strengthening firewalls and keeping software up-to-date

GIGE IT Solutions specializes in designing and managing your IT security for your company. Don’t be the next ransomware victim, and call us at +1 888 366 4443 to get started right away.

Employees Maliciously Cause Data Breaches at American Express and Yahoo
https://gige.ca/insider-threats-data-breaches-american-express-yahoo
Mon, 07 Oct 2019 18:17:48 +0000


In two separate incidents, U.S. companies American Express and Yahoo have both been affected by data breaches of their clients’ personal information. Both attacks were the result of insider threats – a type of cyberattack caused by an internal person in the company.

The American Express Incident

American Express stated that data that was leaked included names, addresses, birthdays, SSNs, and account information of its customers. On September 30th, the company began distributing a Notice of Data Breach to affected individuals. In the notice, American Express stated that the information was maliciously accessed by one of its own employees. The employee, who is no longer at American Express, accessed the data with intent for fraudulent use.

The Yahoo Incident

In another incident, a Yahoo software engineer pleaded guilty to illegally accessing 6000 Yahoo accounts. The engineer stated that they specifically targeted accounts that belonged to women. Personal images and videos of the hacked accounts were downloaded onto a hard drive in the perpetrator’s home computer. The engineer also stated that they destroyed the data when an investigation began. Yahoo stated that the engineer is no longer working for the company.

 

What is an Insider Threat?

We often hear of cyberattacks as an external threat, and that our data is safe as long as our firewalls and backups are protected from the outside. However, a study conducted by McKinsey on data breaches between 2012 and 2017 showed that 50% of reported data breaches are attributable to internal employees. 44% are associated with negligent threats, and 6% with malicious threats.

A negligent insider threat occurs when an employee unknowingly or carelessly causes a malware attack on the company. In negligent insider attacks, the employee does not have malicious intent when compromising the company. Examples of this include clicking on a malicious link in an email and connecting a compromised device to the company network.

To mitigate the risk of negligent insider threats, hold frequent seminars on cyber hygiene, recognizing symptoms of phishing, and signs of malware infection. Furthermore, network segmentation ensures that even if part of your network becomes affected, critical areas remain secure. For more information on best practices on cybersecurity, navigate to our article here.

A malicious insider threat is characterized by deliberate malevolent intent. These types of insider attacks are particularly dangerous to the company, as insiders often have detailed knowledge of internal protocols and security measures in place. One of the most common strategies used against this type of attack is employee monitoring software. This software detects ‘abnormal’ activity on an employee’s computer and reports it back to a system administrator. However, there are many disadvantages to this solution. In addition to the concerns for privacy and misuse, alerts are very prone to false positives. Furthermore, this is a reactionary strategy, meaning that the attack has already occurred when the administrator gets a notification. One of the ways to counteract the privacy concerns is by using microsegmentation – a strategy that involves monitoring groups of PCs instead of individuals. Microsegmentation also reduces load on system administrators as they will have fewer systems to monitor and manage.

We can help you identify areas of vulnerability in your network. Contact us at +1 888 366 4443 or info@gige.ca for a consultation today.

VPN Devices Need Patching: New Vulnerabilities Have Been Discovered
https://gige.ca/vpn-devices-vulnerabilities
Fri, 06 Sep 2019 14:35:10 +0000


The Canadian Centre for Cybersecurity recently stressed the importance of keeping VPN devices up-to-date. Because VPN devices act as points of contact between a network and the internet, they are particularly vulnerable to cyberattack.

The Centre for Cybersecurity identified four types of VPN that are particularly vulnerable: Fortinet FortiGate, Palo Alto GlobalProtect, Pulse Connect Secure, and Pulse Policy Secure. Vulnerabilities in these VPN services can allow attackers to do anything from changing passwords of user portals to downloading malicious files onto the victims’ computers. For example, Palo Alto GlobalProtect VPN is susceptible to a vulnerability called CVE-2019-1579 which, when exploited, allows attackers to execute unauthorized code on a computer without the permission of the user.

Troy Mursch, an independent researcher, stated that over 14 000 Pulse Secure VPN endpoints were still susceptible to the CVE-2019-11510 vulnerability. It was found that industries including military, government, universities, and hospitals are still affected.

These vulnerabilities were discovered by DEVCORE researchers during the recent Black Hat USA 2019 Conference – a computer security event with a focus around training and briefing. Prior to announcing the vulnerabilities to the public, the researchers disclosed their findings to the affected developers so official fixes would be released simultaneously.

Between April and July this year, several patches fixing the vulnerabilities were released by Fortinet, Palo Alto Networks, and Pulse Secure.

Protecting Yourself from VPN vulnerabilities

When known vulnerabilities are announced to the public, it is essential that you update your affected systems to the latest patches. Cyberattackers are constantly scanning the internet for endpoint devices that are unprotected. Many are now automating this process, making the threat more immediate than ever.

GIGE IT Corporation’s network security technicians have years of experience designing and deploying security solutions for businesses. Don’t leave yourself vulnerable to cyberattack – contact us at info@gige.ca or 888 366 4443 to get started with us immediately.

106 Million Affected By Capital One Data Breach
https://gige.ca/capital-one-data-breach
Fri, 09 Aug 2019 19:09:23 +0000


In one of the largest financial data theft incidents in history, Capital One Financial Corporation reported on July 19th 2019 that around 106 million of its clients’ data was leaked due to cyberattack. Of the affected, 100 million are located in the U.S. and 6 million in Canada.

Capital One announced that personal client information between 2005 and 2019 was among the information that was illegally accessed. Leaked data included dates of birth, names, emails, addresses (including zip/postal codes), phone numbers, and reported incomes.

Furthermore, customer data including credit scores and limits, account balances, payment histories, and personal contact info were also leaked. 140 000 SSNs and 80 000 bank account numbers were also illegally accessed.

Capital One estimates that the cost of the attack will be between $100 and $150 million, mostly consisting of legal fees, IT monitoring costs, and expenses to notify affected individuals.

The attacker was able to gain access to the Capital One data storage platform – a proprietary web application built off Amazon’s cloud services. Amazon stated that it was not their cloud services that were compromised, as Capital One was fully responsible for the development and maintenance of its own custom platform.

 

On July 29th 2019 the cyberattacker behind the data breach, a Seattle resident under the online alias “Erratic”, was arrested for illegally accessing the Capital One databases. “Erratic” was a former Amazon employee.

Following an e-mail tip, it was discovered that the attacker’s GitHub account contained the confidential data that was leaked from Capital One.

 

Was the data breach preventable?

There are several key security best practices that could have prevented the data from being leaked.

Firstly, regular IT security audits could have identified and diagnosed the misconfiguration in the system before it was exploited. Performing penetration testing will also help in determining the robustness of your security systems.

The Capital One breach was the result of a misconfigured web application firewall (WAF). Under normal circumstances, the WAF would have blocked access from unknown IP addresses like the one used by the attacker. The breach occurred because the misconfiguration went unnoticed.

 

Protect the Decryption Key for critical data.

Encryption is the security measure of scrambling data into an unreadable format that can only be unscrambled by a decryption key. In this case, the attacker was also able to gain access to the means to decrypt the company’s data. This illustrates the importance of protecting the decryption key and keeping it in a separate location that cannot be accessed by cyberattackers.

 

Do not store archived data online

A portion of the accessed data in the Capital One hack dates back 2 decades. Keeping this archived data online is not only costly, but also poses a significant security threat, as it is vulnerable to cyberattack.

Are your networks safe from cyberattack? GIGE’s IT technicians have over 30 years of experience designing and testing network infrastructure. Call us at +1 888 366 4443 or send us an email at info@gige.ca to get a network security audit.

A Windows BlueKeep Exploit Is Now Commercially Available
https://gige.ca/a-windows-bluekeep-exploit-is-now-commercially-available
Wed, 31 Jul 2019 16:21:29 +0000


Immunity Inc., an IT security consulting company, announced that a BlueKeep Exploit will now be included in CANVAS – the company’s commercially available security penetration-testing tool.

BlueKeep is a security vulnerability that affects Windows 7, Windows 2003, Windows XP, Windows Server 2008 R2, and Windows Server 2008. Also known as CVE-2019-0708, the flaw allows attackers to exploit Remote Desktop Protocol (RDP) in order to execute code on a victim’s computer without their permission. After infiltration, attackers are able to do everything from installing malicious software to stealing personal information. Microsoft patched the critical vulnerability on May 14th 2019 through a security update, but cybersecurity company BitSight still estimates that over 800 000 computers are still vulnerable as of July 2nd 2019.

Chris Day, Chief Cybersecurity Officer of Immunity Inc.’s parent company Cyxtera, states that the BlueKeep Exploit included in their penetration kit is not self-propagating. This means that if infection occurs during security testing, the virus does not have the ability to spread on the network.

Immunity Inc. is not the only company to have developed proprietary BlueKeep exploits. For example, cybersecurity company McAfee similarly developed a working exploit. Reverse Engineer Zǝɹosum0x0 had also done the same in June of this year. However, neither of these parties released details of their exploit, stating that it was too dangerous to release a working exploit to the public.

How do you protect yourself against the BlueKeep Exploit?

The most effective way to protect yourself against BlueKeep exploits is to ensure that you are using a supported and up-to-date operating system. If you are using one of the affected operating systems listed above, it is essential that you have installed the Microsoft update issued on May 14th, 2019. Disabling Windows’ Remote Desktop Protocol on your PC and enabling Network Level Authentication will also make it more difficult for cyberattackers to infect your computer, but does not provide absolute protection against BlueKeep attacks.

We can help audit, design, and deploy customized internet security solutions to make sure your data is secure. Call us at +1 888 366 4443 or email us at info@gige.ca to learn more.

Watch Out! Supply Chain Attacks are on the Rise
https://gige.ca/watch-out-supply-chain-attacks-are-on-the-rise
Tue, 12 Mar 2019 13:44:14 +0000


In a recent report, Microsoft has stated that supply chain attacks have become an increasingly pressing concern for cybersecurity professionals.

What are Supply Chain Attacks?

Computer software is constantly updated by developers. These updates are released to the public through cycles of patches. A supply chain attack is a type of cyberattack that infiltrates a victim’s computer through one of these updates.

By hacking into a software developer’s update code before it is released to the public, cyberattackers are able to avoid detection by antivirus protocols that are designed to allow these updates from trusted developers through their firewalls. In the past few years, this type of cyberattack has become more and more prominent, as illustrated by these following examples.

In June 2017, more than 10 000 computers in Ukraine were infected by a ransomware known as Petya. Ransomware is a type of malware that locks sensitive data behind ‘ransomwalls’ and demands payment for its safe release. In its investigation, Microsoft uncovered that the attack originated from a hacked patch of the tax-accounting software MEDoc. It is now known that the attackers had illegally inserted a line of malicious code into one of its patches.

Three months later in September 2017, CCleaner, a software that unclutters old computer files, was also hacked through a supply chain attack. The software’s developer Piriform stated that the malware inserted into its code stole sensitive data from victims’ computers and sent it to the cyberattacker’s computer.

A Growing Threat towards Cloud Computing

As the percentage of computers relying on cloud computing and online data storage grows, so too does the threat of cyberattacks such as supply chain attacks. We are already seeing devastating damage being done to cloud servers with this kind of cyberattack. For example, Docker Hub, a cloud-storage service, was hacked in mid-2018 – an attack that led to over 5 million infections.

Because it is often difficult for antivirus software to detect these attacks, Microsoft suggests that companies need to develop countermeasures to handle post-infection scenarios to protect themselves against Supply Chain cyberattack. An example of this is using network segmentation, which involves keeping critical computers permanently disconnected from the company network, so that it is not in danger even if a virus were to infect the main server.

Do you need help setting up or protecting your servers? Our technicians at GigE can help. Our networking solutions can help your company protect itself from cyberattack. We also provide IT consulting to help you identify weak points in your network. Call us today at +1 888 366 4443!
