Mar 18, 2019 | Blog, General, Security Bulletin
When a data breach happens on one of your systems, how fast do you think you can prevent it from spreading? Moreover, how fast do you think you need to act?
A recent threat report found that hackers from Russia were able to access critical systems in 20 minutes, the fastest in the world.
Finding and containing a breach in less than 20 minutes is not easy. In fact, the average time it takes for an organization to detect a breach is about 6.5 months (197 days), while the average time to contain a breach is 69 days. This is why when a data breach is disclosed, it’s often months after it actually occurred.
Being able to limit a data breach can prevent more data from being lost and decrease associated costs, including compliance fines. This means that companies should aim to find and contain breaches as soon as possible.
Source: Ponemon Institute
Who Detects Breaches
Being able to internally detect security alerts is important for your company. Internal detection (from security systems, IT/security experts, employees, etc.) can save your business embarrassment from lack of security self awareness and perhaps put a stop to the breach earlier. However, a majority of breaches are usually detected by external parties, such as third-party providers, law enforcement and in some cases, consumers.
Why Does Breach Detection Take So Long?
When Marriott disclosed their data breach in November last year, they said that they first learned of the breach in September 2018. That’s about two months between the disclosure and discovery. They also found that hackers had been accessing their systems since November 2014. That’s a four year gap between the initial compromise and the time they discovered the breach!
The amount of time it takes to discover a data breach depends on the type of attack. For example, stolen credit card information is often not detected until fraudulent activity is determined. In the case of a third-party breach, a company won’t know they’re at risk until they are told by the third party.
On the other hand, a cyber criminal who manages to hack privileged credentials can get away with snooping around their victim’s network undetected.
How Can I Protect My Business Data?
1. Identification: It’s important to be aware of key indicators of compromise and know how to identify them. Such signs can include: multiple log in attempts, slow internet traffic, unusual log in activities (i.e. from strange countries, unknown devices etc.), unauthorized users trying to access confidential data, etc. It’s important to teach your employees these types of signs so that they can help prevent potential attacks.
2. Detection: Using automated security tools like a SIEM system is vital in detecting potential attacks. SIEM uses behavioural analytics to detect suspicious activity across your network. It does this by collecting data from all your devices and correlating it with global threat intelligence feeds and use cases. SIEM can detect behaviours like multiple log ins, access from suspicious IP addresses and more. Automated tools like SIEM are faster than solely relying on teams to help detect threats and are therefore important in protecting your data.
3. Monitoring: In order to determine what seems suspicious, you need to monitor your networks to establish a baseline. Our Monitor IT solution provides real time reporting on your IT infrastructure and systems to ensure your infrastructure uptime availability and performance. The technicians in our Network Operations Centre will monitor your infrastructure and bring attention to availability and operating performance.
4. Prevention: Active prevention through human insight and security solutions like next generation firewalls is a continuous process. Threats are always changing and evolving, which is why it’s important to stay up-to-date. As part of your prevention process, you should conduct regular cyber awareness training for your employees so they can spot common attacks and navigate the web safely. In conjunction with that, using preventative security solutions like firewalls to block malware from entering your network.
Mar 18, 2019 | Blog, General, Security Threats
Ursnif banking Trojan
A new variant of an infamous banking Trojan malware with a history going back over ten years has emerged with new tactics to ensure it’s harder to detect.The malware aims to hunt out financial information, usernames, passwords and other sensitive data.
The Ursnif banking Trojan is one of the most popular forms of information-stealing malware targeting Windows PCs and it has existed in one form or another since at least 2007, when the its code first emerged in the Gozi banking Trojan.
Now researchers at security company Cybereason have uncovered a new, previously undocumented version of Ursnif which applies different, stealthier infection tactics than other campaigns.
This includes what researchers refer to as “last minute persistence” – a means of installing the malicious payload which tries to ensure a lower chance of being uncovered.
Source: ZDNet
How do you protect yourself?
Proper security measures must be in place to defend against Ursnif banking Trojan and similar threats. Having proper up-to-date endpoint and firewall security provides a cross-generational blend of threat defense techniques to protect systems from malware.
CVE-2019-7095
Adobe has released a security update for Adobe Digital Editions. This update resolves a critical vulnerability. Successful exploitation could lead to Arbitrary Code Execution in the context of the current user. Affected versions are 4.5.10.185749 and below.
Source: Adobe
How do you protect yourself?
Update Adobe Digital Editions to version 4.5.10.186048.
GlitchPOS Malware
A new insidious malware bent on siphoning credit-card numbers from point-of-sale (PoS) systems has recently been spotted on a crimeware forum.
Researchers at Cisco Talos said in a Wednesday analysis that they discovered the malware, dubbed “GlitchPOS,” being peddled on the Dark Web for $250. The malware first appeared on Feb. 2, and researchers said they don’t know yet how many cybercriminals bought it or are using it.
The malware is spread via email, purporting to be a game involving “various pictures of cats.”
Source: ThreatPost
How do you protect yourself?
Proper security measures must be in place to defend against GlitchPOS Malware and similar threats. Backing up your data and having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.
Mar 11, 2019 | Blog, General, Security Bulletin
Cybersecurity affects every employee – from the executive team to HR, sales, marketing, etc. For this reason, cybersecurity should be everyone’s responsibility. But not all employees understand this. A survey by Citrix found that 40% of employees believe that they bear no responsibility for securing information. Cybersecurity is often thought of as a job for a company’s IT department; it makes sense as they are the tech experts who would most understand how to keep a business secure. But your employees are at risk every time they log onto their computers. Therefore, a company shouldn’t rely solely on one team for security. Everyone must work together to achieve security. Here are three reasons why cybersecurity is everyone’s responsibility.
Source: Help Net Security
Every Employee Is A Potential Target
Employees engage in activities that put them at risk, whether they realize it or not. Coming across a suspicious link while browsing or receiving a spam email can happen to anyone. Those who work with confidential information may find themselves more likely to be a target.
The first step of a cyber attack is reconnaissance, where hackers research their targets beforehand. A simple LinkedIn search can show a hacker a wealth of people to target. From there they can find other social media accounts to further get information on how to tailor their attacks. They can target employees through a variety of ways such as phishing, impersonation and other social engineering tactics. Employees need to understand that their actions have an impact on your company’s security. They should be trained regularly on the cyber threat landscape and learn to engage in cyber safe habits.
Technology Isn’t a One Stop Solution
Having next generation security technologies like Firewalls and SIEM systems are key to limiting cyber attacks and protecting your data. But technology can only do the initial blocking of an attack. Whether a person clicks on a malicious link in their email or responds to an email containing CEO fraud is up to them.
There are also some attacks that technology may not be able to prevent, such as vishing. Vishing is a form of phishing where hackers call their targets to extract information instead of emailing them. Thus, your employees must work in conjunction with technology to protect themselves.
Cybersecurity Policies and Procedures Apply to Everyone
Having a strong cybersecurity culture is key to engaging employees with cybersecurity. A solid cybersecurity culture will include procedures and policies that ensure all employees meet the same security standards, such as every employee needing to change their password every 30 days. This will also show employees that they are a vital part in keeping your business safe. Updating your procedures and policies regularly will help reinforce your security mandates with your employees.
Mar 11, 2019 | Blog, General, Security Threats
StealthWorker Malware
Hackers are running a new campaign which drops the StealthWorker brute-force malware on Windows and Linux machines that end up being used to brute force other computers in a series of distributed brute force attacks.
As later discovered, the malware is capable of exploiting a number of vulnerabilities in to infiltrate Magento, phpMyAdmin, and cPanel Content Management Systems (CMSs), as well as brute force its way in if everything else fails.
While previously the StealthWorker payload was observed while being dropped on targeted servers with the help of the double-packed WallyShack Trojan downloader, the new campaign switched to a brute force-only approach aiming for any vulnerable host with weak or default credentials.
Source: BleepingComputer
How do you protect yourself?
Proper security measures must be in place to defend against StealthWorker malware and similar threats. Having proper up-to-date endpoint and firewall security provides a cross-generational blend of threat defense techniques to protect systems from malware.
CVE-2019-7816
Adobe has released security updates for ColdFusion versions 2018, 2016 and 11. These updates resolve a critical vulnerability that could lead to arbitrary code execution in the context of the running ColdFusion service.
Adobe is aware of a report that CVE-2019-7816 has been exploited in the wild.
Source: Adobe
How do you protect yourself?
Adobe recommends customers apply the security configuration settings as outlined on the ColdFusion Security page as well as review the respective Lockdown guides.
CryptoMix Ransomware
A new CryptoMix Ransomware variant has been discovered that appends the .CLOP or .CIOP extension to encrypted files. Of particular interest, is that this variant is now indicating that the attackers are targeting entire networks rather than individual computers.
This variant is currently being distributed using executables that have been code-signed with a digital signature. Doing so makes the executable appear more legitimate and may help to bypass security software detections.
Source: BleepingComputer
How do you protect yourself?
Proper security measures must be in place to defend against CryptoMix Ransomware and similar threats. Backing up your data and having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.
Mar 4, 2019 | Blog, General, Security Bulletin
Last year, several retailers fell victim to a cyber attack that exposed the payment information of several of their customers. One well known example is the British Airways breach that affected more than 380,000 passengers. All of these retailers were targets of an attack known as formjacking. Formjacking is not a new attack but it is seeing a rise in the threat landscape. According to a new report by Symantec, formjacking attacks affect an average of more than 4,800 websites each month. As companies start to get more savvy in blocking attacks, hackers will be looking to use more creative ways, like formjacking, to target businesses.
Source: BleepingComputer
What is Formjacking?
Formjacking is a type of website hijacking, which is when hackers inject malicious codes into websites to steal user information. Formjacking tends to target retail websites in order to steal credit card information. It’s important to note that formjacking is not an infection that spreads to your network, but a code injection embedded in websites.
How Formjacking Works
A hacker will inject malicious script into the payment section of a website. When a user on the infected website uses the payment form to check out, the script will copy the details entered by the user and send it to the hackers. These attacks go undetected because the website continues to operate normally. Thus, users are giving their information to hackers without even realizing it.
4 Preventative Measures You Can Take
1. Don’t enter payment information directly: When making online purchases, try to avoid using the website payment form by using a payment service like PayPal instead. Customers who use PayPal are redirected to the PayPal website when making the purchase. Since your payment information is entered in a separate website, your information will not be compromised. Using mobile payment options like Apple Pay or Google Pay will also help hide your payment information, which makes it harder to steal.
2. Monitor Outbound Traffic with SIEM: Security Information and Event Management (SIEM) systems use behavioural analytics to detect threats with the help of use cases. Using a SIEM system like Secure IT – SIEM can help detect suspicious activity like increased outbound traffic. If your traffic activity is looking suspicious, it might be time to investigate your website for malicious code.
3, Review third party scripts: Formjacking attacks are also affecting businesses via third party providers. Ticketmaster was breached last year via a third party chat bot it uses for customer support. It’s important for businesses to do their research when partnering with a third-party and ensure they are properly audited. Companies should also look to reduce the amount of third-party scripts on their websites and only keep those that are essential.
4. Conduct a vulnerability assessment: Vulnerabilities tend to be discovered once they start doing damage. A vulnerability assessment will analyze your systems and networks to help you detect and address security gaps. This can help your organization address security gaps and issues before they become a larger problem. Catching malicious script in your website before it can do damage to your brand and customers is key. Have your websites scanned for malicious code when doing your assessment. If you’d like to conduct a vulnerability assessment, contact Jolera today.
Mar 4, 2019 | Blog, General, Security Threats
Farseer Malware
A new brand of malware has been developed to give a threat group the tools required to attack Windows operating systems alongside their usual Android targets.
On Tuesday, cybersecurity researchers from Palo Alto’s Unit 42 said the malware, dubbed Farseer, has connections to HenBox, a cyberespionage malware detected in 2018 in attacks against Google’s Android operating system.
HenBox primarily targets the Turkish Uyghur group in order to steal data including personal and device information, including any phone numbers with a Chinese prefix. The malware is also able to compromise smartphone cameras and microphones.
Generally focused on smartphones, the hackers have now expanded their horizons with the launch of Farseer. The malware is spread through phishing campaigns and malicious .PDF files which employ social engineering tactics through the copy-and-paste of news articles sourced through a Myanmar website.
Source: ZDNet
How do you protect yourself?
Proper security measures must be in place to defend against Farseer malware and similar threats. Having proper up-to-date endpoint and firewall security provides a cross-generational blend of threat defense techniques to protect systems from malware.
CVE-2018-20250
A critical 19-year-old WinRAR vulnerability disclosed last week has now been spotted actively being exploited in a spam campaign spreading malware.
The campaign, discovered by researchers with 360 Threat Intelligence Center, takes advantage of a path-traversal WinRAR vulnerability, which could allow bad actors to remotely execute malicious code on victims’ machines simply by persuading them to open a file.
Source: ThreatPost
How do you protect yourself?
Researchers urge WinRAR users to update as soon as possible to the newest version of the software, 5.70 beta 1.
B0r0nt0K Ransomware
A new ransomware called B0r0nt0K is encrypting victim’s web sites and demanding a 20 bitcoin, or approximately $75,000, ransom. This ransomware is known to infect Linux servers, but may also be able to encrypt users running Windows.
In a BleepingComputer forum post, a user stated that a client’s web site was encrypted with the new B0r0nt0K Ransomware. This encrypted web site was running on Ubuntu 16.04 and had all of its files encrypted, renamed, and had the .rontok extension appended to them.
Source: BleepingComputer
How do you protect yourself?
Proper security measures must be in place to defend against B0r0nt0K Ransomware and similar threats. Having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.
Feb 25, 2019 | Blog, General, Security Bulletin
The threat of a cyber attack is constantly present and 80% of IT business leaders expect to face a critical breach this year. Companies who experience a data breach can expect loss of revenue due to downtime, reputation and recovery. One of the ways a company can reduce the impact of a cyber attack is to implement an incident response plan. According to a study done by IBM, having an incident response plan in place can save a company an average of $340,000.
Source: IBM
What is an Incident Response Plan?
An incident response plan is used to help organizations detect threats and minimize the impact of a security incident. An incident response plan is key for organizations to build the foundation of their defence. An effective incident response plan will ensure business continuity in the event of an attack and can help prevent a similar event from happening in the future.
What are the Benefits?
Compliance: Regulations like PIPEDA require organizations to keep and maintain records of any data breaches. Having an incident response plan can assist with record keeping and provide quick access to your records.
Trust: Give your clients and investors the confidence in knowing that your company is ready to respond to any security incident.
Clarity: An effective incident response plan will allow all organization personnel to know their responsibilities, leading to faster response time and clear communication across the organization and between the media/stakeholders.
5 Key Components for An Incident Response Plan
1. Determine critical areas of your network: Visibility is an important part of a response plan because when disaster strikes, things can get chaotic. It’s important to look at every part of your environment and prioritize your assets. Knowing the key assets of your business will ensure your critical components will be protected.
2. Evaluate risks: Your incident response plan should cover common threats that are prevalent in the threat landscape, such as ransomware and DDOS attacks. Vulnerabilities tend to be made aware after the fact so an important part of prevention is to find the risks before they become a problem. One way to evaluate your risk factors is to conduct a security risk assessment. A security risk assessment can help you address current risks that are specific to your organization.
3. Incident Response Team: A crucial part of an incident response plan is to have a team of key players to help mitigate immediate issues and plan for other problems (such as media communication). Assigning the proper roles to your staff members to ensure that when the time comes, everyone knows their responsibilities. Your team should include: executives, a security analyst, IT manager, communications and human resources. You may also include third parties such as legal counsel or third party stakeholders. Your team should be briefed of your incident response plan annually and update the plan if necessary.
4. Create a business continuity plan: In the event of a breach, your business operations may not be accessible. In order to limit downtime, you need to figure out a way to access business critical data. This is why it’s important to backup your data regularly so that when the time comes, you have a backup system ready to go.
5. Involve your staff: All employees should have knowledge of and be familiar with your incident response plan. Full cooperation with all employees can limit distractions and delays. Train all employees on your plan, whether they’re part of your incident response team or not.
Feb 25, 2019 | Blog, General, Security Threats
Rietspoof Malware
Rietspoof is a new malware family which uses a multi-stage delivery system, is designed to drop multiple payloads on the systems it infects, and offers very little to no information on what audience it targets.
What’s known at the moment is that the malware uses multiple stages to compromise its targets, each of them having very particular capabilities, with one acting as a bot that “can download/upload files, start processes, or initiate a self-destruct function,” and another behaving like a run-of-the-mill downloader.
At this moment, Rietspoof’s end goal, targets, and exact infection chain are not yet known, but something is obvious: the threat actors behind this malware are accelerating its development and deployment speed, adding new features and updating/improving the ones already in each day.
Source: BleepingComputer
How do you protect yourself?
Proper security measures must be in place to defend against Rietspoof malware and similar threats. Having proper up-to-date endpoint and firewall security provides a cross-generational blend of threat defense techniques to protect systems from malware.
CVE-2019-7815
Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address a reported bypass to the fix for CVE-2019-7089 first introduced in 2019.010.20091, 2017.011.30120 and 2015.006.30475 and released on February 12, 2019. Successful exploitation could lead to sensitive information disclosure in the context of the current user.
Source: Adobe
How do you protect yourself?
Upgrade Adobe Acrobat and Reader to the latest version.
WinPot malware
The WinPot ATM jackpotting malware is evolving, as its authors look to solve the obstacles that get in their way. The latest is an effort to help ATM hackers, a.k.a. jackpotters, better target their efforts in order to steal more cash in a lesser amount of time.
Thieves infect ATMs through physical access, i.e., by using USB drives to install malware onto the machine (ATM owners can thus protect themselves through device control and software blacklisting/whitelisting). The USB port is located on the back of the ATM, which the criminals get to by popping open a flange on the front that exposes a hole.
Once the malware is installed, the cybercriminals can force the ATM to dispense cash on-demand via a software interface that appears on the ATM’s screen. The effect is a bit like hitting the jackpot on a slot machine, hence the nickname for this kind of strike.
Source: ThreatPost
How do you protect yourself?
Proper security measures must be in place to defend against WinPot Malware and similar threats. Having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.
Feb 19, 2019 | Blog, General, Security Bulletin
According to a recent study, 2 in 3 companies say they are unable to protect themselves from a data breach. With new regulations like GDPR and PIPEDA in place, companies face even greater fines (in addition to other consequences such as downtime, decrease in share prices and lack of customer trust) if they fall victim to a data breach. Attacks are getting more sophisticated, meaning companies need to keep up-to-date with the latest threats and security technologies in order to protect themselves. But how do hackers breach companies in the first place? And what can companies do to stop them?
Source: Forbes
5 Ways Hackers Can Enter Undetected and What You Can Do
1. Exploiting vulnerabilities: Vulnerabilities are flaws found in software programs or operating systems due to programming errors or improper configurations. Vulnerabilities act as a crack in the wall that give hackers entry into your systems until they are patched. Hackers looking to exploit vulnerabilities can use them to access your computers and/or install malware.
How Can I Protect My Business?
Users should install security updates and software patches as soon as they are released. Addressing vulnerabilities immediately is key because the longer they remain unpatched, the more opportunities a hacker has to exploit them.
2. Insider threats: Although most cyber attacks involve third party hackers, 28% of attacks involved malicious insiders. Malicious insiders can be broken down into two categories:
i) Accidental: These are stolen credentials used by hackers to steal information.
ii) Intentional: Employees, partners or contractors who intend to steal information.
Whether a user is intentionally malicious or not, insider threats are harder to detect because they are posing as a legitimate user. This is dangerous because they can wreak havoc long before they are detected.
How Can I Protect My Business?
Security Information Event Management (SIEM) systems use behavioural analysis to detect suspicious behaviour within your network. Due to its advanced capabilities, SIEM is able to pick up on things like logins at unusual hours or attempts at accessing unusual data. SIEM can also correlate suspicious behaviour with known threats to determine if a threat is taking place. For more information on what our Secure IT – SIEM can do for your business, contact us today.
3. Keylogging: Keyloggers are used to record keystrokes on your devices. When used by hackers, they can be used to steal passwords, personal information and anything else a person types. Keyloggers are spread to various means such as phishing emails or installed through web scripts.
How can I protect my business?
Using a firewall will protect you from a variety of threats, including keylogging. Keyloggers usually require a transmission of your data to the hacker through the internet. A firewall acts as a layer between your network and the internet and can potentially detect this and block malicious IP addresses/websites. At Jolera, our Secure IT – Firewall uses next generation firewalls to provide advanced protection for organizations.
4. Wireless hacking: Hackers who manage to hack your wireless routers put your networks at risk to several vulnerabilities such as eavesdropping, man-in-the-middle attacks and denial of service attacks. Successful hijacking of routers can also lead hackers to gain access to your network and the data you receive and send.
How can I protect my business?
As always, it’s important to be notified of any firmware updates for your routers and install them as soon as possible. Consider also using a WiFi security solution like Secure IT – Wifi, which includes next generation access points and 24/7/365 security event management for your wireless networks.
5. Social Engineering: Social engineering is when hackers use deception or manipulation to mislead employees into divulging confidential or private information. This means that Hackers don’t need to use high tech skills or equipment to infiltrate your organization. Social engineering relies on two things: a good impersonation (such as pretending to be a CEO, partner company, etc.) and an employee to take the bait. It can be difficult to detect social engineering because they tend to target users via email as opposed to directly hacking into your network.
How can I protect my business?
The best way to prevent employees from falling victim to social engineering is to train them on cybersecurity with a cyber awareness course like Secure IT – Training. Courses like Secure IT – Training will help promote cyber awareness in your organization by informing employees of the latest threats and what they can do to prevent them. This will help your employees stay alert for cyberthreats like social engineering and help them develop good security habits that will protect your organization in the long run. Training, combined with an email security solution like Secure IT – Mail, will combine human effort with advanced email security to protect your organization from threats like social engineering.
Feb 19, 2019 | Blog, General, Security Threats
Clipper Malware
A malicious app designed to steal cryptocurrency from victims by replacing a wallet address in the phone’s clipboard has been discovered harboring the first “clipper” malware discovered on Google Play, the official Android app store.
Usually cryptocurrency-stealers are found on unsanctioned Android app stores, but researchers with ESET on Friday said that they spotted the malicious app (a fake version of the legitimate MetaMask service) shortly after it had been introduced at the official Android store on Feb. 1. The app has since been removed, but anyone who had already downloaded it remains affected.
Source: ThreatPost
How do you protect yourself?
Proper security measures must be in place to defend against Clipper malware and similar threats. Having proper up-to-date endpoint and firewall security provides a cross-generational blend of threat defense techniques to protect systems from malware.
CVE-2019-7090
Adobe has released security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS. These updates address one important vulnerability in Adobe Flash Player. Successful exploitation could lead to information disclosure in the context of the current user.
Source: Adobe
How do you protect yourself?
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the latest version:
Astaroth Trojan
A new Astaroth Trojan campaign targeting Brazil and European countries is currently exploiting the Avast antivirus and security software developed by GAS Tecnologia to steal information and load malicious modules.
According to Cybereason’s Nocturnus team which discovered the new Astaroth strain, just like previous installments, the malware uses “legitimate, built-in Windows OS processes to perform malicious activities and deliver a payload without being detected” but it also makes use “of well-known tools and even antivirus software to expand its capabilities.”
This Astaroth variant is distributed through spam campaigns just like previous versions, and the infection starts with a .7zip archive delivered to the target in the form of an e-mail message attachment or hyperlink. The malicious archive contains a .lnk file which will spawn a wmic.exe process that will “initialize an XSL Script Processing attack.”
Next, the malware connects to a command-and-control (C2) server and exfiltrates information about the infected computer. After downloading the encrypted XSL script to the infected machine, the Trojan will use BITSAdmin to grab a payload from another C2 server, carefully obfuscated as images or files without extensions containing various Astaroth modules.
Source: BleepingComputer
How do you protect yourself?
Proper security measures must be in place to defend against Astaroth Trojan and similar threats. Having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.
