A threat actor only needs one employee’s credentials to gain access to your organization’s entire infrastructure and/or data. The potential consequences of stolen credentials in the wrong hands are endless. You can experience direct financial loss, damage to brand reputation, loss of intellectual property, downtime, etc.
Anyone in your organization can have their
credentials stolen. According to the Cybersecurity Threatscape report by
Positive Technologies, one in five data thefts involved stealing account
credentials. It’s important that organizations understand the threat of
credential theft and take action to defend against it.
Hackers looking to steal credentials may
use any of the following methods:
Keylogging: Hackers can install malware with keylogggers that record the keystrokes on a computer and send the data back to hackers.
Phishing: Hackers will send users sophisticated phishing emails urging them to change their passwords or update their information. These emails will provide the user with links to web pages that look legitimate but are really phishing websites that are built to steal credentials and personal information.
Web injections: Hackers inject malicious code into your web browser via malicious browser extensions, links, or ads that allow them to intercept data as its being transmitted.
What Happens to Stolen Credentials?
Cybercriminals can do any of the following with
your stolen credentials:
Engage in fraud: Hackers can impersonate your organization and request fraudulent wire transfers from vendors or business partners.
Sell: There are several forums on the dark web dedicated to selling and buying user credentials. Once these credentials are bought, cyber criminals can essentially do whatever they want with the stolen credentials.
Spy: Hackers can use your stolen credentials to spy on your company and gather intelligence regarding your business dealings. They can then leak this information to your competitors or use this information to blackmail your organization.
Install malware: Hackers can alter the code of your website to steal customer information through formjacking or install malicious ads that can infect visitors with malware.
How to Protect Your Credentials
Credentials are the keys to your
organization and it’s imperative that organizations take the necessary steps to
secure them. Here are three things you can do to defend against credential
theft:
Monitor credentials: Sometimes hackers don’t even have to work to steal your credentials – they can easily find them on the dark web after a massive data breach. By monitoring the dark web for your company’s credentials, you can take action before they are maliciously used by a threat actor. You can start monitoring your organization’s credentials today with our Secure IT – User Defence solution. We will alert your organization as soon as any compromised credentials are found on the dark web, reducing the potential impact of a breach.
Have a good password policy: Users are responsible for creating safe passwords for their accounts. It’s important that they use good password security, such as never sharing or reusing their passwords.
Act immediately: If you experience suspicious activity in your network or find out your credentials have been exposed in a data breach, you must change your passwords immediately. Users should also never use default passwords or logins as they are easy to guess or can be easily found online. Always change the default passwords of any accounts or hardware as soon as they are added to your infrastructure.
Security researchers have detailed how the Glimpse malware uses a text mode as an alternative DNS resource record type.
According to a blog post by security researchers, the malware is written in PowerShell and associated with APT34. It is executed by Visual Basic script, yet how the script is initiated remains unclear, researchers said.
Proper security measures must be in place to defend against Glimpse Malware and similar threats. Having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.
CVE 2019-8248
Adobe has released updates for Adobe Illustrator CC for windows and macOS. This update resolves critical and important vulnerabilities which could lead to Remote Code execution in the context of current user.
A newly discovered piece of ransomware written in PureBasic has been linked to a Malware-as-a-Service (MaaS) provider that has been used by Cobalt Gang, FIN6, and other threat groups.
Dubbed PureLocker, the malware comes with evasion methods and features that have allowed it to remain undetected for months. The use of PureBasic, a rather uncommon programming language, also makes porting between Windows, Linux, and macOS easy.
Proper security measures must be in place to defend against PureLocker Ransomware and similar threats. Having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.
Emotet, a Banking Trojan turned devastating modular threat, has returned with upgraded functions in a new wave of attacks.
Emotet has now begun sharing a number of obfuscation techniques already utilized by Trickbot. A new export function has also been found in executable binary functions — used by both malware variants — and this feature resolves API names through an export list of loaded DLLs. The API call resolution is present in both Emotet and Trickbot packers.
Proper security measures must be in place to defend against Emotet Trojan and similar threats. Having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.
CVE 2019-2204
Android has released its monthly security patches for several core Android components.
The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.
A new version of the MegaCortex Ransomware has been discovered that not only encrypts your files, but now changes the logged in user’s password and threatens to publish the victim’s files if they do not pay the ransom.
For those not familiar with MegaCortex, it is a targeted ransomware installed through network access provided by trojans such as Emotet. Once the MegaCortex actors gain access, they then push the ransomware out to machines on the network via an active directory controller or post-exploitation kits.
Proper security measures must be in place to defend against MegaCortex Ransomware and similar threats. Having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.
Employees play a vital role in an organization’s overall security. According to Statistics Canada, the majority of large (91%), medium-sized (83%) and small (72%) businesses in Canada reported having employees primarily responsible for the overall cybersecurity of their business in 2017. To strengthen user security, organizations should supplement employee awareness training with cybersecurity testing. Testing is a great way for organizations to establish a baseline of user behaviour to determine how users respond to potential threats. Without evaluating employees, organizations won’t be able to make impactful changes on how to improve. Testing also helps organizations determine the effectiveness of their training.
Organizations can test employees through
various means such as online quizzes on common cyber threats or through simulated
phishing. Simulated phishing exposes employees to the latest phishing threats
by sending mock phishing campaigns to employee inboxes and tracking who clicks
on phishing links.
Our new security product Secure IT – User Defence
features both of these elements. With Secure IT – User Defence, organizations
can train and test employees, as well as monitor the dark web for stolen
credentials. User Defence includes simulated phishing emails that can be customized
and online training that includes quizzes to validate retention of content.
Reinforce Best Practices
Social
engineering attacks are incredibly dangerous because they rely on user error
or lax user behaviour in order to work. Testing can help users adhere to good
security practices and help change their behaviour so that they remain more
alert against these types of attacks.
Engaging employees with simulated phishing
emails allows them to feel real consequences in a safe environment. Simulated phishing
attacks give employees an idea of what phishing emails look like and help them spot
common signs that indicate a potential phishing attack. Over time, this will help
employees develop the habit of carefully inspecting emails before they respond
or click on any links.
Improve Security Culture
Testing employees also helps develop an
organization’s security culture. It gives organizations an opportunity to
openly discuss issues of security and show employees how they play a role in
keeping your company safe.
Testing is a good opportunity for
organizations to create teachable moments for their employees. If more employees
are responding to a specific type of threat, think about why. Is it because the
threat appears to be from an executive? Does the word “urgent” in the subject
line make them want to click? These are things you can look out for and talk to
employees about.
It’s important to not shame or punish
employees for failing a test as it can discourage employees from reporting security
errors and make security feel more of a taboo topic. Testing is about making
sure employees stay safe in the office and in their personal lives. It’s not
about tricking them into falling for these threats. The purpose of testing is
to them aware of current cyber threats and to empower employees to take action when
they encounter them.
SIEM is transforming the way organizations
are detecting threats thanks to its ability to collect data across several devices
and develop actionable intelligence for security response teams. Although SIEM has
been around for a while, it continues to evolve and help organizations defend
against emerging threats. According to the 2019 SIEM Report, more than 70% of
organizations found that SIEM resulted in better detection of threats and a
measurable reduction in security breaches.
SIEM stands for Security Information and Event Management and is used to detect threats by collecting and analyzing log data from various networks, systems and devices (e.g. firewalls, computers, etc.). The data collected from the SIEM is then turned into actionable information that allows security teams to respond to potential threats.
The Benefits of SIEM for Organizations
1. Compliance: SIEM includes compliance reporting capabilities, which is valuable for organizations who must adhere to compliance regulations like GDPR and HIPAA. The log data generated by SIEM provides historical records which is necessary for incident investigations.
2. Clarity: SIEM analyzes activity from every part of the infrastructure. The log data produced can help organizations understand the events happening in their infrastructure. This is especially useful if a security incident occurs and can help organizations determine what happened.
3. Save time and money: SIEM is typically expensive due to licensing fees and the costs associated with hiring a security team to run the system. Outsourcing SIEM as a service from a provider like Jolera allows organizations of all sizes to have access to an enterprise grade system like SIEM. SIEM solutions like Secure IT – SIEM make SIEM accessible and help organizations save the time and effort required to operate and maintain a SIEM.
How SIEM Improves Security
One of the biggest benefits of SIEM is its
security capabilities. Here are 3 ways our SIEM system can fortify an
organization’s security.
1. Improves threat detection
Time is crucial when it comes to detecting
threats; the longer a hacker remains undetected the more damage they can do. Therefore,
it’s important for organizations to respond to threats as soon as
possible. SIEM can quickly detect
potential threats which helps prevent security breaches.
SIEM uses built-in correlation rules and information from a global threat intelligence feed to identify potential threats. The correlation rules are a set of predefined sequences that indicate suspicious behaviour. For example, if a person is trying to login more than 5 times the correlation rule might flag it as suspicious. This would then generate a security alert that would warn your security team of potential malicious activity.
A SIEM is only as good as the threats it can detect. If a SIEM is not correlated to detect advanced threats, they may slip through. Integrating a global threat intelligence feed with SIEM ensures that the system is constantly updated with the latest threat intelligence activity. This is vital in ensuring that SIEM can detect and consequently protect against the latest evolving threats.
2. 24/7 Monitoring
The SIEM is constantly monitoring for unusual behaviours. Round-the-clock monitoring is important to ensure quick response to threats. SIEM also assists security teams in detecting threats because it is constantly monitoring the infrastructure.
Threats like malicious insiders are hard to
detect but since SIEM is constantly monitoring for suspicious events it can
analyze the pattern of behaviour of a user and determine if they’re acting
suspicious. For example, SIEM can detect
a user accessing information they don’t normally access or combine seemingly
unrelated events such as a user inserting a USB stick after accessing sensitive
information.
3. Provides visibility
In order to understand the threats facing their infrastructure, organizations need clear visibility. It can be difficult for organizations to fully understand their infrastructure because there are many moving parts. Organizations may have a hybrid infrastructure that includes on-premise and cloud environments. As organizations grow they integrate new technology, which in turn increases their attack surface and leads to blind spots like shadow IT. Hackers like to take advantage of these hidden places in your network and exploit them.
SIEM provides organizations with real time
visibility into all activity on their systems, networks and applications
(whether on-premise or in the cloud) in one centralized view. This is crucial
in helping organizations establish a baseline in understanding what constitutes
normal behaviour and usage in an environment.
Since SIEM provides an overview of the network it can also detect
unknown devices communicating within your network, helping to close the gaps on
hidden devices in your network.
Over the past six months, a new Android malware strain has made a name for itself after popping up on the radar of several antivirus companies, and annoying users thanks to a self-reinstall mechanism that has made it near impossible to remove.
But the thing that’s most “interesting” is that xHelper doesn’t work like most other Android malware. Once the trojan gains access to an Android device via an initial app, xHelper installs itself as a separate self-standing service.
Uninstalling the original app won’t remove xHelper, and the trojan will continue to live on users’ devices, continuing to show popups and notification spam.
Proper security measures must be in place to defend against xHelper Malware and similar threats. Having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.
CVE 2019-13720
Google is warning users of a high-severity vulnerability in its Chrome browser that is currently being exploited by attackers to hijack computers.
The bug (CVE-2019-13720) is a use-after-free flaw, which is a memory corruption flaw where an attempt is made to access memory after it has been freed. This can cause an array of malicious impacts, from causing a program to crash, to potentially leading to execution of arbitrary code – or even enable full remote code execution capabilities.
Update to the latest version of Chrome, 78.0.3904.87 (for Windows, Mac, and Linux) as it rolls out over the coming days.
Adwind Trojan
A new version of the Adwind remote access trojan (RAT) has been discovered taking aim at new targets.
Adwind (a.k.a. JRAT or SockRat) is a Java-based remote access trojan that sniffs out data – mainly login credentials – from victims’ machines. While Adwind has historically been platform-agnostic, researchers say they have discovered a new four-month-old version targeting specifically Windows applications – like Explorer and Outlook – as well as Chromium-based browsers (Chromium is a free and open-source web browser developed by Google), including newer browsers like Brave.
The new variant is a JAR file (Java ARchive; a package file format typically used to aggregate many Java class files) that researchers say is typically delivered from a link in a phishing email or downloaded from a legitimate site serving up insecure third-party content.
Proper security measures must be in place to defend against Adwind trojan and similar threats. Having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.
As IT and security continue to align closer with business goals, organizations can no longer ignore the impact the risks on their infrastructure affect their business. According to Deloitte’s Global Risk Management Survey, 67 per cent of organizations named cybersecurity as a risk that would increase the most in importance for their business over the next two years. Due to the everchanging threat landscape, combatting security risks is an ongoing process and organizations need to address and understand their security risks. There are several factors that can impact security risk management. Here are three risks factors you might not think about.
Data is one of the most valuable resources for an organization so protecting it is key. While many organizations focus on protecting customer data (and rightly so), securing employee data is just as important. Corporate credentials can easily be found on the dark web and purchased by threat actors.
Threat actors that purchase these stolen
credentials can use them to navigate the corporate network undetected. Once a
threat actor is in your network, they potentially have access to all your data.
This includes customer information, corporate projects, the organization’s
chain of command, etc. With this information they can engage in several
malicious activities such as installing malware, sending phishing emails, using
social engineering tactics to target business partners or vendors, etc.
It’s important for organizations to
recognize that compromised employee credentials can be a big security risk.
Organizations need to treat their employees’ data with as much care as they do
with their customers. Implementing employee cyber training
and security solutions can help
organizations protect employee data.
2. Technology adoption
There’s always a risk when it comes to early adoption of technology because you are not only the first to receive its benefits but its problems as well. Any improvements that are made, such as better integration, usability and/or security, come from the experiences of early adopters.
When it comes to using new technology,
there’s always a chance that the product will not perform as promised or work
within the existing environment. There is also the risk that organizations may
sacrifice security in a haste to be the first to release or include the newest
technologies. According to one survey,
34% of organizations admitted to bypassing security checks in order to bring
products to the market faster.
On the other hand, refusing to adopt to new
technologies can hinder an organization’s growth and affect security. As new
technologies emerge, many companies start retiring older versions. Those who
refuse to adopt end up using outdated technology that is not updated to defend
against the latest threats or vulnerabilities.
When it comes to implementing technology, it’s
important for businesses to partner with organizations they can trust. This
includes ensuring partners/vendors/suppliers are compliant with the latest
regulations and that they have clearly defined processes that indicate
organizational maturity. Organizations should always do an assessment before
they make a major change in their environment to ensure that the new technology
will work for their business. For information on how Jolera can help your
organization, contact us today.
3. Organizational culture
The behaviours, beliefs and values of an organization build the foundation that shapes an organization. However, the importance of culture is often overlooked despite it being important to the security and performance of an organization.
For example, a culture that prefers to do
things as it’s always been done will be more hesitant to upgrade their systems
or add better security controls. This makes it harder for employees to speak up
about implementing better security changes. As a result, nothing will change
until something catastrophic happens.
Organizations need to ensure their culture
reflects their values. If an organization is committed to building
relationships with their customers but are not implementing the best controls
to help protect their data, there is a misalignment between their procedures
and policies. Organizations should assess their culture and create an action
plan to ensure that there is visible change top down.
A highly customisable form of trojan malware has returned and is being distributed via phishing emails claiming that a payment is being made to a bank account.
The Remcos remote access trojan first emerged on underground forums in 2016 and has received a number of updates over the course of the last few years.
Available to crooks for as little as $58, the malware is an information stealer and surveillance tool, using capabilities including keylogging, taking screenshots, and stealing clipboard contents to secretly take usernames and passwords from infected victims.
Proper security measures must be in place to defend against Remcos Trojan and similar threats. Having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.
CVE 2019-11757
Mozilla has released security updates for Firefox browser. When storing a value in IndexedDB, the value’s prototype chain is followed and it was possible to retain a reference to a locale, delete it, and subsequently reference it. This resulted in a use-after-free and a potentially exploitable crash.
A new ransomware called MedusaLocker is being actively distributed and victims have been seen from all over the world. It is not known at this time, how the attacker is distributing the ransomware.
This new ransomware was found by MalwareHunterTeam at the end of September 2019, and while it is not currently known how the ransomware is being distributed, there has been a steady amount of submissions to the ID Ransomware site since then.
Proper security measures must be in place to defend against MedusaLocker ransomware and similar threats. Having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.
When most people think of a cyber attack, they may imagine a hacker furiously typing away at their keyboard trying to penetrate firewalls and other security barriers to gain entry. However, there are some common user habits most people engage in that make it easier for hackers to gain access to personal information and craft attacks. And facing a cyber attack can cause a lot of financial damage. According to Cisco’s 2018 Security Capabilities Benchmark Study, 55% of attacks resulted in damages of $500,000 or more. Threat actors are always looking for opportunities to exploit. It’s important for users to be aware of common cyber threats so that they can limit their exposure. Here are four common ways a cyber threat can creep up on you.
With so many options available for apps and social networking sites, it’s easy to sign up for all of them and then move on to the next thing that catches your attention. However, people often forget to remove their accounts on these websites when they leave them. Simply uninstalling an app doesn’t mean that the data on your account is erased. And if that website or app gets hacked your information will most likely be affected, even if you haven’t touched that account in a while. It’s important to ensure that you take the time to properly remove your accounts from the services you are no longer using. Websites will usually outline the steps you can take to remove your accounts in their Help section. If you are unable to find a way to delete your account, you should contact their customer support directly. You should also disconnect third-party services that may be connected to accounts like Facebook or Gmail.
2. Unauthorized USB Sticks/Cables
Using unauthorized USB sticks and charging cables might save you money but you could end up installing malware onto your computer or give hackers remote access when you plug them in. These products are built to look legitimate so there is no telltale sign that would indicate if it is malicious or not. They also usually end up working as intended which means people will continuously use them and not suspect anything. To prevent this problem, you should only purchase these products from authorized retailers, only borrow them from people you trust and avoid picking up any USBs or cables you might find lying around in public places.
3. Out-of-office messages
Automatic out-of-office replies can potentially end up revealing a lot of information to anyone who emails you while you’re away. A typical out-of-office reply will usually look like the following:
“I will be out of the office to attend a
conference in Montreal from November 1-7. For all inquiries about project X, please
contact John Doe at johndoe@email.com. For
any urgent requests, I can be contacted at XXX-XXX-XXXX.”
A message like this can give threat actors a lot of information they can use. Firstly, you’re telling them where you are. They can use this information to craft a social engineering message pretending to be someone from the conference. Secondly, you’re giving the hacker information on the types of projects you’re working on and another person they can target. To avoid oversharing in your out-of-office message, limit what you say. Don’t provide your location or contact information in your message. It’s a good idea to set different automatic replies for those within your organization and those outside your organization.
4. Smart devices
Technology is getting smarter and many people are integrating IoT devices into their offices and/or homes. While these devices can make life easier, they also run the risk of being hacked. Hackers can use IoT devices to engage in several malicious activities, such as targeting users with mobile malware, spying or hacking billboard screens to spread their own messages. They can also render these devices useless, such as hacking a smart lock and preventing it from working. When choosing to integrate IoT devices, do your research. Check which brands have had issues with their devices in the past and ensure that you’re buying them from authorized retailers. Ensure that all endpoint devices in your corporate network are protected with endpoint security and that they are all protected with strong passwords.
Named Tarmac (OSX/Tarmac), this new malware was distributed to macOS users via online malvertising (malicious ads) campaigns.
These malicious ads ran rogue code inside a Mac user’s browser to redirect the would-be victim to sites showing popups peddling software updates — usually for Adobe’s Flash Player.
Victims who fell for this trick and downloaded the Flash Player update would end up installing a malware duo on their systems — first the OSX/Shlayer malware, and then OSX/Tarmac, launched by the first.
Proper security measures must be in place to defend against Tarmac Malware and similar threats. Having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.
CVE 2019-8164
Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user.
SDBot uses application shimming for persistence, a technique that “can be used to Bypass User Account Control (UAC) (RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress).”
This, in turn, makes it possible for attackers to elevate privileges for malicious processes, to install backdoors on infected systems, as well as to disable anti-malware solutions Windows Defender.
SDBot is a modular malware as it uses an installer, a loader, and a RAT component, with the installer being used to store the RAT component within a compromised device’s registry and for establishing persistence for the loader component which executes the RAT payload.
Proper security measures must be in place to defend against SDBot trojan and similar threats. Having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.
