May 21, 2019 | Blog, General, Security Bulletin
Privileged user accounts are used for some of the most critical parts of a business, such as managing infrastructure and providing access to critical data for day-to-day activities. However, because privileged users have great access to your organization, they are a security threat. According to a report by Centrify, privileged credential abuse is involved in 74% of breaches.
Source: Centrify
What is a Privileged User Account?
Privileged user accounts are those that have unlimited access and permissions to systems, data or endpoints. These accounts can be used to modify data or grant permissions to other accounts. They are often given to people who work with critical data and infrastructure, such as C level executives or senior managers. Here are three common privileged user accounts most organizations use:
- Local admin accounts: These accounts provide administrative access to the local host. They are commonly used to perform maintenance on the network.
- Domain admin accounts: These are privileged accounts that have admin access across all workstations and servers within the domain.
- Service accounts: These accounts are used to operate specific applications.
Privileged Users Are a Security Weakness
Privileged user accounts can act as a security threat because it is easy for users to abuse their access without getting caught. Here are three reasons why your privilege users are your biggest security weakness.
1. Cyber criminals target privileged users: According to Verizon’s 2019 Data Breach Investigation Report, senior executives are 12 times more likely to be the target of a social engineering attack. Privileged users are targets for cyber criminals because they can use their accounts to gain a foothold into your network. Once they gain access to privileged credentials, they can change permissions for users and move around undetected. They might even try to infect other users by sending malicious links. Since they look like a normal user, their actions may not be immediately raise any red flags.
2. Accounts are difficult to manage: Privilege users are hard to manage because as employees change their roles, their permissions and accesses change as well. It can be difficult for organizations to keep track of the permissions that are required for each role and to make sure that unused accounts are deleted or that permissions are disabled when no longer required.
3. They can act as insider threats: Since privileged accounts have unlimited access, it’s hard to determine if a user is acting maliciously or not. If a privileged user is accessing confidential behaviour, are they doing it because it’s part of their job or because they are trying to leak sensitive information? They may also unintentionally act as an insider threat, such as giving a user access without determining if there was a true business need for it or not.
Securing Your Privileged Users
Since privileged users hold the keys to an organization, it’s important that organizations take necessary precautions to guard these accounts. Here are three things organizations can do to secure their privileged users.
1. Use a Zero Trust model: The foundation of Zero Trust is to “never trust, always verify”. In order to incorporate Zero Trust into your organization you need to build it into your security architecture. The strategy should include constant verification of users, devices and their access. User accounts should have multi factor authentication enabled and end devices connected to the network should be protected with endpoint security. Privilege access should be limited and given to only those who need it.
2. Implement Behavioural analytics: Using an automated detection system like Secure IT SIEM can help monitor user activity and detect potential threats. SIEM allows you to gain visibility into your network by analyzing data from devices and monitoring user behaviour. SIEM can detect indicators of potential insider threats, such as logins at unusual hours or accessing unusual data or systems.
3. Understand Your Privileged Accounts: Find out where your privileged accounts exist within your organization. Create an inventory of these accounts. This will help you gain an understanding of your company’s risk exposure. Make sure any privileged accounts that are no longer in use are deleted.
May 21, 2019 | Blog, General, Security Threats
ELECTRICFISH Malware
The malware implements a custom protocol that allows traffic to be tunneled between a source and a destination Internet Protocol (IP) address. The malware continuously attempts to reach out to the source and the designation system, which allows either side to initiate a tunneling session. The malware can be configured with a proxy server/port and proxy username and password. This feature allows connectivity to a system sitting inside of a proxy server, which allows the actor to bypass the compromised system’s required authentication to reach outside of the network.
Source: National Cybersecurity and Communications Integration Center
How do you protect yourself?
Proper security measures must be in place to defend against ELECTRICFISH Malware and similar threats. Having proper up-to-date endpoint and firewall security provides a cross-generational blend of threat defense techniques to protect systems from malware.
CVE-2019-7841
Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user.
Source: Adobe
How do you protect yourself?
Ensure your Adobe software is updated to the latest version.
ScarCruft APT
The ScarCruft Korean-speaking APT is changing up its espionage tactics to include an unusual piece of malware devoted to harvesting Bluetooth information – while also showing some overlap with the DarkHotel APT.
An analysis of ScarCruft’s binary infection procedure by Kaspersky Lab shows that in a campaign that continued over the course of 2018, the group used a multi-stage process to update each of its malware modules effectively while also evading detection.
The researchers said that spear-phishing and the use of various public exploits remain ScarCruft’s go-to initial attack vectors. Once the victim is compromised, the attack installs an initial dropper, which uses a known exploit for CVE-2018-8120 to bypass Windows User Account Control (UAC) in order to execute the next payload, a downloader, with higher privileges. This stage connects with the command-and-control (C2) server to grab the next payload, which is hidden in an image using steganography.
Source: ThreatPost
How do you protect yourself?
Proper security measures must be in place to defend against ScarCruft APT and similar threats. Ensure your systems have the latest patches installed. Backing up your data and having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.
May 13, 2019 | Blog, General, Security Bulletin
Phishing attacks are still prevalent and organizations are continuously being targeted. According to a report from Proofpoint, 83% of businesses say they experienced a phishing attack in 2018. Phishing attacks are used to steal credentials/data and spread malware and ransomware to businesses. Just last month the city of Ottawa fell victim to a phishing scam and wired $130,000 to scammers.
Source: Proofpoint
Phishing attacks work because hackers are good at making their messages seem legitimate and people are not always paying attention when reading emails. Here are 4 types of phishing attacks and steps you can take to combat them.
1. Phishing messages via SMS or Messaging apps
Although phishing emails are still prevalent, hackers are also utilizing other forms of communication, such as text messaging and messenger apps, to target potential victims. These types of phishing attacks are similar to what you’ll see in email; the only difference is the method of communication. For example, instead of getting an email saying your account is compromised, you will get a message via text with a link. In some cases, they may send a phishing email but request the correspondence to continue via text and ask for your mobile number.
How to combat
Education and awareness is key to fighting phishing attacks. Employees should be enrolled in cyber awareness training at least once a year to make sure they are updated on the latest attack vectors. Cyber awareness training will also help employees think more critically about navigating online and learn how to build good security habits. They should never engage with unknown senders or click on any links in suspicious emails.
2. Business Email Compromise (BEC)
BEC scams involve impersonating a CEO or executive of a company or a business supplier/partner. The hackers then request a wire transfer of money or for the user to purchase gift cards. These scams usually involve building a rapport with the potential victim in order to build trust or having knowledge of a business’ suppliers to seem more legitimate. According to the FBI, BEC caused losses of $1.3 billion in 2018.
How to combat
Implement a warning message when users receive messages that originate from outside the organization. This can remind users to look closely at the emails they receive and to not download attachments/files from unknown senders. This can also help combat CEO fraud as messages from executives should originate from within the organization.
3. Credential attacks
Hackers targeting credentials will send phishing messages that try to steal them. This usually done by sending a message that entices you to log in. These messages can say you need to change your password or that there was a suspicious login. Some may say you have a tax refund or target credentials to your accounts on streaming services. These types of attacks will also provide a link to a fake website that looks legitimate. When you log in using these spoofed links, the hackers will be able to gain access to your credentials. This opens up the threat of malicious insider attacks, where hackers can use compromised credentials to steal data or spread more phishing emails to clients or business partners.
How to combat
To avoid clicking on fake websites, you should always hover over the link and inspect the URL before you click on it. If you are unsure if it’s legitimate, you should type in the website directly into the search bar.
4. Clone phishing
This attack takes a legitimate email and copies or “clones” the email to include a malicious link. This attack can be difficult to spot because it’s based on a previously delivered email. The attackers will also spoof the return email address so that it closely resembles the original sender.
How to combat
Implementing a secure email solution can help detect threats like phishing and spam. Secure IT – Mail includes several security features like Advanced Threat Protection to scan for suspicious email attachments, malware and malicious links. Additionally, you can backup and archive your emails with Secure IT – Mail.
May 13, 2019 | Blog, General, Security Threats
Xwo Malware
Xwo, a newly revealed web service vulnerability scanning malware discovered by Alien Labs, a subsidiary of AT&T, was named after the very dropper which serves as it propagating module with a file named xwo.exe. Unlike a typical ransomware that immediately issues an encryption process against the user files, Xwo was more of a monitoring-type kind of virus. Initial checks show that it plants itself into the system in order to monitor the passwords for certain system services. Once a certain login credential is entered into the system, it will log the information and send it to its authors through its command and control center.
Source: The Threat Report
How do you protect yourself?
Proper security measures must be in place to defend against Xwo Malware and similar threats. Having proper up-to-date endpoint and firewall security provides a cross-generational blend of threat defense techniques to protect systems from malware.
CVE-2019-11561
The Chuango 433 MHz burglar-alarm product line is vulnerable to a Denial of Service attack. When the condition is triggered, the OV2 base station is unable to process sensor states and effectively prevents the alarm from setting off, as demonstrated by Chuango branded products, and non-Chuango branded products such as the Eminent EM8617 OV2 Wifi Alarm System.
Source: CVE
How do you protect yourself?
Ensure you’re updated with the latest firmware patches when available.
MegaCortex Ransomware
The ransomware appears to have been designed to target large enterprise networks as part of carefully planned targeted intrusions –in a tactic that is known as “big-game hunting.”
MegaCortex appears to be just as dangerous as the other “big-game hunting” ransomware strains, with hackers quickly escalating their access to a domain controller, from where they try to deploy the ransomware to as many internal workstations as possible.
Source: ZDNet
How do you protect yourself?
Proper security measures must be in place to defend against MegaCortex Ransomware and similar threats. Ensure your systems have the latest patches installed. Backing up your data and having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.
May 6, 2019 | Blog, General, Security Bulletin
Whether you’re in the office or at home, you’re most likely surrounded by IoT devices. Gartner forecasts that 14.2 billion connected things will be in use in 2019, and that the total will reach 25 billion by 2021. Although these devices help increase productivity and make our lives easier, they are also targeted by cyber attacks. According to Symantec’s 2018 Internet Security Threat Report, IoT attacks went up by 600% between 2016 and 2017. As we start to incorporate more IoT devices into our lives, we need to be aware of the security risks of IoT devices. A survey by digital certificates provider DigiCert found that 25 percent of companies struggling the most with IoT security reported IoT security-related losses of at least $34 million in the last two years.
Source: ZDNet
What are the IoT Security Risks?
One of the biggest challenges in securing IoT is the fact that the attack surface is so large and contains many risks such as vulnerabilities, authentication issues and device and network threats.
Many IoT attacks can also target unconventional devices such as smart refrigerators, printers or baby monitors. Therefore, people might not realize that IoT devices pose a security risk.
Shadow IoT devices, which are active IoT devices that connect to the company network without the company’s IT support, can be easily targeted by hackers. Companies often have no control over these devices so they may lack proper authentication and security features.
IoT devices can be hijacked and used for malicious purposes. For example, the Mirai botnet attack in 2016 took advantage of insecure IoT devices to create a massive denial of service (DDoS) attack. The hackers behind the attack managed to scan for hundreds of thousands of vulnerable IoT devices and use them in DDoS attacks without the device owner’s knowledge.
Malicious actors can hack into insecure IoT devices or IoT apps and use them to spy on people or pinpoint their location. According to the Ponemon Institute, 80% of IoT applications are not tested for vulnerabilities. This is alarming as this means that many IoT apps can be exploited to carry out attacks.
4 Things You Can Do to Reduce IoT Security Risks
Keep Track of Your Devices
Each IoT device in your network has its own potential security risk, which is why it’s important to know your IoT devices. Use proper device identification and authentication so that you can keep track of the devices that are communicating with the network.
Rogue devices can pop up so being able to scan your network for devices is important. Removing devices that are no longer in use and disabling unused features can also help reduce the attack surface.
Use IoT Devices You Can Trust
IoT weaknesses can pose a large security threat to your data. Make sure you use devices that are supported by the manufacturer to ensure that you have access to necessary security patching. Keeping track of patching and firmware upgrades will help defend against exploits.
Follow Basic Cyber Hygiene Practices
Having good cybersecurity hygiene is key in defending against IoT risks. This includes patch management, backing up your data, using encryption and implementing security awareness training. It’s important to continuously monitor your environment for changes and take action when necessary.
Do an Assessment
Any of your IoT devices can be a target of a cyber attack. It’s important to be aware of the impacts each of your devices can pose to your overall network. If one device is compromised, will it affect other devices? What can you do if that happens? Having an assessment can help you prepare for your worst-case scenario. From there, you can implement a security policy/strategy that will help you prepare for any potential issues.
May 6, 2019 | Blog, General, Security Threats
Shellbot Malware
Shellbot, first written about by Jask in February, now uses an old but reliable SSH brute force technique to break into internet-connected Linux servers with weak passwords to infect a system and mine cryptocurrency.
But now the malware has new capabilities allowing it to spread through a network and shut down other cryptominers on infected computers, allowing the malware to free up more processing power for its own cryptomining operation.
The malware has three components. Although it’s not known exactly how the malware is delivered, the researchers found the dropper script used to install the malicious payload from the malware’s command and control server, an IRC chat server, which the hackers can use to check the status of the malware and remotely run commands. Using a 272-line script, the malware checks to see if any other cryptominers are on the system and installs its own. Then, the cryptominer begins mining Monero, a privacy-focused cryptocurrency, and sends the proceeds back to a MoneroHash server.
Source: TechCrunch
How do you protect yourself?
Proper security measures must be in place to defend against Shellbot Malware and similar threats. Having proper up-to-date endpoint and firewall security provides a cross-generational blend of threat defense techniques to protect systems from malware.
CVE-2019-10952
An attacker could send a crafted HTTP/HTTPS request to render the web server unavailable and/or lead to remote code execution caused by a stack-based buffer overflow vulnerability. A cold restart is required for recovering CompactLogix 5370 L1, L2, and L3 Controllers, Compact GuardLogix 5370 controllers, and Armor Compact GuardLogix 5370 Controllers Versions 20 to 30.014 and earlier systems.
Source: NIST
How do you protect yourself?
Ensure you’re updated with the latest firmware patches.
Sodinokibi Ransomware
A recently-disclosed critical vulnerability in Oracle WebLogic is being actively exploited in a slew of attacks, which are distributing a never-before-seen ransomware variant.
The ransomware first came onto researchers’ radar on April 25 (the day before a patch was released), after attackers attempted to make an HTTP connection with a vulnerable Oracle WebLogic server.
Once attackers found a vulnerable server, they sent an HTTP POST request to that server. The request contained a PowerShell command, which downloaded a file called “radm.exe.” That then saved the ransomware locally and executed it.
Once downloaded, the ransomware encrypted the victim’s systems and displayed a ransom note to them, directing victims to a page on the Tor network to a domain (decryptor[.]top) the public web, which was registered on March 31 this year.
Source: ThreatPost
How do you protect yourself?
Proper security measures must be in place to defend against Sodinokibi Ransomware and similar threats. Ensure your systems have the latest patches installed. Backing up your data and having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.
May 2, 2019 | General
Microsoft has announced that Windows Server 2008 and SQL Server 2008 will be reaching end-of support. This means that Microsoft will no longer be updating and patching security vulnerabilities to these products.
Without the patching support your servers will be vulnerable to cyber attacks, data loss and compliance risks. Customers currently using these products will have to upgrade their servers to ensure they continue to receive the necessary security patching updates and meet compliance requirements. The last day of security patching updates for the Windows Server 2008 and SQL Server 2008 are as follows:
- July 9, 2019: SQL Server 2008 and 2008 R2
- January 14, 2020: Windows Server 2008 and 2008 R2
Upgrading Your Servers
To upgrade your servers, you can choose between two options:
1. Upgrade to Azure: Migrate your applications and data to Azure, where you can get Free Extended Security Updates for three more years. Upgrading to Azure can also provide significant cost savings and allow you to adopt the latest innovative technologies.
2. A hybrid upgrade: Upgrade your on-premise applications to Windows Server 2016 or 2019 and SQL Server 2017 or 2019. Take advantage of built-in hybrid cloud capabilities for backup and high availability or migrate later.
To learn more, visit Microsoft’s security brief.
To find out how you can upgrade your servers, contact us for more information.
** A custom extension contract can be purchased from Microsoft to extend updates till 2022 in special circumstances.
Apr 29, 2019 | Blog, General, Security Bulletin
In most cases, a password is the only thing protecting your account from hackers. Despite this, many people fail to choose a strong password. UK’s National Cyber Security Centre recently released a list of the most commonly used passwords and some of the passwords on the list might be shocking in how simple they are. The number one password in the list is ‘123456’ with over 23 million accounts using this password.
When hackers engage in password spray attacks, they’re using simple, common passwords like ‘123456’ to gain access to accounts. And since so many people are using these types of passwords, the hackers are most likely gaining successful entry into multiple accounts. People often reuse the same passwords which means access to one account can mean access to all accounts. With this information, hackers can act as an insider threat, and move around the network undetected. This is why it’s important to take password security seriously. Here are 5 simple things you can do to increase password security.
Use a password manager
A password manager is a program that stores and manages your passwords across all accounts. It’s considered to be more secure because they help create strong, unique passwords. However, they have their pros and cons, which is why it’s important to do your research when considering using a password manager.
Avoid storing passwords on browsers
Storing passwords for your accounts within your browsers is convenient but is also a security risk. You can easily view your saved passwords within your browser settings and see which websites have passwords saved. Normally, you need a master account password to view all your saved passwords. However, if a hacker has access to this master password, they can see all your passwords. Be cautious when storing your passwords and make sure each account has a unique password.
Turn on Multi-Factor Authentication
Multi factor authentication involves using a secondary verification method in addition to a password. This typically includes methods such as sending a code to a mobile number or secondary email account that needs to be entered after your password. In some cases, people use a hardware key that they insert into their computer for verification. You should use multi factor authentication wherever you can. This adds an extra layer of security, and most websites support the use of multi factor authentication.
Always change default passwords
Never use the default password for your accounts or hardware. Hackers can use these default credentials to hack into your devices and conduct botnet attacks. It’s important to change your passwords as soon as a new account or hardware enters your network.
Don’t leave passwords out in plain sight
If you’re writing down your password to remember it, make sure you do it somewhere safely. Writing your password down where anyone can see it, such as on a post it note on your desk, is not a smart idea. If you feel the need to write down your password, consider writing down a hint to your password instead. Overall, it’s best to not have your password written down anywhere. Creating a password that includes phrases or acronyms that is meaningful to you is a good way to have a memorable password.
Security is a team effort. Remind your employees of the importance of having good security habits, like using strong passwords, by engaging them with cyber awareness training.
Apr 29, 2019 | Blog, General, Security Bulletin
Karkoff Malware
It was this month that Talos researchers discovered the new Karkoff .Net malware. The team says that the malware is “lightweight” and permits remote code execution through the C2. There is no obfuscation in play so Karkoff is easily picked apart.
The malware does have an interesting element, however, in that Karkoff generates a log file which stores executed commands with timestamps. If organizations fall victim to Karkoff, they would be able to use this file to review exactly what happened, and where.
Source: ZDNet
How do you protect yourself?
Proper security measures must be in place to defend against Karkoff Malware and similar threats. Having proper up-to-date endpoint and firewall security provides a cross-generational blend of threat defense techniques to protect systems from malware.
CVE-2019-3396
A group of attackers are actively exploiting a critical vulnerability in Atlassian’s Confluence collaboration software to infect servers with the GandCrab ransomware.
The vulnerability, tracked as CVE-2019-3396, is in the software’s Widget Connector that allows users to embed content from YouTube, Twitter and other websites into web pages.
Attackers can exploit the flaw to inject a rogue template and achieve remote code execution on the server. According to Atlassian’s advisory, published March 20, all versions of Confluence Server and Confluence Data Center before versions 6.6.12, 6.12.3, 6.13.3 and 6.14.2 are affected.
Source: CSO Online
How do you protect yourself?
Ensure you’re updated with the latest software patches.
Qbot Banking Trojan
A phishing campaign dropping the Qbot banking Trojan with the help of delivery emails camouflaging as parts of previous conversations was spotted during late March 2019 by the JASK Special Operations team.
Qbot (also known as QakBot and Pinkslipbot) is a quite old yet still active and continuously evolving banking Trojan with worm capabilities, used by malicious actors since at least 2009 [1, 2, 3, 4] to steal financial data and banking credentials from their targets, to drop additional malware, to log user keystrokes, and create a backdoor to compromised machines.
Source: BleepingComputer
How do you protect yourself?
Proper security measures must be in place to defend against Qbot Banking Trojan and similar threats. Backing up your data and having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.
Apr 22, 2019 | Blog, General, Security Bulletin
As an organization, protecting data is vital. Loss of data can lead to a number of problems including downtime and compliance fines. According to Dell’s Global Data Protection Index, the average cost of data loss is nearly $1 million.
Threats like ransomware and accidental deletion are still prevalent and put data at risk to being lost or unrecoverable. Having a reliable backup system in place like Jolera’s Store IT will ensure that your data is protected. Here are five key points to consider when backing up your data.
Source: Dell
1. Choose the Right Type
There are different types of backup such as on-premise, cloud and hybrid. You should consider your current needs as well as anticipate what you may need for the future as well. A scalable, cloud backup might be something you want to consider if you anticipate larger storage needs in the future. If you want the benefits of both the cloud and local backup hybrid backup may be more your speed. Make sure you do your research when deciding on the type of data backup that would be best for your business needs.
2. Secure Encryption
Securing your backup data is important because you want to make sure that it will be available in the event of an emergency. If your data isn’t encrypted and hackers get access to your backups, they’ll be able to access your data. Your data should be encrypted at rest and in transit to ensure its security. All sensitive and important data should be encrypted.
3. Recovery Speed
During a disaster, such as being hit by ransomware, you want to be able to restore your files as soon as possible. Not being able to restore your data on time can decrease productivity and increase downtime. Restoring many files can take a long time due to the size of the files, so you should prioritize restoring business critical data. Your backup should be able to restore your files at a reasonable amount of time.
4. Scheduling Your Backups
Scheduling your backups can take a lot of effort. You need to organize how regularly you want to back up your data, what time you want to do it and what data you will be backing up. You should prioritize backing up the most crucial data and schedule your backups during off peak hours to minimize disruptions to your network.
5. Support
Having access to support, like the 24/7/365 live agent support Jolera provides, is an important aspect to consider for your backup. If things go wrong and you are unable to get assistance as soon as possible, your company is on the line. Being able to reach a live agent when you need support can help ensure that your data is backed up properly and that your restores run smoothly.
