Threats of the Week – April 8, 2019

Xwo Malware

A new form of malware is scanning the internet for exposed web services and default passwords in what’s thought to be a reconnaissance operation – one which might signal a larger cyberattack is to come.

It’s still uncertain how Xwo started spreading or how it gains access to internet-connected machines, but the malware is designed to conduct reconnaissance and send the collected information back to its command and control server in an HTTP POST request.

Xwo collects information about the use of default credentials in services such as FTP, MySQL, PostgreSQL, MongoDB, Redis and Memcached, as well as default credentials and misconfigurations in Tomcat, an open-source implementation of the Java Servlet specification.

The malware also looks for default SVN and Git paths, Git repository format version content, PHP admin details and more. It’s highly likely the bot is surveying weak points that can be exploited in more damaging attacks further down the line.

Source: ZDNet

How do you protect yourself?

Proper security measures must be in place to defend against Xwo Malware and similar threats. Having proper up-to-date endpoint and firewall security provides a cross-generational blend of threat defense techniques to protect systems from malware.

CVE-2019-2027

Android has released its April security bulletin containing details of security vulnerabilities affecting Android devices.

In one of the patches released, the most severe vulnerability could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.

Source: Android

How do you protect yourself?

Update your devices to the latest Android version.

vxCrypter Ransomware

The vxCrypter Ransomware could be the first ransomware that not only encrypts a victim’s data but also tidies up their computer by deleting duplicate files.

When analyzing the ransomware, researchers noticed that it was keeping track of the SHA256 hash of each file it encrypted. If, while encrypting further files, it encountered a file with the same SHA256 hash, it deleted that file instead of encrypting it.

It is not known why the ransomware does this, other than as a possible way to speed up the encryption of a computer.

Source: BleepingComputer

How do you protect yourself?

Proper security measures must be in place to defend against vxCrypter Ransomware and similar threats. Backing up your data and having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.
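As an added example, not code from the article or from the malware, the hash-tracking behaviour described above can be shown as a benign duplicate finder of the kind a responder might run during triage: it records the SHA256 of every file it reads and reports later files whose content it has already seen. The sample files are constructed; the script only reads files and deletes nothing.

```python
"""Hash-based duplicate tracking: record the SHA256 of each file processed and
treat a later file with an identical digest as a duplicate. Added example for
illustration; not code from the original article or from vxCrypter."""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def track_duplicates(root):
    """Walk root and return (first_seen, duplicates).

    first_seen maps digest -> first path seen with that content.
    duplicates lists (path, digest) for later files whose digest was already seen.
    Directory and file names are sorted so the walk order is deterministic."""
    first_seen = {}
    duplicates = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # in-place sort steers os.walk's traversal order
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            digest = sha256_file(path)
            if digest in first_seen:
                duplicates.append((path, digest))
            else:
                first_seen[digest] = path
    return first_seen, duplicates


# Constructed sample tree (not real data): two contents appear twice under
# different names and directories, one file is empty.
SAMPLE_FILES = {
    "report.docx": b"quarterly numbers",
    "backup/report_copy.docx": b"quarterly numbers",
    "notes.txt": b"meeting notes",
    "archive/old_notes.txt": b"meeting notes",
    "budget.xlsx": b"budget 2019",
    "empty.txt": b"",
}


def build_sample_tree(root):
    for rel, data in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def demo():
    """Build the sample tree in a temporary directory and summarise the result."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        first_seen, duplicates = track_duplicates(root)
        return {
            "distinct": len(first_seen),
            "duplicates": sorted(
                os.path.relpath(p, root).replace(os.sep, "/") for p, _ in duplicates
            ),
        }


if __name__ == "__main__":
    print(demo())
```

Note that identity here is content, not name: report_copy.docx in another directory is a duplicate of report.docx. For a victim that means a file the ransomware deleted on a hash match is simply gone; a purchased decryptor has nothing to decrypt, and only a backup restores it.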

Avoid These Mistakes During a Security Crisis

It’s easy to become a hacker these days. Anyone can buy tools for a low cost or find videos online on how to carry out a cyber attack. In these times, your company needs to be prepared for a security crisis, and that includes being able to respond to it in an efficient manner. A survey found that 40% of CEOs expect a crisis in the next 3 years, making it more important now than ever for businesses to be sure of their crisis response.

Security Crisis

Source: PwC

Why Is Crisis Preparation Important?

A crisis comes with no warning. You will never be told when a crisis will happen or what you will face. And when disaster strikes, it can get chaotic. People are panicking, confused and unsure about what to do. With a crisis plan in place, you can remove some of the chaos and uncertainty because your business will already have a framework to work from. Your ability to respond to a crisis will only be as good as your preparedness for it.

How a business responds to a crisis is also important for public perception. Seeing a business in panic mode or being unsure of what to do does not inspire confidence in stakeholders or consumers.

5 Common Mistakes Made During a Crisis

Everyone in your organization needs to work together in order to manage a crisis. Here are some common business mistakes your business should avoid.

1. Not taking enough preventative measures: When a crisis occurs, the questions that often come up are “how did this happen?” and “why couldn’t we stop this from happening?” It’s important to have a combination of good security solutions and excellent security habits in place in order to have a good security posture. For example, many companies could have avoided being hit by WannaCry ransomware if they had installed security patches that were released two months prior to the attacks. A simple act like making sure your systems are updated can make all the difference.

2. Underestimating a security incident: Unusual behaviour like multiple login attempts might not seem suspicious initially, but it could be an indicator of attempted compromise. It’s important that you don’t discount anything during a crisis. Security incidents often start small, but they can end up having a great impact.

3. Not responding quickly enough: Detecting a data breach as quickly as possible is crucial, not only for preventing a threat from spreading but also for keeping the business productive. It’s important to respond to any suspicious activity as soon as possible. Having a SIEM system like Secure IT – SIEM in place can help detect threats and prevent them from spreading.

4. Lack of communication: Clear communication within your organization and externally to partners, the media, customers, etc. is incredibly important during a crisis. Your organization needs to clearly communicate with each other in order to make sure that the crisis is being handled efficiently. You don’t want an employee accidentally making the situation worse due to unclear instructions. When a crisis hits, public perception is important. You don’t want your company to look like it’s hiding information from the public. Being transparent with the media and alerting customers as soon as possible is crucial.

5. Lack of training: Having a plan in place is a good start, but it’s not enough. You need to put that plan into action by training your employees on how to respond to a security crisis. Running training exercises can help improve your plan and give employees the opportunity to learn their roles during a crisis.

Threats of the Week – April 1, 2019

Gustuff Malware

A previously unreported advanced banking trojan named Gustuff can steal funds from accounts at over 100 banks across the world and rob users of 32 cryptocurrency Android apps.

The malware includes code to target top international banks such as Bank of America, Bank of Scotland, J.P.Morgan, Wells Fargo, Capital One, TD Bank, and PNC Bank. It also searches for cryptocurrency wallet apps like Bitcoin Wallet, and for wallets from services such as BitPay, Cryptopay, Coinbase, and more.

The malware relies on a relatively rare tactic to access and automatically change text fields in targeted apps. On compromised devices, Gustuff uses Android Accessibility services to interact with screens from other apps.

Gustuff spreads to other mobile devices by reading the contact list of the compromised phone and sending out messages with a link to its APK installation file.

Source: BleepingComputer

How do you protect yourself?

Proper security measures must be in place to defend against Gustuff Malware and similar threats. Having proper up-to-date endpoint and firewall security provides a cross-generational blend of threat defense techniques to protect systems from malware.

CVE-2019-9810

Mozilla has released patches for security vulnerabilities in Thunderbird.

In general, these flaws cannot be exploited through email in Thunderbird because scripting is disabled when reading mail, but they are potential risks in browser or browser-like contexts.

Incorrect alias information in the IonMonkey JIT compiler for the Array.prototype.slice method may lead to a missing bounds check and a buffer overflow.

Source: Mozilla

How do you protect yourself?

Update Thunderbird to version 60.6.1.

LockerGoga Ransomware

The LockerGoga ransomware that’s been targeting industrial and manufacturing companies in early 2019 contains a coding error that could potentially be exploited to stop it from encrypting files, researchers say.

The mistake pertains to how the malware handles .lnk file extensions.

According to Alert Logic, LockerGoga scans compromised machines to assess what files they are hosting. If LockerGoga identifies any .lnk file extensions, which are used by Microsoft Windows to point to executable files, then the malware attempts to resolve their paths.

Source: SC Magazine

How do you protect yourself?

Proper security measures must be in place to defend against LockerGoga Ransomware and similar threats. Backing up your data and having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.

4 Tips to Keep Up with Compliance Regulations

Governments all over the world are noticing an increasing amount of cyber attacks and data breaches and are starting to take action. For example, the California Consumer Privacy Act is set to go into effect on January 1, 2020, affecting companies doing business in California. More countries are expected to continue updating their laws or create new ones as privacy concerns increase and the cybersecurity landscape continues to change. However, it can be difficult keeping up with all the changes.

compliance regulations

Source: Office of the Privacy Commissioner of Canada

Challenges With Compliance

Compliance regulations differ across industries and countries. Industries that work with sensitive information, such as financial and healthcare sectors, are more tightly regulated than others.

It’s difficult to keep up with constant regulatory changes, as business needs and technologies can affect your efforts. But organizations that fail to comply with regulations face a wide variety of consequences, including fines, legal repercussions and stakeholder or customer dissatisfaction.

How Can My Business Manage Changing Compliance Regulations?

Conduct Assessments: Conducting an assessment on your IT infrastructure will help bring attention to gaps or areas in your network that need improvements. An assessment can look at your current compliance efforts and make suggestions or point out potential risks to ensure you’re properly compliant. Depending on the industry your business is in, an assessment can specifically look at the regulations that directly impact your business. If you’re interested in receiving an assessment, you can contact us for one today.

Use SIEM: Compliance regulations are putting more emphasis on detecting and reporting breaches. Consumers are becoming increasingly concerned with privacy and data leaks, which is why breach reporting is important. Having a Security Information and Event Management (SIEM) system like Secure IT – SIEM in your network will help protect your data by detecting threats using behavioural analysis. This will help keep your business compliant by monitoring and remediating events.

Subscribe to newsletters: The laws are constantly changing, and the best way to get the most accurate news is to subscribe to government and legislative newsletters. In addition, you should also subscribe to reputable news sources that focus on the industry your business is in. Those sources will usually have the most pertinent, up-to-date information. You can also bookmark government websites and check them regularly, or subscribe to Google Alerts.

Hire a Compliance Officer: If you are able to, hiring a compliance officer will help ensure your company stays informed of the latest compliance requirements. This person should be well versed in national and international regulatory guidelines and standards and understand your business needs. Your compliance officer should help develop and drive your business strategies and help you understand the regulations. If

Threats of the Week – March 25, 2019

Mirai malware

Security researchers have spotted a new variant of the Mirai IoT malware in the wild targeting two new classes of devices – smart signage TVs and wireless presentation systems.

The botnet’s author(s) appears to have invested quite a lot of their time in upgrading older versions of the Mirai malware with new exploits.

Palo Alto Networks researchers say this new Mirai botnet uses 27 exploits, 11 of which are new to Mirai altogether, to break into smart IoT devices and networking equipment.

Furthermore, the botnet operator has also expanded Mirai’s built-in list of default credentials, which the malware uses to break into devices that still use default passwords. Four new username and password combinations have been added to Mirai’s considerable list of default credentials, researchers said in a report.

Source: ZDNet

How do you protect yourself?

Proper security measures must be in place to defend against Mirai malware and similar threats. Having proper up-to-date endpoint and firewall security provides a cross-generational blend of threat defense techniques to protect systems from malware.

CVE-2019-9790

A use-after-free vulnerability in Firefox can occur when a raw pointer to a DOM element on a page is obtained using JavaScript and the element is then removed while still in use. This results in a potentially exploitable crash.

Source: Mozilla

How do you protect yourself?

Update Firefox to Firefox 66.

JNEC.a Ransomware

A new ransomware called JNEC.a spreads through an exploit for the recently reported code execution vulnerability in WinRAR’s handling of ACE archives. After encrypting a computer, it generates a Gmail address that the victim must create in order to receive the file decryption key once they pay the ransom.

Once executed, the ransomware encrypts data on the computer and appends the .Jnec extension to the file’s original one. The price for the decryption key is 0.05 bitcoins (about $200).

The interesting part is that the malware author chose an unusual method to deliver the file decryption keys: the ID number unique to each affected computer doubles as the Gmail address to which the key is delivered.

Source: BleepingComputer

How do you protect yourself?

Proper security measures must be in place to defend against JNEC.a Ransomware and similar threats. Backing up your data and having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.

4 Tips for Detecting Data Breaches

When a data breach happens on one of your systems, how fast do you think you can prevent it from spreading? Moreover, how fast do you think you need to act?

A recent threat report found that hackers from Russia were able to access critical systems in 20 minutes, the fastest in the world.

Finding and containing a breach in less than 20 minutes is not easy. In fact, the average time it takes for an organization to detect a breach is about 6.5 months (197 days), while the average time to contain a breach is 69 days. This is why when a data breach is disclosed, it’s often months after it actually occurred.

Being able to limit a data breach can prevent more data from being lost and decrease associated costs, including compliance fines. This means that companies should aim to find and contain breaches as soon as possible.

Source: Ponemon Institute

Who Detects Breaches

Being able to internally detect security alerts is important for your company. Internal detection (from security systems, IT/security experts, employees, etc.) can save your business embarrassment from lack of security self awareness and perhaps put a stop to the breach earlier. However, a majority of breaches are usually detected by external parties, such as third-party providers, law enforcement and in some cases, consumers.

Why Does Breach Detection Take So Long?

When Marriott disclosed their data breach in November last year, they said that they first learned of the breach in September 2018. That’s about two months between the disclosure and discovery. They also found that hackers had been accessing their systems since November 2014. That’s a four year gap between the initial compromise and the time they discovered the breach!

The amount of time it takes to discover a data breach depends on the type of attack. For example, stolen credit card information is often not detected until fraudulent activity is determined. In the case of a third-party breach, a company won’t know they’re at risk until they are told by the third party.

On the other hand, a cyber criminal who manages to hack privileged credentials can get away with snooping around their victim’s network undetected.

How Can I Protect My Business Data?

1. Identification: It’s important to be aware of key indicators of compromise and know how to identify them. Such signs can include multiple login attempts, slow internet traffic, unusual login activity (e.g. from unexpected countries or unknown devices), unauthorized users trying to access confidential data, and so on. It’s important to teach your employees these types of signs so that they can help prevent potential attacks.

2. Detection: Using automated security tools like a SIEM system is vital in detecting potential attacks. SIEM uses behavioural analytics to detect suspicious activity across your network. It does this by collecting data from all your devices and correlating it with global threat intelligence feeds and use cases. SIEM can detect behaviours like multiple logins, access from suspicious IP addresses and more. Automated tools like SIEM are faster than relying solely on teams to detect threats and are therefore important in protecting your data.

3. Monitoring: In order to determine what seems suspicious, you need to monitor your networks to establish a baseline. Our Monitor IT solution provides real-time reporting on your IT infrastructure and systems to ensure your infrastructure’s uptime, availability and performance. The technicians in our Network Operations Centre will monitor your infrastructure and bring attention to availability and operating performance.

4. Prevention: Active prevention through human insight and security solutions like next generation firewalls is a continuous process. Threats are always changing and evolving, which is why it’s important to stay up-to-date. As part of your prevention process, you should conduct regular cyber awareness training for your employees so they can spot common attacks and navigate the web safely. In conjunction with that, use preventative security solutions like firewalls to block malware from entering your network.
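The crisis-response article above warns that repeated login attempts are easy to dismiss, and the Identification and Detection tips here list the same indicators: bursts of failed logins and logins from countries a user has never been seen in. The following is an added example, not code from the original post or from any product it mentions, of the detection logic a SIEM rule would apply to authentication events. The log format, hosts, usernames and country codes are constructed for illustration, and the threshold and window are assumptions to tune against your own baseline.

```python
"""Two SIEM-style detections over authentication events: a sliding-window count of
failed logins per source address, and a successful login from a country that is new
for that user. Added example; the log format below is constructed, not a real product's."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not captured from a real system). The addresses are
# documentation ranges and "XX" stands in for an unexpected country code.
SAMPLE_LOG = """\
2019-04-08T09:00:01Z auth user=alice src=203.0.113.5 country=CA result=success
2019-04-08T09:00:05Z auth user=bob src=198.51.100.7 country=CA result=failure
2019-04-08T09:00:06Z auth user=bob src=198.51.100.7 country=CA result=failure
2019-04-08T09:00:07Z auth user=carol src=198.51.100.7 country=CA result=failure
2019-04-08T09:00:08Z auth user=dave src=198.51.100.7 country=CA result=failure
2019-04-08T09:00:09Z auth user=erin src=198.51.100.7 country=CA result=failure
2019-04-08T09:00:10Z auth user=frank src=198.51.100.7 country=CA result=failure
2019-04-08T09:20:00Z auth user=alice src=192.0.2.44 country=XX result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"country=(?P<country>\S+) result=(?P<result>success|failure)$"
)


def parse_line(line):
    """Return an event dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def parse_log(text):
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def detect_failed_login_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Alert once per source that reaches `threshold` failures inside one sliding
    window. Counting per source rather than per user catches password spraying,
    where each username is tried only once or twice."""
    recent = defaultdict(deque)
    flagged = set()
    alerts = []
    for ev in events:
        if ev["result"] != "failure":
            continue
        q = recent[ev["src"]]
        q.append(ev)
        while q and ev["ts"] - q[0]["ts"] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold and ev["src"] not in flagged:
            flagged.add(ev["src"])
            users = sorted({e["user"] for e in q})
            alerts.append({"src": ev["src"], "failures": len(q), "users": users})
    return alerts


def detect_new_country_logins(events, baseline_events=()):
    """Alert on a successful login from a country not yet seen for that user.
    Countries from known-good baseline events seed the per-user set; within the
    current batch, a user's first country is also accepted as baseline."""
    seen = defaultdict(set)
    for ev in baseline_events:
        if ev["result"] == "success":
            seen[ev["user"]].add(ev["country"])
    alerts = []
    for ev in events:
        if ev["result"] != "success":
            continue
        if seen[ev["user"]] and ev["country"] not in seen[ev["user"]]:
            alerts.append({"user": ev["user"], "src": ev["src"], "country": ev["country"]})
        seen[ev["user"]].add(ev["country"])
    return alerts


def run_detections(text):
    events = parse_log(text)
    return {
        "bursts": detect_failed_login_bursts(events),
        "new_country": detect_new_country_logins(events),
    }


if __name__ == "__main__":
    for kind, alerts in run_detections(SAMPLE_LOG).items():
        for alert in alerts:
            print(kind, alert)
```

On the sample data the burst rule fires once for 198.51.100.7 after its fifth failure (four different usernames in four seconds), and the country rule fires for alice's second login. The same five failures spread two minutes apart would not fire, which is the trade-off the window encodes: it suppresses noise from ordinary typos at the cost of missing a very slow attempt.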

Threats of the Week – March 18, 2019

Ursnif banking Trojan

A new variant of an infamous banking Trojan with a history going back over ten years has emerged with new tactics to ensure it’s harder to detect. The malware aims to hunt out financial information, usernames, passwords and other sensitive data.

The Ursnif banking Trojan is one of the most popular forms of information-stealing malware targeting Windows PCs, and it has existed in one form or another since at least 2007, when its code first emerged in the Gozi banking Trojan.

Now researchers at security company Cybereason have uncovered a new, previously undocumented version of Ursnif which applies different, stealthier infection tactics than other campaigns.

This includes what researchers refer to as “last minute persistence” – a means of installing the malicious payload which tries to ensure a lower chance of being uncovered.

Source: ZDNet

How do you protect yourself?

Proper security measures must be in place to defend against Ursnif banking Trojan and similar threats. Having proper up-to-date endpoint and firewall security provides a cross-generational blend of threat defense techniques to protect systems from malware.

CVE-2019-7095

Adobe has released a security update for Adobe Digital Editions. This update resolves a critical vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user. Affected versions are 4.5.10.185749 and below.

Source: Adobe

How do you protect yourself?

Update Adobe Digital Editions to version 4.5.10.186048.

GlitchPOS Malware

A new insidious malware bent on siphoning credit-card numbers from point-of-sale (PoS) systems has recently been spotted on a crimeware forum.

Researchers at Cisco Talos said in a Wednesday analysis that they discovered the malware, dubbed “GlitchPOS,” being peddled on the Dark Web for $250. The malware first appeared on Feb. 2, and researchers said they don’t know yet how many cybercriminals bought it or are using it.

The malware is spread via email, purporting to be a game involving “various pictures of cats.”

Source: ThreatPost

How do you protect yourself?

Proper security measures must be in place to defend against GlitchPOS Malware and similar threats. Backing up your data and having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.

3 Reasons Why Cybersecurity Is Everyone’s Responsibility

Cybersecurity affects every employee – from the executive team to HR, sales, marketing, etc. For this reason, cybersecurity should be everyone’s responsibility. But not all employees understand this. A survey by Citrix found that 40% of employees believe that they bear no responsibility for securing information. Cybersecurity is often thought of as a job for a company’s IT department; it makes sense as they are the tech experts who would most understand how to keep a business secure. But your employees are at risk every time they log onto their computers. Therefore, a company shouldn’t rely solely on one team for security. Everyone must work together to achieve security. Here are three reasons why cybersecurity is everyone’s responsibility.

Source: Help Net Security

Every Employee Is A Potential Target

Employees engage in activities that put them at risk, whether they realize it or not. Coming across a suspicious link while browsing or receiving a spam email can happen to anyone. Those who work with confidential information may find themselves more likely to be a target.

The first step of a cyber attack is reconnaissance, where hackers research their targets beforehand. A simple LinkedIn search can show a hacker a wealth of people to target. From there they can find other social media accounts to further get information on how to tailor their attacks. They can target employees through a variety of ways such as phishing, impersonation and other social engineering tactics. Employees need to understand that their actions have an impact on your company’s security. They should be trained regularly on the cyber threat landscape and learn to engage in cyber safe habits.

Technology Isn’t a One Stop Solution

Having next generation security technologies like firewalls and SIEM systems is key to limiting cyber attacks and protecting your data. But technology can only do the initial blocking of an attack. Whether a person clicks on a malicious link in their email or responds to an email containing CEO fraud is up to them.

There are also some attacks that technology may not be able to prevent, such as vishing. Vishing is a form of phishing where hackers call their targets to extract information instead of emailing them. Thus, your employees must work in conjunction with technology to protect themselves.

Cybersecurity Policies and Procedures Apply to Everyone

Having a strong cybersecurity culture is key to engaging employees with cybersecurity. A solid cybersecurity culture will include procedures and policies that ensure all employees meet the same security standards, such as every employee needing to change their password every 30 days. This will also show employees that they are a vital part in keeping your business safe. Updating your procedures and policies regularly will help reinforce your security mandates with your employees.

Threats of the Week – March 11, 2019

StealthWorker Malware

Hackers are running a new campaign which drops the StealthWorker brute-force malware on Windows and Linux machines, which are then used to brute-force other computers in a series of distributed brute-force attacks.

As later discovered, the malware is capable of exploiting a number of vulnerabilities to infiltrate Magento, phpMyAdmin and cPanel content management systems (CMSs), as well as brute-forcing its way in if everything else fails.

While previously the StealthWorker payload was observed being dropped on targeted servers with the help of the double-packed WallyShack Trojan downloader, the new campaign has switched to a brute-force-only approach aimed at any vulnerable host with weak or default credentials.

Source: BleepingComputer

How do you protect yourself?

Proper security measures must be in place to defend against StealthWorker malware and similar threats. Having proper up-to-date endpoint and firewall security provides a cross-generational blend of threat defense techniques to protect systems from malware.

CVE-2019-7816

Adobe has released security updates for ColdFusion versions 2018, 2016 and 11. These updates resolve a critical vulnerability that could lead to arbitrary code execution in the context of the running ColdFusion service.

Adobe is aware of a report that CVE-2019-7816 has been exploited in the wild.

Source: Adobe

How do you protect yourself?

Adobe recommends customers apply the security configuration settings as outlined on the ColdFusion Security page as well as review the respective Lockdown guides.

CryptoMix Ransomware

A new CryptoMix Ransomware variant has been discovered that appends the .CLOP or .CIOP extension to encrypted files. Of particular interest is that this variant now indicates that the attackers are targeting entire networks rather than individual computers.

This variant is currently being distributed using executables that have been code-signed with a digital signature. Doing so makes the executable appear more legitimate and may help to bypass security software detections.

Source: BleepingComputer

How do you protect yourself?

Proper security measures must be in place to defend against CryptoMix Ransomware and similar threats. Backing up your data and having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.

The Formjacking Threat Explained

Last year, several retailers fell victim to a cyber attack that exposed the payment information of several of their customers. One well known example is the British Airways breach that affected more than 380,000 passengers. All of these retailers were targets of an attack known as formjacking. Formjacking is not a new attack but it is seeing a rise in the threat landscape. According to a new report by Symantec, formjacking attacks affect an average of more than 4,800 websites each month. As companies start to get more savvy in blocking attacks, hackers will be looking to use more creative ways, like formjacking, to target businesses.

formjacking

Source: BleepingComputer

What is Formjacking?

Formjacking is a type of website hijacking in which hackers inject malicious code into websites to steal user information. Formjacking tends to target retail websites in order to steal credit card information. It’s important to note that formjacking is not an infection that spreads to your network, but a code injection embedded in websites.

How Formjacking Works

A hacker will inject a malicious script into the payment section of a website. When a user on the infected website uses the payment form to check out, the script copies the details entered by the user and sends them to the hackers. These attacks go undetected because the website continues to operate normally. Thus, users are giving their information to hackers without even realizing it.

4 Preventative Measures You Can Take

1. Don’t enter payment information directly: When making online purchases, try to avoid using the website payment form by using a payment service like PayPal instead. Customers who use PayPal are redirected to the PayPal website when making the purchase. Since your payment information is entered in a separate website, your information will not be compromised. Using mobile payment options like Apple Pay or Google Pay will also help hide your payment information, which makes it harder to steal.

2. Monitor Outbound Traffic with SIEM: Security Information and Event Management (SIEM) systems use behavioural analytics to detect threats with the help of use cases. Using a SIEM system like Secure IT – SIEM can help detect suspicious activity like increased outbound traffic. If your traffic activity is looking suspicious, it might be time to investigate your website for malicious code.

3. Review third-party scripts: Formjacking attacks are also affecting businesses via third-party providers. Ticketmaster was breached last year via a third-party chat bot it uses for customer support. It’s important for businesses to do their research when partnering with a third party and ensure they are properly audited. Companies should also look to reduce the number of third-party scripts on their websites and only keep those that are essential.

4. Conduct a vulnerability assessment: Vulnerabilities tend to be discovered once they start doing damage. A vulnerability assessment will analyze your systems and networks to help you detect and address security gaps. This can help your organization address security gaps and issues before they become a larger problem. Catching malicious script in your website before it can do damage to your brand and customers is key. Have your websites scanned for malicious code when doing your assessment. If you’d like to conduct a vulnerability assessment, contact Jolera today.
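To make measures 3 and 4 concrete, here is an added example (not code from the original article or from any vendor it names) that audits a checkout page's HTML for the ingredients formjacking relies on: third-party scripts loaded without Subresource Integrity, inline scripts, and forms that post anywhere other than the site itself. It also builds a Content-Security-Policy header that pins where scripts may load from and where forms and requests may send data, so an injected script has nowhere to send card details. The HTML, hostnames and the integrity value are constructed placeholders; only the Python standard library is used.

```python
"""Static audit of a checkout page for formjacking exposure, plus a CSP that limits
where data can be sent. Added example with constructed input; not the article's code."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class CheckoutAuditor(HTMLParser):
    """Collects (finding_type, detail) pairs while parsing one HTML document."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []
        self._in_inline_script = False
        self._inline_len = 0

    def _host(self, url):
        # None for relative URLs, which stay on the site's own origin
        return urlparse(url).hostname

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            src = a.get("src")
            if src is None:
                self._in_inline_script = True
                self._inline_len = 0
            else:
                host = self._host(src)
                # A third-party script pinned with an integrity hash cannot be swapped
                # for a skimmer on the provider's side without the browser refusing it.
                if host and host != self.site_host and "integrity" not in a:
                    self.findings.append(("third_party_script_without_sri", src))
        elif tag == "form":
            host = self._host(a.get("action", ""))
            if host and host != self.site_host:
                self.findings.append(("form_posts_off_site", a.get("action")))

    def handle_data(self, data):
        if self._in_inline_script:
            self._inline_len += len(data.strip())

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline_script:
            self._in_inline_script = False
            if self._inline_len:
                # Inline scripts cannot carry SRI; each one needs a review or a CSP nonce.
                self.findings.append(("inline_script", f"{self._inline_len} chars"))


def audit_checkout_html(html, site_host):
    p = CheckoutAuditor(site_host)
    p.feed(html)
    p.close()
    return p.findings


def suggest_csp(allowed_script_hosts=(), allowed_form_hosts=()):
    """Build a Content-Security-Policy value. script-src restricts where scripts load
    from, form-action where forms may submit, connect-src where fetch/XHR may go; a
    hijacked form or injected script posting to an unlisted host is blocked by the browser."""
    scripts = " ".join(["'self'"] + sorted(f"https://{h}" for h in allowed_script_hosts))
    forms = " ".join(["'self'"] + sorted(f"https://{h}" for h in allowed_form_hosts))
    return (
        f"default-src 'self'; script-src {scripts}; "
        f"connect-src {scripts}; form-action {forms}"
    )


# Constructed checkout page: one pinned payment script, one unpinned chat widget,
# one inline script, one legitimate form and one form posting to an unknown host.
# "sha384-PLACEHOLDER" stands in for a real base64 digest.
SAMPLE_HTML = """
<html><head>
<script src="https://cdn.example-payments.test/checkout.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://chat.example-widget.test/widget.js"></script>
<script>window.__cfg = {};</script>
</head><body>
<form action="/checkout" method="post"><input name="card"></form>
<form action="https://collect.example-bad.test/p" method="post"><input name="cvv"></form>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_checkout_html(SAMPLE_HTML, "shop.example.test"):
        print(*finding)
    print(suggest_csp(["cdn.example-payments.test"]))
```

Run against your own checkout markup on a schedule and diff the findings: a new unpinned third-party script or a form action that changes host is exactly the change a formjacking injection produces, and it shows up long before fraudulent charges do.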