3 Ways Privileged User Accounts Act as Your Biggest Security Threat

Privileged user accounts are used for some of the most critical parts of a business, such as managing infrastructure and providing access to critical data for day-to-day activities. However, because privileged users have such broad access to your organization, they are also a security threat. According to a report by Centrify, privileged credential abuse is involved in 74% of breaches.

Source: Centrify

What is a Privileged User Account?

Privileged user accounts are those with elevated access and permissions to systems, data or endpoints, beyond what a standard user has. These accounts can be used to modify data, change configuration or grant permissions to other accounts. They are typically held by administrators and by people who work with critical data and infrastructure, such as C-level executives or senior managers. Here are three common types of privileged account most organizations use:

1. Local admin accounts: These accounts provide administrative access to a single host. They are commonly used to perform maintenance on that machine.
2. Domain admin accounts: These privileged accounts have administrative access to every workstation and server joined to the domain.
3. Service accounts: These accounts are used by applications and scheduled jobs to run and to reach other systems. They are often granted more access than they need and rarely have their passwords rotated.

Privileged Users Are a Security Weakness

Privileged user accounts can act as a security threat because it is easy for users to abuse their access without getting caught. Here are three reasons why your privileged users are your biggest security weakness.

1. Cyber criminals target privileged users: According to Verizon's 2019 Data Breach Investigations Report, senior executives are 12 times more likely to be the target of a social engineering attack. Privileged users are targets because their accounts give an attacker an immediate foothold in your network. Once attackers hold privileged credentials, they can change permissions for other users and move around undetected; they might even try to infect other users by sending malicious links. Because the activity comes from what looks like a normal user, it may not immediately raise any red flags.

2. Accounts are difficult to manage: Privileged users are hard to manage because as employees change roles, their permissions and access change as well. It can be difficult for organizations to keep track of the permissions each role requires, and to make sure that unused accounts are deleted and that permissions are removed when they are no longer required.

3. They can act as insider threats: Because privileged accounts have such broad access, it is hard to tell whether a user is acting maliciously. If a privileged user is accessing confidential data, are they doing it because it's part of their job or because they are trying to leak sensitive information? They may also act as an insider threat unintentionally, for example by granting another user access without checking whether there is a genuine business need for it.

Securing Your Privileged Users

Since privileged users hold the keys to an organization, it’s important that organizations take necessary precautions to guard these accounts. Here are three things organizations can do to secure their privileged users.

1. Use a Zero Trust model: The foundation of Zero Trust is "never trust, always verify". To incorporate Zero Trust into your organization you need to build it into your security architecture. The strategy should include continuous verification of users, devices and their access. User accounts should have multi-factor authentication enabled, and end devices connected to the network should be protected with endpoint security. Privileged access should be limited to those who need it, and granted only for as long as they need it.

2. Implement behavioural analytics: An automated detection system such as Secure IT SIEM can help monitor user activity and detect potential threats. A SIEM gives you visibility into your network by collecting data from devices and analysing user behaviour. It can detect indicators of a potential insider threat or a compromised privileged account, such as logins at unusual hours, logons from unusual hosts, or access to unusual data or systems.

3. Understand your privileged accounts: Find out where privileged accounts exist within your organization, including local admin and service accounts, and create an inventory of them. This will help you understand your company's risk exposure. Make sure any privileged accounts that are no longer in use are disabled and then deleted.
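As an added example (not code from the original post, and not how Secure IT SIEM works internally), the following Python shows the kind of behavioural check step 2 describes, run against the privileged-account inventory step 3 asks for. The account names, the logon events and the `svc-` naming convention for service accounts are constructed assumptions; the record format is a simplified version of the fields a Windows logon event carries, so a real deployment needs a real parser in front of it.

```python
"""Flag privileged-account logons that fall outside each account's usual hours
or that use a logon type the account should never use.

Added example; not the page's code and not Secure IT SIEM's logic. The
privileged-account list and the events are constructed for illustration in a
simplified "timestamp|account|logon_type|source_host" form.
"""
from datetime import datetime

# Constructed: the privileged-account inventory the article recommends building.
PRIVILEGED_ACCOUNTS = {"CORP\\da-jsmith", "CORP\\svc-backup"}

# Windows logon types: 2 = interactive console, 5 = service, 10 = RDP.
INTERACTIVE_LOGON_TYPES = {2, 10}

# Constructed sample events.
SAMPLE_LOG = """\
2019-05-20T09:03:11|CORP\\da-jsmith|10|WS-0142
2019-05-20T10:17:45|CORP\\da-jsmith|10|SRV-DC01
2019-05-20T14:22:03|CORP\\da-jsmith|10|SRV-FILE02
2019-05-21T08:55:29|CORP\\da-jsmith|10|WS-0142
2019-05-21T16:40:12|CORP\\da-jsmith|10|SRV-DC01
2019-05-22T02:14:07|CORP\\da-jsmith|10|SRV-DC02
2019-05-20T01:00:00|CORP\\svc-backup|5|SRV-BK01
2019-05-21T01:00:02|CORP\\svc-backup|5|SRV-BK01
2019-05-22T13:30:51|CORP\\svc-backup|10|WS-0077
2019-05-22T13:31:00|CORP\\bob|2|WS-0077
"""


def parse_events(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, logon_type, host = line.split("|")
        events.append({"time": datetime.fromisoformat(ts), "account": account,
                       "logon_type": int(logon_type), "host": host})
    return events


def learn_baseline(events, cutoff):
    """Earliest and latest logon hour seen per account before `cutoff`."""
    window = {}
    for e in events:
        if e["time"] >= cutoff:
            continue
        h = e["time"].hour
        lo, hi = window.get(e["account"], (h, h))
        window[e["account"]] = (min(lo, h), max(hi, h))
    return window


def detect(events, cutoff, tolerance=1):
    """Return (account, indicator, time, host) for suspicious privileged logons
    at or after `cutoff`, judged against the baseline learned before it."""
    baseline = learn_baseline(events, cutoff)
    alerts = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["time"] < cutoff or e["account"] not in PRIVILEGED_ACCOUNTS:
            continue
        when = e["time"].isoformat()
        h = e["time"].hour
        if e["account"] not in baseline:
            alerts.append((e["account"], "no-baseline", when, e["host"]))
        else:
            lo, hi = baseline[e["account"]]
            if not (lo - tolerance <= h <= hi + tolerance):
                alerts.append((e["account"], "unusual-hour", when, e["host"]))
        # A service account should never log on interactively; when it does,
        # a person (or an attacker) is using its credentials.
        name = e["account"].split("\\")[-1]
        if name.startswith("svc-") and e["logon_type"] in INTERACTIVE_LOGON_TYPES:
            alerts.append((e["account"], "interactive-service-logon", when, e["host"]))
    return alerts


def run_sample():
    """Learn from the first two days of the sample, detect on the third."""
    return detect(parse_events(SAMPLE_LOG), datetime(2019, 5, 22))


if __name__ == "__main__":
    for alert in run_sample():
        print(*alert)
```

On the sample data this raises three alerts: the domain admin logging on to a domain controller at 02:14, and the backup service account being used for an RDP session in the afternoon (both outside its hours and with a logon type it never uses). The hour window is deliberately crude; a production SIEM would also key on source host, logon type and day of week, but the shape of the check is the same.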

Threats of the Week – May 21, 2019

ELECTRICFISH Malware

The malware implements a custom protocol that allows traffic to be tunneled between a source and a destination Internet Protocol (IP) address. The malware continuously attempts to reach out to both the source and the destination system, which allows either side to initiate a tunneling session. It can be configured with a proxy server/port and a proxy username and password. This feature allows connectivity to a system sitting behind a proxy server, which lets the actor bypass the compromised system's required authentication to reach outside of the network.

Source: National Cybersecurity and Communications Integration Center

How do you protect yourself?

Proper security measures must be in place to defend against ELECTRICFISH and similar threats. Keep endpoint and firewall protection up to date, and watch for unexpected outbound connections and proxy authentication from hosts that have no business reaching the internet directly, since the malware depends on such a tunnel to reach its operator.

CVE-2019-7841

Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address critical and important vulnerabilities.  Successful exploitation could lead to arbitrary code execution in the context of the current user.

Source: Adobe

How do you protect yourself?

Ensure your Adobe software is updated to the latest version.

ScarCruft APT

The ScarCruft Korean-speaking APT is changing up its espionage tactics to include an unusual piece of malware devoted to harvesting Bluetooth information – while also showing some overlap with the DarkHotel APT.

An analysis of ScarCruft’s binary infection procedure by Kaspersky Lab shows that in a campaign that continued over the course of 2018, the group used a multi-stage process to update each of its malware modules effectively while also evading detection.

The researchers said that spear-phishing and the use of various public exploits remain ScarCruft's go-to initial attack vectors. Once the victim is compromised, the attack installs an initial dropper, which uses a known exploit for CVE-2018-8120 (a Win32k elevation-of-privilege bug) together with a Windows User Account Control (UAC) bypass to execute the next payload, a downloader, with higher privileges. This stage connects to the command-and-control (C2) server to grab the next payload, which is hidden inside an image using steganography.

Source: ThreatPost

How do you protect yourself?

Proper security measures must be in place to defend against ScarCruft APT and similar threats. Ensure your systems have the latest patches installed. Backing up your data and having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.

Four Phishing Attacks to Look Out For

Phishing attacks are still prevalent and organizations are continuously being targeted. According to a report from Proofpoint, 83% of businesses say they experienced a phishing attack in 2018. Phishing attacks are used to steal credentials/data and spread malware and ransomware to businesses. Just last month the city of Ottawa fell victim to a phishing scam and wired $130,000 to scammers.

Source: Proofpoint

Phishing attacks work because hackers are good at making their messages seem legitimate and people are not always paying attention when reading emails. Here are 4 types of phishing attacks and steps you can take to combat them.

1. Phishing messages via SMS or Messaging apps

Although phishing emails are still prevalent, hackers are also utilizing other forms of communication, such as text messaging and messenger apps, to target potential victims. These types of phishing attacks are similar to what you’ll see in email; the only difference is the method of communication. For example, instead of getting an email saying your account is compromised, you will get a message via text with a link. In some cases, they may send a phishing email but request the correspondence to continue via text and ask for your mobile number.

How to combat

Education and awareness are key to fighting phishing attacks. Employees should be enrolled in cyber awareness training at least once a year so that they are up to date on the latest attack vectors. Cyber awareness training also helps employees think more critically when navigating online and build good security habits. They should never engage with unknown senders or click on links in suspicious messages, whatever channel they arrive on.

2. Business Email Compromise (BEC)

BEC scams involve impersonating a CEO or executive of a company or a business supplier/partner. The hackers then request a wire transfer of money or for the user to purchase gift cards. These scams usually involve building a rapport with the potential victim in order to build trust or having knowledge of a business’ suppliers to seem more legitimate. According to the FBI, BEC caused losses of $1.3 billion in 2018.

How to combat

Implement a warning message when users receive messages that originate from outside the organization. This can remind users to look closely at the emails they receive and to not download attachments/files from unknown senders. This can also help combat CEO fraud as messages from executives should originate from within the organization.

3. Credential attacks

Hackers targeting credentials send phishing messages designed to steal them. This is usually done with a message that entices you to log in: it may say you need to change your password, that there was a suspicious login, that you are owed a tax refund, or it may go after the credentials for your accounts on streaming services. These messages provide a link to a fake website that looks legitimate. When you log in through the spoofed link, the hackers capture your credentials. This opens up the threat of attacks that look like insider activity, where hackers use the compromised credentials to steal data or send more phishing emails to clients or business partners.

How to combat

To avoid landing on a fake website, always hover over a link and inspect the real URL before you click on it; on a phone, press and hold the link to see where it leads. If you are unsure whether it's legitimate, type the website's address directly into the browser's address bar instead of following the link.

4. Clone phishing

This attack takes a legitimate email and copies or "clones" it, swapping in a malicious link or attachment. It can be difficult to spot because it is based on an email that was genuinely delivered before. The attackers also spoof the sender address so that it closely resembles the original sender.

How to combat

Implementing a secure email solution can help detect threats like phishing and spam. Secure IT – Mail includes several security features like Advanced Threat Protection to scan for suspicious email attachments, malware and malicious links.  Additionally, you can backup and archive your emails with Secure IT – Mail.
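As an added example that is not part of the original post and not a feature of Secure IT – Mail, the Python below automates two of the checks described under credential attacks and clone phishing: it compares each link's visible URL with its real destination (what hovering shows a careful user), and it scores a sender's domain against a list of domains the organization trusts in order to catch lookalikes. The trusted-domain list, the sample message and the homoglyph table are constructed for illustration.

```python
"""Two phishing-indicator checks: links whose visible text is a URL that does
not match the real href, and sender domains that imitate a trusted domain.

Added example; not the page's code and not Secure IT – Mail's. The trusted
domains, the sample HTML and the homoglyph table are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: domains this organization and its suppliers legitimately send from.
TRUSTED_DOMAINS = {"example-corp.com", "acme-supplies.com"}

# Constructed sample body: the visible text is a legitimate-looking URL, the
# href behind it is not.
SAMPLE_HTML = """
<p>Your invoice is ready.</p>
<p>Sign in at <a href="http://example-corp.com.login-verify.net/x">https://portal.example-corp.com/invoices</a></p>
<p>Questions? Visit <a href="https://acme-supplies.com/help">our help page</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable-domain approximation (last two labels); a real
    implementation should consult the Public Suffix List."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:])


def mismatched_links(html):
    """Return (visible_url, real_href) pairs whose domains differ."""
    collector = LinkCollector()
    collector.feed(html)
    out = []
    for href, text in collector.links:
        if not re.match(r"https?://", text):
            continue  # plain-text anchors cannot be compared this way
        shown = urlparse(text).hostname or ""
        real = urlparse(href).hostname or ""
        if registrable(shown) != registrable(real):
            out.append((text, href))
    return out


# Constructed: substitutions attackers use to imitate a domain.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s")]


def normalize(domain):
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Levenshtein distance, iterative two-row form."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_sender(from_addr, trusted=TRUSTED_DOMAINS, max_dist=2):
    """Return (sender_domain, imitated_domain, distance) when the sender's
    domain is close to, but not one of, the trusted domains; else None."""
    domain = from_addr.rsplit("@", 1)[-1].lower()
    if domain in trusted:
        return None
    for t in sorted(trusted):
        dist = edit_distance(normalize(domain), normalize(t))
        if dist <= max_dist:
            return (domain, t, dist)
    return None
```

The link check flags the first anchor in the sample because the displayed `portal.example-corp.com` and the real `login-verify.net` are different registrable domains; the second anchor has plain text, so nothing can be inferred from it. The sender check treats `acrne-supplies.com` as a distance-zero imitation of `acme-supplies.com` once `rn` is folded to `m`, which is exactly the trick a clone relies on. Both checks produce candidates for a warning banner or quarantine, not verdicts: a distance threshold of two will also hit legitimate sibling domains, so tune it against your own mail flow.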

Threats of the Week – May 13, 2019

Xwo Malware

Xwo is a newly revealed web-service vulnerability-scanning malware discovered by AT&T Alien Labs. It is named after its dropper, which also serves as its propagation module and is delivered as a file named xwo.exe. Unlike typical ransomware, which immediately encrypts the user's files, Xwo behaves more like a monitoring tool. Initial analysis shows that it plants itself on the system to watch the passwords used for certain system services; once a login credential is entered, it logs the information and sends it to its authors through its command-and-control server.

Source: The Threat Report

How do you protect yourself?

Proper security measures must be in place to defend against Xwo Malware and similar threats. Having proper up-to-date endpoint and firewall security provides a cross-generational blend of threat defense techniques to protect systems from malware.

CVE-2019-11561

The Chuango 433 MHz burglar-alarm product line is vulnerable to a denial-of-service attack. When the condition is triggered, the OV2 base station is unable to process sensor states, which effectively prevents the alarm from going off. This has been demonstrated on Chuango-branded products and on non-Chuango-branded products such as the Eminent EM8617 OV2 Wifi Alarm System.

Source: CVE

How do you protect yourself?

Ensure you're updated with the latest firmware patches when available.

MegaCortex Ransomware

The ransomware appears to have been designed to target large enterprise networks as part of carefully planned targeted intrusions, a tactic known as "big-game hunting."

MegaCortex appears to be just as dangerous as the other “big-game hunting” ransomware strains, with hackers quickly escalating their access to a domain controller, from where they try to deploy the ransomware to as many internal workstations as possible.

Source: ZDNet

How do you protect yourself?

Proper security measures must be in place to defend against MegaCortex Ransomware and similar threats. Ensure your systems have the latest patches installed. Backing up your data and having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.

How to Mitigate IoT Security Risks

Whether you’re in the office or at home, you’re most likely surrounded by IoT devices. Gartner forecasts that 14.2 billion connected things will be in use in 2019, and that the total will reach 25 billion by 2021. Although these devices help increase productivity and make our lives easier, they are also targeted by cyber attacks. According to Symantec’s 2018 Internet Security Threat Report, IoT attacks went up by 600% between 2016 and 2017. As we start to incorporate more IoT devices into our lives, we need to be aware of the security risks of IoT devices. A survey by digital certificates provider DigiCert found that 25 percent of companies struggling the most with IoT security reported IoT security-related losses of at least $34 million in the last two years.

Source: ZDNet

What are the IoT Security Risks?

One of the biggest challenges in securing IoT is the fact that the attack surface is so large and contains many risks such as vulnerabilities, authentication issues and device and network threats.

Many IoT attacks can also target unconventional devices such as smart refrigerators, printers or baby monitors. Therefore, people might not realize that IoT devices pose a security risk.

Shadow IoT devices, which are active IoT devices that connect to the company network without the company’s IT support, can be easily targeted by hackers. Companies often have no control over these devices so they may lack proper authentication and security features.

IoT devices can be hijacked and used for malicious purposes. For example, the Mirai botnet attack in 2016 took advantage of insecure IoT devices to create a massive distributed denial of service (DDoS) attack. The hackers behind the attack scanned for hundreds of thousands of vulnerable IoT devices and used them in DDoS attacks without the device owners' knowledge.

Malicious actors can hack into insecure IoT devices or IoT apps and use them to spy on people or pinpoint their location. According to the Ponemon Institute, 80% of IoT applications are not tested for vulnerabilities. This is alarming as this means that many IoT apps can be exploited to carry out attacks.

4 Things You Can Do to Reduce IoT Security Risks

Keep Track of Your Devices

Each IoT device in your network has its own potential security risk, which is why it’s important to know your IoT devices. Use proper device identification and authentication so that you can keep track of the devices that are communicating with the network.

Rogue devices can pop up so being able to scan your network for devices is important. Removing devices that are no longer in use and disabling unused features can also help reduce the attack surface.
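One way to do the "know your devices" step above, added here as an example rather than taken from the original post: compare what the gateway's neighbour table reports against a device inventory, and split the unknowns into vendor-assigned MAC addresses (which can be looked up by OUI to guess the device type) and locally administered ones (randomised by phones and laptops, so not attributable by MAC at all). The inventory and the neighbour-table output are constructed; the input format is that of `ip neigh show` on Linux.

```python
"""Audit devices seen on the network against a device inventory.

Added example; not the page's code. The inventory and the neighbour table are
constructed. On a real gateway the input would come from `ip neigh show`, a
DHCP lease file or the switch MAC table.
"""
import re

# Constructed inventory: MAC address -> (device name, owner). A real inventory
# would also record firmware version and vendor support status.
INVENTORY = {
    "b8:27:eb:12:34:56": ("lobby-display", "facilities"),
    "00:1a:2b:3c:4d:5e": ("printer-2f", "it"),
    "3c:d9:2b:aa:bb:cc": ("hvac-controller", "facilities"),
}

# Constructed neighbour table in `ip neigh show` output format.
SAMPLE_NEIGH = """\
192.168.10.21 dev eth0 lladdr b8:27:eb:12:34:56 REACHABLE
192.168.10.22 dev eth0 lladdr 00:1a:2b:3c:4d:5e STALE
192.168.10.57 dev eth0 lladdr 7c:2e:bd:01:02:03 REACHABLE
192.168.10.58 dev eth0 lladdr 6a:11:22:33:44:55 REACHABLE
192.168.10.99 dev eth0 FAILED
"""

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+) lladdr (?P<mac>[0-9a-f:]{17}) (?P<state>\S+)$"
)


def parse_neigh(text):
    """Map MAC -> IP for every entry that resolved to a link-layer address."""
    seen = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip().lower())
        if m:  # FAILED/INCOMPLETE entries carry no lladdr and are skipped
            seen[m["mac"]] = m["ip"]
    return seen


def is_locally_administered(mac):
    """Bit 1 of the first octet set => locally administered MAC (randomised
    by phones and laptops), so it cannot be tied to a vendor or tracked over
    time. Clear => vendor-assigned, OUI lookup possible."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def audit(inventory, neigh_text):
    """Return (unknown, missing): devices on the wire that are not in the
    inventory, and inventory entries that were not seen on the wire."""
    seen = parse_neigh(neigh_text)
    unknown = {}
    for mac, ip in seen.items():
        if mac not in inventory:
            kind = "randomised-mac" if is_locally_administered(mac) else "vendor-assigned-mac"
            unknown[mac] = (ip, kind)
    missing = {mac: inventory[mac][0] for mac in inventory if mac not in seen}
    return unknown, missing


if __name__ == "__main__":
    unknown_devices, missing_devices = audit(INVENTORY, SAMPLE_NEIGH)
    for mac, (ip, kind) in unknown_devices.items():
        print(f"UNKNOWN  {mac} {ip} ({kind})")
    for mac, name in missing_devices.items():
        print(f"MISSING  {mac} {name}")
```

Two caveats a practitioner should keep in mind. A neighbour table only lists hosts the gateway has recently exchanged traffic with, so run the collection on every VLAN or segment, or use DHCP leases and switch MAC tables instead. And "missing" is informational, not an alarm: it is how you find the devices that were decommissioned but never removed from the inventory, which is the cleanup the section above asks for.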

Use IoT Devices You Can Trust

IoT weaknesses can pose a large security threat to your data. Make sure you use devices that are supported by the manufacturer to ensure that you have access to necessary security patching. Keeping track of patching and firmware upgrades will help defend against exploits.

Follow Basic Cyber Hygiene Practices

Having good cybersecurity hygiene is key in defending against IoT risks. This includes patch management, backing up your data, using encryption and implementing security awareness training. It’s important to continuously monitor your environment for changes and take action when necessary.

Do an Assessment

Any of your IoT devices can be a target of a cyber attack. It’s important to be aware of the impacts each of your devices can pose to your overall network. If one device is compromised, will it affect other devices? What can you do if that happens? Having an assessment can help you prepare for your worst-case scenario. From there, you can implement a security policy/strategy that will help you prepare for any potential issues.

Threats of the Week – May 6, 2019

Shellbot Malware

Shellbot, first written about by Jask in February, uses an old but reliable technique, SSH brute force, to break into internet-connected Linux servers that have weak passwords, and then mines cryptocurrency on them.

The malware now has new capabilities that let it spread through a network and shut down other cryptominers on infected computers, freeing up more processing power for its own mining operation.

The malware has three components. Although it’s not known exactly how the malware is delivered, the researchers found the dropper script used to install the malicious payload from the malware’s command and control server, an IRC chat server, which the hackers can use to check the status of the malware and remotely run commands. Using a 272-line script, the malware checks to see if any other cryptominers are on the system and installs its own. Then, the cryptominer begins mining Monero, a privacy-focused cryptocurrency, and sends the proceeds back to a MoneroHash server.
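Added example, not code from the original post or from the researchers: a detector for the SSH password brute-forcing Shellbot uses to get in, run over constructed auth.log lines in the standard OpenSSH syslog format. The threshold (five failures from one address within sixty seconds) and the year used to complete the syslog timestamps are assumptions.

```python
"""Detect SSH password brute forcing in auth.log, and flag the more serious
case where a burst of failures is followed by a successful password logon.

Added example; not the page's code. The log lines are constructed in the
OpenSSH syslog format; threshold and window are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: a burst from one address ending in a successful root
# logon, then a single failure from a legitimate user who then uses a key.
SAMPLE_AUTH_LOG = """\
May  6 03:12:01 web1 sshd[2231]: Failed password for root from 203.0.113.9 port 41022 ssh2
May  6 03:12:03 web1 sshd[2233]: Failed password for invalid user admin from 203.0.113.9 port 41030 ssh2
May  6 03:12:04 web1 sshd[2235]: Failed password for root from 203.0.113.9 port 41031 ssh2
May  6 03:12:06 web1 sshd[2237]: Failed password for invalid user oracle from 203.0.113.9 port 41040 ssh2
May  6 03:12:07 web1 sshd[2239]: Failed password for root from 203.0.113.9 port 41044 ssh2
May  6 03:12:09 web1 sshd[2241]: Accepted password for root from 203.0.113.9 port 41050 ssh2
May  6 03:40:00 web1 sshd[2300]: Failed password for alice from 198.51.100.7 port 50012 ssh2
May  6 03:40:15 web1 sshd[2302]: Accepted publickey for alice from 198.51.100.7 port 50013 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(line, year=2019):
    """Parse one sshd auth line; syslog omits the year, so it is supplied."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"time": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Sliding-window count of password failures per source address.
    Returns ("bruteforce", ip, count) once per offending address and
    ("bruteforce-success", ip, user) if that address later gets in."""
    recent_failures = defaultdict(deque)  # ip -> timestamps inside the window
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        q = recent_failures[ev["ip"]]
        if ev["result"] == "Failed" and ev["method"] == "password":
            q.append(ev["time"])
            while q and (ev["time"] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append(("bruteforce", ev["ip"], len(q)))
        elif ev["result"] == "Accepted" and ev["ip"] in flagged:
            alerts.append(("bruteforce-success", ev["ip"], ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(*alert)
```

The "bruteforce-success" alert is the one to page on: it means the weak password the article warns about was guessed and the host should be treated as compromised, not merely under attack. The cheaper fix is to remove the attack surface entirely in `sshd_config` with `PasswordAuthentication no` and `PermitRootLogin no`, which turns this whole class of campaign into log noise.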

Source: TechCrunch

How do you protect yourself?

Proper security measures must be in place to defend against Shellbot Malware and similar threats. Having proper up-to-date endpoint and firewall security provides a cross-generational blend of threat defense techniques to protect systems from malware.

CVE-2019-10952

An attacker could send a crafted HTTP/HTTPS request to render the web server unavailable and/or lead to remote code execution caused by a stack-based buffer overflow vulnerability. A cold restart is required for recovering CompactLogix 5370 L1, L2, and L3 Controllers, Compact GuardLogix 5370 controllers, and Armor Compact GuardLogix 5370 Controllers Versions 20 to 30.014 and earlier systems.

Source: NIST

How do you protect yourself?

Ensure you're updated with the latest firmware patches.

Sodinokibi Ransomware

A recently-disclosed critical vulnerability in Oracle WebLogic is being actively exploited in a slew of attacks, which are distributing a never-before-seen ransomware variant.

The ransomware first came onto researchers’ radar on April 25 (the day before a patch was released), after attackers attempted to make an HTTP connection with a vulnerable Oracle WebLogic server.

Once attackers found a vulnerable server, they sent an HTTP POST request to that server. The request contained a PowerShell command, which downloaded a file called “radm.exe.” That then saved the ransomware locally and executed it.

Once downloaded, the ransomware encrypted the victim's systems and displayed a ransom note directing victims to a page on the Tor network or to a domain on the public web (decryptor[.]top), which was registered on March 31 this year.

Source: ThreatPost

How do you protect yourself?

Proper security measures must be in place to defend against Sodinokibi Ransomware and similar threats. Ensure your systems have the latest patches installed. Backing up your data and having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.