Credential Theft: How It Works and How to Protect Your Business

A threat actor only needs one employee’s credentials to gain access to your organization’s entire infrastructure and/or data. The potential consequences of stolen credentials in the wrong hands are endless. You can experience direct financial loss, damage to brand reputation, loss of intellectual property, downtime, etc.

Anyone in your organization can have their credentials stolen. According to the Cybersecurity Threatscape report by Positive Technologies, one in five data thefts involved stealing account credentials. It’s important that organizations understand the threat of credential theft and take action to defend against it.  

Source: Verizon 

How Do Cybercriminals Steal Credentials?

Hackers looking to steal credentials may use any of the following methods:

Keylogging: Hackers can install malware with keyloggers that record the keystrokes on a computer and send the data back to the hackers.

Phishing: Hackers will send users sophisticated phishing emails urging them to change their passwords or update their information. These emails will provide the user with links to web pages that look legitimate but are really phishing websites that are built to steal credentials and personal information. 

Web injections: Hackers inject malicious code into your web browser via malicious browser extensions, links, or ads, which allows them to intercept data as it is being transmitted.

What Happens to Stolen Credentials? 

Cybercriminals can do any of the following with your stolen credentials:

Engage in fraud: Hackers can impersonate your organization and request fraudulent wire transfers from vendors or business partners. 

Sell: There are several forums on the dark web dedicated to selling and buying user credentials. Once these credentials are bought, cyber criminals can essentially do whatever they want with the stolen credentials. 

Spy: Hackers can use your stolen credentials to spy on your company and gather intelligence regarding your business dealings. They can then leak this information to your competitors or use this information to blackmail your organization. 

Install malware: Hackers can alter the code of your website to steal customer information through formjacking or install malicious ads that can infect visitors with malware. 

How to Protect Your Credentials

Credentials are the keys to your organization and it’s imperative that organizations take the necessary steps to secure them. Here are three things you can do to defend against credential theft: 

Monitor credentials: Sometimes hackers don’t even have to work to steal your credentials – they can easily find them on the dark web after a massive data breach. By monitoring the dark web for your company’s credentials, you can take action before they are maliciously used by a threat actor. You can start monitoring your organization’s credentials today with our Secure IT – User Defence solution. We will alert your organization as soon as any compromised credentials are found on the dark web, reducing the potential impact of a breach. 

Have a good password policy: Users are responsible for creating safe passwords for their accounts. It’s important that they use good password security, such as never sharing or reusing their passwords.

Act immediately: If you experience suspicious activity in your network or find out your credentials have been exposed in a data breach, you must change your passwords immediately. Users should also never use default passwords or logins as they are easy to guess or can be easily found online. Always change the default passwords of any accounts or hardware as soon as they are added to your infrastructure. 

Threats of the Week – November 18, 2019

Glimpse Malware

Security researchers have detailed how the Glimpse malware uses a text mode, based on DNS TXT records, as an alternative DNS resource record type.

According to a blog post by security researchers, the malware is written in PowerShell and associated with APT34. It is executed by Visual Basic script, yet how the script is initiated remains unclear, researchers said.

Source: SC Magazine

How do you protect yourself?

Proper security measures must be in place to defend against Glimpse Malware and similar threats. Having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.
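Endpoint protection is the control the article recommends, but the DNS side of this item is also observable: malware that carries data in TXT exchanges tends to generate many TXT queries from one host to one domain whose leading labels look random. The following is an added example written for this page, not code from the researchers, SC Magazine or Jolera; the log format (timestamp, client, query type, query name), the client addresses, the reserved `.test` domain and both thresholds are constructed assumptions.

```python
"""Flag DNS TXT-record tunnelling candidates in a DNS query log.

Added example: groups TXT queries by (client, base domain) and scores the
Shannon entropy of the leading labels. Log format, addresses, domain and
thresholds are assumptions constructed for this example.
"""
import math
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed sample log, one query per line: "<timestamp> <client> <qtype> <qname>"
SAMPLE_DNS_LOG = """\
2019-11-18T13:00:00 10.0.0.5 A www.example.com
2019-11-18T13:00:01 10.0.0.5 TXT example.com
2019-11-18T13:05:00 10.0.0.5 TXT example.com
2019-11-18T13:00:02 10.0.0.20 TXT _dmarc.example.net
2019-11-18T13:00:03 10.0.0.20 TXT _dmarc.example.org
2019-11-18T13:00:04 10.0.0.20 TXT _dmarc.example.com
2019-11-18T13:00:10 10.0.0.9 TXT 0f1e2d3c4b5a6978.resolver-check.test
2019-11-18T13:00:12 10.0.0.9 TXT a9b8c7d6e5f40312.resolver-check.test
2019-11-18T13:00:14 10.0.0.9 TXT 3c9f0a7e1b5d2846.resolver-check.test
2019-11-18T13:00:16 10.0.0.9 TXT 5b2d8f0a3c6e1947.resolver-check.test
2019-11-18T13:00:18 10.0.0.9 TXT 7e4a1c9f3b0d6258.resolver-check.test
2019-11-18T13:00:20 10.0.0.9 TXT c6f1a8d3e0b97425.resolver-check.test
"""

MIN_TXT_QUERIES = 5     # assumed threshold: TXT queries per (client, base domain)
MIN_MEAN_ENTROPY = 3.0  # assumed threshold: mean bits per character of the leading labels


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for an empty string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_qname(qname: str) -> Tuple[str, str]:
    """Return (leading_labels, base_domain).

    The base domain is taken as the last two labels; a real deployment would
    use a public-suffix list instead (assumption made for brevity).
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def detect_txt_tunneling(log_text: str) -> List[Dict[str, object]]:
    """Return one hit per (client, base domain) that exceeds both thresholds."""
    entropies: Dict[Tuple[str, str], List[float]] = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        _ts, client, qtype, qname = parts
        if qtype.upper() != "TXT":
            continue
        leading, base = split_qname(qname)
        # Dots between labels carry no payload, so score the label text only.
        entropies[(client, base)].append(shannon_entropy(leading.replace(".", "")))

    hits: List[Dict[str, object]] = []
    for (client, base), values in sorted(entropies.items()):
        mean_entropy = sum(values) / len(values)
        if len(values) >= MIN_TXT_QUERIES and mean_entropy >= MIN_MEAN_ENTROPY:
            hits.append({
                "client": client,
                "domain": base,
                "txt_queries": len(values),
                "mean_entropy": round(mean_entropy, 2),
            })
    return hits


if __name__ == "__main__":
    for hit in detect_txt_tunneling(SAMPLE_DNS_LOG):
        print(f"TXT tunnelling candidate: {hit}")
```

Grouping by base domain is what keeps the mail server (10.0.0.20), which legitimately looks up `_dmarc` TXT records for many different domains, below the threshold, while the host sending a stream of high-entropy labels to a single domain is surfaced.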

CVE-2019-8248

Adobe has released updates for Adobe Illustrator CC for Windows and macOS. The update resolves critical and important vulnerabilities that could lead to remote code execution in the context of the current user.

Source: Adobe

How do you protect yourself?

Update Adobe Illustrator CC to the latest version.

PureLocker Ransomware

A newly discovered piece of ransomware written in PureBasic has been linked to a Malware-as-a-Service (MaaS) provider that has been used by Cobalt Gang, FIN6, and other threat groups.

Dubbed PureLocker, the malware comes with evasion methods and features that have allowed it to remain undetected for months. The use of PureBasic, a rather uncommon programming language, also makes porting between Windows, Linux, and macOS easy.

Source: SecurityWeek

How do you protect yourself?

Proper security measures must be in place to defend against PureLocker Ransomware and similar threats. Having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.

Threats of the Week – November 11, 2019

Emotet Trojan

Emotet, a Banking Trojan turned devastating modular threat, has returned with upgraded functions in a new wave of attacks.

Emotet has now begun sharing a number of obfuscation techniques already utilized by Trickbot. A new export function has also been found in executable binary functions — used by both malware variants — and this feature resolves API names through an export list of loaded DLLs. The API call resolution is present in both Emotet and Trickbot packers.

Source: ZDNet

How do you protect yourself?

Proper security measures must be in place to defend against Emotet Trojan and similar threats. Having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.

CVE-2019-2204

The monthly Android security patches have been released for several core Android components.

The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.

Source: Android

How do you protect yourself?

Update Android to the latest version.

MegaCortex Ransomware

A new version of the MegaCortex Ransomware has been discovered that not only encrypts your files, but now changes the logged in user’s password and threatens to publish the victim’s files if they do not pay the ransom.

For those not familiar with MegaCortex, it is a targeted ransomware installed through network access provided by trojans such as Emotet. Once the MegaCortex actors gain access, they push the ransomware out to machines on the network via an Active Directory controller or post-exploitation kits.

Source: BleepingComputer

How do you protect yourself?

Proper security measures must be in place to defend against MegaCortex Ransomware and similar threats. Having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.

Why Testing Employee Behaviour Improves Security

Employees play a vital role in an organization’s overall security. According to Statistics Canada, the majority of large (91%), medium-sized (83%) and small (72%) businesses in Canada reported having employees primarily responsible for the overall cybersecurity of their business in 2017. To strengthen user security, organizations should supplement employee awareness training with cybersecurity testing. Testing is a great way for organizations to establish a baseline of user behaviour to determine how users respond to potential threats. Without evaluating employees, organizations won’t be able to make impactful changes on how to improve.  Testing also helps organizations determine the effectiveness of their training.

Source: Statistics Canada

How to Test User Behaviour

Organizations can test employees through various means such as online quizzes on common cyber threats or through simulated phishing. Simulated phishing exposes employees to the latest phishing threats by sending mock phishing campaigns to employee inboxes and tracking who clicks on phishing links.

Our new security product Secure IT – User Defence features both of these elements. With Secure IT – User Defence, organizations can train and test employees, as well as monitor the dark web for stolen credentials. User Defence includes simulated phishing emails that can be customized and online training that includes quizzes to validate retention of content.

Reinforce Best Practices

Social engineering attacks are incredibly dangerous because they rely on user error or lax user behaviour in order to work. Testing can help users adhere to good security practices and help change their behaviour so that they remain more alert against these types of attacks.

Engaging employees with simulated phishing emails allows them to feel real consequences in a safe environment. Simulated phishing attacks give employees an idea of what phishing emails look like and help them spot common signs that indicate a potential phishing attack. Over time, this will help employees develop the habit of carefully inspecting emails before they respond or click on any links.

Improve Security Culture

Testing employees also helps develop an organization’s security culture. It gives organizations an opportunity to openly discuss issues of security and show employees how they play a role in keeping your company safe.

Testing is a good opportunity for organizations to create teachable moments for their employees. If more employees are responding to a specific type of threat, think about why. Is it because the threat appears to be from an executive? Does the word “urgent” in the subject line make them want to click? These are things you can look out for and talk to employees about.

It’s important not to shame or punish employees for failing a test, as that can discourage them from reporting security errors and make security feel like a taboo topic. Testing is about making sure employees stay safe in the office and in their personal lives. It’s not about tricking them into falling for these threats. The purpose of testing is to make them aware of current cyber threats and to empower them to take action when they encounter them.

3 Ways SIEM Enhances Security

SIEM is transforming the way organizations are detecting threats thanks to its ability to collect data across several devices and develop actionable intelligence for security response teams. Although SIEM has been around for a while, it continues to evolve and help organizations defend against emerging threats. According to the 2019 SIEM Report, more than 70% of organizations found that SIEM resulted in better detection of threats and a measurable reduction in security breaches.

Source: AlienVault

What is SIEM?

SIEM stands for Security Information and Event Management and is used to detect threats by collecting and analyzing log data from various networks, systems and devices (e.g. firewalls, computers, etc.). The data collected from the SIEM is then turned into actionable information that allows security teams to respond to potential threats.

The Benefits of SIEM for Organizations

1. Compliance: SIEM includes compliance reporting capabilities, which are valuable for organizations that must adhere to regulations like GDPR and HIPAA. The log data retained by a SIEM provides the historical records needed for incident investigations.

2. Clarity: SIEM analyzes activity from every part of the infrastructure. The log data produced can help organizations understand the events happening in their infrastructure. This is especially useful if a security incident occurs and can help organizations determine what happened.

3. Save time and money: SIEM is typically expensive due to licensing fees and the costs associated with hiring a security team to run the system. Outsourcing SIEM as a service from a provider like Jolera allows organizations of all sizes to have access to an enterprise grade system like SIEM. SIEM solutions like Secure IT – SIEM make SIEM accessible and help organizations save the time and effort required to operate and maintain a SIEM.  

How SIEM Improves Security

One of the biggest benefits of SIEM is its security capabilities. Here are 3 ways our SIEM system can fortify an organization’s security.

1. Improves threat detection

Time is crucial when it comes to detecting threats; the longer a hacker remains undetected the more damage they can do. Therefore, it’s important for organizations to respond to threats as soon as possible.  SIEM can quickly detect potential threats which helps prevent security breaches.

SIEM uses built-in correlation rules and information from a global threat intelligence feed to identify potential threats. The correlation rules are a set of predefined sequences that indicate suspicious behaviour. For example, if a user tries to log in more than 5 times, a correlation rule might flag the activity as suspicious. This would then generate a security alert that warns your security team of potential malicious activity.

A SIEM is only as good as the threats it can detect. If its correlation rules are not tuned to detect advanced threats, those threats may slip through. Integrating a global threat intelligence feed with the SIEM ensures that the system is constantly updated with the latest threat intelligence, which is vital for detecting and protecting against the latest evolving threats.

2. 24/7 Monitoring

The SIEM is constantly monitoring for unusual behaviours. Round-the-clock monitoring is important to ensure quick response to threats. SIEM also assists security teams in detecting threats because it is constantly monitoring the infrastructure.

Threats like malicious insiders are hard to detect, but because a SIEM constantly monitors for suspicious events it can analyze a user’s pattern of behaviour and determine whether they are acting suspiciously. For example, a SIEM can detect a user accessing information they don’t normally access, or combine seemingly unrelated events such as a user inserting a USB stick shortly after accessing sensitive information.
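The two correlation scenarios described in this section, a burst of login attempts past a threshold and a sensitive-file access followed by a USB insertion on the same host, can be expressed as a small rule engine over normalized events. The block below is an added example written for this page; it is not code from Secure IT – SIEM or any product, and its event format, field names, the 5-minute and 30-minute windows, the "more than 5 attempts" threshold taken from the text, and the sensitive share path are all constructed assumptions.

```python
"""Toy SIEM correlation engine (added example; not a vendor's code).

Two rule types from the article:
  * threshold rule  - more than 5 failed logins by one account in a short window
  * sequence rule   - a user reads a sensitive share, then a USB device is
                      inserted on the same host by the same user shortly after
Event format, field names, windows and the sensitive path are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed sample events, one per line: "timestamp|host|user|event|detail"
SAMPLE_LOG = r"""
2019-11-18T09:00:01|WS-01|alice|LOGIN_FAIL|bad password
2019-11-18T09:00:05|WS-01|alice|LOGIN_FAIL|bad password
2019-11-18T09:00:09|WS-01|alice|LOGIN_FAIL|bad password
2019-11-18T09:00:12|WS-01|alice|LOGIN_FAIL|bad password
2019-11-18T09:00:15|WS-01|alice|LOGIN_FAIL|bad password
2019-11-18T09:00:18|WS-01|alice|LOGIN_FAIL|bad password
2019-11-18T09:00:21|WS-01|alice|LOGIN_OK|
2019-11-18T09:30:00|WS-02|bob|LOGIN_FAIL|bad password
2019-11-18T09:31:00|WS-02|bob|LOGIN_OK|
2019-11-18T10:15:00|WS-02|bob|FILE_READ|\\fileserver\finance\payroll.xlsx
2019-11-18T10:17:30|WS-02|bob|USB_INSERT|vendor=0x0781
2019-11-18T11:00:00|WS-03|carol|USB_INSERT|vendor=0x0951
"""

FAIL_THRESHOLD = 5                      # "more than 5" attempts: alert on the 6th
FAIL_WINDOW = timedelta(minutes=5)      # assumed window for counting failures
SENSITIVE_PREFIXES = (r"\\fileserver\finance",)  # assumed sensitive share
USB_WINDOW = timedelta(minutes=30)      # assumed gap between read and USB insert


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    user: str
    kind: str
    detail: str


def parse_log(text: str) -> List[Event]:
    """Parse the pipe-delimited sample format and return events in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, kind, detail = line.split("|", 4)
        events.append(Event(datetime.fromisoformat(ts), host, user, kind, detail))
    return sorted(events, key=lambda e: e.ts)


def is_sensitive(path: str) -> bool:
    return path.lower().startswith(tuple(p.lower() for p in SENSITIVE_PREFIXES))


def correlate(log_text: str) -> List[Dict[str, str]]:
    """Run both rules over the log and return the alerts they raise."""
    alerts: List[Dict[str, str]] = []
    fails: Dict[str, Deque[datetime]] = defaultdict(deque)      # per-user failure times
    last_sensitive: Dict[Tuple[str, str], datetime] = {}       # (host, user) -> read time

    for ev in parse_log(log_text):
        if ev.kind == "LOGIN_FAIL":
            window = fails[ev.user]
            window.append(ev.ts)
            # Drop failures that fell out of the sliding window.
            while window and ev.ts - window[0] > FAIL_WINDOW:
                window.popleft()
            if len(window) > FAIL_THRESHOLD:
                alerts.append({"rule": "failed_login_burst", "user": ev.user,
                               "host": ev.host, "time": ev.ts.isoformat(),
                               "summary": f"{len(window)} failed logins within {FAIL_WINDOW}"})
                window.clear()  # one alert per burst, not one per extra failure
        elif ev.kind == "FILE_READ" and is_sensitive(ev.detail):
            last_sensitive[(ev.host, ev.user)] = ev.ts
        elif ev.kind == "USB_INSERT":
            seen = last_sensitive.get((ev.host, ev.user))
            if seen is not None and ev.ts - seen <= USB_WINDOW:
                alerts.append({"rule": "sensitive_access_then_usb", "user": ev.user,
                               "host": ev.host, "time": ev.ts.isoformat(),
                               "summary": f"USB inserted {ev.ts - seen} after sensitive read"})
                del last_sensitive[(ev.host, ev.user)]
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

On the constructed log this raises exactly two alerts: alice's sixth failure inside the window, and bob's USB insertion a few minutes after reading the finance share. carol's USB insertion alone does not fire, which is the point of a sequence rule: the individual events are ordinary, only their combination is suspicious.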

3. Provides visibility

In order to understand the threats facing their infrastructure, organizations need clear visibility. It can be difficult for organizations to fully understand their infrastructure because there are many moving parts. Organizations may have a hybrid infrastructure that includes on-premise and cloud environments. As organizations grow they integrate new technology, which in turn increases their attack surface and leads to blind spots like shadow IT. Hackers like to take advantage of these hidden places in your network and exploit them.

SIEM provides organizations with real-time visibility into all activity on their systems, networks and applications (whether on-premise or in the cloud) in one centralized view. This is crucial in helping organizations establish a baseline of what constitutes normal behaviour and usage in an environment. Since SIEM provides an overview of the network, it can also detect unknown devices communicating within your network, helping to close the gaps created by hidden devices.

For more information on how Secure IT – SIEM can help protect your business, contact us today.

Threats of the Week – November 4, 2019

xHelper Malware

Over the past six months, a new Android malware strain has made a name for itself after popping up on the radar of several antivirus companies, and annoying users thanks to a self-reinstall mechanism that has made it near impossible to remove.

But the thing that’s most “interesting” is that xHelper doesn’t work like most other Android malware. Once the trojan gains access to an Android device via an initial app, xHelper installs itself as a separate self-standing service.

Uninstalling the original app won’t remove xHelper, and the trojan will continue to live on users’ devices, continuing to show popups and notification spam.

Source: ZDNet

How do you protect yourself?

Proper security measures must be in place to defend against xHelper Malware and similar threats. Having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.

CVE-2019-13720

Google is warning users of a high-severity vulnerability in its Chrome browser that is currently being exploited by attackers to hijack computers.

The bug (CVE-2019-13720) is a use-after-free flaw, which is a memory corruption flaw where an attempt is made to access memory after it has been freed. This can cause an array of malicious impacts, from causing a program to crash, to potentially leading to execution of arbitrary code – or even enable full remote code execution capabilities.

Source: ThreatPost

How do you protect yourself?

Update to the latest version of Chrome, 78.0.3904.87 (for Windows, Mac, and Linux) as it rolls out over the coming days.

Adwind Trojan

A new version of the Adwind remote access trojan (RAT) has been discovered taking aim at new targets.

Adwind (a.k.a. JRAT or SockRat) is a Java-based remote access trojan that sniffs out data – mainly login credentials – from victims’ machines. While Adwind has historically been platform-agnostic, researchers say they have discovered a new four-month-old version targeting specifically Windows applications – like Explorer and Outlook – as well as Chromium-based browsers (Chromium is a free and open-source web browser developed by Google), including newer browsers like Brave.

The new variant is a JAR file (Java ARchive; a package file format typically used to aggregate many Java class files) that researchers say is typically delivered from a link in a phishing email or downloaded from a legitimate site serving up insecure third-party content.

Source: ThreatPost

How do you protect yourself?

Proper security measures must be in place to defend against Adwind trojan and similar threats. Having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.