PC PORTAL

Experienced. Trusted. Solutions.

ransomware

By

Here’s the missing ingredient in a solid security and business continuity plan

Security incidents can cast an unforgiving light on many organisations’ readiness. They highlight the need for security programmes that go further than just fixing things when they break.

Response has been security’s classic default reaction to an incident. Something is broken, so we need to fix it. But this misses a critical ingredient: resilience. If an important system fails, organisations need to know they can continue by using alternative systems, be they technical or manual.

Resilience, not just recovery

“Security incidents invariably lead to downtime. So it makes sense to focus on resilience in security programmes, not just detection and recovery. This way, a business can continue to survive and function even if key services are disrupted or temporarily unavailable,” says Brian Honan, CEO of BH Consulting.

Last year’s ransomware outbreaks were a classic case in point. FedEx’s TNT subsidiary shipped a $300 million loss following the NotPetya infection. It took weeks to restore IT operations fully, and deliveries and sales declined during this time. The NHS in the UK cancelled 22,000 hospital appointments as it struggled to cope in the wake of WannaCry.

Steps to resilience

Brian recommends that organisations should become more resilient by integrating incident response and business continuity. He suggests the following four steps:

  • Identify key systems and services for your business
  • Look at the key risks and threats to those services
  • Based on that risk analysis, identify the key areas to address such as single points of failure, inter-reliance of systems and interdependency of systems
  • Engineer ways to mitigate the impact of any potential failure, either through cybercrime or other means.

Once you start talking the language of risk, you’re talking the language of business, not IT. That’s why Brian recommends getting agreement from business owners as to how the organisation manages the risks that it discovers. Suppose the assessment stage uncovers a vulnerable system. The organisation has three choices: replace the system outright, upgrade the current version, or accept the risk that the business will be unavailable for whatever time it takes to recover from downtime.

Decision time for the business

Each option comes at a price, but it’s up to the business to determine the cost it’s willing to bear. “The security professional’s role is to give the business well informed data and analysis so that they can make the appropriate decision for the business. The CSO is chief security officer, not the chief scapegoat officer,” says Brian.

There’s still vigorous debate over the meaning of resilience in the context of information security. Kelly Shortridge of Security Scorecard recently wrote a lengthy and thoughtful post that’s well worth reading. Drawing on a range of examples from far beyond security, she says security has too often focused on robustness. “Resilience is ultimately about accepting reality and building a defensive strategy around reality,” she writes. Quoting the ecological economics scholar Peter Timmerman, she adds: “resilience is the building of ‘buffering capacity’ into a system, to improve its ability to continually cope going forward.”

Another word for resilience is flexibility. That’s arguably an incomplete definition too, but the term hints at an ability to bounce back from an interruption to something approaching normal service.

The post Here’s the missing ingredient in a solid security and business continuity plan appeared first on BH Consulting.

By

Crime and Crypto: An Evolution in Cyber Threats

Reading Time: ~6 min.

Cybercriminals are constantly experimenting with new ways to take money from their victims. Their tactics evolve quickly to maximize returns and minimize risk. The emergence of cryptocurrency has opened up new opportunities to do just that. To better understand today’s threat landscape, it’s worth exploring the origins of cryptocurrencies and the progress cybercriminals have made in using it to advance their own interests.

The FBI screen lock

Source: @DavidSGingras on Twitter

Many readers may remember the infamous FBI lock malware that would pop up and prevent users from using their computer at startup. The malware presented the (false) claim that the victim had downloaded copyrighted material illegally or had watched pornography.

This was a common and successful scam that made millions globally by localizing the “official” police entity in order to legitimize the threat. The money it made was transferred via Ukash and MoneyPak, which were essentially gift cards available at local convenience stores that could be loaded with specified amounts of cash. Victims would enter the pin on the back of the card to pay the criminals.

This method of collecting money wasn’t without risks for criminals, however. If enough victims reported the scam to law enforcement, they would try to find and identify those responsible (attention criminals obviously tried to avoid).

Bitcoin and Silk Road

While the Ukash and MoneyPack scams were still alive and well, another popular and anonymous black market called Silk Road was experimenting with Bitcoin as a payment system.

Silk Road was essentially an underground market on the encrypted dark web for goods otherwise illegal or extremely difficult to purchase in most countries. The site’s buyers and sellers remained effectively anonymous to one another and were almost impossible to track. For years this marketplace thrived and proved the efficacy of Bitcoin as a transactional system. Its success came to an abrupt halt in 2013, however, when the FBI seized Silk Road and arrested its founder.

The shutdown initially caused a nosedive in Bitcoin’s market price, but it quickly bounced back to surpass its value even at the height of the Silk Road.

So, what contributed to the shift?

Source: coindesk.com

Enter CryptoLocker

The first variants of Cryptolocker ransomware were seen in late September 2013. In terms of criminal business models, it was an instant success. Soon, many variants were infecting users around the world. Early editions accepted the still widely-used Ukash and MoneyPak as payment, but with a twist. Cryptolocker would provide a discount for Bitcoin payments. The proverbial Rubicon had been crossed in terms of cryptocurrencies receiving preferential treatment from cybercriminals. With ransomware rapidly rising to the top of the threat landscape, Bitcoin saw corresponding growth as fiat currencies were exchanged for it so ransoms could be paid.

Is Bitcoin Anonymous?

Not really. Since all Bitcoin transactions are recorded on a public ledger, they are available for anyone to download and analyze. Each time a victim pays a ransom, they’re given a Bitcoin address to which to send payment. All transactions to and from this address are visible, which, incidentally, is how the success of many ransomware campaigns is measured.

When a criminal wants to cash out Bitcoin, they typically need to use an exchange involving personal identifiable information. So, if a criminal isn’t careful, their victim’s Bitcoin wallet address can be tracked all the way to the criminal’s exchange wallet address. Law enforcement can then subpoena the exchange to identify the criminal. Criminals, however, are often able to keep this situation from unfolding by using tactics that prevent their “cash out” address from being flagged.

For a time, Bitcoin “mixers” offered to clean coins that were widely available on the dark web. Their methods involved algorithms that would split up and send dirty coins of varying amounts to different addresses, then back to another address clean, a process not unlike physical currency laundering. Yet, the process was not foolproof and did not work indefinitely. Once cryptocurrencies had gained significant legitimate adoption, several projects were started to search Bitcoin blockchain transactions for fraudulent activities. Chainalysis is one example.

Ransomware takes multiple cryptocurrencies

In the spring of 2014, a new cryptocurrency arrived. Dubbed Monero, it filled Bitcoin’s shoes, but without a public ledger that could be analyzed. Monero quickly became criminals’ most useful payment system to date. It uses an innovative system of ring signatures and decoys to hide the origin of the transactions, ensuring transactions are untraceable. As soon as criminals receive payment to a Monero wallet address, they’re able to send it to an exchange address and cash out clean, with no need to launder their earnings.

Source: Security Affairs

Monero started to see “mainstream” adoption by criminals in late 2016, when certain flavors of ransomware started experimenting with accepting multiple cryptocurrencies as payment, with Bitcoin, Ethereum, Monero, Ripple, and Zcash among the most common.

The Emergence of CryptoJacking

Monero has proven useful for criminals not just because it’s private. It also has a proof-of-work mining system that maintains an ASIC resistance. Most cryptocurrencies use a proof-of-work mining system, but the algorithm used to mine them can be worked by a specific chip (ASIC) designed to hash that algorithm much more efficiently than the average personal computer.

In this sense, Monero has created a niche for itself with a development team that maintains it will continually alter the Monero algorithm to make sure that it stays ASIC-resistant. This means Monero can be mined profitably with consumer-grade CPUs, sparking yet another trend among criminals of generating money from victims without ever delivering malware to their systems. This new threat, called “cryptojacking,” has gained momentum since CoinHive first debuted its mining JavaScript code in September 2017.

The original purpose of crypto-mining scripts, as described by CoinHive, was to monetize site content by enabling visitors’ CPUs to mine Monero for the site’s owners. This isn’t money from thin air, though. Users are still on the hook for CPU usage, which arrives in the form of an electric bill. While it might not be a noticeable amount for one individual, the cryptocurrency mined adds up fast for site owners with a lot of visitors. While CoinHive’s website calls this an ad-free way to generate income, threat actors are clearly abusing the tactic at victims’ expense.

We can see in the image above that visiting this Portuguese clothing website causes the CPU to spike to 100 percent, and the browser process will use as much CPU power as it can. If you’re on a newer computer and not doing much beyond browsing the web, a spike like this may not even be noticeable. But, on a slower computer, just navigating the site would be noticeably sluggish.

Cybercriminals using vulnerable websites to host malware isn’t new, but injecting sites with JavaScript to mine Monero is. CoinHive maintains there is no need block their scripts because of “mandatory” opt-ins. Unfortunately, criminals seem to have found methods to suppress or circumvent the opt-in, as compromised sites we’ve evaluated rarely prompt any terms. Since CoinHive receives a 30 percent cut of all mining profits, they’re likely not too concerned with how their scripts are used. Or abused.

Cryptojacking becomes 2018’s top threat

Cryptojacking via hijacked websites hasn’t even been on the scene for a full year, and already it has surpassed ransomware as the top threat affecting the highest number of devices. After all, ransomware requires criminals to execute a successful phishing, exploit, or RDP campaign to deliver their payload, defeat any installed security, successfully encrypt files, and send the encryption keys to a secure command and control serverwithout making any mistakes. Then the criminals still have to help them purchase and transfer the Bitcoin before finally decrypting their files. It’s a labor-intensive process that leaves tracks that must be covered up.

For criminals, cryptojacking is night-and-day easier to execute compared to ransomware. A cybercriminal simply injects a few lines of code into a domain they don’t own, then waits for victims to visit that webpage. All cryptocurrency mined goes directly into the criminal’s wallet and, thanks to Monero, is already clean.

That’s why you should expect cryptojacking to be the preferred cyberattack of 2018.

For more analysis of modern cyber threats, including cryptojacking, be sure to check out Webroot’s 2018 Threat Report. Questions? Drop me a line in the comments below.

The post Crime and Crypto: An Evolution in Cyber Threats appeared first on Webroot Blog.

By

Security newsround: May 2018

We round up reporting and research from across the web about the latest security news and developments. This month: police success against cyber villains, the value of personal data, IoT security, a new ransomware strain, a new security framework and Gmail goes for 2FA.

Law’s long arm collars cyber crooks

Police forces scored three big wins against various cybercrime operations recently. In late April, authorities took down WebStresser.org, one of the world’s most popular marketplaces for launching DDoS attacks. Reuters reported that WebStresser was behind attacks on seven of Britain’s largest banks last November. The service is also alleged to have been responsible for four million attacks since 2015 against governments, police services, and businesses.

The Dutch Politie and the UK’s National Crime Agency led ‘Operation Power Off’, supported by Europol and a dozen other law enforcement agencies. They arrested alleged WebStresser administrators in four countries, seized infrastructure, and took unspecified “further measures” against some of its top users.

Before police pulled the plug, WebStresser had amassed 136,000 registered users. Threatpost aptly described WebStresser as a “criminal fantasy dream site”. It reported that there are 6.5 million DDoS attacks per year on average, earning attackers $13 million in revenue.

In separate operations, a coalition of eight countries led by Belgium took down propaganda broadcasting infrastructure of the Islamic State. Authorities targeted web assets of Amaq News Agency, an online media outlet which authorities called “the main mouthpiece of IS”. The same action also took down other IS-branded media outlets.

Completing the hat-trick, cybercrime teams from Dutch police seized the Anon-IB forum in an investigation relating to criminal offences. Vice Motherboard described Anon-IB as “possibly the most infamous site focused on revenge porn – explicit or intimate images of people shared without their consent”.

We’re always pleased to see law enforcement prevail in the fight against cybercrime. BH Consulting has been a partner of Europol for years. In 2013, our CEO Brian Honan was appointed as a special advisor on internet security to Europol’s CyberCrime Centre (EC3).

What’s your data worth?

If data is the new oil, there’s no shortage of ways that criminals can refine it for profit. As this post from Dark Reading makes clear, stolen data has many purposes that security teams need to know about. Crimes range from stolen IP to filing fraudulent tax rebates to schemes for stealing money, Steve Zurier wrote. Once hackers hold an inventory of stolen data , they package up and sell personal information such as names, addresses, phone numbers, and email addresses. They usually sell this data in bulk to maximise their profits. The more recent the records, the more value they fetch on the black market, Zurier said.

The question of what our data is worth in the digital economy is especially resonant and relevant in light of the recent Facebook/Cambridge Analytica scandal. Not to mention a certain four-letter privacy regulation. In Medium, Rik Ferguson of Trend Micro wrote a thoughtful post that considers the value of our personal information in the online economy. Data, he wrote, “unlike oil … is not burned up when used, but can be sold and resold, mined and reused”.

There’s plenty to chew on for privacy and security professionals. Rik wrote: “Our data is cataloged and combined with the traces we leave behind in the physical world, correlated and mined to reach conclusions far beyond those we might perhaps be comfortable with publicising, and then sold as a commodity or a subscription-based service to any interested party. It is an industry based our ignorance and our nonchalance.”

Securing all the things

ENISA has developed a free interactive tool based on its baseline security recommendations for the Internet of Things. This lets anyone working on IoT projects search and identify good practices. The tool is available to download here, and this page also includes a help guide. It’s based on the agency’s original study on IoT security which it published last year. The new tool is timely, as criminals have apparently begun exploiting IoT as another way to profit from cryptocurrency mining. Trend Micro researchers identified malware that hijacks the processing power of IoT devices and smartphones to mine for cryptocurrency. As Lesley Carhart of Dragos jokingly tweeted: “Your router and your IOT thermostat should really beep like your smoke detector when it’s missing a critical security patch.”

Prepare for a summer of SamSam?

Researchers are warning of criminals taking a new approach to ransomware infections. Sophos analysed the SamSam variant and found criminals carefully choose target organisations. They then launch thousands of copies of SamSam onto that organisation’s computers all at once. Once the infection has hit, the criminals offer victims a volume discount to clean all machines. This differs from the usual spam-like scattergun approach to ransomware of sending one malware copy to multiple possible targets. “The cybercriminals behind SamSam use vulnerabilities to gain access to the victims’ network or use brute-force tactics against the weak passwords of the Remote Desktop Protocol (RDP)”, the researchers wrote. Here’s ThreatPost’s writeup of the research. Sophos’ own blog describes the findings, and here’s a link to the technical paper.

Guidelines in the NIST

The US National Institute of Standards and Technology (NIST) has released version 1.1 of its Framework for Improving Critical Infrastructure Cybersecurity. This updates the original version 1.0 which proved popular on its release in February 2014. Version 1.1’s updated guidelines cover authentication and identity, cybersecurity risk self assessment, supply chain security management, and vulnerability disclosure. NIST programme manager Matt Barrett said the framework is flexible enough to meet an individual organisation’s business or mission needs. It applies to a wide range of technology environments such as information technology, industrial control systems and the Internet of Things. Later this year, NIST will release an updated companion document, the Roadmap for Improving Critical Infrastructure Cybersecurity. NIST’s press release is here and the framework is available free in PDF at this link.

Google beefs up Gmail security

Two-factor authentication got a shot in the arm after Google added this security feature for its Gmail app last month. Also called two-step verification, this sends a prompt to a user’s phone when they access their Gmail account on another computer. Naked Security said this is more secure than sending an SMS code to the phone, which can be vulnerable to fraud. It also pointed out that ease of use will encourage more people to use it, as takeup of 2FA to date has been low. Why does this matter? Here’s how many Gmail users there are in the world: 1.2 billion, to be exact. Google has more details on its blog. If you or your users still prefer passwords, here’s our advice from last year on how to choose better ones.

 

The post Security newsround: May 2018 appeared first on BH Consulting.

By

Cyber News Rundown: Facebook Reveals “Clear History” Feature

Reading Time: ~2 min.

The Cyber News Rundown brings you the latest happenings in cybersecurity news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst and a guy with a passion for all things security. Any questions? Just ask.

Cyberattack Shuts Down Mexico Central Bank

Within the past week, several payment systems associated with Mexico’s central bank were compromised for an unspecified amount of time. The impacted systems led to delays with money transfers and processing of transactions for central bank customers, but officials claim no funds or data were stolen. It is still unclear how the attackers accessed the systems, though the issue has heightened awareness of possible security flaws.

Facebook Implementing History Removal Tool

In the wake of the data mishandling scandal that tarnished Facebook’s privacy standards, the company announced it’s working on a new tool that will allow users to clear browsing history and cookies from within Facebook, along with opting out of allowing Facebook to gather future browsing data. While this tool is still being created, Mark Zuckerberg has said Facebook hopes to give more privacy controls back to the users who trust the site.

Fitbit Adopts Google Healthcare API

Recently, Fitbit announced they will be integrating their current systems to incorporate the Cloud Healthcare API from Google in order to give healthcare providers better access to important data. Fitbit has been working towards this for some time by constantly improving their data analysis and providing better feedback to users and their health professionals. The partnership with Google’s API allows them to use an industry-compliant system, without the trouble of creating one from the ground up.

Northeast School District Pays Hefty Ransom

Following the April 14 cyberattack that encrypted much of a Massachusetts school district’s computer systems, local police recommended the district pay the $10,000 ransom to restore the system. While it paying ransoms is normally suggested only as a last resort, it would appear that the district wasn’t capable to restoring the systems on their own. In the end, it opted to pay the requested amount in hopes the criminals stay true to their word.

DVRs Being Compromised

A researcher recently released a tool that would allow anyone access to several brands of DVRs and illicitly obtain both device credentials and live video recordings. Using Shodan, the researcher was able to identify nearly 55,000 unique, accessible DVR devices that could be exploited with his tool using a previously discovered flaw for DVR devices.

The post Cyber News Rundown: Facebook Reveals “Clear History” Feature appeared first on Webroot Blog.

By

Cyber News Rundown: Amazon DNS Service Hijacked

Reading Time: ~2 min.

The Cyber News Rundown brings you the latest happenings in cybersecurity news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst and a guy with a passion for all things security. Any questions? Just ask.

Amazon IPs Rerouted for Several Hours

Early Tuesday morning attackers compromised an ISP that allowed them to reroute 1,300 IP addresses belonging to Amazon’s Route 53 DNS service. Amazon quickly released a statement on the issue and clarified that it was a specific vendor’s domain that was sharing the traffic across multiple peer networks. In doing so, the attackers were able to masquerade as MyEtherWallet.com, which netted them over $150,000 in cryptocurrency.

Middle East Ride-Hailing App Compromised

In an announcement at the beginning of this week, the ride-hailing app Careem addressed a data breach that occurred in mid-January. The breach could affect nearly 14 million customers, though officials have stated that no payment information was amongst the compromised data, as it is stored off-site. Fortunately, the breach shouldn’t affect anyone who signed up for the app after January 14.

Complaints of Tech Support Scams on the Rise

Over the course of 2017, Microsoft saw a 24% rise in the number of complaints regarding tech support scams their customers fell victim to. This increase is similar to the findings of the FBI’s Internet Crime Complaint Center, which saw an 86% change from the previous year. While the tactics used have not varied much, the number of scam calls have gone up significantly and have branched out to include both Mac and Linux users.

City of Atlanta Closing in on $3 Million Mark for Ransomware Recovery

It was recently revealed the City of Atlanta has spent close to $3 million to recover from a ransomware attack nearly a month ago. Though the original ransom was set at $51,000, paying it would not guarantee a swift resolution. Even now, Atlanta is still working on returning its systems to full working order. The delay may have been lengthened by the unknown amount of time the hackers had access to its system.

Malicious Crypto-miner Disables System Security

The newly dubbed PyRoMine, a cryptocurrency miner, which uses the EternalRomance NSA exploit to propagate, has been spotted in the wild over the past month. By disabling any security services it encounters, as well as Windows Updates, the malicious VBScript is able to compromise RDP to allow consistent traffic through port 3389. Even though it hasn’t spread widely, the number of unpatched machines still accessible to malware authors is a goldmine just waiting to be found.

The post Cyber News Rundown: Amazon DNS Service Hijacked appeared first on Webroot Blog.