Cybersecurity Threats, Scams & Updates You Need to Know About
We bring you the hacks, vulnerabilities and challenges of securing your daily habits and work environment. This brief is intended to help you make sense of the ever-changing world of cybersecurity as well as outline strategies to prevent, detect and respond to cybersecurity incidents.
View our growing list of topics below:
Kronos (a major software company that specializes in providing cloud-based payroll, time, and workforce management services) discovered it was the victim of a ransomware attack on the evening of Saturday, December 11, and recovery may take weeks. Depending on the products a customer is utilizing, this has the potential to impact the ability to log hours, pay employees in a timely manner or process newly hired employees. Kronos is still trying to determine the extent of the damage of the attack but believes that personal information has been stolen during the incident, including names, addresses and the last four digits of social security numbers. Kronos did have protocols in place for backups in case of disaster, but due to the nature of the attack, they are still trying to determine the best path forward at this time.
The majority of ransomware is brought into systems through social engineering, such as an employee opening a phishing email or visiting a compromised website. Many of these cases are not due to the malicious intent of an employee, but rather a lack of proper training in cybersecurity best practices. It was estimated that ransomware attacks in the first half of 2021 increased over 60% with an average payment over $500,000. With the growing number of remote and hybrid workers each year, this number is expected to grow.
The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) have observed an increase in highly impactful ransomware attacks occurring on holidays and weekends—when offices are normally closed. The FBI and CISA encourage all entities to examine their current cybersecurity posture and implement the recommended best practices and mitigations to manage the risk posed by all cyberthreats, including ransomware. The official cybersecurity advisory can be found here.
A new ransomware group called BlackMatter recently demanded $5.9 million from an association of Iowa corn and soy farmers called New Cooperative Inc. after claiming to have compromised 1,000 GB of the agricultural company’s data.
New Cooperative is a farming co-op that also specializes in grain, as well as feed and other services to assist farming operations.
To contain the breach, New Cooperative had to take all their systems offline, which could lead to further disruption of the agriculture supply chain, specifically in grain, pork and chicken.
This attack is similar to the ransomware attack on Colonial Pipeline earlier this year, and ransomware attacks are continuing to pick up speed despite warnings for cybercriminals to stay away from critical infrastructure, as well as increased action from the U.S. government.
The Bipartisan Infrastructure Bill that was recently approved by the Senate includes an investment of roughly $2 billion in cybersecurity infrastructure. Cyberattacks on organizations such as SolarWinds and the Colonial Pipeline highlighted a variety of cybersecurity issues in the public and private sector, and with an increase in breaches of government data systems, improving cybersecurity is a top priority.
Here’s how the bulk of these funds will be split:
President Biden recently signed an Executive Order designed to improve the nation’s cybersecurity and protect federal government networks. The order comes after a wave of cyber-attacks, including SolarWinds and the Colonial Pipeline. These occurrences exposed the lack of cybersecurity defenses across many public and private sector organizations.
Specifically, the order outlines the following:
Cybersecurity experts are continuing to work to stem the impact of what may be the single largest global supply-chain ransomware attack on record. On July 2 around 10:30 EST, many servers of Kaseya VSA, a remote monitoring and management platform with thousands of clients throughout the world, were exploited and used to deploy ransomware throughout hundreds of companies. The attack took advantage of the Independence Day holiday weekend, when IT staffing is generally thin in the United States.
As of July 6, Kaseya is aware of fewer than 60 customers who were directly compromised by this attack. All of those customers were using the VSA on-premises product. Many of these customers provide IT services to multiple other companies, and Kaseya says the total impact thus far could be up to 1,500 downstream businesses—including many small and medium-sized enterprises—being affected. These businesses include a grocery store chain, a public broadcaster, schools, and a national railway system. All were hit by the file-encrypting malware, causing disruption and forcing some to close.
The group claiming responsibility for this international ransomware outbreak is the Russia-linked REvil group, the same group that the FBI said was behind the hacking of the world’s largest meat processor, JBS, in May. The REvil ransomware gang, also known as Sodinokibi, is publicly demanding $70 million to restore the data it’s holding ransom.
To carry out this attack on Kaseya VSA servers, attackers uploaded malicious files to exploited servers. These files looked like images but instead executed code that disabled existing user sessions, removed logs, and performed other cleanup activities. After these files were uploaded, a series of GET and POST requests were then issued to communicate with several of the attacker’s IP addresses, downloading additional malicious files. These files were used to exploit endpoints that were connected to the Kaseya server, encrypting their files and restricting user access.
Kaseya stated, “R&D has replicated the attack vector and is working on mitigating it. We have begun the process of remediating the code and will include regular status updates on our progress starting tomorrow morning [July 6].”
Over 50% of companies have experienced one or more cyberattacks in the last 12 months. On average, it takes most companies at least six months to detect a data breach, regardless of its size. Are you prepared for that kind of impact to your organization?
JBS, the world’s largest meat processor, recently paid an $11 million ransom in Bitcoin to hackers that forced the shutdown of all its U.S. beef plants, as well as disrupted operations at poultry and pork plants. This ransom was paid in an attempt to secure its data and protect its customers against risk.
JBS is Brazil-based and processes about a fifth of the U.S. beef and pork. The cyberattack on the meat producer caused concern that it would disrupt the market with shortages and create a rise in meat prices. This did not come to pass, as JBS was able to promptly resume its operations. They lost less than a day’s worth of food production during the attack and would be able to recoup it in less than a week. JBS claimed the attack did not breach any of its data or the data of its customers.
The company also said that it had been targeted in late May by an attack affecting some of the servers powering its IT systems in North America and Australia. This led them to suspend those systems and close down the production plants.
This breach is the most recent in a chain of cyberattacks targeting critical infrastructure, which has raised concerns about U.S. business vulnerabilities. The suspected criminals behind the attack make up one of the most specialized and sophisticated cybercriminal groups in the world. JBS USA’s ability to quickly resolve the issues resulting from the attack was due to its cybersecurity protocols, redundant systems and encrypted backup servers. The company spends more than $200 million annually on IT and employs more than 850 IT professionals globally.
Many cybersecurity experts and even the FBI note that you should never pay a ransom, as it incentivizes cybercriminals. If criminals know that insurance companies and organizations will continue to pay the ransom, they will continue to attack organizations—no matter the industry or size of the organization.
Even with significant backups, many organizations are willing to pay the ransom because it’s quicker and easier to pay than to have operations down while restoring data. Even if an organization does have sufficient backups and is willing to restore data, cybercriminals have figured out a way to combat the backup. Many cybercriminals have started to exfiltrate sensitive data to hold hostage before they encrypt your data.
This JBS meat processor hack, as well as the recent Colonial Pipeline attack, are reminders that backups are not the only thing organizations need to be doing to protect against ransomware. While the FBI was able to recover some of the ransom paid in the Colonial Pipeline attack, organizations shouldn’t assume this will always be the case. Along with backups, other foundational controls should be in place or configured in order to reduce an organization’s overall risk profile. Examples include:
Colonial Pipeline, which operates the U.S.’s largest fuel pipeline, recently suffered a ransomware attack that resulted in the temporary shutdown of the pipeline that provides 45% of the gas to the east coast of the U.S. (WSJ). Within a week, a majority of operations were restored, but the investigation is still ongoing to determine exactly how the incident occurred and what could have been done to prevent it. To ensure the organization was able to quickly recover from the incident, the organization agreed to pay nearly $5 million in ransom to cybercriminals (The Verge). The incident shows that the impact of ransomware is not only limited to the organization and its customers, but it can also affect consumers of their product. This was seen when the price of gas rose quickly for most of the eastern U.S., and lines of consumers waited to try and fill up to ensure they had a full tank of gas for the upcoming week.
Many cybersecurity experts and even the FBI note that you should never pay a ransom, as it incentivizes cybercriminals. If criminals know that insurance companies and organizations will continue to pay the ransom, they will continue to attack organizations—no matter the industry or size of the organization.
Even with significant backups, many organizations are willing to pay the ransom as it’s quicker and easier to pay than to have operations down while restoring data. Even if an organization does have sufficient backups and is willing to restore data, cybercriminals have figured out a way to combat the backup. Many cybercriminals have started to exfiltrate sensitive data to hold hostage before they encrypt your data. In the case of Colonial Pipeline, they stole 80GB of data (SecurityScorecard), threatening to release the data if the company did not pay the ransom. The criminals do this to gain leverage so organizations can’t simply restore from backups and move on.
The Colonial Pipeline incident is a reminder that backups are not the only thing organizations need to be doing to protect against ransomware. Along with backups, other foundational controls should be in place or configured, such as:
On March 16th, the FBI issued a “FLASH” report surrounding a significant increase in PYSA (Protect Your System Amigo) ransomware targeting higher education in 12 US states and the United Kingdom. PYSA is malware that’s capable of removing data and encrypting critical files stored on an institution’s systems. The attacks are specifically targeted at higher education, K-12 schools and seminaries.
The attackers gain initial access to networks either through phishing emails or by using stolen or compromised credentials for a victim’s Remote Desktop Protocol (RDP), then utilize other attacker tools to gain access and deliver the payloads that encrypt systems. Before encrypting data with a .pysa extension, the attackers may also collect and take information such as personally identifiable information (PII) from employment and/or financial records in an effort to further pressure victims to pay a ransom before the attackers leak the information online.
The FBI has recommended some actions for mitigation, including:
Make sure your higher education institution is protected.
More devices are connecting to WiFi now than ever before, and an organization's wireless is usually an area that doesn't get the necessary attention when it comes to cybersecurity.
Most organizations and homes are set up with just two wireless networks: a primary and a guest. With the addition of so many devices, most organizations don't realize that having just one primary wireless network for all company-owned devices is a risk. In a recent study by Probrand, 72% of companies who suffered a data breach in the last year found that the network infiltration came from an unsecured wireless device, such as a printer, scanner, mobile phone, or laptop connected to their Wi-Fi network. The older approach of keeping all company-owned devices on one network and setting up another wireless network for all personal or guest devices is no longer enough.
A primary and guest wireless setup is acceptable if you only have specific managed devices like laptops on the primary wireless, but this is usually not the case any longer. What about all of the non-standard devices that are connected to the wireless (e.g. iPads, printers, thermostats, medical devices, wireless phones, cameras, Amazon Echo/Google Home or other such devices)?
Below are steps you can take to ensure your organization's (or even your home’s) wireless is properly configured:
Multi-factor authentication is one of the best things organizations and individuals can do to protect their accounts from cyberattacks. Multi-factor authentication (aka two-factor authentication or 2FA) is a secure authentication method that verifies a user's identity by requiring multiple identifiers. Multi-factor consists of at least two of the following three identifiers: something you know (e.g., password or PIN), something you have (e.g., phone or token), and something you are (e.g., fingerprint, retina scan).
Microsoft recently noted that multi-factor authentication can block over 99.9% of account compromise attacks. In a nutshell, multi-factor authentication provides an extra layer of protection in the event your password is stolen or guessed. It is in no way a silver bullet, though, and you should remember to use multi-factor authentication in conjunction with other controls that can greatly protect accounts. These controls include:
Another step organizations can take to provide users a better experience is utilizing adaptive multi-factor authentication. Rather than an “always on” approach that constantly asks the user for secondary credentials, the organization can use context to create an adaptive, step-up approach that only requires additional factors when necessary. Examples of this are logins from a new device, logins outside of the organization or after several failed logins.
Many organizations see security as an inconvenience and a hindrance to their ability to get work done. Organizations are always balancing security and ease of use. One setting that tends to fall towards the “easy but not secure” side is providing users with local administrative access.
Local administrative access makes it easy and convenient for end-users to install new software, add a printer or change preferences with their operating system. At first glance, this doesn't seem like a major issue, but with that type of power comes a significantly higher risk of a cybersecurity incident or data breach. By giving an employee administrative rights, you also give those same rights to any malicious program infecting the system. Administrative access also provides employees with the ability to:
Even an employee with the best of intentions can accidentally do something that puts your organization's network at risk, and the problem lies in the privileges that local administrative rights give users. Once a device with administrative rights becomes infected, it's only a matter of time before it propagates to other devices. In this video, Leon Johnson from Rapid7 shows how easily and quickly one device with local administrative access can lead to a major incident.
With the total cost of a breach now averaging 3.92 million dollars (according to IBM), the few minutes of inconvenience caused by a user having to request a new printer to be installed doesn’t seem that bad.
K-12 schools are being urged to safeguard networks via federal resources. Currently only 2,000 of the 13,000 U.S. school districts have signed up for free membership in the Multi-State Information Sharing & Analysis Center. This program offers government organizations network vulnerability assessments, cyber threat alerts and other cybersecurity related services. According to experts, even a minimal effort to strengthen cybersecurity infrastructure in K-12 schools can make a big difference.
IT departments are great at many things, but sometimes they rely on outdated ideas concerning cybersecurity. Unfortunately, sometimes these ideas put you and your organization at risk. Below are four common myths IT professionals might share with leadership.
The FBI is warning the U.S. healthcare system of a potential wave of data-scrambling extortion attempts. The schemes are designed to lock up hospital information systems, hurting patient care. The cyberattacks involve ransomware that scrambles data and can only be unlocked once the intended target pays. The FBI, along with the Department of Homeland Security and the Department of Health and Human Services, said they have received credible information about an “increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.”
The attacks are launched through Ryuk, a strain of ransomware seeded in a network of zombie computers known as Trickbot. Microsoft has been trying to counter Trickbot attacks since early October. Authorities have given Microsoft as much detail as possible so it can help distribute information to its customers.
A total of 59 U.S. healthcare systems have seen ransomware attacks in 2020. This resulted in a disruption to patient care in up to 510 facilities. The healthcare industry is one of the leading industries impacted by cybersecurity. To learn more about how to protect your healthcare organization, schedule a cyber consultation.
Today's world is filled with many different cybersecurity threats, but one has been a top threat year after year. Emotet began as a trojan, or malware virus, years ago. It was originally used to specifically target financial institutions, but has since evolved and become a problem for other industries as well. Emotet is an easily deployable malware-as-a-service. For a small fee, cybercriminals can deploy Emotet to targets with very little effort or knowledge. Emotet as a service is developed and supported by cybercriminals who make sure the malware keeps evolving to avoid new controls within target organizations.
Once unleashed within a target environment, Emotet spreads to as many devices as possible, and it usually remains undetected since it leverages encrypted channels. Emotet usually spends months within an organization silently gathering data and information about systems before eventually starting to encrypt every file it can within the organization. This is when most organizations become aware of the issue. Unfortunately, since Emotet has usually been within the systems for months at this point, it likely will have infected backup files, so restoring from backups sometimes is not possible.
Recently, Bleeping Computer reported that Emotet is being deployed as fake Windows updates asking end users to update Microsoft Word. In this instance, the user is asked to enable editing on a malicious attachment. Once the user enables editing on the Word document, Emotet can go to work.
To avoid Emotet, there are several things organizations can do:
More than 250 hospitals across the United States have experienced a cyberattack that is wreaking havoc on their operations. The attack against Universal Health Services, one of the largest hospital chains in the US, has affected the computer and phone systems at hundreds of their hospitals. The attack resulted in cancelled surgeries, rerouted ambulances and lack of access to online medical records, leading staff to conduct business using pen and paper.
The attack began with outages that logged all staff out of computer systems and blocked them from logging back in. Staff currently have no access to patient records, and financial and clinical operations have been compromised.
Hospitals are prime targets for cyber attacks and data breaches. Their systems contain sensitive information on patient wellness and medical history, making it valuable information for potential hackers. In fact, according to IBM’s Cost of a Data Breach report, healthcare incurs the highest average breach cost of any industry. The average cost of a breach at a hospital amounts to $7.13 million, a 10.5 percent increase over the 2019 findings.
It’s never been more important to keep your hospital or health system protected. Make sure you have a cybersecurity plan in place for your health system.
In the past few weeks, a flurry of ransomware attacks against US organizations has been in the news. Garmin, Blackbaud, travel agency CWT, and a Texas school district (SANS) were all attacked and paid ransomware demands. LG and Xerox were affected by the Maze ransomware operators but decided not to pay, and data that was exfiltrated from their internal network is now posted on Maze’s website (ZDNet).
Protecting against ransomware attacks is not solely the responsibility of the IT department or the security team. IT departments and security teams play a major part in protecting an organization, but the executive team also has a major role in protecting organizations against ransomware.
The IT department/security team should be responsible for:
The executive team should be responsible for:
If you receive any emails claiming to be from the Small Business Administration (SBA) regarding your SBA Application for COVID-19 relief, proceed with caution. Don’t click on any links or enter your SBA login credentials without first verifying it’s legitimate.
The U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) is currently tracking an unknown cyber actor who is spoofing the Small Business Administration (SBA) COVID-19 relief webpage via phishing emails. These emails include a malicious link to a fake page used for re-directs and credential stealing.
Small business owners and organizations at all levels should review the alert and apply the recommended mitigations to strengthen the security posture of their systems.
Be suspicious of any emails that contain any of the following:
hxxps://leanproconsulting [.] com.br/gov/covid19relief/sba.gov
This is a screenshot of the webpage arrived at by clicking on the hyperlink in the phishing email.
If you believe your organization is a victim of this phishing email and would like immediate assistance, please contact Isaac De La Garza, Cybersecurity Incident Response Manager, at 405.594.2044.
Offices are beginning to open back up all across the country. As organizations put safeguards in place to ensure the safety of their employees and customers, they also need to remember to protect their data as employees come back into the office. A recent study conducted in March 2020 by BitSight found that home networks were 3.5x more likely to be infected by malware than corporate networks. As organizations begin reopening for office work, employees could be bringing devices that are infected with malware.
Due to the pandemic, many organizations have relaxed their cybersecurity measures in an effort to focus on getting everyone quickly set up to work from home. To help facilitate this, many organizations allowed personal printers and scanners to be attached to corporate devices as well as allowed unsanctioned software and the use of personal devices. All of these measures, if not properly monitored, could greatly impact the organization.
As organizations open back up, they should protect their data and networks:
Organizations should also take time to ensure their monitoring tools and tools they use to keep systems up to date are properly configured to work outside of the organization, even if a device isn't connected by a VPN. This will help protect organizational resources in the event employees must work from home again.
Most organizational leaders agree that cybersecurity risk is one of the biggest risks to their organization, but many organizations do not regularly educate their employees on these risks. A recent survey conducted by KnowBe4 found that over a third of organizations provide only annual security training, or no training at all, to users at their organization.
Effective security awareness training should not just be a once-a-year click-through training course. The goal of a cybersecurity awareness training program should be to develop and maintain a security culture within the organization. With ongoing training, users are much more likely to think twice before clicking on a link.
To have a successful security awareness training program, a key thing to remember is to make it easy for users to do the right thing. This can be accomplished in a number of ways, including:
The following are our top three tips for a successful security awareness program:
Ransomware has always been a major risk to organizations, but many organizations can recover from ransomware with sufficient backups (as long as the backups weren't also encrypted). Cybercriminals know this and began to hedge their bet by updating ransomware software to not just encrypt all files within an organization but to also steal all of the data in the process.
In traditional ransomware, cybercriminals would encrypt an organization's data and hope the company will pay a ransom to get a key to decrypt the data. Now cybercriminals are stealing the data and using it as even more incentive to pay their ransom. To make matters worse, once the data is stolen, the cybercriminals post samples of the data on "shaming" sites that provide evidence that they have the organization's data. Many different variations of ransomware (e.g. Maze, Sodinokibi, DoppelPaymer) have begun utilizing this type of attack to force organizations to pay the ransom.
In many cases, the cybercriminals have stolen terabytes of data, and they threaten to post or sell all of the data if the victim doesn’t pay their ransom. This technique also forces organizations to quickly disclose breaches to customers, clients and employees due to the breach being readily posted online.
Unfortunately, there is no silver bullet to prevent ransomware, but below are a few tips that can help:
As the world adjusts to working from home, many tools are becoming essential to working remotely. One of the most widely used tools is video communication services. These services include Zoom, Teams, Skype, GoToMeeting, WebEx and more. Each service offers unique functionality, but all of them will let you video chat with one person or a group of people. This is an important feature when your team is no longer working in the same office. Using these services can bring new risks to an organization, however, and it's important to understand the new risks while educating users on acceptable communication tools and settings.
Due to their recent surge in popularity, many of the video communication services have come under scrutiny over security and privacy settings. The issues with the services have ranged from lack of end-to-end encryption to monitoring attendees via their webcam. These risks have led some organizations to ban the use of some video communication services. Zoom has become a very popular and useful service during the recent pandemic, but many users have recently reported a spike in disruptions due to Zoombombing. Zoombombing occurs when strangers join an open Zoom meeting and cause disruption, often forcing the host to end the meeting.
To avoid some of the security and privacy risks with using video communication services, there are a few things you can do to help protect yourself and your organization.
If your organization fell victim to a cyberattack, would your employees know what to do? The worst time to think about how to handle a cyberattack is when it’s currently happening. To help in the event of an attack, an organization should have an incident response plan, but just having a plan isn’t all that is needed to prepare. To help prepare for a cyberattack, organizations should conduct tabletop exercises that outline the steps they might take during a cyberattack. By discussing scenarios in advance, an organization can identify gaps in their response plan and make adjustments.
In a recent survey conducted by Carbon Black, 59% of organizations surveyed stated they have never proactively tested their incident response plan. Conducting regular tabletop exercises can help uncover issues before they happen for real, validate the effectiveness of incident response plans, evaluate the need for external support resources and enhance awareness and readiness.
Common scenarios for cyberattacks include ransomware, email phishing, physical exfiltration and denial of service attacks. Each of these different scenarios would require employees to make unique decisions under pressure and usually very quickly. Identifying many of those questions and answers during a tabletop exercise will better prepare the employees and provide guidance in the event of a real cyberattack.
For years, companies have promoted that reusing passwords is bad, but surveys have shown that nearly 60% of people reuse passwords either at work or for personal accounts. Many wonder, “what’s the risk of reusing a password if it’s secure and you never forget it?” The problem is you could have the longest and most unique password, but if that password is lost or stolen, it’s no longer secure.
Credentials for websites or services tend to be stored in a database by the company you are doing business with. If that company is hacked, all of those passwords can be used by criminals to see what other websites or services they can get into. Criminals do this by running scripts that automate the testing of the stolen credentials on a number of websites and services.
This technique is called credential stuffing and has been in the news lately for incidents regarding strangers accessing Ring security cameras. Many of these cameras were inside people’s homes, and the criminals were able to watch and talk to the individual.
The issue doesn’t appear to be that Ring has suffered a breach, but that individuals set up their Ring account using a password that they have used before and that has been part of a breach. The same type of attack has been seen with other companies, including Dunkin Donuts and State Farm.
You can protect yourself and your company against these types of attacks by encouraging users not to reuse passwords. IT departments should also frequently compare known passwords in breaches to current employee passwords.
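One way to run the breach comparison recommended above without ever sending a full password or full hash to the breach corpus, as an added example (not code from the original page). The corpus contents, user names and function names are constructed for illustration, and the check is assumed to run when a password is set or changed, since that is when the plaintext is available.

```python
import hashlib
import hmac
from collections import defaultdict
from typing import Dict, List

# Constructed sample corpus: password -> number of times seen in breaches.
# A real deployment would query a breached-password data set instead.
CONSTRUCTED_BREACH_CORPUS = {
    "password": 9000,
    "Winter2019": 12,
    "qwerty123": 450,
}


def sha1_hex(password: str) -> str:
    """SHA-1 is used here only as a lookup key, never for password storage."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached: Dict[str, int]) -> Dict[str, List[str]]:
    """Index the corpus by the first 5 hex characters of each SHA-1 digest.

    Each bucket holds lines of the form "SUFFIX:COUNT", the layout used by
    k-anonymity range lookups.
    """
    index = defaultdict(list)
    for password, count in breached.items():
        digest = sha1_hex(password)
        index[digest[:5]].append(f"{digest[5:]}:{count}")
    return dict(index)


def lookup_range(index: Dict[str, List[str]], prefix: str) -> str:
    """Stand-in for the corpus service: it only ever sees the 5-char prefix."""
    return "\n".join(index.get(prefix, []))


def breach_count(password: str, index: Dict[str, List[str]]) -> int:
    """Return how many times the password appears in the corpus (0 if never)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup_range(index, prefix).splitlines():
        candidate, sep, count = line.partition(":")
        if not sep or not count.strip().isdigit():
            continue  # skip malformed lines rather than failing the check
        # The suffix comparison happens locally; compare_digest avoids
        # leaking how many leading characters matched.
        if hmac.compare_digest(candidate.strip().upper(), suffix):
            return int(count)
    return 0


def audit_password_change(user: str, new_password: str,
                          index: Dict[str, List[str]], max_seen: int = 0) -> dict:
    """Reject a new password that has appeared in breaches more than max_seen times."""
    seen = breach_count(new_password, index)
    return {
        "user": user,
        "accepted": seen <= max_seen,
        "times_seen_in_breaches": seen,
    }


if __name__ == "__main__":
    idx = build_range_index(CONSTRUCTED_BREACH_CORPUS)
    for user, candidate in [("alice", "password"),
                            ("bob", "x9!unseen-constructed-phrase")]:
        print(audit_password_change(user, candidate, idx))
```

Because a reused password is exactly what credential stuffing relies on, rejecting any password with a non-zero count at change time removes the stolen credential's value against your own systems.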
On January 14, 2020, Microsoft is set to release the last monthly security update for Windows 7. Microsoft has been pushing users and organizations to upgrade their operating systems for the past few years, but like previous very successful Microsoft operating systems (such as XP), users and organizations are reluctant to upgrade.
Keeping operating systems up to date and patched is one of the best defenses against cybersecurity incidents, and with the end of support coming, users and organizations could be vulnerable. Unfortunately, a recent study by security firm Kaspersky shows that 47% of businesses are still running Windows 7 in their environment. The end of support should not be a surprise to anyone, since Microsoft has advertised it for years.
The best way to make sure your personal devices stay secure is to upgrade to Windows 10 before the final security updates are released. (It appears that you can still receive free upgrades to Windows 10 from Windows 7 and 8 as noted by CNET). If your business is still running Windows 7 and can't upgrade to Windows 10 before January, don't panic—Microsoft is going to provide security updates after the deadline, but organizations will have to pay. Pricing ranges from $25 to $50 a year per device (depending on the version type, Enterprise vs. Pro). After the first year, the price doubles—meaning if you want to keep Windows 7, three years from now, you may be paying $200 per device for security updates.
At first glance, pricing doesn't appear to be outrageous, especially compared to the average cost of a breach. But for organizations with tight budgets, $50 per device can add up quickly. Organizations should remember keeping operating systems up to date is just one thing they need to do to stay secure. Cybersecurity risks should routinely be reviewed and mitigated.
Last month (October) was National Cybersecurity Awareness Month. It’s a great time of year to remind users about cybersecurity, but cybersecurity awareness should not just be a once-a-year checkbox. Cultivating a cyber-conscious culture within an organization is one of the best things an organization can do today to prevent an incident.
Every year, many organizations assign an online training course about cybersecurity followed by a quiz that hasn't changed for years, and employees often have the answers saved somewhere in their documents. Engaging users with different training techniques that are interactive and collaborative can increase participation and show that training doesn't have to be boring. This year, several organizations abandoned click-through online training sessions in favor of training sessions that involved cyber-focused card games and escape rooms, and they saw great success.
One of the easiest ways to get users some hands-on experience is to run regular simulated phishing on all users. A recent study done by KnowBe4 showed that regular testing of users is crucial to reducing the number of phishing emails users fail to identify and click on to open links or attachments. The study showed that organizations reduced their average click rate on phishing emails from 27% to just over 2% within a year of conducting regular simulated phishing tests on all users. Just imagine how this could benefit your organization!
Users are constantly being tested by criminals trying to get them to click on links in emails or download malicious software. There are many technical controls in place to help prevent those types of emails from even getting into a user's inbox, and many users are trained to spot these types of emails. Criminals know this and are testing new scams using AI to help.
In a recent article, The Wall Street Journal uncovered an incident of criminals using sophisticated AI to deepfake a CEO's voice to call a coworker and convince them to wire $243,000 to a supplier. Of course, the bank account numbers weren't owned by the supplier, and the funds quickly bounced from one country to another to avoid being tracked.
This form of social engineering is called voice phishing, or "vishing." With the ability to use AI to learn and mimic voices on the rise, it's only a matter of time before more criminals utilize this technology. Organizations should train users that no personnel (even CEOs) are allowed to request money transfers without proper approvals and verification of recipients.
When cyber threats don’t get the attention of the media, sometimes threats remain unknown to users—especially executives. Ransomware is a huge threat to all organizations, and it’s hard to imagine anyone in an organization today not knowing about the destruction and cost that is associated with it. But last year, another threat cost companies even more money than ransomware.
According to the FBI’s 2018 Internet Crime Report, Business Email Compromise or “BEC” cost companies over $1.2 billion in losses. A business email compromise is a technique used to get unauthorized transfer of funds to bank accounts owned by criminals. This is usually done by spoofing or using stolen email credentials to solicit the transfer of funds. One of the most common examples of this type of attack is when a criminal spoofs the CEO’s email address and emails someone in accounting, typically stating that they are about to board a plane and need to pay an invoice they forgot about. They provide the necessary routing numbers to “get the invoice paid immediately.” Unfortunately, the email is not legitimate, and the funds are sent to the criminal's bank account.
Of the 351,936 IC3 complaints reported last year, only 20,373 (6%) were BEC complaints, but they accounted for almost half (45%) of the total amount of money lost.
These types of attacks are not seen on major news outlets, since they are not destructive like ransomware, which can affect whole companies and cities. These types of incidents also usually do not affect millions of consumers, like breaches in which a plethora of data is stolen. Even though these attacks are not often reported by the media, organizations should be aware of these types of attacks and educate users on how to properly handle such requests.
Ransomware has exploded over the last few years. Online services that specialize in ransomware give even the most novice person the ability to release ransomware. As the market for deploying ransomware has grown, so has the business of data recovery.
With organizations and even entire cities (most recently Baltimore) under attack from ransomware, many are turning to third parties to help them recover. Most recovery companies will tell you that, unless there is something wrong with the deployment of the ransomware, it’s very unlikely you will ever be able to decrypt your files. They often recommend that you start restoring data from backups and wipe all devices that were infected.
This is not the case for some recovery companies, though; some companies guarantee they can decrypt ransomware. In a recent article published by Renee Dudley and Jeff Kao for ProPublica, some of these companies were investigated. ProPublica found that most of the time, these “recovery” companies just pay the ransom on your behalf and say their proprietary technology decrypted the data. Even worse: in some cases, the recovery companies appeared to have relationships with the criminals. Paying the ransom is never advised, since there is no guarantee the criminals will provide the decryption keys, and the ransom money could be used for other illegal activities.
It’s always best to engage with an incident response company before an incident occurs. This gives you time to properly review the company and understand all their services. It’s also important to work to prevent ransomware from infecting your organization. The best way to protect your organization against ransomware outside of the technical aspects (keeping things up to date, firewalls, endpoint protection, etc.) is to educate users through ongoing training and simulated phishing tests. Another way is to limit user access; many times, the scope of what is encrypted by ransomware can be limited if the principle of least privilege is followed.
Do you trust outside organizations that you’ve given access to your network or services? Most organizations have a false sense of security when it comes to allowing vendors or service providers into their network. What happens if one of your vendors or service providers was infiltrated by criminals? In the most recent Global Incident Response Threat by Carbon Black, it was found that in 50% of attacks, the attacker migrates from one organization to another in a technique called island hopping. This type of attack remains most popular in healthcare and financial industries, but is growing in all industries.
These types of attacks are very effective since they leverage the trust between organizations. Island hopping attacks can also be very successful even if your vendors or service providers don’t have access to your network, as the attacks leverage the trust built between your organizations to send you a convincing phishing email. Since the email is coming from a legitimate vendor, many times spam filtering is less likely to flag the email as suspicious, and users are also more likely to act on the email since it came from a trusted source. The attackers know this and do their homework to make sure they have wording, names and dates correct when composing the phishing emails.
In the most recent occurrence of one of these attacks, Brian Krebs reported that a large IT service provider (Wipro) had been infiltrated by cybercriminals. The cybercriminals leveraged Wipro’s resources to phish and gain access to Wipro clients. The investigation is still ongoing, but many of Wipro’s clients have already found they have also been infiltrated by the same group of criminals. Wipro provides IT services to tens of thousands of organizations across the world, including Fortune 500 companies.
One of the most common questions I get asked is, “If you were going to recommend one thing to do today to better protect my business or self, what would it be?” Although it’s always hard to come up with one thing to help protect an organization or individual, the response I usually give is related to password management and second-factor authentication.
Many companies these days use online services, rather than internally hosted applications, for most of their day-to-day operations. Most of these services require their own login credentials. How do users manage to remember all those passwords? More often than not, the user utilizes the same password across all of the services so they can easily get into each one.
Password management includes many aspects, but the key is to not utilize the same password for multiple accounts. The only way to do this effectively when users have dozens of (if not more) accounts between their personal and work use is to utilize a password manager (LastPass, 1Password, etc.). Password managers can be a lifesaver when you have too many passwords to try and remember.
If you are going to provide a password manager for users within your organization, make sure to take the time to train users on how to utilize the tool. Also, don’t assume users know how to reset their password within a service. I’ve talked to many users who try and do the right thing and change their password to something unique, but they don’t know how. Many services bury the “change password” option deep within account settings or profile page. In these cases, even if a user decides to utilize a password manager, they may be unable to set each account up with unique passwords, which defeats the purpose of the password manager.
Like the Equifax breach in 2017, this breach may affect you even though you didn’t provide the company with any data. Also, like the Equifax breach, this latest breach could have been avoided if proper configurations were in place. A simple setting on a server recently exposed a database of more than 24 million financial records. The records included tens of thousands of mortgages from some of the nation’s largest banks. The result of the oversight made it possible for users visiting the website to view the entire database. To make matters worse, during the investigation, another server was found to be misconfigured and exposing its entire database as well.
The company responsible for this breach is Ascension Data & Analytics. Data analytics companies are becoming more common as businesses are trying to utilize data to improve their products and lower costs. Unfortunately, this type of practice can come at a price to consumers. Since data was provided to Ascension by other companies, consumers may not know they have been affected until it's too late.
This breach serves as a good reminder that organizations should have a robust change control process in place to avoid changes to production that could negatively affect the organization. Organizations should also be performing regular vulnerability scans to find misconfigured settings and vulnerabilities within their systems.
On December 14, 2018, the FBI released a statement regarding a recent hoax where hundreds of emailed bomb threats targeted businesses and schools nationwide. The email describes a placement of a bomb in the respective buildings, and, unless a ransom of bitcoin was received, the bomb would be detonated.
If anyone receives this type of communication, they are advised to contact the FBI and local law enforcement, as well as the FBI's Internet Crime Center at www.ic3.gov. Do not reply or attempt to contact the sender. Do not pay the ransom.
Several variations of the email have been noted, but the content is largely the same. Here is an example email threat:
“Good day. There is the bomb (Tetryl) in the building where your business is conducted. It is constructed according to my guide. It can be hidden anywhere because of its small size, it can not destroy the building structure, but you will get many wounded people if it detonates.
My man keeps the building under the control. If he notices any unusual activity, panic or emergency the bomb will be exploded.”
Noted characteristics are as follows:
As always, if you notice any suspicious activity, threats or incidents, notify management and the proper authorities.
If you have a cellphone, you've probably noticed an increase in the number of those annoying spam or "robocalls." The following tips may be helpful when dealing with these calls.
What is your risk tolerance? While on a recent bicycle ride, I started analyzing my ride in terms of risk. What is the likelihood the person coming at me on a narrow path will stay on their side of the trail? Is the approaching rider looking up or are they distracted? A few riders had bike helmets but they were not wearing them; the helmet was attached to a handlebar or sitting in a basket. I realized this is similar to what is often observed in cybersecurity. If you purchase a tool or device that is intended to protect you, unless you actively use it as designed, the odds of it protecting you during an actual incident are greatly diminished or eliminated completely. To me, the behavior is perplexing - why make the investment yet not utilize the benefit? Why do people engage in risky behavior and not heed precautions? Be aware of the actions you are taking both at work and in your personal life. Are you consciously avoiding risk or are you moving forward and hoping for the best?
A bike helmet won't protect you at the office; knowing how to spot and avoid risky scenarios will go a long way in offering protection. Pause before responding to an unusual email, before opening a link or attachment, and confirm with a colleague, in person, before agreeing to change a bank routing number or sending a wire transfer. If you suspect something doesn't seem right, follow your intuition. If you accidentally make a mistake, such as sending an email to the wrong recipient or accidentally deleting data, let someone know so it can be corrected. Accidents can happen to anyone; it's how you recover that matters.
Have you ever Googled yourself? You should. It’s important to understand what information about you is readily available on the internet.
However, personal information isn’t just gathered online. Think about items you often carry. Are they personalized? For example, jackets, luggage tags, your computer screen, or a boarding pass. Maybe your job requires a security badge, or maybe you’re wearing company-issued items with logos or your company's name. If these things are visible, they may be revealing information about you. Social engineering involves learning about people and using that personalized information to manipulate or build a sense of familiarity with unsuspecting people.
Other methods often used to gain personal details include calling someone and purposely stating incorrect information. If the caller states the wrong answer, people will often correct them and provide relevant information. Some callers will ask personal questions under the guise of a survey, while others will even knock on your door at home, armed with personal information, acting as if they are trying to persuade you to vote a certain way or support a cause.
By understanding what data is available both online and in person and limiting the information you share, you can better protect yourself and lower the risk of personal data being used to target you. It’s all about security awareness.
Cyber extortion is not a new topic; however, there is a new scam: sextortion. Here is an overview of the scheme. A “bad actor” sends an email with a message similar to this:
Your email address is <actual email address>; your password is <corresponding password>
I recently placed malware on a site hosting sexual content; I caught you visiting the site. As proof, your email is <email> and your password is <password>. I was able to connect to your computer, and I've copied all of your contacts. I also made a split-screen video; one video is the activity on your computer of websites visited. The second video is your webcam recording you watching online content.
The sender demands a bitcoin ransom be paid within 24 hours, or he will release the footage to all of your contacts. The “bad actor” also includes additional graphic and threatening language. Ransom amounts vary, but are typically around $1,000 to $2,700.
This is extortion. This scam may be automated, with the goal of actually finding people who fall for the scheme. Due to the number of data breaches, it is relatively easy to obtain a valid email and password, especially if they have been reused. Some people who have received this threat noted the email/password combinations appear to be from previous data breaches, some as old as 10 years ago.
If a susceptible person receives this email, they may feel guilty, panic, and decide to pay the ransom. The extortionist is purposely looking to exploit personal fears. In extreme cases, the fear of exposure may lead to suicide.
According to the FBI, here are some things you can do to avoid becoming a victim:
The FBI advises that in many sextortion cases, the perpetrator is an adult pretending to be a teenager, and you are just one of the many victims being targeted by the same person. If you believe you’re a victim of sextortion, or know someone else who is, the FBI wants to hear from you. Contact your local FBI office or toll-free at 1-800-CALL-FBI.
And of course, continue to help build awareness.
Whenever you're working at your desk, and you need to step away, get in the habit of locking your PC. It's just three little buttons: Ctrl + Alt + Del. By locking your screen, you let coworkers know you are away from your desk. It's helpful to know you aren't at your desk if you use Communicator or an Instant Messenger. Secondly, it protects any applications you currently have open, such as a sensitive document or a spreadsheet. Establishing good habits, such as locking your PC every time you step away, is a simple way to improve your security posture.
Next time you walk down the hall at work or you're in a public space, see if you notice any unattended and/or unlocked PCs. It's interesting to observe the number of PCs left wide open. It also prevents anyone from tampering with your PC or seeing data that isn't meant to be seen by others. Do you ever use a PC in a public area? It is important to ensure an unintended user doesn't access your data.
It also demonstrates to others that you take protecting company assets seriously and are trying to avoid unintended access. It may be unlikely that someone would use your PC in your absence, but then again, why wait until something bad happens? Make it a habit to lock your PC on a regular basis. Organizations should also set an auto lock after a short period of inactivity.
This tip also applies to cell phones. It's easy to inadvertently set a phone down. By getting in the habit of locking your phone, you help protect the data, the applications, and the phone from misuse by a stranger.
The internet is filled with people looking for ways to obtain personal information about you. Facebook has been in the news lately as a source for other organizations to "scrape" personal data. Another common scam technique often masquerades as a friendly, unassuming survey or a game. Sometimes they are featured as part of another webpage where you're reading a news article; they may also appear on social media or arrive as a link in an email. They may encourage you to share the survey with family and friends!
In person, if you were asked a very private question, you may object or not respond. Surveys are a clever way to obtain data without the responder even realizing the information they are providing. Historical information is particularly valuable - what year were you born? It may be a fun survey about pets and ask - what was your first pet and what was its name? What was your first job? These are also common security questions to gain access to an account if you forget your password.
If you would like to see other examples of how fun and innocent surveys appear, click here.
If your phone suddenly switches to "emergency calls only" mode, you better act fast. A new scam has fraudsters targeting individuals to gather personal information including name, cellphone number and carrier, in addition to the usual date of birth, Social Security number and address. The fraudster contacts the cell service provider and reports the phone as stolen, and requests to have the cell number "ported" or assigned to a new phone and/or a new carrier.
Once the cell number has been moved to a new device, hackers attempt to access accounts that utilize a text message as part of authentication. Victims have had their bank accounts drained, credit card accounts hacked and other instances of fraud.
If you suddenly receive a text thanking you for signing up for a new cellphone carrier or your cell service drops, contact your cellphone carrier immediately. Also change passwords to any online accounts as soon as possible and take steps to recover your identity. As a preventative measure, you can set up a PIN on your cellphone account. Please share the details of this scam with others to help increase awareness.
For more on the story check out the Better Business Bureau’s advice, here.
Brian Krebs writes a security blog, KrebsonSecurity.com, which recently shared details of tax preparer fraud to help people be aware:
"On Feb. 2, 2018, the IRS issued a warning to tax preparers, urging them to step up their security in light of increased attacks. On Feb. 13, the IRS warned that phony refunds through hacked tax preparation accounts are a “quickly growing scam.” "
Basically, identity thieves focused on tax fraud hack online accounts at tax preparers and file phony tax returns. Clients receive tax refunds they were not expecting. Then the victim receives notification from a fraudster, posing as a debt collector or even as the IRS, stating they have received funds in error and demanding that the funds be repaid immediately. The scam may also include a website with a posted video explaining the error and how to return the funds via wire transfer, along with instructions. Some scams even assign a case worker, along with a telephone number and email address, to “help resolve the issue.” The hackers provide the social security number of the targeted individual along with other personal information, such as date of birth and address, to make the scam appear official.
“Thieves know it is more difficult to identify and halt fraudulent tax returns when they are using real client data such as income, dependents, credits and deductions,” the agency noted in the Feb. 2 alert. “Generally, criminals find alternative ways to get the fraudulent refunds delivered to themselves rather than the real taxpayers.”
One last note of caution: if you go to file taxes and receive a notice that your taxes have already been filed, it is a good indicator that a scam artist may have beaten you to it. Tax fraud is so prevalent that the IRS provides documentation, the "Taxpayer Guide to Identity Theft," along with a form to file in the event you are a victim.
Brian's original blog can be found here.
Email spoofing is a trick that has been employed by hackers for a long time. The hacker alters the “From” field in an email so that it appears to originate from someone other than the hacker. The objective is to trick the recipient into believing the email is from a trusted source, such as a friend or coworker.
Security researchers recently discovered a set of vulnerabilities that could be exploited to perform email spoofing on several widely-used email applications. They have called this collection of email vulnerabilities MailSploit. Recently, a number of organizations and individuals have been victims of MailSploit attacks.
How can you help protect yourself from email spoofing? Here are five helpful tips:
If you are concerned that you may have already been the victim of email spoofing, please contact your local IT team immediately. They can help to identify and limit the impact of any data breach that may have occurred.
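The header checks a mail team can automate against the altered "From" field described above, shown as an added example (not code from this brief or from any mail product). The three messages, the `example.com` / `.test` domains and the trusted server name `mx.example.com` are constructed; the subdomain comparison is a simplification of real DMARC alignment, which needs the Public Suffix List.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Finds an address written inside the display name, e.g. "ceo@corp.com" <x@other>.
ADDR_IN_TEXT = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")


def _domain(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def _related(a, b):
    # Simplified alignment: identical domains or a parent/subdomain pair.
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))


def spoofing_signals(raw_message, trusted_authserv="mx.example.com"):
    """Return sorted signal names; these are triage hints, not verdicts."""
    msg = message_from_string(raw_message)
    display_name = parseaddr(msg.get("From", ""))[0]
    from_domain = _domain(msg.get("From"))
    if not from_domain:
        return ["from_unparseable"]
    signals = set()
    shown = ADDR_IN_TEXT.search(display_name)
    if shown and not _related(shown.group(1).lower(), from_domain):
        signals.add("display_name_address_mismatch")
    for header, name in (("Reply-To", "reply_to_domain_mismatch"),
                         ("Return-Path", "return_path_domain_mismatch")):
        other = _domain(msg.get(header))
        if other and not _related(other, from_domain):
            signals.add(name)
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, _sep, results = value.partition(";")
        # Only believe results stamped by our own mail server; a sender can
        # insert an Authentication-Results header of their own.
        if authserv_id.strip().lower() != trusted_authserv:
            continue
        if re.search(r"\bdmarc=fail\b", results, re.I):
            signals.add("dmarc_fail")
    return sorted(signals)


# Constructed sample messages (not real traffic).
LEGIT = """\
Return-Path: <pat.lee@example.com>
Authentication-Results: mx.example.com; dmarc=pass header.from=example.com
From: "Pat Lee" <pat.lee@example.com>
To: accounting@example.com
Subject: Q3 numbers

See attached.
"""

EXACT_SPOOF = """\
Return-Path: <bounce@bulk-sender.test>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bulk-sender.test; dmarc=fail header.from=example.com
Authentication-Results: mail.bulk-sender.test; dmarc=pass header.from=example.com
From: "Pat Lee" <pat.lee@example.com>
Reply-To: pat.lee@example-invoices.test
To: accounting@example.com
Subject: Invoice due today

About to board a plane, please pay this immediately.
"""

DISPLAY_NAME_TRICK = """\
Return-Path: <pat.lee@example-mail.test>
Authentication-Results: mx.example.com; dmarc=pass header.from=example-mail.test
From: "pat.lee@example.com" <pat.lee@example-mail.test>
To: accounting@example.com
Subject: Updated routing number

Use the new account below.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("exact spoof", EXACT_SPOOF),
                       ("display-name trick", DISPLAY_NAME_TRICK)):
        print(f"{label}: {spoofing_signals(raw)}")
```

The third message passes DMARC because the sender really owns the look-alike domain, which is why the display-name check is kept separate from the authentication result.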
The credit monitoring service Equifax experienced a data security breach that could affect as many as 143 million people. Hackers exploited a flaw on the Equifax website to gain unauthorized access to files that contained consumer identity and credit card information.
The breach provides us with two important reminders:
The firm offers a foundational risk assessment – Cybersecurity Compass® – that provides non-IT leaders with an overview of how their organization has addressed these and other cybersecurity risks. This assessment also outlines recommendations and priority projects to help direct risk remediation efforts.
Google recently notified its employees and the state of California that they had been victims of a cybersecurity breach. One of their travel agencies, Carlson Wagonlit Travel (CWT), utilizes the system called SynXis Central Reservation System (CRS), which is owned and operated by Sabre Hospitality Solutions. Sabre discovered that hackers had gained unauthorized access to SynXis CRS. The hackers had taken travel reservation data including names, contact information, and payment card information. Google is now managing the impact and cost of a security breach that occurred at a vendor (Sabre) used by their vendor (CWT). This story highlights a significant challenge all organizations face as they enter into vendor relationships – how to ensure they partner with organizations who treat their data in a secure manner.
We live in an increasingly outsourced world. Organizations are eager to capitalize on the cost savings that result from contracting with third-parties to perform anything from payroll processing to software development. The common thread throughout all these outsourced activities is the sharing of data, and if those third-parties don’t have adequate security practices, then that shared data is at risk of being compromised. Cybersecurity experts at Eide Bailly recently conducted a risk assessment at a manufacturing client where they identified over five vendors who had significant access to the company’s systems or data with little or no oversight. The team is now assisting this client in establishing a vendor management program to regulate the data and access provided to third-parties and to hold vendors accountable for the security of data with which they are entrusted.
On Friday, May 12, organizations all around the world were victims of ransomware attacks. Cybersecurity experts tracked more than 75,000 coordinated ransomware attacks in 99 countries. Ransomware locks the files on an infected computer rendering them inaccessible. The victim is then instructed to pay the hackers a “ransom” before the files can be unlocked. The British National Health System was one of these victims, causing hospitals across the United Kingdom to turn away patients. Other victims included Russia’s Interior Ministry and Telefonica (one of the largest private telecommunications companies in the world). The attackers demanded ransoms of only $300, indicating that their goal was to infect as many organizations as possible – irrespective of size. Even small and mid-sized organizations were targeted.
Organizations face ever-increasing risk of attacks to their computer systems and networks. Without appropriate preparation, monitoring, and response, their operations could be negatively impacted or their critical data lost. Eide Bailly’s Cybersecurity team has the experience and tools necessary to prepare and educate clients so they are not the next victim of ransomware. If an organization has experienced a ransomware attack, we can provide response management and risk assessment services to give clients peace of mind.
You may recall the 1983 movie “War Games” in which Matthew Broderick plays a high school student who, at one point, uses a stolen password to hack into the school’s computer system to change his grades. Just recently this scene played out in real life. A high school sophomore attending a Spring Branch Independent School District school in Houston, Texas was arrested on March 31, 2017 and charged with a felony for hacking the District’s computer system with the purpose of changing student grades. Just like in the movie, this student used a stolen password to hack into the system and took it even a step further by offering to change other students’ grades for a fee.
School systems and higher education face a significant challenge when it comes to cybersecurity. Their young students know as much or more about their computer systems than those charged with administering them. Eide Bailly’s Cybersecurity team recently completed a Cybersecurity Compass assessment at a school district in Idaho. With over 14,500 students, 1,500 employees, and thousands of computers and tablets, the district’s leadership was seriously concerned about their organization’s cybersecurity readiness. The Cybersecurity Compass provided them a clear understanding of their cybersecurity risks and gave recommendations to help them begin strategically tackling these risks.