Cybersecurity Snapshots

Cybersecurity Snapshots #1 - Phishing Attacks Are Becoming More of a Problem For Organizations

Research and experience have shown that phishing attacks need to be taken more seriously by businesses and individuals. Phishing is defined as a type of cyberattack that primarily uses email as a weapon. The goal of a phishing attempt is to trick the email recipient into believing that the message contains something they want or need. Common examples are emails that appear to come from an individual's bank or from a colleague at their company, often carrying a link to click or an attachment to download. Phishing is one of the oldest types of cyberattack, dating back to the 1990s, yet it remains one of the most widespread forms of attack, and phishing messages and techniques are becoming increasingly sophisticated.

In a recent study about phishing attacks, researchers found that the total number of phishing sites detected from July through September 2019 was 266,387. This was up 46 percent from the 182,465 seen in the second quarter of 2019, and almost double the 138,328 seen in Q4 2018. This was the worst period for phishing that the researchers have seen in three years, since the fourth quarter of 2016. In addition to the increase in phishing volume, the number of brands attacked by phishers in Q3 was also up: the researchers saw attacks against more than 400 different companies per month in Q3, versus an average of 313 per month in Q2. The top targeted industries are largely consistent with previous quarters, with webmail and SaaS sites remaining the biggest targets. BEC (Business E-mail Compromise) attacks remained highly damaging. These attacks target employees who have access to company finances or valued data assets. Adversaries usually conduct a spear phishing attack, trying to trick employees with emails sent from fake or compromised email accounts. According to the researchers, 40 percent of BEC attacks use a domain name registered by the scammer. These domains are often variations of a trusted, existing company name, meant to fool unwary individuals. Unfortunately, employees do fall for these attacks, and the average amount of money wire transferred by victims tricked by the emails was $52,325. This study shows why phishing attacks need to be treated as a major issue and brought to the attention of the public and of company employees.

In another study that surveyed cyber professionals, social engineering via email was the threat most likely to be perceived as growing (55% of respondents reported seeing an increase in July/August 2019). This was followed by DDoS attacks and ransomware (both 54%) and general phishing (53%). Cyber professionals agree that phishing attacks are on the rise, and since the number of phishing attempts grows each year, steps need to be taken to make sure that more businesses and individuals do not fall for them.

Studies have shown that the best way to prevent individuals and businesses from being affected by phishing attempts is education. Once an employee or individual knows how to spot a phishing attempt, they are less likely to fall for it.

Cybersecurity Snapshots #2 - Ransomware Is Not Only a Headache but Can Also Kill

Ransomware is becoming more of a problem for all organizations and needs to be considered a significant concern. Ransomware is very costly for organizations to recover from. In May 2019, the city of Baltimore's IT systems were held hostage by adversaries in a ransomware attack. The adversaries demanded 100,000 dollars in bitcoin. The governor of Baltimore did not pay the ransom, and the attack ultimately cost the city more than 18 million dollars.

Researchers believe that the number of ransomware attacks will increase. They especially expect small businesses to be a primary target for cybercriminals because they invest less in their cybersecurity infrastructure. Researchers expect that by 2021 a new organization will be affected by a ransomware attack every 11 seconds.

Ransomware attacks on healthcare organizations, especially hospitals, are becoming more prevalent, and this is putting patients' lives in danger. A new study discovered that the time for a patient suffering a heart attack to get from the emergency room to the electrocardiogram (EKG) room increased by as much as 2.7 minutes after a ransomware attack. The delay remained as high as 2 minutes even four years after the organization was affected by ransomware. Researchers found that there are as many as 36 additional deaths per 10,000 heart attacks annually at hospitals that have been affected by ransomware. This year alone, 759 healthcare providers were affected by ransomware attacks.

Unfortunately, because hospitals need most of the information affected by a ransomware attack in order to operate correctly, they usually pay the ransom so that the adversaries restore the network to working order or decrypt the files. Paying a ransom is a big problem, because once an organization pays a ransomware demand it usually becomes a more appealing target for other adversaries. There is also no guarantee that an adversary will unlock the system after an organization pays. Payment demands are also increasing: the Beazley report indicates that the average amount an organization paid adversaries to decrypt files or unlock systems was 224,871 dollars in the first quarter of 2019, far surpassing 2018's total of 116,324 dollars.

Since most ransomware is distributed mainly through spoofed emails, employees must learn the proper handling of strange emails. Spoofed emails are emails that an adversary sends to a target while posing as someone the target might know, for example a coworker. It is essential for individuals not to click on a suspicious link or document in an email. Email users should always look at the entire email to check whether it looks correct. If one has a question about the legitimacy of an email, and it appears to have been sent by someone one knows, then one can ask that person whether they sent it. One should also notify the IT department on receiving a suspicious email, so that they can reach out to other employees and warn them. Organizations with sensitive information should also keep backups of their essential files, so that if adversaries encrypt those files, the organization can restore from backup instead of having to pay the ransom.

The number of ransomware attacks is going to increase in the future, which will cause more organizations to be affected by ransomware. Organizations can now hire companies to conduct a ransomware simulation on their servers. Once completed, the hired company gives insights into the impact a ransomware attack could have on the organization and helps the organization come up with a plan to prevent such an attack from occurring. Organizations need to take the risk of ransomware attacks seriously. In a new study, 65 percent of surveyed infosec professionals said their organization experienced a ransomware infection in 2019. Of the organizations surveyed, 63 percent started taking corrective action with users who repeatedly make mistakes related to phishing emails by implementing a consequence model. Once an organization implemented a consequence model, employee awareness improved. Researchers believe that better employee education and the implementation of a consequence model will decrease the number of suspicious emails that are clicked on, which in turn will reduce the number of successful ransomware attacks on organizations.

Cybersecurity Snapshots #3 - Airports and Airlines Severely Lack Good Cybersecurity Practices

Airport and airplane cybersecurity need to be taken seriously by cyber professionals. In a new study of the world's 100 biggest airports, ImmuniWeb found that almost all of the airports studied had an alarming lack of systems in place to protect their websites, mobile applications, and public clouds. Two-thirds of the top 100 airports had highly confidential data, such as IDs, financial records, or plaintext passwords for production systems, located on the dark web. Fully 87% of the airports had some sensitive or internal data exposed in public code repositories such as GitHub or BitBucket. Among them, 59 airports were identified with 227 code leakages of critical risk. The researchers also discovered that more than 70 of the 325 exposures found were of "critical or high risk," indicating a severe breach. Nearly 90% of the airports have data leaks on public code repositories, and 503 of the 3,184 leaks are of critical or high risk and could potentially lead to a breach. Three percent of the airports studied have unprotected public clouds with sensitive data available. Doug Carr, vice president of regulatory and international affairs at the National Business Aviation Association, believes that all airport employees need to be taught proper cybersecurity hygiene and the hacking risks that come with their jobs.

In 2019, airports saw a significant increase in ransomware attacks. The Aviation Information Sharing and Analysis Center (A-ISAC) and Airports Council International (ACI) World want to help combat the cybersecurity issues that airports face. The two organizations have signed an agreement to help Airports Council International members join the A-ISAC for access to airport-specific cyber threat intelligence and actionable data. Airports that join the Aviation ISAC gain access to a dedicated working group, a quarterly report covering the latest threats and trends affecting airports, and other content focused solely on airport cybersecurity concerns. The agreement also allows the organizations to work together at industry events and activities, with the primary goal of ensuring a more secure and safer aviation infrastructure.

The Transportation Security Administration (TSA) and airports want to do more to embed cybersecurity within screening equipment. The agency created 17 new cyber-related vendor requirements which, once shared with industry, will give vendors an opportunity to demonstrate their cybersecurity credentials, increase security levels, provide an aligned approach across the industry, and raise the bar of cybersecurity across screening solutions. Vendors need to implement access control and account management practices that can "adequately" enable multi-level access to equipment and restrict users to the levels they require. TSA is currently holding meetings to address cybersecurity risks. In the past, TSA has held meetings on information security risk management and cyber requirements for Explosives Detection Systems for Cabin Baggage (EDS CB), automatic tray return systems, and screening lanes. TSA intends to hold meetings in the near future on the information security and cyber risk of security scanners, advanced imaging technology, and EDS CB.

Airplanes are also at risk of cyberattack. The U.S. Department of Homeland Security warned that hackers who gain physical access to a plane could attach a device that could possibly cause pilots to lose control of the aircraft. Adversaries might also be able to reach onboard electronics by hacking an airplane's in-flight entertainment system. Because of this risk, Embry-Riddle Aeronautical University created a program to teach and train students how to prevent the hacking of airplane systems and of devices carried by air travelers. There has been growing interest in avionics cybersecurity, mainly because global business travel associations expect business travel to reach $1.7 trillion in spending by 2022. The aviation industry is beginning to provide active training programs, led by companies like Garmin and Honeywell, to address the threat of being hacked during a flight. The Aviation Accreditation Board International would like to provide a program specifically targeting avionics cybersecurity in the near future. Even though investment in making airplane systems nearly impossible to breach has increased, new graduates entering the market with new skills and abilities are still needed, as cyberattacks become more prevalent and more destructive. The increase in cybersecurity measures taken by airports and airlines will hopefully help decrease the number of successful cyberattacks against them.

Cybersecurity Snapshots #4 - Cybercriminals Are Capitalizing on Coronavirus Panic

As the spread of the coronavirus (COVID-19) intensifies around the United States and the world, adversaries are using people's fear of the virus to their advantage and are putting out scams related to it. The World Health Organization (WHO), Federal Trade Commission (FTC), Securities and Exchange Commission (SEC), and the Better Business Bureau have all issued warnings because of the increase in criminal scams tied to the coronavirus. According to researchers at Reuters, since February, victims in the United Kingdom have lost more than £800,000 ($1,000,000) to coronavirus-linked scams.

The US Cybersecurity and Infrastructure Security Agency (CISA) has published a document of risk management actions that executives should take to help address the physical, supply chain, and cybersecurity issues arising from the spread of the coronavirus.

The World Health Organization (WHO) is warning people that criminals are taking advantage of the spread of COVID-19 to try to steal money or sensitive information. Adversaries have been posing as WHO representatives through phishing emails, websites, phone calls, text messages, and fax messages. WHO says people should be cautious if a sender asks for login information, sends an email attachment that directs the user anywhere other than www.who.int, or asks for direct donations to emergency response plans or funding appeals; none of these requests are valid.

Adversaries are also using the coronavirus to spread malware. In January and February of this year, a malware-spreading campaign targeted Japan. The malware distributed was Emotet, a self-propagating, advanced, and modular Trojan. Emotet was sent as a malicious email attachment purporting to come from a Japanese disability welfare service provider.

Since the coronavirus outbreak, a noticeable number of new websites have been registered with domain names related to the virus. Many of the new domains are being used for phishing attempts. Many of the websites claim to sell face masks, vaccines, and home tests that can detect the virus. Once you enter your shipping and payment information on these sites, your personal and payment information is handed to the adversaries, and you never receive the supplies you ordered. The National Fraud Intelligence Bureau (NFIB) has received 21 reports of fraud since February 10th, many involving the sale of masks: the individuals buy the masks on fake websites but never receive the product. One person spent over £15,000 ($17,506) on masks and never received them. An example of such a website is vaccinecovid-19.com, which was created on February 11, 2020. The website was registered in Russia, and the website is insecure. It proclaims that it sells "the best and fastest test for coronavirus detection at the fantastic price of the equivalent of $300." Some of these websites do ship a product, but it is a counterfeit. For example, China alone has seized over 31 million fake face masks that were being sold to people from fake websites. Some of these websites are also spreading fake news and promoting bogus cures, including nasal sprays, necklaces, and even bleach drinks. The sale of fake products and the spread of fake news about the coronavirus through these websites can lead to more people being infected by the coronavirus and even dying from it.

As with other scams and phishing attempts, people should be on the lookout for lookalike domains, spelling errors in emails or websites, and emails from unfamiliar senders, and should avoid clicking on links in emails from unknown senders.
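The lookalike-domain check that both the BEC discussion above and this advice call for, as an added example that is not part of the original article: a small Python filter that flags sender domains imitating a trusted company domain through homoglyph swaps, one- or two-character typos, a different TLD, or the trusted name embedded in a longer registration. The trusted domains, the sample sender addresses and the homoglyph table are constructed for illustration.

```python
"""Flag email sender domains that imitate a trusted company domain (constructed example)."""

# Character sequences that read like another letter in many fonts; a small illustrative set.
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}

# Constructed trusted domains; not real organisations.
TRUSTED_DOMAINS = ["acme-corp.com", "acme-bank.com"]

# Constructed sample senders, as a mail gateway or SIEM rule would see them.
SAMPLE_SENDERS = [
    "cfo@acme-corp.com",                # exact trusted domain
    "alerts@mail.acme-corp.com",        # legitimate subdomain of a trusted domain
    "cfo@acrne-corp.com",               # 'rn' standing in for 'm'
    "cfo@acme-corp.co",                 # trusted name, different TLD
    "payments@acme-corp-invoices.com",  # trusted name embedded in a longer registration
    "cfo@acme-c0rp.com",                # digit zero standing in for 'o'
    "cfo@acme-crop.com",                # two-character typo
    "news@example.org",                 # unrelated domain
]


def normalize(label: str) -> str:
    """Rewrite look-alike sequences so visually similar labels compare equal."""
    label = label.lower()
    for src, dst in HOMOGLYPHS.items():
        label = label.replace(src, dst)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches typo-squats such as a dropped or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Label left of the public suffix; assumes single-label TLDs (.com, .org), not .co.uk."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify_domain(domain: str, trusted_domains=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for one sender domain."""
    domain = domain.lower()
    for trusted in trusted_domains:
        if domain == trusted or domain.endswith("." + trusted):
            return "trusted"
    name = registrable_label(domain)
    for trusted in trusted_domains:
        t_name = registrable_label(trusted)
        # Allow one typo for short names and two for long ones, so a short brand
        # name does not match half the internet.
        threshold = 1 if len(t_name) < 8 else 2
        if (
            normalize(name) == normalize(t_name)          # homoglyph swap or different TLD
            or edit_distance(name, t_name) <= threshold   # typo-squat
            or (t_name in name and name != t_name)        # trusted name inside a longer one
        ):
            return "lookalike"
    return "unrelated"


def classify_senders(addresses, trusted_domains=TRUSTED_DOMAINS):
    """Map each address to its verdict; an address without '@' is treated as a bare domain."""
    return {addr: classify_domain(addr.rsplit("@", 1)[-1], trusted_domains) for addr in addresses}


if __name__ == "__main__":
    for addr, verdict in classify_senders(SAMPLE_SENDERS).items():
        print(f"{verdict:9} {addr}")
```

A 'lookalike' verdict is a reason to quarantine or flag the message for review, not proof of fraud; legitimate sister domains would be added to the trusted list.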

Cybersecurity Snapshots #5 - Automobile Cybersecurity is a Big Issue

Cars are becoming more connected than ever and should therefore meet the highest level of security, safety, and performance. However, that is not always the case. As cars have become more connected and gained more autonomous features, they have become extremely susceptible to malicious cyberattacks and could potentially be weaponized by adversaries. Cars today have up to 100 Electrical Control Units (ECUs) and more than 100 million lines of code, which is a large attack surface. Auto manufacturers also source ECUs from many different suppliers, which means that no one player is in control of, or even familiar with, all of a vehicle's source code. In the future, cybersecurity needs to be embedded in the first stages of a car's design, before it is manufactured.

For a number of years, researchers have been able to find vulnerabilities in cars that make them susceptible to adversarial attacks. Researchers have gained remote access to vehicles by exploiting software vulnerabilities in General Motors' OnStar and Bluetooth systems. The researchers were able to take physical control of the vehicles, for example controlling the speedometer display, controlling the brakes, and shutting off the engine. Jeep Cherokees, for example, were found to be vulnerable through exploitation of the Wi-Fi password. The car's Wi-Fi password was generated automatically from the time at which the head unit was first turned on. In principle this is a relatively secure way to generate a password, because it is based on the date and time down to the second, which gives the password many potential combinations. Researchers found, however, that if an adversary knew the year and month of manufacture, the number of possible combinations was reduced to 15 million. Adversaries would then most likely assume that the head unit was turned on during the day, which reduces the number to 7 million combinations. Once the researchers cracked the car's Wi-Fi password, they were able to change the radio station and volume and track the car via its GPS navigation system. The head unit is not connected to the CAN bus (the internal network), but the researchers were able to reach it through a connected component, the V850 controller. They reprogrammed the V850 controller with a firmware update over the car's Wi-Fi connection. Once this was done, they could send commands on the CAN bus and control the car remotely, including the engine, transmission, steering wheel, and brakes. The researchers reported the issue to Fiat Chrysler, which led to a recall of 1.4 million cars.

In another example, researchers were able to remotely take control of a Tesla Model X's brakes, open the trunk and the doors, and control the radio. They hacked the vehicle through its Wi-Fi and cellular connections using malware delivered to the car's web browser in a series of circuitous exploits. The researchers notified Tesla, and Tesla fixed the vulnerabilities within two weeks. In 2020, researchers discovered a flaw in the Tesla Model 3's web interface: a denial of service (DoS) vulnerability. To exploit it, an adversary would need the user to visit a malicious webpage. Visiting a compromised webpage from the central display could allow attackers to disable the speedometer, web browser, climate controls, turn signals, navigation, autopilot notifications, and blinker notifications, along with other miscellaneous functions on the main screen. The user would still be able to drive the car. Tesla was notified and has since patched the flaw.

The National Highway Traffic Safety Administration (NHTSA) suggests that automotive companies take a multi-layered approach to cybersecurity by focusing on a vehicle's entry points, both wireless and wired. NHTSA also suggests that all automotive companies have a risk-based, prioritized identification and protection process for safety-critical vehicle control systems. Automotive companies should also be able to detect potential vehicle cybersecurity incidents on America's roads in a timely manner and respond to them rapidly. Architectures, methods, and measures need to be designed with cyber resiliency in mind and must facilitate rapid recovery from incidents. NHTSA also suggests that information be shared across the automobile industry to speed the adoption of industry-wide lessons learned.

In an encouraging sign, the automobile industry is starting to take cybersecurity more seriously. NHTSA encouraged the formation of the Auto-ISAC, an industry group that emphasizes cybersecurity awareness and collaboration across the automotive industry. Recently the Auto-ISAC released a comprehensive set of best practices for automotive cybersecurity, and automakers plan for these guidelines to serve as the foundation for industry-wide cybersecurity standards. Several OEMs, including Tesla, GM, and Fiat Chrysler, have also established "bug bounty" programs, which reward individuals who find and report security flaws in their cars' software, in order to fortify their systems against vulnerabilities. The bug bounty programs have helped automobile companies find a multitude of flaws. In 2019, Tesla rewarded researchers $10,000 through its Bugcrowd bug bounty program for discovering a stored cross-site scripting (XSS) vulnerability that could have been exploited to obtain vehicle information. The automotive industry will continue to take cybersecurity more seriously in the future and will need to adapt to the ever-changing forms of cyberattack that could affect its automobiles. It will also need to be prompt in patching flaws once found, because the longer a flaw goes unfixed, the more likely a successful cyberattack becomes, which could cause injuries or deaths.

Cybersecurity Snapshots #6 - Will Biometric Authentication Soon Replace Password Authentication?

World Password Day, held on May 7th, was created by Intel to help spread awareness of the critical need for the use of more robust passwords. Many individuals still do not follow suggestions given by experts regarding passwords.

Researchers from Ofcom conducted a poll of 1,805 adults aged 16 and over and discovered that 55 percent of the participants used the same password for most websites. Over one quarter of the participants used easy-to-remember passwords, such as people's names or birthdays. In a new global survey, researchers polled 3,250 individuals across the United States, Singapore, Australia, Germany, Brazil, and the United Kingdom. They discovered that although there is heightened global awareness of good security practices, hacking incidents, and data breaches, consumer password behaviors remain mostly unchanged. Over 90 percent of the participants know that using the same password on multiple accounts is a security risk, yet 66 percent still do so, an increase of 8 percent from 2018. Half of the participants reported that they had not changed their passwords in the last 12 months. While three quarters of the participants say they feel informed on password best practices, half of them still try to memorize passwords, and one quarter write their passwords down somewhere. Most of the participants were concerned about having their passwords compromised, yet half of them never change their passwords unless required to.

The number one reason participants use the same password for multiple logins and create easy-to-remember passwords, even though they know it puts them at greater risk of a breach, is that they are afraid of forgetting their login information. Given this, users should consider password management software, which can remember hard-to-crack passwords and help generate complex ones. Researchers at FICO found that currently only 23 percent of respondents use an encrypted password manager, which many consider best practice. Another reason participants use easy-to-remember passwords, and reuse them across accounts, is that many want to stay in control of their passwords.

In the global survey, researchers also found that respondents are much more comfortable with biometric authentication, which uses a face or fingerprint to log in to devices or accounts. Sixty-five percent of the participants said they trust facial and fingerprint recognition more than traditional text passwords. Many individuals and organizations believe it is time to ditch text passwords and rely on biometric authentication entirely. Biometric authentication offers some useful benefits, including simplicity and convenience for the user, which is why it has grown in popularity. It can also provide higher authenticity, because fingerprints and faces are hard to replicate. Biometric authentication also helps deter shoulder surfing, in which an adversary tries to break into an individual's account by watching the target enter PIN codes or passwords.

Biometric authentication also has some negative aspects. Biometric data is irreplaceable, which means that if it is compromised in a breach, it cannot be reset. Text passwords can always be reset when a breach is discovered. Biometric authentication methods usually rely on partial information to authenticate one's identity, which can allow false positives. In 2018, researchers from New York University trained AI neural networks to crack fingerprint authentication with a success rate of 20 percent. They relied on the fact that most fingerprint scanners only scan a portion of the finger. Face ID on iPhones counters false authentication by adding a "liveness" detection system. Face ID held up fairly well against the 3D-printed head attack that beat several Android devices; however, the researchers eventually managed to cause a false positive on Face ID.

It will continue to be essential for individuals to use strong and complex passwords to help prevent individuals or organizations from being breached. Biometric authentication is being used more and more but still has challenges. It is unlikely that biometric authentication will replace text passwords anytime soon, even though many users feel more comfortable using it. Companies that store biometric data need a strategy for storing that data securely to make sure it is never compromised. Companies also need to work out how to make biometric authentication more secure, so that methods such as facial recognition and fingerprints do not produce false positives. Some researchers have turned to the development of changeable biometrics to overcome the security risk of static fingerprints, irises, and face shapes. Berkeley researchers came up with a futuristic system called "passthoughts". The technique combines three factors: a thought, the user's brain patterns, and an EEG sensor for measuring brainwaves. To authenticate a passthought, the user thinks of their secret key while wearing the sensor. The thought itself is never transmitted; what is used is a mathematical representation of the electrical signals the user's brain produces while thinking of the secret key. Even if someone were able to figure out precisely what a user was thinking, they would not be able to impersonate the user's passthought, because every person thinks the same thought differently. And if a user's passthought were ever compromised, the user could always change it.

Cybersecurity Snapshots #7 - Is Online Voting a Good Idea?

Government officials have expressed mounting concern about how the coronavirus could diminish voter turnout during the 2020 presidential election. Officials have expressed interest in allowing internet voting as an alternative to in-person ballot casting in the upcoming presidential election in November. The concept of internet voting has been around since the 1990s. A handful of states, including Delaware, West Virginia, and New Jersey, have introduced internet voting pilot programs. Many in the computer science community see online voting as a slippery slope towards a looming security risk.

David Dill, a computer science professor at Stanford University, is against the idea of piloting online voting in the next presidential election. He believes that there is no way to ensure that devices and apps are free of malware that might influence a voter's choices. Dill also says that a hacker from an adversarial foreign government could theoretically break into these systems and change or manipulate votes. Barbara Simons, a former president of the Association for Computing Machinery, has been a long-time critic of internet voting and overly mechanized voting systems. She believes that voting over the internet is too risky, and that if voters are not able to vote in person in November due to COVID-19, then Vote-By-Mail (VBM) is the safest way for them to cast their ballots. The FBI, EAC, NIST, and the Department of Homeland Security's CISA have released a warning against the wholesale embrace of internet voting. They stated that there are some effective risk management controls to enable electronic ballot delivery and marking, but that electronic ballot return technologies are high-risk even with controls in place.

Google recently announced that earlier this month, on June 4th, an Advanced Persistent Threat (APT) group targeted Joseph Biden's campaign staff with phishing attempts. The group behind the attacks is called APT31, also known as Zirconium. Zirconium is a Chinese state-sponsored hacking group that has been active since early 2016. Historically this group has targeted foreign companies to steal intellectual property but has also targeted diplomatic entities in the past. The adversaries did not appear to compromise the campaign's security. Analysts believe that China's primary motive for breaking into a campaign is to collect intelligence, such as Biden's proposals for U.S. policy on China. The adversaries could, later on, use the stolen information to interfere in the campaign itself.

In a new survey conducted by Venafi, 485 IT security professionals attending the RSA Conference 2020 were asked about election infrastructure cybersecurity. Almost three-quarters of them believe that local governments cannot defend election infrastructure against cyberattacks from foreign and domestic threat actors. Most of the IT security professionals surveyed thought that the spread of malicious information was the most significant cyber risk to election integrity. In October 2018, voter databases covering around 35 million U.S. citizens were being sold on the Dark Web, priced between $150 and $12,500. These databases included personal information such as phone numbers, names, address details, and voting history, and covered voters from 19 states.

In another new study, researchers explored a voting platform called OmniBallot to determine what vulnerabilities exist in this technology. OmniBallot is a platform approved for online voting in multiple US states. Researchers at the Massachusetts Institute of Technology (MIT) and the University of Michigan found that OmniBallot is vulnerable on multiple levels and is susceptible to various degrees of manipulation. The researchers assessed the risks of three ways of using OmniBallot: blank ballot delivery, online ballot marking, and online ballot return. Adversaries would be able to change election outcomes without detection by leveraging many techniques. The researchers urge jurisdictions not to deploy OmniBallot's online voting features in order to maintain election integrity.

To be completely confident in online voting and to deploy these types of platforms in the future, appropriate security controls, mechanisms, and auditing features are necessary. Researchers believe that blockchain technology or homomorphic encryption could help ensure the integrity of a voter's ballot selection and would help mitigate tampering concerns. A hybrid cloud provider under intense guard would also be needed to manage the load of data. Securing online voting needs to be organized as a central effort with federal regulations from the National Institute of Standards and Technology (NIST). The responsibility to regulate online voting should not be created and enforced piecemeal as it would create multiple unique opportunities for exploitation.

Cybersecurity Snapshots #8 - Is Your Home Router Secure?

Due to COVID-19, many employees are now working remotely from their homes, which means that they are using their home routers to connect to the internet. Cybercriminals know that home routers left with their default credentials are not secure, but most users are unaware of this. Many do not question whether there are flaws in their home routers that could lead to a data breach. Cybercriminals are now trying to exploit this lack of knowledge and are trying to access employees' home routers, which leads to the question: are home routers secure?

Brute force login attempts against routers are increasing. In September 2019, researchers at Trend Micro recorded 23 million brute force login attempts. Since then, the number of brute force attacks against routers has gone up significantly: in March 2020, Trend Micro recorded almost 194 million brute force login attempts. Adversaries are also attempting to open telnet sessions with IoT devices like smart home appliances, printers, and internet-connected cameras to probe for user credentials. In mid-March 2020, nearly 16,000 botnets tried to open telnet sessions with IoT devices in a single week.

In 2019, researchers at NanoLock Security discovered a firmware flaw in routers made by Buffalo, a company whose routers are owned by millions of customers. The routers are vulnerable to a firmware attack that can downgrade devices to a less secure version, which would further compromise them. In 2019, NanoLock researchers met with Buffalo engineers to describe the attack and the firmware flaw that their routers contain. However, as of today, Buffalo has not released an update that fixes the flaw found by the researchers.

Recently, two security researchers discovered a vulnerability that impacts 758 different firmware versions used on 79 Netgear routers. The severe security flaw can allow hackers to take over devices remotely. Some firmware versions affected by this vulnerability were first deployed on devices released as far back as 2007. The bug resides in the web server component packed inside the vulnerable Netgear router firmware. The vulnerability allowed the researchers to start the router's telnet daemon as root, listening on TCP port 8888 and requiring no password to log in. The researchers reported the vulnerability to Netgear in early 2020, but due to the vulnerability's broad impact and the enormous amount of work needed to produce and test a patch for all devices, the router maker requested more time to fix these issues; however, this extension expired on June 15th.

In another new study, researchers from Germany's Fraunhofer Institute for Communication, Information Processing, and Ergonomics (FKIE) looked at 127 router models, including ones from ASUS, AVM, D-Link, Linksys, Netgear, TP-Link, and Zyxel. The researchers discovered that nearly all tested routers were afflicted with scores of unpatched and often severe security flaws, which could put users at risk of a cyberattack. Even the routers that had been recently updated still contained many vulnerabilities. The researchers found that the average length of time since the routers had their latest security updates was 378 days. Of the 127 routers tested, 46 had not received any security update within the last year. On average, the routers were impacted by 53 critical-rated vulnerabilities.

To help prevent attacks against home routers, users should use strong passwords for their home routers and change them from time to time. They should also make sure that their routers are running the latest firmware, and only allow logins to their router from the local network. It is very important that in the future router manufacturers take a different approach to cybersecurity than what is currently in place. Companies need to focus on ways to address security vulnerabilities before they are exposed to ensure that their growing networks of routers will remain resilient if an adversary attempts to hack them.

Cybersecurity Snapshots #9 - Organizations Need to Address Mobile Security

Businesses continue to be threatened by data breaches, but data suggests that working remotely is changing how data breaches may occur. Based on research by Ponemon, companies have a nearly 28% chance of experiencing at least one data breach in the next two years. The Bring Your Own Device (BYOD) trend, where people use their personal devices for work activities, was on the rise in 2019. With the coronavirus, many more employees work remotely, and mobile device access to business data is now the norm, not the exception. Companies are ignoring their most vulnerable endpoint, which is not the laptop but the mobile devices that employees use to access company data.

Researchers at Verizon conducted a study in 2019 and found that most companies allow mobile devices to access some of their most business-critical information, though the amount of access varies from company to company. They also found that 4 in 10 companies suffered a data breach through a mobile device.

According to an IBM study, users are three times more likely to respond to a phishing attack on a mobile device than a desktop, in part because a phone is where people are most likely to see a message first. The latest research by Verizon also supports that conclusion. The researchers at Verizon add that the smaller screen sizes and corresponding limited display of detailed information on smartphones (particularly in notifications, which frequently now include one-tap options for opening links or responding to messages) can also increase the likelihood of phishing success. Verizon also found that 15% of users who are successfully phished will be phished at least one more time within the same year.

Researchers at security firm Wandera found that 83 percent of phishing attacks took place outside the inbox, in the form of text messages, apps like Facebook Messenger and WhatsApp, a variety of games, and social media services. Mobile devices provide many avenues for a user or employee to be tricked by a phishing scheme, which could lead to a data breach. Individuals are also more vulnerable to social engineering attacks on mobile devices. Social engineering attacks are when adversaries try to exploit human psychology and susceptibility to trick victims into disclosing sensitive data or convince them to break security measures, allowing the adversary to gain access to the victim's network.

Other research by Wandera found that corporate mobile devices use Wi-Fi almost three times as much as they use cellular data. Nearly a quarter of corporate mobile devices have connected to open, potentially insecure Wi-Fi networks, where devices may encounter a man-in-the-middle attack, in which an adversary maliciously intercepts communication between two parties. Employees using corporate mobile devices should be warned not to connect to public Wi-Fi networks, and if they have to, they should use an enterprise-class VPN to help prevent a man-in-the-middle attack. Employees should also be made aware of the risks of mobile malware, one of the fastest-growing threat categories in cybersecurity, which affects iPhones as well as other devices.

Organizations should put into place mobile device management (MDM). Mobile device management refers to any tool or software designed to help IT administrators control and secure mobile devices like smartphones and tablets. The two critical elements of mobile device management are an MDM server that resides in a data center and an MDM agent that resides on a mobile device. When an IT admin needs to configure a mobile device on a company network, the admin inputs the new policy on the MDM server's management console. Mobile device management protects company data through device-level policies provided by the device manufacturer or platform provider. It also allows the administrator to control what apps can be downloaded on an employee's work cellphone, what corporate services can be accessed from the phone, and enable remote wiping if the device is lost or stolen. Organizations should also deploy network-layer threat detection on employee work phones. With intrusion detection, prevention (IDS/IPS), and anomaly detection, regardless of whether the threat comes through email, SMS, or app, device-level network-traffic monitoring would detect the abnormal traffic and flag it for remediation.

Since more employees are accessing critical business data with mobile phones, it is important that organizations put proper policies in place to keep their information as secure as possible. Organizations need to address mobile security, to help decrease the chance of a data breach from occurring through a mobile device.

Cybersecurity Snapshots #10 - Organizations Need to Take Bluetooth Security Seriously

Bluetooth security is coming under increased scrutiny as its use grows beyond personal applications. Researchers are starting to emphasize that the security risks of Bluetooth, and the potential rewards for malicious hackers, are increasing significantly. Bluetooth is spreading from being mainly used in consumer settings to being adopted more and more by enterprises and governments for large-scale deployment in corporate offices, hospitals, and industrial control environments. As more devices use Bluetooth, more Bluetooth bugs are being discovered by security researchers.

Academic researchers recently found that Bluetooth chips from Apple, Qualcomm, Intel, Samsung, and others contained security flaws that allowed Bluetooth Impersonation Attacks (BIAS). The researchers conducted BIAS attacks on more than 28 unique Bluetooth chips by attacking 30 different devices. All the devices tested were vulnerable to the BIAS attack. The researchers found that the bugs discovered allow an attacker to insert a rogue device into an established Bluetooth pairing, masquerading as a trusted endpoint. This attack would allow an adversary to capture sensitive data from the other device.

Another Bluetooth vulnerability was discovered recently by researchers at Purdue University. The high-severity Bluetooth vulnerability they call "BLURtooth" exists in the pairing process for Bluetooth 4.0 through 5.0 implementations. The vulnerability could allow an unauthenticated adversary within wireless range (330 feet for Bluetooth 4.0 devices, and 800 feet for Bluetooth 5.0) to eavesdrop or alter communications between paired devices.

Another recently discovered vulnerability allows an adversary to hack Android cellphones via Bluetooth. Researchers at DBAPPSecurity have discovered an authentication bypass vulnerability, dubbed "BlueRepli." An adversary can bypass authentication by imitating a device that has previously been connected with a target. Victims do not need to give permission to a device for the exploit to work. The exploit makes it so that the victim has no awareness at all when attackers access their phone book or SMS messages. If the vulnerability is exploited, attackers can steal users' contacts, call logs, and short messages. The vulnerability also allows adversaries to send fake text messages from victims' devices if they exploit any device made by one particular Android manufacturer.

Security researchers believe that most Bluetooth bugs are due to faulty implementations as a result of the written standard's scale and complexity. The Bluetooth standard is about 3000 pages long, defines the radio frequency layer for Bluetooth, and has components at every layer of tech, from hardware up through applications, to guarantee interoperability between Bluetooth devices. According to Matthew Green, a cryptographer at Johns Hopkins University, the standard's complexity makes it very hard for developers to have a full mastery of the available choices, which results in faulty implementations.

Since Bluetooth is being used in more corporate offices, hospitals, and industrial control environments, security researchers strongly suggest that organizations address Bluetooth wireless technology in their security policies. A security policy that defines requirements for Bluetooth security is the foundation for all other Bluetooth-related countermeasures. The security policy should include a list of approved uses for Bluetooth, a list of the types of information that may be transferred over Bluetooth networks, and, if used, requirements for selecting and using Bluetooth personal identification numbers. Organizations should ensure that their Bluetooth users are made aware of their security responsibilities regarding Bluetooth use, and the annual required security awareness programs should be updated to include Bluetooth security policy guidelines. Security researchers also suggest that Bluetooth capabilities on personal devices be turned off when not in use, and that one should refrain from transferring sensitive data to another device using Bluetooth.

Cybersecurity Snapshots #11 - Are Security Cameras Vulnerable to Cyberattacks?

The use of security cameras in both personal and commercial applications has continued to grow, and the cameras have become an attractive target for hackers. While users acknowledge that the cybersecurity of security cameras needs to be taken very seriously, many security cameras currently have vulnerabilities that could allow adversaries to spy on victims, gain access to video recordings to sell, and possibly gain access to other devices on the same network.

Researchers at Genetec Inc. conducted a study that found 7 out of 10 security cameras are currently running out-of-date firmware. Over half of the security cameras with out-of-date firmware (53.9 percent) contained known cybersecurity vulnerabilities. Genetec's lead security researcher stated that nearly 4 out of every 10 security cameras are vulnerable to a cyber-attack. The researchers also discovered that 1 in 4 organizations fail to use unique passwords for their security cameras and instead rely on the same password across all cameras, leaving an easy point of entry for hackers once only one camera has been compromised.

Individuals and organizations should keep security camera firmware up to date, because it is a crucial step in ensuring that their security cameras are resilient against cyberattacks. Continually updating the security camera firmware ensures that the latest cybersecurity protection measures are implemented as soon as they become available. Individuals and organizations should change the default passwords of the security cameras they receive to strong, hard-to-guess passwords. Each camera should have its own password and should use two-factor authentication if possible. That way, if an adversary does obtain a password for the security cameras, it is less likely they will access them successfully. If you get an alert that someone has tried to access your security cameras and it was not you, change your passwords immediately.

Recently, researchers at a company called Which? discovered that around 3.5 million security cameras installed in homes and offices, predominantly in Asia and Europe but also found around the world, have serious vulnerabilities that could allow an adversary to spy on victims, steal their data, or target other devices on the same networks. Brands with potentially vulnerable cameras include Alptop, Besdersec, COOAU, CPVAN, Ctronics, Dericam, Jennov, LEFTEK, Luowice, QZT, and Tenvis. The researchers stated that any wireless camera using the CamHi app and carrying a certain type of Unique Identification Number (UID) could be susceptible to a hack. About 700,000 of the cameras mentioned above are in use in Europe, including 100,000 in the UK. Recently, an unnamed hacker group gained access to over 50,000 home security cameras and stole victims' private footage to post on their Discord server. Discord servers are topic-based channels where one can collaborate and share information with anyone who is in the same Discord channel.

Security researchers at Internet of Things security firm Dojo by BullGuard discovered a way to exploit a security vulnerability in the Amazon Ring video doorbell that could leave audio and video transmission exposed to third-party attacks. To exploit the vulnerability, the adversary would have to gain access to a victim's Wi-Fi network, and the Ring owner would also have to be connected to the same network. Once connected, the attacker can see audio and video as transmitted from the Ring video doorbell to the Ring application used by the owner. That footage is unencrypted when transmitted, making it easy to intercept once a hacker has gained access. The adversaries could use the video and audio to spy on the homeowners. The adversaries could also inject their own footage, which could be used to trick a homeowner into unlocking their door remotely. Amazon has been made aware of the issue and has issued an update to its Ring app to address the vulnerability.

Researchers at Strategy Analytics predict that smart home surveillance cameras will grow from a $7.0 billion market in 2018 to a $9.7 billion market in 2023. They also forecast that sales of smart home surveillance cameras will more than double over this period, from 54 million in 2018 to 120 million in 2023. Due to the continual increase in the use of surveillance cameras in the future, it will be even more important to make sure they are not vulnerable to cyberattacks.

Cybersecurity Snapshots #12 - Open Source Code: Is It Secure?

Many organizations are adopting open source code to help them develop commercial applications faster. A third of the average commercial application's code base is composed of open source code. Since many organizations rely on producing software fast, researchers believe it is not viable for organizations to eliminate the use of open source code when developing software. Researchers at Black Duck, a company that focuses on software composition analysis, discovered that 96 percent of commercial applications now use open source components. The average commercial application has 147 different open source components, and 67 percent of these applications used components with known vulnerabilities. Since more organizations are using open source code, how secure is it to employ it in order to build software?

Clearly, there are advantages in using open source software. It reduces the time it takes to create commercial applications. Many companies are comfortable using major open source projects if they have large groups maintaining them. Since so many are using the same code components, it might be easier for vulnerabilities to be caught and addressed. Another advantage to using open source code is that companies can open the code and fix it immediately if there is a problem. If a company uses code that is licensed under proprietary agreements, then they generally have to wait for vendors to respond before they fix the code.

There are also some disadvantages to using open source software. New vulnerabilities are constantly being found in open source code, and many projects have no mechanisms in place for finding and fixing problems. According to a recent Snyk survey of open source maintainers, 44 percent have never had a security audit, and only 17 percent said that they had a high level of security know-how. There's also no standard way of documenting security on open source projects. In the top 400,000 public repositories on GitHub, only 2.4 percent had security documentation in place. If the open source code provider fixes a problem, there often isn't a mechanism to find and notify all of the users of the old code. The open source community isn't tracking the use of their components. According to the Snyk survey, 88 percent of open source code maintainers add security-related announcements to the release notes, and 34 percent of them claim to deprecate the older, insecure version. A quarter of the open source code maintainers said that they make no effort to notify users of vulnerabilities, and only 10 percent file a CVE (Common Vulnerabilities and Exposures).

The giant Equifax breach involved a vulnerability in the Apache Struts open source software. A patch came out a couple of months before the breach occurred, and while Equifax was aware of the patch, the company was unable to make the fixes in time. During the data breach, 143 million users were affected. The information the adversaries may have obtained included names, social security numbers, birthdates, and home addresses.

Researchers at Veracode found that only 28 percent of organizations do any regular analysis to find out what components are built into their applications. As the use of open source code grows, the risk surface expands. Many organizations using open source do not scan their code for potential security weaknesses, although there are resources to scan open source code for defects before companies employ it to create their software. Synopsys provides a free service called Coverity Scan to do just this. So far, the tool has been used by organizations to analyze about 750 million lines of open source code, and the tool identified 1.1 million defects, of which 650,000 had already been addressed. Integrating open source vulnerability scans into the development process is very important as open source code and software become more widely adopted, especially since it can be difficult to track down all the code that is in use. Organizations should make sure to scan open source code for vulnerabilities before they use it to create their commercial software.
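As an added example of the component inventory and known-vulnerability check the paragraph calls for (not code from the page or from any vendor named above), the script below parses a constructed requirements-style manifest and matches each pinned component against a constructed advisory feed with affected-version ranges; every package name, version and advisory identifier is a placeholder.

```python
"""Minimal software-composition check: inventory declared open source
components and match them against an advisory feed.

Added example, not code from the page or from any vendor named in it.
Manifest, package names, versions and advisory identifiers are all
constructed placeholders."""
import re
from dataclasses import dataclass

# Constructed manifest in requirements.txt style (not from any real project).
MANIFEST = """\
# constructed sample manifest
examplelib==2.19.1
netutil==1.24.1   # pinned transitively
webcore==1.1.2
yamlish==5.1
"""


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive upper bound)
    advisory_id: str  # placeholder identifier, not a real CVE


# Constructed advisory feed; identifiers are placeholders.
ADVISORIES = [
    Advisory("netutil", "0.0", "1.24.2", "ADV-EXAMPLE-0001"),
    Advisory("yamlish", "0.0", "5.2", "ADV-EXAMPLE-0002"),
    Advisory("webcore", "1.2.0", "1.3.0", "ADV-EXAMPLE-0003"),
]


def parse_version(v: str) -> tuple:
    """Turn '1.24.1' into (1, 24, 1) so releases compare in order.
    Non-numeric suffixes are dropped, which is enough for pinned releases."""
    parts = []
    for seg in v.split("."):
        m = re.match(r"\d+", seg)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def parse_manifest(text: str) -> dict:
    """Return {package: version} from 'name==version' lines; comments skipped."""
    components = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.-]+)==([0-9][0-9A-Za-z.]*)$", line)
        if not m:
            raise ValueError(f"unsupported requirement line: {raw!r}")
        components[m.group(1).lower()] = m.group(2)
    return components


def is_affected(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def find_vulnerable(components: dict, advisories=None) -> list:
    """Return sorted (package, version, advisory_id, fixed_in) tuples for
    every component whose pinned version falls inside an advisory range."""
    hits = []
    for adv in (ADVISORIES if advisories is None else advisories):
        ver = components.get(adv.package.lower())
        if ver is not None and is_affected(ver, adv):
            hits.append((adv.package, ver, adv.advisory_id, adv.fixed))
    return sorted(hits)


if __name__ == "__main__":
    for pkg, ver, adv_id, fixed in find_vulnerable(parse_manifest(MANIFEST)):
        print(f"{pkg}=={ver}: {adv_id}, upgrade to >= {fixed}")
```

Run against a real project, the manifest would come from its lock file and the advisory feed from a vulnerability database; the matching logic stays the same.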

The use of open source code saves time and money, which means organizations will most likely continue employing it as the base of their software. Its popularity will most likely increase in the future as well. It is critical that the code be scanned for vulnerabilities before it is used to create commercial applications, as it would tremendously decrease the risk of using open source code.

Cybersecurity Snapshots #13 - Are IoT Devices Secure?

Internet-of-things (IoT) devices are already being used frequently in homes and businesses, and their use will continue to grow in the future. Researchers from Hub Entertainment Research found that in 2020, 39% of all homes in the US had a connected device, and there was a 33% increase in US homes using smart home gadgets in 2020. Since IoT devices are increasingly being used within enterprise and home settings, we need to ask whether IoT devices are secure.

Researchers with Nokia's Threat Intelligence Lab discovered that IoT devices had become a favorite target for cybercriminals this year. New research has shown that there has been a sharp increase (100%) in IoT infections observed on wireless networks. IoT devices are now responsible for 32.72% of all infections observed in mobile and Wi-Fi networks, up from 16.17% in 2019. Researchers with Nokia's Threat Intelligence Lab believe that IoT infections will continue to grow as connected devices increase in home and enterprise settings.

Researchers at Purdue University found a Bluetooth Low Energy (BLE) vulnerability that allows spoofing attacks and potentially impacts billions of IoT devices. The BLESA flaw arises from authentication issues in the process of device reconnection, which is an area often overlooked by security experts. Attackers can use BLESA on BLE implementations on Linux-based BlueZ IoT devices, Android-based Fluoride, and the iOS BLE stack, while Windows implementations of BLE remain unaffected.

Researchers at Palo Alto Networks Unit 42 have found that 99% of all IoT device traffic is unencrypted, exposing personal and confidential data on the network. The researchers also found that more than half of all IoT devices are vulnerable to medium or high severity attacks. Cameras are the type of device that brings in the most security issues, accounting for about 33% of the security issues seen among general enterprise IoT devices. Many IoT devices have insecure software or have been deployed in an insecure configuration, which leaves them vulnerable to attack. For example, 83% of medical imaging systems use unsupported operating systems, which is a severe security issue. Even though the number of imaging systems used in the medical field is not as great as other medical devices, it is the number one type of device that brings in the most security issues.

Researchers at Irdeto conducted a survey of 700 security decision-makers from the US, UK, Japan, Germany, and China, from the connected health, connected transport, and connected manufacturing industries, to determine the types of cyberattacks targeting IoT devices, their concerns about the technology, and the security measures in place. The researchers found that 82% of healthcare organizations' IoT devices have been targeted with a cyberattack within the last year, compared with 80% of organizations overall. Manufacturing organizations' IoT devices were the second hardest hit (79%), followed by connected transport's IoT devices (77%). On average, an IoT-focused cyberattack costs healthcare organizations $346,205, slightly higher than the overall average for all industries, which totaled $330,602. Only 7% of attacks against healthcare IoT devices had no financial impact. Overall, more than three-quarters of US organizations have faced an IoT cyberattack. Operational downtime was the biggest impact for those organizations (55%), followed by compromised customer data (37%), and compromised end-user safety (36%). Only 11% said they had no impact after the IoT security event. Almost all manufacturers and 96% of users said the IoT devices they manufacture or use could be improved a little or by a great extent. Those numbers increase for the healthcare sector, with 98% saying IoT devices have room for security improvements. The overwhelming majority (83%) of organizations are concerned about IoT devices being targeted by cyberattacks, hacking, or a security breach, with 82% expressing concern that these devices are not adequately secured.

Concerns about IoT security have been raised in the past, with many organizations and users stressing that there is a lack of standard guidance about IoT security, which contributes to the lack of overall awareness. The new IoT Cybersecurity Improvement Act, which recently got the stamp of approval from the U.S. Senate, aims to help create more IoT security guidance. Dirk Schrader, global vice president at New Net Technologies (NNT), stated that security measures like the IoT Cybersecurity Improvement Act "improve the security posture overall." Jack Mannino, CEO at nVisium, believes that fixing IoT security requires a concerted effort across the supply chain, not a fix for a single technology or vulnerability. He also believes that establishing better standards and accountability for securing devices and their software is a positive development. The number of attacks on IoT devices is predicted to grow in the future. Hopefully, with new IoT security standards put in place, insecure IoT devices will cause fewer data breaches in the future.

Cybersecurity Snapshots #14 - The Rise of Ryuk

Ryuk ransomware first appeared in August 2018, although it is based on an older ransomware program called Hermes that was sold on underground cybercrime forums in 2017. Researchers originally believed that North Korean hackers created Ryuk, but that theory has been disproven. Researchers now generally agree that a Russian-speaking cybercriminal group created Ryuk, and the Ryuk gang is currently causing big problems. Recently, Universal Health Services (UHS), a Fortune 500 owner of a nationwide network of hospitals, was hit with a ransomware attack. UHS has not mentioned the kind of attack it suffered, but information from workers seems to point to the Ryuk ransomware. The encrypted files were being appended with the .RYK extension, and a ransom note that showed up on all affected computers referenced the phrase "Shadow of the Universe," which is known to be included in Ryuk ransom notes. A Ryuk ransomware attack also recently disabled the Baltimore County Public School system's entire network, and the adversaries demanded a ransom payment. The cybercriminal group behind Ryuk ransomware usually demands higher ransom payments from their victims than many other ransomware gangs. The ransom amounts associated with Ryuk typically range between 15 and 50 bitcoins ($100,000 - $500,000). The adversaries go after organizations with critical assets that are more likely to pay, a practice known as "big game hunting." The Ryuk gang is very successful at monetizing its campaigns.

Joel Decapua, a supervisory special agent with the FBI's Global Operations and Targeting Unit, found that organizations paid $144.35 million in bitcoin to ransomware groups between 2013 and 2019. The data did not include ransom payments in other cryptocurrencies. Of the payments, $61.26 million were sent to the Ryuk gang, which is three times more than what Crysis/Dharma, the second most successful ransomware gang, managed to extract from victims in three years of operation. Researchers from HYAS and Advanced Intelligence LLC recently conducted a study that looked at transactions for known bitcoin addresses associated with Ryuk ransomware and concluded that the Ryuk ransomware criminal enterprise is worth more than $150M. The researchers traced 61 deposit addresses associated with the ransomware and found that most of the funds were sent to exchanges through intermediaries for cash out. The cybercriminals appear to be primarily using the Asian crypto-exchanges Huobi and Binance. Additionally, the researchers found that Ryuk operators are sending "significant flows of cryptocurrency" to several small addresses that the researchers believe belong to a crime service that exchanges the cryptocurrency for local currency or another digital currency.

Ryuk ransomware is almost exclusively distributed through TrickBot. TrickBot is one of the most prevalent Trojans and is distributed through malicious spam emails but is also delivered by another widespread Trojan program called Emotet. TrickBot is believed to follow a similar Malware-as-a-Service (MaaS) model as Emotet, but is only available to a relatively small number of top-tier cybercriminals, according to a recent report by cybercrime intelligence firm Intel 471. Not all TrickBot infections lead to Ryuk. When they do, Ryuk ransomware's deployment happens weeks after TrickBot first shows up on a network. Researchers believe that this is likely because the adversaries use the data collected by TrickBot to identify potentially valuable networks. The Ryuk gang, after picking their target, usually conducts manual hacking activities that involve network reconnaissance and lateral movement, with the end goal to compromise domain controllers and gain access to as many systems as possible. By doing this, the cybercriminals can ensure that when Ryuk ransomware is deployed, the damage is swift and widespread across the network, which is more likely to force an organization's hand than holding just a few of its endpoints hostage.

Ryuk encrypts all files except those with the extensions dll, lnk, hrmlog, ini, and exe, and skips files stored in the Windows System32, Chrome, Mozilla, Internet Explorer, and Recycle Bin directories. These exclusion rules are likely meant to preserve system stability and let the victim use a browser to make the payment. Ryuk uses strong file encryption based on AES-256. Each file's AES key is encrypted with an RSA-4096 public key whose private half is held by the attackers, and the wrapped key is stored at the end of the encrypted file, whose extension is changed to .ryk. Despite the whitelisting of certain system files and directories, Ryuk can still encrypt files critical to the system's normal operation, which sometimes leaves systems unbootable after a restart. Publicly available tools cannot decrypt Ryuk files. Even if a victim pays, the decrypter the Ryuk gang sends can corrupt files; this usually happens with larger files, which Ryuk only partially encrypts to save time. All of these issues complicate recovery and increase the cost incurred by victims.
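The exclusion rules and the partial-encryption behaviour above are what an incident responder has to reason about when deciding what can be restored. The following Python triage helper is an added example written for this page, not Ryuk's code or tooling from the cited research: it applies the documented exclusion rules and uses byte entropy to separate encrypted .ryk files from files the malware left alone. The entropy threshold, the sample size and the constructed sample tree are assumptions.

```python
"""Added triage example for a suspected Ryuk incident (not Ryuk's own code).
Applies the exclusion rules described in the article and uses Shannon entropy to
tell encrypted .ryk files from untouched ones.  Threshold, sample size and the
sample file tree are assumptions made for illustration."""
import math
import os
import random
import tempfile
from collections import Counter
from pathlib import Path

SKIPPED_EXTENSIONS = {".dll", ".lnk", ".hrmlog", ".ini", ".exe"}
SKIPPED_DIR_NAMES = {"system32", "chrome", "mozilla", "internet explorer", "$recycle.bin"}
RYUK_EXTENSION = ".ryk"
SAMPLE_BYTES = 4096      # assumption: enough of the head to judge a file
HIGH_ENTROPY = 7.5       # bits/byte; assumption: ciphertext sits near the 8.0 maximum


def ryuk_would_skip(path) -> bool:
    """True if the exclusion rules described above would leave this file untouched."""
    path = Path(path)
    if path.suffix.lower() in SKIPPED_EXTENSIONS:
        return True
    return any(part.lower() in SKIPPED_DIR_NAMES for part in path.parts)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(root) -> dict:
    """Walk `root` and bucket every file:
    encrypted - .ryk extension and high-entropy head
    suspect   - .ryk extension but low-entropy head (e.g. a large file that was
                only partially encrypted, or a file the decrypter mangled)
    skipped   - the exclusion rules would not have touched it
    intact    - everything else (should still be verified, not assumed clean)"""
    root = Path(root)
    report = {"encrypted": [], "suspect": [], "skipped": [], "intact": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if p.suffix.lower() == RYUK_EXTENSION:
                head = p.read_bytes()[:SAMPLE_BYTES]
                bucket = "encrypted" if shannon_entropy(head) >= HIGH_ENTROPY else "suspect"
            elif ryuk_would_skip(p):
                bucket = "skipped"
            else:
                bucket = "intact"
            report[bucket].append(rel)
    for bucket in report.values():
        bucket.sort()
    return report


def build_sample_tree(base: Path) -> None:
    """Constructed sample files standing in for a hit workstation; not real data."""
    rng = random.Random(7)                        # deterministic stand-in for ciphertext
    ciphertext = bytes(rng.getrandbits(8) for _ in range(8192))
    docs = base / "Users" / "alice" / "Documents"
    docs.mkdir(parents=True)
    (base / "System32").mkdir()
    (base / "Users" / "alice" / "Desktop").mkdir()
    (docs / "budget.xlsx.ryk").write_bytes(ciphertext)            # encrypted
    (docs / "archive.zip.ryk").write_bytes(b"A" * 8192)           # renamed but low entropy
    (docs / "notes.txt").write_bytes(b"quarterly notes\n" * 50)   # untouched
    (base / "System32" / "kernel32.dll").write_bytes(b"MZ" + b"\x00" * 200)          # excluded
    (base / "Users" / "alice" / "Desktop" / "tool.exe").write_bytes(b"MZ" + b"\x90" * 100)


def demo() -> dict:
    """Build the sample tree in a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_sample_tree(base)
        return triage(base)


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(f"{bucket}: {paths}")
```

Low-entropy .ryk files deserve a closer look before any restoration is attempted: the partial encryption Ryuk performs on large files means the sampled region may be plaintext while other regions are not, and a file corrupted by the gang's decrypter looks the same as a good one by extension alone. The exclusion check is only a heuristic; as noted above, Ryuk can still hit files the system needs in order to boot.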

There are several steps security teams can take to make systems less susceptible to ransomware. When a team finds and removes commodity malware from company systems, it should investigate further, because common threats like Emotet and TrickBot rarely come alone; skipping that investigation can lead to much deeper problems and far worse consequences a few weeks later. Microsoft researchers suggest that infections such as Emotet, Dridex, and TrickBot be remediated and treated as a potential full compromise of the affected system, including any credentials present on it. Security teams should address the infrastructure weaknesses that allowed the malware to get in and propagate, and harden the network against lateral movement by practicing good credential hygiene and enforcing least-privilege access. Restricting unnecessary Server Message Block (SMB) traffic between endpoints and limiting the use of administrative credentials also make a network more resilient against human-operated ransomware campaigns such as Ryuk.

Cybersecurity Snapshots #15 - Attacks Against the Nation's Water Systems

A threat actor recently remotely accessed the IT system of the water treatment facility of Oldsmar, Florida, and tried to poison the town's water supply by raising the levels of sodium hydroxide, or lye, in the water supply. The hacker's attempt to damage the water treatment plant raises alarms about just how vulnerable the nation's water systems may be to attacks by more sophisticated intruders. Water treatment plants are typically cash-strapped and lack the cybersecurity depth of the power grid and nuclear plants.

According to local authorities, the water treatment facility's breach in Oldsmar, Florida, occurred just two days before the NFL's Super Bowl LV was held nearby in Tampa. An operator at the plant first noticed a brief intrusion Friday, Feb. 5, around 8:00 a.m. Someone remotely accessed the computer system that controls chemical levels in the water and other operations while the operator was monitoring it. The operator "didn't think much of it" because it's normal for his supervisors to use the remote access feature to monitor his computer screen at times. However, around 1:30 p.m., the computer system was again accessed remotely. The operator observed the mouse moving around on the screen to access various systems that control the water being treated. During the second intrusion, which lasted three to five minutes, the intruder changed the level of sodium hydroxide in the water from 100 parts per million to 11,100 parts per million, which is a significant and potentially dangerous increase. Sodium hydroxide, also known as lye, is the main ingredient in liquid drain cleaners and is used to control water acidity and remove metals from drinking water in water-treatment plants. Fortunately, the operator quickly changed the level back to normal after the intrusion and alerted supervisors, who then contacted the Pinellas County Sheriff's Office. The FBI and U.S. Secret Service are investigating the incident to discover who was behind the attack. At this time, authorities have leads but have not identified a suspect, nor do they know if the attack came from inside the United States or outside the country.

CISA, the FBI, the EPA, and MS-ISAC have since confirmed that the intruder used the desktop-sharing software TeamViewer to reach the city's water system. All of the computers with this remote-access tool shared the same password, and no firewall was in place.

A local sheriff's startling announcement that the water supply of Oldsmar, population 15,000, was briefly in jeopardy exhibited uncharacteristic transparency. Suspicious incidents are rarely reported and usually are made to seem like mechanical or procedural errors, experts say. No federal reporting requirement exists, and state and local rules vary widely.

Lesley Carhart, principal incident responder at Dragos, said it has long been well known that municipal water utilities are extraordinarily underfunded and under-resourced, which makes them a soft target for cyberattacks. Carhart, who specializes in industrial control systems, works with many municipal water utilities serving small, medium, and large cities, and said all of them have a very small IT staff; some have no dedicated security staff at all.

Bonnifer Ballard, director of the Michigan Section of the American Water Works Association, stated that the Florida incident had grabbed water plant operators' attention. Ballard stated that such a breach is technically possible at water plants in Michigan, but safeguards are in place, and cybersecurity audits are required by federal law. She stated that breaches like the one in Florida are unlikely to succeed because even small water systems have humans who monitor treatment levels, and employees at water plants are trained to spot and respond to irregularities. The Florida plant had safeguards that would have detected the chemical alteration within 24 to 36 hours: water goes to holding tanks before reaching customers, and the change would have been caught by a secondary chemical check. Jake Williams, CEO of the cybersecurity firm Rendition Infosec, stated that engineers have been building in safeguards "since before remote control via cyber was a thing," making it highly unlikely the breach could have led to "a cascade of failures" tainting Oldsmar's water.

The Michigan Department of Environment, Great Lakes and Energy (EGLE) urged water plants to check the security protocols they have in place, stressing awareness and pushing plants to ensure they have controls that would prevent a breach like the one in Florida. EGLE stated that if a plant allows some level of remote monitoring and operation, it should add safeguards such as establishing chemical dosage limits, eliminating equipment overrides, and limiting which controls can be operated remotely, to minimize the impact of this type of breach.
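A dosage limit is only useful if it is enforced on every write regardless of who sent it. The following Python interlock is an added example of that idea, written for this page; it is not code from the Oldsmar plant, which has not been published, nor from any SCADA vendor. The tag name, the permitted band (assumed 50-200 ppm around the 100 ppm normal setpoint), the per-write step limit and the replayed sequence of writes are illustrative assumptions.

```python
"""Added example of a chemical dosage interlock of the kind EGLE recommends.
Not plant or vendor code; limits, tag names and the replayed writes are
assumptions made for illustration."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DosageLimit:
    tag: str
    low: float       # lowest setpoint the process may accept
    high: float      # hard ceiling; no role or "override" flag bypasses it
    max_step: float  # largest change accepted in a single write


@dataclass
class SetpointGuard:
    """Sits between every control path (local HMI, remote session, script) and
    the controller.  Each write is validated the same way whoever sent it, which
    is what "eliminating equipment overrides" means in practice."""
    limits: dict
    current: dict
    audit: list = field(default_factory=list)

    def write(self, tag: str, value: float, source: str) -> bool:
        limit = self.limits.get(tag)
        if limit is None:
            return self._reject(tag, value, source, "unknown tag")
        if not (limit.low <= value <= limit.high):
            return self._reject(tag, value, source,
                                f"outside permitted band {limit.low}-{limit.high}")
        delta = abs(value - self.current[tag])
        if delta > limit.max_step:
            return self._reject(tag, value, source,
                                f"step {delta} exceeds max step {limit.max_step}")
        self.current[tag] = value
        self.audit.append(("accepted", tag, value, source, ""))
        return True

    def _reject(self, tag, value, source, reason) -> bool:
        # Rejections are logged, not silently dropped: a remote session pushing
        # a value 100x the normal dose is itself an incident indicator.
        self.audit.append(("rejected", tag, value, source, reason))
        return False


def demo() -> SetpointGuard:
    """Constructed sequence of writes, including the 100 -> 11,100 ppm change
    described above, replayed against the guard."""
    guard = SetpointGuard(
        limits={"naoh_ppm": DosageLimit("naoh_ppm", low=50.0, high=200.0, max_step=25.0)},
        current={"naoh_ppm": 100.0},
    )
    guard.write("naoh_ppm", 110.0, "hmi-local")            # routine adjustment: accepted
    guard.write("naoh_ppm", 11100.0, "teamviewer-remote")  # the Oldsmar value: rejected
    guard.write("naoh_ppm", 160.0, "teamviewer-remote")    # in band but too big a jump: rejected
    guard.write("chlorine_ppm", 1.0, "hmi-local")          # tag with no limit configured: rejected
    return guard


if __name__ == "__main__":
    for entry in demo().audit:
        print(entry)
```

The guard belongs in the independent cyber-physical safety layer that CISA recommends, not on the same HMI workstation that a remote session can drive; an interlock that runs on the compromised machine can be bypassed by whoever holds the mouse. Rejected writes should feed the same alerting path as any other security event.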

CISA has since published recommendations for securely deploying TeamViewer, such as configuring it to generate random 10-character alphanumeric passwords, along with recommendations for strengthening water and wastewater treatment systems, including installing independent cyber-physical safety systems. CISA also recommends that water treatment facilities enable multi-factor authentication, use strong passwords to protect remote desktop protocol credentials, implement firewalls, and keep operating systems up to date.

A 2020 paper in the Journal of Environmental Engineering found that water utilities have been hacked by a range of intruders, including amateurs just poking around, disgruntled former employees, cybercriminals looking to profit, and state-sponsored hackers. Although such incidents have been relatively few, that does not mean the risk is low or that most water systems are secure: the frequency, diversity, and complexity of cyberthreats to the water sector have increased. New threats such as ransomware and cryptojacking have emerged while familiar vulnerabilities and threats such as insiders keep recurring, which emphasizes the need for an adaptive, cooperative, and comprehensive approach to water cyberdefense.

Cybersecurity Snapshots #16 - REvil/Sodinokibi Was the Most Widespread Ransomware in 2020

Researchers at SonicWall discovered that ransomware threats in 2020 spiked 62% globally and 158% in North America. The retail sector saw a 365% increase in ransomware threats in 2020, followed by the healthcare sector (123%) and the government sector (21%). According to recent reports from security firms, REvil, also known as Sodinokibi, is considered the most widespread ransomware threat.

REvil is a ransomware-as-a-service (RaaS) operation that has extorted large amounts of money from organizations worldwide over the past year. The group's name stands for Ransomware Evil. The group behind it doubles down on its extortion efforts by also stealing business data and threatening to release it. REvil first appeared in April 2019 and rose to prominence after another RaaS gang called GandCrab shut down its service. The REvil gang appears to adjust its ransom requests based on the victim organizations' annual revenue, which is why its demands varied widely in 2020 between $1,500 and $42 million and up to 9% of the victim's yearly income. IBM researchers estimate that REvil's profits over the past year were at least $81 million. The REvil gang is also trying to grow. In late September, researchers found that the group deposited $1 million in bitcoin on a hacker forum to try to recruit more skilled hackers to become its affiliates.

Recently the REvil gang has claimed to have infected nine organizations across Africa, Europe, Mexico, and the United States over the past two weeks. The organizations supposedly affected include two law firms, an insurance company, an architectural firm, a construction company, and an agricultural co-op, all located in the United States. The other organizations affected include two large international banks (one in Mexico and one in Africa), and a European manufacturer. Researchers at eSentire stated that REvil cybercriminals posted documents on underground forums that purported to be from the victims' systems, including company computer file directories, partial customer lists, customer quotes, and copies of contracts. The researchers also stated that the threat group also posted what appears to be several official IDs, either belonging to an employee or a customer of the victim companies. The researchers are not 100% sure the claims are accurate. However, after reviewing several of the documents that the REvil gang claims are from their new victims, the researchers found that many appear authentic.

In September, the IBM Security X-Force Incident Response team reported that one in four cybersecurity incidents it was called in to handle this year in customer networks was a ransomware infection, and that one in every three of those ransomware infections involved REvil/Sodinokibi. Sodinokibi accounts for 29% of all IBM Security X-Force ransomware engagements in 2020, suggesting that Sodinokibi actors are more skilled at gaining access to victim networks than operators of other ransomware strains. According to Coveware, REvil/Sodinokibi had the largest market share among ransomware groups during the third quarter of 2020, being responsible for 16% of infections, and it also led during the previous quarter. IBM Security X-Force estimates that REvil has hit at least 140 organizations since it appeared in April 2019, with wholesale, manufacturing, and professional services the most frequently targeted industries. Around 60% of the gang's victims are organizations in the US, followed by the UK, Australia, and Canada. The researchers also estimate that a third of REvil victims paid the ransom, one in ten had their sensitive information auctioned off on the dark web, and a third had their data stolen.

REvil is one of the ransomware programs deployed in human-operated ransomware campaigns, like Ryuk, WastedLocker, and others. After breaking in, adversaries use various tools and techniques to map the network, move laterally, obtain domain administrator privileges, and deploy the ransomware on all computers to maximize the impact. According to researchers at Coveware, REvil is now distributed primarily through compromised RDP sessions (65%), phishing (16%), and software vulnerabilities (8%). REvil stands apart from many other ransomware programs in using Elliptic-curve Diffie-Hellman key exchange rather than RSA to protect its keys, with Salsa20 and AES used for the encryption itself. ECDH uses shorter keys than RSA for comparable strength, is highly efficient, and is considered secure when implemented correctly, so files cannot be recovered without the attackers' private key. REvil kills processes on infected machines, including email clients, SQL and other database servers, Microsoft Office programs, browsers, and other tools that might keep important files locked or hold unsaved data in memory. It then deletes Windows shadow copies and other backups to prevent file recovery.

Almost half of all ransomware cases investigated by Coveware involved threats to release exfiltrated data, with an increasing number of groups adopting this technique. In particular, Coveware has seen incidents where victims who already paid were re-extorted by REvil a few weeks later with threats to release the same data. An affiliate that was interviewed, who is referred to as "Unknown," stated that REvil is also looking into adopting other techniques, such as launching Distributed Denial-of-Service (DDoS) attacks to force the hand of organizations that suspend negotiations. Researchers suggest that organizations and individuals should never pay the ransom.

The Coveware researchers believe professional services such as law or accounting firms are especially vulnerable to the REvil ransomware. The 4.2 million US professional services firms make up about 14% of all businesses in the country but make up 25% of attacks. The researchers stated that these firms commonly leave vulnerabilities like RDP open to the internet and are victimized much more regularly than companies in other industries. The researchers stated that small professional services firms must recognize that there is no such thing as being "too small" to be targeted. The researchers also stated that if an organization presents a cheap vulnerability to the internet, they will get attacked.

To protect an organization from REvil, the researchers suggest always securing remote access with strong credentials and two-factor authentication, and considering making such services available over VPN only. All publicly exposed servers, applications, and appliances should be kept updated and regularly scanned for vulnerabilities, misconfiguration, and suspicious behavior, and brute-force protection that blocks excessive login attempts with wrong credentials should be enabled wherever possible. Inside local networks, an organization should block unneeded SMB and RPC communications between endpoints that can be used for lateral movement, and monitor privileged accounts for suspicious behavior. Organizations should have a backup process that stores copies offsite and should test that restoring from those backups can be done in a timely manner. It is also critical to have a clearly defined incident response plan so that action can be taken immediately when an attack is detected.
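Given that Coveware attributes most REvil intrusions to compromised RDP, the brute-force protection recommended above is the control worth showing in code. The Python detector below is an added example, not a Coveware or vendor product, run over constructed sample records rather than a real Security event log export. The record layout (timestamp, event ID, logon type, account, source IP) and the 10-failures-in-5-minutes threshold are assumptions; event IDs 4625 (failed logon) and 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are standard Windows values.

```python
"""Added example: sliding-window RDP brute-force detection over constructed
sample logon records (not a real event log export).  Threshold, window and the
record format are assumptions; 4625/4624 and logon type 10 are standard
Windows Security event values."""
import collections
from datetime import datetime, timedelta


def build_sample_events() -> list:
    """Constructed sample records: one typo from a legitimate user, then a
    12-attempt password guess from a single address that finally succeeds."""
    events = [
        "2021-03-01T01:02:00 4625 10 jsmith 198.51.100.9",
        "2021-03-01T01:03:10 4624 10 jsmith 198.51.100.9",
    ]
    start = datetime(2021, 3, 1, 2, 14, 5)
    for i in range(12):                       # guesses 15 seconds apart
        t = start + timedelta(seconds=15 * i)
        events.append(f"{t.isoformat()} 4625 10 administrator 203.0.113.7")
    events.append("2021-03-01T02:17:30 4624 10 administrator 203.0.113.7")  # the guess that worked
    events.append("2021-03-01T05:40:00 4625 10 jsmith 198.51.100.9")        # another typo, hours later
    return events


def detect(lines, threshold: int = 10, window: timedelta = timedelta(minutes=5)):
    """Per-source-IP sliding-window counter of failed logons.  Returns
    (blocked, suspicious): blocked maps IP -> time it crossed the threshold;
    suspicious lists successful logons from an already-blocked IP, i.e. the
    accounts that must be treated as compromised, not just the IP blocked."""
    failures = collections.defaultdict(collections.deque)
    blocked = {}
    suspicious = []
    for line in lines:
        ts_text, event_id, logon_type, account, ip = line.split()
        if logon_type != "10":                # this example only watches RDP sessions
            continue
        ts = datetime.fromisoformat(ts_text)
        if event_id == "4625":
            recent = failures[ip]
            recent.append(ts)
            while recent and ts - recent[0] > window:   # age out failures beyond the window
                recent.popleft()
            if len(recent) >= threshold and ip not in blocked:
                blocked[ip] = ts
        elif event_id == "4624" and ip in blocked:
            suspicious.append((account, ip, ts))
    return blocked, suspicious


def block_rules(blocked: dict) -> list:
    """Windows firewall commands (netsh advfirewall syntax) dropping further RDP
    connections from each blocked address; push them through EDR or
    configuration management rather than typing them on each host."""
    return [
        f'netsh advfirewall firewall add rule name="rdp-bruteforce {ip}" '
        f"dir=in action=block protocol=TCP localport=3389 remoteip={ip}"
        for ip in sorted(blocked)
    ]


if __name__ == "__main__":
    blocked, suspicious = detect(build_sample_events())
    print("blocked:", {ip: t.isoformat() for ip, t in blocked.items()})
    print("successful logons after block:", suspicious)
    print("\n".join(block_rules(blocked)))
```

Blocking the address is the cheap half; the success recorded after the threshold was crossed is the finding that matters, because by then the credential is burned and the account needs a reset and a hunt for what it touched. With Network Level Authentication enabled, failed RDP attempts are often logged as logon type 3 rather than 10, so the filter above should be widened to match how a given environment actually logs them.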

Cybersecurity Snapshots #17 - DoppelPaymer Ransomware Gang

In a new report, McAfee researchers found that from Q3 to Q4 of 2020 the number of ransomware incidents affecting organizations rose 69%. In 2020 the FBI warned of increased activity by a ransomware gang called DoppelPaymer, which was behind several high-profile attacks that year. The DoppelPaymer gang first appeared in 2019 as an offshoot of the cybercrime operation known as Evil Corp. According to researchers at CrowdStrike, the gang demands ransoms of $25,000 to $1.2 million in bitcoin.

In November 2019, Mexico's state-owned oil company PEMEX (Petroleos Mexicanos) suffered a DoppelPaymer attack; the gang asked for $4.9 million worth of bitcoin to decrypt files, and PEMEX did not pay. The FBI stated that in 2020 the DoppelPaymer gang was behind an attack on an unidentified U.S. county in which the operators compromised a 911 center and made changes that prevented police and other officials from accessing the county's computer-aided dispatch system, forcing emergency services to revert to manual operations. In another attack, the gang infected the network of a German hospital, leading to one patient being transported 20 miles away for treatment. The FBI also says DoppelPaymer is believed to have compromised the networks of several community colleges in the United States in 2020. Newcastle University also suffered a DoppelPaymer attack in 2020: the threat actors stole 750 KB of data and posted it on their data leak site "Dopple Leaks," and the damage to the university's systems took several weeks to repair.

Like other ransomware gangs, DoppelPaymer uses double extortion to pressure victims into paying: it encrypts victims' files to make them inaccessible and threatens to leak confidential data if its demands are not met. Double extortion first appeared in late 2019 and became an increasingly common trend through 2020. DoppelPaymer is also one of the first ransomware gangs to telephone victims to push for payment. In its warning, the FBI said that in one case a member of the DoppelPaymer gang used a spoofed US-based telephone number while claiming to be located in North Korea, and threatened to leak or sell data from an identified business if it did not pay the ransom. In subsequent calls to the same company, the actor threatened to send someone to an employee's home and provided the employee's home address, and also called several of the employee's relatives.

DoppelPaymer is believed to be based on the BitPaymer ransomware (which first appeared in 2017) because of similarities in their code, ransom notes, and payment portals, but there are key differences. DoppelPaymer uses 2048-bit RSA with 256-bit AES for encryption, while BitPaymer uses 4096-bit RSA with 256-bit AES (older versions used 1024-bit RSA with 128-bit RC4). DoppelPaymer also improves on BitPaymer's encryption speed by encrypting files in multiple threads. Another difference is that DoppelPaymer refuses to run its malicious routines unless it is launched with the correct command-line parameter, and the researchers found that each sample they encountered expected a different parameter. They believe this is meant to defeat sandbox analysis and to hinder security researchers studying the samples. DoppelPaymer is also notable for its use of Process Hacker, a legitimate tool it abuses to terminate services and processes related to security, email server, backup, and database software, both to impair defenses and to avoid file-access conflicts during encryption.

The DoppelPaymer gang usually starts with network infiltration via malicious spam emails containing spear-phishing links or attachments designed to lure users into executing malicious code. This code downloads other malware with more advanced capabilities, such as Emotet, onto the victim's system. Once Emotet is running, it communicates with its command-and-control (C&C) server to install modules and to download and execute further malware. In one campaign, researchers found that the C&C server was used to download and execute the Dridex malware family, which in turn downloaded either DoppelPaymer directly or tools such as PowerShell Empire, Cobalt Strike, PsExec, and Mimikatz. These tools are used for stealing credentials, moving laterally inside the network, and running commands such as disabling security software. Once Dridex is on a system, the threat actors do not immediately deploy the ransomware; instead, they move laterally within the network to find high-value targets and steal critical information. Only then does Dridex execute its final payload, DoppelPaymer. DoppelPaymer encrypts files on network shares as well as on the fixed and removable drives of the affected system. It then changes user passwords and forces a restart into safe mode to lock users out, and replaces the notice text shown before the Windows login screen with its ransom note, which warns users not to reset or shut down the system and not to delete, rename, or move the encrypted files. The note also threatens to publish the victim's sensitive data if the ransom is not paid. DoppelPaymer also drops the Process Hacker executable, its driver, and a stager DLL, then starts a second instance of itself that launches the dropped Process Hacker. Once Process Hacker is running, it loads the stager DLL via DLL search-order hijacking, and the stager DLL waits for a trigger from the running DoppelPaymer process. DoppelPaymer carries a list of CRC32 hashes of the process and service names it wants terminated; if a running process or service matches one of them, DoppelPaymer triggers Process Hacker to terminate it.
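Storing the kill list as CRC32 values rather than names keeps the targeted product names out of the binary's strings, which is why an analyst has to resolve the hashes with a wordlist. The Python block below is an added example written for this page, not DoppelPaymer's code; it shows the malware-side comparison and the analyst-side resolution together. The kill list, the candidate names and the case-folding rule are assumptions: the real list and the exact normalisation (case, encoding, trailing NUL) have to be taken from the sample.

```python
"""Added example (not DoppelPaymer's code): a CRC32-hashed process kill list,
the check the malware would run against it, and how an analyst resolves the
hashes back to names.  Names, list contents and case-folding are assumptions."""
import zlib


def name_hash(name: str) -> int:
    """CRC32 of the case-folded name.  Assumption: the malware compares
    case-insensitively; confirm the real sample's normalisation before
    hashing candidates against it."""
    return zlib.crc32(name.lower().encode("utf-8")) & 0xFFFFFFFF


# Malware side: only 32-bit values are stored, so `strings` on the binary shows
# no process names.  Constructed list; not the one from any real sample.
KILL_LIST = frozenset(name_hash(n) for n in [
    "sqlservr.exe", "msmpeng.exe", "veeam.exe", "acme-backup-agent.exe",
])


def would_terminate(running: list, kill_list: frozenset) -> list:
    """Mirror of the malware's check: which running process names hash into the list."""
    return [p for p in running if name_hash(p) in kill_list]


# Analyst side: a wordlist of service and product names worth checking.
# Constructed for this example; a real wordlist would be far larger.
CANDIDATE_NAMES = [
    "sqlservr.exe", "mysqld.exe", "MSExchangeIS", "outlook.exe", "veeam.exe",
    "backupexec", "msmpeng.exe", "notepad.exe", "explorer.exe",
]


def resolve(kill_list: frozenset, candidates: list):
    """Return (resolved: hash -> name, unresolved: set of hashes with no match)."""
    table = {name_hash(n): n for n in candidates}
    resolved = {h: table[h] for h in kill_list if h in table}
    unresolved = set(kill_list) - set(resolved)
    return resolved, unresolved


if __name__ == "__main__":
    resolved, unresolved = resolve(KILL_LIST, CANDIDATE_NAMES)
    for h, n in sorted(resolved.items()):
        print(f"0x{h:08x} -> {n}")
    for h in sorted(unresolved):
        print(f"0x{h:08x} -> ? (not in wordlist)")
    print(would_terminate(["explorer.exe", "SQLSERVR.EXE", "veeam.exe"], KILL_LIST))
```

Hashes that stay unresolved after a generic wordlist are often the most informative ones: they tend to be names of backup agents or EDR products specific to the victims the gang has been targeting, so the wordlist should be extended with the process names of whatever is deployed in the environment under investigation.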

The DoppelPaymer gang is expected to be even more active in 2021. Security researchers suggest that organizations protect themselves from ransomware such as DoppelPaymer by ensuring that security best practices are in place: users should refrain from opening unverified emails or clicking embedded links and attachments, and important files should be backed up regularly using the 3-2-1 rule, which means keeping three copies of the data on two different types of storage media with one copy in a separate physical location. Software and applications should be patched as soon as possible to close vulnerabilities. The researchers also suggest monitoring inbound and outbound network traffic, with alerts for data exfiltration in place.

Cybersecurity Snapshots #18 - Oil And Gas Companies Need to Take Cybersecurity More Seriously

At present, oil and gas companies rely on Industrial Control Systems (ICS) to maintain safe and reliable operations, and that's unlikely to change. The future increasingly appears to be one in which oil and gas companies will rapidly integrate robotics, analytics, and the Internet of Things (IoT) into the operational environment. Increasing connectivity can drive value creation by deploying data and analytics to find new markets, improve operational performance, and streamline the supply chain. A more connected oilfield, pipeline, or refinery is, however, potentially a more vulnerable one.

Researchers stated that attackers might try to target oil refineries more frequently in the future, leading to tank overflow, vessel rupturing, or even an explosion. A cyberattack that affects an oil refinery can be very costly. For example, a loss of a single day of operations for a 100,000 barrel-per-day refinery could reduce revenue by over $5.5 million and profit by $1.4 million. The United States has more than 140 oil refineries, with a total daily capacity exceeding 18 million barrels, all of which could be potentially vulnerable. If a cyberattack spread from one facility to another or down the value chain affecting the distribution and retail networks, it could potentially lead to tens of millions of dollars of lost revenue. In addition, any physical damage could possibly inflict millions (if not billions) of dollars of repair and construction costs. In a more connected world with connected sensors, higher-level automation, and less direct human control, broader impact becomes increasingly more likely and more consequential, the researchers stated.

New research published by researchers at Kaspersky examines a rise in the number of cyberattacks on ICS computers used by the oil and gas industry. Over the first six months of 2020, the percentage of systems attacked in the oil and gas industry increased compared to the same period the prior year. The researchers found that the percentage of ICS computers on which malicious objects were blocked grew from 36.3% to 37.8% in the oil and gas industry. Growth in the number of attacks on the oil and gas industry occurred as the percentage of industrial control system computers attacked in other sectors declined.

Just recently, a ransomware attack knocked the country's largest fuel pipeline offline. Colonial Pipeline confirmed that it had suffered a severe cyberattack launched by the Russian-speaking DarkSide group, which also claims to have stolen 100 GB of data in a classic "double extortion" play. The East Coast pipeline is estimated to carry 2.5 million barrels a day, nearly half of the East Coast's supply of diesel, gasoline, and jet fuel, and it was offline for five days after the attack. Contrary to initial reports that it refused to engage with DarkSide, the company actually paid the ransom, more than $4 million, within hours of the attack. Researchers stated that the most significant factor at play here is the feedback loop of malicious activity created by surrendering and paying: ransom payments let groups reach a greater level of sophistication in their next attacks, whether through training, new tooling, purchased credentials, or recruitment. Feeding this industry only ensures that it collectively becomes more of a threat, which in the long run facilitates more breaches and more payments, and so the cycle continues.


After the ransomware attack on the Colonial Pipeline, President Biden has issued a long-awaited Executive Order (EO) designed to improve supply chain security, incident detection, response, and overall resilience to threats. Among the key measures is a requirement for all federal government software suppliers to meet strict rules on cybersecurity. Eventually, the plan is to create an "energy star" label so both government and public buyers can quickly and easily see whether software was developed securely. Other measures included in the EO are an "aircrash investigation-style" Cybersecurity Safety Review Board, which will make recommendations for improvements after any significant incident, and a standardized playbook for government incident response. The EO will also mandate a drive to secure cloud services and zero trust, including multi-factor authentication and data encryption at rest and in transit, by default. Security experts have welcomed the EO.

Also, after the attack on the Colonial Pipeline, more than a dozen members of the House Committee on Homeland Security reintroduced legislation geared toward codifying federal agencies' roles in securing the nation's oil and gas pipelines. The Pipeline Security Act would explicitly codify the roles of the Transportation Security Administration (TSA) and Cybersecurity and Infrastructure Security Agency (CISA) in securing critical infrastructure pipelines. The legislation also requires TSA to develop a personnel strategy for security staffing and to improve mechanisms for stakeholder engagement and congressional oversight of TSA's efforts. The bill was first introduced in 2020 and has received new life following the ransomware attack on the IT systems of the Colonial Pipeline. The attack has made it clear that cyberattacks on critical infrastructure are national security and economic threats to the homeland. It is essential that oil and gas companies take cybersecurity seriously because of the overall effect an attack can have on society. The new Pipeline Security Act and the EO are a step in the right direction and should help make oil and gas companies' infrastructures more resilient to cyberattacks in the future.

Cybersecurity Snapshots #19 - Are Smart Home Gym Equipment and Health and Fitness Apps Secure?

Due to the coronavirus, the use of smart home gym equipment and downloads of health and fitness apps have skyrocketed. For example, Peloton stock soared more than 400 percent in 2020, Mirror ended 2020 with $150 million in revenue, up from a previously projected $100 million, and Tonal reported a 700 percent year-over-year increase in sales in 2020. According to researchers from Sensor Tower, from January through November of 2020 approximately 2.5 billion health and fitness apps were downloaded worldwide, a 47 percent jump from the same period in 2019. Researchers believe that use of smart home gym equipment and health and fitness apps will keep increasing, which raises the question of how secure they are against cyberattacks.

Security researchers from Pen Test Partners in May discovered several issues with the software used by exercise equipment maker Peloton, which may have leaked sensitive customer information to unauthenticated users. The researchers stated that the mobile and web applications and the back-end APIs had several endpoints that revealed users' information to authenticated and unauthenticated users. Among the potentially exposed data were user and instructor IDs, group membership, location, workout stats, gender, age, and whether users were in the studio or not. The security researchers also found that the flaws were so bad that they leaked information even for users in privacy mode. A month later, researchers from McAfee's Advanced Threat Research (ATR) team discovered that the popular Peloton Bike+ and Peloton Tread exercise equipment contained a security vulnerability that could expose gym users to a wide variety of cyberattacks. According to the researchers, the vulnerability would allow a hacker to gain remote root access to the Peloton's "tablet," the touch screen installed on the devices to deliver interactive and streaming content. From there, a diligent hacker could install malware, intercept traffic and users' personal data, and even control the Bike+ or Tread camera and microphone over the internet. McAfee noted that to exploit the vulnerability, an attacker would need either physical access to the workout machines or access at some point in the supply chain (from construction to delivery). Researchers believe that a full investigation should be conducted by Peloton to improve their security, especially now that well-known individuals are openly using this service.

Fitness technology company Echelon, like Peloton, offers a range of workout hardware like bikes, rowers, and a treadmill as a cheaper alternative for members to exercise at home. Echelon also has an app that lets members join virtual classes. At Pen Test Partners, security researchers found that Echelon's API allowed them to access the account data, including name, city, age, sex, phone number, weight, birthday, workout statistics, and history of any other member in a live or pre-recorded class. The API also disclosed some information about members' workout equipment, such as its serial number. The researchers also found another bug that allowed members to pull data on any other member because of weak access controls on the API. The researchers stated that this bug made it easy to capture user account IDs and scrape account data from Echelon's servers.
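The Echelon and Peloton findings above are the same class of bug: an API that authenticates the caller but never checks whether the caller may read the record whose ID is in the request. The following is an added example, not code from Echelon, Peloton or Pen Test Partners: a toy member-profile lookup showing the weak pattern beside an object-level authorization check and a server-side tripwire for ID enumeration. Member records, tokens, the class roster and the scrape threshold are all constructed for the example; the field names follow the ones the text lists.

```python
from collections import defaultdict
from typing import Optional

# Constructed sample data; field names follow the ones listed in the text.
MEMBERS = {
    101: {"name": "Ana", "city": "Lisbon", "age": 34, "sex": "F", "phone": "+351-000-000-001",
          "weight": 61, "birthday": "1987-05-02", "equipment_serial": "BIKE-0001"},
    102: {"name": "Ben", "city": "Leeds", "age": 41, "sex": "M", "phone": "+44-000-000-002",
          "weight": 82, "birthday": "1980-11-19", "equipment_serial": "ROW-0002"},
    103: {"name": "Cy", "city": "Austin", "age": 29, "sex": "M", "phone": "+1-000-000-0003",
          "weight": 70, "birthday": "1992-01-30", "equipment_serial": "TREAD-0003"},
}
CLASS_ROSTER = {"class-7": {101, 102}}                              # who is in which live class
SESSIONS = {"token-ana": 101, "token-ben": 102, "token-cy": 103}    # bearer token -> member id
LEADERBOARD_FIELDS = ("name", "city")        # the only fields a classmate needs to see


class Unauthorized(Exception):
    """No valid session."""


class Forbidden(Exception):
    """Valid session, but not allowed to read this record."""


def get_member_vulnerable(token: str, member_id: int) -> dict:
    """The weak pattern from the text: the caller is authenticated, but the record id
    is trusted as-is, so any member can walk ids 101, 102, 103... and scrape every profile."""
    if token not in SESSIONS:
        raise Unauthorized
    return dict(MEMBERS[member_id])


def get_member_hardened(token: str, member_id: int, class_id: Optional[str] = None) -> dict:
    """Object-level authorization: the full record only for yourself; a classmate in the same
    class gets the leaderboard subset; everyone else gets Forbidden. Missing and forbidden ids
    return the same error so the endpoint cannot be used to confirm which ids exist."""
    caller = SESSIONS.get(token)
    if caller is None:
        raise Unauthorized
    record = MEMBERS.get(member_id)
    if record is None:
        raise Forbidden
    if caller == member_id:
        return dict(record)
    roster = CLASS_ROSTER.get(class_id, set())
    if caller in roster and member_id in roster:
        return {k: record[k] for k in LEADERBOARD_FIELDS}
    raise Forbidden


def is_forbidden(token: str, member_id: int, class_id: Optional[str] = None) -> bool:
    """True when the hardened endpoint refuses the read (helper for checks and tests)."""
    try:
        get_member_hardened(token, member_id, class_id)
    except Forbidden:
        return True
    return False


class ScrapeDetector:
    """Server-side tripwire for the enumeration the text describes: one session reading
    many distinct member ids. The threshold is an assumption; tune it per endpoint."""

    def __init__(self, threshold: int = 20):
        self.threshold = threshold
        self._seen = defaultdict(set)

    def record(self, token: str, member_id: int) -> bool:
        """Return True once this session has touched more than `threshold` distinct ids."""
        self._seen[token].add(member_id)
        return len(self._seen[token]) > self.threshold


if __name__ == "__main__":
    print("vulnerable:", get_member_vulnerable("token-ana", 103))        # full record of a stranger
    print("classmate view:", get_member_hardened("token-ana", 102, "class-7"))
    print("stranger blocked:", is_forbidden("token-ana", 103))
```

Sequential integer IDs make the enumeration trivial, so opaque random IDs are a useful second layer, but they are not a substitute for the ownership check: an ID that leaks through a class roster or a share link must still be authorized on every read.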

Arxan, a Maryland-based tech firm, looked at 71 health and fitness apps from the U.S., U.K., Germany, and Japan. The researchers found that a whopping 97 percent of the apps they looked at lacked binary protection, 79 percent had insufficient transport layer protection, and 56 percent experienced unintended data leakage. The researchers stated that many of the bugs expose the apps to tampering, making it easier for attackers to reverse engineer apps or potentially leak users' personal information. Researchers also found that 86% of the health apps they reviewed had at least two critical vulnerabilities. The researchers also conducted a survey of 1,083 individuals, comprising health app users and the IT decision-makers who produce health apps. The survey results revealed that 55% of users of health apps expected their apps to be hacked in the next six months.

Researchers have stated that it is hard to get companies who create smart home gym equipment and health and fitness apps to respond to disclosures of vulnerabilities promptly. Sometimes the researchers disclosing the vulnerabilities have to contact the press to get a response from the company. As the use of smart home gym equipment and health and fitness apps continues to grow, users may require the companies behind the equipment and health and fitness apps to take cybersecurity more seriously.

Cybersecurity Snapshots #20 - Are Smartwatches Secure?

Smartwatches have become extremely popular, and the number of people using smartwatches is expected to keep growing long into the future. According to a study by Acumen, the global smartwatch market is anticipated to grow at a CAGR of around 20.1% during the forecast period 2020 to 2027 and to reach around US$ 88.7 Billion by 2027. But just how secure are smartwatches?

In 2015, a report by the IT security firm Trend Micro highlighted a potential smartwatch cybersecurity oversight: the physical protection of sensitive data. The researchers analyzed smartwatches from significant providers like Apple, Samsung, Motorola, LG, Sony, Asus, and Pebble. Through their study, they were able to determine that each smartwatch's physical protection (i.e. how secure they are if stolen) wasn't up to scratch, stating that each manufacturer "opted for convenience" over security. The researchers criticized the oversight at the time and said that while a lack of authentication features made devices easier to operate, the risk of having personal and corporate data compromised was far too great to overlook. The researchers also highlighted the fact that smartwatches save data locally when they're out of range of their connected smartphone. This means that if the smartwatch is stolen and does not have any physical data protection method in place, the thief would be able to access all the data saved onto that device instantly.

Researchers at Kaspersky looked at whether smartwatch movements could be used to reveal passwords and other personal information. The researchers worked with an Android-based smartwatch and wrote a dedicated app that was able to process and transmit accelerometer data, the data a smartwatch records to determine its wearer's movement. From this, the researchers were able to trace whether the wearer was sitting or walking and, thanks to the GPS tracker contained inside, where exactly they were located at the time. The researchers were also able to determine when somebody was typing at a computer and what the user was writing after repeatedly analyzing the accelerometer data. When a user typed in the same password over and over again, the smartwatch's accelerometer would move in a similar way, making it easier to determine which keys they were typing. The researchers concluded that smartwatch hackers can work out computer passwords and PINs. The researchers stated that smartwatches are not the easiest devices to hack, but they definitely can be hacked by adversaries with enough persistence and dedication.

Security researchers at the Norwegian Consumer Council (NCC) looked at how secure certain smartwatches explicitly made for children were. NCC researchers looked at four smartwatch models (Gator 2, Tinitell, Viksfjord, and Xplora) and found that they can give parents a false sense of security. Some features, such as the SOS and the geofencing alerts, didn't work reliably. And, most worrying of all, through simple steps, strangers could take control of the smartwatches. Given the lack of security in the devices reviewed, eavesdroppers could listen in on a child, talk to them behind their parent's back, use the watch's camera to take pictures, track the child's movements, or give the impression that the child is somewhere other than where they really are. The researchers also found that several of the watches transmit personal data to servers located in North America and East Asia, in some cases without using encryption. In one of the smartwatches, knowing a user's phone number would allow an attacker to gain full access to the device. In another watch, the researchers inadvertently came across sensitive personal data belonging to other users, including location data, names, and phone numbers. Another one of the watches allowed the researchers to pair an existing gadget with a completely new account, enabling them to see user data, including the watch's current location and location history and contact phone numbers in the account, all without notifying the watch user.

In another study, researchers at the Munster University of Applied Sciences in Germany tested the security of six brands of smartwatches marketed for kids. The smartwatches focused on were sold by JBC, Polywell, Starlian, Pingonaut, ANIO, and Xplora. These smartwatches were designed to send and receive voice and text messages and let parents track their child's location from a smartphone app. The researchers found that hackers could abuse those features to track a target child's location using the watch's GPS in five out of the six brands of watch they tested. Several of the watches had even more severe vulnerabilities, allowing hackers to send voice and text messages to children that appear to come from their parents, to intercept communications between parents and children, and even to record audio from a child's surroundings and eavesdrop on them. The Munster researchers shared their findings with the smartwatch companies but say that several of the bugs they disclosed have yet to be fixed.

Smartwatches can vary substantially in terms of both quality and sophistication. Therefore, a consumer tends to get what they pay for. Higher-end products will typically have a much greater resistance to cyber threats than lower-end alternatives. Since smartwatches contain valuable information about users, it is essential for the device's security to be taken seriously among manufacturers and users. To keep a smartwatch as protected as possible from adversaries, the user should make sure to change their unlock code frequently and update their software whenever a new bug or operating system update is released.

Cybersecurity Snapshots #21 - Do You Know Where Your QR Code Is Taking You?

For some time, QR codes were mainly used in industrial environments to help keep track of inventory and production. They later gained popularity among advertisers because it was easier for consumers to scan a code than to type a long URL. But people could not tell from a QR code where scanning would lead them, so they got cautious, and QR codes started to disappear. Then the coronavirus came, and now QR codes are being used more than ever by the public. When a user scans a QR code, these shortcuts usually open a website, but they can be programmed to perform any number of mobile actions, including drafting emails, placing calls, opening marketing collateral, opening a location on a map and automatically starting navigation, opening a Facebook, Twitter or LinkedIn profile page, or starting any action from any app (such as opening PayPal with a pre-seeded payment handle). Because QR codes are being used more often again, scammers are starting to target people using QR codes.

The easiest QR code scam for adversaries to pull off is clickjacking. Some people get paid to lure others into clicking on a specific link. Researchers have seen adversaries replace QR codes on famous monuments, where people expect to find background information about the landmark by following the link in the QR code. The original QR code is replaced with a QR code that takes the user to an unintended site, allowing the clickjacking operator to get paid a fee.

Another scam being seen by researchers is a small advance payment scam. For some services, it is accepted as normal to make an advance payment before using that service. For example, to rent a shared bike, you are asked to make a small payment to open the lock on the bike. The QR code to identify the bike and start the payment procedure is printed on the bike. But the legitimate QR codes can be replaced by criminals who are happy to receive these small payments into their own account.

Phishing links can also just as easily be disguised as QR codes. Phishers place QR codes where it makes sense for the user. For example, if someone is expecting to log in to start a payment procedure or to get access to a particular service, the scammers may place a QR code there. Researchers at Proofpoint found phishing emails equipped with fraudulent QR codes. One of the phishing emails instructed the receiver to install the "security app" from their bank to avoid their account being locked down. However, when the QR code was scanned, it took the user to a malicious app outside of the webstore. The user had to allow installs from an unknown source to do this, which should have been a huge red flag, but still, some people fell for it. Researchers have also seen redirect payment scams in the wild. One was used by a website that facilitated Bitcoin payments. While the user entered a Bitcoin address as the receiver, the website generated a QR code for a different Bitcoin address to receive the payment.

According to a new survey of 2100 consumers across the U.S. and the U.K., researchers at MobileIron found that 71% of survey respondents said they could not distinguish between a legitimate and malicious QR code. More than half (51%) of respondents in the survey said they don't have (or don't know if they have) security software installed on their mobile devices. While 67% of participants in the survey are aware that QR codes can open a URL, they are less aware of the other actions that QR codes can initiate. Only 19% of respondents believe scanning a QR code can draft an email, 20% believe scanning a QR code can start a phone call, and 24% believe scanning a QR code can initiate a text message. More than a quarter (35%) of the participants said they don't know whether hackers can even target victims using a QR code. The researchers stated that QR codes are an area of security that deserves more focus because more than half (53%) of the participants said they would like to see QR codes used more broadly in the future. Almost half (40%) of participants stated they would even be open to voting for president using QR codes.

Since more and more users are using QR codes, it is important for users to be more vigilant. Researchers suggest that users of QR codes should not trust emails from unknown senders and should never scan a QR code embedded in an email. The researchers also suggest that users should check to see whether a different QR code sticker was pasted over the original and if so, should not scan it. The researchers also suggest that users use a QR scanner that checks or displays the URL before it follows the link, and they further suggest that users use a scam blocker or web filter on their device to protect them against known scams.
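The advice above amounts to "show me what this code does before it does it": the action (website, email, call, text, app link), the destination host, and anything that should make a user stop. The following is an added example, not the code of MobileIron, Proofpoint or any QR scanner app, of that preview step. It assumes the QR symbol has already been decoded to a string (real scanners use an image-decoding library for that); the blocklist entry, sample payloads and the warning rules are constructed for the example. It also covers the redirect-payment scam from the previous paragraph by checking that a wallet URI pays the address the user actually entered.

```python
import ipaddress
import re
from urllib.parse import urlsplit

KNOWN_SCAM_HOSTS = {"bank-secure-app.example"}      # constructed blocklist entry

# Actions a scanner would take for each URI scheme (the text's list: website, email,
# call, text message, map location, and app-specific links such as a wallet payment).
SCHEME_ACTIONS = {
    "http": "open website", "https": "open website",
    "mailto": "draft email", "tel": "start phone call",
    "sms": "send text message", "smsto": "send text message",
    "geo": "open location in maps", "wifi": "join Wi-Fi network",
    "bitcoin": "open wallet app with a pre-filled payment",
}
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):")     # URI scheme prefix, e.g. "tel:"


def describe_action(payload: str) -> str:
    """What scanning this payload would do, before anything is opened."""
    m = SCHEME_RE.match(payload.strip().lower())
    if not m:
        return "plain text (no action)"
    scheme = m.group(1)
    return SCHEME_ACTIONS.get(scheme, f"launch whatever app handles '{scheme}:' links")


def assess_url(url: str):
    """Return (host, warnings) for a web link; an empty warning list means nothing stood out."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    warnings = []
    if parts.scheme.lower() != "https":
        warnings.append("not HTTPS")
    try:
        ipaddress.ip_address(host)          # raises ValueError for ordinary host names
        warnings.append("host is a raw IP address")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host:
        warnings.append("punycode host (possible look-alike domain)")
    if parts.username or parts.password:
        warnings.append("credentials embedded in URL")
    if host in KNOWN_SCAM_HOSTS:
        warnings.append("host on scam blocklist")
    if parts.path.lower().endswith(".apk"):
        warnings.append("direct app package download (sideloading outside the app store)")
    return host, warnings


def inspect(payload: str) -> dict:
    """Full preview: action, host and warnings; verdict is 'block' or 'show and confirm'."""
    action = describe_action(payload)
    host, warnings = None, []
    if action == "open website":
        host, warnings = assess_url(payload.strip())
    return {"payload": payload, "action": action, "host": host, "warnings": warnings,
            "verdict": "block" if warnings else "show and confirm"}


def payment_matches(payload: str, expected_address: str) -> bool:
    """Redirect-payment check: does the wallet URI pay the address the user typed in?"""
    p = payload.strip()
    if not p.lower().startswith("bitcoin:"):
        return False
    address = p[len("bitcoin:"):].split("?", 1)[0]   # "bitcoin:<address>?amount=..."
    return address == expected_address


if __name__ == "__main__":
    for sample in ("https://museum.example/tower-history",                 # constructed samples
                   "http://bank-secure-app.example/security-app.apk",
                   "tel:+1-555-0100",
                   "bitcoin:bc1qconstructedaddress?amount=0.01"):
        print(inspect(sample))
```

The "show and confirm" verdict is deliberate: even a clean-looking link is still shown to the user before it is followed, which is the behaviour the researchers recommend; the blocklist and web filter mentioned in the text are the `KNOWN_SCAM_HOSTS` check scaled up to a maintained feed.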

Cybersecurity Snapshots #22 - BlackMatter: The DarkSide Ransomware Group Rebranded?

On Friday, May 7, 2021, an affiliate of the DarkSide Ransomware-as-a-Service (RaaS) attacked Colonial Pipeline, a major U.S. fuel pipeline. A week later, DarkSide announced it was shutting down its operations after its servers were allegedly seized and its cryptocurrency wallets drained. DarkSide was followed into apparent retirement by another ransomware service, REvil, the threat actor behind the attack on Kaseya which affected approximately 50 of its companies worldwide. In late July, a new RaaS appeared on the scene called BlackMatter. The operators behind BlackMatter claim that their ransomware incorporates the best features of DarkSide, REvil, and LockBit 2.0 ransomware. The operators also say that while they are closely acquainted with the Darkside operators, they are not the same people, but is that true?

Researchers at Sophos took a deeper look at BlackMatter ransomware and found that when victims are hit with the BlackMatter ransomware, the files on the drives are encrypted, and BlackMatter sets a wallpaper very similar to DarkSide's. Also, like DarkSide, the wallpaper is stored in the same folder on disk (C:\ProgramData), with an identical file size (2,818,366 bytes), image format (.BMP), and image size (1706 x 826 pixels, 16-bit color depth). BlackMatter, like DarkSide and LockBit 2.0, employs a partial encryption scheme, which means the ransomware does not encrypt the entire file but only a portion. This has the same effect but significantly shortens the attack duration, since only a fraction of each file is read and overwritten. Researchers at Sophos stated that attacking merely 1 MB of each file means hundreds of files can be encrypted in a second. In addition to partial encryption, BlackMatter makes use of multithreading. Multithreading has been available in CPUs since 2001 and increases the utilization of a processor core by using the complementary processes of thread-level parallelism and instruction-level parallelism. This effectively leads to higher throughput and lower latency, since data in a faster medium (such as memory) can be retrieved by one thread while another thread retrieves data from a slower medium (such as storage), with neither thread waiting for the other to finish. During encryption, the BlackMatter ransomware's file system activity and use of multithreading look the same as DarkSide's. Like DarkSide and REvil, BlackMatter resolves the APIs it needs at runtime, which hinders static analysis of the malware. And like the other two ransomware families, its strings are encrypted and only revealed at runtime. Like REvil, LockBit 2.0, and DarkSide, BlackMatter also attempts to elevate its privileges when limited by User Account Control (UAC). The BlackMatter ransomware collects information from victim machines, such as hostname, logged-in user, operating system, domain name, system type (architecture), language, and the size of the disk and available free space.
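Two of the traits above are directly checkable during incident-response triage: the dropped wallpaper has a fixed size, geometry and colour depth, and partial encryption leaves each victim file with an encrypted head and an untouched tail. The following is an added example, not Sophos code or anything from the malware, that turns those observations into checks: a minimal BMP header parser compared against the values quoted in the text, and an entropy heuristic for "encrypted only at the start" files. The 1 MB head size comes from the text; the entropy threshold, the sample BMP and the sample victim file are constructed assumptions.

```python
import math
import os
import struct
from collections import Counter

WALLPAPER_SIZE = 2_818_366          # bytes, from the text
WALLPAPER_DIMS = (1706, 826)        # pixels, from the text
WALLPAPER_BPP = 16                  # colour depth, from the text
HEAD_BYTES = 1024 * 1024            # "merely 1 MB of each file", from the text
CIPHERTEXT_ENTROPY = 7.9            # assumption: bits per byte typical of encrypted data


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, close to 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_bmp_header(data: bytes):
    """Return (declared_size, width, height, bpp) for a BITMAPINFOHEADER-style BMP, else None."""
    if len(data) < 54 or data[:2] != b"BM":
        return None
    declared_size = struct.unpack_from("<I", data, 2)[0]
    width, height = struct.unpack_from("<ii", data, 18)     # negative height = top-down rows
    bpp = struct.unpack_from("<H", data, 28)[0]
    return declared_size, width, abs(height), bpp


def matches_wallpaper_ioc(data: bytes) -> bool:
    """True when a BMP has exactly the size, dimensions and depth quoted for the ransom wallpaper."""
    hdr = parse_bmp_header(data)
    if hdr is None:
        return False
    declared_size, width, height, bpp = hdr
    return (declared_size == len(data) == WALLPAPER_SIZE
            and (width, height) == WALLPAPER_DIMS and bpp == WALLPAPER_BPP)


def looks_partially_encrypted(data: bytes, head_bytes: int = HEAD_BYTES) -> bool:
    """High-entropy head followed by a low-entropy tail: the footprint of encrypting only a
    portion of each file. Caveat: formats that are already compressed (zip-based Office files,
    JPEG, PDF streams) have a high-entropy tail too, so this only helps for plain-text and
    other low-entropy formats; a fully encrypted file is not flagged either."""
    if len(data) <= head_bytes:
        return False
    head_h = shannon_entropy(data[:head_bytes])
    tail_h = shannon_entropy(data[head_bytes:])
    return head_h >= CIPHERTEXT_ENTROPY and tail_h < CIPHERTEXT_ENTROPY - 2.0


def build_sample_bmp(width: int = 1706, height: int = 826, bpp: int = 16) -> bytes:
    """Construct a blank BMP with the quoted geometry (sample data, not the real wallpaper).
    At 1706 x 826 x 16 bpp the pixel data is 2,818,312 bytes; with the 54-byte headers the
    file is 2,818,366 bytes, exactly the size the text reports."""
    stride = (width * bpp // 8 + 3) // 4 * 4      # BMP rows are padded to 4-byte multiples
    pixel_bytes = stride * height
    file_hdr = b"BM" + struct.pack("<IHHI", 54 + pixel_bytes, 0, 0, 54)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, bpp, 0, pixel_bytes,
                           2835, 2835, 0, 0)
    return file_hdr + info_hdr + bytes(pixel_bytes)


TEXT_LINE = b"Quarterly grain delivery schedule, lot 17, bin 4.\n"   # constructed plaintext


def sample_partially_encrypted_file() -> bytes:
    """Constructed victim file: 1 MB of random bytes standing in for ciphertext, then text."""
    return os.urandom(HEAD_BYTES) + TEXT_LINE * 8192


def sample_untouched_file() -> bytes:
    """Constructed clean file of about 1.5 MB of plain text."""
    return TEXT_LINE * 30000


if __name__ == "__main__":
    print("wallpaper IoC match:", matches_wallpaper_ioc(build_sample_bmp()))
    print("partially encrypted:", looks_partially_encrypted(sample_partially_encrypted_file()))
    print("untouched flagged:", looks_partially_encrypted(sample_untouched_file()))
```

The header check is cheap enough to run across every `.bmp` under C:\ProgramData on a suspect host, and the entropy check is most useful for deciding, per file, whether the untouched tail still holds recoverable data before any restore decision is made.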

Even though BlackMatter is a new group, they have already caused significant damage to organizations through their ransomware. So far, BlackMatter has published stolen data from 10 organizations on its leak site. The group primarily targets large and well-resourced organizations in the U.S., U.K., Canada, Australia, India, Brazil, Chile, and Thailand. Olympus was recently affected by BlackMatter ransomware, which affected the organization's computer network in Europe, the Middle East, and Africa. The attack began on the morning of September 8th. An Iowa agricultural group was also recently hit by BlackMatter ransomware during the weekend of September 18th and 19th. The group stated that the attack's impact on the U.S. public could be worse than the Colonial Pipeline incident. According to reports, BlackMatter targeted New Cooperative, a major U.S. grain producer, with a $5.9m ransom demand. In emails sent to the ransomware gang during negotiations, New Cooperative wrote that about 40% of grain production runs on their software, and 11 million animals' feed schedules rely on them. New Cooperative also stated that the ransomware attack will cause a public disruption to the grain, pork, and chicken supply chain. The ransomware gang has not budged on their $5.9m ransom demand. The Biden administration has made it clear that 16 critical infrastructure sectors of the U.S. economy are off-limits to cybercrime groups thought to be operating from Russia. BlackMatter claimed that New Cooperative doesn't reach the threshold that the President laid out. After a relatively quiet summer, this attack would appear to be testing those red lines. Security researchers stated that if this is the attitude Russia-based threat actors have towards the President's warnings, this could indicate similar attacks to come.

Several factors suggest a connection between BlackMatter and DarkSide. However, after researchers at Sophos conducted malware analysis, the researchers determined that while there are similarities with DarkSide ransomware, the code is not identical, which means the BlackMatter group is not the DarkSide group rebranded. The researchers stated that in the hands of an experienced adversary, BlackMatter ransomware can cause a lot of damage without triggering any alarms. Security researchers noted that organizations should be on the lookout for this new malware in the future and warned organizations to never pay the demanded ransom. Security researchers also stated that it is important for defenders to promptly investigate endpoint protection alerts as they can be an indication of an imminent attack with disastrous consequences.

Cybersecurity Snapshots #23 - Cybercriminals Are Decreasing Their Use of Bitcoin

In a new report, McAfee researchers discovered that from Q3 to Q4 of 2020, the number of ransomware incidents that affected organizations rose 69% compared to Q1 and Q2 of 2020. Many ransomware gangs have used Bitcoin to collect ransomware payments; however, many ransomware groups are now requesting that ransom payments be made using "more secure" cryptocurrencies.

The U.S. Treasury has tracked $5.2bn worth of Bitcoin transactions likely to have been ransomware payments in the first half of 2021. Its Financial Crimes Enforcement Network (FinCEN) bureau stated that the $5.2bn figure is associated with 177 wallet addresses mentioned in the Suspicious Activity Reports (SARs) sent by banks to the authorities to combat financial crime and money laundering. The number of those SARs related to ransomware has soared over the first half of 2021, FinCEN said. Some 635 were filed during the reporting period between January 1 and June 30, 2021, up 30% from the total of 487 SARs filed for the entire 2020 calendar year.

Researchers at Elliptic found that cybercriminals are becoming more sophisticated in their use of cryptocurrencies to launder money, with hundreds of millions of dollars of dirty funds last year flowing through digital wallets that allow users to hide their trail. At least 13% of all criminal proceeds in Bitcoin passed through privacy wallets, making it harder to track cryptocurrency transactions in 2020, up from 2% in 2019. Bitcoin has often been mislabeled as an anonymous digital currency, but the reality is very much the opposite; anonymity has never been a characteristic of the currency or the blockchain it's built on. The currency's public ledger records every transaction broadcast across the network, resulting in the ability to trace all coins from their originating source to their final destination. For that reason, Bitcoin is referred to as pseudonymous rather than anonymous. Over the past decade, law enforcement has become better at tracking illicit activity on blockchains. Privacy wallets, of which there are several types, combine, mix, and anonymize cryptocurrency transactions, making it complicated to follow a money trail. The security researchers at Elliptic stated that privacy wallets make it practically impossible to track funds, especially if adversaries do a series of transactions through privacy wallets. Recent law-enforcement action to seize or disrupt high-profile criminal marketplaces (Empire, Dark Market, and AlphaBay) shows the advancement of blockchain analysis techniques. Cybercriminals now realize that even when using privacy wallets, there is an inherent danger that the owner of a wallet may be unmasked through historical transactions with arrested individuals, identifiers, and previous connections to criminal platforms. Cybercriminals are increasingly advocating a shift from Bitcoin to alternative, privacy-based digital currencies, such as Monero.
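The paragraph above rests on two properties of a public ledger: coins can be followed forward from a known address, and addresses spent together in one transaction are usually controlled by one owner. The following is an added example, not Elliptic's or any vendor's analysis code, that implements both on a constructed toy ledger and shows why a mixing transaction (the "combine, mix" step the text describes) blunts the second heuristic. Addresses are labels, amounts are made up, and the CoinJoin rule of thumb (three or more input owners, three or more equal outputs) is an assumption for the example.

```python
from collections import Counter, defaultdict

# Constructed toy ledger: txid -> inputs (references to earlier outputs as (txid, index))
# and outputs (address, amount). Addresses are labels, not real Bitcoin addresses.
LEDGER = {
    "tx1": {"inputs": [], "outputs": [("victim_a", 6.0), ("victim_b", 4.0)]},
    "tx2": {"inputs": [("tx1", 0), ("tx1", 1)],                 # victim pays the ransom
            "outputs": [("ransom_addr", 9.9), ("victim_change", 0.1)]},
    "tx3": {"inputs": [("tx2", 0)], "outputs": [("hop1", 5.0), ("hop2", 4.9)]},
    "tx4": {"inputs": [("tx3", 0)], "outputs": [("exchange_deposit", 4.99)]},
    "tx5": {"inputs": [], "outputs": [("alice", 1.0)]},
    "tx6": {"inputs": [], "outputs": [("bob", 1.0)]},
    "tx7": {"inputs": [("tx3", 1), ("tx5", 0), ("tx6", 0)],     # CoinJoin-style mixing step
            "outputs": [("mix_out_1", 1.0), ("mix_out_2", 1.0), ("mix_out_3", 1.0),
                        ("mix_out_4", 3.9)]},
}


def spent_address(ledger, txid, index):
    """Address that owned the output being spent."""
    return ledger[txid]["outputs"][index][0]


def trace_forward(ledger, seed):
    """Every address that receives coins descending from `seed`. The ledger is public, so
    the trail is followable; after a mixing step every output inherits the taint, which is
    exactly the ambiguity the text says privacy wallets introduce."""
    tainted = {seed}
    changed = True
    while changed:                    # fixpoint loop: ledger order need not be chronological
        changed = False
        for tx in ledger.values():
            if any(spent_address(ledger, t, i) in tainted for t, i in tx["inputs"]):
                for addr, _ in tx["outputs"]:
                    if addr not in tainted:
                        tainted.add(addr)
                        changed = True
    return tainted


def looks_like_coinjoin(ledger, tx):
    """Assumed rule of thumb: three or more distinct input owners and three or more
    equal-valued outputs."""
    in_addrs = {spent_address(ledger, t, i) for t, i in tx["inputs"]}
    equal_outputs = Counter(amount for _, amount in tx["outputs"])
    return len(in_addrs) >= 3 and max(equal_outputs.values(), default=0) >= 3


def cluster_by_common_input(ledger, skip_coinjoins=True):
    """Common-input-ownership heuristic: addresses spent together in one transaction are
    assumed to share an owner. Mixing transactions break that assumption, so they are
    skipped; pass skip_coinjoins=False to see the false merge they would cause."""
    parent = {}

    def find(a):                      # union-find with path halving
        while parent[a] != a:
            parent[a] = parent[parent[a]]
            a = parent[a]
        return a

    for tx in ledger.values():
        if skip_coinjoins and looks_like_coinjoin(ledger, tx):
            continue
        addrs = [spent_address(ledger, t, i) for t, i in tx["inputs"]]
        for a in addrs:
            parent.setdefault(a, a)
        for a in addrs[1:]:
            parent[find(a)] = find(addrs[0])
    groups = defaultdict(set)
    for a in parent:
        groups[find(a)].add(a)
    return {a: frozenset(members) for members in groups.values() for a in members}


def owner_cluster(clusters, addr):
    """Cluster containing `addr`; an address never co-spent is its own cluster."""
    return clusters.get(addr, frozenset({addr}))


if __name__ == "__main__":
    print("downstream of ransom_addr:", sorted(trace_forward(LEDGER, "ransom_addr")))
    print("naive cluster of hop2:", sorted(owner_cluster(cluster_by_common_input(LEDGER, False), "hop2")))
    print("careful cluster of hop2:", sorted(owner_cluster(cluster_by_common_input(LEDGER), "hop2")))
```

The naive run merges `hop2` with `alice` and `bob`, who merely shared a mixing transaction; skipping transactions that look like CoinJoins avoids that false attribution at the cost of losing the link, which is the trade-off blockchain analysts face once privacy wallets enter the trail.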

Monero is emerging as the new go-to criminal coin because of its reputation and experience. Monero is regarded as one of the industry's most privacy-focused coins in existence. The currency builds on the strengths of Bitcoin but looks to maintain the privacy of the user's transaction activity. The Monero community recently attempted to get the currency included as a viable payment option, alongside Bitcoin, for Tesla. This showcases its popularity in the crypto world. Another cryptocurrency that adversaries might use in the future is ZCash. ZCash started in 2016 and stems from the same code as Bitcoin, but the currency operates on its own blockchain with a PoW (Proof of Work) mining consensus separate from that associated with Bitcoin. The currency incorporates the use of private "shielded" and public transfers. This enables transactions to be verified without revealing the sender, receiver, or transaction amount. Interestingly, this currency allows a user to disclose particular details of a transaction for compliance or audit purposes.

Another cryptocurrency that might be used by cybercriminals in the future is Dash. Although the coin's creator states the currency is not an "AEC" (Anonymity-Enhanced Cryptocurrency), a function called PrivateSend allows a user to opt to send transactions anonymously. The technology essentially complicates transactions by continuously pooling groups of transactions to the point that analytics cannot detect where coins are being sent or received. Cybercriminals may also use the Verge cryptocurrency in the future. This digital currency was created in 2014 and runs on its own blockchain. Initially known as "DogeCoinDark," Verge enables private transfers through the use of I2P or Tor, which helps conceal user locations. Cybercriminals may also use two newer cryptocurrencies called Beam and Grin in the future. These currencies emerged on the scene in 2019 with a newer blockchain technology called Mimblewimble. This technology introduces the concept of no identifiable or reusable addresses, meaning that all transactions look like random data to an outsider, with blocks looking like one large transaction rather than a combination of several individual ones.

Researchers believe that in the future, the use of Bitcoin by cybercriminals to receive payments from victims will decrease. Cybercriminals will still probably use Bitcoin, but most of the time, victims will be expected to make payments using more "secure" cryptocurrencies. This will make it harder for law enforcement to track payments and cybercriminals in the future.

Cybersecurity Snapshots #24 - Cybercriminals Feeling the Heat From Law Enforcement

Researchers at SonicWall discovered that the number of ransomware attacks in the first three quarters of 2021 surged 148% year-on-year to reach 470 million. This makes 2021 already the worst year on record for attacks, the researchers stated. This year, there has also been an increase in Business Email Compromise (BEC) attacks, and the FBI claimed that BEC has been the highest-grossing cybercrime category over the past three years. Even though cyberattacks are increasing, law enforcement is getting better at tracking and arresting adversaries who perform cyberattacks.

Irish police, during an 18-month long operation, were able to arrest over 400 suspects behind BEC attacks. The investigators were able to reveal links between an Ireland-based gang and notorious Nigerian crime syndicate Black Axe, which also focuses on BEC scams. Interpol's Global Financial Crime Task Force (IGFCTF) provided on-the-ground support to the Irish Garda National Economic Crime Bureau (GNECB) to help share intelligence with international forces. Interpol also helped Irish police with digital forensic work, downloading data and call records from seized devices, and analyzing the evidence "through a global lens." This has already triggered cooperative investigations with police in the US and South Africa, Interpol said. Interpol claimed that arrests and prosecutions outside of Ireland are foreseen as ongoing investigations unfold. Interpol also recently announced the arrest of six members of the Clop (aka Cl0p) ransomware group. Clop ransomware group has conducted ransomware attacks on numerous private and public organizations in Korea, the US, and elsewhere.

Twelve threat actors were singled out by Europol last week in a significant ransomware operation targeting multiple organized crime groups. The unnamed suspects are believed to have been involved in deploying the LockerGoga, MegaCortex, and Dharma variants or laundering the proceeds, the trans-national policing group claimed. It is not clear whether the 12 have been arrested or charged. Europol would only say that they are "high-value targets" under investigation in multiple high-profile cases in different jurisdictions. Police from Norway, France, the Netherlands, U.K., Ukraine, Germany, Switzerland, and the US worked alongside Europol and Eurojust, the European Union Agency for Criminal Justice Cooperation, to help identify the twelve threat actors.

Europol also recently announced that law enforcement agencies in several countries arrested seven people allegedly linked to the REvil and GandCrab ransomware operations. The arrests have been carried out since February. Three suspects were arrested in South Korea, one in Kuwait, two in Romania, and one in an unnamed European country. Five of the suspects are believed to have been involved in cyberattacks that leveraged REvil (aka Sodinokibi) ransomware, while the other two have been linked to GandCrab attacks.

Even though the number of cyberattacks encountered each year is growing, there is still a good amount of hope as law enforcement gets better at tracking and arresting cybercriminals. Interpol's director of cybercrime, Craig Jones, stated that "despite spiraling global ransomware attacks, this police-private sector coalition saw one of global law enforcement's first online criminal gang arrests, which sends a powerful message to ransomware criminals, that no matter where they hide in cyberspace, we will pursue them relentlessly." Chief data scientist Bob Rudis at Rapid7 stated that it is encouraging to see what can be done when policy meets enablement and authorities are given support and resources to take decisive action. He also said that "I'm hopeful that as more criminals are caught and prosecuted, and as their ill-gotten gains are recovered, we will finally start to see attackers move on to other, less risky business models (or go away completely, but that is more of a dream than likelihood)."

Cybersecurity Snapshots #25 - Schools and Universities Targeted by Hackers During Pandemic

According to researchers, ransomware attacks hit schools and colleges harder than any other industry during the first year of the pandemic. Malicious actors look for easy targets, and education institutions often struggle to find enough skilled workers to defend their growing IT needs. For K-12 schools particularly, a lack of adequate funding also limits their ability to defend themselves properly against threats. In 2020 researchers found that including the costs of downtime, repairs, and lost opportunities, the average ransomware attack cost educational institutions $2.73 million. That is 48% higher than the global average across all sectors. Ransomware attacks alone impacted 1,681 U.S. schools, colleges, and universities in 2020. From November 23 to December 23, 2021, educational organizations were the target of over 8.3 million malware attacks, or almost 69% of all such attacks recorded by Microsoft in those 30 days. At the moment, there is no sign that education organizations will be targeted less in the year to come.

In March 2020, the Sheldon Independent School District in Texas, which is home to 10,000 students, experienced a ransomware attack and paid nearly $207,000 in ransom after hackers locked officials out of critical software systems, blocking access to emails, important staff data, and security cameras. In September 2020, Newcastle University in Tyne, England, had its systems breached by the DoppelPaymer ransomware gang, exposing the data of staff and students. Also in September 2020, Clark County, a Las Vegas, Nevada school district serving 320,000 students, became the largest school district to fall victim to a ransomware attack since the beginning of the COVID-19 pandemic. In October 2020, a ransomware attack occurred against Las Cruces, a public school system in New Mexico, which shut down computers and networks across the district. The school district's IT teams reportedly reacted quickly, shutting down all computers immediately after detecting the attack to evaluate the extent of the damage and develop a remediation plan. In November 2020, schools in Baltimore County, Maryland, were hit with a ransomware attack that forced the district to cancel remote classes for its 115,000 students for a couple of days. The attack affected the district's websites and remote learning programs, as well as its grading and email systems. A public school district in Mississippi's capital city is implementing new cybersecurity measures after a ransomware attack affected its servers last year. Since the February 2020 attack, Jackson Public Schools has implemented a cyber-education program for employees and a new anti-virus and malware protection program. The school district also installed a multi-factor authentication system for key employees and improved network infrastructure and security.

Significant ransomware attacks also affected schools in 2021. The University of California (UC) fell victim to a ransomware attack in which an unauthorized individual copied and transferred UC files by exploiting a vulnerability in Accellion's file transfer service. The stolen information included names, birthdates, Social Security numbers, and bank account information. Stanford University School of Medicine was also breached because adversaries exploited a vulnerability in Accellion's file transfer service. A ransomware attack affected Howard University, which left its systems down for a couple of days. The school did not pay the ransom demanded by the adversaries and determined that no personal information was exposed during the incident.

Matt Donahue, a compliance and risk analyst at technology solutions and IT services provider SentientDigital, said that the issue is becoming so common because many schools are unable to install strong enough security measures. Donahue noted that, in the future, schools should be maintaining encrypted backups of all data and regularly testing their usage. He noted that the backups should also be stored offline because cybercriminals will look for and delete backup information. He also said that schools would not need to pay ransoms if the data remains in their hands. Donahue also said schools should develop cyber response plans, regularly train staff in the procedures, and conduct drills to ensure a smooth response in a real attack. Doing this will help identify the most critical threats so leaders can put resources there first. Donahue also stated that schools need to know that the best way to prevent ransomware attacks is by being prepared ahead of time. Since researchers believe that the number of ransomware attacks on schools and universities will keep increasing in the future, schools and universities must take cybersecurity seriously and implement proper precautions to help defend themselves against cyberattacks.

Cybersecurity Snapshots #26 - North Korean Hackers Are Focusing on Stealing Cryptocurrency

North Korean hackers have been linked to several major crypto heists in recent years, and last year alone they were able to steal nearly $400 million worth of cryptocurrency. One major breach in 2021 was against Japan-based Liquid, a cryptocurrency exchange, where North Korean hackers were able to steal over $97 million in cryptoassets. Ethereum tokens made up $45 million of the cryptoassets stolen. In the past five years, North Korean hacker groups stole $1.5 billion in cryptocurrency, not including the unaccounted hundreds of millions more that the country has stolen from the traditional financial system. Stolen cryptocurrency now contributes significantly to the coffers of Kim Jong-un's totalitarian regime as it seeks to fund itself and its weapons programs, despite the country's heavily sanctioned, isolated, and ailing economy.

According to researchers at Chainalysis, North Korean hacking groups used various techniques to siphon crypto funds out of the victims' internet-connected "hot" wallets into addresses controlled by the Democratic People's Republic of Korea (DPRK). These included phishing lures, code exploits, malware, and advanced social engineering. The researchers stated that once North Korea gained custody of the funds, it began a careful laundering process to cover up and cash out. Many of the hacks observed by the researchers were likely carried out by the notorious Lazarus Group (APT 38), which is led by North Korea's main intelligence agency, the Reconnaissance General Bureau. The researchers stated that since 2018, the group has focused its efforts on cryptocurrency crime. One reason the North Korean hackers are now focusing on cryptocurrency over other forms of financial crime is no doubt the relative ease of laundering digital cash. After the Lazarus Group's Bangladesh Bank heist, for instance, the North Koreans had to enlist Chinese money launderers to gamble tens of millions at a casino in Manila to prevent investigators from tracking the stolen funds. By contrast, Chainalysis found that the groups have plenty of options to launder their stolen cryptocurrency. The researchers also found that the North Koreans have been remarkably patient in cashing out their stolen crypto, often holding onto the funds for years before beginning the laundering process to help avoid detection. The researchers noted that the hackers appear to still be holding on to $170 million in unlaundered cryptocurrency from previous years' thefts, which they will undoubtedly cash out over time.

In 2021, for the first time since researchers at Chainalysis began tracking North Korean cryptocurrency thefts, Bitcoin no longer represented anywhere near the majority of the country's take, accounting for only around 20 percent of the stolen funds. Fully 58 percent of the groups' cryptocurrency gains came instead in the form of stolen ether, the Ethereum network's currency unit. Another 11 percent, around $40 million, came from stolen ERC-20 tokens, a form of crypto asset used to create smart contracts on the Ethereum blockchain.

Because North Korea's hackers operate under the auspices of the isolated state and are rewarded at home for their thefts abroad, it is very difficult to stop them from stealing more cryptocurrency. Counterstrikes on the country's web infrastructure are limited because North Korea has few connected devices, and its cellphone data network is mainly cut off from the rest of the world. Security researcher Jenny Jun from the Atlantic Council stated that "the fight against North Korea's illicit activities is like a whack-a-mole game, cracking down will lead to displacement rather than cause the regime to stop or focus on legitimate economic activity." Many security researchers believe that until the cryptocurrency industry figures out how to secure itself against hackers and prevent their coins from being laundered and converted into clean bills, North Korea's revenue from stolen cryptocurrency will only continue to grow.

Cybersecurity Snapshots #27 - Organizations Are Urged to Be On the Lookout for Potential Russian Cyberattacks

The US Cybersecurity and Infrastructure Security Agency (CISA) is urging organizations to strengthen their security posture and stay on alert for potential Russian cyberattacks. According to CISA, all organizations in the US are at risk from cyberattacks that could disrupt essential services and impact public safety. CISA is not currently aware of a specific threat to US organizations but stated that due to the increasing tensions at the Ukraine border, the Russian government might consider "escalating its destabilizing actions" to impact entities outside of Ukraine. CISA is warning that the Russian government understands that disabling or destroying critical infrastructure, including power and communications, can augment pressure on a country's government, military, and population and accelerate their acceding to Russian objectives. Russia has conducted cyberattacks in the past to help accelerate its agenda.

In 2017, the NotPetya cyberattack was directed initially at Ukrainian private companies before it spilled over and destroyed systems worldwide. NotPetya masqueraded as ransomware, but in fact it was a purely destructive and highly viral piece of code. The destructive malware used in January against Ukraine to deface and disable more than 70 government websites, now known as WhisperGate, also pretended to be ransomware while aiming to destroy critical data, rendering machines inoperable. Russian threat actors were behind both NotPetya and WhisperGate, according to researchers. The White House said the NotPetya attack caused more than $10 billion in global damage and deemed it "the most destructive and costly cyberattack in history." In 2015 and 2016, Russian hackers attacked Ukraine's power grid and turned out the lights in the capital city of Kyiv. During the invasion and seizure of Crimea in 2014, Russian hackers shut down telecommunications systems in the region, including by jamming the mobile phones of Ukrainian members of parliament. In 2008, the Russian invasion of Georgia was preceded by a swarm of digital attacks that overwhelmed Georgian government websites with traffic and temporarily disabled them, including the website of the country's president. Russia also launched cyberattacks that overwhelmed the websites of Estonian government agencies and other national institutions in 2007 over disagreements around Estonia's decision to move a Soviet-era World War II statue. While intelligence agencies worldwide have pinned these attacks on Russia, Moscow historically has either denied the incidents or avoided comment.

The Department of Homeland Security believes that if the US imposes sanctions on Russia, Russia may be prompted to conduct cyberattacks on our critical infrastructure. The past year alone has made it clear how vulnerable key aspects of life in the US are to being disabled by hackers. The ransomware attacks against Colonial Pipeline and JBS disrupted key supply chains, and an unsuccessful attempt by a hacker to compromise a water treatment plant and poison the water supply in Oldsmar, Florida, illustrated the potential of cyberattacks to cause harm to millions. Christopher Painter, the former coordinator for cyber issues at the State Department under the Obama and Trump administrations, stated that if Russia launched massive cyberattacks on the US or other Ukraine allies, it would mark a turning point in cyber warfare and challenge the idea that cyberattacks are less serious than physical assaults.

CISA is currently working with critical infrastructure partners to increase awareness of potential threats and is now urging all organizations to be proactive and make sure their most critical assets are well defended in the event of an attack. CISA recommends that organizations ensure multi-factor authentication is enabled for all remote access to their environments, including privileged or administrative access; keep all software updated and prioritize patching against known exploited vulnerabilities; disable all unused ports and protocols; and ensure that strong controls are implemented for all cloud services that may be in use. CISA also recommends that organizations ensure that their cybersecurity/IT personnel can quickly identify and address unusual network behavior; keep their environments protected with security products; make sure that a response plan is in place in the event of an intrusion; and maximize resilience to destructive cyberattacks. CISA noted that organizations that work with Ukrainian organizations should take extra care to monitor, inspect, and isolate traffic from those organizations.

Cybersecurity Snapshots #28 - Implementing Zero Trust Models is Easier Said Than Done

Many organizations still have a traditional or perimeter network security approach that focuses on keeping attackers out of the network but is vulnerable to users and devices inside the network. "Verify, then trust" security trusts users inside the network by default. Individuals with the correct user credentials could be admitted to the network's complete array of sites, apps, or devices. Security researchers are urging organizations to start creating zero trust architectures. Zero trust requires strict identity verification for every user and device when attempting to access resources on a network, even if the user or device is already within the network perimeter. Zero trust also provides the ability to limit a user's access once inside the network, preventing an attacker who has accessed a network from enjoying lateral freedom throughout the network's applications. Implementing a zero trust model is easier said than done as it requires a rethinking of an organization's entire security posture and environment.
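As an added illustration that is not part of the original article or of any vendor's product, the Python sketch below contrasts the two access models described above: a perimeter ("verify, then trust") check that grants any valid credential inside the network the full array of resources, and a zero trust policy that re-verifies identity, MFA, device compliance, and the specific entitlement on every request regardless of network location. The users, devices, and resources are constructed for the example.

```python
"""Perimeter ("verify, then trust") vs zero trust access decisions.

Constructed example: the organisation, users, devices and resources are
hypothetical and exist only to show how the two models differ.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    password_ok: bool            # the credential check both models start from
    mfa_ok: bool                 # second factor presented for this request
    device_id: str               # device making the request
    source_inside_network: bool  # did it originate inside the perimeter?
    resource: str
    action: str


# Constructed policy data (hypothetical organisation).
ENTITLEMENTS = {
    # user -> {resource: set of permitted actions}
    "alice": {"hr-portal": {"read"}, "wiki": {"read", "write"}},
    "bob": {"build-server": {"read", "write"}, "wiki": {"read"}},
}
COMPLIANT_DEVICES = {"laptop-a1", "laptop-b7"}  # managed, patched, encrypted
ALL_RESOURCES = ("build-server", "finance-db", "hr-portal", "wiki")


def perimeter_decision(req: Request) -> tuple[bool, str]:
    """Traditional model: a valid password from inside the perimeter opens
    every resource; nothing else is checked once you are 'in'."""
    if not req.password_ok:
        return False, "bad credentials"
    if not req.source_inside_network:
        return False, "outside the perimeter"
    return True, "inside the perimeter: full access"


def zero_trust_decision(req: Request) -> tuple[bool, str]:
    """Never trust, always verify: identity, second factor, device posture and
    the per-resource entitlement are checked on every request. Network
    location is deliberately ignored, so 'already inside' buys nothing."""
    if not req.password_ok:
        return False, "bad credentials"
    if not req.mfa_ok:
        return False, "MFA not satisfied"
    if req.device_id not in COMPLIANT_DEVICES:
        return False, f"device {req.device_id} is not compliant"
    allowed = ENTITLEMENTS.get(req.user, {}).get(req.resource, set())
    if req.action not in allowed:
        return False, f"{req.user} has no '{req.action}' entitlement on {req.resource}"
    return True, f"{req.user} may {req.action} {req.resource}"


def stolen_credential_scenario() -> dict[str, tuple[bool, bool]]:
    """An attacker inside the network with alice's password (no second factor,
    unmanaged device) tries to read every resource. Returns
    {resource: (perimeter_allowed, zero_trust_allowed)}."""
    results = {}
    for resource in ALL_RESOURCES:
        req = Request("alice", True, False, "unknown-box", True, resource, "read")
        results[resource] = (perimeter_decision(req)[0], zero_trust_decision(req)[0])
    return results


def legitimate_user_scenario() -> dict[str, tuple[bool, bool]]:
    """alice herself, remote, with MFA and a compliant laptop. Zero trust lets
    her read only what she is entitled to; the perimeter model rejects her
    entirely because she is outside the network."""
    results = {}
    for resource in ALL_RESOURCES:
        req = Request("alice", True, True, "laptop-a1", False, resource, "read")
        results[resource] = (perimeter_decision(req)[0], zero_trust_decision(req)[0])
    return results


if __name__ == "__main__":
    print("stolen credential, inside network (perimeter, zero trust):")
    for res, verdict in stolen_credential_scenario().items():
        print(f"  {res:13} {verdict}")
    print("legitimate alice, remote (perimeter, zero trust):")
    for res, verdict in legitimate_user_scenario().items():
        print(f"  {res:13} {verdict}")
```

Under the perimeter model the stolen credential yields lateral freedom across all four resources, while the zero trust policy denies every one of those requests and, for the real user, scopes access to the single entitled resource.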

Security researchers at One Identity conducted a new survey of IT security professionals to get their opinions on the adoption of and experience with zero trust security. Among the respondents, 75% cited zero trust as critically or very important to their organization's security posture. Some 24% said it was somewhat important, while only 1% dismissed it as unimportant. For most organizations surveyed, zero trust is still a work in progress. Only 14% have already adopted a zero trust model, 39% said that they've started their implementation but aren't finished, 22% plan to set up a full zero trust model within the next 12 months, 14% said that they plan to set up a full zero trust model but that it would take longer than 12 months, and 8% reported no plans to set up zero trust. The two most common barriers to implementing zero trust security models for participants were a lack of clarity around how zero trust should be implemented and the ongoing identity and access management that zero trust requires. Other common barriers for participants were that zero trust security models impact employee productivity and that security staffers are too busy and have other priorities. Additional obstacles to kicking off a zero trust initiative included a lack of resources or budget, the challenges in predicting the benefits and building a business use case, the tendency of zero trust to create a siloed approach, and the lack of access to zero trust technology. Only 6% of participants said they had no barriers when implementing zero trust security models.

The security researchers at One Identity stated that there is no one correct approach to kicking off a zero trust initiative. The respondents of their survey pointed to a variety of methods for starting to implement a zero trust security model. Almost half of the participants (49%) suggested that organizations begin by continuously verifying who has access to what and when. Some 48% of participants advised organizations to better monitor user access and privileges, 41% recommended starting by setting up new access management technologies, and 35% suggested mapping the traffic of sensitive data. Larry Chinski, VP of global IAM strategy at One Identity, stated that overall, the key to successful implementation and deployment of zero trust is to focus on the overall concept of never trust, always verify. Chinski also stated that looking at zero trust holistically is a key to helping organizations most effectively implement a zero trust architecture. Organizations can reference third-party resources to help deploy zero trust models. The National Institute of Standards and Technology (NIST) developed a starting guide for organizations on how to begin planning for a zero trust architecture.

The White House's recent requirement for federal agencies to achieve a zero trust architecture is a significant first step, but zero trust can't stop there. Security researchers believe that there are critical steps the federal government needs to take before zero trust has any hope of moving beyond the federal level on a larger scale. First, the federal government needs to define zero trust and describe why it matters. Organizations need to know what zero trust is and why they should care. This is especially true for those not in an information technology role. Second, the federal government needs to clarify the zero trust implementation process. The researchers stated that without clear guidance, organizations cannot know which guidelines and best practices work best for them or where to begin. Some researchers have already questioned whether the federal government can achieve the zero trust goal by the end of fiscal year 2024. If it is a challenge at the federal level, there will be an even heavier burden on non-government organizations, where cybersecurity preparedness varies significantly. Researchers are urging companies to work towards implementing zero trust methods sooner rather than later. Researchers are also urging the federal government to do a better job of helping organizations implement zero trust architectures in the future.

Cybersecurity Snapshots #29 - The LAPSUS$ Hacking Group

LAPSUS$ has been in the news a lot lately. The cybercrime group first surfaced in December 2021 with an extortion demand on Brazil's Ministry of Health. Even though LAPSUS$ is a relatively new cybercrime group, it has hit big companies, including Microsoft, Okta, Ubisoft, Nvidia, Samsung, and Vodafone.

During the data breach of Microsoft, LAPSUS$ claimed to have stolen source code for Bing, Cortana, and internal Microsoft projects from a server. LAPSUS$ released a torrent containing 37GB of source code for around 250 projects. The group claimed the data includes 90 percent of Bing's source code and 45 percent of Cortana and Bing Maps code. Other affected projects included websites, mobile apps, and web-based infrastructure. The leaks reportedly contain internal emails and documentation related to published mobile apps. The torrent is not believed to include code for desktop software such as Windows or Microsoft Office. During the data breach of Samsung, LAPSUS$ was able to steal source code related to the operation of the company's Galaxy devices. LAPSUS$ published 190GB of confidential data it claimed had been exfiltrated from the tech company. The published data reportedly contained source code and biometric unlocking algorithms linked to Samsung, as well as source code belonging to the American multinational technology corporation Qualcomm. During the breach at Nvidia, LAPSUS$ claimed to have stolen 1TB of data, including all the silicon, graphics, and computer chipset files "for all recent Nvidia GPUs." Security researchers at Microsoft have stated that while it may be tempting to dismiss LAPSUS$ as an immature and fame-seeking group, their tactics should make anyone in charge of corporate security sit up and take notice.

Microsoft's security researchers discovered that LAPSUS$ mostly gains illicit access to targets via "social engineering." This involves bribing or tricking employees at the target organization or its myriad partners, such as customer support call centers and help desks. The researchers found instances where the group successfully gained access to target organizations through recruited employees. The LAPSUS$ Telegram channel has grown to more than 45,000 subscribers, and Microsoft found an ad the group posted there offering to recruit insiders at major mobile phone providers, large software and gaming companies, hosting firms, and call centers. After further investigation, it was found that LAPSUS$ has been recruiting insiders via multiple social media platforms since at least November 2021. One of the core LAPSUS$ members, who used the nicknames "Oklaqq" and "WhiteDoxbin," posted recruitment messages to Reddit last year, offering employees at AT&T, T-Mobile, and Verizon up to $20,000 a week to perform "inside jobs." Many of LAPSUS$'s recruitment ads are written in both English and Portuguese. According to researchers at Flashpoint, LAPSUS$ currently does not operate a clearnet or darknet leak site or traditional social media accounts. LAPSUS$ instead uses Telegram and email. The researchers stated that the individuals behind the group are likely experienced and have demonstrated in-depth technical knowledge and abilities. The group has claimed it is not state-sponsored.

Security researchers at Digital Shadows stated that little is known of the group's origins. However, given that LAPSUS$'s initial activity was directed toward several organizations in Brazil, some researchers have speculated that the group is based in South America. The London police recently stated that seven people between the ages of 16 and 21 had been arrested in connection with an investigation into a hacking group. One of the individuals, a 16-year-old from Oxford, was arrested and accused of being one of the leaders of the cybercrime gang. The 16-year-old used the online moniker "White." Unit 221B, working with Palo Alto after identifying the actor, watched his exploits throughout 2021, periodically sending law enforcement a heads-up about the latest crimes. The researchers tracked "White" through a trail of activity linked through a nearly unbroken stream of the boy's online accounts. The researchers stated that the trail could be followed thanks to mistakes "White" made in failing to cover his tracks. Even as the seven people were being arrested, LAPSUS$-related cybercrime activities continued with the leak of some 70GB of data allegedly purloined from software development company Globant. The mystery of who the LAPSUS$ kingpins are and where they are located has deepened.

Security researchers stated that the critical thing to remember is that the LAPSUS$ attacks, along with many others, rely at least in part on ongoing attempts to trick, persuade, or bribe insiders into granting remote access. So organizations should do a better job of vetting employees before they are hired, and they need to do a better job of training staff. Organizations should also have a fast, simple way for staff to report security anomalies to the proper in-house security experts. LAPSUS$ does not give up if its first attempt to break in fails, so the sooner an employee in a company feels empowered to say something, the sooner everyone can be warned and protected. Researchers noted that if employees do not feel like they can say anything, then the adversaries get a free pass to try to sneak in repeatedly.

Cybersecurity Snapshots #30 - The Water Sector Needs to Take Cybersecurity Seriously

The United States has approximately 52,000 drinking water and 16,000 wastewater systems, many of which service small communities of fewer than 10,000 residents. Many of these systems operate with limited budgets and even more limited cybersecurity personnel and expertise. Security researchers have stated that the automation of technology that these water utilities implemented over the past two decades to save money and increase efficiency has also exposed them to malicious cyber activity that could disrupt or manipulate services. In October of 2021, the FBI, National Security Agency, Cybersecurity and Infrastructure Security Agency (CISA), and Environmental Protection Agency (EPA) warned that U.S. water and wastewater systems are being targeted by "known and unknown" malicious actors.

Multiple cyberattacks against U.S. water and wastewater systems were discussed in the warning. In March 2019, a cyberattack in Kansas involved an attempt to threaten a town's drinking water. In another cyberattack in September 2020, the Makop ransomware hit a New Jersey water and wastewater (WWS) facility. There was also a cyberattack in February 2021 in which an unidentified hacker accessed the computer systems of a water treatment facility in Oldsmar, Florida, and modified chemical levels to dangerous parameters. In March 2021, a Nevada water treatment plant was hit with an unknown ransomware variant. The ransomware affected the victim's SCADA system and backup systems. The SCADA system provides visibility and monitoring but is not a full Industrial Control System (ICS). An attack in July 2021 saw the ZuCaNo ransomware used to damage a wastewater facility in Maine. In August 2021, Ghost ransomware was deployed against a WWS facility in California. Attackers spent a month inside the system before releasing a ransomware message on three SCADA servers. Recently, researchers found that 1 in 10 water and wastewater plants has a critical security vulnerability.

After these attacks, CISA claimed that they were going to team up with the EPA to provide guidance, technology, and direct support to the sector. After announcing that CISA was teaming up with the EPA, some researchers thought CISA should have chosen the National Association of Water Companies (NAWC) as a partner to tackle the problem instead of the EPA. NAWC supports establishing national standards to safeguard all water systems from cyberattacks and protect the communities they serve. While not all water companies belong to NAWC, researchers found that more than 90 percent of NAWC members have a cybersecurity plan in place, while non-member companies may or may not have plans in place.

In January 2022, it was announced that the White House, EPA, and CISA had created a 100-day plan to improve the cybersecurity of the country's water systems. The "Industrial Control Systems Cybersecurity Initiative -- Water and Wastewater Sector Action Plan" includes several measures that officials believe can be taken in just a few months to address cybersecurity gaps within the water utility industry. The plan will create a task force of leaders in the water utility industry, kickstart incident monitoring pilot programs, improve information sharing, and provide technical support to water systems needing help. The EPA will invite water utilities to a pilot program, but participation will be voluntary, the officials said. After the announcement of the new 100-day plan, the reaction among ICS cybersecurity experts was mixed. Mark Carrigan, Senior VP of Process Safety and Operational Technology (OT) Cybersecurity at Hexagon PPM, stated that the measures outlined will not be nearly sufficient to reduce the risk to an acceptable level. Carrigan noted that the state of detection technology today is not "fool-proof" and stated that many infiltrations and subsequent attacks start with exploiting zero-day vulnerabilities that are not recognized until after the fact. Carrigan also noted that it is time for critical infrastructure to increase investments to improve operational resiliency so that operators can respond to an attack, minimize the impact, and restore operations within an acceptable period of time. Carrigan also stated that as a nation, we must accept that we cannot prevent all cyberattacks due to the nature of the control systems that deliver critical services. Instead, we must improve our ability to respond and recover.

In March 2022, a cyber incident reporting bill was passed. Elke Sobieraj, the Director for Critical Infrastructure Cybersecurity at the White House's National Security Council, stated that before the cyber incident reporting bill was passed, it was very difficult to assess the risks the water sector was facing from ransomware because many water companies did not report ransomware incidents. She hailed the passage of the cyber incident reporting bill, which requires critical infrastructure entities like water companies to report incidents to the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency within 72 hours. Sobieraj noted that this will make it easier to assess the risks the water sector faces from ransomware.

Recently, Nick Santillo, VP for Digital Infrastructure and Security at American Water, stated that insurers increasingly require water utilities to meet stringent cybersecurity requirements even to consider insuring them. These requirements include a strong and secure access management program for protecting administrative credentials and privileged accounts, and endpoint detection and response tools. Santillo stated that many water utility companies have gone through their renewals and ended up either becoming uninsurable or having to implement new controls just to get to the point of being insurable.

As the cybersecurity risks and threat vectors continue to grow and become more sophisticated, we must be proactive to improve the cybersecurity position across the entire water sector. With the new stringent cybersecurity requirements for organizations in the water sector to get insured, the "Industrial Control Systems Cybersecurity Initiative -- Water and Wastewater Sector Action Plan," and the cyber incident reporting bill, the companies within the water sector will hopefully start to take cybersecurity seriously and take steps to make sure their infrastructure is more secure against cyberattacks.

Cybersecurity Snapshots #31 - Healthcare Organizations Are Being Inundated With Cyberattacks

Attackers have realized hospitals are prime targets for cyberattacks, so healthcare leaders must prioritize protecting their systems. In 2021, healthcare organizations were inundated with cyberattacks, and they can expect more to come. The U.S. Department of Health and Human Services keeps track of cyberattacks and breaches at healthcare providers. According to the department, in 2021 there were 618 breaches, with each data breach affecting at least 500 patients. According to a new study by IBM, the cost of a typical healthcare breach rose to an average of $9.4 million in 2021, an increase of $2 million over the previous year. The average ransomware attack on healthcare costs $4.6 million per incident. In 2022, all healthcare organizations and hospitals are at risk. In November 2021, Matt Georgy, a chief healthcare executive, stated that small and mid-size hospitals and healthcare systems typically have fewer resources to defend critical systems, with smaller staffs and budgets to defend against cyberattacks. Larger hospitals and health networks are also at risk because they offer many more entry points for attackers to find vulnerabilities. Their attack footprint is massive. Cybersecurity attacks aren't just costly to healthcare systems. They're hurting patient care. In November 2020, a Healthcare Information and Management Systems Society (HIMSS) survey shed more light on the toll cyberattacks are taking on healthcare. Most participants (61%) indicated that a cyberattack disrupted non-emergency clinical care. And 28% of respondents reported those attacks disrupted emergency services. In just the first six months of 2022, there have been over 10 documented cyberattacks on healthcare systems affecting well over three million patients. The affected healthcare systems included healthcare providers, medical practices, hospitals, and clinics across the United States. In addition to putting patients' health at risk, the data breaches also led to identity theft and compromise of medical information.

Security researchers have found that adversaries are going after two primary objectives: disruption and data. First, attackers are looking to disrupt healthcare operations. Healthcare providers aren't like other businesses that can take their time if a system is compromised. If a hospital can't access its records or its ability to serve patients is compromised, that's a massive problem. While many threat actors are mainly concerned with disrupting services, some are going after the data in healthcare systems. Researchers noted that in some breaches, attackers have taken the data first and then deployed the ransomware into the organization. In such cases, attackers tell the healthcare organization that if it pays a ransom it can get the data back, and that if it doesn't pay, they'll detonate the ransomware and lock up its computer systems. Mac McMillan, the founder of CynergisTek, stated that he thinks we will continue to see more ransomware attacks on the healthcare sector and that they will get more complex and harder to deal with. Leon Lerman, CEO of Cynerio, stated that in the future he expects to see an increase in both the sheer number of attacks on hospitals and their severity.

Healthcare organizations currently aren't investing enough in bolstering their defenses against cyberattacks. McMillan stated that adversaries have figured out healthcare is a lucrative target that is more susceptible to disruption than other sectors because it hasn't made the investments others have made. Some sectors put 10-15% of their information technology budgets toward cybersecurity. Healthcare organizations, on the other hand, typically spend 6% or less of their IT budgets on cybersecurity, according to the HIMSS survey. Cybersecurity experts say hospitals can improve their defenses with simple measures, including training staff to ensure all employees understand the gravity of breaches to healthcare systems. Other steps, such as using two-factor authentication to access systems, can help. Georgy stressed the importance of policies instructing workers to frequently change passwords and use passwords that aren't easy to guess. Currently, healthcare systems are developing more Application Programming Interfaces (APIs), the tools needed to exchange records and data. McMillan said APIs should be thoroughly tested before being put into the healthcare systems. McMillan noted that in most cases, it's just as easy to develop them securely as it is to develop them insecurely. Researchers suggest that hospital systems need to invest in defenses such as privileged access management tools to limit the ability of attackers to gain access to passwords or other sensitive data. McMillan noted that as hospitals invest in more security systems, they also need to have someone tracking those systems. Healthcare systems sometimes install monitoring systems to detect breaches, but they don't have personnel actively watching those systems. Cybersecurity experts also stress the need for keeping some segmentation in their systems so that a breach can be contained. Lerman noted that it is critical for hospitals to have proactive response strategies in place to prevent attacks and ensure continuity of care in the event of an attack. Lerman also stated that more government intervention is needed "to ensure hospitals are prepared with the tools they need to address the evolving threat landscape in healthcare." In the future, healthcare organizations must prioritize strengthening their cybersecurity because it could be the difference between life and death for some patients.

Cybersecurity Snapshots #32 - LockBit Ransomware Group

Security researchers at Digital Shadows have discovered that ransomware activity continues to increase, and they cite the LockBit ransomware group as a major contributor to the rise. The researchers monitored almost 90 data leak sites on the dark web and observed that ransomware groups claimed 705 victims in Q2 2022, representing a 21% increase over the prior quarter's 582. The researchers stated that the LockBit ransomware group overtook Conti in victim numbers as Conti ceased operations following the leak of internal chat logs. Conti had reached almost 900 victims during its operations, but LockBit is now closing in on 1000 after a 13% growth in activity during the quarter. At around 230, LockBit's quarterly victim numbers far exceeded any other group in Q2. It was accountable for almost a third of all postings to leak sites in Q2. Some big companies that fell victim to the LockBit ransomware group included Mandiant, La Poste Mobile, Atento, and Accenture.

The LockBit ransomware gang first emerged in September 2019. LockBit functions as Ransomware-as-a-Service (RaaS), meaning that cybercriminals place a deposit in exchange for the use of custom "for-hire" attacks. LockBit originally targeted organizations in the U.S., the UK, Germany, China, India, France, Ukraine, and Indonesia.

LockBit 1.0 eventually evolved into LockBit 2.0, which first appeared on Russian-language cybercrime forums in January 2021. LockBit 2.0 relied on tools such as Windows PowerShell and Server Message Block (SMB) to attack organizations and scan networks in order to infect compromised devices. Because LockBit 2.0 primarily used tools built into Windows, its malicious activity was harder to detect. LockBit 2.0 successfully deployed ransomware in the following industries: manufacturing, retail and food, construction, and professional services, with most of the attempts being against Chile, Taiwan, Italy, and the U.K. After re-emerging as LockBit 2.0, the gang chose not only to encrypt systems but also to adopt the double extortion model. With double extortion, threat actors go beyond encryption by exfiltrating an organization's data and threatening to publicize the stolen data if the demanded ransom is not paid. If an organization does not pay the ransom, the gang publishes and sells the exfiltrated data on its own dedicated data leak site. Sometimes it sells the stolen data even if the organization paid the demanded ransom.

The LockBit ransomware group touts its speed over competing ransomware families to attract potential buyers for its RaaS. Many buyers of RaaS want the fastest ransomware, because ransomware that encrypts files quickly makes it virtually impossible for victims to counter the attack once it starts. Earlier this year, the LockBit group posted a table listing encryption speeds for more than 30 ransomware families, highlighting LockBit 2.0 as the fastest. Security researchers on Splunk's SURGe research team conducted a new study to test LockBit's claim that it is the quickest ransomware. The researchers found that LockBit was faster than other ransomware families, but there were some notable differences. For example, LockBit 2.0 was actually slower at encrypting files than the original LockBit 1.0: LockBit 1.0 takes 2.33 minutes to encrypt 98553 files, and LockBit 2.0 takes 2.5 minutes to encrypt 98548 files. The researchers stated that the pace at which ransomware encrypts files is faster than any network defender can handle. They noted that enterprise defenders cannot "win" during the encryption phase, so their best chance of foiling a ransomware attack is to detect the intrusion before the encryption process kicks off. Researchers at Mandiant recently reported that ransomware operators tend to spend three to five days in the victim environment collecting information before kicking off encryption. The researchers stated that security teams need to be acting during those three to five days.

The ransomware gang continues to innovate and launched LockBit 3.0 in March 2022. With the launch of LockBit 3.0, the gang created a bug bounty program. Similar to how legitimate companies reward researchers for helping them improve their security, LockBit operators claim they are prepared to pay out between $1,000 and $1 million to security researchers and hackers. Rewards can be earned for website vulnerabilities, flaws in the ransomware encryption process, vulnerabilities in the Tox messaging app, and vulnerabilities exposing their Tor infrastructure. According to researchers at Cyble, the latest version of the ransomware encrypts files on victims' machines and appends the extension "HLjkNskOq" to encrypted files. It requires a key supplied through the command-line argument "-pass" in order to execute. LockBit 3.0 is stored encrypted and decrypts its strings and code at runtime, resolving its API functions dynamically. The researchers noted that the ransomware additionally creates various threads to perform numerous tasks in parallel for faster encryption; the threads are responsible for querying system information, creating the ransom note, getting file attributes, and deleting services. To encrypt files successfully, LockBit 3.0 deletes a few services. After encryption, victims are instructed on how to pay the demanded ransom via a ransom note dropped onto the victim's computer. Victims are threatened with having their data leaked on LockBit 3.0's data leak site if the ransom isn't paid in Bitcoin. Other new features in LockBit 3.0 include support for payments in the Zcash cryptocurrency, a reward program for any information on high-value targets, and a new data leak site that allows anyone to purchase victim data. The top sectors targeted with LockBit 3.0 include Bank Financial Services Industry (BFSI) (33.3%), professional services (22.2%), technology (11.1%), manufacturing (11.1%), consumer goods (11.1%), and construction (11.1%).

The LockBit ransomware gang is expected to be even more active in the future. Security researchers suggest that organizations protect themselves from ransomware such as LockBit 3.0 by ensuring that the usual security best practices are in place, including not opening unverified emails or clicking on embedded links or attachments in such messages, and regularly backing up important files using the 3-2-1 rule, which calls for keeping three backup copies in two different file formats, with one of the backups in a separate physical location. As usual, regular updates of software and applications with the latest patches are also recommended. The researchers also suggest monitoring inbound and outbound network traffic, with alerts for data exfiltration in place.

Cybersecurity Snapshots #33 - Car Dealerships Need to Take Cybersecurity More Seriously

Adversaries are targeting automotive dealerships more frequently because they have realized that many are easy targets that hold a large amount of confidential customer data. Security researchers at CDK Global found that 85% of dealership IT employees surveyed reported that their dealership had suffered a cyberattack in the last two years. The researchers noted that auto dealer IT networks intercept around 153 viruses and 84 malicious spam emails daily. Many surveyed dealerships (70%) do not have up-to-date antivirus software, and the researchers found that a successful ransomware attack against a dealership usually causes 16 days of downtime.

In 2019, Arrigo Automotive Group was hit with a ransomware attack that halted business for several days. In August 2020, a German dealership belonging to the Volkswagen Group fell victim to the "Conti" ransomware group. In total, 8,325 invoices in PDF form were stolen and published on a leak site, exposing details that could be used in scamming or phishing attacks against the clients; these invoices could also help Business Email Compromise (BEC) actors target Volkswagen. In February 2021, Kia Motors America was hit with a ransomware attack that caused a nationwide IT outage affecting internal, dealer, and customer-facing systems. The DoppelPaymer ransomware gang left a ransom note stating that a "huge amount" of data was stolen and would be released in 2-3 weeks if Kia Motors America did not pay the ransom. On January 11, 2022, one of Europe's biggest car dealers, Emil Frey, was hit by a ransomware attack; the Swiss company showed up on the list of victims of Hive ransomware on February 1. One of the UK's largest family-run car dealerships suffered a serious ransomware attack in July, which resulted in data theft and damage "beyond repair" to some core systems. Holdcroft Motor Group was earlier hit with a ransom demand after hackers stole two years' worth of data, including staff personal information. Researchers noted that many automotive companies do not check their vendors' cybersecurity practices before doing business with them, which also makes them easy targets. In May 2021, it was discovered that one of Volkswagen's vendors had left one of its systems open for nearly two years, exposing the personal data of 3.3 million customers. The breach took place between August 2019 and May 2021. Volkswagen noted that the data, mainly collected for sales and marketing, was exposed by a vendor used by Volkswagen, its Audi subsidiary, and authorized dealers. For upwards of 97% of the affected customers, the attackers got access to personal information about customers and prospective buyers, including names, postal and email addresses, and phone numbers. Other buyers or prospective buyers were hit harder, since more sensitive data, including Social Security numbers, dates of birth, and driver's license numbers, was stored on the vendor's leaky server.

Automotive dealerships need to take their cybersecurity more seriously, especially since 84% of consumers surveyed said they would not go back to buy another vehicle after their data had been compromised. If a cyberattack does occur, there is a high likelihood that many customers will never return. Security experts are urging car dealerships to follow cybersecurity best practices. Employee cybersecurity training should be provided to all dealership employees, and dealerships need to do a better job ensuring that all their software is up to date. When using a vendor to provide a service, security experts suggest that the vendor's cybersecurity practices should be reviewed before ever doing business with them.

Cybersecurity Snapshots #34 - Hive Ransomware Group

Hive ransomware was first observed in June 2021, and the Hive ransomware group is believed to be based in Russia. Since then, it has grown into one of the most prevalent ransomware payloads in the Ransomware as a Service (RaaS) ecosystem. According to the Palo Alto Networks Incident Response Report, the group is now one of the top three active ransomware gangs. Analysis by the company's Unit 42 division revealed that Hive was responsible for 8% of observed ransomware attacks between May 2021 and April 2022, despite only emerging in the second half of 2021. Between August 1, 2021, and February 28, 2022, researchers at Trend Micro detected Hive ransomware on 1264 machines. The top 10 countries most targeted by the Hive ransomware gang in 2021 were Argentina (312), Brazil (216), United States (160), Thailand (127), Italy (89), Spain (67), Colombia (56), France (48), Saudi Arabia (41), and El Salvador (36). The top 10 sectors targeted by the Hive ransomware gang in 2021 were Energy (186), Healthcare (125), Financial (102), Media (55), Education (38), Materials (31), Manufacturing (30), Telecommunications (13), Technology (11), and Government (8). The Hive ransomware gang continues to infect many organizations with its ransomware.

Some of the Hive ransomware victims include Costa Rica's public health service; the largest European consumer electronics retailer, MediaMarkt; one of Europe's largest car dealers, Emil Frey; Indonesian gas giant Perusahaan Gas Negara; the US-based healthcare organizations Partnership HealthPlan, Memorial Healthcare System, and Empress EMS (Emergency Medical Services); the New York Racing Association (NYRA); Bell Technical Solutions (BTS), a subsidiary of Bell Canada; and multiple organizations with vulnerable Microsoft Exchange Servers.

Recently, the Hive ransomware gang released a new variant of its ransomware. The main difference between the new Hive variant and the old one is the programming language: the old variant was written in Go (also referred to as Golang), while the new Hive variant is written in Rust. Rust has advantages over other programming languages for ransomware. Security researchers at Microsoft noted that Hive gains the following advantages by using Rust: it offers several mechanisms for concurrency and parallelism, enabling fast and safe file encryption; it has a good variety of cryptographic libraries; and it is relatively more difficult to reverse-engineer. The new Hive variant uses string encryption, which can make it more evasive. The researchers noted that the most interesting change in the new variant is its cryptography mechanism. It uses a different set of algorithms: Elliptic Curve Diffie-Hellman (ECDH) with Curve25519 and XChaCha20-Poly1305 (authenticated encryption with the ChaCha20 symmetric cipher). The new Hive variant also uses a unique approach to file encryption. The researchers noted that instead of embedding an encrypted key in each file it encrypts, it generates two sets of keys in memory, uses them to encrypt files, and then encrypts the sets and writes them to the root of the drive it encrypts, both with a .key extension. After both key files are written to disk, the multi-threaded file encryption starts. The researchers noted that before encrypting each file, the malware checks its name and extension against a list of strings; if there is a match, the file is not encrypted.

The Hive ransomware group is expected to remain one of the most active ransomware groups this year, which means that organizations need to be aware of Hive ransomware. The security researchers at Microsoft noted some key ways to help organizations avoid being affected by ransomware. Organizations should require good credential hygiene and should audit credential exposure. Organizations should also prioritize deploying Active Directory updates and hardening their cloud environments. The researchers noted that organizations should also enforce MFA on all accounts, remove users excluded from MFA, and strictly require MFA from all devices, in all locations, at all times. The researchers also suggest that organizations enable passwordless authentication methods and disable legacy authentication.

Cybersecurity Snapshots #35 - The Impact of Global Warming on Supercomputers

Managers at High-Performance Computing (HPC) facilities, which include both supercomputers and data centers, are waking up to the costly effects of climate change. Natalie Bates, chair of an HPC energy efficiency working group set up by Lawrence Livermore National Laboratory (LLNL), stated that HPC facilities have heavy demands for cooling and a massive appetite for energy, which means weather extremes are making the design and location of supercomputers far more difficult.

In 2018, during a drought, the California wildfire known as the Camp Fire burned 620 square kilometers of land, reducing several towns nearly to ashes and killing at least 85 people. The disaster also had an effect far from the flames, at a supercomputer facility operated by Lawrence Berkeley National Laboratory (LBNL) 230 kilometers away. The National Energy Research Scientific Computing Center (NERSC) typically relies on outside air to help cool its hot electronics. However, smoke and soot from the fire forced engineers to cool recirculated air instead, driving up humidity levels. Humidity can also threaten the computers themselves, as NERSC discovered during a second fire: as interior air was recirculated, condensation inside server racks led to a blowout in one cabinet. Hot and dry weather took a toll again a year later. California utilities cut NERSC's power for fear that winds near LBNL might blow trees into power lines, sparking new fires. Although NERSC has backup generators, many machines were shut down for days. For its next supercomputer, set to open in 2026, NERSC is planning to install power-hungry chiller units, similar to air conditioners, that would both cool and dehumidify outside air. Nicolas Dube, the chief technologist for Hewlett Packard Enterprise's HPC division, stated that building chiller units for supercomputers comes with massive costs, and such adaptations are motivating some HPC centers to migrate to cooler and drier climates, places like Canada and Finland. Dube stated that HPC centers will not be able to build in some locations in the future, since it just doesn't make sense. Natalie Bates thinks the opposite and states that running from climate change can be futile. For example, in 2012, the National Center for Atmospheric Research opened a supercomputer site in Cheyenne, Wyoming, to take advantage of its cool, dry air. However, climate change has led to longer and wetter thunderstorm seasons there, hampering evaporative cooling. In response, the Wyoming center added a backup chiller. Bates noted that no matter where an HPC facility is located, you now have to build infrastructure to meet the worst possible conditions, which gets expensive.

Some HPC facilities find themselves stuck and cannot move. For example, the supercomputers at LLNL are used to simulate the explosions of nuclear weapons. Chief Engineer Anna-Maria Bailey noted that the cost of relocating specialized personnel could be prohibitive, and LLNL's California site is a highly secure facility. Instead of moving the supercomputers, LLNL is studying the possibility of moving its computers underground. Bailey noted that humidity and temperature control would be a lot easier underground.

Climate change is also threatening the lifeblood of these HPC facilities: electricity. HPC centers consume up to 100 megawatts of power, as much as a medium-sized town. Meanwhile, hotter temperatures increase power demand from other users. During California's heat wave this past summer, when air-conditioning use surged, LLNL's utility told the facility to prepare for power cuts of 2 to 8 megawatts. Although the cuts did not happen, it was the first time the laboratory was asked to prepare for non-voluntary cuts. Many HPC facilities are heavy users of water too, which is piped around components to carry away heat, and water will grow scarcer in the western United States as droughts persist or worsen. To counter this, Jason Hick, LANL program manager, noted that a decade ago Los Alamos National Laboratory in New Mexico invested in water treatment facilities so its supercomputers could use reclaimed wastewater rather than more precious municipal water.

Although droughts and rising temperatures may be the biggest threats, a RIKEN HPC facility in Kobe, Japan, must contend with power outages because of storms, which are expected to intensify with global warming. A high-voltage substation was flooded in 2018, cutting RIKEN's power for more than 45 hours. Similarly, a lightning strike on a power line this year knocked the facility out for about 15 hours. Fumiyoshi Shoji, who directs operations and computer technologies, stated that the center's 200 projects span fields such as materials science and nuclear fusion. Shoji noted that these research projects would stall if their systems were unavailable.

As climate change is expected to worsen, academia and industry need to discuss the effect supercomputers have on the environment and how environmental factors affect supercomputers. Bates noted that future supercomputers will need to be constructed in ways that will allow them to cut performance, and the need for cooling and power, during bouts of bad weather.

Cybersecurity Snapshots #36 - Phobos Ransomware

Recently, security researchers at Deep Instinct found that Phobos was one of the most common ransomware families during Q3 2022. Phobos ransomware first appeared at the end of 2017 and is an older ransomware variant. The adversaries behind Phobos usually target small and medium-sized companies across many different sectors. The average Phobos ransom payment as of July 2022 was $36,932, up from $13,955 in 2020. The total number of companies that have fallen victim to Phobos ransomware since its inception is unknown.

Researchers from Coveware and Palo Alto Networks Unit 42 have noted that Phobos shares several similarities with Dharma ransomware. Security researchers at Coveware noted that, like Dharma, Phobos exploits open or poorly secured Remote Desktop Protocol (RDP) ports to get inside networks and execute a ransomware attack, encrypting files and demanding a ransom paid in bitcoin for returning the files, which in this case are locked with a .phobos extension. Aside from the "Phobos" logos, the ransom note is the same as the note used by Dharma, with the same typeface and text throughout. The researchers noted that Phobos shares much of the same code as Dharma, describing it as a "largely cut and paste variant of Dharma." Coveware also stated that Phobos contains elements of CrySiS ransomware, itself related to Dharma, and that anti-virus software detects Phobos as CrySiS. The researchers noted that the ransomware's file markers differentiate it from Dharma; however, the attack methods and threat remain the same. Coveware indicated that while the ransomware type may be different, the group distributing Phobos, the exploit methods, ransom notes, and communications remain nearly identical to Dharma. Researchers believe that Phobos is being distributed by the gang behind Dharma and likely serves as an insurance policy for malicious campaigns, providing attackers with a second option for conducting attacks should Dharma end up decrypted or prevented from successfully extorting ransoms from victims. Phobos has served as the foundation for later variants, including Eking, discovered in October 2020, and Fair, detected in March 2021.

Researchers noted that the developers added new fileless and evasive techniques in this most recent variant. Given the considerable effort the ransomware developers put into adding defense evasion capabilities and reducing the footprint of the recent Fair variant of Phobos ransomware, the operators behind Phobos are likely more focused on cyber espionage while attempting to increase their foothold in enterprise businesses. The researchers stated that in one case, the threat actors maintained persistence in a company's network for eight months while remaining undetected. One of the more significant recent updates to Phobos ransomware is a lower scope of encryption, in which the Phobos developers removed the User Account Control (UAC) requirement in order to maintain medium integrity. This means no encryption of privileged folders, which leads to a lower footprint. The researchers noted that while there are fewer files to encrypt, Phobos's developers did not want to compromise files with open handles, which most likely would significantly impact the victims. The researchers noted that there is also a clear indication that Phobos ransomware targets servers rather than workstations, as some of the malware's commands are only relevant to servers.

In an advisory, the U.S. Department of Health and Human Services (HHS) noted that common infection vectors for Phobos ransomware include malicious attachments distributed via phishing, open and poorly secured RDP connections, brute force techniques to obtain RDP credentials, stolen or illegally purchased RDP credentials, common security misconfigurations, and insecure connections on ports 338 and 3389, which are the ports legitimately used to access servers remotely.

Security researchers at Malwarebytes suggested mitigations organizations can implement to help protect themselves from Phobos ransomware. The researchers say organizations should configure the RDP server built into the Windows OS to deny public IPs access to TCP ports 3389 and 338, the default ports of Windows Remote Desktop, which enable remote connections to other computers. If an organization has no need for RDP, it is better to disable the service altogether, and critical systems or systems with sensitive information should not have RDP enabled. The researchers also suggest blocking TCP port 445, the default SMB port. They further propose that organizations only allow RDP access from IP addresses under the organization's control. Organizations should enable logging of RDP access attempts and review the logs regularly to detect potential intrusions. Organizations should enforce strong passwords and account lockout policies for Active Directory domains and local Windows accounts. Organizations should also have employees use virtual private networks (VPNs) when working remotely, use multi-factor authentication where possible, and ensure that software, including the OS and anti-malware, is up to date.
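As an added example (not code from Malwarebytes or any source the page cites), the following PowerShell applies the RDP mitigations above to a single Windows host and summarizes RDP logon attempts from the Security log. It assumes an elevated session, uses the placeholder management subnet 10.10.0.0/24, and handles only the standard port 3389 through the built-in "Remote Desktop" firewall rule group.

```powershell
# Placeholder: replace with the address ranges the organization actually controls.
$AllowedRdpSources = @('10.10.0.0/24')

function Disable-Rdp {
    # For hosts that do not need RDP at all: refuse connections and disable the firewall rules.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name 'fDenyTSConnections' -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

function Limit-RdpSources {
    param([string[]]$Sources = $AllowedRdpSources)
    # Network Level Authentication: credentials are checked before a session is created.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
        -Name 'UserAuthentication' -Value 1
    # Scope the built-in Remote Desktop rules (port 3389) to the allowed sources. Anything
    # else, including public IPs, falls through to the firewall's default inbound block.
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -RemoteAddress $Sources
    # SMB (TCP 445) should not be reachable from outside either.
    New-NetFirewallRule -DisplayName 'Block inbound SMB 445' -Direction Inbound `
        -Protocol TCP -LocalPort 445 -Action Block
}

function Set-LockoutPolicy {
    # Local account lockout: 5 failures lock the account for 30 minutes.
    net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30
}

function Get-RdpLogonSummary {
    param([int]$Hours = 24)
    # 4624 = successful logon, 4625 = failed logon; LogonType 10 = RemoteInteractive (RDP).
    # Requires "Audit Logon" success and failure auditing to be enabled.
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since } `
        -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the event's EventData into a name -> value table.
            $field = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
            if ($field['LogonType'] -eq '10') {
                $outcome = 'failure'
                if ($_.Id -eq 4624) { $outcome = 'success' }
                [pscustomobject]@{
                    Outcome = $outcome
                    User    = "$($field['TargetDomainName'])\$($field['TargetUserName'])"
                    Source  = $field['IpAddress']
                }
            }
        } |
        Group-Object Outcome, Source, User |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Typical use on a host that must keep RDP for administrators; a burst of failures from one
# source address is the brute-force pattern described in the HHS advisory above.
Limit-RdpSources
Set-LockoutPolicy
Get-RdpLogonSummary -Hours 24 | Format-Table -AutoSize
```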

Cybersecurity Snapshots #37 - New Ransomware Families and Variants

Researchers at Cybersecurity Ventures predict that ransomware will cost its victims around $265 billion annually by 2031, with a new attack on a consumer or business occurring every 2 seconds as ransomware perpetrators progressively refine their malware payloads and related extortion activities. Security researchers at Deloitte estimate that around 4,000 ransomware attacks occur daily. Researchers argue that companies cannot just put "good cybersecurity hygiene practices" into place to stay protected from ransomware attacks. Companies must also keep up to date on what new ransomware families or variants are being created so that they can make any changes to the security practices they have in place if they need to do so. In just the first half of 2022, the number of new ransomware variants that FortiGuard Labs identified increased by nearly 100% compared with the previous six-month period. The FortiGuard Labs team documented 10,666 new ransomware variants in the first half of 2022, compared with just 5,400 in the second half of 2021.

Security researchers at Fortinet have shared information on three new popular ransomware families: Aerst, ScareCrow, and Vohuk. All three target Windows computers, encrypt victim files, and demand a ransom payment in exchange for a decryption key, and they have been used in an increasing number of attacks. The researchers stated that Aerst appends the ".aerst" extension to encrypted files and, instead of dropping a typical ransom note, displays a popup window containing the attacker's email address and a field where the victim can enter a purchase key required to restore the encrypted data. Aerst deletes Volume Shadow copies to prevent file recovery. Vohuk, by contrast, does drop a ransom note, readme.txt, asking the victim to contact the attackers via email. Seemingly under continuous development, the malware assigns a unique ID to each victim. The researchers noted that this ransomware family appends the ".vohuk" extension to the encrypted files, replaces file icons with a red lock icon, and replaces the desktop wallpaper with its own. It leaves a distinctive mutex, "Global\\VohukMutex," which prevents different instances of Vohuk ransomware from running on the same system. Vohuk has been used mainly to target users in Germany and India. The third ransomware, ScareCrow, drops a ransom note named "readme.txt" that instructs victims to contact the attacker using one of three Telegram channels. ScareCrow seems to be the most widespread, with files submitted from the United States, Germany, India, Italy, the Philippines, and Russia. The researchers noted some similarities between ScareCrow and Conti, such as the use of the CHACHA algorithm for encryption and the use of the WMI command-line utility to delete Volume Shadow copies, which suggests that ScareCrow's developers might have used the Conti source code leaked earlier this year. The researchers stated that the ransomware's developer has encrypted each string in the malware, including DLL names, API names, and command strings, each with a different decryption routine. ScareCrow appends the ".crow" extension to the encrypted files.
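As an added example (not from the Fortinet report), here is PowerShell for two host-side checks built from the indicators above: whether the Vohuk mutex is currently held on the machine, and whether recent process-creation events show the shadow-copy deletion commands that Aerst and ScareCrow use. The sample command lines are constructed, and the regex patterns are assumptions beyond the page's mention of the WMI command-line utility.

```powershell
# Mutex names quoted in the text. The page prints the name with an escaped backslash
# ("Global\\VohukMutex"); the kernel object name itself has a single backslash.
$KnownMutexes = @('Global\VohukMutex')

function Test-KnownMutex {
    param([string[]]$Names = $KnownMutexes)
    # TryOpenExisting succeeds only if some process currently holds a mutex of that name.
    # An access-denied error also means the object exists (held by another session/user).
    foreach ($name in $Names) {
        $m = $null
        $present = $false
        try {
            $present = [System.Threading.Mutex]::TryOpenExisting($name, [ref]$m)
            if ($present) { $m.Dispose() }
        } catch [System.UnauthorizedAccessException] {
            $present = $true
        }
        [pscustomobject]@{ Mutex = $name; Present = $present }
    }
}

# Command-line patterns for shadow-copy deletion (assumed set; vssadmin and the WMI
# command-line utility are the usual tools, the latter being what ScareCrow uses).
$ShadowDeletePatterns = @(
    'vssadmin(\.exe)?\s+delete\s+shadows',
    'wmic(\.exe)?\s+shadowcopy\s+delete',
    'Win32_ShadowCopy.*\.Delete\(\)'
)

function Test-ShadowCopyDeletion {
    param([string]$CommandLine)
    # Returns $true when the command line matches any known deletion pattern.
    foreach ($p in $ShadowDeletePatterns) {
        if ($CommandLine -imatch $p) { return $true }
    }
    return $false
}

function Get-ShadowCopyDeletionEvents {
    param([int]$Hours = 24)
    # Scan recent Security 4688 (process creation) events. The CommandLine field is only
    # populated when "Include command line in process creation events" is enabled.
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } `
        -ErrorAction SilentlyContinue |
        ForEach-Object {
            $field = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
            if (Test-ShadowCopyDeletion $field['CommandLine']) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Parent  = $field['ParentProcessName']
                    Process = $field['NewProcessName']
                    Command = $field['CommandLine']
                }
            }
        }
}

# Constructed sample command lines to exercise the matcher offline: the first two should be
# flagged, the third (a harmless listing) should not.
$samples = @(
    'vssadmin.exe delete shadows /all /quiet',
    'wmic.exe shadowcopy delete',
    'vssadmin.exe list shadows'
)
$samples | ForEach-Object { [pscustomobject]@{ Command = $_; Flagged = (Test-ShadowCopyDeletion $_) } }

# Live checks on this host:
Test-KnownMutex
Get-ShadowCopyDeletionEvents -Hours 24 | Format-Table -AutoSize
```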

According to the researchers at FortiGuard, the growth in the number of new ransomware families and variants is primarily because more adversaries are taking advantage of Ransomware-as-a-Service (RaaS) on the Dark Web. As new ransomware families come to life and new variants are created, it will be critical for companies to stay as informed as possible about what is happening and to make any changes needed to help mitigate them.

Cybersecurity Snapshots #38 - Royal Ransomware

Royal ransomware emerged in January 2022. Microsoft initially attributed the distribution of Royal ransomware to DEV-0569. Now researchers are stating that the threat actors behind Royal ransomware have officially branded themselves with the name Royal. The threat group is primarily focused on targeting entities within the United States. Researchers noted that the ransomware operation uses unusual techniques to breach networks before encrypting them with malware and demanding ransom payments. Some Royal ransomware campaigns distribute the malware via malicious attachments, and some distribute the malware via malicious advertisements. Researchers stated that although Royal is a newer ransomware operation, they believe that the threat actors behind it are very experienced due to evidence of previously seen tactics and techniques.

Initially, Royal used BlackCat's encryptor but then transitioned to its own Zeon encryptor. Since Royal emerged, the ransomware operators have evolved their delivery methods to include using Google Ads in a campaign to blend in with normal ad traffic, making malicious downloads appear authentic by hosting fake installer files on legitimate-looking software download sites, and using contact forms on organizations' websites to distribute phishing links. These methods have allowed the ransomware operators to reach a greater number of targets and achieve their goal of deploying various post-compromise payloads. Microsoft stated that Royal uses signed binaries and delivers encrypted malware payloads, relying heavily on defense evasion techniques. The group has also continued to use NSudo, an open-source tool, to try to disable antivirus solutions.

When Royal uses malicious links delivered to their targets to obtain initial access, the links are embedded in advertisements, fake forum pages, phishing emails, and blog comments. After the victim clicks, the links lead them to malicious files signed by Royal using a legitimate certificate. The malicious files masquerade as installers or updates for applications such as Zoom or Microsoft Teams. Researchers noted that the victim does not know that the files are malware downloaders known as BATLOADER. When the legitimate applications are launched, BATLOADER uses MSI Custom Actions to launch malicious PowerShell activity. BATLOADER also uses MSI Custom Actions to run batch scripts that attempt to disable security solutions, leading to the delivery of various encrypted malware payloads. Researchers observed Royal using BATLOADER hosted on attacker-created domains masquerading as software download sites, such as anydeskos.com, and on legitimate repositories, such as OneDrive and GitHub, between August and October 2022.
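The observable that the BATLOADER description above gives defenders is a process relationship: an MSI Custom Action runs inside msiexec.exe, so a script interpreter whose parent is msiexec.exe is the thing to hunt for, and the NSudo usage mentioned earlier is a second, weaker signal. The following is an added example, not code from Microsoft or any vendor named on this page; the sample events are constructed to resemble Sysmon Event ID 1 fields, and the list of evasive PowerShell flags and NSudo file names is an assumed heuristic.

```python
"""Flag process-creation telemetry in which msiexec.exe (the host process for MSI
Custom Actions) launches a script interpreter, the pattern described for
BATLOADER.  Events are constructed to resemble Sysmon Event ID 1 fields; real
input would come from an EDR or SIEM."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    ts: str
    host: str
    parent_image: str
    image: str
    cmdline: str


# Parent processes that should almost never launch script interpreters directly.
INSTALLER_PARENTS = {"msiexec.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Tool named in the text as used to disable antivirus (assumption: matching on the
# file name is a weak, easily renamed signal; names here are assumed, not from the page).
TAMPER_TOOLS = {"nsudo.exe", "nsudolc.exe", "nsudolg.exe"}
# Flags that hide or obscure PowerShell execution (heuristic list, not from the page).
EVASIVE_FLAGS = re.compile(
    r"(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop(rofile)?\b|"
    r"-ep\s+bypass|executionpolicy\s+bypass)",
    re.IGNORECASE,
)


def basename(path):
    """Lower-case file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return the list of reasons an event is suspicious (empty if none)."""
    reasons = []
    parent, child = basename(ev.parent_image), basename(ev.image)
    if parent in INSTALLER_PARENTS and child in SCRIPT_HOSTS:
        reasons.append(f"{parent} spawned {child} (MSI Custom Action running a script)")
        if EVASIVE_FLAGS.search(ev.cmdline):
            reasons.append("script host launched with evasive flags")
    if child in TAMPER_TOOLS:
        reasons.append(f"security-tampering tool {child} executed")
    return reasons


def detect(events):
    """Return (event, reasons) for every event that scores at least one reason."""
    return [(ev, reasons) for ev in events if (reasons := score_event(ev))]


# Constructed sample telemetry: two MSI-driven script launches, one NSudo run,
# and two benign events that must not fire.
SAMPLE_EVENTS = [
    ProcEvent("2022-10-03T09:14:02Z", "WS-017", r"C:\Windows\System32\msiexec.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -enc QUFBQQ=="),
    ProcEvent("2022-10-03T09:14:03Z", "WS-017", r"C:\Windows\System32\msiexec.exe",
              r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\Users\Public\setup.bat"'),
    ProcEvent("2022-10-03T09:15:40Z", "WS-017", r"C:\Windows\System32\cmd.exe",
              r"C:\Users\Public\NSudo.exe", "NSudo.exe cmd.exe"),
    ProcEvent("2022-10-03T10:01:11Z", "WS-020", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Get-ChildItem"),
    ProcEvent("2022-10-03T10:02:00Z", "WS-020", r"C:\Windows\System32\services.exe",
              r"C:\Windows\System32\msiexec.exe", "msiexec.exe /V"),
]

if __name__ == "__main__":
    for ev, reasons in detect(SAMPLE_EVENTS):
        print(ev.ts, ev.host, basename(ev.image), "->", "; ".join(reasons))
```

Legitimate installers do occasionally run scripts from custom actions, so this rule is a triage starting point rather than a block rule: the parent-child pair alone is worth a ticket, and the evasive-flag match is what should raise its priority.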

In addition to using installer files, Royal uses file formats such as Virtual Hard Disk (VHD) to impersonate legitimate software for first-stage payloads. The threat actor also uses various infection chains that use PowerShell and batch scripts, ultimately leading to the download of malware payloads such as a legitimate remote management tool used for persistence on the network. The management tool also acts as an access point for the staging and spreading of ransomware. By late October 2022, researchers observed Royal using malicious Google Ads to deliver BATLOADER in what researchers are calling a malvertising campaign. The Google Ads pointed to the legitimate Traffic Distribution System (TDS) Keitaro. According to Microsoft, Keitaro provides capabilities to customize advertising campaigns via ad-traffic tracking and user- or device-based filtering. The researchers noted that the TDS redirects the victim either to a legitimate download site or to a malicious BATLOADER download site. By using Keitaro, Royal can filter traffic and avoid IP ranges of known security sandboxing solutions.

The group's phishing attacks include callback phishing, where they impersonate food delivery and software providers in emails that look like subscription renewals. Researchers noted that the phishing emails contain phone numbers the victim must contact to cancel the "subscription." Once the victim calls the number, they speak to threat actors who use social engineering to convince the victim to install remote access software. This remote access software is used to gain initial access to corporate networks.

Royal is not a ransomware-as-a-service (RaaS) operation with affiliates. Instead, they work with vetted team members. The group is relatively low-key and does not promote its attacks as some other groups do. Their ransom note is named README.TXT and contains a link to a private Tor negotiation page unique to each victim. The negotiation page consists of a chat screen for communication with Royal ransomware operators. Researchers noted that the group will decrypt a few files during negotiation to prove their decryptor works. They will also share file lists of stolen data at times. Their victim site is hosted on the Tor network and includes the victim's name, a link to their website, and a company profile. They will also post samples of exfiltrated files at the start of negotiations with links to the entire data set if negotiations fail.

In September 2022, the operators behind Royal ransomware began ramping up their malicious activities. In November 2022, Royal took responsibility for a ransomware attack on one of the United Kingdom's most popular racing circuits, Silverstone Circuit. The attack held up dozens of Formula One races and motorcycle events. Security researcher Brett Callow at Emsisoft stated that, unlike current ransomware groups, Royal uses multiple ransomware types and uses the .Royal extension for encrypted files rather than using randomly generated extensions. In December 2022, Royal conducted a ransomware attack on the Travis Central Appraisal District. The agency provides appraisal values for properties. As a result of the attack, the agency's servers, website, and email were shut down for more than two weeks. However, because the agency diversified where its information was stored, it was able to continue operations. Also in December 2022, the Department of Health and Human Services Cybersecurity Coordination Center (HC3) warned that Royal-based ransomware attacks were steadily increasing. HC3 noted that ransom demands from Royal ranged from $250,000 to more than $2 million. HC3 also stated that Royal should be considered a threat to the health and public health sectors due to the ransomware group victimizing the healthcare community.

Security researchers warn that organizations should keep an eye out for this group, as they are quickly ramping up operations and will likely become one of the more significant enterprise-targeting ransomware operations in 2023.

Cybersecurity Snapshots #39 - Exascale Supercomputers

Supercomputers are used to model and simulate complex, dynamic systems that would be too expensive, impractical, or impossible to demonstrate physically. Supercomputers have changed the way scientists explore the evolution of our universe, biological systems, weather forecasting, and even renewable energy. A new type of supercomputer, the exascale supercomputer, is now being used. Exascale supercomputers are allowing scientists to better simulate the complex processes involved in stockpile stewardship, medicine, biotechnology, advanced manufacturing, energy, material design, and the universe's physics, more quickly and with higher definition.

In 2018 the Oak Ridge National Laboratory unveiled Summit as the world's most powerful and smartest scientific supercomputer, with a peak performance of 200,000 trillion calculations per second or 200 petaflops. In 2018, Summit was eight times more powerful than America's top-ranked system at the time. In 2022, Oak Ridge National Laboratory unveiled the first declared exascale computer, Frontier. Frontier has a peak performance of 2 quintillion calculations per second or 2 exaflops. Frontier will soon have better competition from incoming exascale supercomputers such as El Capitan, housed at Lawrence Livermore National Laboratory, and Aurora, which will reside at Argonne National Laboratory.

The new exascale supercomputers are projects of the Department of Energy (DOE) and its National Nuclear Security Administration (NNSA). The DOE oversees these labs and a network of others across the country. NNSA is tasked with keeping watch over the nuclear weapons stockpile, and one of exascale computing's reasons for being is to run calculations that help maintain that arsenal. When scientists are finished commissioning Frontier, the DOE stated that it would be dedicated to fundamental research. The DOE hopes to illuminate core truths in various fields, such as learning about how energy is produced, how elements are made, and how the dark parts of the universe spur its evolution, all through almost-true-to-life simulations in ways that wouldn't have been possible even with supercomputers of a few years ago.

Frontier is made up of nearly 10,000 Central Processing Units (CPUs), which execute the computer's instructions and are generally made of integrated circuits, and almost 38,000 Graphics Processing Units (GPUs). GPUs were originally created to quickly and smoothly display visual content in gaming, but they have been reappropriated for scientific computing, in part because they're good at processing information in parallel. The DOE noted that the two kinds of processors inside Frontier are linked. The GPUs do repetitive algebraic math in parallel, which frees the CPUs to direct tasks faster and more efficiently. The DOE noted that by breaking scientific problems into a billion or more tiny pieces, Frontier allows its processors to each eat their own small bite of the problem. The DOE stated that the 9,472 different nodes in the supercomputer are also all connected in such a way that they can pass information quickly from one place to another. The DOE noted that, importantly, Frontier doesn't just run faster than machines of the past. It also has more memory. This allows Frontier to run more extensive simulations and hold tons of information in the same place it's processing the data.

The DOE stated that with its power, Frontier could teach humans things about the world that might have remained opaque before. In meteorology, it could make hurricane forecasts clearer. In chemistry, it could experiment with different molecular configurations to see which might make great superconductors or pharmaceutical compounds. And in medicine, it has already analyzed all the genetic mutations of SARS-CoV-2, the virus that causes COVID. It was able to cut the time that calculation took from a week to a day and allowed scientists to understand how these mutations affect the virus's contagiousness.

Douglas Kothe, associate laboratory director of computing and computational sciences at Oak Ridge, stated that, in principle, the community could have developed and deployed an exascale supercomputer much sooner, but it would not have been usable, useful, and affordable by their standards. Kothe noted that obstacles such as huge-scale parallel processing, energy consumption, reliability, memory, storage, and lack of software to start running on such supercomputers stood in the way of those standards. Years of focused work with the high-performance computing industry lowered those barriers to finally satisfy scientists. Frontier's upgraded hardware is the main factor behind its improvements, but hardware alone doesn't do scientists that much good if they don't have software that can harness the machine's new power. That's why an initiative called the Exascale Computing Project (ECP), which brings together the DOE, NNSA, and industry partners, has sponsored 24 initial science-coding projects alongside the supercomputers' development. Frontier can process seven times faster and hold four times more information in memory than its predecessors. In the future, we can look forward to seeing the new advancements and knowledge that exascale supercomputers will allow us to achieve.

Cybersecurity Snapshots #40 - Trigona Ransomware

According to cybersecurity firm Palo Alto Networks, a new ransomware family has proven highly active over the past several months. The new ransomware has been dubbed Trigona. Trigona has had minimal coverage by security news articles to date. The company noted that this lack of security community awareness allows Trigona to discreetly attack victims while other higher-profile ransomware operations dominate the news headlines.

The malware emerged at the end of October 2022, targeting agriculture, construction, finance, high-tech, manufacturing, and marketing organizations in Australia, Italy, France, Germany, New Zealand, and the United States. Palo Alto Networks noted that one of the main features that sets Trigona apart from other file-encrypting ransomware is that it uses a .hta ransom note that contains JavaScript code to display payment instructions to the victim. The JavaScript code contains unique victim identifiers, a link to a Tor portal to negotiate with the attackers, and an email address. Based on the victim IDs embedded in identified ransom notes, Palo Alto Networks believes that at least 15 organizations were potentially compromised in December 2022 alone. Several other ransom notes were found in January and February 2023.

According to Palo Alto Networks, upon execution on the victim's system, the Trigona ransomware uses a Delphi AES library to encrypt files and appends the "_locked" extension to them. The malware achieves persistence for itself and for the dropped ransom note by modifying registry keys. Trigona's operators have been observed compromising a target's network, performing reconnaissance, employing Remote Monitoring and Management (RMM) software to download malware, creating new user accounts, and executing the ransomware. Some of the tools observed in Trigona attacks by researchers include NetScan (for reconnaissance), Start.bat batch script (copies files to a newly created folder), Turnoff.bat (a cleanup script), Newuser.bat (creates a new user account), Mimikatz, DC4.exe (executes a batch file to disable UAC, opens specific firewall ports, and enables remote desktop connections), and Advanced Port Scanner.

Palo Alto Networks noted that the ransomware operators also use a leak site to shame victims and pressure them into paying up by threatening to release stolen data. Posts on the leak site include descriptions of the company and stolen data, a timer, and a button to bid for the data. Palo Alto Networks noted that some posts on the leak site have countdown timers of over 300 days, and some have near-duplicate posts as on the Alphv (BlackCat) leak site, which suggests that Trigona might be leveraging BlackCat's reputation to extort victims. The leak site is no longer available on the surface web, indicating that it might have been a development environment before being moved to the dark web. Palo Alto Networks also identified similarities with the Tactics, Techniques, and Procedures (TTPs) associated with CryLock ransomware, which suggests that CryLock's operators might have moved on to the new ransomware family. Trigona ransomware is expected to claim many more victims this year, so organizations must be on the lookout for it.

Cybersecurity Snapshots #41 - BlackCat Ransomware Group

BlackCat ransomware group, also known as ALPHV and Noberus, has been around since at least November 2021. In April 2022, the FBI stated that BlackCat had infected more than 60 victims since starting in 2021, and now in April 2023, their leak website currently lists more than 300 victims. The group has been known to target industrial companies. According to Group-IB, which focuses on cybercrime, the BlackCat ransomware group targets mostly organizations in the United States, making up 47.3% of all organizations breached. One of the recent companies that fell victim to BlackCat ransomware is payments giant NCR.

In a FLASH alert, the FBI went into detail about the BlackCat ransomware group, stating that the threat actors gain initial access to a targeted system usually by using compromised user credentials. They then leverage that access to compromise user and admin accounts in Active Directory. This enables the threat actors to configure malicious Group Policy Objects (GPOs) through the Windows Task Scheduler for the purpose of deploying the ransomware payload. The FBI noted that upon initial deployment, BlackCat disables security features within the victim's network so that it can exfiltrate information prior to execution. It then uses several batch and PowerShell scripts to proceed with its infection. These include "est.bat," which copies the ransomware to other locations, and "drag-and-drop-target.bat," which launches the ransomware executable for the MySQL Server. The FBI stated that BlackCat stands out among other ransomware operations for the following reasons: it's a possible rebranding of DarkSide, it's written in Rust, and it pays affiliates a comparatively larger share than similar schemes.

The FBI stated that Rust enables BlackCat to target a broader range of systems, including both Windows and Linux. It also makes BlackCat into a very complex ransomware with efficient algorithms to aid in the encryption process of breached systems. The FBI noted that Rust aids in making the ransomware harder to analyze in sandbox environments. That's because many security solutions are still catching up in their ability to analyze threats written in Rust and other more modern languages.

Palo Alto Networks Unit 42 stated that as a RaaS operation, BlackCat's business model revolves around letting other attackers use their ransomware, conduct their own campaigns, and keep a percentage of their earnings. Most RaaS operations allow affiliates to keep 70% of their profits. With BlackCat, however, affiliates can expect to keep 80-90%. This makes this particular ransomware very popular among cybercriminals.

The use of BlackCat ransomware is expected to grow in the future, so it is essential for organizations to be aware of BlackCat ransomware and to put good cyber hygiene practices in place to help lessen the chance that one's organization will be affected by ransomware.

Cybersecurity Snapshots #42 - New Ransomware Gang Discovered: The RA Group

According to security researchers at GuidePoint Security, LockBit was once again the most prolific ransomware group, accounting for 31% of victims on leak sites in April, followed by Alphv (14%). Overall, however, the ransomware industry is increasingly characterized by a large number of smaller groups. The researchers observed a diverse slate of active threat groups in April 2023, with 27 unique groups. One of the smaller ransomware gangs recently discovered is called "RA Group." Security researchers at Cisco Talos discovered the ransomware gang, which emerged online on April 22.

The security researchers at Cisco Talos stated that the RA Group has already claimed to have stolen nearly 2.5 terabytes of data across just four victims, three in the U.S. and one in South Korea. Three of the victims were posted on April 27, and the next on April 28. The targets include a smaller company in the insurance industry, two larger companies in financial services, and an electronics supplier servicing the computer, communication, aerospace, marine, and military industries.

The security researchers found that, as is usual for such groups, ransom notes are built into the code and personalized for each victim organization. However, RA Group is unusual in also naming the victim in the executable. The researchers noted that both the debug path and the fact that the ransomware contains the same mutex as Babuk support Cisco Talos's assessment that the group is using the Babuk source code, which was leaked back in September 2021. The researchers stated that the executable itself uses curve25519 and the eSTREAM cipher hc-128 but only partially encrypts files in order to accelerate the process. Once completed, a ".Gagup" extension is applied, and all recycle bin and volume shadow copies of data are deleted. Cisco Talos noted that the RA Group doesn't encrypt all files and folders, leaving some untouched so that victim organizations can "download the qTox application and contact RA Group operators using the qTox ID provided on the ransom note."
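Three of the snapshots in this series give the same kind of on-disk indicator: Royal appends .Royal, Trigona appends _locked, and RA Group appends .Gagup to every file it encrypts. A file-activity rule that watches for one process renaming many files to a single new suffix catches all three, and catches an unknown family whose suffix is not yet on any list. This is an added example serving the Royal, Trigona and RA Group passages; it is not code from Cisco Talos or any other vendor on this page. The event format ("ts|host|process|op|src|dst"), the burst threshold and the sample events are constructed, and events are assumed to arrive in time order per process.

```python
"""Surface mass file renaming to a new suffix, the on-disk footprint shared by the
ransomware families in these snapshots (.Royal, _locked, .Gagup).  File events are
constructed here in a 'ts|host|process|op|src|dst' shape; real input would be EDR
or Sysmon file telemetry."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Suffixes named in the text, mapped to the family that appends them.
KNOWN_SUFFIXES = {".royal": "Royal", "_locked": "Trigona", ".gagup": "RA Group"}
BURST_THRESHOLD = 20                   # renames to one new suffix by one process ...
BURST_WINDOW = timedelta(seconds=60)   # ... within this window trips a burst alert


def parse_event(line):
    """Parse one constructed record (events assumed time-ordered per process)."""
    ts, host, proc, op, src, dst = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "host": host, "proc": proc,
            "op": op, "src": src, "dst": dst}


def appended_suffix(src, dst):
    """What a rename appended to the original name; falls back to the new extension."""
    if dst.startswith(src) and len(dst) > len(src):
        return dst[len(src):].lower()
    tail = dst.rsplit("\\", 1)[-1]
    return ("." + tail.rsplit(".", 1)[-1]).lower() if "." in tail else ""


def detect(lines):
    """Return alerts for known ransomware suffixes and for rename bursts."""
    alerts, reported = [], set()
    recent = defaultdict(deque)   # (host, proc, suffix) -> timestamps inside the window
    for ev in map(parse_event, lines):
        if ev["op"] != "RENAME":
            continue
        suffix = appended_suffix(ev["src"], ev["dst"])
        key = (ev["host"], ev["proc"], suffix)
        window = recent[key]
        window.append(ev["ts"])
        while ev["ts"] - window[0] > BURST_WINDOW:   # drop timestamps outside the window
            window.popleft()
        if suffix in KNOWN_SUFFIXES and ("known_suffix", key) not in reported:
            reported.add(("known_suffix", key))
            alerts.append({"kind": "known_suffix", "host": ev["host"], "proc": ev["proc"],
                           "suffix": suffix, "family": KNOWN_SUFFIXES[suffix],
                           "count": len(window)})
        if len(window) >= BURST_THRESHOLD and ("rename_burst", key) not in reported:
            reported.add(("rename_burst", key))
            alerts.append({"kind": "rename_burst", "host": ev["host"], "proc": ev["proc"],
                           "suffix": suffix, "family": None, "count": len(window)})
    return alerts


def constructed_events():
    """Benign explorer renames plus two rename bursts, one with an unknown suffix."""
    t0 = datetime(2023, 4, 27, 10, 0, 0)
    lines = []
    for i in range(5):    # a user renaming drafts: same extension, low volume
        lines.append(f"{(t0 + timedelta(seconds=30 * i)).isoformat()}|WS-11|C:\\Windows\\explorer.exe"
                     f"|RENAME|C:\\Users\\a\\draft{i}.txt|C:\\Users\\a\\final{i}.txt")
    for i in range(25):   # unknown suffix appended to 25 files in 25 seconds
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()}|WS-11|C:\\Users\\Public\\upd.exe"
                     f"|RENAME|C:\\Share\\doc{i}.docx|C:\\Share\\doc{i}.docx.zzz")
    for i in range(30):   # .Gagup appended to 30 files on a file server
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()}|FS-02|C:\\Windows\\Temp\\x.exe"
                     f"|RENAME|D:\\data\\inv{i}.xlsx|D:\\data\\inv{i}.xlsx.Gagup")
    return lines


if __name__ == "__main__":
    for alert in detect(constructed_events()):
        print(alert)
```

The known-suffix match fires on the first file, so it is the fast path when an indicator list is current; the burst rule is the fallback that does not depend on the list, at the cost of waiting for the twentieth rename. Tune the threshold against a baseline of backup, archiving and build jobs on the same hosts before alerting on it.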

After analyzing previous ransom notes, Cisco Talos asserted that victims get three days to contact their extorters, after which time RA Group begins to leak their files. The researchers noted that the victims can confirm the exfiltration of their information by downloading a file using the gofile[.]io link in the ransom note. Cisco stated that there is no information thus far on how the group gains initial access or conducts post-intrusion activity.

The researchers at Cisco Talos noted that the RA Group website has undergone cosmetic changes since it was first published, "confirming they are in the early stages of their operation." The researchers warned that the group is ramping up activity fast and that this ransomware group should not be underestimated.

Cybersecurity Snapshots #43 - Rorschach Ransomware

New ransomware variants are emerging, with one officially taking the "encryption speed king" title from LockBit 3.0. Speed is so decisive that ransomware-as-a-service (RaaS) platforms advertise the speed of execution to prospective ransomware affiliates. The Rorschach ransomware variant was discovered by researchers at Check Point and was first detected in April 2023. It is a customized strain of the Babuk ransomware code. The researchers noted that one important speed component is the ability to quickly spread malware as far and wide as possible. In the past, ransomware gangs have leveraged many techniques for fast propagation, including supply chain attacks and using existing IT and security tools to propagate their malware. However, the researchers noted that Rorschach has built and demonstrated an interesting self-propagating and autonomous capability that leverages Active Directory (AD) Domain Group Policy Objects (GPO). This enables the malware to rapidly propagate across the network and execute ransomware on every endpoint at blistering speeds.

Researchers at Check Point have found that on Windows endpoints, Rorschach's creators have carefully chosen to use HC-128, a stream cipher that encrypts large streams of file data with impressive performance. Rorschach ransomware uses an asymmetric key exchange method based on Curve25519. The researchers noted that it is efficient in both computational performance and memory consumption while simultaneously retaining strong security. Like many other ransomware strains, including LockBit and Babuk, Rorschach encrypts only parts of a file instead of the entire file's contents. This tactic is known as intermittent encryption, which has become popular in the last couple of years for its efficiency and speed. The researchers noted that encrypting only parts of the file dramatically reduces the time required to complete the data encryption. By shortening the encryption phase of an attack, ransomware operators give security tools less opportunity to detect them. The researchers stated that data encryption is the visible part of an attack, and attackers are shortening that window to better their odds in the race against defenders. Like other ransomware, Rorschach also leverages parallelism and multithreading for high-performance, speedy encryption. Because the Rorschach implementation is customized for each operating system type, it leverages specific Windows capabilities known as I/O completion ports for efficient multithreaded encryption. The researchers noted that this technique is borrowed from LockBit 3.0, REvil, Hive, BlackMatter, and DarkSide. Researchers at Check Point found that while Rorschach does outpace competitors in speed in some realms, it currently does not appear to exfiltrate data for double extortion.
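Intermittent encryption, used by Rorschach here and by RA Group in the previous snapshot, has a second effect beyond speed: a file that is only one-quarter ciphertext does not look encrypted to a whole-file entropy check, which is how many tools decide that a write is ransomware activity. The added example below shows the gap and the fix: the signal comes back when entropy is measured per chunk, provided the chunk is smaller than the encrypted stride. This is illustration code, not Check Point's or Cisco Talos's analysis; the "ciphertext" is seeded random bytes standing in for real cipher output, the 1 KiB-of-every-4 KiB pattern is an assumed stride rather than either family's actual one, and the thresholds are assumptions to be tuned on real corpora.

```python
"""Why intermittent encryption slips past whole-file entropy checks, and how
chunk-level entropy recovers the signal.  Added illustration: the 'ciphertext'
is seeded random bytes, not any family's cipher output, and the stride/span
values are assumed, not Rorschach's or RA Group's real ones."""
import math
import random
from collections import Counter

CHUNK = 1024        # analysis granularity; must be finer than the stride being hunted
CHUNK_HIGH = 7.0    # bits/byte above which a chunk is treated as ciphertext-like
WHOLE_HIGH = 7.5    # whole-file threshold a naive check would rely on


def shannon_entropy(data):
    """Bits of entropy per byte (0.0 for empty input)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_fraction(data, chunk=CHUNK):
    """Share of fixed-size chunks whose entropy exceeds CHUNK_HIGH."""
    chunks = [data[i:i + chunk] for i in range(0, len(data), chunk)]
    if not chunks:
        return 0.0
    return sum(1 for c in chunks if shannon_entropy(c) > CHUNK_HIGH) / len(chunks)


def classify(data):
    """'encrypted', 'partially_encrypted' or 'plain', using both views."""
    if shannon_entropy(data) > WHOLE_HIGH:
        return "encrypted"
    if high_entropy_fraction(data) >= 0.10:
        return "partially_encrypted"
    return "plain"


def make_document(size=65536):
    """Constructed plain-text 'document' of exactly `size` bytes."""
    words = ("quarterly revenue forecast for the northern region is attached "
             "see appendix b for the underlying assumptions and the risk table").split()
    rng = random.Random(7)
    out = bytearray()
    while len(out) < size:
        out += (" ".join(rng.choice(words) for _ in range(12)) + ".\n").encode()
    return bytes(out[:size])


def random_bytes(rng, n):
    return bytes(rng.getrandbits(8) for _ in range(n))


def simulate_full(doc, seed=1):
    """Stand-in for full-file encryption: every byte replaced."""
    return random_bytes(random.Random(seed), len(doc))


def simulate_intermittent(doc, stride=4096, span=1024, seed=2):
    """Stand-in for intermittent encryption: only `span` of every `stride` bytes replaced."""
    rng = random.Random(seed)
    out = bytearray(doc)
    for off in range(0, len(out), stride):
        end = min(off + span, len(out))
        out[off:end] = random_bytes(rng, end - off)
    return bytes(out)


if __name__ == "__main__":
    doc = make_document()
    for label, blob in [("plain", doc), ("full", simulate_full(doc)),
                        ("intermittent", simulate_intermittent(doc))]:
        print(f"{label:12s} whole={shannon_entropy(blob):.2f} "
              f"hot@1KiB={high_entropy_fraction(blob):.2f} "
              f"hot@4KiB={high_entropy_fraction(blob, 4096):.2f} -> {classify(blob)}")
```

The 4 KiB column is the point: with an analysis chunk equal to the stride, every chunk is three-quarters text and none crosses the threshold, so the intermittently encrypted file is indistinguishable from the plain one. Shrinking the chunk below the span makes one chunk in four light up. Compressed or already-encrypted formats (archives, media, PDFs with embedded images) are high-entropy by nature, so any deployment of this idea has to whitelist by file type or compare against the pre-write entropy of the same file.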

The researchers stated that one of Rorschach's particularly innovative moves is its ability to stay under the radar by using deception technology. Rorschach's advanced security evasion capabilities leverage deception techniques and concepts for malicious purposes, including using obfuscation techniques, valid domain user and service accounts, and argument spoofing techniques to hide the true capabilities of the ransomware.

Experts are warning that to combat Rorschach's technique for self-propagation using AD GPOs and its high-speed campaigns, defenders need solutions that can detect and respond to real-time, novel, and autonomous ransomware capabilities. The Rorschach variant demonstrates the importance of continuous defender innovation, as well as the need to counter attacker movement in real time.

Cybersecurity Snapshots #44 - Data Travel is the Organization's Next Big Cybersecurity Challenge

The number of data breaches continues to rise, and so do data breach costs. According to IBM, the cost of data breaches rose to $4.45 million per incident in 2023, up 2.3% from $4.35 million in 2022. Overall, the average cost has increased 15.3% from the $3.86 million average in 2020. IBM found that cloud data was involved in most breaches. IBM noted that 82% of breaches involve data stored in public, private or a combination of multiple clouds. In 39% of cases, breaches crossed multiple cloud environments and ran a higher-than-average data breach cost of $4.75 million per incident. Many organizations do not know where their data lives once in the cloud. Knowing how or where data is used, shared, or stored is essential to ensure organizational security.

Data travel is the journey data takes once it leaves an organization's direct control. With the rise of cloud services, data has become increasingly mobile and interconnected, often passing through various servers, data centers, and potentially third-party entities before reaching its intended destination. Each new point in this journey represents a possible opportunity for data exposure or mishandling, which makes data travel a serious cybersecurity concern, particularly when it comes to an organization's data. For example, data could be intercepted during transmission, improperly accessed at rest, or incorrectly disposed of at the end of its lifecycle. The CTO of ClearDATA, Jim Ducharme, stated that each server or network an organization's information travels through, each device it's accessed from, and every person who accesses it represents potential vulnerabilities that could be exploited by bad actors. Ducharme noted that understanding data travel is a crucial first step in ensuring that an organization's data remains protected throughout its entire lifecycle, from creation to deletion.

One common myth among organizations is that data stored in the cloud stays in a fixed location. In reality, data in the cloud is far from stationary. Cloud storage often means distributing data across multiple servers and data centers, often in different locations, to ensure reliability and quick access. Cloud providers usually utilize strict security measures to protect this data, but the fact that this data is scattered and constantly moving makes it that much harder to monitor and secure. Ducharme stated that each jump data takes between servers could potentially expose it to additional vulnerabilities. Ducharme noted that as data passes over geographic boundaries, it can fall under the jurisdiction of various regulations. For example, data stored in the European Union is subject to GDPR, while the same data stored in the U.S. falls under different laws. Ducharme stated that to navigate these complexities of data travel, it's essential for organizations to first understand the true nature of data movement in the cloud. Once the foundation of that understanding has been established, organizations can then work to implement comprehensive security measures to keep data secure across the dynamic cloud landscape.

Ducharme shared some essential strategies organizations can utilize to manage and monitor data travel effectively. First is data mapping. Data mapping allows an organization to gain a comprehensive view of how data moves within and outside an organization. Ducharme noted that it enables one to map data flow and identify every point one's data touches, from devices and networks to third-party vendors. Secondly, organizations must encrypt their data stored on the cloud, whether it is in transit or at rest, because it provides an additional layer of security, ensuring that even if data falls into the wrong hands, it remains unreadable without the correct decryption key. Organizations should also establish rigorous access controls to ensure that only authorized users can access the data. Organizations should also continuously monitor data access and usage so one can detect any suspicious activity and rapidly mitigate it. It is also essential for organizations to partner with cloud providers that prioritize security and offer transparency into their data handling practices. Ducharme noted that if data travel across multiple geographic locations is a concern, look for providers that offer data residency guarantees to ensure regulatory compliance. Lastly, Ducharme recommended that organizations should regularly hold trainings for their entire staff to learn the latest data management best practices because human error is often the cause of data breaches.
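The strategies above (data mapping, encryption in transit and at rest, access control, vetted providers, residency) compose naturally into one check: enumerate every hop a dataset takes from its origin and test each store and each transfer against the dataset's policy. The following added example does that over a constructed inventory; it is illustration code written for this page, not ClearDATA's tooling, and the store, flow and dataset records, the region labels and the role names are all invented for the example.

```python
"""A minimal data-travel map.  Given an inventory of where a dataset may land and
how it moves, walk every hop from its origin and flag gaps in the controls the
text lists: encryption in transit and at rest, access control, residency, and
vetted third parties.  The inventory is constructed for this example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Store:
    name: str
    region: str              # jurisdiction the store sits in ("EU", "US", ...)
    owner: str               # "internal" or the third party operating it
    encrypted_at_rest: bool
    access_roles: frozenset  # roles that can read data held here


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    encrypted_in_transit: bool


@dataclass(frozen=True)
class Dataset:
    name: str
    origin: str
    allowed_regions: frozenset
    authorized_roles: frozenset
    approved_vendors: frozenset = frozenset()


def trace(dataset, stores, flows):
    """Return (location, finding) pairs for every store and hop reachable from the origin."""
    by_name = {s.name: s for s in stores}
    outgoing = {}
    for f in flows:
        outgoing.setdefault(f.src, []).append(f)
    findings, seen, stack = [], set(), [dataset.origin]
    while stack:                      # depth-first walk; each store visited once
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        store = by_name[cur]
        if not store.encrypted_at_rest:
            findings.append((cur, "not encrypted at rest"))
        if store.region not in dataset.allowed_regions:
            findings.append((cur, f"resides in {store.region}, outside allowed "
                                  f"{sorted(dataset.allowed_regions)}"))
        if store.owner != "internal" and store.owner not in dataset.approved_vendors:
            findings.append((cur, f"held by unapproved third party {store.owner}"))
        extra = store.access_roles - dataset.authorized_roles
        if extra:
            findings.append((cur, f"readable by unauthorized roles {sorted(extra)}"))
        for f in outgoing.get(cur, []):
            if not f.encrypted_in_transit:
                findings.append((f"{f.src}->{f.dst}", "not encrypted in transit"))
            stack.append(f.dst)
    return findings


# Constructed inventory: a CRM database feeding an analytics lake, an EU backup,
# and an e-mail vendor reached over an unencrypted hop.
STORES = [
    Store("crm-db", "EU", "internal", True, frozenset({"sales", "analytics"})),
    Store("analytics-lake", "US", "internal", True, frozenset({"analytics"})),
    Store("backup-eu", "EU", "internal", True, frozenset({"ops"})),
    Store("email-vendor", "US", "MailCo", False, frozenset({"vendor-support"})),
]
FLOWS = [
    Flow("crm-db", "analytics-lake", True),
    Flow("crm-db", "backup-eu", True),
    Flow("analytics-lake", "email-vendor", False),
]
# Customer PII must stay in the EU, be readable only by sales and ops, and has no approved vendors.
CUSTOMER_PII = Dataset("customer-pii", "crm-db", frozenset({"EU"}), frozenset({"sales", "ops"}))

if __name__ == "__main__":
    for where, what in trace(CUSTOMER_PII, STORES, FLOWS):
        print(f"{where:30s} {what}")
```

The walk is what makes the "data is not stationary" point concrete: the EU backup passes every check, while the analytics lake, which nobody would list as a PII system, turns out to be the hop through which the data leaves its jurisdiction and reaches an unvetted vendor in the clear. Keeping the inventory current is the hard part; the check itself is cheap enough to run on every change.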

Cybersecurity Snapshots #45 - Cuba Ransomware

The Cuba ransomware group was first discovered in 2019. According to CISA, as of August 2022, the group had compromised 101 entities, 65 in the US and 36 elsewhere, demanding a total of $145 million in ransom payments and receiving around $60 million. According to security researchers at BlackBerry, the group uses Cuban Revolution references and iconography in its code and its leak site, but ample evidence suggests its members are, in fact, of Russian origin. Cuba is a financially motivated threat actor known for big-money ransomware attacks primarily targeting US organizations. According to the FBI, the group uses the following techniques to gain initial access: known vulnerabilities in commercial software, phishing campaigns, compromised credentials, and legitimate Remote Desktop Protocol (RDP) tools.

According to security researchers at BlackBerry, Cuba has updated its attack tooling to include a Veeam exploit designed to harvest logins. The researchers stated that their discovery came from investigations into attacks by the Cuba group on a US critical national infrastructure provider and a South American IT integrator. Now in its fourth year of operation, the group appears to be using a slightly tweaked set of Tactics, Techniques, and Procedures (TTPs), blending old and new tools and methods. Among the new discoveries made by the researchers was Cuba's exploitation of CVE-2023-27532, which impacts Veeam Backup & Replication software and is being used to steal credentials from configuration files on the victim's device. The researchers noted that the exploit works by accessing an exposed API on a component of the Veeam application (Veeam.Backup.Service.exe). This vulnerability exists on any version of the Veeam Backup & Replication software prior to version 11a (build 11.0.1.1261 P20230227) and version 12 (build 12.0.0.1420 P20230223). The researchers noted that elsewhere, Cuba exploited a legacy flaw in Microsoft NetLogon (CVE-2020-1472) and used custom and off-the-shelf tools such as custom downloader BugHatch, a Metasploit DNS stager, host enumeration tool Wedgecut, BurntCigar malware, and numerous evasive techniques including Bring Your Own Vulnerable Driver (BYOVD). The researchers stated that initial access in these studied compromises came from an administrator-level login via RDP. The researchers noted that it is likely that the Cuba group bought this from an Initial Access Broker (IAB) or achieved it via vulnerability exploitation.
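The BlackBerry write-up gives the two fixed builds for CVE-2023-27532 (11a build 11.0.1.1261 P20230227 and 12 build 12.0.0.1420 P20230223), which is enough for a fleet check: compare each installed Veeam Backup & Replication build against them. The added example below does that; it is not Veeam's or BlackBerry's code. The build-string format and the host inventory are constructed, the non-fixed build numbers are invented, and the ordering rules (compare the four-part build first, then the cumulative-patch date when the build matches; anything before version 11 affected; anything after version 12 assumed fixed) are this example's reading of "prior to", to be confirmed against Veeam's own advisory before acting on the output.

```python
"""Check installed Veeam Backup & Replication builds against the fixed builds given
in the text for CVE-2023-27532.  Inventory and non-fixed build numbers are
constructed; the comparison rules are this example's interpretation of 'prior to'."""
import re

# Fixed builds as quoted in the write-up above: (four-part build, cumulative patch date).
FIXED_BUILDS = {
    11: ((11, 0, 1, 1261), 20230227),   # 11a with patch P20230227
    12: ((12, 0, 0, 1420), 20230223),   # 12 with patch P20230223
}
BUILD_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)(?:\s+P(\d{8}))?$")


def parse_build(text):
    """'12.0.0.1420 P20230223' -> ((12, 0, 0, 1420), 20230223); no patch suffix -> 0."""
    m = BUILD_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised build string: {text!r}")
    build = tuple(int(x) for x in m.groups()[:4])
    patch = int(m.group(5)) if m.group(5) else 0
    return build, patch


def is_affected(text):
    """Return (affected, reason) for one installed build string."""
    build, patch = parse_build(text)
    major = build[0]
    if major < 11:
        return True, f"{text}: versions before 11 have no fixed build listed"
    if major > 12:
        return False, f"{text}: newer than the fixed builds listed (assumed fixed)"
    fixed_build, fixed_patch = FIXED_BUILDS[major]
    fixed_str = ".".join(map(str, fixed_build)) + f" P{fixed_patch}"
    if build < fixed_build:
        return True, f"{text}: build is older than fixed build {fixed_str}"
    if build == fixed_build and patch < fixed_patch:
        return True, f"{text}: fixed build present but patch P{fixed_patch} not applied"
    return False, f"{text}: at or above fixed build {fixed_str}"


def scan_inventory(inventory):
    """(hostname, build string) pairs -> list of (host, build, reason) for affected hosts."""
    affected = []
    for host, build in inventory:
        hit, reason = is_affected(build)
        if hit:
            affected.append((host, build, reason))
    return affected


# Constructed inventory; build numbers other than the two fixed builds are made up.
INVENTORY = [
    ("bkp-01", "11.0.1.1261"),              # 11a base build, patch never applied
    ("bkp-02", "11.0.1.1261 P20230227"),    # 11a, patched
    ("bkp-03", "12.0.0.1420 P20230223"),    # 12, patched
    ("bkp-04", "12.0.0.1000"),              # constructed pre-fix 12 build
    ("bkp-05", "10.0.0.1"),                 # constructed version-10 build
]

if __name__ == "__main__":
    for host, build, reason in scan_inventory(INVENTORY):
        print(host, "AFFECTED:", reason)
```

The case worth noticing is bkp-01: the build number alone matches the fixed build, so a check that ignores the patch suffix reports it as safe. Since the text says the exploit reaches an exposed API of Veeam.Backup.Service.exe, an affected host should also be reviewed for whether that service is reachable from anything other than the hosts that need it while the patch is rolled out.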

The researchers at BlackBerry stated that Cuba is deployed selectively using a big game hunting strategy, targeting a few high-profile organizations in financial services, government, healthcare, critical infrastructure, and IT sectors. The researchers noted that Cuba operators reliably deliver a decryption package to decrypt victims' files when a ransom is paid but that they also employ a double-extortion tactic and are known to publish the stolen data and documents of victims that refuse to pay.

To defend against the Cuba Ransomware, the security researchers at BlackBerry recommend that organizations emphasize detection technologies, prompt and perhaps automated patching, and investing in advanced threat intelligence. If all else fails, the researchers noted that quick and decisive action must be taken because "if there is a delay because of the weekend or a lack of resources, then it may lead to huge losses."