Cyber News Rundown: Maze Ransomware Shuts Down
Maze Ransomware Group Ends Operations
A press release issued this week announced the end of the Maze ransomware group’s data theft operations. In the release, the Maze authors revealed their motives behind one of the most successful ransomware campaigns to date, and why they chose to finally shut down their massive project. It also stated the Maze team was working to expose the major security holes key industries fail to address, though their methods created many victims.
Magecart Targets International Gold Retailer
Nearly three months after a data breach caused by a Magecart attack struck the international precious metals retailer, JM Bullion has finally released an official statement to customers. After identifying unauthorized activity on their systems in mid-July, the company went on to find that their systems had been compromised since February by Magecart payment card-skimming software. The company has yet to explain why it took so long to discover the breach or why it failed to follow GDPR regulations by immediately contacting affected customers.
Ryuk Remains Top Player Throughout 2020
With ransomware continuing its stay at the top of the cyberthreat throne, Ryuk variants have been responsible for over a third of all ransomware attacks in 2020 alone, or roughly 67 million attacks. Ryuk has been around for over two years, but found much greater success this year after being found responsible for only 5,100 attacks in 2019. Ransomware attacks grew 40 percent over last year, to nearly 200 million as of Q3.
Cannabis Site Leaves Database Exposed
An unsecured database belonging to cannabis website GrowDiaries and housing over 3.4 million user records was found to be accessible last month. The data included 1.4 million user passwords hashed with MD5, an algorithm known to be easily cracked by cybercriminals. Nearly a week after being informed of the exposed database, GrowDiaries properly secured it from public access, though it remains unclear how long it was accessible or who accessed it during that time.
Mattel Reveals Ransomware Attack
Following a July ransomware attack, Mattel has finally issued an official statement regarding the overall damage. The company has confirmed that no data was stolen during the attack, which was quickly identified by their security team, and that many systems were taken offline to prevent any damage or theft from occurring. The ransomware attack was likely perpetrated by TrickBot, as it’s known for concentrating on large organizations and leaving them exposed for some encrypting variant to follow.
The Importance of Mobile Security for Safe Browsing
Mobile devices have become an indispensable part of our lives. By the time we’re teenagers, we’re already tethered to technology that lives in our pockets and connects us to a network far larger than we ever imagined possible. Because of the way we interact with our phones, it knows our likes, curiosities and vulnerabilities, in addition to our passwords, financial data and most closely held secrets. This seemingly infinite amount of data also makes our mobile devices highly attractive targets for malicious actors. That’s why it’s critical to protect phones from threats.
A successful attack on your phone could compromise your personally identifiable information (PII), banking accounts and even your professional life or the success of your business. Just like you lock the doors of your house when you go away, or your storefront after business hours, you should take care to secure the entry points that cybercriminals use to gain access to the data on your phone.
WiFi and Mobile App Threats
The convenience and ubiquity of public WiFi and mobile apps are also their greatest weakness. With unsecured public WiFi, you can never be sure if you’re connecting directly to a secure hotspot or to a hacker, who is stealing your information and relaying it to another malicious actor. Before you connect to an unfamiliar public WiFi network, follow these best practices to reduce the chances of compromising yourself:
- Use a virtual private network (VPN) instead – VPN is highly recommended for all business communications. VPN keeps your network and Wi-Fi communications encrypted, which makes it much harder for hackers to access.
- Disable sharing on all apps – While you may be comfortable sharing your location with apps when you’re on a secure connection, consider disabling it in system preferences or settings when you’re connecting to public WiFi.
- Verify all public WiFi networks – Hackers can easily set up a public WiFi that looks like it’s owned by the proprietor. Before you connect to “Java House Guest WiFi,” ask someone behind the counter the exact name of their WiFi network.
- Plug Bluetooth vulnerabilities – Hackers often use Bluetooth connections to infect devices or steal files, which puts personal data at risk whenever Bluetooth is on. These attacks involve using the device for phone calls or text messages, or using Bluetooth functionality to find deeper vulnerabilities in the phone system or to steal data stored on the phone. Similar exploits exist for Apple users through the AirDrop feature. The best way to plug these vulnerabilities is to turn off Bluetooth or AirDrop when not in use, keep your software up to date, only pair with trusted devices and use a VPN to encrypt your data and hide your identity.
- Disable auto-join for open networks – Public WiFi networks are ideal environments for a range of cybersecurity attacks, including rogue networks, man-in-the-middle attacks, viruses, and snooping or sniffing. To reduce the likelihood of these attacks, remote users should turn off Wi-Fi auto-connect settings for public WiFi networks.
With more than 120 million Android users, Android malware continues to be a real and increasingly common threat. Google has already pulled a large number of malicious apps from the Play store. But the open nature of the Android operating system makes it an easy play for hackers. The year 2020 has been a particularly risky one for mobile app users. A few of the more dangerous mobile threats in circulation include:
- Joker – Since 2019, Joker has been stealing credit card information and banking credentials by simulating other legitimate apps.
- CryCryptor – Based off the open-source ransomware CryDroid, this mobile variant has been spotted masquerading as a COVID-19 tracing app.
- EventBot – This malicious app abuses accessibility features to steal user data, and reads and steals SMS messages to bypass two-factor authentication.
- Dingwe – This modified remote access tool is capable of controlling a device remotely. Samples have been found impersonating COVID-19 tracing apps.
Many of these malicious operators use various tricks to evade detection. Since Android devices can come with hundreds of apps pre-installed, there’s a high potential for security gaps that a malicious app maker could exploit.
#1 Defense Measure: Update the OS
One of the major vulnerabilities with Android devices is outdated software. More than 40% of Android devices are using an OS version older than v9. This makes them more vulnerable to malicious applications.
Webroot® Mobile Security can help improve your mobile defenses without impacting your browser speed. It allows you to browse, shop, search, bank or use social networks, all while blocking malicious websites that try to steal your personal information. Webroot® Mobile Security includes proactive identity protection features, which block malicious sites that try to steal your personal info or harm your device. With Webroot® Mobile Security, you can hide your digital footprint and your browsing history through private browsing mode.
Cyber News Rundown: Flash Banned from Windows
Adobe Flash Being Uninstalled on Windows Systems
Following its September announcement, Microsoft has released an update that removes Adobe Flash from Windows 10 systems and prevents reinstallation. It should be noted that this update only removes the version of Adobe Flash that comes bundled with Windows 10. Internet browser extensions and stand-alone installs of the software will remain unaffected by this update. Should the user want to re-install Adobe Flash on an updated system, they must either revert to a point prior to the update or perform a fresh install of Windows 10.
Gunnebo Suffers Critical Data Breach
Officials for Gunnebo, a Swedish security firm, have revealed that they were victims of a data breach in August. Researchers also discovered an 18GB file confirmed to contain customer information stolen from Gunnebo. The compromised data was uploaded to a public server after Gunnebo refused to pay a ransom, exposing roughly 38,000 sensitive files.
Finnish Health Center Hacked
It was recently revealed that the Finnish psychotherapy center Vastaamo suffered a ransomware attack that compromised highly sensitive patient data belonging to thousands of individuals. After refusing to pay a 40 Bitcoin ransom, the attackers began publishing the stolen data on the dark web. While officials have yet to determine when the breach occurred, they have been contacting victims about the stolen data since October 21.
Customer Accounts at UK Restaurant Chain Breached
Recent technology changes at restaurants and other public establishments, like touchless methods of interaction, have left UK restaurants open to major security flaws. One such flaw has been exploited at UK restaurant chain Nando’s, with several customer accounts affected. By accessing previous account logins and using credentials that were stolen in prior cyberattacks, hackers have been able to create fraudulent orders. The company has since confirmed that, though they themselves weren’t the target of the breach, they will compensate any customers who are fraudulently charged.
Ryuk Suspected in Major Steelcase Attack
International furniture maker Steelcase was forced to take its systems offline following a ransomware attack that began late last week. It is believed that the attack used the highly active ransomware variant, Ryuk, though this has yet to be confirmed by Steelcase. By shutting down the remaining unaffected systems, Steelcase hopes it was able to stop the spread of encryption before irreparable damage was caused.
Employee Spotlight: Nurul Mohd-Reza, Customer Retention Specialist
Nurul Mohd-Reza knows how to empathize with the customers she serves. Her work with marginalized groups as a college student, she says, helped prepare her for when the pandemic turned many of her customers’ businesses upside down last March.
Here she discusses what she’s learned after just 10 months in the industry and provides some advice for those looking to dive headfirst into something new.
Tell us a little bit about your career background. How did you get to where you are today?
I started working at Webroot back in January, so my time here hasn’t been long. For most of my collegiate career I worked in the Division of Student Affairs at CU Boulder, focusing specifically on leadership and development. I served as a student advisor to university officials and local businesses. And so, as time went on, I became very interested in the dynamic between people and business. From there, I knew I wanted to dive deeper into this realm but was unsure on how to get started. So after college I began working in healthcare operations.
I believe what got me interested in this career path was when I attended Denver Start Up Week, which was a phenomenal experience. It opened my eyes to the unfamiliar world of customer success. Seeing how companies used technology and data to proactively understand their customer persona, and on top of that, scale engagements to fit their customer’s needs was truly insane. I thought what better way of molding my interests than being on the front lines serving as an advocate between people and product.
And how did you land at Webroot specifically?
It’s a funny story. I had come across this position and halfway through filling out the application I thought I might not be well-equipped for the role, so I actually ended up not finishing the application. And then a recruiter reached out to me and said they were interested in starting a conversation. It was unconventional, but I’m very grateful she reached out because it gave me an opportunity to explain my transition and why I wanted to make that jump into tech.
From there, I ended up interviewing here at Webroot and it was a great experience overall. Being early on in my career, I knew I wanted to work in an environment that obviously fostered growth, professionally and personally. After speaking with my current boss, I was very optimistic about the trajectory of Webroot, as well as the vision for Customer Success and this team specifically.
What are your core responsibilities as a customer retention specialist?
I would say my time is split between two main responsibilities. My primary role is to oversee the renewal process for a subset of SMBC contracts projected for the quarter. On the other hand, we are a customer facing role. So handling business customer inquiries as they arise. This involves everything from advising customers on certain buying decisions to providing in-product guides.
However, we are starting to shift our focus on how to effectively connect with customers throughout their lifecycle. Previously, we’ve concentrated on the renewal period which is 90 days before expiration. Now, we’re starting to expand our scope and engage with customers to create those smooth onboarding workflows, as well as push early-on adoption of the product.
At the end of the day, it’s really about strategy—how do we effectively educate and guide the customer to build depth behind the product in hopes of retaining that relationship for the long haul.
What would you say has been the most significant challenge of your career so far?
I think one of the most significant challenges was switching to an industry I’d never worked in before. The learning curve was steep in terms of familiarizing myself with the products we offer, our workflow with all the various systems we use, and the dynamic relationships between our various partners.
In Customer Success, it’s not simply about securing renewals. The process involves having to solve roadblocks in order to help a customer achieve their goal. We have to work with a range of departments to solve issues the customer is facing—whether it be from a product standpoint or a billing redundancy. So being able to learn each player’s role and then manage those relationships was obviously a challenge to begin with. It’s exciting, though. It keeps you on your feet and you get to meet a lot of new people from diverse backgrounds.
Another obvious challenge was COVID-19. I had only been working in the office for about two months when the pandemic hit. Learning how to onboard remotely was new and something I had to juggle with most definitely.
What skills do you feel have carried over well from your work in public affairs?
I believe Customer Success is focused on building relationships with our customers—which to my advantage was a valuable skill I carried over from my work in public affairs. In this role, it’s very important to enjoy solving problems and addressing issues head-on. You have to be incredibly flexible and create some sense of fluidity in the midst of a growing queue of customer requests.
In my previous role, I worked with marginalized communities to combat an array of social issues. So learning how to communicate with empathy, while also moving with focus and intent was crucial and very much transcends into my current role now.
Do you have a favorite part of the job after 10 months with the company?
I’m optimistic about being able to refine the customer journey. I believe the beauty behind Customer Success is it’s still an unknown territory. Everywhere you look, companies have a different way and methodology on how they interact with the customer. Not to mention, the type of technology and automation coming into play is fascinating.
In addition to that, our team is fairly new, which gives us a range of autonomy to create the structure and the formatting that we believe will best deliver value to our customers throughout their lifecycle. Although we are now part of a 15,000-person organization, it still feels like a start-up environment. We are constantly working to strategize and envision how we want the customer experience to evolve. To me, it’s very exciting to be at the intersection of all these moving parts.
Any advice for someone in your same situation, looking to cross over into the tech industry?
Well, given my experience, I’d say don’t doubt your capabilities. No experience is wasted experience. Even if you might not be the absolute perfect fit for a position, you have a breadth of skills you’ve developed over the past couple of years that will help mold you into whatever new role you’re interested in.
I believe one of the best pieces of advice I was ever given was don’t close a door on yourself before the opportunity even presents itself. By saying you can’t do this, or you don’t have the skills for that, you’ve already blocked out all these great possibilities. So be open to new experiences and don’t hold back.
To see what positions are available for you at OpenText, visit our careers page here.
The Nastiest Malware of 2020
For the third year running, we’ve examined the year’s biggest cyber threats and ranked them to determine which ones are the absolute worst. Somewhat unsurprisingly, phishing and RDP-related breaches remain the top methods we’ve seen cybercriminals using to launch their attacks. Additionally, while new examples of malware and cybercriminal tactics crop up each day, plenty of the same old players, such as ransomware, continue to get upgrades and dominate the scene.
For example, a new trend in ransomware this year is the addition of a data leak/auction website, where criminals will reveal or auction off data they’ve stolen in a ransomware attack if the victim refuses to pay. The threat of data exposure creates a further incentive for victims to pay ransoms, lest they face embarrassing damage to their personal or professional reputations, not to mention hefty fines from privacy-related regulatory bodies like GDPR.
But the main trend we’ll highlight here is that of modularity. Today’s malicious actors have adopted a more modular malware methodology, in which they combine attack methods and mix-and-match tactics to ensure maximum damage and/or financial success.
Here are a few of nastiest characters and a breakdown of how they can work together.
- Emotet botnet + TrickBot Trojan + Conti/Ryuk ransomware
There’s a reason Emotet has topped our list for 3 years in a row. Even though it’s not a ransomware payload itself, it’s the botnet that is responsible for the most ransomware infections, making it pretty darn nasty. It’s often seen with TrickBot, Dridex, QakBot, Conti/Ryuk, BitPaymer and REvil.
Here’s how an attack might start with Emotet and end with ransomware. The botnet is used in a malicious spam campaign. An unwitting employee at a company receives the spam email, accidentally downloads the malicious payload. With its foot in the door, Emotet drops TrickBot, an info-stealing Trojan. TrickBot spreads laterally through the network like a worm, infecting every machine it encounters. It “listens” for login credentials (and steals them), aiming to get domain-level access. From there, attackers can perform recon on the network, disable protections, and drop Conti/Ryuk ransomware at their leisure.
- Ursnif Trojan + IcedID Trojan + Maze ransomware
Ursnif, also known as Gozi or Dreambot, is a banking Trojan that has resurfaced after being mostly dormant for a few years. In an attack featuring this troublesome trio, Ursnif might land on a machine via a malicious spam email, botnet, or even TrickBot, and then drop the IcedID Trojan to improve the attackers’ chances of getting the credentials or intel they want. (Interestingly, IcedID has been upgraded to use steganographic payloads. Steganography in malware refers to concealing malicious code inside another file, message, image or video.) Let’s say the Trojans obtain the RDP credentials for the network they’ve infected. In this scenario, the attackers can now sell those credentials to other bad actors and/or deploy ransomware, typically Maze. (Fun fact: Maze is believed to have “pioneered” the data leak/auction website trend.)
- Dridex/Emotet malspam + Dridex Trojan + BitPaymer/DoppelPaymer ransomware
Like TrickBot, Dridex is another very popular banking/info-stealing Trojan that’s been around for years. When Dridex is in play, it is either dropped via Emotet or its authors’ own malicious spam campaign. Also like TrickBot, Dridex spreads laterally, listens for credentials, and typically deploys ransomware like BitPaymer/DoppelPaymer.
As you can see, there are a variety of ways the attacks can be carried out, but the end goal is more or less the same. The diverse means just help ensure the likelihood of success.
The characters mentioned above are, by no means, the only names on our list. Here are some of the other notable contenders for Nastiest Malware.
- Sodinokibi/REvil/GandCrab ransomware – all iterations of the same ransomware, this ransomware as a service (RaaS) payload is available for anyone to use, as long as the authors get a cut of any successful ransoms.
- CrySiS/Dharma/Phobos ransomware – also RaaS payloads, these are almost exclusively deployed using compromised RDP credentials that are either brute-forced or easily guessed.
- Valak – a potent multi-functional malware distribution tool. Not only does it commonly distribute nasty malware such as IcedID and Ursnif, but it also has information stealing functionalities built directly into the initial infection.
- QakBot – an info-stealing Trojan often dropped by Emotet or its own malspam campaigns with links to compromised websites. It’s similar to TrickBot and Dridex and may be paired with ProLock ransomware.
Combine protections to combat combined attacks.
If businesses want to stay safe, they need to implement multiple layers of protection against these types of layered attacks. Here are some tips from our experts.
- Lock down RDP. Security analyst Tyler Moffitt says unsecured RDP has risen over 40% since the COVID-19 pandemic began because more businesses are enabling their workforce to work remotely. Unfortunately, many are not doing so securely. He recommends businesses use RDP solutions that encrypt the data and use multi-factor authentication to increase security when remoting into other machines.
- Educate end users about phishing. Principal product manager Phil Karcher points out that many of the attack scenarios listed above could be prevented with stronger phishing/spam awareness among end users. He recommends running regular security training and phishing simulations with useful feedback. He also says it’s critical that employees know when and how to report a suspicious message.
- Install reputable cybersecurity software. Security intelligence director Grayson Milbourne can’t stress enough the importance of choosing a solution that uses real-time threat intelligence and offers multi-layered shielding to detect and prevent multiple kinds of attacks at different attack stages.
- Set up a strong backup and disaster recovery plan. VP of product management Jamie Zajac says that, particularly with a mostly or entirely remote workforce, businesses can’t afford not to have a strong backup. She strongly recommends regular backup testing and setting alerts and regular reporting so admins can easily see if something’s amiss.
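The RaaS payloads above are described as arriving almost exclusively through brute-forced or guessed RDP credentials, and the first tip is to lock RDP down. One cheap detection that complements MFA is to watch for bursts of failed RemoteInteractive logons followed by a success from the same source. The following is an added example (not Webroot code, and not taken from the article) that runs that check over a handful of constructed records shaped like Windows Security event fields; the event IDs 4625/4624 and logon type 10 are the real Windows values, while the timestamps, accounts and addresses are made up for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in the shape of Windows Security log fields:
# timestamp, EventID (4625 = failed logon, 4624 = successful logon),
# target account, source address, logon type (10 = RemoteInteractive, i.e. RDP).
# These lines are made up for the example; they are not real logs.
SAMPLE_EVENTS = """\
2020-10-26T08:00:01,4625,administrator,203.0.113.7,10
2020-10-26T08:00:04,4625,admin,203.0.113.7,10
2020-10-26T08:00:09,4625,backup,203.0.113.7,10
2020-10-26T08:00:15,4625,scanner,203.0.113.7,10
2020-10-26T08:00:22,4625,svc_rdp,203.0.113.7,10
2020-10-26T08:00:31,4625,backup,203.0.113.7,10
2020-10-26T08:01:00,4624,backup,203.0.113.7,10
2020-10-26T08:05:00,4625,jdoe,198.51.100.22,10
2020-10-26T09:40:00,4625,jdoe,198.51.100.22,10
2020-10-26T09:41:00,4624,jdoe,198.51.100.22,10
2020-10-26T10:00:00,4624,asmith,192.0.2.10,10
"""


def parse_events(text):
    """Turn the CSV-style lines into dicts with a datetime and integer fields."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, account, source, logon_type = line.split(",")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "account": account,
            "source": source,
            "logon_type": int(logon_type),
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source addresses with `threshold` or more failed RDP logons inside
    any `window`, and record which accounts then logged on successfully from
    that address after the burst (a likely guessed or stolen credential)."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ev in events:
        if ev["logon_type"] != 10:
            continue  # only RemoteInteractive (RDP) logons matter here
        if ev["event_id"] == 4625:
            failures[ev["source"]].append(ev["time"])
        elif ev["event_id"] == 4624:
            successes[ev["source"]].append(ev)

    findings = {}
    for source, times in failures.items():
        times.sort()
        # slide a window of `threshold` consecutive failures over the sorted times
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                burst_end = times[i + threshold - 1]
                later = [s for s in successes[source] if s["time"] > burst_end]
                findings[source] = {
                    "failures": len(times),
                    "success_after": [s["account"] for s in later],
                }
                break
    return findings


if __name__ == "__main__":
    for src, info in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)).items():
        print(src, info)
```

With the defaults, only the 203.0.113.7 burst is flagged, and the later 4624 for `backup` from the same address is the signal worth paging on; the two spaced-out failures from 198.51.100.22 look like a user mistyping a password and stay below the threshold. Thresholds and windows should be tuned to the environment, and in practice the same logic runs over events collected centrally rather than on each host.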
Discover more about 2020’s Nastiest Malware on the Webroot Community.
Hone Your Cybersecurity Superpowers with Tips from Wonder Woman
October 21 is Wonder Woman Day. It commemorates Wonder Woman’s first appearance in All Star Comics #8. With the upcoming release of Wonder Woman 1984, we took the opportunity to talk superheroes, superpowers and protecting data with our very own Briana Butler, Engineering Services Manager at Webroot.
Q: Wonder Woman got her powers from her divine mother, Queen Hippolyta. How did you get your data protection superpowers?
I had a reboot in life. I was previously a retail buyer then I went back to school for computer science and ended up switching to the business school. I was hired at Webroot to be a bridge between engineering and business – you have to have people that can speak both languages – and that’s exactly what I wanted to do and what I was trying to forge with my new career.
I first began as a data analyst, which meant working on privacy compliance, GDPR, CCPA, and data mapping, understanding where data is stored and processed, and who has access to it. My latest role is as an Engineering Services Manager, meaning I help engineering and product with personnel and hiring needs, ISO certification and making sure our development teams receive the training they need to stay up to date with the fast pace of tech.
Q: Wonder Woman had several superpowers, or super powerful gadgets, like indestructible bracelets and a lasso that forced people to tell the truth. Is cyber resilience a superpower?
Every superhero has different talents or powers. When we think of cyber resilience, it’s sort of like our own personal toolbox of powers that we can use against malicious actors who want to take our data and make money off it.
Our toolbox of cyber resilience includes basic best practices like knowing how to create a strong password, not clicking every link that comes into your email inbox and daily behaviors of how to navigate and defend yourself online. The goal is to live your best digital life confidently, without disruption.
Q: What about our data? Does that give us any powers that we wouldn’t have without it?
I think it’s more about understanding the power data has if we give it away. When we give people access to our data, that’s when it becomes powerful. Whether it’s corporations or malicious actors, when we willingly hand out our data, that gives it power because then, they know things about us. I talk a lot about privacy and why everyone should be more critical and cognizant of the data they’re sharing. We share a lot more than we realize. It’s time for all of us to understand what we’re sharing and then decide if we, personally, really want to share it.
Q: Wonder Woman encountered her fair share of comic strip villains, like the Duke of Deception, Doctor Psycho and Cheetah. Who are the villains in the digital world?
They’re the malicious actors and cybercriminals who would take your data and sell it on the open market. It could even be the person trying to get access to your Hulu account. There are also nation-state actors and the companies you buy things from. There’s a huge spectrum of villains, and they all want your data. There’s big money in data. So, it’s important that you’re aware of what’s being shared.
I’ve started reading privacy policies – those long, convoluted legal documents – to see if I can understand where I’m going to be sharing my information and make a more conscious decision.
For one large social platform, when I went through it, I started asking myself, am I really okay sharing this information? Do I really need this service or platform? Is it necessary in exchange for what I’m about to share with them? In the end, I didn’t sign up for it.
I’ve also gone through the frustrating and somewhat time-consuming act of cleaning up all my passwords and using a password manager. Most people say they have anywhere from 15 to 20 password-protected accounts. But when I went through all the places I’ve shared my password, it was upwards of 100!
One of my favorite topics is password strength. We recently did an analysis of password configurations with Maurice Schmidtler, our head data scientist, who created a Monte Carlo simulation. We took what you usually see when you’re told to create a password – like using uppercase and lowercase letters or special symbols – and applied those within the simulation. What we found was that the more constraints you put on a password, the fewer viable options you have for a strong password, meaning it decreases the number of good password options. Whereas if you focus on creating a strong password, where length is more important than the various character-type constraints, you’ll end up with a much stronger password. Length is strength because it takes more computing power to break.
Q: Wonder Woman was a founding member of the Justice League. So, even she needed the help of a squad to defeat the villains. Do we need help from a squad to be more cyber resilient?
We all need assistance because as humans, we are fallible. Inevitably, someone might click on a malicious link, or some unforeseen event might happen where you need a backup that’s going to allow you to recover data instead of losing it permanently.
When it comes to ransomware, or really any other attack, you need awareness. That’s why we encourage proactive education and regular security awareness training, so people truly understand the threat landscape and how to identify the most prevalent types of attacks.
Q: At one point in the story, Wonder Woman surrendered her superpowers and used fighting skills instead. In what ways do we surrender our powers when it comes to cyber resilience?
Oversharing content or data about yourself, your name or address are surefire ways to surrender power in the digital age. All these things identify you and allow criminals to gain insight that can be used against you through social engineering.
You’re also surrendering power when you practice poor cyber hygiene, like repeating passwords across multiple logins. Once a cybercriminal gains access to one login, they can discover more details about you and use it elsewhere. For example, you may not be worried about a criminal getting access to your Netflix account, but if you use the same password there as you do with your bank, then the situation just became much more serious.
You also surrender power by not protecting your home network and not using VPN when you’re on public Wi-Fi. People often think “it won’t happen to me,” until it’s too late. And recovery can be costly and time-consuming. That’s why implementing layers of protection up front strengthens cyber resilience and helps keep your digital life easy, secure and free of complications.
Q: Are you going to watch the new Wonder Woman movie?
Oh sure! I will because I’ve seen all the other ones. I’m a big fan of Guardians of the Galaxy. And, of course, I love Iron Man. And I was a big fan of Black Panther, too. Doctor Strange is also one of my faves.
Q: If cybercriminals were villains from Wonder Woman, who would they be?
The Duke of Deception! Hackers, cybercriminals and nation-state actors are constant antagonists, and that’s exactly who we defend our users against.
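Briana Butler’s point about password rules (each added character-class requirement shrinks the set of acceptable passwords, while extra length grows it far faster) can be checked exactly rather than by simulation. The block below is an added example, not the Monte Carlo analysis from the interview nor any Webroot code: it counts the passwords that satisfy a policy by inclusion-exclusion over the required classes that could be missing, then converts the counts to bits of guessing effort. The character-class sizes are an assumption approximating a US keyboard.

```python
from itertools import combinations
import math

# Assumed character-class sizes (US keyboard); not figures from the interview.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}


def password_space(length, allowed, required=()):
    """Count passwords of exactly `length` drawn from the `allowed` classes that
    contain at least one character from every class in `required`.
    Inclusion-exclusion: subtract strings missing one required class, add back
    those missing two, and so on."""
    alphabet = sum(CLASSES[c] for c in allowed)
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            reduced = alphabet - sum(CLASSES[c] for c in missing)
            total += (-1) ** k * reduced ** length
    return total


def entropy_bits(count):
    """Guessing effort, in bits, for a password chosen uniformly from `count` options."""
    return math.log2(count)


def compare_policies():
    """Three policies side by side: 8 characters with no rules, 8 characters that
    must use all four classes, and 16 lowercase letters with no rules."""
    all_classes = tuple(CLASSES)
    unconstrained = password_space(8, all_classes)
    constrained = password_space(8, all_classes, required=all_classes)
    passphrase = password_space(16, ("lower",))
    return {
        "8 chars, any mix": entropy_bits(unconstrained),
        "8 chars, all four classes required": entropy_bits(constrained),
        "16 lowercase letters": entropy_bits(passphrase),
        "constrained share of unconstrained space": constrained / unconstrained,
    }


if __name__ == "__main__":
    for name, value in compare_policies().items():
        print(f"{name}: {value:.2f}")
```

Requiring all four classes in an 8-character password throws away more than half of the 8-character space, costing about a bit of entropy, whereas doubling the length to 16 even with only lowercase letters adds more than twenty bits. The figures assume passwords are chosen uniformly at random; a memorable 16-letter phrase built from dictionary words has far fewer effective options, which is why length helps most when combined with a password manager that generates the value.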
What DoH Can Really Do
Fine-tuning privacy for any preference
A DNS filtering service that accommodates DNS over HTTPS (DoH) can strengthen an organization’s ability to control network traffic and turn away threats. DoH can offer businesses far greater control and flexibility over their privacy than the old system.
The most visible use of DNS is typically the browser, which is why all the usual suspects are leading the charge in terms of DoH adoption. This movement has considerable steam behind it and has extended beyond just applications as Microsoft, Apple and Google have all announced their intent to support DoH.
Encrypting DNS requests is an indisputable win for privacy-minded consumers looking to prevent their ISPs from snooping on and monetizing their browsing habits. Businesses, on the other hand, should not easily surrender this visibility since managing these requests adds value, helping to keep users from navigating to sites known to host malware and other threats.
Here are three examples of how.
1. By enhancing DNS logging control
Businesses have varying motivations for tracking online behavior. For persistently troublesome users—those who continuously navigate to risky sites—it’s beneficial to exert some control over their network use or even provide some training on what it takes to stay safe online. It can also be useful in times of problematic productivity dips by helping to tell if users are spending inordinate amounts of time on social media, say.
On the other hand, for CEOs and other strategic business units, tracking online activity can be cause for privacy concerns. Too much detail into the network traffic of a unit tasked with investigating mergers and acquisitions may be unwanted, for example.
“If I’m the CEO of a company, I don’t want people paying attention to where I go on the internet,” says Webroot DNS expert Jonathan Barnett. “I don’t want people to know of potential deals I’m investigating before they become public.”
Logging too much user information can also be problematic from a data privacy perspective. Collecting or storing this information in areas with stricter laws, as in the European Union, can unnecessarily burden organizations with red tape.
“Essentially it exposes businesses to requirements concerning how they’re going to use that data, who has access to it and how long that data is preserved,” says Barnett.
By optionally never logging user information and backing off DNS logging except when a request is deemed a security threat, companies maintain both privacy and security.
2. By allowing devices to echo locally
With DoH, the local network loses visibility of DNS requests. The cumulative DNS requests made on a network help to enhance its security: tools such as SIEMs and firewalls leverage these requests to control access as well as to correlate the requests with other logs and occurrences on the network.
“Let’s say I’m on my network at the office and I make a DNS request,” explains Barnett. “I may want my DNS request to be seen by the network as well as fielded by my DNS filtering service. The network gets value out of DNS. If I see inappropriate DNS requests I can go and address the user or fix the device.”
Continuing to expose these DNS requests through an echo to the local network provides this, while the actual requests are secure and encrypted by the DNS protection agent using DoH. This option achieves the best of both worlds by adding the security of DoH to the security of the local network.
3. By allowing agents to fail open
DNS is instrumental to the functionality of the internet. So, the question is, what do we do when a filtered answer is not available? By failing over to the local network, it’s assured that the internet continues to function. However, there are times when filtering and privacy are more important than connectivity. Being able to choose if DNS requests can leak out to the local network helps you stay in control by choosing which is a priority.
“Fail open functionality essentially allows admins to make a tradeoff between the protection offered by DNS filtering and the productivity hit that inevitably accompanies a lack of internet access,” says Barnett.
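The three options above can be read as switchable policy on the endpoint agent. The following is an added example written for this article, not Webroot’s agent code: it models threat-only logging, the local echo of query names, and the fail-open versus fail-closed choice when the filtering service is unreachable. The filtering service and the LAN resolver are constructed stand-in callables so the module runs offline; a real agent would send wire-format DNS queries over HTTPS to the filtering service instead, and the threat list and addresses below are placeholders.

```python
"""Policy model for a DNS protection agent that speaks DoH (added example).

Not Webroot's agent code. Models the three options from the text as policy:
log only security threats, echo the query name to the local network, and
fail open or closed when the DoH filtering service is unreachable. Both
resolvers are injected callables (constructed stand-ins) so this runs offline.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Constructed threat list standing in for the filtering service's intelligence feed.
KNOWN_BAD = {"malware.example", "phish.example"}


class FilterUnavailable(Exception):
    """The DoH filtering service could not be reached (outage, captive portal, ...)."""


@dataclass
class AgentPolicy:
    log_only_threats: bool = True   # option 1: back off logging for benign queries
    echo_to_local: bool = False     # option 2: let SIEM/firewall still see query names
    fail_open: bool = True          # option 3: fall back to the LAN resolver on outage


@dataclass
class Verdict:
    name: str
    answer: Optional[str]   # resolved address, or None when blocked / refused
    threat: bool            # True only when the filtering service flagged the name
    filtered: bool          # False when the answer bypassed the filter (fail-open path)
    source: str             # "doh-filter", "local-fallback" or "fail-closed"


def filtering_doh_resolver(name: str) -> Tuple[Optional[str], bool]:
    """Constructed stand-in for the DoH filtering service: (address, is_threat)."""
    if name in KNOWN_BAD:
        return None, True
    return "198.51.100.10", False   # documentation-range placeholder address


def local_plaintext_resolver(name: str) -> str:
    """Constructed stand-in for the LAN resolver on port 53: answers everything, filters nothing."""
    return "192.0.2.20"


def unreachable_resolver(name: str) -> Tuple[Optional[str], bool]:
    """Simulates an outage of the filtering service."""
    raise FilterUnavailable(name)


@dataclass
class DnsProtectionAgent:
    policy: AgentPolicy
    doh_filter: Callable[[str], Tuple[Optional[str], bool]]
    local_resolver: Callable[[str], str]
    log: List[str] = field(default_factory=list)    # what the agent retains
    echo: List[str] = field(default_factory=list)   # what the local network would observe

    def resolve(self, name: str) -> Verdict:
        # Option 2: the encrypted DoH request is invisible to the LAN, so optionally
        # replay just the query name locally for correlation with other logs.
        if self.policy.echo_to_local:
            self.echo.append(name)

        try:
            answer, threat = self.doh_filter(name)
            verdict = Verdict(name, answer, threat, True, "doh-filter")
        except FilterUnavailable:
            # Option 3: no filtered answer is available; choose connectivity or protection.
            if self.policy.fail_open:
                verdict = Verdict(name, self.local_resolver(name), False, False, "local-fallback")
            else:
                verdict = Verdict(name, None, False, True, "fail-closed")

        # Option 1: retain a record only when the request was deemed a threat,
        # unless the policy asks for full logging.
        if verdict.threat or not self.policy.log_only_threats:
            self.log.append(
                f"{verdict.source} {name} threat={verdict.threat} answer={verdict.answer}"
            )
        return verdict
```

With the default policy a known-bad name is blocked and logged while benign lookups leave no record; with `fail_open=True` and the filtering service down, the same known-bad name resolves through the LAN resolver unfiltered, which is the tradeoff between protection and connectivity that the fail-open option puts in the administrator’s hands.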
Privacy your way
The encryption of DoH enables options for fine-tuning privacy preferences while preserving the security benefits of DNS filtering. Those that must comply with the needs of privacy-centric users now have control over what is revealed and what is logged, while maintaining the benefits of communicating using DoH.
Cyber News Rundown: Child Smartwatch Backdoored
Backdoor Found in Children’s Smartwatch
Researchers have discovered that the X4, made by Norwegian smartwatch seller Xplora, contains a backdoor that could allow for information to be stolen. The X4 watch is designed specifically for children with a limited number of capabilities, mostly for children’s security. The backdoor, however, could allow attackers to take snapshots, view messages, call records, and access geolocation data from the wearer. The watches are designed and built in China and it remains unclear who has access to data created and stored on the devices.
Ransomware Strikes London Borough
The London borough of Hackney recently fell victim to a ransomware attack, taking several of the council’s primary services offline. While little is still known about the attack, it’s likely that encrypted files were also stolen for auctioning to the highest bidder. Council officials are working with law enforcement to determine the initial attack vector and information that may have been targeted.
Carnival Reveals Updates to Recent Cyberattack
Nearly two months after a ransomware attack compromised a third-party vendor for the Carnival Corporation, the company announced sensitive passenger information has indeed been exposed. An undetermined number of customers and employees may be affected across three Carnival cruise lines. With 150,000 employees worldwide, and upwards of 13 million customers, this data breach could affect millions of individuals.
Ransomware Takes Aim at International Law Firm
International law firm Seyfarth Shaw has confirmed a ransomware attack targeted their systems over the weekend. While the extent of the attack remains unclear, several systems were forced offline after encryption was executed to stop additional spreading. Firm officials stated that no client information was stolen or illicitly accessed, but they are still operating without email or a live website. Some systems were saved from the attack but officials have yet to confirm if customers were affected by the breach.
Software AG Suffers Major Data Breach
German IoT specialist Software AG suffered a ransomware attack that was able to exfiltrate significant amounts of data. Officials have confirmed that, while they have been able to maintain online services throughout the attack, the malicious downloading of an unknown amount of sensitive data did take place. The attacking group has not yet been identified, but other attacks of similar scale have cost companies anywhere from $20 million to $70 million in ransoms for the return of their data.
Cyber News Rundown: COVID-related Attacks Target Canadian Companies
New Jersey Hospital Pays Massive Ransom
Officials have decided to pay roughly $670,000 in ransom following a ransomware attack on the University Hospital in New Jersey. The hospital was likely forced into this decision after being unable to restore from backups the 240GB of data stolen in the attack on their systems. It’s not entirely clear what information was stolen, but given the haste of payment it was likely highly sensitive patient data.
COVID-Related Cyberattacks Target Canadian Companies
A recent survey revealed that over 25% of all Canadian business organizations had been targeted by a COVID-19-themed cyberattack since the beginning of the year. Most of the organizations surveyed also reported seeing a significant rise in overall cyberattacks since the pandemic began. Worrisome findings also revealed that 38% of organizations surveyed were unsure if they had fallen victim to any type of cyberattack, which could mean the amount of customer information for sale on black markets could be significantly higher.
Boom! Mobile Website Compromised
Customer data has been compromised for users of the Boom! Mobile website, which was infiltrated by malicious JavaScript. It’s still unclear how the unauthorized code got onto the site or how long it was active. Officials for the mobile company have confirmed they do not store payment card data and that no Boom! Mobile accounts were compromised.
Major Ransomware Attacks Increase Through Q3
Researchers have reported a massive increase in ransomware attacks in Q3 of 2020, with the Maze group being responsible for 12% of all attacks. They also reported that Ryuk ransomware variants were responsible for an average of 20 attacks per week. With the ongoing neglect of cybersecurity in major corporations, ransomware attacks will likely continue as long as their authors find them profitable.
Chicago Food Delivery Service Stricken with Data Breach
Nearly 800,000 customer records were compromised following a data breach at ChowBus, a Chicago-based food delivery service. With roughly 440,000 unique email addresses exposed, many individuals are now more susceptible to additional phishing attacks or identity theft. Fortunately, however, ChowBus does not store payment card information on its site.
It’s Time to Talk Seriously About Deepfakes and Misinformation
Like many of the technologies we discuss on this blog—think phishing scams or chatbots—deepfakes aren’t necessarily new. They’re just getting a whole lot better. And that has scary implications for both private citizens and businesses alike.
The term “deepfakes,” coined by a Reddit user in 2017, was initially most often associated with pornography. A once highly trafficked and now banned subreddit was largely responsible for developing deepfakes into easily created and highly believable adult videos.
“This is no longer rocket science,” an AI researcher told Vice’s Motherboard in an early story on the problem of AI-assisted deepfakes being used to splice celebrities into pornographic videos.
The increasing ease with which deepfakes can be created also troubles Kelvin Murray, a senior threat researcher at Webroot.
“The advancements in getting machines to recognize and mimic faces, voices, accents, speech patterns and even music are accelerating at an alarming rate,” he says. “Deepfakes started out as a subreddit, but now there are tools that allow you to manipulate faces available right there on your smartphone.”
While creating deepfakes used to require good hardware and a sophisticated skillset, app stores are now overflowing with options for creating them. In terms of technology, they’re simply a specific application of machine learning technology, says Murray.
“The basics of any AI system is that if you throw enough information at it, it can pick it up. It can mimic it. So, if you give it enough video, it can mimic a person’s face. If you give it enough recordings of a person, it can mimic that person’s voice.”
There are several ways deepfakes threaten to redefine the way we live and conduct business online.
Deepfakes as a threat to privacy
A stolen credit card can be cancelled. A stolen identity, especially when it’s a mimicked personal attribute, is much more difficult to recover. The hack of a firm dedicated to developing facial recognition technology, for instance, could be a devastating source of deepfakes.
“So many apps, sites and platforms host so many videos and recordings today. What happens when they get hacked? Will the breach of a social media platform allow a hacker to impersonate you?” asks Murray.
Businesses must be especially careful about the data they collect from customers or users, asking both if it’s necessary to collect and if it can be stored safely afterwards. If personal data must be collected, security must be a top priority, and not only for ethical reasons. Governments are starting to enact some strict regulations and doling out some stiff fines for data breaches.
Ultimately, Murray thinks those governments may need to weigh in more heavily on the threat of deepfakes as they become even more indistinguishable from reality.
“We’re not going to stop this technology. It’s here. But people need to have the discussion about where we’re heading. In the same way GDPR was created to protect people’s data, we’re going to need to have a similar conversation about deepfakes leading to a different kind of identity theft.”
Deepfakes as a cybersecurity threat to businesses
It’s important to note the ways in which deepfakes can be used to target businesses, not just to spoof individuals.
“These business-related instances aren’t too common yet,” says Murray. “But we’re at the beginning of a wave right now in terms of AI-enabled threats against businesses.”
A late 2019 attack against a U.K. energy firm could be a sign of scary things to come. Rather than video, this attack took advantage of voice-spoofing technology to pose as an executive’s manager, insisting he wire nearly $250 thousand to a “supplier” immediately. In the aftermath of the scam, the victim reported being convinced by both the accent and the rhythm of the fake speech pattern.
To safeguard against what could be a rising attack method, Murray recommends businesses understand what deepfakes are capable of and follow best practices for avoiding fraud, no matter the technology.
“Have a well-defined protocol for changing account details and signing off on any invoices,” he advises. “Train financial and accounting teams especially rigorously on these protocols and encourage them to pick up the phone and double-check when anything seems strange or off. In these days of increased working from home it’s also tougher for financial staff to walk up to other finance or sales colleagues and make informal double checks.”
Deepfakes and misinformation campaigns
Soon after deepfakes went mainstream, implications for politics and the weaponization of misinformation became clear, prompting the U.S. Senate to address the issue in 2018.
While initially used to humiliate or extort people, mostly women, malicious actors began to see them as a way to sway public opinion or sow chaos. Deeptrace, a company dedicated to uncovering deepfakes, has noted instances where manipulated video was used to promote social discord and scandal across the globe.
“Deepfakes further undermine our ability to believe what we read, and now even watch, on the internet,” says Murray. This leads to widespread distrust, especially on issues where understanding is crucial, like the coronavirus pandemic, where misinformation is bountiful.
To combat misinformation, Murray advises keeping in mind how much of it is out there. Always consider the source of the information you’ve received before acting on it, especially if it makes you angry or elicits some other strong emotional response.
Deepfakes will likely make the internet even more difficult to rely on as a source of information in the years to come. But reducing their impact starts with understanding how far they’ve come and what they’re capable of.
Cyber News Rundown: Ryuk Wreaks Healthcare Havoc
Ryuk Shuts Down Universal Health Services
Computer systems for all 400 Universal Health Services facilities around the globe have reportedly been shut down following an attack by the Ryuk ransomware group. Ryuk is known for targeting large organizations, but the healthcare industry has been gaining popularity among these groups due to high volumes of sensitive information and typically low levels of security. It’s unknown if the healthcare firm has paid ransoms for the encrypted data or if they are restoring systems from available backups.
Global Insurance Firm Targeted by Ransomware
The Fortune 500 insurance firm AJG was forced to take several computer systems offline over the weekend after identifying a cyber-attack. It’s still unclear which ransomware variant was responsible for the attack and officials with the firm haven’t revealed if customer or employee information was stolen. Third-party researchers confirmed multiple AJG servers, unpatched for a serious vulnerability, could have been the entry point for the attack.
French Shipping Company Knocked Offline by Ransomware
All computer systems and websites belonging to CMA CGM, a French shipping giant, were knocked offline by a crippling ransomware attack. This makes CMA CGM the fourth international shipping company in as many years to fall victim to a cyberattack, a pattern that has proven profitable for the attackers. The company has verified that the Ragnar Locker ransomware group was behind the attack, though they have not revealed the ransom asked.
Cyber Attack Forces Swatch to Disconnect Online Services
Though not confirmed by Swatch, the Swiss watchmaker was reportedly forced to take many of their systems offline after likely falling victim to a ransomware attack. While the company did not verify the type of attack, ransomware’s prevalence this year makes it a likely culprit. Swatch has announced they plan to seek legal action against the attackers.
DDoS Attacks See Substantial Rise in 2020
There were over 4.8 million DDoS attacks during the first half of 2020, a 15% rise over the same period last year. May alone saw more than 900,000 DDoS attacks, a record for most in a single month. Ninety percent of these attacks lasted for under an hour, marking another shift from previous years’ attacks. They have also increased in complexity, leaving victims and researchers with little time to defend themselves.
False Confidence is the Opposite of Cyber Resilience
Have you ever met a person who thinks they know it all? Or maybe you’ve occasionally been that person in your own life? No shame and no shade intended – it’s great (and important) to be confident about your skills. And in cases where you know your stuff, we encourage you to keep using your knowledge to help enhance the lives and experiences of the people around you.
But there’s a big difference between being reasonably confident and having false confidence, as we saw in our recent global survey. Featured in the report COVID-19 Clicks: How Phishing Capitalized on a Global Crisis, the survey data shows that, all over the world, people are pretty confident about their ability to keep themselves and their data safe online. Unfortunately, people are also still getting phished and social engineering tactics aimed at employees are still a major way that cybercriminals successfully breach businesses. These data points strongly suggest that we aren’t all being quite as cyber-safe as we think.
Overconfidence by the Numbers
Approximately 3 in 5 people (59%) worldwide think they know enough to stay safe online.
You may think 59% doesn’t sound high enough to earn the label of “false confidence”. But there were two outliers in our survey who dragged the average down significantly (France and Japan, with only 44% and 26% confidence, respectively). If you only take the average of the five other countries surveyed (the US, UK, Australia/New Zealand, Germany and Italy), it’s a full ten percentage points higher at 69%. UK respondents had the highest level of confidence out of all seven regions surveyed with 75%.
8 in 10 people say they take steps to determine if an email message is malicious.
Yet 3 in 4 open emails and click links from unknown senders.
When so many of us claim to know what to do to stay safe online (and even say we take steps to determine the potential sketchiness of our emails), why are we still getting phished? We asked Dr. Prashanth Rajivan, assistant professor at the University of Washington and expert in human behavior and technology, for his take on the matter. He had two important points to make.
Individualism
According to Dr. Rajivan, it’s important to note that Japan had the lowest level of confidence about their cybersecurity know-how (only 26%), but the survey showed they also had the lowest rate of falling victim to phishing (16%). He pointed out that countries with more individualistic cultures seem to align with countries that ranked themselves highly on their ability to keep themselves and their data safe.
“When people adopt a less individualistic mindset and, instead, perceive themselves to have a greater responsibility to others, their average level of willingness to take risks decreases. This is especially important to note for businesses that want to have a cyber-aware culture.”
– Prashanth Rajivan, Ph.D.
The Dunning-Kruger Effect
Another factor Dr. Rajivan says may contribute to overconfidence in one’s ability to spot phishing attacks might be a psychological phenomenon called the “Dunning-Kruger Effect”. The Dunning-Kruger Effect refers to a cognitive bias in which people who are less skilled at a given task tend to be overconfident in their ability, i.e. we tend to overestimate our capabilities in areas where we are actually less capable.
How These Numbers Affect Businesses
Only 14% of workers feel that a company’s cyber resilience is a responsibility all employees share.
The correlations between overconfidence and individualism may also translate into a mentality that workers are not responsible for their own cybersecurity during work hours. While 63% of workers surveyed agree that a cyber resilience strategy that includes both security tools and employee education should be a top priority for any business, only 14% felt that cyber resilience was a shared responsibility for all employees.
How to Create a Cyber Aware Culture
The short answer: a strong combination of employee training and tools.
The long answer: when asked what would help them feel better prepared to avoid phishing and prevent cyberattacks, workers worldwide agreed that their employers need to invest more heavily in training and education, in addition to strong cybersecurity tools. Dr. Rajivan also agrees, stating that, if employers want to build cybersecurity awareness into their business culture, then they need to invest heavily in their people.
“By creating a feeling of personal investment in the individuals who make up a company, you encourage the employees to return that feeling of investment toward their workplace. That’s a huge part of ensuring that cybersecurity is part of the culture. Additionally, if we want to enable employees to assess risk properly, we need to cut down on uncertainty and blurring of context lines. That means both educating employees and ensuring we take steps to minimize the ways in which work and personal life get intertwined.”
– Prashanth Rajivan, Ph.D.
Additionally, he tells us, “Human behavior is shaped by past experiences, consequences and reinforcement. To see a real change in human behavior related to phishing and online risk-taking habits in general, people need frequent and varied experiences PLUS appropriate feedback that incentivizes good behavior.”
Ultimately, the importance of training can’t be emphasized enough. According to real-world data from customers using Webroot® Security Awareness Training, which provides both training courses and easy-to-run, customizable phishing simulations, consistent training can reduce click rates on phishing scams by up to 86.5%.
It’s clear a little training can go a long way. If you want to increase cyber resilience, you have to minimize dangerous false confidence. And to do that, you need to empower your workforce with the tools and training they need to confidently (and correctly) make strong, secure decisions about what they do and don’t click online.