It was recently confirmed that Energias
de Portugal (EDP), one of the largest energy producers in the world, has
fallen victim to the Ragnar Locker ransomware variant. The original attack took
place in April but was only discovered in May after nearly three weeks of being
active on their systems. After contacting affected customers, the company also
revealed it was subject to a Bitcoin ransom of roughly $10 million to ensure
the stolen data wasn’t publicly released.
Xchanging MSP Falls Victim to Ransomware
An MSP known as Xchanging,
which primarily serves the insurance industry, was hit with a ransomware attack
over the weekend that forced it to take many of its systems offline. Though the
attack was largely confined to Xchanging’s systems and only affected a small
number of customers, it is still unclear how long the infection was active
before discovery. In a statement, the company says it’s working to restore access
to customer operating environments as quickly as possible.
Fitness Firm Exposes Customer Info
Nearly 1.3 million customer files and photos were
compromised after the fitness firm V
Shred was breached, potentially affecting up to 100,000 clients. The data was
stored on an improperly configured Amazon S3 bucket that was discovered as a
part of a larger mapping project that had already located several similar leaks.
While V Shred confirmed much of the data was publicly available, it originally
denied that the dataset itself contained full names, addresses, and other
highly sensitive personal information that could be used maliciously.
Magecart Group Surpasses 570 Victim Sites
In the three years since Magecart Group 8’s initial foray onto
the card-skimming scene, it has successfully compromised over 570 e-commerce
sites around the world. More than 25 percent of the attacks targeted US domains
and stemmed from 64 unique attack domains that were able to distribute injected
JavaScript software with relative ease. Many were nearly identical to
legitimate domains. It’s believed the group has netted over $7 million from selling
stolen payment card information since April 2017.
Clubillion Casino App Leak Could Affect Millions
A database containing personally identifiable information on
millions of users of the casino app Clubillion
was compromised in late March. The breach was discovered and secured within five
days, though heavy traffic to the site may have enabled the compromise of hundreds
of thousands more individuals in that time. These types of apps are common targets
of cyberattacks because they hold such large quantities of sensitive data that
can be used for further attacks by leveraging the stolen data.
“What’s an evasive attack? At a very basic level, it’s exactly what it
sounds like; it’s a cyberattack that’s designed to hide from you,” says Grayson
Milbourne, Security Intelligence Director at Webroot, an OpenText company.
Based on Grayson’s initial explanation, you can imagine
that evasive tactics are pretty common throughout cybercriminal activities. But
they’re especially prevalent in the context of scripts. Scripts are pieces of
code that can automate processes on a computer system. They have tons of
legitimate uses, but, when used maliciously, they can be extremely effective
and difficult to detect or block.
With Grayson’s
help, we’ll talk you through some of the common script evasion techniques that
criminals use.
LolBins
Living off the
Land Binaries (“LoLBins”) are
applications that a Windows® system already has on it by default. Funny name
aside, they’re extremely useful for attackers because they provide a way to
carry out common steps of an attack without having to
download anything new onto the target system. For example, criminals can use
them to create persistency (i.e. enable the infection to continue operating
after a reboot), spread throughout networked devices, bypass user access
controls, and extracting passwords or other sensitive information.
There are dozens of
LoLBins for criminals to choose from that are native to the Windows
OS, such as powershell.exe, certutil.exe, regsr32.exe, and many more.
Additionally, there are a variety of common third party applications that are
pretty easy to exploit if present, such as java.exe, winword.exe, and
excel.exe.
According to Grayson, this is one of the ways malicious hackers disguise their activities, because default OS applications are unlikely to be detected or blocked by an antimalware solution. He warns, “unless you have strong visibility into the exact commands that these processes are executing, then it can be very hard to detect malicious behavior originating from LoLBins.
Script Content Obfuscation
Like LoLBins and
scripting overall, hiding the true content or behavior of a script—or content “obfuscation”—has completely
legitimate purposes. But, in terms of malicious hacking, it’s pretty
self-explanatory why obfuscation would lend itself to criminal activities. The
whole point is not to get caught, right? So it makes sense that you’d take
steps to hide bad activities to avoid detection. The screenshots below show an
example of obfuscated code (top), with its de-obfuscated version (bottom).
Fileless and
Evasive Execution
Using scripts,
it’s actually possible to execute actions on a system without needing a file.
Basically, a script can be written to allocate memory on the system, then write
shellcode to that memory, then pass control to that memory. That means the
malicious functions are carried out in memory, without a file, which makes
detecting the origin of the infection (not to mention stopping it) extremely
difficult.
Grayson explains,
“one of the issues with
fileless execution is that, usually, the memory gets cleared when you reboot
your computer. That means a fileless infection’s execution could be stopped
just be restarting the system. Persistence after a reboot is pretty top-of-mind
for cybercriminals, and they’re always working on new methods to do it.”
Staying
Protected
The Windows® 10 operating system now includes Microsoft’s Anti-Malware Scan
Interface (AMSI) to help combat the growing use of malicious and obfuscated
scripts. That means one of the first things you can do to help keep yourself
safe is to ensure any Windows devices you own are on the most up-to-date OS
version.
Additionally, there are several other easy steps that can help ensure an effective and resilient cybersecurity strategy.
Keep
all applications up to date
Check all Windows and third party apps regularly for updates (and actually run
them) to decrease the risk of having outdated software that contains
vulnerabilities criminals could exploit.
Disable
macros and script interpreters
Although enabling macros has legitimate applications, the average home or
business user is unlikely to need them. If a file you’ve downloaded gives you a
warning that you need to enable macros, DON’T. This is another common evasive
tactic that cybercriminals use to get malware onto your system. IT admins
should ensure macros and script interpreters are fully disabled to help prevent
script-based attacks. You can do this relatively easily through Group Policy.
Remove
unused 3rd party apps Applications such as Python and Java are often unnecessary. If present and
unused, simply remove them to help close a number of potential security gaps.
Educate
end users End users continue to be a business’ greatest vulnerability. Cybercriminals
specifically design attacks to take advantage of their trust, naiveté, fear,
and general lack of technical or security expertise. By educating end users on
the risks, how to avoid them, and when and how to report them to IT personnel,
businesses can drastically improve their overall security posture.
Use
endpoint security that includes evasive script protection In a recent update to Webroot® Business Endpoint Protection, we released a
new Evasion Shield policy. This shield leverages AMSI, as well as new,
proprietary, patented detection capabilities to detect, block, and quarantine
evasive script attacks, including file-based, fileless, obfuscated, and
encrypted threats. It also works to prevent malicious behaviors from executing
in PowerShell, JavaScript, and VBScript files, which are often used to launch
evasive attacks
Malicious hackers
are always looking to come up with new ways to outsmart defenses. Grayson
reminds us, “It’s up to all
of us in cybersecurity to research these new tactics and innovate just as
quickly, to help keep today’s businesses and home users safe from tomorrow’s
threats. There’s always more work to be done, and that’s a big part of what
drives us here at Webroot.”
To learn more about evasive scripts and what Webroot is doing to combat them,
we recommend the following resources:
Over 30 news sites were compromised in the latest WastedLocker
attack that affected many sites under a single parent company. Of the more than
30 companies targeted, eight belong to the Fortune 500 group and were in the
early stages of a experiencing a fully encrypting ransomware attack. Luckily, security
teams monitoring these sites acted quickly and were able to block attacks against
some sites while mitigating extensive damage to others. The infiltration of
these sites was caused by employees accessing previously injected websites and compromising
themselves in the process.
UCSF Pays Hefty Ransom
Following a ransomware attack on the University
of California San Francisco (UCSF) last
month, officials have decided to pay a ransom of $1.14 million to decrypt several
vital systems. The ransom amount was decided upon after negotiations between
the university and the attackers. The original ask was around $3 million but
was cut to less than half and was paid the following day. UCSF is one of three universities
targeted with ransomware by the Netwalker hacker group in June that decided to
pay a ransom to restore normal network function.
EvilQuest Wiper Targets MacOS
A new malicious actor has taken aim at MacOS with an info-stealer
disguised as a ransomware attack that goes by the name of EvilQuest.
Upon execution of the malicious installer, the malware begins encrypting files
indiscriminately and displays a ransom note demanding only $50 in Bitcoin for
decryption. The notice of encryption, however, is merely a cover for the damage
occurring behind the scenes: sensitive files removed from the system with no
way to retrieve them.
Fake DNS Update Looks to Steal Login Credentials
Researchers have spotted a new malicious email campaign that
spoofs security companies and claims to offer a DNS update
if the domain admin enters their credentials. Using a surprisingly accurate
landing page, which mocks the real login sites convincingly, the site user is instructed
to log in to update. To make matters worse, the attackers can scan for the
site’s hosting service and customize the fake landing page to their specific
victim, thus ensuring a higher probability of gaining their login info.
Passports Compromised in COVID19 Scam
In the continuing saga of COVID19
HMRC scams, attackers in Great Britain have begun focusing on the passport
details of self-employed individuals in hopes of attaining personal or banking
information. The scam itself originates as a text message with an urgent
warning for the recipient to access a legitimate looking Her Majesty’s Revenue
and Customs site to receive a tax refund. Dozens of victims have been identified
across London. With these login credentials alone, attackers could access much
of the victims’ data.
After surveying more than
10,000 people in 50 states about their cybersecurity habits, we wound up with
some pretty surprising results. Like the fact that tech experts demonstrate
riskier behaviors than average Americans. But the most significant result of
all was the fact that most Americans are more confident than they should be
when it comes practicing good cyber hygiene. So, we thought this would be a
good opportunity to highlight a few of the riskiest behaviors from the report and
suggest ways to correct them and minimize your chances of falling for a
cyberattack.
Small business owners beware
The problem
– It’s not easy being a home-based business owner. Also known as very small
businesses (VSBs), they’re often too busy and stretched thin just running their
businesses. They often lack the time and resources to do everything they should
to protect their important business files from online threats.
Risky habits
– Around 80% of VSB owners use the same device for both work and personal use.
In addition, 71% use the same password for their personal and business
accounts, putting both their personal life and company at risk.
The fix
– Owning separate devices for personal
and small business use can be cost-prohibitive. But you can enforce better
security by partitioning business files on your hard drive and creating a
secure password to access those files. Make sure that password is different
from any you’re using for personal use. Again, easier said than done in today’s
world of password proliferation. If you’re struggling keeping track of all your
passwords, consider using a password management app, especially for business
files.
Knowing is half the battle
The problem
– There is a gap between awareness and real understanding of cyber-related
attacks. Most Americans can confidently explain phone scams but are not as
equipped to explain malware or phishing. This indicates that Americans may not
be as prepared to confront risks as they think.
Risky habits
– Americans who never read the news are 70% less likely to recognize malware, phishing,
ransomware or crypto-mining, and 51% less likely to be able to confidently
explain these risks. Compare this with 89% of Americans who consistently
consume technology news and can confidently explain common cybersecurity risks.
The fix
– Not everyone can afford security
awareness training, but if you’re a business, consider the cost and
consequences of a data breach to your business. Regular security awareness
training can significantly increase your ability to identify and prevent a
malware or phishing attack. If you’re a consumer or VSB owner, you can easily
find free sources of cybersecurity news (like this one!). As the report shows,
being a regular reader of tech news can significantly raise your awareness and
reduce your risk.
Digital defense and immunity
The problem
– One in five Americans say they’ve been impacted by malware in the past year.
While 61% of Americans say they’ve not been impacted, 18% aren’t sure. And with
only 32% of Americans who feel they understand cyber-related attacks, it’s
likely that many more have been impacted and just don’t know it.
Risky habit
– Many businesses and users haven’t updated their defenses. They haven’t
updated their antivirus protection to include cloud-based threat intelligence,
AI and machine-learning (ML). Or they’re failing to install necessary patches
to plug holes in applications. And they’re still running obsolete operating
systems, like Windows 7 or Server 2008, leaving them highly exposed.
The fix
– For today’s advanced threats, you need multiple layers of protection,
including advanced antivirus as well as backup. Having just one of these layers
is not enough. Perimeter protection with AI/ML functionality is critical for
identifying polymorphic code that changes with each device it seeks to infect. Backup
is essential for mitigating phishing attacks and disaster scenarios.
Cybercriminals can also identify outdated operating systems. So, it’s worth the
extra cost to update them, even if the hardware they’re running on is still
functioning normally.
Identity theft
The problem –
Poor cybersecurity often leads to identity theft. Failing to wipe a device
before discarding it is one problem. So is sharing personal information on
social media and video streaming sites. The more hackers know about you, the
easier it is for them to impersonate you online.
Risky habits
– A quarter of Americans have had their identity stolen, including 8% who have
been a victim of identity theft more than once. Twice as many people who use
mobile banking apps have been victims compared with those who don’t. Across
industries, those in technology, banking and automotive are most likely to
become victims of identity theft.
The fix– Cover your tracks wherever you go. Erase the contents on a device before discarding it. Beware of the personal information you reveal on social media. And be careful when using banking apps and websites. Use two-factor authentication (2FA) when using the app. If you’re using the bank’s website, go directly to it by typing the URL into your browser, or use a bookmark that you trust and have used before. Be careful when searching or googling the bank’s name, which could return a spoof site in the top results.
Something phishy
The problem –
We knew phishing was a problem. In fact, it may be even bigger than our results
indicate. A lot of users don’t know how to identify phishing scams. You can’t
protect yourself from threats you don’t see coming.
Risky habits
– According to the report, 36% of respondents claim to have fallen for a
phishing scam. But more enlightening is that only 35% claim to know how to identify
a phishing attack. Similar to the lack of understanding about cyber-related
attacks in general, the report seems to indicate that phishing is far more
prevalent than the data indicate.
The fix
– Learn the tricks of the phishing trade,
like bogus URLs and emails that ask you to confirm personal and banking
information. Remember, bank logos can be easily faked. And banks won’t
typically reach out to you for information they already have on file. If someone
claiming to be from a bank contacts you by phone, call them back on an
authentic customer service number from one of your banking statements.
Where to learn more
Want to read the complete 2020
state-by-state results? You can download a copy here. If you have any
questions about improving your cyber security habits, feel free to reach out to us.
While the proliferation of encrypted DNS is being driven by
consumer privacy, businesses will want to take notice. Encrypted DNS – also
known as DNS over HTTPS, or DoH – obscures internet traffic from bad actors. But
it also has the potential to decrease visibility for IT admins whose
responsibility it is to manage DNS requests for their organizations. So, what’s
the solution? Strangely, DoH.
As previously mentioned, DoH is now the default for Mozilla Firefox. It’s also available in Google Chrome and other Chromium-based browsers. This is a win for consumers, who have newfound control over who can see where they’re going on the internet.
However, by surrendering control over DNS requests to the
browser, IT administrators lose the ability to apply filtering to DNS requests.
Encrypted DNS that skirts the operating system eliminates the visibility that
IT admins need to ensure security for internet traffic on their networks. It
also prevents the business from being able to run threat intelligence against
DNS requests and identify dynamic malware that could circumvent consumer DoH
implementations. This leads to gaps in security that businesses can’t afford.
Staying ahead of the curve
There is a way to ensure privacy over DNS requests while
maintaining control and visibility into network activity. The solution is to apply
DoH across the entire system, not just browser activity. By wresting control over
DNS requests from the browser, the agent can instruct Firefox not to engage its
DoH feature. The same holds true for Chrome users running DoH. These requests are
passed back through the operating system, where the DNS solution can manage
them directly. This helps support both filtering and visibility.
An advanced agent
will manage DNS requests on the device securely through DoH so the requests go directly
to the server with no other entity having visibility into them. At the same
time, the agent can apply threat intelligence
to ensure requests aren’t resolving to malicious destinations. Admins have
visibility into all DNS requests, and the requests are encrypted.
When the agent detects a prohibited resource, it returns the
IP address of a block page. So, if there’s a virus on the system and it’s
trying to access a command and control server to deliver a malicious payload,
it won’t be able to. It also prevents botnets from being able to connect since
they also leverage DNS. For any process that requests something from the
internet, if it doesn’t get the resource that it’s requesting, it’s not going
to be able to act on it.
Privacy plus security
The novel coronavirus didn’t start the mobile workforce phenomenon,
but it certainly has accelerated it. The traditional perimeter firewall with
all systems and devices living behind it no longer exists. Modern networks
extend to wherever users connect to the internet. This includes the router someone
bought from a kid down the street, and the home network that was set up by a
consulting company 10 years ago and hasn’t been patched or updated since.
When someone on their home network opens a browser and goes
to their favorites, they’re not expecting to get phished. But if they’re resolving
to an alternative IP address because DNS is not being managed, is broken or is being
redirected, they may be exposed to phishing sites. Enter encrypted DNS as another
layer of protection within your cyber resilience portfolio. It starts working
against a higher percentage of threats when you stack it with other layers, reducing
the likelihood of being infected. It also addresses a blind spot that allows exploits
to go undetected.
Embracing DoH
Privacy is the main driver for DoH adoption by consumers,
while business agendas are generally driven by security. As a business, controlling
DNS requests allows you to protect both the business and the user. If you don’t
have that control and visibility, the user is potentially more exposed. And, if
you don’t apply threat intelligence and filtering to DNS requests, a user can more
easily click on malware or land on a phishing site.
It didn’t take long for COVID-19 to completely alter the way
we work. Businesses that succeed in this rapidly changing environment will be
the ones that adapt with the same velocity. In our second installment from The Future
of Work
series, you’ll hear from Webroot Product Marketing Director George Anderson,
who shares his perspective on how businesses will need to adapt and evolve to
stay on course during and after the global coronavirus pandemic.
How has COVID-19 changed cybersecurity
and cyber resilience planning? What will be the most important steps to take
moving forward?
In some ways not at all. We were already existing in a
fairly perimeter-less network world. There was already a hybrid between on- and
off-network staff, and reviewing where data was being worked upon, accessed and
secured, and asking how data was being processed and secured during its journey.
Many businesses data was already split between user devices and the cloud.
Confidentiality, integrity and availability in the case of
cyber-attacks or other forms of potential data loss need to be clearly understood
as before, and any weaknesses addressed. The imperative is to have a safe data
cloud in place both in terms of security and recovery.
The steps to take include:
Setting up regular and if practical continuous risk
assessment to get visibility of data risks
Understanding where the greatest risks and weaknesses exist
in people, process and technology
Investing and allocating appropriate budget to address where
the greatest data loss and compromises could and would now occur
What could the future look like after
the coronavirus? Specifically, what will change in IT and business?
Not everyone will want to choose to continue working from
home. While the savings in closing offices down are attractive to businesses,
they are not necessarily the same for an employee whose home environment is not
conducive to work. These employees may seek alternative employment to remove the
burden of working from home if an office option is not available. IT has
already, for the most part, moved to the cloud where it can, and remained
on-prem where it needs to be because of security, compliance and control. The
main IT imperatives will be factors like secure 5G and faster communications
for better collaboration.
In business, people buy from people. And face-to-face
interaction is the norm. While this will reduce in the near-term, in the long
run, peoples’ wellness depends on social interaction. Businesses that ignore
that will not thrive. However, businesses are generally going to be more open
to remote working roles and a lot better positioned to recruit staff for remote
work, without them necessarily being close to physical offices.
IT investments will shift in the coming
months, what will take precedence for companies as they go back to ‘business as
usual’?
The pandemic will make companies look, in broader terms, at
the all the risks to their business. And they’ll use IT where practical to put
protections and assistance in place. More holistic Disaster Recovery springs to
mind as benefiting from this pandemic, as does better backup of user desktops
that particularly among MSPs and SMBS has not been a priority in the past.
What advice do you have for SMBs who
will need time and a renewed economy to recover?
There will be many opportunities as the economy comes back
and many holes where competitors and others have failed. An approach that is
flexible and can react to those opportunities is essential. So, look to
business arrangements in IT, Finance, HR and other key areas that will let you
maximize your ability to take advantage of new opportunities. If you have not
looked to an MSP to help you in the past then now is the time to look at how
experts in remote management an remote working like an MSP can help?
For a step by step guide on how to improve business cyber
resilience click here.
Most major tech blogs have run some variation of the
following headline in recent months: Is it worth paying for an antivirus
solution anymore?
The insinuation, of course, is that built in antivirus
solutions for Mac and Windows machines have progressed to such a point that
it’s no longer worth reinforcing them with a paid solution.
While it’s sure to generate clicks, many of the answers from
tech writers are either convoluted or hedged
to the point of not really providing an answer. Let’s explore the question more
here.
The state of built-in security
Even our own experts will join third-party voices in
admitting that built-in solutions like Windows Defender Security Center
(previously Windows Defender) have improved significantly in terms of effective
malware protection.
“Windows Defender has come a long way since the days of
Windows XP and Windows 7,” says Webroot security analyst Tyler Moffitt. “It’s
better than we’ve ever seen. But it’s still not enough.”
PC Magazine lead analyst Neil Rubenking recently said
much the same, writing “Windows Defender’s own developers seem to
consider it a Plan B, rather than a main solution. If you install a third-party
antivirus, Windows Defender goes dormant, so as not to interfere.”
While many built-in antivirus solutions do reasonably well
at turning away well-known strains of malware, it’s the new, sophisticated
variations that tend to have success outsmarting them.
“Top-tier campaigns like Bitpaymer and Ryuk ransomware, or
Trickbot and dridex Trojans—these are all going to get past a lot of built-in
antivirus software.”
Evasive scripts are another source of trouble for much
built-in security software. This newly common type of attack relies on a user
clicking on a link in a “malspam” email, which then downloads a malicious
payload. Interfaces like Command Line and PowerShell are often used to launch
these attacks. If those terms are unfamiliar, it’s simply important to remember
that they are script-based and regularly evade built-in security.
“There is a growing trend that many people feel that they
don’t need any security software on their computers and that out-of-the-box
security is enough,” says Moffitt. “The reality is that it’s not enough and
built-in software has proven time and time again that it will be beaten by
malware.”
What you really need from your online security
First off, multi-layered security. Traditional malware isn’t
the only type of threat to watch out for nowadays. In addition to the
script-based attacks mentioned above, mal-vertising campaigns are frequently
launched from legitimate sites using
exploits in runtimes like Java, Silverlight and flash. Drive-by
downloads and pop-up ads can secretly install crypto miners and malicious
programs on a machine without a user knowing it, some miners don’t even need to
download, but your browser will be hijacked and max out CPU to mine cryptocurrency.
And phishing campaigns are becoming increasingly
favored by cybercriminals based on their cost-effectiveness.
“While free solutions offer better security than most
built-in solutions, you can’t beat premium solutions that utilize multiple
layers of security and are backed by cutting-edge technologies like
massive-scale machine learning and contextual analysis engines,” says Moffitt.
What else should you look for in an antivirus solution for
the home? Here are a couple features:
Something lightweight—By that, we mean
something that doesn’t take up a lot of memory or resources on your machine.
Gamers should especially insist on this quality from an antivirus, but it
should appeal to a broader market as well. “This is especially useful if
you’re using your own devices to work from home during the pandemic and are
worried that security solutions would slow your machines down,” says
Moffitt.
Customer service—Something you’re
unlikely to get from a built-in provider. It’s hard to underestimate the value
of a dedicated team standing by to help you troubleshoot if something goes
wrong. Especially if tech isn’t your sweet spot, you don’t want to commit to
long periods of waiting for a response from a global tech giant, or worse, no
support team at all.
A VPN for privacy—This is especially
important if working from home is your new normal. “Not only are VPNs a great
way to add a layer of protection by filtering out malicious webpages like
phishing, but they are also a must if you are handling customer information for
work,” says Moffitt. Making sure that critical data is protected at rest and in
transit could help shield your company from major data security compliance
fines.
It’s no surprise that we advocate not relying on built-in
antivirus protection to safeguard your data and devices. But our concerns
aren’t unfounded. We’ve simply seen too many fails to protect at the level they
promise. Expect more from your online security solutions and strengthen your
digital fitness, today.
Knoxville,
Tennessee officials have been working over the past week to secure systems
and determine if any sensitive information was stolen after a ransomware attack
was identified. Fortunately, city IT staff were able to quickly implement security
protocols and shut down critical systems before the infection could spread.
Within the day, many of the targeted city domains were redirected to new sites,
allowing city services to operate normally.
Magecart Attacks Multiple Online Retailers
Malicious Magecart
scripts have been identified in recent months on multiple domains belonging to
online retailers. Following the registration of a fake domain related to
Claire’s in March, several weeks of inactivity passed before code was again spotted
on Claire’s websites being used to intercept payment card transactions. It was
finally removed from the company’s domains in the second week of June, but not
before leaving thousands of customers potentially compromised.
Maze Ransomware Infiltrates US Chipmaker
The computer systems of MaxLinear,
a U.S. computer chip maker suffered a Maze ransomware attack that forced them
to take their remaining systems offline. Officials discovered that for more
than a month there was unauthorized access resulting in the leak of over 10GB
of stolen data from an alleged trove of over 1TB of total data. MaxLinear has
since refused to pay the ransom and been in contact with affected customers.
The manufacturer does not believe future operations will be delayed.
Over 100 NHS Email Accounts Compromised
Within the last two weeks a phishing campaign hit the National
Health Service (NHS), successfully accessing over 100 internal email
accounts. The affected accounts make up an extremely small portion of total NHS
email accounts, of which there are nearly 1.4 million in total. The hacked accounts
were used to distribute a malicious spam campaign designed to steal credentials
through a fake login page.
Following the multi-way merger that resulted in the
formation of DraftKings
Inc., DraftKings revealed that one of the subsidiaries, SBTech, suffered a
ransomware attack within weeks of the merger being finalized. While it is still
not known what variant of ransomware was used in the cyberattack, officials
have determined that no information was compromised. Rather, the attack was
focused on taking their online systems down. Though SBTech was required to
create a significant emergency fund preceding the merger, the deal seems to
have been unaffected by the attack.
As these times stress the bottom lines of businesses and
SMBs alike, many are looking to cut costs wherever possible. The problem for
business owners and MSPs is that cybercriminals are not reducing their budgets
apace. On the contrary, the rise in COVID-related scams has
been noticeable.
It’s simply no time to cut corners in terms of
cybersecurity. But there is hope. Cybersecurity, traditionally suffering from a
lack of qualified and experienced professionals, can be a source of savings for
businesses. How? Through the automation and efficiency that artificial intelligence
(AI) and machine learning can offer.
AI & ML in Today’s Cybersecurity Landscape
By way of background, Webroot has been collecting IT
decision makers’ opinions on the utility of AI and machine learning for years
now. Results have been…interesting. We’ve seen a steady rise in adoption not
necessarily accompanied by an increase in understanding.
For instance, during a 2017 survey of IT decision makers in
the United States and Japan, we discovered that approximately 74 percent of
businesses were already using some form of AI or ML to protect their
organizations from cyber threats. In 2018, 74 percent planned even further
investments.
And by 2019, of 800 IT professional cybersecurity
decisionmakers across the globe, a whopping 96 percent reported using AI/ML
tools in their cybersecurity programs. But, astonishingly, nearly seven out of
ten (68%) of them agreed that, although their tools claim to use AI/ML, they
aren’t sure what that means.
So, are these tools really essential to securing the cyber
resilience of small businesses? Or are they unnecessary luxuries in an age of
tightening budgets?
AI and ML in the Age of Covid-19
Do AI and ML have something unique to offer businesses—SMBs
and MSPs alike—in this age of global pandemic and remote workforces?
We asked the topically relevant question to it to one of the
most qualified individuals on the planet to answer it: literal rocket
scientist, BrightCloud founder, and architect behind the AI/ML engine known as
the Webroot Platform, Hal Lonas.
Can AI and machine learning tools help people do their
jobs more effectively now that they’re so often remote?
Put directly, the Carbonite and Webroot CTO and senior VP’s
response was bullish.
“AI and machine learning tools can absolutely help
people do their jobs more effectively now more than ever,” said Lonas.
“Security professionals are always in short supply, and now possibly
unavailable or distracted with other pressing concerns. Businesses are facing
unprecedented demands on their networks and people, so any automation is
welcome and beneficial.”
In machine
learning, a subset of AI, algorithms self-learn and improve their findings
and results without being explicitly programmed to do so. This means a business
deploying AI/ML is improving its threat-fighting capabilities without
allocating additional resources to the task– something that should excite
cash-strapped businesses navigating tough economic realities.
Our AI/ML report backs up Lonas’s assertion that these
technologies make a welcome addition to most business security stacks. In fact,
94 percent of respondents in our survey reported believing that AI/ML tools
make them feel more comfortable in their role.
“People who use good AI/ML tools should feel more
comfortable in their role and job,” he asserts. “Automation takes
care of the easy problems, giving them time to think strategically and look out
for problems that only humans can solve. In fact, well-implemented tools allow
security workers to train them to become smarter—in effect providing the ‘learning’
part of machine learning. Each new thing the machine learns makes more
capable.”
AI/ML adopters also reported:
An increase in automated tasks (39%)
An increase in effectiveness at their job/role
(38%)
A decrease in human error (37%).
Strongly agreeing that the use of AI/ML makes
them feel more confident in performing their roles as cybersecurity
professionals. (50%)
Given today’s limited budgets, dispersed workforces, and increasingly
sophisticated attacks, the time may never be better to empower professionals to
do more with less by automating defenses and freeing them to think about
big-picture cybersecurity.
Stemming from a cyber-attack back in April, Nintendo
has just announced that roughly 300,000 user accounts have been compromised,
though most belong to systems that are now inoperable. From the excessive
unauthorized purchases, the attackers likely used credential-stuffing methods
to access accounts and make digital purchases through PayPal accounts that were
already logged in. Nintendo has since contacted the affected customers and has
begun pushing out mandatory password resets.
Kingminer Botnet Locks Down Entry Points Behind Them
After nearly two years of operation, the owners of the Kingminer
crypto jacking botnet have taken up a new tactic of patching the very
vulnerabilities they used to illicitly access systems. This implementation is
likely being used to block any other malicious campaigns from accessing the
compromised systems and net them larger profits. By using the EternalBlue
exploit and patching it behind themselves, they can brute force their way into
any vulnerable system and then keeping their own crypto mining scripts active
for an increased amount of time before being discovered.
Honda Shuts Plants After Ransomware Attack
Several Honda
plants around the world have recently closed due to a ransomware attack that
has targeted several manufacturing systems. The shutdown came only hours after
a new Snake ransomware sample was uploaded to Virus Total and was seen
attempting to contact an internal site belonging to Honda. Currently, officials
for Honda are still working to determine exactly what parts of their systems
were affected and if any personally identifiable information was compromised.
Scammers Created Fake SpaceX YouTube Channels to Steal Cryptocurrency
Multiple malicious YouTube accounts have changed their names
to keywords relating to SpaceX
in order to scam viewers out of Bitcoin cryptocurrency donations. While it
should be obvious that these channels are not the legitimate SpaceX account
based solely on the number of subscribers, the fake channels have also been
livestreaming old recorded SpaceX interviews with Elon Musk, to improve their
legitimacy. Unfortunately, during the livestreams, the channels promote
cryptocurrency scams in the chat section to entice other viewers to send in a
small amount of cryptocurrency with the promise of a significant amount more
being sent back.
Florence, Alabama Pays Ransom Demand
In the last week, officials for Florence,
Alabama have been working to negotiate with the authors of the DoppelPaymer
ransomware attack that took down the city’s email systems. Though the initial
ransom amount was 38 Bitcoins, or the equivalent of $378,000, the security team
that was brought in was able to drop the demand to 30 Bitcoins, or $291,000,
which the city has decided to pay. It is still unclear exactly what information
may have been stolen or accessed, the Mayor of Florence concluded that it was
best to just pay the ransom and hope their information is returned and their
systems are decrypted.
