24Nov

2021 Prediction: Expect Ransomware Attacks Will Increase in Frequency and Variety

November 24, 2020By 0 comment

A new forward-looking report from security vendor FireEye Mandiant predicts the greatest single cyber threat today is only going to become a greater menace next year.

With 2020 being a dumpster fire of a year, we’re all looking for some good news to shed some light at the end of this tunnel we’re living in. But with the bad guys evolving their tricks and growing more greedy by the day, there’s apparently no good news on the cybersecurity forefront.

According to the FireEye Mandiant report A Global Reset: Cyber Security Predictions 2021, you should expect to see ransomware grow and develop in scale, scope, effectiveness, and impact. FireEye Mandiant’s chief cyberthreat consultant Jaimie Collier expects ransomware to evolve and expand. “We’re seeing the affiliate models expand, where different threat actors combine leading to a huge amount of specialization within the overall process. Some of the actors develop the ransomware, but work with others that specialize in gaining the initial access, and post-compromise exfiltration; all leading to a broader criminal ecosystem.”

We’ve already seen massive growth in the frequency of ransomware attacks this year, as well as previously unthinkable ransom amounts both demanded and paid. So, hearing that it’s only going to get worse next year is as big a warning as you’re ever going to get.

READ MORE
23Nov

One-Third of Employees Say Their Company Has No Cybersecurity Measures in Place While Working from Home

November 23, 2020By 0 comment

At a time when organizations should be implementing additional security measure to ensure the logical perimeter of their network is protected, new research shows companies aren’t prepared.

You’d think everyone would have this figured out by now; the bad guys have been stepping things up to take advantage of users working remotely making it necessary to increase your cybersecurity stance.

But according to new research covering how organizations are managing their cybersecurity risk around remote work during COVID paints a very disturbing picture. According to the report, an average of about one-third of organizations are mandating any of the obvious security measures for employees when working remotely:

  • 65% of organizations are not mandating a secure WiFi be used
  • 69% aren’t requiring Multi-Factor Authentication (MFA)
  • 69% aren’t using a VPN

The most disturbing is that 34% of employees say their employer hasn’t implemented any of these measures.

This isn’t good.

Organizations with a remote workforce need to double down on implementing a layered security strategy that takes into account the specific areas of risk that exist when a user works from home. Most importantly is the need for Security Awareness Training. According to the research, 68% of organization’s provided no training to their remote workforce. But, given the nature of cyberattacks, the use of social engineering, and the prevalent need for users to engage with malicious content before it can be weaponized, training them to be watchful for such attacks and maintain a state of vigilance is a key step towards keeping your remote workers – and the organization – secure.

READ MORE
30Oct

Phishing Attacks Can Come from an Unlimited Number of Trusted Phishing Sites Thanks to Google App Engine

October 30, 2020By 0 comment

Scammers are taking advantage of Google’s Trust Service Verification and the way their App Engine creates unique URLs to host trusted landing pages used in phishing scams.

Ever phishing scammer that needs a website to take their victim to complete the scam or to host a command-and-control server to complete at attack needs that site to be one that security solutions will allow.

It’s one of the reasons some cybercriminals choose to compromise and infect websites owned by legitimate companies, while others choose to create malicious apps hosted with cloud providers like Azure and Google.

Traditionally, once a domain or subdomain has been identified as being malicious by a security solution, it’s game over for the bad guy. The challenge with blocking URLs built using Google’s App Engine is how Google App Engine (hosted on appspot.com) creates the URL names.

Today, the URLs use the following subdomain nomenclature:

VERSION-dot-SERVICE-dot-PROJECT_ID.REGION_ID.r.appspot.com

Note how values such as version and project ID could vary over time or simply be purposely updated to generate hundreds or even thousands of identical malicious webpages, as was the case when security engineer Yusuke Osumi found over 2000 URLs that all pointed to the same fake Office 365 logon page.

Keep in mind, again, because these are running on Google’s own appspot.com, which is a Google Trusted domain, the pages created under this domain are trusted by everyone and every solution.

That’s bad.

This checked the “it’s ok” box for just about every security solution, so it’s up to your users to act as a line of defense, scrutinizing URLs when being sent to what should be a known website. Users that enroll in Security Awareness Training are taught to always be skeptical of web links, requests for credentials, and other common tricks used as part of a phishing scam. Since Google App Engine isn’t doing you any favors, it’s time to do one for yourself with Security Awareness Training.

READ MORE
08Oct

Healthcare Sector Still Sustains Phishing Campaigns

October 8, 2020By 0 comment

No one should take too seriously the high-minded things criminals sometimes say about how they’re restraining themselves during the pandemic, and that they’re going to avoid hitting hospitals and biomedical research organizations. If anything, attacks on such targets have increased in recent months, and phishing is the usual approach.

The goal of the phishing attacks is financial: the attackers are extortionists. Healthcare organizations are attractive targets for many reasons, among them being the importance of data availability to their work, their relatively deep pockets, and their complicated networks that present a large and varied attack surface. Health IT Security describes four recent and ongoing campaigns that afford good examples of the techniques in use against the healthcare sector.

The first of these involves message quarantine phishing. In this attack, an employee receives a message that spoofs an organization’s email service. The bogus notification says that several emails have failed to “process properly,” and that the recipient should review the quarantined messages to confirm their validity. The prospect of deletion suggests urgency.

“This could potentially lead the employee to believe that the messages could be important to the company and entice the employee to review the held emails,” researchers at Cofence explained. “Potential loss of important documents or emails could make the employee more inclined to interact with this email.” Should the user click, they’re spirited to a login page designed to harvest their credentials.

The second is a zero font attack, which conceals malicious code in ways that serve to evade security controls that would otherwise intercept them before they reached the target’s in-box. Researchers at INKY explained: “Attackers can embed text into their emails that is both invisible to end users and visible — and confusing — to the machines that automatically scan the mail looking for signs of malicious intent or branding. If the software is looking for brand-indicative text like ‘Office 365’, it won’t find a match. This tactic therefore prevents legacy mail protection systems from classifying this mail as appearing to be from Microsoft. Since it doesn’t know it appears to be from Microsoft, it doesn’t require the mail to be from a Microsoft-controlled mail server. So it sails right through, ending up in the victim’s inbox.”

The third campaign involves the venerable Agent Tesla remote access Trojan (RAT). Gangs are actively distributing the RAT in COVID-19-themed phishing emails. It’s commodity malware traded in criminal markets. “Various tiers are available for purchase that provide additional licenses and different functionality,” Area 1 researchers explained. “However, in typical internet fashion, there is a torrent available on Russian websites. For the initial file, the attacker uses a 32-bit Windows executable to ensure that the malware can be executed on common Windows devices. This file is a trojan, appearing as a benign application but containing hidden, malicious functionality. This initial phase determines if it is in a malware analysis environment so the program can decide whether to proceed with the attack or go to sleep.”

And, fourth, there are nation-state actors engaged in similar financially motivated phishing expeditions. The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency has warned that North Korean operators continue to use their KONNI RAT against targets in the healthcare sector. Their technique has evolved into more closely tailored spear phishing, with phishbait designed to attract specific individuals. Spearphishing tends to be more persuasive than classic indiscriminate phishing through mass-mailed spam.

While the healthcare sector is currently receiving more than its fair share of attacks, other industries also need to be on their guard. The four techniques Health IT Security described all depend upon social engineering for their success. New school security awareness training can help organizations install a proper, healthy skepticism in their personnel.

READ MORE
06Oct

Scammers are using Black Lives Matter as Phishbait

October 6, 2020By 0 comment

phishing campaign is using Black Lives Matter-themed phishing lures to trick people into installing malware, Yahoo reports. Adam Levin from Cyberscout told Yahoo that the phishing emails contain the subject line, “Vote anonymous about ‘Black Lives Matter.’” The email body states, “Leave a review confidentially about ‘Black Lives Matter.’ Claim in attached file.”

The attached file is a Microsoft Word document titled, “e-vote_form_3438.” If the user opens this document, they’ll see a slide telling them to click “Enable Editing” and then “Enable Content” in order to view the content. If these buttons are clicked, the document will be allowed to run a macro that will trigger the malware’s installation process. This is an extremely common tactic, but many people still fall for it.

Levin says the final payload in this campaign is TrickBot. TrickBot is a notorious and versatile commodity banking Trojan that’s used by both criminals and some nation-state actors due to its effectiveness. In addition to stealing passwords and financial information, TrickBot can spread to other computers and download additional malware such as ransomware.

Yahoo notes that since cybercrime is such a profitable industry, these attacks won’t be slowing down anytime soon.

“This particular TrickBot scam may be new, but malware scams are always rampant on the internet,” Yahoo says. “The statistics are staggering: by 2020, the global cost of malware attacks is expected to hit $6 trillion—yes, trillion—according to the cyber experts at Cybersecurity Ventures.”

Attackers always try to exploit hot-button issues and current events to trick people into making poor security decisions. As the US gets closer to its election in November, we can expect to see more scammers trying to take advantage of issues that people feel strongly about. New-school security awareness training can help your employees take a step back and think about what they’re doing, rather than impulsively clicking on a link or downloading a document.

READ MORE
03Oct

Newly Relaunched ProLock Ransomware Seeks Ransoms as High as $3 Million

October 3, 2020By 0 comment

Seeing successful attacks as frequently as one per day, the creators of ProLock seek out larger organizations using the QBot trojan to infiltrate, spread throughout, and infect a network.

What starts as yet another phishing attack that uses a weaponized VBScript via Office documents turns out to be a far more invasive attack that brings operations to its’ knees and organizations considering reaching for their wallets.

According to security researchers at Group-IB, ProLock’s evolution from a failed prior iteration under the name PwndLocker has yielded a bit of malware so effective in its ability to perform network reconnaissance and lateral movement, its creators are big game hunting for organizations across both North America and Europe, looking to take down the largest of ransoms.

Now some good news.

Group-IB’s researchers have indicated that the phishing attacks used are “simple and straightforward” as seen in the email example below:

14d6458c0d68b72229f80114f7240046

There’s a really simple way to stop this ransomware from ever gaining control over your network: teach your users to not click on suspicious email links or attachments. This is easily done by enrolling them in new school Security Awareness Training that shows them what to look for, how to remain vigilant while doing their job, and how to keep from becoming the entry point for this and any other phishing-based attack.

READ MORE
02Oct

Global Ransomware Attacks Increase by 715 Percent as Cybercriminals Capitalize on the Pandemic Opportunity

October 2, 2020By 0 comment

The massive rise in frequency is a signal that cybercriminals are not only finding their ransomware campaigns successful, but are also seeing increases in ransom amounts.

The goal of any business is to build a product where you make a very healthy profit margin. Once you have that, you take it to market and continue to increase the reach of your sales efforts to see both revenue and profits increase annually.

This is exactly the same mentality cybercriminal enterprises have when it comes to ransomware – if it works, send it out to more people. If they’re willing to pay $1000, see if they will pay $5000, $10,000, and more. Recent data has shown that ransomware creators are doing both.

According to BitDefender’s Mid-Year Threat Landscape Report 2020, the first half of 2020 saw a 7x jump in the frequency of ransomware attacks when compared to the same time in 2019. The report shows that the distribution of attacks was relatively evenly distributed across the first six months of this year.

We’ve also seen ransoms jump by an average of 60 percent this year, signaling that cybercriminals are keenly aware of what the havoc they’ve wreaked is worth to an infected organization.

According to the Bitdefender report, both the pandemic and the shift to working from home play a significant role in the success rate of attacks, as users have their defenses down and have been overwhelmed by the unprecedented change in the way we all work and live. Half of remote employees simply aren’t prepared for the organization’s dependence upon them to be vigilant against cyberattacks including ransomware. New school Security Awareness Training provides an effective means to not only educate users on how the bad guys go about phishing and social engineering attacks, but also on how users can become and remain vigilant while doing their job – thus, lowering the threat surface for ransomware attacks.

With such a massive increase in the amount of ransomware attacks, organizations should assume that ransomware is only going to become more prevalent, pervasive, and profitable for the bad guys.

READ MORE
01Oct

Phishing Attacks Continue to Grow More Sophisticated

October 1, 2020By 0 comment

Both criminal and nation-state threat actors have “rapidly increased in sophistication” over the past twelve months, according to Microsoft’s Digital Defense report. Microsoft found that attackers are putting more effort into social engineering tactics, and they’re incorporating more familiar techniques like credential stuffing to maximize their effectiveness.

“Email phishing in the enterprise context continues to grow and has become a dominant vector,” the report states. “Given the increase in available information regarding these schemes and technical advancements in detection, the criminals behind these attacks are now spending significant time, money, and effort to develop scams that are sufficiently sophisticated to victimize even savvy professionals. Attack techniques in phishing and business email compromise (BEC) are evolving quickly. Previously, cybercriminals focused their efforts on malware attacks, but they’ve shifted their focus to ransomware, as well as phishing attacks with the goal of harvesting user credentials.”

Microsoft warns that attackers are automating their attacks in order to avoid detection,which results in millions of new malicious URLs being distributed each month.

“In 2019 we blocked over 13 billion malicious and suspicious mails, out of which more than 1 billion were URL-based phishing threats (URLs set up for the explicit purpose of launching a phishing credential attack),” the report says. “These URLs were set up and weaponized just in time for the attacks and had no previous malicious reputation. We’re seeing approximately 2 million such URL payloads being created each month for credential harvesting, orchestrated through thousands of phishing campaigns.”

Microsoft notes that the number of COVID-19 themed phishing attacks has fallen in recent months, after spiking in March. This isn’t surprising: the attackers exploited the chaos and confusion at the start of the pandemic, then adapted their lures when things (sort of) began to settle down.

“Over the past several months, we have seen cybercriminals play their well-established tactics and malware against our human curiosity and need for information,” Microsoft says. “Attackers are opportunistic and will switch lure themes daily to align with news cycles, as seen in their use of the COVID-19 pandemic.”

While attackers are constantly evolving their tactics to evade new defenses, Microsoft notes that most of these attacks are still fundamentally similar.

“Despite sophistication and diversity of the attacks, the methodology is often the same, whether the actors use large-scale attacks for financial gain or targeted attacks to support geopolitical interests,” the report says. “A phishing email can be a massive campaign targeting millions of users or a single, targeted email that represents a socially engineered marvel many months in the making.”

Likewise, Microsoft points out that organizations and individuals can thwart most cyberattacks by implementing basic security hygiene.

“Given the leap in attack sophistication in the past year, it is more important than ever that we take steps to establish new rules of the road for cyberspace: that all organizations, whether government agencies or businesses, invest in people and technology to help stop attacks; and that people focus on the basics, including regular application of security updates, comprehensive backup policies and, especially, enabling multi-factor authentication (MFA),” Microsoft says. “Our data shows that enabling MFA would alone have prevented the vast majority of successful attacks.”

New-school security awareness training can enable your employees to recognize phishing attacks and teach them how to proactively protect their accounts.

Microsoft has the story.

READ MORE
01Oct

Don’t Just Catch a Phish, Captcha One

October 1, 2020By 0 comment

Researchers at Menlo Security have identified a phishing site that uses three layers of visual captchas to evade detection by automated security crawlers. Captchas are brief tests on websites that ask you to enter a word or select a series of images to prove you’re not a robot. Almost everyone has encountered these, since they’re usually used by legitimate sites to filter out malicious or unwanted traffic from bots.

In this case, however, the attackers are using captchas to prevent good bots (i.e., bots that are designed to hunt down phishing sites) from accessing the phishing page. The researchers also note that the captchas have the added benefit of lending credibility to the phishing page, since users associate these tests with legitimate sites.

“Two important things are happening here,” they write. “The first is that the user is made to think that this is a legitimate site, because their cognitive bias has trained them to believe that checks like these appear only on benign websites. The second thing this strategy does is to defeat automated crawling systems attempting to identify phishing attacks.”

When a user first accesses the phishing site, they’ll be presented with the familiar “I’m not a robot” reCAPTCHA checkbox. After clicking this box, the user will be asked to select the correct set of images to proceed (for example, images with bicycles, street signs, school buses, and so forth). The user will have to solve three of these tests before they’re allowed to access the phishing page, which is a convincingly spoofed version of an Office 365 login portal designed to steal their credentials.

“Microsoft happens to be the brand that is most phished across our customer base,” the researchers explain. “This is a result of the increased adoption of O365 by many enterprises and cyber criminals are looking to take over legitimate accounts and use them to launch additional attacks within the enterprise.”

Attackers are constantly adapting their techniques to stay ahead of improved security technology. New-school security awareness training can give your employees the knowledge they need to avoid falling for these attacks.

Menlo Security has the story.

READ MORE