Posts

cloud services

Cloud Services in the Crosshairs of Cybercrime

It’s a familiar story in tech: new technologies and shifting preferences raise new security challenges. One of the most pressing challenges today involves monitoring and securing all of the applications and data currently undergoing a mass migration to public and private cloud platforms.

Malicious actors are motivated to compromise and control cloud-hosted resources because they can gain access to significant computing power through this attack vector. These resources can then be exploited for a number of criminal money-making schemes, including cryptomining, DDoS extortion, ransomware and phishing campaigns, spam relay, and for issuing botnet command-and-control instructions. For these reasons—and because so much critical and sensitive data is migrating to cloud platforms—it’s essential that talented and well-resourced security teams focus their efforts on cloud security.

The cybersecurity risks associated with cloud infrastructure generally mirror the risks that have been facing businesses online for years: malware, phishing, etc. A common misconception is that compromised cloud services have a less severe impact than more traditional, on-premise compromises. That misunderstanding leads some administrators and operations teams to cut corners when it comes to the security of their cloud infrastructure. In other cases, there is a naïve belief that cloud hosting providers will provide the necessary security for their cloud-hosted services.

Although many of the leading cloud service providers are beginning to build more comprehensive and advanced security offerings into their platforms (often as extra-cost options), cloud-hosted services still require the same level of risk management, ongoing monitoring, upgrades, backups, and maintenance as traditional infrastructure. For example, in a cloud environment, egress filtering is often neglected. But, when egress filtering is invested in, it can foil a number of attacks on its own, particularly when combined with a proven web classification and reputation service. The same is true of management access controls, two-factor authentication, patch management, backups, and SOC monitoring. Web application firewalls, backed by commercial-grade IP reputation services, are another often overlooked layer of protection for cloud services.

Many midsize and large enterprises are starting to look to the cloud for new wide-area network (WAN) options. Again, here lies a great opportunity to enhance the security of your WAN, whilst also achieving the scalability, flexibility, and cost-saving outcomes that are often the primary goals of such projects.  When selecting these types of solutions, it’s important to look at the integrated security options offered by vendors.

Haste makes waste

Another danger of the cloud is the ease and speed of deployment. This can lead to rapidly prototyped solutions being brought into service without adequate oversight from security teams. It can also lead to complacency, as the knowledge that a compromised host can be replaced in seconds may lead some to invest less in upfront protection. But it’s critical that all infrastructure components are properly protected and maintained because attacks are now so highly automated that significant damage can be done in a very short period of time. This applies both to the target of the attack itself and in the form of collateral damage, as the compromised servers are used to stage further attacks.

Finally, the utilitarian value of the cloud is also what leads to its higher risk exposure, since users are focused on a particular outcome (e.g. storage) and processing of large volumes of data at high speeds. Their solutions-based focus may not accommodate a comprehensive end-to-end security strategy well. The dynamic pressures of business must be supported by newer and more dynamic approaches to security that ensure the speed of deployment for applications can be matched by automated SecOps deployments and engagements.

Time for action

If you haven’t recently had a review of how you are securing your resources in the cloud, perhaps now is a good time. Consider what’s allowed in and out of all your infrastructure and how you retake control. Ensure that the solutions you are considering have integrated, actionable threat intelligence for another layer of defense in this dynamic threat environment.


This article was provided by our service partner : webroot.com

cybersecurity

7 Critical, and Often Overlooked, Ways to Improve Your Cybersecurity

What you don’t know can, and will, hurt you. Cybersecurity is now at the forefront of business IT needs. If you ignore it, it won’t go away, and even worse, your customers will look elsewhere to get the services they need if you’re not providing them. It’s time to face the music. I recently sat down to chat with Chris Loehr, Executive Vice President of Solis Security, who specializes in cybersecurity incident response.

Chris has experience conducting forensic work on cyberattacks. He works with MSPs day in and day out and sees first-hand the mistakes commonly made all the time. Here are the tips he shared with us on how to wise up about cybersecurity:

Know Your Power

Your tools, specifically your remote monitoring and management (RMM) tool, are extremely powerful. While it can be used for the purpose it was intended, allowing you to work on multiple machines at the same time, it can also be used maliciously to attack several companies at once. This makes MSPs an ideal target for attackers to gain access to an entire database in a relatively short amount of time vs. attacking companies individually. And unfortunately, in some cases, businesses never recover. You need to ensure that your RMM is secure.

Don’t Blindly Trust Your Providers

You should hold yourself responsible and perform due diligence on your key vendors/service providers. Your customers trust you. The vendors you work with are an extension of you and the services you provide. Ensuring that your vendors are doing the right things makes it easier for you to also do right by your customers. You need to educate your customers on what threats could impact them, what you do or do not cover, and provide the appropriate solutions. In doing so, you can be the trusted service provider they believe you are. And in the long run, this level of earned trust translates directly to customer retention.

Invest the Time to Truly Know Your Customers

When disaster strikes should not be the time that you’re learning about your customers and their operations. You need to know ahead of time what the critical applications/files are that need to be backed up. They might not be the obvious applications. Too often after disaster strikes, you find out you didn’t back up something essential to the customers’ business because you didn’t know about it or its importance. A business impact assessment (BIA) should be performed annually for each monthly recurring revenue (MRR) customer.

Give Your Best Customers Some Love

When disaster strikes, the best customers usually will be the most upset and most willing to pursue legal action. Even though everything appears to be going great, you don’t know what may be happening behind the scenes. Having crucial conversations with decision makers is key to your ongoing success. Ensure these conversations include topics around cybersecurity to help protect them, as well as yourself.

Don’t Be Cybersecurity Insurance Ignorant

Cybersecurity coverage is not the same as an auto insurance or health insurance policy. Filing a claim does not make your premiums go up. Be especially careful when deciding what coverages to waive. To get lower premiums, companies sometimes waive cyberextortion coverage. However, this type of coverage pays for a ransom, should you be in a situation to require one. Even though you might have enough money in the bank to pay it, keep in mind that you are still responsible for operational expenses as well (like payroll).

Doing a risk assessment is helpful to understand where you and your customers stand and in the future could also become a tool for the insurance industry to help underwrite policies.

Realize That Your Contracts Aren’t a Magic Shield

This is the biggest weakness of many MSPs. Anyone can sue you regardless of your contract. You need to know when certain scenarios will negate your liability limitations. Often, MSPs rely on only one attorney to assist in creating their contracts. It’s always best to have a second option. We highly advise getting a litigation attorney to look at your contracts. Also, take into consideration different state laws if you operate in more than one state and how that impacts your contracts.

Prepare for a Disaster

As the saying goes, “If you fail to plan, you’re planning to fail.” Not planning for a disaster could quite literally put you out of business or set you back a couple of years. Your backup solution is the ultimate piece that will save your business. It has to be more than rock solid. Test it and test it again. Backing up data is the first step but being able to restore from the back up is the true measure of success. The worst-case scenario is to have to tell your customer that you lost all the files that were previously backed up. A one size fits all backup solution might not work for each customer.


This article was provided by our service partner : connectwise.com

Digital Identity

Lock Down Your Digital Identity

The last decade has been one of digital revolution, leading to the rapid adoption of new technology standards, often without the consideration of privacy ramifications. This has left many of us with a less-than-secure trail of digital breadcrumbs—something cybercriminals are more than aware of. Identity theft is by no means a new problem, but the technology revolution has created what some are calling a “global epidemic.”

What is a Digital Identity?

The first step in locking down your digital identity is understanding what it is. A digital identity is the combination of any and all identifying information that can connect a digital persona to an actual person. Digital identities are largely comprised of information freely shared by the user, with social media accounts generally providing the largest amount of data. Other online services like Etsy and eBay, as well as your email and online banking accounts, also contribute to your digital identity. Realistically, any information that can be linked back to you, no matter how seemingly inconsequential, is part of your digital identity.

Digital Identity Theft

Digital identity theft occurs in several ways. A common tactic is social media fraud, where a hacker will impersonate a user by compromising an existing social media account, often messaging friends and family of the user requesting money or additional account information. If unable to gain full control of a genuine social media account, identity thieves will often set up a dummy social media account and impersonate the user using it.

A less widely-known form of digital identity fraud is internet-of-things (IoT) identity theft, where an attacker gains access to an IoT device with weak security protocols and exploits it to gain access to a higher priority device connected to the same network. Another growing threat is “SIM swapping”— an attack that involves tricking a mobile provider into swapping a legitimate phone number over to an illegitimate SIM card, granting the attacker access to SMS-enabled two-factor authentication (2FA) efforts.

Even those who don’t consider themselves targets should be aware of these tactics and take steps to lock down their digital identities.

Locking it Down

Reviewing your social media accounts’ privacy settings is one of the easiest things you can do to cut opportunistic identity thieves off from the start. Set your share settings to friends only, and scrub any identifying information that could be used for security clearance — things like your high school, hometown, or pets’ names. Only add people you personally know and if someone sends you a suspicious link, don’t click it! Phishing, through email or social media messages, remains one of the most prevalent causes of digital identity theft in the world. But your digital identity can be compromised in the physical world as well — old computers that haven’t been properly wiped provide an easy opportunity hackers won’t pass up. Always take your outdated devices to a local computer hardware store to have them wiped before recycling or donating them.

The Right Tools for the Job

This is just the start of a proper digital identity lock-down. Given the sensitive nature of these hacks, we asked Webroot Security Analyst Tyler Moffitt his thoughts on how consumers can protect their digital identities.

“Two-factor authentication in combination with a trusted virtual private network, or VPN, is the crown jewel of privacy lock-down,” Tyler said. “Especially if you use an authenticator app for codes instead of SMS authentication. A VPN is definitely a must… but you can still fall for phishing attempts using a VPN. Using two-factor authentication on all your accounts while using VPN is about as secure as you can get.”

2FA provides an additional level of security to your accounts, proactively verifying that you are actually the one attempting to access the account. 2FA often uses predetermined, secure codes and geolocation data to determine a user’s identity.

Because 2FA acts as a trusted gatekeeper, do your research before you commit to a solution. You’ll find some offerings that bundle 2FA with a secure password manager, making the commitment to cybersecurity a little bit easier. When making your choice, remember that using SMS-enabled 2FA could leave you vulnerable to SIM swapping, so though it is more secure than not using 2FA at all, it is among the least secure of 2FA strategies.

VPNs wrap your data in a cocoon of encryption, keeping it out of sight of prying eyes. This is particularly important when using public WiFi networks, since that’s when your data is at its most vulnerable. Many VPNs are available online, including some free options, but this is yet another instance of getting what you pay for. Many free VPNs are not truly private, with some selling your data to the highest bidder. Keeping your family secure behind a VPN means finding a solution that provides you with the type of comfort that only comes with trust.


This article was provided by our service partner : webroot.com

cloud security

How Threats Have Evolved & Why You Need to Do Something About It

Whether you realize it or not, the
cybersecurity threat landscape has changed dramatically in the last few years—and recent security issues prove it.

Everywhere you turn, conversations about cyber issues today are happening. The media coverage on massive breaches continues to grow by the day. But since most of the high profile cases people read about are large companies (Equifax, Apple, Target, etc.), many small business owners you work with have it in their mind that large companies are the targets and they’re immune or safe from new threats.

That couldn’t be further from the truth.

Attacks on SMBs, as well as MSPs, are on the rise, and you both must be vigilant as a result. According to the Ponemon Institute: 2017 State of Cybersecurity in Small & Medium-Sized Businesses (SMB) study, the average cost due to damage or theft of IT assets and infrastructure increased from $879,582 to $1,027,053. The average cost due to disruption of normal operations increased from $955,429 to $1,207,965.

Attacks and breaches 1
So, What’s Changed?

Security was a modest part of the services you’ve provided—until now. It’s made its way to the forefront of business IT needs so you can protect against the top cybersecurity threats out there. Endpoint protection, firewall protection, and email protection were staples of the managed services business, but they’re simply not enough anymore. Failure to address these increases the chance of a serious security event, and reduces the chance to avoid downtime, a work stoppage, or worse.

For years, MSPs have provided a successful security strategy that has provided their customers excellent uptime and productivity. Cybercriminals are getting more sophisticated and targeting small to medium businesses. Ransomware, data breaches, and phishing attacks are examples of tactics that eclipse the solutions that we’ve relied on thus far. You’ll want to make sure they’re safeguarded against these more sophisticated attacks, and mitigate as much risk as possible. Cyber issues today don’t just impact your customers, but their customers, suppliers, etc. If someone were to breach your customer, it could give them access to all of their critical systems and data. If an incident happens in a regulated industry, the cause goes beyond their loss of business. It would compromise your patient’s protected data and be in breach of HIPAA requirements. Aside from financial implications due to a work stoppage, breaches in industries that are regulated (financial, healthcare, industrial, government, etc.) are also subject to investigations, digital forensics teams, and litigation.

As an MSP, more times than not you’ll be questioned and have to participate in those investigations. If the customer has cyber insurance, the insurance company will do their investigation before paying out. In a breach today where data is compromised, the financial impact is a whopping $148 per record. It’s not just downtime that can render a business in trouble after a breach, because the lingering effects are crippling to most companies.

What Can You Do About It?

Several things. First, realize that this is not a problem you can throw a bunch of tools at to fix. People and process is a key component of a strong security posture. As you can see in the chart “What’s Behind the Trends: Root Cause”, 54% of data breaches were a result of negligent employees or contractors. That correlates to nearly half of all attacks being executed through phishing or social engineering. Implementing security awareness training through Customer Security Programs is a good way to expand your service offering and reduce your customers risk that doesn’t involve adding another tool to your stack.

Attacks and breaches : root cause

Second, leverage a proven framework as a benchmark to measure your customers’ businesses (and your own). We believe the NIST Cybersecurity Framework (CSF) is the most comprehensive and easiest framework for MSPs to adopt. We’ve built a risk assessment based on that framework that includes strengths and weaknesses for your customer, plus an actionable report and an attestation letter that protects you against recommendations your customer doesn’t wish to add. With this, you can walk into a customer’s office and say, “In order to make sure you’re as protected as you can be, I went ahead and did a risk assessment of your business to help determine your security posture. The assessment is based on the Cybersecurity Framework created by the National Institute of Standards and Technology, and it’s the benchmark we use to grade all companies—regardless of size or industry. It’s also the same assessment I perform regularly on my own company.”


This article was provided by our service partner : connectwise.com

WiFi Security

The Hidden Costs of ‘Free’ WiFi

The True Cost of Free WiFi

Ease-of-access is a true double-edged sword. Like all powerful technologies, WiFi (public WiFi in particular) can be easily exploited. You may have read about attacks on publicly accessible WiFi networks, yet studies show that more than 70% of participants admit to accessing their personal email through public WiFi. WiFi vulnerabilities aren’t going away anytime soon—in 2017, the WPA2 security protocol used by essentially all modern WiFi networks was found to have a critical security flaw that allowed attackers to intercept passwords, e-mails and other data.

So what are the most commonly seen attacks via free WiFi, and how can we protect ourselves and our families? We turned to Tyler Moffitt, Webroot’s Sr. Threat Research Analyst, for answers.

Common Public WiFi Threats

“Criminals are either taking over a free WiFi hotspot at the router level, or creating a fake WiFi hotspot that’s meant to look like the legitimate one,” explained Moffitt. “The purpose of these man-in-the-middle attacks is to allow attackers to see and copy all of the traffic from the devices connected to the WiFi they control.”

Basic security protocols often aren’t enough to protect users’ data.

“Even with HTTPS sites where some data is encrypted, much of it is still readable,” Moffitt said. “Beyond just seeing where you surf and all the login credentials, criminals also have access to your device and can drop malicious payloads like ransomware.”

We are now seeing these attacks evolve, with cryptojacking becoming a particularly lucrative exploitation model for public WiFi networks. Cryptojacking is seen as a “low risk” attack as an attacker siphons a victim’s computer processing power, something far less likely to be detected and tracked than a traditional malware or ransomware attack. This was particularly notable in a 2017 cryptojacking attack that targeted Starbucks customers, which went uncorrected until Noah Dinkin—a tech company CEO—noticed a delay when connecting to the shop’s WiFi. Dinkin took it upon himself to investigate

It’s not just coffee shops that are being targeted. Airports, hotels, and convention centers are particularly prime targets due to their high  traffic. To demonstrate the power of a targeted attack in a conference setting, a security experiment was conducted at the 2017 RSA Conference. Surprisingly, even at an IT security conference, white hat hackers were able to trick 4,499 attendees into connecting to their rogue WiFi access point. The targeting of high-traffic, travel-focused locations means that many frequent travelers will leave themselves exposed at some point by connecting to public WiFi options—even though they may know better.

How to Detect the Threat

What are the telltale signs of a compromised system?

“With cryptomining, you will definitely notice that your machine will start acting slow, the fans will kick on full blast, and the CPU will increase to 100 percent, usually the browser being the culprit,” Moffitt said. “But there are few signs of a man-in-the-middle attack, where wireless network traffic is spied on for credentials and financial information. You won’t notice a thing, as your computer is just connecting to the router like normal. All information is being observed by someone in control of the router.”

With one recent attack in 2018 alone affecting 500,000 WiFi routers, the need for WiFi security has never been stronger.

Protecting Yourself on the Go

You can take steps to keep your data secure; the first of which is being sure that you have a VPN installed and protecting your devices. Nothing else will as effectively encrypt and shield your traffic on a public network.

“Using a VPN is the most impactful way to combat the dangers of free WiFi,” Moffitt said. “Think of VPN as a tunnel that shelters all of your information going in and out of your device. The traffic is encrypted so there is no way that criminals can read the information you are sending.”

“I use a VPN on my phone when I’m on the go,” he continued. “It’s really easy to use and you make sure all your data is private and not visible to prying eyes.”

But be sure to research any VPN before you commit to ensure it is trustworthy. It’s important to review the vendor’s privacy policy to make sure the VPN does not monitor or retain logs of your activities. Remember that, with security software and apps, you generally get what you pay for.

While free VPN apps will shield your data from the router you are connecting to, they may still spy on you and sell your information,” Moffitt said.

What does this all mean for you? If there is no such thing as free lunch, then there is definitely no such thing as free WiFi. The true cost just might be your online security and privacy.

Stay vigilant, secure all of your web traffic behind a trusted VPN, and check back here often for the latest in cybersecurity updates


This article was provided by our service partner : webroot.com

ransomware secuirty

The Ransomware Threat isn’t Over. It’s Evolving.

Ransomware is any malware that holds your data ransom. These days it usually involves encrypting a victim’s data before asking for cash (typically cryptocurrency) to decrypt it. Ransomware ruled the malware world since late 2013, but finally saw a decline last year. The general drop in malware numbers, along with defensive improvements by the IT world in general (such as more widespread backup adoption), were factors, but have also led this threat to become more targeted and ruthless.

Delivery methods

When ransomware first appeared, it was typically distributed via huge email and exploit kit campaigns. Consumer and business users alike were struck without much discretion. 

Today, many ransomware criminals prefer to select their targets to maximise their payouts. There’s a cost to doing business when it comes to infecting people, and the larger the group of people you are trying to hit, the more it costs. 

Exploit kits

Simply visiting some websites can get you infected, even if you don’t try to download anything. This is usually done by exploiting weaknesses in the software used to browse the web such as your browser, Java, or Flash. Content management and development tools like WordPress and Microsoft Silverlight, respectively, are also common sources of vulnerabilities. But there’s a lot of software and web trickery involved in delivering infections this way, so the bulk of this work is packaged into an exploit kit which can be rented out to criminals to help them spread their malware. 

Renting an exploit kit can cost $1,000 a month, so this method of delivery isn’t for everyone. Only those cybercriminals who’re sufficiently motivated and funded. 

“Because the cost of exploitation has risen so dramatically over the course of the last decade, we’ll continue to see a drop in the use of 0-days in the wild (as well as associated private exploit leaks). Without a doubt, state actors will continue to hoard these for use on the highest-value targets, but expect to see a stop to Shadowbrokers-esque occurrences. The mentioned leaks probably served as a powerful wake-up call internally with regards to who has access to these utilities (or, perhaps, where they’re left behind).” – Eric Klonowski, Webroot Principal Threat Research Analyst

Exploits for use in both malware and web threats are harder to come by these days and, accordingly, we are seeing a drop in the number of exploit kits and a rise in the cost of exploits in the wild. This threat isn’t going anywhere, but it is declining.

Figure 1. Still plenty of exploit kits out there. Source: Execute Malware

Email campaigns

Spam emails are a great way of spreading malware. They’re advantageous for criminals, as they can hit millions of victims at a time. Beating email filters, creating a convincing phishing message, crafting a dropper, and beating security in general is tough to do on a large scale, however. Running these big campaigns requires work and expertise so, much like an exploit kit, they are expensive to rent. 

Figure 2. Shade ransomware delivered from a recent spam email campaign Source: InfoSec Handlers Diary Blog

Targeted attacks

The likelihood of a target paying a ransom and how much that ransom is likely to be is subject to a number of factors, including:

  • The country of the victim. The GDP of the victim’s home nation is correlated to a campaign’s success, as victims in richer countries are more likely to shell out for ransoms 
  • The importance of the data encrypted
  • The costs associated with downtime
  • The operating system in use. Windows 7 users are twice as likely to be hit by malware as those with Windows 10, according to Webroot data
  • Whether the target is a business or a private citizen. Business customers are more likely to pay, and pay big

Since the probability of success varies based on the target’s circumstances, it’s important to note that there are ways of narrowing target selection using exploit kits or email campaigns, but they are more scattershot than other, more targeted attacks.

RDP

Remote Desktop Protocol, or RDP, is a popular Microsoft system used mainly by admins to connect remotely to servers and other endpoints. When enabled by poor setups and poor password policies, cybercriminals can easily hack them. RDP breaches are nothing new, but sadly the business world (and particularly the small business sector) has been ignoring the threat for years. Recently, government agencies in the U.S. and UK have issued warnings about this completely preventable attack. Less sophisticated cybercriminals can buy RDP access to already hacked machines on the dark web. Access to machines in major airports has been spotted on dark web marketplaces for just a few dollars.

Figure 3. Servers for sales on underground forums. Source: Fujitsu

Spear phishing

If you know your target, you can tailor an email specifically to fool them. This is known as spear phishing, and it’s an extremely effective technique that’s used in a lot of headline ransomware cases.

Modular malware

Modular malware attacks a system in different stages. After running on a machine, some reconnaissance is done before the malware reinitiates its communications with its base and additional payloads are downloaded. 

Trickbot

The modular banking Trojan Trickbot has also been seen dropping ransomware like Bitpaymer onto machines. Recently it’s been used to test a company’s worth before allowing attackers to deploy remote access tools and Ryuk(ransomware) to encrypt the most valuable information they have. The actors behind this Trickbot/Ryuk campaign only pursue large, lucrative targets they know they can cripple.

Trickbot itself is often dropped by another piece of modular malware, Emotet

What are the current trends?

As we’ve noted, ransomware use may be on the decline due to heightened defences and greater awareness of the threat, but the broader, more noteworthy trend is to pursue more carefully selected targets. RDP breaches have been the largest source of ransomware calls to our support teams in the last 2 years. They are totally devastating to those hit, so ransoms are often paid.

Figure 4. A slight dip but a consistently high amount of RDP malware seen by us last year.

Modular malware involves researching a target before deciding if or how to execute and, as noted in our last blog on information stealers,they have been surging as a threat for the last six months. 

Automation

When we talk about selecting targets, you might be inclined to assume that there is a human involved. But, wherever practical, the attack will be coded to free up manpower. Malware routinely will decide not to run if it is in a virtualised environment or if there are analysis tools installed on machines. Slick automation is used by Trickbot and Emotet to keep botnets running and to spread using stolen credentials. RDP breaches are easier than ever due to automated processes scouring the internet for targets to exploit. Expect more and more intelligent automation from ransomware and other malware in future.

What can I do?

  • Secure your RDP
  • Use proper password policy. This ties in with RDP ransomware threats and especially applies to admins.
  • Update everything
  • Back up everything. Is this backup physically connected to your environment (as in USB storage)? If so, it can easily be encrypted by malware and malicious actors. Make sure to air gap backups or back up to the cloud.
  • If you feel you have been the victim of a breach, it’s possible there are decryption tools available. Despite the brilliant efforts of the researchers in decryption, this is only the case in some instances.

This article was provided by our service partner : webroot.com

The Rise of Information Stealers

As noted in a previous blog post, mining malware is on a decline, partly due to turmoil affecting cryptocurrencies. Ransomware is also on a decline (albeit a slower one). These dips are at least partly the result of the current criminal focus on information theft.

Banking Trojans, hacks, leaks, and data-dealing are huge criminal enterprises. In addition to suffering a breach, companies might now be contravening regulations like GDPR if they didn’t take the proper precautions to secure their data. The ways in which stolen data is being used is seeing constant innovation. 

Motivations for data theft

Currency

The most obvious way to profit from data theft is by stealing data directly related to money. Examples of malware that accomplishes this could include:

  • Banking Trojans. These steal online banking credentials, cryptocurrency private keys, credit card details, etc. Originally for bank theft specialists, this malware group now encompasses all manner of data theft. Current examples include Trickbot, Ursnif, Dridex.
  • Point of Sale (POS). These attacks scrape or skim card information from sales terminals and devices.
  • Information stealing malware for hijacking other valuables including Steam keysmicrotransactional or in-game items

Trade

Data that isn’t instantly lucrative to a thief can be fenced on the dark web and elsewhere. Medical records can be worth ten times more than credit cards on dark web marketplaces. A credit card can be cancelled and changed, but that’s not so easy with identity. Examples of currently traded information include:

  • Credit cards. When cards are skimmed or stolen, they’re usually taken by the thousands. It’s easier to sell these on at a reduced cost and leave the actual fraud to other crooks.
  • Personal information. It can be used for identity theft or extortion, including credentialschildren’s data, social security information, passport details, medical records that can be used to order drugs and for identity theft, and sensitive government (or police) data

Espionage

Classified trade, research, military, and political information are constant targets of hacks and malware, for obvious reasons. The criminal, political, and intelligence worlds sometimes collide in clandestine ways in cybercrime. 

As a means of attack

While gold and gemstones are worth money, the codes to a safe or blueprints to a jewellery store are also worth a lot, despite not having much intrinsic value. Similarly, malware can be used to case an organisation and identify weaknesses in its security setup. This is usually the first step in an attack, before the real damage is done by malware or other means. 

“In late 2013, an A.T.M. in Kiev started dispensing cash at seemingly random times of day. No one had put in a card or touched a button. Cameras showed that the piles of money had been swept up by customers who appeared lucky to be there at the right moment.” –From a story that appeared in the New York Times

Just another day in the Cobalt/Carbanak Heists 

Some examples of “reconnaissance” malware include:

  • Carbanak. This was the spear-tip of an attack in an infamous campaign that stole over €1 billion ($1.24 billion) from European banks, particularly in Eastern Europe. The Trojan was emailed to hundreds of bank employees. Once executed, it used keylogging and data theft to learn passwords, personnel details, and bank procedures before the main attacks were carried out, often using remote access tools. ATMs were hacked to spill out cash to waiting gang members and money was transferred to fraudulent accounts.
  • Mimikatz, PsExec, and other tools. These tools are freely available and can help admins with legitimate issues like missing product keys or passwords. They can also indicate that a hacker has been on your network snooping. These software capabilities can be baked into other malware.
  • Emotet. Probably the most successful botnet malware campaign of the last few years, this modular Trojan steals information to help it spread before dropping other malware. It usually arrives by phishing email before spreading like wildfire through an organisation with stolen/brute-forced credentials and exploits. Once it has delivered its payload (often banking Trojans), it uses stolen email credentials to mail itself to another victim. It’s been exfiltrating the actual contents of millions of emails for unknown purposes, and has been dropping Trickbot recently, but the crew behind the campaign can change the payload depending what’s most profitable. 

“Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Emotet continues to be among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors.”- An August 2018 warning from the American DHS

  • Trickbot/Ryuk. Trickbot is a banking Trojan capable of stealing a huge array of data. In addition to banking details and cryptocurrency, it also steals data that enables other attacks, including detailed information about infected devices and networks, saved online account passwords, cookies, and web histories, and login credentials. Trickbot has been seen dropping ransomware like Bitpaymer onto machines, but recently its stolen data is used to test a company’s worth before allowing attackers to deploy remote access tools and Ryuk(ransomware) to encrypt the most valuable information they have. The people behind this Trickbot/Ryuk campaign are only going after big lucrative targets that they know they can cripple.

What are the current trends?

Emotet is hammering the business world and, according to our data, has surged in the last six months of 2018:

Data recorded between 1 July and December 31, 2018. Webroot SecureAnywhere client data.

Detection of related malware surged alongside these detections. Almost 20% of Webroot support cases since the start of December have been related to this “family” of infections (Emotet, Dridex, Ursnif, Trickbot, Ryuk, Icedid).

What can I do?

  • Update everything! The success of infections such as WannaMine proved that updates to many operating systems still lag years behind. Emotet abuses similar SMB exploits to WannMine, which updates can eliminate.
  • Make sure all users, and especially admins, adhere to proper password practices.
  • Disable autoruns and admin shares, and limit privileges where possible.
  • Don’t keep sensitive information in plain text.

This article was provided by our service partner : Webroot

cryptomining

A Miner Decline: The Surprising Slowdown of Cryptomining

In Webroot’s 2018 mid-term threat report, we outlined how cryptomining, and particularly cryptojacking, had become popular criminal tactics over the first six months of last year. This relatively novel method of cybercrime gained favour for being less resource-intensive and overtly criminal when compared to tactics involving ransomware. But mining cases and instances of mining malware seem to have dropped off significantly in the six months since this report, both anecdotally and in terms of calls to our support queue. 

The crytpo world has gone through significant turmoil in this time, so it’s possible the reduced use of malicious cryptojacking scripts is the result of tanking cryptocurrency values. It’s also possible users are benefitting from heightened awareness of the threat and taking measures to prevent their use, such as browser extensions purpose-built to stop these scripts from running. 

Setting aside the question of why for a moment, let’s take a look at some stats illustrating that decline during that time period.

Cryptojacking URLs seen by Webroot over six months beginning 1 July through 31 December, 2018, Webroot SecureAnywhere client data. 


Webroot endpoints detected URLs associated with over 17,000 cryptojacking instances over the last year.

New miner malware seen by Webroot 

Data from six months beginning 12 July through 9 Jan, 2019, Webroot data, units logarithmic.


Portable executable mining malware seen by Webroot threat intelligence. Data from hundreds of millions of Webroot sensors.

Monero mining profitability ($)

Data covering six months from 12 July – 9 Jan, 2019, Bit Info Charts, units logarithmic


We chose Monero as the currency to analyse here because of its popularityamong crooks operating miners or cryptojacking sites. However, results for Bitcoin over the same time period are similar.

Monero price ($)

Data covering six months from 12 July through 9 Jan, 2019, World Coin Index

Interpreting the data

None of the graphs are identical, but without too much statistical comparison, I think a broad trend can be seen: malicious mining is on the decline alongside a general decline in coin value and coin mining profitability. 

Profitability affecting criminal tactics is of course not surprising. The flexibility of exploit kits and modern malware campaigns like Emotet mean that cybercriminals can change tactics and payloads quickly when they feel their malware isn’t netting as much as it should.

Thanks to the dark web, criminal code has never been easier to buy or rent than in recent years, and cryptocurrencies themselves make it easy to swap infection tactics while keeping the cash flowing. Buying or renting malicious code and malware delivery services online is easy, so the next time the threat landscape changes, expect criminals to quickly change with it. 

Should I still care about miners?

Yes, absolutely. 

Cryptocurrency, cryptomining, and malicious cryptomining aren’t disappearing. Even with this dip, 2018 was definitely a year of overall cryptocrime growth. Our advanced malware removals teams often spot miner malware on machines infected by other malware, and it can be an indication of security holes in need of patching. And any illegal mining is still capable of constantly driving up power bills and frustrating users.

Where are cybercriminals focused now?

Information theftis the current criminal undertaking of choice, a scary development with potentially long-lasting consequences for its victims that are sometimes unpredictable even to thieves. The theft, trade, and use for extortion of personal data will be the focus of our next report.

What can I do?

Cryptojacking may only be on the decline because defences against them have improved. To up your chances of turning aside this particular threat, consider doing the following:

  • Update everything. Even routers can be affected by cryptojacking, so patch/update everything you can.
  • Is your browser using up lots of processor? Even after a reset/reinstall? This could be a sign of cryptojacking.
  • Are you seeing weird spikes in your processor? You may want to scan for miner infections.
  • Don’t ignore repeated miner detections. Get onto your antivirus’ support team for assistance. This could be only the tip of the iceberg.
  • Secure your RDP.

What can Webroot do?

Webroot SecureAnywhere®antivirus products detect and remove miner infections, and the web threat shield blocks malicious cryptojacking sites from springing their code on home office users. For businesses, however, the single best way to stop cryptojacking, is with DNS-level protection. DNS is particularly good at blocking cryptojacking services, no matter how many sites they try to hide behind.

Persistent mining detections might point to other security issues, such as out-of-date software or advanced persistence methods, that will need extra work to fix. Webroot’s support is quick and easy to reach.

In the end, cryptomining and cryptojacking aren’t making the same stir in the cybersecurity community they were some months ago. But they’ve far from disappeared. More users than ever are aware of the threat they pose, and developers are reacting. Fluctuations in cryptocurrency value have perhaps aided the decline, but as long as these currencies have any value cryprojackers will be worth the limited effort they require from criminals.

Watch for the use of cryptominers to be closely related to the value of various cryptocurrencies and remain on the lookout for suspicious or inexplicable CPU usage, as these may be signs that you’re being targeted by these threats. 


This article was provided by our service partner : Webroot

Managed Security Services

Managed Security Services—the Opportunity, the Risk, and the Challenge

Worldwide SMBs are projected to grow their spending on remote managed security to an estimated $21.2 billion by 2021, making it the highest growth area in the managed services market. Yet many IT service providers are shying away from this services goldmine because they don’t possess the people, process, or technology to address increasingly sophisticated cyberattacks. Ironically, your customers believe you are handling ‘all things’ security related, which begs the question; is there a way to have a common language to communicate and mitigate the ambiguity of ‘who owns the risk?’

Why does your customer feel you are responsible for ‘all things’ security related? Have you ever said any of the following things to a prospect and/or customer? “We are your outsourced IT department. We reduce your risk and exposure. Our Virtual CIO (vCIO) meets with you quarterly to ensure your business and technology requirements are in alignment. You pay one monthly fee that is outcome driven. We do it all!” For more than ten years, our industry has preached managed services at every industry event and customer/prospect engagement. Our industry has prophesized managed services and therefore conditioned our customers that ‘we do it all!’

With today’s attacks becoming more sophisticated, the days of securing ourselves and our customers through a tools-based model (endpoint and firewall protection, email security/backup, and DNS) are not enough. Some managed service providers (MSPs) have started to add phishing services with security awareness training, which is an excellent step in meeting compliance for security awareness training.

To recalibrate our customer’s mindset, we need to be able to speak a common language about how the threat landscape has changed, and what has worked for years, won’t work in the future. A cybersecurity risk assessment is necessary to identify the gaps in your customer’s critical security controls and to determine actions to close those gaps. Learning how to perform a risk assessment, and more importantly, the art of having the conversation about ‘who owns the risk,’ are the critical next steps an MSP should be taking with their customers if they are not today. Vulnerability scanning and continuous monitoring would be critical next steps, post risk assessment.


This article was provided by our service partner : connectwise.com

cybersecurity

Top 5 Things SMBs Should Consider When Evaluating a Cybersecurity Strategy

SMBs are overconfident about their cybersecurity posture.

A survey of SMBs conducted by 451 Research found that in the preceding 24 months, 71% of respondents experienced a breach or attack that resulted in operational disruption, reputational damage, significant financial losses or regulatory penalties. At the same time, 49% of the SMBs surveyed said that cybersecurity is a low priority for their business, and 90% believe they have the appropriate security technologies in place. Clearly, SMBs are not correctly evaluating cybersecurity risk.

Many of us can relate – each day we ignore obvious signs that point to a reality that is in direct contrast to our beliefs. For example, as each year passes, most of us get a little slower, muscles ache that never ached before, we get a bit softer around the middle, and we hold our reading material farther away. Yet, we are convinced we could take on an NBA player in a game of one-on-one or complete the American Ninja Warrior obstacle course on the first try. 

While it’s unlikely that most of us can make the improvements needed to compete with elite athletes, the same can’t be said for enterprise cybersecurity. The journey is not an easy one given the security talent vacuum, a lack of domain understanding at the executive level, and the complexity of implementing a long-term, metric-based strategy. But, if you are an SMB struggling to run up and down the proverbial court, here are five things you should consider when building a better security practice:

1.   Experienced staff are valuable, but expensive, assets. 

Although enterprise cybersecurity is a 24/7/365 effort requiring a full roster of experienced professionals, many SMB cybersecurity teams are underequipped to handle the constant deluge of alert notifications, let alone the investigation or remediation processes. In fact, only 23% of survey respondents plan to add staff to their security teams in the coming year. For many SMBs, the security staffing struggles may get worse as 87% reported difficulties in retaining existing security professionals. To fill this gap, SMBs are increasingly turning to MSPs and MSSPs to provide the expertise and resources needed to protect their organizations around the clock.

2.   Executives understand what is at stake, but not what action to take. 

As the threat landscape becomes more treacherous, regulatory requirements multiply, and security incidents become more common, executives at SMBs have become more acutely aware of the business impact of security incidents – most are feeling an urgency to strengthen organizational cybersecurity. However, acknowledging the problem is only the first step of the process. Executives need to interface with their internal security teams, industry experts and MSPs in order to fully understand their organization’s risk portfolio and design a long-term cybersecurity strategy that integrates with business objectives.

3.   Security awareness training (SAT) is low-hanging fruit (if done right). 

According to the 451 Research Voice of the Enterprise: Information Security: Workloads and Key Projects survey, 62% of SMBs said they have a SAT program in place, but 50% are delivering SAT on their own using ‘homegrown’ methods and materials. It should be no surprise that many SMBs described their SAT efforts as ineffective. MSPs are increasingly offering high-quality, comprehensive SAT for a variety of compliance and regulatory frameworks such as PCI-DSS, HIPAA, SOX, ISO, GDPR and GLBA. SMBs looking to strengthen their security posture should look to partner with these MSPs for security awareness training.

4.   Securing now means securing for the future. 

The future of IT architecture will span both private and public clouds. This hybrid- and multi-cloud infrastructure represents a significant challenge for SMBs that require a cybersecurity posture that is both layered and scalable. SMBs need to understand and consider long-term trends when evaluating their current cybersecurity strategy. With this aim in mind, SMBs can turn to MSPs and MSSPs with the experience and toolsets necessary for securing these types of complex environments. 

5.   A metrics-based security approach is needed for true accountability. 

In a rush to shore up organizational security, SMBs might make the all-too-common mistake of equating money spent with security gained. To be clear: spending not backed by strategy and measurement only enhances security posture on the margins, if at all. To get the most bang for each buck, SMBs need to build an accountable security system predicated on quantifiable metrics.Again, this is an area where SMBs can partner with MSPs and MSSPs. This serves as an opportunity to develop cybersecurity strategy with measurable KPIs to ensure security gains are maintained over time. MSPs can help SMBs define the most applicable variables for their IT architectures, whether it be incident response rate, time-to-response or other relevant metrics.

The strategic reevaluation of organizational security is a daunting task for any organization, but given the risks SMBs face and their tendency to be underprepared, it is a necessary challenge. These key points of consideration for SMBs embarking on this critical journey underscore the importance of building an accountable and forward-looking security system and highlight the ways in which SMBs can work alongside MSP or MSSP partners to implement the right cybersecurity system for their organizations. I hope this will be the wake-up call all SMBs need to unleash their inner cybersecurity all-star.


This article was provided by our service partner : webroot.com