Month: April 2016
The recent rise in ransomware infections has been attributed to the proliferation of ransomware-as-a-service, with many malicious actors now getting in on the act and sending out spam email campaigns to unsuspecting users.
Ransomware-as-a-Service Proliferation is a Major Cause for Concern
The problem with ransomware-as-a-service is how easy it is for attackers with relatively little technical skill to pull off successful ransomware attacks. All that is needed is the ability to send spam emails and a small investment of capital to rent the ransomware. The malicious software is now being openly sold as a service on underground forums and offered to spammers under a standard affiliate model.
The malware author charges a nominal fee to rent out the ransomware, but takes a large payment on the back end. Providers of ransomware-as-a-service typically take a cut of 5%-25% of each ransom. Spammers get to keep the rest. Renters of the malicious software cannot access the source code, but they can set their own parameters such as the payment amount and timescale for paying up.
SMBs Increasingly Targeted by Attackers
While individuals were targeted heavily in the past and sent ransom demands of around $400 to $500 to unlock their family photographs and other important files, attackers are now extensively targeting businesses. Often the same model is used, with a fee charged by the attackers per install.
When an organization has multiple devices infected with ransomware the cost of remediation is considerable. One only needs to look to Hollywood Presbyterian Medical Center to see how expensive these attacks can be. The medical center was forced to pay a ransom of $17,000 to unlock computers infected with ransomware, in addition to many man-hours resolving the infection once the encryption keys had been supplied. That is before the cost of reputational damage and of clearing the backlog caused by its computers being shut down for over a week.
Warning Issued About the Insider Ransomware Threat
As if the threat from ransomware was not enough, researchers believe the situation is about to get a whole lot worse. Ransomware-as-a-service could be used by a malicious insider to infect their own organization. With insider knowledge of the locations and types of data critical to the running of the business, an insider would be in the best position to infect computers.
Insiders may also be aware of the value of the data and the cost to the business of losing data access. Ransoms could then be set accordingly. With payments of tens of thousands of dollars possible, this may be enough to convince some employees to conduct insider attacks. Since finding hackers offering ransomware-as-a-service is not difficult, and network access has already been gained, insiders may be tempted to pull off attacks.
To counter the risk of insider ransomware attacks, businesses should develop policies that make it crystal clear to employees that insider attacks will be punished to the full extent of the law. Software solutions should be put in place to continuously monitor for unauthorized programs installed on networked devices, and network privileges should be restricted as far as is possible. Employees should have their network activities monitored, and suspicious activity should be flagged and investigated. It is not possible to eliminate the risk of insider attacks, but it is possible to reduce the risk to a minimal level.
IT professionals are well aware of the shadow IT risk. Considerable risk is introduced by employees installing unauthorized software onto their work computers and mobile devices. The scale of that risk was clearly illustrated this week following the discovery of new malware by the Talos team. To date more than 12 million individuals are believed to have installed the new Trojan downloader.
Seemingly Genuine Software Performs a Wide Range of Highly Suspect System Actions
Many users are frustrated by the speed of their PC and download tools that promise to resolve the problem, yet many of these are simply bloatware that perform no beneficial functions other than slowing down computers. These can be used to convince users to pay for additional software that speeds up their PCs, or worse: the software may perform various nefarious activities.
It would appear that the new malware is of this ilk. Furthermore, it is capable of being exploited to perform a wide range of malicious actions. The software performs a wide range of highly suspect functions and has the potential to steal information, gain administration rights, and download malicious software without the user’s knowledge.
The new malware has been referred to as a “generic Trojan” which can check to see what AV software is installed, detect whether it has been installed in a sandbox, determine whether remote desktop software has been installed, and check for security tools and forensic software.
By detecting its environment, the malware is able to determine whether detection is likely and if so the malware will not run. If detection is unlikely a range of functions are performed including installing a backdoor. The backdoor could be used to install any number of different programs onto the host machine without the user’s knowledge.
So far more than 7,000 unique samples have been discovered by Talos. One common theme is the use of the word “Wizz” throughout the code, with the malware communicating with “WizzLabs.”
Analysis of the malware revealed that one of the purposes of the software was to install adware called “OneSoftPerDay”. The company behind this adware is Tuto4PC, a French company that has got into trouble with authorities before for installing PUPs on users’ computers without their knowledge.
By allowing the malware to run, researchers discovered it installed System Healer – another Tuto4PC creation – without any user authorization. Whether the malware will be used for nefarious activity other than trying to convince users to download and pay for PUPs is unclear, but the potential certainly exists. With 12 million devices containing this software, at any point these machines could be hijacked and the software used for malicious purposes.
The Shadow IT Risk Should Not Be Underestimated
The shadow IT risk should not be underestimated by security professionals. Many seemingly legitimate software applications have the capability of performing malicious activities, and any program that goes to such lengths to detect the environment in which it is run and to avoid detection is a serious concern.
Organizations should take steps to reduce shadow IT risk and prevent the installation of unauthorized software on computers. Policies should be put in place to prohibit the installation of unauthorized software, and software solutions should be employed to block installers from being downloaded. As an additional precaution, regular scans should be conducted on networked devices to check for shadow IT installations, and action should be taken against individuals who break the rules.
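The monitoring recommended above for insider risk and for shadow IT comes down to the same check: compare what is actually installed on a device against an approved-software baseline and flag the outliers. The script below is an added example, not code from the page or from any vendor named on it; the approved list, the trusted publishers and the sample inventory are all constructed. It flags three things a practitioner typically cares about: software that is not on the approved list at all, approved software names carrying an unexpected publisher (a common sign of a repackaged or trojanized installer), and installs living under a user profile rather than the managed program directories.

```python
"""
Flag installed programs that fall outside an approved-software baseline.
All data here is constructed sample data; in practice the inventory would
come from a software-inventory agent, package manager or registry export.
"""
from dataclasses import dataclass

# Hypothetical baseline: approved program name -> set of trusted publishers.
APPROVED = {
    "Microsoft Office": {"Microsoft Corporation"},
    "Google Chrome": {"Google LLC"},
    "7-Zip": {"Igor Pavlov"},
}

# Installs outside these roots are typical of per-user, unmanaged software.
MANAGED_ROOTS = (r"C:\Program Files", r"C:\Program Files (x86)")


@dataclass
class InstalledProgram:
    name: str
    publisher: str
    install_path: str


# Constructed sample inventory, as an inventory agent might report it.
SAMPLE_INVENTORY = [
    InstalledProgram("Microsoft Office", "Microsoft Corporation",
                     r"C:\Program Files\Microsoft Office"),
    InstalledProgram("Google Chrome", "Google LLC",
                     r"C:\Program Files\Google\Chrome"),
    InstalledProgram("7-Zip", "Igor Pavlov", r"C:\Program Files\7-Zip"),
    InstalledProgram("PC Speed Booster", "Unknown",
                     r"C:\Users\alice\AppData\Local\PCSpeedBooster"),
    InstalledProgram("Google Chrome", "Chrome Installer Ltd",
                     r"C:\Users\bob\AppData\Local\ChromeUpd"),
]


def assess(program):
    """Return the reasons this program is suspect (empty list if it is approved)."""
    reasons = []
    if program.name not in APPROVED:
        reasons.append("not on approved-software list")
    elif program.publisher not in APPROVED[program.name]:
        reasons.append("publisher does not match approved publisher")
    if not program.install_path.startswith(MANAGED_ROOTS):
        reasons.append("installed outside managed program directories")
    return reasons


def find_shadow_it(inventory):
    """Map (name, install path) of each suspect program to its reasons."""
    findings = {}
    for program in inventory:
        reasons = assess(program)
        if reasons:
            findings[(program.name, program.install_path)] = reasons
    return findings


if __name__ == "__main__":
    for (name, path), reasons in find_shadow_it(SAMPLE_INVENTORY).items():
        print(f"{name} ({path}): {'; '.join(reasons)}")
```

The publisher check matters more than it looks: an allowlist keyed on program name alone would wave through the second "Google Chrome" entry, which is exactly the kind of lookalike installer a bloatware bundle or a downloader Trojan drops into a user's profile.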
Anti-phishing strategies can be employed to protect networks from attack; however, a new report from Verizon shows that phishing is proving more successful than ever. Anti-phishing strategies are being employed, but they are not sufficient to prevent attacks from taking place. End users are still opening phishing emails and divulging their login credentials to attackers.
Anti-Phishing Strategies Are Being Implemented But Employees are Still Falling for Phishing Scams
According to the new report a greater percentage of employees are now falling for phishing scams. Last year’s Verizon Data Breach Report showed that 23% of phishing emails were being opened. This year the number has risen to 30%.
Opening a phishing email does not, by itself, result in a network being compromised or the attacker gaining access to email accounts. For that to happen, an end user must open an infected email attachment or click on a link to a malicious website.
How often are employees taking this extra step? According to the Verizon data breach report, 12% of end users open the phishing email and double click on an attached file.
A similar percentage (13%) of end users click on the malicious links contained in the emails. These links either direct the user to a website containing an exploit kit or to a site where login credentials or other sensitive data are entered and revealed to attackers.
Anti-phishing methods are being taught to company employees, but attacks are still succeeding with alarming frequency. Phishing is proving to be a highly effective method of cyberattack.
The report also indicates that when attacks are successful attackers have plenty of time to exfiltrate data. Organizations are also finding it much harder to detect breaches when they occur. Attacks are taking minutes from the sending of a phishing email to network access being gained, yet it can take months for breaches to be detected.
Training Alone is Insufficient to Protect Against All Phishing Attacks
Anti-phishing strategies adopted by many organizations are not robust enough to prevent successful attacks. Anti-phishing strategies that rely too heavily on training staff members how to identify phishing emails are likely to fail.
It only takes one employee to respond to a phishing email for a network to be compromised and it is a big ask to expect every employee to identify every phishing email, 100% of the time.
Providing staff members with anti-phishing training can help to reduce risk, but software solutions should also be employed. A robust spam filtering solution should be implemented to ensure the majority of phishing emails are blocked and never delivered to end users’ inboxes. No anti-spam solution is effective 100% of the time, although blocking 99.9% of phishing emails is possible with solutions such as SpamTitan.
Attackers are using ever more sophisticated methods to fool end users into clicking on malicious links. A great deal of time and effort goes into spoofing domains and producing carbon-copy spoof websites. Preventing these websites from being visited is one of the best defenses against phishing attacks. Web filtering solutions can be a highly effective way of reducing the risk of a phishing attack being successful.
A web filter can be configured to block phishing websites and other potentially harmful websites. Even if links are clicked, the user is prevented from compromising their device and network.
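To show what the "block the spoofed site even after the click" layer actually decides on, here is an added example of a minimal web-filter decision function. It is not code from the page or from any product it mentions; the blocklist, the protected domains and the sample URLs are constructed. It blocks a request when the host, or any parent domain of it, is on a blocklist, and it also catches the spoofed-domain pattern the text describes: a protected brand under a different TLD, a one-character typosquat, or the brand name used as a subdomain label of an unrelated domain.

```python
"""
Web-filter decision for a requested URL: block on a blocklisted domain or on a
lookalike of a protected domain. All lists are constructed for this example.
"""
from urllib.parse import urlsplit

# Constructed blocklist of known phishing domains (hypothetical names).
BLOCKLIST = {"login-verify-example.test", "secure-update.test"}

# Domains this filter protects against lookalikes (hypothetical names).
PROTECTED = {"examplebank.com", "example.com"}


def host_of(url):
    """Lowercase host of a URL; tolerates a URL typed without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registered_domain(host):
    """Crude 'name.tld' extraction; real filters use the Public Suffix List."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def in_blocklist(host):
    """True if the host or any parent domain of it is blocklisted."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))


def lookalike_of(host):
    """Return the protected domain this host imitates, or None."""
    reg = registered_domain(host)
    if reg in PROTECTED:
        return None  # the genuine site
    for good in PROTECTED:
        good_label = good.split(".")[0]
        # Same brand label under another TLD, or a single-edit typosquat.
        if reg.split(".")[0] == good_label or edit_distance(reg, good) == 1:
            return good
        # Brand label used as a subdomain of an unrelated registered domain.
        if good_label in host.split(".")[:-2]:
            return good
    return None


def decide(url):
    """Return ('block', reason) or ('allow', '') for the requested URL."""
    host = host_of(url)
    if in_blocklist(host):
        return "block", "domain is blocklisted"
    target = lookalike_of(host)
    if target:
        return "block", f"lookalike of protected domain {target}"
    return "allow", ""


if __name__ == "__main__":
    for u in ("https://examplebank.com/login", "http://mail.login-verify-example.test/x",
              "https://examplebank.net/login", "https://exanplebank.com/",
              "https://examplebank.evil-host.test/"):
        print(u, decide(u))
```

The lookalike rules are deliberately narrow: a domain such as a brand name with an appended word would pass, which is why a production filter pairs heuristics like these with a categorized reputation feed rather than relying on either alone.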
K-12 schools in the United States have been put on alert after it was discovered that backdoors have been installed on a number of servers running Follett’s Destiny Library Management System. More than 60,000 schools in the United States use Destiny to track school library assets, a number of which now face a high risk of cyberattack.
A security vulnerability in the JBoss platform has recently been used to launch attacks on a number of organizations in the United States. The vulnerability has allowed malicious actors to gain access to servers and install ransomware. The main targets thus far have been hospitals, including Baltimore’s Union Memorial which was infected as a result of a ransomware attack on its parent organization MedStar. The attackers gained access to servers at MedStar and used SamSam ransomware to lock critical files with powerful encryption. The discovery of the ransomware resulted in the forced shutdown of MedStar’s EHR and email causing widespread disruption to healthcare operations.
Over 2000 Backdoors Discovered to Have Been Installed on Servers Running JBoss
Since the attack took place, Cisco’s Talos security team has been scanning the Internet to locate servers that are exposed to the JBoss security vulnerability. Earlier this week Talos researchers discovered 3.2 million servers around the world are vulnerable to attack. However, there is more bad news. Attackers have already exploited the security vulnerability and have installed backdoors on thousands of servers. In some cases, multiple backdoors have been installed by a number of different players by dropping webshells on unpatched servers running JBoss. 2,100 backdoors were discovered and 1,600 IP addresses have been affected.
Hospitals have been targeted as they hold a considerable volume of valuable data that are critical to day-to-day operations. If attackers are able to lock those files there is a high probability that the hospitals will be forced to pay a ransom to obtain the decryption keys. Hollywood Presbyterian Medical Center had to pay a ransom of $17,000 to unlock files that had been encrypted in a ransomware attack. Schools are also being targeted.
Poor patch management policies are to blame for many servers being compromised. The JBoss security vulnerability is not new. A patch was issued to correct the vulnerability several years ago. If the patch had been applied, many servers would not have been compromised. However, some organizations, including many schools, are not able to update JBoss as they use applications which require older versions of JBoss.
Destiny Library Management System Vulnerabilities Addressed With A New Patch
A number of schools running Destiny Library Management System were discovered to have been compromised by attackers using the JexBoss exploit to install backdoors, which could be used to install ransomware. Follett discovered the problem and has now issued a patch to address the security vulnerability and secure servers running its Destiny Library Management System. The patch plugs security vulnerabilities in versions 9.0 to 13.5, and scans servers to identify backdoors that have been installed. If non-Destiny files are discovered they are removed from the system.
Any school using the Destiny Library Management System must install the patch as a matter of urgency. If the Destiny Library Management System remains unpatched, malicious actors may take advantage and use the backdoors to install ransomware or steal sensitive data.
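The patch described above does two distinct jobs: it closes the vulnerable versions and it scans for files that are not part of the product, removing what it finds. The second job is an integrity check, and it is worth seeing how such a check works because any server owner can run one independently of a vendor patch. The script below is an added example and is not Follett's patch, Destiny's file list, or any code from the page; the application tree and its manifest are constructed in a temporary directory. It takes a known-good manifest of file hashes for a deployed web application, rescans the directory, and reports files that are not in the manifest (where a dropped webshell would show up), files whose hash has changed, and files that have gone missing.

```python
"""
Integrity scan of a deployed application directory against a known-good
manifest of SHA-256 hashes. The sample tree, its manifest and the simulated
post-compromise changes are all constructed for this example.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Hash every file under root, keyed by its path relative to root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def scan(root, manifest):
    """Compare the directory against the manifest.

    Returns sorted lists of 'unknown' (present but not in the manifest),
    'modified' (hash differs) and 'missing' (in the manifest but absent) paths.
    """
    current = build_manifest(root)
    return {
        "unknown": sorted(p for p in current if p not in manifest),
        "modified": sorted(p for p in current
                           if p in manifest and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
    }


def build_demo():
    """Create a constructed app tree, record its baseline manifest, then apply
    simulated post-compromise changes. Returns (root, baseline_manifest)."""
    root = tempfile.mkdtemp(prefix="appscan_")
    os.makedirs(os.path.join(root, "webapp", "WEB-INF"))
    with open(os.path.join(root, "webapp", "index.jsp"), "w") as f:
        f.write("<html>hello</html>\n")
    with open(os.path.join(root, "webapp", "WEB-INF", "web.xml"), "w") as f:
        f.write("<web-app/>\n")
    baseline = build_manifest(root)
    # Simulated changes (constructed, inert text): one unexpected new file in
    # the web root and one known file with content appended to it.
    with open(os.path.join(root, "webapp", "unexpected.jsp"), "w") as f:
        f.write("placeholder for a file the vendor never shipped\n")
    with open(os.path.join(root, "webapp", "index.jsp"), "a") as f:
        f.write("<!-- appended -->\n")
    return root, baseline


if __name__ == "__main__":
    demo_root, demo_baseline = build_demo()
    for category, paths in scan(demo_root, demo_baseline).items():
        print(f"{category}: {paths}")
```

Two operational caveats: the manifest has to be taken from a clean install (or, better, shipped by the vendor), because a baseline recorded after compromise will simply bless the backdoor; and a scan only confirms what is on disk, so removing an unknown file does nothing about the unpatched vulnerability that let it be written in the first place.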
A new study has confirmed that the healthcare industry faces the highest risk of cyberattacks. Healthcare providers and health plans are being targeted by cybercriminals due to the value of patient data on the black market. A full set of medical records, along with personally identifiable information and Social Security numbers, sells for big bucks on darknet marketplaces. Health data is far more valuable than credit cards, for instance.
Furthermore, organizations in the healthcare industry store vast quantities of data and cybersecurity protections are still less robust than in other industry verticals.
The survey was conducted by 451 Research on behalf of Vormetric. Respondents were asked about the defenses they had put in place to keep sensitive data secure, how they rated their defenses, and how they planned to improve protections and reduce the risk of cyberattacks occurring.
78% of respondents rated their network defenses as very or extremely effective, with network defenses having been prioritized by the majority of healthcare organizations. 72% rated data-at-rest defenses as extremely or very effective. While this figure seems high, confidence in data-at-rest defenses ranked second from bottom. Only the government sector ranked lower, with 68% of respondents from government agencies rating their data-at-rest defenses as very or extremely effective.
Even though many IT security professionals in the healthcare industry believe their network and data-at-rest defenses to be robust, 63% of healthcare organizations reported having experienced a data breach in the past.
The Risk of Cyberattacks Cannot Be Effectively Managed Simply by Becoming HIPAA-Compliant
Many organizations have been prioritizing compliance with industry regulations rather than bolstering defenses to prevent data breaches. Many healthcare organizations see compliance with the Health Insurance Portability and Accountability Act (HIPAA) as being an effective way of ensuring data are protected.
HIPAA requires all covered entities – healthcare providers, health plans, healthcare clearinghouses, and business associates of covered entities – to implement administrative, technical, and physical safeguards to keep confidential patient data secure. By achieving “HIPAA compliance” covered entities will improve their security posture and reduce the risk of cyberattacks, but compliance alone will not ensure that data are protected.
One only needs to look at the Department of Health and Human Services’ Office for Civil Rights breach portal to see that healthcare data breaches are commonplace. Many of the organizations listed in the breach portal have implemented defenses to protect data and are HIPAA-compliant. Compliance has not prevented data breaches from occurring.
The 451 Research survey asked respondents their views on compliance. 68% said it was very or extremely effective at ensuring data were secured. The reality is HIPAA only requires healthcare organizations to implement safeguards to achieve a minimum level of data security. In order to prevent data breaches and effectively manage the risk of cyberattacks, organizations need to invest more heavily in data security.
HIPAA does not, for example, require organizations to protect data-at-rest with encryption. If the network perimeter is breached, there is often little to prevent data from being stolen. Healthcare organizations are focusing on improving network protection but should not forget to protect data-at-rest with encryption. 49% said network security was still the main spending priority over the next 12 months, which was the highest rated security category for investment.
Healthcare organizations did appreciate that investment in technologies to protect data-at-rest was important, with 46% of respondents saying spending would be increased over the next 12 months on technologies such as disk and file encryption to help manage the risk of cyberattacks.