Ragnar locker Attacks Portuguese Energy Producer
It was recently confirmed that Energias de Portugal (EDP), one of the largest energy producers in the world, has fallen victim to the Ragnar Locker ransomware variant. The original attack took place in April but was only discovered in May after nearly three weeks of being active on their systems. After contacting affected customers, the company also revealed it was subject to a Bitcoin ransom of roughly $10 million to ensure the stolen data wasn’t publicly released.
Xchanging MSP Falls Victim to Ransomware
An MSP known as Xchanging, which primarily serves the insurance industry, was hit with a ransomware attack over the weekend that forced it to take many of its systems offline. Though the attack was largely confined to Xchanging’s systems and only affected a small number of customers, it is still unclear how long the infection was active before discovery. In a statement, the company says it’s working to restore access to customer operating environments as quickly as possible.
Fitness Firm Exposes Customer Info
Nearly 1.3 million customer files and photos were compromised after the fitness firm V Shred was breached, potentially affecting up to 100,000 clients. The data was stored on an improperly configured Amazon S3 bucket that was discovered as a part of a larger mapping project that had already located several similar leaks. While V Shred confirmed much of the data was publicly available, it originally denied that the dataset itself contained full names, addresses, and other highly sensitive personal information that could be used maliciously.
Magecart Group Surpasses 570 Victim Sites
Clubillion Casino App Leak Could Affect Millions
A database containing personally identifiable information on millions of users of the casino app Clubillion was compromised in late March. The breach was discovered and secured within five days, though heavy traffic to the site may have enabled the compromise of hundreds of thousands more individuals in that time. These types of apps are common targets of cyberattacks because they hold such large quantities of sensitive data that can be used for further attacks by leveraging the stolen data.
“What’s an evasive attack? At a very basic level, it’s exactly what it sounds like; it’s a cyberattack that’s designed to hide from you,” says Grayson Milbourne, Security Intelligence Director at Webroot, an OpenText company.
Based on Grayson’s initial explanation, you can imagine that evasive tactics are pretty common throughout cybercriminal activities. But they’re especially prevalent in the context of scripts. Scripts are pieces of code that can automate processes on a computer system. They have tons of legitimate uses, but, when used maliciously, they can be extremely effective and difficult to detect or block.
With Grayson’s help, we’ll talk you through some of the common script evasion techniques that criminals use.
Living off the Land Binaries (“LoLBins”) are applications that a Windows® system already has on it by default. Funny name aside, they’re extremely useful for attackers because they provide a way to carry out common steps of an attack without having to download anything new onto the target system. For example, criminals can use them to create persistency (i.e. enable the infection to continue operating after a reboot), spread throughout networked devices, bypass user access controls, and extracting passwords or other sensitive information.
There are dozens of LoLBins for criminals to choose from that are native to the Windows OS, such as powershell.exe, certutil.exe, regsr32.exe, and many more. Additionally, there are a variety of common third party applications that are pretty easy to exploit if present, such as java.exe, winword.exe, and excel.exe.
According to Grayson, this is one of the ways malicious hackers disguise their activities, because default OS applications are unlikely to be detected or blocked by an antimalware solution. He warns, “unless you have strong visibility into the exact commands that these processes are executing, then it can be very hard to detect malicious behavior originating from LoLBins.
Script Content Obfuscation
Like LoLBins and scripting overall, hiding the true content or behavior of a script—or content “obfuscation”—has completely legitimate purposes. But, in terms of malicious hacking, it’s pretty self-explanatory why obfuscation would lend itself to criminal activities. The whole point is not to get caught, right? So it makes sense that you’d take steps to hide bad activities to avoid detection. The screenshots below show an example of obfuscated code (top), with its de-obfuscated version (bottom).
Fileless and Evasive Execution
Using scripts, it’s actually possible to execute actions on a system without needing a file. Basically, a script can be written to allocate memory on the system, then write shellcode to that memory, then pass control to that memory. That means the malicious functions are carried out in memory, without a file, which makes detecting the origin of the infection (not to mention stopping it) extremely difficult.
Grayson explains, “one of the issues with fileless execution is that, usually, the memory gets cleared when you reboot your computer. That means a fileless infection’s execution could be stopped just be restarting the system. Persistence after a reboot is pretty top-of-mind for cybercriminals, and they’re always working on new methods to do it.”
The Windows® 10 operating system now includes Microsoft’s Anti-Malware Scan Interface (AMSI) to help combat the growing use of malicious and obfuscated scripts. That means one of the first things you can do to help keep yourself safe is to ensure any Windows devices you own are on the most up-to-date OS version.
Additionally, there are several other easy steps that can help ensure an effective and resilient cybersecurity strategy.
all applications up to date
Check all Windows and third party apps regularly for updates (and actually run them) to decrease the risk of having outdated software that contains vulnerabilities criminals could exploit.
macros and script interpreters
Although enabling macros has legitimate applications, the average home or business user is unlikely to need them. If a file you’ve downloaded gives you a warning that you need to enable macros, DON’T. This is another common evasive tactic that cybercriminals use to get malware onto your system. IT admins should ensure macros and script interpreters are fully disabled to help prevent script-based attacks. You can do this relatively easily through Group Policy.
unused 3rd party apps
Applications such as Python and Java are often unnecessary. If present and unused, simply remove them to help close a number of potential security gaps.
End users continue to be a business’ greatest vulnerability. Cybercriminals specifically design attacks to take advantage of their trust, naiveté, fear, and general lack of technical or security expertise. By educating end users on the risks, how to avoid them, and when and how to report them to IT personnel, businesses can drastically improve their overall security posture.
endpoint security that includes evasive script protection
Malicious hackers are always looking to come up with new ways to outsmart defenses. Grayson reminds us, “It’s up to all of us in cybersecurity to research these new tactics and innovate just as quickly, to help keep today’s businesses and home users safe from tomorrow’s threats. There’s always more work to be done, and that’s a big part of what drives us here at Webroot.”
To learn more about evasive scripts and what Webroot is doing to combat them, we recommend the following resources:
WastedLocker Shuts Down US News Sites
Over 30 news sites were compromised in the latest WastedLocker attack that affected many sites under a single parent company. Of the more than 30 companies targeted, eight belong to the Fortune 500 group and were in the early stages of a experiencing a fully encrypting ransomware attack. Luckily, security teams monitoring these sites acted quickly and were able to block attacks against some sites while mitigating extensive damage to others. The infiltration of these sites was caused by employees accessing previously injected websites and compromising themselves in the process.
UCSF Pays Hefty Ransom
Following a ransomware attack on the University of California San Francisco (UCSF) last month, officials have decided to pay a ransom of $1.14 million to decrypt several vital systems. The ransom amount was decided upon after negotiations between the university and the attackers. The original ask was around $3 million but was cut to less than half and was paid the following day. UCSF is one of three universities targeted with ransomware by the Netwalker hacker group in June that decided to pay a ransom to restore normal network function.
EvilQuest Wiper Targets MacOS
A new malicious actor has taken aim at MacOS with an info-stealer disguised as a ransomware attack that goes by the name of EvilQuest. Upon execution of the malicious installer, the malware begins encrypting files indiscriminately and displays a ransom note demanding only $50 in Bitcoin for decryption. The notice of encryption, however, is merely a cover for the damage occurring behind the scenes: sensitive files removed from the system with no way to retrieve them.
Fake DNS Update Looks to Steal Login Credentials
Researchers have spotted a new malicious email campaign that spoofs security companies and claims to offer a DNS update if the domain admin enters their credentials. Using a surprisingly accurate landing page, which mocks the real login sites convincingly, the site user is instructed to log in to update. To make matters worse, the attackers can scan for the site’s hosting service and customize the fake landing page to their specific victim, thus ensuring a higher probability of gaining their login info.
Passports Compromised in COVID19 Scam
In the continuing saga of COVID19 HMRC scams, attackers in Great Britain have begun focusing on the passport details of self-employed individuals in hopes of attaining personal or banking information. The scam itself originates as a text message with an urgent warning for the recipient to access a legitimate looking Her Majesty’s Revenue and Customs site to receive a tax refund. Dozens of victims have been identified across London. With these login credentials alone, attackers could access much of the victims’ data.
After surveying more than 10,000 people in 50 states about their cybersecurity habits, we wound up with some pretty surprising results. Like the fact that tech experts demonstrate riskier behaviors than average Americans. But the most significant result of all was the fact that most Americans are more confident than they should be when it comes practicing good cyber hygiene. So, we thought this would be a good opportunity to highlight a few of the riskiest behaviors from the report and suggest ways to correct them and minimize your chances of falling for a cyberattack.
Small business owners beware
- The problem – It’s not easy being a home-based business owner. Also known as very small businesses (VSBs), they’re often too busy and stretched thin just running their businesses. They often lack the time and resources to do everything they should to protect their important business files from online threats.
- Risky habits – Around 80% of VSB owners use the same device for both work and personal use. In addition, 71% use the same password for their personal and business accounts, putting both their personal life and company at risk.
- The fix – Owning separate devices for personal and small business use can be cost-prohibitive. But you can enforce better security by partitioning business files on your hard drive and creating a secure password to access those files. Make sure that password is different from any you’re using for personal use. Again, easier said than done in today’s world of password proliferation. If you’re struggling keeping track of all your passwords, consider using a password management app, especially for business files.
Knowing is half the battle
- The problem – There is a gap between awareness and real understanding of cyber-related attacks. Most Americans can confidently explain phone scams but are not as equipped to explain malware or phishing. This indicates that Americans may not be as prepared to confront risks as they think.
- Risky habits – Americans who never read the news are 70% less likely to recognize malware, phishing, ransomware or crypto-mining, and 51% less likely to be able to confidently explain these risks. Compare this with 89% of Americans who consistently consume technology news and can confidently explain common cybersecurity risks.
- The fix – Not everyone can afford security awareness training, but if you’re a business, consider the cost and consequences of a data breach to your business. Regular security awareness training can significantly increase your ability to identify and prevent a malware or phishing attack. If you’re a consumer or VSB owner, you can easily find free sources of cybersecurity news (like this one!). As the report shows, being a regular reader of tech news can significantly raise your awareness and reduce your risk.
Digital defense and immunity
- The problem – One in five Americans say they’ve been impacted by malware in the past year. While 61% of Americans say they’ve not been impacted, 18% aren’t sure. And with only 32% of Americans who feel they understand cyber-related attacks, it’s likely that many more have been impacted and just don’t know it.
- Risky habit – Many businesses and users haven’t updated their defenses. They haven’t updated their antivirus protection to include cloud-based threat intelligence, AI and machine-learning (ML). Or they’re failing to install necessary patches to plug holes in applications. And they’re still running obsolete operating systems, like Windows 7 or Server 2008, leaving them highly exposed.
- The fix – For today’s advanced threats, you need multiple layers of protection, including advanced antivirus as well as backup. Having just one of these layers is not enough. Perimeter protection with AI/ML functionality is critical for identifying polymorphic code that changes with each device it seeks to infect. Backup is essential for mitigating phishing attacks and disaster scenarios. Cybercriminals can also identify outdated operating systems. So, it’s worth the extra cost to update them, even if the hardware they’re running on is still functioning normally.
- The problem – Poor cybersecurity often leads to identity theft. Failing to wipe a device before discarding it is one problem. So is sharing personal information on social media and video streaming sites. The more hackers know about you, the easier it is for them to impersonate you online.
- Risky habits – A quarter of Americans have had their identity stolen, including 8% who have been a victim of identity theft more than once. Twice as many people who use mobile banking apps have been victims compared with those who don’t. Across industries, those in technology, banking and automotive are most likely to become victims of identity theft.
- The fix – Cover your tracks wherever you go. Erase the contents on a device before discarding it. Beware of the personal information you reveal on social media. And consider using a bank’s website rather than its app for personal banking.
- The problem – We knew phishing was a problem. In fact, it may be even bigger than our results indicate. A lot of users don’t know how to identify phishing scams. You can’t protect yourself from threats you don’t see coming.
- Risky habits – According to the report, 36% of respondents claim to have fallen for a phishing scam. But more enlightening is that only 35% claim to know how to identify a phishing attack. Similar to the lack of understanding about cyber-related attacks in general, the report seems to indicate that phishing is far more prevalent than the data indicate.
- The fix – Learn the tricks of the phishing trade, like bogus URLs and emails that ask you to confirm personal and banking information. Remember, bank logos can be easily faked. And banks won’t typically reach out to you for information they already have on file. If someone claiming to be from a bank contacts you by phone, call them back on an authentic customer service number from one of your banking statements.
Where to learn more
While the proliferation of encrypted DNS is being driven by consumer privacy, businesses will want to take notice. Encrypted DNS – also known as DNS over HTTPS, or DoH – obscures internet traffic from bad actors. But it also has the potential to decrease visibility for IT admins whose responsibility it is to manage DNS requests for their organizations. So, what’s the solution? Strangely, DoH.
As previously mentioned, DoH is now the default for Mozilla Firefox. It’s also available in Google Chrome and other Chromium-based browsers. This is a win for consumers, who have newfound control over who can see where they’re going on the internet.
However, by surrendering control over DNS requests to the browser, IT administrators lose the ability to apply filtering to DNS requests. Encrypted DNS that skirts the operating system eliminates the visibility that IT admins need to ensure security for internet traffic on their networks. It also prevents the business from being able to run threat intelligence against DNS requests and identify dynamic malware that could circumvent consumer DoH implementations. This leads to gaps in security that businesses can’t afford.
Staying ahead of the curve
There is a way to ensure privacy over DNS requests while maintaining control and visibility into network activity. The solution is to apply DoH across the entire system, not just browser activity. By wresting control over DNS requests from the browser, the agent can instruct Firefox not to engage its DoH feature. The same holds true for Chrome users running DoH. These requests are passed back through the operating system, where the DNS solution can manage them directly. This helps support both filtering and visibility.
An advanced agent will manage DNS requests on the device securely through DoH so the requests go directly to the server with no other entity having visibility into them. At the same time, the agent can apply threat intelligence to ensure requests aren’t resolving to malicious destinations. Admins have visibility into all DNS requests, and the requests are encrypted.
When the agent detects a prohibited resource, it returns the IP address of a block page. So, if there’s a virus on the system and it’s trying to access a command and control server to deliver a malicious payload, it won’t be able to. It also prevents botnets from being able to connect since they also leverage DNS. For any process that requests something from the internet, if it doesn’t get the resource that it’s requesting, it’s not going to be able to act on it.
Privacy plus security
The novel coronavirus didn’t start the mobile workforce phenomenon, but it certainly has accelerated it. The traditional perimeter firewall with all systems and devices living behind it no longer exists. Modern networks extend to wherever users connect to the internet. This includes the router someone bought from a kid down the street, and the home network that was set up by a consulting company 10 years ago and hasn’t been patched or updated since.
When someone on their home network opens a browser and goes to their favorites, they’re not expecting to get phished. But if they’re resolving to an alternative IP address because DNS is not being managed, is broken or is being redirected, they may be exposed to phishing sites. Enter encrypted DNS as another layer of protection within your cyber resilience portfolio. It starts working against a higher percentage of threats when you stack it with other layers, reducing the likelihood of being infected. It also addresses a blind spot that allows exploits to go undetected.
Privacy is the main driver for DoH adoption by consumers, while business agendas are generally driven by security. As a business, controlling DNS requests allows you to protect both the business and the user. If you don’t have that control and visibility, the user is potentially more exposed. And, if you don’t apply threat intelligence and filtering to DNS requests, a user can more easily click on malware or land on a phishing site.
It didn’t take long for COVID-19 to completely alter the way we work. Businesses that succeed in this rapidly changing environment will be the ones that adapt with the same velocity. In our second installment from The Future of Work series, you’ll hear from Webroot Product Marketing Director George Anderson, who shares his perspective on how businesses will need to adapt and evolve to stay on course during and after the global coronavirus pandemic.
How has COVID-19 changed cybersecurity and cyber resilience planning? What will be the most important steps to take moving forward?
In some ways not at all. We were already existing in a fairly perimeter-less network world. There was already a hybrid between on- and off-network staff, and reviewing where data was being worked upon, accessed and secured, and asking how data was being processed and secured during its journey. Many businesses data was already split between user devices and the cloud.
Confidentiality, integrity and availability in the case of cyber-attacks or other forms of potential data loss need to be clearly understood as before, and any weaknesses addressed. The imperative is to have a safe data cloud in place both in terms of security and recovery.
The steps to take include:
- Setting up regular and if practical continuous risk assessment to get visibility of data risks
- Understanding where the greatest risks and weaknesses exist in people, process and technology
- Investing and allocating appropriate budget to address where the greatest data loss and compromises could and would now occur
What could the future look like after the coronavirus? Specifically, what will change in IT and business?
Not everyone will want to choose to continue working from home. While the savings in closing offices down are attractive to businesses, they are not necessarily the same for an employee whose home environment is not conducive to work. These employees may seek alternative employment to remove the burden of working from home if an office option is not available. IT has already, for the most part, moved to the cloud where it can, and remained on-prem where it needs to be because of security, compliance and control. The main IT imperatives will be factors like secure 5G and faster communications for better collaboration.
In business, people buy from people. And face-to-face interaction is the norm. While this will reduce in the near-term, in the long run, peoples’ wellness depends on social interaction. Businesses that ignore that will not thrive. However, businesses are generally going to be more open to remote working roles and a lot better positioned to recruit staff for remote work, without them necessarily being close to physical offices.
IT investments will shift in the coming months, what will take precedence for companies as they go back to ‘business as usual’?
The pandemic will make companies look, in broader terms, at the all the risks to their business. And they’ll use IT where practical to put protections and assistance in place. More holistic Disaster Recovery springs to mind as benefiting from this pandemic, as does better backup of user desktops that particularly among MSPs and SMBS has not been a priority in the past.
What advice do you have for SMBs who will need time and a renewed economy to recover?
There will be many opportunities as the economy comes back and many holes where competitors and others have failed. An approach that is flexible and can react to those opportunities is essential. So, look to business arrangements in IT, Finance, HR and other key areas that will let you maximize your ability to take advantage of new opportunities. If you have not looked to an MSP to help you in the past then now is the time to look at how experts in remote management an remote working like an MSP can help?
For a step by step guide on how to improve business cyber resilience click here.
Most major tech blogs have run some variation of the following headline in recent months: Is it worth paying for an antivirus solution anymore?
The insinuation, of course, is that built in antivirus solutions for Mac and Windows machines have progressed to such a point that it’s no longer worth reinforcing them with a paid solution.
While it’s sure to generate clicks, many of the answers from tech writers are either convoluted or hedged to the point of not really providing an answer. Let’s explore the question more here.
The state of built-in security
Even our own experts will join third-party voices in admitting that built-in solutions like Windows Defender Security Center (previously Windows Defender) have improved significantly in terms of effective malware protection.
“Windows Defender has come a long way since the days of Windows XP and Windows 7,” says Webroot security analyst Tyler Moffitt. “It’s better than we’ve ever seen. But it’s still not enough.”
PC Magazine lead analyst Neil Rubenking recently said much the same, writing “Windows Defender’s own developers seem to consider it a Plan B, rather than a main solution. If you install a third-party antivirus, Windows Defender goes dormant, so as not to interfere.”
While many built-in antivirus solutions do reasonably well at turning away well-known strains of malware, it’s the new, sophisticated variations that tend to have success outsmarting them.
“Top-tier campaigns like Bitpaymer and Ryuk ransomware, or Trickbot and dridex Trojans—these are all going to get past a lot of built-in antivirus software.”
Evasive scripts are another source of trouble for much built-in security software. This newly common type of attack relies on a user clicking on a link in a “malspam” email, which then downloads a malicious payload. Interfaces like Command Line and PowerShell are often used to launch these attacks. If those terms are unfamiliar, it’s simply important to remember that they are script-based and regularly evade built-in security.
“There is a growing trend that many people feel that they don’t need any security software on their computers and that out-of-the-box security is enough,” says Moffitt. “The reality is that it’s not enough and built-in software has proven time and time again that it will be beaten by malware.”
What you really need from your online security
First off, multi-layered security. Traditional malware isn’t the only type of threat to watch out for nowadays. In addition to the script-based attacks mentioned above, mal-vertising campaigns are frequently launched from legitimate sites using exploits in runtimes like Java, Silverlight and flash. Drive-by downloads and pop-up ads can secretly install crypto miners and malicious programs on a machine without a user knowing it, some miners don’t even need to download, but your browser will be hijacked and max out CPU to mine cryptocurrency. And phishing campaigns are becoming increasingly favored by cybercriminals based on their cost-effectiveness.
“While free solutions offer better security than most built-in solutions, you can’t beat premium solutions that utilize multiple layers of security and are backed by cutting-edge technologies like massive-scale machine learning and contextual analysis engines,” says Moffitt.
What else should you look for in an antivirus solution for the home? Here are a couple features:
- Something lightweight—By that, we mean something that doesn’t take up a lot of memory or resources on your machine. Gamers should especially insist on this quality from an antivirus, but it should appeal to a broader market as well. “This is especially useful if you’re using your own devices to work from home during the pandemic and are worried that security solutions would slow your machines down,” says Moffitt.
- Customer service—Something you’re unlikely to get from a built-in provider. It’s hard to underestimate the value of a dedicated team standing by to help you troubleshoot if something goes wrong. Especially if tech isn’t your sweet spot, you don’t want to commit to long periods of waiting for a response from a global tech giant, or worse, no support team at all.
- A VPN for privacy—This is especially important if working from home is your new normal. “Not only are VPNs a great way to add a layer of protection by filtering out malicious webpages like phishing, but they are also a must if you are handling customer information for work,” says Moffitt. Making sure that critical data is protected at rest and in transit could help shield your company from major data security compliance fines.
It’s no surprise that we advocate not relying on built-in antivirus protection to safeguard your data and devices. But our concerns aren’t unfounded. We’ve simply seen too many fails to protect at the level they promise. Expect more from your online security solutions and strengthen your digital fitness, today.
Ransomware Knocks Out Knoxville, TN
Knoxville, Tennessee officials have been working over the past week to secure systems and determine if any sensitive information was stolen after a ransomware attack was identified. Fortunately, city IT staff were able to quickly implement security protocols and shut down critical systems before the infection could spread. Within the day, many of the targeted city domains were redirected to new sites, allowing city services to operate normally.
Magecart Attacks Multiple Online Retailers
Malicious Magecart scripts have been identified in recent months on multiple domains belonging to online retailers. Following the registration of a fake domain related to Claire’s in March, several weeks of inactivity passed before code was again spotted on Claire’s websites being used to intercept payment card transactions. It was finally removed from the company’s domains in the second week of June, but not before leaving thousands of customers potentially compromised.
Maze Ransomware Infiltrates US Chipmaker
The computer systems of MaxLinear, a U.S. computer chip maker suffered a Maze ransomware attack that forced them to take their remaining systems offline. Officials discovered that for more than a month there was unauthorized access resulting in the leak of over 10GB of stolen data from an alleged trove of over 1TB of total data. MaxLinear has since refused to pay the ransom and been in contact with affected customers. The manufacturer does not believe future operations will be delayed.
Over 100 NHS Email Accounts Compromised
Within the last two weeks a phishing campaign hit the National Health Service (NHS), successfully accessing over 100 internal email accounts. The affected accounts make up an extremely small portion of total NHS email accounts, of which there are nearly 1.4 million in total. The hacked accounts were used to distribute a malicious spam campaign designed to steal credentials through a fake login page.
DraftKings Announces Ransomware Attack Amidst Merger
Following the multi-way merger that resulted in the formation of DraftKings Inc., DraftKings revealed that one of the subsidiaries, SBTech, suffered a ransomware attack within weeks of the merger being finalized. While it is still not known what variant of ransomware was used in the cyberattack, officials have determined that no information was compromised. Rather, the attack was focused on taking their online systems down. Though SBTech was required to create a significant emergency fund preceding the merger, the deal seems to have been unaffected by the attack.
As these times stress the bottom lines of businesses and SMBs alike, many are looking to cut costs wherever possible. The problem for business owners and MSPs is that cybercriminals are not reducing their budgets apace. On the contrary, the rise in COVID-related scams has been noticeable.
It’s simply no time to cut corners in terms of cybersecurity. But there is hope. Cybersecurity, traditionally suffering from a lack of qualified and experienced professionals, can be a source of savings for businesses. How? Through the automation and efficiency that artificial intelligence (AI) and machine learning can offer.
AI & ML in Today’s Cybersecurity Landscape
By way of background, Webroot has been collecting IT decision makers’ opinions on the utility of AI and machine learning for years now. Results have been…interesting. We’ve seen a steady rise in adoption not necessarily accompanied by an increase in understanding.
For instance, during a 2017 survey of IT decision makers in the United States and Japan, we discovered that approximately 74 percent of businesses were already using some form of AI or ML to protect their organizations from cyber threats. In 2018, 74 percent planned even further investments.
And by 2019, of 800 IT professional cybersecurity decisionmakers across the globe, a whopping 96 percent reported using AI/ML tools in their cybersecurity programs. But, astonishingly, nearly seven out of ten (68%) of them agreed that, although their tools claim to use AI/ML, they aren’t sure what that means.
So, are these tools really essential to securing the cyber resilience of small businesses? Or are they unnecessary luxuries in an age of tightening budgets?
AI and ML in the Age of Covid-19
Do AI and ML have something unique to offer businesses—SMBs and MSPs alike—in this age of global pandemic and remote workforces?
We asked the topically relevant question to it to one of the most qualified individuals on the planet to answer it: literal rocket scientist, BrightCloud founder, and architect behind the AI/ML engine known as the Webroot Platform, Hal Lonas.
Can AI and machine learning tools help people do their jobs more effectively now that they’re so often remote?
Put directly, the Carbonite and Webroot CTO and senior VP’s response was bullish.
“AI and machine learning tools can absolutely help people do their jobs more effectively now more than ever,” said Lonas. “Security professionals are always in short supply, and now possibly unavailable or distracted with other pressing concerns. Businesses are facing unprecedented demands on their networks and people, so any automation is welcome and beneficial.”
In machine learning, a subset of AI, algorithms self-learn and improve their findings and results without being explicitly programmed to do so. This means a business deploying AI/ML is improving its threat-fighting capabilities without allocating additional resources to the task– something that should excite cash-strapped businesses navigating tough economic realities.
Our AI/ML report backs up Lonas’s assertion that these technologies make a welcome addition to most business security stacks. In fact, 94 percent of respondents in our survey reported believing that AI/ML tools make them feel more comfortable in their role.
“People who use good AI/ML tools should feel more comfortable in their role and job,” he asserts. “Automation takes care of the easy problems, giving them time to think strategically and look out for problems that only humans can solve. In fact, well-implemented tools allow security workers to train them to become smarter—in effect providing the ‘learning’ part of machine learning. Each new thing the machine learns makes more capable.”
AI/ML adopters also reported:
- An increase in automated tasks (39%)
- An increase in effectiveness at their job/role (38%)
- A decrease in human error (37%).
- Strongly agreeing that the use of AI/ML makes them feel more confident in performing their roles as cybersecurity professionals. (50%)
So despite some confusion about the role these technologies play in cybersecurity (which we think vendors could help demystify for their clients), their effects are clearly felt. And because cybercriminals are willing to adopt AI/ML for advanced attacks, they may force the hands of SMBs and MSPs if they want to keep up in the cybersecurity arms race.
Given today’s limited budgets, dispersed workforces, and increasingly sophisticated attacks, the time may never be better to empower professionals to do more with less by automating defenses and freeing them to think about big-picture cybersecurity.
Nintendo Accounts Breached
Stemming from a cyber-attack back in April, Nintendo has just announced that roughly 300,000 user accounts have been compromised, though most belong to systems that are now inoperable. From the excessive unauthorized purchases, the attackers likely used credential-stuffing methods to access accounts and make digital purchases through PayPal accounts that were already logged in. Nintendo has since contacted the affected customers and has begun pushing out mandatory password resets.
Kingminer Botnet Locks Down Entry Points Behind Them
After nearly two years of operation, the owners of the Kingminer crypto jacking botnet have taken up a new tactic of patching the very vulnerabilities they used to illicitly access systems. This implementation is likely being used to block any other malicious campaigns from accessing the compromised systems and net them larger profits. By using the EternalBlue exploit and patching it behind themselves, they can brute force their way into any vulnerable system and then keeping their own crypto mining scripts active for an increased amount of time before being discovered.
Honda Shuts Plants After Ransomware Attack
Several Honda plants around the world have recently closed due to a ransomware attack that has targeted several manufacturing systems. The shutdown came only hours after a new Snake ransomware sample was uploaded to Virus Total and was seen attempting to contact an internal site belonging to Honda. Currently, officials for Honda are still working to determine exactly what parts of their systems were affected and if any personally identifiable information was compromised.
Scammers Created Fake SpaceX YouTube Channels to Steal Cryptocurrency
Multiple malicious YouTube accounts have changed their names to keywords relating to SpaceX in order to scam viewers out of Bitcoin cryptocurrency donations. While it should be obvious that these channels are not the legitimate SpaceX account based solely on the number of subscribers, the fake channels have also been livestreaming old recorded SpaceX interviews with Elon Musk, to improve their legitimacy. Unfortunately, during the livestreams, the channels promote cryptocurrency scams in the chat section to entice other viewers to send in a small amount of cryptocurrency with the promise of a significant amount more being sent back.
Florence, Alabama Pays Ransom Demand
In the last week, officials for Florence, Alabama have been working to negotiate with the authors of the DoppelPaymer ransomware attack that took down the city’s email systems. Though the initial ransom amount was 38 Bitcoins, or the equivalent of $378,000, the security team that was brought in was able to drop the demand to 30 Bitcoins, or $291,000, which the city has decided to pay. It is still unclear exactly what information may have been stolen or accessed, the Mayor of Florence concluded that it was best to just pay the ransom and hope their information is returned and their systems are decrypted.
Nestled within our chapter on malware in the 2020 Webroot Threat Report is a comparison of infection rates between business and personal devices. The finding that personal devices are about twice as likely as business devices to become infected was always significant, if not surprising.
But the advent of the novel coronavirus—a development that followed the publication of the report—has greatly increased the importance of that stat.
According to a joint study by MIT, Stanford, and the National Bureau of Economic Research (NBER), more than a third (34%) of Americans transitioned to working from home as a result of COVID-19. They join approximately 14.6% of workers already working from home to bring the total to nearly half the entire American workforce.
During remote work many employees are forced or simply able to use personal devices for business-related activities. This presents unique security concerns according to Webroot threat analyst Tyler Moffitt.
“In a business setting,” he says, “when you’re given a corporate laptop it comes pre-configured based on what the IT resource considers best practices for cybersecurity. This often includes group policies, mandatory update settings, data backup, endpoint security, a VPN, et cetera.”
Individuals, on the other hand, have much more freedom when it comes to device security. They can choose to put off updates to browser applications like Java, Adobe, and Silverlight, which often patch exploits that can push malvertising. They can opt to not install an antivirus solution or use a free version. They can ignore the importance of backing up data altogether.
These risky practices threaten small and medium-sized businesses (SMBs) both immediately and when workers gradually return to their shared office spaces as the virus abates.
As our report notes, “With a higher prevalence of malware and generally fewer security defenses in place, it’s easier for malware to slip into the corporate network via an employee’s personal device.”
What’s at stake, for SMBs, is the loss of mission-critical business data due to device damage, data theft via phishing and ransomware, and GDPR and CCPA fines for data breaches. Any of these threats on their own could be existential for SMBs.
What can businesses do to prevent BYOD-enabled data loss?
“Super small businesses may not have the luxury of outlawing all use of personal devices,” says Moffitt. “BYOD is a fact of life now, especially with so many individuals at home, using home computers.”
But employers aren’t out of luck entirely. They can still purchase for their employees, and encourage the use of, several essential security tools. These include:
- Endpoint security software – Employers should provide endpoint security for home devices when necessary. When it comes to free solutions, you get what you pay for in terms of protection. Currently, there’s the expectation, especially among younger people, that built-in antivirus solutions are enough for blocking advanced threats. In reality, layered security is essential.
- Backup and recovery software – Many SMBs rely on online shared drives for collaborating. This is dangerous because a single successful phishing attack can unlock all the data belonging to a company. GDPR and CCPA fines don’t differentiate between data stolen from personal or business devices, so this level of risk is untenable. Make sure data is backed up off-site and encrypted.
- A VPN – IT admins or contractors should ensure that any sensitive company data requires a secure VPN connection. Especially with employees connecting on public or unsecure networks, it’s important to guard against snooping for data in transit.
- Secure RDPs – Remote access can be a great option when working from home, but it must be done securely. Too often unsecured RDP ports are the source of attacks. But, when encrypted and protected by two-factor authentication, they can be used to access secure environments from afar. Many are even free for fewer than five computers.
- User education – Security awareness training is one of the most cost-effective ways of protecting employees from attack on their own devices. Phishing attacks can be simulated and users in need of additional training provided it at very little additional cost. When compared to a data breach, the cost of a few licenses for security training is miniscule.
Collaboration over coercion
It’s difficult to mandate security solutions on personal devices, but managers need to at least have this conversation. Short of installing “tattleware,” this has to be a collaborative rather than a coercive effort.
“You can’t enforce a group policy on a computer or a network that you don’t own,” reminds Moffitt. “Ideally, yes, give each employee a corporate laptop to work at home that’s securely configured. But if that’s not possible, work with employees to ensure the right steps are taken to secure corporate data.”
Companies should work with IT consultants to source high-performing versions of the solutions mentioned above and cover their cost if it’s understood that personal devices should be used during this period of working from home. If taken advantage of, it can be an opportunity to foster a culture of cyber resilience and your organization will come out stronger, wherever your employees are located.
TrickBot Silently Targets Servers
Knowing that many domain controller servers are rarely shutdown or rebooted, the authors of TrickBot have made some changes to allow the infection to run from memory. While this can be detrimental to the payload, as a reboot could easily remove it, the stealth approach could let the infection cause major havoc on systems that aren’t routinely restarted. Though TrickBot is normally dropped as a secondary infection from Emotet, it’s taken this new stealth approach to move across networks more easily.
Stenography Makes Leaps into Industrial Cyberattacks
Researchers have been following a new trend of incorporating multiple levels of steganography into cyber attacks focused mainly on large industries. The attacks are specified for each victim, including a language localization script that only executes if the local OS is in the right language and using macros to launch hidden malicious PowerShell scripts that require no additional input. The scripts, when executed, communicate with imgur.com or other image hosting sites to grab pictures with malicious code hidden in the pixels that eventually drops an encrypting payload.
Flaw in Apple Sign-in Nets Bounty Hunter $100,000
An authentication flaw has been discovered within the Apple sign-in feature for third-party sites that could allow an attacker to forge fake accounts if the victim hadn’t chosen their own email address to be identified. If a victim chooses not to do so, Apple creates a unique email ID that is used to create a JSON web token (JWT) to sign in the user. This could easily be forged alongside the email ID to gain unlimited access to any account. The researcher who found the bug and reported it to the Apple Security Bounty Program was rewarded with $100,000.
Ransomware Authors Begin Data Auction
The authors behind several prominent ransomware campaigns, including Sodinokibi and REvil, have begun an auction for stolen data on their dark web site. Currently, there are two auctions active on the site, one with data belonging to an unnamed food distributor and the other with accounting and financial information for an unnamed crop production company from Canada. The auctions have starting prices of $55,000, along with fees to be paid in Monero cryptocurrency because of its anonymity and ease of direct payment from victims.
San Francisco Employee Retirement Database Compromised
A vendor conducting a test on a database belonging to the San Francisco Employee Retirement Systems (SFERS) recently noticed some unauthorized access to the database containing records on 74,000 members. Though the database didn’t contain Social Security Numbers, it did contain a trove of personally identifiable information including names, addresses, and birthdates. Fortunately, the database was using old data for the test and had nothing newer than 2018. Nevertheless, SFERS officials are offering credit and identity monitoring services for affected victims.