Industry Intel

Girl Scouts and OpenText empower future leaders of tomorrow with cyber resilience

The transition to a digital-first world enables us to connect, work and live in a realm where information is available at our fingertips. The children of today will be working in an environment of tomorrow that is shaped by hyperconnectivity. Operating in this...

World Backup Day reminds us all just how precious our data is

Think of all the important files sitting on your computer right now. If your computer crashed tomorrow, would you be able to retrieve your important files? Would your business suffer as a result? As more and more of our daily activities incorporate digital and online...

3 Reasons We Forget Small & Midsized Businesses are Major Targets for Ransomware

The ransomware attacks that make headlines and steer conversations among cybersecurity professionals usually involve major ransoms, huge corporations and notorious hacking groups. Kia Motors, Accenture, Acer, JBS…these companies were some of the largest to be...

How Ransomware Sneaks In

Ransomware has officially made the mainstream. Dramatic headlines announce the latest attacks and news outlets highlight the staggeringly high ransoms businesses pay to retrieve their stolen data. And it’s no wonder why – ransomware attacks are on the rise and the...

An MSP and SMB guide to disaster preparation, recovery and remediation

Introduction It’s important for a business to be prepared with an exercised business continuity and disaster recovery (BC/DR) plan plan before its hit with ransomware so that it can resume operations as quickly as possible. Key steps and solutions should be followed...

Podcast: Cyber resilience in a remote work world

The global pandemic that began to send us packing from our offices in March of last year upended our established way of working overnight. We’re still feeling the effects. Many office workers have yet to return to the office in the volumes they worked in pre-pandemic....

5 Tips to get Better Efficacy out of Your IT Security Stack

If you’re an admin, service provider, security executive, or are otherwise affiliated with the world of IT solutions, then you know that one of the biggest challenges to overcome is efficacy. Especially in terms of cybersecurity, efficacy is something of an amorphous...

How Cryptocurrency and Cybercrime Trends Influence One Another

Typically, when cryptocurrency values change, one would expect to see changes in crypto-related cybercrime. In particular, trends in Bitcoin values tend to be the bellwether you can use to predict how other currencies’ values will shift, and there are usually...

Threat hunting: Your best defense against unknown threats

Feb 2, 2022 | Threat Lab

Threat actors are becoming more sophisticated, agile and relentless in their pursuit of stealing personal information for financial gain. Rapid and evolving shifts in the threat landscape require the knowledge and solutions to prepare and prevent threats that could spell disaster for organizations’ reputations and operations.

Organizations of all sizes remain at risk. Small to medium-sized businesses (SMBs) and managed service providers (MSPs) are especially vulnerable to the stealth efforts of bad actors. With fewer financial resources, a ransomware payment demand could mean the difference between staying in business and closing up shop.

Government entities are also prone to attack. In December 2021, Belgium’s Ministry of Defence experienced a cyberattack exploiting the Log4j vulnerability that paralyzed the ministry’s computer network. Within the same month, Australia’s utility company, CS Energy, experienced a ransomware attack involving the well-known ransomware Conti.

Evolving cyber threats can be unpredictable, but that doesn’t mean businesses have to tackle them alone. A robust security stack can help businesses stay protected and prepared. Establishing this level of resilience involves partnering with a provider that has human-powered threat hunting resources.

What is threat hunting?

Threat hunting involves actively searching for adversaries before an attack is carried out. Threat hunting involves the use of tools, intelligence and analytics combined with human intervention. Threat hunting centers around the proactive containment and identification of potentially damaging files before malicious vectors can cause severe damage to an organization’s operations.

What does a threat research analyst do?

“At Webroot, we focus our efforts on analyzing customer data. Our threat research analysts examine this data to determine if malicious files are present. Our analysts are constantly looking for files that possess certain characteristics that make up various types of malware. If we identify and determine that critical elements of a suspicious file are present, we classify and block them. Making determinations can be approached in different ways. One avenue of determination is carried out by creating isolated conditions to run the suspicious file to see what results it presents,” says Marcus Moreno, manager, threat research at Carbonite + Webroot, OpenText companies.

“Since our database is comprised of mass quantities of SMB and MSP data, we can continue to make determinations from a large and evolving data set. This is why SMBs and MSPs can derive value from partnering with Webroot,” adds Moreno.

Take your security stack to the next level

Cyberattacks will continue to be a concern for businesses, governments and individuals. Combatting cyber threats means adopting a cyber resilience approach. Cyber resilience is the ability to remain operational in the face of threats – whether human or maliciously-based. One important element of a solid cyber resilience strategy is to remain in a pre-emptive and proactive stance. Avoid costly ransomware payment demands, bolster customer confidence and minimize downtime for business operations by investing in a solutions provider backed by threat hunting capabilities.

Discover how Webroot’s solutions can protect your business.

Report: Phishing Attacks Sustain Historic Highs

Jan 26, 2022 | Threat Lab

Phishing attacks sustain historic highs

In their latest report, IDG and the pros behind Carbonite + Webroot spoke with 300 global IT professionals to learn the current state of phishing. We learned that 93% of IT executives are still concerned about phishing – and it’s no wonder, as companies averaged 28 attacks each over the previous 12 months.

Luckily, the report details how to fight back. With the right preparation and the right protection, companies can prevent all but 0.3% of attacks.

Phishing capitalizes on COVID

Phishing attacks have been part of the cybercriminal arsenal for years. But it’s only recently that phishing has flourished into the scourge it is today. That’s because cybercriminals have found success by targeting COVID-19 fears with their schemes.

In fact, phishing attacks spiked by 510% from just January – February 2020, according to the 2021 Threat Report. These increases leveled off by the summer, but phishing attacks still increased 34% from September – October 2020. Overall, 76% of executives report that phishing is still up compared to before the pandemic.

COVID-based tactics might purport to have new info on a shutdown, to share COVID stats or even suggest info from your doctor. But in each case, cybercriminals are looking to steal your information.

Who’s getting attacked?

IT departments are feeling the brunt of these attacks, with 57% of them targeted by phishing. Carbonite + Webroot Sr. Security Analyst Tyler Moffitt says, “Even if malware targets someone with lower-level access, the attack will move laterally to eventually find an IT administrator.”

He goes on to say that attackers can then linger for a week or more to find valuable data or steal a balance sheet that gives an indication of how much ransom to charge.

Because they often have important credentials, top executives and finance groups are also common targets. Public-facing customer service employees also offer easy access.

Consequences of phishing

75% of global IT executives say they’ve suffered negative consequences from phishing attacks. That includes:

37% suffered downtime lasting more than a day
37% suffered exposure of data
32% lost productivity
19% had to pay legal or regulatory fines

A layered approach to security

But it’s not all bad news. Yes, phishing is using new tactics to target businesses. But there are ways to fight back.

The report cites training as one of the most effective tools. But the frequency of training varies greatly, and 25% of those who use it don’t include phishing simulations. By using security awareness training that offers regular simulations, you can reduce phishing by up to 70%.

But even with great training, the report notes that people will still click some of the time. That’s why a multi-layered approach gives peace of mind that not all is lost if one person messes up.

No layer is 100% effective, but taken together many layers get very close. A defense in depth security posture utilizing DNS and endpoint detection as well as a sound backup strategy can give you confidence that you’re prepared to withstand even a successful phishing attack.

Ready to start protecting yourself and your business? Explore how Carbonite + Webroot provide a full range of cyber resilience solutions.

Download the IDG report.

Data Privacy Week 2022: The Security Awareness Canary in the Coalmine

Jan 24, 2022 | Industry Intel

Whether you’re shopping for the latest tech gadgets or checking your work email, your online presence is susceptible to malicious threats. No industry or sector is immune. Even in the early days of 2022, a hospital in Jackson, Florida, experienced a ransomware attack that left medical professionals struggling to access patient records. Attacks like this not only have implications for patient care, but they also serve as a stark reminder of ongoing privacy issues in the online realm. As consumers and businesses are becoming increasingly more concerned about their data privacy, understanding how to protect that information becomes vital.

This week, the global community is rallying together to raise awareness about online privacy through Data Privacy Week.

What is Data Privacy Week?

Data Privacy Week began as a day of awareness in the United States, Canada and Europe and to commemorate the signing of Convention 108, the first internationally binding agreement addressing privacy and data protection. This year, the initiative has expanded to a week-long effort to generate awareness.

As data privacy and security implications become important for both businesses and individuals, there are a series of steps everyone can take:

Adopt privacy mindfulness. Whether it’s for your home or your business, ensure you take privacy into account when you agree to the terms and conditions of items available for download from the internet or when you create a program that may expose your employees to online risk.
Educate yourself. Avoid common attempts to compromise your information and identity by investing in security awareness training. Participate in simulated modules to test your knowledge and learn what traps to avoid.
Back up your precious files. Not ready to part with your personal information? Make sure it’s backed up. That way, if you experience accidental or malicious data loss, your information is secure and accessible.
Use antivirus software. Ensure online activities like shopping and browsing are secure by investing in a reliable antivirus. Adhere to updates and always renew your subscription to avoid a lapse in protection.
Partner with a reliable provider. Some providers offer free protection and backup solutions, but can you really trust them? Always do your research and select a reputable provider to keep your devices and data safe.

From the rise of ransomware as a service (RaaS) to the use of malware to disrupt the political landscape, security, privacy and governance remain at a crossroads. With no signs of a resolution apparent, it’s important for everyone to take stock of their security stack.

One reliable approach is to adopt cyber resilience. Cyber resilience is a multi-layered, defense in depth strategy to ensure continuous access to your personal and business data no matter what happens. Establishing cyber resilience begins by assessing your current defense approach and employing the tools and know-how to remain protected and prepared for unknown threats. Whether it’s taking the time to educate your staff, upgrading your antivirus solution or investing in a reliable backup provider, make cyber resilience a priority.

This Data Privacy Week, let’s move beyond just becoming more aware of bad actors. Let’s take action to protect our data and our privacy.

Survey: How well do IT pros know AI and machine learning?

Oct 18, 2021 | Managed Service Providers, Threat Lab

What do the terms artificial intelligence and machine learning mean to you? If what comes to mind initially involves robot butlers or rogue computer programs, you’re not alone. Even IT pros at large enterprise organizations can’t escape pop culture visions fed by films and TV.

But today, as cyberattacks against businesses and individuals continue to proliferate, technologies like AI and ML that can drastically improve threat detection, protection and prevention are critical. This is even more true as workforces continue to operate remotely in such numbers.

That’s why, for a few years now, we’ve been conducting surveys of IT professionals to determine their familiarity with, and attitudes toward, artificial intelligence (AI) and machine learning (ML). For the purposes of this report, we surveyed IT decision-makers at enterprises (1000+ employees), small and medium-sized businesses (<250 employees), and consumers (home users) throughout the U.S., U.K., Japan, and Australia/New Zealand.

As a result, we learn about:

Baseline cyber hygiene, including what cybersecurity tools are in use and how they’re used
General experience with data breaches and attitudes toward the safety of their data
How many organizations use cybersecurity tools with AI components
Whether IT admins feel that AI actively contributes to the safety of their organizations or is marketing fluff

We titled this year’s survey Fact or Fiction: Perceptions and Misconceptions of AI and Machine Learning and expanded it to include professionals in the enterprise, mid-market organizations and private individuals. It’s one of the largest and most thorough reports on the topic we’ve put together to date and is packed with interesting findings.

Historically, we’ve seen significant confusion surrounding AI and ML. IT professionals are generally aware that they’re in-use, but struggle to voice how they’re helpful or what it is exactly that they do. In Australia, for instance, while the bulk of IT decision makers employ AI/ML-enabled solutions, barely over half (51%) are comfortable describing what they do.

Nevertheless, adoption of AI/ML-enabled technologies continues to rise. Today, more than 93% of enterprise-level businesses report using them. Overall, slightly less than half (47%) call increasing adoption of AI/ML their number one priority for addressing cybersecurity concerns in the coming year.

Here are a few other key takeaways regarding enterprise attitudes toward AI/ML:

Understanding is growing – But more education is still required, so vendors must focus on benefits of AI/ML in terms of the bottom line and an enhanced security posture.
AI/ML are key to repelling modern threats – Especially for remote workforces, advanced technologies are emerging as a key component for ensuring uptime and availability for clients.
AI/ML can differentiate a business – Buyers are looking to invest in their tech stacks to stay out of the headlines for suffering a breach. As understanding of AI/ML grows, more are looking for these capabilities in their cyber defenses.

For the mid-market and individuals, another theme has persisted through our studies: overconfidence.

Among IT professionals at businesses with fewer than 250 employees, almost three-quarters (74%) of respondents believe their organizations are safe from most cyberattacks. But 48% have also admitted to falling victim to a data breach at least once. Interestingly, despite their confidence in their cybersecurity, the same respondents also believe their security situation has been worse by COVID-19.

Other notable findings among small and mid-sized businesses include:

They’re beginning to recognize they’re targets – SMBs are catching onto the fact that cybercriminals pick off weak targets and realizing this fact’s implications for their supply chains.
Limited IT budgets must be spent wisely – Without the resources to hire full-time IT staff, it becomes critical that a security stack defends against all the most common forms of attack (and their consequences).
User education is key – If a business can’t spring for top-of-the-line cybersecurity solutions, educating users on how to keep from enabling breaches can go a long way towards building a strong defense with relatively little investment.

Consumers continue to report abysmal habits in their personal online lives. Less than half use an antivirus or other security tool. Only 16% report using a VPN when connecting in public spaces and 48% have had data stolen at least once. On the brighter side, constant headlines concerning corporations leaking consumer data have made consumers wary about who they give their data to and how much. This healthy skepticism is a good sign as the next large data breach is likely just around the corner.

Some valuable learning from the consumer sector, and how it bleeds over into the corporate sector, include:

Business breaches affect consumers’ data – And they know it. Consumers are wary of providing too much sensitive data to companies after being barraged by news of high-profile hacks and data breaches.
Consumers ARE NOT taking proper precautions – Fewer than half of home users have antivirus, backup or other cybersecurity measures in place. In all, 11% take no precautions online. This finding is especially relevant if remote workers are using personal devices for business.
Unsurprisingly, AI/ML knowledge is lacking – When paid IT professionals don’t understand the technology, it may not be practical to expect the average consumer to be. But consumers should do their research on the tech powering their protection before committing to a VPN, antivirus or backup solution.

For the report’s complete findings, including a breakdown of cybersecurity spending by business size, download the full report.

The 6 Nastiest Malware of 2021

Oct 13, 2021 | Threat Lab

Malware leaps from the darkness to envelop our lives in a cloak of stolen information, lost data and worse. But to know your enemy is to defeat your enemy. So we peered over the ledge leading to the dark web and leapt. The forces we sought are disruptors – without warning, they disturb our businesses and our connections to family and friends.

And darkness we found – from million-dollar ransoms to supply chain attacks, these malware variants were The 6 Nastiest Malware of 2021.

How malware disrupted our lives

These days, every major ransomware campaign runs a “double extortion” method, a scary prospect for small businesses. They steal and lock files away and they will absolutely leak data in the most damaging way if a ransom settlement is not reached.

Phishing continues to be key for these campaigns and it’s typically the first step in compromising a business for the nastiest malware.

This highlights the importance of user education – training users to avoid clicking these phishing lures or preventing them from enabling macros from these attachments are proven in stopping malware in its tracks.

While the list below may define payloads into different categories of malware, note that many of these bad actor groups contract work from others. This allows each group to specialize on their respective payload and perfect it.

This year’s wicked winners

Lemonduck

A persisting botnet with a cryptomining payload and more
Infects via emails, brute force, exploits and more
Removes competing malware, ensuring they’re the only infection

REvil

The Nastiest Ransomware of 2021 that made headlines with supply chain attacks
Many attempts to shutdown the REvil group have so far failed
Their ransomware as a service (RaaS) platform is on offer to other cybercriminals

Trickbot

Decade old banking and info-stealing Trojan and backdoor
Disables protections, spreads laterally and eventually leads to ransomware like Conti
Extremely resilient, surviving numerous attacks over the years

Dridex

Banking and info-stealing Trojan and backdoor
Spreads laterally and listens for domain credentials
Eventually leads to ransomware like Grief/BitPaymer/DoppelPaymer

Conti

Longstanding ransomware group also known as Ryuk and likely linked to LockFile ransomware
TrickBot’s favorite ransomware
Will leak or auction off data if victims don’t pay the ransom

Cobalt Strike

White hat-designed pen testing tool that’s been corrupted and used for evil
Very powerful features like process injection, privilege escalation and credential harvesting
The customizability and scalability are just too GOOD not to be abused by BAD actors

Victimized by malware

The good news (I guess) is that last year’s average ransom payment peaked at $200,000 and today’s average is just below $150,000.

The bad news is that hackers are spreading the love and targeting businesses of all sizes. In fact, most victims are small businesses that end up paying around $50,000. Ransomware actors are getting better with their tactics, recruiting talent and providing a streamlined user experience.

The whole process is terrifyingly simple and for every one that gets shut down, two spring up to replace it. To top it off, supply chain attacks are becoming a massive issue.

Protect yourself and your business

The key to staying safe is a layered approach to cybersecurity backed up by a cyber resilience strategy. Here are tips from our experts.

Strategies for business continuity

Lock down Remote Desktop Protocols (RDP)
Educate end users
Install reputable cybersecurity software
Set up a strong backup and disaster recovery plan

Strategies for individuals

Develop a healthy dose of suspicion toward messages
Protect devices with antivirus and data with a VPN
Keep your antivirus software and other apps up to date
Use a secure cloud backup
Create strong, unique passwords (and don’t reuse them across accounts)
If a download asks to enable macros, DON’T DO IT

Discover more about 2021’s Nastiest Malware on the Webroot Community.

Supply chain attacks are closing in on MSPs

Aug 18, 2021 | Business + Partners, Industry Intel

If you attended Black Hat this year, you couldn’t avoid the topic of supply chain attacks. From keynotes to vendor messaging to booth presentations, they were a ubiquitous topic in Las Vegas this year.

Supply chain attacks are cyberattacks targeting an upstream vendor for the ultimate purpose of compromising one or more of its customers. Cybercriminals are aware that, by compromising updates from trusted vendors, they can easily bypass installed security software to infect all customers that install it.

Essentially, compromising a software vendor allows damage to cascade down the supply chain to another supplier– a consequence sometimes known as the “waterfall effect” – to increase collateral damage against multiple targets.

Black Hat founder Jeff Moss even began this year’s conference with a few words about software supply chains.

“We all rely on the software supply chain,” he said. “We’re building tools and systems based on it. We’re trusting it. We’re hoping that people in the supply chain…are doing things to help everyone else in the supply chain. Because, if they don’t, everything we do is potentially vulnerable.”

“We all depend on the supply chain being fully immunized,” he continued, “and it’s not there yet.”

Now, “not there yet” is putting it mildly. A few recent, high-profile attacks bear recalling to demonstrate the scope of the problem.

SolarWinds

For many within cybersecurity, the SolarWinds attack by what are widely believed to be state-sponsored cybercriminals was the most significant supply chain attack since the Cleaner attack of 2018 and a worrying reminder of the damage made possible by the tactic.

SolarWinds is a Texas-based IT management platform that unknowingly pushed a Trojanized update to a large portion of its some 300,000 customers. It’s believed that the attackers concealed their presence within the victim’s network for some time to ensure they could carefully select their next targets and preserve time for intelligence gathering.

While not widely known at the time, it’s now assumed that this wide-net attack was ultimately an effort to compromise a handful of high-value intelligence and governmental agencies. Second-stage infections were then pushed against these targets, plus some of the world’s most influential technology vendors.

Critically, this type of espionage-inspired cyberattack differs a great deal from moneymaking practices embraced by for-profit hacking groups. These broadly targeted attacks against suppliers cause widespread disruption without obviously disrupting a specific target.

Codecov

Another supply chain attack targeted Codecov, a software development firm that makes tools for developers, in January 2021. Investigators told the newswire service Reuters that attackers were able to use the access they’d gained to breach hundreds of Codecove customers.

As was the case with SolarWinds, compromising Codecov may have presented access to other software vendors, which could have initiated the waterfall effect presented previously. The firm counts among its clients giants like IBM, Hewlett Packard and Atlassian.

The infosec researcher Matt Tait, who spoke at this year’s Black Hat on the topic of supply chain attacks, called the Codecov compromise an instance of high-volume disruption based on indiscriminate targeting.

According to the company, information stolen from customer devices was then sent to a third-party server outside of Codecov’s control, suggesting that espionage may have once again been the end-goal of the attackers.

Kaseya

Perhaps the most far-reaching supply chain attack conducted by a non-state actor in the history of the tactic took place this July. This time, Kaseya, one of the world’s largest IT management platforms, was compromised by the Russia-based hacking group REvil. Unlike in the SolarWinds and Codecov, this attack included a ransomware stage meant to deliver financial rather than intelligence returns for the attackers.

REvil targeted Kaseya’s remote monitoring and management (RMM) solution, known as Kaseya VSA, which is used to manage client machines from afar. Again, targeting was indiscriminate, but unlike with espionage actors, the ransomware gang could focus on maximizing financial returns of the attack rather than trying to avoid detection.

Describing the impact of this attack, the USC Berkeley infosec researcher Nicholas Weaver noted that, “Each victim is a small-to-medium-sized business that is going to, at best, find its computers unusable and, at worst, have all their data lost forever.”

In terms of the cascading effects of a supply chain attack, the Kaseya VSA compromise hit MSPs and their small business clients especially hard.

Protecting

Like a technology that advances through state-sponsored R&D but then becomes available to a wider public, recent supply chain attack techniques were honed by state-backed actors but have now been adopted by more run-of-the-mill ransomware actors. This is bad news for MSPs.

While agencies like the FBI and CISA have been warning for some time that MSPs are likely targets of advanced persistent threats (APTs), the Kaseya attack seems to have crossed a threshold. The problem is a significant security challenge, and one that some think only vendors can solve.

But there are a few measures MSPs can take to enhance their defenses against supply chain attacks. These include:

Layer cybersecurity defenses for both you and your clients. Supply chain attacks commonly evade defenses by sneaking in with a trusted update. But after the initial compromise, network security can block communication with known-malicious IP addresses to limit damage.
Mandating two-factor authentication (2FA) wherever possible. While 2FA isn’t the end of security issues, it makes things more difficult for cybercriminals at every turn.
Monitor for anomalous web traffic. Be wary of communications with previously unknown IP addresses, unusual application traffic and other out-of-the-ordinary happenings on your network. Consider following these steps to reducing the time to detection of a compromise if one occurs.
Push patches and updates with urgency. Zero-day vulnerabilities often play a key role in advancing the spread of supply chain infections. Closing those gaps as soon as possible is an actionable step MSPs can take to protect themselves and their clients.
Back up everything. One of the most surefire ways of reducing the leverage an attacker has over you and your clients is keeping multiple backups of critical business data. Cybercriminals can’t be trusted to restore data even after a ransom is paid, so don’t be left relying on them.
Test your backup plan. The day disaster strikes is not the time to discover if your disaster recovery plan is well designed. Instead, simulate a worst-case scenario ahead of time and see if any gaps emerge.

As global cybercrime collectives continue to experiment with supply chain attack techniques, we should expect more indiscriminate, wide-net infections to make headlines. To prevent passing these infections along to their clients, vendors must take the lead in security their products and processes. But MSPs aren’t helpless in protecting themselves and their clients.

Podcast: Can we fix IoT security?

Jun 25, 2021 | Business + Partners, Managed Service Providers, Threat Lab

For many U.S. workers the switch to remote work is a permanent one. That means more high-stakes work is being conducted on self-configured home networks. For others, home networks are simply hosting more devices as smart doorbells, thermostats and refrigerators now connect to the internet.

Security experts warn that while the internet of things (IoT) isn’t inherently a bad thing, it does present concerns that must be considered. Many devices come pre-configured with inherently poor security. They often have weak or non-existent passwords set as the default.

As our guest and host Joe Panettieri discuss, these are issues that would be addressed on corporate networks by a professional IT administrator. The conversation covers the issues of IoT and home network security both from the perspective of the average family household and what the age of remote work means for employees working on their own networks.

Security intelligence director Grayson Milbourne brings a unique perspective to the podcast. Having held senior roles in both threat intelligence and product management, Milbourne is acutely aware of what the threats security products come up against. He knows both the cyber threat landscape and the consumer internet security market, so he’s able to provide insightful advice for how tech-loving homeowners can keep personal networks powerful and protected.

Milbourne suggests problems of IoT and home network security could be addressed with a cybersecurity version of ENERGY STAR ratings. A program could formalize current IoT security best practices and incorporate them into a standard consumers recognize.

During this informative podcast, Panettieri and Milbourne discuss that idea and more cybersecurity topics related to IoT devices. They cover:

The difference between device security and the security of the app used to control it
How to leverage user reviews while researching IoT devices and what security concerns to check on before buying
Privacy and data collection issues, including why one of the most common IoT devices may be among the most intrusive
Configuring IoT devices to prevent them from joining rogue IoT zombie networks

Targeted assets: The need for cyber resilient infrastructure

May 12, 2021 | Industry Intel

Aging infrastructure in the United States is not confined to crumbling roads and bridges. Recent events have shown that connected devices in our pipelines, water treatment facilities and power grids are also vulnerable to exploitation.

As of now, we still don’t know much about the ransomware attack against the operators of the Colonial Pipeline. Details about how and when cybercriminals were able to compromise Colonial’s network have yet to emerge. The FBI has confirmed that Darkside, a ransomware as a service (RaaS) group, was behind the attack but background on that group is about the only place where information is plentiful.

We still don’t know if a ransom has been paid. Or if Colonial was able to completely isolate its operational network from its corporate systems – the intended target of the attack according to the company – or if Darkside could have bridged that gap.

Based on the Darkside’s own statements and analyses of its past behavior, experts believe the attack wasn’t intended to seriously disrupt the nation’s gasoline supply or cause major harm to its critical infrastructure. But that’s beside the point.

It was enough for states of emergency to be declared up and down the Eastern seaboard and for the federal government to issue warnings to other utility providers to be on the lookout for similar attacks.

And this cyberattack against critical infrastructure is far from the first of its kind and unlikely to be the last. A 2019 attack on a power grid control center responsible for supplying several sites in the Western U.S. was considered a near miss in which the country got off easy.

Early this year, remote access software at a water treatment facility in Oldsmar, Florida was compromised and hackers used the access to attempt to increase the concentration of a tissue-damaging chemical normally used to prevent the corrosion of pipelines. Only an attentive employee and the delay needed to get the added chemical into the water supply prevented serious harm.

The sorry state of cybersecurity in U.S. critical infrastructure is well-known within the industry. The rise of the Internet of Things (IoT) isn’t limited to the consumer sector. These devices help with automation and make industrial control systems (ICSs) smarter than they’ve ever been before, but cybersecurity is often an afterthought in their design if it’s one at all. One source claimed it was communication between an ICS and Colonial’s corporate networks, responsible for simplifying the billing process, that caused concern about the attack spreading to operational systems.

Making more cyber resilient infrastructure

After several shots across the bow have luckily not resulted in direct hits, what can we do to bring about a hardening of U.S. infrastructure cybersecurity? How can we prevent a replay of the 2017 attacks against Ukraine’s power grid from happening here?

Here are a few suggestions:

Don’t disincentivize cybersecurity investment. – Ransomware insurance isn’t a bad idea, but providers won’t subsidize poor security practices forever. We’re already seeing some pushback against companies who happily shell out for ransoms knowing a reimbursement will soon follow. Well-insured but under-protected organizations may have gotten away with it for a while, but surging ransomware incidents are ushering those days out the door.

Actively promote that investment. – Policy analysts who have studied this issue urge government, at whatever level, ensure that critical infrastructure providers have the financial wiggle room to invest in better cybersecurity. Designing these investment incentives is beyond the scope of this post, but our near misses should make it clear that this is a national security imperative. Even private companies like Colonial, until now under less pressure than a public utility to account for compromises, should be invited in.

Don’t forget to secure corporate networks, too. – Just because the computer in the lobby of corporate HQ can’t crank up the sodium hydroxide in the drinking water doesn’t mean it’s not worthy of an antivirus. If access between corporate and operational networks exists, it can be exploited by determined cybercriminals. Endpoint protection for all devices and network-level security are the bare minimum. And with phishing attacks enabling the majority of breaches year after year, it’s important to train workforces on how to spot them.

Make smarter ICSs more secure. – IoT devices are not going anywhere. Their applications are many and varied and they make us more effective. But they’re seldom designed with cybersecurity in mind. In high-stakes applications like water treatment, oil and gas delivery and power distribution, this cannot be taken for granted. Manufacturers should consider OEM applications for threat intelligence feeds that make their smart devices more secure. This problem has been well studied but should be addressed with greater urgency.

For the time being, major damage and fears of prolonged fuel shortages may be unfounded with the Colonial Pipeline attack. But we need to act deliberately now in order to avoid relying on the same luck in the future.

We explored the dangers of pirated sport streams so you don’t have to

May 12, 2021 | Industry Intel, Threat Lab

Coauthored by Dominick Bitting, Sr. Threat Research Analyst, and Colin Maguire, Web Content Specialist.

Manchester City win the Carabao Cup Final, many illegal streamers lose

The COVID pandemic has led to a surge in content consumption as people stayed home and turned to Netflix, Youtube and other streaming services for entertainment. Not everyone agrees with paying for the latest episode or album, however, and this rise has ran parallel with a rise in digital piracy.

Piracy is widespread and – ethical issues aside – makes for an interesting case study from a threat research perspective. In terms of sports, European football is the most commonly pirated, making up more than a quarter of all illegal sports streams according to one recent study.

There is a sizable online community that shares bootlegged movies, TV and live sports streams without copyright protection over HTTP/HTTPS. Sites streaming pirated sports, specifically the English football “free-to-view” sites, were the subject of an April 2021 Webroot study on the week of the Carabao Cup final game between Manchester City and Tottenham Hotspur.

This was not meant to be an exhaustive study, but rather focused on getting a snapshot of the dangers involved in spending 90 minutes illegally streaming a match online.

The sites we analysed

We analysed a total of 20 sites in the study, of which 12 “game sites” were analysed in greater detail for the duration of the Cup Final. 92% per cent of illegal streaming sites analysed by Webroot were found to contain some form of malicious content.

Site Ratings

Sites ranged from having a “trusted” Webroot Brightcloud® reputation score of 92 to an “untrusted” rating of 44. All sites at time of testing had a safe, zero detection rating in Virus Total except for one, “daddylive”, with a rating of 1/85.

However, when examined more closely, most hosting IPs were found to have hosted malicious content (such as some serious malware) in the past, and had connections to other high-risk IPs. Some of the sites caught our attention for leading to a massive amount of URLs. For instance, rojadirecta[.]me pulled 565 different URLs. We focused most of our attention on these suspicious sites.

Virustotal.com graph for hulkstreams. Contextual graphs such as these show the relationships between web hosts and dropped malware

Brightcloud’s Threat Investigator Showing Contextual Information for jokerstream

Insecure Sites

Most of the sites analysed were insecure and running HTTP. The lack of security on these sites means any personal data shared across the site’s connection is out in the open. While the more secure HTTPS isn’t always a guarantee a site is completely safe, the lack of certification and security protocol were red flags, making sharing details or sensitive information risky.

Malvertising/Dishonest links

Most of these sites (more specifically the advertising on these sites) use dishonesty and social engineering to fool users into opening links, enabling an action on their browser or downloading a file they never intended to. This is done using an array of tricks like fake “X” boxes on video overlays, false “notification enable” messages and outrageous promises and warnings.

Redirects

Redirects are not bad in and of themselves, but when links jump between a number of unrelated sites (e.g. sports to dating to bitcoin to online shopping) this is a definite red flag. And we observed it a lot on illegal streaming sites. This signals that the site or site network admins must constantly change what their links direct to as they introduce new URLs. The presence of zero-day (or brand new) sites is a related bad indicator when looking at any site and it’s connected IPs.

Types of threats we saw on pirated streaming sites

Bitcoin scams

“With cryptocurrency values soaring again, executable based cryptojacking has been on the rise.”
Webroot’s 2021 Threat Report

We observed targeted and localised bitcoin scams promising riches and asking users for banking details. The price of Bitcoin and other cryptocurrencies have been booming over the last year, and the rise and fall of these prices affects cryptocrime levels. We observed convincing ads and websites that link directly to fake news sites or feature local(ised) celebrities and politicians selling scams.

An example of a bitcoin scam site that has been localised to appeal to users browsing with an Irish IP address

This “Mirror” fake news page is clearly designed to copy the popular UK newspaper. It is a front for a “get rich quick” scam designed to gather users’ cash and personal details. Different versions of this scam have been observed localised for different countries. This was pushed on the vipleague[.]lc streaming site.

“Appearing on the ‘BBC Breakfast’ show, Bill Gates revealed that he invested substantial amounts of money. The idea was simple: allow the average person the opportunity to cash in…”
Text from one scam we witnessed

An example of a bitcoin scam site that has been localised to appeal to users browsing with a UK IP address

A fake AV scam claiming to have found threats on your machine.

Hijacked search results

Hijacking browsers allows cybercriminals to switch a user’s default browser and take over its notifications. This means different search results are served up or users can be spammed with junk notifications and explicit content. Even if users shut down their laptops, the changes will remain.

Notification hijacking

Users looking to watch a stream are also tricked into allowing notifications, which bombard them with explicit and extreme content, as well as scams and links to other malicious sites.

Users of Technoreels are asked to allow notifications to see a stream. This button does not need to be clicked to view content so the messaging is dishonest and those that allow the content will get constant notifications for porn, dating, scams and other content.

An example of spam browser notifications. This one localised to appear to German IP addresses.

Browser Hijacker

Links on jackstream. push users into installing a browser hijacker known as mysearchflow.com, which is blocked as Spyware/Adware by Webroot. Clicking on the stream causes a popup which asks to allow notifications. These particular notifications were pop-up ads appearing in the screen’s right corner that were very intrusive and not easy to disable.

Mobile Threats

All these sites supported mobile browsing and the advertising, social engineering and malicious content targeting mobile users, too. For instance, links pointed to fake mobile apps with privacy issues and useless in-app purchases ranging from £2.09 – £114.99. It’s important for users to note that many of these mobile apps can also be installed on PCs and are often difficult to remove. Here’s a mobile advertisement from hulkstreams.com that earns clicks by claiming a device is infected with viruses.

Figure 2 The initial false “Google” warning on Hulksteams pushing

We installed and ran this particular product. It turned out to be an example of fleeceware, a type of malware that tries to sneak excessive fees past subscribers. It had over 10 thousand downloads on the Google Play store already. The product offered in-app purchases ranging from £2.09 – £114.99 per item and has since been marked as malicious by our threat intelligence.

The sites we analysed. Starred sites indicate “game sites.”

hulkstreams.com*

jackstreams.com*

0eb.net*

jokerswidget.com*

strims.world*

livetotal.tv*

vipleague.lc*

fotyval.com*

footybite.com*

daddylive.co/*

elixx.me/schedule.html*hdstreamss.club/*

liveonscore.tv/

red.soccerstreams.net/

www.blacktiesports.net/soccerstreams/

www.hesgoal.com/

www.ovostreams.com/soccer-streams.php

www.sportnews.to/schedule/

www.sportp2p.com

Figure 3 After installation the app incorrectly advises that you have “several trojans” and then offers to “repair your device”. This is a front for pushing more bogus upgrades and charges.

Our advice

Since pirate streams operate outside the law, they often sell advertising space to entities that are also operating outside the law. Although we found some advertising from reputable vendors, we would not recommend visiting these sites for the good of your overall online safety.

We do recommend that, when browsing any site on the web, users update their software and operating systems, employ AV and anti-phishing detection, and double-check any links before clicking, especially when they profess to offer something that seems too good to be true.

We Finally Got Businesses to Talk About Their Run-ins With Ransomware. Here’s What They Said.

Apr 13, 2021 | Business + Partners, SMBs, Threat Lab

“It is a nightmare. Do all you can to prevent ransomware.”
– A survey respondent

Many businesses are hesitant to talk about their experiences with ransomware. It can be uncomfortable to cop being hit. Whether it’s shame at not doing more to prevent it, the risk of additional bad publicity from discussing it or some other reason, companies tend to be tight-lipped about these types of breaches.

By offering anonymity in exchange for invaluable quantitative and qualitative data, Webroot and professional researchers surveyed hundreds of business leaders and IT professionals about their experiences with ransomware attacks.

Perhaps the most surprising finding from our survey, and certainly one that presents broader implications for those involved, is that the ransom demanded by attackers is only a small part of the loss that accompanies these crimes. There are also lost hours of productivity, reputational suffering, neutralized customer loyalty, data that remains unrecoverable with or without paying a ransom and the general sense of unfairness that comes with being the victim of a crime.

Our ransomware report seeks to quantify these knock-on effects of ransomware to the extent possible. We looked at the value of a brand and how likely customers are to remain loyal to one after their data is compromised in a breach. We studied the relationship between the time to detection of the incident and its cost. We added up the labor cost spent during remediation.

But we were also interested in real people’s stories concerning their run-ins with ransomware. What advice would they give to those who may find themselves in their same position? Respondents talked about the inevitability of attack, the relief when frequent backups mitigate the worst effects of ransomware, the importance of a plan, and advised against the payment of ransoms.

Finally, we provide advice for defending against or at least reducing the disruptive impact of ransomware attacks. As a security company, it won’t be surprising that we recommend things like endpoint and network security. But it goes deeper than that. We stress the importance of empowering users with the knowledge of what they’re up against and implementing multiple layers of defense.

Most importantly – no matter how comprehensive or scattershot a business’s protection is – is that that it’s are in place before it’s needed. During the fight is not the time to be building battlements. If your organization has avoided the scourge of ransomware so far, that’s excellent. But IT administrators and other decision-makers shouldn’t count on their luck holding out forever.

Here are a few of the report’s most enticing findings, but be sure the download the full eBook to access all of the insights it delivers.

KEY FINDINGS

50% of ransomware demands were more than $50k

40% of ransomware attacks consumed 8 or more man-hours of work

46% of businesses said their clients were also impacted by the attack

38% of businesses said the attack harmed their brand or reputation

45% were ransomware victims in both their business and personal lives

50% of victims were deceived by a malicious website email link or attachment

45% of victims were unaware of the infection for more than 24 hours

17% of victims were unable to recover their data, even after paying the ransom

Download the eBook

Is the Value of Bitcoin Tied to Ransomware Rates?

Apr 7, 2021 | Industry Intel

With investors currently bullish on Bitcoin, is its high value driving cybercriminals to pursue crypto-generating forms of cybercrime like ransomware and illicit miners?

At time of writing, the value of one Bitcoin is north of $58 thousand. Famously volatile, a crash is widely expected to accompany the current bubble, perhaps before the end of 2021. The reason for this volatility is at least partly attributed to an event known as “the halvening,” where the reward generating supply of the cryptocurrency is cut in half, simultaneously increasing demand.

At the same time, the average cost of a ransomware incident is also rising steeply. A study by Palo Alto Networks charted a growth rate of 171 percent in ransoms paid between 2019 and 2020, with the average cost now over $312 thousand. The steepest ransom doubled between 2015 and 2020, from $15 million to $30 million.

An iron law?

So, is it fair to argue that the two trends positively correlated? When the price of Bitcoin rises we should expect ransomware activity to rise with it? Not necessarily, says threat researcher and cryptocurrency expert Tyler Moffitt.

For one, Moffitt cautions it’s important to keep the relative values of U.S. dollars and the various cryptocurrencies in mind when comparing the cost of ransomware. Demanding $50 million in Monero last month for hacking the Taiwanese PC manufacturer Acer and demanding $10 million in Bitcoin for a hack last year will not have netted cybercriminals the same amount. Patient ones, at least.

“Ransomware actors can always grow their demands based on the value of the U.S. dollar,” says Moffitt. “But they have the added benefit of being able grow profits exponentially by riding the Bitcoin market.”

As could be expected with such a volatile asset, these swings sometimes happen quickly. Like when ransomware actors had Baltimore’s public schools between a rock and hard place with WannaCry. The price of Bitcoin had crashed in 2018, but as the ransom demand was on the desk of the city the price surged, sending the total value of the ransom up with it.

In a sense, it’s the volatility of Bitcoin that undermines any direct, positive relationship with ransomware rates. While it’s tempting to see today’s sky-high price and assume cybercriminals would rush to get their slice of that pie, they too know how markets work. It’s possible a ransom of Bitcoin this year could be worth far less next year. For ransomware actors, it’s better to ride out the market, treating their Bitcoin stash like a cybercrime savings plan for aging hackers.

“A lot of ransomware actors aren’t turning their Bitcoin into cash as soon as they get it,” says Moffitt. “Many of them live cheaply on the hope that the $200 million they made in their cybercrime careers will one day net them billions.”

A more direct relationship

Cryptojacking—the process of secretly hijacking a victim’s computing power to generate cryptocurrency—has a much simpler relationship with the value of various currencies. Because miners only collect their currency after doing the work (redirected CPU in this case), it’s only worth doing when values justify it.

“With cryptojacking, we do actually see an increase or decrease in the number of attacks based on its price. So right now, in a bull year when the price keeps rising, you’re going to earn more when you mine,” says Moffitt.

Browser-based cryptojacking uses scripts injected into the webserver, usually by exploiting an unpatched server or capitalizing on an out-of-date WordPress plugin, etc. Then any browser that visits that webpage will mine cryptocurrency using the viewers browser. This attack skyrocketed from its inception in 2017 into 2018.

A watershed moment in browser-based cryptojacking followed the great crypto-crash of 2018 mentioned above. At least according to their official statement, the drop in mining profitability caused the ostensibly-legitimate mining script company Coinhive to shut down in early 2019.

“The ‘crash’ of the crypto currency market, with the value of [Monero] depreciating over 85% in the last year,” was cited by the company as a reason for closing up shop, though some researchers doubt how much truth there is to that claim.

In reality, Coinhive scripts were used by cybercriminals to mine on unsuspecting users’ devices. Researchers at Cornell University discovered that 99 percent of the sites they found running malicious mining scripts were no longer running them following the shutdown of Coinhive.

Its authors concluded, “It became less attractive not only because Coinhive discontinued their service, but also because it became a less lucrative source of income for website owners. For most of the websites, ads are still more profitable than mining.”

Executable-based cryptojacking is when criminals leverage a breach on a machine, whether through phishing, exploits, RDP, and then drop a payload that on execution will use the machines resources to mine crypto. This attack was around before browser-based scripts and is still alive today. In fact, it’s the tactic seeing the most growth during cryptocurrency bull markets.

Monero, a favored cryptocurrency for miners based on its efficiency using consumer-grade devices, witnessed a rebound during this period. Over the course of 2020 and into 2021, the value rose from around $50 to around $250, perhaps explaining why Webroot found 8.9 million cryptojacking scripts in use in 2020.

In summary, both of these crypto-generating schemes require patience from their perpatraitors. When ransomware actors land a big payment from an extorted business, they may be forced to wait out market forces to maximize their earnings. For cryptojackers, profits trickle in over time. First they must determine whether they’re worth the effort and if they too want to play the long game with their take.

Cyber News Rundown: Phishing Targets NHS Regulatory Commission

Mar 12, 2021 | Industry Intel

Spanish labor agency suffers ransomware attack

Multiple systems were taken offline following a ransomware attack on the Spanish government labor agency SEPE, which has affected all 700 of their offices across the country. While some critical systems were impacted by the attack, officials have confirmed that the systems containing customer and other sensitive payroll data were not compromised. The Ryuk ransomware group are believed to be behind the attack. The group were involved in nearly a third of all ransomware attacks in 2020.

Latest phishing campaign targets NHS regulatory commission

Officials for the Care Quality Commission (CQC) have been received roughly 60,000 malicious phishing emails over the past three months that seems to be linked to the release of the COVID- 19 vaccine. The campaign has followed a pattern of spreading false information and requesting sensitive information for user’s NHS accounts. The use of the pandemic to scare recipients of fraudulent emails continues as many look forward to their turn to receive the vaccine.

Hackers gain admin access to surveillance company cameras

Hackers from a known collective were able to gain access to over 150,000 Verkada surveillance cameras in various sensitive locations across the globe after finding an access point available on the web. Viewable feeds included jails, banks and internal entry cameras for top companies like Cloudflare, which has since confirmed that they have taken these cameras offline. It remains unclear how long the hackers had access to the systems. They have stated they were able to steal roughly 5GB of data from the Verkada systems, which will likely be leaked in the coming months.

Ransomware distributor arrested in South Korea

An individual was arrested by South Korean police late last month after a lengthy investigation tracked ransomware payments to withdrawals made by the individual. The man in custody is believed to be responsible for distributing more than 6,000 phishing emails spoofing local law enforcement. These used malicious attachments to trigger GandCrab ransomware payloads to encrypt systems. This is the second reported GandCrab affiliate caught by law enforcement in the past year as global law enforcement agencies work together to transnational ransomware organizations.

REvil ransomware group puts 170GB of data up for sale

Officials for the Pan-American Life Insurance Group have issued a statement regarding recent outages in their systems, which were the result of a ransomware attack. Though there was a post on a known REvil ransomware group forum claiming to have taken 170GB of data from this breach, that post has since been removed, which could indicate that Pan-American could be in negotiations with the group to restore their systems.