Your password is too predictable

Password predictability is one of the most significant challenges to overall online security. Well aware of this trend, hackers often seek to exploit what they assume are the weak passwords of the average computer user. With a little bit of background information, “brute forcing” a simple password is a straightforward undertaking.

How are passwords cracked?

Cybercriminals use computing power to crack passwords with a method known as a brute force attack. With this method, an attacker guesses at the password repeatedly with the help of computer software/scripts. This makes the process automated and essentially effortless for the attacker.

The weaker the password (meaning the easier it is to guess), the quicker an attacker can crack it with computing power.

So, how do we combat this?

The problem is password predictability

Passwords can be very easy to guess. Ironically, one factor that contributes to this is one that’s supposed to make passwords safer: the uniform standard most websites impose on users when creating a new password. Typically, sites require a single capital letter, at least 6 characters, numbers and one special character.

Attackers can use this information to guess when and where each character may be using only the predictable tendencies of human users. And because many users create a single password that meets these requirements and use them on multiple sites like Netflix, Facebook and Instagram, getting lucky once can lead to a bonanza for cybercriminals.

Here is an example of a password that would meet the requirements of most websites:

Example1234!

This would be considered “secure” in most cases because it meets the most common internet standard for password creation. Now swap “Example” out for the name of a child or pet, and the easily remembered combination is very likely to be someone’s actual, real-life password. It’s easy for the user to remember, and therefore convenient to use across multiple sites.

Let’s assume a user has a pet named Toby and plug it into the above example format.

Toby1234!

This is not a strong password. Pets’ names, children’s names and birthdays are often easily discoverable, especially by mining social media accounts. An attacker may just need to do a little recon on Facebook to scrounge up a handful of likely options.

Passwords vs. Passphrases

A password is a short string of mixed characters. A passphrase is a longer string of text making up a phrase or sentence. The important thing to know about passphrases is that, when allowed, they’re far more secure than passwords. The idea that a password should be one word is outdated, and retiring it would benefit user security greatly.

A method for devising a passphrase is to simply pick a line from your favorite movie, book or song and mix it with capitals and numbers. If we take Arnold’s famous line “I’ll be back,” we can easily make it into a secure passphrase.

Original: “I’ll be back”

Remove quote marks and spaces, since they can’t be used as password inputs.

Illbeback

Add some capitals: iLLbeBack

Add Numbers: iLL3beBack

And finally, a special character: iLL3beBack$

As a fun test, you can use this password-checking tool to see how long it would take a computer to crack your new creation. How long would it take to crack yours?

For comparison, let’s take one of our simple password examples from above and see how long it would take to crack. We can use Toby1234! (and yes, some people do use such simple passwords).

As you can see, it wouldn’t take long at all.

What about our new passphrase iLL3beBack$

I think we’ll be secure for now.
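The comparison above (and the “Toby1234!” pattern discussed earlier) can be made concrete with a small estimator. The following is an added example, not code from the original post or from the password-checking tool it refers to. The guess rate, the template regular expression and the short list of guessable words are constructed assumptions for illustration. A password that fits the “Capitalised word + digits + symbol” template with a word on the harvested list is charged only the template’s search space (words × digit runs × one symbol); everything else is charged the full per-character keyspace.

```python
import re

# Assumed offline guess rate used for the time estimate (constructed figure, not a benchmark).
GUESSES_PER_SECOND = 1e10

# The template the article describes: Capitalised word, a run of digits, one trailing symbol.
TEMPLATE = re.compile(r"^([A-Z][a-z]+)(\d+)([^A-Za-z0-9])$")

# Constructed stand-in for the handful of names an attacker could harvest from social media.
GUESSABLE_WORDS = {"toby", "max", "bella", "charlie", "lucy", "example"}

PUNCTUATION = 32  # printable ASCII symbols a site usually accepts as the "special character"


def classify(password: str) -> str:
    """'predictable' = template plus a guessable word; 'templated' = template only; else 'freeform'."""
    match = TEMPLATE.match(password)
    if match is None:
        return "freeform"
    return "predictable" if match.group(1).lower() in GUESSABLE_WORDS else "templated"


def search_space(password: str) -> float:
    """Guesses a defender should assume an attacker needs.

    A predictable password is not searched character by character: the word
    comes from the harvested list, the digits from every run of that length and
    the symbol from the punctuation set. Anything else is charged the full
    keyspace of its character classes, which overstates strength for words
    missing from this tiny list (a real checker uses large dictionaries).
    """
    match = TEMPLATE.match(password)
    if match is not None and match.group(1).lower() in GUESSABLE_WORDS:
        _word, digits, _symbol = match.groups()
        return float(len(GUESSABLE_WORDS) * 10 ** len(digits) * PUNCTUATION)

    alphabet = 0
    if re.search(r"[a-z]", password):
        alphabet += 26
    if re.search(r"[A-Z]", password):
        alphabet += 26
    if re.search(r"\d", password):
        alphabet += 10
    if re.search(r"[^A-Za-z0-9]", password):
        alphabet += PUNCTUATION
    return float(alphabet ** len(password))


def seconds_to_crack(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust the search space at the assumed guess rate."""
    return search_space(password) / rate


if __name__ == "__main__":
    for pw in ("Toby1234!", "iLL3beBack$"):
        print(f"{pw:14} {classify(pw):12} {search_space(pw):.3g} guesses  {seconds_to_crack(pw):.3g} s")
```

With these assumptions “Toby1234!” needs under two million guesses and falls in a fraction of a second, while the passphrase is charged roughly 94^11 guesses, on the order of thousands of years at the same rate. The caveat is the tiny word list: a templated password built on a name that is not in it is charged the full keyspace here, so a production checker must use large name and dictionary lists rather than this toy set.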

More tips and tricks for password safety

Using a password manager is the most practical way to make passwords more secure. Users tend to gravitate toward the most convenient solution to a given problem, and password managers keep them from having to memorize a series of complex passwords for different sites. The user can automatically save passwords with an internet browser plugin and let autofill features handle the rest.

Here are some other good rules of thumb for password safety:

  • Use a password generator
  • Use two-factor authentication (2FA) as much as possible
  • Don’t reuse passwords
  • Be unpredictable in password formatting

Don’t let a predictable password come back to bite you. When made up of easily guessable public information, a weak password can be cracked in minutes. Instead, choose a passphrase or rely on one of the many secure password management tools available on the web today.

An MSP and SMB guide to disaster preparation, recovery and remediation

Introduction

It’s important for a business to be prepared with an exercised business continuity and disaster recovery (BC/DR) plan before it’s hit with ransomware, so that it can resume operations as quickly as possible. Key steps and solutions should be followed to prepare for and respond to cyber threats or attacks against your organization.

It may be as simple as the deployment of antivirus plus backup and recovery applications for your end users, or a more complex approach with security operations center (SOC) tools or managed response solutions coupled with network security tools such as DNS and Web filtering, network and endpoint firewalls, VPNs, backup and recovery and others.

It’s also essential to ensure end-users are trained on ransomware threats as a part of a good security awareness training program. The bottom line is, if prevention tools and training fail and your organization is compromised, you need to have a protection plan that gets your company assets and resources back to work quickly and securely.

What preparation is needed

When contemplating an in-depth plan, specific questions come to mind—the whats, the hows, the whys, and most importantly, the whos must be defined in the plan. When asking these questions, we need to be prepared to identify the resources, people and applications included. We must determine how to react to the situation and execute the logical steps and processes required to reduce damage as quickly as possible.

Below are some questions to get us started.

Key questions

  1. Who will be involved in recovery and communication when your DR plan is in action?
  2. How much downtime can your organization withstand?
  3. What service level agreement (SLA) do we need to provide to the business and users?
  4. What users do we need to recover first?
  5. What tools do we have to reduce risk and downtime within the environment?
  6. How are user networks separated from operational or business networks?
  7. How quickly can data protection tools get us up and running again?
  8. Can users get their data back if an endpoint device is compromised?
  9. Can we determine when the ransomware first hit the network or endpoint devices?
  10. Are we able to stop the proliferation of ransomware or malware throughout the network?
  11. Can we recover quickly to a specific point in time?
  12. Can our users access their data from the cloud before it has been restored?

Application Needs

The solutions below, coupled with an exercised BC/DR plan, will help reduce your organizational risk exposure and allow for quick remediation.

  • An endpoint security solution capable of determining what events took place and when
  • A DNS security solution capable of turning away security threats at the network level
  • A solution for endpoint backup and recovery that can safeguard data should these other solutions be compromised

Lines of Communication

Equally important as the technology are the people who manage and maintain the systems that support the different business units within an organization. For example, your security team and your endpoint support team need to be in regular discussions about how the teams will communicate when under attack. You need to determine who is responsible, for what systems, and when they should be brought into the process when under attack.

System Response Ratings

A system response rating system can assist in determining which systems or employees require a higher degree or speed of response. To do this, organizations must specify the value of the system or resource and where that resource sits regarding protection or remediation priority. This is often determined by the value of the resource in monetary terms. For example, suppose the loss of a specific system would incur a massive loss of incoming revenue. In that case, it might be necessary to place a higher priority in terms of protection and remediation for it over, say, a standard file server. 

The same can be said for specific individuals. Often C-level resources and mid-tier executives need to be out in front of a situation, which highlights the importance of making sure their resources like laptops and portable devices are protected and uncompromised. They are often as important as critical servers. It is necessary to classify systems, users and customers regarding their criticality to the business and place priorities based on the rating of those resources.

Now that we know a bit of the who, what, and how, let’s look at how to recover from a single system to an entire enterprise.

Recovery and Remediation

Recovery is an integral part of any BC/DR plan. It gives organizations a playbook of what to do and when. But it’s not enough to recover your data. Admins also need to understand the remediation process that should be followed to prevent further infection of systems or proliferation of malware within an organization.

Scenario

Ransomware hits users’ laptops, encrypting all of their data. The laptops have antivirus protection but no DNS protection. Network security is in place in the form of firewalls and VPNs, with some network segmentation. There is also a security team in addition to the end-user support team. The ransomware is polymorphic, meaning that it changes to prevent detection even after the first iteration has been isolated.

Solution

The first step is consulting the endpoint security console to learn when and where the malware was first seen. If backups are still running, they should be suspended at this point to prevent infected data from being backed up along with the malware. This can be done either from the dashboard or with an automated script that suspends all devices, or only those that have been compromised.

A dashboard should make handling single systems easy, while scripts can help with thousands of devices at a time. APIs can help automate processes like bulk suspend and bulk restore of devices. At this time it may be prudent to block traffic from the infected areas, if network segmentation is enabled, to prevent the spread of malware.

Now it’s time to review the protection platform to determine the date the file was noticed, the dwell time and when the encryption/ransomware started executing. Once these facts have been determined, it’s possible to track down how the organization was breached. Understanding how malware entered the network is critical to preventing future infections. Since, in our example, ransomware infected devices, a tested and reliable recovery process is also necessary.

Understanding the timeline of events is critical to the recovery process. It is essential to know the timing of the first infection so you can set the point in time to restore to. Once an admin can zero in on the date and time to restore, affected devices can be compiled into a CSV file, marked with their device ID numbers, to reactivate any backups that were halted when the breach was discovered.

Once the data, the source and target device IDs, and the date and time to restore from are combined with a bulk restore script, a bulk restore can be pushed to the same laptops or to new laptops. While this happens, solutions offering web portals can let users get back to work quickly.
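As an added example of the steps just described (not the page’s own script or any vendor’s), here is how the per-device restore list could be built from a console event export. The export format, event names, hostnames, device IDs and the one-hour safety margin are all constructed assumptions; a real console’s API or CSV export will differ, and the margin should be set from the observed dwell time rather than a fixed value.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export from an endpoint security console (not any vendor's real format).
CONSOLE_EVENTS = """\
timestamp,device_id,hostname,event
2021-05-03T08:12:00,dev-001,LAPTOP-ACCT1,file_quarantined
2021-05-03T09:40:00,dev-002,LAPTOP-SALES4,suspicious_encryption
2021-05-03T10:05:00,dev-001,LAPTOP-ACCT1,suspicious_encryption
2021-05-03T10:30:00,dev-003,LAPTOP-HR2,clean_scan
2021-05-04T07:55:00,dev-002,LAPTOP-SALES4,suspicious_encryption
"""

# Event names that mean "this device is compromised" (constructed; map to your console's own).
INFECTION_EVENTS = {"file_quarantined", "suspicious_encryption"}

# Restore to a snapshot this far before the first sighting, so the restored data predates the malware.
SAFETY_MARGIN = timedelta(hours=1)


def first_seen_per_device(events_csv: str) -> dict:
    """Map each compromised device_id to (hostname, earliest infection timestamp)."""
    first = {}
    for row in csv.DictReader(io.StringIO(events_csv)):
        if row["event"] not in INFECTION_EVENTS:
            continue
        ts = datetime.fromisoformat(row["timestamp"])
        dev = row["device_id"]
        if dev not in first or ts < first[dev][1]:
            first[dev] = (row["hostname"], ts)
    return first


def breach_start(events_csv: str):
    """Earliest infection time across the fleet: the start of the timeline to investigate."""
    seen = first_seen_per_device(events_csv)
    return min(ts for _, ts in seen.values()) if seen else None


def restore_plan(events_csv: str, margin: timedelta = SAFETY_MARGIN) -> list:
    """Rows for the bulk-restore CSV; the restore point is each device's first sighting minus the margin."""
    rows = []
    for device_id, (hostname, ts) in sorted(first_seen_per_device(events_csv).items()):
        rows.append({
            "device_id": device_id,
            "hostname": hostname,
            "first_seen": ts.isoformat(),
            "restore_to": (ts - margin).isoformat(),
        })
    return rows


def restore_plan_csv(events_csv: str) -> str:
    """Serialise the plan as the CSV a bulk-restore script would consume."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["device_id", "hostname", "first_seen", "restore_to"],
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(restore_plan(events_csv))
    return out.getvalue()


if __name__ == "__main__":
    print("breach start:", breach_start(CONSOLE_EVENTS))
    print(restore_plan_csv(CONSOLE_EVENTS))
```

The clean device (dev-003) is left out of the plan, and each device gets its own restore point rather than one fleet-wide time, which avoids rolling back devices that were hit days later further than necessary.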

Summary

The right tools, planning, importance hierarchy and communication channels across a business are essential for establishing cyber resilience. Once a timeline of a breach has been determined, these elements make restoring to a pre-infection state a process that can be planned and perfected with practice.

Oh no! A client failed a pen test. Now what?

In a previous post, we talked a bit about what pen testing is and how to use the organizations that provide them to your benefit. But, what about when one of them hands a client a failing grade?

Consider this: you’re an MSP and you get a letter or email from one of your customers that reads:

“Dear ACME MSP,

We regret to inform you that you’ve had a Penetration Test Failure produced by “FriendlyHacker-Pentesting Inc” and we’d like to discuss the details further to determine if you have what it takes to continue to handle our security needs.

Regards,

Largest MSP Customer.”

A customer may not pass along this exact wording, but the implications are clear. The results can be embarrassing or at worst devastating. When a customer reaches out after failing penetration testing, it can put an MSP on its heels and create unnecessary angst. Should the MSP have been more involved in the testing? Did my tools cause the failure? Has the MSP soured its relationship with its client? Will the business be lost?

So, how should an MSP respond when a customer fails a pen test?

Some MSPs turn to self-doubt and start wondering if the layers of protection they’ve put in place are worth the costs. Others will immediately start pointing fingers at the tools that were identified in the pen test report. When a report comes through with a failure, it’s usually unexpected and can take time away from more important activities.

To save time and effort if this should happen to you, here are a few key elements of a good response to a pen test failure.

Immediately start asking questions.

  • What kind of penetration testing was involved?
  • Who performed the testing and what are their credentials?
  • How was the penetration testing organization positioned to start taking action?
  • Were the testers acting as “Red Team” or “Blue Team” actors?
  • When did the testing take place?
  • May I examine the data and reporting?

Review your tools’ configurations.

Rather than immediately assuming bad tech, it’s best to step back and evaluate each tool identified in the pen test report and the associated configurations, policies and control points. Often, a security tool is designed to identify, evaluate and/or stop bad actors along the threat chain. If it failed, it could be that a setting was disabled or misconfigured. Review all tools’ “best practice” guides, documents and suggestions before making assumptions.

Ask for partnership with the customer during their next review.

If the customer did not provide a heads-up or pre-testing communication, request that you be more involved during their next review. If pen testing is important enough for them to do once, it’s probable that they’ll do it bi-annually or annually, depending on the industry and regulatory concerns. It’s always better to be involved in advance than after the fact.

Blue Teams vs. Red Teams: Which type of test was conducted?

The difference between a Blue Team and a Red Team is how much previous access they have to a target’s networks and devices. This can make a huge difference in how the results of a pen test are interpreted. When a Blue Team—with some previous knowledge of an organization and its IT systems—is able to breach a business, it may not be representative of real-world circumstances. It could be an internal IT admin who was able to find a vulnerability after poking around in a system she previously had access to.

When a Red Team compromises a client, on the other hand, it’s time to examine the reporting closely. Starting with zero knowledge of an organization’s systems, this type of breach could point to serious flaws in the defenses an MSP has set up for a client. Likely there are real holes here which need to be patched.

Evaluate the pen testing organizations

While there are many levels of testing capability, keep in mind that pen testers come from many IT walks of life. Former sysadmins, hackers and network administrators make up the most common testers. They come with their own experiences, specialties and biases.

One question to always ask is: what are the testing organization’s credentials? What is their background and how did they come to the business? How long have they been testing?

The goal is to gauge whether the individuals who’ve conducted the test are knowledgeable enough to make judgments about your organization’s defenses. Did they actually breach the defenses, or are they simply reporting on a “potential” for a breach?

Not all testers are alike, and not all testing organizations are alike. Each has to make the case for its own expertise in reaching the conclusions it has.

As I say, trust but verify. And be prepared to ask LOTS of questions if a client ever fails a pen test.

An Inside Look at Cybercrime-as-a-Service

You’ve likely heard of software-as-a-service (SaaS), infrastructure-as-a-service (IaaS), and numerous other “as-a-service” platforms that help support the modern business world. What you may not know is that cybercriminals often use the same business concepts and service models in their own organizations as regular, non-criminal enterprises; i.e., the same practices the majority of their intended victims use.

As senior threat research analyst Kelvin Murray explains to Joe Panettieri, editor of ChannelE2E and MSSP Alert, in our most recent Hacker Files podcast, cybercrime-as-a-service “essentially follows the same path as most as-a-service things in business.” He goes on to explain, “If you were a small company in 2002 and needed to set up email, you’d set up a mail server, a mail relay, mail clients, and you might hire an email admin. And then you might have to set up things like spam filters yourself. People like Microsoft figured out that they could just provide all of [these services] from a web page and rent it out to companies and take all the hassle out of companies’ hands.” That’s the as-a-service model in a nutshell.

According to Kelvin, a very similar thing happened in the cybercriminal space. Effectively, talented criminals who’ve written successful malicious code have begun renting access to their own cybercrime “solutions” to lower-level criminals who either don’t have the resources or know-how to design, write, and execute cyberattacks on their own.

Of course, the people providing the so-called service don’t do so out of any goodness in their hearts; they do it for a cut (sometimes a significant one) of any profits made in an attack that uses their code.

Hear more about the evolution of cybercrime-as-a-service in the full podcast. Be sure to check out other discussions and recordings in our Cybersecurity Sound Studio.

Podcast: Cyber resilience in a remote work world

The global pandemic that began to send us packing from our offices in March of last year upended our established way of working overnight. We’re still feeling the effects. Many office workers have yet to return to the office in the volumes they worked in pre-pandemic. For MSPs, that makes up a good portion of their clientele.

Remote workers were abruptly pulled out from behind the corporate firewall, immediately becoming more susceptible to the targeted attacks of cybercriminals. Acceptable use policies could no longer be easily enforced, home devices became work devices, and employees distracted by life around them became more likely to click carelessly.

What’s worse, because the pandemic was affecting more or less all of us at the same time, cybercriminals had a virtually limitless pool of targets on which to test out new scams. Phishing scams imitating eBay skyrocketed during the first months of product shortages brought on by COVID-19. Scam emails claiming to be from Netflix rose by more than 600% in 2020.

We were fish in cybercriminals’ collective barrel. Now, even with vaccinations rising in the U.S., many companies are rethinking the way they work. It’s up to MSPs to have a strategy for securing remote workers, because they’ll likely need to serve more of them than ever before.

Find out how to ensure your clients’ remote workers are resilient against attacks across networks in this informative conversation between ChannelE2E and MSSP Alert editor Joe Panettieri and his guest Jonathan Barnett. In addition to being a network security expert and senior product manager for Webroot’s DNS solution, Barnett brings 20 years of experience as the head of his own MSP business to the podcast.

5 Tips to get Better Efficacy out of Your IT Security Stack

If you’re an admin, service provider, security executive, or are otherwise affiliated with the world of IT solutions, then you know that one of the biggest challenges to overcome is efficacy. Especially in terms of cybersecurity, efficacy is something of an amorphous term; everyone wants it to be better, but what exactly does that mean? And how do you properly measure it? After all, if a security product is effective, then that means few or no cyberattacks should be getting through the lines of defense to the actual infrastructure. Yet, faced with modern cyber threats, that seems like a pretty impossible goal, particularly as many attacks are designed to operate under the radar, evading detection for weeks or months at a time.

As a result, many businesses and managed service providers may try to account for their efficacy needs in the tools that they choose, vetting the solutions with the highest reviews and the best third party testing scores. But the tools aren’t everything. What else can you do?

Here are our top 5 tips for getting the best possible efficacy out of your IT security stack.

  1. Partner with solution vendors who can guide you to the right setup.
    Most small to medium-sized businesses and many MSPs just don’t have the resources to keep dedicated security experts on staff. That’s not a problem, per se, but it does mean you might have to do some extra legwork when selecting your vendor partners. For example, it’s important to take a hard look at the true value of a solution; if it requires costly or time-consuming training to attain a skill level high enough to get maximum value from the product, then the cost-benefit ratio is much different than it initially appears. Be sure to choose vendors who provide the type of guidance, support, and enablement resources you need; who can and will advise you on how best to configure your cybersecurity and backup and disaster recovery systems; and who are invested in helping you ensure maximum return on the investment you and your customers are making in these solutions.

  2. Trust your tools, but make sure you’re using them wisely.
    According to George Anderson, director of product marketing for Carbonite + Webroot, OpenText companies, many of the tools IT admins already use are extremely effective, “as long as they’re being used properly,” he cautions. “For example, Webroot® Business Endpoint Protection includes powerful shielding capabilities, like the Foreign Code Shield and the Evasion Shield, but these are off by default, so they don’t accidentally block a legitimate custom script an admin has written. You have to turn these shields on and configure them for your environment to see the benefits; many people may not realize that. But that’d be one simple way admins could majorly improve efficacy; just check out all your tools and make sure you’re using them to their fullest capacity.”
  3. Consider whether EDR/MDR/ADR is right for you.
    If you’re not already using one of the solutions these acronyms stand for, you’ve likely heard of them. Endpoint detection and response has a lot of hype around it, but that’s no reason to discount it out of hand as just another industry buzzword. It’s just important to demystify it a little so you can decide what kind of solution is right for your needs. Read more about the key differences here. Keep in mind, there’s often a high level of involvement required to get the most out of the additional information EDR provides. “It’s really more of a stepping stone to MDR for most MSPs,” per George Anderson. “Webroot Business Endpoint Protection actually provides all the EDR telemetry data an MDR solution needs, so I don’t recommend EDR alone; it should be used with an MDR or SIM/SIEM solution.”

  4. Lock down common security gaps.
    Some of the easiest ways to infiltrate an organization’s network are also the easiest security gaps to close. Disable remote desktop protocol (RDP). If you really need these kinds of capabilities, change the necessary credentials regularly and/or use a broker for remote desktop or terminal services. Use hardened internal and external DNS servers by applying Domain Name System Security Extensions (DNSSEC), along with registry locking domains; looking at certificate validation; and implementing email authentication like DMARC, SPF and DKIM. Be sure to disable macros and local admin privileges, as well as any applications that are not in use. And, of course, run regular patches and updates so malicious actors can’t just saunter into your network through an old plugin. These are all basic items that are often overlooked, but by taking these steps, you can drastically reduce your attack surfaces.

  5. Train your end users to avoid security risks.
    Phishing and business email compromise are still top security concerns, but they’re surprisingly preventable at the end user level. According to the 2021 Webroot BrightCloud® Threat Report, regular phishing simulations and security awareness training can reduce phishing click-through by as much as 72%. Such a significant reduction will absolutely improve the overall efficacy of your security program, and it doesn’t impose much in the way of administrative burden. The secret to successful cyber-awareness training for end users is consistency; using relevant, high-quality micro-learning courses (max of 10 minutes) and regular phishing simulations can help you improve your security posture, as well as measure and report the results of your efforts.
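Two of the email authentication controls named in the “Lock down common security gaps” tip, SPF and DMARC, can be sanity-checked from the TXT records a domain publishes. The following is an added example, not Webroot’s code or the page’s own. The domain and its records are constructed; a real audit would fetch the TXT records with a DNS query instead of reading them from a dictionary, and DKIM is not covered because its records live under per-selector names that have to be known in advance.

```python
# Constructed TXT records for a hypothetical domain, as a DNS lookup might return them.
RECORDS = {
    "example-msp.test": ["v=spf1 include:_spf.mail.test ~all"],
    "_dmarc.example-msp.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example-msp.test"],
}


def find_spf(txt_records):
    """Return the domain's SPF record, or None if there is not exactly one (RFC 7208 requires one)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def spf_findings(record):
    """Weaknesses in an SPF record: a permissive 'all' mechanism or too many lookups."""
    if record is None:
        return ["no single valid SPF record"]
    terms = record.split()
    final = terms[-1].lower()
    findings = []
    if final in ("+all", "all", "?all"):
        findings.append(f"SPF ends in '{terms[-1]}': any sender passes")
    elif final == "~all":
        findings.append("SPF uses softfail '~all'; '-all' is stricter")
    if sum(1 for t in terms if t.lower().startswith("include:")) > 10:
        findings.append("more than 10 include: terms: evaluation will hit the DNS lookup limit")
    return findings


def dmarc_findings(record):
    """Weaknesses in a DMARC record: missing, non-enforcing policy, no reporting, partial pct."""
    if record is None or not record.lower().startswith("v=dmarc1"):
        return ["no DMARC record"]
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC p={policy or 'missing'}: spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua address: aggregate reports are not collected")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy is applied to only part of the mail")
    return findings


def audit_domain(domain, records):
    """Combine SPF and DMARC findings for one domain from a {name: [txt, ...]} mapping."""
    spf = find_spf(records.get(domain, []))
    dmarc_records = records.get(f"_dmarc.{domain}", [])
    dmarc = dmarc_records[0] if dmarc_records else None
    return {"spf": spf_findings(spf), "dmarc": dmarc_findings(dmarc)}


if __name__ == "__main__":
    for control, issues in audit_domain("example-msp.test", RECORDS).items():
        print(control, issues or ["ok"])
```

For the constructed domain the audit reports the softfail SPF and the `p=none` DMARC policy: both records exist, so a checkbox review would call the domain “covered”, but neither actually stops a spoofed message from being delivered.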

All in all, these tips are simple, but they can make all the difference, especially if you have big efficacy goals to meet on a lean budget.

For more industry tips and tricks and product-related news, follow @webroot and @carbonite on Twitter and LinkedIn.

Another NFT explainer, with a bonus look at the data security implications

“What Bitcoin was to 2011, NFTs are to 2021.”

That’s a claim from the highly respected “techno-geek” bible Ars Technica in its wonderful explainer on NFTs, or non-fungible tokens. Since cryptocurrencies were, are and will continue to be impactful technologies, surely NFTs are a topic worth exploring.

They exploded into public consciousness this year as pieces of art, albums, photographs and dozens of other assets were sold in NFT form. Some netted their sellers huge profits; many more were ignored or overlooked completely.

Naysayers call NFTs worthless figments of our own imagination, apologists hail them as handy tools for eliminating middlemen and empowering creators. One writer has referred to NFTs as, simply, “bragging rights.”

But naturally, at Carbonite + Webroot, we just wonder how they’ll be used and abused by cybercriminals or if they can be irrevocably lost like the password to a crypto wallet.

Before we dive into that, a brief primer of our own on NFTs.

Non-what token?

An NFT can be thought of as a sort of digital deed. It is unalterable proof of ownership of a unique digital asset. That’s what the “non-fungible” in non-fungible token means: there’s only one, and it’s completely unique.

NFTs use the same blockchain ledger technology to verify uniqueness that cryptocurrencies rely on to prove ownership. A distributed group of devices does the work to vouch for the authenticity of the token the same way it does for a bitcoin.

Except, whereas each unit of a cryptocurrency is mutually interchangeable (1 Dogecoin always equals 1 Dogecoin, for instance), NFTs are designed to be completely unique. They can be programmed with their own rules and directions for use and behavior—even down to how they produce “offspring” in the case of CryptoKitties.

An often used and helpful analogy is to certificates of authenticity (COA) like those used in the art world. For ages artists have put their own unique stamps on their artwork or issued accompanying certificates to testify to the “realness” of the work. This could be in the form of a simple signature or, in Banksy’s case, written sign-off from the Pest Control Office. Think of an NFT as a digital COA or, arguably, an improvement on the concept since it can’t be reproduced or believably forged.

As with any art, the value of an NFT is in the eyes of the beholder. What’s the point of spending millions to own an original digital asset that’s been effortlessly reproduced a million times? Could one ask the same of the Mona Lisa?

The rise (and fall?) of the NFT

Regardless of your answer to these questions, a community of folks undeniably already places a huge value on NFTs. An April 2021 post on GitHub estimated the value of the “CryptoArt NFT” market to be at least $150 million worldwide.

That’s almost certainly an underestimate, since the most expensive NFT ever sold comes from the art world. It’s a work known as The First 5000 Days by the artist known as Beeple, and it’s essentially a $69 million JPEG file.

And NFTs aren’t limited to fine art. The pro sports, music and meme industrial complexes have all entered the business. Even social media posts are being turned into NFTs; the digital certificate for Jack Dorsey’s first-ever Tweet sold for $2.9 million. So, while anyone interested can easily find it online, only a Malaysia-based CEO of a blockchain company can claim “ownership” of the Tweet that started…all this.

Can NFTs hold our attention for long? With absurd amounts of money changing hands over a string of digital characters, a lot of people are already wondering if NFTs are a bubble about to burst. Plenty of pundits were speculating about a bubble in mid to late-April, when sales of NFTs lagged. But as shown by nonfungible.com, a company that tracks the buying and selling of NFTs, they were back to brisk business in early May.

Perhaps NFTs are a bubble positioned to pop. Or maybe their values will vary with the cryptocurrencies in which they are mostly bought and sold. It’s certainly been speculated that they’re driving up the price of Ethereum. Regardless, it’s safe to say they’re worth getting to know, because they’ll make headlines for some time to come.

NFT theft and a new brand of cybercrime

Not surprisingly, cybercriminals are already redirecting their efforts to the nascent NFT market. In an extraordinary and revealing Twitter thread, one NFT owner documented the experience of having his tokens stolen from a marketplace for digital art. He’s apparently not alone in this experience.

Even less surprising than the theft are the methods used to do it. It seems phishing for users’ passwords to the sites used to buy and sell NFTs is the main method of compromise. Two-factor authentication for accounts managing NFTs is strongly recommended by marketplaces.

Darkreading.com also notes the importance of closely guarding access keys, which are often the only means of managing an NFT. Once a key is stolen—either by phishing, a keylogger or some other means—there’s very little in terms of a realistic prospect of getting it back.

In terms of valuable digital art, NFT theft amounts to the regrettable loss of investment pieces or perhaps just the “bragging rights” akin to owning an original piece of physical art. But if the role of NFTs as proof of ownership expands into the physical realm, as is already being discussed in the real estate sector, NFT security will become critical. It may even have the power to spawn new industries and criminal enterprises.

NFTs’ massive price tags and novel technological backing make them attractive targets for cybercriminals. If the market for their sale isn’t a bubble, it’s possible that the high-profile art heists of the future may be carried out by hackers rather than the suave con men of Hollywood films, and their tools will be phishing attacks and spyware rather than fancy handheld gadgets.

How MSPs can use Webroot Cyber Resilience Solutions to Get their Time Back

Although they didn’t always call themselves a managed service provider, that’s exactly what T-Consulting has been since its inception. According to Vera Tucci, founder and CEO of the Italy-based MSP, it was her mission to give her clients more than a basic hardware/software bundle with a few hours of IT consultation. She knew her clients needed a greater level of service, especially those whose businesses had grown from small family operations into larger companies, and that’s what she built her own business to provide.  

When one of her oldest clients began having issues with the previous security program T-Consulting offered — issues that prevented the client from being able to access business critical systems and required hours upon hours of her team’s time to diagnose and resolve — Tucci immediately started working to identify a better solution. As far as she was concerned, the tools her team used should solve problems, not cause them. That’s when she came across the Webroot® portfolio of cyber resilience products for endpoint protection, DNS protection, and end user training.

“I actually remember the change in mood within my company. Within days of making the decision [to switch to Webroot], my employees were happy again. They weren’t waking up worried about what would go wrong. […] We saw immediate results in terms of the time our team suddenly had on its hands. We were not wasting time trying to solve problems we shouldn’t have had in the first place.” – Vera Tucci, Founder and CEO, T-Consulting

Hear how T-Consulting integrated Webroot® Business Endpoint Protection, DNS Protection, and Security Awareness into its RMM, enabling its team members to take back their time and refocus their efforts on business priorities and revenue-generating tasks in CEO Vera Tucci’s video testimonial.

Watch the video on YouTube.

Targeted assets: The need for cyber resilient infrastructure

Aging infrastructure in the United States is not confined to crumbling roads and bridges. Recent events have shown that connected devices in our pipelines, water treatment facilities and power grids are also vulnerable to exploitation.

As of now, we still don’t know much about the ransomware attack against the operators of the Colonial Pipeline. Details about how and when cybercriminals were able to compromise Colonial’s network have yet to emerge. The FBI has confirmed that Darkside, a ransomware as a service (RaaS) group, was behind the attack but background on that group is about the only place where information is plentiful.   

We still don’t know if a ransom has been paid. Or if Colonial was able to completely isolate its operational network from its corporate systems – the intended target of the attack according to the company – or if Darkside could have bridged that gap.

Based on Darkside’s own statements and analyses of its past behavior, experts believe the attack wasn’t intended to seriously disrupt the nation’s gasoline supply or cause major harm to its critical infrastructure. But that’s beside the point.

It was enough for states of emergency to be declared up and down the Eastern seaboard and for the federal government to issue warnings to other utility providers to be on the lookout for similar attacks.  

And this cyberattack against critical infrastructure is far from the first of its kind and unlikely to be the last. A 2019 attack on a power grid control center responsible for supplying several sites in the Western U.S. was considered a near miss in which the country got off easy.

Early this year, remote access software at a water treatment facility in Oldsmar, Florida was compromised and hackers used the access to attempt to increase the concentration of a tissue-damaging chemical normally used to prevent the corrosion of pipelines. Only an attentive employee and the delay needed to get the added chemical into the water supply prevented serious harm.

The sorry state of cybersecurity in U.S. critical infrastructure is well-known within the industry. The rise of the Internet of Things (IoT) isn’t limited to the consumer sector. These devices help with automation and make industrial control systems (ICSs) smarter than they’ve ever been before, but cybersecurity is often an afterthought in their design if it’s one at all. One source claimed it was communication between an ICS and Colonial’s corporate networks, responsible for simplifying the billing process, that caused concern about the attack spreading to operational systems.

Making more cyber resilient infrastructure

After several shots across the bow have luckily not resulted in direct hits, what can we do to bring about a hardening of U.S. infrastructure cybersecurity? How can we prevent a replay of the 2017 attacks against Ukraine’s power grid from happening here?

Here are a few suggestions:

  • Don’t disincentivize cybersecurity investment. – Ransomware insurance isn’t a bad idea, but providers won’t subsidize poor security practices forever. We’re already seeing some pushback against companies who happily shell out for ransoms knowing a reimbursement will soon follow. Well-insured but under-protected organizations may have gotten away with it for a while, but surging ransomware incidents are ushering those days out the door.
  • Actively promote that investment. – Policy analysts who have studied this issue urge government, at whatever level, to ensure that critical infrastructure providers have the financial wiggle room to invest in better cybersecurity. Designing these investment incentives is beyond the scope of this post, but our near misses should make it clear that this is a national security imperative. Even private companies like Colonial, until now under less pressure than a public utility to account for compromises, should be invited in.
  • Don’t forget to secure corporate networks, too. – Just because the computer in the lobby of corporate HQ can’t crank up the sodium hydroxide in the drinking water doesn’t mean it’s not worthy of an antivirus. If access between corporate and operational networks exists, it can be exploited by determined cybercriminals. Endpoint protection for all devices and network-level security are the bare minimum. And with phishing attacks enabling the majority of breaches year after year, it’s important to train workforces on how to spot them.
  • Make smarter ICSs more secure. – IoT devices are not going anywhere. Their applications are many and varied and they make us more effective. But they’re seldom designed with cybersecurity in mind. In high-stakes applications like water treatment, oil and gas delivery and power distribution, this cannot be taken for granted. Manufacturers should consider OEM applications for threat intelligence feeds that make their smart devices more secure. This problem has been well studied but should be addressed with greater urgency.

For the time being, fears of major damage and prolonged fuel shortages from the Colonial Pipeline attack may prove unfounded. But we need to act deliberately now in order to avoid relying on the same luck in the future.

We explored the dangers of pirated sport streams so you don’t have to

Coauthored by Dominick Bitting, Sr. Threat Research Analyst, and Colin Maguire, Web Content Specialist.

Manchester City win the Carabao Cup Final, many illegal streamers lose

The COVID pandemic has led to a surge in content consumption as people stayed home and turned to Netflix, YouTube and other streaming services for entertainment. Not everyone agrees with paying for the latest episode or album, however, and this rise has run parallel with a rise in digital piracy.

Piracy is widespread and – ethical issues aside – makes for an interesting case study from a threat research perspective. In terms of sports, European football is the most commonly pirated, making up more than a quarter of all illegal sports streams according to one recent study.

There is a sizable online community that shares bootlegged movies, TV and live sports streams without copyright protection over HTTP/HTTPS. Sites streaming pirated sports, specifically the English football “free-to-view” sites, were the subject of an April 2021 Webroot study on the week of the Carabao Cup final game between Manchester City and Tottenham Hotspur.

This was not meant to be an exhaustive study, but rather focused on getting a snapshot of the dangers involved in spending 90 minutes illegally streaming a match online.

The sites we analysed

We analysed a total of 20 sites in the study, of which 12 “game sites” were analysed in greater detail for the duration of the Cup Final. 92 per cent of illegal streaming sites analysed by Webroot were found to contain some form of malicious content.

Site Ratings

Sites ranged from having a “trusted” Webroot BrightCloud® reputation score of 92 to an “untrusted” rating of 44. All sites at time of testing had a safe, zero-detection rating in VirusTotal except for one, “daddylive”, with a rating of 1/85.

However, when examined more closely, most hosting IPs were found to have hosted malicious content (such as some serious malware) in the past, and had connections to other high-risk IPs. Some of the sites caught our attention for leading to a massive amount of URLs. For instance, rojadirecta[.]me pulled 565 different URLs. We focused most of our attention on these suspicious sites.

Figure: VirusTotal graph for hulkstreams. Contextual graphs such as these show the relationships between web hosts and dropped malware.
Figure: BrightCloud’s Threat Investigator showing contextual information for jokerstream.

Insecure Sites

Most of the sites analysed were insecure and running plain HTTP. The lack of security on these sites means any personal data shared across the site’s connection is out in the open. While the more secure HTTPS isn’t always a guarantee a site is completely safe, the lack of a certificate and transport encryption were red flags, making sharing details or sensitive information risky.

Malvertising/Dishonest links

Most of these sites (more specifically the advertising on these sites) use dishonesty and social engineering to fool users into opening links, enabling an action on their browser or downloading a file they never intended to. This is done using an array of tricks like fake “X” boxes on video overlays, false “notification enable” messages and outrageous promises and warnings.

Redirects

Redirects are not bad in and of themselves, but when links jump between a number of unrelated sites (e.g. sports to dating to bitcoin to online shopping) this is a definite red flag. And we observed it a lot on illegal streaming sites. This signals that the site or site network admins must constantly change what their links direct to as they introduce new URLs. The presence of zero-day (or brand new) sites is a related bad indicator when looking at any site and its connected IPs.
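The two indicators described above, hops between unrelated site categories and landing on brand-new domains, can be turned into a simple scoring heuristic. The following is an added example and not part of the Webroot study or its tooling: the redirect chains, the category labels and the first-seen dates are all constructed for illustration, standing in for what a URL-classification service and WHOIS or passive DNS lookups would supply in practice.

```python
"""Heuristic scoring of a redirect chain for two red flags:
hops between unrelated site categories and landing on brand-new domains.
Added example; the category labels, first-seen dates and chains below are
constructed for illustration and are not real measurements."""
from datetime import date
from urllib.parse import urlparse

# Constructed category labels per registrable domain. In practice these would
# come from a URL-classification service (assumption).
CATEGORIES = {
    "streamsite.example": "sports",
    "dating-offer.example": "dating",
    "coin-profit.example": "cryptocurrency",
    "shop-deals.example": "shopping",
}

# Constructed first-seen dates. In practice: WHOIS or passive DNS (assumption).
FIRST_SEEN = {
    "streamsite.example": date(2018, 3, 1),
    "dating-offer.example": date(2021, 4, 20),
    "coin-profit.example": date(2021, 4, 24),
    "shop-deals.example": date(2016, 1, 9),
}


def registrable_domain(url):
    """Approximate the registrable domain as the last two hostname labels.
    Adequate for the constructed examples; real code should consult the
    Public Suffix List to handle multi-label suffixes such as co.uk."""
    host = urlparse(url).hostname or ""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def score_chain(chain, today=date(2021, 4, 25), new_domain_days=30):
    """Score an ordered list of URLs visited during a redirect chain.

    Returns the distinct registrable domains in order of first appearance,
    the category of each, how many hops changed category, which domains were
    first seen less than new_domain_days ago, how many hops used plain HTTP,
    and a verdict with the reasons behind it.
    """
    domains = list(dict.fromkeys(registrable_domain(u) for u in chain))
    categories = [CATEGORIES.get(d, "unknown") for d in domains]
    category_changes = sum(1 for a, b in zip(categories, categories[1:]) if a != b)
    new_domains = [
        d for d in domains
        if d in FIRST_SEEN and (today - FIRST_SEEN[d]).days < new_domain_days
    ]
    # Plain-HTTP hops expose the user's requests in the clear; reported as an
    # indicator but not counted as suspicious on their own.
    http_hops = sum(1 for u in chain if urlparse(u).scheme == "http")

    reasons = []
    if category_changes >= 2:
        reasons.append(f"{category_changes} hops between unrelated categories")
    if new_domains:
        reasons.append("newly seen domains: " + ", ".join(new_domains))

    return {
        "domains": domains,
        "categories": categories,
        "category_changes": category_changes,
        "new_domains": new_domains,
        "http_hops": http_hops,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }


# Constructed chain resembling the pattern described in the text:
# sports stream -> dating -> cryptocurrency -> online shopping.
SUSPICIOUS_CHAIN = [
    "https://streamsite.example/watch/final",
    "https://go.dating-offer.example/?ref=stream",
    "https://coin-profit.example/landing",
    "https://shop-deals.example/offer",
]

# Constructed chain of a site simply upgrading to HTTPS and moving to its
# own www host: one registrable domain, no category change.
BENIGN_CHAIN = [
    "http://streamsite.example/watch/final",
    "https://streamsite.example/watch/final",
    "https://www.streamsite.example/player",
]

if __name__ == "__main__":
    for name, chain in (("suspicious", SUSPICIOUS_CHAIN), ("benign", BENIGN_CHAIN)):
        result = score_chain(chain)
        print(name, "suspicious" if result["suspicious"] else "ok", result["reasons"])
```

The thresholds (two category changes, thirty days of domain age) are deliberately simple; in a real pipeline they would be tuned against the classification feed being used, and the registrable-domain logic would use the Public Suffix List rather than the two-label approximation here.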

Types of threats we saw on pirated streaming sites

Bitcoin scams

“With cryptocurrency values soaring again, executable based cryptojacking has been on the rise.”
Webroot’s 2021 Threat Report

We observed targeted and localised bitcoin scams promising riches and asking users for banking details. The prices of Bitcoin and other cryptocurrencies have been booming over the last year, and the rise and fall of these prices affects cryptocrime levels. We observed convincing ads and websites that link directly to fake news sites or feature local(ised) celebrities and politicians selling scams.

An example of a bitcoin scam site that has been localised to appeal to users browsing with an Irish IP address

This “Mirror” fake news page is clearly designed to copy the popular UK newspaper. It is a front for a “get rich quick” scam designed to gather users’ cash and personal details. Different versions of this scam have been observed localised for different countries. This was pushed on the vipleague[.]lc streaming site.

“Appearing on the ‘BBC Breakfast’ show, Bill Gates revealed that he invested substantial amounts of money. The idea was simple: allow the average person the opportunity to cash in…”
Text from one scam we witnessed

An example of a bitcoin scam site that has been localised to appeal to users browsing with a UK IP address
A fake AV scam claiming to have found threats on your machine.

Hijacked search results

Hijacking browsers allows cybercriminals to switch a user’s default browser and take over its notifications. This means different search results are served up or users can be spammed with junk notifications and explicit content. Even if users shut down their laptops, the changes will remain.

Notification hijacking

Users looking to watch a stream are also tricked into allowing notifications, which bombard them with explicit and extreme content, as well as scams and links to other malicious sites.

Users of Technoreels are asked to allow notifications to see a stream. This button does not need to be clicked to view content so the messaging is dishonest and those that allow the content will get constant notifications for porn, dating, scams and other content.
An example of spam browser notifications. This one was localised to appear for German IP addresses.

Browser Hijacker

Links on jackstream push users into installing a browser hijacker known as mysearchflow.com, which is blocked as Spyware/Adware by Webroot. Clicking on the stream causes a popup which asks to allow notifications. These particular notifications were pop-up ads appearing in the screen’s right corner that were very intrusive and not easy to disable.

Mobile Threats

All these sites supported mobile browsing, and their advertising, social engineering and malicious content targeted mobile users, too. For instance, links pointed to fake mobile apps with privacy issues and useless in-app purchases ranging from £2.09 – £114.99. It’s important for users to note that many of these mobile apps can also be installed on PCs and are often difficult to remove. Here’s a mobile advertisement from hulkstreams.com that earns clicks by claiming a device is infected with viruses.

Figure 2 The initial false “Google” warning on Hulkstreams pushing

We installed and ran this particular product. It turned out to be an example of fleeceware, a type of malware that tries to sneak excessive fees past subscribers. It had over 10 thousand downloads on the Google Play store already. The product offered in-app purchases ranging from £2.09 – £114.99 per item and has since been marked as malicious by our threat intelligence.

Figure 3 After installation the app incorrectly advises that you have “several trojans” and then offers to “repair your device”. This is a front for pushing more bogus upgrades and charges.

The sites we analysed. Starred sites indicate “game sites.”
hulkstreams.com*
jackstreams.com*
0eb.net*
jokerswidget.com*
strims.world*
livetotal.tv*
vipleague.lc*
fotyval.com*
footybite.com*
daddylive.co/*
elixx.me/schedule.html*
hdstreamss.club/*
liveonscore.tv/
red.soccerstreams.net/
www.blacktiesports.net/soccerstreams/
www.hesgoal.com/
www.ovostreams.com/soccer-streams.php
www.sportnews.to/schedule/
www.sportp2p.com

Our advice

Since pirate streams operate outside the law, they often sell advertising space to entities that are also operating outside the law. Although we found some advertising from reputable vendors, we would not recommend visiting these sites for the good of your overall online safety.

We do recommend that, when browsing any site on the web, users update their software and operating systems, employ AV and anti-phishing detection, and double-check any links before clicking, especially when they profess to offer something that seems too good to be true.