Top 5 Cyber Security Threats of 2020

The year 2020 will go down in history as the year the world was struck by the COVID-19 pandemic resulting in large numbers of hospitalizations and deaths. The pandemic also had a major impact on computer networks and computer systems as many businesses implemented telework solutions. The overall increase in the number of individuals using computers, the internet and more specifically cloud-based solutions, created more opportunities for the emergence of cyber threats and attacks across the globe. Below are our top 5 cyber threats of 2020.

More Sophisticated Phishing Attacks – A phishing attack occurs when an attacker sends an email to an unsuspecting user containing either an attachment or a hyperlink. When the user either opens the attachment or clicks on the hyperlink the payload the attacker sent is activated. The payload usually initiates a software installation of some kind usually designed to either ex-filtrate data from the affected system or take up residence on the machine in hopes of later exploiting the machine itself or the network the machine resides on. 2020 has seen a significant increase in both the amount and sophistication of phishing emails across the business community to include even more targeted spear phishing and whale phishing types of attacks. The best prevention against limiting successful attacks is simply, user education. Phishing campaigns designed to keep users readily mindful of phishing attempts can be an effective prevention measure. Tips on how to recognize a phishing attack are available online or from cyber security professionals at your place of employment.

New variants of Ransomeware – New strains of ransomware have continued to ravage networks and individuals around the globe. A few new variants include Cerber. Cerber targets cloud-based Microsoft 365 users and has impacted millions of users using an elaborate phishing campaign. This type of malware emphasizes the growing need for SaaS backups in addition to on-premise. Another strain is named NotPetya. NotPetya is a  variant of Petya, a strain of ransomware first seen in 2016. However, researchers now believe NotPetya is instead a malware known as a wiper with the sole purpose of destroying data instead of obtaining a ransom. Lastly, Locky’s approach is similar to many other types of ransomware. The malware is spread in an email message disguised as an invoice. When opened, the invoice is scrambled and the victim is instructed to enable macros to read the document. When macros are enabled, Locky begins encrypting a large array of file types using AES encryption. The best means of defense and protection still remains a good off-site backup of any critical data.

IOT Attacks – Internet of Things system intrusions still present a clear and present danger in today’s internet-powered world. Companies of all sizes and in all sectors are exposed, as long as they utilize non-security minded and configured IoT systems to make critical operational decisions, remotely and in real time. Such systems include, “Inventory trackers, temperature controls, or any type of IoT device that is gathering actionable data are at risk of an attack,” says Mike Nelson, Vice-President of IOT for Digicert. “The hacker either embeds malware on the device causing it to report inaccurate values, or, the hacker performs a man in the middle attack and manipulates the values as they are passed from the device.”

Botnet Attacks using AI machine learning capabilities – The first half of 2020 saw an increase in attacks and threats directed at Operational Technology (OT) and Internet of Things (IoT) networks. According to Nozomi Networks, a large number of the attacks were from from IoT botnets. Some of the IoT botnets that continue to present a threat in 2020 include Dark Nexus (derived from Qbot and Mirai), Mukashi, LeetHozer, Hoaxcalls, and Mozi.m. The CSDE issued an International Botnet and IOT Security guide for 2020 in an attempt to share information amongst various stakeholders and IT communities who need to protect their networks.

Cloud Jacking – Cloud jacking involves the compromise and subsequent hi-jacking of cloud-based accounts. Such accounts have significantly increased in usage as a result of the COVID-19 pandemic. To protect against cloud-jacking, businesses and individuals should implement multi-factor authentication technologies to additional requirements to achieve successful logon. Organizations should also consider the use of VPN technologies and private cloud network configurations to restrict network locations logon sessions can be initiated from.

As described by Mr. Lenny Zeltser, malware analysis can occur in 4 distinct phases. These steps and methods are listed in order from easiest to hardest. They are:

Fully Automated Analysis

Static Properties Analysis

Interactive Behavior Analysis

Manual Code Reversing

Fully automated analysis involve the use of tools that scan files and produce reports on its findings. Such tools are usually commercially developed with canned reports and recommendations on how to address malware. The downside of fully automated tools is they often don’t provide as much insight about a piece of malware as a investigator would using more manual processes.

The next step and\or method of analyzing malware is examining the static properties of a file. Static properties include things like hashes, file header details, packer signatures and metadata. This type of information helps to identify malware quickly which allows for quick searches for known ways to address it. This method can be very effective for widely known pieces of malware but not for more unique ones where not as much information may be available to identify and address it.

The next step or method is interactive behavioral analysis. This involves a technician with the appropriate skill sets to actually run and observe the malware in a number of controlled environments. The malware may run in an isolated lab environment or it could run in an environment that allows it to connect back to command and control servers elsewhere. When this is done the technician is able to monitor and in some cases duplicate the behavior of the malware which ultimately allows for a much deeper understanding of how the malware works and what it is capable of. The most important aspect of this method is the skill sets of the person performing the work. It would be helpful if the person had a background in network administration and some coding experience as well.

Fully automated analysis involve the use of tools that scan files and produce reports on its findings. Such tools are usually commercially developed with canned reports and recommendations on how to address malware. The downside of fully automated tools is they often don’t provide as much insight about a piece of malware as a investigator would using more manual processes.

The next step and\or method of analyzing malware is examining the static properties of a file. Static properties include things like hashes, file header details, packer signatures and metadata. This type of information helps to identify malware quickly which allows for quick searches for known ways to address it. This method can be very effective for widely known pieces of malware but not for more unique ones where not as much information may be available to identify and address it.

The next step or method is interactive behavioral analysis. This involves a technician with the appropriate skill sets to actually run and observe the malware in a number of controlled environments. The malware may run in an isolated lab environment or it could run in an environment that allows it to connect back to command and control servers elsewhere. When this is done the technician is able to monitor and in some cases duplicate the behavior of the malware which ultimately allows for a much deeper understanding of how the malware works and what it is capable of. The most important aspect of this method is the skill sets of the person performing the work. It would be helpful if the person had a background in network administration and some coding experience as well.

The last method I will discuss is manual code reversing. This method requires the use of a code disassembler and a debugger which could be accompanied by a de-compiler, various plug-ins and other tools as needed. The ability to capture and dump the contents of the memory of a system is important as well. Reverse engineering malware can provide the following benefits.

• Decoding of encrypted data stored by the malware
• Logic determination and algorithm generation
• Understanding other malware capabilities not discovered in other steps

All or one of the above methods can be used during the investigation of an incident or intrusion. It really depends a lot on the expertise of the technician performing the analysis, what information they are seeking, and how far he or she is willing to go to get it information. Reverse engineering will provide the most comprehensive understanding of a piece of malware when compared with the other methods. See a short video on protecting yourself from malware here. Click here to get review some malware analysis tools and techniques.

References

Zeltser, L. (2015, February 19). Mastering 4 Stages of Malware Analysis. Retrieved June 17, 2018, from https://zeltser.com/mastering-4-stages-of-malware-analysis/

Aubert, M. (2017, February 01). Malware Analysis for the Incident Responder. Retrieved June 17, 2018, from https://blogs.cisco.com/security/malware-analysis-for-the-incident-responder

Data Breaches

What is a data breach?

Generally, a data breach is a security incident where digital information is accessed or taken in an unauthorized manner. Enterprise risk management explains that there are five types of data breaches:

1. Malware
2. Phishing
3. Password Attacks
4. Ransomware and
5. Denial-of-Service

Malware is software whose purpose is to harm a device or computer. Phishing is a cyber attack that involves an attacker masquerading as a trusted entity to trick a user into willingly giving up sensitive information. Password attacks are those where an attacker guesses a users’ password through brute force or combination attacks. This attack is more often successful when the user has a weak password. Ransomware is when an attacker gets access to and holds data hostage until they get a reward. A denial-of-service attack is a breach in which an attacker manages to deny a user access to data they are authorized to look at. Physical theft can also cause a data breach.

Response and Preparedness

Data breaches can be complicated and costly to manage. The first way to prepare for data breaches is to have a preparedness plan in place before it occurs. A preparedness plan includes knowing who your first responders are. This should be a team with people familiar with the systems and security control of your organization and having a plan for how to identify and resolve the problem.

Here are 10 ways organizations can defend their networks and assets against a data breach:

1. Strong IT Policies
2. Strong Passwords
3. Strong anti-virus\anti-malware software
4. Strong firewall
5. Strong encryption
6. Security patching and Vulnerability scanning
7. User education
8. Data Loss Prevention capabilities
9. Log auditing
10. Backups

 

Prepared Plan Metrics

In the event a breach does occur the following metrics can be used to measure how effective an organization’s response is:

Mean Time to Identify (MTTI)

MTTI, which can also be called Mean Time to Detection (MTTD) measures how quickly an organization can identify an event and generate an alert. It determines how fast the organization is alerted when something suspicious happens anywhere in their digital environment. This metric is calculated by finding the difference between the start of any security event and its detection. Either by a technician or via monitoring tools. A detection skill ratio could be calculated by dividing the Mean Time to Resolution from the MTTI.

Mean Time to Notify (MTTN)

MTTN is a metric that measures the average time taken to notify a pre-determined list of contacts that a security incident has occurred. This metric is measured by finding the difference between the time someone is notified and the initial time the event was detected.

Mean Time to Analyze and Assess (MTTAA)

The time taken to contain and review the event. The mean time to analyze and assess an issue is the time it takes initial and second level responders to come to an understanding of what has occurred and then determine a way forward. Sometime the widespread nature and inevitable response of panic can lead to significant delays in properly assessing an issue and then charting a course forward for resolution. Once detected the MTTAA should not exceed 2 hours in most situations.

Time Taken to Gather Acquire an Image

This metric will measure the amount of time the chosen imaging tool takes to acquire an image of an affected device. This time will indeed vary depending on what kind of device is being imaged. The target times are as follows: 3 hours for workstation with a 500 GB or less hard drive. 1 hour for a tablet device. 2 hours for a cell phone device. 5 hours for a server. 2 hours for a network device. Should the tools chosen to acquire these kinds of images not be able to meet these target times an evaluation will be done to understand why and if another tool should be procured.

Escalation to a Higher or More Technical Individual or Team

Some security incidents require an escalation to a more advanced individual, engineer or team of individuals to assess and handle. This metric will measure, if necessary, how long it took the initial response team to escalate to a higher level of support. Processes should be established to clearly delineate when an escalation should occur to avoid significant delays in resolution of issues. The target time on this metric will vary depending on the incident but in general should not exceed 2-4 hours.

Mean Time to Fix (MTTF)

The MTTF metric can be used to measure the amount of time it takes to restore a service or a system or anything that causes a service outage. This includes infrastructure being taken offline due to a security incident or event. This could be a workstation for a user or it could be a server that houses lots of data and provides a service to the network. Depending on the organization a target time to fix should be 72 hours. This is an aggressive target but in many cases, it may be possible replace a system instead of making the impacted system operational again.

Mean Time to Know (MTTK) – The Root Cause of an Incident

The MTTK metric measures the amount of time it takes to determine the root cause of a security incident and the full extent of the incident including all who were affected and any data that may have been compromised. Depending on the organization a target MTTK time should be 30 days. As tools and experience increase on the team it is very possible that this time will decrease but it should certainly not increase. This includes the production of a formal root cause analysis report.

Mean Time to Verify (MTTV)

The MTTV metric can be used to measure the amount of time it takes to confirm the satisfactory resolution of a security incident with the parties affected. Depending on the organization the target time for this metric should be 14 days after the root cause report has been produced and finalized. This metric attempts to ensure that every stakeholder affected has received the best possible resolution to their issue that can be afforded.

Mean Time Between Security Incidents

As the security posture of the network improves, it is rational to expect there to be less security incidents. Therefore, one of the metrics that should be monitored is the average time between security incidents. Depending on the organization an ideal target time for this metric is 6 months. This time should continue to get longer as security practices and safeguards improve. If it is less than the target time an investigation into what can be done to meet the target time should be conducted.

Mean Time to Resolution (MTTR)

The MTTR metric is one that takes into account a few aspects of metrics listed above to measure them altogether. Those aspects include:

1. Collection of evidence
2. Validation of evidence
3. Reaction to evidence

 

Rouse, M. (2017, December). What is data breach ? – Definition from WhatIs.com. Retrieved from https://searchsecurity.techtarget.com/definition/data-breach

Written by: Marshall Frett & Pamela Katali

Loyphish – Malicious Software

PWS:HTML/Loyphish.G, more commonly referred to as Loyphish, is a type of attack that involves visiting a phishing page, which is a malicious webpage used to steal your login credentials. It belongs to be a member of the PWS:HTML/Phish family. In most cases it disguises itself as a legitimate banking webpage and attempts to trick you into completing a login attempt. While you may think you are submitting your sensitive data to your respective bank, you have actually submitted your information to a remote attacker. Attackers use images, logos, and verbiage to persuade you into thinking you are visiting the bank’s authorized website. The webpage itself can be really annoying. It pops up often when you browse or use a search engine to find information. In short, you cannot use the Internet normally. In addition, there are a lot of threats in its webpage;  threats that will be installed onto your computer when you visit the webpage. So please keep in mind, PWS:HTML/Loyphish.G is definitely a virus with a high level of risk. It needs to be removed immediately before it installs more and more threats onto your computer.

Having an understanding the major types of malware in use can help you make informed decisions about acquiring tools to protect your computer. To prevent infection from any of these threats, be sure to use up-to-date antivirus software and ensure your firewall is enabled on your computer. Be sure to install the latest updates for all of your installed software and always keep your operating system current. Finally, be cautious when visiting unknown websites and opening email attachments.

Solution

Details for a Solution – Remove PWS:HTML/Loyphish.G Manually by Yourself

Step one– Boot your computer into Safe Mode With Networking.

To perform this procedure, please restart your computer. -> As your computer restarts but before Windows launches, tap “F8″ key constantly. -> Use the arrow keys to highlight the “Safe Mode with Networking” option and then press ENTER. -> If you don’t get the Safe Mode with Networking option, please restart the computer again and keep tapping “F8″ key immediately.

Step two – open your Task Manager by pressing Ctrl+Alt+Delete keys and then stop the PWS:HTML/Loyphish.G process:

[random name].exe of PWS:HTML/Loyphish.G

Step three– delete the following files created by PWS:HTML/Loyphish.G in Local disk C hard drive:

%UserProfile%\[random].exe
%ProgramFiles%\Internet Explorer\Connection Wizard\[random]
%Windir%\Microsoft.NET\Framework\[random].exe
%System%\[random].exe
%Temp%\[random].bat

Step four – open your Registry Editor program by navigating to Start Menu, type in Regedit, and then click OK. When you have been in Registry Editor, please delete the following registry entries associated with PWS:HTML/Loyphish.G:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\[random]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\[random]
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\[random]
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\svflooje\Enum\[random]

 

 

 

;

References:

Armendariz, T. (Aug. 25, 2017).  Top Malware Threats and How to Protect Yourself. Retrieved from https://www.lifewire.com/top-malware-threats-153641

Facinelli, M. (Oct. 14, 2012). Manually Remove PWS:HTML/Loyphish.G – to Get Rid of PWS:HTML/Loyphish.G Infection Completely. Retrieved from https://blog.teesupport.com/manually-remove-pwshtmlloyphish-g-to-get-rid-of-pwshtmlloyphish-g-infection-completely/

 

 

Ransomware is a type of malware that prevents or limits users from accessing their computer systems, either by locking the system’s screen or by locking the users’ files via encryption unless or until a ransom is paid. Security experts have warned that ransomware is the fastest growing form of computer virus. Like other computer viruses, it usually finds its way onto a device by exploiting a security hole in vulnerable software or by tricking somebody into installing it.

Prevention and Protection

The best protection against ransomware attacks appears to be good backups of the system before it was infected. Backups should be kept off-site as much as possible. Cloud backup services like that of Carbonite are a good option. Also anti-virus\anti-malware software should be used to alert on activity like the encrypting of files or other than normal behavior. At the time of this post Trend Micro’s offering is a good option. User education on this topic is another means of protecting networks against infiltrations. Security departments should conduct frequent phishing exercises designed to teach users the methods used to entice them to click on links that install malicious software.

Ransom Prices and Payment

Ransom prices vary depending on the ransomware variant and the price or exchange rates of digital currencies. Ransomware payments are typically made using bitcoin or similar technology. Bitcoin is a new currency that was created in 2009 by an unknown person using the alias Satoshi Nakamoto. Transactions are made with no middle men – meaning, no banks! There are no transaction fees and no need to give your real name. More merchants are beginning to accept them: You can buy webhosting services, pizza or even manicures. Several marketplaces called “bitcoin exchanges” allow people to buy or sell bitcoins using different currencies. Mt. Gox is the largest bitcoin exchange.

 

Links to articles of ransomware attacks:

San Francisco Metro System Attack

MedStar Health System Attack

Texas Police Department Attack

 

References:

CNN Money. (N.D.) What is a Bitcoin. Retrieved from http://money.cnn.com/infographic/technology/what-is-bitcoin/

Trend Micro. (N.D.) Ransomware. Retrieved from https://www.trendmicro.com/vinfo/us/security/definition/ransomware