Threat Intelligence Blog


Antony Cleal

Week in review 20 October 2019: password-cracking techniques used by hackers, lack of security training leaves firms open to attack, ransomware expected to dominate 2020, Interpol BEC campaign


Round up of the most significant open source stories of the last week

Links to articles are for interest and awareness and linking to or reposting external content does not endorse any service or product, likewise we are not responsible for the security of external links.


The top ten password-cracking techniques used by hackers

Think your passwords are secure? Think again

Understanding the password-cracking techniques hackers use to blow your online accounts wide open is a great way to ensure it never happens to you.

You will always need to change your password eventually, and sometimes more urgently than you think, but mitigating against theft is a great way to stay on top of your account security. You can always head to www.haveibeenpwned.com to check if you're at risk, but simply assuming your password is secure enough not to be hacked is a bad mindset to have.

So, to help you understand just how hackers get your passwords – secure or otherwise – we've put together a list of the top ten password-cracking techniques used by hackers. Some of the below methods are certainly outdated, but that doesn't mean they aren't still being used. Read carefully and learn what to mitigate against.

More here: https://www.itpro.co.uk/security/34616/the-top-ten-password-cracking-techniques-used-by-hackers


Lack of IT security training leaving businesses open to data breaches

Even security departments could use extra classes, new report suggests.

When it comes to the workforce, everyone needs a little extra IT education, even those working in IT departments. This is according to a new report, which concludes that there is still a lot to do to eliminate the ever-present skills shortage. It also says that there is a world of difference between the faith businesses have in their cybersecurity solutions and their general awareness of how secure they really are.

The report says that 61 per cent of organisations would like to see their workforce trained more in cybersecurity awareness, and two fifths would like some of that training for their software development teams as well. Just under a third (29 per cent) believe the same is required for their IT operations team.

Full article here https://www.itproportal.com/news/lack-of-it-security-training-leaving-businesses-open-to-data-breaches/


Ransomware predicted to continue to dominate cybercrime in 2020

Security teams acting as ‘first responders’ for cyberattacks get an interesting perspective on cybersecurity, both in terms of exactly which attacks are really hitting organisations and how they affect them, and in terms of understanding the motivations of those launching the attacks. Overwhelmingly, the attacks these teams see are intended to extort or steal money. These teams believe that the threats we will see in 2020 will not be very different from those we already know all too well. While these teams occasionally deal with some advanced new threats, these are always massively outnumbered by common-or-garden email fraud, ransomware attacks and well-worn old exploits.

Full article: https://www.techradar.com/uk/news/ransomware-to-dominate-cybercrime-in-2020


The Top 10 Ransomware Types Hitting Businesses in 2019

The ransomware landscape in 2019 has remained alarmingly lively, with hackers continuing to see value in targeting enterprises, public bodies and governments, sometimes with targeted and sometimes with spray-and-pray approaches. Now, analysis by New Zealand-based anti-malware firm Emsisoft of 230,000 incidents between April 1 and September 30, 2019 reveals the top 10 ransomware strains to look out for.

1 STOP (DJVU)

The STOP ransomware strain, also known as DJVU, has been submitted to the ID Ransomware tool over 75,000 times, which only represents a sliver of the systems it may have affected worldwide.

STOP affects the systems of home users and can easily be picked up by downloading unsecured files from torrent sites. Once the infection begins, the STOP malware uses AES-256 encryption to lock the system's files, followed by a payment demand issued to the user. It is by far the most common submission to ID Ransomware, accounting for 56 percent of all submissions.

2 Dharma

The Dharma variant not only locks a system, but also instructs the victim to contact a specific email address where they are expected to negotiate the release of their files. Dharma is a cryptovirus which is pushed onto systems via malicious download links and email hyperlinks.

Operating in the threat landscape since 2016, Dharma is part of the .cezar family. It mainly targets enterprises. Dharma accounted for 12 percent of submissions.

3 Phobos


Phobos, either named after the Martian moon or its namesake the Greek god of fear, is a ransomware variant that makes up 8.9 percent of all submissions.

It is mainly spread via exploitation of insufficiently secured Remote Desktop Protocol ports. Phobos has been seen in the wild attacking corporations and public bodies indiscriminately. In a similar manner to Dharma, this ransomware locks your files and then requests that you contact the attacker directly to negotiate their release.

4 GlobeImposter

GlobeImposter makes up 6.5 percent of all submissions to the ID Ransomware tool. GlobeImposter is the next evolution of previous strains of the variant. What makes it different is that it uses AES-256 cryptography to encrypt a victim’s files before it issues a bitcoin payment demand.

5 REvil

REvil, also known as Sodinokibi, was first discovered in 2019, and security researchers believe that it was developed by the same threat actors who created GandCrab.

Emsisoft notes that Sodinokibi is seen as a “Ransomware-as-a-service that relies on affiliates to distribute and market the ransomware. It is extremely evasive and uses advanced techniques to avoid being detected by security software.”

The attack vectors for this variant include exploiting a vulnerability in Oracle WebLogic and more traditional methods such as phishing campaigns. It makes up 4.5 percent of submissions.

Figure: Countries most affected by ransomware (credit: Emsisoft)

6 GandCrab

According to Europol the GandCrab ransomware variant has infected nearly half a million victim systems since it was first detected at the start of 2018. It accounts for 3.6 percent of submissions.

The GandCrab virus infects and encrypts all the files within a user’s systems. Originally the ransomware was distributed via exploit kits such as RIG EK and GrandSoft EK. Cybersecurity company Bitdefender has created a useful decryption tool to help mitigate GandCrab lock-outs.

7 Magniber

Magniber has been around in one form or another since 2013, but it still accounts for 3.3 percent of submissions.

Cybersecurity firm Malwarebytes has been tracking this variant for some time and noticed that it is continually evolving. Of one of the latest versions they state: “Each file is encrypted with a unique key—the same plaintext gives a different ciphertext. The encrypted content has no patterns visible. That suggests that a stream cipher or a cipher with chained blocks was used (probably AES in CBC mode).”

8 Scarab


The Scarab ransomware was first discovered in June 2017. The malicious software uses the encryption algorithms AES-256 and RSA-2048 to lock the files on a targeted system. It makes up 2.0 percent of submissions.

Cyber security firm Symantec notes that: “Many of Scarab’s campaigns focus on distributing the group’s custom malware (Trojan.Scieron and Trojan.Scieron.B) through emails with malicious attachments. These files contain exploits that take advantage of older vulnerabilities that are already patched by vendors. If the attackers successfully compromise the victims’ computers, then they use a basic back door threat called Trojan.Scieron to drop Trojan.Scieron.B onto the computer.”

9 Rapid

Rapid accounts for 1.8 percent of submissions. It is ransomware that acts as a trojan horse to encrypt files and then demands a ransom.

Rapid burst onto the scene in 2018. When it infects a system it removes all of the Windows shadow volume copies, stops all database processes and takes automatic repair offline. Once files are encrypted, like the others it issues a ransom demand.

10 Troldesh

Troldesh also known as Shade accounts for 1.4 percent of submissions. Troldesh is a Trojan horse that locks files in a system via an encryption method. The malware has been around since 2014, but is still used in many active ransomware campaigns.

Malwarebytes followed one such campaign and noted that: “Spread by malspam—specifically malicious email attachments. The attachments are usually zip files presented to the receiver as something he “has to” open quickly. The extracted zip is a Javascript that downloads the malicious payload (aka the ransomware itself). The payload is often hosted on sites with a compromised Content Management System (CMS).”

Original article here: https://www.cbronline.com/news/ransomware-2019


Interpol new campaign to raise awareness of Business Email Compromise (BEC) urges public #BECareful of BEC Fraud

THE HAGUE, The Netherlands – What would you do if you received an email from your company’s CEO asking you to make an urgent payment?

What if a long-time supplier asked you to send all future payments to a new account at a different bank?

Would you immediately make the payment or change the banking details? Or would you first double-check through a different channel that the requests were genuine?

If you would make the payment, you just might become the next victim of a growing type of fraud – business email compromise, or BEC fraud.

Through a new public awareness campaign launched today, INTERPOL is encouraging the public to #BECareful about BEC fraud and know the warning signs to avoid falling into the criminals’ trap.

Full article here: https://www.interpol.int/News-and-Events/News/2019/INTERPOL-urges-public-to-BECareful-of-BEC-fraud


'Sextortion botnet spreads 30,000 emails an hour’

A large-scale “sextortion” campaign is making use of a network of more than 450,000 hijacked computers to send aggressive emails, researchers have warned.

The emails threaten to release compromising photographs of the recipient unless $800 (£628) is paid in Bitcoin.

And they contain personal information - such as the recipient’s password - probably gathered from existing data breaches, to specifically target more than 27 million potential victims at a rate of 30,000 per hour.

While analysis suggests a small fraction of targets have fallen for the ploy, one expert said such botnets still offered a great “return on investment” for cyber-criminals.

Read more here: https://www.bbc.co.uk/news/technology-50065713


Fraud attacks see huge rise in 2019

In just half a year, fraud attacks against business-to-consumer (B2C) organisations have increased 63 per cent, according to a new global report by RSA.

The digital risk management experts claim that in the first half of 2019, we’ve had 140,344 fraud attempts made against B2C organisations of all sizes. Just half a year ago, in the second half of 2018, that number stood at 86,344.

The newest trend among fraudsters is mobile apps, it seems, as the report claims that fraud attacks originating from mobile apps rose by 191 per cent, hitting a total of 57,000.

Most of the malicious actors try to evade detection by using “new” devices. The proportion of these devices (known to RSA for less than 90 days) increased from 20 per cent to 80 per cent.

Financial malware also rose significantly in the same time period, growing 80 per cent in the first half of the year. Most of the time, fraudsters are using a modified version of the old Ramnit Banking Trojan, RSA says. It is used mostly to circumvent defences, as they distribute it via executable files downloaded and opened by unsuspecting victims.

Read the original article on ITProPortal here: https://www.itproportal.com/news/fraud-attacks-see-huge-rise-in-2019/


Smart home devices are being hit with millions of attacks

Hackers aim to build a botnet of smart devices, and poor security practices are allowing this.

Hackers want to hijack smart home devices to create large botnets and use them, for example, to launch powerful DDoS attacks.

According to a new report by Kaspersky, the number of attacks against smart home devices increased sevenfold compared to the same period last year.

In the first half of 2018, Kaspersky tracked 12 million attacks, originating from 69,000 unique IP addresses. A year later, the same company tracked 105 million attacks, coming from 276,000 IP addresses.

Kaspersky claims the attacks aren’t sophisticated, and they’re rarely done to destroy the device. Instead, hackers are trying extra hard not to be noticed, so the users may not even realise their devices are being exploited. Most of the time, hackers employ Mirai to build the botnet. Other notable mentions are Nyadrop and Gafgyt.

Sources of infection mostly originate from China, but Brazil, Egypt and Japan are also on the list.

https://www.itproportal.com/news/smart-home-devices-are-being-hit-with-millions-of-attacks/


The Security Risks of Cloud Computing Start With You

Do you know where your data is….

Cloud computing has quickly become a key part of the business model for many organisations, but it would be wise not to ignore the security risks of cloud computing, as doing so can incur major penalties.

The cloud comes with many key advantages, like lowering the cost for smaller firms to run compute-intensive business analytics, or, as in the case of UK challenger bank Monzo, allowing you to build a completely new business model that is powered by cloud computing.

Yet for all the myriad useful security tools that the leading cloud providers offer, which, configured correctly, are typically more than a match for on-premises systems, the security and maintenance of the data being stored or processed in the cloud is still the sole responsibility of the firms it belongs to, and errors start with misconfigurations.

Many simple mistakes stem from poor account management, which is why 29 percent of organizations experienced potential account compromises, 32 percent had simple configuration issues and 23 percent found critical patches missing.

https://www.cbronline.com/feature/security-risks-of-cloud-computin


Three quarters of IT execs surveyed do not use full vulnerability management solution

ManageEngine announced the findings of its “State of IT in the UK—2019” survey. Conducted by an independent research consultancy, the study of 400 IT decision-makers working in organisations of all sizes explores their experiences dealing with IT security, GDPR compliance and cloud migration, and investigates what technologies they see having a real impact in the future.

In 2017, ManageEngine launched a survey to evaluate the IT landscape in small and medium-sized enterprises (SMEs). The latest survey has been extended to include large organisations and enterprises. It has found that businesses of all sizes lack the ability to detect anomalous activity in their IT networks. While only 12% of respondents working in enterprises believe that their organisation has that capability, the corresponding figure in SMEs and large organisations fared slightly better (21%).

Other key findings include:

IT security concerns

  • 72% of all respondents don’t use a comprehensive vulnerability management solution to detect, assess, prioritise, patch and mitigate zero-day vulnerabilities in their network.

  • Only 21% of all respondents say they are capable of detecting complex attack patterns by correlating event information across devices and through user behaviour analytics (UBA).

  • In terms of using preventive practices to mitigate zero-day vulnerabilities, IT professionals in SMEs and large organisations state they do this more (24%) than their counterparts in enterprises (14%).

  • 31% of all respondents cite cost as the main barrier to securing additional resources for better IT security, while a lack of understanding of how poor their security is (22%) turns out to be the second biggest barrier.

Cloud adoption

  • 96% of SMEs use some form of cloud technology, a significant increase from 87% recorded in ManageEngine’s 2017 UK survey. The breakdown for SMEs is 39% private (vs. 21% in 2017), 37% hybrid (vs. 40% in 2017) and 20% public (vs. 26% in 2017).

  • The main reasons why SMEs are investing in cloud technology are security (55%), CRM tools (39%), business productivity (38%) and analytics and reporting (38%).

  • 79% of all respondents plan to increase their spending on cloud computing within the next 12 months.

GDPR compliance

  • Just over half (54%) of SMEs believe they are fully GDPR-compliant. In 2017, 81% of SMEs said they were prepared to meet GDPR requirements.

  • The reasons given by SMEs, large organisations and enterprises for not being compliant include working with legacy systems (48%), lack of awareness (43%) and lack of financial investment (42%).

  • The majority of enterprise respondents (70%) believe they are fully GDPR-compliant.

The way forward

  • The technologies deemed to have the most impact in the coming years for all respondents are artificial intelligence (43%), the Internet of Everything (37%) and machine learning (29%).

  • AI is more likely to play a big part in the business operations of enterprises (52%) than in the business operations of SMEs and large organisations (35%).

  • Companies of all sizes agree that all three technologies above will help reduce time spent on manual processes (59%), provide additional time to work more strategically with other business units (53%), help detect user and network anomalies (48%) and provide greater visibility into network issues (46%).

Original article here: https://www.vanillaplus.com/2019/10/03/48755-three-quarters-execs-surveyed-not-use-full-vulnerability-management-solution-mitigate-zero-day-weaknesses/


What Is a DDoS Attack? (Hint: It Involves Zombies & Traffic Jams)

A distributed denial of service (DDoS) attack is kind of like a traffic jam on a website

What is a DDoS attack and what does it mean for your website? Instead of jumping deep into technical details, let’s start with a real-world analogy that makes it really easy to visualize what a DDoS attack is…

Imagine, for a moment, that it’s a Sunday afternoon and you’re driving down the highway with your family, headed to your favorite picnic spot. You’re cruising down the highway at 70 miles an hour – it won’t be long before you’re at the park enjoying a lovely autumn day!

…That is, until you go around a curve and see this in front of you: It’s a traffic jam — going as far as the eye can see!

You check your GPS traffic report, only to see that the jam extends for miles and there’s no way around it. There’s no way you’ll make it to the park in time for your picnic.

That’s basically what a distributed denial of service (DDoS) attack is – lots of users (in this case, cars) that are jamming up a system (the highway) to deny you from accessing a service (the park).

Usually when we talk about DDoS attacks, the resource being denied is a website and the “traffic jam” was maliciously caused by a hacker. But the concept is the same as a traffic jam on the highway. Let’s dive into what DDoS means, the types of DDoS attacks, and methods of DDoS prevention.

Let’s hash it out.

What is a DDoS Attack? A Simple Definition

Since we’re all about making technical topics simple, let’s start with a basic answer to the question: What does DDoS mean (a.k.a. “What is a distributed denial of service attack”)?

As mentioned above, a DDoS attack is a bit like a traffic jam on a website (but it’s intentionally caused by a hacker).

Here’s a simple definition for the meaning of DDoS:

A DDoS (distributed-denial-of-service) attack is when a hacker makes a website or other service inaccessible by flooding it with requests from many different devices.

If you’ve also heard the term “DoS attack,” don’t let that confuse you. A DDoS attack is just a specific type of DoS (denial-of-service) attack — one that uses multiple computers/devices to attack with.

How Does a DDoS Attack Work? (Hint: It Involves Zombies!)

Just like a traffic jam floods a highway with more cars than it can handle, a DDoS attack floods a website with more requests (i.e. visitors) than the web server or other related systems can handle.

Many hackers use botnets (a.k.a. zombie computers) to execute DDoS attacks. A botnet is a way for a single person (hacker) to control thousands of devices at once.

Here’s how a botnet works to execute a DDoS attack:

Step 1: Building the Botnet

To create a botnet, a hacker needs a way to take control of thousands of devices — these could be computers, mobile phones, or IoT devices such as webcams or smart refrigerators.

There are quite a few ways the hacker could find and take control of these devices. For example, they might write a virus that propagates and gradually takes over more and more computers. Or, they might find a specific IoT device with a known vulnerability (for example, poor default login security) and build a bot to scan the internet and hack as many of those devices as possible.

If you want to read more about how hackers do this, check out our post on Hacking IoT Devices: How to Create a Botnet of Refrigerators.

Step 2: Controlling the Botnet

As the hacker takes control of each device, they’ll do something so it will obey any instructions the hacker sends to the device. (For example, installing a small program on it.)

There are a few different approaches the hacker can use (client-server model, P2P model based on digital certificates, etc.), but the end result is the same — the hacker can issue a command and all the devices in the botnet will do whatever the hacker instructed them to do.

Step 3: Executing the Attack

Once the hacker has thousands of devices at his beck and call, he can execute the DDoS attack. There are a few different types of DDoS attacks (more on that later), but the basic idea is the same: flood a web server with more requests than it can handle.

The attacker will typically research the target website carefully to identify a weakness to exploit, then craft a request that will target that vulnerability. Finally, the attacker will instruct their zombie computers to execute that request (repeatedly).

Here’s an example: Let’s say Bob’s botnet has 100,000 devices in it. He issues a command to the botnet to send an HTTP request to example.com once per second. That’s 60 visits per minute times 100,000 devices. That adds up to 360 million visits per hour, or 8.6 billion visits per day. That’s far more than most web servers are designed to handle. If the attack was planned well, the web server will be overloaded and any real people who try to visit the site will get an error message. DDoS attack success!
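The following is an added illustration, not part of the original article: a small rate-based check run over constructed web server log lines. It shows why a per-client request threshold alone misses a distributed flood in which every bot sends just one request per second (the "Bob's botnet" pattern above), while an aggregate requests-per-second threshold does catch it. All addresses, timestamps and the capacity limit are constructed assumptions.

```python
import re
from collections import Counter

# Combined-format access log line: "<ip> - - [<timestamp>] "<request>" <status> ..."
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def make_line(ip, second, path="/"):
    """Build one constructed access log line with a one-second timestamp resolution."""
    ts = f"20/Oct/2019:12:00:{second:02d} +0000"
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'


def parse_line(line):
    """Return (ip, timestamp) for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), m.group("ts")


def rates(lines):
    """Count requests per second overall and per (ip, second) pair."""
    per_second = Counter()
    per_ip_second = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of aborting the whole run
        ip, ts = parsed
        per_second[ts] += 1
        per_ip_second[(ip, ts)] += 1
    return per_second, per_ip_second


def detect_flood(lines, per_ip_limit=20, aggregate_limit=500):
    """Report which detector fired and the peak rates it observed.

    per_ip_limit:    requests per second tolerated from a single client (assumed)
    aggregate_limit: requests per second the site can serve (assumed capacity)
    """
    per_second, per_ip_second = rates(lines)
    peak_total = max(per_second.values(), default=0)
    peak_ip = max(per_ip_second.values(), default=0)
    return {
        "per_ip_alert": peak_ip > per_ip_limit,
        "aggregate_alert": peak_total > aggregate_limit,
        "peak_requests_per_second": peak_total,
        "peak_per_ip_per_second": peak_ip,
        "distinct_clients": len({ip for ip, _ in per_ip_second}),
    }


# Constructed traffic. NORMAL: one ordinary visitor. FLOOD: 600 hypothetical bot
# addresses, each sending exactly one request per second for five seconds, so no
# single client ever exceeds the per-IP limit. NOISY: one client hammering the site.
NORMAL = [make_line("203.0.113.5", s, "/index.html") for s in range(5)]
FLOOD = [
    make_line(f"10.{i // 256}.{i % 256}.1", s)
    for i in range(600)
    for s in range(5)
]
NOISY = [make_line("203.0.113.77", 2) for _ in range(50)]

if __name__ == "__main__":
    print("distributed flood:", detect_flood(NORMAL + FLOOD))
    print("single noisy client:", detect_flood(NORMAL + NOISY))
```

In the distributed case only the aggregate detector fires, which is the practical reason DDoS mitigation needs capacity-based thresholds (and usually upstream filtering) rather than per-client rate limits alone.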

DDoS the Lazy Way: Rent a Botnet!

If it sounds like a lot of work to build a botnet and execute a DDoS attack, you’d be right. But (unfortunately) there’s an easier way: lazy attackers can just go on the dark web and rent a botnet for as little as $10 per hour. Cybercrime is a booming industry, and services such as DDoS botnet rentals and phishing-as-a-service solutions are just a few of the options available for purchase.

Types of DDoS Attacks

Our simplified definition of what DDoS is left out one detail: there are many different types of DDoS attacks that attackers can use depending on what specific server resource they’re trying to overload. Since we’re trying to keep things simple, we’ll just briefly highlight the broad types of DDoS attacks commonly used.

As mentioned previously, DDoS attacks are designed to jam up a website, usually by overloading a specific aspect of the site. For example, an attack could target the following to overload them:

  • Web server resources such as CPU or RAM

  • Database servers

  • Network bandwidth

  • DNS servers

  • Etc.

Original article here: https://securityboulevard.com/2019/10/what-is-a-ddos-attack-hint-it-involves-zombies-traffic-jams/
