Week in security with Tony Anscombe

Phishing and how to avoid taking the bait – Offboarding employees securely – Why old malware refuses to die

In this edition of Week in security, Tony looks at these topics:

In a recent phishing quiz conducted by ESET USA, more than 60% of entrants who were presented with genuine or phishing messages failed to identify them all correctly. Here’s how you can be among those who won’t take the bait.

Departing employees often put organizations at risk of data breaches. How can companies offboard employees and ensure their data remains safe?

Old malware never dies, as Virus Bulletin earlier this month showed, and we look at some of the many interesting talks that were delivered at the conference.

All this – and more – on WeLiveSecurity.com. Connect with us on Facebook, Twitter, LinkedIn and Instagram.

Virus Bulletin: Old malware never dies – it just gets more targeted

Putting a precision payload on top of more generic malware makes perfect sense for malware operators

Virus Bulletin this year brought a fresh batch of amped-up, refreshed malware with lots more horsepower and devilish amounts of custom-tailored targeting. From singled-out political activist individual targets to regionalized targets, malware’s aim is getting better.

Putting a precision payload on top of more generic malware makes sense. Why forklift a whole new stack under your exploit when you can just replace the tip of the spear to best effect? For example, Lyceum seems like a redo after Talos and others got wise to previous operations. But much of the secret sauce came from threat actors just tacking on some interesting bits like turning the IP octets into four ASCII encoded commands for the C&C server, which is kind of cool.

For malware operators, there’s a certain deniability in using standard tools, which thwarts malware analysis efforts if much of the evidence is a mash-up of standard tools. How would you prove who did it with high confidence? This year we also saw plenty of “technical overlap” where shifts from prior POS hack malware to “big game hunting” ransomware basically follow the money with the smallest possible effort.

Another trend: Highly targeted, nation-state-flavored malware. Political activists in particular are a perennial target (thanks Amnesty International for insight following on from Netscout/Bitdefender work), with hackers tempting targets via malicious smartphone apps for families from the Stealjob/Knspy Donot team. When installed, the rogue app prompts for elevated Android access permissions, then records screen and keyboard input. Attackers tag team with email, and even try to get better at language localization to seem more legitimate (their French wasn’t very good in earlier attempts).

Another thing: PowerShell is the relatively new darling for doing bad things on targeted computers. Its more extensive capabilities now provide a host of functionality that can wreak havoc, and it gives threat actors a convenient control panel for tasks like file exfiltration, downloading further payloads and interacting with C&C servers.

And if PowerShell is the new hotness on end-user computers, it’s just that much better on a Windows server. That’s almost game over for an affected server, and attackers have definitely noticed this year, crafting ever-more-powerful assaults against the platform.

Not to be outdone, we still have the perennial low-level target: UEFI. ESET researchers recently found a new entrant called ESPecter that alters the boot process via its ESP component, ramping up super-stealthy malware hiding spots that give security software fits.

How do you defend against these kinds of malware? Surprisingly, simple mistakes like spelling errors are still baked into the malicious exploits, like one that misspelled “backdoor” and then copied the misspelling to multiple files, thereby providing a strong clue for researchers to pull on.

Ironically, in most of the investigations highlighted, it’s striking how many pieces in the puzzle came together ultimately due to a “fortuitous discovery”: that means the researchers got lucky somewhere along the way. This may also mean finding something obvious posted on the public web that helps identify the malware authors by usernames still left on social media somewhere that clearly links to the operator identities. It’s funny, in the shadowy workings of the researcher’s palette, how often luck reigns.

Speaking of threat actors for hire, special mention goes to the name contest that must’ve been behind the “Operation Hangover” hacker-for-hire group, regardless of their level of success, which I suppose may be related in some way to the clues represented therein.

We’re looking forward to Virus Bulletin next year in Prague – we hope.

Employee offboarding: Why companies must close a crucial gap in their security strategy

There are various ways a departing employee could put your organization at risk of a data breach. How do you offboard employees the right way and ensure your data remains safe?

The COVID-19 pandemic has created the perfect conditions for insider risk. Financial crises have in the past led to a spike in fraud and nefarious activity, and it’s reasonable to assume that the wave of job losses and uncertainty that emerged in early 2020 did the same. At the same time, companies have never been more exposed, through extensive supply chains and partnerships, and their remote working and cloud infrastructure – much of which was built up in response to the pandemic.

The bottom line is that, by design or accident, employees on their way out of the door may end up causing significant financial and reputational damage if the risks are not properly mitigated. The cost of insider-related incidents spiked 31 percent between 2018 and 2020 to reach nearly US$11.5 million. That makes effective offboarding processes an essential part of any security strategy – yet one that’s too often overlooked.

Can (departing) employees be trusted?

The corporate attack surface is often viewed through a lens of external threat actors. But it can also be abused by internal employees. Cloud-based applications, data stores and other corporate networked resources can be accessed today in many organizations from virtually any device, anywhere. This has become essential to supporting productivity during the pandemic, but it can also make it easier for employees to circumvent policies unless the right controls are in place.

Unfortunately, research suggests that many (43 percent) organizations don’t even have a policy that forbids staff taking work data with them when they leave. Even more concerning, in the UK, only 47 percent revoke building access as part of offboarding and just 62 percent reclaim corporate devices.

Additionally, separate data finds that nearly half (45 percent) download, save, send or exfiltrate work-related documents before leaving employment. This happens most frequently in the tech, financial services and business, consulting and management sectors.

Why does it matter?

Whether they take data with them to impress a new employer, or steal or delete it as the result of a grudge, the potential impact on the organization is severe. A serious data breach could lead to:

- Investigation, remediation and clean-up costs
- Legal costs stemming from class action lawsuits
- Regulatory fines
- Brand and reputational damage
- Lost competitive advantage

In one recent case, a credit union employee pleaded guilty to destroying 21GB of confidential data after she was fired. Despite a colleague requesting that IT disable her network access during offboarding, it was not done in time and the individual was able to use her username and password to access the file server remotely for around 40 minutes. It cost the credit union US$10,000 to fix the unauthorized intrusion and deletion of documents.

How to create more secure offboarding

Many of these threats could have been better managed if the organizations involved had put in place more effective offboarding processes. Contrary to what you might think, these should begin well before an employee signals their intent to resign, or before they are fired. Here are a few tips:

Clearly communicate policy: An estimated 72 percent of office workers apparently think the data they create at work belongs to them. This could be anything from client lists to engineering designs. Helping them understand the limits of their ownership of IP, with clearly communicated and formally written policy, could prevent a great deal of pain down the line. This should be part of any onboarding process as standard, along with clear warnings about what will happen if staff break policy.

Put continuous monitoring in place: If an unscrupulous employee is going to steal information prior to leaving your company, they’re likely to begin doing so well before they notify HR of their job move. That means organizations must put in place monitoring technologies that continuously record and flag suspicious activity—whilst of course observing local privacy laws and any employee ethical concerns.

Have a policy and process ready and waiting: The best way to ensure seamless and effective offboarding of every employee is to design a clear process and workflow ahead of time. Yet while nearly all organizations have an onboarding process, many forget to do the same for departing staff. Consider including the following:

- Revoke access and reset passwords for all apps and services
- Revoke building access
- Exit interview to check for suspicious behavior
- Final review of monitoring/logging tools for evidence of unusual activity
- Escalate to HR/legal if suspicious activity is detected
- Reclaim any physical corporate devices
- Prevent email forwarding and file sharing
- Reassign licenses to other users
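As an added example (not code from the article), here is a small Python check of the kind the “continuous monitoring” and “final review of monitoring/logging tools” steps call for, and which would have surfaced the credit union case above within minutes: it compares authentication log lines against a roster of accounts whose access should already have ended. The log format, account names, IP addresses and timestamps are all constructed for illustration.

```python
"""Flag authentication events by accounts that should already have been
disabled as part of offboarding.

Constructed example: the key=value log format, the user names, the IP
addresses and the timestamps below are made up for illustration.
"""
from datetime import datetime, timezone

# Constructed offboarding roster: account -> moment its access should have ended (UTC)
TERMINATED = {
    "jdoe": datetime(2021, 10, 4, 13, 30, tzinfo=timezone.utc),
    "asmith": datetime(2021, 9, 1, 17, 0, tzinfo=timezone.utc),
}

# Constructed authentication log, one event per line
SAMPLE_LOG = """\
2021-10-04T13:15:02Z user=jdoe src=10.0.0.12 service=vpn result=success
2021-10-04T13:42:10Z user=jdoe src=203.0.113.7 service=fileserver result=success
2021-10-04T14:05:44Z user=jdoe src=203.0.113.7 service=fileserver result=success
2021-10-04T14:07:01Z user=mlee src=10.0.0.40 service=fileserver result=success
2021-10-04T15:00:00Z user=asmith src=198.51.100.9 service=mail result=failure
"""


def parse_line(line):
    """Parse '<ISO timestamp> key=value ...' into a dict with a tz-aware 'ts'."""
    ts_text, *fields = line.split()
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = ts
    return event


def post_termination_events(log_text, terminated):
    """Return every event in which a terminated account was used after its cutoff.

    Failed attempts are kept on purpose: a failure after the cutoff still shows
    the account was not disabled, or that someone is trying its credentials.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        cutoff = terminated.get(event["user"])
        if cutoff is None or event["ts"] <= cutoff:
            continue  # unknown account, or activity before access should have ended
        minutes_after = (event["ts"] - cutoff).total_seconds() / 60
        hits.append({
            "user": event["user"],
            "ts": event["ts"],
            "service": event["service"],
            "src": event["src"],
            "result": event["result"],
            "minutes_after_cutoff": round(minutes_after, 1),
        })
    return hits


def summarize(hits):
    """Per-account summary: how often, and how long after cutoff, the account was still usable."""
    summary = {}
    for hit in hits:
        entry = summary.setdefault(
            hit["user"], {"events": 0, "successes": 0, "last_minutes_after": 0.0}
        )
        entry["events"] += 1
        if hit["result"] == "success":
            entry["successes"] += 1
        entry["last_minutes_after"] = max(entry["last_minutes_after"], hit["minutes_after_cutoff"])
    return summary


if __name__ == "__main__":
    found = post_termination_events(SAMPLE_LOG, TERMINATED)
    for hit in found:
        print(f'{hit["ts"].isoformat()} {hit["user"]} {hit["service"]} from {hit["src"]} '
              f'{hit["result"]} ({hit["minutes_after_cutoff"]} min after cutoff)')
    for user, entry in summarize(found).items():
        print(f'{user}: {entry["successes"]}/{entry["events"]} successful, '
              f'still usable {entry["last_minutes_after"]} min after cutoff')
```

In a real deployment the roster would come from the HR system and the events from the directory or VPN logs; the useful output is the “still usable N minutes after cutoff” figure, which is the metric to drive to zero.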

As organizations gear up to face the post-pandemic world, competition for customers will be fiercer than ever. They can little afford valuable IP walking out of the door with departing employees, or the financial and reputational damage that could result from a serious security breach. Offboarding is one small piece of the security puzzle. But it’s a critically important one.

Don’t get phished! How to be the one that got away

If it looks like a duck, swims like a duck, and quacks like a duck, then it’s probably a duck. Now, how do you apply the duck test to defense against phishing?

The fall is an awesome time of year to get away and spend some time in the great outdoors. The criminally-inclined, meanwhile, seem to ramp up their phishing campaigns, as the daily routine of deleting the unwanted and malicious emails and SMS messages takes longer every day. October is Cybersecurity Awareness Month and the second week of the month-long campaign to bring cybersecurity to the forefront of everyone’s minds is dedicated to the ‘Fight the Phish’ theme.

The hard truths

Would you be surprised to learn that just over 60% of entrants in a recent phishing quiz, conducted by ESET, who were presented with four images of phishing or real messages failed to identify them all correctly?

Called the ESET Phishing Derby and organized by the ESET team in the USA, the free-to-enter competition is designed to show just how competent we are at identifying fake vs real messages. The scoring system is based on speed and correctly telling the messages apart, and the almost 40% who correctly identified the samples may include some entrants that identified three correctly in a super-fast time. So, in reality, the number identifying all four correctly is likely to be lower. The quiz was not designed to generate statistics – it was designed to create awareness and help educate the entrants on how to identify fake emails.

Interestingly, the results show a marked difference in how younger participants aged between 18-24 identified the samples correctly – 47%, compared to just 28% of those over 65. Those aged between 25-44 achieved 45% and 45-to-64-year-olds were at 36%. In case you are wondering about the validity of this data, the number of entrants was 4,292, and the data collected is a by-product as opposed to an academic study. A similar result was presented when the same quiz was conducted by ESET Canada in late 2020, with 68% of participants not identifying all four samples correctly. You can take the tests here or here.

What action should we take from the results? If you are reading this blog, then you are likely engaged in the need to learn more about cybersecurity and staying safe online. So, let me give you a challenge during this 2021 Cybersecurity Awareness Month – take the message on being cautious about emails and messages and other good practices you may adopt to stay safe online and teach them to friends and family, with a very specific focus on helping those in their more senior years, as the data demonstrates they may benefit from a little more help.

You might think with the continual awareness campaigns from financial organizations, cybersecurity companies, governments and such like driving the cybersecurity awareness message home that this number should be lower, much lower, and I might agree. However, some phishing emails that land in inboxes are so well crafted and look and feel just like the real deal, making it much tougher to identify them as fakes. This challenge will only get harder as cybercriminals perfect their art.

Phresh phish

Last week, I received an email that is supposedly from American Express, notifying me that a suspicious transaction attempt had been blocked and requesting I review recent transactions. At first glance, the email looks legitimate and well written and has good graphics, but there are some obvious signs that the email is a fake.

For starters, I don’t have an American Express Business Platinum Card. If you do have an account though, it may be understandable why this could trick you into taking the next step, opening it and possibly clicking on the link contained within it. The email is designed to create an emotional reaction, ‘oh no, there is fraud on my account, I need to fix it, click’.

Also, one of the fake identifiers for me in this specific email is the addressing ‘Dear Card User’ and then the ‘Account starting with 37*****’. American Express knows who its customers are and does not refer to them generically in communications, and credit card companies normally use the more unique final digits of an account number, not the less unique numbers at the start of the account number. As a past employee of American Express I know that all cards issued by them start with 3 and the second number is either a ‘4’ or ‘7’, so the number used in the email I received is generic and valid for many card holders, a shotgun approach by the cybercriminal to catch a victim.

The enhanced computing resources readily available to cybercriminals are going to make this more challenging: for example, the rental of cloud computing power, the massive amounts of personal information available from data breaches, and to some degree the funding from recent successful cyberattacks being re-invested to grow the cybercrime business sector. Now imagine the ‘American Express’ impersonating phishing email had included the card holder’s name and the final four digits of the card number, gleaned from breached data. The likelihood of the recipient clicking the link would undoubtedly increase significantly.

Other red flags of phishing attacks

Here are a few more tips on how to identify a phishing email:

- The email does not address you personally, when the company that is supposedly the sender would know who you are and would typically address emails personally, not generically.
- Grammar and spelling mistakes: as phishing emails improve, be sure to read the message twice, as the errors may be harder to spot.
- The email is unsolicited, from a company you have never communicated with.
- A call to take an action urgently: click a link and log in to review transactions, or similar.
- The email addressing: hover the mouse over the email address and check the sender’s actual address and the domain it was sent from.
- Emails with attachments, for example,
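The red flags above (generic greeting, urgency, a sender domain that does not match the claimed brand, a link whose visible text points somewhere other than its real destination, and the “account starting with” wording from the American Express example) can be checked mechanically. The Python below is an added example, not code from the article or from ESET: it parses a raw message with the standard library’s email module and returns the flags it finds. Both messages, the sender domains and the brand domain set are constructed for illustration; the set of domains a brand legitimately sends from is an assumption you would configure yourself.

```python
"""Heuristic red-flag check for a single raw email message.

Added example; the two messages below are constructed. The domains
amex-secure-notify.example and example.net are placeholders, and the
'expected_domains' set is an assumption to be configured per brand.
"""
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

# Constructed message modelled on the red flags described in the text
PHISH_MESSAGE = b"""\
From: "Card Services" <alerts@amex-secure-notify.example>
To: customer@example.net
Subject: Action required: suspicious transaction blocked
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Card User,</p>
<p>A suspicious transaction on your Account starting with 37***** was blocked.
Review your recent transactions immediately to avoid suspension.</p>
<p><a href="http://login.amex-secure-notify.example/verify">https://www.americanexpress.com/review</a></p>
</body></html>
"""

# Constructed message with none of the red flags, for comparison
CLEAN_MESSAGE = b"""\
From: "Statements" <statements@americanexpress.com>
To: customer@example.net
Subject: Your October statement is available
Content-Type: text/plain; charset=utf-8

Dear Jane Doe,

Your statement for the card ending in 1005 is ready in your online account.
"""

GENERIC_GREETINGS = ("dear card user", "dear customer", "dear user",
                     "dear member", "dear account holder", "dear valued")
URGENCY_PHRASES = ("action required", "immediately", "urgent",
                   "within 24 hours", "suspension", "suspended")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Leading card digits quoted instead of the last four, as in the article's sample
LEADING_DIGITS_RE = re.compile(r"(?:account|card)\s+starting\s+with\s+\d{2,6}\*+", re.I)


def hostname(url):
    """Host part of a URL, lower-cased, or '' if the text is not a URL."""
    return (urlparse(url.strip()).hostname or "").lower()


def in_domains(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def red_flags(raw, expected_domains):
    """Return {flag_name: detail} for every heuristic that fires on the message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    lowered = text.lower()
    subject = str(msg["subject"] or "").lower()
    flags = {}

    # Sender's real domain versus the domains the claimed brand uses
    sender = msg["from"].addresses[0] if msg["from"] else None
    sender_domain = sender.domain.lower() if sender else ""
    if not in_domains(sender_domain, expected_domains):
        flags["sender_domain"] = sender_domain or "<none>"

    greeting = next((g for g in GENERIC_GREETINGS if g in lowered), None)
    if greeting:
        flags["generic_greeting"] = greeting

    urgency = [p for p in URGENCY_PHRASES if p in subject or p in lowered]
    if urgency:
        flags["urgency"] = urgency

    match = LEADING_DIGITS_RE.search(text)
    if match:
        flags["leading_digits"] = match.group(0)

    # Visible link text that names one host while the href goes to another
    mismatches, offbrand = [], []
    for href, label in LINK_RE.findall(text):
        label_host = hostname(re.sub(r"<[^>]+>", "", label))
        href_host = hostname(href)
        if label_host and href_host and label_host != href_host:
            mismatches.append((label_host, href_host))
        if href_host and not in_domains(href_host, expected_domains):
            offbrand.append(href_host)
    if mismatches:
        flags["link_mismatch"] = mismatches
    if offbrand:
        flags["offbrand_link"] = offbrand
    return flags


if __name__ == "__main__":
    brand = {"americanexpress.com"}  # assumption: domains the brand sends from
    for name, raw in (("phish", PHISH_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(name, red_flags(raw, brand))
```

The checks are deliberately simple string and header tests; what they buy you is consistency, since a tired reader skips the hover-over-the-link step and a script does not. A mail gateway would feed the result into a score rather than block on any single flag.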

Microsoft thwarts record‑breaking DDoS attack

The attack, which clocked in at 2.4 Tbps, targeted one of Azure’s customers based in Europe

Microsoft has revealed that it thwarted a Distributed Denial-of-Service (DDoS) attack that clocked in at a whopping 2.4 terabytes per second (Tbps). The onslaught, which targeted an Azure customer in Europe, surpasses the previous record holder – a 2.3 Tbps attack that was mitigated by Amazon Web Services (AWS) last year. It also dwarfs the previously largest DDoS attack (1 Tbps) on Azure from 2020.

According to Microsoft, the latest attack originated from some 70,000 sources and from several countries in the Asia-Pacific region, including Malaysia, Vietnam, Taiwan, Japan, and China, as well as from the United States.

“The attack vector was a UDP reflection spanning more than 10 minutes with very short-lived bursts, each ramping up in seconds to terabit volumes. In total, we monitored three main peaks, the first at 2.4 Tbps, the second at 0.55 Tbps, and the third at 1.7 Tbps,” said Senior Program Manager at Azure Networking Amir Dahan in a blog post describing the incident.

“The pace of digital transformation has accelerated significantly during the COVID-19 pandemic, alongside the adoption of cloud services. Bad actors, now more than ever, continuously look for ways to take applications offline,” Dahan added.

Traditional DDoS attacks overwhelm a target with bogus web traffic that comes from a large number of devices that have been corralled into a botnet. The aim of the attack is to take the victim’s servers offline and deny access to their services. If an attacker utilizes a reflection amplification attack, they can amplify the volume of malicious traffic while obscuring its sources.
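The distinguishing feature of UDP reflection, as seen from the victim’s side, is that the flood arrives from the well-known service ports of many third-party hosts (NTP, DNS, SSDP and similar), because the attacker sent small requests to those hosts with the victim’s address forged as the source. The Python below is an added example, not code from the article or from Microsoft’s write-up: it groups NetFlow-style records per destination and flags targets whose inbound UDP comes mostly from amplifier service ports on many distinct hosts. The flow records, addresses and thresholds are constructed for illustration; the port-to-service table lists services that are commonly abused as reflectors.

```python
"""Flag destinations that look like the target of a UDP reflection flood.

Added example. SAMPLE_FLOWS is constructed NetFlow-style data, not real
traffic; the addresses come from documentation ranges.
"""
from collections import defaultdict

# UDP services commonly abused as reflectors, keyed by their service port
REFLECTOR_PORTS = {53: "dns", 123: "ntp", 161: "snmp", 1900: "ssdp", 11211: "memcached"}

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes, packets)
SAMPLE_FLOWS = [
    ("198.51.100.10", 123, "203.0.113.5", 44231, "udp", 4_800_000, 10_000),
    ("198.51.100.11", 123, "203.0.113.5", 44231, "udp", 4_600_000, 9_600),
    ("198.51.100.12", 1900, "203.0.113.5", 44231, "udp", 3_100_000, 9_000),
    ("198.51.100.13", 53, "203.0.113.5", 44231, "udp", 2_900_000, 2_000),
    ("192.0.2.77", 55012, "203.0.113.5", 443, "tcp", 12_000, 80),
    ("192.0.2.200", 41000, "203.0.113.9", 80, "udp", 30_000, 400),
    ("192.0.2.201", 41001, "203.0.113.9", 80, "udp", 30_000, 400),
]


def analyze_targets(flows):
    """Per destination: bytes and packets arriving from reflector service ports versus everything else."""
    per_target = defaultdict(lambda: {
        "reflector_bytes": 0, "reflector_packets": 0, "other_bytes": 0,
        "reflectors": set(), "services": set(),
    })
    for src_ip, src_port, dst_ip, _dst_port, proto, nbytes, packets in flows:
        target = per_target[dst_ip]
        if proto == "udp" and src_port in REFLECTOR_PORTS:
            target["reflector_bytes"] += nbytes
            target["reflector_packets"] += packets
            target["reflectors"].add(src_ip)
            target["services"].add(REFLECTOR_PORTS[src_port])
        else:
            target["other_bytes"] += nbytes
    return per_target


def reflection_candidates(flows, min_reflectors=3, min_share=0.8):
    """Destinations where most inbound bytes come from reflector ports on many distinct hosts.

    Thresholds are constructed defaults; tune them to the monitored network.
    """
    candidates = {}
    for dst, target in analyze_targets(flows).items():
        total = target["reflector_bytes"] + target["other_bytes"]
        share = target["reflector_bytes"] / total if total else 0.0
        if len(target["reflectors"]) >= min_reflectors and share >= min_share:
            candidates[dst] = {
                "reflectors": len(target["reflectors"]),
                "services": sorted(target["services"]),
                "reflector_share": round(share, 3),
                # Large average response size is typical of amplified replies
                "avg_response_bytes": round(target["reflector_bytes"] / target["reflector_packets"]),
            }
    return candidates


if __name__ == "__main__":
    for dst, info in reflection_candidates(SAMPLE_FLOWS).items():
        print(f'{dst}: {info["reflectors"]} reflectors via {info["services"]}, '
              f'{info["reflector_share"]:.1%} of inbound bytes, '
              f'{info["avg_response_bytes"]} bytes/packet')
```

The hosts the check lists are the reflectors, not the attacker, whose own address never appears because the triggering requests carried the victim’s address. That shapes the response: notify the reflector operators, and have the upstream provider filter or rate-limit UDP from those service ports toward the target, rather than chasing the apparent sources.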

Historically, DDoS attacks have been used as a smokescreen for other, even more damaging onslaughts, or as a means to demand massive ransom fees from the targeted companies. While the victims could stand to lose millions of dollars in revenue from the reputational damage combined with the cost of downtime caused by these attacks, there is no guarantee that the attackers would cease their onslaught even if the ransoms are paid.

Ransomware cost US companies almost $21 billion in downtime in 2020

The victims lost an average of nine days to downtime and two-and-a-half months to investigations, an analysis of disclosed attacks shows

An analysis of 186 successful ransomware attacks against businesses in the United States in 2020 has shown that the companies lost almost US$21 billion due to attack-induced downtime, according to technology website Comparitech. Compared to 2019, the number of disclosed ransomware attacks skyrocketed – by 245%.

“Our team sifted through several different resources—specialist IT news, data breach reports, and state reporting tools—to collate as much data as possible on ransomware attacks on US businesses. We then applied data from studies on the cost of downtime to estimate a range for the likely cost of ransomware attacks to businesses,” Comparitech said explaining its approach. However, it did concede that the figures may be merely a scratch on the surface of the ransomware problem.

On average, the affected companies lost nine days in downtime and it took them about two-and-a-half months to investigate the attacks and their impact on the company’s data and its systems. To put this into context, Comparitech estimates that, when combined, ransomware attacks caused 340.5 days of downtime and a whopping 4,414 days of investigation. However, the downtimes varied, ranging from recovery efforts taking several months to minimal disruptions, especially thanks to solid backup plans.

Cybercriminals usually requested ransoms ranging from half a million dollars all the way up to US$21 million. Some attackers also upped the ante by carrying out double-extortion attacks, where they pilfer data from the victims’ systems before going on to encrypt them with ransomware. With researchers estimating that the average cost per minute of downtime is US$8,662 and adding in the reputational damage, it’s no wonder some companies are willing to pay the ransoms as a way to fix the problem quickly. Based on the estimate, the cost of downtime to American business was US$20.9 billion. The analysis also found that the ransomware attacks resulted in over 7 million individual records being pilfered and/or abused, an almost 800% increase compared to the previous years.

Additionally, the researchers noted a shift in the targets of ransomware attacks. While previously cybercriminals would target educational institutions and government entities, during 2020 they shifted their focus towards businesses and healthcare organizations. This could be chalked up to the pandemic since many schools and governmental organizations were closed and their systems were down. Meanwhile, healthcare providers had to power through in order to tend to patients, and the pandemic forced a lot of businesses to transition to remote work probably making them easier targets to hack.

What about 2021?

Based on the trends and events of this year, it is little wonder that Comparitech estimates the costs to businesses will rise further. “If the second half of 2021 sees the same number of attacks as the first half (91), 2021’s figures will be in line with 2020’s – over 180 individual ransomware attacks. However, with many attacks often revealed weeks or months after they’ve happened, these figures are likely to rise even higher over the coming months, suggesting 2021 will be a record-breaking year for ransomware attacks on US businesses,” the company warned.

To find out why ransomware remains one of the top threats and how businesses can defend against it, we suggest reading up on our recent white paper, Ransomware: A criminal art of malicious code, pressure and manipulation.

FontOnLake: Previously unknown malware family targeting Linux

ESET researchers discover a malware family with tools that show signs they’re used in targeted attacks


Google to turn on 2FA by default for 150 million users, 2 million YouTubers

Two-factor authentication is a simple way to greatly enhance the security of your account


To the moon and hack: Fake SafeMoon app drops malware to spy on you

Cryptocurrencies rise and fall, but one thing stays the same – cybercriminals attempt to cash in on the craze
