As the old saying goes, “darkness falls across the land, the midnight hour is close at hand.” Halloween is upon the scene and frightening things are unforeseen. Imagine watching a chilling movie depicting a zombie apocalypse or a deadly virus spreading fast across a metropolis, infecting everything in its wake. Sounds like a monstrous scenario? Sounds analogous to a cyber-attack?

You could be onto something. Strap yourself in. It’s going to be a bumpy ride.

According to recent F5 Labs threat analysis, the top application breaches haunting companies right now with rapidly mutating sophistication include payment card theft via web injection (70%), website hacking (26%), and app database hacking (4%).

Frighteningly, further analysis shows that 13% of all web application breaches in 2017 and Q1 2018 were access related. This bloodcurdling discovery can be dissected as follows: credentials stolen via compromised email (34.29%), access control misconfiguration (22.86%); credential stuffing from stolen passwords (8.57%), brute force attacks to crack passwords (5.71%), and social engineering theft (2.76). The eerie evidence also shows that applications and identities are the initial targets in 86% of breaches.

Businesses worldwide now face a sense of creeping dread and imminent disruption. Nowadays, they are more prone than ever to terrors such as malware hijacking browsers to sniff or intercept application authentication credentials. Then there are the strains of malware that target financial logins to menace both browser and mobile clients.

There’s no way around it. Getting your cybersecurity posture right is the only way to stay safe. Get it wrong, however, and you’ll get the fright of your life in the shape of EU’s General Data Protection Regulation (GDPR) enforcement. There is definitively nowhere to hide this Halloween if you’re breached or fall short of tightening compliance expectations.

Yet, if scary movies have taught us anything about horror stories, it is to never to scream and run away. As this ghoulish season can overshadow any organisation, it’s imperative that preventative measures are in place to protect vital assets. Yes, the findings from F5 Labs may paint a bleak picture but there are plenty of preventative measures you can take to improve your security posture and safeguard your employees’ applications and sensitive data: 

  • Understand your threat environment and prioritise defences against grave risk concerns. Know which applications are important and minimise your attack surface. Remember, an app’s surface is broadening all the time, encompassing multiple tiers and the ever-increasing use of application programming interfaces (APIs) to share data with third parties.
  • Use data to drive your risk strategy and identify what attackers would typically target. Beware that any part of an application service visible on the Internet will be probed by fiendish hackers for possible exploitation.
  • Configure your network systems properly or suffer the consequences of applications leaking internal and infrastructure information, including server names, private network addresses, email addresses, and even usernames. This is all valuable ammunition for a horrible hacker to carry out an attack.
  • Be aware of common threats including DDoS attacks, ransomware, malware, phishing, and botnets. Ensure your IT response strategies are built to adapt and update in line with new vulnerabilities and threats will invariably improve survival rates.
  • Implement a strong set of easily manageable and powerful security solutions such as an advanced web application firewall (AWAF). This type of technology is extremely scalable and can protect against the latest wave of attacks using behavioural analytics, proactive bot defence, and application-layer encryption of sensitive data like personal credentials.
  • Ensure the company enforces a proactive culture of security and educates employees on policy, device management, as well as safe internet and cloud usage.
  • When travelling on business, ensure staff never conduct financial transactions requiring a debit or credit card when using public or free Wi-Fi services. Never assume mobiles and laptop devices are safe, even at the local coffee bar.
  • Change your passwords regularly (i.e. every month). This is especially important after travel. Devices may have been compromised during transit.
  • Always perform regular data backups on approved devices and/or secure cloud platforms to ensure sensitive information is not lost or stolen and can be quickly recovered in the event of an attack.
  • Remember, careless employees who feel they are unaccountable for the loss of work devices can damage business reputations.

 The grim reality

Remember this is the time of year when “creatures crawl in search of blood to terrorize the neighbourhood”. Whether you’re expecting a trick or treat this Halloween, neglecting cybersecurity is certain to have ghastly consequences.

The business world is littered with victims of cybercrime, so don’t get consigned to the grievous graveyard of cyber fraud. Know what makes your apps vulnerable and how they can be attacked. Makes sure you put the right solutions in place to lower your risk. Now is the time to stop being haunted by cybercriminals draining the lifeblood out of your business.

Source: https://www.informationsecuritybuzz.com/articles/the-haunting-horror-story-of-cybercrime/

CIO Daniel Nigrin, M.D., says hospitals must prepare for DDoS and ransomware

Most health system CIOs have heard about the 2014 attack on Boston Children’s Hospital by a member or members of the activist hacker group Anonymous. The hospital was forced to deal with a distributed denial of service (DDoS) attack as well as a spear phishing campaign. Yesterday, as part of the Harvard Medical School Clinical Informatics Lecture Series, the hospital’s senior vice president and CIO Daniel Nigrin, M.D., discussed six lessons learned from the attack.

Although the cyber-attack took place four years ago, there have been some recent developments. The attack was undertaken to protest the treatment of a teenager, Justina Pelletier, in a dispute over her diagnosis and custody between her parents and the hospital. In August 2018 Martin Gottesfeld, 32, was convicted of one count of conspiracy to damage protected computers and one count of damaging protected computers. U.S. District Court Judge Nathaniel Gorton scheduled sentencing for Nov. 14, 2018. Gottesfeld was charged in February 2016.

According the U.S. Department of Justice, Gottesfeld launched a massive DDOS attack against the computer network of the Boston Children’s Hospital. He customized malicious software that he installed on 40,000 network routers that he was then able to control from his home computer. After spending more than a week preparing his methods, on April 19, 2014, he unleashed a DDOS attack that directed so much hostile traffic at the Children’s Hospital computer network that he temporarily knocked Boston Children’s Hospital off the Internet.

In his Oct. 17 talk, Nigrin said cyber criminals still see healthcare as a soft target compared to other industries. “The bottom line is that in healthcare, we have not paid attention to cybersecurity,” he said. “In the years since this attack, we have seen ransomware attacks that have brought hospital systems to their knees. We have to pay more attention and invest more in terms of dollars and technical people, but it really does extend to entire organizations — educating people about what a phishing attack is, what a social engineering attack is. These need to be made a priority.”

He offered six lessons learned from Boston Children’s experience:

1. DDoS countermeasures are critical. No longer can healthcare organizations assume that a DDoS attacks are things that only occur against corporate entities, he said. “Prior to this event, I had never thought about the need to protect our organization against a DDoS attack,” he said. “I will submit that the vast majority of my CIO colleagues were in the same boat. And that was wrong. I think now we have gotten this understanding.”

2.  Know what depends on the internet. Having a really detailed understanding of what systems and processes in your organization depend on internet access is critical, Nigrin stressed. You also mush have good mitigation strategies in place to know what to do if you lose internet access — whether it is because you have a network outage due to a technical issue or a malicious issue. “As healthcare has become more automated and dependent on technology, these things are crippling events. You have got to know how you are going to deal with it ahead of time. Figuring it out on the fly is not going to work.”

3. Recognize the importance of email. Email may be seen as old-school, Nigrin noted, but it is still the primary method to communicate, so you have to think about how you can communicate and get the word out in scenarios where you don’t have email or lose voice communication. “In our case, we were super-lucky because we had just deployed a secure texting platform, so we could do HIPAA-compliant texting, and when our email was down, that was how we communicated, and it was very effective,” he explained.

4. Push through security initiatives – no excuses anymore.  Because he is a doctor himself, Nigrin feels OK picking on doctors about security. Historically they have always pushed back on security measures such as dual-factor authentication. He paraphrases them saying “Come on, Dan, that is an extra 10 seconds; I have to carry a secure ID, or you have to send me a text message on my phone. It is a pain. I don’t want to do it. I am the highest-paid employee in your organization and that is time better spend on something else.” But Nigrin argues that we can’t afford to think like that anymore. He used the Anonymous attack as an opportunity to push through four or five security initiatives within the next two to three months when he had everyone’s attention. “The platform was burning, and the board of trustees was willing to expend the money to pay for it all. They all of a sudden recognized the risk.”

5. Securing audio- and teleconference meetings. Nigrin said this topic wouldn’t have occurred to Boston Children’s until they were warned by the FBI. “The FBI told us about an attack that affected them when they were dealing with Anonymous. When Anonymous was attacking the FBI, the FBI convened internal conference calls on how to deal with it. Anonymous had already breached their messaging platform and intercepted the calendar invites that invited everyone to dial in. Anonymous basically was called into the meeting. Within 30 minutes of one of those meetings, the entire audio transcript of the conference call was posted to YouTube. “So we took heed of that and made sure that when we had conference calls, we sent out PINs over our secure texting platform,” he said.

6. Separating signal from noise. During the attack, Boston Children’s set up a command center and told employees: if you see something, say something. “We didn’t know what attack was coming next. We were flying blind,” Nigrin said. “We started to get lots of calls into our command center with reports of things that seemed somewhat suspicious,” he remembers. People got calls on their cell phone with a recorded message saying your bank account has been compromised. Press 1 to talk to someone to deal with it. “Today we would recognize this as some type of phishing scam and hang up,” he said, “but at the time it was sort of new. People started calling us and we didn’t know if this was Anonymous trying to get into the bank accounts of our senior clinicians. Was it part of the attack? It was tough for us to detect signal from noise.”

In the Q&A after his presentation, listeners were curious about how much the incident cost the hospital. Nigrin said there two big costs incurred: One was the technology it had to deploy in an emergent way to do DDOS protection and penetration testing. The other was revenue lost from philanthropic donations. Together they were close to $1 million.

Another person asked if the hospital had cyber insurance. Nigrin said they did, but when they read the fine print it said they were covered only if they were breached and technically they were never breached, so the insurance company was reluctant to pay. Although they eventually got compensated for a good share of it, the hospital also made sure to update its policy.

Still another attendee asked Nigrin if ransomware attacks were still targeting hospitals. He said they definitely were. “Think about community hospitals just squeaking by on their budgets,” he said. “They don’t have millions to spend, yet their data is valuable on the black market. Attackers recognize we are dead in the water as entities if we don’t have these systems. We have important data and will do anything to get our systems back up and running.”

Nigrin said even large health systems can be vulnerable because some technology they deploy is run by third-party vendors who haven’t upgraded their systems. An example, he said, might be technology to record videos in the operating room setting. Some vendors, he said, are not accustomed to thinking about security. They are unable to update their software so it works on more modern operating systems. That leaves CIOs with a tough choice. “We can shut off the functionality or take the risk of continuing to use outdated and unpatched operating systems. Those vendors now have woken up and realize they have to pay more attention.”

Source: https://www.healthcare-informatics.com/article/cybersecurity/six-lessons-boston-children-s-hacktivist-attack

The Government has been urged to appoint a cybersecurity “tsar” to ensure the State is adequately prepared to deal with potential attacks.

The call by one of the State’s leading IT security experts comes amid growing concern Ireland could be caught off-guard by a cybersecurity attack, due to a lack of joined-up thinking on the issue and a failure to take threats seriously.

Currently the response to cyber threats lies across a number of bodies, with the Department of Communications, An Garda Síochána, the Defence Forces and the Department of Defence among those involved.

Brian Honan, an independent security consultant who has also served as a special adviser to Europol’s Cybercrime Centre (EC3), said a tsar with the authority and autonomy to ensure an effective cybersecurity strategy should be appointed as a matter of urgency.

“We need a coherent and centralised approach to protecting our nation rather than having responsibilities for various aspects of cybersecurity spread throughout different departments and agencies,” he said.

Mr Honan warned that cybersecurity was becoming more of an issue globally with data breaches, DDoS and ransomware attacks, financial scams and state-sponsored hacking incidents all on the rise.

As well as domestic considerations, the State is also responsible for the security of services provided across the EU by multinational companies who have their European headquarters located here. Mr Honan said that, given this, a cybersecurity attack could not only cause widespread disruption for businesses and public agencies, but would also lead to serious reputational damage.

“It is too critical for us as a nation, both from an economic and national security point of view, for [cybersecurity] to be left to individual government departments or businesses to look after,” said Mr Honan.

Funding review

Mr Honan’s comments come just weeks after a report by the Comptroller and Auditor General revealed that a dedicated cybersecurity unit established to protect government and industry networks has no strategic plan and requires a review of its funding.

The National Cyber Security Centre (NCSC), based in UCD, was established in 2011 with a view to “securing critical national infrastructure”. However, the C&AG report into its operations found an oversight body set up to monitor its performance had not met since 2015.

Fianna Fáil has also recently urged the Government to take a more proactive approach to cybersecurity. Its defence spokesman, Jack Chambers, recently called for responsibility for the NCSC to be reassigned away from the Department of Communications.

“The Department of Defence should take ownership and control of this so it can develop a proper whole-of-government response to the area of cybersecurity as it becomes a serious national threat. It would compromise foreign direct investment if our national infrastructure were to be seriously undermined and there were to be an attack,” Mr Chambers.

Source: https://www.irishtimes.com/business/technology/ireland-vulnerable-to-cybersecurity-attack-says-industry-leader-1.3666946

Cybercrime is easy and rewarding, making it a perfect arena for criminals everywhere.

Over the past 20 years, cybercrime has become a mature industry estimated to produce more than $1 trillion in annual revenues. From products like exploit kits and custom malware to services like botnet rentals and ransomware distribution, the breadth of cybercrime offerings has never been greater. The result: more, and more serious, forms of cybercrime. New tools and platforms are more accessible than ever before to those who lack advanced technical skills, enabling scores of new actors to hop aboard the cybercrime bandwagon. Meanwhile, more experienced criminals can develop more specialized skills in the knowledge that they can locate others on the darknet who can complement their services and work together with them to come up with new and better criminal tools and techniques.

Line Between Illicit and Legitimate E-Commerce Is Blurring
The cybercrime ecosystem has evolved to welcome both new actors and new scrutiny. The threat of prosecution has pushed most cybercrime activities onto the darknet, where the anonymity of Tor and Bitcoin protects the bad guys from being easily identified. Trust is rare in these communities, so some markets are implementing escrow payments to make high-risk transactions easier; some sellers even offer support services and money-back guarantees on their work and products.

The markets have also become fractured, as the pro criminals restrict themselves to highly selective discussion boards to limit the threat from police and fraudsters. Nevertheless, a burgeoning cybercrime market has sprung from these hidden places to offer everything from product development to technical support, distribution, quality assurance, and even help desks.

Many cybercriminals rely on the Tor network to stay hidden. Tor — The Onion Router — allows users to cruise the Internet anonymously by encrypting their activities and then routing it through multiple random relays on its way to its destination. This circuitous process renders it nearly impossible for law enforcement to track users or determine the identities of visitors to certain black-market sites.

From Niche to Mass Market
In 2015, the UK National Cyber Crime Unit’s deputy director stated during a panel discussion that investigators believed that the bulk of the cybercrime-as-a-service economy was based on the efforts of only 100 to 200 people who profit handsomely from their involvement. Carbon Black’s research discovered that the darknet’s marketplace for ransomware is growing at a staggering 2,500% per annum, and that some of the criminals can generate over $100,000 a year selling ransomware kits alone. That’s more than twice the annual salary of a software developer in Eastern Europe, where many of these criminals operate.

There are plenty of ways for a cybercriminal to rake in the cash without ever perpetrating “traditional” cybercrime like financial fraud or identity theft. The first way is something called research-as-a-service, where individuals work to provide the “raw materials” — such as selling knowledge of system vulnerabilities to malware developers — for future criminal activities. The sale of software exploits has captured much attention recently, as the ShadowBrokers and other groups have introduced controversial subscription programs that give clients access to unpatched system vulnerabilities.

Zero-Day Exploits, Ransomware, and DDoS Extortion Are Bestsellers
The number of discovered zero-day exploits — weaknesses in code that had been previously undetected by the product’s vendor — has dropped steadily since 2014, according to Symantec’s 2018 Internet Security Threat Report, thanks in part to an increase in “bug bounty” programs that encourage and incentivize the legal disclosure of vulnerabilities. In turn, this has led to an increase in price for the vulnerabilities that do get discovered, with some of the most valuable being sold for more than $100,000 in one of the many darknet marketplaces catering to exploit sales, as highlighted in related a blog post on TechRepublic. Other cybercrime actors sell email databases to simplify future cybercrime campaigns, as was the case in 2016 when 3 billion Yahoo accounts were sold to a handful of spammers for $300,000 each.

Exploit kits are another popular product on the darknet. They provide inexperienced cybercriminals with the tools they need to break into a wide range of systems. However, Europol suggests that the popularity of exploit kits has fallen over the past 12 months as the top products have been eliminated and their replacements have failed to offer a comparable sophistication or popularity. Europol also notes that theft through malware was generally becoming less of a threat; instead, today’s cybercriminals prefer ransomware and distributed denial-of-service (DDoS) extortion, which are easier to monetize.

Cybercrime Infrastructure-as-a-Service
The third way hackers can profit from more sophisticated cybercrime is by providing cybercrime infrastructure-as-a-service. Those in this field are provide the services and infrastructure — including bulletproof hosting and botnet rentals — on which other bad actors rely to do their dirty work. The former helps cybercriminals to put web pages and servers on the Internet without having to worry about takedowns by law enforcement. And cybercriminals can pay for botnet rentals that give them temporary access to a network of infected computers they can use for spam distribution or DDoS attacks, for example.

Researchers estimate that a $60-a-day botnet can cause up to $720,000 in damages on victim organizations. The numbers for hackers who control the botnets are also big: the bad guys can produce significant profit margins when they rent their services out to other criminals, as highlighted in a related post.

The New Reality
Digital services are often the backbone of small and large organizations alike. Whether it’s a small online shop or a behemoth operating a global digital platform, if services are slow or down for hours, the company’s revenue and reputation may be on the line. In the old days, word of mouth circulated slowly, but today bad news can reach millions of people instantly. Using botnets for DDoS attacks is a moneymaker for cybercriminals who extort money from website proprietors by threatening an attack that would destroy their services.

The danger posed by Internet of Things (IoT) botnets was shown in 2016 when the massive Mirai IoT botnet attacked the domain name provider Dyn and took down websites like Twitter, Netflix, and CNN in the largest such attack ever seen. Botnet use will probably expand in the coming years as cybercriminals continue to exploit vulnerabilities in IoT devices to create even larger networks. Get used to it: Cybercrime is here to stay.

Source: https://www.darkreading.com/endpoint/cybercrime-as-a-service-no-end-in-sight/a/d-id/1333033

Cybercrime activity continues to expand in scope and complexity, according to the latest report by cybersecurity firm Malwarebytes, as businesses become the preferred target for crooks throughout Q3.

Malware detection on businesses shot up 55% between Q2 and Q3, with the biggest attack vector coming from information-stealing trojans such as the self-propagating Emotet and infamous LokiBot.

Criminals have likely ramped up attacks on organizations in an attempt to maximize returns, while consumers have seen significantly less action in Q3, with a mere 5% detection increase over the period.

This incline toward a more streamlined campaign, as opposed to the wide nets cast in previous quarters, is due to numerous reasons including businesses failing to patch vulnerabilities, weaponized exploits, and possibly even the implementation of privacy-protective legislation such as GDPR.

“There was a very long period where ransomware was the dominant malware against everybody,” said Adam Kujawa, director of Malwarebytes Labs, speaking to The Daily Swig about the quarterly report, Cybercrime tactics and techniques: Q3 2018.

“We’ve seen the complete evolution of ransomware to what is really just a few families, and whether we’ll see the same distribution and exposure [of ransomware] that we’ve seen in the past few years is unlikely in my opinion.”

GandCrab ransomware, however, which first appeared at the beginning of this year, has matured.

New versions were discovered during Q3 as the ransomware variant is expected to remain a viable threat to both consumers and to businesses, which are at higher risk due to GandCrab’s advanced ability to encrypt network drives.

But despite a recent report by Europol that highlighted ransomware as the biggest threat in 2018, Kujawa isn’t convinced that these campaigns will stick around in the quarters to come.

“There are so many solutions out there that can protect users from ransomware, and there are more people that know what to do if you get hit with it,” he said.

“When you compare that to is it a good return investment [for cybercriminals], we don’t think it is anymore. Most of what we’ve seen [in Q3] is information-stealers.”

Kujawa points to the banking trojan Emotet, that can spread easily and with a primary intent to steal financial data and carry out disturbed denial of service (DDoS) attacks on infected machines.

Businesses, particularly small and medium-sized enterprises with less money invested in cyber defenses, have become valuable targets due to the ease in which trojans like Emotet can spread throughout their networks.

Changes in global information systems may also be a contributing factor in the revival of data-theft.

“That may very well in part play to things like GDPR where you’ve got this data that is no longer legally allowed to be on a server somewhere protected in Europe,” said Kujawa.

“Cybercriminals may be more interested in stealing data like they used to because this stuff is no longer as easy to obtain as it was.”

While information-stealers hogged the spotlight, the threat landscape remains diverse – targets are predominately concentrated within Western countries, while the use of exploit kits were found mostly in Asian countries including South Korea.

Kujawa also noted that social engineering, such as phishing attacks, remains a successful technique for malicious hackers.

He said: “Almost all attacks are distributed through social engineering, that’s still the number one way to get past things like security software, firewalls, and things like that.”

“The biggest problem in our industry right now is people not taking it [cybersecurity] seriously enough,” Kujawa added.

“At the end of the day we’re never going to win the war on cybercrime with just technology because that’s exactly what the bad guys are using against us.”

Source: https://portswigger.net/daily-swig/businesses-are-becoming-main-target-for-cybercriminals-report-finds