Tag Archives: Malware

Top 5 Cyber Attacks You Should Be Aware of for Your Business

DSA Technologies works with a wide range of businesses that face many of the same security challenges over and over. Most of these issues are preventable, or can at least be mitigated with the right care and awareness. Here is what DSA Technologies’ resident expert Michael Reese identified as the most common problems you should keep an eye out for.

  1. Phishing Schemes
    Phishing is the crime of deceiving people into sharing sensitive information like passwords and credit card numbers. Nearly all successful cyber-attacks begin with a phishing scheme. These attacks are responsible for over $12 billion in losses globally! Usually the attack is delivered in the form of an email that demands the victim go to a website and take immediate action. If the user clicks the link, they are sent to a fake website that imitates a real one. From there, they are asked to log in. The criminal now has the victim’s credentials and can use them to cause more damage.
  2. Cloud Cyber Security Threats
    Cloud computing, or the use of an internet source to store information, has grown significantly. Most people assume that cloud storage is safe, but this isn’t necessarily the case. If your provider offers minimal security your sensitive data could be easily accessible to hackers. The amount of security your cloud server offers is usually in the terms and conditions. These can be muddy waters. Don’t be afraid to talk to an expert on how to navigate these threats.
  3. Ransomware/Malware
    Ransomware is like malware in that both are criminal software used to take control of your computer and/or the information stored on it. Ransomware attacks are on the rise. Companies like DSA Technologies can help you build a software-based line of defense against this type of attack. It’s estimated that an organization will fall victim to ransomware every 14 seconds in 2019. A single attack could leave you out of business for a week or more. Could you afford to be out of business that long?
  4. IoT (Internet of Things), or what I call the “Internet of Threats”
    IoT devices are internet-enabled devices (e.g., iPhones, Amazon Alexa, printers). There will be more than 20 billion IoT devices by 2020. How is the increasing amount of data they handle being secured? In most cases it’s not. Some manufacturers ship IoT devices with no security at all, meaning anyone can access them. With so many devices in use, businesses should be aware of the security in place on their IoT devices. Each device represents a separate access point for attacks, and with the rise of internet-enabled devices, a rise in attacks is inevitable. Ensure that the devices used in your business are secured to protect sensitive data.
  5. Single Factor Passwords
    Single-factor passwords are when you use only a username and a passcode to log in. This is the traditional method, and the one most websites still maintain. Unfortunately, most passwords can be cracked in a matter of minutes. A second line of defense can help you and your business protect your data: multi-step or two-step authentication. This means that to log into your account, you enter your password, and then a second step requires you to enter additional information, like a unique code sent to your cell phone. Having at least two steps makes hacking your account more difficult, which in turn makes your data a less appealing target.

    DSA Technologies’ resident Cyber Security Expert, Michael Reese, is there to help businesses tighten their security.
    Visit DSA Technologies to learn more about how they can assist your business.

All U.S. and Canadian Eddie Bauer stores infected by point-of-sale malware

It happens again: The clothing chain said payment card information of customers was stolen.

Clothing retailer Eddie Bauer has informed customers that point-of-sale systems at its stores were hit by malware, enabling the theft of payment card information.

All the retailer’s stores in the U.S. and Canada, numbering about 350, were affected, a company spokesman disclosed Thursday. He added that the retailer is not disclosing the number of customers affected. The card information harvested included cardholder name, payment card number, security code and expiration date.

The retailer said that information of payment cards used at its stores on various dates between Jan. 2 and July 17, 2016 may have been accessed, but added that not all cardholder transactions were affected. Payment card information that was used for online purchases at its website was not affected.

The company is the latest in a long list of retailers, hotels and other establishments that were hit by point-of-sale malware that skimmed payment card information.

Eddie Bauer learned during the investigation that the malware found on its systems was “part of a sophisticated attack” directed at multiple restaurants, hotels, and retailers, besides its own operations, CEO Mike Egeck said in a statement. “Unfortunately, malware intrusions like this are all too common in the world that we live in today,” he added.

The company said it has been working closely with the FBI, cybersecurity experts, and payment card organizations, and wanted to reassure customers that it had fully identified and contained the incident. Customers would not be responsible for any fraudulent charges to their accounts, it added.

Eddie Bauer said it had taken measures to strengthen the security of its point-of-sale systems to prevent a similar hack in the future. Kroll, a provider of risk mitigation and response, would provide 12 months of complimentary services to affected customers, it added.

Businesses need to be able to watch more closely the data passing through a corporate network to have a better chance of preventing breaches, or at least minimizing the damage by stopping them soon, said John Christly, chief information security officer of Netsurion, a provider of remotely-managed security services for multi-location businesses, in an emailed statement.

“Some of these breaches may look like normal web traffic coming out of the firewall, and other attacks can even seem like legitimate DNS traffic, which may pass right by the typical un-managed firewall,” he added.

Hyatt Hotels, Target, Starwood Hotels & Resorts Worldwide, Hilton Worldwide Holdings, Omni Hotels & Resorts, HEI Hotels & Resorts and Neiman Marcus have also previously reported data breaches through their point-of-sale systems.

FBI investigating attack against computer networks at U.S. law firms

The Federal Bureau of Investigation (FBI) and the Manhattan U.S. attorney’s office are investigating an attack in which hackers accessed the computer networks at U.S. law firms, including Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP, according to a Wall Street Journal report.

An individual familiar with the investigation told the Journal that investigators are looking into whether the hackers accessed the networks for insider trading or other purposes.

It is also likely that employee and client records were accessed in order to facilitate spearphishing and social engineering attacks, said Adam Levin, chairman and founder of IDT911 and author of “Swiped” in comments emailed to SCMagazine.com. “The bad guys gained privileged access by way of stolen credentials, infected computers with malware, monitor activity, collect information and then use it for their financial gain,” he noted.

The attackers have reportedly posted threats of similar attacks against other law firms.

Darren Hayes, director of cybersecurity at Pace University’s Seidenberg School of Computer Science and Information Systems, noted that law firms have been a target for hackers because they possess large quantities of intellectual property. “The recent slew of attacks on Wall Street law firms is a new phenomenon, but makes sense given their access to sensitive information.”

Seclore Technology CEO Vishal Gupta said in an email to SCMagazine.com that financial institutions and Fortune 500 companies have improved their security preparedness, but he noted that “hackers are finding loopholes – and in this case, it’s through the top US law firms.”

Hayes also acts as a consultant on legal cases involving digital evidence. He said law firms “are not known to generally possess the best network security defenses.”

Forget the hospitals; it now appears that the world’s cyber hyenas have found an endless supply of fat, slow-moving wildebeests to prey on in the digital savanna. Cash “cows,” as it were, for ransomware attacks.

Can you think of a slower, less well-defended beast with more cash that would be so highly motivated to pay the ransom to protect their reputation?

The ransomware challenge simply cannot be solved by playing defense alone. We need to de-monetize this exploit, either by holding the perpetrators at risk of arrest or by disrupting their ability to collect the ransom.

No matter what the security-industrial complex technologists try to sell you to allay your fears and let you play a losing rope-a-dope defense a bit longer — the only successful solution is to pursue and challenge these ransomware teams directly.

5 things you need to know about ransomware, the scary malware that locks away data


Over the past few years millions of PCs from around the world have been locked or had their files encrypted by malicious programs designed to extort money from users. Collectively known as ransomware, these malicious applications have become a real scourge for consumers, businesses and even government institutions. Unfortunately, there’s no end in sight, so here’s what you should know.

It’s not just your PC that’s at risk

Most ransomware programs target computers running Windows, as it’s the most popular operating system. However, ransomware applications for Android have also been around for a while and recently, several variants that infect Linux servers have been discovered.

Security researchers have also shown that ransomware programs can be easily created for Mac OS X and even for smart TVs, so these and other devices are likely to be targeted in the future, especially as the competition for victims increases among ransomware creators.

Law enforcement actions are few and far between

There have been some successful collaborations between law enforcement and private security companies to disrupt ransomware campaigns in the past. The most prominent case was Operation Tovar, which took over the Gameover ZeuS botnet in 2014 and recovered the encryption keys for CryptoLocker, a notorious ransomware program distributed by the botnet.

In most cases, however, law enforcement agencies are powerless in the face of ransomware, especially the variants that hide their command-and-control servers on the Tor anonymity network. This is reflected in the multiple cases of government agencies, police departments and hospitals that were affected by ransomware and decided to pay criminals to recover their files. An FBI official admitted at an event in October that in many cases the agency advises victims to pay the ransom if they don’t have backups and there are no other alternatives.

Back up, back up, back up

Many users back up their sensitive data, but do it to an external hard drive that’s always connected to their computer or to a network share. That’s a mistake, because when a ransomware program infects a computer, it enumerates all accessible drives and network shares, so it will encrypt the files hosted in those locations too.

The best practice is to use what some people call the 3-2-1 rule: at least three copies of the data, stored in two different formats, with at least one of the copies stored off-site or offline.

You might get lucky, but don’t count on it

Sometimes ransomware creators make mistakes in implementing their encryption algorithms, resulting in vulnerabilities that allow the recovery of the files without paying the ransom. There have been several cases where security companies were able to create free decryption tools for particular versions of ransomware programs. These are temporary solutions though, as most ransomware developers will quickly fix their errors and push out new versions.

There are other situations where security researchers take control of command-and-control servers used by the ransomware authors and make the decryption keys available to users for free. Unfortunately these cases are even rarer than vulnerabilities in the ransomware programs themselves.

Most security vendors discourage paying the ransom, because there’s no guarantee that the attackers will provide the decryption key and because it ultimately encourages them.

If you decide to hold your ground, keep a copy of the affected files as you never know what might happen in the future. However, if those files are critical to your business and their recovery is time sensitive, there’s little you can do other than pay up and hope that the criminals keep their word.

Prevention is best

Ransomware programs get distributed in a variety of ways, most commonly through malicious email attachments, Word documents with macro code and Web-based exploits launched from compromised websites or malicious advertisements. Many are also installed by other malware programs.

As such, following the most common security best practices is critical. Always keep the software on your computer up to date, especially the OS, browser and browser plug-ins like Flash Player, Adobe Reader, Java and Silverlight. Never enable the execution of macros in documents unless you have verified their senders and have confirmed with them that the documents should contain such code. Carefully scrutinize emails, especially those that contain attachments, regardless of who appears to have sent them. Finally, perform your day-to-day activities from a limited user account, not from an administrative one, and run an up-to-date antivirus program.

The 5 Biggest Cybersecurity Risks for Small and Medium Businesses


Cases of data breaches from major corporations around the world are becoming more and more frequent, much to the dismay of business owners all over the world. Every few weeks, there is a report about a big corporation’s data being leaked on some website, causing the company huge monetary losses as well as irreparable damage to reputation.

Although the alarming frequency of such high-profile data breaches would lead one to believe that hackers must really have it in for large businesses, the fact remains that small and medium businesses are just as susceptible to data breaches, if not more so. Even when small and medium businesses realize that they are under threat as well, they might wrongly think that they would need to spend a large amount of money to keep the threat at bay.

The reality is anything but this. The major factor that decides whether you fall victim to such attacks is your level of negligence. Therefore, this article aims to make you aware of the 5 biggest threats your business might face.

The 5 biggest threats

1. Stolen laptops and mobiles
It is astonishing how much data is stolen or compromised when the devices used by employees are stolen. Whoever has access to the device can access the company data on it and use it as he or she wishes. Therefore, it is absolutely essential for businesses to encrypt all data that is transferred to an employee’s portable device. This ensures that the data remains protected in the event that the device is stolen.
2. Unsecured Internet Networks
This is a blatant oversight in your business’s security. Wireless networks are used by all businesses, and even small businesses today have offshore and remote employees who access corporate data from elsewhere. Therefore, having a secure network is important to prevent unauthorized personnel from entering your network and causing problems.
3. Spear Phishing
This is another term for email scams. Email scams are one of the oldest tricks of the trade for gaining access to a user’s system. Hackers quite often send such tampered emails to all employees of a company in the hope that one of them falls for it. These attacks spread like wildfire, so if one employee’s system is affected, the entire network could be compromised soon enough. This is something employees should keep an eye out for as well, since such emails are usually simple to spot.
4. Malware
Malware is any code that has malicious intent and the capability to cause serious problems in your system. Malware comes in different types, but it can be warded off by keeping good anti-virus and anti-malware software on hand. It is also important to update your anti-virus regularly.
5. Insider Threats
This is something that is not always the case but is always a possibility. An employee holding a grudge against your company might take things further by mishandling your sensitive corporate data. To prevent such a thing from happening, make sure employees have differing access to corporate data according to their rank in your company. It is also wise to record the activity of all employees, big or small, to know if something is amiss.
Conclusion
We saw in this article how small and medium businesses can be targeted. The amount of money to be spent on security systems is by no means huge. All it takes is a little background knowledge to invest right, rather than investing big.

Laboratory and Online Malware Analysis

Your Network has been compromised by a Virus, Worm, Trojan, a botnet client or some other form of Malware. As the Systems or Network Administrator, you know Malware Analysis is necessary because your system (or network) has been exposed. The goal is to figure out what that malware has done so you can determine the destruction or damage caused by this activity. You also need to figure out the threat or vulnerability your company has been exposed to, and determine whether there is a risk that information is leaving your enterprise.

Depending on the nature of your business (Cybersecurity facilitates the conduct of business), the Administrator investigates to determine if there could be damage to individual users (or consumers) through the loss of credit card or personal information. The Administrator must also check to see if there is damage to the company through the loss of intellectual property that the Malware has caused to be taken. An initial assessment of the loss or damage is made. Although Malware attacks have permeated every platform, the Windows environment remains the most popular platform (to attack) among Malware authors.

The security-minded Administrator will have a Virtual or traditional controlled (isolated) laboratory set up to examine Malware specimens. The Virtual lab allows the Administrator to run multiple clients or servers (and multiple operating systems) on a single computer system to examine how Malware specimens interact with other computer systems within a network. The Virtual lab also allows you to record the state of a system or network (before the Malware is introduced) by taking snapshots. This also allows the Administrator to return a system or network to its original state after the analysis is complete.

Networking in the Virtual environment allows the Administrator to observe the Malware exhibit its full potential in a controlled environment as the malicious program reveals its network interactions. When you employ this laboratory setup, you must use a large hard drive (for the virtual machine files on the physical system’s hard drive) and you must install as much RAM into the physical system as you can (an important performance factor for virtualization tools). You will employ an inexpensive hub or switch where applicable.

Professional Malware writers have begun producing Malware that can detect if it is being run in a virtualized environment. This makes it practical to also have physical machines available as laboratory systems. The Isolated Test Lab is a necessity for proper analysis and for developing the skills critical to an Administrator and Incident Response (IR) team responding to security incidents. The free tools that will aid the Administrator’s analysis in the lab are:

  1. Network monitoring: Wireshark – We can use this network sniffer to observe lab traffic for malicious communications
  2. Process monitoring: Process Explorer (and Process Hacker) – These can replace Windows Task Manager and let us observe malicious processes.
  3. Change detection: Regshot – We can compare the system’s state (Registry and File System) before and after the infection.
  4. File system and registry monitoring: Process Monitor (with ProcDOT) – We can observe how local processes read, write, or delete registry entries and files. These tools can help you understand how malware attempts to embed into the system upon infection.
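As an added example (not part of the original post), the following Python script does for the file system what the change-detection step above describes: it snapshots a lab directory tree before a specimen runs, snapshots it again afterward, and reports the files that were added, removed or modified, with SHA-256 digests you can use to look up a changed file by hash. The directory layout, file names and "infection" changes are constructed for the demo; in a real lab the two snapshots would bracket the run of the specimen.

```python
"""Regshot-style change detection for a lab directory tree (added example).

Records (SHA-256, size) for every file under a root, then diffs a "before"
snapshot against an "after" one. The demo builds a throwaway directory and
simulates changes, so it runs offline; nothing malicious is executed.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large samples do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> dict:
    """Map relative path -> (digest, size) for every regular file under root."""
    root_path = Path(root)
    state = {}
    for dirpath, _dirnames, filenames in os.walk(root_path):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                rel = p.relative_to(root_path).as_posix()
                state[rel] = (sha256_of(p), p.stat().st_size)
    return state


def diff_snapshots(before: dict, after: dict) -> dict:
    """Sort paths into added / removed / modified by comparing the two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: snapshot, simulate an infection's side effects, snapshot again."""
    with tempfile.TemporaryDirectory() as lab:
        root = Path(lab)
        (root / "Windows").mkdir()
        (root / "Windows" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "Users").mkdir()
        (root / "Users" / "report.docx").write_bytes(b"PK\x03\x04 constructed sample")
        before = snapshot(lab)

        # Simulated changes only (constructed): a modified system file, a deleted
        # user document and a dropped executable-looking file.
        (root / "Windows" / "hosts").write_text("127.0.0.1 localhost\n0.0.0.0 example.invalid\n")
        (root / "Users" / "report.docx").unlink()
        (root / "Windows" / "dropped_sample.exe").write_bytes(b"MZ constructed dropped file")
        after = snapshot(lab)

    changes = diff_snapshots(before, after)
    for kind, paths in changes.items():
        for p in paths:
            digest = after.get(p, before.get(p))[0]  # hash to look up on a scanning service
            print(f"{kind:8} {p}  sha256={digest}")
    return changes


if __name__ == "__main__":
    demo()
```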

An Administrator who has gained a sense of the key capabilities of the malicious executable may seek to discover details of the Malware’s characteristics through code analysis. There are disassemblers, debuggers and memory dumpers freely available that will assist with the process of reverse engineering the malicious executable.

Malware Behavioral Analysis

Behavioral Analysis of the Malware specimen we have isolated allows an Administrator to figure out what the Malware has done and what it is capable of doing as it interacts with its environment. When we are subject to a Malware attack, we can see if it maintains contact with an attacker, what actions it performs within an infected system and how it spreads. Analyzing the Malware in a controlled (isolated) environment can answer all of our IR questions and guide the IR team to the proper response.

In the case of zero-day infections (for which no signatures exist yet), the IR team has a virus loose on the system or the network performing tasks that are contrary to operations, while the Administrators don’t really know what it is doing. The antivirus software does not yet have up-to-date signatures, so it does not remove the Malware. We must take precautions to isolate the malware-analysis lab from the production network, to mitigate the risk that a malicious program will escape (and infect the operations environment).

Online Malware Analysis Tools

There are many websites that can be of assistance in performing malware analysis. Because of the overwhelming amount of malware we are inundated with, and the destructive nature of what it does, people are concerned enough to understand the value of malware analysis. There are many sites that will perform the malware analysis for you.

The first website we will mention is “Virus Total”. It is a community-driven website. It allows you to upload a file and have “Virus Total” perform the analysis. The site will analyze your upload and tell you if it’s a piece of malware, identified by name or class, and give you some understanding of what that malware has done or what it can do, which gives the user a better understanding of what they are dealing with.

A second website I would like to mention is “Cuckoo”. It gives you the ability to perform an analysis from file properties and from a hash of the file. “Virus Total” looks at the characteristics of the file that has been uploaded. “Cuckoo” will actually run the software for you and capture what is going on in real time.

This is actually done in a very safe environment. It performs these actions through the use of virtual machines. “Cuckoo” automates the process with virtual machines running the executable malware so we can actually see what is going on in the machine or on the network. Basically, “Cuckoo” is a virtual sandbox that allows us to observe and analyze malware.

There are other websites that perform free automated behavioral analysis (malware analysis) on compiled Windows executables (that an Administrator may supply). The primary difference is each website employs a different analysis technology on the back end. The advantage for the Administrator (who is submitting the executable) is that it broadens the field of analysis on the executable. These tools include:

Anubis

BitBlaze

Comodo (Automated Analysis System)

EUREKA

Malwr

ThreatExpert

Conclusion

When we have software that is being used for malicious purposes, the Administrator needs to understand what is happening on the systems or network. The Administrator needs to know the damage this piece of executable software has introduced into the network so we can determine what contingency to undertake to correct the problem. The Administrator can also figure out what is needed to protect the network or recover from the malicious activity that has gone on with this malware that was introduced into operations.