Categories
Security

Cybercriminal Monday: remote employees and retailers take caution

For the last 10+ years, the post-Thanksgiving shopping bonanza known as Black Friday has courted crowds and controversy, with major retailers deciding to open their doors on Thanksgiving Day to mobs of rabid customers looking for deep discounts.

This year, things look a little different. While some doors will open on Black Friday, many shoppers will choose to look for deals online instead. And even though online shopping will protect consumers from catching COVID-19, there’s no guarantee they won’t pick up a different kind of virus — and pass it on to corporate networks.

Conversely, online retailers and organizations with ecommerce platforms should take extra precautions this year, as cybercriminals have already ramped up their attacks on a wide variety of shopping sites.

Watch out for Black Friday and Cyber Monday pitfalls

As the nation heads into a holiday season on lockdown, we once again face norms-defying circumstances: Thanksgiving gatherings will be much smaller and Black Friday will likely have crowds rushing to their laptops instead of their local malls.

Since the start of the pandemic, online spending has increased by 75 percent. Ecommerce cybercrime has followed suit, with a 25 percent rise in credit card skimming observed in the first month of the pandemic alone. Scams laced with COVID-19 misinformation have tricked thousands into giving out their personal and business data or led to infections of home and corporate networks. And ransomware attacks have taken advantage of a vulnerable and distributed workforce. All this means the stakes are even higher for the coming week of holiday shopping.

In fact, expect stores to extend Black Friday deals through the month and beyond, luring shoppers repeatedly back to their ecommerce pages for maximum return on investment. But the old methods for staying safe while online shopping are not all relevant in today’s threat landscape. For organizations with remote employees who may also use their work device for personal use (or personal device for work activities), it’s prudent to send out reminders this holiday shopping season to keep personal business — especially online purchases — separate from business business. Here are a few you can send to your staff:

  • Just because a website uses HTTPS and has a padlock does not mean it is safe. It simply means that the connection is secure between a particular server and who the website claims to be. But it’s easy for cybercriminals to spoof legitimate sites and have your information be sent to them over a secure connection. All the padlock guarantees is that other cybercriminals can’t interrupt the exchange.
  • To protect against web skimmers, consider equipping personal devices with antivirus software that has web protection, or browser extensions that block malicious content. All work devices should be protected with the same.
  • Avoid clicking directly on targeted ads for a particular deal. Online ads could contain exploits delivered via malvertising, which could deliver malicious payloads or divert users to scam pages. If there’s an ad for a great deal, go directly to the retailer’s website instead.
  • Do not use public WiFi to shop online. Also avoid using the company’s VPN for that purpose. The best bet is to shop from a password-secured home network or to purchase your own VPN for home use.

In addition, online retailers and other ecommerce sites should take particular precautions over the next month to protect against web skimmers or other online attacks. Here’s my advice for staying secure:

  • Keep your site updated to protect against cybercriminals who would exploit vulnerabilities, and that includes shoring up weak code. Make sure any admin access to the site’s backend is protected with a strong, rotating password.
  • Make sure any third parties, including Content Management Systems (CMSes), financial transaction partners, or even libraries of code are free from known vulnerabilities by running all updates or cross-checking code for mistakes.
  • Take preventative measures by implementing safeguards, such as a Content Security Policy (CSR) and Subresource Integrity (SRI).

Best wishes for a safe and happy Thanksgiving holiday!

Categories
Security

How cyber insurance is changing the security industry

As ransomware and other advanced threats continue their assault on businesses, organizations have increasingly turned to cyber insurance providers to help them out of a jam. However, this marketplace isn’t just growing—it’s changing. What was once considered necessary protection in case of file encryption and ransom demands is now an integral part of many businesses’ security infrastructures.

In response to changes in the work environment due to the pandemic, ransomware attacks and extortion techniques have evolved. So, too, has the industry that sprung up to assist organizations that had already been hit. More and more, companies are realizing that yes, they need to shore up preventative security, but they also must have a working plan for the very real potential of getting breached.

According to an October 2020 study by ReportLinker, the global cyber insurance market is expected to grow from $4.8 billion in 2019 to $16.9 billion by the end of 2025, a Compound Annual Growth Rate (CAGR) of 23 percent. After an onslaught of ransomware attacks last year on schools, cities, and government agencies, many organizations doubled down on cyber insurance to cover costs that might arise from another attack, such as investigative teams, remediation and recovery efforts, business interruption losses, digital data recovery, and more.

While the cyber insurance industry drew early criticism from security insiders for potentially juicing ransomware threat actors’ bank accounts, the sentiment has since shifted. In 2017, the NotPetya attack, one of the largest cyberattacks in history, caused $10 billion in damage worldwide. Only 3 percent of those costs were covered by cyber insurance. In the years since WannaCry, NotPetya, and other expensive attacks on businesses, organizations have moved to adopt more robust insurance policies, including coverage for nation-state attacks and hands-on assistance in bolstering existing security policies.

As ransomware attacks have increased in frequency and complexity, ransoming techniques have also evolved, switching the focus away from “simply” encrypting files and requiring a ransom to return them. Where many companies adapted to ransomware threats by instituting regular, automatic backups, cybercriminals returned the volley by threatening to release sensitive data to the public or disrupting operations for ransom.

Cyber insurance, paired with layered security software and employee awareness, can thus provide the additional protection necessary to prevent attacks when possible, and recover from an attack quickly when it’s not. Expect cyber insurance to continue evolving in this direction, filling in technical gaps and not just providing hefty ransom payments. In fact, that’s why we’ve recently partnered with Coalition, a leading cyber insurance provider, to help business customers further reduce their risk of cyberattacks.

To learn more about why cyber insurance should include coverage for state-sponsored attacks, read this article from the Harvard Business Review: https://hbr.org/2020/10/does-your-cyber-insurance-cover-a-state-sponsored-attack

For more information on the Malwarebytes and Coalition partnership: https://go.malwarebytes.com/Coalition-Malwarebytes-Partnership.html

Categories
Security

RegretLocker ransomware encrypts virtual machines

Ransomware, ransomware, ransomware. At this point, the other malware families might be feeling some Jan Brady-level jealousy toward their flashier, more advanced brother. Ransomware is getting all the attention right now—for good reason.

Ransomware attacks have been ramping up in volume and in sophistication over the last year. Corporate targets have had to steel themselves against stealthy spear phishing campaigns, exposed RDP ports, zero-day exploits, and more. Now they have to worry about their virtual machines.

Using a combination of advanced attack techniques, a new ransomware family discovered in October called RegretLocker is able to encrypt virtual hard drives and close any files open by users for encryption. Why does this matter? RegretLocker is able to execute much more quickly than previous ransomware families and evade detection.

RegretLocker takes ransomware to the next level

RegretLocker ransomware appears fairly simple on the surface. It is accompanied by a short and sweet ransom note (as opposed to a long-winded soliloquy that has become common among ransomware threat actors). It uses email instead of Tor to accept ransom payments. When encrypting files, it applies a harmless-sounding .mouse extension.

But that’s where the simplicity ends. Instead of encrypting large files en masse, which can take a long time, RegretLocker mounts a virtual disk file so that each file may be encrypted individually, speeding up the process. In addition, RegretLocker uses the Windows Restart Manager API to terminate processes on Windows that can keep a file open during encryption, preventing users from salvaging open files.

RegretLocker follows in the footsteps of another ransomware family known as Ragnar Locker, which was first discovered in October 2019. Ragnar Locker deploys virtual machines to victim systems and launches the ransomware from inside. This gives the ransomware access to files on the local disk without being detected by security software deployed on the host system. In September 2020, Maze ransomware authors added Ragnar Locker’s virtual machine tactic to their bag of tricks.

The use of virtual machines by these ransomware families is not for the faint of heart—it’s complex, messy, and requires prior knowledge about the hardware and capabilities of its target networks, including whether or not the services had already been disabled. However, for threat actors looking to select and encrypt specific files quickly, or for those who’ve compromised a system but are looking to crack particularly difficult files, these methods represent the next evolution in a long chain of dangerous developments in ransomware.

What’s more, there are not many ways to protect against these types of ransomware attacks outside of preventing them from happening in the first place. (Though Malwarebytes’ Anti-Ransomware technology blocks RegretLocker from launching.)

What we can take away from these latest developments in ransomware is that cybercriminals have been busy doing what they do best: developing new tricks and workarounds that had previously prevented their malware from being as dangerous as it could be. The best defense, as it has always been, is awareness and proactive protection.

To learn more about RegretLocker ransomware, take a look at our blog on Malwarebytes Labs: https://blog.malwarebytes.com/ransomware/2020/11/regretlocker-new-ransomware-can-encrypt-windows-virtual-hard-disks/

And here is Bleeping Computer’s take on RegretLocker: https://www.bleepingcomputer.com/news/security/new-regretlocker-ransomware-targets-windows-virtual-machines/

For information on Ragnar Locker’s attack on gaming company Capcom: https://threatpost.com/gaming-giant-capcom-ragnar-locker-ransomware/160996/

Categories
Security

Maze ransomware group calls it quits… maybe

2020 has claimed victim nearly 200,000 small businesses across the United States—a gut punch of a statistic. But there’s one group closing up shop that I won’t shed any tears over: Maze ransomware.

Last week, the notorious Maze ransomware group known for corporate targeting and data extortion schemes announced they are shutting down operations. So why aren’t security folks like me rejoicing? First, we’ve seen ransomware families disappear before, only to come back with a smarter business plan for distribution or key updates that increase their potency. Second, never trust the word of a cybercriminal.

Back in May 2019, Malwarebytes researchers discovered a new strain of ransomware known as Maze, distributed via the Fallout exploit kit. Soon after, we found that Maze was spreading indiscriminately through other exploit kits, such as Spelevo, as well as through spam campaigns using documents laced with malicious macros.

As time went on, Maze operators began to adopt a more targeted approach, likely looking for a higher return on investment. They began going after organizations with spear phishing campaigns or by exploiting vulnerabilities in exposed infrastructure. Nothing new there. However, Maze was a pioneer in some regards, as it was one of the first to threaten its victims with leaking sensitive data if the ransom was not paid. Its authors also adopted clever tricks to evade detection by leveraging virtual machines to encrypt files.

Rumors began months ago that the threat actors behind Maze ransomware might be abandoning ship, as several of its affiliates switched to an up-and-coming ransomware family known as Egregor, which likely shares some of its code with Maze. In fact, it’s possible that former Maze developers are the ones behind the Egregor project, which would explain the recruitment of their affiliates.

On November 1, coincidentally my birthday, the group behind Maze released a statement claiming that they were done for good. The error-laden message (more of a rant) went on to claim that the future will be lived entirely online, therefore Maze’s efforts were meant to help prepare companies by forcing them to increase their security—typical rhetoric among delusional criminals who try to reframe their acts as benevolent.

There’s no doubt the Maze developers and distributors made enough money to call it a day. Their so-called press release is perhaps a distraction meant to hide conflicts or internal disagreements. It could also be a smokescreen for a potential shift to Egregor. When a cybercriminal says, “We never had partners or official successors,” you can count on the opposite to be true.

Whether Maze is actually gone, we can’t yet say for sure. We thought Ryuk had vanished earlier in 2020, only to have it return. At the same time, the affiliate shift to Egregor is reminiscent of the shift away from GandCrab to Sodinokibi ransomware in 2019.

Unfortunately, history has shown us that when a crime group decides to close their doors, it’s rarely because they have seen the error in their ways. Because of this, it’s best to continue to guard against, at the very least, the types of attack vectors used by Maze ransomware. I suggest:

  • Updating software and hardware to shore up vulnerabilities (protecting against exploit kits)
  • Boosting protection against brute force attacks and exposed RDP ports
  • Increasing employee awareness on sophisticated spear phishing tactics
  • Segmenting sensitive data into more restrictive servers

For more information on the Maze ransomware group’s retirement, take a look at our blog on Malwarebytes Labs: https://blog.malwarebytes.com/ransomware/2020/11/maze-ransomware-gang-announces-retirement/

For an in-depth threat spotlight on Maze ransomware’s capabilities: https://blog.malwarebytes.com/threat-spotlight/2020/05/maze-the-ransomware-that-introduced-an-extra-twist

For TechCrunch’s take on Maze’s retirement: https://techcrunch.com/2020/11/02/maze-ransomware-group-shutting-down

Categories
Security

Brute force attacks increasing on open RDP ports

Ever watch a procedural cop show where the lead detective is some kind of password savant? Then you know this scene: The detective walks into a suspect’s apartment, finds a locked computer, and, after his partner complains they’ll need NSA hackers to get in, cracks the tricky password in a single try. While I love a good Hollywood cybersecurity gaffe, the truth is Detective Special Skills actually would have a decent chance at getting into that computer if he knew the suspect’s name and attempted using a few of the most popular default passwords today. (I’m looking at you, 1-2-3-4-5.)

But let’s say this suspect is a little more tech savvy and has a stronger, unique password in place. That’s game over, right? No getting in? Unfortunately for us good guys trying to protect our personal or business data, the answer is no. By using brute force attacks that automate trial and error, cybercriminals are able to run thousands or even millions of username and password combinations until they crack the code for credentials.

COVID-19’s grip on the global workforce has remained tight for nearly three quarters, keeping the majority of corporate employees—including technicians, security, and IT staff—confined to their homes. The repercussions of ongoing work-from-home conditions continue to be felt, especially a generally weaker security posture for all organizations, the natural result of having a distributed workforce. One such repercussion is a massive increase in open RDP ports, from 3 million in January 2020 (pre-Covid) to 4.5 million in March (post-Covid).

Cybercriminals of course pounced immediately, and to our detriment, they keep throwing everything they’ve got at us. COVID-19 misinformation, scams, social engineering laced with malware, Emotet and more of its friends, digital card skimmers, targeted ransomware attacks, and now brute force attacks, which themselves are methods of endless, everything-but-the-kitchen-sink attack.

Brute force attacks are typically automated or conducted via application, which allows threat actors to “set it and forget it,” coming back to their target once the app notifies them of a successful crack of the desired credentials. And lately, they’ve been cracking open a lot of RDP ports, exposed to the Internet so that remote workers can access company resources from home or IT staff can troubleshoot employee devices remotely.

Once cybercriminals have brute forced their way into an open RDP port, they can launch ransomware attacks, install keyloggers or other spyware on target organizations, or conduct espionage or extortion—pretty much a nightmare scenario. To protect against brute force attacks and shield RDP ports, I recommend:

  • Limiting the number of open ports
  • Restricting access to RDP ports to only those that need it
  • Enhancing security of the port and the protocol (with security software that blocks malicious IPs from compromised servers, for example)
  • For remaining RDP port users, disabling legacy usernames, rotating passwords, and enabling 2FA

At Malwarebytes, we’re now exploring new protective features to combat rising brute force attacks on open RDP ports. Stay tuned for some news on that soon!

To learn more about brute force attacks on the rise and how to protect open RDP ports, read our blog on Malwarebytes Labs: https://blog.malwarebytes.com/exploits-and-vulnerabilities/2020/10/brute-force-attacks-increasing/

For advice on how to protect RDP access from ransomware attacks: https://blog.malwarebytes.com/security-world/business-security-world/2018/08/protect-rdp-access-ransomware-attacks/

And for a refresher on best security practices for all work-from-home employees: https://blog.malwarebytes.com/how-tos-2/2020/03/security-tips-for-working-from-home-wfh/

Categories
Security

Covid fatigue causes careless behavior, endangers online safety

Because it’s not bad enough that we’ve had to shelter in place, shut down businesses, and stay away from friends and families for months. Now we learn that our natural response to this stress—a type of emotional exhaustion medical professionals call Covid fatigue—puts us in danger, too. Great. Might as well give up now.

The above paragraph is a meta example of Covid fatigue… or at least the beginnings of it. The defeatist attitude is a telltale symptom of this type of fatigue, which should not be mistaken for the fatigue that can sometimes be a symptom of Covid-19 infection. Covid fatigue is instead defined as feeling overwhelmed and exhausted by the conditions brought on by the pandemic and the ever-changing list of rules to follow in order to stay safe.

Those with Covid fatigue are less likely to follow basic social protocols for protecting against the virus. And that, unfortunately, spills over into their online habits as well.

For many of you in IT and security, a lightbulb may have already flickered on. Covid fatigue sounds awfully similar to security fatigue or alert fatigue. Indeed, it’s the exact same principle. And if you’re catching on to how emotional fatigue can lead to self-destructive behavior online (like reusing passwords or exercising less caution opening emails, for example), then guess who else knows?

The most successful threat actors study user psychology so their social engineering tactics can be believable. And those threat actors have been clued into Covid fatigue for a while now.

It’s most important, then, that IT and security leaders guide their employees in fighting back against possible online attacks, remembering basic security hygiene, and combatting emotional fatigue. The last item may require help from your people operations teams, but will ultimately lead to a happier, healthier workforce with energy in reserves.

There’s so much uncertainty with this virus, and that contributes to Covid fatigue, too. But if there’s one thing we can be sure about, it’s that battling this pandemic—and the one we’re facing online—is a marathon, not a sprint.

Read on to learn how to cope with Covid fatigue and stay safe online: https://blog.malwarebytes.com/malwarebytes-news/2020/10/how-covid-fatigue-puts-your-physical-and-digital-health-in-jeopardy/

For background on security fatigue: https://blog.malwarebytes.com/101/2017/04/how-to-fight-security-fatigue/

To see what Johns Hopkins recommends for fighting Covid fatigue: https://www.hopkinsmedicine.org/health/conditions-and-diseases/coronavirus/how-to-deal-with-coronavirus-burnout-and-pandemic-fatigue

On alert/notification fatigue: https://betanews.com/2020/07/09/security-report-alert-fatigue/

Categories
Entrepreneurship

Why your chief executive should wear a hoodie

In the early days of a startup, once your company achieved scale, the technical founder would step back to be replaced with a “professional chief executive”.

This used to be commonplace; everyone from Cisco to eBay went through the management team merry-go-round.

But the tide is turning and there is a growing acceptance that the guy in the hoodie who wrote the code has a unique set of skills that can translate into business success.

RUTHLESS OBSESSION

First, such people are relentlessly fussy about the quality of their products and services. Show me an engineer who is happy to cut corners and I will show you a liar.

Years spent ruthlessly obsessing about the position of a button instils a strong sense of perfectionism.

In a transient world where customer loyalty is everything, meticulous product development is all. All the marketing money in the world cannot replace a poorly built product or service.

RELENTLESS TINKERING

This leads into the second reason why technical co-founders are valuable: we are never happy to sit still.

In a world where business cycles are shortening all the time, if the guy at the top isn’t a relentless tinkerer, then you will be left behind.

This is something that is increasingly true across the board, not just in the tech industry.

The abundance of “labs” and “innovation centres” in everything from the car to the pharma industry is a sign of this.

A willingness to play around with business models and improve legacy processes, often using technical skills as an instigating factor, is tearing down the walls at companies that have dominated for years.

It’s certainly not an overstatement to say that an engineer with a curious mind can build something that in a few years will be eating everyone’s lunch.

Look at Travis Kalanick at Uber, a software engineer sitting atop a six-year-old company that is rewriting all kinds of markets.

This willingness to experiment is a personality trait hard-wired into technical professionals.

CALCULATED RISK

A calculated approach to evaluating risk – and the associated decision-making – is the third area where a technical background can really help a chief executive.

Years of basing decisions on data and gradually iterating products through analytics removes the emotional response.

With more information available to management teams nowadays, this ingrained problem-solving instinct can make the difference between a successful venture and a costly one.

Of course, it’s not all about perfectly calculated business decisions. I will happily hold my hand up to the fact that there are many areas where those with a non-technical background are absolutely crucial.

Until I figure out how to automate the creative and interpersonal skills required by sales and marketing, for example, I am happy to leave this to a specialist team!

This raises an important point, however. I am a strong believer in the benefits of having a technical co-founder in the top spot, as their innate abilities really make a difference.

But in order to realise this value, it is vital to collaborate closely with those who have complementary skills. Every hoodie needs a suit, each Steve Jobs needs a Steve Wozniak.

Note: This is a byline I wrote for City A.M.

Categories
Security

Why Malwarebytes for Mac

As some of you may have already seen, we released Malwarebytes Anti-Malware for Mac last week. Prior to the release of the new product, I was of the mindset that Macs were not vulnerable to malware. So what changed my mind?

Doug Swanson, my former CTO at Malwarebytes (and current board member!) e-mailed me about a cool product called AdwareMedic he had found over the weekend. Doug’s grandmother’s computer, a Macbook Pro, had fallen victim to a search hijacker that was redirecting any links she clicked to advertising content. He ran AdwareMedic and all was well in the world. Doug insisted I take a look at the software, and his story certainly left me intrigued.

Categories
Security

Poor communication can cost you $52,140.60

Over the weekend, I received several cryptic e-mails from my CFO, Mark Harris, asking if I had approved the wire template for “the wire I had requested.” We were in the process of making a few wire transfers on Monday but I had already approved those and communicated that to him. He repeated the question a few times, but I still didn’t think anything of it. He asked me again in person this morning. That’s when I started to dig in.

Categories
Entrepreneurship

Best advice I’ve ever been given

“Marry the believers, divorce the naysayers.”

My CFO said that when I first met him; it’s what his previous CEO used to tell him. Get the wrong people off of the bus and keep the right people on. Unfortunately, this advice is hard to follow most of the time.