Categories
Security

How to protect against Labor Day ransomware attacks

Over the last major American holiday weekend, the Fourth of July, IT solutions developer Kaseya announced it had become the victim of a ransomware attack, one that cascaded down the software supply chain and impacted more than 1,500 businesses.

Kaseya isn’t the first and certainly won’t be the last victim of a cyberattack over the holidays. In fact, cybercriminals love to pounce when IT and security teams are out of the office for an extended time, or when employees let their guard down because they’re about to go on vacation.

That’s why it’s important to stay alert before and during the three-day Labor Day weekend.


Labor Day weekend is nearly here, and I bet many employees’ thoughts have already turned to mini getaways, lazy afternoon binge-fests, or that one last barbeque before the weather turns crisp. Cybercriminals are banking on it, in fact, because the best time to attack is the absolute least convenient time for IT and security teams: weekends and holidays.

In fact, there’s precedent for weekend and holiday ransomware attacks going back at least to the final days of December 2018, when cybercriminals leveled Tribune Publishing and other businesses with Ryuk ransomware during the holiday week. More recently, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory on August 31 warning that they have observed an increase in “highly impactful ransomware attacks” occurring over holidays and weekends in the United States over the last several months.

In the last three months alone, three massive ransomware attacks have hit US critical infrastructure on or leading up to holiday weekends. Just before Mother’s Day in May, cybercriminals dropped DarkSide ransomware on Colonial Pipeline, one of the nation’s biggest suppliers of fuel. After DarkSide actors gained access to the Colonial Pipeline network, they exfiltrated the company’s data, encrypted it, and then threatened to publish it, attempting to extort a ransom payment. The attack resulted in a nearly week-long suspension of pipeline operations, which led to panic-buying, price hikes, and crazy lines at gas stations up and down the east coast.

That same month, JBS, the world’s largest producer of beef and pork, was hit over Memorial Day weekend with Sodinokibi/REvil ransomware. The attack affected all of its US and Australian meat production plants, causing a complete halt in operations. And of course, IT solutions provider Kaseya suffered its breach and subsequent ransomware attack during the Fourth of July holiday weekend. Threat actors exploited a vulnerability in Kaseya’s VSA remote monitoring and management tool, through which they pushed malicious updates to hundreds of organizations, including multiple managed service providers (MSPs) and their customers.

Ransomware has been on a meteoric rise — so much so that John Oliver devoted an entire segment of his HBO show “Last Week Tonight” to the subject last month. While Oliver blamed ransomware-as-a-service (RaaS), the popularity of cryptocurrency, and countries providing safe havens to cybercriminals as the reasons behind ransomware’s ascension, the likeliest answer is simpler. Cybercriminals are opportunistic, and ransomware can easily defeat organizations when they don’t have the proper protection in place. Add to that the fact that IT is usually short-staffed over the holidays, and you have the recipe for disaster.

To avoid the fate of Colonial Pipeline, JBS, and Kaseya, take the following actions before and during Labor Day weekend:

  • Run a deep scan on all endpoints, servers, and any other connected systems to ensure there are no threats waiting to pounce when the lights go off.
  • Make an offline backup of your organization’s most critical data, and verify that you can actually restore from it: a backup that has never been test-restored is an assumption, not a safeguard.
  • Run any necessary OS or software updates on endpoints and servers so that known vulnerabilities can’t be exploited while nobody is watching.
  • Employ stricter access requirements for sensitive data, such as multi-factor authentication (MFA).
  • Shut down all non-essential systems and endpoints on Friday evening.
  • Ensure there is always someone watching the network during the holiday, and make sure they are equipped to handle a sudden attack situation.

For more ways to stay safe from ransomware over the holiday weekend, check out this blog from Malwarebytes Labs: https://blog.malwarebytes.com/101/how-tos/2021/08/how-to-stay-secure-from-ransomware-attacks-this-labor-day-weekend/

For the joint statement by the FBI and CISA on increasing ransomware attacks over the holidays: https://us-cert.cisa.gov/sites/default/files/publications/AA21-243A-Ransomware_Awareness_for_Holidays_and_Weekends.pdf

And to watch the John Oliver episode on ransomware: https://youtube.com/watch?v=WqD-ATqw3js


Kaseya ransomware strike reveals a disturbing new trend in cyberattacks

Over the same weekend America celebrated its independence, Kaseya, an IT solutions developer for managed service providers (MSPs) and enterprise clients, announced it had become the victim of a cyberattack. But this wasn’t your garden-variety ransomware assault. Those days appear to be behind us now.

Once again striking the now-endangered supply chain, cybercriminals leveraged a vulnerability in Kaseya’s VSA software against multiple MSPs and their hundreds of small business customers. Where SolarWinds had only recently gained infamy as the country’s largest supply chain attack, Kaseya is eerily reminiscent—and likely not to be the last.

Kaseya ransomware attack: The new normal

On July 2, MSP solutions provider Kaseya started receiving reports of “suspicious things happening” with its VSA software program, a remote-monitoring and management tool for networks and endpoints. Within an hour, the company had shut down its SaaS VSA servers and told on-premises customers to shut down theirs immediately.

Kaseya CEO Fred Voccola said that less than 0.1 percent of its roughly 40,000 clients were affected by the breach. However, as a provider of technology to MSPs, which in turn provide services to other companies, Kaseya is at the center of a wider software supply chain. Current estimates are that about 1,500 businesses were impacted downstream.

So how did cybercriminals pull off their attack within an attack? This was no ordinary, broad ransomware campaign sweeping up any enterprise fish it might catch in its net. The attack on VSA customers was delivered through an automatic, malicious update of the platform, which pushed the REvil ransomware variant, also known as Sodinokibi.

To reach the MSPs using VSA, the attackers did not need to breach Kaseya’s own corporate network. They exploited a vulnerability in internet-facing, on-premises VSA servers run by MSPs, a flaw that had already been reported to Kaseya and that the company was actively working to correct. The fix had not yet shipped to on-premises customers when threat actors made their move, which is why the company’s first advice was simply to take those servers offline.

During the attack, cybercriminals shut off administrative access to VSA and disabled several protections within Microsoft Defender. If clients didn’t take their VSA servers offline, they were served the malicious update. And if they didn’t have another security vendor layered on top of Defender, they were greeted with a ransom note and all of their files were encrypted. Customers of Malwarebytes were shielded from this attack, and with features such as tamper protection and uninstall protection enabled, they are better positioned against similar attempts to switch off endpoint security before a payload runs.
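The step above, an attacker switching off Defender protections before the payload lands, is also one of the few noisy things such an attack does on the endpoint. The following is an added example, not code from the page, Kaseya or Malwarebytes: a small Python detector that scans PowerShell script-block log lines (the text Windows records as event 4104 when script block logging is enabled) for Set-MpPreference switches that disable Defender features, cloud-reporting settings turned off, and Add-MpPreference exclusions. The cmdlet names and parameters are real; the log lines are constructed for the example.

```python
"""Flag PowerShell commands that weaken Microsoft Defender.

Added example for this post; not code from the page, Kaseya or Malwarebytes.
It scans PowerShell script-block log lines (the text Windows records as
event 4104 when script block logging is enabled) and reports commands that
switch Defender features off, turn off cloud reporting, or add exclusions.
The log lines at the bottom are constructed for the example.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    line_no: int
    reason: str
    command: str


# Any Set-MpPreference -Disable* switch set to $true reduces protection
# (e.g. -DisableRealtimeMonitoring, -DisableIOAVProtection,
# -DisableIntrusionPreventionSystem, -DisableScriptScanning).
_DISABLE_RE = re.compile(r"-(Disable\w+)(?:\s+|:)\$?(?:true|1)\b", re.IGNORECASE)
# -MAPSReporting 0 turns cloud-delivered protection reporting off.
_MAPS_RE = re.compile(r"-MAPSReporting(?:\s+|:)(\d)", re.IGNORECASE)
# -SubmitSamplesConsent 2 means "never send" samples to the cloud.
_SAMPLES_RE = re.compile(r"-SubmitSamplesConsent(?:\s+|:)(\d)", re.IGNORECASE)
# Add-MpPreference exclusions carve paths, processes or extensions out of scanning.
_EXCLUSION_RE = re.compile(r"-(Exclusion(?:Path|Process|Extension))\b", re.IGNORECASE)


def analyze(lines):
    """Return one Finding per command element that weakens Defender."""
    findings = []
    for line_no, raw in enumerate(lines, 1):
        cmd = raw.strip()
        lowered = cmd.lower()
        if "set-mppreference" in lowered:
            for m in _DISABLE_RE.finditer(cmd):
                findings.append(Finding(line_no, f"{m.group(1)} set to true", cmd))
            m = _MAPS_RE.search(cmd)
            if m and m.group(1) == "0":
                findings.append(Finding(line_no, "MAPSReporting disabled", cmd))
            m = _SAMPLES_RE.search(cmd)
            if m and m.group(1) == "2":
                findings.append(Finding(line_no, "sample submission set to never", cmd))
        elif "add-mppreference" in lowered:
            for m in _EXCLUSION_RE.finditer(cmd):
                findings.append(Finding(line_no, f"{m.group(1)} exclusion added", cmd))
    return findings


def is_tampering(lines):
    """True if any line in the log weakens Defender."""
    return bool(analyze(lines))


# Constructed script-block log lines; not real artifacts from the Kaseya attack.
SAMPLE_LOG = [
    "Get-MpComputerStatus",
    "Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true",
    "Set-MpPreference -MAPSReporting 0 -SubmitSamplesConsent 2",
    "Add-MpPreference -ExclusionPath 'C:\\Temp\\agent'",
    "Set-MpPreference -DisableRealtimeMonitoring $false",
    "Get-ChildItem C:\\Temp",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason}")
```

Setting a switch back to $false (line 5 of the sample) is deliberately not flagged; only the weakening direction is interesting. In practice the same logic runs over forwarded 4104 events in a SIEM, and a hit on a server that also runs a remote management agent deserves an immediate look.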

On July 4, the criminals behind REvil staked claim to the attack and demanded $70 million from Kaseya in return for a universal key, later amended to $50 million. They asserted that more than a million systems were impacted, yet their key could restore all in less than an hour — both controversial and dubious allegations, at best. Still, there’s no doubt they pulled off one of the largest ransomware attacks in history.

In fact, you know you’ve “made it” as a cybercriminal when your attack is used as bait for other phishing scams. In the wake of Kaseya, Malwarebytes researchers discovered opportunistic carrion fish had launched a malspam campaign to exploit companies eagerly awaiting the VSA patch so they could bring the platform back online. The email contained both a malicious link and attachments that dropped a Cobalt Strike payload, a commercial post-exploitation tool that gives the attacker remote control of the machine.

By July 12, Kaseya had released its patches, disclosed its vulnerabilities, and brought the majority of its VSA servers back online. However, the company remained mum on whether or not it would pay the ransom. The REvil affiliates behind the attack could go around Kaseya to negotiate with each of the 1,500 businesses affected. However, threat actors may be wary of creating thousands of “paper trails” on the Bitcoin blockchain now that law enforcement has trained its eye on cryptocurrency as a means of attribution.

Unfortunately, these more aggressive efforts by authorities don’t appear to be slowing or scaling down cyberattacks — at least, not yet. Assaults against organizations have increased steadily in frequency, volume, and sophistication over the last five years — from exploiting vulnerabilities to breach a single enterprise to using such vulnerabilities to gain administrative access to software used by tens of thousands of companies and their millions of customers.

These cascading attacks on supply chain software like SolarWinds and Kaseya are two data points in a greater, more worrying trend: Organizations are increasingly dependent on Internet-connected remote administration tools, and those tools are rife with flaws. Threat actors are aware of both, and we can expect them to continue to target and exploit those flaws, all while creating chaos in the supply chain, disrupting operations, and raking in the Bitcoin.

Security administrators can no longer look away from a problem that impacts the very tools they rely on to do their jobs. They must inventory the software products used in their organization, identify the known vulnerabilities in them, and ensure those vulnerabilities are patched as soon as possible, and they must vet new software with an eagle eye. Consistent testing, communicating with employees and customers, and updating IT tools and servers, as well as implementing multiple layers of security, is the type of vigilance required to stave off massive breaches. And even then, it’s no failsafe unless the rest of the security community steps up to meet the challenge of cascading cyberattacks.

We need more security researchers and security-conscious developers to devote time and effort to combatting today’s vulnerabilities and preventing future, similarly-flawed products from entering the market. Software engineers must take greater care with borrowing outdated code from online repositories without testing for errors, such as weak encryption or default passwords. Vendors should also invite third-party reviewers to analyze source code created in-house before providing clients with a software bill of materials itemizing components and vulnerabilities.

The cooperation doesn’t stop there. Countries should better incentivize independent security research so analysts aren’t afraid to report their findings. Bug bounty programs are well and fine, but often their payouts aren’t substantial enough to compete with what the gray or black market will pay for the same bug. The $10 million reward offered by the US government for information leading to the identification or location of a nation-state threat actor is a healthy start, though.

What’s clear is that individuals — and even well-stacked IT departments — can no longer be solely responsible for their own cyber protection. To truly combat these increasingly sophisticated cascading attacks in the future, it will require an institutional shift in thinking that brings the top security minds together in lockstep.

We’ll need international cooperation and aggressive action from government and law enforcement. 360-degree security up and down the supply chain, branching out to fourth- and fifth-tier parties. Smart and secure development of Internet-connected software, as well as layers of security to stop breakthrough breaches. And a collective awareness by all that cybercrime has evolved and we can no longer turn the other cheek.

To learn more about the technical details of the Kaseya attack, check out this blog from Malwarebytes Labs: https://blog.malwarebytes.com/cybercrime/2021/07/shutdown-kaseya-vsa-servers-now-amidst-cascading-revil-attack-against-msps-clients/


Business email compromise cost businesses $1.8B in 2020

I know looking back at 2020 for any reason can be a less-than-appealing thought. But in the case of business email compromise (BEC), it would not only be a dangerous oversight, but a costly one. In fact, last year BEC cost organizations nearly $2B.

That’s what the FBI found (among many other unsavory finds) in its annual Internet Crime Report released March 17. The report states that BEC losses totaled more than $1.8B. And although the FBI received far more complaints about phishing scams, which accounted for only about $54 million in losses, BEC far outpaced phishing in financial damage, underscoring its tremendous cost, and the need for more awareness.

Last week, the FBI issued another warning to state, local, and tribal governments about BEC — unfortunately, the BEC attacks do not appear to be slowing in 2021.

BEC a growing problem for organizations

People complained to the FBI about business email compromise (BEC) 19,369 times in 2020. That sounds like a hefty number… until you stack it up against the $1.8B in collective losses caused by BEC, according to the FBI’s annual Internet Crime Report. If we divide the cost of BEC losses among the 19,000+ victims evenly, that’s an average of a little less than $100,000 per business. That’s not a loss many businesses could take on the chin lightly.

While BEC might have barely cracked the top 10 most-reported cybercrimes in 2020, it blew away the competition in victim losses. The second-most costly crime was confidence fraud/romance scams at around $600 million, over $1B less than BEC, and it’s not a cybercrime particularly targeted at businesses.

Yet how many could tell what business email compromise looks like? How to spot a BEC scam and properly report it? The best methods to protect against it? Last year, BEC was the most expensive cybercrime, yet it was reported far less often than phishing and its counterparts (vishing, smishing, and pharming), which ensnared nearly 250,000 victims in 2020, according to the FBI report.

If you’re wondering why I didn’t mention ransomware, it’s because the $29 million in losses reported to the FBI do not paint an accurate picture of the total devastation ransomware wreaked on businesses last year. The FBI’s figure is so low because it doesn’t reflect estimates of lost business, time/productivity, wages, customer and company data, equipment, or any third-party remediation services acquired. Which makes the $4.2B in total losses reported from cybercrime in 2020 that much more nauseating.

Getting back to BEC, last week, the FBI warned state and local governments that the onslaught of BEC attacks is not slowing in 2021. The organization issued a Private Industry Notification stating that these smaller government organizations are being targeted by BEC attackers because they have inadequate resources and cybersecurity controls. The FBI cites two risks contributing to these attacks: the move to remote work and the failure to provide sufficient training to the workforce.

So what does business email compromise, or email account compromise (EAC) as some call it, actually look like? BEC/EAC is a sophisticated scam that targets both businesses and individuals that are transferring funds. BEC typically happens when a threat actor compromises a legitimate business email account through social engineering or computer intrusion techniques to conduct unauthorized transfer of funds.

But as cybercrime has evolved, so have BEC/EAC attacks. In 2013, BEC/EAC scams routinely began with the hacking or spoofing of CEO or CFO email accounts. Fraudulent emails were sent to unknowing recipients requesting wire payments. Not wanting to question the directions of their superiors, employees typically responded by sending the money first, asking questions later.

Over the years, BEC has evolved to include compromising not just business emails, but personal, vendor, and lawyer email accounts as well. Fraudulent requests have expanded to include W-2 information, large amounts of gift cards, and other personally identifiable information (PII).

In 2020, the Internet Crime Complaint Center (IC3), the FBI’s arm for receiving and analyzing cybercrime complaints, observed an increase in the number of BEC/EAC complaints related to sophisticated, multi-pronged cyberattacks. In these variations, an initial victim is first scammed via extortion, tech support scam, romance scam, etc. into providing the criminal with PII. The PII is then used to establish a bank account that will receive stolen BEC/EAC funds, which are then exchanged for cryptocurrency.

Try getting out of that mess! Actually, as with most cybercrime, the best protection is prevention. Here are a few tried and true tips for protecting against BEC/EAC.

  • Keep an eye on the usual phishing red flags, such as odd formatting, bad grammar, or false email addresses.
  • Mind the money: BEC emails typically target someone with access to financial records/finances and may make strange payment requests, such as wiring money to an unknown location.
  • Pay special attention to emails sent by people claiming to be accountants, lawyers, or executives, especially those with a sense of urgency. They may be trying to convince you to wire money in support of a business deal, such as an acquisition. Even if the deal is real, the request may not be.
  • Watch out for vendor email compromise, especially an attack where a threat actor has successfully infiltrated a vendor’s email account. The sender’s domain name is genuine and the transaction may seem legitimate, often with proper documentation attached (because the account has been hacked, not spoofed). However, the processing details direct payment to a different account controlled by the scammer.
  • Add BEC/EAC awareness to your company’s security training regimen. Your IT/security team should be able to recognize a standard phish from BEC, and your other employees should at least get a sense that something’s not right with this email. Anyone working directly with vendors, processing payments, or handling financial records should sit for this training as well.
  • Training alone isn’t enough. You need a process. Employees targeted by BEC are typically mid-level and might be nervous approaching an executive, lawyer, or other purported requester to verify unless there is an accepted protocol for reporting potential fraud. That protocol should require verifying any payment request or change of bank details out of band, by calling a number already on file, never one taken from the email itself.
  • Build a layered defense with technical controls, including multi-factor authentication, encryption, virtual private networks (VPNs), and enterprise security software, like Malwarebytes Endpoint Detection and Response.
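The red flags in the list above are the kind of thing a mail-security team can partly automate. What follows is an added example, not code from the page, the FBI or Malwarebytes: a Python scorer that checks each message for an executive’s display name on an outside address, a sender domain a character or two away from a trusted one, a Reply-To that points elsewhere, urgency combined with payment language, and the vendor-compromise case where a genuine vendor domain asks to change bank details (which no domain check can catch, so it is routed to out-of-band verification rather than blocked). The company domain, executive names and vendor domains are assumptions, and the sample messages are constructed.

```python
"""Heuristic triage for business email compromise (BEC).

Added example for this post; not code from the page, the FBI or Malwarebytes.
CORP_DOMAIN, EXECUTIVES and VENDOR_DOMAINS are assumed values; SAMPLES are
constructed messages.
"""
import re
from dataclasses import dataclass, field

CORP_DOMAIN = "example-corp.com"          # assumed company domain
EXECUTIVES = {"pat lee", "sam ortiz"}     # assumed executive directory (lowercase)
VENDOR_DOMAINS = {"acme-supplies.com"}    # assumed trusted vendor domains

URGENCY = re.compile(r"\b(urgent|immediately|asap|right away|today|confidential)\b", re.I)
PAYMENT = re.compile(r"\b(wire|gift cards?|w-?2|invoice|payment|remit)\b", re.I)
BANK_CHANGE = re.compile(r"\b(new|updated|changed?)\s+(bank|banking|account|routing)\b", re.I)


@dataclass
class Message:
    from_name: str
    from_addr: str
    reply_to: str
    subject: str
    body: str


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def label(self):
        if self.score >= 5:
            return "escalate"   # treat as an attack: hold and notify security
        if self.score >= 3:
            return "verify"     # hold until confirmed out of band
        return "ok"


def levenshtein(a, b):
    """Edit distance, used to spot domains one or two characters off a trusted one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def lookalike(domain, trusted):
    """Return the trusted domain this one imitates, if it is within 2 edits of it."""
    for t in sorted(trusted):
        if domain != t and levenshtein(domain, t) <= 2:
            return t
    return None


def score_message(msg):
    v = Verdict()
    dom = domain_of(msg.from_addr)
    text = f"{msg.subject}\n{msg.body}"

    # Executive display name on an address outside the company.
    if msg.from_name.strip().lower() in EXECUTIVES and dom != CORP_DOMAIN:
        v.score += 4
        v.reasons.append(f"executive name '{msg.from_name}' on outside address @{dom}")
    # Lookalike of the company or a trusted vendor.
    imitated = lookalike(dom, {CORP_DOMAIN} | VENDOR_DOMAINS)
    if imitated:
        v.score += 3
        v.reasons.append(f"sender domain {dom} imitates {imitated}")
    # Replies silently routed somewhere other than the sender.
    if msg.reply_to and domain_of(msg.reply_to) != dom:
        v.score += 2
        v.reasons.append(f"Reply-To goes to @{domain_of(msg.reply_to)}, not @{dom}")
    # Urgency plus money is the classic CEO-fraud combination.
    if URGENCY.search(text) and PAYMENT.search(text):
        v.score += 2
        v.reasons.append("urgent payment language")
    # Bank-detail changes always need a phone call, even from a real vendor domain.
    if BANK_CHANGE.search(text):
        v.score += 3
        if dom in VENDOR_DOMAINS:
            v.reasons.append("trusted vendor changing bank details: confirm by phone on a known number, not one from this email")
        else:
            v.reasons.append("request to change bank details")
    return v


# Constructed sample messages for the example.
SAMPLES = [
    Message("Pat Lee", "pat.lee@example-corp.co", "pat.lee.ceo@gmail.com",
            "Urgent wire transfer needed today",
            "I'm in a confidential acquisition meeting. Please wire $48,000 immediately; details to follow."),
    Message("Sam Ortiz", "sam.ortiz@example-corp.com", "",
            "Q3 budget review", "Please send me the invoice list before Friday."),
    Message("Accounts Receivable", "billing@acme-supplies.com", "",
            "Invoice 4471: updated banking details",
            "Our bank account has changed. Please remit future payments to the new account in the attachment."),
]


def triage(messages):
    """Return (label, score) for each message."""
    return [(score_message(m).label, score_message(m).score) for m in messages]
```

The weights are deliberately simple: an executive name on an outside address plus a lookalike domain is enough on its own to escalate, while a single bank-detail change from a genuine vendor only lands in the "verify" bucket, because the right response there is a phone call to a known number, not a block.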

For more on the FBI’s Internet Crime Report and the impact of BEC in 2020, read our Malwarebytes Labs blog:
https://blog.malwarebytes.com/business-2/2021/03/report-reveals-the-staggering-scale-of-business-email-compromise-losses/

To read the full Internet Crime Report:
https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf


Greatest cybersecurity hits of 2020

It’s been an unprecedented year for cybersecurity. The pandemic has forced organizations to evolve at breakneck speeds, strong-arming a distributed, remote work model for millions of employees at once — and in the process, leaving corporate networks more vulnerable. Distance learning has brought IT and security issues into every student’s and teacher’s living rooms. The increase in online shopping has lured cybercriminals to take advantage via digital skimming. As we close out this most difficult year, it might appear that the cybercriminals have the upper hand.

Yet as I look back on the scams, phishing campaigns, new malware strains, and sophisticated attacks, I also see teams of IT and security professionals adapting swiftly to wave after wave of obstacles. I see Herculean efforts to keep companies up and running and students learning. I see researchers, analysts, system admins, technicians, directors, and CISOs working together to solve complicated problems. And that makes me hopeful as we head into 2021 and face new challenges. So, let’s take a look back at some of the major cyber events of 2020 and keep their lessons fresh in our minds as we tackle the new year with fortitude, resilience, and renewed optimism.

We may have kicked off this year with 20/20 vision, but none of us had the foresight to predict what was to come. Not long after the beginning of the year, the coronavirus hit in the United States and its first impacts to cybersecurity were cancellations of major conferences. However, as cases rapidly increased through March, it became clear that we had to hunker down and stay in our homes. This, of course, brought on a massive shift to remote work.

For resources on the impact of working from home on security:

As more and more states issued social distancing, masking, and shelter-in-place orders, cybercriminals (ever the opportunists) capitalized on the rising fear with COVID-19 misinformation campaigns, phishing emails that dropped Emotet payloads, and even APT attacks using the coronavirus as a lure. Here are a few stories featuring the ways in which threat actors leveraged public fear and confusion about the virus to their advantage:

Meanwhile, cyberattacks on organizations, a carry-over trend from 2019, picked up pace on SMBs through large enterprise. The malware of choice? Ransomware. Ransomware variants became stealthier and harder to remove as the threat actors behind them became bolder, double-dipping on extortion and raising ransom prices through the roof. Here are just a few of the notable ransomware attacks of 2020:

Attacks on ecommerce platforms, schools/distance learners, and of course the latest discovery of the alleged Russian hack of federal government agencies and IT/security companies round out an astonishing year in cybersecurity. In comparison, the entire previous decade seems pretty tame!

For other takes on the year in cybersecurity, take a look at the following: https://www.techradar.com/news/2020-could-be-the-worst-year-in-cybersecurity-history

https://www.govtech.com/blogs/lohrmann-on-cybersecurity/2020-the-year-the-covid-19-crisis-brought-a-cyber-pandemic.html

And for a look ahead at 2021, Security Magazine has five predictions: https://www.securitymagazine.com/articles/94223-cybersecurity-predictions-for-2021


Paying the ransom. Damned if you do, damned if you don’t

There isn’t a person on Earth who would argue that 2020 has been a good year for fighting viruses. Turns out, it’s also been a tough one for ransomware.

While ransomware attacks have been arguably ramping up since 2016, it was 2020 that rained expensive ransom threats down on companies from a wide range of increasingly dangerous and emboldened cybercriminal gangs. Ryuk, Sodinokibi, Maze, and others doubled down on their dastardly deeds by not only encrypting and withholding sensitive data, but threatening to make it public.

In a stunning end-of-the-year development, ransomware actors showed belligerent persistence by cold calling organizations that refrained from paying the ransom or targeting them with an angry Facebook ad campaign. Meanwhile, cybercriminals have increasingly been hanging onto the files of those that do pay the ransom, for auction or for a second round of extortion. It seems like businesses are either damned if they pay the ransom, or damned if they don’t. So what’s the right move?

Ransomware authors push the envelope, emboldened by success

Ransomware authors are having a field day — or rather, a field year. In 2019, the average ransom payment was $41,000. A year later, it was $234,000, about a 470 percent increase. Ransom demands have skyrocketed in 2020, as have their frequency and potency. Even if organizations are following security best practices by ignoring ransom notes and restoring from backups, they can no longer claim victory. In fact, businesses can run into trouble whether they refuse to pay the ransom or pay in full.

Victims of ransomware attacks who don’t compensate their captors are now rewarded with a not-so-friendly phone call from cybercriminals, marking an escalation in tactics that include threatening to notify journalists of the breach or leaking data onto public sites. Ransomware gangs such as Maze, Ryuk, Conti, and Egregor/Sekhmet have been engaging in these cold calls as far back as August, often dialing from a call center and using a script. The callers make vague threats about continuing to monitor victim endpoints and issue an ultimatum: Pay up now or the problems with your network “will never end.”

To add insult to injury, the threat actors behind Ragnar Locker ransomware have cooked up a similar scheme, this time pressuring victims into paying via fraudulent Facebook ads. According to Brian Krebs, one such ad was taken out against Italian beverage company Campari Group, which had already publicly acknowledged a malware attack. Cybercriminals used hacked accounts to pay for the ads, which Facebook did eventually detect as a scam, but not before displaying them to thousands of people.

On the flip side, ransomware gangs are increasingly failing to make good on their promise of deleting stolen data once the ransom has been paid. Back in 2019, Maze introduced the idea of double extortion — ransoming data plus threatening to release it publicly — and other ransomware operators followed suit, dumping sensitive files onto data leak sites. Over the summer, Sodinokibi took this a step further. When threatening victims to pay up didn’t work, they began auctioning off their stolen data online, charging hefty prices to the highest bidder (often a competitor).

These tactics reveal an uncomfortable truth: There’s no way to tell whether a cybercriminal group has actually deleted the files they promise to delete after you pay the ransom. According to Coveware’s Q3 2020 report on ransomware, groups such as Sodinokibi, Conti, Maze, Sekhmet/Egregor, Mespinoza, and Netwalker are using fake data as proof of deletion or even re-extorting the same victim.

So, what’s an IT/security professional to do? The FBI’s official position has shifted over time: first it stayed mum on the topic, then it stated that it does not advocate paying the ransom, while acknowledging that organizations facing a total inability to function will weigh all options. For a while, many in the security industry were inclined to agree. But that’s a tough pill to swallow for individuals. Would you pay a $200 ransom to return your PhD thesis, which represents months of work? What about for pictures of your baby’s first year?

As ransomware actors become more and more aggressive — not just stealing data and threatening to release it, but interrupting operations in hospitals, schools, and cities — some in the security industry have changed their tune. There are many who believe that in rare cases, organizations should try to negotiate for their most important files back. An entire industry of cyber insurance providers has popped up to provide companies with cover, should their files be ransomed for exorbitant amounts.

The long and short of it is there’s no one-size-fits-all answer when it comes to ransomware. Once again, the best defense against this threat is to avoid infection in the first place. If your security software doesn’t protect against the ransomware authors mentioned above, you may want to consider investing in additional protection.