Category : Encryption

5 Ways to Spy a Hacker in Your Network

download

1. Search for the telltale signs of a breach. 

Port Scans? Excessive failed log-ins? When a hacker infiltrates an unfamiliar network they need to learn the topology of the network, looking for vulnerable points of access in servers. From this point they can pinpoint administrative users and data stores.

2. Look for a “normal” user performing administrative tasks. 

By using native tools on computers and servers, hackers can stay under the radar for much longer than if they were to use known attack tools. Anti-virus software should pick up on malware and attack tools, but not normal administrative tools. Determining who the admins with the organization are can significantly lessen the worry. Active Directory aids in establishing user roles and privileges with which you can then use to see the applications and devices used by administrators or that are managed by administrators. Awareness about what the administrators within the organization are using, should make it easier to spot when an attacker is looming in the background.  If a hacker takes control of a administrator machine and begins performing tasks, you’ll be able to identify if this is normal or suspect activity.

3. Look for a device using multiple accounts and credentials to access network resources. 

Hackers, both internally and externally, generally steal user account information or generate fake accounts in order to gain access to the network. In order to spy indicative markers of of attack activity, analyze credential usage. Make sure to monitor network traffic and analyze log from the authentication and authorization infrastructure in your network. Extract data and look carefully to see how many systems each user interacts with, and monitor abnormalities.

4. Look for an attacker trying to find valuable data in file servers. 

By figuring out what Windows file shares are accessible, attackers hunt for important data such as intellectual property and banking information, or once they find important data they will encrypt it and the rest is history. A valuable signal would be to spot abnormalities in file share access. This is a preventative measure for spotting both hackers and employees considering insider theft.

5. Look for the command and control activity or persistent access mechanisms. 

Keep an eye on outbound communication. Attackers need to be able to communicate between the Internet and endpoints they control within your network. There could be malware and Remote Access Trojans in your network, so be mindful of indications of malicious software phoning home.

 

 


 

If you would like to educate yourself in more detail about the information presented in this blog post please visit:Five signs an attacker is already in your network

Threats That Are Spoofing Mobile Enterprise Apps

Nicht jede App ist vertrauenswürdig. Manche installieren Schadsoftware, andere klauen Dokumente oder Passwörter. Von diesen sollte man besser die Finger lassen.

Malware has taken to mobile applications, namely those in the enterprise. Enterprise employees use mobile applications to share data, send packages, manage email, and otherwise juggle the needs of a functioning business. Spoofing applications such as Cisco’s Business Class Email app, ADP, Dropbox, FedEx Mobile, Zendesk, VMware’s Horizon Client, and Blackboard’s Mobile Learn app, makes for very dangerous territory. These spoofed applications are nearly identically to the real counterpart, without serious knowledge of information technology you would never know that the FedEx app you are using is really malicious malware. By impersonating these types of enterprise applications, using the brand and packaging name, unsuspecting users become the host of dangerous malware.

Shuanet is a family of malware that automatically roots a device and installs itself on the system. After Shuanet installs itself on the system it proceeds to install more applications without the permission of the user. These applications are pushed to the phone with the intention to continue installing even more applications and more opportunities to fill the unsuspecting device with malware. With each installation of more applications comes aggressive marketing tactics to try to get a user to bite. Rooted devices are essentially in an altered state, when a device is rooted it is usually for the gain of customization, however in order to remain secure one must know how to configure the security, if they do not configure the device properly the device will no longer receive important software updates. Factory resetting a device infected with malware that installs itself on the system partition, such as Shuanet, will not wipe the malware completely from the device. Apps like these continue to download applications that also house malware, which only adds fuel to the fire.

Examples of apps it spoofs: ADP Mobile Solutions, CamCard Free, Cisco Business Class Email (BCE), Duo Mobile, Google Authenticator, VMWare Horizon Client, Zendesk, Okta Verify.

AndroRAT is another family of malware spoofing enterprise applications. Originally AndroRAT was developed by university students for a class project. It was used as a remote administration tool, as it allows a third party to control the device. Well controlling the device also means allowing the software to collect information from the device such as contacts, call logs, text messages, audio from the microphone, and even device location. Not exactly a comforting piece of information. Hidden remote access software allows attackers the ability to control the device and extract data with nearly nothing standing in their way. Most compromising to the enterprise is the continued remote access to a mobile device. This mobile device is carried throughout the day and it is only a matter of time before the device connects to a business network, allowing an attacker to infiltrate Wi-Fi networks and VPNs.

Examples of apps it spoofs: Dropbox, Skype, Business Calendar

 


 

If you would like to educate yourself in more detail about the information presented in this blog post please visit:5 active mobile threats spoofing enterprise apps

Bank Accounts Targeted by Silent Malware

hybrid-banking-trojan-goznym-steals-4m-showcase_image-2-a-9049

 

Another level of sophisticated malware has hit the online banking platform in the form of a virus called “GozNym”. GozNym has already helped hackers steal over $4 million from banks in the United States, Canada, and Europe, according to IBM Security’s executive adviser Etay Maor, who also led forces in discovering the malicious software.

GozNym is a high alert and extremely dangerous malware due to a few contributing factors. One of which being the combination malware. Initial malware infects the machine, installing itself and a second form of malware onto the device. This second form waits in the background until the user decides to visit the web interface of a financial institution, storing the user’s username and password. The encryption level of the malware in this case has been doubled, making it even more difficult to analyze and research. The process is time consuming and often presents little answers as to how to alleviate the machine from the infection.

In addition, GozNym has been shown to be especially more difficult for anti-virus software to detect. Most well informed people aware of the sensitivity of their data, or simply value the life and protection of their computer, already have a noteworthy anti-virus software installed on their machine. Heeding to the advice of information technology professionals. However, if the anti-virus cannot detect the malware then your machine is basically waving it’s hands in the air, asking for trouble. An infection could arise without the user ever being aware of the installation, and all it takes is one visit to their bank’s web portal and the rest is history.

“There might be a million malware strains, but there are only a few families that are active and dangerous and those principal malware families are owned by organized crime, so this could cause very heavy losses in online banking fraud.”

 Don’t use the same password for everything. If hackers can silently get the password to one of your bank accounts without you knowing it, don’t give them more to work with by making that same password the golden key to all of your logins. Password managers are becoming increasingly popular due to the need for multiple passwords for everything. Although this method cannot be called bulletproof, it is a significantly better way to stay safe. The GozNym malware is sophisticated enough to show full bank account balances even after criminals have drained accounts. Try to stay conscious of how you are accessing your banking information. Paper statements for the time being, might be the best practice until a solution is found.


 

If you would like to educate yourself in more detail about the information presented in this blog post please visit: Dangerous New Malware Targets Online Bank Accounts

Kansas Heart Hospital- Paying the ransom still wasn’t enough

bitcoin, ransomware

The Kansas Heart Hospital in Wichita, recently found themselves at the mercy of a ransomware nightmare. Seeing as the demands were not unattainable or extremely high, the hospital decided to simply pay the Bitcoin, thinking that would be the end. Not quite. After the hospital paid the Bitcoin, the hackers decided that the hospital was a willing target for even more money! The hackers received payment and decided to hold back some of the data they had encrypted and proceeded to demand more money from the Kansas Hospital.

To my surprise, the Kansas Heart Hospital didn’t end up giving any more funds to the hackers. We aren’t sure if they decided the data was not of importance, or if the hospital employed some tech support from a trusted source. Whichever the case, I appreciate the hospital standing firm in their decision to not pay anymore Bitcoin. As many have been urged to not pay absurd ransomware demands, it can be terrifying when the circumstance comes about. Helpless, I’m sure is how many ransomware victims feel.

Nevertheless, it is important to be aware of malware and ransomware threats. Nearly half the hospitals in the United States have been attacked by some variable of malware/ransomware. An official at the Kansas Heart Hospital even told reporters that they “were aware of the ransomware threat and had a plan in place to deal with it”. Better make sure you have a plan B too.


 

If you would like to educate yourself in more detail about the information presented in this blog post please visit: Hospital pays ransom, ransomware demands more money

Businesses Beware- FBI warns Ransomware is on the rise

ransomeThe FBI released statements of warning this week about the rapid growth of ransomware attacks. As attacks become more frequent and sophisticated, it is crucial that businesses are proactive about ransomware prevention. The influx of attacks against hospitals has made ransomware a major threat to the U.S. healthcare industry this year and will only continue without proper protection.

Years prior, ransomware was delivered through email. Now that email systems have evolved, and spam settings have become more sensitive, cyber criminals have stepped away from email delivery. Seeding legitimate websites with malicious code and taking advantage of unpatched software on end-user computers, there is no need for an individual to click on a link in order to be infected. In a usual email attack, a user may see an email addressed to them and open it. Unsuspectingly clicking on the attachment that appears no different than any other attachment, the malware code is then able to access the victims machine and the rest is history.

Once the machine has been infected, the malware begins encrypting the files and folders on local drives, including attached drives, backups and even other computers on a shared network. As seen many times this year, organizations are often unaware of the attack until they are unable to open their files and retrieve data. Sometimes organizations are not made aware of the encryption until messages start to display ransom payment in exchange for a decryption key.

Whether or not to pay the ransom is still under debate. The FBI does not encourage payment, only because paying the bitcoin does not guarantee the safe return of sensitive data. Morally, payment would be frowned upon, as it is most certainly funding illicit criminal activity and encouraging more attacks. However, it is understandable why many have been forced to pay, simply put businesses need their data in order to survive. Unfortunately ransomware criminals know that all too well.

Prevention Measures 

  • Make sure employees are aware of ransomware and of their critical roles in protecting the organization’s data.
  • Patch operating system, software, and firmware on digital devices (which may be made easier through a centralized patch management system).
  • Ensure antivirus and anti-malware solutions are set to automatically update and conduct regular scans.
  • Manage the use of privileged accounts—no users should be assigned administrative access unless absolutely needed, and only use administrator accounts when necessary.
  • Configure access controls, including file, directory, and network share permissions appropriately. If users only need read specific information, they don’t need write-access to those files or directories.
  • Implement software restriction policies or other controls to prevent programs from executing from common ransomware locations (e.g., temporary folders supporting popular Internet browsers, compression/decompression programs).
  • Back up data regularly.
  • Secure your backups. Make sure they aren’t connected to the computers and networks they are backing up.

If you would like to educate yourself in more detail about the information presented in this blog post please visit: FBI: Ransomware threat at all-time high; how to protect company jewels

What to do if you suspect Malware? We have the answers

Most often one does not know that they are infected with Malware until it is indefinitely too late. A few signs can lead you too believe you might be infected, such as incredibly slow PC performance, browser pop-ups when no browser is open, and security warnings from security programs that have never been installed on your computer, can make you feel uneasy about your machine. Try these tools to kick Malware in the butt. malware-microsoft

Update Antivirus

The software IDs within antivirus software identify existing malware based on what has come before and the latest updates available. Make sure your antivirus software is current, with all of the latest installs. Having software that is even one day out of date leaves your machine at risk for encryption. Antivirus vendors offer updates based on viruses they encounter both in the lab and in the field.

Find Safe Mode

Most malware, when designed correctly, is ready to evade System Restore points set in Windows. Perhaps this might be enough to fix the problem, but say that its not, as it most likely won’t be, try running a program designed to kill any known malware process in progress, such as RKill. The other option in this case is to boot Windows in a way that will not allow malware to get started, aka Safe Mode. By first restarting your PC (Windows 8 or 10), hold down the shift key during the boot sequence, and choose Safe Mode within the troubleshooting options.

Delete Hiding Places

You should then delete all temp files that could hide malware. To delete temp files, open the Start menu, type Disk Cleanup into the search bar and it will check the C:drive for all temp files that can be safely deleted. The software IDs within antivirus software identify existing malware based on what has come before and the latest updates available. Make sure your antivirus software is current, with all of the latest installs. Having software that is even one day out of date leaves your machine at risk for encryption. Antivirus vendors offer updates based on viruses they encounter both in the lab and in the field. After this process it is advised that you run an antivirus on-demand scanner, such as Malwarebytes Anti-Malware. This program is a great line of second defense against malware because it often comes to the rescue if your initial antivirus fails.

No Connection

A RAT, means that someone is remotely accessing your PC. Your first step in this case is to get off the internet. Turn off the Wi-Fi, remove the Ethernet cable, turn off the router, whatever needs to be done in order to detach from the internet. Now, being disconnected from the internet ensures that you are no longer able to be controlled, but it makes it a great deal harder to receive the latest antivirus without access to the internet. The latest software will need to be retrieved from a third party PC, at a different location preferably, then transferred to the RAT PC via USB flash drive. Another option would be to reboot the computer with a CD. Running a full anti-malware utility, these CDs are sometimes called “rescue CD” and can be used without internet connection. Of course, in order to use this option, a CD player will be necessary.

Portable Help

If all other options have failed, it may be the Operating System that has already been infected, making it impossible to even download the newest antivirus software. In order avoid the OS and let the antivirus do its job, you will need to utilize portable apps through a USB flash drive. These portable apps do not require a direct installation. Apps like this consist of Microsoft Safety Scanner, CLamWin, McAfee Stinger, or Kaspersky Security Scan. You can also try a mix of many portable apps since they will not conflict as you have to run each scan individually. There are also other software options such as Spybot and Symantec’s Norton Power Eraser that specifically target a type of malware called crimeware, that run scams. Although this is measure is aggressive, and often times deletes files that might not be malware, all in the effort of safety of course.


 

If you would like to educate yourself in more detail about the information presented in this blog post please visit: How to Remove Malware From Your PC

DDoS Attacks are Making Cybercriminals Very, Very, Rich

Actually, $100,000 richer to be exact.

By sending just an email, the group called Armada Collective is easily shaking down companies and pulling in the cash. Distributed denial-of-service, better know as DDoS attacks, consist of little technical experience other than causing a website to crash by flooding it with traffic. Usually the threatening email alone is enough to get companies to pay up in Bitcoin.

This is not the first time we have heard of the Armada Collective group. Back in 2015 they became nonactive, and in 2016 alleged members were arrested. It is believed that a separate group has decided to use the Armada name in order to capitalize on previous DDoS presence.

The email looks something like this:

Capture

Over 100 businesses have received the email threats according to CloudFlare CEO Matthew Price. However, not one case of Armada actually launching a DDoS attack has been reported. Price weighs in by saying, ” In fact, because the extortion emails reuse Bitcoin addresses, there’s no way the Armada Collective can tell who has paid and who has not. In spite of that, the cybercrooks have collected hundred of thousands of dollars in extortion payments. ”

The Bitcoin fee ranges between 10-50 Bitcoin which is about $4,600-$23,000. There seems to be no rhyme or reason to how the collective determines Bitcoin amounts per company.


If you would like to educate yourself in more detail about the information presented in this blog post please visit: How cybercriminals earned $100,000 just by sending a DDoS threat email

 

Software Defined Networking – 5 best practices

software-defined-networking_sdn

Software Defined Networking, (SDN) provides cost-effective, easily adaptable management of network control and forwarding functions. In simple terms, SDN is the physical separation of the network control plane from the forwarding plane, where a control plane controls multiple devices. Software Defined Networking is an emerging technology and therefore lacks long term examples to be used as a guideline for success. Greg Stemberger, Principal Solutions Architect, has laid out what he has seen in his experience with SDN, creating a five step process for best practices of implementation.

The first step, as it most often it with any new technology employment it to define usage. Bringing in a new technology for your company is only helpful if the technology fits the needs of your organization. Determine the problems your company is facing and proceed to evaluate whether the desired technology will be able to handle and alleviate such problems accordingly. No one technology will be able to solve all your problems. Identify specific problems you believe SDN can fix, specifically just one problem at a time. As Stemberger suggests, “A single use case with tangible, positive results, offers more reliable, measurable outcomes than implementing SDN across your entire network.”

It is crucial to assemble a cross functional team with SDN. Utilizing SDN in the correct manner means having a skilled team with a united approach. A team of well versed members is the best way to manage SDN. You need people who can combine skill sets to work together. Increasing efficiency lets you IT staff spend more of their time on you IT infrastructure rather than operational overhead. Get everyone on the same page, toward a universal goal.

Remember to test in a less critical network area. This is common sense for most. Find a less critical network that you can play with first before moving to your network. This way you avoid uprooting your entire network and facing the wrath of angry coworkers. A small-scale SDN test allows the flexibility to learn and make mistakes.

After testing for a while, make sure to go over the data you gather and review your test case. Did it solve your current problem? Is it a wise investment to expand SDN to the entire network? Do you have the infrastructure ready on both a personnel and technical level?

As a gentle reminder that it’s okay to stay on the cautious side, it is suggested that you gain maturity before expanding deployment.  Rather than diving head first, proceed slowly and make the implementation gradual. Even if the SDN went better than expected in one area of the network, this is not a gurantee that the entire network will function at the same caliber. How will SDN performance change across higher trafficked areas of the network?

These steps are meant to evaluate risks, gain perspective and ensure efficiency. In order to get the most out of Software Defined Networking, it’s best to get all your ducks in a row.


If you would like to educate yourself in more detail about the information presented in this blog post please visit: 5 steps to launching Software Defined Networking

ATM’s – The Next Target For Hackers

Use of outdated operating systems like Windows XP and lack of security means it’s still possible to crack ATM security, warn researchers.

As one of the millions of people who frequent their banks ATM at least once a week, the last thing on my mind is usually the security of the operating system. But when you think about the foundation of the machine taking your card and spitting back cash, you’ll realize this machine is just a PC running on old software. Easily susceptible to malware. Not comforting.

There was a 15 percent jump in ATM fraud activity between 2014 and 2015 and researchers believe statistics will only increase. Within this time cyber criminals were able to get their hands on more than $150 million. Researchers credit security vulnerabilities to the use of outdated platforms that no longer receive patches and fixes such as Windows XP.

“If we think of a modern ATM as a MS Windows PC with a money box attached to it that’s controlled through software, it is easy to see how it becomes an attractive target for any malware writer,” Sancho and Huq said.

Trend Micro and Europol’s European Cybercrime Center (EC3) discovered two main malware threats that either provide hackers with the card details of the user, or give the hacker privileges to dispensed cash. Most worrisome is the lack of extreme measures hackers have to employ in order to infect ATMS. Simply put all hackers have to do is install malware onto the machines via a USB or the CD- drive.

At the moment, malware ATM fraud has only been reported in international cases, Eastern Europe and South America. Despite little activity in the United States, authorities are aware of increasing malware ATM concerns and are monitoring cyber criminal forums for activity.1447059385670243


 

If you would like to educate yourself in more detail about the information presented in this blog post please visit: A Windows PC with a money box attached: Why hacking ATMs is big business for criminals

Ransomware Attacked My Mom’s Computer

04CYBERWALL-facebookJumbo
How My Mom Got Hacked, a real life story about Brooklyn artist who receives a panicked phone call from her mom one day complaining her personal computer has been taken over by some sort of strange encryption. The story unravels the journey Alina Simone and her mom Inna endure in order to restore the files back from the hackers. After the initial shock of the situation sets in the two research their options and realize, as many do, that there is little to no answer as to how to get the files back without paying the hefty $500 ransom fee.

“I thought it was a typical mom rant about hr hardware crashing and having to pay the repair people $500 because her computer crashed.” Like many of us do when our parents call us after a long days work, Alina didnt take her mom seriously. Seeing as it was Thanksgiving weekend, a major snowstorm had just hit, and the ransom deadline was already decreasing to less than a 24 hour bracket, Alina and her mother were frantic. Her mother didn’t make the deadline, and according the the hackers the ransom would double due to this. Inna pleaded with the hackers and they let her off with $500 ransom and all her files. Luckily.

Others, such as the case of the Hollywood Presbyterian Medical Center that was hacked in early February and had to pay a whooping 40 bitcoin, $17,000 ransom, in order to get their system back on track.

“The value of my personal files and pictures caps off somewhere. But [if] I encrypt the back-end of your corporate system and prevent you from processing payments, that has a tremendous value. And if the hacker can recognize the value of what he has, the ransom can be more dynamically set based on the content of the data.”explains Grayson Milbourne, Security Intelligence Director for Internet security firm Webroot.

From personal to corporate, ransomware is most certainly an eye opening experience to security vulnerabilities.

 


 

If you would like to educate yourself in more detail about the information presented in this blog post please visit: The Growing Threat of Ransomware