1-888-643-2217 Email ABEX
Keeping you updated

Tag Archives: Cyber Crime

September Cyber Incidents

It’s been busy in the world of cyber risk, and September is no exception. In the past month, we’ve seen big players like Apple and Microsoft suffer zero-day vulnerabilities as well as ransomware continuing to wreak havoc across the globe.

  1. The return of the REvil ransomware groupThe REvil ransomware gang has returned and is attacking new victims and publishing their stolen files.

    Following a massive attack on July 2nd, which exploited a zero-day vulnerability in the Kaseya VSA platform to encrypt 60 managed service providers and over 1,500 businesses, REvil shut down their infrastructure and completely disappeared. The attack’s impact was felt worldwide, bringing the attention of international law enforcement, and the REvil gang suddenly shut down on July 13th.

    To everyone’s surprise, the REvil ransomware gang came back to life on 7th September under the same name when the Tor payment/negotiation and data leak sites suddenly turned back on and became accessible. Proof of new attacks emerged on September 9th when someone uploaded a new REvil ransomware sample compiled on September 4th to VirusTotal. On September 11th, the group published screenshots of stolen data for a new victim on their data leak site.

  2. Windows MSHTML zero-day exploits shared between attackersThreat actors are sharing Windows MSHTML zero-day (CVE-2021-40444) tutorials and exploits on hacking forums, allowing other hackers to start exploiting the new vulnerability in their own attacks.

    On 7th September, Microsoft disclosed a new zero-day vulnerability in Windows MSHTML that allows threat actors to create malicious documents, including Office and RTF docs, to execute commands on a victim’s computer remotely. After the vulnerability was disclosed, Microsoft Defender and other security programs were configured to detect and block parts of this attack.

    While these mitigations will help, as the exploit has been modified not to use ActiveX controls, users are still at risk until an official security update is released. Until Microsoft releases a security update, everyone should treat all Word and RTF attachments suspiciously and their source manually verified before opening them.

  3. Olympus hit with BlackMatter ransomwareOlympus, a leading medical technology company, is investigating a “potential cybersecurity incident” that impacted some of its EMEA IT systems last week. Olympus has more than 31,000 employees worldwide and over 100 years of history developing for the medical, life sciences, and industrial equipment industries.

    While Olympus did not share any details on the attackers’ identity, ransom notes left on systems impacted during the breach point to a BlackMatter ransomware attack. The same ransom notes also point to a Tor website the BlackMatter gang has used in the past to communicate with victims.

  4. Apple patches zero-day flaw exploited by NSO GroupApple has released security updates for a zero-day vulnerability that affects every iPhone, iPad, Mac and Apple Watch. Citizen Lab, which discovered the vulnerability and was credited with the find, urges users to immediately update their devices.

    Citizen Lab said it has now discovered new artifacts of the ForcedEntry vulnerability which it first revealed in August as part of an investigation.

    This exploit is significant because it breaks through new iPhone defenses that Apple had baked into iOS 14, dubbed BlastDoor, which were supposed to prevent silent attacks by filtering potentially malicious code. Citizen Lab calls this exploit ForcedEntry for its ability to skirt Apple’s BlastDoor protections.

    Citizen Lab said it attributes the ForcedEntry exploit to NSO Group with high confidence, citing evidence it has seen that it has not previously published.

Source: www.cfcunderwriting.com


Remote Working Vulnerabilities Hit School Hard

The CFC case study below explains how hackers accessed a school’s systems through remote desktop protocol and held data to ransom.

The education sector is no exception to the massive technological changes that have occurred over the past 20 years or so. Schools in particular are now increasingly dependent on their computer systems to provide students with a 21st century education. Both teachers and students now regularly make use of computer technology in the classroom, whether that be through delivering PowerPoint presentations on interactive whiteboards, conducting interactive learning on tablets and laptops, completing online assessments and tests, or using software programs for compiling student grades and monitoring classroom attendance. Schools are also seeing a shift away from paper filing and are storing more and more of their important data in an electronic format.

Although the use of computer technology has undoubtedly brought many benefits to schools, their increasing dependence on computer systems and electronic databases also makes them vulnerable to cyber losses. If teachers and staff are unable to gain access to their computers, whether that be as a result of a malicious cyber attack or a non-malicious system failure, it can result in serious operational disruption for the school. And if a hacker gains access to sensitive electronic data held by the school, it could have a negative impact on the school in terms of both its finances and its reputation.

One of CFC policyholders affected by a cyber loss was a private school responsible for educating approximately 800 students aged 11-18, with the school catering for both day and boarding students.

The incident began when a hacker managed to gain access to the school’s computer systems through the remote desktop protocol (RDP). RDP allows remote users to connect to the desktop of another computer through a network connection and is typically used by schools to allow staff and students to access their networks whilst they are not on school premises. In this case, the port that the school used for RDP access was exposed directly to the internet. Hackers are constantly using scanning tools to identify vulnerable organizations and establish any weak points that they may have in their cyber security, and an RDP port that is exposed directly to the internet is one of the most common that they look out for.

Having identified this area of weakness, the hacker looked to gain access to the school’s network by initiating a brute force attack against a local administrator account. A brute force attack is where a hacker uses a computer program to crack passwords by trying numerous possible password combinations in rapid succession, with the program typically trying a long list of the most commonly used passwords. Generally speaking, the longer and more complex the password, the more difficult and time consuming it is for the program to crack. Unfortunately, however, the school’s local administrator account had a weak password in place that had been used as a default but never been changed. With the password lacking in complexity, the program quickly cracked the password. What’s more, the school did not have multi-factor authentication enabled for RDP access, so as soon as the password was cracked, the hacker was able to gain access to the school’s network without having to go through a second verification procedure.

Upon gaining access, the hacker took the opportunity to unleash ransomware across the school’s computer systems. Ransomware is a type of malicious software that works by encrypting data on a network, and then demands that a ransom be paid in exchange for a decryption key to regain access to the data. In this case, the ransomware had encrypted multiple servers, effectively locking the school out of its computer systems, and the hacker demanded a payment of 2 bitcoin for the decryption key. In many cases, it’s possible to mitigate ransomware attacks by recovering from back-up. However, the school’s back-ups were contained on one of the servers encrypted by the ransomware, rendering them useless.

Fortunately for the school, the ransomware attack occurred over the course of a school holiday, but without being able to restore from back-ups, the school recognized that a great deal of disruption would ensue if its computer systems were still unavailable once students returned. For example, the school would be unable to have ready access to highly important information, such as the financial information needed for accounting purposes, details about prospective students for the next school year and critical information about students under the school’s care, such as medical records and dietary requirements;  teachers would be unable to make use of interactive whiteboards to provide presentations to students; students would no longer be able to use e-learning courses in the classroom or complete online assessments; and boarding students would be unable to complete homework assignments on schools computers in the evening.

With the prospect of significant operational disruption looming over the school, it was at this point that the incident was notified to CFC’s incident response team. The team’s first priority was to establish what ransomware variant had been used in the attack by looking at a copy of the ransom note and a sample of the encrypted files. Having identified the likely ransomware variant, the team then carried out some research to see if there was any way of removing the ransomware without paying the ransom demand. One of our incident response partners produces a regularly updated list of freely available decryption keys for known ransomware variants. Luckily for the school, the team were able to find a decryption key online. With the decryption key to hand, the school was able to begin the process of decrypting the affected data and applications without having to pay the ransom.

However, even though the school had managed to regain access to its computer systems, there was still a question mark over whether the attack had resulted in a data breach. The ransomware attack had impacted servers containing sensitive data, including parents’ names, phone numbers, and residential addresses; data on past and present students, such as grades, attendance, disciplinary and medical records; information on staff, such as contact details, addresses and bank account details; and information on prospective students who were likely to be inducted in the next school year. As the school was subject to local data breach notification laws, it meant that if it transpired that some or all of this data had been accessed or exfiltrated in the course of the attack, the school would have to notify the affected individuals, potentially resulting in a regulatory investigation and damaging the school’s reputation in the eyes of staff, students and parents alike.

In order to address this issue, we engaged one of our incident response partners to conduct a forensic investigation to establish how the hacker had gained access to the insured’s computer systems and whether they had accessed any sensitive data whilst they were there. Unfortunately, when the hacker had carried out the attack, they had set up a temporary user profile, which meant that there was no way of knowing for sure what folders the hackers may have explored and what files may have been opened.

Nevertheless, our incident response team and our forensic partners were able to establish some pertinent facts about the case. First, based on previous incidents and threat intelligence, the ransomware variant used during the course of the attack was not known to be capable of accessing or exfiltrating data. Second, the bandwidth usage logs obtained from the school’s internet service provider did not show high levels of traffic during the period that the hacker had access to the school’s computer systems, indicating that there had not been any major data exfiltration from the school’s network. Third, the hacker was only logged on to the school’s computer systems for a short period of time, suggesting that they were primarily focused on deploying the ransomware rather than seeking out sensitive data.

Given this, our forensic partners determined that the hackers main motive appeared to be financial gain through the use of ransomware, rather than the theft of sensitive data. After engaging legal advice to determine whether a data breach notification would be required, the lawyers advised that, based on the findings of the forensic investigation, no notification would be needed in this instance, thus ensuring that the school’s reputation was not damaged unnecessarily.

The total cost of carrying out a root cause analysis, network security assessment, forensic investigation and engaging legal counsel came to £17,560, all of which was covered by the school’s cyber policy with CFC.

This claim highlights a few key points. Firstly, it highlights the importance of securing the remote desktop protocol (RDP) effectively. If organizations are using RDP, they should make sure that it is not directly exposed to the internet and use a virtual private network (VPN) instead. In addition, businesses should ensure that they have good password hygiene in place and enable multi-factor authentication for any remote access to the network. If the school had had these measures in place, it is highly unlikely that the hacker would have gained access to its computer systems.

Secondly, it highlights the importance of having a good data back-up policy. In this case, the school had been prudent enough to back up its data. However, by not saving these back-ups external to the school’s servers, it meant that when the ransomware started encrypting, it encrypted the back-ups too. Ideally, businesses should maintain daily offline back-ups to help prevent back-ups from being compromised during the course of an attack.

Finally, this claim highlights the value of cyber insurance. When you buy a cyber insurance policy, you are not just buying a promise to pay valid claims. You are also paying for a service to help and advise you when things go wrong. In this case, CFC’s incident response team and our partners were able to provide threat intelligence on the ransomware variant and obtain a free decryption key, enabling the school to regain access to its computer systems; conducted a root cause analysis to establish how the hacker got into the system, enabling the business to identify and remedy any cyber security weaknesses; and conduct a forensic investigation that allowed us to determine that the ransomware attack had not resulted in a data breach, thus preventing the school from conducting an unnecessary notification procedure and needlessly damaging its reputation.

Source: cfcunderwriting.com


Cybercriminals Exploiting Coronavirus

Public concern and working-from-home mandates are providing opportunities for cybercriminals.

This CFC advisory provides some background on these risks along with some easy-to-implement steps that businesses can follow to avoid falling victim.

COVID-19 increasingly being used in phishing attempts

As new cases of the COVID-19 Coronavirus continue to be reported daily, cybercriminals have been leveraging the situation to take advantage of those looking for information on the outbreak. Scams include the following and are changing each day:

  • The Sophos Security Team has spotted emails impersonating the World Health Organization (WHO). The emails ask victims to “click on the button below to download Safety Measure”. Users are then asked to verify their email by entering their credentials, redirecting those who fall for the scam to the legitimate WHO page, and delivering their credentials straight to the phisher.
  • Interpol has warned of a large increase in fraudulent websites claiming to sell masks, medical supplies and other high demand items that simply take money from victims and never deliver the promised goods. It is advisable that internet users purchase items only from established and reputable sources.
  • There have been reports of airlines and travel companies being impersonated by fraudsters in a bid to either obtain sensitive information, like passport numbers, or install malware on victims’ computers. They may say they want to advise you of COVID-19 infected passengers on past flights you’ve taken or offer discounts on future flights. When in doubt, we advise users to be vigilant when clicking on any links, delete any suspicious emails, and not disclose sensitive information if you are approached unexpectedly.
  • Fraudsters are also developing fake charitable donation campaigns which claim to help individuals and communities impacted by the Coronavirus. Any money donated is sent to fraudulent accounts. Again, if you are wanting to support relief efforts, make sure to research the organizations you are looking to donate to.
  • A Twitter user has identified another malware campaign purporting to be a “Coronavirus Update: China Operations”. The emails have attachments linking to malicious software.

As global concern about the coronavirus grows, it is likely that threat actors will continue to abuse this outbreak to their advantage.

Increased remote working can open gateway to hackers

Remote desktop protocol (RDP), when set up correctly, is a great tool for remote working. However, using it without multi-factor authentication (MFA) enabled or on an insecure network can open the gateway to hackers. In fact, in 2019, 80% of the ransomware attacks we handled were initiated through RDP.

Businesses that start using RDP for remote working during the outbreak should be aware of some of the cybersecurity risks it can pose and ensure it is being used securely. Employees should always log on within a trusted network and ideally work with their IT department to secure personal devices – and implement MFA – prior to remote working.

CFC recommendations

We suggest implementing the following steps to bolster security:

  1. Test remote log-in capabilitiesNot only should personal devices be configured for secure remote working, but business should ensure that multi-factor authentication (MFA) is set up immediately. MFA is an authentication process that requires more than just a password to protect an email account or digital identity and is used to ensure that a person is who they say they are by requiring a minimum of two pieces of unique data that corroborates their identity. Implementing this significantly reduces the chances of cybercriminals being able to log into a business’s RDP. For more information on MFA and how to implement it, click here.
  2. Train your employees on how to spot a phishing emailAs a CFC cyber policyholder, you can get free access to a range of risk management tools, including CyberRiskAware, an e-learning tool focusing on phishing attacks. This valuable tool teaches people within your business to be more vigilant when in comes to opening attachments, clicking on links, transferring money, or sending sensitive information. To find out more about it, including instructions on how to access it, click here.
  3. Prepare for operational disruption in advancePut simply, prepare for the worst. As with so many cyber incidents, time is of the essence so ensure you have an incident response plan in place, a template for which you can access for free as a CFC cyber policyholder. And as ever, if you believe that one of your employees has fallen victim or that you are experiencing any kind of cyber event, notify CFC as soon as possible so that we can help you.
  4. Finally, be vigilantWhat’s becoming clear as this pandemic plays out is that cybercriminals are shifting tactics daily. If you see something on social media or receive an unsolicited email that seems too good to be true, it probably is. Aside from learning how to spot phishing emails, make sure to do your research, use reputable companies, and follow-up requests for money or information with a phone call using a number from a separate, trusted source.

Source: www.cfcunderwriting.com


Cyber Criminals Scam Construction Firm Out of Cash

Compared to many other industries, construction companies have been slower to take up cyber insurance. Because they typically don’t hold large amounts of sensitive data and aren’t solely reliant on their computer systems to carry out their business operations, construction companies don’t often believe that they are overly exposed to cyber risk.

Nevertheless, even if a business doesn’t hold vast quantities of data or isn’t wholly dependent on their systems to function, it is still likely that the business in question has some form of cyber exposure. Most modern businesses will hold some data on employees and third parties, use email to communicate with customers and suppliers, and use business bank accounts to receive and disburse funds electronically.

The construction sector is no different, and one area where they are particularly exposed is funds transfer fraud. Most construction companies will regularly work with suppliers and subcontractors to carry out their projects, and these partners will usually invoice the construction firm for the goods and services provided. If the company pays these invoices electronically, then they can fall prey to cybercriminals who are constantly looking for opportunities to intercept these payments and divert them to fraudulent accounts.

One of our policyholders affected by such a loss was a small construction firm with revenues below $50 million. The business specializes in commercial construction projects, ranging from office buildings to warehouse units and regularly makes use of specialist subcontractors to assist with projects.

Digging for login credentials

The scam all began when an employee fell for a credential phishing email. Credential phishing emails are used by malicious actors to try and trick individuals into voluntarily handing over their login details, typically by directing them to a link that takes them through to a fake login page.

In this case, the employee received an email purporting to be from Microsoft which stated that in order to implement some urgent new security features on his Office 365 account, he would have to verify his account details by clicking on an attached link. Not wanting to miss out on these new features, the employee clicked on the link and inputted his email login details. However, despite the email appearing to come from a legitimate source, the employee had unwittingly handed his credentials to a fraudster.

To make matters worse, the construction firm had not enabled multi-factor authentication on staff email accounts, so the fraudster was able to use the credentials to access this employee’s email account remotely.  This allowed the fraudster to monitor communications to and from the account and gain valuable information about the nature of the policyholder’s business and the employee’s role within it.

The employee whose email account had been compromised was one of the firm’s project managers. As part of his role, he regularly liaised with subcontractors and they would often send invoices over to him, which he would then pass to the finance department for payment. As it happened, a few weeks after the fraudster had gained access to the inbox, an email was sent over to the project manager from the managing director of a firm that had been subcontracted by the construction company to carry out some structural steel fabrication work on a project. The email had an invoice attached for a month’s worth of work done on the project, amounting to $93,425. Having spotted an opportunity, the fraudster chose this moment to strike.

Fraudster hammers out a plan

The first step was to set up a forwarding rule in the project manager’s email account. Forwarding rules are settings that can be applied to an email account which ensure that emails that fall within certain criteria are automatically forwarded to a specific folder or to another email account. In this case, the fraudster set up a forwarding rule that meant that any emails that featured the steel fabrication firm’s genuine domain name were immediately marked as read and sent directly to the account’s deleted items folder.

The next step was to set up an email address impersonating the managing director of the steel fabrication firm. In order to do so, the fraudster created an email address which, to the untrained eye, was exactly the same as the managing director’s, but crucially omitted one character from the domain name. So rather than reading Joe.Bloggs@ABCfabricators.com, it read Joe.Bloggs@ABCfabicators.com.

The final step was to send an email to the project manager. In the email, the fraudster explained that the firm had recently changed banks and that the previous invoice had mistakenly included the old account details. The email went on to say that the new bank account details could be found on the new invoice attached to the email and that the construction firm should update its records so that all current and future payments went to the correct account.

The fraudster had used exactly the same invoice template as before, including the same company address, logo and statement of work, with the only amendment being the bank account details. In order to give the email an added sense of authenticity, the fraudster took the original email that had been sent by the subcontractor to the project manager and forwarded it on to the fake email account. The fraudster then replied to this original email when sending the fraudulent email to the project manager, making it appear as though it was part of the original email chain.

Missed verification opportunity

With the email forming a part of the original email chain and coming from a seemingly identical email address, along with the exactly the same invoice template, the project manager never doubted the legitimacy of the request. Assuming that the change of account was valid, the project manager sent the amended invoice over to the finance department for processing.

In theory, it was at this point that the scam should have been thwarted. The construction firm had previously sent out an email to staff regarding the verification of account changes, stating that all requests for account changes should be followed up with a call to an individual at the company requesting the changes to confirm that everything is in order. If this verification procedure had been carried out, it’s unlikely that the fake invoice would have been paid. Unfortunately, the member of the finance department dealing with the request failed to carry out this procedure and updated the bank details, resulting in the full $93,425 being transferred to the fraudulent account.

It was only when the managing director of the steel fabrication firm called up the project manager, several weeks later, to inquire about the status of the payment that the scam was uncovered. Both the banks involved and local law enforcement agencies were informed about the loss, but by this point it was too late and the funds had already been transferred out of the fraudulent account. With the funds deemed unrecoverable and the steel fabrication firm still expecting payment, the construction firm had little choice but to pay the invoice for a second time, resulting in a significant loss to the business. Thankfully, however, the construction firm was able to recoup the funds under the cybercrime section of its cyber policy with CFC.

Smarter criminals and other key takeaways

This case highlights a few key points. Firstly, it shows just how skillful cybercriminals are becoming at parting businesses from their money and how difficult it is for businesses to spot a fake.

In this case, the fraudster managed to successfully impersonate Microsoft and manipulate the project manager into volunteering his email login details; set up a forwarding rule to prevent any emails from the real subcontractor reaching the project manager and jeopardizing the scam; set up a fraudulent email address that was virtually identical to the genuine subcontractor’s; make it look as though the fake email sent to the project manager was part of the original email chain; and send over an identical invoice template to the one used by the genuine sub-contractor.

Secondly, it illustrates how human error plays a major role in cyber losses. Many organizations don’t think they need to purchase cyber insurance because they believe they have the IT security and risk management procedures in place to prevent a cyber loss. But as with so many cyber-related events, this loss stemmed from human error and it’s very difficult for any business to eliminate this risk entirely. The fraudster was able to compromise the email account because the project manager fell for a sophisticated credential phishing scam, and the funds were successfully intercepted because an employee in the finance department failed to carry out a verification procedure.

Finally, it highlights how almost all modern businesses have some form of cyber exposure. Even though the policyholder in this case was a construction firm that didn’t solely rely on its computer systems to carry out its business operations, the company still used emails to communicate with subcontractors and made payments electronically. All it took was for just one email account to be breached for the business to be defrauded out of $93,425. But by having a cyber insurance policy in place, the company was able to successfully recover the loss, illustrating the value that cyber insurance can bring to any modern business.

Source: www.cfcunderwriting.com


4 Takeaways from a Cyber Study

Cyber lock with chainsThe Scalar Security Study is an annual report that examines how prepared Canadian businesses are for cyber threats. Specifically, the study surveyed 654 IT and IT security practitioners to determine the average cost of a cyber attack, whether organizations feel prepared for cyber threats and what tactics they find most effective when it comes to protecting themselves. The following are some of the major findings from the study:

  1. The number of cyber attacks is increasing. Survey responders reported experiencing an average of 40 cyber attacks per year. This number represents a 17 per cent increase compared to last year’s report. It’s important to note that many of these cyber attacks related to the loss of sensitive information.
  2. Organizations are less confident in their ability to protect themselves. Cyber attacks are increasing in frequency and sophistication. What’s more, insufficient personnel or lack of in-house expertise were found to be the major reasons for why organizations felt unprepared for the increasing threat. In fact, only about 37 per cent of organizations felt they are winning the war against cyber criminals.
  3. Organizations are concerned about security threats from mobile devices. Mobile devices and applications were two of the major security concerns for organizations. These risks require both technological and internal governance to help mitigate the risk.
  4. Intellectual property is a major and expensive target of cyber criminals. The loss of intellectual property and other proprietary information due to cyber attacks impacted 33 per cent of the businesses surveyed, with the average cost of the loss coming in just under $6 million.

In addition to the above, the report found that cyber security threats will increase in severity. Businesses will need to adapt to the changing landscape if they are to protect themselves from the devastating losses associated with cyber crime.

©  Zywave, Inc. All rights reserved.


Blog

FOLLOW OUR BLOG

Receive notifications of new posts automatically.



ABEX - AFFILIATED BROKERS EXCHANGE IS ON FACEBOOK.

Like us on Facebook

Connect with us on LinkedIn