Browser extensions

How Browser Extensions can Exploit User Activities for Malicious Operations

 

What are browser extensions?

Browser extensions are mini-applications that add more features and functionalities to the browser. Some of the most common extensions are ad blockers, password managers, grammar check extensions, screenshot creators, and translators. They allow users to integrate their browsers with their preferred services. 

Upon installation, extensions request permissions such as the ability to read, edit, and alter data on the websites that the user visits. Permissions that allow an extension to read the user's browsing history or modify the data that the user copies and pastes are a surefire way to let the extension monitor all of your activities. However, to get a well-functioning browser extension, users usually grant such permissions or overlook the extension's default settings.

Browser extension permissions

Most browser extensions offer features that interact with the current web page, such as password managers that fill in passwords for different websites, or dictionary extensions that provide instant definitions for words. Because these features obviously need page access, users rarely concern themselves with the permissions involved.

Some extensions require broader permissions. For example, the Web Developer extension for Chrome requires permission to read and change users' data on the websites they visit and their browsing history, to modify the data that users copy and paste, and to change the user settings that control a website's access to features such as cookies, JavaScript, plugins, geolocation, microphone, camera, etc.

Browser Extensions Web Developer

If an extension is allowed to access all the web pages that the user visits, the user could be opening the door to malicious activity. Such an extension could function as a keylogger and capture sensitive information, insert advertisements, redirect search traffic to malicious sites, etc. This doesn't mean that every extension is malicious, but extensions with this level of access can surely be dangerous.
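The permissions discussed above are declared in the extension's manifest, so a reviewer can spot broad access before installing. The following script, added here as an example and not code from the original article or from any extension vendor, reads a manifest.json (Manifest V2 or V3) and flags the permission strings and host patterns that grant access to every site, the clipboard, history or site settings. The sample manifest is constructed for this example; the permission names are real Chrome permission strings, but the risk descriptions are this example's own assessment.

```python
import json

# Chrome permission strings that grant an extension broad reach over the
# user's browsing. The descriptions are this example's own risk assessment.
HIGH_RISK_PERMISSIONS = {
    "<all_urls>": "read and change data on every site you visit",
    "tabs": "see the URL and title of every open tab",
    "history": "read your browsing history",
    "webRequest": "observe network requests made by pages",
    "webRequestBlocking": "modify or block network requests",
    "cookies": "read and change cookies",
    "clipboardRead": "read data you copy and paste",
    "contentSettings": "change site settings for cookies, JavaScript, camera, ...",
    "debugger": "attach the debugger to pages",
    "nativeMessaging": "talk to native programs on your computer",
    "proxy": "change your proxy settings",
}


def _is_broad_host_pattern(pattern: str) -> bool:
    """True for match patterns that cover every host (e.g. '*://*/*')."""
    if pattern == "<all_urls>":
        return True
    _scheme, sep, rest = pattern.partition("://")
    if not sep:
        return False
    host = rest.split("/", 1)[0]
    return host == "*"


def audit_manifest(manifest: dict) -> list:
    """Return (source, permission, reason) findings for broad permissions.

    Looks at 'permissions', 'host_permissions' (Manifest V3) and the
    'matches' lists of content scripts, so both MV2 and MV3 manifests work.
    """
    findings = []
    for perm in manifest.get("permissions", []):
        if perm in HIGH_RISK_PERMISSIONS:
            findings.append(("permissions", perm, HIGH_RISK_PERMISSIONS[perm]))
        elif _is_broad_host_pattern(perm):
            findings.append(("permissions", perm, "access to all websites"))
    for pattern in manifest.get("host_permissions", []):
        if _is_broad_host_pattern(pattern):
            findings.append(("host_permissions", pattern, "access to all websites"))
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if _is_broad_host_pattern(pattern):
                findings.append(("content_scripts", pattern, "injects code into every page"))
    return findings


# Constructed sample manifest for this example; it does not describe a real extension.
SAMPLE_MANIFEST = json.loads("""
{
  "manifest_version": 3,
  "name": "Example Dev Helper (constructed sample)",
  "version": "1.0",
  "permissions": ["tabs", "clipboardRead", "contentSettings", "storage"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}]
}
""")

if __name__ == "__main__":
    for source, perm, reason in audit_manifest(SAMPLE_MANIFEST):
        print(f"{source:>16}: {perm:<16} {reason}")
```

Note that `storage` is not reported: it only gives the extension its own key-value store, which is exactly the kind of narrow permission a password manager or dictionary extension legitimately needs. The findings are the starting point for the question the article asks: does each flagged permission match the functionality the extension offers?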

Browser extensions that work statically and don’t connect to external servers are generally safe. Extensions that require a connection to the server to retrieve data are more sensitive because cybercriminals may capitalize on this feature; they can hijack the server or the domain name to further their malicious scheme.

Some extensions may display ads:

Browser Extensions Ads
Some extensions are part of a long-running ad-fraud and malvertising network. When Chrome's add-ons were first announced in 2009, most extensions focused on specific tasks, and ad blocking was their primary use. Today, however, some of those same extensions display advertisements.


Is it safe to let your browser manage passwords?

Internet usage has skyrocketed over the last decade, and today an average user spends 6.5 hours online every day. Online services such as email, social media, online stores, and streaming services are the platforms on which users spend most of that time. For convenience, most users save their passwords in the browser so that it fills in the password automatically at the next login. Trying to memorize multiple passwords can be tricky, so more and more browsers ask users whether they would like the browser to save their credentials. If users enable this option, their passwords are saved locally and synchronised to the other devices the user has used to log in.


Your secure extensions can transform into malware

In some cases, popular browser extensions that are trusted to be secure are sold to shady organizations or even hijacked. Malicious groups who take charge of such extensions set up updates that can turn seemingly harmless extensions into malware. The compromised extensions connect the browser to a command and control architecture, to exfiltrate sensitive data of unaware users, and expose them to further risks.

 

Underground marketplaces that sell fingerprints

The data collected without authorization may include sensitive information such as login credentials for the user's online payment portal accounts, e-banking services, file-sharing or social networking websites. It may also include the cookies associated with these accounts, browser user-agent details, and other browser and PC details.

Cybercriminals have recently realized the value of users' unique fingerprints, and these digital identities are now being sold on underground marketplaces such as the Genesis Store and Russian Market.

Genesis Store operators have developed a .crx plugin for Chromium-based browsers to make it easier to use stolen identities in any way they want. The plugin installs stolen digital profiles into the cybercriminal's browser, allowing the actor to activate a doppelgänger of the victim. The attacker then only needs to connect to a proxy server with an IP address from the victim's location to bypass the anti-fraud system's verification mechanisms, pretending to be a legitimate user.

A snapshot of available Genesis bots:

Genesis Bots


Conclusion

  • The fewer the extensions on your browser, the better. Do not install extensions that raise even the slightest suspicion in your mind. Fewer extensions also help your browser run faster. Extensions not only affect your computer's performance but can also be a potential attack vector.
  • Install extensions only from official web stores. The extensions available in such stores undergo security tests, with security specialists filtering out those that are outright malicious. Even though this does not guarantee a safe browsing experience, they are better than extensions from external sources.
  • Observe the permissions that extensions require. If an extension that is already installed on your computer requests a new permission, it could be a red flag. There is always the possibility that the extension has been hijacked or sold.
  • Before installing any extension, it's always a good idea to go through the permissions it requires and make sure that they are appropriate for the functionality the extension offers. If the requested permissions do not seem logical in relation to the extension's functions, it's probably better not to install that extension at all.
Data leak ransomware

The Evolution of the Data Leak Extortion Ecosystem

 

Ransomware is one of the most disconcerting security issues in the cybersecurity ecosystem. It has evolved since its first appearance in 1989, when it was only a primitive trojan that spread via discs, infecting host computers with a virus that encrypted files and hid directories, which were returned only when the victim paid a ransom. Ransomware is significantly more sophisticated and costly now.

The release of CryptoLocker in 2013 was a milestone in the evolution of ransomware. Unlike its predecessors, this ransomware does not rely on bullying, which only makes it worse: it directly encrypts all the files on the system and demands a ransom in exchange for their decryption. Now, with the likes of Sodinokibi and Maze, the ransomware lineage is operating at a huge scale.

Over the years, ransomware operators have expanded the scope of the malware to include screen-locker capabilities along with the ability to overwrite boot records. Thanks to the prevalence of ransomware families, ransomware is today a global threat with advanced extortion capabilities and tactics. The perpetrators behind such ransomware groups also target the victim's personal records and files.

To ensure the complete surrender of victims, threat actors have switched to a two-pronged attack technique: if the victim refuses to pay the ransom, their data is leaked on public domains or data leak websites.

In this blog, we explain the evolution of the data leak extortion ecosystem through the advancements made by ransomware groups over the last three decades.

Police Lockers

The mid 2010s were dominated by Trojans that took away users' access to their screens or browsers. In 2012, a fresh scam involving one such Trojan invaded browsers. It displayed messages and fake alerts that masqueraded as coming from a law enforcement agency, in order to dupe unsuspecting victims. The message would claim that the victim's device had been found to be involved in illegal activities such as copyright violation or child pornography. The victims were then scared into paying a ransom using prepaid cards like MoneyPak, Paysaf, or Ukash.

During the same period, another ransomware that spread disguised as the FBI victimized thousands of computer users. However, this ransomware came with the additional ability to lock the host computer’s IP address, Windows version, location, and ISP name.

CryptoLocker

2013 witnessed yet another iteration of malicious software capable of encrypting data. CryptoLocker was the first ransomware of this kind, and it used 2048-bit RSA encryption. For the first time, victims were asked to pay the ransom in Bitcoin, or alternatively with prepaid cards. Over time, the operators behind CryptoLocker increased their demand from $100 to $600 per computer. The despicable success of this ransomware led to the launch of other such malicious software like PClock, CryptoLocker 2.0, and TorrentLocker.

Emergence of Ransomware-as-a-Service (RaaS)

In 2015, advanced groups of cybercriminals decided to monetize ransomware through RaaS platforms. Under this model, customers procure ransomware from such platforms on the dark web and share the profit with the authors of the ransomware. RaaS has advanced tracking tools embedded as part of its services, and it has been the reason for a surge of ransomware attacks across the world.

Locky Ransomware and KeRanger

The Locky ransomware, released in 2016, spread via malicious Microsoft Word macros, infecting millions of PCs around the world. Another ransomware that made an entry during this period was KeRanger, which leveraged the asymmetric RSA cryptosystem to lock down the victim's data. KeRanger operators usually demand $500 from the victim in exchange for the decryptor and instruct victims to visit sites hosted on Tor (the anonymity network).

WannaCry and NotPetya

With time, ransomware has been developed to be stealthier and more devastating. In 2017 there were multiple ransomware outbreaks, namely WannaCry and NotPetya. These attacks were not detected initially. Today, threat actors clearly distinguish between individuals and businesses when they demand a ransom, and they consider businesses and organizations to be juicier targets. The biggest pay-outs resulting from ransomware attacks until then were reported in 2016.

A decline in the prices of Bitcoin and improved security awareness have indeed forced ransomware operators to revamp their mode of attack. Today, local governments, small and medium sized businesses, health care organizations, and educational institutions are major targets of the threat actors.

Ransomware groups like Sodinokibi and Ryuk look for unsecured ports, such as exposed RDP ports, to gain access to networks. The most recent attacks show that actors are so sophisticated that once they compromise service providers, they go on to invade the networks of partner organizations.

Maze

Recently, in November 2019, Maze ransomware resurfaced in the cyber ecosystem and carried out a planned attack on a security organization, Allied Universal.

The group behind the attack exfiltrated 7 GB of data, contacted the organization's management, and demanded 300 Bitcoins in ransom. The actors even threatened to leak sensitive information about the organization unless the management of Allied Universal paid them. When the management refused to pay up, the operators sold around 700 MB of data to Russian hackers and released the remaining data in the wild.

 

Conclusion

Ransomware groups are growing continuously and exponentially, adding new, sophisticated tools and methods to their arsenal. Businesses that fall prey to their attacks not only lose access to crucial data; the entire incident tarnishes their reputation. To top it off, ransomware attacks invite lawsuits and compliance issues. To stay safe and to counter the threat actors, organizations need to have proper mitigation mechanisms in place. Maintaining a backup of the data wins you half the battle, but in the long run organizations need to use reliable security software such as CloudSEK's XVigil to prevent most file-encrypting threats.

The Upsurge of Digital Fingerprints in Underground Marketplaces

 

Digital fingerprints are unique slices of information related to software and hardware components of each device, in addition to the user’s distinguishable characteristics. Device fingerprinting gathers information about a computer to identify an individual user, regarding it as a digital asset.

A device’s fingerprints include its:

  • IP address (external and local),
  • Screen information (screen resolution, window size),
  • Firmware version,
  • Operating system version,
  • Browser plugins installed,
  • Timezone,
  • Device ID,
  • Battery information,
  • Audio system fingerprint,
  • GPU info,
  • WebRTC IPs,
  • TCP/IP fingerprint,
  • Passive SSL/TLS analysis,
  • Cookies, and many more.

Digital fingerprints also include the following attributes of individual users: their social network accounts (via third-party cookie tracking) and various aspects of their behavior:

  • Time spent on e-commerce websites
  • Website click locations
  • Items of interest, the typical amount of money spent on such items, virtual or real merchandise, etc.
  • Mouse/ touchscreen behavior
  • System configuration changes
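The attributes listed above are valuable to fraudsters precisely because anti-fraud systems compare them against what an account normally looks like. The script below, an added example that is not code from the original article or from any marketplace or vendor, shows the defender's side of that comparison: it stores a baseline fingerprint for an account, compares a new session against it, and scores the deviations. The IP-to-country table, the plausible UTC offsets per country, the weights and all sample fingerprints are constructed for this example; a real deployment would use a geolocation database and tuned thresholds. The timezone check illustrates a detail the article's Genesis description implies: a proxy exit in the victim's country changes the session's IP but not the clock of the machine the browser runs on.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed IP-to-country table standing in for a geolocation database.
# The addresses come from documentation ranges; the mapping is invented.
CONSTRUCTED_GEO: Dict[str, str] = {
    "203.0.113.10": "IN",
    "203.0.113.55": "IN",
    "198.51.100.7": "DE",
    "192.0.2.44": "US",
}

# UTC offsets (minutes east of UTC) plausible for each country; constructed subset.
PLAUSIBLE_UTC_OFFSETS: Dict[str, Set[int]] = {
    "IN": {330},
    "DE": {60, 120},
    "US": {-600, -540, -480, -420, -360, -300, -240},
}

# Weight of each deviation from the stored baseline (constructed for the example).
WEIGHTS: Dict[str, int] = {
    "ip_country": 3,
    "timezone_vs_ip": 4,
    "os": 2,
    "screen": 1,
    "user_agent": 2,
    "canvas_hash": 2,
    "tls_hash": 3,
}


@dataclass(frozen=True)
class Fingerprint:
    ip: str
    utc_offset_min: int   # timezone offset the browser reports, minutes east of UTC
    os: str
    screen: str           # e.g. "1920x1080"
    user_agent: str
    canvas_hash: str      # HTML5 canvas fingerprint
    tls_hash: str         # passive TLS client fingerprint seen by the server


def compare_fingerprints(baseline: Fingerprint, session: Fingerprint) -> List[str]:
    """Return the names of the checks that fail when a new session is compared to the baseline."""
    failed: List[str] = []
    base_country = CONSTRUCTED_GEO.get(baseline.ip)
    sess_country = CONSTRUCTED_GEO.get(session.ip)
    if sess_country != base_country:
        failed.append("ip_country")
    # The browser's clock should fit the country the connection comes from.
    plausible = PLAUSIBLE_UTC_OFFSETS.get(sess_country or "", set())
    if plausible and session.utc_offset_min not in plausible:
        failed.append("timezone_vs_ip")
    for attr in ("os", "screen", "user_agent", "canvas_hash", "tls_hash"):
        if getattr(session, attr) != getattr(baseline, attr):
            failed.append(attr)
    return failed


def risk_decision(failed: List[str]) -> Tuple[int, str]:
    """Sum the weights of the failed checks and map the score to an action."""
    score = sum(WEIGHTS[name] for name in failed)
    if score == 0:
        return score, "allow"
    if score < 5:
        return score, "step_up"   # e.g. ask for a second factor
    return score, "block"


# Constructed fingerprints: the account owner's baseline, and a session that
# replays the stolen profile through a proxy in the same country but from a
# machine whose clock and TLS stack differ.
BASELINE = Fingerprint("203.0.113.10", 330, "Windows 10", "1920x1080",
                       "Mozilla/5.0 (Windows NT 10.0) constructed-UA", "canvas-a1", "tls-f1")
REPLAYED = Fingerprint("203.0.113.55", 60, "Windows 10", "1920x1080",
                       "Mozilla/5.0 (Windows NT 10.0) constructed-UA", "canvas-a1", "tls-f2")

if __name__ == "__main__":
    for label, session in (("owner", BASELINE), ("replayed profile", REPLAYED)):
        failed = compare_fingerprints(BASELINE, session)
        print(label, failed, risk_decision(failed))
```

The point of weighting rather than simple equality is that a single changed attribute (a new monitor, a browser update) is normal, whereas a combination such as a wrong timezone for the connecting country plus an unfamiliar TLS client fingerprint is not, even when the user-agent, canvas hash and screen size all match the stored profile.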

 

Underground marketplaces tout digital identities

SIRIUS Shop is a private online cybercriminal marketplace that trades stolen digital fingerprints. This new Russian underground marketplace, SIRIUS Shop Online, sells tens of thousands of compromised digital fingerprints, enabling threat actors to commit online fraud. At the moment it offers more than 20,000 stolen profiles. These profiles include browser fingerprints, website user logins and passwords, cookies, and credit card information. The price of a profile varies from $1 to $27, depending largely on the value of the information it contains. SIRIUS has been active since June 2020 and also helps sellers set up their own shop on the market. The operators advertise the availability of these digital fingerprints on underground carding forums.

 

SIRIUS Shop sells:

  • Credit card details
  • Dumps
  • SSN
  • Scan ID, DL
  • Logs bot full dump
  • SHELL
  • CRM Panel
  • CMS Panel
  • Emails and password databases

 

SIRIUS Home page digital fingerprints

 

Bot Profile Dumps

The operators of SIRIUS Shop deliver malware that steals digital fingerprints from user devices along with other information such as user account credentials and browser cookies for online payment portals, stores and even bank accounts. These digital assets are then sold on the underground forum.

Users who were infected with malware in the past, or who installed rogue browser extensions, have unknowingly had their account passwords and full browser details recorded and sent to the SIRIUS operators. In some cases the operators also acquire information via web injects, form grabbers, and passwords saved in browsers. They keep collecting such data, and updates to it, which are then pushed to their online underground store.

Each user profile includes login credentials for their accounts on online payment portals, e-banking services, file-sharing, or social networking services. It also comprises the cookies associated with those accounts, browser user-agent details, WebGL signatures, HTML5 canvas fingerprints, and other browser and PC details.

The user profiles are then imported into the SIRIUS Shop, where they are indexed; cybercriminals can then perform an easy search by parameter to find the types of profiles they're interested in.

 

SIRIUS Store page

SIRIUS Store has a configurable search panel that allows threat actors to track down specific user fingerprints. One can search for credentials from a particular website, by the victim's country or operating system, or by the date the profile first appeared on the market.

 

SIRIUS Search Panel

These logs give threat actors leeway and make credit-card fraud easier. The marketplace sells digital identities along with stolen credentials for online shops and payment services that were exposed previously. Anyone who gets hold of such digital assets can load them into a browser behind a proxy connection to masquerade as the real user and commit fraud undetected. By doing so, the attacker can access the victim's online accounts or make new, trusted transactions in their name. The victim's social media accounts are also susceptible.

 

Preventive Measures

For website owners

  • Install an SSL Certificate

Data is transferred constantly between the user's browser and your web server. Without an SSL certificate, this data (including cookies) is sent in clear text, which allows an attacker on the network path to intercept it easily. Login credentials and other sensitive information in that data are thus left exposed.

SSL (Secure Sockets Layer, today implemented as TLS) encrypts the data before it is transferred, so even if an attacker manages to capture it, they won't be able to read it. You can get an SSL certificate through your web hosting company or from an SSL provider. You can also get a basic free SSL certificate from Let's Encrypt.
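A certificate protects the connection, but whether the browser is allowed to send a cookie over plain HTTP at all is decided by the cookie's own attributes and by the Strict-Transport-Security header. The following checker, an added example rather than code from the original article, parses the response headers a site returns and reports cookies that lack the Secure, HttpOnly or SameSite attributes and responses that lack HSTS. The two header sets are constructed for this example; a real audit would feed in the headers captured from your own server.

```python
from typing import Dict, List, Tuple

Header = Tuple[str, str]


def parse_set_cookie(value: str) -> Dict[str, str]:
    """Split a Set-Cookie value into its name/value pair and lower-cased attributes."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name, _, cookie_value = parts[0].partition("=")
    parsed = {"name": name.strip(), "value": cookie_value.strip()}
    for attr in parts[1:]:
        key, _, attr_value = attr.partition("=")
        parsed[key.strip().lower()] = attr_value.strip()   # flags such as Secure map to ""
    return parsed


def audit_response_headers(headers: List[Header]) -> List[str]:
    """Return findings about cookies that could still travel in clear text or be read by scripts."""
    findings: List[str] = []
    if not any(key.lower() == "strict-transport-security" for key, _ in headers):
        findings.append("no Strict-Transport-Security header: a first request over plain HTTP is still possible")
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        name = cookie["name"]
        if "secure" not in cookie:
            findings.append(f"cookie {name}: missing Secure, so the browser may send it over plain HTTP")
        if "httponly" not in cookie:
            findings.append(f"cookie {name}: missing HttpOnly, so page scripts can read it")
        if "samesite" not in cookie:
            findings.append(f"cookie {name}: no explicit SameSite attribute (relies on the browser default)")
    return findings


# Constructed responses; neither set was captured from a real site.
WEAK_HEADERS: List[Header] = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/"),
]
HARDENED_HEADERS: List[Header] = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for label, headers in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_response_headers(headers) or ["no findings"])
```

The Secure attribute is the one that directly addresses the clear-text problem described above: without it, a browser that is tricked into making any plain-HTTP request to the site will attach the session cookie to it, certificate or not.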

  • Install a Security Plugin

A security plugin's firewall generally blocks attempts to hack your website and blocks malicious IP addresses. It also scans your site regularly and alerts you if attackers try to insert malicious code, so that you can clean up your website immediately. This helps you detect and remove such attempts before they can cause any harm.

  • Update Your Website

Update your website regularly, including the core installation, themes, and plugins. Outdated software creates vulnerable spots on a website, which in turn attract attackers. Check for the latest updates from the vendor: these updates carry new features, address bugs in the website and also fix security flaws from time to time.

 

For website visitors

  • Install an Effective Anti-virus

Ensure the device you’re using to access the internet has anti-malware software installed. It detects and alerts you of any malware found on malicious sites. It also removes any malware that you might accidentally download or install on your system.

  • Never Click on Suspicious Links

Avoid clicking on suspicious links, and be especially cautious of the ones that advertise attractive offers or discounts.

  • Avoid Storing Sensitive Data

For a quick and convenient check-out, users tend to store their payment details (such as credit card information) on shopping websites. Some even choose to save passwords on web browsers to auto log into websites. But these convenient options come at a great cost. Never store sensitive data on websites or browsers. 

  • Clear Cookies

Remember to clear cookies regularly to get rid of any sensitive information stored on browsers. 

 

Conclusion

Online marketplaces that trade databases and dumps are quite ubiquitous, and as authorities fail to keep up with such sites, more and more users have their identities stolen and sold on them. Since most victims fall prey to such malicious attempts simply because of their presence on the internet, website owners should take steps to ensure a safe and secure experience on their sites. Enabling extra layers of security, such as two-factor authentication, is one way of going about it. They can also consider an additional biometric authentication method.

Why programming skills are essential for pen-testers

Why programming skills are essential for penetration testers

 

Some security professionals across the world would say that one does not need to learn coding to hunt for bugs in web applications. In fact, some experienced security professionals would go even further and suggest that entry-level positions in cybersecurity and hacking do not require extensive knowledge of programming.

Although this holds true to some extent, a career in hacking and pen-testing web applications demands in-depth knowledge in programming.

 

Where do many researchers go wrong?

In case of Cross-Site Scripting (XSS) attacks, for instance, researchers report the bugs by triggering an alert. This clearly does not call for advanced understanding of programming. 

But they may lack the skills to exploit the same bug, for example by writing JavaScript code that steals cookies, or to leverage the XSS bug to carry out other malicious activities.

Inspired by such bounty hunters, beginners in the field assume that all they have to do is fire up Burp Intruder, add a list of payloads, and prompt an alert on the browser to earn a quick buck. 

 

Why do you need to learn programming in security testing?

Understanding the application:

Awareness and proficiency in programming can help a researcher understand an application’s infrastructure and the implementation of its many functionalities. Once you are familiar with the workings and technicalities of web applications, even entry-level programmers can certainly outsmart amateur coding enthusiasts. 

 

Attack automation:

Hackers use tools such as Nmap, Metasploit, Amass, etc. to automate enumeration and exploitation processes. Automating enumeration saves them a lot of time and effort. By learning how to code, you also open yourself up to the knowledge that guides a beginner to build such tools on their own. Apart from that, while pen-testing, a programmer at some point will have to write code that exploits a vulnerability; for instance, when you have to pass the current timestamp along with each request, you need to automate it with code. This requires that you are well versed in programming.

 

Conclusion

Programming is said to be the future of innovations, and a necessary skill to master. Therefore, a security professional should undergo training and have adequate knowledge regarding programming. Anyone pursuing a career in penetration testing should consider programming as an essential part of their occupation. It does not merely set you apart from peers, but also gives you a competitive advantage over them. 

 

Happy Automation! 

What makes web applications an easy target for hackers?

 

Web applications form a major part of an organization’s attack surface and according to Verizon’s 2020 Data Breach Investigation Report, web applications are the single most significant cause for data breaches. Web application attacks account for 43% of all successful data breaches. 

Such web applications contain vulnerabilities like Remote Code Execution (RCE), Server-Side Request Forgery (SSRF), Local File Inclusion (LFI), Server Side Template Injection (SSTI), and more. Some of these vulnerabilities allow intrusion into corporate networks. These vulnerabilities are the result of mistakes that programmers make. Developers trust and hope that their applications will only ever be used by well-meaning users, which often turns out to be the biggest mistake they ever made.

In this multi-part series about web apps, we explore the common mistakes and threats affecting web applications, as well as point out factors regarding applications that appeal to threat actors. The first part of this multi-part series focuses on web app user input and the pitfalls of not validating or sanitizing it. The article also sheds a light on the steps one can take to prevent application attacks and reduce vulnerabilities.

 

Rule #1: Never trust user input

While developing an application, web programmers should refrain from trusting data received from users and should in fact presume all data is bad until proven otherwise. This is how threat actors leverage different vulnerabilities:

 

Remote Code Execution

Consider an Image File Upload feature that stores the uploaded file name and contents on a server, which then processes the file further. If the application doesn't validate user input, it permits an attacker to upload a file with a server-side language extension, such as a .php file. This in turn allows the attacker to execute OS commands on the server.

 

Local File Inclusion 

Similarly, when web applications are coded poorly, attackers can control which local files end up in include statements. For instance, an attacker can exploit a Local File Inclusion vulnerability by changing the path of a PDF file to that of another sensitive file, such as passwd. If the application doesn't validate the input, the attacker can simply read internal server files.

 

Example

Test URL: https://vulnerable.site/somefile.php?file=validpdffile.pdf

To 

Attacking URL: https://vulnerable.site/somefile.php?file=../etc/passwd

 

Server Side Request Forgery

In an attack that exploits this vulnerability, attackers gain partial or complete control over the requests sent by the application in order to abuse a functionality. This allows them to make the server-side application send HTTP requests to domains of the attacker's choice. If the website does not validate the user input, the attacker can access internal server files and more.

 

Example

Test URL: https://vulneralbe.site/somefile.php?filetocall=https://external.site/somefile.js

To

Attacking URL: https://vulneralbe.site/somefile.php?filetocall=file:///etc/passwd

 

SQL Injection

This vulnerability allows attackers to insert or inject a query fragment into an entry field so as to execute malicious SQL statements. This enables actors to retrieve sensitive data from the database while evading other security measures.

 

Example

Test URL: https://targetsite.com/somefile.php?id=2

However, if the web application does not validate the user input, the attacker can submit something like this:

Attacking URL: https://targetsite.com/somefile.php?id=' OR '1'='1'--+

From the above instances and scenarios it is clear that if the user input is not properly validated or sanitized, most web app vulnerabilities can be exploited, eventually leading to breaches and data loss.

 

How can you reduce vulnerabilities and prevent attacks

Let us look at the issue at hand before we suggest a solution. The following instance summarizes the problem:

This is a test application that accepts the user input and returns results based on it.

Web App normal search

An average user looks up topics such as Python or JAVA, while hackers with a malicious intent would submit something like this:

Web App unvalidated

There are a number of symbols an attacker can inject, such as a single quote ('), double quotes ("), opening and closing angle brackets (<>), the equals sign (=), and parentheses (()). If the web application accepts these without validating them, attackers can use this to steal other users' session cookies with advanced XSS (Cross-Site Scripting) payloads.

Now, let’s try to understand the logic of the code:

Web App coding gone bad

The GET variable $_GET['vulnparam'] at the top accepts the user input, which the web app then carries forward in the variable $vulnparam. As you may have noticed, the user input in $_GET['vulnparam'] is not validated; the web application uses it as it is.

The right way to code

To validate the user input first, we pass it through the htmlentities() function, which converts characters and symbols to HTML entities. This helps to prevent Cross-Site Scripting (XSS) attacks, and the web app proceeds with the encoded user input.
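The four vulnerability classes walked through above (Local File Inclusion via the file parameter, Server-Side Request Forgery via the URL parameter, SQL injection via the id parameter, and XSS via the search parameter) all come down to the same rule: validate or encode the input before the application acts on it. The following module, added here as an example and not code from the original article, shows one hardened handler per parameter alongside the one vulnerable pattern the article's SQL example describes, so the two behaviours can be compared on the article's own payloads. The document directory, the fetch allowlist, the in-memory table and its rows are assumptions constructed for this example; the general technique (confine, allowlist, bind, encode) is what carries over to a real application.

```python
import html
import ipaddress
import sqlite3
from pathlib import Path
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlparse

# Assumed deployment values for this example (not from the original article).
DOCS_DIR = Path("/var/www/docs")            # directory the ?file= parameter may read from
ALLOWED_FETCH_HOSTS = {"cdn.example.com"}  # hosts the ?filetocall= parameter may contact


# --- Local File Inclusion: confine ?file= to one directory and one file type ---
def safe_document_path(user_file: str, base_dir: Path = DOCS_DIR) -> str:
    """Map a user-supplied file name to a path inside base_dir, or raise ValueError."""
    # A bare file name has no directory component, so "../etc/passwd" is rejected here.
    if not user_file or Path(user_file).name != user_file:
        raise ValueError("file name must not contain path separators")
    base = base_dir.resolve()
    candidate = (base / user_file).resolve()   # resolve() also collapses "." and ".."
    if candidate.parent != base or candidate.suffix.lower() != ".pdf":
        raise ValueError("file outside the document directory or not a PDF")
    return str(candidate)


# --- Server-Side Request Forgery: http(s) only, no internal addresses, allowlisted hosts ---
def safe_fetch_url(user_url: str, allowed_hosts=ALLOWED_FETCH_HOSTS) -> str:
    """Return the URL if the server may fetch it, otherwise raise ValueError."""
    parsed = urlparse(user_url)
    if parsed.scheme not in ("http", "https"):        # rejects file://, gopher://, ...
        raise ValueError("only http(s) URLs may be fetched")
    host = parsed.hostname or ""
    try:
        addr = ipaddress.ip_address(host)             # literal IP in the URL?
    except ValueError:
        addr = None
    if addr is not None and (addr.is_private or addr.is_loopback or addr.is_link_local):
        raise ValueError("internal address")
    if host not in allowed_hosts:
        raise ValueError("host not in allowlist")
    return parsed.geturl()


# --- SQL injection: the article's vulnerable pattern next to the parameterised version ---
def demo_database() -> sqlite3.Connection:
    """In-memory table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)", [(1, "Python"), (2, "Java")])
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, user_id: str) -> List[Tuple[int, str]]:
    """The pattern the article warns about: the parameter is pasted into the SQL text."""
    return conn.execute("SELECT id, title FROM articles WHERE id = '" + user_id + "'").fetchall()


def safe_lookup(conn: sqlite3.Connection, user_id: str) -> Optional[Tuple[int, str]]:
    """Validate the type, then bind the value; the database never parses it as SQL."""
    if not user_id.isdigit():
        raise ValueError("id must be a positive integer")
    return conn.execute("SELECT id, title FROM articles WHERE id = ?", (int(user_id),)).fetchone()


# --- XSS: encode the search term before it is placed in HTML (PHP's htmlentities() equivalent) ---
def render_search_result(term: str) -> str:
    return "<p>Results for: " + html.escape(term, quote=True) + "</p>"


def raises_value_error(fn: Callable, *args) -> bool:
    """Helper so callers can check that a payload was rejected."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    conn = demo_database()
    print(safe_document_path("validpdffile.pdf"), raises_value_error(safe_document_path, "../etc/passwd"))
    print(safe_fetch_url("https://cdn.example.com/somefile.js"), raises_value_error(safe_fetch_url, "file:///etc/passwd"))
    print(vulnerable_lookup(conn, "' OR '1'='1'--"), safe_lookup(conn, "2"))
    print(render_search_result("<script>alert(1)</script>"))
```

Two details are worth noting. The SSRF check validates the host name only; a production version would also resolve the name and connect to the resolved address, so that a DNS answer cannot later point an allowlisted name at an internal host. And the XSS handler encodes at output time rather than at input time, which is what lets the same stored value be safely reused in other contexts.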

 

Summary

Almost every OWASP web vulnerability is exploited in real-world websites because web applications fail to properly validate user input before processing it. Therefore, it is important that app developers and security testers collaborate regularly. Once the programmer has built a particular feature or app, security testers can test it before it is deployed to the production servers. Ultimately, this saves a lot of time and prevents the data loss that could have resulted from exploitation.

Cyber Trivia - Cybersecurity Quiz CloudSEK

[Quiz] Weekly Cyber Trivia Quiz Contest #4

Cyber Trivia Quiz is here!

Find out if you’re up-to-date on your cybersecurity news from across the world.

If you’re behind on the news, fret not. We’ve sprinkled in some hints to help you along.

We will select 3 people at random from those who submitted the quiz and got all 10 questions right.
Prize: Amazon Vouchers worth 100 INR to each winner.

Get cracking! #CyberTrivia

Why you should be worried about a cyber pandemic that could take over the cyberspace

 

Companies of all sizes and sectors fall prey to data breaches and ransomware attacks. Security incidents that result in data leakage stain the reputation of the affected organization, let alone the legal battle that follows. Enterprises spend millions on security products to attain a comprehensive security posture, yet attackers are still able to compromise networks and exfiltrate data. Cybercriminals as well as state-sponsored actors craft sophisticated attack vectors that go undetected and develop zero-day exploits for applications used by victim organizations.

Quite often, RaaS (Ransomware as a Service) offerings from ransomware developers are advertised on underground hacker forums. Today, anyone can make use of a RaaS platform and become a ransomware operator. Companies pay the ransom when it becomes the only viable option, and this emboldens threat actors to carry out more campaigns against organizations.

State-sponsored APTs are more dangerous since they are backed by nation states. Their funding never runs dry, which in turn enables them to develop complex infrastructure. Their objectives are another factor that makes APTs stand out, since geopolitical factors, not financial ones, are their primary motivation.


Threat Landscape

Recent trends in the cyber threat landscape involve ransomware and banking trojans. Multistage, complex malware downloaders can also be found in the wild; they facilitate the further dissemination of ransomware and other spyware and trojans. Certain ransomware groups also engage in looting cryptocurrency by compromising crypto exchanges.

 

Ransomware

Ryuk

Ryuk has been spotted in various attacks targeting enterprise organizations worldwide, demanding ransom payments ranging from 15 to 50 Bitcoins (BTC), which translated to between US$97,000 and US$320,000 at the time of valuation.

 

Fig1. Popular attack vectors

 


REvil/ Sodinokibi

REvil/Sodinokibi ransomware was first detected in 2019, targeting the health and IT sectors. Later, the group began auctioning off, on the dark web, sensitive data stolen from companies compromised by its malicious code. As part of its tactics, this ransomware group threatens to release victims' data unless its ransom demands are met.

 

Dharma/ CrySiS

Dharma ransomware, a variant of CrySiS, appends various extensions to the files it encrypts. The malware has been in operation since 2016, and the threat actors behind it continue to release new variants for which no decryptor is available.

 

STOP/ djvu

Djvu is a high-risk virus that belongs to the STOP malware family. First discovered by Michael Gillespie, this virus is categorized as ransomware and is designed to lock (encrypt) files using a cryptographic algorithm.

 


Fig2. Ransomware strains Q1 2020 (incl. STOP)

Cooperation between ransomware families has also increased lately, making Ransomware as a Service (RaaS) offerings more efficient to operate.

Fig3. Ransomware strains Q1 2020 (excl. STOP)

STOP, Dharma, Phobos, and REvil have had major roles to play in the RaaS sector. They are very active, even today, carrying out their campaigns, especially Dharma and REvil.


Malware attacks vs. Malware-free attacks

Malware attacks are the simple case in which a malicious file is written to disk; this can be readily detected and blocked by Endpoint Detection and Response (EDR). Malware-free attacks rely instead on in-memory code execution and credential spraying, which require more sophisticated detection mechanisms. We have seen an increase in malware-free attacks as part of campaigns since 2019. They successfully evade the security measures and defenses set up by enterprises.

 

Cost of a Ransomware Attack

The total cost of a ransomware attack includes the ransom amount (if paid), costs for network remediation, lost revenue, and the cost of potential damage to the brand’s reputation. Recent trends indicate that more businesses are being targeted and threatened with the release of their data unless a ransom is paid.

It seems that ransomware groups have evaluated the long-term impacts of their attack on the brand image, trust, and reputation of organizations that refuse to pay up. Ryuk ransomware is largely responsible for the massive surge in ransomware demands. Ransomware operators demand an average of $288,000 for the release of systems.


Fig4. Largest amount of ransom reported in 2019

 

Fig5. Largest avg. ransom pay-offs 2020

 

Ransomware statistics for 2020

Taking into account the current trend and statistics, ransomware + downtime costs for the top five countries for 2020 are estimated to be:

  • Italy: $1.1 billion – $4.3 billion
  • Germany: $1 billion – $4 billion
  • Spain: $830 million – $3.3 billion
  • UK: $469 million – $1.9 billion
  • France: $121 million – $485 million

 

Hidden Costs of ransomware

  • Downtime of Information systems
  • Loss of Reputation
  • Penalties/ Fines [Compliance]
  • Legal action from users


 

Cyber security during COVID-19

“WHO reports fivefold increase in cyber attacks, urges vigilance”

Threat actors have exploited COVID-19 extensively to carry out phishing attacks, masquerading as the WHO and similar agencies to deliver malware-laced emails. COVID-19-related phishing attacks went up by 667% and scams increased by 400% over the month of March 2020, making Coronavirus the largest-ever security threat. To make things worse, social distancing guidelines observed across countries forced organizations to work from remote locations, putting their security at risk. Remote work exposed user endpoints to external threats and had the following impacts:

  • Increased security risk from remote working/ learning
  • Potential delay in cyber-attack detection and response
  • Business Continuity Plans (BCP) to feature global pandemics

 

Effective Threat Intelligence

For an average company earning $10K/ hour, operating 8 hours a day and 5 days a week, the downtime cost is estimated at $1,760,000 each month. Estimated average downtime is 1-2 hours. The cost of 1.6 hours of average downtime per week for a Fortune 500 company is approximately $46M per year.

A Distributed Denial of Service [DDoS] attack, which temporarily disrupts the activities of a website, can last for a few days or even longer. According to the IDG DDoS report, 36% of companies that have experienced more than five DDoS attacks suffer an average downtime of 7-12 hours.

An experienced Cyber Threat Intelligence (CTI) team gathers information from different sources and converts it into intelligence to safeguard client corporations. If effective CTI is not part of a company’s mature security model, the company can fall prey to any attack at any time.

A CTI team can actively monitor and create actionable intelligence on the following areas of your business:

  • Supply chain 
  • Dark web monitoring for data leaks 
  • Zero-days
  • New emerging attack vectors

Threat intelligence must be actionable. It provides Tactics, Techniques and Procedures (TTPs) and Indicators of Compromise (IoCs) to the security team, and especially to the Security Operations Center (SOC) team, for proactive and reactive measures to counter cyber threats.

 

Indicators of Compromise

These are some of the common Indicators of Compromise:

  • IP addresses, URLs and Domain names used by malware
  • Email addresses, email subject, links and attachments used by malware  
  • Registry keys, filenames and file hashes and DLLs of malware 
Examples:
  • hxxp://45.142.213.230/bssd [sectopRAT Trojan]
  • hxxp://45.142.213.230/blad [SectopRAT Trojan]
  • ef95c48e750c1a3b1af8f5446fa04f54 [maze]
  • f04d404d84be66e64a584d425844b926 [maze]
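The IoCs above are the kind of values a SOC feeds into its detection tooling. The following is an added example (not code from the original article or from CloudSEK): it refangs the defanged indicators from the list, indexes them by type, and scans a few constructed log lines for matches; as a generalization of the article's list it also flags any other URL served from an indexed host, since a C2 server rarely hosts just one path.

```python
"""IoC matcher: normalise defanged indicators and scan log lines for them."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicator values as listed in the article (defanged "hxxp://" URLs and MD5
# hashes), each labelled with the malware family the article attributes it to.
IOC_FEED = [
    ("hxxp://45.142.213.230/bssd", "sectopRAT Trojan"),
    ("hxxp://45.142.213.230/blad", "SectopRAT Trojan"),
    ("ef95c48e750c1a3b1af8f5446fa04f54", "maze"),
    ("f04d404d84be66e64a584d425844b926", "maze"),
]

# Constructed sample log lines (proxy and EDR style); not from the article.
SAMPLE_LOGS = [
    '2020-05-04T10:01:22Z proxy src=10.0.0.15 url="http://45.142.213.230/bssd" status=200',
    '2020-05-04T10:01:40Z edr host=WS-17 file=invoice.exe md5=EF95C48E750C1A3B1AF8F5446FA04F54',
    '2020-05-04T10:02:03Z proxy src=10.0.0.15 url="https://example.com/index.html" status=200',
    '2020-05-04T10:02:30Z proxy src=10.0.0.22 url="http://45.142.213.230/update.bin" status=404',
]

MD5_RE = re.compile(r"^[0-9a-f]{32}$", re.IGNORECASE)
HEX32_IN_TEXT = re.compile(r"\b[0-9a-f]{32}\b", re.IGNORECASE)
# Accept both live ("http") and defanged ("hxxp") schemes inside free text.
URL_IN_TEXT = re.compile(r"h(?:xx|tt)ps?://[^\s\"']+", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    line_no: int
    ioc_type: str  # "url", "host" or "md5"
    value: str
    family: str


def refang(indicator: str) -> str:
    """Undo common defanging so the indicator compares equal to real log data."""
    s = indicator.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("[:]", ":").replace("(.)", ".")


def classify(indicator: str) -> str:
    if MD5_RE.match(indicator):
        return "md5"
    if re.match(r"^https?://", indicator, re.IGNORECASE):
        return "url"
    raise ValueError(f"unsupported indicator: {indicator}")


def build_index(feed):
    """Return {type: {normalised value: family}} for O(1) lookups per token."""
    index = {"md5": {}, "url": {}, "host": {}}
    for raw, family in feed:
        value = refang(raw)
        if classify(value) == "md5":
            index["md5"][value.lower()] = family
        else:
            index["url"][value.lower()] = family
            # Also index the host so other paths on the same server are flagged.
            index["host"][urlsplit(value).hostname] = family
    return index


def scan_logs(lines, index):
    """Return a Hit for every indexed hash, URL or host seen in the log lines."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for h in HEX32_IN_TEXT.findall(line):
            fam = index["md5"].get(h.lower())
            if fam:
                hits.append(Hit(n, "md5", h.lower(), fam))
        for u in URL_IN_TEXT.findall(line):
            u = refang(u)  # logs may themselves contain defanged URLs
            fam = index["url"].get(u.lower())
            if fam:
                hits.append(Hit(n, "url", u, fam))
                continue
            host = urlsplit(u).hostname
            fam = index["host"].get(host)
            if fam:
                hits.append(Hit(n, "host", host, fam))
    return hits


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS, build_index(IOC_FEED)):
        print(f"line {hit.line_no}: {hit.ioc_type} {hit.value} -> {hit.family}")
```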

 

Tactics, Techniques, Procedures/ TTPs

TTPs define the behaviour of a threat actor or group and explain how the actor carries out an attack against the network and moves laterally within the intranet.

MITRE ATT&CK is the most widely used open-source threat intelligence framework for understanding adversary tactics and techniques. There are 11 tactics and 291 techniques listed in this framework.

 

Example of Tactic and Technique

 

Tactic           Techniques
Initial Access   T1193: Spear Phishing Attachment
Execution        T1059: Command-Line Interface
                 T1086: PowerShell
                 T1085: Rundll32
                 T1064: Scripting
                 T1204: User Execution
                 T1028: Windows Remote Management

 

The ability of a CTI team to predict the likelihood of an incident and ensure effective implementation of mitigation measures is essential to the survival of any organisation in its current realm of operations.

 

Conclusion

To further their nefarious intentions, threat actors arm themselves with sophisticated tools and advanced capabilities. It is quite difficult for law enforcement as well as cyber security practitioners to keep pace with these actors. An effective CTI system can help organizations contain an attack within the network, reduce associated costs, and minimize data loss. Investing in a strong CTI system will allow security operations centers to predict and mitigate attacks proactively. However, a CTI system is only as strong as its weakest link: humans. Human errors can cause even the most impenetrable, robust security system to fail. A good security system monitors information systems and applications and conducts regular vulnerability assessments and pentesting. But a comprehensive security system prioritizes employee/ user training and keeping them up to date on cyber hygiene and best practices.

Worst cybersecurity strategies and how we can overcome them

 

Towards the end of March 2020, almost all businesses across the globe had enforced a remote work policy. And as governments ease social distancing rules and restrictions, some organizations have gradually reopened over the last few weeks. However, the pandemic has clearly had an adverse impact on small businesses and large corporations alike, and business leaders are not aiming for a quick comeback. Whether they have decided to resume work from the office or extend the remote work policy into 2021, companies in various sectors are strategizing for a transformation in the way they work and communicate.

Cybersecurity witnessed a dramatic change during the last couple of months, and unsecured remote workforces have forced organizations to recognize the importance of cybersecurity preparedness. Cyber attacks have increased manifold since the Coronavirus outbreak, with cyber criminals preying on an unready, unaware workforce. There has been a spike in the number of phishing attacks and in malware and ransomware campaigns. So, as more organizations plan their comeback, hopefully every company’s plan and strategy prioritizes information security. It is also important that organizations steer clear of any security blunders that could cost them their reputation and financial standing.

In this article we list some of the worst cybersecurity practices and strategies that could be detrimental to your organization, and compare them with alternate solutions and best practices.

 

Achieving 100% security vs. Minimizing risks

Although 100% security might sound like the perfect answer to emerging threats, an entirely secure system is likely possible only when it is disabled. So the best alternative is to identify the technological and financial resources your organization can spare, and minimize the risk of incidents that may occur. Simply being aware of this helps you build a better strategy for detecting a threat and establishing a mechanism to respond to it or prevent it, thereby minimizing its impact. It is also essential to understand the various attack vectors that actors use to infiltrate your organization, and to allocate available resources to address all of these threats.

 

Lax with security updates vs. Regular software fixes

Security vulnerabilities are found on a daily basis and developers release patches frequently. However, businesses that have integrated such software often fail to apply these patches and update the software, because of stretched resources or a lack of awareness. Unpatched vulnerabilities create security holes that attackers can exploit to infect your systems and gain access to your sensitive, personal information. The solution is a dedicated IT team that ensures the network and software are updated regularly.

 

Pursue attackers vs. Prevent attacks

Attackers these days are pretty sophisticated and are quick to come up with new techniques that enable them to hack into your systems. Staying ahead of these actors is critical to saving your organization from the humiliation and loss the attacks could cost you. This is why it is important to take proactive measures to prevent attacks and outrun cyber criminals, instead of pursuing them. Organizations should also be aware of the implications of a possible attack and should be able to defend their valuable assets.

Assessing the following attack vectors and technologies could assist you in avoiding attacks altogether. Employees are a major threat vector, so it is important to keep them aligned with the organization’s cybersecurity practices:

  • Security vulnerabilities
  • Firewall settings
  • Anti-malware and anti ransomware technologies
  • Data egress points
  • Creating awareness among employees 
  • Training them to combat social engineering tactics
  • Practice good internet hygiene

 

Weak passwords vs. Password management programmes

Despite the increasing number of cyber attacks, most users tend to fall back on weak or easy passwords, sometimes reusing the same password for multiple accounts. An online security survey by Google indicates that 52% of respondents reuse the same password for several accounts. The Ponemon research, “The 2019 State of Password and Authentication Security Behaviors Report,” reports that 69% of respondents have shared their credentials with colleagues. Also, 57% of respondents have not changed their passwords even after enduring phishing attacks, which also means that they have not considered alternative solutions such as a password manager. 53% of respondents said that they rely on memory to manage their credentials.

Password managers relieve users of memorizing the passwords for all of their accounts; users need only remember the master password of the password manager. Password management programmes also generate random, strong passwords when you create a new account. Organizations should also make sure that access to company-related documents and software is limited. Password managers also support two-factor authentication methods, which add an extra layer of security.

 

Assume you’re not a desirable target vs. Prepare for the worst

Although it is true that cyber criminals target popular brands and companies, companies in any industry are vulnerable to cyber attacks regardless of their size. In fact, small businesses are soft targets, considering the lack of resources allocated to protecting their systems. A data breach of any scale is significant, and the ramifications can be devastating. Privacy and data breaches can cost you more than a financial loss: they can tarnish your reputation and leave you wide open to lawsuits and legal action.

Therefore, it is important for organizations to gear up against emerging cyber threats. Companies should adopt cyber threat monitoring solutions such as CloudSEK’s XVigil to detect and prevent undesirable actors targeting their security posture.

 

Using public Wi-Fi and unknown devices vs. Network Security

Unauthorized access to your computer network can lead to several forms of attack such as man-in-the-middle attacks, malware delivery, snooping, sniffing, breaches, etc. A major concern regarding public as well as home Wi-Fi is unencrypted networks, which expose your online activities to hackers. The same applies to unknown devices and unsolicited software: using them opens the door to malicious actors looking to abuse your systems.

Establish a secure network and secure communications (SSL connections) over the network, and make sure to log out of all your accounts once you are done using them. While on a public network, avoid accessing any sensitive information, including PII, addresses, banking information, etc.

 

Coronavirus has brought about an extensive change in the workplace and in the way we work. Technology will surely have a significant role to play in all of it. Meetings, conferences and collaborations are increasingly conducted over the internet, adapting to a more decentralized organizational structure. These changes can also contribute to an undesirable impact on cybersecurity. When organizations are busy building contingency plans to accommodate COVID-19 into the way they work, we hope their plans won’t fall short of cybersecurity strategies.

Why monitoring the most popular P2P messenger should be a cybersecurity priority

 

Cloud-based encrypted communication platform – Telegram – became an overnight sensation, owing to a WhatsApp outage that occurred in 2018. The user base of Telegram hit a whopping 400 million, as of April 2020, since its inception in the year 2013. The non-intrusive nature of the app, contrary to the likes of Facebook Messenger and WhatsApp, is another reason for its popularity.

However, over the years, the app and its developer Pavel Durov have also been on the receiving end of some criticism. The anonymous secure connection of Telegram allows users to access selectively prohibited networks and websites. Among other proxy servers and VPN services, Telegram is also completely or partially banned across several countries that are unwilling to risk national security. Furthermore, the app is not as secure as it claims to be. Its security flaws have been a major cause for data leaks.

In Russia, a struggle that ensued between the Federal Security Service (FSB) and Telegram, after the St. Petersburg bombing, resulted in the application’s ban in 2018. Pavel Durov refused to share the encrypted messages of the suicide bomber who was apparently active on the messaging platform. A court maintained that the app remain banned until its developer agreed to hand over its data encryption keys to the authorities. Russian authorities failed to hold up the ban successfully and decided to lift the ban only recently.

In 2016, 15 million Iranian users’ records were leaked following a major data breach. Iranian hackers exploited the security flaws in Telegram to compromise accounts. In particular, they hacked the SMS verification codes that are generally sent to the users. This attack targeted Saudi royals, NATO officials, and even nuclear scientists.

In a more recent event, pro-democracy campaigners in Hong Kong coordinated their demonstrations against their government using Telegram. Although the app has been banned in the country since 2015, users found a way around it.

In Germany, the police launched a crackdown on criminals to prevent premeditated crimes. For this they only had to use proprietary software to hack into Telegram correspondences. The police successfully carried this out for two years.

 

Why should you monitor Telegram for threats?

The anonymity associated with the app is a concern for regulators and governments, since it increases the odds of the app’s features being misused. This is why activity on Telegram should be monitored, for the following reasons:

Selective chat encryption

Although users tend to think that their correspondences are all encrypted and secure, the app requires you to change the settings to “activate” end-to-end encrypted chats. Most users are not aware of this.

Proprietary encryption

Telegram relies on the symmetric encryption method and uses the proprietary protocol MTProto, making it difficult for external cryptographers to audit its efficacy.

Exposes Metadata

Researchers have uncovered flaws in the app whereby an attacker can snoop on significant data about the user, apart from their chats. For instance, the attacker can figure out when the user is online and offline. This could in turn help them determine who the user is talking to, which is a rather serious flaw.

Breeding ground for illegal activities

In a 2016 report by Memri, Telegram was referred to as “the app of choice for many ISIS, pro-ISIS and other jihadi and terrorist elements.” Terrorist organizations weaponize Telegram to disseminate hatred and misinformation. The anonymity that the messaging app offers indirectly endorses criminal activities, harmful to civilians and governments alike.

Corrupted files

Recent research from Symantec indicates that media files shared on WhatsApp and Telegram can be manipulated using malware. This security flaw, known as media file jacking, exists on Android devices. It allows attackers to intercept the process by which applications save media files to the device’s storage.

Command and control

The ‘Masad Clipper and Stealer’ malware, which allows hackers to access users’ personal information and crypto wallets, was sold via Telegram channels. A Telegram channel also served as a makeshift command and control for the same malware.

 

CloudSEK’s proprietary cyber threat monitoring platform XVigil gathers information from Internet Relay Chat (IRC) and chat rooms (for instance, Telegram Channels). The platform then detects conversations that are intended to obtain information about your organisation, and weaponize it against you. XVigil crawls across various parts of the internet to find mentions of your digital assets, so that you can take proactive measures to prevent any external threats to your brand and infrastructure.


How much does a data breach cost you?

 

The increase in cyber-attacks during the Coronavirus pandemic has highlighted the gaps in traditional cybersecurity programs. With the large-scale shift to teleworking, companies have been forced to take their operations online. And this has proved to be a breeding ground for threat actors. From the increase in ransomware attacks and phishing campaigns to bitcoin scams and data leaks, we have witnessed increasingly sophisticated threats across the internet.

There is no denying that cyber threats have far-reaching real-world impact. From stock price to reputation, organizations cannot escape the consequences of a cyber-attack. For example, Twitter’s shares went down by 3% following the recent hack that targeted several high-profile Twitter accounts.

The annual Cost of Data Breach report by the Ponemon Institute has been quantifying this impact for the last 15 years. The Cost of a Data Breach Report 2020 (published by IBM) has found a 1.5% decrease in the average cost from $3.92 million in 2019 to $3.86 million in 2020. However, for organizations that have mandated remote work, the average cost of a data breach is $137,000 more, making the global annual cost almost $4 million.

In this article we explore ways to incorporate the findings from this report to strengthen an organization’s cyber security posture.

 

Key takeaways from the report’s findings:

 

Identify stolen or leaked credentials

Stolen credentials, which are the costliest and most frequent threat vectors, are the root cause for 19% of malicious breaches. Despite this, organizations are slow to identify and neutralize leaked credentials. The longer the credentials are exposed the higher the chance that threat actors will exploit them to orchestrate large-scale intrusive attacks.

This is why it is important to incorporate processes and tools that ensure data leaks related to your organization are monitored continuously. This includes real-time monitoring of the surface web, deep web, and dark web using a comprehensive threat monitoring tool such as CloudSEK’s XVigil.

 

Monitor for cloud misconfigurations

Cloud misconfigurations are exploited in 19% of malicious breaches, and the cost of these breaches, at $4.41 million, is 14% higher than the average. While the move to cloud-based services and databases is convenient, they come with a unique set of security requirements.

The bedrock of cloud security is a combination of Identity and Access Management (IAM), permission controls, and continuous misconfiguration monitoring. XVigil’s Infrastructure Monitor offers solutions to scan for misconfigured cloud storage, web applications, and ports. This allows you to identify and mitigate the risks before they can be exploited by threat actors.

 

Leverage Artificial Intelligence (AI) to identify and mitigate threats

Automation separates the winners from the losers. The cost of breaches for organizations that have not leveraged end-to-end AI based security solutions was $6.03 million, which is more than double the cost of breaches seen by organizations that have deployed automated security solutions. With a difference of $3.58 million between companies that have deployed automated solutions and those that have not, automation is no longer a bonus, but the very core of effective cybersecurity.

 

Secure your customers’ PII

80% of data breaches include customers’ Personally Identifiable Information (PII). And each lost or stolen record costs an organization an average of $175, which is 17% higher than the average cost of a stolen record. Since customer PII is the most coveted type of data, it is important to ensure that it is anonymized and backed-up regularly. And as a rule of thumb, enforce strong password policies, encryption standards, and multi-factor authentication.

 

The healthcare industry needs to up its cybersecurity quotient

It takes the healthcare industry 329 days to identify and contain a breach, which is 49 days more than the average 280 days, and a whopping 96 days more than the financial sector. The faster a breach is identified, the lower the cost incurred. So, it doesn’t come as a surprise that the healthcare sector, for the 10th year in a row, clocked the highest average cost of a breach at $7.13 million, which is a 10.5% increase from 2019.

Timely identification only comes with continuous real time monitoring of internal and external threats. And this cannot be done manually, which is why automation and AI-driven security tools need to be deployed across organizations.

 

Proactively mitigate remote work related data breaches

With more organizations adopting remote work, there has been a surge in cyber-attacks, globally. Relaxed security controls to support remote work, unsecured home Wi-Fi networks, dependence on conferencing platforms, and the deluge of COVID-related scams have made it easier for threat actors to target organizations.

It is incumbent on organizations to reassess their cybersecurity programs to account for new threat vectors, especially since 76% of respondents believe that, despite their current cybersecurity measures, remote work will increase the time it takes to detect and contain a breach. But by deploying solutions that address WFH-related threat vectors, organizations can gain a significant advantage over threat actors.

 

Given that a data breach can have severe short-term and long-term impacts on an organization, taking preventive measures is a must. And with more and more companies adopting teleworking, the need for continuous monitoring of the internet, for threats related to your organization, is at an all time high.

Here’s where XVigil can help you strengthen your security posture. XVigil’s AI-driven engine scours the internet for threats and data leaks related to your organization, prioritizes them by severity, and provides real-time alerts, giving you enough time to mitigate the threats before they can have an adverse impact on your business.