Search engine optimization (SEO) is the process of optimizing your website's content and its ranking on search engines such as Google, so that when a person searches with particular keywords your web page appears among the top results. SEO involves three parties: the searcher, the search engine, and your own website.
Reasons Why a Website Should Have Good Search Engine Optimization (SEO)
An Optimized Site Gets More Audience Traffic
SEO's goal is to improve a website's ranking on a search engine, so that when a person types a keyword into the search bar your page appears on the first page of results.
The purpose of SEO is to gain high rankings, which attract more traffic from audiences, buyers or consumers, and to retain those audiences as potential customers.
Good SEO Saves the Cost of Digital Advertising
When your SEO is good you don't need to pay for ads unless you want to. Two types of search results generally appear on a search engine.
The first column is for paid ads; the other columns are organic results, which appear based on your keyword.
SEO helps in gaining Trust:
As daily users of the internet, we have all clicked a link that turned out to be broken, redirecting to some other page or to nothing at all; we get frustrated and leave the site. SEO helps make sure all links work correctly and are error-free for a smoother user experience.
These are some of the major reasons you should consider SEO services for your website. As an IT company, Computer Support Professionals also provides a range of SEO services for your business growth. Our support agreement can be custom designed based on the client's requirements.
Sophos Rapid Response has discovered that keeping close tabs on the account credentials in your organization should always be a top priority. Sophos Rapid Response is a 24/7 service that helps organizations to quickly identify and neutralize active threats.
The company reached out to Rapid Response to get help with a Nefilim (also known as Nemty) ransomware attack in which more than 100 systems were impacted. Sophos’ Intercept X endpoint protection has no problem detecting and stopping Nefilim. Unfortunately, the customer did not have this protection in place. Nefilim ransomware, like virtually all major ransomware, replaces the original files with encrypted versions, making recovery impossible without either the decryption key or a recent backup.
The Rapid Response team sprang into action as soon as they were contracted by the customer, loading Sophos security onto all the systems it could access, ensuring all necessary protections were turned on for systems that already had Sophos installed, and digging for clues as to how and when the intrusion began and what might have been stolen.
By the time of Sophos’ standard “kick-off” call to describe the process of the Rapid Response team and gather context around the evidence uncovered so far, the team had already singled out user accounts that had been taken over and compiled a general timeline of the attack.
The team determined the attacker had compromised an admin account with high level access about one month before launching Nefilim ransomware. Or more accurately, the attacker gained access to that admin account, then spent one month quietly moving around to steal credentials for a domain admin account, finding the trove of data they wanted, exfiltrating hundreds of GB of data, and then finally announcing their presence with the ransomware attack.
“Ransomware is the final payload in a longer attack. It is the attacker telling you they already have control of your network and have finished the bulk of the attack. It is the attacker declaring victory,” Peter Mackenzie, manager for Rapid Response, said. “Identifying you are under a ransomware attack is easy, identifying the attacker was on your network a week earlier is what counts.”
Based on Sophos intelligence, the Rapid Response team knew the threat actors behind Nefilim ransomware commonly gain initial access either by exploiting vulnerable versions of Citrix or Remote Desktop Protocol. In this case, the adversary exploited vulnerable Citrix software, gained access to the admin account, then stole the credentials for a domain admin account using Mimikatz.
During Sophos’ initial kick-off call, the Rapid Response team relayed which admin account had been compromised in the initial intrusion, and asked the customer: Whose account was it? The answer: the account belonged to an individual who had sadly passed away around three months before the attacker’s first move.
Apparently, the account was kept active because there were services that it was used for, meaning the Rapid Response team had to discern which activities from that account were legitimate and which were malicious.
“The malicious activities were often in the middle of the night for the customer’s local time,” Mackenzie said. “We were able to work out some of the movements in the account based on when they occurred and when the commands were being performed.”
If an organization really needs an account after someone has left the company, they should implement a service account and deny interactive logins to prevent any unwanted activity. Or, if they don’t need the account for anything else, disable it and carry out regular audits of Active Directory. Active Directory Audit Policies can be set to monitor for admin account activity or if an account is added to the domain admin group.
Mackenzie noted far fewer accounts need to be a domain admin than most people think.
“People assume because a person is an executive or is in charge of the network that they need to be using a domain admin account. This isn’t true and it’s dangerous,” Mackenzie said. “No account with privileges should be used by default for work that doesn’t require that level of access. Users should elevate to using the required accounts when needed and only for that task.”
Mackenzie added that alerts should be set so that if the domain admin account is used or if a new admin account is created, someone knows. A previous case that Rapid Response was called in on proved this point.
In this particular case, an attacker gained access to an organization’s network, created a new user, and added that account to the domain admin group in Active Directory. No alerts were set off, so that new domain admin account went on to delete about 150 virtual servers and used Microsoft BitLocker to encrypt the server backups.
Mackenzie told the customer they were lucky the attack was so visibly destructive and easily noticed.
“If they hadn’t done that, how long would they have had domain admin access to the network without the customer knowing?”
Detection and IoCs
Nefilim ransomware is detected in Sophos Endpoint Protection under the definition Troj/Ransom-GDN.
Additional indicators of compromise have been published to the SophosLabs Github.
Nefilim group Tactics, Techniques, and Procedures (TTPs)
The common Tactics, Techniques and Procedures (TTPs) of the group(s) that operate Nefilim ransomware include exploiting Citrix vulnerabilities or Remote Desktop Protocol (RDP) to gain initial entry into victim environments, i.e. exploiting public-facing applications (MITRE ATT&CK T1190).
In this case, the Rapid Response team discovered vulnerable versions of Citrix software on customer systems. Although it is unclear which vulnerability was exploited, the installed Citrix Storefront 7.15 CU3 was vulnerable at the time of the incident to one Critical (CVE-2019-11634) and four High-rated CVE vulnerabilities (CVE-2019-13608, CVE-2020-8269, CVE-2020-8270, CVE-2020-8283), any of which may have been exploited to gain initial access to the target network.
Once in, the threat actor also used Remote Desktop Protocol (RDP) logins to maintain access to the initial admin account used in the attack. On the network, the threat actor used Mimikatz, a tool that reveals credentials stored on a system, to compromise a domain admin account.
The Rapid Response investigation uncovered PowerShell commands as well as the use of RDP and Cobalt Strike to move laterally to multiple hosts, conduct reconnaissance, and enumerate the network.
The threat actor installed the file transfer and synchronization application MEGA in order to exfiltrate data.
The Nefilim ransomware binaries were deployed using Windows Management Instrumentation (WMI) via the compromised domain admin account.
Checklist for secure account access management
Only grant the access permissions needed for a specific task or role
Disable accounts no longer needed
If you need to keep an account active after the original owner has left the organization, implement a service account and deny interactive logins
Carry out regular audits of Active Directory: Active Directory Audit Policies can be set to monitor for admin account activity or if an unexpected account is added to the domain admin group
Have a robust security solution in place, ideally with anti-ransomware technologies such as that featured in Intercept X
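The checklist above and the earlier advice on Active Directory audit policies (alert when an account is added to the domain admin group, deny interactive logins to service accounts, watch for admin activity at odd hours) can be turned into a small audit routine. The following is an added example, not Sophos's code: it runs a few alerting rules over constructed Windows Security log records. The event IDs (4720, 4728, 4624) and logon types are the standard Windows ones; the records, account names and business-hours policy are assumptions made for the example.

```python
"""Added example (not Sophos code): a small audit over constructed Windows
Security log records that flags the account-management red flags described
above. Event IDs, logon types and field names follow Windows Security log
conventions; the records themselves and the account names are constructed."""
from datetime import datetime, time

# Constructed sample records. Windows Security log event IDs:
#   4720 = a user account was created
#   4728 = a member was added to a security-enabled global group
#   4624 = an account was successfully logged on
#          (LogonType 2 = local interactive, 10 = RemoteInteractive, i.e. RDP)
EVENTS = [
    {"id": 4720, "time": "2020-09-14T03:12:00", "subject": "svc-backup",
     "target": "helpdesk2"},
    {"id": 4728, "time": "2020-09-14T03:13:00", "subject": "svc-backup",
     "target": "helpdesk2", "group": "Domain Admins"},
    {"id": 4624, "time": "2020-09-14T03:20:00", "subject": "svc-backup",
     "logon_type": 10},
    {"id": 4624, "time": "2020-09-14T10:05:00", "subject": "j.doe",
     "logon_type": 2},
    {"id": 4728, "time": "2020-09-14T11:00:00", "subject": "it.admin",
     "target": "j.doe", "group": "Helpdesk"},
]

# Assumed organisational policy (constructed for the example).
SERVICE_ACCOUNTS = {"svc-backup"}           # must never log on interactively
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
BUSINESS_HOURS = (time(8, 0), time(18, 0))  # local time; outside is suspicious
INTERACTIVE_LOGON_TYPES = {2, 10}


def is_off_hours(ts, hours=BUSINESS_HOURS):
    """True when the timestamp falls outside the configured business hours."""
    start, end = hours
    return not (start <= ts.time() < end)


def audit(events, service_accounts=SERVICE_ACCOUNTS,
          privileged_groups=PRIVILEGED_GROUPS):
    """Return one finding per event that matches an alerting rule.

    Rules mirror the advice in the text: alert on new accounts, on additions
    to a domain admin group, and on interactive/RDP logons by service
    accounts. Each finding also records whether it happened off-hours, since
    attacker activity in the case above clustered in the middle of the night.
    """
    findings = []
    for ev in events:
        ts = datetime.fromisoformat(ev["time"])
        rule = None
        if ev["id"] == 4720:
            rule = "ACCOUNT_CREATED"
        elif ev["id"] == 4728 and ev.get("group") in privileged_groups:
            rule = "PRIVILEGED_GROUP_ADD"
        elif (ev["id"] == 4624 and ev["subject"] in service_accounts
              and ev.get("logon_type") in INTERACTIVE_LOGON_TYPES):
            rule = "SERVICE_ACCOUNT_INTERACTIVE_LOGON"
        if rule:
            findings.append({
                "rule": rule,
                "subject": ev["subject"],
                "target": ev.get("target", ev["subject"]),
                "time": ev["time"],
                "off_hours": is_off_hours(ts),
            })
    return findings


if __name__ == "__main__":
    for f in audit(EVENTS):
        flag = " (off-hours)" if f["off_hours"] else ""
        print(f"{f['time']} {f['rule']}: {f['subject']} -> {f['target']}{flag}")
```

Run against the constructed records, the routine raises three findings, all off-hours: the account creation, its addition to Domain Admins, and the RDP logon by the service account; the daytime helpdesk-group change and the ordinary user logon pass silently. In a real deployment the records would come from the domain controllers' Security logs (or a SIEM export) and the findings would feed an alert rather than a print statement.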
The Australian Cyber Security Centre (ACSC) is aware of recent ransomware campaigns targeting the aged care and healthcare sectors. Cyber criminals view the aged care and healthcare sectors as lucrative targets for ransomware attacks. This is because of the sensitive personal and medical information they hold, and how critical this information is to maintaining operations and patient care. A significant ransomware attack against a hospital or aged care facility would have a major impact.
The ‘Maze’ ransomware is designed to lock or encrypt an organisation’s valuable information, so that it can no longer be used, and has been observed being used alongside other tools which steal important business information. Cyber criminals may then threaten to post this information online unless a further ransom is paid. This is especially effective in the aged care and healthcare sectors.
If Australian organisations are infected by the Maze ransomware, they should seek assistance in the first instance from the ACSC via 1300 CYBER1. We encourage reporting cyber security incidents to enable the ACSC to alert and assist a broader range of organisations, and understand the scope and nature of cyber intrusions.
Read the ACSC advice on mitigating the threat of ransomware. Keeping software up to date and having current backups stored offline is the best way to protect your organisation from a ransomware attack.
Never pay a ransom demand
We recommend you do not pay the ransom if affected by the Maze ransomware. There is no guarantee paying the ransom will fix your devices, and it could make you vulnerable to further attacks. Restore your files from backup and seek technical advice.
Identify and backup critical information and systems
Backing up and restoring your files offers peace of mind and makes it faster and easier to get up and running again following a ransomware attack.
Keep your systems and software up to date through regular patching
All your personal or business devices, including your phone, tablet, computer or laptop, use software to run: operating systems such as Microsoft Windows or Apple macOS, and applications such as antivirus, web browsers or word processors at work. Read more about patching software.
Use antivirus software and keep it up to date
Install antivirus software on all devices and set the software to automatically check for updates on a daily basis.
The federal government has finally unveiled its delayed cyber security strategy but left much of the detail to forthcoming legislation that is yet to be put before parliament.
The 52-page strategy [pdf], released on Thursday, will see $1.67 billion invested in a number of already-known initiatives aimed at enhancing Australia’s cyber security over the next decade.
Much of the funding is from the previously announced $1.35 billion cyber enhanced situational awareness and response (CESAR) package.
The strategy’s key elements include proposed laws and an “enhanced regulatory framework” to secure critical infrastructure, deemed the “best way to protect Australians at scale”.
The new framework will outline the government’s minimum expectation, including an “enforceable positive security obligation for designated critical infrastructure entities”.
“These powers will ensure the Australian Government can actively defend networks and help the private sector recover in the event of a cyber attack,” the strategy states.
“The nature of this assistance will depend on the circumstances, but could include expert advice, direct assistance or the use of classified tools.
“This will reduce the potential down-time of essential services and the impact of cyber attacks on Australians.”
The framework, which will be delivered through amendments to the Security of Critical Infrastructure Act, is also expected to extend to systems of national significance.
While much of the focus on critical infrastructure is ensuring assets are properly defended during a cyber attack, the government will also assist operators to “enhance their cyber security posture”.
It will do this by using the proposed $62.3 million “classified national situational awareness capability”, funded in the CESAR package, to respond to threats against critical infrastructure.
Critical infrastructure operators will similarly be able to share intelligence about malicious cyber activity through the government’s $35 million cyber threat-sharing platform, which has been on the cards for several years.
Further afield, the government is also considering additional “legislative changes that set a minimum cyber security baseline across the economy”.
It will also expand the cyber security incident exercise program run by the Australian Cyber Security Centre to improve how government and businesses prepare for incidents.
Secure government hubs
With departments and agencies continuing to struggle to implement rudimentary cyber security controls, government systems and data are key concerns.
In a bid to uplift cyber resilience, the government is planning to “centralise the management and operations of the large number of networks” run by agencies as a priority.
The strategy said that centralising networks would allow the government to “focus its cyber security investment on a smaller number of more secure networks”.
“A centralised model will be designed to promote innovation and agility while still achieving economies of scale,” the strategy states.
It also plans to explore the creation of “secure hubs” to reduce the number of networks that hostile actors can target even further, though the strategy does not elaborate on what this might look like.
Standard cyber security clauses will also be introduced into government IT contracts to avoid unnecessary risks.
The strategy notes that federal, state and territory agencies were the target of 35.4 percent of the 2266 cyber security incidents that the ACSC responded to in the 2019-20 financial year.
Around the same number of incidents impacted critical infrastructure providers in the healthcare, education, banking, water, communications, transport and energy sectors.
The government will also provide law enforcement agencies with $124.9 million to strengthen their ability to counter cyber crime, including $89.9 million for the Australian Federal Police.
The funding will sit alongside planned legislation that will assist the AFP to identify individuals engaging in serious criminal activity on the dark web.
The ACSC will also receive a further $31.6 million to improve its ability to counter cyber crime offshore and assist federal, state and territory law enforcement to identify and disrupt cyber criminals.
“The Australian Government will ensure it has fit-for-purpose powers and capabilities to discover, target, investigate and disrupt cyber crime, including on the dark web,” the strategy states.
The strategy also outlines the government’s $63.4 million plan to assist small and medium enterprises (SMEs) to uplift their cyber security capabilities with the help of large businesses.
One such initiative will see large businesses and service providers provide SMEs with ‘bundles’ of secure services such as threat blocking and antivirus, as well as awareness training.
“Integrating cyber security products into other service offerings will help protect SMEs at scale and recognises that many businesses cannot employ dedicated cyber security staff,” the strategy states.
The government also plans to “provide online training and a 24/7 helpdesk for SMEs that need cyber security advice or assistance”.
COVIDSafe was sold as Australia’s ticket out of lockdown. But almost three months since launch in late April, its impact is hard to measure.
Victoria has accessed data from the app almost 400 times, but health authorities are yet to point to any potential COVID-19 exposure that was not picked up by manual contact tracing.
In New South Wales, app data has been extracted 23 times. In one instance, a person whose contact details were unavailable during manual contact tracing was contacted using app data.
But COVIDSafe’s ability to reliably transmit and collect encrypted codes using Bluetooth from other apps remains under scrutiny.
And there is another option.
In May, Google and Apple launched an exposure notification API, or framework, built into their devices’ operating systems that allows health authorities to build their own apps, and ostensibly helps the technology perform better with fewer bugs and workarounds.
Germany and Ireland, as well as a handful of other European countries, have now launched their own COVID-19 exposure notification apps using the Google-Apple framework.
So how do they compare to COVIDSafe?
A centralised or a decentralised model
COVIDSafe and apps built using the Apple-Google API both deploy Bluetooth to create an encrypted log of random codes from other devices with the app, that come into close range.
But Ireland’s COVID Tracker app and Germany’s Corona-Warn-App differ when it comes to the next step.
Broadly, if someone tests positive for the virus and has one of those apps, they can voluntarily make their weeks of random codes available to the exposure notification system.
Each individual app regularly checks the exposure codes it has stored against the ones the system has identified as belonging to an infected person.
If there is a match, the user receives a warning notification on their phone and can then choose to get in touch with a doctor.
All the data processing is done on the device.
In contrast, if someone with COVIDSafe is diagnosed with the virus, health authorities may ask them to share their app’s data with a central database. Then those random codes will be sorted into close contacts (1.5 metres for upwards of 15 minutes) and used by local health authorities to track potential exposures.
Ireland and Germany’s apps operate more as a warning system and offer much less information to authorities.
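The contrast between the two designs is easiest to see in code. The following is an added toy model, not code from COVIDSafe, the Google-Apple framework or either national app: phones exchange random codes over a simulated Bluetooth contact, and a diagnosis is then handled two ways. In the decentralised path only the diagnosed user's own codes go to a server and every other phone does the matching locally; in the centralised path the diagnosed user's whole contact log is uploaded and the authority sorts it into close contacts. The random-code scheme, the device and server classes, and the use of contact duration alone (the real COVIDSafe rule also involves the 1.5 metre distance) are simplifications assumed for the example.

```python
"""Added example: toy model of decentralised on-device matching (Google-Apple
API style) versus centralised contact-log upload (COVIDSafe style). Not code
from any real app; plain random codes stand in for the real key derivation."""
import secrets

CODE_BYTES = 16
CLOSE_CONTACT_MINUTES = 15   # threshold quoted in the text: 15+ minutes in range


class Device:
    """A phone: remembers the codes it broadcast and the codes it heard."""

    def __init__(self, owner):
        self.owner = owner
        self.broadcast = []   # random codes this device has sent out
        self.heard = []       # (code, minutes_in_range) logged from others

    def fresh_code(self):
        code = secrets.token_bytes(CODE_BYTES)
        self.broadcast.append(code)
        return code


def bluetooth_contact(a, b, minutes):
    """Simulated proximity: each phone sends a fresh code, each logs the other's."""
    ca, cb = a.fresh_code(), b.fresh_code()
    a.heard.append((cb, minutes))
    b.heard.append((ca, minutes))


# --- Decentralised model (Ireland / Germany apps) -----------------------------
class DiagnosisKeyServer:
    """Holds only codes voluntarily published by diagnosed users."""

    def __init__(self):
        self.published = set()

    def publish(self, device):
        self.published.update(device.broadcast)


def local_exposure_check(device, server):
    """Matching runs on the phone; the server never learns whom the user met."""
    minutes = sum(m for code, m in device.heard if code in server.published)
    return minutes >= CLOSE_CONTACT_MINUTES


# --- Centralised model (COVIDSafe) -------------------------------------------
class CentralAuthority:
    """Can map every code back to a person and receives whole contact logs."""

    def __init__(self):
        self.owner_of = {}

    def learn_codes(self, device):
        # Toy assumption: the authority knows which codes belong to whom.
        for code in device.broadcast:
            self.owner_of[code] = device.owner

    def process_upload(self, diagnosed):
        """Diagnosed user's full log arrives; authority sorts close contacts."""
        totals = {}
        for code, minutes in diagnosed.heard:
            owner = self.owner_of.get(code)
            if owner is not None:
                totals[owner] = totals.get(owner, 0) + minutes
        return sorted(o for o, m in totals.items() if m >= CLOSE_CONTACT_MINUTES)


def scenario():
    """Three phones, three contacts, then alice is diagnosed."""
    alice, bob, carol = Device("alice"), Device("bob"), Device("carol")
    bluetooth_contact(alice, bob, 20)    # long enough to count
    bluetooth_contact(alice, carol, 5)   # brief
    bluetooth_contact(bob, carol, 10)

    server = DiagnosisKeyServer()
    server.publish(alice)                # alice uploads only her own codes
    decentralised = {d.owner: local_exposure_check(d, server) for d in (bob, carol)}

    authority = CentralAuthority()
    for d in (alice, bob, carol):
        authority.learn_codes(d)
    centralised = authority.process_upload(alice)   # alice uploads her whole log
    return decentralised, centralised


if __name__ == "__main__":
    dec, cen = scenario()
    print("decentralised (each phone decides for itself):", dec)
    print("centralised (authority's close-contact list):", cen)
```

Both paths reach the same answer (bob was a close contact, carol was not), which is the point: the decentralised server ends up holding only alice's published codes and learns nothing about bob or carol, whereas the central authority holds the code-to-person mapping and alice's complete contact log. That difference in what the server can see is the privacy advantage discussed below.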
That lack of centralised data collection is part of what makes security expert Vanessa Teague, chief executive of Thinking Cybersecurity, believe Australia should move to the Google-Apple API.
“It has this huge privacy advantage,” she said.
And although we do not yet have sufficient empirical data comparing the performance of available models, she suggested it’s likely apps built using the Google-Apple framework will work more reliably than COVIDSafe because the Bluetooth detection technique is built into the devices’ operating systems.
“By work, I mean, when two people are near each other, the likelihood that it exchanges the pings it’s supposed to exchange is likely to be a lot higher,” she said.
Are apps built using the Google-Apple API a success?
Like in Australia, German and Irish authorities have been quick to boast about download figures.
Germany launched its app in mid-June. As of July 23, the Corona-Warn-App has registered 16.2 million downloads, according to the Robert Koch Institute, in a country with a population of more than 80 million.
Ireland’s Health Services told the ABC that almost 1.4 million people have downloaded the app since July 7 — out of almost 5 million people — and 91 COVID Tracker app users have received an exposure alert.
But like in Australia, where the app has been downloaded more than 6 million times, there are few metrics publicly available to understand the app’s contribution to pandemic control, or even how many people have the app open and working each day.
In Germany, about 660 people who were shown to test positive for SARS-CoV-2 ha