Insurance Premiums Data Leak because of Cyber Attacks

Australian organizations have been hit hard with the expense of data leak of premium up to 30 percent to cover cyber-attacks, as reported by insurance brokers Marsh.

 

This is increasing rapidly in the country because insurers are not spending on the IT services for covering such costly cyber and ransomware attacks, in which hackers demand payment and hostage the data until they get the amount they are asking for, and also leaks valuable information all over the internet.

 

Marsh’s head of global placement for the Asia-Pacific region John Donnelly said “There is just an increasing number of ransomware attacks, The losses … are significant.”

 

Many organizations are affected by cyber-attacks including Nine Entertainment, publisher of the Australian Financial Review, and logistics outfit Toll. The toll was under a cyberattack which seemed like the Ransomware Attack but no demands were made to Nine.

 

Marsh noticed that organizations that renewed their yearly insurance in the first quarter of 2021 had a 35% chance to deal with cyber-attacks in the United States, “double the increase seen in the prior quarter and the largest increase since 2015”. In Britain, it was 29%.

 

Mr. Donnelly discussed a fear for insurers and stated that unlike geographically restricted events e.g., cyclone hitting North Queensland, a cyber-attack could strike across a company’s systems. “It has the potential to be global,”..

 

As part of the Australian Govt. Stay Smart Online partner, Computer Support Professionals can also measure the security health of your business with the latest industry best tools and application. We can help you to protect your business from the latest threat which can cause a security risk and damage your identity.

WHAT WE COVER UNDER IT SECURITY:

  • Managed security services and solutions
  • Design security solution as per business needs
  • Cybersecurity awareness programs
  • Anti-Virus and Anti-ransomware solutions
  • Enterprise and SMB risk and IT compliance strategies
  • Security risk assessment
  • Identity and access management
  • Security audit and Incident investigation

Article courtesy: financial review

 

 

Nefilim Ransomware Attack Uses “Ghost” Credentials

Sophos Rapid Response has discovered that keeping close tabs on the account credentials in your organization should always be a top priority. Sophos Rapid Response is a 24/7 service that helps organizations to quickly identify and neutralize active threats.

The company reached out to Rapid Response to get help with a Nefilim (also known as Nemty) ransomware attack in which more than 100 systems were impacted. Sophos’ Intercept X endpoint protection has no problem detecting and stopping Nefilim. Unfortunately, the customer did not have this protection in place. Nefilim ransomware, like virtually all major ransomware, replaces the original files with encrypted versions, making recovery impossible without either the decryption key or a recent backup.

The Rapid Response team sprang into action as soon as they were contracted by the customer, loading Sophos security onto all the systems it could access, ensuring all necessary protections were turned on for systems that already had Sophos installed, and digging for clues as to how and when the intrusion began and what might have been stolen.

By the time of Sophos’ standard “kick-off” call to describe the process of the Rapid Response team and gather context around the evidence uncovered so far, the team had already singled out user accounts that had been taken over and compiled a general timeline of the attack.

Nefilim ransomware attack timelineThe team determined the attacker had compromised an admin account with high level access about one month before launching Nefilim ransomware. Or more accurately, the attacker gained access to that admin account, then spent one month quietly moving around to steal credentials for a domain admin account, finding the trove of data they wanted, exfiltrating hundreds of GB of data, and then finally announcing their presence with the ransomware attack.

“Ransomware is the final payload in a longer attack. It is the attacker telling you they already have control of your network and have finished the bulk of the attack. It is the attacker declaring victory,” Peter Mackenzie, manager for Rapid Response, said. “Identifying you are under a ransomware attack is easy, identifying the attacker was on your network a week earlier is what counts.”

Based on Sophos intelligence, the Rapid Response team knew the threat actors behind Nefilim ransomware commonly gain initial access either by exploiting vulnerable versions of Citrix or Remote Desktop Protocol. In this case, the adversary exploited vulnerable Citrix software, gained access to the admin account, then stole the credentials for a domain admin account using Mimikatz.

During Sophos’ initial kick-off call, the Rapid Response team relayed which admin account had been compromised in the initial intrusion, and asked the customer: Whose account was it? The answer: the account belonged to an individual who had sadly passed away around three months before the attacker’s first move.

Apparently, the account was kept active because there were services that it was used for, meaning the Rapid Response team had to discern which activities from that account were legitimate and which were malicious.

“The malicious activities were often in the middle of the night for the customer’s local time,” Mackenzie said. “We were able to work out some of the movements in the account based on when they occurred and when the commands were being performed.”

If an organization really needs an account after someone has left the company, they should implement a service account and deny interactive logins to prevent any unwanted activity. Or, if they don’t need the account for anything else, disable it and carry out regular audits of Active Directory. Active Directory Audit Policies can be set to monitor for admin account activity or if an account is added to the domain admin group.

Mackenzie noted far fewer accounts need to be a domain admin than most people think.

“People assume because a person is an executive or is in charge of the network that they need to be using a domain admin account. ​This isn’t true and it’s dangerous,” Mackenzie said. “No account with privileges should be used by default for work that doesn’t require that level of access. Users should elevate to using the required accounts when needed and only for that task.”

Mackenzie added that alerts should be set so that if the domain admin account is used or if a new admin account is created, someone knows. A previous case that Rapid Response was called in on proved this point.

In this particular case, an attacker gained access to an organization’s network, created a new user, and added that account to the domain admin group in Active Directory. No alerts were set off, so that new domain admin account went on to delete about 150 virtual servers and used Microsoft BitLocker to encrypt the server backups.

Mackenzie told the customer they were lucky the attack was so visibly destructive and easily noticed.

“If they hadn’t done that, how long would they have had domain admin access to the network without the customer knowing?”

Detection and IoCs

Nefilim ransomware is detected in Sophos Endpoint Protection under the definition Troj/Ransom-GDN.

Additional indicators of compromise have been published to the SophosLabs Github.

Nefilim group Tactics, Techniques, and Procedures (TTPs)

The common Tactics, Techniques and Procedures (TTPs) of the group(s) that operate Nefilim ransomware have often utilized Citrix vulnerabilities or Remote Desktop Protocol (RDP) to gain initial entry into victim environments by exploiting public facing applications MITRE ATT&CK T1190.

In this case, the Rapid Response team discovered vulnerable versions of Citrix software on customer systems. Although it is unclear what vulnerability was exploited, the installed Citrix Storefront 7.15 CU3 was vulnerable at time of incident to 1 Critical (CVE-2019-11634) and 4 High rated CVE vulnerabilities (CVE-2019-13608, CVE-2020-8269, CVE-2020-8270, CVE-2020-8283) which may have been exploited in order to gain initial access to the target network.

Once in, the threat actor also used Remote Desktop Protocol (RDP) logins to maintain access to the initial admin account used in the attack. On the network, the threat actor used Mimikatz, which allows the threat actors to reveal the credentials stored on the system, to compromise a domain admin account.

The Rapid Response investigation uncovered PowerShell commands as well as the use of RDP and Cobalt Strike to move laterally to multiple hosts, conduct reconnaissance, and enumerate the network.

The threat actor installed the file transfer and synchronization application MEGA in order to exfiltrate data.

The Nefilim ransomware binaries were deployed using Windows Management Instrumentation (WMI) via the compromised domain admin account.

Checklist for secure account access management

  • Only grant the access permissions needed for a specific task or role
  • Disable accounts no longer needed
  • If you need to keep an account active after the original owner has left the organization, implement a service account and deny interactive logins
  • Carry out regular audits of Active Directory: Active Directory Audit Policies can be set to monitor for admin account activity or if an unexpected account is added to the domain admin group
  • Have a robust security solution in place, ideally with anti-ransomware technologies such as that featured in Intercept X

Article Courtesy: news.sophos.com

Microsoft warns to stay alert from human-operated ransomware campaigns

Microsoft warns to stay alert from human-operated ransomware campaigns

During the pandemic crisis, the cybercriminals are still looking for victims. The Microsoft’s Threat Protection Intelligence Team has warned. The ransomware criminals are still looking to attack healthcare and critical service providers. It has also issued a detailed guide in order to reduce the risk of falling victim to them.

Previously, the ransomware attacks were usually automated. But this time Microsoft confirmed that these attacks are not done in an automated fashion. Instead, they are conducted by criminal gangs that work by compromising internet-facing network devices. In order to establish a presence on vulnerable systems months before they strike and steal and encrypt victims’ data.

The attackers have a range of vulnerabilities. Which they can use to access victims’ networks and work. Their way to capture credentials and prepare for the final ransomware activation, Microsoft noted.

The most recent ransomware attacks that were observed by the Microsoft security teams highlighted Remote Desktop Protocol or Virtual Desktop systems that aren’t secured with multi-factor authentication.

Older, unsupported and unpatched operating systems. For instance: Microsoft Windows Server 2003 with weak passwords and 2008, misconfigured web servers including Internet Information Services, back up servers, electronic health record software and systems management servers are all being attacked currently. Vulnerable Citrix Application Delivery Controller and Pulse Secure are also in ransomware criminals’ sights and should be patched as soon as possible.

Once the cybercriminals have access to the victims’ device. They attempt to steal admin login credentials and move laterally within networks with common tools. For instance: Mimikatz and Cobalt Strike, Microsoft said.

After gaining access, the attackers usually create new accounts, modify Group Policy Objects in Windows. We add scheduled tasks and register operating system services, and deploy backdoors and remote access tools for persistence. CSPRO wait for an opportune moment to activate the ransomware to blackmail victims.

Several human-operated ransomware payloads are actively being used presently.These include RobbinHood, REvil/Sodinokibi, the Java-based PonyFinal and Maze, the operators of which were one of the first to sell stolen data from technology providers and public services it has attacked, Microsoft said.

One particular campaign, NetWalker, targets hospitals and healthcare providers through bogus COVID-19 subject emails with the ransomware delivered as a malicious Visual Basic script file.

Apart from actively patching systems, Microsoft said to watch out for malicious behaviors such as tampering with security events logs and other techniques used to evade detection, suspicious access to Local Security Authority Subsystem Service (LSASS), and Windows Registry database modifications which could indicate that credentials theft is taking place.

Investigating the Windows Event Log during the earliest part of a suspected breach. They looking for event ID 4624 and logon type 2 or 10 could indicate post-compromise access, Microsoft said.

Later on, searching WEL for type 4 or 5 logons could also indicate suspected breach activity.

Ransomware criminals show no compunction as to the impact their attacks have on health care providers, Microsoft warned.

They have also recently caused extensive damage to organizations such as forex giant Travelex which had to shut down its systems over the New Year, and global logistics company Toll Group.

If you’re concerned your personal details have been compromised, you can reach us at 1300 660 368 and one of our team members can help you in staying safe from the ransomware attack.

Article courtesy: www.itnews.com.au

Is advanced monitoring agent harmful ?

Businesses large and small are under threat from increasingly aggressive and brutal ransomware attacks. Loss of access to critical files, followed by a demand for payment can cause massive disruption to an organization’s productivity.Advanced monitoring agent handle backup files to control data.

But what does a typical attack look like? And what security solutions should be in place to give the best possible defense?

This article examines commonly used techniques to deliver ransomware, looks at why attacks are succeeding, and gives nine security recommendations to help you stay secure. It also highlights the critical security technologies that every IT setup should include and advanced monitoring agents handle backup files to control data.

Ransomware – a brief introduction

Ransomware is one of the most widespread and damaging threats that internet users face. Since the infamous CryptoLocker first appeared in 2013, we’ve seen a new era of file-encrypting ransomware variants delivered through spam messages and Exploit Kits, extorting money from home users and businesses alike.Advanced monitoring agents can handle backup files.

The current wave of ransomware families can have their roots traced back to the early days of Fake AV, through “Locker” variants and finally to the file-encrypting variants that are prevalent today. Each distinct category of malware has shared a common goal – to extort money from victims through social engineering and outright intimidation. The demands for money have grown more forceful with each iteration.

A survey of 2,700 organizations found that 54% have been hit by ransomware – twice on average. Of those hit, 77% were running up-to-date antivirus at the time of the attack. And the costs are punitive, with the median impact per organization US$133k (£100k).

Why are ransomware attacks so successful?

Most organizations have at least some form of IT security in place. So why are ransomware attacks slipping through the net?

  1. Sophisticated attack techniques and constant innovation
  • Access to ready-made ‘Exploit as a Service’ (EaaS) programs is increasingly easy, making it simple to initiate, successfully complete and benefit from an attack, even for less tech-savvy criminals. Below is a EaaS program for sale.

  • Skillful social engineering is used to prompt the user to run the installation routine of the ransomware. For example you may receive an email that reads something like this: “My organization’s requirements are in the attached file, please provide me with a quote.”
  • Producers of ransomware operate in a highly professional manner. This includes providing a working decryption tool after the ransom has been paid, although this is by no means guaranteed.
  1. Security holes at affected companies
  • Inadequate backup strategy (no real-time backups, backups not offline/off-site).
  • Updates/patches for operating system and applications are not implemented swiftly enough.
  • Dangerous user/rights permissions (users work as administrators and/or have more file rights on network drives than necessary for their tasks).
  • Lack of user security training (“Which documents may I open and from whom?”, “What is the procedure if a document looks malicious”, “How do I recognize a phishing email?”).
  • Security systems (virus scanners, firewalls, IPS, email/web gateways) are not implemented or are not configured correctly. Inadequate network segmentation can also be included here (servers and work stations in the same network).
  • Lack of IT security knowledge (.exe files may be blocked in emails but not Office macros or other active content).
  • Advanced monitoring agents specifies the backup files.
  • Conflicting priorities (“We know that this method is not secure but our people have to work…”).
  1. Lack of advanced prevention technology
  • Many organizations have some form of generic protection.
  • Ransomware is constantly being updated to exploit and avoid this protection. For example, deleting itself so quickly after encrypting files that it can’t be analyzed.
  • Solutions need to be designed specifically to combat ransomware techniques.
  • We are applying advanced monitoring agents.

How does a ransomware attack happen?

There are two main ways that a ransomware attack starts. Via an email with a malicious attachment, or by visiting a compromised (often a legitimate, mainstream) website.

Malicious email

Today’s criminals are crafting emails that are indistinguishable from genuine ones. Grammatically correct with no spelling mistakes, and often written in a way that is relevant to you and your business.

When opened, the zip file appears to contain an ordinary .txt file.

However, when the file is executed the ransomware is downloaded and installed onto your computer. In this example it’s actually a JavaScript file disguised as a .txt file that’s the Trojan horse, but there are many other variations on the malicious email approach, such as a Word document with macros, and shortcut (.lnk) files.

Malicious websites

Another common way to get infected is by visiting a legitimate website that has been infected with an exploit kit. Even popular websites can be temporarily compromised. Exploit kits are black market tools that criminals use to exploit known or unknown vulnerabilities (such as zero-day exploits).

You browse to the hacked website and click on an innocent-looking link, hover over an ad or in many cases just look at the page. And that’s enough to download the ransomware file onto your computer and run it, often with no visible sign until after the damage is done.

What happens next?

After initial exposure such as via the email and web examples, the ransomware takes further action:

  • It contacts the attacker’s Command & Control server, sending information about the infected computer and downloading an individual public key for it.
  • Specific file types (which vary by ransomware type) such as Office documents, database files, PDFs, CAD documents, HTML, XML, etc., are encrypted on the local computer, removable devices and all accessible network drives.
  • Automatic backups of the Windows operating system (shadow copies) are frequently deleted to prevent data recovery.
  • A message appears on the desktop explaining how the ransom can be paid (typically in Bitcoins) in the specific time frame.

  • Finally, the ransomware deletes itself leaving the encrypted files and ransom note behind.
  • advanced monitoring agent provides the best results according to the demands.

Ransomware Evolved

One of the first major ransomware outbreaks was the CryptoLocker ransomware which appeared in 2013. CryptoLocker infected hundreds of thousands of machines, earning millions of dollars for the attackers. It eventually was shut down when the Gameover Zeus botnet, which was used to distribute the attacks, was taken offline. CryptoLocker was followed by variants such as CryptoWall, TeslaCrypt, and Cerber.

In 2017 ransomware gained global attention with the outbreak of WannaCry. The attack was launched using suspected NSA code that was leaked by a group of hackers known as the Shadow Brokers. It used a variant of the ShadowBrokers APT EternalBlue Exploit (CC-1353). WannaCry was followed by another high profile attack, Petya or NotPetya. This attack is believed to be a nation-state attack started by Russia. Unlike file-based encryption ransomware, Petya was a “wiper” ransomware attack which encrypted the Master Boot Record causing significant damage to the device.

After WannaCry, attackers became even more ruthless with their attacks, focusing on specific targets such as businesses, hospitals, schools, and government agencies, rather than just a “spray and pray” approach. Some of the more impactful ransomware variants included Emotet and SamSam which used advanced stealthy techniques to get by endpoint defenses. Advanced monitoring agent helps to prevent your systems from attackers.

This has continued in 2019 with Ryuk. Ryuk has leveraged (and stolen) the techniques that have been proven to be successful from previous attackers. Techniques include entering via an exposed Remote Desktop Protocol (RDP), escalating privileges, tampering with security software, and spreading far and wide before executing the payload.

Nine best security practices to apply now

Staying secure against ransomware isn’t just about having the latest security solutions. Good IT security practices, including regular training for employees are essential components of every single security setup. Make sure you’re following these nine best practices:

  1. Patch early, patch often

Malware that doesn’t come in via a document often relies on security bugs in popular applications, including Microsoft Office, your browser, Flash and more. The sooner you patch, the fewer holes there are to be exploited.

  1. Backup regularly and keep a recent backup copy off-line and off-site

There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete. Encrypt your backup and you won’t have to worry about the backup device falling into the wrong hands.

  1. Enable file extensions

The default Windows setting is to have file extensions disabled, meaning you have to rely on the file thumbnail to identify it. Enabling extensions makes it much easier to spot file types that wouldn’t commonly be sent to you and your users, such as JavaScript.

  1. Open JavaScript (.JS) files in Notepad

Opening a JavaScript file in Notepad blocks it from running any malicious scripts and allows you to examine the file contents.

  1. Don’t enable macros in document attachments received via email

Microsoft deliberately turned off auto-execution of macros by default many years ago as a security measure. A lot of infections rely on persuading you to turn macros back on, so don’t do it!

  1. Be cautious about unsolicited attachments

The crooks are relying on the dilemma that you shouldn’t open a document until you are sure it’s one you want, but you can’t tell if it’s one you want until you open it. If in doubt leave it out.

  1. Don’t give yourself more login power than you need

Don’t stay logged in as an administrator any longer than is strictly necessary and avoid browsing, opening documents or other regular work activities while you have administrator rights.

  1. Stay up-to-date with new security features in your business applications

For example Office 2016 now includes a control called “Block macros from running in Office files from the internet”, which helps protect against external malicious content without stopping you using macros internally.

  1. Patch early, patch often!

Staying on top of patches is so important that we’ve included it twice. Don’t let ransomware exploit vulnerabilities that have patches available!

How can we protect you from ransomware?

To stop ransomware you need to have effective, advanced protection in place at every stage of an attack.

Securing your endpoints

We use multiple layers of defence to stop ransomware in its tracks. Anti-exploit technology stops the delivery of ransomware, deep learning blocks ransomware before it can run and CryptoGuard prevents the malicious encryption of files, rolling back affected files. It works alongside your existing antivirus from any vendor.And prevents advanced monitoring agent.

Protecting your servers

Server Advanced includes CryptoGuard functionality to prevent the malicious encryption of your files, rolling back affected files. Whitelisting and lock down permits only authorized applications and identifies what they can change – all other attempts to make changes are blocked. Malicious traffic detection stops ransomware from contacting command & control servers and downloading the payload.Advanced monitoring agent control malicious application.

Stop phishing emails

Phish Threat sends simulated phishing attacks to your organization, testing preparedness against real world attacks. Emails can be customized to your organization and industry and have been carefully localized for multiple languages. Detailed feedback lets you see how many users failed, overall susceptibility to attacks and more.Is Advanced monitoring agent are workable?

Are you infected with ransomware?

Looking for a solution?

Don’t worry, Computer Support Professionals have got you covered.

Contact us at 1300 660 368 and get rid of ransomware in no time.