Driz Group Blog
Stay up to date with the latest cybersecurity research, news and alerts.
NASA Data Breach May Have Put Personnel Information at Risk
In December 2018, news broke of a data breach at NASA. This is just one of many cybersecurity incidents to strike large organizations and businesses in recent months, including Facebook, Marriott and more.
It’s believed the attack may have compromised personnel data, potentially making Social Security numbers vulnerable. The breach was first discovered in October, in servers containing personally-identifiable details of NASA staff, though it was kept from staff for nearly two months.
Obviously, this is a major problem that no doubt inspired dread in anyone who believed they may have been affected. Sadly, it’s an ongoing risk when hackers continue to utilize ever-more sophisticated techniques to bring networks down or simply steal valuable information.
At the time of writing, the extent of the breach was still unknown but was assumed to affect both current and former NASA personnel (including those connected to NASA as far back as 2006).
However, such a breach may not be a surprise to anyone following NASA closely, as its cybersecurity has been flagged for its flaws in the past. Its Office of Inspector General had indicated there were problems with NASA’s entire IT management and security processes overall — something that no company of any size can afford to overlook.
The Importance of Effective Cybersecurity
For something as vast and well-known as NASA, cutting-edge security is essential to both defend against and deter potential attacks. Not only is the data of personnel under threat, but NASA is involved in a large number of important projects, and any interference, delays or disruptions could have significant repercussions.
An audit conducted at NASA’s Security Operations Center (based in California) revealed that it was underperforming in multiple ways. A report from the Office of Inspector General concluded that the Security Operations Center had ‘fallen short’ of its purpose: to act as the driving force behind NASA’s cybersecurity efforts.
Lapses in management can affect cybersecurity in every company: a proper structure must be established to address potential risks, ways to manage attacks when they happen and strategies for handling the aftermath.
The NASA breach demonstrates that even technological powerhouses, responsible for some of the most mind-bending feats in history, may still fall prey to cyber-attacks.
Common Cybersecurity Pitfalls
It’s vital that your business or organization takes steps to avoid common pitfalls that essentially open the door for hackers to step into your network and help themselves to almost anything they like. What are these dangers and how do you address them?
A lack of education
Sadly, human error is one of the biggest culprits in cybersecurity flaws. While we might all like to believe we’re smart enough to stay safe online, it’s easy to make small mistakes with big consequences.
Weak passwords increase a business’s risk of attack, and all employees should be made aware of this. Likewise, sharing sensitive data with others and falling for common phishing scams can all reduce your company’s security.
This is why comprehensive education is so essential today. Even if you have intelligent staff who know their way around all of your tools and software, they could still make one tiny error that brings your entire network down.
Data breaches can chase existing and prospective customers away to competitors offering greater stability. Research shows consumers expect companies to keep their details safe, and 70 percent would walk away from a brand if their finances were affected by a data breach the business should have prevented.
Undertake expert training for all staff, at every level, to minimize cybersecurity dangers. When your employees know how to create strong passwords, keep sensitive data private and spot phishing risks, you can offer customers a higher standard of protection against threats.
Depending on outdated security
Don’t leave your security software outdated — make sure you always update to the latest version and take full advantage of the defenses it offers.
While it can be easy to assume any form of firewalls and other programs designed to keep you safe will repel attacks, that’s not the case. Cybercriminals are well-versed in tiny flaws and know how to exploit them to gain access to systems, no matter how minor such gaps may seem.
If you know your security is weaker than it should be and hackers could find an obvious way into your network, take steps to address it immediately. You can’t depend on outdated software to stop the most up-to-date attacks.
Physical security oversights
Not only is effective cybersecurity fundamental to protect your employees’ and customers’ data, but physical security is just as important.
Your business site must be equipped with the best protection you can afford. Surveillance cameras, alarms, sensors, smart locks — utilize anything and everything available to keep your workplace safe from unwanted visitors.
Why? Because apart from the obvious problems related to theft, any laptops, USB sticks, hard drives or devices stolen from your office could all contain invaluable data. Thieves may either use this themselves or sell it on to cybercriminals set to target your personnel or clients.
Certain members of staff could seize an opportunity to steal sensitive data from your system and pass it on to others.
This may be for profit or out of a malicious aim to disrupt your operations, perhaps if they feel they have been mistreated or are due to leave the company. Whatever the circumstances, anyone with access to important information could cause major problems for your business if left unchecked.
While such individuals can cover their tracks and avoid suspicion for a long time, make sure you stay vigilant. Encourage employees to be aware of potential risks posed by colleagues and understand how important it is to report any suspicions they have.
Looking to learn more about how effective cybersecurity can protect your business from hackers in 2019? Want to work with a team of cybersecurity experts with the tools, training and techniques to help your company’s system stay secure?
Just reach out and get in touch!
Mirai Botnet Operator Responsible for Cutting Off Internet Access of an Entire Country Jailed
A UK court recently sentenced 30-year-old Daniel Kaye to 2 years and 8 months in prison for operating a Mirai botnet that cut off the internet access of the entire country of Liberia.
Kaye pleaded guilty to carrying out intermittent Distributed Denial of Service (DDoS) attacks on the Liberian telecommunications provider Lonestar MTN. According to Kaye, he was hired by a rival Liberian network provider and paid a monthly retainer to conduct intermittent DDoS attacks on Lonestar.
According to the UK National Crime Agency (NCA), from September 2016 Kaye operated his own Mirai botnet, composed of a network of infected Dahua security cameras, to carry out intermittent DDoS attacks on Lonestar. In November 2016, the NCA said, the traffic from Kaye’s Mirai botnet was so high in volume that it disabled internet access all over Liberia.
The intermittent DDoS attacks on Lonestar, the NCA added, cost the company tens of millions of US dollars in lost revenue as customers left the network, plus approximately 600,000 USD in remediation costs to prevent the attacks from happening again.
What Is a Mirai Botnet?
Mirai is a malicious software (malware) that infects Internet of Things (IoT) devices, such as video cameras, and turns these infected IoT devices into a botnet – referring to a group of infected computers that’s operated under the control of a cybercriminal to conduct malicious activities such as DDoS attacks.
Mirai first came to public attention on September 20, 2016, when it attacked Brian Krebs’ security blog. The DDoS attack on Krebs’ security blog was considered one of the largest on record at the time. By the end of September 2016, just days after the DDoS attack on Krebs’ security blog, the author of Mirai, using the name “Anna Senpai”, released the source code of Mirai on an online hacking forum. Anna Senpai claimed that 380,000 IoT devices had been infected by the Mirai malware and formed part of the botnet that took down Krebs’ website.
The Mirai source code reveals that this malware continuously scans the internet for IoT devices that use any of 61 factory-default username and password combinations. While 62 username and password combinations are listed in the Mirai source code, one is a duplicate, leaving 61 unique combinations.
Given that many owners of IoT devices didn’t bother to change the factory-default username and password combinations, the Mirai malware easily infected hundreds of thousands of IoT devices and turned them into a botnet for DDoS attacks.
The publication of the Mirai source code on an online forum encouraged other cybercriminals to copy the code and operate their respective Mirai botnets. Following the publication of the Mirai source code, a series of high-profile DDoS attacks were attributed to Mirai botnets.
On October 21, 2016, Mirai brought down a big chunk of the internet on the U.S. east coast. Dyn, an internet infrastructure company, was the subject of a DDoS attack that rendered popular websites inaccessible to the public. Dyn, in a statement, said that a significant volume of the DDoS attack traffic originated from Mirai botnets. To date, the perpetrator of the Dyn DDoS attack remains unknown and no case has been filed against anyone in relation to this attack.
In addition to Lonestar DDoS attacks, Kaye also admitted to launching DDoS attacks using his own Mirai botnet on Deutsche Telekom that affected 1 million customers in November 2016. Kaye was extradited to Germany for this crime but only received a suspended sentence.
In late 2017, three college-age friends, Paras Jha, Josiah White and Dalton Norman, pleaded guilty before a U.S. court to creating the Mirai malware. Jha, in particular, pleaded guilty to launching multiple DDoS attacks using Mirai on the Rutgers University computer system, which shut down the University’s server used for all communications among faculty, staff and students.
Jha, White and Norman dodged jail. Jha, in particular, was ordered by a New Jersey court to pay $8.6 million in restitution and serve 6 months of home incarceration for launching DDoS attacks on the Rutgers University computer network.
The U.S. Department of Justice, in a statement, said that Jha, White and Norman’s involvement with the Mirai ended when Jha posted the Mirai source code on an online forum. “Since then, other criminal actors have used Mirai variants in a variety of other attacks,” the U.S. Department of Justice said.
The publication of malware source code has two sides. First, it encourages script kiddies – those who attempt to launch cyberattacks using scripts or code written by others, as in the case of Mirai. Many script kiddies, using the original Mirai source code, have been able to build their own DDoS botnets and offer a service called “DDoS-for-hire”.
Second, the flipside of making a malware source code public is that this enables the cybersecurity community to study the code and develop tools and advisories that could render this malware inoperable or useless.
There are currently available security tools that block DDoS attacks coming from Mirai botnets. Also, a simple change of factory default username and password combinations can prevent IoT devices from being infected by the Mirai malware and, in effect, could prevent DDoS attacks.
Cybercriminals are, however, relentless in their campaigns. Since the publication of the Mirai source code, cybercriminals have tweaked the Mirai source code, for instance, infecting not just IoT devices, but enterprise servers as well. Attackers also don’t simply use factory default login details in infecting computer devices, but also exploit known security vulnerabilities.
Cyber Attack Disrupts Operations of Major U.S. Newspapers
Cyber criminals ended 2018 with a high-profile cyber attack, this time, attacking Tribune Publishing’s network, resulting in the disruption of the news production and printing process of some of the major newspapers in the U.S.
The Los Angeles Times reported that what was first thought to be a server outage at Tribune Publishing’s network was later identified as a cyber attack. Tribune Publishing once owned the Los Angeles Times and the San Diego Union-Tribune. These 2 newspapers were later sold to a Los Angeles biotech entrepreneur. Despite the sale, these 2 newspapers still share Tribune Publishing’s printing networks.
As a result of the cyber attack at Tribune Publishing, the distribution of the December 29th print edition of these 2 newspapers was delayed. The distribution of the December 29th print edition of The New York Times and The Wall Street Journal was also delayed, as these two major newspapers share the use of the Los Angeles Times’ Olympic printing plant – as the name implies, also used by the Los Angeles Times.
The cyber attack on Tribune Publishing also disrupted production of other Tribune Publishing newspapers. Tribune Publishing currently owns Chicago Tribune, New York Daily News, The Baltimore Sun, Orlando Sentinel, South Florida’s Sun-Sentinel, Virginia’s Daily Press and The Virginian-Pilot, The Morning Call of Lehigh Valley, Pennsylvania, and the Hartford Courant.
Chicago Tribune, for its part, reported that its December 29th print edition was published without paid death notices and classified ads as a result of the cyber incident at Tribune Publishing.
Marisa Kollias, Tribune Publishing spokeswoman, said in a statement that by December 30th, production and delivery were back on track at all concerned newspapers. She didn’t, however, address the details about the cyber attack itself.
“We acted promptly to secure the environment while … creating workarounds to ensure we could print our newspapers,” Kollias said. “The personal data of our subscribers, online users, and advertising clients has not been compromised.”
While authorities and Tribune Publishing are silent about the cause of the cyber attack and whether the attacker or attackers asked for a ransom, the Los Angeles Times and Chicago Tribune reported that several individuals with knowledge of the situation said the cyber attack bore the signature of Ryuk ransomware.
What Is Ryuk Ransomware?
Ryuk is malicious software (malware) categorized as ransomware. In a ransomware attack, all or selected files on a computer infected by the ransomware are encrypted – the process of converting plaintext or any other type of data into an encoded version – denying legitimate users access to these files.
Ransomware victims are informed of the file encryption via a notice shown on the monitor of the infected computer. This notice also functions as a ransom note. Ransomware is characterized by the fact that victims are asked to pay a ransom, typically in the form of cryptocurrency like Bitcoin (also referred to as BTC), with the promise that once the ransom is paid, a decryption key to unlock the encrypted files will be provided.
Ryuk was first reported by security researchers at Check Point on August 20, 2018. The researchers said that in the 2 weeks prior to August 20th, the Ryuk perpetrator or perpetrators attacked various organizations worldwide, earning the attackers over $640,000 in just a span of 2 weeks.
Check Point researchers said Ryuk’s early attacks encrypted hundreds of personal computers, storage and data centers in each infected organization. Some organizations paid large ransoms in order to retrieve their files. The highest recorded payment was 50 BTC, then worth nearly $320,000.
According to Check Point researchers, Ryuk is a highly targeted attack, which requires “extensive network mapping, hacking and credential collection” prior to each operation. In addition to encrypting files in the local drives, Ryuk also encrypts network resources.
Analysis of Ryuk by Check Point researchers showed that this ransomware is similar in many ways to another ransomware called “Hermes”. The attack on Far Eastern International Bank (FEIB) in Taiwan in October 2017 brought Hermes to public attention. While Hermes exhibited the typical characteristics of ransomware in the FEIB attack, it acted only as a diversion, as the attackers’ ultimate goal was to steal money. The FEIB attackers stole $60 million in a sophisticated SWIFT attack, but the total amount stolen was later recovered. Unlike Hermes, Ryuk functions not as a diversionary tactic but as the main act.
Here are some similarities between Hermes and Ryuk that led the Check Point researchers to conclude that whoever wrote the Ryuk source code had access to the Hermes source code (to date, the source code of neither Ryuk nor Hermes is publicly available):
Similarity in Encryption Logic
The encryption logic in both Hermes and Ryuk is similar in structure.
Whitelisting of Similar Folders
Both Hermes and Ryuk encrypt every file and directory except “Windows”, “Mozilla”, “Chrome”, “RecycleBin” and “Ahnlab”. One explanation for why attackers want victims to keep access to browsers like Chrome and Mozilla Firefox is to allow victims to search online for what the ransom note means.
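A defender-side use of that folder list, as an added example that is not Check Point’s or the page’s code: a small detector that replays constructed file-write events and flags any process touching many distinct directories within a short window, ignoring the folders both families leave alone so that routine OS and browser updates don’t raise alerts. The event format, process names and thresholds are assumptions.

```python
"""Added example: flag ransomware-style mass file modification.

Replays constructed file-write events and reports any process that
writes into an unusually large number of distinct directories within a
short sliding window.  Writes under the folders the page says Ryuk and
Hermes skip ("Windows", "Mozilla", "Chrome", "RecycleBin", "Ahnlab") are
ignored: OS and browser updates churn heavily there, and the ransomware
is documented as not touching them anyway.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Folder names the page lists as left alone by Hermes and Ryuk.
SKIPPED_FOLDERS = {"windows", "mozilla", "chrome", "recyclebin", "ahnlab"}


def touches_skipped_folder(path: str) -> bool:
    """True if any component of the Windows path is a skipped folder name."""
    parts = {part.lower() for part in PureWindowsPath(path).parts}
    return bool(parts & SKIPPED_FOLDERS)


def detect_mass_modification(events, window_seconds=60, dir_threshold=5):
    """events: (iso_timestamp, process_name, path) tuples in time order.

    Returns the sorted process names that wrote to more than
    `dir_threshold` distinct directories inside any `window_seconds`
    window.  Both thresholds are assumptions to tune per environment.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # process -> deque of (timestamp, directory)
    flagged = set()
    for ts_text, process, path in events:
        if touches_skipped_folder(path):
            continue
        ts = datetime.fromisoformat(ts_text)
        directory = str(PureWindowsPath(path).parent).lower()
        q = recent[process]
        q.append((ts, directory))
        while q and ts - q[0][0] > window:  # drop events outside the window
            q.popleft()
        if len({d for _, d in q}) > dir_threshold:
            flagged.add(process)
    return sorted(flagged)


# Constructed sample: an OS updater busy under Windows, a browser update,
# a normal document edit, and an unknown binary sweeping user and share
# folders within a few seconds.
SAMPLE_EVENTS = [
    ("2018-12-29T02:00:00", "updater.exe", r"C:\Windows\System32\a.dll"),
    ("2018-12-29T02:00:01", "updater.exe", r"C:\Windows\Temp\b.tmp"),
    ("2018-12-29T02:00:02", "chrome.exe", r"C:\Program Files\Google\Chrome\c.dll"),
    ("2018-12-29T02:00:05", "winword.exe", r"C:\Users\ann\Documents\memo.docx"),
    ("2018-12-29T02:01:00", "unknown.exe", r"C:\Users\ann\Documents\memo.docx"),
    ("2018-12-29T02:01:01", "unknown.exe", r"C:\Users\ann\Pictures\p1.jpg"),
    ("2018-12-29T02:01:02", "unknown.exe", r"C:\Users\ann\Desktop\todo.txt"),
    ("2018-12-29T02:01:03", "unknown.exe", r"C:\Users\bob\Documents\q4.xlsx"),
    ("2018-12-29T02:01:04", "unknown.exe", r"C:\Shares\Finance\ledger.xlsx"),
    ("2018-12-29T02:01:05", "unknown.exe", r"C:\Shares\HR\payroll.csv"),
]

if __name__ == "__main__":
    print("flagged:", detect_mass_modification(SAMPLE_EVENTS))  # ['unknown.exe']
```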
Here are some best security practices in order to prevent or minimize the effects of ransomware attacks like Ryuk:
Implement Network Segmentation
Network segmentation is the practice of splitting a corporate network into subnetworks. This practice ensures that if one subnetwork is infected with a malware like Ryuk, the other subnetworks won’t be infected. In addition to improving security, network segmentation also boosts efficiency.
Back-Up Critical Files
There are two main reasons why organizations are willing to pay an exceptionally large ransom to cyber attackers: a) victims want their files back because these files are critical to their operations, and b) victims have no copies of these critical files. Organizations that regularly back up critical files can afford not to pay a ransom to attackers.
Contact us today if you need assistance in protecting your organization’s resources from ransomware attacks.
What Can Organizations Learn from the Marriott Data Breach
The recent data breach disclosure by Marriott is an eye-opener to organizations, not only because of the extent of the breach – with up to half a billion guests affected, but also because of the length of time that the breach remained undetected – lasting nearly 4 years.
Marriott, currently the world’s largest hotel chain, has over 6,700 properties in 129 countries and territories, including Canada. The company has attained the stature of being the world’s largest hotel chain after it completed its acquisition of Starwood Hotels & Resorts Worldwide in September 2016.
Marriott, in a statement, said that from 2014 up to September 10, 2018, an “unauthorized party” accessed the Starwood guest reservation network, affecting up to 500 million guests who made a reservation at Starwood properties. Out of the 500 million guests affected, the hotel chain said that the data of 327 million of these guests was accessed without authority, including name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.
Financial data of an unspecified number of guests was also accessed by the unauthorized party, including payment card numbers and payment card expiration dates. While the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128), the hotel chain said it won’t discount the possibility that the unauthorized party decrypted the payment card numbers.
Marriott didn’t specify in what month, or on what exact date, in 2014 the data breach started. It can be recalled that prior to the completion of Marriott’s acquisition of Starwood, in November 2015, Starwood disclosed its own data breach, affecting nearly 100 Starwood hotels in North America.
Sergio Rivera, President of Starwood Americas, in a statement, said that point of sale systems at certain Starwood hotels were infected with a malicious software (malware), enabling “unauthorized parties” to access payment card data of some of the hotel customers.
Lessons from Marriott Data Breach
Here are some cyber security lessons from the recent Marriott data breach:
Implement Network Segmentation
Marriott said that its own Marriott-branded hotels weren’t affected by the data breach at the Starwood guest reservation network, as Marriott-branded hotels use a different network that wasn’t breached.
Network segmentation is the practice of dividing a computer network into subnetworks, with each network having a different purpose or usage. Implementing network segmentation in your organization ensures that in case one of the networks is infected with a malware, the other subnetworks won’t be infected.
By implementing network segmentation, the data breach at the Starwood guest reservation network was contained to this network alone, preventing the spread of the intrusion to Marriott’s other properties, including Marriott-branded hotels.
Encrypt Important Data
While encryption alone isn’t enough to protect important data, encryption adds a security layer in data protection. Encryption also means that an unauthorized party has to undertake an extra step and extra time to get the decryption key to unlock the encrypted files.
In the case of the Marriott data breach, the only data that was encrypted was the payment card numbers. The hotel chain, though, doesn’t rule out that the unauthorized party had gotten hold of the decryption key or keys needed to unlock the encrypted payment card numbers.
Encryption doesn’t have to be limited to payment card numbers. In the case of the Marriott data breach, important personally identifiable information, including passport numbers, wasn’t encrypted. What happened in the Marriott data breach was that instead of the company doing the encryption to add an additional layer of protection, the unauthorized party did the data encryption in order to avoid detection by any data-loss prevention tools.
Data decryption isn’t an easy thing to do. According to Marriott, while it discovered the data breach on September 8, 2018, it took the company until November 19, 2018 to decrypt the files encrypted by the unauthorized party.
Always Assume that an Intrusion Has Occurred
To date, the cause of the Marriott data breach is still unspecified. The hotel chain, however, identifies the culprit of the data breach as “unauthorized party”, a phrase that could mean a malicious insider or a malicious outsider.
Network intrusion carried out by a malicious outsider could happen in many ways. This could happen via phishing attacks using malicious emails containing malicious links and malicious attachments or via unknown security vulnerabilities exploited by a malicious outsider.
Proactive organizations have adopted the assumption that their networks are vulnerable to intrusion. Many organizations today engage the services of “penetration testers”, also known as ethical hackers. These ethical hackers search for and exploit security vulnerabilities in web-based applications, networks and systems and report back to the organization for the organization to fix the security loopholes.
Monitoring insider activity within the network is also important. Intrusion by a malicious insider should be assumed at all times. An insider has all the tools needed to abuse their access to the trove of data that your organization holds. Your organization must have an automated tool that flags unusual activities, such as access at abnormal working hours, abnormal access to voluminous data and, most importantly, an unusual volume of data transfer.
Contact us today if you need assistance in protecting against and detecting intrusions in your organization’s networks, whether resulting from the actions of a malicious insider or a malicious outsider.
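One shape such an automated flagging tool can take, as an added example that is not Marriott’s or the page’s code: it parses constructed data-access log lines and flags off-hours access and per-event record or byte counts far above the same user’s own median. The log format, the working-hours window and the tenfold multiplier are assumptions.

```python
"""Added example: flag insider-style anomalies in data-access logs.

Parses constructed log lines of the form
  <iso-timestamp> user=<name> action=<verb> records=<n> bytes=<n>
and reports events that fall outside working hours or whose record or
byte count exceeds a multiple of that user's own median.  The format,
hours and multiplier are assumptions, not any real vendor's tooling.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"records=(?P<records>\d+) bytes=(?P<bytes>\d+)"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    match = LOG_RE.match(line)
    if not match:
        return None
    event = match.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    event["records"] = int(event["records"])
    event["bytes"] = int(event["bytes"])
    return event


def flag_anomalies(lines, work_hours=(8, 18), multiplier=10, min_history=3):
    """Return sorted (timestamp, user, reasons) tuples for suspicious events.

    Volume checks compare each event with the median of the same user's
    events and only fire once the user has at least `min_history` events,
    so a brand-new account does not get a baseline of one data point.
    """
    by_user = defaultdict(list)
    for event in filter(None, map(parse_line, lines)):
        by_user[event["user"]].append(event)
    alerts = []
    for user, events in by_user.items():
        base_records = median([e["records"] for e in events])
        base_bytes = median([e["bytes"] for e in events])
        enough_history = len(events) >= min_history
        for e in events:
            reasons = []
            if not (work_hours[0] <= e["ts"].hour < work_hours[1]):
                reasons.append("off-hours access")
            if enough_history and e["records"] > multiplier * base_records:
                reasons.append("abnormal record volume")
            if enough_history and e["bytes"] > multiplier * base_bytes:
                reasons.append("abnormal transfer volume")
            if reasons:
                alerts.append((e["ts"].isoformat(), user, reasons))
    return sorted(alerts)


# Constructed sample log: jdoe has four ordinary days, then a late-night
# bulk export; asmith works late once; one malformed line is skipped.
SAMPLE_LOG = """\
2018-09-03T09:12:04 user=jdoe action=query records=1200 bytes=1540000
2018-09-04T10:05:31 user=jdoe action=query records=900 bytes=1210000
2018-09-05T14:47:12 user=jdoe action=export records=1500 bytes=1980000
2018-09-06T11:20:45 user=jdoe action=query records=1100 bytes=1400000
2018-09-07T23:41:10 user=jdoe action=export records=480000 bytes=734003200
2018-09-03T08:30:00 user=asmith action=query records=300 bytes=250000
2018-09-04T16:10:00 user=asmith action=query records=350 bytes=300000
2018-09-06T19:05:00 user=asmith action=query records=320 bytes=270000
this line is malformed and must be ignored by the parser
""".splitlines()

if __name__ == "__main__":
    for ts, user, reasons in flag_anomalies(SAMPLE_LOG):
        print(ts, user, ", ".join(reasons))
```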
New Mirai Variant Hijacks Enterprise Linux Servers for DDoS Attacks
Researchers at Netscout have discovered a new variant of Mirai – a malicious software (malware) once known for hijacking hundreds of thousands of Internet of Things (IoT) devices, including wireless cameras, routers and digital video recorders, to conduct powerful distributed denial-of-service (DDoS) attacks.
Instead of infecting IoT devices, researchers at Netscout said, the new Mirai variant infects non-IoT devices, in particular enterprise Linux servers running Apache Hadoop YARN, to serve as DDoS bots.
The original Mirai malware, at its peak, infected hundreds of thousands of IoT devices, controlling these infected IoT devices as botnet to conduct high-impact DDoS attacks. Botnet refers to a group of computers controlled by attackers without the knowledge and consent of the owners to conduct malicious activities, including DDoS attacks. In a DDoS attack, the botnet or controlled computers act in unison, flooding the internet connection of a target, for instance, a particular website.
The original Mirai first came to public attention when it launched a DDoS attack against the website of journalist Brian Krebs on September 20, 2016. A few days after, on September 30, the source code of Mirai was publicly released on the English-language hacking community Hackforums by a user using the screen name “Anna-senpai”.
Paras Jha, 22, the person behind Anna-senpai, pleaded guilty to co-creating Mirai. According to the U.S. Department of Justice, Jha and his 2 college-age friends Josiah White and Dalton Norman admitted that from December 2016 to February 2017 they successfully infected more than 100,000 IoT devices, such as home internet routers, with the Mirai malware and used the hijacked IoT devices to form a powerful DDoS botnet.
Since the public release of the source code of Mirai, a number of Mirai variants have been created and released into the wild. According to Netscout researchers, this latest Mirai variant “is the first time we’ve seen non-IoT Mirai in the wild”.
How the Latest Mirai Variant Works
To deliver the latest Mirai variant, attackers exploit the security vulnerability of Apache Hadoop YARN.
Apache Hadoop is an open source software framework that enables a cluster or group of computers to communicate and work together to store and process large amounts of data in a highly distributed manner. Meanwhile, YARN, which stands for Yet Another Resource Negotiator, is a key feature of Hadoop that helps in job scheduling of various applications and resource management in the cluster.
According to Netscout researchers, the latest Mirai malware exploits unpatched Linux servers running Apache Hadoop YARN and attempts to brute-force – that is, systematically guess – the factory-default username and password of the Hadoop YARN server.
DemonBot Vs. Latest Mirai Variant
Researchers at Radware detected last month another malware called “DemonBot” that infects Hadoop clusters by leveraging YARN’s unauthenticated remote command execution.
The main similarity between DemonBot and the latest Mirai variant is that both malware programs exploit the Hadoop YARN security vulnerability in order to infect computers. Both also turn infected computers into a botnet for the purpose of launching DDoS attacks.
Enterprise Linux servers running Apache Hadoop YARN infected by DemonBot and the latest Mirai variant are dangerous as these servers account for large volumes of DDoS traffic.
The main difference between DemonBot and the latest Mirai variant is that DemonBot spreads only via central servers and doesn’t exhibit the worm-like behavior seen in Mirai variants. Mirai’s worm-like behavior – its ability to spread itself within networks without user interaction – makes it a more dangerous malware than DemonBot.
According to Radware researchers, as of late October this year, attackers attempted to exploit the Hadoop YARN vulnerability to deliver DemonBot at an aggregated rate of over 1 million attempts per day.
Original Mirai Vs. Latest Mirai Variant
According to Netscout researchers, the latest Mirai variant behaves much like the original Mirai. This means that both have worm-like behavior and enslave infected computers for the purpose of launching DDoS attacks.
The main difference between the original Mirai and the latest Mirai variant is that while the original Mirai runs on IoT devices, the latest Mirai variant runs on Linux servers, in particular, those running Apache Hadoop YARN.
“Linux servers in datacenters have access to more bandwidth than IoT devices on residential networks, making them much more efficient DDoS bots,” researchers at Netscout said. ”A handful of well-resourced Linux servers can generate attacks that compete with a much larger IoT botnet.”
According to Netscout researchers, there are tens of thousands of attempts per day to exploit the Hadoop YARN vulnerability to deliver the latest Mirai variant.
The risk of further cyberattacks is high for machines infected by malware like Mirai. To prevent attackers from hijacking your organization’s Linux servers running Apache Hadoop YARN for DDoS attacks, make sure to configure your YARN’s access control by using strong username and password combination.
Also, keep all your organization’s software up-to-date and prevent brute-force attacks by implementing an account lockout policy. For instance, after a certain number of failed login attempts, the account is locked out until an administrator unlocks it.
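A lockout policy of that kind, applied to the default-credential brute-forcing described above for both the original Mirai and the YARN variant, as an added example that is not Netscout’s or the page’s code: after a configured number of failed logins within a time window the account stays locked, even for a later correct password, until an administrator unlocks it. The auth-log format, account names and source addresses are constructed.

```python
"""Added example: account lockout against credential brute-forcing.

An AccountLockoutPolicy counts failed logins per account inside a
sliding window and locks the account once the threshold is hit.  The
lock persists until an administrator calls unlock(), as the page
recommends, so a bot that eventually guesses the right password is
still refused.  Log format and values below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


class AccountLockoutPolicy:
    def __init__(self, max_failures=5, window_seconds=300):
        self.max_failures = max_failures
        self.window = timedelta(seconds=window_seconds)
        self.failures = defaultdict(deque)  # account -> failure timestamps
        self.locked = {}                    # account -> (locked_at, last source)

    def is_locked(self, account):
        return account in self.locked

    def record_failure(self, account, source, when):
        """Register a failed attempt; True if this attempt locked the account."""
        if account in self.locked:
            return False
        q = self.failures[account]
        q.append(when)
        while q and when - q[0] > self.window:  # forget failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked[account] = (when, source)
            q.clear()
            return True
        return False

    def record_success(self, account):
        self.failures[account].clear()  # a good login resets the counter

    def unlock(self, account):
        """Administrator action: the only way a locked account is released."""
        self.locked.pop(account, None)


def replay_auth_log(lines, policy):
    """Replay constructed auth-log lines through the policy.

    Returns one outcome per line: 'ok', 'fail', 'locked' (this attempt
    triggered the lock) or 'refused' (account already locked, so even a
    correct password is rejected until an administrator unlocks it).
    """
    outcomes = []
    for line in lines:
        tokens = line.split()
        when = datetime.fromisoformat(tokens[0])
        fields = dict(token.split("=", 1) for token in tokens[1:])
        account, source = fields["account"], fields["src"]
        if policy.is_locked(account):
            outcomes.append("refused")
        elif fields["result"] == "ok":
            policy.record_success(account)
            outcomes.append("ok")
        elif policy.record_failure(account, source, when):
            outcomes.append("locked")
        else:
            outcomes.append("fail")
    return outcomes


# Constructed sample: two bot sources hammer the default "yarn" account
# and guess correctly on the sixth try; an operator mistypes once.
SAMPLE_AUTH_LOG = [
    "2018-11-20T03:14:01 result=fail account=yarn src=198.51.100.7",
    "2018-11-20T03:14:03 result=fail account=yarn src=198.51.100.7",
    "2018-11-20T03:14:05 result=fail account=yarn src=203.0.113.9",
    "2018-11-20T03:14:08 result=fail account=yarn src=203.0.113.9",
    "2018-11-20T03:14:10 result=fail account=yarn src=198.51.100.7",
    "2018-11-20T03:14:12 result=ok account=yarn src=198.51.100.7",
    "2018-11-20T09:02:00 result=fail account=ops src=10.0.5.12",
    "2018-11-20T09:02:20 result=ok account=ops src=10.0.5.12",
]

if __name__ == "__main__":
    policy = AccountLockoutPolicy(max_failures=5, window_seconds=300)
    print(replay_auth_log(SAMPLE_AUTH_LOG, policy))
    print("yarn locked:", policy.is_locked("yarn"))
```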
By leveraging the security vulnerability in enterprise Linux servers running Apache Hadoop YARN, attackers can generate much more powerful DDoS attacks. Protect your organization’s online resources, such as websites, from DDoS attacks by using easy-to-use, cost-effective and comprehensive DDoS protection.
Contact us today if you need assistance in protecting your organization’s network from malware like Mirai and protecting your organization’s online resources from DDoS attacks.
Driz Group Inc. | 349 Bathurst Glen Dr., Vaughan, ON, Canada, L4J9A3 | Toll-free: 1 888-900-3749