Tag Archives: bitcoin

Some Practical Steps to Avoid Being Hit by Another WannaCry

By now, most of you will have heard about the havoc that WannaCry has caused globally. It is regarded as the biggest cyber-attack of its kind ever and has brought many organisations to their knees, most notably the NHS in the UK.

WannaCry was just another ransomware attack. The fact is that neither ransomware nor the mechanisms required to protect against it are new or sophisticated. I will outline some of these measures below. My simple request when you read them is to know that the sky is not falling and that we can take steps to manage such events!

In order to understand how to protect against ransomware attacks such as WannaCry, one must first understand how they work and propagate. Attacks like these usually start with a phishing email to users. Once a user clicks on a malicious link in the email or opens a malicious attachment, malware is downloaded to their machine. In the case of WannaCry, the malware then spread laterally across the network using a Windows SMB vulnerability that Microsoft had patched two months before WannaCry was released into the wild. From there the process is simple: the malware infects a computer, locks users out of the system (usually by encrypting the data on the hard drive), and holds the decryption key to ransom until the victim pays a fee, usually in bitcoin. In the case of the NHS, hospitals experienced hobbled computer and phone systems, system failures, and widespread confusion after computers started showing a ransom message demanding $300 worth of bitcoin. Because of Friday's (12-05-2017) infection, hospitals, doctors' offices, and other health care institutions in London and Northern England had to cancel non-urgent services and revert to backup procedures. Multiple emergency rooms around England spread word that patients should avoid coming in if possible. The impact was wide and serious.

So, having had a look at how ransomware works and its impacts, let's now look at some simple steps that can be taken to minimise the damage.

  1. User Education – almost all ransomware attacks start by targeting users and enticing them to click on a malicious link or open a malicious attachment. Your users can be the weakest link in your security strategy or your greatest ally if they have the right education. Ensure that all your users know IT security basics and run regular education programs. Run mock phishing campaigns to test their knowledge and reinforce the lessons. For further information and practical steps on creating a cultural change around user education, please refer to https://www.cso.com.au/article/604844/security-more-than-user-education-it-about-cultural-change/
  2. Malware entry points – plug as many entry points for ransomware-related malware into your organisation as you can. Think email, web and removable devices on endpoints. Use well-regarded web and email filtering solutions. Web protection is particularly important: not only can malware be downloaded from websites, web-based email also comes into your network via this channel. Employ web and email protection measures that do not rely solely on signatures but use better detection techniques such as behaviour analysis, heuristics and artificial intelligence to detect and stop sophisticated threats. Use next-generation endpoint protection technologies that protect against advanced threats using user and network behaviour analysis, heuristics and other advanced techniques.
  3. Vulnerability Management and Patching (applying software updates) – this is one of the simplest and most practical ways to prevent attacks in your organisation. There is a reason why this has been in the ASD Top 4 and is now in the Essential Eight! Attackers search for and exploit unpatched vulnerabilities in your systems to spread and infect your IT assets. Run regular (at least monthly) vulnerability scans and patch your systems before attackers can exploit these vulnerabilities. Remember, WannaCry spread using a Windows vulnerability that was patched two months before the release of WannaCry. Systems that cannot be patched should use virtual patching: put them behind an appliance that holds signatures for the unapplied patches so that it can intercept and stop attacks based on these unpatched vulnerabilities. Treat virtual patching as a compensating control rather than a substitute for the patch; it only blocks attack traffic that actually passes through the appliance.
  4. Segmentation – the reason malware such as WannaCry spreads so fast through networks is that practically everyone's network is flat, designed like a chocolate M&M: hard on the outside and soft on the inside! This was the case with the NHS; furthermore, they had many machines running Windows XP, which went end of life and support (no security patches) a while ago, because certain critical applications needed XP to run. To protect against such scenarios, organisations need to segment networks based on the criticality of the information they house and the risk to them. Machines that cannot be patched, for whatever reason, should be further segmented to protect them. Microsegmentation makes this easy and practical without requiring major changes to the network infrastructure itself. A quick test of whether your segmentation is real: from an ordinary user workstation, try to open TCP port 445 (SMB) on a server or legacy machine in another segment; if you can, so can a worm. We are used to applying this methodology to web-based architectures (think separation of web server, application server and database server), yet we seem to forget it for the internal network.
  5. Minimal User Privileges – malware usually executes on a machine with the privileges of the logged-on user. Ensure that users have only the privileges required to perform their tasks. Granting blanket local admin access to all users is not a good idea! Note that least privilege limits the damage a user-launched payload can do; it does not stop a worm that exploits an unpatched network service, which is why this step complements patching and segmentation rather than replacing them.
  6. Incident Response Plan – recognise that despite all our best efforts, bad things will happen! Have a robust and well-tested incident response plan that can be activated in the case of a security breach so that you can recover methodically and with the least disruption.
  7. Backups – run regular backups. The backup schedule should be based on the criticality of the systems, i.e. the more critical the system, the more frequent the backups. Ensure that you have a robust Disaster Recovery Plan and have documented your Recovery Point Objectives (how much data you can afford to lose) and Recovery Time Objectives (how soon you need the system back up and running to limit the disruption to your business operations). Keep at least one copy offline or otherwise unreachable from the network, and test your restores: ransomware that can reach a backup share will encrypt it too.
  8. Protection Against Advanced Threats – know that the threat landscape will only get worse. The 'success' of WannaCry will only encourage attackers to come up with better ways to attack you. Invest in technologies that will detect and protect you against advanced threats, and ensure that the protection is applied at all the right layers: endpoints, servers, network, web traffic, email traffic, etc.
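The segmentation and patching points above (steps 3 and 4) can be reasoned about as a graph problem: a worm that exploits a network service reaches every unpatched host it can open the vulnerable port on, so the blast radius from one infected workstation is a traversal over hosts and the firewall rules between segments. The script below is an added illustration, not code from the article or from Unisys; the hosts, segments, port numbers and rules are constructed for the example and do not describe any real network. It compares the same inventory under a flat network and under a segmented one.

```python
"""Blast-radius estimate for a worm that spreads over SMB (TCP/445).

Constructed example: the hosts, segments and inter-segment firewall rules
below are made up for illustration. A host is vulnerable if it has not
received the patch for the flaw the worm exploits; infection spreads from
an infected host to every vulnerable host it can reach on the worm's port,
so the spread is a breadth-first traversal.
"""
from collections import deque

# Constructed inventory: hostname -> (network segment, patched?)
HOSTS = {
    "ws-01": ("users", True),
    "ws-02": ("users", False),
    "ws-03": ("users", False),
    "file-01": ("servers", False),
    "app-01": ("servers", True),
    "xp-imaging-01": ("legacy", False),   # cannot be patched: vendor app needs XP
    "xp-imaging-02": ("legacy", False),
}

def reachable(segment_rules, src_seg, dst_seg, port):
    """True if a host in src_seg may open `port` on a host in dst_seg."""
    if src_seg == dst_seg:
        return True            # intra-segment traffic is normally unfiltered
    return port in segment_rules.get((src_seg, dst_seg), set())

def blast_radius(hosts, segment_rules, patient_zero, port=445):
    """Return the set of hosts the worm reaches starting from patient_zero."""
    infected = {patient_zero}
    queue = deque([patient_zero])
    while queue:
        src = queue.popleft()
        src_seg = hosts[src][0]
        for dst, (dst_seg, patched) in hosts.items():
            if dst in infected or patched:
                continue
            if reachable(segment_rules, src_seg, dst_seg, port):
                infected.add(dst)
                queue.append(dst)
    return infected

SEGMENTS = ("users", "servers", "legacy")

# Flat network: every segment can reach every other on any port.
ALL_PORTS = {445, 3389, 80, 443}
FLAT = {(a, b): ALL_PORTS for a in SEGMENTS for b in SEGMENTS if a != b}

# Segmented: users reach servers only on 443; nothing reaches legacy on 445.
SEGMENTED = {
    ("users", "servers"): {443},
    ("servers", "legacy"): {80},   # app server talks HTTP to the imaging boxes
}

if __name__ == "__main__":
    # ws-02 is the phished, unpatched workstation where the infection starts.
    for name, rules in (("flat", FLAT), ("segmented", SEGMENTED)):
        hit = blast_radius(HOSTS, rules, "ws-02")
        print(f"{name:10s}: {len(hit)} hosts infected -> {sorted(hit)}")
```

On the flat network the unpatchable XP machines and the unpatched file server are all reached from a single workstation; with the two rules in SEGMENTED the worm is contained to the user segment, and the XP machines survive without a patch because no path on port 445 leads to them. The same model can be fed from a real firewall policy export and vulnerability scan to find the hosts whose patching would shrink the blast radius the most.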

I must point out that everything I have said so far is purely tactical. Threats will evolve and get worse. The only way to truly protect yourself is to conduct a robust risk analysis of your environment using standards such as ISO 27001, NIST, COBIT, etc. and address the issues that are found. Start with a simple health check. Understand your vulnerabilities and address them methodically. Moreover, once you are done, rinse and repeat! The threat landscape and your environment will constantly change and evolve. In order to stay on top of new and emerging threats, you have to stay ever vigilant and reassess your risks at least annually. Remember, security is a journey!

In addition to this, engage in what is called intelligence-led security. Simply put, it is about having relevant intelligence about threats and vulnerabilities related to your environment and protecting yourself against them. Many organisations provide very useful threat information, including from sources such as the open, deep and dark web. Importing this information, along with your vulnerability information, into your Security Information and Event Management (SIEM) tool will allow you to detect threats faster and much more accurately. This process will greatly enhance your capability to pick up Indicators of Compromise, the investigation of which can prevent or minimise damage.
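The correlation the previous paragraph describes, matching a threat intelligence feed against events and enriching each hit with vulnerability scan data, is shown below as an added example; it is not code from the article or from any SIEM product. The indicator feed, patch identifiers (`PATCH-EXAMPLE-1` is a placeholder, not a real advisory), hosts and log lines are all constructed for the example. The point it makes is that the same indicator hit rates higher on a host the scanner says is missing the patch the threat exploits.

```python
"""Match threat intelligence indicators against log events and enrich the
hits with vulnerability data, the correlation a SIEM performs once both a
threat feed and scan results are imported.

Constructed example: every indicator, host, patch id and log line below is
made up and does not refer to real infrastructure or a real feed.
"""
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Indicator:
    kind: str                          # "domain", "ip" or "sha256"
    value: str
    threat: str                        # campaign / malware family name from the feed
    needs_patch: Optional[str] = None  # patch id the threat exploits, if any

# Constructed intelligence feed.
FEED = [
    Indicator("domain", "update-check.example.net", "wormlike-ransomware", "PATCH-EXAMPLE-1"),
    Indicator("ip", "203.0.113.45", "wormlike-ransomware", "PATCH-EXAMPLE-1"),
    Indicator("sha256", "ab" * 32, "wormlike-ransomware", "PATCH-EXAMPLE-1"),
    Indicator("domain", "invoice-portal.example.org", "credential-phish"),
]

# Constructed vulnerability scan output: host -> set of missing patch ids.
MISSING_PATCHES = {
    "ws-02": {"PATCH-EXAMPLE-1"},
    "ws-07": set(),
}

# Constructed proxy / endpoint / firewall log lines, one event per line.
LOGS = """\
2017-05-12T10:01:03Z proxy host=ws-02 dst=update-check.example.net action=allow
2017-05-12T10:01:09Z edr host=ws-02 event=file_create sha256={h} path=C:\\Users\\jo\\tasksche.exe
2017-05-12T10:02:11Z proxy host=ws-07 dst=invoice-portal.example.org action=allow
2017-05-12T10:03:40Z fw host=ws-07 dst_ip=198.51.100.9 dport=443 action=allow
2017-05-12T10:04:02Z fw host=ws-02 dst_ip=203.0.113.45 dport=445 action=allow
""".format(h="ab" * 32)

KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Split one log line into a dict of key=value fields plus ts and source."""
    ts, source, rest = line.split(" ", 2)
    fields = dict(KV.findall(rest))
    fields.update(ts=ts, source=source)
    return fields

def match(feed, missing_patches, lines):
    """Return (host, indicator, severity) for every event touching an indicator."""
    by_value = {(i.kind, i.value): i for i in feed}
    hits = []
    for line in lines.strip().splitlines():
        ev = parse(line)
        host = ev.get("host")
        # Field names differ per log source, so map each to an indicator kind.
        candidates = [("domain", ev.get("dst")),
                      ("ip", ev.get("dst_ip")),
                      ("sha256", ev.get("sha256"))]
        for kind, value in candidates:
            ind = by_value.get((kind, value)) if value else None
            if ind is None:
                continue
            # Contact with known-bad infrastructure or a known-bad file is
            # "high"; if the host is also missing the patch that this threat
            # exploits it is "critical", because compromise or lateral spread
            # is the likely next step rather than a blocked attempt.
            severity = "high"
            if ind.needs_patch and ind.needs_patch in missing_patches.get(host, set()):
                severity = "critical"
            hits.append((host, ind, severity))
    return hits

if __name__ == "__main__":
    for host, ind, severity in match(FEED, MISSING_PATCHES, LOGS):
        print(f"{severity:8s} {host:6s} {ind.kind}={ind.value} ({ind.threat})")
```

Of the five constructed events, four touch an indicator; the three on ws-02 are raised to critical because the scan shows that host missing the patch the threat depends on, while the phishing-domain contact from the fully patched ws-07 stays at high. In a real deployment the feed and the scan output would be refreshed on a schedule and the severity would drive which alerts an analyst investigates first.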

The risk analysis approach looks at strategies from the inside out. The intelligence-led approach looks at strategies from the outside in (from the attacker’s perspective). It is the combination of these two approaches that can truly give you a well-rounded perspective to risks and threats affecting your organisation.

As the threat landscape evolves, it is important to take some simple and practical steps to protect yourself. What happened with WannaCry would have been a lot less impactful had organisations taken some basic security steps as outlined above. The sky is far from falling, but if one has failed to prepare, then one must prepare to fail.

Ashwin Pal is the Unisys Director of Security Services responsible for Unisys’s security business in the Asia Pacific region.


Tags: phishing email, cyber-attack, Ashwin Pal, user education, WannaCry, Global attack, ransomware, Windows vulnerability, CSO Australia, encrypt, NHS, vulnerability management, malicious


New phishing scam targets education in search of W-2 forms

Dive Brief:

  • A dangerous new phishing scheme is targeting employee W-2 forms, and both school districts and colleges have already been hit.
  • The scam relies on spoofed emails purportedly sent from administrators or finance departments requesting sensitive information, including tax forms.
  • Experts suggest accounting and HR teams remain vigilant and that IT departments alert staff to the issue. When accounting forms are sent electronically, they should be encrypted, and suspicious emails can be forwarded to the IRS, which has set up a site explaining the scams in more detail.

Dive Insight:

As previously reported, education has fast become one of the most popular targets for hackers looking to invade networks, thanks to the number of devices on school networks and the sometimes haphazard patching and OS maintenance on those devices. Outdated servers, which may still occasionally be used by staff, can offer convenient backdoors into the larger network.

In addition to phishing scams, schools have also been contending with a rise in DDoS (distributed denial of service) attacks, which can cripple a network's internet access and are often initiated by students during crucial periods, such as high-stakes online testing. Ransomware attacks, in which district files are held hostage for payment, usually in bitcoin, leave schools with the choice of wiping servers and restoring from backups or paying ransoms that can approach $10,000.

All these attacks are preventable, say experts, provided IT teams remain proactive in protecting their networks and also educating staff on how to stay safe.


Shopping for W2s, Tax Data on the Dark Web

The 2016 tax season is now in full swing in the United States, which means scammers are once again assembling vast dossiers of personal data and preparing to file fraudulent tax refund requests on behalf of millions of Americans. But for those lazy identity thieves who can’t be bothered to phish or steal the needed data, there is now another option: Buying stolen W-2 tax forms from other crooks who have phished the documents wholesale from corporations.

A cybercriminal shop selling 2016 W-2 tax data.


Pictured in the screenshot above is a cybercriminal shop which sells the usual goods — stolen credit card data, PayPal account logins, and access to hacked computers. But hidden beneath the “other” category of goods for sale by this fraud bazaar is an option I’ve not previously encountered on these ubiquitous, cookie-cutter stores: A menu item advertising “W-2 2016.”

This particular shop — the name of which is being withheld so as not to provide it with free advertising — currently includes raw W-2 tax form data on more than 3,600 Americans, virtually all of whom apparently reside in Florida. The data in each record includes the taxpayer’s employer name, employer ID, address, taxpayer address, Social Security number and information about 2016 wages and taxes withheld.

Each W-2 record costs the Bitcoin equivalent of between $4 and $20. W-2 records for employees with higher-than-average wages in the 2016 tax year cost more, ostensibly because thieves stand to reap a higher tax refund from those W-2’s if they successfully trick the Internal Revenue Service and/or the states into approving a fraudulent refund in the victim’s name.

Tax refund fraud affects hundreds of thousands, if not millions, of U.S. citizens annually. Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS.

Tax data can be phished directly from consumers via phony emails spoofing the IRS or employers. But more often, the information is stolen in bulk from employers. In a typical scenario, the thieves target people who work in HR and payroll departments at corporations, and spoof an email from a higher-up in the company asking for all employee W-2 data to be included in a single file and emailed immediately.

Incredibly, this scam tricks countless organizations into giving away all employee W-2 data directly to identity thieves who use it (or, in this case, sell it) for tax refund fraud. Earlier this month, solar panel maker Sunrun disclosed that a spear phishing attack exposed W-2 tax form data on more than 3,400 employees.
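The spoofed "send me every employee's W-2" request described above (and in the education brief earlier on this page) has a handful of tell-tale properties that a mail gateway or SIEM rule can score: a known executive's display name on an address that is not their mailbox, an external sender domain, a Reply-To that diverts replies elsewhere, and a request for bulk tax data. The code below is an added example, not code from KrebsOnSecurity or any vendor; the company domain, the executive directory and both messages are constructed for illustration, and the scoring thresholds are an assumption.

```python
"""Score an inbound message for the "executive asks HR for all W-2s" spoof.

Constructed example: the company domain, executive directory and the two
sample messages are made up. The checks are the ones a mail gateway or SIEM
rule would apply; a real deployment would pull the directory from HR/AD and
tune the threshold on its own traffic.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"Pat Example": "pat@example.com"}   # constructed directory
BULK_TAX_TERMS = ("w-2", "w2", "all employees", "payroll report", "tax forms")
SUSPECT_THRESHOLD = 2                               # assumption for this example

def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def score_message(raw):
    """Return (score, reasons) for a raw RFC 5322 message."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = ""
    if not msg.is_multipart():
        body = msg.get_payload(decode=True).decode(errors="replace")
    text = (msg.get("Subject", "") + "\n" + body).lower()
    reasons = []
    # 1. Display-name spoof: a known executive's name, but not their mailbox.
    if from_name in EXECUTIVES and from_addr.lower() != EXECUTIVES[from_name]:
        reasons.append(f"display name '{from_name}' on unexpected address {from_addr}")
    # 2. External sender pretending to be internal.
    if domain_of(from_addr) != COMPANY_DOMAIN:
        reasons.append(f"sender domain '{domain_of(from_addr)}' is external")
    # 3. Replies diverted to a mailbox the sender does not control.
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        reasons.append(f"Reply-To {reply_addr} differs from From {from_addr}")
    # 4. The ask itself: bulk tax data for everyone.
    if any(term in text for term in BULK_TAX_TERMS):
        reasons.append("requests bulk tax/W-2 data")
    return len(reasons), reasons

def is_suspect(raw):
    """True when the message should be quarantined or flagged for HR."""
    return score_message(raw)[0] >= SUSPECT_THRESHOLD

# Constructed messages: one spoof, one genuine request from the same executive.
SPOOF = """\
From: Pat Example <pat.example@mail-example.co>
To: hr@example.com
Reply-To: pat.example@webmail-example.net
Subject: Urgent: W-2s for all employees

Hi, I need the W-2 forms for all employees in one PDF today. Thanks, Pat
"""

LEGIT = """\
From: Pat Example <pat@example.com>
To: hr@example.com
Subject: Board deck

Could you send me the Q1 headcount slide? Pat
"""

if __name__ == "__main__":
    for label, raw in (("spoof", SPOOF), ("legit", LEGIT)):
        score, reasons = score_message(raw)
        print(f"{label}: score={score} suspect={is_suspect(raw)}")
        for r in reasons:
            print("  -", r)
```

The spoof trips all four checks while the genuine note trips none. Two caveats a practitioner would want: a compromised real executive mailbox defeats checks 1 to 3, so check 4 (the nature of the request) is the one to pair with an out-of-band confirmation policy in HR, and display-name matching should be done against the whole executive directory, not one name, since attackers pick whoever is most plausible.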

In this case, however, it does not appear the cybercrime shop obtained the W-2’s through phishing employers. It cost roughly $25 worth of Bitcoin to reveal the likely common thread among all 3,600+ Floridians being exploited by this shop: A local tax preparation firm that got hacked or phished.

Two tax records that a source purchased from the shop listed Kirai Restaurant Group LLC in Fort Lauderdale, Fla. Kirsta Grauberger, managing partner of that organization’s physical property — the Market 17 & Day Market Kitchen — confirmed that the two W-2 records were tied to two employees.

But Grauberger said her company has employed fewer than 150 employees total since it opened for business six years ago. So which other company or companies account for the remaining 3,450 employees whose W-2s are for sale by this shop?

Grauberger told KrebsOnSecurity that her firm doesn’t even handle employee tax forms, and that her company outsourced that entire process to a local tax preparation firm called The Payroll Professionals.

W-2 information also was on sale for employees of a doctor’s office in Boca Raton, Fla. The medical office told KrebsOnSecurity that it, too, managed its payroll through the same third-party payroll management firm.

A man answering the phone at Payroll Professionals who would only give his name as “Robert” said the company was “aware of the potential hacking” and was in the process of informing its clients.

According to recent stats from the Federal Trade Commission, tax refund fraud was responsible for a nearly 50 percent increase in consumer identity theft complaints in 2015. The best way to avoid becoming a victim of tax refund fraud is to file your taxes before the fraudsters can.

See last year’s Don’t Be A Victim of Tax Refund Fraud in ’16 for more tips on avoiding this ID theft headache. But here are the main takeaways from that story:

- File before the fraudsters do it for you. Your primary defense against becoming the next victim is to file your taxes at the state and federal level as quickly as possible. Remember, it doesn't matter whether or not the IRS owes you money: thieves can still try to impersonate you and claim that it does, leaving you to sort out the mess with the IRS later.

- Get on a schedule to request a free copy of your credit report. By law, consumers are entitled to a free copy of their report from each of the major bureaus once a year. Put it on your calendar to request a copy of your file every three to four months, each time from a different credit bureau. Dispute any unauthorized or suspicious activity. This is where credit monitoring services are useful: part of their service is to help you sort this out with the credit bureaus, so if you're signed up for credit monitoring, make them do the hard work for you.

- Monitor, then freeze. Take advantage of any free credit monitoring available to you, and then freeze your credit file with the four major bureaus. A freeze can help you stop ID thieves from opening new lines of credit in your name. Instructions for doing that are here. However, note that neither a credit freeze nor credit monitoring will stop ID thieves from filing a fraudulent refund request with the IRS in your name. Again, your best bet to prevent this is to file your taxes before the fraudsters can do it for you.

- File form 14039 and request an IP PIN from the government. This form requires consumers to state they believe they're likely to be victims of identity fraud. Even if thieves haven't tried to file your taxes for you yet, virtually all Americans have been touched by incidents that could lead to ID theft, even if we just look at breaches announced in the past year alone.
