Mid-Year Update: 2019 SonicWall Cyber Threat Report

It’s almost cliché at this point, but the cyber arms race — and respective cybersecurity controls and technology — moves at an alarming pace.

For this reason, SonicWall Capture Labs threat researchers never stop investigating, analyzing and exploring new threat trends, tactics, strategies and attacks. They publish most of their findings — the data they can share publicly, anyway — in the annual SonicWall Cyber Threat Report.

But to ensure the industry and public are able to stay abreast of the quickly shifting threat landscape, the team offers a complementary mid-year update to the 2019 SonicWall Cyber Threat ReportDownload the exclusive report to explore the stories, behaviors and trends that are shaping 2019 — as they are happening.

Malware volume dips in first half

In 2018, global malware volume hit a record-breaking 10.52 billion attacks, the most ever recorded by SonicWall Capture Labs threat researchers.

Fortunately, during the first six months of 2019, that trend slowed — at least somewhat. SonicWall recorded 4.8 billion* malware attacks, a 20% drop compared to the same time period last year.

Ransomware rising

Did you think ransomware was an outdated tactic? The latest 2019 data proves otherwise. Despite overall declines in malware volume, ransomware continues to pay dividends for cybercriminals.

All told, global ransomware volume reached 110.9 million for the first half of 2019, a 15% year-to-date increase. The exclusive mid-year update outlines which countries followed this trend and which were victimized by an increase in ransomware attacks.

Attacks against non-standard ports still a concern

As defined in the full 2019 SonicWall Cyber Threat Report, a ‘non-standard’ port means a service running on a port other than its default assignment, usually as defined by the IANA port numbers registry.

For the first half of 2019, 13% of all malware attacks came via non-standard ports, a slight dip due to below-normal activity in January (8%) and February (11%).

Encrypted threats intensify

In 2018, SonicWall logged more than 2.8 million encrypted threats, which was already a 27% jump over the previous year. Through the first six months of 2019, SonicWall has registered a 76% year-to-date increase.

Machine learning, multi-engine sandboxes evolving to ‘must-have’ security

So far in 2019, the multi-engine SonicWall Capture Advanced Threat Protection (ATP) cloud sandbox has exposed 194,171 new malware variants — a pace of 1,078 new variant discoveries each day of the year.

IoT malware volume doubled YTD

The speed and ferocity in which IoT devices are being compromised to deliver malware payloads is alarming. In the first half of 2019, SonicWall Capture Labs threat researchers have already recorded 13.5 million IoT attacks, which outpaces the first two quarters of last year.

Bitcoin run keeping cryptojacking in play

Late 2018 data showed cryptojacking on the decline. But with the surging values of both bitcoin and Monero, cryptojacking rebounded in 2019. Cryptojacking volume hit 52.7 million for the first six months of the year.

How do cybercurrency prices influence cryptojacking volume? The exclusive mid-year update looks deeper into the numbers.

 

Source
https://blog.sonicwall.com/en-us/2019/07/mid-year-update-2019-sonicwall-cyber-threat-report/

Windows Server 2008 End of Support: Are you Prepared?

On July 14th, 2015, Microsoft’s widely deployed Windows Server 2003 reached end of life after nearly 12 years of support. For millions of enterprise servers, this meant the end of security updates, leaving the door open to serious security risks. Now, we are fast approaching the end of life of another server operating system – Windows Server 2008 and Server 2008 R2, which will soon reach end of support on January 14, 2020.

Nevertheless, many enterprises still rely on Windows Server 2008 for core business functions such as Directory Server, File Server, DNS Server, and Email Server. Organizations depend on these workloads for critical business applications and to support their internal services like Active Directory, File Sharing, and hosting internal websites.

What does this mean for you?

End of support for an operating system like Windows Server 2008 introduces major challenges for organizations who are running their workloads on the platform. While a small number may be ready to fully migrate to a new system or to the cloud, the reality is that most organizations aren’t able to migrate this quickly due to time, budgetary, or technical constraints. Looking back at Windows Server 2003, even nine months after the official EOS, 42% of organizations indicated they would still be using Windows Server 2003 for 6 months or more, while the remaining 58% were still in the process of migrating off of Windows Server 2003 (Osterman Research, April 2016). The same is likely to occur with the Server 2008 EOS, meaning many critical applications will continue to reside on Windows Server 2008 for the next few years, despite the greatly increased security risks.

What are the risks?

The end of support means organizations must prepare to deal with missing security updates, compliance issues, defending against malware, as well as other non-security bugs. You will no longer receive patches for security issues, or notifications of new vulnerabilities affecting your systems. With constant discovery of new vulnerabilities and exploits – 1,450 0days disclosed by the ZDI in 2018 alone – it’s all but guaranteed that we will see additions to the more than 1300+ vulnerabilities faced by Windows Server 2008. The lack of notifications to help monitor and measure the risk associated with new vulnerabilities can leave a large security gap.

This was the case for many organizations in the wake of the 2017 global WannaCry ransomware attack, which affected over 230,000 systems worldwide, specifically leveraging the EternalBlue exploit present in older Windows operating systems. While Microsoft did provide a patch for this, many weren’t able to apply the patches in time due to the difficulty involved in patching older systems.

What can security and IT teams do?

The most obvious solution is to migrate to a newer platform, whether that’s on-premise or using a cloud infrastructure-as-a-service offering such as AWS, Azure, or Google Cloud.

However, we know many organizations will either delay migration or leave a portion of their workloads running in a Windows Server 2008 environment for the foreseeable future. Hackers are aware of this behavior, and often view out-of-support servers as an easy target for attacks. Security teams need to assess the risk involved with leaving company data on those servers, and whether or not the data is secure by itself. If not, you need to ensure you have the right protection in place to detect and stop attacks and meet compliance on your Windows Server 2008 environment.

How can Trend Micro help?

Trend Micro Deep Security delivers powerful, automated protection that can be used to secure applications and workloads across new and end of support systems. Deep Security’s capabilities include host-based intrusion prevention, which will automatically shield workloads from new vulnerabilities, applying an immediate ‘virtual patch’ to secure the system until an official patch is rolled out – or in the case of EOS systems – for the foreseeable future.

Deep Security also helps monitor for system changes with real-time integrity monitoring and application control, and will secure your workloads with anti-malware, powered by the Trend Micro Smart Protection Network’s global threat intelligence. Deep Security’s broad platform and infrastructure support allows you to seamlessly deploy security across your physical, virtualized, cloud, and containerized workloads, and protecting your end of life systems throughout and beyond your migration.

Learn how easy it is to deploy virtual patching to secure your enterprise and address patching issues.

 

Source
https://blog.trendmicro.com/windows-server-2008-end-of-support-are-you-prepared/

WiFi Protection in Public Places

WiFi Internet has added much convenience to our daily lives, with its easy accessibility in public places such as restaurants, hotels, and cafes; malls, parks, and even in airplanes, where we can connect online for faster transactions and communication. Like any online technology, however, it’s vulnerable to hacker abuse, posing potential threats to you and your mobile devices.

Public WiFi hotspots in particular are unsecure, easily hacked by cybercriminals. Some ways you can be hacked when connected to public WiFi include (MUO, Bates, 10/3/16):

  • The hacker can get between you and the WiFi hotspot when hooked to the network, to perform man-in-the-middle attacks and spy on your connection.
  • The hacker can “spoof” the legitimate WiFi, creating an “evil twin” that you log onto without noticing it’s a fake—which again, lets them spy on your data in transit.
  • A hacker can “sniff” the packets on the unencrypted network you’re attached to, reading it with software like WireShark, for identity clues they can analyze and use against you later.
  • They can also “hijack” a session in real-time, reading the cookies sent to your device during a session, to gain access to private accounts you’re logged into. This is typically known as “sidejacking.”
  • Finally, they can “shoulder-surf,” simply watching you over your shoulder, to view your screens and track your keystrokes. In crowded places, it’s easy for hackers to “eavesdrop” on your connection.

Ways you can protect yourself when using public WiFi include (Wired, Nield, 8/5/18):

  • Connect only to more trusted public networks, like Starbucks, rather than any random public WiFi that shows up in your WiFi connection settings, as in a shopping mall or park.
  • Connect only to websites that show HTTPS, not just HTTP, which means the data transmission between the site and you is encrypted.
  • Don’t provide too much personal data, such as email addresses and phone numbers, if the WiFi network requires it to connect. Better to not connect than risk unwanted ads or even identity theft.
  • Don’t do public file or print sharing over public WiFi networks. This is even more true of financial transactions: banking on unsecured WiFi networks is an invitation to hackers to steal your data in transit.
  • Use a Virtual Private Network (VPN) on your mobile device, so you can be certain your data is encrypted to and from your mobile device.

The last piece of advice should probably be your first line of defense. Trend Micro WiFi Protection, for example, protects your devices from online threats by providing just such a VPN. It safeguards your private information when using public hotspots by automatically turning on when the device connects to an unsecured WiFi network. This ensures total anonymity from public servers and hides your data from hacker inspection by encrypting your data over the network. Trend Micro WiFi Protection also includes built-in web threat protection that protects you from online frauds and scams that can come your way via malicious links—and notifies you if there are any WiFi security issues on the network itself. You’ll be happy to also know that Trend Micro WiFi Protection does not affect your WiFi speed as it connects to its local or regional secured server.

Stay safe on public WiFi! Trend Micro WiFi Protection is available for PCMacAndroid and iOSdevices.

 

Source
https://blog.trendmicro.com/wifi-protection-in-public-places/

Set up Chrome Browser Cloud Management

Enroll cloud-managed Chrome Browsers

After you have access to your Google Admin console, here's how to enroll the devices where you want to manage Chrome Browsers. You'll then be able to enforce policies for any users who open Chrome Browser on an enrolled device.

Step 1: Generate enrollment token

  1. In your Google Admin console (at admin.google.com)...

  2. (Optional) To add browsers in the top-level organization in your domain, keep Include all organizational units selected. Alternatively, you can generate a token that will enroll browsers directly to a specific organizational unit by selecting it in the left navigation before moving on to the next step. For more information, see Add an organization unit.
  3. At the bottom, click Add  to generate an enrollment token.
  4. In the box, click Copy  to copy the enrollment token.

Step 2: Enroll browsers with the enrollment token

Enroll browsers on Windows

Option 1: Use the Group Policy Management Editor

Under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome, set CloudManagementEnrollmentToken to the generated token you copied above.

Clear the current enrollment if one exists using:
-HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Enrollment

(Optional) By default, if enrollment fails (for example if the enrollment token is invalid or revoked), Chrome will start in an unmanaged state. If you instead want to prevent Chrome browser from starting if enrollment fails, set CloudManagementEnrollmentMandatory under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome to true

Notes:

  • The token must be set at a local machine level. It won't work at the user level.
  • If the machines you are enrolling are imaged from the same Windows source, make sure that you have used Microsoft's System Preparation tool (Sysprep) so that each enrolled machine has a unique identifier.

Option 2: Download the reg file

Click Download .reg file. The downloaded .reg file automatically adds the token and clears the current enrollment when run.

When you use the reg file, Chrome browser will still respect the CloudManagementEnrollmentMandatory policy in Option 1, blocking launch if enrollment fails. See the note above if you're enrolling machines imaged from the same Windows source.

Enroll browsers on Mac

Option 1: Use a policy

Push the token to your browser as a policy named CloudManagementEnrollmentToken. Setting policies on Mac devices requires the Apple Profile Manager.

Note: If you choose to manually set policies, be aware that Mac OS will delete the policy files on every sign-in. Learn more about setting up policies on Mac in the Quick Start Guide and help center.

(Optional) By default, if enrollment fails (for example if the enrollment token is invalid or revoked), Chrome will start in an unmanaged state. If you instead want to prevent Chrome browser from starting if enrollment fails, set CloudManagementEnrollmentMandatory to true

Option 2: Use a text file

Push the token in a text file called CloudManagementEnrollmentToken, under /Library/Google/Chrome/. This file must only contain the token and be encoded as a .txt file, but should not have the .txt filename extension.

(Optional) By default, if enrollment fails (for example if the enrollment token is invalid or revoked), Chrome will start in an unmanaged state. If you instead want to prevent Chrome browser from starting if enrollment fails, create a file called CloudManagementEnrollmentOptions under /Library/Google/Chrome/ with the text Mandatory (case sensitive). This file must be encoded as a .txt file, but should not have the .txt filename extension.

If a token is pushed using both methods above, Chrome will use the value present in the policy and ignore the file. The token is stored in a directory under the home directory on the user's Mac. Each Mac OS user must enroll separately.

Enroll browsers on Linux machines

The token can be pushed by creating a text file called enrollment_token, under /etc/opt/chrome/policies/enrollment. This file must only contain the token and nothing else.

(Optional) By default, if enrollment fails (for example if the enrollment token is invalid or revoked), Chrome will start in an unmanaged state. If you instead want to prevent Chrome browser from starting if enrollment fails, create a file called CloudManagementEnrollmentOptions under /etc/opt/chrome/policies/enrollment/ with the text Mandatory (case sensitive). This file must be encoded as a .txt file, but should not have the .txt filename extension.

Step 3: Launch Chrome Browser and confirm enrollment

  1. After setting the enrollment token using one of the methods in Step 2, quit Chrome Browser (if it's open) and launch Chrome Browser on the managed device.
  2. Sign in to the Google Admin console (admin.google.com).
  3. Go to Device management  Chrome management  Managed browsers.  All browsers that have been launched with your enrollment token will appear in the browser list.
  4. (Optional) To see additional details, click a machine's name.

Notes: 

  • If you have multiple installations of Chrome Browser on a single device, they will show up in the browser list as a single managed browser.
  • Enrollment tokens are only used during enrollment. After enrollment, they can be revoked in the Admin console. However, enrolled browsers will still be registered.
  • On Windows, only system installations are supported because Chrome Browser requires admin privileges to register.

Just after registering, not many fields are populated. You need to enable browser reporting to access detailed reporting information. For more information, see Step 4: Enable Chrome Browser reporting.

Unenroll and re-enroll devices

To remove policies and to unenroll a device in Chrome Browser Cloud Management, delete both the enrollment token and the device token.

To re-enroll a device, delete the device token while leaving the enrollment token in place. The device token was created by Chrome during the initial enrollment. Make sure not to revoke the enrollment token. If you accidentally delete the enrollment token, create a new one.

Note: Unenrolling browsers from Chrome Browser Cloud Management doesn't delete the data that's already uploaded to the Google Admin console. To delete uploaded data, delete the corresponding device from the Admin console.

Questions

When are enrollment tokens used?

Enrollment tokens are only used during enrollment. They can be revoked after enrollment and enrolled browsers will still be registered.

Does this token enrollment process require admin privileges on Windows?

Yes. On Windows, only system installations are supported.

What gets uploaded during the enrollment process?

During the enrollment process, Chrome Browser uploads the following information:

  •   Enrollment token
  •   Device ID
  •   Machine name
  •   OS platform
  •   OS version

Why don't I see a Chrome management section in my Admin console?

If you have the legacy free edition of G Suite, Chrome management isn't currently available in your Admin console. Support for legacy free edition will be rolled out in the future.

source:
https://support.google.com/chrome/a/answer/9301891?hl=en

Sonicwall : Cryptojacking Apocalypse – Defeating the Four Horsemen of Cryptomining

Despite price fluctuations of bitcoin and other cryptocurrencies, cryptojacking remains a serious — and often hidden — threat to businesses, SMBs and everyday consumers.

And the most covert of these threats is cryptomining via the browser, where popular forms of malware attempt to turn your device into a full-time cryptocurrency mining bot called a cryptojacker.

To help you creatively understand this trend, let me summon my classical training and be a little hyperbolic. If you see the cryptojacking wave as an apocalypse like some of their victims do, the Four Horsemen would be the four threats to your endpoint or business:

  • The White Horse: The energy it consumes or wastes
  • The Red Horse: The loss to productivity due to limited resources
  • The Black Horse: The damage it can do to a system
  • The Pale Horse: Security implications due to created vulnerabilities

Unlike ransomware that wants to be found (to ask for payment), a cryptojacker’s job is to run invisibly in the background (although your CPU performance graph or device’s fan may indicate something is not normal).

Ransomware authors have switched gears over the past two years to use cryptojacking more, because a ransomware strain’s effectiveness and ROI diminish as soon as it ends up on public feeds like VirusTotal.

Like anyone else running a highly profitable business, cybercriminals need to constantly find new ways to fulfill their financial targets. Cryptojacking is being used to solve that challenge.

In April 2018, SonicWall started tracking cryptojacking trends, namely the use of Coinhive in malware. Over the course of the year, we saw cryptojacking ebb and flow. In that time, SonicWall recorded nearly 60 million cryptojacking attacks, with as many as 13.1 million in September 2018. As published in the 2019 SonicWall Cyber Threat Report, volume dipped across the final quarter of 2018.

Global Cryptojacking Attacks | April-September 2018

The lure of cryptomining

Cryptomining operations have become increasingly popular, now consuming almost half a percent of the world’s electricity consumption. Despite the wild swings in price, roughly 60% of the cost of legitimately mining bitcoin is the energy consumption. In fact, at the time of writing, the price of a bitcoin is worth less than the cost of mining it legitimately.

With such costs and zero risk as compared to buying and maintaining equipment, cybercriminals have strong incentives to generate cryptocurrency with someone else’s resources. Infecting 10 machines with a cryptominer could net up to $100/day, so the challenge for cryptojackers is three-fold:

  1. Find targets, namely organizations with a lot of devices on the same network, especially schools or universities.
  2. Infect as many machines as possible.
  3. Stay hidden for as long as possible (unlike ransomware and more akin to traditional malware).

Cryptojackers use similar techniques as malware to sneak on to an endpoint: drive-by downloads, phishing campaigns, in-browser vulnerabilities and browser plugins, to name a few. And, of course, they rely on the weakest link — the people — via social engineering techniques.

Am I infected by cryptominers?

Cryptominers are interested in your processing power and cryptojackers have to trade stealth against profit. How much of your CPU resources they take depends on their objectives.

Siphoning less power makes it harder for unsuspecting users to notice. Stealing more increases their profits. In either case, there will be a performance impact, but if the threshold is low enough it could be a challenge to distinguish the miner from legitimate software.

Enterprise administrators may look for unknown processes in their environment, and end users on Windows should spawn a Sysinternals Process Explorer to see what they are running. Linux and macOS users should investigate using System Monitor and Activity Monitor, respectively, for the same reason.

How to defend against cryptominers

The first step in defending against cryptominers is to stop this type of malware at the gateway, either through firewalls or email security (perimeter security), which is one of the best ways to scrub out known file-based threats.

Since people like to reuse old code, catching cryptojackers like Coinhive was also a simple first step. But in February 2019, Coinhive publicly announced it was ceasing operations March 8. The service stated that it wasn’t “economically viable anymore” and that the “crash” impacted the business severely.

Despite this news, SonicWall predicts there will still be a surge in new cryptojacking variants and techniques to fill the void. Cryptojacking could still become a favorite method for malicious actors because of its concealment; low and indirect damage to victims reduces chances of exposure and extends the valuable lifespan of a successful attack.

If the malware strain is unknown (new or updated), then it will bypass static filters in perimeter security. If a file is unknown, it will be routed to a sandbox to inspect the nature of the file.

The multi-engine SonicWall Capture Advanced Threat Protection (ATP) sandbox environment is designed to identify and stop evasive malware that may evade one engine but not the others.

If you have an endpoint not behind this typical set up (e.g., it’s roaming at the airport or hotel), you need to deploy an endpoint security product that includes behavioral detection.

Cryptominers can operate in the browser or be delivered through a fileless attack, so the legacy solutions you get free with a computer are blind to it.

A behavioral-based antivirus like SonicWall Capture Client would detect that the system wants to mine coins and then shut down the operation. An administrator can easily quarantine and delete the malware or, in the case of something that does damage to system files, roll the system back to the last known good state before the malware executed.

By combining a mixture of perimeter defenses and behavioral analysis, organizations can fight the newest forms of malware no matter what the trend or intent is.

Source:
https://blog.sonicwall.com/en-us/2019/05/cryptojacking-apocalypse-defeating-the-four-horsemen-of-cryptomining/

Sonicwall : 4 Ways the WhatsApp Exploit Could Use Employees to Infiltrate Your Network

The recent WhatsApp breach was very sophisticated and clever in the manner it was delivered. And that should be expected considering who was reported as being behind the zero-day attack against the popular messaging application.

But the attack against the WhatsApp app is not just a concern for its millions of global customers. There’s a very real and imminent threat to businesses and enterprises, too.

For example, let’s assume one of your employees has WhatsApp installed on their device and it is subsequently compromised via the latest WhatsApp exploit. In many situations, this employee will, at some point, connect their device to the corporate network.

This legitimate access could be via VPN, cloud applications (e.g., Office 365, Dropbox, etc.), corporate Wi-Fi or, my personal “favorite,” plugging the device into the USB port of a corporate laptop so the phone can charge. Understanding how and where users connect to the corporate network is critical.

In most cases, organizations can’t prevent personal BYOD phones from being compromised — particularly when outside the network perimeter. They can, however, protect the network from exploits delivered via the compromised phone. Here are the four most common ways the WhatsApp vulnerability could be leveraged to infiltrate a corporate network and, more importantly, how SonicWall can prevent it:

  1. Via VPN. If an employee connects to corporate over VPN, SonicWall, for example, would be the endpoint where they establish the VPN Threat prevention (e.g., firewallsCapture ATP) and access control (e.g., Secure Mobile Access) would prevent the WhatsApp breach from spreading any further than the compromised phone.
  2. Via Wi-Fi. In this scenario, next-generation firewalls and secure wireless access points should be in place to inspect all internal traffic and prevent the exploit from going further than the phone.
  3. Via compromised credentials. Because the WhatsApp exploit enabled attackers to steal credentials to cloud services and apps, organizations with Cloud Access Security Broker (CASB) solutions, like SonicWall Cloud App Security, would mitigate account takeovers (ATO), unauthorized access and any related data leakage.
  4. Via USB port. Users often forget that a powered USB port on their laptop is an entry point for attackers — even when doing something as innocent as charging a phone. A sound endpoint protection solution (see diagram), such as Capture Client, would monitor the connection to the laptop and inspect any malicious activity attempting to leverage the USB port to deliver malware payloads.

Computers Still Vulnerable to “Wormable” BlueKeep RDP Flaw

Nearly 1 Million Computers Still Vulnerable to "Wormable" BlueKeep RDP Flaw

Nearly 1 million Windows systems are still unpatched and have been found vulnerable to a recently disclosed critical, wormable, remote code execution vulnerability in the Windows Remote Desktop Protocol (RDP)—two weeks after Microsoft releases the security patch.

If exploited, the vulnerability could allow an attacker to easily cause havoc around the world, potentially much worse than what WannaCry and NotPetya like wormable attacks did in 2017.

Dubbed BlueKeep and tracked as CVE-2019-0708, the vulnerability affects Windows 2003, XP, Windows 7, Windows Server 2008 and 2008 R2 editions and could spread automatically on unprotected systems.

The vulnerability could allow an unauthenticated, remote attacker to execute arbitrary code and take control of a targeted computer just by sending specially crafted requests to the device's Remote Desktop Service (RDS) via the RDP—without requiring any interaction from a user.

Describing the BlueKeep vulnerability as being Wormable that could allow malware to propagate to vulnerable systems just like WannaCry, Microsoft released a security fix to address the vulnerability with its May 2019 Patch Tuesday updates.

However, the latest Internet scan performed by Robert Graham, head of offensive security research firm Errata Security, revealed that, unfortunately, roughly 950,000 publicly accessible machines on the Internet are vulnerable to the BlueKeep bug.

This clearly means that even after the security patch is out, not every user and organisation has deployed it to address the issue, posing a massive risk to individuals and organizations, including industrial and healthcare environments.

Graham used "rdpscan," a quick scanning tool he built on top of his masscan port scanner that can scan the entire Internet for systems still vulnerable to the BlueKeep vulnerability, and found a whole 7 million systems that were listening on port 3389, of which around 1 million systems are still vulnerable.

"Hackers are likely to figure out a robust exploit in the next month or two and cause havoc with these machines," the researcher says.

"That means when the worm hits, it'll likely compromise those million devices. This will likely lead to an event as damaging as WannaCry, and notPetya from 2017 -- potentially worse, as hackers have since honed their skills exploiting these things for ransomware and other nastiness."

The BlueKeep vulnerability has so much potential to wreak havoc worldwide that it forced Microsoft to release patches for not only the supported Windows versions but also Windows XP, Windows Vista and Windows Server 2003, which no longer receive mainstream support from the company but are still widely used.

Not just researchers, malicious hackers and cybercriminals have also started scanning the Internet for vulnerable Windows systems to target them with malware, GreyNoise Intelligence said.

"GreyNoise is observing sweeping tests for systems vulnerable to the RDP "BlueKeep" (CVE-2019-0708) vulnerability from several dozen hosts around the Internet. This activity has been observed from exclusively Tor exit nodes and is likely being executed by a single actor," the tweetsays.

However, fortunately, so far no security researcher has yet publicly published any proof-of-concept exploit code for BlueKeep, though a few of them have confirmed to have successfully developed a working exploit.

Are you still waiting for me to tell you what you should do next? Go and fix the goddamn vulnerability if you are using one of them.

If fixing the flaw in your organisation is not possible anytime sooner, then you can take these mitigations:

  • Disable RDP services, if not required.
  • Block port 3389 using a firewall or make it accessible only over a private VPN.
  • Enable Network Level Authentication (NLA) – this is partial mitigation to prevent any unauthenticated attacker from exploiting this Wormable flaw.
Have something to say about this article? Comment below or share it with us on FacebookTwitter or our LinkedIn Group.

Hackers Infect 50,000 MS-SQL and PHPMyAdmin Servers with Rootkit Malware

Cyber Security researchers at Guardicore Labs today published a detailed report on a widespread cryptojacking campaign attacking Windows MS-SQL and PHPMyAdmin servers worldwide.

Dubbed Nansh0u, the malicious campaign is reportedly being carried out by an APT-style Chinese hacking group who has already infected nearly 50,000 servers and are installing a sophisticated kernel-mode rootkit on compromised systems to prevent the malware from being terminated.

The campaign, which dates back to February 26 but was first detected in early-April, has been found delivering 20 different payload versions hosted on various hosting providers.

The attack relies on the brute-forcing technique after finding publicly accessible Windows MS-SQL and PHPMyAdmin servers using a simple port scanner.

Upon successful login authentication with administrative privileges, attackers execute a sequence of MS-SQL commands on the compromised system to download malicious payload from a remote file server and run it with SYSTEM privileges.

In the background, the payload leverages a known privilege escalation vulnerability (CVE-2014-4113) to gain SYSTEM privileges on the compromised systems.

"Using this Windows privilege, the attacking exploit injects code into the Winlogon process. The injected code creates a new process which inherits Winlogon SYSTEM privileges, providing equivalent permissions as the prior version."

The payload then installs a cryptocurrency mining malware on compromised servers to mine TurtleCoincryptocurrency.

Besides this, the malware also protects its process from terminating using a digitally-signed kernel-mode rootkit for persistence.

"We found that the driver had a digital signature issued by the top Certificate Authority Verisign. The certificate – which is expired – bears the name of a fake Chinese company – Hangzhou Hootian Network Technology."

Researchers have also released a complete list of IoCs (indicators of compromise) and a free PowerShell-based script that Windows administrators can use to check whether their systems are infected or not.

Since the attack relies on a weak username and password combinations for MS-SQL and PHPMyAdmin servers, admins are advised to always keep a strong, complex password for their accounts.

Have something to say about this article? Comment below or share it with us on FacebookTwitter or our LinkedIn Group.

Trendmicro : Phishing Attacks and Ransomware

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about schemes used in phishing and other email-based attacks. Also, learn how ransomware continues to make a significant impact in the threat landscape.

Read on:

New Report Finds 25% of Phishing Attacks Circumvent Office 365 Security

As email remains to be a common infection vector because of how easily it can be abused, attackers continue to take advantage of it by crafting threats that are persistent in nature and massive in number. 

New Twist in the Stuxnet Story

What a newly discovered missing link to Stuxnet and the now-revived Flame cyber espionage malware add to the narrative of the epic cyber-physical attack.

Cybersecurity Proposal Pits Cyber Pros Against Campaign Finance Hawks

A Federal Election Commission proposal aims to help presidential and congressional campaigns steer clear of hacking operations by allowing nonprofits to provide cybersecurity free of charge.

New Sextortion Scheme Demands Payment in Bitcoin Cash

Trend Micro researchers uncovered a sextortion scheme targeting Italian-speaking users. Based on IP lookups of the spam emails’ senders, they appear to have been sent via the Gamut spam botnet.  

This Free Tool Lets You Test Your Hacker Defenses

Organizations will be able to test their ability to deter hackers and cyberattacks with a free new tool designed by experts at the UK’s National Cyber Security Centre to prepare them against online threats including malware, phishing and other malicious activities.

Ransomware Hits County Offices, Knocks The Weather Channel Offline

On April 18, the systems of The Weather Channel in Atlanta, Georgia, were infected by ransomware, disrupting the channel’s live broadcast for 90 minutes. 

Hacker Finds He Can Remotely Kill Car Engines After Breaking Into GPS Tracking Apps

A hacker broke into thousands of accounts belonging to users of two GPS tracker apps, giving him the ability to monitor the locations of tens of thousands of vehicles and even turn off the engines for some of them while they were in motion.

Uncovering CVE-2019-0232: A Remote Code Execution Vulnerability in Apache Tomcat

Trend Micro delves deeper into this vulnerability by expounding on what it is, how it can be exploited, and how it can be addressed. 

Hacker Dumps Thousands of Sensitive Mexican Embassy Documents Online

A hacker stole thousands of documents related to the inner workings of the Mexican embassy in Guatemala and posted them online.

Cybersecurity: UK Could Build an Automatic National Defense System, Says GCHQ Chief

The UK could one day create a national cyber-defense system built on sharing real-time cybersecurity information between intelligence agencies and business, the head of the UK’s Government Communications Headquarters said at CYBERUK 19.

Do you think the new hacker defenses tool will decrease the number of cyber-attacks targeted at organizations and public sectors? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

source:
https://blog.trendmicro.com/this-week-in-security-news-phishing-attacks-and-ransomware/

Trendmicro : Keep Your Smart Home Safe

Keep Your Smart Home Safe: Here’s What You Can Do Today to Secure Your Products

The Internet of Things (IoT) is transforming the way we live, work and play. You can find it in the fitness trackers you might be wearing to monitor step count and heart rate. Or the car you may be driving. But more than anywhere else, you’ll see IoT at home in an increasing array of gadgets: from voice-activated smart speakers to internet-connected baby monitors.

It’s estimated that 14.2 billion connected “things” like these are in use globally in 2019, which will rise to 25 billion in a couple of years’ time. There’s just one problem: if not properly secured, they could present hackers with new opportunities to sneak into your smart home through the cyber-front door.

So what are the risks—and how can you protect your home?

Governments take action

First, some good news: as consumers’ homes fill with ever-greater numbers of smart gadgets, governments are aware of the growing risks of cyber-attacks. In the US, California is leading the way with new legislation designed to force manufacturers to improve the security of their products. SB-327introduces minimum requirements such as forcing each user to set a unique device password the first time they connect.

Following hot on the heels of the Golden State is the federal government. Introduced in March, the bipartisan Internet of Things (IoT) Cybersecurity Improvement Act of 2019 doesn’t cover all IoT makers, only ones which sell products to the government. However, it is hoped that the law will have a knock-on effect with the wider industry, encouraging other manufacturers to raise their standards.

But it’s not only the US that is making moves to safeguard IoT users. The UK in May introduced a proposed new law designed to force manufacturers to adhere to key security requirements, covering things like unique passwords and security updates. In addition, retailers will only be allowed to sell devices with a clear label telling consumers how secure they are.

While Trend Micro welcomes any government moves to make smart home gadgets more secure, the truth is that it will take a while for these laws to take effect—and even longer for them to have an impact on the firms designing and building our connected devices. The US federal proposal will require a separate standards body to hunker down and draw up its requirements first, which could take months. There’s also a risk that when new laws take effect, the hackers will simply move on to use new tactics not legislated for.

That’s why consumers must act now to secure their smart home. Below we list some of the key threats and how to take action.

What’s the problem?

The more smart gadgets there are in your home, the greater the number of potential targets for hackers. Devices could be hijacked if attackers manage to guess or crack the passwords protecting them, or exploit flaws in the underlying software (firmware) that runs them.

This is made easier because some devices don’t require a user to install a password; they simply run with an easy-to-guess factory default. Many manufacturers also don’t issue regular updates (patches) either, or if they do, it’s hard for users to find out about and install them. And unlike your laptop/desktop and mobile devices, these IoT endpoints are typically too small to install AV on, further exposing them.

Finally, it’s not just the devices themselves that are at risk, but also the complex, underlying automation systems that link them together behind the scenes. This complexity creates gaps that bad guys are adept at exploiting.

So, to simplify, there are three main threat vectors facing home networks:

1) Physical danger

Devices could be remotely controlled by attackers to surveil the family. For example, by hijacking feeds from smart security cameras, or other sensors around the house such as smart door and window locks, burglars could work out when the property is empty. They could even remotely unlock doors or windows, if these are internet-connected — for example by cloning the owner’s voice and playing commands via your home assistant.

Cases have been reported in the past of hackers remotely monitoring smart homes. In one incident, a baby monitor was hacked and used to broadcast threats to the parents; while more extensive hacks of home security cameras have had their video content streamed online.

2) Data loss and malware

These same devices are also a potential gateway into the home network, which could allow hackers to grab passwords for your key online accounts like banking and email. Any data they collect on you can be sold on the dark web and used for future identity fraud. The router is in many ways the digital gateway to your smart home — the place where all your internet traffic passes through. That makes it particularly vulnerable to these kinds of attack. As well as data theft, hackers could be looking to spread malware such as ransomware and banking trojans.

One major router threat spotted in 2018 was VPNFilter—information-stealing malware which infected at least half a million routers globally by exploiting vulnerabilities in the devices.

3) Hijacked devices become botnets

In another scenario, your smart home gadgets and router are hijacked and remotely controlled not to install ransomware or steal data from your family, but to use in attacks on others. Typically, they become part of a botnet of controlled machines which are programmed to do the bidding of the hackers. This could range from launching denial-of-service (DoS) attacks on businesses to illegally mining for crypto-currency.

The most famous example of this kind of attack came in 2016, when the Mirai campaign managed to hijack tens of thousands of IoT devices by scanning for any exposed to the internet and protected only with factory default passwords. In an infamous attack, it managed to take out a key online provider, resulting in outages at some of the biggest sites on the internet, including Twitter and Netflix.

What to do next

All that said, there are some simple steps you can take today to help reduce your exposure to IoT threats. It should begin with taking time out to understand how your devices work. Are they password protected? How are they updated? Are they running unnecessary services which may expose them to attackers? A bit of research before you buy and install them will also go a long way to keeping you safe.

Here are a few best practice tips to get you started:

  • Change factory default passwords to strong and unique credentials.
  • Switch on two-factor authentication for even more log-in protection, if offered.
  • Regularly check for firmware updates and apply as soon as they’re available. This may require you to visit the manufacturer’s website from time-to-time.
  • Use WPA2 on your routers for encrypted Wi-Fi.
  • Disable UPnP and any remote management features.
  • Set up a guest network on your router, which will help protect your main network, its devices and data, from network worms and other malware inadvertently introduced by guests.
  • Protect your computers and smartphones with AV and only download legitimate smart home apps.

How Trend Micro can help

Trend Micro is here to offer you peace-of-mind when it comes to protecting your smart home. The first step is diagnostic: download our Housecall™ for Home Networks tool to check your network. It will run a comprehensive scan on all your smart home gadgets, highlighting any vulnerabilities and other risks, and providing helpful advice for keeping your network and devices secure.

Next up, install Trend Micro Home Network Security (HNS) for comprehensive protection on all your home devices. It blocks dangerous file downloads and malicious websites, protects your personal/financial data from theft, and will keep ransomware, phishing and other threats at bay. HNS provides instant threat notifications, lets you disconnect any unwanted devices from your network, and offers full control over your devices from your Android or iOS smartphone with the paired HNS monitoring app.

Watch our Trend Micro Home Network Security videos to find out more about how HNS helps protect your network.

Source:
https://blog.trendmicro.com/keep-your-smart-home-safe-heres-what-you-can-do-today-to-secure-your-products/