STE WILLIAMS

iPhone gyroscopes, of all things, can uniquely ID handsets on anything earlier than iOS 12.2

Your iPhone can be uniquely fingerprinted by apps and websites in a way that you can never clear. Not by deleting cookies, not by clearing your cache, not even by reinstalling iOS.

Cambridge University researchers will present a paper to the IEEE Symposium on Security and Privacy 2019 today explaining how their fingerprinting technique uses a fiendishly clever method of inferring device-unique accelerometer calibration data.

“iOS has historically provided access to the accelerometer, gyroscope and the magnetometer,” Dr Alastair Beresford told The Register this morning. “These types of devices don’t seem like they’re troublesome from a privacy perspective, right? Which way up the phone is doesn’t seem that bad.

“In reality,” added the researcher, “it turns out that you can work out a globally unique identifier for the device by looking at these streams.”

Your orientation reveals an awful lot about you

“MEMS” – microelectromechanical systems – is the catchall term for things like your phone’s accelerometer, gyroscope and magnetometer. These sensors tell your handset which way up it is, whether it’s turning and, if so, how fast, and how strong a nearby magnetic field is. They are vital for mobile games that rely on the user tilting or turning the handset.

These, said Beresford, are mass produced. Like all mass-produced items, especially sensors, they have the normal distribution of inherent but minuscule errors and flaws, so high-quality manufacturers (like Apple) ensure each one is calibrated.

“That calibration step allows the device to produce a more accurate parameter,” explained Beresford. “But it turns out the values being put into the device are very likely to be globally unique.”

Beresford and co-researchers Jiexin Zhang, also from Cambridge’s Department of Computer Science and Technology, and Ian Sheret of Polymath Insight Ltd, devised a way of not only accessing data from MEMS sensors – that wasn’t the hard part – but of inferring the calibration data based on what the sensors were broadcasting in real time, during actual use by a real-world user. Even better (or worse, depending on your point of view), the data can be captured and reverse-engineered through any old website or app.

“It doesn’t require any specific confirmation from a user,” said Beresford. “This fingerprint never changes, even if you factory reset the handset or reinstall the OS. This is buried deep inside the firmware of the device so the fingerprint data doesn’t change. This provides a way to track users around the web.”

How they did it

“You need to record some samples,” said Beresford. “There’s an API in JavaScript or inside Swift that allows you to get samples from the hardware. Because you get many samples per second, we need around 100 samples to get the attack. Around half a second on many of the devices. So it’s quite quick to collect the data.”

Each device generates a stream of analogue data. By converting that into digital values and applying algorithms they developed in the lab using stationary or slow-moving devices, Beresford said, the researchers could then infer what a real-world user device was doing at a given time (say, being bounced around in a bag) and apply a known offset.

“We can guess what the input is going to be given the output that we observe,” he said. “If we guess correctly, we can then use that guess to estimate what the value of the scale factor and the orthogonality are.”

From there it is a small step to bake those algorithms into a website or an app. Although the actual technique does not necessarily have to be malicious in practice (for example, a bank might use it to uniquely fingerprint your phone as an anti-fraud measure), it does raise a number of questions.
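To make the calibration-inference idea and Apple's noise mitigation concrete, here is an added toy model (not the Cambridge researchers' code or algorithm). It assumes a single-axis accelerometer with a 16-bit ADC at a nominal 1/16384 g per count, a per-device gain error in parts per million, and a resting phone; the Gaussian noise level used for the mitigation case is likewise an assumption.

```python
"""Toy model of sensor-calibration fingerprinting and the noise mitigation.

Constructed, single-axis simplification (not the Cambridge paper's method):
a MEMS accelerometer reports integer ADC counts and the OS applies a factory
calibration  out = gain * raw + offset  before handing the value to apps.
Because `raw` is an integer, un-noised outputs sit on a lattice whose spacing
is the device-unique gain, which a handful of samples reveals. Adding noise
to each reading (the iOS 12.2 style mitigation) destroys that lattice.
"""
import random
import statistics

NOMINAL_GAIN = 1.0 / 16384.0   # g per LSB for a +-2 g, 16-bit part (assumed)


def make_device(gain_error_ppm: int, offset_lsb: int):
    """Return (gain, offset) for one simulated handset's calibration table."""
    gain = NOMINAL_GAIN * (1.0 + gain_error_ppm / 1e6)
    return gain, offset_lsb * NOMINAL_GAIN


def sample_sensor(device, n: int, noise_g: float, seed: int = 0) -> list:
    """n calibrated readings of a phone resting flat (~1 g on this axis).

    noise_g = 0.0 models the pre-12.2 behaviour (exact calibrated values
    exposed); noise_g > 0 models the mitigation of adding random noise.
    """
    rng = random.Random(seed)
    gain, offset = device
    base_raw = round(1.0 / gain)              # ADC counts for 1 g on this device
    out = []
    for _ in range(n):
        raw = base_raw + rng.randint(-2, 2)   # a few LSB of sensor jitter
        val = gain * raw + offset
        if noise_g:
            val += rng.gauss(0.0, noise_g)
        out.append(val)
    return out


def estimate_gain(samples, eps: float = 1e-12) -> float:
    """Recover the lattice spacing (the gain) from calibrated outputs.

    Smallest positive gap between distinct readings, refined by averaging
    gap / round(gap / first_guess) over all gaps. With noise added the gaps
    share no common divisor and the estimate collapses to a tiny value.
    """
    vals = sorted(set(samples))
    gaps = [b - a for a, b in zip(vals, vals[1:]) if b - a > eps]
    if not gaps:
        return 0.0
    guess = min(gaps)
    return statistics.mean(g / round(g / guess) for g in gaps)


def fingerprint_matches(samples, device, tol: float = 1e-6) -> bool:
    """Does the estimated gain identify `device` to within `tol` (relative)?"""
    gain = device[0]
    return abs(estimate_gain(samples) - gain) / gain < tol


if __name__ == "__main__":
    phone_a = make_device(gain_error_ppm=4300, offset_lsb=17)
    phone_b = make_device(gain_error_ppm=-2100, offset_lsb=-9)
    clean = sample_sensor(phone_a, 100, noise_g=0.0)
    noisy = sample_sensor(phone_a, 100, noise_g=NOMINAL_GAIN, seed=1)
    print("no noise : matches A", fingerprint_matches(clean, phone_a),
          "/ matches B", fingerprint_matches(clean, phone_b))
    print("with noise: matches A", fingerprint_matches(noisy, phone_a))
```

About 100 clean samples (the figure Beresford quotes) are enough for the lattice to show every neighbouring count; once per-reading noise of roughly one count is mixed in, the same estimator no longer recovers the gain.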

Good news, fandroids: you’re not affected

Oddly enough, the attack doesn’t work on most Android devices because they’re cheaper than Apple’s, in all senses of the word, and generally aren’t calibrated, though the researchers did find that some Google Pixel handsets did feature calibrated MEMS.

Beresford joked: “There’s a certain sense of irony that because Apple has put more effort in to provide more accuracy, it has this unfortunate side effect!”

Apple has patched the flaws in iOS 12.2 by blocking “access to these sensors in Mobile Safari just by default” as well as adding “some noise to make the attack much more difficult”.

The researchers have set up a website which includes both the full research paper and their layman’s explanation, along with a proof-of-concept video. Get patching, Apple fanbois. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/05/21/iphone_mems_gyroscope_fingerprinting/

Data Security: Think Beyond the Endpoint

A strong data protection strategy is essential as data moves across endpoints and in the cloud.

INTEROP 2019 – LAS VEGAS – Endpoint security is a common concern among organizations, but security teams should be thinking more broadly about protecting data wherever it resides.

“If you’re just focusing on device protection and not data protection, you’re missing a lot,” said Shawn Anderson, executive security advisor for Microsoft’s Cybersecurity Solutions Group, at the Interop conference held this week in Las Vegas. Rather than add multiple endpoint security products to corporate machines, he urged his audience of IT and security pros to think about protecting their data.

An estimated 60% of data is leaked electronically, Anderson said, and 40% is leaked physically. When an organization is breached, the incident costs an average of $240 per record. The average cost of a data breach was $4 million in 2017, a year when hackers stole more than 6 billion records.

As more devices jump online, the risk to businesses and their information continues to grow. An estimated 9 billion devices equipped with microcontrollers are deployed in appliances, equipment, and toys each year. Fewer than one percent are now connected. But that number will grow, and “highly secured” IoT devices require properties many devices don’t have: certificate-based authentication, automatic security updates, hardware root of trust, a computing base protected from bugs in other code.

All computers within an organization – laptops, smartphones, tablets, a rapidly growing pool of IoT devices – are collecting larger amounts of data. Some of it is kept on the machine but more of it is moving to the cloud, which is driving up the number of alerts companies handle. Microsoft analyzes 6.5 trillion threat signals daily, Anderson pointed out, up from 1.2 trillion a few years ago.

The cloud is accelerating how companies can collect, process, store, and use information. As companies transition to hybrid infrastructure, and their data moves across cloud-based and on-prem systems, they should evaluate their endpoint security strategies to make sure data is protected where it resides.

In his talk, Anderson discussed what he called the four pillars of infrastructure security: identity and access management, threat protection, information protection, and security management.

Securing Data Wherever It Resides

Companies should have a strategy in place to secure hybrid infrastructure and protect data from internal and external threats. “I always tell customers to assume compromise,” Anderson said, emphasizing the importance of protecting identities. If an attacker has an employee’s laptop, that’s one thing; if they have credentials to access a corporate network, that’s another.

Identity protection is a critical component of threat protection, he explained. Businesses should strengthen users’ credentials by enabling MFA, block legacy authentication to reduce the attack surface, increase visibility into why identities are blocked, monitor and act on security alerts, and automate threat remediation with solutions like risk-based conditional access. “Our admins internally do not have 100% access, 100% of the time, across the network,” he said.

Threat protection describes the organization’s ability to detect suspicious activity on the network and address problems on-prem and in the cloud. Ask yourself the following questions: Do you know if your credentials are compromised? How quickly can you remediate advanced threats? Do you have a system in place? How do you protect users from email threats?

“You could put 15 pieces of software on an endpoint, but if you don’t have a data protection strategy, [attackers] win,” Anderson noted.

Data must be protected in use, in transit, and at rest. Businesses should discover and classify sensitive data as it enters the environment, apply protection based on policy, monitor and remediate threats, and remain compliant as data travels throughout the organization before it’s retired and deleted. Information should be tracked and monitored throughout its lifecycle.

Anderson listed a few key steps in the process of building this strategy: define sensitive data, establish a label taxonomy, and customize protection policies based on objectives and compliance requirements. As data is classified and labeled, organizations may adjust their strategy depending on what they observe as they monitor sensitive data and its effect on users.

Visibility, a commonly cited challenge among security pros, is core to the fourth pillar of security management. Businesses should build their security posture with visibility, control, and guidance across identities, devices, apps and data, and infrastructure to manage their security strategy across the organization and improve security practices over time.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/endpoint/data-security-think-beyond-the-endpoint/d/d-id/1334770?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

New Trickbot Variant Uses URL Redirection to Spread

Switch in tactic is the latest attempt by operators of the prolific banking Trojan to slip past detection mechanisms.

The authors of the Trickbot banking Trojan have once again begun using URL redirection instead of malicious email attachments to spread their malware. It is the latest example of how cybercriminals constantly evolve — and sometimes recycle — their tactics to stay ahead of defenders.

Security researchers from Trend Micro on Monday said they had recently discovered a new variant of Trickbot arriving via redirection URL in a spam mail message. The URL appears to point toward a Google domain but instead redirects users who click on it to a site that downloads Trickbot on the user’s system.

The content of the spam email purports to be about a processed order that is ready for shipping, Trend Micro said. The email contains what appears to be a tracking number for the package, standard delivery disclaimers, contact details of the purported sender, and even social media icons for lending additional authenticity to the email.

If a user gets tricked into clicking on the embedded URL in the email, the user is routed to a Trickbot download site that is designed to appear like a Web page for reviewing online orders.

The site downloads a compressed file that contains a Visual Basic Script for downloading Trickbot. Once the malware is executed on the system, it quickly deploys additional modules for various tasks, such as stealing browser data, injecting malicious code into browsers for monitoring online banking activity, searching through files on the infected machine, and profiling the network.

“Utilizing a URL redirection from a known domain is a tactic used by other bad actors to fool unsuspecting victims into thinking the embedded URL within an email is legitimate,” says Jon Clay, marketing manager at Trend Micro.

The developers of Trickbot know that many users might do a cursory review of the embedded URLs and are more likely to click on them if they see a legitimate domain. They also know that many users are accustomed to seeing redirect notices when pop-ups appear and are therefore unlikely to be alarmed when they see the requests, Clay says.

“The significance of this new tactic is that, once again, the developers of Trickbot — and many other malware families — are constantly shifting their attack strategies to not only fool their victims, but also to make it more difficult for security solutions to detect their threat,” he says.

A Persistent Threat

Trickbot first surfaced in 2016 and has remained a major threat ever since to online banking customers in several countries, including the US, UK, and Australia. In the US, the malware has targeted users of numerous major banks and credit card companies, including Chase, Bank of America, American Express, and Discover.

Security researchers have described the malware as being sophisticated, stealthy, and capable of evading sandboxes and other detection and blocking measures. Among other things, Trickbot is designed to steal the usernames and passwords that people use for accessing their online banking accounts and transmit the credentials to the criminals behind the operation so they can be used to steal money.

In the first quarter of 2019, Trickbot was among the most active banking Trojans in the wild, according to Trend Micro’s data. The only other banking malware that was consistently more active during that period was Emotet.

Trickbot’s operators have typically distributed the malware via malicious attachments in spam email. The attachments — usually a Microsoft Word or an Excel document — appear to be an invoice or other financial statement that prompts users to enable macros, which then download and execute the malware. However, they have also used URL redirection in the past to spread the malware.

Threat actors often use redirection as a way to get around Web reputation technologies that are getting better at detecting malicious URLs, Clay says. In some cases, Trend Micro has observed adversaries using multiple redirects as part of the infection chain in an effort to thwart security detections, he says.

“Bad actors are looking to compromise legitimate Web pages and install redirects more and more as it has been an effective strategy to evade detection,” Clay notes.

The trend highlights the need for organizations to have capabilities for assessing Web reputation and scanning for embedded URLs within emails. They also need to be able to detect and analyze multiple redirects during a session, Clay says. In addition, organizations need to educate users on how to recognize illegitimate pop-ups and on the danger of enabling macros in a pop-up, he says.
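The two defensive capabilities Clay describes, scanning embedded URLs for a redirect that hides behind a trusted-looking host and walking a multi-hop redirect chain, as an added example (not Trend Micro's tooling). The lure text, hostnames and the redirect table standing in for live HTTP 302 responses are all constructed for the example.

```python
"""Flag e-mail URLs that look like a trusted site but carry a redirect.

Added example (not Trend Micro's tooling). Two defensive checks: spotting an
embedded redirect target inside an otherwise trusted-looking URL, and walking
a redirect chain hop by hop. The chain is served from a constructed table
here instead of live HTTP requests, so the script runs offline.
"""
import re
from urllib.parse import parse_qs, urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample: a "your order has shipped" lure whose link shows a
# trusted-looking host but redirects elsewhere. All hosts are placeholders.
SAMPLE_EMAIL = """\
Your order #48213 has been processed and is ready for shipping.
Tracking number: 1Z999AA10123456784
Review your order: https://www.trusted-search.example/url?q=https://orders-review.example/view
Questions? https://www.trusted-search.example/help
"""

# Constructed stand-in for HTTP 302 responses: source URL -> Location header.
REDIRECT_TABLE = {
    "https://orders-review.example/view": "https://cdn-orders.example/dl",
    "https://cdn-orders.example/dl": "https://dl.invoice-archive.example/order.zip",
}

ARCHIVE_SUFFIXES = (".zip", ".rar", ".7z")


def extract_urls(text: str) -> list:
    """Every absolute http(s) URL found in the message body."""
    return URL_RE.findall(text)


def embedded_redirect_target(url: str):
    """Return a query-parameter value that is itself an absolute URL on a
    different host than the visible one, or None when there is none."""
    parsed = urlparse(url)
    for values in parse_qs(parsed.query).values():
        for value in values:
            inner = urlparse(value)
            if (inner.scheme in ("http", "https") and inner.netloc
                    and inner.netloc != parsed.netloc):
                return value
    return None


def follow_chain(url: str, table: dict, max_hops: int = 5) -> list:
    """Walk redirects from `table`, returning every hop visited.

    Stops after `max_hops` hops so a redirect loop cannot run forever.
    """
    chain = [url]
    while url in table and len(chain) <= max_hops:
        url = table[url]
        chain.append(url)
    return chain


def analyse_email(text: str, table: dict) -> list:
    """One finding per suspicious URL: visible host, final host, hop count,
    and whether the chain ends at a compressed archive download."""
    findings = []
    for url in extract_urls(text):
        target = embedded_redirect_target(url)
        if target is None:
            continue
        chain = follow_chain(target, table)
        findings.append({
            "visible_host": urlparse(url).netloc,
            "final_host": urlparse(chain[-1]).netloc,
            "hops": len(chain) - 1,
            "downloads_archive": chain[-1].lower().endswith(ARCHIVE_SUFFIXES),
        })
    return findings


if __name__ == "__main__":
    for finding in analyse_email(SAMPLE_EMAIL, REDIRECT_TABLE):
        print(finding)
```

A real gateway would replace the table lookup with a sandboxed request that records each `Location` header, but the verdict logic (visible host differs from final host, several hops, archive at the end) stays the same.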


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/new-trickbot-variant-uses-url-redirection-to-spread/d/d-id/1334767?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

DHS Warns of Data Theft via Chinese-Made Drones

The drones are reportedly built with parts that can compromise organizations’ data and share it on a server accessible to the Chinese government.

The US Department of Homeland Security warns Chinese-made drones could be transmitting flight data to manufacturers and, in doing so, make it accessible to the Chinese government.

Data security concerns aren’t new when it comes to drones built in China: The US Army banned drones made by DJI in 2017, citing concerns about DJI sharing data with the Chinese government. DJI makes 80% of drones used in the US and Canada, reports CNN, citing industry analysis. Law enforcement officials and infrastructure firms in the US have adopted and now rely on drones.

The Cybersecurity and Infrastructure Security Agency calls the drones “a potential risk to an organization’s information,” the report states, citing a copy of the alert obtained by CNN. Officials, who don’t name drone makers, say drones “contain components that can compromise your data and share your information on a server accessed beyond the company itself.”

DJI, which denied the allegations in the 2017 report, says the security of its technology has been verified by the US government and disputes the information in today’s DHS alert, a spokesperson told Gizmodo. It says users have full control over how data is collected and shared, and that businesses and infrastructure firms can buy drones that don’t share data online or with DJI. Still, the DHS advises users to be cautious and to turn off a drone’s Internet connection before use.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/iot/dhs-warns-of-data-theft-via-chinese-made-drones/d/d-id/1334769?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

TeamViewer Admits Breach from 2016

The company says it stopped the attack launched by a Chinese hacking group.

TeamViewer, a German software company specializing in remote access and desktop sharing software, announced that it suffered an attack, presumably from a Chinese hacking group, in 2016. According to the company, the attack was discovered and stopped at the time, with no evidence of damage or compromise found.

The attackers used Winnti, a backdoor Trojan known to have been developed and used by groups located in China. Now used by multiple Chinese hacking groups, the software is considered a reliable indicator that the attack originated within China.

Prior to the Winnti attack, TeamViewer saw a campaign of attacks against user accounts among its customers. The German publication Der Spiegel reported that the Winnti campaign was active against and inside TeamViewer since 2014, a claim that TeamViewer rejected.


Article source: https://www.darkreading.com/attacks-breaches/teamviewer-admits-breach-from-2016/d/d-id/1334768?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Boeing admits 737 Max sims didn’t accurately reproduce what flying without MCAS was like

Boeing has admitted that pilot training simulators for the controversial 737 Max did not accurately reproduce what happened if the infamous MCAS system went gaga.

In a statement, the American aircraft manufacturer said it had “made corrections to the 737 MAX simulator software and has provided additional information to device operators to ensure that the simulator experience is representative across different flight conditions”.

The US Wall Street Journal newspaper reported over the weekend that simulators used for pilot training “did not reflect the immense force that it would take for pilots to regain control of the aircraft” after disabling electronically assisted trim controls.

Those controls interfaced with MCAS, the Manoeuvring Characteristics Augmentation System. As reported extensively here and elsewhere, MCAS was intended to automatically kick in and help prevent the 737 Max from stalling – falling from the sky, basically – in a particular flight scenario where the aircraft’s angle of attack (AoA) becomes too high. It does so through adjusting the airliner’s trim, pushing the aircraft’s nose down in 10-second bursts.

After two fatal crashes that killed all aboard, it emerged that pilots were not made aware of what MCAS was, how it worked or – after the second crash – how to safely disable it. Boeing instructions after the first crash were to disable the electric stabiliser trim motors, preventing MCAS from operating at all. However, that led to pilots being forced to rely on the manual backup trim: a great big mechanical wheel in the cockpit.

Theories are circulating that the crew of the second fatal crash, Ethiopian Airways flight ET302, after successfully cutting out the electric stab trim per Boeing’s instructions, were then unable to move the trim wheel against the huge aerodynamic forces caused by their airliner accelerating towards the ground. As speed increases, so does the force needed to move control surfaces, much as the wind pressure you feel when putting your hand out of a car window at speed.

If Boeing-approved 737 Max flight simulators were not correctly reproducing those forces on the mechanical trim wheel, pilots could have been lulled into a false sense of security while practising emergency drills on the ground.

Updates coming but airlines aren’t convinced

Boeing also said it had finished testing a software update it claims will fix the MCAS problem, as well as having provided “additional information to address Federal Aviation Administration (FAA) requests that include detail on how pilots interact with the airplane controls and displays in different flight scenarios. Once the requests are addressed, Boeing will work with the FAA to schedule its certification test flight and submit final certification documentation.”

According to an earlier Boeing statement, the patch will do the following:

  • Flight control system will now compare inputs from both AoA sensors. If the sensors disagree by 5.5 degrees or more with the flaps retracted, MCAS will not activate. An indicator on the flight deck display will alert the pilots.
  • If MCAS is activated in non-normal conditions, it will only provide one input for each elevated AoA event. There are no known or envisioned failure conditions where MCAS will provide multiple inputs.
  • MCAS can never command more stabilizer input than can be counteracted by the flight crew pulling back on the column. The pilots will continue to always have the ability to override MCAS and manually control the airplane.
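To show how the three guards in that list fit together as control logic, here is an added toy model; it is not Boeing's flight-control software. The 5.5-degree disagreement limit comes from the statement above; the activation threshold, the per-input authority cap and the flaps-up precondition for activation are assumptions of this model.

```python
"""Toy model of the MCAS activation guards listed in Boeing's statement.

Added example, not Boeing's code. It encodes three rules: cross-check both
AoA sensors and stay inactive when they disagree by 5.5 degrees or more with
flaps retracted; command at most one nose-down input per elevated-AoA event;
never exceed an authority limit the crew can counteract. The activation
threshold, authority cap and flaps-up precondition are assumed values.
"""
from dataclasses import dataclass, field

DISAGREE_LIMIT_DEG = 5.5       # from the statement: inhibit at >= 5.5 degrees
ELEVATED_AOA_DEG = 12.0        # assumed AoA at which the model treats an event as elevated
MAX_TRIM_UNITS = 1.0           # assumed per-input stabilizer authority cap


@dataclass
class McasGuard:
    """Per-cycle gate deciding whether a requested trim input is allowed."""
    fired_this_event: bool = False
    log: list = field(default_factory=list)

    def step(self, aoa_left: float, aoa_right: float,
             flaps_retracted: bool, requested_trim: float) -> float:
        """Return the stabilizer input actually commanded this cycle (0 if none)."""
        if not flaps_retracted:
            self.fired_this_event = False   # MCAS is flaps-up only in this model
            return 0.0
        if abs(aoa_left - aoa_right) >= DISAGREE_LIMIT_DEG:
            self.log.append("AOA DISAGREE: MCAS inhibited")   # flight-deck alert
            return 0.0
        agreed_aoa = (aoa_left + aoa_right) / 2.0
        if agreed_aoa < ELEVATED_AOA_DEG:
            self.fired_this_event = False   # event over; re-arm for the next one
            return 0.0
        if self.fired_this_event:
            return 0.0                      # only one input per elevated-AoA event
        self.fired_this_event = True
        return min(requested_trim, MAX_TRIM_UNITS)   # crew can always counteract


if __name__ == "__main__":
    guard = McasGuard()
    # Cycle 1: a single sensor reading high while the other is normal.
    print(guard.step(2.0, 18.0, True, 1.0))      # 0.0, inhibited
    # Cycles 2-3: genuine elevated AoA; fires once, then holds.
    print(guard.step(14.0, 14.5, True, 2.5))     # 1.0, capped
    print(guard.step(14.0, 14.5, True, 2.5))     # 0.0, already fired
    # Cycle 4: AoA recovers, guard re-arms; cycle 5: a new event fires again.
    print(guard.step(5.0, 5.0, True, 1.0))       # 0.0
    print(guard.step(13.0, 13.0, True, 0.6))     # 0.6
```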

Ryanair, one of the world’s biggest operators of Boeing 737s in general, has ordered a number of 737 Maxes. It said in an investor presentation (PDF) that it had “delayed the delivery of our first 5 B737-MAX aircraft to Winter 2019 (subject to regulatory approval by EASA)”, adding: “We continue to have utmost confidence in these aircraft.”

Similarly, Germany’s TUI group is reportedly going to decide by the end of this month whether or not to abandon hopes of flying its 737 Maxes for this year’s key holiday season.

Boeing itself went a full month without receiving a single new order and also deleted around 200 aircraft from its order books, according to reports, though the Paris Air Show, a big sales event, takes place next month and could see a number of new orders being placed to balance that out.

All in all, the 737 Max problems haven’t gone away just yet. Software problems have big repercussions in the real world. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/05/20/737_max_flight_simulators_not_accurate_report/

Sophos tells users to roll back Microsoft’s Patch Tuesday run if they want PC to boot

Brit security software slinger Sophos has advised its customers to uninstall Microsoft’s most recent Patch Tuesday run – the same patches that protect servers against the latest Intel cockups.

In an advisory note published over the weekend, Sophos admitted the latest batch of Windows updates is causing the machines of some people using its AV wares to hang on boot, getting stuck while displaying the line “Configuring 30%”.

“We have currently only identified the issue on some customers running Windows 7 and Windows Server 2008 R2,” added the company.

Its advice on what to do is pretty blunt: uninstall the Windows update. Specifically, revert KB4499164 (May’s full-fat Patch Tuesday) and KB4499165, the security-only update. As regular readers know, the latest Patch Tuesday is intended to mitigate a pretty nasty vuln (CVE-2019-0708) which permits unauthenticated remote code execution through the medium of Remote Desktop Services. Sophos itself opined that it was “so serious that Microsoft has even released patches for its long-unsupported operating systems, Windows 2003 and XP”.

As we wrote when the patches were published, to make it work all you have to do (easy when you know how, innit) is to “find one of countless vulnerable Windows boxes facing the internet or on a network, and send carefully crafted packets to its remote desktop service, if running, to start executing malicious code on the machine. From there, other computers can be found by scanning IP ranges, and then you’ve got a proper old school worm on your hands.”

Even Microsoft said this vuln could be abused to spread a worm, WannaCry-style.

The whole thing has loud echoes of a similar Sophos screwup from April, when that month’s Patch Tuesday knackered a bunch of Windows boxen running Sophos products, including Win 7 and Server 2008 R2.

Why, then, is Sophos recommending that users, private and corporate alike, revert a critical security update? Granted, so far nobody has seen a live exploit for the major vuln identified by Microsoft, but in this day and age it’s only a question of time.

Sophos didn’t directly answer when El Reg asked, nor did it say when it would patch its own products to get them working again. Instead it said: “Sophos is working diligently on determining the issue and will provide ongoing customer guidance.”

One user commenting on Sophos’ own security blog, Naked Security, moaned: “We had to roll back some 300+ machines for clients around the US.”

Affected folk are encouraged to go and tell Sophos exactly what happens when their machines lock up, and to open a ticket with the company’s tech support team. Links to various Sophos utilities are available in the advisory. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/05/20/sophos_microsoft_patch_tuesday_boot_hang/

How a Manufacturing Firm Recovered from a Devastating Ransomware Attack

The infamous Ryuk ransomware slammed a small company that makes heavy-duty vehicle alternators for government and emergency fleets. Here’s what happened.

The tiny IT team at C.E. Niehoff Co. had been working for two weeks to run down and clean up a malware infection that had infiltrated its network after an employee clicked on a URL in a phishing email. Unbeknownst to the company as it scrambled to quell the attack, the malware, which was later identified as Trickbot, was quietly spreading among its endpoints and servers, gathering intel about the manufacturing firm and stealing credentials from the compromised machines.

It wasn’t until the morning of Sunday, Oct. 14, when C.E. Niehoff IT manager Kelvin Larrue logged into the company’s network from home, that it became clear to the company that the attack was something much more serious than a bot infection. A stunned Larrue could see that an intruder was running a PowerShell session on one of the company’s servers, moving from server to server with stolen credentials and disabling security tools.

“I could see what he was actually doing. I knew we were in real trouble and someone was in our system,” Larrue recalls. “They literally had the keys to the kingdom.”

Larrue jumped into his car and drove the 20-minute route to the data center on the company’s campus in Evanston, Ill., which houses its corporate headquarters and the manufacturing plant where it builds heavy-duty alternators for government and emergency vehicles. Racing to shut down the network in order to shut out the attacker, Larrue and his team pulled the plug in hopes of preventing the attacker from getting any deeper into the network, but it was too late.

“By that time, the perpetrator had done extensive damage to our network,” he says. The attacker had begun dropping ransomware: “He had started routines to encrypt files on all of the servers and any workstations he happened to be on at that point,” Larrue says.

What Larrue was witnessing firsthand, he later learned, was a Ryuk ransomware attack on his company. Ryuk is part of the recent generation of ransomware variants that are typically used for custom and targeted attacks on bigger and potentially more financially lucrative targets. According to Check Point Security, which has studied Ryuk and its attack methods, Ryuk’s authors built it with an encryption scheme that targets critical resources and assets in a victim’s network; for maximum impact, its payload is released manually by the attackers once they have the intel and stolen credentials they need.

“When [Ryuk attackers] infect a new victim, they can stay for a while to observe the network … and see if the infected machine or network is interesting,” explains Itay Cohen, a security researcher with Check Point who tracks Ryuk. “They do not automatically drop Ryuk; they drop it manually” if they decide it’s a useful target. That’s a departure from earlier ransomware attack campaigns that were more random and automated, he says.

Ryuk has claimed several high-profile victims since the fall of 2018, including newspapers such as the Chicago Tribune and the Los Angeles Times; the city of Stuart, Fla.; and Onslow Water and Sewer Authority, which was hit with a ransomware attack in October 2018, around the same time frame as C.E. Niehoff.

Ryuk and other ransomware, such as GandCrab and LockerGoga, which crippled Norwegian aluminum manufacturer Norsk Hydro, are all about targeting what CrowdStrike calls “big game,” or large organizations theoretically able to pay a higher ransom than randomly infected consumers or small organizations.  

Larrue says C.E. Niehoff believes the malicious URL in the phishing email that dropped Trickbot was the first phase of its attack and where the intel-gathering and credential-stealing occurred. In some Ryuk attacks on other victims, the gang has used Emotet as the bot and Trickbot as the intel- and credential-stealer in advance of dropping Ryuk and locking down the victims’ machines.

“What was happening behind the scenes was that Trickbot got in and set up the whole command-and-control thing, and we later found out what was actually going on. They siphoned off credentials, set up the C2, and then we got hit with the big one,” the Ryuk ransomware, Larrue explains.

While he and his team were “chasing our tails” trying to quell the infection’s spread, the attackers had set up a reverse-shell attack, he says, possibly exploiting an unpatched vulnerability in Java. The company’s Vipre anti-malware tools didn’t recognize or catch the variant.

With the stolen credentials, the Ryuk attackers then set up Remote Desktop Protocol (RDP) connections to the network and, via PowerShell commands, set off the Ryuk ransomware payload, server by server, he says.
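The sequence Larrue describes (an RDP logon with a stolen account, then PowerShell on that server, then the same again on the next server) is a pattern a defender can look for in Windows Security logs. The following is an added example, not code from the article or from C.E. Niehoff, that correlates the two events per host and account and flags accounts repeating the pattern across several servers. The events are constructed sample data; host names, account names and addresses are placeholders. The event IDs are real: 4624 is a successful logon (LogonType 10 is RemoteInteractive, i.e. RDP) and 4688 is process creation.

```python
"""Added example: correlate RDP logons with follow-on PowerShell starts.

Constructed sample events, not real telemetry. Event IDs: 4624 = successful
logon (LogonType 10 = RemoteInteractive/RDP), 4688 = new process created.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_EVENTS = [  # constructed; hosts, users and addresses are placeholders
    {"ts": "2018-10-14T06:02:11", "host": "SRV-ERP01", "user": "svc_backup",
     "id": 4624, "logon_type": 10, "src_ip": "10.10.5.23"},
    {"ts": "2018-10-14T06:03:40", "host": "SRV-ERP01", "user": "svc_backup",
     "id": 4688, "proc": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"ts": "2018-10-14T06:09:05", "host": "SRV-FS02", "user": "svc_backup",
     "id": 4624, "logon_type": 10, "src_ip": "10.10.5.23"},
    {"ts": "2018-10-14T06:09:58", "host": "SRV-FS02", "user": "svc_backup",
     "id": 4688, "proc": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # Benign: an admin connects over RDP and only opens Notepad.
    {"ts": "2018-10-14T07:15:00", "host": "SRV-HR01", "user": "jdoe",
     "id": 4624, "logon_type": 10, "src_ip": "10.10.1.5"},
    {"ts": "2018-10-14T07:16:00", "host": "SRV-HR01", "user": "jdoe",
     "id": 4688, "proc": r"C:\Windows\System32\notepad.exe"},
    # Benign: PowerShell after a console logon (LogonType 2), not RDP.
    {"ts": "2018-10-14T07:30:00", "host": "SRV-FS02", "user": "admin",
     "id": 4624, "logon_type": 2, "src_ip": "-"},
    {"ts": "2018-10-14T07:31:00", "host": "SRV-FS02", "user": "admin",
     "id": 4688, "proc": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

WINDOW = timedelta(minutes=10)   # PowerShell must start within this long after the RDP logon
HOST_THRESHOLD = 2               # same account on this many hosts -> report as lateral movement


def find_rdp_powershell(events, window=WINDOW):
    """Return (user, host, rdp_ts, ps_ts) for each PowerShell start that follows
    an RDP logon by the same account on the same host within `window`."""
    rdp_logons = defaultdict(list)            # (host, user) -> [logon timestamps]
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO-8601 strings sort chronologically
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["host"], ev["user"])
        if ev["id"] == 4624 and ev.get("logon_type") == 10:
            rdp_logons[key].append(ts)
        elif ev["id"] == 4688 and ev.get("proc", "").lower().endswith("powershell.exe"):
            for logon_ts in rdp_logons[key]:
                if timedelta(0) <= ts - logon_ts <= window:
                    hits.append((ev["user"], ev["host"], logon_ts.isoformat(), ts.isoformat()))
                    break
    return hits


def lateral_movement_accounts(hits, threshold=HOST_THRESHOLD):
    """Accounts whose RDP-then-PowerShell pattern appears on >= threshold distinct hosts."""
    hosts = defaultdict(set)
    for user, host, _, _ in hits:
        hosts[user].add(host)
    return {u: sorted(h) for u, h in hosts.items() if len(h) >= threshold}


if __name__ == "__main__":
    hits = find_rdp_powershell(SAMPLE_EVENTS)
    for h in hits:
        print("RDP -> PowerShell:", h)
    print("Accounts repeating the pattern on several hosts:", lateral_movement_accounts(hits))
```

On the constructed input only the `svc_backup` account is reported, on two hosts; the admin's console PowerShell session and the RDP user who only opens Notepad are not. The window and host threshold are tuning knobs: in an environment where admins routinely script over RDP, the signal comes less from any single hit than from one account walking several servers in a short span, which is what the second function surfaces.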

But what Larrue and his team didn’t realize at the time was that unplugging machines from the network actually exacerbated the attack: The Ryuk attackers apparently had set the attack to corrupt the firmware of the infected machines if the ransomware’s encryption process was disrupted. Larrue and his team of three IT staffers had not seen the ransom note warning them not to shut down or risk their systems getting corrupted when they frantically did the shutdown; they finally got a look at the message in the wake of the response.

“They were expecting us to come in Monday morning [to the ransom message],” he says. “They didn’t expect us on Sunday.”

Unplugging the machines “was a mistake on my part,” Larrue adds. “Part of the encryption scheme … was if we did pull the plug, something would corrupt the firmware on all the servers,” including the manufacturing firm’s email and ERP servers.

“At that point it was totally lost. Even if we wanted to pay ransom, we couldn’t,” he recalls.

It turned out the ransom note had warned that only the attackers could help decrypt the files, and that resetting or shutting down systems could damage the files. It didn’t include a ransom fee, but instead instructions on how to proceed in working with the attackers to get the files decrypted.

“I’ve had bad days in my life, but I’ve never had one like that,” Larrue says. “I had the weight of the world bearing down on me.” 

Paper and Pen
C.E. Niehoff is a relatively small, privately held manufacturing firm, with 400 employees and a three-person IT department that also works on security issues. Its customers include the US military, which uses its industrial alternators for vehicles, for instance. One of the first worries in the wake of the attack was the loss of its ERP manufacturing server to the Ryuk attack.

The good news was the attackers hadn’t stolen any customer or sensitive information, but the bad news was the manufacturing process had to rely on paper and existing orders to keep the shop floor open. “We had enough paperwork to keep the manufacturing floor running on jobs already issued,” Larrue says. “The ERP system provides information to execute on the shop floor, but we can still produce without it. Production didn’t come to a grinding halt.”

But “we couldn’t see too far into the future” until the ERP system was back online, he recalls.

By some stroke of luck, the company’s human resources and payroll server wasn’t infected with ransomware. Neither were its two backup appliances, although there were signs the attackers had tried to encrypt the Arcserve 8200 Series devices but had failed for some unknown reason. One appliance sat in Building A and the other in Building B on the campus; they were set to run a data backup rotation and handle file compression for terabytes of the firm’s data.

“So this was more or less all we had,” as well as some older backup tapes that only contained data for the past four years, Larrue says.

And C.E. Niehoff had not actually set up the appliances for full system recovery yet — the devices were relatively new — so Larrue had to get help from an Arcserve engineer/technician to restore the backups to the new computers, which the manufacturing firm had to quickly purchase to replace the compromised systems. A couple of the systems that had been configured for bare-metal restoration were back online quickly, he recalls, but there were challenges with several other systems that had not been configured for full restoration.

“We had to more or less rebuild the machine,” which took longer to restore, he says.

One way to keep backup systems safe from ransomware attacks is to keep them on a separate domain, advises Gary Sussman, the Arcserve engineer who helped Larrue restore the manufacturing company’s systems. He also recommends setting them with strong credentials and ensuring that hardware encryption “is turned on.”  

In all, it took C.E. Niehoff two-and-a-half weeks to get all of its systems fully back up and running, starting with its email server.

Larrue says the company has since added additional layers of security and is working on beefing up redundancy in its systems and storage, including some cloud-based storage. Ransomware threats are the new normal.

“The lessons learned here is this is an ongoing campaign and it’s not going to stop,” he says of the threat of ransomware attacks.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/attacks-breaches/how-a-manufacturing-firm-recovered-from-a-devastating-ransomware-attack/d/d-id/1334760?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

7 Signs of the Rising Threat of Magecart Attacks in 2019

Magecart attacks continue to grow in momentum. Here are the stats and stories that show what’s behind the mayhem.

Image Source: Adobe Stock (M.a.u.)

Popping up in various permutations for the better part of four years now, the online payment skimming operations run by Magecart fraudsters continue to intensify in 2019. Magecart was once the name of a single group running these attacks, which target vulnerable content management systems used to process payments on e-commerce sites. But as the number of actors widened to as many as 12 major identifiable criminal syndicates, the Magecart moniker is now just as likely to refer to the common techniques they use.

Magecart attacks work on the same principles that a POS skimmer would at a physical cash register. The bad guys find a way to quietly insert scripts onto compromised servers running payment systems to steal customer data as it’s entered by customers on an e-commerce site, sending that data silently to the attackers without interrupting the payment mechanism.
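Because a skimmer has to run inside the checkout page, one defensive control is to keep a baseline of the scripts that page is supposed to contain and audit the served page against it. The following is an added example, not code from the article or from any vendor mentioned in it: it parses the page's script tags and reports any external script from an origin outside an allowlist, any external script without a Subresource Integrity attribute, and any inline script whose SHA-256 is not in the deploy-time baseline. The page, the allowlist and the domains in it are constructed placeholders.

```python
"""Added example: baseline audit of the <script> tags on a checkout page.

The HTML, origins and hashes below are constructed placeholders, not real
skimmer infrastructure or any real site's content.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

CHECKOUT_HTML = """<html><body>
<form id="payment"><input name="cardnumber"></form>
<script src="https://cdn.shop.example.com/js/checkout.js"
        integrity="sha256-PLACEHOLDERHASH" crossorigin="anonymous"></script>
<script>window.shopConfig = {currency: "USD"};</script>
<script src="https://static.example.net/jquery-min.js"></script>
</body></html>"""

ALLOWED_ORIGINS = {"https://cdn.shop.example.com"}          # assumed allowlist (constructed)
BASELINE_INLINE = {                                          # SHA-256 of approved inline bodies
    hashlib.sha256(b'window.shopConfig = {currency: "USD"};').hexdigest(),
}


class ScriptCollector(HTMLParser):
    """Collect every <script> tag: its src, integrity attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.scripts.append({"src": a.get("src"), "integrity": a.get("integrity"), "body": ""})
            self._in_script = True

    def handle_data(self, data):
        if self._in_script:                 # HTMLParser delivers script bodies as data
            self.scripts[-1]["body"] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def audit_scripts(html, allowed_origins=ALLOWED_ORIGINS, baseline=BASELINE_INLINE):
    """Return (finding, detail) tuples; an empty list means the page matches the baseline."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        if s["src"]:
            u = urlparse(s["src"])
            origin = f"{u.scheme}://{u.netloc}"
            if origin not in allowed_origins:
                findings.append(("unknown-origin", s["src"]))
            if not s["integrity"]:
                findings.append(("missing-sri", s["src"]))
        else:
            digest = hashlib.sha256(s["body"].strip().encode()).hexdigest()
            if digest not in baseline:
                findings.append(("inline-not-in-baseline", digest))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_scripts(CHECKOUT_HTML):
        print(f"{kind}: {detail}")
```

On the constructed page the only findings concern the second external script, which is neither on the allowlist nor protected by an integrity hash; changing a single character of the inline script produces an `inline-not-in-baseline` finding. The origin check alone would miss a skimmer appended to an approved file on a compromised server, which is why the integrity attribute and the inline-body hash matter: a Content Security Policy enforced by the browser complements this server-side audit rather than replacing it.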

“With the number of criminal groups operating these skimming campaigns, it’s likely one of the biggest threats facing e-commerce right now,” said Yonathan Klijnsma, threat researcher for RiskIQ, late last year.

Security experts like Bob Rudis, chief data scientist at Rapid7, believe this has to do with the work done to reduce POS fraud through the use of chip-based credit cards.

“Attackers still want payment card data, since they have their own playbooks full of successful steps they can take to turn digits into dollars,” Rudis recently wrote. “Rather than abandon all this coin, they’ve refocused their efforts to the server side.”

Last year we saw anecdotal evidence of this with high-profile Magecart attacks against the likes of British Airways, Ticketmaster, and NewEgg. The hits keep coming, and the signs are mounting that Magecart is gaining even more momentum this year.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: https://www.darkreading.com/cloud/7-signs-of-the-rising-threat-of-magecart-attacks-in-2019/d/d-id/1334744?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple