2022’s 3 Biggest IT Trends Affecting Your Business
Keeping track of IT developments that can affect business operations is a daily challenge. Halfway through 2022, we look at three IT trends affecting all organizations, no matter their size or industry.
How to Setup a Secure Home Office Network
The COVID-19 pandemic has greatly increased the number of people working from home, making home office networks routine rather than an exception. Home offices typically use a Wi-Fi network to connect wireless devices such as computers, phones, IP cameras, TVs and voice assistants to the internet. This type of network requires some basic steps to prevent a hacker from gaining access and compromising your system.
A home office Wi-Fi network typically includes a wireless router that connects to the internet via a radio signal in the range of 2.4 to 5 GHz. The ability to access the internet without a physical connection is a great advantage in the home, especially as the number of devices on the network increases. However, anyone within range of the router can use its connection unless it’s adequately protected.
Router Updates
Routers use software that the manufacturer updates periodically. Ensure that your router has the most current version of its software before you start setting it up, especially if the router isn’t new. This process generally involves downloading the current version of software from the manufacturer’s website. You should also register your router with the manufacturer and sign up for update notifications if possible. If you got your router from an ISP, you’ll need to check with them for options on updating your router’s software.
Passwords
Many routers have preset passwords, which you should change when setting up your home office network. Hackers can easily learn the default passwords for any commercially manufactured router, making it a trivial process to access your wireless network. The new passwords should generally be difficult to guess, but easy to remember.
Wireless routers have two types of passwords — the Wi-Fi network password and the administrator password. The Wi-Fi network password allows devices to connect to the network, while the administrator password allows you to change the router’s configuration. Among other security settings, an administrator can change the router’s password.
The specific procedure for changing a router’s passwords depends primarily on the manufacturer, although it can be specific to that particular model. Perform an online search on phrases like “how to change [manufacturer] Wi-Fi network password” and “how to change [manufacturer] admin password.” If these searches are unsuccessful, you may need to contact the manufacturer directly.
Remote Management
Disable features like remote management, Universal Plug and Play (UPnP) and Wi-Fi Protected Setup (WPS). These features can be highly convenient, but they also weaken security by making it easier for a hacker to access your network. For example, remote management allows you to change the router settings from a web browser, while UPnP lets your devices find each other on the network. WPS allows you to connect a device to the network by pressing a button on the router instead of entering the Wi-Fi network password.
Encryption
Encrypting your network is an essential step for ensuring that unauthorized users can’t access it, which generally involves updating the appropriate setting. Modern routers usually offer secure encryption standards like Wi-Fi Protected Access II (WPA2) and Wi-Fi Protected Access III (WPA3). While WPA3 is a stronger standard, WPA2 is still considered acceptably secure for most home networks.
Older routers may only offer outdated encryption standards like WPA and Wired Equivalent Privacy (WEP), which are now considered insecure. If your router doesn’t currently have WPA2 or WPA3, update your router’s software to see if that action adds them to your encryption options. If not, you should consider getting a new router.
Administrator Log Out
Changing your router’s passwords and other security settings requires you to log on to its administrator account. Once you’ve finished maximizing your router’s security, you need to log out of your administrator account. Otherwise, a hacker can use that account to access your network devices without needing to guess your administrator password.
#covid #covid secure #workplace #office #pandemic flickr photo by Free For Commercial Use (FFC) shared under a Creative Commons (BY) license
4 Actions to Take After Upgrading to Windows 11
After upgrading to Windows 11, you probably will be excited and want to start using it right away. However, it is better to perform some checks and customizations. Here are four actions you might consider taking.
After you upgrade to Windows 11, you probably will be tempted to immediately use it. You might want to resist that temptation, though. A better plan is to make sure everything is working correctly and to make some customizations so that you have the best possible experience. Here are four actions you might consider taking:
- Make Sure Your Desired Antivirus Solution Is Running
Windows 11 comes with Windows Security (formerly known as Windows Defender Security Center). It includes an antivirus program called Microsoft Defender Antivirus. You can choose to use this program or a third-party antivirus solution instead.
Microsoft Defender Antivirus is designed to automatically turn on if you do not have a third-party antivirus solution installed. If you are using another antivirus solution, Microsoft Defender Antivirus is supposed to turn off so your desired solution can run.
No matter your preferred solution, it is a good idea to make sure it is running. Go to the Privacy & Security tab of Windows 11's Settings app, select "Windows Security" in the left menu, click the "Open Windows Security" button, and choose "Virus & threat detection". The page that appears will state if a third-party antivirus solution is turned on and display its status. If Microsoft Defender Antivirus is being used, the page will show its status. You will also see options that let you manage Microsoft Defender Antivirus settings and run scans.
- Check Privacy Settings
When you upgrade from Windows 10 to Windows 11, the privacy settings you set in Windows 10 should automatically transfer to Windows 11. However, glitches can occur, so you might want to check your privacy settings. This check will also give you a chance to review those settings and make sure they still align with your comfort level. You can find the privacy settings in the Privacy & Security tab of Windows 11's Settings app.
- Test Third-Party Apps and Peripherals
Windows 11 contains significant changes, so it is important to make sure your third-party apps are working after the upgrade. There are many reasons why an app might not work. For example, a service that the app needs might not be running, the app might be incorrectly installed, or the app might not be supported on Windows 11. Learning why an app is not working will take time, so the sooner you know about a problematic app, the better.
You should also make sure your peripherals (e.g., mouse, keyboard, external hard drives) are working. A common cause of problems is drivers. Although Windows 11 is designed to automatically update drivers, problems can occur. For example, Windows 11 will only install drivers that have been tested and verified by Microsoft. If a device manufacturer releases an updated driver but Microsoft has not tested it, Windows 11 will not install it.
- Customize the Startup Apps
A common complaint about Windows 11 is that it takes longer to launch than its predecessor. One factor that affects bootup performance is the number of high-impact startup apps. Startup apps are programs that are configured to automatically launch when you turn on your computer. For example, the startup apps in Windows 11 include Slack, Spotify, Microsoft OneDrive, and Microsoft Teams. The higher a startup app's impact, the longer it takes for the app to launch — and the longer it takes for the computer to boot up.
You can see the list of startup apps and their impact level in the Settings app (select the Apps tab and choose "Startup" in the left menu). If you do not want a certain app to automatically start, you can move its slider to "Off" to disable it. When you do this, you are not uninstalling the app. You are just stopping it from automatically launching when you turn on your computer. If you later change your mind, you can enable it again by moving its slider to "On".
Disabling a high-impact startup app can improve bootup performance. However, it is important to avoid disabling all the high-impact startup apps. Some of those apps might be needed to keep your computer running properly or keep it secure. So, before changing the status of a startup app with which you are not familiar, check with us first. We can let you know whether or not it is a good idea to change its status.
Windows 11 flickr photo by okubax shared under a Creative Commons (BY) license
Ukraine Invasion Threatens US Cybersecurity
Hacking groups throughout the world are increasing their activities as a result of the Russian invasion of Ukraine on February 24, 2022. Some of these groups are supporting a particular side, while others simply want to take advantage of the resulting chaos.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning concerning the growing threat of advanced persistent threat (APT) actors resulting from the invasion. While world superpowers have fought each other by proxy in the past, the current conflict in Ukraine may be the first cyber proxy war.
History
Cyber attacks by Russian-based hackers have already succeeded in affecting US infrastructure, especially during the past year. The ransomware attack on the Colonial Pipeline in May 2021 led to gas shortages on the East Coast due to panic buying. A similar attack against JBS, the world’s largest meat processing company, the following month escalated concerns about a spike in meat prices.
Conti
Security analysts believe the ransomware group Conti is backed by the Russian government, so it comes as no surprise that it will be supporting Russia in its ongoing conflict with Ukraine. This group has already carried out hundreds of attacks in recent years and recently stated on the dark web that it would use all its resources to strike at critical infrastructure belonging to anyone who attacks Russia. Conti is the first cyber criminal group to publicly back Russia, but others are likely to follow. Conti's position is particularly noteworthy, considering Russia’s recent crackdowns on ransomware against its own infrastructure. This stance could indicate that the group is operating with the Kremlin’s blessing.
U.S. officials have repeatedly warned about the risk of ransomware attacks from Conti, especially as economic sanctions begin to impact Russia. Conti was the second most active ransomware group in the world during 2021 by number of victims, according to Digital Shadows. This group already has experience in attacking a nation’s critical infrastructure, having crippled Ireland’s Health Service Executive (HSE) in May 2021.
Anonymous
The hacker group Anonymous has allied itself with Ukraine in the current Russo-Ukrainian conflict. This group has made multiple Twitter posts on this issue that include its signature figure in a Guy Fawkes mask. Anonymous has stated that it’s in a “cyber war” against the Russian government, adding that it will take industrial control systems hostage if the situation in Ukraine worsens. This group’s involvement is expected, as Anonymous has a well-known reputation for taking strong stands on political issues and acting on them via cyber attacks.
Anonymous claimed on the day of the Russian invasion that it had already brought down multiple websites of the Russian government, including state news site RT News. The hacker group added that the news site was spreading propaganda about Russia’s invasion of Ukraine. RT News confirmed that it was the victim of a distributed denial-of-service (DDoS) attack. Anonymous also tweeted on February 25 that it had successfully breached the Russian Ministry of Defence’s website and leaked its contents. Twitter later removed this tweet for violating its posting rules.
Another hacker group named Ghost Security, or GhostSec, has also disclosed its intentions to support Ukraine. Analysts believe GhostSec is an Anonymous offshoot.
The Russian invasion of Ukraine will significantly increase cyber attacks against multiple countries. Politically motivated groups will carry out most of these attacks against the primary combatants, but US infrastructure is also likely to be targeted by ransomware groups during the conflict. Some of these groups may be seeking financial gain, but others could retaliate if the US imposes economic sanctions against Russia. In this scenario, the energy and financial services sector would be at greatest risk since these industries would be most impacted by sanctions. This conflict is thus likely to show that cyber attacks have now joined the traditional conflict theaters of air, land and sea.
Cybersecurity green flickr photo by Infosec Images shared under a Creative Commons (BY) license
Don't Upgrade with this Fake Windows 11 Install
Malicious actors routinely use current events to lure victims into downloading their malware.
For example, one such entity registered the windows-upgraded.com domain on January 27, 2022, the day after Microsoft announced the final phase of the Windows 11 upgrade. The actor used this website to infect computers with RedLine Stealer by disguising it as a Windows 11 installer, although the domain is no longer active as of February 11. This malware steals the victim’s information and is widely available for sale in underground forums.
The fake website in this campaign was similar to the legitimate Windows 11 website, except that clicking on the button labeled “Download Now” downloaded a zip file named Windows11InstallationAssistant.zip. This file was hosted on a Discord network rather than one belonging to Microsoft, as a legitimate file would be. This campaign is similar to an earlier RedLine Stealer campaign discovered in December 2021 that used the domain discrodappp.com, which disguised RedLine Stealer as an installer for discordapp, a popular messaging app.
File Size
Windows11InstallationAssistant.zip has a size of 1.5 MB, which expands to 753 MB when you decompress it. The executable Windows11InstallationAssistant.exe accounts for 751 MB of this total, with six dynamic link libraries (DLLs) and an Extensible Markup Language (XML) file accounting for the remaining 2 MB. The compression ratio for this executable is about 99.8 percent, as compared to a compression of 47 percent for typical executables.
The reason for this unusually high compression is that Windows11InstallationAssistant.exe is heavily padded with meaningless 0x30 bytes just before the file signature at the end of the file. The actors who wrote this malware likely included this padding to make it more difficult to analyze with malware tools, which are often unable to process files above a certain size. Analysts must first remove the padding from Windows11InstallationAssistant.exe before running tools against it, which also prevents many virus scanners from automatically detecting this malware.
Analysis
Once Windows11InstallationAssistant.exe has been reduced to its proper size, it’s possible to analyze it dynamically in a sandbox or statically with malware tools. Upon execution, this malware’s first action is to start a PowerShell process that launches a cmd.exe process with a timeout of 21 seconds. Once this process times out, the PowerShell process downloads a file named win11.jpg, although it isn’t a JPEG file.
The file is actually the RedLine Stealer DLL, but with the contents in reverse order. This tactic allows RedLine Stealer to avoid detection by malware tools looking specifically for its signatures. The initial process in Windows11InstallationAssistant.exe places the contents of win11.jpg in the correct order and loads it, replacing the current thread context with RedLine Stealer.
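The two evasion tricks described above (a huge run of 0x30 filler ahead of the trailing signature, and a payload stored byte-reversed so its PE header is not at the front) can both be triaged with a few lines of Python. This is an added example, not code from the campaign or from the analysts cited; the sample "executable" and padding sizes are constructed in memory, and the 1 MB run threshold is an assumption.

```python
"""Triage helpers for a padded executable and a byte-reversed DLL.

Added example, not the campaign's own code. Inputs are constructed
in memory; nothing is downloaded or executed.
"""
import re
import zlib

PAD_BYTE = 0x30          # the filler byte reported in the analysis
MIN_RUN = 1024 * 1024    # assumed: a run this long is padding, not data


def compression_ratio(data: bytes) -> float:
    """1 - compressed/original; ~0.5 is typical for code, ~0.99 means filler."""
    return 1.0 - len(zlib.compress(data, 9)) / len(data)


def find_padding_run(data: bytes, pad_byte: int = PAD_BYTE, min_run: int = MIN_RUN):
    """Return (offset, length) of the longest run of pad_byte >= min_run, else None."""
    pattern = re.compile(re.escape(bytes([pad_byte])) + b"{%d,}" % min_run)
    best = None
    for m in pattern.finditer(data):
        length = m.end() - m.start()
        if best is None or length > best[1]:
            best = (m.start(), length)
    return best


def strip_padding(data: bytes, pad_byte: int = PAD_BYTE, min_run: int = MIN_RUN):
    """Remove the padding run but keep whatever follows it (the signature).

    Returns (stripped_bytes, bytes_removed)."""
    run = find_padding_run(data, pad_byte, min_run)
    if run is None:
        return data, 0
    start, length = run
    return data[:start] + data[start + length:], length


def looks_reversed_pe(data: bytes) -> bool:
    """True if the bytes read backwards begin with the 'MZ' DOS header."""
    return len(data) >= 2 and data[-2:][::-1] == b"MZ"


def classify_payload(data: bytes) -> str:
    """Name what a downloaded 'image' really is, by magic bytes."""
    head = data[:2]
    if head == b"\xff\xd8":
        return "jpeg"
    if head == b"MZ":
        return "pe"
    if looks_reversed_pe(data):
        return "reversed-pe"
    return "unknown"


def unreverse(data: bytes) -> bytes:
    """Put a reversed payload back into its natural order for analysis."""
    return data[::-1]


if __name__ == "__main__":
    # Constructed stand-ins: a small 'PE' body, 200 KB of 0x30 filler, a tag.
    body = b"MZ" + bytes(range(256)) * 8
    padded = body + bytes([PAD_BYTE]) * 200_000 + b"<signature>"
    print("compression ratio:", round(compression_ratio(padded), 3))
    stripped, removed = strip_padding(padded, min_run=4096)
    print("removed", removed, "padding bytes; remaining", len(stripped))
    blob = unreverse(body)   # what a win11.jpg-style download looks like
    print("downloaded blob classified as:", classify_payload(blob))
```

The run threshold is lowered to 4 KB in the demo so the constructed sample stays small; against a real 750 MB sample the default 1 MB threshold avoids false hits on short filler inside legitimate sections.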
This malware is a typical information stealer that collects data on the host’s current execution environment, including system name, user name and installed software. It also takes website passwords stored by the host’s browser in addition to auto-complete data that often includes credit card numbers and cryptocurrency wallets. RedLine Stealer then exfiltrates this data to a command and control (C2) server controlled by the attackers and awaits further instructions.
Protection
The most effective way of protecting yourself from fake installers like the one in the latest RedLine Stealer campaign is to download installers only from legitimate sources, typically the software distributor’s own website. This is particularly true of major distributors like Microsoft, which can afford to host their own installation files. A website on a newly registered domain is highly suspicious, especially if it claims to be from a large software vendor.
Warning Triangle flickr photo by dlg_images shared under a Creative Commons (BY) license
Don't Leave Your Cloud App Data Vulnerable
Many companies use cloud apps like Microsoft 365, Google G Suite, and Salesforce without adequately protecting the data within those apps. Learn why this is problematic and how businesses can remedy the situation.
When cloud computing was first introduced, most businesses were reluctant to try the apps being offered by public cloud service providers. Companies were mainly concerned about whether their data and other IT assets would be secure.
Nowadays, that's no longer the case. The apps offered by public cloud service providers — collectively known as Software as a Service (SaaS) apps — are popular among businesses. Companies use an average of 110 SaaS apps, according to one study. However, more than half of them admit to not investing enough resources to protect the data within the apps. This is problematic because SaaS apps are also popular among cybercriminals.
For example, cybercriminals targeted companies using Microsoft 365 in January 2022. The attackers wanted to access employees' Outlook apps so that they could read and send emails, change inbox rules, view employees' contacts, examine calendars, and more, according to Microsoft. The cybercriminals did not access Outlook by stealing, guessing, or tricking employees into revealing their passwords. Instead, they used a consent phishing campaign.
In consent phishing attacks, cybercriminals try to dupe SaaS users into giving a malicious app the permissions it needs to access data or other resources. In the January 2022 attack, the cybercriminals tricked Outlook users into granting permissions to a malicious app named Upgrade.
The malicious apps used in consent phishing campaigns abuse OAuth request links. These links allow users to share information about their accounts with a third-party app or website, without having to give the app or site their passwords.
Consent phishing attacks are not limited to Microsoft's cloud apps. Any SaaS app that uses OAuth 2.0 authorization is vulnerable. For instance, cybercriminals have used this type of attack to access users' data in Google Gmail.
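What makes a consent-phishing link dangerous is not the domain (the authorize endpoint really is the identity provider's) but the permissions the app asks for. The following added example, not code from Microsoft or any vendor, parses an OAuth 2.0 authorization URL and flags the signals a reviewer or mail filter would care about: mailbox and data scopes of the kind abused in the January 2022 campaign, a refresh-token grant, and a redirect to an unapproved host. The sample URL, the client_id placeholder, and the allow list are constructed; the scope names are real Microsoft Graph delegated permissions.

```python
"""Inspect an OAuth 2.0 authorization link before anyone clicks Accept.

Added example for the consent-phishing discussion; not vendor code.
"""
from urllib.parse import parse_qs, urlparse

# Delegated Graph permissions that would let an app read and send mail,
# change mailbox settings (inbox rules), and read contacts and calendars.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Contacts.Read", "Calendars.Read", "Files.ReadWrite.All",
}
# offline_access yields a refresh token, so consent outlives the session.
PERSISTENT_SCOPE = "offline_access"


def inspect_consent_link(url: str, allowed_redirect_hosts: set) -> dict:
    """Parse an authorize URL; return its key fields plus a list of warnings."""
    q = parse_qs(urlparse(url).query)
    first = lambda key: q.get(key, [""])[0]          # first value or ""
    scopes = set(first("scope").split())
    redirect = urlparse(first("redirect_uri"))
    warnings = []

    risky = sorted(scopes & HIGH_RISK_SCOPES)
    if risky:
        warnings.append("requests mailbox/data scopes: " + ", ".join(risky))
    if PERSISTENT_SCOPE in scopes:
        warnings.append("requests offline_access (long-lived refresh token)")
    if redirect.hostname not in allowed_redirect_hosts:
        warnings.append(f"redirect_uri host {redirect.hostname!r} is not an approved app host")
    if redirect.scheme != "https":
        warnings.append("redirect_uri is not https")
    if first("response_type") != "code":
        warnings.append(f"unusual response_type {first('response_type')!r}")
    if first("prompt") == "consent":
        warnings.append("prompt=consent forces the consent dialog even for known users")

    return {
        "client_id": first("client_id"),
        "scopes": sorted(scopes),
        "redirect_host": redirect.hostname,
        "warnings": warnings,
    }


def is_suspicious(url: str, allowed_redirect_hosts: set) -> bool:
    return bool(inspect_consent_link(url, allowed_redirect_hosts)["warnings"])


# Constructed sample: the endpoint is the real Microsoft identity platform
# authorize URL; the client_id is a placeholder and the app host is fictional.
SAMPLE_PHISH_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fupgrade-app.example%2Fcallback"
    "&scope=Mail.ReadWrite%20Mail.Send%20offline_access%20User.Read"
    "&state=abc123&prompt=consent"
)
SAMPLE_BENIGN_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.contoso.example%2Fcb"
    "&scope=User.Read%20openid&state=abc123"
)
APPROVED_APP_HOSTS = {"app.contoso.example"}   # constructed allow list

if __name__ == "__main__":
    for url in (SAMPLE_PHISH_URL, SAMPLE_BENIGN_URL):
        report = inspect_consent_link(url, APPROVED_APP_HOSTS)
        print(report["redirect_host"], report["scopes"])
        for w in report["warnings"]:
            print("  WARNING:", w)
```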
Consent phishing campaigns are on the rise, according to Microsoft, Proofpoint, and other threat analysts. So, too, are other types of cyberattacks that target SaaS apps. Defending against these attacks requires action from both SaaS providers and the businesses using their apps.
Businesses' Security Responsibilities
One of the main advantages of using SaaS apps is that companies do not need to maintain or secure the apps or the infrastructure on which they run. SaaS providers are responsible for those tasks. However, companies have a few responsibilities.
For starters, businesses are responsible for controlling and securing employees' access to the SaaS apps. Failing to control and protect the account credentials that employees and groups use to access SaaS apps can result in cybercriminals compromising those credentials and using them to access app data.
Companies also are responsible for properly configuring certain SaaS app settings. SaaS providers let companies configure some app settings (e.g., file-sharing options) so that the apps are customized for their environment. However, misconfigurations can open the door to cyberattacks.
"One slight misconfiguration or unsafeguarded user permission presents a possible attack vector," according to SaaS security experts. "The thing is that most organizations now have hundreds of SaaS apps. This amounts to hundreds of global settings as well as thousands to tens of thousands of user roles and permissions to configure, monitor, and consistently update. It's no wonder there are so many exploitable misconfigurations with the sheer volume of settings and configurations."
Finally, businesses are responsible for backing up their app data to protect against data loss. Although SaaS providers assume responsibility and take measures to protect against data loss due to operational failures (e.g., infrastructural breakdowns, natural disasters), the vast majority of them explicitly state in their terms and conditions that it is the company's responsibility to protect against data loss due to accidental deletions and security attacks, according to a Forrester report.
Security Measures That Businesses Can Take
To secure employees' access to SaaS apps, prevent setting misconfigurations, and protect against data loss, companies might consider taking the following security measures:
- Apply the principle of least privilege. Companies should limit employees' access to (and permissions in) SaaS apps to the minimal level that will allow them to perform their job duties. In addition, the access should be in effect for the shortest time necessary.
- Use multi-factor authentication. Many SaaS apps offer multi-factor authentication (aka two-step verification). When multi-factor authentication is enabled, app users must provide two credentials when logging in, such as a password and one-time security code. This extra layer of security helps prevent unauthorized access to the app and its data.
- Stop malicious emails from reaching employees. Since consent phishing attacks are carried out through email, businesses should try to stop as many malicious emails as possible from reaching employees' inboxes. Ways to do this include taking advantage of email servers' security features (e.g., phishing and spam blockers), disabling automatic forwarding to external email accounts, and creating mail flow rules to block risky file attachments. Companies might also consider using an advanced email security solution, such as a secure email gateway.
- Double-check SaaS app settings. Although it takes time to double-check app settings, it is time well spent. Improperly configured settings can give cybercriminals what they need to attack a company.
- Educate employees. It is important to educate employees about cybersecurity in general as well as specific cyberthreats associated with the SaaS apps they are using. For instance, employees should learn about consent phishing emails and how to spot them.
- Back up SaaS app data. Since most SaaS providers explicitly state in their terms and conditions that it is the customer's responsibility to protect against data loss due to cyberattacks and accidental deletions, it is important to regularly back up SaaS app data. This can be accomplished several ways, including using a cloud-to-cloud backup service or an on-premises backup solution.
These security measures provide a good starting point for protecting your company's SaaS app data. We can help you determine additional measures your business can take based on the SaaS apps being used and your IT environment.
Cloud Computing - Abstract 2 flickr photo by perspec_photo88 shared under a Creative Commons (BY-SA) license
Android Malware Attacking Again
Cybercriminals have recently increased their use of banking trojans, which continue to become more effective as they evolve.
For example, Brazilian Remote Access Tool Android (BRATA) was originally spyware for Android devices, but has now been upgraded to a banking trojan. Hackers have developed multiple versions of BRATA, depending on its intended target.
BRATA’s most malicious change is that it can now perform a factory reset on the target device, preventing victims from detecting unauthorized wire transfers. A factory reset indicates that either BRATA has successfully compromised the device and completed the transaction, or it has detected that it’s running in a virtual environment and is attempting to avoid dynamic analysis by anti-virus (AV) software. BRATA primarily uses this capability as a kill switch, but it also discourages users from wiping the device as this action could result in an irreversible loss of data.
Security firm Cleafy reports that a downloader is propagating BRATA to evade detection by antivirus solutions. BRATA also scans the target device for AV software and attempts to remove it before exfiltrating data. In addition, it’s capable of GPS tracking and uses several methods to maintain communications between the device and its command and control (C2) server. Furthermore, BRATA continuously monitors the victim’s banking apps with techniques such as keylogging and Virtual Network Computing (VNC).
Variants
Three new variants of BRATA have attacked financial institutions in China, Italy, Latin America, Poland, the U.K. and Spain. Each one is specifically designed for different targets, including unique apps, languages and overlays. However, all versions use the same techniques to avoid detection by AV software, including enclosing their Android Application Package (APK) file in an encrypted Dalvik Executable (DEX) or Java Archive (JAR) package.
Protection
BRATA relies on social engineering techniques to infect target devices. The best ways of protecting your devices from this type of malware include conducting research on apps you want to download, not using links from untrusted sources and subscribing to a mobile AV program.
An app isn’t necessarily legitimate just because it’s listed on the App Store or Google Play. Check the number and quality of reviews before downloading any app. An app that has only a few vague reviews is probably either new or fake. Check the app developer’s history to ensure they have a good reputation before downloading one of their apps.
Never click on any links in an email message if you aren’t sure who sent it. A message with many writing errors is also suspicious, especially if it purports to come from a legitimate business. Phishing emails often rely on creating a sense of urgency to coerce recipients into responding without examining the sender’s address. Call the company’s customer service number directly to verify the email’s authenticity before responding, especially if the email claims to be from a financial institution.
Subscribe to an antivirus product for mobile devices like McAfee Mobile Security. This app uses various techniques to protect Android devices and iPhones, including scanning for malicious apps, safe surfing, and locating lost or stolen devices. Also, use caution when granting permissions to a new app by ensuring those permissions are related to the app’s core functionality.
BRATA is one of many banking trojans that are currently active, which poses a major financial threat. The latest changes in BRATA indicate its creators are developing new features intended to customize it for new targets. The same techniques that are effective against other social engineering-based attacks should also protect your device from BRATA.
Android flickr photo by Inteaux shared under a Creative Commons (BY) license
3 Ways Windows 11 Will Make It Harder for Hackers to Attack Your Company's Computers
The rollout of Windows 11 is well underway. Here are three ways Windows 11 is helping companies keep malware at bay.
Dridex is sending out Termination Letters, Fake Covid Funerals
The latest Dridex phishing campaign has been using various hot topics to lure its victims, including COVID-19 funeral assistance and employee termination letters. Regardless of the message’s contents, the purpose of the email is to get the reader to click on an attachment, which is typically in Excel or Word format. Opening this document installs malicious code on the victim’s computer, which then performs a variety of actions.
GoDaddy Data Breach Exposes Over a Million Users
GoDaddy reports that it was the victim of a data breach affecting up to 1.2 million of its customers. The breach occurred in September 2021, although the web hosting service didn’t notice it until November of this year. Security researchers say the breach was the result of inadequate security that failed to meet industry best practices. While GoDaddy has changed the passwords of the affected customers, those customers may still be at risk for additional problems caused by the hackers while they had access to customer accounts.
GoDaddy’s investigation shows that the attack began on September 6, 2021, but wasn’t discovered until November 17. It also reported that a third party had accessed the provisioning system in GoDaddy’s legacy code base for its Managed WordPress hosting environment. This system is the process by which GoDaddy sets up its customers with their new hosting services, which involves assigning them server space, usernames and passwords. GoDaddy also informed the United States Securities and Exchange Commission (SEC) of the breach in November.
The customer data that was exposed includes the following:
- Customer numbers
- Email addresses
- WordPress administrator passwords
- Secure FTP (SFTP) usernames and passwords
- Database usernames and passwords
- SSL private keys
Details
Wordfence security experts report that GoDaddy’s Managed WordPress hosting environment stored SFTP usernames and passwords in unencrypted plain text, allowing hackers to freely obtain them. This approach doesn’t comply with industry best practices, which generally prohibit storing any password in a reversible format. The most commonly accepted methods of protecting passwords are to store them as salted hashes or to use public key authentication instead of passwords.
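The difference between the two storage approaches is easiest to see side by side. The following added example (not GoDaddy's code; the record layout, sample users and iteration count are constructed or assumed) keeps a plaintext credential table next to a salted-hash table built on PBKDF2-HMAC-SHA256 from the standard library, and shows what a reader of each table actually obtains.

```python
"""Plaintext credential store beside a salted-hash store.

Added example, not GoDaddy's code. Uses only the Python standard library.
"""
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumed PBKDF2 work factor; tune to your hardware
SALT_BYTES = 16


class PlaintextStore:
    """The pattern described in the breach: passwords stored as-is."""

    def __init__(self):
        self._rows = {}

    def add(self, user: str, password: str) -> None:
        self._rows[user] = password

    def check(self, user: str, password: str) -> bool:
        return self._rows.get(user) == password

    def dump(self) -> dict:
        """Exactly what anyone who reads the table gets: every password."""
        return dict(self._rows)


class SaltedHashStore:
    """Best-practice pattern: per-user random salt plus a slow keyed hash."""

    def __init__(self):
        self._rows = {}

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

    def add(self, user: str, password: str) -> None:
        salt = os.urandom(SALT_BYTES)
        self._rows[user] = (salt, self._derive(password, salt))

    def check(self, user: str, password: str) -> bool:
        row = self._rows.get(user)
        if row is None:
            # Do the same work for an unknown user so timing does not reveal
            # which usernames exist.
            self._derive(password, b"\x00" * SALT_BYTES)
            return False
        salt, digest = row
        return hmac.compare_digest(digest, self._derive(password, salt))

    def dump(self) -> dict:
        """What a reader of this table gets: salts and digests, no passwords."""
        return {u: (salt.hex(), digest.hex()) for u, (salt, digest) in self._rows.items()}


if __name__ == "__main__":
    # Constructed sample accounts; the same password appears twice on purpose.
    plain, hashed = PlaintextStore(), SaltedHashStore()
    for user, pw in (("site-alpha", "correct horse"), ("site-beta", "correct horse")):
        plain.add(user, pw)
        hashed.add(user, pw)
    print("plaintext table:", plain.dump())
    print("hashed table:", hashed.dump())   # two different digests, one password
    print("login ok:", hashed.check("site-alpha", "correct horse"))
```

Note that the salt makes identical passwords produce different digests, so a reader of the hashed table cannot even tell that two accounts share a password.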
Ongoing Concerns
GoDaddy’s report to the SEC states that it has reset all the passwords for affected customers, which should prevent future breaches of those accounts. However, the report also describes the possibility of phishing attacks, since the attackers now have customer email addresses. Furthermore, the fact that the intrusion wasn’t detected for over two months means that websites hosted on GoDaddy could still be compromised because those websites could still contain malicious files left by the hackers. This possibility requires GoDaddy to perform a thorough security scan to remove these files, which could be backdoors or Trojans. Hackers can use these types of files to upload other malicious files or add a user account with administrative privileges.
However, GoDaddy’s official statement doesn’t mention anything about the measures it has taken to repair websites that could still be compromised. Wordfence analysts acknowledge that the two-month period during which the breach was undiscovered could have allowed attackers to retain control over the websites even after GoDaddy changed the passwords for those users. Furthermore, the damage may not be limited to the businesses hosted on WordPress through GoDaddy, according to Wordfence. Hackers also had access to databases that could allow them to access additional customer information, including sensitive data stored on ecommerce websites.
A data breach affecting over a million GoDaddy customers occurred in September 2021, which remained undetected for two months. Hackers were able to exploit a vulnerability in GoDaddy’s hosting service that involved storing customer passwords in plain text, making it easy for them to access those customers’ accounts. GoDaddy has reported this breach to the general public and specifically to the SEC.
GoDaddy’s only reported action so far is to reset the passwords of the affected customer accounts. The hosting service hasn’t said anything yet concerning the mitigation of other possible actions by the attackers such as compromised databases, rogue administrator accounts, and malicious scripts. Additional breaches of ecommerce sites hosted by GoDaddy are another issue of concern for their customers going forward.
Data Breach flickr photo by EpicTop10.com shared under a Creative Commons (BY) license