
True North Networks Blog

True North Networks has been serving the Swanzey area since 2002, providing IT Support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.

Cybersecurity: Malware lingers in SMBs for an average of 800 days before discovery

Small and medium-sized businesses lack the IT staff needed to run comprehensive security detection and response, according to Infocyte.

Despite the adoption of advanced cybersecurity tools, SMBs remain particularly vulnerable to long-lasting breaches compared to enterprise companies, due to a lack of IT staff needed to detect and respond to threats, according to Infocyte's Mid-market Threat and Incident Response Report, released Thursday. 
Infocyte measured threats over the 90-day span from April to June 2019, reviewing more than 550,000 forensic inspections on systems across hundreds of customer networks in the mid-enterprise business sector. Unsurprisingly, SMBs are more vulnerable to various types of threats, the report found: 22% of SMBs said their networks have encountered a ransomware attack that bypassed preventative security controls, while fileless malware attacks are also on the rise. 
Average attack dwell time—the time between an attack penetrating a network's defenses and being discovered—ranged from 43 to 895 days for SMBs, the report found. The average dwell time for confirmed, persistent malware was 798 days. Dwell time for riskware—including unwanted applications, web trackers, and adware—averaged 869 days. 

Dwell time for attacks including ransomware was much lower, averaging 43 days between the infection of the initial Trojan (often Trickbot or Emotet) and remediation, due to how the ransomware informs its victims, the report noted. 

Some 72% of inspected SMB networks found riskware and unwanted applications in their environment that took longer than 90 days to remove, Infocyte found. While riskware is generally a lower risk than other attacks, networks that fail to control riskware also tend to be less ready to respond to high-priority threats once they are uncovered, according to the report. 
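The dwell-time figures above are the time between a threat first appearing on a system and its removal, with open findings counted up to the report date. The following is an added example (not Infocyte's code or data) of how a small security team could compute the same metrics from its own findings: average dwell time per threat category, and the share of riskware findings that stayed longer than the report's 90-day threshold. The findings, hosts and dates are constructed.

```python
from collections import defaultdict
from datetime import date
from statistics import mean

# Constructed sample findings (not Infocyte's data): one row per threat found
# on a host, with the date it first appeared and the date it was remediated.
# None means the finding was still open on the report date.
REPORT_DATE = date(2019, 6, 30)

FINDINGS = [
    # (host, category, first_seen, remediated)
    ("ws-01", "malware", date(2017, 3, 14), date(2019, 5, 20)),
    ("ws-02", "malware", date(2016, 11, 3), None),
    ("srv-03", "ransomware", date(2019, 3, 31), date(2019, 5, 13)),
    ("ws-04", "riskware", date(2017, 1, 10), date(2019, 6, 1)),
    ("ws-05", "riskware", date(2019, 5, 25), date(2019, 6, 10)),
    ("ws-06", "riskware", date(2016, 12, 1), None),
]


def dwell_days(first_seen, remediated, as_of=REPORT_DATE):
    """Dwell time in days: from first appearance to remediation, or to the
    report date for findings that are still open."""
    end = remediated or as_of
    return (end - first_seen).days


def dwell_by_category(findings, as_of=REPORT_DATE):
    """Average dwell time per category, rounded to whole days."""
    buckets = defaultdict(list)
    for _host, category, first_seen, remediated in findings:
        buckets[category].append(dwell_days(first_seen, remediated, as_of))
    return {cat: round(mean(days)) for cat, days in buckets.items()}


def share_over_threshold(findings, category, threshold_days=90, as_of=REPORT_DATE):
    """Fraction of findings in one category whose dwell time exceeds the
    threshold; the report uses 90 days as the cutoff for riskware cleanup."""
    days = [dwell_days(f, r, as_of) for _h, c, f, r in findings if c == category]
    if not days:
        return 0.0
    return sum(1 for d in days if d > threshold_days) / len(days)


if __name__ == "__main__":
    for category, avg in sorted(dwell_by_category(FINDINGS).items()):
        print(f"{category:<11} average dwell: {avg} days")
    share = share_over_threshold(FINDINGS, "riskware")
    print(f"riskware findings open longer than 90 days: {share:.0%}")
```

Open findings are the ones that matter most for this metric: leaving them out (as an "only what we cleaned up" report would) understates dwell time, so the example counts them up to the report date.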

"Infocyte's findings should be a wake-up call for SMBs that are overly confident in their organization's cybersecurity posture. The reality is that many lack the resources, technology, expertise, and visibility to protect their organizations, let alone their customers' and partners' data. The long dwell times reported by Infocyte indicate SMBs are at a higher risk of compromise than their larger enterprise counterparts," Aaron Sherrill, senior analyst at 451 Research, said in a press release. "While modern cybersecurity threats that evade legacy preventative and detection tools are a growing security gap for SMBs, many are unable to remediate the threats they do know about in a reasonable timeframe."




Five emerging cybersecurity threats you should take very seriously in 2019

The cyberthreat landscape continues to evolve, with new threats emerging almost daily. The ability to track and prepare to face these threats can help security and risk management leaders improve their organization's resilience and better support business goals.

The number of high-profile breaches and attacks making headlines has led business leaders to finally take cybersecurity seriously, said Sam Olyaei, senior principal and analyst at Gartner.

"Today, not only are business leaders and the business community understanding cybersecurity, they know it's important to their business outcomes and objectives," Olyaei said. "The problem is, there is still a lack of understanding as to why it's important."

Firms must work to bridge the gap between communicating the technical aspects of cybersecurity and the business outcomes, such as customer satisfaction, financial health, and reputation, Olyaei said.

Keeping track of new threats and not just established ones like ransomware is key for a strong security posture, said Josh Zelonis, senior analyst at Forrester.  

"Whenever we develop our strategies for how we're going to protect our organizations, it's really easy to look at things that you're familiar with, or that you have a good understanding of," Zelonis said. "But if you're not looking ahead, you're building for the problems that already exist, and not setting yourself up for long-term success. And that is really the number one reason why you need to be looking ahead -- to understand how attack techniques are evolving."

Here are five emerging cybersecurity threats that business, technology, and security leaders need to take seriously this year.

1. Cryptojacking

Ransomware has been one of the biggest threats impacting businesses in the past two years, exploiting basic vulnerabilities including lack of network segmentation and backups, Gartner's Olyaei said.

Today, threat actors are employing the same malware variants previously used to encrypt data for ransom to instead hijack an organization's resources or systems to mine cryptocurrency -- a practice known as cryptojacking or cryptomining.

"These are strains of malware that are very similar to strains that different types of ransomware, like Petya and NotPetya, had in place, but instead it's kind of running in the background silently mining for cryptocurrency," Olyaei said.

The rise of cryptojacking means the argument that many SMB leaders used in the past -- that their business was too small to be attacked -- goes out the window, Olyaei said. "You still have computers, you still have resources, you still have applications," he added. "And these application systems, computers, and resources can be used to mine for cryptocurrency. That's one of the biggest threats that we see from that standpoint."

2. Internet of Things (IoT) device threats

Companies are adding more and more devices to their infrastructures, said Forrester's Zelonis. "Organizations are going and adding solutions like security cameras and smart container ships, and a lot of these devices don't have how you're going to manage them factored into the design of the products."

Maintenance is often the last consideration when it comes to IoT, Zelonis said. Organizations that want to stay safe should require that all IoT devices be manageable and implement a process for updating them.  

3. Geopolitical risks

More organizations are starting to consider where their products are based or implemented and where their data is stored, in terms of cybersecurity risks and regulations, Olyaei said.

"When you have regulations like GDPR and threat actors that emerge from nation states like Russia, China, North Korea, and Iran, more and more organizations are beginning to evaluate the intricacies of the security controls of their vendors and their suppliers," Olyaei said. "They're looking at geopolitical risk as a cyber risk, whereas in the past geopolitical was sort of a separate risk function, belonging in enterprise risk."

If organizations do not consider location and geopolitical risk, those that store data with a third party or in a politically sensitive nation state run the risk of threat actors or nation-state resources being used against them, Olyaei said. "If you do that then you also impact the business outcome."

4. Cross-site scripting

Organizations struggle to avoid cross-site scripting (XSS) attacks in the development cycle, Zelonis said. More than 21 percent of vulnerabilities identified by bug bounty programs are XSS flaws, making them the leading vulnerability type, Forrester research found.

XSS attacks allow adversaries to use business websites to execute untrusted code in a victim's browser, making it easy for a criminal to interact with a user, steal the cookies used for authentication, and hijack the user's session on the site without any credentials, Forrester said.

Security teams often discount the severity of this attack, Zelonis said. But bug bounty programs can help identify XSS attacks and other weaknesses in your systems, he added.
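The XSS risk described above comes down to untrusted input being written into a page as markup, and the cookie theft that follows comes down to session cookies being readable by script. The following is an added example, not code from Forrester or the article, showing a deliberately vulnerable Python rendering function beside its escaped counterpart, plus a Set-Cookie header that marks the session token HttpOnly so script cannot read it even if an injection slips through. The function names, the sample query string and the token are constructed for the example.

```python
from html import escape
from http.cookies import SimpleCookie

# Constructed sample input: the classic harmless XSS test string, as it might
# arrive in a search parameter of an attacker-crafted link.
UNTRUSTED_QUERY = "<script>alert('xss')</script>"


def render_results_vulnerable(query: str) -> str:
    """'Before': the untrusted query is concatenated straight into the HTML,
    so any markup it contains is parsed and executed by the user's browser."""
    return f"<p>Results for: {query}</p>"


def render_results_safe(query: str) -> str:
    """'After': escape() with quote=True turns <, >, &, ' and " into entities,
    so the browser displays the text instead of executing it. The same output
    encoding is what templating engines do when auto-escaping is left on."""
    return f"<p>Results for: {escape(query, quote=True)}</p>"


def session_cookie_header(token: str) -> str:
    """Set-Cookie header for the session token. HttpOnly keeps it out of reach
    of document.cookie, Secure keeps it off plain HTTP, and SameSite=Strict
    stops it being sent on cross-site requests (Python 3.8+ for samesite)."""
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Strict"
    return cookie.output(header="Set-Cookie:")


def contains_live_script(html: str) -> bool:
    """Cheap check used to compare the two renderings: does the output still
    carry a raw <script> tag?"""
    return "<script" in html.lower()


if __name__ == "__main__":
    print(render_results_vulnerable(UNTRUSTED_QUERY))
    print(render_results_safe(UNTRUSTED_QUERY))
    print(session_cookie_header("constructed-session-token"))
```

Escaping at the point of output is the fix; the cookie flags are defence in depth that limit what a missed injection can reach, which is why both belong in the same review of a web application.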

5. Mobile malware

Mobile devices are increasingly a top attack target -- a trend rooted in poor vulnerability management, according to Forrester. But the analyst firm said many organizations that try to deploy mobile device management (MDM) solutions find that privacy concerns limit adoption.

The biggest pain point in this space is the Android installed base, Zelonis said. "The Google developer site shows that the vast majority of Android devices in the world are running pretty old versions of Android," he said. "And when you look at the motivations of a lot of IoT device manufacturers, it's challenging to get them to continue to support devices and get timely patches, because then you're getting back to mobile issues."

Organizations should ensure employee access to an anti-malware solution, Forrester recommended. Even if it's not managed by the organization, this will alleviate some security concerns.


British Airways Fined £183 Million Under GDPR Over 2018 Data Breach


Britain's Information Commissioner's Office (ICO) today hit British Airways with a record fine of £183 million for failing to protect the personal information of around half a million of its customers during last year's security breach. British Airways, which describes itself as "The World's Favorite Airline," disclosed a breach last year that exposed personal details and credit-card numbers of up to 380,000 customers and lasted for more than two weeks. At the time, the company confirmed that customers who booked flights on its official website and British Airways mobile app between August 21 and September 5 had had their details stolen by attackers. The cyberattack was later attributed to the infamous Magecart threat actor, one of the most notorious hacking groups specialized in stealing credit card details from poorly-secured websites, especially online eCommerce platforms. Magecart hackers have been known for using digital credit card skimmers, in which they secretly insert a few lines of malicious code into the checkout page of a compromised website that capture customers' payment details and then send them to a remote server.

Besides British Airways, Magecart groups have also been responsible for card breaches on sites belonging to high-profile companies like TicketMaster and Newegg, as well as sites belonging to other small online merchants. In a statement released today, ICO said its extensive investigation found that a variety of information related to British Airways' customers was compromised by "poor security arrangements" at the company, including their names and addresses, log-ins, payment card data, and travel booking details.
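A digital skimmer of the kind described above is a script tag on the checkout page that the site owner did not put there, or a modification of a third-party script the owner does rely on. The following is an added example, not code from British Airways or from the article, of two defender-side controls against that: an audit of the script tags on a checkout page against an allowlist of hosts and the presence of Subresource Integrity attributes, and a Content-Security-Policy header that tells the browser to refuse scripts from any other origin. The page HTML, hostnames and the integrity value are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed checkout page (not any real merchant's page). It carries a
# first-party script, an approved third-party payment script with an SRI
# hash, and an unapproved third-party script of the sort a skimmer injects.
# The integrity value is a placeholder, not a real digest.
CHECKOUT_HTML = """
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example-payments.invalid/pay.js"
        integrity="sha384-PLACEHOLDERHASH" crossorigin="anonymous"></script>
<script src="https://unknown-tracker.invalid/a.js"></script>
<script>window.app = {};</script>
</head><body>...</body></html>
"""

FIRST_PARTY = "shop.example.invalid"               # constructed hostname
APPROVED_THIRD_PARTY = {"cdn.example-payments.invalid"}  # constructed allowlist


class ScriptCollector(HTMLParser):
    """Collects the attributes of every <script> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))


def audit_scripts(html, first_party=FIRST_PARTY, approved=APPROVED_THIRD_PARTY):
    """Return (src, reason) findings for external scripts that could hide a
    skimmer: loaded from a host outside the allowlist, or loaded from an
    approved third party without an integrity attribute (so a modified copy
    would still be accepted by the browser)."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.scripts:
        src = attrs.get("src")
        if src is None:
            continue  # inline scripts are governed by CSP, not by SRI
        host = urlparse(src).netloc or first_party  # relative URL => first party
        if host == first_party:
            continue
        if host not in approved:
            findings.append((src, "unapproved third-party host"))
        elif "integrity" not in attrs:
            findings.append((src, "third-party script without integrity attribute"))
    return findings


def csp_header(approved=APPROVED_THIRD_PARTY):
    """Content-Security-Policy restricting script sources to the site itself
    and the allowlisted third parties; the browser blocks anything else."""
    sources = ["'self'"] + sorted(f"https://{h}" for h in approved)
    return "Content-Security-Policy: script-src " + " ".join(sources)


if __name__ == "__main__":
    for src, reason in audit_scripts(CHECKOUT_HTML):
        print(f"FINDING: {src}: {reason}")
    print(csp_header())
```

Running the audit on a schedule against the live checkout page, and comparing each run with the last, turns the "few lines of malicious code" into a diff that someone is paged about, which is the detection gap these breaches exploited. SRI only protects scripts hosted elsewhere; a first-party script modified on the merchant's own server needs file-integrity monitoring on that server instead.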

"People's personal data is just that – personal. When an organization fails to protect it from loss, damage or theft, it is more than an inconvenience," Information Commissioner Elizabeth Denham said.


"That's why the law is clear – when you are entrusted with personal data, you must look after it. Those that don't will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights."

However, ICO also said that British Airways has cooperated with its investigation and has made improvements to its security arrangements since last year's data breach came to light. Since the data breach happened after the EU's General Data Protection Regulation (GDPR) took effect in May 2018, the fine of £183.39 million has been imposed on British Airways, which is the equivalent of 1.5% of the company's worldwide turnover for its 2017 financial year but is still less than the possible maximum of 4%.

In response to the ICO announcement, British Airways, owned by IAG, said the company was "surprised and disappointed" by the ICO penalty.

"British Airways responded quickly to a criminal act to steal customers' data," said British Airways chairman and chief executive Alex Cruz.


"We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologize to our customers for any inconvenience this event caused."

The company has 28 days to appeal the penalty. Until now, the most significant penalty by the UK's data protection watchdog was £500,000, which was imposed on Facebook last year for allowing political consultancy firm Cambridge Analytica to improperly gather and misuse the data of 87 million users. The same penalty of £500,000 was also imposed on credit reporting agency Equifax last year for its massive 2017 data breach that exposed the personal and financial information of hundreds of millions of its customers. Since both the Facebook and Equifax incidents occurred before GDPR took effect, £500,000 was the maximum penalty ICO could impose under the UK's old Data Protection Act.



US Cyber Command issues alert about hackers exploiting Outlook vulnerability

US Cyber Command has issued an alert via Twitter today about threat actors abusing an Outlook vulnerability to plant malware on government networks.

The vulnerability is CVE-2017-11774, a security bug that Microsoft patched in Outlook in the October 2017 Patch Tuesday.

The Outlook bug, discovered and detailed by security researchers from SensePost, allows a threat actor to escape from the Outlook sandbox and run malicious code on the underlying operating system.


The bug was privately reported by SensePost researchers in the fall of 2017, but by 2018, it had been weaponized by an Iranian state-sponsored hacking group known as APT33 (or Elfin), primarily known for developing the Shamoon disk-wiping malware.

At the time, in late December 2018, APT33 hackers were deploying backdoors on web servers, which they later used to push the CVE-2017-11774 exploit to users' inboxes so they could infect their systems with malware.

"Once the adversary has legitimate credentials, they identify publicly accessible Outlook Web Access (OWA) or Office 365 that is not protected with multi-factor authentication. The adversary leverages the stolen credentials and a tool like RULER to deliver [CVE-2017-11774] exploits through Exchange's legitimate features," the FireEye report said.

The attacks leveraging the CVE-2017-11774 vulnerability came at the same time that reports surfaced about new sightings of the infamous Shamoon disk-wiping malware -- another hacking tool developed by the APT33 group.

No connection was ever proved at the time about links between FireEye's APT33 report and Shamoon deployments.

However, Chronicle Security researcher Brandon Levene has told ZDNet in an email today that the malware samples uploaded by US Cyber Command appear to be related to Shamoon activity, which took place around January of 2017.

Three of the five malware samples are tools used for the manipulation of exploited web servers, Levene said, while the other two are downloaders which utilized PowerShell to load the PUPY RAT -- most likely on infected systems.

Levene told ZDNet that if the observation of CVE-2017-11774 together with these malware samples holds true, this sheds some light on how the APT33/Shamoon attackers were able to compromise their targets.

Levene said that when Shamoon attacks happened in the past, it was widely speculated that spear-phishing was involved, but little information about the initial infection vectors was published other than the FireEye report, which speculated on the infection vectors rather than providing indisputable evidence.


US Cyber Command's Twitter account doesn't issue alerts about financially-motivated hacker crews targeting the US, and is focused on nation-state adversaries only. All in all, the malware samples shared by US Cyber Command today link the new attacks the agency is seeing to old APT33 malware samples -- most likely deployed in new attacks against US entities.

While US Cyber Command has not named APT33, Levene has, as have Palo Alto Networks (on Twitter) and FireEye (on Twitter and in private conversations with ZDNet).

The US Cyber Command tweet also comes after Symantec warned about increased activity from APT33 back in March.

Furthermore, two weeks ago, CISA, the Department of Homeland Security's cyber-security agency, also issued a similar warning about increased activity from Iranian threat actors, and especially about the usage of disk-wiping malware such as Shamoon, APT33's primary cyber-weapon.

Besides analyzing malware that hits the US government network, the US Cyber Command is also in charge of offensive cyber operations. Two weeks ago, the DOD agency launched a cyber-attack aimed at Iran's rocket and missile system after the Iranian military shot down an expensive US surveillance drone. With Iranian hackers targeting government networks and the US hitting back, you could say the two countries are in the midst of a very silent and very unofficial cyberwar.

And as a side note, Levene has also pointed out that this is the first time that US Cyber Command has shared non-Russian malware via its Twitter account. The agency started publishing malware samples on VirusTotal and issuing Twitter alerts last fall, deeming it a faster way of spreading security alerts about ongoing cyber-attacks and putting the US private sector on notice.



Get Ready For A Ransomware Tsunami

OK, maybe you can’t say the two cities in Florida hit with ransomware a few weeks ago dodged a bullet, but at least they dodged the digital equivalent of a cruise missile … right?

Riviera Beach and Lake City both paid the ransom. For Lake City, which lost access to its phone and email systems for a couple of weeks, it was 42 bitcoin, worth $573,000 according to one report and $460,000 according to another. Riviera Beach paid 65 bitcoin, worth $897,650, after three weeks of no access to its computer systems.

Yes, that’s a lot of money. Yes, they took a bullet. But hey, it’s not even close to the estimated $17 million Atlanta is spending to recover from a ransomware attack in March 2018. Or the something north of $18 million it will cost Baltimore to do the same after an attack this past May.

Those Florida city officials can declare, accurately, that they’ve saved their taxpayers a bundle, even if it did mean rolling over for common criminals who likely will never be caught, prosecuted or even identified.

But that gain may be short-lived. They may be setting themselves and other municipalities up for a ransomware tsunami. As any economist will tell you, people respond to incentives. In this case, a thief or band of thieves raked in a payday from one digital holdup that’s enough to put at least one of them into the 1 percent income bracket without even breaking a sweat.

And, of course, the value of those ransom payments wasn’t eroded by any deductions—taxes, Medicare, Social Security. The gross was the net.

That’s the kind of thing other common criminals notice. Hit a local government with ransomware and your chances are pretty good that they’ll fork over $500,000 or more so they can get back in business as quickly as possible.

Graham Cluley, independent blogger and cohost of the Smashing Security podcast, made that point in a recent post carried on Tripwire. “Every time an organization gives in to a ransomware demand, and cybercriminals learn that it is easy to earn such lucrative profits, hackers invest more effort into future attacks,” he wrote.

Indeed, about a week after word of the Lake City and Riviera Beach payments, a third Florida city, Key Biscayne, reported it had been hit as well, by malware called Ryuk, the same one used to attack Lake City. Ryuk is the third piece of the so-called “Triple Threat” attack. The other two are called Emotet and Trickbot.

And this week, officials with the Georgia courts acknowledged that a portion of its digital information systems had been taken down by ransomware. At the time, there was no information on how much the attackers demanded.

Only option still a bad one

Obviously, those officials thought they were doing what was in the best interest of their constituents. And law enforcement officials and security experts acknowledge that there are times when the only option is to pay the ransom.

As Bob Maley, CSO at NormShield and former CISO for the state of Pennsylvania, put it, if a victim organization has no recovery plan or any idea of what the impact of losing everything that has been encrypted would be, "then the decision becomes one of desperation."

And the cost to cities like Baltimore and Atlanta for refusing to pay can make that desperation much greater.

“We have seen municipalities across the country attempt to hold off paying ransoms only to suffer incredibly, ultimately end up paying after serious disruption of services, or pay an exorbitant amount of money to avoid paying,” said Kiersten Todt, managing director of the Cyber Readiness Institute.

“That's especially true if human life is at risk from impaired emergency response,” added Phil Reitinger, president and CEO of the Global Cyber Alliance (GCA). “I will throw no stones at a city CISO or mayor who finds that paying thousands in ransom is acceptable rather than suffering millions in recovery expenses, especially given the other significant nonmonetary costs from a paralyzed city.”

But all that still doesn’t make it a good option—for the victim or other potential victims.

For starters, those same attackers could hit the same cities again. Tim Mackey, technical evangelist at Synopsys, noted that ransomware victims are dealing with people they don’t know and will probably never see.

“Payment of a ransom is a trust issue,” he said. “Do you effectively trust that the data will be recoverable following payment? While it’s in the best interests of the attacker to release encrypted files following payment, receipt of encryption keys isn’t the end of it.

“For example, can you ensure the data weren’t corrupted or tampered with? Are you confident the attackers didn’t make copies? Have you taken steps to ensure the attacker doesn’t simply attack you again and demand further payment? In reality, the actual ransom payment may be the least of the incident response costs,” he said.

Change the incentives

A vastly better—and what would seem to be obvious—option would be to make those attacks much more difficult. Create negative incentives. Make it hard for cyber criminals. Yes, doing that will cost money and time, but vastly less than what it costs to pay a ransom or recover from an attack.

As Morgan Wright, a former senior advisor in the U.S. State Department Antiterrorism Assistance Program, sardonically put it in a post on The Hill after the Atlanta attack, "There's never enough time and money to do it right. But when government screws up, there's always time and taxpayer money to do it over, usually at a much higher cost."

So, how to avoid screwing up? There is no way to be perfect, but there are multiple ways to get much closer.

The most obvious is to do regular backups that are not connected to the network. A backup that is accessible through a breach is, obviously, worthless. But if it’s held separately and survives, an organization can rebuild its system quickly at minimal expense, without paying the ransom.

Then there is making sure your employees are an asset, not a risk factor. The attacks on all three Florida cities were enabled by an employee clicking on an attachment in a phishing email. Which sends a clear message—employees need effective security awareness training.

Most employees, except for a rogue here and there, want to protect the organization’s assets. They just need to be taught how to spot suspicious communications—to develop a healthy paranoia. There are multiple organizations that offer credible programs in that.

“Approximately 91% of all attacks on enterprises are caused by phishing,” Todt said. “There are online phishing training courses that municipalities could offer, which could be a reasonably low-cost way to help inform municipal employees of the cyber risks to which they are exposed.”

Besides training, Mackey said another personnel basic is to apply the “principle of least privilege” to employees throughout an organization. That means “limiting the level of trust a given employee has at any point in time to only the level of access required to perform specific tasks.”

Be prepared

Beyond training and policy, organizations should harden the security of their assets.

One fundamental is to keep strict track of the software components running applications, systems and networks, and keep them up to date. Failing to install an available patch for a known vulnerability is like leaving the door to a vault wide open.

Maley said organizations should “know the cyber hygiene of their IT ecosystems in the same way the attackers do, then fix the issues before the attacks happen.”

Other ways to be prepared for a ransomware attack, Mackey said, include “having properly patched virtual machine templates, which can be used to restore entire systems using VDI (virtual desktop infrastructure)-style solutions or other remote-access solutions to ensure that sensitive data isn’t accessible from machines easily infected through phishing attacks or drive-by web ads.”

Reitinger said better security hygiene should include “powerful techniques like using a protective DNS (domain name system) service like Quad9. They make a successful attack far less likely, so there is a significant return on investment.”

Of course, while those measures are excellent investments, municipalities do need money to make them, and few have it, according to Todt. “There is not a municipality in the United States that is fully funded to defend its IT networks against cyberattacks,” she said, adding that she believes the feds should provide some of that funding.

“While we have become dependent on the internet for many government services, we have not provided our state and local governments with the capabilities to make these services resilient in the face of persistent cyberattacks,” she said.

“The federal government needs to establish an active coordination and remediation program that is supported by the Department of Homeland Security (DHS) and the National Security Agency (NSA) for municipalities.”

That money, she said, could help local and state governments “in the most important first steps toward cyber resiliency: map the networks they own, understand what is on them and provide assistance to better secure them.”

Yes, of course it could. But that money, while wished for, is not yet a reality. Nor is it likely to become a reality anytime soon. So, as Todt and other experts say, municipalities should set priorities and make trade-offs to get the most important things done.

Those priorities, she said, are raising awareness of the threat and building security and resiliency into the systems.

Because the ransomware threat is not going away. It is increasing.
