Loading ...

Category: Virus Infection

Hundreds of Gigabytes of Data Lost in Attacks Targeting Managed Service Providers

Hacked - Grants Pass, OR

“In a new stunning example of the scale and sophistication of online cybercrime, just before the holidays, DOJ charged two hackers with stealing hundreds of gigabytes of data—including sensitive intellectual property, confidential business data, and personal information from companies and government agencies around the world—as part of a multi-year cyber-espionage campaign that targeted managed service providers (MSPs) directly, bypassing the protections of client systems. This indictment is the latest example of the U.S. government’s use of the criminal justice system to crack down on state-sponsored economic espionage.

As alleged in the indictment, the hackers belong to what is believed to be an elite, Chinese government-sponsored group known within the cyber-security community as Advanced Persistent Threat 10 (APT10). The targets of the hacking campaign included companies in the aerospace, health care, biotechnology, finance, manufacturing, and oil and gas industries, as well as U.S. government agencies, such as NASA and the U.S. Department of Energy.”

https://www.lexology.com/library/detail.aspx?g=1068fd0a-8388-4453-aa7b-6872a5c96536

Anatomy of the Breach

The indictment alleges that APT10’s MSP Theft Campaign began in 2014 and involved three stages.

  1. The hackers gained unauthorized access into the MSPs’ computers and installed malware allowing APT10 to remotely monitor the computers and steal login credentials.
  2. The group then used these stolen credentials to move laterally into each MSP’s network and the networks of their clients, further spreading the malware infection.
  3. APT10 identified data of interest on these compromised computers and created packages for exfiltration using encrypted archives, allowing the hackers to move the data from one system to another before ultimately transferring it to APT10’s computers.

This sort of breach calls into question the operating procedures of MSPs everywhere, their security practices, and moral compass. If IT support staff are not trained in best practice and cannot keep from being infected via websites or emails, then what business do they have managing larger network systems with sensitive data.

If you are unsure of your MSPs practices and would prefer a company with transparency, then contact us for assistance.

Warning: Explicit SPAM Messages

Explicit Spam Message

Explicit Spam Message

Here are a couple recent SPAM emails that were received by clients and myself. They are explicit in nature but they a good lesson about the scare tactics of SPAMMERS. The first message seems to be the better SPAM message as it has better English and is even tries to be humorous, while the second is more direct and extortionary. Time to dissect these messages.

SPAM Message #1

  • Password – This message starts by stating that it knows your password. How can this be? There have been several information breaches from the government, retailers, healthcare, etc over the past couple of years. The majority of these breaches are eventually posted online with emails and passwords – hence the reason Farmhouse Networking has started offering Dark Web scanning and advises passwords be changed often.
  • Remote Access – The SPAMMER then goes on to provide a detailed explanation of how they got into the computer. It sounds convincing but deeper analysis by someone who is in the IT Security industry would reveal that their explanation is flawed. To do what they proposed would take several different exploits of various portions of the computer and would likely take longer than video would be playing.
  • Contacts – For their “computer software” to get contacts from all these various sources would require that the password mentioned earlier in the email be the same for all these services. It is recommended by Farmhouse Networking that different passwords be used for each service so that if one is compromised then the rest are not in jeopardy. It might be asked how to keep track and the answer is a password keeping software like LastPass.

 

SPAM Message #2

  • Threats – The message starts immediately with the intimidating remarks and threats. It may be true that alerting the authorities will not bring any immediate assistance, but if we are all upstanding citizens then there is nothing to worry about their threats. It is always good to submit these messages to the authorities (FBI) for analysis so they can take these guys down over time. I do find it sad that this SPAMMER did not take the time to explain how they gained access to my computer.
  • Webcam – It is very possible that if your computer is infected properly that the hacker could gain access to your webcam, but again if we are upstanding citizens and don’t do anything inappropriate in front of our computers then there is nothing to worry about here.
  • Bitcoin – The demands continue with a sense of expediency in the matter giving only 28 hours before the big reveal. This particular SPAMMER either knows the value of the first SPAMMERS creativity in producing a video or are selling themselves short at the $400 ransom in Bitcoin. Finally, they even try to give a bit of legitimacy to their claim by stating that they can send the video to a partial list of contacts.

If your company is interested in Dark Web Scanning for on-going breach protection or worried about SPAM, then contact us for assistance.

New Phishing Email Variant

Thought that I would share a recently received new phishing email variant that could easily be overlooked and possibly cause damage to your network. The email appears to have come from Dropbox as a user sharing a folder with me, but a closer look shows many obvious signs that the email is a fake.

Starting from the Top

Look closely at the From portion of the email:

The lettering is actually another language where the font makes it look like English lettering. There is also the fact that the email is form someone that I don’t do business with. Always fight the urge to look at things that are not yours.

Stick to the Subject

Now to take a look at the Subject line of the email:

This has different lettering but it is again a different language used to look like English lettering.

And now the rest…

The final thing that caught my eye was the “button” in the middle of the email:

It actually looked fuzzy. It turns out the entire body of the email is a single image that is a link to their malicious site. Clicking anywhere in the body of the email would send you on your way to infection or account compromise. Hope this little tutorial helps you detect other phishing attempts in the future.

If your company is having trouble with SPAM or phishing, then contact us for assistance.

SMB Guide to Ransomware

SMB-Guide-to-Ransomware

Ransomware has become a serious epidemic affecting businesses of all sizes, and protecting your company is more essential than ever before as the number of ransomware attacks continues to rise. A recent U.S. Government inter-agency report indicates that, on average, there have been 4,000 daily ransomware attacks since early 2016 — a 300-percent increase over the 1,000 daily ransomware attacks reported in 2015.

As ransomware spreads, it continues to evolve and get more sophisticated — and more lucrative. In fact, according to Internet Crime Complaint Center, ransomware victims paid more than $24 million to regain access to their data in 2015 alone.

What does all this mean for small to medium-sized businesses?

Download the full article here:
http://www.farmhousenetworking.com/downloads/SMB-Guide-to-Ransomware.pdf

If your company is worried about ransomware and would like to see if your business is prepared for the inevitable, then contact us for assistance.

Quick Look at PCI Compliance Regulations

PCI Compliance RegulationsJust got done cleaning up after a security breach (aka hacking) of one of my client’s accounting workstation. They had an older method of remote access called Microsoft Remote Desktop that has known vulnerabilities without additional security measures in place. The hacker did not touch their Quickbooks data (super surprising), but installed software to send SPAM, mine bitcoin crypto-currency, and running fraudulent credit card transactions. Since there was no compromises of Primary Account Numbers (PAN) or customer data there was no need for notifying customers, but the FBI Cyber Crime division was still notified to help share with them the intelligence from the breach. This then lead to me reading through the PCI DSS regulations again and making the requisite recommendations to mitigate the current issues with the client’s network and protect against future attempts. Here is a list of applicable PCI Compliance Regulations:

Requirement 1.1.2 – Current network diagram that identifies all connections between the cardholder data environment and other networks, including any wireless networks.
Requirement 1.2 – Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.
Requirement 1.3 – Prohibit direct public access between the Internet and any system component in the cardholder data environment.
Requirement 4.1 – Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks, including the following:
•    Only trusted keys and certificates are accepted
•    The protocol in use only supports secure versions or configurations
•    The encryption strength is appropriate for the encryption methodology in use
Requirement 5.1 – Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
Requirement 5.2 – Ensure that all anti-virus mechanisms are maintained as follows:
•    Are kept current,
•    Perform periodic scans
•    Generate audit logs
Requirement 5.3 – Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period
Requirement 6.2 – Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.
Requirement 8.2.3 – Passwords/passphrases must meet the following:
•    Require a minimum length of at least seven characters.
•    Contain both numeric and alphabetic characters.
Requirement 8.2.4 – Change user password/passphrases at least once every 90 days.

If your company has PCI Compliance Regulations that you need consulting for, then contact us for assistance.

CyberSecurity Month – Entrepreneur Tips

cybersecurityEntrepreneurs face the same cybersecurity challenges and threats that larger businesses face but with limited resources, capacity, and personnel. Cybersecurity is especially important for entrepreneurs because they have the unique opportunity to integrate cybersecurity practices at the onset of their investments and business development.

DID YOU KNOW?

  • Approximately 77 percent of small firms believe their company is safe from a cyber attack, even though 83 percent  of those firms do not have a written security policy in place.
  • Unlike larger firms that can absorb the cost of a cyber attack, the consequences can be catastrophic for smaller ventures and entrepreneurs.

SIMPLE TIPS

  1. Use and regularly update anti-virus software and anti-spyware on all computers. Automate patch deployments to protect against vulnerabilities. (Our monthly maintenance takse care of this.)
  2. Secure your Internet connection by using a firewall, password protecting your Wi-Fi network, and changing default passwords for your wireless network and router. (Most businesses who buy a router from a local office supply store don’t take the time to change the default password and don’t know these devices are rarely updated by vendors.)
  3. Establish security policies and practices (e.g., using encryption technology) to protect sensitive data, including customer information and intellectual property.
  4. Use strong passwords and change them regularly. (Minimum recommended password length is 10 characters with upper and lower letters, numbers and symbols. Changing passwords should be monthly or quarterly if possible.)
  5. Protect all pages on your public-facing websites, not just the sign-up and checkout pages.
  6. Invest in data loss prevention software and use encryption technology to protect data that is transmitted over the Internet.If your company is concerned about cybersecurity and wants to take the needed steps to protect yourselves, then contact us for assistance.

CyberSecurity Month – Entrepreneur Tips

cybersecurityEntrepreneurs face the same cybersecurity challenges and threats that larger businesses face but with limited resources, capacity, and personnel. Cybersecurity is especially important for entrepreneurs because they have the unique opportunity to integrate cybersecurity practices at the onset of their investments and business development.

DID YOU KNOW?

  • Approximately 77 percent of small firms believe their company is safe from a cyber attack, even though 83 percent  of those firms do not have a written security policy in place.
  • Unlike larger firms that can absorb the cost of a cyber attack, the consequences can be catastrophic for smaller ventures and entrepreneurs.

SIMPLE TIPS

  1. Use and regularly update anti-virus software and anti-spyware on all computers. Automate patch deployments to protect against vulnerabilities. (Our monthly maintenance takse care of this.)
  2. Secure your Internet connection by using a firewall, password protecting your Wi-Fi network, and changing default passwords for your wireless network and router. (Most businesses who buy a router from a local office supply store don’t take the time to change the default password and don’t know these devices are rarely updated by vendors.)
  3. Establish security policies and practices (e.g., using encryption technology) to protect sensitive data, including customer information and intellectual property.
  4. Use strong passwords and change them regularly. (Minimum recommended password length is 10 characters with upper and lower letters, numbers and symbols. Changing passwords should be monthly or quarterly if possible.)
  5. Protect all pages on your public-facing websites, not just the sign-up and checkout pages.
  6. Invest in data loss prevention software and use encryption technology to protect data that is transmitted over the Internet.If your company is concerned about cybersecurity and wants to take the needed steps to protect yourselves, then contact us for assistance.

Compliance Demands Managed Antivirus

computer virusIt continues to astound me how many businesses have a free version or home version of antivirus installed on their workstations at the office. There is no central management for the antivirus software to enforce the company security policy creates an infrastructure where each workstation can have a different level of protection or none at all. Leaving security up to the end-user is never a good idea that could easily lead to a virus infection. For those effected by HIPAA or PCI compliance having managed antivirus is a must.

PCI Compliance Regulations

Section 5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).

Section 5.1.1 Ensure that anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software.

Section 5.2 Ensure that all anti-virus mechanisms are maintained as follows:

  • Are kept current,
  • Perform periodic scans
  • Generate audit logs which are retained per PCI DSS Requirement 10.7

Section 5.3 Ensure that anti-virus mechanisms are actively running and cannot be disabled or altered by users, unless specifically authorized by management on a case-by-case basis for a limited time period

In order to comply with all of these regulations there is no other choice than to use managed antivirus as it automatically updates, regularly scans and keeps logs in a central place.

HIPAA Compliance Regulations

45 C.F.R § 164.306 (2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

45 C.F.R § 164.308 (a)(5)(ii)(B) Protection from malicious software. Procedures for guarding against, detecting, and reporting malicious software.

These regulations are a bit more cryptic, but they do require antivirus to be installed, fully capable of protection and able to report. The best way to achieve this is to use managed antivirus.

If your company is using standard or free antivirus to protect your business workstations, then contact us for assistance.

WannaCry Ransomware Spread Halted by Webroot

Webroot & WannaCry Ransomware

WannaCry Ransomware: Webroot protects you.

Ransomware attacks continue to spread around the world this weekend, after the initial damage inflicted on healthcare organizations in Europe on Friday.

The criminals responsible for exploiting the Eternal Blue flaw haven’t yet been identified, but up to 100 countries have hit with WannaCry ransomware, with Russia, Ukraine and Taiwan among the top targets.

The ransomware first appeared in March, and is using the NSA 0-day Eternal Blue and Double Pulsar exploits first made available earlier this year by a group called the Shadow Brokers.  The initial spread of the malware was through email, including fake invoices, job offers and other lures with a .zip file that initiates the WannaCry infection.  The worm-like Eternal Blue can exploit a flaw in the Server Message Block (SMB) in Microsoft Windows, which can allow remote code execution.  This flaw was patched in Microsoft’s March 2017 update cycle, but many organizations had not run the patch or were using unsupported legacy technology like XP.

What’s New

Today, Microsoft has released emergency security patches to defend against the malware for unsupported versions of Windows, including XP and Server 2003.

Overnight and today, it has become clear that a  kill switch was included in the code.  When it detects a specific web domain exists—created earlier today—it halts the spread of malware.  You can learn more at The Register.

As a Webroot customer, are you protected?  YES.

Webroot SecureAnywhere  does currently protect you from WannaCry ransomware.

In simple terms, although this ransomware is currently causing havoc across the globe, the ransomware itself is similar to what we have seen before.  It’s the advanced delivery mechanism that has unfortunately caught many organizations off guard.

In addition to deploying Webroot SecureAnywhere as part of a strong endpoint control strategy, it is essential you continue to keep your systems up-to-date on the latest software versions, and invest in user education on the dangers of phishing, ransomware, social engineering and other common attack vectors.

If you have any questions about your Webroot deployment, reach out to our Support Team now.

And, if you are not a Webroot customer, we encourage you to trial Webroot SecureAnywhere now.

Webroot Incident

Dear Webroot Customers,
You are a critical part of our business. Our Managed Service Providers have asked us to write you to explain why our Webroot SecureAnywhere Business Endpoint Protection experienced performance issues, and what we are doing to resolve those
issues as quickly as possible.
Yesterday, Webroot released a rule that categorized some legitimate files as malware. As a result, multiple legitimate business applications were quarantined and unable to function. This rule change was in effect for 13 minutes on Monday, April 24. To be clear, this rule change was caused by Webroot and not your Managed Service Provider.
Webroot is continuing to work diligently with our partners to restore functionality for our mutual customers. While the false positives that caused the incident have been stopped, we are still working on an automated fix to reverse the files affected. Any
resolution will be released immediately.
Webroot is a trusted partner of many Managed Services Providers and this incident is not representative of our high standards. We always strive to be open and transparent, and we are working tirelessly to fix the issue. Once Webroot has identified the root cause, we will ensure further controls are in place to prevent an
incident like this from happening again.
We apologize for the pain this has caused you. Webroot appreciates your business, and our entire team is dedicated to being your most trusted Partner.
Thank you for your patience as we work through this incident.
Yours sincerely,
Mike Malloy
Executive VP of Product & Strategy

Recent Posts

Categories

Plant a Seed 541-761-9549
233 Rogue River Hwy #873 Grants Pass, OR 97527
Mon-Fri: 9:00am-5:00pm
support@farmhousenetworking.com
© 2016-2018 - Farmhouse Networking. All rights reserved
Terms and Conditions Privacy Policy

Evaluation Signup

Something went wrong, try refreshing and submitting the form again.