Justin Robinson

How SMBs can Lower Risks of Being a Victim of a Ransomware Attack

Ransomware Prevention

Small and medium businesses are increasingly the victims of cyber attacks, yet in a recent survey only 28% of the SMBs polled said they were concerned about ransomware. Does that mean SMBs have security well in hand? No: the same study found that 85% of SMBs reported at least one cyber attack.

Ransomware has become big business for cyber criminals, so SMBs need to consider what they can do to avoid becoming a victim in the first place. Given the recent uptick in attacks, here are some options for reducing that risk.

Use Multi-factor Authentication

A username and password alone are no longer enough to secure a login. Multi-factor authentication (MFA) adds a second (and sometimes a third) factor: after entering your username and password you also enter a six-digit code from an authenticator app on your phone, or confirm with a hardware token. Where you have the choice, prefer app- or hardware-based factors over codes sent by SMS, since text messages can be intercepted or redirected to an attacker's phone.

Every ransomware attack needs an initial foothold on the target network. Most of today's attacks are not a single click that encrypts one machine: the attacker first gains access (often with stolen or phished credentials for VPN, remote desktop or email), moves through the network, steals data, and only then detonates the ransomware, so that the stolen data can be held over the victim as well.

Requiring MFA on logins, especially for remote access (VPN, remote desktop) and email, means a stolen password alone is not enough, which makes that foothold much harder to get.

Change passwords regularly and don’t reuse them

The most important rule is never to reuse a password across systems: a password exposed in the breach of one service will be tried by attackers against every other service you use. Change a password immediately when you learn it has been exposed in a breach, and rotate on a schedule for accounts where you cannot be sure you would find out. Regular changes add a moving target for an attacker who has found one of your old passwords in a breach dump, and a password manager makes unique, strong passwords practical.

Control the use of Removable Storage Devices

Removable storage devices, such as USB drives and external hard disks, are a convenient carrier for malware, including ransomware families that copy themselves to any drive that is plugged in, and they bypass the network controls that inspect email and web traffic.

Controlling the use of these devices can be as simple as issuing a single approved model of USB drive and permitting only that device, or as involved as a Data Loss Prevention (DLP) solution that blocks writes to, or any use of, removable media. Many endpoint protection products, Bitdefender among them, include device control features, and Windows Group Policy can deny read or write access to removable storage on domain-joined machines.

Make security awareness a priority

Clicking a suspicious link, or entering credentials into a credential phishing page, can lead to exactly the outcome described above: the attacker now has a foothold. Attackers have many ways into a company network, and all of them should be covered and tested as part of a continuous security awareness program. Topics might include:

  • Being aware of suspicious links
  • Not opening attachments from unknown senders
  • Secure password management using password managers
  • Secure use of removable storage devices

Have Backups

Strictly speaking, backups do not lower the risk of being attacked, and you hope never to need them, but they are critical to recovering from a ransomware incident and should be taken at regular intervals. Keep copies onsite, offsite and in the cloud, and make sure at least one copy is offline or immutable (not reachable with the credentials an attacker would steal), because ransomware operators deliberately look for reachable backups and encrypt or delete them before detonating. Test a restore periodically; an untested backup is a hope, not a plan.

No one is 100% safe from cyber attacks, but there are things we can all do to reduce the risk.

Cybersecurity Daily News for June 15, 2021

Writing

In today's news: AmeriGas, the largest propane provider in the US, discloses a data breach that affected 123 employees and 1 resident; why SMBs are under increasing attack by cyber criminals; and REvil claims responsibility for the Invenergy data breach.

Cybersecurity Daily News is a curated list of relevant Cybersecurity and Information Security news from around the globe.

Cybersecurity Daily News is a curated list of daily news articles produced by Rogue Security Intelligence Services from a number of sources around the world. Sign-up below to receive daily news directly to your inbox.


Cybersecurity Daily News for June 14, 2021

Writing

In today's news: Volkswagen and Audi disclose a data breach of 3.3 million customer records; the RCMP violated the Privacy Act using facial recognition AI; and a first-hand look at a ransomware attack and the recovery from it.


DNS Security For Individuals and Small Businesses

What Is DNS?

DNS, the Domain Name System, is a distributed, hierarchical directory for the Internet whose main job is to translate a domain name (example: roguesecurity.ca) into an IP address (example: 172.217.12.163); reverse lookups from an address to a name exist too, but are the less common direction. DNS is the reason we don't have to type in the IP address of the website we want to visit, and can type a friendly domain name instead. Note that typing the IP address directly often does not take you to the same site in practice: many web servers host several sites on one address and choose the site by the requested name, and HTTPS certificates are issued for names, not addresses.

Many medium and large businesses run their own DNS servers on their own network, but most small businesses and individuals rely on a recursive resolver operated by their Internet Service Provider (ISP), or on one of the public resolvers such as Google Public DNS.

How Does DNS Work?

Without going into too much detail, a DNS lookup is fairly simple.

  1. You enter a domain name, roguesecurity.ca, into the address bar of your web browser and hit Enter.
  2. Your device first checks its own cache and hosts file; if there is no entry, it sends a query to its configured DNS resolver asking for the address (A or AAAA) record for that name.
  3. The resolver answers from its cache if it can; otherwise it walks the hierarchy, asking a root server, then the .ca servers, then roguesecurity.ca's own authoritative servers, and caches what it learns.
  4. If an address is found, the resolver returns it to your device, and your browser uses it to actually connect to the website.
    4a. If the name does not exist, the resolver returns an NXDOMAIN error; if the name exists but has no address record, it returns an empty answer.

Each query and its response carry a 16-bit transaction ID and a copy of the question, which is how a client matches answers to the queries it sent, and which is also what a forged answer has to guess.

DNS Cache: your device, and every resolver in the chain, keeps recent answers so that revisiting a website does not need a fresh lookup. Each record carries a time-to-live (TTL) set by the domain's owner; when it expires the entry is dropped and looked up again, which is how you eventually get the latest information. The cache can also be emptied manually (for example with ipconfig /flushdns on Windows).
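To make the exchange above concrete, here is an added example (not code from the original post) that builds the query packet a stub resolver would send for roguesecurity.ca, parses a response, recognises the NXDOMAIN case from step 4a, and caches the answer until its TTL expires. The response bytes are constructed by hand; the address 192.0.2.10 is from the RFC 5737 documentation range and is an assumption, not the site's real address.

```python
# Added example (not the original post's code): DNS query/response wire format
# and a TTL-honouring cache. 192.0.2.10 is an RFC 5737 documentation address
# standing in for whatever roguesecurity.ca really resolves to.
import struct
import time

QTYPE_A, QCLASS_IN, RCODE_NXDOMAIN = 1, 1, 3


def encode_name(name: str) -> bytes:
    """'roguesecurity.ca' -> length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:          # RFC 1035: a label is 1..63 bytes
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """12-byte header + one question. Flags 0x0100 = standard query, recursion desired."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", QTYPE_A, QCLASS_IN)


def decode_name(msg: bytes, offset: int) -> tuple:
    """Decode a name at offset, following 0xC0xx compression pointers. Returns (name, next_offset)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:          # pointer to a name earlier in the message
            pointer = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            end = offset + 2 if not jumped else end
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_response(msg: bytes) -> dict:
    """Return the transaction id, the rcode (3 = NXDOMAIN) and the A records answered."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):               # skip the echoed question section
        _, offset = decode_name(msg, offset)
        offset += 4                        # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, offset = decode_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        rdata, offset = msg[offset:offset + rdlen], offset + rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append({"name": name, "ttl": ttl, "ip": ".".join(map(str, rdata))})
    return {"txid": txid, "rcode": flags & 0xF, "answers": answers}


class DnsCache:
    """Stub-resolver cache: an entry answers lookups until its TTL runs out."""

    def __init__(self, clock=time.monotonic):
        self._clock, self._entries = clock, {}

    def put(self, name: str, ip: str, ttl: int) -> None:
        self._entries[name.lower()] = (ip, self._clock() + ttl)

    def get(self, name: str):
        entry = self._entries.get(name.lower())
        if entry is None:
            return None
        ip, expires = entry
        if self._clock() >= expires:       # expired: forget it so the next lookup goes out
            del self._entries[name.lower()]
            return None
        return ip


# Constructed response to build_query("roguesecurity.ca"): flags 0x8180 (response,
# no error), one question, one answer whose name is a pointer (0xC00C) to the question.
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + encode_name("roguesecurity.ca") + struct.pack(">HH", QTYPE_A, QCLASS_IN)
    + b"\xc0\x0c" + struct.pack(">HHIH", QTYPE_A, QCLASS_IN, 300, 4) + bytes([192, 0, 2, 10])
)
# Constructed step 4a: flags 0x8183 (response, rcode 3 = NXDOMAIN), no answers.
SAMPLE_NXDOMAIN = (
    struct.pack(">HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0)
    + encode_name("nosuchname.roguesecurity.ca") + struct.pack(">HH", QTYPE_A, QCLASS_IN)
)
```

The transaction ID and the echoed question are the only things tying an answer to a query, which is worth keeping in mind when reading the cache poisoning section below: a resolver that accepts any answer with a matching ID and port caches whatever arrives first.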

How Is DNS Attacked?

DNS, like most software, has vulnerabilities and exploits, and causes problems when used inappropriately. DNS has existed since the 1980s and, although it has received numerous extensions over the years, the underlying design has not changed much. That has given attackers decades to study it, and because it underpins how almost everything on the Internet finds everything else, it is a very commonly attacked protocol.

The most direct DNS attack is a cyber criminal gaining control of your DNS server itself. More commonly, though, the attack is against the cache: cache poisoning (also called cache spoofing) injects a forged answer into a resolver's or a device's DNS cache, for example by racing the real answer with a forged one that matches the outstanding query's transaction ID and source port. On an endpoint the same effect is achieved by editing the hosts file or changing the configured resolver. If an attacker replaces the IP address of roguesecurity.ca in my local cache with the address of a malicious website, then every time I go to roguesecurity.ca I'll be taken to the malicious site instead, until the entry expires or is flushed.

The Domain Name System can also be used to steal data. Let me explain. We know that a domain name is sent with every request to a DNS server. Query names are simply strings, and strings can carry data, including encoded data. DNS tunneling is when malware on an infected host places data, plain or encoded, in the labels of what look like ordinary DNS queries for a domain the attacker controls. The attacker does not need to compromise your DNS server to receive them: because your resolver recursively forwards any query it cannot answer itself, every query for the attacker's domain ends up at the attacker's own authoritative name server, and the responses can carry commands back the same way. This is why DNS traffic leaving your network deserves monitoring rather than a blanket allow.
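The following added example (not code from the original post) shows both sides of the paragraph above: how a payload is split into legal DNS labels under an attacker-controlled domain and reassembled at the other end, and a simple detector that flags a domain in resolver logs when it receives many unique subdomains or long, high-entropy labels. The domain exfil.example, the log line format "<client> <qname> <qtype>" and the thresholds are all constructed assumptions for the example.

```python
# Added example (not the original post's code): how a payload rides in DNS query
# names, and a heuristic detector run over constructed resolver log lines.
# exfil.example is an assumed attacker domain; the log format "<client> <qname> <qtype>"
# is constructed for this example and is not any particular resolver's format.
import base64
import hashlib
import math
from collections import defaultdict

MAX_LABEL = 63          # RFC 1035 limit per label


def encode_for_dns(payload: bytes, domain: str, chunk_bytes: int = 32) -> list:
    """Split payload into base32 labels; each query name is <seq>.<data>.<domain>."""
    names = []
    for seq, i in enumerate(range(0, len(payload), chunk_bytes)):
        label = base64.b32encode(payload[i:i + chunk_bytes]).decode().rstrip("=").lower()
        if len(label) > MAX_LABEL:
            raise ValueError("chunk too large for one label")
        names.append(f"{seq}.{label}.{domain}")
    return names


def decode_for_dns(names: list, domain: str) -> bytes:
    """What the attacker's authoritative server does: put chunks back in order and decode."""
    parts = {}
    for name in names:
        seq, label = name[: -len(domain) - 1].split(".")
        parts[int(seq)] = base64.b32decode(label.upper() + "=" * (-len(label) % 8))
    return b"".join(parts[k] for k in sorted(parts))


def shannon_entropy(s: str) -> float:
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0


def registered_domain(qname: str) -> str:
    # Assumption: two-label registrable domains; a real detector uses the Public Suffix List.
    return ".".join(qname.rstrip(".").split(".")[-2:])


def flag_tunnelling(log_lines, min_label=40, min_entropy=3.5, min_unique=20, min_hits=5) -> dict:
    """Return {domain: [reasons]} for domains whose subdomain traffic looks like a tunnel."""
    uniques, long_random = defaultdict(set), defaultdict(int)
    for line in log_lines:
        _client, qname, _qtype = line.split()
        dom = registered_domain(qname)
        sub = qname[: -len(dom) - 1] if len(qname) > len(dom) else ""
        if not sub:                      # a bare lookup of the domain itself carries no data
            continue
        uniques[dom].add(sub)
        longest = max(sub.split("."), key=len)
        if len(longest) >= min_label and shannon_entropy(longest) >= min_entropy:
            long_random[dom] += 1
    flagged = {}
    for dom, subs in uniques.items():
        reasons = []
        if len(subs) >= min_unique:
            reasons.append(f"{len(subs)} unique subdomains")
        if long_random[dom] >= min_hits:
            reasons.append(f"{long_random[dom]} long high-entropy labels")
        if reasons:
            flagged[dom] = reasons
    return flagged


# Constructed data: a 640-byte "stolen file" (pseudo-random, so it behaves like
# encrypted or compressed data), tunnelled to exfil.example, mixed with normal lookups.
PAYLOAD = b"".join(hashlib.sha256(b"constructed-%d" % i).digest() for i in range(20))
TUNNEL_DOMAIN = "exfil.example"
TUNNEL_QUERIES = encode_for_dns(PAYLOAD, TUNNEL_DOMAIN)
SAMPLE_LOG = (
    ["10.0.0.5 www.roguesecurity.ca A", "10.0.0.5 roguesecurity.ca MX",
     "10.0.0.7 mail.roguesecurity.ca A", "10.0.0.7 www.google.ca A"]
    + [f"10.0.0.9 {q} TXT" for q in TUNNEL_QUERIES]
)
```

Real tunnelling tools also use TXT or NULL records for the downstream direction and pace their queries to stay under thresholds like these, so in production the unique-subdomain count per client per hour, combined with a Public Suffix List lookup, is the more durable signal.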

DNS servers are also a frequent target of distributed denial of service (DDoS) attacks such as DNS flooding and NXDOMAIN attacks. An attacker floods the server with queries, or with lookups for large numbers of random non-existent names that defeat its cache and force upstream lookups, in order to overwhelm it and take it offline; a resolver that is down takes everything behind it offline too.

DNS Security

Use a Trusted Provider

For individuals and small businesses, the simplest protection against DNS-based attacks is a DNS provider you trust. Google (8.8.8.8) and Cloudflare (1.1.1.1) both offer free, reliable public resolvers, and both support encrypted DNS (DNS over HTTPS and DNS over TLS), which stops anyone on the path between you and the resolver from reading or forging your queries.

Pi-hole

Most home users cannot afford, and do not need, their own DNS server, but perhaps you have children and like the idea of some extra protection. That is where Pi-hole comes in. Pi-hole is software that acts as a DNS sinkhole: it answers queries for known advertising, tracking and malicious domains with a non-routable address so the connection never happens. It can be used to protect the devices on your network from unwanted content, block ads, and manage which devices may resolve what.

Pi-hole originated on the Raspberry Pi, but can be installed on most Linux distributions.

Cybersecurity Daily News for June 13, 2021

Writing


Cybersecurity Daily News for June 12, 2021

Writing


Cybersecurity Daily News for June 11, 2021

Writing


Cybersecurity Daily News for June 10, 2021

Writing


CyberChef Cyber “Swiss-Army” Knife – Free Tool For Security Professionals


CyberChef is a web-based tool for carrying out a large number of data-handling operations: compressing and decompressing data, encrypting and decrypting it, creating binary and hex dumps, extracting metadata, matching YARA rules, and much more. It was created by GCHQ (Government Communications Headquarters), the United Kingdom's signals intelligence agency. It is completely open source and available to everyone on GitHub.

CyberChef is an absolute must for any security operations analyst or security professional, and it saves time in almost every use case. That is why we at Rogue Security are proud to introduce our hosted CyberChef instance!

Direct Link: https://cyberchef.roguesecurity.ca/

Disclaimer: Rogue Security takes no responsibility for any data you use within the tool. Never place secret or confidential data into a tool that you do not fully trust.

We are making CyberChef available to the general public because we believe that access to tools and resources is critical to the growth of Information Security and Cybersecurity.

CyberChef Interface


The CyberChef interface is made up of 4 areas:

1. Input — The Input field provides an area to enter or paste your text or file input.

2. Output — The Output field provides the outcome of your recipe.

3. Operations — The Operations menu gives you access to both simple and complex operations that can be performed against the input.

4. Recipe — In the Recipe field, you will use any number of Operations that will determine how your input will be processed.

You can use the Input menu to upload files and folders, and the plus (+) sign creates additional input tabs. The Input window also accepts files dropped onto it, or text pasted directly.

Operations list in CyberChef

The Operations menu gives you a list of both simple and complex operations that can be performed against

The Operations list shows the categories of operations available. I won't go through it because it is extensive, but if you can think of a data manipulation technique, it is probably here.

Hover over an operation to see details of what it does, and drag it into the Recipe window to use it against your input. Once you drag an operation into the Recipe window, and as long as you have an input and the Auto Bake feature turned on, output is generated automatically in the Output window.

CyberChef Resources

How The DOJ Recovered $2.3 Million Paid During The Colonial Pipeline Ransomware Hack

Unless you've been living under a rock, you've almost certainly heard of the ransomware attack on Georgia-based Colonial Pipeline on May 7th, 2021, which forced the company to shut down many of its IT systems to prevent further damage. The attack itself was carried out by a ransomware-as-a-service operation known as DarkSide.

DarkSide is highly sophisticated and, like groups such as Maze, has stated that it will not target critical or otherwise vulnerable bodies such as schools, hospitals and governments. In this instance the attackers went after the business side of Colonial Pipeline rather than pipeline operations, where an attack could have been devastating to oil and gas markets not just in the U.S. but internationally.

How The DOJ Recovered Coins From a Bitcoin Wallet

In a news release on June 7th, 2021, the U.S. Department of Justice announced that it had recovered 63.7 bitcoins, valued at approximately $2.3 million USD at the time, by seizing the contents of a bitcoin address used by the threat actors.

When Colonial Pipeline paid the 75 bitcoin ($4.4 million) ransom to DarkSide, it had to send it to one or more bitcoin addresses. A bitcoin address is just a string of characters (26 to 35 characters for the older Base58 formats, longer for the newer bech32 addresses that begin with bc1) that is entered as the recipient of a payment. It's a bit like entering a friend's email address when sending them an eTransfer, except that a bitcoin address does not in itself identify its owner.

Bitcoin blockchain data is public and searchable on websites such as Blockchain.com, so anyone can follow a payment from address to address. The DOJ was fortunate that the address where the funds came to rest was managed by a company within its jurisdiction. An address does not identify its owner, but the key that controls it has to be held somewhere; in this instance the funds were held by an organization the DOJ was able to serve with a warrant.

With that warrant, the DOJ obtained the private key for that address and with it could sign a transaction moving the funds out. Every bitcoin address is derived from a public key, which is in turn derived from a private key; whoever holds the private key can spend the coins, so it acts as the password for the address and must be stored securely and safely.

The funds took an interesting route to their final address, so the DOJ simply had to follow the money until it reached an address it could access. I've put the timeline into a table and included the last 6 characters of each bitcoin address, so that you can see how the payment was split and moved through a number of other addresses until it sat in one that the DOJ was able to seize.

Date        Sender               Amount (BTC)   Recipient
5/8/2021    Colonial Pipeline    75             xxxxxxxxxxxxXjc9fr
5/8/2021    Unknown              0.0005         xxxxxxxxxxxxXjc9fr
5/8/2021    xxxxxxxxxxxxXjc9fr   0.00001693     xxxxxxxxxxxxfytpsf
5/8/2021    xxxxxxxxxxxxXjc9fr   75.00034246    xxxxxxxxxxxxXg7q5X
5/8/2021    xxxxxxxxxxxxXg7q5X   74.99998307    xxxxxxxxxxxxfytpsf
5/8/2021    xxxxxxxxxxxxXg7q5X   0.00006748     xxxxxxxxxxxxtKycsm
5/8/2021    xxxxxxxxxxxxfytpsf   11.24962019    xxxxxxxxxxxxz99zwt
5/8/2021    xxxxxxxxxxxxfytpsf   63.74998561    xxxxxxxxxxxxeqwg45
5/9/2021    xxxxxxxxxxxxeqwg45   63.7           xxxxxxxxxxxxKcdNxB
5/9/2021    xxxxxxxxxxxxeqwg45   0.04976631     xxxxxxxxxxxxeqwg45
5/27/2021   xxxxxxxxxxxxKcdNxB   69.60422177    xxxxxxxxxxxxcfsegq
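To show what "follow the money" means in practice, here is an added example (not code from the original post) that loads the table above and walks the payment graph: it finds where the coins came to rest, how much each address did not pass on (change left behind or miner fees), and how much of the seized address's balance cannot be traced back to Colonial from these rows. The 6-character addresses are the page's abbreviations, not real bitcoin addresses, and the dollar conversion uses the rate implied by the DOJ's own figure of $2.3 million for 63.7 BTC.

```python
# Added example (not the original post's code): follow-the-money over the page's
# transaction table. Addresses are the page's own abbreviated 6-character suffixes;
# Decimal is used because bitcoin amounts are exact to 8 places (satoshis).
from collections import defaultdict, deque
from decimal import Decimal

# (date, sender, amount in BTC, recipient), transcribed from the table above.
TRANSFERS = [
    ("5/8/2021",  "Colonial Pipeline", Decimal("75"),          "Xjc9fr"),
    ("5/8/2021",  "Unknown",           Decimal("0.0005"),      "Xjc9fr"),
    ("5/8/2021",  "Xjc9fr",            Decimal("0.00001693"),  "fytpsf"),
    ("5/8/2021",  "Xjc9fr",            Decimal("75.00034246"), "Xg7q5X"),
    ("5/8/2021",  "Xg7q5X",            Decimal("74.99998307"), "fytpsf"),
    ("5/8/2021",  "Xg7q5X",            Decimal("0.00006748"),  "tKycsm"),
    ("5/8/2021",  "fytpsf",            Decimal("11.24962019"), "z99zwt"),
    ("5/8/2021",  "fytpsf",            Decimal("63.74998561"), "eqwg45"),
    ("5/9/2021",  "eqwg45",            Decimal("63.7"),        "KcdNxB"),
    ("5/9/2021",  "eqwg45",            Decimal("0.04976631"),  "eqwg45"),
    ("5/27/2021", "KcdNxB",            Decimal("69.60422177"), "cfsegq"),
]


def totals(transfers):
    """Per-address inflow and outflow; a self-transfer (change back to the same address) is neither."""
    inflow, outflow = defaultdict(Decimal), defaultdict(Decimal)
    for _, sender, amount, recipient in transfers:
        if sender == recipient:
            continue
        outflow[sender] += amount
        inflow[recipient] += amount
    return inflow, outflow


def hops_from(origin, transfers):
    """Breadth-first walk of the payment graph: fewest transfers from origin to each address."""
    edges = defaultdict(set)
    for _, sender, _, recipient in transfers:
        if sender != recipient:
            edges[sender].add(recipient)
    dist, queue = {origin: 0}, deque([origin])
    while queue:
        node = queue.popleft()
        for nxt in edges[node]:
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist


def terminal_addresses(origin, transfers):
    """Addresses reachable from origin that never send funds on: where the money is sitting."""
    _, outflow = totals(transfers)
    return {a for a in hops_from(origin, transfers) if a != origin and outflow[a] == 0}


def not_forwarded(address, transfers):
    """Inflow that did not move on: coins still at the address (change) plus miner fees paid."""
    inflow, outflow = totals(transfers)
    return inflow[address] - outflow[address]


def unexplained_inflow(address, transfers):
    """Outflow not covered by the inflow in the table, i.e. funds from transactions not traced here."""
    inflow, outflow = totals(transfers)
    return max(outflow[address] - inflow[address], Decimal(0))


def implied_usd(btc, total_usd=Decimal("2300000"), total_btc=Decimal("63.7")):
    """Value `btc` at the rate implied by the DOJ's $2.3M-for-63.7-BTC figure."""
    return (btc * total_usd / total_btc).quantize(Decimal("1"))
```

Running unexplained_inflow("KcdNxB", TRANSFERS) gives 5.90422177 BTC: the seized address sent out more than the table shows it receiving from the Colonial payment, so that remainder came from transactions not traced here.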

You might notice that the address seized by the DOJ held a little more than 69 bitcoins. Colonial got back the 63.7 bitcoins that the DOJ could trace directly to its payment; the remaining 5.90422177 bitcoins (69.60422177 minus 63.7) cannot be traced to Colonial from this table, and the DOJ is set to keep them. At the roughly $36,100 per bitcoin implied by the DOJ's own figures ($2.3 million for 63.7 bitcoins), that remainder is worth about $213,000 USD.