""/
Cyber Threat Alert, News

Cyber Threat Alert: Dangerous Microsoft Exchange Exploits

Does your organisation run a Microsoft Exchange Server? If so read on!

What Happened?

Microsoft has detected multiple zero day exploits attacking on-premises versions of Microsoft Exchange Server. In these attacks, the threat actor accesses on-premises Exchange servers (and the associated email accounts) and installs additional malware to retain unauthorized access to the environment.

What is Affected?

The vulnerabilities affect Microsoft Exchange Server. Exchange Online is NOT affected.

The versions affected are:

  • Microsoft Exchange Server 2013
  • Microsoft Exchange Server 2016
  • Microsoft Exchange Server 2019

What to Do

If you run any of the affected versions, IMMEDIATELY apply these updates to affected systems to protect against these exploits. Externally facing Exchange servers should be updated first and then update all affected Exchange Servers.

Node Prevent

When you purchase one of our cyber insurance policies you’ll receive vital cybersecurity updates such as this and online training courses to keep your employees up-to-date with the current cyber threats.

""/
News

Data Privacy Day, advice for businesses

According to a Pew Research Center study, 79% of U.S. adults report being concerned about the way their data is being used by companies.

By respecting your consumers’ privacy you’ll increase trust and enhance reputation and growth in your business.

How can you protect customer data:

  1. If you collect it, protect it. Data breaches lead to financial loss, reputational damage and diminishing customer trust. By following reasonable security measures you can keep individuals’ personal information safe from inappropriate and unauthorized access. Only collect personal data for relevant and legitimate purposes and make sure it’s processed in a fair manner.
  2. Consider adopting a privacy framework. Research and adopt a privacy framework in your business to help you manage risk and create a culture of privacy in your organisation. You may find the following frameworks useful:
  3. Conduct an assessment of your data collection practices. Which privacy laws and regulations apply to your business? Make sure you fully understand the requirements and educate your employees of their and your organisation’s obligations to protecting personal information. 
  4. Transparency builds trust. Be open and honest about how you collect, use and share consumers’ personal information. Communicate clearly what privacy means to your organisation and how you achieve and maintain privacy. How would the consumer expect their data to be used? Create design settings to protect their information by default.
  5. Maintain oversight of partners and vendors. If someone provides services on your behalf, you are also responsible for how they collect and use your consumers’ personal information.

Find out more here.

News

Healthcare suffers a 51% spike in web app attacks in response to COVID-19 vaccine

The healthcare sector experienced a surge in web application attacks in December when the distribution of the first COVID-19 vaccines began, according to new data from Imperva.

Attacks increased 51% last month from November, an industry increasingly targeted by cyber-criminals over the past year due to the global pandemic.

Web application attacks are serious weaknesses or vulnerabilities that allow criminals to gain direct and public access to databases with the goal of using the sensitive data within. Many of these databases contain valuable information such as personal data and financial details, meaning they are frequently targeted.

Four specific web application attacks saw the largest increases in December:

1.) Cross-site scripting (XSS) detections
2.) SQL injection attacks
3.) Remote code execution/remote file inclusion
4.) Protocol manipulation attack

How can healthcare organisations reduce web application attacks?

1.) Web Application Firewalls (WAFs): A vital defence for critical applications and data. WAF controls access to web applications using rules designed to recognise and restrict suspicious activity, such as SQLi, XSS and exploitation of vulnerabilities. By continuously updating the rules they are prepared to catch the latest attack and exploitation techniques before they can harm important resources.

2. Vulnerability Scanning and Security Testing: The fact web applications connect external users to data and services easily makes them big targets for attackers. Scanning and testing databases, networks and applications can help find where the vulnerabilities are and how to mitigate them.

3. Secure Development Training: Provide your developers, testers, project managers and architects with the latest information regarding secure software development. Ensure there is a baseline of security awareness so staff can confidently design, build and deploy secure software and applications.

Terry Ray, Imperva, said that 2020 has been an “unprecedented year” of cyber activity, with global healthcare organizations (HCOs) experiencing 187 million attacks per month on average. That’s almost 500 attacks per HCO each month, a 10% increase year-on-year.

The US, Brazil, UK and Canada were the top countries targeted last year.

Ray believes that Healthcare’s reliance on third-party applications to save time and money may have exposed them.

“While there are sometimes business advantages to third-party applications, the risks include: patching only on the vendor’s timeline, known exploits that are widely publicized and constant zero-day research on widely used third-party tools and APIs.”

Ray also highlighted how exploiting web application vulnerabilities is the most common cyber attacks directed at healthcare organisations.

“Reliance on JavaScript APIs and third-party applications creates a threat landscape of more complex, automated, and opportunistic cybersecurity risks that are increasingly challenging for all organizations to detect and stop. And while ransomware attacks commonly land healthcare organizations in the news, it’s only the vulnerable application front-end to all healthcare data that experiences the variety and volume of daily attacks noted above.”

In just the first three days of 2021, Imperva saw a 43% increase in data leakage.

Cyber Threat Alert

5 Cyber Threats You Will Encounter In 2021

Here are our predictions for 2021 based on statistics collected from 2020.

We warned of ransomware, phishing and remote worker security last year but they won’t be disappearing from our top threats any time soon.

Newcomers AI-driven threats and Cloud threats grow as we rely on these services more and more.

Find our article on the top cyber threats of 2020 here.

Prevention and detection are key to avoiding these cyber threats.

Insurance is necessary but shouldn’t be your only line of defence. Actions need to be taken to help avoid cyber attacks in the first place.

We provide prevention and detection tools with our insurance in the hope you never have to experience a cyber attack. But if the worse should happen we will be there to help you fix it.

Learn more by checking out our in depth articles on some of the cyber threats:

News

SolarWinds Breach: What you need to know

SolarWinds, a popular IT security vendor with 300,000 global customers (including many small to medium size businesses and their Managed Service Providers), has suffered a major compromise.
 
If your organization uses the SolarWinds Orion Platform, READ ON. If you’re not sure, ask someone in your organization that does.
 
Even if you don’t use the SolarWinds Orion Platform, one of your business partners may be among the 18,000 organizations potentially affected by this breach. 

SolarWinds, a popular IT security vendor with 300,000 global customers (including many small to medium size businesses and their Managed Service Providers), has suffered a major compromise.
 
If your organization uses the SolarWinds Orion Platform, READ ON. If you’re not sure, ask someone in your organization that does.
 
Even if you don’t use the SolarWinds Orion Platform, one of your business partners may be among the 18,000 organizations potentially affected by this breach. 

We strongly recommend you contact all business partners with whom you share sensitive business information or allow access into your IT environment to ensure that, if they use the affected platforms, they are taking the recommended actions below.

If you are allowing an affected partner access into your IT environment, we recommend disabling that access until the issue has been remediated.

Indeed, the Cybersecurity and Infrastructure Security Agency (CISA) has advised everyone that uses the SolarWinds Orion monitoring software to assume they’ve been “compromised by threat actors and assume that further persistence mechanisms have been deployed.”

What Happened?
The compromise allowed hackers to inject malicious code into legitimate software released by SolarWinds for its Orion platform, a suite of network management tools.

This malicious code is a backdoor that communicates with command-and-control servers operated by a malicious third party.

This supply chain attack has been connected with the recent FireEye and U.S. Department of Homeland Security (DHS) hacks.

Affected organizations may have been compromised by malicious hackers as early as May 2020.

What/Who is Affected?
The compromised platforms are SolarWinds® Orion® Platform software builds for versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1.

The known affected products for these Orion Platforms are:

  • Application Centric Monitor (ACM)
  • Database Performance Analyzer Integration Module*(DPAIM*)
  • Enterprise Operations Console (EOC)
  • High Availability (HA)
  • IP Address Manager (IPAM)
  • Log Analyzer (LA)
  • Network Automation Manager (NAM)
  • Network Configuration Manager (NCM)
  • Network Operations Manager (NOM)
  • Network Performance Monitor (NPM)
  • NetFlow Traffic Analyzer (NTA)
  • Server & Application Monitor (SAM)
  • Server Configuration Monitor (SCM)
  • Storage Resource Monitor (SRM)
  • User Device Tracker (UDT)
  • Virtualization Manager (VMAN)
  • VoIP & Network Quality Manager (VNQM)
  • Web Performance Monitor (WPM)

SolarWinds said Orion update versions 2019.4 through 2020.2.1 (released between March 2020 and June 2020) also contain the malware.
 
If your organization uses any of the affected Orion affected platforms/products, we recommend you immediately investigate what versions you are running and take the below steps.

What to Do 
Affected organizations should immediately power down or disconnect from their network SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1.

SolarWinds recommends the following immediate actions.

  • All customers with any of the above affected products for Orion Platform v2020.2 with no hotfix or 2020.2 HF 1 to upgrade to Orion Platform version 2020.2.1 HF 2 as soon as possible. This version is available here.
  • SolarWinds asks customers with any of the below products listed as known affected for Orion Platform v2019.4 HF 5 to update to 2019.4 HF 6, which is available for download here.
  • The hotfix release 2020.2.1 HF 2 is now available in the SolarWinds Customer Portal at customerportal.solarwinds.com
  • All customers should update to release 2020.2.1 HF 2, as this release replaces the compromised component and provides several additional security enhancements.

If you cannot upgrade immediately, SolarWinds recommends installing your Orion Platform behind firewalls, disabling internet access for the Orion Platform, and limiting the ports and connections to only what is necessary. For more information, read SolarWinds Orion Platform best practices configurations and the entire SolarWinds security advisory.

Cyber Tips, Tech

Happy Thanksgiving! Stay Safe With Our 5 Simple Cyber Tips!

We wish you all the best over the holiday season!

As Black Friday approaches, more people are shopping online than ever before, and consequently, scams and cyber-crime are skyrocketing. 

We would like to share our five useful tips to help identify and avoid cyber scams over the holidays.  

Any last minute submissions? We have underwriters working as usual over the holiday period so don’t hesitate to get in touch. 

Feel free to download and share!

Want more? Drop us an email, we would love to share our creative content with you. 

Node Chats

Node Chats: Raising Cyber Ethical Kids

“If kids have unfettered, unsupervised use of these smart devices, they’re playing in a global village.”

Cyberman365 edition! This episode we are changing it up with an episode centred around personal cyber risks your family may face.

Neil Gurnhill talks to Frederick Lane, attorney and author of multiple books on cybersafety, digital misconduct and personal privacy, about keeping your family safe in the digital age in the sixth episode of Node Chats.

Your podcast for all things cybersecurity brought to you by Node International, specialists in cyber insurance.

Watch the full episode here:

Cyber Threat Alert, Tech

Top Five Cyber Threats 2020

Where should you focus your cybersecurity efforts?

These top five threats are a good place to start:

Don’t let phishing scare you, this is an easily avoided cyber threat avoided by changing bad habits, learn more about it in our article here.

Ransomware worries? Discover personalised methods of attack to watch out for and everything else you need to know here.

Keep an eye out for the rest of our in-depth articles covering all five cyber threats individually.

""/
Phishing

Phishing, our biggest online threat to remote workers

Phishing is when you receive an email that tricks you into clicking on a link to a fraudulent website and then sharing private information, or opening a malicious attachment on your phone, tablet or computer.

If you trust the link you could be giving away your user names, passwords, Social Security numbers, bank details or installing malware, like viruses, spyware or ransomware on your device and at work you could be handing over access to your company and all their sensitive data.

Phishing is the top cybercrime in the US. In 2019, the FBI reported that it had claimed nearly 115,000 victims with victim losses at $57.8 million, an average of $507 per victim. 

Spotting the phishing attack

Don’t get complacent, the top branded security software (e.g. Norton, Bitdefender etc) are very good at taking out phishing emails before they hit your inbox. But, it’s a false sense of security as some still get through. In fact, in your personal life and as an employee, the next 100 emails you receive, possibly three or four will be phishing scam emails.

The most important golden rule. Change your mindset. Don’t trust emails and don’t click on a link in an email. I’m purposefully, stressing this as the golden rule, even though you think it to be too onerous and impractical. Nonetheless, for the next seven days examine every email (see tips below) and learn to change your mindset and start spotting phishing attempts. The extra time you spend on examining your inbox will build your confidence and you will feel much more confident about email management.

The only time you can trust an email is if it comes from an email address you recognise and the email doesn’t seem out of the ordinary. Even here, if it contains an attachment don’t click on it yet.

Make sure you double check the email address and not just the name. Give the sender a call if you are unsure. Malware is commonly passed between compromised emails accounts so even if the email address is correct that doesn’t mean someone else isn’t sending fraudulent emails from their account.

How to check for the signs of phishing. There are five signs:

  1. Poor grammar. As far as the US is concerned, most cyber criminals are based in overseas countries such as Russia, North Korea, Eastern Europe, China and Iran. For the majority, US English is a foreign language. They make spelling errors (although they have improved significantly in recent years) and make grammatical errors (much harder to improve upon). In fact, as you read the email you will make an on-the-spot judgement – this is well written, this is poorly written. If it is poorly written be wary.
  2. Suspicious logo. If the email is topped with the logo of a known trusted business or government department, then check it against the official website with a quick Google. False logos can have washed out colours, faded edges or imprecise proportions. In effect, it could be a poor copy and paste job. 
  3. Check the URL. Imagine you receive an email from NETFLIX containing a link. If you hover over the link (DON’T CLICK!) a small display will appear containing www.netflix.com plus suffices. You’ve validated the email that it is from NETFLIX. Job done. Imagine it reported www.netfilx.com or www.netflics.com then DO NOT click on the link. It’s false and belongs to a cybercriminal. In fact, any errors, whether spelling or design is a warning. Be super-cautious.
  4. Check the greeting. On my domestic accounts very rarely do I receive the greetings, ‘Dear customer’, ‘Dear subscriber’, ‘Dear friend’ or the more informal,’ Hi customer’, ‘Hi subscriber’. They say, ‘Dear Neil’ or ‘Hi Neil’. This is how customer-orientated domestic businesses tend to interact with their customers. Foreign cybercriminals make mistake ‘out-of-culture’ errors on greetings and/or sign offs. 
  5. Attachments. Legitimate companies don’t send attachments that you didn’t ask for and also would not request sensitive information via email.

If all are followed with the instruction to click on the link to learn more and/or correct the problem. Be super-cautious.

""/
Ransomware

Ransomware 101 – An evolving threat

What is ransomware?

Ransomware is a digital crime where your computer files are ‘stolen’ and encrypted, blocking you from your computer. To gain access to your files you usually have to pay a ransom, normally in bitcoin. 

It takes an average of 3 seconds after clicking an infected link for ransomware to start encrypting your files at lightning speed according to Arctic Wolf Networks.

There are three steps:

  1. You receive a phishing email containing the ransomware link.
  2. The victim clicks on an infected link, the ransomware is delivered and starts encrypting files. 
  3. A screenshot will then appear on your screen announcing the ransomware infection, how much the ransom is and how it’s to be delivered to the criminal.

Whatever, the screenshot wording says, the message is GOTCHA!

Who are the victims?

Ransomware is an international phenomenon. Although the majority of cases are heavily focused in the US.

53% of Ransomware detections came from the US in June 2018 – 2019

Canada receives 10% and the UK 9% following the trend of targeting English speaking countries according to Malwarebytes’ global detection statistics.

46% of SMBs have been targeted by ransomware, 73% have paid the ransom.

Shocking figures from Infrascale, highlighting that smaller sized businesses are certainly not targeted less because of their size.

The History of Ransomware

Ransomware has changed its nature in the last few years. About ten years ago, ransomware was a simple scam based on fake antivirus apps leading to a payment to ‘fix’ the problem. 

Then, the fashion changed to ‘blockers’ or ‘lockers’ that locked the user out of their computers asking for payment to be unlocked. 

Now, the fashion is for ‘crypto-ransomware’ that not only locks you out of your files but also encrypts your files. You will likely have to pay a ‘ransom’ in bitcoins to get your files back.

Bitcoin has significantly increased the success and profitability of ransomware of criminals. By using a bitcoin ‘wallet’ for each attack, then moving these wallets through chains of wallets, the movement of money is outside the traditional financial system and anonymous.

Crypto-ransomware

Crypto-ransomware is very effective. It generally uses unbreakable encryption and if the user has no file backups then the only solution may be to pay the ransom. 

Even if you pay you may not get your files back – don’t forget you are dealing with anonymous criminals!

The near-majority of people pay the ransom. However, a significant minority of payers do not get their files restored or the restoration instructions are not complete or do not work.

The cost is also rising dramatically according to the Coveware Q2 Ransomware Marketplace Report and this trend is what we expect to continue seeing.

The average ransom payment increased by 184% from Q1 to Q2 this year, nearly tripling the cost from $12,762 to $36,295

How are ransomware attacks delivered?

Spam campaigns hit millions of users daily. Just 0.001% of these spams finding a victim still means high profits to the criminals.

A click-rate of only 0.001% (and lower) is still very profitable to the criminal – they sent out 10m spam emails. At 0.001% click-through rate, that’s over $100,000 of ransom returns!

The most common way of infection is by a person(s) simply clicking on a link in a botnet-delivered email. Some of these emails will be categorised as spam and others deleted by the recipient, however, the criminal plans on these deletions. 

Ransomware criminals are now becoming more expert, innovative and audacious with their tactics.

They are finding ways to stay out of the spam folder to increase their click rate by creating more believable personalised campaigns with a higher ransom cost.

Personalised methods of attack to watch out for

1.) Social media

The newer trend is to ‘personalise’ the email using data from social media sites. The criminal collects data from sites like Facebook or LinkedIn and searches for potential candidates. 

Or, they may buy or hire email lists of individuals in a certain target industry and/or profession. Sure, the criminal is spending time and money but they will get a higher click-through rate.

On a much-reduced spam email volume, they might net $250,000 or more.

2.) Impersonation of the government or a business

Further variations are emails from well-known organizations such as a delivery note from UPS, an alert from the IRS (Internal Revenue Service), a family post on social media and so on. 

3.) Downloads

These infections depend on spam emails getting through. A more reliable method for criminals is to get the recipient to download an infected work-relevant file containing a macro, which in turn delivers the ransomware. 

Within the download is a macro that may initiate the ransomware at a later date.

As the criminals say ‘‘job done’’, and then they wait to receive their $250,000 returns. 

4.) Exploit kits

Another mechanism, now becoming more common, is the trend of ‘exploit kits’. Typically, these are fake notifications to update a piece of software from a reputable software supplier, such as JavaScript or Adobe Flash. 

Although seemingly reliable as a source, the download leads to the ransomware being installed. 

5.) Iframes

Further variations are ‘iframes’ installed on web servers and the web pages on the server. The ’iframe’ directs website visitors to the exploit server, which downloads the ransomware. Variations are particularly harmful. For example, an advert placed on a popular website is an advert that directs to the exploit kit. 

Summary

Simply put, it’s based on one inadvertent and simple action. Someone clicks on an infected link on an email and/or website – stop this and you stop ransomware.

We understand that it’s not always that clear cut which is why we provide educational materials to our insureds and educational content to our followers in the hope that we can contribute to the creation of a cyber-risk aware world.

1 2 3
Recent Comments
    About Node International

    We provide leading comprehensive insurance coverage combined with essential cybersecurity prevention and detection tools.

    Related Links
    Cyber Insurance Newsletter

    Interested in Cyber Insurance?

    Privacy Settings
    We use cookies to enhance your experience while using our website. If you are using our Services via a browser you can restrict, block or remove cookies through your web browser settings. We also use content and scripts from third parties that may use tracking technologies. You can selectively provide your consent below to allow such third party embeds. For complete information about the cookies we use, data we collect and how we process them, please check our Privacy Policy
    Youtube
    Consent to display content from Youtube
    Vimeo
    Consent to display content from Vimeo
    Google Maps
    Consent to display content from Google
    Spotify
    Consent to display content from Spotify
    Sound Cloud
    Consent to display content from Sound