CVE-2020-28441


This affects the package conf-cfg-ini before 1.2.2. If an attacker can submit a crafted INI file to an application that parses it with decode, they can pollute the prototype of Object in that application (prototype pollution): a section or key named __proto__ is written through to the shared prototype instead of to a fresh object, so every object in the process acquires the attacker's properties. How far this can be exploited depends on what the application does with those properties.
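The pattern described above, as an added illustration that is not the conf-cfg-ini source: a minimal INI decoder with the vulnerable section handling beside a hardened version. The function names, the deny-list and the sample files are this example's own assumptions.

```javascript
// Added illustration, not the conf-cfg-ini source: a minimal INI decoder that shows
// the prototype-pollution pattern the advisory describes, beside a hardened one.
// Function and section names here are this example's own.

// Vulnerable: section names become property names on a plain object, so the header
// "[__proto__]" resolves to Object.prototype and every key under it lands on every
// object in the process.
function decodeIniUnsafe(text) {
  const result = {};
  let section = result;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith(';') || line.startsWith('#')) continue;
    const header = line.match(/^\[(.+)\]$/);
    if (header) {
      // Bug: result["__proto__"] is Object.prototype, not a fresh object.
      section = result[header[1]] = result[header[1]] || {};
      continue;
    }
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    section[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return result;
}

// Hardened: prototype-less containers (so "__proto__" is just a string key), an
// explicit deny-list for names that reach the prototype chain, and own-property
// checks instead of truthiness.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

function decodeIniSafe(text) {
  const result = Object.create(null);
  let section = result;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith(';') || line.startsWith('#')) continue;
    const header = line.match(/^\[(.+)\]$/);
    if (header) {
      const name = header[1].trim();
      if (FORBIDDEN.has(name)) throw new Error(`refusing unsafe section name: ${name}`);
      if (!Object.prototype.hasOwnProperty.call(result, name)) result[name] = Object.create(null);
      section = result[name];
      continue;
    }
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    const key = line.slice(0, eq).trim();
    if (FORBIDDEN.has(key)) throw new Error(`refusing unsafe key: ${key}`);
    section[key] = line.slice(eq + 1).trim();
  }
  return result;
}

// Constructed sample inputs: the kind of file the advisory warns about, and a benign one.
const MALICIOUS_INI = ['[__proto__]', 'polluted = yes'].join('\n');
const BENIGN_INI = ['[db]', 'host = localhost', '; comment', 'port = 5432'].join('\n');

function demonstrate() {
  decodeIniUnsafe(MALICIOUS_INI);
  const leaked = ({}).polluted;          // unrelated objects now carry the attacker's property
  delete Object.prototype.polluted;      // undo the pollution for the rest of the process
  let safeError = null;
  try { decodeIniSafe(MALICIOUS_INI); } catch (e) { safeError = e.message; }
  const cfg = decodeIniSafe(BENIGN_INI);
  return { leaked, afterCleanup: ({}).polluted, safeError, dbHost: cfg.db.host, dbPort: cfg.db.port };
}
```

The null-prototype container alone would already stop the write from reaching Object.prototype; the deny-list is there so that a later refactor back to plain objects, or a consumer that copies the parsed tree into one, does not silently reopen the hole.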


What Are Ransomware Attacks? An In-Depth Guide


We all love to spend time surfing the web — whether we’re shopping, paying bills, or reacting to funny memes. The internet has also allowed many of us to keep working from home even during the pandemic.  

The internet is great, but the best way to keep enjoying it is to know where and how bad actors can pop up in our computer systems. 

One way is through the use of ransomware, which is a type of malware that threatens users with blocked access or doxing (exposing personal information) if they don’t pay money to the cybercriminals who sent the malicious software.  

We’ll explain what ransomware is, how it works, and how to defend against it so you can stay one step ahead and continue enjoying life online. 

What is ransomware?

Ransomware is malware that uses encryption to hold your information for ransom. This might mean you can't access critical data in files, databases, or applications. The cybercriminal then demands a ransom to restore access.

Often, ransomware includes a deadline to add a sense of urgency to the threat. Typical ransom notes warn that your data will be lost, or published on the web for the world to see, if you don't pay. Demands are almost always for Bitcoin or another cryptocurrency, because such payments are hard to block and hard to tie to a person, even though the transactions themselves are recorded on a public ledger.

Unfortunately, ransomware is often designed to spread across a network and target database and file servers — quickly paralyzing an entire organization. Ransomware attacks represent a growing problem, generating billions of dollars in payments to cybercriminals and inflicting damage and expenses for businesses and governmental organizations.  

However, if you have a basic understanding of how ransomware works, you can take steps to protect yourself. 

How does ransomware work?

Ransomware typically uses hybrid encryption, a combination of symmetric and asymmetric methods. A fast symmetric cipher (for example AES) encrypts the file contents with a key generated on the victim's machine, and that symmetric key is then encrypted with a public key embedded in the malware. The matching private key never leaves the attacker's infrastructure, so nothing left on the victim's disk can recover the file keys, and the victim has to rely on the attacker for decryption, for a price, of course.

The attacker releases the private key (or the unwrapped per-victim file keys) only after the ransom is paid, and not always even then, as recent campaigns have shown. Without that key the files are effectively lost, unless the malware's implementation has a flaw, such as a key left in memory or a weak random number generator, that a decryption tool can take advantage of.

Many forms of ransomware exist. Most of it (like other malware) is distributed through email spam campaigns, phishing, or targeted intrusions. Malware needs an attack vector, the path a cybercriminal uses to reach a device and deliver the malicious software: an email attachment, a compromised or malicious web page, a pop-up window, an instant message, or an exposed remote-access service with a weak or stolen password. Once running, the malware typically stays resident until it has finished its task. 

After a successful exploit, ransomware drops and executes a malicious binary on the infected system. This binary then searches and encrypts valuable files, such as Microsoft Word documents, images, databases, and so on. The ransomware may also exploit system and network vulnerabilities to spread to other systems and possibly across entire organizations. 

Once files are encrypted, ransomware prompts the user for a ransom to be paid within 24 to 48 hours to decrypt the files, or they’ll be lost forever. If a data backup is unavailable or those backups are encrypted, the victim might have to pay the ransom to recover their personal files. 

Examples of ransomware attacks

Cyberattacks, including different types of ransomware, occur and evolve all the time, but there are several ways to avoid them. 

It all starts with looking to the past to protect your sensitive data in the future. In the next few sections, we’ll cover how hackers have engaged in extortion across computer systems over the years. 

CryptoLocker

CryptoLocker was one of the earliest large-scale examples of this type of malware, demanding payment in Bitcoin (or prepaid cash vouchers) for the key to a victim's data. For many people it was the first time they heard the term "ransomware". 

In 2013, CryptoLocker arrived as an email attachment disguised as a shipment-tracking notification from carriers such as UPS and FedEx. It infected more than 250,000 computer systems and extorted up to $27 million. 

Although the criminals' key database was recovered in 2014 and a free decryption tool was released, the same lure still works against users who open an attachment without recognizing what it is. 

WannaCry

In 2017, WannaCry took the "worm" approach to ransomware: beyond the initial infection, it scanned for other Windows machines and spread to them over the network by exploiting a flaw in the SMBv1 file-sharing protocol that Microsoft had patched two months earlier (MS17-010). On each infected PC it encrypted the user's files and demanded Bitcoin for their return. Estimates point to over 200,000 computers being infected around the world.  

A researcher noticed that the malware checked an unregistered domain before running and registered it, which acted as a kill switch and halted that wave of infections. The kill switch does nothing for machines already encrypted or unable to reach the domain, unpatched SMBv1 hosts remain exposed to the same exploit, and the actors behind WannaCry are still active. 

Kaseya

The Kaseya ransomware attack occurred on July 2, 2021, and drew an FBI response because it was a global cybercrime event. The REvil group exploited vulnerabilities in the on-premises version of Kaseya VSA, a remote-monitoring and management product, and used it to push their ransomware to the endpoints it administered. They then demanded $70 million in Bitcoin for a universal decryptor. 

Because VSA is used by managed service providers to administer their customers' systems, a single compromise reached all of those downstream customers. The attack is estimated to have affected around 1,500 organizations across the world.  

Kaseya has since released patches for the affected servers. 

JBS

You might not immediately think of the world's largest meat supplier as a ransomware victim, but that is exactly what happened to JBS Foods.  

In May 2021, REvil attacked JBS's North American and Australian plants, encrypting data and threatening to disrupt the food supply chain. The company paid a ransom of roughly $11 million in Bitcoin.  

Colonial Pipeline

On May 7, 2021, the DarkSide ransomware group forced the Colonial Pipeline Company to halt fuel distribution after gaining access through a single leaked password for a virtual private network (VPN) account belonging to the company.  

Even though the account was no longer in active use, it had not been disabled and was not protected by multi-factor authentication, so it still worked as an entry point into the Colonial network. The password appeared in a batch of compromised credentials on the dark web, leading investigators to believe an employee had reused it on another service that was breached.  


This major cybersecurity event shows how ransomware operators can get inside computer systems without phishing anyone: one reused password on an account nobody had switched off. 

How to defend against ransomware

Being proactive is one of the best things you can do to safeguard against ransomware attacks. This means thinking ahead to what vulnerabilities may exist in your current computer network setup and addressing them before they’re used for cyber extortion.  

There are several ways you can help reduce your exposure to cybercriminals by simply being alert to where they usually get in. The following sections offer information on how to set up the best possible defense against ransomware. 

Back up your data

The best way to avoid the threat of being locked out of your critical files is to ensure that you always have backup copies of them, preferably both in the cloud and on an external drive that is disconnected when not in use. This way, if you do get a ransomware infection, you can wipe your computer or device and reinstall your files from backup. This protects your data, and you won't be tempted to reward the malware authors by paying a ransom. Backups won't prevent ransomware, but they turn a crisis into a restore job. 

Secure your backups

Make sure your backups cannot be modified or deleted from the systems they protect. Ransomware looks for backups and encrypts or deletes them so they can't be used for recovery, so use backup systems that give the protected machines no direct write access to the backup files: offline or disconnected media, or cloud storage with immutability or object-lock retention and its own separate credentials. Test a restore from time to time; a backup you have never restored from is an assumption, not a plan. 

Use security software and keep it up to date

Make sure all of your computers and devices are protected with comprehensive security software and keep all of your software up to date. Make sure you update your devices’ software early and often, as patches for flaws are typically included in each update.

Practice safe surfing

Be careful where you click. Don't respond to emails and text messages from people you don't know, and only download applications from trusted sources. This matters because malware authors rely on social engineering to get you to install dangerous files. 

Only use secure networks

Avoid using public Wi-Fi networks, since many of them aren't secure and cybercriminals can snoop on your internet usage. Instead, consider installing a VPN like McAfee Secure VPN, which provides you with an encrypted connection to the internet no matter where you go. 

Stay informed

Keep current on the latest ransomware threats so you know what to look out for. If you do get a ransomware infection and haven't backed up all of your files, know that free decryption tools are published by security companies and law-enforcement partnerships (the No More Ransom project, for example) for families whose keys have been recovered or whose encryption was flawed. 

What to do if you’re the victim of a ransomware attack

Ransomware attacks don’t have to spell disaster if you catch them in time and know what to do. If you suspect you’ve been hit with a ransomware attack, it’s important to act quickly.  

Fortunately, there are several steps you can take to address ransomware issues quickly and have your computer systems return to business as usual in no time. 

Isolate the infected device. Many antimalware programs start by discovering where the ransomware has made its home. This might be a single device within your network or many devices. Whatever the case, separating infected computers and other devices from the primary network, and from any other path to your sensitive data, should be step one.
Assess the damage. Understanding what the ransomware on your computer has had access to is the next step. Is it just your password-protected online accounts, or have your financial and health care records also been involved? Sometimes the extent of the damage is immediately obvious. Other times it takes investigation to establish which systems and data were actually reached.
Identify the ransomware. Finding out who and what has breached your systems is crucial, because it determines whether a decryptor exists and what the group is known to do with stolen data. Well-known groups like REvil and DarkSide have often concentrated on large corporations, but ransomware as a service (RaaS) means that bad actors can and will target anyone now.
Report the ransomware to authorities. Whether you have been hit by an older family such as Petya or a more recent one such as Ryuk, report the incident to law enforcement. Reports help investigators link incidents to the groups behind them and, when keys are seized, build decryptors. A report also creates a record that you were the victim, which matters if any payment is later questioned.
Evaluate your backups. Lastly, take a good look at your storage and backup systems once you are through the first hassles of a ransomware attack. Make sure that any external hard drives or cloud storage spaces have remained clean. If these safe copies still exist, you can usually use them to restore most of your sensitive data. 

Get a personalized protection plan

We’ve all spent more time online recently in the wake of the pandemic, and no one needs cybersecurity issues on their plates during this or any other time. The good news is that antivirus software is evolving rapidly and there are plenty of steps you can take to shield your computer systems from needless attacks like ransomware. 

One surefire way to get peace of mind against hacker groups is to put your trust in the expert care of Total Protection services from McAfee. All of our plans come with a private VPN, antivirus protection, and safe-browsing features. This means you can live your connected life free from threats like ransomware, malware, and more.  

With multiple affordable plans, there’s a McAfee protection plan for every person. It’s a small price to pay for staying one step ahead of ransomware attacks.  

The post What Are Ransomware Attacks? An In-Depth Guide appeared first on McAfee Blog.


The future of email threat detection


This blog was written by an independent guest blogger.

As businesses continue to adopt cloud services and remote work increases, security teams face more visibility challenges as well as an influx of security event data. The need to understand threats is greater than ever, because the attack surface grows and attacker tactics multiply. Cyber threats are becoming more sophisticated and more frequent, forcing organizations to rely on quality threat detection to protect their data, employees, and reputation.

With the vast majority of cybercrime beginning with phishing or spear-phishing email, an effective security solution should focus on your email system. To combat these attacks, you’ll need threat detection services with multiple layers in their approach as no single threat detection tool is equipped to prevent every type of attack. This article will explore the future of security strategies to help keep email and data safe.

Security Information and Event Management (SIEM)

Ransomware attacks continue to rise, and SecOps teams struggle to stop them before damage is done, which pushes them toward solutions that accelerate detection and response while improving operational efficiency. Traditional security information and event management (SIEM) deployments are no longer effective at reducing risk for understaffed security teams, who are buried under alerts and false positives.

SIEMs were originally designed for log collection and compliance storage and later evolved to include the correlation of log data sources to detect threats. Functionality continued to grow to eventually integrate log, network, and endpoint data into one location and match up with security events. This helped analysts to explore commonalities and develop rules surrounding the related events that SIEM could use to help detect known threats. Organizations looking to minimize cyber risk among in-person, cloud, remote, and hybrid infrastructures require unified data collection, as well as a series of analytics, Machine Learning (ML), Artificial Intelligence (AI), and targeted automation for a shorter response time.

The problem with current threat protection

Attacks are more targeted than ever before, so defenders need to understand individual users and protect them individually. Doing that well depends on the quality of the detection and response data available: to defend your assets properly, you need to know what the threats to them are.

CEO of Rivery, Ben Hemo said, “The ‘data tsunami’ that companies are experiencing means they are desperately looking for tools, solutions, and services that will help them control this unprecedented flow of data hitting them from all directions, sources, and databases. It is no surprise that the data management market is poised for huge growth.”

Security teams have had to adapt to the security ecosystem by devising new and creative methods out of pressure to replace SIEM tools with limited resources. Unfortunately, time to build, ongoing maintenance, scale, and long-term customer needs have introduced challenges. Practitioners will likely make the move toward solutions that can keep up the pace with high-performance production environments due to a growing need for cloud-native, high-scale detection and response platforms.

Business Email Compromise (BEC)

Employees with authority are frequently impersonated in email scams because of their role within the company and their access to confidential information. Business email compromise (BEC) targets victims by hierarchy, role, and access to valuable information; the variant aimed at executives is often called whaling. These attacks succeed because extensive social-engineering research on the targets makes the emails sound convincing, and because they usually carry no malware or malicious link for a filter to catch.

Email Account Compromise (EAC)

It is now necessary to protect users not only against compromise of their own accounts but against compromise of third-party vendors' accounts. Email account compromise (EAC) is an attack in which the adversary takes over a real mailbox, typically through malware, phishing, or password spraying (trying a few common passwords against many accounts, which stays under per-account lockout thresholds). The compromised account is then used to send phishing emails to the victim's contacts and to steal data, funds, and other sensitive information. Because the mail comes from a genuine, authenticated account, SPF and DKIM checks pass and the recipient has little reason to doubt it.
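The password-spray pattern just mentioned is also a good illustration of the rule-based correlation the SIEM section above describes. Here is an added example, not from the original post, of such a rule run over authentication logs: the log lines and their format are constructed for the demo, and the thresholds are assumptions to tune per environment.

```javascript
// Added example, not from the original post: a correlation rule of the kind a SIEM
// runs over authentication logs, catching the password-spray pattern described above
// (a few guesses each against many accounts, staying under per-account lockouts).
// The log lines and their format are constructed for this demo.
const SAMPLE_LOG = [
  '2024-03-01T09:00:01Z AUTH_FAIL ip=203.0.113.7 user=alice',
  '2024-03-01T09:00:04Z AUTH_FAIL ip=203.0.113.7 user=bob',
  '2024-03-01T09:00:07Z AUTH_FAIL ip=203.0.113.7 user=carol',
  '2024-03-01T09:00:10Z AUTH_FAIL ip=203.0.113.7 user=dave',
  '2024-03-01T09:00:13Z AUTH_FAIL ip=203.0.113.7 user=erin',
  '2024-03-01T09:00:16Z AUTH_FAIL ip=203.0.113.7 user=frank',
  '2024-03-01T09:02:30Z AUTH_OK   ip=203.0.113.7 user=erin',   // the spray found a password
  '2024-03-01T09:05:00Z AUTH_FAIL ip=198.51.100.9 user=admin', // classic brute force:
  '2024-03-01T09:05:01Z AUTH_FAIL ip=198.51.100.9 user=admin', // one account, many tries
  '2024-03-01T09:05:02Z AUTH_FAIL ip=198.51.100.9 user=admin',
  '2024-03-01T09:05:03Z AUTH_FAIL ip=198.51.100.9 user=admin',
  '2024-03-01T09:05:04Z AUTH_FAIL ip=198.51.100.9 user=admin',
  '2024-03-01T09:05:05Z AUTH_FAIL ip=198.51.100.9 user=admin',
  '2024-03-01T09:07:00Z AUTH_FAIL ip=192.0.2.5 user=alice',    // a typo, not an attack
  '2024-03-01T09:07:20Z AUTH_OK   ip=192.0.2.5 user=alice',
  'garbage line the parser must skip',
];

// Parse one line into an event; unparseable lines are dropped rather than guessed at.
function parseLine(line) {
  const m = line.match(/^(\S+)\s+(AUTH_FAIL|AUTH_OK)\s+ip=(\S+)\s+user=(\S+)$/);
  return m ? { ts: Date.parse(m[1]), event: m[2], ip: m[3], user: m[4] } : null;
}

// Rule: within windowMs, one source IP fails against at least minUsers distinct
// accounts with no more than maxPerUser failures for any one of them (that is what
// separates a spray from a brute force). A later AUTH_OK from the same IP marks the
// accounts that were probably compromised.
function detectPasswordSpray(lines, { windowMs = 10 * 60 * 1000, minUsers = 5, maxPerUser = 2 } = {}) {
  const events = lines.map(parseLine).filter(Boolean).sort((a, b) => a.ts - b.ts);
  const byIp = new Map();
  for (const e of events) {
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push(e);
  }
  const alerts = [];
  for (const [ip, evs] of byIp) {
    const fails = evs.filter((e) => e.event === 'AUTH_FAIL');
    let start = 0;
    for (let end = 0; end < fails.length; end++) {
      while (fails[end].ts - fails[start].ts > windowMs) start++;   // slide the window
      const perUser = new Map();
      for (const f of fails.slice(start, end + 1)) perUser.set(f.user, (perUser.get(f.user) || 0) + 1);
      if (perUser.size < minUsers || Math.max(...perUser.values()) > maxPerUser) continue;
      const since = fails[start].ts;
      const compromised = [...new Set(evs.filter((e) => e.event === 'AUTH_OK' && e.ts >= since).map((e) => e.user))];
      // distinctUsers is the count at the moment the rule fired, not the final spread.
      alerts.push({ ip, distinctUsers: perUser.size, compromisedUsers: compromised });
      break;   // one alert per source IP
    }
  }
  return alerts;
}
```

The per-user cap is what keeps the brute-force source (198.51.100.9) out of the spray alert; it should still trip a separate lockout rule. In a real pipeline the source key would usually be the IP plus user agent or ASN, since sprays are often spread across proxy pools to defeat a single-IP rule.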

Threats are too sophisticated for an IT manager to deal with on their own, while SMBs have no one to call if they have a cybersecurity problem. Greater levels of support are necessary to ensure systems are properly protected, particularly as the skills shortage in cybersecurity continues.

Threat protection in 2022 and beyond

A crucial change businesses can make in threat detection is to prioritize security and implement effective protection. You should also understand which assets need to be protected. Once those assets are identified, you can choose a method of defense, make sure it adapts to changing threats, and keep it continually maintained.

Integrated email security

Integrated email security is a key aspect of threat detection. Most companies rely on a security infrastructure that is too complex, consisting of cloud services and multiple products from a series of vendors that create layers of defense: endpoint detection and response, firewalls, IPS, routers, web, and email security. These companies use SIEMs and tools such as ticketing systems, log management repositories, and case management systems, as well as external threat intelligence feeds and sources, to store internal threat and event data.

Businesses should consider implementing a platform with an open, extensible architecture that integrates and interoperates well with pre-existing security tools. It should also be able to take on new security controls as new threats emerge, while providing a clear path forward.

Managed email security services

To defend against modern email attacks, businesses must implement a fully managed email security solution. This will protect against the specific threats that all businesses face, providing needed expertise and support to safeguard sensitive data and other key assets. Benefits of investing in managed email security services include:

Keeps you ahead of phishing, ransomware, and other persistent and emerging threats with real-time malicious URL protection
Protects sensitive information and prevents email fraud with layered email authentication protocols
Fortifies cloud email against credential phishing and account takeovers
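The "layered email authentication protocols" in the list are SPF, DKIM and DMARC, and the layer that turns them into a single verdict is DMARC's alignment check. As an added example, not from the original post, here is that check on constructed inputs: the SPF and DKIM results are given rather than computed, and the organizational-domain lookup is simplified to the last two labels (a real receiver consults the Public Suffix List).

```javascript
// Added example, not from the original post: how the layered email authentication
// protocols (SPF, DKIM, DMARC) combine into one verdict for a message. The SPF and
// DKIM results below are constructed inputs; a real receiver gets them from its own
// checks. Organizational domain is simplified to the last two labels (assumption;
// production code consults the Public Suffix List).

function orgDomain(domain) {
  return domain.toLowerCase().split('.').slice(-2).join('.');
}

// Parse the tags that decide the verdict from a _dmarc TXT record.
function parseDmarcRecord(txt) {
  const tags = {};
  for (const part of txt.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    tags[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  if (tags.v !== 'DMARC1') throw new Error('not a DMARC record');
  return { p: tags.p || 'none', adkim: tags.adkim || 'r', aspf: tags.aspf || 'r' };
}

// Identifier alignment: strict ("s") needs an exact match with the From: domain,
// relaxed ("r") accepts any subdomain of the same organizational domain.
function aligned(authDomain, fromDomain, mode) {
  if (!authDomain) return false;
  const a = authDomain.toLowerCase();
  const f = fromDomain.toLowerCase();
  return mode === 's' ? a === f : orgDomain(a) === orgDomain(f);
}

// DMARC passes if SPF passes with an aligned domain OR DKIM passes with an aligned
// d= domain; otherwise the record's p= policy decides what the receiver does.
function evaluateDmarc(msg, recordTxt) {
  const policy = parseDmarcRecord(recordTxt);
  const fromDomain = msg.from.match(/@([^>\s]+)/)[1];
  const spfAligned = msg.spf.result === 'pass' && aligned(msg.spf.domain, fromDomain, policy.aspf);
  const dkimAligned = msg.dkim.result === 'pass' && aligned(msg.dkim.d, fromDomain, policy.adkim);
  const pass = spfAligned || dkimAligned;
  return { fromDomain, spfAligned, dkimAligned, dmarc: pass ? 'pass' : 'fail', disposition: pass ? 'none' : policy.p };
}

// Constructed inputs: two policies, a genuine message, a lookalike-domain spoof,
// and a genuine but unsigned message.
const RECORD_REJECT = 'v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com';
const RECORD_STRICT = 'v=DMARC1; p=quarantine; adkim=s; aspf=s';

const GENUINE = {
  from: 'Alice <alice@example.com>',
  spf: { result: 'pass', domain: 'mail.example.com' },
  dkim: { result: 'pass', d: 'example.com' },
};
const SPOOF = {
  from: 'CEO <ceo@example.com>',                        // the header the user sees
  spf: { result: 'pass', domain: 'bulk.example.net' },  // attacker's own domain passes SPF
  dkim: { result: 'pass', d: 'example.net' },           // valid signature, wrong domain
};
const UNSIGNED = {
  from: 'Alice <alice@example.com>',
  spf: { result: 'pass', domain: 'mail.example.com' },
  dkim: { result: 'none', d: null },
};
```

The SPOOF case is the one to remember: both SPF and DKIM genuinely pass for the attacker's domain, and only the alignment step ties those results back to the From: header the recipient reads. It also shows the limit of the layer: a message sent from a compromised mailbox (the EAC case above) passes every one of these checks.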

Many businesses, especially SMBs, face ongoing challenges brought on by a lack of both cybersecurity resources and expertise, which has only intensified within the past few years. Small businesses typically do not have a full-time IT department or mail administrator, and even when those positions are filled, the staff are often not trained to secure corporate email. An integrated email security solution should provide real-time insight into the security of your email, helping you pinpoint and block the threats targeting your business and the most highly targeted individuals within your organization, so you can make better cybersecurity decisions.

Security brain drain

Businesses will need to guard against security brain drain, since new threats appear constantly and IT managers cannot protect against all of them alone. Security brain drain sets in as 1 in 10 professionals exits the industry. Research shows that 51% of cybersecurity professionals experienced extreme stress within the past year, making it a priority for CISOs to alleviate burnout, improve team culture, and develop succession plans that create a pipeline for the next generation of security leaders.

Final thoughts

As businesses continue to migrate to the cloud, the need for a capable email security system increases. Traditional threat detection tools were once effective in protecting business email, but protection in the modern threat landscape requires greater defenses. As these threats continue to evolve and present companies with constant new challenges, the implications for organizations of all sizes will become clear.

Those who have retained the services of a cybersecurity company with top-level security knowledge and skills will be in a much stronger position to withstand new threats as they emerge. By implementing managed services and having complete visibility, your organization will be able to rest easy knowing that your clients, staff, and reputation are safe.
