Hacking and targeted cyber-attacks as a result of anti-competitive practices in business

Targeted Attacks

In ongoing consultations with clients, large companies named targeted attacks and hacking as two of their biggest security challenges since they can seriously impact the continuity of business activities in an organization.

Attackers have many means to infiltrate companies. However, many attacks don’t require a very high level of technological sophistication. Instead, techniques like targeted social engineering, i.e. spear phishing, or the use of known vulnerabilities for which patches may have been issued but which businesses have not yet deployed, can lead to damaged reputation and revenue, and to data breaches.

On the other hand, high levels of sophistication can also be utilized, as in the case of a zero-day attack. Chief among these was Stuxnet, a recorded attack where malicious code successfully exploited four zero-day vulnerabilities to impede a uranium enrichment program in Iran, and which, according to media reports, was a state-sponsored attack.

There are many reasons why organizations become repeat targets. Their bank accounts contain more resources than those of an average person or small business, and they also hold considerable amounts of interesting data that can be monetized. Attacks targeting companies can also be used as a form of competition. Most often, this concerns data hunting, i.e. obtaining interesting information or intellectual property. These attacks can be accompanied by blackmail. For example, a client database is stolen from a company, which is later approached by the perpetrators and asked “what they are going to do about their loss”.

Different ways to monetize attacks bring different consequences

Organizations often find it difficult to admit they have been breached by these types of attacks. Consequently, this may give other companies the false impression that such attacks happen only occasionally. A typical example of targeted attacks, common in recent years, is DDoS as a Service: attacks sponsored by one company against the website of another, with the effect of disrupting business and directing customers away from the targeted company and (possibly) towards the attacker’s “employer”. These are criminal tactics, and the attackers know very well which business areas to target for maximum gain.

There are of course other approaches. Take the example of the British National Health Service, which has become a frequent target of ransomware attacks. Digitization of health services has resulted in a situation where the malicious encryption of medical data may lead to a halt in medical interventions and surgeries. Under such conditions, targeted organizations are often more inclined to pay a ransom for the “hijacked” patient data.

In Kenya, attackers have been known to target banks and financial institutions, with figures of Ksh400 million being reported stolen from an unnamed local bank and Ksh29 million from National Bank of Kenya in 2018 alone.

Innovative approaches to old tricks

In many rural areas worldwide, one quick glance at powerlines will reveal how easy it is to make illegal connections to the power grid. As of late, cyberattackers have followed a similar model, focusing their resources on illegally mining various cryptocurrencies, which have proven to be highly popular in the public’s imagination.

A more complex example was a targeted attack meant to infect StatCounter, which provides a service very similar to Google Analytics and uses a special script legitimately placed on websites to obtain data about website visitors. In this case, attackers successfully breached StatCounter and subsequently gained access to the service’s end users by injecting JavaScript code into all websites that use StatCounter’s service.

The problem came to light when visitors navigated to the now compromised websites, which contained the infected script, and their devices then began covertly mining bitcoins for the attackers. During the second stage, the attackers proceeded to steal bitcoins directly from infected devices when they attempted to access a popular cryptocurrency exchange. To get an idea of the scale of such an operation, StatCounter can be found on more than two million websites.

Such an attack means that system resources of infected devices at the company legitimately using the service are additionally tasked to mine. This may not concern only computers, but also mobile devices and especially servers. The subsequent cryptomining accelerates wear and tear on devices and also increases electricity bills. In addition, we should not forget that malicious cryptomining code is usually capable of uploading other types of malicious script onto the network.

Investigations may take months and are like looking for a needle in a haystack

When a large company falls victim to such an attack, it is necessary to carry out a complicated investigation of what happened and how the company has been affected. Research shows that it takes about 150-200 days for companies to find out they’ve been infected. Further investigation regarding the method by which the company was infected and where the malicious code originated may take even longer.

Facing such substantial risks, large companies should leverage solutions like ESET Dynamic Threat Defense to detect new, never before seen threats.


Time to change your Twitter password

Twitter Password

An internal bug exposed the passwords of an undisclosed number of the more than 330 million Twitter users.

Twitter CTO Parag Agrawal announced that it was a “bug that stored passwords unmasked in an internal log”. He went on to state “we have fixed the bug and our investigation shows no indication of breach or misuse”.

The social media platform insists that there is no sign of danger and that there is no reason to believe that the passwords were exposed outside of the organisation. However, it is still advising users to change their Twitter passwords and those of any other online service using the same password.

Some additional password tips from Twitter include enabling two-factor authentication and also using a password manager to create a strong and unique password for every individual online service.

Approximately US $150,000 worth of Ethereum-based cryptocurrency stolen

Online cryptocurrency website MyEtherWallet.com has confirmed that some visitors could have been temporarily redirected to a phishing site designed to steal users’ credentials and – ultimately – empty their cryptocurrency wallets.

According to reports, whoever was behind the attack may have successfully stolen approximately US $152,000 worth of Ethereum-based cryptocurrency.

However, MyEtherWallet may not have been at fault, as the website explained in its statement:

“This is not due to a lack of security on the [MyEtherWallet] platform. It is due to hackers finding vulnerabilities in public facing DNS servers.”

British security researcher Kevin Beaumont confirms in a blog post that some of MyEtherWallet’s traffic had been redirected to a server based in Russia after traffic intended for Amazon’s DNS resolvers was pointed to a server hosted in Chicago by Equinix.

For the scheme to succeed, someone pulled off a hijack of a crucial component of the internet known as Border Gateway Protocol (BGP), to reroute traffic intended for Amazon’s Route 53 DNS service to the server in Chicago. As a consequence, for some users, entering myetherwallet.com into their browser did not take them to the genuine site but instead to a server at an IP address chosen by the hackers.

The only obvious clue that a typical user might have spotted was that when they visited the fake MyEtherWallet site they would have seen an error message telling them that the site was using an untrustworthy SSL certificate.

It seems that the attackers made a mistake in not obtaining a valid SSL certificate.

Despite the error with their SSL certificate, the hackers haven’t done badly for themselves – both in this attack and in the past. Fascinatingly, the bogus MyEtherWallet website set up by the criminals was moving stolen cryptocurrency into a wallet which already contained some US $27 million worth of assets. Inevitably that raises questions of its own – have the hackers already made a substantial fortune through other attacks, or might their activities be supported by a nation state?

In a statement Equinix confirmed that a customer’s equipment at its Chicago data center was used in the hackers’ hijacking of Amazon’s Route 53 DNS service:

“The server used in this incident was not an Equinix server but rather customer equipment deployed at one of our Chicago IBX data centers… We generally do not have visibility or control over what our customers – or customers of our customers – do with their equipment.”

Amazon, however, does not accept that the blame lies with it, and issued the following statement:

“Neither AWS nor Amazon Route 53 were hacked or compromised. An upstream Internet Service Provider (ISP) was compromised by a malicious actor who then used that provider to announce a subset of Route 53 IP addresses to other networks with whom this ISP was peered. These peered networks, unaware of this issue, accepted these announcements and incorrectly directed a small percentage of traffic for a single customer’s domain to the malicious copy of that domain.”
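The statement above describes a provider announcing a subset of another network's addresses, which peers then accepted. One defensive check against that pattern is route origin validation; the following is an added example (not from the original article or from any party named in it) that applies RFC 6811-style validation to constructed announcements. The ROA table, prefixes and AS numbers are assumptions taken from the documentation ranges.

```python
# Added example: RFC 6811-style route origin validation over constructed data.
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    prefix: str       # authorised prefix
    max_length: int   # longest prefix length the holder may announce
    origin_as: int    # AS allowed to originate it

class Announcement(NamedTuple):
    prefix: str
    origin_as: int

def validate(ann, roas):
    """Classify one BGP announcement as 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(ann.prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue  # this ROA says nothing about the announced prefix
        covered = True
        if ann.origin_as == roa.origin_as and net.prefixlen <= roa.max_length:
            return "valid"
    # Covered by a ROA but matching none: wrong origin or too specific.
    return "invalid" if covered else "not-found"

def flag_invalid(announcements, roas):
    """Return the announcements a validating router would reject."""
    return [a for a in announcements if validate(a, roas) == "invalid"]

# Constructed sample data: documentation prefixes (RFC 5737) and AS numbers (RFC 5398).
ROAS = [ROA("203.0.113.0/24", 24, 64496)]
ANNOUNCEMENTS = [
    Announcement("203.0.113.0/24", 64496),    # legitimate origin
    Announcement("203.0.113.0/25", 64511),    # more-specific subset, foreign origin
    Announcement("203.0.113.128/25", 64496),  # right origin, exceeds max_length
    Announcement("198.51.100.0/24", 64500),   # no ROA covers this prefix
]

if __name__ == "__main__":
    for a in ANNOUNCEMENTS:
        print(f"{a.prefix:<18} AS{a.origin_as}  {validate(a, ROAS)}")
```

Routers prefer the longest matching prefix, so the /25 in the sample would draw traffic away from the legitimate /24 unless peers reject it as invalid.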

Some advice from award-winning security blogger, researcher and speaker Graham Cluley: avoid putting your cryptocurrency wallet online, keep it off your smartphone or computer, and perhaps invest in a hardware wallet instead.