

The New Ryuk Ransomware Attack

Ryuk is crypto-ransomware: it encrypts files so that the victim cannot access them until the ransom is paid. It is generally dropped by other malware that has already compromised the host, such as TrickBot or Emotet. Exposed Remote Desktop Services (RDP) are another route by which Ryuk operators gain their initial foothold.

Ryuk attacks were widespread in the third quarter of 2019; the ransomware then went quiet at the onset of the COVID-19 lockdowns. It has since returned as a new Ryuk variant with added features and a refreshed toolset for compromising target networks and deploying the ransomware.

The most notable feature of the new Ryuk campaign is speed. Within a day of the initial infection, the attackers have obtained access to a domain controller and are in the early stages of ransomware deployment.

The second notable feature is persistence, meaning the operators' own determination rather than the malware's reboot-survival techniques: if the first lure fails, the attackers keep sending renewed phishing emails until one establishes contact.

How Is A System Infected?

  • The attackers send a phishing email to the target. The email contains a link that redirects the user to a malicious document hosted on ‘docs.google.com’.
  • When the user opens the document and enables its content, the document runs a malicious executable named ‘print_document.exe’. This is Buer Loader, a modular malware-as-a-service downloader.
  • When executed, Buer Loader drops further malware files and a Cobalt Strike beacon named ‘qoipozincyusury.exe’. Cobalt Strike is a modular attack framework capable of many tasks, such as exposing operating-system features to the operator and establishing a covert command-and-control channel within the compromised network.
  • Additional Cobalt Strike beacons are downloaded for reconnaissance and credential hunting. Numerous commands are run on the infected system to retrieve information such as the list of trusted domains, the members of ‘Enterprise Admins’, the members of the local Administrators group, the members of ‘Domain Admins’, and the network configuration.
  • Using this data, the attackers obtain administrative credentials, connect to a domain controller and dump the Active Directory database.
  • With domain administrator credentials, another Cobalt Strike service is installed on the domain controller. It is a chained Server Message Block (SMB) listener, which lets Cobalt Strike commands be relayed to the server and on to other computers in the network. This is how the attackers spread laterally to other systems.
  • Ryuk is launched, with the backup server among its first targets. Where security controls detect or interrupt it, the attackers run the icacls command to rewrite access control lists, giving them full control over the system folders on the server.
  • They then deploy GMER, a rootkit detector, to find and shut down hidden processes such as antivirus. The ransomware is re-deployed and re-launched repeatedly to overwhelm the remaining defenses.
  • Ransom notes are dropped in the folders hosting the ransomware.
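The reconnaissance and icacls steps above leave distinctive process-creation events, and that is where a defender can catch the intrusion before encryption starts. The following is an added example, not the post's own code: it runs a small detector over constructed process-creation records (the field names, the 30-minute window and the three-category threshold are assumptions) and raises one alert when several of the listed reconnaissance commands run on one host in quick succession, and another on any icacls grant of full control to Everyone.

```python
"""Detect the reconnaissance burst and icacls tampering described in the steps above.

Added example, not code from the original post. The events are constructed to
look like process-creation records (Sysmon Event ID 1 or an EDR feed); the field
names and the 30-minute window / 3-category threshold are assumptions."""
import re
from datetime import datetime, timedelta

# One pattern per reconnaissance goal the post lists: trusted domains, Enterprise
# Admins, local Administrators, Domain Admins, network configuration.
RECON_PATTERNS = {
    "trusted_domains": re.compile(r'\bnltest(\.exe)?\b.*/domain_trusts', re.I),
    "enterprise_admins": re.compile(r'\bnet1?(\.exe)?\s+group\s+"?enterprise admins', re.I),
    "local_admins": re.compile(r'\bnet1?(\.exe)?\s+localgroup\s+administrators', re.I),
    "domain_admins": re.compile(r'\bnet1?(\.exe)?\s+group\s+"?domain admins', re.I),
    "network_config": re.compile(r'\bipconfig(\.exe)?\b.*/all', re.I),
}
# icacls granting Everyone full control (F) on a path: the ACL rewrite that precedes encryption.
ICACLS_GRANT = re.compile(r'\bicacls(\.exe)?\b.*/grant(:r)?\s+\S*everyone:\S*F', re.I)

def classify(cmdline):
    """Return the recon category a command line matches, 'icacls_grant', or None."""
    for name, pattern in RECON_PATTERNS.items():
        if pattern.search(cmdline):
            return name
    return "icacls_grant" if ICACLS_GRANT.search(cmdline) else None

def detect(events, window=timedelta(minutes=30), min_categories=3):
    """Alert when >= min_categories distinct recon goals hit one host inside `window`
    (one alert per host), and alert immediately on any icacls Everyone:F grant."""
    recent = {}            # host -> [(timestamp, category)] still inside the window
    alerted_hosts = set()
    alerts = []
    for ev in events:
        category = classify(ev["cmd"])
        if category is None:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        if category == "icacls_grant":
            alerts.append({"rule": "icacls_acl_tamper", "host": ev["host"],
                           "user": ev["user"], "evidence": ev["cmd"]})
            continue
        hits = [(t, c) for t, c in recent.get(ev["host"], []) if ts - t <= window]
        hits.append((ts, category))
        recent[ev["host"]] = hits
        seen = sorted({c for _, c in hits})
        if len(seen) >= min_categories and ev["host"] not in alerted_hosts:
            alerted_hosts.add(ev["host"])
            alerts.append({"rule": "ad_recon_burst", "host": ev["host"],
                           "user": ev["user"], "evidence": seen})
    return alerts

# Constructed sample feed: a compromised workstation doing AD recon, a lone
# helpdesk ipconfig (no alert), and the icacls step on a domain controller.
SAMPLE_EVENTS = [
    {"ts": "2020-10-05T09:00:00", "host": "WS-042", "user": "CORP\\jdoe", "cmd": "nltest /domain_trusts"},
    {"ts": "2020-10-05T09:02:00", "host": "WS-042", "user": "CORP\\jdoe", "cmd": 'net group "enterprise admins" /domain'},
    {"ts": "2020-10-05T09:03:00", "host": "WS-042", "user": "CORP\\jdoe", "cmd": "net localgroup administrators"},
    {"ts": "2020-10-05T09:05:00", "host": "WS-042", "user": "CORP\\jdoe", "cmd": 'net group "domain admins" /domain'},
    {"ts": "2020-10-05T09:06:00", "host": "WS-042", "user": "CORP\\jdoe", "cmd": "ipconfig /all"},
    {"ts": "2020-10-05T09:10:00", "host": "ADMIN-PC", "user": "CORP\\helpdesk", "cmd": "ipconfig /all"},
    {"ts": "2020-10-05T09:11:00", "host": "ADMIN-PC", "user": "CORP\\helpdesk", "cmd": "notepad.exe C:\\notes.txt"},
    {"ts": "2020-10-05T10:00:00", "host": "DC-01", "user": "CORP\\Administrator",
     "cmd": "icacls C:\\Windows /grant Everyone:(OI)(CI)F /T"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the input would be Sysmon Event ID 1 or EDR process telemetry, and the icacls rule should be tuned to the paths the organization actually cares about. A lone `ipconfig /all` is deliberately not an alert on its own, because administrators run it all day; it is the combination of several of these commands on one host within minutes that marks the Cobalt Strike reconnaissance phase.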

Educate employees to refrain from opening suspicious emails and documents, and in particular from enabling content in documents that arrive by email, to prevent the new Ryuk attack.

For more information on the new Ryuk ransomware attack, contact Centex Technologies at (254) 213 – 4740.

Dictionary Attack: What Is It & How To Prevent It?

A dictionary attack is a form of credential attack in which the attacker guesses the victim's password from a list of likely candidates in order to gain access to personal or corporate information.

What Is A Dictionary Attack?

  • It is a cyber attack that exploits the user's habit of choosing common dictionary words as passwords. Most internet users tend to pick simple, easy-to-remember words and phrases.
  • In simpler terms, it is an attempt to gain unauthorized access to a computer system or user account by trying every entry in a large list of words as the potential password.
  • The traditional approach involved repeated attempts using common words found in a dictionary. The attack has since evolved: attackers now use databases that combine dictionary words with passwords leaked in previous breaches.
  • Software is also available that cracks passwords using these databases and generating common variations of each entry (capitalization, appended digits, letter-for-symbol substitutions). In contrast to a brute-force attack, which tries every possible combination, a dictionary attack tries only the candidates considered most likely to succeed.

Pre-Computed Dictionary Attack:

It involves pre-computing the hashes of a list of common dictionary words and storing them in a database indexed by hash. Once built, the database can be used at any time to look up a stolen password hash and read off the corresponding password instantly. Preparation takes a long time, but the attack itself is far faster than a plain dictionary attack. A random per-user salt mixed into the hash defeats the technique, because the table would have to be rebuilt for every salt.
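To make the plain, pre-computed and salted cases concrete, here is an added example (not code from the original post; the word list, passwords and salts are constructed): it generates the common variations a cracking tool would, hashes them on the fly for a plain dictionary attack, builds a hash-indexed lookup table for the pre-computed variant, and then shows that a random per-user salt sends the attacker back to hashing every candidate for every account.

```python
"""Dictionary attack with mangling rules, the pre-computed lookup-table variant,
and the per-user salt that defeats the table.

Added example, not code from the original post. The word list, target passwords
and salts are constructed for the demonstration; unsalted SHA-256 stands in for
whatever fast hash a weakly designed system might store."""
import hashlib
import os

BASE_WORDS = ["password", "welcome", "summer", "dragon", "austin"]   # constructed mini wordlist
SUFFIXES = ("1", "123", "!", "2019", "2020")
LEET = str.maketrans("aeios", "43105")

def mangle(word):
    """The 'common variations' a cracking tool generates from one dictionary word."""
    for base in (word, word.capitalize(), word.upper(), word.translate(LEET)):
        yield base
        for suffix in SUFFIXES:
            yield base + suffix

def candidates(words=BASE_WORDS):
    """Deduplicated candidate stream: bare words first, variations after."""
    seen = set()
    for word in words:
        for cand in mangle(word):
            if cand not in seen:
                seen.add(cand)
                yield cand

def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()

def dictionary_attack(target_hash, words=BASE_WORDS):
    """Plain dictionary attack: hash every candidate until one matches.
    Returns (password or None, number of hashes computed)."""
    tried = 0
    for cand in candidates(words):
        tried += 1
        if sha256_hex(cand) == target_hash:
            return cand, tried
    return None, tried

def build_lookup_table(words=BASE_WORDS):
    """Pre-computation step: hash the whole candidate set once, index by hash."""
    return {sha256_hex(cand): cand for cand in candidates(words)}

def precomputed_attack(target_hashes, table):
    """The attack proper: one dictionary lookup per stolen hash, no hashing at all."""
    return {h: table.get(h) for h in target_hashes}

def salted_hash(password, salt):
    """What a system should store instead: hash(salt || password) with a random per-user salt."""
    return hashlib.sha256(salt + password.encode()).hexdigest()

def new_user_record(password):
    salt = os.urandom(16)
    return {"salt": salt, "hash": salted_hash(password, salt)}

def crack_salted(record, words=BASE_WORDS):
    """Against a salted hash the table is useless; the attacker is back to hashing
    every candidate for this one user. Returns (password or None, hashes computed)."""
    tried = 0
    for cand in candidates(words):
        tried += 1
        if salted_hash(cand, record["salt"]) == record["hash"]:
            return cand, tried
    return None, tried

if __name__ == "__main__":
    table = build_lookup_table()
    stolen = [sha256_hex("Summer2020"), sha256_hex("correct horse battery staple")]
    print("table size:", len(table))
    print("plain dictionary attack:", dictionary_attack(stolen[0]))
    print("pre-computed lookup:", precomputed_attack(stolen, table))
    rec = new_user_record("Summer2020")
    print("table lookup against salted hash:", table.get(rec["hash"]))
    print("salted crack:", crack_salted(rec))
```

The passphrase "correct horse battery staple" is never produced by the mangling rules and so survives both variants; the salted record is still crackable, but only at full per-user cost, which is the whole point of salting. A real deployment would also replace the fast hash with a deliberately slow one (bcrypt, scrypt or Argon2) so that even that per-user cost is high.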

Common Cracking Software Used In Dictionary Attack:

  • Burp Suite
  • Crack
  • Ophcrack
  • Cain and Abel
  • Aircrack-ng
  • John the Ripper
  • L0phtCrack
  • Metasploit Project

How To Prevent A Dictionary Attack?

To prevent a dictionary attack, the following steps help:

  • Configure the authentication system to lock the account after a maximum number of failed attempts.
  • Use multi-factor authentication to log in.
  • Use special characters and extra syllables in the password, so that it is not a single dictionary word or a common variation of one.
  • Use longer passwords, for example a passphrase of several unrelated words.
  • Avoid reusing old passwords, especially any that may have appeared in a breach.
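The first tip is the one an application developer has to implement, and the failure modes are in the details: the failure counter must expire, the lock must expire, and the lock must apply even to a correct password. The following added example (not the post's code; the thresholds and the constructed clock are assumptions) implements a windowed lockout in front of a salted-hash credential check and drives a 1000-guess dictionary run against it.

```python
"""Account lockout that cuts a dictionary run off after a handful of failures.

Added example, not code from the original post. The policy numbers (5 failures in
15 minutes, 30-minute lockout) are assumptions, and the clock is injectable so the
lockout expiry can be exercised without waiting."""
from collections import deque
from datetime import datetime, timedelta, timezone
import hashlib
import hmac

class FakeClock:
    """Constructed clock: time moves only when advance() is called."""
    def __init__(self, start):
        self.now = start
    def __call__(self):
        return self.now
    def advance(self, delta):
        self.now += delta

class LockoutPolicy:
    def __init__(self, max_failures=5, window=timedelta(minutes=15),
                 lockout=timedelta(minutes=30), clock=lambda: datetime.now(timezone.utc)):
        self.max_failures, self.window, self.lockout, self.clock = max_failures, window, lockout, clock
        self.failures = {}       # account -> deque of failure times still inside the window
        self.locked_until = {}   # account -> time the lock expires

    def is_locked(self, account):
        until = self.locked_until.get(account)
        if until is not None and self.clock() < until:
            return True
        self.locked_until.pop(account, None)   # no lock, or the lock has expired
        return False

    def record_failure(self, account):
        """Count a failure; return True if it tipped the account into lockout."""
        now = self.clock()
        q = self.failures.setdefault(account, deque())
        q.append(now)
        while now - q[0] > self.window:        # forget failures older than the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[account] = now + self.lockout
            q.clear()
            return True
        return False

    def record_success(self, account):
        self.failures.pop(account, None)

class Authenticator:
    """Tiny salted-hash credential store. The lockout check runs before the password
    check, so a locked account rejects even the correct password."""
    def __init__(self, policy):
        self.policy, self.users, self.hashes_computed = policy, {}, 0

    def add_user(self, account, password, salt):
        self.users[account] = (salt, hashlib.sha256(salt + password.encode()).hexdigest())

    def login(self, account, password):
        if self.policy.is_locked(account):
            return "locked"
        salt, stored = self.users.get(account, (b"", ""))
        self.hashes_computed += 1
        if hmac.compare_digest(hashlib.sha256(salt + password.encode()).hexdigest(), stored):
            self.policy.record_success(account)
            return "ok"
        self.policy.record_failure(account)
        return "denied"

def simulate_dictionary_run(auth, account, guesses):
    """Return (guesses actually checked against the hash, guesses bounced by the lock)."""
    before = auth.hashes_computed
    results = [auth.login(account, g) for g in guesses]
    return auth.hashes_computed - before, results.count("locked")

def run_demo():
    clock = FakeClock(datetime(2020, 10, 5, 9, 0, tzinfo=timezone.utc))
    auth = Authenticator(LockoutPolicy(clock=clock))
    auth.add_user("alice", "correct horse battery staple", salt=b"constructed-salt")
    checked, bounced = simulate_dictionary_run(auth, "alice", [f"password{i}" for i in range(1000)])
    while_locked = auth.login("alice", "correct horse battery staple")   # right password, still locked
    clock.advance(timedelta(minutes=31))
    after_expiry = auth.login("alice", "correct horse battery staple")
    for _ in range(8):                       # failures spaced wider than the window never lock
        auth.login("alice", "wrong")
        clock.advance(timedelta(minutes=16))
    return {"checked": checked, "bounced_by_lockout": bounced, "while_locked": while_locked,
            "after_expiry": after_expiry, "locked_by_slow_failures": auth.policy.is_locked("alice")}

if __name__ == "__main__":
    print(run_demo())
```

Of the 1000 guesses only five are ever compared against the stored hash. Note the trade-off a lockout brings: anyone who knows a username can lock its owner out on purpose, so in practice lockout is paired with the multi-factor step above and with per-source rate limiting rather than relied on alone.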

For more information on what is a dictionary attack and how to prevent it, contact Centex Technologies at (254) 213 – 4740.

How Are Attackers Targeting Organizations With Steganographic Techniques?

Steganography is the practice of hiding secret information within an ordinary, non-secret file or message so that the hidden information escapes detection. Its strengths are that it conceals the very existence of a message and that it can carry a large amount of data. Cyber attackers exploit these strengths to launch sophisticated attacks against organizations.

Cyber attacks employ steganography to embed malicious code in seemingly benign content and so bypass an organization's security controls. The basic layout of such an attack rests on four concepts:

  • Social Engineering: when the user opens the compromised document, it instructs the victim to enable content (macros).
  • Network Security Monitoring Evasion: once content is enabled, the document runs a PowerShell script that downloads a file with the malware embedded in it. The file can be as innocuous as a popular image or wallpaper, and it is fetched from a remote server, so the download looks like ordinary web traffic.
  • Manual Analysis Evasion: obfuscated VBA macros decode the malicious content hidden within the pixels of the image and install the malware.
  • Persistence: the malware registers scheduled tasks so that the script survives system reboots.
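To show what the ‘malicious content hidden within the pixels’ step actually involves, here is an added example (not the post's code, and not a real sample: the carrier is a constructed greyscale pixel buffer and the payload a harmless placeholder string). It embeds a payload in the least-significant bit of each pixel, recovers it, shows that no pixel moves by more than one grey level, and includes a cheap check that spots an unencoded ASCII payload, which an attacker defeats by encoding the payload before embedding it.

```python
"""Hide a payload in the least-significant bits of image pixels, recover it, and
show why an unencoded payload is easy to spot.

Added example, not code from the original post and not a real malware sample. The
'image' is a constructed 8-bit greyscale pixel buffer (no image library needed)
and the payload is a harmless stand-in for the script an attacker would hide."""
import random
import struct

def embed_lsb(pixels, payload):
    """Write a 4-byte length header then the payload, one bit per pixel, into the LSBs."""
    data = struct.pack(">I", len(payload)) + payload
    if len(data) * 8 > len(pixels):
        raise ValueError("carrier too small for payload")
    out = bytearray(pixels)
    for i, byte in enumerate(data):
        for b in range(8):
            out[i * 8 + b] = (out[i * 8 + b] & 0xFE) | ((byte >> (7 - b)) & 1)
    return bytes(out)

def _read_bits(pixels, start, count):
    value = 0
    for i in range(count):
        value = (value << 1) | (pixels[start + i] & 1)
    return value

def extract_lsb(pixels):
    """Read the length header, then that many bytes; reject implausible headers."""
    length = _read_bits(pixels, 0, 32)
    if 32 + length * 8 > len(pixels):
        raise ValueError("no plausible LSB payload in this carrier")
    return bytes(_read_bits(pixels, 32 + 8 * i, 8) for i in range(length))

def max_pixel_delta(a, b):
    """Largest per-pixel change the embedding made (an LSB flip moves a pixel by at most 1)."""
    return max(abs(x - y) for x, y in zip(a, b))

def ascii_high_bit_zero_fraction(pixels, nbytes=64):
    """Cheap detector for an unencoded text payload: ASCII bytes all have a zero high
    bit, so every 8th LSB after the header is 0; in a noisy carrier about half are 1."""
    zeros = sum(1 for i in range(nbytes) if pixels[32 + 8 * i] & 1 == 0)
    return zeros / nbytes

# Constructed carrier: 4096 'pixels' with noisy low bits, as a photograph would have.
_rng = random.Random(7)
CARRIER = bytes(_rng.getrandbits(8) for _ in range(4096))
# Constructed payload: 76 bytes of plain ASCII standing in for the hidden script.
PAYLOAD = b"Write-Host 'constructed stand-in for the script an attacker would hide here'"

if __name__ == "__main__":
    stego = embed_lsb(CARRIER, PAYLOAD)
    print("recovered:", extract_lsb(stego))
    print("max pixel change:", max_pixel_delta(CARRIER, stego))
    print("high-bit-zero fraction, clean carrier:", ascii_high_bit_zero_fraction(CARRIER))
    print("high-bit-zero fraction, stego carrier:", ascii_high_bit_zero_fraction(stego))
```

Real campaigns carry the payload in the colour channels of a PNG or BMP (a lossy format such as JPEG would destroy the low bits) and usually encode or encrypt it first, so the high-bit check above only catches the naive case; the reliable signal is the macro and PowerShell behaviour around the image rather than the image itself.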

What Is PowerShell?

Microsoft introduced PowerShell as a command-line shell and scripting language built on .NET. It is now open source and cross-platform (PowerShell 7 runs on Windows, Linux and macOS). It is popular among cyber criminals for steganography attacks because:

  • It is easy to use and versatile, giving access to all major OS functions.
  • It is used and trusted by many administrators, so PowerShell-based malware blends in with benign activity on the network.

What Type Of Information Is Hidden Via Steganography By Cyber Criminals?

Cyber criminals can hide information at different stages of an attack, and what is hidden determines the technique used:

  • Identities: anonymization techniques hide the identities of the communicating parties.
  • Communication: steganography hides the fact that a conversation is taking place at all, concealing the data packet flow with traffic-type obfuscation methods.
  • Content: the content of the data is hidden (typically by encryption), but not the fact that data is being transmitted.
  • Code: the structure of malicious executable code is hidden by binary code obfuscation and masquerading techniques.

With the growing number of sophisticated cyber attacks using steganographic techniques, organizations need to update their security measures accordingly.

For more information on the use of steganography in cyber attacks, contact Centex Technologies at (254) 213 – 4740.

Tips For Disaster Recovery Planning After A Cyber Attack

A well-planned cyber attack can wreak havoc on any business. Although it is advisable to take precautionary steps to avoid such attacks, some attacks will still catch a business off guard. It is therefore important to have a Disaster Recovery Plan for dealing with the after-effects of an attack. A Disaster Recovery Plan (DRP) softens the blow of an attack by minimizing the loss. A successful DRP starts from a thorough Business Impact Analysis (BIA) and Risk Analysis (RA). These determine which business areas need to be prioritized for protection and recovery, and let you set a realistic Recovery Time Objective (RTO).

When drafting an effective DRP, consider the following tips in addition to the BIA and RA:

A DRP needs to cover every aspect of the business so that nothing is left exposed during a disruptive event.

  • To begin with, classify your data by priority. This lets you concentrate protection on vital data, resources, devices and systems, and draft separate recovery plans for the data that is critical to your organization.
  • It is advisable to set up a separate ‘safe house’ or satellite location that holds a backup of your data, so that a cyber attack on the main site does not bring the business to a halt. Weigh the cost of such a location against the loss that would be incurred if the business stayed inoperative for the length of the RTO, and decide on that basis.
  • If your organization has mobile devices that are not linked to the main server, formulate a separate backup plan for them, so that they do not depend on the main DRP.
  • Encourage individual users to run regular backups of their own data.

The 5 W’s Of DRP

The 5 W's of DRP help in developing an accurate contingency plan that maximizes the longevity of your business:

Who? To create a risk-free environment, make it a point to educate every single user about the DRP. This is the key to the success of the recovery plan: if a cyber attack threatens your organization, every user can then play their role in the recovery efficiently.

What? An organization's DRP should spell out what steps will be taken if the business meets with an unfortunate situation. The steps should be clearly laid out and should address diverse situations, from damaging cyber attacks to the everyday risk of losing staff or vital data.

Where? The DRP needs to look beyond the main business location alone. Company vehicles, the remote workforce and similar assets should also be covered.

Why? It is important to understand why you need a DRP. It is a contingency plan that would help the business sustain if met with a disastrous cyber-attack.

When? A common question is when a DRP should be formulated. The answer is well in advance, so that you are equipped to handle any situation whenever it arises.

For more information on Disaster Recovery Planning, call Centex Technologies at (254) 213 – 4740.

What Makes Location Tracking A Privacy Concern

Undoubtedly, location-based services such as Google Maps and taxi apps have made life easier; however, location tracking (geo-tracking) also poses real privacy threats. To understand these threats, it is first important to understand how the data is collected.

How Is Your Location Tracked?

Location is tracked via your devices: laptops, mobile phones, tablets, smart watches, smart jewelry, etc. On a computer, your IP address can be used to estimate your location. On a mobile device, location is tracked via GPS, cellular tower data, Wi-Fi signals and Bluetooth beacons.

A number of popular apps also track your location: Google Maps, Facebook, Yelp, Uber, dating apps, etc. Some apps can still infer your location after you have turned off location tracking in the device settings. Facebook is a common example: it can place you from the city given in your profile or from your check-ins.

Additionally, the metadata attached to your photos reveals location. Most mobile phones and digital cameras embed GPS coordinates (geotags) in a photo's EXIF data when the picture is taken. When such a photo is posted on a social media profile, the embedded information goes with it unless the platform strips the metadata on upload.
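To see what a geotag looks like inside a photo and how to remove it, here is an added example, not the post's code: it parses the Exif segment of a JPEG down to the GPS IFD, converts the degrees/minutes/seconds rationals back to decimal coordinates, and strips the segment. The sample JPEG is built in the code with made-up coordinates so it runs offline; it covers the part of the Exif layout a real reader also has to handle (byte order, IFD0's GPSInfo pointer, rational values stored out of line).

```python
"""Read, and strip, the GPS geotag a camera writes into a JPEG's Exif segment.

Added example, not code from the original post. It parses only what it needs
(TIFF header, IFD0's GPSInfo pointer, the GPS IFD's latitude/longitude tags) and
builds its own sample JPEG with made-up coordinates so it runs offline; real
files carry many more tags and may be big-endian, which the reader handles."""
import struct

TAG_GPS_IFD, TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 0x8825, 0x0001, 0x0002, 0x0003, 0x0004
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5
EXIF_MAGIC = b"Exif\x00\x00"

def _dms(value):
    """Decimal degrees -> [(deg,1), (min,1), (sec*100,100)] rationals, as cameras store them."""
    deg = int(value); minutes = int((value - deg) * 60)
    sec100 = round(((value - deg) * 60 - minutes) * 6000)
    return [(deg, 1), (minutes, 1), (sec100, 100)]

def build_sample_jpeg(lat, lon):
    """Constructed JPEG: SOI, one Exif APP1 (little-endian, IFD0 -> GPS IFD), SOS, EOI."""
    gps_ifd_off = 8 + 2 + 12 + 4                         # IFD0 holds one entry: the GPSInfo pointer
    tiff = b"II*\x00" + struct.pack("<I", 8)
    tiff += struct.pack("<HHHII", 1, TAG_GPS_IFD, TYPE_LONG, 1, gps_ifd_off) + struct.pack("<I", 0)
    entries = [(TAG_LAT_REF, TYPE_ASCII, b"N\x00" if lat >= 0 else b"S\x00"),
               (TAG_LAT, TYPE_RATIONAL, _dms(abs(lat))),
               (TAG_LON_REF, TYPE_ASCII, b"E\x00" if lon >= 0 else b"W\x00"),
               (TAG_LON, TYPE_RATIONAL, _dms(abs(lon)))]
    data_off = gps_ifd_off + 2 + 12 * len(entries) + 4   # rationals live after the GPS IFD
    ifd, extra = struct.pack("<H", len(entries)), b""
    for tag, typ, val in entries:
        if typ == TYPE_ASCII:                            # <= 4 bytes fit in the value field itself
            ifd += struct.pack("<HHI", tag, typ, len(val)) + val.ljust(4, b"\x00")
        else:
            ifd += struct.pack("<HHII", tag, typ, len(val), data_off + len(extra))
            extra += b"".join(struct.pack("<II", n, d) for n, d in val)
    app1 = EXIF_MAGIC + tiff + ifd + struct.pack("<I", 0) + extra
    return (b"\xFF\xD8\xFF\xE1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xFF\xDA\x00\x08constructed-scan-data\xFF\xD9")

def _segments(jpeg):
    """Yield (marker, start, end) for each marker segment after SOI, stopping at SOS."""
    i = 2
    while i + 4 <= len(jpeg) and jpeg[i] == 0xFF and jpeg[i + 1] != 0xDA:
        length = struct.unpack(">H", jpeg[i + 2:i + 4])[0]
        yield jpeg[i + 1], i, i + 2 + length
        i += 2 + length

def _is_exif(jpeg, marker, start):
    return marker == 0xE1 and jpeg[start + 4:start + 10] == EXIF_MAGIC

def read_gps(jpeg):
    """Return (lat, lon) in decimal degrees, or None when the file carries no geotag."""
    for marker, start, end in _segments(jpeg):
        if not _is_exif(jpeg, marker, start):
            continue
        tiff = jpeg[start + 10:end]
        bo = "<" if tiff[:2] == b"II" else ">"            # byte order from the TIFF header
        u16 = lambda o: struct.unpack(bo + "H", tiff[o:o + 2])[0]
        u32 = lambda o: struct.unpack(bo + "I", tiff[o:o + 4])[0]
        def entries(ifd_off):                             # (tag, type, count, offset of value field)
            for k in range(u16(ifd_off)):
                e = ifd_off + 2 + 12 * k
                yield u16(e), u16(e + 2), u32(e + 4), e + 8
        gps_off = next((u32(v) for tag, _, _, v in entries(u32(4)) if tag == TAG_GPS_IFD), None)
        if gps_off is None:
            return None
        gps = {}
        for tag, typ, count, v in entries(gps_off):
            if typ == TYPE_ASCII:
                gps[tag] = tiff[v:v + count].rstrip(b"\x00").decode("ascii", "replace")
            elif typ == TYPE_RATIONAL:                    # values are out of line at u32(v)
                off = u32(v)
                gps[tag] = [u32(off + 8 * j) / u32(off + 8 * j + 4) for j in range(count)]
        if TAG_LAT not in gps or TAG_LON not in gps:
            return None
        lat = sum(x / 60 ** i for i, x in enumerate(gps[TAG_LAT]))   # deg + min/60 + sec/3600
        lon = sum(x / 60 ** i for i, x in enumerate(gps[TAG_LON]))
        return (-lat if gps.get(TAG_LAT_REF) == "S" else lat,
                -lon if gps.get(TAG_LON_REF) == "W" else lon)
    return None

def strip_exif(jpeg):
    """Drop every Exif APP1 segment (and with it the GPS IFD); image data is untouched."""
    out, pos = bytearray(jpeg[:2]), 2
    for marker, start, end in _segments(jpeg):
        if not _is_exif(jpeg, marker, start):
            out += jpeg[start:end]
        pos = end
    return bytes(out + jpeg[pos:])

if __name__ == "__main__":
    sample = build_sample_jpeg(30.5083, -97.6789)        # made-up coordinates
    print("geotag:", read_gps(sample))
    print("after strip:", read_gps(strip_exif(sample)))
```

Strip the tag before sharing, not after: once a platform has received the original, removing the geotag from your own copy changes nothing. Most phones also let you disable geotagging in the camera settings, which avoids the problem at the source.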

What Kind Of Information Is Revealed By Location Tracking?

Location tracking can be used to disclose a variety of information:

  • Where you live
  • Your financial status, inferred from where you live
  • Your place of work
  • Your regular travel route
  • The stores you visit frequently
  • Your real-time location
  • Whether you are on vacation, and where you are staying

These are some common types of information that can be disclosed by location tracking.

Privacy Concerns Caused By Disclosure Of Such Information:

  • Stalking & Harassment: detailed information about your whereabouts increases the risk of being stalked or harassed. A stalker who knows the places you visit regularly can easily pick a place and the best time to confront you.
  • Robbery: burglars can learn a great deal from your location history, such as when you will not be home or whether you take a secluded route to work. Disclosure of such private information puts you in danger.
  • Contextual Advertising: contextual advertising is a growing problem for social media users. Marketers pay a high price for personal information such as individuals' location data, which helps them understand user behavior and tailor their campaigns. This has led to a rise in the number of cyber criminals tracking individuals' locations to build databases that can be sold to organizations.
  • Fraud: fraudsters can use your location data to build and study a profile of you. The profile gives them a sneak peek into your personal life, which they use to fabricate a convincing fraud.

For more information on privacy concerns arising out of location tracking, call Centex Technologies at (254) 213 – 4740.

© Copyright 2022 The Centex IT Guy. Developed by Centex Technologies