Sunday, 28 July 2024

Ransomware – some recent thoughts

The cybersecurity technology and information security company Cisco Talos recently published some interesting information on the tactics, techniques, and procedures (TTPs) used by the top 14 ransomware groups. Let’s see what we can learn from it.

Firstly, they looked at the steps in a ransomware attack, which won’t come as a surprise. The steps were:

  • Gain access to the targeted entity. Different techniques can be used, but the most common is social engineering, which usually involves sending targeted people emails containing malicious files or links that will run malware on the targeted system. The malware allows the attacker to deploy more tools and malware to reach their goals, even bypassing multifactor authentication.
  • Scan Internet-facing systems for vulnerabilities or misconfigurations. Unpatched or legacy software is a particularly high risk.
  • Gain persistence. If the malware is identified and removed early on, the attack has failed. So, steps need to be taken to ensure permanence. With an attack on Windows, registry keys can be modified, or the malware can be auto-started at boot time. Local, domain, and/or cloud accounts can be created. On a mainframe, multiple copies of the malware might be stored, allowing a second copy to be activated if needed.
  • Network scanning to understand the infrastructure. This is where valuable data is identified. In addition, privilege levels need to be raised to administrator level. On a mainframe, the order of these two sub-steps would probably be reversed.
  • Data exfiltration. The valuable data, usually personally identifiable data, eg names, addresses, social security numbers, bank account details, etc, is then stolen. That might be the end of the attack.
  • Data encryption. Encrypting the data allows the bad actors to send a ransom demand to the organization that has been attacked. Unless the ransom is paid, the target organization won’t get the key to decrypt their data.
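
The last step in that list, encryption in place, has a cheap statistical tell that defenders can watch for. As an added example (it is not code from the Cisco Talos report or from this post), the Python below measures the Shannon entropy of file contents: properly encrypted bytes are close to uniformly random and score near 8 bits per byte, while documents, CSV exports and source code score far lower. The threshold, the minimum size and every sample file are constructed assumptions.

```python
"""Entropy-based check for files that look encrypted.

This is an added example; it is not code from the Cisco Talos report or from
this post. Ransomware's last step encrypts data in place, and well-encrypted
bytes are close to uniformly random: their Shannon entropy approaches 8 bits
per byte, whereas text, CSV exports and source files sit far lower. A scanner
that alerts when the share of near-random files in a directory tree jumps is
a cheap detection for that stage. All sample content below is constructed.
"""
import math
import random
from collections import Counter

ENTROPY_THRESHOLD = 7.5   # bits per byte; assumed cut-off, tune per environment
MIN_SIZE = 64             # tiny files give unreliable entropy estimates


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (0.0 if empty)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes) -> bool:
    """True when the content is big enough to judge and statistically near-random."""
    return len(data) >= MIN_SIZE and shannon_entropy(data) >= ENTROPY_THRESHOLD


def scan(files: dict) -> dict:
    """Return {path: entropy} for every file in a {path: bytes} mapping that looks encrypted."""
    return {path: round(shannon_entropy(data), 2)
            for path, data in files.items() if looks_encrypted(data)}


def ratio_flagged(files: dict) -> float:
    """Fraction of files flagged; a sudden rise across a file share is the alert signal."""
    return len(scan(files)) / len(files) if files else 0.0


def sample_files() -> dict:
    """Constructed corpus: three ordinary documents and two that have been 'encrypted'
    (random bytes stand in for ciphertext; a fixed seed keeps the run reproducible)."""
    rng = random.Random(2024)
    report = ("Quarterly report: revenue up 4%, costs flat, headcount 212.\n" * 40).encode()
    customers = "\n".join(f"{i},customer{i},ACC-{i:06d}" for i in range(300)).encode()
    script = b"def main():\n    print('hello')\n\nif __name__ == '__main__':\n    main()\n" * 20
    return {
        "finance/q2.txt": report,
        "crm/customers.csv": customers,
        "tools/run.py": script,
        "finance/q1.txt.locked": rng.randbytes(4096),
        "hr/payroll.xlsx.locked": rng.randbytes(8192),
    }


if __name__ == "__main__":
    corpus = sample_files()
    for path, ent in scan(corpus).items():
        print(f"suspect: {path} entropy={ent}")
    print(f"{ratio_flagged(corpus):.0%} of files look encrypted")
```

Entropy alone is noisy: compressed archives, images and already-encrypted backups are legitimately near 8 bits per byte, so in practice the signal is the rate of change (many files crossing the threshold in minutes, often with new extensions) rather than any single file.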

I would suggest that the attackers might also look for links to other organizations. These supply-chain attacks allow the bad actors to use one attack to get into the systems of multiple organizations.

Cisco Talos does offer some suggestions of how to mitigate the threat of ransomware. These are:

  • Apply patches and updates to systems and software to reduce the risk of exploits being used to access a system.
  • Implement complex and unique password policies and multifactor authentication.
  • Harden the attack surface by disabling unnecessary services and features and limiting the number of public-facing Internet services as much as possible.
  • Segment networks using virtual local area networks (VLANs) or similar technologies. Isolating sensitive data and systems from other networks prevents lateral movements from an attacker.
  • Monitor endpoints using a security information and event management (SIEM) system, and use endpoint detection and response (EDR) or extended detection and response (XDR) tools.
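
The last mitigation, monitoring endpoints through a SIEM, is where the persistence techniques named in the attack steps (modified autostart registry keys, newly created accounts) become detectable. As an added example, not code from Cisco Talos or this post, the Python below runs three correlation rules over a constructed JSON-lines event feed and flags hosts on which more than one rule fires. The event IDs are the real Windows Security log IDs (4720 user account created, 4657 registry value modified, 4698 scheduled task created); the field names, host names, business hours and task allow-list are this example's own assumptions.

```python
"""Toy SIEM correlation for the persistence stage of a ransomware intrusion.

Added example, not code from Cisco Talos or this post. The attack-step list
notes that persistence on Windows is often gained by modifying registry
autostart keys or creating accounts, and the mitigation list ends with
monitoring endpoints through a SIEM. Three small rules below run over a
constructed JSON-lines event feed and report which hosts trip which rule.
The event IDs are real Windows Security log IDs (4720 user account created,
4657 registry value modified, 4698 scheduled task created); the record field
names, host names and the allow-lists are this example's own assumptions.
"""
import json
from collections import defaultdict

APPROVED_TASKS = {"BackupNightly", "UpdateAgent"}   # assumed change-controlled task names
BUSINESS_HOURS = range(8, 19)                        # 08:00-18:59, assumed site policy

# Constructed sample feed: one host trips all three rules, two hosts produce benign noise.
SAMPLE_EVENTS = r"""
{"ts":"2024-07-20T02:14:09","host":"WS-017","event_id":4657,"user":"CORP\\jdoe","key":"HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run","value":"updater","data":"C:\\Users\\Public\\svc.exe"}
{"ts":"2024-07-20T02:15:31","host":"WS-017","event_id":4720,"user":"CORP\\jdoe","new_account":"svc_backup"}
{"ts":"2024-07-20T02:16:02","host":"WS-017","event_id":4698,"user":"CORP\\jdoe","task":"SysHelper"}
{"ts":"2024-07-20T10:05:44","host":"SRV-DB1","event_id":4698,"user":"CORP\\dbadmin","task":"BackupNightly"}
{"ts":"2024-07-20T14:30:12","host":"WS-042","event_id":4720,"user":"CORP\\helpdesk","new_account":"tmiller"}
{"ts":"2024-07-20T14:31:50","host":"WS-042","event_id":4657,"user":"CORP\\tmiller","key":"HKU\\S-1-5-21-2\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced","value":"Hidden","data":"1"}
"""


def parse_events(text: str) -> list:
    """Parse a JSON-lines feed into dicts, ignoring blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def hour_of(ts: str) -> int:
    """Hour field of an ISO-8601 timestamp such as 2024-07-20T02:14:09."""
    return int(ts[11:13])


def rule_autorun_modified(ev: dict) -> bool:
    """4657 on a Run/RunOnce key: a classic boot-time autostart for malware."""
    return ev.get("event_id") == 4657 and r"\currentversion\run" in ev.get("key", "").lower()


def rule_account_created_off_hours(ev: dict) -> bool:
    """4720 outside business hours: new accounts are a persistence foothold."""
    return ev.get("event_id") == 4720 and hour_of(ev["ts"]) not in BUSINESS_HOURS


def rule_unapproved_task(ev: dict) -> bool:
    """4698 for a task name not on the change-controlled allow-list."""
    return ev.get("event_id") == 4698 and ev.get("task") not in APPROVED_TASKS


RULES = {
    "autorun_modified": rule_autorun_modified,
    "account_created_off_hours": rule_account_created_off_hours,
    "unapproved_scheduled_task": rule_unapproved_task,
}


def evaluate(events: list) -> dict:
    """Map host -> sorted names of the rules that fired on that host."""
    hits = defaultdict(set)
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits[ev["host"]].add(name)
    return {host: sorted(names) for host, names in hits.items()}


def persistence_suspects(events: list, min_rules: int = 2) -> list:
    """Hosts where at least `min_rules` distinct rules fired. Any one event can be
    benign admin work; the combination on a single host is what merits triage."""
    return sorted(h for h, names in evaluate(events).items() if len(names) >= min_rules)


if __name__ == "__main__":
    feed = parse_events(SAMPLE_EVENTS)
    for host, names in evaluate(feed).items():
        print(host, "->", ", ".join(names))
    print("triage:", persistence_suspects(feed))
```

Two practical caveats: event 4657 is only emitted for registry keys that carry an audit SACL and when object-access auditing is enabled, so the autostart keys must be deliberately put under audit before this rule can fire; and the allow-list and business-hours values have to reflect the real change-control process, otherwise the rules either flood the analyst or go quiet.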

One of the big problems facing the IT security team is the number of people working from home. Indusface, an application security SaaS company, has suggested nine ways to protect company data for people working remotely. Here are their suggestions:

  1. Provide company devices. This allows organizations to fully manage and secure the devices used to access company data. The devices should be updated and encrypted with SSL certificates. If that’s not possible, home-workers should be given everything they need to secure their own devices, eg anti-malware software.
  2. Scan and penetration test applications. Pen testing protects against data breaches by simulating real-world attacks on systems and highlighting vulnerabilities including privilege escalation attacks. Where vulnerabilities are identified, appropriate defensive measures can be taken.
  3. Utilize virtual private networks (VPNs) across the business. VPNs are easy to implement and protect data that could otherwise be vulnerable to attacks over an open public network.
  4. Deploy a web application firewall (WAF). This will protect web applications from attacks. An AI/ML-based WAF should detect anomalies and block illegitimate requests even if they are made through compromised employee credentials.
  5. Employ encryption software. Encrypting sensitive files means that were someone able to steal the files, they would not be able to access the data or content. Security policies should ensure that all remote workers know how to encrypt files and when it is necessary. Routine checks should ensure the policy is being followed.
  6. Strict password management. Hackers rely on weak passwords when brute forcing point of sale (PoS) terminals. Use automatic password generators to create safe and secure passwords, and ensure that passwords are unique and never duplicated across multiple accounts. For sensitive data, employees should always implement multi-factor authentication (MFA), requiring users to provide multiple methods of verifying their identity.
  7. Rigorous access controls. Organizations should apply the principle of least privilege when it comes to access control, ie allowing users access to only the specific assets that they require for their work. Access to files should be revoked as soon as it is no longer necessary, such as when an employee leaves, or a person’s involvement in a project is over.
  8. Provide employees with what they need. To make their jobs easier, remote workers may implement tools, systems, or habits that are not sanctioned by the company. This shadow IT could include using risky apps and tools, sending files through unsecure channels, or storing assets somewhere unprotected. Provide remote workers with all the tools they may need to do their job effectively and ensure that they are aware of all the approved platforms that they have access to.
  9. Fully prepare and train remote workers. Organizations can implement security strategies, but efforts will be futile unless remote workers fully understand what the procedures are and why they are important. Training staff regularly and testing the effectiveness of the training (eg phishing email simulations) is important.

There are some useful hints and tips there. Although they are mainly PC-based ideas, accessing the Windows infrastructure may be just a short step away from accessing an organization’s mainframe.


Sunday, 14 July 2024

Interesting browser updates

I was checking on Statcounter to see how popular different browsers were. I wasn’t surprised to see that Google’s Chrome was the most popular with nearly two-thirds (65.68%) of the market share. Safari came second with 17.96%, which probably gives an indication of the percentage of Macs, iPhones, and iPads in use out there. In third place is Edge. Everyone who has bought a PC will have Edge as the default browser. To be honest, the first thing I do when I get a new laptop is download a different browser – and, judging by the figures, so do lots of other people. Firefox is fourth with 2.75%. I always used to use Firefox, and I liked using it. I just didn’t install it on my newest laptops. C’est la vie! I was surprised to see Samsung Internet in fifth place. I’d never considered using it, and I have a Samsung phone. It scored 2.58% of market share. Sixth was Opera with 2.26%.

Looking at figures for just North America, it came as no surprise to see Apple’s browser had nearly a third of the market share at 31.74%. Chrome had over half at 52.55%. In Europe, the figures were still in the same order, but Chrome had 61.89% of the market and Safari had 18.55%.

Still, whatever browser you choose, it’s still just a browser – and you only use it to access your webmail, or get to Amazon to do your shopping, or check your bank balance, book holiday, or go to a million other websites, don’t you?

Once you’ve personalized your browser, and got it to remember the user-id and password you use for the websites you visit frequently, and, especially, the ones you only visit once a year, you don’t really want to change it. After all, what extra could a different browser do?

I’ve just started using Opera, or Opera GX as it calls itself. Opera, the browser, has been around for 25 years and is available on laptops and mobile phones, and has recently had some new updates to its built-in artificial intelligence (AI) called Aria, which adds some interesting new features.

Firstly, it has the ability to turn text prompts and descriptions into unique images using the image generation model Imagen2 by Google. Aria identifies the user’s intention to generate an image based on conversational prompts. Users can also use the ‘regenerate’ option to have Aria come up with a new image. Aria allows each user to generate 30 images per day.

Secondly, Aria can now read answers out loud by using Google’s WaveNet model. It benefits those who normally use screen readers, like to multitask, or need to hear information instead of reading it. To get this to work (I was using the command line), I had to click on the speaker icon in the bottom right corner to have Aria read the text response. It was easy to pause the speaking by clicking the pause button that replaced the speaker icon. Clicking the speaker icon again restarted the dialogue.

Thirdly, it’s gaining contextual image understanding. They say that Internet users find themselves searching for information about something they saw just as often as for something they read or heard about. So, Aria is also gaining image understanding capabilities. This means that users can now upload an image to Aria. As part of the chat conversation, users can then ask the AI tool about it. For example, if the image is an unknown headset, Aria will identify its brand and model as well as provide some context about it. Or a user can take a picture of a maths problem and ask Aria how to solve it.

To get this to work I had to download the developer version of the browser and create an account, and sign in. Once I’d done that, I clicked on the ‘+’ button on the right of the chat input box, and then selected the ‘upload image’ option. The explanation of the context of the image was quite good.

As part of the update, the text-based chat experience with Aria has also been improved with the addition of two new functionalities: ‘Chat Summary’ and ‘Links to Sources’. The former provides users with a concise summary of an entire conversation with Aria, allowing them to recap the most important information. In the latter feature, Aria supplies the user with links to sources about the topic of the conversation, enabling them to get more context regarding their enquiry. In addition, the Aria command line in the browser can now be easily activated by pressing the ‘ctrl + /’ or ‘cmd + /’ button combination. This enables the user to open the additional floating window instead of using Aria from the extension page. There’s also a small icon on the left-hand side of the browser that opens up Aria.

Features that were already part of Opera GX that you might be interested in include: RAM, CPU, and network limiters, a built-in free VPN (virtual private network), Twitch and Discord integration (chat facilities used by gamers), and a built-in ad blocker.

I’m quite enjoying using the browser. You might want to give it a try.