A new ransomware report, don’t take shortcuts with code and why firms must limit administration access rights
Welcome to Cyber Security Today. It’s Friday March 19th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Ransomware is an increasingly lucrative business for threat groups. That’s according to the latest research from Palo Alto Networks’ Unit 42 threat intelligence unit. The report says the average ransom paid by victim organizations last year in the U.S., Canada and Europe was just over $312,000. And that’s the average. It’s a 171 per cent increase over the 2019 average payment. The highest ransom paid last year was $10 million – and remember, not all ransomware incidents are reported. A large part of the increase is due to a change in tactics to double extortion – not only encrypting data but also stealing data and threatening to release it to the public or other crooks.
According to websites run by ransomware gangs that claim to have stolen data, the country most hit last year was the U.S., with 151 victim organizations, followed by Canada with 39, Germany with 26 and the United Kingdom with 17. These are only groups that publish stolen data. Other ransomware groups merely encrypt data and demand payment for a decryption key. So the total number of corporate ransomware victims would be higher.
To defend against ransomware the report says employee security awareness training is vital, as well as patching software as soon as security updates are available. Tightly configuring remote access services that employees use will close off that avenue of attack. Also, limit access to data to only those who need it.
There are lots of ways to trick employees into opening malicious attachments: Claiming a document is an invoice, contains package shipping information or news about salary increases are popular. Recently, cons built around COVID-related information have become popular too. There’s a new scam the FBI warned about this week: Emails that include a phony driving infringement charge. Open the document and the victim’s device is infected with a nasty piece of malware called TrickBot. It has a range of capabilities for stealing passwords and data from devices. Gangs also use it as the first stage in a ransomware attack. Make sure antivirus or anti-malware suites are up to date and employees are trained to watch for suspicious email and texts.
Software and website developers sometimes have to put placeholders in their pre-release code until their companies finalize certain things. For example, the final email or web address may not have been chosen, so something has to be put there temporarily. However, unless those placeholders are replaced with legitimate addresses before release, the temporary placeholder could lead to a security compromise. According to security reporter Brian Krebs, that’s what happened to a large American financial services firm called Fiserv whose products are used by banks. A developer inserted a temporary and unregistered website address called “defaultinstitution.com” in an application. But it wasn’t replaced with a registered address when the application went live. A curious researcher was able to register “defaultinstitution.com” and started getting emails with sensitive information. Had crooks done that they would have gotten those messages. The lesson is that developers have to carefully scrutinize their code before making anything live.
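One way to catch this class of mistake before go-live is a pre-release check that pulls every host out of the URLs and email addresses in source and configuration files and flags any host the organization does not own, with placeholder-looking names called out separately. The following is an added example written for this post, not code from Fiserv or from Krebs’s reporting; the allowlist, the placeholder marker words and the sample settings file are all constructed for illustration.

```python
import re

# Extract hosts only from URLs and e-mail addresses, so ordinary dotted
# identifiers such as "config.yaml" are not mistaken for domains.
HOST_IN_URL_OR_EMAIL = re.compile(
    r"(?:https?://|[\w.+-]+@)"
    r"([a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+)",
    re.IGNORECASE,
)

# Words that commonly mark a temporary value left behind in code or config (assumed list).
PLACEHOLDER_MARKERS = ("default", "placeholder", "changeme", "dummy", "todo", "fixme", "tbd")


def is_owned(host, owned_domains):
    """True if host is exactly an owned domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in owned_domains)


def scan_for_unowned_hosts(text, owned_domains):
    """Return (line_no, host, reason) for every URL or e-mail host not under an owned domain."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for host in HOST_IN_URL_OR_EMAIL.findall(line):
            host = host.lower()
            if is_owned(host, owned_domains):
                continue
            if any(marker in host for marker in PLACEHOLDER_MARKERS):
                reason = "placeholder-looking host"
            else:
                reason = "host not in owned-domain allowlist"
            findings.append((line_no, host, reason))
    return findings


# Constructed sample settings file; ".example" is a reserved TLD used here for illustration.
SAMPLE_CONFIG = """\
# constructed sample settings file
notify_from = alerts@acmebank.example
support_url = https://support.acmebank.example/help
institution_contact = ops@defaultinstitution.com
vendor_status = https://status.vendor-example.net/
"""
OWNED = {"acmebank.example"}  # assumed: domains the organization actually controls

if __name__ == "__main__":
    for line_no, host, reason in scan_for_unowned_hosts(SAMPLE_CONFIG, OWNED):
        print(f"line {line_no}: {host} ({reason})")
```

Run as part of the release pipeline, a non-empty result fails the build, so a host like “defaultinstitution.com” is caught before any mail is addressed to it.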
Finally, a report this week outlined how important user identity and data access management is to blunting some attacks. A report from a firm called BeyondTrust said last year Microsoft reported over 1,200 vulnerabilities in its products, a record high. The leading type of vulnerability allowed an attacker who had either compromised an employee’s account or created a new one to increase unauthorized access to data. This is called access privilege escalation. Researchers figure 56 per cent of critical Microsoft vulnerabilities could be mitigated by removing administrative access rights from people who don’t need them. One way to control administrative rights is for the security team to implement what’s called a zero-trust framework. Briefly, employees aren’t trusted to access everything. They are limited to accessing only the data they need, and only when they need it.
Don’t forget this afternoon there’s the Week In Review edition of the podcast with a guest commentator looking at the news. Today it will be released earlier than usual, about 1 p.m. Eastern, for technical reasons.
That’s it for today. As always links to details about these stories are in the text version of this podcast at ITWorldCanada.com. That’s where you’ll also find my news stories aimed at cybersecurity professionals.
Subscribe to Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.