Hidden Vulnerabilities: Why Cybercriminals Target Small Town Businesses 

Week after week, we write about the latest breach or how hackers use social engineering to get into corporate and government systems, but as you read this in Cochise County you think these types of things only happen to big corporations in big cities.  You may think: “My small business is not worth the hackers’ efforts.”  I’ve got news for you; your small or medium-size business is worth their effort.  Why?  Because some businesses make it so easy for them. As we do forensic investigations locally in Cochise County, we have met some of the victims.  Sometimes healthcare providers post a banner on their web pages discussing their breach and compromised data. 

One of the most common ways hackers get unauthorized access to local business systems is to scan for open ports on public-facing servers. A port is simply a door into your network. The port in particular that they love is the one used for remote access. In this case think of this port as the magic wardrobe that the children found to enter Narnia. During COVID, when many switched from working at the office to working at home, the local IT guru opened that famous port so that users could remote into their server or desktop using Microsoft Remote Desktop. It was a great solution because it is easy, and it works. Unfortunately for many, it is not at all secure and is a favorite target for our worldwide hackers.

It’s possible to scan the entire internet in hours. In 2019, a researcher named Robert Graham scanned the entire IPv4 address space for the remote desktop port and found around 3 million exposed servers. That’s exactly what the bad actors do. Once they find the open port, the first tactic they try is to determine the type of server and use the default usernames and passwords from the manufacturers. Many people never remove and reset these. The next thing hackers will attempt is a password cracking technique. Some techniques are sophisticated, like the credential stuffing attack, where hackers look on the dark web for actual cracked passwords from a business that was hacked. They are hoping that people will reuse their passwords. Another technique is to run a dictionary attack, where common usernames and passwords are automatically attempted. We see this occur locally where the port is opened for maintenance and within an hour there are failed login attempts from North Korea, China, Russia, and Iran. It really happens here in Cochise County.
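The failed-login floods described above leave a very recognizable trail in the server's security log. The following is an added example (not code from the column or from any product it mentions) that shows how a small shop could spot them: it reads failed-logon records and flags any source address that produces a burst of failures, separating a dictionary attack (many different usernames from one address) from a brute-force run against a single account. The log lines are constructed for the example and use a simplified one-line rendering of Windows Security event 4625 (failed logon, where logon type 10 is a Remote Desktop session); the burst thresholds are assumptions a defender would tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Each line is a simplified rendering of
# Windows Security event 4625 (failed logon); logon_type=10 means RemoteInteractive (RDP).
SAMPLE_LOG = """\
2024-05-01T02:14:07Z 4625 user=administrator src=203.0.113.45 logon_type=10
2024-05-01T02:14:09Z 4625 user=admin src=203.0.113.45 logon_type=10
2024-05-01T02:14:11Z 4625 user=guest src=203.0.113.45 logon_type=10
2024-05-01T02:14:12Z 4625 user=test src=203.0.113.45 logon_type=10
2024-05-01T02:14:14Z 4625 user=user src=203.0.113.45 logon_type=10
2024-05-01T02:14:16Z 4625 user=scan src=203.0.113.45 logon_type=10
2024-05-01T02:20:00Z 4625 user=jsmith src=198.51.100.7 logon_type=10
2024-05-01T02:20:03Z 4625 user=jsmith src=198.51.100.7 logon_type=10
2024-05-01T02:20:06Z 4625 user=jsmith src=198.51.100.7 logon_type=10
2024-05-01T02:20:09Z 4625 user=jsmith src=198.51.100.7 logon_type=10
2024-05-01T02:20:12Z 4625 user=jsmith src=198.51.100.7 logon_type=10
2024-05-01T02:30:00Z 4625 user=svc src=203.0.113.99 logon_type=3
2024-05-01T09:05:00Z 4625 user=mjones src=192.168.1.23 logon_type=10
2024-05-01T09:05:30Z 4625 user=mjones src=192.168.1.23 logon_type=10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) 4625 user=(?P<user>\S+) src=(?P<src>\S+) logon_type=(?P<lt>\d+)$"
)


def parse_events(log_text):
    """Turn log lines into (timestamp, username, source address, logon type) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not failed-logon records
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"].lower(), m["src"], int(m["lt"])))
    return events


def detect_bursts(log_text, window=timedelta(minutes=5), threshold=5, spray_users=3):
    """Flag each source address with `threshold` or more RDP failures inside `window`.

    threshold/window/spray_users are assumed tuning values for this example.
    """
    by_src = defaultdict(list)
    for ts, user, src, lt in parse_events(log_text):
        if lt == 10:  # only RemoteInteractive (RDP) failures matter here
            by_src[src].append((ts, user))

    findings = []
    for src, evs in by_src.items():
        evs.sort()
        # A burst exists if any `threshold` consecutive failures fit inside the window.
        burst = any(
            evs[i + threshold - 1][0] - evs[i][0] <= window
            for i in range(len(evs) - threshold + 1)
        )
        if not burst:
            continue  # e.g. a real user mistyping a password twice
        users = {u for _, u in evs}
        kind = ("dictionary/password spray" if len(users) >= spray_users
                else "brute force on one account")
        findings.append({
            "src": src, "attempts": len(evs), "distinct_users": len(users),
            "kind": kind, "first": evs[0][0], "last": evs[-1][0],
        })
    return findings


if __name__ == "__main__":
    for f in detect_bursts(SAMPLE_LOG):
        print(f"{f['src']}: {f['attempts']} failures, {f['distinct_users']} usernames "
              f"({f['kind']}) between {f['first']:%H:%M:%S} and {f['last']:%H:%M:%S}")
```

Run against the constructed log, the scanner at 203.0.113.45 is reported as a dictionary attack (six usernames in nine seconds), 198.51.100.7 as a brute-force run on one account, and the two failures from 192.168.1.23 are left alone because they never reach the burst threshold. The same logic works on real 4625 events once they are exported in this one-line form; the point for a small business is that a burst like this within an hour of opening the port is the signal to close it and put remote access behind a VPN or gateway with multi-factor authentication.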

Many business owners believe that they are safe from cyber-attacks because their IT person assured the owners that they have the best firewall the world has ever seen along with the latest and greatest anti-virus. This is a good start, but the bad news is that unless you block internet and email traffic on the firewall, it won’t stop phishing emails. Your anti-virus won’t stop brand new malware. According to Verizon’s 2023 Data Breach Report, around 90% of breaches are linked to phishing emails. The others are related to downloading malware through internet browsing.

Some business owners might say they are safe and don’t need cyber security because their software is cloud-based. In that case, what happens when an employee downloads a key-logger program from a link in their email? The hacker has access to all company data, and if that employee had administrative privileges, the hacker has total control.

If a breach or ransomware attack could shut down your business for more than a day or if a breach would make you liable to your clients, your business needs solid cybersecurity.  We recommend a defense-in-depth strategy where there are multiple layers of defense.  Start with the basics of up-to-date firewalls and anti-virus, then add endpoint detection response that stops malware from executing, then get some monitoring and user training.  You follow that up with solid security policies. 

Don’t be an easy target.  Harden your business with a defense-in-depth strategy to thrive in the digital world.  Get a cyber risk assessment done to make sure that you are not low hanging fruit for the lazy hacker. 

How the World Ends 

In today’s vernacular you might say you’ve been “click-baited”. Or maybe not. I’ll let you be the judge. I guess it will all come down to how you interpreted “World” and “Ends”. If you immediately pictured the metaphorical “world” or the global context of “world” and if your definition of “ends” means “completion of current state and transformation to something better,” then this most likely will not be what you expected. My intent is to reveal something more sinister and far more depressing. But I beg you to hear me out. After all, it’s only about 5 minutes of your time. 

In 1942 concentration camp victims created massive amounts of counterfeit British pounds in an effort to collapse the British economy. This wasn’t the first use of currency counterfeiting in war though. The technique has been around a long time. The British attempted it during the Revolutionary War; Napoleon used it against the Italians; even during the 15th century Italy employed it.  

Why would one country counterfeit the currency of its enemy? Were they intending to go on a shopping spree after invading their foe? Oh no, that’s not it. It’s more nefarious than that.

See, here’s a dirty little secret. And it’s one that the Federal Reserve Bank and other central banks around the world would rather you not find out. Counterfeiting leads to hyperinflation. The effect isn’t immediate. It takes some time to get all the money out into circulation. But once it does, the effect can be horrific on the economy.  

Hyperinflation manifests itself in rising prices. At the grocery store, at the gas pump, at the movie theater. Everywhere regular people do their daily transacting. When prices rise everywhere at about the same time, this is the effect of inflating the money supply. It’s not a collusion among all the grocers. It’s more a collusion among Central Bankers. It’s not rich farmers gouging you at the store. It’s the ultra-wealthy oligarchs who control everything. 

By flooding your enemy’s economy with counterfeit bills, you dilute the value of the currency until it becomes worthless. It’s pretty easy as the British found out at the end of World War II. The counterfeited bills were so good, they couldn’t tell the fake from the real bills. The only thing they could do was to stop printing the legitimate pounds and wait for the money to dissipate naturally.  

In the US we’ve been experiencing inflation for some time. Actually, the Fed has a target of 2% per year. It’s intentional. This time, it just got out of hand. Not from counterfeiting, but from legitimate money creation.  

Take a look at the St. Louis Fed website. Just do an internet search for “M2 money supply”. In 2020 the money supply exploded. Not counterfeit. It was Legal Tender. Because of the lag time between currency flooding the economy and inflation, we are now feeling the effects. Thank you, US Congress.

If you have been wondering whether the US Congress doesn’t always have our best interest at heart, perhaps you are onto something. Think about this. Like you, I live in Sierra Vista. I also own a small business. It’s nothing of significance, but I like to think I make a difference in the lives of the people I serve. It’s my small way of pursuing happiness in my life.

In 2021 Congress passed the Corporate Transparency Act (CTA). As a result, small businesses have to disclose all the details of their business ownership. We have to upload our business details into a government database. You know, the kind of database that is a major target of cyber criminals. The kind of database our government bureaucrats should protect but don’t. From a cybersecurity perspective, the data they require for compliance can easily be used in a social engineering attack to get YOUR information and to scam YOU. Even if you aren’t the small business owner. 

The funny thing about the CTA is that it affects only small businesses that almost exclusively do business locally. Corporations with over $5 million in annual revenue are exempt. The reason Congress claims they passed this legislation is to eliminate illicit money laundering. It’s supposed to be a way to financially suffocate terrorist cells. Most money laundering happens in companies handling greater than $5 million. The exemption is in the wrong direction. It will achieve the stated intent. It’s a shell game.

Small businesses have little or no budget to hire cybersecurity professionals to protect their computers, networks and sensitive business data. They are the most vulnerable to cyber attacks like ransomware. So in reality what this Act will do is provide a convenient database containing millions of small businesses who characteristically have little or no cyber security controls protecting their data. All neatly packaged for any moderately skilled threat actor.

Maybe it’s not the end of the world. Or maybe it is the end of the world as we have become accustomed to it. 

Even the Experts Can Be Fooled

When even experts in social engineering can be fooled, it is important to ensure a defense in depth strategy for your business’s information security. KnowBe4, one of the country’s largest providers of cybersecurity and social engineering training, got fooled by a North Korean IT worker intent upon loading their network with malware.

KnowBe4 had a job opening. They were looking for someone for their internal Artificial Intelligence (AI) team.  What they received instead was a valuable training lesson in advanced social engineering. They were fooled. But unlike many companies, they disclosed the failure. Their experience might save others from a similar fate. 

Fortunately, they caught the imposter early enough so there was no breach or illegal access to the company’s systems.  They stopped him before he could do any damage.  Here is how it happened, how they stopped it, and some lessons learned. 

The human resources team did their jobs. Background checks came back clean because the imposter was using a valid but stolen US-based identity. They conducted four video conference-based interviews validating that the person matched the photo on the application. The imposter took a stock photo and used AI to merge his features into the photo. HR even verified his references.

Once hired, the imposter asked to have his laptop sent to a farm. Not the kind you’re thinking of. It was “an IT mule laptop farm.”  The laptop farm is like an office filled with laptops and computers hackers use. They connect remotely from North Korea to the laptop farm. It was a good thing KnowBe4 restricted new employee access and didn’t allow access to the production systems. 

Once the imposter had been successfully hired and his laptop had been delivered, it was time for him to embed his malware onto the company network.  He downloaded and attempted to execute malware.  He then used some technical trickery to cover his tracks. 

The good news is the company security operations center (SOC) was alerted to potentially dangerous behavior and called the imposter.  The imposter claimed criminals must have compromised his router.  The SOC team quickly isolated his computer from the rest of the network preventing his access to valuable systems and data.  The imposter was unresponsive once he figured out that he was caught.  

Here are some lessons learned. When a company uses remote workers with remote computers, the company should have a way to scan the device, ensuring there are no other connections on the device. When hiring workers, don’t rely simply on email references. Do not ship laptops to locations that don’t match the applicant’s address. Make sure applicants are not using Voice over IP (VoIP) phone numbers. Lastly, watch for discrepancies in address and date of birth.
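The hiring checks in the lessons above are the kind of thing that gets skipped when each one lives in a different person's head. As an added example (not KnowBe4's process or code), here is a small screening routine that applies them to an applicant record and returns the discrepancies found: shipping address versus application address, a VoIP-looking phone number, a date of birth that differs between the application and the identity document, and references that can only be reached by email. Everything in it is an assumption for illustration: the applicant records are constructed, addresses are compared after light normalization, and the 555-01xx number range (reserved for fiction) stands in for the prefixes a real carrier-type lookup would report as VoIP.

```python
import re
from datetime import datetime

# Assumption: in a real deployment this would be a carrier-type lookup service.
# 555-01xx is a reserved fictitious range, used here as the stand-in "VoIP" prefix.
VOIP_PREFIXES = ("555-01",)

# Common street-suffix abbreviations so "Main Street" and "Main St." compare equal.
_ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "drive": "dr",
           "boulevard": "blvd", "suite": "ste", "apartment": "apt"}


def normalize_address(addr):
    """Lowercase, strip punctuation, collapse whitespace and abbreviate suffixes."""
    words = re.sub(r"[^\w\s]", " ", addr.lower()).split()
    return " ".join(_ABBREV.get(w, w) for w in words)


def normalize_phone(phone):
    """Reduce a US number to NPA-NXX-XXXX regardless of how it was typed."""
    digits = re.sub(r"\D", "", phone)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]  # drop the country code
    if len(digits) != 10:
        raise ValueError(f"not a 10-digit US number: {phone!r}")
    return f"{digits[:3]}-{digits[3:6]}-{digits[6:]}"


def parse_dob(text):
    """Accept the two date styles that typically appear on forms and ID scans."""
    for fmt in ("%Y-%m-%d", "%m/%d/%Y"):
        try:
            return datetime.strptime(text, fmt).date()
        except ValueError:
            pass
    raise ValueError(f"unrecognized date: {text!r}")


def screen_applicant(app):
    """Return the list of discrepancies found in one applicant record (empty if clean)."""
    flags = []
    if normalize_address(app["shipping_address"]) != normalize_address(app["application_address"]):
        flags.append("shipping_address_mismatch")
    phone = normalize_phone(app["phone"])
    if phone[4:].startswith(VOIP_PREFIXES):  # compare the NXX-XXXX part
        flags.append("voip_phone")
    if parse_dob(app["dob_application"]) != parse_dob(app["dob_id_document"]):
        flags.append("dob_mismatch")
    if any(not ref.get("phone") for ref in app["references"]):
        flags.append("email_only_reference")
    return flags


# Constructed applicant records (fictitious names, addresses and numbers).
IMPOSTER_APPLICANT = {
    "application_address": "1 Main Street, Sierra Vista, AZ",
    "shipping_address": "742 Warehouse Road, Suite 9, Othertown, TX",
    "phone": "(520) 555-0142",
    "dob_application": "1990-04-12",
    "dob_id_document": "04/12/1988",
    "references": [{"name": "A. Reference", "email": "ref@example.com", "phone": None}],
}

CLEAN_APPLICANT = {
    "application_address": "100 Main Street, Sierra Vista, AZ",
    "shipping_address": "100 Main St., Sierra Vista AZ",
    "phone": "+1 520 555 2671",
    "dob_application": "1985-09-30",
    "dob_id_document": "09/30/1985",
    "references": [{"name": "B. Reference", "email": "b@example.com", "phone": "(520) 555-2800"}],
}

if __name__ == "__main__":
    for label, app in (("imposter", IMPOSTER_APPLICANT), ("clean", CLEAN_APPLICANT)):
        print(label, screen_applicant(app) or "no discrepancies")
```

Any non-empty result should hold the offer until a human has resolved each item; the value of writing the checks down is that a laptop does not get shipped to a second address just because the background check came back clean.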

With all the process failures, KnowBe4 did not suffer a breach.  They understood defense in depth.  They had multiple lines of defense in case one (the employee screening process) was breached.  All their laptops had endpoint detection and response (EDR) software loaded and they had a SOC watching over their network.  The EDR stopped the malware from executing and alerted the SOC. The SOC team isolated the computer right away and escalated the issue.   

When it comes to protecting your business, you cannot rely on the minimal protections. Firewalls and anti-virus are useful, but they do not stop a hacker from entering through your email or your browser. Technology, like EDR and a SOC, may save the day, but it must be backed up with tried-and-true policies and training. Although KnowBe4 is an expert in social engineering, they got scammed due to lax hiring policies. They have since updated their hiring policies. Remember, a fool may learn from his own mistakes, but a wise man learns from the mistakes of others. Be the wise man.