The Destruction of Tyre and the Security of Cloud Applications 

The island city of Tyre was a beautiful, powerful, and strategic Phoenician trading city in the eastern Mediterranean Sea. Its defenses were so strong that it survived a 13-year siege by the great Babylonian conqueror Nebuchadnezzar, starting in 586 BC. The people were proud of how impenetrable they were. That is why, when Alexander the Great came along in 332 BC, they did not negotiate with him. So Alexander's army razed Old Tyre, which stood on the mainland next to the great island city of Tyre. The army used the rubble of Old Tyre to build a land bridge to the island, laid siege to the city for 7 months, and then utterly destroyed the city and its people.

That story comes to mind when I hear businesses say they don’t need cybersecurity protection because their data is in the cloud.  It is safe and sound and no one can hack it because it is not on site.  It’s hiding in the cloud.  Here are three reasons why they are wrong: Keyloggers, Stealers, and RATs.  

A keylogger is malware designed to record the keystrokes made on a computer or mobile device. A keylogger captures everything you type, including emails, passwords, messages, and search queries. This information is then sent to a third party.    

On a typical morning at a cloud-centric business, an employee starts work by opening email. On an infected system, the keylogger captures the email credentials, so the attacker has access to your business email, either to spy or to use the account for financial gain. The attacker is hoping your multi-factor authentication codes are sent to that compromised email account. Next the employee logs into the business apps that are in the cloud. This could be a healthcare system, a logistics system, or a financial system, whatever makes that business move forward. Perhaps an administrator pays an invoice with bank account information, or with the username and password for the bank. Maybe they use a credit card to pay the invoice instead. That's right: all of that information is now in the hands of the hacker, thanks to the keylogger.

Stealer malware, or infostealer malware, targets user credentials, browser data, cryptocurrency wallets, and any other personal data on your device. Not only can it take the usernames and passwords saved in your browser, but it can also steal the credentials of certain applications and accounts that do not run in the browser. Some stealers have been able to access crypto-wallets such as Phantom, Binance, Coinbase, and more. Stealers gather similar information to keyloggers, but they don't have to wait for anyone to log in and start typing. They search your device for the information that is already stored there.

A Remote Access Trojan (RAT) is a type of malware that allows hackers to gain remote control over an infected computer or device. It gives the hacker a command channel into the system, even if only a limited set of commands. Sometimes they steal data. Other times they may install additional malware or spyware. They could reconfigure your local firewalls or shut down other security measures. RATs are usually distributed through phishing, often as an email with an Adobe PDF attached; the PDF launches an executable that downloads the RAT.

What can you do about all this, you ask? First of all, do not fall for phishing and social engineering via email or text. Do not click on a link from a sender you don't know. Secondly, make sure you have set up multi-factor authentication everywhere possible: especially on anything dealing with money, but also on social media, email, and business applications. Keeping your anti-virus up to date is a start, but it doesn't stop zero-day or brand-new malware. Monitor your accounts. If you run a business, you should have endpoint detection and response (EDR) installed on all your computers. This is an application running on your computer that watches what is written to and executed on your system and blocks unauthorized execution. Talk to your local Cyber Guys for details.

Just because all your applications and systems are in the cloud doesn’t make you bulletproof.  Don’t be like Tyre and find out too late that Alexander is building a land bridge in the front yard.   

Hidden Vulnerabilities: Why Cybercriminals Target Small Town Businesses 

Week after week, we write about the latest breach or how hackers use social engineering to get into corporate and government systems, but as you read this in Cochise County you think these types of things only happen to big corporations in big cities.  You may think: “My small business is not worth the hackers’ efforts.”  I’ve got news for you; your small or medium-size business is worth their effort.  Why?  Because some businesses make it so easy for them. As we do forensic investigations locally in Cochise County, we have met some of the victims.  Sometimes healthcare providers post a banner on their web pages discussing their breach and compromised data. 

One of the most common ways hackers get unauthorized access to local business systems is to scan for open ports on public-facing servers. A port is simply a door into your network. The port they love in particular is the one used for remote access. Think of this port as the magic wardrobe the children found to enter Narnia. During COVID, when many switched from working at the office to working at home, the local IT guru opened that famous port so that users could remote into their server or desktop using Microsoft Remote Desktop. It was a great solution because it is easy, and it works. Unfortunately for many, it is not at all secure and is a favorite target of hackers worldwide.

It's possible to scan the entire internet in hours. In 2019, a researcher named Robert Graham scanned the entire IPv4 address space for the remote desktop port and found around 3 million exposed servers. That is exactly what the bad actors do. Once they find the open port, the first tactic they try is to determine the type of server and use the manufacturer's default usernames and passwords. Many people never remove or reset these. Next, hackers will attempt a password-cracking technique. Some techniques are sophisticated, like the credential stuffing attack, where hackers look on the dark web for real passwords that were cracked in an earlier breach of that business. They are hoping that people reuse their passwords. Another technique is to run a dictionary attack, where common usernames and passwords are tried automatically. We see this occur locally: the port is opened for maintenance, and within an hour there are failed login attempts from North Korea, China, Russia, and Iran. It really happens here in Cochise County.
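One way to spot the burst of failed login attempts described above, as an added example that is not part of the original column: Python that reads constructed, simplified failed-logon records (loosely modeled on Windows Security event IDs 4625 for a failure and 4624 for a success; the flat one-line format and the IP addresses are assumptions) and flags any source IP that reaches a threshold of failures inside a sliding time window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not real log output: simplified logon records in the
# spirit of Windows Security events 4625 (failure) and 4624 (success).
# Fields: timestamp, event id, username tried, source IP.
SAMPLE_LOG = """\
2024-03-04T09:00:01 4625 administrator 203.0.113.10
2024-03-04T09:00:03 4625 admin 203.0.113.10
2024-03-04T09:00:05 4625 Administrator 203.0.113.10
2024-03-04T09:00:07 4625 user 203.0.113.10
2024-03-04T09:00:09 4625 guest 203.0.113.10
2024-03-04T09:00:11 4625 root 203.0.113.10
2024-03-04T09:15:00 4625 jsmith 192.0.2.25
2024-03-04T09:20:00 4624 jsmith 192.0.2.25
2024-03-04T13:00:00 4625 administrator 198.51.100.7
2024-03-04T14:30:00 4625 administrator 198.51.100.7
"""

def parse_events(text):
    """Parse the constructed format into (timestamp, event_id, user, ip) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, event_id, user, ip = line.split()
            events.append((datetime.fromisoformat(ts), int(event_id), user, ip))
    return events

def find_bruteforce_sources(events, threshold=5, window_minutes=10):
    """Map source IP -> (max failures seen in one window, distinct usernames tried)
    for every IP that reaches `threshold` failed logons inside a window."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)
    for ts, event_id, user, ip in events:
        if event_id == 4625:
            failures[ip].append((ts, user.lower()))
    flagged = {}
    for ip, attempts in failures.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # slide the left edge forward until the window fits
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > flagged.get(ip, (0, 0))[0]:
                users = {u for _, u in attempts[start:end + 1]}
                flagged[ip] = (count, len(users))
    return flagged

if __name__ == "__main__":
    for ip, (count, users) in find_bruteforce_sources(parse_events(SAMPLE_LOG)).items():
        print(f"{ip}: {count} failed logons, {users} distinct usernames tried")
```

Note that the slow source with two failures 90 minutes apart is not flagged at the default settings; a simple threshold catches the noisy dictionary attack but needs a longer window or a lower threshold to see low-and-slow guessing.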

Many business owners believe they are safe from cyber-attacks because their IT person assured them they have the best firewall the world has ever seen, along with the latest and greatest anti-virus. This is a good start, but the bad news is that unless you block internet and email traffic at the firewall, it won't stop phishing emails. Your anti-virus won't stop brand-new malware. According to Verizon's 2023 Data Breach Report, around 90% of breaches are linked to phishing emails. The rest are related to downloading malware through internet browsing.

Some business owners might say they are safe and don't need cybersecurity because their software is cloud-based. In that case, what happens when an employee downloads a key-logger program from a link in their email? The hacker has access to all company data, and if that employee had administrative privileges, the hacker has total control.

If a breach or ransomware attack could shut down your business for more than a day, or if a breach would make you liable to your clients, your business needs solid cybersecurity. We recommend a defense-in-depth strategy with multiple layers of defense. Start with the basics of up-to-date firewalls and anti-virus, then add endpoint detection and response (EDR) that stops malware from executing, then get some monitoring and user training. Follow that up with solid security policies.

Don't be an easy target. Harden your business with a defense-in-depth strategy to thrive in the digital world. Get a cyber risk assessment done to make sure you are not low-hanging fruit for the lazy hacker.