Counting down the worst cyber security breaches of 2018 – #4

Fitness apparel manufacturer Under Armour gave us a good example of how companies can try to protect their users’ data yet fail to cover everything that needs protecting. The information stolen from Under Armour is minor compared to the data taken in some other breaches, but it still gives us a closer look at what hackers target, and that is why it makes our list of the worst breaches of mid-year 2018. It’s a solid reminder that any security breach of this magnitude is significantly detrimental.

In late February of this year, Under Armour announced that its MyFitnessPal app had been hacked. With nearly 150 million users on the platform, the affected information included usernames, email addresses, and hashed passwords. The majority of the passwords had been protected with the strong password-hashing function bcrypt, but other exposed information, including usernames and email addresses, was protected by the easier-to-crack SHA-1 hash.
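An added example (not part of the original article) of the check a defender would run on a credential store to find the kind of mix described above: it classifies stored hashes by their on-disk format, counts bcrypt against unsalted SHA-1 or MD5, and shows the rehash-on-login step used to retire legacy hashes. The records are constructed sample values, the bcrypt cost threshold is an assumed policy, and PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt so the block runs without extra packages.

```python
import hashlib
import hmac
import os
import re
from collections import Counter

# Constructed sample credential-store rows (username, stored hash); made-up values, not breach data.
SAMPLE_RECORDS = [
    ("alice", "$2b$12$" + "a" * 53),                      # bcrypt, cost 12
    ("bob",   "$2a$05$" + "b" * 53),                      # bcrypt, but a weak cost factor
    ("carol", hashlib.sha1(b"Summer2018").hexdigest()),   # unsalted SHA-1
    ("dave",  hashlib.md5(b"letmein").hexdigest()),       # unsalted MD5
]

# bcrypt modular-crypt format: $2a$/$2b$/$2x$/$2y$, two-digit cost, 53 chars of salt+hash.
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")
MIN_BCRYPT_COST = 10  # assumed policy threshold for this example

def classify(stored: str) -> str:
    """Identify the hashing scheme from the stored string's format alone."""
    m = BCRYPT_RE.match(stored)
    if m:
        cost = int(m.group(1))
        return "bcrypt" if cost >= MIN_BCRYPT_COST else f"bcrypt-weak-cost-{cost:02d}"
    if stored.startswith("$pbkdf2-sha256$"):
        return "pbkdf2-sha256"
    if re.fullmatch(r"[0-9a-f]{40}", stored):
        return "sha1-unsalted"
    if re.fullmatch(r"[0-9a-f]{32}", stored):
        return "md5-unsalted"
    return "unknown"

def audit(records):
    """Return scheme counts and the accounts whose hashes must be migrated."""
    counts = Counter(classify(h) for _, h in records)
    needs_upgrade = [u for u, h in records if classify(h) not in ("bcrypt", "pbkdf2-sha256")]
    return counts, needs_upgrade

def verify_and_upgrade(stored: str, password: str):
    """Login path for a legacy unsalted SHA-1 record: verify the password and, on success,
    return a replacement salted slow hash (PBKDF2 stands in for bcrypt, stdlib only)."""
    if classify(stored) != "sha1-unsalted":
        return False, stored
    candidate = hashlib.sha1(password.encode()).hexdigest()
    if not hmac.compare_digest(candidate, stored):
        return False, stored
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return True, f"$pbkdf2-sha256$200000${salt.hex()}${dk.hex()}"
```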

This article by Wired explains how Under Armour “had done a good enough job setting up its data protections that the hackers couldn’t access valuable user information like location, credit card numbers, or birth dates, even as they were swimming in login credentials.” Under Armour had protected its passwords but failed to protect all of them, which led to customer data being stolen.

What happened after the hack is paramount. Under Armour had to conduct forensics to determine what was stolen, what data was vulnerable, and what was protected. But all that really accomplished was to let users whose information was stolen know that it was stolen. It’s unfortunate, but there is not much more that can actually be done. High-profile hacks such as the UA event shine more light on questions about the overall security of your data and, more importantly, how you will recover from a disastrous event. If Under Armour had a good backup copy of their data, they could best assess what was compromised and begin the best course of action toward recovery. It begins with a good backup and disaster recovery plan.

Global Data Vault’s Mid-Year Count-Down of the Worst Cybersecurity Breaches

Number 5: VPNFilter

More and more, our business environments are connected to the cloud. The transmission of data and the speed with which it can be accessed are critical to business intelligence and competitive advantage. When that data becomes attractive to hackers, the vulnerability also becomes the biggest threat to a company’s livelihood. 2018 has seen a number of newsworthy cyber security breaches to date, and GDV is highlighting the top few in a series of blog posts, starting with #5: VPNFilter.

Last month, it was discovered that hackers working for the Russian government had infected more than 500,000 consumer-grade routers worldwide. The attack began by using a type of malware called VPNFilter which can be used to create a huge botnet. It can also spy on and change web activity on compromised routers.

This article by Ars Technica gives an example of how the attack can affect networks: “It actively inspects Web URLs for signs they transmit passwords and other sensitive data so they can be copied and sent to servers that attackers continue to control even now, two weeks after the botnet was publicly disclosed.”

What’s worse, a senior executive at Talos says the hackers are now manipulating everything that travels through the device as well.

This attack on routers around the world is still ongoing, and we find out new information each day about the effects and consequences of the VPNFilter campaign.

You might be asking yourself whether your router was one of the thousands infected with the malware. We have a list of the devices below. The bigger question is: if not now, then when you are the victim of a malware attack, how would you protect your data?

The best way to prevent any loss of data or sensitive information is to ensure your data is protected by backing it up. In these examples where we see infected devices, a simple backup of all data could save you hours of work re-establishing a clean data set.

List of infected devices:

Ars Technica listed known infected devices:

Asus Devices:

RT-AC66U (new)
RT-N10 (new)
RT-N10E (new)
RT-N10U (new)
RT-N56U (new)
RT-N66U (new)

D-Link Devices:

DES-1210-08P (new)
DIR-300 (new)
DIR-300A (new)
DSR-250N (new)
DSR-500N (new)
DSR-1000 (new)
DSR-1000N (new)

Huawei Devices:

HG8245 (new)

Linksys Devices:

E1200
E2500
E3000 (new)
E3200 (new)
E4200 (new)
RV082 (new)
WRVS4400N

Mikrotik Devices:

CCR1009 (new)
CCR1016
CCR1036
CCR1072
CRS109 (new)
CRS112 (new)
CRS125 (new)
RB411 (new)
RB450 (new)
RB750 (new)
RB911 (new)
RB921 (new)
RB941 (new)
RB951 (new)
RB952 (new)
RB960 (new)
RB962 (new)
RB1100 (new)
RB1200 (new)
RB2011 (new)
RB3011 (new)
RB Groove (new)
RB Omnitik (new)
STX5 (new)

Netgear Devices:

DG834 (new)
DGN1000 (new)
DGN2200
DGN3500 (new)
FVS318N (new)
MBRN3000 (new)
R6400
R7000
R8000
WNR1000
WNR2000
WNR2200 (new)
WNR4000 (new)
WNDR3700 (new)
WNDR4000 (new)
WNDR4300 (new)
WNDR4300-TN (new)
UTM50 (new)

QNAP Devices:

TS251
TS439 Pro
Other QNAP NAS devices running QTS software

TP-Link Devices:

R600VPN
TL-WR741ND (new)
TL-WR841N (new)

Ubiquiti Devices:

NSM2 (new)
PBE M5 (new)

Upvel Devices:

Unknown Models* (new)

ZTE Devices:

ZXHN H108N (new)

VeeamON 2018

Who’s going to #VeeamON 2018?

Register here.

Please let us know if you will attend. We’ll be there in force. Here is what you can accomplish at VeeamON 2018:

• Gain access to over 60 breakout sessions covering the latest in data management and Hyper-Availability
• Connect with experts and get hands-on experience with Veeam solutions
• Attend VMCE trainings or sit for your VMCE certification onsite during the conference
• Discover solutions in Veeam’s Partner Expo Lounge, where over 50 sponsors will be exhibiting
• Network with peers and industry experts to learn what is and is not working best in their industries

Hope to see you there,

Will

Don’t Let the Reaper Get Your Data

According to a recent article in the Wall Street Journal, concerns are escalating over one of North Korea’s three major hacking organizations because of both its adeptness and its sheer brazenness. APT37, aka “Reaper,” is a hacking group well known for attacking South Korea, but it has since moved on to companies in Japan, Vietnam and the Middle East. What is especially noteworthy about its recent slew of attacks is the heightened level of sophistication, and that the group has made little effort to disguise its bad deeds.

Cybersecurity company FireEye, Inc. monitors Reaper’s attacks, and in a report issued earlier this month it reveals that Reaper is using a toolset that includes access to zero-day vulnerabilities and wiper malware. Reaper has shown a preference for stealing information from companies in the automotive, aerospace, chemicals, and health care industries. It also recently attacked South Korea after discovering a vulnerability in Adobe Flash, which it used to install malware on the computers of users who opened the corrupt Adobe Flash files.

FireEye squarely points the finger at the North Korean government as the true face of Reaper, citing malware development artifacts and targeting that supports state interests. FireEye says it can easily trace these attacks back to the Pyongyang IP addresses that Reaper has been using.

Reaper is just one of a growing collection of hacking groups linked to North Korean leader Kim Jong Un’s regime, including “Lazarus,” which the US blamed for the Sony Pictures Entertainment data theft in 2014. Bloomberg Technology posits that North Korea has been widening its cyber-operations to gather cash and intelligence to offset the penalties of international sanctions. The sanctions against North Korea have been on the rise, yet North Korea seems unconcerned and continues to ramp up attacks on foreign countries.

Whether your company is a Reaper target or potentially attractive to another cyber-criminal, attacks are on the rise. Being vigilant within your own company is mission-critical to prevent losing data. The best defense against a cyber-attack is to have a comprehensive and tested disaster recovery plan in place that includes an air-gapped backup. You may still be vulnerable to cyber threats, but your day-to-day impact is significantly minimized.

NEW Backup for Microsoft Office 365

Office 365 Backup

Whether you have completely migrated to Office 365, or have a hybrid Exchange and Office 365 deployment, your business objectives remain the same. You must remain in control of your data and you need Office 365 backup and recovery at your fingertips.

One of the most vulnerable situations for an IT Admin is when their only option is to send a support ticket and wait. Don’t let this be you.

Backup for Microsoft Office 365 mitigates the risk of losing access to your Exchange Online email data and ensures Availability to your users.

With Office 365, it’s your data

Microsoft Office 365 enables you to work anywhere, anytime, without the need to maintain your own email infrastructure. It also provides a great way to minimize your on-premises footprint and free up IT resources. Even though Microsoft takes on much of the management responsibility, this doesn’t replace the need to have a local backup of your email data.

With Office 365, it’s your data — you control it — and it is your responsibility to protect it. Utilizing Backup for Microsoft Office 365 allows you to:

  • Empower your IT staff to take control of your organization’s Office 365 data
  • Reduce the time and effort needed to find and restore email data
  • Protect against data loss scenarios that are not covered by Microsoft
  • Facilitate the migration of email data between Office 365 and on-premises Exchange

Backup Office 365 email

You need to securely back up Office 365 email data to your environment for a variety of reasons (e.g. to follow the 3-2-1 Rule of backup, to facilitate eDiscovery and to meet internal policies and compliance requirements). The most important reason is the peace of mind that comes from knowing you’ll be able to restore your users’ data when needed!

With Backup for Microsoft Office 365, you can retrieve Office 365 Exchange Online mailbox items (email, calendar and contacts*) from a cloud-based instance of Office 365 and uniquely back up this mailbox data into the same format that Microsoft Exchange uses natively — an archive database based on Extensible Storage Engine (ESE), also known as the Jet Blue database.

Restore Office 365 email, calendars, and contacts

Never settle for less than fast, efficient recovery of Office 365 mailbox items with best-of-breed granularity.

Veeam Explorer™ for Microsoft Exchange allows for quick search and recovery of individual mailbox items residing in either archived Office 365 content or on-premises Exchange backups. Mailbox items can be restored directly to an Office 365 mailbox, an on-premises Exchange mailbox, saved as a file, emailed as an attachment or exported as a PST.

eDiscovery of Office 365 email archives

Without a local copy of your data, retrieving emails for regulatory or compliance reasons can be costly and time consuming, and can ultimately present a major disruption to normal business operations.

But, not with Veeam! You can leverage the familiar, advanced search capabilities and the flexible recovery and export options of Veeam Explorer for Microsoft Exchange to perform eDiscovery on Office 365 email archives — just as easily as you would today with your on-premises Exchange server backup.

To start a free trial of Office 365 Backup, contact sales@globaldatavault.com

Cry Me a River…Really?

Yep. That’s one headline I saw this weekend about the WannaCry attack. And I guess we can understand that sentiment, maybe. Our view at Global Data Vault is that our job is to be ready to help any of our customers hit by this outrageous attack. Our customers use our services to recover from ransomware attacks quite regularly, and this one is far from over; I suspect we’ll help our customers perform more than a handful of recoveries. We may all know this by now, but here is some background on the subject.

Ransomware is malware that encrypts and sometimes later deletes files from computers, smartphones, and other intelligent devices – now even including TVs. Ransomware is operated by organized crime gangs, many of whom are based in Russia. The proceeds of these attacks are being used to fund terrorism, human trafficking, drug operations and other nefarious activities.

The first known Ransomware attack occurred at a World Health Organization AIDS conference in 1989. At the time, the intent was to extort small amounts of money. Another early implementation posed itself as antivirus software which the victims were encouraged to purchase in order to eradicate malware that was planted by the same code.

Today, with attacks from so many sources, and with the advent of untraceable virtual currencies like Bitcoin, and through the existence of sophisticated encryption algorithms, ransomware has become a billion-dollar industry.

There is even a market that supplies tools to build ransomware and tech support for implementing attacks. The encryption is now often 256-bit, RSA-grade, and too strong for even large technical organizations to break. Citrix reports that many large companies are keeping Bitcoin available as a last resort.

Even more frightening are cases where remote access trojans have been used to monitor a potential victim to determine the scope of the organization and assess its ability to pay a given ransom.

History

CryptoLocker was the first widespread attack and first appeared in 2013. It was supported by a large network of malware bots (together called a botnet), which was used to distribute the actual attack. CryptoLocker extorted over $3 million before being shut down by the Department of Justice, which took control of the botnet and issued a warrant and a bounty for Russian hacker Evgeniy Bogachev for his involvement.

New threats exist: Cryptowall is believed to have extorted over $350 million; Locky operated in 30 languages; Petya encrypts entire hard drives. As bad as these are, Cerber is the most prevalent, accounting for 90% of Windows ransomware.

Attacks arrive through email attachments. Word, Excel and PDF files containing dangerous macros are sent as bait, usually calling themselves invoices and the like. If the user opens the file and allows the macro to run, the attack will generally succeed. Your inbox has become your most vulnerable point.
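An added example (not code from the original post) of the gateway-side check a defender would apply to the attachment vector described above: it detects the VBA project part inside an OOXML attachment regardless of what the file extension claims, and pairs that with the invoice-style lure naming. The sample files are built in memory, the lure word list and verdict labels are assumptions, and PDF attachments are outside its scope.

```python
import io
import zipfile

# OOXML parts and content type that mark a macro-enabled Office document.
VBA_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}
MACRO_CT = "application/vnd.ms-office.vbaProject"
# Assumed lure vocabulary for this example, based on the "invoice" bait described above.
LURE_WORDS = ("invoice", "receipt", "payment", "statement")

def build_office_file(with_macro: bool) -> bytes:
    """Construct a minimal OOXML container in memory (sample data, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        types = ['<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">']
        types.append('<Override PartName="/word/document.xml" ContentType="application/vnd.'
                     'openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
        if with_macro:
            types.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{MACRO_CT}"/>')
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder VBA project bytes")
        types.append("</Types>")
        z.writestr("[Content_Types].xml", "".join(types))
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()

def inspect_attachment(filename: str, data: bytes) -> dict:
    """Gateway-style check: does this attachment carry a VBA project, and does its
    name look like the invoice-style bait? The extension is never trusted."""
    name = filename.lower()
    result = {"filename": filename, "is_ooxml": False, "has_macro": False,
              "lure_name": any(w in name for w in LURE_WORDS), "verdict": "allow"}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = set(z.namelist())
            if "[Content_Types].xml" not in names:
                return result                      # a zip, but not an Office package
            result["is_ooxml"] = True
            ct_xml = z.read("[Content_Types].xml").decode("utf-8", "replace")
            result["has_macro"] = bool(names & VBA_PARTS) or MACRO_CT in ct_xml
    except zipfile.BadZipFile:
        return result                              # not a zip container at all
    if result["has_macro"]:
        # Macro plus lure naming is the pattern described above: hold it.
        # A macro without the lure still warrants a human look before delivery.
        result["verdict"] = "quarantine" if result["lure_name"] else "review"
    return result
```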

Avoidance and Prevention

  1. Patch Everything – as often as possible – patch every application.
  2. Do not allow local admin rights on user desktops.
  3. Desktop antivirus is helpful but not enough because the attackers are continually recompiling their code to escape detection. Secure email gateways also help but are also limited for the same reason.
  4. BACKUP – is the only real protection!
  5. Follow the 3-2-1 rule: Always have 3 backups, on 2 media types and 1 offsite. More on the 3-2-1 rule later.

Backup Strategy

As a service provider working in this area, we see attacks on a weekly basis. We have performed hundreds of recoveries. The following points are the lessons learned from our own experience and the well-organized thoughts on this subject from Rick Vanover Director of Technical Product Marketing at Veeam Software.

  1. Use different credentials for backup jobs! An attack or attacker with credentials to access your system might also attack your backups.
  2. At some point commit data to offline media such as tape. If it’s offline, it cannot be attacked.
  3. Use Veeam Cloud Connect (we do). It uses a different method of authentication and a different backup API.
  4. Store backups in a different file system.
  5. Take SAN snapshots of your local backup repository.
  6. Expand and master the 3-2-1 rule – use the 3-2-1-1 rule: have 3 copies of your data, on 2 types of media, with at least 1 offsite and at least 1 offline.
  7. Test – have 0 errors after recovery is tested! Veeam’s SureBackup verification is one great way to test.

While this is a good start, there are many other technical strategies we implement for our customers. GDV employs as many as possible for each of our customers. We’re always happy to discuss how you can leverage these ideas.

We hope this is helpful. Good luck and stay ready.