Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label RDP Flaw. Show all posts

Small Businesses Remain Vulnerable, With Rising Cyberattacks

 

Small businesses are three times more likely than big corporations to fall prey to scammers in 2021. A single cyberattack's average loss has risen from $34,000 to just about $200,000. These businesses have had to deal with legal bills, compliance penalties, reputational harm, and client loss in addition to cash losses. Many small enterprises are unable to recover from these setbacks.

Kaspersky Lab researchers tracked the amount of Trojan-PSW (Password Stealing Ware) detections in 2022: 4,003,323 versus 3,029,903, up nearly a quarter from the same period in 2021. Trojan-PSW is malware that collects passwords and other account information, allowing attackers to gain access to a company's network and steal important information. Web malware has been particularly bad in Indonesia, the United States, Peru, and Egypt, with the number of incidents in these nations growing several times in the last year.

Several firms have adopted the Remote Desktop Protocol (RDP), a technology that allows computers on the same corporate network to be linked together and accessed remotely, even when employees are at home. However, because RDP is of particular interest to cybercriminals, if an attacker gains access to the corporate network through RDP, they can commit fraud on any of the company's PCs that have been linked. 

The general number of RDP attacks has fallen marginally, but not across the board. There were around 47.5 million attacks in the first trimester of 2021 in the United States, compared to 51 million in the same period in 2022. 

Advanced security services might include built-in training to keep IT professionals informed about the latest cyberthreats. Business owners can transform themselves into sought-after cybersecurity specialists by investing in training and education. 

These specialists will be able to understand how threats may affect their organization and change technological and organizational cybersecurity measures accordingly. Experts at Kaspersky recommend investing in an advanced security product that can perform incident analysis. 

These authorities can figure out where and how a leak happened, they will be better equipped to deal with any unwanted ramifications. Kaspersky Endpoint Security Cloud Pro is a new edition of Kaspersky Endpoint Security Cloud that includes advanced new features such as automated response options and an expanded range of security controls in a single solution. 

Along with all the more ground capabilities, Cobb, the security consultant, recommends that businesses invest in three extra protection measures: 
  • Data backup solution: This ensures that information that has been compromised or lost during a breach can be easily restored from a different place. 
  • Businesses may consider adopting encryption software to protect sensitive data such as employee records, client/customer information, and financial statements. 
  • Password-security software or two-step authentication: To limit the likelihood of password cracking, use these technologies with internal programs.

JSWorm: A Notorious Ransomware

 

The ransomware threat environment has been shifting over the last few years. Following the major ransomware outbreaks of 2017, such as WannaCry, NotPetya, and Bad Rabbit, many ransomware actors have switched to the covert yet the lucrative strategy of "big-game hunting." The news of ransomware triggering a service interruption at a multinational enterprise has become commonplace. 

Since the discovery of JSWorm ransomware in 2019, numerous variants have gained popularity under various names such as Nemty, Nefilim, Offwhite, and others. As part of each “rebranded” edition, several versions were released that changed various aspects of the code, renamed file extensions, cryptographic schemes, and encryption keys. 

JSWorm is a ransomware variant of the GusCrypter malware family. Its purpose is to extort money from victims by encrypting all personal data and requesting a ransom for the decryption key. It's a member of the GusCrypter clan. JSWorm is typically transmitted via spam email attachments. 

The malware also leaves a ransom note, JSWORM-DECRYPT.html, instructing victims to contact criminals via the NIGER1253@COCK.LI email address if they want their data back. Since JSWorm belongs to a well-known ransomware family, it's possible that the encryption will be permanent. 

Although JSWorm ransomware does not encrypt system files, it does modify your system in other ways. As a result of the altered Windows Registry values, ransomware is launched every time the user restarts the device. These modifications, however, are made after the encryption and ransom demand have been completed. 

JSWorm was available as a public RaaS from its inception in 2019 until the first half of 2020, and it was observed spreading through the RIG exploit kit, the Trik botnet, fake payment websites, and spam campaigns. The public RaaS was closed in the first half of 2020, and the operators turned to big-game hunting. An initial intrusion was discovered thanks to the use of weak server-side applications (Citrix ADC) and insecure RDP access. 

The files are encrypted with a 256-bit key using a custom modification of the Blowfish cypher. The key is generated by concatenating the strings user name, system MAC address, and volume serial number at the start of the programme execution. The content of each of the victim's files is encrypted using a custom version of Blowfish. The encryption is limited to 100,000 bytes, most likely to speed up the encryption of large files. The initial data is overwritten by the encrypted data.

Microsoft Warns Users against BlueKeep RDP Flaw; Immediate Update Advised, Again!






Microsoft has beseeched its users all over again to get their systems updated because as it turns out hackers already have exploits of the BlueKeep RDP flaw, already.


The patch has been fabricated for the “wormable” BlueKeep Remote Desktop Protocol (RDP) vulnerability; therwise the hackers could easily perform a “WannaCry” level attack.

The first warning was sent by Microsoft on May 14 when they’d released a patch for another serious Remote Code Execution vulnerability, CVE-2019-0708.

Successful exploitation of this vulnerability leads to the hacker executing an arbitrary code on the windows machine and installing programs.

 The term “Wormable” refers to the fact that any future malware exploits could contagiously spread from one system to another.

According to sources, this vulnerability is of pre-authentication type and needs no user interaction.

Any attacker who could easily exploit this vulnerability could install programs, edit, and view or delete data and even create new accounts with complete user rights.

Microsoft has a strong hunch that the cyber-cons already have fully developed plans for exploiting the aforementioned vulnerability.

More than a million PCs are susceptible to these wormable, BlueKeep RDP flaws.

A security researcher conducted RDP scan hunting for port 3389 used by Remote Desktop to find potentially and current vulnerable devices.

Major Anti-Virus brands such as Kaspersky, McAfee, Check Point and Malware Tech developed a Proof-of-Concept (PoC) that would use the CVE-2019-0708 to remotely execute the code on victim’s system.


So it happens, numerous corporate networks are under the threat and are still vulnerable more than individuals are as more systems are connected in a single network.

A single compromised system of a corporate network could put the entire organization and its systems in danger.

The compromised device could be used as a gateway and as it’s a “wormable” attack it could easily propagate across networks.

The most the users could do is keep their systems updated and their security as tight as possible as future malware could also try hacking back in.

Solutions
·      Update systems as soon as possible
·      Block Remote Desktop Services if they are not in use
·      Block TCP port 3389 at the Enterprise Perimeter Firewall
·      Apply the patch to the vulnerable systems and devices that have RDP enabled