Cybersecurity continues to be a topic of concern, but when the discussion is littered with highly technical terms you may be left scratching your head. Unless you fully understand the conversation, how can you be confident about implementing the appropriate security measures to protect yourself and your business data?
We have summarized four common cyberattacks below to help you gain a better understanding of how cybercriminals work, and what they are looking for to carry out their attacks. As Kaufman Rossin risk advisory professionals, we demonstrated these attacks at CELAES, a leading global financial cybersecurity conference hosted by Florida International Bankers Association (FIBA), to educate the audience about mitigating risks and protecting their institutions from malicious attackers.
Cyberattack #1 – Open Source Intelligence (OSINT) from both Clearnet and Darknet.
Hackers rely on Open Source Intelligence as a key component of almost all attacks. OSINT includes data collected from publicly available sources, and provides hackers with information they can use to make their phishing attacks more realistic and likely to succeed. OSINT has helped advanced persistent threats become so effective that they resulted in the loss of millions of dollars each year.
A common form of exposure is unsecure passwords: if you tend to use the same or similar passwords for several websites, finding a password for an unrelated breached website provides the attacker with access, or with an idea as to where they should base their password cracking attempts (often referred to as a dictionary attack). In this case, their attack could be effective even if the password has been changed. For example, if the old password was “target’s dog 2018”, then attempting “target’s dog 2019” might be a good start. A hacker may also find information about software that has a known vulnerability, and use that to target their attacks. If an employee uses a social network to complain about his or her company’s old version of Windows, an attacker can find this information and use it to target that specific business. Once a hacker finds an attack vector, or an ‘opening’, almost any information could be useful.
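The “target’s dog 2018” to “target’s dog 2019” rotation above is exactly what a password-change policy can catch. The following is an added example (not code from the article or from Kaufman Rossin) of a near-duplicate check run at change time, when the user supplies the old password, so no plaintext history needs to be stored. The stem reduction, the similarity threshold and the 12-character minimum are assumptions chosen for the example.

```python
import re
from difflib import SequenceMatcher

# Policy thresholds are assumptions for this example, not values from the article.
MAX_SIMILARITY = 0.8  # SequenceMatcher ratio at or above this counts as "the same password, lightly edited"
MIN_LENGTH = 12

_SEPARATORS = re.compile(r"[\s_\-.'’!@#$%^&*]")


def _stem(password: str) -> str:
    """Reduce a password to its stem: lower-case, drop separators and punctuation,
    and collapse every digit run to '#', so "target's dog 2018" and
    "Target's-Dog-2019" compare as the same stem."""
    lowered = _SEPARATORS.sub("", password.lower())
    return re.sub(r"\d+", "#", lowered)


def is_trivial_variant(old_password: str, new_password: str) -> bool:
    """True when the new password is the old one with only a changed number,
    different case or separators (the 2018 -> 2019 rotation the article warns
    about), or is otherwise nearly identical by edit distance."""
    if _stem(old_password) == _stem(new_password):
        return True
    ratio = SequenceMatcher(None, old_password.lower(), new_password.lower()).ratio()
    return ratio >= MAX_SIMILARITY


def check_new_password(new_password: str, history: list) -> list:
    """Return the reasons the change is rejected; an empty list means accepted.
    `history` holds the passwords being replaced (available at change time, when
    the user types the old one; a real system would not keep them afterwards)."""
    reasons = []
    if len(new_password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if any(is_trivial_variant(old, new_password) for old in history):
        reasons.append("near-duplicate of a previous password")
    return reasons


if __name__ == "__main__":
    previous = ["target's dog 2018"]
    for candidate in ["target's dog 2019", "Targets-Dog-2020!", "Qv7!mL2#pz9Rw"]:
        print(f"{candidate!r}: {check_new_password(candidate, previous) or 'accepted'}")
```

The stem comparison is what defeats the year bump; the edit-distance ratio catches the remaining cases where one or two characters were swapped rather than the number.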
Damage control can be very difficult after a breach has occurred. To help reduce your risk, be aware of your public information: know what’s out there and what can be done with it, and understand uncommon sources of information leaks such as uploaded documents. If an employee creates a document and uploads it to the firm’s website, take into account certain word-processing software will auto-sign the file with the person’s username, computer name and other specific, internal information that can later be used for a hacker’s malicious purpose.
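The auto-signed document metadata described above can be inspected and blanked before a file is published. Below is an added example (not code from the article or from Kaufman Rossin) that reads the author, last editor, company and template fields of an Office Open XML (.docx) package and produces a scrubbed copy. The package is constructed in memory so the script runs offline; which fields count as sensitive for your firm is an assumption to tune.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces used by the two property parts of an Office Open XML (.docx) package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# Fields that commonly leak internal detail: author account, last editor, company, template.
# Which fields matter for your organisation is an assumption to tune.
FIELDS = {
    "docProps/core.xml": {"creator": "dc:creator", "last_modified_by": "cp:lastModifiedBy"},
    "docProps/app.xml": {"company": "ep:Company", "template": "ep:Template"},
}

# Constructed, minimal .docx-like package so the example runs offline.
_CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}">
  <dc:title>Q3 client memo</dc:title>
  <dc:creator>jsmith</dc:creator>
  <cp:lastModifiedBy>CORP\\jsmith</cp:lastModifiedBy>
</cp:coreProperties>""".format(**NS)
_APP_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="{ep}">
  <Application>Microsoft Office Word</Application>
  <Company>Example Corp</Company>
  <Template>Normal.dotm</Template>
</Properties>""".format(**NS)
_DOC_XML = '<?xml version="1.0" encoding="UTF-8"?><document>Q3 memo body</document>'


def build_sample_docx() -> bytes:
    """Assemble the constructed sample package in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", _CORE_XML)
        zf.writestr("docProps/app.xml", _APP_XML)
        zf.writestr("word/document.xml", _DOC_XML)
    return buf.getvalue()


def extract_metadata(docx_bytes: bytes) -> dict:
    """Read the watched fields; a missing part or element yields an empty string."""
    meta = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = set(zf.namelist())
        for part, fields in FIELDS.items():
            root = ET.fromstring(zf.read(part)) if part in names else None
            for key, path in fields.items():
                meta[key] = root.findtext(path, default="", namespaces=NS) if root is not None else ""
    return meta


def find_leaks(meta: dict) -> list:
    """Names of watched fields that still carry a value, i.e. what an attacker would harvest."""
    return sorted(key for key, value in meta.items() if value.strip())


def scrub_docx(docx_bytes: bytes) -> bytes:
    """Copy of the package with the watched fields blanked; every other part is copied as-is."""
    src = zipfile.ZipFile(io.BytesIO(docx_bytes))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename in FIELDS:
                root = ET.fromstring(data)
                for path in FIELDS[item.filename].values():
                    el = root.find(path, NS)
                    if el is not None:
                        el.text = ""
                data = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            dst.writestr(item.filename, data)
    return out.getvalue()


if __name__ == "__main__":
    original = build_sample_docx()
    print("before upload:", find_leaks(extract_metadata(original)))
    print("after scrub:  ", find_leaks(extract_metadata(scrub_docx(original))))
```

Running `find_leaks` as a pre-publication gate on the web team's upload path is the practical use; the scrub step is for documents that must go out regardless.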
Cyberattack #2 – Keystroke injection through USB keyboard emulation.
A keystroke injection attack tool (the best known is “USB Rubber Ducky”) is a USB device designed to imitate user-entered keyboard strokes and run malicious code on any host computer into which it is plugged. These devices often look exactly like the removable USB media drives that most of us are familiar with. Because the device looks harmless, unsuspecting victims unwittingly aid hackers to carry out their attack: an employee may find a USB device lying around and plug it in to see what’s stored or who it belongs to. The device is capable of injecting keystrokes much faster than a hacker could manually, so it only needs to be plugged in for 10 to 15 seconds for a hacker to open an encrypted remote connection to a location of their choosing. An attacker may also attempt to plug in the device in an unattended workstation in order to steal credentials or have an initial foothold.
Mitigating keyboard injection attacks is complex, as disabling USB storage media (a common way of blocking malware transported through USB storage) does not work when a device impersonates a keyboard. In addition, disabling the installation of all USB peripherals can be detrimental for staff productivity and for the IT team when they are attempting to fix a device. Consider including security rules that would alert the IT team when abnormally fast typing is detected. A more advanced solution is endpoint security, which uses behavioral analysis that will detect a different typing rhythm: even if the attacker configures the device to type at normal speed, the monotonic key press from the USB will not match the typing style of a standard keyboard user and therefore alert the detection system.
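The two signals named above (abnormal speed, and a metronome-steady rhythm even at normal speed) can be computed from nothing more than key-press timestamps per input device. The following is an added example (not code from the article or from any endpoint product) that classifies a burst of key presses using the median inter-key gap and its coefficient of variation. The thresholds and the three sample bursts are constructed assumptions; tune them from real typing data before alerting on them.

```python
import statistics

# Thresholds are assumptions for this example; tune them from your own users' typing data.
MIN_KEYS = 20           # do not judge bursts shorter than this
FAST_MEDIAN_S = 0.030   # a median gap under 30 ms between key presses is beyond human speed
MIN_CV = 0.15           # coefficient of variation below this means machine-regular rhythm


def inter_key_intervals(timestamps):
    """Seconds between consecutive key presses (timestamps must be sorted)."""
    return [later - earlier for earlier, later in zip(timestamps, timestamps[1:])]


def classify_burst(timestamps):
    """Classify one burst of key presses from a single keyboard device.
    Returns (verdict, details); verdict is one of
    'insufficient', 'injected-fast', 'injected-regular', 'human'."""
    if len(timestamps) < MIN_KEYS:
        return "insufficient", {"keys": len(timestamps)}
    gaps = inter_key_intervals(sorted(timestamps))
    median = statistics.median(gaps)
    mean = statistics.fmean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean > 0 else 0.0
    details = {"keys": len(timestamps), "median_s": median, "cv": cv}
    if median < FAST_MEDIAN_S:
        return "injected-fast", details        # the 10-15 second burst the article describes
    if cv < MIN_CV:
        return "injected-regular", details     # slowed to human speed but with no jitter
    return "human", details


def scan_key_events(events):
    """events: iterable of (device_id, timestamp_seconds). Returns {device_id: verdict}
    so an alert can name the offending device rather than the whole host."""
    per_device = {}
    for device_id, ts in events:
        per_device.setdefault(device_id, []).append(ts)
    return {dev: classify_burst(ts)[0] for dev, ts in per_device.items()}


def _timestamps(start, gaps):
    ts = [start]
    for g in gaps:
        ts.append(ts[-1] + g)
    return ts


# Constructed samples: a jittery human, a 5 ms injected burst, and an injected
# burst slowed to 120 ms per key with no jitter at all.
HUMAN = _timestamps(0.0, [0.08 + 0.05 * ((i * 7) % 5) for i in range(30)])
FAST_INJECT = _timestamps(100.0, [0.005] * 40)
REGULAR_INJECT = _timestamps(200.0, [0.12] * 40)

if __name__ == "__main__":
    events = ([("kbd-usb-1", t) for t in HUMAN]
              + [("kbd-usb-2", t) for t in FAST_INJECT]
              + [("kbd-usb-3", t) for t in REGULAR_INJECT])
    for device, verdict in scan_key_events(events).items():
        print(device, verdict)
```

Keying the verdict on the device rather than the host matters in practice: a newly enumerated keyboard that immediately produces an "injected" verdict is the signature worth alerting on, while the user's regular keyboard keeps classifying as human.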
Cyberattack #3 – Phishing using Unicode domains (IDN homograph attack).
ASCII characters are the ones you are reading now, sometimes called Roman characters. Unicode covers the characters of other writing systems, such as the Cyrillic alphabet used for Russian. Writing “Unicode” in Cyrillic looks something like this: Юнико́д. Certain Unicode characters are identical or very similar to their ASCII counterparts, which allows phishing attacks to be effective (the Roman character a looks just like the Cyrillic character а).
As an example, you may receive an e-mail notifying you that Apple is giving away free iPhones for only the next 15 minutes and you can redeem yours here: https://www.аррӏе.com/. How do you know if it’s Roman or Cyrillic characters? The website may even load the green padlock signifying the connection is secure, and what’s more, the certificate the website uses may be verified by Amazon.
To help mitigate this type of cyberattack, enable Punycode display in your browser. Google Chrome will likely do it automatically when updated; for other browsers, like Firefox, you might need to go ‘under the hood’: type “about:config” in the address bar and search for “IDN_show_punycode”. Now all your Unicode domains will be replaced by an equivalent using ASCII characters. This way the Cyrillic https://www.аррӏе.com/ now looks Roman: https://www.xn--80ak6aa92e.com/ and you know it is not the real https://www.apple.com/.
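The same check the browser performs can be applied to links before they reach a user, for example in a mail gateway or a link-rewriting proxy. The following is an added example (not code from the article or from any browser) that converts a hostname to its ASCII (xn--) form, flags labels that mix writing systems, and compares a “skeleton” of the hostname, with look-alike Cyrillic letters replaced by the Latin letters they imitate, against a list of protected domains. The confusables table is a constructed subset, the protected list is an assumption, and the Punycode step skips IDNA's nameprep normalisation, which is adequate for lower-case input.

```python
import unicodedata

# Cyrillic letters that render like Latin ones, mapped to the Latin letter they imitate.
# Constructed subset for the example; Unicode's confusables.txt is the full reference.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0445": "x",
    "\u0443": "y", "\u0455": "s", "\u0456": "i", "\u0458": "j", "\u04bb": "h", "\u04cf": "l",
}

# Assumed list of domains your users must never be sent to look-alikes of.
PROTECTED = {"apple.com", "icloud.com", "example.com"}


def to_ascii_label(label: str) -> str:
    """ASCII form of one DNS label: unchanged if already ASCII, otherwise 'xn--' plus
    its Punycode, which is what the browser shows once Punycode display is enabled.
    (Skips IDNA nameprep; fine for lower-case input.)"""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def to_ascii_host(host: str) -> str:
    return ".".join(to_ascii_label(label) for label in host.lower().split("."))


def scripts_in(label: str) -> set:
    """Writing systems used by the letters of a label, taken from their Unicode
    names ('CYRILLIC SMALL LETTER A' -> 'CYRILLIC')."""
    return {unicodedata.name(c).split()[0] for c in label if c.isalpha()}


def skeleton(host: str) -> str:
    """Replace each confusable with the Latin letter it imitates."""
    return "".join(CONFUSABLES.get(c, c) for c in host.lower())


def assess_host(host: str) -> dict:
    """Flag a hostname that mixes scripts inside a label, or whose skeleton collides
    with a protected domain while the hostname itself is not that domain."""
    host = host.lower()
    mixed = [label for label in host.split(".") if len(scripts_in(label)) > 1]
    skel = skeleton(host)
    lookalike = None
    if skel != host:
        for protected in PROTECTED:
            if skel == protected or skel.endswith("." + protected):
                lookalike = protected
                break
    return {
        "ascii": to_ascii_host(host),
        "mixed_script_labels": mixed,
        "lookalike_of": lookalike,
        "suspicious": bool(mixed) or lookalike is not None,
    }


if __name__ == "__main__":
    for h in ["www.apple.com", "www.\u0430\u0440\u0440\u04cf\u0435.com", "ex\u0430mple.com"]:
        print(h, assess_host(h))
```

Note that the аррӏе example from the article is entirely Cyrillic, so the mixed-script check alone does not catch it; the skeleton comparison against a protected list is what does. Both checks are needed.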
IDN Homograph attacks are relatively uncommon, as they tend to be targeted. However, recently, the letter “d” in iCloud was replaced by its Latin counterpart to attack thousands of iPhone users by sending them iCloud account links in order to steal login credentials. Once users clicked the fake link and entered their credentials, cybercriminals used the data stolen from those attacks to steal cryptocurrency from wallet apps in users’ smartphones.
Cyberattack #4 – Remote Desktop Protocol (RDP) Man-in-the-Middle (MITM)
The RDP MITM attack is notably dangerous for businesses, as it allows hackers to capture information sent between the victim’s computer and the server he or she is communicating with. This could mean reading all keystrokes the victim types, including capturing passwords and other sensitive information. The attacker could then move to injecting malicious code (or a payload) on the target’s server, which may be connected to several employees’ computers. This allows the attacker to quickly infect multiple workstations and steal valuable company information or cripple the network.
RDP MITM is similar to the USB keystroke injection attack in that it is commonly used to acquire credentials and generate an initial foothold. There are different variations of attacks that target RDP, but most require that the attacker and the victim be located on the same network (such as via the free Wi-Fi in a hotel). Attackers could also rely on brute force (automated, persistent password-cracking attempts) to gain access and inject malware such as the ransomware SamSam, which is able to bypass antivirus protections, move laterally toward other victims and stay hidden within the network.
Two mitigation methods to consider for man-in-the-middle attacks:
- Using an RDP gateway behind a firewall can help control the incoming connections and verify that their security settings are up to standard, which helps avoid downgrade attacks. In a downgrade attack, the goal of the hacker is to forcefully roll back the connection to an older encryption protocol that is vulnerable and/or easier to brute-force.
- A more secure way of safeguarding your network involves using a Virtual Private Network (VPN). The target computer must first establish a secure tunnel to the firm’s network before attempting to communicate with the RDP server, which prevents the attacker from seeing information on the target’s server.
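The brute-force route to an RDP foothold mentioned in this section leaves a distinctive trail in the Windows Security log: repeated event 4625 (failed logon) records with logon type 10 (RemoteInteractive, i.e. RDP) from one source address, sometimes followed by a 4624 (successful logon) from the same address. The following is an added example (not code from the article or from Kaufman Rossin) of a sliding-window detector over a constructed, simplified log format; the window, the threshold and the sample records are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Detection parameters are assumptions for this example; tune them to your environment.
WINDOW = timedelta(minutes=5)
THRESHOLD = 10  # failed RDP logons from one source address inside WINDOW

# Windows Security log facts used below: event 4625 = failed logon, 4624 = successful
# logon, logon type 10 = RemoteInteractive (an RDP session).
FAILED, SUCCESS, RDP_LOGON_TYPE = 4625, 4624, 10
_FMT = "%Y-%m-%dT%H:%M:%S"


def parse_line(line: str) -> dict:
    """Parse one constructed log line: 'timestamp,event_id,logon_type,source_ip,username'."""
    ts, event_id, logon_type, src, user = line.strip().split(",")
    return {"ts": datetime.strptime(ts, _FMT), "event_id": int(event_id),
            "logon_type": int(logon_type), "src": src, "user": user}


def detect_rdp_bruteforce(lines) -> list:
    """Sliding-window count of RDP logon failures per source address. Emits one alert
    when a source crosses THRESHOLD, and a second, higher-severity alert if that same
    source then logs in successfully (the initial foothold the article describes)."""
    failures = defaultdict(deque)
    flagged = set()
    alerts = []
    for rec in sorted(map(parse_line, lines), key=lambda r: r["ts"]):
        if rec["logon_type"] != RDP_LOGON_TYPE:
            continue
        src = rec["src"]
        if rec["event_id"] == FAILED:
            q = failures[src]
            q.append(rec["ts"])
            while q and rec["ts"] - q[0] > WINDOW:   # drop failures older than the window
                q.popleft()
            if len(q) >= THRESHOLD and src not in flagged:
                flagged.add(src)
                alerts.append({"type": "rdp_bruteforce", "src": src,
                               "failures": len(q), "last_seen": rec["ts"]})
        elif rec["event_id"] == SUCCESS and src in flagged:
            alerts.append({"type": "success_after_bruteforce", "src": src,
                           "user": rec["user"], "at": rec["ts"]})
    return alerts


def build_sample_log() -> list:
    """Constructed sample: one address tries 'administrator' every 10 s and finally gets
    in; another address fails twice (a typo) and then succeeds, which must not alert."""
    base = datetime(2024, 1, 15, 9, 0, 0)
    stamp = lambda secs: (base + timedelta(seconds=secs)).strftime(_FMT)
    lines = [f"{stamp(10 * i)},4625,10,203.0.113.7,administrator" for i in range(12)]
    lines.append(f"{stamp(130)},4624,10,203.0.113.7,administrator")
    lines += [f"{stamp(secs)},4625,10,198.51.100.5,jsmith" for secs in (20, 40)]
    lines.append(f"{stamp(60)},4624,10,198.51.100.5,jsmith")
    lines.append(f"{stamp(65)},4624,2,198.51.100.5,jsmith")   # console logon, not RDP: ignored
    return lines


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(build_sample_log()):
        print(alert)
```

With an RDP gateway or VPN in place as recommended above, the source address in these records is the gateway's own, so the same logic should be fed the gateway's connection log rather than the target server's, or the useful per-source information is lost.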
As technology continues to evolve, so does cybersecurity. Don’t wait until you have experienced a harmful breach to take a deeper look at your online practices or your business’ technology infrastructure. Contact a Kaufman Rossin risk advisory professional or cybersecurity specialist to assess your risk and ensure proper safeguards around your data.