The IT Nerd

As more companies embrace working from home as a long-term model, they need to take steps to protect themselves against a growing number of cybercriminals looking to exploit the expanding remote workforce.

ESET has launched a security solution – the ESET Remote Workforce Offer – to help small and medium-sized businesses (SMBs) prevent ransomware, zero-day attacks and other complex threats from undermining their IT infrastructure. 

Designed for companies with up to 250 staff working from home, the security bundle includes an advanced anti-virus endpoint solution, encryption and cloud sandboxing.

“Many SMBs have realized during the pandemic shutdown that they can continue to be productive and effective with their employees working from home, but it’s important not to allow network vulnerabilities to expose them to external threats,” says Cameron Leetham, Director of Sales and Partner Alliances, Canada for ESET.

Today’s cybersecurity landscape is constantly evolving with new attack methods and never-before-seen threats. Organizations are sometimes completely unaware that an attack has even taken place.

A cloud security sandbox product provides an additional layer of defense, outside a company’s network, to prevent ransomware from ever executing in a live environment.

ESET’s Dynamic Threat Defense uses three machine learning models to analyze suspect files, before running each sample in a cloud-based sandbox to simulate its behavior and trigger detection-evasion techniques. If anything malicious is detected, the technology moves to protect a company’s IT infrastructure.

To learn more about ESET’s Remote Workforce Offer, visit here.

About ESET

For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption.

Evolving threats require an evolving IT security company. Backed by R&D centers worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003. For more information, visit www.eset.com or follow us on LinkedIn, Facebook and Twitter.

Last week, cybercriminals set their sights on the Canadian government when several government services were disabled following a series of cyberattacks.

On August 15, the Treasury Board Secretariat announced that approximately 11,000 online government services accounts, originating from the Government of Canada Key service (GCKey) and Canada Revenue Agency (CRA) accounts, had been victims of hacking attempts. The GCKey allows Canadians to access several Government of Canada online programs and services, including Employment Insurance services and Canada Emergency Response Benefit (CERB) payments, a support program for employees who have lost employment due to the pandemic.

On August 7, CRA noticed the first signs of credential-stuffing attacks on its website. Credential stuffingmeans criminals try to use previously stolen credentials to log into another account owned by the same victim. Unlike a brute-force attack, bad actors use previously stolen user/password combinations to access a third-party service.

The government estimates approximately 11,200 accounts have been hacked. Of these, approximately were 5,600 for the CRA and 9,000 for the KeyGC system. Of the CRA accounts affected, more than half were hacked using the GCKey access.

What can we do?

At this time, we don‘t have details about the types of data that the bad actors have accessed and whether all victims of these attacks have already been notified by the government yet.

However, since we are talking about credential-stuffing attacks, we can point out that people who usethe same credentials for multiple sites and programs are at risk of being victims of this type of attack. Various resources are available to help you find out if one of your accounts has ever been the victim of a data breach.

Even if you weren‘t a victim of cyber attackers this time around, it’s recommended to adopt better security habits now to avoid being a victim of the next attack.

First and foremost, we can never say it too much: never recycle a password. This is an easy and essential step to ensure the security of you and your data. In this case, the bad actors used previously stolen login/password combinations for their attacks.

• Use passwords – or better yet, passphrases – that are strong and unique for each of your accounts.
• You can use a reliable password manager to help you create and, above all, memorize strong and unique passwords.
• Enable multi-factor authentication, whenever it’s available, to add an extra layer of security to your accounts.
• Regularly check your personal records for anomalies, especially if you have been the victim of data theft.

For more information about cybersecurity, please visit welivesecurity.com

In today’s world, the Internet and digital applications is woven into every day life.

From our personal lives to our careers, our digital footprint has become a big piece of our identity. And while our online presence is important to us during life, it is often left for others to deal with after we pass away. 

“I, like many people, use the Internet as a daily part of life and in ways that cause my online and offline worlds to be entwined,” says Tony Anscombe, Chief Security Evangelist for ESET. “Recent events have provoked me into thinking about creating guidance while preparing my own digital world so that, if something unexpected happens to me, those that I leave behind will be less stressed when dealing with my digital legacy.”

The important elements of a digital footprint may include, but are not limited to; financial accounts, family photographs, music collections and playlists through to social media and email accounts. Some service providers may have a broad range of services: for example, Google could be providing email, photos and cloud storage, while Spotify may be storing your favorite playlists. Accessing the data or managing the online accounts could be important both short-term: to inform people about a situation, and long-term to ensure no important data needed by those you leave behind is lost.

The suggested actions below may not cover all services or accounts, but it should constitute a good starting point for making the preparations needed to ensure your data lives on, that loved ones can gain the access needed or your right to be forgotten is observed.

Assign a digital executor

Appoint a digital executor. It’s common practice to appoint an executor in a will, someone trusted who takes care of property, finances and assets and distributes them according to your wishes. Today’s world means you may also need a digital executor to take charge of and handle digital assets – deleting, converting, downloading and managing accounts and profiles. In the same way that you list important financial assets, you may wish to list digital assets and what your specific instructions are for each one, so that there is no confusion or disagreement among the people you leave behind.

Use a password manager

Using a password manager to create a single repository where account credentials are stored has the benefit of enabling extremely complex (and hence secure) passwords to be generated, since the need to remember them all is removed; all you need to remember is one single, very strong, password to unlock the password manager. It’s also a protection against keyloggers, as they cannot monitor something that is not being typed in. Some password managers include a variety of options including creating a family plan, a file vault providing each user a secure place to store important documents and information and a variety of options for password recovery should it be needed.

Alert service providers

Make sure your loved ones know what your wishes are regarding your social media.

·       Facebook — Facebook allows you to appoint a legacy contact; this gives the nominated person the ability to memorialize the account and post a final message. The legacy contact can also delete any unwanted tribute posts, remove tags, respond to friend requests, request account deletion and such like. Be cautious, though, for they can also see all posts you made even if marked as ‘Only Me’ in the privacy settings. The instructions to assign a legacy contact on Facebook can be found here. The other option is to request deletion of the account – note, though that once deleted, access can never be regained; the details to make a deletion request can be found here.

·       Instagram – Instagram does not allow you to appoint a legacy contact. The account can bememorialized or deleted with separate online forms needing to be completed and they include the need to provide proof of death, such as a death certificate. If the request is to delete the account, it needs to be made by an immediate family member who will need to provide proof of their relationship and their authority.

·       LinkedIn – LinkedIn provides the ability to remove an account by reporting it and providing documented evidence similar to that of Instagram.

“This is a delicate topic, especially during a pandemic, and I hope it prompts you to consider taking some action to make a plan, appoint a digital executor, preselect legacy and inactivity contacts or discuss with the family lawyer,” says Anscombe. “While it may be an awkward topic, a discussion directly with family members, close friends or colleagues may prove to be the most effective course of action. The important thing is to do something rather than to do nothing.” 

For more tips, please visit welivesecurity.com

Since going public in 2015, the MITRE ATT&CK^TM knowledge base has witnessed a boon of contributions from the cybersecurity community. ATT&CK collates this information to provide a common language and structured intelligence on adversary behaviors across multiple threat groups. ESET’s most recent contributions comprise four entries in the Software and one extension in the Groups categories of ATT&CK.

Software:

1. Attor (S0438)

Attor is a previously unreported cyberespionage platform used in targeted attacks since at least 2013 against diplomatic missions and governmental institutions located mainly in Russia. Attor’s architecture consists of a dispatcher and loadable plugins.

ESET discovered and named the malware based on two notable features of its plugins: the Device monitor plugin’s capability of using AT commands to fingerprint GSM devices and the Tor client plugin’s use of Tor for command and control communication and exfiltration.

Attor’s functionality maps to 32 ATT&CK Enterprise techniques and 18 sub-techniques.

2. Okrum (S0439)

Okrum is a previously unknown backdoor that ESET first detected in late 2016 in attacks against diplomatic missions in Slovakia, Belgium, Chile, Guatemala and Brazil. The malicious actors behind Okrum employed several tactics to remain undetected, such as embedding the malicious payload within a legitimate PNG image, employing several anti-emulation and anti-sandbox tricks, and making frequent changes in implementation.

ESET discovered the Okrum backdoor delivering a Ketrican sample linking it back to the work of the Ke3chang (APT15) group. The Okrum entry comprises 28 ATT&CK Enterprise techniques and 24 sub-techniques.

3. ComRAT (S0126)

ComRAT, a favorite backdoor used by the Turla threat group since at least 2007, was discovered by ESET in its latest version (version four) released in 2017 targeting two ministries of foreign affairs and a national parliament. The operators were using the backdoor to discover, steal and exfiltrate confidential documents.

ESET researchers found 16 ATT&CK Enterprise techniques and 11 sub-techniques deployed. 

4. DEFENSOR ID (S0479)

DEFENSOR ID is an Android banking trojan that unleashes its fury when users grant permission to activate accessibility services. The app is packed with a host of malicious features, including stealing login credentials, SMS and email messages, displayed cryptocurrency private keys, and software-generated multifactor authentication codes; clearing bank accounts and cryptocurrency wallets; and taking over email and social media accounts.

DEFENSOR ID’s functionality maps to 6 ATT&CK Mobile techniques.

Groups:

1. Turla (G0010)

ESET researchers identified several links between ComRAT v4 and the Turla threat group. Version four of the backdoor uses the internal name “Chinch” as in previous versions, uses the same custom command and control protocol over HTTP as ComRAT v3, shares part of its network infrastructure with Mosquito (another backdoor used by Turla), and was seen either dropped by or dropping other Turla malware families.

By linking ComRAT v4 to Turla, ESET provided extensions of 13 ATT&CK Enterprise techniques and 6 sub-techniques of the Turla group.

MITRE ATT&CK evaluations: Simulating the Carbanak/FIN7 APT group

MITRE ATT&CK is also notable for its evaluations. Running in its third round, the evaluations use simulated attacks to test the prevention and detection capabilities of security products against the techniques employed by high-profile adversaries. ESET and MITRE ATT&CK teams will be engaging in red and blue team activities putting ESET to the test against the techniques of the Carbanak/FIN7 APT group.

FIN7 is infamous for creating a front company called Combi Security that hired black hat recruits under the guise of various cybersecurity roles, such as penetration tester. The U.S. Department of Justice has arrested and charged four members of the group to date. ESET discovered Carbanak malware targeting point of sale systems for credit card data at a casino. Carbanak is known for targeting the finance and retail industries, including banks, forex trading companies, casinos, hotels and restaurants.

How does ATT&CK benefit ESET?

As of August 2020, the number of ESET contributions to MITRE ATT&CK has continued to grow, with ESET being one of the top referenced and engaged vendors directly involved in refinement and population of the MITRE ATT&CK knowledge base. ESET’s engagement with ATT&CK continues to inform product R&D, malware research practice and its ongoing cybersecurity awareness work. These ongoing contributions also help provide additional possibilities to transfer knowledge to that close-knit community.

More details on ESET’s work with MITRE ATT&CK can be found here:

1. Collective Security: ESET improves cyber armor with MITRE ATT&CK(TM) knowledge base

2. Advancing enterprise threat hunting with the MITRE ATT&CK™ knowledge base

3. Malware Researcher + Threat Analyst: two perspectives on the MITRE ATT&CK™ knowledge base

While most people have banded together and done what has needed to be done to get ahead of the COVID-19 virus, it hasn’t – unfortunately — been universal. 

As has been said, some people just want to watch the world burn. As people across the world have united to look after those around them in this time of emergency, the COVID-19 pandemic has shown us how ruthless scammers can be. Across the world — Canada included — scams are on the rise during the COVID period. 

This period of crisis has actually provided a series of advantages to malicious actors, who have ramped up their operations in order to capitalise on the crisis. But good people are not defenceless against these actions. ESET, an industry-leading IT security company, offers some insight into the most prevalent scams that have emerged during the pandemic and, most important, what people can do to protect themselves. 

• Sense of Panic — It’s dangerous, but scammers don’t care — they aim to create a sense of panic. One of the most common attempts during the pandemic has been SMS scams that falsely inform people they have contracted COVID-19. They message tells people they have been near someone who tested positive and they should get tested, but it them directs people to a sire that aims to gain bank details and other personal information. 

Protect Yourself — It is often easy to spot a dodgy email or suspicious web page when thinking calmly, but we understand rational thought process can go by the wayside in a time of panic. This is what scammers are trying to exploit. Before providing any personal details, take a few deep breaths and approach it with a calm mind so that you can assess whether it is legit, or not. 

• Changing Norms — COVID-19 has changed our daily routine and norms. Scammers take advantage of this with schemes that, in normal times, may seem absurd, but may be less obvious during a pandemic when everything has been turned on its head. People are even more vulnerable during a crisis when governments actually are sending out email and text messages to keep people informed. Scammers don’t hesitate to add their phishing messages to the mix. 

Protect Yourself — Admittedly, phishing emails can be difficult to spot on a mobile device. But there are security measures you can put in place for added protection. ESET Mobile Security comes with an anti-phishing feature, taking much of the guesswork out of suspicious texts or emails. Always check the sender’s information before clicking on any links, and try to authenticate the link before clicking on it. To be extra safe, go directly to the company or organization’s website via a fresh search on your browser. 

• Working from Home — The shift to remote work provided a major advantage to cyber criminals. Having workers on their home networks has increased their vulnerability to attack, resulting in an increase in malware and phishing, and hacking of video conferencing platforms. The most infamous example was the “Zoombombing” phenomena, where hackers broke into Zoom meetings to display graphic content to unsuspecting participants.

Protect Yourself — Step 1 is to keep all of your software updated. If a vulnerability is noticed, the company will often provide an update the resolve the issue. But that update is useless if you don’t actually apply it. If possible, select the “auto-update” feature on your computer so that it just happens automatically. Step 2 is installing antivirus and cybersecurity software. These tools make the battle against phishing and malware vastly easier. To find out which software is best for you, check out the range of cybersecurity solutions on our website. 

Whether it’s enemy soldiers, monsters lurking in the deep or physical features in the surrounding area, there are dangers lurking everywhere in your video game environment.

Those dangers, at the least, can’t cause you any actual harm besides a bruised ego. But there are other hazards when you are gaming that can attack your gaming system and put both you and your equipment at risk. Video game hackers have been known to steal in-game valuables and sell them to other users for real currency, but more worrisome is theft of personal data that could include a record of your phone use or even financial information. 

In many cases, the hacker’s job is made easy because of gamers who eschew the use of protective software and the way most can slow down your computer’s performance or pester you with pop-ups. 

That is something the founders of ESET — who originally developed their passion for computers as gamers — took to heart when developing the NOD32 Antivirus Gamer Edition. Light and unobtrusive, NOD32 runs in the background and doesn’t disrupt your game with pop-ups. Its features include: 

• Zero Interruptions — Built to run fast, it doesn’t slow down your machine with pop-ups or down time. 
• Killer Protection — It safely and effectively blocks ransomware, hackers and all of the latest threats. 
• Easy to Manage — If you are changing or upgrading your computer, simply transfer the license. 
• Free Help — When needed, a North American-based support team is available on demand. 
• Developed by Gamers — They know the concerns and hang ups of other programs. NOD32 was built for speed. Guaranteed. 

ESET’s NOD32 Antivirus Gamer Edition is available in Canada at Best Buy. 

ESET researchers are releasing their in-depth analysis into the operations of Evilnum, the APT group behind the Evilnum malware. According to ESET’s telemetry, the targets are financial technology companies – for example, platforms and tools for online trading. Although most of the targets are located in EU countries and the UK, ESET has also seen attacks in countries such as Australia and Canada. The main goal of the Evilnum group is to spy on its targets and obtain financial information from both the targeted companies and their customers.

“While this malware has been seen in the wild since at least 2018 and documented previously, little has been published about the group behind it and how it operates,” says Matias Porolli, the ESET researcher leading the investigation into Evilnum. “It’s toolset and infrastructure have evolved and now consist of a mix of custom, homemade malware combined with tools purchased from Golden Chickens, a Malware-as-a-Service provider whose infamous customers include FIN6 and Cobalt Group,” he adds.

Evilnum steals sensitive information, including customer credit card information and proof of address/identity documents; spreadsheets and documents with customer lists, investments and trading operations; software licenses and credentials for trading software/platforms; email credentials; and other data. The group has also gained access to IT-related information, such as VPN configurations.

“Targets are approached with spearphishing emails that contain a link to a ZIP file hosted on Google Drive. That archive contains several shortcut files that extract and execute a malicious component, while displaying a decoy document,” elaborates Porolli. These decoy documents seem genuine, and they are continuously and actively collected in the group’s current operations as they try to compromise new  victims. It targets technical support representatives and account managers, who regularly receive identity documents or credit cards from their customers.

As with many malicious codes, commands can be sent to Evilnum malware. Among those are commands to collect and send Google Chrome saved passwords; take screenshots; stop the malware and remove persistence; and collect and send Google Chrome cookies to a command and control server.

“Evilnum leverages large infrastructure for its operations, with several different servers for different types of communication,” concludes Porolli.

For more technical details about the Evilnum malware and the APT group, read the full blog post “More evil: a deep look at Evilnum and its toolset” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research. 

The rise of the Internet has led to the creation of the social media influencer, altering the aspirations of children around the world. 

A recent British survey of 2,000 parents of children aged 11 to 16 years shows strong interest in being an influencer for a career. Among parents whose children told them what they want to do when they grow up, 17 per cent said they wanted to be a social media influencer, and another 14 per cent desired to be a YouTuber. Only doctor, at 18 per cent, was higher. 

When your kids are online and working on building a following that would make them worthy the title of “influencer,” here are some red flags that may pop up along the way: 

• Online Hate — Sadly, this is inevitable. The vitriol that can flow from someone hiding behind the safety of their screen is disturbingly sad. Comment sections are flooded with hurtful messages and threats — frightening for anybody, no matter their age. If your children are active online and are actively building a following, parents can help by moderating comments, reporting inappropriate behavior and using parental control tools to monitor your kid’s activity online. With parental support, kids can be taught how to act responsibly and articulate their opinion. 
• Oversharing and Online Stalking — Kim Kardashian is one of the most influential figures on social media. During one of her visits to Paris, this backfired. She was robbed at gun point, resulting in the theft of US$8 million worth of jewelry. The heist was organized based simply on following Kim’s whereabouts through her social media posts. This example of oversharing should be a warning to anyone, especially to young influencers who will do almost anything to please their followers. Parents should help their kids set boundaries between their public and private lives. It is also helpful to drill home that anything posted online will stay there forever. 
• Followers are Not Real Friends — We spend so much time in the digital landscape that it can be easy to forget that it is no real life. Children in particular have a tendency to overlook the fact that followers are not real friends. A digital connection in an online platform is not going to be there when they need a break from the latest social media craze, and they won’t be a confidant in difficult times. It is crucial that parents encourage real friendships and strong family ties that should not be neglected for a digital life. 

To learn more about the dangers faced by children online as well as about how technology can help, check out ESET‘s Safer Kids Online platform.

As people become more sensitive about the privacy and security of their data, Canadians across the country are looking for ways to up their personal security.

One personal device where security features often get overlooked is personal cell phones. Whether because we always have them close by or think it “will never happen to me,“ Canadians are leaving themselves exposed to security risks on their phones. 

To help protect your mobile security, ESET, a world-leader in cybersecurity, offers the following lock screen options for protecting your phone. 

• Pattern Lock — A pattern lock, as the name suggests, requires the owner to enter a specific pattern that they came up with to unlock their device. As far as screen lock choices go, pattern locks could be considered a medium-level security option at best. Your finger squiggle could be as easy as drawing an L or you could make the pattern more difficult by drawing a sophisticated shape. The simpler the pattern is, the easier it is for lurkers to copy it if they are watching over your shoulder. 

In fact, research found that lurkers were successful in recreating the swipe pattern 64.2% of the time after looking at it once; with multiple observations, that risk rises. You can improve your security by turning off feedback lines and opting for a more sophisticated pattern. 

• PIN / Password — If you’ve been smart and set up any protection at all on your devices, you’re probably familiar with the PIN lock/password option, because it is the code your SIM card asks you to enter whenever you turn your phone off and on. Many Android versions will allow you to set a paltry four-digit code, but if you care about your security, you will choose a much longer PIN code. 

If you want to up your lock game, you should probably opt for a password that incorporates letters, numbers and special characters and make it at least eight characters long. It may be a bit harder to remember and type out, but in the long run you’ll be glad you played it safe. If you really want to up the ante, you can also turn on the feature to wipe your phone after a number of failed login attempts.

• Fingerprint Biometric Lock — Fortunately for some of us, fingerprint biometric locks are still a thing. You may encounter different varieties, with some being standalone locks, others incorporated into buttons and the latest development are the ones hidden in the smartphone screen. The case for these is that the fingerprint lock can be one of the fastest ways to secure your phone. By placing your finger on the reader, your phone will unlock within a fraction of a second. 

But is it foolproof? Well, where regular people are concerned it is highly doubtful that a bad actor would go through the ordeal of trying to get through a biometric lock. Still, bypassing a fingerprint lock isn’t entirely impossible. Fingerprints can be stolen from photos and other sources, then recreated, even with just 2D printing.

• Face Scan — This biometric lock does exactly what it says: it scans your face. Although you’d imagine that the process is fairly sophisticated and entails a large number of technological wonders, the truth is it basically relies on your front camera and some software. The camera scans an image of your face and then relies on a facial recognition algorithm to verify your face. The speed of the unlock also depends on your phone and the quality of its front-facing camera. 

There is quite a variety of lock options to choose from. It is always wise to choose a combination of features and not rely on just one. The safest two-step combination is a trusty PIN or password of sufficient length, with a fingerprint scan coming in next. Whichever option you choose, it’s always smart to plan ahead. Securing your phone now might save you from a nasty headache in the future.

For more tips, please visit welivesecurity.com

ESET researchers have discovered a previously unreported cyber espionage framework they dub Ramsay. The framework is tailored for collecting and exfiltrating sensitive documents from air-gapped systems that are not connected to the internet or other online systems. Since the number of victims so far is very low, ESET believes that this framework is under an ongoing development process. 

According to ESET findings, Ramsay has gone through several iterations based on the different instances of the framework found, denoting a linear progression on the number and complexity of its capabilities. The developers in charge of infection vectors seem to be trying different approaches, such as using old exploits for Microsoft Word vulnerabilities from 2017 and deploying trojanized applications for delivery, potentially via spear-phishing. The three discovered versions of Ramsay differ in complexity and sophistication, with the latest third version being the most advanced, especially with regard to evasion and persistence.

Ramsay’sarchitecture provides a series of capabilities managed via a logging mechanism:

• File collection and covert storage: The primary goal of this framework is to collect all existing Microsoft Worddocuments within a target’s file system.
• Command execution: Ramsay’s control protocol implements a decentralized method of scanning and retrieving commands from control documents.
• Spreading: Ramsay’s embeds a component that seems to be designed to operate within air-gapped networks.

• 

For more technical details about Ramsay, read the blog post “Ramsay: A cyber espionage toolkit tailored for Air-Gapped Networks” on WeLiveSecurity. Make sure to follow ESET Research on Twitter for the latest news from ESET Research.