Technology moves at a breakneck pace. New standards pop up, old technologies lose support, novel threats are revealed, and the wheel just turns and turns. Nothing has really changed with the pattern, but it feels like it’s moving faster than ever before.
Things are changing at the same individual rate, but there are more things changing to account for. You used to only need to worry about the basics like networking, servers, and workstations (or similar); now you also have to choose between software suites, hosting types, security suites, advanced networking capabilities, and more. The choices for each have become endless, and once an option clears a certain minimum there is very rarely a clear-cut case of one being objectively better. Salespeople have no qualms about embellishing claims, and spec sheets are not always apples-to-apples comparisons among similar suites.
Technology comparisons can get downright onerous if you don’t know how to find the right resources to make sense of claims and features. Billing gets even crazier unless you have the market to pull special treatment. It’s the difference between a flat $0.50 an endpoint per month, and a billing scheme with unclear tiers, fixed and/or variable fees, or even variable price per month. When looking at technology we look at what they promise, what they can show, and how it fits the model for our clients.
What Does It Promise?
What features does an offering have and what claims do they make? The adage of “if it sounds too good to be true, it probably is,” usually holds true here. But, sometimes you get pricing by buying in early, as a way to expand business, or even as part of a partnership. Striking one of these deals can make your offering that much more amazing if you know how to negotiate a new promise out of the sales team. Pricing may not be the first thing you figure out, but it is one of the biggest deal breakers for a promise.
What have you been promised it can do? This can even be spec sheets and “raw data”. How well does it actually work out? If you can’t easily weigh the individual promise, how well have they held up their previous promises? Don’t look too far if the company has been through substantial change unless you want to be extremely cautious. If the entire C-suite and management was completely changed out and it’s been a few years with the new management, you may want to just look at the promises in that period. Don’t look too far if their track record is bad either.
AI excites me but also scares the bejesus out of me. Promises get a lot vaguer with Machine Learning (ML) and Artificial Intelligence (AI). AI and ML are computing black boxes. You have an input and (ideally) an output that fits what you want, but you have no real insight into how the process works. The people making it can understand what they’ve put in, but the actual process is still a mystery.
You have to know how to make sense of their promises and claims for them to mean anything. How many promises are vague and loaded with empty marketing speak and how many can actually be quantified? Buzzwords are fine if they actually mean something contextually, but they’re less than useless otherwise. How many of the promises make sense? Now, how can you turn their promises into something verifiable?
What Has It Shown?
Where does it stand in comparison to its competition? What rates is this measured from and who sponsored the research? What have they shown they can do consistently well? Are there features which stand out which you can actually benefit from? Look at what they have shown they can do for you.
Even if something is possible to do, it doesn’t mean it’s practical. That cheap consumer router may say it works great for a business and someone used it for a day when their expensive equipment went down, but does that mean it’s shown anything useful if you’re buying for business? I’ve been in that spot, and they usually work for a day or two at a larger place before having to be continuously rebooted. There’s a reason a commercial or enterprise router costs more and works better in a commercial setting; it’s made to do so. You have to know how to apply the same filters for promises or else you get sold on a different bill of goods.
Benchmark the results you get. What can they show you they can actually do and how can you measure the data? A product might work great in a virtualized environment, but how does it work on real life hardware? You have to put the promises you can actually show into the context of how it fits you and your business needs. If you know what to look for, you might get in on something exceptional which is just marketed poorly, or avoid the inverse.
How Does It Fit?
A great product targeted at a different market may not be a great (or even good) fit. Your business continues to change (just like the businesses we support). What do you need and who is the product targeting? If you’re a Managed Service Provider (MSP), you’ll probably have multiple clients in multiple industries. How do you find the common denominator that can get you better pricing while satisfying all of their needs?
A product is going to have an associated cost. I keep coming back to cost, but cost is one of the most important factors for a product being a good fit or not. It doesn’t just matter what a client needs, it also matters what they can afford and are willing to spend. While a single service isn’t going to break the bank, 10 of them will. Technology continues to expand and more and more things become necessary to just run a business. You have to focus on the bigger picture which combines risk, need, desire, and support.
You have to take into account compliance, security, accessibility, maintainability, scalability, etc. and all of it costs money. While it’s not ideal, some businesses just don’t have the money to solve certain problems the best way possible. Other times, a certain technology may not have something financially accessible or practical which fits what the client is willing to do. You have to pick something which makes your life easier in some way as the IT professional as well, but sometimes that comes at a cost too, and that cost can be a deal-breaker.
Measure each factor and compare it to what you or the client need. If something really simplifies their business, it can be worth the extra cost, but you have to be able to show them. Clients will hold you accountable for your decisions to push a product, so you have to do your due diligence. Make sure it can deliver on its promises and can back up its claims. This helps you determine whether it’s the right fit, or if you need to go a different direction. Not every choice will be a home run, but if you focus on the right factors, you make informed decisions instead of blind gambles.
We use our ability to negotiate and our expertise to keep with and stay ahead of market trends. You may not always want to be the first early adopter, but you don’t want to be late to the party either. Where is the market going and how do you get ahead without getting lost?
by Sage Driskell
MSPs large and small are systematically being targeted over and over in the news. It’s almost weekly a new article comes out about a given large provider being targeted. Many of these attacks come from API weaknesses. You can’t control the provider or service, but you can minimize the chance of these attacks impacting you and your customers.
Leaky APIs
Leaky APIs are APIs which allow easy exfiltration of data from a service. These exploits often stem from deprecated APIs or privilege escalations. Many deprecated APIs exist in products for backwards compatibility, but they often come with caveats and holes.
Privilege escalations can happen on APIs due to loose queries which can return data from outside of their scope. Other escalations rely on multiple APIs which accidentally return data outside the scope a user can see normally due to their interactions. A deprecated API may help break another API when glued together with the wrong product.
These types of attacks are often used to harvest credentials or information for attacks later. Stolen passwords can be used on any similar account on multiple platforms to see what is shared. Hackers glean data which makes their later attacks easier either for traditional attacks or for things like phishing attacks.
Weaponizing APIs
With the creation of things like fileless malware and easy, privileged access via RMM tools, weaponizing an API has never been easier. Other products like Webroot have had similar incidents from adding the feature to run commands remotely. This feature creep combined with API access makes these tools further targets.
Most products rely on various SQL products for databases. Many APIs where the developers are not security conscious will be a thin layer between the user and raw SQL queries. These can be weaponized to poison the data allowing greater access or to exfiltrate useful data. Depending on the product, it may be possible to insert hostile, arbitrary code which gets run by something within the API. Some RMMs even store scripts as blobs in the database.
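As an added illustration of the thin-layer pattern described above (not code from the original post or from any product it names), the following Python snippet puts a query built by string concatenation beside its parameterised, tenant-scoped form and runs both against an in-memory SQLite table. The table, the tenant names, the scoping rule and the crafted filter value are all constructed for the example; the point is that a loosely built query can return rows outside the caller's scope, while the bound, session-scoped version cannot.

```python
import sqlite3

# Constructed sample data for this example: two tenants' devices in one table.
SAMPLE_ROWS = [
    (1, "tenant-a", "ws-01", "desk of alice"),
    (2, "tenant-a", "ws-02", "desk of bob"),
    (3, "tenant-b", "srv-01", "rack 4"),
]


def make_db():
    """Build an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (id INTEGER, tenant TEXT, name TEXT, note TEXT)")
    conn.executemany("INSERT INTO devices VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def find_devices_thin_layer(conn, tenant, name_filter):
    """The 'thin layer over raw SQL' pattern: request input is pasted into the query text.
    A crafted name_filter can rewrite the WHERE clause and read other tenants' rows."""
    sql = (
        "SELECT id, tenant, name FROM devices "
        f"WHERE tenant = '{tenant}' AND name LIKE '%{name_filter}%'"
    )
    return conn.execute(sql).fetchall()


def find_devices_scoped(conn, tenant, name_filter):
    """Hardened form: bound parameters, and the tenant value comes from the caller's
    authenticated session rather than from anything the request body can alter."""
    sql = "SELECT id, tenant, name FROM devices WHERE tenant = ? AND name LIKE ?"
    return conn.execute(sql, (tenant, f"%{name_filter}%")).fetchall()


def compare(name_filter):
    """Run both variants as tenant-a and report how many rows each returned."""
    conn = make_db()
    return {
        "thin_layer": len(find_devices_thin_layer(conn, "tenant-a", name_filter)),
        "scoped": len(find_devices_scoped(conn, "tenant-a", name_filter)),
    }


if __name__ == "__main__":
    # A harmless filter: both variants return the two tenant-a workstations.
    print(compare("ws"))
    # A filter that closes the string literal and appends an always-true OR clause:
    # the thin layer returns every tenant's rows, the scoped query returns none.
    print(compare("%' OR tenant <> 'none"))
```

The scoped version fixes two things at once: the filter is passed as a parameter, so it can never change the shape of the query, and the tenant is supplied by the server from the session, so the API user cannot ask for a scope it does not own.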
How Do These Attacks Happen?
These attacks happen because of lax security policies on both sides of the equation. Many vendors do not take into account the ramifications of the access their API can provide. Vendors which integrate their products may ask for more permissions than they should need to function. A lot of permission sets are too permissive in general because it's easier for the developer and the user to set up.
Clients of these products often fail to limit users enough. API users floating around provide an easy in to a company if they are compromised. Sometimes, the way multiple APIs talk to one another may be targeted as well. A simple return status from a query in a limited API may provide information that the other API would not normally have given. A simple boolean reply may provide a necessary bit of information for a malicious actor to work off of.
What Can You Do?
Removing unnecessary API users or users which may have API access is one of the easiest steps to protecting yourself, even from APIs outside of your control. Turning obsolete or unnecessary API versions, or even entire APIs off, is another great step. Use it or lose it. Trim off enough of the fat, and the hunter will target easier, more profitable prey.
Shrink your attack surface to shrink what you have to keep safe. Besides just trimming off the obsolete, scope your API users. An API user which only reports from a product doesn’t need write access. Your users need Two-Factor Authentication (2FA) everywhere possible. Do not share credentials between API users and do not recycle user names if you can help it. These basic steps have headed off many attacks before they even have the chance to become a threat with very little imposition on our technicians.
If you run products in house which have an API you use, try blocking traffic based on IP for whatever is using it. This isn’t always possible, but can often be used to limit certain service APIs to specific, known entities which limits the impact of a leaky or broken API. Rate limiting connections is another great step. If your average client hits 5 requests per hour, why not set a limit of 10 requests per hour so that brute force attempts take significantly longer? Alerting on these thresholds is another great step, especially if you control something in the stack which can see this.
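Taken together, the source restriction, rate limit and alert threshold described above can be expressed as one small gate in front of an API. The following is an added example in Python, not code from the original post or from any product, using the post's own figure of a 10-request hourly limit for a client that normally makes about 5. The ApiGate class, the 10.0.0.0/8 allowed network, the 80% alert threshold and the request log are all constructed for the example.

```python
import ipaddress
from collections import defaultdict, deque


class ApiGate:
    """Source restriction, hourly rate limit and threshold alerts for one API.

    Hypothetical helper written for this example; limits and allowed networks
    are constructor arguments so they can be tuned per API user."""

    WINDOW_SECONDS = 3600

    def __init__(self, allowed_cidrs, limit_per_hour, alert_fraction=0.8):
        self.networks = [ipaddress.ip_network(c) for c in allowed_cidrs]
        self.limit = limit_per_hour
        # Raise an alert once a user reaches this share of its hourly budget.
        self.alert_at = max(1, int(limit_per_hour * alert_fraction))
        self.hits = defaultdict(deque)   # api_user -> request timestamps in the window
        self.alerts = []                 # (time, api_user, message)

    def check(self, api_user, source_ip, now):
        """Return 'allow', 'deny:source' or 'deny:rate' for one request."""
        ip = ipaddress.ip_address(source_ip)
        if not any(ip in net for net in self.networks):
            self.alerts.append((now, api_user, f"request from unexpected source {source_ip}"))
            return "deny:source"

        window = self.hits[api_user]
        # Drop timestamps that have aged out of the sliding one-hour window.
        while window and now - window[0] >= self.WINDOW_SECONDS:
            window.popleft()

        if len(window) >= self.limit:
            self.alerts.append((now, api_user, f"hourly limit of {self.limit} exceeded"))
            return "deny:rate"

        window.append(now)
        if len(window) == self.alert_at:
            self.alerts.append((now, api_user, f"{self.alert_at} of {self.limit} hourly requests used"))
        return "allow"


# Constructed request log: (seconds since start, api_user, source address).
# A reporting-only integration normally makes ~5 requests an hour; here it
# suddenly makes 12 in 11 minutes, one request arrives from outside the
# allowed network, and a final request arrives after the window has slid.
SAMPLE_EVENTS = (
    [(minute * 60, "rmm-report", "10.0.5.7") for minute in range(12)]
    + [(700, "rmm-report", "203.0.113.9")]
    + [(3700, "rmm-report", "10.0.5.7")]
)


def replay(events, gate):
    """Feed a request log through the gate and return one decision per request."""
    return [gate.check(user, ip, t) for t, user, ip in events]


if __name__ == "__main__":
    gate = ApiGate(allowed_cidrs=["10.0.0.0/8"], limit_per_hour=10)
    for event, decision in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS, gate)):
        print(event, decision)
    for alert in gate.alerts:
        print("ALERT", alert)
```

The alert list is the part worth wiring into whatever you control in the stack: the "approaching limit" alert fires before anything is blocked, so a technician sees a misbehaving or abused integration while the rate limit is still only slowing it down.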
Researching Products
No product is going to be perfect, but you can shop around to minimize damage. How does your current product handle exploitation? Are they quick to report it or do they take their time? A vendor which reacts fast, may still get hit, but at least you’ll know before your clients do and be able to protect yourself.
A vendor which tells you about an exploit quickly is also a vendor which works on fixing it quickly. Look at the vendor’s response history and how long it takes them to clear out serious CVEs to know how big a threat they are to your business. If they can’t keep up with serious vulnerabilities which are reported, what else are they missing that’s not reported yet?
Always be on the lookout for how a vendor impacts you and your clients. A vendor which never has real access is easier to trust than one which can make system level changes. Look out for how they handle older APIs too. A vendor which leaves deprecated features in too long runs the risk of being exploited down the line.
Ask your vendor what they do about older versions and whether or not they rate limit requests and accounts. See what the scope of their API access is. The irony is that those proudest of their APIs’ open access will usually be the first to tell you about it. Weigh this against your other options and the impact on your client before signing.
Our Strategy
We minimize unnecessary API interaction and work to maintain best practices to prevent exploits. When an API becomes obsolete, it is removed from our system where possible. API access is also further limited for fixed entities to prevent more wholesale access from being available off premise. Users need 2FA to get into basically anything. These patterns heavily minimize the attack surface with very little maintenance. Our large community contributes to helping make sure every potential exploit is known as soon as possible.
Our Security Focus
We focus on a holistic approach to security, and try to stay ahead of exploits and reduce the risk of any given component. Your security is only as strong as its weakest link, so you must be vigilant. Prevent unauthorized API access by preventing any access unless necessary. We want to know about an exploit as soon as it is public, if not before, and be able to react to it.
Cutting off your finger is better than losing your arm, but not having to lose either is best. Prioritization of exploits is extremely important to surviving in the modern security landscape. We’re well past the days of “perfect security” even being a pipe dream, let alone realistic. We work to hedge our bets and make our platform the least ideal for hackers without sacrificing functionality. An ounce of prevention, even if it’s bitter, is a lot better than a pound of cure.
Going Forward
Stay ahead of hackers by locking down every aspect of your security. APIs are one of the most often overlooked and most easily exploited parts of many products. Almost every major software product is going to have an API of some kind too. Know what you’re dealing with and limit the damage where you can. MSPs have become low-hanging fruit to many hackers; elevate your security and elevate yourself from being next.
Our very own Sage Driskell is a Core Services Engineer at The 20.
How was your Thanksgiving? Great, we hope!
How about Black Friday? Cyber Monday? Are you in to those type of things? Personally, I typically avoid these shopping rushes in general, but there’s no question they’re incredibly popular and overwhelmingly successful.
So if you do participate – heck, even if you simply plan on shopping at all online this holiday season (like 100% of us do), you have to beware: scammers want in on that holiday gift budget.
Shoppers are expected to spend roughly 4.1% more this holiday season than in 2017, which equates to around $720.89 billion, according to the National Retail Federation.
Good. Night.
Can you imagine the criminal element’s attraction to a number like that?
Last year, according to Payments Next, online fraud attempts increased by 22% between Thanksgiving and New Year’s Eve. Between Thanksgiving and Cyber Monday alone, malware infections jumped 123%, according to data released by Enigma Software Group.
Red Flags
Just as you wouldn’t want to buy a designer watch from a guy in some dark and creepy alleyway, you don’t want to buy anything online from a seller you haven’t fully investigated.
One place to start is by searching the BBB’s online directory, which can tell you if the business is accredited, and whether or not the BBB has received complaints.
Truth be told, you should probably check to see if they’re even in the database. Because if not, well, that’s a concern. You can also do a general Google search which will pull up a lot of information about that company and their website.
In addition to checking the Better Business Bureau listings, the Federal Trade Commission says to make certain the website includes a physical address and a phone number, and verify them. That way you have a place to contact should things go wrong.
Fake Shipping Notices
This year the BBB is also warning of fake email delivery notices that say you have a package on its way.
It’s probably common sense that an actual delivery company isn’t going to email you about a package, right? How would they have your email address? But I suppose you can’t be too careful during the time of year where you’re conducting online orders left and right. Amazon emails begin to run together and suddenly an email claiming to be from a delivery service doesn’t seem all that strange…
But you have to keep your head on a swivel. DO NOT click on any links. It’s most likely malware, or at the very least, going to ask you for personal information like credit card numbers or addresses. Before you know it, you’ve just participated in the theft of your own identity.
Legitimate carriers will never ask you for personal information through email.
Santa’s Phishing
Several trusted companies offer charming and personalized letters from Santa, but scammers mimic them to get personal information from unsuspecting parents. Check with the BBB to find out which ones are legitimate.
The big risk here isn’t that your kid won’t hear from Santa, but that you’re providing key details to a phisher who will use it to perpetuate other fraud or identity theft.
Charity Scams
Did you also know that scams come with philanthropy?
The holidays are a wonderful time to support your favorite causes, but to ensure that your funds go where you desire, you’ve got to make sure the group is legit.
According to nonprofit rating site Charity Navigator, roughly 40% of all charitable donations are made in the last few weeks of the year. So, you better believe scams pop up in the form of donation solicitations via email, social media and text.
Common charity scams include look-alike sites or imposter websites, phony emails that are “phishing” for personal information or giving a check or cash to an individual as opposed to an organization.
The BBB’s Give.org is a great resource to research legitimacy.
Yep, sorry, everyone… this is a real problem. In fact, it’s a HUGE problem. Your company’s vulnerability, in large part, comes from your employees. And with a little know-how and finesse from the bad guy, here’s a few ways this happens AND a few ways your employees can be active participants in stopping them.
1. Carelessly opening email
Employees often spend the day checking their email — and hackers know it. This makes email a prime entry point for cyber criminals. Employees MUST approach their email with care so they can identify signs of an attack and mitigate the risk.
Common signs of an attack include fake/forged email addresses ([email protected]), unprofessional subject lines, bad grammar/typos, and creating a sense of urgency to respond with personal information.
Employees should be able to identify a potential threat, and report to IT. They shouldn’t click on links (including unsubscribe), submit information, open attachments, or respond to such an email.
2. Giving password over the phone/leaking passwords
How would your employees respond to this call? “Hi, this is Sam, from IT. We noticed your certificate is about to expire, so I need your password to reset.”
Well, hopefully they’d know that IT would never ask for a password, or other sensitive information like a social security number, address, or common password reset questions/answers.
Another big one is writing passwords on a notepad, or taping it to the computer. I wrote about this a couple of weeks ago. Not a good idea.
3. Losing mobile phone
It’s easy to lose a device with sensitive information. It’s actually not a matter of if, it’s a matter of when.
So, the question then is, how do we mitigate the loss of information? The 2 most important steps for you to take are 1) requiring that phones automatically lock and require a password to access and 2) making sure you have the ability to remotely wipe a device.
The employee plays an important role here, too. Should this happen, they need to be aware of the risks involved, and report immediately, even late on a Friday night. This allows your IT team to quickly wipe the device and prevent information loss.
Pro tip: Make sure employees know who to contact (direct manager, IT, etc.) and let them know they will never be punished for losing a device and reporting it immediately. They could, however, be at risk if they try to hide it.
4. Weak passwords
Employees (and well, everyone) typically use the same password for their social sites, bank login, and work password.
Is that bad? Yes!
If one is compromised, then the list of password possibilities for everything in your life significantly dwindles.
You should have a company policy that requires employees to use an unrelated password for all company logins and enforce that these passwords are updated regularly.
5. Improper disposal
Proper disposal of information is often overlooked.
Let’s say an employee is cleaning their desk, and the primary culprit appears to be the large stack of papers, mail, envelopes, sticky notes, and other junk that’s piled up since the last time they cleaned. Well, they haven’t needed anything in the stack for 6 months, so it’s safe to say they won’t need it in the next 6, right? Everything is pushed in the trash.
But wait — what all was in that stack? Maybe a flash drive? Maybe a flash drive with sensitive customer data, confidential company information, passwords…?
Work with your IT team to develop an information disposal policy. This should include wiping all read/writable media like hard drives and flash drives. CDs and DVDs should be shredded. Paper should be shredded or placed in a special bin in which your IT team can properly dispose of them.
Is Your Computer Secretly Mining Cryptocurrency?
Mining cryptocurrency used to require thousands of dollars’ worth of equipment to see any kind of meaningful return, but not anymore. Newer digital currencies like Monero, ByteCoin, and AEON have given would-be miners the ability to mine tokens right from their laptops. This might benefit small-time miners that want to get involved in the sector, but for every good thing online there are always people that figure out a way to use it for bad.
Hackers have begun using these tools to infect computers and websites to secretly mine cryptocurrencies. This emerging type of malware attack has been dubbed as “cryptojacking,” and it could cause your computer to overheat and crash. Luckily, spotting these hidden miners isn’t all that difficult.
Cryptojacking essentially hijacks your computer’s CPU power to mine. This means when you’re browsing the web, the malware is running in the background completely unbeknownst to you. There are a few types of this malware, and some run only when you visit a certain website and others can be maliciously installed on your computer. The best way to prevent this is by using antivirus software and adblockers.
If you’ve already been hit with this kind of malware, you’ll notice either your computer acting sluggish, getting warmer than usual, or its fan constantly spinning. If you aren’t running any kind of demanding software, like video games or video editing programs, this should be the first hint that your computer is working overtime.
If you’ve noticed your laptop acting up, it’s time to go check on what’s going on under the hood. Mac users can view a detailed breakdown of everything their computer is running by searching “Activity Monitor” and using the magnifying glass icon at the top-right of the screen. Windows users can simply hold down the Ctrl-Alt-Del keys to bring up “Task Manager.”
Both of these menus will display a graph of how much of your computer’s processing power is being used. Any massive spikes should be red flags. You’ll also see an ordered list of the programs using the most processing power at the moment. Before ending any of these programs be sure to research what they are, as you could be ending a crucial part of your operating system.
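As an added example (not from the original post), the following Python turns the manual Task Manager / Activity Monitor check into a rule you can run over a short series of CPU readings: flag a process only when it stays hot for several consecutive minutes and is not something you knowingly launched, which matches the "working overtime without demanding software" hint above and avoids flagging a brief, normal spike. The process names, percentages and the KNOWN_HEAVY set are constructed for the example.

```python
from collections import defaultdict

# Processes the user knowingly runs that are expected to be CPU-heavy (constructed list).
KNOWN_HEAVY = {"ffmpeg", "Premiere Pro", "game.exe"}

# Constructed one-minute samples of (minute, process name, CPU percent), the kind
# of numbers you would read off Task Manager or Activity Monitor.
SAMPLE = (
    [(m, "ffmpeg", 95.0) for m in range(10)]            # a legitimate encode job
    + [(m, "browser-helper", 88.0) for m in range(10)]  # pegged the whole time
    + [(m, "explorer.exe", 80.0) for m in range(2)]     # a brief spike only
    + [(m, "explorer.exe", 3.0) for m in range(2, 10)]
)


def sustained_cpu_hogs(samples, threshold=70.0, min_minutes=5, known_heavy=KNOWN_HEAVY):
    """Return {process: longest run of consecutive samples at/above threshold}
    for processes that held high CPU for at least min_minutes consecutive samples,
    ignoring software the user expects to be busy."""
    by_process = defaultdict(list)
    for minute, name, cpu in samples:
        by_process[name].append((minute, cpu))

    flagged = {}
    for name, points in by_process.items():
        if name in known_heavy:
            continue
        points.sort()  # order by minute so runs are truly consecutive
        run = longest = 0
        for _, cpu in points:
            run = run + 1 if cpu >= threshold else 0
            longest = max(longest, run)
        if longest >= min_minutes:
            flagged[name] = longest
    return flagged


if __name__ == "__main__":
    for name, minutes in sustained_cpu_hogs(SAMPLE).items():
        print(f"{name}: above 70% CPU for {minutes} consecutive minutes; research it before ending it")
```

A flagged process is a lead, not a verdict: as the text says, look the name up before ending it, since a busy system process and a hidden miner look the same in the CPU column.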
Both Tesla and the Los Angeles Times have had their sites infected by cryptojacking software. Companies with popular websites are the most at risk, as hackers can embed code onto their servers and use the CPU power of everyone who visits the site. But making it a habit to check on how your computer is running will ensure your device isn’t getting used to make someone else a crypto fortune.
The past 100 years or so have seen an incredible advancement in technology, and the newfound age of Artificial Intelligence is certainly no small part of it. Everything and everyone uses Machine Learning concepts to make life easier, like Siri or Alexa, but the dark side of the same can definitely be used to make life a living hell.
At the Black Hat USA 2018 conference a couple of weeks ago, security researchers at IBM considered a very likely scenario in the near future and created DeepLocker – a new generation malware which can fly under the radar and go undetected by way of carrier applications (like video conferencing software) until its target is reached. It uses an A.I. model to identify its target using indicators like facial recognition, geolocation and voice recognition — all of which are easily available on the web. Weaponized A.I. appears to be here for the long haul and could target anyone.
Scary.
DeepLocker is just an experiment by IBM to show how open-source A.I. tools can be combined with straightforward evasion techniques to build a targeted and highly effective malware. As the world of cybersecurity is constantly evolving, security professionals will now have to up their game to combat hybrid malware attacks. Experiments like this allow researchers to stay one step ahead of hackers.
According to Marc Ph. Stoecklin, principal research scientist at IBM Research, “The security community needs to prepare to face a new level of A.I.-powered attacks. We can’t, as an industry, simply wait until the attacks are found in the wild to start preparing our defenses. To borrow an analogy from the medical field, we need to examine the virus to create the ‘vaccine.’”
But back to DeepLocker…
DeepLocker’s Deep Neural Network model provides “trigger conditions” that need to be met for malware to be executed. In case the target is not found, the virus stays blurred inside the app, which makes reverse-engineering for experts an almost impossible task.
To prove the efficiency and precision of A.I.-based malware, security engineers demonstrated the attack using the notorious WannaCry virus. They created a proof-of-concept situation where the payload was hidden inside a video conferencing program. None of the anti-virus engines or sandboxes managed to detect the malware, which resulted in this conclusion by researchers:
Imagine that this video conferencing application is distributed and downloaded by millions of people, which is a plausible scenario nowadays on many public platforms. When launched, the app would surreptitiously feed camera snapshots into the embedded A.I. model, but otherwise behave normally for all users except the intended target.
What is more, applications like Social Mapper can be implemented inside the malware which would make the detection of a potential target an even more manageable task.
Indeed, the power of Artificial Intelligence is probably limitless, but the experiment proves that security researchers still have a lot of work to do when it comes to cybersecurity. The examination of various apps should be taken into consideration, and any unexpected actions should be flagged immediately.
Deep Instinct’s Solution
To combat these cyber threats we suggest deep learning from Deep Instinct as an incredibly effective solution. The 20 has chosen Deep Instinct, the first company to apply deep learning to cybersecurity, for our MSP members to provide superior deep learning cybersecurity capabilities across service offerings and safeguard customers against current and future cyber threats.
Their solution provides full protection that is based on a prediction and prevention first approach, followed by detection and response, with unmatched efficacy against any cyber threat.
Ransomware keeps appearing in headlines, attacking hospitals, banks, school districts, state and local governments, law enforcement agencies, as well as businesses of all sizes.
Holy moly. This isn’t good.
It’s reaching an epidemic level. The number of people targeted by ransomware is staggering: in the U.S. alone, 4.1% of the population (13.1 million). Back in 2016, cybercriminals collected $209 million in just the first 3 months from ransomware!
What is ransomware?
So what is it? What is this software wreaking havoc all over the globe?
Ransomware is a form of malicious software (or malware) that, once it’s taken over your computer, threatens you with great harm, usually by denying you access to your data. The attacker demands a ransom from the victim, then promises — though not always telling the truth of course — to restore access to the data upon payment. Users are then shown instructions for how to pay a fee to get the decryption key. The costs can range from a few hundred dollars to thousands, payable to cybercriminals typically in Bitcoin.
Ransomware has come to be viewed as an epidemic, expanding to more attacks from PCs to mobile devices and IoT. It is typically delivered through phishing emails, drive-by downloads or malvertising.
There are a few types of ransomware
- Crypto Ransomware
- Locker/Lock-Screen Ransomware
- Rogue Security Software: Fake AVs
Crypto Ransomware are variants that encrypt data on an infected host, and demand ransom in exchange for decrypting it. This is currently the most common ransomware type in the wild. Locker/Lock-Screen Ransomware are variants that deny access to the infected host and extort the victim for money in exchange for “releasing” it. Such variants are particularly popular among mobile ransomware. And finally, Rogue Security Software: Fake AVs are programs that “warn” the user against malware, which has already allegedly infected the host and can only be removed by purchasing the malicious “security software.”
There are several different ways attackers choose the organizations they target with ransomware. Sometimes it’s a matter of opportunity: for instance, attackers might target universities because they tend to have smaller security teams and a disparate user base that does a lot of file sharing, making it easier to penetrate their defenses.
On the other hand, some organizations are tempting targets because they seem more likely to pay a ransom quickly. For instance, government agencies or medical facilities often need immediate access to their files. Law firms and other organizations with sensitive data may be willing to pay to keep news of a compromise quiet — and these organizations may be uniquely sensitive to leakware attacks.
But don’t feel like you’re safe if you don’t fit these categories: some ransomware spreads automatically and indiscriminately across the internet.
Defensive steps to prevent ransomware infection
There are a number of defensive steps you can take to prevent ransomware infection:
- Keep your operating system patched and up-to-date to ensure you have fewer vulnerabilities to exploit.
- Don’t install software or give it administrative privileges unless you know exactly what it is and what it does.
- Install antivirus software, which detects malicious programs like ransomware as they arrive, and whitelisting software, which prevents unauthorized applications from executing in the first place.
- And, of course, back up your files, frequently and automatically! That won’t stop a malware attack, but it can make the damage caused by one much less significant.
Good luck out there.